
MCT USE ONLY.

STUDENT USE PROHIBITED


Microsoft Official Course

MS-700T00
Managing Microsoft Teams
Disclaimer

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and   
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is
not responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained  
therein.

© 2019 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/trademarks are trademarks of the
Microsoft group of companies. All other trademarks are property of their respective owners.

MICROSOFT LICENSE TERMS


MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one
of its affiliates) and you. Please read them. They apply to your use of the content accompanying this
agreement which includes the media on which you received it, if any. These license terms also apply to
Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany
those items. If so, those terms apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
1. “Authorized Learning Center” means a Microsoft Imagine Academy (MSIA) Program Member,
Microsoft Learning Competency Member, or such other entity as Microsoft may designate from
time to time.
2. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
3. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center
owns or controls that is located at an Authorized Learning Center’s training facilities that meets or
exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
4. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training
Session or Private Training Session, (ii) an employee of an MPN Member (defined below), or (iii) a
Microsoft full-time employee, a Microsoft Imagine Academy (MSIA) Program Member, or a
Microsoft Learn for Educators – Validated Educator.
5. “Licensed Content” means the content accompanying this agreement which may include the
Microsoft Instructor-Led Courseware or Trainer Content.
6. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training
session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently
certified as a Microsoft Certified Trainer under the Microsoft Certification Program.
7. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course
that educates IT professionals, developers, students at an academic institution, and other learners
on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC,
Microsoft Dynamics, or Microsoft Business Group courseware.
8. “Microsoft Imagine Academy (MSIA) Program Member” means an active member of the Microsoft
Imagine Academy Program.
9. “Microsoft Learn for Educators – Validated Educator” means an educator who has been validated
through the Microsoft Learn for Educators program as an active educator at a college, university,
community college, polytechnic or K-12 institution.
10. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner
Network program in good standing that currently holds the Learning Competency status.
11. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as
Microsoft Official Course that educates IT professionals, developers, students at an academic
institution, and other learners on Microsoft technologies.
12. “MPN Member” means an active Microsoft Partner Network program member in good standing.
13. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic
device that you personally own or control that meets or exceeds the hardware level specified for
the particular Microsoft Instructor-Led Courseware.
14. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led
Courseware. These classes are not advertised or promoted to the general public and class attendance
is restricted to individuals employed by or contracted by the corporate customer.
15. “Trainer” means (i) an academically accredited educator engaged by a Microsoft Imagine Academy
Program Member to teach an Authorized Training Session, (ii) an academically accredited educator
validated as a Microsoft Learn for Educators – Validated Educator, and/or (iii) a MCT.
16. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and
additional supplemental content designated solely for Trainers’ use to teach a training session
using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint
presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs,
classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not
include any software, virtual hard disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one
copy per user basis, such that you must acquire a license for each individual that accesses or uses the
Licensed Content.
● 2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
1. If you are a Microsoft Imagine Academy (MSIA) Program Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led
Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User who is enrolled in the Authorized Training Session, and only immediately
prior to the commencement of the Authorized Training Session that is the subject matter
of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they
can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content.
3. For each license you acquire, you must comply with the following:

1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure each End User attending an Authorized Training Session has their own
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the
Authorized Training Session,
3. you will ensure that each End User provided with the hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each Trainer teaching an Authorized Training Session has their own
valid licensed copy of the Trainer Content that is the subject of the Authorized Training
Session,
5. you will only use qualified Trainers who have in-depth knowledge of and experience with
the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware
being taught for all your Authorized Training Sessions,
6. you will only deliver a maximum of 15 hours of training per week for each Authorized
Training Session that uses a MOC title, and
7. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer
resources for the Microsoft Instructor-Led Courseware.
2. If you are a Microsoft Learning Competency Member:
1. Each license acquired may only be used to review one (1) copy of the Microsoft Instructor-Led
Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware
is in digital format, you may install one (1) copy on up to three (3) Personal Devices.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or
control.
2. For each license you acquire on behalf of an End User or MCT, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Authorized Training Session and only immediately prior to
the commencement of the Authorized Training Session that is the subject matter of the
Microsoft Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) MCT with the unique redemption code and instructions on how
they can access one (1) Trainer Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure that each End User attending an Authorized Training Session has their
own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of
the Authorized Training Session,
3. you will ensure that each End User provided with a hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each MCT teaching an Authorized Training Session has their own
valid licensed copy of the Trainer Content that is the subject of the Authorized Training
Session,
5. you will only use qualified MCTs who also hold the applicable Microsoft Certification
credential that is the subject of the MOC title being taught for all your Authorized
Training Sessions using MOC,
6. you will only provide access to the Microsoft Instructor-Led Courseware to End Users,
and
7. you will only provide access to the Trainer Content to MCTs.
3. If you are a MPN Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led
Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Private Training Session, and only immediately prior to the
commencement of the Private Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the
unique redemption code and instructions on how they can access one (1) Trainer
Content.
3. For each license you acquire, you must comply with the following:

1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure that each End User attending a Private Training Session has their own
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the
Private Training Session,
3. you will ensure that each End User provided with a hard copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each Trainer teaching a Private Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Private Training Session,
5. you will only use qualified Trainers who hold the applicable Microsoft Certification
credential that is the subject of the Microsoft Instructor-Led Courseware being taught
for all your Private Training Sessions,
6. you will only use qualified MCTs who hold the applicable Microsoft Certification credential
that is the subject of the MOC title being taught for all your Private Training Sessions
using MOC,
7. you will only provide access to the Microsoft Instructor-Led Courseware to End Users,
and
8. you will only provide access to the Trainer Content to Trainers.
4. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for
your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you
may access the Microsoft Instructor-Led Courseware online using the unique redemption code
provided to you by the training provider and install and use one (1) copy of the Microsoft
Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy
of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led
Courseware on a device you do not own or control.
5. If you are a Trainer.
1. For each license you acquire, you may install and use one (1) copy of the Trainer Content in
the form provided to you on one (1) Personal Device solely to prepare and deliver an
Authorized Training Session or Private Training Session, and install one (1) additional copy
on another Personal Device as a backup copy, which may be used only to reinstall the
Trainer Content. You may not install or use a copy of the Trainer Content on a device you do
not own or control. You may also print one (1) copy of the Trainer Content solely to prepare
for and deliver an Authorized Training Session or Private Training Session.
2. If you are an MCT, you may customize the written portions of the Trainer Content that are
logically associated with instruction of a training session in accordance with the most recent
version of the MCT agreement.
3. If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private
Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any
use of “customize” refers only to changing the order of slides and content, and/or not using
all the slides or content, it does not mean changing or modifying any slide or content.
● 2.2 Separation of Components. The Licensed Content is licensed as a single unit and you
may not separate their components and install them on different devices.
● 2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights
above, you may not distribute any Licensed Content or any portion thereof (including any permitted
modifications) to any third parties without the express written permission of Microsoft.
● 2.4 Third Party Notices. The Licensed Content may include third party code that Microsoft,
not the third party, licenses to you under this agreement. Notices, if any, for the third party
code are included for your information only.
● 2.5 Additional Terms. Some Licensed Content may contain components with additional
terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions
and licenses also apply to your use of that respective component and supplements the terms
described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to
the other provisions in this agreement, these terms also apply:
1. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release
version of the Microsoft technology. The technology may not work the way a final version of the
technology will and we may change the technology for the final version. We also may not release a
final version. Licensed Content based on the final version of the technology may not contain the
same information as the Licensed Content based on the Pre-release version. Microsoft is under no
obligation to provide you with any further content, including any Licensed Content based on the
final version of the technology.
2. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly
or through its third party designee, you give to Microsoft without charge, the right to use, share
and commercialize your feedback in any way and for any purpose. You also give to third parties,
without charge, any patent rights needed for their products, technologies and services to use or
interface with any specific parts of a Microsoft technology, Microsoft product, or service that
includes the feedback. You will not give feedback that is subject to a license that requires Microsoft
to license its technology, technologies, or products to third parties because we include your
feedback in them. These rights survive this agreement.
3. Pre-release Term. If you are a Microsoft Imagine Academy Program Member, Microsoft Learning
Competency Member, MPN Member, Microsoft Learn for Educators – Validated Educator, or
Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon
(i) the date which Microsoft informs you is the end date for using the Licensed Content on the
Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is
the subject of the Licensed Content, whichever is earliest (“Pre-release term”). Upon expiration or
termination of the Pre-release term, you will irretrievably delete and destroy all copies of the
Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in
this agreement. In doing so, you must comply with any technical limitations in the Licensed Content
that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you
may not:
● access or allow any individual to access the Licensed Content if they have not acquired a valid
license for the Licensed Content,
● alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
● modify or create a derivative work of any Licensed Content,
● publicly display, or make the Licensed Content available for others to access or use,
● copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
● work around any technical limitations in the Licensed Content, or
● reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property
laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property
rights in the Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to
the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is provided “as is”, we are not obligated to
provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of this agreement. Upon termination of this agreement
for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed
Content in your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible
for the contents of any third party sites, any links contained in third party sites, or any changes or
updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any third party sites. Microsoft is providing these links to third party sites to
you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft
of the third party site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
1. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
2. Outside the United States. If you acquired the Licensed Content in any other country, the laws of
that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE."
YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO
EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER
RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES
EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO
US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST
PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
● anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
● claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion
or limitation of incidental, consequential, or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Note: As this licensed content is distributed in Quebec, Canada, some of the clauses
in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content is provided "as is". Any use of this licensed
content is at your sole risk. Microsoft gives no other express warranty. You may have
additional rights under local consumer protection law, which this agreement cannot change.
Where permitted by local law, the implied warranties of merchantability, fitness for a
particular purpose and non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from
Microsoft and its suppliers only direct damages up to US$5.00. You cannot claim any
compensation for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
● anything related to the licensed content, services or content (including code)
on third-party Internet sites or in third-party programs; and
● claims for breach of contract or warranty, or for strict liability,
negligence or other tort, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such
damage. If your country does not allow the exclusion or limitation of liability for indirect,
incidental or other damages of any kind, the above limitation or exclusion may not
apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights
under the laws of your country. This agreement does not change your rights under the laws
of your country if those laws do not permit it to do so.
Revised April 2019
Contents

■ Module 0 Welcome to Managing Microsoft Teams
Welcome to Managing Microsoft Teams
■ Module 1 Microsoft Teams in Microsoft 365
Overview of Microsoft Teams
Overview of security and compliance in Microsoft Teams
Overview of managing Microsoft Teams
■ Module 2 Implement Microsoft Teams Governance, Security and Compliance
Implement Governance and Lifecycle Management for Microsoft Teams
Implement Security for Microsoft Teams
Implement Compliance for Microsoft Teams
■ Module 3 Prepare the environment for a Microsoft Teams deployment
Upgrade from Skype for Business to Microsoft Teams
Plan and configure network settings for Microsoft Teams
Deploy and Manage Microsoft Teams endpoints
■ Module 4 Deploy and manage teams
Create and manage teams
Manage membership
Manage access for external users
■ Module 5 Manage collaboration in Microsoft Teams
Manage chat and collaboration experiences
Manage settings for Teams apps
■ Module 6 Manage communication in Microsoft Teams
Manage Live event and meetings experiences
Manage phone numbers
Manage Phone System for Microsoft Teams
Troubleshoot audio, video, and client issues
Module 0 Welcome to Managing Microsoft Teams

Welcome to Managing Microsoft Teams


About this course
Welcome to the Managing Microsoft Teams course!
The digital world is advancing at amazing speeds. To succeed, organizations must embrace a digital
transformation: new ways of connecting people, data, and processes to create value. Microsoft Teams is
the hub for teamwork in Microsoft 365 that brings people together in a shared workspace where they can
chat, meet, collaborate on files, and automate workflows.
This course is designed for persons who are aspiring to the Microsoft 365 Teams Admin role. Microsoft
Teams admins configure, deploy, and manage Office 365 workloads for Microsoft Teams that focus on
efficient and effective collaboration and communication in an enterprise environment.
This course covers six central elements - Microsoft Teams overview, implementing governance, security
and compliance for Microsoft Teams, preparing the environment for a Microsoft Teams deployment,
deploying and managing teams, managing collaboration, and managing communication in Microsoft
Teams.
Level: Intermediate

Audience
Students in this course are interested in Microsoft Teams or in passing the Microsoft Teams Administrator
Associate certification exam.

Prerequisites
This course assumes you have already acquired the following skills and experience:
●● A proficient understanding of basic functional experience with Microsoft 365 services.
●● A proficient understanding of general IT practices, including using PowerShell.

Learning objectives
By actively participating in this course, you will learn about the following:
●● What is Microsoft Teams and how the components work together
●● How to implement Governance, Security and Compliance for Microsoft Teams
●● How to prepare an organization's environment for a Microsoft Teams deployment
●● How to deploy and manage teams
●● Ways of managing collaboration in Microsoft Teams
●● Techniques to manage and troubleshoot communication in Microsoft Teams

Certification exam preparation


This course helps you prepare for the Exam MS-700: Managing Microsoft Teams¹ certification exam.
MS-700 includes three study areas, as shown in the table. The percentages indicate the relative weight of
each area on the exam. The higher the percentage, the more questions you are likely to see in that area.

| MS-700 Study Areas | Weight |
|---|---|
| Plan and Configure a Microsoft Teams Environment | 45-50% |
| Manage Chat, Calling, and Meetings | 30-35% |
| Manage Teams and App Policies | 20-25% |

✔️ Note: The relative weightings are subject to change. For the latest information visit the exam page²
and review the Skills measured section.
Passing the exam will earn you the Microsoft 365 Certified: Teams Administrator Associate³ certification.
The modules in the course are mapped to the objectives listed in each study area on the Skills Measured⁴
sheet so it will be easy for you to focus on areas of the exam you choose to revisit.

Course syllabus
The course content includes a mix of content, demonstrations, hands-on labs, and reference links.
Module 1: Microsoft Teams Overview
In Microsoft Teams overview, you will get an overview of Microsoft Teams including Teams architecture
and related Office 365 workloads. You will be provided an overview of security and compliance in
Microsoft Teams and finally get an overview of how to manage Microsoft Teams. This module includes the
following lessons:
1. Overview of Microsoft Teams
2. Overview of security and compliance in Microsoft Teams
3. Overview of managing Microsoft Teams

1 https://docs.microsoft.com/en-us/learn/certifications/exams/ms-700
2 https://docs.microsoft.com/en-us/learn/certifications/exams/ms-700
3 https://docs.microsoft.com/en-us/learn/certifications/m365-teams-administrator-associate
4 https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE43Nnv

Module 2: Implement Microsoft Teams Governance, Security and Compliance
In implementing governance, security and compliance for Microsoft Teams, you will plan and configure
governance for Microsoft 365 Groups including expiration and naming policies. Then you will implement
security by configuring conditional access, MFA or Threat Management for Microsoft Teams. Finally, you
will implement compliance for Teams by using DLP policies, eDiscovery cases or supervision policies. This
module includes the following lessons:
1. Implement Governance and Lifecycle Management for Microsoft Teams
2. Implement Security for Microsoft Teams
3. Implement Compliance for Microsoft Teams
Module 3: Prepare the environment for a Microsoft Teams deployment
In preparing the environment for a Microsoft Teams deployment, you plan an upgrade from Skype for
Business to Microsoft Teams by evaluating upgrade paths with coexistence and upgrade modes, managing
meeting migrations, and configuring coexistence and upgrade settings. Then you plan and configure
network settings for Microsoft Teams, and finally you will deploy and manage Microsoft Teams endpoints.
This module includes the following lessons:
1. Upgrade from Skype for Business to Microsoft Teams
2. Plan and configure network settings for Microsoft Teams
3. Deploy and Manage Microsoft Teams endpoints
Module 4: Deploy and manage teams
In deploying and managing teams, you will learn how to create and manage teams, and how to manage
membership and access for both internal and external users. This module includes the following lessons:
1. Create and manage teams
2. Manage membership
3. Manage access for external users
Module 5: Manage collaboration in Microsoft Teams
In managing collaboration in Microsoft Teams, you will manage chat and collaboration experiences such
as team settings or private channel creation policies. Finally, you will manage settings for Teams apps,
such as app setup policies; apps, bots and connectors in Microsoft Teams; or publishing a custom app in
Microsoft Teams. This module includes the following lessons:
1. Manage chat and collaboration experiences
2. Manage settings for Teams apps
Module 6: Manage communication in Microsoft Teams
This course concludes with managing communication in Microsoft Teams. You will learn how to manage
Live event and meetings experiences, manage phone numbers or Phone System for Microsoft Teams and
finally how to troubleshoot audio, video, and client issues. This module includes the following lessons:
1. Manage Live event and meetings experiences
2. Manage phone numbers
3. Manage Phone System for Microsoft Teams
4. Troubleshoot audio, video, and client issues

Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution toward
developing this course. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Siegfried Jagott
Siegfried Jagott is Chief Editor for Practical 365, a website that covers Office 365 related topics such as
Microsoft Teams or Exchange. He is CEO and Principal Consultant for atwork deutschland GmbH and has
been a Microsoft Valuable Professional (MVP) for Office Apps and Services since 2013.
Siegfried is an award-winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft Press)
and has written and technically reviewed several Microsoft Official Curriculum (MOC) courses on
various topics such as MOC 20345 Administering Microsoft Exchange Server 2019.
He currently works on Office 365 implementations with a special focus on Teams, Messaging, Security
and Identity for international customers.
Dennis Weber
Dennis Weber is a Senior Consultant for atwork deutschland GmbH with more than 10 years of experience
working with Microsoft solutions as administrator and as a solutions consultant. He is an IT-Generalist
with a focus on on-premises and cloud messaging systems, communication and collaboration, as well
as Security & Compliance for modern cloud solutions.
He is currently working on a variety of enterprise projects for different international customers and
participates as a subject matter expert in learning content development.
Vladimir Meloski
Vladimir Meloski is an MVP on Office Apps and Services, MCT and consultant, providing solutions based
on Office 365 and Exchange Server with more than 20 years of experience in information technology. He is a
speaker and technical expert at Microsoft conferences worldwide. He has been an author and technical
reviewer for Microsoft official courses on Office 365, Exchange Server, and Windows Server, and one of
the book authors of “Mastering Microsoft Exchange Server 2016” and “Mastering Windows Server 2016”.
Vladimir is devoted to IT community development by collaborating with user groups worldwide.
Jan Bruns
Jan Bruns is a Consultant for atwork Deutschland GmbH advising on Office 365 related projects with a
primary focus on Skype for Business Online, Exchange Online and Microsoft Teams.
Jan focusses on implementing Voice Solutions for Office Communication for his customers and
integrating them with existing infrastructure.
Robert Lutz
Robert Lutz is working as a consultant for atwork Deutschland GmbH providing his expert advice on
Office 365 related projects to numerous customers. He focusses on Exchange Online and Microsoft
Teams.
He specialises in design, implementation, restructuring and migration of local and hybrid Microsoft
Exchange messaging infrastructures. He also assists his customers in deploying, implementing and
managing Microsoft Teams.
Gorana Konevska Jankoska
Gorana Konevska Jankoska is a Microsoft Valuable Professional (MVP) for Office Apps and Services,
Microsoft Certified Trainer (MCT), conference speaker and one of the organizers of the community MK IT Pro User
group. She is working as a Consultant for Business Productivity in Office 365 in Meloski Consulting.
Gorana is working with end users on Office 365 adoption processes, and her training focuses especially
on Microsoft Teams and SharePoint Online.
Module 1 Microsoft Teams in Microsoft 365

Overview of Microsoft Teams


Lesson Introduction
Microsoft Teams is a cloud-based communications platform that combines different services for
collaboration, such as chat, meetings, calling, and files. Teams is tightly integrated into Office 365 and combines
multiple workloads into a unified communication and collaboration system. In addition, Teams offers
integration capabilities for additional tools and third-party products.
In this lesson, you will learn about the basic features of Microsoft Teams, along with its architecture and
integration with other Microsoft services.
After this lesson, you will be able to:
●● Describe what Microsoft Teams is used for
●● Explain Microsoft Teams integration with Office 365
●● Describe how Microsoft Power Platform integrates with Teams
●● Illuminate the architecture of Microsoft Teams
●● Describe how Microsoft Teams interacts with SharePoint Online and OneDrive for Business
●● Describe how Microsoft Teams interacts with Exchange
●● Describe the voice communication capabilities of Teams

Overview of Microsoft Teams


The digital world is advancing at amazing speeds. To succeed, organizations must embrace a digital
transformation: new ways of connecting people, data, and processes to create value. Microsoft Teams is
the hub for teamwork in Microsoft 365 that brings people together in a shared workspace where they can
chat, meet, collaborate on files, and automate workflows.
Microsoft Teams is also built on the security and compliance tools of Microsoft 365, which enables you to
join modern collaboration and communication together with today’s complex legal and regulatory needs
for businesses.

Microsoft Teams
Microsoft Teams delivers in four core areas to create a digital workspace for high-performing teams:
1. Communicate (chat and telephony)
2. Collaborate
3. Customize
4. Work with confidence

Communicate
Teams meets the communication needs of a diverse workforce by providing a complete meeting and
calling solution, including chat, voice, and video.
Teams supports instant messaging or one-on-one (1:1) chat to defined groups. This can be accomplished
by using different clients, like the Teams desktop client, a lightweight web client or directly on a mobile
phone. It is also possible to share resources, such as users’ webcams and desktops while talking on a
landline connection with one another. Besides direct and group chat, Teams also provides open
conversation in channels, where people can share information about topics that can be commented on by other
team members.
It’s easy to move from a chat into a face-to-face meeting and share important resources, helping users to
bridge geographical barriers.

Collaborate
The deep integration of Teams with Office 365 enables today’s multigenerational workforce to use the
Office apps they are familiar with—Word, Excel, PowerPoint, OneNote, SharePoint, Planner, and even
Power BI—right within the context of Teams. Teams brings all the Office 365 services together so that
users can easily share and co-author files.

Customize
Teams enables users to integrate their different everyday work apps into a single place for a unified work
experience. Users no longer need to jump between Office 365 apps, clients, and services, because Teams
integrates them all - both native and third-party apps and connectors - into whole teams and single
channels. Users can customize their workplace with their custom apps, and Teams administrators can
provide apps, connectors, and bots that are available across all team members.
Teams is an extensible platform that enables you to build apps and integrate with business processes.

Work with confidence


Microsoft Teams comes with the enterprise-grade security, compliance, and manageability that is already
well known from existing Office 365 services.
By using Teams, administrators can comply with modern business requirements and closely control how
internal and external users work together, thereby mitigating data loss and data leakage. With Microsoft
Teams, companies can leverage user collaboration and communication while protecting their business
data and interests on an enterprise scale.

What are teams?


A team is a collection of people, content, and tools surrounding different projects and outcomes within
an organization. A team can either be private, consisting only of invited users, or public, open to
anyone within the organization. To achieve its goal of efficiency through a flat hierarchy, Teams
provides only two user roles: Owners and Members.
Teams can be dynamic for project-based work (such as running projects), as well as ongoing, to reflect
the internal structure of your organization (such as departments and office locations). All data within a
team, such as conversations, files, and notes across team channels are only visible to members of the
team.

What are channels?


Teams are made up of channels. Channels enable users to organize a team into dedicated subsections for
the purpose of keeping conversations organized by specific topics (such as Team Events), projects (such
as Presentations), or disciplines (such as a department name, like Marketing or Engineering). Channels are
where you hold meetings, have conversations, and work on files together.
At the top of each channel, you will find tabs, which are basically links to your favorite files, apps, and
services. For example, all members can see and reply to messages on the Conversations tab of a channel.
Every channel has its own Conversations tab, as well as a Files tab for sharing and collaboration. Files that
you share in a channel (on the Files tab) are stored in SharePoint. Additional tabs are also available for
extending channels with apps that include tabs, connectors, and bots.
Two types of channels can be maintained within a team:
●● Standard channels. Standard channels are visible to all team members; therefore, they are available
for conversations that everyone on a team can participate in.
●● Private channels. Private channels are similar to standard channels, but they restrict access to
conversations, files, and apps to a limited subset of team members. This enables private collaboration
within a project or department.
Note: Private channels currently support only connectors and tabs (excluding Stream, Planner, and Forms
tabs); they don’t support messaging extensions or bots.
The following picture shows the structure of channels in Teams of an organization.

What is chat?
Teams provides an instant messaging feature that enables team members to send messages in real time
for live collaboration. Chat is possible between single users and with multiple participants of a team, or
even with external users. In addition, a simple chat can instantly be extended with desktop sharing and
voice communication.
When users join a chat, they can send messages that include files, links, emojis, stickers, and gifs. There
are many formatting options for chat messages, including options for highlighting, font size, lists, and
more. Guests can also participate in conversations, but with limited access.

Conclusion
In summary, Microsoft Teams provides all the benefits of Office 365 services and tools in one application.
It is the new collaboration hub that combines the features of Exchange mailboxes, SharePoint site
collections, and Skype for Business communication, among others, while simultaneously meeting security
and compliance requirements.

Microsoft Teams integration with Microsoft 365


Out of the box, Microsoft Teams brings together the most common tasks that employees need under a
single roof, such as chats, meetings, calls, and the productivity suite of Microsoft 365. By combining these
into a single product, employees can avoid having to constantly switch between various contexts.
Instead, they can spend their time within a single team or channel that effortlessly brings together all the
relevant information in-context.
There are multiple ways to leverage Microsoft 365 apps and services in Microsoft Teams. The most
common scenario is to add a new tab to a team channel. Users can also add content from Microsoft 365
services to a chat. The following are examples of integrating Microsoft 365 in Microsoft Teams:

Microsoft 365 apps and services

Outlook
The integration between Outlook and Teams makes it easy to collaborate no matter where the
conversation is taking place.
●● Share to Outlook: Users can share chats or channel conversations to Outlook without leaving Teams
by selecting “Share to Outlook” from the more options ("...") menu in a conversation.
●● Share to Teams: Users can move an email conversation from Outlook, including attachments, into a
Teams chat or channel conversation by selecting “Share to Teams” in Outlook.
●● Actionable missed activity emails: Users can enable missed activity email notifications to stay on
top of missed conversations in Teams. The missed activity emails show the latest replies from the
conversation, and allow users to respond directly from within Outlook.

SharePoint
In Microsoft Teams, users can add published SharePoint pages or lists as a tab in a Teams channel.
SharePoint pages let users share ideas using images, video, links, and documents. SharePoint lists are a
great way to collaborate on content and data. Team members can view pages, edit lists, and add
comments in the Teams tabs. Add the SharePoint tab in Teams to quickly paste any page, news post, or list
from a published SharePoint site.

Yammer
Users can add a Yammer page to a channel in Teams, or install and then pin the Yammer app (named
“Communities”) to the app bar. This allows team members to follow and share conversations in Yammer
without having to leave Teams. The team members can participate in the Yammer conversation right from
Teams, or discuss a Yammer conversation in Teams before posting a reply to the wider Yammer group.
When a Teams member goes to the Yammer tab, they are authenticated again by Yammer, so that they
only see Yammer content that they have access to.

Forms
Users can access Microsoft Forms directly in Microsoft Teams. Easily set up a Forms tab, create a new
form to collect responses, add an existing form to collect responses or show survey results, collaborate
with your team on a form, create notifications for your form, or conduct a quick poll just for your team.

Planner and Tasks


Microsoft Planner is a task management tool that small teams of individuals can use to manage their
work and associated tasks visually and openly with the rest of the team. Having Planner as a tab in
Microsoft Teams enables the team to work more collaboratively and closer together without any added
effort. For example, a conversation about tasks in Planner can easily be held within Teams, giving the
rest of the team visibility of that conversation, whereas otherwise it might take place in a side email or
phone call.
Tasks in Teams is a cohesive task management experience that consolidates personal tasks from To Do
and team tasks from Planner into a single, comprehensive view in Teams. For users of To Do and Planner,
it is a great way to access tasks while communicating with a team, without having to switch apps.

There are two places in Teams where you can access Tasks: as an app in the left siderail and as a tab
within individual teams. The app comprises all tasks from To Do and Planner, like the screenshot below.
As for the tab, you can think of that as Planner renamed: it functions the same way. And just like the
current Planner tab, you can add multiple Tasks tabs to a single team. Just keep in mind that the tab is for
team tasks; personal tasks from To Do cannot be added to a tab.

Stream
Microsoft Stream is an Enterprise Video service where people in your organization can upload, view, and
share videos securely. Users can collaborate using video by adding a Microsoft Stream channel or video
as a tab in Microsoft Teams. Users can also watch Stream videos in Teams, such as meeting recordings or live
events.

Office documents (Word, Excel, PowerPoint)


Users can add document files as a tab in Microsoft Teams. Additionally, files stored in a team's file library
are accessible to every member of the team. Users and their team members can co-edit Word,
PowerPoint, or Excel documents, or comment on Visio files.

OneNote
Within Microsoft Teams, users can interact with a notebook by visiting the OneNote tab in a channel in
Teams. For example:
●● Create a OneNote tab in a channel in Teams to store text, images, handwritten notes, and more.
●● Add a OneNote tab to a channel in Teams from an existing notebook to centralize content.

Bots, Connectors, and Message extensions


In addition to apps, there are other ways of including Microsoft 365 content into a team, such as bots,
connectors, and message extensions. While a tab provides access to content in an embedded window in
the Teams client, the other types of apps can actively process content and post the results into a channel
or chat, or they can enable direct processing of workflows through chat commands or similar triggers.
The following list includes examples of how users can interact with apps in Teams:
●● Chat with a bot. Bots provide answers, updates, and assistance in a channel. Users can chat with
them one-on-one or in a channel. They can help with task management, scheduling, and more.
●● Share content on a tab. Tabs help users to share content and functionality from their services in a
channel. They can connect Microsoft services (like Excel or SharePoint), other services (like Asana,
YouTube, and Zendesk), or to custom websites.
●● Get updates from a connector. Connectors send updates and information directly to a channel to
get dynamic updates from services like Trello, JIRA, Twitter, RSS feeds, GitHub, and more.
●● Rich content in messages. These apps find content from different services and send it straight to a
message. Users can share things like weather reports, daily news, images, and videos with anyone
they're talking to. Messages sometimes include buttons for interacting with the app. For example, a
daily weather report could include an option to download the forecast for the entire week.
Due to the huge possibilities of integrating Microsoft 365 and third-party content into Teams, the close
implementation of internal and external content, the possibility of displaying sensitive business content,
and the self-service capabilities of Teams, administrators and IT coordinators must carefully plan the
deployment of Teams apps. Granted, Teams provides different control mechanisms, such as app policies
in the backend, to control the user consumption of apps. But because apps enable users to collaborate
and communicate from a unified client, the rollout of apps should be planned with extreme caution and
due diligence.
The following table provides an example for the integration of Microsoft 365 workloads and third-party
services and content to different Teams. Administrators should make a similar plan or provide examples
and ideas to their user community before rolling out Teams and apps to their users. This will help
mitigate any potential chaos and unintended use of Teams apps.

| Types of Teams | Potential Channels | Apps (Tabs/Connectors/Bots) |
|---|---|---|
| Sales | Annual Sales Meeting, Quarterly Business Review, Monthly Sales Pipeline Review, Sales Playbook | Power BI, Trello, CRM, Summarize Bot |
| Public Relations | Press Releases, News and Updates, Fact Checking | RSS Feed, Twitter |
| Event Planning | Marketing, Logistics and Scheduling, Venue, Budget | Twitter, Facebook, Planner, PDF |
| Marketing/Go to Market | Market Research, Messaging Pillars, Communications Plan, Marketing Bill of Materials | YouTube, Microsoft Stream, Twitter, MailChimp |
| Technical Operations | Incident Management, Sprint Planning, Work Items, Infrastructure and Operations | Team Services, Jira, AzureBot |

Microsoft Teams integration with Power Platform

Microsoft Teams is the hub for teamwork, and the Microsoft Power Platform can augment this hub.
Microsoft Teams groups all the information that users need for a particular context within various tabs in
a channel. However, not all tasks can come fully formed out-of-the-box. There will always be business or
operational processes that are unique to an organization that require tailored solutions. This is where the
Power Platform can come in to fill those gaps.
Organizations can streamline business processes with Power Platform. With tools like Power Apps and
Power Automate, organizations can build custom applications that can automate routine processes and
supply a structure where there previously was none. And with Microsoft Teams, employees can use these
custom apps all while taking advantage of the conversational nature of Microsoft Teams. Additionally,
users can further develop custom solutions for their own use with pre-built templates, drag-and-drop
simplicity, and quick deployment approaches.

Power Apps in Microsoft Teams


Power Apps is a high-productivity application development platform from Microsoft. The platform can be
used to customize everything from simple SharePoint forms to immersive end-to-end solutions.
Combined with Microsoft Teams, Power Apps can be used to build a modern workplace through custom tabs
and apps in the app bar, all with little to no code. The following are examples of how to leverage Power Apps in
Microsoft Teams:
●● Create a Teams app using Power Apps for sales submitting customer orders.
●● Pin Power Apps to the Microsoft Teams app navigation bar.

Power Automate in Microsoft Teams


Power Automate enables employees to complete routine tasks with less effort and spend more time on
more creative and innovative tasks. The integration of Power Automate and Teams streamlines processes
to make the work in Teams even more efficient. Users can use prebuilt templates to easily automate
common business processes. The following are examples of how to leverage Power Automate in Microsoft
Teams:
●● Create and manage workflow automations directly from Teams.
●● Quickly trigger scheduled flows using the Flow bot in Teams.
●● Trigger for specific actions when someone new joins a team.
●● Streamline approvals by aggregating and automating all team's approval processes in Teams.

Power BI in Microsoft Teams


Power BI enables users to connect and transform data into accessible visualizations seamlessly. Measuring
and tracking results is essential for teams to achieve their objectives. Users can visualize insights with
Power BI in Teams and discuss data effortlessly to enable data-driven decisions. The following are
examples of how to leverage Power BI in Microsoft Teams:
●● Create a Power BI tab in Teams to make data-driven decisions quickly and confidently.
●● Ask questions about the data in Teams chats and include a link to the Power BI tab to track easily and
together.
●● Create a Power BI interactive card in Teams by pasting the link to a particular Power BI report. This
experience will help users quickly find and take actions on their data.

Overview of Microsoft Teams architecture


Multiple Office 365 services have been combined together to provide the unified communication and
collaboration hub experience of Microsoft Teams.

The Basis: Microsoft 365 Groups (formerly Office 365 Groups)

Microsoft 365 Groups is the cross-application membership service in Office 365. The prerequisite for any
team is a Microsoft 365 Group that provides collaboration for a set of people, and that is enhanced with
instant messaging and voice capabilities, as well as wide application integration and automation features.
Therefore, to understand the Teams architecture, administrators need to know what Microsoft 365
Groups are and what they consist of, because they are the foundation to interconnect the Office 365
services for Teams.
Microsoft 365 Groups are related to traditional Active Directory groups, but while AD groups serve
permission management and message distribution purposes only, Microsoft 365 Groups are built for
collaboration of Teams and not suited for granular permission management. They support two types of
members: Owners and Members. Owners can manage the group settings and membership, while members
can participate with the group resources and subscribe to updates.
Basically, a Microsoft 365 Group is an object in Azure Active Directory with a list of members and a loose
coupling to related workloads including a SharePoint team site, Yammer Group, shared Exchange mailbox
resources, Planner, Power BI, and OneNote. You can add or remove people to the group just as you
would any other group-based security object in Active Directory.
The following resources are included in a Microsoft 365 Group:
●● A (hidden) shared Outlook inbox
●● A (hidden) shared calendar
●● A SharePoint document library
●● A Power BI workspace
●● A Team (if the group was created from Teams)
●● A Planner (if the group was created from Planner)
●● Yammer (if the group was created from Yammer)
●● Roadmap (if Project for the web is licensed)

Teams integration with Microsoft 365 Groups


Teams provides features to enhance the existing collaboration services and features of a Microsoft 365
Group with additional communication services, such as a persistent chat-based workspace (channels/chat)
and voice (conferencing/PSTN calling). You can create a new team, which also creates a Microsoft
365 Group, or you can enable a Microsoft 365 Group with Microsoft Teams.
Teams adds several new features to a Microsoft 365 Group, including:
●● Chat capabilities for 1:1 and 1:n instant messaging
●● Standard channels for open communication and collaboration between all team members
●● Private channels for secure communication and collaboration for a subgroup of team members
●● A dedicated SharePoint document library for any standard and private channel
●● Tab integration to a unified client experience
●● Integration of apps, native, third-party and line of business apps into a unified client
●● Activity feeds for easy

Dependencies of Microsoft Teams


Teams utilizes the services of Office 365 to provide collaboration and communication capabilities that
were already well known before Teams existed. When you create a team, on the backend, you’re creating
a Microsoft 365 Group and the associated SharePoint document library and OneNote notebook, along
with ties into other Office 365 cloud applications. For example, Teams uses Exchange Online to send,
receive, and distribute emails. It stores data processed by the chat services that are built on Skype for
Business. The voice services, such as conferencing for meetings and PSTN calling, are consumed from
Skype, and files are stored and processed through SharePoint Online and OneDrive for Business.
The following diagram shows the existing dependencies from Teams to the traditional Office 365 services.

These complex dependencies result in different types of data produced by different workloads that were
acquired for user productivity. Because not all types of data are efficiently stored in a single storage
location, Teams uses the most effective storage location depending on the user data that is produced by
each service. The following diagram provides an overview of the types of data produced by using Teams
and where they are stored.

Governance, security, and compliance for Teams


Teams not only enables users to consume different Office 365 services and store user data at the most
efficient locations, it also provides a strict approach to ensure governance, security, and compliance with
regard to the consumption and processing of business data. This is done by applying the complex
Security & Compliance features in dedicated ways on all data that Teams produces. This protects against
leakage and loss of business data by supporting compliant business processes when discovering sensitive
business data.

Limits of Microsoft Teams


While Microsoft Teams provides a variety of workloads and features, the architecture is naturally bound
to several limits that administrators must be aware of. Please refer to the documentation in Limits and
specifications for Microsoft Teams1.

Conclusion
Microsoft Teams is built to combine the already effective workloads of Office 365 with a general information
protection strategy. This strategy empowers organizations to use Office 365 capabilities to create
efficient business processes that conform to modern security, compliance, and data governance requirements.
Administrators need to understand the Teams architecture and how it provides the link between
today’s cloud technology and the modern business needs of organizations.

Microsoft Teams with SharePoint Online and OneDrive for Business

One of the core features of Microsoft Teams is the collaboration service it provides through SharePoint
Online and OneDrive for Business. When a new team is created, a new SharePoint site is provisioned,
including sub-sites for any public channel created in the team. If a team is added to an already existing
Microsoft 365 Group (formerly Office 365 Group), the public channels are added in the existing SharePoint
site. Files shared in a public channel are automatically added to the document library, and permissions
and file security options set in SharePoint Online are automatically reflected within Teams.
Creating private channels differs from creating public channels, because private channels are not stored
in a document library within the same site. Every private channel has its own site collection that's separate
from the parent team site. This ensures access to private channel files is restricted to only members of the
private channel.

1 https://docs.microsoft.com/en-us/microsoftteams/limits-specifications-teams

SharePoint site structure (Public Channels)


Any tenant has two unique namespaces below “*.sharepoint.com”, where all SharePoint Online sites and
OneDrive for Business storages are located. For example, Contoso Corporation would use the following
namespaces:
●● SharePoint: https://contoso.sharepoint.com/sites/…
●● OneDrive for Business: https://contoso-my.sharepoint.com/personal/…
When a new Microsoft 365 Group or team is created, a new SharePoint site is provisioned below the
tenant’s unique namespace. For example, a “Finance” Team in the “Contoso” tenant that contains the
default “General” channel would appear as follows:
●● Finance: https://contoso.sharepoint.com/sites/Finance/…
●● General channel: https://contoso.sharepoint.com/sites/Finance/Shared Documents/General/…
When a new channel is created, a folder in Shared Documents is automatically provisioned. For example,
if additional channels titled “Internal” and “Budget” are created in the “Finance” site, the folders would
appear as follows:
●● Internal: https://contoso.sharepoint.com/sites/Finance/Shared Documents/Internal/…
●● Budget: https://contoso.sharepoint.com/sites/Finance/Shared Documents/Budget/…
The following diagram shows another example of how teams and public channels rely on SharePoint site
collections and document libraries.

All SharePoint Online sites of Teams can be accessed through the Teams clients or directly through the
browser to upload, download, or change stored files. It’s also possible for members and owners to
synchronize a client to the document libraries within the OneDrive for Business client. As soon as the
B2B-Sync feature is available, guests can also synchronize the document libraries of teams in which they
have been added as guests.

SharePoint site permissions (Public Channels)


Like regular SharePoint sites, Teams SharePoint resources contain the three default permission groups
“Members”, “Owners”, and “Visitors”. In contrast to a pure SharePoint site collection, these permission
groups on a Teams site cannot be edited or changed.
When assigning a Team owner or members through one of the clients or through the Teams Admin
Center, the users are also added into the respective permission group.

Teams utilization of SharePoint


Teams not only supports the manual upload of files to its document libraries, it also supports storing the
following resources in SharePoint Online and OneDrive for Business:

| Scenario | Description | Storage location |
|---|---|---|
| Files shared in private chats | Shared files in chats (1:1/1:n) | Stored in the sender’s OneDrive for Business Microsoft Teams Chat Files folder. Permissions are automatically granted to all participants on the single file that was shared. |
| Files or pictures sent as conversation | Files or pictures posted in a conversation | The channel's document library. |
| Mails sent to a channel | Emails are sent to a channel's email address | The channel's document library, into the subfolder Email Messages. |

SharePoint site structure (Private Channels)


When a team member creates a new private channel, instead of a new site in the team's site collection, a
whole new site collection is created and the creator of the channel is added as the site collection
owner.
The following diagram shows how every private channel's data is stored in an independent SharePoint
Online site collection.

Note: The SharePoint Online site collections of private channels of teams are not visible in the SharePoint
Online admin center but can be seen via the SharePoint Online PowerShell module.
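
Because these site collections do not appear in the admin center, they are easy to miss in a sharing or ownership review. The following inventory script is an added example and not part of the course material. It assumes the SharePoint Online Management Shell module, the page's example tenant name "contoso", and the site template names documented by Microsoft for private channel sites.

```powershell
# Added example, not part of the course material.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that
# "contoso" (the page's example tenant) is replaced with your own tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Private channel sites are created from the TEAMCHANNEL#0 site template;
# newer private channel sites use TEAMCHANNEL#1. Query both.
$channelSites = foreach ($template in 'TEAMCHANNEL#0', 'TEAMCHANNEL#1') {
    Get-SPOSite -Limit All -Template $template
}

$inventory = foreach ($site in $channelSites) {
    # -Detailed is required to populate RelatedGroupId, which holds the ID of
    # the Microsoft 365 Group behind the parent team.
    $detail = Get-SPOSite -Identity $site.Url -Detailed
    [pscustomobject]@{
        ParentGroupId     = $detail.RelatedGroupId
        Url               = $detail.Url
        Owner             = $detail.Owner
        SharingCapability = $detail.SharingCapability
        LastModified      = $detail.LastContentModifiedDate
    }
}

# Full inventory, grouped by parent team so orphaned or unexpected sites stand out.
$inventory | Sort-Object ParentGroupId, Url | Format-Table -AutoSize

# Review item 1: private channel sites where external sharing is not disabled.
$inventory |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, Owner, SharingCapability

# Review item 2: number of private channel sites per parent team.
$inventory |
    Group-Object ParentGroupId |
    Select-Object @{ n = 'ParentGroupId'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
```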

SharePoint site permissions (Private Channels)


Because private channels are not stored within the site collection of the team, but settings of a team,
such as members and classification, also affect the private channels, a sync process between the team's
site collection and the independent site collections is in place. If a member leaves or is removed from a
team, that user will also be removed from all private channels in the team. Changes to the team like this
that also affect the private channels are synchronized automatically within four hours.
Note: All private channels need an owner. A private channel owner can't be removed through the Teams
client if they are the last owner of one or more private channels.
If a private channel owner leaves your organization or if they are removed from the Microsoft 365 Group
associated with the team, a member of the private channel is automatically promoted to be the private
channel owner.

Microsoft Teams with Exchange


Another core service of Microsoft Teams is Exchange Online. When you create a team, a corresponding
Microsoft 365 Group (formerly Office 365 Group) is automatically created behind the scenes, along with a
mailbox for the Group in Exchange Online. This group mailbox provides messaging capabilities and a
mail-based storage location for data processed and created in Teams. For each additional Microsoft 365
Group that is created and associated with a team, a corresponding group mailbox is automatically
created in Exchange Online.

Exchange Mailbox for Teams


Every Microsoft 365 Group that is associated with a team has a corresponding group mailbox in Exchange
Online that provides resources to use messaging and a calendar for planning meetings.
Exchange mailboxes are organized in highly available databases that are optimized to store communication
and messaging data so that it’s secure and compliant with common business requirements. As a result,
a team makes heavy use of its associated Exchange mailbox, even if regular messaging is one of the
lesser used functions of users.
Data created in Teams is stored in different Exchange locations:
●● Emails sent to the team. When email is sent to the address of the Microsoft 365 Group, it is stored in the
Microsoft 365 Group mailbox and a copy is distributed to the user mailboxes of all subscribers.
●● Chat messages. Chat messages and users’ chat history are stored in their user mailboxes.
●● Channel messages. Messages posted into channel conversations are stored in a hidden folder in the
Microsoft 365 Group mailbox.
●● Meeting information. When planning meetings for a team, the meetings are stored as meeting
elements in the Microsoft 365 Group mailbox.
●● User profile picture. When a user changes his or her profile picture in Teams, the picture is also stored
in the user’s mailbox.
●● Call History and Voicemail. Call history and voice mail messages are delivered to the associated
user’s mailbox.
●● Connector configuration. The configuration data for connectors is stored in the Microsoft 365 Group
mailbox. An example would be the connector data required to subscribe to RSS feeds.
These Exchange locations support the Security & Compliance tools provided by Office 365, such as
retention policies, eDiscovery, legal holds, and data loss prevention.
How the Security & Compliance features work and how they are used is covered in a later lesson.

Teams in a Hybrid Exchange Deployment


Teams can be deployed with Exchange Hybrid, where either some or all mailboxes are hosted on
on-premises server(s). In a hybrid deployment, Exchange must be deployed so that it’s ready to use the
supported Teams feature for storing and discovering data from on-premises Exchange locations.
How Teams works with Hybrid deployments in detail is covered in a later lesson.

Overview of Microsoft telephony solutions


The telephony features of Microsoft Teams have been developed to achieve feature parity to Skype for
Business Online. This first step in the feature development process was completed in August 2018. Since
then, Microsoft Teams has been updated to provide a full-featured communication service for voice
communication into and from the wired telephony network.

Parts of voice communication


The voice communication service that is implemented with Microsoft Teams incorporates the following
communication components.

PSTN
The Public Switched Telephone Network (PSTN) is the complete global telephone network operated by
national, regional, and local telephone companies. PSTN provides the infrastructure and services for
public telecommunications, including all telephone lines, fiber optic cables, microwave transmission links,
mobile networks, communication satellites, and underwater telephone cables, all of which are interconnected
with switching centers.

Private Branch Exchange (PBX)


A private branch exchange (PBX) is a telephone exchange2 or switching system that serves a private
organization. It enables sharing of central office trunks between internally installed telephones, and it
provides intercommunication between those internal telephones within the organization without the use
of external lines. The central office lines provide connections to the PSTN, and the PBX permits the shared
use of these lines between all stations in the organization.

Phone System in Office 365


Phone System is Microsoft’s technology for enabling call control and PBX capabilities in the Office 365
cloud with Microsoft Teams and/or Skype for Business Online. Phone System works with Teams or Skype
for Business Online clients and certified devices. With Phone System, users can use Skype for Business
Online and Microsoft Teams to place and receive calls, transfer calls, and mute or unmute calls. Phone
System allows you to replace your existing PBX system with a set of features directly delivered from
Office 365 and tightly integrated into the company’s cloud productivity experience. To connect Phone
System to the Public Switched Telephone Network (PSTN), you can choose Microsoft’s Calling Plan or
your own telephony carrier.

2 https://en.wikipedia.org/wiki/Telephone_exchange

Session Initiation Protocol (SIP) trunks


A SIP trunk enables an end point’s PBX phone system to send and receive calls through the Internet. SIP
trunking is a service offered by communications service providers that uses the Session Initiation Protocol
to provision streaming media services and Voice over IP (VoIP) connectivity between an on-premises
phone system and the PSTN. SIP trunks enable Internet telephony service providers to deliver telephone
services and unified communications to customers equipped with SIP-based IP PBX and unified communications
facilities.

Direct Routing
Direct Routing is a capability of Phone System in Office 365 to help customers connect their SIP trunks to
Microsoft Teams. In the simplest deployment model, customers start with SIP trunks from their telecommunications
provider. Next, customers will use and configure a supported Session Border Controller (SBC)
from one of Microsoft’s certified partners. Finally, they will connect their SBC to Microsoft Teams and
Phone System.

Operational modes for Teams voice communication


Microsoft Teams provides different features and functionalities for broadcasting, conferencing, and
communication to PSTN throughout its licensing options and deployment variants.
For example, calls to other Skype for Business and Microsoft Teams users are free. However, if you want
your users to be able to call regular phones but you don’t have a service provider for voice calls, then
you’ll need to buy a calling plan.
The following table identifies the general deployment options available for voice communication with
Teams.

| Option | Description |
|---|---|
| Phone System with Calling Plan | Licensed users can call out to numbers located in the country/region where their Office 365 license is assigned to the user based on the user’s location, and to international numbers in 196 countries/regions. Because the PSTN Calling Plan operates out of Office 365, this option does not require deployment or maintenance of any on-premises deployment. Direct Routing also supports users who have the additional license for the Microsoft Calling Plan. |
| Phone System with own carrier through Direct Routing | Connect your own supported SBC directly to Microsoft Phone System without the need of additional on-premises software. Use virtually any telephony carrier with Microsoft Phone System. Can be configured and managed by customers or by your carrier or partner (ask if your carrier or partner provides this option). Configure interoperability between your telephony equipment—such as a third-party PBX and analog devices—and Microsoft Phone System. |
| Phone System with your own carrier through Skype for Business Server OR Cloud Connector Edition | Connect your own supported SBC to Microsoft Phone System through Skype for Business Server in hybrid deployment or Skype for Business Cloud Connector Edition deployed on premises. Use virtually any telephony carrier with Microsoft Phone System. If you already have Skype for Business Server on premises, then you can leverage it; if you do not, you can deploy a lighter version Cloud Connector Edition. |
| Enterprise Voice in Skype for Business Server with own carrier | Connect your own supported SBC to the Enterprise Voice System in Skype for Business on premises Server. Use if you need local survivability. Use virtually any telephony carrier with Microsoft Phone System. This is the most complex option to deploy and maintain. |

Requirements and details about the different deployment options are covered in a later lesson.

Interoperation with Skype for Business (SfB)


If your organization uses Skype for Business (SfB) and you are starting to use Teams alongside Skype for
Business—or you are starting to upgrade to Teams—it’s important to understand how the two applications
coexist, when and how they interoperate, and how to manage user migration all the way to their
eventual upgrade from Skype for Business to Teams.
The following table identifies the general coexistence modes with Teams.

| Mode | Calling and Chat | Meeting Scheduling | Teams Channels | Use Case |
|---|---|---|---|---|
| TeamsOnly | Teams | Teams | Yes | This is the final state of being upgraded; it’s also the default for new tenants. It requires home in Skype for Business Online. If you uninstall the Skype for Business client after you move a user to Teams Only mode, presence works fine in Teams but stops working in Outlook and other Office apps. To see presence in Outlook (and other Office apps), Skype for Business must be installed, even if you're running Teams in Teams Only mode. |
| Islands | Either | Either | Yes | Allows a single user to evaluate both clients side by side. Chats and calls can land in either client, so users must always run both clients. To avoid a confusing or regressed Skype for Business experience, external (federated) communications, PSTN voice services and voice applications, Office integration, and several other integrations continue to be handled by Skype for Business. In Islands mode, all messages and calls from people outside your organization are delivered to Skype for Business. After upgrading to Teams Only mode, all messages and calls from outside your organization are delivered to Teams. |
| SfB With Teams Collab And Meetings | Skype for Business | Teams | Yes | Also known as “Meetings First.” Primarily for on-premises organizations that are not yet ready to move calling to the cloud, but they want to benefit from Teams’ meeting functionality. |
| SfB With Teams Collab | Skype for Business | Skype for Business | Yes | Alternate starting point for complex organizations that need tighter administrative control. |
| SfBOnly | Skype for Business | Skype for Business | No | Specialized scenario for organizations with strict requirements around data control. Teams is only used to join meetings scheduled by others. |

Overview of security and compliance in Microsoft Teams

Lesson Introduction
Microsoft Teams is a powerful and unified communication and collaboration platform that enables users
to access and process sensitive business data that is stored across the different workloads of Office 365.
To protect this sensitive data against threats such as security and compliance breaches and accidental or
intended data loss, Microsoft provides several Security and Compliance tools and services.
In this lesson you will learn about the underlying basic architecture for Microsoft Teams and the security
and compliance functions of Microsoft 365, as well as their integration into Microsoft Teams.
After this lesson, you will be able to:
●● Describe the specialized admin roles in Microsoft Teams
●● Describe the role of Azure Active Directory within Teams
●● Differentiate between Microsoft 365 Groups and other group types
●● Explain how Microsoft 365 Groups work below Teams
●● Describe security and compliance features for Microsoft Teams

Overview of Teams Admin Roles


Microsoft 365 provides a variety of preconfigured administrative role groups so that selected users can
receive elevated access to administrative tasks within the Office 365 services. The role groups are assigned
through different portals, such as the Microsoft 365 Admin Center, the Security & Compliance
Center, the Azure Portal, and PowerShell.
Several administrative roles have full access to all of the Teams' service settings, such as the Global
Administrator and the Teams admin. Other roles only provide access to certain parts of Microsoft Teams
to perform recurring tasks, such as troubleshooting call quality problems and managing telephony
settings.
The specialized Teams admin roles include:
●● Teams admin
●● Teams communication admin
●● Teams communication support engineer
●● Teams communication support specialist
Note: Even though Teams consists of different workloads from Office 365, the Teams-specific administrator roles
do not grant permissions to other services, such as Exchange Online or SharePoint Online.

Teams roles and capabilities


The following table identifies the tasks that each role can perform, as well as the tools the administrator
can use in the Microsoft Teams Admin Center and in PowerShell.

| Role | Can do these tasks | Can access the following tools |
|---|---|---|
| Teams admin (formerly called Teams service administrator) | Manage the Teams service, and manage and create Microsoft 365 Groups | Everything in the Microsoft Teams admin center and associated PowerShell controls, including: Manage meetings, including meeting policies, configurations, and conference bridges. Manage voice, including calling policies and phone number inventory and assignment. Manage messaging, including messaging policies. Manage all org-wide settings, including federation, teams upgrade, and teams client settings. Manage the teams in the organization and their associated settings, including membership (group management supported via PowerShell, team management in the Teams admin center). View user profile page and troubleshoot user call quality problems using advanced troubleshooting toolset. Access, monitor and troubleshoot tenant's call quality and reliability using data exposed in Call Quality Dashboard (CQD) down to the users impacted by poor call quality. Create new reports, update and remove reports as needed. Upload and update CQD building data. Publish apps to the Tenant App Catalog from the Teams client (https://docs.microsoft. |
| Teams Communications Administrator | Manage calling and meetings features within the Teams service. | Manage meetings, including meeting policies, configurations, and conference bridges. Manage voice, including calling policies and phone number inventory and assignment. View user profile page and troubleshoot user call quality problems using the advanced troubleshooting toolset. Access, monitor, and troubleshoot tenant's call quality and reliability using data exposed in Call Quality Dashboard (CQD) down to the users who are impacted by poor call quality. Create new reports, update and remove reports as needed. Upload and update CQD building data. |
| Teams Communications Support Engineer | Troubleshoot communications issues within Teams by using advanced tools. | View user profile page and troubleshoot user call quality problems using advanced troubleshooting toolset. Access, monitor, and troubleshoot tenant's call quality and reliability using data exposed in Call Quality Dashboard (CQD) down to the users who are impacted by poor call quality. |
| Teams Communications Support Specialist | Troubleshoot communications issues within Teams by using basic tools. | Access user profile page for troubleshooting calls in Call Analytics. Can only view user information for the specific user being searched for. Access, monitor, and troubleshoot tenant's call quality and reliability using data exposed in Call Quality Dashboard (CQD). |

Note: The Teams Service Administrator role in the Azure portal is the same role as the Teams admin in
the Microsoft 365 Admin Center. If you assign this role to a member in the Azure portal, you can also see
it in the Microsoft 365 Admin Center (and vice versa).

Overview of Azure Active Directory


Azure Active Directory (Azure AD) is the cloud-based identity and access management service for Office
365. As such, it’s a vital part of Microsoft Teams because Teams leverages identities stored in Azure AD for
collaboration and communication.
The license requirements for using Azure AD identities and for accessing Teams are included in a large
number of different licensing bundles, such as Small Business Plans like Office 365 Business, Enterprise
Plans like Office 365 Enterprise E1, Education Plans like Office 365 Education, and Developer Plans like
Office 365 Developer.

Managed identities for Azure resources


In cloud deployments, a common challenge when building and deploying cloud applications is how to
manage the credentials in your code for authenticating to cloud services while still keeping your credentials
secured. Azure AD solves this problem with a feature called “managed identities,” which provides
access to Azure and Office 365 resources for custom applications and services. The feature provides
Azure services with an automatically managed identity in Azure AD. You can use this identity to authenticate
to any service that supports Azure AD authentication, such as Exchange Online, SharePoint,
OneDrive, and Microsoft Teams, without any credentials in your code.

Azure AD Access Review


Because Azure AD enables you to collaborate internally within your organization and with users from
external organizations, such as partners, it’s essential that organizations regularly review users’ access to
ensure that only the right people have access to cloud resources. This can be accomplished through an
Azure AD feature titled Access Reviews, which enables organizations to efficiently manage group
memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a
regular basis to make sure only the right people have continued access, and that no orphaned permissions
provide users with unintended access to cloud resources.
The following list describes scenarios in which Azure AD Access Reviews can be used:
●● Too many users in privileged roles. It's a good idea to check how many users have administrative
access, how many of them are Global Administrators, and if there are any invited guests or partners
that have not been removed after being assigned to do an administrative task.
●● When automation is infeasible. You can create rules and reviews for dynamic memberships on
Security groups or Microsoft 365 Groups (formerly Office 365 Groups). This ensures that those users
who still need access continue to have access.
●● When a group is used for a new purpose. If you have a group that is going to be synced to Azure
AD, or if you plan to enable an application for everyone in a specific group, it would be useful to ask
the group owner to review the group membership prior to the group being used in a different risk
content.
●● Business critical data access. For certain resources, it might be required to ask people outside of IT
to regularly sign out and give a justification on why they need access for auditing purposes.
●● To maintain a policy's exception list. In an ideal world, all users would follow the access policies to
secure access to your organization's resources. However, sometimes there are business cases that
require you to make exceptions.
●● Ask group owners to confirm they still need guests in their groups. Employee access might be
automated with some on-premises identity and access management tool, but not invited guests. If a group
gives guests access to business sensitive content, then it's the group owner's responsibility to confirm
the guests still have a legitimate business need for access.
●● Have reviews recur periodically. You can set up recurring access reviews of users at set frequencies
such as weekly, monthly, quarterly, or annually, and the reviewers will be notified at the start of each
review. Reviewers can approve or deny access with a friendly interface and with the help of smart
recommendations.
Note: Using the Azure AD Access Reviews feature requires an Azure AD Premium P2 license.

Conditional Access
Conditional access is the set of rules for access control based on various specifications such as client,
service, registration procedure, location, compliance status, and so on. These rules are used to decide whether
a user is allowed to access the company's data.
By using Conditional Access policies, you can apply the right access controls when needed to keep your
organization secure and stay out of your users' way when not needed.

Group Naming Policy


Organizations use a group naming policy to enforce a consistent naming strategy for groups created by
users in your organization. You can use the policy to block specific words from being used in group
names and aliases.
The naming policy is applied to groups that are created across all groups workloads (like Outlook,
Microsoft Teams, SharePoint, Planner, Yammer, and so on). It gets applied to both the group name and
group alias whenever a user creates a group or when the group name or alias is edited for an existing group.
The group naming policy consists of the following features:
●● Prefix-Suffix naming policy. You can use prefixes or suffixes to define the naming convention of
groups (for example: “GRP_US_My Group_Development”). The prefixes/suffixes can either be fixed
strings (like “Department”) or user attributes that will get substituted based on the user who is
creating the group.
●● Custom Blocked Words. You can upload a set of blocked words specific to your organization that will
be blocked in the group names that are created by users. (For example: “salary statement, HR”).

Classification for Microsoft 365 Groups


Classification in Office 365 is a feature of Azure Information Protection. It's a cloud-based solution that
helps an organization to classify and optionally protect its content by applying labels. Microsoft Teams
does not currently support Azure Information Protection, so for now, you can create text-based classifications
that simply display in the Microsoft Teams client and Microsoft 365 Groups. While limited in use,
they can still be used to set expectations with your users when they create a Microsoft 365 Group.
Currently in Teams, classifications can only be configured through the Azure AD PowerShell module. They
are self-created, simple text classifications such as Internal, External, Confidential, and Highly Confidential.
Group classifications aren't set by default, and you need to create them before your users can set them.
Note: Classifications in Office 365 should not be mistaken for the classification of Azure RMS, which is a
different feature.
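
The prefix-suffix naming policy, the custom blocked words and the text classifications described above are all values on the tenant's Group.Unified directory setting. The following PowerShell is an added example, not part of the course material; it assumes the AzureADPreview module and an admin session already opened with Connect-AzureAD, and the naming pattern, blocked words and default classification are constructed sample values.

```powershell
# Added example. Assumes the AzureADPreview module is installed and
# Connect-AzureAD has been run by an admin who may manage directory settings.

function Get-UnifiedGroupSetting {
    # Return the tenant's Group.Unified setting object. A tenant that has never
    # customised group settings has none yet, so create it from the template.
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() |
            Out-Null
        $setting = Get-AzureADDirectorySetting |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
    }
    return $setting
}

$setting = Get-UnifiedGroupSetting

# Record the current values first so the change can be reviewed or rolled back.
$setting.Values | Select-Object Name, Value | Format-Table -AutoSize

# Prefix-suffix naming policy: fixed strings plus user attributes in brackets.
# [GroupName] marks where the user's chosen name goes. For a user in country
# "US" and department "Development", "My Group" becomes
# "GRP_US_My Group_Development" (the pattern from the text above).
$setting['PrefixSuffixNamingRequirement'] = 'GRP_[CountryOrRegion]_[GroupName]_[Department]'

# Custom blocked words: one comma-separated string (sample values).
$setting['CustomBlockedWordsList'] = 'Payroll,HR'

# Text-based classifications shown in Teams and Microsoft 365 Groups.
# The default must be one of the entries in the list.
$setting['ClassificationList']    = 'Internal,External,Confidential,Highly Confidential'
$setting['DefaultClassification'] = 'Internal'

Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Read the setting back from the directory to confirm what was stored.
$check = 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList',
         'ClassificationList', 'DefaultClassification'
(Get-UnifiedGroupSetting).Values |
    Where-Object { $_.Name -in $check } |
    Format-Table Name, Value -AutoSize
```

Verify the result by creating a group as a regular user, because some administrator roles are exempt from the naming policy.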

Guest Access
Guest access allows teams in your organization to collaborate with people outside your organization by
granting them access to existing teams and channels on one or more of your tenants. Anyone with a
business or consumer email account, such as Outlook, Gmail, or others, can participate as a guest in
Teams with full access to team chats, meetings, and files. Guest access is an org-wide setting in Teams
and is turned off by default. Guest access is subject to Azure AD and Office 365 service limits.

Overview of Microsoft 365 Group


Microsoft 365 Groups (formerly Office 365 Groups) let you choose a set of people with which you wish to
collaborate, and easily set up a collection of resources for those people to share. Manually assigning
permissions to resources is a thing of the past because adding members to the Group automatically
grants the needed permissions to all assets provided by the group.
When creating a Microsoft 365 Group, you must decide if you want it to be a private group or a public
group.
●● Public group. Any user in your organization can join public groups without the need of an administrator
or owner to add or approve them. Therefore, content in a public group can be seen by anybody
in your organization as soon as they join the group.
●● Private group. Content in a private group can only be seen by the members of the group. People
who want to join a private group must be approved by a group owner. Private groups are separated
into discoverable and non-discoverable private groups.
●● Discoverable private group. These groups can be seen by all users of a tenant, and users can file
a request to join the group.
●● Non-discoverable private group. These groups are only visible for users that are already members
of the group.
The following table identifies the differences between Microsoft 365 Groups and other types of groups.

| Name | Description | Used when… |
|---|---|---|
| Microsoft 365 Groups | Used for collaboration between users, both inside and outside your company | a collaborative workspace for a group of users is required, such as a department or users working on a common project. |
| Distribution groups | Used for sending notifications to a group of people | sending email communication to a defined group of users, such as “People in Building A” or "Everyone at Contoso." |
| Security groups | Used for granting granular permissions to SharePoint resources | granular permissions are required on SharePoint resources; for example, shared file repositories. |
| Mail-enabled security groups | Same as security groups but includes email distribution to members. | granular permissions to SharePoint resources and message distribution to members is required. |

Note: Mail-enabled security group membership cannot be dynamic and cannot contain devices.

Overview of security and compliance in Microsoft Teams
Microsoft 365 provides comprehensive Security & Compliance tools and services to help organizations
comply with the multitude of legal and regulatory requirements they face across different industry
sectors and countries. This topic gives you an overview of available Security & Compliance features for
Microsoft Teams, and we will provide more details in later modules.

Data Loss Prevention (DLP)


A data loss prevention (DLP) policy is used to identify, monitor, and automatically protect sensitive
information across Office 365, including financial data, custom search patterns, simple keywords,
and personally identifiable information (PII) such as credit card numbers, social security numbers, and health
records.
Recently, data loss prevention (DLP) capabilities were extended to include Microsoft Teams chat and
channel messages. If an organization already has configured DLP policies, they can now add Teams
channels and chat sessions as locations to existing policies or new policies. This enables the organization
to prevent people from sharing sensitive information with participants who do not have permission to
view the information.
Policy tips appear in Teams when an action conflicts with a DLP policy, which is similar to how DLP works
in Exchange, Outlook, Outlook on the web, SharePoint Online, OneDrive for Business sites, and Office
desktop clients. Besides showing policy tips, DLP policies can also block access to content or send
compliance reports to additional recipients.
Note: In contrast to DLP policies for other workloads, Data Loss Prevention for Microsoft Teams is an
advanced feature that requires an E5 license.

Retention policies
For most organizations, the volume and complexity of data increases daily – from email to documents to
instant messages, and more. Effectively managing or governing this information is important because you
must:
●● Comply proactively with industry regulations and internal policies that require you to retain content
for a minimum period of time; for example, the Sarbanes-Oxley Act might require you to retain certain
types of content for seven years.
●● Reduce your risk in the event of litigation or a security breach by permanently deleting old content
that you are no longer required to keep.
●● Help your organization to share knowledge effectively and be more agile by ensuring that your users
work only with content that is current and relevant to them.
A retention policy can help organizations either retain data for compliance (namely, preservation policy)
for a specific period or remove data (namely, deletion policy) if it is considered a liability after a specific
period. Retention policies are available in the Security & Compliance Center, and they work across the
different workloads and data types, such as Exchange email, SharePoint document libraries, and OneDrive
files.
Teams conversations are persistent and retained by default. With the introduction of retention policies,
administrators can configure retention policies (both preservation and deletion) in the Security & Compliance
Center for Teams chat and channel messages.

eDiscovery
Protecting content from accidental or intended deletion is only effective when there are ways to retrieve
it without violating legal and regulatory restrictions. The eDiscovery feature is used to place a hold on
content locations relevant to a legal case and to search the locations on hold, using the Content Search
tool, for content that might be responsive to your case.
You can use eDiscovery in Office 365 to search for content in Exchange Online mailboxes, Microsoft 365
Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites, and Skype for Business
conversations.
All Teams 1:1 or group chats are journaled through to the respective users’ mailboxes, and all channel
messages are journaled through to the group mailbox representing the team. To facilitate eDiscovery for
guest-to-guest chats, a cloud-based mailbox (or phantom mailbox) is required to store the 1xN data and
have it indexed for eDiscovery and compliance content search. Files uploaded are covered under the
eDiscovery functionality for SharePoint Online and OneDrive for Business.

Information barriers
Microsoft 365 includes powerful communication and collaboration capabilities. However, suppose that
you want to restrict communications between certain people inside your organization to safeguard
internal information. You can fulfil these requirements by implementing information barriers that restrict
communication between users inside a tenant.
Information barriers in Teams are used to prevent individuals or groups from communicating with each
other. They also prevent lookups and discovery. This means that if restricted users attempt to communicate
with each other, they will not find that other user in the people picker.
Information barrier policies can be used for scenarios such as:
●● To meet regulatory requirements, a day trader should not call someone on the Marketing team.
●● To meet business requirements, Finance personnel working on confidential company information
should not receive calls from certain groups within their organization.
●● To meet business requirements, a research team should be restricted to only calling or online chatting
with a product development team.
With information barrier policies in effect, whenever users who are covered by those policies attempt to
communicate with others in Microsoft Teams, tests are performed to prevent (or allow) communication
(as defined by information barrier policies).
Note: Microsoft Exchange includes information barriers known as ethical walls that can be applied to
email communication through mail flow rules. In contrast to these ethical walls in Exchange, information
barriers also apply to chat, voice, and sharing services across different Office 365 workloads.
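
The scenarios listed above reduce to two policy shapes: a pair of block policies (day traders and Marketing; the Finance scenario has the same shape) and an allow-list policy (research and product development). The following PowerShell is an added example, not part of the course material; it assumes a Security & Compliance PowerShell session opened with Connect-IPPSSession and users whose Department attribute is populated, and all segment names, policy names and department values are constructed.

```powershell
# Added example. Assumes Connect-IPPSSession has been run by a compliance admin.
# Segment names, policy names and Department values are constructed samples.

# 1. Segments: each one is a filter over a user attribute.
New-OrganizationSegment -Name 'DayTraders' -UserGroupFilter "Department -eq 'Day Trading'"
New-OrganizationSegment -Name 'Marketing'  -UserGroupFilter "Department -eq 'Marketing'"
New-OrganizationSegment -Name 'Research'   -UserGroupFilter "Department -eq 'Research'"
New-OrganizationSegment -Name 'ProductDev' -UserGroupFilter "Department -eq 'Product Development'"

# 2. Block shape: a day trader should not call someone on the Marketing team.
#    A block has to exist in both directions, so it takes one policy per segment.
New-InformationBarrierPolicy -Name 'DayTraders-Marketing' `
    -AssignedSegment 'DayTraders' -SegmentsBlocked 'Marketing' -State Inactive
New-InformationBarrierPolicy -Name 'Marketing-DayTraders' `
    -AssignedSegment 'Marketing' -SegmentsBlocked 'DayTraders' -State Inactive

# 3. Allow-list shape: Research may only communicate with Product Development.
#    The assigned segment is listed too, so researchers can still reach each other.
New-InformationBarrierPolicy -Name 'Research-ProductDev' `
    -AssignedSegment 'Research' -SegmentsAllowed 'ProductDev', 'Research' -State Inactive

# 4. Review the definitions while they are still inactive.
Get-InformationBarrierPolicy |
    Format-Table Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State -AutoSize

# 5. Activate only the policies created here, then start the application job.
$policies = 'DayTraders-Marketing', 'Marketing-DayTraders', 'Research-ProductDev'
foreach ($name in $policies) {
    Set-InformationBarrierPolicy -Identity $name -State Active
}
Start-InformationBarrierPoliciesApplication

# 6. The policies take effect user by user; poll the job until it completes.
Get-InformationBarrierPoliciesApplicationStatus
```

Creating the policies as Inactive keeps them from affecting users until the review in step 4 has confirmed that each segment filter matches the intended people.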

Legal Holds
Users or teams can be put on Legal Hold to preserve all business data and communication. When a user
or group is placed on hold, all message copies are retained. For example: Mary posted a message in a
channel and then modified the message. In a hold scenario, both copies of the message are retained.
Without Legal Hold, only the latest message is retained.
Note: Placing a user on hold does not automatically place a group on hold or vice-versa.
Due to the complex workload architecture of Teams, it can be difficult to understand what to put on hold
when data must be preserved for a legal case or investigation. The following table identifies some
examples that may help with this situation.

| Scenario | What to place on hold |
|---|---|
| Microsoft Teams Private Chats | User mailbox |
| Microsoft Teams Channel Chats | Group mailbox used for the team |
| Microsoft Teams Content (e.g. Wiki, Files) | SharePoint site used by the team |
| Private Content | OneDrive for Business site of the user |

Holds are required to protect user and mailbox content from accidental or intended deletion and preserve
it for future investigation or processing. There are two types of holds available with Office 365:
●● In-Place Holds in eDiscovery Cases (all workloads)
●● Litigation Holds on single mailboxes (Exchange only)
While an in-place hold protects only content that matches keywords from being deleted, a litigation hold
protects all the content stored in a mailbox.
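
The location table above translates directly into the locations of an eDiscovery case hold, with the user and the team listed separately because holding one does not hold the other. The following PowerShell is an added example, not part of the course material; it assumes connected Exchange Online and Security & Compliance PowerShell sessions, and the case name, team name, user, OneDrive URL and keyword query are constructed placeholders.

```powershell
# Added example. Assumes Connect-ExchangeOnline and Connect-IPPSSession have been
# run. Every value in this block is a constructed placeholder.
$caseName    = 'Case-Sample-001'
$teamName    = 'Sample Project Team'
$custodian   = 'mary@contoso.com'
$oneDriveUrl = 'https://contoso-my.sharepoint.com/personal/mary_contoso_com'

# Exchange Online: resolve the group mailbox and SharePoint site behind the team.
$team = Get-UnifiedGroup -Identity $teamName

# Map each row of the table to a hold location:
#   private chats  -> user mailbox        channel chats   -> group mailbox
#   team content   -> team SharePoint     private content -> user's OneDrive
$hold = @{
    Name               = "$caseName-Hold"
    Case               = $caseName
    ExchangeLocation   = @($custodian, $team.PrimarySmtpAddress)
    SharePointLocation = @($team.SharePointSiteUrl, $oneDriveUrl)
}

# Security & Compliance PowerShell: create the case, the hold and its rule.
New-ComplianceCase -Name $caseName
New-CaseHoldPolicy @hold

# The rule's query limits the hold to matching content (sample keywords).
New-CaseHoldRule -Name "$caseName-HoldRule" -Policy $hold.Name `
    -ContentMatchQuery 'contract AND budget'

# Confirm that the hold reached every location.
Get-CaseHoldPolicy -Identity $hold.Name -Case $caseName -DistributionDetail |
    Format-List Name, DistributionStatus, ExchangeLocation, SharePointLocation

# The second hold type from the text: a Litigation Hold on a single mailbox
# (Exchange Online only), which preserves everything stored in that mailbox.
Set-Mailbox -Identity $custodian -LitigationHoldEnabled $true
Get-Mailbox -Identity $custodian | Format-List LitigationHoldEnabled, LitigationHoldDate
```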

Supervision
Supervision policies in Office 365 allow you to capture employee communications for examination by
designated reviewers. You can define specific policies that capture internal and external email, Microsoft
Teams, or third-party communications in your organization. Reviewers can then examine the messages to
make sure that they are compliant with your organization's messaging standards and resolve them with
classification type.
These policies can also help you overcome many modern compliance challenges, including:
●● Monitoring increasing types of communication channels
●● The increasing volume of message data
●● Regulatory enforcement and the risk of fines

In contrast to eDiscovery searches, in which all results are returned, supervision returns only a subset of
the results for specific keyword searches; for example, only 10% of all data that matches the configured
conditions may be returned.

Alert policies
Alert policies build on and expand the functionality of activity alerts by adding a categorization feature to
alert policies. Known as an alert event, this categorization feature can enable policies to be applied to all
users in a tenant, set threshold levels for triggering an alert, and decide whether to receive email notifications.
The types of events have also been expanded in Microsoft 365; for example, you can create alert
policies to track malware activity and data loss incidents.
Alert events are collected in a View alerts page in the Security & Compliance Center. This page provides
an improved summary of suspicious activities in tenants, where an alert can be viewed and filtered, and
where alerts can be acknowledged or dismissed.
There is a default set of alert policies in existing and newly created tenants to monitor activities such as
assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, the creation of
eDiscovery cases, and unusual levels of file deletions and external sharing.

Rights Management Services


Azure Rights Management Services, which is often referred to as Azure RMS, is the protection technology
used by Azure Information Protection.
This cloud-based protection service uses encryption, identity, and authorization policies to help secure
your files and email, and it works across multiple devices, including phones, tablets, and PCs. Because
information protection remains with the data even when it leaves your organization’s boundaries,
information can be protected both within and outside your organization.
For example, an employee might email a document to a partner company, or save a document to his or
her cloud drive. The persistent protection that Azure RMS provides not only helps to secure your company
data, but it can be legally mandated for compliance, legal discovery requirements, or simply for good
information management practices.
While securing your files and email is obviously important in today’s digital age, authorized people and
services (such as search and indexing) must still be able to read and inspect the protected data. This
capability, which is often referred to as “reasoning over data,” is not easily accomplished with other
information protection solutions that use peer-to-peer encryption, and it is a crucial element in maintaining
control of your organization’s data.
Azure RMS supports multiple security, compliance, and regulatory requirements, such as industry-standard
cryptography and FIPS 140-2 support, nCipher nShield hardware security module (HSM) to store the
tenant key in Microsoft Azure data centers, ISO/IEC 27001:2013 (includes ISO/IEC 27018), and many
more.

Overview of managing Microsoft Teams


Lesson Introduction
Even though Microsoft Teams focuses considerable attention on self-service, there are still some essential
management and implementation tasks that must be completed to maximize a deployment’s effectiveness.
For example, even when implementing self-service features, some policies that you create to guide
users are very important and should be planned with the appropriate diligence.
In this lesson you will learn about rollout paths to deploy Teams, user adoption and licensing, as well as
Teams governance and lifecycle management. By the end of the lesson you should have insight into the
different management tools that are available with Teams, and the different clients that can work with
Teams content.
After this lesson, you will be able to:
●● Describe the different rollout paths for Teams
●● Understand the importance of a user adoption plan when deploying Teams
●● Describe the different licensing options for Teams
●● Understand the importance of governance for Teams
●● Describe the benefits of an appropriate lifecycle management for Teams
●● Explain which management tools are available for Teams
●● Recognize the different clients that are available to work with Teams content

Overview of rollout path


When deploying Microsoft Teams, you should create a rollout path that describes the high-level steps
required to deploy Teams as a collaboration and communication hub for your company. Rollout paths
typically provide a macro view of the steps required for a deployment rather than a detailed, micro view
of the deployment processes. So rather than providing a list of the detailed, technical steps that are
needed, rollout paths provide a holistic view of the organizational steps required to complete the
deployment.
Microsoft’s recommended path for rolling out Teams includes the following steps:
1. Get started. The starting point for any Teams deployment begins with familiarizing stakeholders with
their new collaboration and communication client. Because self-service is an important aspect of
Teams, it is critical that this step identify project champions and drive user adoption.
2. Chat, teams, channels, & apps. To help drive user adoption of Teams, you should look for a quick
win in the deployment process. Because most companies already use legacy chat applications and
services, the quickest win typically involves integrating these persistent chat capabilities and apps into
Teams. This is possible given chat’s independence from other collaboration workloads, and because
Office 365 and third-party apps can be integrated into Teams. By integrating your existing chat
capabilities and apps into Teams, users can continue to use the legacy solutions they’re comfortable
with, which avoids disruption to their daily activities.
3. Meetings & Conferencing. Although voice communication and conferencing is used by basically
every employee in a company, most legacy solutions cannot be integrated into Teams. Therefore,
implementing meetings and conferencing in a Teams deployment is typically performed later in the
rollout process. That being said, by the time most companies get to this point in the rollout, they have
already switched from their other legacy solutions to Teams, which makes it easier to deploy the voice
meeting capabilities.
4. Voice. The last step in a rollout is the full voice integration of PSTN calling into Teams. While dedicated
telephones and on-premises PBX solutions are still common in companies, these systems do not
allow coexistence with other solutions. Therefore, switching over traditional voice communication
from legacy solutions to Teams has the highest impact on users.

The Importance of User Adoption


An estimated 70% of technology projects fail to deliver their desired results, in large part due to poor
user adoption. Just because you implement a new system does not mean that users will embrace it. In
fact, some users who have had their concerns ignored or who were not consulted during the rollout
process go so far as to sabotage the implementation. Therefore, you must deliberately think about how
you will manage change, and you must carefully consider your user adoption methodology before you
launch the solution.
When rolling out Teams, it is recommended that you do so in stages, feature by feature, and only when
your organization is ready. It is important to note that you do not have to wait until you have completed
one step before you move to the next. While some organizations may want to roll out all Teams features
at once, it is recommended that you perform a phased approach to maximize user adoption.
Your goal is to make users feel comfortable with the new system. If that means rolling out one Teams
feature at a time over a longer period of time as opposed to rolling out all Teams features at once, then
so be it. It makes no sense to roll out the entire system at once just to save some time if the net results
include frustrated, bewildered, and frazzled employees who “hate” the new system, begrudgingly use it,
and spread ill-will towards it by constantly complaining about it to other users, all because you’ve taken
away all the security they felt using their legacy applications. Change is never easy, so implementing
change in small steps is preferable to achieving user acceptance and maintaining management buy-in.
Note: If you are starting from Skype for Business, on-premises, or hybrid deployments, you may need to
alter this recommended rollout path to suit your organization’s business requirements.

First steps of a rollout


Before you begin your rollout, you should ensure that all prerequisites are met, such as environmental
and network readiness; only then should you start your deployment.
To get started quickly on Teams, it is recommended that you create two or three pilot teams and channels
for a select group of early adopters. By rolling out Teams on a small scale, organizations will learn about
Teams by using one feature at a time. This will enable management to gain valuable insights into how
they can best deploy Teams across the entire organization.
You should perform the following steps to roll out your initial set of teams and channels so the early
adopters can begin chatting, sharing files, and collaborating:
●● Step 1: Create the first teams and channels
●● Step 2: Onboard early adopters
●● Step 3: Monitor usage and feedback
●● Step 4: Get resources to plan an organization-wide rollout
Note: To increase user adoption, it is critical that this first phase of the Teams rollout be completed with
little to no issues. This can be best accomplished by ensuring that you use the system’s default settings
and only move and create content in Teams that is project relevant and not business critical. Moving any
business-critical data into Teams should only be done when the required security and compliance
features in your rollout have been deployed.

Deploying Teams features


In the recommended path, you should plan and roll out the different Teams features to additional pilot
users. You start by rolling out chat, teams, channels, and apps, because they are the simplest workload.
From there you can move on to the more complex workloads, which include meeting and voice capabilities.
In most production environments, organizations already have meeting and voice solutions in place, so
instant messaging and channels are new features that can be deployed in coexistence with existing
solutions. However, meeting and voice workloads are usually more complex and therefore need to be
migrated from legacy systems into Teams.
Of course, depending on organizational needs, it is possible to deploy them all at once. This is where
planning is so important to addressing your organization’s requirements and implementing a successful
Teams deployment.

Migrate from existing Skype for Business to Teams


When rolling out Teams in an organization that already uses Skype for Business, you must consider
initially implementing both systems simultaneously in a coexistent state and then eventually migrating from
Skype for Business to Teams.
Note: Skype for Business Online will be retired on July 31, 2021, after which it will no longer be accessible
or supported.

Microsoft FastTrack
With the FastTrack program, Microsoft provides guidance for planning, deployment, and adoption,
including remote access to Microsoft engineering expertise, best practices, tools, and resources for a
successful deployment of Microsoft Teams and other Microsoft 365 services in organizations. FastTrack
for Microsoft 365 helps organizations and their partners accelerate deployment and gain end-user
adoption at no additional cost. When planning rollout paths, you should also consider using FastTrack
offers in your deployments.
Additional information. For more information on FastTrack options, see the following article on
FastTrack for Microsoft 365 [3].

Overview of adoption plan


As previously mentioned, user adoption is vital to the success of any Microsoft Teams deployment.
Because Teams combines a wide range of different workloads, such as messaging, file, and voice communication,
organizations may experience significant change to business processes to efficiently collaborate
and communicate with Microsoft Teams. And as business processes change, end-users often find that
their daily routines or processes change as well. It is this change that users must positively embrace to
successfully implement Teams. Without buy-in from the end-users who implement Teams as their primary
collaboration hub, a Teams deployment will fail, even if rolled out perfectly.
The following is a recommended list of high-level steps that organizations should pursue to implement
Teams and drive positive user adoption. These steps, which can be altered depending on the size of the
organization, will help ensure a sustained level of communication with stakeholders, champions, IT
administrators, and users to land a successful deployment for Microsoft Teams.
1. Identify key stakeholders, champions, and user profiles.
2. Identify and select fitting business scenarios.
3. Conduct a pilot that includes business users, champions, and IT professionals.
4. Design, launch and manage an adoption campaign. Download the Customer Success Kit as a starting
point. A good adoption campaign includes:
●● Internal awareness materials such as posters, digital signage, and events
●● Self-help and training information in a specific location
●● A defined feedback mechanism
●● Pre-defined success measures (solution adoption, views of key materials, attendance at courses)
5. Build a champion program alongside your service deployment.
6. Provide a standard feedback method.
7. Measure and share success.
8. Adjust messaging and methods based on feedback, and then repeat.

3 https://www.microsoft.com/microsoft-365/partners/fasttrack

Identify key stakeholders, champions, and user profiles


The first rule of a successful adoption is to create a dynamic team comprised of key stakeholders and the
right people who can drive and effect change in others. The team should consist of committed individuals
representing a cross-section of the organization. Key stakeholder roles include Executive Sponsors,
Service Owners, IT Professionals, and Champions.
●● Executive Sponsors. These individuals are key leaders within the organization, and their participation
is essential in driving employee adoption. They have the greatest influence on company culture and
can actively communicate the value and benefits of new technology and business processes.
●● Service Owners. These individuals are responsible for ensuring people use the service and get value
from it. Defining Service Owners within your organization is important to ensure the business goals
set for Office 365 are realized.
●● IT Professionals and Champions. Gaining buy-in from every user across an organization is a challenge.
IT Professionals and Champions can help alleviate this challenge and play an important role in
the adoption of Office 365. They are knowledgeable, committed to furthering their expertise and are
willing to provide peer coaching and assistance. They help translate Office 365 into the reality of their
department or team.
Organizations should plan regular meetings of these stakeholders to keep them up-to-date on the
progress of the projects. Initiating a “collaboration council” to allow for feedback and discussion can be a
useful tool depending on corporate culture.
Best Practice: Ironically, the people who may be the biggest obstacles to change can also become your
most important allies in a deployment of this kind. You should engage with these members of organizations
early and often to hear their concerns and issues. Often, they have valuable feedback that will make
the Teams deployment project more successful. Once you receive their buy-in on the project, other
end-users who may be skeptical of the change oftentimes follow their lead and embrace the new system
as well.

User profiles
It is very important to understand the types of users throughout your organization. Do you have users
who are primarily mobile? Are they in constant meetings or giving presentations? Do you know which of
your users have the most difficulty with your existing collaboration solutions?
Segmenting your user community in this manner can help you identify groups that are most open to
change. They are often the best targets for your early business pilots, and their feedback is extremely
valuable. Understanding the “day in the life” of your users will help you prioritize your business outcomes,
design adoption goals appropriate for your deployment, and sustain usage over time.
The following table identifies some typical user profiles.

User profile | Focus on
Office Workers | Works mainly in the office, creates meetings and calls
Sales Representatives | Works externally, chats a lot, and uses file storage
Management or “C-level” | Works with sensitive data; therefore, has increased security requirements

Champions
It is essential that organizations initiate a Champions program. The purpose of such a program is to
recruit early Microsoft Teams enthusiasts and provide them with both resources and reasons to train their
fellow users and evangelize the benefits of Teams within the groups and organizations they could
influence. For many enthusiasts, the opportunity to promote a technology about which they feel passionate
is its own reward.
Identifying the individuals who can become your collaboration champions provides you with an extended
support team that can provide essential feedback regarding your implementation plans. The incentive for
those individuals selected for this program is that it provides them with early insight into the company’s
plans and enables them to provide feedback to effect change that will improve their daily processes. Any
investment you make in this community, whether it be time, attention, or rewards, will be returned to
your implementation through their support and evangelism.
Champions will help to:
●● Create the groundswell and enthusiasm that grows adoption of improved business processes.
●● Build a circle of influence among their teams.
●● Bring to life across teams the new ways of working.
●● Identify business challenges and possible solutions.
●● Provide feedback to the project team and sponsors.
For a successful Champions program, individuals from all types of user profiles are required to maximize
the range and efficiency of their benefits for a Teams deployment.
Additional information. Microsoft provides different guides and toolkits to support companies in rolling
out Teams.
●● https://aka.ms/TeamsSuccessKit
●● https://aka.ms/MicrosoftAdoption

Overview of Teams licensing


Microsoft Teams is available in different license models, from a Teams (free) license, through the Teams
Commercial Cloud Trial offer, up to subscriptions that include Teams and additional calling and voice
add-on licenses.

Licensing Teams for Office 365


At the user level, access to Microsoft Teams can be enabled or disabled on a per-user basis by assigning
or removing the Microsoft Teams product license. Based on different organizations’ requirements, there
are two main distinctions when choosing the desired licenses:
●● The core functionalities include chat, meetings, live events (without telephony and PSTN calling), and
access to the admin center, policies, reporting and several compliance functions.
●● The advanced functionalities for Teams include the core functions and additional compliance capabilities,
such as DLP for Teams and information barriers. Voice communication to the PSTN network is
also an advanced feature.
The core functionalities are available in all Office 365 education, business, enterprise and developer
subscription plans. Advanced features require an E5 plan and/or additional add-on licenses.
The following table shows the most important differences in Teams features between the E3 and E5
subscription plans:

Feature | Functionality | Minimum requirements
Data Loss Prevention (DLP) for Exchange Online and SharePoint Online | DLP functionality when sharing sensitive Teams data stored in Exchange or SharePoint. | E3
Data Loss Prevention (DLP) for chat and channel messages | DLP functionality when exposing sensitive data in chats or channel messages. | E5 or standalone license
Information barriers for Teams | Creating communication barriers between Teams. | E5 or standalone license
Audio Conferencing | Providing dial-in phone numbers in meetings, for participants joining from PSTN network. | E5 or add-on license
Phone System | Capabilities to connect on-premises PBX systems and to use telephony features without the requirement of performing calls into the PSTN network. | E5 or add-on license
Team naming policy | Use Prefix/Suffix–based naming restrictions and define custom word blocking. | Azure AD Premium P1 (part of E3)
Team classification | Assign classification functions to teams. | Azure AD Premium P1 (part of E3)
Team creation | Limit team creation to security group members. | Azure AD Premium P1 (part of E3)
Group creation | Limit team creation to security group members. | Azure AD Premium P1 (part of E3)
Group usage guidelines | Set a link to the Group Usage Guidelines, which will be visible on all group creation endpoints. | Azure AD Premium P1 (part of E3)
Access Reviews | Perform reviews to efficiently manage group memberships for both internals and guest users | Azure AD Premium P2 (part of E5)
Terms of Use | A simple method that organizations can use to present information to end users. This presentation ensures users see relevant disclaimers for legal or compliance requirements. | Azure AD Premium P1 (part of E3)
Security and Compliance features from the Office 365 Advanced Compliance standalone license pack that
are targeted for Exchange Online and SharePoint Online also affect the corresponding Teams functionalities.
Office 365 Advanced Compliance is also a part of Office 365 E5.
All supported subscription plans are eligible for access to the Teams web client, desktop clients, and
mobile apps.

Microsoft Teams Audio & Conferencing Add-on Licensing


Besides basic Teams features, there are add-on licenses for more features such as audio conferencing,
phone system, calling plans, and Microsoft Teams rooms.
For audio conferencing, organizations will need to buy and assign an audio-conferencing license to each
user who will set up dial-in meetings. For calling plans, each user will need a phone system plus a
domestic or domestic and international calling plan. The table below lists the add-on licenses available
for Teams:

Add-on | Functionality
Audio Conferencing | The audio-conferencing feature provides the functionality to add dial-in phone numbers to meetings, for joining a meeting from the PSTN network.
Toll free numbers for dial-in access to conferences | Toll free numbers allow local numbers to be added to conferences, where participants can join a meeting without paying fees for international calling.
Phone System | The phone system feature allows users to use traditional PBX features from their on-premises PBX solution or from Office 365.
Calling Plans | Calling plans require the phone system licenses and provide capabilities to perform calls into the PSTN network. They are available as “Domestic Calling” and “International Calling”.
Microsoft Teams Rooms | This feature brings video, audio, and content sharing to conference rooms.
Communications Credits | Provides a way to pay for Audio Conferencing and Calling Plan minutes, if a voice connection is not covered by an audio conferencing or calling plan.
Combining the Teams add-on features with an existing Office 365 subscription can be confusing and
requires an understanding of Office 365 licensing in general.
For example, if you want to provide additional telephony features to existing users:

User license | Desired functionality | Add-on required
Office 365 E3 | Perform phone calls to the PSTN network. | Phone system and calling plan
Office 365 E5 | Perform phone calls to the PSTN network. | Calling plan only (phone system is included in E5)
Office 365 E3 | Provide dial in phone numbers to meetings. | Audio conferencing
Office 365 E5 | Provide dial in phone numbers to meetings. | None (audio conferencing is included in E5)
Office 365 E5 | Perform phone calls to the PSTN network routed over on-premises PBX phone system. | None (phone system is included in E5)
Office 365 E5 (without Audio Conferencing) | Perform phone calls to the PSTN network. | Calling plan only (phone system is included in E5)
These examples show that it is not enough just to know the Teams add-on features; Teams administrators
also need to know the licensing of the other Office 365 services.
Note: If users aren't assigned SharePoint Online and Exchange Online licenses correctly, some Teams
features that rely on these services will not work.

Additional considerations
Starting on January 1, 2020, Teams users will be able to send Urgent Messages with Priority Notifications
according to the terms of their subscription, with reporting on priority notification usage on the admin
backend. When this new feature is available, some licensed Teams users (E1/F1/Business Basic (formerly
Business Essentials)) will only be able to send up to 5 priority messages per month, while users with
higher subscriptions (E3/E5/Business Standard (formerly Business Premium)) will be able to send unlimited
priority messages.
Virtual users, such as auto attendants with an assigned phone number, also require licenses to obtain
calling features. These can be either a free Phone System–Virtual User license or a paid Phone System
user license assigned to resource accounts.
Important: Due to the continuous development of Office 365, available services and licenses change
continuously. Teams administrators should always be ready to adapt to changes in the license requirements
and to new opportunities for rolling out Microsoft Teams in companies. For the latest update on
licensing, please refer to Office 365 licensing for Microsoft Teams [4].

Free and trial licenses for Teams


Besides licenses for organizations, there are two special license models called Teams (free) and the Teams
Commercial Cloud Trial offer. These two are not used for larger deployments but offer several advantages
for smaller projects or for evaluating Teams features.
●● The Teams (free) offer is free of charge and intended for small businesses and consumers with
a Microsoft account that do not have a tenant and Azure AD identities yet. This offer has the smallest
feature set available and does not contain scheduled meetings, conferencing, custom email domains,
voice communication to PSTN, admin tools, reporting, or configurable policies. (Upon Free Teams
activation, a tenant is automatically created. The Teams user count is limited to 300 per organization,
with a maximum of 2 GB SharePoint storage.)

4 https://docs.microsoft.com/en-us/microsoftteams/office-365-licensing

●● The Microsoft Teams Commercial Cloud Trial offer is a fully functional but time-limited trial offer,
valid for 1 year of testing Teams in companies. Each Commercial Cloud Trial offer license includes a
set of twelve different standalone licenses, such as Exchange foundation and SharePoint Online Kiosk
with 2 GB of storage in SharePoint Online, to provide the basic functionality that is required to use
Teams. For users licensed with standalone or other Office 365 subscription plans, the limitations of the
corresponding licenses apply.
Note: Syndication Partner Customers and GCC, GCC High, DoD, and EDU customers are not eligible for the
Microsoft Teams Commercial Cloud Trial offer. If an organization is ineligible for the Microsoft
Teams Commercial Cloud Trial offer, they will not see the “Let users install trial apps and services”
switch.
All trials within an organization share the same start and end dates, based on the date the first user signed
up for the trial. For example, if user A starts the first trial on January 25, 2019 and user B starts a trial on
June 3, 2019, both users' trials will expire on January 25, 2020.
The Teams (free) licenses can be upgraded to fully featured Office 365 subscriptions, or to a fully featured
tenant with Microsoft Teams Commercial Cloud Trial offer licenses, valid for one year of testing.

Overview and planning for Teams governance


Microsoft Teams provides a rich set of tools to implement governance capabilities for organizations.
When planning for governance, you should consider the following areas:
●● Group and team creation, naming, classification, and guest access
●● Group and team expiration, retention, and archiving
●● Teams feature management
To quickly implement governance in Teams, organizations should focus on these areas, as described in
the following diagram.

Group and team creation, naming, classification, and guest access
Organizations oftentimes implement strict controls on how teams are named and classified, whether
guests can be added as team members, and who can create teams. You can configure each of these areas
by using Azure Active Directory (Azure AD).
The following table includes some questions you should consider when planning for group and tenant
creation policies.

What you should consider? | When to consider
Does your organization require a specific naming convention for teams that are created in Microsoft Teams? | If you require that a prefix be added to every team name during creation so your users can clearly identify the team from a user mailbox. If you have a tenant for multiple subsidiaries, with independent Sales/HR departments.
Do team creators need the ability to assign organization-specific classifications to teams? | If you want to implement specific classifications, such as internal or top-secret teams.
Do you need to restrict the ability to add guests to teams on a per-team basis? | If you need to restrict collaboration for teams with sensitive information, such as personally identifiable information (PII).
Does your organization require limiting who can create teams? | If you need to restrict team creation to specific users only to avoid uncontrolled growth of teams.

Note: Limiting group and team creation can slow your users’ productivity, because many Office 365
services require that groups be created for the services to function.
After you’ve determined your requirements, you can implement them by using Azure AD controls.

Group and team expiration, retention, and archiving


Organizations might have additional requirements for setting policies for expiration, retention, and
archiving teams and Teams’ data. Group expiration policies can be configured to automatically manage
the lifecycle of a group, and retention policies can be configured to preserve or delete information as
needed. Teams can also be archived (set to read-only mode) to preserve a point-in-time view of a team
that’s no longer actively required or in use.

What you should consider? | When to consider
Do you require specifying an expiration date for teams? | If your company has a compliance requirement to remove or delete unused resources such as teams, after a project has ended or a request for proposal (RFP).
Do you require specific data retention policies be applied to teams? | If the data of a team needs to be preserved for a certain amount of time; for example, after a project has ended.
Does your organization expect to require the ability to archive inactive teams to preserve the content in a read-only state? | If a project has ended and the documentation has been handed over to a customer, to avoid changes to completed material.
After defining compliance requirements, you can begin defining policies and implementing them.

Teams feature management


Another important aspect of governance and lifecycle management for Teams is the ability to control
what features users will have access to. Messaging, meeting, and calling features can be managed, either
at the Office 365 tenant level or per-user.

What you should consider? | When to consider
Do you require limiting Teams features for your tenant? | When your business requirements forbid services from saving data that is stored outside of Europe, because of GDPR requirements.
Do you require limiting Teams features for specific users? | If you want to roll out new Teams features to an early adopters group first.

Next Steps for Teams Governance


Once you have identified your Teams governance topics, you should consider the following steps to
develop a governance roadmap for your Teams rollout project:
●● Document your organization’s requirements.
●● Plan to implement your specific requirements.
●● Communicate and publish your policies to inform Teams users of the behavior they can expect.

Overview of lifecycle management


Planning for lifecycle management is essential for organizations to get the most out of Microsoft Teams.
Like most projects, creation and management of teams passes through beginning, middle, and end
stages. However, Teams has such a variety of uses that it may not always be obvious which stage a
project is in. Having a plan for lifecycle management will help track an organization’s projects as they go
through these stages.

Teams lifecycle
In Teams, each individual team has its own lifecycle with the following sequence:
1. Initiate (beginning)
2. Active (middle)
3. Sunset (end)
Broadly speaking, the lifecycle of a team within Microsoft Teams encompasses both configuration (static
settings and policies) and management (dynamic per team during the lifecycle).

Proactive administrator activities include initiating creation of teams (including owners, members,
channels, and so on), and sunsetting of teams as required by the business. Reactive administrator
activities include changing team settings on behalf of the owner and adding team owners for orphaned
teams.

Teams lifecycle stages


Typically, the stages of each team’s lifecycle include a beginning, middle, and end, when the team has
completed its purpose and reached the end of its useful life.
The beginning stage involves defining the team’s goal and membership, creating the team and its
channels, inviting team members, and setting permissions for individual members. Key decision points to
consider in the beginning stage include:
●● What is the team’s purpose?
●● Who belongs on the team?
●● Will the team be private or public?
●● Can new members add themselves or do team owners add them?
●● Who will have permissions to create channels or add tabs, bots, and connectors?
●● What initial channels will be added to the team?

In the middle stage, collaboration takes place according to an established workflow, with team members
interacting toward common goals within team channels. Decision points that should be considered in this
stage include:
●● Who will monitor usage to identify problems?
●● What metrics will be used to determine team health?
●● Identifying any teams that have reached the end of their useful life.
●● Identifying unhealthy teams that still serve a purpose but need revitalizing.
The end stage occurs when a team has concluded its useful lifecycle, normally for a finite project. In this
stage, you formally acknowledge the closing of the team and delete teams you no longer need. Deleting
teams is actually a soft delete that IT can reverse for up to 21 days (30 days for Microsoft 365 Groups).
Deleting teams does not affect any chats or content that were retained in accordance with compliance
policies. Important decision points related to the end stage include:
●● Defining what the end of a team’s life looks like.
●● Deciding whether to keep a team’s stored content available, and for how long.
●● Documenting best practices and lessons learned.
●● Archiving data, if necessary.

Automation throughout the lifecycle


You can configure and manage the Teams lifecycle through the Teams Admin Center, the Office 365
Admin Center, and the Azure AD Admin Center. Should you wish to automate specific management tasks
throughout the team lifecycle, you can do so using PowerShell and Graph API automation tools, as
depicted in the following diagram.

*The feature is not yet available in PowerShell.

Overview of Teams management tools


Managing the various aspects of Microsoft Teams can be performed using a variety of tools. Basic tasks,
such as creating and editing Teams settings, adding or removing members, and adding, removing and
configuring apps can be performed by users through one of the Teams clients. Administrative tasks must
be performed with administrative roles and through the Teams Admin Center, the Teams PowerShell
module, or Microsoft Graph API.

Teams Admin Center


The Microsoft Teams Admin Center is available from the Microsoft 365 Admin Center or by navigating to
the web address “https://admin.teams.microsoft.com/”. The Microsoft Teams Admin Center provides a
dashboard that shows the Teams usage and user activity in an organization and the full administrative
capabilities required to configure all aspects of Teams in a tenant.

The Teams Admin Center enables administrators to manage and create teams, to create teams policies,
manage phone devices and telephony numbers, locations and emergency addresses, meeting settings
and policies, such as live event settings and policies, messaging policies, the teams apps settings and
policies, organization-wide settings for sharing, guest access, resource accounts, and all calling settings.
The portal also provides links to the legacy portal, the call quality dashboard for troubleshooting, and to
StaffHub.
To access the Teams Admin Center, a user must be assigned to one of the following admin roles:
●● Global Administrator
●● Teams Admin
●● Teams communication admin
●● Skype for Business admin (might be deprecated in the future)

Teams PowerShell Module


To use Windows PowerShell to run Teams-related commands, you must first install the Teams PowerShell
module by running the following command in an elevated PowerShell session:
Install-Module -Name MicrosoftTeams

After installing the module, it is loaded into all new PowerShell sessions and the cmdlets are available for
configuring policies and settings, such as creating and managing teams.
Before you can work with the Teams PowerShell module, you must establish a connection to a tenant by
running the following cmdlet:
Connect-MicrosoftTeams

If you want to see a list of all the cmdlets that are included in the Microsoft Teams PowerShell module,
you should run the following command:
Get-Command -Module MicrosoftTeams

Note: The Teams PowerShell module is still under development and transitioning from the Skype for
Business PowerShell module. As such, additional cmdlets will be showing up soon.
For more information, please refer to Teams PowerShell Overview [5].
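The following script is an added example, not part of the course material. It uses the module's Get-Team and Get-TeamUser cmdlets to report orphaned teams, single-owner teams, and teams that contain guests. The sample team records are constructed, and the single-owner check is an assumption of this example.

```powershell
# Added example, not part of the course material.
# Set to $true to query the signed-in tenant instead of the constructed sample.
$UseLiveTenant = $false

function Get-TeamMembershipRecord {
    # Builds one record per team with the MicrosoftTeams module cmdlets.
    if (-not (Get-Module -ListAvailable -Name MicrosoftTeams)) {
        throw 'MicrosoftTeams module not found. Run: Install-Module -Name MicrosoftTeams'
    }
    Import-Module MicrosoftTeams
    Connect-MicrosoftTeams | Out-Null

    # Get-Team returns the teams visible to the signed-in account.
    foreach ($team in Get-Team) {
        $users = @(Get-TeamUser -GroupId $team.GroupId)
        [pscustomobject]@{
            DisplayName = $team.DisplayName
            Visibility  = $team.Visibility
            Archived    = $team.Archived
            Owners      = @($users | Where-Object { $_.Role -eq 'owner' } | ForEach-Object { $_.User })
            Guests      = @($users | Where-Object { $_.Role -eq 'guest' } | ForEach-Object { $_.User })
        }
    }
}

function Get-TeamGovernanceFinding {
    # Returns one row per team that needs administrator attention.
    param([object[]]$Team)

    foreach ($t in $Team) {
        $owners = @($t.Owners | Where-Object { $_ })
        $guests = @($t.Guests | Where-Object { $_ })
        $issues = @()

        if ($owners.Count -eq 0) {
            $issues += 'orphaned (no owner)'
        }
        elseif ($owners.Count -eq 1 -and -not $t.Archived) {
            # Assumption of this example: a single owner is flagged because
            # the team becomes orphaned as soon as that account is removed.
            $issues += 'single owner'
        }
        if ($guests.Count -gt 0) {
            $issues += "$($guests.Count) guest(s): $($guests -join ', ')"
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Team       = $t.DisplayName
                Visibility = $t.Visibility
                Archived   = $t.Archived
                Issues     = $issues -join '; '
            }
        }
    }
}

# Constructed sample records (fictitious names) so the script runs offline.
$sampleTeams = @(
    [pscustomobject]@{
        DisplayName = 'Sales EMEA'; Visibility = 'Private'; Archived = $false
        Owners = @('adele@contoso.example', 'alex@contoso.example'); Guests = @()
    }
    [pscustomobject]@{
        DisplayName = 'RFP Fabrikam'; Visibility = 'Private'; Archived = $false
        Owners = @(); Guests = @('partner@fabrikam.example')
    }
    [pscustomobject]@{
        DisplayName = 'HR Onboarding'; Visibility = 'Public'; Archived = $false
        Owners = @('megan@contoso.example'); Guests = @()
    }
)

$teams = if ($UseLiveTenant) { @(Get-TeamMembershipRecord) } else { $sampleTeams }
Get-TeamGovernanceFinding -Team $teams | Format-Table -AutoSize -Wrap
```

With the sample data, the report lists RFP Fabrikam (orphaned, with one guest) and HR Onboarding (single owner), while Sales EMEA produces no row.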

Teams Graph API


Microsoft Teams also provides management capabilities through Microsoft Graph, where Teams is
represented by a group resource.
The Graph API can be used for various tasks regarding managing team settings, members, and resources.
The primary use of Graph API is its automation capabilities because Graph API calls can be embedded
into tab pages and easily called from other sources.
For more information, please refer to Use the Microsoft Graph API to work with Microsoft Teams [6].
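Because a team is a group resource in Graph, the governance attributes discussed earlier (naming, classification, expiration) can be read from the group object. The following script is an added example, not part of the course material; the JSON is constructed sample data shaped like a Graph groups response, and the 'PRJ-' prefix, the 30-day warning window, and the $token variable are assumptions.

```powershell
# Added example, not part of the course material.
# Live query (assumes $token holds a Graph access token with permission to read groups):
# $response = Invoke-RestMethod -Headers @{ Authorization = "Bearer $token" } -Uri `
#   'https://graph.microsoft.com/v1.0/groups?$filter=resourceProvisioningOptions/Any(x:x eq ''Team'')&$select=id,displayName,visibility,classification,resourceProvisioningOptions,expirationDateTime'

# Constructed sample response so the script runs offline.
$sampleJson = @'
{
  "value": [
    { "id": "00000000-0000-0000-0000-000000000001", "displayName": "PRJ-Apollo",
      "visibility": "Private", "classification": "Secret",
      "resourceProvisioningOptions": ["Team"], "expirationDateTime": "2021-03-01T00:00:00Z" },
    { "id": "00000000-0000-0000-0000-000000000002", "displayName": "Friday Lunch",
      "visibility": "Public", "classification": null,
      "resourceProvisioningOptions": ["Team"], "expirationDateTime": "2020-06-15T00:00:00Z" },
    { "id": "00000000-0000-0000-0000-000000000003", "displayName": "PRJ-Legacy",
      "visibility": "Private", "classification": "Standard",
      "resourceProvisioningOptions": ["Team"], "expirationDateTime": null },
    { "id": "00000000-0000-0000-0000-000000000004", "displayName": "Finance DL",
      "visibility": "Private", "classification": null,
      "resourceProvisioningOptions": [], "expirationDateTime": null }
  ]
}
'@

function Test-TeamGroupGovernance {
    param(
        [object[]]$Group,
        [string]$RequiredPrefix = 'PRJ-',   # hypothetical naming convention
        [int]$ExpiryWarningDays = 30,       # assumed warning window
        [datetime]$AsOf = (Get-Date)
    )
    $now = $AsOf.ToUniversalTime()

    foreach ($g in $Group) {
        # Only groups provisioned as a team are in scope.
        if ($g.resourceProvisioningOptions -notcontains 'Team') { continue }

        $findings = @()
        if ($g.displayName -notlike "$RequiredPrefix*") {
            $findings += "name lacks prefix '$RequiredPrefix'"
        }
        if ([string]::IsNullOrWhiteSpace($g.classification)) {
            $findings += 'no classification'
        }
        if ($g.expirationDateTime) {
            # Cast handles both string values and already-parsed DateTime values.
            $expires  = ([datetime]$g.expirationDateTime).ToUniversalTime()
            $daysLeft = [math]::Floor(($expires - $now).TotalDays)
            if ($daysLeft -le $ExpiryWarningDays) {
                $findings += "expires in $daysLeft day(s)"
            }
        }
        else {
            $findings += 'no expiration date'
        }

        [pscustomobject]@{
            Team       = $g.displayName
            Visibility = $g.visibility
            Findings   = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

$groups = ($sampleJson | ConvertFrom-Json).value
# Fixed reference date so the sample output is reproducible.
Test-TeamGroupGovernance -Group $groups -AsOf ([datetime]'2020-06-01T00:00:00Z') |
    Format-Table -AutoSize -Wrap
```

Run against the sample, PRJ-Apollo passes, Friday Lunch is flagged for its name, missing classification and approaching expiry, PRJ-Legacy is flagged for having no expiration date, and the non-team group Finance DL is skipped.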

5 https://docs.microsoft.com/en-us/MicrosoftTeams/teams-powershell-overview
6 https://docs.microsoft.com/en-us/graph/api/resources/teams-api-overview?view=graph-rest-1.0

Management through Teams Clients


Team owners can make changes on their owned teams by performing certain management tasks without
being assigned either the Global Administrator or Teams Service Administrator roles.
The following list describes some of the tasks a team owner can perform themselves:
●● Manage team settings
●● Control @[team name] mentions
●● Allow @channel or @[channel name] mentions
●● Allow usage of emoji, GIFs, and memes
●● Add or remove members and guests
●● Add, edit and remove connectors and apps
●● Manage join requests
●● Create, edit and remove channels
●● Manage member and guest permissions
●● Auto-show or hide channels for the whole team
●● Change the team picture
●● Renew or delete teams
●● Configure channel moderation
●● Archive or restore a team
These management tasks are available through the Desktop client, the web client, and the mobile client.

Overview of Teams clients


Microsoft Teams has clients available for desktop (Windows, Mac, and Linux), web, and mobile (Android
and iOS). It's integrated with communications and meeting-room devices for a frictionless experience no
matter which device users work from. All clients require an active internet connection and do not support
an offline mode.

Desktop clients
The Microsoft Teams desktop client provides a full-featured experience, including real-time communications
support (audio, video, and content sharing) for team meetings, group calling, and private one-on-
one calls.
Advantages of the Teams desktop client include auto-start, which ensures that you’ll stay signed in and
won’t miss any important notifications, as well as more features and a more granular management
experience.
The desktop client can be installed either individually by users or rolled out by IT in a mass deployment.

Windows
The Microsoft Teams desktop client is available in 32-bit and 64-bit architecture and can be installed on
Windows (8.1 or later) and Windows Server (2012 R2 or later). Additionally, Teams requires .NET Framework
4.5 or later.

Mac
Mac users can install Teams by using a PKG installation file for macOS computers with OS version 10.10 or
later. Administrative access is required to install the Mac client. The macOS client is installed to the
/Applications folder.

Linux (Public Preview)


Microsoft Teams is now available for Linux users as a public preview. Teams on Linux enables high
quality collaboration experiences for the open source community at work and in educational institutions.
Users can download the native Linux packages in .deb and .rpm formats.

Web client
The web client is a fully-functional client that can be used from a variety of browsers. The browser must
be configured to accept third-party cookies. There is no plugin or download required to run Teams in a
web browser.

The web client performs browser version detection upon connecting to https://teams.microsoft.com. If an
unsupported browser version is detected, it will block access to the web interface and recommend that
the user download the desktop client or mobile app. Microsoft Teams supports the following internet
browsers with some exceptions.

Browser | Calling - audio, video, and sharing | Meetings - audio, video, and sharing
Internet Explorer 11 | Not supported | Meetings are supported only if the meeting includes PSTN coordinates. To attend a meeting on IE11 without PSTN coordinates, users must download the Teams desktop client. Video: Not supported. Sharing: Incoming sharing only (no outgoing)
Microsoft Edge, RS2 or later | Fully supported, except no outgoing sharing | Fully supported, except no outgoing sharing
Microsoft Edge (Chromium-based), the latest version plus two previous versions | Fully supported | Fully supported
Google Chrome, the latest version plus two previous versions | Fully supported | Fully supported. Sharing is supported without any plug-ins or extensions on Chrome version 72 or later.
Firefox, the latest version plus two previous versions | Not supported | Meetings are supported only if the meeting includes PSTN coordinates. To attend a meeting on Firefox without PSTN coordinates, users must download the Teams desktop client. Video: Not supported. Sharing: Incoming sharing only (no outgoing)
Safari 11.1+ | Not supported | Meetings are supported only if the meeting includes PSTN coordinates. To attend a meeting on Safari without PSTN coordinates, users must download the Teams desktop client. Video: Not supported. Sharing: Incoming sharing only (no outgoing). Safari is enabled on versions higher than 11.1 in preview. While in preview, there are known issues (https://support.office.com/article/safari-browser-support-1aac0a7c-35a8-42c1-a7df-f674afe234df) with Safari's Intelligent Tracking Prevention.

Mobile clients
The Microsoft Teams mobile apps are available for Android and iOS platforms. They are targeted to
on-the-go users who participate in chat-based conversations, and they enable peer-to-peer audio calls.
The mobile apps can be downloaded directly from their respective vendor mobile stores, such as Google
Play and the Apple App Store, or by being pushed through Microsoft Intune.

Supported mobile platforms for Microsoft Teams mobile apps include:


●● Android: Support is limited to the last four major versions of Android. When a new major version of
Android is released, the new version and the previous three versions are officially supported.
●● iOS: Support is limited to the two most recent major versions of iOS. When a new major version of
iOS is released, the new version of iOS and the previous version are officially supported.
Mobile apps are distributed and updated through the respective mobile platform’s app store only.
Distribution of the mobile apps via MDM or side-loading is not supported by Microsoft. Once the mobile
app has been installed on a supported mobile platform, the Teams Mobile App itself will be supported
provided the version is within three months of the current release.
Module 2 Implement Microsoft Teams Governance, Security and Compliance

Implement Governance and Lifecycle Management for Microsoft Teams
Lesson Introduction
Organizations today are using a diverse toolset. Multiple collaboration tools are in use because every
group is unique and has their own functional needs and workstyle. Some will use only email while others
will live primarily in chat.
Planning and implementing governance and lifecycle management for Microsoft Teams is very important
for a consistent and well-organized communication and collaboration solution. Before deploying Microsoft
Teams, you should consider questions such as who can create teams, what the team naming convention is,
and whether to allow guest access.
Teams is built on Microsoft 365 Groups (formerly Office 365 Groups), which includes a rich set of tools to
implement governance capabilities that organizations require. In this lesson you will learn the features
that you can use for Teams Governance, such as groups creation, classification, expiration policy, and
naming policy. You will also learn how to leverage Teams usage reports to understand user adoption.
After this lesson, you will be able to:
●● Plan for governance in Microsoft 365 Groups.
●● Create and manage Microsoft 365 Groups.
●● Configure Microsoft 365 Groups classification.
●● Configure Microsoft 365 Group expiration policy.
●● Configure Microsoft 365 Groups naming policy.
●● Analyze Teams usage reports.

Plan for governance in Microsoft 365 Groups


Microsoft 365 Groups (formerly Office 365 Groups) is the cross-application membership service in Office
365. It is an object in Azure Active Directory. Organizations can add or remove people from the group
just as any other group-based security object in Active Directory.

With Microsoft 365 Groups, organizations can give a group of people access to a collection of collaboration
resources for those people to share, including a shared Outlook inbox, a shared calendar, a SharePoint
document library, etc. Instead of manually assigning users’ permissions to resources, adding
members to Microsoft 365 Groups automatically grants users’ permissions to all assets associated to the
group.
A Microsoft 365 Group can be created directly from Microsoft 365 admin center or indirectly from
creation of associated workloads, such as a planner or a team. When a user creates a team from the Teams
client, a Microsoft 365 Group with the same name as the team is created automatically behind the scenes.
Because Microsoft 365 Groups can be provisioned via multiple means, they could easily get out of control
without proper governance.
Office 365 has a rich set of tools to manage and govern Microsoft 365 Groups at scale. The following table
provides an overview of governance capabilities:

| Capability | Details | Azure AD Premium license required | When to use |
|---|---|---|---|
| Group naming policy | Use Prefix-Suffix–based, Custom Blocked Words. | P1 | When organizations need to enforce a consistent naming strategy for groups created by users in your organization. |
| Group classification | Assign classifications to teams. | P1 | When organizations need classifications while Microsoft 365 Groups are created. For example, users can set “Standard”, “Secret”, and “Top Secret” classification on groups they create. |
| Group guest access | Allow or prevent guests from being added to groups. | No | When users need to collaborate with people outside of their organization. For example, access can be granted to a partner, vendor, supplier, or consultant. Guest users are granted access to group conversations, files, calendar invitations, and the group notebook. |
| Group creation | Limit team creation to administrators. | No | For organizations that want to control who can create groups. |
| Group creation | Limit team creation to security group members. | P1 | For organizations that want to control who can create groups. |
| Group usage guidelines | Set a link to the Group Usage Guidelines which will be visible on all group creation endpoints. | P1 | Used in scenarios where users need to be provided with a link to the organization's Microsoft 365 Groups usage guidelines. The link appears when users create or edit a Microsoft 365 Group. |
| Hidden membership | Hide the members of the Microsoft 365 Group from users who aren't members of the group. | No | In organizations where, because of security or compliance reasons, users that are not members of a particular Microsoft 365 Group should not see its members. |
| Expiration policy | Manage the lifecycle of Microsoft 365 Groups by setting an expiration policy. | P1 | Used in organizations that have a large number of inactive groups. |
| Group activity reports | Gain insights into the activity of Microsoft 365 Groups in your organization and see how many Microsoft 365 Groups are being created and used. | No | Used in organizations that have a large number of Microsoft 365 Groups, so that admins can see how many Microsoft 365 Groups are being created and used, number of messages and posts sent to the groups, files and storage used. |
| Retention policy | Retain or delete data for a specific time period by setting retention policies for Microsoft 365 Groups in the Security & compliance center. Note: Using this feature requires licensing of Office 365 Enterprise E3 or above. | No | In organizations that need to comply with industry regulations and internal policies for retaining content for a specific minimum period of time. |
| Data loss prevention policy | Identify sensitive information across Microsoft 365 Group connected sites and prevent the accidental sharing. Note: Using this feature requires licensing of Office 365 Enterprise E3 or above. | No | In organizations that need to comply with business standards and industry regulations, where organizations need to protect sensitive information and need to prevent its inadvertent disclosure. |
| Archive and restore | Archive a team when it’s no longer active but you want to keep it around for reference or to reactivate in the future. | No | Used in organizations that need to archive the group content when it is no longer active, with ability to reactivate in the future if needed. |
| Access Reviews | Perform reviews to efficiently manage group memberships for both internal and guest users. | P2 | In organizations that need to review group memberships, access to enterprise applications, and role assignments. |
| Terms of Use | A simple method that organizations can use to present information to end users. This presentation ensures users see relevant disclaimers for legal or compliance requirements. | P1 | In organizations that have legal and compliance requirement to display terms of use of the Microsoft 365 Group users. |
For additional information, please refer to Plan for governance in Microsoft 365 Groups1.

Create and manage Microsoft 365 Groups


There are many ways to create a Microsoft 365 Group (formerly Office 365 Group). Beyond the Microsoft
365 admin center, users can create Microsoft 365 Groups in the following three primary communication
applications in Office 365:
●● Outlook: collaboration through email with a shared group inbox and calendar.
●● Microsoft Teams: a persistent chat-based workspace where you can have informal, real-time
conversations around a variety of topics, organized by specific sub-groups.
●● Yammer: enterprise social experience for collaboration.
Note: Creating a new Microsoft 365 Group via other Office 365 applications - such as SharePoint, Planner
or Stream - will create a Group with an Outlook communication modality that includes the ability to
connect to Microsoft Teams.
Depending on where a Group is created, certain resources are provisioned automatically, such as:
●● Inbox - For email conversations between your members. This inbox has an email address and can be
set to accept messages from people outside the group and even outside your organization, much like
a traditional distribution list.
●● Calendar – For scheduling events related to the group
●● SharePoint Team Site – A central repository for information, links and content relating to your group
●● SharePoint Document Library – A central place for the group to store and share files
●● OneNote Notebook – For gathering ideas, research, and information
●● Planner – For assigning and managing project tasks among your group members
●● Yammer Group – A common place to have conversations and share information
●● Microsoft Teams – A chat-based workspace in Office 365
Administrators in your Office 365 tenant can also create and manage Microsoft 365 Groups in their
specific admin centers as listed in the following table:

| Admin role | Admin center |
|---|---|
| Global Administrator | In every admin center including M365 admin center |
| Teams Service Administrator | Teams Admin center, Azure AD |
| Exchange Administrator | Exchange Admin center, Azure AD |
| Partner Tier 1 Support | M365 admin center, Exchange Admin center, Azure AD |
| Partner Tier 2 Support | Microsoft 365 Admin center, Exchange Admin center, Azure AD |
| Directory Writers | Azure AD |
| SharePoint Administrator | SharePoint Admin center, Azure AD |
| User Management Administrator | M365 admin center, Yammer, Azure AD |

1 https://docs.microsoft.com/en-us/office365/admin/create-groups/plan-for-groups-governance

Besides creating a new Microsoft 365 Group, Administrators can also upgrade a distribution list to a
Microsoft 365 Group.

Create a new Microsoft 365 Group

Create an Office group from Microsoft 365 admin center


1. In the admin center, on the left navigation pane, select Groups, and then choose Groups.
2. On the Groups page, select Add a group.
3. On the New group page, from the Type menu, select Office 365.
4. In the Name field, type a name for the group.
5. In the Group email address field, type an email address for the group, for example
SalesDepartment@contoso.com and optionally enter a description in the Description field.
6. From the Privacy drop-down menu, choose Private or Public.
7. Under Owner section, select Select owner, then choose the user who will be the owner of the group,
and then select Add.
Once the group is created, it will appear in Outlook with members assigned to it.

Create an Office group from PowerShell


To create a Microsoft 365 Group with PowerShell, use the New-UnifiedGroup cmdlet when connected to
Exchange Online. For example, to create a new Microsoft 365 Group with the name “Sales Department” and
the alias Salesdepartment, run the following cmdlet:
New-UnifiedGroup -DisplayName "Sales Department" -Alias Salesdepartment

Upgrade a distribution list to a Microsoft 365 Group


Distribution lists have a long history in messaging for organizing people into groups to facilitate
communication and collaboration. But distribution lists are limited to email messages, and available in
SharePoint for distribution only. Turning a Distribution List into a Microsoft 365 Group adds additional
collaboration capabilities for users. It also has the benefit of keeping permissions and membership intact
instead of creating a new group that you must add to your Access Control.
Note: If you upgrade distribution lists to a Microsoft 365 Group, existing users will not receive a welcome
mail when joining this group.

Upgrade a distribution list from Exchange Admin center


To upgrade a distribution list to a Microsoft 365 Group, you need to log in to the Exchange admin center
as an administrator such as Office 365 global admin or Exchange admin and follow these steps:
1. Go to the Exchange admin center.
2. In the Exchange admin center, go to Recipients > Groups.

You'll see a notice indicating you have distribution lists (also called distribution groups) that are
eligible to be upgraded to Microsoft 365 Groups.


3. Select one or more distribution lists (also called a distribution group) from the groups page.


4. Select the upgrade icon.


5. On the information dialog, select Yes to confirm the upgrade. The process begins immediately.
Depending on the size and number of DLs, the process can take several minutes or up to some hours.
If the distribution list can't be upgraded, a dialog appears with a notification.
6. If you are upgrading multiple distribution lists, use the drop-down list to filter which distribution lists
have been upgraded. If the list isn't complete, wait a while longer and then select Refresh to see
what's been successfully upgraded.

There's no notice that tells you when the upgrade process has completed for all DLs you selected. You
can figure this out by looking to see what's listed under Available for upgrade or Upgraded DLs.
7. If you selected a DL for upgrade, but it still appears on the page as Available to upgrade, then it failed
to upgrade. If the upgrade of a list fails, it will remain as a distribution list without having any impact
on the list.

Upgrade a distribution list from PowerShell


You can also use PowerShell to upgrade distribution lists. For this you must connect your PowerShell to
Exchange Online or install the Exchange Online module.
To upgrade one or more distribution lists, run the Upgrade-DistributionGroup cmdlet. As an
alternative, you can also run New-UnifiedGroup cmdlet to convert a single distribution group. For
example, if you want to upgrade two distribution lists with SMTP address marketing-dl@contoso.com
and finance-dl@contoso.com, run the following command:
Upgrade-DistributionGroup -DlIdentities marketing-dl@contoso.com, finance-dl@contoso.com

To upgrade all distribution lists possible, you need to use the Get-EligibleDistributionGroupForMigration
cmdlet. The following script upgrades all eligible distribution lists to Microsoft 365 Groups by looping
through the results of that cmdlet:
Get-EligibleDistributionGroupForMigration | Foreach-Object{Upgrade-DistributionGroup -DlIdentities $_.PrimarySMTPAddress}

A distribution list will not be eligible for an upgrade if it fulfills any of the following criteria:

| Property | Eligible? |
|---|---|
| On-premises managed distribution list. | No |
| Nested distribution lists. Distribution list either has child groups or is a member of another group. | No |
| Distribution lists with member RecipientTypeDetails other than UserMailbox, SharedMailbox, TeamMailbox, MailUser | No |
| Distribution list which has more than 100 owners | No |
| Distribution list which only has members but no owner | No |
| Distribution list which has alias containing special characters | No |
| If the distribution list is configured to be a forwarding address for Shared Mailbox | No |
| If the DL is part of Sender Restriction in another DL. | No |
| Security groups | No |
| Dynamic Distribution lists | No |
| Distribution lists which were converted to RoomLists | No |
| Distribution lists where MemberJoinRestriction and/or MemberDepartRestriction is Closed | No |

Manage a Microsoft 365 Group


After the group has been created, administrators can add members and configure additional settings.
Also, users can add themselves or request approval for membership.
1. In the Microsoft 365 admin center, on the Groups page, select the group that you want to configure.
2. On the selected group page, you can edit the settings, such as managing members and owners,
changing group privacy, changing email sending permissions, or creating a team from the group.


To manage a Microsoft 365 Group with PowerShell, use the Set-UnifiedGroup cmdlet. For example, to
configure the “Sales Department” group to receive mail from unauthenticated (external) senders, run the
following cmdlet:
# -Identity selects the group to change; -DisplayName would instead set a new display name.
Set-UnifiedGroup -Identity "Sales Department" -RequireSenderAuthenticationEnabled $false

Strategies for Microsoft 365 Groups creation


Organizations may have specific requirements about who can create Microsoft 365 Groups. The following
table lists the advantages of the different provisioning models:

| Model | Advantages | When to use |
|---|---|---|
| Open (default) | Users can create their own groups as needed | Most common if you do not want to restrict group creation in any way. |
| IT-led | Users can request a group from IT department, which will lead them in selecting the best collaboration tools for their needs | Very often done in large enterprises to control group creation centrally, and maybe add additional information such as internal back-charging numbers to charge for each group. |
| Controlled | Group creation restricted to specific people, teams or services | An ideal approach to prevent uncontrolled group creation by users without being as restrictive as the IT-led model. For example, each department can decide on their own how to handle group creation. |

Restrict creation of teams by modifying group creation permissions

You can restrict Microsoft 365 Group creation, for example to the members of a particular security group.
To restrict the creation of new teams, you need to modify the Microsoft 365 Groups creation permissions,
since all teams are based on Microsoft 365 Groups. This does not hide the option for creating a new
team from the Teams client, but the process will fail for everyone who isn’t allowed to create new
Microsoft 365 Groups.
If you want to restrict the creation of new Teams to a subset of users, you need to create a security group
and use the AzureAD PowerShell module to modify the AzureAD Directory Settings on a tenant basis. If
you run the following script in your environment, you will stop users from creating new Microsoft 365
Groups unless they are a member of the security group you specified in the first line of the script.
The script will perform the following actions:
1. Run Connect-AzureAD to connect to Azure AD PowerShell.
2. Get the ObjectID of the Directory Setting for Microsoft 365 Groups (unified groups) using
Get-AzureADDirectorySetting.
3. Use New-AzureADDirectorySetting to create the setting from a template if it does not exist.
4. Use Set-AzureADDirectorySetting to set the EnableGroupCreation setting to false and
block the creation of Microsoft 365 Groups.
5. Allow a specific Security group to override the group creation restriction by modifying the Setting
before applying it.
6. Display the results of the change.


# Name of the security group whose members may still create groups.
$GroupName = "<SecurityGroupName>"
$AllowGroupCreation = "False"

Connect-AzureAD

# Look up the tenant-wide "Group.Unified" directory setting.
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

# Create the setting from its template if the tenant does not have one yet.
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if($GroupName)
{
    # -SearchString is a search, so make sure the name resolves to exactly one group.
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}

# Apply the modified setting and display the result.
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

For additional information see Manage creation of Groups 2

Configure Microsoft 365 Groups classification


When creating Microsoft 365 Groups, you might want to add information about the group's purpose. For
example, you might want to inform users what type of documents are stored within the group. This type
of group functionality is called group classification.
You can configure group classification so that when users in your company create a group, they can
choose a classification. For example, when the user creates a group, the user can choose from
classifications such as “Standard”, “Internal”, and “Confidential”. Group classifications do not exist by default.

2 https://docs.microsoft.com/en-au/office365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide

Administrators will need to create the group classifications so that users can use them when they create a
group.

Enable and configure Microsoft 365 Group Classifications


Before users can use classifications on Microsoft 365 Groups, an administrator needs to define the
classifications by using Azure Active Directory PowerShell3 cmdlet.
To install the latest version of AzureADPreview, use the following cmdlets:
# Uninstall any previous version of AzureADPreview.
Uninstall-Module AzureADPreview
Uninstall-Module azuread

# Install the latest version of AzureADPreview.
Install-Module AzureADPreview

To define the classifications “Standard, Internal, Confidential”, use the following cmdlets:
$Template = Get-AzureADDirectorySettingTemplate | Where {$_.DisplayName -eq "Group.Unified"}

# Reuse the existing Group.Unified setting, or build a new one from the template.
if (!($Setting = Get-AzureADDirectorySetting | Where {$_.TemplateId -eq $Template.Id})) {$Setting = $Template.CreateDirectorySetting()}

$Setting["ClassificationList"] = "Standard, Internal, Confidential"

Next, you should associate a description to each classification by using the settings attribute
ClassificationDescriptions, where Classification should match the strings in the ClassificationList.
For example, to add a description to the classifications Low Impact, Medium Impact and High Impact, run
the following cmdlet:
$Setting["ClassificationDescriptions"] = "Standard: General communication, Internal: Company internal data, Confidential: Data that has regulatory requirements"

To verify that the classification configuration is added correctly, display $Setting.Values.

3 https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-settings-cmdlets

To save the setting to Azure AD and make sure they can be used by your users, you need to run the
following cmdlet:
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

Note: It might take up to one hour until the classification settings are available for all users.
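Before saving the Group.Unified setting, it helps to check that the creation restriction and the classification strings are consistent with each other. The function below is an added example, not part of the course material; Test-GroupUnifiedSetting and the sample values are hypothetical, and the rule that each description is written as "Name: text" and separated by commas is taken from the commands above.

```powershell
# Added example (not from the course): offline consistency check for the
# "Group.Unified" directory setting values discussed above.
function Test-GroupUnifiedSetting {
    param([Parameter(Mandatory)] [hashtable] $Values)

    $findings = [System.Collections.Generic.List[string]]::new()

    # --- Who may create groups (and therefore teams) ---
    $enabled   = "$($Values['EnableGroupCreation'])".Trim()
    $allowedId = "$($Values['GroupCreationAllowedGroupId'])".Trim()
    $parsed    = [guid]::Empty

    if ($enabled -ieq 'true') {
        $findings.Add('EnableGroupCreation is true: every user can create groups and teams.')
    }
    elseif (-not $allowedId) {
        $findings.Add('Creation is restricted and GroupCreationAllowedGroupId is empty: only administrators can create groups.')
    }
    elseif (-not [guid]::TryParse($allowedId, [ref]$parsed)) {
        # A value that is not one GUID cannot identify a single security group.
        $findings.Add("GroupCreationAllowedGroupId '$allowedId' is not a single object ID.")
    }

    # --- Classification names must match between list and descriptions ---
    $list = @("$($Values['ClassificationList'])" -split ',' |
              ForEach-Object { $_.Trim() } | Where-Object { $_ })

    $described = @()
    foreach ($pair in ("$($Values['ClassificationDescriptions'])" -split ',')) {
        if (-not $pair.Trim()) { continue }
        $name, $text = $pair -split ':', 2
        if ($null -eq $text) {
            # A comma inside a description splits it into a fragment without "Name:".
            $findings.Add("Description fragment '$($pair.Trim())' has no 'Name:' prefix.")
            continue
        }
        $described += $name.Trim()
    }

    foreach ($name in $described) {
        if ($list -notcontains $name) {
            $findings.Add("Description given for '$name', which is not in ClassificationList.")
        }
    }
    foreach ($name in $list) {
        if ($described -notcontains $name) {
            $findings.Add("Classification '$name' has no description.")
        }
    }

    $findings
}

# Constructed sample values. On a live tenant, build the table from the setting instead:
#   $Values = @{}; $Setting.Values | ForEach-Object { $Values[$_.Name] = $_.Value }
$sample = @{
    EnableGroupCreation         = 'False'
    GroupCreationAllowedGroupId = ''
    ClassificationList          = 'Standard, Internal, Confidential'
    ClassificationDescriptions  = 'Standard: General communication, Internal: Company internal data, High Impact: Data that has regulatory requirements'
}

Test-GroupUnifiedSetting -Values $sample
```

An empty result means the values are consistent; each returned string names one mismatch to resolve before running Set-AzureADDirectorySetting.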

Configure Classifications from Outlook and Teams client


Once Microsoft 365 Group classifications have been enabled, you can configure the classification to a
group from Outlook or Teams client as in the following image:

Configure Classifications on Microsoft 365 Groups using PowerShell

To set a classification on a Microsoft 365 Group, use the Set-UnifiedGroup cmdlet with the
-Classification parameter. For example, to set a “Confidential” classification on the group
SecretData@contoso.com, run the following cmdlet in Exchange Online:
Set-UnifiedGroup "SecretData@contoso.com" -Classification "Confidential"

You can also create a group and assign a classification at the moment of the group creation. For example,
to create a new private group named ResearchDepartment@contoso.com with a classification Internal, run
the following cmdlet:
New-UnifiedGroup "ResearchDepartment@contoso.com" -Classification "Internal" -AccessType "Private"

Note: For more information about required Azure AD PowerShell modules to create classification lists,
please refer to Azure Active Directory cmdlets for configuring group settings4.

Configure Microsoft 365 Groups expiration policy

People in organizations typically work on different projects and collaborate with different departments, so it
is common that users are added to many Microsoft 365 Groups (formerly Office 365 Groups). Sometimes
the projects are finished, but the Microsoft 365 Groups still exist. Administrators and
users therefore need a way to clean up the unused groups. The best solution for this is to set an expiration
policy, which helps to remove inactive groups from the system.
Expiration is turned off by default; administrators have to enable the feature in their tenants and
specify an expiration period for a group.
When a group approaches expiration, an email notification will be sent to the group owners in case renewal is
needed for an additional period. If the group is not renewed, the group will be deleted automatically. If
the administrator changes the expiration policy, the Office 365 expiration period will be recalculated for
the groups.
It is very important to know that when a group expires, all of the group's associated content will be deleted,
including Outlook, Planner, and SharePoint. However, there is an option to recover content for up to 30
days from the expiration date.
Please see the following steps to configure the Microsoft 365 Group expiration policy:
1. Sign-in to Azure AD Admin Center as a global administrator.
2. On the left pane select Groups section, and then select Expiration to open the expiration settings.


3. Next, on the Expiration page, you can specify:
●● Group lifetime (in days) - Set the group lifetime in days with the default of 180, 365 or custom.
The custom setting requires a lifetime of at least 30 days.

4 https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-settings-cmdlets

●● Email contact for groups with no owners - Specify an email address where the renewal and
expiration notifications should be sent when a group has no owner. If the group does not have an
owner, the expiration emails will go to a specified administrator.
●● Enable expiration for these Microsoft 365 Group (All, Selected, None) – Select the Microsoft
365 Groups for which you would like to configure this expiration policy. Depending on your preferences, you
can set the policy for all of the groups within your company, for selected groups only, or you can
turn it off entirely by selecting None.
4. To finish the configuration, select the Save button.

Who can configure and use the Microsoft 365 Groups expiration policy?
Group expiration is a feature that is included in an Azure AD Premium subscription. This license is
required for the administrator who needs to configure the settings and the members of the affected
groups – they all need to have Azure AD Premium licenses assigned to them.
There are two types of roles within a company which have different privileges when it comes to expiration
policies:

| Role | What they can do |
|---|---|
| Office 365 global admin, User administrator | Create, read, update, or delete the Microsoft 365 Groups expiration policy settings. |
| User | Renew or restore a Microsoft 365 Group that they own |

How expiration works with the retention policy


If you have set up a retention policy in the Microsoft 365 Security and Compliance center for groups,
the expiration policy works in alignment with the retention policy. When a group expires, the group's
conversations in Outlook and files in SharePoint Online are retained in the retention container for the specific
number of days defined in the retention policy. However, users will not see the group or its content
after expiration.

Notification on a Groups expiration


When a group is about to expire, the group owner(s) will be notified by email only, no
matter whether the group was created via Planner, SharePoint, or any other app. The expiration notifications will
always be sent by email. If the group was created via Teams, the group owner will receive a notification to
renew through the activity section in the Microsoft Teams application. The timeline of the notifications is:
30 days before the group expires, and if it is not renewed, another renewal email will be sent 15 days
before the expiration. In case it is still not renewed, one more email notification will be sent the day
before the expiration.
If no one renews the group before it expires, it will be deleted, but the administrator will still be able to
restore the group in the next 30 days after the expiration date. The permissions required to restore a
group can be any of the following:

| Role | Permissions |
|---|---|
| Global administrator, Group administrator, Partner Tier2 support, and Intune administrator | Can restore any deleted Microsoft 365 Group |
| User administrator and Partner Tier1 support | Can restore any deleted Microsoft 365 Group except those groups assigned to the Company Administrator role |
| User | Can restore any deleted Microsoft 365 Group that they own |
For additional information, please refer to:
●● Configure the expiration policy for Microsoft 365 Groups5
●● Restore a deleted Microsoft 365 Group in Azure Active Directory6

Configure Microsoft 365 Groups naming policy


Organizations can use a group naming policy to enforce a consistent naming strategy for groups created
by users. A naming policy can help users identify the function of the group, membership, geographic
region, or the person who created the group. The naming policy is applied to groups that are created
across all Office 365 apps, such as Outlook, Teams, SharePoint, Planner, Yammer, and it applies for the
group name and group alias, as well.
The group naming policy consists of the following features:
●● Prefix-Suffix naming policy. You can use prefixes or suffixes to define the naming convention of
groups. For example, if you configure “GRP” as prefix, this will create the Marketing group as “GRP
Marketing”.
●● Custom Blocked Words. You can also specify a variety of words that will be blocked in groups
created by users, such as GM, Billings, Payments, HR.

Prefix-Suffix Naming policy


Prefixes and suffixes can either be fixed strings or user attributes.
●● Fixed Strings: When using fixed strings, it is recommended that you use short strings that will help
differentiate groups in the Global Address List (GAL). Some of the frequently used prefixes and suffixes
are keywords such as ‘Grp_Name’, ‘#Name’, ‘_Name’.
●● Attributes: You can use attributes that help identify which user created the group,
like [Department], and where it was created from, like [Country].
For example, a naming policy = “GRP [GroupName] [Department]” will result in the following if the group
is named “My Group” and the user's department is “Engineering”:
“GRP My Group Engineering”
Supported Azure Active Directory (Azure AD) attributes are [Department], [Company], [Office],
[StateOrProvince], [CountryOrRegion], [Title]. Unsupported user attributes are considered as fixed strings, e.g.
“[postalCode]”. Also, extension attributes and custom attributes aren't supported.
It's recommended that you use attributes that have values filled in for all users in your organization and
don't use attributes that have longer values.

5 https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-lifecycle
6 https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-restore-deleted
There are things you need to be aware of:
●● The total prefixes and suffixes string length is restricted to a maximum of 53 characters.
●● Prefixes and suffixes can contain special characters in the group name (and group alias), and if they
contain special characters that are not allowed in the group name they will be removed and applied
to the group alias. As a result, the group prefixes and suffixes will be different from
the ones applied to the group alias.
●● If you are using Yammer Office 365 connected groups, avoid using the following characters in your
naming policy: @, #, [, ], <, and >. If these characters are in the naming policy, regular Yammer users
will not be able to create groups.

Custom Blocked Words


You can use custom blocked words to prevent users from using them when creating a group. You
may list several blocked words, which need to be separated by a comma between the different words. The
blocked words check is done on the user-entered group name. For example, if a user enters ‘final’ and
‘Prefix_’ is the naming policy, ‘Prefix_final’ will fail.
Sub-string search is not done, so that users can use some of the common words like ‘Pilot’ even if ‘lot’ is a
blocked word.

Configure Microsoft 365 Groups naming policy from Azure Admin Center
1. Sign in to Azure portal, select Azure AD, and under Manage section, choose Groups.
2. Under Settings section, select Naming policy.
3. Select the Group naming policy tab.
4. In Current policy section, select whether you would like to require a prefix or suffix (or both), and
select the appropriate check boxes.
5. Choose between Attribute and String.

6. When you are done setting up the required settings, click the Save button.

Configure Microsoft 365 Groups naming policy using Azure AD PowerShell

View Microsoft 365 Groups naming policy settings


To view the current naming policy settings, run the following PowerShell commands as an administrator:
# Load the Group.Unified directory setting object, then list its values
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.Values

In the output, check the following values:
●● CustomBlockedWordsList
●● EnableMSStandardBlockedWords
●● PrefixSuffixNamingRequirement
1. Get the existing directory settings from your Azure AD:
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

2. Set the group name prefixes and suffixes, for example the prefix “GRP_”:
$Setting["PrefixSuffixNamingRequirement"] ="GRP_[GroupName]"

3. To configure custom blocked words that you want to restrict, for example Payroll and CEO, run the following cmdlet:
$Setting["CustomBlockedWordsList"] = "Payroll,CEO"

4. Update the setting in Azure AD directory settings:


Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

Remove the naming policy


To remove the naming policy by using Azure AD, perform the following steps:
1. On the Naming policy page, select Delete policy.
2. After you confirm the deletion, the naming policy is removed, including all prefix-suffix naming policy
and any custom blocked words.
To remove the naming policy using Azure AD PowerShell, perform the following steps:
1. Empty the group name prefixes and suffixes in Azure AD PowerShell.
$Setting["PrefixSuffixNamingRequirement"] =""

2. Empty the custom blocked words.


$Setting["CustomBlockedWordsList"]=""

3. Save the settings.


Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

User experiences across Office 365 apps


After you create a group naming policy in Azure AD, when users create a group in an Office 365 app, they
will have the following experiences depending on the group naming policies settings:
●● Users will see a preview of the name according to your naming policy (with prefixes and suffixes) as
soon as the user types in the group name.
●● If the users enter blocked words, they will see an error message so they can remove the blocked
words.

Outlook (Outlook on the web or OWA) naming policy experience
In cases when a user decides to enter a custom blocked word in Outlook, an error message will appear in
the UI together with the blocked word which was entered, so that the user can remove it, as shown on
the example below:

Outlook Desktop experience


Groups created in Outlook desktop are compliant with naming policies, so the created naming policy will automatically apply when selecting create/edit, and users will be presented with errors if there are custom blocked words in the group name or alias.

Microsoft Teams experience


Microsoft Teams shows the naming policy when the user enters a team name, so when the user enters a
custom blocked word, an error message will appear containing the blocked word, as shown in the image
below:

Groups naming policies in PowerShell


While group naming policies automatically add the configured prefix and suffix to a group name when a group is created in the Teams client, creating new teams in PowerShell behaves differently. When you create a new team via the Microsoft Teams PowerShell module and you fail to add the prefix and suffix to the DisplayName and MailNickName parameters manually, you will receive an error message that prevents the team from being created.
For example, if the configured prefix is “Contoso” and the suffix is “Group”, you need to enter the following cmdlet parameters to create a new team called Sales without receiving an error message:

New-Team -DisplayName "ContosoSalesGroup" -MailNickName "ContosoSalesGroup"
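Because a script has to build the policy-compliant name itself, the prefix/suffix, attribute and blocked-word rules described in this lesson can be modeled offline to preview the name before calling New-Team. This is an added example, not code from the course or from Azure AD; the function name, its parameters, the word-splitting rule and the case-insensitive comparison are assumptions.

```powershell
# Added example: offline model of the naming-policy rules described on this page.
# Resolve-GroupNamePreview and its parameters are hypothetical names, not Azure AD cmdlets.
function Resolve-GroupNamePreview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Policy,      # e.g. 'GRP [GroupName] [Department]'
        [Parameter(Mandatory)] [string] $GroupName,   # the name exactly as the user typed it
        [hashtable] $UserAttributes = @{},            # attributes of the user creating the group
        [string[]]  $BlockedWords   = @()             # CustomBlockedWordsList, already split on commas
    )

    # Attributes the page lists as supported in a naming policy.
    $supported = 'Department', 'Company', 'Office', 'StateOrProvince', 'CountryOrRegion', 'Title'

    $token = '[GroupName]'
    $at = $Policy.IndexOf($token)
    if ($at -lt 0) { throw "Policy '$Policy' does not contain $token." }
    $prefix = $Policy.Substring(0, $at)
    $suffix = $Policy.Substring($at + $token.Length)

    # Rule from the page: prefixes and suffixes together are limited to 53 characters.
    # Assumption: the limit is measured on the policy template, before attribute expansion.
    $affixLength = $prefix.Length + $suffix.Length
    if ($affixLength -gt 53) {
        throw "Prefix and suffix total $affixLength characters; the maximum is 53."
    }

    # Expand supported attributes in the prefix and suffix only, never in the user-entered name.
    $missing = @()
    $parts = foreach ($part in $prefix, $suffix) {
        foreach ($name in $supported) {
            if ($part.Contains("[$name]")) {
                $value = [string]$UserAttributes[$name]
                if (-not $value) { $missing += $name }   # attribute not filled in for this user
                $part = $part.Replace("[$name]", $value)
            }
        }
        $part   # unsupported tokens such as [postalCode] stay in place as fixed strings
    }

    # Rule from the page: the blocked-word check runs on the user-entered name only and
    # matches whole words, so 'Pilot' passes even when 'lot' is blocked.
    # Assumptions: words are split on non-alphanumeric characters; comparison ignores case.
    $words = @($GroupName -split '[^\p{L}\p{Nd}]+' | Where-Object { $_ })
    $hits  = @($words | Where-Object { $BlockedWords -contains $_ })

    [pscustomobject]@{
        DisplayName       = $parts[0] + $GroupName + $parts[1]
        Allowed           = ($hits.Count -eq 0)
        BlockedWordHits   = $hits
        MissingAttributes = $missing
    }
}

# Constructed sample input: the policy and attribute values reproduce this page's
# "My Group" / "Engineering" example; the blocked words come from the PowerShell steps plus 'lot'.
$policy  = 'GRP [GroupName] [Department]'
$blocked = 'Payroll,CEO,lot' -split ','
$user    = @{ Department = 'Engineering' }

'My Group', 'Pilot', 'CEO Payroll review' | ForEach-Object {
    Resolve-GroupNamePreview -Policy $policy -GroupName $_ -UserAttributes $user -BlockedWords $blocked
} | Format-Table DisplayName, Allowed, BlockedWordHits -AutoSize
```

A non-empty MissingAttributes list flags a policy that depends on an attribute the user does not have filled in, which is the situation the attribute recommendation in this lesson is meant to avoid.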

Licensing requirements
Using Azure AD naming policy for Microsoft 365 Groups requires that you, as the administrator who creates a policy, have an Azure Active Directory Premium P1 license or Azure AD Basic EDU license assigned. Also, each unique user (including guests) who is a member of one or more Microsoft 365 Groups must have a similar license.
For additional information see Groups naming policies7.

Microsoft Teams usage reports


There are various reports in the Microsoft Teams admin center. You can run different reports to get
insights into how users in your organization are using Teams. For example, you can see how many users
communicate through channel and chat messages and the kinds of devices they use to connect to Teams.
Your organization can use the information from the reports to better understand usage patterns, help
make business decisions, and inform training and communication efforts for successful user adoption.
Here's a list of the Teams reports available in the Microsoft Teams admin center:

| Report | Description |
|---|---|
| Teams usage report | An overview of the usage activity in Teams, including the number of active users and channels, guests, and messages in each team. You can quickly see how many users across your organization are using Teams to communicate and collaborate. |
| Teams user activity report | An overview of the types of activities that users in your organization perform in Teams. |
| Teams device usage report | The information about how users connect to Teams. You can use the report to see the devices that are used across your organization, including how many use Teams from their mobile devices when on-the-go. |
| Teams live event usage report | An overview of the activity for live events held in your organization, including event status, start time, views, and production type for each event. |
| Teams PSTN blocked users report | The information about the users in your organization who are blocked from making PSTN calls in Teams. |
| Teams PSTN minute pools report | An overview of audio conferencing and calling activity in your organization by showing you the number of minutes consumed during the current month. |
| Teams PSTN usage report - Calling Plans | An overview of calling and audio conferencing activity for Calling Plans in your organization, including the number of minutes that users spent in inbound and outbound PSTN calls and the cost of these calls. |
| Teams PSTN usage report - Direct Routing | An overview of calling and audio conferencing activity for Direct Routing in your organization, including the SIP address and call start and end times. |

7 https://docs.microsoft.com/en-au/office365/admin/create-groups/groups-naming-policy?view=o365-worldwide

Access Teams reports


In order to access the Teams usage reports, you need to have one of the following roles assigned:
●● Office 365 global admin
●● Teams service admin
●● Teams communications admin
●● Skype for Business admin
Go to the Microsoft Teams admin center. In the left navigation, select Analytics & reports, and then under Report, choose the report you want to run. You can select a different Date range or different Columns to be shown in the report.

| Report | What's measured? |
|---|---|
| Teams usage report | Active users; Active users in teams and channels; Active channels; Messages; Privacy setting of teams; Guests in a team |
| Teams user activity report | 1:1 calls a user participated in; Messages a user posted in a team chat; Messages a user posted in a private chat; Last activity date of a user |
| Teams device usage report | Windows users; Mac users; iOS users; Android phone users |
| Teams live event usage report | Total views; Start time; Event status; Organizer; Presenter; Producer; Recording setting; Production type |
| Teams PSTN blocked users report | Display name; Phone number; Reason; Action type; Action date and time |
| Teams PSTN minute pools report | Country or region; Capability (license); Total minutes; Minutes used; Minutes available |
| Teams PSTN usage report - Calling Plans | Time stamp; User name; Phone number; Call type; Called to; To country or region; Called from; From country or region; Charge; Currency; Duration; Domestic/International; Call ID; Number type; Country or region; Conference ID; Capability (license) |
| Teams PSTN usage report - Direct Routing | Time stamp; Display name; SIP address; Phone number; Call type; Called to; Start time; Invite time; Failure time; End time; Duration; Number type; Media bypass; SBC FQDN; Azure region; Event type; Final SIP code; Final Microsoft subcode; Final SIP phrase; Correlation ID |
Note: The Teams reports display the data for the users and channels which have been active. For example, if a user in your organization isn't active in Teams during the date range specified for a report, data for that user will not be included in that report.

| Item | Definition |
|---|---|
| Active user | Measures the number of unique users who perform an action in Teams during the specified date range. |
| Active channel | Measures the number of channels of a team in which users perform an action during the specified date range. |

Download Teams reports


You can export the report to a CSV file for offline analysis. Select Export to Excel, and then on the
Downloads tab, select Download to download the report when it's ready.

For additional information see Teams analytics and reporting8.

Microsoft 365 usage reports


Microsoft 365 usage analytics provide you with a better view of how your organization is adopting the various services within Microsoft 365. The at-a-glance activity widget gives you a cross-product view of how users communicate and collaborate using the various services in Microsoft 365.

Microsoft 365 usage analytics content represents a dashboard that provides a cross-product view of the
last 7 days, 30 days, 90 days, and 180 days. Data won't exist for all reporting periods right away. The
reports become available within 48 hours.

Microsoft 365 usage analytics (Power BI)


Use Microsoft 365 usage analytics within Power BI to gain insights on how your organization is adopting
the various services within Microsoft 365 to communicate and collaborate. You can visualize and analyze
Microsoft 365 usage data, create custom reports and share the insights within your organization and gain
insights into how specific regions or departments are utilizing Microsoft 365. Microsoft 365 usage
analytics within Power BI contain the following reports:
●● Executive summary
●● Overview
●● Activation and licensing
●● Product usage
●● User activity

8 https://docs.microsoft.com/en-us/microsoftteams/teams-analytics-and-reports/teams-reporting-reference

Executive summary
The executive summary section provides an insight into how the services are being used, based on all the
users who have been enabled and users which are active. The information which is included in the report
refers to the latest complete month.
The executive summary offers an easy and quick understanding of the usage patterns in Microsoft 365, as
well as how and where your employees are collaborating.

Overview
The Overview section contains multiple types of reports, including:
●● Adoption – provides insight into the adoption trends. This report contains information about how many users are enabled and how many users within the company are actively using Microsoft 365, as well as how many users are using the product for the first time.
●● Usage – provides information about the number of active users and the key activities for each product for the last 12 months.
●● Communication – provides information regarding Teams, Yammer, email, or Skype calls usage, so you can follow which tools your employees prefer.
●● Collaboration – provides information on OneDrive and SharePoint usage, and shows the way users in your company prefer to store documents and collaborate with each other, and how these trends evolve each month. In this section you can also follow how many documents are shared in or outside your organization, as well as how many SharePoint sites or OneDrive accounts are actively being used.
●● Storage – provides a report to track cloud storage for mailboxes, OneDrive, and SharePoint sites.
●● Mobility – provides information regarding the clients and devices which people are using to connect to email, Teams, Skype for Business, or Yammer.

Activation and licensing


This section provides reports on Microsoft 365 activation. The reports show how many licenses have been assigned by your company and how many users have downloaded and activated Office apps.
●● Activation – provides information about the service plan (for example, Microsoft 365 Apps for
enterprise, Project, and Visio) activations in the company. Reports in this section provide information
about the devices on which people have installed Office apps. However, to activate a plan, the users
have to install the app and sign in with their account.
●● Licensing – report contains information about the types of license, number of users who were
assigned each license, and the license assignment distribution for each month.

Product usage
The Product usage report provides you with a detailed and separate report for each Microsoft 365 service (including Exchange, Microsoft 365 groups, OneDrive, SharePoint, Skype for Business, Teams, and Yammer). Every report contains information on total enabled vs. total active users, counts of the number of mailboxes, sites, groups, and accounts, as well as activity type reports where appropriate.

User activity
These reports are available only for some individual services and provide user-level detail usage data
joined with Active Directory attributes. Here, the Department Adoption report enables you to filter by
separate Active Directory attributes, so that you can easily view the active users across all individual
services, for the latest complete month.

Teams activity reports in the Microsoft 365 admin center


You can use activity reports in the Microsoft 365 admin center to see how users in your organization are
using Microsoft Teams. For example, if some don't use Microsoft Teams yet, they might not know how to
get started or understand how they can use Teams to be more productive and collaborative. Your
organization can use the activity reports to decide where to prioritize training and communication efforts.
To view the activity reports, you will need one of the following permissions:
●● Global admin role
●● Product-specific admin role (Exchange, Skype for Business, or SharePoint)
●● Reports reader role
The following are steps to see the Microsoft Teams reports in Microsoft 365 admin center:
1. In the Microsoft 365 admin center, select Reports > Usage.
2. On the Usage page, choose Select a report, and then under Microsoft Teams in the list of reports,
choose the report you want to view.
There are currently two activity reports you can view:
●● Microsoft Teams device usage report
●● Microsoft Teams user activity report

| Report | Description |
|---|---|
| Microsoft Teams user activity report | The Teams user activity report gives you a view of the most common activities that your users perform in Teams. This includes how many people engage in a chat in a channel, how many communicate via private chat message, and how many participate in calls or meetings. You can see this information for your whole organization, as well as for each individual user. |
| Microsoft Teams device usage report | The Teams device usage report provides you with information about how your users connect to Teams, including mobile apps. The report helps you understand which devices are popular in your organization and how many users work on the go. |

View usage information for a specific user


The service reports can help the administrator get a clear view of how much a specific user is using the service (for example, to find out how much mailbox storage a specific user has consumed, open the Mailbox usage report).
If you would like to review a large number of users, you can export the report to Excel, which will allow you to filter the list and display detailed results.

What happens to usage data when a user account is deleted?
If you delete a user account, Microsoft will delete the user's usage data within 30 days. Deleted user data
will still be included in the Activity chart totals for the periods in which he/she was active, however the
information about the user will not appear in the User Details table. Also, when you select a date (up to
28 days from the current date), the report will show the user's usage for that day in the User Details table.
For additional information see Microsoft 365 usage reports9.

9 https://docs.microsoft.com/en-us/office365/admin/activity-reports/activity-reports?view=o365-worldwide

Implement Security for Microsoft Teams


Lesson Introduction
Microsoft Teams is the hub for teamwork. Confidential information can be exchanged between the team
members. Applying, managing, and administering the security features of Microsoft Teams is crucial for
deploying a secured collaboration environment.
In this lesson you will learn how to manage Microsoft Teams security through the Microsoft Teams admin
center, Security Admin Center, and PowerShell. Topics include how to add Teams admin roles to the users
within your organizations and protect from threats by using Advanced Threat Protection.
After this lesson, you will be able to:
●● Explain Microsoft Teams authentication.
●● Configure Conditional Access and Multi Factor Authentication (MFA) for Microsoft Teams.
●● Assign Microsoft Teams admin roles.
●● Implement Threat Management for Microsoft Teams.
●● Describe security reports and alerts for Microsoft Teams.

Microsoft Teams Authentication


Microsoft 365 includes multiple technologies that provide security and user identity protection. There are
multiple tools which are built-in to Microsoft 365 services so the administrators can choose how to
protect the identity of the users using the platforms and applications.

Identity models supported in Teams


Microsoft Teams supports all the identity models which are available in Office 365, including cloud
identity, synchronized identity and federated identity:

| Identity model | Description |
|---|---|
| Cloud Identity | A user is created and managed in Office 365 and stored in Azure Active Directory, and the password is verified by Azure Active Directory. |
| Synchronized Identity | The user identity is managed in an on-premises server, and the accounts and password hashes are synchronized to the cloud. The user enters the same password on-premises as they do in the cloud, and at sign-in the password is verified by Azure Active Directory. This model uses the Microsoft Azure Active Directory Connect Tool. |
| Federated Identity | A synchronized identity whose user password is verified by the on-premises identity provider. The password hash does not need to be synchronized to Azure AD, and Active Directory Federation Services (ADFS) or a third-party identity provider is used to authenticate users against the on-premises Active Directory. |

Multifactor authentication
To increase the user’s security during the Office 365 sign-in process, Microsoft Teams supports Multi-Factor Authentication (MFA), which is a two-step verification process. With MFA, after correctly entering the password, the user signing in to the Office 365 account is required to choose a second option, such as a phone call, text message, or an app notification on their smartphone, in order to verify the login. The user can sign in only after the second authentication factor has been entered correctly. Multi-Factor Authentication is supported with any Office 365 plan that includes Microsoft Teams.
There are two supported authentication methods which differ from one another by the identity model:
●● Cloud only: offers the following second factor options:
    ●● Phone Call
    ●● Text Message
    ●● Mobile App Notification
    ●● Mobile App Verification Code
●● Hybrid setup (Synchronized or Federated Identity model): offers the following second factor options:
    ●● MFA for Office 365
    ●● Azure MFA module (ADFS integrated)
    ●● Physical or virtual smart card (ADFS integrated)

Using modern authentication to sign-in to Microsoft Teams
Modern authentication is a process which provides the Teams application with verification that you have
already entered your credentials (your work email and password) on some other app in Office 365. With
this process you are not required to enter credentials again in order to start your Teams application. The
user experience may be different depending on whether you are trying to log in from a Windows or a
Mac, as well as whether your organization has enabled single-factor authentication or multi-factor
authentication.

Windows user scenario


●● When you are signed in to other Office 365 apps through your Office 365 Enterprise account and you start Microsoft Teams, you are taken directly to the app (no need to enter a password).
●● When you are not signed in to your Office 365 account anywhere else and you try to start Teams, then depending on what your organization has already set, you will need to provide single-factor authentication (SFA) or multi-factor authentication (MFA).
●● If you are signed in to a domain-joined computer and you try to start Teams, you might be asked to go through one more authentication step (depending on whether your organization requires MFA or whether your computer already requires MFA to sign in). If your computer already requires MFA to sign in, then when you open Teams, the application will automatically start.

Apple Mac user scenario


If an Apple Mac computer user tries to start Teams, the computer will not be able to use the credentials from the Office 365 Enterprise account or from any other Office 365 application. The user will be prompted for SFA or MFA (according to the company’s settings). Once the user has entered the credentials, Teams will not request sign-in again. From that point on, whenever the user is working on the same computer, the Microsoft Teams client will automatically start.

Switching accounts after completing modern authentication


If the user is working on a domain-joined computer, the user cannot switch accounts once modern authentication has been completed. If the user is not working on a domain-joined computer, account switches can be made.

Signing out of Microsoft Teams after completing modern authentication
In order to sign out of Microsoft Teams, the user can click the profile picture in the upper right corner of the application, and then select the Sign out option. Another way to sign out is to right-click the app icon in the taskbar, and then select the Sign out option. Once the user is signed out from Teams, password verification will be needed for a new sign-in.

Configure conditional access and MFA for Microsoft Teams
Organizations operate in a constantly changing security threat environment. Employees often need to access
the company resources as well as communication channels from different locations. Organizations face a
challenge with protecting the company data, and at the same time providing the employees with access
to workplace resources they need. Microsoft Teams users are accessing corporate data not only from
their PC or laptop, but also using their mobile devices.


Conditional Access policies apply actions to users who sign-in to apps from their devices depending on
multiple conditions. Conditions might include a user or group membership, IP location information,
device, application, real-time risk detection or Microsoft Cloud App Security information. You can choose
to have Microsoft Teams as a cloud application that will be managed with Conditional Access policies.
Conditional access policies that are set for these cloud apps apply to Microsoft Teams when a user
directly signs-in to Microsoft Teams - on any client. Microsoft Teams is supported separately as a cloud
app in Azure Active Directory conditional access policies. Conditional access policies that are set for the
Microsoft Teams cloud app apply to Microsoft Teams when a user signs in. However, you should also
configure correct policies on other apps like Exchange Online and SharePoint Online, because users may
still be able to access those resources directly.
Following are sample steps to create a Conditional Access policy for users in the Sales department while using Microsoft Teams, based on specified conditions:
1. Sign in to the Azure Active Directory admin center as a Global Administrator.
2. On the left pane, select All services and search for Conditional access, and then select Azure AD Conditional Access.
3. On the Conditional Access – Policies page, select New Policy.
4. In the New page, insert the following information in the corresponding fields in the sections of the left navigation menu:
●● In the field Name, type the name of the policy, for example “Sales_ConditionalAccess”.
●● In the section Assignment, configure the following settings:
    ●● Select Users and groups that you would like to apply this policy to, for example Sales group.
    ●● Select Cloud apps or actions that you would like to apply the policy to, and from the list of the apps, choose Microsoft Teams.
    ●● Select Conditions that you would like to include in the policy, such as the level of sign-in risk, device platform, physical locations, client apps and device state.
●● Choose what type of Access control you would like to deploy for the settings you configured in the Assignments section:
    ●● Select Grant to choose which controls will be enforced, such as multi-factor authentication.
    ●● Select Session if you need to configure a limited experience within a cloud app, such as app enforced restriction.
5. Enable the policy by selecting On in the Enable policy section, and then click Create.
For more information, please refer to Common Conditional Access policies10.
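The same policy can be created from PowerShell with the AzureAD module's New-AzureADMSConditionalAccessPolicy cmdlet, which also makes it easy to cover Exchange Online and SharePoint Online in the same policy, as the text above advises. This is an added example, not part of the course material; the function name, its parameters and the placeholder application IDs are assumptions, and it needs an existing Connect-AzureAD session.

```powershell
# Added example. Requires the AzureAD module and an existing Connect-AzureAD session.
# New-TeamsMfaPolicy and its parameters are hypothetical names.
function New-TeamsMfaPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $PolicyName,   # e.g. 'Sales_ConditionalAccess'
        [Parameter(Mandatory)] [string]   $GroupName,    # e.g. 'Sales'
        [Parameter(Mandatory)] [string[]] $CloudAppIds   # AppId of Microsoft Teams and any other apps to cover
    )

    # Refuse to create a second policy with the same display name.
    if (Get-AzureADMSConditionalAccessPolicy | Where-Object DisplayName -eq $PolicyName) {
        throw "A Conditional Access policy named '$PolicyName' already exists."
    }

    # Resolve exactly one group; an ambiguous name would scope the policy to the wrong users.
    $group = @(Get-AzureADGroup -SearchString $GroupName | Where-Object DisplayName -eq $GroupName)
    if ($group.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($group.Count)."
    }

    # Assignments: who (the group) and what (the cloud apps).
    $conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
    $conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    $conditions.Applications.IncludeApplications = $CloudAppIds
    $conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    $conditions.Users.IncludeGroups = $group[0].ObjectId

    # Access control: Grant, requiring multi-factor authentication.
    $grant = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
    $grant._Operator = 'OR'
    $grant.BuiltInControls = 'mfa'

    # Step 5 of the portal procedure: create the policy in the On (enabled) state.
    if ($PSCmdlet.ShouldProcess($PolicyName, 'Create Conditional Access policy')) {
        New-AzureADMSConditionalAccessPolicy -DisplayName $PolicyName -State 'Enabled' `
            -Conditions $conditions -GrantControls $grant
    }
}

# Placeholder IDs: replace with the AppId values from your own tenant before running.
# -WhatIf runs the duplicate and group checks without creating the policy.
New-TeamsMfaPolicy -PolicyName 'Sales_ConditionalAccess' -GroupName 'Sales' `
    -CloudAppIds '<Microsoft Teams AppId>', '<Exchange Online AppId>', '<SharePoint Online AppId>' -WhatIf
```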

Assign Microsoft Teams Admin roles


As a global administrator, you can access Azure Active Directory (Azure AD) and configure additional administrators who require different levels of access for managing Microsoft Teams. These administrators can manage the entire Teams implementation, or you can assign them permissions for just a segment of Microsoft Teams.

10 https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common

Overview of Teams admin roles


There are four Teams admin roles available:
●● Teams Service Administrator - Manage the Teams service, and manage and create Microsoft 365 Groups. This type of admin can access everything in the Microsoft Teams admin center and associated PowerShell controls.
●● Teams Communications Administrator - Manage calling and meetings features within the Teams
service (Manage meetings, including meeting policies, configurations, voice, including calling policies
and phone number inventory and assignment; access, monitor, and troubleshoot tenant's call quality,
view user profile page and troubleshoot user call quality problems).
●● Teams Communications Support Engineer - Troubleshoot communications issues within Teams by
using advanced tools, including Call Analytics (can view all user profile page and troubleshoot user
call quality problems) and Call Quality Dashboard (can access, monitor, and troubleshoot tenant's call
quality and reliability down to the users who are impacted by poor call quality).
●● Teams Communications Support Specialist - Troubleshoot communications issues within Teams by
using basic tools, including Call Analytics (can only view user information for the specific user being
searched for) and Call Quality Dashboard (can access, monitor, and troubleshoot tenant's call quality
and reliability).
You can assign Teams admin roles by using Azure AD or PowerShell. The Global Admin role is needed to
assign Teams admin roles to users.

Assign Teams admin roles in Microsoft 365 admin center


To assign Teams admin roles in the Microsoft 365 admin center, you will need to perform the following
steps:
1. Sign-in to the Microsoft 365 admin center using a Global administrator account.
2. Select Users, and then select Active users.
3. Search for a user and then select the user getting the role assignment.
4. On the user page, under Roles section, select Manage Roles.
5. Select Show all.

6. Select the role to assign to the user (for example, Teams Communications Administrator), and then
select Save changes.

You can also assign admin roles in Microsoft 365 admin center by selecting Roles in the left navigation pane, and then selecting the appropriate admin role, for example Teams communications support engineer. On the Teams communications support engineer page, select Assigned admins, and add the users you want to assign the role.

Assign Teams admin roles in Azure AD


To assign Teams admin roles in Azure AD, you will need to perform following steps:
1. Sign-in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Users.
3. Search for a user and then select the user getting the role assignment.
4. On the user page, select Assigned Roles, select Add assignment.
5. In the Directory role page, in the search box, type Teams.
6. Select the role to assign to the user (for example, Teams Service Administrator), and then select
Add.

7. The Teams Service Administrator role is assigned to the user and it appears on the user’s Assigned
roles page.

Assign admin roles with Office 365 PowerShell


Use Office 365 PowerShell to assign admin roles when you want to automate the assignment process
or need to perform bulk assignments in Azure AD. You can assign admin roles with Office
365 PowerShell by using the Azure Active Directory PowerShell for Graph module or the Microsoft Azure Active
Directory Module for Windows PowerShell.
Note: At the moment of writing this course, the Azure Active Directory PowerShell for Graph module
does not completely replace the functionality in the cmdlets of Microsoft Azure Active Directory Module
for Windows PowerShell module.

Assign an Admin role using Azure Active Directory PowerShell
To assign an admin role, you need to run the Add-AzureADDirectoryRoleMember cmdlet in the Azure Active
Directory PowerShell for Graph module in Windows PowerShell. For example, if you want to assign
LynneR@contoso.com the admin role Teams Service Administrator, run the following cmdlets:
# Requires the AzureAD module and a session opened with Connect-AzureAD.
$userName = "LynneR@contoso.com"
$roleName = "Teams Service Administrator"
# Get-AzureADDirectoryRole returns only roles that are already activated in the tenant.
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq $roleName}
# Look up the user by UPN; an unfiltered Get-AzureADUser returns only the first page of users.
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId (Get-AzureADUser -ObjectId $userName).ObjectId
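The bulk and automated case mentioned above, as an added example that is not part of the course material: it activates a role from its template when Get-AzureADDirectoryRole does not return it yet, skips users who already hold the role, and reports each outcome so the run can be reviewed afterwards. The second user, the input list and the helper function name are assumptions; the role names are the ones used in this lesson.

```powershell
# Added example. Requires the AzureAD module and a session opened with Connect-AzureAD
# by an account that is allowed to assign directory roles.

# Constructed sample input: one entry per assignment (placeholder users in contoso.com).
$assignments = @(
    [pscustomobject]@{ UserPrincipalName = 'LynneR@contoso.com'; Role = 'Teams Service Administrator' }
    [pscustomobject]@{ UserPrincipalName = 'user2@contoso.com';  Role = 'Teams Communications Administrator' }
)

# Hypothetical helper: return the activated directory role, activating it from its
# role template first if nobody in the tenant has been assigned to it yet.
function Get-OrEnableDirectoryRole {
    param([Parameter(Mandatory)][string]$DisplayName)

    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate |
            Where-Object { $_.DisplayName -eq $DisplayName }
        if (-not $template) {
            throw "No directory role template named '$DisplayName'."
        }
        Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
        $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $DisplayName }
    }
    return $role
}

foreach ($item in $assignments) {
    try {
        $role = Get-OrEnableDirectoryRole -DisplayName $item.Role
        # -ObjectId accepts a UPN, so no tenant-wide user listing is needed.
        $user = Get-AzureADUser -ObjectId $item.UserPrincipalName -ErrorAction Stop

        # Adding an existing member raises an error, so check membership first.
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        if ($members.ObjectId -contains $user.ObjectId) {
            Write-Output "SKIP   $($item.UserPrincipalName) already holds '$($item.Role)'"
            continue
        }

        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
        Write-Output "ADDED  $($item.UserPrincipalName) -> '$($item.Role)'"
    }
    catch {
        # Keep going with the remaining entries and leave a record of the failure.
        Write-Warning "FAILED $($item.UserPrincipalName) / '$($item.Role)': $($_.Exception.Message)"
    }
}
```

Redirecting the output to a file gives a record of who was granted which admin role, which is useful when role assignments are reviewed later.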

At the moment of writing this course, most of the PowerShell tools for these admin roles are located in
the Skype for Business PowerShell module, and some of the cmdlets that these admin roles have access
to control shared settings that are also used for Skype for Business Online. The Skype for Business admin
role also has access to all the cmdlets in the Skype for Business PowerShell module.

For additional information see Use Microsoft Teams administrator roles to manage Teams12
13

Implementing Threat Management for Microsoft Teams
Once deployed, Microsoft Teams will become a hub for organizational
collaboration, where multiple documents will be shared and accessed. Therefore,
you must ensure that all documents that are used and shared within Microsoft
Teams are protected from potential threats, such as malware. Office 365 Advanced
Threat Protection (ATP) helps your organization protect against malicious
threats which may be posed by email messages, links (URLs) as well as through
the collaboration tools you are using. It includes threat protection policies,
reports, threat investigation and response capabilities, as well as automated
investigation and response capabilities.
To configure and assign ATP policies, you must have one of the following roles:
●● Office 365 Global Administrator.
●● Security Administrator (Azure Active Directory admin center)
You can access Office 365 ATP features in the Microsoft 365 Security portal
using the following URL - https://security.microsoft.com. In the Microsoft 365
Security portal, from the left navigation pane, select Policies, and then
select ATP Safe attachments (Office 365).

12 https://docs.microsoft.com/en-us/microsoftteams/using-admin-roles
13 https://docs.microsoft.com/en-us/microsoftteams/manage-teams-skypeforbusiness-admin-center

How ATP works


Office 365 Advanced Threat Protection (ATP) provides the users within your
company with a safe environment for collaboration and communication and helps
detect and block malicious files in team sites and document
libraries.
If a document that is stored in Microsoft Teams, SharePoint Online or OneDrive
for Business has been identified as malicious, ATP works directly with the file
stores to lock the file.
The image below shows an example of a malicious file detected in a library:

Even though the user can still see the blocked file in the document library and
web, mobile, or desktop applications, it cannot be opened, copied, moved, or
shared. However, the malicious file can be deleted. Mobile device experience is
shown in the example below:

Implementing ATP Safe Attachments


In order to configure ATP Safe attachments for Teams, perform the following
steps:
1. Sign in to the Microsoft 365 Security center. On the left navigation pane,
select Policies, and then select ATP safe attachments on the
dashboard.
2. On the Safe attachments page, select the following checkbox: Turn on
ATP for SharePoint, OneDrive, and Microsoft Teams.

Quarantine in ATP for Microsoft Teams


Quarantine is a section in the Security & Compliance Center, which can be
accessed through Threat management – Review – Quarantine and filter for
Content. Quarantine stores files which have been shared in Microsoft Teams,
SharePoint Online or OneDrive for Business and have been identified as
malicious.
You can then download, release, report, and delete files that are detected as
malicious by ATP from quarantine by performing the following steps:
1. In the Office 365 Security & Compliance Center, choose Threat management > Review > Quarantine,
or go directly to https://protection.office.com/quarantine.
2. In the upper left corner, change the drop-down menu from Emails to
Files. If the list of results includes too many items, use the
Filter functionality to narrow down the selection.
3. Select an item in the list to view detailed information, including the
file's URL.
4. Choose an available action:
●● Select Release file to unblock the file.
●● Select Send report to Microsoft to report the file as a false positive to Microsoft.
●● Choose Download file to investigate the file further.


●● Select Remove from quarantine to remove the file from the list of quarantined items. If you
choose this option, you must also delete the file from its respective library in SharePoint Online,
OneDrive for Business, or Microsoft Teams. This option does not unblock a file from being opened
or shared.
5. Select Close to close the details for a selected item.

Security reports and alerts for Microsoft Teams


The Microsoft 365 Security center provides reports that allow you to monitor potential security threats in
your organization. Even though threat security reports may not be directly related to Microsoft Teams,
they might alert you to suspicious activity that threatens the security of your organization.
The Microsoft 365 security center contains a dashboard that displays reports from different sources, including
the following categories:


●● Identities. This category of reports provides data from Azure AD Risky Users report and Global Azure
AD admin roles. Reports are related to Microsoft Teams because of sign-in activity to Microsoft Teams
from different types of devices.
●● Data. This category of reports provides data from multiple sources, such as users with the most
shared files, DLP policy matches, false positives and overrides. Reports are related to Teams because
of data shared and accessed by Teams users.
●● Devices. This category of reports provides data from Microsoft Intune on devices at risk, device threat
analytics, device compliance, malware on devices and users with malware detection. Reports are
related to Microsoft Teams because of large numbers of mobile devices where Teams is installed.
●● Apps. This category of reports provides data from Cloud App Security on threats from different apps,
such as privileged OAuth apps, suspicious admin activity, impersonations and cloud activity geographical
locations. Reports are related to Microsoft Teams because of different apps that are integrated
with Teams.
Files that are identified as malicious in Microsoft Teams will show up in the Microsoft Security and
Compliance center, in reports for Office 365 Advanced Threat Protection, in Explorer and real-time
detections.
To view the report for malicious files in Microsoft Teams, sign in to the Microsoft Security and Compliance
center using the following URL: https://protection.office.com. Then go to Reports and select Dashboard.
ATP contains multiple reports including the following that are relevant to Microsoft Teams:


●● Threat Protection Status report - contains a single view about malicious content and malicious
email detected and blocked by Exchange Online Protection (EOP) as well as Office 365 ATP. This
report can display detections from events up to 90 days.
●● Explorer is a near real-time tool used to investigate and respond to threats in Office 365. Explorer
displays information about suspected malware and phish in email and files in Office 365, as well as
other security threats and risks to your organization.

View the Threat Protection Status report with information about detected files
To view status and detailed information about files that were detected by Office 365 ATP, you can use the
Threat Protection Status report by performing the following steps:
1. In the Office 365 Security & Compliance Center, choose Reports > Dashboard > Threat Protection
Status.
2. In the upper right corner of the report, choose View details table.
3. View the list of files that were detected in the report.
4. Select an item in the list to view detailed information, including actions taken, the file name, the file
path, and more.
5. Choose the Advanced Analysis tab to view information, such as observed behavior and analysis
details.

View Explorer with information about detected files


To view the status and detailed information about files that were detected by Office 365 ATP, you can use
Explorer by performing the following steps:


1. In the Office 365 Security & Compliance Center, choose Threat Management > Explorer.
2. In the upper right corner of the report, next to View, choose Malware under the Content menu.
3. View the list of files that were detected in the report.
4. Select an item in the list to view detailed information, including actions taken, the file name, the file
path, and more.
5. Choose the Advanced Analysis tab to view information, such as observed behavior and analysis
details.

Set up alerts for malware files


Security admins can create alert policies that will inform them when a shared document in SharePoint
Online, OneDrive for Business, or Microsoft Teams has been identified as malicious. To create an alert
policy, perform the following steps:


1. Sign in to the Office 365 Security & Compliance Center, and from the left navigation pane, select
Alerts and then choose Alert policies.
2. Select New alert policy, and on the Name your alert page, specify the policy name, choose a severity
level, for example High, and choose a category, for example Threat Management.
3. On the Create alert settings page, choose the alert activity, for example Detected malware in file, and
choose the alert activity threshold, for example Every time an activity matches the rule.
4. On the Set your recipients page, enter the email address of the security admin who will be responsible
for receiving and reviewing the alerts.

Implement Compliance for Microsoft Teams


Lesson Introduction
Organizations of all industry types all over the world must follow different legal and regulatory business
requirements. For example, some countries require companies to store their business data for a certain
amount of time and protect tax relevant data against accidental or intended deletion. Other regulatory
requirements need companies of certain industries to store medical and health data for a certain time. All
companies that are located in Europe or that have any business relations to countries in the European
Union (EU), need to comply with the requirements of the General Data Protection Regulation (GDPR).
To help organizations follow all the compliance requirements they face, Microsoft 365 offers an expansive set of
tools and configurations to comply with business requirements in the best way for each organization.
In this lesson you will learn how to create, add and manage retention policies and labels, create discovery
cases and set alerts for Microsoft Teams in order to protect the sensitive business data and personally
identifiable information (PII) in the organization.
After this lesson, you will be able to:
●● Describe how unified labeling works and how to configure them.
●● Describe how to create retention policies.
●● Generate Data Loss Prevention policies to protect against data leakage.
●● Create and manage eDiscovery cases and supervision policies.
●● Configure supervision policies for reviewing communication.
●● Activate the scoped directory search in Teams.
●● Manage data subject request cases in context of GDPR.
●● Describe how information barrier policies work and how to create them.
●● Configure alert policies for events in Microsoft Teams.

Create and manage labels


In today’s modern workplace, most organizations use email, chat services, collaboration tools, and storage
platforms to share information and documentation inside and outside the organization. As a result, data
is no longer located behind a perimeter firewall; it flows everywhere, across devices, apps, and
services. This open collaboration approach adds additional challenges to protect the sensitive business
data in files and to follow the various legal and regulatory requirements that force companies to retain
data for certain lengths of time or to delete it after it is not required for any business use.
Microsoft 365 addresses these challenges with sensitivity and retention labels, and a unified labeling
strategy that combines these independent features into a unified solution.

Sensitivity Labels
Sensitivity labels can help the users to classify documents and protect the sensitive content in the files.
The sensitivity labels enable data classification across the company and enforce protection based on that
classification, which helps users take the right actions on the right content and prevent the unwanted
leaking of information outside the organization.
Sensitivity labels are based on the Rights Management Services (RMS) available in Azure (Azure RMS) and
on-premises (AD RMS). Sensitivity labels are used to classify and protect documents with encryption and
central management capabilities to monitor access and even revoke access to documents, even when
they have left their own organization and perimeter of administrative access.
Sensitivity labels can be applied manually by end-users or automatically based on search patterns, when
processed by services such as mail flow rules in Exchange Online and in workflows.
In short, sensitivity labels protect the content of a document, even if the storage on which the data is
saved is open for collaboration with external participants.

Retention labels
In some organizational working environments, files contain data that needs different actions (in order to
comply with industry regulations and internal policies). For example, you might store invoices that you
need to retain for a certain period, or press materials that need to be permanently deleted when they
reach a certain age. In these cases, retention policies in Office 365 are used to classify the content
and enforce that it is automatically deleted or preserved after a certain period.
Retention policies allow you to enforce retention and deletion rules to whole storage locations, such as
Exchange mailboxes, SharePoint site collections or Teams and some entities within these locations. For
example, you can create a retention policy that retains the content of several teams for 7 years, if certain
keywords are found or data loss prevention policies (DLP) patterns match to stored data.
Another approach is achieved by using retention labels. Scoping retention to files and applying labels to
them also allows you to enforce retention and deletion based on events. For example, when you need to
retain all data of employees that leave your organization for 10 years, you can create a retention label
that retains all data for 10 years and trigger an event to act on all data of a user when they leave the
organization.
Unified labeling describes the centralized management of labels that can have retention and sensitivity
settings applied.
Note: Any item can have both a sensitivity label and a retention label applied.

Permissions
If you need additional users within your organization to be able to create and manage sensitivity labels,
they will require permissions in order to access the Microsoft 365 compliance center, Microsoft 365
security center, or Office 365 Security & Compliance Center. The tenant admin will have access by default
to these admin centers and can give compliance officers and other people access without giving them all
the permissions of a tenant admin. In order to do so, it is recommended that you go to the Permissions
page of one of these admin centers, and then add members to the Compliance Administrator or
Security Administrator role group. These permissions are required only to create and apply labels and a
label policy. Policy enforcement does not require access to the content.

Create labels
You can create and manage both sensitivity and retention labels in the Office 365 Security & Compliance
Center (Classification), the Microsoft 365 compliance center (Information protection, Records management
and Information governance), and the Microsoft 365 security center.
Note: Because managing sensitivity and retention labels in the Microsoft 365 compliance center and
Microsoft 365 security center is still in preview and being migrated from the Security & Compliance
Center into both independent centers, this course will focus on the currently recommended way of
managing labels in the Security & Compliance Center.
When creating labels in a production environment, you should consider these high-level steps:
1. Define the labels – Pick a fitting name that describes its purpose.
2. Define what each label can do – Information, protection, retention or deletion?
3. Define who gets the labels – Departments, project teams, single users?
After creating and configuring labels, you need to publish them to make them available to people in
your organization, who can then apply the labels to content. Unlike retention labels, which are published
to locations, such as all Exchange mailboxes, sensitivity labels are published to users or groups. Sensitivity
labels then appear in Office apps for those users and groups.
Next, labels can be applied manually, as recommended for users, or automatically to content that
contains sensitive information. Automated assignment of labels may not be perfect, but it can have some
benefits, such as the following:


●● The users do not have to be trained on all your classifications.
●● Admins don't need to worry if users are classifying content correctly.
●● Users no longer need to know about the policies, and they can focus on their work.
Note: Automatic labeling is a feature that requires Azure Information Protection (AIP) Plan 2 licenses, which
are included, for example, in Microsoft 365 E5 subscriptions.

Create sensitivity labels


To create a new sensitivity label in the Microsoft 365 compliance center, follow these steps:


1. Log in to the Microsoft 365 compliance center with an account that has the necessary permissions to
create labels.
2. Navigate to Solutions > Information protection.
3. Select + Create a label from the top pane.
4. A warning is shown that asks whether you want to proceed or would rather migrate AIP labels
created in the legacy portal. Select Yes to proceed.
5. On the Name your label page, fill in the following information:
●● Label name: a name that describes the purpose of this label.
●● Tooltip: information for end users about when to use this label.
●● Description: a good description that allows other administrators to understand the purpose of this
label.
6. Select Next after filling in all required information.
7. On the Encryption page, you can decide to turn encryption for labeled documents On or Off. When
turning it On, additional fields need to be filled out:
●● Encryption On: activates encryption of labeled documents.
●● Assign permissions now or let users decide? Allows you to assign static protection, content expiration,
offline access, and permissions to labeled documents or lets the users choose these settings
and intended permissions manually.

8. When all encryption options are configured, including all settings for static or user-based permissions,
select Next.
9. On the Content marking page, you can decide to turn on marking of labeled documents.
●● Content marking On, activates the marking of documents.
●● Add a watermark adds a watermark with a customizable text to the document.
●● Add a header adds a header with a customizable text to the document.
●● Add a footer adds a footer with a customizable text to the document.
10. Select Next after filling in all required information.
11. On the Endpoint data loss prevention page, you can decide to activate protection of business data on
client devices, such as Windows 10. This feature is related to Windows Information Protection (WIP).
●● Endpoint data loss prevention On, to protect documents against data leakage on Windows 10
devices.
12. Select Next after turning this feature On or Off.
13. On the Auto labeling page, you can decide to apply labels automatically, based on DLP preconfigured
or custom search patterns (Sensitive information types).
●● Auto labeling On, activates automatic classification with labels.
●● Detect content that contains provides conditions to auto-labeling.
●● When content matches these conditions provides options to recommend a label only or to
apply it automatically.
●● Message displayed to user provides a customizable message to the user, if the conditions for this
label are met.


14. After configuring the automatic labeling settings, select Next to proceed.
15. On the Review your settings page, you can review your settings once more and select Create this
label to finish the creation.

Create retention labels


To create a new retention label in the Microsoft 365 compliance center, follow these steps:


1. Log in to the Microsoft 365 compliance center with an account that has the necessary permissions to
create labels.
2. Navigate to Solutions > Records management.
3. Select + Create a label from the top pane and retention label from the dropdown menu.
4. On the Name your label page, fill in the following information:
●● Name: a name that describes the purpose of this label.
●● Description for admins: a meaningful description for admins to understand the purpose and
background of this label.
●● Description for users: a meaningful description for end users to explain the purpose of this label
when they work with labeled documents. You can leave this blank for the users to simply see the
configured settings of this label.


5. Select Next after filling in all required information.
6. On the File plan descriptors page, fill in the following:
●● Reference Id: a unique ID for further processing and documentation.
●● Business function/department: which business function or department do these documents
refer to?
●● Category: which category do these documents fit into?
●● Authority type: which type of requirement is met with this label?
●● Provision/citation: which regulatory requirements does this label refer to?
7. These fields are not mandatory. After filling in the file plan descriptors, select Next.
8. On the Label settings page, you can turn on the retention settings.
●● Retention On, activates retention for labeled documents.
●● When this label is applied to content… provides the action that shall be done with labeled
documents.
●● Label classification declares labeled documents as records, which prevents editing the file after
labeling it.
9. After configuring the retention settings, select Next.
10. On the Review your settings page, you can review your settings once more and select Create this
label to finish the creation.

Assign labels to label policies


After creating sensitivity and retention labels, they need to be published to end-users by using label
policies. Both policy assignments, for sensitivity and retention labels, can be done in the Microsoft 365
compliance center.
Follow these steps to publish sensitivity labels:


1. Log in to the Microsoft 365 compliance center with an account that has the necessary permissions to
create labels.
2. Navigate to Solutions > Information protection.
3. Select the Label policies tab and Publish labels from the top pane.
4. On the Choose sensitivity labels to publish page, select Choose labels to publish.
5. On the Choose labels page, select + Add and select one or more labels from the list.
6. Select Add, Done and Next on the following pages.
7. On the Publish these sensitivity labels page, you can choose the users to publish the labels to.
Select Choose users or groups to select users or leave the default settings to publish the labels to all
users.
8. Select Next to go to the Policy settings.
9. Configure the following policy settings:
●● Apply this label by default to documents and email defines a default label.
●● Users must provide justification to remove a label or lower classification label defines whether users
need to provide a business justification if they want to remove or change a label.
●● Requires users to apply a label to their email or documents defines whether all elements need to
have a label.
●● Provide users with a link to a custom help page allows you to provide a customized help page.
10. Select Next to continue.
11. On the Name your policy page, enter a meaningful name and a description, to document the
purpose of this policy.
12. Select Next, to review your settings and Publish, to finish the creation of the policy.
Follow these steps to publish retention labels:
1. Log in to the Microsoft 365 compliance center with an account that has the necessary permissions to
create labels.
2. Navigate to Solutions > Records management.
3. Select the Label policies tab and Publish labels from the top pane.
4. On the Choose labels to publish page, select Choose labels to publish.
5. On the Choose labels page, select + Add and select one or more labels from the list.
6. Select Add, Done and Next on the following pages.
7. On the Choose locations page, you can create an org-wide policy or select specific locations. When
selecting specific locations, you can also include or exclude single recipients, sites, accounts and
Microsoft 365 Groups (including teams).
8. After selecting your desired locations, select Next.
9. On the Name your policy page, enter a meaningful name and a description, to document the
purpose of this policy.
10. Select Next, to review your settings and Publish labels, to finish the creation of the policy.
Note: Depending on the locations that you publish retention labels to, it can take from 24 hours to 7 days
for those retention labels to appear for end users. For more information, please refer to Published
retention labels14.

Creating policies with PowerShell


To create policies with PowerShell, you need to use the Security & Compliance Center PowerShell module
and the following cmdlets:
●● Get-ComplianceTag

14 https://docs.microsoft.com/en-us/microsoft-365/compliance/labels
●● Get-RetentionComplianceRule
●● Get-RetentionCompliancePolicy
Additional information and example scripts are available at Bulk create and publish retention labels by
using PowerShell15.

Create and manage a retention policy


Teams conversations are persistent and kept as long as the team exists. However, you can configure
retention policies for both preservation and deletion of data. Retention policies for Teams chat and
channel messages are set in the Microsoft 365 compliance center.
Retention policies help organizations to retain data for compliance or delete data after a specific period.
Teams retention policies ensure that when you delete data, it is removed from all permanent data storage
locations on the Teams service.
Teams retention policies support:
●● Preservation: Keep Teams data for a specified duration and then do nothing
●● Preservation and then delete: Keep Teams data for a specified duration and then delete
●● Deletion: Delete Teams data after a specified duration
Teams private chats (1:1 or 1:Many chats) and Teams channel messages can be set up with separate
retention policies. To set up these policies, log in to the Microsoft 365 compliance center, go
to Solutions, and select Information governance. Turn on Teams channel messages and Teams chats, and
then define retention policies for these locations (also shown in the diagram).

15 https://docs.microsoft.com/en-us/microsoft-365/compliance/bulk-create-publish-labels-using-powershell

When you turn on Teams channel messages, you can specify the teams to which this
policy will apply. For example, for teams A and B you can set a deletion policy of 1 year (by selecting both
individually) and apply a 2-year deletion policy to the rest of the teams.
This option is also available for Teams chats, by selecting specific users and applying unique retention
policies.
The Teams channel message and Teams chats storage locations address the Teams conversations stored
in Exchange Online mailboxes (user and group mailboxes). All the messages will be deleted from all
relevant storage locations (mailboxes, substrate and chat service).
To manage retention policies for Teams files, which are stored in OneDrive for Business and SharePoint,
you will need to use those services' retention policies. Since deletion policies for Teams files need to be
set in SharePoint Online and OneDrive for Business locations, it's possible that a policy could delete a file
referenced in a Teams chat or channel message before those messages get deleted (the file will be visible
in the Teams message, but if you try to open the file, you will get the error message “File not found”). This
can also happen in the absence of a policy, for example if someone manually deletes a file from
SharePoint Online or OneDrive for Business.
Important: Teams chat and channel messages are not affected by retention policies applied to user or
group mailboxes in the Exchange or Microsoft 365 Groups locations. Even though Teams chat and
channel messages are stored in Exchange, they're affected only by a retention policy that's applied to the
Teams location.

Create a new retention policy


To create and manage Teams retention policies, you can use the Microsoft 365 compliance center or the
Security & Compliance Center PowerShell module.
Follow these steps to create a new retention policy in the Microsoft 365 compliance center:
1. Log in to the Microsoft 365 compliance center with an account that has the necessary permissions to
create retention policies.
2. Navigate to Solutions > Information governance.
3. Select the Retention tab and + New retention policy from the top pane.
4. On the Name your policy page, enter a meaningful Name and a Description that explains the
purpose of this retention policy.
5. Select Next.
6. On the Decide if you want to retain content, delete it, or both page, configure the desired
retention or deletion settings to apply to the locations in scope. When choosing Use
advanced retention settings, you can limit the retention actions to content that matches keywords
or sensitive information patterns.
7. Select Next after configuring the retention actions.
8. On the Choose locations page, you can configure an org-wide policy or select individual locations.
After selecting a location, you can include or exclude single recipients or sites.
Note: A single retention policy cannot contain Teams and non-Teams locations. You need to configure
individual policies to protect channel messages and chat content alongside the email and SharePoint
site data.
9. After selecting the locations to apply retention actions to, select Next.
10. On the Review your settings page, perform a review and select Create this policy if all settings are
correct.

Create a new retention policy using PowerShell


To create and manage retention policies via PowerShell, you need to use the Security & Compliance
Center PowerShell module. The following cmdlets are available for managing retention policies:
●● New/Set-RetentionCompliancePolicy
●● New/Set-RetentionComplianceRule
●● New/Set-TeamsRetentionCompliancePolicy
●● New/Set-TeamsRetentionComplianceRule
For additional information see Overview of retention policies16.
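The channel-message scenario described earlier in this topic (teams A and B deleted after 1 year, all other teams after 2 years) can be scripted with the New-RetentionCompliancePolicy and New-RetentionComplianceRule cmdlets listed above. This is an added example, not part of the course material; the tenant, team addresses and policy names are constructed placeholders.

```powershell
# Added example, not course material. Tenant, addresses and names are placeholders.
# Requires the ExchangeOnlineManagement module and a role that may manage retention policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# Teams that get the shorter deletion period, identified by the SMTP address
# of their Microsoft 365 Group (constructed values).
$oneYearTeams = @('team-a@contoso.example', 'team-b@contoso.example')

# Policy 1: channel messages of team A and team B only.
# A Teams policy must not be mixed with Exchange or SharePoint locations,
# so only -TeamsChannelLocation is set here.
$policyAB = @{
    Name                 = 'Teams channel messages - Team A and B'
    Comment              = 'Delete channel messages of team A and team B after 1 year'
    TeamsChannelLocation = $oneYearTeams
}
New-RetentionCompliancePolicy @policyAB

$ruleAB = @{
    Name                      = 'Teams channel messages - Team A and B - delete after 1 year'
    Policy                    = $policyAB.Name
    RetentionComplianceAction = 'Delete'
    RetentionDuration         = 365    # days
}
New-RetentionComplianceRule @ruleAB

# Policy 2: every other team. "All" plus an exception list keeps team A and B
# out of the 2-year policy so that each team is covered by exactly one rule.
$policyRest = @{
    Name                          = 'Teams channel messages - all other teams'
    Comment                       = 'Delete channel messages of all remaining teams after 2 years'
    TeamsChannelLocation          = 'All'
    TeamsChannelLocationException = $oneYearTeams
}
New-RetentionCompliancePolicy @policyRest

$ruleRest = @{
    Name                      = 'Teams channel messages - all other teams - delete after 2 years'
    Policy                    = $policyRest.Name
    RetentionComplianceAction = 'Delete'
    RetentionDuration         = 730    # days
}
New-RetentionComplianceRule @ruleRest

# Check that both policies were distributed before relying on them.
foreach ($name in $policyAB.Name, $policyRest.Name) {
    Get-RetentionCompliancePolicy -Identity $name -DistributionDetail |
        Format-List Name, Enabled, DistributionStatus
}

# Files shared in these channels live in SharePoint Online and are not touched
# by the policies above; they need their own SharePoint/OneDrive retention policy.
```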

Create and manage DLP policies


Many organizations today are concerned with protecting sensitive information and complying
with their internal business standards and industry regulations. Sensitive data here means
information such as financial data or personally identifiable information, for example
credit card numbers, social security numbers, or health records.

16 https://support.office.com/article/overview-of-retention-policies-5e377752-700d-4870-9b6d-12bfc12d2423

With Data Loss Prevention policies, organizations can identify, monitor, and automatically protect
sensitive information across their Office 365 environment.
A DLP policy can help you to:
●● Identify sensitive information across many locations (Exchange Online, SharePoint Online, OneDrive
for Business and Microsoft Teams)
●● Prevent the sharing of sensitive information by accident
●● Monitor and protect sensitive information in the desktop versions of Excel, PowerPoint and Word.
●● View DLP reports (with content that matches your organization's DLP policies).

Overview of DLP in Microsoft Teams


For the organizations which have DLP for Teams licensed, policies can be configured that prevent people
from sharing sensitive information in a Microsoft Teams channel or chat session. With these policies, the
admin can protect:
●● Sensitive information in messages
●● Sensitive information in documents

Educate your Teams users about Data Loss Prevention policies


When you have created and applied a DLP policy, and a user takes an action in Microsoft Teams that
conflicts with that policy, the user will get a policy tip, as shown in the image below:

In this case, the user tried to send a social security number in a Microsoft Teams channel. The message
was blocked and there is a help link What can I do?. This link will open a dialog box which provides
options for the sender to resolve the issue.
As an admin, you can choose to allow users to override a DLP policy in your organization. When you
configure your DLP policies, you can use the default policy tips, or customize policy tips for your
organization. In the example below you can see that the sender can opt to override the policy, or notify an
admin to review and resolve it.

While the sender receives the error message and options to override the DLP policy, the recipients
see a different message on the screen, as shown below:

You may notice that the recipients are receiving information that the message was blocked due to
sensitive content, and there is a link right next to the message: What's this? which will open an article
about DLP policies, where the users can find an explanation why the message was blocked.

Create a new DLP policy for Microsoft Teams


DLP policies can be managed in the Microsoft 365 compliance center, below Data loss prevention.
Follow these steps to create a new DLP policy for Teams locations:
1. Log in to the Microsoft 365 compliance center with an account that has the necessary permissions to
create DLP policies.
2. Navigate to Data loss prevention.
3. Select + Create policy from the top pane.
4. On the Start with a template or create a custom policy page, you can choose from different
sensitive information type templates or you can choose to create a Custom policy. Make your
choice and select Next.
5. On the Name your policy page, enter a meaningful Name and a Description, that explains the
purpose of this DLP policy.
6. Select Next after entering the required fields.
7. On the Choose locations page, you can choose to create an org-wide policy, or you can select Let
me choose specific locations to protect only individual locations and users.
8. Select Let me choose specific locations and Next.
9. On the next Choose locations page, deselect all locations other than Teams chat and channel
messages. You could now include and exclude single locations or leave all activated.
10. Select Next.
11. On the Customize the type of content you want to protect page, you can edit the conditions again
and configure an action to perform, if the conditions are met. By selecting Use advanced settings
you can fine-tune the high and low rules, to modify thresholds and create additional rules. Don’t
change the selection and select Next.
12. On the last What do you want to do if we detect sensitive info? page, you can configure the
following settings:
●● Show policy tips to users and send them an email notification: Shows policy tips and email
notifications when the DLP policy conditions are violated.
●● Detect when content that's being shared contains: Sets the threshold at which the high actions
are triggered, to perform different actions if a higher number of sensitive data matches occur.
●● Send incident reports in email: If the threshold is met or exceeded, an incident report is sent to
the creator of the policy and the global admins.
●● Restrict access or encrypt the content: Allows you to block access to the file or encrypt it, if the
threshold is met or exceeded.


13. After configuring the desired settings, select Next.
14. On the Do you want to turn on the policy or test things out first? page, you can select from
different settings, how to enable the new DLP policy:
●● Yes, turn it on right away: Activates the policy right after creation.
●● I'd like to test it out first: Does not enforce the policy, but policy tips can already be displayed to
users when their actions meet the DLP policy conditions.
●● No, keep it off. I'll turn it on later: Leaves the policy deactivated.
15. Select Next and on the Review your settings page, select Create.
Note: DLP policies can contain Teams and non-Teams locations at the same time.
DLP protection in Teams Chat requires a different license than DLP protection for SharePoint Online,
OneDrive, and Exchange Online. For additional information see Data Loss Prevention and Microsoft
Teams17.
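The wizard steps above have a Security & Compliance Center PowerShell equivalent, shown here for the social security number case used in this topic. This is an added example, not part of the course material; the tenant, policy and rule names and the report address are constructed placeholders, and the notification target chosen for Teams is an assumption.

```powershell
# Added example, not course material. Names and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'Teams - U.S. social security numbers'

# -Mode corresponds to the "Do you want to turn on the policy or test things out first?" page:
#   Enable                   -> Yes, turn it on right away
#   TestWithNotifications    -> I'd like to test it out first (policy tips are shown)
#   TestWithoutNotifications -> test mode without policy tips
#   Disable                  -> No, keep it off. I'll turn it on later.
$policy = @{
    Name          = $policyName
    Comment       = 'Block U.S. SSNs in Teams chat and channel messages'
    TeamsLocation = 'All'                  # only the Teams chat and channel messages location
    Mode          = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

# One rule: a single SSN match blocks the message, shows a policy tip,
# lets the sender override with a business justification, and sends an incident report.
$rule = @{
    Name                                = 'Teams - block SSN'
    Policy                              = $policyName
    ContentContainsSensitiveInformation = @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    BlockAccess                         = $true
    NotifyUser                          = 'LastModifier'   # assumption: addresses the sender in Teams
    NotifyAllowOverride                 = 'WithJustification'
    GenerateIncidentReport              = 'dlp-reports@contoso.example'   # constructed address
}
New-DlpComplianceRule @rule

# Review what was created while the policy is still in test mode.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, NotifyUser, NotifyAllowOverride

# After the test phase shows no unexpected matches, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```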

Create and manage an eDiscovery case


Organizations have many reasons to respond to legal cases involving certain executives or other
employees in their organization. This might involve quickly finding and retaining for further investigation specific
information in email, documents, instant messaging conversations, and other content locations used by
people in their day-to-day work tasks. With eDiscovery, organizations can better understand Microsoft
365 data and reduce eDiscovery costs.
There are three types of eDiscovery available:
●● Content searches, to perform fast searches for content saved in one of the Office 365 services.
●● eDiscovery cases, to add holds and perform content searches in an organized case management
structure. (Core)
●● Advanced eDiscovery cases, to analyze large sets of unstructured data that need additional
automation through relevance recognition. (Advanced)

17 https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams

As an administrator, you can use eDiscovery cases to add members to a case, control what types of
actions specific case members can perform, place a hold on content locations relevant to a legal case, and
associate multiple Content Searches with a single case.

eDiscovery permissions
The roles for managing eDiscovery include different levels of access and control, to comply with the data
protection requirements of most organizations. The compliance administrator role, which is a part of the
global administrator role, can create and modify cases, holds and searches, but it cannot preview or
export any search results. The dedicated eDiscovery roles can also work with the found data, but these
roles are not assigned to any user by default, not even to the global administrator.
The following table shows the different permissions for eDiscovery:

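| Role | Compliance Administrator | eDiscovery Manager & Administrator | Organization Management | Reviewer |
|---|---|---|---|---|
| Case Management | ✓ | ✓ | ✓ | |
| Compliance Search | ✓ | ✓ | ✓ | |
| Export | | ✓ | | |
| Hold | ✓ | ✓ | ✓ | |
| Preview | | ✓ | | |
| Review | | ✓ | | ✓ |
| RMS Decrypt | | ✓ | | |
| Search And Purge | | | ✓ | |
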
The difference between the eDiscovery Manager and the eDiscovery Administrator is the ability to open
the results of existing cases. While eDiscovery Administrators can access all cases, eDiscovery Managers
can only create and access their own cases but they cannot access the cases of any other administrator.
Note: The Search And Purge role lets users perform bulk removal of data matching the criteria of a content search.
The eDiscovery specific roles are assigned in the Security & Compliance Center, when selecting
Permissions from the left-side pane.

Create a new case


Now, since we have assigned the permissions to the users, we can go to the next step and create a new
eDiscovery case. Note that in order to create a case, you must be a member of the eDiscovery Managers
role group. As previously explained, after you create a new case in the Security & Compliance Center, you
(and other case members) will be able to access that same case in Advanced eDiscovery if your
organization has an Office 365 E5 subscription.
Follow the next steps in order to create a new case:
1. Sign in to Security & Compliance Center and select eDiscovery from the left-side navigation pane.
2. Select eDiscovery from the menu and select + Create a case from the top pane, to open a new case.
3. On the New case pane on the right side, enter a meaningful Case name and a Case description that
tells the purpose of this case. Then select Save.
Now, the case that you have created will be shown in the list of cases on the eDiscovery page and it is
ready to add holds and searches.

Place a hold on Microsoft 365 Groups and Microsoft Teams


When you place a Microsoft 365 Group or Microsoft Team on hold, the group mailbox and group site are
going to be protected from deletion and any changes.
Note: If you need to investigate a compliance breach in a team, you should also consider including the
individual users in the case and putting their Exchange and SharePoint locations on hold.
Microsoft Teams relies on Microsoft 365 Groups, and every group has a specific, connected mailbox.
The conversations that take place in a channel are stored in the mailbox that is
associated with the Microsoft Teams team. Also, the documents that the team members share in a
channel are stored on the team's SharePoint site. Therefore, you need to consider placing the team
mailbox and SharePoint site on hold to retain conversations and files in a channel.
Conversations that are part of the Chat list in Microsoft Teams are stored in the mailbox of the users
who participate in the chat. All the files that are shared in that Chat conversation are stored
in the OneDrive for Business site of the user who shares the file. Therefore, you must place the
individual user mailboxes and also the users' OneDrive for Business sites on hold to retain conversations
and files in the Chat list.
Follow these steps to add a hold to the eDiscovery case you just created:
1. Sign in to Security & Compliance Center and select eDiscovery from the left-side navigation pane.
2. Select eDiscovery from the menu and select Open to the left of a case.
3. On the Core ED page, select the Holds tab from the top pane.
4. Select + Create to create a new hold.
5. On the Name your hold page, enter a meaningful Name and a Description that explains the purpose
of this hold.
6. Select Next.
7. On the Choose locations page, you can decide to hold individual locations:
●● Choose users, groups, or teams for Exchange email locations.
●● Choose sites for SharePoint site locations.
●● Use the slider below for all or none of the Exchange public folders.
8. By default, no locations are on hold. Select your desired locations and users or groups and select
Next.
9. On the Query conditions page, enter keywords for holding content or select + Add conditions to
perform a more granular search. Any element found that contains these keywords is put on hold.
10. Select Next to review your settings. Then select Create this hold to finish the creation.
Note: After placing a content location on hold, it can take up to 24 hours for the hold to become active.
Create and run a Content Search associated with a case


When an eDiscovery case is created and the custodians are placed on hold, you can create and run one
or more Content Searches associated with that case. These content searches perform the search
operation, whose results can later be previewed or exported.
To add a Content Search to the eDiscovery case, follow these steps:
1. Sign in to Security & Compliance Center and select eDiscovery from the left-side navigation pane.
2. Select eDiscovery from the menu and select Open to the left of a case.
3. On the Core ED page, select the Searches tab from the top pane.
4. Select the dropdown arrow to the right of + New search and select + Guided Search.
5. On the Name your search page, enter a meaningful Name and a Description that tells the purpose
of this search in the context of this eDiscovery case.
6. Select Next.
7. On the Locations page, select the following:
●● All locations to perform an org-wide search
●● Locations on hold to search only the data that is protected by a hold from the same case.
●● Specific locations to choose a location from the list below.
8. After choosing the desired locations, select Next.
9. On the Condition card page, enter keywords for the search or select + Add conditions to perform a
more granular search. Any element found that contains these keywords is displayed in the result of
the search.
10. Select Finish to create the search within the eDiscovery case.
After the search is completed, you can preview the search results.

Preview and export the results


After the search is completed, you can preview the results, export a report of the found data or export the
search results.
Follow these steps to export the results of a content search in an eDiscovery case:
1. Sign in to Security & Compliance Center and select eDiscovery from the left-side navigation pane.
2. Select eDiscovery from the menu and select Open to the left of a case.
3. On the Core ED page, select the Searches tab from the top pane.
4. Select a search from the Search window to open the right-side pane.
5. Check below Status how many items have been found by this search.
6. Select Export results to start an export of the found items.
7. In the Export results window, select the desired Output options and how the Exchange content should
be arranged in the PST file(s).

8. Select Export to start an export job.


9. Back on the Searches tab, select the Exports tab from the top pane.
10. An export job with the same name as the search should appear, including an “_Export” suffix. Select
this job to open another right-side pane.
11. When the Status of the job says The export has completed. you can select Download results from
the top pane.
12. An application to launch will be started, with the name
Microsoft.Office.Client.Discovery.UnifiedExportTool.application. This is the eDiscovery Export Tool, required to connect to the storage where
the results export is stored. Run and install this application.
13. When the eDiscovery Export Tool opens, you need to specify the export key and a location on your
local machine, to save the exported data.
14. Go back to your browser session, where the Exports tab is open, select Copy to clipboard below
Export key and paste this key to the eDiscovery Export Tool.
15. Now you can select Browse to select a location and Start to run the export process.

Considerations of eDiscovery for Microsoft Teams


Due to the architecture of Teams, there are several special points to consider when performing an
eDiscovery investigation against Teams content.

| Scenario | Consideration |
|---|---|
| Guest-to-guest chats | Guests do not have a mailbox in the target tenant and without a mailbox, guest-to-guest chats (1xN chats in which there are no home tenant users) would not be indexed, and as a result, would not be included in eDiscovery. To facilitate eDiscovery for guest-to-guest chats, a cloud-based mailbox (or phantom mailbox) is created to store the 1xN data. After the Teams chat data is stored in the cloud-based mailbox, it is indexed for eDiscovery and compliance content search. |
| eDiscovery of private channels | Messages sent in private channels are saved in the user mailboxes of its members, with an indication of which private channel they come from, and files in private channels are stored on independent SharePoint site collections. Since eDiscovery of single channels is not supported, searches must be performed over the whole team and every member's user mailbox location. |
| Placing private channel messages on hold | This scenario is currently not supported, but it is possible to put the mailboxes of all channel members on hold and search their mailboxes for required content. |

In conclusion, put the following locations on hold, to retain the data:
●● Microsoft Teams Private Chats: User mailbox
●● Microsoft Teams Channel Chats: Group mailbox used for the team
●● Microsoft Teams Content (e.g. Wiki, Files): SharePoint site used by the team
●● Private Content: OneDrive for Business site of the user
Note: Placing a user on hold does not automatically place a group on hold or vice-versa.
For additional information see eDiscovery cases in the Security & Compliance Center18.
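The case, hold and content search steps from this topic can also be scripted in Security & Compliance Center PowerShell, using the four hold locations from the summary list above. This is an added example, not part of the course material; the tenant, mailboxes, site URLs, case name and keyword query are constructed placeholders.

```powershell
# Added example, not course material. All names, addresses and URLs are placeholders.
# The signed-in account must be a member of the eDiscovery Manager role group.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'ediscovery.manager@contoso.example'

$caseName = 'Contoso-Teams-Investigation'
$query    = '"Project Falcon" OR "confidential roadmap"'   # constructed keyword query

# The four locations from the summary list:
$groupMailbox  = 'team-rd@contoso.example'                         # channel chats
$teamSite      = 'https://contoso.sharepoint.com/sites/team-rd'    # team content (wiki, files)
$userMailboxes = @('alice@contoso.example', 'bob@contoso.example') # private chats
$oneDriveSites = @(                                                # private content
    'https://contoso-my.sharepoint.com/personal/alice_contoso_example',
    'https://contoso-my.sharepoint.com/personal/bob_contoso_example'
)

# Placing a user on hold does not place the group on hold (or vice versa),
# so users and the team are listed explicitly and held together.
$mailboxes = @($groupMailbox) + $userMailboxes
$sites     = @($teamSite) + $oneDriveSites

# 1. Create the case.
New-ComplianceCase -Name $caseName -Description 'Teams conversations and files for the investigation'

# 2. Create a query-based hold: the policy names the locations, the rule the content.
$holdName = "$caseName-Hold"
New-CaseHoldPolicy -Name $holdName -Case $caseName `
    -ExchangeLocation $mailboxes -SharePointLocation $sites -Enabled $true
New-CaseHoldRule -Name "$holdName-Rule" -Policy $holdName -ContentMatchQuery $query

# The hold can take up to 24 hours to become active; check its distribution.
Get-CaseHoldPolicy -Identity $holdName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus

# 3. Create and run a content search in the same case over the same locations.
$searchName = "$caseName-Search"
New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation $mailboxes -SharePointLocation $sites -ContentMatchQuery $query
Start-ComplianceSearch -Identity $searchName

# 4. Wait for completion, then report how many items were found.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

$search | Format-List Name, Status, Items, Size
```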

Create and manage a supervision policy


For many compliance requirements you may need to take samples from user communications to see if
they comply with all policies and regulations. Because eDiscovery is an inadequate tool for taking random
samples, you can use supervision policies to analyze only a certain amount of data from supervised users
and groups.
You can define policies that capture internal and external email, Microsoft Teams, or 3rd-party
communications. Reviewers can then examine the messages to make sure that they are compliant with your
organization's message standards and resolve them with a classification type.

18 https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery-cases

Supported communication types of Supervision policies


Supervision policies can analyze data from different Office 365 locations. In the following table you can
find a list of the supported locations:

| Location | Description |
|---|---|
| Exchange email | Emails and attachments stored in Exchange Online mailboxes can be searched with supervision policies. |
| Microsoft Teams | Chat communication and attachments of public and private channels can be supervised. Conditions for supervision policies are processed every 24 hours against Teams chat for monitoring and reports. |
| Skype for Business Online | Chat communication and attachments are available for supervision and conditions for chats are also processed every 24 hours for monitoring and reports. |
| Third-party sources | Data imported from third-party sources, for example through a connector that imports data from Facebook or Twitter, can be supervised. |

License requirements for Supervision policies


Supervision is an advanced compliance feature and all users in scope of supervision policies need one of
the following license options:
●● Microsoft 365 E5 Compliance
●● Office 365 Enterprise E3 license with the Advanced Compliance add-on
●● Office 365 Enterprise E5 subscription

Settings available for Supervision policies


Supervision policies support a broad range of settings to search for data from supervised users. The
following table shows some of the most important available settings:

| Component | Description |
|---|---|
| Direction | The direction describes the communication way and this setting is mandatory. The direction of communication can be: Inbound for communication that is sent to a supervised user; Outbound for communication sent by a supervised user; Internal for communication between supervised users. |
| Sensitive information types | To identify data to review, supervision policies also support DLP policy search patterns for sensitive information types. |
| Custom keyword dictionaries | For recurring reviews, companies can create custom keyword dictionaries for sensitive or business data. |
| Offensive language | Supervision policies can spot the use of offensive language in email messages. This feature can be useful for anti-harassment and bullying policies in organizations. |
| Conditional settings | To review communication that meets specific conditions, for example attachments larger than 30 MB to find people that still send large files via email, you can apply conditions to a supervision policy. |
| Review percentage | To review not all content in scope of a supervision policy, you can reduce the review percentage from 100% to a smaller percentage value, such as 3% to review only a basic amount of company communication. |

Note: In contrast to Data Loss Prevention policies, supervision is not used to prevent data leakage in
communication, but to review communication that meets specific criteria. Since this requires looking into
the actual user's data, the legal requirements of many governments allow these insights only under special
circumstances. For example, an administrator who secretly looks into the data of a supervised user may
violate the data protection laws that protect that supervised user.

Create a supervision policy


Several steps need to be taken to create a supervision policy and provide insight into company
communication. To set up a supervision policy, follow these steps:
1. Log in to the Office 365 Security & Compliance Center.
2. Navigate to Permissions and select SupervisoryReview from the list.
3. Select Edit right beside Members.
4. On the Editing Choose members page, select Choose members and + Add.
5. Select your account from the list, select Add, Done and Save.
6. Now select Supervision from the left-side pane.
7. Select + Create to create a new supervision policy.


8. On the Name your policy page, enter a meaningful Name and a Description, that explains the
purpose of this supervision policy.
9. On the Whose communications do you want to supervise? page, select the users to supervise or to
exclude from supervision. After choosing, select the rows to supervise Exchange email, Teams chat and Skype
for Business Online conversations.
10. After selecting the desired communication data, select Next.
11. On the What communications do you want to review? page, select the direction and possibly add
conditions or sensitive information filters. Then select Next.
12. On the What percentage of these communications should be reviewed? page, select the desired
percentage value. When looking for specific data, a higher value is recommended. When just planning
to take samples, choose a lower value. Select Next.
13. On the Who should review these communications? page, enter the names of desired reviewers and
select them from the dropdown list. Then select Next.
14. Review your settings and select Finish.
Note: When adding groups to supervised users, dynamic distribution groups are not supported. When
choosing reviewers, neither distribution groups nor dynamic distribution groups are supported.

Use scoped directory search


With Microsoft Teams scoped directory search, the administrator can create virtual boundaries that
control how users communicate with each other within the organization. Microsoft Teams provides
custom views of the directory to the company users (Information Barrier policies support these custom
views). Once the policies have been enabled, the results returned by searches for other users (for example, to
initiate a chat or to add members to a team) will be scoped according to the configured policies. Users
will not be able to search or discover teams when scoped search is in effect. Note that in
Exchange hybrid environments, this feature will only work with Exchange Online mailboxes (not with
on-premises mailboxes).

When should you use scoped directory searches?


You may use scoped directory search when:
●● Your organization has multiple companies within a single tenant, and you want to segment searches
by company.
●● You want to limit chats between faculty and students, or between different departments.
Address book policies can provide only a virtual separation of users (from the directory perspective),
which means that the users can still initiate communications with others by providing complete email
addresses.
Note that any user data that had already been cached (prior to the enforcement of new or updated
address book policies) will remain available to other users for up to 30 days.
Turn on scoped directory search


To turn on scoped directory search, you need to use Information Barrier policies
to configure your organization into virtual subgroups. Perform the following steps to configure
scoped directory searches in your tenant:
1. Log in to the Teams Admin center.
2. Navigate to Org-wide settings > Teams settings.
3. Scroll down to Search by name and turn the slider behind Scope directory search using an
Exchange address book policy to On.

If it was not already turned on, you have now turned on the Scope directory search, a prerequisite to use
information barriers.
Note: You need to wait at least 24 hours after enabling scoped directory search before you can set up or
define information barrier policies.
For more information see Define Information Barrier policies19.

Manage GDPR data subject requests


Personal data is defined in detail under the General Data Protection Regulation (GDPR), and it refers to
any data which relates to an identified or identifiable natural person that is a resident of the European
Union. The GDPR defines the rights and restrictions on how to manage the personal data that has been
collected by an employer or other organization. Because any company with employees residing in the
European Union, or with customers living in the European Union, needs to comply with the GDPR, it is
crucial to know about the GDPR features in Office 365.
Office 365 administrative tools have implemented features which can assist in searching and finding, as
well as acting on personal data in order to respond to Data Subject Requests (DSR) (this includes how to
find, access, and act on personal data that is stored in Microsoft's cloud).
In this topic we will cover how to find personal data stored in SharePoint Online and OneDrive for
Business, which includes the sites for all Microsoft 365 Groups and Microsoft Teams.

19 https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers-policies
DSR case tool in Office 365


To manage investigations in response to a DSR submitted by a person, you can use the DSR case tool in
the Security & Compliance Center to find content stored in:
●● Any user mailbox in your organization, which includes Skype for Business conversations and
one-to-one chats in Microsoft Teams.
●● All mailboxes associated with a Microsoft 365 Group and all team mailboxes in Microsoft Teams.
●● All SharePoint Online sites and OneDrive for Business accounts.
●● All teams and Microsoft 365 Groups.
●● All public folders in Exchange Online.
Note: The DSR case tool is based on eDiscovery but modified to find personal data of users.
The DSR tool can be found in the Security & Compliance Center, below Data privacy > Data subject
requests or via the GDPR Dashboard.

Creating a DSR case


Follow these steps to create a new DSR case in the Security & Compliance Center:
1. Log in to the Microsoft 365 Security & Compliance Center.
2. Navigate to Data privacy > Data subject requests.
3. Select + New DSR case from the top pane.
4. Enter a meaningful Name and a Description that explains the purpose of this DSR case.
5. On the Request details page, search for the person who filed the request and select their name. Select
Next.
6. On the Confirm your case settings page, review the settings and select Save.
7. On the next page, you are informed that the case has been created. Select Show me search results
to go directly to the search results.
8. You are redirected to the Core ED dashboard; you can see the keywords for this search on the
left-side pane and the search results in the middle of the window.
You can now process the results as required and export them, including exporting a report or preparing
the results for deletion.

Use Content Search to find personal data


Because DSR cases are not only filed by users regarding their data, but also by customers who want to
understand how their personal data is used in a company, the DSR case tool is not always enough.
Administrators or data protection officers with eDiscovery permissions can also create content searches
or regular eDiscovery cases to find personal data in your tenant’s storage locations.
Note: Always keep in mind that working with user content violates the legal data protection requirements
of many governments and that administrators may not be allowed to see the results of those
searches. You should clarify with your company’s data protection officer under which circumstances you
are allowed to perform searches like those described in this topic.

Additional information about Office 365 Data Subject Requests for the GDPR and CCPA can be found at
Office 365 Data Subject Requests for the GDPR and CCPA20.

Create information barrier policy


Information barrier policies are created when an administrator wants to restrict the communication
between certain individuals or groups. For example, an R&D department is working on a highly confidential
project that it is not allowed to share with people outside the department. The administrator needs
to prevent people in the R&D department from communicating with anyone outside of that group.
Information barriers can be used in cases such as the following:
●● When a team must be prevented from communicating or sharing data with a specific other team.
●● When a team must not communicate or share data with anyone outside of that team.
Information barrier policies are managed only via the Security & Compliance Center PowerShell module.

How information barriers work


Information barriers are based on Exchange address book policies and restrict the ability of users affected
by a policy to find, select, chat with, or call users on the other side of the barrier. If someone tries to
find and communicate with another person who is restricted by an information barrier policy, the user
will not be able to find that person.
In this way information barriers can prevent the following types of communication between users in
Teams:
●● Searching for a user
●● Adding a member to a team
●● Starting a chat session with someone
●● Starting a group chat
●● Inviting someone to join a meeting
●● Sharing a screen
●● Placing a call
Note: Information barriers require the scoped directory search in Teams. If you didn’t activate it already,
you need to activate it and wait up to 24 hours to use this feature.
Information barriers are checked regularly against the directory and if a violation is detected, actions are
taken.
The following table shows several situations in which communication attempts are checked against
information barriers and how restricted communication is prevented:

20 https://docs.microsoft.com/en-us/microsoft-365/compliance/gdpr-dsr-office365

| Situation | Action |
| --- | --- |
| Members are added to a team | Whenever a user is added to a team, the user is evaluated against the information barrier policies of other team members. After the user is successfully added, the user can perform all functions in the team without further checks. If the user's policy blocks them from being added to the team, the user will not show up in search. |
| A new chat is requested | Each time a new chat is requested between two or more users, the chat is evaluated to make sure that it isn’t violating any information barrier policies. If the conversation violates an information barrier policy, then the conversation isn’t initiated. |
| A user is invited to join a meeting | When a user is invited to join a meeting, the user's policy is evaluated against the policies of other team members, and if there’s a violation, the user will not be allowed to join the meeting. |
| A screen is shared between two or more users | Any time a screen is shared between two or more users, the screen share must be evaluated to make sure that it doesn’t violate the information barrier policies of other users. If an information barrier policy is violated, the screen share won’t be allowed. |
| A user places a phone call (VOIP) in Teams | Any time a voice call is initiated by a user to another user or group of users, the call is evaluated to make sure that it doesn’t violate the information barrier policies of other team members. If there is any violation, the voice call is blocked. |
| Guest Users in Teams | Information barrier policies apply to guest users in Teams too. If guest users need to be discoverable in your organization's global address list, see Manage guest access in Microsoft 365 Groups. Once guest users are discoverable, you can define information barrier policies. |
If an information barrier policy is changed by an administrator, the Information Barrier Policy Evaluation
Service automatically searches the members to ensure that members of the Team are not violating any
policies. If there are any new violations, the following actions are taken:


●● If a chat between two participants violates a policy, the chat is set to read-only and no new messages
can be sent.
●● If participants in a group chat violate a changed or new policy, the affected participants are removed
from the chat and they can see the conversation history in read-only.
●● If team members violate a policy, they are removed from the team.

Prerequisites for information barriers


Required licenses for information barriers

Information barriers is an advanced compliance feature and requires appropriate licenses. The feature is
available for users with one of the following licenses:
●● Microsoft 365 E5
●● Office 365 E5
●● Office 365 Advanced Compliance
●● Microsoft 365 E5 Information Protection and Compliance
Permissions for information barrier policies
To define or edit information barrier policies, administrators must be assigned to one of the following
roles:
●● Microsoft 365 global administrator
●● Office 365 global administrator
●● Compliance administrator
●● IB Compliance Management
In addition to licenses and permissions, the following prerequisites apply:
●● Directory data: because information barriers rely on user attributes, the directory data for each user
must be up to date and completely set.
●● Scoped directory search needs to be turned on.
●● Audit logging: to check the status of a policy application, audit logging must be turned on before
you begin to configure segments or policies.
●● Address book policies in Exchange cannot already exist.
●● PowerShell with the Security & Compliance Center module, to configure information barriers.
●● Admin consent for information barriers in Microsoft Teams: to enable the information barrier
service to take administrative actions in your tenant. As an admin, you can use the following steps
to enable information barrier policies to work as expected in Microsoft Teams:
1. Run the following PowerShell cmdlets:

# Sign in to your tenant with the Azure Resource Manager PowerShell module:
Login-AzureRmAccount
# Save the information barrier service app id to a variable:
$appId = "bcf62038-e005-436d-b970-2a472f8c1982"
# Get a service principal in Azure for the app id:
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
# If a service principal could not be retrieved, create a new one:
if ($null -eq $sp) { New-AzureRmADServicePrincipal -ApplicationId $appId }
# Start the process to grant consent by opening the admin consent page:
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"

2. When prompted to sign in, use your work or school account for Office 365 that has the above-mentioned
permissions to grant admin consent in your tenant.
3. In the Permissions requested dialog box, review the information, and then select Accept.

Define policies for information barriers


There are three main parts to defining policies for information barriers:
●● Part 1: Segment users in your organization
●● Part 2: Define information barrier policies
●● Part 3: Apply information barrier policies

Part 1: Segment users in your organization


To ensure you comply with regulatory requirements, you need to plan which users are allowed to
communicate and which are not allowed to do so.
To control communication between your groups of users, two types of policies are available:
●● Block policies prevent one group from communicating with another group.
●● Allow policies allow a group to communicate with only certain other, specific groups.
When you have your initial list of groups and policies, proceed to identify the segments you'll need.
Identify segments
Any user affected by information barriers needs to belong to at least one segment, but not more than
two segments. Each segment can have only one information barrier policy.
A segment is defined by certain directory attributes, such as Department or MemberOf. For example, a
segment can be all users that are a MemberOf a specific group or with a certain string in their
department attribute.
Note: A full list of all supported attributes is available at Attributes for information barrier policies21.

Define segments using PowerShell


To create segments for information barrier policies, follow these steps:
1. Open PowerShell and connect with the Security & Compliance Center PowerShell module to your
tenant.
2. Run the following cmdlet and replace segmentname with a meaningful name and both attribute and
attributevalue with the directory attribute and value that segment members are filtered by.
New-OrganizationSegment -Name "segmentname" -UserGroupFilter "attribute -eq 'attributevalue'"


3. Repeat step 2 for all required segments.

Part 2: Define information barrier policies


After creating segments, you can create the policies that restrict the segments from communicating.
Remember that any policy restricts only one way and if you want to restrict the communication between
two segments, you need at least two policies.
1. Open PowerShell and connect with the Security & Compliance Center PowerShell module to your
tenant.

21 https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers-attributes

2. Run the following cmdlet and replace policyname with a meaningful name and both segment1name
and segment2name with the names of two different segments, to block the communication between
both segments:
New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segment1name" -SegmentsBlocked "segment2name"

3. Repeat step 2 for all required policies.

Part 3: Apply information barrier policies


After creating segments and policies for communication, the information barrier policy still needs to be
applied. Follow these steps to apply a policy:
1. Open PowerShell and connect with the Security & Compliance Center PowerShell module to your
tenant.


2. Run the following cmdlet and replace GUID with an existing information barrier policy ID, to switch
the policy to active:
Set-InformationBarrierPolicy -Identity GUID -State Active
3. Then run the following cmdlet to start information barriers in your tenant:
Start-InformationBarrierPoliciesApplication
After approximately 30 minutes, policies are applied, user by user, for your organization. If your
organization is large, it can take 24 hours (or more) for this process to complete. (As a general guideline, it takes
about an hour to process 5,000 user accounts.)
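Parts 1 to 3 carried through for one concrete case, as an added example that is not part of the course material or Microsoft's own code: two hypothetical segments, Research and Sales, are blocked from each other. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) for the Security & Compliance Center connection and a Department attribute populated with those values; the user addresses in the final check are placeholders.

```powershell
# Added example. Segment names, policy names and user addresses are hypothetical.
# Assumption: the ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to the Security & Compliance Center

# Part 1: one segment per department, created only if it does not exist yet.
$segments = @{
    'Research' = "Department -eq 'Research'"
    'Sales'    = "Department -eq 'Sales'"
}
foreach ($name in $segments.Keys) {
    if (-not (Get-OrganizationSegment | Where-Object Name -eq $name)) {
        New-OrganizationSegment -Name $name -UserGroupFilter $segments[$name]
    }
}

# Part 2: a policy restricts only one way, so a full barrier needs one policy
# per direction. Both are created Inactive so they can be reviewed first.
$policies = @(
    @{ Name = 'Research-Block-Sales'; AssignedSegment = 'Research'; SegmentsBlocked = 'Sales' }
    @{ Name = 'Sales-Block-Research'; AssignedSegment = 'Sales';    SegmentsBlocked = 'Research' }
)
foreach ($policy in $policies) {
    if (-not (Get-InformationBarrierPolicy | Where-Object Name -eq $policy.Name)) {
        New-InformationBarrierPolicy @policy -State Inactive
    }
}

# Review: every segment should appear in exactly one policy as AssignedSegment,
# and each blocked pair should appear once in each direction.
Get-InformationBarrierPolicy |
    Format-Table Name, AssignedSegment, SegmentsBlocked, State

# Part 3: activate both directions, then start the policy application.
foreach ($policy in $policies) {
    Set-InformationBarrierPolicy -Identity $policy.Name -State Active
}
Start-InformationBarrierPoliciesApplication

# Check progress of the application run (it is processed user by user).
Get-InformationBarrierPoliciesApplicationStatus

# After the run has completed, confirm the barrier for one user from each side.
Get-InformationBarrierRecipientStatus -Identity 'researcher@contoso.com' -Identity2 'seller@contoso.com'
```

Activating only one of the two policies leaves the barrier one-directional, so the review table is the point at which to catch a missing reverse policy.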
For additional information, please refer to:
●● Information barriers in Microsoft Teams22.
●● Define policies for information barriers23

Create security and compliance alerts for Microsoft Teams
Alert policies help administrators identify events in their tenants that could indicate a security breach, an
abuse of administrative privileges or other activities that require monitoring. Alert policies send email
notifications and track recognized events on an alert dashboard in the Security & Compliance Center, to
keep track of events in a tenant.
There are several default alert policies available, depending on the existing licenses in a tenant, that
monitor activities such as the creation or export of eDiscovery data, a user or tenant being restricted from
sending emails due to compromised activity, or the creation of forwarding/redirect rules to external
recipients.
Alert policies and the alert dashboard are available in the Security & Compliance Center and via the
Security & Compliance Center PowerShell module.

22 https://docs.microsoft.com/en-us/MicrosoftTeams/information-barriers-in-teams
23 https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers-policies

Note: Alert policies require auditing enabled in your tenant. Check and activate auditing by navigating to
the Security & Compliance Center > Search > Audit log search. If auditing is not yet activated in your
tenant, you will be informed by a message in the dashboard that offers a button to activate it right away.

How alert policies work


The following diagram shows the basic workflow of how alert policies work:

1. Administrators create new or modify existing policies in the Security & Compliance Center that
monitor unusual user or admin activity.
2. A user or administrator performs an action that matches the conditions of an alert policy and
triggers it, such as creating an eDiscovery case or possibly adding full access permissions to a mailbox.
3. An alert is generated, and the corresponding alert action is triggered, such as sending an email to all
global administrators. Additionally, an alert entry is created in the alert dashboard in the Security &
Compliance Center.
4. Administrators review alerts in the alerts dashboard and decide to acknowledge or dismiss the alert.
Note: There are currently up to 22 default alert policies available, present in any existing and new tenants
and dependent on the existing subscriptions in a tenant.

Alert policy components and categories


An alert policy consists of:
●● A set of rules and conditions that define the user or admin activity that generates an alert
●● A list of users who are in scope of triggering the alert, if they perform the activity
●● A threshold that defines how many times the activity must occur before an alert is triggered
All alerts are categorized into one of six categories, which helps with tracking and managing the alerts
generated by a policy. You can assign one of the following categories to a policy:
●● Data governance
●● Data loss prevention
●● Mail flow
●● Permissions
●● Threat management
●● Others

Additionally, the Role Based Access Control (RBAC) permissions assigned to users in your organization
determine which alerts a user can see on the View alerts page based on the alert category. For example:
●● Members of the Records Management role group can view only the alerts that are generated by
alert policies that are assigned the Data governance category.
●● Members of the Compliance Administrator role group can't view alerts that are generated by alert
policies that are assigned the Threat management category.
●● Members of the eDiscovery Manager role group can't view any alerts because none of the assigned
roles provide permission to view alerts from any alert category.
For more information, please refer to RBAC permissions required to view alerts24.

Cloud App Security alerts


Cloud App Security is also integrated into the alert dashboard, if licensed and activated in a tenant. Alerts
triggered in Cloud App Security are displayed in the Security & Compliance Center and additionally in
Cloud App Security.
Like an alert triggered by an alert policy in the Security & Compliance Center, you can click a Cloud App
Security alert to display a flyout page with details about the alert. The alert includes a link to view the
details and manage the alert in the Cloud App Security portal and a link to the corresponding Cloud App
Security policy that triggered the alert.

Important: When changing the status of an alert in the Security & Compliance Center, the status of the
alert in the Cloud App Security portal won’t be updated. So, administrators must decide and communicate
where they want to manage the alerts for their organization.

24 https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies

Create new alerts from Security & Compliance Center


To create a new alert policy in the Security & Compliance Center and to check if audit logging is turned
on, follow these steps:
1. Sign in to the Security & Compliance Center and select Alerts > Alert policies from the left-side
navigation pane.
2. Select + New alert policy from the top pane to create a new alert policy.
3. On the Name your alert, categorize it, and choose a severity. page, enter the following:
●● Name for identifying the use of this alert policy.
●● Description for other administrators to understand the purpose of this alert policy.
●● Severity for a level of importance for events of these alerts.
●● Category to configure access for different roles in your organization.
4. Select Next.
5. On the Choose an activity, conditions and when to trigger the alert page, select a desired activity
and condition for the alert, then select Next.
6. On the Decide if you want to notify people when this alert is triggered page, you can specify the
recipients of the notification and the daily notification limit. Select Next.
7. On the Review your settings page, you can review the alert settings and decide to turn on the policy
right away or later. Select Finish when everything is configured as desired.

Create new alerts from PowerShell


You can create new alerts via the Security & Compliance Center PowerShell module by following these
steps:
1. Enter valid credentials and store them in a variable.
$UserCredential = Get-Credential

2. Log in with the Security & Compliance Center PowerShell module to your tenant:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

3. Import the session with the Security & Compliance Center:


Import-PSSession $Session -DisableNameChecking

4. Create a new alert policy that notifies admin@contoso.com when a content search is deleted.
New-ProtectionAlert -Name "Content search deleted" -Category Others -NotifyUser admin@contoso.com -ThreatType Activity -Operation SearchRemoved -Description "Custom alert policy to track when content searches are deleted" -AggregationType None

5. When the cmdlet has finished, you can see the settings of the new alert policy. As you can see, the status
parameter ‘Disabled’ is set to ‘false’, which means the policy is active already.
6. You can make any changes you wish by using the following cmdlet, adding the parameters you want to change.
Set-ProtectionAlert -Identity "Content search deleted"
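The threshold component described under "Alert policy components and categories", expressed with the same cmdlet as an added example that is not part of the course material: the alert fires only after the activity repeats within a time window. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) for sign-in rather than the Basic-authentication session shown above; the policy name, recipient, threshold and window are placeholder values.

```powershell
# Added example. Assumptions: the ExchangeOnlineManagement module is installed;
# the policy name, recipient address, threshold and time window are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to the Security & Compliance Center

$policyName = 'Repeated content search deletion'

# Splatting keeps the long parameter list readable and easy to review.
$alert = @{
    Name            = $policyName
    Category        = 'Others'             # decides which role groups can view the alert
    ThreatType      = 'Activity'
    Operation       = 'SearchRemoved'      # same audited activity as in step 4
    AggregationType = 'SimpleAggregation'  # alert on a count instead of on every event
    Threshold       = 3                    # number of matching events ...
    TimeWindow      = 120                  # ... within this many minutes
    Severity        = 'Medium'
    NotifyUser      = 'admin@contoso.com'
    Description     = 'Alerts when several content searches are deleted in a short time'
}

# Create the policy only if no policy with this name exists yet.
if (-not (Get-ProtectionAlert | Where-Object Name -eq $policyName)) {
    New-ProtectionAlert @alert
}

# Read back what was stored. Disabled = False means the policy is active.
Get-ProtectionAlert -Identity $policyName |
    Format-List Name, Category, Severity, Operation, Threshold, TimeWindow, NotifyUser, Disabled
```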

Viewing alerts
If you are assigned to valid RBAC roles for viewing alerts, you can navigate to the Security & Compliance
Center and view active and already acknowledged alerts.
You can perform different actions on alerts, such as:
●● Assign a status to alerts (as Investigating, Resolved, or Dismissed)
●● View alert details
●● Suppress email notifications - turn off
●● Resolve alerts
Module 3 Prepare the environment for a Microsoft Teams deployment

Upgrade from Skype for Business to Microsoft Teams
Lesson Introduction
Skype for Business Online will be retired on July 31, 2021, after which it will no longer be accessible or
supported. When an organization is still running a Skype for Business environment, the administrators
need to plan their upgrade strategy and path from Skype for Business to Teams.
In this lesson, we will cover different upgrade paths and coexistence modes during the upgrade journey
to help administrators become familiar with the ways the transition can be done and
determine the best solution for their organization.
After this lesson, you will be able to:
●● Explain different upgrade paths for coexistence and upgrade modes
●● Manage the migration for meetings
●● Configure coexistence and upgrade settings

Evaluate upgrade paths with coexistence and upgrade modes
Upgrading from Skype for Business to Teams is more than a technical migration. It represents a
transformation in how users communicate and collaborate, and change is not always easy. The ideal upgrade
approach should address the technical aspects of your upgrade as well as encourage user acceptance
and adoption of Teams, driving a positive user experience and business outcome realization.

It is recommended the transition from Skype for Business to Teams be performed in stages. You can
review the upgrade framework1 from Microsoft. It’s important to understand how the two applications
coexist, when and how they interoperate, and how to manage users’ migration all the way to their
eventual upgrade from Skype for Business to Teams.
You will need to analyze your existing environment and deployed functionalities, understand your
business requirements, and evaluate compatibility of all existing solutions and devices for moving to
Teams.
Considering the overlapping functionality between the solutions, you may need to review the available
coexistence and upgrade modes in order to determine which path is appropriate for your organization.
For example, you may decide to introduce Teams to target users with selected Teams features before
rolling out to the whole organization. You would then use the outcome from the pilot project to assess
the most appropriate upgrade path for your organization.
Keep in mind that having the option to upgrade does not mean that your organization is ready for this
upgrade. It is recommended that you test first to ensure that your network is ready to support Teams and
develop an adoption plan prior to upgrading users to Teams.

Upgrade journey building blocks


When planning the transition, you will need to familiarize yourself with the various modes, concepts,
and terminology relevant to upgrading from Skype for Business to Teams:

Skype for Business Only


In this coexistence mode, users remain in Skype for Business—not Teams—for chat, meeting, and calling
capabilities; they do not use Teams for teams and channels.
This mode can be used prior to starting a managed deployment of Teams to prevent users from starting
to use Teams before user readiness has been built. This can also be used as a way to enable authenticated
participation in Teams meetings for Skype for Business users, provided the users are licensed for
Teams.

Islands
In this coexistence mode, called “Islands”, each of the client applications operates as a separate island.
Skype for Business talks to Skype for Business, and Teams talks to Teams. Users are expected to run both
clients at all times and can communicate natively in the client from which the communication was
initiated.

Skype for Business with Teams (SfBWithTeamsCollab)


In this mode, Skype for Business is left unchanged for chat, calling, and meeting capabilities, and Teams
collaboration capabilities (teams and channels, access to files in Office 365, and applications) are added.
Teams communications capabilities (private chat, calling, and scheduling meetings) are off by default in
this mode.
This mode is a valid first step for organizations still relying on Skype for Business, that want to provide a
first insight into the collaboration capabilities of Teams for their users.

1 https://docs.microsoft.com/en-us/MicrosoftTeams/upgrade-framework

Skype for Business with Teams (SfBWithTeamsCollabAndMeetings)
In this mode, private chat and calling remain on Skype for Business. Users will use Teams to schedule and
conduct their meetings along with using Teams for teams and channels–based conversations in this
mode. This mode is also known as the “Meetings First” solution.
This coexistence mode is especially useful for organizations with Skype for Business on-premises
deployments with Enterprise Voice, who are likely to take some time to upgrade to Teams and want to benefit
from the superior Teams meetings as soon as possible.

TeamsOnly
A Teams Only user (also called an upgraded user) has access to all the capabilities in Teams. They may
retain the Skype for Business client to join meetings on Skype for Business that have been organized by
non-upgraded users or external parties. An upgraded user can continue to communicate with other users
in the organization who are still using Skype for Business by using the interoperability capabilities
between Teams and Skype for Business (provided these Skype for Business users are not in Islands mode).
However, an upgraded user can't initiate a Skype for Business chat, call, or meeting.
As soon as your organization is ready for some or all users to use Teams as their only communications
and collaboration tool, you can upgrade those users to Teams Only mode.
Note: Even if the SfBOnly mode is meant to have the collaboration features of Teams disabled, in the
current implementation, teams and channels are not automatically turned off for the user. This can be
achieved by using the App Permissions policy to hide teams and channels.
The following diagram shows different scenarios and possible paths to move workloads to Teams:

Upgrade journeys
When you are upgrading from Skype for Business to Microsoft Teams (either online or on-premises),
there are the following two approaches:
●● Direct upgrade journey
●● Gradual upgrade journey

Direct upgrade journey


In a direct upgrade journey, you first deploy Teams alongside Skype for Business in Islands mode as part of
evaluation and early adoption and then upgrade users to Teams Only mode. The goal is to quickly retire
Skype for Business from the environment for all users in the organization; it is the recommended journey
for Skype for Business Online customers (unless organizations have concerns about user adoption).
In a direct upgrade journey, Teams is deployed to all users in the organization and configured in Islands
mode. After the users have been educated about Teams functionality and scenarios, the organization decides
that Teams can replace Skype for Business. From that moment, you can upgrade the users to Teams Only
mode. At that point, Skype for Business can be retired from the environment. You can see the direct
upgrade journey illustrated in the following diagram:

If your organization currently has only a Skype for Business on-premises deployment, you need to
start planning to implement Skype for Business hybrid before upgrading your users to Teams Only
mode.

Gradual upgrade journey


A gradual upgrade journey offers coexistence and individual upgrade modes for different groups of users
(also called cohorts) based on different requirements.
In this path, Teams is deployed for the organization in Islands mode for evaluation, and different groups
of users are then moved to different coexistence modes. For example, one group of users is enabled for
Islands mode, another group of users is enabled for Skype for Business with Teams collaboration
and meetings mode, and a third group of users is enabled for Skype for Business with Teams
collaboration only mode. Over time, the organization will be ready to retire Skype for Business and use
only Teams for communications and collaboration.

While switching to different modes, you need to consider whether there are any features that are only
available in Skype for Business, e.g. a complex Enterprise Voice deployment, which might take more time to upgrade.
You can see the gradual upgrade journey illustrated in the following diagram:

For more information, see Microsoft Teams and Skype for Business coexistence and interoperability at
https://aka.ms/SkypeToTeams-Coexist.

Deployment Resources
FastTrack is a team at Microsoft designed to help IT professionals and partners get the tools, resources,
and guidance needed to move to Microsoft 365, Azure, and Dynamics 365 with confidence. That means
helping you discover what’s possible, create a plan for success, and onboard new users and capabilities at
a flexible pace.
FastTrack can provide you with personalized assistance at any time, as long as your subscription is active.
For more information about FastTrack: https://fasttrack.microsoft.com/
Take advantage of this comprehensive guide and toolset for planning and managing Microsoft Teams.
This self-service guidance serves as the methodology behind the FastTrack services for Microsoft Teams.
FastTrack provides guidance for the planning, delivery, and adoption of Microsoft Teams for your
organization when you meet FastTrack eligibility requirements.

Manage meeting migration


The Meeting Migration Service (MMS) provides updates for existing meetings in the following cases:
●● When a user is migrated from on-premises to the cloud (SfB Online or to TeamsOnly)
●● When an admin makes a change to the user’s audio-conferencing settings
●● When an online user is upgraded to Teams only
●● When you use PowerShell to trigger MMS
In each of these cases, MMS is automatically triggered (the admin can disable it at the tenant
level). Also, the admin can use a PowerShell cmdlet to manually trigger meeting migration for a user.
Note that in situations where the user’s mailbox is hosted in Exchange on-premises or the user is being
migrated from the cloud to Skype for Business Server on-premises, the users must use the Meeting Migration
Tool in order to migrate their own meetings (since in this case the MMS cannot be used).

Meeting Migration Service


When Meeting Migration Service has been triggered for a user, a migration request for that user is placed
in a queue. Once the MMS processes the request, it will perform these tasks:
1. It searches the user’s mailbox for all existing future meetings organized by that user.
2. It updates or schedules new meetings in either Teams or Skype for Business Online for that user,
depending on the information found in the user’s mailbox.
3. In the email message, it replaces the online meeting block in the meeting details.
4. It sends the updated version of that meeting to all meeting recipients on behalf of the meeting
organizer, and the meeting invitees will receive a meeting update with updated meeting coordinates
in their email.
Once the Meetings Migration Service is triggered, the meetings migration process can take up to two
hours until it is finalized. It may take longer if the user has a large number of meetings.
Note: If an error occurs during the migration process, MMS will periodically retry up to nine times over
a span of 24 hours.

Trigger MMS for a user


MMS is triggered for a user in the following scenarios:
●● User is migrated from on-premises to the cloud. This is the most common scenario where the MMS
helps to ease the transition for users. Without meeting migration, once the user is moved online, the
existing meetings organized by a user in Skype for Business Server on-premises will no longer work.
Therefore, when you use the on-premises admin tools (either Move-CsUser or the Admin Control
Panel) to move a user to the cloud, existing meetings are automatically moved to the cloud as
follows:
    ●● If the MoveToTeams switch in Move-CsUser is specified, meetings are migrated directly to Teams
    and the user will be in TeamsOnly mode. Use of this switch requires Skype for Business Server 2015
    with CU8 or later. These users can still join any Skype for Business meeting they may be invited to,
    using either the Skype for Business client or the Skype Meeting App.
    ●● Otherwise, meetings are migrated to Skype for Business Online.
●● Admin makes a change to the user’s audio-conferencing settings. In this scenario, MMS will
update existing Skype for Business and Microsoft Teams meetings in order to add, remove, or modify
dial-in coordinates:
    ●● When you assign or remove a Microsoft Audio Conferencing service license to a user, and that
    user is not enabled for a third-party audio-conferencing provider.
    ●● When you change the audio provider.
    ●● When you enable or disable audio conferencing for a user.
    ●● When you move the user to a new audio-conferencing bridge.
    ●● When a phone number from an audio-conferencing bridge is unassigned.
However, when you change the meeting organizer’s SIP address, or when you change your organization’s
meeting URL, MMS will not attempt an update.
●● Updating meetings when assigning TeamsUpgradePolicy. By default, meeting migration is auto-
matically triggered when a user is granted an instance of TeamsUpgradePolicy with mode=Team-
sOnly or mode= SfBWithTeamsCollabAndMeetings. If you do not want to migrate meetings
MCT USE ONLY. STUDENT USE PROHIBITED
Upgrade from Skype for Business to Microsoft Teams 149

when granting either of these modes, then specify MigrateMeetingsToTeams $false in-
Grant-CsTeamsUpgradePolicy (if using PowerShell) or uncheck the box to migrate meetings
when setting a user's coexistence mode (if using the Teams admin portal).
●● Admin uses PowerShell cmdlet,Start-CsExMeetingMigration. In addition to automatic
meeting migrations, admins can manually trigger meeting migration for a user by running the cmdlet
Start-CsExMeetingMigration. This cmdlet queues a migration request for the specified user. In
addition to the required Identity parameter, it takes two optional parameters, SourceMeetingType
and TargetMeetingType, which allow you to specify how to migrate meetings.

Manage MMS
By using the Skype for Business Online PowerShell module, admins can check the status of running
migrations, manually trigger meeting migrations, and disable migrations altogether.
In order to check the status of meeting migrations, you can use the Get-CsMeetingMigrationStatus
cmdlet. For example, to get a summary status of all MMS migrations, run the following cmdlet, which
provides a tabular view of all migration states:
Get-CsMeetingMigrationStatus -SummaryOnly

If you would like to check the status of migration for a user, you can use the
Get-CsMeetingMigrationStatus cmdlet with the Identity parameter. For example, to check the status of
migration for user JoniS@contoso.com, use the following cmdlet:
Get-CsMeetingMigrationStatus -Identity JoniS@contoso.com

Enable and disable MMS


MMS is enabled by default for all organizations, but it can also be disabled on different levels:
●● Disable entirely for the tenant
●● Disable only for changes related to audio conferencing (where MMS will still run when a user is
migrated from on-premises to the cloud or when you grant TeamsOnly mode or
SfBWithTeamsCollabAndMeetings mode in TeamsUpgradePolicy).
To check if MMS is enabled for your organization, run the following cmdlet. MMS is enabled if the
MeetingMigrationEnabled parameter is $true:
Get-CsTenantMigrationConfiguration

To enable or disable MMS, use the Set-CsTenantMigrationConfiguration cmdlet. For example, to
disable MMS, run the following cmdlet:
Set-CsTenantMigrationConfiguration -MeetingMigrationEnabled $false

If MMS is enabled in the organization and you want to check if it is enabled for audio conferencing
updates, check the value of the AutomaticallyMigrateUserMeetings parameter in the output
from Get-CsOnlineDialInConferencingTenantSettings. To enable or disable MMS for audio
conferencing, use Set-CsOnlineDialInConferencingTenantSettings.
For example, to disable MMS for audio conferencing, run the following cmdlet:
Set-CsOnlineDialInConferencingTenantSettings -AutomaticallyMigrateUserMeetings $false

Configure coexistence and upgrade settings


When planning your transition from Skype for Business to Teams, you will need to choose an appropriate
upgrade path and coexistence modes for a smooth transition to Microsoft Teams in your organization.
You can choose the same coexistence mode for all users and upgrade to Microsoft Teams all at once, or
you may do the migration batch by batch, configuring different coexistence modes for different groups
of users.

Set upgrade options for all users from Teams Admin Center
The following steps configure upgrade for all users within your organization:
1. Sign in to Microsoft Teams admin center, and select Org-wide settings > Teams upgrade.
2. On the Teams upgrade page, from Coexistence mode options, choose one of the following options
for your organization:
●● Islands
●● Skype for Business only
●● Skype for Business with Teams collaboration
●● Skype for Business with Teams collaboration and meetings
●● Teams only

Note: Starting September 1, 2019, all new Office 365 tenants are onboarded directly to Teams for
chat, meetings, and calling. Thus, you will not see the options to select Coexistence mode.
3. You can enable Notify Skype for Business users that an upgrade to Teams is available while not
selecting Teams only mode.
4. On the Teams upgrade page, you can select the Preferred app for users to join Skype for Business
meetings:
●● Skype Meetings app
●● Skype for Business
5. You can also enable Download the Teams app in the background for Skype for Business users.
6. Select the Save button to save your changes.

Set upgrade options for a single user from Teams Admin Center
In some scenarios, you may want to set different coexistence modes for different users. The following
steps set the upgrade options for a single user:
1. Sign in to Microsoft Teams admin center.
2. Under the Users section, find the user for whom you would like to set the upgrade options.
3. On the user page, on the Account tab, under Teams upgrade section, select Edit.
4. On the Teams Upgrade page, choose one of the following options for the selected user:
●● Use Org-wide settings
●● Islands
●● Skype for Business only
●● Skype for Business with Teams collaboration
●● Skype for Business with Teams collaboration and meetings
●● Teams only
5. Select Apply.
6. If you select any Coexistence mode (except Use Org-wide settings), you will have the option to
enable notifications in the user's Skype for Business app, which will inform the user that the upgrade
to Teams is coming soon. Enabling this for the user is done by turning on the Notify the Skype for
Business user option.

7. At the end, select the Apply button to apply your changes.

Set upgrade options from PowerShell


PowerShell is a good option for automation. To manage the transition from Skype for Business to Teams
with PowerShell, administrators can use the Grant-CsTeamsUpgradePolicy cmdlet. This cmdlet enables
admins to apply TeamsUpgradePolicy to individual users or to configure the default settings for an
entire organization.
For example, to configure the user AlexW@contoso.com to Teams in Islands mode and to notify the
user, run the following cmdlet:
Grant-CsTeamsUpgradePolicy -PolicyName IslandsWithNotify -Identity "AlexW@contoso.com"

Or, for configuring a TeamsOnly policy for the whole organization, run the following cmdlet:
Grant-CsTeamsUpgradePolicy -PolicyName TeamsOnly -Global

Plan and configure network settings for Microsoft Teams
Lesson Introduction
Before deploying Microsoft Teams in a production environment, administrators need to ensure that the
existing network infrastructure of an organization will meet the requirements needed for collaboration
and communication.
In this lesson you will learn how to make a detailed review of the current infrastructure within your
organization, check the existing network capabilities, set up ports and protocols, and configure
reporting labels. You will also learn how to test the network environment's capabilities and use Quality
of Service for network optimization.
After this lesson, you will be able to:
●● Explain the network requirements of Microsoft Teams
●● Work with the Network Planner tool
●● Utilize the Network Test Companion
●● Describe the required network ports and protocols
●● Configure reporting labels for Microsoft Teams
●● Implement Quality of Service in your environment

Overview of Teams networking requirements


Prior to the deployment of Microsoft Teams in a production environment, you need to evaluate whether
the existing network meets the networking requirements of Microsoft Teams. Make sure that you have the
required bandwidth, access to all required IP addresses, the correct ports opened, and that you’re
meeting the performance requirements for real-time media.
Microsoft Teams utilizes three types of network traffic directions:
●● Data traffic between the Office 365 Online environment and the Teams client (signaling, presence,
chat, file upload and download, OneNote synchronization)
●● Peer-to-peer real-time communications traffic (audio, video, desktop sharing)
●● Conferencing real-time communications traffic (audio, video, desktop sharing)
This affects the network data flow at two levels:
1. Directly between the Teams clients in peer-to-peer situations
2. Between the Office 365 environment and the Teams clients for meetings
Therefore, to ensure optimal traffic flow, traffic must be allowed to flow between the internal network
segments, such as between sites over the wide area network (WAN) as well as between the network sites
and Office 365. Not opening the correct ports or actively blocking specific ports will lead to a degraded
experience.

Considerations for network capabilities


When analyzing the existing network capabilities, consider the following areas in your network
assessment:

| Area | Description | Best practices |
| --- | --- | --- |
| Connectivity to Office 365 | Connectivity of a client in the company network to the Office 365 services. | No Firewall and proxy blockers. All required DNS names must be resolved correctly, and IP-addresses must be reachable. |
| Quality of the network connectivity | The quality of an established connection, measured in values, such as latency, jitter, and packet-loss rates. | Existing networking hardware must provide a stable connection with as few active networking devices between a client and Office 365 as possible; each active networking device adds additional latency and raises the chance of connectivity quality issues. |
| Available bandwidth | The bandwidth available for network communication to Office 365. | The required bandwidth of Teams depends on the required functionalities and number of clients on a company location. You should analyze the maximum number of concurrent participants and multiply this number with the provided utilized Teams functionalities. |
| Clients connected over wireless | Clients connected over a wireless connection, such as company Wi-Fi networks and hot spots. | Wi-Fi solutions are vulnerable for high latency and possibly higher packet-loss if not prepared for real-time services, such as voice and video communication. Additionally, the network coverage must provide enough bandwidth even between access points and on the edges. |
| Intrusion detection (IDS) and prevention systems (IPS) | Firewalls can use IDS and IPS capabilities to analyze the payload of data packages for attack signatures. | If any environment uses IDS and IPS solutions, make sure all traffic between your environment and Office 365 is whitelisted and excluded from scanning. |
| NAT Pool Size | Network Address Translation (NAT) provides access to multiple internal system by using a single public IP-address. | When multiple users/devices access Office 365 using Network Address Translation (NAT) or Port Address Translation (PAT), you need to ensure that the devices hidden behind each publicly routable IP address do not exceed the supported number. |
| Network health determination | It is important that you perform network health test before Teams deployment in your organization. | When planning on the implementation of Microsoft Teams within your network, you must ensure having sufficient bandwidth, accessibility to all required IP addresses, the configuration of ports, and meeting the performance requirements for real-time media. |
| VPN | Provides encryption tunnel between endpoints, such as remote user and corporate network. | VPNs are not designed to support real-time media and introduce an extra layer of encryption on top of media traffic that’s already encrypted. In addition, connectivity to the Teams service might not be efficient due to hair-pinning traffic through a VPN device. The recommendation is to provide an alternate path that bypasses the VPN for Teams traffic. This is commonly known as split-tunnel VPN. |
| Wi-Fi | Wi-Fi networks are commonly used in organizations as addition to the wired networks | Wi-Fi networks aren’t necessarily designed or configured to support real-time media. Implementing QoS or Wi-Fi Multimedia (WMM) will ensure that media traffic is getting prioritized accordingly over the Wi-Fi networks. You should plan and optimize the Wi-Fi bands and access point placement. Implement band steering and ensure the access points that are next to each other are on channels that don’t overlap. |
| Proxy servers | Allow content inspection and Internet traffic control. | It is recommended that proxy servers are bypassed. Performance-related problems can be introduced into the environment through latency and packet loss. Issues such as these will result in a negative experience in Teams or Skype for Business audio and video scenarios, where real-time streams are essential. It is also recommended that organizations use external DNS resolution, direct UDP based routing, and allow UDP traffic. |

Plan for your network requirements


When evaluating the existing network environment, hard limitations such as blocked IP addresses, faulty
name resolution through DNS, and blocked ports are fast to spot, because certain Teams features will
simply not work at all when IP addresses or ports are closed. Discovering bandwidth, latency or
packet-loss issues is more complicated, because they may appear only under special circumstances, for
example, if a high number of users are using voice communication at the same time. Therefore, when
planning the network requirements for a Teams deployment, you must calculate the maximum number of
concurrent users, including a reasonable buffer.
The following table shows the recommended network capabilities in packet transmission quality:

| Value | Client to Microsoft Edge (without SfB Hybrid) | Customer Edge to Microsoft Edge (incl. SfB Hybrid) |
| --- | --- | --- |
| Latency (one way) | < 50ms | < 30ms |
| Latency (RTT or Round-trip Time) | < 100ms | < 60ms |
| Burst packet loss | <10% during any 200ms interval | <1% during any 200ms interval |
| Packet loss | <1% during any 15s interval | <0.1% during any 15s interval |
| Packet inter-arrival Jitter | <30ms during any 15s interval | <15ms during any 15s interval |
| Packet reorder | <0.05% out-of-order packets | <0.01% out-of-order packets |

Besides quality, you must also consider the available bandwidth for your clients. The following table
shows the estimated minimum required bandwidth for different scenarios of client communication:

| Bandwidth (up/down) | Scenarios |
| --- | --- |
| 30 kbps | Peer-to-peer audio calling |
| 130 kbps | Peer-to-peer audio calling and screen sharing |
| 500 kbps | Peer-to-peer quality video calling 360p at 30fps |
| 1.2 Mbps | Peer-to-peer HD quality video calling with resolution of HD 720p at 30fps |
| 1.5 Mbps | Peer-to-peer HD quality video calling with resolution of HD 1080p at 30fps |
| 500 kbps / 1 Mbps | Group Video calling |
| 1 Mbps / 2 Mbps | HD Group video calling (540p videos on 1080p screen) |

For more information, see Prepare your organization's network for Microsoft Teams [2] or go to
https://aka.ms/PerformanceRequirements.
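
The "during any interval" limits in the quality table can be met on average and still be missed in a short window. The following added example (not part of the course material) slides 200 ms and 15 s windows over a constructed probe capture and compares the worst window with both columns of the table; the probe record layout and the function names are assumptions.

```powershell
# Added example: the probe records below are constructed, not measured.
# One probe every 20 ms for 30 s, with three consecutive losses starting at t = 12 s.
$probes = foreach ($i in 0..1499) {
    [pscustomobject]@{
        SentMs   = $i * 20
        Received = ($i -lt 600 -or $i -gt 602)
        OneWayMs = 22 + ($i % 5)    # constructed one-way latency, 22 to 26 ms
    }
}

# Limits copied from the quality table (each one is a strict "less than").
$limits = [ordered]@{
    'Client to Microsoft Edge'        = @{ OneWayMs = 50; BurstLossPct = 10; LossPct = 1 }
    'Customer Edge to Microsoft Edge' = @{ OneWayMs = 30; BurstLossPct = 1;  LossPct = 0.1 }
}

function Get-WorstWindowLoss {
    # Highest loss percentage in any full window of $WindowMs, using a two-pointer
    # sweep. Assumes probes are sent at a constant interval.
    param([object[]] $Probe, [int] $WindowMs)
    $sorted = @($Probe | Sort-Object SentMs)
    if ($sorted.Count -lt 2) { throw 'Need at least two probes' }
    $step = $sorted[1].SentMs - $sorted[0].SentMs
    $captureEnd = $sorted[-1].SentMs + $step
    if ($captureEnd - $sorted[0].SentMs -lt $WindowMs) {
        throw "Capture is shorter than the $WindowMs ms window"
    }
    $worst = 0.0; $end = 0; $lost = 0
    for ($start = 0; $start -lt $sorted.Count; $start++) {
        $limit = $sorted[$start].SentMs + $WindowMs
        if ($limit -gt $captureEnd) { break }         # only full windows count
        while ($end -lt $sorted.Count -and $sorted[$end].SentMs -lt $limit) {
            if (-not $sorted[$end].Received) { $lost++ }
            $end++
        }
        $pct = 100.0 * $lost / ($end - $start)
        if ($pct -gt $worst) { $worst = $pct }
        if (-not $sorted[$start].Received) { $lost-- } # slide the window start forward
    }
    $worst
}

function Test-MediaPathQuality {
    # Compares the worst observed values with the limits for each path.
    param([object[]] $Probe, [System.Collections.IDictionary] $Limit = $limits)
    $measured = [ordered]@{
        OneWayMs     = ($Probe | Where-Object Received | Measure-Object OneWayMs -Maximum).Maximum
        BurstLossPct = Get-WorstWindowLoss -Probe $Probe -WindowMs 200
        LossPct      = Get-WorstWindowLoss -Probe $Probe -WindowMs 15000
    }
    foreach ($path in $Limit.Keys) {
        foreach ($metric in $measured.Keys) {
            [pscustomobject]@{
                Path     = $path
                Metric   = $metric
                Measured = [math]::Round($measured[$metric], 2)
                Limit    = $Limit[$path][$metric]
                Pass     = $measured[$metric] -lt $Limit[$path][$metric]
            }
        }
    }
}

Test-MediaPathQuality -Probe $probes | Format-Table -AutoSize
```

In the constructed capture, three lost probes out of 1,500 look harmless as an overall rate, but the same three losses fall inside one 200 ms window and exceed the burst limit on both paths.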

Use the Network Planner


Network Planner is a tool in the Teams admin center, which is designed to assist the admin to determine
and organize network requirements for connecting Microsoft Teams users across the whole organization.
You can access the tool by going to Microsoft Teams admin center > Planning > Network planner.
After providing network details and Teams usage, the Network Planner calculates the network
requirements for deploying Teams and cloud voice across the organization’s physical locations.

With Network Planner you can:


●● Create representations of your organization using sites and Microsoft recommended personas (office
workers, remote workers and Teams room system devices).
●● Generate reports and calculate bandwidth requirements for Teams usage
In order to use the Network Planner, you must have one of the following roles:
●● Global administrator
●● Teams admin
●● Teams communication administrator

Create a custom persona


To create a custom persona in your network plan, perform the following steps:
1. Sign in to Microsoft Teams admin center.
2. Navigate to Planning > Network Planner.

2 https://docs.microsoft.com/en-us/microsoftteams/prepare-network
3. On the Network Planner page, select the Personas section, review the default personas, and then
select Add persona if you’d like to add a custom persona.
4. On the Add persona page, provide the persona name and description. Under the Permissions section,
select from the following services: Audio, Video, Screen sharing, File sharing, Conference audio,
Conference video, Conference screen sharing and PSTN.
5. Select Apply.

Build your plan


In order to build your network plan, perform the following steps:
1. Sign in to Microsoft Teams admin center.
2. Navigate to Planning > Network Planner.
3. On the Network Planner page, under Network Plans section, select Add.
4. On the Network Plan name page, enter the name for the network plan (for example NY Teams
network plan), an optional description, and select Apply.
5. The newly created network plan will appear under the Network Plans section. Select the plan you
created.
6. On the plan page, for example NY Teams network plan, under Network Sites section, select Add a
network site.
7. On the Add a network site page, enter the following information and then click Save:
●● Name of the network site
●● Network site address
●● Network settings – IP address subnet and network range
●● Express route or WAN connection
●● Internet egress
●● Internet link capacity
●● PSTN egress (VoIP only or local)
●● An optional description

Create a report
In order to create a report based on your network plan, perform the following steps:
1. Sign in to Microsoft Teams admin center.
2. From the left navigation pane, select Planning, and then select Network Planner.
3. On the Network Planner page, under Network Plans section, select your network plan (for example,
NY Teams network plan).
4. On the plan page, select Report, and then select Add report.
5. On the Add report page, enter the report name, and in the Calculation section, choose the type of
persona, such as Office Worker or Remote Worker, and the number of each persona type.
6. Select Generate report.
7. On the report page, review the report including Type of service, and required bandwidth for different
services, such as Audio, Video, Screenshare, Office 365 server traffic and PSTN.
Use the Network Testing Companion


The Skype for Business and Microsoft Teams Network Testing Companion is a tool that Teams
administrators can use to simulate user sessions and traffic for testing the available network quality
and connection settings for using Skype for Business Online and Microsoft Teams. These tests cover
several areas, such as overall connectivity to Office 365 on required ports, whether certified devices
are connected to the client, and whether the network quality meets the official minimum requirements
for real-time voice communication.
The Network Testing Companion provides results for exporting and sharing with other network
administrators or partners, in order to create a documented, detailed overview of the existing network
environment's quality. The Companion also helps discover potential issues related to the organization’s
network and connectivity to Teams.
This tool can also be used during the assessment and planning process of Microsoft Teams deployment.
If you are using Teams now, you can also use this tool to troubleshoot voice quality issues or analyze the
network connection before users make a call.
The following picture shows the graphical interface of the Network Testing Companion:

The Network Testing Companion is available from the PowerShell Gallery [3].

Install the Network Testing Companion


Perform the following steps to install the Skype for Business and Microsoft Teams Network Testing
Companion:
1. Run Windows PowerShell as Administrator.
2. Run the following cmdlet:
●● Install-Module NetworkTestingCompanion
3. After the PowerShell module has been installed, create shortcuts for opening the tool by running the
following cmdlet:
●● Invoke-ToolCreateShortcuts

3 https://www.powershellgallery.com/packages/NetworkTestingCompanion/1.5.4
4. To start the Network Testing Companion, you can select the icon on your desktop or Start menu, or
you can run it from the PowerShell by using the following cmdlet:
●● Invoke-NetworkTestingClient
Note: Even though more cmdlets are available than those for creating the shortcuts and starting the
tool, it is recommended to use the graphical interface for performing assessments.
Start the Network Testing Companion via PowerShell or shortcut to test your machine:
1. Run the Network Testing Companion from your desktop or Start menu, or via PowerShell.
2. The tests on the left side are performed automatically during startup of the tool. Review the results for
your Windows operating system, Internet connection, Microsoft Teams or Skype-certified
device and Network Assessment Tool. If any of the tests reports unexpected issues, document the
results and make sure your client meets the basic requirements.
3. To perform a connectivity and quality test, select the Start button on the right side, below Network
connectivity and quality test. This will start a basic test with the default parameters. When the test is
completed, a green checkmark or a red cross shows whether your client meets the minimum
requirements or not.
4. Select the View Results tab to review network connectivity and network quality data. If the tests have
been successful, you can see the details of the network quality test. If the quality tests have failed or if
the test results don’t meet the minimum requirements, you will see a red cross.

5. On the same tab, you can also export the test results by selecting Report, to the left of the results.
6. Under Network connectivity and quality test, on the Settings tab, you can edit the tool settings,
such as consecutive audio tests, delay between tests and connectivity test timeout.

Best practices for using the Network Testing Companion


When performing network assessments, the Network Testing Companion can be essential to discovering
network segments with performance issues or firewall configuration issues. You should follow some
recommendations when using the test tool to find any bottlenecks in an existing networking
environment:
●● Perform multiple tests at different times of the day and on different days of the week. There are
periods with lots of traffic and other periods when a network is mostly idling. Perform multiple tests in
your testing scenario to cover idle periods as well as busy periods, to avoid having large file transfers
in company networks interfering with your Teams voice traffic.
●● Deploy multiple clients with the Network Testing Companion spread across different segments of your
network. A segment may be capable of providing networking resources for a small number of clients,
but as soon as five or more users attempt to use voice services at the same time, it may break down.
To perform concurrent tests in different segments, the Network Testing Companion provides
customizable settings that allow you to run, for example, 50 tests with a delay of two minutes between
each run. This provides the ability to simulate heavy voice communication loads coming from multiple
network segments.
●● Run tests on all standard images available in your organization. One or more of the default clients
may be affected by orphaned GPOs or a third-party application that interferes with voice
communication, which can result in quality or connectivity issues.
●● Stay in close contact with your networking team while carrying out your planned test scenarios.
Provide the reports from the Network Testing Companion tool and discuss the network requirement
to deploy Microsoft Teams with the networking team. The networking team should have advanced
tools and monitoring system to validate the network configuration.
The Network Testing Companion is a simple but at the same time very powerful tool to test an existing
network environment for bottlenecks and sources of disturbance. Plan your assessment scenarios
carefully and consider the best practices for best results.

Configure network ports and protocols


All clients that use Office 365 cloud-based services, including Microsoft Teams, need to connect to the
Office 365 endpoints. Office 365 endpoints represent the set of destination IP addresses, DNS domain
names, and URLs for Office 365 traffic on the Internet.
Different Office 365 clients and devices connect to Office 365 services through multiple network paths
and network equipment, including switches, routers, proxy servers and firewalls. Therefore, to optimize
the performance to Office 365 cloud-based services, the network admins should configure network
equipment according to the Office 365 endpoints requirement.
For Teams to function correctly, you must open TCP ports 80 and 443 and UDP ports 3478 through 3481
from the clients to the internet. The TCP ports are used to connect to web-based content such as
SharePoint Online, Exchange Online, and the Teams Chat services. Plug-ins and connectors also connect
over these TCP ports. The four UDP ports are used for media such as audio and video, to ensure they
flow correctly.

| Scenario | Source IP/Port | Destination IP/Port |
| --- | --- | --- |
| Non real-time traffic | Client IP / High ports | Office 365 / 80, 443 TCP |
| Real time media traffic | Client IP / 50,000-50,059 UDP | Transport Relays / 3478-3481 UDP |

Office 365 endpoint changes


In addition to selecting appropriate configuration for your network perimeter, it is critical that you adopt
a change management process for Office 365 endpoints. These endpoints change regularly. If you do not
manage these changes, you can end up with users blocked or with poor performance after a new IP
address or URL is added in Office 365, but the firewall team has not been informed.
Endpoints data is updated at the beginning of each month with new IP Addresses and URLs published 30
days in advance of being active. Endpoints may also be updated during the month if needed to address
support escalations, security incidents, or other immediate operational requirements. You can use RSS
feeds or the Office 365 IP Address and URL Web Service to get change notification.
It is recommended that you call the /version web method once an hour to check the version of the
endpoints that you are using to connect to Office 365. If this version changes when compared to the
current version in use, you should get the latest endpoint data from the /endpoints web method and
optionally get the differences from the /changes web method. It is not necessary to call the /endpoints
or /changes web methods if there has not been any change to the version you identified. You can also
get change notifications by using an RSS feed that can be subscribed to in Outlook. There are links to the
RSS URLs on each of the Office 365 service instance-specific pages for the IP addresses and URLs.
Examples:
●● The following URL returns the latest version of each Office 365 service instance:
https://endpoints.office.com/version [4]
●● To access the current Office endpoint data for worldwide tenants, simply check the following URL:
https://endpoints.office.com/endpoints/worldwide [5]
●● To get all the latest changes since July 2018 when the web service was first available, use
https://endpoints.office.com/changes/worldwide/0000000000 [6]
Organizations can use this web service to:
●● Update PowerShell scripts to obtain Office 365 endpoint data and modify any formatting for network-
ing devices, such as firewalls.
●● Use this information to update PAC files deployed to client computers.
For more information, refer to the following documentation:
●● Office 365 IP Address and URL web service [7]
●● Office 365 URLs and IP address ranges [8]
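
The version check and endpoint refresh described above can be tied to the firewall allow-list so that each change surfaces both rules that are missing and rules that are no longer published. The following is an added example, not Microsoft's script: the two JSON payloads and the allow-list are constructed stand-ins for the /version and /endpoints responses, the function names and the "protocol port CIDR" key format are assumptions, and the JSON field names (instance, latest, serviceArea, required, ips, tcpPorts, udpPorts) follow the web service's response format, in which Teams is published under the "Skype" service area.

```powershell
# Added example. All payloads and the allow-list are constructed sample data that
# use RFC 5737 documentation ranges; they are not real Office 365 endpoint data.

# Constructed stand-in for the body returned by https://endpoints.office.com/version
$sampleVersionJson = @'
[ { "instance": "Worldwide", "latest": "2020020100" },
  { "instance": "China",     "latest": "2020010100" } ]
'@

# Constructed stand-in for the body returned by https://endpoints.office.com/endpoints/worldwide
$sampleEndpointsJson = @'
[ { "id": 11, "serviceArea": "Skype", "required": true,
    "ips": ["192.0.2.0/24", "198.51.100.0/24"], "udpPorts": "3478,3479,3480,3481" },
  { "id": 12, "serviceArea": "Skype", "required": true,
    "urls": ["teams.contoso.example"], "ips": ["203.0.113.0/24"], "tcpPorts": "80,443" },
  { "id": 1, "serviceArea": "Exchange", "required": true,
    "ips": ["203.0.113.128/25"], "tcpPorts": "80,443" } ]
'@

function Get-EndpointRuleKey {
    # Flattens the required endpoint sets of one service area into
    # "protocol port CIDR" keys, one per firewall rule that would be needed.
    param(
        [Parameter(Mandatory)] [object[]] $Endpoint,
        [string] $ServiceArea = 'Skype'
    )
    foreach ($set in $Endpoint) {
        if ($set.serviceArea -ne $ServiceArea -or -not $set.required) { continue }
        $ips = $set.PSObject.Properties['ips']
        if (-not $ips) { continue }                  # URL-only sets carry no CIDRs
        foreach ($proto in 'tcp', 'udp') {
            $ports = $set.PSObject.Properties["${proto}Ports"]
            if (-not $ports -or -not $ports.Value) { continue }
            foreach ($cidr in $ips.Value) {
                foreach ($port in $ports.Value -split ',') {
                    '{0} {1} {2}' -f $proto, $port.Trim(), $cidr
                }
            }
        }
    }
}

function Compare-EndpointAllowList {
    # Checks /version first; parses /endpoints only when the version moved on.
    param(
        [Parameter(Mandatory)] [string] $VersionJson,
        [Parameter(Mandatory)] [string] $EndpointsJson,
        [Parameter(Mandatory)] [string] $AppliedVersion,
        [string[]] $AllowList = @(),
        [string] $Instance = 'Worldwide'
    )
    $versions  = ConvertFrom-Json -InputObject $VersionJson
    $published = $versions | Where-Object { $_.instance -eq $Instance }
    if (-not $published) { throw "Instance '$Instance' not found in the version data" }
    if ([long]$published.latest -le [long]$AppliedVersion) {
        return [pscustomobject]@{ Changed = $false; Latest = $published.latest; Missing = @(); Stale = @() }
    }
    $endpoints = ConvertFrom-Json -InputObject $EndpointsJson
    $wanted = @(Get-EndpointRuleKey -Endpoint $endpoints | Select-Object -Unique)
    [pscustomobject]@{
        Changed = $true
        Latest  = $published.latest
        Missing = @($wanted | Where-Object { $_ -notin $AllowList })     # published, not yet allowed
        Stale   = @($AllowList | Where-Object { $_ -notin $wanted })     # allowed, no longer published
    }
}

# Constructed allow-list as last recorded by the firewall team.
$allowList = @(
    'udp 3478 192.0.2.0/24', 'udp 3479 192.0.2.0/24', 'udp 3480 192.0.2.0/24', 'udp 3481 192.0.2.0/24',
    'tcp 443 203.0.113.0/24',
    'udp 3478 203.0.113.64/26'
)
$result = Compare-EndpointAllowList -VersionJson $sampleVersionJson -EndpointsJson $sampleEndpointsJson `
    -AppliedVersion '2020010100' -AllowList $allowList
"Published version $($result.Latest), changed: $($result.Changed)"
'Missing from the allow-list:'; $result.Missing
'Stale entries in the allow-list:'; $result.Stale
```

Where the same allow-list also drives IDS/IPS scanning exclusions, the stale entries deserve review first, because they exempt addresses that are no longer published as Office 365 endpoints.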

Configure reporting labels for Microsoft Teams


You can use Reporting labels in your organization to organize the physical locations of offices, buildings,
as well as the organizational sites. In the Microsoft Teams admin center under the Reporting labels page,
you can upload a text file (.csv or .tsv) containing a list of physical locations and their associated network
subnets. This document is used for generating reports for Call Analytics and the Call Quality
Dashboard. After you have uploaded your subnet mapping, the reports provided by these services will
contain the location names, which will make the reports easier to interpret and understand.
The report labels and locations data you provide is a single data structure (there is currently no user
interface available to make individual edits to the data).
To configure the table of subnets and locations, perform the following steps:
1. Sign in to Teams admin center.

4 https://endpoints.office.com/version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
5 https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
6 https://endpoints.office.com/changes/worldwide/0000000000?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
7 https://docs.microsoft.com/en-us/office365/enterprise/managing-office-365-endpoints
8 https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
2. From the left navigation pane, select Locations, and then select Reporting labels.
3. On the Reporting labels page, select Upload locations data, and then select Select a file.
4. Browse for a file, select Open, and then select Upload.
The table below is just an example that you can follow to create your data file.

Note: A production data file should not contain column headers (e.g. Network, Network Name, etc.). The headers in the above table are used here for informational purposes only.

Implement Quality of Service (QoS)


Quality of Service (QoS) is a mechanism you use to prioritize certain types of network traffic. QoS is a
way to allow real-time network traffic (like voice or video streams) that is sensitive to network delays to
“cut in line” ahead of traffic that is less sensitive (like downloading a new app, where an extra second to
download is negligible). QoS identifies and marks all packets in real-time streams (using Windows Group
Policy Objects and a routing feature called Port-based Access Control Lists - more about this below)
which then helps your network to grant voice, video, and screen share streams a dedicated portion of
network bandwidth.
The following are typical issues in voice and video communication when QoS is not implemented:
●● Jitter describes the occurrence where media arrives at different rates which results in missing words
or syllables in calls.
●● Packet loss describes the occurrence where packets in a data transfer are dropped and missing. This
will cause lower voice quality and speech that is difficult to understand.
●● Delayed round trip time (RTT) describes media packets requiring a longer time to reach their
destinations. Users will experience noticeable delays between two parties in a conversation, causing
people to speak at the same time.
One way to solve these network quality issues is to increase the overall available bandwidth for data connections, both internal and to the internet. However, quality issues arise when certain real-time applications get too little bandwidth while other services, such as mass file transfers, consume the majority of the available bandwidth. To solve these quality issues, you can manage the bandwidth with Quality of Service technologies.
In most cases, the implementation of QoS is considered either during the planning and assessment phase or during the deployment of Microsoft Teams voice communication. Once QoS is implemented, you can evaluate it for troubleshooting purposes when issues occur for end users. You should work with the networking team and consider using the Teams reporting capabilities, such as Call Analytics and Call Quality Dashboard, to identify the issues and adjust the QoS settings.
Implement QoS
To provide QoS, network devices must have a way to classify traffic and be able to distinguish voice or video from other network traffic. When network traffic passes through a router, it is placed into a queue. If a QoS policy is not configured, there is just one queue and all traffic is treated as first-in, first-out with the same priority.
When you implement QoS, you define multiple queues using one of several congestion management
features and congestion avoidance features. The following diagram illustrates building queues for
different types of traffic:

A simple analogy is that QoS creates virtual “carpool lanes” in your data network so some types of data
never or rarely encounter a delay. Once you create those lanes, you can adjust their relative size and
much more effectively manage the connection bandwidth you have, while still delivering business-grade
experiences for your organization's users. The following is a high-level overview for implementing QoS:
1. Verify if your network is ready for QoS
2. Select the desired QoS implementation method
3. Choose initial port ranges for each media type
4. Implement QoS settings on clients, routers and in Teams Admin center
5. Validate the QoS implementation by analyzing Teams traffic on the network

Verify if a network is ready for QoS


Using QoS requires all network devices to be managed and QoS capable. If an organization’s network is unmanaged and does not support QoS, it may be necessary to replace network devices in the existing network with managed, QoS-capable devices.
Additional VPN considerations
QoS only works as expected when implemented on all links between callers. If you use QoS on an internal
network and a user signs in from a remote location, you can only prioritize within your internal, managed
network. Although remote locations can receive a managed connection by implementing a virtual private
network (VPN), a VPN inherently adds packet overhead and creates delays in real-time traffic. It is
recommended that you avoid running real-time communications traffic over a VPN.
In a global organization with managed links that span continents, we strongly recommend QoS, as
bandwidth for those links is limited in comparison to the LAN.

Select a QoS implementation method


There are different methods for implementation of QoS based on different situations:
1. Access Control Lists (ACLs)

You could implement QoS via port-based tagging, using Access Control Lists (ACLs) on your network routers. Port-based tagging is the most reliable method because it works universally throughout all platforms, such as mixed Windows and Mac environments, and is the easiest method to implement. Your network's router examines an incoming packet. If the packet arrived using a certain port or range of ports, it identifies it as a certain media type and puts it in the queue for that type, adding a predetermined differentiated services code point (DSCP) marker to the IP Packet header so other devices can recognize its traffic type and prioritize it in their queue.
2. Group Policy Object (GPO)

You could also implement QoS by using a Group Policy Object (GPO) to direct client devices to insert a DSCP marker in the IP packet headers identifying it as a particular type of traffic, such as voice. Routers and other network devices can be configured to recognize this and put the traffic in a separate, higher-priority queue. This scenario works only for domain-joined Windows clients, so in the event a device isn’t a domain-joined Windows client, it will not be enabled for DSCP tagging.
Clients such as Mac OS have hard-coded tags and will always tag traffic. In this case, controlling the DSCP marking via GPO ensures that all domain-joined computers receive the same settings and that they can be managed only by the designated administrator. Clients that can use a GPO will be tagged on the originating device. Configured network devices can recognize the real-time stream by the DSCP code and give it an appropriate priority.
3. Access Control Lists (ACLs) and Group Policy Object (GPO) combined

It is recommended to use a combination of DSCP markings at the endpoint and port-based ACLs on routers, if possible. Using a Group Policy object to catch the majority of clients and also using port-based DSCP tagging will ensure that mobile, Mac, and other clients will still get QoS treatment.
The most important configuration step in Teams is the classification and marking of packets. For end-to-end QoS to be successful, you also need to carefully align the application’s configuration with the underlying network configuration.

Choose initial port ranges for each media type


The DSCP value tells the corresponding configured network what priority to give a packet or stream, whether the DSCP mark is assigned by clients or by the network itself, based on ACL settings. Each media workload gets its own unique DSCP value (other services might allow workloads to share a DSCP marking, but Teams does not) and a defined and separate port range used for each media type.
The following table shows the required DSCP markings and the suggested corresponding media port ranges used by both Teams and ExpressRoute.
| Media traffic type | Client source port range | Protocol | DSCP value | DSCP class |
|---|---|---|---|---|
| Audio | 50,000–50,019 | TCP/UDP | 46 | Expedited Forwarding (EF) |
| Video | 50,020–50,039 | TCP/UDP | 34 | Assured Forwarding (AF41) |
| Application/Screen Sharing | 50,040–50,059 | TCP/UDP | 18 | Assured Forwarding (AF21) |

Note: The port ranges you assign cannot overlap and must be adjacent to each other.

Implement QoS in the Teams admin center


Teams administrators can activate and deactivate QoS for a tenant in the Teams admin center and configure the port range for each type of real-time media traffic. While the port ranges can be adjusted, the DSCP markings cannot be changed. Implement your required settings in the Teams admin center under Meetings > Meeting settings, in the Network area.
If you select Automatically use any available ports, available ports between 1024 and 65535 are used.
Use this option only when not implementing QoS. Selecting a port range that is too narrow will lead to
dropped calls and poor call quality. The default values should be used at minimum.
Note: Turning on Insert Quality of Service (QoS) markers for real-time media traffic will also enable
communication to the Transport Relay with UDP ports 3479 (Audio), 3480 (Video) and 3481 (Sharing).

Validate the QoS implementation


For QoS to be effective, the DSCP value set by the Group Policy object needs to be present at both ends of a call. By analyzing the traffic generated by the Teams client, you can verify that the DSCP value has not been changed or stripped out as the Teams workload traffic moves through the network.
It is also recommended that you use Call Analytics and the Call Quality Dashboard to evaluate your changes.
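
The traffic check described above, as an added example that is not part of the course material: it parses raw IPv4 packets, reads the DSCP from the upper six bits of the DS field, and compares it with the value the port-range table assigns to the packet's source port. It also checks the rule that port ranges cannot overlap and must be adjacent. The function names are hypothetical and the packets are constructed samples, not captured traffic.

```python
import struct

# QoS plan from the table above: (media type, first port, last port, DSCP value).
QOS_PLAN = [
    ("audio", 50000, 50019, 46),    # Expedited Forwarding (EF)
    ("video", 50020, 50039, 34),    # Assured Forwarding (AF41)
    ("sharing", 50040, 50059, 18),  # Assured Forwarding (AF21)
]


def check_plan(plan):
    """Return problems in a port plan: ranges must not overlap and must be adjacent."""
    problems = []
    ordered = sorted(plan, key=lambda row: row[1])
    for name, first, last, dscp in ordered:
        if not (1 <= first <= last <= 65535):
            problems.append(f"{name}: invalid port range {first}-{last}")
        if not 0 <= dscp <= 63:
            problems.append(f"{name}: DSCP {dscp} does not fit in six bits")
    for (a, _, a_last, _), (b, b_first, _, _) in zip(ordered, ordered[1:]):
        if b_first <= a_last:
            problems.append(f"{a} and {b} overlap")
        elif b_first != a_last + 1:
            problems.append(f"{a} and {b} are not adjacent")
    return problems


def parse_packet(packet):
    """Return (dscp, source_port) for an IPv4 TCP/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # truncated or not IPv4
    header_len = (packet[0] & 0x0F) * 4   # IHL is counted in 32-bit words
    fragment_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if header_len < 20 or packet[9] not in (6, 17) or fragment_offset:
        return None                       # bad IHL, other protocol, or later fragment
    if len(packet) < header_len + 2:
        return None                       # no room for the source port
    dscp = packet[1] >> 2                 # upper six bits of the DS field; low two are ECN
    (source_port,) = struct.unpack("!H", packet[header_len:header_len + 2])
    return dscp, source_port


def audit(packets, plan=QOS_PLAN):
    """List packets in a media port range whose DSCP differs from the plan."""
    findings = []
    for index, packet in enumerate(packets):
        parsed = parse_packet(packet)
        if parsed is None:
            continue
        dscp, port = parsed
        for name, first, last, expected in plan:
            if first <= port <= last and dscp != expected:
                findings.append((index, name, port, dscp, expected))
    return findings


def build_packet(dscp, source_port, ecn=0):
    """Constructed sample: 20-byte IPv4 header plus an empty UDP datagram."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, (dscp << 2) | ecn, 28, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]),  # documentation addresses
    )
    return ip_header + struct.pack("!HHHH", source_port, 3479, 8, 0)


# Constructed capture, not real traffic.
SAMPLE_PACKETS = [
    build_packet(46, 50004),         # audio, marked as planned
    build_packet(0, 50025),          # video, marking stripped on the way
    build_packet(34, 50045),         # sharing range carrying the video value
    build_packet(0, 443),            # outside the media ranges, ignored
    build_packet(18, 50059, ecn=1),  # sharing, correct even with ECN bits set
]

if __name__ == "__main__":
    print(check_plan(QOS_PLAN) or "port plan is consistent")
    for index, name, port, seen, expected in audit(SAMPLE_PACKETS):
        print(f"packet {index}: {name} port {port} has DSCP {seen}, expected {expected}")
```

Running the same audit on packets captured at each end of a call shows where a marking is lost: a value that is correct at the sender and 0 at the receiver points at a device in between that re-marks traffic.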

Migrate a QoS solution to Teams


If your organization has already deployed Skype for Business Online (including QoS tagging and port
ranges) and you now plan to deploy Teams, Teams will use the same port ranges and tagging as the
Skype for Business client. In most cases, no additional configuration will be needed.
Note: If you have deployed Application Name QoS tagging via Group Policy, you will need to add Teams.exe as an application name.
Deploy and Manage Microsoft Teams endpoints

Lesson Introduction
Microsoft Teams is an application that lets users stay connected no matter which type of device or operating system they work on. Users can work with Teams on desktop clients available for Windows and Mac, as well as web clients and mobile clients for Android and iOS. There are also many different Teams devices, such as conference phones, headsets, speakerphones, cameras and conference rooms. Employees use Teams from their devices to attend meetings, share files and join conversations from anywhere, while you as an admin create a secure and well-managed collaboration environment.
In a modern communication and collaboration environment, Teams administrators are responsible for managing a wide range of devices. Therefore, you will learn how to install and manage the Microsoft Teams client on different operating systems and devices. You will also learn how to deploy and configure the Microsoft Teams Rooms system, a solution that includes audio, video and content sharing for conference rooms.
After this lesson, you will be able to:
●● Deploy Microsoft Teams to devices
●● Manage device settings and firmware
●● Manage configuration profiles
●● Configure Microsoft Teams Rooms

Deploy Microsoft Teams clients to devices


There are different ways to deploy Teams clients based on devices.

Deploy Teams desktop clients


The desktop client is available for the following operating systems:
●● Windows (8.1 or later) and Windows Server (2012 R2 or later), 32-bit and 64-bit versions
●● macOS 10.10 and later
●● Linux .deb and .rpm formats
As a Teams administrator, you can choose your preferred method to distribute the installation files to
computers in your organization. For example, you can use Microsoft Endpoint Configuration Manager for
Windows operating systems or JAMF Pro for macOS. There are several ways to deploy Teams desktop
clients:
●● As a part of the Microsoft 365 Apps for enterprise (Office 365 ProPlus) installer.
●● MSI files (both 32-bit and 64-bit) for IT bulk deployment, such as through Microsoft Endpoint Configuration Manager, Group Policy, or any third-party distribution mechanism for broad deployment.
●● A standalone (.exe) installer for user installation.
Note:
1. The Teams desktop client on the Windows OS doesn’t require elevated permissions and every user
can install the client to their profile path. On macOS systems, administrative permissions are required.
2. Distribution of the client through software deployment is only for the initial installation of Microsoft Teams clients and not for future updates.

Windows Operating Systems


The Microsoft Teams installation for Windows provides downloadable installers in 32-bit and 64-bit
versions. During the deployment process, the Windows client is deployed to the AppData folder located
in the user’s profile. Deploying to the user’s local profile allows the client to be installed without requiring
elevated rights. The Windows client leverages the following locations:
●● %LocalAppData%\Microsoft\Teams
●● %LocalAppData%\Microsoft\TeamsMeetingAddin
●● %AppData%\Microsoft\Teams
●● %LocalAppData%\SquirrelTemp
On Windows, the Teams Desktop client requires .NET Framework 4.5 or later. If this is not installed on the
PC, the Teams installer will offer to install it automatically.
When users initiate a call using the Microsoft Teams client for the first time, they might notice a Windows Firewall warning that asks them to allow communication. Users might be instructed to ignore this message because the call will work, even when the warning is dismissed.

Mac Operating Systems


Mac users can install Teams by using a PKG installation file for macOS computers. Administrative access is
required to install the Mac client. The macOS client is installed to the /Applications folder. To install Teams
by using the PKG file, perform the following steps:
1. From the Teams download page, under Mac, click Download.
2. Double click the PKG file.
3. Follow the installation wizard to complete the installation.
4. Teams will be installed to /Applications folder; it is a machine-wide installation.

Linux Operating Systems


Users can install native Linux packages in .deb and .rpm formats.
Installing the DEB or RPM package will automatically install the package repository:
●● DEB https://packages.microsoft.com/repos/ms-teams stable main
●● RPM https://packages.microsoft.com/yumrepos/ms-teams
The signing key to enable auto-updating using the system's package manager is installed automatically. However, it can also be found at https://packages.microsoft.com/keys/microsoft.asc. Microsoft Teams ships monthly, and if the repository was installed correctly, your system package manager should handle auto-updating in the same way as other packages on the system. To install Teams by using the DEB or RPM package, perform the following steps:
1. Download the package from https://aka.ms/getteams.
2. Install using one of the following:
●● Open the relevant package management tool and go through the self-guided Linux app installation process.
●● Or through Terminal:
●● To install Teams using RPM package, type: sudo yum install TeamsDownloadFileName
●● To install Teams using DEB package, type: sudo apt install TeamsDownloadFileName
You need to change TeamsDownloadFileName to the name of the Teams file you downloaded. For example:
sudo yum install ./teams-insiders-1.2.00.26154-1.x86_64.rpm
3. You can launch Teams via Activities or via Terminal by typing Teams.

Teams for Virtualized Desktop Infrastructure


Virtual Desktop Infrastructure (VDI) is virtualization technology that hosts a desktop operating system and applications on a centralized server in a data center. By using VDI, users can enjoy a fully personalized desktop experience with a fully secured and compliant centralized source.
Using Teams in a virtualized environment may be somewhat different from using Teams in a non-virtualized environment. It is recommended that you consult your virtualization solution provider to ensure minimum requirements are met.
You can deploy the Teams desktop app for VDI using a per-machine installation or per-user installation
using the MSI package. Deciding on which approach to use depends on whether you use a persistent or
non-persistent setup and the associated functionality needs of your organization. To deploy the Teams
desktop app to the VM, perform the following steps:
1. Download the Teams MSI package that matches your VDI VM operating system using one of the
following links:
●● 32-bit version [9]
●● 64-bit version [10]
2. Install the MSI to the VDI VM by running one of the following commands:
●● Per-user installation (default)
msiexec /i <path_to_msi> /l*v <install_logfile_name> ALLUSERS=1

This is the default installation, which installs Teams to the %AppData% user folder. At this point,
the golden image setup is complete. Teams will not work properly with per-user installation on a
non-persistent setup.
●● Per-machine installation
msiexec /i <path_to_msi> /l*v <install_logfile_name> ALLUSER=1 ALLUSERS=1

This installs Teams to the Program Files (x86) folder on a 64-bit operating system and to the Program Files folder on a 32-bit operating system. At this point, the golden image setup is complete. Installing Teams per-machine is required for non-persistent setups.
3. The next interactive logon session starts Teams and asks for credentials.
Note: It's not possible to disable auto-launch of Teams when installing Teams on VDI using the ALLUSER
property.

9 https://statics.teams.cdn.office.net/production-windows/1.3.00.4461/Teams_windows.msi
10 https://statics.teams.cdn.office.net/production-windows-x64/1.3.00.4461/Teams_windows_x64.msi
If you need to uninstall the MSI from the VDI VM, run the following command:
msiexec /passive /x <path_to_msi> /l*v <uninstall_logfile_name>

Deploy Teams mobile clients


The Microsoft Teams mobile apps are available for Android and iOS. In order to download the mobile
apps, users can go to their mobile store via Google Play or the Apple App Store. There are two supported
mobile platforms for Microsoft Teams mobile apps:
●● Android: Support is limited to the last four major versions of Android. When a new major version of
Android is released, the new version and the previous three versions are officially supported.
●● iOS: Support is limited to the two most recent major versions of iOS. When a new major version of
iOS is released, the new version of iOS and the previous version are officially supported.
Note: Distribution of the Teams mobile app using an MDM solution is not supported.

Deploy Teams web clients


The Teams web client is available for a variety of different browsers, including Edge, Chrome, and Safari.
The web client performs browser version detection upon connecting to https://teams.microsoft.com. If an
unsupported browser version is detected, it will block access to the web interface and recommend that
the user download the desktop client or mobile app.

Client update management


Teams desktop client updates are released every two weeks with new features and quality updates. This update process for Teams is different from the update process for the other Office apps, such as Word and Excel.
The desktop client updates itself automatically. Teams checks for updates every few hours behind the scenes, downloads them, and then waits for the computer to be idle before silently installing the update. Users can also manually download updates by selecting Check for updates on the Profile drop-down menu on the top right of the app. If an update is available, it will be downloaded and silently installed when the computer is idle.
Teams clients on Virtual Desktop Infrastructure (VDI) aren't automatically updated the way that non-VDI Teams clients are.
With per-machine installation, automatic updates are disabled. This means that to update the Teams app, you must uninstall the current version and then install the newer version. With per-user installation, automatic updates are enabled. For most VDI deployments, it is recommended to deploy Teams using per-machine installation. To update to the latest Teams version, start with the uninstall procedure, followed by deployment of the latest Teams version.

Manage device settings and firmware


Administrators can manage Teams devices in their organization from the Microsoft Teams admin center.
For example, administrators can view and manage the device inventory for their organization and
perform tasks such as update, restart, and monitor diagnostics for devices. Admins can also create and
assign configuration profiles to a device or groups of devices.
For a device to be managed in Teams, it must be certified for Teams and enrolled in Teams. A device is automatically enrolled the first time a user signs in to Teams on the device. If an organization uses Microsoft Intune, devices are automatically enrolled in Intune. After a device is enrolled, device compliance is confirmed, and conditional access policies are applied to the device.

Manage devices in Teams


Devices are managed in the Microsoft Teams admin center. After you sign in to the Teams admin center, on the left navigation pane, select Devices, and then select Phones. On the Phones page, select All devices.
Here you can see and manage all devices that have enrolled in Teams within your organization. For example, you can review the devices summary, which includes the total number of devices, the number of devices that need an update, and the number of devices that are offline. The information shown for each device includes device name, manufacturer, model, user, status, action, last seen and history (you can also customize the view to show the information that fits your needs).
Management tasks for Teams devices are listed in the following table:

| To do this… | Do this |
|---|---|
| Change device information | Select a device > Edit. You can edit details such as device name, user information, asset tag, and add notes. |
| Manage software updates | Select a device > Update. You can view the list of software and firmware updates available for the device and choose the updates to install. |
| Restart a device | Select a device > Restart. |
| View device history | Select a device > History. You can view the update history for the device. |
| View diagnostics | Select a device > Diagnostics. |

Manage configuration profiles


To manage settings and features for Teams devices in your organization, you can use configuration
profiles. As an administrator, you can create or upload configuration profiles to include settings and
features which you would like to enable or disable and then assign a profile to a device or groups of
devices.

Create a configuration profile


To create a configuration profile, perform the following steps:
1. Sign in to Microsoft Teams admin center.
2. On the left navigation pane, select Devices.
3. On the Phones page, select Configuration profiles, and then select Add.
4. On the Devices\New page, enter the name of the configuration profile and, optionally, a description.
5. Under the General section, choose whether to enable Device lock and PIN, Language, Time zone, Date and Time format.
6. Under the Device settings section, choose whether to enable Display screen saver, Brightness, Backlight timeout, Contrast, Silent mode, Office hours, Power Saving and Screen capture.
7. Under Network settings, choose whether to enable DHCP, Logging, or whether to configure Host name, Domain name, IP address, Subnet mask, Default Gateway, Primary and Secondary DNS, Device’s default admin password and Network PC port.
8. Once you have completed the configuration profile settings, select Save.

Assign a configuration profile


Once the configuration profiles have been created, you will need to assign them to the appropriate
devices. To assign a configuration profile, perform the following steps:
1. In Microsoft Teams admin center, on the Phones page, select Configuration profiles.
2. Select the policy you want to apply, for example Teams Desk Phones New York, and then click
Assign to device.
3. On the Assign devices to a configuration profile page, select the appropriate devices and then
select Apply.

After assigning a configuration profile, the settings of this profile will be applied to the selected devices.

Configure Microsoft Teams Rooms


Microsoft Teams Rooms provides a complete meeting experience that brings HD video, audio, and content sharing to meetings of all sizes, from small huddle areas to large conference rooms. The following list shows the key components of Microsoft Teams Rooms, which are responsible for delivering the best user experience:
●● Touchscreen control panel
●● Compute
●● Microsoft Teams Rooms application
●● Dock/extender
●● Peripheral devices (camera, microphone, speaker)
●● External screens (maximum of two)
●● HDMI input
Microsoft Teams Rooms are designed to be used with:
●● Microsoft Teams
●● Skype for Business Online
●● Skype for Business Server 2019
●● Skype for Business Server 2015
Note: Earlier platforms like Lync Server 2013 aren't expected to work with Microsoft Teams Rooms.
Microsoft Teams Rooms systems can be purchased in several configurations: bundled as a system with separate components, or as an integrated unit. You will need to review the meeting rooms you have and decide where you want to deploy Microsoft Teams Rooms and which peripheral devices would be appropriate for the room size.

Considerations of Microsoft Teams Room deployment


When you want to deploy Microsoft Teams Rooms in your organization, you must go through a detailed
planning phase, including evaluating and testing several solutions for your organization, to find the best
fitting conferencing experience for your users. The following diagram shows the common required steps
to prepare, deploy and maintain Microsoft Teams Rooms in an organization:

For larger organizations, you will most likely coordinate these activities across several teams.

Room inventory and capability planning


When you plan the Teams rooms inventory and capabilities, you should start by evaluating your existing infrastructure. What are the requirements of your organization for meetings? What do the existing conference rooms look like? You will need to understand the environments, room size, layout, and purpose, and then identify the capabilities you want each room to have in the future.
When you create an inventory of the equipment and capabilities in each existing room, your requirements for that room feed into your device selection planning to create a rich conferencing solution. The audio and video capabilities that are needed for each room, as well as the room size and purpose, all play an important role in deciding which solution will be the most optimal one for each room.
Also, you must check and confirm that the room doesn’t have excessive echo, noisy air conditioning, or
furniture getting in the way of the equipment. You should confirm there is enough power for the screens
and Microsoft Teams Rooms. There are many factors to consider that your audio-visual (AV) team or
specialized partner will be able to advise on.
Here are some of the key elements you need to think about: Which rooms are in scope for the current
deployment, which sites are in scope for your deployment and who will undertake the meeting rooms
inventory. After you consider these, you can review the rooms in scope and define Microsoft Teams
Rooms configurations for them.

Plan for operations


Note that your organization must perform monitoring, administration and management tasks on an ongoing basis. It is very important to agree early in your deployment who will undertake these tasks. While planning for operations, you need to decide who will manage Microsoft Teams Rooms and which helpdesk queue to route Microsoft Teams Rooms–related calls to. After completing these steps, you can start preparing to host accounts.

Plan for adoption and change management


When deploying Microsoft Teams Rooms systems, you need to consider that your users need to operate new devices deployed in your meeting rooms, which deliver new capabilities and features. This requires you to plan for user adoption, enabling users to use all the rich features of Teams Meeting Rooms. You may organize show-and-tell events to inform your users of the new capabilities, or you might also create in-room “quick start guides.”

Configure and deploy Microsoft Teams Room


Configuration and deployment of Microsoft Teams Rooms includes the following steps:
●● Account provisioning
●● Device software installation
●● Device deployment
●● Microsoft Teams Rooms application and peripheral device configuration
●● Testing
●● Asset management

Account provisioning
Each Microsoft Teams Rooms device requires a dedicated and unique resource account that must be
enabled for both Microsoft Teams or Skype for Business and additionally for Exchange. This account must
have a room mailbox hosted on Exchange and be enabled as a meeting room in the Teams or Skype for
Business deployment. In Exchange, you need to configure calendar processing so that the device can
automatically accept incoming meeting requests.
Note: Meeting scheduling features will not work without a device account.
It is recommended that you create display names for these accounts that are descriptive and easy to understand. These are the names that users will see when searching for and adding Microsoft Teams Rooms systems to meetings. For example, you can use the convention Site-Room Name(Max Room Capacity)-RS, so that Florida, a 20-person conference room in Orlando, might have the display name ORL-Florida(20)-RS.
To create a new room mailbox, use the following syntax with Exchange Online PowerShell module:
New-Mailbox -Name "<Unique Name>" -Alias <Alias> -Room -EnableRoomMailboxAccount $true -MicrosoftOnlineServicesID <Account> -RoomMailboxPassword (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force)

Here’s an example configuring the settings on the room mailbox named Project-Rigel-01.
Set-CalendarProcessing -Identity "Project-Rigel-01" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This is a Skype Meeting room!"

For more information, please refer to Deploy Microsoft Teams Rooms with Office 365[11].
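
The two provisioning commands above can be combined so that the account password is prompted for instead of being written into the command line. This is an added example, not part of the original course material; the helper name Get-RoomDisplayName, the site code, room name, capacity, alias and the contoso.com domain are assumed sample values, and an Exchange Online PowerShell session is assumed to be connected already.

```powershell
# Added example (not from the course): provision a Teams Rooms resource account
# without placing the password in plain text on the command line.
# Assumes an Exchange Online PowerShell session is already connected.

function Get-RoomDisplayName {
    # Hypothetical helper. Builds a display name following the convention
    # described in the text: Site-Room Name(Max Room Capacity)-RS
    param(
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][string]$RoomName,
        [Parameter(Mandatory)][ValidateRange(1, 1000)][int]$Capacity
    )
    '{0}-{1}({2})-RS' -f $Site.ToUpperInvariant(), $RoomName, $Capacity
}

# Constructed sample values
$displayName = Get-RoomDisplayName -Site 'ORL' -RoomName 'Florida' -Capacity 20
$alias       = 'ORL-Florida-RS'
$account     = "$alias@contoso.com"

# Prompt for the password as a SecureString so it is not stored in the script
# file or typed as a command argument.
$password = Read-Host -Prompt "Password for $account" -AsSecureString

# Create the room mailbox with an enabled account (same parameters as the
# syntax shown above, passed by splatting).
$mailbox = @{
    Name                      = $displayName
    Alias                     = $alias
    Room                      = $true
    EnableRoomMailboxAccount  = $true
    MicrosoftOnlineServicesID = $account
    RoomMailboxPassword       = $password
}
New-Mailbox @mailbox

# Let the room accept meeting requests automatically and keep the meeting
# subject and body intact.
$calendar = @{
    Identity              = $alias
    AutomateProcessing    = 'AutoAccept'
    AddOrganizerToSubject = $false
    DeleteComments        = $false
    DeleteSubject         = $false
    RemovePrivateProperty = $false
}
Set-CalendarProcessing @calendar

# Read the settings back and warn if auto-accept did not take effect.
$actual = Get-CalendarProcessing -Identity $alias
if ("$($actual.AutomateProcessing)" -ne 'AutoAccept') {
    Write-Warning "Calendar processing for $alias is '$($actual.AutomateProcessing)', expected AutoAccept."
}
$actual | Format-List Identity, AutomateProcessing, AddOrganizerToSubject, DeleteComments, DeleteSubject
```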

Device software installation


When planning to deploy Microsoft Teams Rooms, there are several options to consider for installing the
base image on devices. Common scenarios and approaches are described in the following table.

| Scenario | Approach |
| --- | --- |
| Deploying a small number of Microsoft Teams Rooms devices (<10). | If using an integrated solution, deploy by using the vendor image and configure settings as required. |
| Deploying between 10 and 50 devices from a single vendor. | Create a WIM-based image and capture a distribution image to be used with your cloning distribution technology. |
| Deploying more than 50 Microsoft Teams Rooms devices, deploying devices from more than one vendor, or requiring organization-specific agents as part of the deployment. | Use a task sequencer–based software build and distribution platform, such as System Center Configuration Manager. |

Each Microsoft Teams Rooms device must have a valid and unique machine name on your network. Many
monitoring and alert systems display the machine name as a key identifier, so it’s important to develop a
naming convention for Microsoft Teams Rooms deployments that allows support personnel to easily
locate the Microsoft Teams Rooms device that has been flagged as requiring an action. An example might be
using a pattern of MTR-Site-Room Name (MTR-ORL-Florida).
As part of the deployment, you’ll also need to consider your strategy for managing and configuring the
local accounts that are created by the Microsoft Teams Rooms application installer.
You can also use Microsoft Azure Monitor to monitor the Microsoft Teams Rooms deployment and report
on availability, hardware/software errors, and Microsoft Teams Rooms application version. If you decide
to use Microsoft Operations Management Suite, you should install the Operations Management Suite
agent as part of the software installation process and configure the workspace connection information
for your workspace.

11 https://docs.microsoft.com/en-us/microsoftteams/room-systems/with-office-365

An additional consideration is whether the Microsoft Teams Rooms device will be domain-joined or a workgroup
member. A domain-joined deployment has multiple advantages, such as being able to grant domain users and
groups administrative rights and importing your organization's private root certificate chain automatically.

Device deployment
After you’ve deployed your software to the Microsoft Teams Rooms units, create your plan to ship the
devices and their assigned peripheral devices to your rooms, and then proceed to installation and
configuration. The following table shows an example of how you could document the enrollment of your
devices:

| Site | Room name | Room type | Microsoft Teams Rooms system | Peripheral devices | Microsoft Teams Rooms computer name | Microsoft Teams Rooms resource account |
| --- | --- | --- | --- | --- | --- | --- |
| Orlando HQ | Florida | Medium | | | | |
| Sydney HQ | Hill | Large | | | | |

Microsoft Teams Rooms application and peripheral device configuration
After each Microsoft Teams Rooms system has been physically deployed and the supported peripheral
devices connected, you’ll need to configure the Microsoft Teams Rooms application to assign the Microsoft
Teams Rooms resource account and password created earlier, to enable the Microsoft Teams Rooms
system to sign in to Microsoft Teams or Skype for Business and Exchange. It's key to use the certified
USB audio and video peripherals linked elsewhere in the document. Not doing so can result in unpredictable
behavior.
You can manually configure each Microsoft Teams Rooms system. Alternatively, you can use a centrally
stored, per–Microsoft Teams Rooms XML configuration file to manage the application settings and
leverage a start-up GPO script to reapply the configuration you want, each time the Microsoft Teams
Rooms system boots.

Testing
After the Microsoft Teams Rooms system has been deployed, you should test extensively to verify that
everything works as planned. Check that the capabilities listed in Microsoft Teams Rooms help are
working on the deployed device. It’s highly recommended that your deployment team verifies that the
Microsoft Teams Rooms device is logging to Microsoft Operations Management Suite, if used in your organization.
It’s also important that you make test calls and meetings to check quality.
It’s also recommended that, as part of the general Teams or Skype for Business rollout, you configure
building files for Call Quality Dashboard (CQD), monitor quality trends, and engage in the Quality of
Experience Review process.

Asset management
As part of the deployment, you’ll want to update your asset register with the room name, Microsoft
Teams Rooms device name, signed-in Microsoft Teams Rooms resource account, and assigned peripheral
devices (and which USB ports they use).
Module 4 Deploy and manage teams

Create and manage teams


Lesson Introduction
Creating teams and managing features of a team is an important aspect of managing the Teams experience
for your users. Extreme growth without oversight and management leads to a lack of information
clarity and confusion.
In this lesson, you will learn about the creation of teams with the different management tools and the
configuration of Microsoft Teams features.
After this lesson, you will be able to:
●● Create new teams
●● Create teams from existing resources
●● Configure restrictions on team creation
●● Create an org-wide team
●● Manage teams
●● Manage private and public channels
●● Manage privacy levels of teams
●● Archive, restore from archive, delete and restore deleted teams

Create a team
By default, all users can create teams using the Teams client and invite members unless you restrict the
creation of teams to Global Administrators or Teams Service Administrators. Administrators can also
create teams in the Teams admin center or PowerShell. New teams can be created by using one of
the following methods:
●● Teams Admin Center
●● Teams client
●● PowerShell or Graph API

Create a team from Teams Admin Center


To create a team in the Teams admin center, follow these steps:
1. In Teams Admin Center on the left pane select Teams, and then select Manage teams.
2. On Manage teams pane, select Add.


3. In the Add a new team window, define the following:
●● Team Name
●● Description
●● Team owner
●● Privacy
   ●● Public – A team where everybody can join.
   ●● Private – A team where you need an invitation.
●● Classification
4. Select Create a team.

Create a team from Teams Client


To create a team in the Teams Client, follow these steps:
1. In the Teams Client in the left panel select Teams, and then select Join or create a team on the
bottom of the left panel.
2. Select Create team in the main pane.
3. Select Build a team from scratch on the Create your team page.
4. On the What kind of team will this be? page, select the type of team you want to create.

●● Private – A team where you need an invitation.


●● Public – A team where everyone in your organization can join.
●● Org-Wide – A team where everyone in your organization is a member.
5. Define the following:
●● Team Name
●● Description
6. Select Create to create the team.
Note: Whenever you create a team, it is a best practice to configure at least two owners for the self-service
needs of the team. If a group owner leaves your company, the group could find itself without an
owner. The content in the group is unaffected by this - the content belongs to the group and isn't tied to
the owner's account. But not having a group owner means there's nobody with permissions to manage
the group. Anytime the single owner is not available and modifications in the team are required, the
members will have to contact a Teams administrator. This problem can be resolved by any administrator
in your organization. For more information, please refer to Assign a new owner to an orphaned group[1].

Create a team with PowerShell


To create a new team with PowerShell, you must run the New-Team cmdlet in a PowerShell session that
has the Microsoft Teams PowerShell module installed. For example, to create a new team named “Sales”
that is a private team and the owner is "Alex Wilber" run the following:

1 https://support.office.com/en-us/article/assign-a-new-owner-to-an-orphaned-group-86bb3db6-8857-45d1-95c8-f6d540e45732?ui=en-US&rs=en-US&ad=US

New-Team -DisplayName Sales -Visibility Private -Owner Alex.Wilber@contoso.com -Description "This is a team for the Sales Department."

Using PowerShell to create a team allows you to configure its settings at creation time instead of having
to go back and change them later: permissions for adding and deleting channels, messages and users,
modifying channels, blocking access to Giphy, and posting memes.
Note: If you don’t specify an owner, the account running the PowerShell cmdlet (the user who creates the
team) will be added as both a member and an owner. For more information about other parameters,
please refer to New-Team[2].
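
As an added example (not part of the original course material), the following creates the Sales team with member permissions restricted at creation time and then adds a second owner, in line with the two-owner recommendation earlier in this topic. The second owner's address and the particular settings chosen are assumptions; a connected Microsoft Teams PowerShell session is assumed.

```powershell
# Added example (not from the course): create a team with restrictive member
# settings in one step, then make sure it has two owners.
# Assumes Connect-MicrosoftTeams has already been run.

$primaryOwner   = 'Alex.Wilber@contoso.com'
$secondaryOwner = 'Megan.Bowen@contoso.com'   # constructed sample address

# Settings applied at creation time. Everything set to $false here is
# something members would otherwise be allowed to do.
$teamSettings = @{
    DisplayName                       = 'Sales'
    Description                       = 'This is a team for the Sales Department.'
    Visibility                        = 'Private'
    Owner                             = $primaryOwner
    AllowCreateUpdateChannels         = $false   # members cannot add or rename channels
    AllowDeleteChannels               = $false   # members cannot delete channels
    AllowAddRemoveApps                = $false   # members cannot add or remove apps
    AllowCreateUpdateRemoveConnectors = $false   # members cannot manage connectors
    AllowUserDeleteMessages           = $false   # members cannot delete their own messages
    AllowGiphy                        = $false   # block Giphy content
    AllowStickersAndMemes             = $false
    AllowCustomMemes                  = $false
}
$team = New-Team @teamSettings

# Add a second owner so the team is not left ownerless if one owner leaves.
Add-TeamUser -GroupId $team.GroupId -User $secondaryOwner -Role Owner

# Read back the owners and the settings that were applied.
$owners = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
if ($owners.Count -lt 2) {
    Write-Warning "Team '$($team.DisplayName)' has only $($owners.Count) owner(s)."
}
$owners | Select-Object User, Role
Get-Team -GroupId $team.GroupId |
    Format-List DisplayName, Visibility, AllowCreateUpdateChannels, AllowDeleteChannels,
                AllowAddRemoveApps, AllowGiphy
```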

Create a team from a template


Teams templates are pre-built definitions of a team's structure designed around a business need or
project. You can use Teams templates to quickly create rich collaboration spaces with channels for
different topics and preinstall apps to pull in mission-critical content and services. Teams templates
provide a predefined team structure that can help you easily create consistent teams across your organization.

Teams template capabilities


Most properties in a team are included and supported by templates. The following table provides a quick
summary of what's included and what's not included in Teams templates.

| Team properties supported by Teams templates | Team properties not yet supported by Teams templates |
| --- | --- |
| Base template type | Files and content |
| Team name | Team picture |
| Team description | Channel settings |
| Team visibility (public or private) | Connectors |
| Team settings (for example, member, guest, @mentions) | |
| Auto-favorite channel | |
| Installed app | |
| Pinned tabs | |
| Team membership | |

There are two ways to create a team from a template:
●● Use an existing team as a template
●● Create a team from a base template

Use a different Team as a template


If you want to leverage the same data, channels, and settings from an existing team to create a new team,
you can make a copy and then choose how your new team is organized and set up.
1. In the Teams client, select Teams on the left side of the app, then select Join or create a team at the
bottom of your teams list.

2 https://docs.microsoft.com/en-us/powershell/module/teams/new-team?view=teams-ps
2. Select Create team (first card, top left corner).


3. On the Create your team page, select Create from…, then choose Team on the Create a new team
from something you already own page.
4. On the Which team do you want to use? page, choose the team you want to copy.
5. Name your new team, add a description, edit the team privacy, or edit the team's data classification, if
your organization has set this up. Use the check boxes to pick which parts of the team you want to
copy: channels, tabs, settings, apps, and even members.
6. When you’re done, select Create.

Note: You cannot create a team from a different team using the Teams Admin Center or Teams PowerShell.

Create a team using a base template


Base template types are special templates that Microsoft created for specific industries. These base
templates often contain proprietary apps that aren't available in the store and team properties that are
not yet supported individually in Teams templates.
Once a base template type is defined, you can extend or override these special templates with additional
properties that you'd like to specify. But some base template types contain properties that can't be
overridden.
By default, the base template is set to Standard, which doesn't contain any additional proprietary apps or
special properties. Below is the current list of base template types available.

| Base template type | baseTemplateId | Properties that come with this base template |
| --- | --- | --- |
| Standard | https://graph.microsoft.com/beta/teamsTemplates('standard') | No additional apps and properties |
| Education - Class Team | https://graph.microsoft.com/beta/teamsTemplates('educationClass') | Apps: OneNote Class Notebook (pinned to the General tab); Assignments app (pinned to the General tab). Team properties: Team visibility set to HiddenMembership (cannot be overridden) |
| Education - Staff Team | https://graph.microsoft.com/beta/teamsTemplates('educationStaff') | Apps: OneNote Staff Notebook (pinned to the General tab) |
| Education - PLC team | https://graph.microsoft.com/beta/teamsTemplates('educationProfessionalLearningCommunity') | Apps: OneNote PLC Notebook (pinned to the General tab) |
| Retail - Store | https://graph.microsoft.com/beta/teamsTemplates('retailStore') | Channels: Shift handoff; Learning. Team properties: Team visibility set to Public. Member permissions: Prevent members from creating, updating, or removing channels; Prevent members from adding or removing apps; Prevent members from creating, updating, or removing connectors |
| Retail - Manager collaboration | https://graph.microsoft.com/beta/teamsTemplates('retailManagerCollaboration') | Channels: Shift handoff; Learning. Team properties: Team visibility set to Private. Member permissions: Prevent members from creating, updating, or removing channels; Prevent members from adding or removing apps; Prevent members from creating, updating, or removing connectors |
| Healthcare - Ward | https://graph.microsoft.com/beta/teamsTemplates('healthcareWard') | Channels: Announcements*; Huddles*; Rounds; Staffing*; Training*. *Auto-favorited channels |
| Healthcare - Hospital | https://graph.microsoft.com/beta/teamsTemplates('healthcareHospital') | Channels: Announcements*; Compliance*; Custodial; Human Resources; Pharmacy. *Auto-favorited channel |

You can create a team from a pre-defined template by using the Microsoft Graph APIs[3] or the New-Team
cmdlet with the -Template parameter:
New-Team -DisplayName "CompSci 101" -Description "Official team for the CompSci 101 Class." -Template EDU_Class

Create a team from an existing resource


There are several options to create a team from an existing resource. You can upgrade a SharePoint Team
site or a Microsoft 365 Group to a team directly. You can also convert a distribution list (or distribution
group) to a Microsoft 365 Group as an intermediate step, and then convert that group to a team.
This also works if the group was created as part of a plan in Planner. Remember, when creating a team,
the underlying group cannot have more than 5000 members.
To summarize, you have the following upgrade paths to create teams from an existing resource:
●● Distribution list -> Microsoft 365 Group -> Team
●● Microsoft 365 Group (e.g., Planner group) -> Team
●● SharePoint Team site -> Team
Upgrading a Microsoft 365 Group to a Team can be done by using one of the following methods:
●● Teams Admin Center
●● Teams client
●● PowerShell

Upgrade a Microsoft 365 Group to a Team


3 https://docs.microsoft.com/en-us/graph/api/team-post?view=graph-rest-beta

Microsoft 365 Groups can be directly upgraded into teams. If you upgrade a Microsoft 365 Group to a
team, the new team will use the DisplayName, Description, Privacy Settings and membership of the
upgraded group. The team will be created with a single channel named "General". To upgrade a group to
a team, you can use the following methods:

Using the Microsoft 365 Admin Center to create a team from a Microsoft 365 Group
To create a team from a Microsoft 365 Group in the Microsoft 365 Admin Center, follow these steps:
1. Open the Microsoft 365 admin center as an administrator.
2. On the navigation pane, select Groups > Groups.
3. In the main pane, select the Microsoft 365 Group you want to upgrade to a team.
4. In the right overlay pane, select the Microsoft Teams tab.
5. Select Create a team in the Microsoft Teams tab.


6. In the Add Microsoft Team to this group? prompt select Create a team to confirm that you want to
upgrade your existing group to a team.

Using the Teams Client to create a team from a Microsoft 365 Group
To create a team in the Teams Client, follow these steps:
1. In the Teams Client in the left panel select Teams, and then select Join or create a team on the
bottom of the left panel.
2. Select Create team in the main pane.
3. On the Create your team page, select Create from.


4. On the Create a new team from something you already own page select Microsoft 365 Group.
5. On the Which Microsoft 365 Group do you want to use? page select the group you want to
upgrade.
6. Select Create.

Using PowerShell to create a team from an existing Microsoft 365 Group
Use the New-Team cmdlet from the Teams PowerShell module to upgrade a Microsoft 365 Group to a
team. You must use the GroupID parameter to specify the group ID. Use the Exchange PowerShell
module to find the GroupID with Get-UnifiedGroup. If you want to convert the Microsoft 365 Group
MarketingDep@contoso.com to a private team, run the following cmdlets:
$group = Get-UnifiedGroup -Identity MarketingDep@contoso.com
New-Team -GroupID $group.ExternalDirectoryObjectID -Visibility Private
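
The upgrade can be wrapped in pre-checks for the conditions this topic mentions: the 5000-member limit on the underlying group, and the fact that the new team takes over the group's existing name, description, privacy and membership. This is an added example, not part of the original course material; the function name Convert-GroupToTeam is hypothetical, and connected Exchange Online and Microsoft Teams PowerShell sessions are assumed.

```powershell
# Added example (not from the course): upgrade a Microsoft 365 Group to a team
# only after checking the preconditions described in the text.
# Assumes an Exchange Online session (Get-UnifiedGroup) and a Microsoft Teams
# session (New-Team) are both connected.

function Convert-GroupToTeam {
    # Hypothetical helper name. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$MaxMembers = 5000      # limit stated in the text
    )

    $group = Get-UnifiedGroup -Identity $Identity -ErrorAction Stop

    # A group that already backs a team lists 'Team' in its provisioning options.
    if ($group.ResourceProvisioningOptions -contains 'Team') {
        Write-Warning "Group '$($group.DisplayName)' is already a team; nothing to do."
        return
    }

    # The underlying group cannot have more than 5000 members.
    if ($group.GroupMemberCount -gt $MaxMembers) {
        throw "Group '$($group.DisplayName)' has $($group.GroupMemberCount) members; the limit is $MaxMembers."
    }

    # Show what the team will inherit before anything is changed.
    Write-Verbose ("Upgrading '{0}' (privacy: {1}, members: {2})" -f `
        $group.DisplayName, $group.AccessType, $group.GroupMemberCount)

    if ($PSCmdlet.ShouldProcess($group.DisplayName, 'Upgrade Microsoft 365 Group to a team')) {
        # Only the group ID is passed here: the team takes over the group's
        # display name, description, privacy setting and membership.
        New-Team -GroupId $group.ExternalDirectoryObjectId
    }
}

# Dry run first, then the real upgrade.
Convert-GroupToTeam -Identity 'MarketingDep@contoso.com' -WhatIf -Verbose
Convert-GroupToTeam -Identity 'MarketingDep@contoso.com' -Verbose
```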

Things to consider when upgrading a Microsoft 365 Group


Creating a team from a resource does not automatically associate the existing group notebook with any
channel. If your users have been working with the group before you upgraded it into a team, you need to
make sure your users can see the group notebook in one of the new team channels. Follow these steps to
manually add a Notebook to your Channel:
1. Select the Channel you want to add the Notebook to in the left pane.
2. Select + in the main pane.
3. Select OneNote.
4. Select the Notebook you want to add.
5. Select Save to add the Notebook to the Channel.
Teams creates a new folder in the primary document library of the underlying SharePoint team site for
each channel you create in a team. By default, these folders are empty, and you must use the team site to
move the files into the correct folders.

Upgrade a SharePoint Team site to a Team


You can also upgrade your existing SharePoint Team sites to a team. As Team sites are Microsoft 365
Groups, you can either follow the previous guidance on how to upgrade a Microsoft 365 Group to a team,
such as from the Teams client, or upgrade it directly from your SharePoint Team site settings as described
in the following steps:
1. Log in to your Office 365 portal using https://portal.office.com.
2. On the Office 365 apps page, select SharePoint.
3. On the left pane, select your SharePoint Team site or search for it.
4. On your SharePoint Team site page, on the left pane, select Create a Team.


Once the SharePoint Team site is converted to a team, you will also see the Teams option on the navigation
pane when you open your Team site, which will lead you directly to open your site in the Teams client.

Create an org-wide team


Org-wide teams provide an automatic way for everyone in a small to medium-sized organization to be a
part of a single team for collaboration or announcements.
With org-wide teams, you can easily create a public team that pulls in every user in the organization and
keeps the membership up to date with Active Directory as users join and leave the organization.
Only global admins can create org-wide teams and currently an org-wide team is limited to organizations
with no more than 5,000 users. There's also a limit of five org-wide teams per tenant. If these requirements
are met, global admins will see Org-wide as an option when they select Build a team from
scratch when creating a team.
Note: At the time of writing this course, you can only create an org-wide team by using the Teams Client.


Note: When an org-wide team is created, all global admins are added as team owners and all active
users are added as team members. Unlicensed users are also added to the team. The first time an
unlicensed user signs into Teams, the user is assigned a Microsoft Teams Commercial Cloud Trial license.
This license will expire after 12 months.
These types of accounts won't be added to your org-wide team:
●● Accounts that are blocked from sign in
●● Guest users
●● Service accounts
●● Room or equipment accounts
●● Accounts backed by a shared mailbox
As your organization's directory is updated to include new active users or if users no longer work at your
company and their account is disabled, changes are automatically synced, and the users are added or
removed from the team. Team members can't leave an org-wide team. As a team owner, you can manually
add or remove users if needed.
When creating an org-wide team, consider the following things:
●● You can create up to 5 org-wide teams for your Office 365 tenant.
●● Each org-wide team can include up to 5,000 members.
●● If you don't see the Org-wide option when creating a team and you are a global admin, the feature
may not yet have rolled out to your tenant, you have reached the five org-wide teams limit, or your
organization might have more than the current size limit of 5,000 members. This limit might be
increased in the future.
●● Rooms that are not a part of a room list, equipment, and resource accounts might be added or synced
to the org-wide team. Team owners can easily remove these accounts from the team.
●● All actions by the system to add or remove members are posted in the General channel. The channel
will also be marked as having new activity in the Teams client.
If you want to create an Org-Wide team, follow these steps:
1. In the Teams Client in the left panel select Teams, and then select Join or create a team on the
bottom of the left panel.
2. Select Create team in the main pane.
3. Select Build a team from scratch on the Create your team page.


4. On the What kind of team will this be? page, select Org-wide.
5. Define the following on the Some quick details about your org-wide team page:
●● Team Name
●● Description
6. Select Create.

Best practices
To get the most out of org-wide teams, you should consider the best practices from the following table:

| Best practice | Description |
| --- | --- |
| Allow only team owners to post to the General channel | Reduce channel noise by having only team owners post to the General channel. In the Teams Client go to the team and select ... More options > Manage Team. On the Settings tab, click Member permissions > select Only owners can post messages. |
| Turn off @team and @[team name] mentions | Reduce @mentions to keep them from overloading the entire organization. In the Teams Client go to the team and select ... More options > Manage Team. On the Settings tab, click @mentions > turn off Show members the option to @team or @[team name]. |
| Automatically favorite important channels | Favorite important channels to ensure everyone in your organization engages in specific conversations. |
| Set up channel moderation | Consider setting up channel moderation and giving moderator capabilities to certain team members. (When moderation is set up, team owners are given moderator capabilities automatically.) Moderators can control who can start a new post in a channel, add and remove moderators, control whether team members can reply to existing channel messages, and control whether bots and connectors can submit channel messages. |
| Remove accounts that might not belong | Even though members can’t leave an org-wide team, as a team owner, you can manage the team roster by removing accounts that don’t belong. Make sure you use Teams to remove users from your org-wide team. If you use another way to remove a user, such as the Microsoft 365 admin center or from a group in Outlook, the user might be added back to the org-wide team. |

Is there a way to create an org-wide team other than using the Teams client?
If your organization limits creating teams to using PowerShell, the recommended workaround is to add
your global admins to the security group of users who can create a team.
If this isn't an option, you can use PowerShell to create a public team and add a global admin as the team
owner. How to do this is covered in a different topic.
If you want to change the team you just created to be an org-wide team, follow these steps.
1. In the Teams Client select Teams in the left pane.
2. In the left panel select … behind the team you want to modify.

3. In the dropdown menu select Edit Team.

4. Change the Privacy level to Org-wide.

5. Select Done to apply the changes.

Manage teams
As an admin, you may need to view or update the teams that your organization set up for collaboration,
or you might need to perform remediation actions such as assigning owners for ownerless teams. You
can manage the teams used in your organization using either the Microsoft Teams admin center or
Microsoft Teams PowerShell module.

Teams overview grid


Management tools for teams are available under the Teams node in the Microsoft Teams admin center.
(In the admin center, select Teams > Manage teams.) Each team is backed by a Microsoft 365 Group,
and this node provides a view of groups that have been Microsoft Teams-enabled in your organization.

The grid displays the following properties:


●● Team name
●● Channels - number of all channels in the team, including the default General channel.
●● Team members - number of total users, including owners, guests, and members from your tenant.
●● Owners - number of owners for this team.
●● Guests - number of Azure Active Directory B2B guest users who are members of this team.
●● Privacy - Visibility/AccessType of the backing Microsoft 365 Group.
●● Status - the Archived or Active status for this team. Archiving is covered in a
following lesson.
●● Description - description of the backing Microsoft 365 Group.
●● Classification - classification (if used in your organization) assigned to the backing Microsoft 365
Group. Classification is covered in a different lesson.
●● GroupID - unique GroupID of the backing Microsoft 365 Group.

Operations
You can use the Teams Admin Center to do the following operations with teams:

| Operations | Details |
| --- | --- |
| Add | To add a new team, click Add. In the Add a new team pane, give the team a name and description, set whether you want to make it a private or public team, and set the classification. |
| Edit | To edit group and team-specific settings, select the team by clicking to the left of the team name, and then select Edit. |
| Archive | You can archive a team. Archiving a team puts the team into read-only mode within Teams. As an admin, you can archive and unarchive teams on behalf of your organization in the admin center. |
| Delete | Deleting a team is a soft delete of the team and corresponding Microsoft 365 Group. How to restore a soft-deleted team is covered in a following lesson. |
| Search | Search currently supports the string “Begins with” and searches the Team name field. |

Team profile
You can navigate to the team profile page of any team from the main Teams overview grid by selecting
the team name. The team profile page shows the members, owners, and guests that belong to the team
(and its backing Microsoft 365 Group), as well as the team’s channels and settings. From the team profile
page, you can:
●● Add or remove members and owners.
●● Add or remove channels (note that you can't remove the General channel).
●● Change team and group settings.

Make changes to teams


On the team's profile page, you can change the following elements of a team:
●● Members - add or remove members and promote or demote owners.
●● Channels - add new channels and edit or remove existing channels. Remember that you can't delete
the default General channel.
●● Team name
●● Description
●● Privacy - set whether the team is public or private.
●● Classification - this is backed by your Microsoft 365 Group classifications. Choose Confidential,
Highly Confidential, or General.
●● Conversations settings - set whether members can edit and delete sent messages.
●● Channels settings - set whether members can create new channels and edit existing ones, and add,
edit, and remove tabs, connectors, and apps.
The changes that you make to a team are logged. If you're modifying group settings (changing the name,
description, photo, privacy, classification, or team members), the changes are attributed to you through
the audit pipeline. If you are performing actions against Teams-specific settings, your changes are tracked
and attributed to you in the General channel of the team.
Note: Changing the Team name only modifies the display name. It will not change the name of the
underlying group, library or any other resources that are connected to the team.

Using PowerShell
You can also use the Microsoft Teams PowerShell module to manage teams by using the Set-Team and
Remove-Team cmdlets. For example, to change the description of the Finance Department team and
make it a private team, run the following:
Get-Team -DisplayName "Finance Department" | Set-Team -Description "This is the team for the finance department" -Visibility Private

The available cmdlets for managing teams from the Teams PowerShell module are:
●● Add-Team
●● Get-Team
●● Remove-Team
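
The remediation task mentioned at the start of this topic, finding teams that are ownerless or have a single owner, can be done across the tenant with the same module. This is an added example, not part of the original course material; the function name Get-TeamOwnershipReport and the two-owner threshold are assumptions based on the best-practice note earlier in this lesson, and a connected Microsoft Teams PowerShell session is assumed.

```powershell
# Added example (not from the course): report owner and guest counts for every
# team and flag teams that need an additional owner.
# Assumes Connect-MicrosoftTeams has already been run.

function Get-TeamOwnershipReport {
    # Hypothetical helper name. Returns one object per team.
    param(
        [int]$MinimumOwners = 2   # threshold taken from the two-owner best practice
    )

    foreach ($team in Get-Team) {
        # One call per team; roles are reported as owner, member or guest.
        $users  = @(Get-TeamUser -GroupId $team.GroupId)
        $owners = @($users | Where-Object { $_.Role -eq 'owner' })
        $guests = @($users | Where-Object { $_.Role -eq 'guest' })

        [pscustomobject]@{
            DisplayName = $team.DisplayName
            GroupId     = $team.GroupId
            Visibility  = $team.Visibility
            Archived    = $team.Archived
            Members     = $users.Count
            Owners      = $owners.Count
            Guests      = $guests.Count
            NeedsOwner  = ($owners.Count -lt $MinimumOwners)
        }
    }
}

$report = Get-TeamOwnershipReport

# Teams with no owner or a single owner, ownerless teams first.
$report |
    Where-Object { $_.NeedsOwner -and -not $_.Archived } |
    Sort-Object Owners, DisplayName |
    Format-Table DisplayName, Visibility, Members, Owners, Guests -AutoSize

# Teams that contain guest users, for a periodic membership review.
$report |
    Where-Object { $_.Guests -gt 0 } |
    Sort-Object Guests -Descending |
    Format-Table DisplayName, Visibility, Guests, Owners -AutoSize

# Remediation for one flagged team (GroupId and user are placeholders):
# Add-TeamUser -GroupId '<GroupId from the report>' -User '<new owner UPN>' -Role Owner
```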

Manage public and private channels


Channels are dedicated sections within a team to keep conversations organized by specific topics,
projects, or disciplines. Each channel could be a different unit in a department or a project group in a larger
project with different groups.
Before you create channels, you first need to decide which channels you need and whether they should be
standard or private. Private channels in particular require solid planning and a decision on whether they
are the right tool to achieve your business aims.

For example, a private channel is useful in these scenarios:


●● A group of people in a team want a focused space to collaborate without having to create a separate
team.
●● A subset of people in a team want a private channel to discuss sensitive information, such as budgets,
resourcing, strategic positioning, and so on.
A lock icon indicates a private channel. Only members of private channels can see and participate in
private channels that they are added to.

The following decision matrix can help you plan private channels:

| Is there already a team that has these people as team members? | Does this work need to be kept private from other team members? | Are there multiple distinct topics to discuss? | Recommendation |
| --- | --- | --- | --- |
| Yes | Yes | Yes | Create a private channel in the existing team or consider creating dedicated private channels for each topic. |
| Yes | Yes | No | Create a private channel in the existing team. |
| Yes | No | No | Create a standard channel in the existing team. |
| No | No | No | Consider creating a new team. |
| No | No | Yes | Consider creating a new team and then, depending on the confidentiality of each topic, consider creating separate standard or private channels for each topic. |
| No | Yes | No | Create a new team or create a new private channel in an existing team. |

Note: You cannot modify the channel type once created. A channel that was created as private will stay
private and a standard channel cannot be turned into a private channel.

Manage channels in Teams Admin Center


To add a Channel in the Teams Admin Center, follow these steps:
1. In Teams Admin Center on the left pane select Teams, and then select Manage teams.
2. In the main pane select the team you want to modify.
3. Select the Channels tab.
4. Select Add channel.
5. Provide the following information:
●● Name
●● Description
●● Type – Select if the channel should be a standard channel or a private channel.
To modify a channel in the Teams Admin Center, follow these steps:
1. In Teams Admin Center on the left pane select Teams, and then select Manage teams.
2. In the main pane select the team you want to modify.
3. Select the Channels tab.
4. Select the Channel you want to modify.

5. Select Edit channel.


6. Modify the team name and description.


To delete a channel in the Teams Admin Center, follow these steps:
1. In Teams Admin Center on the left pane select Teams, and then select Manage teams.
2. In the main pane select the team you want to modify.
3. Select the Channels tab.
4. Select the Channel you want to delete.

5. Select Delete channel to delete the channel.

Use PowerShell to manage channels


Use the New-TeamChannel cmdlet to create a new standard channel:
Get-Team -DisplayName "CxO Team" | New-TeamChannel -DisplayName "Billing" -Description "A channel for requesting payment on your invoices."

To list all channels of a specific team, run the following:
Get-Team -DisplayName "CxO Team" | Get-TeamChannel

To modify a channel, use the Set-TeamChannel cmdlet:
Get-Team -DisplayName "CxO Team" | Set-TeamChannel -CurrentDisplayName "Billing" -NewDisplayName "Invoices"

To remove a channel, use the Remove-TeamChannel cmdlet:
Get-Team -DisplayName "CxO Team" | Remove-TeamChannel -DisplayName "Invoices"

To create a private channel, use the -MembershipType parameter and set it to Private:
Get-Team -DisplayName "CxO Team" | New-TeamChannel -DisplayName "Billing" -Description "A channel for requesting payment on your invoices." -MembershipType Private

Note: Using the -MembershipType parameter requires Teams PowerShell version 1.0.18 or newer.
To create a private channel on behalf of a user, without granting permissions to an administrator, use the
following cmdlet:
Get-Team -DisplayName "CxO Team" | New-TeamChannel -MembershipType Private -DisplayName "Dunning" -Owner Alex.Wilber@contoso.com

Private channel permissions


Due to the closed nature of private channels, there are several differences in permissions between public
standard and private channels. The following table outlines what actions owners, members, and guests
can do in private channels.

| Action | Team owner | Team member | Team guest | Private channel owner | Private channel member | Private channel guest |
|---|---|---|---|---|---|---|
| Create private channel | Yes | Yes | No | - | - | - |
| Delete private channel | Yes | No | No | Yes | No | No |
| Leave private channel | - | - | - | Yes | Yes | Yes |
| Edit private channel | No | - | - | Yes | No | No |
| Restore deleted private channel | Yes | No | No | Yes | No | No |
| Add members | No | - | - | Yes | No | No |
| Edit settings | No | - | - | Yes | No | No |
| Manage tabs and apps | No | - | - | Yes | Yes | No |

Note: The permissions to restrict private channel creation are available at different places and through
different tools, such as team policies and teams settings. Also, the last member of a private channel, even
if promoted to an owner automatically, cannot leave a private channel, and the last owner must delete it.
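
Because only private channel owners can add members, edit settings, or delete the channel, it helps to review who holds each role. The following added example (not part of the course material) inventories private channels per team with Get-TeamChannel and Get-TeamChannelUser and flags channels that have a single owner or guest members. The function names, the findings labels, and the sample roster are assumptions made for illustration, and the live part assumes a Connect-MicrosoftTeams session that is allowed to read the channel rosters.

```powershell
# Added example. Requires the MicrosoftTeams module for the live function.

function Get-ChannelRosterSummary {
    # Hypothetical helper: summarizes the roster of one private channel.
    # $Roster items need a User and a Role property (Owner, Member or Guest),
    # the shape assumed here for Get-TeamChannelUser output.
    param(
        [Parameter(Mandatory)][string]$Team,
        [Parameter(Mandatory)][string]$Channel,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Roster
    )
    # PowerShell's -eq is case-insensitive, so 'owner' and 'Owner' both match.
    $owners  = @($Roster | Where-Object { $_.Role -eq 'Owner' })
    $members = @($Roster | Where-Object { $_.Role -eq 'Member' })
    $guests  = @($Roster | Where-Object { $_.Role -eq 'Guest' })

    # Review hints: only channel owners can add members, edit settings or
    # delete the channel, so channels that depend on one person stand out.
    $findings = @()
    if ($owners.Count -eq 0) { $findings += 'no owner' }
    if ($owners.Count -eq 1) { $findings += 'single owner' }
    if ($guests.Count -gt 0) { $findings += 'guest access' }

    [pscustomobject]@{
        Team     = $Team
        Channel  = $Channel
        Owners   = ($owners.User -join '; ')
        Members  = $members.Count
        Guests   = ($guests.User -join '; ')
        Findings = ($findings -join ', ')
    }
}

function Get-PrivateChannelReport {
    # Hypothetical wrapper: accepts Get-Team output from the pipeline and
    # emits one summary object per private channel.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$GroupId,
        [Parameter(ValueFromPipelineByPropertyName)][string]$DisplayName
    )
    process {
        $channels = @(Get-TeamChannel -GroupId $GroupId -MembershipType Private)
        foreach ($channel in $channels) {
            $roster = @(Get-TeamChannelUser -GroupId $GroupId -DisplayName $channel.DisplayName)
            Get-ChannelRosterSummary -Team $DisplayName -Channel $channel.DisplayName -Roster $roster
        }
    }
}

# Constructed sample roster (not real tenant data) so the summary logic can be run offline.
$sampleRoster = @(
    [pscustomobject]@{ User = 'alex.wilber@contoso.com'; Role = 'Owner'  }
    [pscustomobject]@{ User = 'member1@contoso.com';     Role = 'Member' }
    [pscustomobject]@{ User = 'vendoruser1@company.com'; Role = 'Guest'  }
)
Get-ChannelRosterSummary -Team 'CxO Team' -Channel 'Billing' -Roster $sampleRoster

# Live use against the tenant, showing only channels with findings:
# Get-Team | Get-PrivateChannelReport | Where-Object Findings | Format-Table -AutoSize
```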

Considerations around private channels


Because private channels are very different from standard public channels, administrators need to make
some additional considerations before deployment.
Each private channel has independent settings to edit members, member permissions, mentioning and
fun stuff for the entire channel.
Not all features of standard channels are available for private channels yet, and OneNote does not
fully work in private channels. Keep the following in mind when adding notebooks to private
teams, because the permissions to notebooks are not bound to the private channel:
●● When a new OneNote notebook is created in a private channel, additional users can still get access to the
notebook because the behavior is the same as sharing access to any other item in the SharePoint site
associated with the private channel.
●● If a user is granted access to a notebook in a private channel through SharePoint site, removing the
user from the team or private channel won't remove the user's access to the notebook.
●● When adding an existing notebook to a private channel, not everyone in the private channel will have
access to the notebook by default, because they need separate access to the location, where the
notebook is hosted, such as another team's SharePoint site.

Restore a deleted channel


When a channel is deleted, accidentally or on purpose, it can be recovered within 30 days. This must be
done by a team owner of the team that contained the deleted channel via the Teams client.
To recover a deleted channel in the Teams client, follow these steps:
1. In Teams client, select Teams, and then the team that contained the channel.
2. Select the Channels tab from the top pane.
3. Open the Deleted row by selecting it.
4. Select Restore to the right of the channel you need to restore.

Note: It is currently not possible to restore channels from the Teams admin center or via the Teams
PowerShell module.

Manage privacy levels for a team


There are three levels of privacy a team owner can use to manage access to their team.
●● Private teams can only be joined when the team owner adds users to them.
●● Public teams are available for all users in your organization to join. Public teams are visible to every-
one in the Teams gallery, and users can join a public team without having to get approval from the
team owner.
●● Org-Wide teams have all members of an Office 365 tenant joined automatically.
By default, a private team will be discoverable in the Teams gallery and users can see some information
about the team.

Change privacy level


Owners can manage privacy levels using the Teams Admin Center, the Teams Client or PowerShell.
If you want to change the privacy level of a team in the Teams Admin Center, follow these steps:
1. In Teams Admin Center on the left pane select Teams, and then select Manage teams.
2. Select a team by clicking in front of the team name.
3. Under Privacy select the privacy level you want this team to have.

4. Select Apply to modify the privacy level.


If you want to change the privacy level of a team in the Teams Client, follow these steps:
1. In the Teams Client select Teams in the left pane.
2. In the left panel select … next to the team you want to modify.
3. In the dropdown menu select Edit Team.

4. Change the privacy level under Privacy. You can select the same settings that were described earlier
in the lesson.

5. Select Done to apply the changes.


You can use the Microsoft Teams PowerShell module and the Set-Team cmdlet to change the privacy
level:
Get-Team -DisplayName "CxO Team" | Set-Team -Visibility Private

Manage private team discovery


To change the privacy level of a team at a later time, you can use the Teams client to navigate to More
options > Manage team. On the Settings tab, expand Team Discovery Settings.

You can use the Set-Team cmdlet to disable the discoverability of individual teams:
Get-Team -DisplayName "CxO Team" | Set-Team -ShowInTeamsSearchandSuggestions $false

Manage whether users can discover private teams


As an admin, you can also control which users in your organization can discover private teams in search
results and suggestions in Teams. Create a policy by using the New-CsTeamsChannelsPolicy cmdlet,
and then assign the policy to users:
New-CsTeamsChannelsPolicy -Identity VendorPolicy -AllowPrivateTeamDiscovery $false

Grant-CsTeamsChannelsPolicy -Identity vendoruser1@company.com -PolicyName VendorPolicy

You can also create a policy to allow users to discover private teams:
New-CsTeamsChannelsPolicy -Identity WorkerPolicy -AllowPrivateTeamDiscovery $true
Grant-CsTeamsChannelsPolicy -Identity alex.wilber@contoso.com -PolicyName WorkerPolicy

By default, AllowPrivateTeamDiscovery is set to true for all users in an organization.

Archive, delete and restore a team


At some point when managing Teams, it will become necessary to retain or delete teams that are no
longer actively used. You can archive or delete teams. Both options stop users from modifying team
content and using that team for further collaboration.

Archive a team
If you archive a team, you are putting it in read-only mode. The team will still show up in search according
to its visibility settings and members can still access the existing content. The Teams client will show an
icon next to the team name to show the team's status as archived. Archiving a team might be beneficial if
the team contains information that could still be useful later without the necessity of updating or
changing content in that team.

Archiving can also be used as a first step in an approval process for team deletion. In that case you prefer
to archive a team for later review before deleting it.
Following are steps to archive a team in the Teams admin center:
1. In Teams admin center on the left pane select Teams, and then select Manage teams.

2. Select a team by clicking in front of the team name.

3. Select Archive. The following message will appear.


4. If you would like to make the SharePoint site for the team read-only, select the check box.
5. Select Archive to archive the team. The team’s status will change to Archived.
To archive a team in the Teams Client, follow these steps:

1. In the left pane select the Cogwheel at the bottom.


2. In the main pane select … to the right of the Team you want to archive.
3. In the menu select Archive team.
4. The following message will appear.

5. If you would like to make the SharePoint site for the team read-only, select the check box.
6. Select Archive to archive the team.
Note: You cannot use PowerShell to archive a team or restore it from its archived state.

Restore an archived team


You may want to reactivate an archived team if your organization requires users to work with the archived
data again. For example, you might have a team that was used for a specific event and your organization
decided to keep the information archived in case they want to rehost this event. Now that the event will
be hosted again, you can reactivate the archived team to allow the event coordinators to work with the
content again.
Follow these steps to make an archived team active again.
1. In the Microsoft Teams admin center, select Teams.
2. Select a team by clicking the team name.
3. Select Unarchive. The team’s status will change to Active.
To restore an archived team using the Teams client, follow these steps:
1. In the left pane select the Cogwheel at the bottom.
2. In the main pane expand Archived.
3. In the main pane select … to the right of the Team you want to restore.
4. Select Restore team to restore it.

Delete a team
If the team will not be required in the future, then you can delete it rather than archiving it. Since an
archived Team is a Team in “read-only” mode you can also delete archived teams. Follow these steps to
delete a team.
1. In the Microsoft Teams admin center, select Teams.
2. Select a team by clicking the team name.
3. Select Delete. A confirmation message will appear.
4. Select Delete to permanently delete the team.
You can also delete a team using the Microsoft Teams PowerShell module and the Remove-Team cmdlet:
Get-Team -DisplayName "CxO Team" | Remove-Team

Note: The cmdlet Remove-Team does not accept the DisplayName of an existing team, but only the
GroupID. You can pipe the output of Get-Team to Remove-Team, or you can write down the GroupID
from the output of Get-Team and use it with Remove-Team.

Restore a deleted team


You may want to restore a deleted team if you deleted it accidentally.
Follow these steps to restore a deleted team by restoring the Microsoft 365 Group that's associated with
the team. By default, a deleted Microsoft 365 Group is retained for 30 days. This 30-day period is called
“soft-delete” because you can restore the group. This 30-day period can’t be extended, and after it
has passed, the group and its content are gone.
You can use the AzureAD module to restore a deleted group using PowerShell. Use the
Get-AzureADMSDeletedGroup cmdlet to find all deleted Microsoft 365 Groups.
$groupId = Get-AzureADMSDeletedGroup -SearchString "Sales@contoso.com"

You can then restore the group by using the Restore-AzureADMSDeletedDirectoryObject cmdlet:
Restore-AzureADMSDeletedDirectoryObject -Id $groupId.Id

Restoring a Team brings back the underlying Microsoft 365 Group and connects it with the inaccessible
Team again. This means that you will not lose any information available in the Team if you restore a
soft-deleted team.

Permanently delete a team


You can also hard-delete a team by doing a soft delete and using the AzureAD PowerShell module to find
the underlying deleted Microsoft 365 Group:
Get-AzureADMSDeletedGroup

Write down the object ID of the group you want to hard-delete and insert it into the following cmdlet:
Remove-AzureADMSDeletedDirectoryObject -Id <objectId>

Manage policy packages


Policy packages in Microsoft Teams let you control Teams features that you want to allow or restrict for
specific sets of people across your organization. Policy packages simplify, streamline, and help provide
consistency when managing policies for groups of users across your organization.
A policy package is a collection of predefined policies and policy settings that you can assign to users
who have similar roles in your organization. When you assign a policy package to users, the policies in
the package are created and you can then customize the settings of the policies in the package to meet
your organization's needs.

Policy packages
Each policy package in Teams is designed around a user role and includes predefined policies and policy
settings that support the collaboration and communication activities that are typical for that role. Each
individual policy is given the name of the policy package so you can easily identify the policies that are
linked to a policy package. Teams currently includes the following policy packages.

View policy packages


View the settings of each policy in a policy package before you assign a package. Make sure that you
understand each setting and then decide whether the predefined values are appropriate for your
organization or whether you need to change them to be more restrictive or lenient based on your
organization's needs.
1. In the left navigation of the Microsoft Teams admin center, select Policy packages, and then select a
policy package by selecting to the left of the package name.
2. Select the policy you want to view.
The following shows the available predefined policies of different packages:

| Package name | Messaging policy | Meeting policy | App setup policy | Calling policy | Live events policy |
|---|---|---|---|---|---|
| Education (Higher education student) | Yes | Yes | Yes | Yes | Yes |
| Education (Primary school student) | Yes | Yes | Yes | Yes | Yes |
| Education (Secondary school student) | Yes | Yes | Yes | Yes | Yes |
| Education (Teacher) | Yes | Yes | Yes | Yes | Yes |
| Healthcare clinical worker | Yes | Yes | Yes | - | - |
| Healthcare information worker | Yes | Yes | - | - | - |
| Public safety officer | Yes | Yes | Yes | Yes | - |
| Small and medium business user (Business Voice) | - | - | Yes | - | - |
| Small and medium business user (without Business Voice) | - | - | Yes | - | - |

Assign policy packages


Assign the policy package to users. Remember that policies in a policy package aren't created until you
assign the package, after which you can change the settings of individual policies in the package.

Assign a policy package to one user


1. In the left navigation of the Microsoft Teams admin center, go to Users, and then select the user.
2. On the user's page, select Policies, and then next to Policy package, select Edit.
3. In the Assign policy package pane, select the package you want to assign, and then select Save.

Assign a policy package to multiple users


1. In the left navigation of the Microsoft Teams admin center, go to Policy packages, and then select the
policy package you want to assign by selecting to the left of the package name.
2. Select Manage users.
3. In the Manage users pane, search for the user by display name or by user name, select the name, and
then select Add. Repeat this step for each user that you want to add.
4. When you're finished adding users, select Save.

Customize policy packages


Customize the settings of policies in the policy package to fit the needs of your organization. Any
changes you make to policy settings are automatically applied to users who are assigned the package.
You can edit the settings of a policy through the Policy packages page or by going directly to the policy
page in the Microsoft Teams admin center.
1. In the left navigation of the Microsoft Teams admin center, do one of the following:

●● Select Policy packages, and then select the policy package by clicking to the left of the package
name.
●● Select the policy type. For example, select Messaging policies.
2. Select the policy you want to edit. Policies that are linked to a policy package have the same name as
the policy package.
3. Make the changes that you want, and then select Save.
Note: If a policy is deleted, you can still view the settings but you won't be able to change any settings. A
deleted policy is re-created with the predefined settings when you assign the policy package.

Manage membership
Lesson Introduction
Microsoft Teams enables you to use a team as the basis for access control to specific resources and to
share data of that team.
In this lesson you will learn about managing user membership in teams.
After this lesson, you will be able to:
●● Manage users in a team.
●● Configure dynamic membership for teams.
●● Manage user access with Azure AD access reviews.

Manage users in a team


Within Microsoft Teams there are two user roles: owner and member. By default, a user who creates a
new team is granted the owner status and owners can promote other members to become additional
owners. Independently from a user’s role, owners and members can both have moderator capabilities for
a channel (if moderation has been set up). If a team is created from an existing Microsoft 365 Group,
permissions are inherited.
Owners can add members to their teams. If a team is public then members are also allowed to add
members to the team. In a private Team, members can request additional new members to the Team. The
owners will be informed of the request and can act accordingly.
As an owner you can restrict the creation of tabs, bots, connectors and channels to the owner role. The
table below lists the privileges available to owners and members of a team:

| | Owner | Member |
|---|---|---|
| Create team | Yes | No |
| Leave team | Yes | Yes |
| Edit team name/description | Yes | No |
| Delete team | Yes | No |
| Add channel | Yes | Yes |
| Edit channel name/description | Yes | Yes |
| Delete channel | Yes | Yes |
| Add members | Yes | No |
| Request to add members | N/A | Yes |
| Add tabs | Yes | Yes |
| Add connectors | Yes | Yes |
| Add bots | Yes | Yes |

How to restrict users from creating teams by restricting the creation of Microsoft 365 Groups is
discussed in Module 2-Create and manage Microsoft 365 Groups.
Note: Owners can make other members owners in the View teams option. A team can have up to 100
owners. It’s recommended that you have at least a few owners to help manage the team; this will also
prevent orphaned groups if a sole owner leaves your organization.
It is generally recommended to let the owners of teams manage team specific settings and membership.
They are the people working with the team and know how they want to leverage the capabilities that are
provided for them. Managing a dynamic environment like Microsoft Teams takes up a lot of time and can
be regulated with the options covered in different lessons of this course. This ensures that users stay
within the company set limitations while having the agency to work in a dynamic environment.

Manage membership
There are still reasons for you to add members to a team. Perhaps you need to add an owner to an
orphaned team, or you decided to create department specific teams and restrict users to creating
non-business critical teams only via company policy. Usually you would create department teams as a
team with dynamic membership. How to do this will be discussed in the following topic. If you can’t
create a team with dynamic membership you need to know how to add members using the Teams Admin
Center, the Microsoft Teams PowerShell module, or the Teams Client.

Manage users in a team using Teams Admin Center


You use the Teams admin center to manage users and user roles for a specific team. To do this follow
these steps:
1. Select Teams > Manage teams.
2. On Manage teams pane, select the name of the team to manage the team’s membership.
3. In the teams pane, select the Members tab (it should be selected automatically).
4. On the Members pane, you can either select Add members or change role of a member in the Role
column by selecting the user’s role (either Owner or Member) from a drop-down list.

Manage users in Teams Client


To assign a user role in Teams Client, follow these steps:
1. Select Teams in the left panel.
2. Select Manage teams in the dotted menu to the right of the team name.
3. Select the Members tab.
4. In the Role column of the member list, select the role to pick the user's new role from a drop-down list.

Manage users in PowerShell


You can use the Add-TeamUser cmdlet in the Microsoft Teams PowerShell module to add users to a
team. For example, use the following cmdlet to add the user Alex.Wilber@contoso.com to a team called
CxO Team and assign him the Owner user role:
Get-Team -DisplayName "CxO Team" | Add-TeamUser -User Alex.Wilber@contoso.com -Role Owner

In order to manage users in teams, you have the following cmdlets available in the Microsoft Teams
PowerShell module:
●● Add-TeamUser
●● Remove-TeamUser
For additional information see Assign team owners and members in Microsoft Teams [4].

Configure dynamic membership


Microsoft Teams supports dynamic membership of Teams members by leveraging the dynamic
membership feature in Azure Active Directory. Dynamic membership enables you to define members of a team by
one or more rules that check for certain user attributes in Azure Active Directory (Azure AD). Users are
automatically removed or added to the designated teams as user attributes change or users join and leave
the tenant.

[4] https://docs.microsoft.com/en-us/microsoftteams/assign-roles-permissions

With dynamic membership you can set up teams for certain cohorts of users in your organization.
Possible scenarios include:
●● A hospital can create distinct teams for nurses, doctors, and surgeons to broadcast communications.
This is especially important if the hospital relies on temp employees.
●● A university can create a team for all faculty within a college, including an adjunct faculty that changes
frequently.
●● An airline wants to create a team for each flight (like a Tuesday afternoon non-stop from Chicago to
Atlanta) and have a frequently changing flight crew automatically assigned or removed as needed.
Using this feature, a given team's members update automatically based on a specific set of criteria,
instead of manually managing membership.
Note: Using dynamic groups requires Azure AD Premium P1 licenses for any users in scope.
It may take anywhere from a few minutes up to hours for dynamic membership changes to be reflected once
they take effect in the Microsoft 365 Group for a team.
For dynamic group membership in teams, you must consider the following:


●● Rules can define who is a team member of a team, but not who is a team owner.
●● Owners will not be able to add or remove users as members of the team, since members are defined
by dynamic group rules.
●● Members will not be able to leave teams backed by dynamic groups.

Enable dynamic membership


To enable dynamic membership in a Team you must modify the underlying Microsoft 365 Group's
membership rule using the Azure AD portal or PowerShell. The references to the group will not be changed
if you modify the membership. If the group is used for access, every member added by the dynamic
membership rule will have access to the resources of the group.
There currently is not a way to create a team with dynamic membership directly. You must either create a
team then change the membership rule of the associated Microsoft 365 Group or create a Microsoft 365
Group with dynamic user membership type then create a team from the existing Microsoft 365 Group.
Note: You can also create a dynamic membership rule that applies to devices. In the context of
administrating Teams, you will mainly work with user membership for the team.
Warning: When changing an existing static group to a dynamic group, all existing members are removed
from the group, and then the membership rule is processed to add new members. If the group is used to
control access to apps or resources, be aware that the original members might lose access until the
membership rule is fully processed. You should test the new membership rule beforehand to make sure that
the membership in the group is as expected.

Azure AD Portal
Perform the following steps to change the group membership of an existing Team to a rule based
dynamic membership.
1. Sign into the Azure AD admin center with an account that is a global administrator or a user
administrator in your tenant.
2. Select the search bar from the top of the page, type Azure Active Directory and select it.
3. In the left-pane menu, select Groups.
4. From the All groups list, open the group that you want to change.
5. Select Properties.
6. On the Properties page for your selected group, select a Membership type of Dynamic User.
7. Select Add dynamic query, and then provide the rule.

8. After creating the rule, select Add query at the bottom of the page.
9. Select Save on the Properties page for the group to save your changes. The Membership type of
the group is immediately updated in the group list.

PowerShell
To change the membership type of a group using PowerShell you can use the AzureAD PowerShell
module.
You need to provide a group ID to the cmdlet for it to find the correct Microsoft 365 Group to modify.
You can use the Exchange PowerShell module to look it up, and then define the membership rule:
$groupId = (Get-UnifiedGroup <group_mailaddress>).ExternalDirectoryObjectID
$dynamicMembershipRule = 'user.department -eq "Sales"'

To create the $groupTypes variable, get the group types of the existing group and add the
string "DynamicMembership" to it:
$groupTypes = (Get-AzureAdMsGroup -Id $groupId).GroupTypes
$groupTypes.Add("DynamicMembership")

Then use the following command to switch the group to dynamic membership:
Set-AzureAdMsGroup -Id $groupId -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "On" -MembershipRule $dynamicMembershipRule
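
The warning above recommends testing a membership rule before switching a static group to dynamic, because existing members are removed first. The following added example (not part of the course material) previews the effect of the rule user.department -eq "Sales" by comparing the current members with the users whose department matches. The function names and sample accounts are assumptions made for illustration, the live part assumes the AzureAD module with a Connect-AzureAD session, and the preview covers only this single department comparison, not arbitrary rules.

```powershell
# Added example. The comparison helper runs offline; the live function needs the AzureAD module.

function Compare-DynamicRuleImpact {
    # Hypothetical helper: compares current members with the users a rule would select.
    # Both inputs are lists of user principal names; -in and -notin compare
    # case-insensitively, matching how the rule engine treats strings.
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$CurrentMembers,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$RuleMatches
    )
    [pscustomobject]@{
        WillLoseAccess = @($CurrentMembers | Where-Object { $_ -notin $RuleMatches })
        WillGainAccess = @($RuleMatches    | Where-Object { $_ -notin $CurrentMembers })
        Unchanged      = @($CurrentMembers | Where-Object { $_ -in $RuleMatches })
    }
}

function Get-DepartmentRuleImpact {
    # Hypothetical wrapper: reads the live group and directory, then compares.
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$Department
    )
    # Current members of the Microsoft 365 Group behind the team (users only).
    $current = Get-AzureADGroupMember -ObjectId $GroupId -All $true |
        Where-Object { $_.ObjectType -eq 'User' } |
        ForEach-Object { $_.UserPrincipalName }

    # Users the rule user.department -eq "<Department>" would select.
    # Filtering client-side keeps the comparison identical to PowerShell's -eq.
    $matching = Get-AzureADUser -All $true |
        Where-Object { $_.Department -eq $Department } |
        ForEach-Object { $_.UserPrincipalName }

    Compare-DynamicRuleImpact -CurrentMembers @($current) -RuleMatches @($matching)
}

# Constructed sample data (not real tenant data) to show the result offline.
$currentMembers = @('alex.wilber@contoso.com', 'contractor1@contoso.com', 'sales1@contoso.com')
$ruleMatches    = @('Sales1@contoso.com', 'sales2@contoso.com')
$impact = Compare-DynamicRuleImpact -CurrentMembers $currentMembers -RuleMatches $ruleMatches
$impact | Format-List

# Live use, with $groupId looked up as shown on the page:
# Get-DepartmentRuleImpact -GroupId $groupId -Department 'Sales' | Format-List
```

Review the WillLoseAccess list before running Set-AzureAdMsGroup: those accounts are removed when the rule is processed and return only if their attributes change to match it.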

Create a dynamic membership rule


You can build a rule from one or more expressions. A single expression has the format Property
Operator Value. For example: user.department -eq "Sales". If you want to add multiple expressions to
a single rule, combine them with a logical operator such as -and and keep every expression in its own
parentheses:
(user.department -eq "Sales") -and (user.department -eq "Marketing")
There are three types of properties that can be used to construct a membership rule.
●● Boolean
●● String
●● String collection
The supported operators are:

| Operator | Syntax |
|---|---|
| Not Equals | -ne |
| Equals | -eq |
| Not Starts With | -notStartsWith |
| Starts With | -startsWith |
| Not Contains | -notContains |
| Contains | -contains |
| Not Match | -notMatch |
| Match | -match |
| In | -in |
| Not In | -notIn |

The values used in an expression may consist of several types, including:
●● Strings
●● Boolean – true, false
●● Numbers
●● Arrays – number array, string array
When specifying a value within an expression, it is important to use the correct syntax to avoid errors.
Some syntax tips include:
●● Double quotes are optional unless the value is a string.
●● String and regex operations are not case sensitive.
●● When a string value contains double quotes, both quotes should be escaped using the backtick character (`),
for example, user.department -eq `"Sales`" is the proper syntax when “Sales” is the value.
●● You can also perform Null checks, using null as a value, for example, user.department -eq null.
For additional information see Dynamic membership rules for groups in Azure Active Directory [5].

[5] https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

Manage user access with Azure AD access reviews
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group
memberships without needing administrative oversight.
You can create access reviews for different types of scenarios. In this lesson you will learn about creating
access reviews for Teams. You can use Access Reviews for owners to evaluate team members and guests
or for members and guests to review if they still need access to the teams they are members of.

Manage access reviews


Before access reviews can be used in a tenant, they need to be activated. This process is called
onboarding.
To onboard your Azure AD directory to access reviews, follow these steps:
1. Sign into the Azure portal as a Global administrator or User administrator of your directory, where you
want to use access reviews.
2. Select the search bar from the top of the page, type Azure Active Directory and select it.
3. In the left-pane menu, select Identity Governance.
4. In the Identity Governance menu, select Access reviews.

5. On the page, click the Onboard now button to use Access reviews for teams in your tenant.

As soon as the upper right dialog switches to a green checkmark, with the message “Successfully
onboarded access reviews in <your_tenant>”, onboarding was successfully completed.

Create Access Reviews in Azure Active Directory


To create access reviews, follow these steps.
1. Sign into the Azure portal as a Global administrator or User administrator of your directory, where you
want to use access reviews.
2. Select the search bar from the top of the page, type Azure Active Directory and select it.
3. In the left-pane menu, select Identity Governance.
4. Select Access reviews.
5. Select new access review, to create a new process.
6. Fill out the Form with the desired settings:
●● Review Name: The identifiable name of the review
●● Description: Description of the Review used for identification
●● Start Date: Select when the review will start for the first time
●● Frequency: How often you want the review to be. You can do a One-Time review or schedule a
weekly, monthly, quarterly, semi-annual or annual review.
●● Duration in Days: If you do a One Time review the reviewers have one day to complete the
review. If you schedule a repeating review you can select a duration between one day and up to
five days before the next review begins. For example, in the case of an annual review you can
select up to 360 days to complete it but in the case of a weekly review you can give your reviewers
a maximum of 6 days for completing the review.
●● End: You can specify the end of a review in number of occurrences, to end by a specific date or to
never end.
●● Users to review: In the case of Teams you want to review “Users in a group”. You can also review
users assigned to an app, but this does not have an impact on Teams.
●● Scope: Select if you want the reviewers to only review access of guest users or of all members of
the Team.
●● Group: Select the underlying Microsoft 365 Group to create a review for the Team.
●● Reviewers: You can let owners review their Team, let each member review their own access or
choose specific users to review access to the Team.
●● Program: To better identify Access Reviews you can select a Program the review will be put under.
Programs help auditors select information relevant to them. If you need to review access to
specific Teams because of sensitive information you could create a Program for your security
policies and put the review under that umbrella.
●● Auto apply results: If you select yes, the reviewers' selected recommendations will automatically
be applied after all reviewers have submitted their review or the time is up.
●● If reviewers don’t respond: If there are unreviewed users at the end of a review you can decide
how the automatic application of results should manage these users. Your options are to remove
access, approve access, take the system recommendations or don’t change anything in the current
access levels.
●● Advanced Settings: You can enable if you want to send reminders, send notifications to reviewers
and administrators, show system recommendations to reviewers and force reviewers to provide a
reason for approval of a user.
7. Select Start to start the access review.
For license requirements for Azure AD access reviews, please refer to the link6.

6 https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Manage access for external users


Lesson Introduction
Microsoft Teams allows collaboration beyond the borders of your own organization and tenant. You can
also chat, call and share content with external users and allow your users to invite guests of their choice
to Teams they own.
In this lesson you will learn about the different ways Teams allows you to communicate with external
users.
After this lesson, you will be able to:
●● Explain external access and guest access.
●● Describe how to manage external access and guest access.
●● Manage external access in Azure Active Directory.
●● Configure external access in Microsoft Teams.
●● Manage guest access in Microsoft Teams.

Overview of external access and guest access


There are two ways to collaborate and communicate with people outside of your organization when
using Teams. You can add them as guest users in your tenant, or you can enable external access.

External Access
With Microsoft Teams external access, Teams users from other domains can participate in your chats and
calls. You can also allow external users who are still using Skype for Business Online or Skype for
Business Server to participate.
Use external access when:
●● You have users in different domains in your business: for example, Rob@contoso.com and
Ann@northwindtraders.com.
●● You want the people in your organization to use Teams to contact people in specific businesses
outside of your organization.
●● You want anyone else in the world who uses Teams to be able to find and contact you using your
email address. If you and another user both enable external access and allow each other's domains,
this will work. If it doesn't work, the other user should make sure his or her configuration isn't
blocking your domain.
External access allows external users to find, call, and send you instant messages, as well as set up
meetings with you. However, if you want external users to have access to teams and channels, guest
access is the only mechanism.
Note: You will be able to set up meetings with external users without enabling external access but in that
case, they will join the meeting as unauthenticated users instead of joining with their federated and
authenticated user account.
Managing external access will be covered in a later topic.

Guest Access
A team owner in Microsoft Teams can add and manage guests in their teams via the web, mobile or
desktop client. Anyone with a business or consumer email account, such as Outlook, Gmail, or others, can
participate as a guest in Teams, with full access to team chats, meetings, and files. People outside your
organization, such as partners or consultants, can be added as guests, and people from within your
organization can join as regular team members.
The following functionality is not available for guest users:
●● OneDrive for Business Standalone SKU
●● People search outside of Teams
●● Calendar, Scheduled Meetings, or Meeting Details
●● PSTN calling
●● Organization Chart
●● Create or revise a team
●● Browse for a team
●● Upload files to a person-to-person chat
You can configure the functionality of guest users to limit their permissions inside the teams they are
added to or disable guest access altogether. How to do this for your organization will be discussed later.
While using Teams, text and icons give all team members clear indication of guest participation in a team.
A guest user's name includes the label (Guest), and a channel includes an icon to indicate that there are
guests on the team.

External Access vs. Guest Access


Guest access gives access permission to an individual. External access gives access permission to an
entire domain.
Guest access utilizes your existing licenses when using certain features. Teams doesn't restrict the
number of guests you can add. However, the total number of guests that can be added to your tenant is
based on what your Azure AD licensing allows - usually 5 guests per licensed user. For more information,
see Azure AD B2B collaboration licensing7.
External access allows you to communicate with users from other domains that are already using Teams.
Therefore, they need to provide their own licenses to use Teams.
For more information, please refer to Compare external and guest access8.

Overview of managing access for external users


External users are guest users that get invited to collaborate inside your tenant.
This differs from users you can communicate with using external access (federated users).
You can manage Microsoft Teams guest access features and capabilities through four different levels of
authorization. All the authorization levels apply to your Office 365 tenant. Each authorization level
controls the guest experience as shown below:

7 https://docs.microsoft.com/azure/active-directory/b2b/licensing-guidance
8 https://docs.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations


●● Azure Active Directory: Guest access in Microsoft Teams relies on the Azure AD business-to-business
(B2B) platform. This authorization level controls the guest experience at the directory, tenant, and
application level.
●● Microsoft 365 Groups: Controls the guest experience in Microsoft 365 Groups and Microsoft Teams.
●● Microsoft Teams: Controls the guest experience in Microsoft Teams only.
●● SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online,
OneDrive for Business, Microsoft 365 Groups, and Microsoft Teams.
These different authorization levels provide you with flexibility in how you set up guest access for your
organization. For example, if you don’t want to allow guest users in your Microsoft Teams but want to
allow it overall in your organization, just turn off guest access in Microsoft Teams. As another example, you
could enable guest access at the Azure AD, Teams, and Groups levels, but then disable the addition of
guest users on selected teams that match one or more criteria, such as data classification equals
confidential. SharePoint Online and OneDrive for Business have their own guest access settings that do not rely on
Microsoft 365 Groups.
Note: Technically, a guest user is a new user object in your Azure AD tenant. First, you can
allow or restrict the creation of new guest objects in your tenant, and then you can control whether guest
access is allowed or whether there are additional dependencies to access different locations, such as Teams,
Groups and SharePoint.
The following diagram shows how guest access authorization dependency is granted and integrated
between Azure Active Directory, Microsoft Teams, and Office 365.

This means that if you disable guest access at any point in the chain every App down the line will inherit
the restriction and you will not be able to create or let your users create new Teams.

Azure Active Directory


Use Azure AD to determine whether external collaborators can be invited into your tenant as guests, and
in what ways. It is possible to restrict the creation of new guests to guest inviters only or to individual
domains. If guest access is restricted to a single domain or to guest inviters only, this restriction is the
boundary for guest access in other services.

Microsoft 365 Groups


In the Microsoft 365 Group settings you can control whether Group owners can add guest users to their
groups and teams. This will not remove existing guests from your groups. You can also control if added
guests have access to the shared content of the group or whether their access is limited to content
specifically shared with them.
Note: These settings apply on a tenant level and can’t be enabled for a subset of groups.

Teams Admin Center


In Teams, you can control whether the guest experience is enabled or disabled for your Teams
organization. The setting is disabled by default and applies at the tenant level for Teams. You can also configure
permissions for guest users in your teams like Audio/Video settings and screen sharing capabilities.

SharePoint Online and OneDrive for Business


Teams relies on SharePoint Online and OneDrive for Business to store files and documents for channels
and chat conversations. For Teams you need to allow sharing with guest users on this level or the guests
will not have access to content stored in the Teams document libraries.

Manage external collaboration in Azure AD


Because guest invitations create guest objects in your Azure AD tenant, the external collaboration
settings in Azure AD are the most restrictive and control the guest experience for the tenant and all
applications. To configure these settings in the Azure portal, go to Active Directory > Users > User
settings, and under External users, select Manage external collaboration settings.

Azure AD includes the following settings to configure external users:


●● Guest user permissions are limited:

●● Yes means that guests don't have permission for certain directory tasks, such as enumerate users,
groups, or other directory resources. In addition, guests can't be assigned to administrative roles in
your directory.
●● No means that guests have the same access to directory data that regular users have in your
directory.
●● Admins and users in the guest inviter role can invite:

●● Yes means that admins and users in the guest inviter role will be able to invite guests to the
tenant.
●● No means admins and users can't invite guests to the tenant.
●● Members can invite:

●● Yes means that non-admin members of your directory can invite guests to collaborate on
resources secured by your Azure AD, such as SharePoint sites or Azure resources.
●● No means that only admins and guest inviters can invite guests to your directory.
●● Guests can invite:

●● Yes means that guests in your directory can invite other guests to collaborate on resources
secured by your Azure AD, such as SharePoint sites or Azure resources.
●● No means that guests can't invite other guests to collaborate with your organization.
●● Enable Email One-Time Passcode for guests (Preview): The Email one-time passcode feature
authenticates B2B guest users when they can't be authenticated through other means like Azure AD, a
Microsoft account (MSA), or Google federation. With one-time passcode authentication, there's no
need to create a Microsoft account. When the guest user redeems an invitation or accesses a shared
resource, they can request a temporary code, which is sent to their email address.
●● Collaboration restrictions:

●● Allow invitations to be sent to any domain (most inclusive) means there is no restriction on
the guest’s domain, and everyone can be invited.
●● Deny invitations to the specified domains is a blacklist setting that allows all domains except
those on the defined list.
●● Allow invitations only to the specified domains (most restrictive) is a whitelist setting that
allows you to invite guests only from the defined domains.
Note: Guest Inviter Role is an Azure AD user role that permits a user to invite additional guests to your
tenant and create guest objects in Azure AD.
Adding the user guest account manually to Azure AD B2B is not required, as the account will be added to
the directory automatically when you add the guest to Teams.

Restrict guest domains


You can use an allow list or a deny list to allow or block invitations to B2B users from specific organiza-
tions. For example, if you want to block personal email address domains, you can set up a deny list that
contains domains like Gmail.com and Outlook.com. Or, if your business has a partnership with other
businesses like Contoso.com, Fabrikam.com, and Litware.com, and you want to restrict invitations to only
these organizations, you can add Contoso.com, Fabrikam.com, and Litware.com to your allow list.
These are some things you must consider, when creating an allow/deny list (whitelist/blacklist):
●● You can create either an allow list or a deny list. You can't set up both types of lists. By default,
whatever domains are not in the allow list are on the deny list, and vice versa.
●● You can create only one policy per organization. You can update the policy to include more domains,
or you can delete the policy to create a new one.
●● The number of domains you can add to an allow list or deny list is limited only by the size of the
policy. The maximum size of the entire policy is 25 KB (25,000 characters), which includes the allow list
or deny list and any other parameters configured for other features.
●● This list works independently from OneDrive for Business and SharePoint Online allow/block lists. If
you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or deny
list for OneDrive for Business and SharePoint Online.
●● The list does not apply to external users who have already redeemed the invitation and already
have a guest account in Azure AD. The list will be enforced after the list is set up. If a user invitation is
in a pending state, and you set a policy that blocks their domain, the user's attempt to redeem the
invitation will fail.

Add a deny list


This is the most typical scenario, where your organization wants to work with almost any organization but
wants to prevent users from specific domains from being invited as B2B users.
To add a deny list:
1. Sign into the Azure portal.
2. Select the search bar from the top of the page, type Azure Active Directory and select the first
search result.
3. Select Azure Active Directory > Users > User settings.
4. Under External users, select Manage external collaboration settings.
5. Under Collaboration restrictions, select Deny invitations to the specified domains.
6. Under TARGET DOMAINS, enter the name of one of the domains that you want to block. For multiple
domains, enter each domain on a new line.
7. When you're done, click Save.
After you set the policy, if you try to invite a user from a blocked domain, you receive a message saying
that the domain of the user is currently blocked by your invitation policy.

Add an allow list


This is a more restrictive configuration, where you can set specific domains in the allow list and restrict
invitations to any other organizations or domains that aren't mentioned.
If you want to use an allow list, make sure that you spend time to fully evaluate what your business needs
are. If you make this policy too restrictive, your users may choose to send documents over email, or find
other non-IT sanctioned ways of collaborating.
To add an allow list:
1. Sign into the Azure portal.
2. Select the search bar from the top of the page, type Azure Active Directory and select the first
search result.
3. Select Azure Active Directory > Users > User settings.
4. Under External users, select Manage external collaboration settings.
5. Under Collaboration restrictions, select Allow invitations only to the specified domains (most
restrictive).
6. Under TARGET DOMAINS, enter the name of one of the domains that you want to allow. For multiple
domains, enter each domain on a new line. For example:

7. When you're done, click Save.


After you set the policy, if you try to invite a user from a domain that's not on the allow list, you receive a
message saying that the domain of the user is currently blocked by your invitation policy.

PowerShell
You can also set the Allow/Deny List policy using the AzureAD Preview PowerShell module and the
New-AzureADPolicy and Set-AzureADPolicy cmdlets.
This will require four steps:
1. Create the JSON for the policy definition you will need in the next step:
# Policy definition: empty allow list, deny list containing contoso.com
$policyValue = @("{`"B2BManagementPolicy`":{`"InvitationsAllowedAndBlockedDomainsPolicy`":{`"AllowedDomains`": [],`"BlockedDomains`": [`"contoso.com`"]}}}")

2. Create the new policy using:
New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy -Type B2BManagementPolicy

3. To get the policy ID, use Get-AzureADPolicy and select the correct policy based on the Type
and DisplayName:
$currentpolicy = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' } | Select-Object -First 1

4. Then you can set the policy using the ID you just got:
Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id

After this your new allow or deny list is active and guest invitations are restricted to the domains you
specified in the first step.
Note: The *-AzureADPolicy cmdlets work only in the AzureAD PowerShell module, version
2.0.2.53 and newer.
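Before a definition is passed to New-AzureADPolicy or Set-AzureADPolicy, it can be checked offline against the rules listed under "Restrict guest domains". The following is an added example, not part of the course material: the function names and invitee addresses are constructed, and matching on the exact domain part of the address is an assumption.

```powershell
# Added example: offline pre-flight check for a B2BManagementPolicy definition.
# Function names and invitee addresses are constructed; nothing here calls Azure AD.

function Get-B2BDomainPolicy {
    param([Parameter(Mandatory)][string]$Definition)

    $problems = @()
    # The page gives 25,000 characters as the maximum size of the entire policy.
    if ($Definition.Length -gt 25000) {
        $problems += "Definition is $($Definition.Length) characters; the limit is 25,000."
    }

    $rules = $null
    try {
        $parsed = $Definition | ConvertFrom-Json -ErrorAction Stop
        $rules  = $parsed.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
    } catch {
        $problems += "Definition is not valid JSON: $($_.Exception.Message)"
    }

    # Normalize both lists; a missing or empty list becomes an empty array.
    $allowed = @($rules.AllowedDomains | Where-Object { $_ } |
        ForEach-Object { "$_".Trim().ToLowerInvariant() })
    $blocked = @($rules.BlockedDomains | Where-Object { $_ } |
        ForEach-Object { "$_".Trim().ToLowerInvariant() })

    # Either an allow list or a deny list can be set up, never both.
    if ($allowed.Count -gt 0 -and $blocked.Count -gt 0) {
        $problems += 'AllowedDomains and BlockedDomains are both populated; choose one list type.'
    }

    $mode = if ($allowed.Count -gt 0) { 'AllowList' }
            elseif ($blocked.Count -gt 0) { 'DenyList' }
            else { 'Open' }

    [pscustomobject]@{ Mode = $mode; Allowed = $allowed; Blocked = $blocked; Problems = $problems }
}

function Test-B2BInvitation {
    param(
        [Parameter(Mandatory)][string]$Definition,
        [Parameter(Mandatory)][string[]]$Invitee
    )

    $policy = Get-B2BDomainPolicy -Definition $Definition
    if ($policy.Problems.Count -gt 0) {
        throw ("Fix the policy first: " + ($policy.Problems -join ' '))
    }

    foreach ($address in $Invitee) {
        # Assumption: the decision is made on an exact match of the domain part.
        $domain = ($address -split '@')[-1].Trim().ToLowerInvariant()
        $permitted = switch ($policy.Mode) {
            'AllowList' { $policy.Allowed -contains $domain }     # everything else is denied
            'DenyList'  { $policy.Blocked -notcontains $domain }  # everything else is allowed
            default     { $true }                                 # no restriction configured
        }
        [pscustomobject]@{
            Invitee           = $address
            Domain            = $domain
            Mode              = $policy.Mode
            InvitationAllowed = $permitted
        }
    }
}

# Constructed sample definitions, using the fictitious domains from this lesson.
$denyList  = '{"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":{"AllowedDomains":[],"BlockedDomains":["contoso.com"]}}}'
$allowList = '{"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":{"AllowedDomains":["fabrikam.com","litware.com"]}}}'
$bothLists = '{"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":{"AllowedDomains":["fabrikam.com"],"BlockedDomains":["contoso.com"]}}}'

# Constructed invitee addresses.
$invitees = 'rob@contoso.com', 'ann@northwindtraders.com', 'pat@fabrikam.com'

Test-B2BInvitation -Definition $denyList  -Invitee $invitees | Format-Table -AutoSize
Test-B2BInvitation -Definition $allowList -Invitee $invitees | Format-Table -AutoSize

# A definition that populates both lists is reported instead of evaluated.
(Get-B2BDomainPolicy -Definition $bothLists).Problems
```

The check covers new invitations only; as noted above, the list does not apply to guests who already redeemed an invitation.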

Manage external access in Microsoft Teams


External access lets your Teams and Skype for Business users communicate with other users who are
outside of your organization. This setting is not influenced by enabling, disabling or limiting Guest access
in Azure AD. By default, your organization can communicate with all external domains, without any
restrictions. Configuring blocked domains or allowed domains restricts communication according to the
blacklisted or whitelisted domains.
Configuring external access for organizations includes three scenarios for setting it up:
●● Scenario 1 - You can use OPEN FEDERATION. This is the default setting and it lets people in your
organization find, call, and send IM/Chats, as well as set up meetings with people external to your
organization. When you use this set up, your users can communicate with ALL external domains that
are running Teams or Skype for Business AND are using Open Federation or have added your domain
to the allow list.
●● Scenario 2 - You can add a domain or domains to the ALLOW list. To do this, click Add a domain,
add the domain name, click Action to take on this domain, and then select Allowed. It's important
to know that if you do this it will BLOCK all other domains.
●● Scenario 3 - You can add a domain or domains to the BLOCK list. To do this, click Add a domain, add
the domain name, click Action to take on this domain, and then select Blocked. It's important to
know that if you do this it will ALLOW all other domains.
Follow these steps to allow or block domains:
1. Open the Teams admin center.
2. In the left navigation, select Org-wide settings > External access.
3. Toggle the Users can communicate with Skype for Business and Teams users switch.

4. If you want to allow all Teams organizations to communicate with users in your organization, skip to
step 6.
5. If you want to limit the external organizations that can communicate with users in your organization,
you can either allow all except some domains, or you can allow only specific domains.
●● To allow all except some domains, add the domains you want to block by clicking Add domain. In
the Add a domain pane, type the domain name, click Blocked, and then click Done.
●● To limit communications to specific organizations, add those domains to the list with a status of
Allowed. Once you have added any domain to the Allow list, communications with other
organizations will be limited to only those organizations whose domains are in the Allow list.
6. Select Save.
7. Finally, make sure the admin in the other Teams organization completes these same steps and either
adds the domain for your business to their allow list or makes sure it is not on their block list.
You should now be able to chat with external users using their email address and adding them as a
contact. You can verify if federation is working by sending a chat message to an external user via Teams
and getting a response.
Note: If you allow federation, your users will only be able to use 1-on-1-chat, voice/video calls and set up
meetings with external users.
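The three scenarios and step 7 combine into a two-sided check: a chat works only when each organization's settings permit the other's domain. The following added example models that locally; it is not part of the course material, the organization records and function names are constructed, and it does not read any tenant configuration.

```powershell
# Added example: local model of the external access scenarios described above.
# Organization records, domains and function names are constructed for illustration.

function Test-OrgPermitsDomain {
    param(
        [Parameter(Mandatory)][hashtable]$Org,
        [Parameter(Mandatory)][string]$Domain
    )

    if (-not $Org.ExternalAccessOn) { return $false }                # toggle from step 3 is off
    $d       = $Domain.Trim().ToLowerInvariant()
    $allowed = @($Org.Allowed | Where-Object { $_ })
    $blocked = @($Org.Blocked | Where-Object { $_ })

    if ($allowed.Count -gt 0) { return ($allowed -contains $d) }     # Scenario 2: all others blocked
    if ($blocked.Count -gt 0) { return ($blocked -notcontains $d) }  # Scenario 3: all others allowed
    return $true                                                     # Scenario 1: open federation
}

function Test-FederationPath {
    param(
        [Parameter(Mandatory)][hashtable]$Local,
        [Parameter(Mandatory)][hashtable]$Remote
    )

    $localPermits  = Test-OrgPermitsDomain -Org $Local  -Domain $Remote.Domain
    $remotePermits = Test-OrgPermitsDomain -Org $Remote -Domain $Local.Domain
    [pscustomobject]@{
        Local          = $Local.Domain
        Remote         = $Remote.Domain
        LocalPermits   = $localPermits
        RemotePermits  = $remotePermits
        CanCommunicate = ($localPermits -and $remotePermits)         # both sides must agree
    }
}

# Constructed organizations.
$contoso  = @{ Domain = 'contoso.com'; ExternalAccessOn = $true; Allowed = @(); Blocked = @() }
$partners = @(
    @{ Domain = 'northwindtraders.com'; ExternalAccessOn = $true; Allowed = @('contoso.com'); Blocked = @() },
    @{ Domain = 'fabrikam.com';         ExternalAccessOn = $true; Allowed = @();              Blocked = @() },
    @{ Domain = 'litware.com';          ExternalAccessOn = $true; Allowed = @();              Blocked = @('contoso.com') }
)

# Open federation on the Contoso side: only the partner that blocks Contoso fails.
$partners | ForEach-Object { Test-FederationPath -Local $contoso -Remote $_ } | Format-Table -AutoSize

# Adding a single Allowed domain on the Contoso side blocks every other partner.
$contosoAfter = $contoso.Clone()
$contosoAfter.Allowed = @('northwindtraders.com')
$partners | ForEach-Object { Test-FederationPath -Local $contosoAfter -Remote $_ } | Format-Table -AutoSize
```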

Manage guest access in Microsoft Teams


You can add guests at the tenant level, set and manage guest user policies and permissions, and view
reports on guest user activity. These controls are available through the Microsoft Teams admin center.
Guest user content and activities are under the same compliance and auditing protection as the rest of
Office 365.
Important: Even if you activate Guest access in Teams you have to make sure that Guest access is
enabled in Azure AD.

Teams Admin Center


If you want to set guest permissions on a tenant level, you should use the Teams Admin Center to
configure global guest access permissions:
1. Sign into the Microsoft Teams admin center.
2. Select Org-wide settings > Guest access.
3. Set the Allow guest access in Microsoft Teams toggle switch to On.

4. Set the toggles under Calling, Meeting, and Messaging to On or Off, depending on the capabilities
you want to allow for guest users.
●● Make private calls – Turn this setting On, to allow guests to make peer-to-peer calls.
●● Allow IP video - Turn this setting On, to allow guests to use video in their calls and meetings.
●● Screen sharing mode – This setting controls the availability of screen sharing for guest users.
●● Turn this setting to Disabled to remove the ability for guests to share their screens in Teams.
●● Turn this setting to Single application to allow sharing of individual applications.
●● Turn this setting to Entire screen to allow complete screen sharing.
●● Allow Meet Now – Turn this setting On, to allow guests to use the Meet Now feature in Microsoft
Teams.
●● Edit sent messages - Turn this setting On, to allow guests to edit messages they previously sent.
●● Guests can delete sent messages – Turn this setting On, to allow guests to delete messages they
previously sent.
●● Chat – Turn this setting On, to give guests the ability to use chat in Teams.
●● Use Giphys in conversations – Turn this setting On, to allow guests to use Giphys in
conversations. Giphy is an online database and search engine that allows users to search for and share
animated GIF files. Each Giphy is assigned a content rating.
●● Giphy content rating – Select a rating from the drop-down list:
●● Allow all content - Guests will be able to insert all Giphys in chats, regardless of the content
rating.
●● Moderate - Guests will be able to insert Giphys in chats but will be moderately restricted from
adult content.
●● Strict – Guests will be able to insert Giphys in chats but will be restricted from inserting adult
content.
●● Use memes in conversations - Turn this setting On to allow guests to use Memes in
conversations.
●● Use Stickers in conversations – Turn this setting On to allow guests to use stickers in
conversations.
5. Click Save.

PowerShell
You can also use the Skype for Business Online PowerShell module and the
Set-CsTeamsClientConfiguration cmdlet to toggle guest access. For example, to allow guest users globally,
run the following cmdlet:
Set-CsTeamsClientConfiguration -AllowGuestUser $True -Identity Global

If you want to limit guest user capabilities in a subset of teams you can use the Microsoft Teams
PowerShell module and the Set-Team cmdlet. This lets you configure the same limitations as the Teams Admin
Center but instead of restricting it for all Teams you can focus on a single team. This can be useful if you
need to create a Team for your external consultants to exchange information without disrupting the
structure you gave them.

Analytics and Reports


You can track guest additions in Azure AD or the Office 365 Security & Compliance Center. Adding a
guest in Microsoft Teams is audited and logged as an Azure AD group administration activity “Added
member to group”.
You can also use the Teams usage report in the Analytics & Reports sections in the Teams Admin Center
to see the guests that are using your organization’s Teams.
Module 5 Manage collaboration in Microsoft Teams

Manage chat and collaboration experiences


Lesson Introduction
Microsoft Teams provides a variety of different policies for managing collaboration between users within
teams and channels. You can control the general abilities of users to use chat, edit or delete their sent
messages in conversations, and configure the collaboration features and settings that are available to
them.
In this lesson you will learn about the policies and settings to manage collaboration in teams.
After this lesson, you will be able to:
●● Create and modify messaging policies
●● Design teams’ policies for channel creation and discovery
●● Configure the organization-wide settings for teams
●● Manage the creation of private channels within the Teams client
●● Control the email integration of teams
●● Organize the file sharing functions from the Teams client
●● Understand how to set up channel moderation in teams

Manage messaging policies


Messaging policies are used to control chat and channel messaging features for users. They can provide
and deny messaging actions for users, such as the possibility to delete sent messages, access to Memes,
Stickers, and Giphys, or the ability of users to remove other users from a group chat.
All users are assigned to the Global (Org-wide default) policy by default. Additional custom policies can
be created and assigned to individual users, but any user can only be assigned to one messaging policy at a
time.

Messaging policies are managed from the Microsoft Teams admin center and through the Skype for
Business Online PowerShell cmdlets.

Messaging policy settings


Messaging policies can be used to activate or deactivate messaging features, and to configure or enforce
messaging settings. This includes chat and conversations.
The following table provides an overview of available messaging policy settings.

Setting | Description
Owners can delete sent messages | Controls whether owners can delete messages sent by other users.
Users can delete sent messages | Controls whether users can delete their own sent messages.
Users can edit sent messages | Controls whether users can edit their own sent messages.
Read receipts | User controlled lets the user configure whether to receive read receipts or not. On for everyone enforces read receipts for all affected users, without the option to turn them off. Off for everyone deactivates read receipts for all affected users, without the option to activate them.
Chat | Controls whether users can use chat in teams. Note: Does not affect the ability to participate in conversations.
Use Giphys in conversations | Controls whether users can use Giphy animated GIF files in chat conversations.
Giphy content rating | No restriction means that all content is permitted without any restrictions. Moderate allows inserting images with up to a moderate content rating for adult content. Strict allows only Giphy images without any rating for adult content.
Use Memes in conversations | Controls whether users can use Memes in chat conversations.
Use Stickers in conversations | Controls whether users can use Stickers in chat conversations.
Allow URL previews | Controls whether URLs from chat conversations are previewed or not.
Allow users to translate messages | Controls whether users can have chat messages translated automatically into their configured language.
Allow immersive reader for viewing messages | Controls whether users can view messages in Microsoft Immersive Reader.
Users can send notifications | Controls whether users can send priority notifications. Note: Priority notifications notify users every 2 minutes for a period of 20 minutes or until messages are picked up and read by the recipient.
Voice message creation | Allowed in chats and channels permits users to leave voice messages in both chats and channels. Allowed in chats only allows users to leave voice messages in chats, but not in channels. Disabled restricts users from creating voice messages in chats or channels.
On mobile devices, display favorite channels above recent chats | Controls whether favorite channels are moved to the top of the mobile device screen for mobile users.
Allow a user to remove users from a group chat | Controls whether users can remove other users from a group chat.
Important: Some of these settings, such as using Giphys, can also be configured at the team level by team
owners and at the private channel level by private channel owners.

Create new messaging policies


If different settings for individual users are required, such as when an organization wants to deny regular
users the ability to delete sent messages, a Teams admin must create a new messaging policy and assign
it to a user.
To create a new messaging policy in the Teams admin center and assign it to a user, you should perform
the following steps:
1. In Teams Admin Center, in the left-hand navigation pane, select Messaging Policies.
2. Select + Add from the top pane.
3. In the Messaging policies / Add window, enter the following:
●● New messaging policy - A name for the policy
●● Description - A description for the policy
●● All settings desired in the white box
4. Select Save to create the new messaging policy.
After creating a new messaging policy, it will be displayed in the Messaging policies window, where it will
be ready for assignment to individual users.
To assign the newly created policy to a user, you should perform the following steps:
1. In Teams Admin Center, in the left-hand navigation pane, select Users, and then select a user the
new policy should be assigned to.
2. Select Policies from the top pane.
3. Select Edit right beside Assigned policies.
4. Use the drop-down menu below Messaging policy to select the newly created messaging policy.
5. Select Apply.
The new messaging policy is now assigned to the user, and its configured settings can take up to
24 hours to be applied.

Note: Policies can only be assigned to users and not to groups. If a messaging policy must be assigned to
multiple users, the assignment must be done with a PowerShell script or by policy packages, which are
covered shortly.

Modify or delete existing policies


When changes to an existing messaging policy are required, or if the Global policy settings need to be
changed, they can be edited, or in the case of custom policies, they can be deleted.
Note: The default Global (Org-wide default) policy cannot be deleted, but it can be reset to default
settings.
To modify policies or delete them, you should perform the following steps:
1. In Teams Admin Center, in the left-hand navigation pane, select Messaging Policies.
2. For the policy that you want to modify or delete, select the check box that appears to the left of the
policy. Then select one of the following options:
●● Select Edit to modify the policy.
●● Select Duplicate to create a copy of the selected policy with a “copy” suffix.
●● Select Delete to remove the policy.
●● Select Reset Global Policy to restore factory default settings of the Global (Org-wide default)
policy.
●● Select Manage users to directly assign the policy to a user.
Note: It is not possible to delete a messaging policy that still has any users assigned to it. You will receive
an error message if you attempt to delete an assigned messaging policy.

Manage messaging policies using PowerShell


The required cmdlets to work with messaging policies are available in the Skype for Business Online
module. These cmdlets include:
●● Get-CsTeamsMessagingPolicy
●● New-CsTeamsMessagingPolicy
●● Set-CsTeamsMessagingPolicy
●● Grant-CsTeamsMessagingPolicy
●● Remove-CsTeamsMessagingPolicy
For example, to show the currently configured settings from the Global (Org-wide default) messaging
policy, you can use the following cmdlet:
Get-CsTeamsMessagingPolicy Global

Manage teams policies for channels


Teams policies control how users can interact with teams and channels. This includes the availability of
features for teams; for example, whether private teams are discovered in the search results, and whether
users can create private teams.
If users are not assigned a custom policy, the default global policy controls the available features. A user
can only be assigned to one team policy at a time.
Note: Policy changes can take up to 24 hours to take effect.
Teams policies are managed from the Microsoft Teams admin center and through the SharePoint Online
PowerShell cmdlets.

Teams policy settings


Teams policies can be controlled by the following settings:
●● Discover private teams. This setting controls whether users can see private teams in the gallery view,
which enables users to request access to a team.
●● Create private channels. This setting controls whether users can create private channels.
●● Restrict the creation of org-wide teams. This setting controls whether users are restricted from
creating organization-wide teams. This setting is only available through PowerShell.

Create a new Teams policy


A custom Teams policy is required when only a limited group of users should be allowed to perform
certain actions within Teams; for example, if only management personnel are allowed to create private
channels.
To create a new Teams policy, you should perform the following steps:
1. In Teams Admin Center, in the left-hand navigation pane, select Teams, and then in the Teams
group, select Teams Policies.
2. Select +Add from the top pane.
3. In the add a new policy window, enter the required fields and settings.
4. Select Save.
After a new Teams policy is created, it must be assigned to users. Assigning a new Teams policy to a user
replaces either the existing default policy or an existing custom policy for that user. This step can be done
through the Users settings, like the messaging policy, or directly from the Teams policies window, by
performing these steps:
1. In Teams Admin Center, in the left-hand navigation pane, select Teams Policies.
2. Select the check box to the left of a policy and then select Manage users from the top pane.
3. Type at least three characters into the search field and select the Add button that appears to the right
of the desired user’s display name.
4. The user is now listed below Users to add.
5. Select Apply to finish the process.

Note: Like messaging policies, team policies cannot be assigned to multiple users or groups, but only to
single users. To assign a custom team policy to multiple users, use PowerShell scripts or policy packages,
which are covered in a later lesson.

Modify a Teams policy


After creating a custom policy, administrators may want to modify the default Global (Org-wide default)
policy to allow only a limited scope of users the ability to create private channels.
To change the default Teams policy, you should perform the following steps:
1. In Teams Admin Center, in the left-hand navigation pane, select Teams Policies.
2. Select the Global (Org-wide default) policy.
3. In the right-hand pane, select the Create private channels slider and move it to Off.
4. Select Apply.
With this setting, only users who are assigned a custom policy can create private channels.

Manage Teams policies using PowerShell


A custom Teams policy can be deleted if it is no longer required. Like the other Teams policy management
tasks, these operations can also be carried out through the Skype for Business Online PowerShell.
For example, you should run the following command to create a new Teams policy that allows the
creation of org-wide teams and private team discovery, but that also restricts the creation of private
channels in Teams:
New-CsTeamsChannelsPolicy -Identity "IT-Department" `
    -Description "All members of the IT-Department" `
    -AllowOrgWideTeamCreation:$true `
    -AllowPrivateTeamDiscovery:$true `
    -AllowPrivateChannelCreation:$false

The following cmdlets are available to work with Teams policies:


●● Get-CsTeamsChannelsPolicy
●● Grant-CsTeamsChannelsPolicy
●● New-CsTeamsChannelsPolicy
●● Remove-CsTeamsChannelsPolicy
●● Set-CsTeamsChannelsPolicy
Note: The PowerShell cmdlets provide an additional parameter that is not visible in the Teams Admin
Center. This parameter is -AllowOrgWideTeamCreation, and it controls whether users can create
org-wide teams.
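
The bulk assignment that the notes on messaging policies and Teams policies point to, as an added example that is not part of the course material: it creates a policy for the "deny deleting sent messages" scenario, grants it together with the IT-Department Teams policy to a list of users, and checks for remaining assignments before a policy is removed. The policy name NoDeleteSentMessages, the UPNs and the helper function name are assumptions, and the session is assumed to be already connected to the tenant.

```powershell
# Added example, not course material. Assumes a PowerShell session that is
# already connected to the tenant and exposes the CsTeams* cmdlets listed above.
# Policy name, description and UPNs are constructed placeholders.

$ErrorActionPreference = 'Stop'

$MessagingPolicy = 'NoDeleteSentMessages'   # hypothetical policy name
$ChannelsPolicy  = 'IT-Department'          # Teams policy from the page's own example; must exist
$Users = @(
    'adele.vance@contoso.com',              # constructed UPNs
    'alex.wilber@contoso.com'
)

# 1. Create the messaging policy only if it is missing, so the script can be
#    re-run. Custom policies are listed with the identity "Tag:<name>".
$existing = Get-CsTeamsMessagingPolicy |
    Where-Object { $_.Identity -eq "Tag:$MessagingPolicy" }
if (-not $existing) {
    New-CsTeamsMessagingPolicy -Identity $MessagingPolicy `
        -Description 'Regular users cannot delete sent messages' `
        -AllowUserDeleteMessage $false | Out-Null
}

# 2. Policies are granted per user, so loop over the list and keep a record
#    of every failure instead of stopping at the first one.
$results = foreach ($upn in $Users) {
    try {
        Grant-CsTeamsMessagingPolicy -Identity $upn -PolicyName $MessagingPolicy
        Grant-CsTeamsChannelsPolicy  -Identity $upn -PolicyName $ChannelsPolicy
        [pscustomobject]@{ User = $upn; Status = 'Granted'; Error = $null }
    }
    catch {
        [pscustomobject]@{ User = $upn; Status = 'Failed'; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# 3. Confirm what is recorded on each account. The settings themselves can
#    still take up to 24 hours to reach the clients.
$Users |
    ForEach-Object { Get-CsOnlineUser -Identity $_ } |
    Select-Object UserPrincipalName, TeamsMessagingPolicy, TeamsChannelsPolicy |
    Format-Table -AutoSize

# 4. A policy that still has users assigned cannot be deleted. This helper
#    (hypothetical name) reports the remaining users instead of failing.
function Remove-MessagingPolicyWhenUnused {
    param([Parameter(Mandatory)][string]$PolicyName)

    $assigned = @(Get-CsOnlineUser -Filter "TeamsMessagingPolicy -eq '$PolicyName'")
    if ($assigned.Count -gt 0) {
        Write-Warning "$PolicyName is still assigned to $($assigned.Count) user(s); not removed."
        return $assigned.UserPrincipalName
    }
    Remove-CsTeamsMessagingPolicy -Identity $PolicyName
}

# To move a user back to the Global (Org-wide default) policy before removal:
# Grant-CsTeamsMessagingPolicy -Identity 'adele.vance@contoso.com' -PolicyName $null
```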

Manage teams settings


Managing Teams settings includes several options to control basic features of Microsoft Teams, including
notifications and feeds, email integration, cloud storage options, and devices. These settings are
organization-wide settings and apply to all users and teams in an organization.

Available Teams settings


The following table identifies the available settings for all teams in your organization:
| Setting | Area | Description | Configure when… |
| --- | --- | --- | --- |
| Suggested feeds can appear in a user's activity feed | Notifications and feeds | Controls whether users can be notified about activities of other users in Teams. | Suggested feeds may improve open communication and collaboration, even between users that do not know each other. |
| Allow users to send emails to a channel email address | Email integration | If this setting is turned on, Teams users can retrieve an email address to send email messages that are posted in a channel. | You want to simplify integration of Teams into messaging workflows and to provide content that is only available as email messages. |
| Accept channel email from these SMTP domains | Email integration | This setting allows only users from a specific SMTP domain to send messages to channels; for example, only to their own domain or to partner domains. | You want to restrict email communication to allowed domains only to avoid spamming or unauthorized senders. |
| Citrix files | Files | Controls the availability of Citrix files as third-party storage provider in teams. | You want to restrict the use of third-party storage providers on the tenant level in Teams to all, some, or no other providers. This can be required if storage providers with storage location outside of Europe are not allowed in your organization. |
| DropBox | Files | Controls the availability of DropBox as third-party storage provider in teams. | Same as above. |
| Box | Files | Controls the availability of Box files as third-party storage provider in teams. | Same as above. |
| Google Drive | Files | Controls the availability of Google Drive as third-party storage provider in teams. | Same as above. |
| Setting | Area | Description | Configure when… |
| --- | --- | --- | --- |
| Show Organization tab in chats | Organization | Shows or hides the organization tab in chats that shows additional data about a chat partner. | You want to hide this tab because you do not want organizational structures displayed by default to any chat partner. This can be helpful to boost open communication and avoid restraints because of different positions in an organization of the different chat partners. |
| Require a secondary form of authentication to access meeting content | Devices | Controls whether users must provide a second form of authentication before entering a meeting. This setting is especially useful when using Surface Hub devices, where users can possibly join a meeting with the identity of a different user who is already logged on. | You want this setting to provide an additional security verification before users can access possibly sensitive content. This is especially helpful when using shared devices, such as Surface Hubs, where users oftentimes forget to sign off after using a device. |
| Set content PIN | Devices | Requires users to enter a PIN before accessing documents from a team. This also is a useful setting for multiuser devices, where users can possibly access the session of a different user who is already logged on. | You want to protect access to possibly sensitive content on shared devices, similar to the secondary security verification. |
| Resource accounts can send messages | Devices | Allows resource accounts to send messages to participants. | You want to allow automatic messages by resources, or you want to restrict communication of these accounts. This setting can be helpful when configuring workflows for resources. |
| Setting | Area | Description | Configure when… |
| --- | --- | --- | --- |
| Scope directory search using an Exchange address book policy | Search by name | Allows use of scoped directory searches from Teams using Exchange address books. | You want to allow the use of segmentation for users in the organization’s directory and limited search results. Note: This is a prerequisite for information barrier policies. |
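
One way to review several of the org-wide settings from the table in PowerShell, as an added example that is not part of the course material: it compares the tenant's current values with a desired baseline and reports every difference, changing nothing unless -Apply is given. It assumes a connected session that exposes Get-CsTeamsClientConfiguration and Set-CsTeamsClientConfiguration; the mapping of table rows to property names is this example's reading, and the baseline values, contoso.com and the function name are constructed.

```powershell
# Added example, not course material. Assumes a connected session exposing
# Get-/Set-CsTeamsClientConfiguration. Baseline values are constructed and
# illustrate the comparison only; contoso.com is a placeholder domain.

function Compare-TeamsOrgSettings {        # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [switch]$Apply                     # without -Apply the function only reports
    )

    $current = Get-CsTeamsClientConfiguration -Identity Global

    # Compare as strings so booleans, enum values and empty values line up.
    $drift = foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $have = $current.$name
        $want = $Baseline[$name]
        if ("$have" -ne "$want") {
            [pscustomobject]@{ Setting = $name; Current = $have; Wanted = $want }
        }
    }

    if ($Apply -and $drift) {
        # Send only the settings that differ, in a single call.
        $changes = @{}
        foreach ($d in $drift) { $changes[$d.Setting] = $d.Wanted }
        Set-CsTeamsClientConfiguration -Identity Global @changes
    }

    $drift
}

$baseline = @{
    # Email integration
    AllowEmailIntoChannel            = $true
    RestrictedSenderList             = 'contoso.com'   # accept channel email from this domain only
    # Files: third-party storage providers
    AllowShareFile                   = $false          # Citrix files
    AllowDropBox                     = $false
    AllowBox                         = $false
    AllowGoogleDrive                 = $false
    # Organization
    AllowOrganizationTab             = $true
    # Devices
    ContentPin                       = 'RequiredOutsideScheduleMeeting'
    AllowResourceAccountSendMessage  = $true
    # Search by name (prerequisite for information barrier policies)
    AllowScopedPeopleSearchandAccess = $true
}

# Report only; add -Apply to write the differing values to the tenant.
Compare-TeamsOrgSettings -Baseline $baseline | Format-Table -AutoSize
```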

Manage private channel creation policies


One way to restrict the creation of private channels is for an administrator to create a Teams policy that
restricts private channel creation. However, team owners can also restrict private channel creation
themselves on a per-team basis. This can be handy when team owners want to retain full control of their
team activity, which includes restricting members from creating private channels, which team owners in
turn cannot control.

Modify a team to control private channel creation


To restrict team members from creating private channels, a team owner must open the team from one of
the Microsoft Teams clients and manage the team. A team owner should perform the following steps to
restrict his or her team members from creating private channels:
1. Sign in to one of the Microsoft Teams clients.
2. Select the ellipsis icon (the three dots) to the right of the team and select Manage team.
3. Open the Settings tab and the Member permissions dropdown menu.
4. Select or deselect Allow members to create private channels.
By performing these steps, you will restrict private channel creation to team owners only.

Manage email integration


When integrating Microsoft Teams into existing messaging workflows to provide information through
email to team members, it is possible to retrieve email addresses for any individual channel within a team.
Messages sent to these email addresses are then posted as conversation messages to the conversations
of the channel, and other members can download the original message or add comments to the
message’s content.
Note: The maximum message length for Teams messages is 24 KB, which can be reached very quickly
when creating an email. Therefore, if you just want to post basic information into a channel, you should
use a text-only email. Otherwise, only the very first part of the email is displayed as a team’s conversation,
and all team members who want to read the message must download and open it using an EML format.

Retrieve email address for a channel


Any team member can retrieve the email address of channels by selecting the ellipsis icon to the right of
a channel’s name and then selecting Get email address. The format of these channel email addresses
makes it difficult to recognize the address since they appear similar to the following:
ChannelName - TeamName <UniqueID.TenantName.onmicrosoft.com@amer.teams.ms>
Owners and users can remove the email address, or they can modify advanced settings to restrict
message delivery to team members and certain domains only.
Note: When an email is sent to the channel’s email address, the email is stored as an EML file in the folder
Email Messages in the channel’s document library. All participants of a channel can download the files
and open them in their preferred viewer for EML files.
Best practices for email integration


Because the automatically generated addresses for channels are hard to remember, it is a common best
practice for users to create contact objects for the channel addresses, or for Exchange administrators to
create mail contacts that provide an easy to recognize mail address in their own company’s custom
domain.
For example, if you have a channel titled “Management” in the team “IT-Department”, the channel’s email
address could be:
Management – IT-Department <79d91253.1.contoso.onmicrosoft.com@amer.teams.ms>
When you create a mail contact with the alias it-department@contoso.com and set its external email
address to 79d91253.1.contoso.onmicrosoft.com@amer.teams.ms, all email sent from internal users to
your simple email address will be forwarded to the team’s channel.
Note: Users can remove and reactivate a channel’s email address, in which case a new address is generated
and the old address cannot be reused. This invalidates the mail contact’s external address, which in
turn must be changed when this occurs.

Manage sharing files


Sharing files is a basic operation in Office 365 and Microsoft Teams when collaborating with internal and
external participants. The different operations in Teams result in different file handling operations to
provide file access to one or many chat participants or all members of a single channel, including external
guest users.
The following table identifies the different behavior related to sharing files depending on the sharing
operation.

| Operation | Behavior |
| --- | --- |
| User shares a file in a 1:1 or group chat | The file is uploaded to the user’s OneDrive into the folder Microsoft Teams Chat Files and all participants are granted permissions on the single file. |
| User shares a file in a conversation | The file is uploaded to the Teams document library, where the Teams SharePoint permission groups grant access to all members and external participants. |
| Users copy the link to a file from Teams | The users can decide to copy a Teams or a SharePoint link. While the Teams link opens Teams to access the file, the SharePoint link opens directly in the browser. The recipient of the link must either have SharePoint permissions, or he or she must be a member of the team to access the file’s content. |
Since Teams relies on SharePoint Online and OneDrive for Business to store files and documents for
channels and chat conversations, the file sharing experience is controlled at the organization level in the
SharePoint and OneDrive admin centers.

| Select this option: | For this result: |
| --- | --- |
| Anyone | Users can create links that can be freely shared. They can also select to require sign-in when they share items. |
| New and existing external users | Users can send invitations to anyone (unless you choose to restrict domains). Invitations to access files can be redeemed only once. After they've been redeemed, they can't be used by others to gain access. New external users will be added to Azure Active Directory when they sign in to view the shared item. |
| Existing external users | Users can send sharing invitations to any external user who has been added to Azure Active Directory. Invitations to access files can be redeemed only once. After they've been redeemed, they can't be used by others to gain access. |
| Only people in your organization | External sharing is not allowed. |
For more information, see Turn external sharing on or off2.
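
To see which row of the sharing table currently applies, the following added example (not part of the course material) reads the organization-level sharing values for SharePoint and OneDrive and the value of every Microsoft 365 group site, which is where channel files of a team are stored. It assumes a SharePoint Online Management Shell session already connected with Connect-SPOService; the function name is hypothetical, and the mapping of SharingCapability values to the admin center options is this example's reading of the table.

```powershell
# Added example, not course material. Assumes the SharePoint Online Management
# Shell with an established Connect-SPOService session.

# SharingCapability value -> option name used in the table above.
$SharingOption = @{
    ExternalUserAndGuestSharing     = 'Anyone'
    ExternalUserSharingOnly         = 'New and existing external users'
    ExistingExternalUserSharingOnly = 'Existing external users'
    Disabled                        = 'Only people in your organization'
}

function Get-TeamsFileSharingReport {      # hypothetical helper name
    $tenant = Get-SPOTenant

    # Organization-level values: the upper bound for every site.
    $rows = @(
        [pscustomobject]@{ Scope = 'SharePoint (organization)'; Level = "$($tenant.SharingCapability)" }
        [pscustomobject]@{ Scope = 'OneDrive (organization)';   Level = "$($tenant.OneDriveSharingCapability)" }
    )

    # Sites that back teams are Microsoft 365 group sites (template GROUP#0).
    $rows += @(
        Get-SPOSite -Template 'GROUP#0' -IncludePersonalSite:$false -Limit All |
            ForEach-Object {
                [pscustomobject]@{ Scope = $_.Url; Level = "$($_.SharingCapability)" }
            }
    )

    foreach ($row in $rows) {
        [pscustomobject]@{
            Scope             = $row.Scope
            SharingCapability = $row.Level
            AdminCenterOption = $SharingOption[$row.Level]
            # "Anyone" is the only level that allows links usable without sign-in.
            AnonymousLinks    = ($row.Level -eq 'ExternalUserAndGuestSharing')
        }
    }
}

Get-TeamsFileSharingReport |
    Sort-Object AnonymousLinks -Descending |
    Format-Table -AutoSize
```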

Manage channel moderation


Channel moderation allows team owners to control how users can participate in channel conversations. It
is a useful feature to keep channel conversations under control within large channels, where, for example,
only selected users shall post updates on a project or a schedule.
The channel moderation feature is independent from the owner and member roles of a team. It needs to
be activated and configured by a team owner, and when doing so, it can be set to recognize all team
owners, individual users, and even guest users as channel moderators.
Channel moderation can restrict the following in channels:
●● Starting new posts in a channel. When moderation is turned on for a channel, only moderators can
start new posts in that channel.
●● Reply to existing channel messages. With moderation the overall ability of channel members to
reply to posts can be restricted.
●● Channel messages submitted by bots. Bots can be restricted from sending channel messages.
●● Channel messages submitted by connectors. Just like bots, connectors can also be restricted from
sending channel messages.
A special case for channel moderation is the default General channel, which exists in every team. This
channel supports only three settings for moderation:
●● Anyone can post messages. No restrictions, moderation turned off.
●● Anyone can post; show alert that posting will notify everyone. No restrictions but includes user
notification to avoid spamming.
●● Only owners can post messages. Strict moderation, where only team owners can post messages.
Note: It is not possible to set up moderation for private channels.

Scenarios for moderation


The following table identifies some examples of how your organization can use channel moderation in
Teams.

2 https://docs.microsoft.com/sharepoint/turn-external-sharing-on-or-off

| Scenario | Explanation |
| --- | --- |
| Use a channel as an announcement channel | The Marketing team uses a specific channel to share key project announcements and deliverables. Sometimes team members post content to the channel that more appropriately belongs in other channels. The team owner wants to restrict information sharing in the channel to only announcements so that team members can use that channel to stay on top of what's important. In this scenario, the team owner adds Marketing leads as moderators so they can post announcements in the channel and turns off the ability for team members to reply to messages in that channel. |
| Use a channel for class discussions in Teams for Education | In Teams for Education, a science teacher wants to use a channel to engage students in focused discussions on specific classroom topics. In this scenario, the teacher allows his or her teaching assistants to moderate the channel. The teaching assistants can then create new posts to initiate and drive discussions with students. |

Managing channel moderation


Channel moderation is managed in one of the Teams clients by team owners. To access the moderation
features for any channel, you should perform the following steps:
1. Open the Teams client and then select Teams on the navigation bar.
2. On the Teams pane, within a team that you own, select the ellipsis icon for a channel, and then select
Manage channel.
3. In the Channel settings tab, in Permissions, select the Channel moderation drop-down menu and
then select the appropriate option to turn moderation On or Off.


4. When Channel moderation is turned On, additional settings appear that enable you to Manage the
moderators and configure Team member permissions.
5. When channel moderation stays turned Off, a restriction can be configured to exclude guests from
being able to start new posts.

Manage settings for Teams apps


Lesson Introduction
Microsoft Teams includes apps that are provided by Microsoft or a third-party service. Teams apps can be
tabs, connectors, or bots, or any combination of the three. These apps can significantly expand the value
of your Teams collaborative experience.
In this lesson, you will learn about managing Microsoft Teams apps admin settings, app permission, and
setup policies. You will learn how to manage custom app policies, settings, apps, bots, and connectors, as
well as how to publish a custom app in Microsoft Teams.
After this lesson, you will be able to:
●● Describe apps, bots, and connectors in Microsoft Teams
●● Provide an overview of Teams apps admin settings
●● Manage app permission policies
●● Configure app setup policies
●● Manage custom app policies and settings
●● Publish a custom app in Microsoft Teams

Overview of Teams apps


Teams apps let you do more in Teams. Think about the tools, files, and dashboards your org already uses.
Many of them can be added right into Teams. Teams apps provide out-of-the-box tools that enable your
organization to maximize its Teams experience in the context of a channel in a team, a group chat, or an
individual user alone (personal).
You can use apps functionality within Microsoft Teams to help you find content from your favorite
services and then share it in Teams. Apps can assist you with things such as pinning services at the top of
a channel, chatting with bots, and sharing and assigning tasks. For example, you can add the Microsoft
Planner app to your initial Teams rollout to drive Teams adoption.
These apps combine the functionality of tabs, messaging extensions, connectors, and bots provided by
Microsoft, built by a third-party, or by developers in your organization. There are several ways you can
interact with apps and services in Teams:
●● Share content on a tab
When you work with different people, you want different information and different tools on hand. You
can add relevant files and apps as tabs to any Teams conversation. Tabs help you share content and
functionality from your favorite services in a channel. They can connect you to Microsoft services (like
Excel, SharePoint, Power Apps), other services (like Asana, YouTube, and Zendesk), or to a website of
your choice.
●● Get updates from a connector
Connectors keep your team current by delivering content and updates directly to a channel from
services you frequently use. With connectors, Teams users can receive updates from popular services
such as Twitter, Trello, Wunderlist, GitHub, and Azure DevOps Services in their Teams chats.
●● Add rich content to your messages
These apps find content from different services and send it straight to a message. You can share
things like weather reports, daily news, images, and videos with anyone you're talking to. Messages
sometimes include buttons for interacting with the app. For example, a daily weather report could
include an option to download the forecast for the entire week.

●● Chat with a bot


Bots provide answers, updates, and assistance in private chats or channels. You can chat with them
one-on-one or in a channel. Bots allow you to interact with cloud services such as task management,
scheduling, and polling in a Teams chat.

Overview of Teams apps admin settings


Teams Apps are a way to aggregate one or more capabilities into an app package that can be installed,
upgraded, and uninstalled.
Teams provides a default set of apps published by Microsoft and by third-parties that are designed to
engage users, support productivity, and integrate commonly used business services into Teams. For
example, users can use the Planner app to build and manage team tasks in Teams. These apps are
available to organizations through the Teams app store. By default, all apps, including custom apps that
you have submitted through the Teams app store approval process, are turned on for all users.
While all Microsoft apps and all custom apps are available by default, Teams admins can turn the
availability of individual apps on or off. For efficiency purposes, an organization-wide setting is available that
lets Teams admins turn all custom apps on or off for your entire organization.
In the Teams apps section of the Microsoft Teams admin center, you can set policies to manage apps for
your organization. For example, you can allow or block apps at the org level, set policies to control what
apps are available to Teams users, and customize Teams by pinning the apps that are most important for
your users.

Manage apps
Use the Manage apps page to view and manage all Teams apps in your organization's app catalog. You
can see the org-level status and properties of apps, block or allow apps at the org level, upload new
custom apps to your tenant catalog, and manage org-wide app settings.
The Manage apps page gives you a view into all available apps in your tenant catalog, providing you with
the information you need to decide which apps to allow or block across your organization. You can then
use app permission policies, app setup policies, and custom app policies and settings to configure
the app experience for specific users in your organization.
For example, you can use Manage apps to:
●● Disable an app that poses a permission or data loss risk to your organization.

App permission policies


With app permission policies, you can control what apps are available to specific users in your
organization. You can allow or block all apps or specific apps published by Microsoft, third-parties, and your
organization.
For example, you can use app permission policies to:
●● Gradually roll out new third-party or custom-built apps to specific users.
●● Simplify the user experience, especially when you start rolling out Teams across your organization.

App setup policies


App setup policies let you customize the app experience for your users. You choose the apps that you
want to pin to the app bar in the Teams clients and the order in which they appear, on web, desktop, and
mobile clients.
The following are examples of how you can use app setup policies:
●● Drive awareness and adoption of core apps. For example, pin a custom recruiting and talent
management app for users on your HR team.
●● Selectively pin core Teams features, such as Chat, Teams, and Calling. Doing so can help ensure users
are engaged in specific activities within Teams.

Custom app policies and settings


Microsoft Teams enables developers in your organization to build, test, and deploy custom apps to other
users. Custom apps can be added to Teams by uploading an app package in a .zip file directly to a team
or in the personal context. You can use app setup policies to control who in your organization can
upload custom apps. You can also set organization-wide settings to control whether users can interact
with specific custom apps.

Summary
The following table summarizes the controls of different locations in Teams admin center:

| Teams Admin Center | Control level | Available Controls |
| --- | --- | --- |
| Manage apps | Org-wide | All apps: Allow/Block individual apps. Third party apps: Allow/Block third party apps; Allow any new third party apps published to the store by default. Custom apps: Allow interaction with custom apps; Upload, update, or delete custom apps. |
| Permission policies | Users | All apps: Allow/Block individual apps. |
| Setup policies | Users | All apps: The apps pinned in the Teams app navigation bar; Allow users pinning apps. Custom apps: Allow user upload custom apps. |

Manage org-level app settings


As an admin, the Manage apps page in the Microsoft Teams admin center is where you view and
manage all Teams apps in your organization's app catalog. You can see the org-level status and properties
of apps, upload new custom apps to your tenant app catalog, block or allow apps at the org level,
and manage org-wide app settings. Organization-wide app settings govern the behavior for all users and
override any other app permission policies assigned to users. You can use them to control malicious or
problematic apps.
In the left navigation of the Microsoft Teams admin center, go to Teams apps > Manage apps. You must
be a global admin or Teams service admin to access the page.

View apps in your tenant app catalog


You can view every app in your tenant app catalog including the following information about each app.
●● Name: The app name. Click the app name to see more information about the app. This includes a
description of the app, whether it's allowed or blocked, version, categories that apply to the app,
certification status, supported capabilities, and app ID. Here's an example:

●● Certification: If the app has gone through certification, you'll see either Microsoft 365 certified or
Publisher attestation. Click the link to view certification details for the app. If you see "–", we don't
have certification information for the app. To learn more about certified apps in Teams, read Microsoft
365 App Certification program [3].

[3] https://docs.microsoft.com/teams-app-certification/all-apps

●● Categories: Categories that apply to the app.


●● App status: Status of the app at the org level, which can be one of the following:
●● Allowed: The app is available for all users in your organization.
●● Blocked: The app is blocked and not available for any users in your organization.

●● Version: App version.


To see the information that you want in the table, click Edit Column in the upper-right corner to add or
remove columns to the table.

Allow and block apps


The Manage apps page is where you allow or block individual apps at the org level. It shows every
available app and its current org-level app status.
To allow or block an app, select it, and then click Allow or Block. When you block an app, all interactions
with that app are disabled and the app doesn't appear in Teams for any users in your organization.
When you block or allow an app on the Manage apps page, that app is blocked or allowed for all users
in your organization. When you block or allow an app in a Teams app permission policy, it's blocked or
allowed for users who are assigned that policy. For a user to be able to install and interact with any app,
you must allow the app at the org level on the Manage apps page and in the app permission policy
that's assigned to the user.
To uninstall an app, right-click on the app and then click Uninstall or use the More apps menu on the
left-hand side.

Manage org-wide app settings


Use org-wide app settings to control whether users can install third-party apps and whether users can
upload or interact with custom apps in your organization. Org-wide app settings govern the behavior for
all users and override any other app permission policies assigned to users. You can use them to control
malicious or problematic apps.
1. On the Manage apps page, select Org-wide app settings. You can then configure the settings you
want in the panel.
2. Under Third-party apps, turn off or turn on these settings to control access to third-party apps:
●● Allow third-party apps in Teams: This controls whether users can use third-party apps. If you
turn off this setting, your users won't be able to install or use any third-party apps. For apps that
you allowed, the status shows as Allowed but disabled org-wide.
When Allow third-party apps in Teams is off, outgoing webhooks [4] are disabled, which means
that users can't create them. When this setting is on, outgoing webhooks are enabled for all users
regardless of whether the setting is on or off in the users' app permission policy.
●● Allow any new third-party apps published to the store by default: This controls whether new
third-party apps that are published to the Teams app store become automatically available in
Teams. You can only set this option if you allow third-party apps.
3. Under Custom apps, turn off or turn on Allow interaction with custom apps. This setting controls
whether users can interact with custom apps.
4. Click Save for org-wide app settings to take effect.

Manage app permission policies


As an admin, you can use app permission policies to control what apps are available to Microsoft Teams
users in your organization. You can allow or block all apps or specific apps published by Microsoft,
third-parties, and your organization. When you block an app, users who have the policy are unable to
install it from the Teams app store. You must be a global admin or Teams service admin to manage these
policies.
You manage app permission policies in the Microsoft Teams admin center. You can use the global
(Org-wide default) policy or create and assign custom policies to individual users or users in a group.

[4] https://docs.microsoft.com/microsoftteams/platform/webhooks-and-connectors/what-are-webhooks-and-connectors

By default, all apps are allowed in the global policy. This includes apps published by Microsoft, third
parties, and your organization. Users in your organization will automatically get the global policy unless
you create and assign a custom policy. Organization-wide app settings on the Manage apps page
override the global policy and any custom policies that you create and assign to users.
For example, you want to block all third-party apps and allow specific apps from Microsoft for the HR
team in your organization. First, you would go to the Manage apps page and make sure that the apps
that you want to allow for the HR team are allowed at the org level. Then, create a custom policy named
HR App Permission Policy, set it to block and allow the apps that you want, and assign it to users on the
HR team.
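The evaluation order described above (org-level status, then org-wide app settings, then the user's permission policy) can be modelled offline. The following is an added example, not part of the course material: it does not call Teams, and the function names, the policy object shape and the sample app catalog are constructed for illustration.

```powershell
# Added illustration: a simplified, offline model of the evaluation order this
# lesson describes. Function names, the policy shape and the sample apps are
# constructed for the example.

function New-Verdict {
    param([string] $App, [bool] $Available, [string] $Reason)
    [pscustomobject]@{ App = $App; Available = $Available; Reason = $Reason }
}

function Test-TeamsAppAvailable {
    param(
        # Keys: Name, Publisher (Microsoft | ThirdParty | Tenant), OrgStatus (Allowed | Blocked)
        [Parameter(Mandatory)] [hashtable] $App,
        # Keys: AllowThirdPartyApps, AllowInteractionWithCustomApps (org-wide app settings)
        [Parameter(Mandatory)] [hashtable] $OrgSettings,
        # Per publisher: @{ Mode = AllowAll | BlockAll | AllowSpecific | BlockSpecific; Apps = @() }
        [Parameter(Mandatory)] [hashtable] $Policy
    )

    # 1. Org-level status on the Manage apps page applies to every user.
    if ($App.OrgStatus -ne 'Allowed') {
        return New-Verdict -App $App.Name -Available $false -Reason 'Blocked at org level (Manage apps)'
    }

    # 2. Org-wide app settings override any permission policy.
    if ($App.Publisher -eq 'ThirdParty' -and -not $OrgSettings.AllowThirdPartyApps) {
        return New-Verdict -App $App.Name -Available $false -Reason 'Allowed but disabled org-wide'
    }
    if ($App.Publisher -eq 'Tenant' -and -not $OrgSettings.AllowInteractionWithCustomApps) {
        return New-Verdict -App $App.Name -Available $false -Reason 'Custom app interaction is off org-wide'
    }

    # 3. The permission policy assigned to the user, evaluated per publisher.
    $rule = $Policy[$App.Publisher]
    if ($null -eq $rule) { throw "Policy has no rule for publisher '$($App.Publisher)'" }
    switch ($rule.Mode) {
        'AllowAll'      { $allowed = $true }
        'BlockAll'      { $allowed = $false }
        'AllowSpecific' { $allowed = @($rule.Apps) -contains $App.Name }
        'BlockSpecific' { $allowed = @($rule.Apps) -notcontains $App.Name }
        default         { throw "Unknown policy mode '$($rule.Mode)'" }
    }
    if ($allowed) {
        $reason = 'Allowed at org level and by permission policy'
    } else {
        $reason = "Blocked by permission policy ($($rule.Mode))"
    }
    New-Verdict -App $App.Name -Available $allowed -Reason $reason
}

# Constructed sample data. The policy mirrors the HR example in the text:
# block all third-party apps, allow specific Microsoft apps.
$org = @{ AllowThirdPartyApps = $true; AllowInteractionWithCustomApps = $true }
$hrPolicy = @{
    Microsoft  = @{ Mode = 'AllowSpecific'; Apps = @('Planner', 'Forms') }
    ThirdParty = @{ Mode = 'BlockAll' }
    Tenant     = @{ Mode = 'AllowAll' }
}
$catalog = @(
    @{ Name = 'Planner';       Publisher = 'Microsoft';  OrgStatus = 'Allowed' }
    @{ Name = 'Forms';         Publisher = 'Microsoft';  OrgStatus = 'Blocked' }
    @{ Name = 'Whiteboard';    Publisher = 'Microsoft';  OrgStatus = 'Allowed' }
    @{ Name = 'Example CRM';   Publisher = 'ThirdParty'; OrgStatus = 'Allowed' }
    @{ Name = 'HR Recruiting'; Publisher = 'Tenant';     OrgStatus = 'Allowed' }
)

# Forms is on the policy's allow list but blocked at org level, so it stays
# unavailable: this is why the org-level status must be checked first.
$catalog |
    ForEach-Object { Test-TeamsAppAvailable -App $_ -OrgSettings $org -Policy $hrPolicy } |
    Format-Table -AutoSize

# Org-wide override: a policy that allows every third-party app has no effect
# once "Allow third-party apps in Teams" is turned off.
$permissive = @{
    Microsoft  = @{ Mode = 'AllowAll' }
    ThirdParty = @{ Mode = 'AllowAll' }
    Tenant     = @{ Mode = 'AllowAll' }
}
$org.AllowThirdPartyApps = $false
Test-TeamsAppAvailable -App $catalog[3] -OrgSettings $org -Policy $permissive
```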

Create a custom app permission policy


If you want to control the apps that are available for different groups of users in your organization, create
and assign one or more custom app permission policies. You can create and assign separate custom
policies based on whether apps are published by Microsoft, third-parties, or your organization. It's
important to know that after you create a custom policy, you can't change it if third-party apps are
disabled in org-wide settings.


1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Teams apps >
Permission policies.
2. Select Add.


3. Enter a name and description for the policy.
4. Under Microsoft apps, Third-party apps, and Tenant apps, select one of the following options that
is listed in the following graphic:

5. If you selected Allow specific apps and block all others, add the apps that you want to allow:
●● Select Allow apps.
●● Search for the app(s) that you want to allow, and then select Add. The search results are filtered to
the app publisher (Microsoft apps, Third-party apps, or Tenant apps).
●● Once you have chosen the list of apps, select Allow.
6. Similarly, if you selected Block specific apps and allow all others, search for and add the apps that
you want to block.
7. Select Save.

Edit an app permission policy


You can use the Microsoft Teams admin center to edit a policy, including the global policy and custom
policies that you create.
1. In the left-hand navigation pane of the Microsoft Teams admin center, go to Teams apps >
Permission policies.
2. Select the policy by selecting to the left of the policy name, and then select Edit.
3. Make the changes that you want. You can manage settings based on the app publisher and add and
remove apps based on the allow/block setting.
4. Select Save.

Assign a custom app permission policy to users


You can use the Microsoft Teams admin center to assign a custom policy to one or more users.
Alternatively, you can use the Skype for Business PowerShell module to assign a custom policy to groups of
users, such as all users in a security group or distribution group.

Assign a custom app permission policy to a user


To assign users to app permission policies, you can either assign users to a policy, or you can assign
policies to a user.
You should perform the following steps to assign users to a policy:


1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Teams apps >
Permission policies.
2. Select the custom policy by selecting to the left of the policy name.
3. Select Manage users.
4. In the Manage users pane, search for the user by display name or by user name, select the name, and
then select Add. Repeat this step for each user that you want to add.
5. When you're finished adding users, select Apply.
Alternatively, you can also perform the following steps to assign a policy to a user:


1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Users.
2. Select the user by selecting to the left of the username, and then select Edit settings.
3. Under App permission policy, select the app permission policy you want to assign, and then select
Apply.

Assign a custom app permission policy using PowerShell


You may want to assign a custom app permission policy to multiple users with PowerShell for automation.
For example, you may want to assign a policy to all users in a security group. You can do this by
connecting to the Azure Active Directory PowerShell module and the Skype for Business PowerShell module
and using the Grant-CsTeamsAppPermissionPolicy cmdlet.
For example, if you want to assign a custom app permission policy called HR App Permission Policy to all
users in the Contoso HR Project group, you would run the following commands:

## Get the GroupObjectId of the particular group: ##
$group = Get-AzureADGroup -SearchString "Contoso HR Project"

## Get the members of the specified group, keeping only user objects: ##
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Where-Object {$_.ObjectType -eq "User"}

## Assign the policy to each user. AzureAD user objects expose UserPrincipalName (they have no EmailAddress property): ##
$members | ForEach-Object { Grant-CsTeamsAppPermissionPolicy -PolicyName "HR App Permission Policy" -Identity $_.UserPrincipalName }

Depending on the number of members in the group, this command may take several minutes to execute.

Manage app setup policies


As an admin, you can use app setup policies to customize Microsoft Teams to highlight the apps that are
most important for your users. You choose the apps to pin to the apps bar and set the order that they
appear. App setup policies let you showcase apps that users in your organization need, including those
built by third-parties or by developers in your organization. You can also use app setup policies to
manage how built-in features appear.
Apps are pinned to the app bar. This is the bar on the side of the Teams desktop client and at the bottom
of the Teams mobile clients (iOS and Android).

[Figure: the app bar in the Teams desktop client and in the Teams mobile client]

You manage app setup policies in the Microsoft Teams admin center. You can use the global (Org-wide
default) policy or create custom policies and assign them to users. Users in your organization will
automatically get the global policy unless you create and assign a custom policy.
You can edit the settings in the global policy to include the apps that you want. If you want to customize
Teams for different groups of users in your organization, create and assign one or more custom policies.
If a user is assigned a custom policy, that policy applies to the user. If a user is not assigned a custom
policy, the global policy applies to the user.

Note: If you have Teams for Education, it is important to know that the Assignments app is pinned by
default in the global policy even though you do not currently see it listed in the global policy. It will be
the fourth app in the list of pinned apps on Teams clients.

Create a custom app setup policy


You can use the Microsoft Teams admin center to create a custom policy:
1. In the left navigation of the Microsoft Teams admin center, go to Teams apps > Setup policies.
2. Select Add.

3. Enter a name and description for the policy.


4. Turn on or turn off Upload custom apps, depending on whether you want to let users upload custom
apps to Teams. You won't be able to change this setting if Allow third-party apps is turned off in
org-wide app settings.

5. Turn on or turn off Allow user pinning, depending on whether you want to let users personalize their
app bar by pinning apps to it.
6. To install apps for users (in preview), do the following:
1. Under Installed apps, select Add apps.
2. In the Add installed apps pane, search for the apps you want to automatically install for users
when they start Teams. You can also filter apps by app permission policy. When you've chosen
your list of apps, select Add.

7. To pin apps, do the following:


1. Under Pinned apps, select Add apps.
2. In the Add pinned apps pane, search for the apps you want to add, and then select Add. You can
also filter apps by app permission policy. When you've chosen your list of apps to pin, select Add.
3. Arrange the apps in the order that you want them to appear in Teams, and then select Save.

Edit a custom app setup policy


You can use the Microsoft Teams admin center to edit a policy, including the global (Org-wide default)
policy and custom policies that you create.
1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Teams apps > Setup
policies.
2. Select the policy by selecting to the left of the policy name, and then select Edit.
3. From here, make the changes that you want. You can add, remove, and change the order of apps.
4. Select Save.

Assign a custom app setup policy to users


You can use the Microsoft Teams admin center to assign a custom app setup policy to individual users, or
you can use the Skype for Business PowerShell module to assign a custom policy to groups of users, such
as a security group or distribution group.

Assign a custom app setup policy to users from Teams admin center

There are multiple ways to assign an app setup policy to your users in the admin center. You can assign
users either in Setup policies or in Users in Teams admin center.
You should perform the following steps if you want to assign users in setup policies:
1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Teams apps > Setup
policies.
2. Select the policy by selecting to the left of the policy name.
3. Select Manage users.
4. In the Manage users pane, search for the user by display name or by user name, select the name, and
then select Add. Repeat this step for each user that you want to add.


5. When you're finished adding users, select Save.
You can also perform the following steps if you want to assign users within the Users pane:
1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Users, and then select
the user.
2. Select the user by selecting to the left of the username, and then select Edit settings.
3. Under App setup policy, select the app setup policy you want to assign, and then select Apply.

Assign a custom app setup policy to users in a group using PowerShell

You may want to assign an app setup policy to multiple users that you have already identified. For
example, you may want to assign a policy to all users in a security group. You can do this by connecting
to the Azure Active Directory PowerShell for Graph module and the Skype for Business PowerShell
module.

For example, to assign an app setup policy called HR App Setup Policy to all users in the Contoso HR
Project group, you would perform the following PowerShell commands:

## Get the GroupObjectId of the particular group: ##
$group = Get-AzureADGroup -SearchString "Contoso HR Project"

## Get the members of the specified group, keeping only user objects: ##
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Where-Object {$_.ObjectType -eq "User"}

## Assign all users in the group to a particular app setup policy. AzureAD user objects expose UserPrincipalName (they have no EmailAddress property): ##
$members | ForEach-Object { Grant-CsTeamsAppSetupPolicy -PolicyName "HR App Setup Policy" -Identity $_.UserPrincipalName }

Depending on the number of members in the group, this command may take several minutes to execute.

Manage custom app policies and settings


Users can add a custom app to Teams by uploading an app package (in a .zip file) directly to a team or in
the personal context. This is different from how apps are added through the Teams app store. Adding a
custom app by uploading an app package, also known as sideloading, lets you test an app as it's being
developed, before it is ready to be widely distributed. It also lets you build an app for internal use only
and share it with your team without submitting it to the Teams app catalog in the Teams app store.
As an admin, you can use custom app policies and settings to control who in your organization can
upload custom apps to Microsoft Teams. Admins decide which users can upload custom apps, and
admins and team owners can determine whether specific teams in your organization allow custom apps
to be added to them. After you edit the custom app policy, it can take up to 24 hours for changes to take
effect. You must be a global admin or Teams service admin to manage these policies.
Three components determine whether a user can upload a custom app to a team. This gives
you granular control over who can add custom apps to a team and which teams custom apps can be
added to. These settings do not affect the ability to block third-party apps.

Org-wide custom app setting: Teams admin center > Teams apps > Manage apps
User custom app policy: Teams admin center > Teams apps > Setup policies
Team custom app setting: Teams client > Manage team > Settings > Member permissions

Org-wide custom app setting


The org-wide custom app setting, Allow interaction with custom apps, applies to everyone in your
organization and governs whether they can upload or interact with custom apps. This setting overrides
the user and team custom app policy and setting. It is intended to serve as a master on/off switch during
security events. Follow the steps below to configure the org-wide custom app setting:
1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Teams apps >
Manage apps.
2. Select Org-wide app settings.
3. Under Custom apps, turn on or turn off Allow interaction with custom apps.

User custom app policy


As part of app setup policies, admins can use the policy setting Allow uploading custom apps to control
whether a user can upload custom apps to Teams.
If this setting is turned on:
●● The user can upload custom apps to the personal context.
●● The user can upload custom apps to teams that allow it and to teams for which they are owners,
depending on the org-wide custom app setting.
●● The user can interact with custom apps, depending on the org-wide custom app setting.
If this setting is turned off:
●● The user cannot upload a custom app to any team in your organization or in the personal context.
●● The user can interact with custom apps, depending on the org-wide custom app setting.

You can edit the settings in the global app setup policy to include the apps that you want. If you want to
customize Teams for different groups of users in your organization, create and assign one or more
custom app setup policies. Follow the steps below to set a user custom app policy:
1. In the left-hand navigation pane on the Microsoft Teams admin center, go to Teams apps > Setup
policies.
2. Select Add.
3. Turn on or turn off Allow uploading custom apps.
4. Choose any other settings that you want to for the policy.
5. Select Save.

Team custom app setting


Admins and team owners can control whether a team allows for custom apps to be added to it. The
Allow members to upload custom apps setting, together with a user's custom app policy, determines
who can add custom apps to a particular team.
If this setting is turned on:
●● Team owners and members can add custom apps if their custom app policy allows for it.
If this setting is turned off:
●● Team owners can add custom apps if their custom app policy allows it.
●● Team members who are not team owners cannot add custom apps to the team.
Follow the steps below to configure the team custom app setting:
1. In the Teams client, go to the team, and then select More options (...) > Manage team.
2. Select Settings, and then expand Member permissions.
3. Select or clear the Allow members to upload custom apps check box.

How custom app policies and settings work together


The following table summarizes the custom app policy and settings, how they work together, and their
combined effect on controlling who in your organization can upload custom apps to Teams.

Org-wide custom app setting: Off; User custom app setting: Off; Team custom app setting: Off
Effect: Interaction with all custom apps is blocked for your organization. Custom apps cannot be
uploaded by anyone. You can use PowerShell to remove the custom app.

Org-wide custom app setting: Off; User custom app setting: On; Team custom app setting: Off
Effect: Interaction with all custom apps is blocked for your organization. Custom apps cannot be
uploaded by anyone. You can use PowerShell to remove the custom app.

Org-wide custom app setting: Off; User custom app setting: Off; Team custom app setting: On
Effect: Interaction with all custom apps is blocked for your organization. Custom apps cannot be
uploaded by anyone. You can use PowerShell to remove the custom app.

Org-wide custom app setting: Off; User custom app setting: On; Team custom app setting: On
Effect: Interaction with all custom apps is blocked for your organization. Custom apps cannot be
uploaded by anyone. You can use PowerShell to remove the custom app.

Org-wide custom app setting: On; User custom app setting: Off; Team custom app setting: Off
Effect: The user cannot upload custom apps.

Org-wide custom app setting: On; User custom app setting: Off; Team custom app setting: On
Effect: The user cannot upload custom apps.

Org-wide custom app setting: On; User custom app setting: On; Team custom app setting: Off
Effect: If the user is a team owner, they can upload custom apps to the team. If the user is not a
team owner, they cannot upload custom apps to the team. The user can upload custom apps in the
personal context.

Org-wide custom app setting: On; User custom app setting: On; Team custom app setting: On
Effect: The user can upload custom apps to the team, regardless of whether the user is a team owner.
The user can upload custom apps in the personal context.

For example, assume that you want to allow only team owners to upload custom apps to specific teams.
You would set the following:
●● Org-wide: Turn on the Allow interaction with custom apps setting in the Microsoft Teams admin
center.
●● User level: Create a custom app setup policy in the Microsoft Teams admin center with the
User can upload custom apps setting turned on and assign it to the team owners.
●● Team level: Turn off the Allow members to upload custom apps setting for every team to which you
want to restrict access.
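The combined effect of the three settings can be written out as decision logic and enumerated for every combination, including the team-owner scenario just described. This is an added example, not part of the course material: it models the table rather than querying Teams, and the function, parameter and property names are assumptions.

```powershell
# Added illustration: the three custom app controls as one decision function.
# Offline model only; all names are constructed for the example.

function Get-CustomAppUploadRight {
    param(
        [Parameter(Mandatory)] [bool] $OrgAllowInteraction,  # Org-wide: Allow interaction with custom apps
        [Parameter(Mandatory)] [bool] $UserAllowUpload,      # App setup policy: upload custom apps
        [Parameter(Mandatory)] [bool] $TeamAllowMembers,     # Team: Allow members to upload custom apps
        [Parameter(Mandatory)] [bool] $IsTeamOwner
    )

    # The org-wide setting is the master switch: when it is off, nothing below matters.
    $canInteract    = $OrgAllowInteraction
    # The user policy gates every upload, to a team or to the personal context.
    $uploadPersonal = $OrgAllowInteraction -and $UserAllowUpload
    # The team setting only widens upload from owners to members.
    $uploadToTeam   = $uploadPersonal -and ($IsTeamOwner -or $TeamAllowMembers)

    [pscustomobject]@{
        OrgWide        = $OrgAllowInteraction
        UserPolicy     = $UserAllowUpload
        TeamSetting    = $TeamAllowMembers
        IsOwner        = $IsTeamOwner
        CanInteract    = $canInteract
        UploadPersonal = $uploadPersonal
        UploadToTeam   = $uploadToTeam
    }
}

# Enumerate all 16 combinations (8 table rows x owner/member).
$matrix = foreach ($org in $false, $true) {
    foreach ($user in $false, $true) {
        foreach ($team in $false, $true) {
            foreach ($owner in $true, $false) {
                $settings = @{
                    OrgAllowInteraction = $org
                    UserAllowUpload     = $user
                    TeamAllowMembers    = $team
                    IsTeamOwner         = $owner
                }
                Get-CustomAppUploadRight @settings
            }
        }
    }
}
$matrix | Format-Table -AutoSize

# The scenario from the text: org-wide on, upload policy on, team setting off.
# Only the owner row shows UploadToTeam = True.
$matrix |
    Where-Object { $_.OrgWide -and $_.UserPolicy -and -not $_.TeamSetting } |
    Format-Table IsOwner, UploadToTeam, UploadPersonal -AutoSize

# Exposure check: combinations in which a non-owner can add a custom app to a team.
# These are the cases to review when the upload policy is assigned broadly.
$matrix |
    Where-Object { -not $_.IsOwner -and $_.UploadToTeam } |
    Format-Table OrgWide, UserPolicy, TeamSetting -AutoSize
```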

Publish a custom app in Microsoft Teams


Microsoft Teams enables you to provide and distribute Teams apps to your users. There are three options to
distribute custom apps, depending on who your target audience is.

Custom app distribution methods and who can use the app:

App Store
Who can use the app: Everyone.
This is Microsoft's global app store which you can use to provide your apps to all Microsoft Teams
users globally, as well as to users located in other Microsoft 365 tenants.

Tenant Apps Catalog
Who can use the app: Users in your organization.
This app catalog provides your apps to all your Microsoft 365 tenant users only. Users in other
Microsoft 365 tenants cannot see or add your apps.

Sideloading
Who can use the app: A few individuals in your organization.
Sideloading makes the apps available only to your teams or to the teams you select.
If your app only needs to be shared to your team, or a few individuals in your organization, you can
share your app package and upload it directly.

In this topic, we focus on the custom apps in Tenant Apps Catalog. You can use your app catalog to test
and distribute line-of-business applications that are built specifically for your organization.

A Teams app package is created by using Teams App Studio [5]. When you have the app package, you can
add it to your app catalog. While all users in your organization can view the app catalog, only global
admins and Teams service admins can publish and manage it.

Publish a custom app to the Tenant Apps Catalog

From Teams admin center


1. Go to Teams admin center.
2. On the Manage apps page, select Upload new app to upload your app package in .zip format.
The app isn't highlighted after it's uploaded so you'll need to search your app catalog to find it.

From the Teams client


1. Sign in to the Teams client using an account that is assigned either the Global Admin role or the Teams
service admin role.
2. On the Apps page, select Upload a custom app > Upload for <YourTenant>.

[5] https://docs.microsoft.com/microsoftteams/platform/get-started/get-started-app-studio


Note: If “Upload for…” does not show up, you can only sideload the custom app, because
you do not have administrative permissions to upload an app to your tenant app catalog. Sideloading
makes the app available only to your teams or to teams you select.

3. Navigate to the app package and select it, and then select Open.
When you go back to your tenant apps catalog, the new app will be there. Remember, only you and
members of your organization have access to this app catalog.

Update a custom app in the Tenant Apps Catalog

From Teams admin center


1. Go to Teams admin center.
2. On the Manage apps page, select the app name, and then select Update.
Doing this replaces the existing app in your app catalog and all app permission policies and app setup
policies remain enforced for the updated app.

From the Teams client


1. Sign in to the Teams client.
2. On the Apps page, select Built for <YourTenant>.
3. On the middle pane, select “…” on the top right of the app you want to update.
4. Select Update.
5. In the open window, navigate to the updated app package and select it, and then select Open.


For more information, please refer to Manage your custom apps in Microsoft Teams [6].

[6] https://docs.microsoft.com/en-us/microsoftteams/manage-your-custom-apps
Module 6 Manage communication in Microsoft Teams

Manage Live event and meetings experiences


Lesson Introduction
Microsoft Teams offers different scenarios for meetings and live events within your organization, with
both internal and external attendees. To choose the optimal solutions for your environment, you must
familiarize yourself with the settings and policies which can be applied in Microsoft Teams meeting and
Live events.
In this lesson, we are going to cover the step-by-step process that will guide you as a Microsoft Teams
administrator in planning, organizing, assigning roles, and configuring policies and settings so that you
can provide your users with the optimum user experience during the Teams meetings and Live events.
After this lesson, you will be able to:
●● Understand meetings and conferencing in Microsoft Teams
●● Set up conference bridges
●● Manage meeting policies
●● Configure meeting settings
●● Explain Live events in Microsoft Teams
●● Manage Live events policies
●● Configure Live events settings
●● Integrate Yammer Live events

Overview of meetings and conferencing in Microsoft Teams

Once you have set up teams, channels, and applications within Microsoft Teams, the next step you can
take is to add and customize the meetings settings and policies for audio conferencing, video, and
sharing.
There are different types of meetings that you can create in Microsoft Teams depending on the nature of
the meeting:
●● Private meeting. When you want to have a meeting with individual people but you do not want the
meeting to be visible to others.
●● Channel meeting. Scheduled in the Teams team, all team members are automatically invited and will
have access to the discussion and recording (should the meeting be recorded).
●● Ad-hoc meeting (Meet now). When you want to meet immediately at the current point in time
without previously scheduling a meeting.
People can join meetings from a variety of clients. For example, by using Audio Conferencing, users can
attend meetings from regular phones by dialing in to the meeting.
The Teams admin can enable or disable certain types of meetings in addition to disabling modalities such
as video or screen sharing, according to the organization's regulations.
Since there is integration between Office 365 tools such as Microsoft Outlook, you can use an add-in to
schedule Teams meetings directly from your calendar.
Based on your company needs and requirements, you can configure the appropriate settings for the
meetings and conferencing which your employees are going to use in Microsoft Teams. Because this
communication workspace offers so many options and advantages, it is very important for you as an
administrator to review and confirm that your environment is properly configured to provide your
employees the best possible experience.
To scale meetings across your organization, you should ensure that all user locations have internet access
to connect to Office 365. Next, as a base of the further settings, you should:
●● Determine whether your network is ready for a deployment of Microsoft Teams meetings.
●● Decide which users are going to be responsible for Teams meetings and need to be assigned the
following roles:
●● Teams Communications Administrator
●● Teams Communications Support Engineer
●● Teams Communications Support Specialist

Meeting policies
With Meetings policies you can permit and/or restrict features that will be available to users during the
meetings and audio conferencing. You must first decide if you are going to customize the initial meeting
policies and whether you need multiple meeting policies. Then you must determine which groups of
users receive which meeting policies. Finally, you must determine whether your organization must
purchase and deploy room system devices for your conference rooms.

Licensing
Audio Conferencing licenses are available as part of an Office 365 E5 subscription or as add-on licenses
to an existing subscription.
As you plan for audio conference licensing, you must determine whether your organization is going to use
Microsoft Teams live events. If the answer is YES, then you must determine who will be responsible for
reporting and monitoring usage. With Teams live events policies you can manage event settings for groups
of users. According to your organizational requirements, you can either continue to use the default
policy, or you can create additional policies that can be assigned to users who hold live events within
your organization.

Transcription service
During a meeting, users can optionally record the meeting and group call, as well as capture audio, video,
and screen sharing activity. In addition, recordings can be automatically transcribed, which will enable the
users to play back meeting recordings with closed captions and search for important discussion points in
the transcript (the recordings are saved in Microsoft Stream). To automatically transcribe a recording, you
must turn on the meeting transcription service.

Configure conference bridges


Conferencing bridges allow users to dial into meetings through their phones. When configuring Audio
Conferencing in your Office 365 environment, you will receive phone numbers for your users from what is
called an audio-conferencing bridge (a conferencing bridge can contain one or more phone numbers).
These phone numbers are used when the users dial in to a meeting (the phone number is included in
every Microsoft Teams meeting invite).
As an admin you can choose to continue using the default settings for a conferencing bridge, or you can
change the phone numbers (toll and toll-free) and other settings (such as the PIN or the languages that are
used). However, you must first decide if you need to add new conferencing bridge numbers, which
number should be your default, if you need to modify the bridge settings, and whether you must port
numbers to use with audio conferencing.

Adding additional conference bridge numbers


You should perform the following steps to add a conference bridge number:
1. Sign into the Microsoft Teams admin center and on the left-hand navigation pane, select Meetings,
and then select Conference bridges.
2. On the Conference bridges page, select Add.
3. In the drop-down field, select either Toll number or Toll-free number.
4. On the Add phone number pane, select the phone number you want to add, and then select Apply.

Define a default conference bridge number


You should perform the following steps to configure a default number for your conference bridge:
1. On the Conference bridges page, on the main pane that shows all the conference bridge phone
numbers, select the phone number you want to configure as your default.


2. Select Set as default on the menu bar.

Configuring conference bridges settings in Teams admin center

You should perform the following steps to configure conference bridge settings:
1. On the Conference bridges page, select Bridge settings.


2. On the Bridge settings pane, you may choose to configure the following:
●● Meeting entry and exit notifications. You can turn this setting on or off, depending on whether
you want users who have already joined the meeting to be notified when someone enters or
leaves the meeting. If this setting is on, you can choose from the following options:
●● Entry/exit announcement type. Select one of the following options:

●● Names or phone numbers. When users dial in to a meeting, their phone number will be
played when they join it.
●● Tones. When users dial in to a meeting, an audio tone will be played when they join it.
●● Ask callers to record their name before joining the meeting. If you turn this off, callers will not
be asked to record their name before they join a meeting.
●● Pin length. Set the PIN length from 4 to 12; the default value is 5.
●● Automatically send emails to users if their dial-in settings change. This option can be
enabled or disabled.
3. Select Apply to confirm the settings.

Manage meeting policies


In many organizations, Teams admins must control the features of meetings which the users within their
organizations are scheduling. Meeting features are controlled by creating and managing meeting
policies, which are then assigned to users.
You can manage meeting policies within the Microsoft Teams admin center or by using Windows
PowerShell. An implemented policy directly impacts the user's meeting experience, beginning before the
start of the meeting, as well as during the meeting and after the meeting ends. Meeting policies can be
applied in three different ways:
1. Per organizer. All meeting participants inherit the policy of the organizer.
2. Per user. Only the per-user policy applies to restrict certain features for the organizer and/or meeting
participants.
3. Per organizer and per user. Certain features are restricted for meeting participants based on their
policy and the organizer's policy.
Note that a policy named Global (org-wide default) is created by default, and all the users within the
company will be assigned this meeting policy by default. The company administrators can decide if there
are changes that must be made to this policy, or they can choose to create one or more custom policies
and assign those custom policies to users.

Create a new meeting policy


You should perform the following steps to create a new meeting policy:
1. Sign into the Microsoft Teams admin center.
2. From the left-hand navigation pane, select Meetings, and then select Meeting policies.
3. Select Add to create a new meeting policy.

4. On the New meeting policy page, enter the following information and settings:
●● Enter a name for the new policy, and optionally enter a description.
●● Under the General section, select whether to turn the following options On or Off:
●● Allow Meet now in channels
●● Allow the Outlook add-in
●● Allow channel meeting scheduling
●● Allow scheduling private meetings
For example, Allow Meet now is a policy which is applied before starting the meetings, and it has a
per-user model. This policy controls whether the user can start a meeting in a Teams channel
without the meeting having been previously scheduled. If you turn this on, when a user posts a
message in a Teams channel, the user can select Meet now to initialize an ad hoc meeting in the
channel.

As another example, if you turn off Allow channel meeting scheduling, then the Schedule a
meeting option is not going to be available to the user when they start a meeting in a Teams
channel, and the Select a channel to meet option will not be available to the user when they schedule a
meeting from Meetings in Teams.

●● Under the Audio & video section, turn the following options On or Off:
●● Allow transcription
●● Allow cloud recording
●● Allow IP video. You can also enter the Media bit rate in KBs.
For example, if the policy setting is turned on for Allow cloud recording and the user is
authenticated as a user from the same organization, then the recording can be started by the meeting
organizer or by another meeting participant. This only concerns the internal users; the guest users
do not have permission to start or stop the recording.
●● Under the Content sharing section, choose one from the following Screen sharing modes:
●● Entire screen
●● Single application
●● Disabled
From this section you can also choose to turn the following options On or Off:
●● Allow a participant to give or request control
●● Allow an external participant to give or request control
●● Allow PowerPoint sharing
●● Allow whiteboard
●● Allow shared notes
For example, the Allow a participant to give or request control setting defines whether the user
can give control of the shared desktop or window to other participants who are present in the
meeting.

●● Under the Participants & guests section, you can choose to turn the following options On or Off:
●● Let anonymous people start a meeting
●● Allow dial-in users to bypass the lobby
●● Allow Meet now in private meetings.
You can also choose from the following feature options:
●● Automatically admit people. Select one of the following options:
●● Everyone
●● Everyone in your organization
●● Everyone in your organization and federated organizations
●● Enable live captions. Select one of the following options:
●● Disabled but the organizer can override
●● Disabled
●● Allow chat in meetings. Select one of the following options:
●● Enabled
●● Disabled
5. Once you have finished entering your settings, select Save.

Assign meeting policy to a user


After you have created a meeting policy, you must assign the policy to users. You can assign a meeting
policy within the Teams admin center in both the Users and Meeting policies sections.


You should perform the following steps to assign a meeting policy in the Users section:
1. In the Teams admin center, select Users.
2. Select the users you want to apply the policy to, and then select Edit settings.
3. Under the Policies section, choose the required meeting policy, and then select Apply.
You should perform the following steps to assign a meeting policy in the Meeting policies section:
1. In the Teams admin center, select Users.
2. Select the required meeting policy and then select Manage users.

3. Under the selected policy name, add users you want to apply policy to, and then select Apply.
You cannot delete a meeting policy while it is still assigned to users. If you
are in the Users section, you will first need to assign a different policy to the users, and then you will be
able to delete the meeting policy.

Create and configure a meeting policy using PowerShell


You can also use PowerShell to create and configure a meeting policy.
●● To create a meeting policy, you must use the New-CsTeamsMeetingPolicy cmdlet.
●● To configure a meeting policy, you must use the Set-CsTeamsMeetingPolicy cmdlet.
For example, consider the setting titled AllowTranscription. This setting controls whether meetings can
include real time or post meeting captions and transcriptions. If you want to enable this setting on an
existing meeting policy titled MarketingMeetingPolicy, you should run the following command:
Set-CsTeamsMeetingPolicy -Identity MarketingMeetingPolicy -AllowTranscription $True
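
The admin center procedure above expressed in PowerShell, as an added example that is not part of the original course text: it creates (or updates) a custom meeting policy and assigns it to one user. The policy name, the user's UPN and the chosen values are assumptions for illustration, and the session is assumed to be already connected to the tenant with the Teams cmdlets loaded.

```powershell
# Added example. Policy name, UPN and setting values are hypothetical.
$policyName = 'RestrictedExternalMeetings'   # hypothetical policy name
$userUpn    = 'adele@contoso.example'        # hypothetical user

# Each key is a New-/Set-CsTeamsMeetingPolicy parameter. The section comments
# name the admin center section that holds the matching option.
$settings = @{
    Description                                = 'Lobby enforced, no external control, no recording'
    # General
    AllowMeetNow                               = $true    # Allow Meet now in channels
    AllowOutlookAddIn                          = $true
    AllowChannelMeetingScheduling              = $true
    AllowPrivateMeetingScheduling              = $true
    # Audio & video
    AllowTranscription                         = $false
    AllowCloudRecording                        = $false
    AllowIPVideo                               = $true
    # Content sharing
    ScreenSharingMode                          = 'SingleApplication'
    AllowParticipantGiveRequestControl         = $true
    AllowExternalParticipantGiveRequestControl = $false
    AllowPowerPointSharing                     = $true
    AllowWhiteboard                            = $true
    AllowSharedNotes                           = $true
    # Participants & guests
    AllowAnonymousUsersToStartMeeting          = $false
    AllowPSTNUsersToBypassLobby                = $false   # dial-in users wait in the lobby
    AllowPrivateMeetNow                        = $true
    AutoAdmittedUsers                          = 'EveryoneInCompany'
    MeetingChatEnabledType                     = 'Enabled'
}

# Custom policies are returned with a "Tag:" prefix on their identity,
# so match both forms when checking whether the policy already exists.
$existing = Get-CsTeamsMeetingPolicy |
    Where-Object { $_.Identity -in $policyName, "Tag:$policyName" }

if ($existing) {
    Set-CsTeamsMeetingPolicy -Identity $policyName @settings
} else {
    New-CsTeamsMeetingPolicy -Identity $policyName @settings
}

# Assign the policy to the user (the PowerShell counterpart of Manage users).
Grant-CsTeamsMeetingPolicy -Identity $userUpn -PolicyName $policyName

# Read back the stored values and the user's assignment.
Get-CsTeamsMeetingPolicy -Identity $policyName |
    Select-Object Identity, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby,
                  AllowAnonymousUsersToStartMeeting, AllowCloudRecording, ScreenSharingMode
Get-CsOnlineUser -Identity $userUpn |
    Select-Object UserPrincipalName, TeamsMeetingPolicy
```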

Manage meeting settings


Microsoft Teams provides meeting settings that let you determine whether anonymous users can join Teams
meetings, customize meeting invitations, and, if you want to enable Quality of Service (QoS), set port
ranges for real-time traffic. If you change any of these meeting settings, the changes will be applied to all
Teams meetings that users schedule within your company. These settings are outlined in the following
table.

| Meeting setting | When to change |
| --- | --- |
| Participants | With this option you define whether anonymous participants can join a meeting. Anonymous participants are users who can join without logging in, as long as they have the link for the meeting. |
| E-mail invitation | If your organization has specific meeting needs and requirements concerning the meeting invitations, you can customize them. For example, you can add your organization's logo, include additional information such as links to your support website and legal disclaimer, and add a text-only footer. |
| Network settings | If you are using Quality of Service (QoS) to prioritize network traffic, you can enable QoS markers and set port ranges for each type of media traffic. It is important to note that if you enable QoS or change settings in the Microsoft Teams admin center for the Microsoft Teams service, you will also need to apply matching settings to all user devices and all internal network devices to fully implement the changes to QoS. |

Configure Meeting settings in Teams admin center


You should perform the following steps to configure your meeting settings in the Teams admin center:
1. Sign into the Microsoft Teams admin center, select Meetings, and then select Meeting settings.
2. In the Participants section, turn the Anonymous users can join a meeting option on or off.

3. In the Email invitation section, enter the following information:


●● Logo URL. Enter the URL where your logo is stored.
●● Legal URL. If your organization has a legal website where you want attendees to read the legal
information, you can enter it here.
●● Help URL. If your organization has a support website that you want people to go to if they run
into issues regarding meetings, you can enter it here.
●● Footer. Enter the text that you want to include as a footer.
●● Preview invite. Selecting this button will display a preview of the Email invitation so you can verify
whether it is correct.
4. In the Network settings section, enter the following information:
●● Select On if you want to insert Quality of Service (QoS) markers for real-time media traffic.
●● Select a port range for each type of real-time media traffic. You can use any available ports
automatically or choose Starting port, Ending port and Total ports for Audio, Video and
Screen sharing.
5. After you configure network settings, select Save.
Note: It may take approximately an hour for the changes to take effect, at which point you should
schedule a Teams meeting to see if the information in the meeting invitation is correct.

Overview of live events in Microsoft Teams


Microsoft Teams offers users chat-based collaboration, calling, meetings, and live events. A live event is
created for one-to-many communications where the host of the event leads the interactions and
audience participation is primarily geared to viewing the content shared by the host. The attendees can
watch the live or recorded event in Yammer, Teams, and/or Stream, and they can also interact with the
presenters using moderated Q&A or a Yammer conversation. For live events, Microsoft Teams provides an
option that enables users to expand their meeting audience by broadcasting video and meeting content
online to large audiences of up to 10,000 attendees.

Event group roles


The following table identifies the roles that exist to successfully organize, lead, and participate in a live
event in Microsoft Teams.

| Role | Description |
| --- | --- |
| Organizer | A user with this role can perform the following actions: create the live event; set attendee permissions; select production method; configure event options (for example, the moderated Q&A); invite attendees; select event group members; manage reports generated after the event is over. |
| Producer | A user with this role is responsible for controlling the live event stream by performing the following actions: start and stop the live event; share his or her own video; share participant video; share his or her active desktop or window; select layouts. |
| Presenter | A user with this role presents audio, video, or a screen to the live event, and/or moderates Q&A. Presenters can only share audio, video, or a screen (desktop or window) in live events produced within Teams. |
| Attendee | A user with this role only watches an event live or on-demand using DVR controls, either anonymously or authenticated. The attendee can participate in Q&A. |

User requirements for creating live events


To create a live event, a user must satisfy the following licensing and permission requirements and
additional conditions:
●● The user must have a user account in Azure AD; the user cannot be a guest or from another
organization.
●● The user must have an Office 365 Enterprise E1, E3, or E5 license or an Office 365 A3 or A5 license.
●● The user must have permission to create live events in the Microsoft Teams admin center.
●● The user must have permission to create live events in Microsoft Stream for events produced using an
external broadcasting app or device.
●● Private meeting scheduling, screen sharing, and IP video sharing must be turned on in a Teams meeting
policy.
●● The user must have an Exchange Online mailbox.

Who can attend live events


If an event is set to public, then anyone who has the meeting link can attend without logging in.
However, when the live event is set to private and the attendance is restricted to your organization or to
specific people and groups, then the attendees must log in to join the meeting. Also, if the event is
produced in Teams, the attendees must have a license that includes Teams. If it is produced externally,
then they will need a license that includes Microsoft Stream.

Live events components


The following table identifies the components that you must consider when organizing a live event.

| Component | Description |
| --- | --- |
| Scheduling | Organizers can create an event with the appropriate attendee permissions, designate event team members, select a production method, and invite attendees. |
| Production | Live events support a spectrum of production scenarios. This includes an event produced in Teams using a webcam or an event produced in an external app or device. You can choose between these options depending on your project requirements and budget. There are two ways to produce events: Teams; external app or device. |
| Production: Teams | This option is the best and quickest option if you are inviting remote presenters to participate in the event, or if you want to use the audio and video devices connected to the PC. |
| Production: External app or device | Allows users to produce their live events directly from an external hardware or software-based encoder with Stream. You can choose this method to produce the live event in cases where you already have studio quality equipment (for example, media mixers) which supports streaming to a Real-time Messaging Protocol (RTMP) service. |

The following picture shows a live event in the Teams Desktop client.

Enterprise Content Delivery Network


Enterprise Content Delivery Network (eCDN) enables you to take video content from the internet and
distribute it through your enterprise without impacting network performance. When a corporate office
has a large number of concurrent viewers watching the same video content being streamed from the
internet, such as a live broadcast, an eCDN relieves the network bottleneck associated with delivering that
video content.
Without an eCDN, each viewer downloads the same stream from an external content delivery network,
which can overload the ISP links and stress the corporate network resources serving the video traffic. In
other words, without an eCDN, every single viewer has a connection to the originating server that is
downloading the video content, which means that all viewer connections are downloading the exact
same bytes. To accommodate this level of network traffic, organizations must buy larger Internet pipes
from their ISPs, which can be very expensive. And because all traffic from the Internet goes through the
corporate firewall, organizations must buy a bigger firewall device to inspect content, which also
increases their network costs.
However, when eCDN servers are deployed inside your corporate firewalls, you can reduce the amount of
network resources needed to serve the same amount of traffic. With eCDN, you only need to download
the video content from the originating server once for each eCDN server that you have deployed. All
viewers get the content from the eCDN servers over the LAN, which significantly reduces the required
WAN bandwidth. This also reduces the load on the firewall because there are far fewer network packets
that it has to inspect as they arrive from the internet.
eCDN is supported with the following certified eCDN partners, which help you optimize your network for
live events held within your organization: Hive, Kollective and Ramp.

Attendee experience
The most important aspect of using Live events in Microsoft Teams is to provide the attendees a great
user experience without having to deal with any issues. The attendee experience uses Azure Media Player
for events produced in Teams and Stream Player for events produced in an external app or device. Live
events work across desktop, browser, and mobile (iOS, Android) devices.
Note: Office 365 provides Yammer and Teams as two collaboration hubs, and the live attendee
experience is integrated into these collaboration tools.

Live event usage report


In the Microsoft Teams Admin center, the tenant admins can view real time usage analytics for live events.
The Live Event Usage report provides an overview of the live event activities held in an organization.
Administrators can view event usage information, including event status, start time, views, and production
type.
Additional information. For more information on using Microsoft Teams to support live events, see Plan
Microsoft Teams live events [1].

Manage live events policies


With the help of Live events policies, an administrator can control which users in the company can hold
live events, as well as which features are going to be available in the events they create. A default live
events policy is available, or the administrator can create one or more custom live events policies. After
the custom policy is created, it should be assigned to a user or groups of users within the organization.

Default live events policy


If a custom policy is not created and assigned, then the users will receive the default policy. In the default
live events policy, the following settings are defined:
●● Live event scheduling is enabled for Teams users.
●● Live captions and subtitles are turned off.
●● Everyone in the organization can join live events.
●● The recording setting is set to always record.

Create or edit a live events policy


In Microsoft Teams admin center, under the Meetings tab > Live event policies, you can choose to
create or manage/edit live event policies. When doing so, you can manage the following options:
●● Global policy. This organization-wide policy is the existing default policy. You can choose the edit
button to make changes to this policy.
●● New policy. This option is used to create a new custom policy.
●● Choose existing policy. By selecting this option, along with an existing policy and the Edit button,
you can make changes to that policy.

1 https://docs.microsoft.com/en-us/microsoftteams/teams-live-events/plan-for-teams-live-events

You should perform the following steps to create a live event policy:
1. Under Meetings & Live event policies, select the +Add button.
2. Type the name for your policy, and optionally type a description.
3. Customize the following tabs according to your preferences for this new policy:
●● Allow scheduling
●● Allow transcription for attendees
●● Who can join scheduled live events. Choose from Everyone, Everyone in the organization, and
Specific users or groups.
●● Who can record an event. Choose from Always record, Never record, and Organizer can
record.
4. Select Save to save your new policy.

Assign a live events policy to users


Once you create a custom live events policy, you must assign it to users for the policy to become active.
You should perform the following steps in the Microsoft Teams admin center to assign the policy:
1. Choose the Users section and then select the user or multiple users.
2. Next to Assigned policies, select the live events policy you want to assign and then select Edit.
3. When you have finished, select Save.
You can also assign a live events policy to one or multiple users in the Microsoft Teams admin center
under the Meetings section.
1. In the Meetings section, select Live events policies.
2. Select the name of the policy you want to assign and then select Manage users.
3. Search for and select the appropriate user and then select the Add button. You need to repeat this
step for every user that will be assigned this policy.
4. When you have finished, select Save.

Manage Live event policies using PowerShell


You can also manage Live event policies by using the following Windows PowerShell cmdlets:
●● Get-CsTeamsMeetingBroadcastPolicy
●● Set-CsTeamsMeetingBroadcastPolicy
●● New-CsTeamsMeetingBroadcastPolicy
●● Grant-CsTeamsMeetingBroadcastPolicy
When a user has been assigned the global policy, the AllowBroadcastScheduling parameter will indicate
whether the user can schedule a live event. To determine whether this parameter is set to True, you
should run the following command:
Get-CsTeamsMeetingBroadcastPolicy -identity Global

To disable live events scheduling across your organization, you should run the following command:
Set-CsTeamsMeetingBroadcastPolicy -identity Global -AllowBroadcastScheduling $false

To set who can join live events, you must set the global policy to allow users to create events that
everyone, including anonymous users, can attend. To do this, you should run the following command:
Set-CsTeamsMeetingBroadcastPolicy -Identity Global -BroadcastAttendeeVisibility Everyone

The recording option for live events only applies to Live events that are produced in Teams. For example,
to set the global policy to disable recording for live events, you should run the following command:
Set-CsTeamsMeetingBroadcastPolicy -Identity Global -BroadcastRecordingMode AlwaysDisabled
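
An offline check built on the default live events policy values listed earlier, added here as an example and not part of the original course text: it compares live events policy objects with that default and marks policies that permit public events. The sample objects and policy names are constructed; the property names follow the output of Get-CsTeamsMeetingBroadcastPolicy.

```powershell
# Added example. Baseline = the default live events policy as described in
# "Default live events policy": scheduling enabled, captions off,
# everyone in the organization can join, always record.
$baseline = [ordered]@{
    AllowBroadcastScheduling        = $true
    AllowBroadcastTranscription     = $false
    BroadcastAttendeeVisibilityMode = 'EveryoneInCompany'
    BroadcastRecordingMode          = 'AlwaysEnabled'
}

function Compare-BroadcastPolicy {
    # Emits one row per setting that differs from the baseline.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Policy,

        [Parameter(Mandatory)]
        [System.Collections.IDictionary] $Baseline
    )
    process {
        foreach ($name in $Baseline.Keys) {
            $actual = $Policy.$name
            if ($actual -ne $Baseline[$name]) {
                # A policy only exposes events to people who have not logged in
                # when scheduling is allowed AND visibility is Everyone.
                $public = ($name -eq 'BroadcastAttendeeVisibilityMode' -and
                           $actual -eq 'Everyone' -and
                           [bool]$Policy.AllowBroadcastScheduling)

                [pscustomobject]@{
                    Policy          = $Policy.Identity
                    Setting         = $name
                    Expected        = $Baseline[$name]
                    Actual          = $actual
                    AnonymousAccess = $public
                }
            }
        }
    }
}

# Constructed sample input shaped like Get-CsTeamsMeetingBroadcastPolicy output.
$samplePolicies = @(
    [pscustomobject]@{
        Identity                        = 'Global'
        AllowBroadcastScheduling        = $true
        AllowBroadcastTranscription     = $false
        BroadcastAttendeeVisibilityMode = 'EveryoneInCompany'
        BroadcastRecordingMode          = 'AlwaysEnabled'
    }
    [pscustomobject]@{
        Identity                        = 'Tag:MarketingWebinars'   # hypothetical
        AllowBroadcastScheduling        = $true
        AllowBroadcastTranscription     = $true
        BroadcastAttendeeVisibilityMode = 'Everyone'
        BroadcastRecordingMode          = 'UserOverride'
    }
    [pscustomobject]@{
        Identity                        = 'Tag:NoLiveEvents'        # hypothetical
        AllowBroadcastScheduling        = $false
        AllowBroadcastTranscription     = $false
        BroadcastAttendeeVisibilityMode = 'Everyone'
        BroadcastRecordingMode          = 'AlwaysDisabled'
    }
)

$findings = $samplePolicies | Compare-BroadcastPolicy -Baseline $baseline
$findings | Format-Table -AutoSize

# Policies that let organizers create events open to anonymous attendees.
$findings | Where-Object AnonymousAccess | Select-Object -ExpandProperty Policy

# Against a connected tenant, feed the real policies through the same function:
# Get-CsTeamsMeetingBroadcastPolicy | Compare-BroadcastPolicy -Baseline $baseline
```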

Manage live events settings


Settings for the Live events that are held within your company can be configured in the Microsoft Teams
admin center. The administrator can set up a support URL and configure a third-party video distribution
provider (note that these settings are going to be applied to all live events which are going to be created
in your organization).
You should perform the following steps to manage these settings:
1. Sign into the Microsoft Teams admin center with your admin account.
2. Select Meetings and then choose Live events settings.
3. On the Live events settings page, in the Support URL section, you can define the URL that will be
shown to your attendees who will participate at the Live event.
4. In the event your company has purchased and set up a Software Defined Network (SDN) solution or
enterprise Content Delivery Network (eCDN) solution through a Microsoft video delivery partner, you
can configure the provider by performing the following steps:
●● Use a third-party distribution provider. You must turn this option on to enable the third-party
video distribution provider.
●● SDN provider name. Enter the provider you are using.
●● Provider license key. Enter the license ID, which you received from your provider contact.
●● SDN API template URL. Enter the API template URL, which you received from your provider
contact.
5. Select the Save button.

Set up Support URL using Windows PowerShell


To set up the Support URL using PowerShell, you must run the following command:
Set-CsTeamsMeetingBroadcastConfiguration -SupportURL "{your URL}"

Configure third-party video provider using Windows PowerShell

If you want to configure your third-party video provider using Windows PowerShell, you must first
obtain the license ID or API token and API template from your provider contact. Once you have that
information, you should run the following command (in this example, the provider is Hive Streaming):
Set-CsTeamsMeetingBroadcastConfiguration -AllowSdnProviderForBroadcastMeeting $True -SdnProviderName hive -SdnLicenseId {license ID GUID provided by Hive} -SdnApiTemplateUrl "{API template URL provided by Hive}"

Note: If you want to create live events using an external app or device, you must first configure your
eCDN provider with Microsoft Stream [2].

Integrate Yammer Live Events


Using Live events in Yammer can provide your Office 365 users with the ability to produce live events
directly in the Yammer app, with built-in discussions for use before, during, and after the event. Live
events support up to 10,000 attendees at the same time, from anywhere, using the attendees’ device
or computer. If you decide to record the Live event, you can make the video available after the event, so
that people who cannot attend at the scheduled time can still participate.

Yammer network and group requirements for live events


●● To host a live event in Yammer, your organization must have Enforce Office 365 identity selected,
and you must be using Office 365 connected Yammer groups. For more information see Enforce
Office 365 identity for Yammer users [3] and Yammer and Microsoft 365 Groups [4].
●● The event must be held in either a public Yammer Office 365 connected group, or a private Yammer
Office 365 connected group that includes everyone who will be invited to the live event. For more
information, see Create a group in Yammer [5] and Manage a group in Yammer [6].
●● The All Company group can’t be used for live events.

Broadcast a live event in Yammer


There are two production methods you can choose from when broadcasting a live event in Yammer:
●● Using an external app or device
●● Using Microsoft Teams

Using an external app or device


With this production method the video processing is handled by Microsoft Stream. However, you never
have to leave Yammer because everything your users need to schedule, run, and participate in the event
already exists in Yammer.
You should consider this production method when you are organizing events for large auditoriums, and
you already have the necessary equipment to mix audio and video (and, of course, you have the right
people to run it). Once you have the AV equipment set up and the hardware or software external encoder
in place, the steps to organize and run this type of event will be easy to follow. The event is automatically
recorded and is available for viewing in Yammer or from Microsoft Stream.
Steps for broadcasting an event using an external app or device:
You should perform the following steps to organize a live event using an external app or device:
1. Schedule the Live event. Schedule the event in the Yammer group, invite the presenter(s), and select
caption and recording options.

2 https://docs.microsoft.com/stream/network-caching
3 https://docs.microsoft.com/en-us/yammer/configure-your-yammer-network/enforce-office-365-identity
4 https://docs.microsoft.com/en-us/yammer/manage-yammer-groups/yammer-and-office-365-groups
5 https://support.office.com/en-us/article/create-a-group-in-yammer-b407af4f-9a58-4b12-b43e-afbb1b07c889
6 https://support.office.com/en-us/article/manage-a-group-in-yammer-6e05c6d6-5548-4c88-89cd-e6757a514ef2
2. Share the Live event. Get the link to the event and share it with the users who will be attending the
event.
3. Produce the Live event. Start the event in Yammer, connect your external encoder so that you can
start the video, moderate the discussion, lead the event, and then close the event when you are done.
4. Follow up. Continue the discussion in Yammer after the event, since the Yammer conversation and
recording remain open after the event for follow-up questions and comments.

Teams
When presenters are going to use Microsoft Teams to record themselves from their computers, this
method would be the most appropriate. This type of live event is similar to setting up a Teams meeting. It
is easy to organize and produce and does not require AV expertise. This method of Live event
organization is scheduled, produced, and viewed in Microsoft Teams. Also, the attendees watch the video
in Teams and participate in the event from Teams.
Steps for broadcasting an event produced in Teams:
You should perform the following steps to organize a live event that is broadcast in Microsoft Teams:
1. Create the event. Create the event in a Yammer group. This will automatically take you to Teams so
that you can schedule the event, invite presenters and producers, and select recording, captioning,
and reporting options.
2. Share the Live event. Get the link to the event and share it with the users who will be attending the
event.
3. Produce the live event in Teams. Start the event in Teams, start the video, moderate the discussion,
lead the event, and then close it when you are done.
4. Follow up. Continue the discussion in Yammer after the event, since the Yammer conversation and
recording remain open after the event for follow-up questions and comments.
Additional information. For more information see Yammer live event step-by-step playbook7.

7 https://resources.techcommunity.microsoft.com/wp-content/uploads/2019/05/How-to-host-a-Live-Event-in-Yammer-Playbook.pdf

Manage phone numbers


Lesson Introduction
Microsoft Teams includes cloud voice capabilities that are delivered from Office 365 and provide Private
Branch Exchange (PBX) functionality and options for connecting to the Public Switched Telephone
Network (PSTN). Microsoft’s technology that enables call control and PBX capabilities is called Phone
System.
Phone System in Microsoft Teams allows users to place and receive calls, transfer calls, and mute or
unmute calls. Calling in Teams supports basic Phone System features, such as call answering and initiating
(by name and number) with an integrated dial pad, call holding and retrieving, call forwarding and
simultaneous ringing, call history, voicemail, and emergency calling. Users can also use a range of
devices to establish calls, including mobile devices, a headset connected to a computer, and an IP phone.
After this lesson, you will be able to:
●● Evaluate PSTN connectivity solution
●● Explain how to get new phone numbers
●● Manage emergency addresses
●● Manage phone numbers for users
●● Manage voice settings for users

Evaluate PSTN connectivity solutions


Within Microsoft Phone System, calls between users in your organization are handled internally. However,
to enable calls to landlines and mobile phones, Phone System must be connected to the PSTN. PSTN
connectivity can be established in two ways:
●● Calling Plan. Establish and receive calls directly through Office 365 Phone System as a telephony
provider by purchasing a Microsoft Calling Plan (domestic or domestic and international) for Office
365.
●● Direct Routing. Connect your current on-premises PBX infrastructure with the Office 365 Phone
System by using Direct Routing.

Calling Plans for Office 365


When users call other Microsoft Teams users within an organization, the calls are free. However, you must
buy a Calling Plan if you want your users to be able to call regular phones and you do not have a service
provider to make voice calls.
There are two Microsoft Calling Plans options that can be purchased:
●● Domestic Calling Plan. With this plan, licensed users can call out to numbers located in the country/
region where they are assigned in Office 365.
●● Domestic and International Calling Plan. With this plan, licensed users can call out to numbers
located in the country/region where their Office 365 license is assigned (based on the
user's location), and to international numbers in supported countries/regions. As of this writing, there
are 196 countries/regions that you can dial into using an international number.

You should perform the following steps to set up a calling plan for your organization:
1. Determine whether Calling Plans are available in your country/region. Calling plans can be purchased
depending on availability per country/region. Therefore, when planning for your telephony solution,
you should verify whether the country/region used in your Office 365 billing location supports audio
conferencing.
2. Buy and assign licenses. Once you ensure that calling plans can be purchased for your country/region,
you should buy the calling plan licenses and assign them to your users.
3. Obtain phone numbers. You can get phone numbers in one of the following ways:
●● Use the Teams admin center. This process is used when your country/region supports getting
phone numbers through the Teams admin center.
●● Port existing phone numbers. This process is used if you want to port your existing phone numbers
from the current carrier to the Office 365 Phone System.
●● Use a request form for new numbers. This process is used when the Teams admin center in
your country/region does not support getting phone numbers.
4. Add emergency addresses and locations for the organization.
5. Assign a phone number and emergency address for the user.

Direct Routing
If your organization has an on-premises PSTN connectivity solution, Direct Routing enables you to
connect a supported Session Border Controller (SBC) to Microsoft Phone System. Direct Routing enables
you to use any PSTN trunk with your Microsoft Phone System and configure interoperability between
customer-owned telephony equipment, such as a third-party private branch exchange (PBX), analog
devices, and Microsoft Phone System.
For example, with this Direct Routing capability, you can configure on-premises PSTN connectivity with a
Microsoft Teams client, as shown in the following diagram.

A Direct Routing solution is deployed in organizations within the following scenarios:


●● Microsoft Calling Plan is not available in the organization country/region.
●● The organization requires connection to third-party analog devices or call centers.
●● The organization has an existing contract with a PSTN carrier.

Infrastructure requirements
You must meet the following infrastructure requirements to deploy a Direct Routing solution in your
organization:
●● A supported Session Border Controller (SBC).
●● One or more telephony trunks connected to the SBC. The SBC can also be connected to third-party
PBXs or Analog Telephony Adapters. On the other end, the SBC will be connected to Microsoft Phone
System through Direct Routing.
●● Office 365 Tenant where your organization’s Teams users are located.
●● Users must be homed in Microsoft Teams. In a hybrid environment, on-premises Skype for Business
users cannot be enabled for voice in Microsoft Teams.
●● Domains must be configured to your organization’s Office 365 tenant. The default *.onmicrosoft.com
domain cannot be used.
●● A public DNS FQDN and a public IP address that will be used to connect to the SBC.
●● A public trusted certificate for the SBC that will be used for communication with Direct Routing.
●● Connection points FQDNs for Direct Routing that include:
●● sip.pstnhub.microsoft.com – Global FQDN, must be tried first.
●● sip2.pstnhub.microsoft.com – Secondary FQDN, geographically maps to the second priority region.
●● sip3.pstnhub.microsoft.com – Tertiary FQDN, geographically maps to the third priority region.
●● Firewall IP addresses and ports for Direct Routing and Microsoft Teams media should be opened. The
following table identifies the ports that should be opened.

Traffic   From        To          Source port          Destination port
SIP/TLS   SIP Proxy   SBC         1024 – 65535         Defined on the SBC
SIP/TLS   SBC         SIP Proxy   Defined on the SBC   5061
●● Media Transport Profile should allow TCP/RTP/SAVP and UDP/RTP/SAVP. The media traffic flows to
and from a separate service in the Microsoft Cloud. The IP range for Media traffic should include
52.112.0.0/14 (IP addresses from 52.112.0.1 to 52.115.255.254).
●● Media traffic codecs:
●● The Direct Routing interface on the leg between the Session Border Controller and Cloud Media
Processor (without media bypass) or between the Teams client and the SBC (if Media Bypass
enabled) can use the following codecs:
●● Non-Media bypass (SBC to Cloud Media Processor): SILK, G.711, G.722, G.729
●● Media Bypass (SBC to Teams client): SILK, G.711, G.722, G.729, OPUS
●● On the leg between the Cloud Media Processor and the Microsoft Teams client, media flows
directly between the Teams client and the SBC, where either SILK or G.722 is used.
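
As an added example (not part of the course material), the following PowerShell audits a firewall allowlist against the signaling FQDNs, the SIP/TLS port, and the media range listed above. The rule schema and the sample rules are constructed for illustration; media ports are not checked because this page does not list them.

```powershell
# Added example: audit a firewall allowlist against the Direct Routing requirements above.
# The rule objects use a hypothetical schema and are constructed sample data.

$SipFqdns   = 'sip.pstnhub.microsoft.com', 'sip2.pstnhub.microsoft.com', 'sip3.pstnhub.microsoft.com'
$SipTlsPort = 5061
$MediaCidr  = '52.112.0.0/14'

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # Int64 arithmetic avoids signed 32-bit overflow for addresses above 127.255.255.255.
    ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Get-CidrRange {
    param([Parameter(Mandatory)][string]$Cidr)
    $address, $prefix = $Cidr -split '/'
    $size  = [long][math]::Pow(2, 32 - [int]$prefix)
    $ip    = ConvertTo-IPv4Number -Address $address
    $start = $ip - ($ip % $size)              # align to the network boundary
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Test-DirectRoutingRules {
    param([Parameter(Mandatory)][object[]]$Rules)

    $allowed = @($Rules | Where-Object { $_.Action -eq 'Allow' })

    # Signaling: the SBC must reach every connection point on TCP 5061 (SIP/TLS).
    foreach ($fqdn in $SipFqdns) {
        $hit = $allowed | Where-Object {
            $_.Direction -eq 'Outbound' -and $_.Protocol -eq 'TCP' -and
            $_.Destination -eq $fqdn -and $_.DestinationPort -eq $SipTlsPort
        }
        if (-not $hit) { "MISSING: SBC -> ${fqdn}:$SipTlsPort (SIP/TLS)" }
    }

    # Media: both TCP and UDP rules must cover the whole range, and no more than that.
    $required = Get-CidrRange -Cidr $MediaCidr
    foreach ($proto in 'TCP', 'UDP') {
        $covered   = $false
        $cidrRules = $allowed | Where-Object {
            $_.Protocol -eq $proto -and $_.Destination -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$'
        }
        foreach ($rule in $cidrRules) {
            $range = Get-CidrRange -Cidr $rule.Destination
            if ($range.Start -le $required.Start -and $range.End -ge $required.End) {
                $covered = $true
                if ($range.Start -lt $required.Start -or $range.End -gt $required.End) {
                    "TOO BROAD: '$($rule.Name)' allows $($rule.Destination), wider than $MediaCidr"
                }
            }
            elseif ($range.Start -ge $required.Start -and $range.End -le $required.End) {
                "PARTIAL: '$($rule.Name)' covers only $($rule.Destination) of $MediaCidr"
            }
        }
        if (-not $covered) { "MISSING: no $proto rule covers the full media range $MediaCidr" }
    }
}

# Constructed sample allowlist: sip3 is absent, the TCP media rule is too wide,
# and the UDP media rule covers only part of the required range.
$sampleRules = @(
    [pscustomobject]@{ Name = 'sip-primary'; Action = 'Allow'; Direction = 'Outbound'; Protocol = 'TCP'
                       Destination = 'sip.pstnhub.microsoft.com'; DestinationPort = 5061 }
    [pscustomobject]@{ Name = 'sip-secondary'; Action = 'Allow'; Direction = 'Outbound'; Protocol = 'TCP'
                       Destination = 'sip2.pstnhub.microsoft.com'; DestinationPort = 5061 }
    [pscustomobject]@{ Name = 'media-tcp'; Action = 'Allow'; Direction = 'Outbound'; Protocol = 'TCP'
                       Destination = '52.0.0.0/8'; DestinationPort = $null }
    [pscustomobject]@{ Name = 'media-udp'; Action = 'Allow'; Direction = 'Outbound'; Protocol = 'UDP'
                       Destination = '52.112.0.0/16'; DestinationPort = $null }
    [pscustomobject]@{ Name = 'legacy-deny'; Action = 'Deny'; Direction = 'Outbound'; Protocol = 'UDP'
                       Destination = '52.112.0.0/14'; DestinationPort = $null }
)

Test-DirectRoutingRules -Rules $sampleRules
```

Each finding is emitted as a string, so the output can be piped into a report or compared between change windows.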

Licensing requirements
Users of Direct Routing must have the following licenses assigned in Office 365:
●● Microsoft Phone System

●● Microsoft Teams and Skype for Business Plan 2 (from a subscription plan)
●● Microsoft Audio Conferencing is required in scenarios where a Teams user in a call wants to add a
PSTN user to the call through the Audio Conferencing service.
Additional information. For more information, see Phone System Direct Routing8.

Get phone numbers


Before you can assign phone numbers to the users or services in your organization, you must first get
phone numbers.
There are three ways to get phone numbers:
●● Use the Microsoft Teams admin center. For some countries/regions, you can get numbers for your
users using the Microsoft Teams admin center.
●● Port your existing numbers. You can port or transfer existing numbers from your current service
provider or phone carrier.
●● Use a request form for new numbers. Depending on your country/region, you may not be able to
get your new phone numbers using the Microsoft Teams admin center, or you will need specific
phone numbers or area codes. In either case, you will need to download a form, complete it, and
return it to Microsoft.
The number of phone numbers for users (subscribers) is equal to the total number of Domestic Calling
Plan and/or Domestic and International Calling Plan licenses you have assigned multiplied by 1.1, plus
10 additional phone numbers. For example, if you have 50 users in total with a Domestic Calling Plan
and/or Domestic and International Calling Plan, you can acquire 65 phone numbers (50 x 1.1 + 10).

Types of phone numbers


Microsoft Teams uses different telephone number types depending on the purpose for which the phone
number will be used:
●● User numbers. These numbers can be assigned to users in your organization for calling purposes.
●● Service numbers. These numbers are assigned to services such as Audio Conferencing, auto
attendants, and call queues. Service phone numbers, which have a higher concurrent call capacity than user
numbers, will vary by country/region and the type of number (whether it's a toll or toll-free number).
Additional information. For more information about types of phone numbers, see the following article
on Different kinds of phone numbers used for Calling Plans.9

Get new phone numbers in the Teams admin center


You must perform the following steps to add new phone numbers to your tenant for assignment to users
or as service numbers:
1. Sign into the Microsoft Teams admin center.
2. From the left-hand navigation pane, choose Voice > Phone Numbers.
3. On the Phone numbers window, below Numbers, select + Add for a new phone number request.
4. On the main pane, enter a name and description.

8 https://docs.microsoft.com/en-us/microsoftteams/direct-routing-landing-page
9 https://docs.microsoft.com/en-us/microsoftteams/different-kinds-of-phone-numbers-used-for-calling-plans

5. On the Select location and quantity pane, enter the following information:
●● Country or region - select country or region.
●● Number type - select the appropriate option that determines whether the phone numbers are
designated for users or for services, such as conference bridge, call queue, or auto attendant.


●● Location - choose a location for connecting the new phone numbers. If you need to create a new
location, select Add a location and enter the required location’s data.
●● Area code - select a valid area code for the country and location.
●● Quantity - enter the number of phone numbers that you want for your organization.

6. Select Next to continue.


7. On the Get numbers page, select the phone numbers you want to apply to your tenant.
8. Select Place order.

Note: The phone numbers are only reserved for 10 minutes; therefore, if you do not select Place
order, the phone numbers are returned to the pool of numbers.

Port or transfer phone numbers from your service provider or phone carrier

You can transfer phone numbers using either of the following methods:
●● If you need 999 or fewer phone numbers for your users, you can use the legacy portal in the Microsoft
Teams admin center.

●● If you need to port more than 999 phone numbers, you must submit a port order service request or
submit an order to get phone numbers ported over to Office 365.
In the Voice & Phone numbers section, you can also port existing phone numbers from a service
provider by choosing the Port button. You can see all the orders you have placed in the Order history
tab.

Use a request form for new numbers


Each country/region has different types of phone numbers (geographic/non-geographic) and services
(toll/toll-free), as well as its own rules or regulations for getting phone numbers so they
can be used in Microsoft Teams. Also, some countries/regions do not provide the ability to get
new phone numbers using the Microsoft Teams admin center, so the only way to do so is to download
and fill out a form known as a Letter of Authorization, or LOA.
An LOA gives Microsoft permission, on your behalf, to request transfer of existing phone number(s)
from a different service provider, in the following cases:
●● User numbers that you already have from another carrier.
●● Service (toll) numbers for audio conferencing bridges, auto attendants, and call queues.
●● Service (toll-free) phone numbers.
●● You have more than 999 user phone numbers that you cannot get in the Microsoft Teams admin center
using the Local Number Porting wizard.
Additional information. For detailed instruction on how to get phone numbers in your specific country/
region, see Manage phone numbers for your organization10.

Show phone numbers for your organization


In the left-hand navigation pane of the Microsoft Teams admin center, go to Voice > Phone numbers
to view the numbers for your organization, including location, number type, and status information.
In the Microsoft Teams client, users can see their phone number by selecting Calls in the left-hand
navigation pane. The phone number is displayed above the dial pad, as seen in the following screen shot.

10 https://docs.microsoft.com/en-us/microsoftteams/manage-phone-numbers-for-your-organization/manage-phone-numbers-for-your-organization

Manage emergency addresses


An emergency location may be referred to as a civic address, street address, or a physical address. It is
the street or civic address of a place of business for your organization that is used to route emergency
calls to the appropriate dispatch authorities and to assist in locating the emergency caller. If your
organization has multiple physical locations, you'll need more than one emergency location.
Validating an emergency address involves making sure that it is legitimate and correctly formatted for
emergency response services. It is possible to add and save an emergency location that is not validated,
but only validated locations can be associated with a user. After an emergency location is validated and
saved, you can assign it to a user. To change an emergency location that is saved and validated, you must
create a new one.
An emergency location is associated with a place to give a more exact location within a building. A place
is typically a floor, building wing, or office number where the user is located. You can have an unlimited
number of places associated with an emergency address.
When you assign an emergency location to a user, you assign a location ID that references the location.
The location ID includes the referenced emergency address (the street or civic address). A default place is
included with an emergency location for cases in which in-building places are not needed.
Emergency locations and places are used when routing emergency calls to the appropriate dispatch
center for the purpose of dispatching emergency first responders. When a Teams user dials an emergency
number, how the call is routed to the serving Public Safety Answering Point (PSAP) varies by country/
region. In some countries/regions, such as the United States and the United Kingdom, the calls are first
screened to determine the current location of the user before connecting the call to the appropriate
dispatch center. In other countries/regions, calls are routed directly to the dispatch center serving the
phone number associated with the emergency caller.
When adding emergency locations for your organization, it is recommended that you follow these steps:
●● Plan for emergency locations (make a list of all physical addresses before deciding on emergency
locations)
●● Add emergency locations (and validate the address)
●● Get phone numbers

●● Assign phone numbers (enable users to make and receive phone calls)
Note: Take extra care when configuring and maintaining your organization’s emergency locations, as they
can literally impact the life or death of your employees. Several countries/regions have strict laws that
require companies to ensure the availability of an emergency phone number in the event of an accident.

Add an emergency location


You should perform the following steps to add an emergency location:
1. Sign into the Microsoft Teams admin center.
2. On the left-hand navigation pane, select Locations > Emergency addresses.
3. On the Emergency addresses page, select Add + to add a new location.
4. Type the name and description for the location.
5. Select the country/region, and then enter the Address.
6. If the address cannot be found, you must set the Edit the address manually option to On and type
the address.
7. Select Save.

Change an emergency location


You should perform the following steps to change the emergency location:
1. On Emergency addresses page, select the location that you want to change from the list, and then
select Edit.
2. Make your changes.
3. Select Save.
Important: You can only change the address information for a location when the address is not
validated. If the address was previously validated, you must delete the location and then create a new location
with the correct address.

Remove an emergency location


You can also use the Emergency addresses page in the Microsoft Teams admin center to delete an
emergency location. To do so, you must find and select the location that you want to remove from the list
of locations, and then select the Delete button.
Additional information. For more information, see What are emergency locations, places and call
routing11.

Manage phone numbers for users


After you have finished setting up Calling Plans in your organization, you must assign phone numbers to
your users. You can also manage and remove user phone numbers if need be.

Assigning phone numbers in the Teams admin center


You should perform the following steps to assign phone numbers to users through the Teams admin
center:
1. Sign into the Microsoft Teams admin center.
2. On the left-hand navigation pane, select Voice and then select Phone numbers.

11 https://docs.microsoft.com/en-us/MicrosoftTeams/what-are-emergency-locations-addresses-and-call-routing

3. Select an unassigned number in the list and then select Edit.


4. To assign or change the associated emergency location, search for and then select the location under
the Emergency location tab.


5. In Assigned to, search for the user by display name or username, and then select Assign. Important:
You can only find a user if the user has the appropriate license applied.
6. Select Apply.

Change a phone number for a user


You should perform the following steps to change a user’s phone number using the Teams admin
center:
1. In the left-hand navigation pane, select Users and select a user.
2. In the Account tab, below General information, you can see the user’s assigned phone number.
3. In the left-hand navigation pane, select Voice, and then select Phone numbers.
4. On the Phone numbers page, select the number that you want to change, and then select Edit
from the top pane.
5. In the right-side Edit pane, below Assigned to, select X to remove the user.
6. Select Apply.
7. On the Phone numbers page, select an unassigned number in the list, and then select Edit.
8. Under Assigned to, search for the user by display name or username, and then select Assign.
9. Select Apply.

Remove a phone number for a user


You should perform the following steps to remove a user’s phone number using the Microsoft Teams
admin center:
1. In the Users section, locate and select the user, select Account, and then under General information,
make a note of the phone number that is assigned to the user.
2. In the left-hand navigation pane, select Voice and then select Phone numbers.
3. On the Phone numbers page, select the number that you want to remove for a user, and then select
Edit.
4. In the Edit section, under Assigned to, select X in order to remove the user.
5. Select Apply.
Additional information. For more information, see Manage phone numbers for your organization12.

Manage voice settings for users


Voice settings for users include call sharing and group call pickup features of Microsoft Teams, which let
users share their incoming calls with colleagues so that the colleagues can answer calls that occur while
the user is unavailable.
Group call pickup is less disruptive to recipients than other forms of call sharing (such as call forwarding
or simultaneous ringing) because users can configure how they want to be notified of an incoming
shared call (through audio and visual notification, visual only, or through a banner in the Teams app), and
they can decide whether to answer it. To share calls with others, a user creates a call group and adds the
users they want to share their calls with. Then they choose a simultaneous ring or forward setting.
Regarding the licensing requirements, the users must be Enterprise Voice enabled to set up and use call
sharing and group call pickup.

12 https://docs.microsoft.com/en-us/microsoftteams/manage-phone-numbers-for-your-organization/manage-phone-numbers-for-your-organization

To share calls with others, a user must create a call group and then add the users he or she wants to share
the calls with (they can also configure simultaneous ring or forwarding).
Note: The call group owner and members of the call group must all be in Teams Only deployment mode,
and the maximum number of users in each call group is 25.

Group call configuration


Call groups enable users to manage who they want notified when they get a call.
Administrators do not have to configure these features for their users since the call group creation and
notification settings are available for configuration on the user side. However, administrators can use the
Skype for Business Online PowerShell module to modify the AllowCallGroups parameter in the
TeamsCallingPolicy to enable or disable call groups:

New-CsTeamsCallingPolicy -Identity "AllowCallingPreventCallgroups" -AllowCallGroups $false

The Grant-CsTeamsCallingPolicy cmdlet can be used to grant the policy to a user:

Grant-CsTeamsCallingPolicy -Identity alex.wilber@contoso.com -PolicyName AllowCallingPreventCallgroups

When you want to allow a user to use call groups, you can either change their policy using the
Set-CsTeamsCallingPolicy cmdlet, or grant a different policy to the users.
Note: Before creating a new policy, you should always verify that no policy already exists that covers your
exact scenario.
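
The check-before-create workflow described in the note above, as an added example that is not part of the course material. It assumes an authenticated Skype for Business Online / Teams PowerShell session with rights to manage calling policies, and reuses the policy name and sample user shown on this page.

```powershell
# Added example: create the calling policy only when it is really needed, then grant it.
$policyName = 'AllowCallingPreventCallgroups'   # policy name used on this page
$user       = 'alex.wilber@contoso.com'         # sample user used on this page

# 1. List policies that already disable call groups, together with the other
#    settings that decide whether one of them already fits the scenario.
Get-CsTeamsCallingPolicy |
    Where-Object { -not $_.AllowCallGroups } |
    Select-Object Identity, AllowPrivateCalling, AllowCallGroups, AllowDelegation |
    Format-Table -AutoSize

# 2. Look for a policy with the intended name. Custom policies are returned
#    with a "Tag:" prefix on their Identity.
$existing = Get-CsTeamsCallingPolicy |
    Where-Object { $_.Identity -eq "Tag:$policyName" }

if (-not $existing) {
    # No such policy yet: create it with call groups disabled.
    New-CsTeamsCallingPolicy -Identity $policyName -AllowCallGroups $false | Out-Null
}
elseif ($existing.AllowCallGroups) {
    # Same name, but the setting has drifted: correct it instead of adding a duplicate.
    Set-CsTeamsCallingPolicy -Identity $policyName -AllowCallGroups $false
}

# 3. Grant the policy and read back what the user object reports.
Grant-CsTeamsCallingPolicy -Identity $user -PolicyName $policyName
Get-CsOnlineUser -Identity $user |
    Select-Object UserPrincipalName, TeamsCallingPolicy
```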
If you have permission to create call groups, you can use the Microsoft Teams Client to add a call group
by performing the following steps:
1. In the upper right corner of the client, select Settings and Calls.
2. Below Call answering rules, select Forward my calls, and open the dropdown menu by selecting
Voicemail.
3. Select the call group to open a Call group new window.
4. Use the search field below Add people and select the desired members of the call group.
5. In the Ring order menu, you can select to ring All at the same time simultaneously or In the order
above to call people in order in 20-second intervals (just note that if your call group has six or more
people, incoming calls will ring all of them at the same time).
Note: All users added to a call group receive a notification in their Teams client.
When an admin turns off group calling for a user after the user has already set up a call group, the call
group relationships for the user in the Teams admin center must be cleaned up to avoid incorrect call
routing.
To clean up or modify the call group for a user, sign into the Teams Admin Center and perform the
following steps:
1. In the left-hand navigation pane in the Teams Admin Center, select Users and then select the name
of the user you want to edit.
2. Select the Voice tab and navigate to the Group call pickup section.
3. In the list select the users you want to remove from the Call group and select Remove.

If you want to add users to a call group, perform the following steps:
1. In the left-hand navigation pane in the Teams Admin Center, select Users and then select the name
of the user who owns the call group you want to modify.
2. Select the Voice tab and navigate to the Group call pickup section.
3. Select Add people and then in the right-hand pane, search for the users you want to add.
4. Select Apply to add the selected users to the call group.
Additional information. For more information see Call forwarding, call groups and simultaneous
ring in Teams13.

13 https://support.office.com/en-us/article/call-forwarding-call-groups-and-simultaneous-ring-in-teams-a88da9e8-1343-4d3c-9bda-4b9615e4183e?ui=en-US&rs=en-US&ad=US

Manage Phone System for Microsoft Teams


Lesson Introduction
Microsoft Teams provides features to enhance the user experience and create auto attendants to manage
calls. Some of these features have been used in telephony solutions for decades and provide a way to
configure your Teams environment to keep providing these capabilities.
In this lesson you will learn about the different ways to manage the phone system for Microsoft Teams.
After this lesson, you will be able to:
●● Create and manage resource accounts
●● Create and manage call queues
●● Create and manage auto attendants
●● Configure call park policies
●● Configure policies to manage calling capabilities
●● Describe Teams Direct Routing
●● Explain Teams addon licensing

Manage resource accounts


A resource account is a disabled user object in Azure Active Directory. It is used to represent objects
other than users. For example, in Exchange it can represent conference rooms, and in Teams it allows
each conference room to have a phone number. A resource account can be homed in Azure AD or
on-premises using Skype for Business Server 2019.
Phone System call queues and auto attendants must have at least one associated resource account in
Microsoft Teams. As shown in the following diagram, a resource account will need an assigned phone
number depending on the intended use of the associated call queue/auto attendant.

If you want to assign a phone number to a Phone System call queue, you must:
1. Obtain a service number and a free Phone System – Virtual User license (or a paid Phone System
license) to use with the resource account.
2. Create the resource account.
3. Assign the Phone System license or Phone System Virtual User license.
4. Assign a service phone number to the resource account you just assigned licenses to.
5. Create a Phone System call queue or auto attendant.
6. Link the resource account with a call queue or auto attendant.
Important: When the auto attendant (or call queue) is nested under a top level auto attendant, and you
want multiple points of entry into the structure of auto attendants and call queues, the associated
resource account only needs a phone number.
Note: Your organization is allotted Phone System–Virtual User licenses depending on its overall size. Any
organization has 25 Virtual User licenses available at no cost if it has at least one license including Phone
System, or it has Phone System added. For each 10 Phone System user licenses in your organization, one
more Phone System–Virtual User license becomes available.

Create a resource account with a phone number


You must perform the following steps to create a resource account that uses a phone number:
1. Port or get a toll or toll-free service number (you cannot assign the number to any other voice
services or resource accounts).
2. Before you assign a phone number to a resource account, you must get (or port) your existing toll or
toll-free service numbers. After that, they are going to show up in Microsoft Teams admin center >
Voice > Phone numbers, and the Number type will be listed as Service - Toll-Free.
3. Obtain a Phone System Virtual User license (or a regular Phone System license).
4. To get the Virtual User license, sign in to the Microsoft 365 admin center, navigate to Billing > Purchase
services > Add-on subscriptions, and then scroll to the end, where you will find the “Phone System -
Virtual User” license. Select Buy now. The license has zero cost, but you must still follow these steps to
acquire it.
5. Create a new resource account.
6. Assign a Phone System.
7. Assign the service number to the resource account.
8. Set up one of the following: Cloud auto attendant or Cloud call queue.
9. Link the resource account to the auto attendant or call queue.
When you create a resource account while creating an auto attendant, the licenses are applied
automatically.
Note: Phone numbers will be assigned to the underlying resource account, not to the call queue or auto
attendant.

Create a resource account without a phone number


To create a resource account that does not need a phone number, you must:
1. Create a new resource account.
2. Set up one of the following: Cloud auto attendant or Cloud call queue.
3. Assign the resource account to the call queue or auto attendant.

Create a resource account in Microsoft Teams admin center

You should perform the following steps to create a resource account using the Microsoft Teams admin
center:
1. In the Teams Admin Center select Org-wide settings > Resource accounts.


2. Select New account and enter the required information in the Add resource account window:


●● Display name
●● Username – provide a unique combination of a name and verified domain for your tenant.
●● Resource account type – Select either call queue or auto attendant
3. Select Save to create the new resource account.
You should perform the following steps to assign the license to the freshly created resource account:


1. In the Office 365 Admin Center navigate to Users > Active users.
2. Search for the Display name of the resource account you created.
3. Select the resource account.
4. In the right-hand pane select Licenses and Apps, and then select either Phone System or Phone
System – Virtual User licenses.
5. Select Apply.

Manage Resource account settings in Microsoft Teams admin center

You should perform the following steps to manage resource accounts using the Microsoft Teams Admin
Center:
1. In the Teams Admin Center navigate to Org-wide settings > Resource accounts.
2. Select the account you want to modify.
3. Select Edit.
4. Modify the following options:
●● Display name
●● Call queue or Auto attendant. The options displayed depend on the selection made at time of
creation of the resource account.
5. Select Save to apply the changes.

Assign/Unassign phone numbers and services


Once you have created the resource account and assigned the license, you can assign a service number
to the resource account, or assign the resource account to an auto attendant or call queue that already
exists.
You should perform the following steps to assign a phone number to a resource account using Microsoft
Teams admin center:
1. In the Teams Admin Center select Org-wide settings > Resource accounts.
2. Select the resource account you want to modify.
3. Select Assign/unassign and provide the following information:


●● Phone number type – Online, Toll-free or On Premises.
●● Assigned phone number – The number you want to assign.
●● Select an Auto attendant/Select a call queue – This option will change depending on the option
you selected when creating a resource account.
4. Select Save.
Note: The phone number cannot be assigned to the resource account if the account does not have a
valid license.

Create a resource account in PowerShell


You must use Skype for Business Online PowerShell to assign a direct routing (or hybrid) number to a
resource account.
You should run the following PowerShell command to create a resource account for an Auto Attendant:
New-CsOnlineApplicationInstance -UserPrincipalName "AutoAttendant1@contoso.com" -ApplicationId "ce933385-9390-45d1-9512-c8d228074e07" -DisplayName "Resource Account for AA"

To create a call queue resource account, you must provide a different ApplicationId.
Call queue: 11cd3e2e-fccb-42ad-ad00-878b93575e07
Auto attendant: ce933385-9390-45d1-9512-c8d228074e07
Note: Using Cloud Call Queues and Cloud Auto Attendants with resource accounts homed on Skype For
Business Server 2019 will be covered in a later topic.
To use the resource account after creating it, you must first assign it a license. When the license is
assigned you can assign a phone number to the resource account. If you did not apply a license to the
resource account, the phone number assignment will fail.
You should run the following PowerShell commands to assign a phone number:
Set-CsOnlineVoiceApplicationInstance -Identity testra1@contoso.com -TelephoneNumber +14255550100

Get-CsOnlineTelephoneNumber -TelephoneNumber +14255550100

You should run the following PowerShell command to assign a direct routing phone number to a resource
account (homed in Teams or Skype For Business Server 2019):
Set-CsOnlineApplicationInstance -Identity appinstance01@contoso.com -OnpremPhoneNumber +14250000000

Note: Hybrid implementations will use the New-CsHybridApplicationEndpoint cmdlet.


Additional information. For more information, see the article Manage resource accounts in
Microsoft Teams [14].

Create and configure a call queue


With cloud call queues you can add different features for calling, such as:
●● a greeting message
●● music while people are waiting on hold
●● redirecting calls to call agents in mail-enabled distribution lists and security groups
●● setting different parameters such as queue maximum size, timeout, and call handling options
You must associate a phone number to a call queue using a resource account (a call queue can be dialed
directly or accessed by a selection on an auto attendant). Then all calls in the queue will be sent to agents
by one of the following methods:
●● With attendant routing, the first call in the queue rings all agents at the same time.
●● With serial routing, the first call in the queue rings all call agents one by one.
●● With round robin, routing of incoming calls is balanced so that each call agent gets the same number
of calls from the queue.
●● Only one incoming call notification at a time (for the call at the head of the queue) goes to the call
agents.
●● After a call agent accepts the call, the next incoming call in the queue will start ringing call agents.
Note: Call agents who are offline, or who have set their presence to Do not disturb, or who have opted
out of the call queue will not receive calls.

14 https://docs.microsoft.com/en-us/microsoftteams/manage-resource-accounts

Start with creating call queue


You should consider the following requirements before you start using call queues:
●● A call queue must have an associated resource account.
●● When you assign a phone number to a resource account, you can use the cost-free Phone System
Virtual User license.
●● You can only assign toll and toll-free service phone numbers that you got in the Microsoft Teams
admin center or transferred from another service provider (Communications Credits are required for
toll-free service numbers) to Cloud call queues.

Get or transfer toll or toll-free service phone numbers


Before you create your call queues, you must either get or transfer your existing toll or toll-free service
numbers. Once you get the toll or toll-free service phone numbers, they will show up in Microsoft Teams
admin center > Legacy Portal > Voice > Phone numbers.
When you set up multiple auto attendants, you can only assign a phone number to the main auto
attendant's resource account. This will direct callers to your call queues or nested auto attendants. In
those situations, you create all auto attendants and call queues in your system without assigning dialpad
options, and then edit the settings later. This is necessary because you are not allowed to create an
option linking to a call queue or auto attendant that does not yet exist.

Create a new call queue


Because every call queue must have an associated resource account, you must first create the resource
account, and then you can associate it to the call queue. You should perform the following steps to create
a new call queue:
1. Go to the Microsoft Teams admin center, select Voice, Call queues, then select + Add new:
2. You must then define the call queue display name and resource account:

●● Name: This name is displayed in the notification for the incoming call.
●● Add Accounts: Select a resource account (it may or may not be associated with a toll or toll-free
phone number for the call queue, but each call queue requires an associated resource account). If
no resource accounts are listed, you will have to get service numbers and assign them to a
Resource account before you can create this call queue.
3. Set the greeting and music played while on hold (optional).

4. Select the call answering options.


You can select up to 200 call agents who belong to any of the following mailing lists or groups:
●● Microsoft 365 Group
●● Security group
●● Distribution list
The call agents that you select must be from one of these categories:
●● Online users with a Phone System license and Enterprise Voice enabled
●● Online users with a Calling Plan
●● On-premises Skype for Business Server users
To enable an agent for Enterprise Voice, you will have to use Windows PowerShell.
For example, you could run the following command:
Set-CsUser -identity "Sarah Michael" -EnterpriseVoiceEnabled $true

●● Users with a Phone System license or a Calling Plan are added to either a Microsoft 365 Group, a
mail-enabled Distribution List, or a Security Group. There may be a short waiting period before users
start receiving calls from a call queue, depending on whether the newly added agent belongs to a
distribution list or a security group. Newly created Microsoft 365 Groups are available almost
immediately.
●● If your agents are using Microsoft Teams App to take call queue calls, they must be in TeamsOnly
mode.

Routing method
For your call queue distribution method, you can choose from the following methods:
●● Attendant routing. Enables first call in the queue to ring all call agents at the same time. The first call
agent to pick up the call gets the call.
●● Serial routing. Incoming calls ring call agents one by one, starting from the beginning of the call
agent list (agents cannot be ordered within the call agent list). If an agent dismisses or does not pick
up a call, then the call will ring the next agent on the list, trying all agents one by one until it is picked
up or times out waiting in the queue.
●● Round robin. Balances routing of incoming calls so that each call agent gets the same number of
calls from the queue.

Select an agent opt-out option


You can choose to allow call queue agents to opt-out of taking calls from a particular queue. You can also
revoke the agent opt-out privilege at any time. To access the opt-out option, an agent should perform
the following steps:
1. Open Options in their desktop Skype for Business client.
2. On the Call Forwarding tab, select the Edit settings online link.
3. On the user settings page, select Call Queues, and then clear the check boxes for any queues the
agent wants to opt-out of.
Note: The Agent Alert setting defines the duration of an agent being notified of a call before the Serial
or Round Robin routing methods move to the next agent. The default setting is 30 seconds, but it can be
set for up to 3 minutes.

Set the call overflow and timeout handling options


You can configure the Maximum calls in the queue option to set the maximum number of calls that can
wait in the queue at the same time (the default is 50, but it can range from 0 to 200). When the call queue
reaches its maximum size (the Maximum calls in the queue setting), you can choose what happens to
new incoming calls from the following options:
●● Disconnect. This option will disconnect the call.
●● Redirect to. Select one of the following redirect options:
    ●● Person in your company. This option enables you to select the person to whom the incoming call
    will be redirected, and the call will be forwarded directly to voicemail.
    ●● Voice application. You must select the name of an existing resource account associated with
    either a call queue or an auto attendant.
●● Call Timeout. Enables you to set up how long a call can be placed on hold in the queue before it
times out and needs to be redirected or disconnected (where it is redirected will depend on your
When a call times out setting). You can set a time from 0 to 45 minutes, and the timeout value can
be set in seconds, at 15-second intervals. When the call reaches the limit, you can choose what
happens to this call based on the following options:
    ●● Disconnect. This option will disconnect the call.
    ●● Redirect to. Select one of the following redirect options:
        ●● Person in your company. This option enables you to select the person to whom the incoming
        call will be redirected, and the call will be forwarded directly to voicemail.
        ●● Voice application. You must select the name of an existing resource account associated with
        either a call queue or an auto attendant.

Call queue cmdlets


You can also create and set up call queues with Windows PowerShell. The following cmdlets can be used
to manage a call queue:
●● New-CsCallQueue
●● Set-CsCallQueue
●● Get-CsCallQueue
●● Remove-CsCallQueue
Additional information. For more information see Create a Cloud call queue [15].
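
The following added example (not part of the course material) checks the queue limits described above before calling New-CsCallQueue, confirms that the resource account was created with the call queue ApplicationId listed earlier, and then links the two. The queue name, the resource account UPN, the agent group and the chosen values are hypothetical, and the script assumes a connected Skype for Business Online PowerShell session plus the Azure Active Directory PowerShell module.

```powershell
# Added example: names, UPNs and values are hypothetical.

# ApplicationId for call queue resource accounts, as listed on this page.
$CallQueueAppId = '11cd3e2e-fccb-42ad-ad00-878b93575e07'

function Test-CallQueueLimits {
    # Emits one message per value that falls outside the ranges given in this topic.
    # No output means the values are acceptable. Runs without a tenant connection.
    param(
        [Parameter(Mandatory)][int]$OverflowThreshold,  # Maximum calls in the queue
        [Parameter(Mandatory)][int]$TimeoutThreshold,   # Call Timeout, in seconds
        [Parameter(Mandatory)][int]$AgentAlertTime      # Agent Alert, in seconds
    )
    if ($OverflowThreshold -lt 0 -or $OverflowThreshold -gt 200) {
        "Maximum calls in the queue must be between 0 and 200 (got $OverflowThreshold)."
    }
    if ($TimeoutThreshold -lt 0 -or $TimeoutThreshold -gt (45 * 60)) {
        "Call Timeout must be between 0 and 45 minutes (got $TimeoutThreshold seconds)."
    }
    elseif (($TimeoutThreshold % 15) -ne 0) {
        "Call Timeout must be a multiple of 15 seconds (got $TimeoutThreshold)."
    }
    if ($AgentAlertTime -le 0 -or $AgentAlertTime -gt 180) {
        "Agent Alert can be at most 3 minutes (got $AgentAlertTime seconds)."
    }
}

function New-ValidatedCallQueue {
    # Requires a tenant connection: creates the queue and links the resource account.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceAccountUpn,
        [Parameter(Mandatory)][string]$AgentGroupName,
        [int]$OverflowThreshold = 50,   # default from this topic
        [int]$TimeoutThreshold  = 1200, # 20 minutes, hypothetical choice
        [int]$AgentAlertTime    = 30    # default from this topic
    )

    $limits = @{
        OverflowThreshold = $OverflowThreshold
        TimeoutThreshold  = $TimeoutThreshold
        AgentAlertTime    = $AgentAlertTime
    }
    $problems = @(Test-CallQueueLimits @limits)
    if ($problems.Count -gt 0) { throw ($problems -join ' ') }

    # The resource account must already exist and be of the call queue type.
    $account = Get-CsOnlineApplicationInstance -Identity $ResourceAccountUpn
    if ("$($account.ApplicationId)" -ne $CallQueueAppId) {
        throw "$ResourceAccountUpn was not created with the call queue ApplicationId."
    }

    # Agents come from a group (Microsoft 365 Group, security group or distribution list).
    $group = Get-AzureADGroup -SearchString $AgentGroupName | Select-Object -First 1
    if (-not $group) { throw "Group '$AgentGroupName' not found." }

    $queueParams = @{
        Name                  = $Name
        RoutingMethod         = 'RoundRobin'
        AllowOptOut           = $true
        DistributionLists     = @($group.ObjectId)
        UseDefaultMusicOnHold = $true
        AgentAlertTime        = $AgentAlertTime
        OverflowThreshold     = $OverflowThreshold
        OverflowAction        = 'DisconnectWithBusy'
        TimeoutThreshold      = $TimeoutThreshold
        TimeoutAction         = 'Disconnect'
    }
    $queue = New-CsCallQueue @queueParams

    # Link the resource account to the new queue.
    New-CsOnlineApplicationInstanceAssociation -Identities @($account.ObjectId) `
        -ConfigurationId $queue.Identity -ConfigurationType CallQueue | Out-Null

    $queue
}

# Offline check of a deliberately invalid set of values (constructed input):
Test-CallQueueLimits -OverflowThreshold 250 -TimeoutThreshold 50 -AgentAlertTime 240

# Against a tenant (hypothetical names):
# New-ValidatedCallQueue -Name 'Contoso Support Queue' `
#     -ResourceAccountUpn 'supportqueue@contoso.com' -AgentGroupName 'Contoso Support'
```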

Create and configure an auto attendant


Auto attendants enable both external and internal callers to use a menu system to locate and place (or
transfer) calls to users or departments in your organization. When people call a number that is associated
with an auto attendant, their choices can redirect the call to a user or locate someone else in your
organization and then connect to that user.
Cloud auto attendants can enable someone to leave a message if a person does not answer the call, and
they can provide corporate greetings, custom corporate menus (you can customize these menus to have
more than one level), and messages that specify business and holiday hours. A Cloud auto attendant can
also support transferring calls to an operator, other users, call queues, and auto attendants. It also
provides directory search that enables people who call in to search the organization's directory for a
name, and it supports multiple languages for prompts, text-to-speech, and speech recognition.

Before you get started


As you prepare to use auto attendants, you should consider the following:
●● An auto attendant must have an associated resource account.
●● When assigning a phone number to an auto attendant, you are assigning it to the resource account
that has been associated with that auto attendant; this enables you to have more than one phone
number that can access an auto attendant.
●● Most often, a resource account will use the cost-free Phone System Virtual User license.
●● To get and use toll-free service numbers for your auto attendants, you must set up Communications
Credits.
●● A complete auto attendant system usually involves multiple auto attendants and may only require a
single assigned phone number for the top-level or entry auto attendant.
●● You can apply more than one phone number to an auto attendant by associating more than one
resource account to the auto attendant.

15 https://docs.microsoft.com/en-us/microsoftteams/create-a-phone-system-call-queue

Set up an auto attendant with an existing resource account

You should perform the following steps to create an Auto Attendant and associate it with a resource
account:
1. In the Teams Admin Center on the left-hand navigation pane, navigate to Voice > Auto attendant.
2. Select Add.
3. Provide the following information on the next page:
●● Name
●● Operator – Specifies whether a user can request to talk to a person or voice app, or if there will be
no designated operator. You can refer people to another auto attendant, call queue, or an
enterprise voice-enabled Skype for Business or Teams user.
●● Time Zone – The time zone in which the auto attendant will calculate business hours and holidays.
●● Language
●● Enable voice input – Enables voice navigation in the auto attendant menu.
4. Select Next.
5. On the next panel, you are asked to select if you want to:
●● First play a greeting message – You can play no greeting, play an audio file, or use text to speech
for your greeting.
●● Route the call – You can redirect the call, disconnect the call, or play the menu. If you play the
menu you will be able to configure which options are open to the caller and how he or she can
choose between them. The caller can use dial keys or voice input to navigate the options, and you
can redirect the caller to auto attendants, call queues, or users. You can also allow users to search
your directory.
6. Select Next.
7. On the next panel, provide the following information:
●● Business hours – Specify when the auto attendant will be considered working. If you do not
provide any business hours, the auto attendant will be set to 24/7 by default.
●● First play a greeting message – Specify a greeting for calls that are received outside of business
hours. If you do not change the default, your call will not play an outside of business hours
greeting.
●● Route the call – Select what will happen to the call outside of business hours. If you do not
change the default, your call will disconnect outside of business hours.
8. Select Next.
9. On the next page you can select Add to add specific dates as holidays for your auto attendant.
10. You will be asked to provide the following information:
●● Name – Select the Name for the holiday option.
●● Holiday – This is a list of holidays that were already created for your organization. You can add to
this list by selecting Add in the dropdown menu.

●● Provide a Name and a Date for the holiday.


●● Greeting – Do not play a greeting; instead, play an audio file or use text to speech.
●● Actions – You can decide to disconnect or redirect the call.
11. Select Save to save the holiday. You can add multiple holidays by repeating steps 9 through 11.
12. Select Next.
13. On the next page you can define the scope of users that is searchable by the caller.
●● Include – Select a group of users or all online users. Online users are all the users whose accounts
are online or those that have been added using Azure directory sync. Custom groups can be
security, distribution, and Microsoft 365 Groups.
●● Exclude – You can select none or a user group. This will exclude those users from being
searchable.
14. Select Next.
15. On the next page you will be asked to assign at least one resource account to the auto attendant.
16. Select Add account and search for the account you already created in the right panel.
●● If you have yet to create an account, you can select Add resource account after searching for a
non-existing account name.
17. Select Add to add the existing resource account to the attendant.
18. Select Submit to create your auto attendant.
To modify an auto attendant, you will navigate through the same menu again. If you have not assigned a
phone number to your resource account, you cannot call the attendant.

Assign phone numbers for an auto attendant


You can assign a Microsoft service number, a direct routing number, or a hybrid number to your auto
attendant's linked resource account.
To assign a service number, you must first get or port your existing toll or toll-free service numbers. Once
you get the toll or toll-free service phone numbers, they show up in Skype for Business admin center >
Voice > Phone numbers. Number type is listed as Service - Toll-Free.

Search for users


When searching for users as part of the auto attendant functionality, callers can search by name or by
extension. This functionality is also known as directory search.
Dial by Name. This feature enables the people who call your auto attendant to use voice (speech
recognition) or their phone keypad (DTMF) responses to enter a full or partial name to search your
company's directory, locate the person, and then have the call transferred to them.
Dial by Extension. This feature enables a caller to use voice (speech recognition) or their phone keypad
(DTMF) responses to enter the phone extension of the user they are trying to reach, and then have the
call transferred to them.
The users you wish to have located and reached using Dial by name or extension are not required to have
a phone number or have Calling Plans assigned to them, but they must have a Phone System license if
they are online users, or Enterprise Voice-enabled for Skype for Business Server users.
‎Dial by name or extension will even be able to find and transfer calls to Microsoft Teams users who are
hosted in different countries/regions for multi-national organizations. Given the prerequisites involved,
you explicitly enable Dial by name and Dial by extension in an auto attendant.
Maximum directory size
There is no limit on the number of AD users Dial by Name and Dial by extension can support when a caller
searches for a specific person. The maximum name list size that a single auto attendant can support using
speech recognition is 80,000 users.

With Dial by Name, a caller can enter just one part of the name or full names (FirstName + LastName,
and also LastName + FirstName). There are various formats that can be used when the name is entered.
People can use the ‘0’ (zero) key to indicate a space between the first and last name. When the person
enters the name, he or she will be asked to terminate the keypad entry with the # key; for example, "After
you have entered the name of the person you are trying to reach, please press #." In the event that
multiple names are found, a list of names will be displayed, from which the person who is calling can
select the person he or she is trying to reach.
With Dial by Extension, the caller needs the full extension number.

Dial by Name - Name recognition with speech


People can also search for others in their company using speech recognition. When you enable speech
recognition for an auto attendant, the phone keypad entry is not disabled, which means that it can be
used at any time (even if speech recognition is enabled on the auto attendant).

Set menu Options


You can assign 0-9 dial keys in an auto attendant using the Skype for Business admin center.
Different sets of menu options can be created for business hours and after hours, and you can enable or
disable Dial by Name in the Menu Options. Keys can be mapped to transfer the calls to any of the
following:
●● an operator
●● call queue
●● another auto attendant
●● Microsoft Teams user who has a Phone System license that is Enterprise Voice-enabled or has Calling
Plans assigned to them
In Cloud auto attendants you can create menu prompts (for example, “Press 1 for Marketing, Press 2 for
Finance”) and set up menu options to route calls. Menu prompts can either be created using text-to-
speech or by uploading a recorded audio file. Speech recognition accepts voice commands, but people
can also use the phone keypad to navigate the menu.

Manage call park policies


Call park, which is available in Teams only mode, enables a user to place a call on hold in the Teams
service in the cloud. For example, a user’s phone is running out of battery, so the user decides to park a
call and then retrieve the call from a Teams desk phone.
To park and retrieve calls, a user must be an Enterprise Voice user, and an administrator must grant the
user a call park policy. You must have an administrator role to configure a park policy. The feature is
disabled by default, so as an admin you can enable it for users and create user groups using the call park
policy.

Enable a call park policy


You should perform the following steps to enable a call park policy:
1. Go to Microsoft Teams admin center > Voice > Call park policies.
2. Select New policy.
3. Give the policy a name, and then switch Allow call park to On.

‎4. Select Save.

Assign a call park policy


You should perform the following steps to assign a call park policy to one or more users:
1. Go to Microsoft Teams admin center > Voice > Call park policies.
2. Select the policy by clicking to the left of the policy name.
3. Select Manage users.
4. In the Manage users pane, search for the user by display name or by user name, select the name, and
then select Add. Repeat this step for each user that you want to add.
5. When you are finished adding users, select Save.

Configure call park and retrieve with PowerShell


You can also use the New-CsTeamsCallParkPolicy PowerShell cmdlet to create a call park policy.
Use the Grant-CsTeamsCallParkPolicy PowerShell cmdlet to grant a call park policy.
You can change the default setting by using the Set-CsTeamsCallParkPolicy cmdlet as follows:
Set-CsTeamsCallParkPolicy -Identity Global -AllowCallPark $true

Troubleshooting call parking


Some common troubleshooting scenarios involving call parking include:
●● If users cannot see the park or retrieve button, you must verify whether the user has the Call Park
policy enabled.
●● When a user tries to retrieve a call but it is not successful, then you must:
    ●● Verify that the user is using the Teams client or a Teams-enabled device/phone.
    ●● Check if the call has already been retrieved or terminated.
    ●● Check whether the user is a member of the call park group.
●● If you are working in Island mode, note that call park and retrieve is unavailable in Teams island mode.
Additional information. For more information, see Call park and retrieve [16].

Manage calling policies


Calling policies in Microsoft Teams help you determine which calling and call forwarding features will be
available to your users. These policies determine whether the user can make private calls, use call
forwarding or simultaneous ringing to other users or external phone numbers, route calls to voicemail, send
calls to Call Groups, use delegation for inbound and outbound calls, and many more options.
Note: While a default global policy is created automatically, administrators can create and assign custom
calling policies.

Create a custom calling policy


You should perform the following steps to create a custom calling policy:
1. Sign into the Microsoft Teams admin center and select Voice > Calling policy.
2. Select New policy.
3. On the New calling policy page, you can turn on the features that you want available in your calling
policy (note that all features are turned Off by default). ‎

16 https://docs.microsoft.com/en-us/microsoftteams/call-park-and-retrieve

For example, to control whether users can route inbound calls to voicemail, in the Voicemail is
available for routing inbound calls feature, select Always enabled or User controlled. To prevent routing
to voicemail, select Always disabled.
4. Select Save.

Modify an existing calling policy


You should perform the following steps to modify an existing calling policy:
1. Sign into the Microsoft Teams admin center and select Voice > Calling policy.
2. Select the policy that you want to modify and then select the Edit button.
3. Turn on the features that you want to use in your calling policy (note that all selections are Off by
default).
4. To control whether users can route inbound calls to voicemail, select Always enabled or User
controlled. To prevent routing to voicemail, select Always disabled.
5. Select Save.

Assign a calling policy to a user


You should perform the following steps to assign a custom calling policy to a user:
1. Sign into the Microsoft Teams admin center and select Voice > Calling policy.
2. Select the policy name and then select Manage users.
3. In the Manage users pane, search for the user’s name.


4. Select the user’s name, and then select the Add button.
5. Select Save.

Calling policy settings


You can use the following settings to create a custom calling policy:
●● User can make private calls. This option controls all calling capabilities in Teams, so if you would like
to turn off all calling functionality in Teams, this option should be turned off.
●● Call forwarding and simultaneous ringing to other users option. This option allows incoming calls
to be forwarded to other users or to ring another person at the same time.
●● Call forwarding and simultaneous ringing to external phone numbers. This option allows
incoming calls to be forwarded to an external number (or to ring an external number at the same time).
●● Make voicemail available for routing inbound calls to users. This option allows inbound calls to be
sent to voicemail. There are three options within this setting: always enabled, always disabled, and
user controlled (the user decides if he or she wants this option to be active).
●● Inbound calls routing to call groups. This option allows incoming calls to be forwarded to a call
group.
●● Allow delegation for inbound and outbound calls. This option allows inbound calls to be routed to
delegates, who can then make outbound calls on behalf of the users (for whom they have delegated
permissions).
●● Prevent toll bypass and send calls through the PSTN. This option allows calls to be sent through
the PSTN and incur charges (rather than sending them through the network and bypassing the tolls).
●● Busy on Busy is available while in a call. This option, which is used in Teams calling policies,
determines how incoming calls are handled when the intended user is already in a call. For example, you
can set this option to reject the incoming call with a busy signal. While this option is disabled by
default, it can be enabled at the tenant level or at the user level.
Additional information. For more information see Teams calling policy [17].
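
The settings listed above appear as properties on the objects returned by Get-CsTeamsCallingPolicy. The following added example (not part of the course material) reports every policy setting that differs from a chosen baseline, which is a quick way to review which policies allow forwarding to external numbers or delegation. The baseline values and the two sample policies are constructed for illustration.

```powershell
# Added example: baseline and sample data are hypothetical.

# Setting label in the admin center            -> property on the policy object
#   User can make private calls                -> AllowPrivateCalling
#   Call forwarding ... to other users         -> AllowCallForwardingToUser
#   Call forwarding ... to external numbers    -> AllowCallForwardingToPhone
#   Make voicemail available ...               -> AllowVoicemail
#   Inbound calls routing to call groups       -> AllowCallGroups
#   Allow delegation ...                       -> AllowDelegation
#   Prevent toll bypass ...                    -> PreventTollBypass
#   Busy on Busy ...                           -> BusyOnBusyEnabledType

# Hypothetical baseline: only the settings listed here are compared.
$Baseline = [ordered]@{
    AllowCallForwardingToPhone = $false
    AllowDelegation            = $false
    PreventTollBypass          = $true
    AllowVoicemail             = 'UserOverride'   # "User controlled"
}

function Compare-CallingPolicyToBaseline {
    # Emits one row per setting whose value differs from the baseline.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Policy,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Baseline
    )
    process {
        foreach ($name in $Baseline.Keys) {
            $expected = $Baseline[$name]
            $actual   = $Policy.$name
            # Compare as strings so Boolean and enumeration values are treated alike.
            if ("$actual" -ne "$expected") {
                [pscustomobject]@{
                    Policy   = $Policy.Identity
                    Setting  = $name
                    Expected = $expected
                    Actual   = $actual
                }
            }
        }
    }
}

# Constructed sample objects shaped like Get-CsTeamsCallingPolicy output.
$samplePolicies = @(
    [pscustomobject]@{
        Identity                   = 'Global'
        AllowPrivateCalling        = $true
        AllowCallForwardingToUser  = $true
        AllowCallForwardingToPhone = $true
        AllowVoicemail             = 'UserOverride'
        AllowCallGroups            = $true
        AllowDelegation            = $true
        PreventTollBypass          = $false
        BusyOnBusyEnabledType      = 'Disabled'
    },
    [pscustomobject]@{
        Identity                   = 'Tag:Support Calling Policy'
        AllowPrivateCalling        = $true
        AllowCallForwardingToUser  = $true
        AllowCallForwardingToPhone = $false
        AllowVoicemail             = 'AlwaysEnabled'
        AllowCallGroups            = $true
        AllowDelegation            = $false
        PreventTollBypass          = $true
        BusyOnBusyEnabledType      = 'Enabled'
    }
)

$samplePolicies |
    Compare-CallingPolicyToBaseline -Baseline $Baseline |
    Format-Table -AutoSize

# Against a tenant:
# Get-CsTeamsCallingPolicy | Compare-CallingPolicyToBaseline -Baseline $Baseline
```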

Manage caller ID Policies


Caller ID policies in Microsoft Teams can help you change or block the caller ID. By default, when a
Teams user calls a PSTN phone, their phone number is visible. Conversely, the phone number of
PSTN callers can be seen when they call a Teams user.
Caller ID policies are managed in the Microsoft Teams admin center in the Voice section, under Caller ID
policies. You can choose the global (Org-wide default) policy or create custom policies according to your
company preferences and then assign them to users. If you do not create a policy, the users within the
company will by default get the global policy.

Create a custom caller ID policy


You should perform the following steps to create a custom caller ID policy:
1. Sign into the Microsoft Teams admin center and under the Voice section, select Caller ID.

17 https://docs.microsoft.com/en-us/microsoftteams/teams-calling-policy

2. Select the Add button.


3. On the New caller ID policy window enter a name and description for the policy. ‎


4. Configure your policy settings:
●● Block incoming caller ID
●● Users can override the caller ID policy
●● Replace caller ID - display the user's number; set a service phone number to display as the caller
ID or display the caller ID as Anonymous.
●● Service number to use to replace the caller ID - this option is available when you choose
Service number in Replace caller ID.
5. Select Save.

Edit a caller ID policy


You can edit the global policy, or you can edit any custom policy that you created.
You should perform the following steps to edit a caller ID policy:
1. Sign into the Microsoft Teams admin center.
2. Below Voice, select Caller ID policies.
3. Select the check box to the left of the desired policy and then select Edit.
4. Make the requested changes.
5. Select Save.

Assign a custom caller ID policy to users through PowerShell

A custom caller ID policy can be assigned to users by using the Skype for Business Online PowerShell
module. The following commands provide examples of using PowerShell to update custom caller ID
policies.
You should run the following command to assign the custom policy Support Caller ID Policy to
AlexW@contoso.com:
Grant-CsCallingLineIdentity -Identity "AlexW@contoso.com" -PolicyName "Support Caller ID Policy"

You should run the following commands to assign a custom policy to multiple users of a group by using
the Azure Active Directory PowerShell module and looping through all members of a group:
●● Get the GroupObjectId of the particular group:
$group = Get-AzureADGroup -SearchString "Contoso Support"

●● Get the members of the specified group:
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Where-Object {$_.ObjectType -eq "User"}

●● Assign all users of the group a custom caller ID policy, such as Support Caller ID Policy:
# Azure AD user objects expose UserPrincipalName; they have no EmailAddress property
$members | ForEach-Object { Grant-CsCallingLineIdentity -PolicyName "Support Caller ID Policy" -Identity $_.UserPrincipalName }

Additional information. For more information see Teams PowerShell Overview18.
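The group assignment above, wrapped with the checks an administrator would want before a bulk change. This is an added example, not code from the course: the function name Grant-CallerIdPolicyToGroup is hypothetical, and it assumes existing Azure AD and Skype for Business Online PowerShell sessions.

```powershell
# Added example (not from the course text). Assumes Connect-AzureAD has been run
# and a session exposing Grant-CsCallingLineIdentity is already open.
function Grant-CallerIdPolicyToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $PolicyName
    )

    # -SearchString is a search, not an exact match, and can return several groups.
    # Filter on the exact display name and refuse to continue unless one group matches.
    $escaped = $GroupName.Replace("'", "''")
    $groups  = @(Get-AzureADGroup -Filter "DisplayName eq '$escaped'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
    }

    # Only user objects can receive a caller ID policy; skip devices, groups and contacts.
    $members = Get-AzureADGroupMember -ObjectId $groups[0].ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'User' }

    foreach ($member in $members) {
        $upn    = $member.UserPrincipalName
        $status = 'Skipped'
        $detail = $null

        if ($PSCmdlet.ShouldProcess($upn, "Grant caller ID policy '$PolicyName'")) {
            try {
                Grant-CsCallingLineIdentity -Identity $upn -PolicyName $PolicyName -ErrorAction Stop
                $status = 'Assigned'
            }
            catch {
                # Keep going: one unlicensed or unsynchronised user should not stop the batch
                $status = 'Failed'
                $detail = $_.Exception.Message
            }
        }

        # One result row per user, so the run can be reviewed or exported afterwards
        [pscustomobject]@{ User = $upn; Policy = $PolicyName; Status = $status; Detail = $detail }
    }
}

# Dry run first; repeat without -WhatIf to apply the change
Grant-CallerIdPolicyToGroup -GroupName 'Contoso Support' -PolicyName 'Support Caller ID Policy' -WhatIf
```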

Direct Routing health dashboard


The Direct Routing Health Dashboard can help you monitor the connection between your Session Border
Controller (SBC) and the Direct Routing interface. To see the Health Dashboard, you must sign into the
Microsoft Teams Admin Center. You can then monitor information about your SBC, the telephony service,
as well as the network parameters between your SBC and the Direct Routing interface. The dashboard can
provide information on potential issues, such as the reasons for dropped calls, as well as the status of the
connected SBCs, including detailed information on the SBCs and their overall health.

Overall health
The information regarding the overall health of the connected SBCs includes: Direct Routing summary,
SBC (the FQDN of the paired SBC), and Network Effectiveness Ratio (NER), which compares the number
of calls sent versus the number of calls delivered to a recipient.

18 https://docs.microsoft.com/en-us/microsoftteams/teams-powershell-overview

The Health Dashboard provides the following information related to overall health of the connected
SBCs:
●● Network Effectiveness Ratio. The NER measures the ability of networks to deliver calls to the far-end
terminal (except the manual call rejections). Therefore, when the recipient rejects a call (or sends it to
voicemail) the call will be considered a successful delivery. This means that an answer message, a busy
signal, or a ring with no answer are all considered successful calls.
Because the action you take might depend on the number of calls affected, the Health Dashboard
displays how many calls were analyzed to calculate various parameters. Note that if the number of
calls is less than 100, the NER might be quite low, but still be normal.
●● Average call duration. This parameter can help you to monitor the quality of calls. The average
duration of a 1:1 PSTN call is four to five minutes, but this average can differ in different companies.
Therefore, it is recommended that you establish a baseline for the average call duration for your
organization. If the parameter falls far below the baseline, it indicates that your users are having
issues with call quality or reliability and are hanging up earlier than usual. Low call durations may
be the result of callers hanging up because the service is not performing well.
●● Transport Layer Security (TLS) connectivity status. This parameter shows the status of the TLS
connections between Direct Routing and the SBC. The Health Dashboard also follows the certificate
expiration date and provides information if a certificate is about to expire within 30 days. This should
give administrators enough time to renew the certificate before service is disrupted.
●● SIP options status. By default, the SBC sends options messages every minute, although this
configuration can vary for different SBC vendors. Direct Routing uses the SIP options status parameter to
warn administrators if the SIP options are not sent or are not configured.
●● Detailed SIP options status. This parameter provides detailed descriptions of any errors that
occurred. To see the descriptions, you must select the “Warning” message, where a pop-up window will
display the detailed error description. Possible values for SIP options status messages include:
   ●● Active. The SBC is active.
   ●● Warning, no SIP options. The Session Border Controller exists in the database and it is configured
   to send SIP options, but the Direct Routing service never saw the SIP options coming back from
   this SBC.
   ●● Warning, SIP Messages aren't configured. Trunk monitoring using SIP options is not turned on.
   You will have problems if this trunk can be reached at the network level, but the certificate has
   expired or the SIP stack does not work. To identify such problems at an early stage, it is
   recommended that you enable sending SIP options.
●● Concurrent calls capacity. You can manually specify the limit of concurrent calls that an SBC can
handle at one time by using the New- or Set-CsOnlinePSTNGateway command with the
-MaxConcurrentSessions parameter. The dashboard parameter calculates how many calls were sent or
received by Direct Routing using a specific SBC and compares it with the limit that was manually set.

Detailed information for each SBC


The detailed information for a specific SBC can be also viewed in the Health Dashboard. The detailed view
shows the following information:
●● TLS Connectivity status. Shows the same metric as on the “Overall Health” page.
●● TLS Connectivity last status. Shows the time when the SBC made a TLS connection to the Direct
Routing service.
●● SIP options status. Shows the same metric as on the “Overall Health” page.
●● SIP options last checked. The time when the SIP options were last received.
●● SBC status. Shows the overall status based on all monitored parameters.
●● Concurrent call. Indicates how many concurrent calls the SBC handled.
●● Network parameters. All network parameters are measured from the Direct Routing interface to the
Session Border Controller.
   ●● Jitter. The millisecond measure of delay time between two endpoints using RTCP (The RTP Control
   Protocol).
   ●● Packet Loss. A measure of packets that failed to arrive, which is computed between two endpoints.
   ●● Latency. The length of time it takes for a signal to be sent, plus the length of time it takes for that
   signal to be received.
According to your preferences, you can slide the data by number of days and call direction (inbound/
outbound/All streams).
●● Network Effectiveness ratio. This is the same parameter that appears on the Overall Health
dashboard, but with the option to see the data by time series or call direction.
Additional information. For more information see Monitor and troubleshoot Direct Routing19.

Microsoft Teams add-on licensing


Add-on licenses for voice capabilities and phone system features provide additional Teams features to
users with an active subscription plan. For example, if a user is licensed with Microsoft 365 E3 and wants
to use calling features for voice communication from his Teams client into PSTN, you can purchase a
phone system add-on license and a calling plan license to provide usage rights for the phone systems of
Office 365 (phone system add-on) and credits to perform phone calls (calling plan add-on). Microsoft
Teams add-on licensing is designed to provide maximum flexibility for organizations when licensing users
with already assigned subscription plans for voice communication features.
Depending on which plan you already have, the following add-on licenses are available to provide
Microsoft Teams and voice calling features:
●● Audio Conferencing. Enables users to provide dial-in phone numbers for Teams meetings. It is
available for purchase by country/region, so you will need to check if your country is listed.
●● Toll free numbers. Enables users to add regional, toll free dial-in phone numbers for conferencing. If
you want to use toll-free numbers with Skype for Business and Microsoft Teams for calling, you must
set up Communications Credits or a calling plan license.
●● Phone System option. Enables users to use Teams with traditional on-premises and cloud PBX phone
system solutions that provide calling into PSTN. This license only permits accessing an on-premises
PBX system or the phone system capabilities offered by Office 365. Performing voice calls to PSTN
when using cloud PBX also requires a calling plan.
●● Calling Plans. Enables the users to call any phone numbers outside of your business. There are
Domestic Calling Plans and Domestic and International Calling Plans in Office 365.
●● Microsoft Teams Rooms. Enables you to use capable devices for connecting video, audio, and
content sharing features to conference rooms.

19 https://docs.microsoft.com/en-us/microsoftteams/direct-routing-monitor-and-troubleshoot

To understand which add-on licenses are required for which use-cases, you must be familiar with the
standalone licensing and subscription plans for Office 365, Enterprise Mobility + Security and Windows
10.
For example, to perform voice calling into the PSTN, you must combine different licenses:

| Assigned subscription plan | On-premises PBX (Direct Routing) | Cloud PBX |
|---|---|---|
| Office 365 E5 | No additional requirements | Calling plan or communication credits |
| Office 365 E3 | Phone system license | Phone system license + calling plan or communication credits |
| Office 365 E1 | Phone system license | Phone system license + calling plan or communication credits |

Troubleshoot audio, video, and client issues


Lesson Introduction
It is essential that Teams administrators know how to troubleshoot the Microsoft Teams client because
the Teams client, the network, and any number of configuration issues in Microsoft Teams admin center
can prevent your users from effectively sending and receiving calls and participating in Teams meetings.
Just imagine your Teams meetings are not available during an important board meeting where remote
users are required to participate. The ability to investigate these issues and find the proper solution is a
key task for Teams administrators. On the other hand, understanding the issues and preventing them
from happening in the first place is also necessary to be successful in your Teams administrator role.
In this lesson you will learn about the most common Teams troubleshooting areas, including the Teams
client, call analytics, and using the call quality dashboard to investigate voice issues.
After this lesson, you will be able to:
●● Describe key aspects of Teams troubleshooting
●● Optimize call quality by using Call Analytics
●● Analyze call quality by using Call Quality Dashboard

Troubleshooting overview
Troubleshooting problems within Microsoft Teams may include a wide array of possible areas that you
need to investigate - starting from the Teams client up to the coexistence mode settings configured by
your Teams administrator. This topic examines the most important areas you should be aware of when
troubleshooting Teams.

Troubleshooting connectivity issues with the Microsoft Teams client

Most issues discovered with the Microsoft Teams client can be traced back to firewall or proxy
connectivity. Verifying that the necessary URLs, IP addresses, and ports are opened in your firewall or
proxy will minimize unnecessary troubleshooting.
Additional information. For specific information on URLs and IPs required for Microsoft Teams, please
see the Office 365 URLs and IP Address20 support article.
The following scenarios require specific URLs and ports to be opened in the firewall:
●● Authentication
●● Microsoft Teams Client Connectivity
●● Collaboration
●● Media
●● Shared Services
●● Third Party Integration
●● Skype for Business Interoperability
●● Skype for Business Client Interoperability

20 https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

Clear Microsoft Teams client cache


Clearing the Microsoft Teams client cache is the recommended first step to troubleshooting if you
discover user information mismatches, such as an incorrect display name. The most common issues that
will be solved by clearing the client cache are as follows:
●● When you contact Microsoft support, it is a best practice to clear the cache. Starting with a clean log
file makes it much easier to find a problem in Teams.
●● User information is updated including display name, external vs. guest, and so on.
●● Clearing the cache forces the client to immediately retrieve the latest information from the people
service (normally this information is updated only once every 24 hours, except when the
coexistence mode is updated for users who are upgraded to Teams).
Depending on which client you are using, there are different steps to follow to clear each client.

Clear the Microsoft Teams client cache for Windows


The cache for Teams is split in multiple directories and locations, so only after clearing these locations is it
considered a clean start for the Teams app.
You should perform the following steps to clear the Teams cache for the Teams client:
1. Exit the Microsoft Teams client. To do this, either right-click Teams from the icon tray and select Quit,
or run Task Manager, select the Microsoft Teams process, and then select End Task.
2. Open File Explorer, and type in %appdata%\Microsoft\teams.
3. Once in the directory, you must remove the files in the following folders:
●● Application Cache – %appdata%\Microsoft\Teams\Application Cache - Application files and cached
CDN files (JS, CSS, etc.)
●● Blob_Storage – %appdata%\Microsoft\Teams\Blob_Storage (if present)
●● Cache – %appdata%\Microsoft\Teams\Cache - Web cache for Electron (images, JS files, cookies,
profile photos)
●● Databases – %appdata%\Microsoft\Teams\databases
●● GPUCache – %appdata%\Microsoft\Teams\GPUCache
●● LocalStorage – %appdata%\Microsoft\Teams\LocalStorage
●● Tmp – %appdata%\Microsoft\Teams\tmp
4. Restart the Teams client.
Note: If you prefer to use Windows PowerShell to clean your Microsoft Teams client cache, free
third-party PowerShell scripts are available and can be downloaded from the Internet.
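The Windows steps above expressed as a script. This is an added example, not a Microsoft or course-supplied script: the function name Clear-TeamsClientCache is hypothetical, and it assumes the desktop client's process is named Teams and that the cache lives in the folders listed in step 3.

```powershell
# Added example (not from the course text): clears the contents of the Teams
# cache folders listed in step 3 and reports what was found and removed.
function Clear-TeamsClientCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Per-user Teams folder from step 2
        [string] $TeamsRoot = (Join-Path $env:APPDATA 'Microsoft\Teams'),
        # Assumption: the desktop client runs as Teams.exe
        [string] $ProcessName = 'Teams'
    )

    # Folder names exactly as listed in step 3
    $cacheFolders = 'Application Cache', 'Blob_Storage', 'Cache', 'databases',
                    'GPUCache', 'LocalStorage', 'tmp'

    if (-not (Test-Path -LiteralPath $TeamsRoot)) {
        Write-Warning "Teams folder not found: $TeamsRoot"
        return
    }

    # Step 1: the client must be closed, otherwise cache files stay locked
    $running = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if ($running -and $PSCmdlet.ShouldProcess($ProcessName, 'Stop process')) {
        $running | Stop-Process -Force
        Start-Sleep -Seconds 2   # give the process time to release file handles
    }

    # Step 3: remove the files inside each folder, keeping the folder itself
    foreach ($name in $cacheFolders) {
        $path = Join-Path $TeamsRoot $name

        # Not every installation has every folder (Blob_Storage in particular)
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Folder = $name; Present = $false; Found = 0; Removed = 0 }
            continue
        }

        $items   = @(Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue)
        $removed = 0
        foreach ($item in $items) {
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Remove')) {
                try {
                    Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
                    $removed++
                }
                catch {
                    # A locked file usually means a Teams process is still running
                    Write-Warning "Could not remove $($item.FullName): $($_.Exception.Message)"
                }
            }
        }

        [pscustomobject]@{ Folder = $name; Present = $true; Found = $items.Count; Removed = $removed }
    }
}

# Preview what would be deleted; run again without -WhatIf to clear the cache,
# then restart the Teams client (step 4)
Clear-TeamsClientCache -WhatIf
```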

Clear the Microsoft Teams client cache for iOS


You should perform the following steps to clear the Teams client cache for iOS devices:
1. Close your Teams app (if running).
2. Open the Settings app on the iPhone, iPad, or iPod touch.
3. At the primary Settings app screen, tap and pull down on the settings screen to reveal the “Search”
box at the top of the Settings screen.

4. Type Teams in the search box, and then select Clear app data.

5. On the Teams screen, scroll down and select Clear app data.



6. Restart the Teams app and make sure the Teams logo appears when starting the app; otherwise, you
incorrectly closed the Teams app earlier.

Clear the Microsoft Teams client cache for Android


You should perform the following steps to clear the Teams client cache for Android devices with Android
Pie (version 9):
1. Close your Teams app (if running).
2. Open the device Settings with the cogwheel.
3. Select Apps and Apps again.
4. Search for the Teams app from the app list and select it.
5. Select Storage and below Cache, select CLEAR CACHE.

6. Restart the Teams app.



Use log files in troubleshooting Microsoft Teams


There are three types of log files that are automatically produced by the client that can be leveraged to
assist in troubleshooting Microsoft Teams:
●● Debug or Diagnostic logs
●● Media logs
●● Desktop or bootstrapper logs
When creating a support request with Microsoft Support, the support engineer will require the debug
logs. Having these logs on hand before creating the support request enables Microsoft to quickly begin
troubleshooting the problem. Media or desktop logs are only required if requested by Microsoft.
The following table outlines the various clients and their associated logs. Log files are stored in locations
specific to the client and the operating system.

| Client | Debug | Desktop | Media |
|---|---|---|---|
| Web | X | - | - |
| Windows | X | X | X |
| Mac OSX | X | X | X |
| iOS | - | - | - |
| Android | - | - | - |

Debug logs or Diagnostic logs


Debug logs, which are also known as diagnostic logs, are produced by browser-based clients and the
Windows and Mac desktop clients. The logs are text-based and are read from the bottom up. They can
be read using any text-based editor, and new logs are created when logging into the client. For example,
the free Visual Studio Code (available from https://code.visualstudio.com/download) can be used to
analyze the debug log files.
Debug logs show the following data flows:
●● Login
●● Connection requests to middle tier services
●● Call/conversation
The following is an example of the output from a debug log created using the Teams client for Windows:

The following table identifies the method required to create the debug logs based on the Teams client
OS.

| Teams Client | Keyboard shortcut | Log file folder |
|---|---|---|
| Windows | Ctrl + Alt + Shift + 1 | %userprofile%\Downloads |
| Mac OSX | Option + Command + Shift + 1 | Downloads |
| Browser | Ctrl + Alt + Shift + 1 | You will be prompted to save the debug log to the default save location |

Media logs
Media logs contain diagnostic data about audio, video, and screen sharing. They are required for support
cases only upon request, and they can only be inspected by Microsoft. The following table outlines the
log location.
Windows client
●● %appdata%\Microsoft\Teams\media-stack*.blog
●● %appdata%\Microsoft\Teams\skylib*.blog
●● %appdata%\Microsoft\Teams\media-stack*.etl
Mac OSX client
●● ~/Library/Application Support/Microsoft/Teams/media-stack/*.blog
●● ~/Library/Application Support/Microsoft/Teams/skylib/*.blog

Desktop logs
Desktop logs, which are also known as bootstrapper logs, contain log data that occurs between the
desktop client and the browser. Like media logs, these logs are only required if requested by Microsoft.
The logs are text-based and can be read using any text-based editor in a top down format.

The following table identifies the method required to create the desktop logs based on the Teams client
OS.

| Teams Client | Keyboard shortcut | Log file location |
|---|---|---|
| Windows | Right-click the Microsoft Teams icon in your application tray, select "Get Logs" | %appdata%\Microsoft\Teams\logs.txt |
| Mac OSX | Choosing "Get Logs" from the "Help" pull-down menu | ~/Library/Application Support/Microsoft/Teams/logs.txt |

Teams coexistence troubleshooting with Skype for Business users
Troubleshooting Teams and Skype for Business users is a very complex process that requires you to
understand the concept of coexistence for Microsoft Teams; namely, Teams coexistence modes and
Federation.

Use coexistence modes for troubleshooting


As an organization with Skype for Business starts to adopt Teams, administrators can manage the user
experience using the concept of coexistence mode, which is a property of TeamsUpgradePolicy. Using
Teams coexistence mode, administrators manage interoperability and migration as they manage the
transition from Skype for Business to Teams. A user's coexistence mode determines in which client
incoming chats and calls will land, in what service (Teams or Skype for Business) new meetings are
scheduled, and what functionality will be available in the Teams client.
Teams coexistence modes can be configured:
●● Globally in Teams Org-wide settings
●● In Teams users (this overrides the global setting, so always check here first)
To troubleshoot the coexistence mode behavior, you must understand the different
modes and what they mean for each user as described in the following.
1. Islands (default)
A user runs both Skype for Business and Teams side-by-side. This user:
●● Can initiate chats and VoIP calls in either Skype for Business or Teams
client. Note: Users with Skype for Business homed on-premises cannot
initiate from Teams to reach another Skype for Business user, regardless of
the recipient's mode.
●● Receives chats & VoIP calls initiated in Skype for Business by another user
in their Skype for Business client.
●● Receives chats & VoIP calls initiated in Teams by another user in their
Teams client if they are in the same tenant.
●● Receives chats & VoIP calls initiated in Teams by another user in their
Skype for Business client if they are in a federated tenant.
●● Has PSTN functionality as noted below:
●● When the user is homed in Skype for Business on-premises and has Enterprise Voice, PSTN
calls are always initiated and received in Skype
for Business.

●● When the user is homed on Skype for Business Online and has Microsoft Phone System, the
user always initiates and receives PSTN calls in Skype for Business. This happens regardless of
whether the user has a Microsoft Calling Plan, or connects to the PSTN network via either
Skype for Business Cloud Connector Edition or an on-premises deployment of Skype for
Business Server (hybrid voice).
Note: Microsoft Teams Phone System with Calling Plans or Direct Routing is not supported in
Islands Mode. For Calling Plans, a user can be using SfBOnly or TeamsOnly mode. For Direct
Routing, users must be TeamsOnly.
●● Receives Microsoft Call Queues and Auto-Attendant calls in Skype for
Business.
●● Can schedule meetings in Teams or Skype for Business (and will see both
plug-ins by default).
●● Can join any Skype for Business or Teams meeting; the meeting will open in
the respective client.
2. SfBOnly
A user runs only Skype for Business. This user:
●● Can initiate chats and calls only from Skype for Business.
●● Receives any chat/call in their Skype for Business client, regardless of
where initiated, unless the initiator is a Teams user with Skype for
Business homed on-premises.
●● Can schedule only Skype for Business meetings but can join Skype for
Business or Teams meetings.
3. SfBWithTeamsCollab
A user runs both Skype for Business and Teams side-by-side. This user:
●● Has the functionality of a user in SfBOnly mode.
●● Has Teams enabled only for group collaboration (Channels); chat/calling/meeting scheduling are
disabled.
4. SfBWithTeamsCollabAndMeetings
A user runs both Skype for Business and Teams side-by-side. This user:
●● Has the chat and calling functionality of user in SfBOnly mode.
●● Has Teams enabled for group collaboration (channels - includes channel
conversations); chat and calling are disabled.
●● Can schedule only Teams meetings, but can join Skype for Business or Teams
meetings.
5. TeamsOnly (requires SfB Online home)
●● Can only schedule meetings in Teams, but can join Skype for Business or
Teams meetings.
●● Can continue to use Skype for Business IP phones.
Using TeamsOnly mode in combination with other users in Islands mode is not
recommended until Teams adoption is saturated; in other words, all Islands
mode users actively use and monitor both the Teams and Skype for Business
clients. If a TeamsOnly user initiates a call or chat to an Islands user,
that call or chat will land in the Islands user’s Teams client. If the
Islands user does not use or monitor Teams, that user will appear offline
and will not be reachable by the TeamsOnly user.

The Teams client user experience when using coexistence modes

When a user is in any of the Skype for Business modes (SfBOnly, SfBWithTeamsCollab,
SfBWithTeamsCollabAndMeetings), all incoming chats and calls are routed to the user’s Skype for Business
client. To avoid end-user confusion and ensure proper routing, calling and chat functionality in the Teams
client is automatically disabled when a user is in any of the Skype for Business modes. Similarly, meeting
scheduling in Teams is automatically disabled when users are in the SfBOnly or SfBWithTeamsCollab modes,
and automatically enabled when a user is in the SfBWithTeamsCollabAndMeetings mode.
Additional information. For more information, see Teams client experience and conformance to
coexistence modes21.
Investigating External or Federation communication
Federation from Teams to another user using Skype for Business requires the Teams user be homed
online in Skype for Business or Teams.
External or Federated Chat Threads
To investigate federation communication, you must be aware of which coexistence mode all chat
participants are in. You can identify this by looking at the logo of the chat thread:
●● External. If participants are TeamsOnly, chats will be native Teams federation chats and will route
within Teams chat infrastructure service:


●● Federated. If one of the chat participants is not TeamsOnly, the chat will be a non-native, SfB Interop
chat, with normal SfB interop limitations, and the chat will route through the Skype for Business
infrastructure. The External chat will display a Skype logo:


External Message Routing
When planning external message routing, you should be aware of the following routing rules:
●● Chats/Calls will route to Skype for Business if the recipient is an Islands or SfB mode user
●● Chats/Calls will route to Teams if the recipient is a TeamsOnly mode user
●● Presence of the recipient will be the presence of the recipient in the client in which messages will
route

21 https://docs.microsoft.com/en-us/MicrosoftTeams/teams-client-experience-and-conformance-to-coexistence-modes

Chat Thread Switching
When the user coexistence mode of a participant in a chat thread causes a change in the type of thread,
the current chat thread will be locked, and users will be prompted to switch the conversation to the new
chat thread type with a link to the new thread:
●● Chat Thread Switch from Interop -> Native


●● Chat Thread Switch from Native -> Interop


Additional information. For more information, see Native chat experience for external (federated)
users in Microsoft Teams22.

Optimize call quality by using Call Analytics


Call analytics can help you troubleshoot call and connection problems with Microsoft Teams. Call
Analytics shows detailed information about the devices, networks, and connectivity for the calls and meetings of
each user in your Office 365 account. If building, site, and tenant information has been added to Call
Analytics, it will also be shown for each call and session. Information available through Call Analytics can
help you figure out why a user had a poor call or meeting experience.

Call Analytics permissions


Teams administrators and Teams communication administrators have full access to all the features of Call
Analytics and the Teams admin center, and they can assign the following Azure Active Directory roles to
Teams support staff:
●● Teams communication support specialist role. This role should be assigned to users who should
have a limited view of Call Analytics. Communication support specialists handle basic call-quality
problems. They don't investigate issues with meetings; instead, they collect related information and
then escalate to a communication support engineer. The communication support specialist role is
equivalent to tier 1 support.
●● Teams communication support engineer role. This role should be assigned to users who need
access to the full functionality of Call Analytics. Communication support engineers see information in
detailed call logs that is hidden from communication support specialists. Users in this role can help
troubleshoot problems with both calls and meetings. The communication support engineer role is
equivalent to tier 2 support.
Additional information. For a detailed comparison of the Teams communication support specialist and
Teams communication support engineer roles, see Set up Call Analytics23.

22 https://docs.microsoft.com/en-us/microsoftteams/native-chat-for-external-users
23 https://docs.microsoft.com/en-us/microsoftteams/set-up-call-analytics

Troubleshoot call quality problems using Call Analytics


You should perform the following steps to troubleshoot call quality problems:
1. Sign in to the Teams admin center.
2. On the Dashboard, in User Search, start typing either the name or SIP address of the user whose calls
you want to troubleshoot, or select View users to see a list of users.
3. Select a user from the list.
4. Select Call history, and then select the call or meeting that you want to troubleshoot.


5. Select the Advanced tab, and then look for yellow and red items that indicate poor call quality or
connection problems.


In the session details for each call or meeting, minor issues appear in yellow, which means the value is
outside of the normal range and may be contributing to the problem, but it is unlikely to be the main cause
of the problem. If something is red, it is a significant problem, and it is likely the main cause of the poor
call quality for this session.
In only rare cases is quality of experience data not received for audio sessions. Often this is caused by the
call dropping and connection with the client terminating. When this occurs, the session rating is
unavailable.
For audio sessions that do have quality of experience (QoE) data, the following table describes major
issues that qualify a session as poor.

| Issue | Area | Description |
|---|---|---|
| Call setup | Session | The error code Ms-diag 20-29 indicates the call setup failed. The user could not join the call or meeting. |
| Audio network classified poor call | Session | Network quality issues (such as packet loss, jitter, NMOS degradation, RTT, or concealed ratio) were encountered. |
| Device not functioning | Device | A device is not functioning correctly. Device not functioning ratios are: DeviceRenderNotFunctioningEventRatio >= 0.005; DeviceCaptureNotFunctioningEventRatio >= 0.005 |

Analyze call quality by using Call Quality Dashboard
Where Call Analytics is designed to help admins and helpdesk agents troubleshoot call quality problems
with specific calls, the Call Quality Dashboard (CQD) is designed to help Teams admins and network
engineers optimize a network. CQD shifts focus from specific users and instead looks at aggregate
information for an entire Teams organization.
Maybe one user’s poor call quality is due to a network issue that is also affecting many other users. The
user’s individual call experience is not visible in CQD, but the overall quality of calls made using Teams is
captured. With the CQD, overall patterns may become apparent, allowing network engineers to make
informed assessments of call quality. CQD provides reports of call quality metrics that give you insights
into overall call quality, server-client and client-client streams, and voice quality service level agreements.

Call Quality Dashboard permissions


Make sure you have the right CQD access role to access the reports.

| Role | View reports | View EUII fields | Create reports | Upload building data |
|---|---|---|---|---|
| Global Administrator | Yes | Yes | Yes | Yes |
| Teams Service Administrator | Yes | Yes | Yes | Yes |
| Teams Communications Administrator | Yes | Yes | Yes | Yes |
| Teams Communications Support Engineer | Yes | Yes | Yes | No |
| Teams Communications Support Specialist | Yes | No | Yes | No |
| Skype for Business Administrator | Yes | Yes | Yes | Yes |
| Azure AD Global Reader | Yes | Yes | Yes | No |
| Microsoft 365 Reports Reader¹ | Yes | No | Yes | No |
Additional information. To learn more about CQD and how to enable it for Teams, see Turning on and
using Call Quality Dashboard for Microsoft Teams [24].

What's the Call Quality Dashboard, and when should I use it?
Call Analytics and CQD run in parallel and can be used independently or together. For example, consider
the scenario where a Tier 1 agent determines he needs more help troubleshooting a call problem. The
Tier 1 agent passes the call to a Tier 2 agent, who has access to more information in Call Analytics than
the Tier 1 agent. In turn, the Tier 2 agent can alert a network engineer to an issue. The network engineer
may check CQD to see if an overall site-related issue could be a contributing cause of the call problems.
Many of the dimensions and measures in the Call Quality Dashboard are labeled as first or second. The
following logic determines which endpoint involved in the stream or call is labeled as first:
●● First will always be a Server endpoint (AV MCU, Mediation Server, and so on) if a Server is involved in
the stream/call.
●● Second will always be a Client endpoint unless the stream is between two Server endpoints.
●● If both endpoints are the same type, which one is first and which is second is determined by the internal ordering of the user agent category. This ensures the ordering is consistent.
For example, each row in the following table represents a pair of User Agents involved in a stream.

24 https://aka.ms/Mkoxy7

| User Agent Category of Caller | User Agent Category of Callee | First Endpoint | Second Endpoint | First Is Caller |
|---|---|---|---|---|
| AV-MCU | Microsoft Teams Windows | AV-MCU | Microsoft Teams Windows | TRUE |
| AV-MCU | Microsoft Teams Mac | Microsoft Teams Mac | AV-MCU | FALSE |
| Microsoft Teams Mac | Microsoft Teams iOS | Microsoft Teams iOS | Microsoft Teams Mac | FALSE |
Note: The First and Second classification is separate from which endpoint is the caller or the person
being called. The First Is Caller dimension can be used to help identify which endpoint was the caller or
the person being called.
Additional information. For a list of the dimensions and measures currently available in CQD, see
Dimensions and measures available in Call Quality Dashboard [25].

Using Location-Enhanced Reports in CQD


The Location-Enhanced Reports in the CQD aggregate call quality and reliability by the users' building or by custom endpoint views. For example, you can include different building locations such as Seattle or Frankfurt, or endpoint-specific views such as wired or Wi-Fi connected devices. The data can be assessed to determine if the problem is isolated to a single user or affects a larger segment of users.

25 https://aka.ms/Ab3khp

To use Location-Enhanced reports in the CQD, you must first upload the location information. This is done on the Tenant Data Upload page, which you open by selecting Tenant Data Upload from the settings menu in the top-right corner. Admins use this page to upload their own information, such as:
●● A map of IP address and geographical information
●● A map of each wireless AP and its MAC address
●● A map of Endpoint to Endpoint Make/Model/Type, etc.
Additional information. For more details about how to upload and use building or endpoint-specific
information in the CQD, see CQD: Upload Tenant Data information [26].
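
The kind of aggregation that uploaded location data makes possible, shown as an added example that is not part of the course material or of CQD itself. The subnet-to-building rows and the stream records are constructed, and their layout is a simplified assumption, not the CQD upload file format.

```python
import ipaddress
from collections import defaultdict

# Constructed subnet -> building map (simplified stand-in for uploaded tenant data).
BUILDINGS = [("10.10.0.0/24", "Seattle"), ("10.20.0.0/23", "Frankfurt")]

# Constructed stream records: (user, client IP, connection type, rated poor?)
STREAMS = [
    ("alice", "10.10.0.15", "wired", False),
    ("alice", "10.10.0.15", "wired", False),
    ("bob", "10.10.0.77", "wifi", True),
    ("bob", "10.10.0.77", "wifi", True),
    ("carol", "10.20.0.9", "wifi", True),
    ("dave", "10.20.1.40", "wifi", True),
    ("erin", "10.20.1.41", "wired", False),
    ("frank", "192.168.1.5", "wifi", False),  # home network, not in the map
]

def building_for(ip, buildings=BUILDINGS):
    """Return the building whose subnet contains ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(net), name) for net, name in buildings]
    matches = [(net, name) for net, name in nets if addr in net]
    if not matches:
        return "Unmapped"
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def by_building(rec):
    return building_for(rec[1])

def by_connection(rec):
    return rec[2]

def poor_by(key, streams=STREAMS):
    """Group streams by key(rec): totals, poor count, poor %, affected users."""
    stats = defaultdict(lambda: {"total": 0, "poor": 0, "users": set()})
    for rec in streams:
        s = stats[key(rec)]
        s["total"] += 1
        if rec[3]:
            s["poor"] += 1
            s["users"].add(rec[0])
    return {k: {"total": s["total"], "poor": s["poor"],
                "poor_pct": round(100 * s["poor"] / s["total"], 1),
                "affected_users": sorted(s["users"])}
            for k, s in stats.items()}

if __name__ == "__main__":
    for view in (by_building, by_connection):
        for name, row in sorted(poor_by(view).items()):
            print(view.__name__, name, row)
```

In this sample, the building view shows poor streams in both Seattle and Frankfurt, while the connection view shows that every poor stream was on Wi-Fi and none on wired, which points away from a single-user problem.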

Analyze call quality by using CQD Power BI Connector
The Microsoft Call Quality Power BI Connector enables you to build your own custom reports. You can use
customizable Power BI templates predefined by Microsoft as a starting point for a new report's layout,
data model, and queries.

Install Microsoft Call Quality Power BI Connector


1. Check to see if your computer already has a [Documents]\Power BI Desktop\Custom Connectors folder.
If not, create this folder.
2. Download the connector file (either a *.mez or *.pqx file) and place it in the Custom Connectors
directory.
3. If the connector file is a *.mez file, you will also need to adjust your security settings as described in
the custom connector setup documentation [27].
If a new version of this Power BI Connector for Microsoft Teams is released, simply replace the old
connector file in the Custom Connectors directory with the new file.

Set up Microsoft Call Quality Power BI Connector


In order to build a report and run queries, you will first need to connect to the CQD data source. Follow
the steps below in order to connect:
1. In the Home tab of Power BI Desktop, click on Get Data.

2. The Get Data window should appear at this point. Navigate to Online Services, then select Microsoft
Call Quality (Beta) and select Connect.

26 https://docs.microsoft.com/en-us/microsoftteams/turning-on-and-using-call-quality-dashboard
27 https://docs.microsoft.com/power-bi/desktop-connector-extensibility#data-extension-security

3. You will be prompted to log in next. Use the same credentials that you use for CQD.
4. The next prompt will give you the option between two Data Connectivity modes. Select DirectQuery
and select OK.
5. Finally, a prompt shows you the entire data model for CQD. No data will be
visible at this point, only the data model for CQD. Select Load to complete the setup process.
6. At this point, Power BI will load the data model onto the right side of the window. The page will
remain otherwise blank, and no queries will be loaded by default. Proceed to Build queries below
in order to build a query and return data.

Build queries
Once setup is complete, you should see the names of several hundred dimensions and measures load in
the Fields pane. You can build a custom report from scratch or leverage the following predefined CQD
Power BI templates as a starting point.

| Template | Description |
|---|---|
| CQD Helpdesk Report.pbit | Integrating building and EUII data, this report is designed to let you drill up from a single user to find the upstream root cause of poor call quality for that user (for example, the user is in a building that's experiencing network problems). |
| CQD Location Enhanced Report.pbit | Re-imagining CQD SPD location reports. Includes 9 reports, providing Call Quality, Building WiFi, Reliability, and Rate My Call (RMC) information with additional drill-thrus by Building or by User. Make sure you upload the building data to maximize your reporting experience. |
| CQD Mobile Device Report.pbit | Provides insights specifically tuned towards mobile device users, including Call Quality, Reliability, and Rate My Call. View mobile network, WiFi network, and mobile operating system reports (Android, iOS). |
| CQD PSTN Direct Routing Report.pbit | Provides insights specific for PSTN calls that go through Direct Routing. |
| CQD Summary Report.pbit | Better visualizations, improved presentation, increased information density, and rolling dates. These reports make it easier to identify outliers. Drill into call quality by location with an easy-to-use interactive map. 9 new reports: Quality Overall, Reliability Overall, RMC (Rate My Call) Overall, Conference Quality, P2P Quality, Conference Reliability, P2P Reliability, Conference RMC, P2P RMC. |
| CQD Teams Utilization Report.pbit | Shows how users in your organization are using Teams and how much. Make sure you upload the building data to maximize your reporting experience. |
| CQD User Feedback (Rate My Call) Report.pbit | Shows Rate My Call data in a way that you can easily use to help support calling for your organization. Cross reference with verbatims to identify end user education opportunities. |
Additional information. For more information about building queries manually, see Install Power BI
Connector to use CQD query templates [28].

28 https://docs.microsoft.com/en-us/MicrosoftTeams/cqd-power-bi-connector#building-queries
