We all know these famous lines, but for many planning their Microsoft Teams and/or Office 365 Groups strategy, we can change that first line to be “To allow self-service or to NOT allow self-service… THAT is the question!”
Microsoft’s “on by default” strategy for self-service creation of Sites, Groups and Teams certainly allows users to quickly begin using these innovative tools to support their daily collaboration.
But for organizations that want to (or must!) take a more measured approach to the creation, cataloging and governance of collaborative workspaces, out-of-the-box self-service in Office 365 can seem like a “sea of troubles” that has them “taking up arms” and reaching quickly for the “off” button until they can figure everything out.
This, of course, only creates problems of another sort: users who now have to wait for cumbersome, manual provisioning processes are either slowed down or, worse yet, go around your restrictions by collaborating in a different system that you have no control over or visibility into. This is the dreaded “Shadow IT” scenario.
Is There A Middle Ground?
Can I give my users the agility they need to form and equip new teams with zero delay, yet ensure that all of my policies around data ownership, reporting, ongoing management and life cycle are enforced? Well, to use another well-worn phrase, yes—you can have your cake and eat it too. How? Read on…
The “create” button is everywhere in Office 365: in Outlook, in Teams, in SharePoint, in Planner. Just for fun one day, we counted and found at least 15 different end user interfaces in Office 365 where users can initiate the creation of an Office 365 Group. This in turn provisions a lot of new places where that group can communicate and store and share data, even with folks outside the organization (if you have allowed that, of course; mercifully, “external sharing” is not on by default).
A Rose By Any Other Name (Is Still an Office 365 Group)
Different flavors of Office 365 Groups provide slightly different tools for this work, and the flavor you get depends on what interface you were in when you clicked the “create” button. For example, click create from Microsoft Teams and your conversations will happen in Teams Channels.
Click create from Yammer and your conversations will happen in Yammer posts.
But behind it all, you are creating an Office 365 Group and all of its services, including an Exchange mailbox and a SharePoint site. Fears of sprawl, duplication and lack of oversight have led organizations to develop practices, especially for SharePoint, in which the creation of new workspaces is a managed process, with requests, review, approval and then fulfillment.
And if your organization is regulated or your IT organization is built on ITSM best practices, this kind of managed process for new collaborative workspaces is a must-have so that you can enable scenarios such as maintaining a configuration management report for your Office 365 workspaces.
Commonly there are attributes of your workspaces that you’ll want to understand, such as:
Who is the business owner of this workspace? Did they formally accept responsibility for managing it?
What department owns this workspace?
What’s the primary purpose of this workspace?
What’s the highest level of sensitivity for the work being done here?
When was the last time this workspace had all the above information validated?
When was the last time someone attested that the access permissions to the workspace were correct?
Normally you would gather the information above during a managed provisioning process. But if you want to remove barriers to productivity for your users and leave the native Office 365 self-service provisioning of Office 365 workspaces active, how can you ensure that you collect these necessary details and, as importantly, keep them current over time?
AvePoint’s Cloud Governance solution has long supported the ability to have an automated and fully-managed provisioning process for SharePoint and Office 365, giving you control of every option and setting available to the user, and then allowing you to pass that request through a fully configurable approval process.
But using this process meant you needed to shut off native self-service provisioning in Office 365. This is still the recommended approach if you require that granular control over every option and setting available to the requester, but if you value agility and ease of access for your business users over a fully managed provisioning process, a recent addition to our Cloud Governance solution has you covered.
Introducing “Automatic Import”
The feature is called “Automatic Import” but we refer to it internally as “create and chase.” Essentially, it allows you to leave the native self-service options for Office 365 turned on, but then automatically chases the requesting user and requires them to formally accept ownership of the workspace and supply any necessary additional governance details, such as those listed above.
Not only does this allow you to gather these critical details, the “import” of this new workspace into the Cloud Governance solution means that all of the ongoing management and lifecycle features we enable—re-certification of ownership, attributes and permissions, proactive policy enforcement, automated inactivity tracking and formal end-of-life workflows—are all activated as soon as the “chase” is complete, meaning you now have an ongoing governance process enforced for all of your workspaces.
Parting Is Such Sweet Sorrow
In many ways, this “create and chase” approach gives you a simple and effective middle path between the open-access model of the native provisioning strategy in Office 365 (along with the risks inherent in it) and the more powerful but intrusive alternate provisioning processes that many organizations have developed over the years (which can slow down users and diminish usage and adoption in Office 365).
No single approach is right for everyone and you have to carefully weigh exactly how much governance you need or want over the provisioning process in Office 365, but no matter which approach is right for your organization, AvePoint’s Cloud Governance has the tools you’ll need to make it a reality.
For your convenience, you can also find a video going over these points below:
John Peluso is AvePoint’s Chief Technology Officer. In this role, he aligns the Company’s technology and product roadmaps to grow AvePoint’s market share, and accelerate the ideation, development, and launch of innovative software products tailored to anticipate customer needs. Prior to this role, John held multiple leadership roles over his 13-year tenure at AvePoint, including Chief Product Officer, SVP of Product Strategy, Director of Education, and Chief Technology Officer, Public Sector.
Before joining AvePoint, John served in a variety of technology and business roles at New Horizons Northeast and New Horizons of Central and Northern NJ. He earned his undergraduate degree from The New School.