Retro fitting governance into MS Teams as an interim measure


Hi,

First a disclaimer – I am an information governance and exploitation professional, not an MS365 Technology specialist so please forgive any naive terminology or poor grasp of M365 technology concepts – and please feel free to correct any of these that may occur!

I am grateful to the generosity of MS365 specialists for all the wisdom and experience they share here and publicly online. However I am still searching for recommendations, experience and case study examples of the following, all-too-common scenario.

The IT team – very much a traditional tech support set up – has been asked to reduce costs by senior management. They decide to move from client-server file-shares and MS Office apps to cloud-based Office365 and call it “an infrastructure and desktop replacement programme”. The reality is they rush into uncontrolled use of MS Teams and OneDrive as a result of this programme. People/teams experiment with the new, juicy treats they are presented with and absolutely love how it supports their immediate individual, team and third party working. Then bad stuff starts to happen – familiar issues of the “old digital world” multiplied by 100 – from inaccessibility of files on network shared directories because members of new Teams workspaces choose to MOVE files, wholesale from network shared directories to Files in their Teams workspace so others, not members of the Team can’t access them any more, to inappropriate conversations, and especially private chats in Teams including risk-laden personal data – because the chat environment just feels so informal.

As someone tasked with resolving this – when the organisation realises they have a total vacuum when it comes to actual expertise management and governance of digital information itself, I absolutely know what my big game plan is – and have loads of great advice provided about lessons learnt re governance in Teams/OneDrive as well as the order of roll out for MS365. What I cannot find is shared experience/steps to address the transition from where we are now to where we want to be – interim governance rules and actions which enable the organisation to continue to derive benefit from the undoubted benefits of collaboration and comms in MS Teams, and maintain the precious buy-in from users, while mitigating the sometimes-very-scary risks that this new, uncontrolled digital working environment has introduced – much of which is lost/invisible to those who are working in it. Awareness and training and actually getting the organisation to look, holistically at its actual requirements, I get. It is support, advice and experience for the transition that I am looking for. Apologies for the length of my question – thanks in advance for your responses.

——————————
Heather Jack
Consulting Director
HJBS Ltd
——————————



Hi Heather,

In my opinion the very first step you will want to take is to pull together a Governance plan – define precisely who is responsible for areas of the tenancy, and how you expect staff to use specific workloads. This governance plan will almost certainly dovetail with a future architecture – i.e. a structure of Teams and SharePoint sites, probably involving SharePoint Hub – so that ownership of different elements can be distributed across the organisation.

The next question you will want to ask yourself is what precisely do we need from the future state in order to manage sites in the future. Typically, I’d expect most organisations to require naming conventions for new sites, and possibly some concept of the type of site, its purpose and possibly even its expected lifespan. You might even consider concepts such as whether you need the site to have a Site Classification, whether the content needs to be considered for its sensitivity and whether content needs to be retained for specific durations.

Once you’ve established the controls you need to get in place on each Team / Site, you then need to work out how to ensure these are applied. For example, can you trust your staff to abide by governance rules that you define? (In fact, can you even delegate all the controls you need to staff so that they can undertake governance themselves?) Typically, most organisations reach this point and realise that they need some form of processes to ensure that your governance requirements are consistently applied to new sites. While in theory this can be done after sites have been created – possibly by triggering a process (whether manual or automated) to configure the site/team as required after it has been created, it’s far more common to see organisations decide that they need to prevent staff from creating new un-governed workspaces (Sites/Teams). As such, many organisations choose to disable self-service site / team creation and replace it with their own process for provisioning new sites. While it’s possible for a smaller organisation to centralise the creation of new sites/teams and build each that is required manually, most organisations (certainly those with more than a few hundred staff) will need to consider automating the creation of new workspaces.

The above steps will help you to create a more controlled future architecture. However, you will still have a legacy problem with any sites / teams that pre-date the introduction of the new provisioned-governance process. There are various strategies you might consider to reduce the scale of the legacy/un-governed sites (which will depend upon the resources and timescales that you have at your disposal, and also upon the complexity of the customisations that have been made in the un-governed sites (e.g. are there any SPFx web parts? Are there any Power Automate workflows or PowerApps deployed in these sites etc.)). While any number of approaches could be taken, it’s probably easiest to encourage people to move/migrate over to a new governed workspace themselves (possibly with some central assistance). Alternatively, you could attempt to apply the governance you need to existing sites. Either way the process can be pretty painful (especially if you already have thousands of sites/teams to work through).

I guess, if at all possible, I’d attempt to stop the growth of the problem as soon as you can – perhaps by disabling self-service, and asking for requests to instead be submitted to a central IT team for approval – however, I recognise that this is easier said than done (especially if the central team isn’t resourced for the additional workload). I guess what I’m saying is as you’re no doubt aware, doing nothing isn’t an option as the governance headache will continue to grow – the sooner you can disable self-service site / team creation (ideally with a new provisioning process to replace it) the better.

More than happy to answer questions if you have any.

Rob Bath
Office 365 Solution Architect
London, UK

——————————
Robert Bath
Information Management & Compliance Practice Lead
Intelogy Ltd
——————————


Heather,

While I agree in principle with the things Robert has suggested, I’m actually going to suggest what I see as critical “pre-work” before diving into any of those activities. Especially given your statement that you are an IG pro already, so I assume the vast majority of what he has listed are things you already have a handle on/plan for (probably even templates). And this comes far more from the transformation/change management perspective. I would strongly recommend going to your exec and management (or the client’s given that HJBS is a consultancy), and getting them to come clean about what their REAL expectations are for the technology. And this is especially driven by:

  • What they are actually willing to fund
  • How much of THEIR time and effort they are actually prepared to invest to actively support their expected outcome(s)

The answers to these questions could save you a great deal of effort (as you can imagine!).

Why? Well, because my experience has shown me that organizations that have exec/management and/or IT that view M365 as an “infrastructure” solution are very, very difficult to get moved towards truly understanding and embracing it as an information management solution. Is that the hill you want to die on in vain?

Now, IF you get believable answers that support genuine buy-in for it becoming an information management solution, THEN you can start looking at taking the IG plan you undoubtedly already have drafted, and look at ways to instantiate the controls you want (HIGHLY recommend acquiring and implementing one of the solutions on the market for automating and auditing this) within the technology.

Just my 2 cents.


Hey Lorne,

We were clearly typing responses simultaneously! Engagement with the Exec is right up there on my agenda. Ultimately the business does not know what O365 (MS365?) actually really is, what it can offer, how many different approaches there are etc… and even more fundamentally, how their actual business requirements strategic / legal&compliance / operational relate to each other and what is needed/available to meet them in terms of IG, IT and Comms – and indeed the need to align and integrate these supporting elements rather than viewing and treating them as separate, unrelated workstreams – not to mention risk, compliance and performance management. From my experience, this organisation is by no means unique – I think what is new is the recent improvements and advances that Microsoft have made as they have moved into M365 world, which makes it a much more compelling proposition as a platform for digital working. However, because it is by no means a “new kid on the block”, the majority of organisations have got a legacy relationship with MS technologies that makes the transition stage really challenging, but I truly think that there needs to be more focus on managing that transition than we have seen up to now … or am I just havering 🙂

Cheers
Heather

——————————
Heather Jack
Consulting Director
HJBS Ltd
——————————



In terms of the transition, my suggestion is to let the staff for this client continue to do what they’re doing while you build, deliver, measure, and optimize the education (as opposed to “training”) of the exec, management, and staff of all the aspects you just pointed out. THEN, you can start to really focus on the more ‘mechanical’ transition work where you should then have considerable support and enthusiasm from some reasonable percentage of the participants.

Or, at least, that is what I would do if at all possible to save more dents in my head from “the wall”. Ya know?

And if that’s not possible? Then resort back to the consultant 101 and tell the client the time with their own watch. I’m confident you know what I mean.


Thanks Lorne,

That’s exactly my plan – with one proviso – address any medium to high risks faced by the organisation as a result of what they are currently doing.

Cheers
Heather

——————————
Heather Jack
Consulting Director
HJBS Ltd
——————————



Thanks so much Robert,

I totally agree with you in terms of moving ASAP to proper requirements gathering, planning and implementing O365 holistically. My key issue is, as you also mention, managing the legacy stuff and also managing the “people” side of things. I am developing an interim governance policy for use of current Teams and OneDrive and also an action plan to manage the transition from the uncontrolled O365 world that currently exists to the holistic, good practice approach that should have been adopted from the start. I may be delusional, idealistic or just simply ignorant, but my hope is that we can maintain some of the buy-in, momentum and “immediate working/collaboration” business benefits that the organisation is already getting from its O365 experience, albeit with some restrictions through interim governance rules that will adequately mitigate the current risks and issues that the approach to date has created. Worst case scenario is we simply stop all use of teams, but I want to avoid this if possible because of the negative impact this will have from a change management/culture/buy-in perspective.

This is the area in which I am finding it hard to find any advice, guidance or shared experience – interim/transitional governance rules and actions. Once I am through this phase – and when I get eureka moments on the journey – I will be happy to share my own experiences and outputs with the community.

Cheers
Heather

——————————
Heather Jack
Consulting Director
HJBS Ltd
——————————
