As Microsoft 365 professionals, we engage with many organisations across the year and see many challenges for staff or IT when it comes to collaborating with external parties. These might be vendors, contractors, suppliers, or consultants. Essentially, this means sharing a document to edit together, reviewing a final draft, or receiving something more formal like a ‘read-only’ contract. We understand the concern about staff sharing information or data with people outside the organisation. However, while some of the restrictions or controls in place may seem correct to some, they often highlight gaps in knowledge of how key services or workloads work across the environment, and they impact staff or the organisation in other ways.
Loryan Strant outlined some of the technical detail in this recent blog:
Why your approach to external sharing in Microsoft 365 is wrong – Loryan Strant, Microsoft 365 MVP
While he may have described his blog as an unhinged rant, the core points are valid and important for both the IT professionals managing the environment, and also for the staff using the services.
Organisations tend to make sweeping decisions and remove the ability to share externally, citing reasons such as security concerns, compliance or legislation requirements. In his blog, Loryan lists several common wrong approaches that we often see organisations take when it comes to working with external people or organisations. What I want to explore further here is some of the ways your staff can use the applications or services to share data outside of your organisation that go beyond sharing documents. It is important to consider what your staff are capable of, what you need to do to assess needs and set up controls, and then how to ensure your staff understand the boundaries or controls so they can work within the framework and still have strong modern ways of working across Microsoft 365.
Firstly, what are some of the things to dig deeper into when reviewing how your platform is set up for sharing documents?
Most companies focus on the control around sending documents externally, with strict rules for links, the inability to attach a document to an email at all, and strict control to ensure data is secure.
This can be a short-sighted view that does not really consider all the other ways data can be shared beyond documents.
For example, you can stop staff sharing a document with a vendor, but what are the other ways that vendor can be provided company data? Someone can send out a survey link and gather data from stakeholders, or even share the survey results with a contractor or consultant. Bleeding data in this way may be easier than you think and is often overlooked.
What if an employee shares their calendar to help find a day for a workshop with a vendor, but shares too much calendar detail, and that vendor can see there is a sales meeting with their competitor? Forgetting to show only ‘free/busy’ can certainly risk sharing detail that could impact a tender process, a vendor relationship or even an internal staff member (we all know even seeing a meeting titled ‘termination meeting’ can cause a major impact!).
And it’s not just surveys or calendar detail; there are other ways data or documents can exit your organisation or platform. I am seeing an increasing number of staff in organisations becoming quite savvy with Power Automate. The more intuitive the apps become, the easier it is for them to establish automation without any IT input. While it is great to see growth in skills, the risks need to be reviewed. Something that can be a major concern here is the ability to set up a flow to duplicate a file and store it in an external service, which could fall outside of the controls in place for document sharing in general. We will leave that one for the IT pros in an organisation to be aware of and control or block. The key message here is that if someone is savvy enough to want to take data, they can work out the flow to do so.
A key factor amongst all of this is that if you are too controlling, you push people to ‘shadow IT’ and they will find a way. Your data is then outside of the Microsoft platform, creating a greater challenge and risk. It’s like being too strict with a teenager and pushing them to rebel. But if you flex and create a space to enable the actions they need but with boundaries, you can meet them halfway and keep an element of control and protection.
There is a key balance required for your governance to meet the needs of both the organisation and the end-users, along with clearly communicating what is possible and the ‘why’ for settings and controls. Some staff might be frustrated that they cannot share in a specific way, but if you are transparent and clear with the setup, and those choices or decisions make sense, it eases that frustration. I think we all know how frustration can eventually lead to negative attitudes and resistance, causing more challenges in the long run.
So, what can you do to help your staff?
Let’s be honest here: it’s hard!
Firstly, you need the right people in your organisation, or external advice, that can assess and understand staff needs. Detailed use cases and review with governance can establish a strong foundation that will set you up for success in the long run.
Following that detail, what is then crucial is communication, awareness, understanding and support for your staff.
When it comes to ensuring your platform controls are set up to help enable positive ways of working, ask questions like:
- What are you trying to achieve?
- What type of data are you trying to capture?
- Where can you store the data or documents?
- How has this worked in the past, and what needs to change?
- Is it only a site or only key people?
- Is it only specific types of documents?
- What risks or problems are we trying to avoid?
Through these conversations you will understand why things have been done a certain way, the pain points, and what people are trying to achieve or avoid. You can then make the platform or tools work for them while having the boundaries of control to suit the needs of the organisation. Then, ensure you review this at periodic intervals.
At later intervals, assess: is it working? Do your staff understand? And are ways of working changing in line with the expectations of the organisation?
Consider the capability and understanding of your staff. Are they learning and applying new behaviours, or sticking with old, outdated ways of doing things?
As I mentioned above, it is hard. And it’s harder for your people. Some of the detail with your platform setup really is quite complicated. You need to drive understanding of concepts and features to help staff (a) get it, and (b) come on the journey instead of being left behind.
When communicating why things have been set up in specific ways, along with the major risks or key decisions, give people examples of what is possible and what can go wrong, since these are the reasons for the control.
Many staff have already been left behind and are confused. And unfortunately many don’t know it! What do I mean here? As an example, when it comes to sharing documents, many staff click ‘share’, then ‘send’, and that’s the extent of their knowledge. They don’t realise the default setting of things like ‘specific people’ or ‘organisation wide’, or even ‘edit’ or ‘read only’. In a recent focus group I ran, a person told me sharing doesn’t work for their company. When I dived deeper, I found they were clicking ‘share’, getting a link without realising it was set up for ‘specific people’, and sharing it via email to the entire department. Then someone would click, not get access, and both people would blame OneDrive for not working properly. I walked through the default rules and how to alter these and apply a different setting. Minds blown. People at this organisation were provided with OneDrive, but not supported to build knowledge of the deeper rules and settings to share in ways that meet their use cases. What is interesting here also is that, as for many organisations, sharing is not new, yet people still get it wrong. And they have raced to Microsoft Teams without fundamental basics or behaviours embedded first.
If you don’t take the time to coach and embed the behaviour you want, you are going to increase and embed the bad. Remember the old saying “practice makes permanent”. Most people don’t understand either the need to do things differently, or how, so each day they continue with the current way of doing things, they are making that their permanent go-to.
It is an ongoing ‘dance’ but can be a mutually beneficial relationship if your setup enables efficiency and productivity while keeping your organisation secure. With adequate boundaries in place and clear awareness, education and support, you can drive a strong modern workplace where your staff can gain the skills and knowledge to exist within this framework and be accountable for their choices and skills.