Tuesday, 15 February 2022

Restrict Microsoft Teams Copy & Paste

There can be different reasons to restrict the copy & paste feature in Teams.
For example, it can prevent users from copying content from Teams chats and posting it in other apps. It is important to consider whether the restrictions should apply to the web version of Microsoft Teams or to the Teams client/app. Both can be restricted, but a different solution is used in each case.
A common scenario is to restrict the copy & paste feature for guest users. This can also increase security on unmanaged devices, for example in the case of guest users or a bring-your-own-device strategy.
To implement this scenario for browser access, create a Conditional Access policy that only affects guest users or selected users or groups, and from which Azure AD joined devices can be excluded.
If the Teams client / Teams app is used for access, an App Protection Policy must be used in Endpoint Manager. This policy can then be restricted to "unmanaged" devices, for example.

Restrict copy & paste when accessing via the browser

When accessing via the browser, a Conditional Access policy redirects the session through Defender for Cloud Apps by means of the "Use Conditional Access App Control" setting:

The conditional access rule can be restricted to guests or specific groups from Azure AD, for example:

A rule must then be created in Defender for Cloud Apps that prevents the copy & paste capability:

As the screenshot shows, the following other capabilities can also be restricted:
  • Print
  • Send item
  • Send Teams message
In the "Session control type" section of the policy, you can see that uploads or downloads can also be restricted in this way. A separate policy must be created for each of these, because the "Session control type" section only allows a single filter.
The user now receives the following notification when trying to copy data from a Teams chat:

Restrict copy & paste when accessing via Teams client / Teams app

App Protection rules are used when accessing via the client / app. This is a feature in Microsoft Endpoint Manager. For the scenario of restricting access from unmanaged devices, the "unmanaged" option is selected for the Device Type in the policy. The "Apps" section of the policy defines the applications that are affected by the policy. As the screenshot shows, the same policy can also cover additional apps, such as Microsoft Planner:

In the section "Data protection" the setting "Restrict cut, copy, and paste between other apps" is available:

The user will now see this message when trying to copy data from a Teams chat and post it in WhatsApp, for example:

The following additional settings can be configured in the App Protection Policy:
  • Backup org data to Android backup services
  • Send org data to other apps
  • Receive data from other apps
  • Screen capture
  • Printing org data
  • Restrict web content transfer with other apps
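
The checks below are an added example, not part of the original post: a Python audit over exported Microsoft Graph JSON for the two policies described above (the Conditional Access policy for browser access and the App Protection Policy for the client/app). The sample policies and the TEAMS_APP_ID placeholder are constructed, and the field names are assumed to match the Graph conditionalAccessPolicy and managed app protection exports from your tenant.

```python
# Added example: audits exported Microsoft Graph JSON; all sample data is constructed.
TEAMS_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, replace with the Teams app ID

def audit_browser_policy(policy, teams_app_id=TEAMS_APP_ID):
    """Return findings for a conditionalAccessPolicy export (browser scenario)."""
    findings = []
    cond = policy.get("conditions") or {}
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced")
    users = cond.get("users") or {}
    targeted = set(users.get("includeUsers") or []) - {"None"}
    if not (targeted or users.get("includeGroups") or users.get("includeGuestsOrExternalUsers")):
        findings.append("no users, groups or guests are targeted")
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    if not apps & {"All", "Office365", teams_app_id}:
        findings.append("Teams is not in scope")
    if not set(cond.get("clientAppTypes") or []) & {"all", "browser"}:
        findings.append("browser sessions are not in scope")
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    if not cas.get("isEnabled"):
        findings.append("Conditional Access App Control is off")
    elif cas.get("cloudAppSecurityType") != "mcasConfigured":
        # Only "Use custom policy" hands the session to a Defender for Cloud Apps session policy.
        findings.append("App Control uses a preset instead of a custom policy")
    return findings

def audit_app_protection(policy):
    """Return findings for an app protection policy export (client/app scenario)."""
    # Assumption: a missing value is treated as unrestricted, the conservative reading.
    level = policy.get("allowedOutboundClipboardSharingLevel", "allApps")
    return ["cut, copy and paste to other apps is unrestricted"] if level == "allApps" else []

# Constructed sample exports (not taken from a real tenant).
GOOD_CA = {
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["GuestsOrExternalUsers"]},
        "applications": {"includeApplications": [TEAMS_APP_ID]},
        "clientAppTypes": ["browser"],
    },
    "sessionControls": {"cloudAppSecurity": {"isEnabled": True,
                                             "cloudAppSecurityType": "mcasConfigured"}},
}
WEAK_CA = dict(GOOD_CA, state="enabledForReportingButNotEnforced",
               sessionControls={"cloudAppSecurity": {"isEnabled": True,
                                                     "cloudAppSecurityType": "monitorOnly"}})

if __name__ == "__main__":
    for name, pol in (("good", GOOD_CA), ("weak", WEAK_CA)):
        print(name, audit_browser_policy(pol))
    print(audit_app_protection({"allowedOutboundClipboardSharingLevel": "managedApps"}))
```

An empty list means the export matches the scenario; the second check only covers the "Restrict cut, copy, and paste between other apps" setting, not the additional settings listed above.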
