As collaboration applications like Microsoft Teams and Slack grow in popularity, collaboration security and governance is increasingly becoming a primary area of focus for IT. Microsoft Teams continues to dominate the collaboration category — with a reported 115 million daily active users as of October 2020. As the platform solidifies its place as a central hub for work, understanding the native Microsoft Teams governance model is crucial to protect company information.
Teams is the most integrated collaboration platform to date — with robust tie-ins to the rest of the Microsoft 365 ecosystem and with surprising extensibility into third-party platforms. Understanding how Microsoft’s security, compliance, and governance offerings fit into the puzzle is anything but simple. It’s essential to investigate, test, and understand the capabilities of the native governance tools (as well as their limitations), how security and governance features are licensed, and the ins and outs of all the knobs and dials.
Because of this, many companies are facing a key decision: should they accept the gaps in Microsoft’s governance capabilities or leverage third-party solutions to comprehensively address their needs?
This blog will walk you through an overview of the components of the Microsoft Teams governance model, take a closer look at two of the primary governance solutions, and review key considerations when deciding if native or third-party governance tools are right for your enterprise.
An Overview of the Microsoft Teams Governance Model
If you’re an IT admin or InfoSec manager, you’re probably already familiar with the cornucopia of different Microsoft admin consoles. It will most likely be no surprise, then, that Microsoft Teams governance is built on a variety of different Microsoft solutions and their respective admin consoles. There are at least five admin consoles which have an impact on Microsoft Teams security and governance.
Azure Active Directory (AAD) Admin Console
The AAD Console is where much of the Microsoft Groups experience is controlled, including high-level identity governance and lifecycle management. Because Microsoft Groups are central to the Teams platform, changes here can have a big impact on Teams.
Teams Admin Console (TAC)
The TAC is where many of the day-to-day Microsoft Teams administrative tasks are completed. The majority of Teams feature governance happens in this console, but not all. One key governance task that is completed through this console is managing third-party app permissions.
SharePoint Admin Center
SharePoint also powers a large portion of the Teams experience — so much so that we’ve even written an entire blog about this — including the file sharing experience. If external sharing settings for sites, files, and folders that are set in the SharePoint Admin Center don’t match the settings in Teams, guests may not be able to access files or unexpected external access can occur.
Microsoft 365 Security Center
The Microsoft 365 security center brings together Microsoft Defender for Office 365, Microsoft Defender for Endpoint, and Microsoft 365 Defender into one console. Settings like Safe Attachments for Microsoft Teams can be controlled through the security center.
Microsoft 365 Compliance Center
The Microsoft 365 compliance center allows IT admins to set compliance policies, view active compliance alerts, and generate reports. Policies around data loss prevention and retention are set in this console. Admins can also search for Microsoft Teams messages that are not compliant in this center.
Additional Microsoft Teams Admin Tools
In addition to the five Microsoft admin consoles listed above, there are a couple of other tools that IT admins and InfoSec may need to use when governing Teams:
- Corresponding PowerShell Connector Modules: Each of the five Microsoft admin consoles listed above has a corresponding PowerShell module. These PowerShell modules allow admins to execute tasks and commands that often aren’t available through the GUI of the consoles. But keep in mind that this goes both ways — some tasks can be completed through the consoles more easily than the corresponding PowerShell module.
- Call Quality Dashboard (CQD): Although not really related to security and governance, this dashboard allows admins to analyze organization-wide issues with calls made through Microsoft Teams and determine areas for performance improvements. As the name implies, CQD allows IT to deep dive to troubleshoot signal quality issues and can be used to identify and remediate network or firewall issues. We’re including CQD in the list here to further underscore that a day in the life of an IT or InfoSec professional managing Teams is a never-ending flip-flop through many different admin consoles.
We’ve covered the primary native Microsoft admin consoles and tools used for collaboration security and governance for Teams, but there are still others across Microsoft 365 that can have an impact. These include integrated services like Outlook, Yammer, and Planner. For instance, many end users access Planner through the integration with Teams and may request changes to how Planner displays in the Teams interface. Although the use case is through Teams, these changes are actually made through PowerShell in the Microsoft Planner solution.
A Deep Dive into Two Key Microsoft Teams Governance Modules
Now that we’re familiar with the many consoles that can affect Teams, let’s take a closer look at two of the primary modules of the Microsoft Teams governance model: Azure Active Directory Admin Console and Teams Admin Console.
Azure Active Directory (AAD) Admin Console: Identity Governance and Lifecycle Management
As we mentioned above, a large portion of the Microsoft Teams experience is controlled through the AAD Admin Console as this is where the Microsoft Groups experience is controlled. Microsoft Groups is the structural core for Microsoft Teams — every time a new team is created, a Microsoft 365 Group is also created in the background.
Two of the primary areas of the Microsoft Teams governance model that are controlled within the AAD Admin Console are identity governance and lifecycle management. However, using this console for identity governance can be challenging due to the interconnected nature of Microsoft 365 groups. This means that identity governance policies enacted with the native Microsoft tools in AAD Admin Console don’t just affect Teams — they have an effect across the entire Microsoft 365 tenant.
For instance, if you enact a guest access policy that does not allow guests from certain domains (e.g., gmail.com or comcast.com), this won’t just block those users from joining a team in Teams. Those guests will also not be able to access other areas of Microsoft 365. This can have a net negative effect when it’s necessary to work with outside guests in some Microsoft apps but not in Teams.
The AAD Admin Console poses similar challenges when it comes to lifecycle management. Because this console controls governance at the group level, it isn’t possible to implement lifecycle management policies that only affect Teams. In addition, these policies are generally not very granular, so a policy that’s appropriate for one team may cause issues for others.
For example, you may want to enact a policy to close teams after three months of inactivity. But implementing this type of policy through the AAD Admin Console means it will affect the entire Microsoft 365 group — so the other Groups-connected collaboration services, like a team SharePoint site, Yammer community, or Power BI workspace, will be affected by the same policy. This can cause serious issues when you want to close a team but keep the related services available for future reference.
Teams Admin Console: Day-to-Day Management and Teams Feature Governance
The Teams Admin Console is where most day-to-day administrative tasks for the platform are done. IT admins can view and manage all teams for the tenant, as well as view some analytics and reports — although analytics data is only stored for a maximum of 90 days.
Additionally, the majority of Microsoft Teams feature governance takes place in this console, including all Teams meeting, messaging, and calling policies. InfoSec can also control which third-party apps can and cannot be added to Teams, as well as some organization-wide settings, from this console.
While master control for guest access for the Microsoft 365 tenant is done through the AAD Admin Console, including if guest access is allowed at all and who can invite guests, a secondary layer of guest access is controlled from the Teams Admin Console. It’s at this level that IT can determine if those guests are allowed to join Teams.
Although a majority of Microsoft Teams security and governance is controlled through either the Azure Active Directory Admin Console or the Teams Admin Console, there are still many settings that are administered through the additional consoles listed earlier in this blog.
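Because guest access is decided in several consoles at once, the settings can drift apart. As an added example (not from the original post or from Microsoft tooling), the PowerShell function below compares values taken from the AAD, Teams, and SharePoint layers and reports mismatches of the kind described above. The function name, the sample URLs, and the mapping of each input to a cmdlet are assumptions of this example.

```powershell
# Added example. Inputs below are constructed sample values so the script runs offline.
# In a live tenant they would be read with (module in parentheses):
#   AadAllowToAddGuests : 'AllowToAddGuests' in the Group.Unified directory setting (AzureADPreview)
#   TeamsAllowGuestUser : (Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser (MicrosoftTeams)
#   SpoTenantSharing    : (Get-SPOTenant).SharingCapability (SharePoint Online)
#   TeamSites           : Get-SPOSite output, using Url and SharingCapability
function Test-GuestAccessAlignment {
    param(
        [bool]     $AadAllowToAddGuests,
        [bool]     $TeamsAllowGuestUser,
        [string]   $SpoTenantSharing,
        [object[]] $TeamSites = @()
    )
    # SharingCapability values that let an invited guest open shared files
    $guestCapable = 'ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing'
    $findings = @()

    if ($TeamsAllowGuestUser -and (-not $AadAllowToAddGuests)) {
        $findings += [pscustomobject]@{ Layer = 'AAD vs Teams'; Scope = 'Tenant'
            Issue = 'Teams allows guests, but guests cannot be added to Microsoft 365 groups' }
    }
    if ($TeamsAllowGuestUser -and ($SpoTenantSharing -notin $guestCapable)) {
        $findings += [pscustomobject]@{ Layer = 'SharePoint vs Teams'; Scope = 'Tenant'
            Issue = 'Guests can join teams but cannot open files (external sharing is off)' }
    }
    if ((-not $TeamsAllowGuestUser) -and ($SpoTenantSharing -eq 'ExternalUserAndGuestSharing')) {
        $findings += [pscustomobject]@{ Layer = 'SharePoint vs Teams'; Scope = 'Tenant'
            Issue = 'Teams blocks guests, but SharePoint still permits "Anyone" sharing links' }
    }
    foreach ($site in $TeamSites) {
        # A site can be stricter than the tenant; flag team sites that lock guests out
        if ($TeamsAllowGuestUser -and ($site.SharingCapability -eq 'Disabled')) {
            $findings += [pscustomobject]@{ Layer = 'SharePoint site'; Scope = $site.Url
                Issue = 'Site sharing is disabled: guests in this team cannot open its files' }
        }
    }
    $findings
}

# Constructed sample: guests enabled everywhere except one team site
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.example/sites/finance';   SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/marketing'; SharingCapability = 'ExternalUserSharingOnly' }
)
Test-GuestAccessAlignment -AadAllowToAddGuests $true -TeamsAllowGuestUser $true `
    -SpoTenantSharing 'ExternalUserSharingOnly' -TeamSites $sites | Format-Table -AutoSize
```

An empty result means the three layers agree for the values supplied; it says nothing about per-domain allow or block lists, which are configured separately.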
Are the Native Microsoft Teams Governance Tools Right for Your Enterprise?
The native Microsoft Teams security and governance tools have many benefits, but they also have significant limitations. While these tools may cover all the bases for some companies, don’t assume that they’re right for your enterprise. When determining whether to use these native governance tools or go with a third-party vendor, it’s important to take several considerations into account.
First, consider the size and make-up of your IT team. For small to medium-sized businesses, it’s possible you may only need one well-rounded IT administrator to manage your Teams governance. But keep in mind that due to the complexity of navigating the native Teams governance model, this IT admin may only have time to focus on Teams rather than helping with other admin tasks. For larger companies, an entire coalition of IT stakeholders may be necessary to strategically design, approve, and implement security and governance across all Microsoft 365 solutions.
Whether your governance team consists of one team member or many, think through what training or other upskilling is necessary. Because governance for Microsoft Teams occurs through so many different admin consoles — all with a different user interface — responsible team members must be well versed in each console and know where to go to complete different tasks.
Secondly, determine your primary security and governance use cases when it comes to Microsoft Teams. If you simply want to implement policies on a tenant-wide level, the native governance tools may be the right fit for your company. But for enterprises that require significant governance flexibility — for different business units, geographical locations, ethical distinctions, etc. — the native tools probably won’t fit the bill. Outline your critical use cases and compare those needs to the native Microsoft capabilities as well as third-party options.
If your company has multiple collaboration platforms deployed, it’s equally important to take those into account. Ideally, you probably want to have the same or similar policies implemented across all your collaboration platforms. When using native governance solutions, this requires twice the work — or may not be possible at all. A third-party governance tool can address this issue by allowing you to seamlessly deploy the same policies across multiple platforms.
Lastly, pricing can be a determining factor. Cost is, of course, one of the main things to consider when choosing between native options and third-party tools. While many of the native governance features may be included in your existing license, some features — like access reviews — require Azure P2 licensing. This licensing can come with a price tag in the millions of dollars per year for large enterprises. So, if additional licensing is needed to get full functionality from the native tools, there’s a good chance a third-party tool may be able to fill the gap at a more reasonable cost.
The native Microsoft Teams governance model comes with some robust features that may be more than enough to give many companies peace of mind. But for large, distributed enterprises that require governance flexibility, third-party tools can bridge the divide as well as provide additional functionality.
Our PowerSuite software enables easy discovery and monitoring of security analytics, simplified and flexible policy creation, and manual or automated policy enforcement for Microsoft Teams. Not ready for a third-party security and governance tool? Our Teams Security and Governance Design consulting service may be right for you. This design workshop is a collaborative engagement where we will help you create — or modify an existing model — and architect your governance and security policies for Teams.