Plan for governance in Teams

Teams provides a rich set of tools to implement any governance capabilities your organization might require. This article guides IT pros to ask the right questions to determine their requirements for governance, and how to meet them.

Tip

Watch the following session to learn more about governance in Microsoft Teams: Governance, management and lifecycle in Microsoft Teams

Group and team creation, naming, classification, and guest access

Your organization might require that you implement strict controls on how teams are named and classified, whether guests can be added as team members, and who can create teams. You can configure these areas by using Azure Active Directory (Azure AD) and sensitivity labels.


Decision points
  • Does your organization require a specific naming convention for teams?
  • Do team creators need the ability to assign organization-specific classifications to teams?
  • Do you need to restrict the ability to add guests to teams on a per-team basis?
  • Does your organization require limiting who can create teams?
Next steps
  • Document your organization’s requirements for team creation, naming, classification, and guest access.
  • Plan to implement these requirements as a part of your Teams rollout.
  • Communicate and publish your policies to inform Teams users of the behavior they can expect.

Note

Limiting group and team creation can slow your users’ productivity, because many Microsoft 365 and Office 365 services require that groups be created for the service to function. For additional information, navigate to and expand Why control who creates Microsoft 365 Groups.

Additional information

After you’ve determined your requirements, you can implement them by using Azure AD controls. For technical guidance on how to implement these settings, see:

Group and team expiration, retention, and archiving

Your organization might have additional requirements for setting policies for expiration, retention, and archiving teams and teams data (channel messages and channel files). You can configure group expiration policies to automatically manage the lifecycle of the group and retention policies to preserve or delete information as needed, and you can archive teams (set them to read-only mode) to preserve a point-in-time view of a team that’s no longer active. Note that teams that are archived continue to have the expiration policy applied and may be deleted unless excluded or renewed.

Decision points
  • Does your organization require specifying an expiration date for teams?
  • Does your organization require specific data retention policies be applied to teams?
  • Does your organization expect to require the ability to archive inactive teams to preserve the content in a read-only state?
Next steps
  • Document your organization’s requirements for team expiration, data retention, and archiving.
  • Plan to implement these requirements as part of your Teams rollout.
  • Communicate and publish your policies to inform Teams users of the behavior they can expect.

Tip

Use the following table to capture your organization’s requirements.

| Capability | Details | Azure AD Premium license required | Decision |
|---|---|---|---|
| Expiration policy | Manage the lifecycle of Microsoft 365 groups by setting an expiration policy. | P1 | TBD |
| Retention policy | Retain or delete data for a specific time period by setting retention policies for Teams in the Security & compliance center. Note: Using this feature requires licensing of Microsoft 365 or Office 365 Enterprise E3 or above. | No | TBD |
| Archive and restore | Archive a team when it’s no longer active but you want to keep it around for reference or to reactivate in the future. | No | TBD |

Note

Group expiration is an Azure AD Premium feature. For this feature to be available, your tenant must have a subscription to Azure AD Premium and licenses for the administrator who configures the settings and the members of the affected groups.

Additional information

For technical guidance on how to implement these settings, see:

Group and team membership management

Consistently managing the members of project-based or restricted groups is necessary for teams that require rapid onboarding and offboarding of users and guests. Your organization may also need to make sure all current members have a business justification to be in a team. Managing members can be hard because team owners can leave, and users don’t usually leave groups of their own accord when a project ends or when they change roles. The best way to manage group membership so that users get access when needed, while ensuring the group doesn’t carry a risk of inappropriate access, is through two distinct processes: entitlement management and access reviews.

Entitlement management allows you to delegate to someone, such as a project manager, the task of collecting all the resources that are needed, including team memberships, into a single package. They can also define who can make requests: either users in your tenant or users from other connected organizations. The project manager will receive access requests in their email and approve or deny requests in the MyAccess portal. Administrators can configure the conditions of access to include an expiry date or period by when the user or guest will be removed from the team unless access is renewed. Administrators can also set up the groups associated with teams to take part in access reviews. For access reviews, the group owners will receive regular reminders to review the members of a team. Access reviews include recommendations, which make it easier for group owners to go through their regular attestation process.

Decision points
  • Does your organization require a consistent process for managing membership of one or more teams?
  • Does your organization require owners, or the members themselves, to justify their continued membership of one or more teams on a regular basis?
  • Does your organization require approval for users and guests to request access to resources including teams, groups, SharePoint sites, and apps?
Next steps
  • Document your organization’s requirements for each team or specific teams for membership expiry.
  • Plan how your organization can bundle teams, groups, SharePoint sites, and apps together in access packages.
  • Plan which people, such as the requestor’s manager, a project manager, a sponsor for a connected organization, or a security officer in your organization, will need to approve or deny access requests.

Tip

Use the following table to capture your organization’s requirements.

| Capability | Details | Azure AD Premium license required | Decision |
|---|---|---|---|
| Access reviews | Set up access reviews to recertify the membership of specific teams at regular intervals. | P2 | TBD |
| Entitlement management | Set up access packages to allow users and guests to request access to teams. | P2 | TBD |

Note

To help you plan ahead, learn more about what licenses these features require.

Additional information

For technical guidance on how to implement these settings, see:

Teams feature management

Another important aspect of governance and lifecycle management for Teams is the ability to control what features your users will have access to. You can manage messaging, meeting, and calling features, either at the Microsoft 365 or Office 365 organization level or per-user.

Decision points
  • Does your organization require limiting Teams features for your entire tenant?
  • Does your organization require limiting Teams features for specific users?
Next steps
  • Document your organization’s requirements for limiting Teams features at the tenant and user level.
  • Plan to implement your specific requirements as part of your Teams rollout.
  • Communicate and publish your policies to inform Teams users of the behavior they can expect.

Teams feature management focus areas

Teams provides granular capabilities for controlling messaging, meeting, calling, and live event features and more, via policies. Different policies can be applied to all users by default or per user as required by your organization.

For detailed lists of all settings, including technical guidance on how to implement them for your organization, see the following articles:

Additionally, you can set up moderation for a channel and give moderator capabilities to certain users so that they can control who can create channel posts and respond to them. See Set up and manage channel moderation in Microsoft Teams for more information.

Security and compliance

Teams is built on the advanced security and compliance capabilities of Microsoft 365 and Office 365 and supports auditing and reporting, compliance content search, e-discovery, Legal Hold, and retention policies.

Important

If your organization has compliance and security requirements, review the in-depth content provided about this topic in the article Overview of security and compliance in Microsoft Teams.

Governance quick start for Teams

Microsoft 365 licensing guidance for security & compliance