Your One-Stop Shop to Good Teams Governance
Looking for advice on Teams governance? Welcome, you’ve come to the right place. Here, we list the core considerations, together with links to trusted resources for the all-important ‘how to’ bits.
A podcast hosted by two of our Microsoft MVPs (Most Valued Professionals) – Steve Goodman and Jason Wynn, inspired this blog. If you fancy listening in on their wit and wisdom, grab a coffee and join them: All About 365 Teams Governance.
And kudos to Steve Goodman for his input to this advice.
What does governance mean?
Governance in Microsoft Teams boils down to one fundamental objective: protecting your content by regulating what your users can and can’t do, whether that’s by encouraging correct behaviours or enforcing them.
Your organisation’s needs and the regulations applicable to your sector will influence the choices you make.
It’s essential to take a holistic view of governance in Teams; it’s more than controlling SharePoint and Microsoft 365 groups. Teams integrates with numerous different services, from identity services like Azure Active Directory and native applications like Microsoft Planner, to bots and third-party apps.
And with this big picture approach, you can begin looking at the tools you need to safeguard your content.
Useful Microsoft links
Governance quick start for Microsoft Teams
Microsoft Plan for governance in Teams
Microsoft Teams: A quick look under the bonnet
Microsoft Teams links tightly with other Office 365 cloud services, notably:
- Azure Active Directory – the identity service underpinning all Microsoft 365 services, and the foundations for user login, group management and device registration.
- Microsoft 365 Groups – groups are the link between users and the underlying services that tie teams together. All Team content, members, owners and guests are attached to a Microsoft 365 Group.
- Exchange Online – the foundation for compliance for many Microsoft 365 services, including Microsoft Teams. Exchange Online provides the storage capability for ensuring chats and channel conversations are retained. And for Teams users, it gives the calendaring functionality essential for booking meetings.
- SharePoint Online – every Team includes a SharePoint Site Collection, which is attached to a Microsoft 365 group. Files in Teams are stored in SharePoint Online. Newer Teams functionality like Microsoft Lists also rely on SharePoint, as do capabilities like sharing and collaboration in documents.
The importance of Microsoft 365 Groups can’t be overstated. As well as the providing the bedrock for file sharing in Teams and management of Group Members, Microsoft 365 Groups equip Teams with superpowers in other Microsoft 365 services.
Want to add Planner, Stream, Microsoft Forms, Power BI or Microsoft Lists to your Team? Microsoft 365 Groups ensure the permissions stay consistent.
Useful Microsoft links
Welcome to Microsoft Teams (for admins)
Manage teams in the Microsoft Teams admin center
Microsoft Teams IT architecture and telephony solutions posters
Approaching governance
Above all, keep it simple. Your governance wrap should align with the needs of your business, so start with those needs and layer controls when necessary.
Make it possible for people in your business to accomplish what they need, and limit what they can do only when necessary. This approach has to beat locking everything down.
If you restrict things too much or introduce abrasion points, they’ll find ways of getting around things. By this point, you’ve already lost the battle.
And it’s equally important to keep things simple for your organisation. So, let the technology do the work; you can subtly control an immense amount from the backend, without annoying your users.
And here’s a bonus tip; if you’re considering a pilot of Teams, don’t confine it to your IT department. Your IT team’s agenda will be different from your users. Get a cross-section of people from across your business; involve them and listen to their views. Their perspectives, pain points and potential use-cases will better reflect what your business needs to succeed. And this will help you paint a picture of ‘what’s in it for me?’ when you launch Teams company-wide.
Core governance considerations
Ownership and accountability
Humans make mistakes; fact. Implementing every control available will not prevent them. So, when things do go wrong – let’s say someone shares content with the wrong person, who should be accountable?
Everything that happens inside Teams can be traced in its history, meaning those who slip up are easily identifiable. But indulging in blame games is a waste of everyone’s time. Instead, provide your user base with cheat sheets and tips, so they understand the right ways to use the tooling rather than discovering best-practices for themselves.
And as an IT pro, instead of policing your users, wrap the appropriate controls around your organisation’s data to minimise egress. Use Microsoft 365 capabilities to provide guide rails for the right behaviours.
Useful Microsoft links
Getting Started with Securing Microsoft Teams
Set up and manage channel moderation in Microsoft Teams
Provisioning
Self-provisioning is a tricky balance for organisations; the modern workplace is about empowering people to do their jobs. Teams sprawl can happen when users create Teams at will, creating disorder and a content wild west.
And broadly speaking, when IT ‘gets in the way’, employees will circumvent the system, creating shadow IT.
Unless your organisation is small, it’s impractical to funnel Team creation requests to IT; this will only create bottlenecks.
It comes down to guidance. For example, questions your users should ask themselves before creating a Team, such as:
- Have I checked if a similar Team exists?
- Do I already have content that can be promoted into a Team, such as in SharePoint or Planner?
- What’s the expected lifespan of this Team?
- Would adding a new channel to an existing Team be more practical?
To aid the process, you can set up a custom provisioning engine for guiding your users towards the right decisions.
Useful Microsoft links
Best practices for organizing teams in Microsoft Teams
Automate teams provisioning with the Request-a-team app template
Teams naming conventions
This is basic Microsoft Teams best practice; a consistent approach to naming Teams so they’re sufficiently descriptive and professional. For good governance, nail this early. But it’s not too late if you didn’t put this in place when you should; Teams are easily re-named.
And you can set up restrictions; for example, by limiting the creation of Teams to managers, and blacklisting profanities.
If you’re going to enable naming conventions, keep them simple. Adding a prefix to Team (and Microsoft 365 Group) names will make it harder to read Teams in the Teams client – so consider a suffix and keep it short.
Useful Microsoft link
Microsoft Teams Naming Conventions
Third-Party apps
Is your business comfortable with the use of third-party apps, or do you want to insist on the use of native Microsoft apps only? Or is a middle ground appropriate; bar some (e.g. Dropbox) but broadly speaking, give your users the flexibility to choose.
There are ways of controlling which apps your users can select. You can block or allow applications at the organisation level. And you can enable and even automatically install and pin applications to Teams clients.
Useful Microsoft link
Manage your apps in the Microsoft Teams admin center
Licensing
Review your Microsoft licence plan. What security and compliance capabilities are already included? Are you leveraging them for Microsoft Teams?
To mitigate the risks to your content in Teams and SharePoint, do you need to consider an alternative licence plan?
Useful Microsoft links
Find the right Microsoft Teams for your business
Microsoft Teams add-on licenses
The right tool for the job
A Team is ideal for rapid, closed conversations with large groups, and to some extent great for wider communication, using features like company-wide Teams. But a Team isn’t always the right place for everything.
For larger organisations, especially, Yammer works superbly well for open, collaborative conversations. For example, if you’re creating a group of 5,000 people, it’s too many for the rapid collaboration Teams is designed for. Look at a Yammer community instead. And tip; the Yammer Communities app in Teams makes it easy to balance Teams with Yammer in one app.
A common mistake is creating a SharePoint site first, then bringing it into one of your Teams. This can drive Teams sprawl when users create Teams to gain access to somewhere to store files.
If your users are self-provisioning, provide them with top tips and guidance on what your organisation prefers for various scenarios.
Useful links
Content and Code, a Content+Cloud company’s Microsoft Teams FAQs (including what’s the right tool to use when).
Microsoft Use the Yammer Communities app for Microsoft Teams
Cyber security
It’s imperative you involve your security officer or cyber team when you plan Teams governance. They will help you determine things like:
- What regulatory controls do you need to implement in Microsoft 365 before you can launch Teams?
- Defining classifications for the information you’ll contain in Teams and their associated Microsoft 365 groups. You can apply labelling at the Team level or file level.
- Understanding what types of data must be protected using Data Loss Prevention functionality both in Teams and the wider Microsoft 365 suite. (e.g. sensitive or high-value information – IP, product designs, National Insurance numbers, credit card details).
- Who, where and how Teams is accessed – these will drive your configuration of aspects such as Conditional Access policies.
Above all, your security colleagues are there to sign-off on how, from an operational standpoint, your organisation will use Teams and that the necessary measures are there to prevent data loss.
Useful Microsoft links
Microsoft 365 compliance center
Getting Started with Securing Microsoft Teams
Information protection in Teams
Exchange Online
Do you want the pre-existing DLP (data loss prevention) policies applied to Exchange Online to carry over to Microsoft Teams, or do you need to consider different DLP policies in Microsoft Teams?
Useful Microsoft link
How Exchange and Microsoft Teams interact
Data lifecycles – retention periods and expiration dates
Data retention is a biggie. There may be regulatory requirements for this, or your legal counsel’s or Data Protection Officer’s recommendations.
How long do you need to retain data for and – equally importantly, what process will you have for deletion come the expiration dates?
And don’t confine your thinking to files. Consider the information inside Teams chats and the consequences of, say, an ostensibly informal conversation becoming public knowledge a few years later.
Make the wrong decisions now, and you could potentially be putting your organisation at risk further down the line.
Once you’ve made your decisions, you can classify your data and apply labels to it, to automate the retention and deletion process.
Useful Microsoft links
Retention policies in Microsoft Teams
How to use Microsoft Teams classification
Sensitivity labels for Microsoft Teams
Using Sensitivity labels with Microsoft Teams, O365 Groups and SharePoint Online sites
eDiscovery
Electronic discovery, or eDiscovery, is the electronic aspect of identifying, collecting and producing electronically stored information (ESI) in response to a request for production in a lawsuit or investigation.
How do you want to manage this in Teams?
Useful Microsoft links
Conduct an eDiscovery investigation of content in Microsoft Teams
Meetings
Depending on your organisation and the sector you operate in, there may be a need to record all meetings.
Or perhaps you have justification for using a third-party solution for meetings. What users (including guests) can and can’t do around scheduling and recording Teams meetings is an essential consideration for good governance.
Useful Microsoft link
Manage meeting settings in Microsoft Teams
Guest access
It makes sense to have a policy on guests, and it needn’t be complicated. Who can invite guests, what will they have access to, and what restrictions should apply to them? You can set these things at a global level, in the Microsoft Teams Admin Center.
Another thing worth considering for guests is the use of MFA (multi-factor authentication).
Useful Microsoft Links
Collaborate with guests in a team
Guest Accounts require MFA? – Microsoft Partner Community
Tutorial: Enforce multi-factor authentication for B2B guest users
Manage teams in the Microsoft Teams admin center
Information rights management (IRM)
How do you ensure that only the right people have access to sensitive information in Teams, and prevent actions such as forwarding to their private email, sharing externally, editing, copying and so on?
Useful Microsoft link
Apply Information Rights Management to a list or library [in SharePoint]
Technologies to help Teams governance
Office 365 ATP (Advanced Threat Protection)
When moving to Teams, you’ll find that a lot of the information that traditionally resided in emails now lives in Teams and SharePoint.
Using ATP with Teams enables you to bring advanced functionality typically only available for email. For example, protection against zero-day threats in files and phishing links to the broader Office suite.
While legacy solutions for email protection are likely to limit your adoption of Teams, using Office 365 ATP gives you:
- real-time link click protection against Teams messages and;
- inside Office documents and;
- protects files shared over SharePoint Online and OneDrive.
Useful Microsoft link
ATP for SharePoint, OneDrive, and Microsoft Teams
DLP (Data Loss Protection)
One of the great things about DLP is that it stretches across your entire organisation; namely, everything that’s inside Office 365, including Teams. So long as you apply the same user profiles, you’re not reinventing the wheel every time.
And equally, you don’t want multiple touchpoints in your administration; you want a single approach for everyone. This way, anything that goes into your SharePoint site behind Teams is held with the same DLP.
And DLP will scan your content for things like credit card details and NI numbers.
Useful Microsoft link
Data loss prevention and Microsoft Teams
Azure AD (Azure Active Directory)
Teams leverages identities stored in your Azure Active Directory.
Useful Microsoft link
Azure Active Directory Overview
How to govern successfully
The trick is pulling this lot together and getting the technical work that underpins your governance right. We’re here to help you succeed. As a Microsoft Gold partner with a clutch of awards and decades of experience, we’ve got your back. For help with any element of Microsoft Teams governance, you’re welcome to contact us here.
Learn more about good governance at Digital Revolution Live 2020
If you found this helpful, then you won’t want to miss our online two-day Digital Revolution Live event in November. This free event includes a session called Getting a handle on governance for Microsoft SharePoint and Teams on day one, 10 November.
To join us, please register here. We look forward to welcoming you, and happy governing.
