McAfee MVISION Cloud

About MVISION Cloud for Microsoft Teams

McAfee MVISION Cloud for Microsoft Teams allows Security Operations Center (SOC) Admins to monitor user activity in Teams, enforce DLP policies to make sure that sensitive data that violates regulatory and internal compliance policies is not posted in messages or files, and review threats detected by the MVISION Cloud User and Entity Behavior Analytics (UEBA) and machine learning algorithms. For information about how to enable Microsoft Teams in MVISION Cloud, see Configure MVISION Cloud for Microsoft Teams.

Using DLP policies, you can extend MVISION Cloud protection to Teams in several ways:

  • Enforce DLP policies in all Teams channels (including the Chat application).
  • Monitor messages posted in Teams channels and 1:1/1:many chat conversations (including messages to and from guest users) to make sure confidential data is not shared with unauthorized external parties.
  • Monitor files uploaded in Teams to enforce DLP policies.
  • Allow/Block access based on managed or unmanaged devices, trusted location, and more.
  • Monitor several types of user and administrative activities performed in Teams to identify anomalous behavior by using machine learning.
  • Make sure guest users only join specific Teams that allow guest user communication from authorized domains.

Supported DLP Policy Rule Types

  • Content/Metadata-only Policies. File Name, File Type, File Path, File Size, Classification - Supported with McAfee Classification, Data Identifier, Keyword, Regular Expression, Structured Data Fingerprint, and Unstructured Data Fingerprint  
  • Content-aware-Collaboration Policies. 'Collaboration - Folder/File Collaboration' rule with Data Identifier, Keyword, and Regular Expression rules. Content-aware collaboration is supported only for sensitive messages posted in channels with guest members. Guest members are identified according to the emails and domains specified in the 'to' field of the Folder/File Collaboration rule.

NOTE: Content-aware collaboration (as described above) is supported for messages posted in Teams channels and for messages posted in 1:1 or 1:many user chats in the Chat app. It is also supported for files uploaded in Teams. Also note that Chat logs are stored in OneDrive, not SharePoint.
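A simplified model of the content-aware collaboration rule described above, as an added example (not MVISION Cloud code or its API): a message is flagged only when it matches the rule's regular expression and the channel has a member whose email or domain appears in the 'to' field. The class and function names, the sample pattern and addresses, and the exact-match domain comparison are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class CollaborationRule:          # hypothetical name, not a product object
    pattern: re.Pattern           # the Regular Expression rule
    to: tuple                     # emails or domains from the rule's 'to' field

def matching_guests(rule, members):
    """Members whose full address or exact domain is listed in rule.to."""
    entries = {e.lower() for e in rule.to}
    hits = []
    for addr in (m.lower() for m in members):
        domain = addr.rsplit("@", 1)[-1]
        # Exact comparison (assumption): a suffix test such as endswith()
        # would wrongly treat notpartner.example as partner.example.
        if addr in entries or domain in entries:
            hits.append(addr)
    return hits

def evaluate(rule, message, members):
    """Flag a message only if it has sensitive content AND a listed guest."""
    if not rule.pattern.search(message):
        return {"violation": False, "reason": "no sensitive content"}
    guests = matching_guests(rule, members)
    if not guests:
        return {"violation": False, "reason": "no listed guest in channel"}
    return {"violation": True, "reason": "sensitive content visible to guest",
            "guests": guests}

# Constructed sample data: a made-up project-code pattern and addresses.
RULE = CollaborationRule(re.compile(r"\bPRJ-\d{6}\b"),
                         ("partner.example", "auditor@vendor.example"))
MESSAGE = "Draft budget for PRJ-123456 is attached."

if __name__ == "__main__":
    for members in (["alice@corp.example", "Bob@partner.example"],
                    ["alice@corp.example", "eve@notpartner.example"]):
        print(members, "->", evaluate(RULE, MESSAGE, members))
```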

Supported External User Communication in Teams

In Microsoft Teams, there are two types of users that are not considered internal:

  1. Guest users. Guest users are external users added as guests in an organization's Azure AD (Office 365). This type of guest user can be added to any team; other users can initiate a chat conversation involving this guest user. 
    • By default in new Teams tenants, Guest Access is disabled and must be enabled.
  2. External users. These users are not added as guests to an organization's Office 365 account. MVISION Cloud has only partial support for this use case.

    • External access lets your Teams and Skype for Business users communicate with other users that are outside of your organization. By default, your organization can communicate with all external domains. If you add blocked domains, all other domains will be allowed; if you add allowed domains, all other domains will be blocked.

 

| Channel Type | Policy Type | External User Type | Supported |
|---|---|---|---|
| Regular channel in a team | Content/Metadata-only Policies | Guest | Yes |
| Regular channel in a team | Content-aware-Collaboration Policies | Guest | Yes |
| Regular channel in a team | Content/Metadata-only Policies | External | No |
| Regular channel in a team | Content-aware-Collaboration Policies | External | No |
| 1:1 or 1:many chats | Content/Metadata-only Policies | Guest | Yes |
| 1:1 or 1:many chats | Content-aware-Collaboration Policies | Guest | Yes |
| 1:1 or 1:many (group) chats | Content/Metadata-only Policies | External | Partial Support* |
| 1:1 or 1:many chats | Content-aware-Collaboration Policies | External | Partial Support* |

* If a chat conversation / thread is initiated by an internal user with any external user, then this conversation can be monitored by MVISION Cloud for DLP. If the thread is initiated by the external user, MVISION Cloud doesn't have visibility into the chat messages as Teams APIs do not notify MVISION Cloud for these messages. 

DLP Policy Response Actions

Unless specified, the following Response Actions can be used for both messages and files posted in Teams:

  • Send Email Notification
  • User Email Notification
  • Delete
  • Quarantine (supported only for files posted with a message)
  • Modify permission to None (to remove guest user)

NOTE: Currently, you cannot customize the tombstone message displayed to users when a message is deleted. This will be supported in a future release.

 
