We have discussed the importance of defining a governance strategy for a successful roll-out and long-term usage of your Microsoft Teams implementation. One part of this strategy is defining your employment process. The process is divided into three subprocesses:
- New employees
- Employee transfers (switching between roles or departments)
- Leaving the company
For each of these subprocesses, we need to define the following topics:
You can define and manage these by yourself or opt for third-party tools to do the job. Let’s start by taking a closer look at the topics.
Your new employees, or transferred employees, need to have access to Microsoft Teams and the teams they are going to participate in. Employees leaving need to have their access revoked. There are two options available to execute this process:
The manual option is done by the owners of a team (private teams) or by the employees themselves (public teams). This is doable for smaller teams with a low turnover of employees.
For larger teams, or teams with a high turnover rate, the manual option isn’t manageable. The process becomes too cumbersome for owners to maintain by hand. This is where you can use the dynamic group feature. You can automatically assign employees access to certain teams by using properties of their Azure Active Directory (AAD) profile. The most common one is department. For example: an employee with the value “corporate sales” in their AAD department property is added to the Corporate Sales team in Microsoft Teams.
This option is accessible through Azure Active Directory in the Azure Portal. Each Microsoft 365 Group contains a set of properties:
To enable dynamic membership, we click on Membership type, select Dynamic User and click on Add dynamic query:
We are now able to define our rule. In our example, we want to add all corporate sales employees to the Corporate Sales team in Microsoft Teams:
Before we save our rule and hope it works, we can validate the rules with a preview feature by selecting an employee who works for Corporate Sales. We also select an employee from a different department. By doing so, we are sure the rule works!
The rule works like a charm! Before you start enabling dynamic membership for certain teams, there are a couple of facts to be aware of. When using teams with dynamic groups:
- Rules can define who is a team member, but not who is a team owner.
- Owners will not be able to add or remove users as members of the team, since members are defined by dynamic group rules.
- Teams clients don’t allow member management for the team. Options to add members, edit member roles, send and approve join requests, and leave the team are all hidden.
The following resources contain additional information:
- Create or update a dynamic group in Azure Active Directory
- Overview of dynamic membership for teams – Microsoft Teams | Microsoft Docs
An employee needs a license to work with Microsoft Teams. The type of license differs per organization and industry. Comparable to the access subprocess, you can assign a license manually or automatically.
The responsible employee, often someone from IT, assigns a license within the Microsoft 365 Administration Center or in the Azure Portal. This option is doable for smaller organizations.
The preferred method would be automatically assigning, and revoking, licenses. This option is enabled within the Azure Portal. In AAD there is a licenses section:
Imagine we want to assign an Office 365 E5 license automatically to our Corporate Sales employees. We select the license and assign it to the Microsoft 365 Group of Corporate Sales.
Each time an employee leaves the Corporate Sales department, or company, the license is automatically revoked. The following resource contains additional information:
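The two portal procedures above (switching the Corporate Sales group to dynamic membership, and attaching the E5 license to that group), as an added Microsoft Graph PowerShell example that is not code from the original post. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules are installed, that the signed-in account can consent to Group.ReadWrite.All and Organization.Read.All, and that a Microsoft 365 group named “Corporate Sales” already backs the team; the rule text follows the documented dynamic membership rule syntax.

```powershell
# Added example, not part of the original post. Group name, department value
# and scopes are assumptions for this walkthrough.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All'

# Locate the Microsoft 365 group that backs the existing Corporate Sales team.
$group = Get-MgGroup -Filter "displayName eq 'Corporate Sales'"
if (-not $group) { throw 'Corporate Sales group not found' }

# 1. Dynamic membership: same rule as in the portal, department equals
#    "Corporate Sales". Adding "DynamicMembership" to GroupTypes is the
#    equivalent of changing Membership type to Dynamic User; processing
#    state "On" makes AAD evaluate the rule for every user.
$rule = '(user.department -eq "Corporate Sales")'
Update-MgGroup -GroupId $group.Id `
    -GroupTypes @('Unified', 'DynamicMembership') `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# 2. Group-based licensing: look up the Office 365 E5 SKU (part number
#    ENTERPRISEPREMIUM) and assign it to the group. Members inherit the
#    license; users who drop out of the rule lose it automatically.
$e5 = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'ENTERPRISEPREMIUM'
if (-not $e5) { throw 'Office 365 E5 SKU not found in this tenant' }
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $e5.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# 3. Check: rule evaluation is asynchronous, so first confirm the rule and
#    its state, then (once processed) list the resulting members. Compare the
#    list against a known Corporate Sales user and a user from another
#    department, as in the portal's validation preview.
Get-MgGroup -GroupId $group.Id -Property 'MembershipRule', 'MembershipRuleProcessingState' |
    Select-Object MembershipRule, MembershipRuleProcessingState
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```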
You probably wonder why OneDrive is mentioned. That’s because OneDrive plays a crucial part in the Microsoft Teams ecosystem! Each time an employee shares a file with a colleague or external person, the file is stored in OneDrive in a folder called Microsoft Teams Chat Files:
When an employee leaves the company, and the account is deleted, all the content is deleted within 30 days. This could result in the unwanted loss of information. For your governance strategy you must pick a retention period (the default is 30 days) and think about (automatic) access delegation. The delegation process allows a manager, or a different user, to move the important content before it’s permanently deleted. The following resource contains additional information:
When your Microsoft 365 tenant becomes overwhelming to manage, you should consider what other solutions complement the out-of-the-box options to scale your cloud-first governance approach. Rencore Governance is a robust third-party solution that centralizes all data for most Microsoft 365 services including Teams and OneDrive, enforces your defined governance policies for a breadth of processes and automates the resolution process.
We hope to have shown you the importance of an onboarding and offboarding strategy for your Microsoft Teams implementation. We advise automating as much as possible instead of choosing the manual approach. Don’t forget, with the manual approach there is a higher risk of mistakes. That’s something you want to prevent. Before we close off, one last tip: make sure your teams have at least two owners! In case an owner moves to a different role or department, or leaves the company, there is still one owner to safeguard and manage the team.
If you are also interested in whether a self-built or third-party automation approach will further meet your governance needs, I recommend reading the following free governance strategy whitepaper: Build vs. Buy – what’s the right path for you? It guides readers in their journey towards a mature Microsoft 365 governance approach, allowing them to conclude whether building or buying a solution makes sense.