Microsoft Teams Governance
1. Microsoft Teams Governance
By NarasimaPerumal Chandramohan
Co-Founder, JiJi Technologies Private Limited
Microsoft Office365 MVP
@narasimapermal
MS Teams webinar learning series from the Office 365 and Power Platform User Group – India
2. Common concerns
• People will create too many teams and sites and there will be duplications, confusion and total DOOM
• Intellectual property will be lost
• Guests will have access to things they shouldn't
• People won't be able to access things they need
• Performance will suffer due to too many teams and sites
3. Office 365 Groups is a membership service
• One Identity: Azure Active Directory (AAD) is the master for group identity and membership across Office 365 (Exchange, SharePoint, etc.)
• Federated Resources: O365 services extend with their data (e.g. Group messaging, SharePoint Team Site, OneNote, Planner)
• Loose coupling: Services notify each other of changes to a group (e.g., creation, deletion, updates).
Diagram:
1. User creates new group for collaboration (Office 365 Application)
2. Group identity created in Azure Active Directory (Azure Active Directory: Identity, Resource URLs, Owners, Members)
3. Group experience populated in app of choice (Office 365 Application)
To govern Microsoft Teams you must govern Microsoft 365 Groups
Note: Office 365 Groups is renamed as Microsoft 365 Groups
8. Governance Quick Start
• Who can create Groups?
• Naming Conventions?
• Guest Access?
• Approved Apps?
• Meeting Capabilities?
• Data Security?
https://aka.ms/Teams/GovernanceQuickStart
9. Control governance before day one
Who can create:
• Create site (SharePoint)
• Create team (Teams)
• Create shared library (OneDrive)
• Create group (Outlook)
Naming conventions:
• Prefix-suffix naming policies, fixed strings or user attributes
• Custom blocked words
Configure guest access:
• Manage who can add guest users
• Turn sharing option on or off
• Turn on or off guest access to group files and OneNote
• Configure external sharing for SharePoint
Configure expiry:
• Set expiration duration
• Choose which Groups policy will apply to
Set policies:
• Retention
• eDiscovery
• Data Loss Prevention
Use of templates:
• Teams templates
• SharePoint site designs
• Themes
Monitoring:
• Teams Admin Center
• SharePoint Admin Center
• Office 365 admin center
• Office 365 adoption content pack
• Groups report
10. Enable self-service
• Restrict Office 365 Group creation to a set of users, e.g. managers, IT admins, full-time employees
• Employees use the in-product UI for container creation
11. How?
• Create a Dynamic Office Group for managers, FTE etc.
• Restrict Group creation permission to the group created above
13. Script to restrict group creation
# Requires the AzureADPreview module; if it is not available on your machine,
# you can install it with "Install-Module AzureADPreview"
Function GroupCreators
{
    param(
        [Parameter(Mandatory=$True)]
        [string]$securityGroup
    )
    # Get the security group; -SearchString can match several groups, so require exactly one
    $group = @(Get-AzureADGroup -SearchString $securityGroup)
    if ($group.Count -ne 1)
    {
        throw "Expected exactly one group matching '$securityGroup', found $($group.Count)."
    }
    # Look for an existing Group.Unified directory setting
    $settingsId = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).Id
    if (-not $settingsId)
    {
        # None exists yet: create one from the Group.Unified settings template
        $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
        $SettingsCopy = $Template.CreateDirectorySetting()
        New-AzureADDirectorySetting -DirectorySetting $SettingsCopy | Out-Null
        $settingsId = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).Id
    }
    $SettingsCopy = Get-AzureADDirectorySetting -Id $settingsId
    # Group creation is allowed for all members by default; set it to false
    $SettingsCopy["EnableGroupCreation"] = $False
    # Allow only members of the security group to create groups
    $SettingsCopy["GroupCreationAllowedGroupId"] = $group[0].ObjectId
    # Apply the setting to the Azure AD directory settings
    Set-AzureADDirectorySetting -Id $settingsId -DirectorySetting $SettingsCopy
    # Show the resulting values
    (Get-AzureADDirectorySetting -Id $settingsId).Values
}
Connect-AzureAD
GroupCreators -securityGroup "SecurityGroupName"
14. Group Naming Policy
Using Office365 Group Naming Policy, you can
• Set format for group prefix and suffix
• Create a list of blocked words which are not allowed in group names
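Added example (not part of the original deck): both naming-policy options are values of the same Group.Unified directory setting that the group-creation script edits. The naming format and blocked words below are hypothetical; the script assumes the AzureADPreview module and an existing Group.Unified setting.

```powershell
# Added example. Assumes the AzureADPreview module and that a Group.Unified
# directory setting already exists in the tenant.
Connect-AzureAD

# Hypothetical convention: fixed prefix, the group name, then a user attribute.
$namingFormat = 'GRP_[GroupName]_[Department]'
# Hypothetical blocked words, comma separated.
$blockedWords = 'CEO,Payroll,HR'

# The format has to contain the [GroupName] placeholder.
if (-not $namingFormat.Contains('[GroupName]')) {
    throw 'Naming format must contain the [GroupName] placeholder.'
}

$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    throw 'No Group.Unified directory setting found; create it from the template first.'
}

# Keep the previous values so the change can be reviewed or rolled back.
$previous = [pscustomobject]@{
    PrefixSuffixNamingRequirement = $setting['PrefixSuffixNamingRequirement']
    CustomBlockedWordsList        = $setting['CustomBlockedWordsList']
}
Write-Output 'Previous naming policy:' $previous

$setting['PrefixSuffixNamingRequirement'] = $namingFormat
$setting['CustomBlockedWordsList']        = $blockedWords
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Read the setting back to confirm what the tenant now enforces.
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object { $_.Name -in 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList' }
```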
15. Enable in-product Lifecycle management
Microsoft enforces 180 days Lifecycle
What you can define when setting Expiration Policies
• Set expiration timeline
• Notification intervals are set automatically
• Set fallback email address for ownerless groups
• Apply policy to selected groups
• Soon groups will be auto-renewed based on membership activity (in Private Preview).
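Added example (not part of the original deck): the expiration options listed above map onto the group lifecycle policy cmdlets in the AzureADPreview module. The fallback mailbox and group names are hypothetical placeholders.

```powershell
# Added example. Assumes the AzureADPreview module.
Connect-AzureAD

$lifetimeDays  = 180                                        # expiration timeline
$fallbackEmail = 'groups-admin@contoso.example'             # hypothetical fallback for ownerless groups
$groupNames    = @('Project Falcon', 'Vendor Onboarding')   # hypothetical selected groups

# Reuse the existing lifecycle policy if there is one, otherwise create it.
$policy = Get-AzureADMSGroupLifecyclePolicy | Select-Object -First 1
if ($policy) {
    Set-AzureADMSGroupLifecyclePolicy -Id $policy.Id `
        -GroupLifetimeInDays $lifetimeDays `
        -ManagedGroupTypes Selected `
        -AlternateNotificationEmails $fallbackEmail | Out-Null
} else {
    $policy = New-AzureADMSGroupLifecyclePolicy `
        -GroupLifetimeInDays $lifetimeDays `
        -ManagedGroupTypes Selected `
        -AlternateNotificationEmails $fallbackEmail
}

# "Apply policy to selected groups": attach each named Microsoft 365 group.
foreach ($name in $groupNames) {
    # -SearchString can match several groups, so insist on one exact match.
    $found = @(Get-AzureADMSGroup -SearchString $name |
        Where-Object { $_.DisplayName -eq $name -and $_.GroupTypes -contains 'Unified' })
    if ($found.Count -ne 1) {
        Write-Warning "Skipping '$name': expected one Microsoft 365 group, found $($found.Count)."
        continue
    }
    Add-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $found[0].Id | Out-Null
}

# Show the policy as the tenant now holds it.
Get-AzureADMSGroupLifecyclePolicy -Id $policy.Id
```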
22. External Collaboration
To enable guest access in Teams you need to
- First enable guest access in Azure AD,
- Second on Office 365 Groups settings and
- Finally on individual Teams.
From the Teams admin center, you can check the number of guests on each team.
Checklist on how to enable guest access in Teams.
https://docs.microsoft.com/en-us/microsoftteams/guest-access-checklist
Control the guest permissions on Teams meeting and messaging from the Teams Admin centre.
https://admin.teams.microsoft.com/company-wide-settings/guest-configuration
23. Groups guest access
Benefits
Guidance
Documentation
• Guest access in Office 365 groups
• Guest access in Office 365 groups – Admin Help
• Azure AD access reviews
• Azure Active Directory Terms of Use feature
• Google Federation
Guest inviter role
Assign Guest inviter role to a user
Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress <RoleMemberEmailAddress>
24. Best practices for Guest Access
• Admins can create a policy where only users with the “Guest Inviter” role can invite guests. This can be configured using Active Directory properties on the user object such as Title, Job Description, etc.
• Admins can create an allow/deny list of external partner domains from which guests can be added.
• Guest Access can be enabled or disabled at the group level.
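Added example (not part of the original deck): disabling guest access at the group level is done with a Group.Unified.Guest object setting attached to one group. The group name is a hypothetical placeholder and the AzureADPreview module is assumed.

```powershell
# Added example. Assumes the AzureADPreview module.
Connect-AzureAD

$groupName = 'Finance Confidential'   # hypothetical group that must stay internal

# -SearchString can match several groups, so insist on one exact match.
$found = @(Get-AzureADGroup -SearchString $groupName |
    Where-Object { $_.DisplayName -eq $groupName })
if ($found.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($found.Count)."
}
$groupId = $found[0].ObjectId

# Update the group's existing guest setting if it has one, otherwise create it.
$existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
    Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
if ($existing) {
    $existing['AllowToAddGuests'] = $false
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
        -Id $existing.Id -DirectorySetting $existing
} else {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    $newSetting = $template.CreateDirectorySetting()
    $newSetting['AllowToAddGuests'] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
        -DirectorySetting $newSetting | Out-Null
}

# Read back the per-group setting; guests already in the group need a separate review.
Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
    ForEach-Object { $_.Values }
```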
25. Get guest users in Teams
#Get guest users in a team
Function Teams-GuestUser
{
    param(
        [Parameter(Mandatory=$True)]
        [string]$Path
    )
    # Column names used in the CSV export
    $teamname = "Team Name"
    $guestUPN = "Guest MailId"
    #Install-Module MicrosoftTeams
    Connect-MicrosoftTeams
    #Get all the teams
    $teams = Get-Team
    $teams | ForEach-Object {
        $team = $_
        #Get guests from each team by giving role as guest
        $guestTeam = Get-TeamUser -GroupId $team.GroupId -Role Guest
        #If the team has guests then export the team name with the guest mail IDs
        if ($null -ne $guestTeam)
        {
            New-Object -TypeName PSObject -Property @{
                $teamname = $team.DisplayName
                # Turn guest UPNs (user_domain.com#EXT#@tenant...com) back into mail addresses;
                # note that every underscore becomes "@"
                $guestUPN = $guestTeam.User -replace '#[^#]+\.com','' -replace '#[^#]+T','' -replace '_','@' -join ", "
            }
        }
    } | select $teamname,$guestUPN | Export-Csv $Path -NoTypeInformation
}
Teams-GuestUser -Path C:teamsguestuser.csv
26. New sensitivity labels
• Unified labels across Microsoft 365
• Consistent and simple experience for users across Files, Sites, Groups, Teams
• Associate richer policies with labels
27. Content classification
• Enable AIP in the file level
• Scan file with data loss prevention (DLP)
• Warn employees when classification should be different
• Employees can overwrite DLP suggestion with proper justification
• General is the default classification in the file level
28. Container classification
• AAD Classification scheme
• Consistent across all workloads
is the default classification in the container level
• Custom policies are enforced based on classification