Friday, September 13, 2019

Just be aware: recorded data of MS Team Live Events "QuickStart" is stored outside own tenant

Microsoft Teams Live Events supports 2 flavours: Teams (formerly code-named "QuickStart"), and External App using Microsoft Stream. The charm of the Teams option is illustrated by its code-naming: it's very easy to start up and use. In the most basic and raw form, the only thing needed is a laptop with onboard camera, and Microsoft Teams desktop application installed. And then anyone granted the Teams Live Events scheduling authorisation (TeamsMeetingBroadcastPolicy -AllowBroadcastScheduling parameter = True; Who can create and schedule live events?), can self-schedule and self-produce a Live Event. However, a caveat to at least be aware of is on the location where collected data is stored: the video recording, and the data of the Moderated Q&A. When using Microsoft Stream for event webcasting, the recording is stored in your own tenant and under your direct control. The MS Teams situation is to date different:
  1. The video recordings are stored as Azure Blob in the Microsoft system instance of Azure Media Service, a generic tenant shared accross multiple customers. The AMS instance is within the same data center as your tenant (not much information on this shared, but see: Manage a live event recording and reports in Teams: "Recordings from live events produced in Teams are currently not saved in Microsoft Stream", and Teams Live Events storage location);
  2. Captured Questions & Answers are stored in a combination of Azure Tables and CosmosDb, also in a generic tenant. The QnA data is automatic deleted 180 days after end of the Live Event, unless earlier explicit deleted by yourself.
It can very well be that this outside-tenant administration of your's company data is totally irrelevant for your organization. If so, you don't need to concern yourself nor your information security. However, in case you are in a business for which legal compliance and/or data privacy holds, I do advise that you consult your information security and compliance office on whether the outside-tenant administration does not impose a continuity risk. Better be safe than afterwards sorry...

No comments:

Post a Comment