Study Guide Series: Exam MS-700 – Plan and Implement Governance and Lifecycle Management for Microsoft Teams (Part 1)

This post is part of the overall MS-700 Exam Study Guide. Links to each topic as they are posted can be found here.

In this section I will go through the following topics relating to Governance and Lifecycle Management for Microsoft Teams.

  • Plan and manage Microsoft Teams preview features with Microsoft Teams update policies
  • Create and manage policy packages in Microsoft Teams
  • Plan policy assignment for users and groups
  • Set up policies for Microsoft 365 Groups creation

Microsoft Teams provide users with a lot of control of how they use the different tools available, that’s one of the reasons it is so popular. That being said, it is important that admins enforce governance over the Teams environment. Teams can grow exponentially and become very hard to manage without correct policies and architecture in place. The topics in this section of the exam guide detail how Teams can be governed while still allow users to have a degree of autonomy.


Plan and manage Microsoft Teams preview features with Microsoft Teams update policies

Teams update policies manage the version of Teams that users receive. Essentially if users get to use preview releases or not. They are very simple to configure and are accessed from the Teams Admin Center (TAC) under Teams -> Update Policies.

By default, there is a single Global update policy present in the tenant. Unless you want all users on Teams preview, it’s best to create a second policy using the Add button. When you add a policy, it needs a name, description and you need to choose the setting for updates (Figure 1). The available settings are:

  • Not Enabled – This turns off Teams Preview features
  • Enabled – This turns on Teams Preview features
  • Follow Office Preview – This sets Teams Preview features to match the Office preview settings for the user
Figure 1: Creating a new update policy

With the policy created, assign it to users from the Manage Users button at the top of the page, from their user profiles under Users -> Manage Users, or by using Policy Packages which I detail further later on in this post. Once users have the policy assigned, their Teams client will pick it up after about 24 hours and begin to update for preview features. In my experience, Teams policies can be very slow to take effect so it’s worth giving it a few days for everything to fall into place.


Create and manage policy packages in Microsoft Teams

Policy Packages are collections of different policies that are linked together for easy deployment. Previously, each policy had to be assigned to each user that you wanted to get it individually. With Policy Packages, personas are formed such as VIP Users or Contractors and sets of policies can be applied together.

Policies Packages are configured from the TAC under the Policies Packages section. By default Microsoft provide a number of different packages for common use cases such as Education or Healthcare. Custom Policy Packages can also be created. To create a custom package, click the Add button and give the package a name and description. Add in the policies you want to assign to users as shown in Figure 2 and hit save. A Policy Package does not need to have every policy configured and it will ignore any that are not added.

Figure 2: Create a new Policy Package and add policies

Policy Packages can be updated for individual users from the users page but are best deployed to groups (any type of group including Microsoft 365 Groups / Teams). Using the Group package assignment tab, add a new assignment and select a group and package to deploy as shown in Figure 3.

Figure 3: Assigning a Policy Package to a group

The assignment updates the policies contained in the package for all members of the group, updating only the targeted polices. This is a great way to manage policy assignment at scale. Policy Packages do not persist so if a user is updated after a package is assigned, you need to remove the package assignment and recreate it to enforce the policies again.


Plan policy assignment for users and groups

I’ve already shown how Policy Packages can be useful to deploy sets of policies to groups of users easily but they are not the only method of policy assignment available. In total, there are three different ways to assign policies to users:

  • From the user profile page
  • From the policy page using the group policy assignment option
  • From the policy package page using the group policy assignment option

The group policy assignment option is detailed above but if you want to update the policies for a single user, open the Users -> Manage Users page and select the user you want to update. On the user profile page, switch to the Policies tab and click Edit. From the pop out page (Figure 4) update any policies you want to change for the individual user and click apply to finish.

Figure 4: Manually updating Teams policies

You can also manually assign policies to multiple users by selecting them on the Manage Users page and clicking the Edit Settings button. This will open up a similar policy assignment window for updating of multiple users (Figure 5).

Figure 5: Assigning policies to multiple users at once

Set up policies for Microsoft 365 Groups creation

If you’ve been following this guide, you will know by now that Microsoft Teams are really Microsoft 365 Groups under the hood. They’ve got some extra bells and whistles but are still the same object. Because of this, to control the creation of Teams, you need to control the creation of Groups.

Limiting the creation of Microsoft 365 Groups first requires the Azure AD Preview PowerShell Module installed. The below command installs the module if you don’t already have it:

Install-Module AzureADPreview

Once it’s installed, the code below from Microsofts Documentation will lock down group creation to a specific group (replace <GroupName> with the name of your own group you want to enable to create Teams:

$GroupName = "<GroupName>"
$AllowGroupCreation = $False

Connect-AzureAD

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if($GroupName)
{
  $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
} else {
$settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

This code first connects to Azure AD and then checks if there is currently an Azure AD Directory Setting configured for Unified Groups. If a setting exists, it updates the existing setting to limit group creation to the named group. If no setting exists, a new one is created and the values updated. The values of the directory setting that control Group creation are:

  • EnableGroupCreation – this defines if all users can create groups, if set to $false, regular users (non-admin) cannot create groups
  • GroupCreationAllowedGroupId – this defines the GUID of a group that is an exception to the Group creation block set above

It’s important to note that these settings don’t just apply to Teams and can impact SharePoint site creation, Planner Plans, Yammer groups – anything that relies on Microsoft 365 Groups (which is a lot) so this needs to be considered when implementing this restriction.


Summary

In this post I’ve looked at some of the features that can help provide governance in Microsoft Teams. Teams Policy assignments are key to this. In the next post we dive deeper into the governance settings available and look at how to manage the lifecycle of Teams.

2 thoughts on “Study Guide Series: Exam MS-700 – Plan and Implement Governance and Lifecycle Management for Microsoft Teams (Part 1)

  1. Pingback: Study Guide Series – Exam MS-700: Managing Microsoft Teams – Sean McAvinue

  2. Pingback: Study Guide Series: Exam MS-700 – Plan and Implement Governance and Lifecycle Management for Microsoft Teams (Part 2) – Sean McAvinue

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s