Microsoft Teams is the fastest growing enterprise app; it helped millions to collaborate better & its trending right now for its ability to work efficiently from home. in my opinion it could cover all your internal communications. However, some companies have regulations that restrict them from having their documents in data centers outside their country. and even if they own Teams license they are not willing to try it. what if we could have a regulated deployment in such no document is allowed to be uploaded into teams. or w/ maximum security options.
Below list is governance recommendation which are subject to change/approval
Assumption 1: O365 tenant is ready with proper license.
Assumption 2: Identity sign in is enabled (weather ADFS, PTA, or password hash) or cloud user
Assumption 3: you want to regulate Teams and enable it for its audio/video/chatting features only.
Users should be licensed for Teams only ( No SharePoint online/ no Overdrive for business)
1) Sign In (MFA)
Teams sign in, could be done from 3 places. Mobile App, Client Machines app, Web based (Teams.microsoft.com or office.com).
Protecting all sign in with multi-factor authentication. more info on aka.ms/mfa
2) Teams (Groups)
You could limit the users who are able to create Teams, by limiting the users who could create Groups. by running below script will create a security group that only users within this security group will be able to create Groups/Teams.
Note this will limit adoption and may cause overhead for the IT admins to control this. but it is IT Governance best practice.
3) Teams Storage Architecture
Understanding where our files are being uploaded is the first control we should pay attention to.
below figure shows us what services we should control.
4) OneDrive For Business
If you want to disable sharing of files between users, you should not give them OneDrive For Business License. Each time they try to upload a document. They will receive this message
If customer would like to give access for users to SharePoint Online but without giving them OneDrive for Business, or the user has the OneDrive already provisioned, then disable the MySite create and access
- Disable MySite access and creation (SharePoint Admin Center > Classic Features > User Profiles > Manage User Permissions > Uncheck the Create Personal Site permission)
- Delete the OneDrive from SharePoint admin portal
5) SharePoint Online
For SharePoint Online, this is by default enabled and there’s a place for files for each channel in Teams. Creation of multiple channels is a decision that may be influenced by the type of files for each channel. this helps collaboration and makes sense out of channels. (Example, private channel for budgets with limited number of users, or weekly channels for a teacher’s business class)
However, in a governance perspective; you could set a read permission for users so they will not upload documents. Below are steps on how to do that.
Note: Owners/Admins will have full control permission.
Screenshot below shows how Teams files look like from a member device. (no option to upload or create)
This way your organization shouldn't have a way to upload documents into teams, and you will be able to use the app as your chat/video/voice/desktop sharing which is our objective here.
Extra:
Disable Other Cloud storage integrations
From Teams Admin Center
Disable APP’s integrations
Also From Teams Admin center
Disable External communications
You Could disable external users or guest users from communicating with your organization
Turn off Cloud Recording
https://docs.microsoft.com/en-us/microsoftteams/cloud-recording
In-case you wanted to allow documents sharing but with different regulations. the best practices security offerings would be using AIP/ Office ATP / DLP / Cloud App security to auto label/ and the new Communication Compliance Center to verify all above and more, its a new offering.