Controlling Microsoft Teams Guest Access using Sensitivity Labels

Part 2 of 2: The Admin Experience

The video demonstration below provides a basic overview of how I created the sensitivity labels and the associated policy that I used during my Part 1 of 2: The End User Experience post. If you are new to this topic it should provide a useful few minutes of content to help you get started.

Enabling Sensitivity Labels in a Tenant: At the time of writing I had to enable MIP (Microsoft Information Protection) in my tenant to turn on Sensitivity labels. Some getting started documentations is provided here. I’ve pasted a screenshot of the Group.Unified template with MIP enabled below:

In a production environment there are numerous other considerations we need to incorporate into a deployment plan. For example, if a tenant has previously used Classic Azure AD group classification, then you’ll probably want to migrate these labels to your new ones. For more detailed information about this topic and others start here.

Controlling Microsoft Teams Guest Access using Sensitivity Labels

Part 1 of 2: The End User Experience

Guest Access is a really useful way to work collaboratively in Microsoft Teams with people who are not part of your tenant. However, most organisations want to provide controls that allow some teams to have Guests and block external users from others. This can be achieved in a number of ways ranging from PowerShell to the Power Platform and the approach an administrator takes will most likely depend of the business requirements and the security posture of their company.

One way of providing end users the ability to choose their Guest policy as they create (or edit) a team is via the assignment of a Sensitivity Label. These can be used for a variety of purposes such as protecting content or restricting access from un-managed devices but the video below focuses on blocking/allowing external users within a team.

In Part 2 of this blog I’ll run through the basic admin experience around the creation of the Sensitivity Labels shown in the above demonstration.

Securing Teams Meetings Content Sharing

I recently posted a short blog called My Teams Security Slide, which contained an overview of the security controls I associate with Microsoft Teams. One of the features I listed was “Sensitivity Labels for Content”, which for organisations concerned about data loss prevention is a way of classifying content and applying security policies.

So what does this has to do with a Teams Meeting?

Microsoft 365 Sensitivity Labels actually allow administrators to managed document permissions and Microsoft Teams will honour these. One of the net effects is that is that you can restrict the ability to share confidential documents during a Teams Meeting.

I created this video to demonstrate the resulting end user experience.

This is a great way to protect against accidental data loss during a Microsoft Teams share. But what about policing a Teams Meeting chat? I’ll talk about this in a future post.