How ShareGate can help you collaborate with owners to identify your valuable Teams content


ShareGate’s Teams management tool automatically collects information from owners about how their team is being used and its level of sensitivity—giving you better visibility and enabling you to apply custom-fit governance in Microsoft Teams.

Freedom and flexibility are at the heart of the Microsoft 365 user experience, with self-service features and collaboration tools like Microsoft Teams transforming the way that we work.

But with more user freedom comes more responsibility for IT. It’s a delicate balance: protecting data in a way that meets your organization’s business and compliance policies, while making sure user productivity isn’t hindered.

The truth is that your governance strategy needs to be flexible, too. Locking everything down is harmful, one-size-fits-all thinking that can negatively impact adoption and result in users turning to other, unapproved tools.

Ideally, policies should be customized according to how each team is being used. With ShareGate, you can collaborate with owners to categorize teams according to their business purpose and level of sensitivity. That way, you can apply the appropriate controls at the Microsoft 365 group (i.e. individual team) level to ensure your data stays secure.

The challenge of managing data at scale

Today, we have almost instant access to a historic amount of data—with enterprises producing a staggering amount, at an ever-increasing pace, each and every day.

And a lot of that data requires protection; according to McAfee’s 2019 Cloud Adoption and Risk Report, nearly a quarter of all files in the cloud contain sensitive data, up 17% over the past two years.

Twenty-one percent of all files in the cloud contain sensitive data.

McAfee’s 2019 Cloud Adoption and Risk Report

The best way to approach data security is from the perspective of governance. And one of the best ways to approach data security at scale is from the perspective of container governance: security and compliance policies applied at the level of Microsoft teams and Microsoft 365 groups.

The fact is, not all teams (and, by extension, the data within them) are created equal. Effective Teams governance requires targeted application. But that means you need to know where—which is to say, within which teams—your sensitive data lives.

Classify containers to help identify your valuable content

In her ShareGate webinar on how to protect your Teams content, Microsoft MVP Joanne Klein explained that container governance can be broken down into the following best practices:

Within the scope of this blog post, we’re going to show you how ShareGate’s “Group categorization” and “Group sensitivity” features can help you classify and protect sensitive content at the level of each container/team.

Looking for tips on how to define an effective data classification scheme for your organization? We spoke to Microsoft MVP Marc D Anderson about best practices, tips, and tricks to help you get started.

Know why users create new teams

It’s easy for users to create a new team in Microsoft Teams. Unfortunately, it’s also easy for users to ignore the optional Description field:

New team named Project pitch.

Users create teams for a number of reasons, some less business-oriented than others. If a team is named “Softball league”, it’s pretty easy to infer what the team will be used for.

But if a team is named “Project Pitch”, the reason for its creation is less obvious. In that case, you’re going to need to ask the person who knows best: the owner of that team.

Understand how sensitive the content within each team is

Let’s consider the same “Project Pitch” example shown above: If the user creating the team doesn’t enter anything into the description field, how are you supposed to know—from the title alone—how sensitive the content inside the team will be?

You can now configure built-in sensitivity labels through the Microsoft Information Protection (MIP) solution so they can be applied at the individual team level. In that case, users will also see an option to apply a sensitivity label when creating a new team in Teams:

Screenshot of sensitivity label when creating new team.


However, enabling this feature involves using PowerShell and requires an Azure AD Premium P1 license.

To help you assess whether sensitivity labels in Microsoft 365 are the right fit for your organization, we wrote a blog article comparing MIP unified labeling and ShareGate’s “Group sensitivity” feature, sharing what we learned and highlighting some key differences between the two.

If you don’t have Azure AD Premium, or don’t love using PowerShell, then you’re likely going to have a hard time determining how sensitive the content in “Project Pitch” will be using Microsoft’s out-of-the-box solution. Again, you’re going to have to ask the person who knows best: the owner of the team.

Automatically collect information from owners with ShareGate’s Teams chatbot

Instead of reaching out to each owner manually, activate ShareGate’s Teams bot to ask for this information automatically. A conversational bot integrates seamlessly with users’ existing workflow in Teams, helping reduce friction and context-switching to keep productivity at its highest possible level.

Here’s how it works: When ShareGate detects a new Microsoft 365 group, our chatbot automatically contacts the owner via direct message in Teams and asks them for the reason for its creation and its level of sensitivity.

To make it easy for owners to make a decision, the bot presents them with pre-defined “Group purpose” and “Group sensitivity” options to choose between—then relays their selections back to you.

Activating the ShareGate Teams bot

In the ShareGate UI, click on Settings, then select the Categorization tab from the left-hand navigation. Slide the toggle next to Microsoft Teams chatbot to the right.

Screenshot of toggle to activate Microsoft Teams chatbot.

Note: ShareGate comes pre-populated with a default list of “Group purpose” and “Group sensitivity” categories based on some of the most common reasons users create teams. If you want to edit or add to these categories, you can do so in the Group purpose and Group sensitivity sections underneath the chatbot slider.

Once activated, the Teams bot will be installed automatically for any user the app needs to contact.

Group categorization: Use case

Let’s say John Greene decides to create a new team, called “Provisioning Solution”, for members of the office softball league.

Shortly after the new team is created, the ShareGate Teams bot reaches out to John via chat conversation in Teams:


The chatbot asks him to define the purpose and sensitivity of his new team and presents him with pre-populated options to choose from.

Group purpose

We built a default list of “Group purpose” categories based on some of the most common reasons users create teams—but you can edit or add to these options in ShareGate’s Settings tab based on the needs of your organization.

  • Department: Used for an ongoing project or collaboration between employees who are part of a specific department (e.g. marketing or HR).
  • External project: Used for projects that involve collaboration with people outside the organization (e.g. collaboration with an external vendor).
  • Internal project: Used for projects that involve collaboration with people inside the organization (e.g. implementation of a new system).
  • Office location: Used to gather employees working in different geographic locations (e.g. New York office).
  • Particular topic: Used to communicate and collaborate on specific initiatives or topics (e.g. planning the holiday party).

Screenshot of group purpose options presented by ShareGate bot in Teams.

Each category also includes a description. If John is unsure which option to choose, he can click on the ? next to a category to read its description. In this case, the Particular topic option makes the most sense.

Screenshot of group purpose options with descriptions for "Particular topic" option expanded.

Once John clicks Select, our bot confirms his decision in their chat conversation, then moves on to asking about the level of sensitivity.


Group sensitivity

To help you get started, we’ve created the following default group sensitivity labels, which you can add to, modify, or even delete if you choose to:

  • General: Sets the group/team to public, allows external sharing with anyone, and enables guest access
  • Confidential: Sets the group/team to private, only allows external sharing with new and existing guests, and disables guest access
  • Highly confidential: Sets the group/team to private and disables external sharing and guest access

As with group purpose, if John is unsure which option to choose, he can click on the ? next to a category to read its description. In the case of John’s team for an office softball league, the General option makes the most sense.


But, let’s imagine for a moment that John’s new team, “Provisioning Solution”, isn’t for the office softball league. Let’s say he created the team in order to collaborate with several colleagues on pitch ideas for an upcoming project.

When he created this Provisioning Solution team, he made it public. And when the chatbot in the ShareGate Teams app first reached out to him about his new team’s purpose, he still selected “Particular topic” like in the example above (that could still technically be true).

But now, when the chatbot asks him about the level of sensitivity of his new team, he reads through the different options and their descriptions and decides the Confidential option makes the most sense—he only needs to collaborate with colleagues (no need for guests) and he wants the group to be private since their team will be going up against other employees with their pitch.


Once John clicks Select next to a group sensitivity option, the ShareGate chatbot confirms his selection and informs him of the corresponding security settings that will automatically be applied to his team.


Since the “Confidential” group sensitivity doesn’t allow guests, he is told that any current guests will be removed from the team. Additionally, his team will be changed from public to private and the sharing settings will be adjusted.
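The label-to-settings mapping and the change applied to John’s team can be modeled as a drift check. This is an added example, not ShareGate’s code or API: the field names, the `plan_changes` and `audit` helpers, and the sample inventory (including the guest address) are constructed for illustration.

```python
# Default labels as described in the article. The setting keys
# (visibility, external_sharing, guest_access) are hypothetical names.
DEFAULT_LABELS = {
    "General": {"visibility": "public", "external_sharing": "anyone",
                "guest_access": True},
    "Confidential": {"visibility": "private",
                     "external_sharing": "new_and_existing_guests",
                     "guest_access": False},
    "Highly confidential": {"visibility": "private",
                            "external_sharing": "disabled",
                            "guest_access": False},
}

def plan_changes(team, labels=DEFAULT_LABELS):
    """List the changes needed to bring one team in line with its label."""
    label = team.get("sensitivity")
    if label is None:
        # Owner never answered: nothing can be enforced yet.
        return ["ask owner: no sensitivity assigned"]
    if label not in labels:
        return [f"review: unknown sensitivity {label!r}"]
    target = labels[label]
    actions = [f"set {key}: {team[key]} -> {target[key]}"
               for key in ("visibility", "external_sharing", "guest_access")
               if team[key] != target[key]]
    if not target["guest_access"]:
        # Labels that disable guest access also drop current guests.
        actions += [f"remove guest: {g}" for g in team.get("guests", [])]
    return actions

# Constructed inventory: John's public team labeled Confidential,
# a compliant General team, and a team whose owner has not answered.
TEAMS = [
    {"name": "Provisioning Solution", "sensitivity": "Confidential",
     "visibility": "public", "external_sharing": "anyone",
     "guest_access": True, "guests": ["guest1@example.com"]},
    {"name": "Softball league", "sensitivity": "General",
     "visibility": "public", "external_sharing": "anyone",
     "guest_access": True, "guests": []},
    {"name": "Project Pitch", "sensitivity": None,
     "visibility": "public", "external_sharing": "anyone",
     "guest_access": True, "guests": []},
]

def audit(teams):
    """Map each team name to its pending changes (empty list = compliant)."""
    return {t["name"]: plan_changes(t) for t in teams}

if __name__ == "__main__":
    for name, actions in audit(TEAMS).items():
        print(name, actions or ["compliant"])
```
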

Once John has made his group purpose and group sensitivity selections, ShareGate relays that information back to you in your dashboard.

Organize your teams by purpose and sensitivity for custom-fit container governance

In ShareGate, click on the Groups tab to see a list of all your teams and Microsoft 365 groups. The group purpose and group sensitivity options John selected are now visible in the “Purpose” and “Sensitivity” columns next to his team.

You can also manually assign a group purpose and/or group sensitivity category by selecting a team from the list, then clicking on Choose a group sensitivity (to assign a group sensitivity) or No purpose (to assign a group purpose).

Screenshot of Choose a group sensitivity for a team.

Or, you can overwrite a selection made earlier by an owner by selecting a team, then clicking on either the assigned group sensitivity or group purpose.

In the example of John’s new team, you would click on Confidential (to change the assigned group sensitivity) or Particular topic (to change the assigned group purpose). Then, simply choose the category you’d like to apply from one of the categories presented in the drop-down list. In this case, let’s say you think “Highly confidential” is a better categorization for this team.

Screenshot of IT admin changing group sensitivity in ShareGate.

Once you’ve confirmed your choice, the new categorization automatically applies the corresponding security settings to the team. And, the new group sensitivity label appears next to the team name in the Manage tab, where you can organize and filter all your teams by business purpose and group sensitivity.


Want owners to only assign a purpose OR a sensitivity tag—and not both?

You can do that easily now that we’ve split up the policies. 

Go to Categorization in Policies and toggle on the automation for the policy you want. 

  1. Purpose tag to identify the business purpose of a team/group 
  2. Sensitivity tag to identify the sensitivity level of the team/group, and automatically apply the right security settings to it 

ShareGate is easy to set up and even easier to manage—no clunky interface, no coding, and no Azure AD premium subscription required.

If you’re a ShareGate customer, then we have great news! Your subscription now gives you full access to ShareGate at no extra charge! Activate your ShareGate account by signing in here. Make sure to have your ShareGate license key handy—you’ll need it to complete your activation.

If you’re ready to start categorizing your groups and teams, take a look at our group purpose documentation and group sensitivity documentation to learn how to set both features up!
