Configure teams with protection for highly sensitive data (2024)

Table of Contents
In this article Video demonstration Guest sharing Authentication context Sensitivity labels Teams settings See Also
  • Article

Configure teams with protection for highly sensitive data (1) Some features in this article require Microsoft Syntex - SharePoint Advanced Management

In this article, we look at setting up a team for a highly sensitive level of protection. Be sure you've completed the steps in Deploy teams with baseline protection before following the steps in this article.

For this tier of protection, we create a sensitivity label that can be used across your organization for highly sensitive teams and files.

The highly sensitive tier offers the following additional protections over the baseline tier:

  • A sensitivity label for the team that allows you to turn guest sharing on or off and enforces a conditional access policy for access to the SharePoint site.
  • The label is also used as a default label for files and encrypts the files to which it's applied. Only members of your organization and guests that you have specified will be able to decrypt files that use this label.
  • Only team owners can create private channels.
  • Site access is restricted to team members.

Video demonstration

Watch this video for a walkthrough of the procedures described in this article.

Guest sharing

Depending on the nature of your business, you may or may not want to enable guest sharing for teams that contain highly sensitive data. If you do plan to collaborate with people outside your organization in the team, we recommend enabling guest sharing. Microsoft 365 includes a variety of security and compliance features to help you share sensitive content securely. This is generally a more secure option than emailing content directly to people outside your organization.

For details about sharing with guests securely, see the following resources:

  • Limit accidental exposure to files when sharing with people outside your organization
  • Create a secure guest sharing environment

To allow or block guest sharing, we use controls available in sensitivity labels.

Authentication context

We use a Microsoft Entra authentication context to enforce more stringent access conditions when users access SharePoint sites.

First, add an authentication context in Microsoft Entra ID.

To add an authentication context

See Also
Q&A in Microsoft Teams meetingsUse end-to-end encryption for Microsoft Teams callsKnow about apps in Microsoft Teams - Microsoft TeamsWhat is Microsoft Teams? - Microsoft Support

  1. In Microsoft Entra Conditional Access, under Manage, select Authentication contexts.

  2. Select New authentication context.

  3. Type a name and description and select the Publish to apps check box.

    Configure teams with protection for highly sensitive data (2)

  4. Select Save.

Next, create a conditional access policy that applies to that authentication context and that requires guests to use multifactor authentication when accessing SharePoint.

To create a conditional access policy

  1. In Microsoft Entra Conditional Access, select Create new policy.

  2. Type a name for the policy.

  3. On the Users tab, choose the Select users and groups option, and then select the Guest or external users check box.

  4. Choose B2B collaboration guest users from the dropdown.

  5. On the Target resources tab, under Select what this policy applies to, choose Authentication context, and select the check box for the authentication context that you created.

    Configure teams with protection for highly sensitive data (3)

  6. On the Grant tab, select Require multifactor authentication, and then choose Select.

    See Also
    Unveiling Microsoft Teams vulnerabilities: risks and protections

  7. Choose if you want to enable the policy, and then select Create.

We'll point to the authentication context in the sensitivity label.

Sensitivity labels

For the highly sensitive level of protection, we use a sensitivity label to classify the team. We also use this label to classify and encrypt individual files in the team. (It can also be used on files in other file locations such as SharePoint or OneDrive.)

As a first step, you must enable sensitivity labels for Teams. See Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites for details.

If you already have sensitivity labels deployed in your organization, consider how this label fits with your overall label strategy. You can change the name or settings if needed to meet the needs of your organization.

Once you have enabled sensitivity labels for Teams, the next step is to create the label.

To create a sensitivity label

  1. Open the Microsoft Purview compliance portal.
  2. Under Solutions, expand Information protection.
  3. Select Create a label.
  4. Give the label a name. We suggest Highly sensitive, but you can choose a different name if that one is already in use.
  5. Add a display name and description, and then select Next.
  6. On the Define the scope for this label page, select Items, Files, Emails, and Groups & sites. Clear the Meetings check box.
  7. Select Next.
  8. On the Choose protection settings for files and emails page, select Apply or remove encryption, and then select Next.
  9. On the Encryption page, choose Configure encryption settings.
  10. Under Assign permissions to specific users and groups, select Assign permissions.
  11. Select Add all users and groups in your organization.
  12. If there are guests who should have permissions to decrypt files, select Add users or groups and add them.
  13. Select Save, and then select Next.
  14. On the Auto-labeling for files and emails page, select Next.
  15. On the Define protection settings for groups and sites page, select Privacy and external user access and External sharing and Conditional Access and select Next.
  16. On the Define privacy and external user access settings page, under Privacy, select the Private option.
  17. If you want to allow guest access, under External user access, select Let Microsoft 365 Group owners add people outside your organization to the group as guests.
  18. Select Next.
  19. On the Define external sharing and conditional access settings page, select Control external sharing from labeled SharePoint sites.
  20. Under Content can be shared with, choose New and existing guests if you're allowing guest access or Only people in your organization if not.
  21. Select Use Microsoft Entra Conditional Access to protect labeled SharePoint sites.
  22. Select the Choose an existing authentication context option, and then select the authentication context that you created from the dropdown list.
  23. Select Next.
  24. On the Auto-labeling for schematized data assets page, select Next.
  25. Select Create label, and then select Done.

Once you've created the label, you need to publish it to the users who will use it. For sensitive protection, we make the label available to all users. You publish the label in the Microsoft Purview compliance portal, on the Label policies page under Information protection. If you have an existing policy that applies to all users, add this label to that policy. If you need to create a new policy, see Publish sensitivity labels by creating a label policy.

Teams settings

Further configuration of the highly sensitive scenario is done in the team itself and in the SharePoint site associated with the team, so the next step is to create a team.

We'll create the team in the Teams admin center.

To create a team for highly sensitive information

  1. In the Teams admin center, expand Teams and select Manage teams.
  2. Select Add.
  3. Type a name and description for the team.
  4. Add one or more owners for the team. (Keep yourself as an owner so you can choose a default sensitivity label for files below.)
  5. Choose the sensitivity label that you created for highly sensitive information from the Sensitivity dropdown list.
  6. Select Apply.

Private channel settings

In this tier, we restrict creating private channels to team owners.

To restrict private channel creation

  1. In the Teams admin center, select the team that you created, and then select Edit.
  2. Expand Message permissions.
  3. Set Add and edit private channels to Off.
  4. Select Apply.

Shared channels doesn't have team-level settings. The shared channel settings you configure in the Teams admin center and the Microsoft Entra admin center apply to individual users.

Each time you create a new team with the highly sensitive label, there are two steps to do in SharePoint:

  • Restrict access to the site to members of the team only
  • Choose a default sensitivity label for the document library connected to the team.

The default sensitivity label must be configured in the site itself and can't be set up from the SharePoint admin center or via PowerShell.

Restrict site access to team members

Each time you create a new team with the highly sensitive label, you need to turn on site access restriction on the associated SharePoint site. This prevents people from outside the team from accessing the site or its content. (This requires a Microsoft Syntex - SharePoint Advanced Management license.)

If you haven't used site access restriction before, you need to turn it on for your organization.

  1. In the SharePoint admin center, expand Policies and select Access control.
  2. Select Site access restriction.
  3. Select Allow access restriction and then select Save

It might take up to an hour for this to take effect.

To turn on site access restriction for the site

  1. In SharePoint admin center, expand Sites and select Active sites.
  2. Select the site you want to manage.
  3. On the Settings tab, select Edit in the Restricted site access section.
  4. Select the Restrict access to this site box and select Save.

Choose a default sensitivity label for files

We'll use the sensitivity label that we created as the default sensitivity label for the site document library that is connected to Teams. This will automatically apply the highly sensitive label to any new label-compatible files that are uploaded to the library, encrypting them. (This requires a Microsoft Syntex - SharePoint Advanced Management license.)

You need to be a team owner to do this task.

To set a default sensitivity label for a document library

  1. In Teams, navigate to the General channel of the team you want to update.

  2. In the tool bar for the team, select Files.

  3. Select Open in SharePoint.

  4. In the SharePoint site, open Settings and then choose Library settings.

  5. From the Library settings flyout pane, select Default sensitivity labels, and then select the highly sensitive label from the drop-down box.

For more details about how default library labels work, see Configure a default sensitivity label for a SharePoint document library and Add a sensitivity label to SharePoint document library.

See Also

Create and configure sensitivity labels and their policies

Configure teams with protection for highly sensitive data (2024)
Top Articles
Trade and Geography in the Spread of Islam
Is Venmo unavailable in Canada? Here are some alternatives
Forozdz
4-Hour Private ATV Riding Experience in Adirondacks 2024 on Cool Destinations
St Als Elm Clinic
Acbl Homeport
Regular Clear vs Low Iron Glass for Shower Doors
Connexus Outage Map
A Guide to Common New England Home Styles
Busted Newspaper S Randolph County Dirt The Press As Pawns
Cashtapp Atm Near Me
Dallas Cowboys On Sirius Xm Radio
Spoilers: Impact 1000 Taping Results For 9/14/2023 - PWMania - Wrestling News
Red Devil 9664D Snowblower Manual
The best TV and film to watch this week - A Very Royal Scandal to Tulsa King
10 Fun Things to Do in Elk Grove, CA | Explore Elk Grove
Scotchlas Funeral Home Obituaries
Accident On 215
Is A Daytona Faster Than A Scat Pack
Heart and Vascular Clinic in Monticello - North Memorial Health
Katie Sigmond Hot Pics
Company History - Horizon NJ Health
Egizi Funeral Home Turnersville Nj
What Is a Yurt Tent?
Studentvue Calexico
NV Energy issues outage watch for South Carson City, Genoa and Glenbrook
27 Fantastic Things to do in Lynchburg, Virginia - Happy To Be Virginia
Tripcheck Oregon Map
Gncc Live Timing And Scoring
Elanco Rebates.com 2022
Grove City Craigslist Pets
Mbi Auto Discount Code
Dreamcargiveaways
Litter-Robot 3 Pinch Contact & DFI Kit
Rocketpult Infinite Fuel
No Hard Feelings Showtimes Near Tilton Square Theatre
Spn-523318
8 Ball Pool Unblocked Cool Math Games
What Is Kik and Why Do Teenagers Love It?
2020 Can-Am DS 90 X Vs 2020 Honda TRX90X: By the Numbers
Questions answered? Ducks say so in rivalry rout
Simnet Jwu
SF bay area cars & trucks "chevrolet 50" - craigslist
FREE - Divitarot.com - Tarot Denis Lapierre - Free divinatory tarot - Your divinatory tarot - Your future according to the cards! - Official website of Denis Lapierre - LIVE TAROT - Online Free Tarot cards reading - TAROT - Your free online latin tarot re
Love Words Starting with P (With Definition)
Ouhsc Qualtrics
Craigslist Chautauqua Ny
Pas Bcbs Prefix
Ssss Steakhouse Menu
Secondary Math 2 Module 3 Answers
Obituaries in Westchester, NY | The Journal News
Intuitive Astrology with Molly McCord
Latest Posts
6 ESG examples driving success in business | Evergreen
The importance of ESG for a business
Article information

Author: Laurine Ryan

Last Updated:

Views: 5826

Rating: 4.7 / 5 (57 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Laurine Ryan

Birthday: 1994-12-23

Address: Suite 751 871 Lissette Throughway, West Kittie, NH 41603

Phone: +2366831109631

Job: Sales Producer

Hobby: Creative writing, Motor sports, Do it yourself, Skateboarding, Coffee roasting, Calligraphy, Stand-up comedy

Introduction: My name is Laurine Ryan, I am a adorable, fair, graceful, spotless, gorgeous, homely, cooperative person who loves writing and wants to share my knowledge and understanding with you.