7 min to read
Microsoft Teams Governance
Governance is not about limiting freedom. The point is to be able to manage Teams while removing chaos and sprawl so users can work in a compliant fashion that does not affect their day to day productivity. This blogs walks you with various controls available to better govern Microsoft Teams.
You need to remember that Microsoft Teams is built on top of Office365 Groups. So, Microsoft Teams uses the Office365 Group settings and policies in the background.
Some of the Teams governance controls discussed in this blog are
- Restrict Office 365 Group Creation to set of users
- Office 365 Group Expiration Policy
- Check for Teams without Owners
- Check for inactive Teams
- Guest Access in Teams
- Teams Classifications
- Retention Policy
- New Teams Admin Roles
- Office 365 Group Naming Policy
- Show Teams in GAL
Restrict Office 365 Group Creation to set of users
By default, all the users in your Office365 tenant can create Microsoft Teams. According to your organisation needs you can restrict the Teams creation permission to set of users say Full Time Employees or Managers using Dynamics Office groups. This feature requires Azure AD P1 license.
Function GroupCreators
{
param(
[Parameter(Mandatory=$True)]
[string]$securityGroup
)
#get the Security Group
Get-AzureADGroup -SearchString $securityGroup
#use the settings template and get template group.unified
$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
$SettingsCopy= $Template.CreateDirectorySetting()
$SettingsCopy= Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
#group creation allowed for all members at default make it false
$SettingsCopy["EnableGroupCreation"] = $False
#assign group of people(security group) to create group
$SettingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $securityGroup).objectid
#apply the setting to azure directory setting
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $SettingsCopy
(Get-AzureADDirectorySetting).Values
}
# Connecting AzureADPreview Module, if AzureADPreview Module not avaiale in your machine, you can install using this command "Install-Module AzureADPreview"
Connect-AzureAD
GroupCreators -securityGroup "SecurityGroupName"
Refer here for more details.
Now we have provided the users with permission to create Teams. How you can monitor whether the Teams created is used or it is just dormant?. Below are the ways to control it.
- Set Office365 Group Expiration Policy
- Check for Teams without Owners
- Check for inactive Teams
Office 365 Group Expiration Policy
You can set a default group expiration as 180 days. After 180 days, the Team owner will receive a notification that the Team is going to expire with an option to renew it. This feature requires Azure AD P1 license.
Check for Teams without Owners
Always assign at least two owners for groups. There are two ways to do it. You can check from the Teams Admin Centre.
Or schedule the below script to return you the Teams without Owners regularly(weekly/monthly).
Function GetTeamsWithOutOwners
{
param(
[Parameter(Mandatory=$True)]
[string]$Path
)
#install-module microsoftteams
Connect-MicrosoftTeams
$teams= get-team
$teams | ForEach-Object{
$team=$_
$teamOwner=Get-TeamUser -GroupId $team.GroupId -Role owner
if($teamOwner -eq $null)
{
New-Object -TypeName PSObject -Property @{
TeamName = $team.displayname
}
}
}|select TeamName|Export-Csv $Path -NoTypeInformation
}
GetTeamsWithOutOwners -Path C:\TeamsWithoutOwnersList.csv
Check for inactive Teams
There is no direct way to check for inactive Teams. It is difficult to define inactivity universally, since there are Teams with conversations alone, Office365 Groups with SharePoint file activities or group conversations alone. There is a nice script available in TechNet, you can download and modify the script as per your need.
Guest Access in Teams
Now comes the important part. To enable guest access in Teams you need to first enable guest access in Azure AD, second on Office 365 Groups settings and finally on individual Teams. From the Teams admin centre, you can check the number of guest on each team. If you want a report of guests across each team, use the below script.
#Get guest users in a team
Function Teams-GuestUser
{
param(
[Parameter(Mandatory=$True)]
[string]$Path
)
$teamname= "Team Name"
$guestUPN= "Guest MailId"
#install-module microsoftteams
Connect-MicrosoftTeams
#Get all the teams
$teams= get-team
$exportGuest=$teams | ForEach-Object{
$team=$_
#Get guest from each team by giving role as guest
$guestTeam=Get-TeamUser -GroupId $team.GroupId -Role Guest
#if team has guest then export team name with guest mailid
if($guestTeam -ne $null)
{
New-Object -TypeName PSObject -Property @{
$teamname = $team.displayname
$guestUPN = $guestTeam.user -replace '#[^#]+.com','' -replace '#[^#]+T','' -replace '_','@' -join ", "
}
}
}|select $teamname,$guestUPN|Export-Csv $Path -NoTypeInformation
}
Teams-GuestUser -Path C:\teamsguestuser.csv
Checklist on how to enable guest access in Teams.
https://docs.microsoft.com/en-us/microsoftteams/guest-access-checklist
You can control the guest permissions on Teams meeting and messaging from the Teams Admin centre.
https://admin.teams.microsoft.com/company-wide-settings/guest-configuration
Teams Classifications
You may come across scenario, as an admin you might want to strict the guest access for few confidential projects. But can’t manually check on it in regular basis, in such scenarios Office365 Groups classification helps you.
You can apply classification for Office365 Groups like Confidential, External, Internal etc. Adding a classification to Office365 Groups does not make any effect apart from showing it GUI. But once you classify groups, you can restrict the guest access, change the meeting policies etc according to the classification.
Below script helps you create classifications for Office365 Groups. By default classification list is empty, you need to create the list using powershell.
#This script requires AzureADPreview module, install if not available already
#install-module AzureADPreview
#Connect to AzureAD
Connect-AzureAD
#Get AzureAD group setting for classification
$setting = Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ
if($setting)
{
#If directory settings is already is available, add your classification types
$setting["ClassificationList"] = "Internal,External,Confidential"
#Make "Internal" as the default classification
$setting["DefaultClassification"] = "Internal"
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}
else
{
#Create a new directory setting if already one not available
$settingTemplateId = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -like "Group.Unified"} | Select-Object Id
$Template = Get-AzureADDirectorySettingTemplate -Id $settingTemplateId.Id
$templateSetting = $Template.CreateDirectorySetting()
# Create the required classification types
$templateSetting["ClassificationList"] = "Internal,External,Confidential"
#Make "Internal" as the default classification
$templateSetting["DefaultClassification"] = "Internal"
New-AzureADDirectorySetting -DirectorySetting $templateSetting
}
Once you set the classification list, it will be shown during Teams creation.
Script to block guest access based on Teams classification.
#This script requires AzureADPreview module, install if not available already
#install-module AzureADPreview
#Connect to AzureAD
Connect-AzureAD
#Connect to Exchange Online module
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
$groupSettingsTemplate = (Get-AzureADDirectorySettingTemplate | ? {$_.DisplayName -eq "Group.Unified.Guest"})
$Groups = (Get-UnifiedGroup -ResultSize Unlimited | Where {$_.Classification -eq "Confidential"})
ForEach ($Group in $Groups)
{
$groupSettings = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $Group.ExternalDirectoryObjectId
if($groupSettings)
{
# If policy already exists for the group, set the group settings object
$groupSettings["AllowToAddGuests"] = $False
Set-AzureADObjectSetting -Id $GroupSettings.Id -DirectorySetting $GroupSettings -TargetObjectId $Group.ExternalDirectoryObjectId -TargetType Groups
Write-Host "Guest access blocked for" $Group.DisplayName
}
Else
{
# If group settings does not exists, create a new settings object and update
$Settings = $groupSettingsTemplate.CreateDirectorySetting()
$Settings["AllowToAddGuests"] = $False
New-AzureADObjectSetting -DirectorySetting $Settings -TargetObjectId $Group.ExternalDirectoryObjectId -TargetType Groups
Write-Host "Guest access blocked for" $Group.DisplayName
}
}
Retention Policy
You can set the retention policies for Teams team conversations and chat messages.
For more information, check here
New Teams Admin Roles
Below are new Teams administrator roles added. For more information check here.
- Teams Service Administrator: The overall Teams workload admin, who can manage Office365 Groups also.
- Teams Communication Administrator: Can manage meeting and calling functionality in Teams.
- Teams Communications Support Engineer: Access to advanced call analytics tool.
- Teams Communications Support Specialist: Access to basic call analytics tool.
Office 365 Group Naming Policy
There are few organisations, where they need to follow strict naming conventions or avoid using list of words in the group name. Using Office365 Group Naming Policy, you can
- Set format for group prefix and suffix
- Create a list of blocked words which are not allowed in group names
For more information refer this Microsoft documentation.
Show Teams in GAL
By default, when you create a new team, the corresponding Office365 is not shown in Global Address List, if you want to show in SPO, Exchange and other places, you need to set HiddenFromAddressListsEnabled to True.
Set-UnifiedGroup -Identity GroupName -HiddenFromAddressListsEnabled $True