AvePoint Cloud Arcade Office 365 Protection

Why Office 365 Policy Enforcement will Turn You into a Cloud Superhero

SharePoint Online is a major component of Microsoft’s Office 365 platform. OneDrive for Business originated from My Sites, Team Sites have evolved into a place to store files for Office 365 groups, and with next generation portals it’s clear that SharePoint will be an integral part of the Office 365 DNA for many years to come. So when you have a component that’s such a large portion of a business-critical system like Office 365, you don’t doubt its importance, but you wonder:

  • How do I manage SharePoint Online?
  • How will I drive SharePoint Online adoption?
  • How will I do all of this and still go home at a reasonable time?

There is a great myth about the cloud that moving to a hosted offering immediately eliminates the need for your IT and administrative staff. The truth of the matter is the opposite: Many Enterprise IT organizations end up hiring additional administrators to manage the new flood of inquiries, demands, and support needs of the user community.

Where do I start?

It all starts with governance. Governance takes into account international and national policies, industry standards, organization-specific business needs, and other regulatory requirements. A team typically identifies areas where process and order are necessary and can suggest broad controls. However, how those controls are interpreted or enforced in each individual system (SharePoint Online, for example) forms your policies. Policies are practical applications of your organization’s governance mandates to a particular system or process.

In order to effectively and efficiently manage your SharePoint Online environment, the first thing I recommend doing is building a map between governance requirements and functional policies within the platform. Take a look at all of the current workloads in your organization that you’re responsible for and map them to services, settings, and configurations within Office 365. One of the biggest mistakes you can make is using the right tool for the wrong job. Let’s take a look at a few examples:

Workload | Details | Recommended Mapping
Intranet Landing Page | Relevant content (blogs, documents, Yammer posts), corporate newsfeed, company announcements, portal navigation | SharePoint Online
Short-Term Marketing Campaign | Track basic tasks, team e-mail and communication, share and co-author content | Office 365 Groups
Long-Term Project Management | Multiple enterprise projects, resource management, financial management | Project Online
Training Site | Host training slide decks, course syllabi, resource documents, video recordings | Next-Gen Portals (Video, Knowledge Management)
Employee Resources | HR news, company benefit programs | SharePoint Online

Once you’ve mapped your solutions to the relevant service, you’ll not only have set up a great foundation, but also officially begun your road map to policy-driven governance of your Office 365 environment. By associating with a workload or business process first, you now have an understanding of the nature of the content within that work space. Knowing the nature of the content can help you identify its sensitivity, importance, and purpose within the organization. These classifications should be easy to understand at a glance by anyone who interacts with the system and clearly indicate their importance based on (but not limited to) criteria such as:

  • Financial Impact: What is the potential cost of this system becoming unavailable or suffering from a loss of fidelity in its content?
  • Risk: What is the potential impact of this system on other systems?
  • Sensitivity: What is the nature of the content relevant to your organization’s policies? Does it contain personally identifiable information (PII)? Industry secrets?
  • Access: How long does this content need to be accessible? Who should have access to it? What type of interactions can they perform against the content/workspace?

This naturally leads to the next stage: defining policies. Here are some examples based on the above:

Each workload below is listed with its sample classifications (varies based on organization), followed by its sample policies.

Intranet Landing Page: Low-Sensitivity / Medium Business Impact / Bronze Service Level Agreement (SLA)
  • Disable SharePoint Designer
  • Cannot host sensitive content
  • Content approval must be turned on
  • VERY limited use of permission levels above “Read”

Short-Term Marketing Campaign: Mid-Sensitivity / Medium Business Impact / Silver SLA
  • No public groups
  • External sharing disabled
  • No custom templates

Long-Term Project Management: High Sensitivity / High Business Impact / Gold SLA
  • Enable Project Permissions Model
  • External sharing enabled for authenticated users
  • Enable Information Rights Management (IRM)

Training Site: Low-Sensitivity / High Business Impact / Silver SLA
  • Enable content type approval
  • Limit versioning to three

Employee Resources: High-Sensitivity / Medium Business Impact / Silver SLA
  • Exclude all non-full time employees from accessing site
  • Enable IRM
  • Limit to two site collection owners
  • Members of the HR AD group have “Contribute” permissions or higher while all others have “Read”
  • HR Team collaboration is not allowed on this site
  • “All Authenticated Users” cannot be used on this site

As you can see, identifying, documenting, and defining what workloads get what policies is a major project. With all the features in SharePoint alone, the thought of creating a governance document seems daunting, but what about managing the environment afterwards?

Policies Not Paper

Without enforcement, all your documentation and definitions are worthless. Let’s take a look at a few ways to ensure policies are in place and being enforced throughout your environment:

1) Limit Privileged Access: It can be tempting to grant someone contribute permission levels – and even full control at times – just so they can get their job done. While this might make things easier for accessing content, it can jeopardize your company. Be serious about permissions in SharePoint.

2) Master the Admin Center: Microsoft has put a lot of the key controls around external sharing, group management, and license management right at your fingertips. Along with Power BI for reports on what your users are up to, the Office 365 admin center can be pivotal in adoption as well as governance.

3) Get Familiar with PowerShell: Microsoft has created numerous extensions for Office 365 and Azure AD to help better administer and manage your online environment. In addition, some of the improvements to DSC can help you define specific bounds and ideal states which you can enforce or, as Microsoft likes to say, “Make it so.”

4) Think about a Tool: With a solution like AvePoint’s Policy Enforcer, part of our Azure-based Office 365 management offering DocAve Online, you can easily design and automatically enforce policies for SharePoint Online and OneDrive for Business. We have plans to support other components of the Microsoft Cloud – like Azure AD, Project Online, and Yammer – throughout the coming year.
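
The desired-state idea from steps 3 and 4, shown as an added example (not AvePoint's or Microsoft's code): it encodes several sample policies from the table above and reports sites that drift from them. The setting names, the `Test-SitePolicy` function, and the site inventory are constructed for illustration.

```powershell
# Desired state per workload, transcribed from the sample policy table.
# Setting names and values are constructed for this example.
$Policy = @{
    'Short-Term Marketing Campaign' = @(
        @{ Setting = 'ExternalSharing'; Op = 'eq'; Value = 'Disabled' }
        @{ Setting = 'GroupPrivacy';    Op = 'eq'; Value = 'Private' }
    )
    'Long-Term Project Management' = @(
        @{ Setting = 'ExternalSharing'; Op = 'eq'; Value = 'AuthenticatedUsers' }
        @{ Setting = 'IrmEnabled';      Op = 'eq'; Value = $true }
    )
    'Training Site' = @(@{ Setting = 'VersionLimit'; Op = 'le'; Value = 3 })
    'Employee Resources' = @(
        @{ Setting = 'IrmEnabled';            Op = 'eq'; Value = $true }
        @{ Setting = 'OwnerCount';            Op = 'le'; Value = 2 }
        @{ Setting = 'AllAuthenticatedUsers'; Op = 'eq'; Value = $false }
    )
}

function Test-SitePolicy {
    param([Parameter(Mandatory)] $Site, [Parameter(Mandatory)] [hashtable] $Policy)
    if (-not $Site.Workload -or -not $Policy.ContainsKey($Site.Workload)) {
        # A site with no mapped workload has no policy at all: report it.
        return [pscustomobject]@{ Url = $Site.Url; Setting = 'Workload'; Expected = 'mapped workload'; Actual = $Site.Workload }
    }
    foreach ($rule in $Policy[$Site.Workload]) {
        $actual = $Site.Settings[$rule.Setting]
        # Fail closed: a setting the inventory did not report counts as drift.
        $ok = ($null -ne $actual) -and $(switch ($rule.Op) {
            'eq' { $actual -eq $rule.Value }
            'le' { $actual -le $rule.Value }
        })
        if (-not $ok) {
            [pscustomobject]@{ Url = $Site.Url; Setting = $rule.Setting; Expected = "$($rule.Op) $($rule.Value)"
                Actual = $(if ($null -eq $actual) { '(not reported)' } else { $actual }) }
        }
    }
}

# Constructed inventory; a real one would be built from your tenant's site data.
$Sites = @(
    [pscustomobject]@{ Url = 'https://contoso.example/sites/hr'; Workload = 'Employee Resources'
        Settings = @{ IrmEnabled = $true; OwnerCount = 4; AllAuthenticatedUsers = $false } }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/campaign'; Workload = 'Short-Term Marketing Campaign'
        Settings = @{ ExternalSharing = 'Disabled' } }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/training'; Workload = 'Training Site'
        Settings = @{ VersionLimit = 3 } }
)
$Sites | ForEach-Object { Test-SitePolicy -Site $_ -Policy $Policy } | Format-Table -AutoSize
```

The HR site is reported for exceeding the owner limit and the campaign site for a group privacy setting the inventory never reported; the training site passes and produces no row.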

Within Policy Enforcer you can easily define your desired states and configurations.

Then you can focus on tasks like adoption, onboarding new users, upgrades, and more while Policy Enforcer keeps an eye out for you.

What’s Next?

As you plan your journey to the cloud, be sure to check out AvePoint’s Cloud Arcade for more helpful tips on managing, migrating, and protecting Office 365! You can also learn more about Office 365 policy enforcement by watching our on-demand webinar, AvePoint’s Cloud Arcade Presents: Policy-Driven Protection for Office 365.