In considering governance for Microsoft Viva, it is important to recognise that the Viva tools are built on top of Microsoft 365 and thus work with the same security, compliance and privacy principles as the rest of the Microsoft 365 products, which you can read about in the Microsoft Trust Center.
This includes operating with a shared responsibility model where Microsoft, as the data processor, creates and supplies the tools with built-in security, compliance and privacy features, and where the responsibility for the data controls rests with the customer. This means it is our responsibility to configure and use the tools in a manner that fulfils the obligations on data controllers across the relevant countries and regions for our organisation.
This is neatly summarised by Microsoft in the following graphic
As Viva is built on Microsoft 365, it inherits the compliance features, including your configuration of them, from Microsoft Teams, Exchange Online, SharePoint Online, Azure, Microsoft Graph and Viva Engage (Yammer).
With Microsoft Viva being an employee-focused suite of products, there is a need to be extra diligent in ensuring rigorous controls within your organisation’s configuration.
When we consider governance of any product in the Microsoft 365 suite, we need to consider 5 key questions:
- Where is the data stored?
- Which Microsoft 365 compliance, security, privacy and access controls work with the product & its data storage?
- Which of those features are included in our licences?
- What controls do we want to place on our users using the Microsoft 365 features?
- Are there any additional controls we need in place?
In this article we’ll be answering the questions on data location and the coverage of key Microsoft 365 features.
What is Viva Engage?
As discussed in our earlier introductory article, Microsoft Viva Engage was formerly known as Yammer. It can still be used as a standalone tool or integrated with the wider Viva suite, such as displaying announcements in Viva Connections. Since becoming Viva Engage, additional features have been included, such as short video posts called Stories, feeds of updates from across the organisation called Storylines, a feature to highlight updates from Leaders, and advanced analytics.
Governing Viva Engage
When considering governance for Viva Engage it is impossible to ignore the history of the tool. Microsoft bought Yammer in 2012 and proceeded to integrate it into Microsoft 365. From January 2020 all new Yammer networks were configured in native mode, meaning they run on Microsoft 365 groups and use Azure AD for access controls. Yet it still retains aspects which are managed outside the Microsoft 365 core functionality, such as keyword monitoring, and it is not fully supported by Microsoft Purview tools including Sensitivity Labels, Data Loss Prevention and Communication Compliance.
Viva Engage stores messaging and attached files in the same geography in which the network is created. Files are stored in SharePoint Online in accordance with the SharePoint data residency settings for your organisation.
You can check the geographic region for your Viva Engage/Yammer network by accessing the web tool as an administrator and choosing Settings > edit Network admin settings > Success.
You can check your region for Microsoft 365 Services in the Microsoft 365 Admin Center by selecting Settings > Org Setting > Organisation profile > Data location.
Mobile app push notifications send data to services from Apple and Google, depending on the mobile operating system used, and these services may be operated from outside your region.
App Specific Controls
Viva Engage still relies heavily on the Yammer administration controls and requires at least one network to be configured within the tenant. These controls are split between the classic Yammer network admin and the newer Viva Engage admin center.
As is shown in figure 2, there are many options which are specific to Viva Engage from its Yammer heritage, including for content controls and security:
- Setting an acceptable use policy which users must accept when first accessing Viva Engage or when changes are made to it.
- Setting keywords for monitoring to send messages containing those keywords to a nominated email address.
- Allowing users to report conversations to a nominated email address.
- Allow/block external users (not supported where network data is stored in the EU Geographical area).
- Private Content Mode to allow the currently signed-in admin account to view all messages, including private messages and those posted in private groups.
In the updated Viva Engage admin centre, accessed from the settings cog and Admin Center within the web portal or the Viva Engage Teams app, additional options are available which primarily focus on the newer features of Viva Engage. These are shown in the composite screenshots in figure 4 and include:
- Assigning Corporate Communicators who will manage campaigns and leadership corner features.
- Turning on/off sentiment analysis and analytics features which are used to build the reports in the analytics screens.
- Export data for the whole tenant including all networks, or an individual user, or all users.
- Remove Viva Engage users.
- Turn on/off and configure options for newer features such as leadership corner, storyline, campaigns, answers and rewards.
Microsoft 365 Compliance, Security, Privacy and Access Controls
As with all tools and applications in Microsoft 365, a user must first be licensed for a product in Azure AD before they can gain access to it. In the case of Viva Engage the licences needed are Exchange Online, SharePoint Online, Viva Engage and, where the premium features of Viva Engage are deployed, the Viva Suite license. The premium features at time of writing are Leadership Corner, AMAs, Storyline delegation and advanced analytics.
Exchange Online and SharePoint Online features are required to support the use of Microsoft 365 Groups as the foundation for communities and to work with files in the communities. Access to the files is controlled using the same permissions model as other Microsoft 365 Groups with all members of the community given group member permissions and all community admins set as group owners.
Data Lifecycle Management
Microsoft Purview Data Lifecycle Management is used to control retention and deletion of content stored in Microsoft 365.
Viva Engage community messages and user messages, including private messages and storyline posts, can be controlled with retention policies. Files in Viva Engage are stored in SharePoint and as such are controlled in the same way as other SharePoint content.
Retention policies can be applied to a SharePoint site to control the default retention for all content in the site and retention labels can be used to set document specific retention controls.
Where an organisation has licensing for records management, labels to be applied to files can also be used to protect document content from change, as well as control document deletion.
The principles of retention in Microsoft 365 are used to determine if the system will retain a document when multiple retention settings are in force. You can also use this flowchart to determine when an item will be retained or permanently deleted.
Data Loss Prevention
Data loss prevention (DLP) features in Microsoft Purview are designed to control accidental or malicious oversharing of sensitive information. A DLP policy sets out customisable rules as to the circumstances in which sharing actions should be tracked or blocked.
It should be noted that DLP policies do not apply to Viva Engage messaging: files stored in the SharePoint sites are governed by DLP, but messages sent via Viva Engage are not. This is one very good reason to limit Viva Engage to only internal users, which is the only choice for networks in the EU.
Microsoft 365 Information Protection solutions are also known as Sensitivity Labels, which can take advantage of both Sensitive Information Types and Trainable Classifiers in Microsoft Purview. Sensitivity Labels can be used to control features in Microsoft 365 Groups, Microsoft Teams teams and SharePoint sites, as well as providing content marking and encryption for documents, data, meetings and emails.
Sensitivity Labels do not apply to Viva Engage communities.
Microsoft 365 includes three data discovery tools: Content Search, eDiscovery (Standard) and eDiscovery (Premium). All of the discovery tools can be used to search for content stored in Viva Engage, including the files in SharePoint. As such there are no additional governance considerations for Viva Engage in relation to the discovery of data.
The next steps with governance decisions for Viva Engage are to consider the remaining 3 questions posed at the start of this article.
In relation to which of those features are included in our licences, there are a number of tools which can be used for this; however, the official source of information is the security & compliance licensing guidance.
Considering the items discussed in this article and in the administration and configuration article, decide what controls you want to place on your users in relation to Viva Engage. You should start by reviewing the existing configuration for Yammer. The review should also consider what frailties there are in your current configuration and whether now is a good time to review those. Secondly, consider changes you need to make with regard to the introduction of Viva Engage.
In circumstances where Microsoft Purview does not provide all the control and options which you require, feel free to look at Rencore Governance. The governance tool centralizes all Microsoft 365 service data – including Viva Engage – into one place and automates policy and lifecycle processes for complete governance and data understanding.