Most of you will be familiar with the dialog when creating a team:
And basically, every Teams user should know the difference between these two teams:
“Private” means that the team owners decide who is a member of the team.
“Public” means that every user in the company can see this team and join it without confirmation from the team owner.
In my view, there are only very few use cases for a public team – because the better place for public communities is Viva Engage. Nevertheless, you can always find public teams at customers that should actually be private teams. Unfortunately, there is no setting from Microsoft that prevents the creation of public teams – but more on that later.
What does this have to do with M365 Copilot?
What is not clear to all users (and administrators) is that the contents of public teams are found in the Office 365 search by all users. That means all documents that are in the team. Without the user having to be a member of that team. Also, any user can then open these documents in SharePoint. This works great in the M365 search, but also in the Teams search or in Delve. M365 Copilot also accesses all content that the user has access to – and thus of course also all content from all public teams. In contrast to the normal search of the users, M365 Copilot will link these contents much better and also use them in its answers – that means at the latest then it will be massively noticeable.
What can I do as an admin now?
The first step is to identify how many public teams there are in the company.
The easiest way is as follows:
Https://admin.microsoft.com – Go to Teams and Groups – Active teams and groups The list of Teams & Microsoft 365 Groups can be easily exported there.
Sorry for the german screenshot!
If you convert the CSV into an Excel spreadsheet, you can easily filter for M365 groups that are public. Now you know your problem.
I am not a Powershell expert, but there are enough examples on the net that extract not only the list of teams but also the names of the owners. With this, you can contact the owners and ask them to change the type of the team. For the very hard ones, my colleague Philipp Ebner has written a 2-liner that converts all public teams into private teams:
#Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline
$Groups = Get-UnifiedGroup | Where-Object -Property AccessType -eq „Public“
foreach ($Group in $Groups) {Set-UnifiedGroup -Identity ($Group).Name -AccessType „Private“}
How can I prevent the creation of public teams as an admin?
You can do this with sensitivity labels
Sensitivity labels are a way to classify and protect your data in Microsoft 365. You can use them to apply settings such as encryption, watermarks, access restrictions, and retention policies to your teams, groups, sites, files, and emails. You can also prevent users from creating public teams by applying a sensitivity label that requires private team membership. Here are some steps to do that:
- Go to compliance.microsoft.com and sign in as a global admin or compliance admin.
- In the left navigation, go to Information protection > Labels and select Create a label.
The next step is to publish the label
In this step you can choose a test group to test the policy
I hope this helps a little bit…
