Sunday, 27 March 2022

Microsoft Teams Shared Channels

Shared Channels will be rolled out as a public preview in the coming weeks. This is a new channel type that sits alongside the existing standard and private channels. Shared Channels allow collaboration with external users without the user having to switch tenants:
Shared channels are controlled per user via Teams policies in the Teams admin center (create shared channels, invite external users to shared channels, join external shared channels):
Shared Channels are based on Azure AD B2B Direct Connect. This Azure AD feature enables collaboration with external users without adding them as B2B guests in Azure AD. Because B2B Direct Connect is disabled by default, both tenants must configure it in their cross-tenant access settings before a shared channel can be used between them. Administrators can grant, restrict, or revoke access for external users at the individual user, group, or tenant level:
More details about Cross-tenant access settings: Cross-tenant access settings in Azure AD
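As an added example (not part of the original post), the following PowerShell configures B2B Direct Connect for one partner tenant with the Microsoft.Graph SDK. The partner tenant ID and the local group ID are placeholders; the partner tenant has to make the mirror-image change on its side before shared-channel invitations work.

```powershell
# Added example, not from the original post. Assumptions: placeholder partner tenant ID and
# local group ID; Microsoft.Graph PowerShell SDK installed; the caller holds the
# Policy.ReadWrite.CrossTenantAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$partnerTenantId = "11111111-2222-3333-4444-555555555555"   # assumed: partner's Azure AD tenant ID
$allowedGroupId  = "66666666-7777-8888-9999-000000000000"   # assumed: local group allowed to use shared channels
$base = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners"

# Shared channels need B2B direct connect in BOTH directions, and the application target
# must be the well-known value "Office365"; allowing users alone is not enough.
# Inbound : any user of the partner may join our shared channels.
# Outbound: only members of $allowedGroupId may join the partner's shared channels.
$partner = @{
    tenantId = $partnerTenantId
    b2bDirectConnectInbound = @{
        usersAndGroups = @{ accessType = "allowed"; targets = @(@{ target = "AllUsers";  targetType = "user" }) }
        applications   = @{ accessType = "allowed"; targets = @(@{ target = "Office365"; targetType = "application" }) }
    }
    b2bDirectConnectOutbound = @{
        usersAndGroups = @{ accessType = "allowed"; targets = @(@{ target = $allowedGroupId; targetType = "group" }) }
        applications   = @{ accessType = "allowed"; targets = @(@{ target = "Office365";     targetType = "application" }) }
    }
}

# Create the partner entry, or update it if the tenant is already listed.
# A GET on a partner that does not exist throws, which selects the "create" branch.
$exists = $true
try   { $null = Invoke-MgGraphRequest -Method GET -Uri "$base/$partnerTenantId" }
catch { $exists = $false }

if ($exists) {
    $partner.Remove("tenantId")   # tenantId is the key of the entry, not a patchable property
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$partnerTenantId" `
        -Body ($partner | ConvertTo-Json -Depth 10) -ContentType "application/json"
} else {
    Invoke-MgGraphRequest -Method POST -Uri $base `
        -Body ($partner | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# Verify what is actually stored. Invoke-MgGraphRequest returns a hashtable, so the
# sub-objects are read by key. Until the partner configures the mirror image
# (its outbound to us, its inbound from us) invitations between the tenants still fail.
$stored = Invoke-MgGraphRequest -Method GET -Uri "$base/$partnerTenantId"
$stored.b2bDirectConnectInbound  | ConvertTo-Json -Depth 10
$stored.b2bDirectConnectOutbound | ConvertTo-Json -Depth 10
```

The outbound side is the one to keep narrow: it decides which of your own users may be pulled into a partner's channels, and with it which of your documents end up co-authored in the partner's SharePoint site collection.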

A separate SharePoint site collection is created for each shared channel, just as for each private channel. Conditional Access policies for SharePoint therefore also apply to shared channels and to the co-authoring of documents in them.

Thursday, 24 February 2022

Graph Insights Adjustments

Microsoft Viva is taking over the functionality of MyAnalytics and Workplace Analytics step by step, and there is also a lot going on in the backend. The MeetingInsights and ItemInsights endpoints have been configurable for some time; now the PeopleInsights endpoint can be configured as well. This affects the following areas:
  • Profile Cards
  • User Profile in Delve
  • Listing relevant people / the "works with" overview
I have already posted about the options to customize MeetingInsights and ItemInsights in the article "My Analytics, Workplace Analytics & Delve - or from the backend perspective Office Graph & Microsoft Graph".

Customize Insights

In general, ItemInsights and PeopleInsights can now be customized: the respective endpoint can be disabled for the whole tenant, or disabled only for the members of one Azure AD group. The third category, MeetingInsights, can only be enabled or disabled globally.
Details on ItemInsights and MeetingInsights: Customizing item insights privacy in Microsoft Graph

Customize PeopleInsights

PeopleInsights show relationships between people. They are derived from public signals such as shared membership in Microsoft 365 Groups / Teams or in Exchange distribution lists. This data is displayed in Delve and on the profile cards in Microsoft 365, and it can be queried via the API:
By default, this feature is enabled in a Microsoft 365 tenant. The following options are available for customization:
  • Disable PeopleInsights for all users:
PATCH, beta: https://graph.microsoft.com/beta/organization/{organizationId}/settings/peopleInsights
{
  "isEnabledInOrganization": false
}

  • Disable PeopleInsights only for the members of an Azure AD group, using the additional disabledForGroup parameter. isEnabledInOrganization must stay true here: false disables the feature for everyone without exception, and the group value is then irrelevant.
PATCH, beta: https://graph.microsoft.com/beta/organization/{organizationId}/settings/peopleInsights
{
  "isEnabledInOrganization": true,
  "disabledForGroup": "f953948d-3423-4ac7-9616-d6187975c00c"
}

To do this with Microsoft Graph Explorer, for example, the following steps are performed:

  • Open Graph Explorer and log in: https://developer.microsoft.com/en-us/graph/graph-explorer 
  • GET, beta: https://graph.microsoft.com/beta/organization returns the organization ID (the tenant ID) that is needed in the next step:

  • Get the current settings:
GET, beta: https://graph.microsoft.com/beta/organization/{organizationId}/settings/peopleInsights
  • Customize the settings as needed (here: keep the feature on for the tenant, switch it off for one group):
PATCH, beta: https://graph.microsoft.com/beta/organization/{organizationId}/settings/peopleInsights
{
  "isEnabledInOrganization": true,
  "disabledForGroup": "f953948d-3423-4ac7-9616-d6187975c00c"
}

 

Effect: the "works with" section no longer shows any users for members of that group:

Important:
  • The PeopleInsights settings are currently only available in the beta endpoint.
  • The update does not check whether the Azure AD group exists. If the group does not exist, the request is accepted but no user is affected.
  • It can take up to 24 hours for insightsSettings changes to take effect, or longer in the beta version.
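As an added example (not from the original post), the following PowerShell performs the steps above with the Microsoft.Graph SDK and adds the check the Graph endpoint itself does not perform: it resolves the group before patching, so a typo in the group ID fails loudly instead of silently changing nothing. The group ID is the one used on this page; the module and permission names are assumptions.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK and
# a caller with Organization.ReadWrite.All (insightsSettings) and Group.Read.All (the guard).
Connect-MgGraph -Scopes "Organization.ReadWrite.All", "Group.Read.All"

$groupId = "f953948d-3423-4ac7-9616-d6187975c00c"   # group that should no longer get PeopleInsights

# Step 1 - organization ID (the tenant ID); the settings path is keyed by it.
$orgId = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/organization").value[0].id
$uri   = "https://graph.microsoft.com/beta/organization/$orgId/settings/peopleInsights"

# Guard - the PATCH accepts any GUID. With a wrong one the call "succeeds" and nobody is
# affected, so resolve the group first and stop if it is not there.
try {
    $group = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups/$groupId"
} catch {
    throw "Group $groupId not found in this tenant; aborting before touching insightsSettings."
}

# Step 2 - current state, kept for the change record.
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
"Before: isEnabledInOrganization=$($before.isEnabledInOrganization) disabledForGroup=$($before.disabledForGroup)"

# Step 3 - disable for the group only. isEnabledInOrganization stays true; false would switch
# the feature off for everyone and make disabledForGroup meaningless.
$body = @{ isEnabledInOrganization = $true; disabledForGroup = $groupId } | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"

# Step 4 - read back. Profile cards and Delve reflect the change only after up to 24 hours.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
"After:  isEnabledInOrganization=$($after.isEnabledInOrganization) disabledForGroup=$($after.disabledForGroup) ($($group.displayName))"
```

Because only one group ID fits into disabledForGroup, use a dedicated security group for this purpose and manage exceptions through its membership rather than by re-patching the setting.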

Monday, 21 February 2022

Cross-tenant access settings in Azure AD

Using Azure AD to grant access to resources in another tenant is not new: the Azure AD B2B and B2C features have been available for several years. Now Microsoft has released the cross-tenant access settings feature as a preview. It allows default settings as well as per-tenant settings, both for the tenants that your users access as guests and for the tenants from which guests access your own environment:

In addition, there is the option to trust the multifactor authentication that a user has already performed when signing in to their home Azure AD. Another option relates to the state of the device used, which can then be checked in a Conditional Access policy, for example. Both the "Compliant device" status and the "Hybrid Azure AD joined" status can be trusted. Note that trusting a partner's MFA means your MFA requirement is satisfied by whatever method the partner tenant enforced and registered; the external user is not prompted again in your tenant:

Overview Cross-tenant access with Azure AD External Identities

Using cross-tenant access settings you can set default settings for your environment as well as settings for each tenant from which access is made. So if you work with partners or selected customers on a regular basis, you can configure explicit rules for B2B collaboration (external users and groups, applications) and trust settings, for inbound and outbound access:
The following applies:
  • The default settings apply to all external Azure AD tenants that are not listed on the Organizational settings tab. These default settings can be changed, but not deleted.
  • For access that is not authenticated via an Azure AD tenant, the external collaboration settings under "Edit or view collaboration restrictions" apply.

Configure cross-tenant access settings

The default settings for inbound and outbound access cover B2B collaboration (external users and groups, applications) and trust settings. These values apply to all tenants that are not explicitly listed:
On the Organizational settings tab, individual tenants can be added via Add organization:
These can then either inherit the default settings or receive explicit settings:
The following settings can be configured for each tenant:
  • Select explicit external users and groups:

  • Select applications:

  • Settings for MFA and device
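The following PowerShell is an added example (not from the original post) that sets the trust settings described above with the Microsoft.Graph SDK: first the tenant-wide default, then a stricter entry for one known partner that also limits B2B collaboration to a single group in the partner tenant. The partner tenant ID and the partner-side group ID are placeholders.

```powershell
# Added example, not from the original post. Assumptions: placeholder partner tenant ID and
# partner-side group ID; Microsoft.Graph PowerShell SDK installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"
$base = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy"

# Default (every Azure AD tenant without an explicit entry): accept the home tenant's MFA,
# but do not trust device state from tenants we know nothing about. A trusted MFA claim
# satisfies your own "require MFA" Conditional Access policies with no further prompt.
$defaultTrust = @{
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/default" `
    -Body ($defaultTrust | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Partner: a tenant whose device management we know gets full trust, but only one of its
# groups may be invited as guests, and only to Office 365 workloads.
$partnerTenantId = "11111111-2222-3333-4444-555555555555"   # assumed partner tenant
$partnerGroupId  = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # assumed group ID *in the partner tenant*
$partner = @{
    tenantId     = $partnerTenantId
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $true
    }
    b2bCollaborationInbound = @{
        usersAndGroups = @{ accessType = "allowed"; targets = @(@{ target = $partnerGroupId; targetType = "group" }) }
        applications   = @{ accessType = "allowed"; targets = @(@{ target = "Office365";     targetType = "application" }) }
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$base/partners" `
    -Body ($partner | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read back. A partner whose inboundTrust is null inherits the default; that is what
# "inherit the default settings" on the Organizational settings tab means.
(Invoke-MgGraphRequest -Method GET -Uri "$base/partners/$partnerTenantId").inboundTrust | ConvertTo-Json
(Invoke-MgGraphRequest -Method GET -Uri "$base/default").inboundTrust | ConvertTo-Json
```

Only the usersAndGroups and applications objects that you send are changed; anything omitted keeps its previous value, so read the partner entry back after every change rather than assuming the rest is still at the default.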

Reporting

Reports on access from and to other tenants can be produced with PowerShell as well as via the "Monitoring" section in Azure AD.

Example via PowerShell for cross-tenant sign-in activity (MSIdentityTools module):
  • Get-MSIDCrossTenantAccessActivity -SummaryStats -ResolveTenantId
Example via PowerShell for the sign-in logs (Microsoft.Graph module). The filter selects sign-ins whose resource tenant is not your own tenant, i.e. your users' access to resources in other tenants, and groups them by tenant, application and user:
Get-MgAuditLogSignIn -Filter "ResourceTenantId ne '<your tenant id>'" -All |
    Group-Object ResourceTenantId, AppDisplayName, UserPrincipalName |
    Select-Object Count, @{n='Ext TenantID/App User Pair'; e={$_.Name}}

Source and more details:  Identify inbound and outbound sign-ins

Cross-tenant access activity workbook:
This workbook is available in Azure AD under "Monitoring" (Workbooks) and provides reports that can be filtered by the following values:
  • Time range (up to 90 days)
  • External tenant ID
  • User principal name
  • Application
  • Status of the sign-in (success or failure)


Tuesday, 15 February 2022

Restrict Microsoft Teams Copy & Paste

There can be different reasons for restricting the copy & paste feature in Teams.
For example, it can prevent users from copying content from Teams chats and pasting it into other apps. In general, it is important to consider whether these restrictions should apply to the web version of Microsoft Teams or to the Teams client/app. Both can be restricted, but a different solution is used in each case:
A common scenario is to restrict copy & paste for guest users. This can also increase security on unmanaged devices, for example for guest users or in a bring-your-own-device setup.
To implement this scenario for browser access, a Conditional Access policy is created that applies only to guest users or to selected users or groups, and from which Azure AD joined devices can be excluded.
If the Teams client / Teams app is used for access, an App Protection Policy in Endpoint Manager must be used instead; a browser session control does not reach the native client. That policy can then be restricted to "unmanaged" devices, for example.

Restrict copy & paste when accessing via the browser

When accessing via the browser, the session is routed through Defender for Cloud Apps by a Conditional Access policy with the session control "Use Conditional Access App Control":


The conditional access rule can be restricted to guests or specific groups from Azure AD, for example:

A session policy must then be created in Defender for Cloud Apps that blocks copy & paste:

As the screenshot shows, the following other capabilities can also be restricted:
  • Print
  • Send item
  • Send Teams message
The "Session control type" section of the policy shows that uploads and downloads can be restricted in the same way. A separate policy must be created for each of these, since "Session control type" allows only a single type per policy.
The user now sees the following notification when trying to copy data from a Teams chat:

Restrict copy & paste when accessing via Teams client / Teams app

App Protection Policies are used for access via the client / app. This is a feature of Microsoft Endpoint Manager (Intune). For the scenario of restricting access from unmanaged devices, "Unmanaged" is selected as the device type the policy targets. The "Apps" section of the policy defines which applications the policy covers. As the screenshot shows, the same policy can also cover further apps, such as Microsoft Planner:

In the section "Data protection" the setting "Restrict cut, copy, and paste between other apps" is available:

The user now sees this message when trying to copy data from a Teams chat and paste it into WhatsApp, for example:

The following additional settings can be configured in the App Protection Policy:
  • Backup org data to Android backup services
  • Send org data to other apps
  • Receive data from other apps
  • Screen capture
  • Printing org data
  • Restrict web content transfer with other apps
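The following PowerShell is an added example (not part of the original post) that creates the two policies described above with the Microsoft.Graph SDK: the Conditional Access policy that routes guest browser sessions through Defender for Cloud Apps, and an Android app protection policy for unmanaged devices with the data-protection settings listed above. The "block copy/paste" session policy itself is still created in the Defender for Cloud Apps portal as shown on this page. Policy names, the Teams package name, the first-party Teams application ID and the use of the beta endpoint for the app protection policy are assumptions.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "DeviceManagementApps.ReadWrite.All"

# --- Browser access: hand guest sessions to Conditional Access App Control -----------------
$caPolicy = @{
    displayName = "Teams - session control for guests (browser)"
    state       = "enabledForReportingButNotEnforced"   # report-only first, then "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }   # "All guest and external users"
        applications   = @{ includeApplications = @("cc15fd57-2c6c-4117-a88c-83b1d56b4bbe") }  # Microsoft Teams (first-party app ID)
        clientAppTypes = @("browser")
        devices        = @{
            # "Azure AD joined devices can be excluded": devices we manage keep a normal session.
            deviceFilter = @{ mode = "exclude"; rule = 'device.trustType -eq "AzureAD"' }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"   # "Use custom policy": the copy/paste rule lives in Defender for Cloud Apps
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# --- Client/app access: Intune app protection policy for unmanaged Android devices ----------
# Beta endpoint: that is where targetedAppManagementLevels ("Unmanaged" device type) is exposed.
$appBase = "https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections"
$appPolicy = @{
    "@odata.type"                           = "#microsoft.graph.androidManagedAppProtection"
    displayName                             = "Teams - restrict clipboard on unmanaged devices"
    targetedAppManagementLevels             = "unmanaged"     # device type: unmanaged
    allowedOutboundClipboardSharingLevel    = "blocked"       # "Restrict cut, copy, and paste between other apps"
    allowedOutboundDataTransferDestinations = "managedApps"   # "Send org data to other apps"
    allowedInboundDataTransferSources       = "managedApps"   # "Receive data from other apps"
    screenCaptureBlocked                    = $true           # "Screen capture"
    printBlocked                            = $true           # "Printing org data"
    dataBackupBlocked                       = $true           # "Backup org data to Android backup services"
}
$created = Invoke-MgGraphRequest -Method POST -Uri $appBase `
    -Body ($appPolicy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Apps covered by the policy; Planner would be added here in the same way.
$apps = @{
    apps = @(
        @{
            "@odata.type"       = "#microsoft.graph.managedMobileApp"
            mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"; packageId = "com.microsoft.teams" }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$appBase/$($created.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 5) -ContentType "application/json"
```

The app protection policy still needs an assignment to the guest or BYOD group before it takes effect, and the user must sign in to Teams with a work account for the policy to be retrieved; the Conditional Access policy, by contrast, applies as soon as it is switched from report-only to enabled.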

Wednesday, 15 December 2021

Automatically encrypt content in Office 365 services

With the success of Microsoft Teams, the question of which data, and whether sensitive data at all, can be stored and processed in Office 365 is being asked more and more often. This can be triggered by the GDPR as well as by company- or industry-specific compliance rules. With sensitivity labels, Microsoft Information Protection provides a way to label and additionally encrypt content, which generally makes storing and processing sensitive data in the cloud an option. The feature is included in Office 365 E3 and higher; however, Office 365 E3 only includes manual labeling.
To implement a requirement such as "All files stored in the Management Team should automatically be labeled as Internal Only", a license that includes the auto-labeling feature is needed. This is possible with Office 365 E5 or a license add-on such as Microsoft 365 E5 Security & Compliance. With this license, the auto-labeling feature in the Microsoft 365 Compliance Center becomes available:
This allows content in Exchange, SharePoint and OneDrive to be labeled automatically based on rules:
However, in SharePoint and OneDrive this only applies to Office files of type Word (.docx), PowerPoint (.pptx) and Excel (.xlsx). For Exchange Online, PDF attachments and Office files are checked against the conditions of the auto-labeling policy; if there is a match, the email is labeled, but not the attachment. Details: Apply a sensitivity label to content automatically
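As an added example (not from the original post), the following Security & Compliance PowerShell (ExchangeOnlineManagement module) creates an auto-labeling policy for the requirement above, starting in simulation mode so that nothing is labeled until the matches have been reviewed. The site URL, label name and policy/rule names are placeholders; because an auto-labeling rule needs at least one condition, a built-in sensitive information type is used here, which is an assumption about the content. Check the parameter names against the current module version.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement module and
# a Compliance administrator; the label "Internal Only" must already be published.
Connect-IPPSSession

$policyName = "Auto-label Management Team"                          # assumed name
$siteUrl    = "https://contoso.sharepoint.com/sites/ManagementTeam" # assumed site

# Policy = scope + label + mode. TestWithoutNotifications is simulation: the policy reports
# which files would be labeled but applies nothing, so a wrong condition cannot encrypt
# half the tenant by accident.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel "Internal Only" `
    -SharePointLocation $siteUrl `
    -Mode TestWithoutNotifications

# Rule = the condition evaluated inside that scope (here: at least one credit card number,
# a built-in sensitive information type; replace with the condition that fits the site).
New-AutoSensitivityLabelRule -Policy $policyName -Name "$policyName - rule" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -Workload SharePoint

# Confirm the mode before walking away; only switch to Enable after reviewing the simulation.
Get-AutoSensitivityLabelPolicy -Identity $policyName | Select-Object Name, Mode
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Remember the file-type limit stated above: in SharePoint and OneDrive this policy will only ever label .docx, .pptx and .xlsx files; PDFs and images in the same site need the Defender for Cloud Apps file policy described in the next section.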

Automatic labeling of non-Office files

Sensitive content is often also contained in non-Office files. First and foremost the PDF format is relevant, followed by formats such as *.jpg, *.png or Visio files (*.vsdx). The complete list of formats supported by Microsoft Information Protection is given in this article: Supported file types for classification and protection
These file types can also be labeled automatically. For this scenario, a file policy is created in Defender for Cloud Apps:


This feature is not part of the Office 365 E5 license. It can be licensed via different packages, as described here: Get started with Microsoft Defender for Cloud Apps

Protect other file types

When you need to encrypt files that are not included in the list of supported file types for classification and protection, you can use the Information Protection client.
The client can encrypt and decrypt any file format. However, if the format is not on the list of supported file types, the Information Protection Viewer cannot display the file; it has to be saved decrypted before it can be opened with its native application. This is currently still the case for video formats, for example.
One way to protect such files by automatic labeling is shown in the following example:
  • Synchronize the folder containing the video files to be encrypted with OneDrive for Business.
  • Encrypt the video files locally via script: Set-AIPFileLabel -Path "C:\Project Videos" -LabelId d9f23ae3-1324-1234-1234-f515f824c57b
  • OneDrive for Business then synchronizes the encrypted video files back to SharePoint Online.
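The following PowerShell is an added example (not from the original post) that turns the middle step above into a re-runnable script: it labels only the video files in the synced folder that do not already carry the label, so a second run after the next sync does not re-encrypt and re-upload everything. The folder path is a placeholder; the label ID is the one from the example above, and the AzureInformationProtection module (Set-AIPFileLabel, Get-AIPFileStatus) is assumed to be installed.

```powershell
# Added example, not from the original post. Assumptions: placeholder OneDrive sync folder;
# AzureInformationProtection PowerShell module installed; the signed-in user may apply the label.
Import-Module AzureInformationProtection

$folder     = "C:\Users\stan\OneDrive - Contoso\Project Videos"   # assumed local OneDrive sync folder
$labelId    = "d9f23ae3-1324-1234-1234-f515f824c57b"              # label ID from the example above
$extensions = ".mp4", ".mov", ".avi"                               # formats the Viewer cannot display

$files = Get-ChildItem -Path $folder -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLower() }

# Only files without this label are touched. Get-AIPFileStatus reads the label metadata
# without decrypting the file, so this loop is cheap even for large videos.
$todo = foreach ($f in $files) {
    $status = Get-AIPFileStatus -Path $f.FullName
    if (-not $status.IsLabeled -or $status.MainLabelId -ne $labelId) { $f.FullName }
}

if ($todo) {
    # -PreserveFileDetails keeps the original modified timestamp so OneDrive does not
    # treat every freshly encrypted file as a conflicting newer copy.
    Set-AIPFileLabel -Path $todo -LabelId $labelId -PreserveFileDetails |
        Select-Object FileName, Status, Comment
} else {
    "Nothing to do: all $($files.Count) files already carry label $labelId"
}
```

Check the Status column of the output: a file that is open in another program at the time is skipped with an error rather than labeled, and will be picked up on the next run. Microsoft has since retired the AIP client; the successor Purview Information Protection client ships the equivalent Set-FileLabel and Get-FileStatus cmdlets.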
Microsoft has since announced a new feature that gives a similar result: a SharePoint Online document library can be assigned a default label, which is then applied automatically to files in that library.
https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=85621

Friday, 26 November 2021

Step by Step guide - limit access to Teams

Step-by-step guide & scenarios to limit access to Teams (SharePoint, Exchange, etc.) from unmanaged devices.

There are already some general articles on this topic on the internet. This article is a concrete step-by-step guide to implement the following example:
  • Access to Teams should only be possible via the browser. The advantage is that no local log files etc. are written and no data ends up in a local device backup. This is especially important for mobile devices (iOS, Android), as these backups may be stored in further cloud services.
  • Downloading files should not be possible; viewing and editing in the browser shall be possible.
OR
  • Downloading, viewing and editing files should not be possible.

Solution

Services involved in this example:
  • App restrictions (SharePoint & Exchange Online admin centers)
  • Azure AD Conditional Access
The approach described here cannot be used to treat selected users differently. The reason is that the Conditional Access policy's session control refers to the app restriction settings in the Exchange and SharePoint admin centers, and those are global for the whole tenant. For more granular settings, PowerShell can be used to apply the app restriction only to selected SharePoint sites.
Example: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess

More selective settings, for specific users, selected Teams, or scenarios such as "access from the corporate network", can be implemented with the following methods:

Step by step guide on the example

SharePoint admin center -> Access control -> Unmanaged devices -> Allow limited, web only access:

This automatically generates a Conditional Access policy:

Settings in the Conditional Access policy:

User experience in Teams on an unmanaged device: no download available:

User experience in SharePoint on an unmanaged device: no download available:

The user can open and edit documents in the Teams web client:

The document cannot be opened in the Office desktop client:

Switching the app restriction to "Block access":

The Conditional Access policy stays as it is, but the user experience changes:
(Teams chat is still available)
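As an added example (not part of the original post), the following PowerShell performs the same configuration as the steps above from the command line: the tenant-wide app restriction, a check of the generated Conditional Access policy, and the per-site override mentioned in the Solution section. The tenant name, site URL and the presence of the SharePoint Online Management Shell and the Microsoft.Graph SDK are assumptions.

```powershell
# Added example, not from the original post. Assumptions: tenant "contoso", placeholder site;
# SharePoint Online Management Shell and Microsoft.Graph PowerShell SDK installed.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-MgGraph -Scopes "Policy.Read.All"

# Step 1 - tenant-wide app restriction (the "Allow limited, web only access" option).
# Values: AllowFullAccess, AllowLimitedAccess (web only, no download), BlockAccess.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Step 2 - the admin center creates a Conditional Access policy whose session control is
# "Use app enforced restrictions". That policy, not the SPO setting, decides WHICH sessions
# count as unmanaged, so list it and the parts that matter when troubleshooting.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.SessionControls.ApplicationEnforcedRestrictions.IsEnabled } |
    Select-Object DisplayName, State,
        @{ n = 'Apps';    e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'Clients'; e = { $_.Conditions.ClientAppTypes -join ',' } }

# Step 3 - per-site override: block one site with sensitive data outright while the rest
# of the tenant keeps limited web access. Sites without an explicit value inherit the
# tenant setting; "Switching the App Restriction to block access" above is the same
# change applied tenant-wide with Set-SPOTenant -ConditionalAccessPolicy BlockAccess.
$site = "https://contoso.sharepoint.com/sites/ManagementTeam"   # assumed site
Set-SPOSite -Identity $site -ConditionalAccessPolicy BlockAccess
Get-SPOSite -Identity $site | Select-Object Url, ConditionalAccessPolicy
```

If the Where-Object step returns nothing, the session control was never created and the SPO setting has no effect on browser sessions; create the policy by hand with the same session control before relying on the restriction.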

Tips & Tricks

  • It can take several minutes for a Conditional Access policy, or a change to one, to take effect.
  • When testing policy changes: always sign out, close the browser / clear the browser cache, wait several minutes and then sign in again.

Saturday, 30 October 2021

Azure AD Conditional Access | Authentication Context

The authentication context feature can be used to add additional, granular protection for access to apps or to data within apps such as SharePoint or Exchange.

Example: Access to SharePoint sites or data in SharePoint is only permitted with devices managed in Intune. This is enforced via a conditional access policy. For special SharePoint sites containing highly sensitive data, access is also only permitted from the company network.

Until now this was not possible, because a Conditional Access policy always referred to the app as such, i.e. to SharePoint as a whole in the example above. With an authentication context in a Conditional Access policy, this scenario is now possible.

Authentication Context

The feature is still in preview. The following limitations apply to the preview:

  • Deleting authentication context definitions is not possible in the preview.
  • The preview is limited to a total of 25 authentication context definitions.

An Authentication Context is created in the Conditional Access menu in the Azure Portal:


An authentication context is nothing more than a named container; the rules come from the Conditional Access policy that references it:
The authentication context can then be selected in a Conditional Access policy under "Cloud apps or actions".
This adds a third option next to the existing cloud apps and user actions.

Using an Authentication Context  

To implement the example from above, a sensitivity label is used. The authentication context is configured in the label:
The label is then assigned to the corresponding SharePoint site. When this site is accessed, the Conditional Access policy that references the authentication context applies:
The whole process:
Example:
User Stan Laurel signs in to Office 365 and opens the SharePoint app:
He now selects the SharePoint site "SPO Authentication Context DEMO" and gets the message that access is not possible.
The reason is not missing permissions, but the Conditional Access policy described above, which only allows access from the company network.
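The following PowerShell is an added example (not part of the original post) that creates the authentication context and the Conditional Access policy for the scenario above with the Microsoft.Graph SDK, in an order that never leaves the context usable without a policy behind it. Linking the context to the sensitivity label and the label to the site stays in the compliance portal, as described above. The context ID "c1", the names and the pilot group ID are placeholders.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK;
# "c1", names and the pilot group ID are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId = "99999999-8888-7777-6666-555555555555"   # assumed: group the policy is tried on first

# 1. The context: a fixed ID (c1..c25 in the preview) plus a display name. It is created as
#    NOT available, so labels and apps cannot request it before the policy below exists.
$ctx = New-MgIdentityConditionalAccessAuthenticationContextClassReference `
    -Id "c1" -DisplayName "Highly sensitive SharePoint sites" `
    -Description "Only from the corporate network" -IsAvailable:$false

# 2. The policy targets the context instead of the SharePoint app and blocks every request
#    that does not come from a trusted named location. Device compliance is not repeated
#    here; the separate tenant-wide SharePoint policy still enforces it.
$policy = @{
    displayName = "Block $($ctx.Id) outside the corporate network"
    state       = "enabled"
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId) }   # widen to "All" after the pilot
        applications = @{ includeAuthenticationContextClassReferences = @($ctx.Id) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Only now publish the context, so it shows up in the sensitivity label's settings.
Update-MgIdentityConditionalAccessAuthenticationContextClassReference `
    -AuthenticationContextClassReferenceId $ctx.Id -IsAvailable

# Sanity check: the policy must reference the context, not a cloud app.
(Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Applications.IncludeAuthenticationContextClassReferences -contains $ctx.Id }).DisplayName
```

The contexts in the preview cannot be deleted (see the limitations above), so treat the IDs as permanent: retiring a context means setting IsAvailable back to false and removing it from labels, not creating a fresh one each time.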