MS-700: Microsoft Teams Administrator Study Guide
MS-700: Microsoft Teams Administrator validates your ability to plan, deploy, configure, manage, secure, and monitor Microsoft Teams across collaboration, meetings, and calling workloads. It targets Teams administrators who configure policies, governance, telephony (Teams Phone), and compliance for an organization, and who collaborate with networking, security, telephony, and identity teams. The 120-minute exam has a passing score of 700 and tests both portal-based configuration (Teams admin center) and PowerShell/Microsoft Graph administration.
Domain 1: Configure and Manage Teams
- The Microsoft Teams admin center (https://admin.teams.microsoft.com) is the central portal for org-wide settings, policies, teams/channels, users, and app management; the Microsoft Teams PowerShell module (Connect-MicrosoftTeams) provides scripted and bulk administration.
- Teams has no identity store of its own - every user, group, and team membership is backed by Microsoft Entra ID, which handles authentication, MFA, Conditional Access, and group membership resolution.
- Every user must have a Microsoft 365 license that includes Teams (for example Business Basic/Standard or enterprise E3/E5) explicitly assigned to their account before they can use Teams.
- Policies can be assigned three ways: org-wide (Global default), direct per-user assignment, or group policy assignment to a security/M365 group; direct user assignment takes precedence over group assignment, and group assignment uses a ranking when a user is in multiple groups.
- Policy packages are bundles of predefined policies tailored to a role (for example Education Teacher, Healthcare Clinical Worker, Frontline Worker) to simplify assignment of multiple policy types at once.
- Creating a team automatically provisions a Microsoft 365 Group, a SharePoint site (team files live in the channel's document library), a shared mailbox, and a OneNote notebook; 1:1 and group chat files are stored in the sender's OneDrive.
- Team creation can be restricted by limiting Microsoft 365 Group creation in Entra ID to members of a designated security group, which prevents team/group sprawl.
- Microsoft 365 Group expiration policies with auto-renewal based on activity automatically remove inactive teams; renewal can be triggered by activity so active teams are not deleted.
- Team templates (built-in or custom) pre-create channels, tabs, and apps at team creation time to standardize new teams for specific scenarios.
- Teams real-time media (audio, video, screen share) is sensitive to latency, jitter, and packet loss; implement QoS with DSCP markings and open the required UDP port ranges (notably 3478-3481) and Microsoft 365 URLs/IPs.
- For optimal media performance, egress Teams traffic to the internet as close to the user as possible (local/regional egress) so traffic reaches the nearest Microsoft network edge; avoid hairpinning through a central data center.
- Allowlist (bypass) the Microsoft 365 'Optimize' category endpoints and exclude them from proxy and SSL inspection so latency-sensitive Teams media is not delayed or blocked.
- Deploy and update the Teams desktop client through your software distribution tool (for example Intune/Configuration Manager) and stagger updates; use Delivery Optimization / peer caching so binaries are shared on the LAN rather than each device downloading separately.
- External collaboration is controlled by org-wide guest access settings (which span Teams, Entra B2B, and Microsoft 365 Groups) plus SharePoint/OneDrive external sharing settings; Teams guest access depends on these underlying settings being enabled.
Domain 2: Manage Chat, Calling, and Meetings
- A standard channel is visible to all members of the parent team; a private channel has its own membership roster (a subset of the team) and its own dedicated SharePoint site; a shared channel can be shared with people inside and outside the org without switching tenants or creating guest accounts.
- Shared channels use Microsoft Entra B2B direct connect (cross-tenant access settings) so external partners participate without guest accounts or extra licenses - the preferred approach for ongoing partner collaboration over creating guest accounts.
- External access (federation) lets users in external domains chat, call, and meet with your users without being added as guests; guest access invites external users into specific teams/channels with broader membership rights - these are two distinct, independently configured mechanisms.
- Messaging policies govern chat features such as editing/deleting sent messages, Giphy and sticker availability, read receipts, immersive reader, and chat permissions for users.
- App permission policies control which apps (Microsoft, third-party, custom) users can install; app setup policies control which apps are pinned and pre-installed and the app bar layout for users.
- Meeting policies control who can present, lobby/admit (bypass) behavior, cloud recording, transcription, live captions, and other meeting features; meeting recordings are stored in OneDrive (for ad-hoc/private meetings) or the channel SharePoint site (for channel meetings).
- The meeting lobby is a security checkpoint where participants (commonly anonymous and external users) wait until an organizer or presenter admits them; bypass settings determine who joins directly versus who waits.
- Teams Phone with a connectivity option enables PSTN calling; the three PSTN connectivity options are Microsoft Calling Plans (Microsoft is the carrier), Direct Routing (your own SBC and carrier), and Operator Connect (a partner carrier managed in the admin center).
- Auto attendants provide an IVR menu that routes inbound calls (for example 'press 1 for sales'); call queues distribute inbound calls to a group of agents with hold music and routing methods; both require a resource account, and a resource account needs a Microsoft Teams Phone Resource Account license (Virtual User license, free).
- Phone numbers are assigned in the Teams admin center; Audio Conferencing licenses/add-ons enable dial-in (PSTN) access to meetings and can be removed from users who do not need dial-in to save cost.
- For cost-efficient contact-center-style calling, use call queues with shared resource accounts and service numbers rather than assigning an individual DID/Calling Plan to every agent, and use Communication Credits/pay-as-you-go only where occasional outbound dialing occurs.
- Direct Routing connects a certified Session Border Controller (SBC) to Teams and uses voice routing policies, PSTN usage records, and voice routes to direct outbound calls.
- Implement QoS with DSCP markings (insertion/tagging on clients and the network) and open the required UDP media ports so Teams real-time media is prioritized and not blocked.
- Allow split-tunnel VPN so Teams media goes directly to Microsoft 365 endpoints (the Optimize category) instead of being forced through the corporate VPN, which degrades call quality.
Domain 3: Manage Teams and App Policies
- Meeting policies are applied per user or org-wide and control cloud recording, who can present, lobby/access behavior, transcription/translation, and meeting feature availability; the policy assigned to the organizer often governs the meeting's behavior.
- Teams Phone combined with a Calling Plan or Direct Routing turns Teams into a full telephony client for making/receiving PSTN calls with assigned phone numbers.
- An auto attendant is a resource account providing an IVR voice menu; a call queue is a resource account distributing calls to agents using methods like attendant routing, serial, round robin, or longest idle, with options for hold music and overflow/timeout handling.
- App permission policies allow or block apps tenant-wide or per user (allow all, allow specific, block specific, block all); app setup policies pin and pre-install specific apps and set the order of pinned apps.
- Org-wide app settings control whether users can upload/sideload custom apps and whether third-party apps are allowed; these global toggles override what individual policies can enable.
- Assign app setup (and other) policies to a department's security/M365 group via group policy assignment so membership changes are handled automatically without per-user reassignment.
- Cloud recordings are stored in OneDrive/SharePoint; a meeting policy that mandates automatic recording plus OneDrive/SharePoint storage satisfies automatic-capture and accessibility compliance requirements.
- For regulated industries, enable compliance recording with a certified third-party partner solution (integrated via Graph API and the bot framework) assigned to regulated users - standard meeting recording is not sufficient for compliance recording.
- Manage team lifecycle and sprawl with Microsoft 365 Group expiration and renewal policies, group naming policies, and team archiving to automatically clean up or freeze inactive teams.
- Archive a team to make it read-only while preserving content via the Teams admin center or Set-TeamArchivedState in PowerShell, rather than deleting it or leaving it active.
- Pinning only a few approved apps via app setup policies (instead of pre-installing many) reduces client clutter and resource overhead while still allowing on-demand access to permitted apps.
- A least-privilege app strategy uses an app permission policy that allows only approved apps and blocks the rest, combined with a setup policy that pins the required ones.
- Normalization rules (dial plans) translate dialed numbers into a standard E.164 format for routing; tenant dial plans supplement the effective dial plan applied to users.
- Emergency calling policies and emergency call routing policies (with Location Information Services / dynamic emergency calling) ensure emergency calls are routed with accurate location information per regulations.
Domain 4: Monitor, Report, and Manage Compliance
- Teams usage reports in the Teams admin center and Microsoft 365 admin center report on adoption - active users, messages, meetings, calls, and device usage - and help identify inactive or non-active licensed users for license reclamation.
- The Call Quality Dashboard (CQD) aggregates data across millions of calls to surface organization-wide quality trends (latency, jitter, packet loss, codec) by subnet/building; per-call (per-user) analytics in Users > select user > Meetings & calls show per-session diagnostics for troubleshooting a specific user's call.
- Upload building/subnet/tenant data (the building data file) into CQD so reports can map subnets to physical locations, distinguishing wired versus Wi-Fi and inside versus outside the corporate network.
- Review CQD reports/templates on a schedule, including the CQD Power BI connector/templates, to track quality trends by location over time.
- Microsoft Purview retention policies can be scoped specifically to Teams chats and channel messages with retain, delete, or retain-then-delete actions; Teams retention is configured separately from Exchange/SharePoint locations.
- Use New-RetentionCompliancePolicy with -TeamsChannelLocation (channel messages) and -TeamsChatLocation (1:1 and group chats) to create Teams retention policies in PowerShell.
- Teams chat and channel messages are journaled into hidden folders in Exchange Online mailboxes, so content search uses New-ComplianceSearch with -ExchangeLocation (user mailbox for chats, the group mailbox for channel messages).
- Microsoft Purview eDiscovery (content search and holds) lets legal/compliance teams search and preserve Teams messages and files; place content on an eDiscovery hold and run a content search to preserve and collect data for investigations.
- Create eDiscovery (Premium) case holds with New-CaseHoldPolicy together with New-CaseHoldRule to preserve content scoped to a case.
- Information barrier policies in Microsoft Purview define segments and block communication/discovery between groups (for example New-InformationBarrierPolicy -SegmentsBlocked) to keep regulated units separated within Teams.
- Data Loss Prevention (DLP) policies for Teams chat and channel messages detect and act on sensitive information (such as credit card or SSN data) being shared, blocking or alerting on policy matches.
- Compliance recording is delivered through a certified partner solution assigned via a Teams policy to regulated users, ensuring automatic, auditable capture of calls and meetings - distinct from standard cloud recording.
- Sensitivity labels can be applied to teams/groups to enforce privacy (public/private), guest access, and external sharing settings on the underlying Microsoft 365 Group and SharePoint site.
- Audit logs in Microsoft Purview capture Teams admin and user activities (team creation/deletion, membership changes, settings changes) for investigation and compliance reporting.
MS-700 exam tips
- Master the policy assignment hierarchy: Global (org-wide) default applies unless overridden; direct user assignment wins over group assignment; among multiple groups, the assignment ranking decides. Many questions hinge on which policy a specific user effectively receives.
- Know the right tool for the right scope: CQD for organization-wide quality trends by location, and per-user call analytics (Meetings & calls) for troubleshooting one user's specific call. Expect scenarios that ask you to pick between them.
- Memorize the three PSTN connectivity options (Calling Plan, Direct Routing, Operator Connect) and when each applies, plus that auto attendants and call queues both require resource accounts with a (free) Virtual User license.
- For compliance scenarios, distinguish retention policies (keep/delete), eDiscovery (search/hold), information barriers (block communication), DLP (block sensitive sharing), and compliance recording (certified partner) - match the requirement to the exact feature.
- Be comfortable with PowerShell cmdlet patterns: Connect-MicrosoftTeams, Set-TeamArchivedState, New-RetentionCompliancePolicy -TeamsChannelLocation, New-ComplianceSearch -ExchangeLocation, and New-CaseHoldPolicy/New-CaseHoldRule for case holds.
Study guide FAQ
What is the difference between guest access, external access, and shared channels?
External access (federation) lets your users chat, call, and meet with users in external domains without those users being added to your teams. Guest access invites an external person into your team/channel as a member-like guest, which consumes a guest account governed by Entra B2B and Microsoft 365 Group settings. Shared channels use Entra B2B direct connect (cross-tenant access settings) to let external partners collaborate in a specific channel without any guest account or extra license, making them the preferred choice for ongoing partner collaboration.
How do I improve poor Teams call quality on the network?
Implement QoS with DSCP markings on clients and network devices, open the required UDP media port ranges (3478-3481), enable local/regional internet egress so media reaches the nearest Microsoft edge, allowlist the Microsoft 365 Optimize endpoints and exclude them from proxy/SSL inspection, and use split-tunnel VPN so media bypasses the corporate VPN. Then use CQD to track location trends and per-user call analytics to diagnose individual calls.
Where are Teams files and meeting recordings stored?
Team/channel files live in the team's SharePoint site document library; 1:1 and group chat files live in the sender's OneDrive. Channel meeting recordings are saved to the channel's SharePoint site, while recordings of non-channel (private/ad-hoc) meetings are saved to the recording initiator's OneDrive. Cloud recording must be enabled in the applicable meeting policy.
How do I prevent team sprawl and manage the team lifecycle?
Restrict Microsoft 365 Group creation in Entra ID to a designated security group so only approved users can create teams, apply a group expiration policy with activity-based auto-renewal to remove inactive teams, enforce a group naming policy for consistency, and archive completed teams (read-only) via the admin center or Set-TeamArchivedState rather than deleting or leaving them active. Sensitivity labels can additionally enforce privacy and external sharing settings at creation.