Microsoft Teams is the darling of the Microsoft 365 suite, with pretty much every app in the ecosystem pushing for their share of user real estate.
And with more than 270 million active users – it’s not hard to understand why.
However, this continued push for everything to be in Microsoft Teams creates somewhat of a challenge for the ongoing administration of the platform.
For starters, how do we define what is administration of Microsoft Teams? The product sits on top of the Microsoft 365 platform, leveraging key workloads such as Exchange, Azure Active Directory, and SharePoint, yet is also a platform unto itself.
Some time ago I sat in a room with a bunch of fellow MVPs and Microsoft staff to design the MS-700 “Managing Microsoft Teams” exam. We had a number of debates about what a Microsoft Teams administrator should know, and what their job should consist of.
When the exam blueprint was sent out to review, a number of complaints were made about the lack of voice-related questions included. Other complaints stated that there were too many security and compliance questions, and others said that the exam simply covered too many elements of the platform.
When I say some time ago, I mean mid-2019, when Microsoft Teams was barely 2 years old. Since then, the platform has grown considerably both in features as well as complexity.
However, the question still remains – what is a Microsoft Teams administrator, and what should they know in order to do their job effectively?
The answer, as in many similar cases, is “it depends”.
Consider this scenario: Contoso has deployed Microsoft Teams to its workforce. Staff report that when they work remotely, they are unable to access the Files tab from any Team. However, they also report that this issue does not occur when working in the office or connected via VPN.
The answer in this case, is that Contoso has a conditional access policy applied to accessing SharePoint, and a different policy for accessing Microsoft Teams.
So, who is responsible for addressing that? Is it the security team who defined the conditional access policy? Is it the intranet team who are responsible for managing access to SharePoint? Regardless of who, is this something that can be addressed with the flick of a switch, or should there be a security review to determine risk and impact?
And is the Microsoft Teams administrator expected to be able to remediate this themselves? And what are the support staff supposed to say to those who are affected? “Sorry, we need to perform a security review – it’ll be about two weeks until our next CAB meeting, so perhaps you can ask your peers to email you the necessary files as attachments.”
While you may read this and think that this problem shouldn’t have happened if things were done properly – that’s exactly the point. Define “properly”. Define who should have been involved in the meetings.
The reality is that administering the Microsoft Teams platform comes with a lot of strings attached – something that must be taken seriously, with due consideration given to countless scenarios. Let’s take a look at but a small sampling of the challenges.
Within Microsoft 365 there are many different licensing options and scenarios. Even within the various licenses, you can choose what features of Microsoft 365 are enabled and which aren’t.
The following table provides an example of some of the products included in Office 365 E3, and what feature of Microsoft Teams is affected when they are not allocated to the user:
It’s not uncommon for administrators to not give users full access to the Microsoft 365 product suite as they are not ready to support them, are trying to stage the release of functionality, or in some cases – don’t fully understand them and therefore don’t appreciate the value they offer users.
In these scenarios, users can have different experiences based on their license allocation. One user might be able to use Planner and as such assigns tasks to their peers, but some of them may not be able to access those tasks as they have a different license construct.
And I’m not even getting into the details of why the organisation logo appears in the meeting lobby for some users and not others (hint: it comes down to whether they are licensed for Advanced Communications).
If an organisation has in place good security and administration practices, they may use Privileged Identity Manager – a component of Azure Active Directory Plan P2 (I thought we were done talking about licensing!?). And with this in mind, administrators should only be elevating to the required permission level to perform the task.
So you’ve elevated to be a Teams Administrator because you want to manage the apps available to users? No sorry, you can’t do that.
Want to look at the audit log to see which user invited a guest into the Team? Nope, can’t do that either.
Unfortunately, being a Teams Administrator does not give you everything you need to administer Microsoft Teams. Instead, admins will have to elevate up to be a Global Administrator – something that should in theory be a last resort.
A common task required when administering Microsoft Teams is to clean up inactive Teams. There are a few ways to perform this function, however the topic of this particular section is around defining what is inactive.
As defined in the Microsoft Teams usage report, activity is measured by users and channels – and the combination of activities performed by one, in the other.
So, it makes sense that an administrator could look at the report and based on levels of inactivity, determine which Teams can be archived or even deleted, right? Wrong.
As mentioned earlier, Microsoft Teams is both a platform unto itself, as well as a platform on top of other platforms. So we cannot simply determine a Team’s activity level by the Team itself. Instead, we can look to SharePoint and see whether the underlying team site (yes, “team site” is a SharePoint term from the early 00’s) has any activity. It doesn’t have any activity? Great, we can archive/delete it. Let’s move to the next section…
Something I’ve heard many admins tell me is that when they “archive” off the content of a Team, they usually just take the files from the Files tab of the channels and move them into a different location.
The problem with this approach, is that a Team is MUCH more than just the channel content you see before you. It may also be wiki content (*shudder*), Lists in the SharePoint site, Forms associated with the M365 Group, email in the associated Exchange mailbox, data in Forms connected to the M365 Group, notes in the OneNote notebook, and so on. (You can read the specifics on this in an article I wrote for Microsoft a couple of years ago: Groups services interactions | Microsoft Docs.)
And unfortunately, a lot of this data is not easily visible to administrators – mainly because there are no out of the box reports, and in some cases no APIs to even get to the data (I’m looking at you, Forms).
This ties back to the previous section: because admins are unable to see the content, they are also unable to see the activity, which can mean that admins are archiving or deleting Teams which actually have activity in other workloads. (Some good guidance and considerations come in the form of another technical article I authored for Microsoft: End of lifecycle options for groups, teams, and Yammer | Microsoft Docs.)
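As an added illustration of the two sections above (not code from the article or from Microsoft), this PowerShell script only flags a Team for archiving when both the Teams activity report and the underlying SharePoint team site are idle for the lookback window, and routes Teams with no site data to review instead of treating the gap as inactivity. The CSV rows are constructed; the cmdlet names, column names and the Team Id to Site URL map in the comments are assumptions about how the real usage report exports look.

```powershell
# Added example, not the article's code: a Team is an archive candidate only when BOTH the
# Teams activity report and its SharePoint team site are idle. Rows are constructed; in a
# tenant they would come from Get-MgReportTeamActivityDetail and
# Get-MgReportSharePointSiteUsageDetail (column names assumed), and the Team Id -> Site URL
# map must be resolved per M365 Group, because the site report carries no group id.
$teamsReport = @'
Team Name,Team Id,Last Activity Date
Marketing,11111111-1111-1111-1111-111111111111,2023-01-05
Project Falcon,22222222-2222-2222-2222-222222222222,2022-09-30
Finance,33333333-3333-3333-3333-333333333333,2022-10-01
Legacy Intranet,44444444-4444-4444-4444-444444444444,2022-06-01
'@ | ConvertFrom-Csv
$spoReport = @'
Site URL,Last Activity Date,Active File Count
https://contoso.sharepoint.com/sites/Marketing,2023-01-04,12
https://contoso.sharepoint.com/sites/ProjectFalcon,2023-01-10,3
https://contoso.sharepoint.com/sites/Finance,2022-09-15,0
'@ | ConvertFrom-Csv
# Constructed group-to-site map; Legacy Intranet is deliberately left unmapped.
$teamToSite = @{
    '11111111-1111-1111-1111-111111111111' = 'https://contoso.sharepoint.com/sites/Marketing'
    '22222222-2222-2222-2222-222222222222' = 'https://contoso.sharepoint.com/sites/ProjectFalcon'
    '33333333-3333-3333-3333-333333333333' = 'https://contoso.sharepoint.com/sites/Finance'
}
function Get-TeamArchiveVerdict {
    param(
        [Parameter(Mandatory)] $Teams,
        [Parameter(Mandatory)] $Sites,
        [Parameter(Mandatory)] [hashtable] $SiteMap,
        [datetime] $AsOf = (Get-Date),
        [int] $InactiveDays = 90
    )
    $cutoff = $AsOf.AddDays(-$InactiveDays)
    $siteIndex = @{}
    foreach ($s in $Sites) { $siteIndex[$s.'Site URL'] = $s }
    foreach ($t in $Teams) {
        $teamsIdle = [datetime]::ParseExact($t.'Last Activity Date', 'yyyy-MM-dd', $null) -lt $cutoff
        $site = if ($SiteMap.ContainsKey($t.'Team Id')) { $siteIndex[$SiteMap[$t.'Team Id']] } else { $null }
        # A missing site record is a data gap, not evidence of inactivity: route it to review.
        $spoIdle = $site -and ([datetime]::ParseExact($site.'Last Activity Date', 'yyyy-MM-dd', $null) -lt $cutoff)
        $verdict = if (-not $site) { 'Review: no SharePoint data' }
                   elseif ($teamsIdle -and $spoIdle) { 'Candidate for archive' }
                   elseif ($teamsIdle) { 'Keep: active in SharePoint' }
                   else { 'Keep: active in Teams' }
        [pscustomobject]@{ Team = $t.'Team Name'; TeamsIdle = $teamsIdle; SharePointIdle = [bool]$spoIdle; Verdict = $verdict }
    }
}

Get-TeamArchiveVerdict -Teams $teamsReport -Sites $spoReport -SiteMap $teamToSite -AsOf '2023-01-15' | Format-Table -AutoSize
```

With the constructed data, "Project Falcon" looks dead in the Teams report but its site was touched five days ago, so it is kept; only "Finance" becomes an archive candidate, and "Legacy Intranet" is sent for review.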
Something that ultimately makes all of this more challenging for administrators is the various reports available that provide different levels of data.
The key reports administrators need to use are:
The challenge here, is that it doesn’t end there. Administrators need to invest in customised and third-party report solutions in order to get a better understanding of how their environment is being used. And we haven’t even touched on some of the earlier challenges about security, compliance, access, and other areas related to Microsoft Teams.
On-premises components, such as AD FS, PTA, and Exchange Hybrid are critical for Office 365 end user experience. In addition, something as trivial as expiring Exchange or AD FS certificates can certainly lead to unexpected outages. By proactively monitoring hybrid components, ENow gives you early warnings where hybrid components are reaching a critical state, or even for an upcoming expiring certificate. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.
Over 20 years in IT, Loryan has had the opportunity to work with many leading-edge technologies, allowing him to be a part of major transformations in the industry. Starting out in web design prior to the dot com era, Loryan then took on more technical roles and has been involved in some of the first Australian deployments of metropolitan networks, voice over IP and video streaming over the Internet. His technical experiences were followed by 15 solid years in various senior consulting positions advising both internal and external senior management / stakeholders on strategic technology adoption and selection along with delivery of solutions across a range of business sectors, and managing technical resources for delivery. Many of his roles have involved coaching and mentoring team members along with establishing incentive schemes to drive results and growth. One of his strengths is the ability to thoroughly understand each client’s challenges and deliver solutions in line with their unique business requirements. Loryan is passionate about the cloud and the opportunities it brings. Having spent most of his career delivering on-premises business productivity technology, he founded Paradyne to deliver cost-effective solutions and to advance how people work by means of the cloud. His deep technical expertise is backed by practical business experience, ensuring that customers get the best of both worlds – world-class technology that delivers real business benefits.