Governance Automation in Microsoft 365

The primary goal of this article is to educate IT executives on the roles and capabilities of governance automation tools in Microsoft 365 (M365).

You may also be interested in our companion white paper: Microsoft 365 Governance Automation Tools Report. This paper offers a detailed analysis, including a feature-by-feature comparison of all of the Microsoft 365 governance automation tools.

In this article, we’ll answer the following questions:

  • Why do I need governance in Microsoft 365?
  • How does M365 governance fit with overall IT governance?
  • What should the role of automation be?
  • What content must be governed and what services?
  • What features should I expect from M365 governance automation tools?

O365 Governance is Needed Now More than Ever

  • Communication and collaboration environments have left the safe space of locked-down office environments.
  • Microsoft adds services, capabilities and governance features to M365 at a dizzying pace.
  • A lack of employee life cycle governance can lead to significant M365 over-licensing and wasted money.
  • Services such as Microsoft Teams and the Power Platform can empower business users to create business solutions without IT involvement.

How M365 Governance Fits with IT Governance

Before we get to M365 governance tools, a little about M365 governance’s role in overall IT governance.

IT governance can be broken into 2 major categories as depicted in the diagram above: Demand Governance and Supply Governance.

M365 governance is the practice of applying IT supply-side governance principles to the Microsoft 365 platform. The chief aim of M365 governance is to make content and the processes that interact with it to be efficient, secure, available and accurate.

What Kind of M365 Content Must be Governed?

What Services Must be Governed?

While there are dozens of M365 services, this article will focus on those services which have functions and features that are the most popular, generate the most content and require the most governance:

Not a Governance Plan, but a System

In our experience, customers are focused on creating a governance plan and often overlook these other components of a governance system:

  • Organizational Change Management: Policies outlined in a governance plan may affect the features available to users and how users interact with the governance plan. The impact of changes is not always easily absorbed into the organization. This element of a governance plan ensures that your user community can efficiently adapt to your plan. For example: if your governance plan calls for content owners to manage access to a Teams or SharePoint workspace, you may wish to provide training and other material support on how to do this.
  • Standard Operating Procedures (SOPs): Whether governance automation has been implemented or not, individuals who play a role in the governance plan should have documented SOPs with instructions for fulfilling their duties within the plan.
  • Automation tools: It is very easy to codify a policy in your governance plan that cannot realistically be implemented through manual procedures. Automation tools help.

There are hundreds of articles and books on how to produce M365 governance plans, covering plan structures, sample policies, and how to organize a steering committee. However, we find that nearly every customer that we speak with has a poor understanding of the software tools that are available to support governance. Most have little understanding of the built-in tools that come with M365, never mind understanding the marketplace of 3rd-party tools.

Governance Automation Requirements

Before we can understand the utility of the tools that are available, a little about what we need the tools to do. The following diagram shows the major functional categories that governance automation tools may support.

Governance Automation Functional Categories

The Stuff that We Won’t Cover in this Article

  • DevOps & Custom Applications Built on the M365 Platform: An organization can build customized, line-of-business applications on the M365 platform using traditional development tools such as .Net or JavaScript or the ever-more-popular “no-code” tools such as the Power Platform or Nintex. Each such application will have its own unique governance plan and automation.
  • Data Governance: While this article does consider some content governance features such as information security, data governance is a subject area that is deeply complex and merits a separate discussion. So, we won’t touch on features related to data classification, data life cycle policies, and their ilk.
  • Service Monitoring: While a modicum of service monitoring is built into M365 (Health Checker), it deserves to be monitored by an enterprise service monitoring tool. These tools are not specific to the M365 platform and are typically responsible for the monitoring of all applications within an IT portfolio.

Requirements for Governance Automation Tools

The following sections of this article provide more detail around the specific features that we should expect within the categories of features that we’ve illustrated above.

Workspace and Group Life Cycle Management

What is a workspace? This is a generic term for collaboration areas in M365: SharePoint has sites, Teams have teams, Planner has plans, and Yammer has communities.

Certifications: A certification process has the owner of a workspace or group take action and report back. For example: If a content owner is responsible for 5 Teams workspaces and 1 SharePoint site, twice per year they must review their permissions for each site and attest that it has been completed. Note that certification processes are commonly predicated on a lease that is assigned to each workspace or group. This lease has an expiration date and actions must be taken in advance of such an expiration.

Workspace and Group Life Cycle Management
Each feature below lists the M365 built-in capability or limitation, then how governance automation tools should help.

Provisioning of Workspaces
  • Built-in capability / limitation: Out-of-the-box, users have the ability to create workspaces in Teams, while they cannot create SharePoint, Planner or Yammer workspaces. Most organizations disable the out-of-the-box self-service Teams workspace creation due to a lack of control, leaving all workspace creation to admins.
  • How tools should help: Automating the creation of SharePoint, Teams, Yammer and Planner workspaces, and related groups. Providing customizable approval workflows and forms, and the ability for administrators or content owners to track these flows. Forms for users to fill out to request such workspaces. Control of naming conventions for sites and teams.

Workspace Usage Certification
  • Built-in capability / limitation: There is no concept in Office 365 of expiration of workspaces, and there is no automated archival or deletion of any workspace, so content may accumulate unchecked.
  • How tools should help: Configurable assignment of a “lease” for each workspace. Automated actions such as archival and deletion upon lease expiration.

Workspace Permissions + Certification
  • Built-in capability / limitation: Permissions may be granted to any given user directly or in the context of a SharePoint, M365 or Azure AD security group. Workspace owners have no ability to see the members of M365 or Azure AD security groups, making it difficult for a workspace owner or an admin to understand who has access.
  • How tools should help: Support a schedule for permissions certification activities where content owners must certify that they’ve reviewed and remediated permissions. On top of permissions, the tool could support the certification of workspace contacts, governance conditions or even customizable information.

Guest Member Certification
  • Built-in capability / limitation: M365 has no concept of expiration for guest members.
  • How tools should help: Rules may be configured to identify inactive members and request lease extensions for them. Disable them if they are inactive and their lease has not been renewed.

Content Owner Participation / Self-Service
  • Built-in capability / limitation: Workspace owners are the people with the most knowledge of their workspaces and the final responsibility for them, yet they have no tools to participate in a governance process.
  • How tools should help: Ability for admins or content owners to manage the workspace life cycle, including renewing leases, allowing expirations, expiration disposition, etc. The ability for content owners to review and manage permissions. The ability to see the members of M365 and Azure AD security groups. Ability to see all workspaces that they own and otherwise participate in.

Customizable Service Catalog
  • Built-in capability / limitation: Not available.
  • How tools should help: The ability to package the creation of a workspace or group along with various elements to define a service that can be used by administrators or content owners. For example: you could create a service definition called “Teams Project” and define the service as the creation of the team and the addition of apps, tabs, folder structures, and the like to the team. Provide service catalog users with customizable forms for each service definition; these forms help to capture the decisions and data required to complete the service request.

Communications and Training
  • Built-in capability / limitation: There is no built-in communications or training center for M365 governance.
  • How tools should help: Using SharePoint or Teams, it’s easy to create a workspace dedicated to governance training, communication, and resources for all users in your organization.

Usage Analytics & Metadata
  • Built-in capability / limitation: Each SharePoint site has a built-in activity report. Such reports are not present in Teams, Planner, Yammer or M365 groups.
  • How tools should help: User traffic to workspaces should be captured and visualized. Metrics such as created date, last modified, membership counts, etc. should be available for workspaces and groups.

Service Request Management
  • Built-in capability / limitation: Many governance plans require tasks to be completed by admins, content owners and other role players. However, there is no built-in way to track these tasks.
  • How tools should help: A tool should be able to track these tasks and provide task dashboards for each role player.

Workflow Integration
  • Built-in capability / limitation: Not available.
  • How tools should help: An external system such as IT Service Management (ITSM) software or a workflow automation service should be able to request a service from our service catalog. The tool should be able to invoke an external workflow upon completion.
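The Guest Member Certification feature above calls for identifying inactive guests whose lease has not been renewed. The following is an added example, not code from the article or from Distributed Logic, that builds that candidate list with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the caller can consent to the User.Read.All and AuditLog.Read.All scopes, and that the tenant holds a Microsoft Entra ID P1/P2 license (required for sign-in activity data); the 90-day lease length is a constructed policy value.

```powershell
# Added example (not from the article or from Distributed Logic): list guest accounts
# whose "lease" has lapsed, i.e. no sign-in within the configured number of days.
# Assumes the Microsoft.Graph PowerShell SDK; signInActivity needs AuditLog.Read.All
# and an Entra ID P1/P2 license. The lease length is a constructed policy value.
#Requires -Modules Microsoft.Graph.Users

param([int]$InactiveDays = 90)   # constructed lease length

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$InactiveDays)

# Guests only; SignInActivity must be requested explicitly via -Property.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime, AccountEnabled, SignInActivity

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime   # $null when the guest never signed in
    # A guest who never signed in is measured from the invitation (creation) date instead.
    $lastSeen = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
    [pscustomobject]@{
        DisplayName  = $g.DisplayName
        Mail         = $g.Mail
        Enabled      = $g.AccountEnabled
        LastSignIn   = $lastSignIn
        DaysInactive = [int]($now - $lastSeen.ToUniversalTime()).TotalDays
        LeaseExpired = ($lastSeen.ToUniversalTime() -lt $cutoff)
    }
}

# Candidates to send to the workspace owner for certification; still-enabled accounts only.
$expired = @($report | Where-Object { $_.LeaseExpired -and $_.Enabled })
$expired | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
"{0} of {1} guests have exceeded the {2}-day lease." -f $expired.Count, @($report).Count, $InactiveDays

# Disabling is a separate step taken only after the certification window closes
# without renewal, e.g.: Update-MgUser -UserId <guest id> -AccountEnabled:$false
```

The script reports rather than acts: in the certification model the article describes, the owner receives this list, renews the leases that are still needed, and only then are the remaining accounts disabled.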
Audit Log Exploration

In 2020, Microsoft replaced the older audit technology with the Unified Audit Log. Some governance automation tools do not support the new audit log technology.

Audit Log Exploration
Each feature below lists the M365 built-in capability or limitation, then how governance automation tools should help.

Audit log caching & extended retention
  • Built-in capability / limitation: Audit activity is only tracked by M365 for 90 days.
  • How tools should help: Support longer, even unlimited, log retention periods.

Make human-readable
  • Built-in capability / limitation: The M365 Compliance Center captures audit activities for all of the services that we are interested in. However, the information is very difficult to understand, even for seasoned admins. SharePoint information in the audit log often includes internal IDs rather than the names of lists and libraries; this feature would retrieve human-readable values for these IDs. Without tools, our managed services admins must painstakingly modify the output from the audit log to provide content owners with a human-readable audit trail.
  • How tools should help: Support easy-to-read audit reports for consumption by non-technical workspace owners.

Contextual Access
  • Built-in capability / limitation: This had been available within the context of site collection administration, but with the advent of the M365 unified log, this feature is no longer available.
  • How tools should help: When any content container such as a site collection, site, sub-site, list, library, folder or document presents itself anywhere in the tool’s UI, we should be able to see the audit details for that container.

Support for 3rd-Party BI tools to access audit data
  • Built-in capability / limitation: Not available.
  • How tools should help: Export data to SQL Server or otherwise expose the data to 3rd-party BI tools.

Content Owner Participation / Self-Service
  • Built-in capability / limitation: The audit search interface in M365 is restricted to administrators.
  • How tools should help: Make audit log information available to non-technical content owners.

Create alerts
  • Built-in capability / limitation: The M365 Compliance Center allows administrators to create alerts when certain events occur against certain objects.
  • How tools should help: The same ability to alert on events, built into the tool.
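The first two features above, retention beyond the 90-day window and a human-readable rendering of the raw log, can be approximated without a third-party tool using the Exchange Online PowerShell module. The following is an added example, not code from the article or from Distributed Logic. It assumes the ExchangeOnlineManagement module is installed and the caller holds a role that can read the audit log; the cache path is a constructed placeholder. The AuditData field names it reads (CreationTime, UserId, Operation, SiteUrl, SourceRelativeUrl, SourceFileName, ListId, ClientIP) follow the standard SharePoint file-operation audit schema. It does not resolve ListId to a library name, which would need a separate SharePoint lookup, but SourceRelativeUrl already carries the readable library and folder path.

```powershell
# Added example (not from the article or from Distributed Logic): cache Unified Audit Log
# records locally so they outlive Microsoft's 90-day retention, and render SharePoint
# file events readably for workspace owners.
# Assumes the ExchangeOnlineManagement module and an audit-log reading role.
#Requires -Modules ExchangeOnlineManagement

param(
    [datetime]$StartDate = (Get-Date).AddDays(-7),
    [datetime]$EndDate   = (Get-Date),
    [string]$CachePath   = "C:\AuditCache\sharepoint-file-ops.jsonl"  # constructed placeholder
)

# Turn one raw AuditData JSON document into a row a non-technical owner can read.
# Field names follow the standard SharePoint file-operation audit schema.
function ConvertTo-ReadableAuditRow {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$AuditDataJson)
    process {
        $d = $AuditDataJson | ConvertFrom-Json
        [pscustomobject]@{
            Id       = $d.Id                 # unique record id, used to de-duplicate the cache
            When     = ([datetime]$d.CreationTime).ToLocalTime()
            Who      = $d.UserId
            Action   = $d.Operation          # e.g. FileAccessed, FileModified, FileDeleted
            SiteUrl  = $d.SiteUrl
            Path     = $d.SourceRelativeUrl  # library and folder path, readable unlike ListId
            Item     = $d.SourceFileName
            ListId   = $d.ListId             # internal GUID; resolving it needs a SharePoint lookup
            ClientIP = $d.ClientIP
        }
    }
}

Connect-ExchangeOnline -ShowBanner:$false

# Page through one search session; ReturnLargeSet allows up to 50,000 records per session.
$sessionId = "governance-cache-" + [guid]::NewGuid().ToString()
$records   = New-Object System.Collections.Generic.List[object]
do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -RecordType SharePointFileOperation `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    foreach ($r in $page) { $records.Add($r) }
} while ($page -and @($page).Count -eq 5000)

Disconnect-ExchangeOnline -Confirm:$false

# Append raw JSON, one record per line, to the local cache. Overlapping date ranges on
# later runs append duplicates, so reporting de-duplicates on the record Id.
New-Item -ItemType Directory -Force -Path (Split-Path $CachePath) | Out-Null
$records | ForEach-Object { $_.AuditData } | Add-Content -Path $CachePath

# Build the readable audit trail from the cache; this works long after the 90-day window.
Get-Content -Path $CachePath |
    ConvertTo-ReadableAuditRow |
    Sort-Object -Property Id -Unique |
    Sort-Object -Property When -Descending |
    Format-Table When, Who, Action, SiteUrl, Path, Item -AutoSize
```

Run it on a schedule with a start date that overlaps the previous run slightly; the Id-based de-duplication absorbs the overlap, and the cache file becomes the retention store that the article says M365 itself lacks. Filtering the readable rows by SiteUrl gives a per-workspace trail for a content owner.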
Operations Management / Administration
Each feature below lists the M365 built-in capability or limitation, then how governance automation tools should help.

Manageable Objects
  • Built-in capability / limitation: N/A
  • How tools should help: SharePoint, Teams, OneDrive, Planner, Yammer and Groups. A simple way to explore a user’s OneDrive; this is particularly useful during an offboarding process.

Dashboard
  • Built-in capability / limitation: M365 offers individual administrative centers for SharePoint, Teams, Yammer, Planner and M365 groups. These dashboards tend to be very limited and not user-friendly.
  • How tools should help: At a glance, the tool should surface common, critical governance metrics and conditions. It should have the ability to take action against workspaces and groups, individually or in bulk, through pick lists and/or classifications.

Access control
  • Built-in capability / limitation: While it is relatively simple to manage access control via out-of-the-box user interfaces, it can be complicated when permissions inheritance is broken for libraries, folders and documents. Making matters more complicated and confusing is the fact that with Teams workspaces, permissions can be managed both through the Teams interface and through the SharePoint interface. These settings may conflict with one another, or they can be difficult to discover. It is also very difficult to perform any access control operations en masse.
  • How tools should help: Support simple discovery of complex permissions, including across linked SharePoint and Teams workspaces. The ability to apply access controls to more than one user or group at a time.

Check Permissions
  • Built-in capability / limitation: Using out-of-the-box tools, it is possible to see the permissions that a user has in a given workspace. However, it is difficult to find this feature. This may be even more confusing when permissions are granted in the context of an M365 group or an Azure AD security group; there is no ability to see the membership of these groups. It’s not possible to see access beyond the current workspace. This feature may become particularly important when a person leaves an organization or their activity comes under suspicion.
  • How tools should help: Allow an admin to easily check on the permissions that a user has across workspaces and services, providing a holistic view.

Permissions Copy
  • Built-in capability / limitation: We get requests for copying of permissions relatively frequently: “I am taking over for Jane, can you give me the same permissions that she has for everything?”
  • How tools should help: Allow an admin to use an existing user or group as a model for permissions and copy this model to a new group or user.

Everywhere, Remove Permission for a User
  • Built-in capability / limitation: Often, as part of an offboarding process, we must remove permissions for a user. While an admin can shut off access to all M365 services with ease, this does not result in the cleanup of permissions in the various services. For example: in SharePoint, even if a user is deleted from Azure AD in M365, the user name still “appears” to have permissions to various resources. We refer to these as “orphaned” users.
  • How tools should help: Remove the user from all permissions references in all services.

Prevent Orphaned Workspaces
  • Built-in capability / limitation: It is quite easy to disable or delete the last owner of a Teams, SharePoint, Planner, or Yammer workspace. Once the last owner is gone, there is no way to maintain membership or to have a content owner participate in the governance of the workspace.
  • How tools should help: As part of an offboarding process, we need the ability to check whether the exiting user is the last owner of a workspace. Armed with this information, an admin can proactively contact other staff to take ownership of the space.

Content Management
  • Built-in capability / limitation: There are a variety of governance-related activities that may require the copying of SharePoint or Teams folders, lists, and libraries, or even entire sites or teams. M365 does not offer support for this. An example: as part of developing an application, a separate workspace is created to house the development version of the content, and production content is synchronized/copied to this development space periodically.
  • How tools should help: Support the ability to copy site collections, sites, teams, documents, folders, lists and libraries within an M365 tenancy.

Content Owner Participation / Self-Service
  • Built-in capability / limitation: Out-of-the-box, content owners can maintain membership and permissions for their workspaces through each service’s user interface. The user interface is lacking and can make these activities confusing, particularly when folders and files have unique permissions. Also, there is no single dashboard that allows content owners to administer their sites.
  • How tools should help: Provide a user-friendly, centralized dashboard for content owners to manage membership and permissions for their workspaces.
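The Prevent Orphaned Workspaces feature above asks for a check, during offboarding, of whether the exiting user is the last owner of a workspace. The following is an added example, not code from the article or from Distributed Logic, that performs that check for Microsoft 365 groups (which back Teams, Planner plans, Yammer communities and group-connected SharePoint sites) using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed and that the caller can consent to the User.Read.All and Group.Read.All scopes; the user principal name is a constructed placeholder.

```powershell
# Added example (not from the article or from Distributed Logic): before offboarding,
# list every Microsoft 365 group the exiting user owns and flag those where they are the
# sole owner, so ownership can be reassigned before the account is disabled.
# Assumes the Microsoft.Graph PowerShell SDK; the UPN below is a constructed placeholder.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups

param([string]$ExitingUserUpn = "jane.doe@contoso.example")  # constructed placeholder

Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All" -NoWelcome

$user = Get-MgUser -UserId $ExitingUserUpn -Property Id, DisplayName, UserPrincipalName

# Start from the objects the user owns rather than enumerating every group in the tenant.
$ownedGroups = Get-MgUserOwnedObject -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

$findings = foreach ($group in $ownedGroups) {
    $owners      = @(Get-MgGroupOwner -GroupId $group.Id -All)
    $otherOwners = @($owners | Where-Object { $_.Id -ne $user.Id })
    [pscustomobject]@{
        GroupName       = $group.AdditionalProperties['displayName']
        GroupMail       = $group.AdditionalProperties['mail']
        GroupId         = $group.Id
        OwnerCount      = $owners.Count
        WouldBeOrphaned = ($otherOwners.Count -eq 0)
        OtherOwners     = ($otherOwners | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join '; '
    }
}

# Groups that would lose their last owner: reassign ownership before the account goes.
$atRisk = @($findings | Where-Object WouldBeOrphaned)
$findings | Sort-Object WouldBeOrphaned -Descending | Format-Table -AutoSize
"{0} of {1} owned groups would be orphaned if {2} is removed." -f `
    $atRisk.Count, @($findings).Count, $user.UserPrincipalName
```

Standalone SharePoint sites that are not group-connected use site collection administrators rather than group owners, so a complete offboarding check would pair this with a site collection admin review for those sites (PnP PowerShell's Get-PnPSiteCollectionAdmin, for example).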
Policy & Compliance

All Policy & Compliance features are available to administrators only.

Policy & Compliance
Each feature below lists the M365 built-in capability or limitation, then how governance automation tools should help.

Define Policies
  • Built-in capability / limitation: Of course, we define governance policies in our governance plan, but the plan provides no automated rules management, and neither does M365. This often leaves administrators attempting to find violations through the out-of-the-box functionality, which is often impossible or impractical.
  • How tools should help: Define rules for governance that may be used in governance automation to identify non-conformity and possibly to take action. Rules should be based both on conditions and on events.
    Example of a rule based on a condition: let’s say that your organization wishes to prevent users from creating unique permissions for folders in a Teams workspace. It is possible for a workspace owner to use the Teams workspace’s companion SharePoint site to violate this rule.
    Example of a rule based on an event: a member is removed from a specific M365 group. If we wish to prevent the removal of any member from a specific M365 group, we can create a rule that will identify this deletion event.
    Ideally a tool would support many policies across all services. Object control via these policies should include:
      • M365 Groups
      • OneDrive
      • Planner Plans
      • SharePoint Sites
      • Teams
      • Yammer Groups

Identify Policy Violation Insights
  • Built-in capability / limitation: M365 has no dashboard for policy violations. While it’s possible to use out-of-the-box tools to discover such violations, it is impractical to manually identify and address violations of the governance plan across all workspaces and all services.
  • How tools should help: Provide a dashboard detailing policy violations. Control a schedule for policy violation scans.

Automated Policy Violation Remediation
  • Built-in capability / limitation: Not available.
  • How tools should help: Governance tools should offer options to automatically address violations of policy via notifications, reversing the permissions, etc. This is referred to as retroactive remediation.

Workspace Classification
  • Built-in capability / limitation: Out-of-the-box, there is no way to classify workspaces in order to have different workspaces be subject to distinct governance policies.
  • How tools should help: Tools should allow administrators to “tag” sites in such a way that automated or manual governance activities may vary based on such classification. Create custom categories of sites to apply discrete sets of policies and actions.

Identify Data Leakage Risk
  • Built-in capability / limitation: Not available.
  • How tools should help: For example, combine sensitivity classification with external user access to see external users with access to the most sensitive information.

Overshare Identification
  • Built-in capability / limitation: Not available.
  • How tools should help: Identify M365, SharePoint and security groups with large numbers of users. Identify large numbers of directly permissioned users.
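The condition-based rule in the Define Policies feature above (no unique permissions on folders in a Teams workspace, which an owner can bypass through the team's companion SharePoint site) is the kind of scheduled scan a governance tool runs. The following is an added example, not code from the article or from Distributed Logic, that performs that scan with PnP PowerShell. It assumes the PnP.PowerShell module is installed and that the caller is a site collection administrator on each site; the site URLs, rule name and CSV path are constructed placeholders.

```powershell
# Added example (not from the article or from Distributed Logic): condition-based rule scan.
# Rule: folders in a Teams-connected SharePoint site must not carry unique permissions,
# which an owner can create through the team's companion SharePoint site.
# Assumes PnP.PowerShell and site collection admin rights; URLs and paths are placeholders.
#Requires -Modules PnP.PowerShell

param(
    [string[]]$SiteUrls = @("https://contoso.sharepoint.com/sites/ProjectX"),  # constructed
    [string]$ReportPath = ".\policy-violations.csv"                            # constructed
)

$ruleName = "NoUniqueFolderPermissions"   # constructed rule identifier

$violations = foreach ($siteUrl in $SiteUrls) {
    # Interactive sign-in for a manual run; a scheduled scan would use certificate auth
    # (-ClientId/-Tenant/-Thumbprint) under an app registration instead.
    Connect-PnPOnline -Url $siteUrl -Interactive

    # Document libraries only (BaseTemplate 101), skipping hidden system lists.
    $libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

    foreach ($library in $libraries) {
        # Page through the library and keep folder items only.
        $folders = Get-PnPListItem -List $library -PageSize 500 -Fields "FileRef" |
            Where-Object { $_.FileSystemObjectType -eq 'Folder' }

        foreach ($folder in $folders) {
            # HasUniqueRoleAssignments is true when inheritance from the library is broken.
            $unique = Get-PnPProperty -ClientObject $folder -Property HasUniqueRoleAssignments
            if ($unique) {
                [pscustomobject]@{
                    Rule    = $ruleName
                    SiteUrl = $siteUrl
                    Library = $library.Title
                    Folder  = $folder["FileRef"]
                    FoundAt = (Get-Date).ToUniversalTime().ToString("o")
                }
            }
        }
    }
    Disconnect-PnPOnline
}

$violations | Format-Table -AutoSize
$violations | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} violation(s) of {1} across {2} site(s)." -f @($violations).Count, $ruleName, $SiteUrls.Count
```

The scan only reports, which matches the article's separation of violation insight from remediation: after the owner reviews the CSV, resetting a flagged folder to inherit from its library is the retroactive remediation step (PnP's Set-PnPListItemPermission has an -InheritPermissions switch for that).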
Reporting

While tool’s administrative user interfaces may offer much of the information that an admin or site content owner needs, there is still a need for traditional reports that can be customized, scheduled and automatically delivered.

Reporting
Each feature below lists the M365 built-in capability or limitation, then how governance automation tools should help.

Ready-Made Reports
  • Built-in capability / limitation: M365 offers no significant, out-of-the-box reports for policy-related metadata and metrics.
  • How tools should help: A tool should provide reporting on policy violations, events related to governance and key metrics. Here are some example reports:
      • Content aging
      • Directly assigned permissions
      • External users
      • Inactive workspaces
      • Orphaned users
      • Orphaned sites
      • Oversharing
      • Permissions matrix
      • Sites & other objects with custom permissions
      • Storage trends
      • Teams with private channels
      • Workspace metrics
      • Yammer communities

Create your own Reports
  • Built-in capability / limitation: In the M365 Compliance Center, an admin can create limited custom reports.
  • How tools should help: The tool should provide the ability to create custom sorting, filtering and columns based on a wide array of metrics, events and conditions related to governance. Ideally, we would be able to query against the following governance-related entities:
      • Workspaces and data containers such as Teams, SharePoint sites, libraries, lists, folders, items, etc.
      • Users and user activity
      • Group membership, metrics and activity
      • Permissions assignments

3rd-Party Analytics and Open Data
  • Built-in capability / limitation: Not available.
  • How tools should help: Ability for 3rd-party analytics tools to use governance data to create reports and dashboards.

Report Scheduling
  • Built-in capability / limitation: An administrator can schedule custom reports, though these reports are very limited.
  • How tools should help: Allow for the scheduling of any report, canned or custom.

Report Delivery
  • Built-in capability / limitation: N/A
  • How tools should help:
      • Deliver reports to a central site
      • Deliver reports to related sites
      • Deliver reports via email

Group Transparency
  • Built-in capability / limitation: SharePoint sites, including those that support Teams, may have permissions assigned in the context of SharePoint, Azure AD security and M365 groups. M365 offers no ability to see the membership of Azure AD security groups in any of the major services. For non-admins, only Teams can provide visibility into Office 365 groups; this is not available in SharePoint or elsewhere. Even for admins, there is no ability to see M365 group membership via the SharePoint UI; the administrator must switch to the SharePoint Admin Center.
  • How tools should help: See the members of Azure AD, SharePoint and M365 groups anywhere the groups are referenced in explorers and reports. Incorporate group membership metrics into governance policies and dashboards.

In Summary

If we could wave a magic wand and make our governance wishes come true, we would have a single, cost-effective tool that supports all of the features laid out earlier in this article. With this magical tool, one could create any policy knowing that it could be supported by automation.

Alas, while there is a rich marketplace of governance automation tools for M365, no single tool does quite everything (though one tool comes very close). Also, there is a significant variation in cost. Furthermore, not every organization needs all of the above features.


So, how should you best implement governance automation to support a plan that is right for your organization?

The first step in creating an M365 governance system is to create a governance plan, which will detail governance decisions. This policy document will serve as the basis for the requirements for governance automation. However, creating a governance plan is difficult if you don’t understand what is feasible for tools to support.

The aim of this article has been to arm the reader with an understanding of what is possible with governance automation tools.

Likely, you are now thinking that this is all well-and-good, but which tool or tools should I choose to implement in support of my plan?

Follow the link below to get our report on the 7 leading governance automation tools in the marketplace, including a detailed comparison of features and cost.

Click here to view our Microsoft 365 Governance Automation Tools Report


© Copyright 2021 Distributed Logic Corp.

contact via web form  |  info@distributedlogic.com   |    (866) 229-8621
