Governance is often seen as control or restriction. However, with new platforms like Microsoft Teams, governance should be less about shadow IT and more about user empowerment, with the necessary balance of business control and security. When creating a governance strategy, it's important to consider and discuss the following questions:
In this three-part blog series about Microsoft Teams I will cover sharing in Office 365, and Microsoft Teams in particular, from different perspectives: user, administrator and advisor.
As IT professionals we need to think of all the roles in the organisation that can be impacted when creating a governance strategy.
Data classification is the process of consistently categorizing data based on specific, pre-defined criteria so that the data can be protected efficiently and effectively. Classification can be driven by governance, company compliance, regulation (e.g. PCI, GDPR) or protection of intellectual property (IP). A Data Classification Scheme is not strictly necessary for Microsoft Teams governance, but as we will see Teams is part of the Office 365 ecosystem, and if you want security and compliance for your data in Office 365 (and Azure) you will need, at least as a starting point, some categories to classify your data. PWC recommends starting with just three categories. Starting with three can dramatically simplify getting the project off the ground. If more are needed after deployment, the decision will be driven by data, not speculation.
If you don’t know what you have (data), where it is, and why you have it, you can’t expect to apply the appropriate policies and controls to protect it. For example, you cannot use Office 365 Sensitivity labels to assign different levels of confidentiality to documents.
Microsoft has a Preview service in the Security and Compliance Centre for data classification:
Now that we understand some of the background information for data governance, let's look at Microsoft Teams. As you are likely aware, Microsoft Teams relies on other Office 365 services, and when you create a Microsoft Teams team you automatically get a number of other applications, namely a SharePoint site, a OneNote notebook, a Planner plan, a shared mailbox and a calendar. More importantly, all these services share an underlying Office 365 group (now called Microsoft 365 Groups) whose membership is shared across those applications.
The main point here is that to govern Microsoft Teams you need to govern Microsoft 365 Groups. Refer to Part 2 for more details on Microsoft 365 Groups (previously known as Office 365 Groups). Depending on your company's policies and the maturity level of the organisation, you might want to take a more or less open approach to group creation. Disabling the ability to create Microsoft 365 Groups could be too restrictive and could impact collaboration and engagement. On the other end of the spectrum, allowing every user to create a group or Team could quickly lead to sprawl if you don't have the right training and policies in place.
You could take a midway approach by allowing only specific users to create groups, maybe using dynamic membership matching a specific user attribute (e.g. manager). To limit creation to specific users:
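One way to apply this restriction from PowerShell, as an added example that is not part of the original post. It assumes the AzureADPreview module and an admin sign-in; `Teams-Creators` is a placeholder name for your own security group.

```powershell
# Added example: allow only members of one security group to create
# Microsoft 365 Groups (and therefore Teams). Requires AzureADPreview.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$allowedGroupName = 'Teams-Creators'   # placeholder: your own security group

# Resolve the group first, so a typo cannot disable creation for everyone
# while leaving the allow-list empty or pointing at the wrong group.
$allowedGroup = @(Get-AzureADGroup -SearchString $allowedGroupName |
    Where-Object { $_.DisplayName -eq $allowedGroupName })
if ($allowedGroup.Count -ne 1) {
    throw "Expected exactly one group named '$allowedGroupName', found $($allowedGroup.Count)."
}

# Tenant-wide group settings are stored in a directory setting built from the
# 'Group.Unified' template. Create it if the tenant has never customised it.
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

# Turn creation off for everyone, then allow the resolved group only.
$setting['EnableGroupCreation']         = 'False'
$setting['GroupCreationAllowedGroupId'] = $allowedGroup[0].ObjectId
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Read the values back to confirm what is now enforced.
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId' }
```

Setting `EnableGroupCreation` back to `'True'` and clearing `GroupCreationAllowedGroupId` reverts the tenant to open creation.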
There are of course other solutions that allow users to request the creation of a new Group/Team via an approval process. These could be developed in-house or provided by third-party tools. Governance for Microsoft Teams can be summarised in the following pillars:
Provisioning can be implemented to some extent with out-of-the-box tools, depending on the requirements. The Operational part is about the available functionalities and how they are provided to different types of users (think meeting capabilities and guest access), but it also includes how information in Microsoft Teams is structured, i.e. your information architecture and your guidelines to access it. The Information Lifecycle is about what happens to the content when a Team is deleted.
Who can create Teams: This is almost the equivalent of "Who can create groups?" because to create a Team you need permission to create a Microsoft 365 group.
Naming Policies: Naming Policies can be applied to Groups and let you specify a prefix or suffix for group names. It's also possible to upload a list of blocked words that cannot be used in group names. This feature requires Azure AD Premium P1.
Expiration and renewal: There is one policy that is easy to implement (it requires Azure AD Premium P1 though). It's in Azure AD -> Groups -> Expiration
Guest Access: We have covered this in Part 1 and Part 2. Additionally you could use Access Reviews in the Groups settings in Azure AD to request Group owners to regularly review Guests in their groups (requires Azure AD P2).
Another option that is related to Guest Access is the ability to allow anonymous users to join a meeting. This can be found in the "Meeting settings" in the Admin Centre.
Meetings capabilities: There are many policy settings that can be configured for Meetings in the Microsoft Teams Admin Centre, for example who can start and schedule meetings in a channel, what content can be shared in a meeting, and who can participate and how. A good practice before rolling out a policy is to target it at only a subset of users and test it. If you make any changes to the policy you might need to wait up to 24 hours before the policy takes effect.
Security and Compliance: Sensitivity Labels for Microsoft Teams are still in Preview at the time of writing, but they will let you configure privacy and external access. For example you could define that when a Team is created with a Confidential sensitivity label, external sharing for that Team is not permitted.
Admin Centre: The Admin Centre is certainly the main entry point for managing Microsoft Teams, where all the different policies can be configured for meetings, messaging and apps (for example pinning core features or approved apps). External and guest access settings are also found here (see Part 2 for details about external access).
If you are at the beginning of your Teams journey, the Microsoft Teams Advisor in the Admin Centre is a good guide for your next required steps.
Analytics and Monitoring can provide some insights about Teams usage, user activity, live events, devices and calls. This can also be extended using Power BI to gain more powerful insights.
For the core admin there is even the Admin Centre mobile app, where you can do basic actions like assigning licenses or resetting a user's password.
That was the easy part. It becomes a bit more tricky when dealing with the deletion of Teams. After a Team is deleted, all the underlying group content is retained for 30 days, and after that it is permanently deleted. Let's see what we need to consider:
Unfortunately there aren't yet out-of-the-box tools to manage the lifecycle of the different types of content in Microsoft Teams.
One option would be to use Retention Policies, but these apply only to chat and channel messages, and even then they have some limitations, and private channels are not supported yet. To manage the whole lifecycle, for the moment we need to create in-house processes or resort to third-party tools.
Governance is not a set-and-forget document. It keeps evolving because new features are constantly rolled out, and they need to be governed (think of Tags, recently released). Governance doesn't have to be complicated either. In fact, starting with simple steps can help get it off the ground and make it effective from the beginning.