MS 700T00A ENU TrainerHandbook
MS-700T00
Managing Microsoft Teams
MCT USE ONLY. STUDENT USE PROHIBITED
Disclaimer
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is
not responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
EULA
13. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic
device that you personally own or control that meets or exceeds the hardware level specified for
the particular Microsoft Instructor-Led Courseware.
14. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led
Courseware. These classes are not advertised or promoted to the general public and class attendance
is restricted to individuals employed by or contracted by the corporate customer.
15. “Trainer” means (i) an academically accredited educator engaged by a Microsoft Imagine Academy
Program Member to teach an Authorized Training Session, (ii) an academically accredited educator
validated as a Microsoft Learn for Educators – Validated Educator, and/or (iii) a MCT.
16. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and
additional supplemental content designated solely for Trainers’ use to teach a training session
using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint
presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs,
classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not
include any software, virtual hard disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one
copy per user basis, such that you must acquire a license for each individual that accesses or uses the
Licensed Content.
● 2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
1. If you are a Microsoft Imagine Academy (MSIA) Program Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led
Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User who is enrolled in the Authorized Training Session, and only immediately
prior to the commencement of the Authorized Training Session that is the subject matter
of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they
can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure each End User attending an Authorized Training Session has their own
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the
Authorized Training Session,
3. you will ensure that each End User provided with the hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each Trainer teaching an Authorized Training Session has their own
valid licensed copy of the Trainer Content that is the subject of the Authorized Training
Session,
5. you will only use qualified Trainers who have in-depth knowledge of and experience with
the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware
being taught for all your Authorized Training Sessions,
6. you will only deliver a maximum of 15 hours of training per week for each Authorized
Training Session that uses a MOC title, and
7. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer
resources for the Microsoft Instructor-Led Courseware.
2. If you are a Microsoft Learning Competency Member:
1. Each license acquired may only be used to review one (1) copy of the Microsoft Instructor-Led
Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware
is in digital format, you may install one (1) copy on up to three (3) Personal Devices.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or
control.
2. For each license you acquire on behalf of an End User or MCT, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Authorized Training Session and only immediately prior to
the commencement of the Authorized Training Session that is the subject matter of the
Microsoft Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) MCT with the unique redemption code and instructions on how
they can access one (1) Trainer Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure that each End User attending an Authorized Training Session has their
own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of
the Authorized Training Session,
3. you will ensure that each End User provided with a hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each MCT teaching an Authorized Training Session has their own
valid licensed copy of the Trainer Content that is the subject of the Authorized Training
Session,
5. you will only use qualified MCTs who also hold the applicable Microsoft Certification
credential that is the subject of the MOC title being taught for all your Authorized
Training Sessions using MOC,
6. you will only provide access to the Microsoft Instructor-Led Courseware to End Users,
and
7. you will only provide access to the Trainer Content to MCTs.
3. If you are a MPN Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led
Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Private Training Session, and only immediately prior to the
commencement of the Private Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the
unique redemption code and instructions on how they can access one (1) Trainer
Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure that each End User attending a Private Training Session has their own
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the
Private Training Session,
3. you will ensure that each End User provided with a hard copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each Trainer teaching a Private Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Private Training Session,
5. you will only use qualified Trainers who hold the applicable Microsoft Certification
credential that is the subject of the Microsoft Instructor-Led Courseware being taught
for all your Private Training Sessions,
6. you will only use qualified MCTs who hold the applicable Microsoft Certification credential
that is the subject of the MOC title being taught for all your Private Training Sessions
using MOC,
7. you will only provide access to the Microsoft Instructor-Led Courseware to End Users,
and
8. you will only provide access to the Trainer Content to Trainers.
4. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for
your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you
may access the Microsoft Instructor-Led Courseware online using the unique redemption code
provided to you by the training provider and install and use one (1) copy of the Microsoft
Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy
of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led
Courseware on a device you do not own or control.
5. If you are a Trainer.
1. For each license you acquire, you may install and use one (1) copy of the Trainer Content in
the form provided to you on one (1) Personal Device solely to prepare and deliver an
Authorized Training Session or Private Training Session, and install one (1) additional copy
on another Personal Device as a backup copy, which may be used only to reinstall the
Trainer Content. You may not install or use a copy of the Trainer Content on a device you do
not own or control. You may also print one (1) copy of the Trainer Content solely to prepare
for and deliver an Authorized Training Session or Private Training Session.
2. If you are an MCT, you may customize the written portions of the Trainer Content that are
logically associated with instruction of a training session in accordance with the most recent
version of the MCT agreement.
3. If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private
Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any
use of “customize” refers only to changing the order of slides and content, and/or not using
all the slides or content, it does not mean changing or modifying any slide or content.
● 2.2 Separation of Components. The Licensed Content is licensed as a single unit and you
may not separate their components and install them on different devices.
● 2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights
above, you may not distribute any Licensed Content or any portion thereof (including any permitted
modifications) to any third parties without the express written permission of Microsoft.
● 2.4 Third Party Notices. The Licensed Content may include third party code that Microsoft,
not the third party, licenses to you under this agreement. Notices, if any, for the third party
code are included for your information only.
● 2.5 Additional Terms. Some Licensed Content may contain components with additional
terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions
and licenses also apply to your use of that respective component and supplements the terms
described in this agreement.
laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property
rights in the Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to
the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is provided “as is”, we are not obligated to
provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of this agreement. Upon termination of this agreement
for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed
Content in your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible
for the contents of any third party sites, any links contained in third party sites, or any changes or
updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any third party sites. Microsoft is providing these links to third party sites to
you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft
of the third party site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
1. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
2. Outside the United States. If you acquired the Licensed Content in any other country, the laws of
that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE."
YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO
EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER
RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES
EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO
US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST
PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
Audience
Students in this course are interested in Microsoft Teams or in passing the Microsoft Teams Administrator
Associate certification exam.
Prerequisites
This course assumes you have already acquired the following skills and experience:
● A proficient understanding of basic functional experience with Microsoft 365 services.
● A proficient understanding of general IT practices, including using PowerShell.
Learning objectives
By actively participating in this course, you will learn about the following:
● What is Microsoft Teams and how the components work together
● How to implement Governance, Security and Compliance for Microsoft Teams
● How to prepare an organization's environment for a Microsoft Teams deployment
● How to deploy and manage teams
● Ways of managing collaboration in Microsoft Teams
● Techniques to manage and troubleshoot communication in Microsoft Teams
Course syllabus
The course content includes a mix of content, demonstrations, hands-on labs, and reference links.
Module 1 - Microsoft Teams Overview
In Microsoft Teams overview, you will get an overview of Microsoft Teams including Teams architecture
and related Office 365 workloads. You will be provided an overview of security and compliance in Microsoft
Teams and finally get an overview of how to manage Microsoft Teams. This module includes the following
lessons:
1. Overview of Microsoft Teams
2. Overview of security and compliance in Microsoft Teams
3. Overview of managing Microsoft Teams
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution toward developing
this course. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Siegfried Jagott
Siegfried Jagott is Chief Editor for Practical 365, a website that covers Office 365 related topics such as
Microsoft Teams or Exchange. He is a CEO and Principal Consultant for atwork deutschland GmbH, a
Microsoft Valuable Professional (MVP) for Office Apps and Services since the year 2013.
Siegfried is an award-winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft Press)
and has been writing and technical reviewing for several Microsoft Official Curriculum (MOC) courses on
various topics such as MOC 20345 Administering Microsoft Exchange Server 2019.
He currently works on Office 365 implementations with a special focus on Teams, Messaging, Security
and Identity for international customers.
Dennis Weber
Dennis Weber is a Senior Consultant for atwork deutschland GmbH with more than 10 years of experience
working with Microsoft solutions as administrator and as a solutions consultant. He is an IT-Generalist
with a focus on on-premises and cloud messaging systems, communication and collaboration, as well
as Security & Compliance for modern cloud solutions.
He is currently working on a variety of enterprise projects for different international customers and
participates as a subject matter expert in learning content development.
Vladimir Meloski
Vladimir Meloski is an MVP on Office Apps and Services, MCT and consultant, providing solutions based
on Office 365 and Exchange Server with more than 20 years of experience in information technology. He is a
speaker and technical expert at Microsoft conferences worldwide. He has been an author and technical
reviewer for Microsoft official courses on Office 365, Exchange Server, and Windows Server, and one of
the book authors of “Mastering Microsoft Exchange Server 2016”, and “Mastering Windows Server 2016”.
Vladimir is devoted to IT community development by collaborating with user groups worldwide.
Jan Bruns
Jan Bruns is a Consultant for atwork Deutschland GmbH advising on Office 365 related projects with a
primary focus on Skype for Business Online, Exchange Online and Microsoft Teams.
Jan focusses on implementing Voice Solutions for Office Communication for his Customers and integrating
them with existing infrastructure.
Robert Lutz
Robert Lutz is working as a consultant for atwork Deutschland GmbH providing his expert advice on
Office 365 related projects to numerous customers. He focuses on Exchange Online and Microsoft
Teams.
He specialises in design, implementation, restructuring and migration of local and hybrid Microsoft
Exchange messaging infrastructures. He also assists his customers in deploying, implementing and
managing Microsoft Teams.
Gorana Konevska Jankoska
Gorana Konevska Jankoska is Microsoft Valuable Professional (MVP) for Office Apps and Services, Microsoft
Certified Trainer (MCT), conference speaker and one of the organizers of community MK IT Pro User
group. She is working as a Consultant for Business Productivity in Office 365 in Meloski Consulting.
Gorana is working with end users on Office 365 adoption processes and her focus of trainings is especially
pointed towards Microsoft Teams and SharePoint Online.
Module 1 Microsoft Teams in Microsoft 365
Microsoft Teams
Microsoft Teams delivers in four core areas to create a digital workspace for high-performing teams:
1. Communicate (chat and telephony)
2. Collaborate
3. Customize
4. Work with confidence
Communicate
Teams meets the communication needs of a diverse workforce by providing a complete meeting and
calling solution, including chat, voice, and video.
Teams supports instant messaging or one-on-one (1:1) chat to defined groups. This can be accomplished
by using different clients, like the Teams desktop client, a lightweight web client or directly on a mobile
phone. It is also possible to share resources, such as users’ webcams and desktops while talking on a
landline connection with one another. Besides direct and group chat, Teams also provides open conversation
in channels, where people can share information about topics that can be commented on by other
Team members.
It’s easy to move from a chat into a face-to-face meeting and share important resources, helping users to
bridge geographical barriers.
Collaborate
The deep integration of Teams with Office 365 enables today’s multigenerational workforce to use the
Office apps they are familiar with—Word, Excel, PowerPoint, OneNote, SharePoint, Planner, and even
Power BI—right within the context of Teams. Teams brings all the Office 365 services together so that
users can easily share and co-author files.
Customize
Teams enables users to integrate their different, everyday work apps into a single place for a unified work
experience. Users no longer need to jump between Office 365 apps, clients, and services, because Teams
integrates them all - both native and third-party apps and connectors - into whole Teams and single
channel. Users can customize their workplace with their custom apps, and Teams administrators can
provide apps, connectors, and bots that are available across all team members.
Teams is an extensible platform that enables you to build apps and integrate with business processes.
● Private channels. Private channels are similar to standard channels, but they restrict access to
conversations, files, and apps to a limited subset of team members. This enables private collaboration
within a project or department.
Note: Private channels currently support only connectors and tabs, but without Stream, Planner, or Forms
tabs and they don’t support messaging extensions and bots.
The following picture shows the structure of channels in Teams of an organization.
What is chat?
Teams provides an instant messaging feature that enables team members to send messages in real-time
for live collaboration. Chat is possible between single users and with multiple participants of a team, or
even with external users. In addition, a simple chat can instantly be extended with desktop sharing and
voice communication.
When users join a chat, they can send messages that include files, links, emojis, stickers, and gifs. There
are many formatting options for chat messages, including options for highlighting, font size, lists, and
more. Guests can also participate in conversations, but with limited access.
Conclusion
In summary, Microsoft Teams provides all the benefits of Office 365 services and tools in one application.
It is the new collaboration hub that combines the features of Exchange mailboxes, SharePoint site
collections, and Skype for Business communication, among others, while simultaneously meeting security
and compliance requirements.
Instead, they can spend their time within a single team or channel that effortlessly brings together all the
relevant information in-context.
There are multiple ways to leverage Microsoft 365 apps and services in Microsoft Teams. The most
common scenario is to add a new tab to a team channel. Users can also add the content to a chat from
Microsoft 365 services. The following are examples of integrating Microsoft 365 in Microsoft Teams:
Outlook
The integration between Outlook and Teams makes it easy to collaborate no matter where the conversation
is taking place.
● Share to Outlook: Users can share chats or channel conversations to Outlook without leaving Teams
by selecting “Share to Outlook” from the more options ("...") icon in a conversation.
● Share to Teams: Users can move an email conversation from Outlook, including attachments, into a
Teams chat or channel conversation by selecting “Share to Teams” in Outlook.
● Actionable missed activity emails: Users can set the notification for missed activity emails to stay on
top of missed conversations in Teams. The missed activity emails show the latest replies from the
conversation, and allow users to respond directly from within Outlook.
SharePoint
In Microsoft Teams, users can add published SharePoint pages or lists as a tab in a Teams channel.
SharePoint pages let users share ideas using images, video, links, and documents. SharePoint lists are a
great way to collaborate on content and data. Team members can view pages, edit lists, and add comments
in the Teams tabs. Add the SharePoint tab in Teams to quickly paste any page, news post, or list
from a published SharePoint site.
Yammer
Users are able to add a Yammer page to a channel in Teams or install and then pin the Yammer app (named
“Communities”) to the app bar. This allows team members to follow and share conversations in Yammer
without having to leave Teams. The team members can participate in the Yammer conversation right from
Teams, or discuss a Yammer conversation in Teams before posting a reply to the wider Yammer group.
When a Teams member goes to the Yammer tab, they are authenticated again by Yammer, so that they
only see Yammer content that they have access to.
Forms
Users can access Microsoft Forms directly in Microsoft Teams. Easily set up a Forms tab, create a new
form to collect responses, add an existing form to collect responses or show survey results, collaborate
with your team on a form, create notifications for your form, or conduct a quick poll just for your team.
There are two places in Teams where you can access Tasks: as an app in the left siderail and as a tab
within individual teams. The app comprises all tasks from To Do and Planner, like the screenshot below.
As for the tab, you can think of that as Planner renamed: it functions the same way. And just like the
current Planner tab, you can add multiple Tasks tabs to a single team. Just keep in mind that the tab is for
team tasks; personal tasks from To Do cannot be added to a tab.
Stream
Microsoft Stream is an Enterprise Video service where people in your organization can upload, view, and
share videos securely. Users can collaborate using video by adding a Microsoft Stream channel or video
as a tab in Microsoft Teams. Users can also watch Stream videos in Teams, such as meeting recordings or live
events.
OneNote
Within Microsoft Teams, users can interact with Notebook by visiting the OneNote tab in a channel in
Teams. For example:
●● Create a OneNote tab in a channel in Teams to store text, images, handwritten notes, and more.
●● Add a OneNote tab to a channel in Teams from an existing notebook to centralize content.
common business processes. The following are examples of how to leverage Power Automate in Microsoft
Teams:
●● Create and manage workflow automations directly from Teams.
●● Quickly trigger scheduled flows using the Flow bot in Teams.
●● Trigger specific actions when someone new joins a team.
●● Streamline approvals by aggregating and automating all of a team's approval processes in Teams.
These complex dependencies result in different types of data produced by different workloads that were
acquired for user productivity. Because not all types of data are efficiently stored in a single storage
location, Teams uses the most effective storage location depending on the user data that is produced by
each service. The following diagram provides an overview of the types of data produced by using Teams
and where they are stored.
leakage and loss of business data by supporting compliant business processes when discovering sensitive
business data.
Conclusion
Microsoft Teams is built to combine the already effective workloads of Office 365 with a general
information protection strategy. This strategy empowers organizations to use Office 365 capabilities to
create efficient business processes that conform to modern security, compliance, and data governance
requirements. Administrators need to understand the Teams architecture and how it provides the link
between today’s cloud technology and the modern business needs of organizations.
1 https://docs.microsoft.com/en-us/microsoftteams/limits-specifications-teams
All SharePoint Online sites of Teams can be accessed through the Teams clients or directly through the
browser to upload, download, or change stored files. It’s also possible for members and owners to
synchronize a client to the document libraries within the OneDrive for Business client. As soon as the
B2B-Sync feature is available, guests can also synchronize the document libraries of teams in which they
have been added as guests.
When assigning a Team owner or members through one of the clients or through the Teams Admin
Center, the users are also added into the respective permission group.
Note: The SharePoint Online site collections of private channels of teams are not visible in the SharePoint
Online admin center but can be seen via the SharePoint Online PowerShell module.
team, that user will also be removed from all private channels in the team. Changes to the team like this,
that also affect the private channels, are synchronized within four hours automatically.
Note: All private channels need an owner. A private channel owner can't be removed through the Teams
client if they are the last owner of one or more private channels.
If a private channel owner leaves your organization or if they are removed from the Microsoft 365 Group
associated with the team, a member of the private channel is automatically promoted to be the private
channel owner.
PSTN
The Public Switched Telephone Network (PSTN) is the complete global telephone network operated by
national, regional, and local telephone companies. PSTN provides the infrastructure and services for
public telecommunications, including all telephone lines, fiber optic cables, microwave transmission links,
mobile networks, communication satellites, and underwater telephone cables, all of which are
interconnected with switching centers.
2 https://en.wikipedia.org/wiki/Telephone_exchange
for Business Online clients and certified devices. With Phone System, users can use Skype for Business
Online and Microsoft Teams to place and receive calls, transfer calls, and mute or unmute calls. Phone
System allows you to replace your existing PBX system with a set of features directly delivered from
Office 365 and tightly integrated into the company’s cloud productivity experience. To connect Phone
System to the Public Switched Telephone Network (PSTN), you can choose Microsoft’s Calling Plan or
your own telephony carrier.
Direct Routing
Direct Routing is a capability of Phone System in Office 365 to help customers connect their SIP trunks to
Microsoft Teams. In the simplest deployment model, customers start with SIP trunks from their
telecommunications provider. Next, customers will use and configure a supported Session Border
Controller (SBC) from one of Microsoft’s certified partners. Finally, they will connect their SBC to
Microsoft Teams and Phone System.
Option: Phone System with Calling Plan
Description:
●● Licensed users can call out to numbers located in the country/region where their Office 365 license
is assigned to the user based on the user’s location, and to international numbers in 196
countries/regions.
●● Because the PSTN Calling Plan operates out of Office 365, this option does not require deployment
or maintenance of any on-premises deployment.
●● Direct Routing also supports users who have the additional license for the Microsoft Calling Plan.

Option: Phone System with own carrier through Direct Routing
Description:
●● Connect your own supported SBC directly to Microsoft Phone System without the need of additional
on-premises software.
●● Use virtually any telephony carrier with Microsoft Phone System.
●● Can be configured and managed by customers or by your carrier or partner (ask if your carrier or
partner provides this option).
●● Configure interoperability between your telephony equipment—such as a third-party PBX and analog
devices—and Microsoft Phone System.

Option: Phone System with your own carrier through Skype for Business Server OR Cloud Connector Edition
Description:
●● Connect your own supported SBC to Microsoft Phone System through Skype for Business Server in
hybrid deployment or Skype for Business Cloud Connector Edition deployed on premises.
●● Use virtually any telephony carrier with Microsoft Phone System.
●● If you already have Skype for Business Server on premises, then you can leverage it; if you do not,
you can deploy a lighter version Cloud Connector Edition.

Option: Enterprise Voice in Skype for Business Server with own carrier
Description:
●● Connect your own supported SBC to the Enterprise Voice System in Skype for Business on premises
Server.
●● Use if you need local survivability.
●● Use virtually any telephony carrier with Microsoft Phone System.
●● This is the most complex option to deploy and maintain.
Requirements and details about the different deployment options are covered in a later lesson.
Mode | Calling and Chat | Meeting Scheduling | Teams Channels | Use Case
TeamsOnly | Teams | Teams | Yes | This is the final state of being upgraded; it’s also the default for new tenants. It requires home in Skype for Business Online.
Islands | Either | Either | Yes | Allows a single user to evaluate both clients side by side. Chats and calls can land in either client, so users must always run both clients. To avoid a confusing or regressed Skype for Business experience, external (federated) communications, PSTN voice services and voice applications, Office integration, and several other integrations continue to be handled by Skype for Business.
SfB With Teams Collab And Meetings | Skype for Business | Teams | Yes | Also known as “Meetings First.” Primarily for on-premises organizations that are not yet ready to move calling to the cloud, but they want to benefit from Teams’ meeting functionality.
SfB With Teams Collab | Skype for Business | Skype for Business | Yes | Alternate starting point for complex organizations that need tighter administrative control.
SfBOnly | Skype for Business | Skype for Business | No | Specialized scenario for organizations with strict requirements around data control. Teams is only used to join meetings scheduled by others.
gives guests access to business sensitive content, then it's the group owner's responsibility to confirm
the guests still have a legitimate business need for access.
●● Have reviews recur periodically. You can set up recurring access reviews of users at set frequencies
such as weekly, monthly, quarterly, or annually, and the reviewers will be notified at the start of each
review. Reviewers can approve or deny access with a friendly interface and with the help of smart
recommendations.
Note: Using the Azure AD Access Reviews feature requires an Azure AD Premium P2 license.
Conditional Access
Conditional access is the set of rules for access control based on various specifications such as client,
service, registration procedure, location, compliance status, and so on. This is used to decide whether the
user's access to the company's data is possible.
By using Conditional Access policies, you can apply the right access controls when needed to keep your
organization secure and to stay out of your user’s way when not needed.
Guest Access
Guest access allows teams in your organization to collaborate with people outside your organization by
granting them access to existing teams and channels on one or more of your tenants. Anyone with a
business or consumer email account, such as Outlook, Gmail, or others, can participate as a guest in
Teams with full access to team chats, meetings, and files. Guest access is an org-wide setting in Teams
and is turned off by default. Guest access is subject to Azure AD and Office 365 service limits.
Retention policies
For most organizations, the volume and complexity of data increases daily – from email to documents to
instant messages, and more. Effectively managing or governing this information is important because you
must:
●● Comply proactively with industry regulations and internal policies that require you to retain content
for a minimum period of time; for example, the Sarbanes-Oxley Act might require you to retain certain
types of content for seven years.
●● Reduce your risk in the event of litigation or a security breach by permanently deleting old content
that you are no longer required to keep.
●● Help your organization to share knowledge effectively and be more agile by ensuring that your users
work only with content that is current and relevant to them.
A retention policy can help organizations either retain data for compliance (namely, preservation policy)
for a specific period or remove data (namely, deletion policy) if it is considered a liability after a specific
period. Retention policies are available in the Security & Compliance Center, and they work across the
different workloads and data types, such as Exchange email, SharePoint document libraries, and OneDrive
files.
Teams conversations are persistent and retained by default. With the introduction of retention policies,
administrators can configure retention policies (both preservation and deletion) in the Security &
Compliance Center for Teams chat and channel messages.
eDiscovery
Protecting content from accidental or intended deletion is only effective when there are ways to retrieve
it without violating legal and regulatory restrictions. The eDiscovery feature is for placing a hold on
content locations relevant to a legal case and using the Content Search tool to search the locations on
hold for content that might be responsive to your case.
You can use eDiscovery in Office 365 to search for content in Exchange Online mailboxes, Microsoft 365
Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites, and Skype for Business
conversations.
All Teams 1:1 or group chats are journaled through to the respective users’ mailboxes, and all channel
messages are journaled through to the group mailbox representing the team. To facilitate eDiscovery for
guest-to-guest chats, a cloud-based mailbox (or phantom mailbox) is required to store the 1xN data so
that it can be indexed for eDiscovery and compliance content search. Files uploaded are covered under
the eDiscovery functionality for SharePoint Online and OneDrive for Business.
Information barriers
Microsoft 365 includes powerful communication and collaboration capabilities. However, suppose that
you want to restrict communications between certain people inside your organization to safeguard
internal information. You can fulfil these requirements by implementing information barriers that restrict
communication between users inside a tenant.
Information barriers in Teams are used to prevent individuals or groups from communicating with each
other. They also prevent lookups and discovery. This means that if restricted users attempt to
communicate with each other, they will not find that other user in the people picker.
Information barrier policies can be used for scenarios such as:
●● To meet regulatory requirements, a day trader should not call someone on the Marketing team.
Legal Holds
Users or teams can be put on Legal Hold to preserve all business data and communication. When a user
or group is placed on hold, all message copies are retained. For example: Mary posted a message in a
channel and then modified the message. In a hold scenario, both copies of the message are retained.
Without Legal Hold, only the latest message is retained.
Note: Placing a user on hold does not automatically place a group on hold or vice-versa.
Due to the complex workload architecture of Teams, it can be difficult to understand what to put on hold
when data must be preserved for a legal case or investigation. The following table identifies some
examples that may help with this situation.
Supervision
Supervision policies in Office 365 allow you to capture employee communications for examination by
designated reviewers. You can define specific policies that capture internal and external email, Microsoft
Teams, or third-party communications in your organization. Reviewers can then examine the messages to
make sure that they are compliant with your organization's messaging standards and resolve them with
classification type.
These policies can also help you overcome many modern compliance challenges, including:
●● Monitoring increasing types of communication channels
●● The increasing volume of message data
●● Regulatory enforcement and the risk of fines
In contrast to eDiscovery searches in which all results are returned, only a subset of results for specific
keyword searches are returned; for example, only 10% of all data that matches the configured conditions
may be returned.
Alert policies
Alert policies build on and expand the functionality of activity alerts by adding a categorization feature to
alert policies. Known as an alert event, this categorization feature can enable policies to be applied to all
users in a tenant, set threshold levels for triggering an alert, and decide whether to receive email
notifications. The types of events have also been expanded in Microsoft 365; for example, you can create
alert policies to track malware activity and data loss incidents.
Alert events are collected in a View alerts page in the Security & Compliance Center. This page provides
an improved summary of suspicious activities in tenants, where an alert can be viewed and filtered, and
where alerts can be acknowledged or dismissed.
There is a default set of alert policies in existing and newly created tenants to monitor activities such as
assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, the creation of
eDiscovery cases, and unusual levels of file deletions and external sharing.
already switched from their other legacy solutions to Teams, which makes it easier to deploy the voice
meeting capabilities.
4. Voice. The last step in a rollout is the full voice integration of PSTN calling into Teams. While
dedicated telephones and on-premises PBX solutions are still common in companies, these systems do not
allow coexistence with other solutions. Therefore, switching over traditional voice communication
from legacy solutions to Teams has the highest impact on users.
Microsoft FastTrack
With the FastTrack program, Microsoft provides guidance for planning, deployment, and adoption,
including remote access to Microsoft engineering expertise, best practices, tools, and resources for a
successful deployment of Microsoft Teams and other Microsoft 365 services in organizations. FastTrack
for Microsoft 365 helps organizations and their partners accelerate deployment and gain end-user
adoption at no additional cost. When planning rollout paths, you should also consider using FastTrack
offers in your deployments.
Additional information. For more information on FastTrack options, see the following article on
FastTrack for Microsoft 365 [3].
3 https://www.microsoft.com/microsoft-365/partners/fasttrack
User profiles
It is very important to understand the types of users throughout your organization. Do you have users
who are primarily mobile? Are they in constant meetings or giving presentations? Do you know which of
your users have the most difficulty with your existing collaboration solutions?
Segmenting your user community in this manner can help you identify groups that are most open to
change. They are often the best targets for your early business pilots, and their feedback is extremely
valuable. Understanding the “day in the life” of your users will help you prioritize your business outcomes,
design adoption goals appropriate for your deployment, and sustain usage over time.
The following table identifies some typical user profiles.
Champions
It is essential that organizations initiate a Champions program. The purpose of such a program is to
recruit early Microsoft Teams enthusiasts and provide them with both resources and reasons to train their
fellow users and evangelize the benefits of Teams within the groups and organizations they could
influence. For many enthusiasts, the opportunity to promote a technology about which they feel
passionate is its own reward.
Identifying the individuals who can become your collaboration champions provides you with an extended
support team that can provide essential feedback regarding your implementation plans. The incentive for
those individuals selected for this program is that it provides them with early insight into the company’s
plans and enables them to provide feedback to effect change that will improve their daily processes. Any
investment you make in this community, whether it be time, attention, or rewards, will be returned to
your implementation through their support and evangelism.
Champions will help to:
●● Create the groundswell and enthusiasm that grows adoption of improved business processes.
●● Build a circle of influence among their teams.
●● Bring to life across teams the new ways of working.
●● Identify business challenges and possible solutions.
●● Provide feedback to the project team and sponsors.
For a successful Champions program, individuals from all types of user profiles are required to maximize
the range and efficiency of their benefits for a Teams deployment.
Additional information. Microsoft provides different guides and toolkits to support companies in rolling
out Teams.
●● https://aka.ms/TeamsSuccessKit
●● https://aka.ms/MicrosoftAdoption
Add-on | Functionality
Audio Conferencing | The audio-conferencing feature provides the functionality to add dial-in phone numbers to meetings, for joining a meeting from the PSTN network.
Toll free numbers for dial-in access to conferences | Toll free numbers allow you to add local numbers to conferences, where participants can join a meeting without paying fees for international calling.
Phone System | The phone system feature allows users to use traditional PBX features from their on-premises PBX solution or from Office 365.
Calling Plans | Calling plans require the phone system licenses and provide capabilities to perform calls into the PSTN network. They are available as “Domestic Calling” and “International Calling”.
Microsoft Teams Rooms | This feature brings video, audio, and content sharing to conference rooms.
Communications Credits | Provides a way to pay for Audio Conferencing and Calling Plan minutes, if a voice connection is not covered by an audio conferencing or calling plan.
Combining the Teams add-on features with an existing Office 365 subscription can be confusing and
requires an understanding of Office 365 licensing in general.
For example, if you want to provide additional telephony features to existing users:
Additional considerations
Starting on January 1, 2020, Teams users will be able to send Urgent Messages with Priority Notifications
according to the terms of their subscription, with reporting on priority notification usage on the admin
backend. When this new feature is available, some licensed Teams users (E1/F1/Business Basic (formerly
Business Essentials)) will only be able to send up to 5 priority messages per month, while users with
higher subscriptions (E3/E5/Business Standard (formerly Business Premium)) will be able to send unlimited
priority messages.
Virtual users, such as auto attendants with an assigned phone number, also require licenses to obtain
calling features. Resource accounts can be assigned either a free Phone System–Virtual User license or a
paid Phone System user license.
Important: Because Office 365 is under continuous development, available services and licenses change
continuously. Teams administrators should always be ready to adapt to changes in the license
requirements and to new opportunities for rolling out Microsoft Teams in companies. For the latest update
on licensing, please refer to Office 365 licensing for Microsoft Teams [4].
4 https://docs.microsoft.com/en-us/microsoftteams/office-365-licensing
●● The Microsoft Teams Commercial Cloud Trial offer is a fully functional but time-limited trial offer,
valid for 1 year of testing Teams in companies. Each Commercial Cloud Trial offer license includes a
set of twelve different standalone licenses, such as Exchange foundation and SharePoint Online Kiosk
with 2 GB of storage in SharePoint Online, to provide the basic functionality that is required to use
Teams. For users licensed with standalone or other Office 365 subscription plans, the limitations of the
corresponding licenses apply.
Note: Syndication Partner Customers and GCC, GCC High, DoD, and EDU customers are not eligible for the
Microsoft Teams Commercial Cloud Trial offer. If an organization is ineligible for the Microsoft Teams
Commercial Cloud Trial offer, they will not see the “Let users install trial apps and services” switch.
All trials within an organization share the same start and end dates, which is the date the first user signed
up for the trial. For example, if user A starts the first trial on January 25, 2019 and user B starts a trial on
June 3, 2019, both users' trial will expire on January 25, 2020.
The Teams (free) licenses can be upgraded to fully featured Office 365 subscriptions, or to a fully featured
tenant with Microsoft Teams Commercial Cloud Trial offer licenses, valid for one year of testing.
Note: Limiting group and team creation can slow your users’ productivity, because many Office 365
services require that groups be created for the services to function.
After you’ve determined your requirements, you can implement them by using Azure AD controls.
Teams lifecycle
In Teams, each individual team has its own lifecycle with the following sequence:
1. Initiate (beginning)
2. Active (middle)
3. Sunset (end)
Broadly speaking, the lifecycle of a team within Microsoft Teams encompasses both configuration (static
settings and policies) and management (dynamic per team during the lifecycle).
Proactive administrator activities include initiating creation of teams (including owners, members,
channels, and so on), and sunsetting of teams as required by the business. Reactive administrator
activities include changing team settings on behalf of the owner and adding team owners for orphaned
teams.
In the middle stage, collaboration takes place according to an established workflow, with team members
interacting toward common goals within team channels. Decision points that should be considered in this
stage include:
●● Who will monitor usage to identify problems?
●● What metrics will be used to determine team health?
●● Identifying any teams that have reached the end of their useful life.
●● Identifying unhealthy teams that still serve a purpose but need revitalizing.
The end stage occurs when a team has concluded its useful lifecycle, normally for a finite project. In this
stage, you formally acknowledge the closing of the team and delete teams you no longer need. Deleting
teams is actually a soft delete that IT can reverse for up to 21 days (30 days for Microsoft 365 Groups).
Deleting teams does not affect any chats or content that were retained in accordance with compliance
policies. Important decision points related to the end stage include:
●● Defining what the end of a team’s life looks like.
●● Deciding whether to keep a team’s stored content available, and for how long.
●● Documenting best practices and lessons learned.
●● Archiving data, if necessary.
The Teams Admin Center enables administrators to manage and create teams, to create teams policies,
manage phone devices and telephony numbers, locations and emergency addresses, meeting settings
and policies, such as live event settings and policies, messaging policies, the teams apps settings and
policies, organization-wide settings for sharing, guest access, resource accounts, and all calling settings.
The portal also provides links to the legacy portal, the call quality dashboard for troubleshooting, and to
StaffHub.
To access the Teams Admin Center, a user must be assigned to one of the following admin roles:
●● Global Administrator
●● Teams Admin
●● Teams communication admin
●● Skype for Business admin (might be deprecated in the future)
After installing the module, it is loaded into all new PowerShell sessions and the cmdlets are available for
configuring policies and settings, such as creating and managing teams.
Before you can work with the Teams PowerShell module, you must establish a connection to a tenant by
running the following cmdlet:
Connect-MicrosoftTeams
If you want to see a list of all the cmdlets that are included in the Microsoft Teams PowerShell module,
you should run the following command:
Note: The Teams PowerShell module is still under development and transitioning from the Skype for
Business PowerShell module. As such, additional cmdlets will be showing up soon.
For more information, please refer to Teams PowerShell Overview [5].
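Once connected, the module can also support the governance tasks described earlier, such as finding orphaned teams and reviewing guest membership. The script below is an added example, not part of the handbook; it uses the module's Get-Team and Get-TeamUser cmdlets, and the report columns and output file name are assumptions.

```powershell
# Added example, not from the handbook. Assumes the MicrosoftTeams module is
# installed and the signed-in account holds a Teams admin role.
Connect-MicrosoftTeams | Out-Null

$report = foreach ($team in Get-Team) {
    # One membership query per team; Role is 'owner', 'member' or 'guest'.
    $users  = @(Get-TeamUser -GroupId $team.GroupId)
    $owners = @($users | Where-Object { $_.Role -eq 'owner' })
    $guests = @($users | Where-Object { $_.Role -eq 'guest' })

    # Collect the conditions an administrator or reviewer should follow up on.
    $findings = @()
    if ($owners.Count -eq 0) {
        $findings += 'orphaned: no owner'
    }
    elseif ($owners.Count -eq 1) {
        $findings += 'single owner'
    }
    if ($guests.Count -gt 0) {
        $findings += 'has guests: confirm business need'
    }

    [pscustomobject]@{
        Team       = $team.DisplayName
        GroupId    = $team.GroupId
        Visibility = $team.Visibility
        Archived   = $team.Archived
        OwnerCount = $owners.Count
        GuestCount = $guests.Count
        Guests     = ($guests.User -join '; ')
        Findings   = ($findings -join ', ')
    }
}

# Show only the teams that need attention, orphaned teams first.
$report |
    Where-Object { $_.Findings } |
    Sort-Object OwnerCount, Team |
    Format-Table Team, OwnerCount, GuestCount, Findings -AutoSize

# Keep the full result as a record for the review (file name is an assumption).
$report | Export-Csv -Path .\teams-membership-review.csv -NoTypeInformation
```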
5 https://docs.microsoft.com/en-us/MicrosoftTeams/teams-powershell-overview
6 https://docs.microsoft.com/en-us/graph/api/resources/teams-api-overview?view=graph-rest-1.0
Desktop clients
The Microsoft Teams desktop client provides a full-featured experience, including real-time
communications support (audio, video, and content sharing) for team meetings, group calling, and private
one-on-one calls.
Advantages of the Teams desktop client include auto-start, which ensures that you’ll stay signed in and
won’t miss any important notifications, as well as more features and a more granular management
experience.
The desktop client can be installed either individually by users or rolled out by IT in a mass deployment.
Windows
The Microsoft Teams desktop client is available in 32-bit and 64-bit architecture and can be installed on
Windows (8.1 or later) and Windows Server (2012 R2 or later). Additionally, Teams requires .NET
Framework 4.5 or later.
MAC
Mac users can install Teams by using a PKG installation file for macOS computers with OS version 10.10 or
later. Administrative access is required to install the Mac client. The macOS client is installed to the
/Applications folder.
Web client
The web client is a fully-functional client that can be used from a variety of browsers. The browser must
be configured to accept third-party cookies. There is no plugin or download required to run Teams in a
web browser.
The web client performs browser version detection upon connecting to https://teams.microsoft.com. If an
unsupported browser version is detected, it will block access to the web interface and recommend that
the user download the desktop client or mobile app. Microsoft Teams supports the following internet
browsers with some exceptions.
Mobile clients
The Microsoft Teams mobile apps are available for Android and iOS platforms. They are targeted to
on-the-go users who participate in chat-based conversations, and they enable peer-to-peer audio calls.
The mobile apps can be downloaded directly from their respective vendor mobile stores, such as Google
Play and the Apple App Store, or by being pushed through Microsoft Intune.
With Microsoft 365 Groups, organizations can give a group of people access to a collection of
collaboration resources for those people to share, including a shared Outlook inbox, a shared calendar, a
SharePoint document library, etc. Instead of manually assigning users’ permissions to resources, adding
members to Microsoft 365 Groups automatically grants users permissions to all assets associated with the
group.
A Microsoft 365 Group can be created directly from the Microsoft 365 admin center or indirectly through
the creation of associated workloads, such as a planner or a team. When a user creates a team from the
Teams client, a Microsoft 365 Group with the same name as the team is created automatically behind the
scenes. Although Microsoft 365 Groups can be provisioned via multiple means, this could easily get out of
control without proper governance.
Office 365 has a rich set of tools to manage and govern Microsoft 365 Groups at scale. The following table
provides an overview of governance capabilities:
1 https://docs.microsoft.com/en-us/office365/admin/create-groups/plan-for-groups-governance
5. In the Group email address field, type an email address for the group, for example
SalesDepartment@contoso.com, and optionally enter a description in the Description field.
6. From the Privacy drop-down menu, choose Private or Public.
7. Under the Owner section, select Select owner, then choose the user who will be the owner of the group,
and then select Add.
Once the group is created, it will appear in Outlook with members assigned to it.
You'll see a notice indicating you have distribution lists (also called distribution groups) that are
eligible to be upgraded to Microsoft 365 Groups.
3. Select one or more distribution lists (also called a distribution group) from the groups page.
4. Select the upgrade icon.
5. On the information dialog, select Yes to confirm the upgrade. The process begins immediately.
Depending on the size and number of DLs, the process can take several minutes or up to some hours.
If the distribution list can't be upgraded, a dialog appears with a notification.
6. If you are upgrading multiple distribution lists, use the drop-down list to filter which distribution lists
have been upgraded. If the list isn't complete, wait a while longer and then select Refresh to see
what's been successfully upgraded.
There's no notice that tells you when the upgrade process has completed for all DLs you selected. You
can figure this out by looking to see what's listed under Available for upgrade or Upgraded DLs.
7. If you selected a DL for upgrade, but it still appears on the page as Available to upgrade, then it failed
to upgrade. If the upgrade of a list fails it will remain as a distribution list without having any impact
on the list.
The following script upgrades all eligible distribution lists by looping through the results of the Get-EligibleDistributionGroupForMigration cmdlet.
To upgrade all distribution lists possible, you need to use the Get-EligibleDistributionGroupForMigration cmdlet. For example, if you want to upgrade all eligible distribution lists to a Microsoft 365 Group, run the following:
Get-EligibleDistributionGroupForMigration | ForEach-Object { Upgrade-DistributionGroup -DlIdentities $_.PrimarySmtpAddress }
A distribution list will not be eligible for an upgrade if it fulfills any of the following criteria:
| Property | Eligible? |
|---|---|
| On-premises managed distribution list. | No |
| Nested distribution lists. Distribution list either has child groups or is a member of another group. | No |
| Distribution lists with member RecipientTypeDetails other than UserMailbox, SharedMailbox, TeamMailbox, MailUser | No |
| Distribution list which has more than 100 owners | No |
| Distribution list which only has members but no owner | No |
| Distribution list which has alias containing special characters | No |
| If the distribution list is configured to be a forwarding address for Shared Mailbox | No |
| If the DL is part of Sender Restriction in another DL. | No |
| Security groups | No |
| Dynamic Distribution lists | No |
| Distribution lists which were converted to RoomLists | No |
| Distribution lists where MemberJoinRestriction and/or MemberDepartRestriction is Closed | No |
To manage a Microsoft 365 Group with PowerShell, use the Set-UnifiedGroup cmdlet. For example, to configure the “Sales Department” group to receive mail from unauthenticated (external) senders, run the following cmdlet:
# -Identity selects the group to change (-DisplayName would set a new display name instead)
Set-UnifiedGroup -Identity "Sales Department" -RequireSenderAuthenticationEnabled $false
$GroupName = "<SecurityGroupName>"
$AllowGroupCreation = "False"
Connect-AzureAD
if(!$settingsObjectID){
$settingsCopy = $template.CreateDirectorySetting()
if($GroupName)
2 https://docs.microsoft.com/en-au/office365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide
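The fragment above uses the variables of a script that limits Microsoft 365 Group creation to the members of one security group. The following complete version is an added example, not the course's own script; it assumes an Azure AD PowerShell module that includes the *-AzureADDirectorySetting cmdlets, and <SecurityGroupName> is a placeholder.

```powershell
# Added example, not the course's own script.
# <SecurityGroupName> is a placeholder for the security group whose members
# should remain able to create Microsoft 365 Groups.
$GroupName = "<SecurityGroupName>"
$AllowGroupCreation = "False"   # "False" = only members of $GroupName may create groups

Connect-AzureAD

# Resolve the group first and stop unless exactly one exact match exists,
# so a typo or an ambiguous name never writes an empty or wrong group ID.
$allowedGroup = @(Get-AzureADGroup -SearchString $GroupName |
    Where-Object { $_.DisplayName -eq $GroupName })
if ($allowedGroup.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($allowedGroup.Count)."
}

# Find the tenant's Group.Unified settings object; create it from the template if absent.
$settingsObjectID = (Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq "Group.Unified" }).Id
if (!$settingsObjectID) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy | Out-Null
    $settingsObjectID = (Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq "Group.Unified" }).Id
}

# Apply the restriction to a fresh copy of the stored settings and save it.
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
$settingsCopy["GroupCreationAllowedGroupId"] = $allowedGroup[0].ObjectId
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Read the stored values back to confirm what is actually enforced.
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values |
    Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId" }
```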
Administrators will need to create the group classifications so that users can use them when they create a
group.
To define the classifications “Standard, Internal, Confidential”, use the following cmdlet:
$Template = Get-AzureADDirectorySettingTemplate | Where {$_.DisplayName -eq "Group.Unified"}
Next, you should associate a description with each classification by using the settings attribute ClassificationDescriptions, where Classification should match the strings in the ClassificationList.
For example, to add a description to the classifications Standard, Internal and Confidential, run the following cmdlet:
$Setting["ClassificationDescriptions"] = "Standard: General communication, Internal: Company internal data, Confidential: Data that has regulatory requirements"
To verify that the classification configuration was added correctly, display the contents of $Setting.Values.
3 https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-settings-cmdlets
To save the setting to Azure AD and make sure they can be used by your users, you need to run the
following cmdlet:
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
Note: It might take up to one hour until the classification settings are available for all users.
You can also create a group and assign a classification at the moment of the group creation. For example, to create a new private group named ResearchDepartment@contoso.com with the classification Internal, run the following cmdlet:
New-UnifiedGroup "ResearchDepartment@contoso.com" -Classification "Internal" -AccessType "Private"
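The classification steps above, combined into one script that checks ClassificationList and ClassificationDescriptions against each other before anything is saved. This is an added example, not the course's own code; it assumes an Azure AD PowerShell module with the *-AzureADDirectorySetting cmdlets and an existing Group.Unified settings object in the tenant.

```powershell
# Added example, not the course's own script.
Connect-AzureAD

# Classifications and descriptions taken from the examples on this page.
$classifications = @("Standard", "Internal", "Confidential")
$descriptions = [ordered]@{
    "Standard"     = "General communication"
    "Internal"     = "Company internal data"
    "Confidential" = "Data that has regulatory requirements"
}

# Both settings are stored as comma-delimited strings, so this example rejects
# names or descriptions that contain a comma, and names that contain a colon.
foreach ($name in $classifications) {
    if ($name -match '[,:]') { throw "Classification '$name' contains ',' or ':'." }
}
foreach ($name in $descriptions.Keys) {
    if ($name -notin $classifications) {
        throw "Description supplied for '$name', which is not in the classification list."
    }
    if ($descriptions[$name] -match ',') {
        throw "Description for '$name' contains a comma."
    }
}

# Classifications without a description are reported rather than silently accepted.
$undescribed = $classifications | Where-Object { -not $descriptions.Contains($_) }
if ($undescribed) { Write-Warning "No description for: $($undescribed -join ', ')" }

# Assumption: the tenant already has a Group.Unified settings object.
$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $Setting) {
    throw "No Group.Unified settings object found. Create one from the Group.Unified template first."
}

$Setting["ClassificationList"] = $classifications -join ","
$pairs = $descriptions.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }
$Setting["ClassificationDescriptions"] = $pairs -join ","
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

# Read the saved object back from Azure AD instead of trusting the local copy.
(Get-AzureADDirectorySetting -Id $Setting.Id).Values |
    Where-Object { $_.Name -like "Classification*" } |
    Format-List Name, Value
```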
Note: For more information about required Azure AD PowerShell modules to create classification lists,
please refer to Azure Active Directory cmdlets for configuring group settings4.
3. Next, on the Expiration page, you can specify:
●● Group lifetime (in days) - Set the group lifetime in days with the default of 180, 365 or custom. The custom setting requires a lifetime of at least 30 days.
4 https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-settings-cmdlets
●● Email contact for groups with no owners - Specify an email address where the renewal and
expiration notifications should be sent when a group has no owner. If the group does not have an
owner, the expiration emails will go to a specified administrator.
●● Enable expiration for these Microsoft 365 Group (All, Selected, None) – Select the Microsoft 365 Groups for which you would like to configure this expiration policy. Depending on your preferences, you can set the policy for all of the groups within your company, for only selected groups, or you can turn it off entirely by selecting None.
4. To finish the configuration, select the Save button.
Who can configure and use the Microsoft 365 Groups expiration policy?
Group expiration is a feature that is included in an Azure AD Premium subscription. This license is
required for the administrator who needs to configure the settings and the members of the affected
groups – they all need to have Azure AD Premium licenses assigned to them.
There are two types of roles within a company which have different privileges when it comes to expiration
policies:
| Role | Permissions |
|---|---|
| Global administrator, Group administrator, Partner Tier2 support, and Intune administrator | Can restore any deleted Microsoft 365 Group |
| User administrator and Partner Tier1 support | Can restore any deleted Microsoft 365 Group except those groups assigned to the Company Administrator role |
| User | Can restore any deleted Microsoft 365 Group that they own |
For additional information, please refer to:
●● Configure the expiration policy for Microsoft 365 Groups5
●● Restore a deleted Microsoft 365 Group in Azure Active Directory6
5 https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-lifecycle
6 https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-restore-deleted
6. When you are done setting up the required settings, click the Save button.
$Setting.Values
2. Set the group name prefixes and suffixes, for example the prefix “GRP_”:
$Setting["PrefixSuffixNamingRequirement"] ="GRP_[GroupName]"
3. To configure custom blocked words that you want to restrict, for example Payroll and CEO, run the following cmdlet:
$Setting["CustomBlockedWordsList"]="Payroll,CEO"
Licensing requirements
Using the Azure AD naming policy for Microsoft 365 Groups requires that you, as the administrator who creates the policy, have an Azure Active Directory Premium P1 license or Azure AD Basic EDU license assigned. In addition, each unique user (including guests) that is a member of one or more Microsoft 365 Groups must have a similar license.
For additional information see Groups naming policies7.
| Report | Description |
|---|---|
| Teams usage report | An overview of the usage activity in Teams, including the number of active users and channels, guests, and messages in each team. You can quickly see how many users across your organization are using Teams to communicate and collaborate. |
| Teams user activity report | An overview of the types of activities that users in your organization perform in Teams. |
| Teams device usage report | The information about how users connect to Teams. You can use the report to see the devices that are used across your organization, including how many use Teams from their mobile devices when on-the-go. |
| Teams live event usage report | An overview of the activity for live events held in your organization, including event status, start time, views, and production type for each event. |
| Teams PSTN blocked users report | The information about the users in your organization who are blocked from making PSTN calls in Teams. |
| Teams PSTN minute pools report | An overview of audio conferencing and calling activity in your organization by showing you the number of minutes consumed during the current month. |
7 https://docs.microsoft.com/en-au/office365/admin/create-groups/groups-naming-policy?view=o365-worldwide
| Report | Description |
|---|---|
| Teams PSTN usage report - Calling Plans | An overview of calling and audio conferencing activity for Calling Plans in your organization, including the number of minutes that users spent in inbound and outbound PSTN calls and the cost of these calls. |
| Teams PSTN usage report - Direct Routing | An overview of calling and audio conferencing activity for Direct Routing in your organization, including the SIP address and call start and end times. |

| Item | Definition |
|---|---|
| Active user | Measures the number of unique users who perform an action in Teams during the specified date range. |
| Active channel | Measures the number of channels of a team in which users perform an action during the specified date range. |
Microsoft 365 usage analytics content represents a dashboard that provides a cross-product view of the
last 7 days, 30 days, 90 days, and 180 days. Data won't exist for all reporting periods right away. The
reports become available within 48 hours.
8 https://docs.microsoft.com/en-us/microsoftteams/teams-analytics-and-reports/teams-reporting-reference
●● User activity
Executive summary
The executive summary section provides an insight into how the services are being used, based on all the
users who have been enabled and users which are active. The information which is included in the report
refers to the latest complete month.
The executive summary offers an easy and quick understanding of the usage patterns in Microsoft 365, as
well as how and where your employees are collaborating.
Overview
The Overview section contains multiple types of reports, including:
●● Adoption – provides insight into adoption trends. This report contains information about how many users are enabled and how many users within the company are actively using Microsoft 365, as well as how many users are using the product for the first time.
●● Usage – provides information about the number of active users and the key activities for each product for the last 12 months.
●● Communication – provides information regarding Teams, Yammer, email, or Skype calls usage, so you can follow which tools your employees prefer.
●● Collaboration – provides information on OneDrive and SharePoint usage, and shows the way users in your company prefer to store documents and collaborate with each other, and how these trends evolve each month. In this section you can also follow how many documents are shared in or outside your organization, as well as how many SharePoint sites or OneDrive accounts are actively being used.
●● Storage – gives a report to track cloud storage for mailboxes, OneDrive, and SharePoint sites.
●● Mobility – provides information regarding the clients and devices which people are using to connect to email, Teams, Skype for Business, or Yammer.
Product usage
The Product usage report provides you with a detailed, separate report for each Microsoft 365 service (including Exchange, Microsoft 365 groups, OneDrive, SharePoint, Skype for Business, Teams, and Yammer). Every report contains total enabled vs. total active user reports, counts of the number of mailboxes, sites, groups, and accounts, as well as activity type reports where appropriate.
User activity
These reports are available only for some individual services and provide user-level detail usage data
joined with Active Directory attributes. Here, the Department Adoption report enables you to filter by
separate Active Directory attributes, so that you can easily view the active users across all individual
services, for the latest complete month.
Microsoft Teams user activity report
The Teams user activity report gives you a view of the most common activities that your users perform in Teams. This includes how many people engage in a chat in a channel, how many communicate via private chat message, and how many participate in calls or meetings. You can see this information for your whole organization, as well as for each individual user.
Microsoft Teams device usage report
The Teams device usage report provides you with information about how your users connect to Teams, including mobile apps. The report helps you understand which devices are popular in your organization and how many users work on the go.
9 https://docs.microsoft.com/en-us/office365/admin/activity-reports/activity-reports?view=o365-worldwide
Multifactor authentication
To increase the user's security during the Office 365 sign-in process, Microsoft Teams supports Multi-Factor Authentication (MFA), which is a two-step verification process. With MFA, a user signing in to an Office 365 account is required, after correctly entering the password, to choose a second option, such as a phone call, text message, or an app notification on their smartphone, in order to verify the login. With MFA, a user can sign in after the second authentication factor has been entered correctly. Multi-Factor Authentication is supported with any Office 365 plan that includes Microsoft Teams.
There are two supported authentication methods which differ from one another by the identity model:
●● Cloud only: offers the following second factor options:
●● Phone Call
●● Text Message
●● Mobile App Notification
●● Mobile App Verification Code
●● Hybrid setup (Synchronized or Federated Identity model): offers the following second factor
options:
●● MFA for Office 365
●● Azure MFA module (ADFS integrated)
●● Physical or virtual smart card (ADFS integrated)
Conditional Access policies apply actions to users who sign in to apps from their devices, depending on multiple conditions. Conditions might include user or group membership, IP location information, device, application, real-time risk detection, or Microsoft Cloud App Security information. You can choose to have Microsoft Teams as a cloud application that will be managed with Conditional Access policies. Conditional Access policies that are set for these cloud apps apply to Microsoft Teams when a user directly signs in to Microsoft Teams, on any client. Microsoft Teams is supported separately as a cloud app in Azure Active Directory Conditional Access policies. Conditional Access policies that are set for the Microsoft Teams cloud app apply to Microsoft Teams when a user signs in. However, you should also configure correct policies on other apps like Exchange Online and SharePoint Online, because users may still be able to access those resources directly.
The following are sample steps to create a Conditional Access policy for users in the Sales department while using Microsoft Teams, based on specified conditions:
1. Sign in to the Azure Active Directory admin center as a Global Administrator.
2. On the left pane, select All services and search for Conditional access, and then select Azure AD Conditional Access.
●● Select Conditions that you would like to include in the policy, such as the level of sign in risk,
device platform, physical locations, client apps and device state.
●● Choose what type of Access control you would like to deploy for the settings you configured in
the Assignments section.
●● Select Grant to choose which controls will be enforced, such as multi-factor authentication.
●● Select Session if you need to configure limited experience within a cloud app, such as app
enforced restriction.
5. Enable policy by selecting On in the Enable policy section and then click Create.
For more information, please refer to Common Conditional Access policies10.
10 https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common
6. Select the role to assign to the user (for example, Teams Communications Administrator), and then
select Save changes.
You can also assign admin roles in the Microsoft 365 admin center by selecting Roles in the left navigation pane, and then selecting the appropriate admin role, for example Teams communications support engineer. On the Teams communications support engineer page, select Assigned admins, and add the users you want to assign the role.
7. The Teams Service Administrator role is assigned to the user and it appears on the user’s Assigned
roles page.
At the moment of writing this course, most of the PowerShell tools for these admin roles are located in
the Skype for Business PowerShell module, and some of the cmdlets that these admin roles have access
to control shared settings that are also used for Skype for Business Online. The Skype for Business admin
role also has access to all the cmdlets in the Skype for Business PowerShell module.
For additional information see Use Microsoft Teams administrator roles to manage Teams12
13
12 https://docs.microsoft.com/en-us/microsoftteams/using-admin-roles
13 https://docs.microsoft.com/en-us/microsoftteams/manage-teams-skypeforbusiness-admin-center
Even though the user can still see the blocked file in the document library and
web, mobile, or desktop applications, it cannot be opened, copied, moved, or
shared. However, the malicious file can be deleted. Mobile device experience is
shown in the example below:
●● Identities. This category of reports provides data from Azure AD Risky Users report and Global Azure
AD admin roles. Reports are related to Microsoft Teams because of sign-in activity to Microsoft Teams
from different types of devices.
●● Data. This category of reports provides data from multiple sources, such as users with the most
shared files, DLP policy matches, false positives and overrides. Reports are related to Teams because
of data shared and accessed by Teams users.
●● Devices. This category of reports provides data from Microsoft Intune on devices at risk, device threat
analytics, device compliance, malware on devices and users with malware detection. Reports are
related to Microsoft Teams because of large numbers of mobile devices where Teams is installed.
●● Apps. This category of reports provides data from Cloud App Security on threats from different apps, such as privileged OAuth apps, suspicious admin activity, impersonations and cloud activity geographical locations. Reports are related to Microsoft Teams because of different apps that are integrated with Teams.
Files that are identified as malicious in Microsoft Teams will show up in the Microsoft Security and
Compliance center, in reports for Office 365 Advanced Threat Protection, in Explorer and real-time
detections.
To view the report for malicious files in Microsoft Teams, sign in to the Microsoft Security and Compliance center using the following URL: https://protection.office.com. Then go to Reports and select Dashboard.
ATP contains multiple reports including the following that are relevant to Microsoft Teams:
●● Threat Protection Status report - contains a single view about malicious content and malicious
email detected and blocked by Exchange Online Protection (EOP) as well as Office 365 ATP. This
report can display detections from events up to 90 days.
●● Explorer is a near real-time tool used to investigate and respond to threats in Office 365. Explorer
displays information about suspected malware and phish in email and files in Office 365, as well as
other security threats and risks to your organization.
1. In the Office 365 Security & Compliance Center, choose Reports > Dashboard > Threat Protection Status.
2. In the upper right corner of the report, choose View details table.
3. View the list of files that were detected in the report.
4. Select an item in the list to view detailed information, including actions taken, the file name, the file
path, and more.
5. Choose the Advanced Analysis tab to view information, such as observed behavior and analysis
details.
1. In the Office 365 Security & Compliance Center, choose Threat Management > Explorer.
2. In the upper right corner of the report, next to View, choose Malware under the Content menu.
3. View the list of files that were detected in the report.
4. Select an item in the list to view detailed information, including actions taken, the file name, the file
path, and more.
5. Choose the Advanced Analysis tab to view information, such as observed behavior and analysis
details.
1. Sign-in to the Office 365 Security & Compliance Center, and from the left navigation pane, select
Alerts and then choose Alerts policies.
2. Select New alert policy, and on the Name your alert page, specify policy name, choose severity
level, for example High, and choose category, for example Threat Management.
3. On the Create alert settings page, choose alert activity, for example Detected malware in file, and
choose the alert activity threshold, for example Every time an activity matches the rule.
4. On the Set your recipients page, enter the email address of the security admin who will be responsible for receiving and reviewing the alerts.
Sensitivity Labels
Sensitivity labels can help the users to classify documents and protect the sensitive content in the files.
The sensitivity labels enable data classification across the company and enforce protection based on that
classification, which helps users take the right actions on the right content and prevent the unwanted
leaking of information outside the organization.
Sensitivity labels are based on the Rights Management Services (RMS) available in Azure (Azure RMS) and
on-premises (AD RMS). Sensitivity labels are used to classify and protect documents with encryption and
central management capabilities to monitor access and even revoke access to documents, even when
they have left their own organization and perimeter of administrative access.
Sensitivity labels can be applied manually by end-users or automatically based on search patterns, while
processed by services such as mail flow rules in Exchange Online and in workflows.
In short, sensitivity labels protect the content of a document, even if the storage on which the data is
saved, is open for collaboration even with external participants.
Retention labels
In some organizational working environments, files contain data which needs different actions (in order to comply with industry regulations and internal policies). For example, you might store invoices that you need to retain for a certain period, or press materials that need to be permanently deleted when they reach a certain age. In these cases, retention policies in Office 365 are used to classify the content and enforce that it is automatically deleted or preserved after a certain period.
Retention policies allow you to enforce retention and deletion rules to whole storage locations, such as
Exchange mailboxes, SharePoint site collections or Teams and some entities within these locations. For
example, you can create a retention policy that retains the content of several teams for 7 years, if certain
keywords are found or data loss prevention policies (DLP) patterns match to stored data.
Another approach is to use retention labels. Scoping retention to files and applying labels to them also allows you to enforce retention and deletion based on events. For example, when you need to retain all data of employees that leave your organization for 10 years, you can create a retention label that retains all data for 10 years and trigger an event to act on all data of a user when they leave the organization.
Unified labeling describes the centralized management of labels, that can have retention and sensitivity
settings applied.
Note: Any item can have both, a sensitivity label and a retention label applied.
Permissions
If you need additional users within your organization to be able to create and manage sensitivity labels,
they will require permissions in order to access the Microsoft 365 compliance center, Microsoft 365
security center, or Office 365 Security & Compliance Center. The tenant admin will have access by default
to these admin centers and can give compliance officers and other people access without giving them all
the permissions of a tenant admin. In order to do so, it is recommended that you go to the Permissions
page of one of these admin centers, and then add members to the Compliance Administrator or
Security Administrator role group. These permissions are required only to create and apply labels and a
label policy. Policy enforcement does not require access to the content.
Create labels
You can create and manage both sensitivity and retention labels in the Office 365 Security & Compliance Center (Classification), the Microsoft 365 compliance center (Information protection, Records management and Information governance), and the Microsoft 365 security center.
Note: Because managing sensitivity and retention labels in the Microsoft 365 compliance center and Microsoft 365 security center is still in preview and being migrated from the Security & Compliance Center into both independent centers, this course will focus on the currently recommended way of managing labels in the Security & Compliance Center.
When creating labels in a production environment, you should consider these high-level steps:
1. Define the labels – Pick a fitting name that describes its purpose.
2. Define what each label can do – Information, protection, retention or deletion?
3. Define who gets the labels – Departments, project teams, single users?
After creating and configuring labels, you need to publish them, to make them available to people in
your organization, who can then apply the labels to content. Unlike retention labels, which are published
to locations, such as all Exchange mailboxes, sensitivity labels are published to users or groups. Sensitivity
labels then appear in Office apps for those users and groups.
Next, labels can be applied manually, as recommended for users or automatically to content, that
contains sensitive information. Automated assignment of labels may not be perfect, but it can have some
benefits, such as the following:
●● The users do not have to be trained on all your classifications.
●● Admins don't need to worry if users are classifying content correctly.
●● Users no longer need to know about the policies, and they can focus on their work.
Note: Automatic labeling is a feature that requires Azure Information Protection (AIP) Plan 2 licenses, that
are included for example in Microsoft 365 E5 subscriptions.
1. Log in to the Microsoft 365 compliance center with an account that has the necessary permissions to create labels.
2. Navigate to Solutions > Information protection.
3. Select + Create a label from the top pane.
4. A warning is shown, that asks you if you want to proceed, or if you rather want to migrate AIP labels
created in the legacy portal. Select Yes to proceed.
5. On the Name your label page, fill in the following information:
●● Label name: a name that describes the purpose of this label.
●● Tooltip: information for end users about when they should use this label.
●● Description: a good description that allows other administrators to understand the purpose of this label.
6. Select Next after filling in all required information.
7. On the Encryption page, you can decide to turn encryption for labeled documents On or Off. When
turning it On, additional fields need to be filled out:
●● Encryption: On activates encryption of labeled documents.
●● Assign permissions now or let users decide?: allows you to assign static protection, content expiration, offline access, and permissions to labeled documents, or lets the users choose these settings and intended permissions manually.
8. When all encryption options are configured, including all settings for static or user-based permissions,
select Next.
9. On the Content marking page, you can decide to turn on marking of labeled documents.
●● Content marking: On activates the marking of documents.
●● Add a watermark: adds a watermark with customizable text to the document.
●● Add a header: adds a header with customizable text to the document.
●● Add a footer: adds a footer with customizable text to the document.
10. Select Next after filling in all required information.
11. On the Endpoint data loss prevention page, you can decide to activate protection of business data on
client devices, such as Windows 10. This feature is related to Windows Information Protection (WIP).
●● Endpoint data loss prevention: On protects documents against data leakage on Windows 10 devices.
12. Select Next after turning this feature On or Off.
13. On the Auto labeling page, you can decide to apply labels automatically, based on DLP preconfigured or custom search patterns (Sensitive information types).
●● Auto labeling: On activates automatic classification with labels.
●● Detect content that contains: provides conditions for auto-labeling.
●● When content matches these conditions: provides options to recommend a label only or to apply it automatically.
●● Message displayed to user provides a customizable message to the user, if the conditions for this
label are met.
14. After configuring the automatic labeling settings, select Next to proceed.
15. On the Review your settings page, you can review your settings once more and select Create this
label to finish the creation.
1. Log in to the Microsoft 365 compliance center with an account that has the necessary permissions to create labels.
2. Navigate to Solutions > Records management.
3. Select + Create a label from the top pane and retention label from the dropdown menu.
4. On the Name your label page, fill in the following information:
●● Name a name that describes the purpose of this label.
●● Description for admins a meaningful description for admins, to understand the purpose and
background of this label.
●● Description for users a meaningful description for end-users to explain the purpose of this label,
when they work with labeled documents. You can leave this blank for the users to simply see the
configured settings of this label.
5. Select Next after filling in all required information.
6. On the File plan descriptors page, fill in the following:
●● Reference Id a unique ID for further processing and documentation.
●● Business function/department: which business function or department do these documents relate to?
●● Category: which category do these documents fit into?
●● Authority type: which type of requirement is met with this label?
●● Provision/citation: which regulatory requirements does this label relate to?
7. These fields are not mandatory. After filling in the file plan descriptors, select Next.
8. On the Label settings page, you can turn on the retention settings.
●● Retention On, activates retention for labeled documents.
●● When this label is applied to content… provides the action that shall be done with labeled
documents.
●● Label classification declares labeled documents as records, which prevents editing the file after
labeling it.
9. After configuring the retention settings, select Next.
10. On the Review your settings page, you can review your settings once more and select Create this
label to finish the creation.
1. Log in to the Microsoft 365 compliance center with an account that has the necessary permissions to create labels.
2. Navigate to Solutions > Information protection.
3. Select the Label policies tab and Publish labels from the top pane.
4. On the Choose sensitivity labels to publish page, select Choose labels to publish.
5. On the Choose labels page, select + Add and select one or more labels from the list.
6. Select Add, Done and Next on the following pages.
7. On the Publish these sensitivity labels page, you can choose the users to publish the labels to. Select Choose users or groups to select users, or leave the default settings to publish the labels to all users.
8. Select Next, to go to the Policy settings.
9. Configure the following policy settings:
●● Apply this label by default to documents and email defines a default label.
●● Users must provide justification to remove a label or lower classification label defines whether users need to provide a business justification if they want to remove or change a label.
●● Requires users to apply a label to their email or documents defines whether all elements need to have a label.
●● Provide users with a link to a custom help page allows you to provide a customized help page.
10. Select Next to continue.
11. On the Name your policy page, enter a meaningful name and a description, to document the
purpose of this policy.
12. Select Next, to review your settings and Publish, to finish the creation of the policy.
Follow these steps to publish retention labels:
1. Log in to the Microsoft 365 compliance center with an account that has the necessary permissions to create labels.
2. Navigate to Solutions > Records management.
3. Select the Label policies tab and Publish labels from the top pane.
4. On the Choose labels to publish page, select Choose labels to publish.
5. On the Choose labels page, select + Add and select one or more labels from the list.
6. Select Add, Done and Next on the following pages.
7. On the Choose locations page, you can create an org-wide policy or select specific locations. When
selecting specific locations, you can also include or exclude single recipients, sites, accounts and
Microsoft 365 Groups (including teams).
8. After selecting your desired locations, select Next.
9. On the Name your policy page, enter a meaningful name and a description, to document the
purpose of this policy.
10. Select Next, to review your settings and Publish labels, to finish the creation of the policy.
Note: Depending on the locations that you publish retention labels to, it can take from 24 hours to 7 days for those retention labels to appear for end users. For more information, please refer to Published retention labels14.
14 https://docs.microsoft.com/en-us/microsoft-365/compliance/labels
●● Get-RetentionComplianceRule
●● Get-RetentionCompliancePolicy
Additional information and example scripts are available at Bulk create and publish retention labels by
using PowerShell15.
15 https://docs.microsoft.com/en-us/microsoft-365/compliance/bulk-create-publish-labels-using-powershell
then define retention policies for these locations (also shown in the diagram).
Now, when you turn on the Teams channel messages toggle, you can specify the teams to which this policy will apply. For example, you can set a deletion policy of 1 year for team A and team B (by selecting both individually) and apply a 2-year deletion policy to the rest of the teams.
This option is also available for Teams chats, by selecting specific users and applying unique retention policies.
The Teams channel message and Teams chats storage locations address the Teams conversations stored
in Exchange Online mailboxes (user and group mailboxes). All the messages will be deleted from all
relevant storage locations (mailboxes, substrate and chat service).
To manage retention policies for Teams files, which are stored in OneDrive for Business and SharePoint, you need to use the retention policies of those services. Since deletion policies for Teams files need to be set in the SharePoint Online and OneDrive for Business locations, it's possible that a policy could delete a file referenced in a Teams chat or channel message before those messages get deleted (the file will still be visible in the Teams message, but if you try to open the file, you will get the error message “File not found”). This can also happen without a policy, for example if someone manually deletes a file from SharePoint Online or OneDrive for Business.
Important: Teams chat and channel messages are not affected by retention policies applied to user or
group mailboxes in the Exchange or Microsoft 365 Groups locations. Even though Teams chat and
channel messages are stored in Exchange, they're affected only by a retention policy that's applied to the
Teams location.
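The team A/B scenario above can also be set up with the Security & Compliance Center PowerShell module. This is an added example, not part of the handbook; it assumes an existing session, and the team addresses and the policy and rule names are placeholders.

```powershell
# Added example. Assumes an existing Security & Compliance Center PowerShell session.
# Team addresses and all policy/rule names are placeholders.
$shortLivedTeams = 'teamA@contoso.com', 'teamB@contoso.com'

# Policy 1: channel messages of team A and team B only.
New-RetentionCompliancePolicy -Name 'Teams channels - delete after 1 year' `
    -TeamsChannelLocation $shortLivedTeams

New-RetentionComplianceRule -Name 'Teams channels - 1 year rule' `
    -Policy 'Teams channels - delete after 1 year' `
    -RetentionDuration 365 `
    -RetentionComplianceAction Delete

# Policy 2: channel messages of all other teams. Team A and team B are
# excluded so that each team is covered by exactly one deletion policy.
New-RetentionCompliancePolicy -Name 'Teams channels - delete after 2 years' `
    -TeamsChannelLocation All `
    -TeamsChannelLocationException $shortLivedTeams

New-RetentionComplianceRule -Name 'Teams channels - 2 year rule' `
    -Policy 'Teams channels - delete after 2 years' `
    -RetentionDuration 730 `
    -RetentionComplianceAction Delete

# Check that both policies exist and have been distributed to the Teams location.
Get-RetentionCompliancePolicy -DistributionDetail |
    Format-Table Name, Enabled, DistributionStatus

# Check the duration and action of each rule.
Get-RetentionComplianceRule |
    Format-Table Name, RetentionDuration, RetentionComplianceAction
```

Neither policy touches the files shared in those channels; those still need policies on the SharePoint Online and OneDrive for Business locations.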
16 https://support.office.com/article/overview-of-retention-policies-5e377752-700d-4870-9b6d-12bfc12d2423
With Data Loss Prevention policies, organizations can identify, monitor, and automatically protect
sensitive information across their Office 365 environment.
DLP policy can help you to:
●● Identify sensitive information across many locations (Exchange Online, SharePoint Online, OneDrive
for Business and Microsoft Teams)
●● Prevent the sharing of sensitive information by accident
●● Monitor and protect sensitive information in the desktop versions of Excel, PowerPoint and Word.
●● View DLP reports (with content that matches your organization's DLP policies).
In this case, the user tried to send a social security number in a Microsoft Teams channel. The message
was blocked and there is a help link What can I do?. This link will open a dialog box which provides
options for the sender to resolve the issue.
As an admin, you can choose to allow users to override a DLP policy in your organization. When you configure your DLP policies, you can use the default policy tips, or customize policy tips for your organization. In the example below you can see that the sender can opt to override the policy, or notify an admin to review and resolve it.
While the sender received the error message and options to override the DLP policy, the recipients see a different message on the screen, as shown below:
You may notice that the recipients are receiving information that the message was blocked due to
sensitive content, and there is a link right next to the message: What's this? which will open an article
about DLP policies, where the users can find an explanation why the message was blocked.
9. On the next Choose locations page, deselect all other locations than Teams chat and channel
messages. You could now include and exclude single locations or leave all activated.
10. Select Next.
11. On the Customize the type of content you want to protect page, you can edit the conditions again
and configure an action to perform, if the conditions are met. By selecting Use advanced settings
you can fine-tune the high and low rules, to modify thresholds and create additional rules. Don’t
change the selection and select Next.
12. On the last What do you want to do if we detect sensitive info? page, you can configure the
following settings:
●● Show policy tips to users and send them an email notification. Shows policy tips and email
notifications on violating the DLP policy conditions.
●● Detect when content that's being shared contains: Sets the threshold, when the high actions
are triggered, to perform different actions if a higher number of sensitive data matches occur.
●● Send incident reports in email If the threshold is met or exceeded, an incident report is sent to
the creator of the policy and the global admins.
●● Restrict access or encrypt the content allows you to block access to the file or encrypt it, if the
threshold is met or exceeded.
13. After configuring the desired settings, select Next.
14. On the Do you want to turn on the policy or test things out first? page, you can select from
different settings, how to enable the new DLP policy:
●● Yes, turn it on right away activates the policy right after creation.
●● I'd like to test it out first does not enforce the policy, but policy tips can already be displayed to users when their actions meet the DLP policy conditions.
●● No, keep it off. I'll turn it on later. leaves the policy deactivated.
15. Select Next and on the Review your settings page, select Create.
Note: DLP policies can contain Teams and non-Teams locations at the same time.
DLP protection in Teams Chat requires a different license than DLP protection for SharePoint Online, OneDrive, and Exchange Online. For additional information see Data Loss Prevention and Microsoft Teams17.
17 https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams
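The wizard steps above have a PowerShell equivalent, which makes the rollout mode explicit and easy to review. This is an added example, not part of the handbook; it assumes an existing Security & Compliance Center PowerShell session, and the policy and rule names are placeholders.

```powershell
# Added example. Assumes an existing Security & Compliance Center PowerShell session.
# Policy and rule names are placeholders chosen for this example.
$policyName = 'Teams - U.S. SSN'

# Scope the policy to Teams chat and channel messages only and start in test
# mode with policy tips (the "I'd like to test it out first" option).
# Other values for -Mode: Enable (turn it on right away), Disable (keep it off).
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detects U.S. Social Security Numbers in Teams chat and channel messages' `
    -TeamsLocation All `
    -Mode TestWithNotifications

# One rule: act when at least one SSN is detected, show a policy tip to the
# sender, allow an override with a business justification, and send an
# incident report.
New-DlpComplianceRule -Name 'Block SSN in Teams' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin

# After reviewing the matches from the test period, enforce the policy.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Confirm the scope and the mode that is now in effect.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, TeamsLocation
```

Starting in TestWithNotifications lets you see how many legitimate messages would be blocked before the policy starts interrupting users.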
●● eDiscovery cases, to add holds and perform content searches in an organized case management
structure. (Core)
●● Advanced eDiscovery cases, to analyze large sets of unstructured data that need additional automation through relevance recognition. (Advanced)
As an administrator, you can use eDiscovery to add members to a case, control what types of actions specific case members can perform, place a hold on content locations relevant to a legal case, and associate multiple Content Searches with a single case.
eDiscovery permissions
The roles for managing eDiscovery include different levels of access and controls, to comply with the data protection requirements of most organizations. While the compliance administrator, which is a part of the global administrator role, can create and modify cases, holds and searches, that role cannot preview or export any search results. The dedicated eDiscovery roles can also work with the found data, but these roles are not assigned to any user by default, not even to the global administrator.
The following table shows the different permissions for eDiscovery:
3. On the New case pane on the right side, enter a meaningful Case name and a Case description that
tells the purpose of this case. Then select Save.
Now, the case that you have created will be shown in the list of cases on the eDiscovery page and it is
ready to add holds and searches.
7. In the Export results window, select the desired Output options and how the Exchange content should be arranged in the PST file(s).
14. Go back to your browser session, where the Exports tab is open, select Copy to clipboard below
Export key and paste this key to the eDiscovery Export Tool.
15. Now you can select Browse to select a location and Start to run the export process.
| Scenario | Consideration |
| --- | --- |
| Guest-to-guest chats | Guests do not have a mailbox in the target tenant, and without a mailbox, guest-to-guest chats (1xN chats in which there are no home tenant users) would not be indexed and, as a result, would not be included in eDiscovery. To facilitate eDiscovery for guest-to-guest chats, a cloud-based mailbox (or phantom mailbox) is created to store the 1xN data. After the Teams chat data is stored in the cloud-based mailbox, it is indexed for eDiscovery and compliance content search. |
| eDiscovery of private channels | Messages sent in private channels are saved in the user mailboxes of the channel members, with an indication of which private channel they come from, and files in private channels are stored on independent SharePoint site collections. Since eDiscovery of single channels is not supported, searches must be performed over the whole team and every member's user mailbox location. |
| Placing private channel messages on hold | This scenario is currently not supported, but it is possible to put the mailboxes of all channel members on hold and search their mailboxes for required content. |
In conclusion, put the following locations on hold, to retain the data:
●● Microsoft Teams Private Chats: User mailbox
●● Microsoft Teams Channel Chats: Group mailbox used for the team
●● Microsoft Teams Content (e.g. Wiki, Files): SharePoint site used by the team
●● Private Content: OneDrive for Business site of the user
Note: Placing a user on hold does not automatically place a group on hold or vice-versa.
For additional information see eDiscovery cases in the Security & Compliance Center18.
18 https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery-cases
samples, you can use supervision policies to analyze only a certain amount of data from supervised users
and groups.
You can define policies that capture internal and external email, Microsoft Teams, or 3rd-party communications. Reviewers can then examine the messages to make sure that they are compliant with your organization's message standards and resolve them with a classification type.
| Location | Description |
| --- | --- |
| Exchange email | Emails and attachments stored in Exchange Online mailboxes can be searched with supervision policies. |
| Microsoft Teams | Chat communication and attachments of public and private channels can be supervised. Conditions for supervision policies are processed every 24 hours against Teams chat for monitoring and reports. |
| Skype for Business Online | Chat communication and attachments are available for supervision and conditions for chats are also processed every 24 hours for monitoring and reports. |
| Third-party sources | Data imported from third-party sources, for example through a connector that imports data from Facebook or Twitter, can be supervised. |
Component Description
Direction The direction describes the communication way
and this setting is mandatory. The direction of
communication can be:
If it was not already turned on, you have now turned on scoped directory search, a prerequisite for using information barriers.
Note: You need to wait at least 24 hours after enabling scoped directory search before you can set up or
define information barrier policies.
For more information see Define Information Barrier policies19.
19 https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers-policies
Additional information about Office 365 Data Subject Requests for the GDPR and CCPA can be found at
Office 365 Data Subject Requests for the GDPR and CCPA20.
20 https://docs.microsoft.com/en-us/microsoft-365/compliance/gdpr-dsr-office365
| Situation | Action |
| --- | --- |
| Members are added to a team | Whenever a user is added to a team, the user is evaluated against the information barrier policies of other team members. After the user is successfully added, the user can perform all functions in the team without further checks. If the user's policy blocks them from being added to the team, the user will not show up in search. |
| A new chat is requested | Each time a new chat is requested between two or more users, the chat is evaluated to make sure that it isn’t violating any information barrier policies. If the conversation violates an information barrier policy, then the conversation isn’t initiated. |
| A user is invited to join a meeting | When a user is invited to join a meeting, the user's policy is evaluated against the policies of other team members, and if there’s a violation, the user will not be allowed to join the meeting. |
| A screen is shared between two or more users | Any time a screen is shared between two or more users, the screen share must be evaluated to make sure that it doesn’t violate the information barrier policies of other users. If an information barrier policy is violated, the screen share won’t be allowed. |
| A user places a phone call (VOIP) in Teams | Any time a voice call is initiated by a user to another user or group of users, the call is evaluated to make sure that it doesn’t violate the information barrier policies of other team members. If there is any violation, the voice call is blocked. |
| Guest Users in Teams | Information barrier policies apply to guest users in Teams too. If guest users need to be discoverable in your organization's global address list, see Manage guest access in Microsoft 365 Groups. Once guest users are discoverable, you can define information barrier policies. |
If an information barrier policy is changed by an administrator, the Information Barrier Policy Evaluation
Service automatically searches the members to ensure that members of the Team are not violating any
policies. If there are any new violations, the following actions are taken:
●● If a chat between two participants violates a policy, the chat is set to read-only and no new messages
can be sent.
●● If participants in a group chat violate a changed or new policy, the affected participants are removed
from the chat and they can see the conversation history in read-only.
●● If team members violate a policy, they are removed from the team.
Information barriers is an advanced compliance feature and requires the appropriate licenses. The feature is available for users with one of the following licenses:
●● Microsoft 365 E5
●● Office 365 E5
●● Office 365 Advanced Compliance
●● Microsoft 365 E5 Information Protection and Compliance
Permissions for information barrier policies
To define or edit information barrier policies, administrators must be assigned to one of the following
roles:
●● Microsoft 365 global administrator
●● Office 365 global administrator
●● Compliance administrator
●● IB Compliance Management
●● Directory data: because information barriers rely on user attributes, the directory data for each user must be up to date and completely set.
●● Scoped directory search: needs to be turned on.
●● Audit logging: for checking the status of a policy application, audit logging must be turned on before beginning to configure segments or policies.
●● Address book policies: no address book policies can already exist in Exchange.
●● PowerShell: with the Security & Compliance Center module, to configure information barriers.
●● Admin consent for information barriers in Microsoft Teams: to enable the information barrier service to take administrative actions in your tenant. As an admin, you can use the following steps to enable information barrier policies to work as expected in Microsoft Teams:
1. Run the following PowerShell cmdlets:
2. When prompted to sign in, use your work or school account for Office 365 that has the above-mentioned permissions to grant admin consent in your tenant.
3. In the Permissions requested dialog box, review the information, and then select Accept.
3. Repeat step 2 for all required segments.
21 https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers-attributes
2. Run the following cmdlet and replace policyname with a meaningful name and both segment1name and segment2name with the names of two different segments, to block the communication between both segments:
New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segment1name" -SegmentsBlocked "segment2name"
2. Run the following cmdlet and replace GUID with an existing information barrier policy ID, to switch
the policy to active:
Set-InformationBarrierPolicy -Identity GUID -State Active
3. Then run the following cmdlet to start information barriers in your tenant:
Start-InformationBarrierPoliciesApplication
After approximately 30 minutes, policies are applied, user by user, for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. (As a general guideline, it takes about an hour to process 5,000 user accounts.)
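The three cmdlets above fit together as follows when two segments must not communicate in either direction. This is an added example, not part of the handbook; it assumes an existing Security & Compliance Center PowerShell session, the segment names, Department values and policy names are placeholders, and the Guid property read from the returned policy objects is an assumption.

```powershell
# Added example. Assumes an existing Security & Compliance Center PowerShell session.
# Segment names, Department values and policy names are placeholders.

# Segments are defined by a filter on a directory attribute, which is why the
# directory data of every user has to be complete before you start.
New-OrganizationSegment -Name 'Sales'    -UserGroupFilter "Department -eq 'Sales'"
New-OrganizationSegment -Name 'Research' -UserGroupFilter "Department -eq 'Research'"

# A block is defined from both sides: one policy per assigned segment.
# Both policies are created inactive so they can be reviewed first.
$policies = @(
    New-InformationBarrierPolicy -Name 'Sales-blocks-Research' `
        -AssignedSegment 'Sales' -SegmentsBlocked 'Research' -State Inactive
    New-InformationBarrierPolicy -Name 'Research-blocks-Sales' `
        -AssignedSegment 'Research' -SegmentsBlocked 'Sales' -State Inactive
)

# Review what is about to be enforced.
$policies | Format-Table Name, AssignedSegment, SegmentsBlocked, State

# Switch each policy to active, using its ID as in the handbook step.
# (Guid is assumed to be the property that holds the policy ID.)
foreach ($policy in $policies) {
    Set-InformationBarrierPolicy -Identity $policy.Guid -State Active
}

# Start applying all active policies to the users in the tenant.
Start-InformationBarrierPoliciesApplication

# Applying policies runs in the background; poll the status instead of
# assuming the block is in effect as soon as the cmdlet returns.
Get-InformationBarrierPoliciesApplicationStatus
```

Until the application status reports completion, users in the two segments may still be able to reach each other.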
For additional information, please refer to:
●● Information barriers in Microsoft Teams22.
●● Define policies for information barriers23
22 https://docs.microsoft.com/en-us/MicrosoftTeams/information-barriers-in-teams
23 https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers-policies
Note: Alert policies require auditing enabled in your tenant. Check and activate auditing by navigating to
the Security & Compliance Center > Search > Audit log search. If auditing is not yet activated in your
tenant, you will be informed by a message in the dashboard that offers a button to activate it right away.
1. Administrators create new or modify existing policies in the Security & Compliance Center that
monitor unusual user or admin activity.
2. A user or administrator performs actions that match the conditions and trigger an alert policy, such as creating an eDiscovery case or possibly adding full access permissions to a mailbox.
3. An alert is generated, and the corresponding alert action is triggered, such as sending an email to all global administrators. Additionally, an alert entry is created in the alert dashboard in the Security & Compliance Center.
4. Administrators review alerts in the alerts dashboard and decide to acknowledge or dismiss the alert.
Note: There are currently up to 22 default alert policies available, present in any existing and new tenants
and dependent on the existing subscriptions in a tenant.
Additionally, the Role Based Access Control (RBAC) permissions assigned to users in your organization
determine which alerts a user can see on the View alerts page based on the alert category. For example:
●● Members of the Records Management role group can view only the alerts that are generated by
alert policies that are assigned the Data governance category.
●● Members of the Compliance Administrator role group can't view alerts that are generated by alert
policies that are assigned the Threat management category.
●● Members of the eDiscovery Manager role group can't view any alerts because none of the assigned
roles provide permission to view alerts from any alert category.
For more information, please refer to RBAC permissions required to view alerts24.
Important: When changing the status of an alert in the Security & Compliance Center, the status of the alert in the Cloud App Security portal won’t be updated. So, administrators must decide and communicate where they want to manage the alerts for their organization.
24 https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies
select Next.
6. On the Decide if you want to notify people when this alert is triggered page, you can specify the recipients of the notification and the daily notification limit.
Select Next.
7. On the Review your settings page, you can review the alert settings and decide to turn on the policy
right away or later. Select Finish when everything is configured as desired.
2. Log in to your tenant with the Security & Compliance Center PowerShell module:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
4. Create a new alert policy that notifies admin@contoso.com when a content search is deleted.
New-ProtectionAlert -Name "Content search deleted" -Category Others -NotifyUser admin@contoso.com -ThreatType Activity -Operation SearchRemoved -Description "Custom alert policy to track when content searches are deleted" -AggregationType None
5. When the cmdlet has finished, you can see the settings of the new alert policy. As you can see, the status parameter ‘Disabled’ is set to ‘false’, which means the policy is already active.
6. You can make any changes you wish by using the following cmdlet.
Set-ProtectionAlert -Name "Content search deleted"
Viewing alerts
If you are assigned to valid RBAC roles for viewing alerts, you can navigate to the Security & Compliance
Center and view active and already acknowledged alerts.
You can perform different actions on alerts, such as:
●● Assign a status to alerts (as Investigating, Resolved, or Dismissed)
●● View alert details
●● Suppress email notifications - turn off
●● Resolve alerts
Module 3 Prepare the environment for a Microsoft Teams deployment
It is recommended the transition from Skype for Business to Teams be performed in stages. You can
review the upgrade framework1 from Microsoft. It’s important to understand how the two applications
coexist, when and how they interoperate, and how to manage users’ migration all the way to their
eventual upgrade from Skype for Business to Teams.
You will need to analyze your existing environment and deployed functionalities, understand your
business requirements, and evaluate compatibility of all existing solutions and devices for moving to
Teams.
Considering the overlapped functionalities between the solutions, you may need to review the available
coexistence and upgrade modes in order to determine which path is appropriate for your organization.
For example, you may decide to introduce Teams to target users with selected Teams features before
rolling out to the whole organization. You would then use the outcome from the pilot project to assess
the most appropriate upgrade path for your organization.
Keep in mind that having the option to upgrade does not mean that your organization is ready for this
upgrade. It is recommended that you test first to ensure that your network is ready to support Teams and
develop an adoption plan prior to upgrading users to Teams.
Islands
In this coexistence mode, called “Islands”, each of the client applications operates as a separate island.
Skype for Business talks to Skype for Business, and Teams talks to Teams. Users are expected to run both
clients at all times and can communicate natively in the client from which the communication was
initiated.
1 https://docs.microsoft.com/en-us/MicrosoftTeams/upgrade-framework
TeamsOnly
A Teams Only user (also called an upgraded user) has access to all the capabilities in Teams. They may
retain the Skype for Business client to join meetings on Skype for Business that have been organized by
non-upgraded users or external parties. An upgraded user can continue to communicate with other users
in the organization who are still using Skype for Business by using the interoperability capabilities
between Teams and Skype for Business (provided these Skype for Business users are not in Islands mode).
However, an upgraded user can't initiate a Skype for Business chat, call, or meeting.
As soon as your organization is ready for some or all users to use Teams as their only communications
and collaboration tool, you can upgrade those users to Teams Only mode.
Note: Even if the SfBOnly mode is meant to have the collaboration features of Teams disabled, in the
current implementation, teams and channels are not automatically turned off for the user. This can be
achieved by using the App Permissions policy to hide teams and channels.
The following diagram shows different scenarios and possible paths to move workloads to Teams:
Upgrade journeys
When you are upgrading from Skype for Business to Microsoft Teams (either online or on-premises), there are two approaches:
●● Direct upgrade journey
●● Gradual upgrade journey
In case your organization is currently a Skype for Business on-premises deployment only, you need to
start planning to implement Skype for Business hybrid before upgrading your users to Teams Only
mode.
While switching between modes, you need to consider whether there are any features that are only available in Skype for Business, e.g. a complex Enterprise Voice deployment, which might take more time to upgrade.
You can see the gradual upgrade journey illustrated in the following diagram:
For more information, see Microsoft Teams and Skype for Business coexistence and interoperability at
https://aka.ms/SkypeToTeams-Coexist.
Deployment Resources
FastTrack is a team at Microsoft designed to help IT professionals and partners get the tools, resources,
and guidance needed to move to Microsoft 365, Azure, and Dynamics 365 with confidence. That means
helping you discover what’s possible, create a plan for success, and onboard new users and capabilities at
a flexible pace.
FastTrack can provide you with personalized assistance at any time, as long as your subscription is active.
For more information about FastTrack: https://fasttrack.microsoft.com/
Take advantage of this comprehensive guide and toolset for planning and managing Microsoft Teams.
This self-service guidance serves as the methodology behind the FastTrack services for Microsoft Teams.
FastTrack provides guidance for the planning, delivery, and adoption of Microsoft Teams for your
organization when you meet FastTrack eligibility requirements.
when granting either of these modes, then specify MigrateMeetingsToTeams $false in
Grant-CsTeamsUpgradePolicy (if using PowerShell) or uncheck the box to migrate meetings
when setting a user's coexistence mode (if using the Teams admin portal).
●● Admin uses the PowerShell cmdlet Start-CsExMeetingMigration. In addition to automatic
meeting migrations, admins can manually trigger meeting migration for a user by running the cmdlet
Start-CsExMeetingMigration. This cmdlet queues a migration request for the specified user. In
addition to the required Identity parameter, it takes two optional parameters, SourceMeetingType
and TargetMeetingType, which allow you to specify how to migrate meetings.
Manage MMS
By using the Skype for Business Online PowerShell module, admins can check the status of running
migrations, manually trigger meeting migrations, and disable migrations altogether.
In order to check the status of meeting migrations, you can use the Get-CsMeetingMigrationStatus
cmdlet. For example, to get a summary status of all MMS migrations, run the following cmdlet, which
provides a tabular view of all migration states:
Get-CsMeetingMigrationStatus -SummaryOnly
If you would like to check the status of migration for a user, you can use the
Get-CsMeetingMigrationStatus cmdlet with the Identity parameter. For example, to check the status of
migration for user JoniS@contoso.com, use the following cmdlet:
Get-CsMeetingMigrationStatus -Identity JoniS@contoso.com
If MMS is enabled in the organization and you want to check if it is enabled for audio conferencing
updates, check the value of the AutomaticallyMigrateUserMeetings parameter in the output
from Get-CsOnlineDialInConferencingTenantSettings. To enable or disable MMS for audio
conferencing, use Set-CsOnlineDialInConferencingTenantSettings.
For example, to disable MMS for audio conferencing, run the following cmdlet:
Set-CsOnlineDialInConferencingTenantSettings -AutomaticallyMigrateUserMeetings $false
2. On the Teams upgrade page, from Coexistence mode options, choose one of the following options
for your organization:
●● Islands
●● Skype for Business only
●● Skype for Business with Teams collaboration
●● Skype for Business with Teams collaboration and meetings
●● Teams only
Note: Starting September 1, 2019, all new Office 365 tenants are onboarded directly to Teams for
chat, meetings, and calling. Thus, you will not see the options to select Coexistence mode.
3. You can enable Notify Skype for Business users that an upgrade to Teams is available while not
selecting Teams only mode.
4. On the Teams upgrade page, you can select the Preferred app for users to join Skype for Business
meetings:
●● Skype Meetings app
●● Skype for Business
5. You can also enable Download the Teams app in the background for Skype for Business users.
6. Select the Save button to save your changes.
3. On the user page, on the Account tab, under Teams upgrade section, select Edit.
4. On the Teams Upgrade page, choose one of the following options for the selected user:
●● Use Org-wide settings
●● Islands
●● Skype for Business only
●● Skype for Business with Teams collaboration
●● Skype for Business with Teams collaboration and meetings
●● Teams only
5. Select Apply.
6. If you select any Coexistence mode (except Use Org-wide settings), you will have the option to
enable notifications in the user's Skype for Business app, which will inform the user that the upgrade
to Teams is coming soon. Enabling this for the user is done by turning on the Notify the Skype for
Business user option.
Or, for configuring a TeamsOnly policy for the whole organization, run the following cmdlet:
Grant-CsTeamsUpgradePolicy -PolicyName TeamsOnly -Global
Plan and configure network settings for Microsoft Teams
| Bandwidth (up/down) | Scenarios |
|---|---|
| 30 kbps | Peer-to-peer audio calling |
| 130 kbps | Peer-to-peer audio calling and screen sharing |
| 500 kbps | Peer-to-peer quality video calling 360p at 30fps |
| 1.2 Mbps | Peer-to-peer HD quality video calling with resolution of HD 720p at 30fps |
| 1.5 Mbps | Peer-to-peer HD quality video calling with resolution of HD 1080p at 30fps |
| 500 kbps/1 Mbps | Group Video calling |
| 1 Mbps/2 Mbps | HD Group video calling (540p videos on 1080p screen) |
For more information, see Prepare your organization's network for Microsoft Teams [2] or go to
https://aka.ms/PerformanceRequirements.
2 https://docs.microsoft.com/en-us/microsoftteams/prepare-network
3. On the Network Planner page, select the Personas section, review the default personas, and then
select Add persona if you’d like to add a custom persona.
4. On the Add persona page, provide the persona name and description. Under the Permissions section,
select from the following services: Audio, Video, Screen sharing, File sharing, Conference audio,
Conference video, Conference screen sharing and PSTN.
5. Select Apply.
Create a report
In order to create a report based on your network plan, perform the following steps:
1. Sign in to the Microsoft Teams admin center.
2. From the left navigation pane, select Planning, and then select Network Planner.
3. On the Network Planner page, under Network Plans section, select your network plan (for example,
NY Teams network plan).
4. On the plan page, select Report, and then select Add report.
5. On the Add report page, enter the report name, and in the Calculation section, choose the type of
persona, such as Office Worker or Remote Worker, and the number of each persona type.
6. Select Generate report.
7. On the report page, review the report including Type of service, and required bandwidth for different
services, such as Audio, Video, Screenshare, Office 365 server traffic and PSTN.
4. To start the Network Testing Companion, you can select the icon on your desktop or Start menu, or
you can run it from PowerShell by using the following cmdlet:
●● Invoke-NetworkTestingClient
Note: Even though more cmdlets are available than those for creating the shortcuts and starting the
tool, it is recommended to use the graphical interface for performing assessments.
Start the Network Testing Companion via PowerShell or shortcut, to perform testing of your machine:
1. Run the Network Testing Companion from your desktop or Start menu, or via PowerShell.
2. The tests on the left side are performed automatically during startup of the tool. Review the results for
your Windows operating system, Internet connection, Microsoft Teams or Skype-certified
device and Network Assessment Tool. If any of the tests reports unexpected issues, document the
results and make sure your client meets the basic requirements.
3. To perform a connectivity and quality test, select the Start button on the right side, below Network
connectivity and quality test. This will start a basic test with the default parameters. When the test is
completed, a green checkmark or a red cross tells you whether your client meets the minimum
requirements.
4. Select the View Results tab to review network connectivity and network quality data. If the tests have
been successful, you can see the details of the network quality test. If the quality tests have failed or if
the test results don't meet the minimum requirements, you will see a red cross.
5. On the same tab, you can also export the test results by selecting Report, to the left of the results.
6. Under Network connectivity and quality test, on the Settings tab, you can edit the tool settings,
such as consecutive audio tests, delay between tests and connectivity test timeout.
recommendations when using the test tool to find any bottlenecks in an existing networking environ-
ment:
●● Perform multiple tests at different times of the day and on different days of the week. There are
periods with lots of traffic and other periods when a network is mostly idling. Perform multiple tests in
your testing scenario to cover idle periods as well as busy periods, to avoid having large file transfers
in company networks interfering with your Teams voice traffic.
●● Deploy multiple clients with the Network Testing Companion spread across different segments of your
network. A segment may be capable of providing networking resources for a small number of clients,
but as soon as five or more users attempt to use voice services at the same time, it may break down.
To perform concurrent tests in different segments, the Network Testing Companion provides
customizable settings that allow you to run, for example, 50 tests with a delay of two minutes between each run.
This provides the ability to simulate heavy voice communication loads coming from multiple network
segments.
●● Run tests on all standard images available in your organization. One or more of the default clients
may be affected by orphaned GPOs or a third-party application that interferes with voice
communication, which can result in quality or connectivity issues.
●● Stay in close contact with your networking team while carrying out your planned test scenarios.
Provide the reports from the Network Testing Companion tool and discuss the network requirements
for deploying Microsoft Teams with the networking team. The networking team should have advanced
tools and monitoring systems to validate the network configuration.
The Network Testing Companion is a simple but at the same time very powerful tool to test an existing
network environment for bottlenecks and sources of disturbance. Plan your assessment scenarios
carefully and consider the best practices for best results.
manage these changes, you can end up with users blocked or with poor performance after a new IP
address or URL is added in Office 365, but the firewall team has not been informed.
Endpoints data is updated at the beginning of each month with new IP Addresses and URLs published 30
days in advance of being active. Endpoints may also be updated during the month if needed to address
support escalations, security incidents, or other immediate operational requirements. You can use RSS
feeds or the Office 365 IP Address and URL Web Service to get change notification.
It is recommended that you call the /version web method once an hour to check the version of the
endpoints that you are using to connect to Office 365. If this version changes when compared to the
current version in use, you should get the latest endpoint data from the /endpoints web method and
optionally get the differences from the /changes web method. It is not necessary to call the /endpoints
or /changes web methods if there has not been any change to the version you identified. You can also
get change notifications by using an RSS feed that can be subscribed to in Outlook. There are links to the
RSS URLs on each of the Office 365 service instance-specific pages for the IP addresses and URLs.
Examples:
●● The following URL returns the latest version of each Office 365 service instance:
https://endpoints.office.com/version [4]
●● To access the current Office endpoint data for worldwide tenants, simply check the following URL:
https://endpoints.office.com/endpoints/worldwide [5]
●● To get all the latest changes since July 2018 when the web service was first available, use
https://endpoints.office.com/changes/worldwide/0000000000 [6]
Organizations can use this web service to:
●● Update PowerShell scripts to obtain Office 365 endpoint data and modify any formatting for network-
ing devices, such as firewalls.
●● Use this information to update PAC files deployed to client computers.
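The hourly /version check described above, sketched in PowerShell as an added example (not part of the course material and not Microsoft's own script). The function names, state-file path and sample endpoint sets are assumptions made for illustration; the JSON field names and the Skype service area, which covers Teams, are those the web service returns.

```powershell
# Added example. Sample endpoint sets are constructed; names are hypothetical.
$BaseUri   = 'https://endpoints.office.com'
$StatePath = Join-Path ([IO.Path]::GetTempPath()) 'o365-endpoint-state.json'  # assumed path

function Get-EndpointState {
    # Keep one request GUID and the last processed version between hourly runs.
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        return Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    }
    [pscustomobject]@{ ClientRequestId = [guid]::NewGuid().Guid; Version = '0000000000' }
}

function Test-NewerVersion {
    # Versions are fixed-width digit strings, so ordinal comparison orders them.
    # A missing value becomes '' and never counts as newer.
    param([string]$Current, [string]$Latest)
    [string]::CompareOrdinal($Latest, $Current) -gt 0
}

function ConvertTo-AllowListRow {
    # Flatten endpoint sets into one row per destination for a firewall or PAC build.
    param([object[]]$EndpointSet, [string]$ServiceArea = 'Skype')
    foreach ($set in $EndpointSet | Where-Object { $_.serviceArea -eq $ServiceArea }) {
        # A set may carry only IPs, only URLs, or both; drop the empty side.
        $destinations = @($set.ips) + @($set.urls) | Where-Object { $_ }
        foreach ($dest in $destinations) {
            [pscustomobject]@{
                SetId       = $set.id
                Category    = $set.category
                Destination = $dest
                TcpPorts    = $set.tcpPorts
                UdpPorts    = $set.udpPorts
            }
        }
    }
}

function Update-EndpointAllowList {
    # Live path: call /version first and fetch /endpoints only when the version moved.
    param([string]$Path = $StatePath, [string]$Instance = 'Worldwide')
    $state    = Get-EndpointState -Path $Path
    $query    = "?clientrequestid=$($state.ClientRequestId)"
    $versions = Invoke-RestMethod -Uri "$BaseUri/version$query"
    $latest   = ($versions | Where-Object { $_.instance -eq $Instance }).latest
    if (-not (Test-NewerVersion -Current $state.Version -Latest $latest)) { return }
    $sets = Invoke-RestMethod -Uri "$BaseUri/endpoints/$($Instance.ToLower())$query"
    # Record the new version so the next hourly run skips the download.
    $state.Version = $latest
    $state | ConvertTo-Json | Set-Content -LiteralPath $Path
    ConvertTo-AllowListRow -EndpointSet $sets
}

# Offline demonstration on constructed data (documentation address ranges and names).
$sample = @'
[
 {"id":11,"serviceArea":"Skype","ips":["192.0.2.0/24","2001:db8::/32"],"udpPorts":"3478-3481","category":"Optimize"},
 {"id":12,"serviceArea":"Skype","urls":["*.teams.example.test"],"tcpPorts":"80,443","category":"Allow"},
 {"id":1,"serviceArea":"Exchange","urls":["mail.example.test"],"tcpPorts":"443","category":"Optimize"}
]
'@ | ConvertFrom-Json

Test-NewerVersion -Current '2020010100' -Latest '2020013100'   # constructed version stamps
ConvertTo-AllowListRow -EndpointSet $sample | Format-Table -AutoSize
```

Run Update-EndpointAllowList from a scheduled task and hand its rows to the firewall team's change process instead of applying them unreviewed.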
For more information, refer to the following documentation:
●● Office 365 IP Address and URL web service [7]
●● Office 365 URLs and IP address ranges [8]
4 https://endpoints.office.com/version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
5 https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
6 https://endpoints.office.com/changes/worldwide/0000000000?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
7 https://docs.microsoft.com/en-us/office365/enterprise/managing-office-365-endpoints
8 https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
2. From the left navigation pane, select Locations, and then select Reporting labels.
3. On the Reporting labels page, select Upload locations data, and then select Select a file.
4. Browse for a file, select Open, and then select Upload.
The table below is just an example that you can follow in order to create your data file.
Note: A production data file should not contain column headers (e.g. Network, Network Name, etc.). The
headers in the above table are used here for informational purposes only.
Implement QoS
To provide QoS, network devices must have a way to classify traffic and be able to distinguish voice or
video from other network traffic. When network traffic passes through a router, it is placed into a
queue. If a QoS policy is not configured, there will be just one queue and all traffic will be
treated as first-in, first-out with the same priority.
When you implement QoS, you define multiple queues using one of several congestion management
features and congestion avoidance features. The following diagram illustrates building queues for
different types of traffic:
A simple analogy is that QoS creates virtual “carpool lanes” in your data network so some types of data
never or rarely encounter a delay. Once you create those lanes, you can adjust their relative size and
much more effectively manage the connection bandwidth you have, while still delivering business-grade
experiences for your organization's users. The following is a high-level overview for implementing QoS:
1. Verify if your network is ready for QoS
2. Select the desired QoS implementation method
3. Choose initial port ranges for each media type
4. Implement QoS settings on clients, routers and in Teams Admin center
5. Validate the QoS implementation by analyzing Teams traffic on the network
In a global organization with managed links that span continents, we strongly recommend QoS, as
bandwidth for those links is limited in comparison to the LAN.
You could implement QoS via port-based tagging, using Access Control Lists (ACLs) on your network
routers. Port-based tagging is the most reliable method because it works universally throughout all
platforms, such as mixed Windows and Mac environments, and is the easiest method to implement.
Your network's router examines an incoming packet. If the packet arrived using a certain port or range
of ports, it identifies it as a certain media type and puts it in the queue for that type, adding a
predetermined differentiated services code point (DSCP) marker to the IP packet header so other devices
can recognize its traffic type and prioritize it in their queue.
2. Group Policy Object (GPO)
You could also implement QoS by using a Group Policy Object (GPO) to direct client devices to insert
a DSCP marker in the IP packet headers identifying it as particular type of traffic, such as voice.
Routers and other network devices can be configured to recognize this and put the traffic in a
separate, higher-priority queue. This scenario works only for domain-joined Windows clients, so in the
event a device isn’t a domain-joined Windows client, it will not be enabled for DSCP tagging.
Clients such as Mac OS have hard-coded tags and will always tag traffic. In this case, controlling the
DSCP marking via GPO ensures that all domain-joined computers receive the same settings and that
they can be managed only by the designated administrator. Clients that can use a GPO will be tagged
on the originating device. Configured network devices can recognize the real-time stream by the
DSCP code and give it an appropriate priority.
3. Access Control Lists (ACLs) and Group Policy Object (GPO) combined
It is recommended to use a combination of DSCP markings at the endpoint and port-based ACLs on
routers, if possible. Using a Group Policy object to catch the majority of clients and also using
port-based DSCP tagging will ensure that mobile, Mac, and other clients will still get QoS treatment.
The most important configuration step in Teams is the classification and marking of packets. For end-to-
end QoS to be successful, you also need to carefully align the application’s configuration with the
underlying network configuration.
| Media traffic type | Client source port range | Protocol | DSCP value | DSCP class |
|---|---|---|---|---|
| Audio | 50,000–50,019 | TCP/UDP | 46 | Expedited Forwarding (EF) |
| Video | 50,020–50,039 | TCP/UDP | 34 | Assured Forwarding (AF41) |
| Application/Screen Sharing | 50,040–50,059 | TCP/UDP | 18 | Assured Forwarding (AF21) |

Note: The port ranges you assign cannot overlap and must be adjacent to each other.
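An added example (not from the course material) that checks a port plan against the rule in the note above and then builds endpoint-side DSCP policies with the Windows New-NetQosPolicy cmdlet, which configures policy-based QoS locally on one client. The function names and the Teams.exe application path are assumptions.

```powershell
# Added example. Port plan copied from the table above; function names are hypothetical.
$PortPlan = @(
    [pscustomobject]@{ Media = 'Audio';         Start = 50000; End = 50019; Dscp = 46 }
    [pscustomobject]@{ Media = 'Video';         Start = 50020; End = 50039; Dscp = 34 }
    [pscustomobject]@{ Media = 'ScreenSharing'; Start = 50040; End = 50059; Dscp = 18 }
)

function Test-PortPlan {
    # Returns a list of problems; an empty list means the plan is usable.
    param([object[]]$Plan)
    $sorted   = @($Plan | Sort-Object Start)
    $problems = @()
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $r = $sorted[$i]
        if ($r.End -lt $r.Start)               { $problems += "$($r.Media): end port below start port" }
        if ($r.Dscp -lt 0 -or $r.Dscp -gt 63)  { $problems += "$($r.Media): DSCP must be 0-63" }
        if ($i -gt 0) {
            $prev = $sorted[$i - 1]
            if ($r.Start -le $prev.End) {
                $problems += "$($prev.Media)/$($r.Media): ranges overlap"
            } elseif ($r.Start -ne $prev.End + 1) {
                $problems += "$($prev.Media)/$($r.Media): ranges are not adjacent"
            }
        }
    }
    return ,$problems   # comma keeps an empty result as an array
}

function Get-TeamsQosPolicy {
    # One parameter set per media type, ready to splat into New-NetQosPolicy.
    param([object[]]$Plan, [string]$AppPath = 'Teams.exe')   # assumed executable name
    foreach ($r in $Plan) {
        [ordered]@{
            Name                         = "Teams $($r.Media)"
            AppPathNameMatchCondition    = $AppPath
            IPProtocolMatchCondition     = 'Both'            # TCP and UDP
            IPSrcPortStartMatchCondition = $r.Start
            IPSrcPortEndMatchCondition   = $r.End
            DSCPAction                   = $r.Dscp
            NetworkProfile               = 'All'
        }
    }
}

function New-TeamsQosPolicy {
    # Validates first; creates policies only with -Apply (needs an elevated session).
    param([object[]]$Plan, [switch]$Apply)
    $issues = Test-PortPlan -Plan $Plan
    if ($issues.Count -gt 0) { throw ("Port plan rejected: " + ($issues -join '; ')) }
    foreach ($p in Get-TeamsQosPolicy -Plan $Plan) {
        if ($Apply) { New-NetQosPolicy @p | Out-Null }
        [pscustomobject]$p
    }
}

# Dry run: shows the three policies without changing the machine.
New-TeamsQosPolicy -Plan $PortPlan |
    Format-Table Name, IPSrcPortStartMatchCondition, IPSrcPortEndMatchCondition, DSCPAction

# A constructed bad plan: the video range now starts inside the audio range.
$bad = $PortPlan | ForEach-Object { $_.PSObject.Copy() }
$bad[1].Start = 50015
Test-PortPlan -Plan $bad      # reports the Audio/Video overlap
```

The same ranges must also be set on the Teams side and honored by the routers; a client-only policy marks packets that the network may still re-mark or ignore.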
2. Distribution of the client through software deployment is only for the initial installation of Microsoft
Teams clients and not for future updates.
●● Or through Terminal,
●● To install Teams using RPM package, type: sudo yum install TeamsDownloadFileName
●● To install Teams using DEB package, type: sudo apt install TeamsDownloadFileName
You need to change TeamsDownloadFileName to the Teams file name you downloaded. For example:
sudo yum install ./teams-insiders-1.2.00.26154-1.x86_64.rpm
3. You can launch Teams via Activities or via Terminal by typing Teams.
This is the default installation, which installs Teams to the %AppData% user folder. At this point,
the golden image setup is complete. Teams will not work properly with per-user installation on a
non-persistent setup.
●● Per-machine installation
msiexec /i <path_to_msi> /l*v <install_logfile_name> ALLUSER=1 ALLUSERS=1
This installs Teams to the Program Files (x86) folder on a 64-bit operating system and to the
Program Files folder on a 32-bit operating system. At this point, the golden image setup is
complete. Installing Teams per-machine is required for non-persistent setups.
3. The next interactive logon session starts Teams and asks for credentials.
Note: It's not possible to disable auto-launch of Teams when installing Teams on VDI using the ALLUSER
property.
If you need to uninstall the MSI from the VDI VM, run the following command:
msiexec /passive /x <path_to_msi> /l*v <uninstall_logfile_name>
Microsoft Intune, devices are automatically enrolled in Intune. After a device is enrolled, device
compliance is confirmed, and conditional access policies are applied to the device.
| To do this… | Do this |
|---|---|
| Change device information | Select a device > Edit. You can edit details such as device name, user information, asset tag, and add notes. |
| Manage software updates | Select a device > Update. You can view the list of software and firmware updates available for the device and choose the updates to install. |
| Restart a device | Select a device > Restart. |
| View device history | Select a device > History. You can view the update history for the device. |
| View diagnostics | Select a device > Diagnostics. |
7. Under Network settings, choose whether to enable DHCP and Logging, or whether to configure Host name,
Domain name, IP address, Subnet mask, Default Gateway, Primary and Secondary DNS, Device’s
default admin password and Network PC port.
8. Once you have completed the configuration profile settings, select Save.
After assigning a configuration profile, the settings of this profile will be applied to the selected devices.
ing list shows the key components of Microsoft Teams Rooms, which are responsible for delivering best
user experience:
●● Touchscreen control panel
●● Compute
●● Microsoft Teams Rooms application
●● Dock/extender
●● Peripheral devices (camera, microphone, speaker)
●● External screens (maximum of two)
●● HDMI input
Microsoft Teams Rooms are designed to be used with:
●● Microsoft Teams
●● Skype for Business Online
●● Skype for Business Server 2019
●● Skype for Business Server 2015
Note: Earlier platforms like Lync Server 2013 aren't expected to work with Microsoft Teams Rooms.
A Microsoft Teams Rooms system can be purchased in several configurations: bundled as a system with
separate components, or as an integrated unit. You will need to review the meeting rooms you have and
decide where you want to deploy Microsoft Teams Rooms and the peripheral devices that would be
appropriate for the room size.
For larger organizations, you will most likely coordinate these activities across several teams.
When you create an inventory of the equipment and capabilities in each existing room, your
requirements for that room feed into your device selection planning to create a rich conferencing
solution. The audio and video capabilities that are needed for each room, as well as the room size and
purpose, all play important roles in deciding which solution will be optimal for each room.
Also, you must check and confirm that the room doesn’t have excessive echo, noisy air conditioning, or
furniture getting in the way of the equipment. You should confirm there is enough power for the screens
and Microsoft Teams Rooms. There are many factors to consider that your audio-visual (AV) team or
specialized partner will be able to advise on.
Here are some of the key elements you need to think about: Which rooms are in scope for the current
deployment, which sites are in scope for your deployment and who will undertake the meeting rooms
inventory. After you consider these, you can review the rooms in scope and define Microsoft Teams
Rooms configurations for them.
Account provisioning
Each Microsoft Teams Rooms device requires a dedicated and unique resource account that must be
enabled for both Microsoft Teams or Skype for Business and additionally for Exchange. This account must
have a room mailbox hosted on Exchange and be enabled as a meeting room in the Teams or Skype for
Business deployment. In Exchange, you need to configure calendar processing so that the device can
automatically accept incoming meeting requests.
Note: Meeting scheduling features will not work without a device account.
It is recommended that you create display names for these accounts that are descriptive and easy to
understand. These are the names that users will see when searching for and adding Microsoft Teams
Rooms systems to meetings. For example, you can use the convention Site-Room Name(Max Room
Capacity)-RS, so Florida, a 20-person conference room in Orlando, might have the display
name ORL-Florida(20)-RS.
To create a new room mailbox, use the following syntax with Exchange Online PowerShell module:
New-Mailbox -Name "<Unique Name>" -Alias <Alias> -Room -EnableRoomMailboxAccount $true `
  -MicrosoftOnlineServicesID <Account> `
  -RoomMailboxPassword (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force)
Here’s an example configuring the settings on the room mailbox named Project-Rigel-01.
Set-CalendarProcessing -Identity "Project-Rigel-01" -AutomateProcessing AutoAccept `
  -AddOrganizerToSubject $false -DeleteComments $false -DeleteSubject $false `
  -RemovePrivateProperty $false -AddAdditionalResponse $true `
  -AdditionalResponse "This is a Skype Meeting room!"
For more information, please refer to Deploy Microsoft Teams Rooms with Office 365 [11].
| Scenario | Approach |
|---|---|
| Deploying a small number of Microsoft Teams Rooms devices (<10). | If using an integrated solution, deploy by using the vendor image and configure settings as required. |
| Deploying between 10 and 50 devices from a single vendor. | Create a WIM-based image and capture a distribution image to be used with your cloning distribution technology. |
| Deploying more than 50 Microsoft Teams Rooms devices, deploying devices from more than one vendor, or requiring organization-specific agents as part of the deployment. | Use a task sequencer–based software build and distribution platform, such as System Center Configuration Manager. |
Each Microsoft Teams Rooms device must have a valid and unique machine name on your network. Many
monitoring and alert systems display the machine name as a key identifier, so it’s important to develop a
naming convention for Microsoft Teams Rooms deployments that allows support personnel to easily
locate the Microsoft Teams Rooms that has been flagged as requiring an action. An example might be
using a pattern of MTR-Site-Room Name (MTR-ORL-Florida).
As part of the deployment, you’ll also need to consider your strategy for managing and configuring the
local accounts that are created by the Microsoft Teams Rooms application installer.
You can also use Microsoft Azure Monitor to monitor the Microsoft Teams Rooms deployment and report
on availability, hardware/software errors, and Microsoft Teams Rooms application version. If you decide
to use Microsoft Operations Management Suite, you should install the Operations Management Suite
agent as part of the software installation process and configure the workspace connection information
for your workspace.
11 https://docs.microsoft.com/en-us/microsoftteams/room-systems/with-office-365
An additional consideration is whether the Microsoft Teams Rooms will be domain-joined or a workgroup
member. Domain-joined deployment has multiple advantages, such as granting domain users and
groups administrative rights and importing your organization's private root certificate chain
automatically.
Device deployment
After you’ve deployed your software to the Microsoft Teams Rooms units, create your plan to ship the
devices and their assigned peripheral devices to your rooms, and then proceed to installation and
configuration. The following table shows an example of how you could document the enrollment of your
devices:
Testing
After the Microsoft Teams Rooms system has been deployed, you should test extensively that
everything works as planned. Check that the capabilities listed in Microsoft Teams Rooms help are
working on the deployed device. It’s highly recommended that your deployment team verifies that the
Microsoft Teams Rooms is logging to Microsoft Operations Management Suite, if used in your
organization. It’s also important that you make test calls and meetings to check quality.
It’s also recommended that, as part of the general Teams or Skype for Business rollout, you configure
building files for Call Quality Dashboard (CQD), monitor quality trends, and engage in the Quality of
Experience Review process.
Asset management
As part of the deployment, you’ll want to update your asset register with the room name, Microsoft
Teams Rooms device name, signed-in Microsoft Teams Rooms resource account, and assigned peripheral
devices (and which USB ports they use).
Module 4 Deploy and manage teams
Create a team
By default, all users can create teams using the Teams client and invite members unless you restrict the
creation of teams to Global Administrators or Teams Service Administrators. Administrators can also
create teams in the Teams admin center or PowerShell. Creating new Teams can be done by using one of
the following methods:
●● Teams Admin Center
●● Teams client
3. In the add a new team window, define the following:
●● Team Name
●● Description
●● Team owner
●● Privacy
●● Public – A team where everybody can join
●● Private – A team where you need an invitation.
●● Classification
4. Select Create a team.
4. On the What kind of team will this be? page, select the type of team you want to create.
Using PowerShell to create a team allows you to configure permissions for adding and deleting channels,
messages and users, modifying channels, blocking access to Giphy and posting memes instead of having
to go back and change these settings later.
Note: If you don’t specify an owner, the account running the PowerShell cmdlet (the user who creates the
team) will be added as both a member and an owner. For more information about other parameters,
please refer to New-Team [2].
Team properties supported by Teams templates Team properties not yet supported by Teams
templates
Base template type Files and content
Team name Team picture
Team description Channel settings
Team visibility (public or private) Connectors
Team settings (for example, member, guest, @
mentions)
Auto-favorite channel
Installed app
Pinned tabs
Team membership
There are two ways to create a team from a template:
●● Use an existing team as a template
●● Create a team from a base template
2 https://docs.microsoft.com/en-us/powershell/module/teams/new-team?view=teams-ps
MCT USE ONLY. STUDENT USE PROHIBITED 184 Module 4 Deploy and manage teams
Note: You cannot create a team from a different team using the Teams Admin Center or Teams
PowerShell.
You can create a team with the pre-defined template by using Microsoft Graph APIs [3] or the New-Team
cmdlet with the -Template parameter:
New-Team -DisplayName "CompSci 101" -Description "Official team for the CompSci 101 Class." -Template EDU_Class
3 https://docs.microsoft.com/en-us/graph/api/team-post?view=graph-rest-beta
upgraded group. The team will be created with a single channel named "General". To upgrade a group to
a team, you can use the following methods:
6. In the Add Microsoft Team to this group? prompt select Create a team to confirm that you want to
upgrade your existing group to a team.
4. On the Create a new team from something you already own page select Microsoft 365 Group.
5. On the Which Microsoft 365 Group do you want to use? page select the group you want to
upgrade.
6. Select Create.
4. On your SharePoint Team site page, on left pane, select Create a Team.
Once the SharePoint Team site is converted to a team, you will also see the Teams option on the
navigation pane when you open your Team site, which will lead you directly to open your site in Teams client:
Note: When an org-wide team is created, all global admins are added as team owners and all active
users are added as team members. Unlicensed users are also added to the team. The first time an
unlicensed user signs into Teams, the user is assigned a Microsoft Teams Commercial Cloud Trial license.
This license will expire after 12 months.
These types of accounts won't be added to your org-wide team:
●● Accounts that are blocked from sign in
●● Guest users
●● Service accounts
●● Room or equipment accounts
●● Accounts backed by a shared mailbox
As your organization's directory is updated to include new active users or if users no longer work at your company and their account is disabled, changes are automatically synced, and the users are added or removed from the team. Team members can't leave an org-wide team. As a team owner, you can manually add or remove users if needed.
When creating an org-wide team, consider the following things:
●● You can create up to 5 org-wide teams for your Office 365 tenant.
●● Each org-wide team can include up to 5,000 members.
●● If you don't see the Org-wide option when creating a team and you are a global admin, the feature may not yet have rolled out to your tenant, you may have reached the limit of five org-wide teams, or your organization might have more than the current size limit of 5,000 members. This limit might be increased in the future.
●● Rooms that are not a part of a room list, equipment, and resource accounts might be added or synced
to the org-wide team. Team owners can easily remove these accounts from the team.
●● All actions by the system to add or remove members are posted in the General channel. The channel
will also be marked as having new activity in the Teams client.
If you want to create an Org-Wide team, follow these steps:
1. In the Teams Client in the left panel select Teams, and then select Join or create a team on the
bottom of the left panel.
2. Select Create team in the main pane.
3. Select Build a team from scratch on the Create your team page.
4. On the What kind of team will this be? page, select Org-wide.
5. Define the following on the Some quick details about your org-wide team page:
●● Team Name
●● Description
6. Select Create.
Best practices
To get the most out of org-wide teams, you should consider the best practices from the following table:
Manage teams
As an admin, you may need to view or update the teams that your organization set up for collaboration,
or you might need to perform remediation actions such as assigning owners for ownerless teams. You
can manage the teams used in your organization using either the Microsoft Teams admin center or
Microsoft Teams PowerShell module.
Operations
You can use the Teams Admin Center to do the following operations with teams:
Operation | Details
Add | To add a new team, click Add. In the Add a new team pane, give the team a name and description, set whether you want to make it a private or public team, and set the classification.
Edit | To edit group and team-specific settings, select the team by clicking to the left of the team name, and then select Edit.
Archive | You can archive a team. Archiving a team puts the team into read-only mode within Teams. As an admin, you can archive and unarchive teams on behalf of your organization in the admin center.
Delete | Deleting a team is a soft delete of the team and corresponding Microsoft 365 Group. How to restore a soft-deleted team is covered in a following lesson.
Search | Search currently supports the string "Begins with" and searches the Team name field.
Team profile
You can navigate to the team profile page of any team from the main Teams overview grid by selecting
the team name. The team profile page shows the members, owners, and guests that belong to the team
(and its backing Microsoft 365 Group), as well as the team’s channels and settings. From the team profile
page, you can:
●● Add or remove members and owners.
●● Add or remove channels (note that you can't remove the General channel).
Using PowerShell
You can also use the Microsoft Teams PowerShell module to manage teams by using Set-Team and
Remove-Team cmdlets. For example, to change the description of the Finance Department team and
make it a private team, run the following:
Get-Team -DisplayName "Finance Department" | Set-Team -Description "This is the team for the finance department" -Visibility Private
The available cmdlets for managing teams from the Teams PowerShell module are:
●● New-Team
●● Get-Team
●● Remove-Team
Is there already a team that has these people as team members? | Does this work need to be kept private from other team members? | Are there multiple distinct topics to discuss? | Recommendation
Yes | Yes | Yes | Create a private channel in the existing team or consider creating dedicated private channels for each topic.
Yes | Yes | No | Create a private channel in the existing team.
Yes | No | No | Create a standard channel in the existing team.
No | No | No | Consider creating a new team.
No | No | Yes | Consider creating a new team and then, depending on the confidentiality of each topic, consider creating separate standard or private channels for each topic.
No | Yes | No | Create a new team or create a new private channel in an existing team.
Note: You cannot modify the channel type once created. A channel that was created as private will stay
private and a standard channel cannot be turned into a private channel.
To create a private channel, use the -MembershipType parameter and set it to Private:
Get-Team -DisplayName "CxO Team" | New-TeamChannel -DisplayName "Billing" -Description "A channel for requesting payment on your invoices." -MembershipType Private
Note: Using the -MembershipType parameter requires Teams PowerShell version 1.0.18 or newer.
To create a private channel on behalf of a user, without granting permissions to an administrator, use the following cmdlet:
Get-Team -DisplayName "CxO Team" | New-TeamChannel -MembershipType Private -DisplayName "Dunning" -Owner Alex.Wilber@contoso.com
●● When adding an existing notebook to a private channel, not everyone in the private channel will have access to the notebook by default, because they need separate access to the location where the notebook is hosted, such as another team's SharePoint site.
Note: It is currently not possible to restore channels from the Teams admin center or via the Teams
PowerShell module.
●● Private teams can only be joined when the team owner adds users to them.
●● Public teams are available for all users in your organization to join. Public teams are visible to everyone in the Teams gallery, and users can join a public team without having to get approval from the team owner.
●● Org-Wide teams have all members of an Office 365 tenant joined automatically.
By default, a private team will be discoverable in the Teams gallery and users can see some information
about the team.
3. Under Privacy select the privacy level you want this team to have.
4. Change the privacy level under Privacy. You can select the same settings that are described earlier in the lesson.
You can use the Set-Team cmdlet to disable the discoverability of individual teams:
Get-Team -DisplayName "CxO Team" | Set-Team -ShowInTeamsSearchandSuggestions $false
You can also create a policy to allow users to discover private teams:
New-CsTeamsChannelsPolicy -Identity WorkerPolicy -AllowPrivateTeamDiscovery $true
Grant-CsTeamsChannelsPolicy -Identity alex.wilber@contoso.com -PolicyName WorkerPolicy
Archive a team
If you archive a team, you put it in read-only mode. The team will still show up in search according to its visibility settings, and members can still access the existing content. The Teams client shows an icon next to the team name to indicate the team's archived status. Archiving a team might be beneficial if the team contains information that could still be useful later without the need to update or change content in that team.
Archiving can also be used as a first step in an approval process for team deletion. In that case, you archive the team for later review before deleting it.
Following are steps to archive a team in the Teams admin center:
1. In Teams admin center on the left pane select Teams, and then select Manage teams.
5. If you would like to make the SharePoint site for the team read-only, select the check box.
6. Select Archive to archive the team.
Note: You cannot use PowerShell to archive a team or restore it from its archived state.
Delete a team
If the team will not be required in the future, you can delete it rather than archiving it. Because an archived team is a team in "read-only" mode, you can also delete archived teams. Follow these steps to delete a team.
1. In the Microsoft Teams admin center, select Teams.
2. Select a team by clicking the team name.
3. Select Delete. A confirmation message will appear.
4. Select Delete to permanently delete the team.
You can also delete a team using the Microsoft Teams PowerShell module and the Remove-Team cmdlet:
Note: The cmdlet Remove-Team does not accept the DisplayName of an existing team, but only the
GroupID. You can pipe the output of Get-Team to Remove-Team, or you can write down the GroupID
from the output of Get-Team and use it with Remove-Team.
Restoring a Team brings back the underlying Microsoft 365 Group and connects it with the inaccessible
Team again. This means that you will not lose any information available in the Team if you restore a
soft-deleted team.
Write down the object ID of the group you want to hard-delete and insert it into the following cmdlet:
Remove-AzureADMSDeletedDirectoryObject -Id <objectId>
Policy packages
Each policy package in Teams is designed around a user role and includes predefined policies and policy
settings that support the collaboration and communication activities that are typical for that role. Each
individual policy is given the name of the policy package so you can easily identify the policies that are
linked to a policy package. Teams currently includes the following policy packages.
Package name | Messaging policy | Meeting policy | App setup policy | Calling policy | Live events policy
Education (Higher education student) | Yes | Yes | Yes | Yes | Yes
Education (Primary school student) | Yes | Yes | Yes | Yes | Yes
Education (Secondary school student) | Yes | Yes | Yes | Yes | Yes
Education (Teacher) | Yes | Yes | Yes | Yes | Yes
Healthcare clinical worker | Yes | Yes | Yes | - | -
Healthcare information worker | Yes | Yes | - | - | -
Public safety officer | Yes | Yes | Yes | Yes | -
Small and medium business user (Business Voice) | - | - | Yes | - | -
Small and medium business user (without Business Voice) | - | - | Yes | - | -
You can edit the settings of a policy through the Policy packages page or by going directly to the policy
page in the Microsoft Teams admin center.
1. In the left navigation of the Microsoft Teams admin center, do one of the following:
●● Select Policy packages, and then select the policy package by clicking to the left of the package
name.
●● Select the policy type. For example, select Messaging policies.
2. Select the policy you want to edit. Policies that are linked to a policy package have the same name as
the policy package.
3. Make the changes that you want, and then select Save.
Note: If a policy is deleted, you can still view the settings but you won't be able to change any settings. A
deleted policy is re-created with the predefined settings when you assign the policy package.
Manage membership
Lesson Introduction
Microsoft Teams enables you to use a team as the basis for access control to specific resources and to
share data of that team.
In this lesson you will learn about managing user membership in teams.
After this lesson, you will be able to:
●● Manage users in a team.
●● Configure dynamic membership for teams.
●● Manage user access with Azure AD access reviews.
Task | Owner | Member
Create team | Yes | No
Leave team | Yes | Yes
Edit team name/description | Yes | No
Delete team | Yes | No
Add channel | Yes | Yes
Edit channel name/description | Yes | Yes
Delete channel | Yes | Yes
Add members | Yes | No
Request to add members | N/A | Yes
Add tabs | Yes | Yes
Add connectors | Yes | Yes
Add bots | Yes | Yes
How to restrict users from creating teams by restricting the creation of Microsoft 365 Groups is discussed in Module 2 - Create and manage Microsoft 365 Groups.
Note: Owners can make other members owners in the View teams option. A team can have up to 100 owners. It's recommended that you have at least a few owners to help manage the team; this will also prevent orphaned groups if a sole owner leaves your organization.
It is generally recommended to let the owners of teams manage team-specific settings and membership. They are the people working with the team and know how they want to leverage the capabilities that are provided for them. Managing a dynamic environment like Microsoft Teams takes up a lot of time and can be regulated with the options covered in different lessons of this course. This ensures that users stay within the limitations set by the company while having the agency to work in a dynamic environment.
Manage membership
There are still reasons for you to add members to a team. Perhaps you need to add an owner to an
orphaned team, or you decided to create department specific teams and restrict users to creating
non-business critical teams only via company policy. Usually you would create department teams as a
team with dynamic membership. How to do this will be discussed in the following topic. If you can’t
create a team with dynamic membership you need to know how to add members using the Teams Admin
Center, the Microsoft Teams PowerShell module, or the Teams Client.
column by selecting the user’s role (either Owner or Member) from a drop-down list.
4. In the Role column of the member list, select the role to pick the user's new role from a drop-down list.
In order to manage users in teams, you have the following cmdlets available in the Microsoft Teams
PowerShell module:
●● Add-TeamUser
●● Remove-TeamUser
For additional information see Assign team owners and members in Microsoft Teams [4].
4 https://docs.microsoft.com/en-us/microsoftteams/assign-roles-permissions
With dynamic membership you can set up teams for certain cohorts of users in your organization.
Possible scenarios include:
●● A hospital can create distinct teams for nurses, doctors, and surgeons to broadcast communications.
This is especially important if the hospital relies on temp employees.
●● A university can create a team for all faculty within a college, including an adjunct faculty that changes
frequently.
●● An airline wants to create a team for each flight (like a Tuesday afternoon non-stop from Chicago to
Atlanta) and have a frequently changing flight crew automatically assigned or removed as needed.
Using this feature, a given team's members update automatically based on a specific set of criteria,
instead of manually managing membership.
Note: Using dynamic groups requires an Azure AD Premium P1 license for any users in scope.
It may take anywhere from a few minutes to hours for dynamic membership changes to be reflected once they take effect in the Microsoft 365 Group for a team.
For dynamic group membership in teams, you must consider the following:
●● Rules can define who is a team member of a team, but not who is a team owner.
●● Owners will not be able to add or remove users as members of the team, since members are defined
by dynamic group rules.
●● Members will not be able to leave teams backed by dynamic groups.
Azure AD Portal
Perform the following steps to change the group membership of an existing team to rule-based dynamic membership.
1. Sign in to the Azure AD admin center with an account that is a global administrator or a user administrator in your tenant.
2. Select the search bar from the top of the page, type Azure Active Directory and select it.
3. In the left-pane menu, select Groups.
4. From the All groups list, open the group that you want to change.
5. Select Properties.
6. On the Properties page for your selected group, select a Membership type of Dynamic User.
8. After creating the rule, select Add query at the bottom of the page.
9. Select Save on the Properties page for the group to save your changes. The Membership type of
the group is immediately updated in the group list.
PowerShell
To change the membership type of a group using PowerShell, you can use the AzureAD PowerShell module.
You need to provide a group ID to the cmdlet for it to find the correct Microsoft 365 Group to modify. You can use the Exchange PowerShell module:
$groupId = (Get-UnifiedGroup <group_mailaddress>).ExternalDirectoryObjectID
$dynamicMembershipRule = 'user.department -eq "Sales"'
To create the $groupTypes variable, you have to get the group types of the existing group and add the string "DynamicMembership" to it.
$groupTypes = (Get-AzureAdMsGroup -Id $groupId).GroupTypes
$groupTypes.Add("DynamicMembership")
Operator | Syntax
Not Equals | -ne
Equals | -eq
Not Starts With | -notStartsWith
Starts With | -startsWith
Not Contains | -notContains
Contains | -contains
Not Match | -notMatch
Match | -match
In | -in
Not In | -notIn
The values used in an expression may consist of several types, including:
●● Strings
●● Boolean – true, false
●● Numbers
●● Arrays – number array, string array
When specifying a value within an expression, it is important to use the correct syntax to avoid errors.
Some syntax tips include:
●● Double quotes are optional unless the value is a string.
●● String and regex operations are not case sensitive.
●● When a string value contains double quotes, both quotes should be escaped using the ` character, for example, user.department -eq `"Sales`" is the proper syntax when "Sales" is the value.
●● You can also perform Null checks, using null as a value, for example, user.department -eq null.
For additional information see Dynamic membership rules for groups in Azure Active Directory [5].
5 https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
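The PowerShell procedure above, carried through to the final Set-AzureADMSGroup call, as an added example that is not part of the course material. The function names are hypothetical, and it assumes an AzureAD or AzureADPreview module version whose Set-AzureADMSGroup exposes the -MembershipRule and -MembershipRuleProcessingState parameters.

```powershell
# Added example, not from the course material. Function names are hypothetical.

function Get-DynamicGroupTypes {
    param([string[]]$CurrentGroupTypes)
    # Copy the existing types so the group object itself is not modified.
    $types = [System.Collections.Generic.List[string]]::new()
    foreach ($t in $CurrentGroupTypes) {
        if ($t -and -not $types.Contains($t)) { $types.Add($t) }
    }
    # Add the marker only when it is missing, so a second run changes nothing.
    if (-not ($types | Where-Object { $_ -ieq 'DynamicMembership' })) {
        $types.Add('DynamicMembership')
    }
    return ,$types.ToArray()
}

function Set-TeamDynamicMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    $group = Get-AzureADMSGroup -Id $GroupId
    $params = @{
        Id                            = $GroupId
        GroupTypes                    = Get-DynamicGroupTypes -CurrentGroupTypes $group.GroupTypes
        MembershipRuleProcessingState = 'On'
        MembershipRule                = $MembershipRule
    }
    # -WhatIf shows the target group and rule without changing the directory.
    if ($PSCmdlet.ShouldProcess($group.DisplayName, "Set membership rule: $MembershipRule")) {
        Set-AzureADMSGroup @params
    }
}

# Offline check on constructed input: a Microsoft 365 Group reports "Unified".
(Get-DynamicGroupTypes -CurrentGroupTypes 'Unified') -join ', '
(Get-DynamicGroupTypes -CurrentGroupTypes 'Unified', 'DynamicMembership') -join ', '

# Against a tenant, after Connect-AzureAD, with $groupId obtained as shown above:
# Set-TeamDynamicMembership -GroupId $groupId -MembershipRule 'user.department -eq "Sales"' -WhatIf
```

Run it with -WhatIf first: once the rule is active, owners can no longer add or remove members of that team by hand.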
5. On the page, click the Onboard now button to use Access reviews for teams in your tenant.
As soon as the dialog in the upper right switches to a green checkmark with the message "Successfully onboarded access reviews in <your_tenant>", onboarding has completed successfully.
●● Advanced Settings: You can choose whether to send reminders, send notifications to reviewers and administrators, show system recommendations to reviewers, and force reviewers to provide a reason for approval of a user.
7. Select Start to start the access review.
For license requirements for Azure AD access reviews, please refer to the link [6].
6 https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
External Access
With Microsoft Teams external access, Teams users from other domains can participate in your chats and
calls. You can also allow other external users who are still using Skype for Business Online or Skype for
Business Server.
Use external access when:
●● You have users in different domains in your business: for example, Rob@contoso.com and Ann@northwindtraders.com.
●● You want the people in your organization to use Teams to contact people in specific businesses outside of your organization.
●● You want anyone else in the world who uses Teams to be able to find and contact you using your email address. If you and another user both enable external access and allow each other's domains, this will work. If it doesn't work, the other user should make sure his or her configuration isn't blocking your domain.
External access allows external users to find, call, and send you instant messages, as well as set up
meetings with you. However, if you want external users to have access to teams and channels, guest
access is the only mechanism.
Note: You will be able to set up meetings with external users without enabling external access but in that
case, they will join the meeting as unauthenticated users instead of joining with their federated and
authenticated user account.
Managing external access will be covered in a later topic.
Manage access for external users
Guest Access
A team owner in Microsoft Teams can add and manage guests in their teams via the web, mobile or desktop client. Anyone with a business or consumer email account, such as Outlook, Gmail, or others, can participate as a guest in Teams, with full access to team chats, meetings, and files. People outside your organization, such as partners or consultants, can be added as guests, and people from within your organization can join as regular team members.
The following functionality is not available for guest users:
●● OneDrive for Business Standalone SKU
●● People search outside of Teams
●● Calendar, Scheduled Meetings, or Meeting Details
●● PSTN calling
●● Organization Chart
●● Create or revise a team
●● Browse for a team
●● Upload files to a person-to-person chat
You can configure the functionality of guest users to limit their permissions inside the teams they are
added to or disable guest access altogether. How to do this for your organization will be discussed later.
While using Teams, text and icons give all team members clear indication of guest participation in a team.
A guest user's name includes the label (Guest), and a channel includes an icon to indicate that there are
guests on the team.
7 https://docs.microsoft.com/azure/active-directory/b2b/licensing-guidance
8 https://docs.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations
●● Azure Active Directory: Guest access in Microsoft Teams relies on the Azure AD business-to-business
(B2B) platform. This authorization level controls the guest experience at the directory, tenant, and
application level.
●● Microsoft 365 Groups: Controls the guest experience in Microsoft 365 Groups and Microsoft Teams.
●● Microsoft Teams: Controls the guest experience in Microsoft Teams only.
●● SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online,
OneDrive for Business, Microsoft 365 Groups, and Microsoft Teams.
These different authorization levels provide you with flexibility in how you set up guest access for your organization. For example, if you don't want to allow guest users in your Microsoft Teams but want to allow it overall in your organization, just turn off guest access in Microsoft Teams. As another example, you could enable guest access at the Azure AD, Teams, and Groups levels, but then disable the addition of guest users on selected teams that match one or more criteria, such as data classification equals confidential. SharePoint Online and OneDrive for Business have their own guest access settings that do not rely on Microsoft 365 Groups.
Note: Technically a guest user is a new user object in your Azure AD tenant. At the first level, you can allow or restrict the creation of new guest objects in your tenant, and then you can control whether guest access is allowed or if there are additional dependencies to access different locations, such as Teams, Groups and SharePoint.
The following diagram shows how guest access authorization dependency is granted and integrated
between Azure Active Directory, Microsoft Teams, and Office 365.
This means that if you disable guest access at any point in the chain, every app down the line will inherit the restriction, and you will not be able to create or let your users create new Teams.
●● Yes means that guests don't have permission for certain directory tasks, such as enumerate users,
groups, or other directory resources. In addition, guests can't be assigned to administrative roles in
your directory.
●● No means that guests have the same access to directory data that regular users have in your
directory.
●● Admins and users in the guest inviter role can invite:
●● Yes means that admins and users in the guest inviter role will be able to invite guests to the
tenant.
●● No means admins and users can't invite guests to the tenant.
●● No means that only admins and guest inviters can invite guests to your directory.
●● Guests can invite:
●● Yes means that guests in your directory can invite other guests to collaborate on resources
secured by your Azure AD, such as SharePoint sites or Azure resources.
●● No means that guests can't invite other guests to collaborate with your organization.
●● Enable Email One-Time Passcode for guests (Preview): The Email one-time passcode feature
authenticates B2B guest users when they can't be authenticated through other means like Azure AD, a
Microsoft account (MSA), or Google federation. With one-time passcode authentication, there's no
need to create a Microsoft account. When the guest user redeems an invitation or accesses a shared
resource, they can request a temporary code, which is sent to their email address.
●● Collaboration restrictions:
●● Allow invitations to be sent to any domain (most inclusive) means there is no restriction on the guest's domain, and everyone can be invited.
●● Deny invitations to the specified domains is a blacklist setting that allows all domains except those in the defined list.
●● Allow invitations only to the specified domains (most restrictive) is a whitelist setting that allows you to invite guests only from the defined domains.
Note: Guest Inviter Role is an Azure AD user role that permits a user to invite additional guests to your
tenant and create guest objects in Azure AD.
Adding the guest user account manually to Azure AD B2B is not required, as the account will be added to the directory automatically when you add the guest to Teams.
in a pending state, and you set a policy that blocks their domain, the user's attempt to redeem the
invitation will fail.
6. Under TARGET DOMAINS, enter the name of one of the domains that you want to allow. For multiple
domains, enter each domain on a new line. For example:
PowerShell
You can also set the Allow/Deny List policy using the AzureAD Preview PowerShell module and the
New-AzureADPolicy and Set-AzureADPolicy cmdlets.
This will require four steps:
1. This will create the JSON for the policy definition you will need in the next step:
$policyValue=@("{`"B2BManagementPolicy`":{
`"InvitationsAllowedAndBlockedDomainsPolicy`":{
`"AllowedDomains`": [],
`"BlockedDomains`": [`"contoso.com`"]}}}")
3. To get the policy id you must use Get-AzureADPolicy and select the correct one based on the Type
and DisplayName:
$currentpolicy = Get-AzureADPolicy | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1
4. Then you can set the policy using the ID you just got:
Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id
After this your new allow or deny list is active and guest invitations are restricted to the domains you
specified in the first step.
Note: The *-AzureADPolicy cmdlets work only in the AzureAD PowerShell module with version 2.0.2.53 and newer.
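The policy definition from step 1 can be generated and validated instead of hand-escaped; the following is an added example, not part of the course material. The function names are hypothetical, the domain check is an assumption about what counts as a plain domain name, and the New-AzureADPolicy parameters shown are those of the AzureADPreview module.

```powershell
# Added example, not from the course material. Function names are hypothetical.
# New-B2BDomainPolicyDefinition runs offline; Set-B2BDomainPolicy needs the
# AzureADPreview module and a session opened with Connect-AzureAD.

function Get-NormalizedDomainList {
    param([string[]]$Domains)
    # Two or more DNS labels: rejects schemes, paths, wildcards and e-mail addresses.
    $label   = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
    $pattern = '^(?=.{1,253}$)' + $label + '(\.' + $label + ')+$'
    $names   = [System.Collections.Generic.List[string]]::new()
    foreach ($d in $Domains) {
        $name = "$d".Trim().ToLowerInvariant()
        if ($name -notmatch $pattern) { throw "Not a plain domain name: '$d'" }
        if (-not $names.Contains($name)) { $names.Add($name) }   # drop duplicates
    }
    return ,$names
}

function New-B2BDomainPolicyDefinition {
    param(
        [string[]]$AllowedDomains = @(),
        [string[]]$BlockedDomains = @()
    )
    # Azure AD accepts an allow list or a deny list, not both at once.
    if ($AllowedDomains.Count -gt 0 -and $BlockedDomains.Count -gt 0) {
        throw 'Specify either -AllowedDomains or -BlockedDomains, not both.'
    }
    $definition = [ordered]@{
        B2BManagementPolicy = [ordered]@{
            InvitationsAllowedAndBlockedDomainsPolicy = [ordered]@{
                AllowedDomains = (Get-NormalizedDomainList $AllowedDomains).ToArray()
                BlockedDomains = (Get-NormalizedDomainList $BlockedDomains).ToArray()
            }
        }
    }
    # ConvertTo-Json does the quoting that the hand-written string escapes with backticks.
    return (ConvertTo-Json -InputObject $definition -Depth 5 -Compress)
}

function Set-B2BDomainPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Definition)
    $current = Get-AzureADPolicy |
        Where-Object { $_.Type -eq 'B2BManagementPolicy' } |
        Select-Object -First 1
    if ($null -eq $current) {
        # No policy of this type yet: create it as the organization default.
        if ($PSCmdlet.ShouldProcess('tenant', 'Create B2BManagementPolicy')) {
            New-AzureADPolicy -Definition @($Definition) -DisplayName 'B2BManagementPolicy' -Type 'B2BManagementPolicy' -IsOrganizationDefault $true
        }
    }
    else {
        # The stored definition is replaced, so keep the old one for rollback.
        Write-Verbose ('Previous definition: ' + ($current.Definition -join ''))
        if ($PSCmdlet.ShouldProcess($current.Id, 'Update B2BManagementPolicy')) {
            Set-AzureADPolicy -Definition @($Definition) -Id $current.Id
        }
    }
}

# Constructed input: the deny list from step 1, with a duplicate and stray whitespace.
$policyJson = New-B2BDomainPolicyDefinition -BlockedDomains ' Contoso.com', 'contoso.com'
$policyJson

# Dry run against a tenant, then repeat without -WhatIf to apply:
# Set-B2BDomainPolicy -Definition $policyJson -WhatIf -Verbose
```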
4. If you want to allow all Teams organizations to communicate with users in your organization, skip to
step 6.
5. If you want to limit the external organizations that can communicate with users in your organization,
you can either allow all except some domains, or you can allow only specific domains.
●● To allow all except some domains, add the domains you want to block by clicking Add domain. In
the Add a domain pane, type the domain name, click Blocked, and then click Done.
●● To limit communications to specific organizations, add those domains to the list with a status of Allowed. Once you have added any domain to the Allow list, communications with other organizations will be limited to only those organizations whose domains are in the Allow list.
6. Select Save.
7. Finally, make sure the admin in the other Teams organization completes these same steps and either adds the domain for your business to their allow list or makes sure it is not on their block list.
You should now be able to chat with external users by using their email address and adding them as a contact. You can verify that federation is working by sending a chat message to an external user via Teams and getting a response.
Note: If you allow federation, your users will only be able to use 1-on-1-chat, voice/video calls and set up
meetings with external users.
4. Set the toggles under Calling, Meeting, and Messaging to On or Off, depending on the capabilities
you want to allow for guest users.
●● Make private calls – Turn this setting On, to allow guests to make peer-to-peer calls.
●● Allow IP video - Turn this setting On, to allow guests to use video in their calls and meetings.
●● Screen sharing mode – This setting controls the availability of screen sharing for guest users.
●● Turn this setting to Disabled to remove the ability for guests to share their screens in Teams.
●● Turn this setting to Single application to allow sharing of individual applications.
●● Turn this setting to Entire screen to allow complete screen sharing.
●● Allow Meet Now – Turn this setting On, to allow guests to use the Meet Now feature in Microsoft
Teams.
●● Edit sent messages - Turn this setting On, to allow guests to edit messages they previously sent.
●● Guests can delete sent messages – Turn this setting On, to allow guests to delete messages they
previously sent.
●● Chat – Turn this setting On, to give guests the ability to use chat in Teams.
●● Use Giphys in conversations – Turn this setting On, to allow guests to use Giphys in conversations. Giphy is an online database and search engine that allows users to search for and share animated GIF files. Each Giphy is assigned a content rating.
●● Giphy content rating – Select a rating from the drop-down list:
●● Allow all content - Guests will be able to insert all Giphys in chats, regardless of the content
rating.
●● Moderate - Guests will be able to insert Giphys in chats but will be moderately restricted from
adult content.
●● Strict – Guests will be able to insert Giphys in chats but will be restricted from inserting adult
content.
●● Use memes in conversations - Turn this setting On to allow guests to use Memes in conversations.
●● Use Stickers in conversations – Turn this setting On to allow guests to use stickers in conversations.
5. Click Save.
PowerShell
You can also use the Skype for Business Online PowerShell module and the Set-CsTeamsClientCon-
figuration cmdlet to toggle guest access. For example, to allow guest users globally, run the following
cmdlet:
Set-CsTeamsClientConfiguration -AllowGuestUser $True -Identity Global
If you want to limit guest user capabilities in a subset of teams, you can use the Microsoft Teams
PowerShell module and the Set-Team cmdlet. This lets you configure the same limitations as the Teams
admin center, but instead of applying them to all teams you can target a single team. This can be useful
if you need to create a team for your external consultants to exchange information without disrupting the
structure you gave them.
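The per-team restriction described above, as an added example that is not part of the handbook. It assumes the MicrosoftTeams module is installed and that you are a Teams admin or an owner of the team; the team name External Consultants and the function name Set-GuestChannelRestriction are hypothetical.

```powershell
# Added example: remove guests' ability to create, update, or delete channels
# in one team only, leaving the org-wide guest settings untouched.
# Assumption: the MicrosoftTeams PowerShell module is installed.

function Set-GuestChannelRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$TeamDisplayName
    )

    # Display names are not unique, and Get-Team -DisplayName can return
    # several teams, so insist on exactly one exact match before changing anything.
    $found = @(Get-Team -DisplayName $TeamDisplayName |
        Where-Object { $_.DisplayName -eq $TeamDisplayName })

    if ($found.Count -ne 1) {
        throw "Expected exactly one team named '$TeamDisplayName', found $($found.Count)."
    }
    $team = $found[0]

    # -WhatIf / -Confirm are honoured through ShouldProcess.
    if ($PSCmdlet.ShouldProcess($team.DisplayName, 'Disable guest channel create/update/delete')) {
        Set-Team -GroupId $team.GroupId `
                 -AllowGuestCreateUpdateChannels $false `
                 -AllowGuestDeleteChannels $false
    }
}

Connect-MicrosoftTeams

# Dry run first (hypothetical team name), then repeat without -WhatIf to apply.
Set-GuestChannelRestriction -TeamDisplayName 'External Consultants' -WhatIf
```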
Messaging policies are managed from the Microsoft Teams admin center and through the Skype for
Business Online PowerShell cmdlets.
| Setting | Description |
| --- | --- |
| Owners can delete sent messages | Controls whether owners can delete messages sent by other users. |
| Users can delete sent messages | Controls whether users can delete their own sent messages. |
| Users can edit sent messages | Controls whether users can edit their own sent messages. |
| Read receipts | User controlled lets the user configure whether to receive read receipts or not. On for everyone enforces read receipts for all affected users, without the option to turn them off. Off for everyone deactivates read receipts for all affected users, without the option to activate them. |
| Chat | Controls whether users can use chat in teams. |
| Users can send notifications | Controls whether users can send priority notifications. |
5. Select Apply.
The new messaging policy is now assigned to the user, and its configured settings will be applied after up
to 24 hours.
Note: Policies can only be assigned to users and not to groups. If a messaging policy must be assigned to
multiple users, the assignment must be done with a PowerShell script or by policy packages, which are
covered shortly.
●● Select Reset Global Policy to restore factory default settings of the Global (Org-wide default)
policy.
●● Select Manage users to directly assign the policy to a user.
Note: It is not possible to delete a messaging policy that still has any users assigned to it. You will receive
an error message if you attempt to delete an assigned messaging policy.
To create a new Teams policy, you should perform the following steps:
1. In Teams Admin Center, in the left-hand navigation pane, select Teams, and then in the Teams
group, select Teams Policies.
2. Select +Add from the top pane.
3. In the add a new policy window, enter the required fields and settings.
4. Select Save.
After a new Teams policy is created, it must be assigned to users. Assigning a new Teams policy to a user
replaces either the existing default policy or an existing custom policy for that user. This step can be done
through the Users settings, like the messaging policy, or directly from the Teams policies window, by
performing these steps:
1. In Teams Admin Center, in the left-hand navigation pane, select Teams Policies.
2. Select the check box to the left of a policy and then select Manage users from the top pane.
3. Type at least three characters into the search field and select the Add button that appears to the right
of the desired user’s display name.
4. The user is now listed below Users to add.
5. Select Apply to finish the process.
Note: Like messaging policies, team policies cannot be assigned to multiple users or groups, but only to
single users. To assign a custom team policy to multiple users, use PowerShell scripts or policy packages,
which are covered in a later lesson.
| Operation | Behavior |
| --- | --- |
| User shares a file in a 1:1 or group chat | The file is uploaded to the user’s OneDrive into the folder Microsoft Teams Chat Files and all participants are granted permissions on the single file. |
| User shares a file in a conversation | The file is uploaded to the Teams document library, where the Teams SharePoint permission groups grant access to all members and external participants. |
| Users copy the link to a file from Teams | The users can decide to copy a Teams or a SharePoint link. While the Teams link opens Teams to access the file, the SharePoint link opens directly in the browser. The recipient of the link must either have SharePoint permissions, or he or she must be a member of the team to access the file’s content. |
Since Teams relies on SharePoint Online and OneDrive for Business to store files and documents for
channels and chat conversations, the file sharing experience is controlled at the organization level in
SharePoint and OneDrive admin centers.
| Scenario | Explanation |
| --- | --- |
| Use a channel as an announcement channel | The Marketing team uses a specific channel to share key project announcements and deliverables. Sometimes team members post content to the channel that more appropriately belongs in other channels. The team owner wants to restrict information sharing in the channel to only announcements so that team members can use that channel to stay on top of what's important. |
4. When Channel moderation is turned On, additional settings appear that enable you to Manage the
moderators and configure Team member permissions.
5. When channel moderation stays turned Off, a restriction can be configured to exclude guests from
being able to start new posts.
sometimes include buttons for interacting with the app. For example, a daily weather report could
include an option to download the forecast for the entire week.
Manage apps
Use the Manage apps page to view and manage all Teams apps in your organization's app catalog. You
can see the org-level status and properties of apps, block or allow apps at the org level, upload new
custom apps to your tenant catalog, and manage org-wide app settings.
The Manage apps page gives you a view into all available apps in your tenant catalog, providing you with
the information you need to decide which apps to allow or block across your organization. You can then
use app permission policies, app setup policies, and custom app policies and settings to configure
the app experience for specific users in your organization.
For example, you can use Manage apps to:
●● Disable an app that poses a permission or data loss risk to your organization.
Summary
The following table summarizes the controls of different locations in Teams admin center:
●● Name: The app name. Click the app name to see more information about the app. This includes a
description of the app, whether it's allowed or blocked, version, categories that apply to the app,
certification status, supported capabilities, and app ID. Here's an example:
●● Certification: If the app has gone through certification, you'll see either Microsoft 365 certified or
Publisher attestation. Click the link to view certification details for the app. If you see "–", we don't
have certification information for the app. To learn more about certified apps in Teams, read Microsoft
365 App Certification program3.
3 https://docs.microsoft.com/teams-app-certification/all-apps
2. Under Third-party apps, turn off or turn on these settings to control access to third-party apps:
●● Allow third-party apps in Teams: This controls whether users can use third-party apps. If you
turn off this setting, your users won't be able to install or use any third-party apps. For apps that
you allowed, the status shows as Allowed but disabled org-wide.
When Allow third-party apps in Teams is off, outgoing webhooks4 are disabled, which means
that users can't create them. When this setting is on, outgoing webhooks are enabled for all users
regardless of whether the setting is on or off in the users' app permission policy.
●● Allow any new third-party apps published to the store by default: This controls whether new
third-party apps that are published to the Teams app store become automatically available in
Teams. You can only set this option if you allow third-party apps.
3. Under Custom apps, turn off or turn on Allow interaction with custom apps. This setting controls
whether users can interact with custom apps.
4. Click Save for org-wide app settings to take effect.
4 https://docs.microsoft.com/microsoftteams/platform/webhooks-and-connectors/what-are-webhooks-and-connectors
By default, all apps are allowed in the global policy. This includes apps published by Microsoft, third
parties, and your organization. Users in your organization will automatically get the global policy unless
you create and assign a custom policy. Organization-wide app settings on the Manage apps page
override the global policy and any custom policies that you create and assign to users.
For example, you want to block all third-party apps and allow specific apps from Microsoft for the HR
team in your organization. First, you would go to the Manage apps page and make sure that the apps
that you want to allow for the HR team are allowed at the org level. Then, create a custom policy named
HR App Permission Policy, set it to block and allow the apps that you want, and assign it to users on the
HR team.
1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Teams apps >
Permission policies.
2. Select Add.
3. Enter a name and description for the policy.
4. Under Microsoft apps, Third-party apps, and Tenant apps, select one of the following options that
is listed in the following graphic:
5. If you selected Allow specific apps and block all others, add the apps that you want to allow:
●● Select Allow apps.
●● Search for the app(s) that you want to allow, and then select Add. The search results are filtered to
the app publisher (Microsoft apps, Third-party apps, or Tenant apps).
●● Once you have chosen the list of apps, select Allow.
6. Similarly, if you selected Block specific apps and allow all others, search for and add the apps that
you want to block.
7. Select Save.
1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Teams apps >
Permission policies.
2. Select the custom policy by selecting to the left of the policy name.
3. Select Manage users.
4. In the Manage users pane, search for the user by display name or by user name, select the name, and
then select Add. Repeat this step for each user that you want to add.
5. When you're finished adding users, select Apply.
Alternatively, you can also perform the following steps to assign a policy to a user:
1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Users.
2. Select the user by selecting to the left of the username, and then select Edit settings.
3. Under App permission policy, select the app permission policy you want to assign, and then select
Apply.
Depending on the number of members in the group, this command may take several minutes to execute.
built by third-parties or by developers in your organization. You can also use app setup policies to
manage how built-in features appear.
Apps are pinned to the app bar. This is the bar on the side of the Teams desktop client and at the bottom
of the Teams mobile clients (iOS and Android).
You manage app setup policies in the Microsoft Teams admin center. You can use the global (Org-wide
default) policy or create custom policies and assign them to users. Users in your organization will
automatically get the global policy unless you create and assign a custom policy.
You can edit the settings in the global policy to include the apps that you want. If you want to customize
Teams for different groups of users in your organization, create and assign one or more custom policies.
If a user is assigned a custom policy, that policy applies to the user. If a user is not assigned a custom
policy, the global policy applies to the user.
Note: If you have Teams for Education, it is important to know that the Assignments app is pinned by
default in the global policy even though you do not currently see it listed in the global policy. It will be
the fourth app in the list of pinned apps on Teams clients.
5. Turn on or turn off Allow user pinning, depending on whether you want to let users personalize their
app bar by pinning apps to it.
6. To install apps for users (in preview), do the following:
1. Under Installed apps, select Add apps.
2. In the Add installed apps pane, search for the apps you want to automatically install for users
when they start Teams. You can also filter apps by app permission policy. When you've chosen
your list of apps, select Add.
3. Arrange the apps in the order that you want them to appear in Teams, and then select Save.
5. When you're finished adding users, select Save.
You can also perform the following steps if you want to assign users within the Users pane:
1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Users, and then select
the user.
2. Select the user by selecting to the left of the username, and then select Edit settings.
3. Under App setup policy, select the app setup policy you want to assign, and then select Apply.
For example, to assign an app setup policy called HR App Setup Policy to all users in the Contoso HR
Project group, you would perform the following PowerShell commands:
Depending on the number of members in the group, this command may take several minutes to execute.
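One way to perform the group-based assignment described above, and the bulk assignment that the notes on messaging and Teams policies call for, as an added example rather than the handbook's own listing. It assumes the AzureAD module and the Teams policy cmdlets are loaded and connected; the function name Grant-PolicyToGroupMembers is hypothetical.

```powershell
# Added example: assign one per-user Teams policy to every user in a group.
# Assumptions: Connect-AzureAD has been run, the Grant-CsTeams* cmdlets are
# available in the session, and the group and policy already exist.

function Grant-PolicyToGroupMembers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [Parameter(Mandatory = $true)][string]$PolicyName,

        # Per-user grant cmdlets that take -Identity and -PolicyName.
        [ValidateSet('Grant-CsTeamsAppSetupPolicy',
                     'Grant-CsTeamsAppPermissionPolicy',
                     'Grant-CsTeamsMessagingPolicy')]
        [string]$GrantCmdlet = 'Grant-CsTeamsAppSetupPolicy'
    )

    # -SearchString can match more than one group, so keep only the exact name.
    $group = @(Get-AzureADGroup -SearchString $GroupName |
        Where-Object { $_.DisplayName -eq $GroupName })
    if ($group.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($group.Count)."
    }

    # Groups can also contain devices, contacts, and nested groups;
    # policies can only be granted to users.
    $users = Get-AzureADGroupMember -ObjectId $group[0].ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'User' }

    foreach ($user in $users) {
        $status = 'Skipped'
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "$GrantCmdlet '$PolicyName'")) {
            try {
                & $GrantCmdlet -Identity $user.UserPrincipalName `
                               -PolicyName $PolicyName -ErrorAction Stop
                $status = 'Assigned'
            }
            catch {
                # Keep going; one unlicensed or unsynced user should not stop the run.
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        # One result row per user, so failures can be reviewed afterwards.
        [pscustomobject]@{ User = $user.UserPrincipalName; Status = $status }
    }
}

# Names taken from the example in the text.
Grant-PolicyToGroupMembers -GroupName 'Contoso HR Project' -PolicyName 'HR App Setup Policy'
```

Run it with -WhatIf first to list the users that would be changed without granting anything.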
| Org-wide custom app setting | User custom app policy | Team custom app setting |
| --- | --- | --- |
| Teams admin center > Teams apps > Manage apps | Teams admin center > Teams apps > Setup policies | Teams client > Manage team > Settings > Member permissions |
You can edit the settings in the global app setup policy to include the apps that you want. If you want to
customize Teams for different groups of users in your organization, create and assign one or more
custom app setup policies. Follow the steps below to set a user custom app policy:
1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Teams apps > Setup
policies.
2. Select Add.
3. Turn on or turn off Allow uploading custom apps.
4. Choose any other settings that you want for the policy.
5. Select Save.
| Org-wide custom app setting | User custom app setting | Team custom app setting | Effect |
| --- | --- | --- | --- |
| Off | Off | Off | Interaction with all custom apps is blocked for your organization. Custom apps cannot be uploaded by anyone. You can use PowerShell to remove the custom app. |
| Off | On | Off | Interaction with all custom apps is blocked for your organization. Custom apps cannot be uploaded by anyone. You can use PowerShell to remove the custom app. |
| Off | Off | On | Interaction with all custom apps is blocked for your organization. Custom apps cannot be uploaded by anyone. You can use PowerShell to remove the custom app. |
| Off | On | On | Interaction with all custom apps is blocked for your organization. Custom apps cannot be uploaded by anyone. You can use PowerShell to remove the custom app. |
| On | Off | Off | The user cannot upload custom apps. |
| On | Off | On | The user cannot upload custom apps. |
| On | On | Off | If the user is a team owner, they can upload custom apps to the team. If the user is not a team owner, they cannot upload custom apps to the team. The user can upload custom apps in the personal context. |
| On | On | On | The user can upload custom apps to the team, regardless of whether the user is a team owner. The user can upload custom apps in the personal context. |
For example, assume that you want to allow only team owners to upload custom apps to specific teams.
You would set the following:
●● Org-wide: Turn on the Allow interaction with custom apps setting in the Microsoft Teams admin
center.
●● User level: Create and assign a custom app setup policy in the Microsoft Teams admin center with the
User can upload custom apps setting turned on and assign it to the team owners.
●● Team level: Turn off the Allow members to upload custom apps for every team to which you want
to restrict access.
A Teams app package is created by using Teams App Studio5. When you have the app package, you can
add it to your app catalog. While all users in your organization can view the app catalog, only global
admins and Teams service admins can publish and manage it.
5 https://docs.microsoft.com/microsoftteams/platform/get-started/get-started-app-studio
Note: If “Upload for…” does not show up, you can only sideload the custom app, because
you do not have administrative permissions to upload an app to your tenant app catalog. Sideloading
makes the app available only to your teams or to teams you select.
3. Navigate to the app package and select it, and then select Open.
When you go back to your tenant apps catalog, the new app will be there. Remember, only you and
members of your organization have access to this app catalog.
For more information, please refer to Manage your custom apps in Microsoft Teams6.
6 https://docs.microsoft.com/en-us/microsoftteams/manage-your-custom-apps
Module 6 Manage communication in Microsoft Teams
Meeting policies
With Meetings policies you can permit and/or restrict features that will be available to users during the
meetings and audio conferencing. You must first decide if you are going to customize the initial meeting
policies and whether you need multiple meeting policies. Then you must determine which groups of
users receive which meeting policies. Finally, you must determine whether your organization must
purchase and deploy room system devices for your conference rooms.
Licensing
Audio Conferencing licenses are available as part of an Office 365 E5 subscription or as add-on licenses
to an existing subscription.
As you plan for audio conference licensing, you must determine whether your organization is going to use
Microsoft Teams live events. If the answer is yes, then you must determine who will be responsible for
reporting and monitoring usage. With Teams live events policies you can manage event settings for groups
of users. According to your organizational requirements, you can either continue to use the default
policy, or you can create additional policies that can be assigned to users who hold live events within
your organization.
Transcription service
During a meeting, users can optionally record the meeting and group call, as well as capture audio, video,
and screen sharing activity. In addition, recordings can be automatically transcribed, which will enable the
users to play back meeting recordings with closed captions and search for important discussion points in
the transcript (the recordings are saved in Microsoft Stream). To automatically transcribe a recording, you
must turn on the meeting transcription service.
4. On the Add phone number pane, select the phone number you want to add, and then select Apply.
2. Select Set as default on the menu bar.
2. On the Bridge settings pane, you may choose to configure the following:
●● Meeting entry and exit notifications. You can turn this setting on or off, depending on whether
you want users who have already joined the meeting to be notified when someone enters or
leaves the meeting. If this setting is on, you can choose from the following options:
●● Entry/exit announcement type. Select one of the following options:
●● Names or phone numbers. When users dial in to a meeting, their phone number will be
played when they join it.
●● Tones. When users dial in to a meeting, an audio tone will be played when they join it.
●● Ask callers to record their name before joining the meeting. If you turn this off, callers will not
be asked to record their name before they join a meeting.
●● Pin length. Set the PIN length from 4 to 12; the default value is 5.
●● Automatically send emails to users if their dial-in settings change. This option can be
enabled or disabled.
3. Select Apply to confirm the settings.
4. On the New meeting policy page, enter the following information and settings:
●● Enter a name for the new policy, and optionally enter a description.
●● Under the General section, select whether to turn the following options On or Off:
●● Allow Meet now in channels
●● Allow the Outlook add-in
●● Allow channel meeting scheduling
●● Allow scheduling private meetings
For example, Allow Meet now is a per-user policy that is applied before a meeting starts. This
policy controls whether the user can start a meeting in a Teams channel without the meeting
having been previously scheduled. If you turn this on, when a user posts a message in a Teams
channel, the user can select Meet now to initialize an ad hoc meeting in the channel.
As another example, if you turn off Allow channel meeting scheduling, then the Schedule a
meeting option is not available to the user when they start a meeting in a Teams channel, and
the Select a channel to meet option is not available to the user when they schedule a meeting
from Meetings in Teams.
●● Under the Audio & video section, turn the following options On or Off:
●● Allow transcription
●● Allow cloud recording
●● Allow IP video. You can also enter the Media bit rate in KBs.
For example, if the policy setting is turned on for Allow cloud recording and the user is
authenticated as a user from the same organization, then the recording can be started by the meeting
organizer or by another meeting participant. This only concerns the internal users; the guest users
do not have permission to start or stop the recording.
●● Under the Content sharing section, choose one from the following Screen sharing modes:
●● Entire screen
●● Single application
●● Disabled
From this section you can also choose to turn the following options On or Off:
●● Allow a participant to give or request control
●● Allow an external participant to give or request control
●● Allow PowerPoint sharing
●● Allow whiteboard
●● Allow shared notes
For example, the Allow a participant to give or request control setting defines whether the user
can give control of the shared desktop or window to other participants who are present in the
meeting.
●● Under the Participants & guests section, you can choose to turn the following options On or Off:
●● Let anonymous people start a meeting
●● Allow dial-in users to bypass the lobby
●● Allow Meet now in private meetings.
You can also choose from the following feature options:
●● Automatically admit people. Select one of the following options:
●● Everyone
●● Everyone in your organization
●● Everyone in your organization and federated organizations
●● Enable live captions. Select one of the following options:
●● Disabled but the organizer can override
●● Disabled
●● Allow chat in meetings. Select one of the following options:
●● Enabled
●● Disabled
5. Once you have finished entering your settings, select Save.
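To review the Participants & guests and control-sharing settings above across all meeting policies at once, the following added example (not part of the handbook) flags the permissive values. The property names are those returned by Get-CsTeamsMeetingPolicy; the function name Test-MeetingPolicyExposure and the sample policies are constructed for illustration.

```powershell
# Added example: list meeting policies whose lobby, anonymous-start, and
# external-control settings are permissive, so they can be reviewed.

function Test-MeetingPolicyExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Policy
    )
    process {
        $findings = @()

        # "Let anonymous people start a meeting"
        if ($Policy.AllowAnonymousUsersToStartMeeting) {
            $findings += 'Anonymous people can start a meeting'
        }
        # "Automatically admit people" set to Everyone means nobody waits in the lobby.
        if ($Policy.AutoAdmittedUsers -eq 'Everyone') {
            $findings += 'Everyone is admitted automatically'
        }
        # "Allow dial-in users to bypass the lobby"
        if ($Policy.AllowPSTNUsersToBypassLobby) {
            $findings += 'Dial-in users bypass the lobby'
        }
        # "Allow an external participant to give or request control"
        if ($Policy.AllowExternalParticipantGiveRequestControl) {
            $findings += 'External participants can give or request control'
        }

        [pscustomobject]@{
            Identity     = $Policy.Identity
            FindingCount = $findings.Count
            Findings     = $findings -join '; '
        }
    }
}

# Constructed sample policies so the function can be tried without a tenant.
$samplePolicies = @(
    [pscustomobject]@{
        Identity                                   = 'Global'
        AllowAnonymousUsersToStartMeeting          = $false
        AutoAdmittedUsers                          = 'EveryoneInCompany'
        AllowPSTNUsersToBypassLobby                = $false
        AllowExternalParticipantGiveRequestControl = $false
    }
    [pscustomobject]@{
        Identity                                   = 'Tag:Sample Open Webinars'
        AllowAnonymousUsersToStartMeeting          = $true
        AutoAdmittedUsers                          = 'Everyone'
        AllowPSTNUsersToBypassLobby                = $true
        AllowExternalParticipantGiveRequestControl = $false
    }
)

# Only the second sample policy is reported, with three findings.
$samplePolicies | Test-MeetingPolicyExposure |
    Where-Object FindingCount -gt 0 |
    Format-Table -AutoSize -Wrap

# Against a tenant:
# Get-CsTeamsMeetingPolicy | Test-MeetingPolicyExposure | Where-Object FindingCount -gt 0
```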
You should perform the following steps to assign a meeting policy in the Users section:
1. In the Teams admin center, select Users.
2. Select the users you want to apply the policy to, and then select Edit settings.
3. Under the Policies section, choose the required meeting policy, and then select Apply.
You should perform the following steps to assign a meeting policy in the Meeting policies section:
1. In the Teams admin center, select Users.
2. Select the required meeting policy and then select Manage users.
3. Under the selected policy name, add the users you want to apply the policy to, and then select Apply.
You cannot delete a meeting policy while users still have it assigned. If you are in the Users
section, first assign a different policy to those users; you will then be able to delete the
meeting policy.
2. In the Participants section, turn the Anonymous users can join a meeting option on or off.
live or recorded event in Yammer, Teams, and/or Stream, and they can also interact with the presenters
using moderated Q & A or a Yammer conversation. For live events, Microsoft Teams provides an option
that enables users to expand their meeting audience by broadcasting video and meeting content online
to large audiences of up to 10,000 attendees.
| Role | Description |
| --- | --- |
| Organizer | A user with this role can perform the following actions: create the live event; set attendee permissions; select production method; configure event options (for example, the moderated Q&A); invite attendees; select event group members; manage reports generated after the event is over. |
| Producer | A user with this role is responsible for controlling the live event stream by performing the following actions: start and stop the live event; share his or her own video; share participant video; share his or her active desktop or window; select layouts. |
| Presenter | A user with this role presents audio, video, or a screen to the live event, and/or moderates Q&A. Presenters can only share audio, video, or a screen (desktop or window) in live events produced within Teams. |
| Attendee | A user with this role only watches an event live or on-demand using DVR controls, either anonymously or authenticated. The attendee can participate in Q&A. |
●● Private meeting scheduling, screensharing, and IP video sharing must be turned on in a Team meeting
policy.
●● The user must have an Exchange Online mailbox.
| Component | Description |
| --- | --- |
| Scheduling | Organizers can create an event with the appropriate attendee permissions, designate event team members, select a production method, and invite attendees. |
| Production | The live events support a spectrum of production scenarios. This includes an event produced in Teams using a webcam or an event produced in an external app or device. Depending on your project requirements and budget, you can choose between these options. There are two ways to produce events: Teams; External app or device |
| Production: Teams | This option is the best and quickest option if you are inviting remote presenters to participate in the event, or if you want to use the audio and video devices connected to the PC. |
| Production: External app or device | Allow users to produce their live events directly from an external hardware or software-based encoder with Stream. You can choose this method to produce the live event in cases where you already have studio quality equipment (for example, media mixers) which support streaming to a Real-time Messaging Protocol (RTMP) service |
The following picture shows a live event in the Teams Desktop client.
Attendee experience
The most important aspect of using Live events in Microsoft Teams is to provide the attendees a great
user experience without having to deal with any issues. The attendee experience uses Azure Media Player
for events produced in Teams and Stream Player for events produced in an external app or device. Live
events work across desktop, browser, and mobile (iOS, Android) devices.
Note: Office 365 provides Yammer and Teams as two collaboration hubs, and the live attendee
experience is integrated into these collaboration tools.
You should perform the following steps to create a live event policy:
1. Under Meetings & Live event policies, select the +Add button.
2. Type the name for your policy, and optionally type a description.
3. Customize the following tabs according to your preferences for this new policy:
●● Allow scheduling
●● Allow transcription for attendees
●● Who can join scheduled live events. Choose from Everyone, Everyone in the organization, and
Specific users or groups.
●● Who can record an event. Choose from Always record, Never record, and Organizer can
record.
4. Select Save to save your new policy.
3. Search for and select the appropriate user and then select the Add button. You need to repeat this
step for every user that will be assigned this policy.
4. When you have finished, select Save.
To disable live events scheduling across your organization, you should run the following command:
Set-CsTeamsMeetingBroadcastPolicy -Identity Global -AllowBroadcastScheduling $false
You can also set who can join live events. For example, to set the global policy so that users can
create events that everyone, including anonymous users, can attend, you should run the following command:
Set-CsTeamsMeetingBroadcastPolicy -Identity Global -BroadcastAttendeeVisibilityMode Everyone
The recording option for live events only applies to Live events that are produced in Teams. For example,
to set the global policy to disable recording for live events, you should run the following command:
Set-CsTeamsMeetingBroadcastPolicy -Identity Global -BroadcastRecordingMode AlwaysDisabled
4. In the event your company has purchased and set up a Software Defined Network (SDN) solution or
enterprise Content Delivery Network (eCDN) solution through a Microsoft video delivery partner, you
can configure the provider by performing the following steps:
●● Use a third-party distribution provider. You must turn this option on to enable the third-party
video distribution provider.
●● SDN provider name. Enter the provider you are using.
●● Provider license key. Enter the license ID, which you received from your provider contact.
●● SDN API template URL. Enter the API template URL, which you received from your provider
contact.
5. Select the Save button.
Note: If you want to create live events using an external app or device, you must first configure your
eCDN provider with Microsoft Stream2.
2 https://docs.microsoft.com/stream/network-caching
2. Share the Live event. Get the link to the event and share it with the users who will be attending the
event.
3. Produce the Live event. Start the event in Yammer, connect your external encoder so that you can
start the video, moderate the discussion, lead the event, and then close the event when you are done.
4. Follow up. Continue the discussion in Yammer after the event, since the Yammer conversation and
recording remain open after the event for follow-up questions and comments.
Teams
When presenters are going to use Microsoft Teams to record themselves from their computers, this
method would be the most appropriate. This type of live event is similar to setting up a Teams meeting. It
is easy to organize and produce and does not require AV expertise. This method of Live event organization
is scheduled, produced, and viewed in Microsoft Teams. Also, the attendees watch the video in Teams
and participate in the event from Teams.
Steps for broadcasting an event produced in Teams:
You should perform the following steps to organize a live event that is broadcast in Microsoft Teams:
1. Create the event. Create the event in a Yammer group. This will automatically take you to Teams so
that you can schedule the event, invite presenters and producers, and select recording, captioning,
and reporting options.
2. Share the Live event. Get the link to the event and share it with the users who will be attending the
event.
3. Produce the live event in Teams. Start the event in Teams, start the video, moderate the discussion,
lead the event, and then close it when you are done.
4. Follow up. Continue the discussion in Yammer after the event, since the Yammer conversation and
recording remain open after the event for follow-up questions and comments.
Additional information. For more information see Yammer live event step-by-step playbook7.
7 https://resources.techcommunity.microsoft.com/wp-content/uploads/2019/05/How-to-host-a-Live-Event-in-Yammer-Playbook.pdf
Manage phone numbers 297
You should perform the following steps to set up a calling plan for your organization:
1. Determine whether Calling Plans are available in your country/region. Calling plans can be purchased
depending on availability per country/region. Therefore, when planning for your telephony solution,
you should verify whether the country/region used in your Office 365 billing location supports audio
conferencing.
2. Buy and assign licenses. Once you ensure that calling plans can be purchased for your country/region,
you should buy the calling plan licenses and assign them to your users.
3. Obtain phone numbers. You can get phone numbers in one of the following ways:
●● Use the Teams admin center. This process is used when your country/region supports getting
phone numbers through the Teams admin center.
●● Port existing phone numbers. This process is used if you want to port your existing phone numbers
from the current carrier to the Office 365 Phone System.
●● Use the request number for port numbers. This process is used when the Teams admin center in
your country/region does not support getting phone numbers.
4. Add emergency addresses and locations for the organization.
5. Assign a phone number and emergency address for the user.
Direct Routing
If your organization has an on-premises PSTN connectivity solution, Direct Routing enables you to
connect a supported Session Border Controller (SBC) to Microsoft Phone System. Direct Routing enables
you to use any PSTN trunk with your Microsoft Phone System and configure interoperability between
customer-owned telephony equipment, such as a third-party private branch exchange (PBX), analog
devices, and Microsoft Phone System.
For example, with this Direct Routing capability, you can configure on-premises PSTN connectivity with a
Microsoft Teams client, as shown in the following diagram.
Infrastructure requirements
You must meet the following infrastructure requirements to deploy a Direct Routing solution in your
organization:
●● A supported Session Border Controller (SBC).
●● One or more telephony trunks connected to the SBC. The SBC can also be connected to third-party
PBXs or Analog Telephony Adapters. On the other end, the SBC will be connected to Microsoft Phone
System through Direct Routing.
●● Office 365 Tenant where your organization’s Teams users are located.
●● Users must be homed in Microsoft Teams. In a hybrid environment, on-premises Skype for Business
users cannot be enabled for voice in Microsoft Teams.
●● Domains must be configured to your organization’s Office 365 tenant. The default *.onmicrosoft.com
domain cannot be used.
●● A public DNS FQDN and a public IP address that will be used to connect to the SBC.
●● A public trusted certificate for the SBC that will be used for communication with Direct Routing.
●● Connection points FQDNs for Direct Routing that include:
●● sip.pstnhub.microsoft.com – Global FQDN, must be tried first.
●● sip2.pstnhub.microsoft.com – Secondary FQDN, geographically maps to the second priority region.
●● sip3.pstnhub.microsoft.com – Tertiary FQDN, geographically maps to the third priority region.
●● Firewall IP addresses and ports for Direct Routing and Microsoft Teams media should be opened. The
following table identifies the ports that should be opened.
Licensing requirements
Users of Direct Routing must have the following licenses assigned in Office 365:
●● Microsoft Phone System
●● Microsoft Teams and Skype for Business Plan 2 (from a subscription plan)
●● Microsoft Audio Conferencing is required in scenarios where a Teams user in a call wants to add a
PSTN user in a call through Audio Conferencing service.
Additional information. For more information, see Phone System Direct Routing8.
8 https://docs.microsoft.com/en-us/microsoftteams/direct-routing-landing-page
9 https://docs.microsoft.com/en-us/microsoftteams/different-kinds-of-phone-numbers-used-for-calling-plans
5. On the Select location and quantity pane, enter the following information:
●● Country or region - select country or region.
●● Number type - select the appropriate option that determines whether the phone numbers are
designated for users or for services, such as conference bridge, call queue, or auto attendant.
●● Location - choose a location for connecting the new phone numbers. If you need to create a new
location, select Add a location and enter the required location’s data.
●● Area code - select a valid area code for the country and location.
●● Quantity - enter the number of phone numbers that you want for your organization.
7. On the Get numbers page, select the phone numbers you want to apply to your tenant.
8. Select Place order.
Note: The phone numbers are only reserved for 10 minutes; therefore, if you do not select Place
order, the phone numbers are returned to the pool of numbers.
●● If you need to port more than 999 phone numbers, you must submit a port order service request or
submit an order to get phone numbers ported over to Office 365.
In the Voice & Phone numbers section, you can also port existing phone numbers from a service
provider by choosing the Port button. You can see all the orders you have placed in the Order history
tab.
10 https://docs.microsoft.com/en-us/microsoftteams/manage-phone-numbers-for-your-organization/manage-phone-numbers-for-your-organization
●● Assign phone numbers (enable users to make and receive phone calls)
Note: Take extra care when configuring and maintaining your organization’s emergency locations, as they
can literally impact the life or death of your employees. Several countries/regions have strict laws that
require companies to ensure the availability of an emergency phone number in the event of an accident.
11 https://docs.microsoft.com/en-us/MicrosoftTeams/what-are-emergency-locations-addresses-and-call-routing
4. To assign or change the associated emergency location, search for and then select the location under
the Emergency location tab.
5. In Assigned to, search for the user by display name or username, and then select Assign. Important:
You can only find a user if the user has the appropriate license applied.
6. Select Apply.
12 https://docs.microsoft.com/en-us/microsoftteams/manage-phone-numbers-for-your-organization/manage-phone-numbers-for-your-organization
To share calls with others, a user must create a call group and then add the users he or she wants to share
the calls with (they can also configure simultaneous ring or forwarding).
Note: The call group owner and members of the call group must all be in Teams Only deployment mode,
and the maximum number of users in each call group is 25.
When you want to allow a user to use call groups, you can either change their policy using the
Set-CsTeamsCallingPolicy cmdlet, or grant a different policy to the users.
Note: Before creating a new policy, you should always verify that no policy already exists that covers your
exact scenario.
If you have permission to create call groups, you can use the Microsoft Teams Client to add a call group
by performing the following steps:
1. In the upper right corner of the client, select Settings and Calls.
2. Below Call answering rules, select Forward my calls, and open the dropdown menu by selecting
Voicemail.
3. Select the call group to open a Call group new window.
4. Use the search field below Add people and select the desired members of the call group.
5. In the Ring order menu, you can select All at the same time to ring everyone simultaneously, or In
the order above to call people in order in 20-second intervals (note that if your call group has six or
more people, incoming calls will ring all of them at the same time).
Note: All users added to a call group receive a notification in their Teams client.
When an admin turns off group calling for a user after the user has already set up a call group, the call
group relationships for the user in the Teams admin center must be cleaned up to avoid incorrect call
routing.
To clean up or modify the call group for a user, sign into the Teams Admin Center and perform the
following steps:
1. In the left-hand navigation pane in the Teams Admin Center, select Users and then select the name
of the user you want to edit.
2. Select the Voice tab and navigate to the Group call pickup section.
3. In the list select the users you want to remove from the Call group and select Remove.
If you want to add users to a call group, perform the following steps:
1. In the left-hand navigation pane in the Teams Admin Center, select Users and then select the name
of the user who owns the call group you want to modify.
2. Select the Voice tab and navigate to the Group call pickup section.
3. Select Add people and then in the right-hand pane, search for the users you want to add.
4. Select Apply to add the selected users to the call group.
Additional information. For more information see Call forwarding, call groups and simultaneous
ring in Teams13.
13 https://support.office.com/en-us/article/call-forwarding-call-groups-and-simultaneous-ring-in-teams-a88da9e8-1343-4d3c-9bda-4b9615e4183e?ui=en-US&rs=en-US&ad=US
Manage Phone System for Microsoft Teams 311
If you want to assign a phone number to a Phone System call queue, you must:
1. Obtain a service number and free Phone System (or a paid Phone System license to use with the
resource account or a Phone System license).
2. Create the resource account.
3. Assign the Phone System license or Phone System Virtual User license.
4. Assign a service phone number to the resource account you just assigned licenses to.
5. Create a Phone System call queue or auto attendant.
6. Link the resource account with a call queue or auto attendant.
Important: When the auto attendant (or call queue) is nested under a top level auto attendant, and you
want multiple points of entry into the structure of auto attendants and call queues, the associated
resource account only needs a phone number.
Note: Your organization is allotted Phone System–Virtual User licenses depending on its overall size. Any
organization has 25 Virtual User licenses available at no cost if it has at least one license including Phone
System, or it has Phone System added. For each 10 Phone System user licenses in your organization, one
more Phone System–Virtual User license becomes available.
2. Select New account and enter the required information in the Add resource account window:
●● Display name
●● Username – provide a unique combination of a name and verified domain for your tenant.
●● Resource account type – Select either call queue or auto attendant
3. Select Save to create the new resource account.
You should perform the following steps to assign the license to the freshly created resource account:
1. In the Office 365 Admin Center navigate to Users > Active users.
2. Search for the Display name of the resource account you created.
3. Select the resource account.
4. In the right-hand pane select Licenses and Apps, and then select either Phone System or Phone
System – Virtual User licenses.
5. Select Apply.
●● Phone number type – Online, Toll-free or On Premises.
●● Assigned phone number – The number you want to assign.
●● Select an Auto attendant/Select a call queue – This option will change depending on the option
you selected when creating a resource account.
4. Select Save.
Note: The phone number cannot be assigned to the resource account if the account does not have a
valid license.
To create a call queue resource account, you must provide a different ApplicationId.
You should run the following PowerShell command to assign a direct routing phone number to a resource
account (homed in Teams or Skype For Business Server 2019):
Set-CsOnlineApplicationInstance -Identity appinstance01@contoso.com -OnpremPhoneNumber +14250000000
14 https://docs.microsoft.com/en-us/microsoftteams/manage-resource-accounts
●● Name: This name is displayed in the notification for the incoming call.
●● Add Accounts: Select a resource account (it may or may not be associated with a toll or toll-free
phone number for the call queue, but each call queue requires an associated resource account). If
no resource accounts are listed, you will have to get service numbers and assign them to a
resource account before you can create this call queue.
●● Users with a Phone System license or a Calling Plan are added to either a Microsoft 365 Group, a
mail-enabled Distribution List, or a Security Group. There may be a short waiting period before users
start receiving calls from a call queue, depending on whether the newly added agent belongs to a
distribution list or a security group. Newly created Microsoft 365 Groups are available almost
immediately.
●● If your agents are using Microsoft Teams App to take call queue calls, they must be in TeamsOnly
mode.
Routing method
For your call queue distribution method, you can choose from the following methods:
●● Attendant routing. Enables the first call in the queue to ring all call agents at the same time. The first call
agent to pick up the call gets the call.
●● Serial routing. Incoming calls ring call agents one by one, starting from the beginning of the call
agent list (agents cannot be ordered within the call agent list). If an agent dismisses or does not pick
up a call, then the call will ring the next agent on the list, trying all agents one by one until it is picked
up or times out waiting in the queue.
●● Round robin. Balances routing of incoming calls so that each call agent gets the same number of
calls from the queue.
●● Person in your company. This option enables you to select the person to whom the incoming
call will be redirected, and the call will be forwarded directly to voicemail.
●● Voice application. You must select the name of an existing resource account associated with
either a call queue or an auto attendant.
15 https://docs.microsoft.com/en-us/microsoftteams/create-a-phone-system-call-queue
●● Greeting – Do not play a greeting; instead, play an audio file or use text to speech.
●● Actions – You can decide to disconnect or redirect the call.
11. Select Save to save the holiday. You can add multiple holidays by repeating steps 9 through 11.
12. Select Next.
13. On the next page you can define the scope of users that is searchable by the caller.
●● Include – Select a group of users or all online users. Online users are all the users whose accounts
are online or those that have been added using Azure directory sync. Custom groups can be
security, distribution, and Microsoft 365 Groups.
●● Exclude – You can select none or a user group. This will exclude those users from being
searchable.
14. Select Next.
15. On the next page you will be asked to assign at least one resource account to the auto attendant.
16. Select Add account and search for the account you already created in the right panel.
●● If you have yet to create an account, you can select Add resource account after searching for a
non-existing account name.
17. Select Add to add the existing resource account to the attendant.
18. Select Submit to create your auto attendant.
To modify an auto attendant, you will navigate through the same menu again. If you have not assigned a
phone number to your resource account, you cannot call the attendant.
Dial by Extension. This feature enables a caller to use voice (speech recognition) or their phone keypad
(DTMF) responses to enter the phone extension of the user they are trying to reach, and then have the
call transferred to them.
The users you wish to have located and reached using Dial by name or extension are not required to have
a phone number or have Calling Plans assigned to them, but they must have a Phone System license if
they are online users, or Enterprise Voice-enabled for Skype for Business Server users.
Dial by name or extension will even be able to find and transfer calls to Microsoft Teams users who are
hosted in different countries/regions for multi-national organizations. Given the prerequisites involved,
you explicitly enable Dial by name and Dial by extension in an auto attendant.
Maximum directory size
There is no limit in the number of AD users Dial by Name and Dial by extension can support when a caller
searches for a specific person. The maximum name list size that a single auto attendant can support using
speech recognition is 80,000 users.
With Dial by Name, a caller can enter just one part of the name or full names (FirstName + LastName,
and also LastName + FirstName). There are various formats that can be used when the name is entered.
People can use the ‘0’ (zero) key to indicate a space between the first and last name. When the person
enters the name, he or she will be asked to terminate the keypad entry with the # key; for example, "After
you have entered the name of the person you are trying to reach, please press #." In the event that
multiple names are found, a list of names will be displayed, from which the person who is calling can
select the person he or she is trying to reach.
With Dial by Extension, the caller needs the full extension number.
●● Verify that the user is using the Teams client or a Teams-enabled device/phone.
●● Check whether the call has already been retrieved or terminated.
●● Check whether the user is a member of the call park group.
●● If you are working in Island mode, note that call park and retrieve is unavailable in Teams island mode.
Additional information. For more information, see Call park and retrieve16
16 https://docs.microsoft.com/en-us/microsoftteams/call-park-and-retrieve
For example, to control whether users can route inbound calls to voicemail, in the Voicemail is available
for routing inbound calls feature, select Always enabled or User controlled. To prevent routing
to voicemail, select Always disabled.
4. Select Save.
17 https://docs.microsoft.com/en-us/microsoftteams/teams-calling-policy
4. Configure your policy settings:
●● Block incoming caller ID
●● Users can override the caller ID policy
●● Replace caller ID - display the user's number; set a service phone number to display as the caller
ID or display the caller ID as Anonymous.
●● Service number to use to replace the caller ID - this option is available when you choose
Service number in Replace caller ID.
5. Select Save.
You should run the following commands to assign a custom policy to multiple users of a group by using
the Azure Active Directory PowerShell module and looping through all members of a group:
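●● Get the GroupObjectId of the particular group:
$group = Get-AzureADGroup -SearchString "Contoso Support"
●● Get the members of the specified group:
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Where-Object {$_.ObjectType -eq "User"}
●● Assign all users of the group a custom caller ID policy, such as Support Caller ID Policy:
$members | ForEach-Object { Grant-CsCallingLineIdentity -PolicyName "Support Caller ID Policy" -Identity $_.UserPrincipalName }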
Overall health
The information regarding the overall health of the connected SBCs includes: Direct Routing summary,
SBC (The FQDN of the paired SBC), and Network Effectiveness Ratio (NER), which compares the number
18 https://docs.microsoft.com/en-us/microsoftteams/teams-powershell-overview
The Health Dashboard provides the following information related to overall health of the connected
SBCs:
●● Network Effectiveness Ratio. The NER measures the ability of networks to deliver calls to the far-end
terminal (except the manual call rejections). Therefore, when the recipient rejects a call (or sends it to
voicemail) the call will be considered a successful delivery. This means that an answer message, a busy
signal, or a ring with no answer are all considered successful calls.
Because the action you take might depend on the number of calls affected, the Health Dashboard
displays how many calls were analyzed to calculate various parameters. Note that if the number of
calls is less than 100, the NER might be quite low, but still be normal.
●● Average call duration. This parameter can help you to monitor the quality of calls. The average
duration of a 1:1 PSTN call is four to five minutes, but this average can differ in different companies.
Therefore, it is recommended that you establish a baseline for the average call duration for your
organization, because if the parameter falls far below the baseline, it will indicate that your
users are having issues with call quality or reliability and are hanging up earlier than usual. On the
other hand, if you are seeing low call durations, it may be the result of callers hanging up because the
service is not performing well.
●● Transport Layer Security (TLS) connectivity status. This parameter shows the status of the TLS
connections between Direct Routing and the SBC. The Health Dashboard also follows the certificate
expiration date and provides information if a certificate is about to expire within 30 days. This should
give administrators enough time to renew the certificate before service is disrupted.
●● SIP options status. By default, the SBC sends options messages every minute, although this
configuration can vary for different SBC vendors. Direct Routing uses the SIP options status parameter to
warn administrators if the SIP options are not sent or are not configured.
●● Detailed SIP options status. This parameter provides detailed descriptions of any errors that
occurred. To see the descriptions, you must select the “Warning” message, where a pop-up window will
display the detailed error description. Possible values for SIP options status messages include:
●● Active. The SBC is active.
●● Warning, no SIP options. The Session Border Controller exists in the database and it is configured
to send SIP options, but the Direct Routing service never saw the SIP options coming back from
this SBC.
●● Warning, SIP Messages aren't configured. Trunk monitoring using SIP options is not turned on.
You will have problems if this trunk can be reached at the network level, but the certificate has
expired or the SIP stack does not work. To identify such problems in the early stage, it is
recommended that you enable sending SIP options.
●● Concurrent calls capacity. You can manually specify the limit of concurrent calls that an SBC can
handle at one time by using the New- or Set-CsOnlinePSTNGateway command with the
-MaxConcurrentSessions parameter (this parameter calculates how many calls were sent or received by Direct
Routing using a specific SBC and compares it with the limit which was manually set).
●● Network Effectiveness ratio. This is the same parameter that appears on the Overall Health
dashboard, but with the option to see the data by time series or call direction.
Additional information. For more information see Monitor and troubleshoot Direct Routing19.
19 https://docs.microsoft.com/en-us/microsoftteams/direct-routing-monitor-and-troubleshoot
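The Health Dashboard warns when an SBC certificate is within 30 days of expiry. The following PowerShell is an added example, not part of the course material, that applies the same 30-day window by reading the certificate an SBC presents on its TLS port. The function name, the default port 5061 and the FQDN in the usage comment are assumptions.

```powershell
function Get-SbcTlsCertificateStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Fqdn,  # public FQDN of the SBC
        [int] $Port = 5061,                      # assumption: SIP signaling port of your SBC
        [int] $WarningDays = 30,                 # same window as the Health Dashboard
        [int] $TimeoutMs = 5000
    )

    # The validation callback records the certificate and the policy errors, then
    # returns $true so that an expired or untrusted certificate can still be read.
    # No application data is sent over this connection.
    $state = @{ Certificate = $null; Errors = [System.Net.Security.SslPolicyErrors]::None }
    $validator = {
        param($source, $certificate, $chain, $policyErrors)
        if ($certificate) {
            $state.Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
        }
        $state.Errors = $policyErrors
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $validator

    $handshakeError = $null
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $client.ConnectAsync($Fqdn, $Port).Wait($TimeoutMs)) {
            throw "Timed out connecting to ${Fqdn}:$Port"
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($Fqdn)
        } catch {
            # An SBC that requires a client certificate can abort the handshake
            # after its own certificate has already been captured above.
            $handshakeError = $_.Exception.Message
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Dispose()
    }

    $cert = $state.Certificate
    if (-not $cert) {
        throw "No certificate received from ${Fqdn}:$Port. $handshakeError"
    }

    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $expiry = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarningDays) { 'ExpiresSoon' } else { 'OK' }

    [pscustomobject]@{
        Sbc            = "${Fqdn}:$Port"
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        DaysRemaining  = $daysLeft
        ExpiryStatus   = $expiry
        # Name and chain results come from this machine's TLS validation, which
        # approximates, but is not identical to, the check Direct Routing performs.
        NameMismatch   = $state.Errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        ChainErrors    = $state.Errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
        HandshakeError = $handshakeError
    }
}

# Single SBC (hypothetical FQDN):
#   Get-SbcTlsCertificateStatus -Fqdn 'sbc1.contoso.com'
# Every SBC paired with the tenant (requires a connected Teams PowerShell session):
#   Get-CsOnlinePSTNGateway | ForEach-Object {
#       Get-SbcTlsCertificateStatus -Fqdn $_.Fqdn -Port $_.SipSignalingPort }
```

If the SBC firewall admits only the Direct Routing address ranges, run the check from a network that is allowed to reach the signaling port; a timeout from an ordinary workstation does not by itself indicate a certificate problem.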
PBX system or the phone system capabilities offered by Office 365. Performing voice calls to PSTN
when using cloud PBX also requires a calling plan.
●● Calling Plans. Enables the users to call any phone numbers outside of your business. There are
Domestic Calling Plans and Domestic and International Calling Plans in Office 365.
●● Microsoft Teams Rooms. Enables you to use capable devices for connecting video, audio, and
content sharing features to conference rooms.
To understand which add-on licenses are required for which use-cases, you must be familiar with the
standalone licensing and subscription plans for Office 365, Enterprise Mobility + Security and Windows
10.
For example, to perform voice calling into the PSTN, you must combine different licenses:
Troubleshooting overview
Troubleshooting problems within Microsoft Teams may include a wide array of possible areas that you
need to investigate - starting from the Teams client up to the coexistence mode settings configured by
your Teams administrator. This topic examines the most important areas you should be aware of when
troubleshooting Teams.
20 https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
Troubleshoot audio, video, and client issues 337
4. Type Teams in the search box, and then select Clear app data.
6. Restart the Teams app and make sure the Teams logo appears when starting the app; otherwise, you
incorrectly closed the Teams app earlier.
The following table identifies the method required to create the debug logs based on the Teams client
OS.
Media logs
Media logs contain diagnostic data about audio, video, and screen sharing. They are required for support
cases only upon request, and they can only be inspected by Microsoft. The following table outlines the
log location.
Windows client
●● %appdata%\Microsoft\Teams\media-stack*.blog
●● %appdata%\Microsoft\Teams\skylib*.blog
●● %appdata%\Microsoft\Teams\media-stack*.etl
Mac OSX client
●● ~/Library/Application Support/Microsoft/Teams/media-stack/*.blog
●● ~/Library/Application Support/Microsoft/Teams/skylib/*.blog
Desktop logs
Desktop logs, which are also known as bootstrapper logs, contain log data that occurs between the
desktop client and the browser. Like media logs, these logs are only required if requested by Microsoft.
The logs are text-based and can be read using any text-based editor in a top down format.
The following table identifies the method required to create the desktop logs based on the Teams client
OS.
●● When the user is homed on Skype for Business Online and has Microsoft Phone System, the
user always initiates and receives PSTN calls in Skype for Business. This happens regardless of
whether the user has a Microsoft Calling Plan, or connects to the PSTN network via either
Skype for Business Cloud Connector Edition or an on-premises deployment of Skype for
Business Server (hybrid voice).
Note: Microsoft Teams Phone System with Calling Plans or Direct Routing is not supported in
Islands Mode. For Calling Plans, a user can be using SfBOnly or TeamsOnly mode. For Direct
Routing, users must be TeamsOnly.
●● Receives Microsoft Call Queues and Auto-Attendant calls in Skype for
Business.
●● Can schedule meetings in Teams or Skype for Business (and will see both
plug-ins by default).
●● Can join any Skype for Business or Teams meeting; the meeting will open in
the respective client.
2. SfBOnly
A user runs only Skype for Business. This user:
●● Can initiate chats and calls only from Skype for Business.
●● Receives any chat/call in their Skype for Business client, regardless of
where initiated, unless the initiator is a Teams user with Skype for
Business homed on-premises.
●● Can schedule only Skype for Business meetings but can join Skype for
Business or Teams meetings.
3. SfBWithTeamsCollab
A user runs both Skype for Business and Teams side-by-side. This user:
●● Has the functionality of a user in SfBOnly mode.
●● Has Teams enabled only for group collaboration (Channels); chat/calling/meeting scheduling are
disabled.
4. SfBWithTeamsCollabAndMeetings
A user runs both Skype for Business and Teams side-by-side. This user:
●● Has the chat and calling functionality of a user in SfBOnly mode.
●● Has Teams enabled for group collaboration (channels - includes channel
conversations); chat and calling are disabled.
●● Can schedule only Teams meetings, but can join Skype for Business or Teams
meetings.
5. TeamsOnly (requires SfB Online home)
●● Can only schedule meetings in Teams, but can join Skype for Business or
Teams meetings.
●● Can continue to use Skype for Business IP phones.
Using TeamsOnly mode in combination with other users in Islands mode is not
recommended until Teams adoption is saturated; in other words, all Islands
mode users actively use and monitor both the Teams and Skype for Business
●● Federated. If one of the chat participants is not TeamsOnly, the chat will be a non-native, SfB Interop
chat, with normal SfB interop limitations, and the chat will route through the Skype for Business
infrastructure. The External chat will display a Skype logo:
External Message Routing
When planning external message routing, you should be aware of the following routing rules:
●● Chats/Calls will route to Skype for Business if the recipient is an Islands or SfB mode user
●● Chats/Calls will route to Teams if the recipient is a TeamsOnly mode user
21 https://docs.microsoft.com/en-us/MicrosoftTeams/teams-client-experience-and-conformance-to-coexistence-modes
●● The presence shown for the recipient will be their presence in the client to which messages will
route
Chat Thread Switching
When the user coexistence mode of a participant in a chat thread causes a change in the type of thread,
the current chat thread will be locked, and users will be prompted to switch the conversation to the new
chat thread type with a link to the new thread:
●● Chat Thread Switch from Interop -> Native
●● Chat Thread Switch from Native -> Interop
Additional information. For more information, see Native chat experience for external (federated)
users in Microsoft Teams22.
22 https://docs.microsoft.com/en-us/microsoftteams/native-chat-for-external-users
23 https://docs.microsoft.com/en-us/microsoftteams/set-up-call-analytics
5. Select the Advanced tab, and then look for yellow and red items that indicate poor call quality or
connection problems.
In the session details for each call or meeting, minor issues appear in yellow. A yellow item is outside of
the normal range and may be contributing to the problem, but it is unlikely to be the main cause. A red
item is a significant problem, and it is likely the main cause of the poor call quality for this session.
In only rare cases is quality of experience data not received for audio sessions. Often this is caused by the
call dropping and connection with the client terminating. When this occurs, the session rating is unavailable.
For audio sessions that do have quality of experience (QoE) data, the following table describes major
issues that qualify a session as poor.
24 https://aka.ms/Mkoxy7
User Agent Category of Caller | User Agent Category of Callee | First Endpoint | Second Endpoint | First Is Caller
AV-MCU | Microsoft Teams Windows | AV-MCU | Microsoft Teams Windows | TRUE
AV-MCU | Microsoft Teams Mac | Microsoft Teams Mac | AV-MCU | FALSE
Microsoft Teams Mac | Microsoft Teams iOS | Microsoft Teams iOS | Microsoft Teams Mac | FALSE
Note: The First and Second classification is separate from which endpoint is the caller or the person
being called. The First Is Caller dimension can be used to help identify which endpoint was the caller or
the person being called.
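The note above, as an added example (not part of the handbook): per-endpoint columns in a CQD export describe the First or Second endpoint, so First Is Caller is needed before any value can be attributed to the caller. The column names and the connection-type values are constructed for illustration; the three endpoint rows are the ones in the table above.

```python
import csv
import io
from collections import Counter

# Constructed sample: the three First/Second rows from the table above, plus a
# hypothetical column pair (first_conn / second_conn) standing in for any
# dimension that CQD reports per endpoint rather than per role.
SAMPLE = (
    "first_endpoint\tsecond_endpoint\tfirst_is_caller\tfirst_conn\tsecond_conn\n"
    "AV-MCU\tMicrosoft Teams Windows\tTRUE\tWired\tWiFi\n"
    "Microsoft Teams Mac\tAV-MCU\tFALSE\tWiFi\tWired\n"
    "Microsoft Teams iOS\tMicrosoft Teams Mac\tFALSE\tMobileBB\tWiFi\n"
)


def resolve_roles(row):
    """Map First/Second columns onto caller/callee using First Is Caller."""
    flag = row["first_is_caller"].strip().upper()
    if flag not in ("TRUE", "FALSE"):
        # An empty or malformed flag must not silently default to one role.
        raise ValueError(f"unexpected First Is Caller value: {flag!r}")
    first = {"agent": row["first_endpoint"], "conn": row["first_conn"]}
    second = {"agent": row["second_endpoint"], "conn": row["second_conn"]}
    caller, callee = (first, second) if flag == "TRUE" else (second, first)
    return {"caller": caller, "callee": callee}


def load(text=SAMPLE):
    """Parse a tab-separated export and resolve roles for every row."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [resolve_roles(r) for r in reader]


def callers_by_connection(calls):
    """Count calls per (caller user agent, caller connection type)."""
    return Counter((c["caller"]["agent"], c["caller"]["conn"]) for c in calls)


if __name__ == "__main__":
    for call in load():
        print(call["caller"]["agent"], "->", call["callee"]["agent"])
    print(callers_by_connection(load()))
```
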
Additional information. For a list of the dimensions and measures currently available in CQD, see
Dimensions and measures available in Call Quality Dashboard25.
25 https://aka.ms/Ab3khp
To be able to use Location-Enhanced reports in the CQD, you must upload the location information. This
is done on the Tenant Data Upload page by selecting Tenant Data Upload from the settings menu in
the top-right corner. This page is used for admins to upload their own information, such as:
●● A map of IP address and geographical information
●● A map of each wireless AP and its MAC address
●● A map of Endpoint to Endpoint Make/Model/Type, etc.
Additional information. For more details about how to upload and use building or endpoint-specific
information in the CQD, see CQD: Upload Tenant Data information26.
2. The Get Data window should appear at this point. Navigate to Online Services, then select Microsoft
Call Quality (Beta) and select Connect.
26 https://docs.microsoft.com/en-us/microsoftteams/turning-on-and-using-call-quality-dashboard
27 https://docs.microsoft.com/power-bi/desktop-connector-extensibility#data-extension-security
3. You will be prompted to log in next. Use the same credentials that you use for CQD.
4. The next prompt will give you the option between two Data Connectivity modes. Select DirectQuery
and select OK.
5. Finally, you will be given a prompt showing you the entire data model for CQD. No data will be
visible at this point, only the data model for CQD. Select Load to complete the setup process.
6. At this point, Power BI will load the data model onto the right side of the window. The page will
remain otherwise blank, and no queries will be loaded by default. Proceed to Build queries below
in order to build a query and return data.
Build queries
Once setup is complete, you should see the names of several hundred dimensions and measures load in
the Fields pane. You can build a custom report from scratch or leverage the following predefined CQD
Power BI templates as a starting point.
Template | Description
CQD Helpdesk Report.pbit | Integrating building and EUII data, this report is designed to let you drill up from a single user to find the upstream root cause of poor call quality for that user (for example, the user is in a building that's experiencing network problems).
CQD Location Enhanced Report.pbit | Re-imagining CQD SPD location reports. Includes 9 reports, providing Call Quality, Building WiFi, Reliability, and Rate My Call (RMC) information with additional drill-thrus by Building or by User. Make sure you upload the building data to maximize your reporting experience.
CQD Mobile Device Report.pbit | Provides insights specifically tuned towards mobile device users, including Call Quality, Reliability, and Rate My Call. View mobile network, WiFi network, and mobile operating system reports (Android, iOS).
CQD PSTN Direct Routing Report.pbit | Provides insights specific for PSTN calls that go through Direct Routing.
CQD Summary Report.pbit | Better visualizations, improved presentation, increased information density, and rolling dates. These reports make it easier to identify outliers. Drill into call quality by location with an easy-to-use interactive map. 9 new reports: Quality Overall, Reliability Overall, RMC (Rate My Call) Overall, Conference Quality, P2P Quality, Conference Reliability, P2P Reliability, Conference RMC, P2P RMC.
CQD Teams Utilization Report.pbit | Shows how users in your organization are using Teams and how much. Make sure you upload the building data to maximize your reporting experience.
CQD User Feedback (Rate My Call) Report.pbit | Shows Rate My Call data in a way that you can easily use to help support calling for your organization. Cross reference with verbatims to identify end user education opportunities.
Additional information. For more information about building queries manually, see Install Power BI
Connector to use CQD query templates28.
28 https://docs.microsoft.com/en-us/MicrosoftTeams/cqd-power-bi-connector#building-queries