In considering governance for Microsoft Viva, it is important to recognise that Viva tools are built on top of Microsoft 365 and therefore work with the same security, compliance and privacy principles as the rest of the Microsoft 365 products, which you can read about in the Microsoft Trust Center.
This includes operating with a shared responsibility model where Microsoft, as the data processor, creates and supplies the tools with built-in security, compliance and privacy features, and where the responsibility for the data controls rests with the customer. This means it is our responsibility to configure and use the tools in a manner that fulfils the obligations on data controllers across the relevant countries and regions for our organisation.
This is neatly summarised by Microsoft in the following graphic:
As Viva is built on Microsoft 365, it inherits the compliance features, including your configuration of them, from Microsoft Teams, Exchange Online, SharePoint Online, Azure, Microsoft Graph and Viva Engage (Yammer).
With Microsoft Viva being an employee-focused suite of products, there is a need to be extra diligent in ensuring rigorous controls within your organisation’s configuration.
When we consider governance of any product in the Microsoft 365 suite, we need to consider 5 key questions:
In this article, we’ll be answering the questions on data location and the coverage of key Microsoft 365 features.
As discussed in our earlier introductory article, Microsoft Viva Engage was formerly known as Yammer. It can still be used as a standalone tool or integrated with the wider Viva suite, such as displaying announcements in Viva Connections. Since becoming Viva Engage, additional features have been included in what was formerly Yammer, such as short video posts called Stories, feeds of updates from across the organisation called Storylines, a feature to highlight updates from Leaders and advanced analytics.
When considering governance for Viva Engage it is impossible to ignore the history of the tool. Microsoft bought Yammer in 2012 and proceeded to integrate it into Microsoft 365. From January 2020 all new Yammer networks were configured in native mode, meaning they run on Microsoft 365 groups and use Azure AD for access controls. Yet it still retains aspects which are managed outside the Microsoft 365 core functionality such as keyword monitoring and is not fully supported by Microsoft Purview tools including Sensitivity Labels, Data Loss Prevention and Communication Compliance.
Viva Engage stores messaging and attached files in the same geography in which the network is created. Files are stored in SharePoint Online in accordance with the SharePoint data residency settings for your organisation.
You can check the geographic region for your Viva Engage/Yammer network by accessing the web tool as an administrator and choosing Settings > edit Network admin settings > Success.
You can check your region for Microsoft 365 Services in the Microsoft 365 Admin Center by selecting Settings > Org Setting > Organisation profile > Data location.
Mobile app push notifications send data to services from Apple and Google, depending on the mobile operating system used, and these services may be operated from outside your region.
Viva Engage still relies heavily on the Yammer administration controls and requires at least one network to be configured within the tenant. These controls are split between the classic Yammer network admin and the newer Viva Engage admin center.
As is shown in figure 2, there are many options which are specific to Viva Engage from its Yammer heritage including for content controls and security.
These include:
In the updated Viva Engage admin centre, accessed from the settings cog and Admin Center within the web portal or the Viva Engage Teams app, additional options are available which primarily focus on the newer features of Viva Engage. These are shown in the composite screenshots in figure 4 and include:
As with all tools and applications in Microsoft 365, a user must first be licensed in Azure AD for a product before they can gain access to it. In the case of Viva Engage, the licences needed are Exchange Online, SharePoint Online, Viva Engage and, where the premium features of Viva Engage are deployed, the Viva Suite licence. The premium features at time of writing are Leadership Corner, AMAs, Storyline delegation and advanced analytics.
Exchange Online and SharePoint Online features are required to support the use of Microsoft 365 Groups as the foundation for communities and to work with files in the communities. Access to the files is controlled using the same permissions model as other Microsoft 365 Groups with all members of the community given group member permissions and all community admins set as group owners.
Microsoft Purview Data Lifecycle Management is used to control retention and deletion of content stored in Microsoft 365.
Viva Engage community messages and user messages, including private messages and storyline posts, can be controlled with retention policies. Files in Viva Engage are stored in SharePoint and as such are controlled in the same way as other SharePoint content.
Retention policies can be applied to a SharePoint site to control the default retention for all content in the site and retention labels can be used to set document specific retention controls.
Where an organisation has licensing for records management, labels to be applied to files can also be used to protect document content from change, as well as control document deletion.
The principles of retention in Microsoft 365 are used to determine if the system will retain a document when multiple retention settings are in force. You can also use this Flowchart to determine when an item will be retained or permanently deleted.
Data loss prevention (DLP) features in Microsoft Purview are designed to control accidental or malicious oversharing of sensitive information. A DLP policy sets out customisable rules as to the circumstances in which sharing actions should be tracked or blocked.
It should be noted that DLP policies do not apply to Viva Engage messaging: files stored in the SharePoint sites are governed by DLP, but messages sent via Viva Engage are not. This is one very good reason to limit Viva Engage to only internal users, which is the only choice for networks in the EU.
Microsoft 365 Information Protection solutions are also known as Sensitivity Labels which can take advantage of both Sensitive Information Types and Trainable Classifiers in Microsoft Purview. Sensitivity Labels can be used to control features in Microsoft 365 Groups/Microsoft Teams teams/SharePoint Sites as well as providing content marking & encryption for documents, data, meetings and emails.
Sensitivity Labels do not apply to Viva Engage communities.
Microsoft 365 includes three data discovery tools: Content Search, eDiscovery (Standard) and eDiscovery (Premium). All of the discovery tools can be used to search for content stored in Viva Engage, including the files in SharePoint. As such, there are no additional governance considerations for Viva Engage in relation to the discovery of data.
The next steps with governance decisions for Viva Engage are to consider the remaining 3 questions posed at the start of this article.
In relation to which of those features are included in our licences, there are a number of tools which can be used for this; however, the official source of information is the security & compliance licensing guidance.
Taking the items discussed in this article and the administration and configuration article, consider what controls you want to place on your users in relation to Viva Engage. You should start by reviewing the existing configuration for Yammer. The review should also consider what frailties there are in your current configuration and if now is a good time to review those. Secondly, consider changes you need to make with regard to the introduction of Viva Engage.
In circumstances where Microsoft Purview does not provide all the control and options which you require, feel free to look at Rencore Governance. The governance tool centralizes all Microsoft 365 service data – including Viva Engage – into one place and automates policy and lifecycle processes for complete governance and data understanding.