Enable your workforce to confidently return to on-site work by deploying Microsoft’s Return To The Workplace app. The app allows managers to view location readiness, conduct employee health screenings, and ultimately ensure a safe environment to return to. Return To The Workplace is available in the AppSource, and is deployed as a Dynamics 365 App within your environment.
The App includes four separate solutions, all of which are interconnected through Common Data Services (CDS) and are all essential to use together to make the solution effective. These four solutions include:
- Location Readiness dashboard (Power BI)
- Workplace Care Management dashboard (Power BI)
- Facility Safety Management app (PowerApp)
- Employee Return to the Workplace app (PowerApp)
Learn how to use the other sections of the solution in this Return to the Workplace Solution Overview.
Prerequisites
The Return To The Workplace app requires two prerequisites:
- Global Administrator: Required to install the app and deploy it within an environment.
- PowerApps Per-App Plan ($10/Month): Required to have at least 1 per app plan to run this app.
Using the App
The first screen gives users the options to get a day pass, look up the status of a facility, or register a guest for entering a facility. There is also an optional self-assessment to select how safe the employee feels to return to work (Yes, No, Neutral). The selection is saved inside a CDS entity and factored into the app’s pre-configured algorithms. Organizations can modify those algorithms with the PowerApp studio to customize how it behaves and/or handles the user’s inputs.
Day Passes
The Day Pass feature allows users to search for active facilities and select one they want to enter. Users can follow the below steps to book a day pass:
- Select Get Day Pass.
- Search for the facility they would like to enter.
- Select Book A Space.
- Select Accept to agree to take the Daily Health Check questionnaire which will be given upon arrival at the facility.
- Select I Agree to confirm that the users’ current health meets the requirements to enter. NOTE: Selecting I Disagree will deny the user from being able to book a space.
- The day pass is generated.
- If a user needs to cancel, they can do so by selecting Cancel.
When it comes time to enter the facility, the user must first complete the Daily Health Check to ensure they are healthy enough to enter the facility.
Then, the user must choose which facility they’d like to enter.
They are given a pass for the facility of choice.
Register A Guest
This feature allows users to generate a day pass for guests to enter facilities. To do so, a user should:
- Select Register A Guest.
- Fill out the guest info and select Next.
- Proceed with the same steps as Get Day Pass.
Look Up Status
This function allows users to view the current status of a facility. The status of facilities is pre-configured by ‘Phases’ inside the Facility Safety Management app.
To utilize the Look Up Status feature, follow these steps:
- Select Look Up Status from the home screen of the app.
- Search and select the facility in question.
- View the current Phase.
- NOTE: If the facility is open and active, the Book A Space button will be enabled.
Safely Get Back To The Workplace
Give your team the ability to control their return to workplace operations with custom safety parameters set through the Microsoft Return to the Workplace app. Employees will have increased confidence in management’s ability to control potential risks and management will feel confident in their ability to control the return to work process and give some responsibility to the employees.
FOXBOROUGH, MA – October 7, 2020 – Thrive, a premier provider of NextGen Managed Services, announces today that it has acquired Timlin Enterprises, an information technology services provider and long-time collaboration partner focusing on the Microsoft 365 platform, Teams and SharePoint. This transaction is Thrive’s first non-MSP, product-capability acquisition, greatly enhancing its existing technology portfolio by adding a proven team with expertise on Microsoft tools.
Timlin, headquartered in Massachusetts, has a deep bench of engineers, consultants, and business analysts spread out geographically across the United States. The company is predominantly focused upon the Life Sciences and Biotech industries, boasting an impressive clientele list, along with additional proficiency in Banking & Financial Services.
The acquisition of Timlin significantly expands Thrive’s Microsoft Collaboration and Digital Transformation efforts to help companies unlock the hidden value they are paying for and not utilizing within the Microsoft 365 platform, increasing employee adoption and driving productivity increases. Additional benefits include enterprise-wide governance, training, management, development, support; Teams integration and collaboration; SharePoint architecture management; SQL hosting and management; Power BI and Power Platform business process automation; and other Microsoft application management.
“We’re very excited to welcome Timlin to the Thrive family and create a separate Microsoft Collaboration Unit,” said Rob Stephenson, CEO of Thrive. “Timlin’s tremendous team of expert technical and consultative employees will provide a huge benefit to Thrive’s Microsoft 365 customers, enabling them to accelerate their digital transformation efforts and enhance employee productivity.”
“Timlin has more than 10 years of experience guiding our valued clients with Microsoft platform adoption efforts, especially in the Life Sciences sector, and we’re proud to combine our highly-skilled team, tools and insights with Thrive to enhance its industry-leading NextGen Managed Services Platform,” said Ryan Thomas, CEO of Timlin Enterprises. “Our whole team is excited to embark upon this journey and spur additional growth for Thrive, as well as to allow Timlin customers access to Thrive’s Cyber Security and Public, Private & Hybrid Cloud-focused services.”
Mr. Thomas, Jeff Johnson, and Joe Piccirilli will continue to oversee the management of Timlin as the Microsoft Collaboration Division of Thrive, along with their existing employees. Timlin engaged BellMark Partners as an exclusive advisor on the deal.
The Timlin transaction is now the eighth acquisition for Thrive since the M/C Partners investment back in 2016.
###
About Thrive
Thrive is a leading provider of NextGen managed services designed to drive business outcomes through application enablement and optimization. The company’s Thrive5 Methodology utilizes a unique combination of its Application Performance Platform and strategic services to ensure each business application takes advantage of technology that enables peak performance, scale, and the highest level of security. For more information, visit thrivenextgen.com
Thrive: LinkedIn, Twitter, Facebook, YouTube and Instagram
MEDIA CONTACT:
Stephanie Farrell
Director of Corporate Marketing
617.952.0289 | sfarrell@thrivenetworks.com
About Timlin Enterprises
Founded in 2010, Timlin Enterprises helps clients operate as digital organizations by enabling and continuing to advance their Office 365 and SharePoint capabilities. Timlin harnesses each organization’s unique definition of digital transformation, focuses on end users as the key to adoption, leverages a proven methodology, and maintains a commitment to exceptional service delivery using only US-based resources, as proven by a 100% service retention rate. From targeted professional services to Center of Excellence managed services they have the solutions to help organizations adopt the tools available in the Office 365 platform to keep pace with the new speed of business. For more information, visit timlinenterprises.com
About M/C Partners
Based in Boston, M/C Partners is a private equity firm focused on small and mid-sized businesses in the communications and technology services sectors. For more than three decades M/C Partners has invested $2.2 billion of capital in over 130 companies, leveraging its deep industry expertise to understand long-term secular trends and identify growth opportunities. The firm is currently investing its eighth fund, partnering with promising companies and empowering strong leaders to accelerate growth, optimize operations, and build long-term value. For more information, visit mcpartners.com
About BellMark Partners
BellMark Partners, LLC is a boutique investment banking firm providing M&A, capital raising, restructuring, and strategic advisory services to middle market companies with a particular emphasis on the Consumer, Industrial, Healthcare, and Business Services markets. Headquartered in Boston, MA with an additional office in Cleveland, OH. For more information, visit bellmarkpartners.com
Microsoft Bookings, an app included in Microsoft 365, is a scheduling tool that allows customers to easily book appointments with a company. The app incorporates a web-based calendar that integrates with Outlook, ensuring availability always stays up-to-date. Customers can easily schedule appointments during available time slots with the team member of their choice, cancel and reschedule bookings, and enjoy auto-generated emails to keep all parties notified.
The following Microsoft licenses include Bookings:
- Microsoft 365 Business Standard
- Microsoft 365 A3
- Microsoft A5 subscriptions
- Office 365 E3 and E5 subscriptions
Components of Microsoft Bookings
Business Information
All details about your business are configured in the Business Information section. These details, such as your business name, address, phone number, logo, and hours of operations, are visible to your customers.
Services
Business offerings are configured in the Services section. You can specify details such as:
- Service location (virtual or physical)
- Service description
- Pricing
- Staff member assignments
- Maximum number of attendees per service
Staff
The Staff section is where you can specify all items relating to the members of your team relating to the services they provide. This can include:
- Assign to specific services
- Services the business provides
- Hours of availability for each staff member
Customers
When users schedule an appointment or book a service, they are automatically added as a customer in your Bookings app.
Customers can be added manually or imported from a .csv file.
Bookings Page
The Bookings Page is where major app details are configured and where the app is published. These details include:
- Selecting a color scheme/theme of the Bookings app
- Setting the time zone
- Setting email notifications
- Requiring customers to have an Office 365 account to use the app
Calendar
The Calendar is for internal use only — it is only accessible by staff members. All Bookings made by customers will populate in the Calendar. The Calendar view can be switched around to display bookings by Day, Work Week, Week, Month, or Today. Clicking on each booking will display all the information regarding that specific booking.
Home
The Home dashboard displays an overview of the number of bookings made, the estimated revenue from all bookings, and the number of unique customers that have booked.
The Problem
The COVID-19 pandemic forced companies to quickly transition to working remotely. As the pandemic settles and work-from-home mandates are lifted, businesses will have to adjust, once again, to ensure a safe return to the workplace. One of the main priorities during return to work operations is limiting capacities to ensure social distancing is possible.
The Solution
At Thrive, we pride ourselves on discovering ways to leverage existing tools in the Microsoft 365 ecosystem to fulfill even more business needs than they were originally intended for. Why not utilize Microsoft Bookings to ensure a safe and socially-distanced return to the workplace?
By utilizing the Services section for your office building, room, floor, or workspace, you can automate monitoring and limiting capacity with ease. The Staff section can be used for reservations and the Customer section can be used by employees who would like to come into the office.
The Fine Print
The ‘Maximum Attendees’ feature in the Services component doesn’t always work as seamlessly as we would like.
The key to successfully limiting the number of people that can book on a specific day is to add the exact amount of staff members, listed below as “reservations,” as a guideline for the maximum capacity for the office. In other words, make the total number of staff members equal the maximum capacity of people allowed in the office at once to restrict any more appointments.
Bookings require at least one staff member per booking. With three added staff member reservations and myself as an Administrator (by necessity), the app will allow four bookings per day—and nothing more. Even if ‘Maximum Attendees’ was set to one or two, the app would still allow four users to book—which is why this workaround is necessary to get the app to behave how it is intended to.
For this to work, the Availability for the Services must be set to “Bookable when staff are free.”
Takeaways
We encourage you to try customizing your Microsoft features to best fit your needs. Microsoft Bookings’ capabilities reach far beyond simply scheduling and can be a great way to assist with keeping your team safe while returning to work.
As always, Thrive is here to help you keep up with these quick transitions. If you would like assistance to get the most out of your Microsoft 365 investment, please contact us today.
In the second blog of this series, we discussed how Access Reviews in Azure Active Directory (Azure AD) provides a guided review of a group of Microsoft 365 users to help determine if their continued access to tenant resources is required. The third and final tool designed to control and audit access to company resources is Privileged Identity Management (PIM). PIM works synergistically with the other tools to help keep a watchful eye on the collaboration space without impeding productivity.
In Part 3, we’ll discuss PIM in detail. This tool is designed to provide just-in-time escalation of permissions to ensure higher permission levels are only available when needed and can be applied with governance in mind.
Privileged Identity Management
Setting up Privileged Identity Management
PIM is designed to support a “least privileged” model by making granular roles available to users requiring elevated functionality. In addition, users with continuous excessive access are vulnerable in the event their account is compromised, so when not-needed users’ accounts have no extraneous permissions. When needed, a user simply requests elevation into a specific role that has been made available to them. Depending on configuration, the assignment is either automatic or requires approval and/or justification.
The first step in configuring PIM is selecting which roles should be available under which circumstances. This configuration is found under Identity Governance, in the Manage section, by selecting Roles. The Roles screen presents a large list of Roles along with a Description of the Role’s intended usage. The screen will also display how many users are currently Active in a Role and how many users are eligible to be activated in the role.
For example, suppose you want to allow an Administrative Assistant to occasionally reset passwords without involving a tenant Global Administrator. To set this up, click on the Helpdesk Administrator Role in the list, or use the search to filter the list. Selecting this Role will list all current assignments for that Role, including Eligible, Active, and Expired. Pressing the “Add assignments” button will begin the process.
The first screen will show you the Role you have selected, with a link to select member(s) to assign to the role. Pressing the hyperlink under the Select member(s) will bring you to a search for all users within your tenant.
Select the user and press the Select button to add them to the list of members eligible for the Role. Selecting Next navigates to the Settings section, where you determine the Assignment type and durations. Leaving the type Eligible will require the user to request elevation when needed, which is the intention in this case. If you want the assignment to be limited in duration, such as covering an employee who is on leave or vacation, you can set dates for the start and end of the assignment by un-checking Permanently eligible and select dates. Selecting Assign will move that assignment into the Eligible list.
Additional settings can be applied to the Role by selecting the Settings button at the top of the Assignments screen for the Role.
From this screen, there are many configuration options to allow for more granular control of how the escalation process is executed, including approval and notification options.
The first section covers the Activation process itself. Here you can set a maximum duration for the escalation, require Azure MFA, justification, ticket information, or even approval. If requiring approval, you can select who provides the approval from this screen as well.
The next section covers Assignment, where you can decide if permanent Eligible assignments are allowed, permanent Active assignments, and whether justification and/or MFA is required for Active assignments.
The final section provides rich configuration for Notifications to be sent regarding this process. Notifications can be enabled for when members are assigned eligible to the role, when they are assigned as Active to the role, and when eligible members activate the role. This last alert would trigger when escalation has occurred. Each section of notification includes three options: Role activation, Notification to requestor, and request for approval. All of these options are enabled by default, with default recipients being Admin, Requestor/assignee, and Approver. Additional recipients can be added for most notifications.
Requesting Elevation
Once a role is configured to be available, a user can request escalation by going to Azure AD, navigating to the Identity Governance screen, and selecting “Activate Just In Time”. There, they will see all Roles for which they are eligible, and have the opportunity to request being assigned to that role. Pressing Activate will start the process to be added to the role.
Depending on configuration there may be approval and / or justification needed for the assignment to be completed. They can also set a Duration, up to the configured maximum, for how long the assignment should be in effect.
Once completed, they will be in the Active roles section until the duration has been met, or they manually Deactivate the assignment.
Summary
Privileged Identity Management in Azure AD Identity Governance provides just-in-time elevation to targeted roles, helping to protect users’ accounts during normal usage, but providing an easy, governed method of escalating privileges when needed. As with the other facets of Identity Governance, PIM provides a healthy balance of productivity and security within the Microsoft 365 platform.
Need a refresher?
In our first blog of this series, we discussed how entitlement management in Azure Active Directory (Azure AD) Identity Governance creates Access Packages to control the scope and duration of access to groups, applications, and SharePoint sites. The two additional primary tools designed to control and audit access to company resources include Access Reviews and Privileged Identity Management. These three functions work synergistically to help keep a watchful eye on the collaboration space without impeding productivity.
In Part 2, we’ll discuss Access Reviews in detail. These are about auditing access to ensure previously-granted permissions are still appropriate and necessary.
Access Reviews
Setting up an Access Review
An Access Review is a scheduled, guided review of a group of Microsoft 365 users to help determine if their continued access to tenant resources is required. The review can be performed by multiple users and can be set to report on dispositions and, in some cases, automatically take action based on the dispositions set.
The first step of creating an Access Review is naming and describing its purpose. You will also set a start date and frequency if the intention is to perform the review periodically. Frequencies include weekly, monthly, quarterly, semi-annually, and annually. Occurrences can run indefinitely or can end by a specified date or after a number of occurrences. The review will also have an end date, after which the review will close and the “upon completion settings” will be applied.
Next, you determine who will be reviewed and who will be performing the review. The users to review can be Members of a Group or users Assigned to an Application on the tenant. Additionally, you can scope the review to include Guest users only or include all users. For Reviewers, you can select the Group’s owners, specific tenant users, or allow for self-review by the users. You can also associate the review with a Program (similar in concept to a Catalog for Access Packages) or choose the Default Program.
Next, we’ll set the “Upon completion settings,” which determine the action to take when the end date of the review is reached. The first choice is whether or not you’d like to auto-apply the results. With this setting enabled, any user whose disposition is to Deny access will automatically have their access removed upon the completion of the review. The second option is to determine what actions to take if reviewers don’t respond. These options include “No change,” “Remove access,” “Approve access,” or “Take recommendations.” The last option is based on Azure AD’s auto-set recommendations, which are primarily based on the last time the reviewed user utilized the system.
The final settings, under Advanced, include options to Show recommendations, Require a reason on approval, Mail notifications, and send Reminders to reviewers. All are currently enabled by default.
At this point, we are ready to start the review process. After pressing the Start button, the new Access Review will be added to the Access Reviews section within the Identity Governance module. The listing will include the name, the resource being reviewed, the status, and when it was created.
Clicking on the review will show an overview of the settings as well as a chart showing the status of the resources being reviewed. There are also pages to view the Results and the Reviewers. You can even send automated reminders for individual reviewers with the press of a button.
Performing a User Access Review
If the Mail Notifications option was set to Enabled, reviewers should receive an email with a link to begin their review. The email will have a hyperlinked button to take the user directly to the review page.
The Review page will show all relevant information, including who requested the review, when it is due by, the names of any other reviewers, and the progress made so far. It will also list each Resource being reviewed with their name, email address, Access Info (statement about whether they have recently logged in), and a recommended Action.
This list of users can be filtered based on Status (Reviewed, Not Yet Reviewed, All), Recommendation (Approve, Deny, All), or Action (Approved, Denied, Don’t Know, All). The reviewer can click on a single source to review or multi-select resources using the checkboxes, then press the “Review n user(s)” button. Reviewing resources opens a dialog with options for the disposition and comments. Actions can be Approve, Deny, or Don’t Know. The recommended action will be highlighted already. Don’t Know is useful if there are other reviewers who may have more insight or knowledge of the resource being reviewed.
Although all Resources may have been reviewed, the Access Review will stay open until its end date has been reached to allow for changes or other reviewers to provide input. If desired, a review can be manually stopped so action can be taken. This can be done by the user who originally set up the review using the Access Review overview screen. At that time, the actions will be automatically applied if the “Upon completion” setting’s “auto apply results to resource” is enabled, or the Apply Results button can be pressed if not.
The results of the review can be reviewed in the Results section of the Access Review.
Summary
Access Reviews in Azure AD Identity Governance provide a simple, consistent, and governed method of reviewing and controlling access to company tenant resources. By combining Access Reviews with Access Packages, administrators can tightly control who has access to which resources and ensure they retain the appropriate access only as long as required, all while maintaining agility and simplicity for users.
Next up: Privileged Identity Management. Configure just-in-time role escalation to implement a least-privileged security model for day-to-day operations while providing a rapid but governed path to escalated roles as required. Stay tuned!
For those using Zoom, hopefully you are carefully reconsidering your use based on the recent security concerns exposed. In this blog, I’ll review the features of Zoom relative to Teams to make sure users are aware of what they get and are giving up with each platform in the event they could take advantage of features that allow them to communicate and work better.
Unlike a simple “review site,” I’ll address this from the view of a remote worker trying to get their job done and highlight the differences in functionality. This comparison is not intended to target the “social distancing cocktail party” crowd, though they may benefit from it as well.
Security
Zoom should essentially be treated like an “open conversation” until they get their security issues fixed. The platform is easy to hack and Zoom has previously admitted to collecting and sharing users’ personal data. If security is a real concern, I would not recommend Zoom for anything that you wouldn’t feel comfortable with any random person hearing.
Microsoft Teams does not use users’ data for anything other than to provide better services. The Microsoft 365 platform, in general, is designed around data loss prevention and information protection. However, it has more to protect as it is designed for persistent storage and collaboration on sensitive information, not just a simple video conferencing platform.
Web Conferencing
Zoom is simple — which is part of what made it vulnerable. It’s really just an audio/video conferencing tool. Zoom makes it easy to set up a virtual meeting, meet, chat, discuss, and be done. It also doesn’t require any advanced authentication or account management besides your name.
Teams has similar functionality, but may take a moment longer to set up a conference due to the intent of the platform. For example, Teams was built for integration with Microsoft 365, not as just a standalone product. Its scheduled meetings can be done from within its own calendar interface, which pulls directly from your Outlook/Microsoft calendar. You can also create meetings for Teams directly within Outlook and never open Teams.
Video Calls & Chat
When it comes to one-on-one or multi-person calls and chatting, Zoom is heavily built around the ID of a meeting or user, which is sent out for attendees to “join.” This system is designed to help users schedule meetings or start ad hoc video conferring meetings quickly, but it gets a lot less user-friendly when you want chat with someone, view their availability, jump on a video call, and add/remove people from that context.
Teams is designed around the individual, not the meeting. Chatting with someone, adding another person to a chat stream, sharing documents and notes, and collaborating on files are Teams’ main goal. It’s called “Teams” for a reason — it’s meant to let smaller groups of people work together.
It’s important to know that when sharing documents or data with people in ad hoc chats or video calls, that data is stored in OneDrive and available indefinitely if you want to continue working on it.
Since Teams is part of the overall Microsoft 365 ecosystem, all the data is searchable and discussion/chats can be sent out via email.
Telephone Integration
One of the biggest differences between Teams and Zoom is telephony. Zoom allows you to use a web link or a dial-in number for those joining from phones, but that’s pretty much where it leaves off. Teams has advanced integration with true calling capabilities because it was designed to replace telephone systems as well.
For example, with the proper licensing, I can call a telephone or join someone else’s conference via a traditional dial-in number with Teams, treating it like it was a telephone. In a voice meeting or chat, when I want to add a user, I can choose to call their telephone to dial them in. If Teams knows the user, it allows you to choose to invite them via telephone or their traditional online user account.
If you want the ability to add legitimate telephone capabilities (including receiving calls and voicemail), Teams is a much better choice.
Complete Internal Communication
Teams was created to be a complete internal communication hub — a context-based front-end to a lot of the work we perform on a daily basis. Its capabilities include: emailing, chatting, meeting, co-authoring documents, setting up calendar items, working on projects, and collaborating with both internal and external users on various secured topics and data.
Teams allows users to work with documents in secure channels, synchronize data to desktops, and co-author documents, adding workflow and automation to them as well. It also allows users to notify others when certain changes are made or reduce notifications on items they don’t need to hear about.
Teams provides for persistent notes integrated into meetings or work “locations” and @ mentions and hashtags to message people and groups specifically or allow them to search for tagged data and conversations.
One of the most important aspects of Teams is the ability to create multiple teams to work on specific content or projects and make sure those locations are private, secure, and audited, only accessible by the intended groups or users you define.
Platforms
Both applications are available on all typical platforms: PC, Mac, iOS, and Android. There isn’t a big distinction here in terms of availability, and both tools can be browser–based.
Price
Teams has a free version and the paid access starts with a $5 minimum licensing. However, most organizations already have Microsoft 365 Business Premium ($12.50) or E3 ($20) licensing, which includes a fully–functioning version of Teams at no additional cost. Prices increase if you want to use Teams as your office phone.
Zoom has a free version with some meeting time limitations, and their standard pricing is approximately $15-20 per month.
Bottom Line
The bottom line is that, in many ways, Teams and Zoom aren’t even comparable.
Security aside, if all you want to do is create a video/audio conference calls from a computer, Zoom is certainly easier to set up and use. Because the functionality is very specific and limited, there isn’t much else to do with it.
Teams, however, is designed to be an enterprise collaboration and productivity tool for business that do a lot more than calling and conferencing. The integration of documents, data, workstreams, permissions, and sharing all lend themselves to a deeper overall product. This product does come with some complexity and governance challenges that need to be addressed unless you simply want to use it for video conference calls.
If you want to do more with the tools you have and prefer software you can manage internally via settings, provisioning, and auditing, Teams is the clear choice for you.
How Azure Active Directory (Azure AD) Identity Governance can assist your organization in responding quickly to new collaboration needs while maintaining security and governance.
The sudden onset of the COVID-19 pandemic sent much of the world into a frenzy. With businesses concerned for the safety and wellbeing of their employees and customers, and many governments strongly advising social distancing, the need to ramp-up the remote workforce went from a distant goal to a top priority almost overnight. One of the many groups greatly impacted by this new priority is the group of people responsible for collaboration platforms such as Microsoft 365. The need to quickly enable remote workers has made it seem necessary for many groups to ignore or postpone best practices and security considerations in favor of business continuity. Azure AD’s Identity Governance is one set of tools designed to help strike the balance between security and productivity, enabling quick turnaround on required resources while providing checks and balances to mitigate risk.
What is Azure AD Identity Governance?
Simply put, Azure AD Identity Governance is about “ensuring the right people have the right access at the right time.” More specifically, it is a set of 3 primary tools designed to control and audit access to company resources.
Entitlement Management is about creating Access Packages to control the scope and duration of access to groups, applications, and SharePoint sites.
Access Reviews are about auditing access to ensure previously granted permissions are still appropriate and necessary.
Privileged Identity Management covers the just-in-time elevation of tightly scoped roles to allow users to perform privileged operations when needed while maintaining lower permission levels during their day-to-day job functions.
These three functions work synergistically to help keep a watchful eye on the collaboration space without impeding productivity. Part 1 of this series will cover Entitlement Management in detail.
Entitlement Management
Setting up an Access Package
The key component of Entitlement Management is the creation of “Access Packages”. An Access Package is a collection of resources that users can be granted or request access to. Unlike simply adding users directly to Groups, these packages can control the duration, approval process, and periodic reviews of those assignments.
The first step of creating an Access Package is naming and describing its purpose. You can also create “Catalogs” to group multiple packages and delegate the administration of them to the appropriate users.
Next, you determine the Resource Roles that will be part of this package. It can be a combination of Groups/Teams, Applications, and SharePoint sites. In this case, we will grant access to the “COVID-19 Response Team” team in the Member role.
We’ll then move onto the Request process. Since this team may be made up of external collaborators who are unknown at this time, we’ll select “For users not in your directory”, and we’ll allow “All users (All connected organizations + any new external users)” to request access.
Since we are allowing as of yet unknown external users, we must require approval (other settings allow you to disable approval). We will set a specific user to provide approval, ensure a decision is made within 2 days, and force both the requestor and the approver to provide a justification for the access. We’ll enable this access request when we are ready to start requesting access.
Next, we will set the lifecycle of the access being provided. In this case, we will allow for 30 days of access, with the ability to request an extension (which also requires approval). If this was a longer duration or did not expire, we could also tie access to an Access Review, which we’ll cover later.
The last page will show a summary of all the choices to allow you to make any desired changes before creating the package.
Once the package is created, the browser will display a list of all Access Packages the current user has access to. From here, you can use the ellipsis to copy the link used to request access. This link can be emailed, put on a public site, or shared in any other traditional way.
Requesting Access
To request access via an Access Package, a user can use the link generated during the creation process. Once they sign in to the 365 tenant, they will be presented details of the access being requested. The user would then select the package and push the “request access” button.
From there, because we require justification, the user will be presented an area to provide the reason they are requesting access.
They will receive confirmation that their request was submitted.
Approving Access
After requesting access, the Approver will receive an Email with actions to Approve or Deny the request, and a summary of the information about the request.
Pressing the Approve or deny request button takes you to an Approvals page where you can approve or deny and provide the required justification.
Now that the request has been approved, the user should have access to the Team as a Member. When the expiration date is reached in 30 days, that access will be revoked unless an extension is requested.
Summary
Entitlement Management using Access Packages is a great way to govern access to resources such as Teams, SharePoint sites, and Applications, especially when external users are involved or the context of the access is limited to a specific timeframe. Users can request access as needed, owners can be empowered to grant access on demand, and removal of access can be automated to prevent lingering exposure of company information.
Next up: Access Reviews
Configure periodic, guided reviews of access to resources with suggestions based on login activity and automated resolution based on dispositions.
With the current COVID-19 pandemic impacting almost everyone these days, many organizations, groups, and people in general are trying to find ways to maintain business continuity very quickly. Almost everything is more difficult when you have less time to make it happen. Since more than half of our team permanently works remotely and much of our business and customer efforts are completed remotely, we have been doing this for a while and thought the timing was right to share some of our tips and tricks with everyone out there.
Select a Technology / Tool
If you can standardize one tool for your company to use, it makes the effort a lot easier. Trying to use various different technologies to maintain continuity can be difficult. We are a Microsoft shop, so we use Microsoft Teams. Recently, Microsoft offered to give this tool away for free to help companies struggling with recent events.
In short, Microsoft Teams provides a platform for calling, video chatting, conferencing and recording, written and verbal discussion areas, file storage, document co-authoring, tagging, notifications, and more. Teams even allows for the compartmentalization of workstreams and security so you have context when collaborating in a certain location. Instead of one giant, open phone line, Teams helps streamline what you are working on and notifies when you people are working/discussing other topics.
Stop Emailing
This one is tough, but we recommend you think twice before emailing people within your organization. Email inboxes can be difficult to search properly, tedious to keep organized, and can make it hard for users to keep track of timelines and files.
In Microsoft Teams and other similar technologies, users can post documents, allow for collaboration on those documents, and determine who can and cannot edit those documents. If your team is working on a document without you, you can still hop in whenever you want to see the progress, add comments, or review updates. When you aren’t viewing the channel the document was added in, you won’t get bombarded or distracted as you might with email.
Reducing internal emails reduces clutter and distractions, and lets you choose the topics and virtual work locations that are important to you.
Talk to People
Schedule time to actively reach out and talk to your team throughout the day. We strongly suggest video chats (most laptops are equipped with a camera) so you can see their faces, look at their inflection, and remember there are human beings on the other side of these conversations. The biggest risk in remote work is the human isolation component. Now more than ever, with the recommendation to physically isolate, it is imperative for our mental health to stay connected, involved, and actively engaged in not just social activities, but also productive/work social activities.
Create Multi-Person Chats
A great way to encourage a positive online culture is to create and participate in chats between more than just two people. Go out of your way to respond, and others will follow suit. It’s inspiring to see people responding, helping, and moving the ball forward together in a way you can see (rather than just hoping it’s happening).
Consider an even wider audience chat instead of emails for major communication and news. Company-wide channels allow for responses and interaction from all the folks on the team — not just those in one department. Staying connected and cross-pollinating are the names of the game here.
Go one step further! Modern tools can securely invite people from outside your organization to participate with almost all the available activities for collaboration. Your contractors, vendors, support personnel, and partners will all be able to continue working with you — possibly better and more efficiently than they have up to until now.
Stay Notified
Since email, chat, and just about anything except a phone call or video chat are asynchronous, it’s important your technology notifies you of activities and changing information. In the old world, we called this “toast” because a small window in the lower right would pop up like a piece of toast, with just enough information on it so we knew what was going on, but not so much that had to interact or do anything about immediately unless we wanted to.
By using these notifications, you can continue working on your current efforts and glance quickly at notifications coming in. Emails and phone calls do not give you this level of anti-distraction capabilities.
Don’t Keep Documents Locally
Use the modern workplace tools to work on documents in a specific location where others can join in. When you get to the “can you take a look at this?” moment, you can easily ask and notify the group that you need some feedback. All work on the document(s) can be tracked, saved, and available for everyone at any time — without using ANY email.
Keep a History
One of our biggest issues with email is when we need to go back and look at a series of communications or activities and try to piece it back together. It feels like we must be a detective. Choose a technology that keeps a running tab of contextual communications and documents so all you have to do is go look, maybe scroll a bit, and can view any version of the document at any time. Then, when you add someone else to the workstream, you don’t have to try to find all the correct emails to forward to them in order to get them up to speed on the project — they can simply go look in the channel for themselves.
Logically Segment the Work
Don’t use an advanced tool and treat it just like email. A singular Teams setup with one big channel where all your work, chats, meetings, and interaction occur is essentially the same single steam firehose that email gives you, and is not valuable.
Break up your work into logical areas, departments, projects, teams, and efforts. Don’t choose so many that you must jump around for absolutely everything, find the balance that best suits your company’s needs. If you need assistance making this determination, our specialized consultants are here to help. We are willing to help at no cost to you during this pandemic, so don’t suffer because you didn’t budget for an emergency. We are happy to have a quick call with your team to pass along best practices and get your remote work started off on the right foot.
We hope this helps trigger some thoughts, ideas, and actions to make you and your organization more effective as you find you may have no choice but to work from home.
Stay safe,
Ryan Thomas
CEO, Timlin Enterprises
According to Techterms, an intranet is a “private network that can only be accessed by authorized users.” In reality, it’s a lot more interesting than that. An intranet is an intelligent resource of organizational bliss that can improve internal communication, collaboration, knowledge sharing, and more.
One way to imagine an intranet is as a password-protected VIP club. Within this private club are virtual file cabinets full of information and areas for private, secure communication that only the club members have access to. With all information and members in one password-protected space, users can send out important messages and updates more simply and securely.
How Does an Intranet Compare to an Intelligent Intranet?
Intranets are designed to be the central location that an organization’s employees can access company updates, announcements, and resources — improving not only company culture but also internal communications and collaborations.
For example, the LiveTile’s Wizdom Intelligent intranet takes all of the ease, privacy, and connection of an intranet, and includes a wide range of leading productivity tools that employees can use in a cohesive, digital workspace.
Through our partnership with LiveTiles, your IT team can deliver a powerful digital workplace that surfaces the relevant tools, communications, and knowledge, wherever and whenever your employees are working. There are several benefits to implementing and using an intranet within your organization. Here are our top reasons:
10 Reasons To Implement An Intelligent Intranet
1. Security
Sensitive, private information can be saved in one specific location, with access given only to authorized personnel. In addition, groups, users, or teams are able to manage their workspaces with predefined security settings.
2. Reduced Meeting Times
Access to employee directories within the intranet gives employees a chance to locate the correct person to answer questions and chat about business-related matters from their desks in real-time. This lessens the time spent in meetings and prevents sidetracked conversations from taking over.
3. Improved Individual Productivity with Bots
LiveTiles Bots help to connect people to specific information, lists, or data that they need, allowing them to receive, create, and organize their work. The automation of otherwise mundane tasks helps to free up employee time to focus on more productive assignments. Bots can be customized based on each unique business and changed as a business evolves.
4. Quick, Efficient Access to Information
Access to information becomes more convenient, leading to enhanced productivity and less wasted time. Communication sites, like the Wizdom Noticeboard, provide a place to share anything from reports to news or anything else that may need to be communicated.
5. Boosts Team Collaboration
Individual teams can use tools and features in Office 365 to collaborate more efficiently on projects or tasks specific to their department or function. With more remote workers, it is imperative that you provide tools and capabilities that promote easy to use collaboration solutions making it simple to collaborate, hit deadlines, and increase productivity.
6. Customizability
The features of Modern SharePoint combined with the enhanced capabilities of LiveTiles allow you to deliver solutions using mostly out of the box tools. However, in order to deliver highly engaging solutions, organizations need to customize their intranets to add corporate branding, extended features, or integrations. The customization allows businesses to develop actual solutions to cover any need necessary, something that would be impossible with the use of a ready-made site. In addition, site designs can be applied at any time — at or after site creation.
7. Less Strain On Development Resources
The usability of Office 365 and a LiveTiles Wizdom Intelligent intranet means that a developer is no longer necessary to create what content editors are now capable of. The tools in both platforms allow business owners to configure solutions that meet their requirements. For times that development resources are needed, LiveTiles’ built-in intuitive interface allows you to design as quickly and efficiently with over 70 preconfigured tiles and a drag-and-drop interface.
8. Cross-Department Collaboration
More brainpower results in better ideas, especially when various departments are able to collaborate using an integrated approach. LiveTiles is easily integrated with CRM, ERP, BI, ITSM, and other software, making cross-department collaboration easier than ever.
9. Saves Time
The primary goal of a corporate intranet is to improve internal communications, ensure you have a hub for information and collaboration, and bring efficiency to internal processes. The implementation of a properly designed and governed intranet will drive time and cost efficiencies by improving how users find, act, and communicate internally. LiveTiles’ intelligence provides real actionable insights that allow for content evolution based on direct user feedback, analytics, and insights. Users are no longer spending hours trying to find a specific policy, fill out a vacation request form, or simply find the right person in the organization to solve an issue.
10. Greater Cost Control
The choice of different intranet deployment and payment models allows organizations to make financial decisions that are right for them. When site creation and design are being driven by organizations themselves, sites can be maintained with less effort. Additionally, there is no need to employ extra IT resources or experience developmental delays, saving both time and money.
Based on these ten reasons, a LiveTiles Wizdom Intelligent intranet can propel your organization towards greater success. The time and money saved, and improved collaboration across departments and increased team communication are equally priceless.
Interested in learning more about LiveTiles Wizdom Intelligent intranet? Reach out to our team to get your company on board.
Are your powers users confident about the security of their content in Teams? A constant point of contention for power users are uninvited guests or unfamiliar users found within an Office 365 group, team, or site the power user owns. This persistent issue negatively impacts adoption and needs to be addressed. Surprisingly enough, SharePoint admins usually wind up being one of the root causes. Let’s investigate why.
Currently, in SharePoint Online, support staff with the SharePoint Administrator role must grant themselves Owner rights before they can access a site, team, or modify group membership. Admins that perform this action show up on the modern permissions display panel and in the O365 group causing concern amongst the site owners who quickly feel that they have no control over the access of their content.
So what are these admins up to?
Most SharePoint setups today use this method to perform system maintenance. In some cases, support may be performing a change request or resolving an issue.
6 Steps To Secure Access
These headaches can be alleviated by one Office 365 Group, a few updates, and a little scripting. Just follow the below steps:
- In the Office 365 Admin Center, create a “SharePoint Administrators” Office 365 Group and add all your SharePoint Support staff to it as “members” (Owner rights don’t seem to be as effective in this scenario).
- Request temporary Global or User Management Administrator rights.
- Run a PowerShell script to add “yourself” as an owner to all group connected SharePoint sites (Requires Global or User Management Administrator rights).
- Add “yourself” as an owner to all other Team and Communication sites (not group connected) via the SharePoint Admin Center: https://[TenantName]-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/siteManagement
- Run another PowerShell script to add the “SharePoint Administrators” Office 365 Group to the “Site Collection Administrators” section of all sites.
- Run a final PowerShell script to remove your personal account’s access from the sites and the Office 365 Groups minus the “SharePoint Administrators” Office 365 Group.
That’s it! Your support staff now have Full Control access to all sites so that they can perform their daily duties without:
- Disrupting the end-users by showing up in the Owners section and/or Office 365 Group.
- Needing to add and remove themselves to make SharePoint changes.
Likewise, you can and should use this same process in tangent with a “SharePoint Service Accounts” Office 365 Group. Otherwise, whenever your Flow or analysis service account or job needs to access something, it will take additional steps to manually grant it access.
The Final Touch
Make adding these groups part of your manual and/or automated site creation process.
Interested in diving deeper on secure internal and external collaboration? Reach out to our team here to set up a free consultation call.
