Now that Office 365 Groups and SharePoint Online Team Sites are being rolled out to Standard Release tenants by end of January 2017 (SharePoint Online Team Sites & O365 Groups Moving Beyond First Release) it’s time to get things under control.
If your organization is allowing self-service Group creation in your O365 tenant, you are well-advised to have your data governance classifications in place to provide a framework for classifying Groups at the time they are being provisioned. This post will focus on the steps required to do this.
You will need 3 things: your organization’s data governance classifications, what each of these means in layman’s terms and some Azure PowerShell prowess. 🙂
STEP 1: Decide on Classifications
Come up with a list of data governance classifications for your organization. Typically, there is a role within an organization responsible for this task. (Information Management team, Records Management team, Compliance & Risk team, etc.) To illustrate by example, we will configure three data governance classifications for a fictitious company. The classifications are:
- Public
- Confidential
- Top Secret
STEP 2: Write Usage Guidelines
Based on the classifications, guidelines should be written by your corporate Data Governance team and the content placed on a webpage on your tenant. These guidelines need to be written in clear language that end-users will be able to understand. Examples of things your guidelines may want to address:
- is external sharing allowed from the group?
- what type of content is allowed in the group?
- what should happen to content in the group when/if it is deemed a “record” or has high business value?
Ensure Group creators have at least read permission to the page and take note of the URL.
STEP 3: PowerShell
Determine whether or not your organization will allow Group Site creation for all users in your organization. Your options here are:
- Enabled for all
- Disabled for all
- Enabled for a specific Group of users
For this example we will enable Group creation for all. If you want to enable it for a specific group of people, refer to this excellent post written by Drew Madelung (@dmadelung) at (Managing O365 Group Creation)
These Group settings are configured using Settings and SettingsTemplate objects. If you do not see any Settings objects in your directory your directory is configured with the default settings. To change the default settings, you will create a new settings object using a settings template. Settings templates are defined by Microsoft.
Download the Azure AD Windows PowerShell cmdlets from Azure AD Module PowerShell Preview. I used version 1.1.130.0 for my examples.
Open an Administrative Azure AD PowerShell Console and connect to your O365 tenant to get the settings template for O365 Groups:
[code language=”powershell” light=”true”]
Connect-MsolService
Get-MsolAllSettingTemplate
$template = Get-MsolSettingTemplate -TemplateId SettingTemplateObjectId
[/code]
where SettingTemplateObjectId is for the Group.Unified template.
We want to update 3 settings: EnableGroupCreation (defaults to true so not really required), UsageGuidelinesUrl (from step 2), and ClassificationList (comma-delimited list from step 1).
[code language=”powershell” light=”true”]
$setting = $template.CreateSettingsObject()
$setting["EnableGroupCreation"] = "True"
$setting["UsageGuidelinesUrl"] = "https://YourURLGoesHere"
$setting["ClassificationList"] = "Public, Confidential, Top Secret"
New-MsolSettings -SettingsObject $setting
[/code]
To confirm your settings:
[code language=”powershell” light=”true”]
Get-MsolAllSettings | ForEach Values
[/code]
What does the user see?
When a Group is provisioned users will now see a dropdown on the Group creation window prompting for a Team site classification as well as a hyperlink to the Usage Guidelines.
I’ve provisioned a top secret site to hold my recipes. I have a *killer* chocolate Brownie recipe and I don’t want anyone finding out its secret ingredient. 🙂 You can see in the Group provisioned for the team site below, the team site classification chosen during provisioning (Top Secret) now shows on the site’s heading.
What’s next?
To my knowledge, there is no current functionality (January 2017) to set policy based on this classification via the Security & Compliance Center UI however this is on the O365 Roadmap.
I’ve watched several Ignite 2016 videos showing capabilities coming to O365 in this area. Here is a sample of what I saw:
- Prevent certain activity based on classification. (Eg. No external sharing allowed from within a Confidential Group)
- Audit activity in a Group and be notified when a user changes classification or does a behaviour that is non-compliant within the group. (Eg. store customer documents on a site that prohibits them)
- Set classification at a document level
I am keenly interested in the investments Microsoft is making in the Security & Compliance Center specifically as it relates to O365 Group data governance in the coming weeks/months/years. I believe its an area with huge growth potential.
In the meantime, have a conversation with your corporate data governance team and ensure you have Groups classified and usage guidelines communicated right from the start. This should set your organization up for the functionality when it arrives.
Thanks for reading.
-JCK
A very intriguing post as you really are just setting up what is likely to come down stream in terms of compliance functionality, as a result of these classifications. I wonder if this will also impact Teams as well.