Top 9 Office 365 governance tools
In the last couple of years, Office 365 has evolved into a robust cloud collaboration platform. It has been reported that in 2019 it reached 180 million monthly active users, with SharePoint seeing a 60% growth in active users and with 13 million users using Microsoft Teams every day.
With all these users generating gigabytes of content and creating new Office 365 Groups and workloads, it is important to define an effective governance strategy, supported by Office 365 governance tools, for every site, group and team owner to follow. Here is our list of the top out-of-the-box tools that can help give you a head start with your Office 365 governance.
1. Restrict Office 365 Groups creation to prevent sprawl
When Office 365 is freshly introduced to employees, letting everyone create Office 365 groups through self-service is an ideal way to strengthen Office 365 adoption. But, as the Office 365 tenant grows, administrators might discover that groups have sprawled all over the place and the growth needs to be contained.
By restricting the creation of Office 365 groups to only a selected number of people, you can put an end to group clutter. For more information on group creation restriction, check out our Office 365 Groups governance blog or take a look at our detailed webinar that explains how you can avoid sprawl.
2. Office 365 Groups naming policy
The naming policies for Office 365 Groups can come in handy when you want to name all your groups in a uniform way. This built-in setting helps Office 365 admins curb the sprawl of groups and introduce order. While it has some cool-looking options such as appending suffixes and prefixes for groups, in my opinion, it still misses some useful features.
The other component of the group naming policy allows you to define a list of words that are not allowed to be part of the group name, e.g. “CEO” or “legal”.
3. Office 365 Groups Expiration Policy
Since all end-users are able to create groups from a large variety of workloads, such as Outlook, SharePoint, Planner, Teams, and Power BI, clutter is bound to happen if you don’t pay attention.
If you check the table below, you’ll see the entire list of workloads from where you can create Office 365 Groups. The problem is that creating one of these other workloads automatically creates a new group, which, most of the time, the creators are not even aware of.
With the Office 365 Groups expiration policies, you can set up a system that is going to periodically check if a group is used and make the group owner responsible for verifying that.
4. Dynamic Office 365 Groups Memberships
For groups with many members, manually updating group membership can be a challenging task. This is where dynamic group memberships enter the game. This option allows you to change members of a group based on Azure Active Directory user properties like Department or Manager.
5. Office 365 Groups Classification
If you have ever been tasked to go through a list of groups and clean up the clutter, you have probably realized it is a challenge to understand what kind of data a group holds based on just its name.
Luckily, there is a helpful option, named Office 365 Groups classification. This feature allows you to define one more level of classification based on information type or some other internal way to differentiate groups. Some examples might include “Standard”, “Secret” or “Top Secret” type of classification.
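Group creation restriction, the naming policy and classification (sections 1, 2 and 5) are all values of one tenant-wide directory setting, so they can be configured together. The script below is an added example, not code from the original article; it assumes the Microsoft Graph PowerShell modules, a hypothetical security group named "Group Creators", and a constructed `GRP_` prefix.

```powershell
# Added example: set the tenant-wide "Group.Unified" directory setting.
# Assumes the Microsoft Graph PowerShell modules and an admin sign-in.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'Group.Read.All'

# Hypothetical security group whose members keep the right to create groups.
$creators = @(Get-MgGroup -Filter "displayName eq 'Group Creators'")
if ($creators.Count -ne 1) { throw "Expected exactly one 'Group Creators' group." }

# Desired values. The prefix is a constructed sample; the blocked words and
# classification labels are the examples named in the sections above.
$desired = @{
    EnableGroupCreation           = 'false'
    GroupCreationAllowedGroupId   = $creators[0].Id
    PrefixSuffixNamingRequirement = 'GRP_[Department]_[GroupName]'
    CustomBlockedWordsList        = 'CEO,legal'
    ClassificationList            = 'Standard,Secret,Top Secret'
    DefaultClassification         = 'Standard'
}

# Turn a name/value hashtable into the list shape the settings API expects.
function ConvertTo-SettingValue ([hashtable]$Table) {
    $Table.GetEnumerator() | ForEach-Object { @{ name = $_.Key; value = [string]$_.Value } }
}

$setting = Get-MgBetaDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if (-not $setting) {
    # No settings object yet: create one from the Group.Unified template.
    $template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
    $setting = New-MgBetaDirectorySetting -BodyParameter @{
        templateId = $template.Id
        values     = @(ConvertTo-SettingValue $desired)
    }
} else {
    # Merge into the current values so unrelated settings are sent back unchanged.
    $merged = @{}
    foreach ($v in $setting.Values) { $merged[$v.Name] = $v.Value }
    foreach ($k in $desired.Keys)   { $merged[$k] = $desired[$k] }
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter @{
        values = @(ConvertTo-SettingValue $merged)
    }
}

# Read the values back so the change can be attached to the change record.
(Get-MgBetaDirectorySetting -DirectorySettingId $setting.Id).Values |
    Sort-Object Name | Format-Table Name, Value
```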
6. Hide Office 365 Groups from the global address list (GAL)
The global address list, or GAL, is a collection of mail-enabled recipient objects from Active Directory that is automatically created by Exchange and includes every mail-enabled object listed in Active Directory.
Even though each Office 365 group gets an email address, you might want to hide some of the groups from the global address list. For example, if you have a legal department group that you don’t want to show up in the address list, you can hide the group using a simple command in PowerShell.
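The PowerShell command mentioned above is `Set-UnifiedGroup` with `-HiddenFromAddressListsEnabled`. The following added example (not part of the original article) goes one step beyond a single group and hides every group carrying a sensitive classification; it assumes the ExchangeOnlineManagement module and the sample labels “Secret” and “Top Secret” from the classification section.

```powershell
# Added example: hide sensitively classified Office 365 groups from the GAL.
# Assumes the ExchangeOnlineManagement module and an Exchange admin sign-in.
Connect-ExchangeOnline

# Sample classification labels taken from the classification section above.
$sensitive = 'Secret', 'Top Secret'

# Select groups that carry a sensitive label and are still visible in the GAL.
$targets = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.Classification -in $sensitive -and -not $_.HiddenFromAddressListsEnabled }

foreach ($group in $targets) {
    # -WhatIf only reports what would change; remove it after reviewing the list.
    Set-UnifiedGroup -Identity $group.PrimarySmtpAddress -HiddenFromAddressListsEnabled $true -WhatIf
}

# Verification: list every group that is currently hidden from the GAL.
Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object HiddenFromAddressListsEnabled |
    Select-Object DisplayName, PrimarySmtpAddress, Classification
```

Hiding a group from the address list changes only its visibility; membership and permissions on the group's content are unaffected.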
7. Office 365 Groups Access Reviews
With this Azure AD feature, administrators can define routine checks to be performed against your groups and their members. This feature is designed to help you verify whether users, most notably external users, should continue to have access to a particular group.
Such controls make a lot of sense for groups that contain very sensitive information or where membership changes often. Owners can review group access and update group memberships when informed.
8. Entitlement Management
Entitlement Management is a comprehensive solution based on Azure AD. It allows companies to group similar resources such as Azure AD Groups, Office 365 Groups and SharePoint sites, enabling users to access combined resources at once and simplifying the overall access management.
Entitlement management can control who has access to what and, through recurring access reviews, ensures users don’t retain access.
9. Privileged Identity Management (PIM)
Privileged Identity Management lets you manage, control, and monitor access within your Azure AD organization.
To use PIM, one of the following licenses is required:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
Privileged Identity Management lists active access reviews you are assigned to complete, whether you’re reviewing access for yourself or someone else.
It also displays a dashboard and settings for Privileged role administrators to manage Azure AD roles.
Office 365 Governance Tools Licensing Costs
This concludes our list of the most helpful Office 365 governance tools. In the table below, we are going to outline the licensing requirements for each of these tools to help you calculate your licensing budget.
| Feature | License requirements | Additional notes |
|---|---|---|
| Restrict Groups creation | Azure Active Directory (Azure AD) Premium 1 | The Azure AD Premium licenses are required for “group creators”. |
| Office 365 Group Naming Policy | Azure Active Directory (Azure AD) Premium 1 | The Premium license is required for: everyone who is a member of the group; the person who creates the group; the admin who creates the Groups naming policy. |
| Office 365 Group Expiration Policy | Azure Active Directory (Azure AD) Premium 1 | The Premium license is required for: administrators who configure the settings; the members of the affected groups. |
| Dynamic Memberships of AD Groups (e.g. based on department) | Azure Active Directory (Azure AD) Premium 1 | The Premium license is required for each unique user that is a member of one or more dynamic groups. |
| Group classification | No special license required. | / |
| Groups are hidden from GAL | No special license required. | / |
| Access Reviews | Azure Active Directory (Azure AD) Premium 2 | The license is required for the following users: administrators who create an access review; group owners who perform an access review; users assigned as reviewers; users who perform a self-review. |
| Entitlement management | Azure Active Directory (Azure AD) Premium 2 | Using this feature requires an Azure AD Premium P2 license. |
As indicated in the table above, you will need Azure Active Directory (Azure AD) Premium 1 or 2 to use the majority of these features. To use some of them, you will just have to license a smaller subset of your users, but the rest of them require you to purchase licenses for most of your users.
Here are the key differences between Plans 1 and 2 when it comes to Office 365 Governance.
| Feature | Azure AD P1 | Azure AD P2 |
|---|---|---|
| Dynamic groups | | |
| Group creation permission | | |
| Delegation | | |
| Group naming policy | | |
| Group expiration | | |
| Usage guidelines | | |
| Default classification | | |
| Access reviews | | |
| Entitlement management | | |
| List price (per month/user) | $6 USD | $9 USD |
There are different ways of procuring Azure AD Premium, most notably through one of the Microsoft 365 packages. This concludes our post. Make sure you understand the key benefits of the tools and the different pricing and packaging options presented in this post. Check out our Microsoft 365 governance tool – Syskit Point!