Groups Membership Model Makes Teams Private Channels Hard to Implement

Posted on by Tony Redmond in Microsoft Teams, Office, and Office 365 with 4 Comments

Teams Splash

Teams Fervent Work to Satisfy UserVoice

Despite being the most popular UserVoice request (by quite a margin), the desire for Teams to have secure channels isn’t on the Office 365 Roadmap. However, a UserVoice response from the Teams development group says that they are “working on it, fervently.”

Every team has at least one channel (the default channel is called General) and can have up to 200. A channel is a way of dividing discussions within a team into logical topics. Each channel can be customized with its own tabs and apps to support the discussions it hosts. For now, all channels in a team are open to all members. In other words, once you post something in a team, any member can see what you’ve done. It’s all very democratic.

The idea behind secure channels seems simple on the surface. It’s a feature that exists in Slack, the major competitor for Teams and basically means that a channel can be public (like they are today) or private (limited to certain members). And there lies the problem.

Teams and Groups

Teams is built on top of the Office 365 Groups service. A central principle of Groups is members enjoy equal access to all resources belonging to the group, whether that resource is a SharePoint team site, plans inside Planner, or as noted above, all the conversations in all channels in the team. Equal access extends to guest users from outside the tenant.

Access granted by group membership only works for applications which support Office 365 Groups. If you add a third-party app via a tab in a channel, you must ensure that team members can access the the third-party app (ideally using their Office 365 credentials).

Teams and the Office 365 Ecosystem

For Microsoft is to introduce secure channels, they might have to compromise the Office 365 Groups principle of equal access for all by imposing filtered access to those channels. If Teams were a standalone app (like Slack is), the implementation would be straightforward. When an admin marks a channel as secure, they could apply a filter to limit access to the channel. For instance, they might say that the channel is not available to guest users or can only be accessed by a defined set of users.

But the big problem is that Teams doesn’t operate independently. Instead, Teams is deeply embedded into the Office 365 ecosystem and must therefore do nothing that impacts that ecosystem.

SharePoint the Key

SharePoint Online is the most obvious difficulty to overcome. Every team has a SharePoint site and every channel has a folder within a document library in that site. SharePoint synchronizes permissions in its directory (SPODS) to align with the membership of the group that underpins the team to ensure that all members can access documents, lists, and other information in the site. Everything works well.

Introduce the notion of a secure channel and the current permissions model doesn’t work as well. You can, of course, adjust permissions inside SharePoint to block members who aren’t on the secure channel access list from data in the channel folder, but that’s likely to be an irritant to those members (much like if you use encryption to protect documents against guest access).

The Office 365 Ecosystem

Because Teams is part of the Office 365 ecosystem, the developers can’t take a decision that works for SharePoint but causes problems for other applications that might be part of a channel. Consideration must be given to Planner, OneNote, Stream, the Teams wiki, and anything else that can be attached to a channel. Even search would be impacted because it would have to filter out results for secure channels.

And what about meetings that appear in the calendar of the Exchange group mailbox belonging to the team? If a meeting is scheduled in a secure channel, does that mean that non-channel members can see the meeting details in the calendar?

In short, adding secure channels to Teams is not as simple as people might assume. Secure channels might not ever appear, and that’s OK with me as I would prefer not to compromise the current model just to deliver a feature for a single application.

Teams and Slack are Apples and Oranges

I’ve seen some comments that Teams needs secure channels because Slack has private channels and that users won’t move if Teams doesn’t introduce the feature. This attitude is short-sighted.  Teams is part of Office 365. Slack is not. Teams is integrated with the Office ecosystem in a way that Slack can never be. And workarounds are available if you really want to have limited conversations. Either use a private chat (for up to 50 people) or create a team for the favoured few and share to your heart content’s there. Where there’s a will, there’s a way.

And given that some 420,000 organizations now use Teams, lots of people have found out how to use Teams successfully, without a secure channel in sight.


Don't have a login but want to join the conversation? Sign up for a Petri Account