There are lots of benefits to enabling self-service, but managing Microsoft 365 security and sprawl can take time and effort. Read on for our 5 best practices!
People do their greatest work when they have the freedom to collaborate and create, using the technology available to them in the ways that serve them best. For IT admins who are responsible for the security of their systems and are all too familiar with the risks inherent in a cloud computing environment coupled with the high cost of data breaches, the idea of implementing self-service in Microsoft 365 can feel uncomfortable or even downright dangerous.
But it doesn’t need to be.
This blog is the second in our series on self-service, so if you’re interested in an overview of the benefits and risks of enabling self-service, a more in-depth look into the 3 different methods you can use to manage and secure your environment, or how an automated solution like ShareGate can simplify self-service management for you, check out the other blogs in the series:
- Collaborative governance: The pros and cons of enabling self-service in Microsoft 365
- 3 methods to avoid sprawl and security risks in your Microsoft self-service environment
- How ShareGate can help you manage your Microsoft 365 self-serve environment
If you’re looking for best practices for managing your self-serve environment, then keep on reading!
As an IT leader, you have the power and ability to achieve all the benefits of self-service while keeping it safe and secure. The key to achieving this is smart IT governance.
Table of contents
- What is IT governance?
- 1. Establish policies that protect and enable effective collaborative governance
- 2. Create a shared understanding for end users with regular training and support
- 3. Monitor and audit self-service activity
- 4. Implement robust security controls
- 5. Run regular access reviews in Microsoft 365
- There you have it, everything you need for better IT governance!
What is IT governance?
IT governance is a formal framework that aligns your organization’s IT strategy with its business strategy. It not only provides for greater security but also provides a structure for ensuring that current and future use of technology is controlled and supports the organization’s business needs and strategy.
The details of what constitutes good IT governance will vary depending on your business and the industry you’re operating in. In this article, we cover five best practices for smarter IT governance that apply to any organization interested in leveraging the benefits of self-service in Microsoft 365.
But first, let’s look at some of the benefits to be gained with a collaborative IT governance program implemented with self-service in mind.
All the benefits of self-service without all the risk
Smart IT governance provides a structure that helps you balance your end users’ needs with your organization’s security requirements and allows you to safely unlock all the benefits self-service has to offer, including:
- Improved productivity—Self-service has a lot of benefits for productivity. With regard to support, the faster your end users can find answers and solve their own IT problems, the faster they can get back to work.
- Improved end user satisfaction—End users today expect the same easy-to-use, streamlined services they enjoy with the apps they use in their personal lives in the apps they use at work. The more friction you can eliminate for them when using their Microsoft 365 applications, the happier they (and you) will be.
- Fewer support tickets—When you empower end users to create and manage their own resources, the number of support tickets that end up in your queue will naturally drop.
- Reduced IT costs—Using IT teams to handle support tickets for tasks that could otherwise be done by end users is not only expensive from a staffing perspective, but also in terms of opportunity costs. IT teams serve their highest value to the business when their service delivery is focused on resolving higher-level support tickets that truly require their expertise and when they’re able to work on IT initiatives that move the business forward.
1. Establish policies that protect and enable effective collaborative governance
There are different ways to define collaborative governance, but in the IT context, it is a governance model that, unlike a traditional top-down control of IT systems, focuses on including end users and other stakeholders within the organization in the development of policies needed for good governance.
Effective collaborative governance is consensus-oriented to reduce conflict and facilitate learning. It’s also the only way to create a Microsoft 365 governance plan that makes self-service possible.
Setting up your policies and guardrails
Working with key stakeholders in your organization to understand their different needs will help you develop clear guardrails to ensure they can work with the technologies you provide in ways that ensure their productivity but also protect your Microsoft 365 environment and the data on your network.
Here are a couple of common approaches you should consider when setting up your Microsoft 365 guardrails:
- Managing passwords and configuring access based on the principle of least privilege, which is the practice of restricting access to only those users, applications, and resources necessary to perform legitimate work functions.
- Implementing a Zero Trust security strategy, which requires rigorous and frequent evaluation of users and devices before allowing them to access data or other resources in your network.
There are a number of guardrails that you may need to consider including in your IT governance plan for Microsoft 365. Examples include:
- Using preset security policies that apply recommended settings to protect against spam, malware, and phishing. Note that in addition to preset security policies, Microsoft 365 also allows you to create custom security policies depending on your needs and risks.
- Reviewing the default share settings for SharePoint, Teams, and OneDrive. They may not be appropriate for your organization’s security needs. If this is the case, modify them as needed based on the principle of least privilege.
2. Create a shared understanding for end users with regular training and support
As an IT leader, you can enforce your governance standards by turning features on and off in Microsoft 365 without any explanation to affected end users. But this approach is short-sighted.
In a Microsoft 365 self-service environment, IT governance is a team sport. For example, email is still a common way that attackers try to gain access to networks. This is because everyone in the organization uses email and hackers are getting more sophisticated every day in their attempts to fool users into giving them sensitive information or clicking on malicious links.
Preset security policies configured by IT, combined with ongoing training and regular refreshers on email best practices, remain the best way to thwart these types of attacks.
To the extent that you engage your users to help them understand the importance of security and what they can do to help protect the network from cybersecurity threats, you will have a more secure system.
Remember, no one wants to be that employee, the one that accidentally gave a hacker access to your system. Providing training is the best way to give your users more peace of mind, and Microsoft’s cybersecurity resources are a great place to start.
3. Monitor and audit self-service activity
Monitoring and auditing self-service activity is an important part of ensuring compliance with your IT governance plan. Doing so not only ensures a more secure environment but has other benefits as well.
The ability to better protect sensitive information is one of the top benefits and reasons to keep a close eye on end-user activity. Many employees’ jobs involve the use, sharing, and storing of sensitive information, which makes monitoring their activities critical to ensuring they don’t inadvertently cause a data breach or loss. Monitoring gives you visibility into how they are handling this information and can alert you when they are using unprotected networks and unauthorized cloud storage sites or devices.
Monitoring also gives you the opportunity to help your end users improve their workflows and productivity. By understanding how end users are engaging with their Microsoft 365 applications you can identify potential areas where additional training might help them make better use of different features to be more productive.
Take advantage of the visibility Microsoft 365 reports provide
In the admin center of Microsoft 365, you’ll find a wide variety of reports that offer visibility into your environment and how users are engaging with it. Here are some examples:
- Looking at login reports can reveal excessive failed login attempts, which can indicate a potential security threat that may need to be investigated.
- Reviewing data access reports will show you who is accessing what data and whether they are internal or external to your organization. This is important to ensure your policies for data access and sharing are being followed.
- Monitoring reports on Microsoft Teams and Microsoft 365 group creation can help you avoid data sprawl.
You can also use a third-party solution like ShareGate, the out-of-the-box management solution for Microsoft 365, to give you even more visibility, plus the ability to develop custom reports to meet your organization’s unique needs.
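The first report in the list above, failed sign-ins that may signal an attack, can be checked mechanically once the sign-in log is exported. The following Python is an added example, not code from this article or from ShareGate: it runs a sliding-window failed-login check over a constructed sample whose field names follow the Microsoft Graph sign-in log schema (values, user names and IP addresses are made up), and it also marks users whose burst of failures was followed by a successful sign-in, which is the case to triage first.

```python
from datetime import datetime, timedelta

def rec(ts, upn, ip, code):
    # Field names follow the Microsoft Graph signIns schema; values are constructed.
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample export: errorCode 0 is a successful sign-in, 50126 is the
# Entra "invalid username or password" result.
SIGN_INS = [
    rec("2024-03-04T08:00:05Z", "alice@contoso.example", "203.0.113.10", 50126),
    rec("2024-03-04T08:00:20Z", "alice@contoso.example", "203.0.113.10", 50126),
    rec("2024-03-04T08:00:41Z", "alice@contoso.example", "203.0.113.10", 50126),
    rec("2024-03-04T08:01:03Z", "alice@contoso.example", "203.0.113.10", 50126),
    rec("2024-03-04T08:01:30Z", "alice@contoso.example", "203.0.113.10", 50126),
    rec("2024-03-04T08:02:02Z", "alice@contoso.example", "203.0.113.10", 50126),
    rec("2024-03-04T08:02:40Z", "alice@contoso.example", "203.0.113.10", 0),
    # carol: five failures, but spread over two hours, so not a burst
    rec("2024-03-04T10:00:00Z", "carol@contoso.example", "192.0.2.44", 50126),
    rec("2024-03-04T10:30:00Z", "carol@contoso.example", "192.0.2.44", 50126),
    rec("2024-03-04T11:00:00Z", "carol@contoso.example", "192.0.2.44", 50126),
    rec("2024-03-04T11:30:00Z", "carol@contoso.example", "192.0.2.44", 50126),
    rec("2024-03-04T12:00:00Z", "carol@contoso.example", "192.0.2.44", 50126),
]

def _ts(r):
    return datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_failed_login_bursts(records, threshold=5, window_minutes=10):
    """Return {upn: {"failures", "ips", "success_after_burst"}} for every user
    with >= threshold failed sign-ins inside a sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for r in records:
        by_user.setdefault(r["userPrincipalName"], []).append(r)
    findings = {}
    for upn, recs in by_user.items():
        recent = []  # failures still inside the window, oldest first
        for r in sorted(recs, key=_ts):
            if r["status"]["errorCode"] == 0:
                if upn in findings:  # success after a burst: recovery or a guessed password
                    findings[upn]["success_after_burst"] = True
                continue
            recent = [f for f in recent if _ts(r) - _ts(f) <= window] + [r]
            if len(recent) >= threshold:
                f = findings.setdefault(upn, {"failures": 0, "ips": set(),
                                              "success_after_burst": False})
                f["failures"] = max(f["failures"], len(recent))
                f["ips"].update(x["ipAddress"] for x in recent)
    return findings
```

The threshold and window are tuning choices, not Microsoft defaults; a real export will also carry fields such as the app and client that can narrow the triage.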
4. Implement robust security controls
Self-service is key to getting the most value out of your Microsoft 365 deployment. Implementing robust security controls will help you find the balance between keeping your Microsoft tenant secure and realizing the full benefits a self-service approach has to offer.
On the end user side, self-service means they can use the applications you provide in whatever ways they need to be more productive. On the IT side, your life becomes much easier because you can be confident that the controls needed to keep your Microsoft 365 environment safe are already in place.
Here are some examples of robust security controls that all organizations should consider implementing:
- Use multi-factor authentication (MFA) to provide an extra layer of security against weak passwords and passwords reused across multiple sites. MFA requires a second proof of identity in addition to the password: something you have on your person, such as a smartphone, or something you are, such as a fingerprint. With MFA, even if a password is compromised, it’s unlikely that an attacker will be able to gain access to your Microsoft 365 network.
- Protect all the devices employees use, including both their personal devices and any provided by the organization. Every device connected to your network represents a potential security threat, so ensuring they are properly configured for security is critical. On this note, you may also require that users install Microsoft 365 apps on their personal devices in order to access the network. This will allow them to work more productively and securely across their devices, for example by sending links to files instead of attachments.
- And above all, protect your administrator accounts. These are the keys to the kingdom. Microsoft 365 administrators have elevated privileges which makes these accounts more attractive and susceptible to cyberattacks. Microsoft 365 has eight different admin roles. Ensuring your system has the right number of admins with their accounts properly configured for their different roles based on the principle of least privilege is critical.
How to ensure security and governance are maintained
Microsoft 365 automation tools are your best friend when it comes to keeping your Microsoft 365 environment secure. Microsoft provides a number of tools to help IT administrators monitor and manage compliance within their organizations. Here are a couple of solutions that you might want to explore to automate much of the oversight needed to ensure the security of your Microsoft 365 implementation:
- Microsoft 365 Defender is an endpoint security solution that allows you to view and respond to detected security threats, view and edit security policies, and monitor and manage devices.
- Another is Microsoft Purview, which includes a variety of different solutions focused on data protection.
- ShareGate provides automated solutions for monitoring and managing your Microsoft 365 policies to ensure that your end users can collaborate the way they need to while following the guardrails you’ve put in place.
5. Run regular access reviews in Microsoft 365
When you enable self-service in your Microsoft 365 environment, end users can create and join groups and invite people from external organizations to join and share files with them directly. While this is a core collaboration feature, it also requires regular access reviews to ensure that the right people have access to the right content.
These collaboration features are made possible through Azure Active Directory (AAD). Given this, conducting access reviews for Microsoft 365 requires an Azure premium license.
Note that the access review in AAD just shows you who has access to what. When you conduct your review, you still need to know who should and shouldn’t have access. This means you’ll need to develop some process for keeping up with group owners to get this information.
With ShareGate, you can also review guest access and external sharing. ShareGate will even ask team owners whether those guests and links are still needed, since they’re the ones who know best for their teams. This ensures that you’ll know when a guest’s access or external sharing link should be revoked to keep your system secure. And, it doesn’t require an Azure premium license. Bonus!
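The gap described above, that the access review shows who has access but not whether they should, is usually closed by routing each guest membership to the people who can answer that question. The Python below is an added example, not code from this article or from ShareGate: it takes a constructed snapshot of Microsoft 365 groups (the field names are assumptions; the `#EXT#` marker in a UPN is how Entra names B2B guest accounts), builds a per-owner list of guests to confirm or revoke, flags guests with no sign-in in the last 90 days (an assumed threshold), and separates out ownerless groups, where no one can make the call.

```python
from datetime import datetime

# Constructed snapshot of Microsoft 365 groups. The field names are assumptions
# for illustration; "#EXT#" in a UPN is how Entra names B2B guest accounts.
GROUPS = [
    {"name": "Project Falcon", "owners": ["alice@contoso.example"], "members": [
        {"upn": "alice@contoso.example", "lastSignIn": "2024-03-01"},
        {"upn": "dave_fabrikam.example#EXT#@contoso.onmicrosoft.com", "lastSignIn": "2023-10-15"},
        {"upn": "erin_partner.example#EXT#@contoso.onmicrosoft.com", "lastSignIn": "2024-02-28"},
    ]},
    {"name": "Marketing", "owners": ["bob@contoso.example", "alice@contoso.example"], "members": [
        {"upn": "bob@contoso.example", "lastSignIn": "2024-03-03"},
        {"upn": "frank_vendor.example#EXT#@contoso.onmicrosoft.com", "lastSignIn": None},
    ]},
    # An ownerless group: nobody can answer "is this guest still needed?"
    {"name": "Old Hackathon", "owners": [], "members": [
        {"upn": "gina_x.example#EXT#@contoso.onmicrosoft.com", "lastSignIn": "2023-01-10"},
    ]},
]

def is_guest(upn):
    return "#EXT#" in upn.upper()

def build_review_worklist(groups, today="2024-03-04", stale_days=90):
    """Return (per_owner, orphaned). per_owner maps each owner UPN to the guest
    memberships they must confirm or revoke; orphaned lists groups with no owner
    (guest access there cannot be reviewed until an owner is assigned)."""
    ref = datetime.strptime(today, "%Y-%m-%d")
    per_owner, orphaned = {}, []
    for g in groups:
        items = []
        for m in g["members"]:
            if not is_guest(m["upn"]):
                continue
            last = m["lastSignIn"]
            days = (ref - datetime.strptime(last, "%Y-%m-%d")).days if last else None
            items.append({"group": g["name"], "guest": m["upn"],
                          "days_since_sign_in": days,
                          "stale": days is None or days > stale_days})
        if not g["owners"]:
            orphaned.append(g["name"])
            continue
        for owner in g["owners"]:
            per_owner.setdefault(owner, []).extend(items)
    return per_owner, orphaned
```

A guest who has never signed in is treated as stale, since an invitation that was never redeemed is access nobody is using.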
There you have it, everything you need for better IT governance!
Adopting a self-service mindset and approach to your Microsoft 365 implementation will ensure your organization gets the greatest return on its investment in this powerful productivity suite. However, self-service in Microsoft 365 also requires a plan for IT governance to ensure your system stays safe and secure.
With the tips provided in this article, you’ll be well prepared to develop and implement smarter, more effective IT governance for Microsoft 365 that balances users’ needs with the need for IT security.
However, while implementing IT governance for your Microsoft 365 environment is possible by manually configuring all of your security settings or by building automations in PowerShell or Power Automate, it isn’t easy. Both methods require a significant investment of time and involve a steep learning curve.
ShareGate makes IT governance for Microsoft 365 easy with intuitive, easy-to-use tools purpose-built for a self-service implementation of Microsoft 365. Talk to an expert about how ShareGate can help you manage your Microsoft 365 environment today!