Recently, Microsoft MVPs Jasper Oosterveld and Benjamin Niaulin hosted “You’ve deployed Teams, now what?”, where they sat down to chat all things Microsoft Teams. Offering an inside look into how people and teams have added Teams to their productivity stack over the last year, these experts also highlighted Teams tips that they think you can use moving forward.
Can you believe that less than 5 years ago, Microsoft Teams didn’t even exist? Today, there are nearly 250 million Teams users worldwide, many of whom weren’t even using it 12 months ago! And while we keep hearing about how many people are using Teams, this doesn’t necessarily mean they’re using it to its full potential.
During the live webinar (available on-demand!), our MVPs took inspiration from their own experience in the industry and questions directed to them by the audience, prompting a discussion around best practices, tips and tricks for more effective Teams management. The conversation generated deep insights into how people adopt and deploy Microsoft 365 and Teams, focusing on provisioning, security, customization, and architecture—the four main areas our expert panel thinks you should consider when planning how you’ll manage your Teams environment.
Best practices for Microsoft Teams provisioning
So, what is Teams provisioning, exactly?
Provisioning makes sure that what gets created in your Teams environment respects your (IT) governance policies and how you want technology to be used. For example, do you allow people to add external users if they are working on a confidential project? Provisioning also allows you to automate the application of settings given a specific context.
In a broader sense of the word, provisioning is creating new groups/teams in your Teams environment based on your users’ needs. It’s where companies can set out the exact type of information they want to know about the teams that are being created.
In the past, we’ve seen two different schools of thought around provisioning. One is the “classic” model, where users need to ask IT for permission or help with their creation of new teams. Requests are made through a form or an application, and IT grants permission to create a team. It’s the more controlled method.
Many organizations lean into this “locked down” version of Teams provisioning because they’re worried about sprawl.
Here’s a scenario many have seen: I create a team for marketing and call it “mktg-team.” You don’t know that it exists because you’re not used to my abbreviation, then you create another one and call it “marketing-dept”. Before you know it, we have, like, five marketing teams.
“I’m really pro self-service,” says Jasper. “But unfortunately, for most organizations, that’s just a little bit too much and too advanced initially.”
With Microsoft Teams, self-service means letting business users interact with the application directly and create what they need:
- Provision their own teams directly in the application
- Share files and documents with whoever they want, whenever they want
- Invite guests and external collaborators as needed
Self-service provisioning comes with risks and requires strong governance decisions to be controllable. However, by putting in the effort to set good guidelines, self-service can come with a lot of flexibility and power for both users and IT admins who are looking to create scalable processes that don’t require as much manual work on both the approval and creation end of things.
What are the advantages of building a provisioning process?
Provisioning sets the stage for IT teams to scale and maintain an organized and productive Teams environment. It can guide and automate the creation process, helping to define collaboration and classification settings to keep sensitive data secure and avoid the duplication of teams.
With provisioning, you can:
- Set and apply more governance requirements (e.g. naming conventions)
- Provide a more user-friendly experience (e.g. requests and team creation within a couple of clicks)
- Integrate corporate branding in digital request forms
- Control the flow of the number of teams created by your end-users
This last point is becoming increasingly relevant. We’ve seen a 21.5% increase in the creation of groups among our customers in a six-month period.
What are the challenges of implementing a provisioning process?
- Requires licenses from third-party vendors
- Requires development expertise to build and maintain your own provisioning solution
- Less freedom for the business users
- In a distributed workplace, an IT-led provisioning model can be tough to manage at scale. A successful IT modernization strategy should incorporate as much self-service as possible to minimize friction.
What are Jasper’s recommendations when it comes to provisioning?
- Review your business requirements for the governance of Microsoft Teams
- Review the IT maturity of your business users
- Self-service is preferred
- Review the options with Microsoft Teams templates in combination with sensitivity labels
Best practices for Microsoft Teams security
How can organizations keep Teams secure while still letting users do their jobs? According to Jasper, it is that mindset of self-service.
Enabling self-service doesn’t mean a free-for-all; you can still put restrictions in place to keep your environment organized (like making sure users adhere to naming conventions, for example) and prevent sprawl. You can also manage user access with continuous verification using such technologies as multi-factor authentication (MFA).
In our recent customer insights survey, we asked ShareGate users if they have MFA enabled in their organization—86.2% of respondents answered yes. So, we recommend that you go and enable MFA if you haven’t already! Sure, it can be an annoying extra step in your log-in process, but it’s a high-level shortcut that keeps your data secure.
We also learned from our report that 67.2% of respondents allow users to use their personal devices. Of course, there’s no surprise there. It’s 2021 and people want to use their device to check their email, and maybe use the SharePoint app and Teams app. You’ll need to have measures in place to facilitate that use while making sure it’s secure.
Central to security is external collaboration. In our user survey, 67.2% of respondents said they have guest and external sharing enabled in their Microsoft 365 environment.
You have different levels of access in the external sharing settings. As for which external sharing setting is commonly used among organizations, the results show that external guests have to sign in or provide a verification code.
How do you make sure that the right people have the right access?
Once again, it starts from a provisioning point of view, where you determine who will be the team’s owners. Most of Jasper’s business customers grant the owner status to people within their organizations. By assigning team ownership, you ensure there’s always someone accountable for every team in your tenant. We recommend having a minimum of 2 owners per team so that responsibilities are shared and covered.
These points should be addressed through adoption and change management strategies, where you can also create awareness by asking questions like:
- What are your responsibilities as an owner?
- What are some of the settings you’re allowed to change?
- What are some actions you can take?
At least 90-95% of customers have guest access enabled because every organization, especially those in IT, knows that if it’s turned off, employees will find a different way to do what they need to do. This is what we call shadow IT.
What is shadow IT?
Shadow IT is the use of information technology systems, devices, software, applications, and services outside the scope and supervision of an organization’s approved IT system.
Examples include employee use of:
- USB flash drives or other personal data storage devices
- Unapproved productivity apps like Trello, Slack, or Asana
- Unapproved cloud storage like Dropbox or Google Drive
- Unapproved messaging apps like Facebook Messenger, Snapchat, or WhatsApp
Employees engage in shadow IT because they are facing friction with the tools they’re using and know what’s available to them on “the outside.” In short, they want to work more effectively.
Not all shadow IT is inherently dangerous, but features like file sharing and storage or digital document collaboration make your organization especially vulnerable to sensitive data leaks.
What are Jasper’s recommendations for better Teams security?
- Implement these security features ASAP:
  - Multi-factor authentication (MFA) should be on by default to reduce the risk of data leaks to unauthorized people. This is especially true for external users, and something that should be evaluated for internal users.
  - Mobile Device Management & Mobile App Management for corporate and personal devices.
- Review the required industry or company regulations in relationship to the Microsoft 365 compliance features
- Spend time on adoption and change management to increase the awareness and acceptance of the security and compliance features
Best practices for Microsoft Teams customization
Teams is highly customizable software, and there are many different types of customizations that can be carried out to make your environment fit your business needs:
- Microsoft applications (Microsoft 365, SharePoint, Word, Excel, Yammer, etc.)
- Third party applications from the Microsoft Teams app store
- Scripted, automated customizations done through PowerShell
- Purchase Azure AD Premium P1 or P2 licenses
What we’ve generally seen is that most customizations are done during the deployment and provisioning process. It’s usually about getting a new template to work with the right webparts and theming and design. This requires a bit of customization. As a first suggestion, it can be a good idea to turn off the App Store in the creation stage, as it can be a bit overwhelming for users and you can lose control of what apps people are adding.
However, always allow Microsoft apps, like OneNote, Planner, and SharePoint, because they’re the basis for proper collaboration in Teams.
Once you’re set up, evaluate your internal procedures and decide if you want to allow your users to add apps. If you don’t, simply leave that option off from the beginning. Then, evaluate what non-Microsoft products are in use and if you want to offer those products in Teams. Some organizations have been working with non-Microsoft solutions for a long time such as Jira. In that case, we advise making sure that the app in question is available so people can add it from the App Store. Basically, start with opening access to the applications you know are already being used.
Finally, you can also review the Microsoft Teams PowerShell commands in combination with Teams to automate some manual procedures.
What are Jasper’s recommendations for Teams customization?
- Review external (non-Microsoft apps) and out-of-the-box integration options through Teams tabs
- Block third-party apps and allow Microsoft apps
- Review the Microsoft Teams PowerShell commands to integrate or automate digital processes in relationship to Microsoft Teams
Best practices for Microsoft Teams architecture
If you’re going to put settings, governance, and sensitivity policies in place, you’re going to need to know what they’ve been applied to, right?
Microsoft Teams is the hub for teamwork, connecting people while minimizing the challenges of remote collaboration. It ties together chat, meetings, calling, devices, work files, documents, apps, and solutions in one centralized application. And while Teams offers a ton of great features and benefits, it can only reach its full potential because of how integrated it is with other Microsoft 365 services. When you use Teams, you’re reaping the benefits of the best Microsoft 365 tools as packaged through the Teams interface. And so, to manage Teams features, you need to manage the related tools.
It’s important to realize what this structure of tools within tools means and to understand where data is stored so that you can manage it correctly.
Teams data is actually stored in the following locations:
- SharePoint team site: Files and folders stored in the team document library or shared in a channel, external emails sent to the team, the team’s wiki page, and each channel’s OneNote assets.
- Exchange team mailbox: Group chat and channel chat conversation history, team mail, and contacts.
- Exchange mailboxes of individual users: Private (1:1) chat conversation history, voicemails, and calendar meetings.
- OneDrive for Business of individual users: Files attached to private chat sessions, or a chat during a meeting or call, are uploaded and stored in the OneDrive account of the user who shared the files.
- OneDrive organizational document library: Users’ personal OneNotes.
- Azure (using Blob storage): Images and media (except for GIFs) shared in chats.
- Stream: Meeting recordings.
- Third-party storage provider: If your organization allows users to store files with a third-party storage provider, either through tabs or other partner apps, that information is stored directly in the system used by the partner.
Impact of Teams environment in an organization
Azure Active Directory (AAD) is the foundation of Microsoft 365 Groups. AAD stores user accounts, connects people, and allows access to Microsoft 365 productivity apps, like OneDrive and SharePoint.
Microsoft 365 Groups provides a way to centralize membership for multiple Microsoft products in one place.
For example, 10 people are in a team, which means there are 10 people in that group, and they have access to all the connected services.
How to manage a list of people in Teams:
- Go to Azure AD (where it is all stored)
- Identify the group behind the team in Microsoft Teams
- See who the owners are
- Assess how you want to manage those roles
- Evaluate any access review to put in place
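The ownership and guest review described above can be scripted with the Microsoft Teams PowerShell module. This is an added example, not code from the webinar or from ShareGate; it assumes the MicrosoftTeams module is installed and that you sign in as a Teams administrator so `Get-Team` returns every team, and the function name and CSV path are hypothetical.

```powershell
#Requires -Modules MicrosoftTeams
# Added example: list every team with its owners and guests, and flag teams
# that fall below the two-owner minimum recommended in this article.

$MinOwners = 2   # threshold taken from the article's recommendation

function Get-TeamOwnershipReport {   # hypothetical helper name
    param([int]$MinimumOwners = 2)

    foreach ($team in Get-Team) {
        # Every team is backed by a Microsoft 365 group; GroupId is that
        # group's object ID in Azure AD.
        $users  = @(Get-TeamUser -GroupId $team.GroupId)
        $owners = @($users | Where-Object Role -eq 'owner')
        $guests = @($users | Where-Object Role -eq 'guest')

        [pscustomobject]@{
            DisplayName = $team.DisplayName
            GroupId     = $team.GroupId
            Visibility  = $team.Visibility
            Owners      = ($owners.User -join '; ')
            OwnerCount  = $owners.Count
            GuestCount  = $guests.Count
            NeedsOwner  = $owners.Count -lt $MinimumOwners
        }
    }
}

Connect-MicrosoftTeams | Out-Null
$report = Get-TeamOwnershipReport -MinimumOwners $MinOwners

# Teams with too few owners first, then the full list for an access review.
$report | Where-Object NeedsOwner | Sort-Object OwnerCount |
    Format-Table DisplayName, OwnerCount, GuestCount, Visibility
$report | Export-Csv -Path .\teams-ownership.csv -NoTypeInformation
```

Teams that show guests but fewer than two owners are the ones to review first, since nobody is clearly accountable for who has access.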
What happens when you create a team?
When you create a new team from Microsoft Teams, you’re also creating a Microsoft 365 group in the back-end that’s associated with this team. You can manage groups in AAD and access various related services. To manage multiple objects, you need to manage the group along with its associated team (or the group in Stream, or in Planner, for example).
Dynamic group membership in Teams
Jasper notices that dynamic membership is gaining interest amongst his customers. Dynamic membership is an option you can enable for a Microsoft 365 group. By creating a rule, you can add or remove people in the group (and the team). It’s great for teams that have many members who are coming and going because it eliminates the tedious task of manually removing or adding each new person. It makes things easier to manage, especially for the larger, permanent teams.
By using dynamic membership, you can create a rule. For example, someone in IT will be automatically added to “Team IT.” Let’s say that person goes from “Team IT” to “Team HR,” they will be automatically removed from “Team IT” without any manual processes required.
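Before switching an existing team to a rule like this, it helps to preview who the rule would add and who it would drop, because converting a group from assigned to dynamic membership removes existing members and then re-adds only the users the rule matches. The following is an added example, not code from the webinar or from ShareGate; it assumes the Microsoft Graph PowerShell modules, and the group name, department value and `$Apply` switch are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users
# Added example: preview a department-based dynamic membership rule
# before applying it to the Microsoft 365 group behind a team.

$GroupName  = 'Team IT'   # assumed display name of the team's group
$Department = 'IT'        # assumed value of the users' department property
$Rule       = "(user.department -eq `"$Department`")"
$Apply      = $false      # set to $true only after reviewing the preview

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' | Out-Null

$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName'." }
$group = $group[0]

# Current members of the team versus the users the rule would select.
$currentIds = @(Get-MgGroupMember -GroupId $group.Id -All).Id
$matching   = @(Get-MgUser -All -Property Id, UserPrincipalName, Department |
    Where-Object Department -eq $Department)

# Members the rule does not cover lose access once the group is dynamic.
$dropped = @($currentIds | Where-Object { $_ -notin $matching.Id })
$added   = @($matching | Where-Object { $_.Id -notin $currentIds })

'{0} current members would be removed, {1} users would be added.' -f
    $dropped.Count, $added.Count
$dropped | ForEach-Object {
    (Get-MgUser -UserId $_ -Property UserPrincipalName).UserPrincipalName
}

if ($Apply) {
    # Keep the existing 'Unified' type and add 'DynamicMembership'.
    $types = @(@($group.GroupTypes) + 'DynamicMembership' | Select-Object -Unique)
    Update-MgGroup -GroupId $group.Id -GroupTypes $types `
        -MembershipRule $Rule -MembershipRuleProcessingState 'On'
}
```

Because the rule reads the department property, anyone who can edit that property effectively controls team access, which is why the user profile data in Azure AD needs to be accurate first.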
Learn more about the difference between a team and a group and how they work together in Microsoft 365 Groups vs. Teams vs. SharePoint explained
What are Jasper’s recommendations for clean Teams architecture?
- Understand the centralized membership feature of Microsoft 365 Groups
- Understand the connection between Microsoft 365 services (Teams, SharePoint, Planner, Exchange, and Stream) with the use of Microsoft 365 Groups
- Understand the permission model between Microsoft Teams and SharePoint
- Review the usage of Dynamic Membership with Azure AD
- Update the profile properties of your users in Azure AD
Ben and Jasper really jam-packed the session with info, including real-world examples, to help you build a standout Teams environment. Want to sharpen your Teams management skills even more? Watch the recording of the live conversation.
Plus, you can still join the discussion! Leave a comment below or ask your questions using the hashtag #SGTeamsTalk on Twitter. We’ll get you the expert advice to all your burning Microsoft Teams questions.