Digital transformation

How do you optimize your Microsoft 365 environment?

April 22, 2024 - 4 minutes reading time
Article by René Vlieger

An optimized Microsoft 365 environment is essential for productivity, efficiency and security. There are several best practices and tools you can use for this purpose. In this article, we will discuss best practices for Teams, SharePoint Online and Admin Center.

If you are going to configure your environment according to best practices settings, it is essential that you keep an eye on security, compliance and, most importantly, the user experience. These factors must be well balanced if you want your end users to be as productive as possible. For example, you don't want the security of the environment to be too tight, causing end users to look for alternatives. Balance is the key word here.

Best practices for Microsoft Teams, SharePoint Online and Admin Center

Microsoft Teams

Naming convention: keep your Teams environment organized and efficient and give teams clear names. In addition, use a recognizable prefix and make sure the name stays under thirty characters. With a good naming convention and the Microsoft Power Platform, you can completely automate the process of creating teams and managing guest users.

The Microsoft Power Platform is a collection of low-code tools designed to automate business processes, analyze data, and develop apps and chatbots, allowing organizations to operate more efficiently and flexibly.

Expiration policy: as a project nears its end, the teams involved may no longer be needed. It is important to consider what to do with these obsolete teams and their content. To avoid overloading Microsoft Teams with unused teams, it is advisable to set up team expiration policies. With such a policy, unused teams can, for example, be discontinued automatically. A reminder can be sent to the owner before the team expires. After the expiration date, a team's associated services (such as SharePoint, mailbox and scheduler) are also terminated.

External users and guest access: collaborating with people outside your organization can provide new opportunities for your business, but it can also lead to security and governance challenges. It can be difficult to be prepared for governance from the start in projects that require constant onboarding and offboarding of external users and guests. This is where your governance can excel by planning ahead for managing external users. Before implementing Teams, it is important to answer the following questions to guide your strategies for managing guest access in your Teams:

  1. Does the organization have a process to assess guests and their access?
  2. Who can invite a guest to a team?
  3. Which guests have access to Teams resources, such as groups, teams, SharePoint sites and more? How will the organization monitor access to these resources?

Use sensitivity labels: protect sensitive data while collaborating in Teams with sensitivity labels. By applying labels, you limit access to sensitive information, reduce the risk of compliance issues and preserve the company's reputation.

SharePoint Online

Limit access to sensitive data: as with any other part of an IT infrastructure, access to sensitive data in SharePoint should be limited to only those users who really need it. By following the principle of least privilege, organizations can prevent cyber attacks, leaks and data theft.

To enforce least privilege access, administrators must assign users the appropriate sites and SharePoint groups. They should also ensure that permissions are properly configured for each list, folder and library and regularly monitor internal and external access through user access reviews.

Naming scheme: a consistent approach to naming sites, pages and documents makes it a lot easier to browse through SharePoint. It also makes them easier to manage, especially in a large organization with multiple administrators. To make sure everyone is on the same page when it comes to naming conventions, it is important to educate site owners and users on the subject and make the proper naming scheme easily accessible for reference.

Security features: Microsoft 365 comes with a wide range of security features. To protect SharePoint Online and other apps in Microsoft 365, it is important that administrators enable and configure the included security features based on their specific needs and requirements.

Some features that organizations should definitely take advantage of are Multi-Factor Authentication and Conditional Access in Azure AD, blocking legacy authentication and setting up automatic logout for inactive sessions.

Access: sharing access to documents is one of the main purposes of SharePoint - both within organizations and with external accounts. To prevent the wrong people from accessing or maintaining access to sensitive information, SharePoint provides a number of tools that allow you to restrict file sharing.

For example, administrators can disable the Anyone-links to prevent anonymous sharing. You can also disable sharing for certain domains, enable it only for specific groups or add an expiration date for guest access.
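The sharing restrictions described above can be checked against a tenant's current settings. The following is an added example, not code from the article or from Centric: the function name `Test-SpoSharingBaseline`, the 90-day limit and the sample object are assumptions, while the property names are those returned by `Get-SPOTenant`.

```powershell
# Added example: compares SharePoint Online tenant sharing settings with the
# restrictions named in the article. The 90-day ceiling is an assumed value.
function Test-SpoSharingBaseline {
    param(
        [Parameter(Mandatory)] $Tenant,   # object shaped like Get-SPOTenant output
        [int] $MaxGuestDays = 90          # assumed ceiling for guest access expiration
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 'ExternalUserAndGuestSharing' is the only sharing level that permits Anyone links.
    if ("$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing') {
        $findings.Add('Anyone links are enabled (anonymous sharing possible)')
    }
    # A domain allow or block list only matters while external sharing is on at all.
    if ("$($Tenant.SharingCapability)" -ne 'Disabled' -and
        "$($Tenant.SharingDomainRestrictionMode)" -eq 'None') {
        $findings.Add('No allow or block list for external sharing domains')
    }
    # Guest access should carry an expiration date within the agreed limit.
    if (-not $Tenant.ExternalUserExpirationRequired) {
        $findings.Add('Guest access never expires')
    }
    elseif ($Tenant.ExternalUserExpireInDays -gt $MaxGuestDays) {
        $findings.Add("Guest access expires after $($Tenant.ExternalUserExpireInDays) days (limit $MaxGuestDays)")
    }
    return $findings
}

# Constructed sample; against a live tenant use: $tenant = Get-SPOTenant
$sample = [pscustomobject]@{
    SharingCapability              = 'ExternalUserAndGuestSharing'
    SharingDomainRestrictionMode   = 'None'
    ExternalUserExpirationRequired = $false
    ExternalUserExpireInDays       = 0
}
Test-SpoSharingBaseline -Tenant $sample | ForEach-Object { "FINDING: $_" }

# Remediation for the first and third finding (run after Connect-SPOService):
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly
# Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 90
```

Running the check on a schedule and comparing the findings over time shows when a sharing setting has drifted from the agreed baseline.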

Microsoft 365 Admin Center

Calendar: attackers often spend time getting to know organizations before launching an attack. Publicly available calendars can help attackers understand relationships within the organization and determine when specific users may be more vulnerable to attack, such as when they are traveling. Therefore, we recommend disabling calendar data sharing with remote users.

Ownerless groups policy: the ownerless group policy allows you to ask the most active team members to become team owner. The policy can be enabled and configured in the Microsoft 365 Admin Center, in the Microsoft 365 group settings.

User consent to apps: attackers often use custom applications to trick users into granting them access to corporate data. Disabling user consent for future operations reduces this risk and the threat surface. If user consent is disabled, previous consent grants are still honored, but all future consent operations must be performed by an administrator.

Idle session timeout: idle session timeout lets you automatically log out inactive users after a preset period of inactivity. When users reach this period of inactivity, they receive a notification that they will be logged out soon. They must choose to remain logged in, otherwise they are automatically logged out of all Microsoft 365 web apps. Combined with a Conditional Access rule, this only affects non-managed devices. A device counts as managed when it is managed by Intune MDM.

Centric

In recent years, many organizations have accelerated their adoption of Microsoft 365 to enable (hybrid) collaboration within their organization. It is crucial that this platform is well managed and facilitated in a secure manner. This is especially true as Microsoft 365 is constantly being expanded with new functionalities and capabilities. Is your organization still in control of Microsoft 365? With Microsoft 365 In Control from Centric, you gain a clear insight into the governance, manageability, and optimization of Teams, SharePoint, OneDrive, and other Microsoft 365 productivity applications. M365 In Control also helps you identify areas of focus within your productivity environment.

Ongoing journey

Finally, it is good to realize that optimizing Microsoft 365 is not a one-time effort. It is an ongoing journey of learning and growing, always striving to improve and optimize.
