Microsoft MVP Drew Madelung on Microsoft 365 provisioning scenarios, and four key steps to provisioning success.
Provisioning is the act of “providing” or making something available. In Microsoft 365, this can be as high-level as:
- provisioning a new tenant
- provisioning a new user
- provisioning a new SharePoint page
- provisioning a new Team or Team site for a department
Organizations can and will establish multiple provisioning scenarios around Microsoft 365 technologies and most likely use Microsoft automation technologies to deliver them.
One of the most common provisioning scenarios we have in Microsoft 365 is the concept of collaboration workspace provisioning. This can be thought of as the ability to provision solutions within Microsoft 365 that provide communication and collaboration platforms to your employees. The concept of a collaboration workspace is a single location where multiple people will work together.
To start collaboration provisioning, you first need to understand what this means within the Microsoft 365 architecture.
Table of contents
What Microsoft products does provisioning cover?
Instead of initially thinking about collaboration products, think about the services they provide within Microsoft 365. Chat, channels, files, email, calendar, pages, and communities are services with a product or many products backing them. Products come and go, and names change, but the core architecture for these services doesn’t change often. Think about how these services are tied together and how they are separate.
Azure active directory provisioning solutions
The core solution binding these collaboration solutions together is Microsoft 365 Groups.
Microsoft 365 Groups are the cross-solution membership service in Microsoft 365. At a basic level, a Microsoft 365 group is an object in Azure Active Directory with a list of members and a coupling to related workloads, including:
- Microsoft Teams (chat/channels)
- SharePoint team site (files/pages/lists)
- Shared Exchange mailbox (email/calendar)
- Planner (tasks)
- Yammer (communities)
- And more
You can add or remove people to the group just as you would any other group-based security object in Azure Active Directory, replicating the solutions to provide access to those solutions.
There are nuances to this architecture to understand for provisioning:
- A SharePoint communication site or classic SharePoint site doesn’t use a Microsoft 365 group and uses SharePoint permissions only
- If you create a Yammer community, you can’t add Microsoft Teams to it
- If you create a Microsoft team, you can’t add a Yammer community to it
- Groups have the strongest tie to Exchange, so most advanced parameters are visible through the Exchange object of the group, including PowerShell management
By understanding this technical architecture, you can build a better collaboration workspace provisioning solution as you see you are not just building a Microsoft Teams or SharePoint site provisioning solution. You’re provisioning more and need to start at the Microsoft 365 Groups level for planning.
Plan for modern provisioning solutions
As modern collaboration technologies have evolved, so have the provisioning options. In the past, collaboration provisioning solutions, such as on-premises SharePoint sites, were primarily IT-owned with helpdesk requests driving them, and nothing out-of-the-box could be used. This caused frustration for end users as this took time, would stall work from being started, and most likely wasn’t flexible enough to meet their actual needs.
Our modern provisioning is faster, Microsoft 365 group-backed, and primarily self-service driven. This has also allowed modern templates to be used across collaboration workspaces that employees can use, and administrators can build.
With modern provisioning, we want to eliminate boundaries and bottlenecks between users and IT. You want to balance IT, security, and compliance provisioning requirements and the user experience. You want to add guardrails when required and empower users where possible.
4 key steps to Microsoft 365 provisioning success
Good governance is the balance of productivity and security. As your modern Microsoft 365 provisioning solutions need to be more flexible with different types of services in the collaboration workspaces, you need to ensure you’re not overcomplicating a process or technology.
It is far too easy to make a provisioning decision for Teams or SharePoint that doesn’t consider all the technologies or how the users will feel and interact with the process. So you should start with actual requirement gathering before you move into the technology.
Step 1: Requirement gathering for Microsoft 365 provisioning policy development
Figuring out what requirements your organization actually has sets the stage for your provisioning solution. It’s most important to figure out the “Why” before you go into tooling. For example, if you want to build a Teams provisioning solution, you need to document the goals for doing this. Some examples could be:
- We have security or compliance risk that needs to be addressed for specific users in an organization
- We have multiple business units or subsidiaries and want to be able to identify a Team or Team site by business unit or subsidiary
- We want metadata added to the Team or Team site based on the user creating it for reporting or auditing purposes, such as the creator’s location or department
- We have an existing process that would be faster to create collaboration workspaces automatically versus users doing it manually
- We want to add custom content or experiences to new collaboration workspaces as learning tools for new owners
When you establish these requirements with both the business and IT, you understand the value of a provisioning process. Remember, it’s not about adding unnecessary boundaries to user adoption, so don’t add a provisioning solution just to do it. Gather the requirements first!
Step 2: Technical understanding: What’s possible for your architecture?
Now that you have the “Why,” you need to know what’s possible. There can be limiting factors in a provisioning process like APIs, permissions, and automation technology that are instant blockers. This step is about not overpromising what can be done based on the identified requirements.
A great provisioning example of this is that we can’t do a URL redirect to add a form to point to a provisioning question form across all creation starting points. So, if you want an entry port form, you’ll need to do an org change management practice to educate the users for the new location instead of allowing the “create” out-of-the-box options.
This will also be about understanding the technical architecture of Microsoft 365 collaboration, which I began to break down above. Beyond the base architecture, a key piece to this will be working with the Microsoft Graph if you go with an advanced custom provisioning process.
The Graph will provide the necessary create, read, update and delete (CRUD) operations you need to perform to create, modify and delete Teams, Sites, Communities, and their supporting Microsoft 365 Groups.
Step 3: Develop the user provisioning process
One of the most overlooked aspects of a provisioning process is how users will initiate a certain type of request. We now have the “Why” and what’s possible on the technology side, so it’s time to get back to user experience.
The way that users will initiate a request is one of the most crucial decisions for provisioning. This decision will greatly impact the user’s daily experience and the effort required to respond to their requests. There are countless ways users can create Microsoft 365 collaboration workspaces across clients, browsers, and mobile apps, and you can’t add custom logic to it all.
Organizations underestimate the organizational change required when moving away from the out-of-the-box Microsoft 365 creation templates and any processes outside initial provisioning. It’s also a very good user experience if you can use out-of-the-box creation and editing for Teams, SharePoint sites, and Groups to add your necessary provisioning requirements behind the scene after or during the initial creation.
How can you make sure users get the best experience?
If you need to switch from the native experience, the first question to ask is, where do users make other types of requests today? Concentrate on the users here, and what is best for them.
Making a siloed decision to put the entry point in a Microsoft Form if no one is using those yet could be less successful than embedding this into existing user routines like ServiceNow or identity management requests. This is about understanding what tools already exist and work best within your organization.
Step 4: Establishing a Microsoft 365 provisioning policy with the right software
We have all the details we need to decide what technology we’ll use to establish our Microsoft 365 collaboration workspace provisioning solution. The three primary routes I see are:
- Native creation tools and post-creation provisioning
- Build your own using custom development
- Purchase a third-party solution
You need to look at these and understand which works best for your organization.
- Don’t commit to a custom solution if a team isn’t available to maintain it and own it.
- Don’t overcomplicate the process by introducing tools that would disrupt users just because they are new and shiny.
- Ensure you know the technical tools your organization has access to and experience with. This will lessen the time to complete and post-implementation impact.
- A good example of this is the user entry point. When going custom, Power Apps is a common tool to be used. If you have not deployed Power Apps globally or don’t own it, it puts a potentially unnecessary blocker in if another form solution already is being utilized by other teams that would work just fine for this.
Bringing all these decisions together will ensure that your Microsoft 365 collaboration workspace provisioning solution is being done for the right reasons, has a good user experience, and will be sustainable once up and running.
Now that you have a better understanding of what Microsoft 365 provisioning is, check out the next blog in this series on how to get started with modern Microsoft 365 provisioning.