Governance and Management of External Users in Microsoft 365
Microsoft Office Apps & Services MVP Rene Modery coaches you to close security gaps while collaborating with users outside of your organization.
Microsoft 365, Microsoft's subscription service, has competed with Google's productivity suite since 2011. It bundles together over 30 applications, services, and other useful tools, including well-known household names such as:
These offerings differ depending on your needs and come in two main options, Business and Enterprise. For example, Microsoft 365 for Business includes a smaller subset of apps (although add-ons such as Azure Information Protection are available), while the Enterprise suite is more comprehensive. That portfolio of services has become essential for collaboration, allowing teams to share messages, data, and other key project resources with stakeholders both inside and outside the organization.
While useful, such a complex array of applications presents oversight challenges for IT and other departments. Because these services are reachable from the internet, they also raise security concerns that did not apply in the same way to machines on a local network: a misconfigured sharing setting exposes data to the world rather than to the office. It is a tradeoff that companies have accepted throughout their cloud transitions, and it has shifted a great deal of attention to strengthening security.
This is where governance comes into play. This guide will help you figure out what governance within Microsoft 365 is, why it is crucial, and how to ensure proper governance and security.
According to Microsoft, governance is “the set of policies, roles, responsibilities, and processes that control how an organization’s business divisions and IT teams work together to achieve its goals.” That may sound complicated at first glance, but in a nutshell, governance involves anything from security and compliance to basic tasks like folder naming.
Company size can influence how governance looks. For example, larger companies might be able to form multiple, specialized governance teams for different purposes. Conversely, a smaller company with fewer resources might have just one employee take responsibility. Overall, Microsoft believes that governance relies on buy-in from numerous employees such as:
In practice, governance in Microsoft 365 is implemented through the settings of Microsoft's own apps and services. SharePoint, Teams, and OneDrive each ship with their own default configuration, and the settings you change (or leave at their defaults) directly determine how content can be shared and with whom.
Let's quickly talk about SharePoint. SharePoint lets you share sites, libraries, folders, and files internally or externally with people outside your company, and you decide who can access each site and its resources. If you need to strengthen security, SharePoint lets you create custom permission levels and apply them to users and groups, and admins can restrict sharing at both the tenant and the site level; a site can never be more permissive than the tenant-wide setting allows. This shows how data governance directly shapes collaboration.
Because many of Microsoft's apps are so deeply integrated (an advantage of using its ecosystem), governance measures are linked as well. Since it is so easy to save from Word straight into SharePoint, for example, pay careful attention to where documents land: you do not want to accidentally save a sensitive document to a SharePoint site that is open to everyone in the organization or to external users.
Finally, it is critical to note that governance isn't a "set and forget" policy. It requires careful planning and commitment throughout a tool's or organization's lifecycle. A safe environment takes continuous, dedicated effort.
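The tenant-level and site-level sharing controls described in the SharePoint paragraph above can be audited and tightened from the SharePoint Online Management Shell. The following script is an added example and is not code from the original article; the contoso URLs, the partner.example domain, and the Finance site are placeholders, and it assumes the Microsoft.Online.SharePoint.PowerShell module is installed and the account used holds the SharePoint Administrator role.

```powershell
# Added example (not from the original article): audit and tighten external sharing
# in SharePoint Online with the SharePoint Online Management Shell.
# Assumptions (placeholders): the Microsoft.Online.SharePoint.PowerShell module is
# installed, the account used holds the SharePoint Administrator role, and the
# contoso URLs and the partner.example domain stand in for your own tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. The tenant-wide setting is the ceiling: no site can be more permissive than this.
$tenant = Get-SPOTenant
"Tenant sharing capability: {0}" -f $tenant.SharingCapability

# 2. Report every site that allows anonymous "Anyone" links, i.e. content that can
#    leave the organization without the recipient ever authenticating.
$anonymousSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' }
$anonymousSites | Select-Object Url, Title, SharingCapability | Format-Table -AutoSize

# 3. Tighten the tenant: external recipients must authenticate (no anonymous links),
#    new sharing links default to "people in the organization", and external sharing
#    is only allowed with an explicit allow list of partner domains.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"

# 4. Sites holding the most sensitive content get no external sharing at all,
#    regardless of what the tenant setting permits.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# 5. Verify: the tenant and the locked-down site should now read
#    ExternalUserSharingOnly and Disabled respectively.
(Get-SPOTenant).SharingCapability
(Get-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance").SharingCapability
```

Run step 2 on its own first; lowering the tenant setting in step 3 caps every site at once, so you want to know which sites and owners will be affected before the change goes in.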
Today's organizations manage mountains of data. Six years ago, the average company managed 162.9 TB of data, while the average enterprise safeguarded over twice as much. Customers generate huge amounts of data, and so do employees. This information, which exists in many forms, is often sensitive or proprietary.
The files, emails, images, and more that employees share drive business operations, and protecting all that information is highly important. Microsoft 365 contains apps built specifically for seamless collaboration, so it is easy for a resource to change hands several times in a single workday.
While that exchange of information is handy, it requires teams to work carefully. A mix of active and passive measures helps prevent carelessness, which is vital to protecting data both at rest and in transit.
Governance tools ensure that only authorized users can access key data within SharePoint, OneDrive, or Exchange, to name some examples. Data in the cloud is, in principle, reachable from anywhere, so network location no longer acts as a barrier; the access-management portion of governance keeps information restricted to an organization, group, or individual, like putting a keycard lock on a door. Understanding which data is private and which is openly available is critical.
Overall, governance across Microsoft 365 keeps your data:
It is also worth noting that sensitive data crosses messaging pathways quite often, whether in Skype, Teams, or programs like Outlook. Backend controls are useful for reducing careless behavior, but governance training can considerably change how employees distribute data across these platforms.
For that reason, governance can influence your teams to collaborate more carefully and mindfully. Governance is not just a set of processes; it also has its roots in cultural change.
For example, companies operating in the financial and healthcare sectors maintain vast stores of personally identifiable information (PII), including payment information, patient records, insurance information, and more. Keeping this information under wraps is essential.
For healthcare in particular, Microsoft promotes Microsoft 365's ability to keep information safe. However, these built-in safeguards still need the support of governance best practices to prevent data leaks. Microsoft Teams is used for virtual visits, while secure messaging helps care providers collaborate. These safeguards are not optional: HIPAA requires covered entities to protect electronic protected health information, and handling it in the service presupposes a Business Associate Agreement with Microsoft. The picture is similar in finance, where SOX regulations reign supreme.
HIPAA violations can cost anywhere from $100 per violation to upwards of $50,000 apiece, depending on the severity. Note that compliance violations can stem from anything between willful neglect (a lack of governance) and a well-meaning lack of awareness. Meanwhile, SOX violations can result in hefty fines and possibly even jail time. Microsoft 365 is less directly tied to SOX than Dynamics 365, where the financial records themselves live, but data governance still covers the retention and transparent reporting of the documents and emails behind those records, both of which Microsoft's apps facilitate.
These penalties are nothing to sneeze at; in many cases they can cripple all but the largest organizations. Compliant organizations are shielded from preventable legal troubles and can operate without that cloud hanging over them.
Finally, we should assess the role governance plays in voluntary compliance, where companies strive to achieve a certain level of security and privacy for its own sake. The NIST Cybersecurity Framework is a common example: it is voluntary, and many companies in tech, or those aiming to be security-focused, adhere to its best practices. Companies that handle government contracts, however, must abide by NIST standards (for example SP 800-171 when they process controlled unclassified information). This is where tools such as Azure Information Protection (sensitivity labels) or Azure Active Directory (conditional access) pay dividends.
Both products and their data have lifecycles. Determining strategies for adopting, using, and decommissioning apps helps uncover risks to data over its lifetime. Additionally, setting clear data retention limits prevents information from lingering indefinitely, exposed long after it has any business value.
Before companies create a lifecycle management policy, they must evaluate the data they have on hand. They must also know where it is stored. SharePoint is a common repository for assets and project resources; however, key files might exist in other locations and services. Inventorying everything prevents content from getting lost, or from staying shared after everyone has forgotten about it. Additionally, determining a resource's business value lets you better track mission-critical data.
Due to compliance and business needs, you might need several different data retention rules that define how long you must keep particular data. You might also want to define rules for when to archive content, to keep it safe and clear unneeded data out of the end user's everyday workspace. This way you avoid disorder while the data stays safe in an archive for a fixed number of years before it can be deleted.
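A "keep for a fixed number of years, then delete" rule like the one described above is expressed in Microsoft 365 as a retention policy plus a retention rule. The following script is an added example and is not code from the original article; the policy name and the seven-year duration are placeholders, and it assumes the ExchangeOnlineManagement module is installed and the account holds a compliance administrator role.

```powershell
# Added example (not from the original article): a retention policy that keeps
# content for seven years and then deletes it, created with the Security &
# Compliance PowerShell cmdlets. Assumptions (placeholders): the ExchangeOnlineManagement
# module is installed, the account holds a compliance administrator role, and the
# policy name and the seven-year duration stand in for your own requirements.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "Keep 7 years then delete"
$sevenYears = 7 * 365   # retention duration is expressed in days

# The policy decides WHERE it applies: all mailboxes, all SharePoint sites
# and all OneDrive accounts in this case.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All

# The rule decides WHAT happens: keep items for the duration (a user deleting
# them does not make them disappear), then delete them, counting from the
# last modification rather than from creation.
New-RetentionComplianceRule -Name "$policyName - rule" `
    -Policy $policyName `
    -RetentionDuration $sevenYears `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Verify that the policy is enabled and the rule is attached to it.
Get-RetentionCompliancePolicy -Identity $policyName | Select-Object Name, Enabled
Get-RetentionComplianceRule -Policy $policyName |
    Select-Object Name, RetentionDuration, RetentionComplianceAction
```

KeepAndDelete is what the archive-then-delete requirement calls for: content that users delete early is retained in the preservation hold location until the period ends, and content nobody touches is removed automatically afterwards instead of sitting around forever.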
Good governance doesn't happen overnight. Organizations need to plan effectively while using Microsoft 365, even with everything Microsoft has done to make life easier. The following questions will help you create a clear path to effective M365 governance:
You’ll want to know what you hope to achieve with Microsoft 365. This will naturally influence how you manage your data and the types of data you create.
For example, a company using the classic Office desktop apps will probably generate and circulate numerous documents, such as presentations and spreadsheets. These apps are matched to particular content: contracts (Word), financial records (Excel), or presentations (PowerPoint).
Organize all critical data or create a system compatible with your current business plan. You’ll be building a new data layout in many cases.
This governance phase is very important to define before widespread usage kicks off. Ending up with thousands of workspaces without proper governance applied can be an incredible drain on your resources, because applying it retroactively is very hard.
You need to align your business goals with your Microsoft 365 implementation. Ideally, you want to make adoption as easy as possible for your users while setting up proper governance to keep your content secure.
Here are the main considerations on which decisions need to be made:
Here are some additional M365 best practices which are good to consider right from the start as they might influence the main choices you need to make:
You need to choose the correct options for your organization; there is no one-size-fits-all answer. Be sure to understand all your requirements and validate them with business owners to get the most out of Microsoft 365. Once you have made the key decisions it will be clear how to move forward. Some things you can solve with out-of-the-box features, while for others you might want to build your own solutions or buy existing ones from third-party vendors.
To keep your tenant secure and protect your content during its whole lifecycle, you need to establish governance processes and rules that make this happen. A lot happens in an organization: new employees join, people change positions, roles, and departments, people leave, cooperation with new external companies starts, and cooperation with other external companies ends. Every one of these situations requires a clear plan and process, so that everyone responsible knows what to do. The external cases matter most for security, because a guest account that outlives the project it was created for keeps its access until someone removes it.
We've listed some of the processes you need to consider to safeguard your content during all these organizational changes:
This is important from both a productivity and a security perspective. You need to prevent cluttered workspaces, which decrease productivity over time, and when a project is finished you want to remove access that is no longer needed to minimize security risk. You might also have different data retention requirements for specific data (such as legal documents). Here are some processes to consider regarding end-of-life for your content and users:
Manually managing processes, access management, and security is extremely tedious as stakeholders must tackle numerous tasks alongside their existing projects and commitments.
Automation means less investigating, scripting, and button clicking, and it saves employees massive amounts of time. It increases productivity by fixing routine security issues automatically and by highlighting weaknesses in the environment that need a human decision.
Governance becomes even more complicated as organizations grow, people change roles, new employees arrive, and new projects start with different vendors. If the right tools, processes, and training are in place to automate your tasks, growth can be handled smoothly and IT will not become a bottleneck.
There are many things to keep an eye on in governance, which leaves a lot of room to miss something if everything has to be done manually. With proper automation and tools that do the hard work, you can be confident that your environment is governed efficiently and correctly, and spend your attention on the exceptions the tooling flags.
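The end-of-life process for external users discussed above, and the automation this section argues for, come together in a script that finds guest accounts nobody has used for a set period and removes them. The following is an added example and is not code from the original article; it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph.Users module is installed, the account holds the User Administrator role, the tenant has the Microsoft Entra ID P1 or P2 licence that sign-in activity reporting requires, and the 90-day threshold and the function names Get-StaleGuest and Remove-StaleGuest are placeholders of this example rather than anything built into the product.

```powershell
# Added example (not from the original article): automate the end-of-life process for
# external users by finding guest accounts with no sign-in for N days and removing
# them with the Microsoft Graph PowerShell SDK. Assumptions (placeholders): the
# Microsoft.Graph.Users module is installed, the account holds the User Administrator
# role, the tenant is licensed for sign-in activity reporting (Entra ID P1/P2), and
# the 90-day default and the function names are this example's own choices.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All"

function Get-StaleGuest {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Only guest (B2B) accounts: internal members are handled by the HR leaver process.
    $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id, DisplayName, Mail, CreatedDateTime, SignInActivity

    foreach ($g in $guests) {
        $last = $g.SignInActivity.LastSignInDateTime
        # An invitation that was never redeemed has no sign-in at all; treat the
        # invitation date as the last activity so abandoned invites are caught too.
        if (-not $last) { $last = $g.CreatedDateTime }
        if ($last -lt $cutoff) {
            [pscustomobject]@{
                Id           = $g.Id
                DisplayName  = $g.DisplayName
                Mail         = $g.Mail
                LastActivity = $last
            }
        }
    }
}

function Remove-StaleGuest {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$InactiveDays = 90)
    foreach ($u in Get-StaleGuest -InactiveDays $InactiveDays) {
        if ($PSCmdlet.ShouldProcess($u.Mail, "Remove guest account")) {
            # Soft delete: the account stays restorable in the recycle bin for 30 days.
            Remove-MgUser -UserId $u.Id
        }
    }
}

# Always dry-run first: -WhatIf lists what would be removed without touching anything.
Remove-StaleGuest -InactiveDays 90 -WhatIf
```

Review the dry-run output with the owners of the sites and teams the guests belong to before dropping -WhatIf; where the decision should rest with the resource owner rather than IT, Microsoft Entra access reviews implement the same periodic check with the owner in the loop.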