Over the past few years as Teams has become the fastest growing product in Microsoft’s history, there have been many changes to administration capabilities and product features so this is an ever evolving list, but as of today, here are the primary questions you should ask yourself as you are considering enabling your enterprise for Teams. If you have already enabled your users don’t worry, you can still go back and add these settings where applicable.


Microsoft’s goal is to make Teams a completely self-service solution, meaning IT sets it up and then gets out of the way. This allows end users to do what they need to get their work done. You can use these 10 questions to help evaluate what settings you need to enable to get Teams set up, which empowers your users to creatively solve their business challenges and get their job done!

1) Who in your organization should be able to create Teams?


Some Teams users embrace the “Self-Service” capabilities for Teams, allowing all their users to create teams at will. Others though are fearful that users might create unnecessary, duplicate or inappropriate teams. Therefore, we would recommend to these companies to look at the Creation permissions for O365 Groups.


By enabling this setting, only authorized users will see the “Create new team” button.


Image 2.png


This setting will allow you to select a set of users who are authorized to create teams. In some orgs they keep this to IT only. This can create a bottle neck for users. We recommend finding a happy medium between no one and everyone.

One example would be allowing only managers to have the ability to create teams.


2) Do you want your teams to have a similar naming convention?


The Naming policy for O365 Groups will allow you to do just that, you can select a prefix, suffix and create a band word list. Microsoft has already created a profanity list so you don’t have to worry about adding any of those words in your banned list. However, maybe there are other words you want to ban.


As another example, some organizations will add a prefix like “GRP-“or “Team-“ or even a 3-4 digit code based on an AD attribute for department or location. This would result in a Team name that looks like:


For an “All IT” Team

  • GRP – IT – All IT (Prefix – Dept – Name)
  • Team – All IT – Corp (Prefix – Name – location)
  • All It – Corp (Name – location)

For an “Onboarding” Team in HR

  • GRP – HR – Onboarding (Prefix – Dept – Name)
  • Team – Onboarding – West (Prefix – Name – Location)
  • Onboarding – West (Name – Location)

These settings are very simple and can be configured in Azure Active Directory (AAD) under groups.


Image 3.png


3) How long do you want your Teams to exist?


Some companies are worried about “teams sprawl” or duplicate Teams. But by setting an Expiration policy you can avoid this unwanted sprawl. An expiration policy will send an email to the owner(s) of the Team 30 days prior to expiration asking them if they would like to renew their Group. If they are still using the team, they simply hit the button to renew! If they do not press the button, they will get another notification 3 days prior and 1 day prior to the expiration.


If they don’t renew, the Group will go into a Soft delete for 30 days. If for some reason after the 3 reminders a user lets their team expire and they need it back, don’t worry we have the ability for an admin to use the Soft delete and restore feature. However, after 30 days even an admin can’t restore the team.


Here is an example of what the end user email will look like.


Image 4.png


4) How long do you want to retain the data stored in a team?

For legal and compliance reasons, most large organizations also need to look at setting Retention policies for Teams. You can look at Retention in two ways, how long do I want to keep the data or how soon do you want to delete the data.


To accomplish this there are 3 Retention policies you need to set:

  • Teams Chat – this setting applies to how long you want chat history to be stored
  • Teams Conversation – this setting applies to how long you want the channel conversations to be kept and stored
  • O365 Group content – this setting applies to all the content in the team, the group mailbox, the SharePoint site and the document library

Each retention policy can be the same or different, they have no dependencies on each other. A standard recommendation  to IT Admins is to check with your legal or compliance office to determine any regulations your organization is to adhere to and allow them to guide you on how long you want to retain this information. Usually we find that Teams Chat retention is closely mimicked to email retention.


Retention is not the same as expiration though. Just because a team is expired does not mean the content is deleted. For ex: if your expiration is 6 months and retention is 2 years, the team will be deleted after 6 months (if not renewed) but the content will be retained for 2 years.


Because you can set multiple policies that might overlap it is a good rule of thumb to keep in mind the principles of retention:

Image 5.png


5) How do you want to protect confidential or sensitive data in your Teams?


Another setting that is usually set based on guidance from legal and compliance is Data Loss Prevention. DLP is very important to Healthcare organizations as they deal with Personal Health Information or PHI on a regular bases. However, there are many sensitive and confidential data types that you don’t want to get in the wrong hands.


If your organization has pre-existing DLP policies or you need to start from scratch, you can now define policies that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session.



6) Do you want to allow Guests (non-employees) to be members of your teams?

Collaborating with people at other companies is a huge part of work today.  Sometimes companies will allow workers, doctors, contractors or even vendors who are not technically employees, to have an O365 license which means they are not considered a guest. Someone who does not have a license in your O365 tenant though would be considered a Guest.


Guest access in the day-to-day can be very helpful. You can host teams with customers, and customers have can invite you and other vendors into their Teams environment. What is great about Guest access is that IT Admins don’t have to worry about managing their identity. It is a BYOI, Bring Your Own Identify solution.


As an IT admin if you are not fully comfortable with allowing your users to invite anyone to a team you can whitelist or blacklist specific domains (shown below). Or if you want to get more granular, you can set up a Guest Inviter role, which limits who can invite guests to your team. Image 6.png


One of our most recent features is Guest Access review which is an advanced feature and requires AAD Premium Plan 2. It provides an additional way for an IT Admin to put the team owners in control of managing their own guests.



7) Do you have the need for your users to chat with people outside your company?


Most of our customers are coming from some sort of chat or instant messaging platform. If that is Skype for Business Online or Server you are in luck! Any Federations you have set up in Skype will be carried over to Teams when you migrate your users. Their contact list too. However, if you are not currently using Skype Federation you can take advantage of Teams Federation/External Access, also known as External Access.


This feature allows you to select domains that you work with regularly to enable chat for your users and users of an external organization.


Without this turned on, users will only be able to chat with other users in your organization and Guests (if you have that turned on).



8) Do you have the need to keep Skype in your environment as you are rolling out Teams?

Again, many of my customers are coming from a Skype environment. If you are not then you can skip this section as it will not apply to you. However if you are, we need to talk about setting your Coexistence/Upgrade Mode. In the SfB and Teams Admin center there is a “Coexistence Mode” and this is defaulted to Islands Mode. Islands Mode means there is no coexistence or interop between SfB and Teams. Users will have to manage both clients, which can be confusing.


There are a few different modes you can select from though:

  • Island Modes – no interop, users will need to manage both clients

Any mode other than Islands creates interop. You will need to select one of them as your default policy and then can move users to other policies as needed.

  • Skype Only Mode – All messages & calls are routed to the Skype Client, cannot log into Teams but can join Teams meetings
  • Teams Only Mode – All messages & calls are routed to the Teams Client, can still access Skype to join Skype meetings
  • Skype with Teams Collaboration – All messages & calls are routed to Skype and can access the Teams client for collaboration only (chat, meetings & calls are not enabled)
  • Skype with Teams Collaboration & Meetings – All messages & calls are routed to Skype and can access the Teams client for collaboration and meetings (chat and calling is not enabled)

Usually we see the default mode set to SfB with Teams Collab, and then as the org is “migrated” to Teams, they are simultaneously moved to Teams Only Mode. That way all users can keep chatting regardless of their primary client.



9) Do you have current Distribution Lists that could benefit from the features of MS Teams?

Some customers have existing on-premise Distribution Lists that could really benefit from the collaboration capabilities of Teams. Maybe not all of them, and probably not your All Company DL’s but some of the smaller ones at a team level or department level. If this is the case, instead of managing groups of users you can Migrate your existing DL’s to O365 Groups.

Image 7.png



10) Do you have existing O365 Groups that want Teams functionality?


Finally I want to provide one more recommendation. We have some customers who started taking advantage of O365 Groups before Teams was even around, so they created SP Sites with documents and Group Mailboxes. There is no need to create a new group just to have the features of Teams added for these users. You can simply Enhance an existing O365 Group with Teams.




I hope this helps you understand the capabilities Teams has that enable you to balance IT administration and security with empowering your users to create innovative solutions to operational challenges in Teams. If you have any questions or want to talk about this more OnPar Technologies will be happy to help. You can reach us at 919-926-9619 or [email protected]