We continue our series on Microsoft 365 administration, which began with a look at configuring your admin portal and moved on to configuring Microsoft Teams. Today, we will continue with more on configuring Microsoft Teams. Let’s start with policies.
There are several types of policies in Teams. These are policy packages, setup, messaging, meetings, live events, and Teams policies. Luckily, they all operate the same way. Let’s take a deeper dive.
Configuring Microsoft Teams: Policy packages
Microsoft has put together some suggested policies for different types of workers in certain industries. They include education, health care, small business, and public safety. For education, health care, and small business they include policy groups for various personas. These policy packages can include some or all of the various types of policies I just listed.
Below you see the policy package for a small business person who is not using the phone system. In this case, all they’ve done is remove the Calls button from the menu. So, there is only one policy in the package.
In the case of a primary school age student, there are many policies in the package.
Looking at the messaging policy, we see that several items are turned off. You can click on each policy to see what it contains and what the settings are.
To activate one of the policy packages, you need to first assign a user to the policy. This is a bit counter-intuitive because typically we could create the policy, tweak the policy to our specific need, and then assign it. If you’d rather do it that way you could use these policy packages as template suggestions and instead create your own custom policy. Alternatively, you can assign just a single person, maybe a test user, and then make changes and add the production users later.
Once I assign a user to a policy package, the policy itself shows up in the app setup policy list under Teams apps.
I can edit those policies once they are populated here. As an example, I can turn features off or on, and I can add an additional app to the right panel app list in Teams. To add an additional app, I open the policy, then click the add apps button, and search for tasks. It presents me with a list of available task apps by Microsoft and third parties. When I choose one, it becomes part of the apps in Teams. I can choose to move that app up or down on the menu too. In this case, I move it up one from the bottom.
Pro tip: Go into Users in the Teams admin to assign policies to users. It’s much faster and easier than adding them one at a time as you are required to do in the policy itself.
Private teams and channels
Private teams and channels were the most-requested features for Microsoft Teams and now they are here. Before we get started, I want to make a note about the backup of these. If you are using a third-party backup service, as of this writing, most of them are not backing up the private channels.
Backup services are not backing up private channels because they don’t have permission to do so. The architecture of these private spaces is such that an entirely separate SharePoint collection, not site, is created when a private channel is created within a regular team. These are not simply permission-based entities. These are seriously segregated data spaces and only the members of them have access to those spaces. No one other than the members will see these items in search or know that they exist at all. This includes your backup service and your administrators.
At some point, there will be a solution to backing these up. The OAuth permission will need to be unique for each one and that’s the challenge that the services have to rise to.
Let’s understand the difference between a private team and a private channel. A private team is not as private as a private channel. A private team resides in the same SharePoint collection and the admin can make private teams discoverable. The only thing that makes a private team private is that the owner of the team has to add the members. Members cannot decide to join a private team. That’s all that is unique to private teams and that’s all I need to say about them.
Private channels are an entirely different matter. Everything is different about a private channel. A private channel exists within a team. As I mentioned above its architecture is such that the private channel is very, very private. It resides in a separate SharePoint collection by itself. Meaning, each private channel spins up a new SharePoint collection. Each of those SharePoint collections has unique access based on the members of the private channel.
Even the global admin does not have permission to the private channels. The presence of a lock next to a channel name means that it is a private channel. Only members of the private channel see the existence of the private channel, other members of the team don’t see it at all. In addition, none of the content will be revealed when non-members search.
Guests can be invited to a private channel. The guest must be a member of the team in which the channel resides. They will essentially see a team with a single channel in it, the private channel, unless you also add them to more channels.
The owner of the private channel can manage their channel just like any other channel. However, the administrator of Teams, if they are not a member of the private channel, will only be able to see that the channel exists. They will not be able to see the membership or the data.
Private channels are not visible in the SharePoint admin console. They can only be managed via PowerShell or Microsoft Graph. The prefix for each private channel is TEAMCHANNEL#0 then the name of the channel. If the administrator needs to discover the channels for management purposes, create a private channel for a team, or manage an eDiscovery inquiry, the best starting point will be this article, where Microsoft has included several PowerShell scripts that you’ll need.
Microsoft has this handy chart for helping you to decide when to use a private channel for communications.
One final consideration is whether or not you want the user to create private channels. A team owner can make this decision if private channels have not been turned off by the admin.
When you are configuring Microsoft Teams, I recommend turning this off until such time that it is needed or until your team owners have been trained in their use and understand the implications and severity of the privacy.
I have previously written a nice article on data storage in Teams, so I’m not going to repeat that here but rather refer you to the three articles below. Suffice it to say, in summary, you might be surprised to find that it takes a village of data storage locations, not just SharePoint and Exchange, to keep Microsoft Teams data organized. Those three articles were Restoring Teams data, Recovering Teams messages, and Surprising places Teams stores your data.
If you need to perform a Teams data eDiscovery, the inclusions vary depending upon the type of team or channel the data might be held in. In a regular team, messages are delivered to a shared mailbox, so you need to include the team and the team shared mailbox. In a private channel, there is no shared mailbox so you need to include the site collection, the team, and each member’s mailbox to gather the data.
There’s quite a lot to eDiscovery and Microsoft Teams so I’m going to refer you back to Microsoft for the PowerShell that you’ll need.
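As an added illustration (not part of the original article and not Microsoft's published script), the sketch below gathers the private channel eDiscovery scope described above: the team, each private channel's site collection, and each member's mailbox. It assumes the MicrosoftTeams and SharePoint Online Management Shell modules are installed, that the signed-in account is allowed to read channel membership, and that `$AdminUrl` and `$GroupId` are placeholders you replace; it passes TEAMCHANNEL#0 to the `-Template` filter of `Get-SPOSite`.

```powershell
# Added example: build the eDiscovery scope for one team's private channels.
# Requires the MicrosoftTeams and Microsoft.Online.SharePoint.PowerShell modules.
# Both values below are placeholders, not real tenant data.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder admin URL
$GroupId  = '00000000-0000-0000-0000-000000000000'   # placeholder team group ID

Connect-MicrosoftTeams
Connect-SPOService -Url $AdminUrl

# 1. Private channels inside the team.
$channels = Get-TeamChannel -GroupId $GroupId -MembershipType Private

# 2. Private channel site collections that belong to this team.
#    RelatedGroupId is only returned when each site is queried with -Detailed.
$sites = Get-SPOSite -Template 'TEAMCHANNEL#0' -Limit All |
    ForEach-Object { Get-SPOSite -Identity $_.Url -Detailed } |
    Where-Object { $_.RelatedGroupId -eq $GroupId }

# 3. Members of each private channel. There is no shared mailbox for a
#    private channel, so every member's mailbox goes into the search.
$members = foreach ($channel in $channels) {
    Get-TeamChannelUser -GroupId $GroupId -DisplayName $channel.DisplayName |
        Select-Object @{ n = 'Channel'; e = { $channel.DisplayName } }, User, Role
}

# 4. One object listing everything the eDiscovery search must include.
[pscustomobject]@{
    TeamGroupId  = $GroupId
    Channels     = @($channels.DisplayName)
    ChannelSites = @($sites.Url)
    Mailboxes    = @($members.User | Sort-Object -Unique)
}
```

Owners are included in the mailbox list along with members, since `Get-TeamChannelUser` returns both roles unless `-Role` is specified.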