2021-03-13

Are you responsible for Microsoft Teams, but are worried that it’s becoming unmanageable? Or, has your Teams tenant become (or has the potential to become) a liability due to lack of compliance?

If you don’t have one already, it’s highly likely you could benefit from defining and implementing a Microsoft Teams governance strategy. As I’ve helped many customers with Teams governance, I recommend that you make a plan and define a process for these 8 key topics / considerations:

  • Collaboration templates
  • Naming convention
  • External access
  • Expiration policy
  • Privacy
  • Back-up & restore
  • Compliance
  • Creation process

1. Collaboration templates

Microsoft Teams supports collaboration between a group of people. Organisations collaborate in different ways:

  • Departments
  • Cross-departments 
  • Projects

The first step is defining the collaboration templates. I advise starting small and keeping it simple. Start with two collaboration templates and, once these are successfully deployed and adopted, start again with additional templates.

2. Naming convention

Per collaboration template we can define a naming convention. For example: Each time a team is created for a project the following naming convention is applied in Microsoft Teams: PRO – Name of the project. Applying a naming convention for the URL of the SharePoint team site is possible but can only be set with a provisioning solution.

The following options, for applying a naming convention, are available:

  • Prefix-suffix naming policy: A policy available in Azure Active Directory. You can define prefixes or suffixes that are then added automatically to enforce a naming convention on your teams. For example, in the group name “GRP_JAPAN_My Group_Engineering”, GRP_JAPAN_ is the prefix, and _Engineering is the suffix.
  • Connect to a provisioning solution: By using a provisioning solution to create teams, you automatically enforce a naming convention.
  • Leave it up to the employees: During the creation process, the employees need to apply the naming convention defined for Microsoft Teams.
  • None: There is no naming convention set for teams.

Advantages:

  • Improving the findability of a team in Microsoft Teams: The current team overview menu makes it difficult to find teams. By applying a naming convention, finding teams becomes easier for employees.

Challenges:

  • Prefix-suffix naming policy: The Azure AD policy requires an up-to-date Azure Active Directory. This policy does not work with multiple collaboration templates because it is not flexible enough to apply a different name per template, so that the name corresponds with the template.
  • Employees will forget: Most employees are not going to remember to set a naming convention while creating a team.

3. External Access

External access allows an organisation to collaborate with external people in Microsoft Teams. These are people with an external e-mail address.

The following options are available:

  • Allow for all teams: All teams can invite an external person. 
  • Allow for a selection of teams: Only a selection of teams can invite an external person.
  • Disable for all teams: No teams can invite an external person. 
  • Decide with a sensitivity label: By selecting a sensitivity label, the team can or cannot invite an external person.

Advantages:

  • Reduce shadow IT: These days, collaboration with external people is the norm. By disabling external access in Microsoft Teams, your employees are going to use other, and most likely external, services. This results in shadow IT. By enabling external access, you reduce the risk of shadow IT within your organisation.
  • Efficient collaboration: Collaboration with external people in Microsoft Teams is more efficient compared to sending e-mails with attachments. Microsoft Teams is made for collaboration. Internally and externally.

Challenges:

  • Compliance is crucial: Once an external person has access to a team, and its content, they can download all the content. This could result in a data leak. This can be prevented by using compliance features such as data classification with sensitivity labels or Data Loss Prevention (DLP).
  • Increased responsibility for the owners: The owner of a team is responsible for inviting the correct external people. This gives them an increased responsibility compared to the alternative whereby IT only invites and adds external people to teams.

Jasper Oosterveld

Teams Governance Workshop

If you'd like to learn how to govern and control Microsoft Teams, then watch my workshop where I showed step by step how to implement a robust governance strategy.

4. Expiration Policy

After a while, your Office 365 tenant contains inactive teams. Azure Active Directory contains a feature to delete inactive teams by setting an expiration policy. The expiration policy is based on a number of days. For example: 180. The owners of a team receive an e-mail notification and a message in the team 30, 15 and one day before expiration, asking them to keep or delete the team.

Once the team is deleted, the team and all related content are moved to a recycle bin. Only the Office 365 administrator can restore the team within 30 days. After this period, the team cannot be restored anymore.

Options & activity check

The following options are available:

  • All teams: All the teams are bound to an expiration policy.
  • Selection of teams: Only a selection of teams is bound to an expiration policy. 
  • None: No expiration policy is enabled.

Active teams will not receive a notification to renew or delete the team. The activity is based upon the following user activities:

  • SharePoint: View, edit, download, move, share, or upload files.
  • Outlook: Join group, read/write group message from group space, Like a message (in Outlook Web Access). 
  • Teams: Visit a Teams channel.

Advantages:

  • Keep your Office 365 tenant clean: By removing inactive teams your Office 365 tenant stays “clean” and does not contain any inactive teams.
  • Reduce manual maintenance for IT: By giving team owners the responsibility and action for cleaning up inactive teams, IT can spend time on other activities.

Challenges:

  • Rely on Microsoft back-up & restore: Once a team is removed by an owner and the 30 days have passed, the team and all its content are gone forever. Without an additional back-up solution, you are bound to the Microsoft back-up & restore settings.
  • Retention policies need to be clear: A team that is being marked for deletion by an owner can contain content that needs to be retained for a longer period. This is where the retention policies need to be clear, so data is not deleted that should have been preserved.
  • Increased responsibility for the owners: The owner of a team is responsible for renewing or deleting a team. This gives them an increased responsibility compared to the alternative whereby IT only deletes an inactive team.

5. Privacy

Microsoft Teams offers privacy settings to control the access and visibility of the team and its content.

The following privacy options are available:

  • Private: Only owners can invite new members. 
  • Public: All employees can join the team and the content is visible for all internal employees. 
  • Org-wide: All employees are automatically added to the team.

6. Back-up & Restore

Employees have more control over the deletion of the team and content. Microsoft supports organisations by having back-up and restore in place. The question you need to answer here is: how long do you want Teams, Channels and content to be recoverable?

7. Compliance

Sensitivity labels

Sensitivity labels are used to classify and protect content, preventing unwanted access to it. The labels have been extended so that they can also be applied to Microsoft 365 Groups (Microsoft Teams & SharePoint Online).

The following options are available once a label is connected to a team in Microsoft Teams:

  • Privacy: Automatically set the privacy to public or private. It cannot be changed once applied.
  • Guest access: Allow or block guest access. 
  • Unmanaged: Define the access to the content in the SharePoint Team Site for unmanaged devices: full access, web-only or none.
  • External sharing: Set the external sharing links to anyone, new & existing, existing guests or none.

The label attached to the team does not classify or protect the content. You need to set separate labels.

Data Loss Prevention (DLP)

DLP (data loss prevention) prevents the sharing of sensitive information with colleagues and / or external people.

Sensitive information is defined in a DLP policy. This could be a social security or credit card number. The DLP policy can be applied to chat in Microsoft Teams (you need an Office 365 E5 license) or content stored in the SharePoint Team Site (Office 365 E3).

Retention

Retention is aimed at preserving content from being modified and / or deleted indefinitely.

The following options are currently available:

  • Retain content or chat for an X number of days, weeks, or years.
  • Retain content or chat and delete after an X number of days, weeks, or years.
  • Delete content or chat after an X number of days, weeks, or years.

At the time of writing, Microsoft does not support retention for chat in private channels.

8. Creation Process

Did you define all the above requirements for your collaboration templates? Now, it is time to define the creation process of your collaboration templates in Microsoft Teams.

The following options are available:

  • Allow all your employees to create a team in Microsoft Teams via the Microsoft Teams applications.
  • Allow a selection of employees to create a team in Microsoft Teams via the Microsoft Teams applications.
  • Provide a controlled creation process with a provisioning solution for all or a selection of employees.

What determines the use of self-service or a provisioning solution?

  • Do you require multiple collaboration templates?
  • Do your collaboration templates require a unique naming convention?
  • Do your collaboration templates require strict external access policies?
  • Do your collaboration templates require different expiration policies?

Did you answer yes? You are most likely bound to a provisioning solution. This is not a problem at all, as there is no wrong or right answer. You can start with a provisioning solution and move on to a self-service scenario in a later stage.
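
How a provisioning solution can tie naming, external access and expiration to a collaboration template, shown as an added example that is not from this article or from any Microsoft tooling. The `provision` function, the template values, the DEP prefix and the `contoso.example` domain are assumptions; only the PRO prefix, the 180-day lifetime, the 30/15/1-day notifications and the 30-day restore window come from the text above.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

@dataclass(frozen=True)
class Template:
    prefix: str
    privacy: str                    # "Private" or "Public"
    guests_allowed: bool
    expiration_days: Optional[int]  # None = no expiration policy

# Constructed templates: only "PRO – " and 180 days appear in the article.
TEMPLATES = {
    "project": Template("PRO – ", "Private", True, 180),
    "department": Template("DEP – ", "Private", False, None),
}
NOTIFY_BEFORE = (30, 15, 1)  # owner notifications, in days before expiration
RESTORE_WINDOW = 30          # days in which an administrator can still restore

def provision(template_key, requested_name, member_emails, created,
              internal_domain="contoso.example"):
    """Build the team definition for a request, or raise ValueError."""
    tpl = TEMPLATES.get(template_key)
    if tpl is None:
        raise ValueError(f"unknown template: {template_key!r}")
    name = " ".join(requested_name.split())  # collapse stray whitespace
    # Drop any known prefix the requester typed, so it is never doubled
    # and a team cannot carry another template's prefix.
    for known in TEMPLATES.values():
        typed = known.prefix.strip()
        if name.casefold().startswith(typed.casefold()):
            name = name[len(typed):].strip()
    if not name:
        raise ValueError("team name is empty after normalisation")
    guests = [e for e in member_emails
              if not e.lower().endswith("@" + internal_domain)]
    if guests and not tpl.guests_allowed:
        raise ValueError(f"{template_key!r} teams block external access: {guests}")
    team = {"displayName": tpl.prefix + name, "privacy": tpl.privacy,
            "guests": guests}
    if tpl.expiration_days is not None:
        expires = created + timedelta(days=tpl.expiration_days)
        team["expires"] = expires
        team["notify_owners_on"] = [expires - timedelta(days=d)
                                    for d in NOTIFY_BEFORE]
        # Assumes the team is deleted on the expiration date itself.
        team["restore_deadline"] = expires + timedelta(days=RESTORE_WINDOW)
    return team
```

A request that violates its template (for example an external address on a department team) is rejected before anything is created, which self-service creation cannot guarantee.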

About the author 

Mark Jones

Collab365 Founder helping people learn Microsoft 365 via these:

👉 Collab365 Summits - Massive virtual conferences for Microsoft products
👉 Collab365 Today - Aggregation site for the best community blogs
👉 Collab365 Community - Huge blog site including plenty of Microsoft content

I want to provide a friendly online community, where we can learn and grow together:

👉 365ers - coming very soon!