Manage Content Sprawl in Teams
Many of us rolled out Teams in the spring of 2020 as the pandemic sent us all home. We connected our newly remote users to each other and to our organization resources. We got everyone productive and helped them adapt to their new telework situations.
As content moves to Teams and collaboration begins to take off, prudent customers are taking steps toward managing it. The most common tools our customers use are:
Microsoft Security and Compliance retention rules enable you to apply retention to content you have not only in Teams, but across the Microsoft O365 platform. Starting with a written corporate document retention policy, you will define the kinds of content your org cares about (i.e. document types like Invoice, Employee Applications, Contracts,) how long that content should be kept (1 year, 7 years, etc.,) the trigger that kicks off your retention period (Create Date, Employee Termination, Contract End Date,) and disposition (delete immediately, forward to compliance for review and action.) You can even designate content as being an “Official Record,” which makes the content immutable.
You can apply these retention rules with Retention Label Policies and Retention Policies.
Retention Label Policies are associated with Retention Labels you define that articulate the duration, trigger, and disposition of your content. The Label becomes an immutable property of your content and follows your content wherever it might go across the O365 platform. The Retention Label Policy makes the Label available wherever you decide.
Retention Policies are applied to broad locations like Document Libraries or Folders, for example. Any content in a container with a Retention Policy attracts that policy so long as it remains in that container. So, if you save all your Invoices to a Finance and Accounting Document Library that has a Retention Policy to keep content for 7 years after create date and delete, that policy will apply to all your Invoices. If you move an Invoice out of that Library, it loses the policy.
From Microsoft Docs, Get started with retention policies and retention labels:
Ready to start governing your organization's data by retaining the content that you need to keep, and deleting the content that you don't? Use the following high-level guidance to get started:
Understand how retention works in Microsoft 365, and then identify whether you need to use retention policies or retention labels, or a combination: Learn about retention
Identify the retention settings and actions that are required by your organization policies or industry regulations.
As part of this assessment, determine whether you will use records management.
Create retention policies and retention labels, based on the retention settings and actions that you identified.
For retention labels, you might find it useful to use file plan to define and refine your retention labels in a spreadsheet. Then, import that spreadsheet to create your labels.
Publish and apply your retention labels. While retention policies are designed for "set it and forget it" configuration, retention labels are reusable building blocks that can be used in multiple policies and can be incorporated into user workflows. See the list of common scenarios to help you identify how retention labels can be used.
Data Loss Prevention
Your tenant has sensitive content on it: SSNs, Credit Card #s, Passport #’s, Bank Account #’s, etc. There are lots of good reasons why that kind of content might be on your tenant and why staff may share, discuss, and include this kind of content in docs, emails and conversations as part of their duties. What isn’t good is when that content goes places it shouldn’t go, when it is exposed to users who shouldn’t see it or when it leaves the tenant.
Microsoft DLP controls help you to identify that content, where it resides on your tenant, discover the appropriate uses for that content, and apply rules that limit how that content is shared and used. Two AP clerks share a list of SSNs for staff that need adjustments to expense reports. That’s fine. But if one of those AP clerks attempts to share that same list with a Guest in a Team, the share is blocked.
Depending on how you compose your rules, content can be blocked, users are warned and given the option to override a restraint, or just given a warning about the sensitive nature of the content. Your business requirements will drive what content should be protected and how it should be protected across the organization.
Office 365 E3 licenses will get you DLP for SPO, OD4B, and Exchange Online. For those wanting to extend DLP to Teams Chat and Channel messages, you’ll need E5/A5/EMS E5, or Microsoft 365 Information Protection and Governance or Office 365 Advanced Compliance.