
Let’s Talk About Microsoft Teams and Your Internal Communications

Should we add Microsoft Teams as a channel to communicate with our employees? It is one of the most debated topics in corporate communications today.

It’s not an easy decision as we already have many channels, for example, email, Intranet, Newsletters, Mobile Apps, etc. Each channel has had varying levels of success when it comes to effectively communicating with your employees – and how do we, or can we, measure that effectiveness? For decades, we’ve been blindly publishing content and hoping for engagement or maybe using simplistic means for measuring it. So, given that state of affairs, would we really want to bring Microsoft Teams into the picture, particularly with its challenges on certain fronts like authoritative communications?

Let’s quickly dissect each of the classic communications channels and then make a case for Microsoft Teams:

Intranets – they have been the standard of employee engagement and communication for years. I have worked with companies that have redesigned their Intranet in three-year cycles for the last 15 years with the hope that a new version of SharePoint or a new Intranet product will save the day. I have seen organizations track hits on their home page as a measure of adoption while forcing everyone’s browser to default to the Intranet’s home page – as the saying goes – “There is no worse blind man than the one who doesn’t want to see.”

Intranets do have a place in the corporate communication ecosystem, but we have to acknowledge that they are time-consuming and costly to implement and support. A good Intranet needs to provide employees with reasons to return on a regular basis for it to be effective at corporate communication.

Despite the most valiant of efforts, Intranets have never become the holy grail of engagement and communications many had hoped they would become. We have gone through many revamps, each hoping to get it better, only for whatever initial success was found to often slip away. We are not advocating for an organization not to have an Intranet, yet. They do have shortcomings that we seem to be unable to escape, shortcomings that a truly collaboration-centric platform like Microsoft Teams doesn’t have.

Newsletters – The first challenge with newsletters (both printed and digital) is around timeliness and immediacy of information. Newsletters are a good way to summarize what has happened during a time period (say a week or two). However, they are lacking when you have an important message that you need employees to see and act on immediately. They also tend to be one-way communication channels, and therefore difficult for the audience to engage. We become the classic professor in a lecture hall focused on saying content, rather than being the approachable leader who draws people in and discusses items of importance. During this pandemic, the latter has never been more critical.

Email – The most used medium of communication today and for the last few decades. While email does have the immediacy that you would need for important, timely messages, it is overused to the point where many of us tune out all but the most essential ones. DMR reports show that the average office worker receives 121 emails per day. That’s a lot of emails.

There is no effective way to distinguish between important corporate communication and other emails. There is too much noise on this channel, and it is challenging to have two-way conversations with your entire audience without overwhelming them with even more email. Also, engagement often becomes confused as people are responding to comments that are out of order.

Let’s talk about Microsoft Teams

Microsoft Teams is a modern platform built around collaboration. Your employees can chat with each other, collaborate on files and projects, and attend virtual meetings, and you can host virtual townhalls.

If you are like most organizations, you are realizing the following:

  • Your employees are spending less time in email and a lot more time in Microsoft Teams.
  • Your employees are spending even less time in the Intranet and a lot more time in Microsoft Teams.

COVID-19 and social distancing have expedited the adoption of Microsoft Teams and accelerated a digital transformation as we have never seen before. The usage stats are impressive, including over 75 million daily users, more than 2.7 billion daily meeting minutes, etc. More importantly, you can check your organization stats by running these Microsoft reports.

After you verify your stats, you will likely confirm that, yes, your employees are spending most of their day in Microsoft Teams – collaborating, attending meetings, chatting. Microsoft Teams does not have the lack of adoption that your Intranet suffers from.

Unlike newsletters, Microsoft Teams provides an excellent channel for important and immediate messages. You can reach your employees on the platform they are using several times a day. It is also a platform that provides an inherent segmentation mechanism by grouping employees into Teams and common interests; email doesn’t have a good way of accomplishing this.

To summarize: 
  • Unlike Intranets, Microsoft Teams does not suffer from poor adoption.
  • Unlike Intranets, Microsoft Teams, as a platform, is likely used by most of your employees several times a day.
  • Unlike email, Microsoft Teams provides a built-in segmentation mechanism.
  • Unlike Newsletters, Microsoft Teams provides a channel built for immediacy and important messages that need to be seen now.

Microsoft Teams has received some key criticisms, and for Teams on its own, they are entirely valid.

  • Critical communications and authoritative posts can get lost in the chatter.
  • No means to manage corporate communications and delegate publishing.

Sparrow for Teams is a product that fills those holes and completes the picture, allowing Microsoft Teams to step up and be the hub of communication for the enterprise. We have an article that goes into depth on this.

It’s far easier and more natural to bring the content to where the people are (in Microsoft Teams) than trying to haul the people out of their now natural work environment and get them to visit the Intranet or read a newsletter email. With a few days and Sparrow for Teams, your org could be good to go.

Book your demo of Sparrow for Microsoft Teams today to see this in action. Best of all, it is so easy to install and configure that you can be communicating in Microsoft Teams by next Friday.

 


Automating Site Provisioning and Governance in Office 365

What is Site Provisioning? 

Site Provisioning is a process of creating SharePoint sites programmatically to meet business requirements.  

Site Provisioning deeply impacts both governance and site sprawl, and for that reason, it is one of the most important aspects of any Office 365 implementation. Nowadays, with more and more companies adopting Office 365, provisioning becomes increasingly relevant as it helps maintain structure in the digital workplace. This presents a whole new set of challenges for IT and Office 365 administrators, who need to answer three questions: What are the best methods for provisioning sites, teams and groups? How do you ensure new sites, teams and groups fulfill governance criteria? And finally, how do you automate the provisioning process? In this article we will address all of these questions.

Table of Contents

  1. How Site Provisioning affects governance 
  2. The benefits of automating site provisioning in Office 365 
  3. Automated provisioning: Real life example
  4. SharePoint site provisioning methods 
  5. How to automate the site, team or group provisioning process in Office 365 

How Site Provisioning affects governance 

Sites are the main structural element of SharePoint. There are different types of sites that organizations can use as a template to create their custom site structure. They may include classic sites, communication sites, team sites, publishing sites etc. In the previous versions of SharePoint on-premises, creating a new site was somewhat complicated. Nowadays, SharePoint Online lets us create a new site effortlessly through a simple 2-step process which, at least in theory, can be triggered by anyone in the organization. Users just need to navigate to the SharePoint site (/_layouts/15/sharepoint.aspx) and click on “+ Create site” and that’s it.

Create a site in SharePoint

However, this ease of use creates a problem. If users can create new sites on a whim, even a well-maintained internal site structure will soon turn into a messy, hard-to-manage bulk.

Before we discuss the solutions, let’s explain the difference between Site Provisioning processes in SharePoint on-prem and in Office 365.

In SharePoint on-premises, provisioning applies only to sites. However, in Office 365 this process applies to all structural elements of applications that make up the large modern work space: teams and channels in Microsoft Teams, channels in Microsoft Stream, and groups in Office 365. Considering the collaborative nature of all these tools, it’s easy to imagine that the sheer volume of Team, Channel and Group requests could quickly overwhelm the administrators.

The benefits of automating provisioning in Office 365

There are numerous benefits to automating the provisioning process in Microsoft workplace collaboration apps, but the real game changer here is truly enforceable governance. In a typical organization, governance policies live in a shared document. Employees refer to it from time to time; however, the policies contained within are difficult to enforce across the organization. Keeping your governance documents up to date is rarely enough. By automating site provisioning processes with wizards or workflows, you’re helping employees do their jobs without worrying about non-compliance.

Automated provisioning significantly reduces the chances of human error. In fact, when automated, site or team provisioning on the front end is as simple as following an intuitive wizard that guides employees through the process, while ensuring business logic is followed.

Here’s how automated provisioning helps your organization: 

  • Sites, teams, channels are created by users in a self-serve system that follows business logic specific to your organization. 
  • Employees follow a step by step wizard that ensures new sites and teams adhere to corporate policies. 
  • Automation decreases the burden on your Office 365 administrators.    
  • The metadata that employees input during the process helps manage the life cycle of the new site, team or channel. This means that deciding whether a site needs to be kept or retired becomes much easier.
  • Automated site provisioning allows you to also automatically create reports, audits and site/channel directories.  
  • The process uses established APIs. 
  • Additional functionality (e.g. updating a site life cycle database) can be added easily. 

Automated provisioning: Real life example

Here we’ll show you a provisioning process we have been recommending to our clients. This particular process leverages PowerApps and Power Automate (formerly Microsoft Flow).  

  1. The user requests a site and completes a form wizard, filling it with the required metadata. This information can include owner, purpose, description, related projects, cost centre, start date, end date, and template.
  2. The application uses the metadata to create a team site based on the selected template.
  3. Information from the metadata helps manage the sites in the future. For example, the information entered in the cost centre field is synced with internal accounting systems, and the end date is used to ensure that there are no orphaned (or unused) sites. The team site owner becomes responsible for managing the team site’s life cycle.

This approach lets you regain control over your Office 365 by ensuring that all sites, channels and groups follow the prescribed life cycle. By automating the process, you’re ensuring that new sites are added to a corporate site structure and, if needed, to a corporate site directory.  

This diagram explains a typical automated SharePoint site provisioning process we recommend:

automated SharePoint site and Teams provisioning for Office 365

While our example focused on provisioning SharePoint team sites, the same approach can be applied to provisioning Teams, Stream, and Office 365 Groups.

SharePoint site provisioning methods 

Our automated provisioning process for Office 365 applications combines a set of provisioning methods that I’ll describe below. You can use each one of these stand-alone methods to provision sites in your organization. However, before you get started with any of them, consider your organization’s particular policies and restrictions to decide what’s the best fit.

Provisioning a SharePoint Site using the User Interface 

There are a couple of ways to do this. The most obvious one is by enforcing Governance and applying settings to your tenant to limit the ways users can create a Team site (with or without an Office 365 Group). 

In this scenario, after clicking the SharePoint icon in the Office 365 App Launcher (often referred to as the Waffle Icon), the user opens SharePoint in a browser and clicks on Create Site.
 App Launcher Office 365

Our next method is creating an Office 365 Group. The user creates an Office 365 Group in Outlook by clicking on the New Group link. Each new Office 365 Group automatically creates a SharePoint site.

Create a New group in Outlook

Good governance is critical if you’re using this method, as members of an Office 365 Group can soft delete a group (sometimes by accident). Without safeguards in place, the IT department won’t know this happened. To prevent this situation, you can set up a requirement to evaluate Office 365 Group deletions before they can be permanent. The deleted group is retained but not visible for 30 days from the deletion date. You can view and manage the deleted Office 365 groups that are available to restore by signing into the Azure AD Admin Center. 

Lastly, a SharePoint Admin can create a site in the new SharePoint Admin Center. 

 create a site in the SharePoint Admin Center

Provisioning using Microsoft Graph 

Using the Create Group API in Microsoft Graph will result in the creation of either an Office 365 Group. By default, an Office 365 Group is integrated with a bundle of Office 365 services. Currently, the Create Group API does not have the option to enable Microsoft Teams. If you need to include Microsoft Teams in your provisioning process, then you will need to execute an additional API in Microsoft Graph to enable Microsoft Teams on an Office 365 Group. When provisioning using the Microsoft Graph approach, you are creating a Team site via the creation of an Office 365 Group.

Provisioning using REST API Operations 

If you’re looking for a more scalable Site Provisioning process, REST API Operations is one worth considering. With REST API Operations you create a SharePoint site based on a defined Site Template.  

SharePoint Admin Center - Site Template

Some of the most used site templates are Team sites and Communication sites, but you can also apply other templates to provision a site using REST API Operations.

Provisioning using PnP CSOM Core Component 

Another way to provision a site in SharePoint is by installing the Core library, which is available as a NuGet package. This method lets you develop the provisioning of a team site programmatically. You can get the core library NuGet packages for your SharePoint version below:

Provisioning using PnP PowerShell

Like PnP CSOM Core Component, SharePoint developers can also provision sites using PnP PowerShell. With this approach, you create a PowerShell script to apply a provisioning template to a site.

You can automate either of these approaches with the help of Power Automate (previously known as Flow), Logic Apps, Azure Functions, and/or Web Jobs. Power Automate and Logic Apps are best for simple site provisioning operations, whereas Azure Functions and Web Jobs work well for more complex site provisioning operations. Here are some examples of complex site provisioning operations:

  • Enabling web parts or custom actions (SPFx extensions) 
  • Creation of pages 
  • Creation of Content Types and Columns 

Automated Site Provisioning – The DevFacto Solution 

DevFacto has developed solutions that are constructed using all of the approaches listed above. One of our recent solutions developed for a client calls APIs from Microsoft Graph and REST Operations, automated via Microsoft Power Automate. Microsoft Graph is used to provision the Office 365 Group (which includes a site) and then the site is customized by calling additional REST Operations.

Power Automate - Create O365 Group

Used the “HTTP” action (which is considered a PREMIUM connector)

This method also lets you enable Microsoft Teams on the Team site. To accomplish that, we included it in the provisioning process by calling Microsoft Graph again. You can do that too by appending “/team” to the end of the URI to enable Teams on an Office 365 Group. Optionally, you can customize the Team by modifying the Body property (see next screenshot) with additional channels to be created, installation of apps, pinned tabs using delegated permissions, and defining Member/Guest/Fun/Messaging/Discovery settings for the new Microsoft Teams team.

Power Automate - Enable Teams

Used the “HTTP” action (which is considered a PREMIUM connector)
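The request wizard from the real-life example and the two Microsoft Graph calls described above can be sketched as follows. This is an added example, not DevFacto's flow: the template catalogue, the cost-centre format, the sample requests and all function names are assumptions made for illustration, and the team settings shown are one possible restrictive choice.

```python
"""Added example: governance checks, then the two Microsoft Graph requests."""
import re
from dataclasses import dataclass, replace
from datetime import date

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_TEMPLATES = {"project", "department"}        # hypothetical template catalogue
COST_CENTRE_FORMAT = re.compile(r"[A-Z]{2}-\d{4}")   # hypothetical corporate format


@dataclass(frozen=True)
class SiteRequest:
    """Metadata collected by the request wizard (fields named in the article)."""
    display_name: str
    description: str
    owner_id: str        # Azure AD object id of the accountable owner
    cost_centre: str
    start_date: date
    end_date: date
    template: str


def validate(req, today):
    """Return the governance violations; an empty list means the request may proceed."""
    errors = []
    if not req.owner_id.strip():
        errors.append("an owner is required so the site is never orphaned")
    if not req.description.strip():
        errors.append("a description is required for the site directory")
    if not COST_CENTRE_FORMAT.fullmatch(req.cost_centre):
        errors.append("cost centre does not match the accounting format")
    if req.end_date <= req.start_date:
        errors.append("end date must be after the start date")
    elif req.end_date <= today:
        errors.append("end date is already in the past")
    if req.template not in ALLOWED_TEMPLATES:
        errors.append("template is not in the approved catalogue")
    return errors


def mail_nickname(display_name):
    """Derive a mail alias from the display name (letters, digits and hyphens only)."""
    return re.sub(r"[^A-Za-z0-9]+", "-", display_name).strip("-").lower()[:64]


def create_group_request(req):
    """First call: create the Office 365 Group (which includes the team site)."""
    body = {
        "displayName": req.display_name,
        "description": f"{req.description} (cost centre {req.cost_centre}, "
                       f"review by {req.end_date.isoformat()})",
        "groupTypes": ["Unified"],          # "Unified" marks an Office 365 Group
        "mailEnabled": True,
        "mailNickname": mail_nickname(req.display_name),
        "securityEnabled": False,
        "owners@odata.bind": [f"{GRAPH}/users/{req.owner_id}"],
    }
    return {"method": "POST", "uri": f"{GRAPH}/groups", "body": body}


def enable_team_request(group_id):
    """Second call: append /team to the group URI to enable Microsoft Teams."""
    body = {
        "memberSettings": {"allowCreateUpdateChannels": False, "allowDeleteChannels": False},
        "guestSettings": {"allowCreateUpdateChannels": False, "allowDeleteChannels": False},
        "messagingSettings": {"allowUserEditMessages": True, "allowUserDeleteMessages": False},
        "funSettings": {"allowGiphy": False},
    }
    return {"method": "PUT", "uri": f"{GRAPH}/groups/{group_id}/team", "body": body}


def plan(req, today):
    """Reject non-compliant requests before anything is created in the tenant."""
    errors = validate(req, today)
    if errors:
        return {"approved": False, "errors": errors, "requests": []}
    # The real group id comes from the response to the first call.
    return {"approved": True, "errors": [],
            "requests": [create_group_request(req), enable_team_request("{group-id}")]}


def due_for_retirement(requests, today):
    """Life-cycle check: sites whose end date has passed and need an owner decision."""
    return [r.display_name for r in requests if r.end_date <= today]


# Constructed sample data, not taken from a real tenant.
TODAY = date(2020, 1, 2)
SAMPLE_REQUEST = SiteRequest(
    display_name="Project Apollo 2020", description="Workspace for the Apollo rollout",
    owner_id="00000000-0000-0000-0000-000000000001", cost_centre="FI-1234",
    start_date=date(2020, 1, 6), end_date=date(2020, 12, 31), template="project")
SAMPLE_REJECTED = replace(SAMPLE_REQUEST, owner_id="", end_date=date(2019, 12, 1))

if __name__ == "__main__":
    for sample in (SAMPLE_REQUEST, SAMPLE_REJECTED):
        print(plan(sample, TODAY))
```

In a Power Automate flow the same two requests would be issued by the “HTTP” action, with the group id taken from the first response.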

Site Scripts and Site Designs are used to apply site artifacts and security principals to a site. You can determine the exact actions to be executed in the Site Scripts and Site Designs. Initiate Discovery workshops by analysing the business requirements of particular groups within your organization.

Power Automate - Apply Site Designs

Used the “Send an HTTP request to SharePoint” action (which is in the SharePoint connector)

Alternatively, users can apply a site design to a site through the SharePoint UI. 

SharePoint Site Provisioning-Apply Site Design

 

 

Summary 

Whether your organization is new to Office 365 or has been using it for quite some time, you will need a provisioning process to ensure that new sites, teams, channels and groups are created in an orderly fashion. There are many good ways to manage the provisioning process, including low-tech ones. Some smaller organizations can get away with using their established IT ticketing system and that’s completely fine. However, growing needs and complexity drive other organizations to automate the provisioning process as it significantly improves efficiency and significantly reduces management costs.

Automated provisioning ensures that governance rules are followed, while greatly improving application security and user experience. It also provides you with a wealth of metadata that’s collected during the provisioning process making it easier to maintain and administrate sites, channels, teams and groups well into the future.  

Automating the provisioning processes requires an upfront development investment. However, you can significantly reduce the associated costs by leveraging the tools you already have. The Power Platform apps (PowerApps and Power Automate) we used in our example are included in most Office 365 subscriptions. What’s more, these tools come with many preconfigured low-code and no-code elements that fit together like LEGO bricks to give you more flexibility and a more custom experience.

Looking to get started with automating your Office 365 provisioning process? Get in touch.   

This article was written by Oliver Wirkus and Adam Tobias


 

Information Barriers for Office 365: Enhancing Control over Communications

Employees are the source of corporate information. They constantly create documents and data records, generating gigabytes of corporate information every single day. And this corporate information needs to be protected. Many organizations trust Office 365 and SharePoint Online as a secure platform to run their corporate intranet. This puts some pressure on Office 365 to ensure that sensitive corporate information is not just securely stored, but also that it complies with stringent regulations and laws (like FINRA). The new Information Barriers policies for Office 365 (Microsoft Teams and soon SharePoint) help administrators achieve just that.

Information Protection in Office 365

Before we dive into the new Information Barriers feature in Office 365, let’s first spend a few moments on Information Protection and examine what it means for organizations. The obvious choice to protect information within a corporate intranet is using access permissions. With access permissions, organizations can decide which user has access to which site. For example, in an organization with a legal department, only a narrow group of users will need access to the sites of this department.

Besides access permissions, Office 365 and SharePoint Online provide additional options to protect sensitive corporate information such as Retention Policies, Data Loss Prevention, Azure Information Protection, and Compliance Sensitivity Labels. These features ensure that corporate information stays protected within the organization and control access to specific documents.

When they are well configured, organizations are in an excellent position to keep data and documents safe. However, for some organizations, that might not be enough. 

Limitations to information security

Although security options provide a significant level of protection, there are some limitations you need to be aware of. The most apparent threat to Information Protection is what I like to call the human factor. For instance, there is no technical way to protect corporate information if employees meet outside of the organization and, for example, verbally share sensitive information.

And even when it is available, technology comes with some limitations too.  

For instance, a user who does not have access to a specific site may obtain sensitive files from a user who does. And while a sharing invite does not provide access to the entire site, the user who receives an invite can open, download or potentially edit the document. This means that even though strict compliance policies regarding access permissions are in place, the SharePoint Sharing mechanism can be used to bypass those policies quite effortlessly. Of course, external sharing can be disabled in SharePoint Online, but since SharePoint was built around sharing information initially, internal sharing can’t be disabled. This is just one example of how corporate compliance policies can be sidestepped.

Another example is online chats and remote meetings initiated via Microsoft Teams. Even if a user does not have access to a particular site, this user may still be invited to join the team chat, thus getting information that shouldn’t be shared with anyone else outside of the defined team. 

Finally, access permissions can sometimes be accidentally given to the wrong person. This happens surprisingly often when a couple of people in the organization share the same name. Mistakes are a part of human nature, and sometimes, they are hard to avoid.  

Need for additional layers of security 

For many companies, these restrictions are not necessarily critical. If there is trust and appropriate employee education about the importance of the company’s compliance policies, companies can do a lot to protect their sensitive information. However, some organizations need to follow stringent Compliance and Security stipulations and laws. For those, being able to bypass policies by just sharing a document is a severe threat.

Information Barriers Policies in Office 365

This is when the new Information Barriers come into play. With Information Barriers, organizations can encapsulate or separate specific corporate entities from the rest of the organization, even though all corporate entities share the same corporate intranet and technically, the same Office 365 tenant. 

Let’s see what this means. At the beginning of this blog post, I explained why even strict access permissions might not be enough for some organizations. Sharing, the feature that makes SharePoint great, can be used as a loophole to bypass policies.  

Information Barriers policies in SharePoint and OneDrive for Business go much further, specifically because they prevent users from sharing documents with others outside of a specific corporate entity. But that’s not all. Users of an encapsulated corporate entity won’t even be able to look up users of a different department.

This is because Information Barriers in SharePoint and OneDrive for Business act as a separate (logical) tenant, even though the organization technically uses just a single tenant. The following screenshot shows an example of how this might look in SharePoint:

Limiting file sharing in SharePoint with Information Barriers Policies

 

Configuring Information Barriers Policies in Office 365

Now that we know how Information Barriers will work in SharePoint and OneDrive for Business, let’s see how these Information Barrier Policies can be configured.  

Information Barriers rely on user account attributes defined in Azure Active Directory. These attributes can include information like department, job title, location, and team name. Organizations can create segments based on these user account attributes. Those segments can be entire corporate entities, but also groups of users (like all users with the job title ‘Financial Advisor’). The concept of segments is very flexible as it is based on user account attributes. User account attributes are defined in Azure Active Directory, but segments are defined in the Office 365 Security & Compliance Center. With segments defined, companies can create two kinds of Information Barrier policies: policies to Block access or policies to Allow access. There is a significant limitation, though: a user can only be part of one (1) segment (as of December 2019), and the segments must not overlap.

Creating segments and Information Barrier policies requires thoughtful and thorough planning as Information Barriers are rigorous policies, which have a massive impact on users and the entire organization. Microsoft provides an Excel-based workbook, which organizations can use to create and configure policies. The workbook also offers support for managing policies via PowerShell. You can download the workbook here.
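Because a user may belong to only one segment, it helps to test draft segment definitions against a directory export before any policy is created. The following is an added planning example, not Microsoft's evaluation engine and not part of the workbook: the users, segment filters and policies are constructed, and the Block/Allow check is a simplified model of the two policy kinds described above.

```python
"""Added example: pre-flight audit of Information Barrier segment definitions."""

# Constructed sample directory: Azure AD attributes that segments are built on.
USERS = {
    "ana@contoso.example": {"department": "Research", "jobTitle": "Analyst"},
    "bo@contoso.example": {"department": "Banking", "jobTitle": "Financial Advisor"},
    "cy@contoso.example": {"department": "Research", "jobTitle": "Financial Advisor"},
    "di@contoso.example": {"department": "HR", "jobTitle": "Recruiter"},
    "ed@contoso.example": {"department": "Facilities", "jobTitle": "Technician"},
}

# Hypothetical segment definitions: segment name -> (attribute, required value).
FIXED_SEGMENTS = {
    "Research": ("department", "Research"),
    "Banking": ("department", "Banking"),
    "HR": ("department", "HR"),
}
# A draft that mixes department and job title filters, which makes segments overlap.
DRAFT_SEGMENTS = dict(FIXED_SEGMENTS, Advisors=("jobTitle", "Financial Advisor"))

# Constructed policies: each policy is assigned to one segment and blocks or allows others.
POLICIES = [
    {"assigned": "Research", "mode": "block", "segments": ["Banking"]},
    {"assigned": "Banking", "mode": "block", "segments": ["Research"]},
    {"assigned": "HR", "mode": "allow", "segments": ["Research"]},
]


def segments_of(attrs, segments):
    """Names of all segments whose filter matches this user's attributes."""
    return sorted(name for name, (attr, value) in segments.items()
                  if attrs.get(attr) == value)


def audit_segments(users, segments):
    """Find users in more than one segment (not permitted) and users in none."""
    overlaps, unassigned = {}, []
    for upn, attrs in sorted(users.items()):
        matched = segments_of(attrs, segments)
        if len(matched) > 1:
            overlaps[upn] = matched
        elif not matched:
            unassigned.append(upn)
    return overlaps, unassigned


def can_communicate(upn_a, upn_b, users, segments, policies):
    """Simplified model: a Block policy denies the listed segments, an Allow
    policy denies every segment that is not listed. Checked in both directions."""
    seg_a = segments_of(users[upn_a], segments)
    seg_b = segments_of(users[upn_b], segments)
    if len(seg_a) > 1 or len(seg_b) > 1:
        raise ValueError("overlapping segments: fix the definitions first")
    if not seg_a or not seg_b or seg_a == seg_b:
        return True  # no policy applies to unsegmented users or to one segment
    for src, dst in ((seg_a[0], seg_b[0]), (seg_b[0], seg_a[0])):
        for policy in policies:
            if policy["assigned"] != src:
                continue
            listed = dst in policy["segments"]
            if (policy["mode"] == "block" and listed) or \
               (policy["mode"] == "allow" and not listed):
                return False
    return True


if __name__ == "__main__":
    print("draft:", audit_segments(USERS, DRAFT_SEGMENTS))
    print("fixed:", audit_segments(USERS, FIXED_SEGMENTS))
    print("ana -> bo:", can_communicate("ana@contoso.example", "bo@contoso.example",
                                        USERS, FIXED_SEGMENTS, POLICIES))
```

Users reported as unassigned are not covered by any policy, so the list doubles as a check that the attribute data in Azure Active Directory is complete.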

The following two screenshots show how you can create segments and policies in the Office 365 Security and Compliance Center: 

Create segments in Office 365 Security and Compliance Center

Blocked File Collaboration based on Information Barriers settings

Information Barriers in Microsoft Teams 

In the previous section of this blog post, we looked at options to secure SharePoint and OneDrive for Business. Still, more applications in Office 365 allow communication and collaboration between users of different corporate entities – like Microsoft Teams. Since Microsoft Teams uses SharePoint Online technology under the hood, some protection already exists there, but it may not be enough. Information Barriers in Microsoft Teams offer added security.

Microsoft Teams allows users to communicate with each other. But in a strictly regulated environment, this kind of electronic communication needs to be secured by policies. Information Barriers in Microsoft Teams can be used to prevent team members from communicating with other teams and sharing documents. Also, Information Barriers can be used to encapsulate a team in Microsoft Teams entirely, restricting communication to that team only. All communication, including sharing with anyone outside of that team, can be blocked.

But, there’s more you can do to secure and monitor information exchange in Microsoft Teams. Information Barrier policies can also be applied to the following: 

  • Adding members to a team 
  • Requesting a new chat 
  • Inviting a user to join a meeting
  • During screen-sharing 
  • During VOIP calls 
  • Guest access in teams (includes guest users) 

The next screenshot shows how Information Barrier policies are activated in Microsoft Teams: 

Activating Information Barriers policies in Microsoft Teams

User Experience 

Information Barriers can be very restrictive, and organizations should be fully transparent regarding the implementation of Information Barriers in Office 365. The entire staff (including new hires) needs to know about the existence of Information Barrier policies and how these policies will affect their daily business. Educational workshops, recorded training sessions and tailored communication are an absolute must. Regarding the user experience, there are many areas where Information Barriers affect the regular usage of SharePoint. Here are some examples:

  • Users cannot see blocked users in the People tab and People Picker. 
  • Posts of blocked users won’t show up in the activity tab. 
  • Blocked users won’t show up on the org chart and the list of suggested contacts. 

Technically, Information Barriers will affect employees when they are collaborating and trying to get in touch with each other. Basically, most, if not all, of the collaboration and information sharing possibilities in SharePoint, OneDrive for Business and Microsoft Teams will be affected or restricted by Information Barriers. A full list of what users will experience if another user is blocked by Information Barrier policies can be found here. The following screenshots show how this looks in Microsoft Teams. The left screenshot shows the user experience when trying to add a blocked user to a channel; the right screenshot shows the user experience if you try to send a message to a blocked user directly:

Couldn't add member to team due to Information Barriers policy

Requirements and Roadmap 

To be able to use Information Barriers, organizations require an Office 365 E5 license. The following roles can create Information Barrier policies:

  • Global Administrator 
  • Compliance Administrator 
  • Information Barrier Compliance Management (new role) 

My recommendation is to split administrative tasks in Office 365 across multiple roles. Each role in Office 365 (including the new Global Reader role) is supposed to be used for a specific task only. This is done to provide an additional layer of security to sensitive administrative activities in Office 365. I know that many organizations utilize the Global Administrator role for all configuration tasks, but that is definitely not best practice and it threatens security. Organizations should assign the Compliance Administrator role or the IB Compliance Management role to specific users and use only those roles to manage Information Barrier policies.

Information Barriers are rolling out now, but they will only be available in Microsoft Teams for now (as of January 2020). Information Barriers for SharePoint and OneDrive for Business are still in development and are expected to roll out later in Q1/2020. If you are interested, there is a Preview Program you can subscribe to.

Conclusion 

Information Barriers are a great addition to the existing Security and Compliance policies in Office 365. While they do contradict the original idea behind SharePoint (after all, it is called SharePoint), they come in response to a growing demand for advanced security policies. Once Information Barriers are fully supported in Office 365, they will be welcomed by organizations that need to follow strict Security and Compliance regulations. 

Organizations should not underestimate the implications of Information Barriers as they will drastically impact the daily tasks of the entire staff. That is reason enough to start planning now – even though Information Barriers won’t be available in SharePoint and OneDrive for Business until later in Q1/2020. Planning means not just thinking about potential policies. Implementing Information Barriers comes with an entire process of activities – beginning with checking potential legal regulations. The implementation process also includes roles and responsibilities, identifying segments, communication to the staff, reviewing existing business processes, defining policies, training, user adoption, change management, etc.

If your organization needs to implement Information Barrier policies, I recommend starting now to ensure you have enough time to carefully and thoughtfully plan the entire implementation, as Information Barriers will change how your organization is working today.

At DevFacto we are already working on guidelines, best practices, and recommendations to support our customers regarding Information Barriers in Office 365. Want to know more about ensuring compliance with Microsoft tools? Reach out to us. 
