How will Organizations Handle Compliance and Backup for Teams Shared Channels?
Teams customers are naturally very excited by the imminent arrival of the shared channel feature in public preview in March. Nice as it will be to be able to implement federated collaboration with your favorite tenants (Figure 1), the introduction of major new functionality in an application comes with its own administrative challenges.
Figure 1: Conversations in a Teams shared channel
Take the subject of compliance. Microsoft says that all the Microsoft 365 compliance technologies like Data Loss Prevention, retention policies, and communications compliance work with shared channels. Microsoft’s assertion is accurate and it’s all possible because compliance occurs within the tenant which owns a shared channel. In other words, all processing happens within the home tenant and all data created and used within the shared channel remains in that tenant.
Keeping and managing data within the home tenant is analogous to how Teams handles compliance for data generated by guest users in regular and private channels, but I’ve heard some people assume that the federated arrangement between tenants based on Azure AD B2B Connect cross-tenant policies means that data is shared between tenants, or perhaps that Teams would create copies of data in both tenants.
Duplication Possible But Not Feasible
From a technical perspective, the Microsoft 365 substrate could duplicate data in the tenants involved in a shared channel. Duplication would be straightforward for Teams messages but would become increasingly messy as other workloads and applications become involved with a shared channel. For instance, the substrate could create a duplicate SharePoint site for each tenant and then synchronize documents and lists as users work on them. However, how would sharing work? Or information protection? And do you really want copies of confidential documents to end up in other tenants?
Time and engineering talent could work through and solve the problems. However, I think it is wise of Microsoft to adopt the keep it simple principle from the start and say that a shared channel has one set of data which remains and is managed on the host tenant.
Cloud-Only Mailboxes for Shared Channels
An interesting aspect of the shared channel implementation is the use of a cloud-only mailbox (aka “shard mailbox”) to hold data used by the channel such as calendar items and compliance records. Regular channels store this information in a group mailbox, while private channels don’t have a calendar and store their compliance records in the personal mailboxes of channel members. Microsoft knows that cloud-only mailboxes work well for compliance because this is how they retain data for hybrid and guest users. A big advantage of the implementation is that Microsoft doesn’t have to create special retention processing for shared channels like they had to do for private channels. Normal Teams retention policies already handle the compliance records for hybrid and guest accounts. Now they’ll handle those for shared channels.
Keeping compliance processing to a single tenant certainly simplifies matters, even if compliance managers need to think through how they can manage the activities of their users in other tenants. The obvious answer is to agree a means to co-operate with other tenants when federated conversations need to be investigated. It will be interesting to see how things develop in this area.
Using cloud-only mailboxes for shared channels comes with a downside. Normal administrative and client interfaces have no access to these mailboxes. This might not seem a big thing if compliance processing like eDiscovery searches can find the information in those mailboxes (which they can). The issue arises when applications attempt to use public APIs to access shared channel data for purposes like backups or tenant-to-tenant migrations.
The Teams Backup Challenge
Teams is already the most challenging Microsoft 365 application to back up. The lack of a Microsoft backup API for Teams messages and the degree of integration between Teams and other Microsoft 365 applications like Planner mean that backup ISVs have been forced to use techniques like copying compliance records from Exchange Online. This approach certainly copies compliance records. The problem comes when attempting to restore the data.
Microsoft has a beta Teams messaging API which backup and tenant-to-tenant vendors use. The restoration of data copied from channel conversations ends up as new messages containing the original topic and all its replies posted into a target channel. Even if this isn’t a perfect representation of the original data, it can be good enough (depending on your need). Chat messages have always been a challenge because the beta API didn’t handle them.
Hope might be on the horizon in the form of the Teams Export APIs. Generally available since October 1, the new APIs seem to offer everything that a backup ISV might need to copy Teams chat and channel messages. Of course, restoring the messages is another day’s work and includes issues like fixing up cross-tenant access policies and the roster of channel membership.
The Export API can handle regular and private channels today. Microsoft hasn’t said if the Export API will be able to handle shared channels. It’s a fair assumption that this capability will be available, but there’s no information about when this might happen. And even when such a capability becomes viable, there’s still the issue of the consumption charging model Microsoft uses for the API. Microsoft has provided some guidelines for how the charging will work when exporting Teams messages using the Export API, but those guidelines need to be worked out into charging patterns for different kinds of tenants, including those with heavy, moderate, and light volumes of Teams messaging.
It’s difficult for backup vendors to have discussions with potential customers when a product has a dependency on an API with such a charging model. I suspect Microsoft will let customers use the Teams Export APIs free of charge for a period to gather data and figure out an acceptable charging regime. When that’s done, tenants will likely pay for the backup transactions they consume using an Azure subscription.
Shared channels are a nice step forward for cross-tenant collaboration. Like all technology, their implementation and management will require new APIs and techniques. The learning continues!
You mentioned DLP policies, but what about Sensitivity Labels, do you know how those will interact with shared channels?
Sensitivity labels apply to shared channels in the same way as they do to private channels: settings are inherited from the host team.