Creating and managing a Microsoft 365 governance strategy is a shared responsibility. Speaking from my own experience, it can be tempting to take the lead and do as much as possible by yourself. This is not the way. But, where to start?
To answer this question, we have to start at the beginning. What topics are part of a successful Microsoft 365 governance strategy? In my experience, these are as follows:
- Steering committee
- Administrator roles & responsibilities
- Collaboration settings & policies
- Processes & procedures
- Security & Data Security
I don’t want to use this article to deep dive into all of these topics, apart from the steering committee. That said, I do want to provide you with a brief explanation per topic.
Administrator roles & responsibilities
You need an overview of all Microsoft 365 administrator roles. Check this list and decide which roles are relevant for your Microsoft 365 environment. Look beyond your Microsoft 365 team: the communication department often needs admin roles as well, for example for Viva and SharePoint. These roles shouldn’t be assigned permanently; use Privileged Identity Management (PIM) instead.
Collaboration settings & policies
You need an overview of all the tenant settings & policies related to your Microsoft 365 services, for example SharePoint, OneDrive and Microsoft Teams. Don’t forget your template requirements: naming convention, an expiration policy for inactive sites & teams, guest access, membership reviews, and self-service or provisioning.
Processes & procedures
You need an overview of the processes and procedures related to your Microsoft 365 tenant, for example backup & restore, the employment process for licensing and access management, employee support, new features & updates, and administrator role assignment.
Security & Data Security
You need an overview of the security & data security policies and settings related to your Microsoft 365 tenant, for example multi-factor authentication, conditional access, information protection and data loss prevention.
Now that we have got this out of the way, it is time to find your governance partners in crime for your steering committee!
Partners in crime aka your steering committee
Microsoft 365 governance always starts from an IT perspective. That’s not enough: you need more expertise and insights. So who should you invite? There is no right or wrong. That said, there are recommendations for specific roles.
Themes and roles
In my previous assignment as Microsoft 365 Platform Owner, we set up a steering committee. Every two weeks, we had a 30-minute online meeting. During this meeting, we discussed the following two topics:
- Requests from business users.
- Microsoft 365 updates & features.
I know what you are thinking. Of course, we didn’t discuss all requests, updates and features. We only talked about items that had an impact on the following four Microsoft 365 areas:
- Security
- Risk
- Architecture
- Maintenance
These four areas translate into the following roles being present:
- IT Security
- IT Risk
- IT Architecture
- Microsoft 365 administrators
These four roles provide valuable insights, each from their own technical perspective. Let me share an example where the steering committee and shared responsibility proved invaluable.
Microsoft Teams External Apps
Microsoft Teams is used, no surprise, for collaborating with colleagues and a selection of external partners. An important part of that collaboration is integrating external apps, for example ServiceNow or Jira. There are a lot of external apps, and I mean a lot. Just look at the following example from my own tenant:
It is recommended not to allow all external apps by default. Make sure you uncheck the third-party apps button in your org-wide app settings menu:
Of course, employees have valid business cases for integrating external apps into their teams. So how do you determine which external apps to allow or block? Microsoft is here to help out!
External App Security and Compliance
The Microsoft 365 App Compliance Program[1] checks and audits an app against controls that are derived from leading industry-standard frameworks. The program demonstrates that strong security and compliance practices are in place to protect customer data. The program has the following phases:
- Publisher verification.
- Publisher attestation.
- Microsoft 365 certification.
Each external app has a tab where evidence for the security and compliance standards is shared. For example:
This overview is incredibly helpful in the decision process for allowing, or denying, the use of the requested external apps. The IT Security, IT Risk and IT Architecture steering committee members use this information in their decision-making process. The Microsoft 365 administrators are responsible for gathering this information and, once the app is approved, they enable the external app for the requesting employee. The employees are responsible for the testing process. Once the tests are successful, the external app is made available to the entire organization or to a smaller selection.
In certain cases, additional communication or training is needed. This is where shared responsibility again comes into play! Representatives from the communication and e-learning departments are included in the steering committee, providing their expertise to the governance strategy for your Microsoft 365 environment. Shared responsibility is the key to success!
Conclusion
Hopefully, I have been able to convey the importance of shared responsibility in setting up and maintaining a successful Microsoft 365 governance strategy. Before we wrap up, I want to finish with a final tip!
For efficient and effective meetings, I highly recommend using Microsoft Teams Premium, ideally with Microsoft 365 Copilot, for an intelligent recap, especially in combination with the Facilitator agent. This makes it a lot easier to keep track of your notes and tasks. Be aware though! There are two important notes:
- Facilitator in Teams is available as part of the public preview program and might undergo further changes before being released publicly. To get access to this and other upcoming features, switch to Teams public preview.
- Only Microsoft 365 Copilot licensed users can add Facilitator to a meeting or turn it on during a meeting. However, any meeting participant (excluding external participants) can see all real-time updates in Chat and Notes.
That said, if you are able to use Teams Public Preview, do so. You won’t regret it!
[1] Source: Know about high quality Microsoft certified Teams apps - Microsoft Teams | Microsoft Learn
A note from Rencore
Democratizing governance has never been more essential. With technology, now more than ever, empowering end-users to independently build the solutions their businesses need, effective governance must be accessible precisely where collaboration happens.
To truly support this new era of self-service solutions, governance must be seamlessly integrated into day-to-day business workflows, enabling secure, compliant, and efficient outcomes without slowing innovation. Want to discover how to take your Microsoft 365 governance to the next level? Get in touch with us at Rencore; we’re here to help you succeed.