• Home
  • Blog
  • Technical
  • Teams, SharePoint and OneDrive best practices? Part 3: Data governance

Teams, SharePoint and OneDrive best practices? Part 3: Data governance

Back to Blog
15Aug2019

Teams, SharePoint and OneDrive best practices? Part 3: Data governance

In part 1 of this series, we discussed external sharing and chat. In part 2, we dealt with access controls and notifications. Now, we turn our focus to Data governance, a very important conversation indeed when it comes to compliance.

And when it comes to compliance, every organization is going to answer these questions differently. So I repeat yet again, there is no “best practice” here, other than you need to be talking to your stakeholders about these items. Most of the time the people who “need to know” this stuff, simply don’t. They never learned what was possible–and how would they? If you are leading or involved with the IT engagement on an Office 365 adoption project, then it is your job to educate the stakeholders, so that they can be empowered to make the best decisions for the business, and give you direction to execute appropriately.

Microsoft Teams and the invisible compliance boundary…

Before we delve into the various dials and levers that we have around data governance, it is important for us to understand just where our compliance boundary lies. What am I talking about?

Specifically, I am referring to the Teams application. Because Teams is not exactly like a traditional SaaS app, where all of the data lives in just one place. Teams is a window into data sets from, well, just about anywhere. Not only is a Team going to have data living in SharePoint, where files are stored, and Exchange Online, where conversations are written into invisible folders within your personal mailbox and group mailboxes. But, it is also possible for end-users to connect other applications into Teams, and collaborate in their groups using outside services.

None of these other third-party services are going to be covered under the compliance boundary. So when you apply a retention policy, for example, to Teams chats and channels, you can certainly capture conversations that are taking place, but you aren’t capturing anything from outside applications that are attached to various channels as a tab. Even “inside” applications like Planner, Forms or Flow–there are just aren’t any “hooks” into those apps at this time, and so these controls that we’re about to discuss–they do not apply.

Per the graphic below, which comes from this source, unless the Teams data is ingested into either Exchange Online or SharePoint Online/OneDrive for Business, it is not protected by any of the tools we’re talking about.

Diagram of the workflow of Teams data to Exchange and SharePoint
Ingestion of Teams data to both Exchange and SharePoint

Therefore, I could share a file from my OneDrive for Business folder into a chat or channel, and it would covered. I could share files from other SharePoint locations, and they would be covered. But if I shared a DropBox location, or any other outside location, it would not be covered.

Make sense? Be sure your stakeholders are aware of this when you discuss compliance and data governance. Okay, now that we got that out of the way, let’s proceed.

Data retention

Find the settings that control data retention in the Security & Compliance center > Data governance > Retention.

Create a retention policy to ensure that data is preserved, even if it is deleted, for whatever time frame is appropriate to your organization. By default, SharePoint Online will only keep your deleted items available for 93 days after deletion. Then it’s gone forever. The OneDrive default is 30 days.

Speaking of which, check out the OneDrive admin center > Storage. Did you know that you can set the default storage limit per user up to 5 TB (if you have 5 or more licensed users)? And although the default retention for deleted accounts is set to 30 days, this value is actually configurable up to 10 years (3,650 days).

Now if you need custom retention periods on content in other locations (even for deleted items and messages) then you need to create some retention policies. When you do set these up, you can choose to preserve data or auto-delete data (or do both: preserve and then delete). For example some organizations may choose to specifically delete older data-sets whether to limit liability, or to manage storage/sprawl, or both. Other orgs may want to preserve data and keep it searchable, but they don’t necessarily want to delete that data after the preservation period ends.

There are no right answers, although certain regulated industries might say, for instance, you have to keep tax records for at least 7 years, or 10 years or something like that. It is important for your stakeholders to know what laws and regulations they are subject to, and they may even consider checking with their legal counsel on these matters.

Data classification (Sensitivity labels)

In every tenant that includes Azure Information Protection P1, such as via Microsoft 365 Business or one of the Enterprise plans, I would recommend discussing this item with your stakeholders. Adoption for this feature is somewhat low right now, and as of today there is a separate client-side (plug-in) installation required. But this feature is highly valuable and more people should be adopting it in the near future, especially as these sensitivity labels are made more widely available in the Office clients.

Security & Compliance center > Classifications > labels

I have written about this topic extensively on this blog before. In a nutshell: using Sensitivity labels, it is possible to label (encrypt) documents and messages. That means, rather than relying on the permissions which are set on a “container” such as OneDrive or a SharePoint library, this protection applies permissions to the document itself. This is way more powerful, since it means that any labeled document will remain protected no matter what container it travels to out of its original home in Office 365.

  • External USB media? Still protected.
  • Downloaded to a local hard drive and then re-shared to consumer DropBox? Still protected.
  • Emailed outside the organization? Still protected.
  • Accidentally shared into the wrong email thread, Teams channel or chat conversation? Still protected.

You get the idea. When the document is opened, before a user can gain access to the content, Office 365 must check in with the label’s permission list as published via Azure Information Protection. Does this person have access or not? If yes, what level of access do they have?

To consult with stakeholders regarding these labels, there is a fair amount of planning required. You will want to gather from them:

  • What labels do we want to publish? Public? Confidential / All employees? Other custom labels?
  • What will the labels do? Header/footer/watermark? Encrypt content? Restrict access to specific groups? Which groups?
  • How much restriction will be placed on each label and for each group that has access to the label?
  • Do you want to allow offline access to labels (for example so that your authentication is good for say 7 days before re-authenticating)?
  • Who should be allowed to see/apply which labels?
  • Should users be able to remove labels (providing justification)?
  • Should certain data-sets be auto-labeled (requires Azure Information Protection P2)

If you need to review the pre-defined permissions roles that are available then check out this table, below:

Custom permissions are also possible. And, you can assign multiple groups to each label, each with a different permission role. So for instance you might have a Finance label that grants Co-Owner to the Finance users, Co-Author to Upper Management, and Reviewer or Viewer for Board members.

For further reference I cannot recommend this Microsoft article highly enough. It contains great detail, links to other good references/resources, and explains the differences between the classic labels, and the newer “unified” labels very nicely.

Data Loss Prevention (DLP)

Last but not least, I’ll include a tip of the hat to DLP. You can do a lot with this tool, but its primary purpose is to limit or prevent the over-sharing of sensitive data types. Find this under the Security & compliance center > Data loss prevention > Policy.

Again, options here vary widely based on industry, compliance requirements, and so forth. I have written some articles detailing examples of these policies in action, you may refer to them below:

Wrap-up

Again, this overview is not meant to be exhaustive–we didn’t really cover other compliance related topics like Content search and eDiscovery. Certainly part of your engagement and customization would be learning who in the organization should have eDiscovery rights. We could go on and on here. But, at the end of all of this, I hope that through this series I have illustrated my key point: when it comes to SharePoint, Teams and OneDrive, one thing is certain–we’re going to continue to see the adoption of these services balloon in the next few years. And the only best practice “take-away” that I have for you is this:

Be sure to cover off on security & compliance related considerations with your stakeholders in the project. There is no right answer, and no wrong answer, except of course skipping the question.

Successful implementation (and adoption) depends on tackling these types of questions. Plus, being able to advise on good security & compliance hygiene will open up many other opportunities for you as the trusted technology adviser (whether you are internal IT, or a consultant like me). From there, you will likely run into host of other considerations you need to work through with your stakeholders. One opportunity leads to another, leads to another, leads to another.

Technical , , , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

11May

How to change your Network type from Public to Private in Windows 10 (the easy way)

In Windows 10 (and earlier versions had this too), there is a difference between Private and Public networks (there is also a third type--Domain--for when you are connected on your corporate-owned device to your corporate network). The problem is, if your computer or tablet is on... read more
07Nov

Configure alerts for your 365 Tenant from the Security & Compliance Center

If you have an Office 365 or Microsoft 365 subscription, then you should check out the Security & Compliance Center--there are plenty of tools in here to help you step up your game. Generally speaking, nothing is really configured by default, so if you want... read more
12Dec

Adding Hybrid Exchange in retrospect (post-migration)

Sometimes organizations that have already migrated email to Office 365 using a third party tool or a cutover method would like to "go hybrid" and install Azure AD Connect after the fact. Usually the driving factors here are password sync and Single Sign-On with... read more
30Jun

Migrating DHCP from SBS to Windows Server 2016

If you have a small network without much complexity (e.g. single subnet, a firewall, a few devices), you might consider having DHCP handled by the firewall rather than your new Windows Server--in that case, see Option 1 below. Otherwise, if would rather continue managing DHCP from Windows Server, then you... read more
13Oct

Top Mobility-Enabling Security Features in Office 365

At this point, even the staunchest conservatives among us have to admit that we live in a post-perimeter world. In recent years there have been even more developments and trends chipping away at our traditional conceptions of so-called perimeter-based security. Cloud and mobility means two things: Users... read more
04Jul

Migrating File Shares from SBS to Windows Server 2016 Essentials Experience

To copy files from a legacy file server to a new file server, whether 2012 R2 or 2016, the process would be the same. Note: Some files shares might be better off in SharePoint, and users' personal Documents Libraries can probably go to OneDrive. This could greatly... read more
01Sep

Updated best practices guides, Conditional access policy design and more!

Update March 2023: All of the Best Practices Checklists and Guides have seen major updates since this article was originally posted. You can obtain the Best Practices here. Updates this month include several revisions to the Azure Active Directory Best Practices checklist, and some updates to... read more
14Mar

How to configure Email encryption for Office 365

This is a four-part post on Azure Information Protection (formerly Rights Management) for Office 365. The Azure RMS service is a powerful tool that we can use to prevent data leakage and share information securely with users inside & outside of the organization. Follow along as we explore how to: Activate... read more
15Aug

Find out why Windows Server 2016 Essentials Experience still matters

Upcoming Windows Server Essentials Experience Series For many months now, I have been playing around with the Windows Server 2016 Technical Previews, especially the Essentials Experience role. You might ask: Why? Does the Windows Server Essentials product matter anymore, now that we have Office 365 and have moved well past the... read more
The Underwhelming MAM for Edge
22Aug

The Underwhelming MAM for Edge and What Else We Can Do

A while back I had written about a solution that I have been anxiously awaiting since its announcement: MAM for Edge on Windows. Let me explain the background a bit. We used to have Windows Information Protection (WIP). Well, we still have it for enrolled devices,... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me