ShareGate’s Teams management tool automatically collects information from owners about how their team is being used and its level of sensitivity, giving you better visibility and enabling you to apply custom-fit governance in Microsoft Teams.
Freedom and flexibility are at the heart of the Microsoft 365 user experience, with self-service features and collaboration tools like Microsoft Teams transforming the way that we work.
But with more user freedom comes more responsibility for IT. It’s a delicate balance: protecting data in a way that meets your organization’s business and compliance policies, while making sure user productivity isn’t hindered.
The truth is that your governance strategy needs to be flexible, too. Locking everything down is harmful, one-size-fits-all thinking that can negatively impact adoption and result in users turning to other, unapproved tools.
Ideally, policies should be customized according to how each team is being used. With ShareGate, you can collaborate with owners to categorize teams according to their business purpose and level of sensitivity. That way, you can apply the appropriate controls at the Microsoft 365 group (i.e. individual team) level to ensure your data stays secure.
The challenge of managing data at scale
Today, we have almost instant access to a historic amount of data—with enterprises producing a staggering amount, at an ever-increasing pace, each and every day.
And a lot of that data requires protection; according to McAfee’s 2019 Cloud Adoption and Risk Report, nearly a quarter of all files in the cloud contain sensitive data, up 17% over the past two years.
The best way to approach data security is from the perspective of governance. And one of the best ways to approach data security at scale is from the perspective of container governance: security and compliance policies applied at the level of Microsoft teams and Microsoft 365 groups.
The fact is, not all teams (and, by extension, the data within them) are created equal. Effective Teams governance requires targeted application. But that means you need to know where—which is to say, within which teams—your sensitive data lives.
Classify containers to help identify your valuable content
In her ShareGate webinar on how to protect your Teams content, Microsoft MVP Joanne Klein explained that container governance can be broken down into the following best practices:
- Empower employees: Enable self-service site creation and lifecycle management so users don’t turn to shadow IT.
- Identify valuable content: Define a data classification scheme and require classification for containers.
- Protect valuable assets: Put policies in place to control access to sensitive data.
- Ensure accountability: Manage group/team ownership and review external sharing and guest access.
Within the scope of this blog post, we’re going to show you how ShareGate’s “Group categorization” and “Group sensitivity” features can help you classify and protect sensitive content at the level of each container/team.
Looking for tips on how to define an effective data classification scheme for your organization? We spoke to Microsoft MVP Marc D Anderson about best practices, tips, and tricks to help you get started.
Know why users create new teams
It’s easy for users to create a new team in Microsoft Teams. Unfortunately, it’s also easy for users to ignore the optional Description field.
Users create teams for a number of reasons, some less business-oriented than others. If a team is named “Softball league”, it’s pretty easy to infer what the team will be used for.
But if a team is named “Project Pitch”, the reason for its creation is less obvious. In that case, you’re going to need to ask the person who knows best: the owner of that team.
Understand how sensitive the content within each team is
Let’s consider the same “Project Pitch” example shown above: If the user creating the team doesn’t enter anything into the description field, how are you supposed to know—from the title alone—how sensitive the content inside the team will be?
You can now configure built-in sensitivity labels through the Microsoft Information Protection (MIP) solution so they can be applied at the individual team level. In that case, users will also see an option to apply a sensitivity label when creating a new team in Teams:
Source: https://docs.microsoft.com/en-us/microsoftteams/sensitivity-labels
However, enabling this feature involves using PowerShell and requires an Azure AD Premium P1 license.
To help you assess whether sensitivity labels in Microsoft 365 are the right fit for your organization, we wrote a blog article comparing MIP unified labeling with ShareGate’s “Group sensitivity” feature, sharing what we learned and highlighting some key differences between the two.
If you don’t have Azure AD Premium, or don’t love using PowerShell, then you’re likely going to have a hard time determining how sensitive the content in “Project Pitch” will be using Microsoft’s out-of-the-box solution. Again, you’re going to have to ask the person who knows best: the owner of the team.
Automatically collect information from owners with ShareGate’s Teams chatbot
Instead of reaching out to each owner manually, activate ShareGate’s Teams bot to ask for this information automatically. A conversational bot integrates seamlessly with users’ existing workflow in Teams, helping reduce friction and context-switching to keep productivity at its highest possible level.
Here’s how it works: When ShareGate detects a new Microsoft 365 group, our chatbot automatically contacts the owner via direct message in Teams and asks them for its reason for creation and level of sensitivity.
To make it easy for owners to make a decision, the bot presents them with pre-defined “Group purpose” and “Group sensitivity” options to choose between, then relays their selections back to you.
Activating the ShareGate Teams bot
In the ShareGate UI, click on Settings, then select the Categorization tab from the left-hand navigation. Slide the toggle next to Microsoft Teams chatbot to the right.
Note: ShareGate comes pre-populated with a default list of “Group purpose” and “Group sensitivity” categories based on some of the most common reasons users create teams. If you want to edit or add to these categories, you can do so in the Group purpose and Group sensitivity sections underneath the chatbot slider.
Once activated, the Teams bot will be installed automatically for any user the app needs to contact.
Group categorization: Use case
Let’s say John Greene decides to create a new team, called “Provisioning Solution”, for members of the office softball league.
Shortly after the new team is created, the ShareGate Teams bot reaches out to John via chat conversation in Teams.
The chatbot asks him to define the purpose and sensitivity of his new team and presents him with pre-populated options to choose from.
Group purpose
We built a default list of “Group purpose” categories based on some of the most common reasons users create teams—but you can edit or add to these options in ShareGate’s Settings tab based on the needs of your organization.
- Department: Used for an ongoing project or collaboration between employees who are part of a specific department (e.g. marketing or HR).
- External project: Used for projects that involve collaboration with people outside the organization (e.g. collaboration with an external vendor).
- Internal project: Used for projects that involve collaboration with people inside the organization (e.g. implementation of a new system).
- Office location: Used to gather employees working in different geographic locations (e.g. New York office).
- Particular topic: Used to communicate and collaborate on specific initiatives or topics (e.g. planning the holiday party).
Each category also includes a description. If John is unsure which option to choose, he can click on the ? next to a category to read its description. In this case, the Particular topic option makes the most sense.
Once John clicks Select, our bot confirms his decision in their chat conversation, then moves on to asking about the level of sensitivity.
Group sensitivity
To help you get started, we’ve created the following default group sensitivity labels, which you can add to, modify, or even delete if you choose to:
- General: Sets the group/team to public, allows external sharing with anyone, and enables guest access
- Confidential: Sets the group/team to private, only allows external sharing with new and existing guests, and disables guest access
- Highly confidential: Sets the group/team to private and disables external sharing and guest access
As with group purpose, if John is unsure which option to choose, he can click on the ? next to a category to read its description. In the case of John’s team for an office softball league, the General option makes the most sense.
But, let’s imagine for a moment that John’s new team, “Provisioning Solution”, isn’t for the office softball league. Let’s say he created the team in order to collaborate with several colleagues on pitch ideas for an upcoming project.
When he created this Provisioning Solution team, he made it public. And when the chatbot in the ShareGate Teams app first reached out to him about his new team’s purpose, he still selected “Particular topic” like in the example above (that could still technically be true).
But now, when the chatbot asks him about the level of sensitivity of his new team, he reads through the different options and their descriptions and decides the Confidential option makes the most sense—he only needs to collaborate with colleagues (no need for guests) and he wants the group to be private since their team will be going up against other employees with their pitch.
Once John clicks Select next to a group sensitivity option, the ShareGate chatbot confirms his selection and informs him of the corresponding security settings that will automatically be applied to his team.
Since the “Confidential” group sensitivity doesn’t allow guests, he is told that any current guests will be removed from the team. Additionally, his team will be changed from public to private and the sharing settings will be adjusted.
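As an added illustration (not ShareGate’s code or API), the sketch below models the three default group sensitivity labels described above, computes what would change when a label is assigned to a team, and audits an inventory for teams that are unlabelled or whose settings no longer match their label. The field names, setting values and sample inventory are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Default labels as described on this page; field names and
# setting strings are assumptions made for this example.
POLICY = {
    "General": {"visibility": "public", "external_sharing": "anyone", "guest_access": True},
    "Confidential": {"visibility": "private", "external_sharing": "new_and_existing_guests", "guest_access": False},
    "Highly confidential": {"visibility": "private", "external_sharing": "disabled", "guest_access": False},
}

@dataclass
class Group:
    name: str
    visibility: str
    external_sharing: str
    guest_access: bool
    guests: tuple = ()
    sensitivity: Optional[str] = None

def plan_changes(group, label):
    """Return the ordered changes needed to bring `group` in line with `label`."""
    if label not in POLICY:
        raise ValueError(f"unknown sensitivity label: {label!r}")
    target, changes = POLICY[label], []
    for field in ("visibility", "external_sharing", "guest_access"):
        current = getattr(group, field)
        if current != target[field]:
            changes.append(f"set {field}: {current} -> {target[field]}")
    if not target["guest_access"]:
        changes += [f"remove guest: {g}" for g in group.guests]
    return changes

def audit(groups):
    """Map group name -> findings for groups that are unlabelled or have drifted."""
    findings = {}
    for g in groups:
        if g.sensitivity is None:
            findings[g.name] = ["no sensitivity label assigned"]
        elif (drift := plan_changes(g, g.sensitivity)):
            findings[g.name] = drift
    return findings

# Constructed sample inventory (not real tenant data).
INVENTORY = [
    Group("Softball league", "public", "anyone", True, sensitivity="General"),
    Group("Provisioning Solution", "public", "anyone", True, ("guest@example.com",), "Confidential"),
    Group("Project Pitch", "private", "disabled", False),
]
```

Running `audit(INVENTORY)` reports the public “Provisioning Solution” team tagged Confidential, with its pending guest removal, and the unlabelled “Project Pitch” team.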
Once John has made his group purpose and group sensitivity selections, ShareGate relays that information back to you in your dashboard.
Organize your teams by purpose and sensitivity for custom-fit container governance
In ShareGate, click on the Groups tab to see a list of all your teams and Microsoft 365 groups. The group purpose and group sensitivity options John selected are now visible in the “Purpose” and “Sensitivity” columns next to his team.
You can also manually assign a group purpose and/or group sensitivity category by selecting a team from the list, then clicking on Choose a group sensitivity (to assign a group sensitivity) or No purpose (to assign a group purpose).
Or, you can overwrite a selection made earlier by an owner by selecting a team, then clicking on either the assigned group sensitivity or group purpose.
In the example of John’s new team, you would click on Confidential (to change the assigned group sensitivity) or Particular topic (to change the assigned group purpose). Then, simply choose the category you’d like to apply from one of the categories presented in the drop-down list. In this case, let’s say you think “Highly confidential” is a better categorization for this team.
Once you’ve confirmed your choice, the new categorization automatically applies the corresponding security settings to the team. And, the new group sensitivity label appears next to the team name in the Manage tab, where you can organize and filter all your teams by business purpose and group sensitivity.
Want owners to only assign a purpose OR a sensitivity tag—and not both?
You can do that easily now that we’ve split up the policies.
Go to Categorization in Policies and toggle on the automation for the policy you want.
- Purpose tag to identify the business purpose of a team/group
- Sensitivity tag to identify the sensitivity level of the team/group, and automatically apply the right security settings to it
ShareGate is easy to set up and even easier to manage—no clunky interface, no coding, and no Azure AD premium subscription required.
If you’re a ShareGate customer, then we have great news! Your subscription now gives you full access to ShareGate at no extra charge! Activate your ShareGate account by signing in here. Make sure to have your ShareGate license key handy—you’ll need it to complete your activation.
If you’re ready to start categorizing your groups and teams, take a look at our group purpose documentation and group sensitivity documentation to learn how to set both features up!