ShareGate Apricot automatically collects information from owners about how their team is being used and its level of sensitivity—giving you better visibility enabling you to apply custom-fit governance in Microsoft Teams.
Related reading: IT governance best practices for Microsoft Teams
Freedom and flexibility are at the heart of the Microsoft 365 user experience, with self-service features and collaboration tools like Microsoft Teams transforming the way that we work.
But with more user freedom comes more responsibility for IT. It’s a delicate balance: protecting data in a way that meets your organization’s business and compliance policies, while making sure user productivity isn’t hindered.
The truth is that your governance strategy needs to be flexible, too. Locking everything down is harmful, one-size-fits-all thinking that can negatively impact adoption and result in users turning to other, unapproved tools.
Ideally, policies should be customized according to how each team is being used. With ShareGate Apricot, you can collaborate with owners to categorize teams according to their business purpose and level of sensitivity. That way, you can apply the appropriate controls at the Microsoft 365 group (i.e. individual team) level to ensure your data stays secure.
Try ShareGate Apricot in your tenant for free.
The challenge of managing data at scale
Today, we have almost instant access to a historic amount of data—with enterprises producing a staggering amount, at an ever-increasing pace, each and every day.
And a lot of that data requires protection; according to McAfee’s 2019 Cloud Adoption and Risk Report, nearly a quarter of all files in the cloud contain sensitive data, up 17% over the past two years.
The best way to approach data security is from the perspective of governance. And one of the best ways to approach data security at scale is from the perspective of container governance: security and compliance policies applied at the level of Microsoft teams and Microsoft 365 groups.
The fact is, not all teams (and, by extension, the data within them) are created equal. Effective Teams governance requires targeted application. But that means you need to know where—which is to say, within which teams—your sensitive data lives.
Classify containers to help identify your valuable content
In her ShareGate webinar on how to protect your Teams content, Microsoft MVP Joanne Klein explained that container governance can be broken down into the following best practices:
- Empower employees: Enable self-service site creation and lifecycle management so users don’t turn to shadow IT.
- Identify valuable content: Define a data classification scheme and require classification for containers.
- Protect valuable assets: Put policies in place to control access to sensitive data.
- Ensure accountability: Manage group/team ownership and review external sharing and guest access.
Within the scope of this blog post, we’re going to show you how ShareGate Apricot’s “Group categorization” and “Group sensitivity” features can help you classify and protect sensitive content at the level of each container/team.
Looking for tips on how to define an effective data classification scheme for your organization? We spoke to Microsoft MVP Marc D Anderson about best practices, tips, and tricks to help you get started.
Know why users create new teams
It’s easy for users to create a new team in Microsoft Teams. Unfortunately, it’s also easy for users to ignore the optional Description field:
Users create teams for a number of reasons, some less business-oriented than others. If a team is named “Softball league”, it’s pretty easy to infer what the team will be used for.
But if a team is named “Project Pitch”, the reason of creation is less obvious. In that case, you’re going to need to ask the person who knows best: the owner of that team.
Understand how sensitive the content within each team is
Let’s consider the same “Project Pitch” example shown above: If the user creating the team doesn’t enter anything into the description field, how are you supposed to know—from the title alone—how sensitive the content inside the team will be?
You can now configure built-in sensitivity labels through the Microsoft Information Protection (MIP) solution so they can be applied at level of an individual team. In that case, users will also see an option to apply a sensitivity label when creating a new team in Teams:
However, enabling this feature involves using PowerShell and requires an Azure AD Premium P1 license.
To help you assess whether sensitivity labels in Microsoft 365 are the right fit for your organization, we wrote a blog article comparing MIP unified labeling and ShareGate Apricot’s “Group sensitivity” feature to share what we learned and highlight some key differences between MIP sensitivity labels and ShareGate Apricot’s “Group sensitivity” feature.
If you don’t have Azure AD Premium, or don’t love using PowerShell, then you’re likely going to have a hard time determining how sensitive the content in “Project Pitch” will be using Microsoft’s out-of-the-box solution. Again, you’re going to have to ask the person who knows best: the owner of the team.
Automatically collect information from owners with ShareGate Apricot’s Teams chatbot
Instead of reaching out to each owner manually, activate the ShareGate Apricot bot to ask for this information automatically. A conversational bot integrates seamlessly with users’ existing workflow in Teams, helping reduce friction and context-switching to keep productivity at its highest possible level.
Here’s how it works: When ShareGate Apricot detects a new Microsoft 365 group, our chatbot automatically contacts the owner via direct message in Teams and asks them for its reason of creation and level of sensitivity.
To make it easy for owners to make a decision, the bot presents them with pre-defined “Group purpose” and “Group sensitivity” options to choose between—then relates their selections back to you.
Activating the ShareGate Apricot Teams bot
In the ShareGate Apricot UI, click on Settings, then select the Categorization tab from the left-hand navigation. Slide the toggle next to Microsoft Teams chatbot to the right.
Note: ShareGate Apricot comes pre-populated with a default list of ‘”Group purpose'” and “Group sensitivity” categories based on some of the most common reasons users create teams. If you want to edit or add to these categories, you can do so in the Group purpose and Group sensitivity sections underneath the chatbot slider.
Once activated, the Teams bot will be installed automatically for any user the app needs to contact.
Group categorization: Use case
Let’s say John Greene decides to create a new team for members of the office softball league—the team called “Project Pitch” mentioned above.
Shortly after the new team is created, the ShareGate Apricot bot reaches out to John via chat conversation in Teams:
The chatbot asks him to define the purpose and sensitivity of his new team and presents him with pre-populated options to choose from.
We built a default list of “Group purpose” categories based on some of the most common reasons users create teams—but you can edit or add to these options in ShareGate Apricot’s Settings tab based on the needs of your organization.
- Department: Used for an ongoing project or collaboration between employees who are part of a specific department (i.e. marketing or HR).
- External project: Used for projects that involve collaboration with people outside the organization (i.e. collaboration with an external vendor).
- Internal project: Used for projects that involve collaboration with people inside the organization (i.e. implementation of a new system).
- Office location: Used to gather employees working in different geographic locations (i.e. New York office)
- Particular topic: Used to communicate and collaborate on specific initiatives or topics (i.e. planning the holiday party).
Each category also includes a description. If John is unsure which option to choose, he can click on the ? next to a category to read its description. In this case, the Particular topic option makes the most sense.
Once John clicks Select, our bot confirms his decision in their chat conversation, then moves on to asking about level of sensitivity.
To help you get started, we’ve created the following default group sensitivity labels, which you can add to, modify, or even delete if you choose to:
- General: Sets the group/team to public, allows external sharing with anyone, and enables guest access
- Confidential: Sets the group/team to private, only allows external sharing with new and existing guests, and disables guest access
- Highly confidential: Sets the group/team to private and disables external sharing and guest access
As with group purpose, if John is unsure which option to choose, he can click on the ? next to a category to read its description. In the case of John’s team for an office softball league, the General option makes the most sense.
But, let’s imagine for a moment that John’s new team, “Project Pitch”, isn’t for the office softball league. Let’s say he created the team in order to collaborate with several colleagues on pitch ideas for an upcoming project.
When he created this Project Pitch team, he made it public. And when the ShareGate Apricot chatbot first reached out to him about his new team’s purpose, he still selected “Particular topic” like in the example above (that could still technically be true).
But now, when the chatbot asks him about the level of sensitivity of his new team, he reads through the different options and their descriptions and decides the Confidential option makes the most sense—he only needs to collaborate with colleagues (no need for guests) and he wants the group to be private since their team will be going up against other employees with their pitch.
Once John clicks Select next to a group sensitivity option, the ShareGate Apricot chatbot confirms his selection and informs him of the corresponding security settings that will automatically be applied to his team.
In this example, since the “Confidential” group sensitivity doesn’t allow guests, he is told that any current guests will be removed from the team. Additionally, his team will be changed from public to private and the sharing settings will be adjusted.
Once John has made his group purpose and group sensitivity selections, ShareGate Apricot relates that information back to you in ShareGate Apricot.
Organize your teams by purpose and sensitivity for custom-fit container governance
On your end, in ShareGate Apricot, click on the Groups tab to see a list of all your teams and Microsoft 365 groups. The group purpose and group sensitivity options he selected are now visible in the “Purpose” and “Sensitivity” columns next to his “Project Pitch” team:
You can also manually assign a group purpose and/or group sensitivity category by selecting a team from the list, then clicking on Choose a group sensitivity (to assign a group sensitivity) or No purpose (to assign a group purpose).
Or, you can overwrite a selection made earlier by an owner by selecting a team, then clicking on either the assigned group sensitivity or group purpose.
In the example of John’s new team, you would click on Confidential (to change the assigned group sensitivity) or Particular topic (to change the assigned group purpose). Then, simply choose the category you’d like to apply from one of the categories presented in the drop-down list. In this case, let’s say you think “Highly confidential” is a better categorization for this team.
Once you’ve confirmed your choice, the new categorization automatically applies the corresponding security settings to the team. And, the new group sensitivity label appears next to the team name in the Groups tab, where you can organize and filter all your teams by business purpose and group sensitivity.
Next up: Protect your valuable assets with custom governance policies
Understanding how users collaborate in Teams—and how sensitive the content within each of those teams is—marks the first step towards customizing your governance policies. If you know where your sensitive data lives and what users are doing with it, you can automatically apply customized governance policies to ensure it stays secure.
We’re now in the process of building new capabilities for the next ShareGate Apricot release that will enable you to set custom policies based on a team’s assigned group purpose and group sensitivity.
For example, you’ll be able to schedule external sharing reviews for owners according to a team’s level of sensitivity. You’ll also be able to define different inactivity thresholds based on a team’s assigned purpose.
From identifying valuable content to uncovering inactive and ownerless teams, our easy-to-use governance tools provide better visibility across the entire lifecycle—from creation all the way through to archival.
ShareGate Apricot is easy to setup and even easier to manage—no clunky interface, no coding, and no Azure AD premium subscription required.
If you’re a ShareGate Desktop customer, then we have great news! Your subscription now gives you full access to ShareGate Apricot at no extra charge! Activate your ShareGate Apricot account by signing in here. Make sure to have your ShareGate Desktop license key handy—you’ll need it complete your activation.