Is “Best Practices” a myth?

I often find myself musing over this question these days. Granted, I actually do publish something called The Microsoft 365 Best Practices Checklists, but really these are more like recommendations. In fact, I recently updated them to include governance decisions around collaboration (e.g. settings that affect OneDrive for Business, Teams and SharePoint Online).

But is it best practice to disable anonymous links in OneDrive and SharePoint, for example? Or to restrict external chat capability in Teams? It depends: what are your goals for having a collaboration system in the first place?

The truth is that all of the answers are correct: you can make a case for any configuration you like. The only way to implement a wrong practice is by failing to discuss the relevant options with stakeholders. Don't get me wrong: there are a small handful of items where I have a very strong opinion, and I will advocate for those in every engagement (multi-factor authentication, for example). But that list is actually pretty short.

The only reason I publish the Best Practices guides to begin with is that it is one of the most frequently asked questions I hear from my readers: "What are the 'best practices' for rolling out Microsoft 365? Email, yes, but what about the other parts, too?" I heard this question so many times that I had to respond to it.

I think what people are really asking for here is some help narrowing down their field of choices. Because what Microsoft gives us is both a blessing and a curse: so many options! There are perhaps too many degrees of flexibility for some folks to digest. Many different customizations could be made, but which of them really should be made? That is the question I try to help folks answer.

[Figure: checklist excerpt. Notice how I heat-rank checklist items as Critical, Recommended or Optional.]

And when it comes to collaboration and data governance, this is even trickier than dealing with areas like Azure AD and Intune, which are more "binary" in nature. MFA is either on or off. You either measure device compliance or you don't. These are simple binary choices that you get to make.

But things aren't so black-and-white everywhere. Compliance labels aren't binary. External sharing is not a binary choice, either: sometimes you need it, sometimes you don't. Sometimes convenience wins out over security for certain sites or datasets, and anonymous links are preferred there. So you can't just say this way or that way is the best practice across the board.
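To make the "not binary" point concrete, here is an added example (not code from the original post or from the checklists) showing how the SharePoint/OneDrive sharing and Teams external-chat settings discussed above are actually inspected and set. It relies on the SharePoint Online Management Shell and MicrosoftTeams modules; the tenant name "contoso", the site URLs and the allow-list are hypothetical placeholders. One constraint worth knowing: a site's sharing level can only be equal to or more restrictive than the tenant level, never more permissive, which is why the "some sites need anonymous links" case has to be modelled as a permissive tenant plus per-site tightening.

```powershell
# Added example (not from the original post). Tenant name, site URLs and the
# allow-list below are assumptions for illustration only.
# Requires: Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules,
# run as an account holding the SharePoint Administrator and Teams Administrator roles.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Where are we today? SharingCapability is one of:
#    Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | ExternalUserAndGuestSharing
#    Only the last value permits "Anyone" (anonymous) links.
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType,
        FileAnonymousLinkType, FolderAnonymousLinkType, RequireAnonymousLinksExpireInDays

# 2. Sites can only be as permissive as the tenant, never more. List the spread
#    of per-site settings (add -IncludePersonalSite $true to include OneDrive sites).
Get-SPOSite -Limit All |
    Select-Object Url, SharingCapability |
    Sort-Object SharingCapability

# 3a. "Convenience wins for a few sites" variant: keep Anyone links available at
#     the tenant level, but make them view-only and expiring, and default new
#     links to internal so anonymous sharing is a deliberate choice.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
              -DefaultSharingLinkType Internal `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View `
              -RequireAnonymousLinksExpireInDays 30

# 3b. ...then tighten every site that is not on the approved list, so anonymous
#     links only work where the business has actually asked for them.
$anonymousAllowed = @(                                  # assumed allow-list
    "https://contoso.sharepoint.com/sites/PublicMarketing"
)
Get-SPOSite -Limit All |
    Where-Object { $_.Url -notin $anonymousAllowed -and
                   $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    ForEach-Object {
        Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly
    }

# 3c. "Security wins" variant for a high-sensitivity tenant: no Anyone links
#     anywhere; guests must sign in. One tenant-level change caps every site.
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 4. Teams external chat is a separate switch in a separate module.
Connect-MicrosoftTeams
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer

# A common middle ground: keep federation with other organisations, but block
# chat with consumer Skype and personal Teams accounts.
Set-CsTenantFederationConfiguration -AllowPublicUsers $false -AllowTeamsConsumer $false
```

Run steps 1 and 2 before changing anything: the per-site listing usually shows a handful of sites already more permissive than anyone remembers agreeing to, and that list is the natural input to the stakeholder conversation the post is arguing for.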

[Figure: checklist excerpt. Recommended governance considerations for 'High Sensitivity' environments.]

Nevertheless, when you have an organization that deals in sensitive or highly regulated data (e.g. PII, ePHI), it can be helpful to say, "You may want to take a closer look at this option or that option." That is really the "spirit" of my Best Practices guidance. It does not mean "implement every single one of these items as I describe," but rather, "You should consider this for your environment, and discuss it with the powers that be." And that's the key. If you are in IT, these are not your decisions alone to make. But hopefully, the resources I provide here on ITProMentor.com can help you have the conversations you need to have with the business(es) you serve.

Comment (1)

  • Adrian Clenshaw

    This is a great article Alex – a topic close to my heart which as you have alluded to can be somewhat grey these days. I have many parties in my ear around ‘best practices’, and generally my response to them is ‘according to who?’ We all have opinions – backing up claims with sources of authority gives opinions some basis!
    Thank you for sharing and guiding – keep up the excellent work. :-)

    July 30, 2020 at 10:54 pm
