Microsoft Viva is an employee focused suite of products and therefore, there is a need to be extra diligent in ensuring rigorous controls within your organization’s configuration.
It is important to recognise that since Viva tools are built on top of Microsoft 365, it has the same security, compliance and privacy principles as the rest of the Microsoft 365 products. Organizations should configure and use tools by fulfilling the obligations on data controllers across relevant countries and regions for our organization. Read more on this in our article on governance for Microsoft Viva Engage.
When we consider the governance of any product in the Microsoft 365 suite, we need to consider 5 key questions. First and foremost, where is the data stored? Considering the product and its data storage, the next question to consider is which M365 compliance, security, privacy and access controls work for the said product. Thirdly, it is important to note which features are included in our licences. Subsequently, we need to decide what controls we want to place on our users using the M365 features. Lastly, are there any additional controls we need in place, specifically for our organization?
In this article we’ll take a look at governance for Microsoft Viva Connections and be answering the questions on data location and the coverage of key Microsoft 365 features.
What is Viva Connections?
Microsoft Viva Connections is an employee experience app in Microsoft Teams that brings together relevant news, conversations, resources, and tools in one place for every employee. As discussed in our earlier introductory article, Microsoft Viva Connections has two key roles. One is to integrate SharePoint Online intranet, SharePoint News and Viva Engage announcements into Microsoft Teams, and provide a Dashboard for access to custom business tools. The second is to be the starting point for navigating Microsoft Viva.
How to Govern Viva Connections
Viva Connections builds on SharePoint Online, Viva Engage (formerly Yammer) and Microsoft Teams and as such inherits the compliance features and settings from those tools. As such it is important to ensure that you practise good data governance in SharePoint and ensure users only have access to the content and sites which they require.
Through the dashboard Viva Connections has access to Microsoft 365 products, with data storage, privacy and permissions settings being controlled by those products. Third-party apps can also be added to the dashboard and the app itself will determine governance options & data locations.
Announcements in Viva Engage and SharePoint News articles surfaced in the Viva Connections feed are stored in their source location (for example, news in the SharePoint site it is created from) with Viva Connections logging metrics on usage and engagement.
Question 1 : Data Location
Viva Connections primarily builds on SharePoint Online. SharePoint Online and Viva Connections store their data in the data centre region where the Microsoft 365 tenant resides. You can check your region for Microsoft 365 Services in the Microsoft 365 Admin Center by selecting Settings > Org Setting > Organisation profile > Data location.
For European Union (EU) and European Free Trade Association (EFTA) based Microsoft 365 tenants data is covered by the EU Data Boundary for the Microsoft Cloud introduced in January 2023 which give reassurance that the data will not be transferred outside this region.
App Specific Controls
The Dashboard and Feed are Viva Connections specific features. Access to these features is controlled by SharePoint and Viva Engage permissions. To modify the dashboard a user must be granted Site Owner access to the SharePoint Home site.
With the introduction of multiple Viva Connections experiences releasing in July 2023 for organisations with a Viva Suite license will be able to create up to 10 Viva Connections instances. Security groups can be used to target dashboard, web parts within a site and Viva Connections experiences.
Reporting is available on Viva Connections usage and can be downloaded from the home site under the settings cog > Manage Viva Connections > Download report.
These analytics are available to all users with member permissions (or higher) on the home site and are totally anonymous. The analytics can be disabled, if required.
Question 2: Microsoft 365 Compliance, Security, Privacy and Access Controls
Manage Access
As with all tools and applications in Microsoft 365 the user must first be a licensed user in Azure AD to use a product before they can gain access. In the case of Viva Connections the licences needed are SharePoint Online, Viva Engage and, where multiple Viva Connections experiences are deployed, the Viva Suite license.
Access to the content is controlled with SharePoint permissions. With regard to content from Viva Engage surfaced in the Viva Connections feed, this is controlled using network membership in Viva Engage.
Data Life Cycle Management
Microsoft Purview Data Lifecycle Management is used to control retention and deletion of content stored in Microsoft 365. Retention policies can be applied to a SharePoint site to control the default retention for all content in the site and retention labels can be used to set document specific retention controls.
Where an organisation has licensing for records management, labels to be applied to files can also be used to protect document content from change, as well as control document deletion.
Viva Engage community messages and user messages, including private messages and storyline posts, can be controlled with retention policies. Files in Viva Engage are stored in SharePoint and as such are controlled in the same way as other SharePoint content.
The principles of retention in Microsoft 365 are used to determine if the system will retain a document when multiple retention settings are in force. You can also use this flowchart to determine when an item will be retained or permanently deleted.
Data Loss Prevention
Data loss prevention (DLP) features in Microsoft Purview are designed to control accidental or malicious oversharing of sensitive information. A DLP policy sets out customisable rules as to the circumstances in which sharing actions should be tracked or blocked. Whilst working with Viva Connections does not specifically require information sharing, the DLP policies can be configured to apply to the SharePoint sites used by Viva Connections.
It should be noted that DLP policies do not apply to Viva Engage messaging.
Information Protection
Microsoft 365 Information Protection solutions are also known as Sensitivity Labels which can take advantage of both Sensitive Information Types and Trainable Classifiers in Microsoft Purview. Sensitivity Labels can be used to control features in Microsoft 365 Groups/Microsoft Teams teams/SharePoint Sites as well as providing content marking & encryption for documents, data, meetings and emails.
Where sensitivity labels have been used on content and containers (sites, teams & groups) which are surfaced in Viva Connections, the label configuration is honoured by Viva Connections. Sensitivity Labels do not apply to Viva Engage communities.
Data Discovery
Microsoft 365 includes three data discovery tools, Content Search and eDiscovery (Standard) and eDiscovery (Premium). All of the discovery tools can be used to search for content stored in SharePoint Online and Viva Engage. As such there are no additional governance considerations for Viva Connections in relation to the discovery of data.
Next Steps
The next steps with governance decisions for Viva Connections are to consider the remaining 3 questions posed at the start of this article.
In relation to which of those features are included in our licences: there are a number of tools which can be used for this. However the official source of information is the security & compliance licensing guidance.
Consider the items discussed in this article and the administration and configuration article, what controls you want to place on your users in relation to Viva Connections. You should start by reviewing the existing configuration for SharePoint and Viva Engage. The review should also consider what frailties there are in your current configuration and if now is a good time to review those. Secondly, consider changes you need to make with regard to the introduction of Viva Connections.
In preparing to implement Viva Connections, organizations sometimes find they need to make changes such as adjusting SharePoint architecture, implementing (additional) hub sites, creating/adjusting security groups for use with audience targeting and even changing front line worker log in processes to use personal accounts.
How Rencore Governance helps you
In circumstances where Microsoft Purview does not provide all the control and options which you require, feel free to look at Rencore Governance. The governance tool centralizes all Microsoft 365 service data – including Viva Connections – into one place and automates policy and lifecycle processes for complete governance and data understanding.