Last month many of you joined our Ask The Experts (ATE) sessions at Microsoft Ignite, specifically ATE-FS191 – Ask the Expert: Microsoft Teams Manageability and ATE-FS191-R1 – Ask the Expert: Microsoft Teams Security and Compliance. We promised that we would pull together the questions and answers and post them in a blog post, so here we are making good on that promise.
1. How easy is it to retrospectively apply data sensitivity labels at the Teams or channel level?
a. Once you get sensitivity labels enabled and set up to apply to Microsoft 365 groups/sites/teams, you’ll be able to edit a team to apply a published label. See: https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-…
2. Are shared private channels available to all tenants now?
a. Private channels have been around for a while, but shared channels are not yet available.
3. Are there any plans to allow real-time reporting out of the management solution? Right now, reports are delayed until, at the very least, the meeting or call is over.
a. We will introduce this capability to Private Preview in April 2021.
4. How can an admin retrieve Teams chats if a user leaves the company and/or a forensic audit must be done?
a. You will need to use content search and eDiscovery investigation. Note that with an E5 compliance license, you can put conversations together; with basic eDiscovery, you will get the single chat messages. See: https://docs.microsoft.com/microsoftteams/ediscovery-investigation
5. Will there be a way to find which apps are being used by a team?
a. Yes, use the app usage reports by using a Graph call to enumerate apps installed per team. See: https://docs.microsoft.com/graph/api/team-list-installedapps?view=graph-rest-1.0&tabs=http
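The Graph call above, run across every team to build an app inventory. This is an added example, not code from the session; it assumes the Microsoft.Graph PowerShell SDK is installed, and the output file name is a placeholder.

```powershell
# Added example, not from the session. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Group.Read.All' | Out-Null

# Microsoft 365 groups that back a team carry 'Team' in resourceProvisioningOptions.
$teams = Get-MgGroup -Filter "resourceProvisioningOptions/Any(x:x eq 'Team')" -All

$inventory = foreach ($team in $teams) {
    try {
        # Same request as GET /teams/{id}/installedApps with teamsAppDefinition expanded.
        $apps = Get-MgTeamInstalledApp -TeamId $team.Id -ExpandProperty teamsAppDefinition `
            -All -ErrorAction Stop
    } catch {
        # Keep going if one team cannot be read; report it instead of aborting the run.
        Write-Warning "Could not read apps for '$($team.DisplayName)': $($_.Exception.Message)"
        continue
    }
    foreach ($app in $apps) {
        [pscustomobject]@{
            Team    = $team.DisplayName
            TeamId  = $team.Id
            App     = $app.TeamsAppDefinition.DisplayName
            AppId   = $app.TeamsAppDefinition.TeamsAppId
            Version = $app.TeamsAppDefinition.Version
        }
    }
}

# Per-team detail for review (placeholder file name).
$inventory | Export-Csv -Path .\teams-installed-apps.csv -NoTypeInformation

# Summary: how many teams each app is installed in, rarest first.
$inventory | Group-Object App | Sort-Object Count | Select-Object Count, Name
```

Apps that appear in only one or two teams are the ones worth checking first against your app permission policies.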
6. Will the Teams client installer change from being profile-based to computer-based? Customers mentioned that they had shared devices in learning spaces that they want to update, so users don’t have to wait or, in some cases, quit Teams and re-launch before class.
a. Yes, you can install per machine. See: https://docs.microsoft.com/microsoftteams/teams-for-vdi
7. Will we ever get the ability to delete Teams chats? Customers have mentioned that chats are really cluttered right now without this function.
a. Yes, you can do this with Retention Policies at compliance.microsoft.com. You can age conversations that are greater than a specific number of days.
8. Does Microsoft have a recommended Teams naming taxonomy/naming convention?
a. No, best practice is to follow your organization’s guidelines/requirements and take advantage of custom dictionary/taxonomy controls like preventing names. My personal recommendation is to always leave room for organizational growth/expansion when creating your taxonomy.
9. Is there a way to report on activity outside the 90 days? Customers have mentioned that they have extended unused Teams that need to be cleaned, but identifying them might be problematic.
a. You can use the Graph API for that purpose. It can access historical data up to a year.
10. Are there any good resources for managing Teams sprawl, guest users, and general Teams hygiene?
a. You can restrict the creation of Teams and put a gating process in front of it. You can get creative with Forms and Flows via Power Automate to have users submit requests and then the helpdesk can create the team.
11. Can you manage Teams membership via a domain security group?
a. Currently, you cannot manage Teams membership using an AD security group. The Office 365 Group membership drives Teams membership, and as of right now, you cannot add nested groups to an Office 365 Group.
12. When will real-time/live analytics be available for Teams Live Events and traditional Teams meetings? It is challenging right now as an admin to troubleshoot exec calls for townhall-type sessions.
a. This feature is coming in April 2021.
13. Could someone give a basic overview of the purpose of the Network Planner in the Teams Admin Center?
a. The Network Planner is meant to give you an idea of what the impact of Teams will be on your network. It allows you to define all your network subnets and user personas so that you can pre-determine the network impact of Teams.
14. Can you talk about the controls or policies for Teams Connect regarding adding external people to channels? How are the permissions different than that for external guests today?
a. Guest access uses guest accounts that are created in the source Azure AD hosting the guest access. Teams Connect, or shared channels, does not use this method; it works by allowing federated Teams users to have access to the shared channel. Expect to have more published on this in the coming weeks.
15. Is there a Microsoft recommended solution or app to install in Teams to manage user requests for creating new Teams?
a. There is no Microsoft recommended solution I’m aware of for this. However, approaches I have seen work well involve using PowerApps that have users submit their Team request and then have the back-end helpdesk review the request and approve/reject the request. You can create some pre-checks in the flow to see if the team already exists, for example.
16. With the coming enhancements to Teams meetings recordings around captioning/speech to text, will this be discoverable with core and/or advanced eDiscovery?
a. Yes, the plan is that, after the Stream migration of the recordings to OneDrive and SharePoint, this functionality will be available to retain and search with eDiscovery.
17. I have not seen where in the Teams policy in Admin Centre this changed to OneDrive from Stream; is it global or group-based?
a. It has been rolled out globally to most tenants, and you can delay it through PowerShell. The change is done via PowerShell today and can be set at the meeting policy level. If it is not available yet in your tenant, you can follow this guide: https://docs.microsoft.com/microsoftteams/tmr-meeting-recording-change. It should, however, be the default for all tenants.
18. We have a ton of distribution groups created on-prem and maintained with scripts. How can we use these existing groups to create and maintain Teams?
a. There are a few steps you may need to consider for this: (1) clean up the distribution groups; (2) sync your on-prem AD with Azure AD; (3) convert your distribution group to a Microsoft 365 group; (4) create a team from the Microsoft 365 group. Keep in mind that when you do so, membership management will be within the converted Microsoft 365 Group after you upgrade the distribution list.
19. Will it be possible at some point to specify policies for a user group to block them completely from all external communication?
a. You can create an ExternalAccessPolicy and use New-CsBatchPolicyAssignmentOperation to assign it to multiple users at a time, based on a group in AAD, on a regular basis. It will not, though, automatically add it to new users in the group.
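One way to script the assignment described in this answer, as an added example that is not code from the session. The policy name and group object ID are placeholders, and the MicrosoftTeams and AzureAD modules are assumed to be installed.

```powershell
# Added example, not from the session. Placeholders: policy name and group object ID.
Connect-MicrosoftTeams | Out-Null
Connect-AzureAD | Out-Null

$policyName = 'NoExternalAccess'                        # hypothetical policy name
$groupId    = '00000000-0000-0000-0000-000000000000'    # placeholder AAD group object ID

# Create the policy once, with federation and public cloud access switched off.
$existing = Get-CsExternalAccessPolicy | Where-Object { $_.Identity -eq "Tag:$policyName" }
if (-not $existing) {
    New-CsExternalAccessPolicy -Identity $policyName `
        -EnableFederationAccess $false `
        -EnablePublicCloudAccess $false | Out-Null
}

# Current direct members of the group; keep user objects only (nested groups are skipped).
$userIds = @(Get-AzureADGroupMember -ObjectId $groupId -All $true |
    Where-Object { $_.ObjectType -eq 'User' } |
    Select-Object -ExpandProperty ObjectId)

# A batch accepts at most 5,000 users, so submit the membership in chunks.
$batchSize    = 5000
$operationIds = @()
for ($i = 0; $i -lt $userIds.Count; $i += $batchSize) {
    $last  = [Math]::Min($i + $batchSize, $userIds.Count) - 1
    $chunk = $userIds[$i..$last]
    $operationIds += New-CsBatchPolicyAssignmentOperation `
        -PolicyType ExternalAccessPolicy `
        -PolicyName $policyName `
        -Identity $chunk `
        -OperationName "$policyName $(Get-Date -Format 'yyyy-MM-dd HH:mm') offset $i"
}

# Batches run asynchronously; show the status of the ones submitted here.
Get-CsBatchPolicyAssignmentOperation |
    Where-Object { $operationIds -contains $_.OperationId } |
    Select-Object OperationId, OperationName, OverallStatus
```

Because the assignment is a snapshot of the membership at run time, users added to the group later stay on their previous policy until the script runs again, so schedule it.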
20. We need to record all calls for our call center associates. Is there a way to make this based on group membership?
a. Compliant call recording is possible through third parties such as Verint and Numonix. I would reach out to them to check for this functionality. It should be possible in a direct routing configuration.
21. Is it possible to enable guest access per Team like you can in SharePoint, or is it all or nothing?
a. Yes, you can restrict guest access for certain Teams (Office 365 groups). The configuration is only performed via PowerShell. See: https://docs.microsoft.com/microsoft-365/solutions/per-group-guest-access?view=o365-worldwide
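The PowerShell configuration this answer refers to, written so it can be re-run safely. This is an added example, not code from the session; it assumes the AzureADPreview module, and the group name is a placeholder.

```powershell
# Added example, not from the session. Requires the AzureADPreview module.
# The group name is a placeholder and must match exactly one group.
Connect-AzureAD | Out-Null

$groupName = 'Finance - Internal Only'     # hypothetical team / Microsoft 365 group
$group = Get-AzureADGroup -SearchString $groupName |
    Where-Object { $_.DisplayName -eq $groupName }
if (@($group).Count -ne 1) { throw "Expected exactly one group named '$groupName'." }

# Directory template that defines the per-group guest setting.
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

# Update the group's existing settings object if there is one,
# otherwise create it from the template.
$setting = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId |
    Where-Object { $_.TemplateId -eq $template.Id }

if ($setting) {
    $setting['AllowToAddGuests'] = $false
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId `
        -Id $setting.Id -DirectorySetting $setting
} else {
    $setting = $template.CreateDirectorySetting()
    $setting['AllowToAddGuests'] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId `
        -DirectorySetting $setting | Out-Null
}

# Read the value back to confirm what is now enforced on the group.
(Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId).Values
```

The setting stops new guests from being added to the group; guests who are already members are not removed by it.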
22. Any plans to consolidate Guest and External entities for 1:1 chat (not switching organization and minimizing end-user confusion)? Also, group chat with External entities without having to switch organizations.
a. Guest access and External access will continue to function as they are, as they each have their own use cases. However, with the new Teams Connect, you will have channels shared outside of your tenant into an external user tenant.
23. How come policies take forever to roll out – up to days??
a. It can take time, usually 2 – 4 hours. I would recommend periodically logging out and clearing cache, and logging back in. If it persists for more than a day, I recommend raising a ticket to Microsoft support. That seems like a very long time.
24. Is it possible for end-users to create a team in a different domain than the default? We would want them to be able to pick the domain; for example, teams.company.com.
25. Are there any licensing requirements to be able to add members of a group to a private team?
a. There are no specific license requirements.
26. Is there a way to list all applications in Teams and which are enabled or disabled?
a. Yes, in admin.teams.microsoft.com you can see all apps and enable/disable them.
27. Hello, I work at a school with children from 4 till 18 years old. In the last couple of weeks, we have some students who like to start big group chats and add a lot of (younger) students. In these chats, there is a lot of swearing and cursing. We want to protect our younger students from this, and I am wondering if there is an option that can block being added to a group chat or at least give them a choice of being added. I know it is possible to disable the chat for these users, but that has a lot of impact on their schoolwork. I know it is not a specific security question, but it is a safety question to protect our (younger) students, but this can be a security question too if there is a breached account.
a. Have a look at Communication Compliance: https://docs.microsoft.com/microsoft-365/compliance/communication-compliance?view=o365-worldwide
28. I want to enforce MFA for all guest accounts to create secure Teams channels. Should the guest accounts have any Microsoft licenses to use MFA with their respective domain accounts?
a. You can use Conditional Access for this. The license model here is based on the licenses you have in your tenant.
29. SafeLinks are coming to Teams (which is good). Will the SafeLinks wrapper be visible to Teams participants? If so, some may read “protection.outlook.com” and assume the link is to Microsoft.
a. SafeLinks act the same as they do in Outlook.
30. How can we ensure the coherence/governance of all the controls/labels we put in place? Any tool/method to use before diving into Teams configuration?
a. This is all controlled from the Compliance Center under Information Protection, where you can implement your labels and label policies.
31. Can we use the OCR example to check that sent pictures in Teams don’t contain privileged info?
a. You can use Advanced eDiscovery to check this.
32. Is it possible to prevent your users from joining Teams meetings hosted by external orgs? Currently, everyone can click on a Teams meeting link someone sent to them, and that will either load their Teams client, and they will join as authenticated or via browser as anonymous?
a. No, if the meeting or Live Event is available to “everyone”.
33. How is end-to-end encryption 1:1 different compared to an average Teams meeting?
a. E2EE is encrypted with the same “key” from start to endpoint, with no interception. Teams standard is encryption in transit and at rest, so customers can access content as needed.
34. Is there a possibility to invite external users within channels and manage permissions on a per folder basis within the channel so that R/RW is possible within a channel and subfolders?
a. You can use granular SharePoint permissions for this.
35. Who can follow up on GDPR requests from attendees of a meeting held a while ago and provide them information on what data has been collected from them?
a. The compliance administrator can use the Data Subject Request (DSR) case tool. See: https://docs.microsoft.com/compliance/regulatory/gdpr-manage-gdpr-data-subject-requests-with-the-dsr…
36. What levels of staff will be able to turn on E2E encryption? IT staff generally do not lose passwords.
a. IT will have full control over what users/user groups can opt into E2EE.
37. Can you use a retention policy to prevent team owners from deleting a team?
a. Not at this time, but a retention policy will ensure all the files are saved for compliance purposes. Be mindful that Teams retention policies must exist on their own, independent of other Teams workloads. So, you need to have an EOL policy for 1:1 chats, Microsoft 365 groups for group chat, and an SPO policy for files held in teams.
38. Is there any way to stop anyone from sharing files in Teams? We have certain locations where they don’t want to use it for file sharing.
a. Those policies are the ones set in OneDrive and SharePoint. You would need to adjust those there.
39. Is it possible to have a person outside the company, outside my network, become part of the Organizer Team in a Teams Live Event and so actively contribute?
a. Yes, that’s possible. Either as a Guest in your org, or they have an AAD account in their own org. There will also be improvements coming to this to make it easier.
Thank you again if you attended these sessions. We hope this recap helps you as you continue to support Teams for your customers and organizations.
For more information about all the exciting announcements around Microsoft Ignite, be sure to check out the recap episode on Inside Microsoft Teams. We have special guests Mary Jo Foley, Paul Thurrott, and Brad Sams in this episode that you don’t want to miss.