Governing and securing your Microsoft 365 content can be difficult, particularly when it comes to maintaining and tracking ownership and permissions for your M365 groups, sites, teams, and communities. In Episode 68 of the Microsoft 365 Voice, Mike, Antonio, and I discuss methodologies we’ve seen for certifying M365 groups.
What are certifications?
Certifications are formal attestations (or evidence) that Microsoft 365 groups, SharePoint Online sites, Microsoft Teams, and Yammer communities have been reviewed. Organizations may require certifications for various reasons, including regulatory requirements, audit needs, and security protocols.
What do certifications cover?
Certification requirements vary based on an organization’s industry, security needs, and regulatory requirements. As we discuss in this episode, organizations may require M365 re-certifications at specific intervals (for example, annually or semi-annually). The contents of certifications differ, but often include a review of M365 group permissions and a validation of who owns or manages the groups.
What should organizations consider when implementing a certification process?
You should start with a review of your organization’s security requirements. Certifications can be expensive and time-consuming to conduct, so it’s important to understand why you need to complete certifications and what the outputs of the process should be. Key questions to consider:
- What evidence should be gathered and stored as part of your certifications?
- How often do you need to certify your groups?
- What defines success? Do you need to have 100% of your groups certified during each cycle, or will a lesser percentage (e.g., 95% of groups certified) meet the objective?
- Who will oversee the certification process?
- How will you facilitate and support the certification reviews?
- What tool(s) will you use to gather evidence? Will you survey M365 group owners or have them fill out a PowerApps form to “sign off” on their certification?
- How will you maintain certification records?
- Will you retain a master list of M365 group owners?
- Who is responsible for completing M365 group certifications? Will you require a high-level business officer to complete each review, or will the person who grants access to your M365 groups be required to complete the certification?
We hope you find this episode helpful as you consider your M365 certification needs.