Forum Discussion
Securing Microsoft Teams Best Practice & Cleanup
Working on a Teams environment that is fully wide open. They have seen a huge number of Teams created and are looking to get it under control from here on out and clean up. Wanted some advice on what you recommend doing and if you have the instructions to complete those tasks. My thoughts would be:
- Block Team creation where IT would need to be involved. I believe this could be accomplished by blocking M365 Group creation.
- Way to expire or archive old Teams with no activity in X amount of time?
Also, how are you handling guest invitations or access? Doing anything that allows but might secure things better for the organization.
Thanks all.
2 Replies
- MickAdams (Copper Contributor)
Government or Private?
I'm in gov and we don't allow users to create their own Teams - they complete a form and it is approved (or not) by our Information Managers.
This has helped to greatly limit the number of unused Teams and those not really required.
We archive Teams after 6 months of inactivity but also work with previous Team Owners to ensure all documents in the Teams are moved to our recordkeeping solution for long-term management.
This is a manual process and therefore staffed but the initial Teams management makes this acceptable.
Org of approx. 1400 staff. Total Teams currently in use ~600.
- Nesha99 (Copper Contributor)
Block Teams creation: Correct, you will need to restrict the creation of M365 Groups and create a security group for those allowed to create new teams.
Expire or archive old Teams: To expire Teams, you can create an M365 group expiration policy in the AAD Admin Center. For archiving, you can go to the Teams Admin Center or archive the team using PowerShell or MS Graph.
There is also the option to use retention policies by going to MS Purview Compliance portal.
Governance Example Policy
“All guest accounts must be approved, require MFA, and be reviewed every 90 days. Guest accounts inactive for 90 days will be automatically disabled. Sharing of content must be restricted to authenticated guests only — anonymous links are prohibited.”
Quick Implementation Checklist
- Restrict who can invite guests
- Require MFA for all guest accounts
- Limit external sharing (no “Anyone with the link”)
- Classify Teams/sites with sensitivity labels
- Set up Access Reviews for recurring guest audits
- Enable logging & monitoring of guest activity
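The "restrict M365 Group creation to a security group" step from Nesha99's reply, as an added example using Microsoft Graph PowerShell (this is not code from the thread or from Microsoft). It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed, the caller can write directory settings, and a security group named "Teams-Creators" (a placeholder name) already exists.

```powershell
# Added example: block M365 Group (and therefore Teams) creation tenant-wide,
# except for members of one security group. "Teams-Creators" is a placeholder.
$AllowedGroupName = "Teams-Creators"

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

# Resolve the security group whose members remain allowed to create groups/teams.
$allowedGroup = Get-MgGroup -Filter "displayName eq '$AllowedGroupName'"
if (-not $allowedGroup) {
    throw "Security group '$AllowedGroupName' not found; create it before running this."
}

# Tenant-wide group settings are instantiated from the Group.Unified template.
$template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq "Group.Unified"

# Only these two values are touched: creation off for everyone, allow-list = our group.
$values = @(
    @{ name = "EnableGroupCreation";         value = "false" }
    @{ name = "GroupCreationAllowedGroupId"; value = $allowedGroup.Id }
)

$setting = Get-MgBetaDirectorySetting | Where-Object DisplayName -eq "Group.Unified"
if (-not $setting) {
    # No Group.Unified setting exists yet (common in a wide-open tenant): create it.
    $setting = New-MgBetaDirectorySetting -BodyParameter @{
        templateId = $template.Id
        values     = $values
    }
} else {
    # Setting already exists: update the two creation-related values in place.
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter @{
        templateId = $template.Id
        values     = $values
    }
}

# Read back and verify the effective values before telling users the change is live.
$current = (Get-MgBetaDirectorySetting -DirectorySettingId $setting.Id).Values
$current |
    Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId" } |
    Format-Table Name, Value -AutoSize
```

Users holding certain admin roles (Global Administrator, for example) can still create groups regardless of this setting, so the allow-list group is the only thing controlling ordinary users. The setting governs the M365 Group object, so it blocks creation from Teams, Outlook, SharePoint and Planner alike; existing Teams are unaffected and still need the expiration or archive step.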