MS-900 | Chapter 84 of 104 | Objective 1.3

Microsoft Teams Governance and Policy Management

This chapter covers Microsoft Teams governance and policy management, a critical topic for the MS-900 exam. Understanding how to control Team creation, lifecycle, and user behavior through policies is essential for managing a Microsoft 365 tenant securely and efficiently. Approximately 10-15% of exam questions relate to tenant management, with governance and policies being a key subset. You will learn the mechanisms behind Teams policies, including naming conventions, guest access, retention, and expiration, and how to configure them via the Teams admin center, PowerShell, and Microsoft 365 compliance center.

Intermediate
Updated May 31, 2026

Teams Governance as Building Code

Imagine a city planning department that issues building permits. Each new building (Team) must comply with zoning laws (compliance policies), safety codes (data retention), and access rules (guest access). The city inspector (Microsoft 365 admin) uses a checklist (policy templates) to approve or deny permits. Once a building is constructed, the inspector can enforce rules like maximum occupancy (member limits) and fire exit requirements (channel moderation). If a building violates code, the inspector can issue fines (restrict features) or even condemn the building (archive or delete the team). The city has a central registry (Azure AD) that lists all buildings and their compliance status. Just as building codes evolve, Teams governance policies can be updated via the Teams admin center or PowerShell, and existing teams can be audited against new rules. This analogy mirrors how Teams governance uses policies to control creation, lifecycle, and behavior at scale.

How It Actually Works

What is Microsoft Teams Governance and Why It Exists

Microsoft Teams governance refers to the set of policies, settings, and procedures that control how Teams is used within an organization. Without governance, users can create Teams with arbitrary names, add external guests without oversight, and retain data indefinitely, leading to security risks, compliance violations, and administrative chaos. Governance ensures that Teams usage aligns with organizational policies, legal requirements, and best practices. The MS-900 exam tests your ability to identify the correct governance tools and configurations for given scenarios.

How Teams Governance Works Internally

Teams governance is enforced through a combination of Azure Active Directory (Azure AD) settings, Microsoft 365 Groups policies, and Teams-specific policies. At the core, every Team is backed by an Office 365 Group (now Microsoft 365 Group). Therefore, many governance controls are applied at the group level. When an admin configures a policy, it is stored in Azure AD or the Teams admin center and applied to all new or existing Teams based on the policy's scope.

Team Creation Control: By default, any user can create a Team. To restrict creation, an admin can use Azure AD group settings to limit who can create Office 365 groups. This is done via the GroupCreationAllowedGroupId setting in Azure AD PowerShell. Alternatively, the Teams admin center provides a 'Manage who can create Teams' setting that allows specific security groups.

Naming Policies: Naming conventions are enforced using Azure AD group naming policies. Admins can define prefixes/suffixes (e.g., "Project-") and block specific words. These policies are applied when a user creates a new Team; if the name violates the policy, creation is blocked.

Guest Access: Guest access is controlled at the Azure AD level (external collaboration settings) and Teams level (guest access toggle). Even if Azure AD allows guests, the Teams admin must enable guest access in the Teams admin center under Org-wide settings. Additionally, conditional access policies can restrict guest behavior.

Retention Policies: Retention policies for Teams messages and channels are configured in the Microsoft 365 compliance center. These policies can delete or preserve data for a specified period. They apply to Teams chats (1:1 and group) and channel messages separately.

Expiration Policies: Teams (and their underlying groups) can have an expiration policy set via Azure AD. If a Team is not renewed within the expiration period, it is automatically deleted. The policy can be configured for specific groups or all groups.

Messaging Policies: These control what users can do within Teams, such as using GIFs, memes, or editing messages. They are created in the Teams admin center and assigned to users via policy assignments.

Key Components and Defaults

Default Teams Policy: Every user gets the Global (Org-wide default) policy for messaging, meetings, and apps. Admins can modify the Global policy or create custom policies.

Group Creation Default: By default, all users can create Office 365 groups. To restrict, you must set GroupCreationAllowedGroupId to a security group.

Guest Access Default: Guest access is disabled by default in Azure AD and Teams. It must be explicitly enabled.

Retention Default: No default retention policy is applied; data is kept indefinitely unless a policy is created.

Expiration Default: No expiration policy is set by default. When enabled, the default expiration period is 365 days, with a renewal window of 30 days before expiration.

Naming Policy Default: No naming policy is configured by default.

Configuration and Verification

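Azure AD PowerShell for Group Creation:

```powershell
# The directory-setting cmdlets ship in the AzureADPreview module
Install-Module -Name AzureADPreview
Connect-AzureAD
# Load the tenant's existing Group.Unified directory setting
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
# The allowed group only takes effect once tenant-wide creation is turned off
$Setting["EnableGroupCreation"] = $false
$Setting["GroupCreationAllowedGroupId"] = "<SecurityGroupObjectId>"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
```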

Teams Admin Center: Navigate to Teams > Teams settings > Manage who can create Teams. Select a security group.

Naming Policy via Azure AD: In Azure AD > Groups > Naming policy, configure prefixes/suffixes and blocked words.

Retention Policy via Compliance Center: Go to Compliance > Policies > Data lifecycle management > Retention policies. Create a policy targeting Teams channel messages or chats.

Expiration Policy via Azure AD: In Azure AD > Groups > Expiration, set the expiration period and enable email notifications.

Verification: Use Get-AzureADDirectorySetting to confirm group settings. Use Teams admin center reports to audit policy assignments.
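One way to turn the verification step into a repeatable check is shown below. It is an added example, not part of the original chapter: the function name `Test-GroupGovernance`, the baseline it applies, and the sample values are assumptions, while the setting names are keys of the Group.Unified directory setting.

```powershell
# Added example: audit Group.Unified values against a governance baseline.
# Takes a plain hashtable so it runs offline on the constructed sample below.
function Test-GroupGovernance {
    param(
        [Parameter(Mandatory)] [hashtable] $Values,
        [bool] $GuestsExpected = $false   # assumed baseline: guests may not be added
    )
    # Directory setting values are strings, so compare as strings.
    $restricted = ("$($Values['EnableGroupCreation'])" -eq 'False') -and
                  -not [string]::IsNullOrWhiteSpace($Values['GroupCreationAllowedGroupId'])
    $hasNaming  = -not [string]::IsNullOrWhiteSpace($Values['PrefixSuffixNamingRequirement'])
    $hasBlocked = -not [string]::IsNullOrWhiteSpace($Values['CustomBlockedWordsList'])
    $guestsOn   = "$($Values['AllowToAddGuests'])" -eq 'True'

    $results = [ordered]@{
        'Group creation restricted to a security group' = $restricted
        'Naming prefix/suffix configured'               = $hasNaming
        'Blocked words configured'                      = $hasBlocked
        'Guest additions match baseline'                = ($guestsOn -eq $GuestsExpected)
    }
    foreach ($name in $results.Keys) {
        [pscustomobject]@{ Control = $name; Compliant = $results[$name] }
    }
}

# Constructed sample: an allowed group was set, but EnableGroupCreation was
# left at True, so group creation is still open to every user.
$sample = @{
    EnableGroupCreation           = 'True'
    GroupCreationAllowedGroupId   = '00000000-0000-0000-0000-000000000000'  # placeholder
    PrefixSuffixNamingRequirement = 'Project-[GroupName]'
    CustomBlockedWordsList        = ''
    AllowToAddGuests              = 'False'
}
Test-GroupGovernance -Values $sample | Format-Table -AutoSize

# Against a live tenant (requires AzureADPreview and Connect-AzureAD):
# $live = @{}
# (Get-AzureADDirectorySetting | Where-Object DisplayName -EQ 'Group.Unified').Values |
#     ForEach-Object { $live[$_.Name] = $_.Value }
# Test-GroupGovernance -Values $live
```

Running the check on a schedule and alerting on any `Compliant = False` row catches drift after someone edits the setting by hand.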

How It Interacts with Related Technologies

Teams governance is tightly integrated with Microsoft 365 Groups, Azure AD, and the Microsoft 365 compliance center. Changes in one area affect others. For example, disabling guest access in Azure AD overrides the Teams guest setting. Retention policies for Teams are part of broader data lifecycle management. Conditional access policies in Azure AD can enforce MFA for Teams access. Understanding these interactions is crucial for designing a cohesive governance strategy.

Exam-Relevant Details

Default values: Guest access disabled, group creation open to all, no retention or expiration policies.

PowerShell cmdlets: Get-AzureADDirectorySetting, Set-AzureADDirectorySetting, New-Team, Set-Team.

Key concepts: The difference between org-wide settings (affect all users) and per-user policies (assigned to individuals or groups).

Common exam trap: Confusing Teams admin center policies with Azure AD group settings. Remember: naming policies are in Azure AD, messaging policies in Teams admin center.

Walk-Through

1. Plan Governance Requirements

Identify organizational needs: who can create Teams, naming conventions, guest access rules, data retention periods, and expiration periods. Document these requirements and map them to available policies. Consider legal and compliance obligations, such as GDPR or industry regulations. This step determines the policies you will configure.

2. Configure Group Creation Controls

In Azure AD, restrict group creation to a specific security group using the `GroupCreationAllowedGroupId` setting. Alternatively, use the Teams admin center to limit Team creation. This prevents unauthorized users from creating Teams. Verify by attempting to create a Team as a non-member of the allowed group.

3. Set Naming Policies

In Azure AD Groups > Naming policy, define a prefix/suffix (e.g., "Project-") and blocked words. This ensures consistent naming and prevents offensive or sensitive names. The policy is enforced at Team creation; violations block creation with an error message.

4. Enable and Configure Guest Access

First, enable guest access in Azure AD external collaboration settings. Then, in Teams admin center under Org-wide settings, turn on Guest access. Optionally, configure conditional access policies for guests. Without both steps, guest access remains disabled. Test by inviting an external user.

5. Create Retention Policies

In the Microsoft 365 compliance center, create retention policies for Teams channel messages and chats. Specify the retention period (e.g., 7 years) and action (delete or preserve). Policies can target specific users or all users. Note that retention policies for Teams are separate from Exchange or SharePoint policies.

6. Configure Expiration Policy

In Azure AD Groups > Expiration, enable expiration and set the period (default 365 days). Configure email notifications for group owners. When a Team nears expiration, owners receive emails to renew. If not renewed, the Team is deleted. This prevents stale Teams from accumulating.

7. Assign Messaging and Meeting Policies

In Teams admin center, create custom policies for messaging (e.g., disable GIFs) and meetings (e.g., disable recording). Assign policies to users or groups via the Users section. The Global policy applies to all users unless overridden. Use PowerShell for bulk assignments.

What This Looks Like on the Job

Scenario 1: Large Enterprise with Compliance Requirements

A multinational bank must comply with financial regulations that require all communications to be retained for 7 years. They implement a retention policy for Teams channel messages and chats with a 7-year retention period. They also restrict Team creation to IT and project managers using a security group. Naming policies enforce a prefix like "Project-" and block words like "confidential". Guest access is disabled entirely to prevent data leakage. Expiration is set to 365 days with automatic renewal for active Teams. This setup ensures compliance and reduces administrative overhead. Misconfiguration: If retention policies are not applied to all users, some communications might be deleted prematurely, leading to compliance violations.

Scenario 2: Educational Institution with Guest Lecturers

A university allows faculty to create Teams for courses. They enable guest access for external lecturers but restrict guest permissions to prevent them from adding other guests. They use a custom messaging policy that disables the ability to delete messages for students. Expiration is set to 180 days (semester length) with renewal by course end. Naming policies include the course code prefix. Common issue: If expiration is too short, Teams might be deleted before the semester ends. They configure a notification email to the faculty owner 30 days before expiration.

Scenario 3: Small Business with Minimal Overhead

A startup wants to avoid complexity. They leave default settings (all users can create Teams, guest access disabled, no retention or expiration). As the company grows, they find stale Teams and decide to implement expiration. They enable expiration with a 365-day period and notify owners. They also start using a naming policy to ensure Teams names include department abbreviations. Performance considerations: With fewer than 100 Teams, governance overhead is low. They use the Teams admin center for all configurations rather than PowerShell.

How MS-900 Actually Tests This

Exam Focus for MS-900

The MS-900 exam tests your understanding of Teams governance at a conceptual level, not deep technical configuration. Key objective codes: 1.3 (Tenant Management), 1.3.1 (Manage Teams settings), 1.3.2 (Implement governance). You must know:

- Default settings: Guest access is disabled by default; all users can create Teams; no retention or expiration policies are applied.
- Where to configure: Naming policies in Azure AD; retention in compliance center; messaging policies in Teams admin center; expiration in Azure AD.
- Common wrong answers: Candidates often confuse Teams admin center policies with Azure AD settings. For example, they might think naming policies are in the Teams admin center (they are in Azure AD). Another trap: thinking that enabling guest access in Teams alone works — it also requires Azure AD external collaboration settings. Another: believing that retention policies for Teams are in the Teams admin center (they are in the compliance center).
- Specific numbers: Expiration default is 365 days; retention policies can be set from 1 day to indefinite; group creation can be restricted to a security group.
- Edge cases: If a user is removed from the allowed group after creating a Team, the Team still exists but they cannot create new ones. Expiration policies can be renewed manually or automatically if configured. Retention policies can be adaptive (based on user attributes) or static.
- Elimination strategy: When asked where to configure a policy, ask yourself: Is it about Teams features (messaging, meetings) → Teams admin center. Is it about group lifecycle (creation, naming, expiration) → Azure AD. Is it about data retention → compliance center. This logic eliminates most wrong answers.

Key Takeaways

Guest access in Teams requires both Azure AD external collaboration settings and Teams org-wide settings to be enabled.

Naming policies for Teams are configured in Azure AD, not the Teams admin center.

Retention policies for Teams chats and channel messages are set in the Microsoft 365 compliance center.

Expiration policy for Teams defaults to 365 days with a 30-day renewal notification.

By default, all users can create Teams; restrict via security group in Azure AD or Teams admin center.

Teams admin center policies override Global policy when assigned to a user.

PowerShell cmdlets like Get-AzureADDirectorySetting and Set-Team are used for advanced governance.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure AD Group Settings

Controls group creation, naming, and expiration.

Configured via Azure AD portal or PowerShell.

Applies to all Microsoft 365 Groups (including Teams, Yammer, etc.).

Examples: GroupCreationAllowedGroupId, Naming policy, Expiration.

Requires Azure AD P1 license for some features.

Teams Admin Center Policies

Controls Teams-specific features like messaging, meetings, and apps.

Configured via Teams admin center or Teams PowerShell.

Applies only to Teams, not other group types.

Examples: Messaging policies (GIFs, memes), Meeting policies (recording, screen sharing).

Available with any Teams license.

Watch Out for These

Mistake: Guest access is enabled by default in Teams.

Correct: Guest access is disabled by default in both Azure AD external collaboration settings and Teams org-wide settings. Both must be enabled for guest access to work.

Mistake: Naming policies for Teams are configured in the Teams admin center.

Correct: Naming policies for Teams are configured in Azure Active Directory under Groups > Naming policy. They apply to all Microsoft 365 Groups, including Teams.

Mistake: Retention policies for Teams are set in the Teams admin center.

Correct: Retention policies for Teams messages and chats are configured in the Microsoft 365 compliance center under Data lifecycle management.

Mistake: Expiration policies automatically delete Teams without warning.

Correct: Expiration policies send email notifications to group owners 30 days before expiration. Owners can renew the Team. If not renewed, the Team is deleted but can be restored within 30 days.

Mistake: All users can create Teams by default, and this cannot be changed.

Correct: While all users can create Teams by default, admins can restrict creation to specific security groups using Azure AD settings or the Teams admin center.


Frequently Asked Questions

How do I restrict who can create Teams in my organization?

Use Azure AD group settings to limit Office 365 group creation to a specific security group. In Azure AD, navigate to Groups > General, then set 'Users can create security groups' or use PowerShell to set GroupCreationAllowedGroupId. Alternatively, in Teams admin center, go to Teams > Teams settings and select a security group. The Azure AD method is more comprehensive as it affects all group types.

Where do I configure naming policies for Teams?

Naming policies for Teams are configured in Azure Active Directory under Groups > Naming policy. You can add prefixes, suffixes, and blocked words. These policies apply to all Microsoft 365 Groups, including Teams, Outlook groups, and Yammer. The Teams admin center does not have a naming policy option.

How do I enable guest access in Teams?

First, enable guest access in Azure AD under External Identities > External collaboration settings. Then, in Teams admin center under Org-wide settings, turn on 'Guest access'. Both steps are required. Additionally, you can configure conditional access policies for guests. If guests are not working, check both settings.

What is the default expiration period for Teams?

There is no expiration policy by default. When you enable expiration, the default period is 365 days. You can change this to any value between 30 and 730 days. Group owners receive email notifications 30 days before expiration to renew. If not renewed, the group is deleted but can be restored within 30 days.

How do I retain Teams messages for compliance?

Create a retention policy in the Microsoft 365 compliance center under Data lifecycle management > Retention policies. Target 'Teams channel messages' or 'Teams chats'. Specify the retention period (e.g., 7 years) and action (delete or preserve). You can scope the policy to specific users or all users. Note that retention policies for Teams are separate from Exchange or SharePoint.

Can I assign different messaging policies to different users?

Yes. In Teams admin center, create custom messaging policies (e.g., disable GIFs, allow memes). Then assign them to users or groups via the Users section. The Global policy applies to all users by default. You can also use PowerShell to bulk assign policies. Policy precedence: user-level assignment overrides Global.

What happens if a Team is not renewed before expiration?

If a Team is not renewed before the expiration date, it is soft-deleted. The group owners receive multiple email notifications starting 30 days before expiration. After deletion, the Team can be restored within 30 days by an admin via Azure AD or PowerShell. After 30 days, the group is permanently deleted.
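The expiration timeline described in the answers above (365-day lifetime, notice 30 days before expiration, 30-day restore window after deletion) can be applied to a list of groups to see which ones need attention. This is an added example, not part of the original chapter: the function name `Get-TeamExpirationState`, the state labels, and the sample groups are assumptions, and the result assumes no renewal happens after the recorded date.

```powershell
# Added example: place each group on the expiration timeline the page describes.
# Assumption: each input object carries DisplayName and RenewedDateTime.
function Get-TeamExpirationState {
    param(
        [Parameter(Mandatory)] [object[]] $Groups,
        [int] $LifetimeDays = 365,     # expiration period
        [int] $NoticeDays   = 30,      # owners are notified this long before expiry
        [int] $RestoreDays  = 30,      # soft-delete restore window
        [datetime] $AsOf    = (Get-Date)
    )
    foreach ($g in $Groups) {
        $expires  = ([datetime]$g.RenewedDateTime).AddDays($LifetimeDays)
        $daysLeft = [int][math]::Floor(($expires - $AsOf).TotalDays)
        $state = if     ($daysLeft -gt $NoticeDays)         { 'Active' }
                 elseif ($daysLeft -ge 0)                   { 'RenewalNoticeWindow' }
                 elseif ($daysLeft -ge (0 - $RestoreDays))  { 'SoftDeletedRestorable' }
                 else                                       { 'PermanentlyDeleted' }
        [pscustomobject]@{
            Team     = $g.DisplayName
            Expires  = $expires.ToString('yyyy-MM-dd')
            DaysLeft = $daysLeft
            State    = $state
        }
    }
}

# Constructed sample data (not real teams), evaluated at a fixed date so the
# output is reproducible.
$sampleGroups = @(
    [pscustomobject]@{ DisplayName = 'Project-Atlas';    RenewedDateTime = '2026-01-10' }
    [pscustomobject]@{ DisplayName = 'Project-Borealis'; RenewedDateTime = '2025-06-15' }
    [pscustomobject]@{ DisplayName = 'Project-Cygnus';   RenewedDateTime = '2025-05-20' }
    [pscustomobject]@{ DisplayName = 'Project-Draco';    RenewedDateTime = '2025-03-01' }
)
Get-TeamExpirationState -Groups $sampleGroups -AsOf ([datetime]'2026-05-31') |
    Sort-Object DaysLeft | Format-Table -AutoSize
```

Groups in `SoftDeletedRestorable` are the ones to review first, since the page states they are permanently deleted once the 30-day restore window closes.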
