07 Jan Microsoft Office 365 and SharePoint
As with any new technology, an important part of achieving company-wide compliance with Microsoft Teams is establishing strong, sustainable governance. Based on the experience of Access Sciences and our clients, here are the minimal considerations for Microsoft Teams Governance best practices:
- Teams naming conventions
- Who can create Teams?
- External and guest access
- Approved apps
- Data security and compliance
- Teams delete / archive policy
Your Teams Governance Plan and SharePoint Governance Plan are separate but complementary governing documents under an overarching Office 365 Governance Plan. While these are two separate tools within the Office 365 suite, Teams uses SharePoint, as well as other Office 365 components such as OneDrive for Business and Exchange Online, to manage Teams content. Teams governance must therefore align with the governance plans for those applications.
For example, SharePoint Governance focuses on site life cycle and management, while Teams Governance focuses on the items mentioned in the previous FAQ, Microsoft Teams Governance best practices (i.e., Teams life cycles, naming standards, access, and data security and compliance). SharePoint sites provisioned through the Teams creation process must still comply with SharePoint governance requirements.
Do you suggest Microsoft Teams implementation in multiple phases or opening all features/functionality at once to the enterprise?
To maximize compliance, Access Sciences recommends an incremental and measured approach across three phases: Plan, Implement, and Scale/Refine.
In the planning phase, you should:
- Establish a multi-disciplined team to assess your organizational readiness at both the technical and user levels.
- Develop your Strategy and Governance Plan, and identify basic Teams processes, foundational Information Architecture (IA), and change management needs.
- Develop a technical roadmap and plan for enterprise rollout.
In the Implement stage, you should:
- Implement basic processes such as consistent Team provisioning and decommissioning.
- Implement foundational IA and create training and communications content.
- Implement standards for Teams and allowed
- Execute phased rollouts to select organizational groups.
In the Scale/Refine stage, you should:
- Complete enterprise-wide rollout to all remaining organizational groups.
- Refine governance plan as you add more groups and scenarios.
- Monitor the right metrics to determine success at a company level.
- Monitor compliance using audit and administration tools.
Your Teams application stores data in different locations based on the type of information and context:
- 1-1 and Group chats, calls, and meetings data is stored in Exchange Online within each participant’s mailbox.
- Files shared within 1-1 and Group chats, calls, and meetings are stored within the sharing user’s OneDrive for Business (ODFB), with sharing enabled with all participants.
- Teams files are stored within SharePoint Online; Teams channel chats, meetings data are stored within Exchange Online, and tasks data is in Planner.
- All meeting recordings are stored in Stream.
*See Logical architecture for MS Teams and related services illustration below
What is the default lifecycle of content associated with Teams? What should be considered in order to manage the lifecycle or retention of all those items?
Teams chat, channel, and file data are retained indefinitely by default. But as an Administrator, you can set up retention policies that specify whether to retain the data, delete it, or retain it for a specific time frame and then delete it.
You can create and manage retention policies in the Microsoft 365 Compliance Center or by using PowerShell cmdlets. You can apply a Teams retention policy to your entire organization or to specific users and teams through three options: manually applied, automatically applied, or machine-learning applied (coming soon).
Here are some considerations and limitations to be aware of when working with Teams retention policies:
- A Teams retention policy will trigger a process to delete chat and channel messages. However, depending on service load, it may take up to seven days to permanently delete these messages from backend storage and Teams apps. Note that these messages will be searchable in both eDiscovery and end user searches until they are permanently deleted.
- Teams requires a retention policy that’s separate from other workloads, meaning you must create specific retention policies for Teams chats and/or channel messages and can’t include Teams in org-wide retention policies.
- Currently, retention policies for Teams only apply to standard channel messages – not private channel messages.
- Currently, Teams doesn’t support advanced retention settings like the ability to apply a policy to content that contains keywords or sensitive information.
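The PowerShell route mentioned above, shown as an added example that is not part of the original article: it creates a Teams-only retention policy with the Security & Compliance PowerShell cmdlets and then lists every policy that covers a Teams location. The policy name and the 365-day period are constructed sample values, and the script assumes the ExchangeOnlineManagement module and an account with a compliance administration role.

```powershell
# Added example: Teams-only retention policy via Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Constructed sample values; take the real ones from your governance plan.
$policyName    = 'Teams-Messages-1yr'
$retentionDays = 365

# Teams locations must sit in their own policy: do not add Exchange,
# SharePoint or OneDrive locations to the same policy.
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName `
        -Comment 'Teams chat and channel message retention' `
        -TeamsChannelLocation All `
        -TeamsChatLocation All | Out-Null

    # Retain messages for the period, then delete them.
    New-RetentionComplianceRule -Name "$policyName-rule" `
        -Policy $policyName `
        -RetentionDuration $retentionDays `
        -RetentionComplianceAction KeepAndDelete | Out-Null
}

# Review step: every policy that covers a Teams location, with its rollout status.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.TeamsChannelLocation -or $_.TeamsChatLocation } |
    Select-Object Name, Enabled, Mode, DistributionStatus,
                  TeamsChannelLocation, TeamsChatLocation |
    Format-List
```

Because private channel messages are outside the scope of Teams retention policies, the review output does not tell you anything about how long that content is kept.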
How do we mitigate Microsoft Teams information security risks when using Microsoft Teams guest access for external parties?
When collaborating with users external to your organization, it’s important to understand the difference between external access and guest access. External access is granted at the domain level, between organizations. If organizations A and B have external access enabled between them, any Teams user in A can find, contact, and set up meetings with any other Teams user in B, and vice versa. Note that external access does not grant access to Teams collaboration areas. To grant access to Teams collaboration areas, guest access must be granted at the individual level by adding the guest’s email account to the specific Team, where they can then access shared files and collaborate. Note that guests cannot access an organization’s ODFB environment, create/modify teams, or upload files in 1-1 chats.
To protect your sensitive information, you need to have a strategy for collaborating securely with external users. These external sharing recommendations will get you started on the right foot:
- Collaboration: Enable external sharing by default and disable based on classification.
- Domains: Limit domains as required.
- Educate: Educate your users on how to share and what to share.
- Anyone Links: Use DLP to prevent the creation of “anyone” links for sensitive SharePoint and OneDrive for Business documents.
- Audit: Make security audits part of your governance process.
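One way to support the "Domains" and "Audit" recommendations, shown as an added example that is not part of the original article: it inventories the guest accounts in every team and flags those whose home domain is not on an approved list. The allow list and the output file name are constructed values, and the script assumes the MicrosoftTeams PowerShell module, Teams administrator rights, and the usual `user_domain#EXT#@tenant` form of guest sign-in names.

```powershell
# Added example: inventory guests per team and flag domains outside an allow list.
# Assumes the MicrosoftTeams module and Teams administrator rights.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Constructed sample allow list; replace with the domains your plan approves.
$approvedDomains = @('partner.example', 'supplier.example')

$report = foreach ($team in Get-Team) {
    foreach ($guest in Get-TeamUser -GroupId $team.GroupId -Role Guest) {
        # Assumption: guest sign-in names look like user_domain#EXT#@tenant.onmicrosoft.com,
        # so the home domain is the text after the last underscore before '#EXT#'.
        $local  = ($guest.User -split '#EXT#')[0]
        $domain = if ($local -match '_([^_]+)$') { $Matches[1].ToLower() } else { 'unknown' }

        [pscustomobject]@{
            Team       = $team.DisplayName
            Visibility = $team.Visibility
            Guest      = $guest.Name
            Domain     = $domain
            Approved   = $approvedDomains -contains $domain
        }
    }
}

# Full inventory on screen; unapproved guests go to a file for the audit record.
$report | Sort-Object Approved, Domain, Team | Format-Table -AutoSize
$report | Where-Object { -not $_.Approved } |
    Export-Csv -Path .\teams-guests-review.csv -NoTypeInformation
```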
Access Sciences first seeks to understand the business goals you wish to achieve through the use of Microsoft Teams. Then our Microsoft 365 experts work directly with you to design and deliver a tailored solution considering information risk, ease of use, and sustainability throughout the entire implementation. We also offer training and reinforcement to increase user adoption and efficiency.
We are a Microsoft Gold-Certified Partner that has delivered hundreds of Microsoft projects for our clients. To get in touch with our Microsoft 365 experts, send us an email at email@example.com.
“Our partnership with Access Sciences has been a fantastic one. The Pertempo framework for SharePoint, as well as the staff is first-rate! I gladly recommend them to anyone and hope to encourage other departments to engage with them.” – Jeff, State Government