In our recent beginning-of-life masterclass session, Microsoft MVP Jasper Oosterveld (@jasoosterveld) covered best practices that can help you understand why users create their teams—so you can apply the right governance policies and security settings from the moment of creation.
As we’ve seen since the global shift to distributed work, many organizations rushed to roll out Microsoft Teams to facilitate new methods of virtual collaboration—often without time to implement an effective Teams management plan. IT teams now face the challenge of finding a scalable way to maintain an organized and productive Teams environment.
You want to give users the freedom to create new resources as they see fit, but you don’t want that freedom to come at the cost of creating a security risk. In the first session from ShareGate’s recent 3-part masterclass, Create a dream Teams: Mastering Microsoft Teams management across the entire lifecycle, I covered beginning-of-life best practices that can help you understand why users create their teams. That way, you can apply the right governance policies and security settings from the get-go and build a solid Microsoft Teams foundation from the moment of creation.
Build a solid Teams foundation with these beginning-of-life best practices from a Microsoft MVP:
- Define a Microsoft Teams creation process
Not all teams are created equal; some contain highly sensitive data, while others are created for less business-oriented reasons. That’s why the first step in any lifecycle management plan should be defining a creation process to help you understand the goal of each team.
- Define a Microsoft Teams collaboration process
The ability to collaborate with external users securely is now more crucial than ever. Having the right settings and policies in place ensures that employees use Microsoft Teams correctly and keeps sensitive data secure.
- Define a Microsoft Teams classification process
Categorizing your teams according to purpose and sensitivity helps you better understand why users create their teams and where sensitive data lives. Once categorized, you can apply the appropriate settings to each team.
Define a Microsoft Teams creation process
Users create new teams in Microsoft Teams for all sorts of different reasons. They’re a great way to collaborate with colleagues and people outside your organization on shared projects, whatever those projects might be. But, not all teams are created equal; some contain highly sensitive data while other are created for less business-oriented reasons.
That’s why the first step in any effective lifecycle management plan should be defining a creation process to help you understand the goal of each Microsoft team. That way, you can customize your governance policies and security settings based on teach team’s business purpose and level of sensitivity.
Questions to consider at the beginning of a team’s life:
- What’s the purpose of the team?
- Who belongs on the team?
- Will the team be public or private?
- How sensitive will the information contained inside each team be?
- Who will have permissions to create channels or add tabs, bots, and connectors?
Microsoft Teams templates
First announced in May of last year, templates in Microsoft Teams are pre-built definitions of a team’s structure that enable you to create effective teams faster and more easily.
With Teams templates, you can:
- Use 13 out-of-the box templates for different scenarios
- Customize or create your own
- Add additional channels and tabs per template
- Assign one or more templates per policy for all, or a selection of, employees
When creating a new team, users can choose from a variety of customizable templates built around a business need or project.
Or, you can create your own template in the admin console—allowing you to standardize team structures, surface relevant apps, and scale best practices in Teams.
During the creation process, admins can define the channel structure, tabs, and apps that make up the new template. This allows you to take proven team structures for common scenarios and deploy them at scale across your organization.
All Teams templates, whether built-in or admin-created, can be managed and modified from the Microsoft Teams admin center. Head to Microsoft’s official documentation for more details on how to get started with Teams templates in the admin center.
Implement a naming convention
What’s in a name? Well, as Romeo discovered at the end of Shakespeare’s classic play, a name can impact a lot! Calling a team “Project Pitch” might not embroil you in any family blood feuds, but it can create confusion later on—especially if tons of teams are being created all the time and IT isn’t part of each new team.
A naming convention can help you and your users identify the function, membership, geographic region, and/or creator of a team.
|Type of team||Microsoft Teams||SharePoint|
|Department||DEP <name of the department>|
Example: DEP Marketing
|Geographic location||DEP <name of the department or project> <geographic location>|
Examples: DEP Marketing CA
DEP Marketing USA
|/teams/dep-private-<department name>-<geographic location>|
With a well-thought-out naming convention in place, you can figure out the function of each Microsoft team quickly, ultimately making it easier for you to put the right governance policies and security settings in place.
You can use a naming policy to enforce a consistent naming strategy for teams created by users in your organization. A naming policy allows you to provide a team with a pre-defined naming convention.
Three options to apply a naming policy:
- Provisioning solution
- Manually by the business users
- Microsoft 365 groups naming policy through Azure Active Directory (requires Azure AD Premium P2 license)
What are my recommendations?
- Allow users the freedom and flexibility to create new teams.
- Consider using built-in or custom Teams templates to help users create effective teams faster and more easily.
- Create and enforce a naming convention to help expose the purpose and goal of a team.
Define a Microsoft Teams collaboration process
With Teams usage at an all-time high and a global shift to distributed work, the ability to freely collaborate with external users is now more crucial than ever. But you don’t want that freedom to come at the cost of creating a security risk for your business.
While some IT admins think it’s safer to disable external sharing entirely, this can negatively impact end user productivity and adoption and lead to shadow IT. Instead, leverage the power of self-service to drive user adoption in Teams while implementing a strategy to govern proper usage. Having the right settings and policies in place ensures that employees use the tool correctly and keeps sensitive data secure.
Depending on the needs of your organization, external sharing can be used to enable:
- Collaboration with people outside your organization in a document (via sharing link)
- Collaboration with people outside your organization in a team (via guest access)
Collaborate with external users via sharing link
If your users need to collaborate with people outside your organization on documents in SharePoint or OneDrive, they can send them an external sharing link to grant them access to the document in question.
With this method:
- Instead of inviting a guest into the entire team, business users share one or more files with someone outside your organization.
- The external user receives an e-mail with a link to the files.
- The external user has to enter a verification code to access the files. (Unless it’s an “Anyone” sharing link; then they can simply click on the link to gain access)
When end users create a new sharing link, they can choose from the following options (the options available to them will depend on how you’ve configured sharing settings in your organization):
- Anyone gives access to anyone who receives the link, whether they receive it directly or forwarded from someone else.
- People in <Your Organization> gives anyone in your organization who has the link access to the file, whether they receive it directly or forwarded from someone else.
- People with existing access can be used by people who already have access to the document or folder.
- Specific people gives access only to the people who are specified. However, if someone already has access and is forwarded the sharing invitation, they will also be able to use the link.
Where do you manage external sharing link settings?
In order for people outside your organization to have access to a document in SharePoint or OneDrive, your SharePoint and OneDrive organization-level sharing settings must allow for sharing with people outside your organization.
From the SharePoint admin center, you can control external sharing settings for your entire organization (Policies > Sharing) as well as for individual team sites (Sites > Active sites > select the site in question, then select Policies and click on Edit under External sharing):
The organization-level settings for SharePoint determine the settings that will be available for individual SharePoint sites, and site settings can’t be more permissive than the organization-level settings. So, choose the most permissive setting that will be needed by any site in your organization when configuring your SharePoint organization-level sharing settings.
What are my recommendations?
- Enable external sharing with “New and existing guests”.
- Implement a periodic review of sharing links (more on that in the session 2 recap!).
- Educate your team owners and members on best practices for external sharing links.
- Start with defining your classification scheme and strategy.
Collaborate with guest users in a team
Guest access, on the other hand, allows you to invite people from outside your organization to join an existing team in your Teams tenant.
With guest access, users can provide people outside your organization access to:
- Teams in Microsoft Teams
- Documents in channels
Teams is built on top of Microsoft 365 Groups, so you can manage guests in your Azure Active Directory and the same compliance and auditing protections as the rest of Microsoft 365 apply. Essentially, guest access lets you maintain complete control and your data never leaves your sight.
Why would you allow guests in Teams?
- Reduce shadow IT
- Provide an efficient collaboration experience
- More control and insights into who’s working with your colleagues and content
Enabling guest access in Teams
Originally, guest access was disabled by default. But, with Microsoft’s recent change to the default configuration for guest access in Teams, guest access is now enabled by default for any customers who have not configured this setting—bringing the Teams guest access capability into alignment with the rest of the suite, where the setting is already enabled by default.
Turning on guest access depends on settings in Azure Active Directory, Microsoft 365, SharePoint, and Teams. For more information, check out ShareGate’s blog article on how to control guest access at every authorization level.
Determine how external collaborators can be invited into your tenant
Before getting into the nitty gritty of what guests can and can’t do, you need to think about how they’ll be invited into your tenant in the first place.
Global admins can manage the guest access experience in Teams at the highest level through your Azure Active Directory (External identities > External collaboration settings > Collaboration restrictions).
Control which guests can be invited by choosing one of the following options:
- Allow invitations to be sent to any domain (most inclusive)
- Deny invitations to the specified domains
- Allow invitations only to the specified domains (most restrictive)
Guest access permissions
A guest can be given nearly all the same Teams capabilities as a native team member within your organization. Like any other team member, guests can chat, call, meet, and they can also collaborate on files and have access to other resources within a team.
The following table compares the Teams functionality available for an organization’s team members compared to its guests:
|Permissions in Teams||Team member within organization||External user with guest access|
|Create a channel*||✔||✔|
|Participate in a private chat||✔||✔|
|Participate in a channel conversation||✔||✔|
|Post, delete, and edit messages||✔||✔|
|Share a channel file||✔||✔|
|Access SharePoint files||✔||✔|
|Attach files||✔||Channel posts only|
|Share a chat file||✔|
|Create meetings or access schedules||✔|
|Invite an external user to become a guest*||✔|
|Create a team||✔|
|Discover/join a public team||✔|
SOURCE: Microsoft Teams guest access: Permissions, settings, and how to add a guest
But, as you can see in the table above, they can’t do certain things like create meetings or access schedules, create a new team, invite another person outside your organization to become a guest, or discover/join a public team.
- A guest is considered a member!
- A guest receives access to all the content of the public channels
Configure guest permissions in Microsoft Teams
When guest access in enabled, people outside your organization can access teams and channels if they’re invited to join a team as a guest. But, you can configure guest permissions in Teams to control which features guests can access in the platform.
- Organization-wide permissions are set within the Microsoft Teams admin center (Org-wide settings > Guest access)…
- …and guest user permissions for individual teams are configured through the Teams client settings of the specific team (next to the team name, click more options > Manage team > Settings).
Other collaboration settings in the Teams admin center
Aside from managing guest access permissions, the Teams admin center is your HQ for managing Microsoft Teams settings for your entire organization.
- Teams policies: Enable private channels
- App policy: Enable Microsoft apps and limit or block third-party apps
Control what settings or features are available to users when they’re using teams and channels by creating (or editing) Teams policies in the Teams admin center (Teams > Teams policies).
I recommend enabling private channels across your organization with the Global (Org-wide default) policy.
App permission policies in the Teams admin center (Teams apps > Permission policies) control what apps you want to make available to Teams users in your organization. You can use the Global (Org-wide) default policy and customize it, or create new policies to meet the needs of your organization.
I suggest enabling Microsoft apps and either limiting or blocking third-party apps for your Teams users.
What are my recommendations?
- Enable guest access at the organization level
- Implement a process to periodically review guests (more on that in the session 2 recap!)
- Enable multi-factor authentication (MFA) for guests
- Educate your team owners
- Work with private channels for internal collaboration
- Start with defining your classification scheme and strategy
Define a Microsoft Teams classification process
Not all data—and by extension, not all teams—are created equal. You don’t need to apply the same controls to the office softball league team as you would to a team containing highly confidential info about quarterly earnings.
What is data classification?
Data classification makes it easier to locate, leverage, and protect your valuable data—and is crucial for effectively managing your Teams environment. Put simply, it’s the process of organizing data into categories that make it easier for you to manage and protect it.
In order to categorize your data, you first need to know what the categories are! That’s where a data classification scheme comes in. It maps out and defines all of the available options for your users. You can see an example of a basic classification scheme in the table below:
Example of a real world classification scheme
|Non-business data, for personal use only||Company data specifically prepared and approved for public use||Company data intended for general use within and outside of the organization (business partners)||Sensitive company data that poses a business risk if it’s shared with unauthorized people||Highly sensitive company data that poses a business risk if it’s shared with unauthorized people|
An organization’s classification scheme is often determined by the regulation of your country or company industry. For example, E.U. GDPR or U.S. Health Insurance Act (HIPAA). If that’s not the case for you, also be sure to check out ShareGate’s blog article with insights from Microsoft MVP Marc D Anderson on how to define an effective data classification scheme for Microsoft 365.
Apply classification at the container level (i.e., at the level of each team)
Once you have your classification scheme in place, make your life easier when it comes to customizing settings and policies by applying classification at the container level—i.e., at the level of each Microsoft 365 group or team.
- Classify a team according to its purpose. For example: Project or department
- Classify a team according to its level of sensitivity. For example: Internal or Highly sensitive
Categorizing your teams according to purpose and sensitivity helps you better understand why users create their teams, how your users collaborate within Teams, and where sensitive data lives. Once categorized, the appropriate controls can be applied to monitor and control data access, transportation, and storage within each team.
What classification options are there?
- Manually applied by business users (for example, by enforcing a naming convention related to classification)
- Sensitivity labels through the Microsoft Information Protection (MIP) framework
- ShareGate‘s team purpose and team sensitivity tabs
Sensitivity labels through Microsoft Information Protection (MIP)
Microsoft 365 has a built-in feature that lets you classify and protect your data at the container level: sensitivity labels through the Microsoft Information Protection (MIP) solution.
Previously only used to apply encryption and content marking to files and emails, you can now use sensitivity labels to protect content at the container level in Microsoft Teams.
You can configure sensitivity labels to enforce the following security settings for a team:
- Privacy of the team
- Enable or disable guest access
- Type of external sharing links from SharePoint team site
- Type of access to SharePoint content from unmanaged devices
Sensitivity labels allow Teams admins to protect and regulate access to sensitive organizational content created during collaboration within teams. Once you’ve created and published sensitivity labels in the Microsoft 365 compliance center, users will be able to choose a label when creating a new team in Microsoft Teams and all of the pre-configured settings will be automatically applied.
When the new team is created, the chosen sensitivity label is visible in the upper-right corner of channels in the team:
However, it’s important to note that a team owner can change the sensitivity label and the privacy setting of the team at any time by going to the team and clicking on Edit team.
I should also point out that to configure this feature, you first need to enable sensitivity labels for containers and synchronize labels—which requires that you possess at least one active Azure Active Directory Premium P1 license in your Azure AD organization.
ShareGate’s group purpose and sensitivity tag features
You may know ShareGate for their best-in-class migration tool, ShareGate. But did you know they also have a governance tool for Microsoft Teams? In fact, both tools—ShareGate and ShareGate—come together when you’re a ShareGate customer.
Classifying your teams and Microsoft 365 groups in ShareGate is really simple. There are 2 ways you can do it:
- Use ShareGate’s Teams chatbot to automatically ask owners to select a team purpose and a team sensitivity right after they’ve created their team.
- Classify Microsoft Teams yourself in ShareGate—or overwrite what owners have previously picked.
Automatically ask owners to classify their teams
Use ShareGate’s Teams chatbot to automatically ask owners to select a team purpose and a team sensitivity right after they’ve created their team.
You can make your own purpose and sensitivity tags and add a description to make it easy for owners to make a decision. Or, you can have users choose from a list of pre-set default options.
Team purpose = reason for creating the team
Team sensitivity = how sensitive the content shared by the team will be
Using a conversational Teams chatbot to collect this information creates less friction for owners since they’re already doing most of their work in Teams.
Once an owner has made a decision, this information is relayed back to you in the app, where you can filter and find teams according to purpose and sensitivity—or see which teams are missing tags completely.
The big advantage with team purpose and team sensitivity tags in ShareGate is that you don’t need an Azure AD Premium subscription or a provisioning form to get this information from owners. Plus, it’s collected where they spend the most time, in Teams.
Classify your Microsoft teams directly in-app
You can also take matters into your own hands and assign a team purpose or team sensitivity tag to a team directly in the ShareGate app.
Or, you can overwrite a tag an owner has previously picked if you want to.
For both of these methods, you can make your own purpose and sensitivity tags and add a description that makes it easy for owners to make a decision.
Automatically apply the right security settings with team sensitivity tags
ShareGate’s sensitivity tags let you classify AND protect your data at the container (i.e., team) level.
Similar to MIP sensitivity labels, you can configure sensitivity tags in ShareGate to control the following security settings for a team:
- Privacy status: Set to “Private” or “Public”
- External sharing: Set to “Anyone”, “New and existing guest”, “Existing guests”, or “Only people in your organization”
- Guest access: Set to “Guests allowed” or “Guests not allowed”
Once a sensitivity tag has been picked (by the owner or by you), ShareGate automatically applies the corresponding security settings to the team. That way, you can prevent some teams from sharing content externally and having guests while giving more freedom to other teams.
The software will even flag a team that has the wrong security settings (i.e., settings that don’t match its assigned sensitivity tag). So, if a team has been assigned a “Highly confidential” tag and the owner later changes the team’s privacy status from private to public, ShareGate automatically detects that sensitivity mismatch for you. Then, you can fix the problem fast by making changes directly in the app.
Not sure which classification feature is the right fit for you? Check out ShareGate’s blog article for more details on the differences between Microsoft Information Protection sensitivity labeling and ShareGate’s team sensitivity feature.
What are my recommendations?
- Start defining your classification scheme for Microsoft 365/Teams
- Implement a classification/tagging system for your Microsoft teams
Takeaways from part 1
- Talk with your business users about their requirements and needs
- Enable guest access and sharing links at the organization level
- Define and implement your classification scheme and strategy