Before you setup anything, please take the time to carefully plan how your department utilizes Teams and develop a plan that best fits your needs. Use these best practices to guide your departments implementation.
Team Roles
Overview
UW accounts can be in an “Owner” or “Member” role; the “Guests” role is for external non-UW accounts (additionally, to access the team, a Microsoft account is required)
Owner
Team owners are the administrators of the team, and they have near full control of every setting within teams. Team owners should regularly review membership and remove people who no longer need access. It is important to note that despite the role being called “Team Owner”, there can be multiple team owners in each team. Here is a list of permissions that team owners have:
- Add or Remove Members and Guest
- Manage the permissions of all users in the team
- Change team configuration settings
- Delete a team
- Edit chat settings within a team
- Managing Channel permissions
- Full List here
Since team owners have a wide range of permissions, members with this role should only be trusted members of the team. Be careful who you assign this role to, we recommend that senior team members be assigned to this role. It is also prudent to have at least two owners on every team just in case one member leaves the university or one member is out for an extended period.
Members
Members is the standard role that most users will/should be. Members will be able to communicate and collaborate with other team members but have no ability to make changes to the team.
Here are the settings that we recommend departments use for members:
Allow members to create and update channels (Disabled)
Allow members to delete and restore channels (Disabled)
Allow members to add and remove apps (Disabled)
Allow members to upload custom apps (Disabled)
Allow members to create, update, and remove tabs (Disabled)
Allow members to create, update, and remove connectors (Disabled)
Owners can delete all messages (Enabled)
Give members the option to delete their messages (Enabled)
Give members the option to edit their messages (Enabled)
Guests
Guests are very similar to members when it comes to the permissions that they possess. The permissions that they lack are the ability to add apps, and they are unable to share chat files. These users should be people who interact with the team frequently enough to warrant any kind of access but are not a part of the team itself. Guests should not be able to join without the express permission of a team owner unless the team is public facing with minimal privacy concerns.
Here are the settings that we recommend departments use for guests:
Allow guests to create and update channels (Disabled)
Allow guests to delete channels (Disabled)
Team Structure
The structure and the permissions given to users within groups should reflect how the true organizational structure of the team itself. Senior team members who need access to make changes to their team should be made administrators. Most users should be standard members with minimal permissions. Guests need to be people who participate enough in the team but aren’t actually a part of the team itself.
Teams Settings
Privacy Settings
Teams Privacy Settings
Whenever possible, use private teams where only approved members can join. Leaving teams open risks the confidentiality of information shared within the team. It is important to consider what is being shared within a team if the team is exclusively made of employees and the team is made for the purposes of collaborating with other employees. Even if there is no expectation that the team will have sensitive information shared within it, it is imperative for people who otherwise would not be a part of the team’s organizational structure (or manually approved users) to be excluded from it.
Channel Privacy Settings
Within a team, there are still good reasons to maintain private channels to limit what people have access to what information. Private channels are especially valuable when you have a larger team where you need some segmentation between subgroups within the team. Departments should be using private channels is when the team is public (anyone can join), but a secondary function of that team is to communicate with other employees. Hypothetical example: A department provides tutoring for a group of students, but the team needs to also be used by the tutors providing the service. They could have a private channel to coordinate the tutoring of students and provides a private space to ask for help. Private channels are a powerful communication tool, but they come with some limitations including video meetings cannot be scheduled in a private channel, certain apps such as Tasks (Planner) and Forms are not available. (See: https://docs.microsoft.com/en-us/microsoftteams/private-channels)
Changing Roles
To change roles: open the Team > click on the “…” next to the team name > select Manage team > go to the Members tab > expand and adjust Member permissions > find the person and change roles or use the X to remove the person from the team
Changing Permissions
To adjust permissions: open the Team > click on the “…” next to the team name > select Manage team > go to the Settings tab > expand and adjust Member permissions)
Apps in Teams
First Party Apps
First party apps will be from Microsoft and are generally trusted and safe to use even if the team has sensitive information shared within it. Many of these apps will be preinstalled and only require that you add a tab, but some first party apps will require you to add them first. You should generally have little hesitation before installing these apps.
Third Party Apps
Unlike first party apps, you should tread very carefully when installing third party apps as there is a much higher risk of sensitive information being leaked.
Here is what you should consider before installing third party apps:
- Who developed the app?
- What permissions is the app requesting?
- Has this app been certified by Microsoft?
- Do you need this application enough to potentially leak sensitive information?
In general, it is best to not install third party apps (which is also why we recommended that standard members be denied permissions to install such apps by default).