author: Jonathan Stuckey
Microsoft introduced integrated management for permissions, linking a Microsoft Teams channel to SharePoint site access and permissions (see M365 Message Centre: MC282480, MC261534 and Private channels in Microsoft Teams - Microsoft Teams | Microsoft Docs).
The extension of Private Channel support for integrated permissions seemed like a great step forward, introducing much-needed consistency and integration between the products and services... except that one key area of permissions inheritance has some frankly nuts UX for different roles, and serious implications for managing your sites... [specifically in Deleting private channel]:
In this last month though I've been testing out the operational control and management of this functionality and I discovered that Microsoft has again released functionality without thorough testing - functional or usability based.
The statement on docs.microsoft.com seems relatively innocuous, and at first glance does not seem significant - until you test out the scenario of create|update|delete a private channel with content and validate the impact.
This is worse than the normal lapses in UI design standards or missed options though, because this change does unforgivable things in admin:
allows Owner roles to make significant change to site, communication and content, without being directly granted rights, and
offers 1 obscure recovery option in the event of a mistake (or malicious action) - causing perception of non-recoverable loss of data for users.
...it also does some bananas things with broken, malformed Teams URLs, and just plain confusing options.
But surely it's just...
NO! Stop right there. I've worked for a long time with Microsoft products, SharePoint and Microsoft Teams in particular (even before they were SharePoint and Microsoft Teams). I have seen far too many mistakes, so many in fact that in the 2000s the MVPs coined the term "it's a SharePoint surely (speak: 'Shirly')" - when the product-group stuff-up was so monumental that you just throw up your hands and want to change career.
In fact these sorts of problems got so frequent we had a blond wig and would pass it around when we heard someone in the office say "SharePoint..?! But surely it just/does/can.." - you could hear the sound of sheer stupidity galloping up behind you.
To prove the point I've added a video step-through here:
Testing
If you want to prove it to yourself, then here's what I did...
Scenarios
We're being pretty basic here - just checking the scope of impact of configuration, with a couple of role-based scenarios. We are specifically interested in the integration to Private Channel, the communication, associated SharePoint site and content:
1. Can a Member of Private channel change or delete it?
   If so, is it recoverable?
   If not, how is user guided or managed?
2. Can the Owner who created the Private channel delete it?
   If so, what happens?
   Is it recoverable?
   If not, how is the Owner guided or managed?
3. Can an Owner, who did not create the Private channel and is not a member, change or delete it?
   If so, what happens?
   Is it recoverable?
   If not, how is the Owner guided or managed?
4. Can an M365 Admin, who did not create the Private channel and is not a member, change or delete it?
   If so, what happens?
   Is it recoverable?
   If not, how is the Administrator guided or managed to complete task?
Note:
When I ran this in the video...
no customisation or changes were made to the Teams or applied policies.
the test Owner or Member user accounts do not have additional permissions
Setup
Create a Microsoft Team
Add 2 Owners and a team member
Switch to be one of Owners
Go to the site
Create Private channel
Add the Member to Private channel membership
CAUTION: DO NOT add the other Owner to the Private channel
Run scenarios
As each role, run the following steps:
  Navigate to the test Microsoft Teams
  Check if the Private Channel is visible in the UI
    If it is visible
      click on the ellipsis (menu) next to channel
      select 'delete Channel' (if option is visible)
      click 'Delete'
    If it is not visible
      click on the ellipsis (menu) next to the Microsoft Team name
      select 'manage team'
      on the main screen now click 'Channels'
  Repeat the above for each role identified for testing
Do the following additional steps for Owner and administrator roles, after Channel has been deleted:
In a browser
  open https://admin.teams.microsoft.com
    go to Manage Teams (Manage teams - Microsoft Teams admin center)
    check for Test Microsoft team
    confirm if has Private Channel site count greater than (0)
      if yes - click on Team details and confirm name
      if count is (0) the site is not accessible or manageable via admin UI
  open https://<tenancy>-admin.sharepoint.com
    go to navigation on left - click on Sites > Active sites
    check for site with name of the Microsoft Team
      if 'Channel sites' is greater than (0) - check details of the site.
      If site exists here - content is not lost, and users can still access documents
      If site does not exist here check Deleted sites list
    go to navigation on left - click on Sites > Deleted Sites
    check for site with URL & name of the Microsoft Team Private Channel
      If site is visible here - it is recoverable by admin
      If site is not visible here it is not recoverable with only admin privileges.
Test results
Table: test results from trying the delete/recover process on a private channel and its underlying site
Role | Delete Private Channel | Recover Private Channel | Clear Guide or dialogue | Manage deleted channel in Teams | See deleted channel in Teams Admin | See deleted site in SP Admin |
Member | No | n/a | n/a | No | n/a | n/a |
Owner who created Channel | Yes | Yes | No | Yes | n/a | n/a |
Owner - Channel | Yes | Yes | No | Yes | n/a | n/a |
Owner - Parent only | Yes | Yes | No | Yes | n/a | n/a |
Admin - not member | No | No | None | No | No | No |
Implications
If you are an ordinary Microsoft Team member - no change
If you are Owner of a Channel someone can remove your channel without your approval
If you are an Administrator and someone reports Private Channel (or SP site) missing - you have no way to find it without adding your admin account to the specific Microsoft Team as an Owner
Closing note
Based on the unintended administration experience and complete lack of control, as well as the horrendous user-perception of permanent data-loss I just cannot recommend using Private Channels without introducing either:
controls preventing Owners from managing Private Channels, or
extended monitoring and alerting processes that cover channel deletion events, or
an add-on 3rd-party data-recovery UX/interface for users
The fact Microsoft allow any Owner on a site with the Private channel, regardless of if they are a member/owner of the Channel, to remove it, the associated SharePoint site and all content in a non-visible means (to admin) is just this side of idiotic.
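One way to cover the channel-deletion monitoring suggested above, as an added example that is not from the original post: a Python filter over exported unified audit log records that flags private-channel deletions and rates them higher when the deleting account was not a member of the channel. It assumes the records follow the Microsoft Teams audit schema (Operation `ChannelDeleted`, `ChannelType`, `ChannelGuid`, `UserId`); the sample records and the `CHANNEL_MEMBERS` roster snapshot are constructed for illustration.

```python
import json

# Constructed sample export, one AuditData JSON object per line. Field names
# are assumed to follow the Microsoft Teams audit schema; all values are made up.
SAMPLE_AUDIT_LINES = """
{"CreationTime":"2022-03-01T09:10:00","Operation":"ChannelDeleted","UserId":"owner1@example.test","TeamName":"Test Team","ChannelName":"Lunch","ChannelGuid":"19:std1@thread.tacv2","ChannelType":"Standard"}
{"CreationTime":"2022-03-01T09:15:00","Operation":"ChannelDeleted","UserId":"Owner2@example.test","TeamName":"Test Team","ChannelName":"Private Test","ChannelGuid":"19:priv1@thread.tacv2","ChannelType":"Private"}
{"CreationTime":"2022-03-01T09:20:00","Operation":"ChannelDeleted","UserId":"owner1@example.test","TeamName":"Test Team","ChannelName":"Private Two","ChannelGuid":"19:priv2@thread.tacv2","ChannelType":"Private"}
{"CreationTime":"2022-03-01T09:25:00","Operation":"MemberAdded","UserId":"owner1@example.test","TeamName":"Test Team"}
{"CreationTime":"2022-03-01T09:30:00","Operation":"ChannelDel
"""

# Hypothetical roster snapshot taken before deletion: channel id -> member UPNs.
CHANNEL_MEMBERS = {
    "19:priv1@thread.tacv2": {"owner1@example.test", "member1@example.test"},
    "19:priv2@thread.tacv2": {"owner1@example.test"},
}


def find_private_channel_deletions(lines, roster):
    """Return one alert per private-channel deletion found in the export."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed rows instead of aborting
        if not isinstance(rec, dict) or rec.get("Operation") != "ChannelDeleted":
            continue
        if str(rec.get("ChannelType", "")).lower() != "private":
            continue
        actor = str(rec.get("UserId", "")).lower()
        members = {m.lower() for m in roster.get(rec.get("ChannelGuid"), ())}
        alerts.append({
            "time": rec.get("CreationTime"),
            "team": rec.get("TeamName"),
            "channel": rec.get("ChannelName"),
            "actor": actor,
            # Unknown roster or non-member actor: the case the post warns about.
            "severity": "medium" if actor in members else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_private_channel_deletions(SAMPLE_AUDIT_LINES, CHANNEL_MEMBERS):
        print(alert)
```

A channel with no roster entry is rated high, so a missing snapshot never hides a deletion.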
REQUEST: anyone who deals with administration, information management or operational teams and support PLEASE report an issue/bug on the user-experience. If you have access this can be done from: Service health - Microsoft 365 admin center ... and Report an Issue
Or just click the "give feedback" button in the bottom right and fill in the form.