Private Channels in Teams an end to end overview

Juan Carlos Gonzalez

0 comments

This eBook provides a detailed overview of Private Channels in regards to usage scenarios. Specifically, we look at how they can be created, how membership works, how they can be managed and how they can also be extended by means of Apps.

Private Channels (PC) in Microsoft Teams enable collaboration scenarios where focused spaces for private collaboration within a Team are required. PC privacy means that only PC owners and members can access and see chats and content of the PC, but not any other Team member, which also includes Team owners that are not part of a PC. This eBook provides a detailed overview of PC in regards to usage scenarios, how PC can be created, how membership works in PC, how PC can be managed and how PC can be extended by means of Apps.

Figure 1.- PC example in a Team.

PC usage scenarios

Before digging into PC details, let’s talk about some of the usage scenarios and use cases where PC fit well:

  • A group of people in a team want a focused space to collaborate without having to create a separate Team.
  • A subset of people in a team want a private channel to discuss sensitive information (Budgets, resourcing, strategic positioning, etc.).

Bearing in mind that we can create a big number of Teams in a tenant (up to 500,000), a typical question that we should make when thinking about using PC is the following: When should I create a PC? The following decision matrix/table might help answer that question:

Is there already a team that has these people as team members?Does this work need to be kept private from others?Are there multiple distinct topics to discuss?Recommendation
YesYesYesCreate a private channel in the existing Team or consider creating dedicated private channels for each topic.
YesYesNoCreate a private channel in the existing Team.
YesNoNoCreate a channel in the existing Team.
NoNoNoConsider creating a new team.
NoNoYesConsider creating a new team and then, depending on the confidentiality of each topic, consider creating separate standard or private channels for each topic.
NoYesNoCreate a new team or create a new private channel in an existing team.

Table 1.- Decision Table/Matrix to decide when to create a PC vs. create a Team.

PC Creation

By default, PC creation is enabled in an Office 365 tenant so both Team Owners and Team Members can create a PC in a Team. (Bear in mind that the number of PC that can be created in a Team is limited to 30). PC creation can be restricted at two different levels:

  • At a global level, a Global Admin or a Teams Admin can disable PC creation by means of a Team policy. For instance, if we edit the default Teams policy in the Teams Admin Center, we can easily disable PC creation by disabling the PC creation control:

Figure 2.- PC Creation control in the default Teams policy in the Teams Admin Center.

As an alternative to globally managing who can create PC by means of the Teams Admin Center, we can use PowerShell and the New-CsTeamsChannelsPolicy with the AllowPrivateChannelCreation attribute configured as required.

  • At a Team level, a Team Owner can disable the creation of PC by Teams Members by removing the “Allow members to create private channel” permission.

Figure 3.- Permission required to create PC by Teams Member.

The process to create a PC by Team Owner or a Team Member (Note that guest users are not allowed to create PC) is quite straightforward:

  • In an existing Team, click on the “…” next to the Team name or simply click on the Team name with the right button of your mouse to display the Team menu options. Click on “Add channel” option:

Figure 4.- Add channel option in the Teams Options menu.

  • In the channel creation window, the following settings are required so the channel can be created:
  • Channel name.
  • Channel Description (optional).
  • Privacy, where we can choose between Standard – Accessible to everyone on the Team and Private – Accessible only to a specific group of people within the Team. Since we are going to create a PC, select “Private – Accessible only to a specific group of people within the team” as channel type.
  • Once all the required settings have been configured, click on “Next” so the PC is created. Bear in mind that once a PC is created, it’s not possible to convert to a Standard Channel. In the same way, a Standard Channel once created cannot be converted to a PC.

Figure 5.- Creating a PC.

  • Next Step (Optional) implies to add PC members considering the following rules about membership in PC:
  • As happens with a Team, we can have three user types in a POC: Owners, Members and Guests.
  • Only PC owners can add members and guests to a PC.
  • Only existing members and guests in the Team can be added to a
    PC.
  • Only members of the PC can view PC content. A Team owner can only be the PC content is he/she is a member of the PC.
  • We can add up to 250 members in a PC.

Figure 6.- Adding members to a PC.

  • Once the PC is created in the Team, it’s identified as PC by a lock next to the channel name.

Figure 7.- PC in a Team.

PC Membership

As described in the previous section, we can have the following user Types in PC Owners, Members, and Guests. PC owners are in charge of managing the membership and life cycle of PC:

  • The last Owner of a PC cannot be removed from the Team.
  • If a PC becomes ownerless (user leaves the company), an existing non-guest member is auto-promoted to become the Owner.

Bearing in mind the three type of users that a PC can have, the following Table summarized what each user type is able to do in a PC:

ActionTeam ownerTeam memberTeam guestPrivate channel ownerPrivate channel memberPrivate channel guest
Create private channelYes1Yes1,2NoN/AN/AN/A
Delete private channelYesNoNoYesNoNo
Leave private channelN/AN/AN/AYes3YesYes
Edit private channelNoN/AN/AYesNoNo
Restore deleted private channelYesNoNoYesNoNo
Add membersNoN/AN/AYesNoNo
Edit settingsNoN/AN/AYesNoNo
Manage tabs and appsNoN/AN/AYes4Yes5No

Table 2.- Who can do what in a PC.

1 Assuming the policy that you, the admin, configured allows the user to create private channels.
2 Each Team has a setting that team owners can turn on or off to allow team members to create private channels. Team owners can always create private channels.
3 Assuming the private channel owner isn’t the last Owner of the channel.
4 Requires the Team to have an app installed for a private channel to use it.
5 Private channel owners can configure this.

Team Owners and PC

As the PC Administration describes, Team owners can control through PC settings if members can create or not PC in a Team. Additionally, Team owners:

  • Can see names, last activity time, and owners of all private channels in a team.
  • Can delete Team or individual private channels without being a member. A deleted private channel can be deleted within 30 days after it’s permanently deleted.
  • Removing members from the Team removes them from all private channels. Blocked from removing anyone who is the last Owner of a private channel

Table 3 summarizes what Team owners and Team Members can see in a PC:

Private channel informationTeams owners can seeTeam members can see
Name and descriptionAll private channels in the TeamOnly when added to the private channel
Conversations and tabsOnly when added to the private channelOnly when added to the private channel
Files and contentOnly when added to the private channelOnly when added to the private channel
Private channel ownerAll private channels in the TeamOnly when added to the private channel
Last activity timestampAll private channels in the TeamOnly when added to the private channel

Table 3.- What Team Owners and Team Members can see in a PC.

PC Administration

PC can be managed at two levels: PC level and Teams Admin Center. This section described both administration levels. As happens with standard channels, PC has its own settings, including the ability to add and remove members, add tabs, and @mentioning for the entire channel. To access PC settings:

  • Click on the “…” next to the Channel name or simply click on the channel name with the right button of your mouse, so channel menu options are shown. Click on “Manage channel” option:

Figure 8.- Accessing the PC Management settings.

Note: Channel settings are independent of the parent team settings. When a PC is created, it inherits settings from the parent team, after which its settings can be changed independently of the parent Team settings.
  • Members section in the PC settings shows all the PC members. From this section a PC owner can add new members if they are members of the parent Team.

Figure 9.- Members section in the PC Settings.

  • Settings section contains all the settings related to the PC:
  • Member permissions where we can find controls about what a PC member can /can’t do in a PC.
  • @mentions: enables/disable the possibility to mention a PC by using “@”.
  • Fun stuff contains all the settings related to the use of emojis, memes or stickers in the PC.

Figure 10.- Settings section the PC management.

All Teams and Channels, including PC, can be globally managed from the Teams Admin Center. For a specific PC in a Team, a Global Admin or a Teams Admin can do the following actions:

Create or delete PC.

Figure 11.- Creating a PC from the Teams Admin Center.

Edit PC name & description.

Figure 12.- Editing PC name and description.

Add or remove members in the PC.

Figure 13.- Adding a new member to the PC.

Promote or demote members and owners.

Figure 14.-Promoting a PC member to Owner.

Note: As an alternative to the Teams Admin Center and the PC individual settings, we can use PowerShell Module for Teams and Microsoft Graph API to manage PC.

Apps in PC

PC also support Apps, but as of February 2020, this support is very limited compared to the support we have in regular channels. Indeed:

Tabs and connectors are supported in PC. However, we can find that there are some Apps that can be added as Tabs in standard channels that cannot be added to PC. The best example is the Planner App that is still not supported in PC.

To add a new Tab to a PC, just click the “+” action next to the Files Tab and simply choose the App you want to add:

Figure 15.- Apps that can be added as Tabs in a PC.

Once we configure the Tab selected, it will be added to the PC:

Figure 16.- Example of Tab added to the PC.

To add a connector to a PC, just click Click on the “…” next to the Channel name or simply click on the channel name with the right button of your mouse so channel menu options are shown. Click on “Manage channel” option:

Figure 17.- Connectors action in the Channel management options.

Once you click on the “Connectors” option, the Connectors window opens to select the connector to be added to the PC.

Figure 18.- Connectors that can be added to a PC.

Once you have configured the connector selected, it will start adding information to the PC:

Figure 19.- Twitter connector configured in a PC.

Note: Apps must be installed in the Team before they can be used in a private channel.

The following items are not yet supported in PC but I hope will be supported in the future:

  • Bots and Messaging extensions.
  • Certain Office 365 Group connected Apps like Planner.

Files in PC

In PC, as in Standard Channels, we can create folders, store any kind of file, and in general, take advantage of the native integration between Microsoft Teams and SharePoint Online.

Figure 20.- Files tab in a PC.

However, Files in a PC are managed differently than how Files are managed in Standard Channel:

  • A PC has its own Site Collection to store files and ensure privacy. That Site Collection has the following particularities compared to any other regular Site:
  • Ensures access to PC documents is restricted to PC members.
  • PC channel is named as <team name>-<channel name>.
  • Comes with a document library.
  • Lists can be added to the Site.
  • Pages are not supported in the Site.
  • From the PC Document Library we have a shortcut to the PC and from the Site navigation we can access the PC parent Team.

Figure 21.- PC site.

  • Lifecycle of the PC Site collection is tied to the PC itself:
  • If the Site collection is created in the same geo as the Team, it inherits guest permission on creation.
  • Membership and data classification of the Site collection is kept in sync with Team.
Microsoft has increased the number of Site collections per tenant limit from 500 K to 2 M to overcome a scenario where a lot of Site Collections can be created in a SharePoint Online tenant.

PC sites are hidden (for now) in the Modern SPO Admin Center, so they can only be managed by means of PowerShell and filtering by “TeamChannel#0” template. To get all the PC sites in a SPO tenant, just execute the following PS sentence that uses Get-SPSite cmdlet (Note: You need first to connect to the SPO tenant).

Figure 22.- Getting all PC sites in a tenant using Get-SPOSite.

Since PC Owners and Members are managed by Teams:

  • Any direct changes to these groups in SP will be automatically synchronized with the private channel membership within four hours.
  • Use visitor or a new group if you need to grant users access to documents and not channel conversations

Figure 23.- SharePoint Groups in a PC Site.

FAQs about PC Sites Management
If the site collection is deleted outside of Teams, a background job restores the site within four hours as long as the private channel is still active.

If the site collection is deleted and hard-deleted, a new site collection is provisioned for the private channel.

If a PC or Team containing a PC is restored, the site collections are restored with it.

If a PC site collection is restored and it’s beyond the 30-day soft delete window for the PC, the site collection operates as a standalone site collection.

Information Protection in PC

To finalize this eBook about PC, the following are the key considerations when talking about information protection and compliance in PC:

  • eDiscovery support for channel messages and documents:
  • Include private channel member mailboxes and SP site collection in discovery query.
  • Retention support for private channel documents:
  • Default retention policy for sites apply, manage via PowerShell.
  • Retention support for private channel messages coming later.
  • eDiscovery, Retention & Hold on group (Team) does not automatically apply to private channels in the Team:
  • Legal Hold support for messages in PC is currently rolling out:

https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=60434&rtc=1

Figure 24.- Information Protection Architecture for PC.

Conclusions

Just to summarize what we have covered in this eBook, the following are key learnings about PC in Microsoft Teams:

  • PC enabled focused and secure collaboration within a Team
  • Only owners and members of a private channel can see messages, documents and other content in a private channel.
  • Up to 30 PC can be created in a Team and there can be up 250 members in a PC.
  • PC can be extended with Apps, but they must be installed first in the Team.
  • Each time a PC is created, a brand new Site Collection linked to the PC is created.

References

  • Private Channels in Microsoft Teams:

https://docs.microsoft.com/en-us/microsoftteams/private-channels

  • Limits and specifications for Microsoft Teams:

https://docs.microsoft.com/en-us/microsoftteams/limits-specifications-teams

  • Private channels lifecycle management:

https://docs.microsoft.com/en-us/microsoftteams/private-channels-life-cycle-management

  • eDiscovery of private channels:

https://docs.microsoft.com/en-us/microsoftteams/ediscovery-investigation#ediscovery-of-private-channels

0000-00-00 00:00:00


Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}