The complete guide to Microsoft 365 governance

According to Microsoft, governance is “the set of policies, roles, responsibilities, and processes that control how an organization’s business divisions and IT teams work together to achieve its goals.” That may sound complicated at first glance, but in a nutshell, governance involves anything from security and compliance to basic tasks like folder naming. 

Company size can influence how governance looks. For example, larger companies might be able to form multiple, specialized governance teams for different purposes. Conversely, a smaller company with fewer resources might have just one employee take responsibility. Overall, Microsoft believes that governance relies on buy-in from numerous employees such as: 

• IT professionals
• Executives
• DevOps leaders
• Trainers
• Compliance officers
• Architects
• Software developers

Specifically, Microsoft 365 compliance involves Microsoft’s apps and services. Using Microsoft’s apps means relying on their built-in functions. For example, SharePoint, Teams, or OneDrive have unique default configurations. Customizable settings directly influence privacy and sharing behaviors. 

Let’s quickly talk about SharePoint. SharePoint allows you to share folders internally or externally with those outside of your company. You can also decide who can access your site and its resources. If you need to strengthen security, SharePoint lets you create custom permissions—which you can apply to users and groups. Admins can restrict access pretty easily. This shows how data governance can directly impact collaboration. 

Because many of Microsoft’s apps are so deeply integrated, an advantage of using its ecosystem, governance measures are linked. Since it’s so easy to connect Word to SharePoint, for example, you should pay careful attention to the documents and data uploaded between both apps. You don’t want to save a sensitive document to a public SharePoint site accidentally. 

Finally, it’s critical to note that governance isn’t a “set and forget” policy. It requires careful planning and commitment throughout a tool’s or organization’s lifecycle. To have a safe environment you need continuous dedicated effort.

Today’s organizations manage mountains of data. Six years ago, the average company managed 162.9 TB of data, while your average enterprise safeguarded over twice as much. While customers generate huge amounts of data, so too do employees. This information, which exists in many forms, is often sensitive or proprietary. 

The files, emails, images, and more that employees share drive business operations. Protecting all this information is highly important. Microsoft 365 contains apps specifically geared towards seamless collaboration. It’s quite easy for resources to change multiple hands throughout a single workday.

While that exchange of information is handy, it requires teams to work carefully. A mix of active and passive measures help prevent carelessness, which is vital to protecting stored and flowing data. 

Better Access Procedures and Data Safety 

Governance tools ensure that only authorized users can access key data within SharePoint, OneDrive, or Exchange, to name some examples. Remote information is theoretically accessible from anywhere. The access-management portion of governance keeps information isolated by an organization, group, or individual—like putting a keycard lock on a door. Understanding which data is private or openly available is critical. 

Overall, governance across Microsoft 365 keeps your data: 

• Secure – or safe from attacks and theft of all origins 
• Trustworthy – or accurate, valid, and either immutable or selectively mutable (to avoid unwanted tampering) 
• Logged – or recorded, cataloged, and organized in logical ways 
• Managed – or overseen by team members that are trusted and knowledgeable 
• Auditable – or inspectable, reportable, and verifiable (for quality purposes) 

It’s also worth noting that sensitive data crosses messaging pathways quite often. This is true for Skype, Teams, and programs like Outlook. While backend controls are useful for reducing careless behavior, governance education can considerably change how employees distribute data across these platforms. 

For that reason, governance can influence your teams to collaborate more carefully and mindfully. Governance isn’t just a set of processes but also has its roots in cultural change. 

How to improve Microsoft 365 compliance? 

For example, companies operating in the financial and healthcare sectors maintain vast stores of personal identifiable information (PII)—including payment information, patient records, insurance information, and more. Keeping this information under wraps is essential.

For healthcare, in particular, Microsoft hails 365’s ability to keep information safe. However, these baked-in safeguards still need the support of governance best practices to prevent data leakages. Microsoft Teams is used for virtual visits, while secure messaging is used to help care providers collaborate. These measures are crucial and mandatory due to HIPAA regulations. The picture is similar in finance, where SOX regulations reign supreme. 

HIPAA violations can cost anywhere from $100 per violation to upwards of $50,000 a piece, depending on the severity. Note that compliance violations can stem from willful, malicious neglect (non-governance) to benevolent lack of awareness. Meanwhile, SOX violations can result in hefty fines and possibly even jail time. However, Microsoft 365 doesn’t outwardly tie as closely to this as Dynamics 365 might—though data governance does encompass transparent reporting (a practice facilitated via Microsoft’s apps). 

These penalties are nothing to sneeze at, and they can cripple all but the largest of organizations in many cases. Compliant organizations are shielded from preventable legal troubles and can operate without that cloud hanging over them.

Finally, we should assess the role governance plays in voluntary compliance—where companies strive to achieve a certain level of security and privacy for the sake of doing so. This is common for regulations under the NIST Cybersecurity Framework. Many companies in tech, or those aiming to be security-focused, adhere to those best practices. However, companies that handle government contracts must abide by NIST standards. This is where something like Azure Information Protection or Active Directory can pay dividends. 

Better Asset Protection and Lifecycle Management 

Both products and their data have lifecycles. Determining strategies for adopting, decommissioning, and using apps helps uncover any risks to data longevity. Additionally, setting clear data retention limits prevents the information from being forever vulnerable. 

Before companies create a lifecycle management policy, they must evaluate the data they have on hand. They must also know where it’s stored. SharePoint is a common repository for assets and project resources; however, key files might exist within other locations and services. Monitoring everything will prevent things from getting lost. Additionally, determining a resource’s business value lets you better track mission-critical data. 

Due to compliance and business needs, you might need to have several different data retention rules which define how long you need to keep some data. You might also want to define rules when to archive some content to keep it safe and clear up the end user’s everyday workspace from unneeded data. This way, you will avoid disorder while your data can be safe in an archive for X years before you can delete it. 

Good governance doesn’t happen overnight. Organizations need to plan effectively while using Microsoft 365—despite what Microsoft has done to make life easier. The following questions will help you create a clear path to effective M365 governance:

1. Which apps and technologies will be used—for what purposes—and how can you manage them? 
2. Are there any service-level agreements? 
3. What value will each Microsoft 365 product or service provide? 
4. Will the Office suite mesh effectively with the current infrastructure or any planned changes? Is there flexibility? 
5. How will scaling your workforce and data impact governance? 
6. How can Microsoft 365 help meet privacy, security, and compliance objectives, if those already exist? 
7. Does your IT department have the tools and expertise needed? 

You’ll want to know what you hope to achieve with Microsoft 365. This will naturally influence how you manage your data and the types of data you create. 

For example, a company using Office’s original apps will probably generate and circulate numerous documents—presentations, spreadsheets, etc. These apps are perfectly matched to certain content, and that includes contracts (Word), financial records (Excel), or presentations (PowerPoint). 

Organize all critical data or create a system compatible with your current business plan. You’ll be building a new data layout in many cases. 

Start-of-life governance 

This governance phase is very important to define before widespread usage kicks off. Ending up with thousands of workspaces without proper governance applied can be an incredible drain on your resources because it will be very hard to do it retroactively.

You need to align your business goals with your Microsoft 365 implementation. Ideally, you want to make adoption as easy as possible for your users while setting up proper governance to keep your content secure. 

Here are the main considerations on which decisions need to be made: 

• Based on your business needs define which Microsoft 365 Plan your users need. This decision defines which apps they can use but what is also important is licenses like Azure AD Premium (P1/P2) define which security features they can use. Check out our blog The Microsoft 365 Apps Decision: Business or Enterprise to help decide.
   
• Who is allowed to create new sites, M365 groups, MS Teams, Planner, etc.? By allowing self-service provisioning, you are democratizing Microsoft 365, making it easily accessible to all users and speeding up adoption. But without any guidance and governance, this can lead to a massive number of workspaces with duplication of information and one big group sprawl syndrome, leading to decreased productivity.
   
• Do you need to collaborate with external partners and vendors? There are different settings for SharePoint Online at the tenant and site level, then controls for groups and controls for teams. If external access is needed it is best to have dedicated sites/groups/teams for collaboration while disabling external sharing capability on internal ones to avoid accidental sharing. You also need to set up procedures to remove guest user access once it is no longer needed.  

Here are some additional M365 best practices which are good to consider right from the start as they might influence the main choices you need to make: 

• Use naming conventions for your sites, groups, and teams. This will allow your end-users to easily recognize the purpose and ownership of workspaces for different business units. You also want to prevent misuse by blocking certain names (such as CEO, payroll, and similar).
   
• Speed up onboarding on new sites by using SharePoint Site templates to enforce the company norms for site design, branding, functionalities, and content. Speed up onboarding to new teams by using Teams templates to predefine channels, tabs and apps.
   
• Protect confidential data by using Microsoft 365 Sensitivity Labels. Make sure they are applied as soon as a new workspace is created. This will provide maximum security and prevent confidential data from leaving your organization. 
   
• Define rules on when to use Public and when to use Private teams. This one may seem simple, but many organizations struggle with users creating too many public teams and putting confidential data inside public teams. You might want to additionally educate your end-users, or limit who can create public teams or put approval flows in place.
   
• Define clear ownership rules for all workspaces. The higher the number of owners a specific team has, the higher the chances are that no one will take full responsibility. Having a defined primary owner and secondary owner helps by having clear responsibility for managing and administering that group/team during its entire lifetime.   

You need to choose the correct options for your organization, there is no one size fits all. Be sure to understand all your requirements and validate them with business owners to get the most out of your Microsoft 365. Once you make the key decision it will be clear how to move forward. Some things you can solve by using out-of-the-box features while for others you might want to build your own solutions or buy the existing solutions from 3rd party vendors.

Continuos governance during the lifecycle 

To make your tenant secure and protect your content during the whole lifecycle, you need to establish governance processes and rules which will make this happen. There are a lot of things going on in the organization – new employees are coming, people change positions, roles, and departments, people are leaving, start of cooperation with new external companies, end of cooperation with different external companies, etc. These are all situations that require a clear plan and process, so everyone responsible knows what to do in each situation. 

We’ve listed some of the processes you need to consider to safeguard your content during all these organizational changes:

• Access reviews – periodically recertify access to your workspaces and ensure only the right people have access to your content. There are a lot of decisions to be made here: 
  • Which workspaces need to be reviewed? – do you want to perform access reviews on all workspaces (teams, groups, sites, OneDrive), or just part of it? Do you want to perform access reviews only on public workspaces, on the workspaces which contain sensitive content or externally shared content only? 
     
  • How often does the review need to be performed? – based on the data you have on your sites and groups you should choose a different period for access reviews. For example, for highly classified content or content shared with external users you should consider more frequent access reviews (every month or every three months), and for content where only people in your organization have access, 1-year access reviews should be enough. 
     
  • Who will perform access reviews? – who is responsible for the content should be part of the company governance policy and based on that you should choose who will perform access reviews. For example, do access reviews need to be performed by all team/group owners or is there only one primary contact who needs to perform reviews? Do access reviews for SharePoint sites need to be performed by the primary admin, site collection admins, or site owners? 
     
  • What needs to be reviewed? – if your organization is working with different vendors, partners, and clients, you should consider reviewing guest users and externally shared content. If there is any data inside the company which is confidential and should not be available to everyone, you should consider reviewing internal memberships and all shared content. 
     
  • Is there any regulatory policy the company needs to be compliant with such as HIPAA.
• Access requests – without an automated policy in place, your users will keep sending access requests to join M365 workspaces. Your IT team will waste time resolving every ticket, as they lack the context for different teams’ admission rights. 
  • With the policy applied, a self-service solution can streamline the workspace access request/approval process and keep everything under control. Less dependence on IT brings significant productivity benefits for both workspace owners and admins. 
  • After the admin sets up all the policies, your users get an intuitive workspace center in a user-friendly Point Teams app – they can see, search, and request access to public workspaces and those with an applied policy. Approvers will be able to manage those requests directly from the same location. This results in increased efficiency for all parties involved, reduced sprawl, and a simplified process.
• Guest recertification – working with different external vendors, clients, and partners is normal in today’s business, and knowing who are the guest users that have access to the content in your organization is critical. Organizations start working with new external companies as new projects come in, they stop working with external companies when projects finish, and that’s why you need to recertify guest users periodically. If guest users are not removed when they become inactive, this can cause a security risk and create clutter.
   
• Public teams & groups – content in public groups and teams is available to everyone in the organization, so you should periodically recertify if it contains content that should be private and require users to reconsent to terms of use.
   
• Ownerless workspaces (Orphaned) – every workspace should have a person who is responsible for managing it. As people are leaving, it may happen that a workspace becomes without an active owner, so it’s a best practice to regularly check if all the workspaces have someone responsible. Learn more on how to deal with orphaned workspaces. 
   
• Keeping in line with ownership best practices – it is recommended that groups and teams have between 2 and 5 owners. This is the ideal number because if there are too many owners, no one feels responsible, and if there aren’t enough owners, a situation may arise where the person responsible is not available when needed.
  

End of life 

This is important from both a productivity and security aspect. You need to prevent cluttered workspaces which would decrease productivity over time. Also, when a project is finished you want to remove unnecessary access to minimize security risks. You might also have different data retention requirements for some specific data (such as legal documents). Here are some processes to consider regarding end-of-life for your content and users: 

• Expiration policy – with the increased usage of teams and groups, you need to have a governance process to clean up unused workspaces. Projects finish over a certain period and teams become inactive, so you need to remove groups and teams which are not needed and make things cleaner. There are a few decisions to be made:
  • How long does the workspace need to be inactive before it’s considered unused.
  • Who is accountable for making a decision.
  • Does the content get archived or deleted when it’s not needed. 
  • Does the selected content need to be moved to another location before the site or group is deleted.
     
• Retention policies – retention is about how long you need to keep the content and if you are subject to any regulatory policy. You should enable retention policies on specific data which needs to be retained for many years (for example, specific documents that need to be stored for at least 5 years in some industries). Also, you should decide for which content you need to apply retention policies and labels (documents, emails, chats, channel messages…). 

• Expiration of access for external users – when you stop cooperating with an external company, you should consider removing access for guest users you are no longer working with. This reduces clutter and makes your data more secure as those users cannot access your content anymore.
   
• Automate offboarding – Practically every company has a process for employee offboarding, but the best practice would be to automate as many tasks as possible to reduce IT bottlenecks and decrease the possibility of an error. Microsoft 365 is just part of the whole offboarding process, and to ensure that data remains secure you should decide what to do with employees’ M365 accounts and their content (documents, emails) after they leave. 

• Removal of unused/inactive licenses – part of the offboarding process should be removing the user’s license, so you could assign the license to a new user and prevent unnecessary costs.
   
• Removing access to inactive users – after people leave, you should remove their access from groups and teams to prevent clutter. This could be as part of the offboarding process, or you can suggest content owners to remove inactive users as part of their access reviews. 

Save time & reduce IT cost of having to do them manually 

Manually managing processes, access management, and security is extremely tedious as stakeholders must tackle numerous tasks alongside their existing projects and commitments.  

Automation means less investigating, scripting, or button clicking and saves employees massive amounts of time. It increases productivity by automatically solving security issues and by highlighting any ecosystem weaknesses. 

Ensure scalability as your organization grows 

Governance can become even more complicated as organizations grow, people change roles, new employees come, and new projects start with different vendors. If the right tools, processes, and education that automates your tasks are in place, the growth should be tackled smoothly, and IT will not become a bottleneck.

Reduce the risk of something being overlooked and human error 

You need to keep an eye on many things related to governance, which means there is a lot of room to miss something if everything needs to be done manually. With the proper automation and tools that do the hard work, you can relax and be sure your environment is governed efficiently and in the right way.