Microsoft Teams Recommendations
In the age of remote working and collaboration, Microsoft Teams is one of the most popular tools being used to increase communication and productivity.
Especially those undergoing implementation and migrations from Skype for Business to Microsoft Teams - it is a good opportunity to take a step back and evaluate and clarify your implementation, the recommendations below as good as a place to start as any.
Please keep in mind that like any recommendations, do not blindly follow them, make sure to determine the impact on your users on enabling some of this functionality, there may also be recommendations that you will not be able to apply, do to business constraints.
Recommendation | Description |
---|---|
Add the Microsoft Teams SMTP domain as an allowed list in Microsoft Exchange Online Spam filter protection | Whether you create an Office 365 Group in the admin console or by using Outlook, Exchange Online is used to send notifications of a team member being added to a Group. These messages are generated from your tenant as they represent your default domain SMTP FQDN.Teams uses Microsoft Exchange Online as well to send notifications to team members when they’ve been added. The difference being the domain FQDN of the SMTP message is “@email.teams.microsoft.com” and could be caught by spam filtering. Outlook considers message from Teams as an external sender which is subject to standard security features such as blocking images and certain content. |
Allow the following User Agent Strings for Microsoft Teams within the EWS configuration | Teams users may not be able to access Teams meetings/connectors though their mailboxes are in Exchange Online. |
Assign a valid security group that can be used for controlling who can create Office 365 groups as well as Office 365 services that depends on groups such as Teams, Planner, etc | A security group is configured to restrict which users are allowed to create groups. However this security group does not exist anymore which prevents the creation of new groups. |
Assign Teams Meeting Room license to your Teams meeting room account | Without the proper license, you may have some Teams Meeting room features that are not working properly or not available such as the ability to dial-out attendees into your meeting. |
Associate registered SBC with Office domain | Check as part of the Direct Routing configuration is missing the domain name associated with one of your SBCs. |
Check Skype for Business to Microsoft Teams meeting migration failures | Some of your user’s meeting may not have been successfully migrated from Skype for Business to Teams. Users might be unable to join the affected meetings. |
Check Microsoft Stream license is assigned to users if cloud recording is allowed | Your users who can do Teams meeting and recordings may not have the necessary Microsoft Stream license to store /upload meeting recordings / playback to Microsoft Stream. |
Check the SBC gateway(s) associated with voice routes | Makse sure that none or more of your SBC gateway(s) defined in Voice Routes are in disabled state. This could cause unexpected call failures. |
Configure your Meeting Room accounts with the recommended setting of AddAdditionalResponse | Microsoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide optimal meeting experience, you should configure your meeting room accounts meeting the recommendations. |
Configure your Meeting Room accounts with the recommended setting of AddOrganizerToSubject | Microsoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide optimal meeting experience, you should configure your meeting room accounts meeting the recommendations. |
Configure your Meeting Room accounts with the recommended setting of DeleteComments | Microsoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide optimal meeting experience, you should configure your meeting room accounts meeting the recommendations. |
Configure your Meeting Room accounts with the recommended setting of RemovePrivateProperty | Microsoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide optimal meeting experience, you should configure your meeting room accounts meeting the recommendations. |
Create meeting room lists for room mailboxes to allow for searching and booking rooms with Microsoft Teams | You need to create room list distribution group to be able to specify a meeting room when you schedule a Teams meeting. |
Create multiple Microsoft Teams IP Phone Policies to cater for the different phones and meeting rooms devices that you have in the organization | To provide more tailored user interfaces to different phones and meeting room devices that you've, it is recommended to create different IP Phone policies to them. |
Create Office 365 Groups Classification | You can create classifications that the users in your organization can set when they create an Office 365 group. For example, you can allow users to set "Standard", "Secret", and "Top Secret" on groups they create. Group classifications aren't set by default and you need to create it in order for your users to set it. Use Microsoft Entra ID PowerShell to point your users to your organization's usage guidelines for Office 365 groups. |
Define Office 365 Group naming policy | To enforce consistent naming conventions for Office 365 groups created or edited by your users, set up a group naming policy for your tenants in Microsoft Entra ID (Azure AD). For example, you could use the naming policy to communicate the function of a group, membership, geographic region, or who created the group. You could also use the naming policy to help categorize groups in the address book. You can use the policy to block specific words from being used in group names and aliases. |
Enable Advance Threat Protection for Teams | People regularly share files and collaborate using SharePoint, OneDrive, and Microsoft Teams. With Office 365 Advanced Threat Protection (ATP), your organization can collaborate in a safer manner. ATP helps detect and block files that are identified as malicious in team sites and document libraries. |
Enable connectors in your Exchange Online environment | When connectors are disabled in Exchange Online environment this is impacting connectors in Microsoft Teams. Users who are trying to add a connector in both Teams desktop client and a web app version will get the error: “Connectors have been turned off for this mailbox by the admin. Contact your admin if you want to have connectors turned on: Access to Connectors is disabled.” |
Enable Teams license for some Office 365 Users | At the user level, access to Microsoft Teams can be enabled or disabled on a per-user basis by assigning or removing the Microsoft Teams product license. Once the license is disabled, the user access to Microsoft Teams will be prevented and the user will no longer be able to see Teams in the Office 365 app launcher and homepage. |
Enable users SharePoint Online, OneDrive for Business and Exchange Online | For the full Microsoft Teams experience, every user should be enabled for Exchange Online, SharePoint Online, and Office 365 Group creation.SharePoint Online is required to share and store files in team conversations. OneDrive for Business is required to share and store files in private chats. If users aren't assigned and enabled with SharePoint Online licenses, they don't have OneDrive for Business storage in Office 365. File sharing will continue to work in Channels, but users are unable to share files in Chats without OneDrive for Business storage in Office 365. In Microsoft Teams, security and compliance features like eDiscovery, Content Search, archiving, and legal hold work best in Exchange Online and SharePoint Online environments. For channel conversations, messages are journaled to the group mailbox in Exchange Online, where they're available for eDiscovery. If SharePoint Online and OneDrive for Business (using work or school account) are enabled across the organization and for users, these compliance features are available for all files within Teams as well. |
Ensure a public IP associated with FQDN of the SBCs | SBC needs to have valid public IP address to make it accessible from Internet by Teams Direct Routing components. |
Ensure that the right ports and protocols are open across your network for optimum call experience | Skype for Business Online audio/video calls over TCP traffic do not perform as well as calls over UDP traffic. |
Grant Teams Direct Routing users with appropriate Voice Routing Policy | List of users who are enabled for Teams DR/Hybrid Voice but not assigned with any OnlineVoiceRoutingPolicy |
Implement Office 365 Groups governance | Office 365 Groups has a rich set of tools to implement any governance capabilities your organization might require. |
Improve Network Performance for Skype for Business Online/Microsoft Teams | The quality of real-time media (audio, video, and application sharing) over IP is greatly impacted by the quality of end-to-end network connectivity. For optimal Skype for Business Online media quality, it is important for you to make sure there is a high-quality connection between your company network and Skype for Business Online. The best way to accomplish this is to set up your internal network and cloud connectivity based on the capacity of your network to accommodate for peak traffic volume for Skype for Business Online across all connections. |
Info: Teams which have external/guest users | You should review external users who had been invited to Teams in your environment. |
Leverage the Teams RBAC to specify different levels of Teams administrative access | Using Microsoft Entra ID (Azure AD), you can designate administrators who need different levels of access for managing Microsoft Teams. Administrators can manage the entire Teams workload, or they can have delegated permissions for troubleshooting call quality problems or managing your organization's telephony needs. |
Limit the number of Office 365 Global Administrators | Having too many Office 365 Global Administrators might indicate that you’ve not assigned the right individuals to manage your overall Office 365 environment. This could result in unwanted configuration changes to Office 365 if some of these individuals does not have the right skills or capabilities. |
Multi Factor Authentication (MFA) is not enabled for Skype for Business Administrators and/or Office 365 Global Administrators | Make sure that any account who is in the Global Administrators or Skype for Business Online Administrators group are not enabled for Multi Factor Authentication (MFA). It is recommended to enable MFA for these accounts to add an additional layer of security during the authentication process. |
Office 365 Groups usage guidelines has not been put in-place | When users create or edit a group, you can show them a link to your organization's usage guidelines. For example, if you require a specific prefix or suffix to be added to a group name. |
Old version of Skype for Business Network Assessment Tool detected | Using an older version of the Skype for Business Network Assessment Tool will impact the data collection. It is recommended to update to the latest version of the tool and run another data collection. |
Review Teams meeting policy assigned to your users | Meeting policies are used to control the features that are available to meeting participants for meeting that are scheduled by users in your organization. Different users across your organization might need different meeting features based of what they do and other things. By providing them with the right meeting policy, not only you facilitate them to accomplish their jobs but also you help to optimize the Teams environment and organization resources. |
Review the ability for Team owners to invite external users to teams | Allowing Team owners to invite external users to teams could improve work productivity and drive collaboration with external users. |
Review the Direct Routing Users whose Skype for Business accounts are hosted in on-premises Skype for Business Server | Microsoft Teams Direct Routing works only if SfB user accounts is hosted in Skype for Business Online. |
Review the Teams user accounts which had some provisioning problems | Users may experience issue when using Skype for Business Online or Microsoft Teams when they’re not properly provisioned. |
Review the Teams users’ calling policy | All users are configured with the default Teams calling policy. |
Review your Teams Co-existence mode and upgrade settings | Your current Teams and Skype for Business Global co-existence mode may be set to Island mode which might not be the best co-existence mode for the organization and could be limiting features. |
Set AllowGuestsToAccessGroups on unified group setting to True | This setting indicates whether or not a guest user can have access to Files or OneNote content in your Teams. This setting does not require an Microsoft Entra ID Premium P1 license. |
Set the UsersPermissionToReadOtherUsersEnabled to true in your Azure AD configuration | When this value is set to false in AAD, Teams owner is unable to add external/internal members in Microsoft Teams, and the following error message is displayed: "We couldn't add member. We ran into an issue. Please try again later." However, members can be added directly to Office 365 groups. |
Specify a security group who can create Office 365 groups and its related services | Because it's so easy for users to create Office 365 Groups, you aren't inundated with requests to create them on behalf of other people. Depending on your business, however, you might want to control who has the ability to create groups. |
Teams Upgrade Status: Candidate - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs automatic upgrade to Teams to organizations that meet certain requirements. You need to understand what Teams upgrade means and the impact it would have to your organization. |
Teams Upgrade Status: Deferred - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs automatic upgrade to Teams to organizations that meet certain requirements. You need to understand what Teams upgrade means and the impact it would have to your organization. |
Teams Upgrade Status: Downgraded - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs automatic upgrade to Teams to organizations that meet certain requirements. You need to understand what Teams upgrade means and the impact it would have to your organization. |
Teams Upgrade Status: Paused- Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs automatic upgrade to Teams to organizations that meet certain requirements. You need to understand what Teams upgrade means and the impact it would have to your organization. |
Teams Upgrade Status: ScheduledForUpgrade - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs automatic upgrade to Teams to organizations that meet certain requirements. You need to understand what Teams upgrade means and the impact it would have to your organization. |
Teams Upgrade Status: Upgraded - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs automatic upgrade to Teams to organizations that meet certain requirements. You need to understand what Teams upgrade means and the impact it would have to your organization. |
Validate licenses assigned to Teams Room System | Without the proper license, you may have some Teams Meeting room features that are not working properly or not available such as the ability to dial-out attendees into your meeting |