A Nice Idea, But Think Before You Enable the Policy
I’m sure many who read message center notification MC244891 (17 March) about a new Teams DLP policy recommendation widget didn’t think twice about the post. It’s just another recommendation made by Microsoft when an administrator goes to the Compliance Center to do something. Most of the time, these recommendations are candidates for quick dismissal because you want to do something else. Occasionally, they are helpful.
In this case, roadmap item 70731 tells us that the widget detects when an organization is using Teams but isn’t using DLP polices. When this happens, the widget helpfully suggests that it can create a pre-packaged Teams DLP policy to protect a range of personal (PII) and financial data sent in Teams chat and channel conversations (Figure 1). The usual types of sensitive data that people usually worry about are protected: credit card numbers, SSNs, passport numbers, and so on.
If the recommendation to turn on the policy is accepted, the widget creates the DLP policy. Administrators can tailor the new DLP policy to meet organizational requirements before activating the policy. For instance, they could add some more sensitive information types to the policy (over 200 standard types are available), including custom types defined by the organization.
The widget is rolling out now and deployment is due to complete in mid-April. Tenants like mine with Teams DLP policies already active won’t see the widget.
The Downside
It’s a good idea to help customers to protect sensitive data. Certainly, the chatty nature of Teams lends itself to an informality which is sometimes not present in other communications, and it’s possible that this might result in some people rushing to send credit card or passport numbers to each other. If this is true in your organization, the pre-packaged Teams DLP policy will stop these bad habits dead.
However, the downside is that Teams is an outlier when it comes to DLP licensing. Unlike Exchange Online and SharePoint Online, both of which support DLP policies with Office 365 E3 licenses, Teams software licensing demands Office 365 E5. It’s an example of how confusing the rules governing Microsoft 365 licensing can be for customers to navigate.
In any case, if you decide to accept Microsoft’s recommendation to create the Teams DLP policy, remember that you’re incurring the requirement to have the appropriate licenses for every user covered by the policy.
The Office 365 for IT Pros eBook team think about the upsides and downsides of details within the ecosystem. It’s the reason why the updates for our book are so worthwhile.
Totally agree, it’s disappointing and – sorry – stupid and inconsistent idea.