[music] STEPHEN ROSE: Welcome, and thank you for joining us. This is episode 7 of our "Hybrid work with MS Teams" webcast. I'm your host, Stephen Rose. Today, we're going to talk about Microsoft Teams security, and it's an ask me anything. We've gotten some great questions from folks, and we'll continue to get them in during the show, so feel free to send them in and join us. Before I introduce my guests, I want to take a moment and kind of talk about how engineering works, because I had a really great question during Ignite on, "Hey, you guys promised us a few months ago, and how come we didn't get it, and how often does engineering look and make decisions like this?" And I thought I'd take a moment before we jump in and kind of talk about this. And it's really three things. Number 1, evolution versus revolution. When I was on the OneDrive team, I spent a lot of time with engineering, and they sit down quarterly, and they take a look at several things, including UserVoice. Any item in UserVoice that has over a thousand upvotes they add to their list of, "OK, let's take a look at it. Let's make a decision. Are we going to do this? Not do this?" et cetera. But I encourage you to think of engineering like a piece of string. It's a finite amount of resources, and if you pull it this way to do something, something falls off. And we're always looking at that balance of evolution and revolution--evolution, which are the features that help to move the product forward, making it more secure, easier to use, features that help us to compete with our competitors or that you've asked for that help you do more within a specific industry. And then, there's revolution--features that no one expects, like some of our different user modes, where you can see different seatings of people and how you interact to make people feel more inclusive as we start to do that. 
So, we look at that, we look at UserVoice, we look at issues and problems, and really sit down and figure out how we can best help. And that's how engineering moves forward. So, I will encourage you that at the end of this program, if you have thoughts or ideas, head out to UserVoice, because it's so incredibly important for us that you go out there, add those, or upvote those so that they get on the radar. Now, speaking of engineering and people who help to solve problems and make things happen, I have two great guests today. My first guest, my good friend and previous guest, Chris Jackson, who is a principal architect here at Microsoft. Good morning, Chris. CHRIS JACKSON: Good morning, Stephen. STEPHEN ROSE: How are you? CHRIS JACKSON: I'm doing terrific. Really, I love the introduction on how engineering works, because it is literally my job to be an advocate for the voice of the customer. So that's all that I focus on: really understanding what it is that customers are trying to achieve and how we can reflect that into our products. And I can't emphasize just how important that is. We build this for real people based on actual feedback and try to prioritize it in a way that we think delivers full scenarios as fast as possible. So great, great description. STEPHEN ROSE: Thank you! I appreciate that. And from my team, on the Microsoft Teams team, Teams product manager, John Gruszczyk. Good morning, John! How are you? JOHN GRUSZCZYK: Hey, Stephen. Doing well. How are you doing today? STEPHEN ROSE: Good, and you are not home, as I can see, in Seattle. You are actually joining us during your vacation, which I appreciate, and you are in Colorado, are you not? JOHN GRUSZCZYK: I'm in Wyoming. STEPHEN ROSE: Wyoming. JOHN GRUSZCZYK: Yeah: Grand Teton National Park. So yes, you may see the car background. I'm not on the run or anything, just enjoying some National Parks. STEPHEN ROSE: Perfect. 
And if we do see a bear somehow in the background, we should know that you're OK because you're in a car, so . . . JOHN GRUSZCZYK: Exactly. STEPHEN ROSE: All right. We've got a lot of great questions in. If you have some during the show, please send them in. We'd love to answer them, but John, I'll start with you for the first one, which was Raymond wrote in, "How do you deal with team sprawl, and what is the best practice to manage external guests when terminating access?" So, let's start with team sprawl. What suggestions do you have around team sprawl and how we prevent that from happening? Because I know a lot of administrators have rolled out the product, and then turned around three months later, and there are 3,000 teams, and many of them are duplicative or only have one or two users in them instead of working together as a group. JOHN GRUSZCZYK: Yeah, exactly, and that's a great point, and it really starts with that opening question of governance: full open creation of Teams, or controlled? So we are talking about a controlled scenario here. And so there's a couple of different items: We can look to have specific IT administrators create teams, or we could pass on that responsibility to business champions. And then, we also have things like naming policies, where you can set a prefix, suffix, or blocked words that help kind of limit how many teams get created. And then, of course, one of the other big ones is just team management of expiration. So, we have the ability to include automatic renewals or reminders to renew the team. And what that helps do is that automatic expiration will start to expire teams that no longer need to be out there. So, let's say you did have some people that created some test teams or whatnot; those will expire. 
But I think in a controlled environment, it's always best to set some designated business champions, even if that's someone in a specific department that may be responsible for creating those teams, and they'll help work with IT to make sure that they're valid team creations. STEPHEN ROSE: All right. Well, on that, then, how does external access and federation work, and how is this different from guest access? Because there's been a lot of confusion around that: Do I have to add a person to the tenant for them to have access to this? Do I have to have Azure B2B? Is there a different way to do it? So, can you take a few moments and sort of kind of walk through that process and what are the gotchas that people run into? JOHN GRUSZCZYK: Yeah, good. Great point, Stephen. And so yeah, as you pointed out, there is external access, which is really just that federation. So it's the ability for me and you, Stephen, to talk in different organizations through chat as normal. So, I can see your status, I can see when you're away or when you're working. So, that is your external commitments. And so that's like whitelisting and blacklisting IPs, almost: You're essentially adding those partner domains or federated domains. Guest access is where, Stephen, you bring me into your tenant to work fully as a guest, be a part of your team, have access to those Teams tabs, the documents inside of there. So guest access is where we really bring someone in, but that includes those security and compliance controls that we want to enforce. So again, the great part is when we bring a guest into our environment, we do have those security and compliance controls. One of the great questions I think I heard you mention is that kind of guest access review. STEPHEN ROSE: Right. JOHN GRUSZCZYK: And so, we know that we have guests in, coming out. And you think of large organizations like Microsoft; we want to have people that don't need guest access anymore removed. 
And so, one of those great items to leverage is within Azure Active Directory, or Azure AD, and using what we call "guest access reviews." So, we can create either new or recurring access reviews that actually act proactively for us as administrators to routinely review those users who have access to apps, teams, or are members of a group. And administrators have the ability to define the frequency of those reviews. So again, that's some of that automation that helps be proactive for you. But of course, I'll leave it with, it's never a bad idea to do that kind of normal hygiene, to do a monthly review as IT. STEPHEN ROSE: Awesome. Chris, I have a few questions here for you. So, I love the fact that Mary Jo Foley refers to Chromium Edge as "Credge." I think that's just the greatest thing ever, and I have to give her credit for that. But, I had shown the shortcut of the ability in Edge to be able to save a site as an app and to do that if you have multiple tenants of Teams and be able to keep it open, which is great, but then someone came back and said, "Well, outside that feature, aren't Chrome and Edge basically the same thing? Aren't they identical browsers?" You know, the answer there is no, because of the enterprise controls. So take a moment and kind of explain, how is Edge different from Google Chrome, and what are the enterprise features that we have that they do not? CHRIS JACKSON: Sure! So, I mean— STEPHEN ROSE: And you can simplify that down if you need to. CHRIS JACKSON: Yeah, yeah. No, and definitely they're tied together, as we announced what--like two years ago now? a year and a half?--that we were moving to base Edge upon the open source Chromium Project and contributing to that. So not just consuming it but actively being collaborators in that process, which really, we think, is the right thing to do for customers--to have that level of compatibility. 
But I think it's a really good question to say, "Well what, then, is the difference between the two of them?" And yeah, there's a few things that we look at. I mean, one of them is, hey, we're able to tie it to different identities. So let me actually share the screen here. That way, we kind of show off some of the things we're doing. I can both show what you get out of the box as well as what you can add into it. So let me . . . here we go, Share screen. See if I can get that to work. That coming through? STEPHEN ROSE: It is, although I still see myself in you. So you're going to want to minimize that first tab. CHRIS JACKSON: OK. Perfect! STEPHEN ROSE: There we go. CHRIS JACKSON: One of the questions that comes up is, How is this relevant to Teams? STEPHEN ROSE: We're still seeing Teams, so you need to minimize Teams. CHRIS JACKSON: Well, I'm showing you Teams in the browser. STEPHEN ROSE: Oh, got it. OK, got it. Perfect. Thank you. Now I understand. All right. CHRIS JACKSON: Because I think in a Teams conversation, my Teams is a web app. STEPHEN ROSE: I'm aware you're showing Teams. Just want to make sure we're on the same page. CHRIS JACKSON: So, it is a web app. You can kind of go in there and say, "Oh, it's built on top of Angular, there's some things we're doing with React." So, all of this is built on top of the modern web. The Teams desktop app is actually running inside of a container. So, it's built upon Electron, which is also built on top of Chromium. And we've been really enthusiastic contributors to . . . STEPHEN ROSE: Hang on, hang on. So, you're saying that our app is really a web app inside of a desktop frame? CHRIS JACKSON: Yeah. STEPHEN ROSE: All right. CHRIS JACKSON: Yep, so you have that. So, one of the things that comes up first is when I think about what's different for the enterprise, I think really specifically, what's in it for a Microsoft 365 customer? 
And one of the things that we frequently hear is that when you think about profiles, it's all about identity, and the identity is not just tied to a consumer profile, to the user's profile, but you can actually tie it to an AAD. So here's my Microsoft one; I have a personal profile that I can put in for things I'm doing. I've got a couple of different tenants that I am looking after for work. So, folks who work for managed service providers find this extremely convenient to mode-shift between all of them. And now, this data is then synced and tied to a corporate identity. So, if you were to revoke that identity, right? they're going to revoke access to it, so it's no longer just, "Oh, it's sitting inside of all this personal data." This is tied directly to what you're doing as an organization, which for a lot of customers is really powerful. They have that construct where this is now truly tying into work for me and having that built-in authentication. So I'm able to log in, have this incredibly meaningful conversation with you, as well. Some of the other features we look at are . . . in fact, I can just go to "Edge Compat," and one of the really big features that we come across is, you know--in fact, I can navigate to the site, we can see the experience--you no longer have to have multiple browsers and say, "Oh. Well, for this site, just go open up IE and run it that way. But for that site, you'll actually have to use a modern browser," and the user has to remember that. There's so much focus on making it great for the user, and being able to just automatically click over. I'm in the same tab. It just clicked over and became an IE mode tab, and if I navigate from here on to something else, like maybe I'm going to go shopping for guitars as we were talking about, or doing GitHub, or whatever the case may be, I just navigate there, and now it immediately just navigates back to a modern tab in Edge without the user having to be concerned with that. 
STEPHEN ROSE: And compatibility mode is something we've had for a long time. It's just something that we've really refined and made far more invisible for guests as we start to do that. And that's really a big part of that background, and with the redesign, is to make it just more streamlined. CHRIS JACKSON: Yes, absolutely. Yeah, and so we see a lot of organizations are saying, "We're going to have Teams. We're going to have it installed as an app," which you can do. And from there, then, now I can actually have a policy set up to say, You know what? For access to all of my internal sites, particularly in this work-from-home era, I can just get a policy onto your device that says, Yeah, let me put on an enterprise mode site list so that you're using Edge. It'll just work on all of our stuff, not just a subset. STEPHEN ROSE: Awesome! That's great. John, I'm going to come back to you. We've gotten a few questions in. One asked, "Will you be adding a feature to only do expiration for MS Teams rather than all O365 groups?" JOHN GRUSZCZYK: That's a great question. It starts with understanding the reliance of Teams on Microsoft 365 Groups as that founding identity principle. So, that's not something that is on our roadmap right now. It's a good idea, and we have thought about how we can better just focus on expiration of Teams or a specific concept within Teams. But right now, the answer on that is nothing publicly committed. STEPHEN ROSE: OK, awesome. And then, we're going to a suggestion: "Do you plan to do a tutorial on how to use Teams integration with Dynamics 365 Marketing?" That's a great episode idea, so we'll have to take a look at it. Here's a good one. One more, and then we have a guest segment that I want to switch over to here in a few moments, but let's do this one. 
And this one's also for John: "For guest accounts, it makes things more complicated when that guest also needs an AD on-prem account to access different resources, and recognizing an account that is a duplicate as well as an Azure AD only one. Is there a best practice or other advice to make it more obvious or clear, or avoid the confusion that this creates?" JOHN GRUSZCZYK: Yeah, it's a great question, and some of that is just feedback we've taken at Microsoft. We can talk about some of the Azure B2B integration and really setting up that federation with a partner organization. The example I always use is like a legal team, which is one that most often is working with other legal entities or groups that we actually do federate. We have more open policies because they're legal teams. So I think right now, the answer is, from a feature functionality standpoint, we're still working on that. But what I always do recommend is when you are working closely with another organization, go ahead and set up as much of that federation control within Azure AD to have that close partnership. So you actually both have some of the viewing and the resources in AAD of reporting, monitoring, et cetera. But again, it is good feedback, and we are looking at more granular controls around guests, how to make it more apparent, and easier management when we're in those kinds of hybrid or full-blown solutions. STEPHEN ROSE: All right. Chris, I'm going to give you a question, but we'll answer it when we come back from the break. And that is, somebody asked, "What are three features that Edge offers from a security standpoint that Chrome does not?" So, I'm going to take a break. We're going to go to our guest interview, and then we'll come back, and then Chris will answer that question for us. So, let's take a look at our security guest this week. I am so excited today to have a very good friend of mine join us to talk about security and all that is important in security. Paula, calling in from Warsaw, no less. 
Thank you so much for joining us today. How are you? PAULA JANUSZKIEWICZ: Well, thank you so much for the invitation. Everything is good. And how are you doing? STEPHEN ROSE: I'm doing great. So, I've known you for about 12 years, but even then, you were doing security. So, tell us a little bit about yourself and the work that you do and how you have gotten to this point in being one of the top security experts . . . you know, speakers in the world. PAULA JANUSZKIEWICZ: Well, thank you for this. Yeah, we've known each other for so many years, right? But well, I've been in the industry for the past 15 years actually, and the company that I have established, called CQURE, is right now 12 years old. And also to show how cybersecurity has grown over so many years, at the very beginning, I was the only one, and right now we've got 42 team members. STEPHEN ROSE: That's crazy. That really shows how important it has become since the Windows 7 days and NT. Well, you were doing like Windows 2000 security, and then sort of moved up from that as I continued to know you and work with you over the years. So, our show today is on security, and I thought it would be great to ask you, what are the three or four questions that you consistently get that you say, "I wish I didn't have to answer these four, because there are so many other great things to dig into." So what are three or four things that every person who's looking at security should really think about or should really know? PAULA JANUSZKIEWICZ: Oh, well. Some of them are quite generic that I'm getting. STEPHEN ROSE: Which is fine, yeah. PAULA JANUSZKIEWICZ: OK. So, this is the first funny one I'm getting, for example, during the pen test, as well, or after the speech at the conferences and so on, and that question is simple and it sounds like, "How to hack Windows?" [laughs] STEPHEN ROSE: OK. PAULA JANUSZKIEWICZ: That really makes me laugh, because there are so many things, right? 
that are dependent on, like, while you're getting into the infrastructure, things can be misconfigured, and there's platform security in Windows, which is great, so there are plenty of things, so that the answer isn't very short, yeah? But on the other hand, I don't want to fall into the typical consultant answer, which will be, "Well, it depends." STEPHEN ROSE: Yeah, but it is. I mean, it's not that Windows is not a secure platform on its own; it's how people configure it or misconfigure it or don't finish things, which is where those areas lie. So absolutely, I think it depends on the person, how they're looking at things. So what advice, if somebody is saying, "I want to secure Windows," what are one or two things you say are the absolute must-dos? Where does somebody kind of start? PAULA JANUSZKIEWICZ: So when we, for example, look from the enterprise perspective, one of the top things to consider right now would be the whole platform that is related to preventing running the software, in general, the code that we don't know. So simply speaking, whitelisting implemented through AppLocker, Device Guard, application control, and also the attack surface reduction rules, which are related to Exploit Guard, that are, for example, preventing us from running macros from the documents, while also taking into consideration phishing right now. That is a really nice thing to have, because phishing has grown within the pandemic time in a massive way. STEPHEN ROSE: Yeah, it's crazy how much it has gone up and how many "your Netflix account didn't go through" and things like that are hitting. How about MFA? How important is it for folks to put in MFA or some sort of two-factor authentication? 
PAULA JANUSZKIEWICZ: Yeah, it's good that you mentioned it, because not a really long time ago, I was actually doing a pen test for an oil and gas company, and there were approximately 6,000 accounts that I was supposed to test, and that was one of the first stages of the penetration test. And I started with the simplest possible thing that is out there, which is password spraying [and these guys did not have MFA], and 29 accounts out of that 6,000, approximately, they actually had the user name, of course, as the name within the company, but the password was "companyname2020." So, like, it's just statistics, right? STEPHEN ROSE: It is so great to see you. I'm sorry we weren't able to connect this year at Ignite, because I'm missing you and Gregors and everybody else, but it is wonderful. I really appreciate you joining us. I know how busy you are. I know that you, because you can be virtual, can do two or even three conferences at the same time, and you are. So, thanks again for joining us. Stay well. And everybody, check out Paula's information. It's absolutely tremendous. And thank you again for being on the show today. PAULA JANUSZKIEWICZ: Thank you so much. STEPHEN ROSE: It is always great to get a chance to talk to Paula. To see the rest of our interview, make sure to check out our Extras area. We kept talking for quite a while and covered a lot of great stuff, so make sure to check out the full interview in the Extras area, but thanks again to her for getting up early and joining us from Poland. So Chris, before the break, I had asked you, What are three security features that Chrome does not have that Edge does, and what do you have for me? CHRIS JACKSON: Great! So I'm going to go back to demo 'cause that's kind of my thing. And I think before we kind of dig into the differentiator, what I want to say is that we actually . . . the foundation of Chromium actually brings a whole lot of security. 
I'll kind of dig more into the gnarlier aspects, but this is something that we've been contributing back into the Chromium Project, to make sure that we're taking advantage of all of the features that are available in Windows itself, right? So the protections we have here are called "process mitigations." So, things like a renderer process does not necessarily need to do a call into win32k.sys. So depending on what it needs to do, we can call into the Windows API, which will disable all of that access. One of the things is that historically we've not really told you exactly what those mitigations are, so I wanted to kind of call out for my fellow nerds out there that this is something that we have documented. If you do a search for "Exploit Protection Reference," every single mitigation that we have is fully documented there. So you can see exactly what those things are. So the foundation is actually pretty good, and we can go back and take a look at that later, but that sandbox technology is actually a really deep sandbox. But in addition to that, one thing that Edge has is this thing called "Application Guard," which is an even deeper sandbox. And if we actually look, I'm going to use Process Explorer here from Sysinternals to take a look, and we find that we actually don't even see an Edge process at all. We're really just seeing this RDP client, because what we're actually doing is hosting Microsoft Edge inside of what's called a "krypton container." Again, for all of the nerds out there, I did a whole session at the last in-person Ignite we had back in the before times, where I go into all kinds of depth on krypton containers, for anyone who's interested. At a high level, though, this is inside of a micro-virtual machine. So, it doesn't take all of the resources of a full VM. 
It's really just projecting into this virtual machine resources from the host device, so it takes a lot fewer resources in order to be able to launch it and run it, so you get a lot better performance, better startup times, but you get that virtual machine isolation. So, now it is actually, if something were to be able to successfully attack and penetrate the sandbox, they'd get onto a VM that is contained. And in fact, every time I log off the device, it's just going to throw away the old VM and come back with a fresh, clean one the next time. So we really get an additional level for extreme levels of high security that we're able to get to here. So one is the availability of an extra container. We talked before the break about the browser and how we have IE mode as an option. So, I wanted to point out another aspect of IE mode is that it also allows you to sort of steer away, because one of the challenges of, hey, users, just go and pick the right browser for the right device for the right site, that means that to some extent you could end up, say, using Internet Explorer longer than you want to. STEPHEN ROSE: Right. CHRIS JACKSON: Internet Explorer . . . while we are committed to making that a safe and secure browsing experience, we will do servicing, the team still fully supports it--if you hit a security issue, we'll fix it--isn't going to have the same level of investment in security innovation that Microsoft Edge would. And so by going into Internet Explorer mode, we can actually then set an additional Group Policy that says, "If it's not on my site list, send it back to Edge." So now, even if you launch a full version of Internet Explorer, if you navigate to a site that's not in your site list, it's going to bounce you back and immediately bring you there. And so you don't end up staying in that full browser for too long, because we do see customers who will not fully disable access to IE, because that's kind of your break-glass, your fail safe. 
But this Group Policy lets me really constrain that to say, "You know what? I'm not going to let the attacker pick the browser they feel like attacking. I'm going to take some control and I'm going to constrain that surface area." So, we have a second feature there. And then, the third one that we think about is just overall safety and protection. One of the things that we look at there (and let me close my F12 window here, because I don't need that) and I've opened up here, and it really comes down to privacy, which I think is also important when thinking about security. Every single thing we do in Microsoft Edge is tied to Microsoft's privacy. I would say from a team perspective, everyone is a hundred percent obsessed with privacy. So everything in the code . . . if we don't control the service it connects to, we don't connect to it. So everything is going to follow and track to the Microsoft privacy commitments, and we are just super really dedicated to making sure that that is really fundamental, and, as you've heard our President Brad Smith say, "We believe that privacy is a fundamental human right." Super important to us towards delivering that fantastic M365 experience. STEPHEN ROSE: Awesome! That was great, Chris. Thank you. John: DLP, communication compliance, and keeping chat safe. What do you have to say about that? JOHN GRUSZCZYK: Absolutely. Two things that every organization should be taking advantage of, or at least piloting and testing out. I'll quickly kind of break down the differences, because there are some minor . . . Data loss prevention is what it sounds like: It's going to proactively work on behalf of your SecOps or IT team to help find sensitive data that could be getting leaked out. So at the highest level, we talk about things like personal identification numbers, passport numbers, credit card information. 
So Stephen, when you send me your credit card information to buy some team lunch, it's actually going to get blocked, and the great thing is we don't just block that message. Of course, IT gets notified that that information was shared, but you as the end user would get blocked and a little policy tip that actually lets you know why it was blocked. So again, we're actually trying to help educate end users, because it's not always malicious data leakage. Sometimes, it's by accident, like a credit card. So, we just want to inform that end user, "Hey, you shouldn't be sharing this type of information, either from a personal standpoint or from a governance perspective as a company. We can't share this information." So DLP . . . oh, go ahead. STEPHEN ROSE: I was just going to say, so very simply, the DLP policies that we have for SharePoint, for OneDrive, and for Exchange, you can easily just expand out to Teams, especially since Teams is SharePoint at the bottom in many ways. So, you're just sort of extending that across just a new surface, but it's something that's already there and in place. JOHN GRUSZCZYK: Exactly. It would actually take me longer to pull up my screen share than to show you how easy it is to take an existing DLP policy and just flip the switch on for Teams. Yeah, it's that easy. STEPHEN ROSE: Yeah, all you have to do is you go to the Advanced, and then you see OneDrive, SharePoint, Teams, and you just click it and it's there and you're done. So, it's super easy. Awesome. Which actually leads in really well. I've got a question from Raymond. He has a bunch of questions, but it's like, "How does file uploading and sharing work with Teams?" He tried to upload a file that had the same name as another one, but it didn't work, and max file sizes--what could prevent a file? So, what's important to understand is, it's SharePoint. 
Every time you create a new team group, you're creating a new SharePoint site that's going to follow the SharePoint rules, which means you can do over 100 GB uploads. It's best if you have OneDrive, because then you're taking a file from OneDrive and copying it from one cloud to the other, not having to bring something down and bring it back up again and go that route. Or if you're using Box or Dropbox, you may want to consider moving to OneDrive, because that will reduce a lot of that going back and forth, but you can't have two files with the same name in SharePoint. It just doesn't allow it, because it creates a lot of confusion. So, if you do try to upload a second one, if it's the same file, it's going to say, "Do you want to overwrite it?" If you're trying to do two different versions, well, there's a lot of reasons why: Either A, you're used to working on prem, where you're just having five different people work on the same file and they're trying to bring it all together. And in that case, you really should share it from OneDrive or drop it into the team and have everybody work on that version. That way, it's up, everybody's working on it simultaneously. You can have multiple people doing that. It will only lock the section of the text that that person is working with. But that's often why that happens: you have people that are still doing things the old way. I have five different versions of this file, and then everybody's working on it, and it's going back and forth, so that will do that. What's going to prevent a file upload problem besides a bad internet connection? If it is a file type, or if that person doesn't have rights to save to that area. But again, if they're allowed to use SharePoint, if they're a member of those O365 groups, there really shouldn't be a problem. So, think about it as SharePoint-OneDrive, and try to get down to one version of the file that everybody's using. That's really where the product excels and does extremely well. 
JOHN GRUSZCZYK: Hey Stephen, I did not really touch on communication compliance, so I'll give kind of a quick 30 pitch on that one--a 30-second pitch. So communication compliance is almost like DLP, but it's more proactive monitoring. And so it actually takes the administrator: once an item is flagged, you would actually have to block it. So, a good example is in large lectures, education, but I'll take this, for example. I am a Chicago native and I break one of the most cardinal sins in putting ketchup on my hot dog. STEPHEN ROSE: No. JOHN GRUSZCZYK: It generates a lot of hate mail, and so essentially, when I start getting those hateful messages in from maybe yourself or Chris, our IT administrator is actually able to immediately see that message is in violation of our company policy, and then you can block it the same way DLP works. So, the real difference between kind of communication compliance and DLP is DLP is going to block it automatically. Communication compliance is going to trigger an alert to our SecOps or admin teams that are responsible for monitoring this, and then have the ability to actually block that, and then actually follow up with the employee. And so communication compliance actually has some additional trainable classifiers on offensive and threatening language that we're always working on to help kind of keep that safe, inclusive workplace. STEPHEN ROSE: All right. I have one more question . . . CHRIS JACKSON: I'm actually curious, is it not true that putting ketchup on your hot dogs is a violation of corporate policy? Because I thought that was true. STEPHEN ROSE: Well, only in Chicago. In Chicago, that is a corporate policy, and we are all three Chicago natives, but I think once you leave the state, they allow it, which I don't get, but that's fine. They also like pizza that's really flat and wide in certain cities, too, so I don't get that either, but. All right, now we will talk about da pizza and da Bears.
So one more question for you, John, then one for Chris, and then we've got to wrap up the show. So John, any good policies or guidance around retention? That's one thing that folks have asked, and obviously you want to sit down with HR and you want to figure out what your retention policies are, but should we look at Teams retention the same way that we look at SharePoint and OneDrive and file retention? What's your advice when someone asks you that? JOHN GRUSZCZYK: Yeah, Stephen, you nailed it. And I'll give kind of a, I guess, a high-level pitch here, but it's about integrating into that Microsoft 365 security and compliance layer. So, to your point about DLP, if we're doing a retention in SharePoint, in Groups, or any area across the business, Teams is likely going to have that same type of data, information, or content that we do need to or want to retain. So, we always sit down and talk with compliance and security teams and say, "Hey, if you're governing and retaining items in SharePoint or Groups in a specific way, you should at least have that same kind of architecture deep dive on your Teams side and ensure that you're within internal national regulations and compliance." So again, it's kind of a high-level answer, but we always recommend however you're doing things across SharePoint and Exchange--that common set of services--Teams is just another service layer that snaps into that Microsoft 365 layer of management. STEPHEN ROSE: Awesome. Chris, I was reading an article earlier this week from On Microsoft, which I sent to you, which was explaining why there are so many different processes going on in Edge, and that's something which you covered, which is basically, it's all of these little virtual machines that are allow . . . or sandboxes that are allowing Edge to run within it to make it more secure. So, it's not that it's using up a ton more resources, it just has more of these broken-down, sandboxed areas. Is there anything you wanted to add to that?
And then, I have one final question for you, which somebody asked, was, "Were there any key features announced at Ignite around Edge?" So, you could take whichever one of those two you would like. CHRIS JACKSON: Ooh. So there's a couple of them. But I would say the one that I'm most excited for . . . We haven't put the bits out there yet, but we've got a lot of customers, particularly in the work-from-home world, who are saying, "I want to be able to manage my users who are using Edge, but I need to make sure that I can reach them where they are." So, one of the things we announced is that we're investing in building out really mobile application management for Microsoft Edge. So today you can control Edge using Microsoft Endpoint Manager if you are on an MDM-managed device. And we're looking to build the same thing that we have on a lot of mobile platforms today for Microsoft Edge, where you can set a policy directly from Endpoint Manager, even for a non-MDM-managed device, which I think is super exciting and something that's going to help us get the right configuration, whether it be for security reasons or even productivity reasons-- things like configuring features like IE mode or configuring for the environment to make sure that those things work. STEPHEN ROSE: Awesome. We've got two more questions in. So one says, "Can I email files to specific OneDrive folders? We are trying to replicate the Box functionality we currently have today." And the answer behind that is, the way that we look at OneDrive and SharePoint is different than the way Box looks at it. Box puts both of those together into one, while we say SharePoint should be replacing all of your shared drives--X drive, C drives, if HR has a drive, then that should be moved to SharePoint. And that's where those files are because you can sync that, be able to see it locally, drag and drop folders into it, but of course work from it from the web.
So with that, you can just drag files into that. You don't even need email. You could say, I want to put these folders into the HR SharePoint, or have that off to the side by doing a file sync. We look at OneDrive as where you put your personal files. These are your files on things you're working on, not things that are being used by a large group of people. So, we've made that much easier rather than "What's my files? What's the company files?" and making it very confusing. We think that's a better way to do it. And if you want, you're welcome to catch me on Twitter, and I'm happy to have a longer conversation with you on this. But I think, John, this one's for you: "What is your best process or way to require more than one owner when a user creates a team, being that we want to have more than one owner to avoid orphan teams, and it's not a feature right now in the box?" So I get that. So you could say, "Hey, I want to have two owners in case somebody leaves or changes role so that other person can take over, or they're out or get hit by a bus, et cetera." So, how do we do that? JOHN GRUSZCZYK: Yeah, I've seen a lot of actually very kind of innovative solutions here. Back early on, when Teams was created, we saw some folks doing things like this to create those governance layers, which was the first question that we actually talked about. And sometimes, that's creating forms or escalation processes within some of your tooling to, for example, if I want to create a new team, I'm going to have to submit it to you, Stephen, as my IT admin, and you can actually set up both those team owners. Sometimes, we do have to work through a couple more governance-layer processes to ensure things like that. So to your point, it's not a feature right now, but we have seen some items around either using things like SharePoint lists or forms or submittals that you can essentially submit your request to create a new team. Someone will create that team and assign it on your behalf.
And again, we can talk about business champions instead of going up to IT or your actual security teams. So it's a long way around saying again, we don't have the feature existing quite yet, but you can create those governance layers either through some of the Microsoft services or, if you have an internal line-of-business application, through ticketing or requests, you can essentially input that. You know, fill out your necessary information, and then someone's going to approve that on your behalf and create that team and assign it out. STEPHEN ROSE: Awesome, yeah. And to whoever asked that question, if you have more questions you can reach out to John directly on LinkedIn; he'll be happy to answer it. Chris is available through @appcompatguy, or you can send it to me and I'm happy to forward it to them. We talked about a lot of really cool stuff today, but I do want to cover some of the links that will help to do this, so let's take a look at that. We have, of course, our Planning for Teams Governance; our Teams Security, Compliance and Privacy Overview; the Security Guide; the Tenant-wide Security Enablement; Microsoft Edge Security for Your Business; the Microsoft Security Baselines and the Tech Community; and of course the MyIgnite "State of the browser" 2020 session, which has some of the features that Chris talked about. So, a lot of great stuff. We're at 40 minutes. Normally, the show is 30, so we can obviously keep going on with this, which is awesome. And again, I want to thank my guests, Chris Jackson and John Gruszczyk, for joining us today. It's funny that John happened to mention there are some really great processes that we can do in approvals and things like that, which really goes into PowerShell, which is going to be our next show. Our next show is going to be a step-by-step guide on low-code, no-code with PowerShell. We're actually going to spend the full half hour actually just demoing how you can create a basic Power App easily and how easy it is to do.
And we're going to do it live and in front of your eyes and do that. And I'm super excited to announce that on our show the first week in November, our guest is going to be none other than corporate vice president Jeff Teper. So, come with all your Teams and Office questions and M365 questions because he is the man, the myth, the legend between all that, and has also an awesome guitar collection, much like Mr. Jackson. If you have any comments, questions, show ideas, send them to me @StephenLRose. I love hearing from you guys and what you do. I want to thank all of our listeners, and thank you, and we'll see you in two weeks.