13 Jul External Sharing in Microsoft Teams: Secure Access for Guest Users & External Collaborators
Posted at 14:30h in Blog Posts
17 July 2020 · 5 min read
External sharing is an essential part of collaboration for many organizations. Whether providing access to guest users or inviting external collaborators on different projects or engagements, setting up access controls is necessary.
Microsoft Teams has become the main collaboration and productivity application for most organizations. Overseeing external collaboration is important when third parties, such as expert witnesses, are provided with access to single or multiple projects or engagements from different locations.
And while the risk might not be visible right now, once the shared data leaves the organization, there is no control over it or where it ends up. As a result, numerous security and privacy complications arise.
1. Determine the Type of Access: Guest Access vs. External Access
Before jumping into it, there is a need to determine the type of access needed. Organizations need to evaluate whether (a) this is a one-time collaboration where the user needs only external access or (b) this is a continuous collaboration over a specific time frame, prompting guest access.
This table helps explain the major differences between the two:
By default, Microsoft Teams also restricts guest users from:
- Searching for people outside of Teams
- Accessing OneDrive
- Viewing the organizational chart
- Creating or revising a team
- Browsing for a team
- Uploading files in a user-to-user chat
- Accessing calendars, seeing scheduled meetings, or corresponding details
- Making PSTN calls through Teams.
Office 365 enables granular controls, but they can be difficult to manage. Controls are spread out across different administration centers, making it difficult to set up proper security permissions for external sharing.
It becomes even more problematic when Teams, Channels, and projects or engagements cannot be properly tracked due to limited metadata. Because of this, projects and corresponding documents are not accurately secured for all internal and external users.
There are a couple of ways to ensure secure external collaboration for Microsoft Teams:
Track Guest Users & External Collaborators to Projects (Matters)
Document Management System (DMS) integration with Microsoft Teams provides easier access management capabilities. While Microsoft Teams does not offer the ability to properly track projects or associated matters, assigning custom metadata linked to a directory solves this problem. And automatic provisioning for Teams can result in consistent client and project (matter) IDs for easier content location and governance.
It also means that a Team or a Channel can be identified through its corresponding client or project/matter number. Tracking guest users to set up access controls and permissions becomes easier. It also limits inappropriate access for any guest user or external collaborator. Automating this process ensures efficiency and privacy compliance.
Allowing your invited guest users to have directory access or to invite fellow guests to Teams are just some of the security controls to consider. You can even moderate and set up messaging rules, like allowing a guest user to delete messages or use GIFs. But providing the right access to Teams & Channels is just one part of the story.
The other side is limiting guests' access, on a need-to-know basis, to only the content necessary for collaboration, without infringing the privacy rights of other users. By limiting content access, you ensure privacy compliance while securely collaborating with others outside your organization.
While there is no set way to provide external or guest user access, we’ve developed a set of best practices from our own experiences here at Prosperoware to help guide the process.
Enforcing Information Barriers to Handle Sensitive Information
Dealing with sensitive data is a daily occurrence for most organizations. Although Office 365 has powerful tools to enable Information Barriers for access to personal and other types of sensitive information, configuration of tenants for workspaces is still necessary.
IT administrators have the capability to add guest users at the tenant level. They can then use the Microsoft Teams admin center to manage access and permissions and obtain reports on guest user activity.
When organizations with multiple departments have different external sharing requirements and restrictions, the situation can get complicated pretty quickly. While these requirements and restrictions can be set up through the user interface, an organization’s IT team will find it quite difficult and complicated. This can all be resolved through automating external collaboration access on a need-to-know basis.
To add to the challenge, enforcing such barriers requires complex PowerShell scripting. When scripting is required across hundreds or thousands of projects or matters, organizations will experience a surge in costs and inefficiency.
Being able to automatically apply or carry over information barriers from other systems is one way to solve this challenge. It saves immense costs and time for manual scripting, reducing the likelihood of errors and strengthening security.
Terminating Access for Guest Users & Collaborators
Once collaboration has ended with the guest or external user, organizations need to terminate Teams access. This needs to be carried out on time (upon project/matter ending) and across multiple projects (for all Teams & Channels in which access was provided). The practice of de-provisioning access decreases your organization’s liability for data shared and stored. It also increases overall content security whereby organizations control access on a need-to-know basis.
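A sketch of the de-provisioning check described above, combined with the matter-ID tracking from the earlier section. This is an added example, not code from the original post or from Prosperoware CAM. The matter directory, the membership export, its field names, and all team and user names are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the original post): a matter directory
# and a Teams membership export where each Team carries a matter ID as metadata.
MATTERS = {
    "M-1001": {"client": "C-01", "closed_on": date(2020, 6, 30)},
    "M-1002": {"client": "C-01", "closed_on": None},  # still open
}
TEAMS = [
    {"team": "Acme Litigation", "matter_id": "M-1001",
     "members": [("alice@firm.example", "Member"),
                 ("expert@witness.example", "Guest")]},
    {"team": "Acme Litigation - Discovery", "matter_id": "M-1001",
     "members": [("expert@witness.example", "Guest")]},
    {"team": "Acme Advisory", "matter_id": "M-1002",
     "members": [("expert@witness.example", "Guest")]},
    {"team": "Misc Project", "matter_id": None,  # no matter metadata assigned
     "members": [("vendor@partner.example", "Guest")]},
]

def plan_guest_offboarding(teams, matters, today):
    """Return (removals, untracked): guests to remove from Teams whose matter
    has closed, and Teams with guests that cannot be tied to any matter."""
    removals, untracked = [], []
    for t in teams:
        guests = sorted(u for u, kind in t["members"] if kind == "Guest")
        if not guests:
            continue
        matter = matters.get(t["matter_id"])
        if matter is None:
            untracked.append(t["team"])  # cannot decide without a matter link
            continue
        closed = matter["closed_on"]
        if closed is not None and closed <= today:
            removals.extend((t["team"], g) for g in guests)
    return removals, untracked

def guests_fully_offboarded(teams, removals):
    """Guests left with no Team access once the planned removals are applied."""
    removed = set(removals)
    remaining = {u for t in teams for u, kind in t["members"]
                 if kind == "Guest" and (t["team"], u) not in removed}
    return sorted({g for _, g in removals} - remaining)

if __name__ == "__main__":
    removals, untracked = plan_guest_offboarding(TEAMS, MATTERS, date(2020, 7, 17))
    print(removals, untracked, guests_fully_offboarded(TEAMS, removals))
```

In the sample data the expert witness loses access to both Teams of the closed matter but keeps the guest account because of the open matter, while the Team without a matter ID is reported for manual review rather than silently skipped.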
How Prosperoware CAM Helps
Prosperoware CAM is an enterprise privacy management platform for collaboration systems in the cloud and on-premises. CAM’s unique approach lies in the pairing process with governance. It enables process improvement around the management of office documents and reduces risks related to privacy & cybersecurity. CAM integrates with a variety of content systems, including Microsoft Teams.
CAM tackles the challenges related to Microsoft Teams and external collaboration through:
- DMS integration with iManage & NetDocuments to keep track of your projects, clients, and users in a project/matter directory
- Managing (provisioning & de-provisioning) internal and external users and groups across systems
- Rich metadata capabilities to ensure identification of appropriate documents for transfer & external sharing
- Granular guest access control without the need for PowerShell scripting
- Automatic application of information barriers from iManage SPM and Intapp Walls, and more