Downloaden Sie, um offline zu lesen
Hochgeladen vonRencore
How to achieve easy and efficient Microsoft 365 Governance
We’re excited to have Greg Bowles from the Specialist Risk Group (SRG) and Alex Eggar from Yoko:10 on the webinar to talk about their first-hand experience with a tool-based governance approach, how they identified the need for it and how they were able to build value from the tool having to address all angles ranging from ongoing management, administration, security, usability, and adoption.
How to achieve easy and efficient Microsoft 365 Governance
- 1. rencore.com How to achieve easyand efficient Microsoft 365 Governance! 22/09/2021
- 2. rencore.com Introductions Rencore, Specialist RiskGroup and yoko:10
- 3. rencore.com Rencore B2B software company Providingsolutions essential for organizations to stay in control of Microsoft Office 365, SharePoint, Teams Azure and the Power Platform. Empower organizations to identify, manage and mitigate risks of uncontrolled platform growth & unmonitored customizations.
- 4. rencore.com 433 full-time employees. 13offices across the UK. 10 acquisitions over the past 2 years. Moved to Exchange Online Q1 2019. Launched a new SharePoint Online intranet Q3 2019. Started rolling-out Teams and OneDrive late 2020. “We are specialists. We specialise in creating solutions to challenging risk transfer questions.” Specialist Risk Group (SRG)
- 5. rencore.com yoko:10 Consultants with along history of governance planning and adoption. Experience with Rencore’s previous product set. Joined the Rencore Governance preview programme in August 2020. Been assisting SRG with their Microsoft 365 roll-out since late 2017. Our work with SRG has included strategy and governance planning. “yoko:10 are all about Microsoft consultancy. We specialise in three core areas; Microsoft 365, intranets and governance.”
- 6.
- 7. rencore.com Defining governance inMicrosoft 365 Governance planning and decisions Security and Permissions Information lifecycle Usability Adoption Configuration Communications Training Admin and management
- 8. rencore.com SRG - Thecase for Rencore Governance Recent roll-out of OneDrive and Teams across the organisation. Emerging use of Power Platform, both strategically and “self service”. Potential “sprawl” as adoption increases. Many disabled accounts, linked to acquisitions and leavers. Changing license requirements, due to acquisitions and recruitment. Reassurance that identities and data are secure. “With further acquisitions planned, and Microsoft 365 adoption increasing, anything to further support goverance and reporting is a huge benefit to SRG ”
- 9. rencore.com The Approach 1. General governanceand management 2. Governance of individual services 3. Automation Product Demonstration – available data, features and potential use cases
- 10. rencore.com 1. General governanceand management The quick wins
- 11. rencore.com Considerations and Priorities Whatinformation is shared externally? How is it being shared? When employees leave SRG, are their accounts being correctly managed? Are M365 licenses being correctly assigned? Do we have enough? What guests accounts do we have? Are they active? Where are they used? Are employees making effective use of the available services? Are we managing the lifecycle of content effectively?
- 12. rencore.com The Dashboards Adoption De-Clutter.External Access ID / Info Protection Licensing Offboarding.
- 13.
- 14.
- 15.
- 16.
- 17. rencore.com 2. Governance ofServices Teams, OneDrive, SharePoint, Power Automate
- 18. rencore.com Defining Governance forM365 Services Review the existing governance plan and governance decisions. Make any further additions or changes. Confirm what can be monitored in Rencore Governance. Confirm dashboard requirements, both current and longer term. Create dashboards “Governance discussions, and subsequent decisions, ensure all key aspects of your Microsoft 365 deployment are considered.”
- 19. rencore.com Governance Decisions A Teamshould always have 2 owners, but no more than this. Private Channels can be used, but only when necessary. Team names should follow a standard naming convention. OneDrive shouldn’t be used to store team or departmental files. Production flows should run under a dedicated service account. All employees must have an EM+S license assigned.
- 20. rencore.com Microsoft 365 ServicesDashboard
- 21.
- 22. rencore.com 3. Adding Automation Remindersand triggers
- 23.
- 24.
- 25. rencore.com Automation steps forlow licenses Current Proposed On violation of “Low License” check. Send an HTTP request to Power Automate Execute flow to order licenses, following confirmation from IT On violation of “Low License” check. Send an email to IT with relevant details.
- 26. rencore.com 1. General governance and management 2.Governance of individual Services 3. Automation Summary Review product capabilities and use cases Governance planning
- 27. rencore.com Benefits How Rencore Governanceis supporting SRG
- 28. rencore.com The benefits we‘reseeing We have one place to view the majority of M365 usage and activity. We have early visibility of problematic or risky configuration and activity. We see how employees are using M365 and support them where needed. We have visibility of unused and unneeded content. We can better manage our onboarding and offboarding process. "Rencore allows us to view the information that is available in M365 in one place, in a simple, contextual way. Thas where Rencore really excel."
- 29. rencore.com Considerations and Priorities Greg Statusof user accounts and licenses? What’s been created and is it being used? Are there any security or data breach considerations? “With further acquisitions planned, and the adoption of Microsoft 365 increasing, we knew where additional insights were required”
- 30. Q&A • hello@yoko10.com • +44114700 6070
- 31.
Hinweis der Redaktion
- #3 0o
- #4 *CHARLES*
- #5 *GREG* Thanks Charles and Welcome to Specialist Risk Group. We are a specialist insurance broker based in the UK and Ireland. The clue is in the name 'Specialist', we do specialist insurance from jewellers, to trade credit to equestrian insurance and so on. The company has been on a huge M&A trail over the last 2 years acquiring specialist business enabling us to offer a wider variety of products to our clients. This has caused us to grow from 180 members of staff when I joined in April 2019 to now just shy of 450 members of staff. Working alongside yoko10 and Alex, they have helped us in moving to Exchange Online, deploying a company intranet and in our most recent project rolling out Teams & One Drive. That leads me on quite nicely to handing over to Alex to introduce Yoko10. I will now pass over to Alex to give a brief background on yoko10...
- #6 *ALEX* yoko:10 provide consultancy service for all aspect of Microsoft 365 and SharePoint. We have a particular focus on intranet solutions and planning, governance and adoption of Microsft 365 collaboration services. Our consultants have long background in delivering SharePoint projects. That means we also have extensive experience with adoption and governance, as this has always been key to these types of project. We have worked with Rencore products previously, specifically we dealing with highly customised and complex SharePoint migrations. Because of the prior relationship, we were invited to join the preview programme for Rencore Governance in August last year. We attended some sessions to understand more about the product and straight away could see the benefits and some of the existing gaps in Microsfot 365 reporting that it filled. We then proceeded to onboard a couple of our customers, one of these being specialist risk group. We started working with SRG when they first moved to Microsoft 365. The early stages of the engagement focused on strategy and governance planning, to ensure some consistency in how the tool were used and administered, and also clear messaging for the business around that. This is why they were an obvious candidate for Rencore Governance.
- #7 *ALEX* For the remainder of the webinar we aim to provide an overview of how yoko:10 and SRG worked together to define goverance for Microsoft 365, and then how Rencore was used to proactively monitor those governance decisions, and support the ongoing administration of SRG’s Microsfot 365 environment.
- #8 *ALEX* For us, Governance is something that underpins every successful Microsoft 365 deployment. The upfront governance discussions, and subsequent decisions, define the configuration, training and communications associated with the roll-out of Microsoft 365. Your governance decision touch on all aspects of your Microsoft 365 deployment, including security, permissions, information lifecycle, usability and adoption. If you think about Teams as an example; Will Teams by public or private by default, will we allow guest access, will be apply expiration policies to help manage the lifecycle, will we restrict channel creation to Team Owners, Another key aspect of Microsoft governance is what to use when, and what goes where. There need to be clear policies and guidelines outlining the use cases for each Microsoft service and also they type of content or data that should or can be stored in each. yoko:10 worked with SRG to define a strategy and governance plan which covered all of these areas. Rencore Governance did not drive these decisions, instead it provided an easy and effective way to monitor the compliance of those governance decisions. While governance planning had already taken place SRG, around the time that Rencore Governance became available, it felt like the right time for SRG to look at the product, due to a few different factors. Greg’s going to talk a little bit about that now.
- #9 *GREG* Thanks Alex, Although Teams has been used for messaging and meetings, there has been a recent, strategic move to use Teams for file management and collaboration. This included a move to OneDrive for Business for personal file storage which has resulted in increased usage of Microsoft 365 and also an increase in the level of corporate data stored in M365. Employees have also been given access to Power Automate and Power Apps, with some instances being used to manage core business processes. It is key these stay active and also important that IT have sight of what employees are creating. As the various Microsoft 365 services are adopted in SRG we need to ensure they are used correctly (as agreed strategically and as defined by governance) and effectively (avoiding sprawl and promoting good lifecycle management). There are a relatively large number of disabled accounts linked to the onboarding process for new acquisitions, but there are also disabled accounts linked to leavers. We need to be able to differentiate between these and ensure they are being managed through their lifecycle effectively for example allocating and de-allocating licenses, and managing access and group membership. As with all organisations, SRG wants to use every option available to ensure data held in Microsoft 365 is secure and the risk of unauthorised access is minimised where possible. Most, if not all, this information is available in one of the M365 admin centres, but there’s no way to view it in one place, in a simple, contextual way. That’s where Rencore really seemed to excel. Back to you Alex.
- #10 *ALEX* We followed a fairly simple process when planning the deployment of Rencore Governance in SRG. Started with a demo of Rencore goverannce, to show the relevant stakeholders in SRG what information was being gathered when Rencore Goverannce scanned the environment, the ways in with this data could be queried using checks, and how reporting could be provided in the form of dashboards and tiles. We’ll look at those components in more detail shortly. After reviewing the capabilities of the tool against SRG’s requirements, we decided to take a three stage approach. General governance and management – Rather than looking at the governance of specific Microsoft 365 services, we started by looking at the broader us of Microsoft 365, and areas like managing identities, security etc. The aim was to bring this audit, inventory and activity information together into one place AND provide easy to clear simple metrics for key topics or areas of concern. 2. Governance of M365 services – Next stage was to focus on specific Microsoft 365 service and to use Rencore to provide a similar way of reporting on the key governance decision relating to each service. 3. Automation – The final stage was to review the checks that had been created (if you remember, checks are the rules, or queries that identify specific behaviour, items or configuration in Microsoft 365), and see if we could add automation to manage, or alert on any check considered critical. We’ll look at each of those sages in a little more detail now.
- #11 *ALEX* So, as discussed, the fist stage was to create several dashboards within Rencore Governance, each addressing an area associated the wider governance of Microsoft. Greg’s going to talk about a few of the considerations which helped define the dashboard that were created.
- #12 *GREG* When we were working with Yoko10 we had many considerations and priorities to ensure we were covering when looking how to best utilise Rencore. Touching on a couple of the items on the screen, keeping an eye on what guest accounts we have and where they are being used is vitaly important for us. Being a company heavily involved in Mergers and Acquisitions part of our integration process is to invite the staff as guests until we have fully integrated the business into the wider group. It is important these are cleaned up along the way as this can cause sync issues in Azure AD and O365. Keeping an eye leavers accounts, I mean we all know that is hugely important for any business but it is always good to know that the leaver procedures are working and allows us to adapt and learn from anything that may have been missed previously. And lastly, are employees making effective us of the available services has come in very handy with the recent deployment of Teams and OneDrive to the business. Helping us to learn if anyone is resistent to the new products and also if anyone could do with any further training on the systems. I will now hand over to Alex to give a background about our Dashboards.
- #13 *ALEX* After our discussions, we decided on the six initial dashboards for stage 1. I’ll provide you with a brief overview of each one. Adoption – Are employees using the Microsoft 365 services available to them? Are they logging in and actively in use. Are employees being included in security and distribution groups? De-Clutter – Which content repositories (Teams, SharePoint, OneDrive) look like they haven’t ever been used, or are no longer in use? And the same for instances of Power App and Flows. External Access – How many guests accounts do we have in the tenant, and what do they have access to. Also, to what extent are files being shared externally and where are they being shared from? Identity and information protection – Are there active account which don’t have EM+S licenses assigned, and therefore are not sufficiently protected? Has anonymous sharing has been enabled or used anywhere? Licensing – How many licenses are available and how many have been consumed. How many of the consumed licenses are allocated to disabled accounts. Are there licenses SKU’s which need to be ordered? Offboarding – How many disabled accounts do we have? What access do the disabled accounts have and what resources are they consuming? Just going to focus in on a few of those dashboard so you can see some of the detail they provide.
- #14 *ALEX* First want to start by explaining the components of a dashboard Dashboard Tile Check - A check is basically a policy or rule that defines what I want to look for in my Office 365 environment. An example of a check could be “Teams with external sharing enabled.” . What I can’t show you now, but will in the demo, is how I can select any of these checks and click through to view all the instances which have been discovered, and all the properties associated with them. Right, let ‘s look at some of the checks included on the Declutter dashboard. Items and repositories created, but with no activity - were they created but never used, have they finished, should they be archived? Items and repositories created, but with little content - are they being used for chat rather than collaboration? Teams with less than two members - should these be Teams, are they being used?
- #15 *ALEX* General overview of the number of external accounts, can click through and view details of each if I want Where do the guest accounts have access, All group, Teams. Where are files being shared with external users. Not an issue necessarily, but may want to quickly review which Teams are sharing files externally, or even which files are being shared. Which M365, Security and Distribution Groups include guest accounts.
- #16 *ALEX* General overview of disabled accounts, including those with owner or admin roles, or those with licenses. A breakdown of different groups which contain disabled accounts, M365, Security and Disabled. Off the screen, another tile which lists different M365 services which have disabled accounts as owners or members e.g. Teams, SharePoint sites, Power Apps and Flows
- #17 *ALEX* We have an external access dashbo Going to create Create “External File Sharing” tile Create new check for “Groups with external file sharing” For every site collection (Is Group Connected = true) That has Any SharePoint File Sharing (Is External = true) Create new tile – Simple – List Add OneDrive with external Sharing SharePoint Site collections with external sharing Groups with external sharing
- #18 *ALEX* After we’d completed the dashboards relating to the general, wider governance of Microsoft 365, we switched to the governance surrounding specific Microsoft 365 services, namely Teams, OneDrive, Power Automate and Power Apps.
- #19 *ALEX* As mentioned before, yoko:10 and SRG had completed an earlier planning exercise around governance and adoption. We reviewed the documentation and decided if anything needed adding or changing, based on feedback and experience from rolling out the services. We then reviewed the governance decisions against the data available in Rencore Governance. This allowed us to define the checks and tiles we could creates. Greg’s going to talk about some of the governance decisions defined by SRG, and
- #20 *GREG* yoko:10 and SRG discussed best practise and other considerations, related to the rollout and adoption of Microsoft 365 services. This resulted in a number of key governance decisions for Teams, OneDrive Power Platform etc. A few of which are highlighted here. Private channels – Use of private channels is fine, but when there are too many private channels within a Team, multiple Teams may be a better solution, or the owner may not understand other options available. Managing permissions correctly across many private channels is not only time consuming, it also introduces the risk of incorrect permissions and data breaches. Employee with a large number of OneDrive files, or sharing a large number of file from OneDrive, may indicate they’re storing files in OneDrive which may be better stored within a Team. All SRG employees have an EM+S license assigned. This provides additional protection for their identity and also when accessing data on personal and corporate devices. Identifying any account where this is not the case reduces the potential for malicious access. I will hand back to Alex to explain the Microsoft 365 Services Dashboard.
- #21 *ALEX* We then proceeded to create a single M365 services dashboard, which included a separate tile for Teams, OneDrive, Power Automate, Power Apps and SharePoint. We could have create separate dashboard for each service -> You can see from the Teams tile that we’re monitoring ….. This will likely extend as new ideas come up, or new features are added.
- #22 *ALEX* Decided against dashboard per service, with details tiles per check. This was because, at the moment, trends and historical data isn’t particualrly important to SRG. Easy to re-configure to this format later, as all checks have already been created.
- #23 *ALEX* The final step we took was to add automation to several of the checks we created. This meant the relevant parties in SRG could be notified of important check violations, without being required to browse the dashboards.
- #24 *ALEX* There are several actions currently available in Rencore Governance, each can be triggered by the occurrence of a check violation e.g. a new Team being identified as having only one owner. For now, we just wanted to inform SRG’s IT department when some key checks were flagged. Two of these were active accounts without and EM+S license and licenses with very low numbers. To meet these requirements, we were able to create simple automation tasks using the “Send email” action.
- #25 *ALEX* Simple GUI based email editor which allows variable and check properties to be added to email content.
- #26 *ALEX*
- #27 *ALEX* Greg’s going to talk about some of the benefits SRG are now seeing.
- #28 *ALEX*
- #29 *GREG* Thanks Alex, I think the points are pretty self explanatory on the screen however, Rencore allows us to see all this useful information in one portal having visibility to review of any potential problematic activity. It allows us to learn where we can improve the housekeeping and internal processes for the business along with helping us to uunderstand how the employees are using the services and if there are any key areas that we need to provide further support on.
- #30 Rather than focusing on the governace decisions of individual services, we looked at the inventory and auit info to focus on specific scenarios