COVID-19 has sent many IT departments scrambling to roll out some form of conferencing/collaboration tool as staff had to work remotely. This has hit hardest the organizations that were not agile or cloud-ready, having not adopted the modern workplace earlier on.
Microsoft Teams runs on SharePoint Online and OneDrive at its core. Organizations running on-premises compliance/DLP solutions will find it hard to put controls around data that now lives in the cloud. If you were not an early adopter, enabling a collaboration tool such as Microsoft Teams while keeping organizational data from going walkabout is a daunting task. If your organization is one of those still sitting like a cat on the wall (on the fence) – how do we do it?
Block file sharing in Teams by:
1. Not assigning a SharePoint Online license (service plan) to end users.
2. Not creating Teams or Channels at all; if you do need them, then:
3. Create the Teams for your organization but remove the Team members' EDIT permission on the Team's SharePoint site.
4. Additionally, if the tenant has Microsoft Cloud App Security enabled, create a session-based Conditional Access policy which blocks upload and download of files in Teams and SharePoint Online.
SharePoint Online license – by not assigning this you deprive end users of access to OneDrive for Business, which is the primary storage for files shared in 1-1 and group chats.
Creating a Team – when a Team is created with members, this creates a SharePoint Online site which by default gives members Edit permission on the site. Removing the Edit permission from the Team site leaves members with only Read permission, and only the owner of the Team/SharePoint site keeps Full Control, so just do not assign or delegate the owner role to a regular user. Note that Read still lets members open and download whatever is already on the site; removing Edit stops uploads and modifications, not downloads.
Microsoft Cloud App Security – Microsoft's CASB (Cloud Access Security Broker) solution, which acts as a reverse proxy. A session-based Conditional Access policy can be configured to prevent file uploads/downloads in Teams/SharePoint sites. Caveat: this only works when the services are accessed via the web, not through the desktop client, hence the point above – remove Edit permission for Team members. MCAS also gives you insight and alerts when someone does try to upload a file: the upload is blocked and the admin is alerted.
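The steps above can all be done in the admin portals, but the first three can also be scripted so they are repeatable and checkable. The following is an added example written for this post (it is not the author's own script), in PowerShell. It assumes the MSOnline, PnP.PowerShell and AzureADPreview modules are installed, a tenant named contoso with an E3 SKU (contoso:ENTERPRISEPACK) whose SharePoint service plan is SHAREPOINTENTERPRISE, a Team site at /sites/Finance and a security group named Teams-Creators; every one of those names is a placeholder for your own tenant values. It removes the SharePoint Online service plan from one user (step 1), downgrades the Team's members group from Edit to Read (step 3), and restricts Team/Microsoft 365 Group creation to an approved group (the PowerShell control the author points to in the comments). The MCAS session policy (step 4) is configured in the Cloud App Security portal and is not scripted here.

```powershell
# Added example, not from the original post. Placeholder values; replace with your tenant's.
$Tenant      = "contoso"
$SkuId       = "$($Tenant):ENTERPRISEPACK"   # assumption: E3 SKU in this tenant
$PlanToDrop  = "SHAREPOINTENTERPRISE"        # SharePoint Online service plan; OneDrive for Business depends on it
$TeamSiteUrl = "https://$Tenant.sharepoint.com/sites/Finance"   # assumption: the Team's site
$CreatorsGrp = "Teams-Creators"              # assumption: security group allowed to create Teams/Groups

# --- Step 1: strip the SharePoint Online service plan from a user's license ---------------
Connect-MsolService

function Disable-SharePointPlan {
    param([Parameter(Mandatory)][string]$Upn)
    # Keep the SKU assigned but disable the SharePoint plan inside it.
    $opts = New-MsolLicenseOptions -AccountSkuId $SkuId -DisabledPlans $PlanToDrop
    Set-MsolUserLicense -UserPrincipalName $Upn -LicenseOptions $opts
    # Verification: return the service plans still enabled for this SKU.
    # SHAREPOINTENTERPRISE must not appear in the output.
    $lic = (Get-MsolUser -UserPrincipalName $Upn).Licenses | Where-Object { $_.AccountSkuId -eq $SkuId }
    $lic.ServiceStatus |
        Where-Object { $_.ProvisioningStatus -ne "Disabled" } |
        ForEach-Object { $_.ServicePlan.ServiceName }
}
Disable-SharePointPlan -Upn "alice@$Tenant.onmicrosoft.com"

# --- Step 3: demote the Team's SharePoint "Members" group from Edit to Read ---------------
Connect-PnPOnline -Url $TeamSiteUrl -Interactive

# The Team's members land in the site's associated member group (usually "<Site> Members").
$membersGroup = Get-PnPGroup -AssociatedMemberGroup
Set-PnPGroupPermissions -Identity $membersGroup -RemoveRole "Edit" -AddRole "Read"

# Verification: the only role left on the group should be "Read".
# Read still allows members to open and download existing files; it blocks uploads and edits.
Get-PnPGroupPermissions -Identity $membersGroup | Select-Object -ExpandProperty Name

# --- Restrict who can create Teams / Microsoft 365 Groups (AzureADPreview) ---------------
Connect-AzureAD

$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
$setting  = Get-AzureADDirectorySetting        | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    # No tenant-level Group.Unified setting yet: create one from the template.
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
}

$creatorsId = (Get-AzureADGroup -SearchString $CreatorsGrp | Select-Object -First 1).ObjectId
$setting["EnableGroupCreation"]         = "False"      # nobody creates groups...
$setting["GroupCreationAllowedGroupId"] = $creatorsId  # ...except members of this group
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Verification: EnableGroupCreation should read False and the allowed group id should be set.
(Get-AzureADDirectorySetting -Id $setting.Id).Values
```

Run the three parts separately if you like; each connects to its own service. The license change does not sign the user out of an existing OneDrive session, so pair it with a forced sign-out from the admin centre (the author's reply in the comments makes the same point), and run the verification lines again a few minutes later because license changes propagate asynchronously.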
Now that you have control of file sharing and have enabled Microsoft Teams, start a strategic rollout of cloud solutions for DLP, information protection and governance, and classification. All of this is available via Microsoft 365 through Azure Information Protection, DLP, Azure ATP and Defender ATP, which can scan and classify your organization's data automatically based on sensitivity rules you control.
If we do not assign a license to a user in O365 (which is NOT recommended), we have noticed that the users were able to share the file in Teams chat using OneDrive. When two users chat in Teams, the file exchanged between them is saved in the sender's OneDrive and automatically shared with the recipients. Also, an unlicensed user can create teams as well.
When the SharePoint license is not assigned, OneDrive is not available; perhaps the users were assigned it earlier on and you need to sign them out forcefully from the Admin centre. Regarding creation of teams, you can control who can create a team using PowerShell so that only approved users can create Teams. http://www.thatlazyadmin.com/how-to-restrict-users-from-creating-new-microsoft-teams-and-office-365-groups/
virendrak is right, not assigning the license doesn’t prevent anything. On my brand new account I’m able to even download all the team files. Conditional Access worked just fine.
Not when you don’t assign them OneDrive license.
There’s a way to do it simply with a friendly UI called SphereShield. It has a granular approach to controlling which users have permission for file sharing, messaging, calls and screen sharing.
Here’s the appsource link: https://appsource.microsoft.com/en-us/product/web-apps/agatsoftwaredevelopmentltd1592480580416.agatsoftware_msteams_ethicalwall_01
This is the Official Site: https://agatsoftware.com/microsoft-teams-ethical-wall/
All the best!
thanks for the share
Everything looks good, but if we remove the owner, nobody is able to add a team member any more. How did you handle this?
Yes, you will still need an owner, so perhaps add an owner who is not an actual user, which only you as the admin can log in to and add members – more controlled. Members will request to add other members, and you will receive an email notification to add them.
thanks for sharing the article.
For current users, you need to delete the SharePoint site.
For new users, don’t assign the SharePoint license.
Follow the below article for details with graphics.