The layers of Office 365 collaboration

One of the misconceptions that many have about Office 365 is that SharePoint Team Sites are the only place where you can keep files. My response to that is that SharePoint Team Sites are not the hammer for every request for an Intranet. You need to cast your gaze wider. You need to consider all the options that Office 365 provides. You need to think collaboration not just storage. You need to shift your thinking from the way it has been to the way it could be.

Now having lots of options for collaboration can make choice harder, I get it. The solution is knowledge. Know what each service does well and then determine if it is a good fit. If, after consideration of all the options, a stand alone SharePoint Team Site makes sense, then great, but in my experience that is rarely the case.

Here’s an Office 365 collaboration framework that I present to people to help them understand how to better use the collaboration tools that Office 365 provides them.

image

The simple structure I start with is shown above. There are 5 layers, each embedded within the next.

The innermost layer, layer 1, is a personal OneDrive for Business. Next is layer 2 being Microsoft Teams. Layer 3 is good old SharePoint. Layer 4 is Yammer and the outside layer is everything outside Office 365.

The SharePoint layer, layer 3, has three sub layers that are still SharePoint features but should be considered independently. These sub layers are: layer 3A being Hub sites, layer 3B being Communication sites and finally layer 3C being the traditional stand alone SharePoint Team Site.

Layer 3C is what many seem to think is the only place available to them when it comes to document collaboration. Each layer provides its own unique abilities and should be utilised in its own unique way. Let me explain further.

image

As you move from layer 1 (OneDrive for Business) to layer 5 (external) there is a move away from creation of information to a consumption of information. For example, most people start working on a document in their own private space (layer 1 = OneDrive for Business), and when they are ready they push it into a shared space for their team (layer 2 = Microsoft Teams). Here it is worked on by more people and seen by more people. From here it is then pushed to the next layer (layer 3 = SharePoint) where it is seen by even more people but now fewer people are actually making changes to the document. Finally, the document is pushed to layer 4 where it is announced to everyone in the business. This garners the most eyeballs, most of whom are merely going to consume or view the work.

Think of this analogy. A single user creates a new HR policy document in their OneDrive for Business. When they are ready they push that into the HR Microsoft Team to get further input from others in HR. Once that process is complete the completed HR policy document is pushed to the Intranet (SharePoint) where everyone else in the company can view it. Once the document is pushed to the Intranet it is announced publicly on the Yammer network where it is now available for all to consume, use and comment on.

Just as the creation process changes from creation to consumption as it moves through the layers, likewise the audience grows, from the individual to the team and then to the whole business and potentially those outside the business. Thus, information generally flows from layer 1 through to layer 5.

image

Let’s break this down some more. A user creates a new document in their OneDrive for Business. At this point the document is undergoing 100% creation.

image

When the user is ready they move the document into the appropriate Microsoft Team. Now the user may belong to some Microsoft Teams in the structure (2A and 2B) and not to others (2C).

At this point the document is probably undergoing 75% creation and 25% consumption.

image

From here the document is pushed to a traditional Team Site. There can be many different Team Sites if required, that people may or may not have access to. In this case it is being pushed to Team Site 3CB.

The ratio of creation to consumption here probably falls below 50% i.e. more people are reading it than editing it.

image

I think you get the picture. The document continues its journey through the various layers with different, but increasing audiences, having access to the document. However, the further through the layers it gets, the less the document is edited but the more it is viewed.

The reality here is that layers 3A (Hub sites) and 4 (Yammer) are really just providing navigation to the completed document which probably actually physically lives in either a traditional SharePoint Team Site or a Communication Site inside layer 3. However, the consumers of the information don’t care where it is actually stored, they simply want to know how to get to it.

At each layer I can only see and access information that is relevant to me. If I am part of the Microsoft Teams that works on the document then I can contribute. If I am not, then that document won’t be visible to me until it is pushed to a location further along that I have access to.

This means that the working for the final product can remain hidden from those not involved. So, think of the Microsoft Teams area as the traditional location where groups of people “create” and “work” on the information. This should be the location where most files from a file server are migrated. They should not be ‘dumped’ into a single location at layer 3 (SharePoint). They should be ‘placed’ into an appropriate work area for that team.

So, you should build your collaboration framework on layers. The above is just a simplified model but it is a good place to start I believe. The next point to consider with collaboration is information flow. Chances are, information is going to need to flow through to different places i.e. even though the finance department works on budgets, at some point they need to be shared with others in the business. Collaboration is about creation AND sharing of information. Simply creating information doesn’t serve any real purpose or benefit the larger cause without actually sharing it.

In most cases, your layers are going to mimic what your business already looks like structurally i.e. you’ll have a financial team, an HR team, a management team, etc. Each of these groups needs to create and publish information, thus they make logical Microsoft Teams in your collaboration structure. You may of course not need or want all these layers but I urge you to consider using them as a ‘standard’ no matter how large or small your business, as each layer brings unique features and functionality to the table.

In all of this, you will notice that the concept of an ‘Intranet’ is really at the extremity of collaboration creation. To me an Intranet is about 20% creation and 80% consumption. It is not really the place you go to do work. It is however, the place you go to find stuff from others in your business. Think of the Intranet like a bookcase at reception, into which each department places the end result of their work i.e. when the finance team is done with the budgets they place them in the finance folder in this bookcase for anyone else in the business to reference. Once they have done that, they go back to their Microsoft Team to start creating the next round of budgets they’ll publish.

This framework also couples well with my recommended adoption framework detailed here:

Focus on the ‘Me’ services first

In that I suggest you implement Yammer first (layer 4) and then OneDrive for Business (layer 1). Once that is successful you move to Microsoft Teams (layer 2) and finally the Intranet (layer 3). In short, you win the adoption battle by adopting a two-pronged attack at the outside layers and then proceed inwards. In my books, that is a more certain way to victory.

Office 365 is a toolbox with lots of options for you to work with. Hopefully, this framework makes it a bit easier for you to look at a way to conquer collaboration rather than simply abdicate for storage when it comes to your information in Office 365.

March Azure Webinar Resources

Here are the slides from the March Azure webinar where we took a look at Azure pricing.

https://www.slideshare.net/directorcia/ciaops-need-to-know-azure-webinar-march-2018

The recording is also available at:

http://www.ciaopsacademy.com.au/p/need-to-know-azure-webinars

which CIAOPS patrons get free access to as part of their subscription.

This webinar set more of the ground work for upcoming monthly webinars that will go deeper into Azure features and abilities.

So make sure you sign up for next month’s webinar.

March Office 365 Webinar Resources

Plenty of interest in security with legislation now making it even more important to protect information.

Slides from this month’s webinar are at:

https://www.slideshare.net/directorcia/ciaops-need-to-know-office-365-webinar-march-2018

If you are not a CIAOPS patron and you want to view or download a full copy of the video from the session you can do so here:

http://www.ciaopsacademy.com.au/p/need-to-know-webinars

Watch out for next month’s webinar.

Need to Know Podcast–Episode 176

After some Microsoft Cloud news Brenton and I dive into an introduction to Microsoft 365 and why it is important for Microsoft, customers and partners. We look at what it comprises and what the major benefits are. We discuss how security and device management are the heart of the product and why that is so important in light of recent compliance legislation. This is only the start of what will no doubt be an ongoing examination of Microsoft 365 and its role in the market.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at

https://ciaops.podbean.com/e/episode-176-microsoft-365/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

One year of Microsoft Teams

New experience in Outlook.com

How Office 365 protects your organisation from modern phishing campaigns

Azure AD Connect: Version release history

Update management, inventory and change tracking in Azure automation now generally available

Just in time VM access is generally available

Azure AD expiration policy for Office 365 Groups is now generally available

Microsoft expands cloud services in Europe and into Middle East

Using Office 365 labels

One of the best things about SharePoint is the ability to add ‘metadata’ about items. This makes it easier to filter, sort and search information. What you may not realise is that Office 365 itself has its own ‘metadata’ ability, known as Labels.

image

To create a label in Office 365 you’ll first need to navigate to the Security and Compliance center as an administrator. From there, select Classifications from the menu on the left and then Labels from the items that appear.

Now select the Create a label button on the right.

image

This will commence the label creation wizard as shown above. The first step is to give the label a Name and Description.

Press the Next button at the bottom of the dialog to continue.

image

In the next step you can determine whether you wish to associate a retention policy with this label. In this case, I’m creating a 2 year retention policy with a ‘disposition review’ before the data is deleted.

image

You’ll see a lot of these settings are similar to the Retention Policies you can create in Office 365 which I have written about here:

Using Retention Policies in Office 365

When complete, press the Next button to continue.

image

Review the options you have selected and then press the Create this label button at the bottom.

image

You should now see a summary of the label you just created as shown above. At this stage the label has been created but not applied anywhere in Office 365.

Select the Publish label at the top of the screen to apply this to Office 365.

image

This will kick off the label publishing wizard as shown above. You should already see the label that you just created shown as the label to publish.

Select Next to continue.

image

You now need to determine where this label will be applied in Office 365. You can elect to apply it across the entire tenant by selecting the All locations option at the top of the screen or select locations using the Let me choose option.

This means that you can target a specific label to a specific location in Office 365.

image

In this case, I’m going to apply the label to a specific Microsoft Team in the tenant. I select this location by ensuring the Office 365 Groups option is set to On and then selecting the Choose groups hyper link as shown above.

image

On the next screen I select Choose groups.

image

I then see a list of my Office 365 Groups and Microsoft Teams. In this case I’m going to select just the Special Projects group.

image

I should now see a banner at the top of the page that indicates my selection.

I select the Done button to continue.

image

I now give the policy a name and select the Next button to continue.

image

You should now see a list of all the options you have selected for this policy to review. You should also note the information message at the top that it may take up to 1 day for the label to appear for users and the limitations for Outlook mailboxes.

Select the Publish labels button to complete the process.
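The same create-and-publish procedure can be scripted with Security & Compliance PowerShell. This is an added example, not the author's own script: the label name, policy name, group address and reviewer address are placeholders, and counting retention from the creation date is an assumption the article does not state.

```powershell
# Added example: scripted equivalent of the label wizard steps described above.
# Requires the ExchangeOnlineManagement module and a compliance administrator account.
# Every name and address below is a placeholder, not a value from the article.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$labelName  = 'Two Year Review'                    # hypothetical label name
$policyName = 'Special Projects label policy'      # hypothetical label policy name
$groupSmtp  = 'specialprojects@contoso.example'    # placeholder address of the target Office 365 Group
$reviewer   = 'records.manager@contoso.example'    # placeholder disposition reviewer

# 1. Create the label: retain for 2 years (730 days), then delete only after
#    a disposition review by the named reviewer.
$tag = @{
    Name              = $labelName
    Comment           = 'Retain for two years, disposition review before deletion'
    RetentionAction   = 'KeepAndDelete'
    RetentionDuration = 730
    RetentionType     = 'CreationAgeInDays'        # assumption: period counts from creation date
    ReviewerEmail     = $reviewer
}
New-ComplianceTag @tag

# 2. Publish the label. The policy defines WHERE the label is offered; scoping it to
#    one group mirrors the "Let me choose" option rather than "All locations".
New-RetentionCompliancePolicy -Name $policyName -ModernGroupLocation $groupSmtp

# 3. The rule ties the label to the policy (the "label to publish" step of the wizard).
New-RetentionComplianceRule -Policy $policyName -PublishComplianceTag $labelName

# Confirm what was created.
Get-ComplianceTag -Identity $labelName |
    Format-List Name, RetentionAction, RetentionDuration, RetentionType
```

As with the wizard, the label is not available to users until the policy has finished distributing.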

image

As detailed in the previous Retention Policies article, if you return to the policy you will see the status as shown above. You need to wait until that shows success before the changes are available across your tenant.

image

You should now also see your policy listed as shown above. I have also created a second policy and applied it in the same way.

image

After the label policy has been successfully applied across your tenant you can visit the SharePoint Team Site where it has been applied.

If you look at the Document Library in that location you see no obvious changes.

image

However, if you select Library settings from the COG in the top right of the screen

image

and then look in the Permissions and Management section as shown above, you will see an option Apply label to items in this list or library. Select this.

image

You’ll now see the ability to apply a label to items in this library automatically. This means when a new document is created here it will automatically assume the label you nominate. You can also elect to apply this label to any current unlabelled items in the library.

image

If you now select the list of labels that are available to be applied you should see the labels you just created in the Office 365 Security and Compliance center.

image

You can also modify the Document Library View to display the Labels field as shown. This will display the label that has been applied to that item.

image

If you now edit any item in that library you will see the Apply label field displayed as shown above.

image

When you edit this field, you will again see a list of labels you have created in the Security and Compliance center as shown above.

So the Office 365 labels act as a kind of managed metadata but the advantage they have over traditional SharePoint managed metadata is that these same labels can apply across different SharePoint, OneDrive and email locations in Office 365.

image

Another really great thing about Office 365 labels is that they can be applied to folders in SharePoint as well as individual items as shown above. Doing so means that everything in that folder will inherit the settings of the folder by default, just like SharePoint permissions.

Remember that labels are available across all Office 365 plans. With the Enterprise plans you get even more power when it comes to labels which I’ll dive into down the track.

Beware that you need to allow time for the policy to be applied across all your locations. In my experience this is generally quite quick with SharePoint and OneDrive but for Exchange it may take much longer. This is because each individual service applies and enforces the policy in its own way and own schedule.

In the case of Exchange the Managed Folder Assistant (MFA) handles the policy application. The MFA only runs on a seven day cycle so it can take this long for any of the policy to be applied to the mailboxes in question. You can run a PowerShell command to try and speed this process up somewhat but it is still somewhat hit and miss. So be patient after creating a new policy with email, it may take up to 7 days to be available.

I think the big take away here, and the different approach that needs to be adopted, is looking at data in a different way. Traditionally, most organisations have manually managed their own data. In reality, they haven’t really managed it at all because it takes too much work. They simply continue to create and save data in various locations with no real overarching management strategy. This allows mounds of data to accumulate, most of which no longer has relevancy. There is a cost to this.

With a bit of thought, up front planning and the use of Office 365 labels, organisations can better manage their data. They can create classifications that apply across their organisation, making it easier for users to tag data. This then allows the policies in operation in the background to take care of a large component of ongoing data management for them.

Like Alerts and Retention Policies, Labels are included in all Office 365 plans. They provide an easy way to classify and manage data across your tenant. They should be part of your information management strategy or in more official terms, the compliance policy within your organisation. To get the most from new tools like Office 365 you typically need to take a new approach to managing your information. Office 365 includes the tools to help you work smarter, so use them!

Advanced Office 365 Alerts

A while ago I wrote an article about the standard alerts in Office 365 that are common across all plans. You can read that article here:

Create Office 365 Alerts

I also alluded to the fact that with the Enterprise Plans in Office 365 you get additional features and options. Here’s an example of one such alert that I have in place to warn me about potentially suspicious activity in my Enterprise E5 tenant.

image

A very common activity that should be investigated is a mass download of files from the tenant. This is also heightened when that activity comes from an external source as you can see in the email alert I received above.

Now, it’s time to investigate.

image

If I now go to the Office 365 Security and Compliance center and select Alerts from the menu on the left and then View Alerts from the options that appear I see a list of recent alerts on the right as shown above.

To view the alert to examine it in more detail, I simply select it from the list. In this case I will select the first one.

image

Information about the alert now appears on the right. You will see that there is also a hyperlink, View activity list, to give you even more detail.

image

You see that selecting this option gives me the low level audit logs of the events that triggered this alarm. In this case I know that the external user is actually a member of my CIAOPS Patron community who is re-syncing the OneNote Codex that is part of their entitlements. So, I can now confirm that this was a known situation and I don’t need to investigate further.

image

I can however select any, or all, of the alerts and then select to Notify users using the button in the top left.

image

This will create an email like that shown above that you can send to the users in question.

When I’m finished looking at the alert activity I simply close that dialog.

image

I can now mark this alert as resolved using the button in the top right.

image

I do have a number of other options available to me when I mark this alert as shown above. However, in this case I’ll mark it as Resolved and Save it.

image

If I now re-examine an alert that has been resolved I’ll see the banner indicating that across the top of the page as shown.

You should also note that the activity items are not retained forever. It is a bit hard to read but the item highlighted on the right says “The activities for this alert have expired”.

Enterprise Office 365 plans have so many more security and compliance options available to you, as you can hopefully see from the above. If you are serious about IT security, then I’d be encouraging you to look at what the Enterprise Office 365 plans offer.
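The mass-download investigation described above can also be run directly against audit records. This is an added example, not the author's code or the logic behind the built-in alert: the threshold, the time window and the `#EXT#` test for guest accounts are assumptions, and the sample records (users, IP addresses) are constructed so the script runs offline.

```powershell
# Added example: flag users whose FileDownloaded events peak above a threshold
# inside a sliding time window. Sample data below is constructed.
function Get-BulkDownloadSuspect {
    param(
        [Parameter(Mandatory)] [object[]] $Records,  # objects carrying an AuditData JSON string
        [int] $Threshold = 50,                       # assumed cut-off, tune for your tenant
        [int] $WindowMinutes = 60                    # assumed window
    )
    # Flatten the JSON payload of each record to the fields we need.
    $events = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        if ($d.Operation -ne 'FileDownloaded') { continue }
        [pscustomobject]@{
            UserId   = $d.UserId
            Time     = [datetime]$d.CreationTime
            ClientIP = $d.ClientIP
        }
    }
    foreach ($g in ($events | Group-Object UserId)) {
        $t = @($g.Group | Sort-Object Time)
        $peak = 0; $start = 0
        # Two-pointer sliding window: largest number of downloads in any window.
        for ($end = 0; $end -lt $t.Count; $end++) {
            while (($t[$end].Time - $t[$start].Time).TotalMinutes -gt $WindowMinutes) { $start++ }
            $peak = [Math]::Max($peak, $end - $start + 1)
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                UserId    = $g.Name
                External  = $g.Name -like '*#EXT#*'   # assumption: guest accounts carry #EXT# in the UPN
                PeakCount = $peak
                ClientIPs = ($t.ClientIP | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Builds one constructed record in the shape the function expects.
function New-SampleRecord([string]$User, [datetime]$Time, [string]$IP) {
    $data = @{ Operation = 'FileDownloaded'; UserId = $User; ClientIP = $IP
               CreationTime = $Time.ToString('s') }
    [pscustomobject]@{ AuditData = ($data | ConvertTo-Json -Compress) }
}

$t0    = [datetime]'2018-03-20T02:00:00'
$guest = 'patron_example.com#EXT#@contoso.onmicrosoft.com'   # constructed guest account
$sample = @(
    0..59 | ForEach-Object { New-SampleRecord $guest ($t0.AddSeconds(10 * $_)) '203.0.113.10' }
    0..2  | ForEach-Object { New-SampleRecord 'staff@contoso.example' ($t0.AddMinutes(20 * $_)) '198.51.100.7' }
)

# Only the guest account (60 downloads in 10 minutes) is reported.
Get-BulkDownloadSuspect -Records $sample -Threshold 50 | Format-Table -AutoSize

# Live data instead of the sample (Exchange Online PowerShell, audit logging enabled):
#   Connect-ExchangeOnline
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#                  -Operations FileDownloaded -ResultSize 5000
#   Get-BulkDownloadSuspect -Records $records
```

A flagged account still needs the same judgement call the article makes: a known patron re-syncing a notebook looks identical in the counts to an unwanted bulk copy.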

Using Retention Policies in Office 365

Before we get into this article I need to reinforce the following:

Retention is NOT the same as backup

Thus, what I am going to cover here should NOT be considered as a replacement to any existing backup policy you have for Office 365. What I’ll cover here is retention of data based on policies you set. Retention can be a way to preserve data as well as delete data based on a set of defined rules. You should consider retention policies as part of your compliance strategy not as part of the disaster recovery strategy.

The great thing about retention policies in Office 365 is that they are generally available across all plans. So what I detail here should apply to all Office 365 tenants.

image

Office 365 has no retention policies in place by default. This means that any existing data has no additional protection. Importantly, this means that existing data will NOT be covered by the policy UNTIL the data has been changed. Thus, if you create a retention policy and then go and delete data BEFORE making any changes to it, the data will NOT be saved! Once in place, the policy ONLY applies to data that gets altered (i.e. updated or modified) from that point on.

With that in mind the first step in the process is to create a retention policy. You do this by navigating to the Security and Compliance center in Office 365. From there, select the Data Governance option from the menu on the left and then Retention from the submenu as shown above. You should see that there are no policies in place yet.

To create a new policy select the Create button on the right hand side of the screen.

image

Give your new policy a name and description and press the Next button at the bottom of the screen.

image

Here is where you need to decide what rules your policy will have. In this case I have chosen to retain data for 7 years based on when it was created and to not delete it after this period.

You’ll note that you can create policies that also delete data so be very careful when you select those options.

image

The bottom of the page allows you to use more advanced retention settings. In here there should be two options to select from as shown above.

image

The first option allows you to apply the policy via keyword or phrase. You simply enter those terms into the editor that is displayed when you select the option.

image

Once you have entered the keywords you wish, you’ll need to enter the standard retention options as shown above.

image

The second advanced retention option allows you to apply the policy based on ‘sensitive information’. As you can see from the above, you can select from a range of pre-configured sensitive information types that can be scoped to your country. Here, I am selecting Australian Financial Data.

image

If you look at the policy you will see what information it considers ‘sensitive’. In this case, the policy will match things like Australian SWIFT banking codes, Tax File Numbers, Bank Accounts and Credit cards.

image

Once you have set the data types for your policy, you’ll need to nominate which locations inside Office 365 this retention policy will apply to. You can apply the policy across all or specific data inside Office 365 as shown above.

image

You’ll see that you can target Exchange mail, SharePoint Online,

image

Groups (as well as Teams), Skype and Exchange public folders.

image

You’ll see that you can also include and/or exclude specific locations inside each service if you wish. Simply select the Choose hyperlink and make your selections as shown above.

image

Once you have completed all these options you can then Create this policy and apply it immediately or Save for later application.

In this case I’ll create the policy and apply it immediately. Note the message at the top of the dialog that tells you it may take a full day for the policy to be applied. I would suggest that you do wait a full day for the policy to be applied throughout your tenant before you continue.

image

After creating the policy you will see that the Status is On but it is Pending as shown above.

image

If you select the information icon you’ll see that what you want to wait for is the On (Success) option to be displayed here.

image

After waiting a suitable amount of time and checking the policy status you will find that it has succeeded as shown above.

At this point the policy is in place and is protecting any data that is now changed.
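The retention policy built in the wizard above can be created and checked from Security & Compliance PowerShell. This is an added example, not the author's script: the policy and rule names are placeholders, and limiting the policy to SharePoint sites is an assumption made to keep the scope narrow.

```powershell
# Added example: scripted equivalent of the retention policy wizard described above.
# Requires the ExchangeOnlineManagement module and a compliance administrator account.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

$policyName = 'Seven year retention'                             # hypothetical policy name

# The policy defines WHERE retention applies. Each location is opt-in, so only
# the services you name are covered (assumption here: SharePoint sites only).
$policy = @{
    Name               = $policyName
    Comment            = 'Keep content for 7 years from creation, do not delete afterwards'
    SharePointLocation = 'All'
}
New-RetentionCompliancePolicy @policy

# The rule defines WHAT happens and for how long.
#   Keep          = retain only, nothing is removed when the period ends (the article's choice)
#   KeepAndDelete = retain, then delete when the period ends
#   Delete        = delete when content reaches the age, no retention
# The last two remove data, which is the setting the article warns about.
$rule = @{
    Name                      = "$policyName rule"               # hypothetical rule name
    Policy                    = $policyName
    RetentionDuration         = 2555                             # 7 x 365 days
    RetentionComplianceAction = 'Keep'
    ExpirationDateOption      = 'CreationAgeInDays'              # based on when it was created
}
New-RetentionComplianceRule @rule

# Distribution runs in the background. Re-run this check until DistributionStatus
# reports Success, the equivalent of waiting for "On (Success)" in the portal.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus
```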

image

With the retention policy in place let’s go to the location of some file data in a SharePoint Team Site, specifically a Document Library as shown above.

image

Before we do anything, let’s check out what the Site actually contains.

image

We see that there is nothing special as yet. There will be, just not yet.

image

The retention policy will only act on changed documents from the point it was enabled. So we select a document in the library and edit it.

image

The document is changed and saved back to the library.

image

Now the file is still in its original location and the retention policy is applied. As the original file still exists in its original location the retention policy doesn’t need to take any action.

However, if the original file is now deleted from its original location as shown above what will happen?

image

Any document deleted from a SharePoint Document Library is sent to the Recycle Bin.

image

If we look in Recycle Bin we see the deleted document as shown again. The retention policy still does not yet need to take any actions as the document is still available, however remember, that items don’t stay in the SharePoint Recycle Bin forever. They are aged out after a total of 93 days. Thus, the retention policy doesn’t need to do anything until this time period is exceeded.

image

However, it is also possible for the user to delete the file from their recycle bin as shown above.

image

Once the user has deleted the file from their recycle bin the file will move to an administrator recycle bin for the remainder of the 93 days. Again, the retention policy doesn’t need to take any actions until this time period is exceeded.

image

At the point at which the file is going to be purged from the Office 365 environment the retention policy that was configured kicks in. It creates a new document library in the Team Site called Preservation Hold Library as shown above.

image

This new document library is only available for administrators to view and when you look in here you will see all versions of the deleted file. Remember that every time you change a file in SharePoint it creates a previous copy.

Thus, as an administrator, we can recover a file from this location for the period of the retention policy, which in this case is 7 years. Once the conditions of the retention policy no longer apply to the file (here it is > 7 years) the file will be removed permanently within 7 days from the tenant.

You can find lots more information about Office 365 retention policies here:

Overview of retention policies

In there, you will note for email data:

To include an Exchange Online mailbox in a retention policy, the mailbox must be assigned an Exchange Online Plan 2 license. If a mailbox is assigned an Exchange Online Plan 1 license, you would have to assign it a separate Exchange Online Archiving license to include it in a retention policy.

So, retention policies are a good way to manage the compliance of your data. As I said at the start, they are NOT a replacement for backup, however they do provide an extra layer of protection for your information and can be implemented quite easily as you can see above.

The last thing to remember is that retained data has to live somewhere and will consume your tenant space availability across the different services. The more locations and data you protect, the more copies of previous data you will have. So keep it simple and limit what you want to retain. This means planning your retention strategy in advance rather than bulk applying it to all data in all locations.

Finally, remember that retention policies are available across the range of Office 365 licenses and I would encourage you to take advantage of them.

Create Office 365 Alerts

Another option that all Office 365 plans support is the ability to create your own custom alerts. Before you do this though, you’ll need to ensure that you have enabled the activity auditing in Office 365. Here’s an article I wrote that shows you how to do this:

https://blog.ciaops.com/2018/02/enable-activity-auditing-in-office-365.html

image

It will take 24 hours or so for the activity logging to be fully enabled but you can still go in and create alerts. You’ll need to navigate to the Security and Compliance center. From the menu on the left expand the Alerts option and then select Manage alerts.

You will probably see that there are currently no alerts configured as shown above. To configure an alert simply select the New alert policy button at the top of the page.

image

This will open the options window shown above. Give the alert a name and a description.

image

All Office 365 plans will have the choice to make the alert either Custom or Elevation of privilege as shown above. Other plans may have additional options, but you should select Elevation of privilege and configure that as your first alert.

image

If you repeat the alert creation process but this time select to create a Custom alert you can then choose from a wide variety of activities to trigger the alert as shown above.

image

You can filter the list to the choices you wish using the search field at the top. Here I am filtering for any password activities.

image

I simply select the activities I want included in the alert as shown above. When I select an option, a check appears to the right of the item.

image

You then optionally set the users you wish to monitor for this activity (leaving the field blank applies it to all users) and finally whom you send any alerts to in your tenant (typically an administrator).

image

You then save the new alert and you should now see it in the Manage Alerts area as shown above.

image

Now when an alert triggers you get an email alert as shown telling you about the activity.

image

The alert email has lots of links that allow you to go and view the details in various places, typically in the audit log, which is why you need to turn that ability on first.

image

When we look in the audit log we see the activity and can investigate further.

image

As I said, all the Office 365 plans allow you to do the basic alerting as I have shown, however with the Enterprise plans you get a whole range of additional abilities and alerts as shown above.

image

You also get additional categories as you see above. If you are serious about the security of your Office 365 tenant then I would highly recommend you consider Enterprise rather than business plans.

In summary, every Office 365 plan includes the ability to configure custom activity alerts which is something you should do. There are lots of activities you can alert on so be judicious about which activities you alert on, as it is very easy to get overwhelmed by spurious alerts.

image

My general recommendation would be to set up the above list of alerts as a minimum but suggest you start with a handful and increase and refine over time.

As I said, I would also recommend looking at Enterprise plans to provide additional alerting abilities and functionality, however no matter which plan you have, go in and add some form of alerting that makes sense for your tenant as there is typically nothing there by default.