).Count -eq 0}
$Groups | Select Id, DisplayName, ManagedBy, WhenCreated
ForEach ($G in $Groups) {
Write-Host "Warning! The following group has no owner:" $G.DisplayName
}](https://image.slidesharecdn.com/spsnyc2019-190730002847/85/Governance-in-the-Modern-Workplace-SharePoint-OneDrive-Groups-Teams-Flows-and-PowerApps-21-320.jpg)
![Beer Authority
300 W 40h St
[across the street]
Join us for a round of drinks
http://www.beerauthoritynyc.com](https://image.slidesharecdn.com/spsnyc2019-190730002847/85/Governance-in-the-Modern-Workplace-SharePoint-OneDrive-Groups-Teams-Flows-and-PowerApps-57-320.jpg)
Governance in the Modern Workplace: SharePoint, OneDrive, Groups, Teams, Flows, and PowerApps
- 1. Toni Frankola Governance in the Modern Workplace: SharePoint, OneDrive, Groups, Teams, Flows, and PowerApps
- 2. • More than 20 years experience in IT • SharePoint / Office 365 MVP 2010-2019 • With SharePoint since 2003. Toni Frankola Co-founder and CEO SysKit Ltd., Croatia
- 3. SharePoint On-prem, Hybrid and Office 365 Solutions SysKit Ltd. SysKit is a software development company based in Zagreb, Croatia, Europe founded in 2009. We create innovative software solutions for SharePoint and Office 365 admins and consultants.
- 5. Governance is the set of policies, roles, responsibilities, and processes that control how an organization's business divisions and IT teams work together to achieve its goals. What is Office 365 Governance?
- 6. How do we manage Office 365 • Via the Admin Center(s) • PowerShell • Exchange Online • SharePoint Online • Microsoft Teams • Azure AD (Groups) • Power platform (PowerApps / Flow)
- 10. 8 ways to create Office 365 groups Source: sharepointeurope.com
- 11. Office 365 Groups • The foundation that allows you to manage security • Reduces the need for „Shadow IT”
- 12. Dangers of Office 365 group sprawl • In the effort to stop the „Shadow IT” we can easily encounter sprawl • Key steps: • Control who can create Office 365 Groups • Group soft delete and restore (30 days) • Group naming policy • Group expiration policy • Group guest access • Group policies & information protection • Upgrade traditional collaboration tools • Groups reporting
- 13. Restrict Groups creation • Creation of groups can be restricted to a members of a particular security group • Configured via PowerShell • Pros: Prevents group sprawl • Cons: Increases the burden on the limited number of people and prevents O365 usage • Caveats: • Certain administrator roles exempt from this rule • Exchange, Partner Support, Directory Writers, SharePoint, Teams, User Mngt. Azure AD Premium Licenses required for „group creators” • No special license is required for users that will NOT be creating groups
- 14. Control who can create Office 365 Groups – Best Practices • Start with self-service if anyhow possible • Make sure your internal policies documented and in-place • Revisit this as you go • Three modes of operation: Open, IT-Led, Controlled • Tightly controlled group creation can decrease productivity as many services require Office 365 groups
- 16. Office 365 Groups naming policy • Sometimes inconsistent naming can cause a lot of governance issues • OOTB naming policy can leviate some of those issues • Easier categorization or identifiy purpouse • Block certain words (important because each group gets and email address e.g billg@microsoft.com) • To use the Groups naming policy feature, the following people need an Azure Active Directory Premium P1 license or Azure AD Basic EDU license: • Everyone who is a member of the group. • The person who creates the group. • The admin who creates the Groups naming policy
- 18. Office 365 Group Expiration Policy • Can be setup as an internal process so owners have to „renew” the group • Helps clear the groups that are no longer being used like: • Projects that finished • Departments that merged • Staled groups • Group expiration is an Azure Active Directory (Azure AD) Premium feature
- 20. Orphaned Groups • When group owner leave the company, group becomes orphan i.e. without owner • Group can still be used, content is not lost • Administrator should assign someone else as owner • Best practice always have more than one owner at anytime
- 21. How do I find „orphaned” groups Sample: $Groups = Get-UnifiedGroup | Where-Object {([array](Get-UnifiedGroupLinks - Identity $_.Id -LinkType Owners)).Count -eq 0} $Groups | Select Id, DisplayName, ManagedBy, WhenCreated ForEach ($G in $Groups) { Write-Host "Warning! The following group has no owner:" $G.DisplayName }
- 22. External / Guest users • By default, guest (external) access is turned on • An external user is someone from outside your Office 365 subscription to whom you have given access to one or more sites, files, or folders. An Authenticated external user is a user who have a Microsoft account or a work or school account from another Office 365 subscription. • Can be turned off for entire org, or individual sites • Plan external sharing ahead • It's important that all group members have permission to access the team site
- 23. External users authorization • Three basic authorization levels for shared items: (may wary depending on the object type being shared) • Sign-in with an account • Sign-in with code • Anonymous
- 24. Manage guest access to Office 365 Groups • Controlled by underlaying SharePoint Online settings • OneDrive can be more restrictive • You can control it for individual sites (more restrictive) • SharePoint site • OneDrive site
- 26. How do I find all these external sharings • Audit Log • Warning: Data retention and content overflow • eDiscovery • Warning: Licenses • PowerShell • Get-SPOExternalUser • 3rd party tools
- 27. Groups Governance additional steps • Organizational-wide teams • Dynamic Memberships of AD Groups (e.g. based on department) • Azure AD Premium feature • Group classification • Groups hidden from GAL • Define usage guidelines • Azure Information Protection • Access Reviews • Groups with secret membership
- 28. SharePoint
- 29. SharePoint • The most of governance for SharePoint online depends on the underlaying group • There are some specifics…
- 31. External users (Applies to OneDrive too)
- 32. SharePoint / OneDrive per site external sharing settings • Individiaul security settings can be configured per individual OneDrive or SharePoint
- 33. OneD riv e / Sha rePo int p er sit e ext erna l user set t ing s Demo
- 34. Modernize SharePoint Online sites 1. Run the SharePoint modernization scanner to detect those sites 2. Connect to a SharePoint group Not available for some templates 3. Remove non-supported customizations on web-part and wiki pages • Check SharePoint Modernization Framework PnP
- 35. OneDrive
- 36. External Users (see SharePoint slides)
- 37. OneDrive default size and PowerShell repor ts Demo
- 38. OneDrive Limited Access For OneDrive Using these settings you can: • Block downloading files in the apps • Block taking screenshots in the Android apps • Block copying files and content within files • Block printing files in the apps • Block backing up app data • Require an app passcode • Block opening OneDrive and SharePoint files in other apps • Encrypt app data when the device is locked • Require Office 365 sign-in each time the app is opened • Choose values for how often to verify user access and when to wipe app data when a device is offline.
- 39. Microsoft Teams
- 40. Office 365 Groups and Teams Activity Report • Activity in Group mailbox • Activity in SharePoint site • Activity in the Teams chat • Script by Tony Redmond Office 365 Groups and Teams Activity Report
- 41. Office 365 Groups and Teams Activity Repor t Demo
- 42. PowerApps / Flow
- 43. The landscape
- 44. Environments • Microsoft PowerApps Environment Admin, Office 365 Global Admin, or Azure Active Directory Tenant Admin, who needs to have a Plan2 license for PowerApps and/or Flow. • Use the Admin Cetner to control them • Use PowerShell Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber Install-Module -Name Microsoft.PowerApps.Administration.PowerShell Add-PowerAppsAccount Get-AdminPowerAppEnvironment | Format-Table -Property EnvironmentName, DisplayName, CreatedBy, Location
- 45. Po wer Pla t fo rm Ad min UI Demo
- 46. Connectors
- 47. Retrieve connectors $allApps=Get-AdminPowerApp | Where-Object{$_.EnvironmentName- eq$envname} | SELECT AppName,CreatedTime,EnvironmentName foreach($app in $allApps) { $app.AppName Write-Output"==========" Get-AdminPowerAppConnectionReferences-EnvironmentName $envname- AppName $app.AppName | SELECT ConnectorName,ConnectorId,DisplayName,Publisher }
- 49. Audit Log
- 50. Audit Log • Easily forgotten but the key tool to govern your Office 365 • Audit log search feature comes handy as it allows you to search for following event types: • Admin activity in SharePoint Online • Admin activity in Azure Active Directory (the directory service for Office 365) • Admin activity in Exchange Online (Exchange admin audit logging) • User and admin activity in Sway • eDiscovery activities in the Office 365 Security & Compliance Center • User and admin activity in Power BI • User and admin activity in Microsoft Teams • User and admin activity in Dynamics 365 • User and admin activity in Yammer • User and admin activity in Microsoft Flow • User and admin activity in Microsoft Stream
- 51. Audit Log (2) • Audit logging is not turned on by default so configure it in advance • Retention: • Office 365 E3: Audit records are retained for 90 days. That means you can search the audit log for activities that were performed within the last 90 days. • Office 365 E5: Audit records are also retained for 90 days. Retaining audit records for one year may eventually be available for E5 users and users with an E3 license and an Office 365 Advanced Compliance add-on license. • The private preview program for the one-year retention period for audit records for E5 organizations (or for users in E3 + ACL)
- 52. Audit Log Tools • Search and Compliance Center • PowerShell (Exchange module)
- 53. Aud it Lo g To o ls Demo
- 54. BINGO CARDS • WEBCON – has the bingo cards, visit them to play • Bingo Cards = how you win prizes at the end of the event. • The cards must be stamped by ALL the Sponsors in order to be eligible to win. • For the grand prizes you must have opted-in when registering. • Must be here to win at the end of the day. Another Surface Go Xbox One S Tons of prizes .. Socks, buttons, bags, echo dots, gift cards, plural sight, gaming monitor, Bluetooth
- 55. EVALUATIONS • Speaker Evaluations • located at the front of the room • Will be read by the org and then sent to speakers • Be honest and constructive • Turn in 6th floor info desk • Event Evaluations • Visit the 6th floor info desk • Give us your honest feedback – we can take it • Turn in 6th floor info desk
- 56. THANK YOU EVENT SPONSORS We appreciated you supporting the New York SharePoint Community! • Diamond, Platinum, Gold, & Silver have tables scattered throughout • Please visit them and inquire about their products & services • To be eligible for prizes make sure to get your bingo card stamped by ALL sponsors • Raffle at the end of the day and you must be present to win!
- 57. Beer Authority 300 W 40h St [across the street] Join us for a round of drinks http://www.beerauthoritynyc.com
- 58. Q&A
Editor's Notes
- #60: Group naming policy > okej ti mozes lijepiti neke atribute, ali ne mozes uvjetovati da grupa recimo ima „External” ako su unutar nje vanski useri. To lijepljenje atributa je dosta rigidno i ne daje fleksibilnost i samo mnogo povećava ta imena Traži licencu Nema mogućnosti da si ja stavim email kad netko napravi grupu ili team Nema mogućnosti da se nađu iste grupe Nema pametne mogućnosti da se detektiraju unused grupe tipa Krk trail i da se obavi neka operacija s tim Nema mogućnost postavljanja alerta kad netko pozove external usera Groupe bez ownera Grupe s jednim ownerom Grupe samo s disejblanim ownerima Znaci ti mozes kontrolirati External Sharing na razini organizacije sa svim onim postavkama, onda to mozes mijenjati za svaki SharePOint Site i OneDrive. OneDrive se upravlja preko Admin > Active Users a ne preko OneDrive admin centra