In the world of compliance, there are several categories of controls that help get the job done. Depending on the requirement, you may need all of them to satisfy it, including:
- Technical controls (e.g., auto-apply sensitivity labels based on content or location)
- Operational/Process controls (e.g., review guest access on a regular basis)
- Manual controls (e.g., end users manually agreeing to adhere to supplied guidance)
If you’re an IT administrator in charge of Microsoft Teams, your day-to-day focus is likely on the technical bits you have control over. That is to say, the backend configuration controlling how the service works for end users.
But as good as technology is, there’s often a human element to be considered. Sometimes you need to combine a technical control with an end-user manual control. This post describes a practical example of this with something you may want to consider for Microsoft Teams, particularly those of you in a regulated organization.
Anecdotally, many records managers tell me, “We aren’t supposed to make business decisions in a Teams conversation” or “We shouldn’t be sharing confidential documents in Teams chats.” The technical controls I mentioned above can certainly be put in place to help mitigate the risk of this happening; however, we must also ensure Microsoft Teams users are aware of your guidance. Without this, your Teams users are the Achilles’ heel of your compliance strategy.
A chain is only as strong as its weakest link.
A great way of strengthening that link is with a Terms of Use (ToU) targeted specifically at Microsoft Teams.
I’ve seen many methods used to communicate this type of “Teams guidance” including:
- In an org-wide email (however, this may get lost in the noise of an end-user’s inbox)
- As a news item on your intranet (however, this may get missed by those not paying attention to that communication channel)
- An attestation form built using Microsoft Forms and sent/tracked to end-users (however, it’s up to you to build the form and track who has/hasn’t responded)
- A custom solution using the Power Platform (however, it’s up to you to build and support the custom solution, which will in turn incur technical debt)
The Azure AD (now Microsoft Entra ID) Terms of Use feature has several helpful options built in:
- Can apply to employees and/or guests
- Can decide how often a user must re-accept a ToU
- Can be purpose-built for a specific app (e.g., Teams, SharePoint, OneDrive) or apply to all
- Can list who has/hasn’t accepted the ToU
- Can support multilingual users
Let’s dig in.
Step 1: Create the ToU
The first thing to do is create your ToU. For the purposes of this post I’ll create a Microsoft Teams ToU, but you could create a common one to address all your communication channels, multiple ToUs to target different groups of users (employees or guests), or a separate one for each app. In all cases, engage your legal, risk, and compliance teams for the right wording of your ToU. Here’s the sample Teams ToU:
I want acceptance of this Teams ToU to be required for employees and guests before gaining access to Teams. I also want it to be displayed to users on a recurring schedule – once every quarter.
- Language of English
- Require users to expand the ToU so they are encouraged to read it
- Expire consents starting immediately, with re-acceptance required every quarter (i.e., every 90 days)
Step 2: Create a Conditional Access Policy
To enforce your ToU, a Conditional Access policy is required. For our ToU, I want it to apply to internal users and guests when they access Microsoft Teams, so I’ll select the Custom policy option.
This takes you to the Conditional Access screen shown below to create a new policy. Alternatively, you can use one of the built-in templates; however, because I want to target only Microsoft Teams, I’ll create a custom one:
I give the conditional access policy a name and then make the following assignments:
- User or workload identities the policy applies to (internal users, external users, guests)
- Cloud apps or actions the policy applies to (Teams)
- Access controls (associate our Teams ToU here)
Users or Workload Identities
I want this ToU to apply to guests, external users, and to the two users on my tenant:
Cloud Apps or Actions
I want this ToU to apply to Microsoft Teams only; however, this is also where you could assign a different ToU to each type of cloud app (Exchange, SharePoint, OneDrive) as a reminder to staff of the compliance controls you’re enforcing:
Grant Access Controls
Last, but not least, enable the policy:
What does the end-user see?
The next time I sign into Teams, this is what I’ll see:
I can now access Microsoft Teams and will be prompted with the ToU again after 90 days. Brilliant!
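The same two steps can be driven through the Microsoft Graph API instead of the portal. The Python below is an added example, not code from the original post or from AvePoint: it builds the request bodies for the ToU agreement (Step 1) and the Conditional Access policy (Step 2) with the settings used above, starts the policy in report-only mode, and refuses to build a policy that does not exclude an emergency-access account. The PDF bytes and the user, guest and agreement IDs are constructed placeholders, and you supply your own Graph token when you POST the bodies.

```python
"""Graph request bodies for the two steps above (assumed: ToU PDF as bytes, placeholder IDs;
POST the resulting dicts to the URLs below with your own Microsoft Graph bearer token)."""
import base64
import json
from datetime import datetime, timezone
from typing import Optional

TEAMS_APP_ID = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"  # well-known Microsoft Teams app ID
AGREEMENTS_URL = "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements"
POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

def build_teams_agreement(pdf_bytes: bytes, start: Optional[datetime] = None) -> dict:
    """Step 1: English ToU, must be expanded before acceptance, consent expires every 90 days."""
    start = start or datetime.now(timezone.utc)
    return {
        "displayName": "Microsoft Teams Terms of Use",
        "isViewingBeforeAcceptanceRequired": True,   # force users to expand the ToU
        "isPerDeviceAcceptanceRequired": False,
        "termsExpiration": {"startDateTime": start.isoformat(), "frequency": "P90D"},
        "files": [{
            "fileName": "teams-tou-en.pdf",
            "language": "en",
            "isDefault": True,
            "fileData": {"data": base64.b64encode(pdf_bytes).decode("ascii")},
        }],
    }

def build_teams_tou_policy(agreement_id: str, include_users: list,
                           exclude_users: list, enforce: bool = False) -> dict:
    """Step 2: named users plus guests/external users, Teams only, grant = accept the ToU.
    Defaults to report-only; refuses to build without a break-glass account exclusion."""
    if not exclude_users:
        raise ValueError("exclude at least one emergency-access account")
    return {
        "displayName": "Require Microsoft Teams ToU",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": list(include_users) + ["GuestsOrExternalUsers"],
                      "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": [TEAMS_APP_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [], "termsOfUse": [agreement_id]},
    }

if __name__ == "__main__":  # constructed PDF bytes and placeholder IDs
    print(json.dumps(build_teams_agreement(b"%PDF-1.4"), indent=2))
    print(json.dumps(build_teams_tou_policy("<agreement-id>", ["<user-1>", "<user-2>"],
                                            ["<break-glass-id>"]), indent=2))
```

Create the agreement first, take the `id` from the response, and pass it as `agreement_id` when building the policy; switch `enforce=True` only after reviewing the report-only sign-in logs.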