Managing Microsoft Teams: More to it than meets the eye
Alex Fields
There have been some pretty good improvements over the last year with Teams, and there is only more good news on the way. Check out the backlog of requested features with updates at UserVoice. Great stuff like Private channels and Outlook group calendars are on the near horizon.
But a lot of admins have complained about not being able to properly administer Teams. There is some truth to this, but by and large some people just don’t know what we can and can’t do now, or where to go to accomplish what they are looking to accomplish.
For instance, as admins we used to be confined to using the application itself to manage teams and membership, just like any other user. And if another user created a team and we weren’t invited, there wasn’t really a good way for us to find this out in the admin center UI. That’s no longer the case, thankfully.
Create/Edit Teams (but not Delete)
From the new Teams admin center, it is now possible for an admin to manage all of the organization’s Teams without having to become a member of them first and manage them via the app interface. It took a long time for this to happen, but we’re glad to have it!
You will notice it is possible to create New teams from the admin UI, however, as of today, there is still no option to delete a team. In order to accomplish that, you will need to remove all other owners first, ensuring your admin account is the only member/owner left. You can accomplish this part from the Team members tab on any given team.
Then, you will need to delete the Team from the Teams app itself.
Various Teams settings: where to find them
As an admin, you can also control all kinds of other settings, either at the individual team level or at a global level. I’ll go through some stuff and point out a few interesting settings you should check out for yourself. However, I’ll skip voice-related features for now since many SMB customers haven’t delved into that world (the “Business” subscriptions don’t include it by default).
If you are editing an individual team, you can add/remove members, assign owner status, create or delete channels (Channels tab), and manipulate some settings particular to that team. By default, teams will be very permissive with all of the settings pertaining to Conversations and Channels set to On.
Global settings are spread across several different areas, which we will cover in turn. Check out Meetings > Meeting policies > Global.
Under the Audio & video section, you will find the switch to turn on transcription (Allow transcription), which produces searchable text from recorded audio/video content.
As mentioned, the defaults are fairly permissive, except when it comes to external/anonymous users. So by default you will notice that certain settings, such as Allow an external participant to give or request control, are switched off.
Under the Participants & guests area, anonymous users do not have the ability to start meetings. Only users in your organization will be auto-admitted to meetings, but you can also set this to “Everyone” rather than “Everyone in your organization.”
Of course, you have to allow anonymous users in the first place, if you want these settings to be meaningful. You can find that under Meeting settings.
Meetings are to be distinguished from Messaging. Remember, a Meeting is an event that users are invited to. Usually this takes place within a channel of some given Team, and the content can be recorded (and transcribed). Live events are also basically meetings and so are located under here also, but these are meetings that are broadcast to a large group of invitees, who can attend the session like a webinar. So you can also find the option, for example, to turn on transcription under Live events policies > Global.
Messaging by contrast is just the chat function of teams–done on a 1:1 basis or within a team/channel. Check out Messaging policies > Global next.
By default any individual can delete or edit their own messages–and those settings again were under the Settings tab of each Team itself, so you always have control over your own shared content. But be aware that there is also a global option which allows team owners to delete (but not edit) the messages that others have sent. If you need something like a comment moderator, this is where you’d find it.
Also of note here is the ability to allow translation (as in, between languages). So if you are collaborating with people from other countries, the translation option can be pretty cool. Give it a try!
If you need to enable or disable the ability for external and guest access, you can find those controls under Org wide settings.
Sometimes folks get this confused:
- External access – this controls whether your users can chat/communicate with other people who are outside of the organization, including external Skype users. You can also allow/deny sharing by domain (rather than just opening it globally).
- Guest access – rather than controlling whether users can initiate individual chat/communication with outside people, this toggle controls whether people from outside of the organization can be invited into your teams, to participate in team chats and share files.
Org wide settings > Teams settings is where you will find global options that don’t neatly fit into “Meetings” or “Messaging.” For example, you can turn email integration on or off (the ability to email a channel).
Also of note is this section called Files: allowing or denying external file sharing services. When you add external services like Dropbox, note that Teams does not manage that content. That remains true whether these toggles are on or off.
So any archive/retention policies, etc. that you have configured in your tenant cannot reach across into Dropbox and manage content that is in there, for instance. Adding a “Dropbox tab” to a channel is purely a “window” into that data repository, and the access level will be whatever access level is available to whoever added the tab/Dropbox account. Some people may be interested in restricting this, and forcing users to share files within the 365 ecosystem, where it can be better controlled.
I will also talk briefly about Devices and Search. Devices is for things like meeting room AV peripherals that are Teams/Skype compatible. Under Search, you can restrict which recipients are “searchable/findable” when users are creating teams or communicating via chat–this follows Exchange address book policies. You would probably only ever use this if for example you had multiple organizations under a single tenant, and certain groups are isolated from other groups.
Compliance-related concerns: a Team is more than just a team…
Data Governance in Office 365 applies also to Teams. But Teams is an interface which allows you to present a collection of services. So, it is absolutely possible to apply a retention policy, for instance, to Teams chats and channel messages. But you would also want to have separate policies to manage content that is stored in SharePoint and OneDrive.
When you share files in Teams under the files tab of some channel, that document really lives in SharePoint, not in Teams. (And you can locate the SharePoint sites associated with teams in the new SharePoint admin center too!)
When you share a file with another user while chatting directly with them, this file will be stored in each user’s OneDrive account under a folder called “Microsoft Teams Chat Files.”
Also remember that a Team is built on an Office 365 Group, which also includes a mailbox in Exchange Online. So do not neglect these locations when designing your retention policies.
Note that Teams message history will be archived into your Exchange mailbox (it is located in a hidden sub-folder), and is searchable by admins. Messages from Teams are therefore treated like any other object stored in your mailbox. Another thing to keep in mind when planning for compliance.
If you want to protect or restrict certain content such as Word documents or other files, even when they are shared within a Team, consider using Sensitivity labels. You could for example label a document as Confidential (all employees), and if an external user gets invited to a Team where one of these files is being shared/stored, they will not be able to open the file, even though they have access to the SharePoint location where that file resides.
If you need to audit Teams (for instance, to see a record of who signed in and when, who added a team and when, etc.), you can locate all of this information in the Security & Compliance Center (or soon just the Compliance center), under Search and investigation > Audit log search.
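The same audit records can be pulled from PowerShell, which helps when you want to review team creation, deletion and membership changes in bulk. This is an added example, not part of the original post; it assumes an Exchange Online PowerShell session is already connected and audit logging is enabled, and the AuditData property names used (TeamName, Members) are an assumption you should verify against a record from your own tenant.

```powershell
# Added example: review recent Teams activity from the unified audit log.
# Assumes a connected Exchange Online PowerShell session.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Sign-ins, team lifecycle events and membership changes
$operations = 'TeamsSessionStarted', 'TeamCreated', 'TeamDeleted',
              'MemberAdded', 'MemberRemoved'

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType MicrosoftTeams -Operations $operations -ResultSize 5000

if (-not $records) {
    Write-Warning 'No Teams audit records returned. Check that audit logging is on.'
    return
}

$report = foreach ($r in $records) {
    # AuditData is a JSON string holding the event-specific detail
    $detail = $r.AuditData | ConvertFrom-Json

    [pscustomobject]@{
        Time      = $r.CreationDate
        Actor     = $r.UserIds
        Operation = $r.Operations
        # Assumed property names; absent on events that do not involve a team
        Team      = $detail.TeamName
        Members   = ($detail.Members | ForEach-Object { $_.UPN }) -join '; '
    }
}

# Oldest first, so the sequence of changes to a team reads top to bottom
$report | Sort-Object Time | Format-Table -AutoSize

# Teams created by someone during the window, grouped by who created them
$report | Where-Object Operation -eq 'TeamCreated' |
    Group-Object Actor | Sort-Object Count -Descending |
    Select-Object Count, Name
```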
Manage Teams via Office 365 Groups
A very common request we hear is limiting who in the organization has the power to create teams. Indeed, restricting who can create teams can be accomplished–by restricting who has the ability to create Office 365 Groups.
Because remember that a Team is built on top of an Office 365 Group, first and foremost. This is basically an object in Azure AD that represents a collection of users (who are either Owners or Members of the group), and which has certain Office 365 data locations automatically provisioned and associated to it (this is also how access is granted to those resources).
You will not find this capability anywhere in any of the admin centers, however. It has to be done in PowerShell; see this step-by-step article:
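For orientation, here is an added example of how that restriction is typically applied; it is not taken from the original post or from the article it refers to. It assumes the AzureADPreview PowerShell module is installed, and 'Teams-Creators' is a placeholder name for a security group you have already created to hold the people allowed to create groups (and therefore teams).

```powershell
# Added example: limit Office 365 Group (and so Team) creation to one group.
# Requires the AzureADPreview module and an Azure AD administrator account.
# 'Teams-Creators' is a placeholder; substitute your own security group name.
$AllowedGroupName = 'Teams-Creators'

Connect-AzureAD

# Resolve the group and refuse to continue on zero or ambiguous matches,
# so the wrong group is never granted creation rights by accident.
$group = @(Get-AzureADGroup -Filter "DisplayName eq '$AllowedGroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$AllowedGroupName', found $($group.Count)."
}

# The tenant-wide Group.Unified settings object does not exist until it is
# created from its template, so create it on first use.
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() |
        Out-Null
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

# Turn off creation for everyone, then name the one group that is exempt.
$setting['EnableGroupCreation']         = $false
$setting['GroupCreationAllowedGroupId'] = $group[0].ObjectId
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Read the values back to confirm what is now in effect.
(Get-AzureADDirectorySetting -Id $setting.Id).Values
```

Global administrators can still create groups regardless of this setting, so keep that role assignment tight as well.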
Likewise, if an owner deletes a Team, then an admin is indeed able to bring those Teams messages back from the dead–but they would need to restore the Office 365 Group first, in order to do so.
Suffice it to say that some of the management tasks related to Teams will be based a little bit on understanding what a Team actually is: it is an Office 365 Group, first of all, with a variety of services and data locations attached to it. You need to keep that architecture in mind for performing some management-related tasks–at least for now. Not all of what you need to accomplish is going to be at your fingertips in the Teams admin center. And some of it may still require getting into PowerShell.
Still, it’s coming together–slowly and surely. I believe that we are at the point now where most of what people want in terms of security and management is available to them (with additional functionality coming soon e.g. Private channels)–it’s just a matter of getting our heads around it.