Atrium Health (formerly Carolinas HealthCare System) is one of the largest non-profit healthcare systems in the US, with over 60,000 employees. Starting in 2013, Atrium migrated Exchange and SharePoint to Office 365, which has introduced changes for both end users and the IT department. This session will cover how the Atrium Health SharePoint team manages and governs the collaboration workloads in Office 365 (SharePoint, OneDrive, Yammer, Office 365 Groups, Teams, etc.). Attendees will walk away from this session with both specific governance tactics they can implement and the reasoning behind them.
3. Who am I?
• Kelly D. Jones
• Atrium Health
• IAS Director (SharePoint / OneDrive / Yammer / Custom Dev)
• 20+ years industry experience; 10+ SharePoint
• My blog: http://www.KellyDJones.com
• Twitter: @KellyDJones
• LinkedIn: https://www.linkedin.com/in/kdjones74/
5. Why this presentation?
• Office 365 impact – real world example
• Practical advice – beyond the sales demo
• Is the way we do things perfect? Um, no. Your mileage may vary.
6. Atrium Health’s Move to Office 365
WSS 3.0
• Dec. 2007
• One Server
• It’s FREE!
SP2010
• July 2011 – June 2016
• ~500GB
• ~300 Site Collections
SPO
• July 2013 – Present
• 14TB SPO
• 19TB OneDrive
• 1000+ Site Collections
• Office 365 E3 license for ~45k end users
• All end user mailboxes are Exchange Online
8. • How will you support Office 365?
• Will you limit OneDrive sync?
• Will you support Explorer View?
• How will you direct people to Office?
• Will you allow external sharing?
• Will you back up SharePoint/OneDrive?
• Who can create SharePoint Site Collections?
• How will you track SharePoint site owners?
• Who can create Office 365 Groups/Teams?
• How will you populate Groups?
• Will you limit PowerApps/Flow connectors?
• Are you ready for disruptive changes?
• Are you ready for InfoPath/SPDesigner retirement?
• How will you keep up to date?
• How does Atrium handle changes?
• How does Atrium communicate changes?
Questions…
9. • What we mean by “support” –
• Incident resolution – IT will fix it if something breaks
• IT Solution Creation – IT will build solution using O365 tools
• Training
• Learning materials/training available for end users
• Learning materials/training available for power users
• Adoption campaign
• Atrium Health – too many tools and not enough IT….
How will you support Office 365?
Core Workloads
• 100% Supported by IT
• Exchange / Outlook
• Skype
• SharePoint / OneDrive
• Yammer
• Power BI (IT created dashboards)
Community Support Workloads
• Best effort support by IT
• Office Apps (anything beyond install)
• PowerApps / Flow
• Stream
• Power BI (end user created dashboards)
10. • Sync is allowed regardless of the button appearing
• Can also set per library (full control or edit permission on the library to configure)
• Mac OS
• Atrium Configuration:
• Sync to domain joined Windows PCs
• No Macs
Will you limit OneDrive Sync?
11. • Explorer View is still available in SharePoint and OneDrive
• Must use IE
• IE must be configured in a particular way
• User must be logged in via browser before using Explorer View
• Users like the familiar Windows Explorer user interface
• They’re less likely to use new features such as sharing and version history
• Users can break their SharePoint and OneDrive sites!
• Example 1: “I don’t need folder”
• Example 2: Windows 10 “shortcut” rename
• Atrium advises users against Explorer View, but we can’t block it
Will you support Explorer View?
12. • Lots of URLs can be used
• Office desktop apps can be starting point
Atrium:
• Direct all teammates to two links: one internal, one external
• Link goes to https://office.com/1
• Internal link also checks for browser version and generic login
• Generic logins are auto-login PCs in clinical environment
• If generic login detected, then username and password prompt appears
How will you direct people to Office 365?
13. • OneDrive setting applies to all OneDrive sites
• SharePoint can be configured per site collection
• You can whitelist/blacklist domains to share to
• You can allow anonymous or require external users to log in
• Atrium settings:
• External sharing allowed for OneDrive and SharePoint
• Anonymous is allowed in only TWO site collections
• No whitelist/blacklist configured
• Guests must sign in using the same account to which the sharing invitation was sent
Will you allow external sharing?
14. • Atrium does not back up SharePoint/OneDrive (!)
Scenarios:
• Document deleted – Recycle bin restore
• Document overwritten – Version history
• Version history is enabled by default on all libraries (NOT LISTS)
• Version history minimum is enforced by Microsoft – 100 versions
• Sub site deleted – Recycle bin
• Site Collection deleted – Recycle bin
Our experience:
• People are more likely to misplace files than to delete them
• People use OneDrive when they should be using SharePoint
Will you back up SPO/OneDrive?
15. • Option 1: Self-Service Site Creation
• Option 2: Only IT administrators
Who can create SharePoint Site Collections?
16. • Atrium disabled “self-service site creation” from the start
• Only the IT SharePoint team can create site collections
• End Users submit a request for new site collections
• Identify owners (up to three)
• Title and description
• SharePoint Designer and External Sharing
• Data sensitivity
• Average 15-20 new site collections per month
• Less than 50 have been denied (duplicate, name too general, etc.)
Who can create SharePoint Site Collections?
[Chart: Site Collection Creation Date, by year, 2012–2019]
17. • Rethinking our policy…
• We rarely deny new site collection requests
• We don’t have the resources to verify if a new site is a duplicate
• Site owners aren’t renewing sites consistently
• Site owners aren’t correctly identifying sensitive data sites
• No technical difference between sensitive and non-sensitive sites
• What’s the minimum we need to do:
• As IT to manage the environment?
• To meet compliance and security requirements?
• Answer:
• We must have an owner identified – Site Collection Administrators
• We must treat all sites as if they have sensitive data – Cloud Access Security
Who will create SharePoint Site Collections?
18. Option 1: Custom List in SharePoint
• Lots of manual work to maintain (Atrium’s old policy)
Option 2: SharePoint Site List in Admin Center
• Primary Admin isn’t easily updated by end users (?)
• Only one primary
Option 3: Site Collection Administrators (Atrium’s new policy)
• Easily updated by any current Site Collection Administrator
One loophole: what to do when the last SCA leaves?
• Custom utility will (still developing)
• Log who the owners are and who their managers are
• When the last owner leaves, grants their manager SCA permission and emails them
• Just like OneDrive
How will you track SharePoint Owners?
19. • All Global Admins (can’t block admins)
Option 1: Only specific users can create
• Business Users in a designated AD Security Group
• Note: people in this group must have an Azure AD Premium or Azure AD Basic EDU license (Microsoft documentation)
Option 2: Any user can create
• There are 20 ways to create an Office 365 Group (See blog post)
• Most of the 20 are accessible to end users
Microsoft Documentation
Who can create Office 365 Groups?
20. • You can only do the following if you can create groups:
• Office 365 Groups in Outlook
• Groupify a SharePoint site
• Create a plan in Planner
• Create a channel in Stream
• Create a workspace in PowerBI (groups no longer required)
• Microsoft Recommendation:
• Strongly consider self-service to empower group owners.
What happens if you limit group creation?
21. • They will create groups….
What happens if anyone can create Groups?
[Chart: Office 365 Groups - Created and Deleted, by month, 2014–2019; series: Group Created, Group Deleted]
22. • Using Microsoft features:
• Group Naming Policy
• Group Classification (data tier)
• Group Usage Guidelines
• Expiration Policy
• Terms of Use
• Custom utility to document Group owners (current and past)
• C# utility deployed as Azure WebJob
• Uses Microsoft Graph API to gather group info
• Writes log info to two SharePoint custom lists (Groups, Owners)
• Use SharePoint Version History to see when Groups/Owners change
• Future state will include process for last owner leaving scenario
How to manage unrestricted group creation?
Require Azure AD Premium License
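The last-owner process described above for Site Collection Administrators and for Office 365 Groups, sketched as an added example (this is not Atrium's utility, which the slides describe only as a C# WebJob using the Microsoft Graph API). It runs on constructed snapshots with no Graph calls; the function names, the flattened `manager` field and the `NEEDS_IT_REVIEW` marker are assumptions.

```python
# Constructed data only; no Microsoft Graph calls are made. accountEnabled is a
# Graph user property; "manager" is flattened here (an assumption of this sketch).

def is_active(user_id, users):
    # A departed account is either missing from the directory or disabled.
    user = users.get(user_id)
    return bool(user and user.get("accountEnabled"))

def log_owners(groups, users):
    """One row per (group, owner), recording the manager while the owner still exists."""
    return [
        {"group": gid, "owner": oid, "manager": users[oid].get("manager")}
        for gid, owners in groups.items()
        for oid in owners
        if oid in users
    ]

def plan_escalations(previous_log, groups, users):
    """For each group with no active owner, pick a successor from the logged managers."""
    plan = {}
    for gid, owners in groups.items():
        if any(is_active(oid, users) for oid in owners):
            continue  # at least one owner can still manage the group
        managers = [r["manager"] for r in previous_log if r["group"] == gid]
        successor = next((m for m in managers if m and is_active(m, users)), None)
        # No usable manager on record: hand the group to the IT team instead.
        plan[gid] = successor or "NEEDS_IT_REVIEW"
    return plan

# Yesterday's snapshot (constructed sample users and groups).
USERS_DAY1 = {
    "alice": {"accountEnabled": True, "manager": "maria"},
    "bob": {"accountEnabled": True, "manager": "maria"},
    "carol": {"accountEnabled": True, "manager": "maria"},
    "dave": {"accountEnabled": True, "manager": None},
    "maria": {"accountEnabled": True, "manager": None},
}
GROUPS_DAY1 = {"g-nursing": ["alice", "bob"], "g-pharmacy": ["carol"], "g-lab": ["dave"]}

# Today: carol's account is deleted; alice and dave are disabled.
USERS_DAY2 = {k: dict(v) for k, v in USERS_DAY1.items() if k != "carol"}
for gone in ("alice", "dave"):
    USERS_DAY2[gone]["accountEnabled"] = False
GROUPS_DAY2 = {"g-nursing": ["alice", "bob"], "g-pharmacy": [], "g-lab": ["dave"]}

def run_example():
    return plan_escalations(log_owners(GROUPS_DAY1, USERS_DAY1), GROUPS_DAY2, USERS_DAY2)
```

The manager has to come from the earlier log because a deleted account can no longer be asked who its manager was, which is why the owners and their managers are logged before anyone leaves.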
23. • Group Owners can add/remove members
• Group Owners can promote/demote owners
• Public groups – people can add themselves
• Private groups – owners must add
• Dynamic Groups –
• Add/Remove members based on profile information (Azure AD)
• Requires users to have Azure AD Premium license
• Atrium Configuration:
• No AD Dynamic Groups
• Legacy solution populates on prem AD Groups
• Building custom solution to populate groups
How will you populate Group members?
24. • Tip: Connectors are documented here
• Data Governance Policy – configuration applies to both PowerApps and Flow
• You cannot block a connector 100%
• You can only limit which connectors are used together
• Flow Admin Center Data policies
• PowerApps Admin Center Data policies
• SO, is SQL Server business?
• Yes – PowerApps/Flow can connect to any SQL Server
• No – PowerApps/Flow can connect to any SQL Server
• Suggested solution: Create a Flow that uses the Flow admin connector that looks for SQL Server connections and deletes any that aren’t on an approved white list
Will you limit connectors in Flow?
25. • Microsoft will notify customers about upcoming “disruptive changes”
• Microsoft defines whether a change is disruptive
Are you ready for disruptive changes?
26. From Microsoft employee post on TechCommunity:
“There is DIFFERENT governance for service removals in Office 365. The strict guidance is that Microsoft will give at least 30 days notice when we've indicated a replacement product; 365 days notice if there is no replacement; and that undocumented, unsupported features or risks which are found to compromise the security or platform integrity could be turned off immediately. For example, if we found a huge security loophole in the "Widget" web part, for example, we might remove that web part immediately to protect our customers while we work on the issue.”
…“By precedent, even though we identified a replacement tech for Access Web Apps (PowerApps) we communicated that service removal 15 months in advance.”
https://techcommunity.microsoft.com/t5/SharePoint/InfoPath-support-in-SharePoint-Online/m-p/97876#M9157
Disruptive changes: InfoPath & Designer?
27. • Office 365 Admin Center – Service Health Dashboard
• Service health
• Issues that Microsoft determines at least one of your users might be seeing
• Message center
• Change announcements that are applicable to your tenant
• Planned maintenance outages – typically seven-day notice
• Example: SharePoint and OneDrive were read only from 9pm-1am (Wed-Thurs) with one-week notice
• Office 365 Admin app – same data as Admin Center web site
• Mobile and desktop versions
• Push notifications for health issues
How to keep up?
28. • Office blogs: https://blogs.office.com/ Microsoft Tech Community Blogs
• Curate a list of blogs by industry MVPs
• Microsoft Tech Community:
• https://techcommunity.Microsoft.com
• Roadmap:
• Thin on details and few if any dates published
Usage reports update: new reports for SharePoint, OneDrive and Yammer
New reports in the Office 365 usage dashboard. We continue to add new usage reports, including Yammer groups, SharePoint clients and OneDrive clients, to provide you with a complete picture of how your organization is using Office 365.
Feature ID: 70929
How to keep up?
New Infographic:
http://icsh.pt/TheJoneses
29. • Individual teams (SharePoint, Exchange, Desktop)
• Monitor news from Microsoft daily (blogs, Message Center, etc.)
• Office 365 Tech Team / Leads
• Meet weekly to coordinate efforts
• Determine what needs to be escalated
• Teammate Workgroup – IS and business users/leaders
How do we handle changes?
30. • Yammer announcements
• Information on People Connect (top level intranet)
• Focused emails (ex: site owners only)
• Enterprise wide emails
• Announcements on home page of People Connect
How do we communicate change?
33. SharePint Happy Hour event held after SPSCLT19 at Duckworth’s Grill and Taphouse Uptown.
Walking distance from UNC Charlotte Center City campus and the 7th street light rail stop.
34. Migrating to SharePoint Online
Schedule columns: Monday, Tuesday, Wednesday, Thursday, Friday
• Week 1, SP Team: Migrate site (full copy); SP Team Testing; SP Team Testing
• Week 1, Business Owner: Business owner testing; Business owner testing
• Week 2, SP Team: Migrate site to production (incremental); Identify next batch of sites
• Week 2, Business Owner: Business Owner Testing; Business Owner Testing; Business Owner Sign Off
• Tool used: MetaVis Architect Suite (now Metalogix Essentials)
36. Where did they announce this change?
1. The Office 365 Message Center for announcements
2. The Office 365 Health Dashboard
3. TechNet
4. Blogs published by the product groups (Office Blogs, PowerApps, Planner, O365 Roadmap, SharePoint)
5. Blogs by industry MVPs (150+)
6. Product team announcements in the Microsoft Tech Community forums
7. Plus Spaces in the Microsoft Tech Community (aka forums, 20+)
#6 – “The Office Retirement Blog” – which didn’t exist until this post. I spotted it because of #5…
Disruptive change – Access Web Apps
Editor's Notes
Presentation Title:
How Atrium Health SharePoint Team Manages Office 365
Speaker Bio:
Kelly D. Jones has over twenty years of IT experience, the last ten focused on SharePoint. He’s one of two directors responsible for Office 365 at Atrium Health (formerly Carolinas HealthCare System), with his teams focusing on SharePoint, OneDrive, Office 365 Groups, and App Development. Before moving to Waxhaw, North Carolina in 2010, he and his family (wife and two children) lived in Columbus, Ohio. They enjoyed Columbus (especially The Ohio State University), but not the weather, so they moved south to be closer to the sun.
For more information about Atrium Health, please visit: https://atriumhealth.org/about-us
For more information about Atrium Health’s migration to Office 365, please see this presentation recording on YouTube: https://youtu.be/mzM-Qml0DrA
You can also find more slide decks from this speaker here: https://www.slideshare.net/kdjones74/presentations
Atrium Health has enabled all of the services, except those that are grayed out, for our teammates to use.
Some of the services are still in a pilot stage.
This chart was created from this site: https://app.jumpto365.com/