The Microsoft Viva platform is made up of 10 modules, split across 5 pillars – Connections, Insights, Purpose, Growth and Empowerment. Each Microsoft Viva module has its own focus. In this article, we look at the two modules included in Growth pillar – Viva Topics and Viva Learning – and talk about best practices in their governance.
Since Viva tools are built on top of Microsoft 365, it has the same security, compliance and privacy principles as the rest of the Microsoft 365 products. Organisations should configure and use tools by fulfilling the obligations on data controllers across relevant countries and regions for our organisation.
What is Viva Topics?
As discussed in our earlier introductory article, Microsoft Viva Topics is about making the most of the information stored in Microsoft 365. Viva Topics uses AI to ingest and collate information according to its theme (or topic). The output is a topic page which subject matter experts can then edit to ensure it includes the most relevant details.
Viva Topics then brings us the information we need “in the flow of work”. Which means, getting the right knowledge to the right people at the right time. Or making sure people have the information in front of them as they are working with that topic by carrying out a search or using keywords in a document, on a SharePoint page, in an email or in a Teams message.
Governing Viva Topics
Viva Topics is built on SharePoint Online and it is there that the vast majority of governance efforts are focused after the initial set up. As such it is important to ensure that you practise good data governance in SharePoint and ensure users only have access to the content and sites which they require, whilst also considering that Viva Topics does surface some information on topics to all licensed users.
Data Location
Viva Topics doesn’t store any personal data since usage and consumption data is aggregated. Files are stored in SharePoint Online in accordance with the SharePoint data residency settings for your organisation.
You can check the geographic region for your SharePoint Online network by accessing the web tool as an administrator and choosing Settings > edit Network admin settings > Success.
Microsoft 365 Admin center displaying data locations. In this tenant SharePoint data is stored in the UK.
Mobile app push notifications (in the SharePoint app) sends data to services from Apple and Google, depending on the mobile operating system used and theses services may be operated from outside your region.
App Specific Controls
The main app controls in Viva Topics relate to controlling the content Viva Topics can access when setting up. This was discussed in the Viva Topics section of Microsoft Viva: An Administrator’s View - Rencore
Microsoft 365 Compliance, Security, Privacy and Access Controls
Manage Access
As with all tools and applications in Microsoft 365 the user must first be a licensed user in Microsoft Entra ID (Azure AD) to use a product before they can gain access. In the case of Viva Topics, the licences needed are SharePoint Online and the Viva Suite (or Viva Topics) license. However, there is some integration between Viva Topics and Viva Engage for users without a Viva Topics license (due to roll out by end Sept 2023):
- All users with access to posts in Viva Engage can see the topic names applied to posts in Engage as well as in other Viva Topics experiences in Microsoft 365 (e.g., Topic cards and pages).
- Users with access to the post in Viva Engage will see it as being associated with the topics applied to that post in Topic Center and the Topic Card.
- Users with access to the post will be able to see the name in the Viva Engage topic picker and in search experiences in Viva Engage.
- Users must have pre-existing access to a topic to apply it to the post.
- Users will not be granted new access to other resources associated with the topic.
- And people who had access to the topic will not get access to the conversation if they didn't have it already.
There is as some visibility of Viva Topic experiences in SharePoint without a Viva Topics licence. As an example, granting a user access to SharePoint document tagged with a topic extends access to that topic’s name and the association with the document.
Viva Topics generally follows the SharePoint permissions assigned to the items to control visibility of information. However, there are some areas where this is not the case. The following table summarises topic page component visibility.
Users need a Viva Topics license and role assigned to interact with Viva Topics, both in the Topic Center and in the flow of work.
Data Life Cycle Management
Microsoft Purview Data Lifecycle Management is used to control retention and deletion of content stored in Microsoft 365. Files surfaced as learning content in Viva Topics are still stored in SharePoint and as such are controlled in the same way as other SharePoint content.
Retention policies can be applied to a SharePoint site to control the default retention for all content in the site and retention labels can be used to set document specific retention controls.
Where an organisation has licensing for records management, labels to be applied to files can also be used to protect document content from change, as well as control document deletion.
The principles of retention in Microsoft 365 are used to determine if the system will retain a document when multiple retention settings are in force. You can also use this Flowchart to determine when an item will be retained or permanently deleted.
Data Loss Prevention
Data loss prevention (DLP) features in Microsoft Purview are designed to control accidental or malicious oversharing of sensitive information. A DLP policy sets out customisable rules as to the circumstances in which sharing actions should be tracked or blocked.
Using files in Viva Topics does not interact with DLP directly. The content surfaced via Viva Topics to users will be protected by DLP policies configured to protect the data as files in the SharePoint sites. Viva Topics is designed to make data more visible to users who have access to it and therefore it is good practice to ensure DLP policies are fit for purpose.
Information Protection
Microsoft 365 Information Protection solutions are also known as Sensitivity Labels which can take advantage of both Sensitive Information Types and Trainable Classifiers in Microsoft Purview. Sensitivity Labels can be used to control features in Microsoft 365 Groups/Microsoft Teams teams/SharePoint Sites as well as providing content marking & encryption for documents, data, meetings and emails.
Viva Topics can be configured to exclude files assigned specific sensitivity labels. This helps to ensure that inappropriate data is not used for topic discovery. Though this will not prevent the manual addition of labelled files to topic pages as pinned content where the label includes file encryption the file encryption settings will be honoured when users try to open the file.
To configure the sensitivity label exclusions for Viva Topics go to Microsoft 365 Admin Center > Settings > Org Settings > Viva Topics > Topic Discovery > Advanced Settings and select the labels to be excluded.
Setting files to exclude from topic discovery by sensitivity label.
Data Discovery
Microsoft 365 includes three data discovery tools, Content Search and eDiscovery (Standard) and eDiscovery (Premium). All of the discovery tools can be used to search for content stored in SharePoint Online. As such there are no additional governance considerations for Viva Topics in relation to the discovery of data.
What is Viva Learning?
As discussed in our earlier introductory article, Microsoft Viva Learning brings continuous learning into the daily flow of work. Many workers struggle to find the learning opportunities and suitable content and that is where Microsoft Viva Learning comes in. With the ability to search for learning materials and recommend learning to colleagues, it makes continuous learning more social and easily accessible.
Governing Viva Learning
Viva Learning builds heavily on SharePoint Online for custom content and it is there that the vast majority of governance efforts are focused after the initial set up.Viva Learning doesn’t store any personal data since usage and consumption data is aggregated. Data storage and location behaviours remain the same as with Viva Topics.
App Specific Controls
The main app controls in Viva Learning relate to curating learning content and granting access to the content. This includes choosing learning providers and configuring your chosen sources. Each requires slightly different information and you should review the latest guidance from Microsoft on the topic. All are set up from the Microsoft Viva Admin page in the Microsoft 365 Admin center or via the Admin tab in the Microsoft Teams App.
Additional app controls include creating feature sets to highlight related & relevant content, learning paths to guide employees through content and academies to group learning paths by job role or function. Users with global admin, knowledge admin and knowledge manager roles can manage these features, though additional Microsoft 365 groups can be added to manage these via the Manage feature access option.
Microsoft 365 Compliance, Security, Privacy and Access Controls
Manage Access
As with all tools and applications in Microsoft 365 the user must first be a licensed user in Microsoft Entra ID (Azure AD) to use a product before they can gain access. In the case of Viva Learning the licences needed are SharePoint Online and, where the premium features of Viva Learning are deployed, the Viva Suite license. The premium features at time of writing are content recommendations and progress tracking, surface learning content across M365, additional learning content sources and integration with partner content providers and learning management systems.
When adding custom learning resources to Viva Learning it is important to consider the permissions on the content. This controls what users can access in Viva Learning.
Permissions to the content must be granted using Microsoft 365 Groups only. User access to indexed content is controlled as follows:
- All users can see indexed content in the catalogue and search within Viva Learning
- Users can only open and access the content from the catalogue if they have permissions to read or edit the content
- Content from SharePoint must be shared at folder level to Microsoft 365 groups for the content to be opened and used from Viva Learning using the Share or Manage Access option on the folder in SharePoint
- Access to content from external providers can also be controlled from the Viva Learning Admin tab in the Team app, by granting access to resources to up to 10 Microsoft 365 Groups.
Data Loss Prevention
Whilst working with Viva Learning does allow sharing of content, the DLP policies configured to apply to the SharePoint sites is used by Viva Learning. Viva Learning content is sharable internally so DLP policies which apply to external sharing will not apply.
Information Protection & Data Discovery
Microsoft 365 Information Protection solutions are also known as Sensitivity Labels which can take advantage of both Sensitive Information Types and Trainable Classifiers in Microsoft Purview. Sensitivity Labels can be used to control features in Microsoft 365 Groups/Microsoft Teams teams/SharePoint Sites as well as providing content marking & encryption for documents, data, meetings and emails.
Where sensitivity labels have been used on content and containers (sites, teams & groups) which are surfaced in Viva Learning, the label configuration is honoured by Viva Learning , in so far as access to the content is concerned, but it will still be visible and searchable if added to the Viva Learning index.
As such there are no additional governance considerations for Viva Learning in relation to the discovery of data.
Next Steps
In relation to which of those features are included in our licences? There are a number of tools which can be used for this, however the official source of information is the security & compliance licensing guidance.
In circumstances where Microsoft Purview does not provide all the control and options which you require, feel free to look at Rencore Governance. The governance tool centralizes all Microsoft 365 service data – including Viva Topics and Viva Learning – into one place and automates policy and lifecycle processes for complete governance and data understanding.