Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET
Microsoft Teams|Office|Office 365

Managing Users with Teams Messaging Policies

Teams Splash

Managing Teams with Policies

When Microsoft launched Teams in November 2016, the tenant-wide settings to control the application were in the Office 365 Admin Center. With the introduction of the Teams and Skype for Business Online Admin Center in April 2018 (now renamed the Teams Admin Center), some of those settings are replaced by a set of policies (messaging, meeting, and live events)

The major advantage of this approach is that you can apply different policies to different users instead of a single setting for the entire tenant. Where it makes sense to have global settings, like those governing guest user access, the Teams Admin Center manages these under org-wide settings.

Teams Messaging Policy

Microsoft publishes default policies for tenants, so there’s no need to go near them unless you have good reason. In small tenants, you might never need to use anything other than the global policy. Larger tenants are more likely to find circumstances when they wish to restrict user behavior in some way. Figure 1 shows a set of messaging policies in a tenant.

Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

Teams Messaging Policies
Figure 1: Messaging policies in the Teams Admin Center (image credit: Tony Redmond)

What a Messaging Policy Does

Each team has owners that can restrict what users can do inside the team using options controlled through the Settings section of the Manage team menu. The settings messaging policy assigned to a apply to all teams in the tenant. Policy settings don’t allow users to override a restriction set by team owners. Instead, they further restrict what users can do inside a team.

For example, in Figure 2 we see a messaging policy with two important settings disabled. The first stops the user participating in personal chats. In other words, this user can only send messages to channel conversations. The second disables the user’s ability to translate messages.

Restrictive Teams Messaging Policy
Figure 2: Restricting user actions in a Teams messaging policy (image credit: Tony Redmond)

Applying a Teams Messaging Policy to a User

To apply a policy to a user, go to the Users section of the Teams Admin Center and select their account. By default, the Teams Admin Center lists all accounts, including guest accounts, room accounts, and equipment accounts. You can only apply policies to accounts enabled for Teams, so it’s a good idea to set a filter of Account status = enabled to ensure that the portal only shows accounts which support policies. If you try to set a policy to a non-enabled account, the portal returns an error.

After selecting the user, click the Edit (pencil icon) beside the Assigned Policies heading. You can now edit the policies assigned to the user (Figure 3). Remember to Save your changes. It takes a little time before the change is effective to allow the new policy setting to synchronize to clients.

Apply Teams Messaging Policy to user
Figure 3: Assigning Teams policies to a user (image credit: Tony Redmond)

Users aren’t informed that an administrator has applied a different policy to their account. Unless they’re told in some way (it would be polite to do so), the first time they know that they’re operating under a new regime is when Teams removes some functionality in line with the policy. For instance, when chat is removed, Teams doesn’t display the Chat icon in the app bar. In addition, if someone tries to contact the user through Chat, they’re told that they can’t (Figure 4).

Teams blocks user from chat
Figure 4: The effect of a restricted policy – no chats! (image credit: Tony Redmond)

You can’t set messaging policies on groups. If you want to use a group to control messaging groups, read the members of the group and then use PowerShell to grant the policy to each member.

Working with Teams Messaging Policies Through PowerShell

The Teams PowerShell module doesn’t include the cmdlets to work with policies. Instead, you must download and use the Skype for Business Online module (which isn’t the easiest module to work with).

For example, to view the settings in the restricted messaging policy, run the Get-CsTeamsMessagingPolicy cmdlet:

Get-CsTeamsMessagingPolicy -id "Restricted - No Chat"

Identity                      : Tag:Restricted - No Chat
Description                   : This policy doesn't allow users to use personal chat
AllowUrlPreviews              : True
AllowOwnerDeleteMessage       : False
AllowUserEditMessage          : True
AllowUserDeleteMessage        : True
AllowUserChat                 : False
AllowRemoveUser               : True
AllowGiphy                    : True
GiphyRatingType               : Moderate
AllowMemes                    : True
AllowImmersiveReader          : True
AllowStickers                 : True
AllowUserTranslation          : False
ReadReceiptsEnabledType       : UserPreference
AllowPriorityMessages         : False
ChannelsInChatListEnabledType : DisabledUserOverride
AudioMessageEnabledType       : ChatsAndChannels

To change a setting in a messaging policy, run the Set-CsTeamsMessagingPolicy cmdlet. For example, this command disables the ability to add memes, stickers, and GIFs to messages.
Set-CsTeamsMessagingPolicy -Identity "Restricted - No chat" -AllowMemes $False -Allow Stickers $False -AllowGiphy $False

To assign a policy to a user, run the Grant-CsTeamsMessagingPolicy cmdlet. For example:
Grant-CsTeamsMessagingPolicy -PolicyName "Restricted - No Chat" -Identity "Oisin.Johnston"

And to check that the policy is set, use the Get-CsOnlineUser cmdlet to examine the settings for the user:
Get-CsOnlineUser -Identity Oisin.Johnston | Format-Table UserPrincipalName, TeamsMessagingPolicy

UserPrincipalName                  TeamsMessagingPolicy
-----------------                  --------------------
[email protected] Restricted - No Chat

Teams Policies Goodness

Being able to control the functionality available to individual users is a nice feature for large tenants. Because you can assign policies to users through PowerShell, it’s another action that can be incorporated into user account provisioning scripts, if that’s how you choose to set up new Office 365 accounts. Even if you don’t have the immediate need to use messaging policies, keep them in the back of your mind. You never know when you might need some extra control.

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (3)

3 responses to “Managing Users with Teams Messaging Policies”

  1. <p>Curious, does something like this exist (or will it) to control specific file permissions at a channel level within a Team? Would be nice to have Team members file access customizable within the "manage team" settings window.</p>

  2. <p>I'm not having any luck on finding whether a messaging policy can be applied to a AAD Security Group or O365 group. For instance, we have one country where read receipts need to be turned off…</p>

Leave a Reply

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.
Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: