Part 1 — Implementation
The most requested enhancement to Teams on the Microsoft Teams UserVoice website has been Private channels — this is now rolling out to tenants, having being launched last week during Ignite 2019 in Orlando.
Private channels provide a subset of the overall Teams membership with a private area for collaboration. We’ll expand on this in Part 2.
In this multi-part blog post I want to start by looking at how this has been implemented as this can have profound implications on how you design your SharePoint information architecture.
Microsoft Teams — Permissions Recap
Before digging into how this has been implemented it’s worth re-visiting Teams permissions prior to this enhancement.
Every time a Microsoft Team is created an associated Office 365 group is also provisioned (unless you are owner of an existing Office 365 group in which case you can bolt your new Team onto that)
As always, this Office 365 Group spins up an instance of Planner, a shared OneNote Notebook (stored in SharePoint), a shared calendar & inbox (stored in Exchange) — and a SharePoint Online site collection.
All document storage in Teams channels uses the ‘Default Documents’ library in this SharePoint site collection.
All Team members have access to all content in the Team — this includes documents in the library — and this is achieved by adding the Office 365 Group to the SharePoint Members group of the site.
The Team Owner(s) become the Site Collection Administrator(s) and thus will always have access to all content in the site.
Now, we could implement granular access to documents by creating additional document libraries in this site and breaking permissions inheritance from the site object on these libraries. We could also create additional folders in the Documents library with unique permissions.
This however doesn’t prevent the Team owner — who is Site Collection admin if you recall — from removing these unique permissions and gaining access to this content.
Private Channel Permissions
In short, implementing Private channels is going to require a different approach and the approach Microsoft have taken is to spin up a separate site collection for each Private channel created. That way security can be guaranteed. The channel creator becomes the Site Collection admin for this lightweight SharePoint Site and is also placed in the Members & Owners SharePoint Groups for the site. Any channel members are added to the Members SharePoint group in the site.
This ensures privacy, only the channel creator and members added have access to this content.
The overall Teams owner does not have access to this content, unless invited by the channel creator.
Since you can create up to 30 Private channels per Team, this means a Microsoft Team can now be associated with up to 31 SharePoint site collections.
In Part 2 we will look at how to create and use Private channels.