Microsoft Teams Security: Compliance Configurations

Why is compliance in Microsoft Teams so important?

Microsoft Teams brings together a company’s communication, projects, and collaboration. Discussions, meetings, files, and external guests all run on the same platform. This brings efficiency, but also poses significant risks:

  • Data may be deleted prematurely or in an uncontrolled manner.
  • External guests often retain access longer than necessary.
  • Compliance requirements such as GDPR, ISO 27001 or HIPAA are difficult to verify.
  • During audits, there is no evidence of where data is stored or how long it is retained.

Anyone who makes mistakes here risks fines, data leaks, and damage to their image.

This article therefore explains all the important compliance features of Microsoft Teams, with practical examples and tips on how to use them efficiently.

This specific area is only about regulatory compliance: the configurations do not necessarily affect the user experience with collaboration.

This is the second part of our three-part blog series about Microsoft Teams Security. Here we will dive into Microsoft Teams Security details related to compliance aspects. In Part 1, we took a deeper look at the settings for collaboration options in Microsoft Teams, while part 3 covers the specific configuration of security in Microsoft Teams.

1. What is Communication Compliance for Microsoft Teams?

Problem: Users may share confidential data or inappropriate content in chats. This can lead to data protection issues or even legal consequences.

Solution:

  • Communication Compliance Policies in the Purview Compliance Center allow messages to be scanned automatically.
  • Rules can detect sensitive information (e.g., credit card details) or prohibited words.
  • Compliance officers receive a notification in the event of rule violations.
Microsoft Communication compliance

For Microsoft Teams, the Microsoft Purview Portal allows admins to control communication compliance. Here you can configure your organization’s Microsoft Teams compliance settings as well as settings for other platforms.

You should make sure to check your admin permissions beforehand, though. Global Admin permissions are not sufficient in order to access and make changes in the individual areas of the M365 Purview Portal. At the moment, you can find the necessary Compliance permissions in two locations:

1. In the Office 365 Security & Compliance center under ‘Permissions’.

Right now the Office 365 Security & Compliance Center is gradually being replaced by the Microsoft Defender Portal, the Microsoft Purview Portal and the Exchange admin center.

2. Directly in the Microsoft Purview Portal under ‘Permissions’.

Compliance center permissions

Once you have accessed the Permissions in the Microsoft Purview Portal, simply filter the available permissions by entering ‘compliance’ in the search field. Click on the permission name, and in the new panel on the right side of the screen, scroll down to find the section titled ‘Members’. Click on ‘Edit’ and add the required user as a new member. Don’t forget to save after you’re done.

Permissions for communication compliance

What are the benefits of Communication Compliance?

Communication Compliance is designed to automatically detect inappropriate communication and notify reviewers, based on pre-defined policies. Common use cases include:

  • monitoring communications for offensive or discriminatory language
  • monitoring for sensitive information such as financial regulatory data or customer data
  • identifying potential conflicts of interest.

Use of AI: With the help of artificial intelligence, you can create policy templates that reliably identify violations of communication rules.

Real-time action: Administrators can review suspicious messages and, if necessary, immediately trigger measures, including automatic workflows.

Transparency: All relevant information is clearly displayed in a customizable dashboard.

The tools available in Communication Compliance offer a lot of options to control and monitor information and provide insights for improvements. These tools are definitely worth keeping in mind for optimizing communication and regulatory compliance.

Communication compliance for sensitive information

2. How can I change the Data Location for Microsoft Teams?

Data location in Microsoft 365 admin center

Problem: Companies need to know where their data is stored. In regulated industries, the location is often mandated. Therefore, make sure you keep an eye on the data storage laws in your country.

Solution:

  • Microsoft 365 assigns data to the data residency location depending on the organization.
  • You can use the Microsoft 365 Admin Center to check where chats, files, or Planner data are stored, for example.
  • Use the official Microsoft regions (e.g., Europe, Germany, USA).

Make sure you keep an eye on the laws regulating data location in your country. Microsoft supports you in complying with these laws by showing you where exactly your data is stored. For each Microsoft app, including Microsoft Teams, you can find out where your data is stored in these easy steps:

  1. Go to Microsoft 365 Admin Center.
  2. Select “Settings.”
  3. Select “Org settings.”
  4. Select “Organization Profile.”
  5. Select “Data Location.”
Organization profile: Data location

Practical tip:

Document the storage locations for internal and external audits. Update the overview regularly.

How can I set up data storage in different locations? (Multi-Geo Support)

Microsoft introduced the rollout of multi-geo capabilities at Microsoft Ignite 2021. With multi-geo support, users can track and manage the location of data. Users can also specify the data centers where they prefer their data to be stored, an important part of achieving data compliance and complying with security regulations.

Microsoft multi-geo support

3. How can I implement Data Retention Policies for Microsoft Teams?

Data retention in Microsoft Teams

Problem: Without retention policies, data may be deleted too early or retained for too long. Both scenarios pose a serious compliance risk.

Solution:

  • Retention policies for chats, channel messages, and files can be configured via the Microsoft Purview Portal.
  • Policies can apply to specific users, teams, or storage locations.
  • You can choose between retain and delete, retain only, or delete only.

Step by step:

  1. In the Purview Center, go to Information Governance → Retention Policies.
  2. Select a storage location (e.g., Teams chats).
  3. Set the retention period.
  4. Define a test group.
  5. Roll out to all teams.

Example:

A company in the financial sector is required to retain chats for at least 7 years. Retention policies can be used to ensure these requirements are met from a technical standpoint.

Product tip:

With Teams Manager, you can integrate retention settings directly into templates. This ensures that new teams are automatically created in compliance with regulations.

Microsoft information governance: Data retention policies

4. What is the Audit log for Microsoft Teams and how do I use it?

Microsoft Teams compliance: Audit

Problem: Without tracking options, it is not clear who made which changes.

Solution:

  • The Microsoft 365 Audit Log logs activities such as file downloads, team creations, and guest access.
  • It is enabled by default (for E3/E5 licenses). However, please check whether the audit logs are enabled or disabled for your tenants. (For more information, see the Microsoft documentation on enabling or disabling auditing.)
  • The logs can be searched and exported via the Security & Compliance Center.

Practical tip:

Set up alerts to be notified immediately of unusual activity (e.g., mass downloads).

You can find the full list of Teams activities in the Microsoft documentation:
https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-teams-audit-log-events
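
The mass-download alert from the practical tip can be prototyped against exported audit records. This is an added example, not part of the original article: the sample records are constructed, and the threshold of 10 downloads within 15 minutes is an assumption to tune per tenant.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one JSON record per line, shaped like the AuditData
# field of an audit log export (CreationTime, UserId, Operation, ObjectId).
SAMPLE_EXPORT = "\n".join(
    [json.dumps({"CreationTime": f"2024-05-06T09:{m:02d}:00",
                 "UserId": "guest1@partner.example", "Operation": "FileDownloaded",
                 "ObjectId": f"https://contoso.example/docs/f{m}.docx"})
     for m in range(12)]
    + [json.dumps({"CreationTime": "2024-05-06T09:05:00",
                   "UserId": "alice@contoso.example", "Operation": "FileDownloaded",
                   "ObjectId": "https://contoso.example/docs/plan.xlsx"}),
       json.dumps({"CreationTime": "2024-05-06T09:06:00",
                   "UserId": "alice@contoso.example", "Operation": "TeamCreated",
                   "ObjectId": "Project X"}),
       "damaged export row"]
)

def parse_records(text):
    """Yield (time, user, operation) per JSON line, skipping malformed rows."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            yield (datetime.fromisoformat(rec["CreationTime"]),
                   rec["UserId"].lower(), rec["Operation"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # a damaged row must not stop the scan

def mass_download_alerts(text, threshold=10, window_minutes=15):
    """Return {user: peak count} for users with >= threshold downloads in the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> download times inside the sliding window
    peaks = {}
    downloads = sorted(e for e in parse_records(text) if e[2] == "FileDownloaded")
    for ts, user, _ in downloads:
        times = recent[user]
        times.append(ts)
        while ts - times[0] > window:  # drop downloads older than the window
            times.popleft()
        if len(times) >= threshold:
            peaks[user] = max(peaks.get(user, 0), len(times))
    return peaks
```
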

5. How does eDiscovery for Microsoft Teams work?

Microsoft compliance: eDiscovery

Problem: In legal disputes or investigations, data must be provided quickly and in its entirety.

Solution:

  • With eDiscovery (Standard), you can search, secure, and export content in Microsoft Teams, Microsoft 365 Groups, SharePoint Online, OneDrive for Business, Viva Communities, Exchange Online mailboxes, etc.
  • eDiscovery (Premium) also offers case management, analysis, and reduction of large amounts of data.
  • Chats, files, meetings, and channel messages can be searched.
  • Searching for data, creating holds, exporting content, and other relevant actions are easy to set up and relatively simple to use.
  • Setting up the right search query, on the other hand, requires a little effort.

Practical tip:

Define standard processes for who in the company creates eDiscovery cases and how exports are checked.

Product tip:

With External User Manager, you can also document external access so that it is clear whether guests need to be included in the search.

Microsoft Advanced eDiscovery: Choose locations for hold

How to Use Relevant eDiscovery Tools?

There are numerous options for setting up eDiscovery. To list and explain them all would go beyond the scope of this article. Please refer to this Microsoft document for more details: https://learn.microsoft.com/en-us/microsoft-365/compliance/ediscovery

6. How do I manage external users in Teams?

Problem: Guests are often invited but remain permanently, often even after the project has ended. This poses a major compliance risk.

Solution:

  • Guest accounts can be managed manually in Entra (Azure AD).
  • Lifecycle policies ensure that guests are reviewed regularly.
  • Companies should establish processes for how and when guests are removed.

External User Manager automates this process:

  • Guests are checked via workflows upon entry (e.g., NDA agreement).
  • Access expires automatically after the end of the project or deadline.
  • Reports show which guests have access.
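
The regular guest review described in the solution above can be scripted over an export of guest accounts. This is an added example, not code from the article or from External User Manager: the records are constructed and use Microsoft Graph user property names, and the 90-day idle and 30-day pending limits are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records using Microsoft Graph user property names.
USERS = [
    {"mail": "g1@partner.example", "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2023-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-03-01T10:00:00Z"}},
    {"mail": "g2@partner.example", "userType": "Guest",
     "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-01-05T08:00:00Z"},
    {"mail": "g3@partner.example", "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2024-02-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T10:00:00Z"}},
    {"mail": "g4@partner.example", "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2023-11-01T08:00:00Z"},  # sign-in data not available
    {"mail": "bob@contoso.example", "userType": "Member",
     "createdDateTime": "2019-01-01T08:00:00Z"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed review date for the sample

def _ts(value):
    """Parse a Graph timestamp; the trailing 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def guests_to_review(users, now, max_idle_days=90, max_pending_days=30):
    """Return (mail, reason) for guests that should be reviewed or removed."""
    findings = []
    for u in users:
        if u.get("userType") != "Guest":
            continue  # members are out of scope for the guest review
        created = _ts(u["createdDateTime"])
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if u.get("externalUserState") == "PendingAcceptance":
            if now - created > timedelta(days=max_pending_days):
                findings.append((u["mail"], "invitation not accepted"))
        elif last is None:
            # No sign-in data: fall back to account age rather than ignoring the guest.
            if now - created > timedelta(days=max_idle_days):
                findings.append((u["mail"], "no recorded sign-in"))
        elif now - _ts(last) > timedelta(days=max_idle_days):
            findings.append((u["mail"], "inactive"))
    return findings
```
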

FAQ: Microsoft Teams Compliance

What compliance requirements apply to Microsoft Teams?

That depends on the industry and region. Examples include GDPR, ISO 27001, and HIPAA.

Can I prevent data from being easily deleted in Teams?

Yes, retention policies can be used to specify retention periods.

How do I document external access?

By default, via Entra/Azure AD; more easily and automatically with External User Manager.

Do I need premium licenses for compliance in Teams?

Many features, such as eDiscovery Premium or Advanced Audit, require E5 licenses or add-ons.


Conclusion: Ensuring compliance in Teams

Microsoft provides extensive compliance features, from retention policies and audit logs to eDiscovery. However, configuration is complex and time-consuming. Many companies reach their limits, especially when it comes to external guests and consistent implementation of retention policies.

With Teams Manager and External User Manager from Solutions2Share, this effort can be reduced:

  • Consistent governance right from the start.
  • Automated control of external guests.
  • Reports and evidence for audits at the touch of a button.

👉 Book a demo now and implement sustainable compliance in Microsoft Teams!

This concludes the second part of our three-part blog series about Microsoft Teams Security with Compliance Configurations. Take a look at Part 1, where we took a deeper look at the settings for collaboration options in Microsoft Teams. Or go to part 3 with specific configurations of security in Microsoft Teams.

Copyright 2021 © Solutions2Share GmbH
