Privacy is rapidly becoming one of our greatest concerns in our digital society. Microsoft is putting a whole lot of effort into providing great tools for privacy and security in Office 365. Microsoft Teams is the fastest growing product in the history of the company and it sure gets its fair share of these efforts.
Many municipalities in Sweden are deploying Microsoft Teams for their schools. Teams is a wonderful tool for the classroom and its extensible nature opens up for many third-party learning tools to be a part of the Teams experience. Teachers love it and students love it.
However, letting children into the platform shared with many different kinds of users, internal and external, privacy becomes a challenge. For example, adult students, unknown to the teachers, children and parents can freely contact these children via chat, voice and video. As you can imagine, this is not a suitable setup.
Fear not! There are different ways to segregate groups of users in Microsoft Teams.
Step 1: Microsoft Teams Scoped Directory Search
Teams Scoped Directory Search sits on top of Exchange Online Adress Book Policies and let the organization create virtual boundaries (or views) of the organization. Users inside such a scope can only search and find users inside the same scope. This is a good start to hide certain user groups from each other, like students and faculties, but it won’t block communication. A user can still input the whole email address in Teams to initiate a chat or a call. This leads us to step 2.
Step 2: Microsoft Teams Information Barriers
Information barriers are policies that an admin can configure to prevent individuals or groups from communicating with each other. The differences from Scoped Directory Search is that information barriers also enforce the policy to block the communication and lets the user know this. You create policies based on queries for departments or other Azure AD attributes. This makes it very flexible.
Here are a couple of examples of the user experience when information barriers are violated.
| Action | User Experience if policy is violated |
| Adding Members to a team | The user will not show up in search |
| Start a new private chat | The chat is not created, and an error message appears |
| invited a user to join a meeting | The user will not join the meeting and an error message appears |
| Screen sharing is initiated | The screen share won’t be allowed, and an error message appears |
| Placing a phone call (VOIP) | The voice call is blocked |
When a new information barrier is created, the evaluation service searches across Teams to find any pre-existing communications that may violates the policy:
- Existing 1:1 chats will become read-only
- Users will be removed from group chats
- Team membership will be updated accordingly
Summary
There are many situations where different users in an Azure AD should NOT be able to communicate with each other. These tools makes this possible and since dynamic queries are used for policies, if configured correctly, all this can be an automated experience for everyone.
Please follow me here, on LinkedIn and on Twitter.
Daniel Chronlund Cloud Security Blog 