Microsoft Teams has offered “a new way to work and learn for a new digital age” throughout the rollercoaster that is the pandemic. Bridging the gap between the office and the remote work environment, Teams enables users to meet, share ideas, and build connections in one platform, making it one of the most popular collaboration tools in the remote work era.
When it comes to the platform’s mass adoption, the numbers don’t lie. The software has grown exponentially, from 20 million daily active users (DAUs) in November 2019 to 44 million DAUs in March 2020 to 250 million monthly active users in July 2021. As Microsoft plans to continue adding innovative features and integrations, there are no signs this growth will slow down.
But in the rush to adopt tools like Teams, many organizations lagged behind on one critical element: Microsoft Teams governance. As organizations continue to meet, collaborate, and automate their work on this platform, they must also consider how they can establish strong Microsoft Teams governance.
When we talk about Microsoft Teams governance, we’re really talking about information governance — or a data organization framework that brings together technology, people, process, and policy. Strong governance can help maximize the value and minimize the risk of not just your Teams data, but also data spread across the entire Microsoft Suite, given its tight integrations with SharePoint, OneDrive, and other services.
Although implementing strong Microsoft Teams governance before the initial rollout of the tool is ideal, an instantaneous shift to remote work in 2020 made this near impossible. This has triggered a trend of retrospective information governance, as companies of all sizes and industries ask themselves, “what have we missed?”
Although daunting at first, applying Microsoft Teams governance best practices is possible. As the saying goes, “the hardest part is getting started,” so here are seven simple steps you can take to get going.
A good place to kickstart Microsoft Teams governance is deciding who can and can’t create teams. You can allow all users to create teams, add a third-party app to control team creation, or block direct team creation and require users to submit a request to create the team. You’ll also want to make sure you’ve clarified when users should create a team and when it would make more sense to just add a channel.
Another permission to consider is whether to allow or prohibit users from inviting guests outside your organization to join teams. You want to keep your data private, but you also don’t want to discourage people from collaboration. Chances are, they’ll find a different tool to use, at which point you lose control of data altogether. You can set access permissions for external guests using Azure Active Directory.
It’s important to have naming conventions for your teams, not just for basic organization but also to make data easily discoverable in the event of a legal obligation like eDiscovery. Without a proper naming convention, you won’t be able to tell whether or not you’ve co-opted another team’s name. Instead, Teams will allow two teams with the same name to exist. But when it points to your team’s files in SharePoint, Microsoft 365 will add a random number to your team’s name in the URL.
To avoid duplication and add clarity, set a naming convention that requires users to name teams the same way every time, such as with a project name or abbreviation, regional office name, or other identifiers. To enforce the convention, you can set a policy in Azure Active Directory to automatically add a prefix or suffix to your teams. Alternatively, you can use a third-party solution.
When people collaborate, they share information. Anytime your data leaves your network, it loses the built-in protection of your organization’s firewall. Therefore, you’ll want to make sure you have a way to protect your sensitive data as part of your Microsoft Teams governance plan.
Teams allows you to set custom sensitivity labels that establish a selected protection level over that document. So, for example, you can set a sensitivity label to encrypt an email or document. Or you can mark the content with a watermark, header, or footer. You can also control access to a container — a site or group — where sensitive content is located.
It’s easier than ever for users to integrate third-party apps with Teams. But do you want every team to have the ability to add any app at any time? Probably not. No matter how helpful, third-party apps add a layer of risk to your data.
As a Microsoft Teams governance best practice, you’ll want to establish an app permission policy. This allows you to set permissions around downloading and using apps based on whether they’re published by your organization, Microsoft, or a third party. You may want to choose the option that allows specific apps and blocks all others to ensure users have access to what they need while still protecting your data.
Teams allows you to limit the sensitive data that users share in chats and channels, which is great for Microsoft Teams governance purposes. By default, Microsoft tracks all credit card numbers shared, both internally and externally, with the organization. When a number is shared, it triggers an alert and sends an email to an administrator.
You can configure this policy to block other behaviors in the Teams Compliance Center. You can also configure the policy to set conditions, such as the types and numbers of instances of data sharing that will trigger the rule, and you can set policies that address specific accounts, sites, and workloads.
With so much critical information coursing through Teams, you’ll want to make sure you can retain what you need for compliance and legal obligations and safely dispose of data that no longer has any business value. Fortunately, Teams allows you to set a data retention policy, which should be established for strong Microsoft Teams governance.
Teams admins can decide how to apply a retention policy for chats and channel messages: to the entire organization or to specific teams or users. Note: The retention period for Teams data always starts when the data is created.
Once you’ve set a retention policy, users can still edit and delete their messages, but the original message is stored in a secure location accessible by admins.
It’s unlikely that your teams will be relevant and useful forever. You can implement a policy that archives teams in storage for later reactivation or that removes inactive teams from your system to maintain good data hygiene.
You should set a particular period for inactivity, such as 90 days. Teams will notify the team owners that they need to renew if they want to keep the team. If a team is set to expire and the owner doesn’t renew it, it will be soft-deleted. That means users can reactivate the team and recover its data for 30 days past the expiration date.
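The naming-convention and expiration rules described above can be checked against an exported team inventory; the following is an added example, not code from the original article or from Microsoft. The region prefixes, the inventory rows, the reference date and the simplified lifecycle model (90 days of inactivity, then a 30-day recovery window) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical convention: <REGION>-<Project name>, e.g. "EMEA-Payroll Migration"
NAME_RULE = re.compile(r"(AMER|EMEA|APAC)-[A-Za-z0-9][A-Za-z0-9 ]{2,40}")
INACTIVITY_DAYS = 90   # example inactivity period from the article
RECOVERY_DAYS = 30     # soft-deleted teams stay recoverable this long
TODAY = date(2024, 6, 1)  # constructed reference date for the sample run

# Constructed inventory: (display name, last activity, renewed by owner)
TEAMS = [
    ("EMEA-Payroll Migration", date(2024, 5, 20), False),
    ("Marketing", date(2024, 5, 1), False),
    ("marketing ", date(2024, 1, 10), False),
    ("APAC-Vendor Onboarding", date(2024, 2, 20), False),
    ("AMER-Legal Hold 2023", date(2024, 1, 15), True),
]

def lifecycle(last_activity, renewed, today):
    """Classify a team under the simplified expiration model above."""
    expires = last_activity + timedelta(days=INACTIVITY_DAYS)
    if renewed or today < expires:
        return "active"
    if today <= expires + timedelta(days=RECOVERY_DAYS):
        return "soft-deleted (recoverable)"
    return "past recovery window"

def audit(teams, today):
    """Return naming violations, duplicate-name groups and lifecycle states."""
    violations = [n for n, _, _ in teams if not NAME_RULE.fullmatch(n)]
    groups = defaultdict(list)
    for name, _, _ in teams:
        # Compare names case-insensitively with whitespace collapsed
        groups[" ".join(name.split()).casefold()].append(name)
    duplicates = [names for names in groups.values() if len(names) > 1]
    states = {n: lifecycle(last, renewed, today) for n, last, renewed in teams}
    return violations, duplicates, states

if __name__ == "__main__":
    violations, duplicates, states = audit(TEAMS, TODAY)
    print("Naming violations:", violations)
    print("Duplicate names:", duplicates)
    for name, state in states.items():
        print(f"{name!r}: {state}")
```
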
Even if you’ve been using Microsoft Teams for quite some time, it’s not too late to start implementing these Microsoft Teams governance best practices. Remember, Teams is just one piece of your enterprise data puzzle, so taking small steps now can pay off big time later.