Messaging Apps Protection - Microsoft Teams

Overview

Microsoft Teams is a communication platform developed by Microsoft as part of the Microsoft 365 family of products. It lets employees and external collaborators chat, meet online, and share files. Avanan adds security, privacy, and compliance to Microsoft Teams by scanning messages and files shared in a chat or a team for malicious content and for data loss prevention (DLP), and generates actionable events on malicious content.

Avanan scans the messages and files shared through direct messaging or a team.

How it works

Avanan adds a layer of security that provides these security features for Microsoft Teams:

  • Data Leak Prevention (DLP): Protecting sensitive text messages and files
  • Anti-Malware: Scanning of files for malicious content
  • URL Reputation: Blocking malicious links within files and messages
  • User Behavior Anomaly: Identifying suspicious logins and compromised accounts
  • Remediation: Tombstoning malicious or sensitive files and messages

Required Permissions

Avanan requires these permissions to protect Microsoft Teams.

Note - All these permissions are required to access your data in the Avanan portal tenant.

Permissions required from Microsoft | Functions performed by Avanan
Send channel messages | Allows an app to send channel messages in Microsoft Teams on behalf of the signed-in user.
Sign in and read user profile | Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
Read domains | Allows the app to read all domain properties without a signed-in user.
Read and write tabs in Microsoft Teams | Read and write tabs in any team in Microsoft Teams without a signed-in user. This does not give access to the content inside the tabs.
Read tabs in Microsoft Teams | Read the names and settings of tabs inside any team in Microsoft Teams without a signed-in user. This does not give access to the content inside the tabs.
Read and write all group memberships | Allows the app to list groups, read basic properties, and read and update the membership of the groups this app has access to, without a signed-in user. Group properties and owners cannot be updated, and groups cannot be deleted.
Read all group messages | Allows the app to read memberships and basic group properties for all groups without a signed-in user.
Manage all users' Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps for any user without a signed-in user. It does not give the ability to read or write application-specific settings.
Read all users' installed Teams app | Allows the app to read the Teams apps that are installed for any user without a signed-in user. It does not give the ability to read application-specific settings.
Read all users' teamwork activity feed | Allows the app to read all users' teamwork activity feed without a signed-in user.
Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user.
Read and write all groups | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendars and conversations. All of these operations can be performed by the app without a signed-in user.
Read all groups | Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.
Flag channel messages for violating policy | Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.
Read all channel messages | Allows the app to read all channel messages in Microsoft Teams.
Read all chat messages | Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams.
Flag chat messages for violating policy | Allows the app to update Microsoft Teams 1-to-1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.
Read all users' full profiles | Allows the app to read user profiles without a signed-in user.
Read files in all site collections | Allows the app to read all files in all site collections without a signed-in user.
Read and write all chat messages | Allows an app to read and write all chat messages in Microsoft Teams without a signed-in user.
Read items in all site collections | Allows the app to read documents and list items in all site collections without a signed-in user.
Read all hidden memberships | Allows the app to read the memberships of hidden groups and administrative units without a signed-in user.

Activating Microsoft Teams

Important:

  • To activate Microsoft Teams, you must have administrator access to Office 365.
  • To use the Communication DLP feature in Microsoft Teams, you must have any of these licenses:
    • Office 365 E5/A5
    • Microsoft 365 E5/A5
    • Microsoft 365 Information Protection and Governance
    • Office 365 Advanced Compliance

To activate Microsoft Teams:

  1. Navigate to Configuration > SaaS Applications and click Start for Microsoft Teams.
  2. Click Start in the pop-up screen that appears.
  3. In the Microsoft Sign-in window that opens, sign in with your Microsoft administrator credentials.
    Note - Microsoft performs the authentication, and Avanan does not provide these credentials.
  4. In the authorization screen from Microsoft, click Accept to grant necessary permissions to Avanan.
    For the list of permissions requested from Microsoft, see Permissions for Microsoft Teams.
    The Microsoft Teams SaaS is enabled, and monitoring begins immediately.

Deactivating Microsoft Teams

To deactivate Microsoft Teams:

  1. Navigate to Configuration > SaaS Applications.
  2. Click Stop for Microsoft Teams.

Microsoft Teams Security Settings

Customizing Tombstone Messages

If a message/file is tombstoned, a tombstone message will appear instead of the tombstoned message/file. The original message/file becomes inaccessible to the sender and the recipients in the chat/channel.

Administrators can customize the tombstone message for both messages and files.

To customize the tombstone messages:

  1. Navigate to Configuration > SaaS Applications.
  2. Click Configure for Microsoft Teams.
  3. To customize the tombstone message for messages, update the Microsoft Teams Message field.
  4. To customize the tombstone message for files, update the Microsoft Teams Files field.
  5. To allow users to unblock tombstoned messages, enable the Allow unblock message checkbox.
  6. Click Save.

Configuring Microsoft Teams Policy

Malware Policy

By default, the Microsoft Teams malware policy scans for malicious content in the files sent using Microsoft Teams.

Supported Actions

Microsoft Teams malware policy supports these actions:

  • Tombstone of files and text messages that contain malicious content.
    • If malicious content is found, the sender sees the tombstone message in place of the original message or file.
    • If malicious content is found, the recipient(s) see the tombstone message in place of the original message or file.
  • Alert sender: Sends an email notification to the sender of a file or message that contains malicious content.
  • Alert admin(s): Sends an email notification to the admin(s) about the malicious files or messages.

Configuring Malware Policy

To configure Malware policy:

  1. Click Policy on the left panel of the Avanan portal tenant.
  2. Click Add a New Policy Rule.
  3. From the Choose SaaS drop-down list, select Microsoft Teams.
  4. From the Choose Security drop-down list, select Malware and click Next.
  5. Select the desired protection mode (Detect and Remediate or Detect).
    If required, you can change the Rule Name.
  6. Under Blades, select the threat detection blades required for the policy.
    Note - To select all the blades available for malware detection, enable All running threat detection blades checkbox.
  7. Configure Actions required from the policy.
    • To tombstone messages, enable the Tombstone Message checkbox.
      Note - This option is available only in Detect and Remediate protection mode and when the URL Reputation threat detection blade is enabled.
    • To tombstone files, enable the Tombstone File checkbox.
      Note - This option is available only in Detect and Remediate protection mode and when the Anti-Malware threat detection blade is enabled.
    • To send email alerts to the sender about malware in messages and files, enable the Alert sender - messages and Alert sender - files checkboxes.
    • To send email alerts to admins about malware in messages and files, enable the Alert admin(s) - messages and Alert admin(s) - files checkboxes.

    Notes:

    • Even when the alerts are enabled here in the policy, the administrator receives email alerts for security events only if the Receive Alerts role is enabled under Specific Service Role.
    • To customize the email alert templates, click on the gear icon to the right of the alert.
  8. Click Save and Apply.

DLP Policy

By default, the DLP policy scans messages and files for potentially leaked information, such as credit card numbers and Social Security Numbers (SSNs).

Supported Actions

Microsoft Teams DLP policy supports these actions:

  • Tombstone of files and text messages that contain sensitive information.
    • If sensitive information is found, the sender sees the tombstone message in place of the original message or file.
    • If sensitive information is found, the recipient(s) see the tombstone message in place of the original message or file.
  • Alert sender: Sends an email notification to the sender of a file or message that contains sensitive information.
  • Alert admin(s): Sends an email notification to the admin(s) about the files or messages that contain sensitive information.

Configuring DLP Policy

To configure DLP policy:

  1. Click Policy on the left panel of the Avanan portal tenant.
  2. Click Add a New Policy Rule.
  3. From the Choose SaaS drop-down list, select Microsoft Teams.
  4. From the Choose Security drop-down list, select DLP and click Next.
  5. Select the desired protection mode (Detect and Remediate or Detect).
    If required, you can change the Rule Name.
  6. Under DLP Criteria, select the DLP categories required for the policy.
    For more details about the DLP rules and categories, see DLP Built-in Rules and Categories.
  7. Select the sensitivity level required for the policy.
    • Very high (hit count > 0)
    • High (hit count > 2)
    • Medium (hit count > 5)
    • Low (hit count > 10)
    • Very Low (hit count > 20)
  8. To exclude messages and files shared only with internal users from the DLP policy, enable the Skip Internal items checkbox.
  9. Configure Actions required from the policy.
    • To tombstone messages, enable the Tombstone Message checkbox.
      Note - This option is available only in Detect and Remediate protection mode.
    • To tombstone files, enable the Tombstone File checkbox.
      Note - This option is available only in Detect and Remediate protection mode.
    • To send email alerts to the sender about DLP violations in messages and files, enable the Alert sender - messages and Alert sender - files checkboxes.
    • To send email alerts to admins about DLP violations in messages and files, enable the Alert admin(s) - messages and Alert admin(s) - files checkboxes.

    Notes:

    • Even when the alerts are enabled here in the policy, the administrator receives email alerts for security events only if the Receive Alerts role is enabled under Specific Service Role.
    • To customize the email alert templates, click on the gear icon to the right of the alert.
  10. Click Save and Apply.
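The steps above combine three settings that decide whether a message is acted on: the DLP criteria (what counts as a hit), the sensitivity level (how many hits are needed, as "hit count > N"), and Skip Internal items. The following is an added illustration of how those settings fit together; it is not Avanan's implementation or its detection logic. It assumes two constructed detectors (credit card numbers validated with the Luhn checksum, and US SSN-formatted numbers), a hypothetical `internal_domains` set to stand in for "internal users", and a constructed sample message.

```python
"""Illustrative DLP policy evaluation for a Teams-style chat message.

Added example, not Avanan's code. The detectors, the `internal_domains`
set and the sample message are constructed for the illustration; the
sensitivity thresholds are the "hit count > N" values from the policy steps.
"""
import re
from dataclasses import dataclass, field

# A sensitivity level triggers when the number of DLP hits is strictly
# greater than its threshold (Very high: > 0, High: > 2, and so on).
SENSITIVITY_THRESHOLDS = {
    "very_high": 0,
    "high": 2,
    "medium": 5,
    "low": 10,
    "very_low": 20,
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN layout NNN-NN-NNNN, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_dlp_hits(text: str) -> list[tuple[str, str]]:
    """Return (category, matched_text) pairs; each pair is one DLP hit."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(("credit_card", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits


def is_internal(address: str, internal_domains: set[str]) -> bool:
    """Hypothetical 'internal user' test: the mailbox domain is one of ours."""
    return address.rsplit("@", 1)[-1].lower() in internal_domains


@dataclass
class Decision:
    scanned: bool                       # False when Skip Internal items applied
    hits: list = field(default_factory=list)
    triggered: bool = False
    action: str = "none"                # "tombstone", "alert_only" or "none"


def evaluate_dlp_policy(text, sender, recipients, *, sensitivity="very_high",
                        mode="detect_and_remediate", skip_internal=False,
                        internal_domains=frozenset()) -> Decision:
    """Apply the sensitivity threshold, the Skip Internal items switch and the
    protection mode to one message and say what the policy would do."""
    everyone = [sender, *recipients]
    if skip_internal and all(is_internal(a, internal_domains) for a in everyone):
        return Decision(scanned=False)
    hits = find_dlp_hits(text)
    if len(hits) <= SENSITIVITY_THRESHOLDS[sensitivity]:
        return Decision(scanned=True, hits=hits)
    # Detect mode records the event only; Detect and Remediate tombstones.
    action = "tombstone" if mode == "detect_and_remediate" else "alert_only"
    return Decision(scanned=True, hits=hits, triggered=True, action=action)


# Constructed sample: one Luhn-valid card, one invalid digit run, one SSN.
SAMPLE_MESSAGE = (
    "Constructed sample: please bill card 4111 1111 1111 1111 "
    "(old card 4111 1111 1111 1112 is cancelled), SSN 123-45-6789."
)

if __name__ == "__main__":
    for level in SENSITIVITY_THRESHOLDS:
        d = evaluate_dlp_policy(SAMPLE_MESSAGE, "alice@example.com",
                                ["bob@partner.example"], sensitivity=level)
        print(f"{level:>9}: hits={len(d.hits)} triggered={d.triggered} action={d.action}")
```

The sample yields two hits (the invalid card number is dropped by the Luhn check), so it triggers at Very high (> 0) but not at High (> 2), which is the practical difference between the sensitivity levels: raising the level trades missed single-item leaks for fewer alerts on messages that mention one number in passing. With `skip_internal=True` and every participant in `internal_domains`, the message is not scanned at all, which is why that checkbox should be enabled only where internal-only sharing is acceptable for the selected DLP categories.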

Viewing Microsoft Teams Security Events

Avanan records the Microsoft Teams detections as security events. The event type depends on the type of policy that created the event. You can handle the security events in different ways, whether they were detected and prevented automatically or discovered by administrators after not being prevented.

The Events screen shows a detailed view of all the security events.
