Back to previous page

Microsoft Teams Governance

Governance is not about limiting freedom. The point is to be able to manage Teams while removing chaos and sprawl so users can work in a compliant fashion that does not affect their day to day productivity. This blogs walks you with various controls available to better govern Microsoft Teams. 

You need to remember that Microsoft Teams is built on top of Office365 Groups. So, Microsoft Teams uses the Office365 Group settings and policies in the background. 

Some of the Teams governance controls discussed in this blog are

  • Restrict Office 365 Group Creation to set of users
  • Office 365 Group Expiration Policy
  • Check for Teams without Owners
  • Check for inactive Teams
  • Guest Access in Teams
  • Teams Classifications
  • Retention Policy
  • New Teams Admin Roles
  • Office 365 Group Naming Policy
  • Show Teams in GAL

Restrict Office 365 Group Creation to set of users

By default, all the users in your Office365 tenant can create Microsoft Teams. According to your organisation needs you can restrict the Teams creation permission to set of users say Full Time Employees or Managers using Dynamics Office groups. This feature requires Azure AD P1 license. 

Refer here for more details.

Now we have provided the users with permission to create Teams. How you can monitor whether the Teams created is used or it is just dormant?. Below are the ways to control it.

  1. Set Office365 Group Expiration Policy
  2. Check for Teams without Owners
  3. Check for inactive Teams

Office 365 Group Expiration Policy

You can set a default group expiration as 180 days. After 180 days, the Team owner will receive a notification that the Team is going to expire with an option to renew it. This feature requires Azure AD P1 license.

Groups – Expiration
Legal and COmpliance

Check for Teams without Owners

Always assign at least two owners for groups. There are two ways to do it. You can check from the Teams Admin Centre.

Teams Admin Centre

Or schedule the below script to return you the Teams without Owners regularly(weekly/monthly).

Check for inactive Teams

There is no direct way to check for inactive Teams. It is difficult to define inactivity universally, since there are Teams with conversations alone, Office365 Groups with SharePoint file activities or group conversations alone. There is a nice script available in TechNet, you can download and modify the script as per your need.

Guest Access in Teams

Now comes the important part. To enable guest access in Teams you need to first enable guest access in Azure AD, second on Office 365 Groups settings and finally on individual Teams. From the Teams admin centre, you can check the number of guest on each team. If you want a report of guests across each team, use the below script.


You can control the guest permissions on Teams meeting and messaging from the Teams Admin centre.
https://admin.teams.microsoft.com/company-wide-settings/guest-configuration

Teams Classifications

You may come across scenario, as an admin you might want to strict the guest access for few confidential projects. But can’t manually check on it in regular basis, in such scenarios Office365 Groups classification helps you. 

You can apply classification for Office365 Groups like Confidential, External, Internal etc. Adding a classification to Office365 Groups does not make any effect apart from showing it GUI. But once you classify groups, you can restrict the guest access, change the meeting policies etc according to the classification.

Below script helps you create classifications for Office365 Groups. By default classification list is empty, you need to create the list using powershell.

Once you set the classification list, it will be shown during Teams creation.

Create your team

Script to block guest access based on Teams classification.

Retention Policy

You can set the retention policies for Teams team conversations and chat messages.

Settings
Choose locations

For more information, check here

New Teams Admin Roles

Below are new Teams administrator roles added. For more information check here.

  • Teams Service Administrator: The overall Teams workload admin, who can manage Office365 Groups also.
  • Teams Communication Administrator: Can manage meeting and calling functionality in Teams.
  • Teams Communications Support Engineer: Access to advanced call analytics tool.
  • Teams Communications Support Specialist: Access to basic call analytics tool.

Office 365 Group Naming Policy

There are few organisations, where they need to follow strict naming conventions or avoid using list of words in the group name. Using Office365 Group Naming Policy, you can

  • Set format for group prefix and suffix
  • Create a list of blocked words which are not allowed in group names

For more information refer this Microsoft documentation.

Show Teams in GAL

By default, when you create a new team, the corresponding Office365 is not shown in Global Address List, if you want to show in SPO, Exchange and other places, you need to set HiddenFromAddressListsEnabled to True.

About the Author:

Narasima Perumal Chandramohan is a Co-Founder of JiJi Technologies, which specializes in project and process management. As a Microsoft Gold Certified Partner for 8 years, helps organizations better leverage Office365. Our brand Apps4.Pro won first place in Microsoft HackProductivity contest. He is also a Microsoft Office 365 MVP. You can contact me through LinkedIn.

Reference:

Chandramohan, N. (2019). Microsoft Teams Governance. Available at:
https://www.jijitechnologies.com/blogs/microsoft-teams-governance [Accessed 1st July 2019]

Share this on...

Leave a Reply

Back to previous page