Office 365 Governance Essentials: Part 3 – Identifying Governance Needs

This is part 3 in a series of posts about Office 365 Governance. The first post was about making use of the Weekly Office 365 Changes Digest. Doing so is an essential part of change management. The second was about the work of an Office 365 Governance Team. In this post, I will talk about the many kinds of governance questions a governance team could address. Which ones it actually addresses is up to the team, based on the needs and priorities of the business.

In no particular order, I present to you a selection of governance questions for you to ponder.

Admin Account Governance

Governance policies for Office 365 Administrative Accounts address the following questions:

  1. Should accounts with administrative privileges have usernames that follow a particular naming convention? One such convention is prepending the prefix “admin-” to an administrator’s regular user account name. For example, if the administrator’s regular account is jsmith, his or her admin account would be admin-jsmith.
  2. What rules should be defined, communicated, and enforced about appropriate usage of admin accounts?
    1. Guidelines I’ve seen used include:
      1. Use your admin account for any activity that requires elevated permissions
      2. Use your regular (non-admin) account for regular work (e.g. knowledge worker work, as opposed to system administration)
    2. Just-in-time permission granting to admin accounts is ideal but beyond the capability of many organizations. Separating admin accounts from regular accounts is the next best thing. Use of multiple web browsers can make it easier to segregate one’s non-admin identity from one’s admin identity. For example, use one web browser for non-admin work, another for admin work on your production Office 365 tenant, and a third browser for work on your dev/test Office 365 tenant.
  3. Who needs to have an admin account and what level of administrative permissions are needed, including in the Office 365 Admin Portal, the Security and Compliance Center, and in Azure AD?
    1. For example, what admin permissions does the helpdesk need to have? Who should have full Global Tenant Admin rights versus who should have one or more granular admin permissions?
  4. Should there be consistency between admin rights in your on-premises AD environment and your SaaS environments? For example, if your SharePoint admins are responsible for both SharePoint on-premises and SharePoint Online, do they use the same admin accounts for both?
  5. What Office 365 licenses should admins have, if any? The needs can depend on what services they administrate.

SharePoint Site Governance

  1. Who gets to create a site?
  2. Should there be a workflow or approval process for site creation?
  3. Which site templates will be permitted?
  4. What do we need to know about every site in our environment?
  5. How do we avoid abandoned sites? Is it important to?
  6. Do we need to back up our SharePoint Sites?
  7. How do we manage access to our sites?
  8. What do we expect of site owners?
  9. What rules do we have about external access to sites?
  10. How many site owners must a site have?
  11. How do we handle site owner training?
  12. How do we handle site owner transition?
  13. What compliance or regulatory requirements affect our use of SharePoint?
  14. How does Microsoft Teams affect our usage of SharePoint?
  15. How do Hub Sites affect our use of SharePoint?
  16. Do we customize the access request process?

OneDrive Governance

  1. Do we allow external sharing?
  2. If we allow external sharing, how often do we review who has access?
  3. What compliance or regulatory requirements affect our use of OneDrive?
  4. Who is responsible for applying legal holds?
  5. What is appropriate usage of OneDrive at our organization? How is that being communicated to users?
  6. What OneDrive training needs to be provided to managers regarding when one of their direct reports leaves the organization and they get notified about access to the user’s OneDrive?

Information Governance / Data Governance

  1. What policies, procedures, and settings do we put in place to manage sensitive information (social security numbers, PHI, customer lists, etc.) and compliance requirements?
  2. What do we do regarding records management?
  3. What are our policies about document retention as they apply to SharePoint and OneDrive?

Microsoft Teams Governance

  1. Who can create a Team?
  2. Do we limit or monitor Team creation? For example, one organization I work with does not limit Team creation, but monitors it so that every time a new team is created, IT staff reach out to the creators to offer training.
  3. Do we put a Team expiration policy in place?
  4. Do we force Teams or their underlying Groups to make use of a naming convention prefix?

Service Configuration Process Governance

  • What changes made in the Office 365 Admin portal should be under strict change control?
  • Which changes in the Office 365 Admin portal should not be under change control?

    For example, user management changes done through the Office 365 Admin Portal are not considered subject to change control. However, changes that disable or enable application access for all users would be under change control. Changes that control what applications are available for the end user to download may or may not be under change control. It’s again up to the Governance team to decide that.

General Usage Governance

It’s up to the governance team to determine what “When to use what” advice to provide to end users. For example, when to use Teams versus Yammer or Sway versus PowerPoint? The answers depend on the organization as much as they depend on the use case. For example, the difference in use cases for Teams and Yammer is more significant with a larger organization (for example, 3000 users) as opposed to a small organization (15 users).

Other questions on general usage include:

  1. How often do we monitor usage of a given workload?
  2. How is success of our adoption efforts measured?
  3. Do we integrate with the HR Onboarding process and provide O365 training to new employees?

License Governance

There are a variety of licenses for Office 365 and related product services.

  1. Which license or licenses do we use?
  2. What rules do we put in place to guide which users get which licenses? For example, a mix of E3 and F1 licenses is not uncommon. How do we determine who gets which kind?
  3. Are there license options that need to be adjusted when a license is assigned to a user?
  4. Is license assignment automated as part of an automated user provisioning process?
  5. Are licenses reclaimed when a user leaves the organization?
  6. Who makes decisions about license purchases?
  7. Do you buy your licenses monthly or annually? From Microsoft or a reseller?

Conclusion

At times, governance of Office 365 can seem overwhelming. There certainly are enough choices to make. If you find yourself overwhelmed by the choices, don’t panic. Prioritize the aspects of governance that are important to your organization. If you need help, rely first on your governance team. Microsoft and Microsoft Partners can also provide assistance. Of course, it can also help to compare notes with your peers at other organizations. Join an Office 365 users group near you, or attend (in person or via web meeting) the Office 365 Adoption User Group (Chicagoland Chapter).