Information Protection reduces the risk with guest invites into Teams

I have met a lot of customers who have hesitated to enable the possibility to invite external guests into Teams (and SharePoint/OneDrive). In all cases the concern is about information leakage: “What if our users invite others who then get access to sensitive information?”


The solution in all these scenarios is classification and protection.

If the information is classified correctly with protection for sensitive information, we can mitigate the risks of information leakage.

Let’s take an example with this scenario.

The business requirements

This organization wants to be able to invite external guests.

They have a couple of projects that need to include external users, who also need to be able to access sensitive project information.

They also have internal information that needs to be blocked for the external users. There are also internal SharePoint and Team sites that can’t allow external guests at all.

The Solution

Let’s start with the last business requirement, where we need to define which sites should allow external invites.
Based on the classification of the site itself, we are able to define whether external invites are allowed or not. In this scenario, Confidential sites allow external invites while Secret sites do not.
More about what’s behind the scenes can be read in my previous post.


Let’s focus on an example for a sensitive project that should only be accessible for the project members (both internal and external users).

This is Project Delta

The project leader, Peter, can invite members (because this is a site classified as Confidential), and in this case he invites an external account via Azure AD B2B.

The external user gets an invite and is able to access this Teams site.



When we look at all the information stored on this Teams site, the user can easily see how each of these files is classified.

Based on the classification we also have protection and access control of these files.


The external user is able to open information classified and protected for Project Delta.


If he downloads these documents, the local copy will be protected and only accessible to Project Delta members.


The external user will also have access to default classified Business documents, but will be restricted from accessing information classified as Confidential or Secret that is protected for internal use only.



The Setup

In the background we have the following setup.


There is an Office 365 group that was created in the back end by default when the Project Delta Team was created.
This group also gives access to the same SharePoint site that is used for this Project Delta Team.


This group is then used to give access to information protected by the Project Delta label.


With this setup we support the project leader in following the business requirements.

Based on the site classification, he can create a Teams site that allows invites of external guests. He can also make sure that information for the Delta project is limited to the project members, which also include his invited guest. By classifying information as Confidential, Peter can choose whether the information should be available for Project Delta.



Peter can also classify information as Confidential and define that the information should be restricted to “Internal” users. This prevents all external guests from accessing any of this content.
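The access rules of this scenario can be written down as a small model that doubles as a drift check for guests who end up in sites that must not have them. This is an added example, not the author's configuration and not a Microsoft API: the group ids, user names, label names and the "Project Omega" site are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed model; group ids, UPNs and label names are assumptions.
GUESTS_ALLOWED = {"Confidential": True, "Secret": False}  # site classification

@dataclass
class User:
    upn: str
    is_guest: bool
    groups: set = field(default_factory=set)

@dataclass
class Label:
    name: str
    protected: bool = True
    allowed_groups: set = field(default_factory=set)  # groups the label grants rights to
    internal_only: bool = False

def can_open(user, label):
    """Access follows the file's label, also for a downloaded copy."""
    if not label.protected:
        return True                      # default Business documents: site access is enough
    if label.internal_only:
        return not user.is_guest         # protected for internal use only
    return bool(user.groups & label.allowed_groups)

def audit_sites(sites, users):
    """List (site, guest) pairs where a guest sits in a site that must not have guests."""
    findings = []
    for site in sites:
        if GUESTS_ALLOWED.get(site["classification"], False):  # unknown class: fail closed
            continue
        findings += [(site["name"], u.upn) for u in users
                     if u.is_guest and site["group"] in u.groups]
    return findings

DELTA, OMEGA = "grp-project-delta", "grp-project-omega"
peter = User("peter@contoso.example", False, {DELTA})
colleague = User("sara@contoso.example", False)
guest = User("anna@partner.example", True, {DELTA, OMEGA})   # OMEGA membership is drift
business = Label("Business", protected=False)
delta = Label("Confidential / Project Delta", allowed_groups={DELTA})
internal = Label("Confidential / Internal", internal_only=True)
sites = [{"name": "Project Delta", "classification": "Confidential", "group": DELTA},
         {"name": "Project Omega", "classification": "Secret", "group": OMEGA}]

if __name__ == "__main__":
    for lbl in (business, delta, internal):
        print(f"{guest.upn} -> {lbl.name}: {can_open(guest, lbl)}")
    print("guests in no-guest sites:", audit_sites(sites, [peter, colleague, guest]))
```

Note that an internal user outside the Project Delta group is also denied by the Project Delta label, which is the "only accessible for Project Delta members" behaviour described above.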


In the next article we are going to go through how we can support Project Delta in automatically identifying and protecting their information as soon as it is stored in Microsoft/Office 365. This is done with the recently released “Auto Classification”, which helps us act on data at rest in the cloud. Stay tuned!
