In this release, as part of ShareGate’s Team security solutions, we’ve made it possible for you to easily manage and adapt your organization’s governance policies based on a team or Microsoft 365 group’s business purpose and level of sensitivity.
Users create Microsoft teams for all sorts of reasons, and the level of risk each team poses to an organization depends on the type of information that’s shared within it. Since no team or Microsoft 365 group is created equal, why should the governance policies applied to them all be the same?
Ideally, you want to be able to give maximum freedom to lower risk groups to drive adoption while enforcing stricter rules of engagement for higher risk groups to protect your organization.
It’s probably not such a big deal if Laura shares her favorite recipes with the external ad agency. But if you put strict restrictions that don’t allow her to do that, she could start using a third-party tool to communicate with external people. On the other hand, you’d want to make sure that there are stricter rules set for Jenny’s “Compensation review” team since they discuss and share employee information.
At the same time, you want to make sure that short-lived teams are cleaned up once they’ve served their purpose. That way, you avoid having a growing number of inactive groups accumulating in your tenant, which can get quite messy.
So, how can you find the right balance when setting a team’s governance policies between implementing policies that are too strict, which can lead to shadow IT, and policies that are not strict enough, which can lead to sprawl and sensitive information getting into the wrong hands?
Microsoft’s out-of-the-box solutions don’t allow for this kind of customization. The Microsoft 365 governance policies are one-size-fits-all. And even if you had an Azure AD Premium license or wanted to venture into writing a PowerShell script, there isn’t a straightforward way of customizing your governance policies. That’s the problem we aim to tackle with our latest release.
Introducing ‘Custom governance policies’ in ShareGate
At ShareGate, we want to help you set custom governance policies based on the purpose of each team and the risk it poses to your business.
That’s why we’re excited to launch custom governance policies in ShareGate. This new feature allows you to easily customize and manage two policies: inactive group detection and external sharing review, based on a team’s purpose and sensitivity.
In this release:
Clean up inactive teams based on their purpose in ShareGate
You can now customize your inactive group detection policy by setting the number of days after which a team is automatically deemed inactive based on its business purpose. This allows you to clean up short-lived groups more frequently and keep your tenant more organized for everybody.
You’d want to set a shorter inactivity threshold for time-based projects because once the project is finished, the team will have served its purpose and become idle. By cleaning it up quickly, you avoid having too many inactive time- and project-based teams piling up in your environment, creating clutter.
For example, you might want to set a 30-day threshold for teams that have External project as their purpose, like Laura’s “Earth Day Ad” team. This means that ShareGate will look for user-generated activities in Teams, SharePoint, and Outlook, and if none is detected for 30 days, ShareGate will flag the team as inactive. At that point, you’ll have the option to either keep, archive, or delete the team. And if you’ve entrusted Laura with her team, she’ll also be notified, either by email or via the ShareGate chatbot, to make that decision herself.
On the other hand, teams that you know are used for a long time, like those based around Departments or Office locations, would benefit from a longer wait time before being marked as inactive. This would reduce the frequency at which you and the owner are nudged to act on the team, something we’re sure everyone would appreciate!
How it works
Whether you used the default ‘Group purpose’ categories we set up or have created your own, you will be able to set a customized inactivity threshold, in days, for each purpose tag.
You can edit the inactivity threshold based on group purpose.
We understand that all of your teams may not yet have a purpose assigned to them, which is why for those teams, the default inactivity detection policy that you’ve set will be applied.
You can set a default inactivity detection policy for teams without a purpose.
Set the frequency of external sharing reviews based on a team’s sensitivity
Now you might be thinking, and what about group sensitivity? How can you use that information to customize a policy? That’s where our external sharing review policy comes into play.
It gives IT admins visibility into the links of every file that’s shared externally by each team. And team owners are asked to review the validity of those files periodically to avoid your organization’s data falling into the wrong hands.
By combining our group sensitivity feature with the external sharing review policy, you can customize the frequency at which team owners are asked to review externally shared links, based on their team’s sensitivity level. It reduces the risk of exposing sensitive data to external people who should no longer have access to it. Sounds great! But what does that mean?
It means that you can set your policy so that owners of higher-risk groups can be asked to review their links more frequently than those of lower-risk groups.
Let’s take Jenny’s “Compensation review” team for example. Since it involves discussing and sharing employee details and salaries with an external consultant, you’d want to make sure she reviews the validity of externally shared links frequently, let’s say every 30 days. That way, owners of teams sharing more sensitive information are asked more often to remove links to files that no longer need to be shared, lowering the risk that those shared links could pose to the business should they fall into the wrong hands.
Whereas for Laura’s “Earth Day Ad” team, which contains data that poses less of a security risk to the business, you might want to set the review recurrence to every 90 days. Customizing how frequently links are reviewed based on each team’s level of sensitivity helps ensure the safety of your organization’s data.
How it works
Whether you used the default ‘Group sensitivity’ labels we set up or have created your own, you will be able to set a customized external sharing review recurrence, in days, for each sensitivity tag.
We understand that all of your teams may not have a group sensitivity label assigned to them yet, which is why for those teams, the default external sharing review policy that you have set will be applied.
Note: This doesn’t apply to group sensitivity labels that only allow users to share links within the organization.
You can set a default occurrence for external sharing reviews for teams without a sensitivity.
Coming soon: Simpler way of collaborating with your owners using the chatbot
We know you might not always have the answers needed to make the right decisions about the organization and security of your Teams. Luckily, team and group owners usually have most of those answers.
Our next feature will focus on making it easier for you to identify and individually contact owners of specific teams and groups, both new and current ones, for any missing information in relation to any of the ShareGate governance policies. This on-demand collaboration with owners will allow you to confirm or obtain missing information about a particular team or group to better understand why it’s been created, how it’s being used or how much of a risk it poses to the organization.
We’re excited for what’s coming up on the roadmap!