
Groups Membership Model Makes Teams Private Channels Hard to Implement


Teams Fervent Work to Satisfy UserVoice

Despite being the most popular UserVoice request (by quite a margin), the desire for Teams to have secure channels isn’t on the Office 365 Roadmap. However, a UserVoice response from the Teams development group says that they are “working on it, fervently.”

Every team has at least one channel (the default channel is called General) and can have up to 200. A channel is a way of dividing discussions within a team into logical topics. Each channel can be customized with its own tabs and apps to support the discussions it hosts. For now, all channels in a team are open to all members. In other words, once you post something in a team, any member can see what you’ve done. It’s all very democratic.

The idea behind secure channels seems simple on the surface. It’s a feature that exists in Slack, the major competitor for Teams, and basically means that a channel can be public (like they are today) or private (limited to certain members). And there lies the problem.


Teams and Groups

Teams is built on top of the Office 365 Groups service. A central principle of Groups is that members enjoy equal access to all resources belonging to the group, whether that resource is a SharePoint team site, plans inside Planner, or, as noted above, all the conversations in all channels in the team. Equal access extends to guest users from outside the tenant.

Access granted by group membership only works for applications that support Office 365 Groups. If you add a third-party app via a tab in a channel, you must ensure that team members can access the third-party app (ideally using their Office 365 credentials).

Teams and the Office 365 Ecosystem

For Microsoft to introduce secure channels, they might have to compromise the Office 365 Groups principle of equal access for all by imposing filtered access to those channels. If Teams were a standalone app (like Slack is), the implementation would be straightforward. When an admin marks a channel as secure, they could apply a filter to limit access to the channel. For instance, they might say that the channel is not available to guest users or can only be accessed by a defined set of users.

But the big problem is that Teams doesn’t operate independently. Instead, Teams is deeply embedded into the Office 365 ecosystem and must therefore do nothing that impacts that ecosystem.

SharePoint the Key

SharePoint Online is the most obvious difficulty to overcome. Every team has a SharePoint site and every channel has a folder within a document library in that site. SharePoint synchronizes permissions in its directory (SPODS) to align with the membership of the group that underpins the team to ensure that all members can access documents, lists, and other information in the site. Everything works well.

Introduce the notion of a secure channel and the current permissions model doesn’t work as well. You can, of course, adjust permissions inside SharePoint to block members who aren’t on the secure channel access list from data in the channel folder, but that’s likely to be an irritant to those members (much like if you use encryption to protect documents against guest access).

The Office 365 Ecosystem

Because Teams is part of the Office 365 ecosystem, the developers can’t take a decision that works for SharePoint but causes problems for other applications that might be part of a channel. Consideration must be given to Planner, OneNote, Stream, the Teams wiki, and anything else that can be attached to a channel. Even search would be impacted because it would have to filter out results for secure channels.

And what about meetings that appear in the calendar of the Exchange group mailbox belonging to the team? If a meeting is scheduled in a secure channel, does that mean that non-channel members can see the meeting details in the calendar?
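The problem can be made concrete with a small model of the access decision. This is an added example, not code from Microsoft or from the original article; the workload labels, the user names and the `filter_aware` parameter are assumptions made for illustration. It shows that a channel allow-list protects nothing in any workload that still authorizes on group membership alone.

```python
from dataclasses import dataclass, field

# Workloads the article names as attachable to a channel (labels are illustrative).
WORKLOADS = ["Teams", "SharePoint", "Planner", "OneNote",
             "Stream", "Wiki", "Search", "Calendar"]

@dataclass
class Team:
    members: set                                 # members of the underlying group
    guests: set = field(default_factory=set)     # guests are group members too
    secure: dict = field(default_factory=dict)   # channel name -> allow-list

    def group_members(self):
        return self.members | self.guests

def can_access(team, user, channel, workload, filter_aware):
    """Decision a single workload makes for a resource tied to a channel."""
    if user not in team.group_members():
        return False
    allow = team.secure.get(channel)
    if allow is None or workload not in filter_aware:
        # Open channel, or a workload that only understands group membership.
        return True
    return user in allow

def exposure(team, channel, filter_aware):
    """Per workload: group members outside the allow-list who still get in."""
    allow = team.secure.get(channel, team.group_members())
    outsiders = team.group_members() - allow
    report = {}
    for workload in WORKLOADS:
        leaked = sorted(u for u in outsiders
                        if can_access(team, u, channel, workload, filter_aware))
        if leaked:
            report[workload] = leaked
    return report

# Constructed sample data: three members, one guest, one secure channel.
team = Team(members={"ann", "bob", "cat"},
            guests={"guest@partner.example"},
            secure={"Deals": {"ann", "bob"}})

if __name__ == "__main__":
    # Only Teams and SharePoint have been taught about the channel filter.
    for workload, users in exposure(team, "Deals", {"Teams", "SharePoint"}).items():
        print(f"{workload}: still visible to {users}")
```
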

In short, adding secure channels to Teams is not as simple as people might assume. Secure channels might not ever appear, and that’s OK with me as I would prefer not to compromise the current model just to deliver a feature for a single application.

Teams and Slack are Apples and Oranges

I’ve seen some comments that Teams needs secure channels because Slack has private channels and that users won’t move if Teams doesn’t introduce the feature. This attitude is short-sighted. Teams is part of Office 365. Slack is not. Teams is integrated with the Office ecosystem in a way that Slack can never be. And workarounds are available if you really want to have limited conversations. Either use a private chat (for up to 50 people) or create a team for the favoured few and share to your heart’s content there. Where there’s a will, there’s a way.

And given that some 420,000 organizations now use Teams, lots of people have found out how to use Teams successfully, without a secure channel in sight.



Comments (4)


  1. "Because Teams is part of the Office 365 ecosystem, the developers can’t take a decision that works for SharePoint but causes problems for other applications that might be part of a channel. Consideration must be given to Planner, OneNote, Stream, the Teams wiki, and anything else that can be attached to a channel."

     That suggests a problem with the platform, not the individual applications. The platform should have a unified permissions subsystem each app can implement, rather than each having to create its own. That subsystem should also address long-standing issues, such as the lack of "deny" permissions in SharePoint, group membership limits (currently ~1,000, which can be an issue for project-oriented work), etc.

    • In reply to bluvg: Well, you can argue what the permissions model should be, but I simply point out the ramifications of what the model actually are… And it's hard to retrofit a new permissions model across a range of applications.

  2. I've only used Slack a bit, and we are just starting to use MS Teams in my organization… but given that, to me this sounds more like a governance discussion than a feature discussion.

     If a group of people need a private discussion, then they should have a new, exclusive, O365 Group to accommodate them. If the organization doesn't let them create that new O365 Group, well, then, that is an IT governance decision.

     As I try to understand and learn the concepts of O365 Groups I find using a Facebook group as an analogy very fitting. If I am in a Facebook group, but I want a private subset of that group what would I do? Obviously, create another fb group. Microsoft seems to be pushing a flat architecture these days. Having a private channel would add a parent/child hierarchy to the overall model and would go against the flat architecture model.

     At least this is how I see this discussion.

    • In reply to mikefarinha: Yep. I think this is a perfectly valid strategy. Apart from the danger of ending up with a surplus of groups, it's logical and easy to manage.


Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.