Are you here looking for an answer to the question in the title? If you are a Microsoft partner helping a customer implement Teams, or a customer in the process of implementing Teams, then this topic is probably already being discussed. Almost every customer I work with asks me what other customers are doing about Teams provisioning. Are others allowing end users to create a new team whenever they need one, or is there a review and approval process?
A few years back, this question was not even asked in large enterprises. Organizations had developed processes for provisioning SharePoint sites and file shares. The process usually consisted of a request from an end user, followed by review and approval by IT, before an additional content store was provisioned. So why this question now? What has changed that prompts IT to even consider whether end users should be allowed to create a new team without any review and approval?
To understand this, let's first look at why organizations have a provisioning process in place:
Historical reasons for review and approval process
CAPEX & OPEX
With on-premises infrastructure such as Exchange Server and SharePoint, every new SharePoint site or mailbox meant additional CAPEX and OPEX to manage the content. Although the cost of storage keeps going down, there is still a limit, and if IT does not control growth, CAPEX and OPEX increase: storage, networking, security, and so on. In addition, IT is responsible for meeting SLAs (Service Level Agreements), and with more infrastructure comes the additional cost of people, processes and technology needed to meet those SLAs. Some organizations also run a secondary disaster recovery infrastructure, which must grow in step with usage.
A review and approval process for provisioning allowed IT to gather a business justification for each new content store. In some cases it also allowed IT to charge the cost back to business units.
Broadly speaking there are two types of content store: authoritative and project based. An authoritative content store holds corporate content that is the single source of truth for the entire organization. These stores are managed centrally, and content usually goes through a review process before being published there. Examples include HR policies, financial reports and organizational records. Project-based content, on the other hand, is short lived and has limited visibility (compared to authoritative content); it may become authoritative as it matures. Examples include initiatives and projects. As noted earlier, you need review and approval both for creating an authoritative content store and for publishing content in it. Without review and approval you end up with redundant and obsolete content: several versions of an HR policy, some new, some old and some in between.
In the case of project-based content, the scope is limited to a group of users. You can still end up with redundant content stores when users from two separate groups each create a SharePoint site for a similar initiative. Sometimes that is a valid need, but what if it is not? What if these two groups really needed to work together in the same SharePoint site?
A review and approval process might have prevented the creation of two separate SharePoint sites (assuming IT has visibility into existing sites and knows the business justification for each one).
Do you know someone who is still holding on to their emails from 15 years back? Most of us do, because as humans we are programmed to hold on to things in case we need them in the future. You see this play out in large enterprises as file shares, folders and SharePoint sites that are no longer used. IT often finds it difficult to get rid of this content, either because the owner has left the organization or because the owner feels there is still a need to retain it.
A review and approval process would capture the business need for this content and drive its retention and disposition.
Security & compliance concerns:
Every organization, big or small, in most countries needs to comply with industry and government regulations: GDPR, HIPAA, SOX or others. Compliance requires content to be secured, audited, archived and reviewed according to the privacy and other requirements of those regulations. As new content stores and content are created, the organization needs to ensure they meet the regulatory requirements.
A review and approval process helps IT enable the appropriate compliance controls based on the business need of each content store.
One of the biggest liabilities of not disposing of content is the exposure in legal litigation. Content that does not need to be retained should be disposed of to reduce that exposure. On top of the legal risk, surplus content means additional expense for attorney review during the eDiscovery process.
Here a review and approval process helps determine the lifespan and classification of the content store, which in turn drives the retention rules.
Findability and user experience:
Have you heard users complaining that search doesn't work? Often it doesn't, because most of the content is outdated and therefore irrelevant. The redundant and obsolete content discussed above directly degrades the search experience. Imagine trying to find a recent example of an RFP response and having to click through result after result before you find something relevant. The naming of content stores has a direct impact on findability as well: imagine searching for RFP and seeing 10 folders all named 'RFP Response'.
With a review and approval process, the idea is that IT would guide users on naming to alleviate the findability concern.
Discussion between end user and IT
Now the question is whether the reasons stated above are still valid. To explore this, I encourage you to watch this recording of a dialog between end users and the IT community. A lot has changed in the last few years: not only has the technology advanced, but agility has become a key driver of business success. Today the CIO has to balance the risks of compliance and security against the speed of innovation. I am seeing more and more organizations discussing this topic, and some going so far as to remove all review and approval for creating a team in Microsoft Teams. Microsoft's own IT organization is an example. Is your organization, or your customer's, ready to take the leap? Should you open it up for end users to create new teams, or take a gradual step in that direction? The following are some key perspectives from the discussion in the recorded video.
End user perspective
Following are some key themes from end users. Note these are not actual phrases, but the essence of the conversation.
- People fight with me when I give wrong names. Don't tell me I cannot create teams. Educate me in soft skills, such as naming conventions, necessary to make better decisions.
- Just like a driver needs a driving license, make sure users who are empowered to create a new team have been through appropriate training.
- End users do not understand compliance unless they are part of the compliance group. Help end users understand why compliance is important, and help them understand what needs to be protected and how.
- Control defeats innovation and learning something new. It is an experiment to learn and adjust for creating new policies for your organization. It is not a point of failure, it is attempted learning.
- If I am in a meeting with other end users and we decide to start a team for collaboration, I cannot wait three days, one day or even half a day before my request for a new team is approved. How do we balance speed and compliance?
- As an end user, I am not going to ask the right questions. Don't write too many rules, because you are keeping me dumb. Invest in end users. Educate us on why this is important. This is an investment that will help in the future.
- Turning a control ON or OFF is not the right question. How do we enable end users to leverage technology to drive business value, and what requirements do we have? There is no good or bad, there is contextual learning.
IT pro perspective
Following are some key themes from the IT pro community. Note these are not actual phrases, but the essence of the conversation.
- When you create a new Team, other artifacts get created, such as a Group, a SharePoint site and a mailbox. SharePoint is a good example: what if you have created a Team for which a SharePoint site already exists? In this scenario, you end up with two SharePoint sites for the same purpose. This impacts search. As an IT pro, I want users to adopt, and I also want to put a process in place that is fast for approvals.
- IT is responsible for protecting corporate assets. In highly regulated organizations, we need to know what is being put in there so that we can control security and expiration. We need to know when a new group or team gets created. This helps us reach out with training and information protection.
One common theme among end users is "educate, don't control"; from IT, the concerns are the points we discussed above: security, compliance and findability. I believe now is the time for every organization to revisit this topic and have a discussion between end users and IT. There are several technical controls today for security and compliance, but they do not replace the need to educate end users about the importance and the risks. Every initiative has people, process and technology aspects, and it starts with people. As one of the end users suggested, let's not make end users dumb by applying controls, but empower them through education.
Even with all the education and technology controls, there can be a perfectly valid reason to keep a review and approval process for creating a new team. You could also implement the driving license analogy, so that the users who are empowered have been trained and understand their responsibility. Other factors to consider are the industry and the maturity of your IT processes.
Unfortunately, there is no one answer that suits every organization. As a service vendor, we provide controls you can use to manage the process. In the following section we revisit each of the concerns discussed above in the light of the IT controls now offered by Microsoft 365.
Use this as guidance to help you decide how to balance compliance and agility.
CAPEX & OPEX
Just recently Microsoft announced a 20x increase in the per-user-license storage allocation for SharePoint Online. The point is that with a cloud service such as Office 365, your infrastructure management cost goes down: you are not managing backup and recovery, storage, or a disaster recovery infrastructure. This does not mean there is no limit, but managing additional infrastructure as usage grows is no longer the concern it was when everything was on premises. For instance, with 1 TB per tenant plus 10 GB per license, 5,000 users get a total of 51 TB of storage. That should be enough for most organizations to set aside infrastructure concerns when it comes to Teams provisioning.
Earlier we talked about authoritative and project-based content. In Office 365, SharePoint provides the content services for storing, managing and recommending content to end users. You would use SharePoint capabilities such as publishing, communication and hub sites to manage authoritative content across the organization, and Microsoft Teams for project-based content such as projects and initiatives. Remember that when you create a new team, a SharePoint team site is created for it, and all files shared in the team are stored and managed behind the scenes by SharePoint.
To make two teams with the same name distinguishable, you can now use the Office 365 Groups naming policy. With a naming policy you define prefix and suffix rules, built from fixed strings or user attributes, so that the name of a new Group includes, for example, the creator's department as a prefix. When Joe from HR creates a Group / Team named 'Hurricane Relief', the name becomes 'HR_Hurricane Relief'; when Jane from Marketing creates a Group / Team named 'Hurricane Relief', the name becomes 'Marketing_Hurricane Relief'. Because a team is an Office 365 Group, the same policy applies whether the group is created from Teams, Outlook, SharePoint or Planner. This convention helps findability: someone emailing the 'Hurricane Relief' group will see two separate entries in the Global Address List, one prefixed HR and the other prefixed Marketing, instead of two identical names.
One common IT ask is to prevent end users from creating Teams / Groups whose names suggest corporate functions such as HR, Marketing or Legal, since those names are reserved for authoritative content stores managed at the corporate level. IT can now achieve this with the blocked words list of the Office 365 Groups naming policy. Note that blocked words are matched case-insensitively as whole words, so blocking 'HR' does not block 'Hurricane'.
As mentioned earlier, obsolete content is a major concern not only for IT but also for legal, because of the litigation exposure. Most organizations find themselves trying to clean up their content every 2 to 5 years by asking users to revisit what they have stored in file shares and SharePoint sites. This concern is now addressed by the Office 365 Groups expiration policy. With an expiration policy, IT defines a lifetime after which the team owner is notified and must confirm that the team is still in use. If nobody renews it, the team (with its Group, site and mailbox) is soft-deleted; an administrator can restore it for 30 days, after which it is permanently deleted.
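The naming policy and the expiration policy described in the three paragraphs above are both Azure AD settings on Office 365 Groups, so the following script, added here as an example and not taken from the original post, configures both together with the AzureADPreview module. It assumes the module is installed, the account used holds Global Administrator, and the tenant has Azure AD Premium P1 licenses (both features require them). The blocked words, the 365-day lifetime, the notification mailbox and the object id in the last comment are illustrative.

```powershell
# Added example (not from the original post): configure the Office 365 Groups
# naming policy and the group expiration policy with the AzureADPreview module.
# Assumptions: AzureADPreview installed, Global Administrator account,
# Azure AD Premium P1 licences. Blocked words, lifetime and addresses are illustrative.
Import-Module AzureADPreview
Connect-AzureAD

# ---- Naming policy -------------------------------------------------------
# Group settings live in an instance of the "Group.Unified" template. A tenant
# has at most one instance, so update it if it already exists; creating a
# second one with New-AzureADDirectorySetting fails.
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
$isNew = ($null -eq $setting)
if ($isNew) { $setting = $template.CreateDirectorySetting() }

# Prefix every new group with the creator's Department attribute:
# 'Hurricane Relief' created by Joe (Department = HR) becomes 'HR_Hurricane Relief'.
# [Department] is resolved per user; text outside brackets is applied verbatim.
$setting['PrefixSuffixNamingRequirement'] = '[Department]_[GroupName]'

# Reserve corporate-function names for centrally managed authoritative stores.
# Comma-separated; matching is case-insensitive and on whole words, so
# 'Payroll' is still allowed when only 'Pay' is blocked.
$setting['CustomBlockedWordsList'] = 'HR,Human Resources,Marketing,Legal,Finance,Payroll'

if ($isNew) {
    New-AzureADDirectorySetting -DirectorySetting $setting
} else {
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Read the policy back to confirm what was actually stored.
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -in 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList' }

# ---- Expiration policy ---------------------------------------------------
# Every group (and therefore every team) expires 365 days after creation or
# last renewal. Owners are emailed before expiry and can renew; if nobody
# renews, the group is soft-deleted and restorable by an admin for 30 days.
# The alternate address receives notifications for groups that have no owner.
$lifecycle = Get-AzureADMSGroupLifecyclePolicy
if ($lifecycle) {
    Set-AzureADMSGroupLifecyclePolicy -Id $lifecycle.Id -GroupLifetimeInDays 365 `
        -ManagedGroupTypes All -AlternateNotificationEmails 'teams-governance@contoso.com'
} else {
    New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 365 `
        -ManagedGroupTypes All -AlternateNotificationEmails 'teams-governance@contoso.com'
}

# Restore a team that expired before its owner noticed (id is illustrative):
# Restore-AzureADMSDeletedDirectoryObject -Id '00000000-0000-0000-0000-000000000000'
```

Two practical checks before rolling this out: create a test group as an ordinary user afterwards and confirm the prefix is applied and a blocked name is rejected, because the naming policy does not apply to some administrator roles, so testing as an admin proves nothing; and use `-ManagedGroupTypes Selected` with a pilot set of groups first if a tenant-wide 365-day clock on every existing team is more than your owners are ready for.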
Security & compliance concerns:
Compliance Manager is a new capability in Office 365 that lets an organization assess its current compliance controls and get recommendations for closing the gaps. This is particularly useful for GDPR (General Data Protection Regulation) compliance.
To address security requirements, Office 365 provides DLP (Data Loss Prevention) and AIP (Azure Information Protection), regardless of where content is stored within Office 365. DLP lets IT create policies that detect sensitive content and prevent users from sharing it. AIP lets IT define classification labels, applied manually or automatically based on the same sensitive information types DLP uses, that attach protection to the content itself, so the content stays protected wherever it travels from one user to another. For instance, if a document contains an SSN, AIP can classify it as Highly Confidential and encrypt it so that only users from the HR department can open it. Even if the document is then emailed outside, accidentally or by a malicious user, nobody outside HR can open it.
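The DLP side of the paragraph above, as an added example that is not from the original post: a policy that blocks content containing a U.S. Social Security Number from being shared outside the organization, across Exchange, SharePoint, OneDrive and Teams, built with Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and an account holding Compliance Administrator; the policy name, rule name and admin address are illustrative. The AIP encryption step (label plus HR-only rights) is configured in the label policy rather than here.

```powershell
# Added example (not from the original post): DLP policy that blocks external
# sharing of content containing a U.S. SSN. Assumes ExchangeOnlineManagement
# and a Compliance Administrator account; names and addresses are illustrative.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$policyName = 'Block external sharing of SSN'

# Start in test mode: matches are logged and users see policy tips, but nothing
# is blocked yet. Switch to -Mode Enable once the pilot shows no false positives.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Content containing a U.S. SSN must not leave the organisation' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# The rule: at least one SSN in content that is accessible outside the
# organisation. -AccessScope NotInOrganization means it fires on external
# sharing only, so HR working on the same file internally is not interrupted.
New-DlpComplianceRule -Name 'SSN - block external access' -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, DocumentLastModifier, Detections, Service, RulesMatched `
    -ReportSeverityLevel High

# Confirm the condition and action were stored as intended.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, ContentContainsSensitiveInformation

# After the pilot:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running in `TestWithNotifications` first is the "walk before you run" step from the takeaways: the incident reports show which teams and sites would have been blocked, and a single team that legitimately handles SSNs (payroll, benefits) can be excluded with the policy's location exception parameters before enforcement turns on.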
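The two retention rules in the paragraph above, as an added example that is not from the original post, built with Security & Compliance PowerShell: a 'Contract' label that keeps content for 5 years from creation, and a tenant-wide default that deletes content 7 years after creation, plus the separate policy Teams messages need. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and a Compliance Administrator account; label, policy and rule names are illustrative, and the durations are 1825 days (5 years) and 2555 days (7 years).

```powershell
# Added example (not from the original post): retention label plus retention
# policies matching the contract / 7-year scenario above. Assumes
# ExchangeOnlineManagement and a Compliance Administrator account; names are
# illustrative, 1825 days = 5 years, 2555 days = 7 years.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'

# 1. A 'Contract' label: keep for 5 years from creation. A user can still delete
#    the document, but a copy is preserved (Preservation Hold library in
#    SharePoint / OneDrive, Recoverable Items in Exchange) until the period ends.
New-ComplianceTag -Name 'Contract' -Comment 'Retain 5 years from creation' `
    -RetentionAction Keep -RetentionDuration 1825 -RetentionType CreationAgeInDays

# Publish the label so owners can apply it in SharePoint, OneDrive and Exchange.
New-RetentionCompliancePolicy -Name 'Publish Contract label' `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All
New-RetentionComplianceRule -Name 'Publish Contract label - rule' `
    -Policy 'Publish Contract label' -PublishComplianceTag 'Contract'

# 2. Tenant-wide default: delete 7 years after creation, whether or not the user
#    ever deleted it. Retention wins over deletion, so a document labelled
#    'Contract' is kept for its 5 years and only then falls under this rule.
New-RetentionCompliancePolicy -Name 'Delete after 7 years' `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All
New-RetentionComplianceRule -Name 'Delete after 7 years - rule' `
    -Policy 'Delete after 7 years' -RetentionComplianceAction Delete `
    -RetentionDuration 2555 -ExpirationDateOption CreationAgeInDays

# 3. Teams chat and channel messages need a policy of their own: Teams locations
#    cannot be combined with the other workloads in a single retention policy.
New-RetentionCompliancePolicy -Name 'Teams messages - delete after 7 years' `
    -TeamsChannelLocation All -TeamsChatLocation All
New-RetentionComplianceRule -Name 'Teams messages - delete after 7 years - rule' `
    -Policy 'Teams messages - delete after 7 years' `
    -RetentionComplianceAction Delete -RetentionDuration 2555

# Review what is now in force.
Get-ComplianceTag | Select-Object Name, RetentionAction, RetentionDuration, RetentionType
Get-RetentionCompliancePolicy | Select-Object Name, Enabled, DistributionStatus
```

Note that the Teams policy covers chat and channel messages only; files shared in a team live in the team's SharePoint site and are governed by the SharePoint policies in steps 1 and 2. Also check `DistributionStatus` after a few hours: a policy that shows an error there is not being applied anywhere, and nothing else will tell you.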
Findability and user experience:
Expiration policy and advanced data governance together ensure that obsolete content is disposed of according to compliance needs, which in turn means search results consist of content that is active and relevant.
What we discussed in this blog post is primarily the technology aspect. The people and process aspects are equally important for a successful deployment and adoption of Microsoft Teams. These are the key learnings I want you to take away:
- There is no universal answer to whether you let end users provision teams or require review and approval. It depends on your requirements. My recommendation is to revisit your decision in the light of the new capabilities in Microsoft 365.
- End users need speed to innovate. IT needs to ensure assets are protected and compliance needs are met.
- One key point from the discussion video is the end user asking IT to educate users on how they can help with the process, rather than controlling what they can and cannot do.
- The review and approval process was key to security and compliance because policies were assigned at the container level. With Office 365 data governance, AIP, DLP and Office 365 Groups capabilities, policies are defined and enforced at the tenant level and apply to content across services such as Teams, SharePoint and Exchange.
- Walk before you run. Pilot the new approach, solicit feedback often, fail fast, and iterate quickly.
Resources
- Video: Discussion between end user and IT pro community
- Office 365 Groups management: naming controls, expiration policies, etc.
- Compliance Manager
- General Data Protection Regulation (GDPR)
- Office 365 Groups expiration policy
- Office 365 Groups naming policy
- Office 365 Data Loss Prevention
- Office 365 Data Governance
- Retention policies in Microsoft Teams
- Azure Information Protection