Plan for governance in Teams
Teams provides a rich set of tools to implement any governance capabilities your organization might require. This article guides IT pros to ask the right questions to determine their requirements for governance, and how to meet them.
Tip
Watch the following session to learn about more about Governance in Microsoft Teams: Governance, management and lifecycle in Microsoft Teams
Group and team creation, naming, classification, and guest access
Your organization might require that you implement strict controls on how teams are named and classified, whether guests can be added as team members, and who can create teams. You can configure these areas by using Microsoft Entra ID and sensitivity labels.
- | - | - |
---|---|---|
Decision points |
|
|
Next steps |
|
Note
To help you plan ahead, learn more about setting these policies and what licenses they require.
Note
Limiting group and team creation can slow your users’ productivity, because many Microsoft 365 and Office 365 services require that groups be created for the service to function. For additional information, visit Plan for governance in Teams.
Additional information
After you’ve determined your requirements, you can implement them by using Microsoft Entra ID controls. For technical guidance on how to implement these settings, see:
Group and team expiration, retention, and archiving
Your organization might have additional requirements for setting policies for expiration, retention, and archiving teams and teams data (channel messages and channel files). You can configure group expiration policies to automatically manage the lifecycle of the group and retention policies to preserve or delete information as needed, and you can archive teams (set them to read-only mode) to preserve a point-in-time view of a team that’s no longer active. Note that teams that are archived continue to have the expiration policy applied and may be deleted unless excluded or renewed.
- | - |
---|---|
Decision points |
|
Next steps |
|
Tip
Use the following table to capture your organization’s requirements.
Capability | Details | Microsoft Entra ID P1 or P2 license required | Decision |
---|---|---|---|
Expiration policy | Manage the lifecycle of Microsoft 365 groups by setting an expiration policy. | P1 | TBD |
Retention policy | Retain or delete data for a specific time period by setting retention policies for Teams in the Security & compliance center. Note: Using this feature requires licensing of Microsoft 365 or Office 365 Enterprise E3 or above. | No | TBD |
Archive and restore | Archive a team when it’s no longer active but you want to keep it around for reference or to reactivate in the future. | No | TBD |
Note
Group expiration is a Microsoft Entra ID P1 or P2 feature. For this feature to be available, your tenant must have a subscription to Microsoft Entra ID P1 or P2 and licenses for the administrator who configures the settings and the members of the affected groups.
Additional information
For technical guidance on how to implement these settings, see:
Group and team membership management
Consistently managing members of project based, or restricted groups are necessary for teams that require rapid onboarding and offboarding or users and guests. Your organization may also need to make sure all current members have the business justification to be in a team. Managing members can be hard because team owners can leave and users don’t usually leave groups on their own accord when a project ends or when they change roles. The best way to manage group membership that allows users to get access when needed but ensure the group doesn't have a risk of inappropriate access is through two district processes: entitlement management and access reviews.
Entitlement management allows you to delegate to someone, such as a project manager, to collect all the resources that are needed, including teams memberships, into a single package. They can also define who can make requests: either users in your tenant or from other connected organizations. The project manager will receive access requests in their email and approve or deny requests in the MyAccess portal. Administrators can configure the conditions of access to include an expiry date or period by when the user or guest will be removed from the team unless access is renewed. Administrators can also set up the groups associated with teams to take part in access reviews. For access reviews, the group owners will receive regular reminders to review the members of a team. Access reviews include recommendations, which makes it easier for group owners to go through their regular attestation process.
- | - | - |
---|---|---|
Decision points | Does your organization require a consistent process for managing membership of one or more teams? Does your organization require owners, or the members themselves, to justify their continued membership of one or more teams on a regular basis? Does your organization require approval for users and guests to request access to resources including teams, groups, SharePoint sites, and apps? |
|
Next steps? | Document your organizations requirements for each team or specific teams for membership expiry. Plan how your organization can bundle teams, groups, SharePoint sites, and apps together in access packages. Plan which people, such as the requestor's manager, a project manager, a sponsor for a connected organization or a security officer in your organization will need to approve or deny access requests. |
Tip
Use the following table to capture your organization’s requirements.
Capability | Details | Microsoft Entra ID P1 or P2 license required | Decision |
---|---|---|---|
Access reviews | Setup access reviews to recertify the membership of specific teams at regular interval | P2 | TBD |
Entitlement management | Setup access package to allow users and guests to request access to teams | P2 | TBD |
Note
To help you plan ahead, learn more about what licenses they require.
Additional information
For technical guidance on how to implement these settings, see:
Teams feature management
Another important aspect of governance and lifecycle management for Teams is the ability to control what features your users will have access to. You can manage messaging, meeting, and calling features, either at the Microsoft 365 or Office 365 organization level or per-user.
- | - |
---|---|
Decision points |
|
Next steps |
|
Teams feature management focus areas
Teams provides granular capabilities for controlling messaging, meeting, calling, and live event features and more, via policies. Different policies can be applied to all users by default or per user as required by your organization.
For detailed lists of all settings, including technical guidance on how to implement them for your organization, see the following articles:
- Manage Microsoft Teams settings for your organization
- Manage Teams during the transition to the new Microsoft Teams admin center
- Private channels in Microsoft Teams
- Shared channels in Microsoft Teams
- Manage meeting policies in Teams
- Manage messaging policies in Teams
- Manage your apps in the Microsoft Teams admin center
Additionally, you can set up moderation for a channel and give moderator capabilities to certain users so that they can control who can create channel posts and respond to them. See Set up and manage channel moderation in Microsoft Teams for more information.
Security and compliance
Teams is built on the advanced security and compliance capabilities of Microsoft 365 and Office 365 and supports auditing and reporting, compliance content search, e-discovery, Legal Hold, and retention policies.
Important
If your organization has compliance and security requirements, review the in-depth content provided about this topic in the article Overview of security and compliance in Microsoft Teams.