This post is based on our recent virtual lab, “Cleaning Office 365/ Microsoft Teams Sprawl with Cloud Governance.” Watch the full session here!
There’s no denying that Microsoft Teams is an exceptionally useful tool. It offers tons of functionality in a single interface: chat, dedicated Teams, channels, tabs across the top for files and other applications, and so on. However, all of that functionality often results in users creating Teams and channels for single uses and never touching them again.
As business users, they’re just leveraging the tool. But on the IT side, that’s a lot of users creating a lot of Teams, which can subsequently result in increased storage costs and decreased usability/discoverability. So, what’s the best way to combat that?
What About the Microsoft Teams Admin Center?
If you’re an IT admin working with Microsoft 365, you’re probably fairly familiar with the Microsoft Teams Admin Center by now. Aside from being able to get an overview of all the Teams in your tenant and glean some basic information about them, the admin center can be used to set up policies and even org-wide settings to govern what employees can do in Teams. However, there are often exceptions to org-wide settings (needing to add external users to a Team, for instance) that can cause issues.
Restricting who can create Teams is another route admins typically take when trying to keep sprawl under control. However, this will only result in more work for admins; users will ping them all day long asking for new Teams and channels to be manually added for various projects. This restriction also limits the core functionality of Microsoft Teams, ensuring that your organization doesn’t get to use it to its full potential. What you need is a way to identify and apply your governance requirements without limiting functionality for end users.
Considering policies for how new Teams will be created is important, but most of you already have existing Teams that weren’t created with your ideal regulations. This is why the ability to import existing Teams that you have no oversight over is so useful.
AvePoint’s Cloud Governance solution not only allows you to set rules for how new Teams can be created, but it also lets admins set those same policies for existing Teams by importing them. External sharing settings, inactivity thresholds, and more can be layered on top of existing Teams that were created before you adopted Cloud Governance. This way all of the Teams in your tenant can be governed the same way without compromise.
After you finish the importing process and have control over which Teams are being created, the hope is that you can then get your business users to request new Teams that already have those policies and settings in place.
The MyHub app in Microsoft Teams streamlines this process by integrating directly with Cloud Governance to display all of the Groups, Teams, and Yammer Communities that a user is a part of. Furthermore, users can start a service request directly in the app, including provisioning requests for new Teams. This simple interface makes it easy to track what’s already been created and helps nudge users towards following your policies and keeping everything nice and tidy.
Ideally, it’s best to plan for rolling out Teams ahead of time as much as possible. However, sprawl will likely still happen unless you can lock down who can create Teams and the boundaries in which they can be created. If you don’t, tons of Teams will get created very quickly and you won’t know what the individual settings are outside of org-wide policies.
If you want to gain control over that and set necessary thresholds, your best bet is to import everything and apply policies in-line with what your organization needs.
With today’s reality of remote work and online learning, people need the ability to share content—documents, presentations, photos, videos, lesson plans, you name it—to get work done. And because of this, security around internal and external sharing is more important than ever before. While the ability to share content with colleagues both inside and outside the organization helps people stay productive and connected, you must protect against risks. Accidental sharing of sensitive information or sharing with unintended recipients can pose a threat to the integrity and privacy of your data, people, and devices. OneDrive helps you define secure, virtual perimeters for sharing content, educate people about your policies for secure collaboration, and monitor how people share to discover and address gaps. In this practical guide, you’ll learn about how you can easily manage secure external sharing.
Establishing boundaries to help prevent critical mistakes
The first things to consider when it comes to external sharing are the hard sharing restrictions for your organization. Depending on your business or industry, you may have different requirements that you must meet for protecting sensitive information. You should also consider what behaviors you want to prevent entirely when people in your organization share information. For example, are you worried about users enabling anonymous access to files containing sensitive information, such as financial data, or personally identifiable information, such as credit card numbers, Social Security numbers, or health records? Or are you more concerned about leaking company IP? The best first step is to talk with your Security, Legal, or Compliance teams to understand their requirements.
Another example of how OneDrive helps you establish these specific boundaries is by enabling you to limit external sharing to specific groups of users. For example, Sales and
Marketing may need permission to use Anyone links to share information with a broad number of vendors and customers. On the other hand, you may want to give HR and Finance permission to share information only with external users who authenticate their identities before accessing files. Now, you can add and manage security groups to determine who can share content externally—and who they can share it with. Bottom line, setting up security groups helps reduce the chance that someone who’s busy or distracted will accidently share the wrong information with someone outside your organization or school.
Create security groups to segment users and allow external sharing .
Setting people up for successful collaboration
Collaboration is absolutely critical for both remote work and online learning. But when people are working, security usually isn’t foremost in their minds. The power of OneDrive is that it provides rich capabilities that enable them to share content and collaborate securely by default. In OneDrive, you can set up your organization's policies so that people who tend to click Share and go about their business have less permissive sharing options—and you can also let people choose more permissive options as needed. You do this by specifying the type of link that’s selected by default when people share files in OneDrive: anyone, people only inside the organization, or specific people. You can also set the permission to either view or edit. This way, employees, teachers, or students can’t accidently share information with anyone outside the organization or externally share content that is meant for internal use only.
Set up your organization's sharing policies.
Another great example of helping people be successful is setting up expiration policies. This ensures that external users won’t retain access to your content indefinitely, and helps prompt people in your organization to periodically review who they’ve given access to their files. You can also easily revoke access that was previously granted.
Educating people about secure collaboration
With long daily to-do lists, people are often trying get through tasks as quickly as possible and mark them complete. The last thing you want to do is slow them down by preventing them from sharing files. That’s why we built quick reminders and help into the OneDrive UI to remove some of the burden from your IT help desk. So if you’ve set up your environment for internal sharing only, when someone tries to share a file externally, they immediately see an error message that lets them know external sharing isn’t permitted. You can also set up custom help links, so employees can quickly and easily get in-context assistance and direction, such as instructions for signing up for a training course on protecting company information.
In product error messages help educate users of the organizational policies.
Unfortunately, shadow IT can still pose a problem. If some people need to share information or get feedback on a document quickly, they may choose more familiar apps—or an app suggested by a client--to share files. That’s why you need to help people see why using unapproved commercial apps can pose a security risk—and what tools you’ve provided instead to help make their jobs easier. You can also offer training courses for staff or students to complete for them to be added to a group with external sharing permissions. Creating a portal that people can access for further education around the right apps to use and secure sharing policies to follow can also help to reduce risk from information leakage, especially for new hires or new students.
Monitoring sharing to help keep data—and people—safe
Establishing sharing boundaries for your organization and educating people about your external sharing policies helps you spend less time managing requests and troubleshooting issues, so you can focus on other priorities. Instead, you can monitor OneDrive activity across your organization or school to see what people are doing. Using the information on the Productivity Score page of the Microsoft 365 Admin Portal, you can spot patterns that alert you to abnormal or suspect usage and adjust sharing and security policies to adapt or address issues. Understanding usage patterns can also help you develop and revise education materials to improve information security, which can help lessen the burden on your security team. You can also review audit logs to detect anomalies, such as people who are sharing or downloading more files than usual, and external sharing reports to help you gauge sharing behavior and provide insights that you can use to improve best practices and education across the board.
There’s not one moment when it all changed. The speed of innovation and connection started as a slow creep with the first telephone call in the 1800s, the first email in the 1960s and dial-up Internet. I can still hear my mum telling me to, “Stop chatting on MSN because I need to use the phone!”. Then suddenly we were catapulted into a world where it’s possible to connect with anyone at a moment’s notice. Boundaries around how we connect have been falling at an intense rate, opening a world of opportunity for connection, education, research, cooperation across nations, businesses, and more.
Technology has toppled boundaries everywhere and we’re certainly feeling that in our now hybrid workplaces. We often see boundaries as undesirable because they mean separation, but boundaries can also be protective of our productivity and well-being. In a world where attention is scarce and the lines between individual and collective productivity are blurring, a key capability is developing boundaries of a protective nature.
Protective boundaries in the workplace keep us at our best, ensuring we can give work and people the attention and care required to succeed in today’s workplace. These protective boundaries fall into three categories: today vs. tomorrow boundaries, access boundaries, and social boundaries. So how do we go about setting up healthy boundaries that protect us and how can the Modern Collaboration Architecture – picking the right technology for the task – support?
The Today vs. Tomorrow Boundary
This boundary is about creating the conditions that remind us of our longer-term goals and keep our focus. They shape our environment to focus us on that big chunk of work due “tomorrow” rather than diverting down “today’s” easier path of consuming email, scanning our phones, or looking at cat pictures. Procrastination can be beneficial until, at some point, we need to just get it done. Getting it done is where these boundaries come into play.
When you start your day or week, think about your priorities, whether that’s a daily highlight or a top three for the week. Try using a custom list in ToDo to create your Highlight or Big 3 Lists – your purpose for the week. This helps keep the focus on some of the bigger items you need to make progress on (and keeps you from getting sucked into busy).
It’s great to make the list but what about making the time? Recent research has shown that for the majority of people, somewhere between 07.00 and 12.00 is when they most easily find Flow. What’s your rhythm and when are you at your best? Whether you use MyAnalytics or a simple, recurring calendar block, schedule focus time into your diary and protect that time. Don’t want to get sucked into emails but still want to see your appointments and focus slots for the day? Use the Advanced settings in Outlook options to make it start-up on the calendar (instead of your inbox).
Ever had good intentions to get started on something but then got distracted as you search for the document you want to work on and something else grabs your attention? Try using Task View in Windows 10 to scroll through your documents from the last days and open them directly from there. Focus Assist is also a helpful way to block out alerts when you don’t want to be disturbed.
The Access Boundary
This boundary is about consciously deciding when we are available online or not – when do we jump to reply and when are we unreachable because we are focused on progressing our priorities? When we don’t set this boundary, we notice a feeling of getting pulled into the whirlwind of business as usual, blasting out emails, and feeling busy.
A few years ago, when you started your day, you didn’t used to run out in your pyjamas and answer all your letters immediately. Why do it with email? Turn on your “Focused” and “Other” inboxes and you can teach Outlook which mails have priority for you. If you are going to try something like inbox opening hours, the trick is awareness – put it in your email signature or chat status – so that people know when they can expect a reply. You can also turn off all Outlook alerts except for calendar reminders which puts another barrier in place to stop you getting sucked into email. Set your status to “Do Not Disturb” or the now available “Offline” status functionality.
What about at the end of the day? Fully closing the workday leaves us to better connect with our families, friends, and hobbies. Setting access boundaries that align with our commitments outside of work sets both a mental boundary and a physiological one. Physiologically, always being “on” increases cortisol – a stress hormone – and with it, the risk of burnout. Mentally, creating a level of segmentation helps us focus and transition into the different roles and responsibilities of our home life.
Take a last look through Microsoft Teams and check if any alerts or @mentions need your attention, check what’s upcoming tomorrow, in short do what works for you. Our most important piece of advice is to build a ritual that helps you step away from work and re-focus your attention on your leisure time. Leverage quiet hours on Microsoft Teams mobile and try building in a virtual commute (coming soon to desktop), a great step to help you switch off at the end of the day regardless of your work setting.
The Social Boundary
This boundary is all about how we work with others and our expectations of others and ourselves. Our digital life needs social boundaries as much as our analogue life. In the work context, this means agreeing how we will collaborate and engage with others.
One of our Microsoft subsidiaries benefited when they did this at the organizational level, setting out six rituals for how they work together. These focused on various topics from being fully present in meetings to ensuring that people had and took time to refresh throughout the day. Whilst this seems like a culture topic, technology can also support at the individual level to set expectations.
Try using your status in Microsoft Teams to make it explicit when you are available and in what time-zone. If you do email on the weekend, save drafts in Outlook and send emails when you get into the office on Monday. Whether you’re working across time-zones or just have different rhythms, leverage the power of co-editing, comments, and chat to work more asynchronously when it suits you. Use meetings to focus on discussion and ideas.
We hope this blog gave some actionable tips that are helpful to you and others you work with. We’re definitely still learning, and we look forward to learning with you. What have you tried? Let us know.
Join us in the next blog with a focus on attention in the context of teamwork.
This blog post is a part of our series on the Modern Collaboration Architecture, developed by @Rishi Nicolai, a Microsoft Digital Strategist with over 25 years of experience in leading organizations through change and improving employee productivity. Blog one and blog two can be found under the links.
About the authors:
Emma is a Customer Success Manager at Microsoft and is passionate about bringing the human element into the workplace. She believes technology both enables change and can catalyze wider change efforts if introduced in the right way. Emma is based in Zurich and currently studying for her Masters in Applied Positive Psychology and Coaching Psychology with a hope to leverage this in the organizational context.
Tony Crabbe is a Business Psychologist who supports Microsoft on global projects as well as a number of other multinationals. As a psychologist he focuses on how people think, feel and behave at work. Whether working with leaders, teams or organizations, at its core his work is all about harnessing attention to create behavioral change.
His first book, the international best-seller ’Busy’ was published around the world and translated to thirteen languages. In 2016 it was listed as being in the top 3 leadership books, globally. His new book, ‘Busy@Home’ explores how to thrive through the uncertainties and challenges of Covid; and move positively into the hybrid world.
Tony is a regular media commentator around the world, as well as appearances on RTL, the BBC and the Oprah Winfrey Network.
As organizations, big and small, across the world rely on Microsoft Teams to help enable hybrid work for all their employees, our goal is to help make sure IT Professionals and Teams admins are up to the task. To help you get ready to deploy and manage Microsoft Teams in your organization and deliver the experiences that meet the needs of your users, we have created new Teams training courses and interactive product how-to guides designed to quickly ramp up your Teams admin knowledge base.
At Microsoft Ignite last month, we introduced a number of new Microsoft Teams role-based learning paths, learning modules, and interactive product experiences that are available at MS Learn.
MS Learn provides free, online training that you can work through at your own pace to build skills and earn certifications. Interactive product how-to guides are a hybrid of traditional hands-on labs and click-thru demos that do not require a sandboxed environment for training.
If you need help figuring out where to start your learning journey or just want to browse the new Teams learning content, check out the new MS Learn landing page for Microsoft Teams and the new interactive product how-to guides for Microsoft Teams admins.
Microsoft Teams Learning paths and modules on MS Learn
Below is a list of the latest Microsoft Teams learning content for administrators. Learning paths are full topic learning solutions, while modules are bite sized learning chunks dedicated around a specific task. These are designed for you to learn at your own pace and even includes bookmarks for you to save your progress.
These guides are designed to simulate the hands-on lab experience to guide you through the specific individual steps needed to complete a task. They include an interactive window to perform tasks and a comprehensive script to follow. This script can also be downloaded as a reference to complete tasks on your own Microsoft 365 and Teams environment.
Use the Microsoft 365 Security, Microsoft 365 Compliance, and Microsoft Teams admin centers, as well as Windows PowerShell to manage and configure an Office 365 organization's Microsoft Teams policies and settings.
Learn how to configure and deploy the right Microsoft Teams environment for your Firstline Workforce.
We will continue to create new learning and training content as Microsoft Teams continues to add great new features and capabilities. We would love to hear from you on how we can help better prepare and support your learning journey. We know that not everyone learns the same, so please let us know how and what your needs are to help us evaluate new and exciting learning content!
In this Episode, a follow up to Episode 71. The teams walks through the process of running Microsoft 365 DSC in Azure Automation.
What is MicrosoftDSC?
Microsoft365DSC is an Open-Source initiative hosted on GitHub, lead by Microsoft engineers and maintained by the community. It allows you to write a definition for how your Microsoft 365 tenant should be configured, automate the deployment of that configuration, and ensures the monitoring of the defined configuration, notifying and acting on detected configuration drifts. It also allows you to extract a full-fidelity configuration out of any existing Microsoft 365 tenant. The tool covers all major Microsoft 365 workloads such as Exchange Online, Teams, Power Platforms, SharePoint and Security and Compliance.
Why automate MicrosoftDSC using a runbook?
Ordinarily, you would need to run MicrosoftDSC manually or setup an “agent” on a server to monitor changes in your tenant (tenant drift) which can be cumbersome and not always practical for some environments.
Azure Automation is a service in Azure that allows you to automate your Azure management tasks and to orchestrate actions across external systems from right within Azure.
The following guide shows you what how to setup Microsoft DSC as an Azure runbook. The runbook will monitor for changes in your Office 365 tenant an alert you when any changes do occur.
Getting everything setup in your Azure Tenant
Running MicrosoftDSC requires many prerequisite PowerShell Modules and dependencies to be installed into your Azure Tenant. This quite a cumbersome process so we have created a script to simplify this. **Shout out to fellow MVP Barbara Forbes for the inspiration for this code - https://twitter.com/Ba4bes**
Before running this you will need to do the following things:
This happens way too often. You created a Communication site or a Team Site, gave it a name, hit the Create button, and started collaborating. Nice and easy. Only to find out later that you misspelled the name. Or maybe the team or project name has changed, and not you ended up with an old URL. Well, we now have the option to change the URL address of a SharePoint site; it is a pretty easy and painless process. Let me explain how this works.
What happens when you create a new Team Site or a Communication site
Once you hit the Create button, the SharePoint site is created with the chosen URL.
How to change the URL address of a SharePoint site
In case you need to change the URL of a site, you have got to navigate to the SharePoint Admin Center.
Office 365 App Launcher > Admin
Under Admin Centers, choose SharePoint
Click Active Sites under Sites to show the list of all active sites in your tenant
Check the box next to the site whose URL you want to change and click on the “i” in a circle
Under General tab, click Edit next to URL
Type in the new URL, it will make sure the address is available, then click Save
It will then give you an option to change the Site Name as well, you can do this or skip (you can always change the Site Name later by going to the site and clicking Gear Icon > Site Information)
After a few minutes, you will now notice that the site URL has changed
What happens when you change the URL address of a SharePoint site
When you change the URL of a site, it does not really change the URL, but rather creates a new SharePoint site and redirects the old URL to the new one. So, in other words, both the old and new addresses are still used and are active. This helps when you say you bookmarked an old URL – it will redirect you to the new one now. Likewise, if you shared files and folders from the old URL, they will keep still working as well due to the above-mentioned redirect.
In case you want to re-use the old URL address for a new site now, you would need first to “free it up” and remove the redirect using PowerShell. Please check out this post for instructions.
You cannot change the URL of a site that is a Hub – for that you will need to temporarily unregister the Hub and then register back