Overview
This document provides guidance on configuring the University of Pittsburgh’s Microsoft Teams service so that sensitive data can be stored and used securely. It is the responsibility of the Team owner to make the configuration changes outlined in this document and to manage access to the Team and its site on an ongoing basis.
Using Microsoft Teams to store and access sensitive data by the appropriate people can be achieved by updating the settings of an existing Team or by creating a new Team for the data with the proper settings.
Access to the data should be limited to those individuals who require it. This means the Team must be private, so that only members added by the Team’s owners can access it. If some individuals within the Team need to collaborate but do not need access to some or all of the data, private channels within the Team can segregate that data and restrict who can see it. Files posted in a private channel are stored in a separate SharePoint site with its own permissions, distinct from the Team’s main site.
It should not be possible for Team members to manage apps within Teams or add or remove tabs or connectors. These member settings can be found within the Settings section of the Manage Team option.
There are additional settings that must be made within the underlying SharePoint site associated with the Team. Please refer to the SharePoint Security Guide for details on file-level permissions.
Detail
The above concepts are explained in the following steps:
- Create a Team
- Manage Members of the Team
- Manage Team Member Permissions
- Manage File Permissions in SharePoint
1. Create a Team
To store sensitive data in Microsoft Teams, a Team can be created with the necessary settings. To create a Team with these settings:
- Open the Microsoft Teams desktop, mobile, or web application. If the application is already running or does not open to the “me space” that shows all the Teams the user is a member of, click on the Teams icon in the far-left column.
- This opens the “me space” in Microsoft Teams and displays all the Teams where the user is an owner or member. A new Team can be created from this page by clicking the [Join or create team] button towards the upper right corner.
- The Join or create team page will be displayed. Click the [Create team] button to create a new team (the [Join team] option is for joining an existing team by code or link).
- Select the appropriate team type. In most cases, the Other or Staff team type should be chosen.
The Other team type creates the most basic teams with only a general channel for discussion and file organization. Additional channels and apps can be added later.
The Staff team type creates a team with a Staff Notebook attached to it. The notebook must be configured the first time it is opened and includes these default sections:
- Collaboration Space – Staff notes are stored here for everyone on the team to see. Each channel in the team will have a section in this space.
- Content Library – Read-only material can be published here by a team owner for all other team members to see.
- Leader-Only – A private space for team members designated as leaders to share information that should not be available to staff members.
- Private Notebooks – Each team member has a notebook that cannot be seen by other staff members but can be viewed and edited by that member and by staff leaders.
- Regardless of the team type selected, the next screen is used to name the Team, add a description, and set the privacy option for the Team.
In the Team name field, enter a descriptive name for the Team. Team names should be unique to avoid confusion, so consider including the school, department, or unit name as part of the Team name.
In the Description field, enter a sentence or two describing the purpose of this Team.
Set the Privacy of the Team to: Private – Only team owners can add members.
A Team member can leave the Team at any time, but a Team owner would then need to add them again before they can regain access.
An existing Team can be used as a template for the new Team by selecting “Create a team using an existing team as a template.” When this option is selected, a screen lists all the Teams of which the current user is an owner or member so that one can be chosen as the template. The structure and the membership of that Team are copied to the new Team, so review the copied membership and remove anyone who does not need access to the new Team’s data.
Members of an Office 365 group can be added to the new Team all at once by selecting “Create a team using a group set up by you or …”. Only the Office 365 groups that the current user owns will be displayed.
If neither of these options is needed, click [Next] to create the Team.
2. Manage Members of the Team
After the Team has been created, its membership must be managed by the Team owner(s). Add only those users or groups that require access to the Team and the information stored within it.
To add members to a Team:
- Open the Microsoft Teams desktop, mobile, or web application. If the application is already running or does not open to the “me space” that shows all the Teams the user is a member of, click on the Teams icon in the far-left column.
- This opens the “me space” in Microsoft Teams and displays all the Teams where the user is an owner or member. Find the Team that is to be managed and click on the “more options icon” ( … ) in the upper right corner of the desired Team’s tile.
- To only add members to the Team, select “Add member.” The Add members screen for the Team will be shown. Individual users or Office 365 groups can be searched for and added from this screen.
- Type the person’s name, email address, or Office 365 group name into the search field. A list of matching users and Office 365 groups will be displayed.
- Select the user or group from the list when it appears; the name is added to the field. Several people can be added at one time: after the first selection, begin typing the next name, email address, or group name and select it from the list as it appears. Once all of the users or groups to be added have been selected, click [Add].
Note: An individual can be either a University account holder or an external email address for a guest. Before adding a non-University member to the Team, verify the individual’s identity and confirm their need to access the Team and its information. Guest users may have some functionality limitations.
- As members are added to the Team, they appear in the list below the search box. From this list, a member can be made an owner of the Team by changing their role from Member to Owner, or removed from the list by clicking the X to the right of their name. The membership of the Team is not updated until [Close] is clicked.
Note: A guest’s role cannot be changed; guests cannot be promoted to Member or Owner, and the guest role has limited access to the Team.
To manage the members of a Team:
- Open the Microsoft Teams desktop, mobile, or web application. If the application is already running or does not open to the “me space” that shows all the Teams the user is a member of, click on the Teams icon in the far-left column.
- This opens the “me space” in Microsoft Teams and displays all the Teams where the user is an owner or member. Find the Team that is to be managed and click on the “more options icon” ( … ) in the upper right corner of the desired Team’s tile.
- To manage Team members, select Manage team. From this screen, Team membership and channels can be managed, and analytics and tags for the Team can be viewed. The Members tab lists all members of the Team, split into two lists: “Owners” and “Members and Guests.” For more information on the differences between Owners and Members, see: https://docs.microsoft.com/en-us/microsoftteams/assign-roles-permissions
- Clicking the [Add member] will open the add member screen as seen above, and users can be added to the Team.
- In the Owners section, an account can be switched from Owner to Member. To remove an Owner from the Team, the account must first be demoted to the Member role. A Team must always have at least one Owner, so the last remaining Owner cannot be demoted.
- The role of a Member account can be changed to Owner in the role dropdown list or removed from the Team by clicking on the X.
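The membership checks described in this step can also be run from PowerShell. The script below is an added example and is not part of the original guide or of Microsoft’s tooling. It uses the MicrosoftTeams module cmdlets Get-Team, Get-TeamUser, and Remove-TeamUser, and assumes the module is installed, Connect-MicrosoftTeams has already succeeded, and the caller is an owner of the Team or a Teams administrator. The UPNs in $ApprovedUpns are a constructed allow-list for illustration; replace them with the real roster.

```powershell
# Added example (not from the original guide): audit one Team's membership and
# report what an owner should review. Nothing is removed unless -RemoveUnapproved
# is passed.
param(
    [Parameter(Mandatory)] [string] $TeamName,
    # Constructed allow-list for the example; University UPNs of approved owners/members.
    [string[]] $ApprovedUpns = @('owner1@pitt.edu', 'owner2@pitt.edu', 'analyst@pitt.edu'),
    [switch] $RemoveUnapproved
)

# Resolve the Team by display name. Names are not guaranteed unique, so refuse
# to guess when more than one matches rather than auditing the wrong Team.
$found = @(Get-Team -DisplayName $TeamName)
if ($found.Count -eq 0) { throw "No Team named '$TeamName' was found." }
if ($found.Count -gt 1) { throw "More than one Team is named '$TeamName'; use Get-Team -GroupId instead." }
$team = $found[0]

$findings = New-Object System.Collections.Generic.List[string]

# Step 1 of the guide: the Team must be Private so only owners can add members.
if ($team.Visibility -ne 'Private') {
    $findings.Add("Visibility is '$($team.Visibility)'; the guide requires Private.")
}

$owners  = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
$members = @(Get-TeamUser -GroupId $team.GroupId -Role Member)
$guests  = @(Get-TeamUser -GroupId $team.GroupId -Role Guest)

# A Team with a single owner is stranded if that person leaves the University.
# Keeping two owners is a recommendation made here, not a requirement of the guide.
if ($owners.Count -lt 2) {
    $findings.Add("Only $($owners.Count) owner(s); consider adding a second owner.")
}

# Guests are external identities. The guide requires their identity and need to
# know to be confirmed before they are added, so every guest is listed for review.
# (Guests show up with a tenant guest UPN, not their external address, so they
# are not compared against the allow-list.)
foreach ($g in $guests) {
    $findings.Add("Guest present: $($g.User) - confirm identity and need to know.")
}

# Owners and members not on the allow-list are reported and, only on request, removed.
foreach ($u in ($owners + $members)) {
    if ($ApprovedUpns -notcontains $u.User) {
        $findings.Add("Unapproved account: $($u.User) (role $($u.Role))")
        if ($RemoveUnapproved) {
            # As the guide notes, an Owner must be demoted to Member before removal;
            # Remove-TeamUser -Role Owner strips the owner role and keeps the membership.
            if ($u.Role -eq 'owner') {
                Remove-TeamUser -GroupId $team.GroupId -User $u.User -Role Owner
            }
            Remove-TeamUser -GroupId $team.GroupId -User $u.User
        }
    }
}

"Team '$($team.DisplayName)' ($($team.GroupId)): $($owners.Count) owner(s), $($members.Count) member(s), $($guests.Count) guest(s)"
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it as `.\Audit-TeamMembership.ps1 -TeamName 'Unit Sensitive Data'` to report only; add `-RemoveUnapproved` after the report has been reviewed. Removing the last Owner is rejected by the service, so an allow-list that omits every owner fails safely rather than orphaning the Team.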
3. Manage Team Member Permissions
Team members should not be able to add or remove apps, tabs, or connectors within the Team. They can be allowed to create and edit channels and to delete their own messages, although in some cases those permissions should also be restricted. To update the member settings on the Team:
- Open the Microsoft Teams desktop, mobile, or web application. If the application is already running or does not open to the “me space” that shows all the Teams the user is a member of, click on the Teams icon in the far-left column.
- This opens the “me space” in Microsoft Teams and displays all the Teams the user is an owner or member of. Find the Team that is to be managed and click on the “more options icon” ( … ) in the upper right corner of the desired Team’s tile.
- Select Manage team. Initially, this opens the Members tab. Select the Settings tab to access the settings for the Team.
- Expand the Member permissions group by clicking on the triangle on its left.
- Disable the following permissions by unchecking the box to the right of each option:
- Allow members to create private channels
- Allow users to delete and restore channels
- Allow members to add and remove apps
- Allow members to upload custom apps
- Allow members to create, update, and remove connectors
- Allow members to create, update, and remove tabs
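The privacy setting from step 1 and the member permissions from step 3 can be applied and verified from PowerShell, which is useful when an owner manages several Teams or wants to detect settings that have drifted since they were set. The script below is an added example, not part of the original guide or of Microsoft’s tooling. It uses the MicrosoftTeams module cmdlets Get-Team, New-Team, and Set-Team, whose parameter names map onto the checkboxes above, and assumes the module is installed and Connect-MicrosoftTeams has been run by a Team owner or Teams administrator. The display name and description are placeholders.

```powershell
# Added example (not from the original guide): make a Team Private and turn off
# the member permissions listed in step 3, then re-read the Team to confirm.
param(
    [Parameter(Mandatory)] [string] $DisplayName,
    [string] $Description = 'Example description: departmental sensitive-data workspace',
    [switch] $CreateIfMissing
)

# Settings the guide requires, keyed by the Set-Team parameter name.
# "Allow members to upload custom apps" has no Set-Team parameter; it is governed
# by app setup policies in the Teams admin center and must be handled there.
$required = [ordered]@{
    Visibility                        = 'Private'  # step 1: only owners add members
    AllowCreatePrivateChannels        = $false     # Allow members to create private channels
    AllowDeleteChannels               = $false     # Allow users to delete and restore channels
    AllowAddRemoveApps                = $false     # Allow members to add and remove apps
    AllowCreateUpdateRemoveConnectors = $false     # Allow members to create, update, and remove connectors
    AllowCreateUpdateRemoveTabs       = $false     # tabs, as required by the Overview
}

$found = @(Get-Team -DisplayName $DisplayName)
if ($found.Count -gt 1) { throw "More than one Team is named '$DisplayName'; use Get-Team -GroupId instead." }
if ($found.Count -eq 0) {
    if (-not $CreateIfMissing) { throw "Team '$DisplayName' not found; pass -CreateIfMissing to create it." }
    # Step 1: create the Team as Private from the start rather than fixing it afterwards.
    $team = New-Team -DisplayName $DisplayName -Description $Description -Visibility Private
} else {
    $team = $found[0]
}

# Apply every required setting in a single Set-Team call via hashtable splatting.
$settings = @{}
foreach ($k in $required.Keys) { $settings[$k] = $required[$k] }
Set-Team -GroupId $team.GroupId @settings

# Verify by re-reading the Team instead of trusting the write. A freshly created
# Team can take a short time to become consistent, so rerun if drift is reported
# immediately after creation.
$after = Get-Team -GroupId $team.GroupId
$drift = foreach ($k in $required.Keys) {
    if ($after.$k -ne $required[$k]) {
        '{0}: expected {1}, found {2}' -f $k, $required[$k], $after.$k
    }
}
if ($drift) { $drift | ForEach-Object { "DRIFT: $_" } }
else        { "All required settings verified on '$($after.DisplayName)' ($($after.GroupId))." }
```

Running the script against an existing Team (`.\Set-SensitiveTeamSettings.ps1 -DisplayName 'Unit Sensitive Data'`) is idempotent, so it can be scheduled as a periodic check: any line prefixed `DRIFT:` means a setting no longer matches what the guide requires and should be investigated.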
4. Manage File Permissions in SharePoint
Team and SharePoint Relationship for File-Level Permissions
Whenever a Team is created, a SharePoint site with the same name is also generated, because SharePoint is the file storage behind Teams. For this reason, access to an individual file or folder must be managed by setting permissions in SharePoint. Security has created a separate guide for secure storage in SharePoint that covers file permissions, available at https://www.technology.pitt.edu/security/sharepoint-security-guide.