Microsoft Teams Governance

One way to look at governing Microsoft Teams is to think about the options you have as light switches, you can turn these options on and off to meet your requirements however it is important to understand the benefits and negatives behind each of these decisions.

In this article I will look at 6 options available when looking to govern your Microsoft Teams environment.

  1. Controlling Team Creation
  2. Naming Convention
  3. Sensitivity Labels (Classify)
  4. Guest Access
  5. Expiration Policy
  6. Retention Policy

Controlling Team Creation

Customers often look at this and say things along the lines of “Everyone having the ability to create a Microsoft Team is great…but I don’t want that, how do I turn that feature off?”
Whether this statement is due to an environment that likes to have complete control over its users or something else – there are few benefits to this. And when it comes to this point, I would strongly advise that you guide your users rather than restrict them.

Benefits

  • Restricts some users from creating groups anywhere in office 365
  • Does not prevent users from using groups
  • Global Admins, Exchange Admins, SharePoint Admins and User Admins can still create Groups.

Guidance

  • Strongly consider self-service!
  • Use dynamic membership to configure Security groups members
  • Document and communicate how to request a group
  • Revisit who can create groups during your cloud journey

In essence, picture an open road with no guard rails – For an inexperienced driver – this could be a disaster as they can verily easily drive off the road.

What we should be aiming to do is incorporating guard rails with our teams governance.

Naming Convention / Policy

Customers often like to say “we’ve always had a naming convention. We need to maintain that now”
“We need consistency with our naming standards”
“Imagine the names teams will have without a naming convention!”

Naming conventions and policies are a very tricky concept with Office 365 groups as this is a really limited feature and does not provide for much flexibility. In essence – you will need to have your Active Directory ON-POINT when it comes to user fields being consistent across the entire organisation.

I would definitely opt for guidance when it comes to naming conventions rather than trying to enfore a naming convention – I would also consider a custom blocked word list.

Benefits

  • Applies to all office 365 groups created
  • Ensure group names follow your organisation schema
  • Use fixed strings or active directory attributes as prefices and/or suffixes
  • Helps identify the function, geo, department.

Guidance

  • Define custom blocked words (note: blocking words such as “sex” would also prevent use of the name Sussex, Essex etc.)
  • Use short strings as suffix
  • Use attributes with values
  • Don’t be too creative, total name length has a maximum of 264 characters

Sensitivity Labels (Classify)

The phrases below are all too common when looking into governance, and the ideal way to approach these is with sensitivity lables for sites, teams and groups.

“We don’t want public teams in our environment”

“There are some teams that should only be accessed from managed devices”

“we want to allow guests in some of our teams but not all of them, is there an easy way to manage this”

Benefits

  • Consistent experience across teams, groups, sites and office
  • Simplifies back-end management of Teams(Powershell Scripts)
  • Policies associated with sensitivity labels to control public/private settings, guest access, and access from unmanaged devices.
  • Classify and protect sensitive Microsoft Teams.

Guidance

  • Create new sensitivity labels with same names as your existing classifications
  • Educate Microsoft team owners on what the labels mean and how to use them
  • Azure information protection labels and office 365 sensitivity labels are fully compatible with each other.

Guest access

The dilemma surrounding guest access and knowing whoi has access to company data is one that is all too common.

Statements such as the ones below are all too common
“I need to know who has access to our data”
“Open guest acess is not possible”
“I wish we could limit who could be a guest in our tenant”

Benefits

  • Enabled safe teamwork outside the firewall
  • Works with any email address
  • Based on common azure business to business platform

Guidance

  • ENABLE GUEST ACCESS!!! – Microsoft teams is a collaboration tool – Let them collaborate!
  • Govern guest access using:
    • Allow/block guest domains
    • Terms of use
    • Access reviews
    • Track guest user activity via audit logs

Expiration Policy

The worries around “we are going to have WAY too many Microsoft Teams out there to control!”

Or the ones that surround “People will forget they have a Microsoft Team and never delete the content” are very common – and probably with a very legitimate reason. We’eve all experienced the users who corrupt their mailboxes because they like to horde or don’t like to use the archive.

However – With office 365 groups – there is the capability for expiration policies that can take care of this!

Benefits

  • Auto renewal as a result of user activity
  • Expire groups older than a specific period if no user activity
  • Group owners get email notification to take renewal action on the group
  • Can set expiration policy to specific groups
  • Expired groups can be restored within 40 days

Guidance

  • Pilot with specific groups initially
  • Choose inactive groups based on the activity report in Microsoft Admin Center
  • Onboard your helpdesk Team
  • Communicate renewal process to group owners
  • Create a process to identify ownerless groups

Retention Policies

And finally – Retention policies & regulations

The need to maintain data due to regulations is a scenario that almost every organisation out there will need to meet. That is, unless, your “legal department wants all of this data GONE as quickly as possible” This is where Retention policies come into play.

Benefits

  • Can be used to define a range of days after all content will be deleted or a range of days that content cannot be deleted – or both.
  • Retention period for teams can be as short as one day
  • Channel message policies can be applied globally or per team
  • Chat message policies can be applied globally or per user
  • Files use retention policies of sharePoint, and one drive for business

Guidance

  • Understand how retention works! (THEY ARE NOT FOR BACKUPS!)
  • You should consider retention policies holistically
  • Double check teams retention set end to end!

I hope that this post can assist you in governing Microsoft Teams for your organisation and many others.

Thanks for reading.

Leave a Reply

Your email address will not be published.