Microsoft MVP Jasper Oosterveld (@jasoosterveld) covers processes you can implement to ensure your Teams environment remains organized, efficient, and secure.
As more and more organizations shift to distributed work, the use of Microsoft Teams—and the amount of teams and data in a tenant—has significantly increased. This means that smart identity governance for your Teams environment is more important than ever.
Team membership tends to change over time and guest access to content can exceed the original business need, resulting in ownerless teams and potential security risks. IT departments that rolled out Teams without a clear access control plan in place now face the challenge of finding a scalable way to prevent inappropriate access.
In the second session from ShareGate’s recent 3-part masterclass, Create a dream Teams: Mastering Microsoft Teams management across the entire lifecycle, I covered middle-of-life best practices that can help you maintain good identity governance in Microsoft Teams.
Maintain access control in Teams with these middle-of-life best practices from a Microsoft MVP:
What is identity governance?
Identity governance refers to the policies and controls that govern user identity management and access management. A security identity is vital to ensuring compliance with regulatory standards. Sometimes organizations have identity governance capabilities built-in, but ideally, you want to make sure you’re controlling user access at every level.
Access Control starts with regular reviews
Team membership tends to change over time as people move between departments and projects or leave an organization.
You want to be certain the right people have (or still need to have) access to a team and all it’s content because the people who need to be in a team at the beginning of a project don’t always need to remain in the team later on.
Securing your Microsoft 365 remote work infrastructure in hybrid environments to ensure seamless end-user management is critical when conducting regular reviews.
Has your Microsoft Teams owner left?
That’s why having team owners is so important, because owners are accountable for each team.
So, what kinds of permissions do owners, members, and guests have? First, let’s look at the different permissions available in Microsoft Teams:
As you can see, an owner can edit and delete a team, add members, and promote another member to owner status, among other things. This is because owners are responsible for managing their team and ensuring the content within it is secured.
But team owners are busy and they don’t always monitor who has access to what in Teams, so sometimes IT admins have to step in.
Understanding the different user permissions roles and what they can do is essential for maintaining a secure environment and ensuring smooth collaboration.
How to review who has access privileges in Teams:
- Within the Microsoft team itself
- Through the Microsoft Teams admin center
- Via Azure access reviews (note: this requires an Azure AD Premium P2 license)
- With ShareGate’s automated access management platform for Microsoft Teams
Something to look out for when you’re reviewing team membership is making sure that all of the teams in your tenant have at least one owner. Sometimes the owner of a team leaves the company. If you don’t have a second owner—which I definitely recommend having whenever possible!—then you can end up with ownerless Microsoft teams.
Members of an ownerless team will still be able to use it, but if the team is private, no one within the team will be able to add or remove users without the help of IT. Additionally, not having an owner who can manage your team’s membership and be held accountable for security can cause risks for your business.
There are a few ways you can identify ownerless teams:
- Microsoft Teams admin center
- PowerShell
- A third-party tool like ShareGate
ShareGate identifies ownerless teams for you allowing you to easily promote a new owner in the interface. ShareGate will actually make recommendations as to who might be the best candidate for a new owner based on user activity.
Access management recommendations:
- Role management: assign each team at least two owners! This helps guarantee accountability to the members of the team and the security of the content.
- Educate your owners on how to manage access of authorized users and guests.
- Implement a periodic review of membership to find and fix any ownerless teams.
Managing Access: Review external sharing links
External sharing links are great when you’re collaborating on a project with a freelancer, consultant, etc., but external users typically only need access to shared content for the duration of a project or goal.
If you share a link with an external user and never look back, you open yourself up to security risks if the content in that link changes or the external user’s relationship with your organization shifts.
That’s why I recommend conducting external sharing reviews, to reduce risk and guarantee that people outside your organization only have the right access.
Two ways to ensure access control:
- Run a report on file and folder sharing links for each team’s SharePoint site.
- Schedule automatic external sharing reviews with ShareGate’s administration solutions
Within SharePoint, if you go to “Site usage”, it gives you a little bit of insight into what type of content is shared with whom. But, it’s not the best way forward if you have a lot of sites, as you need to manually pull these reports for every site you have in your Microsoft 365 environment.
Once you’ve reviewed the external sharing links, you still need to determine if changes need to be made to a sharing link (or if access should be revoked), information that the team owner probably has a better handle on than an IT admin.
So, you’ll need to reach out to them and ask them to make any necessary changes. Then, you’ll have to manually log any changes for compliance and internal auditing purposes. All in all, it’s a time-consuming process.
We know access controls can be a pain. So, ShareGate lets you see all the links that have been shared externally within the app. You can remove access yourself by deleting those links. But again, owners typically know best where they’re at within the access lifecycle.
That’s why you can schedule external sharing reviews with ShareGate. It automates repetitive administrative tasks, so all you have to do is set a start date and the frequency at which you want links reviewed, and owners will be asked to review externally shared links and validate or remove access privileges.
You’ll be able to track the progress of each external sharing review in the app, and changes that team owners make will be logged automatically. Managing user access has never been easier.
My external access management recommendation:
- Implement a periodic review of external sharing links to prevent unnecessary access to sensitive content in your teams.
Identity governance takeaways:
- Periodically review user access and access requests of all your teams! Do this to identify ownerless teams (and then assign new owners), as well as to ensure that only external users have timely access.
- Team owners are typically in the best position to know whether or not external links still need to be shared, so make sure to get their input during your periodic reviews.
