1. Microsoft Teams Hierarchy & Architecture

Microsoft Teams serves as a “logical wrapper” or frontend that aggregates data and services from across the Microsoft 365 ecosystem. It does not natively store its own data; instead, it relies on the following underlying architecture:

  • The M365 Group: The foundational identity and access framework. Creating a Team automatically provisions an M365 Group, which provides a shared Exchange mailbox, calendar, and SharePoint site.
  • SharePoint Online: Stores all files uploaded within standard and private Team channels. Each Team is connected to a specific SharePoint Site Collection.
  • OneDrive for Business: Stores files shared during 1:1 or group chats.
  • Exchange Online: Manages the Team calendar and stores “hidden” copies of all chat messages for compliance, eDiscovery, and search purposes.
    • User Mailboxes: Store copies of 1:1 chat and group chat messages.
    • M365 Group Mailboxes: Store copies of standard channel messages.
  • Entra ID: Handles the core user identity, authentication, and the enforcement of naming and expiration policies.

2. Governance & Lifecycle Management

  • Provisioning Strategy: Enterprise environments often disable self-service Team creation to prevent sprawl. A documented and functional provisioning workflow (e.g., via Power Automate or a custom app) is essential.
  • Naming Conventions: Enforced via Entra ID (e.g., [Department] - [Project Name]). Blocked word lists should be configured to prevent unauthorized use of terms like “HR” or “Payroll”.
  • Lifecycle & Expiration: Backed by M365 Groups. Expiration policies (e.g., 365 days) trigger renewal emails to owners. Orphaned Teams must have an escalation path for reassignment or archiving.
  • Archiving: Preferred over deletion for compliance. Archiving makes the SharePoint site read-only and freezes the chat.

3. External Collaboration & Access Types

  • External Access (Federation): Allows users to find, call, and chat with people in other M365 domains. It does not grant access to channels or files.
  • Guest Access: Grants external users access to specific Teams, channels, and files via Entra External ID (B2B collaboration). It must be enabled at the Tenant, Group, and Site levels.
  • Shared Channels (B2B Direct Connect): Allows sharing a single channel with external organizations without adding them as guests. This requires cross-tenant access settings in Entra ID for both inbound and outbound traffic.

4. Meeting, Calling, & Device Policies

  • Meeting Policies:
    • Lobby Management: The safest default is “People in my organization” to ensure external users only bypass the lobby when explicitly desired.
    • Recording & Transcription: Controlled via policies. Recordings are saved to OneDrive (for chats) or SharePoint (for channel meetings).
  • Telephony / Voice: Connectivity models include Calling Plans, Operator Connect, or Direct Routing. Voice routing is traced via the Dial Plan, Voice Routing Policy, PSTN Usage, and Voice Route.
  • Resource Accounts: Used for Auto Attendants and Call Queues. These require a “Microsoft Teams Shared Devices” or a free “Microsoft Teams Phone Resource Account” license.

5. App Governance & Management

  • Permission Policies: Control which users can install specific apps. A common enterprise standard is blocking all third-party apps by default until they pass a security review.
  • Setup Policies: Control the “Left Rail” (app bar) layout. They are used to pin critical apps like Viva Connections or ServiceNow for specific departments.

6. Troubleshooting & Diagnostics

  • Call Quality Dashboard (CQD): The primary tool for investigating audio/video issues like jitter or dropped calls.
  • “New Teams” Client (v2): Built on WebView2 rather than Electron. To clear the cache, delete the contents in %localappdata%\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams.
  • Teams Web App: Using https://teams.microsoft.com/v2/ is the recommended first step to isolate client-side from tenant-side issues.

7. Essential PowerShell Cmdlets (MicrosoftTeams Module)

  • Connection: Connect-MicrosoftTeams
  • Team Management:
    • Get-Team -User user@domain.com (finds all Teams a user belongs to)
    • Set-Team -GroupId <ObjectID> -Visibility Private
  • Policy Assignment:
    • Grant-CsTeamsMeetingPolicy -Identity user@domain.com -PolicyName "Restricted Meetings"
  • Voice Configuration:
    • Get-CsOnlineUser -Identity user@domain.com | Format-List LineURI, EnterpriseVoiceEnabled, VoiceRoutingPolicy
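
The following is an added example, not part of the original notes: a read-only audit that uses the same module to check two controls described above, the lobby setting from section 4 and orphaned Teams from section 2. It assumes an account with a Teams administrator role; the variable names are illustrative.

```powershell
# Added example: read-only governance audit (changes nothing in the tenant).
# Requires the MicrosoftTeams module and a Teams administrator role.
Connect-MicrosoftTeams | Out-Null

# Section 4, Lobby Management: flag meeting policies whose AutoAdmittedUsers
# value lets federated or anonymous participants bypass the lobby.
# Narrower values (for example EveryoneInCompany) keep them waiting.
$broadLobby = 'Everyone', 'EveryoneInSameAndFederatedCompany'
$lobbyFindings = Get-CsTeamsMeetingPolicy |
    Where-Object { $_.AutoAdmittedUsers -in $broadLobby } |
    Select-Object Identity, AutoAdmittedUsers, AllowCloudRecording, AllowTranscription

# Section 2, Lifecycle & Expiration: find orphaned Teams, i.e. Teams with no
# owner left to receive renewal emails. Get-Team without filters enumerates
# every Team, so expect this loop to be slow in a large tenant.
$orphaned = foreach ($team in Get-Team) {
    $owners = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
    if ($owners.Count -eq 0) {
        [pscustomobject]@{
            DisplayName = $team.DisplayName
            GroupId     = $team.GroupId
            Visibility  = $team.Visibility
            Archived    = $team.Archived
        }
    }
}

'Meeting policies that admit outside participants past the lobby:'
$lobbyFindings | Format-Table -AutoSize

'Teams with no owner (candidates for reassignment or archiving):'
$orphaned | Format-Table -AutoSize
```

A policy that appears in the first table can be replaced for affected users with Grant-CsTeamsMeetingPolicy, as listed above.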