Teaching IT How to Manage and Govern Microsoft Teams

Chirag Patel


This eBook will consider 10 steps that will help you manage your Microsoft teams and Microsoft 365 workloads effectively to ensure your users remain happy and informed, throughout your organisation.

This eBook will consider ten steps that will help you manage your Microsoft teams and Microsoft 365 workloads effectively to ensure your users remain happy and informed throughout your organization.

We’ll look at various admin capabilities around Microsoft 365 setup to help you monitor your live environment, looking out for red alarms, as well as looking at deployment advisors, to help you roll out additional services. We’ll also look at the Microsoft 365 groups in terms of how best to manage them as that’s the underlying component for a lot of your online services. On the way, we will also consider external sharing, guest access, security, and compliance with policies, as well as looking at PowerShell tools for some advanced administration capabilities as well.

Why Microsoft 365?

Microsoft 365 provides many different services, SharePoint, Microsoft Teams, Yammer, etc.. Still, at the end of the day, it’s all about what kind of services you’re delivering that matters to the users. The diagram below groups different technical services into specific business needs, such as collaboration, external collaboration, document management and so on. You’ll notice that some of the services appear in multiple categories, which just illustrates how central they are to many different business processes.

If you look at document management, for example, you can have different contracts, agreements, and corporate projects. Once your group roughly the services you’re providing, then you’re able to fulfil and support your users in helping to meet the various scenarios that you may have.

Updates to apps and services you get as part of Microsoft 365 can be found here: https://www.microsoft.com/en-us/microsoft-365/products-apps-services.

Microsoft 365 Setup

The Setup options within the Microsoft 365 Admin Centre provide recommendations for tasks based on the Microsoft 365 Services you are using. It gives you traffic light indicators as to what’s completed, or what needs to be completed and also provides information about what impact the changes will have on your users.

Using the Setup options

Let’s take a look at that in slightly more detail. There are many different options in Setup. Green ticks against an item mean that you have configured that element. In my example below, I’ve set passwords never to expire and also to allow users to reset their passwords. Items without green ticks mean that those areas can be configured if you want them to be.

By clicking ”View” for “Give admins only the access they need,” you will see additional information about the feature. The “At a glance” section summarises the effect of that control, and “User impact” section explains what will happen and also provides more links if available.

We’ll consider the Microsoft Secure score increase later in this book. In the example above, you can see there are six global admins, which is quite a lot. The recommendation here is to reduce the number of Global admins, to no more than four, and only give that level of access to the people who need it to do their jobs. Following this recommendation and assigning less permissive roles to two of the current Global admins will reduce their level of access and reduce the organization’s collective risk.

Click “Get started” to make changes, select the correct new admin role, identify the users who need to move to this new role, and finally click “Assign roles.”

When you go back to the original screen, you’ll notice that it has a completed status and green tick.

The Admin Centre allows you to amend many other configurations from this central point and is really helpful in managing and controlling your entire environment.

Microsoft 365 Deployment Advisors.

This area of the admin center helps you to configure and roll out additional services within Microsoft 365 admin.

From the main admin center, go to the “Training & guides” section and select “Customized setup guidance.”

Once your users have been informed what updates are going to be rolled out, you can begin those activities from this area.

The Self-guided wizards are like a shortcut to the Microsoft fast track program, and allow you to configure rollouts in house, using a set of guided steps.

The suggested action below will help secure the Microsoft 365 environment, in light of the COVID-19 situation, by making remote working environments more secure.

There are several different sections grouping setups for various reasons, including Initial Setup, Security, and Collaboration.

On the right-hand side of the Collaboration section, you can see that there are two actions in progress.

By clicking on the Microsoft Teams setup guide, on the next screen, you can find out how much progress has been made and the remaining steps that need completing before reaching the finishing point. At each stage, additional information is provided on the right-hand side of the page to explain specific configurations.

In the example above, the checkbox is asking whether I want to configure a Cloud voice in Microsoft Teams. As it may require additional subscriptions, I’m going to skip that stage for now and click next to move on to the next step which is Prepare for Microsoft Teams.

At this stage, there are two outstanding actions, around network planner (to assess the network performance of the organization) and also to look at the Team’s advisor (which carries out the assessment of the Microsoft 365). These two actions are also available within Microsoft Teams and can be actioned from the Microsoft Teams admin center, but from this Admin Centre, we have a quicker way to roll out Microsoft Teams.

The next stage provides options around external access, guest access, tagging, notifications, and email integration.

These options can be set in the Microsoft Teams admin center.

Clicking “Next” takes us to the Installation screen where you have options to install into the desktop client, web client, etc.

The Next page tells me that once I finish this wizard, it’s going to go and create the Microsoft Teams chat workspace using the settings specified earlier in this Setup.

The setup guide has, therefore, helped you create the plan to configure your instance of Teams.

Click next to arrive at the final screen, which includes additional documents to review for other configuration details.

Click done to roll out the service as per your settings and configuration choices.

A similar process can be followed for other rollouts and updates.

Managing Microsoft 365 Groups

The next step is around understanding Microsoft 365 groups. They were formally called Office 365 groups and were recently renamed, but they mean the same thing. Essentially with every Office 365 group, you get a SharePoint Team site, Exchange Inbox, Shared Calendar, OneNote, as well as being able to use Planner, create Microsoft Teams, or Yammer.

A lot of the services in Microsoft 365, as well as some of the online third party connectors, make use of Microsoft 365 groups.

Users may ask, “Why would I use SharePoint when I can use Teams to access files and OneDrive.” There may be instances within your environment where you want to create a SharePoint team site, but not associate Microsoft Teams with it. An example is document management, where you want to deploy SharePoint sites purely from a document management perspective and leave the collaboration aspect of chat and communication separately, or maybe in another chat workspace altogether.

The platform components of Microsoft 365, that Microsoft Teams depends on are shown in the diagram below.

  • Files and chat files reside in a user’s (the person who shared their files) OneDrive. OneDrive should be used for private or personal purposes when you want to collaborate with just a few specific people.
  • Files from a Team chat workspace reside within SharePoint Online. A SharePoint, based, Microsoft teams chat space is a better place to keep the workload of a larger team in SharePoint.
  • Meeting recordings reside in Microsoft Stream.
  • Group-wide conversations can only currently be held within a specific channel inside Microsoft Teams. You can use the General channel as well as an outlook group to allow your emails to go to the entire group without having to use the channels inside Microsoft Teams.

Channels in Microsoft Teams are separate and different to the channels inside Microsoft Stream. Channels in Microsoft Stream allow you to group videos around a particular topic for that specific team.

Teams created in Microsoft teams will also appear in Microsoft Stream.

Tools to manage Microsoft 365 Groups

The first step is to create a dedicated group of security members who can actually create Microsoft 365 Groups.

The next decision is to consider creating a naming convention, to set rules on display names or aliases depending on what team chat workspaces you create. You may also want to extend this to include names for documents, contracts, as well as projects, so you have a consistent approach across the whole group configuration.

If you go into Azure AD, you can manage group settings as well as being able to set expiry dates. Without expiry dates, your Microsoft 365 groups will exist indefinitely, and the list will keep on growing. When users search for specific groups, they’ll just be overwhelmed by the sheer number of groups that you have. Groups can be restored if they get deleted by accident.

A big part of Microsoft 365 groups is to be able to manage and understand the dependencies between various online services that you have and be able to report the total number of groups you have.

External Sharing and Guest Access

The next step is effectively managing your external sharing and guest access.

Microsoft Teams also has an area to control the guest access, which, by default, is disabled.

SharePoint has an external sharing model where you can control SharePoint all the way down to individual SharePoint sites, as well as OneDrive. So let’s take a look at that in slightly more detail.

In the SharePoint admin center, from the left-hand options, go to policies and then sharing. The default position is to allow anyone to access your environment.

The sliders for both OneDrive and SharePoint can be moved up or down the scales to decide whether content can be shared with:

  • Anyone,
  • New & Existing Guests,
  • Existing Guests or
  • Only people within your organization

Move the slider button to select the required level. You will notice that changes made to the sharing configuration for SharePoint are also reflected in OneDrive. You can make further restrictions in OneDrive, and make OneDrive only available for existing guests, but you can’t set OneDrive to be more permissive than SharePoint.

More external sharing settings are available to further down the screen. It’s possible to limit sharing by domain and also for specific security groups, so not everybody has got that right to share.

A handy option is the requirement to get users to reauthenticate after a set number of days. So if they haven’t used the system or accessed the tenant at all, then it will require them to reauthenticate to access information.

Remember to save your chosen settings before moving on.

Microsoft 365 Security & Compliance

The sixth step you have is managing the security and compliance position of your Microsoft 365 environment. This covers all of your workloads in there, not just Microsoft Teams. When you look at the Secure score, essentially you are assessed based on what configurations you’ve enabled, to meet those particular set of requirements, as well the security and compliance elements that are incorporated from Microsoft.

The idea here is not to get the maximum score, but to get a high enough score to make sure that your information and devices are well protected. So let’s take a look at that.

Security centre admin

You can see that in this example, there is a 9% secure score, which is very low. Only 12 out of 128 points have been achieved. You can click to reveal more detail.

Improvement actions are suggested and also provide a scoring impact, so you can know how much your secure score will improve by following the recommendations.

Clicking on each improvement action will drill down into further detail.

In the Action Plan section, you can set the radio button to accept the risk, leave it to address in the future, plan to take the recommended action or resolve through either a third party or alternative mitigation, leaving a note to explain your decision.

The “At a glance” section explains what kind of impact it has, and the Implementation section explains the next steps and provides detailed guidance around how to proceed.

Further down the screen, you can see the history of changes made to this setting and their impact on the overall score.

Also, comparisons to other organizations are provided, so you can review how your security settings compare to similar organizations.

Compliance Admin

So the next aspect we want to look at is the compliance admin, which has a similar layout and provides an overall compliance score.

This provides the same sort of information around what actions can be taken to improve and increase the compliance score.

The section in the middle, “Solution catalog”, provides various sections to help with Information protection and guidance, Insider risk management, and Discovery and response.

Selecting “View” for the Information protection section takes you to more information as below.

This provides additional detail about what’s in this particular release, additional steps you can take, and constantly gets updated as, and when new configuration elements get rolled out in Microsoft 365. This particular area of information protection could have an impact of 127 points, clicking “Open Solution” takes you straight into the information protection area (so saves you from trying to locate it from the menu structure.)

This shows that I currently have four labels, which can be used to classify messages, documents, sites, etc. Each one can be edited.

You can amend the display name and descriptions.

You can also set encryption options.

Content marking items can also be added.

Auto labelling options are also available.

Then review all of the settings before finally submitting them.

The changes will then be reflected wherever that label is used.

That gives an overview of how to use the compliance center, the score, and also enables your solution catalogue to get to various configuration elements within it.

In some organizations, security and compliance are left as a separate phase of the project or program or only considered after services have been rolled out. Ideally, legal and security teams, as well as other leadership teams, need to be included from an early stage in a joint effort to implement this properly.

As a starting point, here is a starter list of policies that could be implemented to help with your overall security and compliance position:

Additionally, this link provides more information for Business Decision Makers (BDM): https://docs.microsoft.com/en-us/microsoft-365/security/microsoft-365-security-for-bdm

Microsoft Teams Policies

The seventh step is Microsoft teams, and depending on how you roll out additional services, there might be some specific policy configurations that you want to enable or disable.

For example, the Teams policy allows you to control whether users can discover private teams and create private channels.

In the Microsoft Teams admin centre, you can set other policy settings as well as meeting policies. The Outlook add-in will allow your users to forward any emails they receive into Microsoft teams channels – if you don’t want that to happen, then you can simply just switch that off. You can also allow transcription for audios and videos that take place in your team’s environment.

These are some of the ways you can govern Microsoft teams, remember you also need to have policies in place and be able to support your users effectively.

Teams Apps

Microsoft Teams is a large platform that allows many third-party apps to integrate with it. You may not want to allow all the apps to be available to your users who could then connect and bring them into their teams.

You can initially set your global policy, and then create additional policies for specific departments or business units that may need to use some additional apps. You can, therefore, ensure that everyone has access to the tools they need.

You can pre-determine which apps are pinned to the left rail menu for your Teams, so it’s easy for users to access key apps. You can also control what other apps can be pinned as well.

There are many other settings in the Microsoft Teams admin center for you to discover.

Microsoft Graph Explorer

Microsoft graph is the tool that allows you to access all parts of Microsoft 365 through the graph API interface. It provides a single endpoint whether you’re developing applications, or simply trying to look after your environment.

Microsoft Graph Explorer is a web-based tool that you can use to build and test requests using Microsoft Graph API. Sample queries are provided in Graph Explorer to enable you to run common requests quickly.

In the screenshots below I’m signed into Graph as a global admin for this particular tenant. On the left-hand side, I have a set of sample queries that look at all workloads for Microsoft 365 services.

By expanding the team’s option and running the query to get a list of the teams that I am a member of, I get the following response:

The information is presented in a code format, but can then be used in other applications or by developers for inclusion as they build applications.

The Modify permissions option tells me what permissions you need in order to run this query, otherwise, it’s going to be access denied.

To find the members of a team, you need to know the Team ID (shown in the code sample above) and paste it into the query address, then run the query.

The response is again in code, but you can scroll down to find the names of the people in the team.

Using Microsoft Graph is a very quick way to explore the Microsoft 365 environment without having to go into any of the actual programs themselves.

Training and Adoption

Last but not least is always about the users in terms of how do you train them. If you don’t have a training department or not enough training resources to keep up with new features getting rolled out you can use the Microsoft 365 Learning Pathways.

Microsoft 365 Learning Pathways

The SharePoint team have provided a dedicated site, called Microsoft 365 learning pathways. This is essentially a site that looks just like a SharePoint site but has been preloaded with training material (the link is shown below) for each of the Microsoft 365 services. It’s a kind of on-demand, learning solution which can be customized further by adding other third-party systems that you may already have.


This is a very quick way to help support your users and manage help content that Microsoft has already produced for us.

Office What’s New Management

This allows you to control the “What’s new” notifications that are sent to your users. From the Microsoft 365 admin center, settings option, choose “Org settings” and then scroll down the screen to find the “Office What’s New management.”

This is the May 2020 release, and shows the set of features that it contained and which services they apply to. Earlier releases are shown further down the page.

You can click on each feature and decide whether you want to hide the notifications about the feature to users.

Microsoft 365 Enterprise Administrator certification

From the IT team perspective, the platform is constantly changing and developing and to prove you understand the full capability of Microsoft 365 you can gain an MS-100 or MS-101 certification.

0000-00-00 00:00:00

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}