While working on my current book, I was thinking about a deeper exploration of how Microsoft Teams handles permissions and content. One of our Sr. Customer Engineers has a fantastic (and very expansive) diagram of the moving pieces, which I’ve adapted to fit here.
Here’s a brief excerpt of some of the type of content that you’ll see as we unravel the web of interdependency.
Background
We can’t really talk about a team’s architecture until we talk about the underlying components.
Microsoft 365 Groups
Ah, the Microsoft 365 group. We’ve called them a few things over the past few years (Modern Group and Office 365 Group are two of the most popular names we’ve used). So, let’s take a peek into this special Azure AD-only object.
You’ll notice right away three main data services are involved:
- Exchange Online (group mailbox)
- SharePoint Online (SharePoint Modern Team site)
- OneNote Notebook
Every Microsoft 365 group is comprised of these three main pieces (mailbox, site, notebook).
Exchange Online
Exchange Online provides a mailbox component–and the two most important pieces of it are the Inbox and the Calendar.
The Inbox is where all of the content that gets sent to the group will go. Members of the group can choose to subscribe to the group, which causes the Exchange Online service to treat them like a traditional distribution list member and deliver a copy of all messages to the member’s inbox. Members can also choose to not subscribe, which means copies of the messages won’t get delivered to a member’s mailbox–the member will need to open up the group mailbox and read the messages themselves.
Each Microsoft 365 group mailbox also contains a calendar–just like a traditional shared mailbox calendar, you can schedule meetings and events.
The next part of a Microsoft 365 group is the SharePoint site collection (in modern SharePoint, all new sites are site collections by default–though you can still create subsites). By default, the site uses the Modern GROUP#0 Teamsite template. Like any other SharePoint site, you can apply branding and themes (and even make it part of a hub site topology).
Microsoft 365 groups have the concepts of owners and members. Owners can change the properties of a group, while members … well, they’re just members. When it comes to the SharePoint aspect, the group’s Owners are mapped into the Site Collection Administrators and Site Owners SharePoint groups, while the members are mapped to the Site members SharePoint group.
As you use the Microsoft 365 group, email messages will get stored in the Inbox. Any attachments sent with those emails will be pulled off and stored in the default document library of the group’s corresponding SharePoint site.
OneNote
The final piece is the OneNote Notebook. While the storage of the OneNote file is maintained in SharePoint Online, the structure and format are part of the OneNote service. The OneNote Notebook is stored as a file in the Site Assets document library.
Now, we can look at a Team.
Teams
This will probably look like an eye chart, but I’ll do the best I can:
Let’s go ahead and deconstruct this.
You’ll notice we added a new service (Teams), a few columns underneath it, and then some other boxes and lines all over the place.
Before we get too far, we’ll address the parallel tracks–Teams have the concept of public and private channels–basically, a control mechanism that allows you to share information with a smaller subset of team members. In order to manage the security of the private channel, a new site is created. The membership of the private channel is used for the site owner and membership lists, and the team’s object GUID is stored in the private channel site’s RelatedGroupId property (for some information on how this impacts eDiscovery, check out my post on that).
We’ll come back to private channels in a minute.
Public Channels
There’s lots of stuff going on here, so we’ll tackle it top-down.
- A public channel gets a default Notebook tab (that you can show or not). That Notebook tab is stored in the Microsoft 365 group’s OneNote Notebook.
- A team also gets a Wiki. A new list is created in the group’s SharePoint site called Teams Wiki Data List.
- While a Microsoft 365 group stores all email attachments in the default document library at the top level, a team stores its files in subfolders named after each channel in the default document library. If you create a brand new team and then go browse the SharePoint site, you’ll see the Documents document library, and then a single folder under it called General, which is where files from the General channel will be stored. Each new public channel that you create will cause a new subfolder to be provisioned.
- If you conduct channel meetings and record them, a new subfolder called Recordings will be created in the corresponding channel’s SharePoint folder and new recordings will be placed there.
- A channel’s calendar data is stored on the Microsoft 365 group mailbox calendar.
- A channel’s conversation data is stored in the TeamsMessagesData hidden subfolder of the group mailbox’s Conversation History folder.
You can easily apply retention to Teams data using the Security & Microsoft 365 Compliance Center.
Private Channels
Like public channels, private channels have conversations and file storage. Only in this case, there are some important differences:
- As I mentioned previously, in order to manage the security of the private channel, a new site is created. The membership of the private channel is used for the site owner and membership lists, and the team’s object GUID is stored in the private channel site’s RelatedGroupId property.
- Conversations are not stored in the group mailbox folder but in the private channel members’ mailboxes.
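The layout above means a retention or eDiscovery scope built only from the group mailbox and group site leaves out private channel files and conversations. This added example (not code from the original post) joins a constructed site inventory on RelatedGroupId to list every location per team. The record fields mirror Get-SPOSite properties; the TEAMCHANNEL# template prefix for private channel sites, the function names and all sample data are assumptions.

```python
EMPTY_GUID = "00000000-0000-0000-0000-000000000000"

def is_private_channel_site(site):
    # Assumption: private channel sites use a TEAMCHANNEL#<n> template.
    return site["Template"].upper().startswith("TEAMCHANNEL#")

def build_hold_scope(sites, group_mailboxes, channel_members):
    """Return ({group_id: {"sites", "mailboxes"}}, orphaned_site_urls)."""
    scope = {gid.lower(): {"sites": set(), "mailboxes": {mbx}}
             for gid, mbx in group_mailboxes.items()}
    orphans = []
    for site in sites:
        if is_private_channel_site(site):
            # Private channel site: the parent team is in RelatedGroupId.
            parent = site["RelatedGroupId"].lower()
            if parent not in scope:
                orphans.append(site["Url"])  # parent team unknown or deleted
                continue
            scope[parent]["sites"].add(site["Url"])
            # Private channel conversations live in the members' mailboxes.
            scope[parent]["mailboxes"].update(channel_members.get(site["Url"], []))
        else:
            gid = site.get("GroupId", EMPTY_GUID).lower()
            if gid in scope:
                scope[gid]["sites"].add(site["Url"])  # group-connected site
    return scope, orphans

# --- Constructed sample inventory (hypothetical tenant, not real data) ---
FINANCE = "11111111-1111-1111-1111-111111111111"
BASE = "https://contoso.sharepoint.com/sites/"
SITES = [
    {"Url": BASE + "Finance", "Template": "GROUP#0",
     "GroupId": FINANCE, "RelatedGroupId": FINANCE},
    {"Url": BASE + "Finance-Audit", "Template": "TEAMCHANNEL#0",
     "GroupId": EMPTY_GUID, "RelatedGroupId": FINANCE},
    {"Url": BASE + "Legacy-Deals", "Template": "TEAMCHANNEL#0",
     "GroupId": EMPTY_GUID,
     "RelatedGroupId": "99999999-9999-9999-9999-999999999999"},
]
GROUP_MAILBOXES = {FINANCE: "finance@contoso.example"}
CHANNEL_MEMBERS = {BASE + "Finance-Audit": ["ana@contoso.example",
                                            "raj@contoso.example"]}

if __name__ == "__main__":
    scope, orphans = build_hold_scope(SITES, GROUP_MAILBOXES, CHANNEL_MEMBERS)
    for gid, locations in scope.items():
        print(gid, sorted(locations["sites"]), sorted(locations["mailboxes"]))
    print("private channel sites with no known parent team:", orphans)
```

Sites reported as orphans are worth reviewing separately, since their content falls outside any scope derived from the current list of teams.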
That’s all I’ve got right now–I need to get back to slaving away on the book. 🙂