Drive external collaboration for your organization using Microsoft 365 Groups

Hello, and welcome. Today we will talk about external collaboration with Microsoft 365 Groups in Microsoft Teams, Outlook, Yammer, and SharePoint. My name is Salil Kakkar, and I’m a program manager in the Microsoft 365 Groups in Yammer team, and I’m joined today by my colleague, Nandini.

Hi everyone, my name is Nandini Bhavasar, and I’m a program manager for the Microsoft 365 Groups team.

Our goal with this video is to help you become a champion for external collaboration for your organization. We hope by the end of this video, you will be familiar with all the governance superpowers you have at your disposal, and that you’re ready to craft a rollout strategy for external collaboration for your organization.

So, what are we going to do in the next 45 minutes? We are going to power through these four key themes. First, we will start with a quick introduction about external collaboration using Microsoft 365 Groups, share some emerging trends we are seeing across the industry. Second, we’ll look through the group lifecycle and adoption stages. We’ll talk about how do you go from zero to one in setting up external collaboration?
Third, we’ll deep-dive into the best practices to administer and govern guests at scale. Last, but not least, we’ll look at how Microsoft manages guests. This is one of the most frequently-asked questions we hear from you all, so we are happy to share the tools and processes we deploy internally.

Some housekeeping: we will be providing a lot of reference material in the form of URLs throughout this presentation. We encourage you to review these resources, and reach out to us for any questions.

The way we live and work is changing. People need to collaborate more and more just to get work done. With geographically-dispersed teams, a growing fleet of independent workers, and the new work-from-home reality that many of us face, collaboration is no longer limited to the four walls of your organization. We see more and more organizations use technology to bridge the physical distance between workers. This is where external collaboration comes in. The Microsoft 365 suite, including the core communication apps, gives you a secure and compliant model for external collaboration.

Now let’s take a look at guests by the numbers. The usage of external collaboration using Microsoft 365 Groups is going through the roof. Around the same time last year, we had about 9 million provisioned guests, so we see a three-X growth year-on-year, with a sharp increase in the active guests. The feature has deep penetration across our customer base. 98% of all production tenants have guest access enabled. Fun fact, we have a tenant in Antarctica which uses guest access, so you can imagine how this feature is really helping bring the world closer. This huge uptick we’re seeing is due in large part to efforts of people like yourselves who are working super hard at being change agents within your organization, so a big shout-out to you all administrators watching this.

When it comes to external collaboration, the admins often have to tread a tight rope. On one hand, admins want to empower the end users to seamlessly collaborate with external partners. On the other hand, they must ensure that only the right guests have access to the authorized resources at any point in time. At the heart of this dilemma is the fact that there is an information asymmetry between folks in the organization who use external collaboration, and the admins who enforce governance. We do see tremendous feedback from the admin community about how existing ordinance capabilities make your life easier. We also receive feedback from you that we need to do even more to simplify and automate the guest management across the suite. To address these issues, we now provide some key governance superpowers to admins, so they can rely on the system to put the necessary checks and balances in place. They can also empower their employees with additional capabilities, so the end users do not need to bother or depend on admins for external collaboration.

Now let’s take a look at the guest lifecycle, and the different adoption stages. If you’re just starting out with guest access, you’re on what NASA calls an exploratory mission. Your journey starts on the bottom-left of this chart. However, the recommended eventual state for all tenants is the one on the top-right. Here we have a self-sustaining ecosystem of guests using Microsoft 365 Groups with the necessary guardrails of governance and security. The guest lifecycle, as shown by the wheel on the top-right, is similar to the lifecycle for other Microsoft 365 constructs, like Groups.

In the coming slides, we’ll go over the details for various policies and tools you can use out-of-the-box. Before we deep-dive into the best practices for guest governance, here’s a quick refresher on Microsoft 365 Groups. We often get questions like what is a Microsoft 365 Group, and how do they impact external collaboration? The way to think about this is Groups is the platform layer, which powers all the collaboration within this suite. It is the common membership service for both internal and external users that supports the 22 apps in the suite, and a growing number of partner applications. What this means for guest governance is that Groups is the fundamental construct with which the admins can manage guest governance. So, it doesn’t matter if your guests are in Teams, Outlook, Yammer, or SharePoint, you can enforce the same set of governance rules at a Groups level, and be confident that this works seamlessly across the apps.

You will notice that Yammer is a relatively recent entrant to the list. Over the last year, we’ve made huge investments in bringing the suite-wide parity and innovation to external collaboration in Yammer. We’re really excited to announce that the new B2B guest in Yammer is now open for early-access customers. So, let me kick off the demos by showing you how seamless the new B2B guest experience in Yammer looks.

Let us start by looking at the guest access settings in the inviting tenant, Contoso. We’ll go to the Microsoft 365 admin center, and take a look at the settings for Microsoft 365 Groups. From the homepage, we navigate to Settings, then Org settings, and Microsoft 365 Groups. The first option here controls whether the group owners are able to invite guests from outside the organization. The second option determines whether the guest users have access to the group’s content and resources. Since both of these options are already checked, we are good to go.

Let’s look at the brand-new guest experience in Yammer, where we made deep investments recently. Megan is a user in Contoso, a tenant where guest access is enabled. Megan owns a community for AI enthusiasts. She wants to invite Alex, who’s part of a different organization, to get some advice. All Megan needs to do here is add Alex’s email in the member list. This two-click guest invite process is very similar to how she adds regular members, and, presto, the guest is added.

Let’s look at the guest experience. Alex receives an email notification from Megan. He finds out that he’s been invited to a community called AI Enthusiasts from the tenant Contoso. He simply clicks on the link to join. Once inside the community, Alex can access all the community resources, and collaborate like a regular member. He loves the content, and favorites it right away.

To recap, you saw how admins can enable guest access settings for Groups. You also saw the new B2B guest experience in Yammer, including the invitation and redemption flow for guests.

Now let us look at guest governance. This is a quick checklist of all the concepts you need to know while managing guests using Microsoft 365 Groups. These policies form the bedrock of all the guest governance capabilities we provide across the suite. We will cover the highlighted concepts in detail for this session. For the rest, we encourage you to go through the learning resources linked here.

As you prepare to enable guest access for your tenant, there are three fundamental questions to consider. First, who within your organization can invite guests? Second, who all are eligible to be invited as guests? Third, what content is permissible to be shared with the external users?
The admins need to draw a resource boundary, and anything outside this boundary would remain out of reach for the guests. The answers to the above questions might vary based on different factors. For example, the policies and regulations in your organization are subjective. For example, these could come from your legal or HR departments. Another factor could be the level of end-user awareness about implications of guest access.

Once these questions have been answered, you are ready to configure the guest access policies for your tenant.

The Guest Inviter role lets admins select which internal users can invite guests. This option is particularly useful for admins who want to run a pilot for guest access with a limited set of users first. The way this works is really simple. First, you can create a group and populate its membership with all the users who you’d like to empower to invite guests. Second, you can simply assign a Guest Inviter role to this group. For example, in the early stages of rollout, you might only want the managers in your organization to be able to invite guests. With this policy, you can do that in a jiffy.

The domain restrictions give you control over which external organizations can participate in your tenant. For example, you might set up an allow list of domains for seamless collaboration with your partners, or you might wish to set up a deny list with all the competitors’ domains listed, so that no one from the competitor organization ever gets added by mistake. This feature is available through PowerShell and Azure Active Directory Portal. For the SharePoint-heavy tenants, in case you have any existing SharePoint domain policies, you can easily migrate them as well.

The group-level guest access policy affords you granular control over which assets within your organization can be shared with external guests. For example, if there is a group which houses any trade secrets or proprietary information which you should never wish to open for guests, you can disable the group-level guest setting so that there are no accidental leaks of any sensitive information. This makes sure that when it comes to guests accessing your organizational data, you’re always in the driver’s seat. Now let’s take a look at these policies in action.

NANDINI: Let’s now see how we can leverage domain restrictions to control guest access. For this, go to the External Identities module of the Azure Portal, and then click on External collaboration settings. Here, scroll down to the section of Collaboration restrictions. There are three options here. For the first one, you’ll be allowing invitations to all the domains in the world, so this is the most inclusive option. For the second one, you’ll be denying invitation to a specific list of domains, and with the third one, you’ll be able to allow invitations only to a specific set of domains. This is the most restrictive one. For the purpose of the demo, let’s choose the second option. Imagine a scenario wherein you do not want to allow employees of your competitive organization to have access to any of your resources. In this case, you would choose the option two, and enter the domain of your competitor. When it’s done, you’ll see that with this you have restricted access to all the employees of your competitor organization. Now let’s take an example. We have a SharePoint site here, and somebody from your organization accidentally tries to add the member of your competitor organization, and when they do so, we see that their request fails, so this is how you can control guest access based on domain restrictions.

Let’s now see how we can control guest access at the group level. Consider the case where you have a team with a group like LeadershipOnly. This is a highly confidential team, and you want to block all accidental guest additions into this team. You’ll be able to do that with the help of a simple PowerShell script. Here, in the first section, I’m retrieving the group ID of the group LeadershipOnly. In the second section, I’m setting the AzureADDirectorySettingTemplate with AllowToAddGuests set to false, and in the last section, I’m just updating the template of the group. Once executed, you’ll be able to see that AllowToAddGuests of the group LeadershipOnly is set to false. Now if anyone tries to accidentally add a guest into this team, they’ll not be able to do so. This is how we block guest access at the group level.

Many of you might be familiar with sensitivity labels in Microsoft 365. These are the unified labels which help you classify and protect your organization’s data. Among other things, these labels can be used to regulate which users can create groups that allow for external participation.

One common query we get from admins is: with guest access enabled for our tenant, now all the users are creating groups which are enabled for guest access. In some cases, the admins might want to restrict certain users from creating such groups which allow external members. This is where the sensitivity label can be really useful. You can create labels which define the guest access settings as disabled. You can then create a policy to attach the label to a specified set of users. Now you have ensured that this set of users can never create a group which allows for guest access. This option is really useful in the pilot stages for external collaboration. Now let’s see a demo on this.

NANDINI: Hi, everyone, let’s now see how we can control guest access via sensitivity labels. For this, go to the Microsoft 365 security center, scroll down to Classification, and click on Sensitivity labels. Sensitivity labels are a way to classify email messages, documents, sites, and more, and these labels can be used to protect content on a site based on the settings chosen. Let’s see how. For this, let’s create a label, and name it, and then click on Next. I won’t be enabling encryption or content marking for now. Under the Site and group settings, you’ll see an option for external users. By checking this, I’ll be allowing guest access into the group. By unchecking this, I’ll be blocking guest access. Once a label is created and published, we’ll be able to leverage these labels to control guest access. Let’s understand how. When you’re managing a large organization, users might have the need to add guests, but that might not be often, so they’re not going to be experts in understanding when they can allow guests and when they cannot. So, all you have to do is educate users about this small number of labels, and help them pick the right label when they’re creating a resource, and you as an admin can enforce the right policies from behind the scenes. Let’s take an example. I already have two labels created.
One of them is called Marketing, where external users are allowed. I have one more label called just Research where external users are blocked, so you have to tell your users to apply this Research sensitivity label whenever you’re creating a resource or a group which is related to research and development of your organization. Let’s see how they can use it. When one is creating a new group, they’ll be able to see this Edit button with which they can select the right label. When the user is creating a research resource, or research group, they can select this Research label. Automatically, no guests policy is applied. When they apply the Marketing label, guests will be allowed. Similarly, when one is creating a team, the same set of labels will be enabled for users to pick from. By selecting the right label, you’ll be able to control guest access. These labels can also be applied to existing teams, or groups, and the changes will take effect henceforth, and that’s how you can use sensitivity labels to control guest access, thank you.

Entitlement management is a great way to automate guest management and lifecycle at scale. Imagine a scenario where you have a bunch of guest contractors joining a project for six months. You would want all such users to be productive right from day one, by giving them access to all the documents and resources they need. You might also want to set up a workflow so that the respective owners of these internal resources can approve such requests. Finally, once the project is over, you want to make sure that the guest access is revoked for the whole bunch. This is where entitlement management does all the heavy-weight lifting for you. You can create an access package, which is nothing but a bunch of resources in your tenant. You get a shareable link, which you can share with the guest users. Once the guest users request access, the request is automatically routed to the specified list of approvers. Once approved, the guests can access all the resources right away. You can also configure the time window for the guests’ access, past which the access is automatically disabled.

Guest access reviews allow for periodic attestation for guests. This ensures that you only have the relevant sort of guests in your tenant at any point in time. This takes the burden off the admins’ shoulders by creating a self-service model, where the owners of the respective resources are on point to validate the guest’s membership. For example, the admins can set up a guest access review policy, which asks the owner of the group to confirm at regular intervals if the guest’s presence is still needed. If the owner confirms, the guest retains access. Otherwise, the guest access is revoked instantly. Additionally, as admins, you can also define what happens if the owner fails to attest. You can configure the policy to withdraw the guest access by default in such scenarios. Now let’s take a look at these features in action.

NANDINI: Welcome to the demo on entitlement management. Imagine a scenario where you have hired a vendor organization for a project in your company. For faster and effective collaboration and progress on the project, you might want to assign access to certain SharePoint sites, perhaps, of your company, to the employees of the vendor organization. Entitlement management lets you do the same in an efficient manner. Let’s see how we can leverage this feature. For this, go to the Identity Governance module of the Azure Portal of the home tenant, in this case, Contoso, and scroll down to Connected organization. Connect to the organization as an external Azure AD Directory or a domain that you have a relationship with. Let’s add an entry for a vendor organization, in this case, Fabrikam, and then click on Next. Here, we’ll be adding the domain of the Fabrikam, and add it. In the next section, we’ll be selecting the sponsors. I’ll add the admin of the home tenant as the internal sponsor, and I’ll also add the admin of the Fabrikam tenant as the external sponsor. Once done, and the details have been reviewed, click on Create to create a new connected organization entry for Fabrikam.

Now let’s go to the next step of creating an access package. For this, go to the Access package pane. Click on New access package, and start entering the details, and click on Next. In this section, I’ll be adding all those resources
to which I want the Fabrikam employees to have access. Let me add a SharePoint site. I can then add a team. Let me also add an application, say, Salesforce, and select it. I’ll also assign the roles for the employees of Fabrikam, say, Visitors to the SharePoint site, Member to the team, and, say, Standard User to the Salesforce application, and then click on Next. Since I’m creating this package for external users, I’m going to select this option, For users not in your directory, and then go ahead with this option of Specific connected organization, and select the Fabrikam connected organization entry that we just created, and then select. We want every request to be approved by an internal or external sponsor, so I’m going to select this as Yes. We want the requester to justify their request, so this is set to Yes, and just want one stage of approval, and we want the first approver to be, say, the internal sponsor. I’ll also add a fallback as admin of the Fabrikam, and if the decision is not made in 14 days, the request will be automatically rejected. We do not want the approver to justify their decision, so I’ll set this to No, and we want new requests and assignments of this policy to be enabled, so I’ll set this to Yes. In the next section, we’ll be deciding on the expiration and access review policies. We want the assignment to expire after, say, 365 days, so I’ll let this be. We want to enable access reviews, and we want these access reviews to happen bi-annually, so I’ll select that, and then click on Next. Once all the details have been reviewed, and all the resources to which you want the employees of Fabrikam to have access are in place, let’s create the access package. Once the package is created, we just have to pass on this My Access portal link to the vendor organization. The employees of the vendor organization can then request access to this package with this URL.

Now we are in the account of Alex, an employee of Fabrikam, and he has received the URL to the access package from his administrator. When he opens it, he’ll be able to click on this plus button and request access. He’ll enter the business justification, agree to the terms, and click on Submit. With this, Alex has submitted the request to access the access package.

Now back into the account of the admin from Contoso. He sees that Alex from Fabrikam has requested permissions to access the resources. He selects the request, and clicks on Approve. With this, the admin has approved Alex to access the resources.

Back into the account of Alex from Fabrikam, we see that he’s received an email stating that his request has been approved, and he now has access to the package. By clicking on the Get started button, he goes to the My Access page, and can now see all the resources to which he has access, for example, the SharePoint site. Alex can now use this resource to start collaborating with Contoso. So, this is how you leverage entitlement management to collaborate with external organizations in an easy and secure manner, thank you.

One of the most frequent questions I get from customers is about the guest access controls we have in place internally within Microsoft. Microsoft is a large tenant, and we rely heavily on external collaboration to work with tons of partners and customers, like yourselves. Within Microsoft, the guest access capability is enabled at the tenant level, and all full-time employees can invite guests. We also deploy a simple but comprehensive terms of use for all incoming guests to set and manage the expectations between employees and external partners. The other feature to highlight here is the guest access reviews we covered just a few minutes back. This is a popular and heavily-used feature within Microsoft, and it’s used for automating guest lifecycle management. We see similar trends across the organizations in our customer base.

We hope this provides you with a glimpse into how the other organizations are managing guest access, and helps you define your own philosophy on external collaboration. As the next step, we would like you to create your own organizational plan for external collaboration. Please feel free to reach out to us if you have any questions. Thanks for watching the video, bye.