Inside Track staff, Author at Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/author/insidetrack/
How Microsoft does IT
Mon, 28 Oct 2024 21:33:21 +0000

Modernizing Microsoft’s internal Help Desk experience with ServiceNow
http://approjects.co.za/?big=insidetrack/blog/modernizing-the-support-experience-with-servicenow-and-microsoft/
Fri, 18 Oct 2024 14:00:19 +0000

Microsoft is transforming the experience of our internal IT helpdesk agents and, using ServiceNow IT Service Management, we’re improving the experience our employees have when they request IT help.

We’ve transitioned the traditional and custom IT tools and features in the Microsoft service desk into ServiceNow ITSM. This has led to innovation in many areas of our IT help-desk management, including improving accessibility, incident management, IT workflows and processes, service level agreements (SLAs), use of AI/ML, virtual agents, automation, knowledge across the IT help-desk organization, data visualization, monitoring, and reporting.

In short, our strategic partnership with ServiceNow is helping us improve efficacy for our internal IT help-desk environment and for our mutual customers.

Working together to accelerate digital transformation

Our Microsoft Global Helpdesk team supports more than 170,000 employees and partners in more than 150 countries and regions. We deploy this new ITSM environment at enterprise scale, supporting more than 3,000 incoming user requests each day.

We collaborate with ServiceNow as a partner to accelerate our digital IT transformation and continually increase the effectiveness of our IT service management. Our Global IT Helpdesk recognizes potential improvements, provides feedback to ServiceNow, and tests new features. We receive accelerated responses to our ITSM solution requirements, while ServiceNow gets a valuable, large-scale feedback mechanism to continuously improve their platform.


Modernizing the internal support experience

In the past, when our internal support scale, business processes, or other factors demanded functionality that existing platforms and systems couldn’t support, our engineers would develop tools and applications to supply the required functionality. Many ITSM features at Microsoft were developed in this manner. With ServiceNow now providing the core ITSM functionality we need, we are working together to integrate our tools’ functionality into their platform, which provides a unified IT help-desk experience that is scalable with enhanced productivity and accelerated digital IT transformation.

ServiceNow enables Microsoft to integrate its digital environment with ServiceNow ITSM functionality and Microsoft uses out-of-the-box ServiceNow functionality whenever suitable. ServiceNow adds and improves functionality, often based on Microsoft feedback and development, and then Microsoft uses the resulting improved capabilities to replace internally developed tools and processes. This collaborative relationship on ITSM benefits both organizations and our mutual customers.

[Figure: The ServiceNow environment accepting inputs for various support modalities into the core ServiceNow features. Caption: Microsoft’s innovative ITSM experience with ServiceNow.]

Collaborating to create rapid innovation

In some cases, Microsoft-developed tools are the starting point for new ServiceNow functionality, such as the recent implementation of ServiceNow ITSM Predictive Intelligence.

We initially built an experimental machine learning-based solution in our environment that automatically routed a limited number of helpdesk incidents in ServiceNow by using machine learning and AI. This reduced the amount of manual triage that our support agents had to perform and helped us learn about incident routing with predictive intelligence and identify innovation opportunities.

We then took those learnings and shared them with ServiceNow to help them make improvements to the ServiceNow ITSM Predictive Intelligence out-of-the-box platform tool. By progressing from our experimental solution to ServiceNow ITSM Predictive Intelligence, we benefitted from the out-of-the-box flexibility and scalability we needed to drive adoption of predictive intelligence within our helpdesk services landscape. We’ll use our work with ServiceNow ITSM Predictive Intelligence throughout this case study to highlight the core steps in our journey toward an improved internal support experience.

Establishing practical goals for modernized support

Predictive intelligence is one example among dozens of ITSM modernization efforts that are ongoing between ServiceNow and Microsoft. Other examples include virtual-agent integration, sentiment analysis of user interaction, anomaly detection, troubleshooting workflows, playbooks, and integrated natural-language processing. Enhancing our helpdesk support agent experience by using ServiceNow ITSM involves three key areas of focus: automation, monitoring, and self-help.

Automation

We’re automating processes, including mundane and time-consuming tasks, such as triaging incidents. Automation gives time back to our helpdesk agents and helps them focus on tasks that are best suited to their skill sets. Feature implementation examples include orchestration, virtual agents, and machine learning.

We’re using ServiceNow Playbooks for step-by-step guidance to resolve service incidents. Playbooks allow our agents to follow guided workflows for common support problems. Many playbooks, such as the password-reset process, include automated steps that reduce the likelihood of human error and decrease mean time to resolution (MTTR).

Monitoring

We use monitoring to derive better context and provide proactive responses to ServiceNow activity. Enhanced monitoring capabilities increase service-desk responsiveness and helpdesk agent productivity. Feature implementation examples include trigger-automated proactive remediation, improved knowledge cataloging, and trend identification.

Microsoft Endpoint Manager supplies mobile-device and application management for our end-user devices, and we’ve worked with ServiceNow to connect Endpoint Manager data and functionality into the ITSM environment. This data and functionality supplies device context, alerts, and performance data to ServiceNow, giving device-related details to support agents directly within a ServiceNow incident.

Self-help functionality

Self-service capabilities help our support incident requestors help themselves, by supplying simplified access to resources that guide them toward remediation. It frees up IT helpdesk agents from performing tasks that end users can do and lowers the total cost of ownership, as support-team resources can focus on more impactful initiatives. Feature implementation examples include natural language understanding, context-based interaction, bot-to-bot interactions, and incident deflection.

For example, the ServiceNow Virtual Agent integrates with Microsoft Teams for bot-to-bot interactions. Bot integration and bot-to-bot handoff enable us to continue using the considerable number of bots already in use across the organization, presenting self-help options for our users that best meet their needs. We have also collaborated with ServiceNow to create integration with knowledge and AI capabilities from Microsoft 365 support. Microsoft 365 service-health information, recommended solutions for Microsoft 365 issues, and incident-related data are available in ServiceNow to both end users and agents.

Examining the modern support experience in context

We have a holistic approach to unifying our internal service-desk platform under ServiceNow. The functionality and health of our Global Helpdesk organization drives the experience for our support agents and the people they assist. To identify opportunities for improvement, we examined all aspects of our support environment, making observations about tool usage, overall experience of support agents, and potential gaps in the toolset that our support agents use. When thinking about new capabilities, such as AI and automation, we needed to understand how our people work. Why and how we perform certain tasks or processes can lose relevance over time, and a deviation from the original way in which we do something can potentially lead to inefficiencies that we must regularly evaluate and address. We placed these observations into the following categories:

  • Comprehensive best practices. We’re encouraging our Global Helpdesk team to be a strategic partner in business, design, and transition of support at Microsoft, rather than simply focusing on tactical ticketing and related metrics. Our internal support experience improvements in ServiceNow ITSM go beyond ticketing processes and require a holistic view of all aspects of the support-agent environment. Additionally, implementing new technologies is only one part of the bigger solution in which it’s critical to verify and keep people accountable for adhering to best practices. We’re transforming our Global Helpdesk operations to provide strategic value and achieve business goals alongside the more tactical elements of service-desk operation, such as incident management and resolution.
  • Interaction management. We examine how our helpdesk agents and the people they support use ServiceNow ITSM and its associated functionality to drive interface improvements. This also helps identify new modalities to connect our support agents to the issues that our users are experiencing. Our goals include increasing virtual-agent usage and reducing use of less efficient interaction modalities, such as fielding IT support requests over the phone.
  • Incident management. Incident management is the core of ServiceNow ITSM functionality and forms the basis for our largest set of considerations and observations. We examine how we create and manage support incidents, triage and distribute them, and then move them toward the final goal of resolution. In all of this, we assess how Global Helpdesk performs incident management and where it can improve. It’s important to understand the use of data to aid incident resolution, and how to better automate and streamline incident processes and consolidate other elements of service-desk functionality into the incident-management workflow. There are many incident-management factors that we evaluate including identifying incident origin, integrating virtual-agent interactions, increasing contextual data in incidents, automating incident routing, deflection and resolution, and improving incident search functionality.
  • Knowledge management. We’re improving how our helpdesk agents and users access knowledge for IT support. Consolidating external knowledge sources into ServiceNow centralizes our knowledge management effort and makes the knowledge they contain available across other service-desk processes, such as incident management. Among the factors we’re focusing on are standardizing knowledge article content, supporting proactive knowledge creation, improving knowledge self-service capabilities, and including related knowledge content for incidents.
  • Governance and platform management. The overall management of the ServiceNow ITSM platform and how it interacts with our environment and integrates into outside data sources and tools helps Microsoft use ServiceNow data to improve other business processes. We’re focusing on improving formal business processes and integrating with other processes and technology while aligning with Microsoft’s broader business strategies and standards.

Creating value within the helpdesk support experience

Microsoft and ServiceNow are intentionally and thoughtfully continuing to improve the ServiceNow environment, both from the organizational perspective here at Microsoft and from the product perspective at ServiceNow. For each feature and business need that we evaluate, we examine the feature from all applicable perspectives. Our general feature evaluation and migration process includes:

  1. Evaluating business needs for applications and features. For each identified feature, we assess the associated business need. This helps us prioritize feature implementation and understand what we could accomplish based on available resources. ServiceNow Predictive Intelligence, our example in this case study, reduced mean time to resolution (MTTR) for incidents and freed up support-agent resources. These factors both positively influenced support agent efficiency and satisfaction. We’d already been using machine learning-based functionality, so the business need was clear.
  2. Determining product roadmaps, organizational goals, and support requirements. In this step, we examine a feature’s practical implementation. Understanding how we need to address a feature or feature gap often depends on product roadmaps and feature development in-flight within ServiceNow. Early access to ServiceNow roadmaps and the ServiceNow Design Partnership Program helps guide our decision making as we determine the evolution of features and how they align with our future vision for digital transformation. If ServiceNow is already developing a specific feature in the ITSM space, we don’t worry about integrating or recommending our internally developed tools or functionality. However, we often contribute to the improvement of ServiceNow features based on our internally developed tools, as we did with ServiceNow Predictive Intelligence.
    It can be complex to understand the state of ServiceNow with respect to a specific feature and its requirements. We must examine where we’ve customized ServiceNow ITSM to accommodate an internally developed solution and how we can roll back those changes when we retire the internally developed solution in favor of out-of-the-box functionality.
  3. Identifying risks, benefits, and effects of migration. Establishing required resource allocation and determining necessary skill sets for the migration process is critical to understanding how each feature migration might affect our service-desk environment and overall ServiceNow functionality. Specific factors we consider include licensing requirements and quality control checks, both of which greatly influence the speed and order of feature migration. We also assess the effects of retiring legacy/custom tools on the Global Helpdesk and other Microsoft teams. Many tools we use were widely adopted and instrumental to daily operations, so we must consider training and transition processes on a feature-by-feature basis. In some cases, a feature or tool’s addition or removal could cause a shift in business processes, so it’s critical that we understand the potential impact. We do this by examining feature migration in the context of organizational goals, standards, and best practices.
  4. Obtaining organizational support. One of the most crucial steps is to garner organizational buy-in. Although Microsoft and ServiceNow are strategic partners, it’s critical to get support from key stakeholders here at Microsoft, including our Global Helpdesk and Microsoft Digital process owners. Communication is critical. When we involve all stakeholders, we ensure that we account for all business and technical considerations.
    Rather than getting approval at a high level for the entire ServiceNow support-improvement project, we instead obtain approval for small pilots that focus on fast delivery and high value. This demonstrates the potential for a feature’s broader adoption at the Global Helpdesk. In our predictive-intelligence example, we started by engaging the Global Helpdesk team that was using the experimental machine learning-based incident-routing tool. The existing experimental tool was only routing some incidents, so we proposed a pilot to route the remaining tickets using ServiceNow ITSM Predictive Intelligence. We worked very closely with our internal support team to ensure that the solution met their needs. The pilot demonstrated the tool’s effectiveness in daily operations and proved the tool’s capabilities in production use. This built confidence and trust in the tool and helped drive broader adoption across the organization.
  5. Establishing plans for transition, deallocation, and retirement of legacy tools and systems. We had critical decisions to make about retirement and deallocation of existing tools. Many feature transitions involved identifying how we would move or transform data. Addressing data access and security is a common challenge.
    Additionally, with Predictive Intelligence, our team needs real incidents to train the Predictive Intelligence algorithms. This involves moving production data into a development environment, which has security implications. The feature team must proactively engage our Microsoft security team to provide appropriate information. ServiceNow supplies detailed platform-security documentation, which helps us obtain security-related approval. Also, transition often requires retraining. We must arrange training for users of legacy systems so they can use the new features in ServiceNow and understand how the transition might affect their daily activities and overall service-desk operations.
  6. Engaging in feature implementation. We implemented features following specific plans, processes, and best practices that we established. Implementation scope and effort varies depending on the feature, and in the case of Predictive Intelligence, the Microsoft development team began by creating a pilot. This enabled the team to confirm that ServiceNow ITSM Predictive Intelligence could achieve the required level of routing accuracy. It also provided a proof of concept that enabled us to quickly find gaps in functionality.
    Starting with a prototype means we then have a functional example that’s up and running quickly so we get early feedback on the out-of-the-box capabilities. We were able to start fast, iterate, and deliver a better solution more quickly. However, we also had to examine and account for scalability within the ServiceNow platform to ensure that the solution would work well when widely adopted.
    Predictive Intelligence went live with a small number of incident-routing destinations, which helped build the confidence of the service-desk team. We then expanded the number of assignment groups as we received positive feedback. The rollout required minimal organizational change management because Predictive Intelligence was automating an existing process and the service-desk team was already using an experimental AI tool for automated routing.
  7. Measuring progress and reviewing results. We measure all aspects of the feature-implementation progress. Identifying and enabling key metrics and reports helps build confidence and trust in each feature’s effectiveness. As we iterate changes and work through a pilot process for any given feature, we keep stakeholders involved and use our results to contribute to the broader digital transformation. This is also critical for adoption and is an effective way to illustrate benefits and bring other teams onboard.

Integrating ServiceNow ITSM and Microsoft products

In addition to feature enhancement and growth of ServiceNow functionality, Microsoft and ServiceNow are working together to integrate our products with ServiceNow. This enables us to capitalize on their capabilities and make it easier for our customers at Microsoft to integrate ServiceNow into their environment. For example, device-management capability and reporting data from Microsoft Intune, Microsoft’s mobile device management platform, can integrate directly with ServiceNow. This integration improves contextual data within ServiceNow and extends ServiceNow’s capabilities by using Intune and Microsoft Endpoint Manager functionality on managed devices.

Key Takeaways

Our Microsoft Global Helpdesk team has observed significant benefits from the continued ServiceNow ITSM feature implementations, and we’re still working with ServiceNow on an extensive list of features that we want to implement. Some of the best benefits we’ve observed include:

  • Increased business value. We’ve been able to retire custom solutions and the infrastructure that supports them, reducing total cost of ownership and management effort for legacy solutions. Consolidating our service-desk functionality in ServiceNow ITSM makes licensing and maintenance much simpler and more cost-effective.
  • Reduced service-desk management effort. The various automation features we’ve implemented have reduced the effort our IT helpdesk agents exert, particularly with respect to mundane or repetitive tasks. AI and machine-learning capabilities have improved built-in decision making, reduced the potential for human error, and given time back to our helpdesk agents so they can focus on the work that demands their expertise. For example, ServiceNow ITSM Predictive Intelligence is routing incidents with 80 percent accuracy, saving considerable time and effort.
  • Improved helpdesk agent experience. Unifying our tools and features within ServiceNow ITSM enabled us to create a simpler, easier-to-navigate toolset for our support agents. They can move between tasks and tools more effectively, which increases overall support responsiveness and makes our service desk more efficient.
  • Reduced mean time to resolution. We’re experiencing a continual reduction in incident resolution as we integrate features and modernize the agent support experience. For example, ServiceNow ITSM Predictive Intelligence reduced MTTR by more than 10 percent on average in our pilot project. Based on these numbers, we’re deploying Predictive Intelligence at a broader scale for Global Helpdesk.

While we’ve successfully migrated many internally developed capabilities into out-of-the-box ServiceNow ITSM features and tools, it is an ongoing process. We’re continuing to learn lessons about the migration process and about successfully transforming the IT help-desk environment for greater efficiency and a more productive IT-agent experience. Some key lessons we’ve learned and continue to explore include:

  • Start small and expand scope as a feature matures. We typically start feature implementation small with a single team or use-case scenario. We use pilot projects to validate a solution, prove feature completeness, and gather proof of concept to gain support from stakeholders. Each pilot project contributes to a broader improvement to ServiceNow functionality.
  • Get buy-in from stakeholders early. Establishing organizational support is critical to the overall success of every feature implementation. We work hard to understand who our stakeholders are within Microsoft and make them aware of how a feature implementation might affect them—and ultimately improve our organization.
  • Test scalability and establish monitoring early. Starting small results in many quick wins and rapid feature implementation. However, we must ensure that any capabilities we implement can scale to meet enterprise-level requirements, both in functionality and usability. Tracking metrics and maintaining accurate reporting using ServiceNow’s reporting capabilities provides concrete assessment of feature effectiveness as it increases in usage and scale.
  • Don’t accept feature requirements at face value. Specific features are easy to quantify and qualify, but we always consider the bigger picture. We ask what business questions or challenges the requirements are addressing and then ensure our perspective always includes holistic business goals. We don’t simply want a granular implementation of a specific feature.

We’re working on a thorough list of feature integrations that include extensive use of AI and machine learning. This will simplify and strengthen predictive and automation capabilities in ServiceNow. We’re also investigating deeper integration between ServiceNow ITSM and Microsoft products including Microsoft 365, Microsoft Dynamics 365 and Azure.

We are excited that our joint efforts have introduced a rapid iteration of feature capability into the ServiceNow platform and the impact this brings to the ITSM industry.

Unpacking Microsoft’s speedy upgrade to Windows 11
http://approjects.co.za/?big=insidetrack/blog/unpacking-microsofts-speedy-upgrade-to-windows-11/
Thu, 17 Oct 2024 12:24:19 +0000

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Like our customers, we at Microsoft have a strong business need to address the new challenges created by remote and hybrid work. The internal adoption of Windows 11 is helping our company meet those needs, while enabling our employees to work smarter and more securely, regardless of where they are.

Upgrading to Windows 11 at Microsoft

Our priority in rolling out Windows 11 internally was to provide employees uninterrupted access to a safe and productive workspace while giving them a chance to try out the new operating system.

Introducing a new operating system, especially across a distributed workforce, naturally led to questions about device downtime and app compatibility. However, with established practices and evolved solutions in hand, historical obstacles became just that—a thing of the past. The rollout of Windows 11 at Microsoft was our most streamlined to date, frictionlessly delivering employees the latest operating system in record time.

What made the deployment of Windows 11 a success?

Over the past decade, our Microsoft Digital Employee Experience team, the organization that powers, protects, and transforms employee experiences, has worked closely with teams such as the Windows product group to improve how it runs Microsoft’s updates, upgrades, and deployments.

Whereas significant time and resources were once dedicated to testing app compatibility, building out multiple disk images, and managing a complex delivery method, processes and tools introduced during Windows 10 have streamlined upgrades and enabled the transformation to a frictionless experience.

Data from App Assure, a Microsoft service available to all customers with eligible subscriptions, shows the company had 99.7 percent compatibility for all apps in Windows 11—that eliminated the need for extensive testing. It also meant that employees’ Windows 10 apps work seamlessly in Windows 11. Additionally, Microsoft Endpoint Manager and Windows Update for Business eliminated the need for using more than one disk image and made it easier for employees to get Windows 11.

Our Microsoft Digital Employee Experience team relied on the same familiar tools and process as a Windows 10 feature update to quickly deliver the upgrade to employees.

The upgrade was divided into three parts:

Plan: Identify an execution and communication plan, then develop a timeline

Prepare: Establish reporting systems, run tests, ready employees, and build backend services

Deploy: Deploy Windows 11 to eligible devices

It all starts with a good plan

We at Microsoft Digital Employee Experience have a successful history of deploying new services, apps, and operating systems to employees. And it all starts at the same place—creating a disruption-free strategy that enables employees to embrace the latest technology as soon as possible without sacrificing productivity.

Assess the environment

Before the deployment of Windows 11 could begin, we had to take a careful inventory of all devices at Microsoft and determine which ones to target. Windows 11 has specific hardware requirements, and a percentage of employees running ineligible devices meant that not every device would be upgraded. Employees with these devices will upgrade to Windows 11 during their next device refresh.

To evaluate the device population, we used Update Compliance and Microsoft Endpoint Manager’s Endpoint analytics feature. This allowed our team to generate reports on devices that either met or failed to comply with minimum specifications. For example, certain devices, especially older desktops, lacked the Trusted Platform Module (TPM) 2.0 chipset that Windows 11 requires for security.

In the end, 190,000 devices were deemed eligible based on hardware and role requirements. Over the course of five weeks, our Microsoft Digital Employee Experience team deployed Windows 11 to 99 percent of qualifying devices.

Address ineligible devices and exclusions

After evaluating the broad population of devices, our team developed a plan for devices that would not receive a Windows 11 upgrade. Since Windows 10 and Windows 11 can be seamlessly managed side-by-side within the same management system, we only had to designate the number of devices that would not receive the upgrade. Using Update Compliance to inform deployment policies, we applied controls on ineligible devices, automatically skipping them during deployment. These measures not only made it easy to know why a device didn’t upgrade, but also assured a disruption-free experience for both employees and those on our team responsible for managing the upgrade.

These controls also allowed the company to bypass deployment on any device that had been incorrectly targeted for an upgrade.

Ineligible devices. Windows 10 and Windows 11 can be managed side-by-side and will be supported concurrently at Microsoft until all devices are upgraded or retired. As devices are refreshed, more and more of our employees will gain access to Windows 11.

Devices that should not receive the upgrade. Other devices, like servers and test labs—where we validate new products on previous operating systems—were issued controls and excluded from receiving Windows 11.

Establish a deployment timeline

Once upgradeable devices were identified, our team was able to create a clear timeline. From this schedule, our communications team developed an outreach plan, support teams readied the helpdesk, and the deployment team developed critical reporting mechanisms to track progress.

For the deployment itself, our team used a ring-based approach to segment the deployment into several waves. This allowed us to gradually release Windows 11 across the company, reducing the risk of disruption.

[Figure: Graphic showing Microsoft's internal Windows 11 upgrade milestones on a timeline. Caption: Microsoft’s internal upgrade to Windows 11 hinged on effective end-to-end communication.]

Create a rollback plan

Windows 11 has built-in support for rolling back to Windows 10 with a default window of 10 days after installation. If needed, our Microsoft Digital Employee Experience team could have revised this period via group policy or script using Microsoft Intune. Post-upgrade, there wasn’t much demand for a rollback, but the strategic release cadence that the team used, paired with the rollback capability, gave our team an easy way to quickly revert devices that might require going back to Windows 10 for a business need.

Preparing for success

Prior to starting the Windows 11 upgrade, we asked employees to complete pre-work needed for a successful upgrade. Because the upgrade was so smooth, only light readiness communications were needed. Instead, we focused on ensuring that employees were aware and excited about the benefits of Windows 11 and that they were ready to share their feedback on what it was like to use it.

Reach everyone

To maximize the impact of our communications, our team readied content that was digestible for every employee, regardless of role. Employees needed clear and concise messaging that would resonate, so that they could understand what Windows 11 would mean for them.

Our team in Microsoft Digital Employee Experience targeted a variety of established channels, including Yammer, FAQs on Microsoft SharePoint, email, Microsoft Teams, Microsoft’s internal homepage, and digital signage to promote Windows 11.

To generate interest, our materials focused on:

  • The new look and features of Windows 11, designed for hybrid work and built on Zero Trust
  • Flexible and easy upgrade options, including the ability to schedule upgrades at a time that worked best for the employee
  • The speed at which employees could be up and running Windows 11, as quickly as 20 minutes
  • New terms related to Windows 11 and where employees could go to learn more

An entire page on our company’s internal helpdesk site was dedicated to links related to the upgrade, including Microsoft Docs, where users could find a comprehensive library on new features.

Executive announcements from company leadership also conveyed the benefit of moving to Windows 11 and the ease with which it could be done.

Set expectations

Our team directed employees waiting to see if their device met Windows 11’s hardware requirements to the PC Health Check app. At an enterprise level, the team relied on Update Compliance to assess the device population.

We also used this opportunity to reinforce messaging to Windows 10 users—both operating systems would continue to operate side-by-side until all devices were refreshed. This helped ease concerns for employees who had to wait for an upgrade.

Ready support

Getting the deployment right wasn’t just about sending messages outward. Our team needed to receive and respond to employee questions before, during, and after the Windows 11 rollout.

Our support teams were given an opportunity to delve into Windows 11 prior to the deployment, which, based on experiences with previous upgrades, gave them time to categorize and group by severity any potential issues they might encounter. This familiarity not only helped them give employees informed answers, but also served as another feedback gathering mechanism.

Open for feedback

We run Microsoft on Microsoft technology and we encourage our employees to join the Windows Insider Program, where users are free to provide feedback directly to developers and product teams.

That’s why communications didn’t just focus on what was new with Windows 11, but on how feedback could be shared. If an employee had comments, they submitted them through a Feedback Hub where other employees could upvote tickets, giving visibility to our engineers in Microsoft Digital Employee Experience and the Windows product group.

Pre-work for deployment readiness

In addition to readying employees, we had to make sure all the backend services were in place prior to the deployment. This included building several processes, setting up analytics, and testing.

Establish analytics reports

Evolving beyond previous upgrades, the deployment of Windows 11 was the most data-driven release we have ever done. Looking closer at diagnostic data and creating better adoption reporting gave our team clear data to look at throughout the deployment.

Using Microsoft Power BI, our team could share insights regarding the company’s environment. This better prepared everyone on the team and allowed us to monitor progress during deployment.

Our team captured the following metrics:

  • Device population
  • Devices by country
  • Devices by region
  • Eligibility
  • Adoption

In addition to visibility into project status, access to this data empowered our team to engage employees whose eligible devices did not receive the upgrade.

Build an opt-out process

To accommodate users whose eligible devices might need to be excluded from the deployment, our team created a robust workback plan that included a request and approval process, a tracking system, and a set timeline for how long devices would be excluded from the upgrade.

Our Microsoft Digital Employee Experience team released communications specifying the timeframe for employees to opt out, including process steps. Employees who needed to remove their devices from the upgrade submitted their alias, machine name, and reason for exclusion. From there, our team evaluated their requests. Only users with a business reason were allowed to opt out. For example, Internet Explorer 11 requires Windows 10, so employees who need that browser for testing purposes were allowed to remove their devices from the deployment.

Once we had approved devices for exclusion, a block was put in place to remove them from the deployment. Data gathered during the opt-out process enabled us to follow up with these employees, upgrading them to Windows 11 at a more appropriate time.

Create a security model

At Microsoft, security is always top of mind for us. A careful risk assessment, including testing out a series of threat scenarios, was performed before Windows 11 was deployed across the company.

Our Microsoft Digital Employee Experience team built several specific Windows 11 security policies in a test environment and benchmarked them against policies built for Windows 10.

After testing the policies and scenarios to see if they would have any impact on employees, we found that devices with Windows 11 would meet Microsoft’s rigorous security thresholds without creating any disruptions. Just as importantly, users would experience the same behaviors in Windows 11 as they might expect from Windows 10.

The deployment

A decade ago, our efforts to deploy feature updates could be challenging, as we needed to account for different builds, languages, policies, and more. This required careful management of distribution points and VPNs prior to beginning deployment efforts in earnest.

When Windows 10 was released in 2015, our team used two deployment strategies: one for on-premises managed devices and one for cloud managed devices.

Today, the situation is much simpler.

Launched during the Windows 10 era, Windows Update for Business established some of the trusted practices that make product releases and feature updates a great experience for us here at Microsoft. Windows Update for Business deployment service introduces new efficiencies for our team, consolidating two deployment strategies into one.

For the deployment of Windows 11, our team had an advantage—Windows Update for Business deployment service.

Windows Update for Business deployment service enabled our Microsoft Digital Employee Experience team to grab device IDs from across the environment and use them to automate the deployment. Windows Update for Business deployment service handled all the backend processing and scheduling for us; all we needed to do was determine the start and end dates.

Our team easily managed exclusions and opt-outs with Windows Update for Business deployment service, and when a device needed to be upgraded, the service made it easier to remove and roll them back to Windows 10.

Importantly, Windows Update for Business deployment service provides a single deployment strategy for us moving forward. Deployment has been simplified, and the data loaded into Windows Update for Business deployment service for this upgrade will help speed up future releases.

Policies for success

We had to decide which policies we wanted to work with for the greatest outcome. This included how many alerts an employee would receive before receiving an upgrade to Windows 11.

Windows Update for Business deployment services reduced the long list of policies that our team needed to manage during deployment. This accelerated deployment without compromising security.

From pilot to global deployment

By structuring the deployment timeline to hit a small group of employees before incrementally moving on to a larger population, our Microsoft Digital Employee Experience team ensured Windows Update for Business deployment service ran as expected and that all required controls and permissions were set.

As our team used the Windows Update for Business deployment service to plot out upgrade waves, Windows 11 downloaded in the background and employees received pop-up alerts when their device was ready. The employee could restart at any time and would boot into Windows 11 after a few automated systems completed the installation. Employees could also schedule Windows 11 to upgrade overnight or during the weekend.

Onboarding OEMs

Working closely with Microsoft Surface and other Original Equipment Manufacturer (OEM) partners, the companies who supply Microsoft with new devices, our team was able to ensure that our employees had Windows 11 pre-loaded onto their PCs. This approach guaranteed that new devices complied with the hardware requirements of the new system.

A new device, straight out of the box, only needs to be powered on and connected to the internet before Windows Autopilot authenticates and configures everything for the user. Once initial setup is complete, Windows Autopilot ensures that new devices are equipped with Windows 11 and all the correct policies and settings.
For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=1d4z5N5XCsA, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Biswa Jaysingh shares five key learnings from releasing Windows 11 across Microsoft. Jaysingh is a principal group program manager on the Microsoft Digital Employee Experience team.

Entering the next stage of Windows at Microsoft

The deployment of Windows 11 at Microsoft validates our team’s approach to product releases and upgrades. With no measured uptick in support tickets, the deployment of Windows 11 has been a frictionless experience for employees and the wide adoption of new features confirms the value of the effort. The speed at which the team completed the deployment—190,000 devices in five weeks—represents the fastest deployment of a new operating system in company history.

We credit the success of this deployment to good planning, tools, strong communication, and the positive upgrade experience Windows 11 provides.

Windows Update for Business deployment service proved to be a big step in the evolution of how employees get the latest version of Windows. The service’s ease of use meant the team had a higher degree of control, flexibility, and confidence.

The tighter hardware-to-software ecosystem that comes with Windows 11 means our employees and all users of the operating system benefit from richer experiences. This, along with integration to Microsoft Teams, are just a few examples of what users are seeing now that they’re empowered by Windows 11.

Key Takeaways

  • Understand the hardware eligibility requirements for Windows 11.
  • The better you understand your environment the easier it will be to create a timeline, a communication plan, and ultimately track the deployment.
  • Messaging is key for leaders in the organization to share, especially for adoption.
  • Run a pilot with a handful of devices before deploying company wide. This will allow you to check policies for consistent experiences. Then move on to a ring-based deployment to carefully manage everything.
  • There’s no need to create multiple deployment plans with Windows Update for Business deployment service; it can automate the experience, streamlining the entire workflow. Instead of waiting until everyone is ready, consider running Windows 10 and Windows 11 side-by-side. Prepare today by deploying to those who are ready now.

Verifying device health at Microsoft with Zero Trust http://approjects.co.za/?big=insidetrack/blog/verifying-device-health-at-microsoft-with-zero-trust/ Fri, 06 Sep 2024 13:51:32 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=9002 Here at Microsoft, we’re using our Zero Trust security model to help us transform the way we verify device health across all devices that access company resources. Zero Trust supplies an integrated security philosophy and end-to-end strategy that informs how our company protects its customers, data, employees, and business in an increasingly complex and dynamic […]

The post Verifying device health at Microsoft with Zero Trust appeared first on Inside Track Blog.

Here at Microsoft, we’re using our Zero Trust security model to help us transform the way we verify device health across all devices that access company resources. Zero Trust supplies an integrated security philosophy and end-to-end strategy that informs how our company protects its customers, data, employees, and business in an increasingly complex and dynamic digital world.

Verified device health is a core pillar of our Microsoft Digital Zero Trust security model. Because unmanaged devices are an easy entry point for bad actors, ensuring that only healthy devices can access corporate applications and data is vital for enterprise security. As a fundamental part of our Zero Trust implementation, we require all user devices accessing corporate resources to be enrolled in device-management systems.

Verified devices support our broader framework for Zero Trust, alongside the other pillars of verified identity, verified access, and verified services.

Diagram showing the four pillars of Microsoft’s Zero Trust model: verify identity, verify device, verify access, and verify services.
The four pillars of Microsoft’s Zero Trust model.

[Explore verifying identity in a Zero Trust model. | Unpack implementing a Zero Trust security model at Microsoft. | Discover enabling remote work: Our remote infrastructure design and Zero Trust. | Watch our Enabling remote work infrastructure design using Zero Trust video.]

Verifying the device landscape at Microsoft

The device landscape at Microsoft is characterized by a wide variety of devices. We have more than 220,000 employees and additional vendors and partners, most of whom use multiple devices to connect to our corporate network. We have more than 650,000 unique devices enrolled in our device-management platforms, including devices running Windows, iOS, Android, and macOS. Our employees need to work from anywhere, including customer sites, cafes, and home offices. The transient nature of employee mobility poses challenges to data safety. To combat this, we are implementing device-management functionality to enable the mobile-employee experience—confirming identity and access while ensuring that the devices that access our corporate resources are in a verified healthy state according to the policies that govern safe access to Microsoft data.

Enforcing client device health

Device management is mandatory for any device accessing our corporate data. The Microsoft Endpoint Manager platform enables us to enroll devices, bring them to a managed state, monitor the devices’ health, and enforce compliance against a set of health policies before granting access to any corporate resources. Our device health policies verify all significant aspects of device state, including encryption, antimalware, minimum OS version, hardware configuration, and more. Microsoft Endpoint Manager also supports internet-based device enrollment, which is a requirement for the internet-first network focus in the Zero Trust model.

We’re using Microsoft Endpoint Manager to enforce health compliance across the various health signals and across multiple client device operating systems. Validating client device health is not a one-time process. Our policy-verification processes confirm device health each time a device tries to access corporate resources, much in the same way that we confirm the other pillars, including identity, access, and services. We’re using modern endpoint protection configuration on every managed device, including preboot and postboot protection and cross-platform coverage. Our modern management environment includes several critical components:

  • Microsoft Azure Active Directory (Azure AD) for core identity and access functionality in Microsoft Intune and the other cloud-based components of our modern management model, including Microsoft Office 365, Microsoft Dynamics 365, and many other Microsoft cloud offerings.
  • Microsoft Intune for policy-based configuration management, application control, and conditional-access management.
  • Clearly defined mobile device management (MDM) policy. Policy-based configuration is the primary method for ensuring that devices have the appropriate settings to help keep the enterprise secure and enable productivity-enhancement features.
  • Windows Update for Business is configured as the default for operating system and application updates for our modern-managed devices.
  • Microsoft Defender for Endpoint (MDE) is configured to protect our devices, send compliance data to Azure AD Conditional Access, and supply event data to our security teams.
  • Dynamic device and user targeting for MDM enables us to supply a more flexible and resilient environment for the application of MDM policies. It enables us to flexibly apply policies to devices as they move into different policy scopes.

Providing secure access methods for unmanaged devices

While our primary goal is to have users connect to company resources by using managed devices, we also realize that not every user’s circumstances allow for using a completely managed device. We’re using cloud-based desktop virtualization to provide virtual machine–based access to corporate data through a remote connection experience that enables our employees to connect to the data that they need from anywhere, using any device. Desktop virtualization enables us to supply a preconfigured, compliant operating system and application environment in a pre-deployed virtual machine that can be provisioned on demand.

Additionally, we’ve created a browser-based experience allowing access, with limited functionality, to some Microsoft 365 applications. For example, an employee can open Microsoft Outlook in their browser and read and reply to emails, but they will not be able to open any documents or browse any Microsoft websites without first enrolling their devices into management.
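The access decision described in the two sections above can be sketched as follows. This is an added illustration, not Microsoft's or Microsoft Endpoint Manager's code: the class names, the three decision outcomes, the denial of managed devices that fail a check, and the minimum OS version are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    FULL_ACCESS = "full_access"          # managed device, every check passes
    LIMITED_BROWSER = "limited_browser"  # unmanaged device: reduced web experience
    DENY = "deny"                        # managed device failing a health check


@dataclass
class DeviceState:
    """Health signals reported for a device at the moment of one request."""
    device_id: str
    managed: bool                 # enrolled in device management
    disk_encrypted: bool = False
    antimalware_running: bool = False
    os_version: str = "0"


@dataclass(frozen=True)
class HealthPolicy:
    """Hypothetical policy; the minimum version is a constructed value."""
    require_encryption: bool = True
    require_antimalware: bool = True
    min_os_version: str = "10.0.22000"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.22000' into (10, 0, 22000) so the comparison is numeric.

    Comparing the raw strings would rank '10.0.9' above '10.0.22000'.
    """
    return tuple(int(part) for part in text.split("."))


def failed_checks(state: DeviceState, policy: HealthPolicy) -> List[str]:
    """Return the name of every health signal that violates the policy."""
    failures = []
    if policy.require_encryption and not state.disk_encrypted:
        failures.append("encryption")
    if policy.require_antimalware and not state.antimalware_running:
        failures.append("antimalware")
    try:
        too_old = parse_version(state.os_version) < parse_version(policy.min_os_version)
    except ValueError:
        too_old = True  # an unparseable version fails closed
    if too_old:
        failures.append("min_os_version")
    return failures


def evaluate_access(state: DeviceState, policy: HealthPolicy) -> Tuple[Decision, List[str]]:
    """Decide access for ONE request from the signals current at that moment.

    Nothing is cached between calls, so a device that was healthy on the
    previous request is evaluated again from scratch.
    """
    if not state.managed:
        return Decision.LIMITED_BROWSER, ["not_enrolled"]
    failures = failed_checks(state, policy)
    if failures:
        return Decision.DENY, failures
    return Decision.FULL_ACCESS, []


if __name__ == "__main__":
    policy = HealthPolicy()
    laptop = DeviceState("dev-001", managed=True, disk_encrypted=True,
                         antimalware_running=True, os_version="10.0.22631")
    print(evaluate_access(laptop, policy))
    laptop.antimalware_running = False   # state drifts between two requests
    print(evaluate_access(laptop, policy))
```

Returning the list of failed checks with the decision gives the help desk and the user a concrete remediation target instead of an unexplained block.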

Key Takeaways

How we treat the devices that our employees and partners use to access corporate data is an integral component of our Zero Trust model. By verifying device health, we extend the enforcement capabilities of Zero Trust. A verified device, associated with a verified identity, has become the core checkpoint across our Zero Trust model. We’re currently working toward achieving better control over administrative permissions on client devices and a more seamless device enrollment and management process for every device, including Linux–based operating systems. As we continue to strengthen our processes for verifying device health, we’re strengthening our entire Zero Trust model.

Monitoring Microsoft’s SAP Workload with Microsoft Azure http://approjects.co.za/?big=insidetrack/blog/monitoring-microsofts-sap-workload-with-microsoft-azure/ Wed, 04 Sep 2024 16:00:22 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=8984 At Microsoft, our Microsoft Digital Employee Experience (MDEE) team is using Microsoft Azure telemetry tools to get key insights on our business processes that flow through our SAP instance, one of the largest in the world. Our new platform provides our leadership with a comprehensive view of our business-process health and allows our engineering teams to […]

The post Monitoring Microsoft’s SAP Workload with Microsoft Azure appeared first on Inside Track Blog.

At Microsoft, our Microsoft Digital Employee Experience (MDEE) team is using Microsoft Azure telemetry tools to get key insights on our business processes that flow through our SAP instance, one of the largest in the world. Our new platform provides our leadership with a comprehensive view of our business-process health and allows our engineering teams to create a more robust and efficient SAP environment.

Like many enterprises, we use SAP—the global enterprise resource planning (ERP) software solution—to run our various business operations. Our SAP environment is critical to our business performance, and we integrate it into most of our business processes. SAP offers functionality for enterprise services at Microsoft, such as human resources, finance, supply-chain management, and commerce. We use a wide variety of SAP applications, including:

  • SAP S/4HANA
  • ERP Central Component (ECC)
  • Global Trade Screening (GTS)
  • Business Integrity Screening (BIS) on S4
  • Master Data Governance (MDG) on S4
  • Governance, Risk, Compliance (GRC)
  • Revenue Management, Contract Accounting (RMCA)
  • OEM Services (OER)
  • SAP SaaS (Ariba, IBP, Concur, SuccessFactors)

Since 2018, Microsoft’s instance of SAP has been 100 percent migrated to Microsoft Azure. This project entailed moving all SAP assets to more than 800 Azure virtual machines and numerous cloud services.

We approached the migration by using both vertical and horizontal strategies.

From a horizontal standpoint, we migrated systems in our SAP environment that were low risk—training systems, sandbox environments, and other systems that weren’t critical to our business function. We also looked at vertical stacks, taking entire parts of our SAP landscape and migrating them as a unified solution.

We gained experience with both migration scenarios, and we learned valuable lessons in the early migration stages that helped us smoothly transition critical systems later in the migration process.

[Unpack how we’re optimizing SAP for Microsoft Azure. | Discover how we’re protecting Microsoft’s SAP workload with Microsoft Sentinel. | Explore how we’re unlocking Microsoft’s SAP telemetry with Microsoft Azure.]

Operating as Microsoft Azure-native

At Microsoft, we develop and host all new SAP infrastructure and systems on Microsoft Azure. We’re using Azure–based cloud infrastructure and SAP–native software as a service (SaaS) solutions to increase our architecture’s efficiency and to grow our environment with our business. The following graphic represents our SAP landscape on Azure.

Detailed illustration of SAP in Microsoft Azure listed by department: HR, Finance, SCM, Commerce, Enterprise services, SAP platform.
Microsoft’s SAP environment on Microsoft Azure.

The benefits of SAP on Microsoft Azure

SAP on Microsoft Azure provides several benefits to our business, many of which have resulted in significant transformation for our company. Some of the most important benefits include:

  • Business agility. With Microsoft Azure’s on-demand SAP–certified infrastructure, we’ve achieved faster development and test processes, shorter SAP release cycles, and the ability to scale instantaneously on demand to meet peak business usage.
  • Efficient insights. SAP on Microsoft Azure gives us deeper visibility across our SAP landscape. On Azure, our infrastructure is centralized and consolidated. We no longer have our SAP infrastructure spread across multiple on-premises datacenters.
  • Efficient real-time operations and integration. We can leverage integration with other Microsoft Azure technologies such as Internet of Things (IoT) and predictive analytics to enable real-time capture and analysis of our business environment, including areas such as inventory, transaction processing, sales trends, and manufacturing.
  • Mission-critical infrastructure. We run our entire SAP landscape—including our most critical infrastructure—on Microsoft Azure. SAP on Azure supports all aspects of our business environment.

Identifying potential for improved monitoring

As we examined our SAP environment on Microsoft Azure, we found several key areas where we could improve our monitoring and reporting experience:

  • Monitoring SAP from external business-process components. External business process components had no visibility into SAP. Our monitoring within individual SAP environments provided valuable insight into SAP processes, but we needed a more comprehensive view. SAP is just one component among many in our business processes, and the owners of those business processes didn’t have any way to track their processes after they entered SAP.
  • Managing and viewing end-to-end processes. It was difficult to manage and view end-to-end processes. We couldn’t capture the end-to-end process status to effectively monitor individual transactions and their progress within the end-to-end process chain. SAP was disconnected from end-to-end monitoring and created a gap in our knowledge of the entire process pipeline.
  • Assessing overall system health. We couldn’t easily assess overall system health. Our preexisting monitoring solution didn’t provide a holistic view of the SAP environment and the processes with which it interacted. The overall health of processes and systems was incomplete because of missing information for SAP, and issues that occurred within the end-to-end pipeline were difficult to identify and problematic to troubleshoot.

Our SAP on Microsoft Azure environment was like a black box to many of our business-process owners, and we knew that we could leverage Azure and SAP capabilities to improve the situation. We decided to create a more holistic monitoring solution for our SAP environment in Azure and the business processes that defined Microsoft operations.

Creating a telemetry solution for SAP on Microsoft Azure

The distributed nature of our business process environment led us to examine a broader solution—one that would provide comprehensive telemetry and monitoring for our SAP landscape and any other business processes that constituted the end-to-end business landscape at Microsoft. The following goals drove our implementation:

  • Integrate comprehensive telemetry into our monitoring.
  • Move toward holistic health monitoring of both applications and infrastructure.
  • Create a complete view of end-to-end business processes.
  • Create a modern, standards-based structure for our monitoring systems.

Guiding design with business-driven monitoring and personas

We adopted a business-driven approach to building our monitoring solution. This approach examines systems from the end-user perspective, and in this instance, the personas represented three primary business groups: business users, executives, and engineering teams. Using the synthetic method, we planned to build our monitoring results around what these personas wanted and needed to observe within SAP and the end-to-end business process, including:

  • Business users need visibility into the status of their business transactions as they flow through the Microsoft and SAP ecosystem.
  • Executives need to ensure that our business processes are flowing smoothly. If there are critical failures, they need to know before customers or partners discover them.
  • Engineers need to know about business-process issues before those issues affect business operations and lead to customer-satisfaction issues. They need end-to-end visibility of business transactions through SAP telemetry data in a common consumption format.

Creating end-to-end telemetry with our Unified Telemetry Platform

The MDEE team developed a telemetry platform in Microsoft Azure that we call the Unified Telemetry Platform (UTP). UTP is a modern, scalable, dependable, and cost-effective telemetry platform that’s used in several different business-process monitoring scenarios in Microsoft, including our SAP–related business processes.

UTP is built to enable service maturity and business-process monitoring across MDEE. It provides a common telemetry taxonomy and integration with core Microsoft data-monitoring services. UTP enables compliance with and maintenance of business standards for data integrity and privacy. While UTP is the implementation we chose, there are numerous ways to enable telemetry on Microsoft Azure. For additional considerations, access Best practices for monitoring cloud applications on the Azure documentation site.

Capturing telemetry with Microsoft Azure Monitor

To enable business-driven monitoring and a user-centric approach, UTP captures as many of the critical events within the end-to-end process landscape as possible. Embracing comprehensive telemetry in our systems meant capturing data from all available endpoints to build an understanding of how each process flowed and which SAP components were involved. Azure Monitor and its related Azure services serve as the core for our solution.

Microsoft Azure Application Insights

Application Insights provides a Microsoft Azure–based solution with which we can dig deep into our Azure–hosted SAP landscape and extract all necessary telemetry data. By using Application Insights, we can automatically generate alerts and support tickets when our telemetry indicates a potential error situation.

Microsoft Azure Log Analytics

Infrastructure telemetry such as CPU usage, disk throughput, and other performance-related data is collected from Azure infrastructure components in the SAP environment by using Log Analytics.

Microsoft Azure Data Explorer

UTP uses Microsoft Azure Data Explorer as the central repository for all telemetry data sent through Application Insights and Microsoft Azure Monitor Logs from our application and infrastructure environment. Azure Data Explorer provides enterprise big-data interactive analytics; we use the Kusto query language to connect the end-to-end transaction flow for our business processes, for both SAP and non–SAP processes.

Microsoft Azure Data Lake

UTP uses Microsoft Azure Data Lake for long-term cold-data storage. This data is taken out of the hot and warm streams and kept for reporting and archival purposes in Azure Data Lake to reduce the cost associated with storing large amounts of data in Microsoft Azure Monitor.

Diagram of UTP dataflow architecture for SAP on Microsoft Azure. Application and infrastructure telemetry are captured and evaluated.
A UTP data-flow architecture.

Constructing with definition using common keys and a unified platform

UTP uses Application Insights, Microsoft Azure Data Explorer, and Microsoft Azure Data Lake as the foundation for our telemetry data. This structure unifies our data by using a common schema and key structure that ties telemetry data from various sources together to create a complete view of business-process flow. This telemetry hub provides a central point where telemetry is collected from all points in the business-process flow—including SAP and external processes—and then ingested into UTP. The telemetry is then manipulated to create comprehensive business-process workflow views and reporting structures for our personas.

Common schema

UTP created a clearly defined common schema for business-process events and metrics based on a Microsoft-wide standard. That schema contains the metadata necessary for mapping telemetry to services and into processes, and it allows for joins and correlation across all telemetry.

Common key

As part of the common schema for business process events, the design includes a cross-correlation vector (XCV) value, common to all stored telemetry and transactions. By persisting a single value for the XCV and populating this attribute for all transactions and telemetry events related to a business process, we can connect the entire process chain related to an individual business transaction as it flows through our extended ecosystem.
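
An added example (not from the original article and not UTP code) of the correlation the common key enables: events from different sources are joined on a shared XCV to rebuild each transaction's chain and locate the step where it failed or stalled. The field names, step names and sample events are assumptions constructed for illustration.

```python
"""Reconstruct business-process chains from telemetry by a shared correlation
key (the article's XCV). Field names, step names and events are assumptions
constructed for illustration; they are not the UTP schema."""
from collections import defaultdict
from datetime import datetime

# Hypothetical order of steps in one business process.
EXPECTED_STEPS = ["order_received", "sap_sales_order", "sap_delivery", "invoice_api"]

# Constructed sample events from two telemetry sources (SAP and an external API).
EVENTS = [
    {"xcv": "A1", "ts": "2024-01-05T10:00:00", "source": "api", "step": "order_received", "status": "ok"},
    {"xcv": "A1", "ts": "2024-01-05T10:00:04", "source": "sap", "step": "sap_sales_order", "status": "ok"},
    {"xcv": "A1", "ts": "2024-01-05T10:00:09", "source": "sap", "step": "sap_delivery", "status": "ok"},
    {"xcv": "A1", "ts": "2024-01-05T10:00:12", "source": "api", "step": "invoice_api", "status": "ok"},
    # Arrives out of order: the SAP error was ingested before the API event.
    {"xcv": "B2", "ts": "2024-01-05T10:01:03", "source": "sap", "step": "sap_sales_order", "status": "error"},
    {"xcv": "B2", "ts": "2024-01-05T10:01:00", "source": "api", "step": "order_received", "status": "ok"},
    {"xcv": "C3", "ts": "2024-01-05T10:02:00", "source": "api", "step": "order_received", "status": "ok"},
    {"xcv": "C3", "ts": "2024-01-05T10:02:05", "source": "sap", "step": "sap_sales_order", "status": "ok"},
    # An emitter that did not populate the key: this event cannot be joined.
    {"xcv": "", "ts": "2024-01-05T10:02:09", "source": "sap", "step": "sap_delivery", "status": "ok"},
]


def build_chains(events):
    """Group events by XCV and order each chain by timestamp.

    Returns (chains, orphans). Orphans are events with no XCV, which cannot
    be tied to any business transaction."""
    chains, orphans = defaultdict(list), []
    for ev in events:
        key = (ev.get("xcv") or "").strip()
        if key:
            chains[key].append(ev)
        else:
            orphans.append(ev)
    for chain in chains.values():
        chain.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
    return dict(chains), orphans


def diagnose(chain, expected=EXPECTED_STEPS):
    """Return (state, step) for one chain.

    The chain is time-ordered, so the last status seen for a step wins
    (a retry that succeeds clears an earlier error)."""
    seen = {}
    for ev in chain:
        seen[ev["step"]] = ev["status"]
    for step in expected:
        if step not in seen:
            return ("stalled", step)   # no telemetry for this step yet
        if seen[step] != "ok":
            return ("failed", step)    # step reported an error
    return ("complete", None)


def summarize(events):
    """Diagnose every transaction and count events that could not be correlated."""
    chains, orphans = build_chains(events)
    report = {xcv: diagnose(chain) for xcv, chain in chains.items()}
    return report, len(orphans)


if __name__ == "__main__":
    report, orphan_count = summarize(EVENTS)
    for xcv, (state, step) in sorted(report.items()):
        print(f"{xcv}: {state}" + (f" at {step}" if step else ""))
    print(f"uncorrelated events: {orphan_count}")
```

Transaction C3 is reported as stalled only because one emitter dropped the key, which is why the key has to be populated on every event in the chain.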

Multilayer telemetry concept for SAP

For SAP on Microsoft Azure, our MDEE team focused on four specific areas for telemetry and monitoring:

  1. SAP Business Process layer
  2. SAP Application Foundation layer
  3. Infrastructure layer
  4. Surrounding API layer

The multilayered approach to SAP on Microsoft Azure.
Microsoft’s multilayer approach for its SAP instance.

The result was holistic telemetry and monitoring across these layers, a structure that leverages Microsoft Power BI as the engine behind our reporting and dashboarding functionality.

Our MDEE team created reporting around business-driven monitoring and constructed standard views and dashboards that offer visibility into important areas for each of the key business personas. Dashboards are constructed from Kusto queries, which are automatically translated into the Microsoft Power BI M formula language. For each persona, we’ve enabled a different viewpoint and altitude of our business process that allows the persona to view the SAP monitoring information that’s most critical to them.

Dashboard reporting views from the four SAP on Microsoft Azure layers.
Sample dashboard views for each layer.

Microsoft Azure Monitor for SAP Solutions

Microsoft previously announced the launch of Microsoft Azure Monitor for SAP Solutions (AMS) in public preview—an Azure-native monitoring solution for customers who run SAP workloads on Azure. With AMS, customers can view telemetry of their SAP landscapes within the Azure portal and efficiently correlate telemetry between various layers of SAP. AMS is available through Microsoft Azure Marketplace in the following regions: East US, East US 2, West US 2, West Europe, and North Europe. AMS doesn’t require a license fee.

Our MDEE team worked in close collaboration with Microsoft Azure product teams to build and release the SAP NetWeaver provider in Microsoft Azure Monitor for SAP Solutions.

  • The SAP NetWeaver provider in Microsoft Azure Monitor for SAP Solutions enables SAP on Microsoft Azure customers to monitor SAP NetWeaver components and processes on Azure in the Azure portal. The SAP NetWeaver provider includes default visualizations and alerts that can be used out of the box or customized to meet customer requirements.
  • SAP NetWeaver telemetry is collected by configuring the SAP NetWeaver provider within AMS. As part of configuring the provider, customers are required to provide the host name (Central, Primary, and/or Secondary Application server) of the SAP system and its corresponding Instance number, Subdomain, and System ID (SID).

For more information, go to the AMS quick start video and SAP NetWeaver monitoring - Azure Monitor for SAP Solutions.

AMS architecture diagram.
Microsoft’s AMS architecture.

Our telemetry platform provides benefits across our SAP and business-process landscape. We have created a solution that facilitates end-to-end SAP business-process monitoring, which in turn enables our key personas to do their jobs better.

Persona benefits

Benefits for each persona include the following:

  • Business users no longer need to create service tickets to get the status of SAP transaction flows. They can examine our business processes from end to end, including SAP transactions and external processes.
  • Executives can trust that their business processes execute seamlessly and that any errors are proactively addressed with no impact to customers or partners.
  • Engineers no longer need to check multiple SAP transactions to investigate business-process issues and identify in which step the business process failed. They can improve their time-to-detect and time-to-resolve numbers with the correct telemetry data and avoid business disruption for our customers.

Organization-wide benefits

The benefits of our platform extend across Microsoft by providing:

  • End-to-end visibility into business processes. Our Unified Telemetry Platform (UTP) provides visibility into business processes across the organization, which then facilitates better communication and a clearer understanding of all parts of our business. We have a more holistic view of how we’re operating, which helps us work together to achieve our business goals.
  • Decreased time to resolve issues. Our visibility into business processes informs users at all levels when an issue occurs. Business users can examine the interruption in their workflow, executives are notified of business-process delays, and engineers can identify and resolve issues. This activity all occurs before our customers are affected.
  • More efficient business processes. Greater visibility leads to greater efficiency. We can demonstrate issues to stakeholders quickly, everyone involved can recognize areas for potential improvement, and we can monitor modified processes to ensure that improvement is happening.

Key Takeaways

We learned several important lessons with our UTP implementation for SAP on Microsoft Azure. These lessons helped inform our progress of UTP development, and they’ve given us best practices to leverage in future projects, including:

  • Perform a proper inventory of internal processes. You must be aware of events within a process before you can capture them. Performing a complete and informed inventory of your business processes is critical to capturing the data required for end-to-end business-process monitoring.
  • Build for true end-to-end telemetry. Capture all events from all processes and gather telemetry appropriately. Data points from all parts of the business process—including external components—are critical to achieving true end-to-end telemetry.
  • Build for Microsoft Azure-native SAP. SAP is simpler to manage on Azure, and instrumenting SAP processes becomes more efficient and effective when SAP components are built for Azure.
  • Encourage data-usage models and standards across the organization. Data standards are critical for an accurate end-to-end view. If data is stored in different formats or instrumentation in various parts of the business process, the end reporting results won’t accurately represent the business process’s state.

We’re continuing to evaluate and improve as we discover new and more efficient ways to track our business processes in SAP. Some of our current focus areas include:

  • Machine learning for predictive analytics. We’re using machine learning and predictive analytics to create deeper insights and more completely understand our current SAP environment. Machine learning also helps us anticipate growth and change in the future. We’re leveraging anomaly detection in Microsoft Azure Cognitive Services to track SAP business service-health outliers.
  • Actionable alerting. We’re using Microsoft Azure Monitor alerts to create service tickets, generate service-level agreement (SLA) alerts, and provide a robust notification and alerts system. We’re working toward linking detailed telemetry context into our alerting system to create intelligent alerting that enables us to more accurately and quickly identify potential issues within the SAP environment.
  • Telemetry-based automation. We’re using telemetry to enable automation and remediation within our environment. We’re creating self-healing scenarios to automatically correct common or easy-to-correct issues to create a more intelligent and efficient platform.

We’re continually refining and improving business-process monitoring of SAP on Microsoft Azure. This initiative has enabled us to keep key business users informed of business-process flow, provided a complete view of business-process health to our leadership, and helped our engineering teams create a more robust and efficient SAP environment. Telemetry and business-driven monitoring have transformed the visibility that we have into our SAP on Azure environment, and our continuing journey toward deeper business insight and intelligence is making our entire business better.

Creating the digital workplace at Microsoft
http://approjects.co.za/?big=insidetrack/blog/creating-the-digital-workplace-at-microsoft/
Wed, 04 Sep 2024 14:28:19 +0000

A successful digital workplace is designed to empower employees to maximize their productivity. At Microsoft, it’s critical that our employees are connected to and across teams and organizations, as well as with our customers, partners, vendors, suppliers, and guests. Those connections need to be available whether they are physically in the office, working from a remote location, or doing a bit of both.

Building the most empowering digital workplace experience for Microsoft employees takes solid partnerships. Microsoft Digital Employee Experience (MDEE), the organization that powers, protects, and transforms Microsoft, collaborates closely with teammates in Global Workplace Services (GWS) to enable a workplace that uses physical infrastructure, devices, and cloud services to create an integrated experience that’s unparalleled. The digital workplace is deeply integrated with Microsoft products and services, including Microsoft Azure IoT, Microsoft Dynamics 365, and Microsoft 365, to increase productivity, create efficiency, enable accessibility, and eliminate friction.

Nathalie D’Hers, CVP of Microsoft Digital Employee Experience, talked about the importance of this collaboration with her counterpart Michael Ford, CVP of Global Workplace Services.

“Due to the nature of our roles, a commercial real estate leader and a technology leader see things from a slightly different lens,” D’Hers says. “I believe that what’s most important in achieving mutual success is to first align on vision to have a shared sense of where you want to go. Then it’s just figuring out how we’re going to get there. A lot of it relies on formulating a vision that both teams are comfortable with and then agreeing on the path to get there.”

Keeping up with a dynamic, hybrid work environment also represents a massive, ongoing investment in employees. The Digital Workplace investment is a leading example of how enterprises can transform their workplaces. This article showcases how to deploy digital workplace experiences at scale while making them secure, inclusive, accessible, and manageable. It also shows how these investments lead to increased employee satisfaction and productivity. To find out more about how the Digital Workplace investment fits into the broader vision for a better employee experience at Microsoft, read Reinventing the employee experience at Microsoft.

Catalyst for change

The global pandemic forced us to rethink the digital workplace. Prior to COVID-19, we were already championing an effort to be more open, transparent, and collaborative, as many companies were moving their employees from traditional office settings into more contemporary environments optimized for teams. Teams were already becoming more collaborative, and the nature of work was changing. But it has never been more necessary for workforces to adapt quickly and become more agile and innovative than it has been since the pandemic.

Interestingly, the pandemic has brought the MDEE and GWS teams closer together.

“There’s beauty and power when people work together in a moment of crisis,” D’Hers says. “Some of the things that might have been challenging outside of a crisis became easier. Prioritizing deliverables and determining the things we must do right away versus things that we could delay became easier, even budget prioritization and alignment was easier because we were working as one team.”

As employees prepare to return to the physical office and assess what a new hybrid workplace reality will look like, employers need to ensure an environment that empowers employees throughout their workday while keeping them safe and secure. At Microsoft, our teams are taking a holistic approach to improve the methods employees use to get to, engage, and work on campus.

At the same time, employees and their respective teams will be more distributed as we continue to embrace a “work from anywhere” approach. The nature of collaboration has significantly changed, and employees want a digital workplace that enables them to be productive in their work, engage with team members, and feel empowered no matter where they are. As Microsoft Chief Digital Officer Andrew Wilson says, “The digital employee experience is the employee experience.”

Establishing priorities

Microsoft Digital focuses on three key priorities that capture the experiences in which the Digital Workplace investment is relevant: putting employees first, creating compelling experiences that matter, and measuring the value of efforts.

Graphic showing Microsoft Digital’s “employees first,” “compelling experiences,” and “measure the value” priorities.
The three priorities of the Digital Workplace investment at Microsoft.

  • Employees first. How do our employees get to and around work safely and efficiently? From the morning commute to navigating buildings to getting home at the end of the day, moving around safely and efficiently is a foundational need for employees right now, and within the communities where worksites are located.
  • Create compelling experiences that matter. Employees expect more flexibility in their choice of workplace, and they want new experiences that were not available pre-pandemic. How do we provide dynamic access to services? What tools can we provide to enable effective collaboration and focus? Interaction within the workplace should be friction-free and straightforward.
  • Measure the value of efforts. The workplace should offer the most powerful solutions available for getting work done, both when employees are working collaboratively and when they’re focusing on their own work. Increased real-time analytics and building health and utilization metrics will be key to our real estate team (GWS) having a comprehensive view of physical spaces, so we can quickly prioritize and respond to changing employee preferences.

Through the lens of these priorities, the Microsoft Digital team created a framework for improving the employee experience. These powerful new capabilities are simple to use and integrate, and they combine securely and efficiently with other initiatives to accelerate digital transformation at Microsoft.

Making the digital workplace a reality

The vision for the digital workplace includes investments in infrastructure and physical components. With our three key priorities in mind, here are some of those experiences we’re evaluating to make a more compelling, start-to-finish workday for employees.

Priority 1: Putting the employee first

Employees need to be put in control of how they interact with Microsoft campuses. Social distancing and attention to safety are part of the post-COVID norm, and workplace technology must adapt to that.

Health and well-being have been emerging imperatives and now they are more important than ever. The campus of the future will have a strong focus on all aspects of an employee’s health and well-being. Onsite food and beverage programs will enable users to order ahead and have seamless payment to minimize waits and optimize their mealtime, access customized food delivery options, and obtain catering for special events. Helping employees find extra time, take breaks effectively, and find ways to maintain fitness at work are all important aspects of a reimagined on-campus experience. Health self-attestation apps to ensure employee safety as well as optimized temperature, lighting, and other environmental factors will all play a role to ensure optimal productivity.

Social distancing expectations will influence physical and digital designs. For example, Microsoft updated internal transportation offerings to enable a quick transition to social distancing if needed in the future, including fewer occupants per vehicle. Multimodal journey planning tools are also forthcoming to enable employees to easily select from a variety of options and quickly adapt to individual wellness preferences and hybrid schedules.

Similarly, we’re researching ways to monitor crowding in cafeterias so we can signal the best time to visit. Machine learning will help us develop models to improve our employee services in a safe manner.

Additionally, we want our employees to feel safe when there are visitors on campus. This means touchless visitor check-in to reduce health concerns and providing host notification and simple access to the Microsoft guest Wi-Fi network. Ideally, the visitor welcome experience begins prior to a visit, by providing visitors with a preregistration check-in and helpful information about their upcoming visit.

Key initiatives

Enabling these “employee first” initiatives brings several key benefits:

  • Improved and informed commuting decisions.
  • Space for recharging and resetting with Health and Wellness resources.
  • Order-ahead dining, seamless payment, and cafeteria crowdedness indicators.
  • Clear access to health attestation and optimized environmental controls.
  • Touchless visitor arrival and departure experiences.

Priority 2: Creating compelling experiences that matter

The physical spaces employees encounter when they’re in the office, especially the meeting room experience, are critical differentiators as employees begin to return to worksites. This section addresses two key areas: workflow improvements—improving the employee’s experience throughout their day as they arrive, engage, and work on campus—and meeting room improvements, specifically what changes need to be made to represent the new hybrid norm and to ensure a fair and inclusive meeting experience, whether you are joining from campus or remotely.

Workflow improvements

At Microsoft, an improved employee experience will be available through a variety of interfaces that meet employees wherever they may be. This includes a company-wide employee mobile app, smart building and lobby kiosks, desktop applications, and AI/bots that make applications predictive. Moving towards a variety of smart building capabilities that provide employees with flexibility and complement the way they go about their day will be the norm moving forward.

Graphic showing how employees move around campus: Connector bus, parking lot, building, desks with employees working and collaborating.
Looking at the various employee touchpoints throughout a workday on campus.

As Microsoft employees begin returning to worksites, they’ll have to start preparing for something they haven’t experienced in a while: their commute. That experience should be supported with smart recommendations about the best way to get to work, navigate traffic, and park their car. Smart parking allows for a proactive response to users’ parking needs. The parking design will lead to better space utilization, greater employee satisfaction, and improved safety and productivity when employees can easily and quickly find a vacant parking spot.

When people reach a facility, the arrival experience needs to be frictionless, welcoming, and secure. For employees, we’re working towards a mobile access option to enable fast and secure entry into Microsoft buildings. This system also eliminates the lost-badge scenario and helps Microsoft ensure the safety of employees while they are in buildings.

Employees’ commutes don’t end once they reach the office; they spend time moving within buildings and campuses during the workday. Enabling this travel by providing quick and easy shuttle bookings for employees on campuses and digital and physical indoor wayfinding to help employees find a colleague, conference room, or other location is key. The goal is to improve employees’ ability to get directions from one location to another across Microsoft facilities.

After employees get to work, they want on-demand and intelligent access to workplace services such as finding and booking a conference room, accessing transportation, making facility requests, as well as dining and wellness services that add value to their day.

In addition to enhancing the employee and visitor experience, partnering with the GWS team to reduce environmental impact through improved transportation offerings is also critical. For example, one of Microsoft Digital’s primary goals is to provide GWS counterparts with transportation utilization information so that they can optimize fleet operations and contribute to lower carbon emissions while still enabling the best possible employee experience.

Key initiatives

By focusing on these key workplace experiences, we can make it easier for employees to go about their day, adding value to their commute and on-campus experience:

  • Seamless commute and fast parking.
  • Badgeless entry.
  • Clear and visible wayfinding.
  • A move toward smart building capabilities.
  • A focus on environmental sustainability.

Meeting room improvements

Microsoft Digital is also focused on addressing the challenges of the conference room experience at scale by simplifying the process for joining a meeting and sharing content, improving audio reliability, and driving video availability and adoption, whether on site or remote. Meeting rooms that were once built and operated largely by facilities staff are becoming critical endpoints for digital collaboration. Computer-driven room systems (such as Microsoft Teams Rooms) can now be deployed and supported at scale in a cost-effective manner.

An empty focus room with a wall-mounted computer screen showing a user joined to a meeting with a PowerPoint deck on display.
A focus room meeting space utilizing Microsoft Teams for hybrid capabilities.

With nearly 16,000 meeting spaces at Microsoft, our “north star” is to provide a simple, consistent, reliable experience no matter where you are in the world. We’ve been most effective at achieving this goal in the Puget Sound region by leaning heavily on Microsoft Teams Rooms and Microsoft Surface Hubs. In 2022, we’ll move beyond our corporate headquarters and focus on delivering better meeting spaces globally, continuing to drive more capability at lower cost, increasing the number and type of spaces we support, and delivering new scenarios for our employees.

Remote attendees should find it simple and easy to join a meeting from wherever they are. By using Microsoft Teams to imagine the meeting experience beyond the conference room or traditional desktop connection, we’re working toward a friction-free, fully featured, and inclusive remote connection experience. With the right peripherals (good lighting is important) and Microsoft Teams enabled devices like headsets, speakerphones, and web cameras, everyone that has joined the meeting will be well represented and have a great meeting room experience.

To empower remote meeting attendees, we want to provide an experience on par with that of in-person attendees. We’re examining technical improvements to make sure remote attendees are included equally and can access meeting-specific content such as physical and digital whiteboard drawings. We’re also building functionality to ensure that employees of every ability have access to a full-featured meeting experience, including automated notetaking, automated task creation, and more intelligent integration of meeting information into the collaboration experience. For more ways to ensure the best use of these technologies and to create a culture of inclusive meeting experiences, check out Microsoft’s tips for staying productive in an evolving hybrid world.

Finding an available meeting room can be a challenge and will prove especially difficult for employees who haven’t been on campus for a while. Wayfinding (the ability to use an app or digital service to find your way within a building), resource management practices, and scheduling systems will offer help locating and making more efficient use of available rooms. And by enabling automated booking and management processes that continually reevaluate meeting room usage, we can reduce occurrences of double bookings, unused rooms, and cancellations that aren’t reflected in room availability, ensuring everyone has a space to meet.

Microsoft Digital has also developed a set of meeting room standards that we deploy around the world to ensure consistency of experience and supportability, helping to increase efficiency and reduce costs. By deploying this globally, we enable more accurate inventories, better visibility across more assets, efficient alerting capabilities, and improved remote access. By also developing more streamlined support processes, we’re building manageability and support for a new generation of communal devices.

Key initiatives

Enabling these meeting and collaboration experiences allows for the following improvements:

  • Deployment of Microsoft Teams Rooms.
  • Decommissioning of old conferencing technology.
  • Improved meeting space reservation time.
  • Ensured inventory accuracy and device visibility.

Priority 3: Measuring the value of efforts

Optimizing usage of space was difficult pre-pandemic even though there was a long, stable history of how spaces were utilized day in and day out. In a hybrid work environment, determining space utilization and the new normal of employee building utilization patterns will be even more challenging. By using data science and modeling to provide timely and accurate occupancy and facilities data, Microsoft can make better decisions about how its workspaces, buildings, and campuses will be utilized, which informs return to workplace occupancy planning as well as long-term real estate portfolio strategy.

Compounding the challenge is that, as we discover the new patterns of building occupancy, the need for occupancy data becomes more real time. Prior to COVID, occupancy data was looked at less frequently (several times a year). We have updated our dashboards to reflect this need for real-time data and to provide pre- and post-pandemic comparisons that can be separated by organization and region, to account for global locations being in various stages of COVID response. This data will come from both badge swipes and IoT sensors.

MDEE is also working closely with GWS to help them improve how they manage their facilities and operations, including efficient facility management, energy-smart buildings, and back-of-the-office processes such as lease management and utility bill payments. To achieve this optimization, the cross-functional team is building a state-of-the-art facility management system using Microsoft Dynamics 365 Field Services, Microsoft Azure Digital Twins, and a real estate Microsoft Azure data lake. Together, these technologies influence the transformation of facilities usage and management throughout the industry. The campus of the future will rely heavily on AI and machine learning to help improve precision of occupancy modeling and optimize energy use by up to 50%.

Key initiatives

By focusing on real-time data and machine learning, we can predictively model attendance, transportation and dining usage, cleaning signals, and more, resulting in the following benefits:

  • More precise occupancy and building portfolio planning.
  • Increased usage of real-time data.
  • Enhanced end-to-end facility management.
  • A digital twin of a physical building for providing an integration platform for smart spaces.
  • Quick onboarding of data from sensors and third-party systems to our Smart Building (digital twin) system.
  • Digitized floorplans.

Conclusion

At Microsoft, our investments in the Digital Workplace put employees at the center of their experience and ensure that those experiences add value to their day. Employees and guests will have simple, consistent, and reliable technologies, meeting spaces, and collaboration devices that allow them to be highly productive and conduct business with ease and professionalism. At Microsoft, the digital workplace experience will serve as a model of workplace productivity and an inspiration to our customers around the world.

Key Takeaways

  • A strong partnership between an IT team and real estate team can produce amazing results.
  • COVID has created an uncertain future for employee experiences, and a lot of opportunity to redefine the digital workplace. By doing continual, small-scale experiments, you’ll be better prepared for a wide range of possibilities.
  • Prioritize the employee first by putting them in control of their environment, whether it’s on campus or a hybrid experience. Once basic needs are met, the focus is then on creating compelling experiences that matter and measuring the value of those efforts.
  • Computer-driven room systems (such as Microsoft Teams Rooms) can be cost-effectively deployed and supported on a global
  • Data, especially real-time data, has an even larger prominence because of the need for rapid decision-making by employees, human resources, and real estate teams (for example, space utilization and space effectiveness).

Modernizing enterprise integration services at Microsoft with Microsoft Azure
http://approjects.co.za/?big=insidetrack/blog/modernizing-enterprise-integration-services-at-microsoft-with-microsoft-azure/
Tue, 03 Sep 2024 16:00:41 +0000

Our Platform Engineering team in Microsoft Digital Employee Experience (MDEE) wanted to improve the capabilities, performance, and resiliency of our on-premises integration platform. To do this, the team used Microsoft Azure Integration Services to build a cloud-based integration platform as a service (iPaaS) solution that increased data-transaction throughput and integration capabilities for our enterprise data footprint and improved platform reliability.

Business-to-business (B2B) and app-to-app (A2A) integration are imperatives in modern software solutions. Integration services use middleware technology that helps secure communication between integration points and data exchange between diverse enterprises and business applications. At Microsoft, our business demands integration across multiple independent software systems with diverse message formats such as EDIFACT, X12, XML, JSON, and flat file. Modern integration requires many modes of connectivity and data exchange, and includes the ability to connect:

  • Two or more internal applications.
  • Internal applications to one or more business partners.
  • Internal applications to software as a service (SaaS) applications.

Building on a foundation of enterprise integration

For decades, we as a company have worked to integrate our business data internally and in business-to-business scenarios with partners, vendors, and suppliers. BizTalk Server has been a standard for integration services for us and our partners, providing a foundation for dependable, easy-to-configure data integration.

Our ongoing digital transformation is driving cloud adoption to move business resources out of datacenters. As data storage and application development have evolved, cloud-native solutions based on SaaS and PaaS models have predominated among enterprise applications in most industries. To meet the growing need to supply increased scalability, reduce maintenance overhead for infrastructures, and decrease total cost of ownership, our Platform Engineering team has increasingly moved toward cloud-based solutions for enterprise integration.

Transforming integration with Microsoft Azure

Our Platform Engineering team began investigating Microsoft Azure Integration Services as a potential solution for scalable, cloud-based enterprise integration. Integration Services combines several Microsoft Azure services, including Logic Apps, API Management, Service Bus, Event Grid, and Azure Functions. These services provide a complete platform that companies can use to integrate business applications and data sources. Our team began working with Integration Services to gauge feasibility, test integration scenarios, and plan for enterprise-scale integration capabilities on the platform.

Collaborating to improve Microsoft Azure Integration Services

Throughout the development process, our Platform Engineering team worked closely with the Integration Services product group to enhance and build connectors. This collaboration allowed us to suggest improvements to existing Integration Services functionality. This effort prompted the creation of two new Logic Apps connectors, SAP with Secure Network Communication (SNC) and Simple Mail Transfer Protocol (SMTP), and enhancements to two existing Logic Apps connectors (EDIFACT and X12).

Examining our Azure Integration Services architecture

We in MDEE use all Microsoft Azure Integration Services components in our architecture to support end-to-end integration. Each component supplies an important part of the larger solution, including:

  • API Management for APIs, policies, rate limiting, and authentication.
  • Logic Apps for business workflows, orchestration, message decoding and encoding, schema validations, transformations, and integration accounts to store B2B partner profiles, agreements, schemas, and certificates.
  • Microsoft Azure Event Grid for event-driven integration to publish and subscribe to business events.
  • Microsoft Azure Functions for writing custom logic tasks, including metadata and config lookup, data lookup, duplicate check, replace namespace, and replace segments.
  • Microsoft Azure Data Factory for processing low volume, large payload messages, ETL processes, and data transformation.

We used Microsoft Azure Front Door as the entry point for all inbound traffic and helped secure endpoints by using Microsoft Azure Web Application Firewall configured with assignment permissions for allowed IP addresses. Additionally, API Management enabled us to abstract the authentication layer from the processing pipeline to help increase security and simplify processing of incoming data.

We deployed the entire solution to an integration service environment, which supplied a fully isolated and dedicated integration environment and other benefits, including autoscaling, increased throughput limits, larger storage retention, improved availability, and a predictable cost model.

The following figure illustrates our solution’s architecture using Microsoft Azure Integration Services.

Azure Integration Services architecture diagram, showing the experience layer, messaging layer, and operations layer.
Microsoft Azure Integration Services architecture for Microsoft Digital Employee Experience.

The solution architecture adheres to several important design principles and goals, including:

  • Pattern-based workflows that enable dynamic decisions using partner information.
  • Self-contained extensible workflows that can be modified and improved without affecting existing components.
  • A gateway component to store and forward messages.
  • Publish and subscribe services for data pipeline output.
  • Complete B2B and A2A pipeline processing with 100 transactions per second throughput and message handling up to 100 megabytes (MB) per message.

Designing dataflow pipelines

Our dataflow pipelines perform processing for most of our business-data transformation and movement tasks. We designed the B2B and A2A processing pipelines using Logic Apps and Microsoft Azure Functions, processing documents in their native format and delivering them to line of business (LOB) or enterprise resource planning (ERP) systems such as Finance, HR, Volume Licensing, Supply Chain, and SAP.

  • B2B pipeline. Electronic data interchange (EDI) documents such as purchase orders are brought in using AS2, processed using X12 standards, transformed, decoded and encoded using Logic Apps and Azure Functions, and then sent to the LOB app using the Logic Apps HTTP adapter.
  • A2A pipeline. Documents such as XML/JSON come in using one of the built-in adapters including SAP, File, SQL, SSH File Transport Protocol (SFTP), or HTTP. The documents are debatched, transformed, decoded, and encoded using Logic Apps and Azure Functions, and then sent to the line-of-business system using the appropriate Logic Apps adapter.
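
The validation and duplicate check that the B2B pipeline applies to inbound X12 documents can be pictured with the following added Python example, which is not code from the original post or from Microsoft's Logic Apps and Azure Functions implementation. The partner IDs, control numbers, and function names are constructed, and keying the duplicate check on sender, receiver, and interchange control number (ISA13) is an assumption about how such a check could work.

```python
class EnvelopeError(ValueError):
    """Interchange structure or control numbers are inconsistent."""


def parse_segments(raw):
    # The ISA header is fixed width (106 characters with its terminator), so the
    # delimiters are read from it rather than assumed to be "*" and "~".
    if len(raw) < 106 or not raw.startswith("ISA"):
        raise EnvelopeError("missing or truncated ISA header")
    elem_sep, seg_term = raw[3], raw[105]
    parts = (s.strip("\r\n") for s in raw.split(seg_term))
    return [p.split(elem_sep) for p in parts if p]


def _el(seg, n):
    return seg[n] if len(seg) > n else ""


def _num(seg, n, name):
    if not _el(seg, n).isdigit():
        raise EnvelopeError(f"{name} is not numeric")
    return int(seg[n])


def validate_envelope(segments):
    """Check ISA/IEA, GS/GE and ST/SE pairing, counts and control numbers."""
    isa, iea = segments[0], segments[-1]
    if isa[0] != "ISA" or len(isa) != 17:
        raise EnvelopeError("ISA must carry exactly 16 elements")
    if iea[0] != "IEA":
        raise EnvelopeError("interchange is not closed by IEA")
    if _el(iea, 2) != isa[13]:
        raise EnvelopeError("IEA02 does not match ISA13")
    groups, sets_in_group, gs, st, st_pos, set_ids = 0, 0, None, None, 0, []
    for pos, seg in enumerate(segments[1:-1], start=1):
        tag = seg[0]
        if tag == "GS":
            if gs is not None:
                raise EnvelopeError("GS opened before the previous group closed")
            gs, sets_in_group = seg, 0
        elif tag == "ST":
            if gs is None or st is not None:
                raise EnvelopeError("ST outside a group or inside another set")
            st, st_pos = seg, pos
        elif tag == "SE":
            if st is None:
                raise EnvelopeError("SE without ST")
            # SE01 counts every segment of the set, ST and SE included.
            if _num(seg, 1, "SE01") != pos - st_pos + 1:
                raise EnvelopeError("SE01 segment count mismatch")
            if _el(seg, 2) != _el(st, 2):
                raise EnvelopeError("SE02 does not match ST02")
            set_ids.append(_el(st, 1))
            st, sets_in_group = None, sets_in_group + 1
        elif tag == "GE":
            if gs is None or st is not None:
                raise EnvelopeError("GE without an open group or with an open set")
            if _num(seg, 1, "GE01") != sets_in_group:
                raise EnvelopeError("GE01 transaction set count mismatch")
            if _el(seg, 2) != _el(gs, 6):
                raise EnvelopeError("GE02 does not match GS06")
            gs, groups = None, groups + 1
        elif st is None:
            raise EnvelopeError(f"segment {tag} outside a transaction set")
    if gs is not None or st is not None:
        raise EnvelopeError("unclosed group or transaction set")
    if _num(iea, 1, "IEA01") != groups:
        raise EnvelopeError("IEA01 group count mismatch")
    return {"sender": isa[6].strip(), "receiver": isa[8].strip(),
            "control": isa[13], "sets": set_ids}


def accept(raw, seen):
    """Return (decision, detail); `seen` holds keys of interchanges already taken.

    An in-memory set is an assumption for the demo; a pipeline would persist it.
    """
    try:
        env = validate_envelope(parse_segments(raw))
    except EnvelopeError as exc:
        return "rejected", str(exc)
    key = (env["sender"], env["receiver"], env["control"])
    if key in seen:
        return "duplicate", env["control"]
    seen.add(key)
    return "accepted", env["control"]


def build_sample(control="000000101"):
    """Constructed X12 850 purchase order; every ID and number is made up."""
    isa = "*".join(["ISA", "00", " " * 10, "00", " " * 10,
                    "ZZ", "CONTOSOOEM".ljust(15), "ZZ", "ORDERINGSYS".ljust(15),
                    "240903", "1600", "U", "00401", control, "0", "T", ">"])
    body = ["GS*PO*CONTOSOOEM*ORDERINGSYS*20240903*1600*1*X*004010",
            "ST*850*0001", "BEG*00*NE*PO-CONSTRUCTED-1**20240903",
            "PO1*1*100*EA*9.99**VP*SKU-CONSTRUCTED", "CTT*1", "SE*5*0001",
            "GE*1*1", f"IEA*1*{control}"]
    return "~".join([isa] + body) + "~"


if __name__ == "__main__":
    seen = set()
    order = build_sample()
    print(accept(order, seen))                                    # first delivery
    print(accept(order, seen))                                    # same interchange again
    print(accept(order.replace("SE*5*0001", "SE*4*0001"), seen))  # count altered
```

Rejecting on envelope inconsistencies before any transformation keeps truncated or altered interchanges from reaching the line-of-business system, and the replay key stops a re-sent purchase order from being processed twice.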

Our integration solution used these pipelines in practical business scenarios across many lines of business at Microsoft, such as for volume licensing. A hardware manufacturer that includes Windows or Microsoft Office in their laptops submits an order for Windows or Office licenses to Microsoft’s ordering system, which sends the order details to our integration suite. The suite validates the messages, transforms them to IDoc format, and routes the IDoc to SAP using a data gateway for taxation and invoice generation. SAP generates an order acknowledgement in IDoc format and then passes it to the integration suite, which transforms the IDoc message into a format that the Microsoft ordering system will recognize.

Here’s another example from Microsoft Finance. An employee incurs an expense using a corporate credit card and the issuing financial institution sends a transaction report to the integration solution, which validates the message and performs currency conversion before sending it to Microsoft’s expense-management system for further approvals. After it’s approved in the expense-management system, the remittance transaction flows through the integration suite back to the banking system for payment settlement.

Capturing end-to-end messaging telemetry

We designed our solution to monitor message flow across the pipeline. Every transaction injects data into the telemetry pipeline using Microsoft Azure Event Hubs. The pipeline synthesizes and correlates that data to identify end-to-end processing status and recognize runtime failures. We built a custom tracking service that monitors and tracks important metrics for end-to-end workflows by using visual indicators on a dashboard. Accurate and readily available telemetry creates a more robust and reliable integration environment and improves the customer experience across pipelines.

Key Takeaways

We’ve realized several benefits across our integration environment, including:

  • Increased scalability. Our integration solution processes millions of monthly transactions, including 10 million B2B, 2.5 million A2A, and 74 million hybrid cloud transactions.
  • Improved quality of service. We used cross-region deployment with active-active configuration and thorough handling of faults to help achieve 99.9 percent in availability and reliability metrics.
  • Reduced total cost of ownership. We’ve reduced monthly costs in Microsoft Azure by more than 40 percent with this iPaaS solution.
  • Increased customer engagements. We’re working toward increasing Microsoft Azure Integration Services adoption by promoting this solution to our partners, vendors, and suppliers.

Microsoft Azure Integration Services has created an improved and more efficient integration environment for Microsoft. The increased scalability, reliability, and cost-effectiveness of Azure Integration Services have moved our business into a better position to actively collaborate with and operate alongside our partners, suppliers, and vendors. We’re continuing to transform our integration services landscape with Azure Integration Services to keep pace with the rapidly changing modern business environment.

Revamping a content management system at Microsoft with the Microsoft Power Platform
http://approjects.co.za/?big=insidetrack/blog/revamping-a-content-management-system-at-microsoft-with-microsoft-power-platform/
Thu, 22 Aug 2024 15:00:32 +0000

The post Revamping a content management system at Microsoft with the Microsoft Power Platform appeared first on Inside Track Blog.

End-to-end content management has become significantly easier for one Microsoft team thanks to the Microsoft Power Platform and our entrepreneurial citizen developers.

Our aging content management system needed to be replaced, so we—the Inside Track team in Microsoft Digital (MSD), the company’s IT organization—turned to the company’s citizen developer platform for help.

What did we do?

We moved our content management system for managing this website away from an older version of SharePoint to a more powerful and flexible Microsoft Power App built on a Microsoft Azure SQL back end. The new system relies on Microsoft Power Automate for workflows and Microsoft Power BI for reporting.

Our decision to overhaul the legacy system was prompted by performance issues and the need for scalability and compliance.

Peyton poses in a black and white dramatization with his head in his hands.
Tracey Peyton, a developer vendor working with the Inside Track team, and co-lead of the migration to the new system, pokes fun at the strain around the legacy content management system.

“As the previous content management system got used more, it just couldn’t scale—it got slow, very slow,” says Tracey Peyton, a director of technical development who supports the Inside Track team. “It was really a no-brainer to go to SQL for the back end and use Power Apps for the UI with Power Automate as the workflow because the scalability and interoperability is there.”

Running legacy systems can come with a host of challenges, including performance and compliance issues. As business needs evolved, the capabilities of Microsoft Power Platform unlocked a new way to efficiently manage the content publishing system.

“After issues with the previous platform reached a peak, it became abundantly clear that it wasn’t performing how the content experience managers needed it to,” Peyton says. “The Inside Track team decided to make the leap, and the results did not disappoint.”

A side-by-side image of Neill and Peyton, both smiling toward the camera in their remote office locations.
Jenny Neill (left), Tracey Peyton, and their team worked to build and deploy a new content management platform that improved performance, data validity, and customer satisfaction for Inside Track.

The Inside Track team creates content that shows IT leaders and practitioners how Microsoft uses its own technology and services to support its employees and internal business groups.

Peyton, who is on the team, has been doing web development since 1993 as a pro developer. He says that the move to Microsoft Power Platform (which includes Microsoft Power Apps, Microsoft Power Automate, and Microsoft Power BI) and Microsoft Azure SQL had numerous benefits that couldn’t be ignored.

The best of both worlds

On top of Microsoft Power Platform’s increased capability to scale, it’s a system that both professional and citizen developers can collaborate within because of its flexibility and capabilities.

Citizen development uses in-house talent and expertise, accelerates solution delivery, and fosters innovation. It allows organizations to respond swiftly to changing demands and customize solutions to fit each team’s needs.

By automating repetitive tasks and streamlining workflows, low-code and no-code environments like Microsoft Power Platform can significantly enhance productivity for developers and customers alike. Employees can focus on higher-value tasks while routine, time-consuming activities are streamlined.

Peyton led the vanguard for the migration to Microsoft Power Platform. He credits Microsoft Power Platform for its short ramp-up time and extensive ability to connect with other platforms. As of the writing of this blog post, premium subscriptions can connect to over 350 connectors, and the list continues to grow.

“Almost out of the box, anyone can start building a customized app—with the wide variety of connectors available and the ability to leverage data and functionality from other systems, it’s straightforward,” Peyton says. “It gives you ease of access for citizen developers.”

Compliance is also an aspect that can easily outrun the abilities of a legacy system.

“Policies change much quicker than tech requirements—our move to Microsoft Power Platform allowed us to respond to policy needs much more quickly,” says Lukas Velush, a senior business program manager on the Inside Track team.

A flowchart of the older Inside Track content management system.
The components of the old system versus the new system.

The migration from the old system to the new included:

  • SharePoint data to Microsoft Azure SQL: We took the opportunity to move our data from SharePoint and Microsoft Excel to a SQL database. Most of the static data moved easily, but because the team wanted to keep the new environment in sync while it was tested, it used Microsoft Power Automate to sync changes with the legacy system and transform any data that needed extra attention on the new platform.
  • Custom SharePoint UI to Microsoft Power Apps: To ease user transition, the team kept a similar interface with the new UI, but some controls (like multi-select combo boxes and the ability to search for multiple people across the org) didn’t work the same in Microsoft Power Apps. In these cases, the team built alternatives where needed using a customized view and low-code solutions.
  • Microsoft Power Automate for workflow: Because Microsoft Power Automate seamlessly integrates with the platforms the team was using, Peyton and the rest of the team had already been moving their workflows to Microsoft Power Automate. With the ability to invoke stored procedures in SQL, the team has even more options and flexibility to meet its automation needs.
  • Microsoft Power BI for dashboards: This was the heaviest lift of the migration. With plenty of deprecated data in the old system, it was time to rebuild these from scratch. The team moved to shared data sources, making it easy to create multiple reports without rebuilding its datasets each time.

An image of the Power BI reporting dashboard.
UI of the Inside Track reporting platform.

Flipping the switch

The development of the new system took six months.

Peyton and the team first approached the migration as an exploration. There was much back and forth about how Microsoft Power Platform could meet the business needs without any functional loss, and the exploration involved a lot of prototyping.

Months later, when it came time to complete the migration, the system only had to go offline for a few hours.

“When it was time to flip the switch, it was scary, and we were a little nervous at first,” Peyton says, explaining that they need not have worried—everything worked seamlessly. “I was really pleased with the increased performance—things were loading much quicker.”

Microsoft Power Platform enables professional developers like Peyton to accelerate their solutions. Using Adobe Analytics and Microsoft Azure SQL with Microsoft Power Platform meant that Peyton could hook up a SQL database with workflow, reporting, and a powerful front end without writing code. Professional developers have shifted toward writing no more code than necessary in order to reduce performance errors.

“Whereas before we had to do some wild data transformations on the previous system (the older SharePoint), we were able to step back and say that we can do this with SQL,” Peyton says. “Because of the interoperability of the Power Platform, we can move to managing data in native environments where you can get much more efficient processing.”

But, he says, there were pain points.

With Microsoft Power Platform, they did initially give up some functionality. One of those, Peyton says, was related to data sheet views.

“We lasted only a week before the people who used data sheet views said nope,” Peyton says.

The data sheet view offered the ability to make changes to multiple fields across several records directly to the underlying data without using the main form. It was only really for experienced power users. But, within hours, the team was able to build a separate Power App that provided the necessary access to the desired fields without compromising the data.

While building the UI, it was easy to keep accessibility standards in mind with the new platform capabilities.

“Having an agile or low-code environment can make it easy to push out new changes, which means your product can be in tune and responsive to updated compliance and policy updates,” Peyton says.

An image of the new Power App UI for Inside Track content management.
The new Microsoft Power App UI.

“There’s such a breadth of interoperability,” Peyton says. “The system allows you to focus on what you need and offload what you don’t.”

Problem-solving without the burden of technical problems

Velush says Microsoft Power Platform “allows the people who know the business to solve business problems and not have to worry too much about technical problems.”

Faster, easily customizable, scalable, fully compliant, and equipped with capabilities that charm both citizen and pro developers, Microsoft Power Platform has become the answer to a legacy system that Inside Track had outgrown.

“We have the agility and flexibility to take this system wherever we want from here,” Velush says.

Creating customized views in the Power Platform, whether it’s in Power Apps, Power Automate, or Power BI, offers several significant benefits to the Inside Track team and leadership teams. These customized views enhance visibility, decision-making, and overall efficiency with the use of tailored insights, efficient data access, personalization to fit each user’s needs, and role-based access to support the pillars of Microsoft’s Zero Trust security efforts.

In the early phases of development, the new system was only shared with the team via direct access, which meant members of the team had to request permission and wait for approval from the tool owner. After the system was established, it shifted to Entra ID (formerly Azure Active Directory) to allow collaboration across Microsoft Digital.

Velush sits in his home office smiling towards the camera.
Lukas Velush, senior program manager for Inside Track, shares how the new system improvements have revolutionized content management and overall performance.

Integrating new programs

The team sought out solutions with Power Platform to address evolving business needs. By adjusting the views of the new Power App and related dashboards, the team is able to quickly respond with custom views and tools that can handle the scale of our content portfolio.

We needed to efficiently manage content promotions across various social media platforms and have subject matter experts assess older stories to ensure we’re providing modern solutions to customers and employees.

The custom views based on the new system created a unified place for end-to-end promotion management. This allowed collaborators in Microsoft Digital to jump into the application with little to no experience. Collaborators could quickly see all the information needed to promote stories and track when and where a story was featured.

An image of the Power App UI for promoting content on social media.
The new Microsoft Power App UI for promoting content on social media.

Auditing the content portfolio on Inside Track’s internal and external sites was a manual process for the team and took up valuable time. Things change rapidly around Microsoft, and establishing a program that reviewed and worked to update stories was almost a full-time job by itself.

“We were able to rapidly build a solution that helped with a specific business problem,” says Jenny Neill, a project manager on the developer team for Inside Track. “We needed to get our arms around a large set of content that hasn’t been looked at in a long time. We needed a different lens, and it was possible to develop the requirements in a new Power App and bolt it onto the existing data structure.”

The Power Platform provided a needed solution at the right time.

“After hearing the challenges from one of the content experience managers, it was clear we needed to create a system to efficiently support the program,” Velush says. “Tracey and the developer team responded with a prototype that was already functional within the week.”

Peyton and the developer team created custom views in Power BI and a new Power App to support Inside Track in six weeks. “It was a radical improvement. Our CXM was able to scale up the program, and it was easy to check in on the program with the familiar interface,” Velush says.

An image of the Power BI dashboard for managing expiring content.
The new Microsoft Power App UI for managing older content.

The success of Microsoft Power Platform, Peyton says, can ultimately be traced to the system being able to flawlessly integrate—and Microsoft’s willingness to cater to the “next level” of integration.

“Over the last few years, Microsoft has made a great effort to refocus, ensuring they provide tools to developers so that they can interoperate with any environment; it doesn’t matter what you want to integrate with, regardless of platform,” Peyton says. “They’re giving developers the tools that they need to do what they need to do.”

Key Takeaways

  • Consider scalability and interoperability: When modernizing a legacy system, prioritize scalability and interoperability. Ensure that the chosen technology stack can handle increased usage over time and seamlessly integrate with other platforms and systems.
  • Empower citizen and pro developers: Utilize no-code or low-code platforms like Microsoft Power Platform to empower both citizen and professional developers within your organization. These platforms allow individuals with varying levels of technical expertise to collaborate efficiently.
  • Prioritize compliance and policy responsiveness: Recognize that policies can change quickly in a business environment. Choose a modernization approach that allows you to respond rapidly to policy needs while maintaining compliance with data security and regulatory requirements.
  • Customize and adapt: Be prepared to customize solutions to match the specific needs of different departments or teams within your organization. Modernization efforts should offer flexibility and the ability to adapt to unique requirements.

How Microsoft employees are leveraging the cloud for file storage with OneDrive Folder Backup
http://approjects.co.za/?big=insidetrack/blog/how-microsoft-employees-are-leveraging-the-cloud-for-file-storage-with-onedrive-folder-backup/
Wed, 14 Aug 2024 16:00:45 +0000

The post How Microsoft employees are leveraging the cloud for file storage with OneDrive Folder Backup appeared first on Inside Track Blog.

Any device, no matter the operating system, is susceptible to a ransomware attack or a device crash.

Microsoft OneDrive Folder Backup (also known as Known Folder Move) is a policy deployed by Microsoft that automatically syncs the contents of a user’s critical folders (Documents, Desktop, and Pictures) to the cloud to protect them in the event of device crashes and ransomware attacks. Files are safe in the cloud, easy to share and collaborate on, and are accessible across different devices.

“The goal of this project was to empower every OneDrive user in Microsoft to protect their critical files and sync their “known” folders to the cloud—this gives them seamless access from any of their devices from anywhere without changing the way they work,” says Priya Chebiyam, a senior product manager who leads Microsoft’s internal use of OneDrive for the Microsoft Digital team—the organization that powers, protects, and transforms the company.

Putting data security first

Carini and Chebiyam smile for the camera in a photo taken in an office in a Microsoft building.
Priya Chebiyam (left) and Gaia Carini were instrumental in piloting, testing, and deploying OneDrive Folder Backup (Known Folder Move) across Microsoft. Chebiyam is a senior product manager for Microsoft Digital and Carini is a principal group product manager for the OneDrive product group.

The Known Folder Move project was piloted at the end of 2019, starting with a small group of employees.

A significant step in the pilot was to decide on the deployment approach—would it be silent or prompt-based? With a silent approach, the policy would be automatically initiated for users who would then be notified when their backup was complete. With a prompt-based system, users would be notified at the start of the process and choose whether to opt in or opt out.

While a silent approach is widespread across the industry, Microsoft opted at first to give employees a choice during the program pilot. As the team rolled out the pilot program, a surge in cyberattacks altered the plan.

“We found during the pilot program that opt-in security measures raise levels of vulnerability,” says Chebiyam. “Adoption of security measures was slow in the opt-in pilot. There was also an increased risk of low employee participation.”

“Pivoting to a silent deployment reduces risks,” continues Chebiyam. “So, faced with rising levels of cyberattacks, the choice was clear.”

The Microsoft team swiftly countered rising cyberattacks by switching to silent deployment and rewrote Microsoft’s corporate security policy to require that all work documents and files reside in a corporate-approved storage system; OneDrive is that system.

With this shift in tactics, the team has been progressively rolling out a new plan that emphasizes security and disaster recovery across the company.

“Security is ingrained in the fabric of our culture,” says James Speller, a client deployment engineer on the project with Microsoft Digital. “The idea is to make data security as easy and non-disruptive as possible without compromising on safety.”

Learning from the results of the Known Folder Move pilot, the company took a different path at LinkedIn from the start, choosing the silent deployment approach.

“At LinkedIn, doing it that way was right for their culture and the way they run their business,” Chebiyam says. “We focused on accelerating the adoption of security measures.”

Additionally, the cross-company Known Folder Move team relied heavily on employee feedback to create a better solution and user experience. They took their time to get this rollout right, as this policy affects employee productivity.

“We had to take a step back and consider how the rollout will affect productivity,” says Chebiyam. “It’s ideal to keep security measures as non-disruptive to employees as possible, and striking the right balance between security and efficiency has been at the top of our minds during this project.”

The team used Viva Engage (formerly known as Microsoft Yammer) and OneDrive in-app surveys to collect feedback that would be sent directly to the help desk. Feedback was communicated to the product team, continuously improving the product to provide a better user experience.

After enough feedback was gathered and implemented, the rollout came to the entire Microsoft user base—approximately 290,000 targeted employees and vendors. This user base was divided based on role and geography, and the team started rolling it out to about 5,000 users per batch.

New employees and vendors are given this feature by default.

“The rapid growth of KFM-enabled OneDrives will significantly help the admins with any data investigation issues efficiently, with a quicker turnaround during critical emergencies. As a tenant admin, this KFM capability helps me to apply improved security controls on our Corp content residing in user OneDrives across the company,” says Abhishek Sharma, a senior service engineer with the team.

Change management

To get employees on board with using the cloud, messaging focused on the benefits of using OneDrive. These benefits include the amount of storage provided (all OneDrive accounts in Microsoft come with 5 TB of free cloud storage), the ability to access files if your computer is lost, broken, or in a refresh cycle, more secure sharing, easier access, improved collaboration, and real-time versioning.

“Because files are automatically synced to OneDrive, users don’t have to worry about what happens to their computer, giving them peace of mind that their files are safe,” says Gaia Carini, a principal group product manager on the experience and devices team. “You don’t have to worry about where your data is or where your content lives.”

While Eva Etchells, a senior content publishing manager on the Microsoft Digital team, worked on messaging internally to employees, our OneDrive product marketing team shaped the narrative around OneDrive Folder Backup outside of Microsoft, communicating the benefits to external stakeholders.

The narrative formed around figuring out how to automatically back up all users’ content without disrupting the way they work. Like Etchells’s messaging, the OneDrive product team focused on device crashes, stolen PCs, ransomware attacks, and so on to drive change management and adoption of the product.

Out of sight, out of mind

With OneDrive Folder Backup, users don’t have to think about the safety and security of their documents or worry about it affecting their productivity. It’s invisible, seamless, and always in sync. Millions of files and hundreds of terabytes of data have been uploaded to OneDrive, and it continues to grow each month.

“OneDrive has provided a valuable benefit to me for a long time,” says Susan Sims, a fan of the service who works in Microsoft Digital as a team Senior Program Manager.

Sims managed global file services years ago that hosted shared content. According to Sims, there was an attack on those file servers nearly monthly, attacks that led to manual lockdowns to make sure the company didn’t lose business-critical content. Microsoft OneDrive Folder Backup has eliminated the risk and concern around losing content from device crashes as well as attacks.

“OneDrive is crucial for recovery from ransomware attacks,” says Vivek Vinod Sharma, a Senior Security Architect who served as the security point of contact for the project for the Microsoft Digital Security and Resilience team. “As a best practice for fast-tracking people to get back to a productive state if affected by an attack, we want more business data to reside in OneDrive.”

Moving forward, the team aims to enable OneDrive Folder Backup through silent deployment for all Windows users.

“OneDrive Folder Backup brings the power of the cloud to the desktop on Windows and macOS,” Carini says. “It’s a critical part of the strategy and important for customers to enable in their organizations.”

Key Takeaways

  • Backing up files to the cloud is one of the most secure ways to store critical content to prevent file loss from ransomware attacks.
  • For faster and more effective change management across the organization, focus on the features and benefits employees will gain by adopting the policy to make them more likely to opt-in.
  • For a global rollout, communication is vital to ensure everything runs smoothly, especially when working across four or five different teams and geographies. Defining roles for each person and group is crucial.
  • When you begin moving your employees to OneDrive in the cloud, make sure their needs are at the center of everything you do. Get them as involved in the process as possible and act on as much of their feedback as you can to create a better user experience for everyone.
  • Acknowledge your organization’s policies and processes regarding security and compliance and use that as guidance when rolling out an approach to the entire user base.
  • Employees should be informed regarding what data is being collected and how that data is being used as part of the company security measures.
  • Consider the risks of workers not participating in security back-up options. Enforcing security uniformly as a company-wide policy minimizes potential damage to company assets from ransomware attacks.

The post How Microsoft employees are leveraging the cloud for file storage with OneDrive Folder Backup appeared first on Inside Track Blog.

Azure resource inventory helps manage operational efficiency and compliance http://approjects.co.za/?big=insidetrack/blog/azure-resource-inventory-helps-manage-operational-efficiency-and-compliance/ Wed, 24 Jul 2024 19:16:50 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=9782 One of the benefits of Microsoft Azure is the ease and speed in which cloud resources and infrastructure can be created or changed. Teams across Microsoft can scale up or scale down their cloud resources to meet their workload demands by adding or removing compute, storage, and network resources. Microsoft Digital has developed tools and […]

The post Azure resource inventory helps manage operational efficiency and compliance appeared first on Inside Track Blog.

One of the benefits of Microsoft Azure is the ease and speed with which cloud resources and infrastructure can be created or changed. Teams across Microsoft can scale up or scale down their cloud resources to meet their workload demands by adding or removing compute, storage, and network resources.

Microsoft Digital has developed tools and processes that help us effectively manage physical IT assets and resources. But with the increase in cloud resources comes some unique challenges. Conventional processes weren’t adequately giving us visibility into self-provisioned usage and related risks. Teams and business units at Microsoft could acquire cloud resources on behalf of the organization without passing through the traditional controls that give us some level of oversight and governance.

The adoption of self-service cloud technologies was making it difficult for us to keep up with rapid changes. We needed better visibility into Azure resource utilization for individual employees, groups, and roles. To improve our ability to manage Azure resources and to help ensure compliance, we developed processes to help us:

  • Create and maintain an inventory of the Azure subscriptions and resources used within the enterprise.
  • Define a methodology to help us correlate detailed resource-level records with operational visibility. This provides a cross-checked resource management mechanism that can be audited.
  • Develop a system for Azure usage management that uses the inventory to help us drive the most efficiency and value from our Azure resources.

Improving the efficiency of Azure resources

In a cloud environment, performance and availability of business workloads are often addressed by initially overestimating the compute and storage resources required. We didn’t have visibility to collect usage data or to determine whether the resources required to run an application were in alignment with the demand or needs of the business. To be more efficient with resources, we needed a way to identify underutilized capacity, dormant or orphaned resources, and other undesirable artifacts that can lead to increased costs and unnecessary risk or complexity. Our starting point in addressing the challenge was to gather and maintain an accurate inventory of the resources within Azure to help ensure that the proper controls are practiced, optimize resources, and mitigate unsanctioned cloud use.

Reducing risks through increased visibility

As an IT organization, we can’t manage risks that we can’t see. We require visibility into our environment to help us effectively measure, manage, and protect our infrastructure and systems. To perform their functions, our behavior-based Security Information and Event Management (SIEM) systems rely on an accurate view into IT infrastructures. When assessing compliance, security, cost-effectiveness, efficiency, troubleshooting, or other important functions, we need the capability to view and delve into every resource to determine its purpose, who can access it, and its value to the business.

Understanding the risk and usage profiles of both sanctioned and unsanctioned Azure cloud resources requires the collection of accurate Azure resource and usage information—they’re necessary for correlating risks and behaviors. Implementing appropriate controls and a method to monitor for unsanctioned usage helps us reduce the risks associated with unsanctioned and unknown cloud resources. Those risks include:

  • Inefficient use of resources. Trying to manage and support unsanctioned cloud resources consumes unnecessary time, effort, and expense. Audits and investigations can provide inaccurate or less effective results, and it can be difficult, or impossible, for us to enforce security policies on unsanctioned cloud resources.
  • Process maturity and execution inefficiencies. Although we’re working to advance operational levels of process maturity, unsanctioned and unknown cloud resources can lead to inefficiencies in:
    • Compliance and policy audits, and overall audit effectiveness.
    • Inventory and configuration management processes and practices.
    • Patch and vulnerability management.
    • Quality and operational processes.
  • Data loss or leakage. Unsanctioned and unknown cloud resources expand our threat surface. If cloud services are used to store business data, it occurs outside of our organizational policies and controls—and that data could be exposed, or exploited.

Creating an Azure resource inventory with usage and reporting capabilities

Just about everything in Azure that’s associated with an account or a subscription is considered a resource. There can be thousands of resources used for a single Azure deployment, including virtual machines, Azure Blob storage, address endpoints, virtual networks, websites, databases, and third-party services.

To be able to produce a comprehensive inventory, we needed to be able to answer the following questions about all of the Azure resources in use across the organization:

  • What is it?
  • Where is it?
  • What is it worth?
  • Who can access it?

We’re responsible for managing the on-premises and cloud resources in our environment at Microsoft. Because cloud services are self-service and constantly changing, we needed to ensure that any methodology that we created to inventory Azure resources was agile enough to keep pace.

We designed an Azure inventory solution that would collect subscription information from our internal billing system, resource and usage data from Azure Resource Manager, and store it in an Azure SQL database. The collected data could then be audited and reported on.

Illustration of internal billing systems and Azure Resource Manager connecting to Azure SQL data storage through automated data collection tool.
High-level architecture of the Microsoft Digital Azure resource inventory solution

Step 1: Locating and identifying the subscriptions within the enterprise

Subscriptions help us organize access to cloud service resources. They also help control how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and different plans by department, project, regional office, and so on. Every cloud service belongs to a subscription, and the subscription ID may be required for programmatic operations.

To identify which subscriptions we had in the environment, we generated a list from our internal billing system. The list we pulled from the internal billing system represented our “universe” view of all of the Azure subscriptions we would be collecting resource information for in Azure Resource Manager.

NOTE: Customers with an Azure Enterprise Program Agreement can access usage and billing information through a representational state transfer (REST) API. An enterprise administrator must first enable access to the API by generating a key from the Microsoft Azure Enterprise Portal. Anyone with access to the enrollment number and the key has read-only access to the API and data.

Step 2: Ensuring access to the subscriptions

Azure Resource Manager is a central computing role within Azure that provides a consistent layer for administrating and managing cloud resources. It’s also the component responsible for providing access to detailed resource usage reports and data. We use Azure Resource Manager REST APIs to pull resource and usage information from Azure Resource Manager into the data collection solution we built.

To effectively monitor Azure cloud usage and access privileges, our administrators required both visibility and administrative access into subscriptions and resources to list, monitor, and manage them. We created an Azure Active Directory service principal object that provides read-only access to our automated data collection tool.

Step 3: Building a data storage solution for subscription and resource metadata

We built a storage solution for subscription and resource metadata that we collect from the billing system and Azure Resource Manager using Azure SQL. We use Blob storage for backup. The datasets that we collect from the APIs aren’t standard, so we parse and structure them before we place them into the Azure SQL database. Our primary data storage solution supports only structured data, but our backup Blob storage supports unstructured data.

Step 4: Constructing an automated data collection tool

The data for the Azure resource inventory comes from 60 APIs, so we couldn’t rely on manual processes to collect that data with any regular frequency. Manual processes don’t scale and aren’t cost effective. We constructed an automated data collection tool that calls the numerous REST APIs to capture and store the metadata on a daily basis. The automated tool is a Windows virtual machine that has a C# native application running on it that calls the 60 Azure REST APIs. The application captures and parses the returns of each dataset before storing it in the Azure SQL database. The tool then creates a backup copy in Azure Storage.

Using an automated tool for data collection provides reliable results on a predictable schedule and saves us a great deal of time and money.

Step 5: Consolidate and link together datasets to create a subscription-level view

Each dataset represents a single object or view of the information. We use the unique subscription IDs and resource names to create subscription-level views that we can compare to our Azure baselines. After the data is consolidated and linked to its subscription ID and resource name, we can begin working with it to analyze and audit for specific activities, using familiar productivity tools like Power BI, Excel Power Query, or Excel PowerPivot. We regularly send Azure configuration insight reporting data to two internal portals—one that’s related to security and compliance, and another that reports organizational efforts to keep devices safe by keeping them current. We also use the resource information in our reporting to identify areas in which we have an opportunity to improve compliance through user education. Some of the reports we use include:

  • Azure Security Center alerts and compliance report. With this report, we pull a list of alerts that are found in Azure Security Center and provide detailed statistics, such as the number of High, Medium, and Low alerts found in the environment and the top subscriptions that are seeing alerts. The target audience is application teams and their organizations to help focus their efforts.
  • Compliance reporting by group. For our compliance reporting, we apply our baselines and aggregations to the Azure inventory. The compliance rates can be viewed at either an organization or team level to provide overall or drill-down information about compliance. The target audience is management and compliance leadership, to help them drive Azure security and compliance.
  • Compliance reporting for user role authorization. This report helps us identify user role authorization, assess them against the baselines as defined by the security use case, or narrative, and determine corresponding compliance rates against it per resource. This report includes the:
    • Total number of administrators in the environment.
    • Average administrator counts across groups and teams.
    • Number and names of non-employees that have privileged roles in subscriptions (contributor, administrator, and so on).
    • Number of potential unauthorized assignments.
    • Names of the people who created the potential unauthorized assignments.
    • Role type assignment details.
  • Resource type count report. This report includes a breakdown of resource type counts across the organization, including Azure SQL, Azure Virtual Network, virtual machines, Azure storage, and so on. It also contains a breakdown of resource type counts in the three fundamental cloud service models: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
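
The consolidation in Step 5 and the role-authorization report, sketched as an added example (not code from the original article or from Microsoft's tool). It uses an in-memory SQLite database as a stand-in for Azure SQL; the sample records, the `is_employee` flag, and the choice of privileged roles are assumptions.

```python
import re
import sqlite3

SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"
SUB_C = "33333333-3333-3333-3333-333333333333"  # absent from the billing list

# Constructed sample data standing in for the billing list and the API returns.
BILLING = [(SUB_A, "Finance"), (SUB_B, "HR")]
RESOURCE_IDS = [
    f"/subscriptions/{SUB_A}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web01",
    f"/subscriptions/{SUB_A}/resourcegroups/rg-app/providers/Microsoft.Sql/servers/sql-fin",
    f"/subscriptions/{SUB_B}/resourceGroups/rg-hr/providers/Microsoft.Storage/storageAccounts/hrdocs",
    f"/subscriptions/{SUB_C}/resourceGroups/rg-x/providers/Microsoft.Compute/virtualMachines/vm-lab",
    "not-an-arm-id",
]
# (scope, principal, role, is_employee). is_employee is a hypothetical directory
# attribute; the article does not say how non-employees are identified.
ROLE_ASSIGNMENTS = [
    (f"/subscriptions/{SUB_A}", "alice@example.com", "Owner", True),
    (f"/subscriptions/{SUB_A}", "vendor1@example.net", "Contributor", False),
    (f"/subscriptions/{SUB_A}", "bob@example.com", "Reader", True),
    (f"/subscriptions/{SUB_B}", "carol@example.com", "Owner", True),
    (f"/subscriptions/{SUB_C}", "vendor2@example.net", "Owner", False),
]
PRIVILEGED_ROLES = ("Owner", "Contributor", "User Access Administrator")

ARM_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"(?:/resourceGroups/(?P<rg>[^/]+))?"
    r"(?:/providers/(?P<type>[^/]+/[^/]+)/(?P<name>[^/]+))?$",
    re.IGNORECASE,
)

def parse_arm_id(arm_id):
    """Split an Azure Resource Manager ID into its parts. Covers subscription
    scopes and top-level resources only; anything else (nested child resources,
    malformed strings) returns None so it is rejected, not half-stored."""
    m = ARM_ID.match(arm_id)
    if not m:
        return None
    parts = m.groupdict()
    parts["sub"] = parts["sub"].lower()  # normalize the join key
    return parts

def build_inventory():
    """Parse the raw records and load them into structured tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE subscriptions (sub_id TEXT PRIMARY KEY, owner_group TEXT);
        CREATE TABLE resources (sub_id TEXT, rg TEXT, type TEXT, name TEXT);
        CREATE TABLE role_assignments (sub_id TEXT, principal TEXT, role TEXT, is_employee INTEGER);
    """)
    conn.executemany("INSERT INTO subscriptions VALUES (?, ?)", BILLING)
    rejected = []
    for rid in RESOURCE_IDS:
        p = parse_arm_id(rid)
        if p is None or p["type"] is None:
            rejected.append(rid)
            continue
        conn.execute("INSERT INTO resources VALUES (?, ?, ?, ?)",
                     (p["sub"], p["rg"], p["type"], p["name"]))
    for scope, principal, role, is_employee in ROLE_ASSIGNMENTS:
        p = parse_arm_id(scope)
        if p is None:
            rejected.append(scope)
            continue
        conn.execute("INSERT INTO role_assignments VALUES (?, ?, ?, ?)",
                     (p["sub"], principal, role, int(is_employee)))
    return conn, rejected

def subscription_view(conn):
    """One row per subscription seen anywhere in the collected data:
    (sub_id, in_billing, resources, privileged, non_employee_privileged)."""
    marks = ",".join("?" * len(PRIVILEGED_ROLES))
    sql = f"""
        WITH seen AS (
            SELECT sub_id FROM subscriptions
            UNION SELECT sub_id FROM resources
            UNION SELECT sub_id FROM role_assignments
        )
        SELECT s.sub_id,
               EXISTS (SELECT 1 FROM subscriptions b WHERE b.sub_id = s.sub_id),
               (SELECT COUNT(*) FROM resources r WHERE r.sub_id = s.sub_id),
               (SELECT COUNT(*) FROM role_assignments a
                 WHERE a.sub_id = s.sub_id AND a.role IN ({marks})),
               (SELECT COUNT(*) FROM role_assignments a
                 WHERE a.sub_id = s.sub_id AND a.role IN ({marks})
                   AND a.is_employee = 0)
        FROM seen s ORDER BY s.sub_id
    """
    return conn.execute(sql, PRIVILEGED_ROLES * 2).fetchall()

def resource_type_counts(conn):
    """Resource type count report across all subscriptions."""
    return conn.execute(
        "SELECT type, COUNT(*) FROM resources GROUP BY type ORDER BY type").fetchall()

if __name__ == "__main__":
    inventory, bad_records = build_inventory()
    for row in subscription_view(inventory):
        print(row)
    print("rejected:", bad_records)
```

A row with `in_billing` equal to 0 is a subscription that appears in the resource data but not in the billing "universe" list, which is the cross-check that surfaces unsanctioned usage.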

Key Takeaways

  • We’ve improved our visibility of Azure resources, and that has numerous benefits. Azure makes it easier to provision virtual machines and scope and scale Azure resources for testing. The inventory makes us better able to identify qualified resources for testing products and services.
  • We can make better decisions about cloud utilization, and reduce costs. And we’re reducing risk through our ability to easily identify and mitigate unsanctioned cloud applications. We’re better able to manage and audit Azure resources, to meet compliance standards by providing oversight and governance.
  • We didn’t stop there—after creating the inventory, we took on the task of managing our resource and subscription configurations.

Implementing a Zero Trust security model at Microsoft http://approjects.co.za/?big=insidetrack/blog/implementing-a-zero-trust-security-model-at-microsoft/ Tue, 23 Jul 2024 08:01:02 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=9344 At Microsoft, our shift to a Zero Trust security model more than five years ago has helped us navigate many challenges. The increasing prevalence of cloud-based services, mobile computing, internet of things (IoT), and bring your own device (BYOD) in the workforce have changed the technology landscape for the modern enterprise. Security architectures that rely […]

The post Implementing a Zero Trust security model at Microsoft appeared first on Inside Track Blog.

At Microsoft, our shift to a Zero Trust security model more than five years ago has helped us navigate many challenges.

The increasing prevalence of cloud-based services, mobile computing, internet of things (IoT), and bring your own device (BYOD) in the workforce have changed the technology landscape for the modern enterprise. Security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to corporate technology resources and services are no longer sufficient for a workforce that regularly requires access to applications and resources that exist beyond traditional corporate network boundaries. The shift to the internet as the network of choice and the continuously evolving threats led us to adopt a Zero Trust security model internally here at Microsoft. Though our journey began many years ago, we expect that it will continue to evolve for years to come.

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=ZVLlEj2So4E, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Carmichael Patton, a security architect at Microsoft, shares the work that his team, Digital Security and Resiliency, has been doing to support a Zero Trust security model.

The Zero Trust model

Based on the principle of verified trust—in order to trust, you must first verify—Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network. Zero Trust architecture reduces risk across all environments by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorized resources.

Zero Trust requires that every transaction between systems (user identity, device, network, and applications) be validated and proven trustworthy before the transaction can occur. In an ideal Zero Trust environment, the following behaviors are required:

  • Identities are validated and secure with multifactor authentication (MFA) everywhere. Using multifactor authentication eliminates password expirations and eventually will eliminate passwords. The added use of biometrics ensures strong authentication for user-backed identities.
  • Devices are managed and validated as healthy. Device health validation is required. All device types and operating systems must meet a required minimum health state as a condition of access to any Microsoft resource.
  • Telemetry is pervasive. Pervasive data and telemetry are used to understand the current security state, identify gaps in coverage, validate the impact of new controls, and correlate data across all applications and services in the environment. Robust and standardized auditing, monitoring, and telemetry capabilities are core requirements across users, devices, applications, services, and access patterns.
  • Least privilege access is enforced. Limit access to only the applications, services, and infrastructure required to perform the job function. Access solutions that provide broad access to networks without segmentation, or that aren’t scoped to specific resources, such as broad access VPN, must be eliminated.

Zero Trust scenarios

We have identified four core scenarios at Microsoft to help achieve Zero Trust. These scenarios satisfy the requirements for strong identity, enrollment in device management and device-health validation, alternative access for unmanaged devices, and validation of application health. The core scenarios are described here:

  • Scenario 1: Applications and services have the mechanisms to validate multifactor authentication and device health.
  • Scenario 2: Employees can enroll devices into a modern management system which guarantees the health of the device to control access to company resources.
  • Scenario 3: Employees and business guests have a method to access corporate resources when not using a managed device.
  • Scenario 4: Access to resources is limited to the minimum required—least privilege access—to perform a specified function.

Zero Trust scope and phases

We’re taking a structured approach toward Zero Trust, in an effort that spans many technologies and organizations, and requires investments that will carry over multiple years. The figure below represents a high-level view of the Zero Trust goals that we aim to fully achieve over the next two to three years, grouped into our core Zero Trust pillars. We will continually evaluate these goals and adjust them if necessary. While these goals don’t represent the full scope of the Zero Trust efforts and work streams, they capture the most significant areas of Zero Trust effort at Microsoft.

 

Pre-Zero Trust characteristics compared to the four pillars of Zero Trust implementation: Verify identity, Verify device, Verify access, and Verify services.
The major goals for each Zero Trust pillar.

Scope

Our initial scope for implementing Zero Trust focused on common corporate services used across our enterprise—our employees, partners, and vendors. Our Zero Trust implementation targeted the core set of applications that Microsoft employees use daily (e.g., Microsoft Office apps, line-of-business apps) on platforms like iOS, Android, macOS, and Windows (Linux is an eventual goal). As we have progressed, our focus has expanded to include all applications used across Microsoft. Any corporate-owned or personal device that accesses company resources must be managed through our device management systems.

Verify identity

To begin enhancing security for the environment, we implemented MFA using smart cards to control administrative access to servers. We later expanded the multifactor authentication requirement to include all users accessing resources from outside the corporate network. The massive increase in mobile devices connecting to corporate resources pushed us to evolve our multifactor authentication system from physical smart cards to a phone-based challenge (phone-factor) and later into a more modern experience using the Microsoft Azure Authenticator application.

The most recent progress in this area is the widespread deployment of Windows Hello for Business for biometric authentication. While Windows Hello hasn’t completely eliminated passwords in our environment, it has significantly reduced password usage and enabled us to remove our password-expiration policy. Additionally, multifactor authentication validation is required for all accounts, including guest accounts, when accessing Microsoft resources.

Verify device

Our first step toward device verification was enrolling devices into a device-management system. We have since completed the rollout of device management for Windows, Mac, iOS, and Android. Many of our high-traffic applications and services, such as Microsoft 365 and VPN, enforce device health for user access. Additionally, we’ve started using device management to enable proper device health validation, a foundational component that allows us to set and enforce health policies for devices accessing Microsoft resources. We’re using Windows Autopilot for device provisioning, which ensures that all new Windows devices delivered to employees are already enrolled in our modern device management system.

Devices accessing the corporate wireless network must also be enrolled in the device-management system. This includes both Microsoft–owned devices and personal BYOD devices. If employees want to use their personal devices to access Microsoft resources, the devices must be enrolled and adhere to the same device-health policies that govern corporate-owned devices. For devices where enrollment in device management isn’t an option, we’ve created a secure access model called Microsoft Azure Virtual Desktop. Virtual Desktop creates a session with a virtual machine that meets the device-management requirements. This allows individuals using unmanaged devices to securely access select Microsoft resources. Additionally, we’ve created a browser-based experience allowing access to some Microsoft 365 applications with limited functionality.

There is still work remaining within the verify device pillar. We’re in the process of enabling device management for Linux devices and expanding the number of applications enforcing device management to eventually include all applications and services. We’re also expanding the number of resources available when connecting through the Virtual Desktop service. Finally, we’re expanding device-health policies to be more robust and enabling validation across all applications and services.

Verify access

In the verify access pillar, our focus is on segmenting users and devices across purpose-built networks, migrating all Microsoft employees to use the internet as the default network, and automatically routing users and devices to appropriate network segments. We’ve made significant progress in our network-segmentation efforts. We have successfully deployed several network segments, both for users and devices, including the creation of a new internet-default wireless network across all Microsoft buildings. All users have received policy updates to their systems, thus making this internet-based network their new default.

As part of the new wireless network rollout, we also deployed a device-registration portal. This portal allows users to self-identify, register, or modify devices to ensure that the devices connect to the appropriate network segment. Through this portal, users can register guest devices, user devices, and IoT devices.

We’re also creating specialized segments, including purpose-built segments for the various IoT devices and scenarios used throughout the organization. We have nearly completed the migration of our highest-priority IoT devices in Microsoft offices into the appropriate segments.

We still have a lot of work to do within the verify access pillar. We’re following the investments in our wireless networks with similar wired network investments. For IoT, we need to complete the migration of the remaining high-priority devices in Microsoft offices and then start on high-priority devices in our datacenters. After these devices are migrated, we’ll start migrating lower-priority devices. Finally, we’re building auto-detection for devices and users, which will route them to the appropriate segment without requiring registration in the device-registration portal.

Verify services

In the verify services pillar, our efforts center on enabling conditional access across all applications and services. To achieve full conditional access validation, a key effort requires modernizing legacy applications or implementing solutions for applications and services that can’t natively support conditional access systems. This has the added benefit of eliminating the dependency on VPN and the corporate network. We’ve enabled auto-VPN for all users, which automatically routes users through the appropriate connection. Our goal is to eliminate the need for VPN and create a seamless experience for accessing corporate resources from the internet. With auto-VPN, the user’s system will transparently determine how to connect to resources, bypassing VPN for resources available directly from the internet or using VPN when connecting to a resource that is only available on the corporate network.

Amid the COVID-19 pandemic, a large percentage of our user population transitioned to work from home. This shift has increased the use of remote network connectivity. In this environment, we’ve successfully identified and engaged application owners to initiate plans to make these applications or services accessible over the internet without VPN.

While we have taken the first steps toward modernizing legacy applications and services that still use VPN, we are in the process of establishing clear plans and timelines for enabling access from the internet. We also plan to invest in extending the portfolio of applications and services enforcing conditional access beyond Microsoft 365 and VPN.

Zero Trust architecture with Microsoft services

The graphic below provides a simplified reference architecture for our approach to implementing Zero Trust. The primary components of this process are Intune for device management and device security policy configuration, Microsoft Azure Active Directory (Azure AD) conditional access for device health validation, and Azure AD for user and device inventory.

The system works by having Intune push device configuration requirements to the managed devices. The device then generates a statement of health, which is stored in Microsoft Azure AD. When the device user requests access to a resource, the device health state is verified as part of the authentication exchange with Azure AD.

 

Users and devices in an unprivileged network.
Microsoft’s internal Zero Trust architecture.
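
The access decision described above, modeled as an added example (not Microsoft's implementation or any Azure AD API). It checks identity, least-privilege authorization, and the stored device health statement in order, with the alternative paths for unmanaged devices. The resource names, the 24-hour freshness limit, and the decision to deny an unhealthy managed device are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy values; the article gives none of these.
MAX_HEALTH_AGE = timedelta(hours=24)
VIRTUAL_DESKTOP_RESOURCES = {"lob-expenses"}   # reachable through a virtual desktop session
BROWSER_LIMITED_RESOURCES = {"m365-mail"}      # reachable with limited browser functionality

@dataclass(frozen=True)
class Device:
    managed: bool                              # enrolled in device management
    compliant: bool = False                    # result recorded in the statement of health
    attested_at: Optional[datetime] = None     # when that statement was stored

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool
    entitlements: frozenset                    # resources explicitly authorized for this user
    device: Device
    resource: str

def evaluate(req, now):
    """Return (decision, reason). Every check must pass; nothing is trusted
    because of the network the request arrives from."""
    # Verify identity: MFA is required for all accounts, guests included.
    if not req.mfa_passed:
        return ("DENY", "mfa_required")
    # Least privilege: only explicitly authorized resources.
    if req.resource not in req.entitlements:
        return ("DENY", "resource_not_authorized")
    dev = req.device
    if dev.managed:
        # Verify device: the stored health statement must exist and be recent.
        if dev.attested_at is None or now - dev.attested_at > MAX_HEALTH_AGE:
            return ("DENY", "health_statement_missing_or_stale")
        if not dev.compliant:
            return ("DENY", "device_unhealthy")
        return ("ALLOW", "managed_healthy_device")
    # Unmanaged device: only the alternative access paths are offered.
    if req.resource in VIRTUAL_DESKTOP_RESOURCES:
        return ("VIRTUAL_DESKTOP", "unmanaged_device")
    if req.resource in BROWSER_LIMITED_RESOURCES:
        return ("BROWSER_LIMITED", "unmanaged_device")
    return ("DENY", "unmanaged_device_no_alternative")

def run_samples(now):
    """Evaluate constructed requests and return {user: (decision, reason)}."""
    ents = frozenset({"m365-mail", "lob-expenses", "source-repo"})
    healthy = Device(True, True, now - timedelta(hours=2))
    stale = Device(True, True, now - timedelta(days=3))
    unmanaged = Device(False)
    samples = [
        AccessRequest("alice", True, ents, healthy, "m365-mail"),
        AccessRequest("bob", False, ents, healthy, "m365-mail"),
        AccessRequest("carol", True, ents, stale, "m365-mail"),
        AccessRequest("dave", True, ents, unmanaged, "lob-expenses"),
        AccessRequest("guest", True, frozenset({"m365-mail"}), unmanaged, "m365-mail"),
        AccessRequest("erin", True, ents, healthy, "hr-payroll"),
        AccessRequest("frank", True, ents, unmanaged, "source-repo"),
    ]
    return {r.user: evaluate(r, now) for r in samples}

if __name__ == "__main__":
    fixed_now = datetime(2024, 7, 23, 12, 0, tzinfo=timezone.utc)
    for user, result in run_samples(fixed_now).items():
        print(user, result)
```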

A transition that’s paying off

Our transition to a Zero Trust model has made significant progress. Over the last several years, we’ve increased identity-authentication strength with expanded coverage of strong authentication and a transition to biometrics-based authentication by using Windows Hello for Business. We’ve deployed device management and device-health validation capabilities across all major platforms and will soon add Linux. We’ve also launched a Windows Virtual Desktop system that provides secure access to company resources from unmanaged devices.

As we continue our progress, we’re making ongoing investments in Zero Trust. We’re expanding health-validation capabilities across devices and applications, increasing the Virtual Desktop features to cover more use cases, and implementing better controls on our wired network. We’re also completing our IoT migrations and segmentation and modernizing or retiring legacy applications to enable us to deprecate VPN.

Each enterprise that adopts Zero Trust will need to determine what approach best suits their unique environment. This includes balancing risk profiles with access methods, defining the scope for the implementation of Zero Trust in their environments, and determining what specific verifications they want to require for users to gain access to their company resources. In all of this, encouraging the organization-wide embrace of Zero Trust is critical to success, no matter where you decide to begin your transition.

Key Takeaways

  • Collect telemetry and evaluate risks, and then set goals.
  • Get to modern identity and MFA—then onboard to AAD.
  • For conditional access enforcement, focus on top used applications to ensure maximum coverage.
  • Start with simple policies for device health enforcement such as device lock or password complexity.
  • Run pilots and ringed rollouts. Slow and steady wins the race.
  • Migrate your users to the Internet and monitor VPN traffic to understand internal dependencies.
  • Focus on user experience as it is critical to employee productivity and morale. Without adoption, your program will not be a success.
  • Communication is key—bring your employees on the journey with you!
  • Assign performance indicators and goals for all workstreams and elements, including employee sentiment.

Understanding Microsoft’s digital transformation http://approjects.co.za/?big=insidetrack/blog/inside-the-transformation-of-it-and-operations-at-microsoft/ Sat, 20 Jul 2024 16:16:41 +0000
Our Microsoft Digital Employee Experience (MDEE) team builds and operates the systems that run Microsoft, and as such, we’re leading the company’s internal digital transformation. We’re doing this by rethinking traditional IT and business operations, and by driving innovation and productivity for our 220,000-plus employees worldwide. Fueling Microsoft’s digital transformation is improving our ability to empower our employees, engage our customers and partners, optimize our operations, and transform our products.

The need for digital transformation

The need for our digital transformation is evident—the global pandemic has created challenges for every organization, from employee placement to supply chain management, to continued retail operations. The investments that Microsoft has made in digital transformation have helped us respond quickly and efficiently to the frequent changes brought by the COVID-19 pandemic.

Our continued digital transformation will enable Microsoft to further its mission of empowering every person and every organization on the planet to achieve more, and it starts right here at home, with MDEE. Every new challenge presents an opportunity to assess our role in the organization and how we can put Microsoft in an even better position to take on new challenges.

Disruptions have always been a catalyst for business transformation. To lead on the forefront, we’re becoming more agile, efficient, and innovative. This means changing our systems and processes to support and quickly adapt to new products, services, business models, regulations, and anything else that comes our way.

Leading with vision and world-class execution

Leading with vision is the primary driver of our digital transformation. MDEE powers the company, and we are critical to both internal and external customers. To lead with vision, we need a clearly articulated view of where we want to take things and what we need to get there. Aligning our work to a larger vision of what we want to accomplish pushes us past day-to-day fire drills and comfortable routines to deliver something truly great for Microsoft.  Each one of our groups has a clear, targeted vision grounded in what our customers need and what we need as an organization. However, articulating the vision is not enough. An inspired and productive vision must accurately reflect what we actually do.

Vision is the foundation for the major decisions we make, not a document that we write once a year and put on a shelf. Telling a story helps build a strong connection between vision and work. The vision should create a narrative that informs our day-to-day decisions at every level. Each choice, no matter how granular, should connect to and contribute to the broader vision. In turn, the vision inspires these choices, supporting aspirations for the business and energizing our employees. Telling the story this way makes us think carefully about how a piece of work fits into the broader vision—or if it doesn’t. It also helps us define our work in a way that’s consumable by our various stakeholder audiences, which is critical if we want them to support and partner with us. If we tell the story well, our stakeholders should be able to tell others the story of how our work supports them.

Making hard choices

Being vision-led means making difficult and specific choices about where we will focus our efforts, and which work we will need to postpone or simply not do. We ruthlessly prioritize, focusing on what to stop investing in as much as what to invest in next. We set a high bar for quality, delivery, cost, and compliance. Our approach includes observing important guidelines for how we implement our vision and how that informs our operations. This includes:

  • Connecting outcomes to the vision and clearly prioritizing.
  • Placing user experiences at the center of our designs.
  • Building capability and depth within role-specific disciplines.
  • Investing in core platforms and systems to drive engineering productivity.
  • Using data and insights to continually assess and prioritize our approach, ensuring that we achieve our most important goals and that they align with our vision.

With this mindset and these guidelines for execution, we empower our employees to think strategically. We want them to continually have this question in their minds: What experience do customers have when interacting with Microsoft, and how can we make it better?

Establishing priorities that support our vision

As part of our Microsoft Digital Product Vision, we established and articulated critical priorities that framed our areas of work. We based the priorities on pain points that existed within MDEE and on best-in-class experiences across other organizations that we studied. The priorities continue to define and guide our work, and they act as an organizational tool for measuring our transformation’s progress:

Cloud-centric architecture

Cloud-centric architecture is designed to deliver a consistently high level of service reliability. Our systems in the cloud are agile, resilient, cost-effective, and scalable, so we can be proactive and innovative. Microsoft Azure is at the core of our architecture. We use Azure to automate our processes, unify our tools, and improve our engineering productivity. This includes transitioning to a DevOps model using the out-of-the-box capabilities that Azure DevOps and Azure Pipelines offer. The DevOps model enables faster deployment of new capabilities that are more secure and compliant. A modern cloud-centric architecture is foundational to our digital transformation, and we’re building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation. Our investments include:

  • Transitioning from on-premises to cloud offerings to enable dynamic elastic compute, geo-redundancy, unified data strategy (Azure Data Lake), and flexible software-defined infrastructures.
  • Moving to cloud-centered IT operations, with provisioning, patching, monitoring, and backups for our cloud and on-premises environments utilizing Azure-based offerings.
  • Enabling continued company growth and improvement in our platform services while staying flat on the running cost of our services.
  • Developing deeper and richer insights into our service reliability, via standardization of monitoring solutions through Azure Application Insights, and standardization of incident-management tooling and automatic alerting. At the same time, we’re increasingly modeling our critical business processes and helping ensure end-to-end integrity through the monitoring and alerting of complex processes spanning multiple systems.
  • Providing a powerful feedback loop to our product-group partners (such as those for Azure, Microsoft Dynamics 365, and Windows) to showcase Microsoft running on Microsoft. This results in an improved enterprise-customer experience, including running one of the largest SAP instances entirely on Azure and helping ensure that Azure is SAP-ready for our customers.

Secure enterprise

Security is a never-ending, holistic pursuit that requires the same level of innovation and improvement found in every facet of the tech industry. Cloud-based architecture and ubiquitous user access require an enterprise security strategy that embraces identity as the new perimeter and encompasses our entire digital footprint. Improved security, which we’re seamlessly integrating into all parts of our digital transformation, is a component of every product we develop. Our strategy aligns around six core security pillars: device health, identity management, information protection, data and telemetry, risk management, and security assurance. Some of the specific areas in which we’re investing include:

  • Using Zero Trust as a model to help protect our infrastructure through enforced device health, strong authentication, least-privileged access, and pervasive telemetry that verifies control effectiveness.
  • Eliminating passwords through strong multi-factor authentication.
  • Thwarting phishing attacks on our users by using Microsoft Office 365 safe filters and Safe links, phishing detection, and email-delivery prevention.
  • Making our Security Operations Center even more efficient and effective through automation and the orchestration of detection and response.

Data and intelligence

Data is the most critical asset that modern organizations possess. The exponential increases in data, sophisticated algorithms, and computational power are fueling modern organizations to make rapid advances in technology and business disruptions. Our data’s value is directly proportional to the number of people within our organization who can find it, understand it, know they can trust it, and then connect it in new and meaningful ways for the deepest insights. We’re turning disparate company data into cohesive insights and intelligent experiences, and we’re investing in core areas including:

  • Creating a modern data foundation by aggregating clean, connected, and authoritative data that is catalogued, easily discoverable in a common location, and understandable enough that any team can use it to create insights and intelligent experiences.
  • Developing AI and machine learning—not to replace human experts but to augment and accelerate human decisions using trusted intelligent models built on the wealth of available data.
  • Using analytics services to understand user journeys, processes, behavior, and insights, which roll up to executive scorecards to measure our progress against strategic goals.

Customer centricity

Employees and customers belong at the center of our focus and need to feel that they’re doing business with “One Microsoft” across all products and channels. Our ability to digitally transform hinges on a strong foundation of customer data. Achieving a holistic understanding allows us to provide customers with relevant and tailored offers and highly customized customer service by responding to their needs proactively. The complete technology solutions in the offers give customers the best value and a consistent experience. To achieve a security-enhanced and 360-degree understanding of our customers, online identity tenants need to be linked with sales accounts, purchase accounts and agreements, billing accounts, and third-party organizational-reference data. Our investments include:

  • Developing customer health-analytics and recommendation engines, using a clean directory and historical customer actions and interactions, to better understand and predict our customers’ needs and how we can add value with our offerings.
  • Publishing a shared, authoritative, and clean directory of organizational data and providing the tools and processes to maintain its accuracy and completeness.
  • Augmenting the organizational data that Microsoft holds by identifying and managing the relationships for any organization, enabling a more holistic understanding of who the customer is and how we can better serve them.

Productive enterprise

Microsoft employees are at the heart of our mission to enable and support our customers and partners to achieve more. We empower our employees to be their most creative and productive in how they work and collaborate across physical and digital environments. We use Microsoft products and services underpinned with Microsoft 365, AI, and machine learning to deliver connected, accessible, interactive, and individualized experiences for our employees. Our specific investments include:

  • Supporting a broad selection of devices, providing a quick and easy setup, and ensuring the devices are always up to date. We provide secure and seamless access to work-related apps, sites, services, documents, and data.
  • Developing enterprise search and task-automation capabilities that use Microsoft Search and integrated digital assistants. We’re providing our employees with a coherent and reliable enterprise-search experience and delivering automated micro-task capability to further enhance productivity.
  • Enabling team productivity by using Microsoft Teams and Office 365 as the backbone, fostering increased engagement, and accelerating decision making across devices and locations.
  • Creating a modern workplace where our employees have integrated digital and physical experiences for finding meeting spaces, indoor wayfinding, transportation, parking, and other workplace services.
  • Providing a customizable web and mobile employee experience focused on what’s important to the individual, delivering personalized access to workplace services, and making it easier to quickly complete common tasks.

Turning vision into a practical reality

Our priorities describe what we do, but how we’ll do it is just as important. We’ve made significant changes to the way we work to enable transformation. These changes allow us to take more ownership of our work, run more efficiently and effectively, and build in a way that’s durable over time. With a model for transformation, we can move away from decisions and directions based on team budget availability and move toward the delivery of clear and prioritized business outcomes. We measure our collective success by directly applying this model to our business and not by pure delivery of features. We prioritize as an organization based on where our vision directs us rather than at the local budget level. The practical goal of our vision-led product mindset is to discover the most effective and efficient solutions that will have the greatest impact on the transformational focus areas that make our vision a reality.

MDEE digital-transformation methodology
Microsoft’s digital transformation methodology.

Transformed operating model

With an operating model for transformation, we can move away from decisions and directions based on team budgets and move toward the delivery of clear and prioritized business outcomes. Through this model, we’re empowering our business groups and employees by giving them autonomy and decision-making capabilities. Each business group maintains its own vision and has the freedom to prioritize its work based on that vision. However, this work still needs to align with the overarching MDEE vision and is assessed twice a year during a central review. This ensures that work is correctly prioritized and funded across the entire organization. Examples of our transformed operating model include:

  • Centralizing funding and prioritization: We’ve moved away from a decentralized, department-focused funding model and toward a centralized model where MDEE owns the budget. In the past, our business groups, such as Finance and Marketing, drove funding and projects. Now, we can use our priorities to fund work based on our vision.
  • Insourcing core systems and engineering: We’re managing the systems most critical to our organization’s success with trained, full-time employees. Historically, we outsourced much of this work. However, we’re bringing it back under the control of our employees and retaining intellectual property. We want our people behind the design, development, and operation of our most-important internal products.
  • Focusing metrics on business outcomes: Our metrics reflect the business outcomes to which we’re driving as opposed to traditional IT operating metrics. To transform successfully, alignment with our vision and contribution to the organization’s success take top priority. Therefore, how we measure success is based on business outcomes and not on arbitrary metrics.

Product-based approach to our business

To enable world-class execution of the services we build and run, we’re taking a product-based approach to our processes. We want to focus on developing solutions that contribute to our vision, and we want to use agile development methods and product-focused management in our development. Taking a product-based approach to our business means:

  • Creating a vision and business-driven agenda: We ensure that anything in which we invest resources aligns to our vision. We’re asking our internal teams to always have the best interest of Microsoft in mind. If it doesn’t align with our vision, it should be questioned—regardless of who’s doing the questioning. We want to produce the best products for our internal and external customers.
  • Focusing on skill development and a DevOps structure: A DevOps structure extends the management lifecycle for developers beyond version release. With the DevOps approach, the people on our team in MDEE who build solutions are responsible for the operation, fixes, troubleshooting and ownership over each line of code they write. A DevOps approach and agile methodology focus our employees on a solution’s success both during its development and after it’s in use. This leads to a more fluid evolution of product features and a focus on functionality rather than on feature addition.
  • Shifting to product management: We manage products rather than projects. Product management keeps our teams focused on the success of the product rather than the completion of a project. Our product managers are involved in the entire process, from managing relationships with stakeholders to understanding the technical foundations of their products. Product management builds on the DevOps structure to help ensure that teams who develop a solution feel invested in the ongoing success of that solution and not just on the release of the latest version.

Modern engineering and design practices across all processes

Modern engineering focuses on providing a common set of tools and automation that delivers code and new functionality to our employees by enabling continuous integration and delivery practices. We prioritize the most effective outcomes for the business, delivering against a ranked backlog. We add telemetry to monitor customer usage patterns, which provides insights on the health of our services and customer experiences. We want to remove functional silos in our organization and increase the ways in which our infrastructure, apps, and services connect and integrate. Behind all this, we have a unified set of standards that protect and enable our employees. We engineer for the future by:

  • Establishing a coherent design system: We’re creating a consistent, coherent, and seamless experience for our employees and customers across all our products and solutions. This means establishing priorities and standards for design and the user experience and creating an internal catalog of shared principles and guidelines to keep our entire organization in sync. Historically, we’ve developed in siloes, which led to varying user experiences and a cacophony of different tools. Now, we’re reviewing work in aggregate and scrutinizing experiences to drive user productivity.
  • Creating integrated and connected services: Our move to the cloud increases the overall agility of the development process and accelerates value delivery to the company. We’ve achieved this by re-envisioning our portfolio into a microservice architecture that promotes code reuse and enables cross-service dependencies through APIs. This further enables the delivery of a seamless and integrated experience that brings data and tools together, providing users with intuitive experiences and new insights.
  • Building privacy, security, and accessibility standards into our workflow: We integrate tools that support our engineers in building improved privacy, security, and accessibility into our solutions. Without these standards and automated policies, we’d have to rework and clean up as situations change. This is more costly and impacts our velocity of releases to users. Creating standards that we apply organization-wide, and from the beginning, creates an environment of trust in our engineering practices. Our innovations in this area ensure that our solutions also benefit our customers as these solutions are integrated into our commercial products.

Using a customer-zero feedback cycle

In MDEE, we have a unique opportunity to help our customers through their own transformations by sharing our best practices and lessons learned. As early adopters of Microsoft solutions, we provide feedback to our product-development teams and we co-develop solutions with them, which ultimately improves the products that we, and our customers, use to transform. Many of our product enhancements begin as internal solutions to business problems at Microsoft and then evolve within the feedback cycle, and then are incorporated into a final product. A key part of being customer zero is that we provide advice, guidance, and reference materials to customers based on our transformation blueprint and early adopter experience.

Key Takeaways
Almost every company in the world, including Microsoft, finds itself at a point unlike any other since the industrial revolution. The old IT model hinders the ability to remain relevant in an ever-changing marketplace, and companies must transform to maintain their competitive positioning. At Microsoft, we’ve rallied around transformation and are well underway. We’ve set ambitious goals, and we’re reshaping what we value and how we work. At our core, we’re vision-led and adopting the expectation for world-class execution. The combination of external and internal change presents a significant challenge but, more importantly, it offers a substantial opportunity for us to become more agile and respond more quickly. As a result, we’re in a better position to empower our employees, engage our customers and partners, optimize our operations, and transform our products.

Transformation does not have a finish line—it’s a journey. As we progress through our transformation, we’ll make mistakes and adjust our strategy accordingly, but we’ll also continue to move forward. We will share our transformation journey with our customers with the hope that our experiences can inspire, advise, and assist them through their own transformations.

Microsoft Intune makes it easy to bring your own device to work http://approjects.co.za/?big=insidetrack/blog/microsoft-intune-makes-it-easy-to-bring-your-own-device-to-work/ Thu, 04 Jul 2024 23:41:57 +0000
For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=rZ7KnatLI9c, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

We’re using Microsoft Intune for mobile device management internally at Microsoft, including for iOS devices.

Microsoft Intune makes it convenient to bring your own device to work. Watch to learn how simple it is to enroll your employees’ personal mobile devices in Intune, giving them secure access to corporate resources and applications. Our Microsoft Digital Employee Experience team uses Intune to help ensure that personal devices, such as iOS devices, adhere to corporate security policies without accessing personal files.

 

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=eyk19T1OXy8, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Check out this step-by-step guidance for device enrollment.
