Learn how to configure the Scope section for personal chats in Microsoft Teams policy.
To monitor chat messages between individual users for sensitive data, you must first configure the Directory Sync feature for your Azure Entra account. This configuration gives Nightfall access to the list of users in your Azure account, which allows Nightfall to monitor the messages sent between users.
To monitor Chats, you must perform the following.
Configure the Directory Sync feature. Refer to this document.
Once you complete the configuration, you must perform the steps mentioned in the Monitoring Chats section of this document.
To Monitor Chat messages:
Enable the toggle switch, if not enabled.
Click Add Tenant and select the tenant to be monitored.
The Add Tenant button is displayed only if your organization has registered multiple M365 tenants with Nightfall. If your organization has registered a single M365 tenant, the tenant is selected by default and you will not see the Add Tenant button.
In the above image, you can see that the first two tenants are greyed out. This implies that the Directory Sync is not configured for these tenants. In such tenants, you can only monitor messages sent in groups and not messages sent between individual users.
For the selected tenant, you must select the users to be monitored. You can choose to monitor all the users in the tenant, or only specific users or groups of users.
When you select the Specific user(s) & group(s) option, two new drop-down menus are displayed. These menus allow you to select specific users or groups of users to be monitored.
When you choose to monitor all the users, you may also choose a specific list of users or groups of users to exclude from monitoring. This is an optional configuration and you can skip it if you wish to monitor all the users.
To exclude specific users and groups, select the users or groups in the exclusion section.
The Exclusion section is not applicable if you select the Specific user(s) & group(s) option in the Inclusion section.
Acme Corp wishes to monitor the messages exchanged between all the users. They configure the Directory Sync for their MS Entra account and select the All users option in the inclusion section. However, they realize that there is an internal group in which users share dummy API keys, passwords, and credit card details for testing. This group is called the Test group. To avoid false positive alerts, Acme Corp excludes the Test group from monitoring by selecting it in the exclusion section.
This document explains the process to configure the Scope section for messages sent in various groups of MS Teams.
To configure the Scope:
Enable the toggle switch for Teams.
Click + Add Tenant and select the tenant.
Once you select the tenant, you must select which Teams and Channels of the selected tenant must be monitored by Nightfall. This selection can be done in the Include in monitoring section.
To learn more about Teams and Channels in MS Teams, you can refer to this Microsoft documentation.
Click the All teams radio button to monitor all the teams. This option monitors all the existing Teams present under the selected tenant. Additionally, any Team(s) created in the future will also be automatically included for monitoring.
(applicable only if you did not execute step 1) Click the Specific team(s) radio button to select the specific team(s) to be monitored.
Once you select the Specific team(s) option, a new field Teams comes up. This field allows you to select the required teams by selecting the name of the team, as shown in the following image.
The Group of Teams option allows you to select a set of Teams by entering a text string that may partially match a Team name. You can navigate to this site to generate a regular expression pattern. The supported substring match operations are as follows.
Starts With: Use this option to enter a text string which should match the start of a Team's name.
Ends With: Use this option to enter a text string which should match the end of a Team's name.
Contains: Use this option to enter a text string which should match a part of a Team's name.
Example Scenario for Patterns
Let's consider that some of the teams in your MS Teams tenant also have external stakeholders (people who are not part of your organization). Teams with external stakeholders are named ext-dev, ext-cs, ext-qa, and so on. To monitor all the external teams, you can select the Starts With option and enter the substring ext-.
Similarly, if the names of all the teams that have external stakeholders end with the word ext (dev-ext, qa-ext, cs-ext), you can select the Ends With option and enter the -ext substring.
Similarly, if you have used the word ext anywhere in the team name, you can select the Contains option and enter the substring ext.
Once you select the required teams, you must now select the channels of the selected team, to be monitored. Nightfall provides you with the following options to select the channel.
Private Channels: This option monitors all the private channels of the selected team(s).
Public Channels: This option monitors all the public channels of the selected team(s).
Shared Channels: This option monitors all the shared channels of the selected team(s).
The Exclusion section allows you to exclude certain channels from being monitored. You can enter a text string that should be present in the channel name that needs to be excluded.
This section is optional and you can skip it. You must configure this section only if you wish to exclude certain channels from being monitored.
To use the exclusion section, click Create a new Exclusion Rule and select Channel Exclusion. You can navigate to this site to generate a regular expression pattern.
Channel Exclusion: This field allows you to enter a string that should be present in the Channel name for channels to be excluded from being monitored. The various options are as follows.
Starts With: Use this option to enter a string that should be present at the start of the Channel name.
Ends With: Use this option to enter a string that should be present at the end of the Channel name.
Contains: Use this option to enter a string that should be present in the Channel name.
Consider that you wish to monitor all the channels in your MS Teams. However, there are a few test channels that were created internally just for testing and you wish to exclude these test channels. There are many test channels, and more test channels may be created in the future. Manually adding each newly created test channel to the exclusion list would be cumbersome.
Instead, you can use the Channel Exclusion option, select the Contains option and enter the text string "test".
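A substring rule matches every name that carries the string, so it is worth dry-running the Starts With / Ends With / Contains choices from the Teams and Channel Exclusion scenarios above against an inventory of names before saving the policy. The following is an added example, not Nightfall code: the function names and the inventory are hypothetical, and case-insensitive matching is an assumption, since this page does not state how letter case is handled.

```python
import re

# Match operations named on this page. Case-insensitive comparison is an
# assumption; the page does not say how the product treats letter case.
OPS = {
    "starts_with": lambda name, s: name.startswith(s),
    "ends_with": lambda name, s: name.endswith(s),
    "contains": lambda name, s: s in name,
}

def matches(name, op, text):
    return OPS[op](name.lower(), text.lower())

def is_whole_token(name, text):
    """True when text is a delimited word in name, e.g. 'test' in 'qa-test'."""
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    return text.lower().strip("-_ ") in tokens

def preview(inventory, team_rule, exclusion_rule):
    """Dry-run a team inclusion rule and a channel exclusion rule.

    inventory maps team name -> list of channel names. Returns
    (monitored, excluded, review); review holds excluded channels where the
    string matched only inside a longer word, so the match may be unintended.
    """
    monitored, excluded, review = [], [], []
    for team, channels in inventory.items():
        if not matches(team, *team_rule):
            continue  # team is outside the policy scope
        for ch in channels:
            if matches(ch, *exclusion_rule):
                excluded.append((team, ch))
                if not is_whole_token(ch, exclusion_rule[1]):
                    review.append((team, ch))
            else:
                monitored.append((team, ch))
    return monitored, excluded, review

# Constructed inventory for illustration, not taken from any real tenant.
INVENTORY = {
    "ext-dev": ["general", "test-sandbox", "latest-releases"],
    "ext-cs": ["support", "contest-winners"],
    "next-gen": ["general"],  # 'Contains ext' would also select this team
    "finance": ["payroll", "qa-test"],
}

if __name__ == "__main__":
    rules = (("starts_with", "ext-"), ("contains", "test"))
    for label, rows in zip(("monitored", "excluded", "review"), preview(INVENTORY, *rules)):
        print(label, rows)
```

Channels listed under review (here latest-releases and contest-winners) would stop being monitored because "test" occurs inside a longer word; a Starts With or Ends With rule, or a more specific string, narrows the exclusion.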
Learn how to configure the Scope section for Microsoft Teams.
The Scope stage allows you to select an MS Office tenant in which the policy can be created. In the Scope section, you must also choose to monitor one of the following:
the messages exchanged between two users.
the messages exchanged between groups.
The following documents explain the process of configuring the Scope for messages exchanged between two users and the messages exchanged between groups.
Configure Scope for messages exchanged between users
Groups Scope for messages exchanged in Groups.