How Microsoft Teams is handling Security and Privacy
Over the past week, there has been a lot written about video conferencing, privacy, and security. As an IT professional, you may be getting a lot of questions. We want to help. Privacy and security are always top of mind for IT, but never more so than at this moment, when the end users you support are working remotely. Recently, we shared best practices for enabling remote work and security. Today, we’d like to outline our approach to privacy and security in Microsoft Teams. Here is our commitment to you.
We provide privacy and security controls for video conferences in Teams
- Meeting options: With meeting options, you can decide who from outside of your organization can join your meetings directly, and who should wait in the lobby for someone to let them in. PSTN callers join via the lobby. Meeting organizers can also remove participants during the meeting.
- Roles in a meeting: A meeting organizer can define roles in a Teams meeting that designate “presenters” and “attendees,” and control which meeting participants are allowed to present content in the meeting.
- Attendee consent for recording: All recordings of meetings are accompanied by a notice to attendees that a recording is taking place. The notice also links to the privacy notice for online participants, and the meeting organizer controls which attendees have the ability to record.
- Meeting recording access: Meeting recording access is limited to those people who are on the call, or invited to the meeting, unless the meeting organizer authorizes others to access the recording. Recordings are uploaded to Microsoft Stream and may be shared and downloaded according to permissions enabled by account administrators.
- Channel moderation and controls: Channel owners can moderate a channel conversation and control who is, and is not, allowed to share content in channel conversations. This helps ensure only appropriate content is viewed by others.
- Communication compliance: Communication compliance enables organizations to foster a culture of inclusion and safety by identifying and preventing negative behaviors like bullying and harassment.
We safeguard your privacy by design
When you use Teams, you are entrusting us with one of your most valuable assets—your data and personal information. Our approach to privacy is grounded in our commitment to giving you transparency over the collection, use, and distribution of your data. Far from an afterthought, privacy is deeply ingrained in our company philosophy and how we build products. Here are a few of our key privacy commitments to you.
- We never use your data to serve you ads.
- We do not track participant attention or multitasking in Teams meetings.
- Your data is deleted after the termination or expiration of your subscription.
- We take strong measures to ensure access to your data is restricted and carefully define requirements for responding to government requests for data.
- You can access your own customer data at any time and for any reason.
- We offer regular transparency reports on the Transparency Hub, detailing how we have responded to third-party requests for data.
- We have taken steps to ensure that there are no back doors and no direct or unfettered government access to your data.
We protect your identity and account information
- Multi-factor authentication (MFA): Multi-factor authentication requires users to provide additional forms of verification to prove their identity, helping protect their accounts from attacks that take advantage of weak or stolen passwords.
- Conditional Access: Conditional Access allows you to set risk-based policies for access based on user context, device health, location, and more.
- Microsoft Endpoint Manager: Microsoft Endpoint Manager allows you to manage devices and apps and enforce Conditional Access on any device.
- Secure guest access: Secure guest access allows users to collaborate with individuals outside their organization while still controlling their access to organizational data.
- External access: External access provides an authenticated connection to another organization, enabling collaboration between organizations.
We protect your data and defend against cybersecurity threats
- Encryption: Teams data is encrypted in transit and at rest. Microsoft uses industry-standard technologies such as TLS and SRTP to encrypt all data in transit between users’ devices and Microsoft datacenters, and between Microsoft datacenters. This includes messages, files, meetings, and other content. Enterprise data is also encrypted at rest in Microsoft datacenters, in a way that allows organizations to decrypt content if needed to meet their security and compliance obligations, such as eDiscovery.
- Data Loss Prevention: Data Loss Prevention prevents sensitive information from accidentally being shared with others.
- Sensitivity labels: Sensitivity labels allow you to regulate who can access a team by controlling the privacy and guest settings of the team.
- Advanced Threat Protection: Advanced Threat Protection helps protect users from malicious software hidden in files, including files stored in OneDrive or SharePoint.
- Cloud App Security: Cloud App Security provides you with tools to identify and mitigate suspicious or malicious activity, including the large-scale deletion of teams or addition of unauthorized users.
We meet more than 90 regulatory and industry standards
- Compliance and regulatory standards: To comply with global, national, regional, and industry-specific regulations, Teams supports more than 90 regulatory standards and laws, including HIPAA, GDPR, FedRAMP, SOC, and the Family Educational Rights and Privacy Act (FERPA) for the security of students and children.
- Information barriers: Information barriers allow you to control communication between users and groups in Teams to protect business information in cases of conflict of interest or policy.
- eDiscovery, legal hold, audit log, and content search: eDiscovery and related features allow you to easily identify, hold, and manage information that may be relevant in legal cases.
- Retention policies: Retention policies allow you to manage content in the organization by deleting or preserving information to meet organizational policies, industry regulations, and legal requirements.
We recognize that security, compliance, and privacy have never been more important. From schools and universities taking learning online to enterprise organizations moving to remote work on Teams, we’re committed to continuing to learn and get better each day as we strive to help you keep your organization productive and secure. Our approach to these important issues is designed to give you the control and manageability you need to have peace of mind in this challenging moment and beyond. Please visit the Microsoft Trust Center to learn more.