Introducing Teams Private Channels
Microsoft Responds to #1 User Demand for Teams
Support for private channels is easily the top-rated request in Teams User Voice. Responding in part to a perceived competitive advantage for Slack, Microsoft announced at the Microsoft Ignite conference that they are deploying support for private channels to Office 365 tenants worldwide. The deployment is expected to reach all tenants by the end of November 2019. This article describes the basic architecture of private channels. In a follow-up, I’ll take you through how private channels are created and managed.
A private channel is a restricted part of a team that’s only available to a nominated subset of team members. In a way, it’s a strange notion for Teams because the product is all about open communications, but it’s an undeniable fact that many scenarios exist when you want to limit access to some information within an otherwise open team. Microsoft calls this “focused private collaboration with a subset of team members.” Apart from anything else, private channels might help tenants avoid the need to create additional teams to isolate information to a subset of users.
Limiting Access to Specific Members
Take mergers and acquisitions for example. It’s common to set up a group of people from the companies involved, including professional advisors, to work the issues involved in these deals. Creating a team to host discussions about the project is a good way to foster collaboration, but it’s the nature of this activity that not everyone needs to know about everything. For instance, the legal representatives probably need a closed space to discuss the intricacies of the merger process; they probably don’t want the other players involved in the deal to see (or interfere) with some of the legal debate. The same goes for the accounting folks, or the senior negotiators, or even those who will make the final decision. The team accommodates everyone, but each sub-group can now have its own private channel to discuss, argue, debate, and resolve issues before exposing the results to the full team.
Even an org-wide team, the epitome of openness, could use private channels. For instance, you could have a private channel for managers to receive advance notifications of important company announcements before general release.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
The Architecture of Private Channels
A team is composed of channels. By default, anyone belonging to the team can participate in the discussions hosted by the channel. Members can also access the apps available through channel tabs, including the files posted in the SharePoint team site owned by the team. It’s a very democratic way of working.
A private channel is a subset of a team with its own set of settings and members. Channel members, including guests, must first be a member of the host team before they can be made a member of a private channel. If someone leaves a team, they also lose membership of any private channels in that team. Conversations within a private channel occur like those in standard channels with the exception that only channel members can participate. One way of thinking of a private channel is that it’s like being in a group chat with threaded conversations with the added benefit of also having a secure document library available to store shared files.
SharePoint Sites and Private Channels
The big point to understand in the architecture of private channels is that each private channel has its own SharePoint site collection. There can be up to 30 private channels in a team, each of which supports 250 members. Thus, a team fully equipped with private channels will have 31 SharePoint sites; one for general access and one for each of the private channels. To accommodate the expected growth in sites caused by private channels, Microsoft has increased the maximum number of sites supported by an Office 365 tenant from 500,000 to two million.
The sites used for private channels are created in the same geographic region as the parent team and inherit settings from the parent site (the classification setting is synchronized automatically by Teams). Afterwards sites belonging to private channels function independently. Guest access always depends on the parent team setting, so if guests are allowed for the parent team, they are supported for any private channel belonging to the team. Channel owners are administrators of the site while channel members are site members. Users know that the sites are linked to a private channel through visual hints shown when they visit the site (Figure 1).
Managing SharePoint Sites Belonging to Private Channels
The sites belonging to private channels are hidden from the SharePoint Admin Center because management of these sites should be done through Teams. This is especially important for member access to the sites used by private channels. To make sure that the right people have access to a site belonging to a private channel, Teams synchronizes the channel members to the owners and members SharePoint groups for the site every four hours (this is the SLA; synchronization can happen faster). In other words, don’t try to add or remove members to these groups via SharePoint as Teams will overwrite your changes. If you need to customize access to a private channel’s site for some reason, use the Visitors group or create another group.
Microsoft’s choice to assign a separate SharePoint site for each private channel instead of another option, like a dedicated folder within the site belonging to the team, usually creates a hubbub of comment. The need to protect the privacy of the private channel is the reason why it has a separate site. Remember that Teams is built on top of Office 365 Groups and the membership model used by Groups allows free access to all resources for all group members. By using a separate site, Teams can guarantee access to the content stored in the site is restricted to the members of the private channel. Team owners can see that a private channel exists, but they can’t access a private channel unless they are made a member of the channel.
If you don’t like the chosen architecture and want team owners to have full visibility within a team then simply add team owners to the channel membership. Alternatively, ignore private channels and create new teams whenever the need exists to keep work private to distinct sets of users.
Access control to ensure privacy is very important to a private channel. It is this requirement that creates some challenges for first- and third-party apps that integrate with Teams. Microsoft says that, apart from Planner, their first-party apps (including the Wiki) support private channels. ISVs will take a little extra time to come up to speed with the new structure and upgrade their apps to support private channels.
Popular Addition for Teams
Given the demand for private channels, there’s no doubt that this will be a popular feature within the Teams community. One big advantage that you gain from private channels is the elimination of the need to create a brand new team to support subsets of members. That should reduce some of the proliferation of teams seen in some tenants today.
It will be interesting to see how tenants use private channels in production. Microsoft has run a long TAP (test program) to validate their implementation of private channels and say that everything works. The hard test of widespread deployment now awaits.