Microsoft Teams and your DRMS: don't forget about your Corporate Permissions!
Microsoft Teams has quickly become a key component in Microsoft's 365 suite. Many customers now are deploying a Team where they used to deploy a SharePoint Site if a user requested a workspace. It's integrated collaboration and communication features have been very appealing during the last year. And with more and more functionality being added to the product, I expect its proliferation to continue.
As Microsoft states "A team is a group of people gathered to get something done in your organization. That group of people is actively collaborating on information and / or building knowledge. When you create a Team, its 'privacy' in general is set to 'Private', which means that users get access on a 'need-to-know' basis. Microsoft allows you to assign 'collaborative permissions' (Owner, Member or Guest) in a 'Private' Team to individual users, distribution lists or security groups on a 'need-to-know' basis. The Team's Owners subsequently manage permissions.
Many Teams however build knowledge and create information to be used by other users. Certain users need to be actively informed once information or knowledge becomes available. In other situations users may need access to the information when they want to consult the corporate memory (a.k.a. Document / Records Management System (DRMS)). I regularly work for customers where case, contract, project, and other types of documents need to be accessible well after the active lifecycle phase of a dossier.
Who gets access to the 'corporate memory' is usually determined at a corporate level, and AAD Groups are used to ease the administration of corporate permissions. And frankly speaking, setting and managing 'Corporate Permissions' is a Teams Governance aspect overlooked by many organizations! Often leading to frustration within these organizations, and requiring additional work to fix the issues.
Teams Provisioning and Corporate Permissions: the missing link
Teams brings a lot of benefits over just using SharePoint for collaborating on documents. Setting and managing Collaborative Permissions are well supported (although there's room for improvement). Setting 'Corporate Permissions' on the other hand is still a challenge.
When you add Owners or Members to the Team (that is, set 'Collaborative Permissions'), they are included in the associated Microsoft 365 Group. The Owners and Members are automatically given Permissions on the SharePoint Site:
Team Owners become SharePoint Site Collection Administrators (OMG!)
Team Members become SharePoint Site Members (with 'Edit' permissions !).
Microsoft's provisioning process for Teams (contrary for that for SharePoint Sites) does not support setting 'Corporate Permissions'.
And I don't know any 3rd party Team Provisioning Engines that do. Do you? If yes, please let me know via a comment.
In general Microsoft recommends against managing SharePoint site permissions separately from the Microsoft 365 Group by using SharePoint Groups. They make however an exception: if you need Visitors permissions, which are not part of an Microsoft365 Group. So, Microsoft acknowledges the gap, but has not plugged it yet.
Do you agree on the importance of setting Corporate Permissions for a Team? Vote here for the feature in Microsoft Teams UserVoice.
In the meantime, take your colleagues with you on your information journey, add Corporate Permissions to your Microsoft Team!
PS: When applying 'Corporate Permissions' you will also experience better results when you've implemented SharePoint Syntex and VivaTopics.