Saturday, March 18, 2017

Compliance challenges of Microsoft Teams

Microsoft Teams is a fantastic service and users absolutely love it, as I mentioned in a previous article:

The modern way of collaboration using Microsoft Teams

Microsoft Teams requires a different approach not only to using the service but also to managing it. In this article I’ll cover some of the challenges Microsoft Teams currently brings to IT administrators.

image

So let’s start with who can actually use Microsoft Teams at the moment. As you can see from the above table found in the Office 365 Service descriptions, Microsoft Teams is currently unavailable to Office 365 Business, Education and Kiosk licenses. So it is available to most but not all.

When you create a Microsoft Team it also creates an Office 365 Security group for you:

image

Permissions to different services are provided via this security group. It is also important to note that this group and the Microsoft Team by association also gets a public email address assigned to it. This means people outside the business can potentially email directly into the tenant without the IT Admin’s knowledge.

This could be a problem if a malicious user created a private Microsoft Team for themselves called, say, ‘accounts’. That would potentially give them an email address of accounts@domain.com. They could then start using that email address for nefarious purposes without the IT admin or the business being any the wiser.

image

If I have a Microsoft Team (here NSA) I also get a new SharePoint Site Collection for that Team.

image

That looks like:

image

The important thing to pay attention to here is the URL for the Microsoft Team Site Collection which in this case is:

https://ciaops365e1.sharepoint.com/sites/NSA

Let’s now pop into the SharePoint Admin center to do some administration on this new Site Collection.

image

So what Site Collection is missing from my list above? Yup, that’s right, the one that was created by the Microsoft Team (here NSA). So, Site Collections created by Microsoft Teams don’t appear in the standard SharePoint Admin area.

But what about using PowerShell to work with the Site Collection created by Microsoft Teams?

image

As the above screenshot shows, I can see the Site Collection URL via PowerShell.

(You might also observe here that I have a lot of sites with random two-digit numbers at the end. These are test sites that were created when I was testing Microsoft Teams functionality. They are no longer linked to a Microsoft Team but they still exist! More on this in upcoming articles.)

image

image

I can also manage the Site Collection created by Microsoft Teams using PowerShell as shown above.

Luckily, as you can see, we can at least get to this new Site Collection created by Microsoft Teams using PowerShell. Hooray for PowerShell!
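As an added example (not a script from the original article), here is how the two PowerShell steps above look end to end in the SharePoint Online Management Shell: connecting, retrieving the Team-created Site Collection that the Admin Center hides, and managing it. It assumes the module is installed, that the tenant admin URL follows the usual tenant-admin.sharepoint.com pattern for the tenant shown in the article, and that the site URL is the one shown above; the quota value is a constructed example.

```powershell
# Added example, not from the article: find and manage the Site Collection that
# Microsoft Teams created, using the SharePoint Online Management Shell.
# Assumptions: SharePoint Online Management Shell installed; admin URL built from the
# tenant name in the article; site URL as shown in the article.
$adminUrl = "https://ciaops365e1-admin.sharepoint.com"    # assumed admin centre URL
$teamSite = "https://ciaops365e1.sharepoint.com/sites/NSA"

Connect-SPOService -Url $adminUrl    # prompts for a SharePoint/global admin account

# The Team's site is missing from the Admin Center list, but Get-SPOSite returns it
# when asked for it by URL.
$site = Get-SPOSite -Identity $teamSite
$site | Select-Object Url, Title, Template, Owner, StorageQuota, SharingCapability

# Enumerate everything and surface the leftover sites whose URL ends in two digits
# (the orphaned test sites the article mentions) so they can be reviewed.
Get-SPOSite -Limit All |
    Where-Object { $_.Url -match '/sites/[^/]+\d{2}$' } |
    Select-Object Url, Owner, LastContentModifiedDate |
    Sort-Object Url

# Manage the Team site like any other Site Collection: cap its storage (value in MB,
# constructed for the example) and turn off external sharing for it.
Set-SPOSite -Identity $teamSite -StorageQuota 5120
Set-SPOSite -Identity $teamSite -SharingCapability Disabled

# Confirm the change took effect.
Get-SPOSite -Identity $teamSite | Select-Object Url, StorageQuota, SharingCapability
```

Because these sites never appear in the Admin Center, a scheduled run of the enumeration step is the practical way to keep an inventory of what Teams has provisioned and what has been left behind after a Team was deleted.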

So now what happens if you delete a Team? Remember that the user who creates a Team is considered the Admin and therefore has the power to delete the Team, whether maliciously or by accident.

This is a very important question, so I checked with Microsoft directly. This is what I received after logging a support ticket in my tenant.

Per offline research and testing, it is learnt that if a Team is accidentally deleted, all channels, chats, files and the associated Office 365 group for this Team will be deleted and cannot be recovered at the moment. For a channel, if it is accidentally deleted, all conversations for this channel will be deleted and this cannot be undone; however, files for this channel can still be accessed from ‘Open in SharePoint’ for this Team.

We sincerely apologize that the feature of recovering a Team or a channel is not available at the moment. As Microsoft Teams is still in preview and many features still need development, could you please submit feedback to our Office 365 product team via this link (https://office365.uservoice.com/) to help them improve this function? Your opinion will be much appreciated.

Delete a Team:

image

Delete a channel:

image

Access the files of the deleted channel by clicking this Team and then clicking ‘Open in SharePoint’:

image

image

Ok, if you are an IT admin responsible for managing the things Microsoft Teams creates, then you are going to need to back up the Site Collection information and the Team mailbox using the conventional tools that are readily available. However, there really isn’t a current way to back up things like Planner plans, chats, channels, etc. Hopefully we will see this option for Microsoft Teams soon.

The recovery of an Office 365 Group (which is the product Teams is built on) is on the roadmap:

https://products.office.com/en-us/business/office-365-roadmap?filters=&featureid=31837

and if you want to vote up this as a priority visit:

https://office365.uservoice.com/forums/286611-office-365-groups/suggestions/9349221-recover-restore-deleted-office-365-group

Another thing to consider is that when it comes to Teams, out of the box, there are only two levels of permissions, Admins and Members.

image

When you take a look at the Team Site Collection that the Microsoft Team created, you’ll find everyone as a Member of the Microsoft Team Site Collection as shown above (they are part of the security group, named after the team, that was created with the Microsoft Team). However, you’ll also see that Everyone except external users is a member. This occurs when you create a ‘public’ Microsoft Team. So even people who aren’t members of the Microsoft Team still get access to the Site Collection created by a ‘public’ Microsoft Team.

image

For Microsoft Teams created as ‘private’ you see that only people in that Microsoft Team are made members of the new Microsoft Team Site Collection.

Using a ‘public’ Microsoft Team could be a problem if you wanted to create an area that was designed to be restricted to, say, just the Executive level to discuss something confidential. A non-Team member who can work out the URL of the Site Collection could navigate there and have access (again, provided the Microsoft Team was created as ‘public’).

image

Remember, Members get Edit permissions by default. Edit permissions include the ability to DELETE!

Now of course you can go in and adjust the permissions for the Team-created Site Collection, but to really make it secure and give different people different levels of access, someone is going to have to go in and do that manually. If you simply accept the default for a ‘public’ Microsoft Team and don’t change it, then all tenant users have access and the ability to read and change information in any Microsoft Team created as ‘public’!
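The manual permission check described above can be scripted. The following is an added example, not part of the original article, that audits the SharePoint groups on a Team’s Site Collection, flags the tenant-wide Everyone except external users entry that a ‘public’ Team places in the Members group (which carries Edit, and therefore delete), and removes it. It assumes the SharePoint Online Management Shell, the admin and site URLs derived from the article’s tenant, and the default “Team name Members” group naming; it matches the claim by display name rather than hard-coding its tenant-specific login name.

```powershell
# Added example, not from the article: audit and tighten the default permissions on a
# Team-created Site Collection. Assumptions: SharePoint Online Management Shell; URLs
# built from the tenant shown in the article; default "<Team> Members" group naming.
$adminUrl = "https://ciaops365e1-admin.sharepoint.com"    # assumed admin centre URL
$teamSite = "https://ciaops365e1.sharepoint.com/sites/NSA"

Connect-SPOService -Url $adminUrl

# 1. Report every SharePoint group on the site with its permission levels and members,
#    so the reviewer sees exactly who can read and change the Team's files.
foreach ($group in Get-SPOSiteGroup -Site $teamSite) {
    "{0} [{1}]" -f $group.Title, ($group.Roles -join ', ')
    Get-SPOUser -Site $teamSite -Group $group.Title |
        ForEach-Object { "    {0} <{1}>" -f $_.DisplayName, $_.LoginName }
}

# 2. Locate the Members group (Edit rights by default) and check whether the tenant-wide
#    claim is in it. Matching on the display name avoids hard-coding the login name,
#    which embeds a tenant identifier.
$membersGroup = Get-SPOSiteGroup -Site $teamSite |
    Where-Object { $_.Title -like '*Members' } | Select-Object -First 1

$everyone = Get-SPOUser -Site $teamSite -Group $membersGroup.Title |
    Where-Object { $_.DisplayName -eq 'Everyone except external users' }

if ($everyone) {
    Write-Warning ("'{0}' grants Edit (including delete) to every user in the tenant" -f $membersGroup.Title)

    # 3. Remove the claim so only actual Team members keep Edit rights on the site.
    #    This is the manual override of the 'public' default the article describes.
    Remove-SPOUser -Site $teamSite -LoginName $everyone.LoginName -Group $membersGroup.Title
    Write-Output ("Removed tenant-wide access from '{0}'" -f $membersGroup.Title)
}
else {
    Write-Output "Members group contains only explicit Team members (private Team or already fixed)"
}
```

One caveat: this changes the SharePoint side only. The Team itself stays ‘public’ and discoverable, so anyone who joins it is added to the group and regains Edit rights on the site through normal membership, which is the intended path. Re-run the audit after any change to the Team, since provisioning can take a while to settle.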

image

What about this scenario? A user creates a new Microsoft Team and invites others in as members. However, there remains only a single admin of the Microsoft Team: the initial user. Now let’s say that some time elapses and that original user leaves the organisation. Their login is removed as part of the standard leaver process. So now we have a Microsoft Team with no admin. How can we manage that Microsoft Team when everyone left in it is only a member, as you can see above?

Consider what happens if you create two Microsoft Teams in the same tenant with the same name.

image

It allows you and then creates two separate Site Collections:

image

image

One has the URL /sites/marketing and the second has the URL /sites/marketing20/, i.e. it appends a random two-digit number to the end of the URL.

Not unexpected behaviour, but it certainly means an IT Admin has to be diligent about what happens when two Microsoft Teams are created with the same name (which is easily done). In some places they look the same; in others they don’t.
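Three of the issues raised so far (a Team whose only admin has left, two Teams with the same name, and the public email address every Team receives) all surface on the Office 365 Group behind the Team, so one audit script can cover them. This is an added example, not a script from the article. It uses the Exchange Online remote PowerShell connection of the time and the Office 365 Groups cmdlets; the fallback owner address is an assumed placeholder, and the group names in any output are whatever exists in your tenant.

```powershell
# Added example, not from the article: audit the Office 365 Groups that back Teams for
# duplicate names, missing owners and their public SMTP addresses.
# Assumptions: Exchange Online remote PowerShell (2017-era connection), an account with
# Exchange admin rights, and a placeholder fallback owner that must be changed.
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

$fallbackOwner = 'itadmin@domain.com'    # assumed placeholder, not from the article
$groups = Get-UnifiedGroup -ResultSize Unlimited

# 1. Duplicate display names: Teams allows them, and only the site URL tells them apart.
$groups | Group-Object DisplayName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Duplicate Team name '{0}':" -f $_.Name)
    $_.Group | Select-Object PrimarySmtpAddress, SharePointSiteUrl, WhenCreated | Format-Table -AutoSize
}

# 2. Ownerless groups: the creator was the only Admin and the account has since been removed.
#    A user must be a member before they can be made an owner, hence the two calls.
foreach ($g in $groups) {
    $owners = Get-UnifiedGroupLinks -Identity $g.Identity -LinkType Owners
    if (-not $owners) {
        Write-Warning ("'{0}' has no owner; assigning {1}" -f $g.DisplayName, $fallbackOwner)
        Add-UnifiedGroupLinks -Identity $g.Identity -LinkType Members -Links $fallbackOwner
        Add-UnifiedGroupLinks -Identity $g.Identity -LinkType Owners  -Links $fallbackOwner
    }
}

# 3. Every group's public email address and visibility, sorted by address so a Team named
#    like a business function (the 'accounts' example) stands out in review.
$groups | Sort-Object PrimarySmtpAddress |
    Select-Object DisplayName, PrimarySmtpAddress, AccessType, WhenCreated |
    Format-Table -AutoSize

Remove-PSSession $session
```

Running this on a schedule turns the three manual checks into a report the IT Admin can act on, and step 2 in particular closes the gap where a Team becomes unmanageable once its only admin’s login is removed.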

Another thing to watch is the fact that Microsoft Teams can take a little while to provision all its components. Give it time to complete all the tasks it needs to around creating Site Collections, Planner, etc.

The bottom line here for IT Admins is that you need to understand what Microsoft Teams actually does: which services it provisions and how. Chances are that IT Admins will need to go in immediately after the creation of a Microsoft Team and ensure it is configured appropriately for the organisation. IT Admins are needed now more than ever!

Given that it is still early days for Microsoft Teams, it is expected that the challenges here will be addressed in the very near future as the product continues to evolve. The message here is that even though the power of provisioning is now in the hands of users, IT Admins are required more than ever to ensure such systems remain compliant. However, this means IT Admins have to invest the time to learn about new products like Microsoft Teams so they are ready with the answers and solutions users will no doubt bring them.