In this episode of FusionTalk, Anouck and Steve reflect on their recent adventure at the Collab Days event in Bremen, where they both spoke and shared insights with the community. The conversation takes a humorous turn as they recount their driving experiences and the unexpected distractions on the road, leading into a deeper discussion about rules, regulations, and governance in the tech world.
The hosts explore the complexities of governance in Microsoft 365, emphasizing the importance of defining clear rules for various areas such as site security, content lifecycle, sharing, and sensitivity labels. They share anecdotes from their experiences, highlighting the necessity of having the right people involved in governance discussions and the challenges that arise when users bypass established protocols.
Anouck and Steve delve into the significance of documenting governance policies and how this documentation can streamline processes within organizations. They stress that regular reviews of these policies are essential to adapt to changing business needs and to ensure compliance with legal requirements. The episode wraps up with a light-hearted reminder of the value of governance and the critical role it plays in the successful use of technology.
Creators & Guests
What is FusionTalk?
FusionTalk is a dynamic podcast where technology, collaboration, and innovation come to life! Hosted by Anouck Fierens, a Microsoft 365 & Power Platform expert, and Steve Dalby, a SharePoint & Teams specialist with a knack for humor, each episode delivers fresh insights, real-world stories, and engaging discussions with industry leaders.
🚀 Topics include:
✅ Modern workplace & collaboration strategies
✅ Practical case studies & expert insights
Join FusionTalk and discover how to work smarter, faster, and more efficiently in today’s tech-driven world! 🎧 #FusionTalk #TechPodcast #Collaboration
Foreign.
Welcome to Fusion talk with Anouk and Steve. And I'm not even going to go and check the recording.
Really.
I'm gonna trust it.
So if the recording isn't working again, you messed it up for the second time, of one of our podcasts.
Yes, that is true. But at least I have a driving license.
Are you sure about it that you still have one after you were taken on picture in Germany?
I was, yes. Pictures in Germany were taken. That is very true. Oh, what fun we had this weekend. So, for those that didn't know, both of us were speaking Anne Marie, and actually the whole crew was there in Bremen this weekend, which is an amazing community, event for collab days and great, venue. I talk about the cars all the time, so I won't bother doing it today. but we planned on driving there together.
We did.
We planned on sharing the driving together.
We did. We planned so many things.
We did. That's true.
We plan to record a podcast over there as well.
Yeah, that. That didn't happen either, did it? But that's okay. Anyway, so, yes, we drove, to and from Bremen.
Correct. You did, yeah.
It doesn't matter. And as we were driving back out on Sunday morning, I was driving, and there was this flash of blinding light from an alien spaceship hovering over the motorway. It distracted me terribly, so much so that I think I might have been going too fast.
I'm, quite sure you were. The car was telling you.
The car was telling me. Yes. So, anyway, we'll. We'll see whether that story comes through. But actually, it leads into what we kind of want to touch on today, which is rules, regulations, and governance.
True.
There is a rule that says on that particular piece of road, thou shalt not travel any faster than 60 kilometers an hour.
There are so many rules, and many people break the rules.
That is true. And there's penalties associated with them.
Yes.
I wonder what my penalty will be for doing 93 kilometers an hour in that 60 kilometer limit.
Well, you are lucky you don't live in Germany.
That is true. Why?
Because in Germany, they have a driver's license with points on it. So maybe you could have lost your driver license and you need to do it all over again.
They do that in England as well. Yes. So, yes, it does, it does work, though. But, I mean, these rules do work.
Yeah, I know.
Do you want to explain how you know that they work?
Because I lost my driver's license doing.
Something that most people would actually disagree with. To be fair, you was using Your telephone while sitting in your car at 120 kilometers an hour. No, that's a lie.
No, that's. That's a lie. I was using my telephone sitting in my car standing still for a red light.
Yep. And, apparently since February, middle of February, it's not allowed anymore, actually. Were you one of the first people to get arrested for that law, do you think?
No.
Well, it was the 20th something that it came in.
Yeah. And it's, active from the first of January.
Ah. was it?
Yeah. Oh, well, but in the same law, they say you can't drink or, water or coffee or eat something.
While you're in your car standing still.
For a red light. So how many people break that rule?
Yeah, I know, I know. But anyway. Yes. So governance.
Yes.
So some rules to the road make sense.
True.
And some rules for the road are nonsense. nonsense. All right, so how did we get here? So we've kind of been. I talk about governance all the time, and we talk about collaboration and techniques for putting information together and, and generally, collaborating and ascertaining the requirements for apps and all those kinds of things. And I came up with this idea after speaking in Bremen around governance and around some rules and security stuff that potentially we could share some experiences where we define governance within our contracts or rules and some of the techniques we use to do it. Because there are a lot of governance areas, in M M365, all with different kinds of people.
True. And all of those areas need different rules as well, because you are doing other things in those areas. it's not only about sharing a document or something like that. It's also more like, if you want to create something, if you want to go to Dataverse and you want to create a completely data model, you need to have those kind of rules that then.
Correct. And then talking about your content, life cycle and access to sites and those kinds of things all have different kinds of rules and they tend to be controlled by different people.
Yes.
And we've talked about doing collaboration and knowing you've got the right people in the room and that kind of stuff.
Yeah, we have a few episodes about it.
So I've got five areas that are just off the top of my head. I mean, we might want to add one, or two more, but. And they go from simple things to more complicated things. So effectively, the title of this podcast or the title of our post its are, who and how to talk to the business about Governance. And then I have five areas on the list at the moment. Power platform content. So that could be content life cycle sites. And I'm guessing that's probably site security or site usage. Yes. Retention. so the, the content retention or information retention. I had sensitivity. So the sensitivity and I'm going to add OneDrive, onboarding on and off boarding because I think that's important. And I might add, sharing. We might not get to all of them, but it depends how quickly we go through them and which ones.
But the good thing is the first word you had, correct? Because when we are talking earlier about this, you said PowerPoint instead, instead of power platform.
You did? I don't know. I did, yes. She's been very careful because I'm in a cocky mood today. We just had a drink or two and
Yeah, you had a drink or two. Not me, I had some tea.
Well, did you drink it or did you pour it over your feet? I had water. All right, so let's. Which one do you want to choose? You start off with which one have you done governance for and how did you move it forward or how would you have moved it forward?
then I'm going to go for sites as the first one.
Sites. So site security, site access.
Yes, because I'm doing a lot of it, SharePoint and a lot with teams. And that's why we most of the time need to have the governance set so that people know who are having access to say sensitive documents and anything like that.
So just a minute. Is it sensitive documents or is it just access to sites? Yeah, but you can't do content and sites because they have different requirements. So are you going to do sites or are you going to do content?
Most of the time combine them. but let's go for sites.
It's going to be one of those days.
It is.
It's been a busy Monday, it's late in the day, you've been training all day. Did you have idiots in your classroom or intelligent people in your classroom today?
Both.
Both. That's even worse. One of my weirdest training sessions, seen as we're going to digress here because it was just funny. I used to do a lot of work for an American organization, training wise. and it's a very, very, very large organization, 160,000 people in Europe alone called the U.S. army. So it was a big thing and I used to do this training and in one classroom I got a 76 year old retired colonel, I got a sort of 18 or 20 year old, Southern gentleman No, gentleman's the wrong word really. Somebody that will be driving a four wheel drive truck with a rifle stuck to the back of it as an MP. And I had a beautiful 50 plus black Southern belle all in the same class and it was a three day, you're ready for this access course. And it was really very funny. Basically the courses are provided for free and they're also encouraged. And these people work part time at the nafi, they work in the comms teams, they work everywhere. So I had these three different people and about 15 other people in the course. Well now actually I would have had 13 other people in the course. And there's a couple of great stories. First of all, the 76 year old guy was determined to understand this. He was, I was there for two hours every day over in the top, just getting him through all the exercises so that he could say at least I've done this course and check the box. And it was really nice and it was good. And the 18, 20 year old can't remember how old he was. 22 year old, whatever the bloody age is. He was cocky as anything because he really didn't get it all right. He was gung ho, he was an mp. You know, his job was to put people in the right. So he was mouthy all the time. All right, so we did this, we did that and then we had this beautiful 56 year old or 50 year old black southern lady who just kept answering this young boy back throughout the whole three days. It was so very funny. yeah, so I had that diverse kid. Everybody else was there because they were there for their education, you know.
Yeah. This was for me it was a training course everyone in the organization needs to follow.
Yeah.
And there was one guy and he was completely against all of Microsoft 365.
yeah.
And then you need to convince them to start using teams for their documents and then they start to ask questions like but how are you going to keep in the hierarchy if you are syncing a document, how do you keep in the hierarchy from who is first needed to edit it and then the second one and the third one and how do you keep track on it and can you manage it yourself? You have your version history, you can make comparison in words with all of the version history so you know who can change it? And over and over he came back to the same thing and the same thing and the same thing.
Oh wow. And it's interesting, I mean the answer to that question is governance.
Yep.
It's a process with A set things in action and you move it forward.
Yes.
All right, so we're going to talk about Sites then governance on sites. Where do you start? I know where I'd start, but I'll ask you. Where would you start?
First of all, trying to understand the sites. is it just one team or is it multiple people from different kind of teams that need to access it?
Okay, so, that kind of makes sense. But I was thinking that before that wouldn't you have some kind of structure already in mind on how you are going to deal with the site permission structure? So for example, by default we've got SharePoint groups read edit owners.
Yes.
and to quite honestly, most people don't do anything else. They just put the editors in the edit groups and all that kind of stuff. And then I'm guessing the structure of the sites will drive the rest of it. And so it's the organization most of the time.
Yes.
So. So by having that model defined before you go in the meeting and then calling the business together, because we're at our basic level here, you know, if They've never met SharePoint before, they have folders that miraculously appear. you know, hey, I need a folder here and somebody either creates it that's got the rights or the help desk build it for them or something. so yeah, so for me to do sites, I start off with some kind of structure and I explain to them what it looks like and then ask them how they apply that to their business. So then I just them to talk about what they do with their folders.
At the moment as it's actually a little bit the same that we try to do, but a different kind of way to get there.
Okay, yeah. So that I find works. and then it also needs to be documented. We're going to say documentation a lot.
And all of us iters very much like to document these things.
Oh, we do. We document everything. We're all perfect. They're the easiest way of doing it. Of course. Course is just create a SharePoint page. So you basically create a service catalog in SharePoint. and then, it's one of.
The things I always suggest to my customers to start doing that.
Okay, good, good. Actually, I have a question which we'll deal with after this. Not now. But I need to. Let's assume you've got 20 pages of governance. How do you set up the navigation for it in one page without doing it manually? So my question to you is, how can I do that? Automated. Oh, developer. So I'LL give you answer. And if she gives me a good answer, we'll do that on the next podcast. All right, so that's site. So site security, keeping it very simple. and, ensuring everybody understands the structure. Keeping it the same on every site.
Yes.
and, then being clear what people can do with those particular rights, when I used to do training for this, for complete newbies, then I used to actually make them put party badges on so they'd have their name or their email. And then what rights they had to a site so they could actually send things to each other and understand that, hey, I can access that document, but I can't edit it. Oh, that's because I'm only a reader or a guest. And then somebody else can say, yeah, but I can change the document. Oh, that's because you're looking, oh, owner. And then if there's any special permissions, like, hey, you can't delete it because that's the way the governance wanted to work, then I would, you know, have somebody that was a, editor. No delete. And then, and then they would be able to try them and people would gather around the laptops and find out what they could do. It was a great way of actually.
It is, yeah. Thanks for the tip.
You're welcome. You're welcome. All righty. So that's sites well done. I think site governance is, is obviously important. And, I've just done, a presentation on sensitivity labels. And even though we were talking about far, far more complex stuff, we still end up going back and considering, you know, site permissions because it's going to underline everything you do.
It is, and it's one of the layers if you are doing this content in M365, it's something you can't get rid of. You always keep the site permissions and having. Giving people access to the entire site.
Correct. It's going to be there whatever happens. All right, so let's talk about how that might change then. I am now going to take sharing because I was thinking about that earlier. I'm going to put a big checkbox.
A really big checkbox, stripe it through.
Put a line through it. So I, want to take sharing because sharing is actually quite complicated. and it's worth understanding how you set the governance up for sharing and what you can and can't do. And I'm fairly sure it's changed a lot. so we may not cover all of it in here.
And now before you go into the governance and understanding is it not important that people know what the sharing is going to do? That they know what they are planning to go for instead of directly diving into the governance with them?
Yeah, maybe. I think, in terms of the audience, yes. I was actually trying to work out who defines the sharing. So who defines the governance for sharing. So who would you go talk to?
I'm guessing I would go with some of the business managers or something of the, the IT managers of.
Okay, okay. I guess Marines just let us know that It'll be about 6:30. So my guess is he's obviously working away from today and driving into traffic. Yes, fine. So he was going to join us. he may not be here in time to hit the podcast. So you were saying the business of sharing. I disagree. I think the people that you talk to about sharing is your CISO and your security team. This is not something that the business needs to understand how it's something that the person responsible for your content. Either your, you know, it could be your, what do they call them? The CISO is obviously the security guard or your. Oh, his name's disappeared. Data protection manager, Data protection officer, your data guy for the business. So they would say, hey, we would allow this content to be shared or we wouldn't allow this to be shared. You might, if it's extreme. You wouldn't allow attachments, you wouldn't allow sharing. So defining the governance is not really a business requirement.
No, not defining the governance, but you need to understand the need, if there is need for sharing like that.
and we're assuming that the ciso, and the data protection guy knows that because it's not basic. Basically they're going to say let's assume. They say let's turn everything off. All right. Then obviously what's going to happen is the service desk is going to be constantly inundated with how do I share this file with this business, blah, blah, blah. And they go, what is the rules? And then it will eventually. So we assume that most CISOs are sensible. So let's assume they, the people that will set the policy. I, I don't believe it's anybody else. If you set it to the business, the business will just want everything to be open.
I'm not sure if the business wants everything to be open.
Why not? They want to be able to share it all. They want to be able to get on with their job. I've never seagulls before in Antwerp. Yeah, seagulls outside the door.
yes. They want to go continue with their job. But some of the business, what people are doing is also with data that is sensible, sensor sensitive and oh, do.
You want to go into labels?
Then they know then how. If sharing is possible. Yes or no?
I guess it's. It's chunk. If I. Okay, no, it's not my guess. My experience and your experience is that businesses just want to get on and do their job and not be held accountable for data leakage protection, documents being shared with inappropriate people, blah, blah, blah. They just want to get on. If somebody got a supplier and says, hey, I need this document to get on and do this job, they want to just send it to them.
Some businesses, I have a customer that doesn't want that.
But ah, but is it defined by the business or. Defined by it or somebody high up in the organization? So who.
It's an accountancy firm.
Okay. All right. Yeah. So you're right. You get into the professional sides like legal, accountants, consultants, then they have a certain knowledge. and you're absolutely right. It depends, on this kind of business.
It's really. Yeah. And then it's most of the time a combination of. If it is something with legal, it's a combination of business and data loss prevention and security guy and management like all of that. So that's why sometimes people need to understand first what it is before they say yes or no. And that's something you need to explain to the business because security knows what it is.
But it's not our job to do that. Actually it's not our job most of the time. This would already been defined.
But you're right, we expect it's been indefined. So we need to ask and we need to make sure. But we're both right. Because if it is just another business, they want to do business as usual and they want to carry on. They don't need to define it.
No, you're right in the. To start off with. And it's obviously one of those things where, we're both right today.
We are.
but yes, the business will have a need and then I guess then the CISO or the data guy will obviously have to approve it or confirm it.
And if you noticed, I was able to say. Right.
Yeah. It doesn't happen very often. It's a Monday. Okay. it's the last Monday of the month. That's why you can do it today. All right, so let's go back. We've decided who it is and sharing and then we've got to basically work out how to set up that sharing. And there's a number of ways of doing it and some experiences. Are you struggling a little bit today, dear, with your clothing?
Yes.
Can't get comfy.
I'm itchy. I'm a back.
So a scratchy back. It's that furry jumper you got. Alrighty, so let's go with some examples. So I had a CISO that basically said, look, yes, I don't mind sharing, but I want to know that whoever received the documents, we know who got it. And it wasn't just sent out there to 10 people, which was quite cool. and there was other organizations that said that they don't mind everything is shared as long as the person sending it is aware of their responsibility for it and is sending it out. And we don't send a document out to more than five people at a time or whatever. So it can be monitored and managed.
Yes, because most of the time the monitoring of this, it's not that easy.
No. And I think those are some of the key decisions. So where the business says, hey, I want to be able to know who is seeing this and what they're doing. Then we basically stopped attachments being sent. Everything had to be shared from OneDrive or a SharePoint site that allowed external access.
Or teams.
Yeah, that's like a SharePoint site that allows external access. So you're a consultant. So just in case you hadn't worked out, Teams and SharePoint are the same repository they are.
I was giving training in that today, so. Yes, I know.
And you forgot already.
Yeah, my short time memory is having issue.
I know. Yeah. It's because you got such an itchy back. It can't be helped. All right. So one of the things that we set up was that we insisted that when something was shared, they had to confirm their email address. So you can set it so that if somebody tries to open this file, they have to request a one off code. And then so they send the email, they say, I'm going to access it, they put their email address in, they get a MFA code on their email address and then that gives them rights to share the document. And that expired after two weeks.
Yeah, I think that expiring date for sharing link is so powerful for many organizations.
They can redo it. I mean if they want the document three weeks later, they just have to redo it. And as long as the sharing is still active, then that's good. I was digging around today because I've been looking at sensitivity labels and Copilot and all that kind of stuff. A lot of it now fits into the Purview thing and the new, the new Purview portal. and of course you get the SharePoint advanced administration now as well as part of Premium and all that. And it actually has a whole module on oversharing.
Yes.
Do you know what oversharing is?
I've read it, but don't ask.
Me to explain it. I knew when you said yes you went, she's read a title here, she's read a headline. And this stuff is getting so big we can't be expected to understand.
I went in detail in it, but it's about, I think almost a year ago, so it's probably changed a lot since then.
It's quite cool. I mean they used to have the stuff where you could sort of find out whether people were attaching too many files and all that and to the. Sending them to the same email address and stuff. But, but now basically all of. Because a lot of people are concerned that how do I know how many shares and all this good stuff. But it's. Now you can get more reports on it in Purview, and you can also set, set quantifiable overviews for sharing.
That's all in the same E3 license or do you need to have the.
E5 for it now in E5?
Yeah, yeah.
I don't know the license details, but all I was trying to say was from a sharing perspective, it's not just that simple process of doing this. You've actually got to start thinking over and above it. And there are great ways now to monitor and manage it. So from a governance perspective, so from an end user's business perspective, you set the rules, hey, you can share anything, but it needs to be uploaded to OneDrive or shared from a team site. and these are what will happen. So when somebody gets this email, they'll have to confirm it's their email address and you can then also decide whether it can be forwarded on so that person that received it can forward it to somebody else or not. So you can only say that one email address is the one it can be used to shared by. you can then decide whether they can edit it. You can then decide whether they're able to download it or whether they can only run it. So. So when it comes to governance around sharing, there's actually a lot of decisions you need to, to make.
And I think that's a point that many organizations need to check on again.
This is the point, isn't it? About three years ago this was like advanced governance. That's a bit of a strong word, but it was medium governance. Now it's like the basics because there are now so much other stuff around the sharing things, federation, sharing federation and all that kind of stuff. so there, the whole governance thing around it is huge. But anyway, we're just going to keep the simple stuff. So who do I speak to for sharing? Obviously we think it's the business needs, it's the CISO who has to decide and protects the data stuff. and then we work out what restrictions we need to do and most of the time from a compliance and legal perspective, you just need to know who has got hold of the documents. So you need to be able to get some, some kind of confirmation. yes. Cool. Well that was good. So what are you gonna do next?
Let's go to OneDrive.
One drive sharing.
Yes. How do you define that? Who is going to define it? It's all. I always find it a struggle.
But I think you're back to either it, because that's the default one, or again you sit down with your security team or your data officer, data manager and you sit down with him and say, hey, this is OneDrive. Explain to them what it is. So it's a SharePoint site. The only owner is the owner of the OneDrive that, person. You can change the permissions if you wanted to, but of course we generally don't tend to leave. It is. You can decide it's going to be smaller, you can decide whether or not they're going to be able to share. You probably going to initiate the same sharing that you had before about identity. but you mainly need to make the owner of the OneDrive understand that they are responsible for anything they do with their OneDrive.
Yes. And maybe why I find OneDrive a difficult one because with giving trainings and talking to as a consultant with a lot of those, companies, a lot of them still use retransfer or something to send over a lot of data and then you need to try to explain them to not do that and to go to their OneDrive.
That's where your security guys come in again, because they can just block one. We transfer sharing.
They can, but they don't do it that often.
well, it depends how strong and how strong willed your security team are and how much they believe in that governance. But it's possible.
Yeah, I know there is a lot of things possible, but are you only going to listen to your security guy in Haiti or do you also need to know what the business needs are in this one?
Well, business needs are always there.
They are.
All right. And quite honestly, most businesses have got no idea what you're going to use OneDrive for is completely alien to them.
Yes.
So basically setting the rules, what they can do, what they can share with and everything else. Now the upside of OneDrive is that the end user can easily see what they're sharing and who they're sharing it with because they have a, set of rules in their own views and they can view what's shared by me and with me and all that kind of stuff.
That's a nice feature they have in OneDrive.
Yeah, that is true. What else was I thinking about OneDrive two seconds ago? you can decide what files are going to be stored in there. So if you wanted to narrow it down, you can do that. You need to think about what happens when that person leaves.
True. Because that's a big issue in that data and how you are going to deal with what's on it. is it just deleting everything at once or do the persons need to sign papers that the manager can access the OneDrive?
And with GDPR, have they got any rights to ask for content off their OneDrive up to three months after they leave? Yes or no. And whether you're going to close that down with those documents and papers.
Yep.
So this is always a tricky one. And that also, I guess we could put email in the same bracket here. So, you know, are people allowed to have access back to their email address once they've left? And can they get their emails?
I think one drive and email is personal for a specific user. So yes, it's going to gdpr. It will be the same thing.
Yeah. So there's a lot of, there's a lot of things in OneDrive on where to do, where to do it and what to do. I mean there are some practical things you can do. So you can say, hey, look, create a folder called Personal and put anything in there you don't want anyone to see. And then set an internal policy up with HR and with it that say, look, you know, if you have to go into a OneDrive even after somebody's left, then you know, you cannot go into the folder called Personal. and using, a four eyes approach, then at least two people are on it at the same time. It can get complicated, but it is very possible.
Yeah.
Bottom, line is just Delete the plumbing stuff. Be very clear when they leave. Hey, look, you know, you're fired, but I'm going to give you 15 minutes here and now to go through your OneDrive and forward any documents, to your own personal email address that you want. So if you've got training certificates in there and everything else, then that's due. But, very clear at the beginning, this is a company, OneDrive. It's OneDrive. It's your personal OneDrive, but it's not for storing your family pictures in and, you know, downloading your videos to, or, you know, putting, your shopping lists in.
And people do that?
Oh, of course they do. Of course they do. And the companies don't really mind.
No, most of the time they have enough storage to do all of that.
Exactly. And it's cheap storage. It is free, in fact. So anyway, so, yeah, so OneDrive is an interesting one and, again, we can put email into that. So that is cool.
So we have done sites where we can talk a lot about the governance. We have done the sharing links.
Yes.
And we have done OneDrive and Outlook.
OneDrive and Outlook, yes.
That's already a very nice basic set of governance that companies can start using.
Correct. So what else is on the list? Is it my turn to choose or your turn to choose?
It's your turn to choose.
Alrighty. Ah, cool. labels. Sensitivity labels. Seems I've been spending the last four days writing a presentation and a session on it. Let's cover that. But at a simple level. Yeah, but this can get very, very complicated.
Your session even gave me insights to start using it in some companies where I'm working for.
Thank you very much indeed. Ah, so where do I send the invoice? Sensitivity labels, and retention labels, they're different things and it's a very blurred area. And don't ask me to define what is what because I honestly don't know. I made a note on my, training journal. I don't have a training journal really. But that sounded so good to, try and look at the differences. But I was playing with sensitivity labels and because basically that gives you a lot of capability nowadays than it first came around. So initially it was really about data leakage protection. Now it's really about a lot more. It's, about retention. it's around permissioning, it's around controlling data to particular types of content. So where do we start with this? so who do we talk to governance about sensitivity labels.
And are we talking about governance for the sensitivity labels? Or what the sensitivity labels are going.
To do for governance. Let's start off. All of this is about governance. Stop changing the subject. It's about the governance of sensitivity labels.
Yes, but do you mean then the governance of what a specific label is doing for the company, or do you mean about who is able to set sensitivity labels? Who is able to create them?
Stop confusing it. Keep it simple. Simple. We. All right. dear, I don't know. I thought I was the one that's going to have a difficult stroppy podcast today. But no, that's not the case.
No, but it is a question, because.
I know, of course, everything's a question.
You can do both governances on them. or do we going to talk about.
Tell you what, why don't you decide and then we'll talk about it.
I think people are going to be more interested about what labels can do for an organization, how to define the governance on that.
So here's the thing. So you saying that you're going to use labels to define the governance. Yes, that's what you've just said now. You've just started to realize it's the same thing, haven't you? Because when you set the governance for the labels, all you're doing is transferring your governance to the document. So it's the same governance. What you're saying is who decides what that governance is, which is the same as who decides what the governance is on OneDrive or who decided what the governance was on something else. So let's just not try and answer this question, because I think it's a loop. So we'll just work it. We'll ask the same question again in 10 minutes when we've gone through this.
Yes.
So let's talk about what they do first of all then. And that might help people. Then we'll talk about who sets them up. Yes.
Yes.
Is that okay, boss?
I'm, not your boss.
Are you sure today?
Always sure.
Actually, I have a photograph to prove it.
Oh, yeah, but that's just a photograph. That was not real.
Yeah, we did a photo shoot for the podcast, which I've started to use in my presentations, which is me standing there going, what the is she talking about?
Yeah, you sometimes have that with me.
And then she's shouting at me going, it's quite a funny picture, actually. I enjoyed that. Just like our, podcast icon. You telling me to be quiet and me shouting, oh, no, it's the other way around. No, it was that way around. Anyway, anyway. Anyway, I do get where you're coming from. So let's just work this through. There are certain governance that need to be defined by relevant people for the sensitivity labels to describe what they do. So if you have a sensitive sensitivity label called confidential, okay, then that could be. You would need to decide what, what type of content you're going to use that label for and when you apply that label, what governance it applies to. And that I think is where the balance is in your head. So I have a document called Confidential, and I then need to decide that if something is a confidential document in my organization, what governance do I want to have applied to it? So do I want it encrypted? Question 1. Do I want to have it so that only three people in the organization can see it? Do I want to stop this content being emailed out to anybody else? Do I want to stop this document being shared to anybody else? Do I want to move it to a different library that has got a lot more protection against it? There are a number of governance things that you apply and this is what you were trying to get earlier. Do we talk about who decides that governance for confidential content and then what those rules are that you want to apply. So who decides which documents are confidential? Now the upside of sensitivity labels is that the end user who knows the content best of all can decide whether it is confidential, generally available, sensitive, whatever. Okay, yes. and so they, the person that applies it then has to decide. And that tends to be, you know, a set of rules and adoption on how to use labels needs to be described. But every label has got a good description, so you can tell that. So there, and there are by the way, some set labels that you can just click a button and Microsoft will go, okay, I'm going to roll these labels out.
Yes.
And then you can go and set up the restrictions or not the restrictions. But the point is that you can go to any application, you can go to Word, you can go to PowerPoint, and then you can open up that document and then there will be a column called, sensitivity labels or Labels has changed names recently.
Labels?
I guess it is, I think so. And then you can say this document is confidential or this document is sensitive and then it will apply whatever governance you have configured into that label.
Yes.
And then that document is there. Now what's really interesting is these labels are incredibly powerful. Okay. And it's ah, as I spoke this weekend about how you use these labels to do rbac, so you know, Role Based Access Control, it has a great way of dealing with Things like copilot. We're not going to get into those details now. But it's because there are so many different settings available. So you can decide if a document is confidential, who can see it. So you can say only managers and only executive or C level people in the organization. So if you're a bog standard, normal, normal pleb. All right, somebody that just does administration, if you set a document as confidential, you'll stop, you'll lose access to the document. So they need to be aware of some of the implications because they'll never get to see it again unless they're a manager. so they might have to recreate it or they might have to go and say to the help desk, help, I took this document and I set it to confidential. And really, you know, the price list for the canteen is not that confidential. Can you please revert the label back and then it can be changed back again. So that's what these labels are for the. And again they do a number of things. So you can do data leakage protection, it's not allowed to be emailed out. You can set archive, so you can say hey, after five months of nobody editing this document, I want to set it archive. You can do records management and then we've got retention on here. And that is why I always think about retention and sensitivity labels. So you can say this confidential document I need to keep for five years and then I need to delete it and after two years I'm going to move it to archive. So it's not actually in your normal, storage facility. There's a lot of things you can do when you apply sensitivity labels, but what you need to do is to design and plan them before you set your first label up.
Yes, you need a strategy because otherwise it will cool, messy and it will be getting crazy things.
It could easily be a disaster for lots of reasons.
Yes.
But it's very cool for being able to meet all of those kind of, you know, sort of important kind of data and if you're dealing with medical data, for example, that kind of stuff. So I'm also going to crop out across cross out retention. All right.
Because they are very close together. They are ah, going hand in hand. So yes.
So you can for example, say to that a particular kind of label has to be kept for a particular length of time. So you create it as a record. So a finance document, for example, may not be confidential, but it is a financial document. Could even be a public document. But you need to have the history and everything else. So you create it as a record and then every full version will be stored for whatever length of time. And you know that there are some retention documents that, if you set them to the highest standards, mean that your tenant will never be deleted for 25 years?
Yes.
Even if the company goes bust?
Yes.
The tenant cannot be deleted.
And that's crazy.
Not really. Not if you're Microsoft and somebody's going to have to keep paying for it.
True. But if your company is, not there anymore, nobody will have money to pay for it.
No. But, yeah, it's basically the SEC in the US and stuff. They had some documents that said, look, this must be here forever and ever. Amen. And so Microsoft said, we'll build that in. And they did. All right, cool. So what we got left?
We have the Power platform and content.
And we've been going for about 45 minutes.
Let's go to the Power platform then.
You've been waiting for that, haven't you?
Of course.
All right, what do you need?
Do you think Governor on the Power.
Platform needs to be, I know this. I didn't know this. So it has changed a lot. And so I'm going to some of the stuff I don't know about, but when it first came out there was a number of things. So power platform, so first of all the usual things. So who can create Power Platform products? So who can create flows, who can create power apps, you can create business, bi. Power, bi, robots, all that kind of shit. So all those that can create the content in there, then you need to decide what rights those people have. so you can't have everybody creating workflows, for example, but actually you need everybody to be able to create workflows. So therefore you need to be able to define which areas can be done. And without you're waiting for. I'm not going to finish on this. You know, I'm going to get it all. I'm letting you so basically have this concept of environments. So you can set up environments so that certain people can create certain workflows of certain sizes in certain places. So by default anybody can create a workflow, but it only has to run under their own security context. It's not allowed to run under any other security context. You don't. Sorry.
True.
You forgot that one. Had you?
No.
Okay. and then they're not allowed to use things like ah, Dataverse or any of the really smart stuff. Do you know that every time you create a Ms. Team, sites you create a new environment.
Yes.
So that's the easy way for people to be able to create their own workflows because it's contained by the owner of the team site and everything else. So you give them permissions to somebody, they can get on and do stuff. How well am I doing so far?
Very good.
Good, good, good. All right. It then really depends upon the workflow or the power application that you're designing. So if you're going to do a workflow that needs to be created right across the organization. Are you surprised yet of this stuff?
No.
Good, good.
I knew you were knowing this.
Good, good, good. I'm waiting to see if I can find something that she didn't think I'd know. Anyway, so. Yes. So you can then design an environment for a particular application or for a particular workflow. You can make sure it has access to the right resources. You can control the resources. You can control who can manage those workflows. You can give it a general account, an account that it will run under. You can give it Azure permissions so that you know what resources it needs to Azure. You didn't think I'd know that either? and you can also give it a sensitivity label so that the content generated from it is all protected accordingly. I'm going to. I mean, I can keep.
There is one important thing that I always mention when talking about governance and power platform, and it is you have your environments where you can set up governance on. Did you knew that you can have different solutions in your environment with different rights and different permissions?
Yes.
And that's even better than say, one environment for that kind of workflow.
Oh, I see what you're saying. So you can have multiple solutions inside the environment with multiple permissions. Actually, I did know that, but since I don't create permissions as solutions, I didn't actually ever have to use it.
No, but that's the way, you can protect your development life cycle a little bit. So if you define that you can do a lot of things with environments and solutions to protect it, but at.
That level you're using general accounts or PIM accounts, I'm guessing.
Anyway, yeah, most of the time it depends if you really would like to put something in production, you're not going to use an account of a user or something, then you have the general account and you have PIN protection and all of that.
It all gets. So basically, this document which is going to be managing the governance of your power applications is huge.
It is.
It's complex, but then again running applications like Oracle databases or SQL databases or websites as well. Anyway, so that's the game you're stepping into.
It is. And what I noticed in companies is that many people forget about all, of these securities for power platform.
Of course they do. Hey, look, I can create workflows. Really? Oh, look, I can create workflows. And all of a sudden you've got 25 people creating workflows and they're all then wondering why. Why am I getting all these emails?
Yes.
Every time somebody runs my workflow, I get all these emails. Why is my workflow being copied everywhere?
Yeah. And also if people are creating their own workflows, if they leave the organization, it's the same thing like with OneDrive.
Yeah. Yes. You have to decide what you're going to do about it.
Are you getting tired of this?
No, not at all. I am getting tired. It's been a long day and a long weekend, so I'm struggling a little bit. We're about to go out and have dinner in a bit, so.
True.
That will be fun. I hope that a little bit because we've only got one to. To deal with. So anyway, that says power platform. and I think that that's an important one. And of course it's growing. we've got content left, but, you know, I think we're going to leave content to another podcast.
Oh, yes, we can keep talking on that.
For content types, metadata, manage, metadata, search.
We can talk about that for hours.
Yeah, yeah. And people really would fall asleep if they were going to do that.
And to be honest, search is one that many people are looking for.
Correct. And then we've got copilot, which we're really just starting to understand and dig into. so, yeah, so that's good. So that's not bad. I quite like this. I quite like this a lot. So governance is important. We know that it is, but nobody ever wants to do it until they get caught out by doing something.
And it's one of the things many people forgot. And many people start creating things, start doing things and don't think about the risk they are having. And then people like us, consultants come in and they need to fix it.
Correct. And then we can charge them large amounts of money for doing it and remind them that if they brought us in to start off with, they could have saved all this money.
Yes.
Which they don't really like to hear. Yeah. So no governance is there. And of course all this needs to be documented. And we suggested earlier Put it onto a SharePoint site and some pages so that people can understand what they can and can't do. And the help desk can just send a link and say, yes, you should never have created that workflow. And here's a document that explains what to do and how to get around it and how to apply for a general account to, take, your workflow over, etcetera, etc, etcetera.
If you start using Copilot to create your document, which is fine to do it, but read it carefully and make sure it's really your business governance that is described in there, not something general from other things.
Yeah, yeah, I agree. Just cut and pasted from, some document or there. The other thing that. Oh, man, I am ready for some dinner tonight.
I think you need a whiskey or something.
That might actually, make me more tired, but yes, I probably will go for a whiskey in a minute. M. Or two. actually, we can go for a whiskey because you can't drive anymore, so there's the advantage of losing your license. Moraine's on his way over. He can drive us there. Where is he? Is he telling me where he is?
So we are in your studio. You have those amazing lights.
I do.
And you had some fun do it yourself stuff with the.
Of course.
Papers.
I did all of this. Everything you can see. I know you did all this yourself. I can even make the lights go blue, orange, bright. I can do all kinds of stuff here.
Now we are boys and they're toys.
Yes. You know, women complain about boys and their toys, but I happen to know you as a woman. Enjoy this studio. Yeah, it's cool.
It is.
It's very cool.
well done.
And here we are. And hopefully the podcast is sounding better for it. There's still more work to do, but that's all. Okay. So, just to finish off on governance, then. So. And then we'll go and disappear and we can save this and everything else. Documenting it is important so that when you want to change something, you've got your original setup and your original guides and you know where you're going. documentation is important so you can share it with the end users because then they understand what the business. Agreed. And what's been the reasons behind the restriction or the reason behind the way of working. There's one thing we haven't talked about, which we're not going to talk about now, because that's another huge process and that's the policies behind the governance.
Yes.
So somebody somewhere in the business has to Decide what the policy is going to be around, external sharing, for example, what the policy is going to be around, backing up and protecting your data, what the policy is going to be around about who can and cannot create workflows, what the policy is going to be around, what skills you need to be able to create workflows, that kind of stuff. So policies are a ah, key part of governance and they are the business side, the business descriptions non technical about how the organization is going to run and use those IT services.
True.
And that's the kind of first thing you need to do before we even get to think about what we've been talking about.
Yeah, I think so.
So that's a part of the process.
And if you have those policies written down in documentation, you already have a great start of your governance documentation.
Brilliant start. Because then you don't need to do so much of the conversations with the business, you don't need to sort of bring in all of the relevant people because basically you've already, they've already done that with the policies they did. You've indicated the responsibility.
And also one thing to maybe finish off with is if you write that documentation, review it every six months or something because your company is changing and your policies or governance ah, settings can be changing as well.
I agree entirely and I think that review should be primarily around the policy documents because the policy documents hopefully will drive the technology documents or the governance documents. So I agree, appropriate review and everything else. And then seeing as you are adding things that you should consider about, get your auditors to run through those policy documents and those governance documents will get your legal team to do it. Because the last thing you want to do is to spend a long time setting up your OneDrive sharing only to find that the auditors that have some legal key on your organization don't agree with it. And so consequently the first time the audit comes on they're just going to sit there and go m sorry, don't agree with that. Need you to make some changes. So yeah, make sure that appropriate people sign it off. All right. That was a good session.
It was.
I think anybody listening to this podcast needs to give us a call because this is good stuff we'd normally charge for. So we'll let you know at ah, what point if you've listened to this ah far that's at least a €5 you need to donate into the pot. because you've easily got five euros worth of free cash consultancy. So anyway, I hope you enjoyed this. Was it a good idea it was a good idea. It was a great idea.
Yes.
Cool, cool, cool. and we're off traveling again in a few weeks time.
We are.
We are. We have MVP summit True. Where we get to to find out about just about everything that we're not allowed to tell you.
That's a very good way of telling it. Yes.
We will know and you won't. And on that note, I'm going to say goodbye.
Bye.