Data Loss Prevention (DLP): Block External Sharing of Teams Recordings


02 December, 2021

People are gradually getting back to their offices, and meetings have started to take place in person again. During the lockdown period, though, you probably held many meetings in which confidential matters were discussed. What if those recordings ever leak and fall into the wrong hands? What if they reach your competitors, who then use the sensitive information to move ahead of you?

You need to have a policy set in place which blocks external sharing of data and prevents data leaks. This is where something like DLP comes into play.

 

Earlier:

Microsoft Stream, launched in 2017, was where all Teams recordings were stored as soon as a meeting ended. At Ignite 2020, Microsoft announced that tenants could opt to use OneDrive to store new recordings. Three months later, it announced that all recordings would be stored in OneDrive unless the organization chose to continue using Stream. In August 2021, all tenants were switched: new Teams meeting recordings are now stored in OneDrive even if the organization's setting is Stream.

All recordings will now be explicitly stored in OneDrive for Business and SharePoint Online. As for the Microsoft Stream links, the links will be completely redirected to OneDrive and SharePoint Online.

 

Why did Microsoft move from Stream to OneDrive?

The whole idea behind Microsoft is to make everyday work seamless. Stream was created so that users could create, upload, view, store, and manage video files. The issue with Microsoft Stream was that it did not integrate well with the other M365 apps, and its videos were stored separately from them.

 

Now, what can you do to ensure that the Teams Recording stays within the organization and isn’t shared externally?

This is where Data Loss Prevention (DLP) comes into play.

 

What is DLP and how exactly does it work?

DLP detects sensitive information through deep content analysis. Even while the analysis is going on, it won’t affect the work of the people who are currently working on the content. In short, it protects confidential, sensitive data to reduce inadvertent risks and prevents users from sharing data and files with people who shouldn’t be having it. DLP Policies are stored and synced to OneDrive for Business, Exchange Online, SharePoint Online Sites etc. Once synchronized, it can block sharing of data and Teams recordings (in this scenario) with people outside the organization.

When creating a policy, choose the locations it applies to, then create rules whose conditions are defined in terms of sensitive info types. For each rule you can then choose an action, such as encrypting the file, removing it, etc.

 

How to build a DLP Policy to prevent sharing of Microsoft Teams Recordings

The rule looks for any file with the property value ProgId:Media.Meeting that is shared with someone outside the organization. The rule action blocks sharing the data or file with people external to the organization. The image below shows what the rule conditions look like. Optionally, the rule can allow users to override the block by supplying a justification that explains why they need to share a recording with an external person.

# Connect to Teams and update the meeting policy
$O365Cred = Get-Credential   # prompt for an account that can manage Teams policies
Connect-MicrosoftTeams -Credential $O365Cred

# Update the Teams meeting policy for US employees so that their meeting recordings are stored in OneDrive
Set-CsTeamsMeetingPolicy -Identity "U.S. Region Workers" -RecordingStorageMode OneDriveForBusiness

 

 

A step-by-step walkthrough

  • Navigate to the M365 compliance centre at https://compliance.microsoft.com/homepage
  • Go to Data Loss Prevention on the left-hand side
  • Then, under Data Loss Prevention, create a policy
  • We use a custom policy here, but one can also use templates.
  • Add a name and description
  • Specify the locations we want to control. In this case, select the SharePoint site and OneDrive account and the location of the particular path.
  • Define the policy settings
  • Create rules
  • If the user ignores the warning and tries to share the recording anyway, they won’t be able to, because OneDrive for Business blocks the attempt to create and send a sharing link
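
The same policy and rule can be created from Security & Compliance PowerShell instead of the portal. The script below is an added example, not part of the original walkthrough. It assumes the ExchangeOnlineManagement module is installed, uses placeholder policy and rule names, applies to all SharePoint and OneDrive locations rather than one selected site, and starts the policy in test mode before enforcing it.

```powershell
# Added example: policy and rule names are placeholders, not values from the post.
$PolicyName = 'Block external sharing of Teams recordings'
$RuleName   = 'Block external sharing - Media.Meeting'

# Connect to Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession

# Policy scoped to SharePoint Online and OneDrive for Business, where Teams
# recordings are stored. Assumption: all sites and accounts; narrow as needed.
# Test mode lets you review matches before anything is blocked.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Prevents Teams meeting recordings from being shared externally' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule condition: the file carries the ProgId:Media.Meeting property AND is
# shared with someone outside the organization.
# Rule action: block access for external users (BlockAccessScope PerUser).
# NotifyAllowOverride is the optional override with justification; omit that
# parameter if no override should be possible.
New-DlpComplianceRule -Name $RuleName `
    -Policy $PolicyName `
    -ContentPropertyContainsWords 'ProgId:Media.Meeting' `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification

# After reviewing the test-mode matches, switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable

# Confirm the mode and check whether the policy has been distributed to the
# workloads yet.
Get-DlpCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus
```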

 

Once you’ve created the DLP policy, it’ll take up to an hour for it to come into effect. Also keep in mind that once a meeting has ended and a recording is created, it’ll take a few minutes for the new file to get encrypted. If somebody shares the file with an external party before the encryption is in place, that party can view it, but as soon as the block is in place, the previously shared link is nullified.

 

Pros and cons

Pros

  • Provides more visibility into and greater control over data exchanges
  • Enforces authorization procedures before sensitive data can be accessed
  • You can’t copy/download and send

Cons

  • Deploying a DLP policy takes a lot of time and effort
  • You need to keep an inventory of all data
  • Requires precise data flow policies
  • You need to audit the access levels of each user within your organization

 

 
