Govern Microsoft 365

You bought it. Use it right.

Analyst Perspective

You must govern Microsoft 365, or it just won't work.

Microsoft 365 is not an IT project. Some might think upgrading an email service or changing the service model for productivity software is something that IT should handle on its own. But Office 365 is such a massive undertaking that this simply isn't possible.

Microsoft 365 is about more than just delivering the same experiences in a different way. It brings additional capabilities at additional cost. If those capabilities are worth it, everyone – not just IT – needs to work together to realize those benefits.

IT needs to empower users while protecting the interests of the business and reducing risk insofar as is possible. Too often IT leaders interpret this as “locking down” their Microsoft 365 tenant. I think this is the wrong approach. Articulate your goals, identify how Microsoft 365 can meet them, and balance those capabilities with governance. Use the resulting principles to build out targeted controls that will help you be the enabler your business needs you to be.

It's that easy!

Fred Chagnon
Principal research Director, Core Infrastructure
Info-Tech Research Group

Executive Summary

Your Challenge

Microsoft 365 seems like an inevitability, but it's not as simple as migrating from one version of Office to another. With Microsoft 365, Microsoft is introducing a fundamentally new way of working using tools that are deceptively similar to its on-premises offerings, but which work differently in the cloud. What's different about SharePoint Online? How can I safely enable OneDrive for my end users? What are the implications of moving my users to Teams from Skype for Business?

There's a lot that is new when it comes to Office 365, and it's not always easy to navigate.

Common Obstacle

Microsoft 365 is a lot for most organizations. The number of different features and services that come with even a basic E1 license introduces governance challenges. Chief among these:

• Licensing is complicated.
• No single repository of all available controls.
• Integrations and dependencies between the different services are not always obvious.
• Building out governance in a new environment is not always easy.

Info-Tech's Approach

Microsoft 365 may be big and different, but it's not impossible to implement well. Consider these points:

1. All controls should be mapped to governance areas, which should be mapped to governance disciplines. You must be able to draw a line between a control and what it will help you to accomplish.
2. The cloud is different. You should do things differently. Leverage its strengths; obviate its weaknesses. While your goals may not change, the way you accomplish them will.

Info-Tech Insight

Microsoft 365 isn't inherently better or worse than Office CALs. It comes with some additional features, and likely some additional cost, and reduces your overall control over your environment while enabling cloud features such as easy remote access and elasticity. If it's right for you, you'll be able to take advantage of its features. But it may not be right for you.

You need to get this right

Odds are, you already have a Microsoft footprint. If you're not already in Microsoft 365, it may well be on the roadmap.

Like it or not, Microsoft is a behemoth in the office suite market. Google (the next largest provider) is growing, but Microsoft continues to hold more than 85% of the overall market. Its dominance has filtered into other areas, and for many organizations the question isn't “what product should we buy?” it's “what's the next step in our relationship with Microsoft?” Right-sizing your Office deployment, getting licensing in order, and planning for a smooth rollout of Microsoft 365 have all become central to modernizing productivity and collaboration environments. Once your tenant is in place, ensure you're using it as effectively as possible and that end users understand any trade-offs and benefits that come with such a substantial revision of how IT services are delivered.

258,000,000
Monthly active users as of October 2021
MS FY20 Q1 Earnings call

87.5%
Microsoft's share of the office suite market
CIO Dive, 2020

595,935
Number of American companies using Office 365
Statista, 2020

Microsoft 365 Governance Framework

Balance Risk Reduction Controls With Work Enablement to Achieve Corporate Goals

GOVERNANCE CASCADE

Governance Objectives
At the highest level of abstraction, a governance objective enables a goal.

Corporate Goals

Use Microsoft's governance disciplines to generate your own governance objectives and apply them to the three work enablers.

Example Corporate Goals:

• Increase revenue
• Expand globally
• Cut costs

Priorities
Derived from the interaction between governance objectives and focus areas.

Five Disciplines of Cloud Governance

• Cost Management
  Build out cost control policies.
• Deployment Acceleration
  A standard approach to deployment will speed it up.
• Resource Consistency
  Consistently configure resources to limit risk relating to the instantiation and management of workloads.
• Security Baseline
  Use governance policies to enforce policies across the cloud environment.
• Identity
  Consistently apply identity requirements for optimal security.

Work Enablers

• Productivity
  Creation-focused services that generate portable artifacts.
• Content Management
  Services that allow users to sort and access content.
• Collaboration
  Services that allow users to work together to accomplish corporate goals.

Refined Governance Priorities

Example Refined Governance Priorities:

• Enable access to content based on need
• Leverage integration across the suite
• Use standard templates for collaboration groups
• Make productivity tools available by default

Controls
At the service level, governance principles take the form of specific controls.

Controls

Controls should all map to a broader organizational goal. If you want to implement a control but can't figure out why, reconsider said control.

Ensure that every control cascades down from your overall governance objective, which is important.

Example Controls:

• Limit external sharing
• Prevent users from creating SharePoint sites
• Disable third-party applications in Teams
• Sign out inactive users
• Mark new files as sensitive by default
• Prevent users from syncing OneDrive contents to their desktops
• Control access to SharePoint/OneDrive based on network location