Due to global events, many IT departments have had to accelerate, or in some cases deploy from scratch, their remote working solution. For many IT professionals this has been about the deployment of Microsoft Teams. The number of MS Teams users has doubled since the beginning of the year to 44 million users daily, and while the Microsoft suite is a familiar tool to most organisations, MS Teams best practices and governance may not be.
As many IT Teams begin to move from a mobilisation phase and into risk management, securing and managing your Microsoft estate becomes a hot priority. Here are our 10 tips for MS Teams governance and best practice.
1. Limit Team Creation
By default anyone can create a new Team collaboration space. Making sure your key stakeholders have the ability to create new Teams is a great way to drive adoption, however it is important to avoid this becoming a free for all.
MS Teams allows you to restrict Teams creation to either IT administrators or a group of specific users, depending on your specific requirements.
NB: IT Administrators will already have elevated rights, but you may need to check your licence to see if any other users you have identified have the relevant versions to Teams creation.
2. Create a Naming Policy
It is challenging to manage your Teams if you don’t know why they exist or what they are used for, which is why limiting the users who can create a Teams space is key to your internal governance.
Another way to help is to use an automated naming policy for groups within Office 365. This will add a combination of a fixed word and Azure Active Directory attributes such as [department] or [office] as a suffix of prefix. This way, you will be able to see instantly who has created the group and how many Teams spaces have been created for each department/ location/ team, etc.
We recommend discussing your naming convention with key stakeholders and to clearly communicate to users how and why the policy exists before any roll out.
MS Teams also allows you to add a list of blocked words to your naming convention. A useful way to use this feature would be to add department names to the block list, once their formal Teams space has been created, so that multiple department streams don’t occur. For example, once your HR department has a Teams space, you could add [HR] and [Human Resources] to the block list so that multiple Teams can’t be created and cause confusion. This will force your users to clearly label their Teams spaces, making their purpose more obvious.
3. Implement a Data Life Cycle
During the initial rollout it is possible to end up with a large number of Teams, especially if you haven’t restricted the number of users that can create a Teams space, many of which will become stale as they do not serve a clearly defined purpose. This is particularly common with early adopters prior to initial governance being in place.
The good news is that each Team is covered by the same security and compliance settings as the rest of your SharePoint sites.
To start managing the sprawl now is a good time to instigate an Office 365 group expiration policy. It is possible to define a period of days after which an Office 365 group and its associated resources will be deleted if there is no activity. Activity is defined as:-
- SharePoint - view, edit, download, move, share, or upload files.
- Outlook - join group, read or write group message from the group, and like a message (Outlook on the web).
- Teams - visiting a teams channel.
So for example, you could set a group expiration date for 365 days, which would delete any groups that had no activity for one year. The group owners will receive an email 30 days before the expiration date, giving the option to renew the group and an admin can restore the group for up to 30 days after it has been deleted.
4. Limit External Access
The default setting is to allow open federation with external organisations. This lets people in your organisation find, call, chat and set up meetings with external parties who are running Teams or Skype for Business.
We recommend changing this this to Allow Specific Domains, this will give you the ability to control with whom information can be shared outside your organisation, which is especially important with a distributed workforce.
5. Restrict Guest Access
Not to be confused with external access settings. This is disabled by default and allows an organisation to invite anyone with a business or consumer email account access to team chats meetings and files. This would be relevant if you were closely collaborating with your customers or a third party, but we recommend confirming that guest user permissions are limited and disabling the ability for guests to invite more guests, or to create or delete channels.
NB: not all guest settings are found within the Microsoft Teams Admin Centre, a few recommend settings live under Azure Active Directory user settings.
6. Create a Messaging Policy
Keep messages and content suitable for work and in line with company standards by controlling the use of Gifs, Memes, Stickers and applying a content rating.
We also recommend considering whether to allow users to edit and delete send messages that may need to be retraced.
7. Consider a Meetings Policy
MS Teams allows you to record and transcribe your meetings, but these features should be considered under your current company policies. If you choose to record or transcribe a call it should be clearly signposted to all attendees.
We also recommend that you consider only allowing employees to have direct access into meetings, and holding guests in a lobby before the organiser is ready to allow them into the meeting.
Finally of note, this is where you can reduce the quality of the media stream. We don’t recommend this as Teams already scales intelligently based on the available bandwidth. If this is a route you need to go down, especially during total remote working, then we recommend creating a policy targeting specific users, this way you will not be degrading the experience for the majority of users, but still targeting problem cases.
8. Manage Integrated Applications
One of the most powerful tools within Microsoft Teams is the ability to integrate 3rd party apps. By default any user can install and use a supported application. You may want to consider allowing only Microsoft applications and managing a specific list of agreed upon 3rd party applications.
For example, at Ideal our Marketing team have integrated Trello so that they can use this productivity tool seamlessly within Teams.
9. Consider a Message Retention Policy
This can be easily overlooked, as it is not a Teams setting but in the Office 365 Security & Compliance centre.
It is possible to set a retention policy for Teams chats and Teams channel messaging so that you can set an expiry from the day a message is sent. For example, messages will expire three years after the message is sent. This is helpful if you have years of messages between users that are no longer relevant.
It's important to note that your "lifecycle" expiration and message retention policies work in tandem. So if your O365 lifecycle is set to expire after one year, but your message rentention is set to two years, then users won't be able to see their messages after the first year, but they will be accessible to IT admins until the message retention kicks in.
10. Analyse Call History & Monitoring
Originally found in the Skype for Business Admin Centre, this has now been fully integrated into the Microsoft Teams Admin Centre, however the location isn’t obvious. Now found under Users, it is possible to see an individual’s call history (traffic, devices, headset, etc) over the last 30 days. This contains device usage and network quality and is invaluable when trouble shooting individual call issues.
However, if you want to review broader trends then the Call Quality Dashboard will provide call quality trends going over the previous 90 days and this is still found in the Skype for Business Legacy Portal. Analysing your call quality will give you insight into how your network is performing.
Whatever stage of maturity you’re at with MS Teams, and however robust your security and compliance already is, hopefully these tips have helped you understand how Teams can be configured for maximum security and collaboration while your employees are working away from the office.
If you want to discuss how to optimise and adopt MS Teams or Office 365 further, book a meeting with one of our experts today.