Microsoft Teams Policies Best Practices: How to Manage Guest Access and Team Owners

Written by: Natalie Stottler

In the wake of COVID-19, many organizations are now fully invested in Microsoft Teams. The workstream collaboration platform has seen rapid growth since the pandemic began. In fact, Microsoft Teams now boasts 115 million daily active users, up from 44 million in March. While this type of rollout sometimes takes years, organizations rushed to enable their users for remote work. 

With more limited planning, collaboration security and governance took a backseat. However, now many IT teams are struggling to determine Microsoft Teams policies best practices. 

As the specter of a major Microsoft Teams security breach looms, IT organizations are reevaluating their collaboration security and governance needs. Data from analyst firm Nemertes shows that only a third of organizations have a proactive collaboration security strategy, while another third are evaluating one.  

Determining Microsoft Teams policies best practices for your organization can be challenging. Teams introduces new complexity compared to legacy unified communications (UC) solutions, and navigating the Microsoft Teams admin center is no walk in the park. Getting started is difficult. From guest access to naming conventions, there are many types of important policies to consider. 

Microsoft Teams monitoring

Microsoft Teams Policies Best Practices with PowerSuite 

Because of the acute need for Microsoft Teams collaboration security, the complexity of advanced governance, and the limitations of the native Office 365 admin capabilities, Unify Square has added policy management functionality to our PowerSuite software. 

PowerSuite’s policy management helps you discover issues with your environment through security analytics. With this information in hand, it’s easy to create policies to manage your Microsoft Teams environment. While the initial release includes basic functionality with key policies, updates will allow you to secure Microsoft Teams with automatic enforcement for even more IT time savings. 

To ensure you’re taking full advantage of PowerSuite’s new policy management, we’ve created this Microsoft Teams Policies Best Practices series of blog posts. The Policies Best Practices series is aimed at introducing you to recently released policies and how to use them for advanced governance of Microsoft Teams. We’ll cover common use cases and Microsoft Teams policies best practices. 

For our first installment in the Policy Series, we’re going to dive into a couple different types of policies. First, we’ll talk through how to create tenant wide and teams channels guest access policies. Then, we’ll discuss policies targeted at ensuring a minimum number of team owners. 

These policies are a good starting place for securing your Microsoft Teams environment, and the advanced governance capabilities of PowerSuite in these areas offer added value and functionality versus what’s available out of the box in the Microsoft Teams admin center. 

implementing security policies in Microsoft Teams

Managing Guest Access for a More Secure Microsoft Teams Environment 

Allowing guests in Microsoft Teams presents security risk, yet these guests are often necessary for business purposes. Contractors, clients, and suppliers are all valuable members of teams. 

However, it’s important to set policies to ensure only the right guests have access to the right teams for the right period of time. Microsoft Teams represents a new surface area of risk, so properly securing guest access is one of many Microsoft Teams policies best practices. 

PowerSuite provides a variety of guest access policies. From basic restrictions to more nuanced guest interaction limitations, PowerSuite’s guest access policies give you granular control that balances security with end-user productivity. Let’s take a closer look at the guest access options. 

Microsoft Teams policies best practices guest access in PowerSuite
Guest access policies templates in PowerSuite

Control Guest Access 

The most basic policy for guest access allows you to restrict guests at the team or tenant level. This policy gives you “Denylist” and “Allowlist” options. 

A “Denylist” allows you to specify which guest domains should not be given access, including the ability to deny all access. Correspondingly, an “Allowlist” lets you specify guest domains that should be allowed access.  

This policy gives IT teams the ultimate flexibility around how they want to restrict guest access. As an example use case, across the tenant, Contoso’s IT team knows that they want to restrict any guests from their competitor, Badtoso. A quick policy configuration allows them to deny access across their tenant from all guests with the domain “Badtoso.” 

Restricting Guests from Public Domains 

Another commonly used PowerSuite policy is restricting public domains. Guests from public domains present more risk than guests associated with an organization. 

For instance, our previous policy allowed us to deny access to guests with the “Badtoso” domain. However, someone at Badtoso could choose to try to access our Microsoft Teams environment with their Gmail account. 

One of PowerSuite’s guest access templates allows you to quickly restrict all guests from public domains. PowerSuite prepopulates a list of public domains so IT can easily disallow all of these users. Although there are options to do this at either the team or tenant level, this is one policy we recommend applying across your tenant. 

Free Ebook

The Ultimate Guide to Collaboration Security.

Download our IT and Information Security Teams’ Guide to Collaboration Security in the Enterprise. Download Now.

Adding Guest Access Exceptions 

With any policy, realistically there will be particular exceptions. For instance, after choosing to restrict guests from public domains, the head of the marketing department reached out because one of his freelance designers uses Gmail. 

With PowerSuite, we can quickly mark this guest as an exception to the rule and add an expiration date for easy auditing. PowerSuite’s list of violations also allows for bulk actions, so multiple violations can be marked as exceptions simultaneously. This functionality is available across all available policies. 

Limiting Interactions Between Guests from Different Companies 

Now, let’s look at some more advanced guest access functionality. Rather than limit guest access to your Microsoft Teams environment, you may want to limit the ability for guests within your environment to interact with each other. This may be the case because they are competitors or because of a more general policy on Microsoft Teams guest access limitations. 

As an example, competitor companies Finance Frenzy and Finance for You provide different consulting services to an organization. It’s important to the organization to ensure guests from these companies never end up on the same team. PowerSuite lets you specify that you don’t want particular guest domains present on the same team, and this policy can be applied across the entire tenant. 

Some organizations want to go even further and limit all interactions between guests from different companies. For even more flexibility, PowerSuite can limit the number of companies present within a single team. Again, like all PowerSuite policies, you can set this policy for individual teams or for your entire tenant. 

Microsoft Teams policies best practices

Ensuring Teams Have the Right Number of Owners in Microsoft Teams 

Switching gears, let’s talk about a different type of policy: minimum number of owners. Many organizations want to ensure that every team has an owner, so there are no orphaned teams. 

This is important, as owners control Microsoft Teams member permissions for their teams. Without an owner, no one takes the proper management steps, allowing new members, moderating the discussion, and managing content. 

PowerSuite allows you to set a minimum acceptable number of owners. This allows more flexibility than reports covering only ownerless teams. Many organizations prefer two owners for each team, in case one leaves the company. 

Microsoft Teams policies best practices team owners in PowerSuite
Team owners policies reporting in PowerSuite

Additionally, service accounts may be automatically set as team owners, upping the owners visible through reporting. For instance, Contoso decides that they want to create a policy for a minimum of three owners because of a content backup service account automatically designated as an owner. They also decide to set an additional policy for a minimum of two owners, as teams that are in violation of this policy are a higher priority for their IT team to remediate. 

Gain a simultaneous, panoramic view of all collaboration and communications platforms, expediting responses to service interruptions and threats.

Take Control of Collaboration Security and Governance 

PowerSuite’s Policy Management solution set provides advanced governance capabilities for Microsoft Teams. Take control of collaboration security and governance, with granular policies that allow you to balance security with end user productivity. Our industry-leading software does it all, with insight-driven security analytics for issue discovery. Take the next step to ensuring collaboration security. 

We hope that this first installment of the Microsoft Teams Policies Best Practices series has helped you reevaluate Microsoft Teams policies best practices for your organization. Stay tuned for the next installment where we’ll drill into the details of naming convention policies! 

Read Our Other Latest Blogs

Shopping Basket