Managing Microsoft Teams: More to it than meets the eye

Back to Blog
15Feb2019

Managing Microsoft Teams: More to it than meets the eye

There have been some pretty good improvements over the last year with Teams, and there is only more good news on the way. Check out the backlog of requested features with updates at UserVoice. Great stuff like Private channels and Outlook group calendars are on the near horizon.

But a lot of admins have complained about being able to properly administer Teams. Partly there is some truth to this, but by and large some people just don’t know what we can and can’t do now, or where to go to accomplish what they are looking to accomplish.

For instance, as admins we used to be confined to using the application itself to manage teams and membership, just like any other user. And if another user created a team and we weren’t invited, there wasn’t really a good way for us to find this out in the admin center UI. That’s no longer the case, thankfully.

Create/Edit Teams (but not Delete)

From the new Teams admin center, it is now possible for an admin to manage all of the organization’s Teams without having to become a member of them first, and managing them via the app interface. It took a long time for this to happen, but we’re glad to have it!

You will notice it is possible to create New teams from the admin UI, however, as of today, there is still no option to delete a team. In order to accomplish that, you will need to remove all other owners first, ensuring your admin account is the only member/owner left. You can accomplish this part from the Team members tab on any given team.

It is possible to assign members and owners via the admin center!

Then, you will need to delete the Team from the Teams app itself.

Various Teams settings: where to find them

As an admin, you can also control all kinds of other settings, both at the individual Teams level, or at a global level. I’ll go through some stuff and point out a few interesting settings you should check out for yourself. However, I’ll skip voice-related features for now since many SMB customers haven’t delved into that world (the “Business” subscriptions don’t include it by default).

Add and delete channels

If you are editing an individual team, you can add/remove members, assign owner status, create or delete channels (Channels tab), and manipulate some settings particular to that team. By default, teams will be very permissive with all of the settings pertaining to Conversations and Channels set to On.

Global settings are spread across several different areas, which we will cover in turn. Check out Meetings > Meeting policies > Global

Under the Audio & video section, you will find the switch to turn on transcription (Allow transcription), which is a searchable text of recorded audio/video content.

As mentioned the defaults are fairly permissive, except when it comes to external/anonymous users. So by default you will notice that certain settings such as Allow an external participant to give or request control is switched off.

Under the Participants & guests area, anonymous users do not have the ability to start meetings. Only users in your organization will be auto-admitted to meetings, but you can also set this to “Everyone” rather than “Everyone in your organization.”

Of course, you have to allow anonymous users in the first place, if you want these settings to be meaningful. You can find that under Meeting settings.

You can also customize the email invite under Meeting settings!

Meetings are to be distinguished from Messaging. Remember, a Meeting is an event that users are invited to. Usually this takes place within a channel of some given Team, and the content can be recorded (and transcribed). Live events are also basically meetings and so are located under here also, but these are meetings that are broadcast to a large group of invitees, who can attend the session like a webinar. So you can also find the option, for example, to turn on transcription under Live events policies > Global.

Messaging by contrast is just the chat function of teams–done on a 1:1 basis or within a team/channel. Check out Messaging policies > Global next.

Find the translation option at the bottom of this page.

By default any individual can delete or edit their own messages–and those settings again were under the Settings tab of each Team itself, so you always have control over your own shared content. But, be aware that there is also a global option which allows team owners to delete (but not edit) the messages that others have sent. If you needed like a comment moderator, this is where you’d find that.

Also of note here is the ability to allow translation (as in, between languages). So if you are collaborating with people from other countries, the translation option can be pretty cool. Give it a try!

If you need to enable or disable the ability for external and guest access, you can find those controls under Org wide settings.

Sometimes folks get this confused:

  • External access – this controls whether your users can chat/communicate with other people who are outside of the organization, including external Skype users. You can also allow/deny sharing by domain (rather than just opening it globally).
  • Guest access – rather than controlling whether users can initiate individual chat/communication with outside people, this toggle controls whether people from outside of the organization can be invited into your teams, to participate in team chats and share files.

Org wide settings > Teams settings is where you will find global options that don’t neatly fit into “Meetings” or “Messaging.” For example, you can turn email integration on or off (the ability to email a channel).

Also of note is this section called Files: allowing or denying external file sharing services. When you add external services like DropBox, note that Teams does not manage that content. That remains true whether these toggles are on or off.

So any archive/retention policies, etc. that you have configured in your tenant cannot reach across into DropBox and manage content that is in there, for instance. Adding a “DropBox tab” to a channel is purely a “window” into that data repository, and the access level will be whatever access level is available to whomever added the tab/DropBox account. Some people may be interested in restricting this, and forcing users to share files within the 365 ecosystem, where it can be better controlled.

I will also talk briefly about Devices and Search. Devices is for things like meeting room AV peripherals that are Teams/Skype compatible. Under Search, you can restrict which recipients are “searchable/findable” when users are creating teams or communicating via chat–this follows Exchange address book policies. You would probably only ever use this if for example you had multiple organizations under a single tenant, and certain groups are isolated from other groups.

Compliance-related concerns: a Team is more than just a team…

Data Governance in Office 365 applies also to Teams. But Teams is an interface which allows you to present a collection of services. So, it is absolutely possible to apply a retention policy, for instance, to Teams chats and channel messages. But you would also want to have separate policies to manage content that is stored in SharePoint and OneDrive.

When you share files in Teams under the files tab of some channel, that document really lives in SharePoint, not in Teams. (And you can locate the SharePoint sites associated with teams in the new SharePoint admin center too!)

When you share a file with another user while chatting directly with them, this file will be stored in each user’s OneDrive account under a folder called “Microsoft Teams Chat Files.”

Also remember that a Team is built on an Office 365 Group, which also includes a mailbox in Exchange Online. So do not neglect these locations when designing your retention policies.

Note that Teams message history will be archived into your Exchange mailbox (it is located in a hidden sub-folder), and is searchable by admins. Messages from Teams are therefore treated like any other object stored in your mailbox. Another thing to keep in mind when planning for compliance.

If you want to protect or restrict certain content such as Word documents or other files, even when they are shared within a Team, consider using Sensitivity labels. You could for example label a document as Confidential (all employees), and if an external user gets invited to a Team where one of these files is being shared/stored, they will not be able to open the file, even though they have access to the SharePoint location where that file resides.

If you need to audit Teams, for instance: see a record of who signed in and when, who added a team and when, etc.–you can locate all of this information in the Security & Compliance Center (or soon just the Compliance center). Search and investigation > Audit log search.

Type the word “team” to find activities specific to this app

Manage Teams via Office 365 Groups

A very common request we hear is limiting who in the organization has the power to create teams. Indeed, restricting who can create teams can be accomplished–by restricting who has the ability to create Office 365 Groups.

Because remember that a Team is built on top of an Office 365 Group, first and foremost. This is basically an object in Azure AD that represents a collection of users (who are either Owners or Members of the group), and which has certain Office 365 data locations automatically provisioned and associated to it (this is also how access is granted to those resources).

You will not find this capability anywhere in any of the admin centers, however. It has to be done in PowerShell; see this step-by-step article:

Likewise, if an owner deletes a Team, then an admin is indeed able to bring those Teams messages back from the dead–but they would need to restore the Office 365 Group first, in order to do so.

Conclusions

Suffice it to say that some of the management tasks related to Teams will be based a little bit on understanding what a Team actually is: it is an Office 365 Group, first of all, with a variety of services and data locations attached to it. You need to keep that architecture in mind for performing some management-related tasks–at least for now. Not all of what you need to accomplish is going to be at your fingertips in the Teams admin center. And some of it may still require getting into PowerShell.

Still, it’s coming together–slowly and surely. I believe that we are at the point now where most of what people want in terms of security and management is available to them (with additional functionality coming soon e.g. Private channels)–it’s just a matter of getting our heads around it.

Technical , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

21Mar

My favorite Conditional Access Policies for the SMB

It's not even a question in my mind anymore--every org who moves their email and other data sets into Office 365 should be protected with Enterprise Mobility + Security (also available in Microsoft 365 Enterprise plans). If you are in the Business subscription of Microsoft... read more
03Aug

A tale of two solutions: Azure VMs vs. On-prem Server

I've been studying two different solutions to the same small business problem for a while now, and I think it is high time I finally published an article on it. I run into a fair number of clients who are interested in moving 100% of... read more
02Jul

An overview of the most common Office 365 subscriptions for the SMB

I get asked about this SO frequently, that I decided a post was in order. Update: Also check out my 365 Licensing Guide page. Apparently people don't find it that easy to navigate all the subscriptions which are now available via the Office 365 portal. To... read more
26Jan

How to prepare for a HIPAA technical risk assessment or audit

I have had to help a number of smaller-sized health services clinics with this kind of thing recently, so I figured a place to collect notes on these experiences was in order. Hopefully others will find it valuable; just know that there is no such... read more
01Oct

Should I stick with Microsoft 365 Business or move up to Enterprise?

Microsoft 365 is best described as a "bundle of bundles"--these new SKU's go beyond Office 365, and include advanced security products as well as device management and even your Windows licensing.  I have been writing a lot about the Microsoft 365 Business SKU, since it... read more
11Nov

From Ignite 2019: Office 365 ATP Best Practices Analyzer, and other actions MS is taking to democratize security

I haven't had time to write an overall review of Ignite and all the various announcements that were made. And honestly, I might just skip that because there are so many others out there doing the same. They probably did an even do a better... read more
06Sep

2016 Essentials Integration: Azure Virtual Network, part 1

This is one of the new features I am most excited about in Windows Server 2016 Essentials Experience.  Today we are going to setup a connection to an Azure Virtual Network. With this technology, we have the ability to extend our on-premises server and domain infrastructure into the... read more
31Jul

Replacing folder redirection and mapped network drives: Controlling the OneDrive client experience on Windows 10 with Intune

For as long as we can remember, the primary way to share files in an organization was mapped network drives. This may have included a "Public" or "Company" drive (e.g. P:\ for Public), as well as a "Home" or "User" drive (H:\ or U:\ respectively).... read more
25Jan

Manage Office 365 Mailboxes using Directory Synchronization w/o Hybrid Exchange

When you have a hybrid environment configured between Exchange 2010 or 2013 and Office 365, then you will probably have noticed that mailbox creation and management happens on-premises. For example, to create a new mailbox, you would initiate this process from the local Exchange server... read more
08Sep

2016 Essentials Integration: Azure Virtual Network, part 2

In the previous post, we enabled the Windows Server Essentials integration with Azure Virtual Network, and configured a virtual network in the cloud with a Site-to-site VPN right from our Dashboard. While we wait for the connection to become active, we can deploy a virtual... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me