Teams Governance Settings:
Balance Collaboration and Risk

Microsoft Teams is an incredibly powerful tool that enables efficient collaboration and information access across an organization. That said, a remarkable number of customers that we work with struggle to manage and secure it the way that they would like to.

Much of the time, Teams was enabled during the pandemic to try to help employees work more effectively remotely, but it was deployed without much planning or training. As a result, Teams access is often over-permissioned while also being under-adopted and under-governed. Features like guest access and third-party app access are often unrestricted, and the usage of Teams and channels is inconsistent. Conversely, Teams loses a lot of value if it is over-restricted, so finding a balance that is right for your organization is critical.

Teams governance overall is a huge topic. Organizations need to establish some norms and policies regarding how Teams should be used, and there are hundreds of settings in the application. In this blog, I’ll address seven of the most common recommendations we give to customers to help them start getting Teams back on track. These settings will help to address common risks from Teams sprawl and overprovisioned access while allowing most of the collaboration features to be available to employees.

7 Most Common Recommendations 

Limit Who Can Create a Team

Limiting who can create a Team helps prevent Teams sprawl and allows those who are authorized to help ensure Teams and Channels are being used appropriately, and standards can be followed regarding Teams naming and ownership.

  • Make sure to have a defined process for people to request a new Team. Service Desk tickets, Forms, or a Power App are commonly used to receive and route requests.
 
  • Restricting Team creation also restricts Office 365 group creation, so make sure to identify any other group creation workflows before applying this restriction. For more information, check out Manage who can create Microsoft 365 Groups.

Create and Publish a Teams Naming Standard

Having a naming standard helps to set some organizational norms and makes it easier for employees to understand what to expect and how to interpret Team names.

 
  • In many cases, however, Microsoft’s Group Naming Policy is not as robust as one might want. If it is too limiting, the organization should still deploy a naming standard. Standard prefixes or suffixes can make it easier to determine the type of Team and its use.

Create and Enforce a Standard Taxonomy for Teams and Channels

Establishing a standard taxonomy will help make Teams easier to navigate and encourage employees to use Teams and Channels in a similar way across business units and departments. Have a bias toward Channels. Only create a Team if a Channel in an existing Team won’t do the job. A Team is mostly just a group of Channels, so fewer Teams and more Channels is usually the right approach.

  • Public vs Private Teams: Most Teams are Private, meaning that members need to be invited by the owner, and the onus is on the owner to ensure that only the right staff (or guests) have access. Public Teams can be seen and joined by anyone in the organization, so they are good for employee engagement and other purposes where confidentiality is not a concern.
 
  • Standard vs Private Channels in a Team: Standard channels can be seen and accessed by everyone on the Team. Private channels have a separate membership list so you can hide a channel from everyone in the Team, but allow selected members access as needed. (Often managers in a group have a private channel to discuss confidential topics or share sensitive files not meant for everyone.)
 
  • Here is a sample taxonomy that you can build on:
    • Departmental Teams
      • Use instead of traditional departmental file shares and email distribution lists.
      • Collaborate in channels by subject matter area combining channel chats, files, and relevant apps.
      • Use channel files in a similar way to subdirectories in a departmental file share.
      • The OneDrive client will allow staff to sync relevant file libraries to Windows Explorer or iOS/Android devices.
      • Membership can be managed by using existing Entra ID groups.
    • Project Teams
      • Use for collaboration on internal or external projects.
      • Centralize all project information, files, discussions, and decisions in the Team to minimize document versions, emails, and other disparate data locations.
      • Use a channel per subject matter area—if some channels need to have more limited access than the entire team, use a private channel with a separate membership list.
      • Guest access can be configured to allow collaboration with external vendors and access to common workspaces and files.
    • Cross-Functional Teams
      • Internal working groups or committees (Compliance, Security, Standards & Practices, etc.).
      • Employee interest groups (Wellness, Special Events, etc.).
      • Centers of Excellence: Create Teams to document training, employee development, and discussion groups for ongoing initiatives (Teams Adoption, Regulatory Subject Matter Expertise, AI Initiatives, etc.).

Set an Expiration Policy for Dormant Teams

Dormant or unused Teams contribute to sprawl and add risk if they are not managed properly. Expiration policies take effect after the configured amount of time. If a Team isn’t accessed for that period, the Team owner receives a notification 30 days, 15 days, and 1 day before the team’s expiration date. When the team owner receives the notification, they can click Renew Now in the notification to renew the Team.

  • If any user is active in the Team (i.e., posts a message, accesses a file, etc.) the renewal cycle is restarted from the beginning. The owners of frequently used Teams will never see anything regarding expiration.
 

Establish a Team Decommissioning or Archival Process

For Teams that have reached the end of their lifecycle, it is a good idea to have a process established to either archive or delete the Team. Often an organization will want to save documents related to a project, but not chat content or other transient information captured in Teams. This archival and deletion can be an administrative process, or you can allow the Team owner to archive a Team themselves.

  • Consider adding a Teams decommission or archival step to your project close-out process.
 

Restrict Third-Party Teams Apps

Teams apps are a great way to extend the Teams client as the one-stop-shop for processes and information access, but it is important to vet the third-party (non-Microsoft) apps available in Teams before allowing their use. All Teams apps are available to users by default, so I often advise customers to restrict access to only the Microsoft apps, and then vet and publish the third-party apps as needed to either everyone or just the user groups that will use them.

Review and Update Teams Guest Access Settings

Guest access in Teams can be a bit complex, as guest capabilities are determined by the result of several policies working together across Entra ID, Microsoft 365 groups, SharePoint, and Teams. This combination gives you a lot of flexibility but can also introduce unintended consequences.

  • It is important to create a Teams guest access document that defines what guests are allowed (or not allowed) to do. That should be used as a guide to configure the various policies and settings to provide that level of access.
 
  • A top-down approach can be used, starting with Entra ID external collaboration policies, and working down through to the Teams-specific settings. This document outlines the steps concisely: Collaborate with guests in a team (IT Admins).

Define Your Teams Governance Plan

Hopefully these recommendations help to start defining what your overall Teams governance plan will look like. As mentioned above, Teams governance can be a significant effort, and there are many more considerations that should be made to build a well-governed and effective Teams environment. 

We Can Help!

We help our clients with Teams Governance and Security all the time! Click Here if you’re interested in learning more about our Teams Governance WorkshopIf you have questions or would like some help with Teams governance in general, please reach out to info@eGroup-us.com or complete the form below. 

Need Assistance with Teams Governance?

Contact our team today to schedule a call with one of our experts.

Last updated on July 10th, 2024 at 11:24 am