Microsoft has released great tools and services available through Office 365: MS Teams, PowerApps, Flow to name a few.
Turning these services on will provide huge benefits to your business. As with all great technology, don't forget to manage it properly.
We hope this post will help you on your way to effectively govern and manage these tools for your organization.
PowerApps and Flow
PowerApps and Flow are a great combination for routing information to the right person(s) or place at the right time on any platform or device. We have seen significant adoption and interest from our clients. We expect this to continue as these products continue to mature and develop.
These tools offer the ability to quickly build and deploy high value solutions that will quickly put smiles of the faces of your users. Along with this, a lot of mileage can be covered with these tools with little or no code and in a relatively short amount of time.
These tools provide great benefit to many of the organizations we visit. Once activated, any licensed user can create a PowerApp or Flow.
Environments: A Key Management and Governance Tool
Once these services are enabled, a default environment will be created on your tenant. Each environment has two built in roles; Environment Admin and Environment Maker.
Environment Admin: Anyone in the Environment Admin role has full rights to the environment including role assignments.
Environment Maker: Users in the Environment Maker role can create PowerApps and Flows.
IMPORTANT! By default, all users in the default environment are granted the Environment Maker role and it cannot be removed.
Mo' Software, Mo' Problems?
If you look at your organization, how many mission critical apps are in MS Excel or MS Access and were (maybe many years ago) created by an engineer or accountant?
Now consider how much further these solutions could evolve using a tool like PowerApps and Flow - with the availability of hundreds of connectors?
Don't feel too bad though. Most organizations have experience with their users creating undocumented, ungoverned Excel Spreadsheets that drive mission critical processes.
Control with Tools
- There are configuration settings and services in place to help mitigate some of the concerns raised above.
- Admins are able to adjust / configure Data Loss Prevention policies for Flow to keep data safe:
- Admins have visibility through the PowerApps Admin Center to manage Environment, Policies and Databases.
Manage with Environments
Several environments can also be created to control how PowerApps and Flows are deployed.
Helpful Tip! You can create Production and Test environments, then turn the Default environment into a sandbox.
Manage with Roles
You have full control of the Environment Maker role in the new environments and can add only the users you want to allow to create new Apps/Flows. This however, does not limit who can create Apps and Flows in the Sandbox (Default) environment.
Manage with PowerShell
The great folks at Microsoft have recently released PowerShell cmdlets for PowerApps and Flow (https://docs.microsoft.com/en-us/powerapps/administrator/powerapps-powershell)
You can create a script to list all apps in the Sandbox (Default) environment and delete them. This would allow you to create a true Sandbox where anyone can create, but the environment will be regularly be swept clean.
A PowerApps connector for Flow is coming, this will make it easier to create a Flow to manage the Sandbox (Default) environment.
Office 365 Groups
Capabilites and Adoption
Office 365 Groups are available by default to all users. Office 365 services that use groups include Outlook, SharePoint, Yammer, MS Teams, StaffHub, Planner and PowerBI.
Why is this a concern?
When an Office 365 Group is created the following items are created for the group:
- Shared calendar
- SharePoint library
- Shared OneNote Notebook
- SharePoint Team Site
The footprint of an Office 365 Group and how it will be governed is something you should consider as soon as your users begin using Groups.
Each user in your organization can create up to 250 Groups and Office 365 administrators. have no limit on the number of Office 365 groups they can create. The maximum number of groups and organization can have is 500,000.
Without proper training and communication, its likely that your employees will create Office 365 groups without knowing it. A common mistake users make is clicking the New Group button in Outlook, mistaking this for a distribution group.
Fortunately, there is a method for controlling who can create Office 365 Groups.
The process is outlined in this Microsoft support article: https://support.office.com/en-us/article/manage-who-can-create-office-365-groups-4c46c8cb-17d0-44b5-9776-005fced8e618
Implementing the solution outlined above will benefit you with is better control of MS Teams, Planner and (in general) Office 365 Groups.
This way, MS Teams can be active and everyone can participate in a Team, but limit the creation of a Team based on need and business value. Each request for a Team should go through an approval process - applying light governance.
We offer consulting services to help our clients solve these types of problems. However, our hope is that articles like this will help you do this on your own.