Microsoft Teams is a tool that facilitates collaboration among end users, providing chat, voice, and document collaboration capabilities and other management controls such as a security group for securing permissions and access. Combining these multiple tools into a single entry point is fantastic, but managing them can be complicated.
Securing a Whole Microsoft Teams Environment
Within most organisations, end-users need to work together to perform specific tasks, work on projects or collaborate. Microsoft 365 provides multiple tools that facilitate all types of collaboration. The most recent application to use is Microsoft Teams, which provides the ability for people to work together around these types of common goals, decisions, or projects.
Microsoft Teams is a front-end to multiple services within Microsoft 365. It provides chat, voice, meetings, storage, document collaboration capabilities, and other underlying management controls, such as a security group for securing permissions and access. Combining these multiple services and applications into a single-entry point is fantastic, but it can be complicated to manage. As with most services within Microsoft 365, though they provide excellent capabilities, they are often not optimised for specific organisational needs and overall management. You may also find that complete lifecycle management of certain features does not meet the general business needs.
Out of the box, Microsoft Teams is simple and easy to use for all users. End-users can create Teams as and when needed, often without the need for approval or understanding of what gets built. With all the components formed as part of Microsoft Teams, many organisations find there are often hundreds of Teams created, which means that hundreds of SharePoint Online site collections get created. Users can also store content in both the primary site collection and any secondary site collections which map to private channels.
Remember that content could also reside within OneDrive for Business and other applications such as Planner, which integrates into Teams. The most common problems are large amounts of Teams content and the associated site sprawl. Another less-discussed concern is connected apps that may also contain data. By default, end-users can grant connected apps access to personal data and stored information such as documents and files. Too often, organisations do not control or limit this capability, allowing unwanted dissemination of content.
To manage and govern Microsoft Teams successfully and meet all organisational security requirements and any legal requirements or classification, you need governance. However, many things can impact Microsoft Teams from a management and governance perspective, which are unrelated to the team and site collection sprawl that often happens. A few of these are:
- Team naming convention
- External sharing configuration
- Security and access control
- Team privacy
An end-user can name a team anything by default. The name associated with the team then flows to the Microsoft 365 Group, SharePoint site collection, and supporting services. It can often cause problems when multiple components of the Teams contain the same name or may not make any sense as they don’t follow a standard naming convention.
By default, SharePoint Online, a supporting Teams service, allows for external sharing to anyone. When a team gets created, unless this control is adjusted, as soon as end-users add content through Teams, they could easily share content with anyone, violating existing security policies for external sharing.
Microsoft Teams uses an Azure Active Directory group for managing members of the team. The group has the same name as the created team and allows adding users directly to the group or through the application. The same is true for permissions within the supporting services such as SharePoint Online, which hides the standard security management in favor of the Teams interface. Most Teams end up with more users than required as end-users can often manage the members themselves, providing access to users who do not need it.
Sometimes Teams need extra security due to the sensitivity of members, content, or privacy requirements. Teams natively support classification to help control the dissemination of content to both internal and external users. Many organisations, however, do not realise these capabilities are not within Teams but part of the overall Microsoft Purview security and compliance feature set. Enabling this feature within Teams requires specific configurations which are not part of Microsoft Teams.
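The naming, privacy and membership concerns above can be checked together in one read-only pass with the MicrosoftTeams module. This is an added example, not code from the original article; the name pattern and the member threshold are hypothetical values to replace with your own convention.

```powershell
# Added example (not from the original article). Read-only audit of every team.
# Requires the MicrosoftTeams module and a Teams administrator account.
param(
    # Hypothetical convention "DEPT-Purpose", e.g. "FIN-Budget 2024". Replace with your own.
    [string] $NamePattern = '^[A-Z]{2,5}-\S.*$',
    # Hypothetical threshold above which membership should be reviewed.
    [int]    $MaxMembers  = 50
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$report = foreach ($team in Get-Team) {
    # Owners, members and guests of the Microsoft 365 group behind the team.
    $users  = @(Get-TeamUser -GroupId $team.GroupId)
    $guests = @($users | Where-Object { $_.Role -eq 'guest' })

    $findings = @()
    if ($team.DisplayName -cnotmatch $NamePattern) { $findings += 'name off-convention' }
    if ($team.Visibility -eq 'Public')             { $findings += 'public team' }
    if ($guests.Count -gt 0)                       { $findings += "$($guests.Count) guest(s)" }
    if ($users.Count -gt $MaxMembers)              { $findings += "over $MaxMembers members" }

    [pscustomobject]@{
        Team       = $team.DisplayName
        GroupId    = $team.GroupId
        Visibility = $team.Visibility
        Members    = $users.Count
        Guests     = $guests.Count
        Findings   = $findings -join '; '
    }
}

# Show only the teams that need a governance review, largest first.
$report |
    Where-Object { $_.Findings } |
    Sort-Object Members -Descending |
    Format-Table Team, Visibility, Members, Guests, Findings -AutoSize -Wrap
```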
Management and Governance
Microsoft Teams is not an application that should be left alone. Organisations need to plan and prepare for a Microsoft Teams deployment and then the overall management and governance of the created Teams and corresponding services.
You can secure and govern Microsoft Teams using either the administration centres, PowerShell, or Microsoft Graph. The main problem is that you need to manage multiple services, not just Teams. To manage, you often need to use combinations of the following:
- Microsoft 365 Administration Center
- Teams Administration Center
- Azure Active Directory Portal
- SharePoint Administration Center
- Security Center
- Compliance Center
You can also utilize scripting within PowerShell using combinations of the following modules:
- Azure Active Directory (AzureAD)
- Azure Active Directory Preview (AzureADPreview)
- Microsoft Online Services (MSOnline)
- Microsoft Teams (MicrosoftTeams)
- Exchange Online (ExchangeOnlineManagement)
- SharePoint Online (Microsoft.Online.SharePoint.PowerShell)
The difficulty is identifying the administration centre or PowerShell module to use. Sometimes there is no way to perform a specific configuration, and you may even need to call the Microsoft Graph directly. Microsoft has also provided you with the Patterns and Practices PowerShell modules that focus on SharePoint Online and Microsoft Teams to help with the administration.
For example, for end-users to use Microsoft Teams, they must have a license assigned to them. You cannot complete this within the Microsoft Teams administration centre or the Teams PowerShell module. To assign licenses, you must use either the Azure Active Directory Portal, Microsoft 365 Administration Center, or PowerShell using either the Azure Active Directory (AzureAD) or Microsoft Online Services (MSOnline) modules.
Another example could be assigning a classification to a team to control the dissemination of content to external users, which requires work within Microsoft Purview via the Compliance Centre and then accessing the Team configuration within the Microsoft Teams Administration Centre.
Suppose you need to provide lifecycle management of Microsoft Teams. In that case, this function resides within the Microsoft Teams Administration Centre and is as simple as adding an expiration policy that offers a renew Team option. However, this may not work for advanced use cases, and you may need to use other features within the Microsoft Purview Compliance Centre to meet the business requirements.
Though you can script much of the configuration, you still need to load multiple PowerShell modules, make numerous connections to the services, and script the creation and deployment.
Regardless of which approach you choose, it still requires multiple steps and tasks to manage Teams configuration, security, and controls.
For most organisations with standard requirements, the out-of-the-box tools will suffice and allow proper management and governing of Microsoft Teams. However, this changes over time, especially as the number of Teams, the dependency on them, and the maturity of using cloud services changes. As organisational usage increases within Teams, so does the complexity of management and controls. IT Teams require specific skills for securing Teams and supporting Microsoft 365 services. Many organisations do not have the necessary skills in-house and need to invest in training or hiring individuals who have the required skills. Even with the right skills, securing Teams becomes a time-consuming task due to excessive usage.
IT and Support Expectations
Securing and Governing Microsoft Teams falls on the shoulders of the IT and Support departments and Teams within most organisations. The most common approach allows end-users to create what they need when they need it and provides support using a ticket-based method. The problem with this approach is that by the time an end-user potentially has an issue affecting Microsoft Teams, the created Team is mission-critical, and adjusting becomes complicated. It can be very complex to undo poorly implemented security, lock down a created team that is wide-open, change a team to use a different Template, copy a team, and even report on the Team’s usage and activity.
The expectation is that IT and Support Teams can adjust as needed, efficiently and with standard tooling, when in practice it is much more complicated. The key to successfully securing and governing Microsoft Teams is to use the out-of-the-box capabilities, plan everything upfront, implement, and be consistent with the tooling. Organisations must also remember some features don’t currently exist within Microsoft Teams. The most significant risk is the number of Teams and corresponding SharePoint site collections created, which provide external sharing capabilities. It often becomes hard for IT to know which SharePoint site collections are Teams connected and which are not. It can also become very complicated to control external content sharing when end-users create Teams as they need and share without restrictions.
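One way to answer both questions, which site collections are Teams connected and which of them still allow sharing with anyone, is a read-only inventory with the SharePoint Online module. This is an added example, not code from the original article; `$AdminUrl` and `$OutFile` are placeholders, and re-reading each site by URL is a cautious assumption that list mode may not populate every property.

```powershell
# Added example (not from the original article). Read-only inventory.
# Requires Microsoft.Online.SharePoint.PowerShell and SharePoint administrator rights.
param(
    # Placeholder: your tenant's SharePoint admin URL, e.g. https://contoso-admin.sharepoint.com
    [Parameter(Mandatory)] [string] $AdminUrl,
    [string] $OutFile = '.\teams-site-sharing.csv'   # hypothetical output path
)

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# The tenant setting is the ceiling: a site can be stricter than it, never looser.
$tenantSharing = [string](Get-SPOTenant).SharingCapability

# GROUP#*       = Microsoft 365 group sites (a team's primary site is one of these)
# TEAMCHANNEL#* = secondary sites created for private channels
$candidates = Get-SPOSite -Limit All |
    Where-Object { $_.Template -like 'GROUP#*' -or $_.Template -like 'TEAMCHANNEL#*' }

$report = foreach ($c in $candidates) {
    # Assumption: re-read by URL so every property used below is populated.
    $site    = Get-SPOSite -Identity $c.Url
    $sharing = [string]$site.SharingCapability

    $finding = switch ($sharing) {
        'ExternalUserAndGuestSharing'     { 'Anyone links allowed' }
        'ExternalUserSharingOnly'         { 'New and existing guests' }
        'ExistingExternalUserSharingOnly' { 'Existing guests only' }
        'Disabled'                        { 'Internal only' }
        default                           { "Unrecognised value: $sharing" }
    }

    [pscustomobject]@{
        Url            = $site.Url
        Template       = $site.Template
        TeamsConnected = [bool]($site.IsTeamsConnected -or $site.IsTeamsChannelConnected)
        SiteSharing    = $sharing
        TenantSharing  = $tenantSharing
        Finding        = $finding
    }
}

# Teams-connected sites with the most permissive setting come first.
$report | Sort-Object TeamsConnected, SiteSharing -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation
$report | Where-Object { $_.TeamsConnected -and $_.SiteSharing -eq 'ExternalUserAndGuestSharing' } |
    Format-Table Url, Template, Finding -AutoSize
```

A site flagged here can be tightened with `Set-SPOSite -Identity <url> -SharingCapability <value>` once the owning team has confirmed the change.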
Overall, Microsoft Teams provides excellent tooling to meet nearly all securing and governing team requirements. Though you may need to use multiple administration centres, PowerShell modules, or other services, you can do it. The tools may not be the most elegant and cohesive, but they get the job done, even if it takes longer and is more complicated to implement. Securing Teams successfully, and doing so faster and more innovatively, requires dedicated time, resources, and a solid competency in Microsoft 365 Technologies and tools. You will also find that you are constantly jumping between various services and tools to get the job done.
How can Vantage 365 help you?
We understand that managing Microsoft Teams Governance effectively can be challenging for many organisations. We have received numerous inquiries from customers like you who are experiencing uncontrolled growth and a lack of control over governance, leading to security risks and unnecessary costs.
To support our customers, we have been diligently working on providing a solution. We are pleased to announce that we are offering a complimentary review of your current Teams usage, utilising our advanced governance tool set, so that you can see your Microsoft Teams governance score. This review will provide valuable insights into your existing Teams environment, enabling you to implement better governance practices and improve user adoption.
If you find that your Microsoft Teams Governance is slipping out of your hands, don’t hesitate to get in touch with us. You can reach out to our team by filling out the registration form.
Vantage 365 is a specialist consultancy that helps businesses of all sizes get the most from their investment in Microsoft 365’s robust suite of business tools and productivity apps. Our team of expert consultants has years of experience creating customised solutions, applications and strategies to optimise our clients’ technology, capabilities, and performance.
Our mission is to help every client reach their true potential by future-proofing their business and enabling them to thrive in today’s digital landscape. From small businesses to large enterprises, we understand that each company has unique needs and goals, and we work closely with our clients to develop tailored solutions that address their specific challenges.
Whether streamlining workflows, improving collaboration, or enhancing security, we have the expertise to maximise the benefits businesses receive from their investment in Microsoft 365. Our commitment to ongoing support and service ensures that our clients continue to achieve success and stay ahead of the curve in today’s rapidly evolving business environment.
Get in touch today to discover the potential of your Microsoft Subscriptions. We look forward to hearing from you.