The number of services end-users have under their fingertips in Office 365 has been dramatically growing, and there are just a minimum number of hurdles stopping end-users to go completely wild with all these options. This means the amount of digital data that is being stored in Office 365 and company processes that touch Office 365, has been ever-increasing and organizations and IT professionals are struggling to keep up to govern the data. In this session, we are going to dig deep in order to discuss best practices for governing such a system, what are some of the typical use cases and scenarios and typical pitfalls with governance. We are going to review what kind of reports and tools are available at our disposal as part of the built-in Office 365 offering, and when to use the programmable approach to automate governance.

1. Toni Frankola
Governance in the Modern
Workplace: SharePoint,
OneDrive, Groups, Teams,
Flows, and PowerApps

2. • More than 20 years experience in IT
• SharePoint / Office 365 MVP 2010-2019
• With SharePoint since 2003.
Toni Frankola
Co-founder and CEO
SysKit Ltd., Croatia

3. SharePoint On-prem, Hybrid
and Office 365 Solutions
SysKit Ltd.
SysKit is a software development company
based in Zagreb, Croatia, Europe founded
in 2009. ​
We create innovative software solutions for
SharePoint and Office 365 admins and
consultants.

5. Governance is the set of policies, roles, responsibilities, and processes that control how
an organization's business divisions and IT teams work together to achieve its goals.
What is Office 365 Governance?

6. How do we manage Office 365
• Via the Admin Center(s)
• PowerShell
• Exchange Online
• SharePoint Online
• Microsoft Teams
• Azure AD (Groups)
• Power platform (PowerApps / Flow)

7. Office 365 Groups

9. Office 365
Groups
Outlook
Yammer
SharePoint
Microsoft
Teams
StaffHub
Planner
PowerBI
Power
Platform
Power
Apps
Flow

10. 8 ways to create Office 365 groups
Source: sharepointeurope.com

11. Office 365 Groups
• The foundation that allows you to manage security
• Reduces the need for „Shadow IT”

12. Dangers of Office 365 group sprawl
• In the effort to stop the „Shadow IT” we can easily encounter sprawl
• Key steps:
• Control who can create Office 365 Groups
• Group soft delete and restore (30 days)
• Group naming policy
• Group expiration policy
• Group guest access
• Group policies & information protection
• Upgrade traditional collaboration tools
• Groups reporting

13. Restrict Groups creation
• Creation of groups can be restricted to a members of a particular security group
• Configured via PowerShell
• Pros: Prevents group sprawl
• Cons: Increases the burden on the limited number of people and prevents O365 usage
• Caveats:
• Certain administrator roles exempt from this rule
• Exchange, Partner Support, Directory Writers, SharePoint, Teams, User Mngt.
 Azure AD Premium Licenses required for „group creators”
• No special license is required for users that will NOT be creating groups

14. Control who can create Office 365 Groups – Best Practices
• Start with self-service if anyhow possible
• Make sure your internal policies documented and in-place
• Revisit this as you go
• Three modes of operation: Open, IT-Led, Controlled
• Tightly controlled group creation can decrease productivity as many services require Office
365 groups

15. Restrict Groups Creation
Demo

16. Office 365 Groups naming policy
• Sometimes inconsistent naming can cause a lot of governance issues
• OOTB naming policy can leviate some of those issues
• Easier categorization or identifiy purpouse
• Block certain words (important because each group gets and email address e.g
billg@microsoft.com)
• To use the Groups naming policy feature, the following people need an Azure Active
Directory Premium P1 license or Azure AD Basic EDU license:
• Everyone who is a member of the group.
• The person who creates the group.
• The admin who creates the Groups naming policy

17. Group naming policies
Demo

18. Office 365 Group Expiration Policy
• Can be setup as an internal process so owners have to „renew” the group
• Helps clear the groups that are no longer being used like:
• Projects that finished
• Departments that merged
• Staled groups
• Group expiration is an Azure Active Directory (Azure AD) Premium feature

19. Group expiration policies
Demo

20. Orphaned Groups
• When group owner leave the company, group becomes orphan i.e. without owner
• Group can still be used, content is not lost
• Administrator should assign someone else as owner
• Best practice always have more than one owner at anytime

21. How do I find „orphaned” groups
Sample:
$Groups = Get-UnifiedGroup | Where-Object {([array](Get-UnifiedGroupLinks -
Identity $_.Id -LinkType Owners)).Count -eq 0}
$Groups | Select Id, DisplayName, ManagedBy, WhenCreated
ForEach ($G in $Groups) {
Write-Host "Warning! The following group has no owner:" $G.DisplayName
}

22. External / Guest users
• By default, guest (external) access is turned on
• An external user is someone from outside your Office 365 subscription to whom you have
given access to one or more sites, files, or folders. An Authenticated external user is
a user who have a Microsoft account or a work or school account from another Office
365 subscription.
• Can be turned off for entire org, or individual sites
• Plan external sharing ahead
• It's important that all group members have permission to access the team site

23. External users authorization
• Three basic authorization levels for shared items:
(may wary depending on the object type being shared)
• Sign-in with an account
• Sign-in with code
• Anonymous

24. Manage guest access to Office 365 Groups
• Controlled by underlaying
SharePoint Online settings
• OneDrive can be more restrictive
• You can control it for individual
sites (more restrictive)
• SharePoint site
• OneDrive site

25. External Sharing
Demo

26. How do I find all these external sharings
• Audit Log
• Warning: Data retention and content overflow
• eDiscovery
• Warning: Licenses
• PowerShell
• Get-SPOExternalUser
• 3rd party tools

27. Groups Governance additional steps
• Organizational-wide teams
• Dynamic Memberships of AD Groups (e.g. based on department)
• Azure AD Premium feature
• Group classification
• Groups hidden from GAL
• Define usage guidelines
• Azure Information Protection
• Access Reviews
• Groups with secret membership

28. SharePoint

29. SharePoint
• The most of governance for SharePoint online depends on the underlaying group
• There are some specifics…

30. Permissions explained

31. External users (Applies to OneDrive too)

32. SharePoint / OneDrive per site external sharing settings
• Individiaul security settings can be configured per individual OneDrive or SharePoint

33. OneD riv e / Sha rePo int p er sit e ext erna l user set t ing s
Demo

34. Modernize SharePoint Online sites
1. Run the SharePoint modernization scanner to detect those sites
2. Connect to a SharePoint group
 Not available for some templates
3. Remove non-supported customizations on web-part and wiki pages
• Check SharePoint Modernization Framework PnP

35. OneDrive

36. External Users
(see SharePoint slides)

37. OneDrive default size and PowerShell repor ts
Demo

38. OneDrive Limited Access
For OneDrive Using these settings you can:
• Block downloading files in the apps
• Block taking screenshots in the Android apps
• Block copying files and content within files
• Block printing files in the apps
• Block backing up app data
• Require an app passcode
• Block opening OneDrive and SharePoint files in other apps
• Encrypt app data when the device is locked
• Require Office 365 sign-in each time the app is opened
• Choose values for how often to verify user access and when to wipe app data when a
device is offline.

39. Microsoft Teams

40. Office 365 Groups and Teams Activity Report
• Activity in Group mailbox
• Activity in SharePoint site
• Activity in the Teams chat
• Script by Tony Redmond Office 365 Groups and Teams Activity Report

41. Office 365 Groups and Teams Activity Repor t
Demo

42. PowerApps / Flow

43. The landscape

44. Environments
• Microsoft PowerApps Environment Admin, Office 365 Global Admin, or Azure Active
Directory Tenant Admin, who needs to have a Plan2 license for PowerApps and/or Flow.
• Use the Admin Cetner to control them
• Use PowerShell
Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount
Get-AdminPowerAppEnvironment | Format-Table -Property EnvironmentName,
DisplayName, CreatedBy, Location

45. Po wer Pla t fo rm Ad min UI
Demo

46. Connectors

47. Retrieve connectors
$allApps=Get-AdminPowerApp | Where-Object{$_.EnvironmentName-
eq$envname} | SELECT AppName,CreatedTime,EnvironmentName
foreach($app in $allApps) {
$app.AppName
Write-Output"=========="
Get-AdminPowerAppConnectionReferences-EnvironmentName $envname-
AppName $app.AppName | SELECT
ConnectorName,ConnectorId,DisplayName,Publisher
}

48. List of connectors

49. Audit Log

50. Audit Log
• Easily forgotten but the key tool to govern your Office 365
• Audit log search feature comes handy as it allows you to search for following event types:
• Admin activity in SharePoint Online
• Admin activity in Azure Active Directory (the directory service for Office 365)
• Admin activity in Exchange Online (Exchange admin audit logging)
• User and admin activity in Sway
• eDiscovery activities in the Office 365 Security & Compliance Center
• User and admin activity in Power BI
• User and admin activity in Microsoft Teams
• User and admin activity in Dynamics 365
• User and admin activity in Yammer
• User and admin activity in Microsoft Flow
• User and admin activity in Microsoft Stream

51. Audit Log (2)
• Audit logging is not turned on by default so configure it in advance
• Retention:
• Office 365 E3: Audit records are retained for 90 days. That means you can search the
audit log for activities that were performed within the last 90 days.
• Office 365 E5: Audit records are also retained for 90 days. Retaining audit records for
one year may eventually be available for E5 users and users with an E3 license and an
Office 365 Advanced Compliance add-on license.
• The private preview program for the one-year retention period for audit records for
E5 organizations (or for users in E3 + ACL)

52. Audit Log Tools
• Search and Compliance Center
• PowerShell (Exchange module)

53. Aud it Lo g To o ls
Demo

54. BINGO CARDS
• WEBCON – has the bingo cards, visit them to play
• Bingo Cards = how you win prizes at the end of the event.
• The cards must be stamped by ALL the Sponsors in order to be eligible to win.
• For the grand prizes you must have opted-in when registering.
• Must be here to win at the end of the day.
Another Surface Go Xbox One S
Tons of prizes .. Socks, buttons, bags, echo dots, gift cards, plural sight, gaming monitor, Bluetooth

55. EVALUATIONS
• Speaker Evaluations
• located at the front of the room
• Will be read by the org and then sent to speakers
• Be honest and constructive
• Turn in 6th floor info desk
• Event Evaluations
• Visit the 6th floor info desk
• Give us your honest feedback – we can take it
• Turn in 6th floor info desk

56. THANK YOU
EVENT SPONSORS
We appreciated you supporting the
New York SharePoint Community!
• Diamond, Platinum, Gold, & Silver have
tables scattered throughout
• Please visit them and inquire about their
products & services
• To be eligible for prizes make sure to get
your bingo card stamped by ALL sponsors
• Raffle at the end of the day and you must
be present to win!

57. Beer Authority
300 W 40h St
[across the street]
Join us for a round of drinks
http://www.beerauthoritynyc.com

58. Q&A