In an ideal world, organisations would have plenty of time to plan, trial and refine their Microsoft Teams deployments and get full control over them before opening them up for general use. However, 2020’s mad rush to support remote work, the impending end of Skype for Business, and a host of other business pressures have forced many enterprises into “deploy now; fix later” territory.
As a result, there are a whole lot of “Teams-gone-wild” situations keeping IT administrators, Governance and Compliance departments awake at night.
Thankfully, it’s absolutely possible to regain control of a Teams deployment and put the right administrative, security and governance measures in place. Here’s how you can get started.
Clamp down on administrative rights
Teams has three main levels of admin rights:
- Administrator – able to modify teams and define roles for other users.
- Owner – able to create, edit and delete teams, add members and change member permissions.
- Member – able to join teams, create channels and request new members be added.
The more users with the ability to create teams, the more difficult it is to avoid unrestrained growth and sprawl. Too few owner-level users can also be a problem (albeit to a lesser extent) by overly restricting the flexibility of the platform.
Finding the right balance of administrative rights is not a one-size-fits-all situation. It takes careful assessment of your organisational structure and preferred Teams usage patterns.
(If you’ve already been using Teams for a while, you can get great insights on your existing usage patterns via Teams analytics and reporting – more on that later.)
Set rules for the creation of new teams
If you really want to get control over Microsoft Teams sprawl, you need clear rules on when, why and how new teams can be created. Users need to understand the different roles of teams and channels, and when to opt for one over the other.
Again, these rules will vary depending on the size, structure and typical workflow of your organisation.
Pro tip: It’s possible to require admin approval for the creation of all new teams but, in our experience, the extra control is seldom worth the resulting bottlenecks and additional workload.
Create and enforce naming conventions
Regardless of how tightly you control the creation of teams, your deployment is going to grow over time – and that’s a good thing. It does, however, mean you need to put some thought into maintaining a logical structure and good usability down the line.
To this end, we highly recommend creating and enforcing Teams naming conventions.
Typically, names are defined by attributes like country, city, department name and/or team function to make it easier for users to find the right place for the right activity. This can be automated to some extent using Azure AD to apply predefined prefix-suffix naming policies and attributes, or block specific words from use. That said, manual implementation can be just as effective, or even better.
Be sure to explain your naming conventions to your Teams admins and owners, and document them (along with any standard abbreviations) for future reference.
Pro tip: If you really want to ensure team names conform to conventions, an app can be created using Microsoft Forms and Power Automate to guide users through the name creation process with complete consistency.
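An added example, not part of the original article or any Microsoft tooling: a local audit of existing team names against a prefix-suffix convention and blocked-word list, useful for sizing the clean-up before a policy is enforced. The policy template, attribute values, blocked words and sample names are all constructed, and the matching rules are this example's own simplification rather than Azure AD's exact behaviour.

```python
import re

# Everything below is constructed for illustration, not taken from a real tenant.
POLICY = "GRP_[Country]_[Department]_[GroupName]"   # prefix + attribute slots + name
ALLOWED = {"Country": {"ZA", "UK", "AU"}, "Department": {"FIN", "HR", "IT", "OPS"}}
BLOCKED_WORDS = {"ceo", "payroll", "test"}
SAMPLE = [
    "GRP_ZA_FIN_Month End Close",
    "Project X",
    "GRP_UK_MKT_Campaigns",
    "GRP_AU_HR_Payroll Queries",
    "GRP_ZA_IT_Contest Planning",
]


def compile_policy(policy):
    """Turn the bracketed template into a regex with one named group per slot."""
    pattern = ""
    for part in re.split(r"(\[[A-Za-z]+\])", policy):
        if part.startswith("["):
            slot = part[1:-1]
            # GroupName is free text; attribute slots may not contain the separator.
            pattern += f"(?P<{slot}>{'.+' if slot == 'GroupName' else '[^_]+'})"
        else:
            pattern += re.escape(part)
    return re.compile(pattern)


POLICY_RX = compile_policy(POLICY)


def audit_name(name):
    """Return the findings for one team name; an empty list means compliant."""
    m = POLICY_RX.fullmatch(name)
    if m is None:
        return ["does not match policy template"]
    findings = [f"unknown {slot} value: {m.group(slot)}"
                for slot, allowed in ALLOWED.items() if m.group(slot) not in allowed]
    # Whole-word, case-insensitive match, so "Contest" does not trip "test".
    words = re.findall(r"[a-z0-9]+", m.group("GroupName").lower())
    findings += [f"blocked word: {w}" for w in words if w in BLOCKED_WORDS]
    return findings


def audit(names):
    """Map each non-compliant name to its findings."""
    return {n: f for n in names if (f := audit_name(n))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```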
Clear out the clutter
Along with growth comes clutter – dormant teams that no longer add any value. Archiving these is a great way to clean house and streamline your users’ Teams experience.
We’d suggest setting rules for what constitutes an inactive team (e.g. number of dormant weeks/months) and assigning the job of archiving these to a responsible admin. (Teams’ analytics and reporting can be invaluable in identifying teams that meet the relevant criteria.)
Information and documents within archived teams are preserved for read-only access, and the teams can also be restored at any point if they become relevant once again.
Get rid of unwanted guests
Allowing external users to access Teams channels and content can be a very convenient way to collaborate with partners and clients. However, letting guests behind the curtain of your Teams deployment also introduces some serious security risks – you don’t want sensitive information falling into the wrong hands.
To prevent this, and get control over who can access your Microsoft Teams sites, you could disallow guest access altogether, or tailor the permissions granted to users outside your organisation, including:
- Whether they have access to all group content, or only that shared directly with them
- Whether they undergo authentication via sign-in and/or a verification code
Keep in mind, Guest Sharing will need to be enabled in your B2B external collaboration settings in Azure AD as well as in your SharePoint organisation- and site-level sharing settings if you want to allow guest access to Teams.
Put sensitivity labels to work
A convenient way to control Teams access (including that of guest users) and more is to use sensitivity labels configured in the Microsoft Compliance Centre.
These can be applied globally via the Sensitivity Labelling Wizard, or be selected by users from a drop-down menu when creating a new team. The applicable policies will then be enforced, end-to-end, using a combination of Microsoft 365 Groups, the Compliance Centre and Teams services.
Sensitivity labels can be used to:
- Set global Teams or team-specific privacy levels (e.g. public/private/org-wide)
- Limit who can add new members to a team
- Allow/prevent access from outside your organisation
- Restrict device access
- Prevent external sharing
Limit third-party app access
One of Teams’ greatest strengths is its ability to streamline employee workflows and expand their collaborative capabilities. A big part of this is its capacity to natively integrate third-party apps.
These apps can introduce security and compliance challenges, however. As such, it’s generally considered best practice to limit integrations to essential apps only. Approved apps can be configured in the Teams admin centre.
Remember: for compliance purposes it’s vital to know exactly what information third-party apps are accessing, and how their data is stored and handled.
Leverage your security & compliance settings
Third-party integrations aren’t the only thing Teams does well. It also seamlessly integrates with the broader Microsoft 365 environment, which makes some very useful security and compliance functionality available if you know where to look.
Everything from Advanced Threat Protection’s Safe Links and Safe Attachments to Azure AD’s Conditional Access and Mobile Device Management can be configured for Teams (licence dependent).
Don’t forget compliance features, either. These include:
- Data loss prevention policies to prevent sensitive information being shared in Teams chats, channels and documents.
- Retention policies to govern the lifespan of chat and channel messages.
- eDiscovery & Legal Hold to search/analyse/preserve Teams chats, files, meetings and call summaries for legal purposes.
- Auditing & Reporting to search event logs for specific activities relating to an incident, or set proactive alerts for specific events.
It’s not as simple as just switching this functionality on, however. Getting the full benefit means ensuring your global policies remain logical within the Teams context, and properly configuring custom settings and policies to close gaps where necessary.
That takes a thorough understanding not only of your organisation, but also its security and compliance obligations. A skilled technology partner with extensive security, governance and compliance expertise can be an invaluable time- and cost-saver in this process.
Monitor usage via Teams analytics & reporting
We’ve already mentioned a couple of ways in which the insights provided by Teams’ analytics and reporting can be helpful. It’s all about seeing current usage patterns so that you can tweak them to get where you want to be. (Teams reports can be anonymised to maintain privacy where necessary.)
Those tweaks could include reassigning user roles for more effective team creation and management, implementing training to improve adoption, archiving dormant teams, removing unnecessary apps, and clamping down on undesirable behaviour.
Essentially, Teams’ native analytics and reporting provides visibility into areas where governance could use fine-tuning, enabling organisations to achieve their own ideal balance of compliance, security and collaborative freedom.
Available Teams reports include:
- Teams Usage Report
- User activity Report
- Device usage report
- Live event usage report
- Teams PSTN blocked users report
- Teams PSTN minute pools report
- Teams PSTN usage report – Calling Plans
- Teams PSTN usage report – Direct Routing
Whipping an unruly Teams deployment into shape is certainly possible, but it’s not easy. There are a lot of potential pitfalls – and opportunities – that aren’t always obvious to the unpractised eye.
If you’d like a hand navigating this complex landscape, get in touch with Cloud Essentials. Our security, compliance, governance and implementation experts will ensure your Teams experience is everything it’s cracked up to be, and more.