Edited on 7/28/2020
Hi again, if you have seen my other blogs thanks for coming back! If not, just a quick intro. I am an Office 365 Technical Specialist for Microsoft and I work exclusively with Healthcare customers. Lately, I have been asked very similar questions over and over…
Even though I work with healthcare companies I know these questions are not unique to healthcare and will apply to all organizations looking for assistance with Teams administration and governance.
Introduction to Office 365 Groups
First, some of you already know this, but it is important before we move on that everyone understands that MS Teams is really a fancy User Interface (UI) for O365 Groups. It has a ton of amazing features, but in reality there is no data stored in Teams, and membership is managed by Azure Active Directory (AAD), where the identity is Office 365 Groups.
What is an Office 365 Group? A single identity for teamwork!
Moving forward, anytime I mention “Teams” please note that it goes hand in hand with “O365 Groups”. To manage Teams, you must understand this concept. If you need further information on O365 Groups, please check out this article.
Over the past few years as Teams has become the fastest growing product in Microsoft’s history, there have been many changes to administration capabilities and product features so this is an ever evolving list, but as of today, here are the primary questions you should ask yourself as you are considering enabling your enterprise for Teams. If you have already enabled your users don’t worry, you can still go back and add these settings where applicable.
Microsoft’s goal is to make Teams a completely self-service solution, meaning IT sets it up and then gets out of the way. This allows end users to do what they need to get their work done. You can use these 10 questions to help evaluate what settings you need to enable to get Teams set up, which empowers your users to creatively solve their business challenges and get their job done!
Some of my customers embrace the “Self-Service” capabilities for Teams, allowing all their users to create teams at will. Others, though, are fearful that users might create unnecessary, duplicate or inappropriate teams. For these companies, we recommend looking at the Creation permissions for O365 Groups.
By enabling this setting, only authorized users will see the “Create new team” button.
This setting allows you to select a set of users who are authorized to create teams. Some orgs keep this to IT only. I have found, though, that over time these organizations find that IT becomes a bottleneck for their users, and it stifles creativity. I highly recommend finding a happy medium between no one and everyone.
Many of my customers settle on allowing all “people managers” to create teams.
If this still does not make you feel comfortable with allowing self-service team creation, I encourage you to read through these other questions, because many of them resolve the most frequent reasons why people are concerned with a self-service team creation policy. Hopefully this will help you feel better about empowering your users to be innovative, collaborative and creative with Teams.
A new option that has presented itself in this area is to use the MS Teams App Template for "Request a Team"; the details can be found here.
This app template called "Request-a-team" is a Microsoft Teams app that optimizes new team creation for your enterprise organization. The app supports standardization and best practices when creating new team instances through the integration of a wizard-guided request form, an embedded approval process, a request status dashboard, and automated team builds. These workflows can take into account many policies and permissions that we discuss below in this article.
The Naming policy for O365 Groups will allow you to do just that: you can select a prefix, a suffix and create a banned word list. Microsoft has already created a profanity list, so you don’t have to worry about adding any of those naughty 4-letter words to your banned list. However, maybe there are other words you want to ban, like “Firing”, so someone does not name a team “Firing Committee”. I’m sure you can come up with some in your organization that would make sense.
As another example, I have seen organizations add a prefix like “GRP-” or “Team-” or even a 3-4 digit code based on an AD attribute for department or location. This would result in a Team name that looks like:
For an “All IT” Team
For an “Onboarding” Team in HR
These settings are very simple and can be configured in Azure Active Directory (AAD) under groups.
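Both of these settings live in the same Azure AD directory settings object (the Group.Unified template), so here is an added example of configuring the creation restriction and the naming policy together from PowerShell. This is my illustration, not code from the original post or from Microsoft; the security group name "Team Creators", the "GRP-[Department]-" prefix and the blocked words other than "Firing" are placeholders you would replace with your own.

```powershell
# Added example: restrict O365 Group/Team creation to one security group and apply a
# naming policy, using the AzureADPreview module's Group.Unified directory settings.
# Placeholder values: the "Team Creators" group name, the prefix and the blocked word list.
Import-Module AzureADPreview
Connect-AzureAD

# Create the tenant-wide Group.Unified settings object if it does not exist yet.
$settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $settings) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $settings = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settings | Out-Null
    $settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
}

# Creation permissions: only members of the "Team Creators" security group (for example,
# all people managers) see the "Create new team" button. Everyone else is blocked.
$creators = Get-AzureADGroup -SearchString "Team Creators" | Select-Object -First 1
if (-not $creators) { throw "Security group 'Team Creators' not found; create it first." }
$settings["EnableGroupCreation"]        = "false"
$settings["GroupCreationAllowedGroupId"] = $creators.ObjectId

# Naming policy: [Department] is an AAD attribute token expanded per creator; [GroupName]
# is the name the user typed; everything else is a fixed prefix/suffix. The custom blocked
# words are added on top of Microsoft's built-in profanity list.
$settings["PrefixSuffixNamingRequirement"] = "GRP-[Department]-[GroupName]"
$settings["CustomBlockedWordsList"]        = "Firing,Layoff,Termination"

Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Verify what was written before telling anyone the policy is live.
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values |
    Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId",
                               "PrefixSuffixNamingRequirement", "CustomBlockedWordsList" }
```

One thing to keep in mind: the creation restriction applies to every workload that creates O365 Groups (Outlook, Planner, SharePoint), not only Teams, so test it with a user outside the allowed group before you announce it.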
Some of my customers are worried about “teams sprawl” or duplicate Teams. But by setting an Expiration policy you can avoid this unwanted sprawl. An expiration policy will send an email to the owner(s) of the Team 30 days prior to expiration asking them if they would like to renew their Group. If they are still using the team, they simply hit the button to renew! If they do not press the button, they will get another notification 3 days prior and 1 day prior to the expiration.
If they don’t renew, the Group will go into a Soft delete for 30 days. If for some reason after the 3 reminders a user lets their team expire and they need it back, don’t worry we have the ability for an admin to use the Soft delete and restore feature. However, after 30 days even an admin can't restore the team.
Here is an example of what the end user email will look like.
For legal and compliance reasons, most large organizations also need to look at setting Retention policies for Teams. You can look at Retention in two ways: how long you want to keep the data, or how soon you want to delete it.
To accomplish this there are 3 Retention policies you need to set:
Each retention policy can be the same or different; they have no dependencies on each other. My recommendation to IT Admins is to check with your legal or compliance office to determine any regulations your organization must adhere to and allow them to guide you on how long you want to retain this information. Usually we find that Teams Chat retention closely mirrors email retention.
Retention is not the same as expiration, though. Just because a team has expired does not mean the content is deleted. For example: if your expiration is 6 months and retention is 2 years, the team will be deleted after 6 months (if not renewed) but the content will be retained for 2 years.
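To make the expiration-versus-retention distinction concrete, here is an added example (mine, not from the post) that sets up exactly the 6-month expiration / 2-year retention scenario described above: the expiration side is an Azure AD group lifecycle policy, the retention side is a Security & Compliance retention policy. I chose Teams chats and channel messages as the retention locations for the illustration; the policy names and the "compliance@contoso.com" address are placeholders.

```powershell
# Added example: 180-day group expiration next to 730-day Teams message retention.
# Placeholder values: the policy names and the alternate notification address.
Import-Module AzureADPreview
Import-Module ExchangeOnlineManagement
Connect-AzureAD
Connect-IPPSSession     # Security & Compliance Center PowerShell

# Expiration: owners are mailed 30, 3 and 1 days before the 180-day lifetime ends.
# ManagedGroupTypes "All" covers every O365 Group; to pilot on a few teams first, use
# "Selected" and add groups with Add-AzureADMSLifecyclePolicyGroup.
$lifecycle = Get-AzureADMSGroupLifecyclePolicy
if (-not $lifecycle) {
    New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 180 -ManagedGroupTypes "All" `
        -AlternateNotificationEmails "compliance@contoso.com"   # who is mailed for ownerless groups
} else {
    Set-AzureADMSGroupLifecyclePolicy -Id $lifecycle.Id -GroupLifetimeInDays 180 `
        -ManagedGroupTypes "All" -AlternateNotificationEmails "compliance@contoso.com"
}

# Retention: keep Teams chat and channel messages for 730 days regardless of team expiration.
# Teams locations need their own retention policy, separate from Exchange/SharePoint locations.
$policyName = "Teams messages - keep 2 years"
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName -Enabled $true `
        -TeamsChatLocation All -TeamsChannelLocation All
    New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
        -RetentionDuration 730 -RetentionComplianceAction Keep
}

# Net effect: a team nobody renews is soft-deleted ~180 days after creation and purged 30 days
# later, but its messages stay retained and discoverable until 730 days have passed.
Get-AzureADMSGroupLifecyclePolicy
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail
```

The `-DistributionDetail` switch on the last line shows whether the retention policy has actually finished deploying to the Teams locations; a policy that reports "Pending" is not protecting anything yet.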
Because you can set multiple policies that might overlap it is a good rule of thumb to keep in mind the principles of retention:
Another setting that is usually configured based on guidance from legal and compliance is Data Loss Prevention. DLP is very important to Healthcare organizations, as they deal with Personal Health Information (PHI) on a regular basis. However, there are many other sensitive and confidential data types that you don’t want to fall into the wrong hands.
Whether your organization has pre-existing DLP policies or needs to start from scratch, you can now define policies that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session.
Collaborating with people at other companies is a huge part of work today, especially in a hospital system. Many doctors that practice at one hospital are employed by another system, are self-employed or own their own practice, so they are technically not your employee. Sometimes I see orgs allow these workers, doctors, contractors or even vendors who are not technically employees, to have an O365 license which means they are not considered a guest. Someone who does not have a license in your O365 tenant though would be considered a Guest.
I find Guest access in my own day-to-day very helpful. I have teams with my customers, and customers have invited me and other vendors into their Teams environment. What is great about Guest access is that IT Admins don’t have to worry about managing the guest’s identity. It is a BYOI, Bring Your Own Identity, solution.
As an IT admin if you are not fully comfortable with allowing your users to invite anyone to a team you can whitelist or blacklist specific domains (shown below). Or if you want to get more granular, you can set up a Guest Inviter role, which limits who can invite guests to your team.
One of our most recent features is Guest Access review which is an advanced feature and requires AAD Premium Plan 2. It provides an additional way for an IT Admin to put the team owners in control of managing their own guests.
Most of our customers are coming from some sort of chat or instant messaging platform. If that is Skype for Business Online or Server, you are in luck! Any Federations you have set up in Skype will be carried over to Teams when you migrate your users, and their contact lists too. However, if you are not currently using Skype Federation, you can take advantage of Teams Federation, also known as External Access.
This feature allows you to select domains that you work with regularly to enable chat for your users and users of an external organization.
Without this turned on, users will only be able to chat with other users in your organization and Guests (if you have that turned on).
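Because the guest domain allow list and the External Access domain list are two separate controls that are easy to confuse, here is an added example (mine, not from the post) that configures both side by side: the guest list is an Azure AD B2B policy, the External Access list is the tenant federation configuration. The domains "partnerhospital.org" and "vendor.com" are placeholders.

```powershell
# Added example: guest-invite domain allow list (Azure AD B2B) next to the Teams External
# Access (federation) allow list. Placeholder domains: partnerhospital.org, vendor.com.
Import-Module AzureADPreview
Import-Module MicrosoftTeams
Connect-AzureAD
Connect-MicrosoftTeams   # the Cs* cmdlets below come from the Skype for Business Online set bundled here

$partnerDomains = "partnerhospital.org", "vendor.com"

# Guest access: only accounts from the allowed domains can be invited as guests.
# Guests become members of a team and get a guest object in your tenant.
$b2bDefinition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = $partnerDomains
            BlockedDomains = @()
        }
        AutoExtendPortalAccess = $false
    }
} | ConvertTo-Json -Depth 5 -Compress
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq "B2BManagementPolicy" }
if ($existing) {
    Set-AzureADPolicy -Id $existing.Id -Definition @($b2bDefinition)
} else {
    New-AzureADPolicy -Definition @($b2bDefinition) -DisplayName "B2BManagementPolicy" `
        -Type "B2BManagementPolicy" -IsOrganizationDefault $true
}

# External Access: federated users keep their own tenant identity and can only chat and call
# with your users; they never become members of your teams and never appear in your directory.
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Verify both lists.
(Get-AzureADPolicy | Where-Object { $_.Type -eq "B2BManagementPolicy" }).Definition
(Get-CsTenantFederationConfiguration).AllowedDomains
```

Note that the federation change only affects chat and calling; a user whose domain is on the External Access list still cannot open a team's files or channels unless they are also invited as a guest.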
Again, many of my customers are coming from a Skype environment. If you are not, then you can skip this section as it will not apply to you. However, if you are, we need to talk about setting your Coexistence/Upgrade Mode. In the SfB and Teams Admin center there is a “Coexistence Mode”, and it defaults to Islands Mode. Islands Mode means there is no coexistence or interop between SfB and Teams. Users will have to manage both clients, which can be confusing.
There are a few different modes you can select from though:
Any mode other than Islands creates interop. You will need to select one of them as your default policy and then can move users to other policies as needed.
Usually we see the default mode set to SfB with Teams Collab, and then as the org is “migrated” to Teams, they are simultaneously moved to Teams Only Mode. That way all users can keep chatting regardless of their primary client.
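Here is that exact pattern as an added PowerShell example (mine, not from the post): the tenant default goes to SfB with Teams Collab, and each migration wave is moved to Teams Only as it is cut over. The CSV path and its single "UserPrincipalName" column are placeholders.

```powershell
# Added example: tenant default of SfBWithTeamsCollab, then per-user moves to Teams Only.
# Placeholder: C:\migration\wave1.csv with a "UserPrincipalName" column.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Tenant-wide default, replacing the Islands default. The built-in upgrade policies are
# Islands, SfBOnly, SfBWithTeams, SfBWithTeamsCollab, SfBWithTeamsCollabAndMeetings
# and UpgradeToTeams (Teams Only).
Grant-CsTeamsUpgradePolicy -PolicyName SfBWithTeamsCollab -Global

# Per-user: everyone in this migration wave goes to Teams Only. MigrateMeetingsToTeams
# converts their existing scheduled Skype meetings so nothing breaks on the calendar.
$wave = Import-Csv -Path "C:\migration\wave1.csv"
foreach ($user in $wave) {
    Grant-CsTeamsUpgradePolicy -Identity $user.UserPrincipalName `
        -PolicyName UpgradeToTeams -MigrateMeetingsToTeams $true
}

# Report how many users are on each effective mode; with SfBWithTeamsCollab as the default,
# Teams Only users and SfB users can still chat with each other through interop.
Get-CsOnlineUser | Group-Object TeamsUpgradeEffectiveMode | Select-Object Name, Count
```

The report is worth re-running after each wave: a user who shows up in "Islands" despite the new default has a per-user policy assigned that overrides the global one.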
Some customers have existing on-premises Distribution Lists that could really benefit from the collaboration capabilities of Teams. Maybe not all of them, and probably not your All Company DLs, but some of the smaller ones at a team level or department level. If this is the case, instead of managing groups of users yourself, you can Migrate your existing DLs to O365 Groups.
Finally I want to provide one more recommendation. We have some customers who started taking advantage of O365 Groups before Teams was even around, so they created SP Sites with documents and Group Mailboxes. There is no need to create a new group just to have the features of Teams added for these users. You can simply Enhance an existing O365 Group with Teams.
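These last two recommendations are both a couple of cmdlets in Exchange Online and Teams PowerShell, so here is an added example (mine, not from the post) covering both: listing the DLs that are eligible for upgrade, upgrading one, and adding Teams to an O365 Group that already exists. The addresses "hr-onboarding@contoso.com" and "sales-collab@contoso.com" are placeholders.

```powershell
# Added example: upgrade an eligible DL to an O365 Group, and add Teams to an existing group.
# Placeholder addresses: hr-onboarding@contoso.com, sales-collab@contoso.com.
Import-Module ExchangeOnlineManagement
Import-Module MicrosoftTeams
Connect-ExchangeOnline
Connect-MicrosoftTeams

# Which DLs can be upgraded? Only cloud-managed, non-nested, non-security DLs are eligible.
# A DL that is still synchronized from on-premises AD will not appear here until it has
# been mastered in the cloud, so check this list before promising anyone a migration.
Get-EligibleDistributionGroupForMigration |
    Select-Object DisplayName, PrimarySmtpAddress, @{n="Members";e={(Get-DistributionGroupMember -Identity $_.Identity).Count}}

# Upgrade one department-sized DL. The upgrade runs asynchronously; the DL keeps working
# for email while the O365 Group is created with the same address and membership.
Upgrade-DistributionGroup -DlIdentities "hr-onboarding@contoso.com"

# Enhance an existing O365 Group (already has a SharePoint site and group mailbox) with Teams.
# Nothing is recreated: the team binds to the group's existing identity, site and membership.
$group = Get-UnifiedGroup -Identity "sales-collab@contoso.com"
$team  = Get-Team -GroupId $group.ExternalDirectoryObjectId -ErrorAction SilentlyContinue
if (-not $team) {
    New-Team -GroupId $group.ExternalDirectoryObjectId
} else {
    "Group '$($group.DisplayName)' already has a team."
}
```

Because `Upgrade-DistributionGroup` is asynchronous, do not chain `New-Team` directly onto the DL you just upgraded; wait for the new O365 Group to show up in `Get-UnifiedGroup` first, then team-enable it the same way.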
I hope this helps you understand the capabilities Teams has that enable you to balance IT administration and security with empowering your users to create innovative solutions to operational challenges in Teams. If you have any questions or want to talk about this more I am happy to help! If you are a healthcare customer I can help you directly, but if not, I can connect you with the right person at Microsoft.
If you still want additional help enabling self-service team creation, but want a little more control, then you should look at our MS Form/MS Flow Group Creation Process, shown here in this MS Ignite Video, and download the script from this GitHub.