Got Teams? Consider these three governance measures for a de-risked deployment
By Insight Editor / 16 Dec 2020 / Topics: Microsoft 365 Collaboration
In this article, I invite you to consider three easily introduced aspects of governance for your Teams implementation.
1. Teams Creation and Lifecycle
When enabling Teams, a key point is thinking about who can create teams (with a lower-case ‘t’, because we’re talking about a group of people, not the product).
On the one hand, you want everyone to take advantage of the collaboration and self-service capabilities of Teams, rather than looking to other third-party collaboration tools and the resulting impact of ‘Shadow IT’.
On the other, over time this freedom raises the risk of management overhead and potential teams and information sprawl.
This necessitates the introduction of policies to keep track of who has administrative rights to create teams.
Start by creating a security policy group. Only members of this group can create Microsoft 365 groups (which back teams). This keeps teams organised across Teams, Outlook Groups, and other areas where teams can be created in Microsoft 365.
Secondly, look at enabling an approval workflow solution using Power Automate and Forms. This means that in order to create a new team, users must first send a request.
At the same time, use the Microsoft 365 Group Expiration Policy to structure teams and avoid the chaos of excessive numbers of teams accumulating over time. This also limits storage use which results from multiple unnecessary data copies in teams which inevitably fall out of use (from events such as product experimentation, short-term team collaboration, or team owners leaving the organisation).
With this policy enabled, there’s no manual deletion of the teams and related mailboxes, SharePoint sites and so on. It just happens automatically (note that an Azure AD Premium license is required).
There are built-in measures, too, so teams aren’t accidentally deleted. For example:
2. Introduce a Naming Convention
Establishing naming conventions before rolling out Teams makes checking for duplicate names easy and equips users to navigate through teams and documentation. Reduced time searching for information not only improves productivity but reduces stress – something you’d expect from a well-structured and organised workspace. This even makes things easier for the IT department.
Let’s see why.
With each team equipped with its own SharePoint team site, team naming affects the site collection name (a team called ‘Finance’ has the URL https://contoso.sharepoint.com/sites/finance).
Where two teams have the same name, Microsoft 365 adds a random number to the site collection (such as https://contoso.sharepoint.com/sites/finance518), potentially confusing folks and a far cry from user-friendliness.
When applying a naming scheme, consider these approaches:
Define guidelines for a naming scheme based on your organisation’s existing naming convention. Share the guidelines with those people who have the power to create teams (as discussed in point 1 above).
You can define a list of blocked words that cannot appear in the name of a team (or that are already in use) and set up a prefix/suffix as part of your team names (Azure AD Premium License required). This helps team members identify teams based on the prefix/suffix, such as office or region.
Set up common teams for departments, practices and teams (like ‘HR’ or ‘IT’ and of course, ‘Finance’) centrally, then block use of these team names, preventing duplication.
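The creation restriction and expiration policy from point 1, together with the naming policy described here, can be set in one pass. This is an added example, not part of the original article; it assumes the AzureADPreview PowerShell module, and the group name, naming pattern, lifetime and mailbox are hypothetical values.

```powershell
# Added example: assumes the AzureADPreview module and Azure AD Premium licensing.
# Hypothetical values (not from the article): group name, pattern, lifetime, mailbox.
$CreatorsGroupName = 'Teams-Creators'           # security group allowed to create teams
$NamingPattern     = '[Office]_[GroupName]'     # prefix from the creator's Office attribute
$BlockedWords      = 'HR,IT,Finance'            # names reserved for centrally created teams
$LifetimeDays      = 365
$OrphanNotifyEmail = 'teams-admins@contoso.com' # notified when a group has no owner

Connect-AzureAD

# Fetch the tenant-wide Group.Unified settings object; create it from the template if absent.
$setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
    New-AzureADDirectorySetting -DirectorySetting ($template.CreateDirectorySetting()) | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
}

# -SearchString matches by prefix, so insist on exactly one security group with this exact name.
# Pointing the setting at the wrong group would silently grant creation rights to its members.
$creators = @(Get-AzureADGroup -SearchString $CreatorsGroupName |
    Where-Object { $_.DisplayName -eq $CreatorsGroupName -and $_.SecurityEnabled })
if ($creators.Count -ne 1) {
    throw "Expected one security group named '$CreatorsGroupName', found $($creators.Count)."
}

# Point 1: only members of the security group may create Microsoft 365 groups (and so teams).
$setting['EnableGroupCreation']         = $false
$setting['GroupCreationAllowedGroupId'] = $creators[0].ObjectId

# Point 2: enforce the prefix and block the centrally reserved names.
$setting['PrefixSuffixNamingRequirement'] = $NamingPattern
$setting['CustomBlockedWordsList']        = $BlockedWords
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Expiration: a tenant holds a single lifecycle policy, so create it only if none exists.
if (-not (Get-AzureADMSGroupLifecyclePolicy)) {
    New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays $LifetimeDays `
        -ManagedGroupTypes All -AlternateNotificationEmails $OrphanNotifyEmail
}

# Read back what is now in force.
(Get-AzureADDirectorySetting -Id $setting.Id).Values
Get-AzureADMSGroupLifecyclePolicy
```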
3. External Access (Guest Access)
Enabling Guest Access in Teams lets you invite partners and clients as external guests to your teams. You can choose the features guests can access in Microsoft Teams (including access to channels, documents and chats).
But while it enables communications with your partners or clients, Guest Access can also result in leaks of sensitive information.
Note that Microsoft Teams Guest Access settings depend on other Microsoft 365 services such as Azure AD and Microsoft 365 Groups; it is therefore essential that these dependencies are considered when configuring Guest Access to your governance requirements.
Furthermore, as the collaboration hub, Microsoft Teams interacts with SharePoint Online and OneDrive (which has the most permissive settings for external sharing by default). Users can share files and folders using links which do not require sign-in. The risk here is akin to anonymous document sharing, with no way of knowing who accessed what.
Applying the below best practices for Guest Access is therefore recommended:
Even if Microsoft Teams is already in place, it is never too late to assess governance policies. This includes additional facets (such as Active Directory) which impact the governance of Microsoft Teams and other Microsoft 365 services.
By setting firm guardrails for collaboration, you put your organisation in good shape from a security and governance perspective.
Need assistance? We’ve helped multiple organisations improve practices in managing and operating Microsoft 365. By distilling common problems and solutions into our Microsoft Teams Maturity Assessment, Insight charts your position using several governance axes, defines a target maturity level and timeframe for each axis and provides a structured, prioritised, and actionable roadmap of activities to get there.