For IT teams, governing Microsoft Teams is about more than reducing operational risk. Adopting MS Teams governance best practices has the potential to increase visibility, keep employees productive, increase your agility, and simplify management and optimization. However, that’s only possible if you understand the full spectrum of Microsoft Teams governance—from access and sharing to operations and continuity—and avoid the pitfalls of outdated best practices.
Inside this article:
Effective management of Microsoft Teams means implementing best practices across every part of MS Teams, from the way people collaborate to how you embed strong data security policies.
To learn what policies you should implement in other key Microsoft areas, download CoreView’s Microsoft 365 Governance Best Practices Guide.
We’ve broken the best practices into Microsoft Teams access and sharing best practices, Microsoft Teams apps best practices, Microsoft Teams content best practices, Microsoft Teams operational efficiency and continuity best practices, and Microsoft Teams data security best practices and challenges.
An employee can join any public team, but this freedom can lead to governance complexity. As a foundation for good Microsoft Teams access and sharing governance, control the number of public teams that employees can join and implement an automated attestation process where team owners periodically confirm whether their membership is still required. If there's no response or the team is no longer regularly used, consider archiving or removing it for improved organizational efficiency and security.
Beyond your employees, be sure to establish clear policies for external members who can access Microsoft Teams. While inviting external users can enhance collaboration with customers, suppliers, government agencies, and other outside entities, a team owners should regularly review whether granted guest-user permissions are still required.
Best practices for access and sharing in Microsoft Teams should also involve a keen focus on content organization, and sensitivity labels are a crucial feature for this.
Develop a well-planned data classification scheme and apply sensitivity labels accordingly to enforce security protocols based on the sensitivity of the content. Additionally, using of private or shared channels in MS Teams allows controlled access to specific documents, ensuring that only the necessary individuals can access information.
Regular audits are recommended to maintain a secure and accessible content environment. This will include reviewing who can access a given Team, as well as updating sensitivity labels.
Consider implementing automated auditing tools as well. This ensures you have regular, actionable insights to maintain a secure and accessible content environment.
MVP Vasil Michev shares that organizations should “set whatever policies make sense for your organization and stick to them.”
Organizations should establish policies that require a minimum number of team owners or automate ownership reassignment upon user departure to ensure continuity.
Michev continues here:
MS Teams governance with the native Microsoft Teams tools’
Initially, some organizations avoided using guest access due to concerns about security and control. However, Microsoft has significantly improved the security and governance features related to guest access. Today, it’s a valuable feature for collaborating with external partners—and one you can use with confidence and control
Establish clear guidelines on the use of built-in and third-party apps. This includes creating and regularly reviewing app setup policies, defining who can approve new apps, and outlining the process for integrating third-party apps.
Be sure to review these policies periodically and update them to reflect new app offerings and security updates.
Develop a comprehensive security governance policy for app usage. This should include using apps from trusted sources only, conducting regular security audits, and implementing measures to protect data and privacy.
Regular training ensures team members are up-to-date on app features and best practices. Implement a governance strategy that requires regular review and updates of app policies and permissions to ensure they remain relevant, secure, and effective.
Microsoft 365 tools can be integrated into the Teams experience, but care must be taken to avoid app sprawl. This can be managed by creating templates within Teams, which can include custom apps or integrations with third-party tools like monday.com. These templates streamline the creation of new teams or channels and can help monitor the spread of apps across Teams. However, a thorough audit is advisable to truly understand the spread and usage of apps.
Microsoft expert Roy Martinez shares more ways to avoid app sprawl in Teams in this 2-minute clip:
MVP Vasil Michev shares his thoughts on auditing Teams apps:
However, it’s important to note that auditing your Teams apps (especially third-party ones) can be challenging.
While the Teams Admin Center provides some visibility into first-party apps, you’ll need to use audit logs, historical audit tracking, and other solutions to truly understand when and how apps are being used.
Here’s Vasil again:
For more detailed auditing, PowerShell allows admins to traverse different objects and access hidden apps, bypassing some of the front-end UI limitations. This ensures a deeper, more accurate understanding of app usage across MS Teams.
It’s possible to create teams without an assigned owner, but these are vulnerable to misuse and abuse. Implement a policy that ensures every team has an owner—ideally more than one.
Single-owner teams pose a significant risk to continuity, especially if an employee leaves the company or moves to a new project or role. Microsoft advises assigning at least two owners per team to increase resilience.
Monitor and manage inactive MS Teams groups, including sunsetting project-specific groups post-completion. Develop policies for deleting teams after a certain period of inactivity. This could be action-based (for example, based on the number of users visiting a channel, chatting, or updating files) or time-based.
Before archiving or deleting an inactive Team, carefully consider the ramifications—retaining a record might offer valuable insights for future reference. Always consult with any team owners before deleting anything.
Offline working is another way to improve operational efficiency in Microsoft Teams. Users can work offline, and their changes are stages and synced with MS Teams when they reconnect to the internet. This ensures seamless continuity, even when people have been working without a connection.
The document versioning feature within Microsoft Teams provides a historical record of document changes, creating an audit trail while allowing reversion to previous states if required.
Implement ongoing, role-specific training programs on MS Teams content best practices to ensure users are equipped to work efficiently and securely. Admin teams can also use analytics and reporting to understand usage patterns and spot opportunities for improvement and refinement.
In a recent discussion with SharePoint migration and Microsoft Teams expert Roy Martinez, he shared the following best practices for managing content.
The foundation of effective IT governance in Microsoft Teams is logical content organization. This begins with understanding how Microsoft Teams uses SharePoint for its content management system. All content within MS Teams is stored either in SharePoint sites or OneDrive, making it essential for IT professionals to have a strong grasp of these platforms.
Develop a flexible metadata strategy that can adapt to future changes and incorporate lessons learned from existing practices.
As Roy advises, "It's best to set [your metadata], but not necessarily forget. You want to try to get it right the first time because changing things retroactively means crawling tons of data, which might affect downstream processes."
The managed metadata feature in SharePoint can help maintain order and consistency by imposing constraints on how metadata is created and managed. However, many organizations falter when it comes to content management due to the absence of a tagging structure, leading to documents being saved haphazardly.
All Microsoft Teams content can be assigned with tags, improving organization and searchability. Sensitivity labels are particularly important: tags that assign specific security policies to given content types. These policies may affect who can view and edit content, as well as retention policies. IT professionals must consider the use of these labels, striking the balance between protecting sensitive data and accessibility.
Another critical aspect of IT governance in MS Teams is managing permissions effectively.
Be sure that permission management in MS Teams is synchronized with SharePoint and OneDrive settings for consistent and effective access control.
(As a reminder, every team in Microsoft Teams correlates to a Microsoft 365 group, and each of these groups corresponds to a SharePoint site. This relationship creates a security boundary allows you to define who has access to what.)
To maintain security and accessibility, IT professionals need to refine access to specific documents and folders as needed. This is accomplished in MS Teams through private channels or shared channels, which allow only a subset of users from the main team to access them.
While it's not always necessary to create specific privileges for every file or folder, it becomes essential when collaborating with external users from other organizations who need access to specific data subsets. This refined access management ensures that sensitive information is shared prudently and securely.
Learn how to evaluate your security setup for internal and external users. Watch “Movers, Joiners, and Leavers: Managing personnel changes and external users in Microsoft 365,” on-demand.
Even with effective management of permissions and sensitivity labels, IT teams need to keep pace with changes over time. With the Microsoft 365 compliance center and other auditing tools, you can conduct regular, comprehensive reviews of content and access permissions, ensuring appropriate access is maintained.
Tiered auditing is particularly effective, with frequent minor audits of your most sensitive content and more occasional deep audits of everything. Microsoft 365’s own tools can provide basic data auditing, reporting, and access management automation. By applying these best practices, IT professionals can ensure that their organization's use of Microsoft Teams remains secure, organized, and efficient.
Watch this 2-minute clip from Roy for more recommendations on auditing your Microsoft Teams content:
Microsoft Teams governance has evolved in much the same way as our approach to content—from a hierarchical folder structure to shared storage with a flat structure and tags for searchability. Also, roles in content and information management have become more flexible and less tied to specific platforms like SharePoint, indicating an evolution from the conventional SharePoint administrator role to more versatile roles.
Data security in MS Teams relies on the effective management of sensitive data.
Sensitivity labels play a vital role in protecting sensitive information based on its level of confidentiality. Regularly assess data, assign a security level, and label accordingly. With policies automatically assigned to labeled data, you can significantly reduce the risk of manual errors that leave your security compromised.
When establishing these sensitivity labels, it’s important to clearly understand the organization's security requirements and ensure application of sensitivity labels is user-friendly.
Microsoft Teams allows owners to set up policies that restrict guest-user access based on the sensitivity level assigned—ensuring only those who require such access have it and removing them once they no longer need it. To maintain data security during MS Teams meetings, review all guest users with sensitive data permissions regularly and disable any unnecessary accounts immediately.
In a recent conversation with MVP Vasil Michev, we discussed the challenges of using sensitivity labels effectively for MS Teams data security.
Unfortunately, Microsoft has played a big part in creating those challenges.
Michev shares, “The ‘free for all’ model Microsoft Teams uses doesn’t play that well in any organization of size, yet Microsoft decided to ignore any feedback on the subject initially. It took them years to provide some controls, and the solution is now tied to ‘premium’ licensing.”
Because of the challenges with sensitivity labels, ISVs are stepping in and providing their own solutions for Groups/Teams governance. In fact, some organizations are even investing in their own solutions to manage Groups and Teams (e.g., using Graph APIs and PowerShell and various other automation tools).
Here’s Vasil on this topic:
Vasil shares that yet another challenge with using sensitivity labels for MS Teams is making sure that users actually stamp a label upon creation.
Archiving and retrieving data effectively can help with business continuity, protecting sensitive information, and restricting unnecessary access.
Roy Martinez shares more about using sensitivity labels in Teams in this 2-minute clip:
An organization’s specific needs for data archival and storage within MS Teams will vary. In most cases though, organizations can simply configure a Microsoft 365 retention policy that supports their needs.
However, for organizations needing to retrieve archived Microsoft Teams conversations, Michev recommends purchasing the Advanced eDiscovery SKU.
As for archiving and exporting to external systems, there are multiple ISVs that offer products in this space. Oftentimes, organizations purchase these solutions because they need to meet certain legal or compliance requirements. But, if your organization is especially paranoid about ransomware or rogue admins, you may consider this option as well.
Either way, be sure to integrate these archival and retrieval strategies with the broader data governance framework to support business continuity and compliance.
While manual archiving of inactive teams was once common, it's now recommended to transition to automated archiving solutions that streamline this process and ensure compliance with retention policies. Consider using Microsoft’s auto-expiration feature for teams. This feature automatically archives teams after a certain period of inactivity, freeing up your M365 admin’s time.
Private channels were once heavily used for controlling access to information. However, overuse of private channels can lead to siloed information and become a barrier to collaboration. Now, experts recommend using private channels sparingly, instead of relying more on the permissions and security controls available at the Team and file level.
<< Jump to How to view and create Teams private channels >>
Download the full Microsoft Teams Governance Checklist.
Crafting a strategic plan for Microsoft Teams implementation sets the groundwork for how the tool will be used, managed, and secured within your organization. This strategic plan will outline the policies, procedures, and remediation actions in place to ensure effective MS Teams usage and security. It also provides a roadmap to mitigate the potential risks associated with data sharing--both internally and externally--and keep confidential files secure.
With a defined policy for handling empty Microsoft Teams groups, you can optimize your implementation. While empty teams pose low security risks, they’re an unnecessary burden on your resources. Regularly identifying and deciding whether to archive or remove empty teams prevents unnecessary resource allocation, enhancing your overall operational efficiency.
<< Jump to How to find empty Teams groups in the Teams Admin center >>
A policy for inactive MS Teams groups helps you maintain an organized, secure, and efficient environment. Inactive teams could become potential security vulnerabilities or consume unnecessary resources. By defining what constitutes inactivity, regularly monitoring, and determining appropriate actions for inactive teams, you can continually optimize your implementation and maximize your efficiency.
<< Jump to How to generate a list of inactive Teams Groups >>
Public teams can potentially have many members, making them challenging to manage. A clear policy for these teams and an attestation process requiring owners to periodically confirm their membership can improve organizational efficiency and security.
Guest users can enhance collaboration but can also pose security risks given their visibility into files and content meant for internal use only. A policy that requires regular review of guest user permissions is important to ensure that only necessary access is granted and any potential security risks are mitigated.
Sensitivity labels help secure information by assigning different levels of protection to your content and teams. A policy that restricts guest user access based on these sensitivity labels ensures that only those who require such access have it. Regular review of guest users with sensitive data permissions and disabling any unnecessary accounts adds an extra layer of security.
Teams with single owners can face continuity issues, especially if the owner leaves the company or moves to a new role. Microsoft advises having at least two owners per team to avoid any gaps caused by the change or departure of an owner. A policy for this ensures continuity and smooth functioning of the team.
Teams without proper owners are vulnerable to misuse and abuse. A policy addressing this issue ensures that every team has an owner, enhancing the security and proper use of MS Teams. Regular review and rectification of ownerless MS Teams help keep sensitive data protected against potential risks.
<< Jump to How to identify the owners of a Teams group >>
Download the full Microsoft Teams Governance Checklist.
Embedding a robust set of governance best practices for Microsoft Teams starts with an effective governance plan. There are twelve main phases to consider—read on for a step-by-step guide or download our Microsoft Teams governance plan template.
Before you begin, set the direction and extent of your governance plan. A clear purpose and scope helps everyone understand why the plan is necessary and where it applies within the organization.
Example: Purpose and scope
The purpose of this governance plan is to ensure secure and efficient use of Microsoft Teams at XYZ Corp, enhancing collaboration while maintaining compliance with industry standards and regulations.
This plan applies to all departments within XYZ Corp, with a particular focus on the Sales, Marketing, and Customer Support teams that heavily utilize MS Teams for daily operations.
Assign roles and responsibilities to promote accountability and smooth functioning of your MS Teams environment. Start by establishing your Administrators (users that manage and control the entire environment) and team owners (users that manage specific teams, members, and channels). End by assigning users that only use Microsoft Teams for day-to-day communication as End Users.
Example: Role assignment
IT Department Heads at XYZ Corp are assigned as team owners and are responsible for managing team membership and settings. All other employees are Team Members who use Microsoft Teams for daily communication and collaboration.
Develop policies and procedures to standardize how Microsoft Teams should be used and managed, promoting consistency and efficiency. Team Creation and Management policies define who can create teams and how they should be managed. Data Access and Sharing policies ensure data is securely and appropriately shared and accessed. And App Usage policies manage the use of any third-party apps within MS Teams.
Recommended policies and guidelines include:
Establish security and compliance measures to make sure MS Teams usage complies with internal and external security and compliance standards. This should include:
For the full list of measures, download CoreView’s Microsoft Teams governance plan template.
Training your employees helps to drive adoption, bringing more activity under MS Teams and, in turn, your governance plan. Schedule initial onboarding and regular training to keep employees up to date with changes to both MS Teams and your policies.
Review and update your processes regularly to keep your governance plan relevant and effective. From the outset, establish how often the plan should be reviewed and how you plan to communicate any changes to your plan over time.
Example: Auditing
The governance plan at XYZ Corp is reviewed annually, with updates communicated via email and team meetings.
XYZ Corp conducts bi-annual audits of Microsoft Teams usage and policy compliance.
The IT department at XYZ Corp generates monthly reports on MS Teams usage, which are shared with the Senior Management team.
Establish your incident response plan to promote quick recovery in the event of a security incident. An effective incident response plan will outline key responsibilities and actions if data is leaked or stolen, as well as how you plan to handle inappropriate usage of MS Teams.
Create Archiving and Retention policies to ensure any data is kept for as long as necessary, but not longer than is necessary. This is fundamental best practice for all data, but you should pay special attention to any known sensitive data across your organization.
Control how data is shared outside your organization with external sharing policies. Establish who has the authority to share data externally, what data can be shared, and how data should be shared to ensure security protocols are followed.
Set up your change management policy to ensure any changes to the governance plan are managed effectively. Identify who has the authority to alter the plan and the process for proposing and approving changes.
Download the full Microsoft Teams Governance Plan Template here (includes examples).
While native governance tools provide basic functionality, be aware of their limitations and consider third-party solutions for more comprehensive governance capabilities.
Compared to purpose-built tools for governing Microsoft Teams, these techniques rely on manual analysis of the data, which can be time consuming depending on the size of your implementation. However, the native tools are can help identify possible policy violations, like inactive teams or team groups without owners. You can also use PowerShell to access more even Microsoft Teams data.
Below are the most common actions and frequently asked questions for Teams governance.
Identifying any inactive teams groups is a vital part of Microsoft Teams' governance best practice. Once you know which teams are inactive, you can clean them up to reduce the risk of misuse or wasted resources.
To find inactive MS Teams in the M365 Admin Center:
Creating private channels is an effective way to control access to channels and ensure only the necessary users can use them.
If you're a Teams admin, follow these steps:
If you're already a team owner and want to create a private channel, refer to this MSDN article: Create standard and private channels in Teams.
(Note: These PowerShell scripts were created by 9-time MVP Vasil Michev, 20-year Microsoft expert Marco Benaglio, and CoreView Cofounder and CTO Ivan Fioravanti.)
You can also use PowerShell to view and create Teams channels, which may be faster and easier to automate than manual handling through the Admin Center.
Before you begin, make sure to install the latest Microsoft Teams PowerShell module. Then, run the following command to connect to the MS Teams module:
Connect-MicrosoftTeams
To create a new private channel in an existing team, use the following command:
For more information, refer to this MSDN article: New-TeamChannel.
Once this is done, you’ll see the following output in the Teams Admin Center:
Keeping your environment clean is crucial, and part of that involves cleaning up empty team groups in your Microsoft 365 tenant to save on storage.
Knowing who owns any team group is a key part of Teams administration. The Teams Admin Center enables you to view team group owners in a few clicks.
You can also identify teams group owners in the Azure portal:
(Note: These PowerShell scripts were created by 9-time MVP Vasil Michev, 20-year Microsoft expert Marco Benaglio, and CoreView Cofounder and CTO Ivan Fioravanti.)
With the MS Teams PowerShell module installed, you can find team group owners with PowerShell. For more information on installing the module, refer to the Teams PowerShell install guide.
Once the module is installed, run the following cmdlets:
Here is a snapshot of the PowerShell cmdlet used to find the owner of the “cvnew” Teams Group.
Developing an effective, comprehensive Microsoft Teams governance plan is vital for any organization that uses Teams—but monitoring, managing and enforcing this plan is difficult at scale with the kind of manual tools Teams natively offers.
But to keep things simple, even at scale, consider using a Microsoft 365 management platform like CoreView.
With CoreView, you can be confident that you’re following established best practices for governing Microsoft Teams. With all the data in one place—from ownership to usage, user activity, and more, you’ll know exactly what needs attention and where to look for problems.
Plus, with our Governance Playbooks, you can ensure ongoing compliance with both internal and external policies and regulations—and get alerts when those policies are violated. And the best part? All these options are underpinned by extensive options for automation.
It’s the most effective way to get complete clarity on your entire MS Teams environment.
See Microsoft Teams governance made easy with CoreView. Tour the platform in under 3 minutes.
To learn what policies you should implement in other key Microsoft areas, download CoreView’s Microsoft 365 Governance Best Practices Guide.
