Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Microsoft Teams Secure Collaboration Use Cases

  1. Last updated
  2. Save as PDF

Supported Features

Skyhigh CASB for Microsoft Teams supports these features for the secured collaboration of users:

  • Identify and remove sensitive content shared with unauthorized external/guest users.
  • Monitor and remove guest users from unauthorized domains.
  • Monitor and remove unauthorized guest users from internal-only conversations or private channels.
  • Identify and remove sensitive content shared in specific teams/channels.
  • Identify and remove sensitive content shared by internal users with guest users.
  • Supports OCR for screenshots and image snippets shared in chats/channels via copying and pasting.

Identify and Remove Sensitive Content Shared With Unauthorized External/Guest Users

Skyhigh CASB for Microsoft Teams allows security admins to define the DLP policies to monitor and remove sensitive data posted in channels having unauthorized external/guest users as members. Messages or files posted in the regular channels and 1:1 or 1: many chat conversations are monitored and deleted.

Make sure to define the policy for the following service instances:

  • Teams Instance. Monitors and deletes sensitive messages posted in regular channels or chat conversations.
  • SharePoint Instance. Monitors and deletes sensitive files posted in regular channels.
  • OneDrive Instance. Monitors and deletes sensitive files posted in 1:1 or 1:many chat conversations.

For example, say your organization has the domain myorg.com. Some of the teams in 'MyOrg' Office 365 tenant have guest users as members. So the organization wants to detect and remove any sensitive data such as credit card numbers posted in channels having guest user presence. 

To identify and remove the sensitive content posted in channels having guest users, define the DLP policy for Microsoft Teams in the Skyhigh CASB as described.

Rule Group

For the DLP Policy, create the Collaboration for Files and Folders associated with the Rule Group to identify the sensitive data.

To create a Collaboration for files and folders:

  1. Go to Policy > DLP Policies
  2. Click Actions > Sanctioned Policy > Create New Policy
  3. On the Description page, enter a name, description, and deployment type. For Services, select SharePoint. Then select the users the policy will apply to. 
  4. On the Rules page, select Collaboration
  5. For Sharing From, select Anyone
  6. For Sharing To, select Anyone
  7. For Sharing Permission, make a selection. 
  8. Click AND and select any rule options such as Data Identifier, Keyword, or Regular Expression.
    teams_guests_rule.png

Exception Group

To add an exception to a policy:

  1. Click Add Exception.
  2. Select Collaboration.
  3. For Sharing From, select Anyone
  4. For Sharing To, select Specific Users/Domains and Manually enter users/domains. Enter the domain names, for example, internal-domain1.com, internal-domain2.com, etc. In this case, the internal domain of the organization is myorg.com
  5. For Sharing Permission, make a selection. 
  6. Click Next
    teams_guests_exception.png

Response Action

To add a response action to a policy:

  1. On the Response page, click AND, and select Delete to remove the sensitive data.
    teams_guests_response.png
  2. Select an Email Template
  3. Click Next.
  4. Review your policy and click Save

Monitor and Remove Guest Users from Unauthorized Domains

IMPORTANT: If you have been using the Teams API for Skyhigh CASB in your tenant, to leverage the feature Monitor and Remove Unauthorized Guest Users from Unauthorized Domains, as well as the Internal Teams Channels/Multi-Chat, you must re-enable API access.

Skyhigh CASB for Microsoft Teams allows security admins to define DLP policies to monitor and remove any unauthorized guest users joining teams.

For example, say you have an organization that wants to allow guest users from allowed domains allowed-domain1.com and allowed-domain2.com but wants to remove any guest users from other domains joining teams. This can be accomplished by defining DLP policies for Microsoft Teams in Skyhigh CASB as described below.

Rule Group

To create a Collaboration for Files and Folders:

  1. Go to Policy > DLP Policies
  2. Click Actions > Sanctioned Policy > Create New Policy
  3. On the Description page, enter a name, description, and deployment type. For Services, select SharePoint. Then select the users the policy will apply to. 
  4. On the Rules page, select Collaboration
  5. For Sharing From, select Anyone
  6. For Sharing To, select Anyone
  7. For Sharing Permission, make a selection. 
  8. Click AND and select any rule options such as Data Identifier, Keyword, or Regular Expression.
    teams_guests_rule.png

Exception Group

To add an exception to a policy:

  1. Click Add Exception.
  2. Select Collaboration.
  3. For Sharing From, select Anyone
  4. For Sharing To, select Specific Users/Domains and Manually enter users/domains. Enter the domain names, for example, allowed-domain1.com, allowed-domain2.com, etc. If any guest user joins Teams from outside of the listed domains, then the policy is triggered.
  5. For Sharing Permission, make a selection. 
  6. Click Next
    teams_remove_guests_exception.png

Response Action

To add a response action to a policy:

  1. On the Response page, click AND and select Revoke Sharing for and Everyone to remove the guest user.
  2. Select an Email Template
    teams_remove_guests_response.png
  3. Click Next.
  4. Review your policy and click Save

Monitor and Remove Unauthorized Guest Users from the Internal Teams Channels/Multi-Chat

NOTE: If Microsoft Teams API access is already enabled in your tenant, you must re-enable API access to enable this use case.  This is applicable for Multi-Chat also.

Skyhigh CASB for Microsoft Teams allows security admins to define the DLP policies to monitor and remove the unauthorized guest users joining internal-only teams (teams meant for internal conversations only).

To monitor and remove the unauthorized guest user from the internal-only teams, define the DLP policy for Microsoft Teams in the Skyhigh CASB as described.

Rule Group

Create a Collaboration rule for Files and Folders.

  1. Go to Policy > DLP Policies
  2. Click Actions > Sanctioned Policy > Create New Policy
  3. On the Description page, enter a name, description, and deployment type. For Services, select SharePoint. Then select the users the policy will apply to. 
  4. On the Rules page, select Collaboration
  5. For Sharing From, select Anyone
  6. For Sharing To, select Anyone
  7. For Sharing Permission, make a selection. 
  8. Click AND and select File Path/Folder ID, then Manually enter Select File Path/Folder ID and enter the list of internal team names.
  9. Click Done

teams_internal_rule.png

Exception Group

To add an exception to a policy:

  1. Click Add Exception, select Collaboration.
  2. Select Collaboration
  3. For Sharing From, select Anyone
  4. For Sharing To, select Specific Users/Domains, and Manually enter users/domains
  5. Enter the list of internal domains or list of allowed domains for To field. For example, allowed-domain1.com, allowed-domain2.com. If any guest user joins Teams from a domain outside of the listed domains, then the policy is triggered.
  6. Click Next
    teams_internal_exception.png

Response Action

To add a response action to a policy:

  1. On the Response page, click AND and select Revoke Sharing for and Everyone to remove the guest user.
  2. Select an Email Template
    teams_internal_response.png
  3. Click Next.
  4. Review your policy and click Save

Identify and Remove Sensitive Content Shared in Specific Teams/Channels

Microsoft Teams dedicate channels within a team to keep conversations organized by specific topics, projects, disciplines, etc. To create a channel, you must create a Team Name, and then add the channels to it. Skyhigh CASB for Microsoft Teams allows security admins to define the DLP policies to monitor and remove the sensitive content shared in any specific teams /channels.

For example,  say you are sharing sensitive content such as credit card details in the teams name external.team1 and the associated channels with that team such as Channel 1 and  Channel 2  also receive the same sensitive information. To remove the sensitive content from that specific teams/ channels, define the DLP policy for Microsoft Teams in the Skyhigh CASB as described.

Rule Group 

Create File Path/Folder ID collaboration rule.

  1. Go to Policy > DLP Policies
  2. Click Actions > Sanctioned Policy > Create New Policy
  3. On the Description page, enter a name, description, and deployment type. For Services, select SharePoint. Then select the users the policy will apply to. 
  4. On the Rules page, select File Path/Folder ID, then Manually enter Select File Path/Folder ID and enter the team-name/* to monitor all channels in that team or provide the specific team-name/channel-name to monitor specific team/channel.
  5. Click Done
  6. Click AND and select any options such as Data IdentifierKeywordRegular Expression.
    teams_delete_channel_rules.png

Response Action 

To add a response action to a policy:

  1. On the Response page, click AND, and select Delete to remove the sensitive data.
  2. Select an Email Template
    teams_delete_channel_response.png
  3. Click Next.
  4. Review your policy and click Save

Identify and Remove Sensitive Content Shared with Guest Users

Skyhigh CASB for Microsoft Teams allows security admins to define the DLP policies to monitor and remove sensitive data posted in meeting chats or group chats having guest users as members. Messages posted by internal users in meeting chats or group chats with a guest user present, are monitored and deleted.

For example, say your organization has the domain sedlp.onmicrosoft.com, and when internal users post sensitive data in a meeting chat or group chat while a guest user is present, the DLP policy should be triggered. This secure collaboration feature provides your organization with visibility into guest user details and allows it to detect and remove any sensitive data posted in meeting chats or group chats with guest user presence.

To identify and remove sensitive content posted by internal users in meeting chats or group chats with guest users, define the DLP policy for Microsoft Teams in Skyhigh CASB as described.

Rule Group

For the DLP Policy, create the Collaboration for Files and Folders associated with the Rule Group to identify the sensitive data.

To create a collaboration rule for files and folders:

  1. Go to Policy > DLP Policies
  2. Click Actions > Sanctioned Policy > Create New Policy
  3. On the Description page, enter a name, description, and deployment type. For Services, select Microsoft Teams. Then select the users the policy will apply to. 
  4. On the Rules page, select Collaboration
  5. For Sharing From, select Anyone
  6. For Sharing To, select Anyone
  7. For Sharing Permission, make a selection. 
  8. Click AND and select any rule options such as Data Identifier, Keyword, or Regular Expression.
    clipboard_e50c887ca426f91b72374e52a6173beb5.png

Exception Group

To add an exception to a policy:

  1. Click Add Exception.
  2. Select Collaboration.
  3. For Sharing From, select Anyone
  4. For Sharing To, select Specific Users/Domains and Manually enter users/domains. Enter the domain names, for example, sedlp.onmicrosoft.com, allowed-domain1.com, etc. If a guest user joins the Teams meeting chat or group chat, the policy is triggered.
  5. For Sharing Permission, make a selection. 
  6. Click Next
    clipboard_e2c0e8b4212a5a3263ba15bc6bcbf0507.png

Response Action

To add a response action to a policy:

  1. On the Responses page, click AND, and select Delete to remove the sensitive data.
  2. Select an Email Template
  3. Click Next.
  4. Review your policy and click Save.
    clipboard_e019ba438b647fa7b6cd6677735f25989.png

OCR Support to Identify and Remove Policy-Violated Images in Chats/Channels

You can share images in Microsoft Teams chats/channels by attaching or copying and pasting them. Skyhigh CASB for Microsoft Teams allows security admins to define DLP policies to monitor and remove the sensitive content in images shared in chats/channels by copying and pasting them.

NOTE: If you attach an image, it will upload to SharePoint/OneDrive. To apply DLP policies to the attached images, select SharePoint or OneDrive service on the Description page and then add a response action.

To identify and remove sensitive content in the pasted images, define the DLP policy for Microsoft Teams in Skyhigh CASB as described below.

IMPORTANT: You must enable OCR to identify and remove policy-violated images in chats/channels.

Create Classifications

Create classification to identify sensitive content in the images.

To create a classification:

  1. Go to Policy > DLP Policies > Classifications.
  2. Click Actions > Create Classification.
  3. Enter the classification name.
  4. Select a category from the menu. For example, we have selected Sensitive.
  5. For Criteria, make a selection. For example, we have selected Keyword.
  6. Click Save.

    Create Classification.png

Rule Group

For the DLP Policy, create a classification for identifying sensitive content in images, and associate it with the Rule Group to enforce detection and protection of the sensitive content.

To create a classification rule for the sensitive content in the images:

  1. Go to Policy > DLP Policies > DLP Policies.
  2. Click Actions > Create New Policy.
  3. On the Description page, enter a name, description, and deployment type. For Services, select Microsoft Teams. Then choose the users the policy applies to. 
  4. Click Done.
  5. Click Next.
  6. On the Rules page, select Classification
  7. Select the previously created classification.
  8. Click THEN and select the incident severity from the menu.

    Create_RulesPage.png
     
  9. Click Next.

Response Action

To add a response action to the policy:

  1. On the Response page, click THEN, and select Delete to remove the sensitive data.
  2. Click Done.
  3. Select an Email Template
  4. Click Next.
  5. Review your policy and click Save

    Response Action.png
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    This page has no tags.