Team default settings
This table details the default settings that are applied to different types of Teams:
Within Private Teams, anyone who isn’t a member cannot see any of the content. Effectively, every Private Team is its own information silo.

What this means from a governance perspective:
- Within both Org-wide and Public Teams, anyone inside your organisation is either already a Member, or can choose to make themselves a member.
- By default, all of the Team’s Members can delete any files that are stored within a Team (irrespective of the type of Team that is created).
Team settings that can be configured
Team Owners have a number of different configuration settings, which modify the permissions that are granted within the Team. There are no hard and fast rules to determine how these settings are configured. Rather than go through them all, I’ll pick some of the more important from a governance perspective:
- Allow Team Members to:
  - create and update channels
  - delete and restore channels
  - add and remove apps
  - manage tabs (add, edit, remove)
  - delete messages posted to the conversation
  - edit messages posted to the conversation
  - @mention the entire Team (or one of the channels within the Team)
- Allow External Guests to:
  - create and update channels
  - delete and restore channels
One great feature is that you can adjust the type of a Team. As such, an Owner could decide to switch their Public Team into a Private or Org-Wide Team.
Other Governance considerations with Teams:
Configuring a group-connected SharePoint team site
One thing that you might want to consider is whether you wish to modify the permissions granted to the SharePoint site collection (which is where the files saved to your Team will reside). I’m personally in favour of slightly reducing the permissions granted to Group Members, by granting them the ability to Contribute (rather than Edit). This change needs to be undertaken after the Team has been created, something that is best handled automatically via a workspace provisioning process. This subtle change allows Group Members to control content, but not structures – for example, it removes their ability to delete Document Libraries or modify Content Types.
Ensure Teams naming conventions
If you allow users to create their own Groups, it’s very likely that you will quickly encounter issues with naming conventions. A typical scenario we see is for a regional HR team to call their new group HR, before the central HR department has got around to creating its own workspace.
One solution for organisations with either an Azure Active Directory Premium P1 license or Azure AD Basic EDU license is to make use of a ‘Groups Naming Policy’ to prefix/suffix groups. This can combine fixed strings with certain AD attributes (derived from the profile of the user who creates the Group). You can also block certain words from being used within the name of a group, which could be especially useful to reserve specific groups and guard against names containing inappropriate language.
Alternatively, the process of ensuring that your Groups/Teams are named consistently can be part of a controlled provisioning process. This could, for example, ensure that naming prefixes/suffixes are applied to all workspaces, and empowers reviewers to ensure that inappropriate names are not approved.
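The name check that a controlled provisioning process could run before a request reaches a reviewer, as an added example that is not from the original article and is not Azure AD's own implementation. The template syntax, attribute names, blocked words and group names are constructed for illustration, and whole-word matching of blocked words is this example's design choice.

```python
import re

# Hypothetical policy for a provisioning workflow (all values constructed).
TEMPLATE = "GRP_[Department]_[GroupName]_[CountryOrRegion]"
BLOCKED_WORDS = {"payroll", "ceo", "hr"}  # names reserved for central teams
PLACEHOLDER = re.compile(r"\[(\w+)\]")


def build_name(requested, creator_attrs, template=TEMPLATE):
    """Expand the template using the creator's directory attributes."""
    def expand(match):
        key = match.group(1)
        if key == "GroupName":
            return requested.strip()
        value = creator_attrs.get(key, "").strip()
        if not value:
            # A silent empty prefix would defeat the convention, so fail.
            raise ValueError(f"creator profile has no {key} attribute")
        return value
    return PLACEHOLDER.sub(expand, template)


def review_request(requested, creator_attrs, existing_names):
    """Return (final_name, problems); an empty problems list means approve."""
    problems = []
    # Match whole words only, so "Christmas" does not trip the "hr" entry.
    words = set(re.findall(r"[a-z0-9]+", requested.lower()))
    hits = sorted(words & BLOCKED_WORDS)
    if hits:
        problems.append("blocked word(s): " + ", ".join(hits))
    try:
        final = build_name(requested, creator_attrs)
    except ValueError as exc:
        return None, problems + [str(exc)]
    # Case-insensitive collision check against workspaces that already exist.
    if final.casefold() in {name.casefold() for name in existing_names}:
        problems.append("name already in use: " + final)
    return final, problems


if __name__ == "__main__":
    creator = {"Department": "Sales", "CountryOrRegion": "UK"}  # constructed
    existing = ["GRP_Sales_Bids_UK"]                            # constructed
    for request in ("HR", "Bids", "Christmas party"):
        print(request, "->", review_request(request, creator, existing))
```
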
Consider Teams auto-expiry
Another benefit of Azure AD Premium licences is the ability to manage the lifecycle of your Office 365 Groups with expiration policies. When an expiration policy is set, Owners of the group are notified, as the date of expiration approaches, that they should consider renewing the group. Any group that is not renewed is deleted (with up to 30 days to restore deleted groups if required).
Teams also provides an Archive feature, which allows owners to make their Team read-only, allowing content to be retained and viewed, but not edited. Usefully, archived Teams can be restored as required, making it a great governance tool. Personally, I’d like to extend the archiving capabilities with the ability to trigger immutability upon archive and automating the archive process for inactive workspaces.
Control content retention within Teams
One of the most powerful tools available for governance within Teams is provided by Office 365 Retention Labels and Retention Policies. These can be used to ensure that content is automatically retained, or automatically disposed of, within specific time parameters. If you govern the creation of new Teams and Channels effectively, there is nothing stopping you from setting default Retention Labels on each of the libraries and folders in your group-connected team sites.
To get best value from this, you should probably consider applying default retention labels to each of your different channels, as this will avoid the headache of manual tagging. To ensure consistency and reduce ongoing effort, you might wish to ensure that a process for automatically setting default labels is considered.
Footnotes / References
1 This is the default setting when the Team is created. Group Owners can choose to disable this.
2 In theory this is Everyone (except external users), as anyone internal can choose to join the team.
3 Private Teams are (currently) hidden, so people outside of the Team cannot choose to join (unless they are added or provided with a code to join the Team). NB, Microsoft has announced that a new ‘discoverability’ setting will be provided for Private Teams which will be introduced from this summer (2019). New Public Teams created after this point will be discoverable by default – hence, non-members will be able to make a request to join (which will need approval by one of the Group Owners).
4 Microsoft has just (30/04/2019) announced that Private Teams will be getting a new ‘visibility’ setting, that will determine whether people can find them. Existing Private Teams will continue to be hidden by default; new Private Teams will be created visible but can be subsequently hidden.