Why Teams Governance Is a Business-Critical Priority
Microsoft Teams is now the core of enterprise communication. As of 2025, it has over 320 million monthly active users. Teams supports:
- Messaging
- Video conferencing
- File collaboration
Additionally, it acts as the integration layer for business applications. This includes Power Platform, third-party apps, and custom development.
Teams enables users to create new teams quickly. Any user with a Microsoft 365 license can set up a new team in seconds. This process automatically generates several resources:
- A Microsoft 365 Group
- A SharePoint site
- A shared mailbox
- A Planner board
- A OneNote notebook
Over time, this can lead to significant issues. Consider the following:
- Thousands of employees creating teams.
- Abandoned and duplicate teams.
- Poorly organized team structures.
These factors contribute to what governance professionals call "team sprawl." This situation makes it hard to find information and poses serious compliance risks.
Organizations that delay governance until sprawl has already occurred face a much harder remediation path. Cleaning up 5,000 ungoverned teams is exponentially more difficult than preventing the problem from day one. This guide provides the enterprise governance framework that EPC Group deploys for Fortune 500 clients managing Teams environments with 10,000 to 100,000+ users.
Pillar 1: Naming Conventions and Classification
Azure AD Group Naming Policies
Naming conventions are essential for making Teams easily discoverable. Without clear names, users may create teams with titles like:
- "Marketing Project"
- "New Marketing Project"
- "Marketing Project v2"
These names refer to different efforts, making it hard to tell them apart quickly.
Microsoft Entra ID (formerly Azure AD) provides group naming policies that enforce consistent naming at creation time. These policies support two mechanisms:
- Prefix-suffix naming — Automatically prepend or append standardized strings. Example: [Department]-[GroupName]-[Location] produces names like "FIN-Q1BudgetReview-NYC"
- Blocked words — Prevent the use of specific terms in team names, including profanity, reserved project codes, or terms that conflict with organizational naming standards
You can set up naming policies in the Microsoft Entra admin center. Go to Groups > Naming policy to configure them. These policies apply at the Microsoft 365 Group level. This means they also control the names of the related SharePoint site, mailbox, and Planner board.
Recommended Naming Convention Structure
For enterprise environments, we recommend a three-part naming structure:
| Component | Format | Example |
|---|---|---|
| Department Prefix | 3-letter code | FIN, ENG, MKT, HRD |
| Team Purpose | Descriptive name | Q1-Budget-Review, Product-Launch-2026 |
| Classification Suffix | Sensitivity level | -PUB, -INT, -CONF, -RESTRICT |
This produces team names like FIN-Q1-Budget-Review-CONF or ENG-Mobile-App-Redesign-INT, which immediately communicate department ownership, purpose, and classification level to any user browsing the Teams directory.
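As an added illustration (not code from this page or from EPC Group), the checker below validates a name against the three-part structure and composes a compliant name from the fields a provisioning form would capture; the department codes and classification suffixes are taken from the table above, and the blocked-words list is an assumption standing in for an Entra naming-policy list.

```python
import re
from typing import List

# Allowed department codes and classification suffixes from the table above;
# the blocked words are a constructed stand-in for an Entra blocked-words list.
DEPARTMENT_CODES = {"FIN", "ENG", "MKT", "HRD"}
CLASSIFICATIONS = {"PUB", "INT", "CONF", "RESTRICT"}
BLOCKED_WORDS = {"test", "temp", "secret"}

# DEPT-Purpose-Words-CLASS: a 3-letter prefix, a hyphenated purpose, a suffix.
NAME_PATTERN = re.compile(
    r"^(?P<dept>[A-Z]{3})-"
    r"(?P<purpose>[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*)-"
    r"(?P<cls>[A-Z]+)$"
)


def validate_team_name(name: str) -> List[str]:
    """Return the list of violations; an empty list means the name is compliant."""
    match = NAME_PATTERN.match(name)
    if not match:
        return [f"'{name}' does not follow DEPT-Purpose-CLASS"]
    problems = []
    if match["dept"] not in DEPARTMENT_CODES:
        problems.append(f"unknown department prefix '{match['dept']}'")
    if match["cls"] not in CLASSIFICATIONS:
        problems.append(f"unknown classification suffix '{match['cls']}'")
    for word in match["purpose"].split("-"):
        if word.lower() in BLOCKED_WORDS:
            problems.append(f"blocked word '{word}' in team purpose")
    return problems


def build_team_name(department: str, purpose: str, classification: str) -> str:
    """Compose a compliant name from provisioning-form fields, the way a
    prefix-suffix policy would, and refuse anything that fails validation."""
    # "Q1 Budget Review" -> "Q1-Budget-Review"
    slug = re.sub(r"[^A-Za-z0-9]+", "-", purpose).strip("-")
    name = f"{department.upper()}-{slug}-{classification.upper()}"
    problems = validate_team_name(name)
    if problems:
        raise ValueError("; ".join(problems))
    return name


if __name__ == "__main__":
    for candidate in ("FIN-Q1-Budget-Review-CONF", "Marketing Project", "ENG-Temp-Fix-INT"):
        print(candidate, "->", validate_team_name(candidate) or "compliant")
```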
Sensitivity Labels for Classification
Sensitivity labels in Microsoft Purview complement naming conventions with enforceable access controls. A label applied to a team can:
- Control whether external guests can be added.
- Determine if files can be shared outside the organization.
- Ensure content is encrypted at rest and in transit.
The recommended label taxonomy for enterprise Teams governance includes:
- Public — Open to all employees, guests allowed with standard controls, no encryption required
- Internal — Employee-only access, no guest access, standard retention policies
- Confidential — Restricted membership, guest access requires approval workflow, DLP policies enforced, enhanced retention
- Highly Confidential — Executive-approved membership only, no guest access, encryption enforced, 10-year retention, audit logging mandatory
Pillar 2: Lifecycle Management
The Team Lifecycle Problem
Teams are formed for various purposes, including projects, initiatives, events, and ad-hoc collaboration. While many of these teams have limited lifespans, they can continue to exist without proper lifecycle management. This can lead to:
- Excessive storage consumption
- Cluttered search results
- Exposure of outdated data to users who should no longer have access
A typical organization with 10,000 users creates between 50 and 200 new teams each month. Over two years without governance, this leads to:
- 1,200 to 4,800 total teams
- 30% to 50% of these teams are usually inactive
This inactivity leads to:
- 500 to 2,400 abandoned teams
- Resource consumption
- Increased risk
Microsoft 365 Group Expiration Policies
Group expiration policies are configured in the Microsoft Entra admin center under Groups > Expiration. Key configuration decisions include:
- Expiration period — 180 days for project teams, 365 days for department teams, no expiration for compliance-critical teams
- Notification cadence — Owners receive renewal emails at 30, 15, and 1 day before expiration
- Scope — Apply expiration to all groups or specific groups (recommended: apply to all, then exempt critical teams)
- Soft delete recovery — Expired groups enter a 30-day soft-delete window where they can be restored by an admin
Activity-Based Lifecycle Decisions
Expiration alone is not enough. Some teams experience long periods of low activity, such as seasonal teams and annual event planning teams. To supplement expiration, add activity-based monitoring:
- Utilize Microsoft 365 usage reports.
- Employ Graph API queries.
- Identify teams with:
  - Zero message activity
  - Zero file activity
  - No membership changes over 90+ days
Use Power Automate to create an automated workflow. This workflow will:
- Query the Microsoft Graph API for team activity reports.
- Flag inactive teams.
- Notify owners with a request to archive or renew.
- Escalate to IT governance if no response is received within 14 days.
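The workflow above expressed as plain decision logic, in an added Python example that is not from this page or from EPC Group: it reads an activity snapshot per team and returns the step to take, using the 90-day inactivity and 14-day escalation thresholds stated above. The TeamActivity fields are assumptions, not the Microsoft Graph activity-report schema, and the sample teams are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

INACTIVE_DAYS = 90      # no message, file or membership activity for this long
ESCALATE_AFTER = 14     # days an owner has to respond before IT governance is looped in


@dataclass
class TeamActivity:
    """Activity snapshot for one team. Field names are assumptions for this
    example, not the Microsoft Graph activity-report schema."""
    name: str
    last_message: Optional[date]
    last_file_activity: Optional[date]
    last_membership_change: Optional[date]
    notified_owner_on: Optional[date] = None   # set once the owners have been emailed
    owner_response: Optional[str] = None       # "archive", "renew" or None
    exempt: bool = False                       # compliance-critical teams are never flagged


def days_inactive(team: TeamActivity, today: date) -> int:
    """Days since the most recent message, file or membership event."""
    events = [d for d in (team.last_message, team.last_file_activity,
                          team.last_membership_change) if d is not None]
    if not events:
        return INACTIVE_DAYS + 1   # no recorded activity at all counts as inactive
    return (today - max(events)).days


def decide_action(team: TeamActivity, today: date) -> str:
    """Return the workflow step for this team: leave alone, notify, wait, or escalate."""
    if team.exempt:
        return "skip"
    if days_inactive(team, today) < INACTIVE_DAYS:
        return "active"
    if team.notified_owner_on is None:
        return "notify-owner"                  # first time flagged: email the owners
    if team.owner_response == "renew":
        return "renewed"
    if team.owner_response == "archive":
        return "archive"
    if (today - team.notified_owner_on).days >= ESCALATE_AFTER:
        return "escalate-to-governance"        # owners silent for 14+ days
    return "awaiting-owner"


def run_workflow(teams: List[TeamActivity], today: date) -> Dict[str, str]:
    return {t.name: decide_action(t, today) for t in teams}


# Constructed sample snapshot as of 1 June 2025.
TODAY = date(2025, 6, 1)
SAMPLE_TEAMS = [
    TeamActivity("FIN-Q1-Budget-Review-CONF", date(2025, 5, 28), date(2025, 5, 20), date(2025, 3, 1)),
    TeamActivity("MKT-Old-Campaign-INT", date(2025, 1, 10), date(2024, 12, 5), None),
    TeamActivity("ENG-Legacy-Migration-INT", date(2025, 1, 2), None, date(2024, 11, 1),
                 notified_owner_on=date(2025, 5, 10)),
    TeamActivity("HRD-Annual-Review-CONF", date(2025, 2, 1), None, None,
                 notified_owner_on=date(2025, 5, 25)),
    TeamActivity("FIN-SOX-Records-RESTRICT", None, None, None, exempt=True),
]

if __name__ == "__main__":
    for name, action in run_workflow(SAMPLE_TEAMS, TODAY).items():
        print(f"{name:32} {action}")
```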
Archival Best Practices
Always choose to archive instead of delete. Archiving a team makes it read-only, preserving all conversations, files, and metadata for compliance and historical reference. This action also removes the team from active use. If needed, archived teams can be reactivated.
For long-term archival beyond the retention period, export critical content to a dedicated archive SharePoint site or Azure Blob Storage with appropriate retention locks.
Pillar 3: Guest Access Controls
The Guest Access Risk Surface
Guest access in Microsoft Teams offers both advantages and challenges. It enables collaboration with partners, vendors, and clients. However, it also raises the risk of data leaks in various Teams environments.
A single misconfigured team with guest access can:
- Expose internal files
- Share conversations
- Reveal business data to external parties
Enterprise guest access governance requires controls at four levels: tenant-wide settings, per-team sensitivity labels, conditional access policies, and periodic access reviews.
Tenant-Wide Guest Settings
In the Teams admin center under Org-wide settings > Guest access, configure the baseline permissions for all guests across your tenant:
- Allow guest access — Enable at the tenant level, then control per-team via sensitivity labels
- Allow guest calling — Disable for most organizations unless there is a specific business requirement
- Allow guest meeting scheduling — Disable by default; guests should join meetings scheduled by internal users
- Allow guests to edit and delete messages — Enable editing (reasonable), disable deletion (prevents evidence tampering in regulated environments)
Conditional Access for Guests
Conditional access policies in Microsoft Entra ID provide the enforcement layer for guest access security. Essential policies include:
- Require MFA for all guest access — Non-negotiable for enterprise environments
- Block legacy authentication — Prevents guests from using older protocols that bypass MFA
- Require compliant devices — For guests accessing confidential or highly confidential teams, require device compliance via Intune or a third-party MDM
- Session controls — Enforce sign-in frequency of 1 hour for guests accessing sensitive data, preventing persistent sessions on shared devices
- Block consumer email domains — For regulated industries, block guest invitations from gmail.com, yahoo.com, outlook.com, and other consumer providers
Access Reviews
Microsoft Entra access reviews automate the regular review of guest access. You can set up quarterly access reviews for all teams that allow guest access.
Team owners will receive a notification to confirm or deny continued access for each guest. If an owner does not respond within the review period, access is automatically revoked. This secure default prevents stale guest access from lasting indefinitely.
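An added example (not from this page or from EPC Group) of the guest controls described above: refusing invitations from consumer mail domains, applying the access-review default that no owner response means revocation, and flagging an excessive guest-to-member ratio, which the monitoring section later recommends tracking. The 0.5 ratio threshold, the domain list and the sample teams are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Consumer mail providers to refuse guest invitations from (constructed list).
CONSUMER_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Assumed threshold: flag a team once guests exceed half the internal headcount.
MAX_GUEST_RATIO = 0.5


def guest_invite_allowed(email: str) -> bool:
    """Block invitations whose domain is a consumer provider (case-insensitive)."""
    local, _, domain = email.rpartition("@")
    return bool(local) and bool(domain) and domain.lower() not in CONSUMER_DOMAINS


@dataclass
class GuestReview:
    email: str
    owner_decision: Optional[str] = None   # "approve", "deny", or None if no response


@dataclass
class TeamMembership:
    name: str
    internal_members: int
    guests: List[GuestReview] = field(default_factory=list)


def review_outcome(review: GuestReview, review_end: date, today: date) -> str:
    """Secure default: an owner who never responds by the end of the review
    window causes the guest's access to be revoked, not silently kept."""
    if review.owner_decision == "approve":
        return "keep"
    if review.owner_decision == "deny":
        return "revoke"
    return "revoke" if today > review_end else "pending"


def guest_ratio(team: TeamMembership) -> float:
    """Guests per internal member; a team with no internal members and any
    guests is treated as unbounded."""
    if team.internal_members == 0:
        return float("inf") if team.guests else 0.0
    return len(team.guests) / team.internal_members


def assess_team(team: TeamMembership, review_end: date, today: date) -> Dict[str, object]:
    """Combine the access-review results with the guest-to-member ratio check."""
    outcomes = {g.email: review_outcome(g, review_end, today) for g in team.guests}
    return {
        "team": team.name,
        "revoke": sorted(e for e, o in outcomes.items() if o == "revoke"),
        "pending": sorted(e for e, o in outcomes.items() if o == "pending"),
        "excessive_guests": guest_ratio(team) > MAX_GUEST_RATIO,
    }


# Constructed sample data: a quarterly review that closed on 30 April 2025.
REVIEW_END = date(2025, 4, 30)
SAMPLE_TEAMS = [
    TeamMembership("ENG-Vendor-Integration-INT", 8, [
        GuestReview("alice@partner.example", "approve"),
        GuestReview("bob@partner.example"),             # owner never replied
        GuestReview("carol@contractor.example", "deny"),
    ]),
    TeamMembership("MKT-Agency-Collab-PUB", 4,
                   [GuestReview(f"g{i}@agency.example", "approve") for i in range(5)]),
]

if __name__ == "__main__":
    for team in SAMPLE_TEAMS:
        print(assess_team(team, REVIEW_END, date(2025, 5, 5)))
```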
Pillar 4: Compliance and Data Protection
Retention Policies
Retention policies in Microsoft Purview manage the duration for which Teams data is kept and the timing of its deletion. You can set up retention policies for:
- Teams channel messages
- Teams chat messages
- Teams channel files (stored in SharePoint)
Recommended retention periods by industry:
| Industry | Chat Messages | Channel Messages | Files |
|---|---|---|---|
| Healthcare (HIPAA) | 7 years | 7 years | 7 years |
| Financial Services (SEC/FINRA) | 7 years | 7 years | 7 years |
| Government (FedRAMP) | 10 years | 10 years | 10 years |
| General Enterprise | 1-3 years | 3 years | 5 years |
Data Loss Prevention (DLP)
DLP policies in Microsoft Purview scan Teams messages and files for sensitive information types. Essential DLP rules for enterprise Teams governance include:
- Financial data — Credit card numbers, bank account numbers, financial statements
- Personal data — Social Security numbers, driver's license numbers, passport numbers
- Healthcare data — Protected Health Information (PHI), medical record numbers, insurance IDs
- Intellectual property — Custom sensitive information types matching patent numbers, project codes, or proprietary terminology
- Credentials — Passwords, API keys, connection strings shared in chat messages
Configure DLP policies to achieve three key goals:
- Educational: Show a policy tip to the user.
- Preventive: Block the message from being sent.
- Detective: Alert the compliance team.
This combination offers a strong defense without being too restrictive for legitimate collaboration.
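An added example (not from this page or from EPC Group) of how the three DLP goals combine: a small rule set for the sensitive information types listed above, where low-severity matches only show a policy tip, high-severity matches block the message, and every match raises an alert for the compliance team. The patterns, severities and sample chat messages are assumptions constructed for the illustration, not Purview's built-in sensitive information types.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SensitiveType:
    name: str
    pattern: re.Pattern
    action: str   # "tip" shows a policy tip only; "block" stops the message as well


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


# Constructed rule set; Purview ships its own sensitive information types.
RULES: List[SensitiveType] = [
    SensitiveType("credit-card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block"),
    SensitiveType("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "block"),
    SensitiveType("connection-string", re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s]+"), "block"),
    SensitiveType("api-key", re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"), "tip"),
    SensitiveType("medical-record-number", re.compile(r"(?i)\bMRN[:#\s]*\d{6,10}\b"), "tip"),
]


def scan_message(text: str) -> List[str]:
    """Return the names of the sensitive information types found in one chat message."""
    found = []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            if rule.name == "credit-card":
                digits = re.sub(r"\D", "", m.group())
                if not (13 <= len(digits) <= 16 and luhn_ok(digits)):
                    continue   # a ticket or order number, not a card
            found.append(rule.name)
            break   # one hit per type is enough for the decision
    return found


def evaluate(text: str) -> Dict[str, object]:
    """Map matches to the three goals: educate (tip), prevent (block), detect (alert)."""
    matches = scan_message(text)
    action_of = {r.name: r.action for r in RULES}
    if any(action_of[m] == "block" for m in matches):
        decision = "block"
    elif matches:
        decision = "tip"
    else:
        decision = "allow"
    return {"decision": decision, "alert": bool(matches), "matches": matches}


# Constructed sample chat messages.
SAMPLE_MESSAGES = [
    "Card on file is 4111 1111 1111 1111, exp 12/27",
    "Ticket 1234 5678 9012 3456 needs triage",
    "Server=db01;Database=HR;User Id=svc;Password=Hunter2!;",
    "Patient MRN: 00123456 needs a follow-up",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(evaluate(msg), "<-", msg)
```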
Communication Compliance
Communication compliance policies help identify inappropriate content, regulatory violations, and insider risk signs in Teams messages.
- Monitor for insider trading language in financial services.
- Detect harassment or discrimination across all industries.
- Identify potential data exfiltration patterns when users discuss moving company data to personal accounts.
Pillar 5: Provisioning and Team Creation Workflows
The Provisioning Dilemma
The default Teams experience lets any licensed user create a team. Microsoft made this choice to promote faster adoption. However, unrestricted team creation can lead to sprawl, which poses challenges for enterprise governance.
To manage team creation effectively, organizations must:
- Control team creation without causing excessive friction.
- Avoid making the process so difficult that users bypass it.
Restricting Team Creation
You can restrict Microsoft 365 Group creation to members of a specific security group. This can be done using Azure AD (Entra ID) PowerShell.
This limitation helps control who can create teams directly in the Teams client.
- Create a security group called Teams Creators.
- Add IT admins, department leads, and designated team owners to this group.
For everyone else, we offer a self-service provisioning form created in Power Apps. This form captures essential metadata, including:
- Purpose
- Classification
- Expected lifetime
- Owner
- Guest requirements
The form then routes through an approval workflow in Power Automate. Finally, it provisions the team with the correct naming convention, sensitivity label, and configuration automatically.
Power Platform Governance Integration
Teams governance extends to the Power Platform because Teams is a primary surface for Power Apps, Power Automate flows, and Power BI dashboards. Governance considerations include:
- Environment strategy — Separate development, test, and production environments for Power Platform components embedded in Teams
- DLP policies for connectors — Control which data connectors Power Automate flows can use within Teams, preventing unauthorized data movement
- App management — Control which Power Apps and third-party apps can be installed in Teams channels through app permission policies
- Dataverse for Teams — Monitor and manage Dataverse for Teams databases that are automatically created when users build Power Apps within a team
Team Templates
Team templates help standardize the structure of new teams based on their purpose. You can create templates for common use cases, including:
- Project teams: Channels for Planning, Execution, Reporting, and Retrospective.
- Department teams: Channels for Announcements, General, Resources, and Social.
- Client-facing teams: Restricted guest channels and information barriers.
Templates can include pre-configured channels, tabs (Planner, OneNote, SharePoint document libraries), and apps. They enforce consistency while reducing the setup burden for team owners.
Teams Admin Roles and Responsibilities
Effective Teams governance requires clear role definitions. The Microsoft 365 admin center provides several Teams-specific admin roles:
| Role | Scope | Typical Assignment |
|---|---|---|
| Teams Administrator | Full Teams management including policies, configuration, and user management | IT Operations Lead |
| Teams Communications Administrator | Calling and meeting policies, phone number management | Telecom/UC Team |
| Teams Device Administrator | Teams Rooms, phones, panels, and displays | Facilities/AV Team |
| Compliance Administrator | DLP, retention, eDiscovery, communication compliance | Legal/Compliance Team |
Follow the principle of least privilege. No single administrator should have all roles. It is essential to separate operational administration from compliance administration. This separation helps meet the requirements of frameworks such as:
- SOC 2
- ISO 27001
Monitoring, Reporting, and Continuous Improvement
Usage Analytics
The Microsoft Teams admin center provides usage reports. These reports include:
- Active users
- Device usage
- Channel activity
- App usage
You can export these reports monthly to track trends over time and identify governance gaps. Key governance metrics to track include:
- Number of new teams created each month
- Percentage of teams with no activity in 90+ days
- Guest-to-member ratios across teams
- DLP policy matches per month
Microsoft Graph API for Custom Reporting
For deeper insights, use the Microsoft Graph API to create custom governance dashboards. You can query team membership, activity, and configuration data programmatically.
Additionally, build Power BI dashboards to:
- Visualize governance health metrics
- Identify teams that violate naming conventions
- Spot teams lacking required sensitivity labels
- Find teams with excessive guest membership
Governance Review Cadence
Governance is an ongoing process, not a one-time setup. Establish a quarterly review cycle to assess:
- Policy effectiveness metrics
- Exception requests and patterns
- New feature releases from Microsoft (Teams updates ship monthly)
- User feedback and adoption challenges
- Compliance audit findings
Adjust policies based on data, not assumptions. For example, if your provisioning workflow takes an average of 3 days to approve a team request, users may seek workarounds.
The goal is to create governance that enhances productivity instead of limiting it.
Teams Governance for Regulated Industries
Healthcare (HIPAA)
Healthcare organizations must take several steps to protect PHI sharing. They should:
- Enable message encryption for clinical communications.
- Configure a 7-year retention policy for all Teams messages and files.
- Implement DLP policies to detect PHI patterns, such as medical record numbers, insurance IDs, and diagnosis codes.
- Maintain HIPAA-compliant audit trails with BAA-covered data residency controls.
- Use sensitivity labels to automatically encrypt teams used for clinical collaboration.
- Block guest access to any team containing patient data.
Financial Services (SEC/FINRA)
Financial services must meet several key requirements for compliance. They need to:
- Archive all Teams communications for SEC/FINRA recordkeeping with a 7-year retention period.
- Implement information barriers between divisions, creating Chinese walls between investment banking and trading.
- Configure communication compliance for insider trading detection by monitoring specific terms and patterns.
- Ensure all Teams data is captured in compliance archives that are accessible for regulatory examination.
Additionally, deploy information barrier policies to prevent members of restricted segments from communicating with each other in Teams.
Government (FedRAMP)
Government agencies must ensure that Teams operates within their GCC or GCC High tenant, not the commercial cloud. They should enforce NIST 800-171 access controls and restrict Teams to CONUS data residency.
Additionally, agencies need to:
- Configure 10-year retention for all communications.
- Implement CUI (Controlled Unclassified Information) handling procedures.
- Use sensitivity labels and DLP policies.
GCC High tenants offer extra isolation from the commercial cloud. This isolation is essential for handling ITAR and EAR controlled data.
How EPC Group Implements Teams Governance
With 29 years of Microsoft consulting experience, EPC Group has designed and deployed Teams governance frameworks for organizations ranging from 1,000 to 100,000+ users across healthcare, financial services, and government. Our approach includes:
- Governance assessment — Audit your current Teams environment to quantify sprawl, identify compliance gaps, and benchmark against industry best practices
- Policy design — Develop naming conventions, lifecycle policies, guest access controls, and compliance configurations tailored to your regulatory requirements
- Automated provisioning — Build Power Platform-based provisioning workflows that enforce governance while maintaining user satisfaction
- Compliance integration — Configure DLP, retention, sensitivity labels, and communication compliance aligned with HIPAA, SOC 2, FedRAMP, or your specific framework
- Adoption and training — Train team owners and administrators on governance policies and their responsibilities within the framework
- Ongoing managed services — Optional quarterly governance reviews and continuous policy optimization as Microsoft releases new capabilities
Frequently Asked Questions
What is Microsoft Teams governance and why does it matter?
Microsoft Teams governance is the set of policies, processes, and controls that determine how Teams is created, used, and retired within an organization. It matters because without governance, enterprises typically experience team sprawl (thousands of abandoned teams), data leakage through uncontrolled guest access, compliance violations from missing retention policies, and confusion from inconsistent naming. Organizations with 1,000+ users that implement governance frameworks report 60% fewer abandoned teams and 40% faster information discovery.
How do you enforce naming conventions in Microsoft Teams?
Naming conventions in Microsoft Teams are enforced through Azure AD group naming policies (now Microsoft Entra ID). You configure prefix and suffix rules in the Microsoft Entra admin center under Groups > Naming policy. Common patterns include department prefix (FIN-, HR-, ENG-), project codes, and automatic suffixes like location or classification level. Blocked words lists prevent inappropriate names. These policies apply at the Microsoft 365 Group level, so they also govern the underlying SharePoint site and mailbox naming.
What is the recommended Teams lifecycle management approach?
The recommended approach uses Microsoft 365 group expiration policies combined with activity-based reviews. Set expiration periods of 180 or 365 days for non-critical teams. When a team approaches expiration, owners receive renewal notifications at 30, 15, and 1 day before expiration. Combine this with quarterly access reviews for teams containing sensitive data. For teams linked to projects, integrate lifecycle with your project management system so teams are archived when projects close. Always archive rather than delete to preserve compliance records.
How should enterprises manage guest access in Microsoft Teams?
Enterprise guest access management requires a layered approach: first, enable guest access only for teams that have a documented business need using sensitivity labels. Second, implement conditional access policies requiring guest MFA and compliant devices. Third, set guest access reviews on 30 to 90-day cycles using Microsoft Entra access reviews. Fourth, use information barrier policies to prevent guests from accessing internal-only channels. Fifth, configure external sharing settings in SharePoint admin center to control file sharing scope. Block consumer email domains (gmail.com, yahoo.com) for regulated industries.
What compliance features should be enabled for Teams governance?
At minimum, enterprises should enable: retention policies (7-year retention for regulated industries, 1-3 years for general), Data Loss Prevention (DLP) policies that scan Teams messages and files for sensitive data types (SSN, credit cards, PHI), sensitivity labels that control external sharing and encryption per team, communication compliance policies for detecting inappropriate content or insider risk, and eDiscovery holds for legal requirements. For HIPAA-regulated organizations, add audit logging with 10-year retention and BAA-covered data residency controls.
Need a Teams Governance Framework?
EPC Group designs and deploys enterprise Teams governance frameworks for organizations in healthcare, finance, and government. Start with a governance assessment to identify gaps and build a roadmap.
Errin O'Connor
CEO & Chief AI Architect at EPC Group | 29 years Microsoft consulting | Microsoft Press author
