Microsoft Teams

This section covers the following topics:

• Overview
• Licensing
• Requirements
• Configure Microsoft 365 Account
  • Generate Client ID and Tenant ID Key
  • Generate Client Secret Key
  • Grant API Access
• Set Up and Scan a Microsoft Teams Target
• Edit Microsoft Teams Target Path
• Unsupported Types and Folders in Microsoft Teams
• Microsoft Teams Remediation
• Users in Multiple Groups

Overview

When Microsoft Teams is added as a scan Target, ER2 returns the channel conversations and private chat messages for all Microsoft 365 groups, teams, and user accounts. You can select specific groups, teams, channel conversations or private chat messages sent by individual users when setting up the scan schedule. Each team for channel conversations and each group for private chats will be presented as a separate location for the Microsoft Teams Target.

You can also scan the private chat messages sent by all users in your organization's domain by selecting the Private Chats > "All Users" group as a scan location.

Example of Microsoft Teams structure: Microsoft Teams [domain: example.onmicrosoft.com] +- Microsoft Teams on target MS365:EXAMPLE.ONMICROSOFT.COM +- Channels +- Team A +- Channel 1 +- Channel 2 +- Team Engineering +- Channel 1 +- Channel 2 +- Private Chats +- Group All Users +- User A +- User B +- Group Engineering +- User B +- User C +- Group Design +- User D +- User E

Licensing

For Sitewide Licenses, all scanned Microsoft Teams Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Microsoft Teams Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Configure Microsoft 365 Account

For ER 2.8.0 and above, you will need to perform the following setup to scan Microsoft Teams Targets:

1. Generate Client ID and Tenant ID Key
2. Generate Client Secret Key
3. Grant API Access

Generate Client ID and Tenant ID Key

1. With your administrator account, log in to the Azure app registration portal.
2. In the App registrations page, click + New registration.

3. In the Register an application page, fill in the following fields:

   Field	Description
   Name	Enter a descriptive display name for ER2. For example, Enterprise Recon.
   Supported account types	Select Accounts in this organizational directory only.

4. Click Register. You will be redirected to the Overview page for the newly registered app, Enterprise Recon.

5. Take down the Application (client) ID and Directory (tenant) ID. This is required when you want to Set Up and Scan a Microsoft Teams Target.

   

Generate Client Secret Key

1. With your administrator account, log in to the Azure app registration portal.
2. In the App registrations page, go to the Owned applications tab. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
3. In the Manage panel, click Certificates & secrets.
4. In the Client secrets section, click + New client secret.

5. In the Add a client secret page, fill in the following fields:

   Field	Description
   Description	Enter a descriptive label for the Client Secret key.
   Expires	Select a validity period for the Client Secret key.

6. Click Add. The Value column will contain the Client Secret key.

   

7. Copy and save the Client Secret key to a secure location. This is required when you want to Set Up and Scan a Microsoft Teams Target.

   Save your Client Secret key in a secure location. You cannot access this Client Secret key once you navigate away from the page.

Grant API Access

To scan Microsoft Teams Targets, you will need to grant ER2 permissions to access specific resource APIs.

1. With your administrator account, log in to the Azure app registration portal.
2. In the App registrations page, go to the Owned applications tab. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
3. In the Manage panel, click API permissions.
4. In the Configured permissions section, click + Add a permission.
5. In the Request API permissions page, select Microsoft Graph > Application permissions.

6. Select the following permissions for the Enterprise Recon app:

   API Permissions	Description
   Group.Read.All User.Read.All Directory.Read.All ChannelMessage.Read.All Chat.Read.All	Required for probing and scanning Microsoft Teams Targets.

7. Click Add permissions.
8. In the Configured permissions page, click on Grant admin consent for <organization name>.
9. In the Grant admin consent confirmation dialog, click Yes. The Status column for all the newly added API permissions will be updated to "Granted for <organization name>".

Set Up and Scan a Microsoft Teams Target

This section describes how to set up Microsoft Teams Targets for ER 2.8.0 and above.

1. Configure Microsoft 365 Account.
2. From the New Scan page, Add Targets.
3. In the Select Target Type dialog box, select Microsoft 365 > Microsoft Teams.

4. Fill in the following details:

   

   Field	Description
   Teams Domain	Enter the Microsoft 365 domain to scan. Example: example.onmicrosoft.com Only accounts where the user principal name (UPN) shares the same domain as specified in the Teams Domain field will be scanned and/or listed when probing the Target. For example, if Teams Domain is set to example.onmicrosoft.com, user1@example2.onmicrosoft.com will not be scanned and/or listed when probing the Target even if the user belongs to a group in the example.onmicrosoft.com domain. To scan multiple domains within your organization's Microsoft 365 environment, add these domains as separate Microsoft Teams Targets.
   New Credential Label	Enter a descriptive label for the Microsoft Teams credential set. Example: m365-microsoftteams-exampledomain
   Client ID	Enter the Client ID. Example: clientid-1234-5678-abcd-6d05bf28c2bf See Generate Client ID and Tenant ID Key for more information.
   Client Secret Key	Enter the Client Secret key. Example: client~secret.key-CHvV1B5YQfr~6zDjEyv See Generate Client Secret Key for more information.
   Tenant ID	Enter the Tenant ID. Example: tenantid-1234-abcd-5678-02011df316f4 See Generate Client ID and Tenant ID Key for more information.
   Agent to act as proxy host	Select a Windows, Linux or macOS Proxy Agent host with direct Internet access.

5. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
6. Click Commit to add the Target.
7. Back in the New Scan page, locate the newly added Microsoft Teams Target and click on the arrow next to it to display a list of available Microsoft 365 groups for the domain.
8. Select the Target location(s) to scan:

   1. If "All Users" is selected, ER2 scans all user accounts in the Microsoft 365 domain.

      "All Users" is a default, non-configurable virtual group in ER2 that automatically includes all user accounts in the Microsoft 365 domain. If a similar "All Users" group pre-exists in your Microsoft 365 environment, we recommend that you change the display name for that group as it will be viewed as a duplicate group and will not be displayed in ER2.

   2. If only specific groups are selected, ER2 only scans the channel conversations or private chat messages sent from user accounts in the selected groups.

   For Microsoft Teams Target location paths that contain special characters (e.g. "#", "%", "&", etc…), probe the Target to add and scan the location.
9. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
10. Click Commit to add the Target.

11. (Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan.

12. Click Next.
13. On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.

14. On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.

15. Click Next.
16. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Edit Microsoft Teams Target Path

1. Set Up and Scan a Microsoft Teams Target.

2. In the Select Locations section, select your Microsoft Teams Target location and click Edit.

   For Microsoft Teams Target location paths that contain special characters (e.g. "#", "%", "&", etc…), probe the Target instead to add and scan the location.

3. In the Edit Microsoft Teams dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

   Channel / Chat to Scan	Path
   All channel conversations in a specific team	Syntax: c/<Team Display Name> Example: c/Engineering (SG)
   Specific channel conversation in a specific team	Syntax: c/<Team Display Name>/<Channel Name> Example: c/Engineering (SG)/Feature A
   All private chats messages sent from all users in a specific group	Syntax: p/<Group Display Name> Example: p/Engineering (SG)
   All private chats messages sent from a specific user in a specific group	Syntax: p/<Group Display Name>/<User Principal Name> Example: p/Engineering (SG)/userA@example.onmicrosoft.com
   All private chats messages sent from all users	Syntax: p/All Users Example: p/All Users

   If there are multiple Microsoft 365 groups with the same display name in your domain, ER2 will only retrieve the first group occurrence. For example, if there are three groups with the same display name, "Engineering", ER2 will only probe, scan and return results for the first "Engineering" group for the Microsoft Teams Target.
4. Click Test and then Commit to save the path to the Target location.

Unsupported Types and Folders in Microsoft Teams

ER2 does not support the following types and folders for the Microsoft Teams Target:

• Calendar. To scan the Calendar folder, set up and scan the Exchange Online Target instead.
• Contacts. To scan the Contacts folder, set up and scan the Exchange Online Target instead.
• Attachments (e.g. files, videos etc…) sent in channel conversations and private chat messages. To scan these attachments, set up and scan the OneDrive Business or SharePoint Online Target instead.
• (Calls) History.

Microsoft Teams Remediation

The following remediation actions are supported for Microsoft Teams Targets:

• Mark Locations for Compliance Report
• PRO Delegated Remediation

Users in Multiple Groups

This section describes the behavior of users that are members of multiple groups for the Microsoft Teams Target.

License Consumption

A private chat message sent from a user account that belongs to multiple groups

• is scanned each time a group the user belongs to is scanned.
• consumes only 1x data allowance usage regardless of how many times it is scanned as part of different groups.

Scan Results

Matches that are found in private chat messages sent by users that belong to multiple groups will be reported as a distinct match count for each group.

Take for example a simplified Microsoft Teams Target for the domain "example.onmicrosoft.com" below:

EXAMPLE.ONMICROSOFT.COM 55 matches +– Engineering 30 matches +– UserA 10 matches +– UserB 20 matches +– Design 25 matches +– UserA 10 matches +– UserC 15 matches

Matches found in private chat messages sent by "UserA" will be included in the match count for both Engineering and Design groups.

PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.