Microsoft Teams Tech Blog Part 3: Governance

Michele Casazza
24.05.20 15:54

Governance is often seen as control or restriction; however, with new platforms like Microsoft Teams, governance should be less about shadow IT and more about user empowerment, balanced with the necessary business control and security. When creating a governance strategy, it's important to consider and discuss the following questions:

  • Why are we doing this?
  • What are the desired outcomes?
  • Which tools will we use?
  • Where do we apply controls?
  • Who is responsible?
  • When are we doing this?


In this three-part blog series about Microsoft Teams I cover sharing in Office 365, and in Microsoft Teams in particular, from different perspectives: user, administrator and advisor.

  1. Part 1: Microsoft Office 365 Sharing Model
  2. Part 2: Sharing Model and Guest Access
  3. Part 3: Microsoft Teams Governance

Roles and their needs:

As IT professionals we need to think of all the roles in the organisation that can be impacted when creating a governance strategy.

  • Business: Accomplish business goals as simply as possible – if it’s too hard, find an easier way
  • Employee: Get out of my way; Make it easy for me to get my work done fast; Let me share easily, but protect my secret stuff
  • Security officer: Prevent data leaks and breaches; Protect high value information
  • Legal: Comply with retention; Support eDiscovery


Do you have a Data classification scheme?

Data classification is a process of consistently categorizing data based on specific, pre-defined criteria so that the data can be efficiently and effectively protected. Classification can be driven by governance, company compliance, regulation (e.g. PCI, GDPR) or protection of intellectual property (IP). A data classification scheme is not strictly necessary for Microsoft Teams governance, but as we will see Teams is part of the Office 365 ecosystem, and if you want your data in Office 365 (and Azure) to be secure and compliant you will need, at least as a starting point, some categories to classify your data. PWC recommends starting with just three categories. Starting with three can dramatically simplify getting the project off the ground. If more are needed after deployment, the decision will be driven by data, not speculation.

If you don't know what data you have, where it is, and why you have it, you can't expect to apply the appropriate policies and controls to protect it. For example, you cannot use Office 365 Sensitivity labels to assign different levels of confidentiality to documents.

Microsoft has a Preview service in the Security and Compliance Centre for data classification:

Microsoft Data Classification Preview Service

Now that we understand some of the background for data governance, let's look at Microsoft Teams. As you are likely aware, Microsoft Teams relies on other Office 365 services, and when you create a Microsoft Teams team you automatically get a number of other applications, namely a SharePoint site, a OneNote notebook, a Planner plan, and a shared mailbox and calendar. More importantly, all these services share an underlying Office 365 group (now called a Microsoft 365 Group) whose membership is shared across those applications.

Microsoft 365 Unique Workstyle of every Group

The main point here is that to govern Microsoft Teams you need to govern Microsoft 365 Groups. Refer to Part 2 for more details on Microsoft 365 Groups (previously known as Office 365 Groups). Based on your company's policies and the maturity level of the organisation, you might want to take a more or less open approach to group creation. Disabling the ability to create Microsoft 365 Groups could be too restrictive and could impact collaboration and engagement. At the other end of the spectrum, allowing every user to create a group or Team could quickly lead to sprawl if you don't have the right training and policies in place.

You could take a midway approach by allowing only specific users to create groups, perhaps using dynamic membership matching a specific user attribute (e.g. manager). To limit creation to specific users:

  1. Create a security or dynamic group in Azure AD
  2. Disable group creation globally
  3. Enable group creation for the specific group

There are of course other solutions that allow users to request the creation of a new Group/Team via an approval process. These could be developed in-house or provided by third-party tools. Governance for Microsoft Teams can be summarised in the following pillars:

Governance pillars in Microsoft Teams

Provisioning can be implemented to some extent with out-of-the-box tools, depending on the requirements. The operational part is about the available functionalities and how they are provided to different types of users (think meeting capabilities or guest access), but it also includes how information in Microsoft Teams is structured, i.e. your information architecture and your guidelines for accessing it. The information lifecycle is about what happens to the content when a Team is deleted.

Let's look at some of the provisioning and operational options.

Who can create Teams: This is almost the equivalent of "Who can create groups?" because to create a Team you need permission to create a Microsoft 365 Group.

Naming Policies: Naming policies can be applied to Groups and allow you to specify a prefix or suffix for group names. It's also possible to upload a list of blocked words that cannot be used in group names. This feature requires Azure AD Premium P1.
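The three creation steps above and the naming policy are both stored in the same tenant-wide "Group.Unified" directory setting, so they can be applied together from PowerShell. The script below is an added example, not from the original post or from Microsoft; it assumes the AzureADPreview module, an Azure AD Premium P1 licence, and the constructed names "Teams Creators", the jobTitle-based membership rule, the prefix format and the blocked-word list.

```powershell
# Added example (not from the original post): restrict Microsoft 365 Group creation to
# members of one dynamic group and apply a naming policy, using the Group.Unified setting.
# Assumes the AzureADPreview module; group name, membership rule, prefix and blocked words
# are constructed values for illustration.

Connect-AzureAD

# Step 1: a dynamic security group whose members are allowed to create groups.
# Here, users whose jobTitle attribute equals "Manager" (assumed attribute value).
$creators = Get-AzureADMSGroup -Filter "displayName eq 'Teams Creators'"
if (-not $creators) {
    $creators = New-AzureADMSGroup -DisplayName "Teams Creators" `
        -MailEnabled $false -MailNickname "teamscreators" -SecurityEnabled $true `
        -GroupTypes "DynamicMembership" `
        -MembershipRule '(user.jobTitle -eq "Manager")' `
        -MembershipRuleProcessingState "On"
}

# Fetch the tenant's Group.Unified setting, creating it from the template if it
# has never been customised (a fresh tenant has no setting object yet).
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $setting  = New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting()
}
$setting = Get-AzureADDirectorySetting -Id $setting.Id

# Step 2: disable group creation globally ...
$setting["EnableGroupCreation"] = "False"
# Step 3: ... and re-enable it only for the creators group.
$setting["GroupCreationAllowedGroupId"] = $creators.Id

# Naming policy: fixed prefix, the creator's Department attribute, then the chosen name.
# [GroupName] is mandatory in the format string; [Department] is substituted per user.
$setting["PrefixSuffixNamingRequirement"] = "GRP-[Department]-[GroupName]"
# Comma-separated words that may not appear in a group name (constructed list).
$setting["CustomBlockedWordsList"] = "CEO,Payroll,Legal"

Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Verify what is now in effect before telling users about it.
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId",
                               "PrefixSuffixNamingRequirement", "CustomBlockedWordsList" }
```

Note that the restriction applies to every workload that creates Microsoft 365 Groups (Teams, Outlook, Planner, SharePoint), which is exactly the point made above: governing Teams means governing Groups. Global and user administrators are never blocked by this setting, so test with a regular account.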

Expiration and renewal: There is one policy that is easy to implement (it requires Azure AD Premium P1 though). It's in Azure AD -> Groups -> Expiration.

  • Group owners receive an email 30 days before the expiration with the option to renew the group. If the group doesn't have an owner, the email goes to the administrator.
  • Admins can restore a group up to 30 days after expiration

Guest Access: We have covered this in Part 1 and Part 2. Additionally, you could use Access Reviews in the Groups settings in Azure AD to ask group owners to regularly review the guests in their groups (requires Azure AD P2).
Another option related to guest access is the ability to allow anonymous users to join a meeting. This can be found under "Meeting settings" in the Admin Centre.

Governance questions in Microsoft Teams

Meetings capabilities: There are many policy settings that can be configured for meetings in the Microsoft Teams Admin Centre, for example who can start and schedule meetings in a channel, what content can be shared in a meeting, and who can participate and how. A good practice before rolling out a policy is to target it at only a subset of users and test it. If you make any changes to the policy you might need to wait up to 24 hours before the policy takes effect.

Security and Compliance: Sensitivity Labels for Microsoft Teams are still in Preview at the time of writing, but they will let you configure privacy and external access. For example you could define that when a Team is created with a Confidential sensitivity label, external sharing for that Team is not permitted.

Admin Centre: The Admin Centre is certainly the main entry point for managing Microsoft Teams, where all the different policies can be configured for meetings, messaging and apps (for example pinning core features or approved apps); external and guest access settings are also found here (see Part 2 for details about external access).
If you are at the beginning of your Teams journey, the Microsoft Teams Advisor in the Admin Centre is a good guide to your next required steps.

Analytics and monitoring can provide some insights into Teams usage, user activity, live events, devices and calls. This can also be extended using Power BI to gain more powerful insights.
For the core admin there is even the Admin Centre mobile app, where you can perform basic actions like assigning licences or resetting a user's password.

Information Lifecycle 

That was the easy part. It becomes trickier when dealing with the deletion of Teams. After a Team is deleted, all the underlying group content is retained for 30 days, after which it is permanently deleted. Let's see what we need to consider:

  • What happens to files? Do we copy them to a SharePoint archiving location? We'd need a trigger and a process for this; Power Automate or a Logic App could be an option.
  • Conversations: these are also records, and could be the equivalent of an email. They are stored in Exchange Online. Do they need to be retained?
  • What about other SharePoint content that is not files, e.g. lists and web parts?
  • Guests: even after a Team's content is permanently deleted, guests are still in Azure AD and can potentially still message users. Not a big deal, but they should also be reviewed and maybe deleted.
  • Stream videos such as meeting recordings get orphaned. Stream is probably the least integrated of the Office 365 services so far. Who owns this content? What happens to it?

Unfortunately there aren't yet out-of-the-box tools to manage the lifecycle of the different types of content in Microsoft Teams.

One option would be to use Retention Policies, but these apply only to chat and channel messages, and even then they have some limitations: private channels are not supported yet. To manage the whole lifecycle, for the moment we need to create in-house processes or resort to third-party tools.
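For the one part of the lifecycle that the platform does cover, a retention policy for chat and channel messages, the setting can be created from Security & Compliance PowerShell. This is an added example, not from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module, a compliance admin role, and the constructed policy name and 365-day duration.

```powershell
# Added example (not from the original post): retention policy for Teams chat and
# channel messages, keeping them for one year and then deleting them. Assumes the
# ExchangeOnlineManagement module; policy name and duration are constructed values.
# As the post notes, private channel messages are not covered by this location.

Connect-IPPSSession   # Security & Compliance PowerShell endpoint

$policyName = "Teams messages - keep 1 year"

# Teams locations need their own policy: they cannot be mixed with Exchange,
# SharePoint or OneDrive locations in the same retention policy.
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName `
        -TeamsChannelLocation All `
        -TeamsChatLocation All `
        -Enabled $true
}

# The rule carries the actual behaviour: retain for 365 days, then delete.
# Use -RetentionComplianceAction Keep if legal only needs retention, not deletion.
New-RetentionComplianceRule -Name "$policyName rule" `
    -Policy $policyName `
    -RetentionDuration 365 `
    -RetentionComplianceAction KeepAndDelete

# Confirm the locations and rollout status. Files, lists, Stream recordings and
# guest accounts are outside this policy and still need their own process.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, TeamsChannelLocation, TeamsChatLocation, DistributionStatus
```

Distribution to all locations can take some time, so check DistributionStatus again later rather than assuming the policy is in force immediately after creation.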

Governance is not a set-and-forget document; it evolves because new features are constantly rolled out and they need to be governed (think of Tags, recently released). Governance doesn't have to be complicated either; in fact, starting with simple steps can help get it off the ground and be effective from the beginning.

Start by creating a site for Governance where you:
  • Share information
  • Provide guidance
  • Set roles and responsibilities
  • List what can be done and what cannot