Microsoft Teams: don’t forget to manage the information!

by Florian Delabie - Information Security Consultant
| minute read

Although undoubtedly a great tool for collaboration and operational team management, Microsoft Teams poses many questions in terms of information management and preservation. It is therefore important to provide your users and, more specifically, your Team owners with clear guidelines and effective procedures for recordkeeping and information governance.

In these days of enforced confinement due to the ongoing coronavirus pandemic, most businesses find themselves resorting to online work tools. They are doing so out of sheer necessity: to ensure the continuity of their operations on the one hand and to keep in touch with colleagues, customers and partners on the other. Of these collaboration tools, Microsoft Teams could very well be the most popular at the moment. If only because, as a hub for teamwork in Microsoft Office 365, it is already seamlessly integrated with and included in that flagship cloud productivity suite. As a result, enterprises can immediately get started with it.

Information governance

There’s no arguing that Microsoft Teams is indeed a very interesting tool for team and/or project management, since it brings together a large number of applications that are useful for operational management, such as chat, video chat, a shared calendar and document sharing. But while collaborative work is clearly supported and encouraged by this tool, which allows productivity to remain high even when working remotely, it is nevertheless necessary to raise the issue of information governance here.

For the fact is that many organisations let their users create the different Teams themselves, without providing guidelines or recommendations in terms of information management and preservation. To provide these, it is first necessary to understand what is involved in creating a Team. To begin with, each Team implies the creation of a private Office 365 group. That is like a cross between an Active Directory (AD) security group, which controls the access to your IT resources and systems, and a simple mailing list. Each Office 365 group has an owner and a number of members. The owner is by default the person who creates the Team, if its creation is left to users (as opposed to IT staff). Each Office 365 group also has a shared mailbox, which will not always be visible or accessible to its users. The mailbox for the group appears in the Outlook of every member of the group.

SharePoint: not fully used

Each new Team also implies the creation of a dedicated SharePoint site, where all the documents shared in that Team are safely stored. By default, each Team member has the right to read and edit all of these documents. The SharePoint site is created with all the default options and the creation of folders. Consequently, you cannot fully use SharePoint with its libraries and metadata management via your Teams interface. Visitors can be added to the SharePoint site, but they will not have access to the Team nor to the Office 365 group mailbox.

Finally, with each new Team also comes a chat area. Chat is in fact the most used function in Teams, making up 70 to 95 percent of all messages. The chats from your Team are stored in a hidden folder in your Office 365 group’s mailbox. And while your personal chats are stored in a hidden folder in your own mailbox, they are not directly accessible. Should you decide to record a video chat, it will be stored in the Microsoft Stream app.

Question first, implement later

Now that you know what the creation of a Team implies, here are some important questions to ask yourself:

  • What are the needs for collaboration expressed by your team or organisation?
  • What security measures do you want to apply to these Team documents or their content?
  • Who is responsible for these documents? Who can access and/or modify them?
  • How do you facilitate access to the content of these documents (metadata, descriptions, title, etc.)?
  • What rules should be put in place for the management and preservation of these documents?
  • How do you apply the information lifecycle?

The responses to these questions will help you define where and how to manage your information and if a Team or a SharePoint site should be created for it.