Microsoft Teams has become the preferred communication platform in many organizations. By default, Office 365 enables group creation for end users, which allows them to create public and private groups. Larger organizations usually disable group creation at the organization level and have users request a team through a request form, which is processed by a background automation process built on Azure Automation accounts, Microsoft Flow or similar mechanisms.
However, some organizations are keen to let users create Office 365 groups once their workloads have been migrated to Office 365. This is primarily to increase the adoption rate of Office 365 workloads such as Microsoft Teams and SharePoint Online.
The Office 365 Security and Compliance Center offers further options. By leveraging them we can better secure the Office 365 suite of products, which in turn covers data loss prevention, security compliance, information governance and threat management for the entire organization.
In this article we will look at the steps needed to notify a security administrator when an end user creates a new team from Microsoft Teams using the "Build a team from scratch" option.
Navigate to the Office 365 Security and Compliance Center, select Alerts, then New alert policy.
Give it a name, a description and a severity; usually this is Low or Medium, based on the security policy devised for Office 365 public groups. It is important to choose the category for better classification.
Select the activity type "Created group" from the options. There are options to add a condition for selected users, but in an ideal scenario it is better to target all users.
The security administrators responsible for reviewing these new group creation alerts can be added here.
Finally, review the settings and create the alert policy.
We can also view these settings via PowerShell by connecting to the Security and Compliance PowerShell session. There are a few parameters that can be used, for instance AlertBy, which is a multi-valued property.
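The same alert policy created and reviewed from Security and Compliance PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed, the account holds the Security Administrator role, and the placeholder account and recipient addresses are replaced; the Operation value used for the portal's "Created group" activity is an assumption and should be confirmed against an existing policy.

```powershell
# Added example: create and inspect the "new group created" alert policy
# from PowerShell instead of the portal.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'secadmin@contoso.com'   # placeholder account

$policyName = 'Alert - New Office 365 group created'            # constructed name

# Assumption: 'GroupCreated' is the Operation value behind the portal's
# "Created group" activity. If the cmdlet rejects it, read the Operation
# property of a policy created in the portal: (Get-ProtectionAlert).Operation
New-ProtectionAlert -Name $policyName `
    -Description 'Notify the SOC when an end user builds a team or group from scratch' `
    -Category AccessGovernance `
    -ThreatType Activity `
    -Operation GroupCreated `
    -AggregationType None `
    -Severity Low `
    -NotifyUser 'soc@contoso.com', 'secadmin@contoso.com'   # placeholder recipients

# Review what was stored (the PowerShell equivalent of the portal's review step).
Get-ProtectionAlert -Identity $policyName |
    Format-List Name, Category, ThreatType, Operation, Severity,
                AggregationType, AlertBy, NotifyUser, Disabled

# Validation: list recent group creations from the unified audit log so the
# SOC can confirm the alert fires for them. Search-UnifiedAuditLog runs in the
# Exchange Online session, hence the second connection.
Connect-ExchangeOnline -UserPrincipalName 'secadmin@contoso.com'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations 'Add group.' -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations
```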
Note: it may take up to a week for the baseline to be established for anomaly alerts. Until then, this alert will not be triggered.
We can use activity alerts to notify the security administrators or the SOC team so that they can monitor the events that the Office 365 organization's security guidelines classify as non-compliant.