Let's say your organization needs to know who has access to data in Microsoft Teams with Microsoft Development Services. Maybe it's part of an important security audit or maybe it's just a routine process to prevent security issues.
You may be tempted to just look at members of any Teams team, assuming you have a managed Teams provisioning process. However, as Microsoft states in its documentation on file sharing in Microsoft Teams:
“When users share a file from Teams, they can define who can access the file, just like they do in Microsoft 365. They can give access to all users, people in your organization, people with access or to specific people (which can include people in a one-to-one chat, group chat, or channel).”
This means that the members of a team ARE NOT the same as those who have access to a document hosted in this team.
Sharing in Microsoft 365 is easy and can be done in many ways! This facilitates collaboration but also creates “phantom users” who have explicit access to files and content without being “members” or “owners” of workspaces.
Although it is difficult to get an overview of this access, it is the only way to know exactly who has access to your content or who can access it via an anonymous link that can be shared with many users.
It is possible to search the links themselves and find out who accessed the content through the link, but there is no way of knowing who can access a document from where the link was posted or shared once it has been created.
Microsoft Insights
To get a clear idea of who can access specific files, you should run a permissions report through PowerShell. This is the only convenient native way to generate detailed permissions information in Microsoft 365.
The PowerShell report will provide data on which users and groups have explicit ownership and permissions for which content in Microsoft 365. However, extracting actionable insights from the resulting Excel spreadsheet will likely be difficult. Permissions reports for midsize companies typically have tens of thousands of rows. Additionally, the report will detail the permissions on each piece of content in Microsoft 365. How can you access the subset you really care about?
Now imagine that you want to reverse this analysis and determine all the content that a particular user can access. Unfortunately, PowerShell Permissions Reports aren't a very effective tool for this type of analysis, as they require you to aggregate data into multiple reports.
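The reverse analysis described above, sketched as an added example (not code from the original article or from Microsoft): item-centric report rows from several exports are merged and pivoted into one record per principal, optionally limited to a single folder. The CSV column names, the sample rows, and the helper name `Get-AccessByPrincipal` are assumptions made for illustration.

```powershell
# Constructed sample rows standing in for two separate permissions report exports.
# The column names are assumptions; map them to the columns your report produces.
$reportA = @'
Site,ObjectUrl,Principal,Permission
Legal,/sites/legal/Shared Documents/Case-42,Legal Team Members,Edit
Legal,/sites/legal/Shared Documents/Case-42/brief.docx,jdoe_lawfirm.example#EXT#@contoso.onmicrosoft.com,Edit
Legal,/sites/legal/Shared Documents/Case-42/exhibits.xlsx,jdoe_lawfirm.example#EXT#@contoso.onmicrosoft.com,Read
'@ | ConvertFrom-Csv

$reportB = @'
Site,ObjectUrl,Principal,Permission
Finance,/sites/finance/Shared Documents/Q3/forecast.xlsx,jdoe_lawfirm.example#EXT#@contoso.onmicrosoft.com,Read
Finance,/sites/finance/Shared Documents/Q3/forecast.xlsx,alice@contoso.com,Full Control
'@ | ConvertFrom-Csv

# Hypothetical helper: pivot item-centric rows into one record per principal.
function Get-AccessByPrincipal {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string] $FolderPrefix = ''          # optional: limit to one folder and its children
    )
    $prefix = $FolderPrefix.TrimEnd('/')
    $Rows |
        Where-Object {
            -not $prefix -or $_.ObjectUrl -eq $prefix -or
            $_.ObjectUrl.StartsWith("$prefix/", [StringComparison]::OrdinalIgnoreCase)
        } |
        Group-Object -Property Principal |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.Name
                # Azure AD guest accounts carry #EXT# in their user principal name
                IsGuest   = $_.Name -like '*#EXT#*'
                CanModify = [bool]($_.Group | Where-Object Permission -in 'Edit', 'Full Control')
                Items     = @($_.Group.ObjectUrl | Sort-Object -Unique)
            }
        }
}

$rows = @($reportA) + @($reportB)

# Reverse view: everything each guest can reach across both reports
Get-AccessByPrincipal -Rows $rows | Where-Object IsGuest | Format-List

# Folder view: which guests hold permissions under one folder
Get-AccessByPrincipal -Rows $rows -FolderPrefix '/sites/legal/Shared Documents/Case-42' |
    Where-Object IsGuest | Select-Object Principal, CanModify, Items
```

Rows that grant access to a group (such as the constructed "Legal Team Members" entry) still need the group's membership expanded before the per-user view is complete.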
For an in-depth look at managing guest users and external sharing in Microsoft Teams, we recommend reading our eBook on the subject. But at a high level, it's quite easy to see guest users in your Azure AD admin center.
It's the next part that is difficult. Let's say a supervisor wants to know which guest users have access to a particular folder. Using information painstakingly obtained from PowerShell permissions reports, you determine that guest users have explicit permissions to read and modify certain files in this folder. The line manager says, "Oops, let's revoke those clearances." With just a few clicks, you update the permissions.
But wait: without understanding the context surrounding this guest user access, you may have just made a decision that will hinder collaboration on an ongoing project.
In order to identify the type of control needed (and its location), you will need to answer these important questions:
Who requested guest access in the first place?
Does the guest still need access?
Does the guest have access to sensitive content?
Guest users may be outside attorneys who have been granted access by your general counsel to discuss an ongoing legal matter. This matter will be settled in a week, but until then it is essential that they can access the appropriate documents. This additional information provides critical context that paints a more complete picture of your data and can help you identify and prioritize hotspots of exposure.