Managing Teams Private Channels

Use the Right Team/Channel at the Right Time

When I introduced Teams private channels, I said that it’s possible these channels will reduce the need to create a new team to protect information. That’s absolutely true, but Office 365 tenant administrators need to understand how to manage private channels before they can decide how best to use private channels in their organization. My goal in this article is to describe how private channels are created and how to control those channels during their subsequent lifecycle.

Controlling the Creation of Private Channels

By default, any team member can create a private channel. The person who creates a private channel becomes its owner. It’s a good idea to have at least two owners for a private channel because channel owners control membership. Remember, a team owner can only see that a private channel exists; they have no control over the settings and members of the channel. This creates some interesting scenarios, such as when a team owner receives a notification that a team is about to expire and will soon be deleted. Although they can see the timestamp for the last activity in a private channel (use Manage team and select the Channels tab), the team owner might not know if the private channels in the team are still active and needed because they have no access to the channel conversations or site (unless they ask the channel owners). The update to the group expiration policy to become activity-based instead of time-based helps by only removing teams when no activity is detected, but the point illustrates how private these channels are.

I think most organizations will exert control and restrict the ability to create private channels to specific users. To stop users creating private channels, make sure that the setting in the Teams policy assigned to accounts is restricted. Go to the Teams Admin Center, select Teams and then Teams policies, and examine the policies, especially the default policy that’s automatically assigned to users. To disable the ability to create private channels, move the slider (Figure 1) to Off.

How to control the creation of Teams private channels via policy
Figure 1: How to control the creation of Teams private channels via policy

PowerShell Policy Control

You can also control the ability to create private channels via PowerShell by updating the AllowPrivateChannelCreation setting in the Teams channel policy. Run the Get-CsTeamsChannelsPolicy cmdlet (in the Skype for Business Online PowerShell module) to reveal the settings for the policies in a tenant.

Get-CsTeamsChannelsPolicy | Format-Table Identity, AllowPrivateChannelCreation

Identity               AllowPrivateChannelCreation
--------               ---------------------------
Global                                        True
Tag:PrivateTeamsPolicy                        True
Tag:Default                                   True

To block creation of private channels, run the Set-CsTeamsChannelsPolicy cmdlet to reset AllowPrivateChannelCreation for the global (default) policy:

Set-CsTeamsChannelsPolicy -Identity Global –AllowPrivateChannelCreation $False

If you have a policy to allow private channels to be created, you can run the Grant-CsTeamsChannelsPolicy cmdlet to grant the right to individual accounts:

Grant-CsTeamsChannelsPolicy -PolicyName PrivateTeamsPolicy -Identity [email protected]

Creating Private Channels

There’s no way to convert an existing standard channel to become a private channel (or indeed, to move content from an existing channel to a private channel). To create a new private channel, go to the […] menu for a team you own and select Add Channel. The default privacy setting for a channel is that it is accessible to everyone in the team. To make a private channel, set the privacy to Private (Figure 2).

Teams Create Private Channel 1
Figure 2: Creating a private channel

The only other step at this point is to add the initial members for the channel. You don’t need to do this now if you want to leave it for later.

A private channel in the teams list
Figure 3: A private channel in the teams list (image credit: Tony Redmond)

Private channels are shown in clients by the presence of a lock against the channel name in the teams list (Figure 3). Apart from that, everything works as you’d expect. The Files tab points to a folder named after the channel in the document library of the SharePoint site created for the private channel.

Note the little people icon in the top right-hand corner of conversations. This appears in a private channel. Click the icon to open the People Pane to see a list of channel members.

Manage Channel

The Manage Channel option allows channel owners to manage membership (Figure 4) and channel settings, which are inherited from the parent team and can thereafter be changed to meet the needs of the channel. Only the classification given to a team continues to be synchronized with its private channels. If you’re used to managing teams, there’s nothing here to worry you as everything works as you’d expect.

Managing the membership of a private channel
Figure 4: Managing the membership of a private channel (image credit: Tony Redmond)

Management through the Teams Admin Center

The Teams Admin Center lists private channels for a team (Figure 5). You can create or delete a private channel from the Admin Center and edit its display name and description settings and amend the membership of a private channel, including the promotion of team members to become channel owners.

A private channel as listed in the Teams Admin Center
Figure 5: A private channel as listed in the Teams Admin Center (image credit: Tony Redmond)

When you delete a private channel, Teams also removes the associated SharePoint site. And if you delete a team with a private channel, both the default site and the site belonging to the private channel are removed. You can restore deleted teams and channels during the 30-day grace period when Teams retains these objects in a soft-deleted state. These operations restore all the associated sites.

Last Member Standing

No one likes to see a team without an owner, so Teams doesn’t allow the last owner of a private channel to leave the channel without adding a new owner or promoting another channel member to be the owner. However, if the last owner leaves a channel involuntarily (for instance, they resign from the organization and their Office 365 account is deleted), Teams auto-promotes one of the surviving channel members to become the channel owner (excluding guest members).

If the last member/owner of a channel leaves, a tenant administrator can add a new owner with the Add-TeamChannelUser PowerShell cmdlet. Randomly selecting a team member to become the owner of a private channel is unsatisfactory and Microsoft has some work to do here to enable tenants to determine who should take over if the last channel owner leaves. For instance, a tenant might decide that Teams should choose a team owner to take over.

Email to Private Channels

Teams supports the same inbound email capabilities for private channels as are available for public channels. Any channel member can retrieve the email address for the channel and use it to send email to the channel. Teams fetches the email using a connector and posts the message to the channel and into the Email Messages folder in the SharePoint site belonging to the channel.

Teams Compliance Records

Private channels have their own sites, but they don’t have a group mailbox. For this reason, Exchange Online stores the compliance records captured for conversations in the private channel in the personal mailboxes of channel members. This is the way that records for group chats are stored. From a content search perspective, it means that more copies of compliance records are captured (up to 250 copies of each message posted to a private channel). Another way of looking at this is that you’ll find a record if you add a single member of a private channel to a content search.

Because the compliance records are in user mailboxes, Office 365 retention policies for Teams don’t currently clean up the records created for messages in private channels. Microsoft is considering how best to change retention policies to deal with the records generated by private channels and will release an update in the future.

Adding SharePoint Sites to eDiscovery Searches

If you want to add the SharePoint site belonging to a private channel to a content search, you need to know its URL. The easiest way is to use the “Open in SharePoint” option in the Files tab and copy the URL exposed by SharePoint.

On an admin level, by design, these sites are hidden from the SharePoint Admin Center but accessible in PowerShell. For example, when run by a SharePoint administrator, this PowerShell code returns all the sites belonging to private channels and uses the group identifier to retrieve the group name from the Office 365 Group before writing out the display name and site URL.

$Sites = Get-SPOSite -Template "TeamChannel#0"
ForEach ($Site in $Sites) {
 $SPOSite = Get-SPOSite -Identity $Site.url -detail
 $Group = Get-UnifiedGroup -Identity $SPOSite.RelatedGroupID.Guid
 Write-Host "Team" $Group.DisplayName "owns private channel site" $Site.URL}

Notice that the SharePoint template used for private channel sites is “TeamChannel#0.” This template supports the addition of lists to the site, but not pages.

When you examine the URLs created for sites used by private channels, you’ll see the following naming convention:

For example, the site for the “Legal Discussions” private channel owned by the “Corporate Acquisition Planning 2020” team is:

Audit records

Teams logs Office 365 audit records when a new private channel is created (ChannelAdded, ChannelType = Private) and members are added to a channel (MemberAdded, ChannelType = Private). Audit records also capture the creation of the new SharePoint site.

PowerShell and Graph

A new version of the Teams PowerShell module contains updated cmdlets to support the management of private channels, including member updates. The module is still at the beta stage but should have been released by the time you read this post. Microsoft has also updated the Graph API for Teams with the commands necessary to manage private channels.

A Lot to Learn

There’s a lot of stuff to digest before you master private channels. I believe private channels are a valuable addition to Teams and that they’ll be a popular method for subsets of teams to collaborate. That being said, private channels still need to be managed. Just think: Microsoft increased the maximum number of SharePoint sites per tenant to 2 million. Although you probably won’t get within sniffing distance of that number, there’s still going to be more channels and sites to manage. Enough said.