Creating and managing a Microsoft 365 governance strategy is a shared responsibility. Speaking from my own experience, it can be tempting to take the lead and do as much as possible by yourself. This is not the way. But, where to start?
To answer this question, we have to start at the beginning. What topics are part of a successful Microsoft 365 governance strategy? In my experience, these are as follows:
I don’t want to use this article to deep-dive into all of these topics, apart from the steering committee. That said, I do want to provide you with a brief explanation of each topic.
You need an overview of all Microsoft 365 administrator roles. Check this list and decide which roles are relevant for your Microsoft 365 environment. Look beyond your Microsoft 365 team: the communication department often needs admin roles as well, for example for Viva and SharePoint. These roles shouldn’t be assigned permanently. Instead, grant them just-in-time through Privileged Identity Management (PIM).
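The role inventory described above, as an added example that is not part of the original article: a Microsoft Graph PowerShell script that lists directory roles still held as permanent active assignments, next to a count of PIM-eligible assignments. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account may read role management data.

```powershell
# Added example, not from the article. Assumes the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account allowed to read role management.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Resolve role definition ids to display names once, instead of per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
    $roleNames[$_.Id] = $_.DisplayName
}

# Active assignments. AssignmentType is "Assigned" for a direct (standing) assignment
# and "Activated" for a PIM eligibility the user has activated; an empty EndDateTime
# means the assignment never expires on its own.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All -ExpandProperty Principal
$permanent = $active | Where-Object {
    $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime
}

# Eligible (just-in-time) assignments, counted for comparison.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All

$report = foreach ($a in $permanent) {
    $p = $a.Principal.AdditionalProperties
    [pscustomobject]@{
        Role      = $roleNames[$a.RoleDefinitionId]
        Principal = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
        Type      = ($p['@odata.type'] -replace '#microsoft.graph.', '')   # user, group, servicePrincipal
        Scope     = $a.DirectoryScopeId                                   # "/" means tenant-wide
    }
}

$report | Sort-Object Role, Principal | Format-Table -AutoSize
"Permanent active assignments: $(@($permanent).Count); PIM-eligible assignments: $(@($eligible).Count)"
```

Every line in the report is a candidate for conversion to a PIM-eligible assignment; group and service-principal principals are worth reviewing separately, since they are easy to overlook in a user-centric role review.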
You need an overview of all the tenant settings and policies related to your Microsoft 365 services, for example SharePoint, OneDrive and Microsoft Teams. Don’t forget your template requirements: naming conventions, an expiration policy for inactive sites and teams, guest access, membership reviews, and self-service versus provisioning.
You need an overview of the processes and procedures related to your Microsoft 365 tenant, for example backup and restore, the employment lifecycle process for licensing and access management, employee support, new features and updates, and administrator role assignment.
You need an overview of the security and data security policies and settings related to your Microsoft 365 tenant, for example multi-factor authentication, conditional access, information protection and data loss prevention.
Now that we’ve got this out of the way, it’s time to find your governance partners in crime for your steering committee!
Microsoft 365 Governance always starts from an IT perspective. That’s not enough. You need more expertise and insights. So who should you invite? There is no right or wrong. That said, there are recommendations for specific roles.
In my previous assignment as Microsoft 365 Platform Owner, we set up a steering committee. Every two weeks, we had a 30-minute online meeting. During this meeting, we discussed the following two topics:
I know what you are thinking. Of course, we didn’t discuss all requests, updates and features. We only talked about items that had an impact on the following Microsoft 365 sections:
These four sections translate into the following roles being present:
These four roles provide valuable insights, each from their own technical perspective. Let me share an example where the steering committee and shared responsibility proved invaluable.
Microsoft Teams is used, no surprise, for collaborating with colleagues and a selection of external partners. An important part of that collaboration is integrating external apps, for example ServiceNow or Jira. There are a lot of external apps. I mean, a lot. Just look at the following example from my own tenant:
It’s recommended not to allow all external apps by default. Make sure you turn off the third-party apps toggle in your org-wide app settings menu:
Of course, employees have valid business cases for integrating external apps in their teams. So how do you determine which external apps to allow or block? Microsoft is here to help out!
The Microsoft 365 App Compliance Program[1] checks and audits an app against controls derived from leading industry-standard frameworks. The program demonstrates that strong security and compliance practices are in place to protect customer data. The program has the following phases:
Each external app has a tab where evidence is shared for the security and compliance standards. For example:
This overview is incredibly helpful in the decision process for allowing, or denying, the use of the requested external apps. The IT Security, Risk and Architecture steering committee members use this information in their decision-making process. The Microsoft 365 administrators are responsible for gathering this information and, once approved, they enable the external app for the employee. The employees are responsible for the testing process. Once the tests are successful, the external app is made available to the entire organization or a smaller selection.
In certain cases, additional communication or training is needed. This is where shared responsibility again comes into play! Representatives from the communication and e-learning departments are included in the steering committee, providing their expertise in the governance strategy for your Microsoft 365 environment. Shared responsibility is the key to success!
Hopefully, I have been able to convey the importance of shared responsibility in setting up and maintaining a successful Microsoft 365 governance strategy. Before we wrap up, I want to finish with a final tip!
For efficient and effective meetings, I highly recommend using Microsoft Teams Premium, ideally with Microsoft 365 Copilot, for an intelligent recap, especially in combination with the Facilitator Agent. This makes it a lot easier to keep track of your notes and tasks. Be aware though! There are two important notes:
That said, if it is possible for you to use Teams Public Preview, you won’t regret it!
[1] Source: Know about high quality Microsoft certified Teams apps - Microsoft Teams | Microsoft Learn
Democratizing governance has never been more essential. With technology, now more than ever, empowering end-users to independently build the solutions their businesses need, effective governance must be accessible precisely where collaboration happens.
To truly support this new era of self-service solutions, governance must be seamlessly integrated into day-to-day business workflows, enabling secure, compliant, and efficient outcomes without slowing innovation. Want to discover how to take your Microsoft 365 governance to the next level? Get in touch with us at Rencore. We’re here to help you succeed.