Teams governance best practices: Secure collaboration in Microsoft Teams

We spoke to Microsoft MVP Jasper Oosterveld (@jasoosterveld) about Teams governance, the biggest misconceptions about Microsoft Teams, and best practices for secure collaboration in Microsoft Teams.

Microsoft Teams is much more than just a chat tool. Productivity tools like Teams have become crucial to supporting new methods of virtual collaboration and distributed work. But what exactly does that mean? And how can IT make sure that collaboration stays secure?

We asked Jasper about the future of collaboration in Microsoft Teams, along with best practices (aka Microsoft Teams governance) you can implement before your rollout to help keep your collaborative Teams content secure.

Q: What is Microsoft Teams?

A: Well, if I talk to customers, I describe it as a tool where you can collaborate with your colleagues as well as with people outside your company. So it’s like a collaboration tool where you can also communicate—or, put another way, it’s a communication tool to chat with your colleagues and external guests.

And since Microsoft announced they will be phasing out Skype for Business Online, that’s also where you see Teams being positioned, to take over that communication aspect.

You can do a lot more, but that’s basically the description I give when I first start talking to my customers about Teams—before I show them the whole tool and what it can and can’t do.

Q: What are some of the biggest misconceptions people have about Microsoft Teams?

A: The biggest misconception I see my customers having with Teams is that they see how easy it is to use and they think: “Oh, we can just roll it out. I can just turn it on, make sure everybody has the application, and then everything will sort itself out.”

That’s not going to happen. What you’ll probably see if you do that? It’ll become a mess very quickly. Because of that, I always recommend putting some governance in place—so making sure that you have a plan for people creating Teams, how your content is being stored, and how you work with external people. That’s what I would definitely advise you to do.

Don’t think you can just turn it on and it’ll go sort itself out because it’s so easy to use. You really need to think about governance before you start using it.

Q: How do you see the future of Teams?

A: I think the future of Microsoft Teams is very interesting. It’s being positioned as the tool to use for the modern workplace. So Microsoft basically wants every business to use it to collaborate and communicate.

I think they’re definitely doing a lot of good things. The only thing I’m a little bit worried about is that it seems like they’re trying to have it do everything. And I kind of see some parallels with how SharePoint was in the past, around SharePoint 2007 and SharePoint 2010. It had to be the platform to do everything, and it couldn’t, because it wasn’t really made for it. I’m a little bit afraid Teams is trying to do the same thing, and that’s the part that worries me a little bit: are they going to be able to do that?

On the other side, what I’m really happy with and what I see a bright future for is how easy it is for the end user. Because you can basically keep working within the context of your activities.

So, what does that mean? That means if I’m working in a team—so working around a project—I don’t have to open five other tools to do my job. I have the Teams application, where I can work with my files, I can chat, I can work with my tasks in Planner, all while staying within the context of that project. I think that’s such a powerful aspect of Teams, and I think that’s what’s really going to make it have a good future.

Q: What are some common challenges your customers face when deploying Microsoft Teams?

A: One of the biggest challenges we see has to do with Teams vs Skype for Business.

That’s because Skype for Business is the communication tool most customers are familiar with and have been using for years. It’s what they’ve been using for chatting one-on-one and online meetings. And now you have Teams with those same capabilities, and Microsoft announced they’re phasing out Skype for Business. So right now you basically have two tools that kind of do the same thing—and that can create confusion with users.

What we tell our customers is: if you’re not ready yet to phase out Skype for Business, disable the chat option in Teams for now so that people still use the chat tool they’ve been using for years. They can start to get used to the conversation functionality in Teams by working in channels.

When you are ready to phase it out, you can re-enable that feature. Explain to people that you’re phasing out Skype for Business and why, have some training sessions where you explain how to use Teams and what the benefits are, re-enable chat functionality, and then off you go—now you can use Teams.

That’s just one of the main challenges. The other big one is, of course, governance. People want to know what best practices they should implement with Teams in terms of policies and procedures. So things like setting policies for creation, naming, expiration, and guest access.

Q: What Microsoft Teams governance best practices should be implemented before deploying Teams?

A: When I talk to my customers who would like to deploy Microsoft Teams, I always discuss the governance aspect of it. I think that’s very important to think about before you start. And there’s a few aspects of governance you should consider.

  1. Creation process
  2. Naming conventions
  3. External access

How to manage who can create teams

One of the first things you should think about is how to manage the creation process. Is everybody able to create teams?

I think, on one hand, you should definitely give people the freedom to create teams because otherwise they’ll start using a different tool—Box or DropBox or Trello—and then you’re dealing with the threat of shadow IT.

If you do enable self-service creation, you definitely need to have some policies in place. You need to make sure you know what each team is for, so you should have a naming convention. Do you want to allow external access? Do you want to use expiration policies?

You can create and enforce policies manually, or you could set automated governance policies with a third-party tool. Either way, if you open up team creation to everybody, make sure you have those governance plans in place so things don’t get out of control.

Naming conventions for Teams

The second thing to think about—and this ties into managing the creation process—is a naming convention. The name you choose for a newly created team impacts several aspects of Microsoft 365, so it’s important to take this step seriously.

Naming will especially affect a team’s:

  • SharePoint site collection
  • Outlook email address

On the SharePoint side of things, if you create a team in Teams and then go to the team site, you have a URL. So let’s say I created a team called “Marketing”.

The URL would just say:

What we like to do when creating a team for a department or project is put a little naming convention before it—so it says PRJ (the abbreviation of project) followed by the name of the project. This makes it easier for users to know what type of team or team site it is.

A naming convention is also crucial because Teams doesn’t give you a heads-up to let you know that a team with that name already exists. Within Teams, you’ll see two teams with the same name. And since each team also comes with its own modern SharePoint team site, Microsoft 365 will add a random number behind the name of the site collection if that name already exists.

For example:

Not only does that look ugly, it’s also confusing, and isn’t user friendly at all. Read more on how to create an effective naming convention for Microsoft 365 Groups.

Managing external access

Are you going to allow people within a team to invite guests? I definitely think that you should, because if you don’t they’ll find a different way—they’ll send an email with attachments or they’ll start to use a different tool—and that’s something you’re trying to avoid. You need to think about how to secure external file sharing before you roll out Teams.

So when I talk to customers, I ask: “What is the purpose of this team? Is it only for an internal department?” Because in that case, I don’t think you really need to collaborate externally. That team probably contains a lot of sensitive content that you don’t want to be shared.

If you create a team for a project, where people might need to collaborate externally, you definitely want to enable external sharing—but make sure you have a clearly defined policy around it. For example, you could allow that team to invite guests if they need to work on a project, and if you create a team for a department you could turn external sharing off.
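An audit of the three governance points from this answer (the PRJ prefix for project teams, duplicate names and the numeric site suffix they cause, and guest access on department teams), as an added example that is not part of the interview or of any Microsoft or ShareGate tooling. The CSV columns, the separator after PRJ and the alias derivation in `squash` are assumptions; the sample rows are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed inventory export; column names are assumptions, not a Microsoft format.
SAMPLE_EXPORT = """display_name,purpose,guests_allowed,site_alias
Marketing,department,false,Marketing
marketing,department,true,Marketing4821
PRJ Website Relaunch,project,true,PRJWebsiteRelaunch
Office Move,project,true,OfficeMove
Finance,department,true,Finance
PRJ Budget2024,project,false,PRJBudget2024
"""

# "PRJ" comes from the interview; the separator that follows it is an assumption.
PROJECT_PREFIX = re.compile(r"^PRJ[ \-_]\S")


def squash(name):
    """Approximate how a display name collapses into a site alias (assumption)."""
    return re.sub(r"[^A-Za-z0-9]", "", name)


def audit(export_text):
    """Return {(display_name, site_alias): [finding, ...]} for rows that break policy."""
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Teams does not warn about an existing name, so group names case-insensitively.
    by_name = defaultdict(list)
    for row in rows:
        by_name[row["display_name"].strip().casefold()].append(row)

    findings = defaultdict(list)
    for row in rows:
        name = row["display_name"].strip()
        alias = row["site_alias"].strip()
        purpose = row["purpose"].strip().lower()
        guests = row["guests_allowed"].strip().lower() == "true"
        key = (name, alias)

        if purpose == "project" and not PROJECT_PREFIX.match(name):
            findings[key].append("missing-prj-prefix")
        if purpose == "department" and guests:
            findings[key].append("department-team-allows-guests")
        if len(by_name[name.casefold()]) > 1:
            findings[key].append("duplicate-display-name")

        # A purely numeric tail beyond the squashed name marks a collision at creation.
        # A name that itself ends in digits (PRJ Budget2024) leaves no tail and passes.
        base = squash(name)
        tail = alias[len(base):]
        if alias.lower().startswith(base.lower()) and tail.isdigit():
            findings[key].append("numeric-suffix-on-site-alias")
    return dict(findings)


if __name__ == "__main__":
    for (name, alias), issues in audit(SAMPLE_EXPORT).items():
        print(f"{name} ({alias}): {', '.join(issues)}")
```
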

Q: Microsoft Teams vs SharePoint: When should you use each one?

A: I get this question a lot from customers: “When should I use SharePoint and when should I use Teams?”

And for us, it’s been a tricky question to answer for a while because Teams and SharePoint really work together very tightly. But if you take a step back and look at SharePoint, you basically have two SharePoint templates: you have the team site and you have the communication site.

The communication site is the easiest one because the name says what it does: it’s for communicating, which means it’s basically for intranet portals. So if you’re looking to create an intranet portal, you use the communication site—and there’s no collaboration aspect to it because the communication site is not connected to a Microsoft 365 group. That also means there’s no team, there’s no Planner, there’s no OneNote, Power BI, Stream, etc. For pure communication, such as broadcasting information to your entire organization, you’d use a communication site.

It gets a little bit more confusing with a team site. Because if I create a team in Teams, I get the Files tab—and that’s basically SharePoint.

Essentially, the two help each other. Instead of comparing them, you want to be thinking about how you can use a team site in combination with Teams. A SharePoint team site is there to store the files, build knowledge base Wiki pages, and create contact details and quick links. And what I really like is that you can expose parts of the team site through a tab. So if I created a really nice welcome page on my SharePoint team site, for example, I can show that within the connected team in Teams with a tab.

Q: Should you start with a SharePoint team site and then create a team, or create everything in Teams?

A: What we do now around collaboration is basically always advise using Microsoft Teams, and then you will get your team site automatically.

There are a few situations where companies aren’t ready to start using Teams right away, and that’s fine, actually. Because then, they can start with team sites; they can use them for storing their documents, they can add quick links, they can work with pages and news posts. And when they’re ready, once they’ve gotten used to working with team sites and are ready to move on to the next step—having conversations around the content they store—there’s an option in team sites in the left bottom corner of the site asking “Do you want to connect this to a team in Teams?” If you click on that button, a team in Teams is automatically created. And once you refresh the page, you’ll have a link to Teams on the left side Quick Launch panel.

So it’s definitely possible, and actually quite easy, to deploy Teams later when you have existing SharePoint team sites. But we try to get our customers to immediately start with Teams. Because then you already have the conversation aspect of it and you’re creating team sites you can use for storing your documents.

Basically both ways are possible, and there’s definitely nothing wrong with doing it the other way around if they’re starting with SharePoint.

Q: What’s the best way to organize files in Teams?

A: Organizing files in Teams can be a bit tricky. That’s because we basically all come from the SharePoint path—at least, that’s where we learned that folders are bad and you shouldn’t use folders. So then we were told to use metadata, so now we’re all using metadata. And then we found out that it’s actually a bit difficult for people to apply metadata. So Microsoft improved the search, where basically folders are fine again, so we’re switching back to folders.

Now, we have Teams—where, if you have multiple channels, it can look similar to folders, so people get very confused. People don’t know how they’re supposed to structure their files, they don’t know what to use.

From a SharePoint point-of-view, I recommend you just use folders, so long as you don’t go too deep. Like, don’t overdo it and create ten subfolders, but one or two is definitely fine.

And then you should think about each team and what kinds of topics you want to discuss. Because you can create different channels within teams, and each channel automatically creates a folder in that team’s central document library. So I advise taking a step back and thinking about all the files you need to collaborate on, and whether that can be translated into different channels.

For example, you want to collaborate within your finance department. You could create a channel called “Budgets” and then move all the related content into that folder you just created. You could do the same thing for another channel called “Yearly review”.

So I think you need to view it more from that side, think about what kinds of topics you’d like to apply in Teams and then organize your existing content that way.

Q: What are your top 3 tips for protecting content in Teams?

A: To protect your content in Teams, you should consider using:

  1. Data classification
  2. Public vs private teams
  3. Private channels

Configure sensitivity labels to classify your data

The first thing I would be looking into is data classification—more specifically, I would take a look at sensitivity labels (formerly known as Azure Information Protection) in the Security & Compliance center.

Essentially, sensitivity labels let you classify—and, if you choose to, protect—your sensitive content across different Microsoft 365 apps.

With sensitivity labels, you can:

  • Enforce protection settings, like encryption or watermarks
  • Protect content in supported Microsoft 365 apps across different platforms and devices
  • Protect content and extend sensitivity labels to third-party apps and services with Microsoft Cloud App Security

That basically means applying a sensitivity label to a document, such as “Internal” or “Sensitive” or “Highly sensitive”. After a label is applied, the protection settings for that label are enforced. So if you labelled a document as “Highly sensitive”, for example, it becomes encrypted. That means that nobody outside Contoso is able to work with that document.

Up until recently, it was only possible to apply sensitivity labels to emails or documents. In 2020, Microsoft introduced the ability to configure sensitivity labels at the Groups & sites scope. 

Now, you can also use sensitivity labeling to protect content in the following containers: 

  • Microsoft Teams sites 
  • Microsoft 365 groups 
  • SharePoint Online sites 

It’s important to remember, though, that because this feature uses Azure AD functionality, your organization needs to have at least one active Azure Active Directory Premium P1 license.

Public vs private teams: Know the difference

The second thing you should look at is around using public or private teams.

To recap:

  • Public teams are visible to everyone, and can be joined without approval of the team owner.
  • Private teams can only be joined if the team owner adds you. You can also choose to turn discoverability off so that people can only find the team if it’s shared by an owner or member.

So if you know that the content is sensitive, you make that team private. That way, the owner (or owners) have to select who to invite to the team—and those that are invited should treat that content in a sensitive manner.

Use private channels within a team

The third thing is very new—Microsoft only completed worldwide rollout the week of Ignite 2019—and that’s private channels in Teams.

Private channels let you create focused collaboration spaces amongst a subset of individuals in a team. Anyone, including guests, can be added to a private channel as long as they’re already members of the team—but only the owners or members of the private channel can access it.

You might find a private channel useful for:

  • Limiting collaboration to a select group of users on a need-to-know basis
  • Facilitating collaboration between people assigned to a specific project without having to create another team

Let’s say you have a team you don’t necessarily want to close—you want it to be open, but there are some parts of it that you want to be private. Then you can create a private channel and only add people you want to have access to the content stored within it. So that’s another great way to protect your content in Teams.

Q: What should IT admins do to keep teams organized within the Teams application?

A: I think you also need to look at it from an end-user perspective, so I’ll actually address both sides.

  • How end users can keep their teams organized within Teams
  • How IT admins can keep Teams organized

How end users can keep their teams organized

When I do trainings or talk with customers—basically the business end users of the company—I tell them there are a couple of ways to do that.

Leave teams you don’t use anymore

First of all, you can leave a team. There’s no shame in that. I do it, too. We work internally with expert teams on certain projects. And if I’m not involved anymore, I do something else. Why would I keep that team on the left side? It can become a very long list. I tell users it’s fine to just leave. If you need to go back, you can always rejoin. There’s no shame in that. So leave teams if you can.

Hide teams you don’t use regularly

The second would be try to use that Hide and Show option. Let’s say you have twenty teams you’re a part of but you only really use five. Go to the name of a team you don’t use, click on More options, and select Hide. That way, you make it so you only see those five teams you do use, and all the other ones are hidden under that More button.

Change the order of your teams

The other thing you can do is change the order based on how often you use them. So move the teams you use the most up to the top, and move the others down below.

How IT admins can keep Teams organized

For IT admins trying to keep Teams organized at the tenant level, I would suggest finding the teams nobody is using anymore and getting rid of them.

To do that, you should consider:

  • Setting an activity-based expiration policy in Azure AD (Azure AD Premium subscription required)
  • Using a third-party automated governance tool

Set a Microsoft 365 Groups expiration policy

Definitely look into setting a Microsoft 365 Groups expiration policy in Azure AD. Do teams really need to exist forever? I don’t think so. Of course, you have the departments that will be there forever, basically. But other teams—like teams created for projects—yeah, definitely clean those up.

And with the recently-rolled out activity-based Teams renewal feature, you can now set an expiration policy based on user activity. Before, expiration was only based on the time period you set.

But if you use an expiration policy, team owners can only decide whether to delete or renew. And you can’t get deleted content back past Microsoft’s 30-day “soft-delete” period.

Automate your governance with a third-party tool

Instead, you can use an automated governance tool like ShareGate to actually archive teams, so to speak. You can set up an expiration policy based on user activity; if a team is inactive for the length of time you set, the owner gets an email asking if they want to keep this team or archive it.

And when you archive it, all that team’s SharePoint content gets stored on either your Azure storage or ShareGate’s. So you can delete that team, but still have access to its content indefinitely. I definitely advise doing that.

The biggest thing is don’t keep stuff around forever. Just don’t do that.
