Microsoft MVP Vlad Catrinescu (@vladcatrinescu) provides actionable advice for keeping your Microsoft 365 environment under control while enabling self-service to meet your end users’ needs.
The world of Microsoft has evolved to embrace a self-service culture, but even though the concept of self-service has grown in popularity, it remains a touchy subject. Industry-hardened IT admins probably have a few bad memories associated with self-serve when SharePoint was on-prem.
With the move to the cloud and new Microsoft 365 tools, self-serve is the clear path forward. According to Microsoft MVP Vlad Catrinescu, the optimal solution is to control when required and empower when not.
Having guardrails in place when required gives end users the flexibility to collaborate without hassle. At the same time, IT admins can rest easy knowing things are under control.
To explain how this would work, Vlad joined us for our Pass the Mic webinar session. In this recap article, we summarize some of his key points about striking the right balance between IT control and allowing users to work how they want.
Watch the webinar or read through our recap of Vlad’s key points and Q&A from the webinar.
Table of contents
History of self-serve in the Microsoft ecosystem
Before the rise of the cloud, most IT admins were accustomed to self-serve in a SharePoint on-premises environment. Of course, some are still in this position or are in the middle of their migration process.
Whatever the case, the history of self-serve in an on-premises environment hasn’t been ideal. Mostly, this is because users that were given controls with SharePoint on-premises didn’t know what to do with it.
End users unexpectedly changed the environment and opened helpdesk tickets involving IT to solve problems.
On the other hand, IT admins who constantly saw self-serve as the reason for most of these problems became anti-self-serve, taking control away from end-users.
But with the rise of Microsoft 365, things are different for the better this time around.
-Helpdesk requests for new sites
-Site templates used
-Not connected to other resources
-Microsoft 365 group-powered
Today, with Microsoft 365, users don’t have to rely entirely on IT. Everyone can create things like groups and teams without getting bogged down on back-and-forth approval from IT. And in turn, IT teams don’t have to answer an overflow of end-user tickets that end users could quickly solve.
Vlad sums it up perfectly:
But how are we sure that self-serve works this time around?
To start with, know that no magic button can solve this problem. But, the technology is at a point where if you can implement the right policies, it can work. Think about balance when thinking about self-serve in Microsoft 365.
Start by imagining what it will take to find the perfect balance between IT and users. “Control when required – empower when not” should be the mantra for enabling self-serve in Microsoft 365.
What Microsoft 365 tools do we have to achieve balance?
To understand the tools you’ll need, starting with groups is a good idea. And in the context of managing groups, you’ll need to understand the stages of the group lifecycle:
Each stage of the group lifecycle has its own set of challenges and will require tools to help you find the balance between keeping your tenant under control and realizing the full benefits of a self-service approach has to offer.
Stage 1: Creation
Consider the following five key aspects for effective self-service governance at the creation stage.
Who can create Microsoft 365 groups?
Any user can create a Microsoft 365 group—unless you’ve decided to manage Microsoft 365 Groups creation by limiting who can create a group.
You can configure Microsoft 365 to only allow certain people within the organization and each department to have group creation capabilities.
You might be asking yourself, who in my organization should have group creation privilege, and how do we decide?
That would be an internal decision and varies from organization to organization. But generally, the following kinds of team members are good to go:
- Full-time staff
- Only users who passed a certain training
- Only select people from each department
Overall, having internal policies to lay a foundation on who can create groups helps empower end users to manage the Microsoft 365 environment themselves without overreliance on IT.
Another great way to keep things organized when handing over control to end users is to have a naming policy in place. By putting labels that associate identification traits such as country, department, user name, etc., to the name of the group, things stay organized.
For example, say John from HR wants to create a group. The name he wants to give to the group is ‘Project Alpha’. Once he types that down, the naming policies will automatically attach specific labels along with the name. The name of the group will look something like “GRP-Canada_Project Alpha_HR”.
This helps other team members know that the group Project Alpha was created by John from HR, who lives in Canada.
Setting naming policies can help give IT peace of mind knowing end users can’t create groups without the proper context. Questions like “Who created this group?” or “Why was this group created” disappear.
Besides naming conventions, your organization can even set a blocked words policy to ensure end users can’t use specific keywords when creating group names.
For example, you can create a policy prohibiting users from using the words ‘CEO,’ ‘Payroll,’ ‘legal,’ etc., in group names.
With team templates, you have a lot of room to play around according to your specific needs. For starters, IT admins can decide which templates are shown to users and have different options based on each user.
ShareGate goes further with customizable provisioning Teams templates where end users can create what they need following the guardrails you put in place for them:
- Add a naming convention
- Select a minimum number of owners
- Choose public or private
- Apply sensitivity tags and purpose tags
- Pre-set channels
Sensitivity labels are great for IT admins to clarify what information is sensitive and what isn’t before letting users play around in the environment. They help to guide users on privacy.
Labels such as ‘Highly confidential,’ ‘For C-suites only,’ ‘Internal only,’ and ‘HR only’ can help guide users on privacy and communicate who can access certain kinds of data.
ShareGate lets you create a range of purpose and sensitivity tags to suit your needs, edit and maintain existing tags, and monitor how they’re being applied—all in one central location.
Stage 2: During the life of the group
After the group is created, there are still issues that can crop up if the proper measures aren’t in place from the get-go, such as:
- Users might create groups that aren’t required after a certain period
- A team member might leave the company, resulting in an ownerless group
- A team member might be inactive because his/her task was completed and is unnecessarily present there now
Whatever the case, such scenarios can hinder the organization’s ability to have an effective self-serve environment.
Keeping reading for Vlad’s recommendations on how to counteract issues during this stage.
Azure Active Directory access reviews
Azure Active Directory allows you to proactively engage owners to check if everyone on the team still needs access.
Imagine you’re the team owner, and every month you get a notification saying, “Hey, this is everyone who’s part of the team. Should these X people still be in the team because they haven’t been active in quite a while?”
Because of the notification, the owner can check why some users aren’t active anymore. It could be a reason as simple as the project is done with or that a specific user’s part was completed.
The point is, the owners of the team know more about the users in them than anyone else. And by enabling Azure Active Directory access reviews, teams can stay updated with only members actively working in them by following up with owners about this kind of information.
Microsoft 365 group expiration policy
Group expiration policies help you to automatically tackle inactive teams without any active involvement by letting the owners take care of their own groups.
It works with IT setting a certain number of days (say 180), after which all groups should automatically be deleted.
To make sure no group is accidentally deleted, the following aspects help:
- Active groups are automatically renewed and are not deleted.
- Owners of the groups are notified to renew the groups 30, 15, and 1 day before expiration.
- The group can be restored within 30 days of deletion in case of issues such as the owner forgetting to renew the group, the team later realizing the group is important, etc.
Microsoft 365 ownerless group policy
Team members leaving is a regular occurrence. One by-product of this is groups becoming ownerless if the team member who left was an owner of the group. So, in such a situation, what happens?
Well, if a group becomes ownerless, Microsoft automatically checks who the most active member in that group is. That member gets a notification and is asked if they want to take ownership of the group.
You can configure policies and define how your Microsoft 365 environment should react in such a situation. You can set the number of active members who should be notified, who should receive ownership notifications, etc.
Stay on top of Microsoft Teams lifecycle management
Despite having all of these Microsoft out-of-the-box tools to help you with lifecycle management, it’s still not easy to get a bird’s eye view of your entire environment.
ShareGate helps with this by providing complete visibility, from creation to sunset, in one central location. And by doing the heavy lifting for you.
- Get visibility across your tenant in one central location
- Create governance policies based on real data
- Automate external sharing reviews and guest access management
- Automatically identify inactive and ownerless teams
- Collaborate with owners to keep Teams organized
Stage 3: After the team/group has served its purpose
What are some efficient ways to get rid of groups once they’ve served their purpose? Let’s take a look at some of Microsoft’s OOB tools.
Deleting a team/group
The easiest way is to delete the team or group, which the owners can do. Once done, you’ll have 30 days to restore the Microsoft 365 group. The things that are deleted when you delete a group or team include:
If you’re unsure whether the contents of the teams or groups might be required in the future, you can opt for archiving instead of deleting. This helps retain all the team’s contents for knowledge purposes.
A few aspects related to archiving include:
- All activity within the team ceases once archived
- You can still add or remove members
- You can still view files and chats
- Although this is optional, but you can also make the SharePoint site read-only for team members.
- The Team owner can restore the team
All archived teams can be viewed directly by going to ‘Manage Teams view.’
Retention policies in Microsoft 365 handle groups that are no longer needed and help you to more effectively manage the information in your organization. The policies work with:
- SharePoint Online
- OneDrive for Business
- Microsoft Teams
- Microsoft 365 groups
ShareGate’s automated inactivity detection policy
ShareGate automatically finds inactive teams in your tenant, so you don’t have to. And it can ask the right people to take action on them, saving your IT time. You can keep, archive, or delete inactive teams yourself or notify the owners to act on them.
Managing your self-service Microsoft 365 environment
Focus on the bigger picture: Having guardrails in place when self-service is enabled in your organization.
Incorporating end-user training, naming policies, expiration policies, data policies, and automation should work in unison to help you maintain a balanced environment.
Microsoft 365 offers great features for facilitating collaboration among end users, but managing it is no easy feat.
Get the Modern Workplace Checklist: We created this checklist in collaboration with Microsoft MVP Vlad Catrinescu. In it, you’ll get concrete steps to help you manage your digital workplace and tips to increase end-user collaboration without negatively impacting security.
As a quick refresher, let’s go over some of the points in the recap article.
- For self-service to work in Microsoft 365, it’s important to strike a balance between end-user freedom and IT control. To pull this off, you need to put guardrails in place to mitigate sprawl and security risks, and encourage end-user adoption.
- ‘Groups’ are an essential concept in Microsoft 365. They’re tied to the tools you’ll need to empower users while staying in control.
- The group lifecycle (i.e., creation, during the life of the group, end-of-life) is an important concept when trying to achieve balance between end users and IT, and different tools can help at each stage.
About the expert
Vlad Catrinescu is a Microsoft MVP, MCT Regional Lead, and Microsoft 365 consultant. An IT professional at heart, Vlad focuses on helping administrators deploy, manage, automate, and configure governance across services such as SharePoint, OneDrive for Business, and Teams. To learn more, visit: vladtalkstech.com
When identifying activity within a group or team, how is that defined?
Good question! Groups that are actively in use are renewed automatically 35 days before the group expires. But overall, according to Microsoft, here are all of the activities and how they’re defined:
- SharePoint – View, edit, download, move, share, or upload files. (Viewing a SharePoint page does not count as an action for automatic renewal.)
- Outlook – Join or edit group, read or write group message from the group, and like a message (Outlook on the web).
- Teams – Visit a teams channel.
- Yammer – View a post within a Yammer community or an interactive email in Outlook.
- Forms – View, create, or edit forms, or submit a response to a form.
Can naming policies be applied conditionally?
Blocked words and naming policies will not apply to admins. As for the content of the naming policy, you can use the department, company, office, state or province, or country or region. So, it will apply depending on the user who creates it.
When I delete a team, does the associated SharePoint site get deleted?
When you delete a team, all the SharePoint sites associated with that team will get deleted.
If you delete a standard channel, your files will still be accessible in the hosted folder. When you delete a shared or private channel, so does the whole site collection.