S8 E1: Designing a Smart Microsoft 365 Governance Plan at Kohler

Without guiderails to help employees work smarter and more safely, collaboration tools can become unwieldy (or worse, a liability). So, what’s the secret to good governance? 

I’ll get the scoop from Ryan Hafeman, Associate Systems Analyst at Kohler, where his team manages 20,000 seats in Microsoft 365. We’ll learn how the kitchen and bath giant has, shall we say, turned off the faucet to prevent leaky data and enable remote work. 

Let’s get to it. 

In this episode:

Introducing Kohler 

We’re headquartered out of Kohler, Wisconsin, a town that grew around the company. John Michael Kohler started it back, but his great grandson, David Kohler, now runs the company. It’s a company rich in history. 

People typically think Kohler is all bathtubs, toilets, urinals, sinks, and things like that. And yes, we do make those products. That’s one of our largest business groups. But we do have a few more. We consist of four business families–kitchen and bath being the biggest. We also have a hospitality group that is famous for our golf courses. We have an interiors group that does a lot of interiors work and designing. And then we have a global powers group that does anything from generators to engines, and that business has really taken off for Kohler in the past couple of years.  

So, Kohler is a diverse company. It is a very family-rich company. We just hit, I believe, 20,000 licensed users for Microsoft 365. It’s a little bit over that if you include other manufacturing associates that may not be licensed with the Microsoft 365, but we’re a very large and growing global company. 

Remote work at Kohler with Microsoft 365 

Microsoft Teams is a huge tool for us. Our adoption exploded on the onset of the pandemic. Although there were a lot of nuances that came with that, our IT staff did a very great job of getting ready for our adoption. From communicating with their team members to holding live events, Teams has been a huge thing for us. And especially for our Kohler leadership team like David Kohler, getting those direct reports and having events scheduled remotely was crucial.   

We also heavily, heavily rely on SharePoint. Obviously, SharePoint is a backend of Teams, but for the document repository functionality, Kohler’s trying our very best to get off of our on-premise network NAS file shares onto SharePoint for cloud-based document collaboration. 

Kohler before pandemic: planning for governance 

Part of the reason we were successful with bringing Teams to support our work from home scenarios was because we already were adopting them pre-pandemic. Thankfully, we had brought AvePoint into Kohler prior to COVID.  

And prior to knowing that it was going to happen, we had said, “Okay, Teams is going to be turned on globally for our associates. We need to see the growth of number of sites, teams, workspaces. We have to have some governance around this. We need some way to reign this in.”  

And we had that in place March of 2020. And then it just took off. So, thankfully, all those thousands of teams that were created were all captured in governance. 

AvePoint Cloud Governance x Kohler 

Honestly, there weren’t a lot of governance products out there, at least when we looked. Microsoft was kind of like, “Make it in PowerShell.” And then there was AvePoint that seemed to check all of our boxes and meet us where we needed them.  

The big box to check for us was retention and the renewal process that we wanted to start to define. We were looking at the number of sites we had from when we went to SharePoint Online–when they were created, when they were last modified. And seeing such mess in that area, we didn’t want that to plague our Office 365 tenant. We wanted some mechanism that was driven automatically and interacted with the owners of these workspaces to make sure our tenants stayed clean and stayed secure.  

Also, over the last six months, we’ve found diverse groups that are asking for specific instances to be created for them, like our project management office and new product design teams. They have specific needs around their workspaces that they use that doesn’t necessarily match the rest of the company, whether it’s our retention policy, how long we want to keep files for projects or new product designs and products that stay throughout their life cycle. 

So, we took a minimum viable product approach with what AvePoint Cloud Governance offers, and that was our initial goal and our thought process at the start. We obviously have a lot more opportunities for the product still.  

Positive business impact brought by proper governance 

Proper governance has given us a level of visibility that we didn’t have before.  

It was important for us to have an understanding of what people have ownership of. So, I really liked that visibility we now have. There is an option in My Hub (which is part of Cloud Governance) that we use that gives the ability to see what exists in Kohler from a team’s perspective, even if they’re not public, that they can go out and see what team is there. So, I would say that was big for us. 

But what does good governance look like? 

Jay–who I worked with for the session that I talked at–mentioned that turning off certain valves but giving an opportunity for users to still use the tool but in a different way, was critical. We don’t want to remove the ability to create workspaces altogether and not have a door for users to walk through, right? 

So, we turned off the ability to natively create teams in the Teams app, but we gave them the opportunity to create teams without approval of IT through MyHub. Now, that was sort of our gateway. Every time they walk through that door of creating a workspace, it’s captured in governance. Now they don’t need approval from their managers or for IT, or for anything else. It gets created. And that allows us to serve those diverse groups that we talked about. 

Also, a lot of the times, users don’t understand what they need to create, and My Hub gives us the opportunity to set up somewhat of a questionnaire. There, we provide descriptions as to what these workspaces are intended for, so that if a user has some confusion, they can get some insight into what is a Team and if it makes the most sense versus a SharePoint site. You can’t just make the assumption users know exactly what Teams’ purpose is, so we need to make that a more clear distinction for them. 

Another thing, I touched on it earlier, is the renewal tasks; to have some sort of checking in on these workspaces, making sure the contexts are correct. Because we all know organizations go through reorgs. Contacts and roles can change for workspaces. Permissions can change. And a lot of the time, these users and the owners of these workspaces just don’t have the time to do that when these reorgs take place. So, if there’s a task that’s sent to them on a bi-annual basis or semi-annual, they can do that in a task that’s simple and quick, and it meets the audit finding that we had open for that internally. 

External and Guest Access 

The external sharing part of governance is also something that we still need to work on. From a security mindset, we’ve blocked and shut off other avenues of sharing, like Dropbox and Box, and really just focusing on Office 365, which has external sharing capabilities. We’re pushing towards this system where a portal is used to enter a user’s name with email, set themselves as a sponsor, and it sends out to the Microsoft invitation process and does it that way. We actually want to improve upon it, and I think AvePoint’s going to have a pretty large seat at the table when it comes to reinventing that. 

We know that AvePoint has that external access trackability like it does with workspaces where you can have contacts that sponsor an external user. You can get insights into what that external user has access to or is using. And we really liked that because that is a concern of security in our environment. That is a big challenge of ours. We call it the wild, wild west of OneDrive and SharePoint. One big area of concern now is, OneDrive’s there, you’re sharing links with people you don’t typically share your entire OneDrive. Where are all these shareable links existing in my company?  

We don’t know what they’re seeing or what they actually have access to, so we want that to be trackable and auditable. So, we’re going to be definitely looking at that in the near future. I think we’ve seen a couple of future states that AvePoint has for renewal tasks for maybe a SharePoint site to Microsoft Teams that gives them a more modern view of what’s being shared out of those workspaces.  

I know there’s another product called Policy and Insights that may have an opportunity to fill that gap for us as well. But I know that’s on the mind of our VP of Security. We just want users to have an awareness of what’s being shared of their content. 

Make #ShiftHappen in your Microsoft 365 governance 

Understand your users and understand their ability to change, and then craft your communication plan around that. Make sure that your users understand– if you’re turning off things, communicate that it’s being turned off and where the new avenue exists. Also, provide an answer as to why you’re doing this so they have clarity. Lastly, provide the knowledge as to how to complete certain tasks that may come their way.  

Another thing, too, is looking at the minimum viable product. It’s really easy to overwhelm a larger group of users, even a smaller group of users, who aren’t really knowledgeable. If you introduce a governance solution with tons of services, tons of questions, and other actions that maybe exists somewhere else, you may overwhelm your users.  

We definitely do a crawl-walk-run approach to AvePoint. And that’s a big advice from my part to see how our users are adapting to certain things. Once you see they’re adapting well, that’s when you start introducing your new other solutions. 

Today’s takeaway from Ryan: 

“We want Microsoft Teams and SharePoint to be a tool that they continually turn to, but we want to be an IT organization that can govern it effectively and make sure security is still at the forefront and in our mindset.”

Products mentioned: 

Cloud Governance: Microsoft Office 365 Governance | Accelerate O365 Adoption | AvePoint

MyHub: MyHub | Management for Microsoft 365 | AvePoint 

Policies and Insights: Policies & Insights for Microsoft 365 | Security for Microsoft 365  | AvePoint 

What’s more? 

Tune in to our new biweekly podcast, AskDux, to hear all about Microsoft 365 and the modern workplace. Email your questions to askdux@avepoint.com and you could win a hundred dollars Amazon gift card!