Microsoft Teams Cookbook

Recipes for best practices and use cases for Microsoft Teams.

Table of contents

Executive Brief

Section 1: Teams for IT

Section 2: Teams for End Users

Executive Summary

Situation

Remote work calls for leveraging your Office 365 license to utilize Teams – but IT is unsure about best practices for governance and permissions.

Without a framework or plan for governing the rollout of Teams, IT risks overlooking secure use of Teams, the phenomenon of “teams sprawl,” and not realizing how Teams integrates with Office 365 more broadly.

Complication

Teams needs to be rolled out quickly, but IT has few resources to help train end users with Teams best practices.

With teams, channels, chats, meetings, and live events to choose from, end users may get frustrated with lack of guidance on how to use Teams’ many capabilities.

Resolution

Use Info-Tech’s Microsoft Teams Cookbook to successfully implement and utilize Teams. This cookbook includes recipes for:

• IT best practices concerning governance of the creation process and Teams rollout.
• End-user best practices for Teams functionality and common use cases.

Key Insights

Teams is not a standalone app

Successful utilization of Teams occurs when conceived in the broader context of how it integrates with Office 365. Understanding how information flows between Teams, SharePoint Online, and OneDrive for Business, for instance, will aid governance with permissions, information storage, and file sharing.

IT should paint the first picture for team creation

No initial governance for team creation can lead to “teams sprawl.” While Teams was built to allow end users’ creativity to flow in creating teams and channels, this can create problems with a cluttered interface and keeping track of information. To prevent end-user dissatisfaction here, IT’s initial Teams rollout should offer a basic structure for end users to work with first, limiting early teams sprawl.

The Teams admin center can only take you so far with permissions

Knowing how Teams integrates with other Office 365 apps will help with rolling out sensitivity labels to protect important information being accidentally shared in Teams. Of course, technology only does so much – proper processes to train and hold people accountable for their actions with data sharing must be implemented, too.

Related Info-Tech Research

Establish a Communication and Collaboration System Strategy

Don’t waste your time deploying yet another collaboration tool that won’t get used.

Modernize Communication and Collaboration Infrastructure

Your legacy telephony infrastructure is dragging you down – modern communications and collaboration technology will dramatically improve productivity.

Migrate to Office 365 Now

One small step to cloud, one big leap to Office 365. The key is to look before you leap.

Section 1: Teams for IT

Governance best practices and use cases for IT

From determining prerequisites to engaging end users.

IT fundamentals

• Creation process
• Teams rollout

Use cases

• Retain and search for legal/regulatory compliance
• Add an external user to a team
• Delete/archive a team

Overview: Creation process

IT needs to be prepared to manage other dependent services when rolling out Teams. See the figure below for how Teams integrates with these other Office 365 applications.

Which Microsoft 365 license do I need to access Teams?

• Microsoft 365 Business Essentials
• Microsoft 365 Business Premium
• Office 365 Enterprise, E1, E3, or E5
• Office 365 Enterprise E4 (if purchased prior to its retirement)

Please note: To appeal to the majority of Info-Tech’s members, this blueprint refers to Teams in the context of Office 365 Enterprise licenses.

Assign admin roles

You will already have at least one global administrator from setting up Office 365.

Global administrators have almost unlimited access to settings and most of the data within the software, so Microsoft recommends having only two to four IT and business owners responsible for data and security.

Info-Tech Best Practice

Configure multifactor authentication for your dedicated Office 365 global administrator accounts and set up two-step verification.

Once you have organized your global administrators, you can designate your other administrators with “just-enough” access for managing Teams. There are four administrator roles:

Prepare the network

There are three prerequisites before Teams can be rolled out:

• UDP ports 3478 through 3481 are opened.
• You have a verified domain for Office 365.
• Office 365 has been rolled out, including Exchange Online and SharePoint Online.

Microsoft then recommends the following checklist to optimize your Teams utilization:

• Optimize calls and performance using the Call Quality Dashboard.
• Assess network requirements in the Network Planner in the Teams admin center.
• Ensure all computers running Teams client can resolve external DNS queries.
• Check adequate public IP addresses are assigned to the NAT pools to prevent port exhaustion.
• Route to local or regional Microsoft data centers.
• Whitelist all Office 365 URLs to move through security layers, especially IDS/IPS.
• Split tunnel Teams traffic so it bypasses your organization’s VPN.

Info-Tech Best Practice

For online support and walkthroughs, utilize Advisor for Teams. This assistant can be found in the Teams admin center.

Team Creation

You can create and manage Teams through the Teams PowerShell module and the Teams admin center. Only the global administrator and Teams service administrator have full administrative capabilities in this center.

Governance over team creation intends to prevent “teams sprawl” – the phenomenon whereby end users create team upon team without guidance. This creates a disorganized interface, with issues over finding the correct team and sharing the right information.

Prevent teams sprawl by painting the first picture for end users:

1. Decide what kind of team grouping would best fit your organization: by department or by project.
2. Start with a small number of teams before letting end users’ creativity take over. This will prevent initial death by notifications and support adoption.
3. Add people or groups to these teams. Assign multiple owners for each team in case people move around at the start of rollout or someone leaves the organization.
4. Each team has a general channel that cannot be removed. Use it for sharing an overview of the team’s goals, onboarding, and announcements.

Info-Tech Best Practice

For smaller organizations that are project-driven, organize teams by projects. For larger organizations with established, siloed departments, organize by department; projects within departments can become channels.

Integrations with SharePoint Online

Teams does not integrate with SharePoint Server.

Governance of Teams is important because of how tightly it integrates with other Office 365 apps, including SharePoint Online.

A poor rollout of Teams will have ramifications in SharePoint. A good rollout will optimize these apps for the organization.

Teams and SharePoint integrate in the following ways:

• Each team created in Teams automatically generates a SharePoint team site behind it. All documents and chat shared through a team are stored in that team’s SharePoint document library.
• As such, all files shared through Teams are subject to SharePoint permissions.
• Existing SharePoint folders can be tied to a team without needing to create a new one.
• If governance over resource sharing in Teams is poor, information can get lost, duplicated, or cluttered throughout both Teams and SharePoint.

Info-Tech Best Practice

End users should be encouraged to integrate their teams and channels with existing SharePoint folders and, where no folder exists, to create one in SharePoint first before then attaching a team to it.

Permissions

Within the Teams admin center, the global or Teams service administrator can manage Teams policies.

Typical Teams policies requiring governance include:

• The extent end users can discover or create private teams or channels
• Messaging policies
• Third-party app use

Chosen policies can be either applied globally or assigned to specific users.

Info-Tech Best Practice

If organizations need to share sensitive information within the bounds of a certain group, private channels help protect this data. However, inviting users into that channel will enable them to see all shared history.

External and guest access

Within the security and compliance center, the global or Teams service administrator can set external and guest access.

External access (federation) – turned on by default.

• Lets you find, call, and chat with users in other domains. External users will have no access to the organization’s teams or team resources.

Guest access – turned off by default.

• Lets you add individual users with their own email address. You do this when you want external users to access teams and team resources. Approved guests will be added to the organization’s active directory.

If guest access is enabled, it is subject to Azure AD and Office 365 licensing and service limits. Guests will have no access to the following, which cannot be changed:

• OneDrive for Business
• An organization’s calendar/meetings
• PSTN
• Organization’s hierarchical chart
• The ability to create, revise, or browse a team
• Upload files to one-on-one chat

Info-Tech Best Practice

Within the security and compliance center, you can allow users to add sensitivity labels to their teams that can prevent external and guest access.

Expiration and archiving

To reduce the number of unused teams and channels, or delete information permanently, the global or Teams service administrator can implement an Office 365 group expiration and archiving policy through the Teams admin center.

If a team has an expiration policy applied to it, the team owner will receive a notification for team renewal 30 days, 15 days, and 1 day before the expiry date. They can renew their team at any point within this time.

• To prevent accidental deletion, auto-renewal is enabled for a team. If the team owner is unable to manually respond, any team that has one channel visit from a team member before expiry is automatically renewed.
• A deleted Office 365 group is retained for 30 days and can be restored at any point within this time.

Alternatively, teams and their channels (including private) can be archived. This will mean that all activity for the team ceases. However, you can still add, remove, and update roles of the members.

Retention and data loss prevention

Retention policies can be created and managed in the Microsoft 365 Compliance Center or the security and compliance center PowerShell cmdlets. This can be applied globally or to specific users.

By default, information shared through Teams is retained forever.

However, setting up retention policies ensures data is retained for a specified time regardless of what happens to that data within Teams (e.g. user deletes).

Info-Tech Best Practice

To prevent external or guest users accessing and deleting sensitive data, Teams is able to block this content when shared by internal users. Ensure this is configured appropriately in your organization:

• For guest access in teams and channels
• For external access in meetings and chat

Please note the following limitations of Teams’ retention and data loss prevention:

• Organization-wide retention policies will need to be manually inputted into Teams. This is because Teams requires a retention policy that is independent of other workloads.
• As of May 2020, retention policies apply to all information in Teams except private channel messages. Files shared in private channels, though, are subject to retention policies.
• Teams does not support advanced retention settings, such as a policy that pertains to specific keywords or sensitive information.
• It will take three to seven days to permanently delete expired messages.

Teams telephony

Teams has built-in functionality to call any team member within the organization through VoIP.

However, Teams does not automatically connect to the PSTN, meaning that calling or receiving calls from external users is not immediately possible.

Bridging VoIP calls with the PSTN through Teams is available as an add-on that can be attached to an E3 license or as part of an E5 license.

There are two options to enable this capability:

• Enable Phone System. This allows for call control and PBX capabilities in Office 365.
• Use direct routing. You can use an existing PSTN connection via a Session Border Controller that links with Teams (Amaxra).

Steps to implement Teams telephony:

1. Ensure Phone System and required (non-Microsoft-related) services are available in your country or region.
2. Purchase and assign Phone System and Calling Plan licenses. If Calling Plans are not available in your country or region, Microsoft recommends using Direct Routing.
3. Get phone numbers and/or service numbers. There are three ways to do this:
   • Get new numbers through the Teams admin center.
   • If you cannot get new numbers through the Teams admin center, you can request new numbers from Microsoft directly.
   • Port or transfer existing numbers. To do this, you need to send Microsoft a letter of authorization, giving them permission to request and transfer existing numbers on your behalf.
4. To enable service numbers, including toll-free numbers, Microsoft recommends setting up Communications Credits for your Calling Plans and Audio Conferencing.

Overview: Teams rollout

1. From Skype (and Slack) to Teams
2. Gain stakeholder purchase
3. Employ a phased deployment
4. Engage end users

Skype for Business is being retired; Microsoft offers a range of transitions to Teams.

Combine the best transition mode with Info-Tech’s adoption best practices to successfully onboard and socialize Teams.

From Skype to Teams

Skype for Business Online will be retired on July 31, 2021. Choose from the options below to see which transition mode is right for your organization.

Skype for Business On-Premises will be retired in 2024. To upgrade to Teams, first configure hybrid connectivity to Skype for Business Online.

Islands mode (default)

• Skype for Business and Teams coexist while Teams is rolled out.
• Recommended for phased rollouts or when Teams is ready to use for chat, calling, and meetings.
• Interoperability is limited. Teams and Skype for Business only transfer information if an internal Teams user sends communications to an external Skype for Business user.

Teams only mode (final)

• All capabilities are enabled in Teams and Skype for Business is disabled.
• Recommended when end users are ready to switch fully to Teams.
• End users may retain Skype for Business to join meetings with non-upgraded or external parties. However, this communication is only initiated from the Skype for Business external user.

Collaboration first mode

• Skype for Business and Teams coexist, but only Teams’ collaboration capabilities are enabled. Teams communications capabilities are turned off.
• Recommended to leverage Skype for Business communications yet utilize Teams for collaboration.

Meetings first mode

• Skype for Business and Teams coexist, but only Teams’ meetings capabilities are enabled.
• Recommended for organizations that want to leverage their Skype for Business On-Premises’ Enterprise Voice capability but want to benefit from Teams’ meetings through VoIP.

From Slack to Teams

The more that’s left behind in Slack, the easier the transition. As a prerequisite, pull together the following information:

• Usage statistics of Slack workspaces and channels
• What apps end users utilize in Slack
• What message history you want to export
• A list of users whose Slack accounts can map on to required Microsoft accounts

Test content migration

Your Slack service plan will determine what you can and can’t migrate. By default, public channels content can be exported. However, private channels may not be exportable, and a third-party app is needed to migrate Direct Messages.

Files migration

Once you have set up your teams and channels in Teams, you can programmatically copy files from Slack into the target Teams channel.

Apps migration

Once you have a list of apps and their configurations used in Slack’s workspaces, you can search in Teams’ app store to see if they’re available for Teams.

User identity migration

Slack user identities may not map onto a Microsoft account. This will cause migration issues, such as problems with exporting text content posted by that user.

Info-Tech Best Practice

Avoid data-handling violations. Determine what privacy and compliance regulations (if any) apply to the handling, storage, and processing of data during this migration.

Gain stakeholder purchase

Change management is a challenging aspect of implementing a new collaboration tool. Creating a communication and adoption plan is crucial to achieving universal buy-in for Teams.

To start, define SMART objectives and create a goals cascade.

Sample list of stakeholder-specific benefits from improving collaboration

Use these activities to define what pain points stakeholders face and how Teams can directly mitigate those pain points.