Tobias Maestrini

From Assessment to Action: Strengthening Microsoft 365 Governance


Governance in M365 involves the set of policies, procedures, and controls that ensure the effective and secure use of Microsoft 365 tools and services within an organization.

We try to solve governance challenges in regards to licensing costs («We’re spending too much»), data sprawl and leak of sensitive information («I’m concerned about what data people can access»), user responsibilities («I’m just one person trying to do all of it») and compliance requirements.

Understanding the cost drivers in Microsoft 365 means looking at how licenses are assigned and used, storage consumption, and consumption of features.

Ways to reduce risk in M365

Some of the ways to reduce risk in M365 include:

  • Run an overall audit and assessment of your current M365 assets
  • Review who can access resources and with whom files are being shared (internal and external)
  • Regularly review and refine your organization’s governance policies
  • Automate governance processes and tasks where possible
  • Contain the content and resources sprawl

Sprawl can be dangerous if left unchecked – it impacts productivity, innovation, security and compliance. It opens you to security risks, if you don’t have proper «guardrails» in place. The decrease of business value is another risk, as users may struggle to find the information they need.

The 3 Pillars of M365 Governance

  1. Prevention: everything you do to prevent issues from happening in the first place, having guardrails in place (settings, policies, training, communication), govern the lifecycle of content and resources and manage a proper information architecture.
  2. Administration: centralize control and standardize settings, setup monitoring and reporting, establish lifecycle operations for content and resources.
  3. Community Management: build a community of practice with champions and stewards, govern communication and education, establish feedback loops through surveys.

What goes into a Governance Strategy

  1. Define a purpose and scope: output you’re looking for, what areas of M365 you’re covering.
  2. Establish roles and responsibilities: who is responsible / accountable for what (RACI).
  3. Develop policies and standards: data protection & compliacen, security standards, collaboration & sharing guidelines, retention & archiving policies.
  4. Create a change management plan: change request processes, impact analysis, user feedback mechanisms, traning and awareness
#BishopTells