Note: The following is an excerpt from our free ebook, “Right-Sizing Microsoft Teams Management and Security.” Download it today!
Let’s say your organization needed to know who had access to data in Microsoft Teams. Perhaps it is part of an important security audit or maybe it’s simply a routine process to prevent security issues.
You might be tempted to just look at the membership of each Team, assuming you have a managed Teams provisioning process. However, as Microsoft states in its documentation on sharing files in Microsoft Teams (emphasis is ours):
“When users share a file from within Teams, they can set who can access the file just like they do across Microsoft 365. They can give access to anyone, people in your organization, people with existing access, or specific people (which can include the people in a 1:1 chat, group chat, or channel).”
That means the membership of a Team DOES NOT equal who has access to a document hosted within it.
Sharing in Microsoft 365 is easy and can be accomplished many ways! This makes it easy to collaborate but also creates “shadow users” that have explicit access to files and content without being “Members” or “Owners” of workspaces.
While gaining a holistic picture of this access is difficult, it is the only way to gain an accurate understanding of who has access, or who could have access via an anonymous link that may be shared with many users.
It’s possible to inspect a link itself and see who has accessed content through it, but there is no way to find out who could access the document from wherever the link was posted or forwarded after it was created.
To gain a comprehensive understanding of who can access specific files, you will need to run a permissions report via PowerShell against the SharePoint Online sites (and OneDrive accounts) that actually store Teams files. This is the only practical native method to generate detailed permissions information in Microsoft 365.
The PowerShell report will provide data on which users and groups have ownership and explicit permissions to which content in Microsoft 365; however, it will likely be difficult to extract usable intelligence from the resulting spreadsheet. Permission reports for average-sized companies are typically tens of thousands of lines long, and the report details the permissions for every single piece of content within Microsoft 365. How can you drill down into the subset you really care about?
Now, let’s say you wanted to flip this analysis around and determine all the content a particular user can access. Unfortunately, PowerShell permission reports are not a very efficient tool for this type of analysis, as they require you to aggregate data across multiple reports.
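As an added example (not code from the ebook), the PnP.PowerShell script below shows what such a report looks like in practice: it walks the document library behind a Team’s SharePoint site, keeps only items that break permission inheritance, flags guests and sharing links, and then slices the result both ways, by folder and by user. The site URL, app registration client ID, folder path and guest address are assumed placeholders.

```powershell
# Added example, not the ebook's code. Requires the PnP.PowerShell module
# (Install-Module PnP.PowerShell) and site-collection admin rights on the Team's site.
Import-Module PnP.PowerShell

function Get-TeamFilePermissionReport {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,   # the Team's SharePoint site (assumed placeholder below)
        [Parameter(Mandatory)][string]$ClientId,  # your own Entra app registration, required by current PnP versions
        [string]$LibraryName = 'Documents'        # standard channel files live in the "Documents" library
    )
    Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Interactive

    $rows = [System.Collections.Generic.List[object]]::new()
    # Pull every file and folder, asking the server only for the columns we need.
    $items = Get-PnPListItem -List $LibraryName -PageSize 500 -Fields FileRef, FSObjType
    foreach ($item in $items) {
        # Items that still inherit add nothing beyond the site/library permissions,
        # which is where Team owners and members are granted access.
        if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { continue }

        foreach ($ra in (Get-PnPProperty -ClientObject $item -Property RoleAssignments)) {
            Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
            $member = $ra.Member
            # Sharing links are materialised as hidden SharePoint groups named
            # "SharingLinks.<item-guid>.<LinkKind>.<link-guid>"; LinkKind distinguishes
            # anonymous, organization-wide and specific-people links.
            $isLink   = $member.Title -like 'SharingLinks.*'
            $linkKind = if ($isLink) { ($member.Title -split '\.')[2] } else { '' }

            $rows.Add([pscustomobject]@{
                Path          = $item['FileRef']
                IsFolder      = ([int]$item['FSObjType'] -eq 1)
                Principal     = $member.Title
                LoginName     = $member.LoginName
                PrincipalType = [string]$member.PrincipalType      # User, SharePointGroup, SecurityGroup
                IsGuest       = ($member.LoginName -like '*#ext#*') # B2B guest marker in the login name
                IsSharingLink = $isLink
                LinkKind      = $linkKind
                Roles         = (($ra.RoleDefinitionBindings | ForEach-Object Name) -join ';')
            })
        }
    }
    return $rows
}

# Build the report once, save it, then slice the saved data instead of re-running it.
$report = Get-TeamFilePermissionReport -SiteUrl 'https://contoso.sharepoint.com/sites/Legal' `
                                       -ClientId '00000000-0000-0000-0000-000000000000'   # both assumed
$report | Export-Csv -Path .\legal-permissions.csv -NoTypeInformation

# 1) Drill down to one folder: only what was granted explicitly on or beneath it.
$folder = '/sites/Legal/Shared Documents/Acme Matter'   # assumed path
$report | Where-Object { $_.Path -eq $folder -or $_.Path -like "$folder/*" } |
    Format-Table Path, Principal, Roles, LinkKind -AutoSize

# 2) Flip it around: everything one person has been granted directly.
$report | Where-Object { $_.LoginName -like '*jane.doe_lawfirm.com#ext#*' } |   # assumed guest
    Select-Object Path, Roles

# 3) Anonymous links: whoever holds the URL can use them, and no report can say who that is.
$report | Where-Object { $_.LinkKind -like 'Anonymous*' } | Select-Object Path, LinkKind
```

Two caveats a practitioner will hit immediately. First, the per-user view only shows direct grants: anyone who gets access through a SharePoint group, the Team’s Microsoft 365 group or a security group is not listed under their own name until you expand those groups (Get-PnPGroupMember handles the SharePoint ones), which is exactly why the flipped analysis needs data from several reports. Second, this covers one site’s standard channels; private and shared channels have their own SharePoint sites, and files shared in chats live in the sender’s OneDrive, so each of those needs its own run.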
For a deep dive into guest management and external sharing in Microsoft Teams, we would recommend you read our eBook on the topic. But at a high level, it is fairly easy to see the guest users in your Azure AD Admin Center (now the Microsoft Entra admin center).
It’s the next part that’s hard. Let’s say a higher-up wants to know which guest users have access to a particular folder, if any. With the information painstakingly gained from the PowerShell permission reports, you determine that guest users do have explicit permission to read and edit some files within that folder. The higher-up says, “Uh-oh, let’s roll back those permissions.” OK, consider it done — with just a few clicks, you update the permissions.
But wait a second, without understanding the background surrounding those guest users’ access, you may have just made a decision that’s going to impede collaboration on an active project.
In order to identify what type of control is ultimately needed (and where), you’ll want to get answers to these important questions:
- Who requested the guest have access in the first place?
- Does the guest still need access?
- Does the guest have access to sensitive content?
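As an added example (not code from the ebook), the Microsoft Graph PowerShell script below puts the directory view of guests next to those three questions: it inventories guest accounts with their invitation state and last sign-in, looks up who sent each invitation in the Entra audit log, and joins that onto the guest rows of a folder’s permission report. The CSV file and its columns, the folder path, the staleness threshold and the audit-log activity name are assumptions.

```powershell
# Added example, not the ebook's code. Requires the Microsoft.Graph modules and an account
# consented for User.Read.All and AuditLog.Read.All. The CSV is assumed to be a permission
# report exported earlier with Path, LoginName, IsGuest and Roles columns.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'

function Get-GuestInventory {
    param([int]$StaleAfterDays = 90)   # assumed review threshold
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    # SignInActivity is only populated on tenants with a Microsoft Entra ID P1/P2 licence;
    # elsewhere LastSignIn stays empty and the guest is flagged stale for manual follow-up.
    $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime, ExternalUserState, SignInActivity
    foreach ($g in $guests) {
        $last = $g.SignInActivity.LastSignInDateTime
        [pscustomobject]@{
            Upn         = $g.UserPrincipalName      # contains #EXT# for B2B guests
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            Invited     = $g.CreatedDateTime
            InviteState = $g.ExternalUserState      # PendingAcceptance until the guest redeems the invite
            LastSignIn  = $last
            LooksStale  = (-not $last) -or ($last -lt $cutoff)
        }
    }
}

function Get-GuestInviterMap {
    # "Who requested the guest?" The Entra audit log records the invitation, but only for a
    # limited number of days, so in practice this is a scheduled export, not an ad hoc query.
    # The activity name below is an assumption; confirm it against your tenant's audit log.
    $map = @{}
    Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Invite external user'" -All |
        Sort-Object ActivityDateTime |
        ForEach-Object {
            $by = $_.InitiatedBy.User.UserPrincipalName
            foreach ($t in $_.TargetResources) {
                if ($t.UserPrincipalName) { $map[$t.UserPrincipalName.ToLower()] = $by }
            }
        }
    return $map
}

# Join the directory view onto the permission rows for one folder.
$inventory = Get-GuestInventory
$inviters  = Get-GuestInviterMap
$report    = Import-Csv .\legal-permissions.csv              # assumed earlier export
$folder    = '/sites/Legal/Shared Documents/Acme Matter'     # assumed path

$guestAccess = $report |
    Where-Object { $_.IsGuest -eq 'True' -and ($_.Path -eq $folder -or $_.Path -like "$folder/*") } |
    ForEach-Object {
        $row = $_
        # SharePoint login names look like "i:0#.f|membership|<upn>"; keep the UPN part.
        $upn = ($row.LoginName -split '\|')[-1]
        $dir = $inventory | Where-Object { $_.Upn -ieq $upn } | Select-Object -First 1
        [pscustomobject]@{
            Path        = $row.Path
            Guest       = $upn
            Roles       = $row.Roles
            Invited     = $dir.Invited
            InvitedBy   = $inviters[$upn.ToLower()]
            InviteState = $dir.InviteState
            LastSignIn  = $dir.LastSignIn
            LooksStale  = $dir.LooksStale
        }
    }

# Stale guests with edit rights go to the top of the review list; the InvitedBy column is the
# context that stops you from breaking an active engagement by revoking access blindly.
$guestAccess | Sort-Object LooksStale, Roles -Descending | Format-Table -AutoSize
```

The third question, whether the content is sensitive, is not answered by permissions data at all; it needs the classification or sensitivity-label information on the files themselves, which is a separate report.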
Perhaps the guest users are external attorneys who were given access by your general counsel to confer on an ongoing legal matter. That matter will be wrapped up in a week, but until then, it’s critical that they be able to access appropriate documents. This additional information provides vital context that tells a more comprehensive story of your data and can help you identify and prioritize exposure hot spots. Here’s a quick chart to help you visualize:
Have other burning Microsoft Teams governance and security questions you need answered? Download the full ebook here and check out other excerpts below:
- Where is Sensitive Data Located in Microsoft Teams?
- How to Discover When a Microsoft Team Was Accessed & Why it Exists