Toni Frankola

Toni Frankola. Governance in the Modern Workplace: SharePoint, OneDrive, Groups, Teams, Flows, and PowerApps. Toni Frankola. Co-founder and CEO SysKit Ltd., Croatia. More than 20 years experience in IT SharePoint / Office 365 MVP 2010-2019 With SharePoint since 2003. SysKit Ltd.


Presentation Transcript


  1. Toni Frankola Governance in the Modern Workplace: SharePoint, OneDrive, Groups, Teams, Flows, and PowerApps

  2. Toni Frankola Co-founder and CEO SysKit Ltd., Croatia • More than 20 years experience in IT • SharePoint / Office 365 MVP 2010-2019 • With SharePoint since 2003.

  3. SysKit Ltd. SharePoint On-prem, Hybrid and Office 365 Solutions SysKit is a software development company based in Zagreb, Croatia, Europe founded in 2009. We create innovative software solutions for SharePoint and Office 365 admins and consultants.

  4. What is Office 365 Governance? Governance is the set of policies, roles, responsibilities, and processes that control how an organization's business divisions and IT teams work together to achieve its goals.

  5. How do we manage Office 365 • Via the Admin Center(s) • PowerShell • Exchange Online • SharePoint Online • Microsoft Teams • Azure AD (Groups) • Power platform (PowerApps / Flow)

  6. Office 365 Groups

  7. 8 ways to create Office 365 groups Source: sharepointeurope.com

  8. Office 365 Groups • The foundation that allows you to manage security • Reduces the need for „Shadow IT”

  9. Dangers of Office 365 group sprawl • In the effort to stop the „Shadow IT” we can easily encounter sprawl • Key steps: • Control who can create Office 365 Groups • Group soft delete and restore (30 days) • Group naming policy • Group expiration policy • Group guest access • Group policies & information protection • Upgrade traditional collaboration tools • Groups reporting

  10. Restrict Groups creation • Creation of groups can be restricted to members of a particular security group • Configured via PowerShell • Pros: Prevents group sprawl • Cons: Increases the burden on the limited number of people and prevents O365 usage • Caveats: • Certain administrator roles are exempt from this rule • Exchange, Partner Support, Directory Writers, SharePoint, Teams, User Management • Azure AD Premium licenses required for „group creators” • No special license is required for users that will NOT be creating groups

  11. Control who can create Office 365 Groups – Best Practices • Start with self-service if at all possible • Make sure your internal policies are documented and in place • Revisit this as you go • Three modes of operation: Open, IT-Led, Controlled • Tightly controlled group creation can decrease productivity as many services require Office 365 groups

  12. Restrict Groups Creation Demo

  13. Office 365 Groups naming policy • Sometimes inconsistent naming can cause a lot of governance issues • OOTB naming policy can alleviate some of those issues • Easier categorization or identifying purpose • Block certain words (important because each group gets an email address, e.g. billg@microsoft.com) • To use the Groups naming policy feature, the following people need an Azure Active Directory Premium P1 license or Azure AD Basic EDU license: • Everyone who is a member of the group. • The person who creates the group. • The admin who creates the Groups naming policy
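The creation restriction from slide 10 and the naming policy from slide 13 are both stored in the tenant's `Group.Unified` directory setting. The following is an added example, not part of the original deck: it uses the AzureADPreview module, and the group name, prefix pattern and blocked words are assumed values to replace with your own.

```powershell
# Added example, not from the original deck. Requires the AzureADPreview module.
# Assumed values: replace with your own group name, pattern and word list.
$CreatorsGroupName = "O365-Group-Creators"   # hypothetical security group
$NamingPattern     = "GRP_[GroupName]"       # hypothetical prefix policy
$BlockedWords      = "CEO,Payroll,HR"        # hypothetical blocked words

Connect-AzureAD

# Tenant-wide Groups settings live in one directory setting created from the
# "Group.Unified" template; create it on first use.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
}

# -SearchString is a prefix match, so insist on exactly one exact-name hit
# before trusting the ObjectId that will gate group creation.
$creators = @(Get-AzureADGroup -SearchString $CreatorsGroupName |
    Where-Object { $_.DisplayName -eq $CreatorsGroupName })
if ($creators.Count -ne 1) {
    throw "Expected exactly one group named '$CreatorsGroupName', found $($creators.Count)."
}

# Slide 10: only members of the security group may create groups
$setting["EnableGroupCreation"]           = $false
$setting["GroupCreationAllowedGroupId"]   = $creators[0].ObjectId
# Slide 13: naming pattern and blocked words
$setting["PrefixSuffixNamingRequirement"] = $NamingPattern
$setting["CustomBlockedWordsList"]        = $BlockedWords

Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Read the values back to confirm what the tenant now enforces
(Get-AzureADDirectorySetting -Id $setting.Id).Values
```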

  14. Group naming policies Demo

  15. Office 365 Group Expiration Policy • Can be set up as an internal process so owners have to „renew” the group • Helps clear the groups that are no longer being used like: • Projects that finished • Departments that merged • Stale groups • Group expiration is an Azure Active Directory (Azure AD) Premium feature

  16. Group expiration policies Demo

  17. Orphaned Groups • When a group owner leaves the company, the group becomes orphaned, i.e. without an owner • The group can still be used, content is not lost • An administrator should assign someone else as owner • Best practice: always have more than one owner at any time

  18. How do I find „orphaned” groups Sample:

      ```powershell
      # Requires an Exchange Online PowerShell session.
      # Select every Office 365 group whose owner list is empty.
      $Groups = Get-UnifiedGroup | Where-Object {
          ([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Owners)).Count -eq 0
      }
      $Groups | Select Id, DisplayName, ManagedBy, WhenCreated
      ForEach ($G in $Groups) {
          Write-Host "Warning! The following group has no owner:" $G.DisplayName
      }
      ```

  19. External / Guest users • By default, guest (external) access is turned on • An external user is someone from outside your Office 365 subscription to whom you have given access to one or more sites, files, or folders. An authenticated external user is a user who has a Microsoft account or a work or school account from another Office 365 subscription. • Can be turned off for the entire org, or for individual sites • Plan external sharing ahead • It's important that all group members have permission to access the team site

  20. External users authorization • Three basic authorization levels for shared items: (may vary depending on the object type being shared) • Sign-in with an account • Sign-in with code • Anonymous

  21. Manage guest access to Office 365 Groups • Controlled by underlying SharePoint Online settings • OneDrive can be more restrictive • You can control it for individual sites (more restrictive) • SharePoint site • OneDrive site

  22. External Sharing Demo

  23. How do I find all these external sharings • Audit Log • Warning: Data retention and content overflow • eDiscovery • Warning: Licenses • PowerShell • Get-SPOExternalUser • 3rd party tools
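The `Get-SPOExternalUser` option from slide 23 returns at most 50 users per call, so a tenant-wide inventory has to page. The following is an added example, not part of the original deck: the admin URL and output file name are placeholders, and the helper function `Get-AllExternalUsers` is a hypothetical name introduced here.

```powershell
# Added example, not from the original deck.
# Requires the Microsoft.Online.SharePoint.PowerShell module.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# Hypothetical helper: page through all external users of one site collection.
function Get-AllExternalUsers {
    param([Parameter(Mandatory)][string]$SiteUrl)
    $pageSize = 50          # maximum page size the cmdlet accepts
    $position = 0           # zero-based index of the first result to return
    do {
        $batch = @(Get-SPOExternalUser -SiteUrl $SiteUrl -Position $position -PageSize $pageSize)
        $batch              # emit this page to the pipeline
        $position += $pageSize
    } while ($batch.Count -eq $pageSize)   # a short page means we reached the end
}

# Walk every site collection, OneDrive sites included, and record who was
# invited, by whom, and the site's current sharing level.
$report = foreach ($site in Get-SPOSite -Limit All -IncludePersonalSite $true) {
    foreach ($user in Get-AllExternalUsers -SiteUrl $site.Url) {
        [pscustomobject]@{
            SiteUrl           = $site.Url
            SharingCapability = $site.SharingCapability
            DisplayName       = $user.DisplayName
            Email             = $user.Email
            AcceptedAs        = $user.AcceptedAs
            InvitedBy         = $user.InvitedBy
            WhenCreated       = $user.WhenCreated
        }
    }
}

$report | Sort-Object SiteUrl, Email |
    Export-Csv -Path .\external-users.csv -NoTypeInformation
```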

  24. Groups Governance additional steps • Organizational-wide teams • Dynamic Memberships of AD Groups (e.g. based on department) • Azure AD Premium feature • Group classification • Groups hidden from GAL • Define usage guidelines • Azure Information Protection • Access Reviews • Groups with secret membership

  25. SharePoint

  26. SharePoint • Most of the governance for SharePoint Online depends on the underlying group • There are some specifics…

  27. Permissions explained

  28. External users (Applies to OneDrive too)

  29. SharePoint / OneDrive per site external sharing settings • Individual security settings can be configured per individual OneDrive or SharePoint

  30. OneDrive / SharePoint per site external user settings Demo

  31. Modernize SharePoint Online sites • Run the SharePoint modernization scanner to detect those sites • Connect to a SharePoint group • Not available for some templates • Remove non-supported customizations on web-part and wiki pages • Check SharePoint Modernization Framework PnP

  32. OneDrive

  33. External Users (see SharePoint slides)

  34. OneDrive default size and PowerShell reports Demo

  35. OneDrive Limited Access • For OneDrive, using these settings you can: • Block downloading files in the apps • Block taking screenshots in the Android apps • Block copying files and content within files • Block printing files in the apps • Block backing up app data • Require an app passcode • Block opening OneDrive and SharePoint files in other apps • Encrypt app data when the device is locked • Require Office 365 sign-in each time the app is opened • Choose values for how often to verify user access and when to wipe app data when a device is offline.

  36. Microsoft Teams

  37. Office 365 Groups and Teams Activity Report • Activity in Group mailbox • Activity in SharePoint site • Activity in the Teams chat • Script by Tony Redmond Office 365 Groups and Teams Activity Report

  38. Office 365 Groups and Teams Activity Report Demo

  39. PowerApps / Flow

  40. The landscape

  41. Environments • Microsoft PowerApps Environment Admin, Office 365 Global Admin, or Azure Active Directory Tenant Admin, who needs to have a Plan2 license for PowerApps and/or Flow. • Use the Admin Center to control them • Use PowerShell • Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber • Install-Module -Name Microsoft.PowerApps.Administration.PowerShell • Add-PowerAppsAccount • Get-AdminPowerAppEnvironment | Format-Table -Property EnvironmentName, DisplayName, CreatedBy, Location

  42. Power Platform Admin UI Demo

  43. Connectors

  44. Retrieve connectors

      ```powershell
      # $envname must already hold the EnvironmentName of the environment to inspect
      $allApps = Get-AdminPowerApp | Where-Object { $_.EnvironmentName -eq $envname } |
          Select AppName, CreatedTime, EnvironmentName
      foreach ($app in $allApps) {
          $app.AppName
          Write-Output "=========="
          # List the connectors each app references
          Get-AdminPowerAppConnectionReferences -EnvironmentName $envname -AppName $app.AppName |
              Select ConnectorName, ConnectorId, DisplayName, Publisher
      }
      ```

  45. List of connectors

  46. Audit Log

  47. Audit Log • Easily forgotten but the key tool to govern your Office 365 • Audit log search feature comes in handy as it allows you to search for the following event types: • Admin activity in SharePoint Online • Admin activity in Azure Active Directory (the directory service for Office 365) • Admin activity in Exchange Online (Exchange admin audit logging) • User and admin activity in Sway • eDiscovery activities in the Office 365 Security & Compliance Center • User and admin activity in Power BI • User and admin activity in Microsoft Teams • User and admin activity in Dynamics 365 • User and admin activity in Yammer • User and admin activity in Microsoft Flow • User and admin activity in Microsoft Stream
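The audit log search is also available from PowerShell, which makes a recurring review of external sharing activity practical. The following is an added example, not part of the original deck: it assumes an Exchange Online PowerShell session is already open, and the seven-day window, the three sharing operations and the output file name are choices made for illustration.

```powershell
# Added example, not from the original deck.
# Assumes an Exchange Online PowerShell session is already open.
$start = (Get-Date).AddDays(-7)          # assumed review window: last 7 days
$end   = Get-Date
$ops   = "SharingInvitationCreated", "AnonymousLinkCreated", "SecureLinkCreated"

# Reusing one SessionId with ReturnLargeSet pages through the result set:
# each call returns the next page (up to 5,000 records) until none are left.
$sessionId = "ext-sharing-" + [guid]::NewGuid()
$records = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
    $records += $page
} while ($page.Count -gt 0)

# AuditData is a JSON string; flatten the fields needed for a sharing review.
$report = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $r.CreationDate
        Actor     = $r.UserIds
        Operation = $r.Operations
        Site      = $d.SiteUrl
        Item      = $d.ObjectId
        Target    = $d.TargetUserOrGroupName   # empty for anonymous links
    }
}

# ReturnLargeSet returns records unsorted, so sort before exporting.
$report | Sort-Object TimeUtc |
    Export-Csv -Path .\external-sharing-events.csv -NoTypeInformation
```

Events older than the tenant's audit retention period are not returned, so schedule the export at an interval shorter than that period.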
