guest-access.jpg

Office 365 Governance of Guest Access in an Office 365 Tenant

Find this Podcast “Office 365 Governance of Guest Access in an Office 365 Tenant” on the ThreeWill:


In this Podcast, Office 365 Governance of Guest Access in an Office 365 Tenant, we discuss…

MinTopic
3:46Two approaches for governance for the Azure Active Directory
6:47Private Channels in Teams
7:46How do you govern new features on Microsoft’s roadmap?
13:25Categorization of information
14:35Provisioning flow
22:23Definition of governance

Learn More About Governance
Look through these blog posts

Danny:It’s Friday, January 10th, 2020 and today Tommy and I talk with Pete Skelly about enabling guests access and focusing on governance. I hope you enjoy this conversation. Hello everyone, today we’ve got a follow-up conversation with Tommy and Pete. How are you doing guys?

 

Pete Skelly:Doing well.

 

Tommy:Doing well. It’s Friday.

 

Danny:It is Friday, that’s a good thing. We’re right about to enter into the weekend four o’clock on a Friday and just wrapping up the week and today I wanted to talk-

 

Tommy:We are committed, ain’t we?

 

Danny:Absolutely. So we’ve had a couple of conversations about enabling guest access and as we were sort of prepping for this, it made me think of growing up, in the bathroom upstairs there was a little cross stitch that was up there that said, “No job is finished until the paperwork is done.” I feel like with SharePoint and Office 365 no project is done until the governance is done right. You have to think about this, you really have to think through security and governance and so therefore we’re pulling in Pete, did you ever think you’d get to a point, Pete, where you’d be pulled in as the expert on security and governance in on a conversation?

 

Pete Skelly:Wait, I’m supposed to be a security and governance expert?

 

Danny:That’s right. That’s right. You’re what? Okay.

 

Pete Skelly:Sorry, what?

 

Danny:We talked with Bo about in particular Tommy and I had some fun talking about just the high level things with enabling guest access. We had a great conversation with Bo and it sort of started getting into the discussions about security because it naturally would. Because we’re talking about opening up Office 365 to folks outside your organization and security obviously is one of the initial things that you need to talk about. What we wanted to do was to talk with Pete again around the theme of enabling guest access and opening up to folks outside your organization as we prep for this. Pete thought a good thing for us to talk about would be governance. So why don’t we get us started with this. Pete, what are some of the first things that you should be thinking about when you’re enabling guest access with regards to governance?

 

Pete Skelly:Bo mentioned B2B and B2C sort of guest types. I think the first thing is what’s the distinction? Right? Understand the distinction between those two. B2B is essentially tenant to tenant. Microsoft 365 may be, there’s some subtleties in there I may be missing, but B2C is [inaudible 00:03:10] that’s a consumer account, Gmail account, something like that. So that’s probably the first topic.

 

The next one is you’ve got a suite of services in Office 365 you’re consuming and that suite of services is governed by Azure Active Directory, right? So your tenant just has an Azure Active Directory instance sitting behind there governing all this stuff. A, understanding that linkage and then thinking, “Okay, I have all these services, how do I have to configure these and how do I control them?” I think a good place to start is, there’s two approaches. One sort of try to think of everything in advance and do a little bit of planning, a lot of planning.

 

The other is if you’re a smaller organization or a medium size organization and just saying, “Hey, I just want to get out of the way. I don’t want to be the IT organization that says, no, I just want to turn everything on.” Well, how are you going to control that. In both situations, how are you going to make sure you’re not exposing yourself to a collaborative activities that are going to put you at risk? Right? I think external guests, Office 365 is amazing as far as letting us treat partners, customers, clients as just somebody that I want to add value to and collaborate with to accomplish a goal, right?

 

Danny:Mm-hmm (affirmative).

 

Pete Skelly:When you start to enable some of these services like sharing and providing external links for anonymous guests and links that anyone can click on and get back into and how do I know that that document library that I just shared, that document from actually should have been shared from in the first place? Those are things that governance topics you should think of in advance.

 

Danny:Okay.

 

Pete Skelly:Well, you’ve got an Office 365 group that’s associated with a team and you’re collaborating in that team, but you have video. Oh well, I can’t really do much with today with stream and external users, but maybe how can I provide that content but do it in an effective way that’s not exposing my organization to risk or that’s not presenting challenges. So thinking of how do I provide guest access, how do I provide collaborative environments that are going to let us get our work done and going to add value to both parties but not get in the way.

 

Danny:Yeah.

 

Pete Skelly:We’ve done sort of digital workplace workshops where we talk about if you’re going to go through the exercise of governance planning. The idea of governance should be, don’t impose friction where it’s unnecessary. So if users are trying to create content and they’re all internal, then maybe you can just get out of the way, if you start to expand that audience and you start to get guests users or you start to get partners that are different companies but within Office 365 great, maybe you let the walls down a little bit and you open things up.

 

Things like private channels had create some new, what I would call governance nightmares, because a member can create a private channel and then even the owner doesn’t know that it exists. So how are you going to manage that? Because what if they share it? What if you have team sharing turned on as well and somebody has a private channel that they share something in? So the scenario of, “Hey, I want to have an M&A activity in a private channel. Okay, then maybe I should disable external sharing in there as well.” Right? Just to kind of a quick reason why governance should be considered.

 

Tommy:Pete, as I’m talking to our customers, one of the things that comes up is now that I’m on Office 365 I’ve got everything moved in there, I’ve got my users collaborating there and I’ve got this journey of an evergreen environment that new features are constantly being released. How do you see organizations governing that live environment? Let’s say there’s new features that are coming out, they show up on the roadmap. How are they typically rolled out? Are they rolled out, turned off or turned on or is it a mix? What do you see are some of the good practices that people are doing to think about how do I manage those features as they come?

 

Pete Skelly:Yeah, you just mentioned how the features are rolled out? Are they enabled by default? Disabled by default? Some of those types of things. The recent PowerApps, Power Platform changes that Microsoft rolled out that just said, “Hey, we’re going to change the licensing model.” And, “Oh by the way, we’re also going to enable business users just to purchase licensing.” I guess there’s two schools of thought there, just as on side a, that’s great because now you’ve kind of to use the Microsoft term, you’ve democratized IT to kind of a citizen developer, right? You’ve torn down the wall and IT doesn’t have to be the organization that says no. But how do you budget for that? You get a bunch of users going out and registering for PowerApps and using the Power Platform for all sorts of things that could upset your budget, right? Your cashflow could change rapidly.

 

Tommy:Some of that going behind what is the point about the [inaudible 00:09:27]

 

If you recognize some of the challenges with it?

 

Pete Skelly:I would say as a general rule, most things are deployed considering it’s a Greenfield, evergreen environment. In my opinion, most things that Microsoft releases, they go with pretty intelligent defaults. However, there are exceptions to that rule, but in general, most of the things you’re going to get, like the external sharing is sort of a medium posture, so to speak, by default, right? So you’ve got to turn some knobs and buttons to open things up. They’re relatively open to promote sharing, but by large it’s permissive enough, let’s put it that way. And most of the features that they’re rolling out are the same way, if something like the private channels is a good example, that’s something that you can just say disabled at the tenant level.

 

So you can say, “No, this isn’t available to anybody.” You can delay the release and figure out from a governance perspective Do we really want to enable this? Well, what does it mean if we do? How am I going to govern this? How am I going to report on those? Do a little due diligence. How can I search for sites, site collections in SharePoint that were created with the new site template for private channels, right? So it’s a specific site template that you can search for to say, “Oh well these are the things that I have.” As you figure out how should I be governing these? With external guests, how do you figure out what content was shared? Right?

 

If you’re going to be very permissive in one drive and your governance rules for one drive or if you’re in a sharing situation or collaborative situation, one to one or one to three, and once you hit four or five, you want to put that in a team. How do you make sure that that is shared appropriately? What are you going to do for your users to let them fall into the pit of success? Are you going to give them a little flowchart? We’ve done that for a few customers where, especially for one drive, people are going to want to know how should I do this? Well, if it’s a document you’re going to share with a small group of people, collaborate in one drive, share that one drive and you can collaborate that way as soon as there’s expands what are the rules and provide them that capability.

 

As far as what most of our customers do to react, I think most of our customers are of the size where they know they’re going to have some level of governance. We’ve had some folks that said, “I’m just going to turn teams on.” They have an active directory premium license and they just say, “I’m going to use some of the features of Azure Active Directory premium and enable those users to basically turn…” Once the group is about to auto expire the group and once the group is about to expire, they’re going to get notifications and have to basically say, “I’m still using the group or it’s going to be deleted.” I forget the timeframes for it, but we also have other customers who have said, “I’m just going to turn things on, but then post a deployment, I’m going to look at what’s the use of that site or that team or that communication site.” And sort of backfill submitted data at whatever level it is, whether it’s the group for the team or a SharePoint site, et cetera. So they know who owns this, what’s its purpose, maybe a classification for the data.

 

Internally for us, we’ve made it simple and followed couple of rules from Microsoft with high business impact, medium business impact and low business impact and our categorization of that is a little different than Microsoft but having folks find the canonical confidential, highly confidential, public and internal, being able to say, “How do I know what content this is? And if I’m in a site that’s low business impact, maybe you enable an external sharing for those team’s insights.” But if it’s high business impact, you may say, “No, let me turn all this stuff off.”

 

Tommy:[inaudible 00:14:07] Because I know you’ve been going through and classifying all of our sites. So there’s a way to say whether a certain type of site can allow for guest access? That’s something you can in control?

 

Pete Skelly:Yeah, you can control that at the tenant level and then at the site level or team level as well. That’s one of those reasons. That’s one of the best reasons for a provisioning process. A lot of times you say provisioning process and people think it has to be this incredibly heavyweight activity and it doesn’t have to be, it can be as simple as a flow. We’ve got customers where we’ve done just a very simple flow with a PowerApp front end and that just starts a process where IT going to provision that they might have a very low duration SLA to get it created.

 

That enables them to say what was the purpose of this? Is this an internal project? Well, internal projects or maybe medium business impact and so you enable internal sharing only, right? Only your finances. You probably don’t want to external sharing turned on in a finance related site. So your provisioning process can ask what’s the purpose of this site and you can adjust sort of your Managed Metadata… excuse me, your Metadata, not Managed Metadata could be, but how are you going to control that? How are you going to know what it is? What’s the lifetime of that particular object, whether that’s a team or associated resources to a team for a group, et cetera.

 

Danny:One of the things that came out from the conversation with Bo was sort of like from the golden days of SharePoint where used to have sort of like an intranet where it was for everybody in the company and then you would create a separate extranet and then the move to the Cloud has sort of like, it’s made things a little bit more [inaudible 00:16:05] because you show up to somebody and they’re talking there’s the concept now is not so much, okay. We used to have an intranet and you would only allow for internal users into that intranet that’s SharePoint, web-based, yada yada. You still have those today where people are a lot of these sort of like department sites and more where people are pushing out information to the masses that are there.

 

But, what was interesting from the conversation with Bo was that we were sort of getting to the point where they’ll still continue to be sort of more like that our internal portal where information is shared inside these larger organizations. But what I found interesting was teams seem to be like, “Okay I have a team, I need to get something done.” The people who are getting that work done might be partners, might be a vendor working with a customer in teams sort of like that the security context, a place where you add people in and people are going in and out through that.

 

I thought it’s almost like this world of, “Yeah, we’ve got SharePoint online where you can go to our intranet, which is web-based.” For us as we’re truly trying to get our work done, we’re working within teams and we’re pulling people in and out of these teams where we’re getting work done. It’s not just people inside my organization, it’s everyone.

 

Tommy:If you think about it back in the days of explicit extranets, you were talking about creating kind of security boundaries. Some people were installing extra nuts on a separate machine or separate ABAP. So you had those isolations and the new world of SharePoint that you create today in the Cloud is you’re trusting these environments are secure in the first place. And when you create something today, it’s in this flat structure and it’s more smaller pieces that you bring together and things like hub sites.

 

When you create a site that has external users, you’re creating an extranet and you can create many extranets and you don’t have to go provision this new environment, hardware and or web apps to do that. We’re empowered to create those SharePoint extranets but now we’ve got this ability of making this decision or is this information that we’re trying to put out in the communication site or is this teamwork and collaboration around active content that you’re trying to get work done.

 

You can have that extranet scenario in both cases where maybe it’s more informational or your partners that they have to go find guides and you want to structure that well and you want to make it look pretty. They don’t need to have a full blown team. They just need to have an informational site to get to the information. Think about extranet because I don’t think you have to put in the effort to the architecture to make it a secure extranet you’ve got that provided for you by Microsoft. The challenge is part of it I look at is, it could be a whole mixture of I’ve got all these site collections out there that some of them have external access, some of them don’t and there’s not really clear boundaries of, “Okay, here’s where you go create your extranets. You just set a setting.”

 

Pete Skelly:Yeah. I think for some of our customers, what we’ve recommended just based on their requirements are what are the mnemonics you use to help users make those decisions very quickly? Right? Should I share something from this site? Well, if that site has a classifier that’s high business impact or confidential or internal only, well, okay, that, that should be your first cue, right? If you were about to share something and you’re looking at the team name, for example, we have a customer and then we do this internally is if you have a truly extranet collaborative environment, the prefix to that team, that group is actually external. External dash, so you know immediately that that site has external sharing turned on. You have the capability for someone to external to your organization to see this, it better be classified as LDI or MBI. So you kind of help ease or fall into the pit of success on that one.

 

Tommy:Yes. Right.

 

Pete Skelly:So thinking of those things, you don’t necessarily have to think of those things in advance, right? The likelihood of somebody creating a site, if you open up site creation or team creation and getting into trouble by the time you know that site’s created, well, if you have an automated process behind the scenes, you can reduce the friction for creation but require, “Hey, within two days you have to tell me or I’m just going to basically lock the site down and remove you.” So thinking of those things in advance and kind of reducing friction, but making sure you’re protecting yourself from a governance capability. What are the rules on specific teams?

 

Maybe you want to remove guest deletion capabilities for a guest to delete channels or create channels in a team. That’s something that you can figure out. Well, it’s an external site but I want to communicate but I don’t want them to delete something because I may have a compliance concern or I may have a need for storing some of that data. Governance gets such a bad rap. It’s just looking for ways to not just control but enable. Right? So governance shouldn’t be such a dirty word that you’re like, “No, can’t do that now.” It should be, “Yes and how do I help you enable that collaboration? Yes, how do we configure your environment to do that? Yes, how do I get you an external sharing collaborative environment that doesn’t put the business at risk.”

 

Danny:Well, you’ve made it this long in the conversation, I salute you for getting through to this. If this stuff is fascinating to you and you want to talk with… I mean a lot of this is great because we run into this with large companies trying to deploy Office 365 and some of these things it’s been great to be able to provide some guidance, work on some very difficult problems around this. And we’d love to talk with you more come to the threewill.com site, go to contact us that’ll come to me. Let’s talk about what you’re trying to do with regards to enabling guest access. If you’ve got some questions, please feel free if you’re on the ThreeWill site watching this, leave a comment below. Thank you Pete for doing this. We appreciate you. I know you’re-

 

Pete Skelly:Tommy stole all my thunder so-

 

Danny:I know you’re like [inaudible 00:23:51] say that but what. They both knew we were going to follow up the conversation with you-

 

Pete Skelly:That’s okay. We’re just going to have a different conversation where I can geek out. That’s all. But honestly, I think given what Bo said, the things that Bo and Will, especially those two have a lot of experience with kind of the turning of the knobs. But I think the work that they did get to that point is undersold. It’s underappreciated because it takes a lot of effort to figure out, well how am I going to control this without really kind of doing it in a bad way and enabling the things you’re trying to do.

 

Tommy:I think where it’s a followup on a rundown that a spreadsheet from Will, there sounded like there was some good stuff there that we probably should reuse on projects and maybe find some form of it to share with the community so they’re aware of it as well.

 

Pete Skelly:I like the idea of making that Tommy mentioned putting that out and if somebody as things change, being able to update that from the comments, it’s a good way to do that.

 

Tommy:Yeah. Sounds great.

 

Danny:Sounds great. Well, thank you for doing this on a Friday afternoon. Thank you everybody for listening and have a wonderful day.

 

Thank you for listening to the Work Together Better Podcast. We’re available on SoundCloud, iTunes, Stitcher, and Tune In. If you’re looking for a partner to help you craft a modern digital workplace in the Microsoft cloud, please come by and see us at threewill.com that’s the number three spelled out, W-I-L-L.com. Thank you and have a great day.

 

Danny RyanOffice 365 Governance of Guest Access in an Office 365 Tenant

Join the conversation

This site uses Akismet to reduce spam. Learn how your comment data is processed.