Managing your organization’s permissions and configuration settings is a bit like brushing your teeth – everyone does it, whether they enjoy doing it or not. Also, like brushing teeth, some people tend to be much better at it than others.
While I don’t find teeth brushing particularly interesting, I do find it very interesting to see how organizations manage their permissions and configuration settings. Having worked with organizations of all sizes and across many different industries, I am continually surprised at the amount of effort put into data management. I would expect the organizations with the most critical business processes and the most sensitive data to be the ones that spend the most time and effort supporting those processes and protecting their data, but this is often not the case. In fact, many of the organizations I work with don’t even know where their most critical data is and who has access to it. I think this is an important observation, because it means there are a lot of organizations out there that are exposing themselves to unnecessary cost and high levels of risk.
The problem is even more significant for organizations looking to move to Office 365 – they are creating additional headaches for themselves by not properly controlling permissions and configuration management.
With the continuous evolution of the Microsoft Cloud, an increasing amount of organizations are seeing the benefits of moving their data and business services to Office 365. That said, very few organizations are in a position to move all their data and business services to Office 365 right away. Even if they are, it isn’t practical (nor is it recommended) to move everything all at once. This means that any organization moving to Office 365 needs to be ready to operate a hybrid environment, for at least as long as their transition project, if not longer.
Operating in a hybrid environment means dealing with permissions and configuration management both in Office 365 and on-premises systems. If managed well, this is no big deal. However, it can turn into a huge headache for the organizations that don’t plan ahead.
In my experience, most organizations either underestimate or simply overlook the complexity of operating a hybrid environment and choose, either intentionally or unintentionally, to take what appears to be the easy option and manage Office 365 independently. After all, how hard can it be? It’s only a few users and a couple of sites. Although I’m a big fan of projects that provide the organization with a quick win, this is one of those situations where the long-term cost can quickly outweigh the additional up-front effort required to do it properly. Here’s why:
- As Office 365 adoption increases, the overhead of permissions management will continue to increase as well. You will also find that, despite your best intentions, the permissions you configured perfectly when you first configured Office 365 will erode over time… especially if you use the default set of security roles provided with Office 365.
- Maintaining a consistent configuration between Office 365 and your on-premises systems – in particular SharePoint Server – will provide a better experience for your users as they move back and forth between Office 365 and on-premises SharePoint.
- Managing things twice tends to breed inconsistency, which makes understanding and auditing your permissions more difficult. It also makes automation, governance, and policy enforcement disproportionately more complex, because one set of rules and settings no longer applies to everything.
- The needs of your organization aren’t static, and neither is your data. You need to be agile in terms of reconfiguring business services and restructuring your content as your requirements evolve over time. Having this capability not just on premises or in Office 365 but back and forth between the two environments is a huge advantage that you forgo when things are inconsistent.
So, What Should I do?
Since this blog is about controlling permissions and configuration across hybrid Office 365 deployments, I’m glad you asked. Here are five steps you’ll need to take:
1. Lead With Design
A good design will be, as much as possible, system-agnostic. Regarding permissions management, this means designing and developing a security model that can be applied consistently to both your on-premises systems and Office 365. The industry standard is a Role-Based Access Control (RBAC) system for permissions management that leverages Active Directory (AD) security principals, universal access roles, and system-specific permissions. I also recommend defining and using a standard set of security roles in Office 365 and in your on-premises SharePoint environments.
Similarly, when considering configuration elements, they should be designed and developed from the perspective of making them both easy to use and maintain. They should also be developed based on a common set of standards and implemented in a consistent way. A simple but extremely common example is Office 365 branding. Allowing each team or department to develop their own branding not only duplicates development effort, but also makes the experience of using Office 365 unintuitive for users. Without standards and common elements, it’s also very likely each team will implement their branding inconsistently, making it more difficult to make global changes later.
Spending the time up front to design for permissions and configuration management will create alignment between Office 365 and your on-premises systems, allowing permission and configuration management activities to occur once. Although it likely won’t be perfect, it will be much better than if you let the two systems develop organically.
2. Follow With Enforcement
As important as a forward-thinking design is, it’s only good if you can stick to it. The implementation standards and common elements from your design need to tie into your governance program and be enforceable. This means not just having the rules, but having the ability to find exceptions – the places where your permissions and configuration don’t align with your standards – and being able to proactively remediate them.
Even better is being able to define and enforce policies that prevent your users (and your administrators, who are often the worst culprits) from making prohibited changes in the first place, even if they have the permissions to do so.
3. Consolidate Your Directory Services
In order to provide consistent permissions across a hybrid environment, you need to be working from a single directory service. The good news is that Office 365 uses Azure AD for account management, which can be federated with your on-premises AD using Azure AD Connect. This will provide you with single sign-on (SSO), making it seamless for your users to move back and forth between Office 365 and your on-premises systems.
4. Address Your Dark Data
In terms of potential hybrid Office 365 management headaches, this is a big one. For those of you not familiar with the term “dark data,” it refers to the information assets your organization collects but doesn’t use, usually because you don’t know what they contain. Thinking about it differently, dark data can be identified by asking three questions:
- What are you using it for?
- How long do you need to keep it?
- Does it contain sensitive information?
If the answer to any of these questions is “I don’t know,” then it’s dark data.
Dark data is important because it represents both an unjustified financial cost and an increased risk for your organization. From the perspective of permissions and configuration management, dark data creates uncertainty. Without knowing what it is, you can’t possibly know what to do with it. Specific to this conversation, this means you have no way of knowing whether the permissions and configuration applied to dark data are appropriate or not.
In my experience, dark data is one of the most common barriers to cloud adoption. Many organizations aren’t comfortable moving data to the cloud without knowing what it is. The best way to address your dark data is to roll up your sleeves and start digging. The good news is there are lots of good articles out there about how to do this, as well as discovery and analysis software like AvePoint Compliance Guardian to help you figure out what you have, what to move to Office 365, and what permissions and configuration will be required to support it.
5. Look Ahead to Automation and Self Service
With consistency comes an opportunity to automate and to delegate. This means not doing everything by hand and not doing everything yourself. Providing your users with a self-service interface – such as DocAve Governance Automation – where they can complete some of the high-frequency, low-complexity tasks they usually ask you to do will both free up your time and make your IT Department more responsive.
Developing a good design and addressing your organization’s dark data puts you in a position where you can perform management activities only once. The consistency this provides allows you to implement management tools that can span both Office 365 and on-premises SharePoint, and make a permissions or configuration change once, regardless of whether it happens in Office 365, on premises, or across both.
A single set of governance policies, a single set of transaction logs, and a single management interface makes operating a hybrid environment no big deal. It’ll be as easy as brushing your teeth.
Want to learn more about Office 365 management fundamentals? For our strategy guide to unlocking the full potential of Office 365, be sure to check out AvePoint’s Cloud Arcade. You can also learn more about the topic by viewing our recent webinar, AvePoint’s Cloud Arcade Presents: How to Win the Office 365 Management Game.