Microsoft Teams Compliance is the set of processes for meeting legal, regulatory, or organizational policies. For example, regulatory compliance includes:
- Regulations imposed through laws or regulatory frameworks, typically dependent on jurisdiction.
- Example documents include contracts, invoices, tax documents, employee files, and customer data.
- Other examples include data residency and meeting specific certification requirements.
Microsoft Teams compliance covers many topics across the Office 365 feature set. This is because Microsoft Teams brings together many Office 365 apps and services into a single user interface. To understand compliance, we need to look at overall Office 365 features. These features cover most applications available in Office 365 that are accessible through Teams. We also need to look at the compliance functionality available in each application, which sometimes differs from the features available in Office 365 overall.
In this article, we are going to supply an overview of all the compliance features used by Microsoft Teams. Security and managing access to data is undoubtedly a vital compliance topic. Because we have so much to cover, we are going to focus on the non-security components of compliance in this post.
Here is what we will cover:
- Firstly, we need to understand where Microsoft locates Microsoft Teams data. Where we find the information is where the compliance magic happens.
- Next, we are going to talk about how Microsoft licenses compliance features and the overall certifications that both Microsoft Teams and Office 365 have.
- Then, another hot topic, which is data residency and how to meet those requirements.
- Then the newest kid on the block. Microsoft Teams Information Barriers.
Read These Related Posts!
There are two other essential Microsoft Teams compliance topics that we will not cover today. The reason is that they are so vital that they have dedicated posts. These are:
- Office 365 Retention and Records Management: How to ensure content is kept for a proper amount of time and not prematurely deleted. Also, how to delete content permanently when appropriate.
Where is Microsoft Teams Data Located?
As you may know by now, there is no data that sits in Microsoft Teams. Teams stores the data in other services and then surfaces it visually in the Microsoft Teams user interface. This architecture is why it is imperative to understand the data location for Microsoft Teams compliance.
As an example, you cannot put a retention policy on an entire Microsoft Team and have it cover all the files, conversations, and other data. You must think about each component that’s in the Team and apply the compliance policy there.
As another example, if you want to apply retention to files in one-to-one chats, Teams stores them in OneDrive for Business. You would need to set a retention policy or a retention label to the user’s OneDrive.
Where is Teams Chat Data Located?
A copy of Teams chats is stored in user mailboxes for compliance and eDiscovery purposes. If you have a one-on-one chat with somebody, Teams stores a copy of the conversation in each user’s Exchange mailbox. This information is in a hidden folder that can only be accessed by administrators and Office 365 search services.
A chat with a bot is technically the same as a chat with a human. Teams also stores a copy of these conversations in the hidden chat folder in each user’s Exchange mailbox.
If you share a file in a one-to-one chat or one-to-many chat, then it is going to be stored in a OneDrive folder. That location is where Microsoft Teams compliance will be managed.
Where is Teams Channel Data Located?
When you create a Microsoft Team, a few services are also provisioned to support it. Firstly, it creates an Office 365 Group. This Group manages the permissions for the Team, and it also has an Exchange Group Mailbox. Additionally, it creates a SharePoint site for the Team. This location is where files will be stored.
Teams stores a copy of all channel conversations in the Exchange group mailbox. See the section below on the Chat Substrate for additional information related to the chats and conversation service. Teams treats posts in the channel conversation created by a connector or bot the same as any other conversation.
When a user shares a file or image in a channel conversation, Teams stores the file in SharePoint. This location is where we manage Microsoft Teams compliance. The SharePoint site has a library called Documents, with a folder for each Teams channel. The files tab in each channel shows documents that are in the corresponding channel folder. Because of this, a document uploaded via Teams or the SharePoint user interface will always appear in both places.
Teams also stores emails sent to a Microsoft Teams channel in the Documents library, in the channel folder. When you submit the first email, Teams will create a new folder called Email Messages, within the channel folder.
In addition to files, there is a Wiki tab in each Microsoft Team. Teams stores the wiki data in a SharePoint document library called Teams Wiki Data. Again, each channel has a folder inside this library, and then each wiki page is stored as a .mht file inside the channel folder.
If you create a OneNote for the Team, then it will be stored in the SharePoint site in the Site Assets document library.
Where is Teams Meeting and Call Information Located?
Calendar invites are a particular case because there is a copy of each invite in both the group calendar and the Exchange mailbox. There is also a copy in the user mailbox when they accept the meeting.
The Skype (or Teams) call itself is launched from the individual’s Exchange mailbox, which includes both voice and video calls. After the meeting, Teams stores a summary in the user’s mailbox. This location is where meeting and call information is managed for Microsoft Teams compliance.
If you are using Microsoft Teams for VOIP calls, then all the information is driven from the user’s Exchange mailbox. Firstly, contacts are stored, and the company directory is stored or accessed through Exchange. Secondly, Teams stores any voicemails or transcripts in the user’s mailbox. Finally, the call history and summaries are also stored there.
Where is Other Microsoft Teams Data Stored?
Let us look at where Microsoft Teams stores other related data. We do this by breaking down this functionality into a list of features. We look at where the data is stored, and how you would apply Microsoft Teams compliance in the chart below.
If you are using Microsoft Teams with Exchange on-premises, please see this article. It details where Teams stores the data in these cases.
| Feature | Where the data is stored | How compliance is applied |
|---|---|---|
| Chats | Exchange – User Mailbox | Follows the Office 365 retention policy or label applied to Microsoft Teams chats |
| Conversations | Exchange – Group Mailbox | Follows the Office 365 retention policy or label applied to Microsoft Teams channels |
| Files in a 1:1 or group chat | OneDrive for Business | Follows the Office 365 retention policy or label applied to the user’s OneDrive |
| Files in a Team | SharePoint | Follows the Office 365 retention policy or label applied to the SharePoint site |
| Third party file integration | Within the 3rd party service | Third party service |
| Group email and calendar | Exchange – Group Mailbox | Follows the Office 365 retention policy or label applied to the Team Exchange group mailbox |
| Planner | Planner | No compliance functionality |
| PowerBI | Source data system | The service where the data resides would manage compliance policies, not PowerBI |
| Stream | Stream | No compliance features |
| Yammer | Yammer | No compliance features |
| Bots | Chat or Conversation in Teams | Follows the Office 365 retention policy or label applied to Microsoft Teams chats or conversations |
| Connectors | Conversation in Teams | Follows the Office 365 retention policy or label applied to Microsoft Teams conversations |
| Tabs | A tab provides a view to content that resides in another location | The service where the data resides would manage compliance policies |
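To show what "apply the policy where the data lives" means in practice, here is an added example (not from the original post) that covers one team with one retention policy per store, using the Security & Compliance PowerShell retention cmdlets. The team address, user names, OneDrive URLs, policy names and the seven-year duration are hypothetical.

```powershell
# Added example. All addresses, URLs, names and the duration are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell

$team     = 'project-falcon@contoso.example'   # the team's Office 365 Group
$members  = 'ana@contoso.example', 'raj@contoso.example'
$oneDrive = 'https://contoso-my.sharepoint.com/personal/ana_contoso_example',
            'https://contoso-my.sharepoint.com/personal/raj_contoso_example'
$days     = 2555                               # roughly seven years

# One policy per store. Teams message locations cannot share a policy with
# SharePoint, OneDrive or group locations, so they get policies of their own.
$policies = @(
    # Channel conversations (copy kept in the group mailbox)
    @{ Name = 'Falcon - channel conversations'; Location = @{ TeamsChannelLocation = $team } }
    # 1:1 and group chats (copy kept in each user's mailbox)
    @{ Name = 'Falcon - member chats';          Location = @{ TeamsChatLocation = $members } }
    # Files in the team's SharePoint site plus group mail and calendar
    @{ Name = 'Falcon - site and group mail';   Location = @{ ModernGroupLocation = $team } }
    # Files shared in chats (stored in each user's OneDrive)
    @{ Name = 'Falcon - chat files';            Location = @{ OneDriveLocation = $oneDrive } }
)

foreach ($p in $policies) {
    $location = $p.Location
    New-RetentionCompliancePolicy -Name $p.Name @location | Out-Null
    New-RetentionComplianceRule -Name "$($p.Name) rule" -Policy $p.Name `
        -RetentionDuration $days -RetentionComplianceAction Keep | Out-Null
}

# Check that every policy was distributed to its location before relying on it.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object Name -like 'Falcon - *' |
    Format-Table Name, Enabled, DistributionStatus
```

Planner, Stream, Yammer and third-party storage have no entry here because, as the table states, they are not governed by these policies.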
Other Teams Locations
Here are a few more details about the areas we have not yet discussed.
- Third-Party File Integration: Teams can show files from a location outside of Office 365, such as Box or Dropbox. Compliance for the files would occur in the service for the location of the data, such as Box.
- Planner: Microsoft Planner can help you manage tasks and projects. There currently is no compliance functionality for Planner. However, in the Microsoft documentation for Office 365 Retention, there is a note. It says, “[retention policy] Support for content in Planner…is coming soon”.
- Power BI: Power BI is a data dashboard tool. Given that, the data location is not Power BI, but in the database, Excel document, or another place where the data resides.
- Stream: Microsoft Stream is where video from Microsoft Teams recordings is stored. There is no compliance or retention functionality available.
- Yammer: There is currently no compliance functionality for Yammer. But the note in the Retention documentation linked in the Planner bullet says it is coming soon.
- Tabs: A tab simply provides a view into content located in an app or service. That service would govern the data displayed in the tab.
The Microsoft Teams Chat Substrate
For compliance purposes, it is essential to understand how Microsoft Teams processes chat data. Teams uses an Azure-powered chat service that technically stores chat and channel messages. Only a copy of chats and conversations is kept in the user mailbox for compliance purposes. By default, this service stores the information forever.
The diagram below is from the Microsoft article “Overview of security and compliance in Microsoft Teams.”
How Office 365 Compliance Features are Licensed
Next, let us look at how Microsoft Teams compliance is licensed. Office 365 licensing is essential to understand. This is because some of the features we refer to in this article aren’t going to be available unless you have the right license. Some need either an E5 license or the Office 365 Advanced Compliance SKU.
The Advanced Compliance SKU is an add-on that you can buy if you have an Office or Microsoft 365 E3 license and you do not want to buy the entire E5 license. The Advanced Compliance SKU includes the compliance features we are discussing today. It does not include other E5 functionality.
The diagram above shows you what I consider to be compliance features. I got the image from Aaron Dinnage’s GitHub project and modified it for this purpose.
Microsoft and Office 365 E3 Compliance Functionality:
- Retention Policy includes basic retention functionality, such as creating retention labels and policies.
- Data Loss Prevention protects sensitive data in SharePoint, Office 365 Groups, and OneDrive.
- We cover Audit Logging in the linked article (coming soon).
- We cover eDiscovery in the linked article (coming soon).
Microsoft and Office 365 E5 Compliance Functionality and the Office 365 Advanced Compliance SKU:
- Customer Key controls your organization’s encryption keys. You then configure Office 365 to use them to encrypt your data at rest in Microsoft’s data centers.
- Customer Lockbox ensures that Microsoft cannot access your content to perform a service operation without your explicit approval.
- Privileged access management allows granular access control over privileged admin tasks in Office 365.
- Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails.
- Advanced Data Governance covers many compliance features, such as the automatic application of retention labels and policies, disposition review, file plan manager, event-based retention, and more.
- We cover Advanced eDiscovery in the linked article (coming soon).
- Data Loss Prevention for Teams: allows you to protect sensitive information in chats and channels.
- We cover Information Barriers in the section below.
How Office 365 Compliance is Certified
When we think about compliance and Office 365, it is vital to understand how Microsoft certifies their different services. Microsoft has different tiers of compliance certification that are labeled A, B, C, and D. These are important to understand for Microsoft Teams compliance.
The chart above comes from the Compliance Framework for Office 365 whitepaper from Microsoft. You can see in the table what certifications or commitments they have met for each one of the tiers.
Tier D has the strictest requirements, meeting the commitments listed in tiers A-D. Microsoft Teams and all the related services are Tier D compliant. Looking a little further, when we highlight all the features that are in Microsoft Teams, you can see they are all Tier D compliant except for Planner.
Microsoft Teams Data Residency
What is data residency? Data residency refers to the physical or geographic location of an organization’s data or information. If you are an existing Office 365 customer, you can look at where your data is found at rest right now. The location of your data is important to understand for Microsoft Teams compliance.
Here is how you find the location of your Office 365 data. You must be a tenant administrator.
- Browse to Office 365 Tenant Administration.
- Click on settings > organizational profile > data location.
Here you can see where Microsoft locates your Exchange, SharePoint, Skype for Business, and Microsoft Teams data.
If you are not an existing Office 365 customer, or if you have not started to use one of these services, there is a different tool you can use. By the way, “using Microsoft Teams” means that one user from your tenant has logged into Microsoft Teams.
The Office 365 data location map allows you to view where all the Microsoft data centers exist in the world. You can also see what services are provided by each data center. This helps you meet your Microsoft Teams compliance residency needs.
To use the data location tool, follow these steps.
- Navigate to https://products.office.com/en-us/where-is-your-data-located.
- Select your company location, OR your geography.
- It shows the available data centers along with the exact location for data at rest for Office 365 and Azure.
Your data will always be replicated between two data centers to ensure redundancy for uptime.
Data Residency Example for Microsoft Teams
Let us say you are a government organization located in Australia. You have a law with which you need to comply that says all government data must stay in Australia. Here are the steps you will need to follow to enable multi-geo.
- Purchase the Multi-Geo Capabilities in Office 365 service plan from Microsoft.
- Enable Multi-Geo in Exchange and SharePoint.
- Set the PreferredDataLocation (PDL) for each user in Azure connect.
Once you complete these steps, here is what will happen when a user creates a new Microsoft Team:
- A user in Australia clicks create Team.
- An Office 365 Group is created in Australia because that is the user’s PDL.
- The Office 365 Group creates the Exchange Group Mailbox.
- It creates a SharePoint site in Australia based on the PDL.
- The user’s OneDrive and Exchange mailbox are already located in Australia for Teams chats.
If you need to move existing Exchange Mailboxes and SharePoint sites (and therefore existing Teams data) to a different geography, you can follow these instructions.
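Because the new Group, mailbox and site follow the creating user's PDL, a user with no PDL set is the gap to find before teams are created. The following added example (not from the original post) audits PreferredDataLocation with Microsoft Graph PowerShell. It assumes Australian users are identified by a UsageLocation of AU, and the output file name is hypothetical.

```powershell
# Added example. 'AUS' is the Multi-Geo code for Australia. Selecting users by
# UsageLocation 'AU' is an assumption about how this tenant identifies them.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All'

$expectedGeo = 'AUS'
$props = 'id', 'userPrincipalName', 'usageLocation',
         'preferredDataLocation', 'onPremisesSyncEnabled'

# preferredDataLocation is only returned when it is requested explicitly.
$auUsers = Get-MgUser -All -Property $props |
    Where-Object { $_.UsageLocation -eq 'AU' }

$report = $auUsers | Select-Object UserPrincipalName, PreferredDataLocation,
    @{ Name = 'Synced';    Expression = { [bool]$_.OnPremisesSyncEnabled } },
    @{ Name = 'Compliant'; Expression = { $_.PreferredDataLocation -eq $expectedGeo } }

$gaps = @($report | Where-Object { -not $_.Compliant })

if ($gaps.Count -gt 0) {
    # Synced users are corrected at the directory source so the next sync
    # does not overwrite the value; cloud-only users are set in the cloud.
    Write-Warning "$($gaps.Count) of $(@($auUsers).Count) AU users lack PDL '$expectedGeo'."
    $gaps | Sort-Object Synced, UserPrincipalName | Format-Table -AutoSize
    $gaps | Export-Csv -Path '.\pdl-gaps.csv' -NoTypeInformation   # hypothetical file name
} else {
    Write-Output "All $(@($auUsers).Count) AU users have PDL '$expectedGeo'."
}
```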
Microsoft Teams Information Barriers
Our final topic is Microsoft Teams information barriers. Information Barriers prevent individuals or groups from chatting with one another or sharing documents. Information barriers are important for Microsoft Teams compliance in some organizations. At the time we authored this article, information barriers were still in preview and not generally available.
Microsoft does not yet support information barriers for SharePoint and OneDrive file collaboration. However, that is coming soon. Microsoft has not announced a date yet for this release, but it’s something they call out very clearly in the documentation.
If you want to manage these policies, you will need to use the PowerShell cmdlets, and I have the documentation for that linked here.
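As an added example (not from the original post), this is what a barrier between two groups looks like with those cmdlets in Security & Compliance PowerShell. The segment names, the Department values they filter on, the policy names and the two user addresses are hypothetical.

```powershell
# Added example. Segment names, Department values, policy names and user
# addresses are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell

# 1. Segments are groups of users selected by a directory attribute filter.
New-OrganizationSegment -Name 'Research' -UserGroupFilter "Department -eq 'Research'"
New-OrganizationSegment -Name 'Sales'    -UserGroupFilter "Department -eq 'Sales'"

# 2. A block is one-directional, so a barrier between two segments needs a
#    policy on each side. Create both as Inactive so they can be reviewed.
New-InformationBarrierPolicy -Name 'Research-blocks-Sales' `
    -AssignedSegment 'Research' -SegmentsBlocked 'Sales' -State Inactive
New-InformationBarrierPolicy -Name 'Sales-blocks-Research' `
    -AssignedSegment 'Sales' -SegmentsBlocked 'Research' -State Inactive

# 3. Review what is about to be enforced.
Get-OrganizationSegment | Format-Table Name, UserGroupFilter
Get-InformationBarrierPolicy |
    Format-Table Name, AssignedSegment, SegmentsBlocked, State

# 4. Activate both policies, then start applying them to users.
'Research-blocks-Sales', 'Sales-blocks-Research' | ForEach-Object {
    Set-InformationBarrierPolicy -Identity $_ -State Active
}
Start-InformationBarrierPoliciesApplication

# 5. Application runs in the background; check progress, then verify the
#    barrier between one user from each segment.
Get-InformationBarrierPoliciesApplicationStatus
Get-InformationBarrierRecipientStatus -Identity 'ana@contoso.example' `
    -Identity2 'raj@contoso.example'
```

A user whose Department value matches neither filter belongs to no segment and is not restricted, so the segment review in step 3 is the place to catch missing or misspelled attribute values.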
Now you know everything about Microsoft Teams compliance! Please add your questions in the comments.