Improving security by protecting elevated-privilege accounts at Microsoft
Inside Track staff, Inside Track Blog (How Microsoft does IT), Tue, 25 Feb 2025
http://approjects.co.za/?big=insidetrack/blog/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft/

Microsoft Digital technical stories

This story was first published in 2019. We periodically update our stories, but we can’t verify that they represent the full picture of our current situation at Microsoft. We leave them on the site so you can see what our thinking and experience was at the time.

An ever-evolving digital landscape is forcing organizations to adapt and expand to stay ahead of innovative and complex security risks. Increasingly sophisticated and targeted threats, including phishing campaigns and malware attacks, attempt to harvest credentials or exploit hardware vulnerabilities that allow movement to other parts of the network, where they can do more damage or gain access to unprotected information.

Like many organizations, Microsoft Digital—our company’s IT organization—used to employ a traditional IT approach to securing the enterprise. We now know that effective security calls for a defense-in-depth approach that requires us to look at the whole environment—and everyone that accesses it—to implement policies and standards that better address risks.

To dramatically limit our attack surface and protect our assets, we developed and implemented our own defense-in-depth approach. This includes new company standards, telemetry, monitoring, tools, and processes to protect administrators and other elevated-privilege accounts.

In an environment where there are too many administrators, or elevated-privilege accounts, there is an increased risk of compromise. When elevated access is persistent or elevated-privilege accounts use the same credentials to access multiple resources, a compromised account can become a major breach.

This story highlights the steps we are taking at Microsoft to protect our environment and administrators, including new programs, tools, and considerations, and the challenges we faced. We will provide some details about the new “Protect the Administrators” program that is positively impacting the Microsoft ecosystem. This program takes security to the next level across the entire enterprise, ultimately changing our digital-landscape security approach.

Understanding defense-in-depth protection

[Figure: The three-legged-stool approach to information protection. Information protection is depicted as a stool with three legs that represent device health, identity management, and data and telemetry.]

Securing all environments within your organization is a great first step in protecting your company. But there’s no silver-bullet solution that will magically counter all threats. At Microsoft, information protection rests on a defense-in-depth approach built on device health, identity management, and data and telemetry—a concept illustrated by the three-legged security stool in the accompanying graphic. Getting security right is a balancing act. For a security solution to be effective, it must address all three aspects of risk mitigation on a base of risk management and assurance—or the stool topples over and information protection is at risk.

Risk-based approach

Though we would like to be able to fix everything at once, that simply isn’t feasible. We created a risk-based approach to help us prioritize every major initiative. We used a holistic strategy that evaluated all environments, administrative roles, and access points to help us define our most critical roles and resources within the Microsoft ecosystem. Once defined, we could identify the key initiatives that would help protect the areas that represent the highest levels of risk.

As illustrated in the graphic below, the access-level roles that pose a higher risk should have fewer accounts, which helps reduce the impact to the organization and control entry.

The next sections focus primarily on protecting elevated user accounts and the “Protect the Administrators” program. We’ll also discuss key security initiatives that are relevant to other engineering organizations across Microsoft.

Implementing the Protect the Administrators program

[Figure: The risk-role pyramid we use to help prioritize security initiatives.]

After doing a deeper analysis of our environments, roles, and access points, we developed a multifaceted approach to protecting our administrators and other elevated-privilege accounts. Key solutions include:

  • Working to ensure that our standards and processes are current, and that the enterprise is compliant with them.
  • Creating a targeted reduction campaign to scale down the number of individuals with elevated-privilege accounts.
  • Auditing elevated-privilege accounts and role management to help ensure that only employees who need elevated access retain elevated-access privileges.
  • Creating a High Value Asset (HVA)—an isolated, high-risk environment—to host a secure infrastructure and help reduce the attack surface.
  • Providing secure devices to administrators. Secure admin workstations (SAWs) provide a “secure keyboard” in a locked-down environment that helps curb credential-theft and credential-reuse scenarios.
  • Reporting metrics and data that help us share our story with corporate leadership as well as getting buy-in from administrators and other users who have elevated-privilege accounts across the company.

Defining your corporate landscape

In the past, equipment was primarily on-premises, and it was assumed to be easier to keep development, test, and production environments separate, secure, and well-isolated without a lot of crossover. Users often had access to more than one of these environments but used a persistent identity—a unique combination of username and password—to log into all three. After all, it’s easier to remember login information for a persistent identity than it is to create separate identities for each environment. But because we had strict network boundaries, this persistent identity wasn’t a source of concern.

Today, that’s not the case. The advent of the cloud has dissolved the classic network edge. The use of on-premises datacenters, cloud datacenters, and hybrid solutions is common in nearly every company. Using one persistent identity across all environments can increase the attack surface exposed to adversaries. If compromised, it can yield access to all company environments. That’s what makes identity today’s true new perimeter.

At Microsoft, we reviewed our ecosystem to analyze whether we could keep production and non-production environments separate. We used our Red Team/penetration (PEN) testers to help us validate our holistic approach to security, and they provided great guidance on how to further establish a secure ecosystem.

The graphic below illustrates the Microsoft ecosystem, past and present. We have three major types of environments in our ecosystem today: our Microsoft and Microsoft 365 tenants, Microsoft Azure subscriptions, and on-premises datacenters. We now treat them all like a production environment with no division between production and non-production (development and test) environments.

[Figure: Microsoft ecosystem then and now. Three environment types now: Microsoft and Microsoft 365 tenants, Azure subscriptions, and on-premises datacenters. Now, everything is considered a “production” environment. We treat our three major environments in the Microsoft ecosystem like production.]

Refining roles to reduce attack surfaces

Prior to embarking on the “Protect the Administrators” program, we felt it was necessary to evaluate every role with elevated privileges to determine their level of access and capability within our landscape. Part of the process was to identify tooling that would also protect company security (identity, security, device, and non-persistent access).

Our goal was to provide administrators the means to perform their necessary duties in support of the technical operations of Microsoft with the necessary security tooling, processes, and access capabilities—but with the lowest level of access possible.

The top security threats that every organization faces stem from too many employees having too much persistent access. Every organization’s goal should be to dramatically limit their attack surface and reduce the amount of “traversing” (lateral movement across resources) a breach will allow, should a credential be compromised. This is done by limiting elevated-privilege accounts to employees whose roles require access and by ensuring that the access granted is commensurate with each role. This is known as “least-privileged access.” The first step in reaching this goal is understanding and redefining the roles in your company that require elevated privileges.

Defining roles

We started with basic definitions. An information-worker account does not allow elevated privileges, is connected to the corporate network, and has access to productivity tools that let the user do things like log into SharePoint, use applications like Microsoft Excel and Word, read and send email, and browse the web.

We defined an administrator as a person who is responsible for the development, build, configuration, maintenance, support, and reliable operations of applications, networks, systems, and/or environments (cloud or on-premises datacenters). In general terms, an administrator account is one of the elevated-privilege accounts that has more access than an information worker’s account.

Using role-based controls to establish elevated-privilege roles

We used a role-based access control (RBAC) model to establish which specific elevated-privilege roles were needed to perform the duties required within each line-of-business application in support of Microsoft operations. From there, we deduced a minimum number of accounts needed for each RBAC role and started the process of eliminating the excess accounts. Using the RBAC model, we went back and identified a variety of roles requiring elevated privileges in each environment.

For the Microsoft Azure environments, we used RBAC, built on Microsoft Azure Resource Manager, to manage who has access to Azure resources and to define what they can do with those resources and what areas they have access to. Using RBAC, you can segregate duties within your team and grant to users only the amount of access that they need to perform their jobs. Instead of giving everybody unrestricted permissions in our Azure subscription or resources, we allow only certain actions at a particular scope.
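The following added example (not Microsoft's code and not Azure's implementation) is a simplified Python model of allowing "only certain actions at a particular scope": a role lists granted and excluded operations, an assignment binds it to a scope, and child resources inherit it. The role names, principals, resource groups, and the all-zero subscription ID are constructed placeholders.

```python
"""Simplified model of scoped RBAC evaluation (added example, constructed data)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription ID


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple            # operations granted; "*" wildcards allowed
    not_actions: tuple = ()   # operations carved back out of `actions`


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: Role
    scope: str                # applies to this path and everything beneath it


def matches(pattern, action):
    """Case-insensitive wildcard match of an operation against a role pattern."""
    return fnmatchcase(action.lower(), pattern.lower())


def in_scope(scope, resource):
    """True if `resource` is the assignment scope itself or a child of it."""
    scope, resource = scope.rstrip("/").lower(), resource.rstrip("/").lower()
    # Compare whole path segments so "rg-pay" does not cover "rg-payments".
    return resource == scope or resource.startswith(scope + "/")


def is_allowed(assignments, principal, action, resource):
    """True if any in-scope assignment grants `action` and does not exclude it."""
    for a in assignments:
        if a.principal != principal or not in_scope(a.scope, resource):
            continue
        granted = any(matches(p, action) for p in a.role.actions)
        excluded = any(matches(p, action) for p in a.role.not_actions)
        if granted and not excluded:
            return True
    return False


def broad_assignments(assignments):
    """Assignments that grant every action ("*") at subscription scope or above."""
    flagged = []
    for a in assignments:
        depth = len([seg for seg in a.scope.split("/") if seg])
        if "*" in a.role.actions and depth <= 2:
            flagged.append(a)
    return flagged


# Constructed sample data. Role names are hypothetical; operation strings follow
# the Azure "Provider/resourceType/operation" format.
VM_OPERATOR = Role("VM operator (hypothetical)", (
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
))
BROAD = Role("Broad operator (hypothetical)", ("*",),
             not_actions=("Microsoft.Authorization/*/write",))

ASSIGNMENTS = [
    Assignment("alice", VM_OPERATOR, SUB + "/resourceGroups/rg-payments"),
    Assignment("bob", BROAD, SUB),
]

PAYMENTS_VM = SUB + "/resourceGroups/rg-payments/providers/Microsoft.Compute/virtualMachines/vm1"
HR_VM = SUB + "/resourceGroups/rg-hr/providers/Microsoft.Compute/virtualMachines/vm9"

if __name__ == "__main__":
    restart = "Microsoft.Compute/virtualMachines/restart/action"
    print("alice restart payments VM:", is_allowed(ASSIGNMENTS, "alice", restart, PAYMENTS_VM))
    print("alice restart HR VM:      ", is_allowed(ASSIGNMENTS, "alice", restart, HR_VM))
    for a in broad_assignments(ASSIGNMENTS):
        print("review broad assignment:", a.principal, a.role.name, a.scope)
```

Running `broad_assignments` over an export of real assignments gives a starting list for the account-reduction work described above.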

Performing role attestation

We explored role attestation for administrators who moved laterally within the company to make sure their elevated privileges didn’t move with them into the new roles. Limited checks and balances were in place to ensure that the right privileges were applied or removed when someone’s role changed. We fixed this immediately through a quarterly attestation process that required the individual, the manager, and the role owner to approve continued access to the role.
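As an added illustration (not Microsoft's tooling), the Python sketch below audits elevated-role assignments against the three-party quarterly attestation described above and flags approvals that predate a team change. The record layout, the 92-day window standing in for "quarterly", and all users, roles, and dates are assumptions constructed for the example.

```python
"""Attestation audit for elevated-privilege roles (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The three parties the page says must approve continued access.
REQUIRED_APPROVERS = ("individual", "manager", "role_owner")
ATTESTATION_WINDOW = timedelta(days=92)   # assumption: one quarter


@dataclass
class RoleAssignment:
    user: str
    role: str
    approvals: dict                       # approver kind -> date of latest approval
    last_transfer: Optional[date] = None  # date the user last changed teams, if any


def review(assignment, today):
    """Return the reasons an assignment fails attestation; an empty list means keep."""
    reasons = []
    for kind in REQUIRED_APPROVERS:
        approved = assignment.approvals.get(kind)
        if approved is None:
            reasons.append(f"missing {kind} approval")
        elif today - approved > ATTESTATION_WINDOW:
            reasons.append(f"stale {kind} approval")
        elif assignment.last_transfer and approved < assignment.last_transfer:
            # Approval was given for the old job; privileges must not follow the move.
            reasons.append(f"{kind} approval predates team change")
    return reasons


def revocation_list(assignments, today):
    """Map (user, role) -> reasons for every assignment that should lose access."""
    return {(a.user, a.role): r for a in assignments if (r := review(a, today))}


# Constructed sample records.
TODAY = date(2025, 3, 31)
ALL_FEB = {k: date(2025, 2, 10) for k in REQUIRED_APPROVERS}
SAMPLE = [
    RoleAssignment("alice", "sql-prod-admin", dict(ALL_FEB)),
    RoleAssignment("bob", "sql-prod-admin",
                   {"individual": date(2025, 2, 10), "manager": date(2025, 2, 10)}),
    RoleAssignment("carol", "dns-admin",
                   {k: date(2024, 11, 1) for k in REQUIRED_APPROVERS}),
    RoleAssignment("dave", "dns-admin",
                   {k: date(2025, 1, 15) for k in REQUIRED_APPROVERS},
                   last_transfer=date(2025, 2, 20)),
]

if __name__ == "__main__":
    for (user, role), reasons in revocation_list(SAMPLE, TODAY).items():
        print(f"revoke {role} from {user}: {'; '.join(reasons)}")
```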

Implementing least-privileged access

We identified those roles that absolutely required elevated access, but not all elevated-privilege accounts are created equal. Limiting the attack surface visible to potential aggressors depends not only on reducing the number of elevated-privilege accounts. It also relies on only providing elevated-privilege accounts with the least-privileged access needed to get their respective jobs done.

For example, consider the idea of crown jewels kept in the royal family’s castle. There are many roles within the operations of the castle, such as the king, the queen, the cook, the cleaning staff, and the royal guard. Not everyone can or should have access everywhere. The king and queen hold the only keys to the crown jewels. The cook needs access only to the kitchen, the larder, and the dining room. The cleaning staff needs limited access everywhere, but only to clean, and the royal guard needs access to areas where the king and queen are. No one other than the king and queen, however, needs access to the crown jewels. This system of restricted access provides two benefits:

  • Only those who absolutely require access to a castle area have keys, and only to perform their assigned jobs, nothing more. If the cook tries to access the crown jewels, security alarms notify the royal guard, along with the king and queen.
  • Only two people, the king and queen, have access to the crown jewels. Should anything happen to the crown jewels, a targeted evaluation of those two people takes place and doesn’t require involvement of the cook, the cleaning staff, or the royal guard because they don’t have access.

This is the concept of least-privileged access: We only allow you access to a specific role to perform a specific activity within a specific amount of time from a secure device while logged in from a secure identity.

Creating a secure high-risk environment

We can’t truly secure our devices without having a highly secure datacenter to build and house our infrastructure. We used HVA to implement a multitiered and highly secure high-risk environment (HRE) for isolated hosting. We treated our HRE as a private cloud that lives inside a secure datacenter and is isolated from dependencies on external systems, teams, and services. Our secure tools and services are built within the HRE.

Traditional corporate networks were typically walled only at the external perimeters. Once an attacker gained access, it was easier for a breach to move across systems and environments. Production servers often reside on the same segments or on the same levels of access as clients, so you inherently gain access to servers and systems. If you start building some of your systems but you’re still dependent on older tools and services that run in your production environment, it’s hard to break those dependencies. Each one increases your risk of compromise.

It’s important to remember that security awareness requires ongoing hygiene. New tools, resources, portals, and functionality are constantly coming online or being updated. For example, certain web browsers sometimes release updates weekly. We must continually review and approve the new releases, and then repackage and deploy the replacement to approved locations. Many companies don’t have a thorough application-review process, which increases their attack surface due to poor hygiene (for example, multiple versions, third-party and malware-infested application challenges, unrestricted URL access, and lack of awareness).

The initial challenge we faced was discovering all the applications and tools that administrators were using so we could review, certify, package, and sign them as approved applications for use in the HRE and on SAWs. We also needed to implement a thorough application-review process, specific to the applications in the HRE.

Our HRE was built as a trust-nothing environment. It’s isolated from other less-secure systems within the company and can only be accessed from a SAW—making it harder for adversaries to move laterally through the network looking for the weakest link. We use a combination of automation, identity isolation, and traditional firewall isolation techniques to maintain boundaries between servers, services, and the customers who use them. Admin identities are distinct from standard corporate identities and subject to more restrictive credential- and lifecycle-management practices. Admin access is scoped according to the principle of least privilege, with separate admin identities for each service. This isolation limits the scope that any one account could compromise. Additionally, every setting and configuration in the HRE must be explicitly reviewed and defined. The HRE provides a highly secure foundation that allows us to build protected solutions, services, and systems for our administrators.

Secure devices

Secure admin workstations (SAWs) are limited-use client machines that substantially reduce the risk of compromise. They are an important part of our layered, defense-in-depth approach to security. A SAW doesn’t grant rights to any actual resources—it provides a “secure keyboard” from which an administrator can connect to a secure server, which itself connects to the HRE.

A SAW is an administrative-and-productivity-device-in-one, designed and built by Microsoft for one of our most critical resources—our administrators. Each administrator has a single device, a SAW, where they have a hosted virtual machine (VM) to perform their administrative duties and a corporate VM for productivity work like email, Microsoft 365 products, and web browsing.

Administrators must keep their secure devices with them when working, and they are responsible for them at all times. This requirement mandated that the secure device be portable. As a result, we developed a laptop that’s a securely controlled and provisioned workstation. It’s designed for managing valuable production systems and performing daily activities like email, document editing, and development work. The administrative partition in the SAW curbs credential-theft and credential-reuse scenarios by locking down the environment. The productivity partition is a VM with access like any other corporate device.

The SAW host is a restricted environment:

  • It allows only signed or approved applications to run.
  • The user doesn’t have local administrative privileges on the device.
  • By design, the user can browse only a restricted set of web destinations.
  • All automatic updates from external parties and third-party add-ons or plug-ins are disabled.

Again, the SAW controls are only as good as the environment that holds them, which means that the SAW isn’t possible without the HRE. Maintaining adherence to SAW and HRE controls requires an ongoing operational investment, similar to any Infrastructure as a Service (IaaS). Our engineers code-review and code-sign all applications, scripts, tools, and any other software that operates or runs on top of the SAW. The administrator user has no ability to download new scripts, coding modules, or software outside of a formal software distribution system. Anything added to the SAW gets reviewed before it’s allowed on the device.

As we onboard an internal team onto SAW, we work with them to ensure that their services and endpoints are accessible using a SAW device. We also help them integrate their processes with SAW services.

Provisioning the administrator

Once a team has adopted the new company standard of requiring administrators to use a SAW, we deploy the Microsoft Azure-based Conditional Access (CA) policy. As part of CA policy enforcement, administrators can’t use their elevated privileges without a SAW. Between the time that an administrator places an order and receives the new SAW, we provide temporary access to a SAW device so they can still get their work done.

We ensure security at every step within our supply chain. That includes using a dedicated manufacturing line exclusive to SAWs, ensuring chain of custody from manufacturing to end-user validation. Since SAWs are built and configured for the specific user rather than pulling from existing inventory, the process is much different from how we provision standard corporate devices. The additional security controls in the SAW supply chain add complexity and can make scaling a challenge from the global-procurement perspective.

Supporting the administrator

SAWs come with dedicated, security-aware support services from our Secure Admin Services (SAS) team. The SAS team is responsible for the HRE and the critical SAW devices—providing around-the-clock role-service support to administrators.

The SAS team owns and supports a service portal that facilitates SAW ordering and fulfillment, role management for approved users, application and URL hosting, SAW assignment, and SAW reassignment. They’re also available in a development operations (DevOps) model to assist the teams that are adopting SAWs.

As different organizations within Microsoft choose to adopt SAWs, the SAS team works to ensure they understand what they are signing up for. The team provides an overview of their support and service structure and the HRE/SAW solution architecture, as illustrated in the graphic below.

[Figure: A high-level overview of the HRE/SAW solution architecture: an isolated HRE, a SAW, and the SAS team and DevOps support services that help support administrators.]

Today, the SAS team provides support service to more than 40,000 administrators across the company. We have more work to do as we enforce SAW usage across all teams in the company and stretch into different roles and responsibilities.

Password vaulting

The password-vaulting service allows passwords to be securely encrypted and stored for future retrieval. This eliminates the need for administrators to remember passwords, which has often resulted in passwords being written down, shared, and compromised.

SAS Password Vaulting is composed of two internal, custom services currently offered through our SAS team:

  • A custom solution to manage domain-based service accounts and shared password lists.
  • A local administrator password solution (LAPS) to manage server-local administrator and integrated Lights-Out (iLO) device accounts.

Password management is further enhanced by the service’s capability to automatically generate and roll complex random passwords. This ensures that privileged accounts have high-strength passwords that are changed regularly and reduces the risk of credential theft.

Administrative policies

We’ve put administrative policies in place for privileged-account management. They’re designed to protect the enterprise from risks associated with elevated administrative rights. Microsoft Digital reduces attack vectors with an assortment of security services, including SAS and Identity and Access Management, that enhance the security posture of the business. Especially important is the implementation of usage metrics for threat and vulnerability management. When a threat or vulnerability is detected, we work with our Cyber Defense Operations Center (CDOC) team. Using a variety of monitoring systems through data and telemetry measures, we ensure that compliance and enforcement teams are notified immediately. Their engagement is key to keeping the ecosystem secure.

Just-in-time entitlement system

Least-privileged access paired with a just-in-time (JIT) entitlement system provides the least amount of access to administrators for the shortest period of time. A JIT entitlement system allows users to elevate their entitlements for limited periods of time to complete elevated-privilege and administrative duties. The elevated privileges normally last between four and eight hours.

JIT allows removal of users’ persistent administrative access (via Active Directory Security Groups) and replaces those entitlements with the ability to elevate into roles on-demand and just-in-time. We used proper RBAC approaches with an emphasis on providing access only to what is absolutely required. We also implemented access controls to remove excess access (for example, Global Administrator or Domain Administrator privileges). An example of how JIT is part of our overarching defense-in-depth strategy is a scenario in which an administrator’s smartcard and PIN are stolen. Even with the physical card and the PIN, an attacker would have to successfully navigate a JIT workflow process before the account would have any access rights.
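The stolen smartcard-and-PIN scenario above can be traced in a small model. This is an added Python example, not Microsoft's JIT system: the class and role names are hypothetical, and the justification and independent-approver steps are assumed stand-ins for the "JIT workflow process" the page mentions; the SAW requirement and the four-to-eight-hour window come from the page.

```python
"""Model of just-in-time elevation with no standing access (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_ELEVATION = timedelta(hours=8)       # page: elevations normally last 4 to 8 hours
DEFAULT_ELEVATION = timedelta(hours=4)


class ElevationDenied(Exception):
    pass


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    expires: datetime


class JitBroker:
    def __init__(self, eligible):
        self.eligible = eligible   # user -> roles the user may elevate into
        self.grants = []           # time-boxed grants; nothing here is permanent
        self.audit = []            # (time, user, role, outcome) for monitoring

    def elevate(self, user, role, *, now, on_saw, justification, approver,
                duration=DEFAULT_ELEVATION):
        """Run the workflow checks; return a time-boxed Grant or raise ElevationDenied."""
        reason = None
        if role not in self.eligible.get(user, ()):
            reason = "not eligible for role"
        elif not on_saw:
            reason = "request not from a secure admin workstation"
        elif not justification.strip():
            reason = "no justification"
        elif approver is None or approver == user:
            reason = "no independent approver"
        elif duration > MAX_ELEVATION:
            reason = "duration exceeds maximum"
        if reason:
            # Denials are logged: a failed elevation is a signal worth alerting on.
            self.audit.append((now, user, role, "DENIED: " + reason))
            raise ElevationDenied(reason)
        grant = Grant(user, role, now + duration)
        self.grants.append(grant)
        self.audit.append((now, user, role, "GRANTED until " + grant.expires.isoformat()))
        return grant

    def has_access(self, user, role, now):
        """Eligibility alone grants nothing; only an unexpired grant does."""
        return any(g.user == user and g.role == role and now < g.expires
                   for g in self.grants)


def stolen_credential_scenario():
    """Constructed walk-through: attacker with a valid credential, then the real admin."""
    t0 = datetime(2025, 1, 6, 9, 0)
    user, role = "alice-adm", "dns-admin"
    broker = JitBroker({user: {role}})
    results = {"standing_access": broker.has_access(user, role, t0)}
    try:
        # Attacker authenticates as alice-adm but is not on a SAW and has no approver.
        broker.elevate(user, role, now=t0, on_saw=False,
                       justification="urgent fix", approver=None)
        results["attacker_elevated"] = True
    except ElevationDenied as exc:
        results["attacker_elevated"] = False
        results["denial"] = str(exc)
    # The legitimate administrator completes the workflow from a SAW.
    broker.elevate(user, role, now=t0, on_saw=True,
                   justification="change ticket (constructed): rotate zone keys",
                   approver="bob-mgr")
    results["during_window"] = broker.has_access(user, role, t0 + timedelta(hours=1))
    results["after_expiry"] = broker.has_access(user, role, t0 + timedelta(hours=4, minutes=1))
    results["audit_outcomes"] = [e[3].split()[0].rstrip(":") for e in broker.audit]
    return results


if __name__ == "__main__":
    for key, value in stolen_credential_scenario().items():
        print(f"{key}: {value}")
```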

Key takeaways

In the three years this project has been going on, we have learned that an ongoing commitment and investment are critical to providing defense-in-depth protection in an ever-evolving work environment. We have learned a few things that could help other companies as they decide to better protect their administrators and, thus, their company assets:

  • Securing all environments. We needed to evolve the way we looked at our environments. Through evolving company strategy and our Red Team/PEN testing, it has been proven numerous times that successful system attacks take advantage of weak controls or bad hygiene in a development environment to access and cause havoc in production.
  • Influencing, rather than forcing, cultural change. Microsoft employees have historically had the flexibility and freedom to do amazing things with the products and technology they had on hand. Efforts to impose any structure, rigor, or limitation on that freedom can be challenging. Taking people’s flexibility away from them, even in the name of security, can generate friction. Inherently, employees want to do the right thing when it comes to security and will adopt new and better processes and tools as long as they understand the need for them. Full support of the leadership team is critical in persuading users to change how they think about security. It was important that we developed compelling narratives for areas of change, and had the data and metrics to reinforce our messaging.
  • Scaling SAW procurement. We secure every aspect of the end-to-end supply chain for SAWs. This level of diligence does result in more oversight and overhead. While there might be some traction around the concept of providing SAWs to all employees who have elevated-access roles, it would still be very challenging for us to scale to that level of demand. From a global perspective, it is also challenging to ensure the required chain of custody to get SAWs into the hands of administrators in more remote countries and regions. To help us overcome the challenges of scale, we used a phased approach to roll out the Admin SAW policy and provision SAWs.
  • Providing a performant SAW experience for the global workforce. We aim to provide a performant experience for all users, regardless of their location. We have users around the world, in most major countries and regions. Supporting our global workforce has required us to think through and deal with some interesting issues regarding the geo-distribution of services and resources. For instance, locations like China and some places in Europe are challenging because of connectivity requirements and performance limitations. Enforcing SAW in a global company has meant dealing with these issues so that an administrator, no matter where they are located, can effectively complete necessary work.

What’s next

As we stated before, there are no silver-bullet solutions when it comes to security. As part of our defense-in-depth approach to an ever-evolving threat landscape, there will always be new initiatives to drive.

Recently, we started exploring how to separate our administrators from our developers and using a different security approach for the developer roles. In general, developers require more flexibility than administrators.

There also continue to be many other security initiatives around device health, identity and access management, data loss protection, and corporate networking. We’re also working on the continued maturity of our compliance and governance policies and procedures.

Getting started

While it has taken us years to develop, implement, and refine our multitiered, defense-in-depth approach to security, there are some solutions that you can adopt now as you begin your journey toward improving the state of your organization’s security:

  • Design and enforce hygiene. Ensure that you have the governance in place to drive compliance. This includes controls, standards, and policies for the environment, applications, identity and access management, and elevated access. It’s also critical that standards and policies are continually refined to reflect changes in environments and security threats. Implement governance and compliance to enforce least-privileged access. Monitor resources and applications for ongoing compliance and ensure that your standards remain current as roles evolve.
  • Implement least-privileged access. Least-privileged access means using proper RBAC approaches with an emphasis on providing access only to what is absolutely required. Add the necessary access controls to remove the need for Global Administrator or Domain Administrator access. Just provide everyone with the access that they truly need. Build your applications, environments, and tools to use RBAC roles, and clearly define what each role can and can’t do.
  • Remove all persistent access. All elevated access should require JIT elevation. It requires an extra step to get temporary secure access before performing elevated-privilege work. Setting persistent access to expire when it’s no longer necessary narrows your exposed attack surface.
  • Provide isolated elevated-privilege credentials. Using an isolated identity substantially reduces the possibility of compromise after a successful phishing attack. Admin accounts without an inbox have no email to phish. Keeping the information-worker credential separate from the elevated-privilege credential reduces the attack surface.

Microsoft Services can help

Customers interested in adopting a defense-in-depth approach to increase their security posture might want to consider implementing Privileged Access Workstations (PAW). PAWs are a key element of the Enhanced Security Administrative Environment (ESAE) reference architecture deployed by the cybersecurity professional services teams at Microsoft to protect customers against cybersecurity attacks.

For more information about engaging Microsoft Services to deploy PAWs or ESAE for your environment, contact your Microsoft representative or visit the Microsoft Security page.

Reaping the rewards

Over the last two years we’ve had an outside security audit expert perform a cyber-essentials-plus certification process. In 2017, the security audit engineers couldn’t run most of their baseline tests because the SAW was so locked down. They said it was the “most secure administrative-client audit we’ve ever completed.” They couldn’t even conduct most of their tests with the SAW’s baseline, locked configuration.

In 2018, the security audit engineer said, “I had no chance; you have done everything right,” and added, “You are so far beyond what any other company in the industry is doing.”

Also, in 2018, our SAW project won a CSO50 Award, which recognizes security projects and initiatives that demonstrate outstanding business value and thought leadership. SAW was commended as an innovative practice and a core element of the network security strategy at Microsoft.

Ultimately, the certifications and awards help validate our defense-in-depth approach. We are building and deploying the correct solutions to support our ongoing commitment to securing Microsoft and our customers’ and partners’ information. It’s a pleasure to see that solution recognized as a leader in the industry.

Microsoft Teams increases collaboration in the modern workplace at Microsoft
Inside Track Blog, Thu, 20 Feb 2025
http://approjects.co.za/?big=insidetrack/blog/microsoft-teams-increases-collaboration-in-the-modern-workplace-at-microsoft/


This story was first published in 2018. We periodically update our stories, but we can’t verify that they represent the full picture of our current situation at Microsoft. We leave them on the site so you can see what our thinking and experience was at the time.

At Microsoft, we’re increasing the collaborative capability of teams across the company with Microsoft Teams.

We’ve initiated a fundamental change in the way our employees interact and communicate, with Microsoft Teams as the hub for communicating, meeting, and calling. We’re using change management processes and education so that our people can adopt and use Teams to its full capacity. As adoption grows, we are learning from the process and modifying our strategy to help people more efficiently make the cultural shift to the modern workplace with Teams.

Accelerating digital transformation with Microsoft Teams

Teamwork is an important aspect of the modern workplace, and a key element of enabling digital transformation at Microsoft. Microsoft Teams brings together tools and communication methods and is a hub for teamwork. Here on the Microsoft Digital team, we’re on our own path to digital transformation, and we believe that Teams has the potential to offer a new, more efficient way to work. Teams offers significant changes to collaboration, teamwork, and productivity within the Microsoft 365 universal toolkit that we want to realize in the modern workplace at Microsoft. The changes that Teams offers include:

  • Microsoft Teams is the hub for teamwork within Microsoft 365. Teams fulfills the collaboration and communication needs of a diverse workforce, including chat, meetings, voice, and video. The look and feel of these functions is fast and fluid, has low overhead, and is instantly familiar.
  • Microsoft Teams integrates with all the apps our employees use. Teams integrates with Word, Excel, PowerPoint, OneNote, SharePoint, the Planner task management app, Stream video portal—even Power BI—so employees have the information and tools they need. Team members can also include other apps and services in their workspaces, for the team and organization, and can customize workspaces with tabs, connectors, and bots. For our developer community, Teams has an extensible platform for building apps with a rich set of capabilities to support high-performing teams.
  • Microsoft Teams offers a complete meeting experience. With the advent of Teams-capable conferencing devices, Teams modernizes the meetings experience. Before a meeting, team members can review conversations; during a meeting, teams can share content and use audio conferencing and video. Teams supports private and group meeting capabilities, scheduling capabilities, and free/busy calendar availability.
  • Microsoft Teams has integrated security. Teams comes with enterprise-grade security integrated with Microsoft Purview and Microsoft Entra ID. It fits neatly into our primary solution for identity and access management, and allows us to maintain control over our data and environment.

Microsoft Teams, in combination with Microsoft 365, creates a hub for modern collaboration and effective teamwork. It empowers our employees to engage with the business and each other in a way that transforms our business for the better, moving our entire organization closer to fully realizing digital transformation. We want to shift our center of gravity to Teams to speed employee productivity and the velocity of communication.

Making adoption happen with change management

At Microsoft, the official decision to implement a workstyle change is typically made at the organizational or executive level. However, the impetus for change starts earlier, in response to the changing business needs of our people or parts of our organization. We have diverse groups that need to work in different ways, and adapting to modern workstyles is exactly what Microsoft Teams adoption is about. Our management recognizes that each of these groups has unique needs, and those needs factor heavily into how we manage organizational change.

Making change a more practical reality

While we want each employee at Microsoft to be empowered to adopt Microsoft Teams in the way that best fits their workstyle, we also realize that identifying the most common uses of collaboration tools helps our people see how Teams can benefit them every day. So, we give them a snapshot of “a day in your digital life.” We built our vision of Teams into the most common tasks in the modern workplace. For example:

  • Get up to speed during morning coffee. Use Microsoft Outlook to check email and manage your calendar, Microsoft Teams to check chats and stay current on projects, and the Microsoft 365 productivity apps, OneDrive, and SharePoint to create or review documents.
  • Stay connected on your commute. Use Microsoft Teams to join personal meetings or chat with voice and text, Teams and Microsoft Stream to watch live video meetings, and Microsoft Outlook to connect to a meeting from an email or calendar item.
  • Hold meetings at the office. Use Microsoft Teams for both small meetings and large meetings with conference room hardware and anonymous participants.
  • Collaborate with your team. Use Microsoft Teams to communicate using chat, video, screen sharing, and to coauthor files within a team. Use OneDrive and SharePoint to save and share documents to and from the cloud.
  • Connect across the company. Use Microsoft Viva Engage and Yammer to track organizational updates, share knowledge, and find experts and answers. Use SharePoint to create and manage communication sites and publish news for broad groups of stakeholders.

At the core of managing organizational change is understanding how to manage change with a single person. Because overall adoption depends on wide adoption by our employees, much of our change management process revolves around meeting the needs of each employee. The essential needs are:

  • Awareness of the need for change.
  • Motivation to adopt or support the change.
  • An understanding of how to make the change happen.
  • The ability to implement or acquire the desired skills and behaviors to make the change.
  • Organizational support and reinforcement to make the change permanent.

Establishing structure for change

We also recognize the need for a structured, documented process to help our adoption team coordinate change. We need to provide a common toolset for them to use and enable them to scale initial change into company-wide adoption. We’ve adopted four pillars to help us deliver well-managed change from start to finish.

Awareness

The awareness pillar is about landing the message. Before we even got our employees into training, we knew we needed to make a good first impression, hit the points that will interest them, and find the message that excites employees about Microsoft Teams. The awareness pillar encompasses several important tasks:

  • Identify key roles to use Teams and describe the value and impact. Our field and role guidance helps our adoption team identify how Microsoft Teams provides value to our employees. We examine the different roles within Microsoft and identify how Teams functionality serves those roles.
  • Create a visual campaign to build awareness. Our worldwide visual campaign used a combination of physical and digital advertising and signage across Microsoft campuses, as well as on our internal portal sites and social media platforms to efficiently get Microsoft Teams in front of as many people as possible. We wanted Teams to be recognizable, and we wanted our employees to be aware of its availability and benefits.
  • Use internal social channels to engage communities and build excitement. Community engagement is about preparing the organization for adoption and increasing overall awareness. We extended the reach of our awareness materials into company portals. We used Yammer to broadcast our message across the organization and encouraged dialog among employees.
  • Inspire adoption with a supportive community of power users and influencers. Creating a community of power users and fans will inspire adoption within their spheres of influence, answer questions, help with social engagement, and give product feedback. Champions are key to ensuring the success of communities. Having executive buy-in reinforced the campaign. When management describes how they personally use Microsoft Teams in a message or speech, people take notice.

Engagement

The engagement pillar builds on awareness and starts putting Microsoft Teams in the hands of our users while ensuring they have the training, guidance, and tools to succeed with it. Engagement is about integrating Teams into our employees’ modern workplace in a way that increases collaborative productivity.

  • Run a pilot program to test readiness. The pilot is one of the most crucial components of the adoption process. Early users at Microsoft tested Microsoft Teams and helped us identify how and why our employees would want to use it. We used the pilot program to test and find areas where training or configuration would encourage broader adoption.
  • Create buy-in with stakeholders by designing engagements to build momentum. In these engagements, we sat down with our business teams to give hands-on, in-person guidance for using Microsoft Teams. We offered common scenarios for using Teams, demonstrated Teams features, and gave general guidance. It allowed us to focus in on a business team and show how Teams would be used in their day-to-day work.
  • Establish opportunities for Q&A. Our Art of Teamwork Tour was an open, large-scale forum for us to present our vision for Microsoft Teams at Microsoft. We identified important and common use cases and showed how Teams could be used. We presented not only the benefits of Teams to the individual, but also to the whole of Microsoft. We explained to our users how Teams fits into our organization.
  • Develop internal resources for support and information about using Microsoft Teams. The Toolkit for Teamwork gave people resources to help them move forward with Teams. It offers practical resources to increase engagement and encourage effective use of Teams. The toolkit includes templates, training resources, tips, and tricks.

Measurement

The measurement pillar keeps track of the practical steps of the engagement pillar. Once we’ve engaged the user community, we need to track the effectiveness of our efforts. Measurement is about acquiring actionable feedback on the adoption process and using that feedback to refine and improve the process.

  • Use your pilot feedback to elevate opportunities, offer insights, and adjust course. Our pilot program included a broad cross section of our user base along with some of our most involved and passionate Microsoft Teams adopters. Feedback came through support staff, social channels, UserVoice, and representative leaders. The program validated use-case scenarios and kept us aware of problems and successes during early rollout.
  • Create the key areas your organization will use to understand adoption and measure success. We developed monitoring methods and metrics to track progress. We gathered usage statistics to gauge overall adoption and correlate trends to time-of-day, business events, and engagement efforts.
  • Establish listening systems to measure engagement. Listening systems provided active feedback from our user base. We used multiple listening systems, including Yammer, to increase our awareness of what our users were saying and how they were responding to Microsoft Teams. Our internal helpdesk identified issues and helped us prepare to mitigate common issues.

Management

The management pillar is the final pillar of the four and has the longest lifetime of any pillar in the change management process. Management is about gaining efficiency and ensuring user satisfaction once Microsoft Teams is in place. Management means continuing to support Teams and finding user stories and additional training opportunities to support Teams users at Microsoft.

  • Improve deployment from employee feedback. As people continue to use Microsoft Teams, we are gauging its effectiveness through the feedback we receive. This helps us identify feature additions or changes, develop additional guidance and training, and adjust Teams implementation, when necessary. We also make sure that training and support is relevant to our people, so they can use the product to the best of their ability.
  • Identify user stories. User stories help us show our people how their peers are using Teams. Stories also help us identify active Microsoft Teams users that can be champions for the product in their realm of influence at Microsoft. We try to get a cross-section of stories that are relevant across the organization. These stories evolve based on implementation and needs of the business, and we continue to listen for new stories.
  • Continually assess and improve processes. We are continually assessing all processes around Microsoft Teams. We found that some things in our general processes worked well at the start of the adoption process but didn’t work as well later on or once our deployment reached global audiences and employees in the field. It’s a continual process of assessing and improving.
  • Stay informed on product and feature changes. We track feature updates and potential changes in Microsoft Teams. This helps us understand how new features affect our use cases, so we can best determine how to implement them.
  • Develop support for ongoing use cases and a maturing user base. As people get more familiar with Microsoft Teams, they find new ways to be more productive and collaborate efficiently. We’ve found that the more empowered our employees are to embrace Teams, the more they find their own ways to incorporate Teams into their workflow.

Recognizing Microsoft Teams adoption as social and behavior change

Harnessing employee ingenuity is critical to the overall success and relevance of a business. Working together, people generate more ideas and feel more connected to their work, which improves engagement and retention. Our employees are increasingly mobile and need to have resources and tools available wherever they go. To meet the needs of this changing modern workplace, Microsoft Teams was built as a chat-based workspace in Microsoft 365, with persistent chat, easy file access, customizable and extensible features, and the security that teams trust. We’ve started using Teams to streamline communication, improve collaboration, and get more done together.

However, successful Microsoft Teams adoption is not just technology adoption; it represents a change in behavior. Teams is more than a product—it is a fundamentally different way of working. This change is about people. We found that adoption was as much about social and cultural changes and challenges as it was about technology and tool implementation. Adopting Teams is a different journey than we’ve asked our people to take in the past. With Teams, we asked them to make four fundamental shifts in behavior:

  • Chat instead of email. Move away from email as a primary method of communications for fast-moving teams and project management.
  • Live in the cloud. Use all Microsoft 365 components in the cloud.
  • Embrace flexibility. Empower them to embrace the flexibility of Microsoft Teams for customization.
  • Work mobile. Help people to work in whatever way and place suits them best.

To accomplish this journey, we needed to educate people by managing change and offering them readiness skills they may have never embraced for any other product rollout. Even if an advanced customer has these skills within their organization, the change to both collaboration and meeting scenarios can benefit from a fresh approach.

Establishing a communications framework: Spark, ignite, bonfire

Understanding that Microsoft Teams adoption was about social and behavior change, we used the spark, ignite, bonfire communications framework to achieve our primary goals. This framework:

  1. Captures the messages, placement, and methods of communication for a change.
  2. Defines how these messages will be used to capture the attention of your audience and convert it to sustained interest and engagement.
  3. Grows interest and engagement into new behavior patterns, cultural change, and sustainable business outcomes.

Figure: The spark, ignite, bonfire communications framework, illustrated with lighting matches for the spark phase, a small fire for the ignite phase, and a large fire for the bonfire phase.

Selecting our sparks

The sparks are the “what” of the campaign. They alert your audience to changes and opportunities, and they provide the small but vital beginnings of communicating change. The sparks for Microsoft Teams, and how we used them, are:

  • Identify your target audience. Our primary audience for Microsoft Teams is our entire organization. We wanted full engagement throughout Microsoft, but we knew that we would need to refine our communications depending on which of our main demographics we were trying to engage. We used work done in the past with personas, or common company roles and positions, which we customized for the Teams deployment. For each persona, we identified common tasks and work trends and identified how that persona might use Teams in their day-to-day work life. Personas include information about which part of the company the employee works in, their common methods of collaborative communication, and other information about any pain points they experienced and how likely they were to adopt new technology and workstyles. We used a segmented and staged approach to control the velocity of adoption and ensure our adoption processes were as refined as possible.
  • Define your key message(s). We wanted a key message that would speak to our target audience. In an audience as broad as Microsoft, we used several key messages that were focused enough to generate interest and engage our employees. Our key messages included:
    • Chat for today’s teams. Communicate in the moment and keep everyone in the know.
    • A hub for teamwork. Give your team quick access to everything they need right in Microsoft 365.
    • Customize for each team. Tailor your workspace to include content and capabilities your team needs every day.
  • Choose the best channels. We needed to choose where and how we were going to get our key messages out. We chose a combination of physical and geographical placement alongside digital placement to ensure that we reached the global Microsoft audience in the most effective and cost-efficient manner. These included:
    • Internal website. We used CSEWeb, our internal SharePoint portal for IT self-help, for several pieces of adoption communication. It was the central location for all learning materials, content, and internal announcements about Teams. It also contained FAQs, explained the need for change, and provided a high-level roadmap. It hosted user stories that showed Teams adoption successes.
    • Readiness and gamification. We are creating quizzes and other gamified tools and messages to engage employees. We use small, “snackable” content to make it quick and easy for our people to learn more about adopting Microsoft Teams.
    • Social campaign. We used social networking platforms within Microsoft to get our spark messages out to employees and share user success stories. Yammer gives us a huge opportunity to reach our users. We use it for marketing messaging, user engagement, and answering user questions. It gives us a ready means for social engagement within our organization.
    • Personal targeted communications. We selected specific audiences to be leaders and encouragers of Microsoft Teams adoption. Our Sales group was a big one, because they constantly operate in a highly communicative, dynamic workspace. We used personas to make sure our content and approaches met the needs of many different users and addressed different challenges across different user groups. We also told real user stories about people in different roles, so employees could identify with the use case and apply the lessons to their role.
    • Email. We used email to communicate critical upcoming changes that would affect the way employees use Microsoft Teams and the services that Teams was replacing.
    • Signage. We also adopted traditional methods to put Microsoft Teams in front of our employees. This included signage on campus roads and in campus buildings. We used digital displays on our campuses to reinforce key messages, highlight learning resources and opportunities, and highlight new features.

Moving to ignite

This is the “how” of the campaign. Ignite is designed to convert immediate attention into short-term focus and initiate our adoption steps. We combined our sparks into an ongoing engagement that ignited action from our audience. During the ignite process, we used the following tasks to circulate our sparks:

  • Build a communication and readiness plan. We built our communication and readiness plan based on our assessment of our employees and the communication specifics we created with our sparks. We created an internal launch event. The goal was to build awareness and excitement around Microsoft Teams. The launch kicked off a months-long campaign that included many different channels and approaches.
  • Create a detailed communications schedule. Part of the planning process included scheduling monthly themes and scheduling out the major elements of our plan. For example, when would we offer in-person training at our main campus in Redmond, and when would we begin rolling out training around the world? We aligned to the product roadmap so we could promote new features as they were released. We also looked at opportunities to partner with other corporate events. For example, we gave participants in the annual Hackathon guidance about how to use Microsoft Teams to collaborate while hacking. Event organizers put the guidance on the hacker resource site.
  • Produce creative content for sparks. We created several types of content to reach our users, both detailed and brief. We also created readiness and learning material that was suited to different learning styles.
    • We created user stories to tell real-life success stories from Microsoft employees in different roles across the company.
    • We developed readiness content in the form of both Work Smart guides and web content to help employees who want step-by-step instructions.
    • We produced visual promotional assets to catch employee attention: digital signage, physical signage, online promos for major internal portals, and Yammer posts with visuals and links to more information.
    • We developed content for in-person and online learning sessions and delivered them on campus. We also gave presentation decks and train-the-trainer sessions to training teams managed by our IT Site Operations teams around the world so the sessions were up to date on the product and messaging was consistent.
    • We developed a variety of readiness content. Having readiness content available in different formats is important to suit different learning styles. We had written guides, in-person training, and learning videos.
  • Manage campaign execution. Our campaign team worked together to ensure that our communication was being received effectively and the tools we put in place were understood and used properly.
    • Sometimes we had to adjust our approach mid-flight; for example, if we weren’t seeing attendance numbers we wanted for training, we’d look at new, creative ways to get the word out.
    • We also listened for feedback and ideas from our users and trusted stakeholders and adjusted, as needed.
  • Generate and review campaign reports, to see progress compared to goals. We used several reporting tools and metrics to gather and measure the success of Microsoft Teams adoption throughout the organization.

Throughout the campaign, we tracked our adoption progress, and focused on growth among weekly active users. We regularly published a report to stakeholders that also looked at the effectiveness of our various channels: web traffic, promo click-throughs, training attendance, training satisfaction surveys, Yammer activity, and how often questions on Yammer were answered.

Adding to the bonfire

Every change communication or campaign should feed the bonfire, which is a constantly growing beacon of the success of Microsoft Teams adoption here at Microsoft. As successes are achieved and advertised, the bonfire helps to:

  • Achieve sustainable business outcomes.
  • Drive cultural change within the company.
  • Establish social norms that encourage taking quick action.
  • Draw people to act and connect in new ways.

The most important aspect of the bonfire is that it adds to and integrates with the organization’s high-level technology and culture strategy. Our Microsoft Teams campaign was a piece of a bigger approach to modern workplace communication and readiness. We provided clarity on “what tool when” for our employees to help them understand how Teams fit into the bigger picture and how we envisioned Teams fitting into their workstyle.

Key Takeaways

During Microsoft Teams adoption, we did our best to be aware of the process, learn how we could improve the process during adoption, and provide lessons that could be applied to future adoption and change management initiatives at Microsoft. Here are a few of the things we learned.

  • Capitalize on the reach of your marketing campaign. Our initial strategy was in person, getting Microsoft Teams in front of key users and working with them. While it was time-consuming, we found later that we were able to reach field and global audiences using virtual methods to broaden our reach. We missed some opportunities to capitalize on early mover enthusiasm within those audiences and found some champions who were creating and sharing their own content.
  • Understand the primary use cases for your organization. We approached our people by identifying personas within our organization that defined the most common ways Microsoft Teams would be used. This included not only typical daily use scenarios, but also deeper, scenario-based guidance to help people make the right decision.
  • Understand toolset and appropriate-use scenarios. We discovered that directly addressing what tool our users should use for common collaboration tasks helped ease the transition and curb confusion. Directed use gave employees a starting point and then enabled us to measure, through feedback, whether changes or adjustments were needed. At the beginning of the campaign, we didn’t give people a lot of specific guidance, which hurt general adoption. Later, we developed guidance for specific use cases and developed step-by-step guides to take users through important and common tasks, which left them more empowered and engaged with Microsoft Teams.
  • Understand the impact of Microsoft Teams on your existing collaboration and teamwork tools. During adoption, we learned that there were times when users weren’t sure what features were available, or if they could or should use a feature—especially when it worked like something they were already using. In contrast, we had a business group that had not used Skype before. We focused on essential scenarios and offered very clear guidance. Because they had not been Skype users, the change management strategy and focus had to be different.
  • Align new capabilities and features to your organization’s strategy. We found that our Microsoft Teams adoption needed to be targeted and molded for our vision of transparent communications and open collaboration. Align capabilities to your business strategies rather than allowing technology to direct your strategy.
  • Understand your audience. We originally looked at our users in a group, typically organized by work roles. This worked well for several parts of the adoption process, but we failed to look closely enough at secondary groups of users based on factors like age, workstyle, and geography. Once we examined these secondary groups, we found a new set of use cases and scenarios that helped us penetrate even deeper into our user base.
  • Plan for executive sponsorship. In the middle of the campaign, we realized that we didn’t adequately involve leadership to help drive Microsoft Teams adoption. We weren’t giving our leadership guidance that was specific or simple enough that they could use it easily. Once we created guidance and a toolset for them to help champion Teams, they were much more engaged and willing to put their effort into Teams adoption within their scope of influence.

A foundation for modern collaboration: Microsoft 365 bolsters teamwork
http://approjects.co.za/?big=insidetrack/blog/a-foundation-for-modern-collaboration-microsoft-365-bolsters-teamwork/
Thu, 06 Feb 2025 17:01:00 +0000

This story reflects updated guidance from Microsoft Digital—it was first published in 2018.


At Microsoft, we’re using Microsoft 365 to empower our employees to achieve more by driving better teamwork and collaboration in our teams. We’re using core Microsoft 365 services such as SharePoint Online, Microsoft Teams, Exchange Online, and Viva Engage to support modern work styles and enable continued digital transformation. We’re also deploying Microsoft Viva internally at Microsoft and, where appropriate, we’re melding its modules with Microsoft 365 products.

With Microsoft 365, employees can check in one place for the latest updates, files, and data for their projects and work. As a hub for teamwork, our collaborative toolset empowers our employees to be productive and enables our entire organization to change at the speed of our business.

Examining collaboration change

The collaboration landscape is changing daily. The average worker is collaborating with more people, more often, and in more dynamic ways. They are hybrid or remote and working on a schedule that promotes their wellbeing and allows them to be their most productive. The typical worker has seen several important collaboration changes that affect them and their business, including:

  • Workers are taking part in twice as many collaborative teams as they did five years ago.
  • The average information worker has seen the time spent on their day-to-day tasks increase by 50 percent.
  • Companies that invest in collaboration and teamwork are five times more likely to be high-performing.

The changing face of collaboration

The change in collaboration isn’t simply about statistical increases. The way our employees collaborate is also changing:

  • Collaboration spans organizational boundaries. Teamwork extends beyond the borders of our internal organization, and we need tools that enable fluid external collaboration while protecting our business and our users. Now Microsoft employees can collaborate with any external user seamlessly in a secure and scalable way.
  • Teams are increasingly globally distributed. Our teams need ways to connect across locations and time zones that suit their workstyles. We have many teams that span five or six time zones and multiple countries and regions. Our teamwork solutions need to connect our users to their teams wherever and whenever they need them.
  • Teams work increasingly asynchronously. Especially with hybrid work, employees need to be able to get work done on their schedule while still staying connected and deeply involved.
  • Our workforce is increasingly diverse. Diversity presents itself in our organization in many ways, including lifestyle, culture, and demographics. We have five generations in the workforce at the same time, presenting varied expectations of how and when people believe they can be most productive.
  • Collaboration is critical for enterprise success. The ability for our people to build on the work of others is a fundamental principle at Microsoft. We can’t afford to have our employees siloed and working apart from each other. We want our employees working with and for each other in teams.

Our goal, and likely yours too, is to enable workers to embrace modern work styles and increase collaboration by providing tools to meet the needs of our continually changing business.

Focusing on workspace instead of workplace

Of course, one of the biggest forces we’re dealing with is the way we’ve changed how and where we work. In the past, the pace of business was generally slower. Data was parked in on-premises datacenters. Computers were something we used primarily at work, and work was done only from the office. Decisions were made during specific business hours. Our culture revolved around what the individual achieved.

Today the situation is quite different, and technology is enabling the difference. Worker expectations have changed in many ways:

  • There are now expectations around pervasive connectivity.
  • Millennial hires are impacting the workforce; they are the first digital natives.
  • Work isn’t linear. People are working simultaneously in more teams, more often than ever before.
  • Technology has streamlined processes. More time is available for our organization to focus on improving employee experiences, and our employees have access to tools that can greatly improve their productivity.
  • It’s easier for employees to move from project to project and for organizations to use talent on demand.

Our company culture is focused on employee experience and how we can use teamwork to achieve organizational goals. Our employees want to access their workspace whenever and wherever they need. They are constantly connected, networking, and collaborating, and we reward them for teamwork and the results their teams produce, not the amount of time they spend in the office.

Driving collaboration for our enterprise

We constantly assess our organization to better understand the collaborative landscape. We examine the scenarios in which people work together and rely on technology and services. The better we understand how our teams work, the more completely we can enable a collaborative toolset and mindset that empowers them to achieve greater productivity.

We’ve found that collaboration is just as much about culture as it is about technology. Collaboration serves the needs of our people and business. Because people participate in multiple teams simultaneously, each team must establish its own collaboration standards.

We ask important questions about our teams, including:

  • Who are we? Who makes up our team and what kind of team are we?
  • Are we similar to other successful teams in our organization? Can we learn from what those teams have done?
  • What is the fundamental nature of our work (such as creating products, providing service, or orchestrating results) and how does that determine how our team operates?
  • How long will this team work together? Is our work temporary or ongoing?
  • Where are members located? Does the team have global or regional factors to consider?
  • Which practices and tools does the team use already? How well are they working now? How will change affect them?

By observing teams, we discovered collaboration patterns that were particularly successful in our organization. For example, agile engineering teams, support functions, sales organizations, communications initiatives, and organizations reporting to a senior leader are patterns that we reference in our training and guidance.

Enabling collaboration and teamwork at Microsoft

Productivity extends beyond thinking about technology. It’s about creating flexibility that speaks to the needs of our lines of business and employees—helping them achieve what CEO Satya Nadella has set out as a mission for the entire company: “It is to empower every person and every organization on the planet to achieve more.”

Microsoft 365 is one of the key contributing technologies in our collaborative environment, and we’re using it to support modern collaboration across our enterprise. It provides us with a unified environment for collaboration and teamwork. All services are managed under the same framework and identity management solution. Our data is protected by first-class security and encryption standards, and our collaboration landscape, hosted in the cloud, is more centralized and unified than it ever was on-premises. Additionally, with files and tools based in Microsoft 365, we can easily share with people inside or outside of our company, from wherever we’re working, whenever we need to. Content sharing, shared calendars, and team chat ensure that we’re always in sync with our teams.

Microsoft 365 gives our business a boost with tools to enable us to build business solutions by extending Microsoft 365 functionality. We’ve built integrations with Microsoft 365 in several ways, including creating bots to answer questions in Teams chats, using a SharePoint site with PowerApps to show data from different data sources, and integrating our data and applications into the Microsoft 365 environment.

Different apps, different collaboration types

We use each purpose-built application in Microsoft 365 to drive different aspects of collaboration and teamwork.

The figure shows how Microsoft 365 components are used for collaboration. The Inner loop focuses on people you work with regularly on core projects while the Outer loop exists to inform and engage a broader audience. All of this is underpinned by the structure and membership of Office 365 groups.
The tools and targets for collaboration at Microsoft.
  • Microsoft Teams is the hub for teamwork where groups that actively engage and are working on core projects can connect and collaborate.
  • SharePoint is the center for files, news, and pages shared within the team and the center for sharing information outside the team. SharePoint group-connected team sites enable Microsoft Teams and SharePoint communications sites with Viva Engage to broadly share information. Every group uses SharePoint as its content service, so we have one place to store and share files.
  • Outlook and Exchange Online enable people to communicate in a familiar way and take advantage of modern distribution lists with groups in Outlook. Within Microsoft, we’re replacing classic disconnected distribution lists to get the calendar, group file management, and other capabilities in Planner.
  • Viva Engage is for people to connect across their company, sharing ideas on common topics of interest. Within Microsoft, employees participate in company-wide strategic conversations in the Senior Leader Connection community. Organizations set up crowd-sourced support forums. Divisions sponsor events that are broadcast via Stream and encourage related real-time conversations and Q&A in Viva Engage.
  • Microsoft 365 enables synchronous and asynchronous collaboration so that you can build on each other’s work and find out what others have done while you were away. You can record meetings in Teams and replay them, get AI-generated meeting summaries, and work on documents via Teams and SharePoint.

With these tools coming together in Microsoft 365, our teams get access to holistic solutions when they need them using single-team membership across apps and services. What’s unique about teamwork in Microsoft 365 is that all these applications are built on an intelligent fabric that uses the capabilities and strengths of each application to support and supplement the other applications.

Establishing a hub for teamwork in Microsoft Teams

Teamwork is a key element of empowering connection at Microsoft. Teams brings together tools, information, and communication methods for seamless connection and flow. Microsoft Teams has revolutionized hybrid collaboration, teamwork, and productivity within the Microsoft 365 universal toolkit.

  • Teams is the hub for teamwork within Microsoft 365. Teams fulfills the collaboration and communication needs of a diverse workforce, including chat, meetings, voice, and video. Because one of the persistent comments from employees has been that there are too many places to keep track of information, Teams has won fans because of its ability to bring together conversations, notes, meetings, and files. Through extensible features like tabs and apps, capabilities from other systems can be integrated into a team.

Several of our support teams now manage support incidents within Teams. They can pin real-time dashboards with relevant data, integrate alerts from monitoring systems, and quickly bring new participants up to speed on issues. Because Teams is familiar across the company, using these functions is fast and fluid, setup has low overhead, and incidents can be resolved more quickly.

  • Teams integrates with all the apps our employees use. One challenging question from employees is how to manage communications that start in the inner loop and then traverse to the outer loop, and vice versa. We manage this scenario with both Teams and Viva Engage. Our community about what’s new with the evolving Teams product is open to everyone within Microsoft (outer loop). Sometimes tough questions posed by the community require focused discussion among experts (inner loop). We manage this by configuring Teams connectors and tabs to represent the outer loop conversations within the Teams context. Thus, the experts can discuss the questions and form plans through rapid informal Teams discussions then publish the necessary information concisely to the broader Viva Engage community.

Teams also integrates with Word, Excel, PowerPoint, OneNote, SharePoint, the Planner task management app, Stream video portal, and even Power BI—so employees have the information and tools they need. Team members can also include other apps and services in their workspaces for the team and organization. Frequently, engineering teams include integration between Visual Studio projects and channels so that work items can be easily discussed with people who may not use Visual Studio.

  • Teams allows the ability to customize workspaces. We can customize Teams workspaces with tabs, connectors, and bots. For our developer community, Teams has an extensible platform for building apps with a rich set of capabilities to support high-performing teams.
  • Teams offers a complete meeting room experience. We see that with the advent of Teams-capable conferencing devices, Teams has modernized the meeting experience. In one group that focuses on productivity services, team members propose topics and review preliminary conversations before their meetings. During a meeting, teams can chat, share content, and use audio conferencing and video. After the meeting, shared content and conversations are available for reference and follow-up. For broad information sharing, Teams supports channel meetings, which allow participants to drop in on an open meeting if the topics interest them. They can even add it to their personal calendar so that they don’t miss it or just catch up on the conversations, notes, and recordings afterward.

Teams, in combination with the rest of Microsoft 365, helps you stay connected with your work groups. It empowers our employees to engage with each other and the business in a way that transforms our organization for the better, moving us closer to fully realizing digital transformation.

Sharing information using SharePoint and OneDrive for Business

SharePoint and OneDrive for Business are the source for our file storage, page, business process, and sharing needs.

The figure shows the three primary tools for sharing documents: OneDrive for Business for employee documents, SharePoint Teams sites for team and project documents, and SharePoint portals and publishing for managed content.
Document-sharing scenarios in Microsoft 365.

Using SharePoint to collaborate within a team

We use SharePoint as the primary repository for storing files and data for collaboration at Microsoft. Files, data, and processes that contain corporate info, belong to teams or projects, and anything else that gets shared internally are all stored in SharePoint and OneDrive for Business.

Microsoft 365 groups are the primary vehicle for managing access in SharePoint with simplicity. A group-connected SharePoint site grants access to group members by default. Site ownership and permissions can also include a wide collection of people. Check-in workflows can be created to assign a document to the next person in line when a reviewer checks it in. If a document is important to the success of a project, it’s important that team members can access it, even if the original author is no longer working on the project. In SharePoint Online, permissions are granted on a site basis, with the option to uniquely share or restrict individual documents. If an employee is a member of the group for the SharePoint site, they typically have access to documents stored on the site. Although they can share outside of the group, the group is the standard definition for access.

With SharePoint, our teams get a collaborative advantage, and supporting that collaboration becomes much simpler within the Microsoft 365 framework. For example:

  • Files aren’t stored on a user’s hard drive. Cloud storage is more secure, has continuity, and it’s accessible to employees any time and from any device.
  • The group-connected SharePoint site becomes the focal point for the team’s files with deep integration into Microsoft Teams.
  • Sites and content are discoverable through search. Team-specific metadata can be added to further improve search results.
  • We can apply policies and governance.
  • SharePoint provides us better control over permissions.
  • We can apply lifecycle management and workflows, and version histories are available.
  • Shared content remains available even as team members change. If a team member leaves for a vacation, their team can still share their work.

We use SharePoint as the center for internal document storage and document sharing, but it also hosts all our internal sites, including the popular MSW homepage (our company intranet homepage). Employees go there to get company news, learn about major announcements and events, find other internal sites, and search internally. Not only is the MSW site the busiest portal at Microsoft, it’s where we keep core employee content. Employees can find everything, including campus maps, expense forms, and meal card balances. It’s the gateway to all other major company sites that also run on SharePoint.

Protecting enterprise files with the cloud

Data can easily be lost or stolen when employees work from files saved to their own devices. Our employees work from the cloud because it’s more secure, it makes collaboration far easier, and we can apply policies and governance.

We encourage our employees to use Microsoft OneDrive for Business as their individual file library for personal work files and files that don’t need to be shared with others or that don’t contain corporate data. OneDrive for Business safely stores your files in the cloud. By default, files saved to OneDrive for Business are private, unless you place them in a shared folder or intentionally share them. OneDrive for Business makes it easy to access and sync your files from anywhere on any device.

OneDrive for Business is a good choice for collaborating and sharing your files, even if they have a limited scope or lifecycle. For example, an employee creates a blog post and wants a colleague to review it before it’s posted. In this case, we expect to use the document once without needing additional storage or context information. We want our employees to use OneDrive for Business for all personal file storage scenarios.

Here are some advantages of using OneDrive for Business from an IT perspective:

  • Files aren’t stored on a user’s hard drive. Cloud storage is more secure, has continuity, and is accessible to employees even when their primary device is not. If something goes wrong, the employee can recover their files or revert to a previous version.
  • It’s discoverable for the people it’s shared with.
  • We can apply policies and governance.

Collaborating and connecting with Viva Engage

Viva Engage is the Microsoft social network that supports broad, online community and connection. People use communities to share knowledge, ask questions, and discuss topics with people that span organizations, roles, and locations. With storyline, individuals have a personal space to share their ideas, interests, and observations. Leaders post announcements to their audiences that enable recipients across Microsoft to react, comment, and share their own perspectives.

With Leadership Corner in Viva Engage, you can get to know your leaders and what they’re thinking about. This platform lets you follow their latest posts, discover the communities they’ve joined, and attend their AMAs to ask them questions directly. Leadership Corner provides tools for learning about your leaders and building lasting connections with them.

Viva Engage also provides an open forum for our events where attendees can ask questions and comment about a live broadcast. Presenters and other participants can read these comments as they’re posted and respond in real time.

To ensure that CEO broadcasts reflect what’s on the minds of our employees, we use Viva Engage in advance to solicit employee input, and speakers can address those curated questions or concerns during the meeting and in later follow-ups.

Overall, Viva Engage transforms the way our employees collaborate by breaking down the barriers that location and role have historically presented. Viva Engage conversations don’t have these boundaries. People, groups, and teams who wouldn’t normally be able to engage in conversation can connect through Viva Engage.


Adding intelligence with Microsoft Graph

We also have unified, suite-wide intelligence with Microsoft Graph. Graph maps the connection of people and content to surface insights and is a key technology powering Microsoft 365 Copilot. For example, in most places where you type a name in Outlook 365, the autocomplete uses Graph to suggest people based on the “people I work with” edge. This same technique powers organizationally relevant suggestions in Copilot. Specific examples of this include:

  • Email address autocomplete in Outlook. Outlook autocompletes names from those whom our employees recently emailed and people they have actively collaborated with across different projects in different parts of the suite.
  • Context-based people and content guidance in SharePoint Home. SharePoint Home shows the sites being worked on by the employee or by people with whom they work.
  • Recently used documents. Microsoft 365 Backstage is powered by Graph. The recent documents shown on one device are the same as those shown on another device, even if the document hasn’t been worked on from the second device.
  • AI-generated insights powered by your data. Microsoft 365 Copilot uses Graph data to identify connections between people and their business data to deliver accurate, relevant, and contextual responses.

Enabling cultural change

At Microsoft, the official decision to implement a change like Microsoft 365 adoption is typically made at the organizational or executive level. However, the impetus for change is often a response to the changing business needs of our people or organization. We have diverse groups of people who need to work in different ways. The culture has shifted to work in place, hybrid work, and asynchronous work. With Microsoft 365, our employees are encouraged to support their peers and teammates and build from each other’s work, and they’re rewarded when they do. It’s a core attribute of driving cultural change at Microsoft.

Making change a practical reality

We want each employee at Microsoft to work seamlessly, securely, and feel connected with colleagues and leadership wherever they are.

  • During morning coffee. Use Outlook to check email and manage your calendar and use Teams to view chats and stay up to date on projects. Use Microsoft 365 apps, OneDrive, and SharePoint to create or review documents.
  • From your home office. Use Teams to host or join personal meetings or to chat with voice and text. Use Stream to watch live meetings, and Outlook to connect to a meeting from your email or calendar.
  • Meet at the office. Use Teams to host personal meetings with smaller groups and manage notes and actions in Teams channels. Use Teams meetings to host or join conference room meetings using conference room hardware.
  • Collaborate with your team. Use Teams for chat, video, screen sharing, and file coauthoring within a team. Use Microsoft 365 apps, OneDrive, and SharePoint to create or review documents and share documents from the cloud. Use Planner or Project to track actions.
  • Connect across the company. Use Viva Engage to see organizational updates, share knowledge, and find answers. Use SharePoint for communication sites and news for broad groups of stakeholders.

Setting up a structure for change

Individual needs are at the heart of change, but we also recognize the need for a structured, documented process for people who manage the change. We provide a common toolset for them to use and help them to scale up to organization-wide adoption. We use four pillars of change management to help us from start to finish. These pillars are applied repeatedly within Microsoft as technology capabilities and business needs evolve. The four pillars are:

  • Awareness. The awareness pillar is about landing the message. Before employee training, we knew that we needed to make a good first impression, interest people, and find a message that excited them about Microsoft 365. Our employees needed to understand how Microsoft 365 would help them and why they should give their time to our initiative. Microsoft Viva Insights offers a clear understanding of how work patterns impact wellbeing, productivity, and business performance through data-driven visibility. You can access personal, manager, and leader insights conveniently via the Viva Insights app in Microsoft Teams, on the web, and in Outlook.
  • Engagement. The engagement pillar builds on awareness and starts putting Microsoft 365 in the hands of our people along with the training, guidance, and tools to succeed. This includes training, consulting, and a champion community that supports early adopters and leads engagement in their organization.

Viva Engage introduces a fresh employee experience, fostering connections among people throughout the company, regardless of their location or work hours, to ensure inclusivity and engagement for all. The Viva Engage app, integrated into Microsoft Teams, empowers organizations to cultivate a sense of community, ignite engagement with leadership, leverage knowledge and insights, and establish personal networks.

  • Measurement. The measurement pillar tracks the steps of the engagement pillar. After we engage people, we need to measure adoption success by tracking against the success metrics we set. Measurement is about getting actionable feedback and using that feedback to improve the implementation and adoption process.
  • Management. The management pillar has the longest lifecycle of any of the pillars in the process. Management is about gaining efficiency and ensuring user satisfaction after Microsoft 365 is in place. It means continuing to support established groups and finding user stories and training opportunities that encourage broader collaboration at Microsoft. This pillar serves as a bridge between the initial implementation and the sustained success of Microsoft 365. It involves monitoring and fine-tuning the system to optimize its performance and meet evolving needs. By continuously evaluating and addressing user feedback, the management pillar helps identify areas where further enhancements and improvements can be made.

Enabling behavior and cultural change for collaboration

The four pillars, left to right, are: Empower employees by supporting self-service and using life cycle management. Identify valuable content by requiring classification for containers and scanning with DLP. Protect assets by limiting reach, enforcing policies, using conditional access methods with MFA, and implementing Microsoft Purview Information Protection. The final pillar is to ensure accountability by managing group or site ownership.
Microsoft 365 pillars of asset governance.

Harnessing employee ingenuity is critical to the overall success and relevance of a business. Working together, people generate more ideas and feel more connected to their work, which improves engagement and retention. Our employees need to have resources and tools available wherever they go. To meet the needs of remote and hybrid workplaces, we’ve used Microsoft 365 to streamline communication, improve collaboration, and get more done together.

However, successful collaboration with Microsoft 365 is not just technology adoption; it represents a change in behavior. Microsoft 365 is more than a product—it’s a fundamentally different way of working. The core priority is people. We found that adoption was as much about social and cultural changes and challenges as it was about technology and tool implementation. Adopting Microsoft 365 for collaboration is a different journey than we’ve asked our people to take in the past. With Microsoft 365, we’ve established nine fundamental shifts in behavior that we ask our users to embrace:

  • Groups instead of distribution lists. For teams that like to communicate in Outlook, move from classic distribution lists to Outlook connected groups so that the group gets the full benefit of the group SharePoint site and calendar.
  • Chat instead of email. Move away from email as a primary method of communications for fast-moving teams and project management.
  • Posts instead of one-way messages. Storyline and community announcements encourage participation and provide inclusion in celebratory company moments.
  • Live in the cloud. Use all Microsoft 365 components in the cloud.
  • Embrace flexibility. Empower users to embrace the flexibility of Microsoft 365 for customization.
  • Work mobile. Help people to work in whatever way and place suits them best.
  • Catch up when it’s convenient. Unable to attend every meeting you’re invited to? You can watch the recording later and see where your name was referenced and action items assigned to you, all on Microsoft Stream. Ask an attending member to record or click the record button from the Teams meeting chat window.
  • Send links, not attachments. Everyone should be working on the same copy of a file in a team SharePoint site or individual OneDrive location. This helps to ensure version consistency, track feedback and changes, allow multiple people to concurrently author, ensure discoverability by the team in enterprise search, and enable enterprise security and legal compliance.
  • Share externally directly from SharePoint or OneDrive rather than emailing attachments. We share files directly from SharePoint or OneDrive so the team, with our partners, is working on the same copy of the file, and access can be audited or revoked at any time. Any company compliance, auditing, and real-time content scanning through DLP happens when the file is shared in place.
  • Bring in external project partners as members in groups. A core team participant, even outside of the company, should be able to participate in the project’s Teams with Planner and SharePoint to keep the project conversations in one place.
  • Use Teams Shared Channels for persistent cross-organization collaboration. When employees collaborate in a Teams channel, their collective work is kept in the same workspace. External guests are granted access to the shared channel.

To accomplish this journey, we needed to educate people by managing change and offering training that focused as much on behaviors as on product capabilities.

Managing compliance and security in immersive collaboration

Because Microsoft 365 is hosting our complete collaboration environment, we’re serious about protecting our data, organization, and users in Microsoft 365. Our compliance and security landscape in Microsoft 365 relies on our identity and access strategy, which governs all of the processes and tools we use throughout the identity lifecycle for employees, supplier staff, and partners. As a cloud-first company, we use features in the Microsoft Enterprise Mobility + Security suite, powered by Microsoft Azure and Microsoft Entra ID, the default directory solution for Microsoft 365, along with on-premises identity and access management solutions to enable our users to be securely productive from anywhere.

Using Microsoft 365 identity models

Microsoft 365 supports three identity models that support a variety of identity scenarios. Depending on how an organization wants to manage identities, it can use a cloud identity model, federated identity model, or the synchronized identity model. We use Microsoft Entra Connect to integrate our on-premises directories with Microsoft Entra ID. It gives users a single identity in Microsoft 365, Azure, and software as a service (SaaS) applications that are integrated with Microsoft Entra ID. We use multi-factor authentication to protect our users and ensure the safety of our data.

Enabling external collaboration while protecting our data

Collaboration at Microsoft involves a huge amount of external teamwork. We collaborate and share with industry peers, partners, and vendors. For secure external collaboration, we use identity in Microsoft 365 to verify that external collaborators are who they say they are, and then we use that identity in Microsoft 365 groups to grant access only to resources needed for collaboration.

External collaboration could be something as simple as providing read-only access to a single file, or it could be as complex as an external identity that is part of our Microsoft 365 group membership and participates in teamwork activity in SharePoint, Viva Engage, and Teams.

A big part of external collaboration is finding a reliable and secure way to let the outside in but also to ensure that collaboration and control over our data happens on the inside as well. We want our data stored on our tenancy, under our control. Rather than circulating files outside of our Azure tenancy for external collaborators to view and work on, we keep the files within our tenancy and invite collaborators in so that the work they do and the data they access is within the scope of our security, monitoring, and governance practices. When we have this type of control, we can selectively allow external collaborators the roles and permissions they need.

We have numerous other controls that span our Microsoft 365 groups, including eDiscovery, General Data Protection Regulation (GDPR), multi-geographical controls, and data loss prevention (DLP). They help us rationalize security and compliance and underpin our collaboration environment in Microsoft 365.

Key Takeaways

Enterprise collaboration is about culture change and empowering people to work together to achieve the best productivity results. We’re moving from a culture of competition to one of cooperation. The tools we use play an important role in this change, but we need to pay attention to behaviors as much as we pay attention to tools.

We’re changing the way that people work and contribute to teams.

Modern collaboration with Microsoft 365 is just as much about cultural change as it is the adoption of new tools, and many of the lessons we’ve learned focus on the benefits of enterprise collaboration and teamwork when it’s implemented across the organization and driven by executive sponsorship. Here are some of the most important lessons we’ve learned:

  • Leaders stay better connected with their people. Without open communication, leaders feel disconnected from their people. We use Viva Engage for our monthly company meetings. Satya and his leadership team engage with employees, and he often chooses the topics he will cover based on postings in our Senior Leader Connection community. Across the organization, we use Viva Engage to connect remote employees, work out loud, and discuss topics to drive better decisions.
  • Shared team workspaces create hubs for teamwork. Teams and individuals work in many places, and a good model for teamwork supports collaboration. Microsoft Teams makes it easy for people to create virtual team workspaces to increase their productivity. Colleagues’ contributions are visible, integrated, and discoverable across the team. Sharing is fun and inclusive, so each member can express their own style.
  • Being productive anywhere empowers a global workforce. We need our employees to have access wherever they are. Skype for Business and Microsoft Teams are enterprise-grade productivity solutions that simplify employees’ lives by allowing them to work and connect with others anywhere. Unified presence information allows people to see each other’s availability, making it easier to meet.
  • Connecting people and sharing information enriches global teamwork. We need our employees to be connected and informed to be competitive in our business. Teams chat and Viva Engage conversations connect our entire organization and enable our people to connect and share across the world on global teams.
  • Employees unify around customers and partners. It’s essential to bring people together to work across organizational boundaries. Microsoft Teams and Viva Engage each enable multiple avenues that provide an easy way for employees to stay connected with customers and partners using familiar Microsoft 365 capabilities.
  • Large group collaboration creates efficiencies. Collaboration between larger teams and communities creates greater efficiencies than forming multiple, smaller collaboration spaces. More members allow for conversation that is broader and more inclusive, especially for high-level and organization-focused communication.

We’re using Microsoft 365 to empower our employees to achieve more by driving better teamwork and collaboration in our teams. Microsoft 365 services provide a unified, extensible framework within which we can achieve our business goals, support modern workstyles, and enable continued digital transformation. Microsoft 365 empowers our entire organization to collaborate and change at the speed of our business.

Try it out

Want to learn more about Microsoft 365 plans and pricing? Get all the details here.

The post A foundation for modern collaboration: Microsoft 365 bolsters teamwork appeared first on Inside Track Blog.

Using Microsoft Teams and ServiceNow to enhance end-user support at Microsoft
http://approjects.co.za/?big=insidetrack/blog/using-microsoft-teams-and-servicenow-to-enhance-end-user-support-at-microsoft/
Tue, 28 Jan 2025 16:44:03 +0000
Microsoft Digital technical stories

Editor’s note: This content was first published in 2021. Although this particular event or moment in time has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.

Our Microsoft Digital team is improving our support experience by partnering with ServiceNow to incorporate modern support-agent functionality into our environment by using ServiceNow Virtual Agent and Microsoft Teams. As a result, our support team and the employees they assist have a more complete tool set, a simpler view into the support environment, and a more streamlined method for executing tasks and solving issues quickly.

Understanding virtual-agent-based support at Microsoft

Our Global Helpdesk supplies support to our employees in more than 120 countries and regions worldwide. Global Helpdesk receives approximately 3,000 requests for support every day, and the ability to efficiently assess what help our users need and how we can provide that help is critical to the effectiveness of Global Helpdesk and our Microsoft Digital organization at Microsoft.

Improving the agent experience

One of the primary touchpoints for our employees has been agent-driven communication. Connecting to and speaking with a live support-team member has always been an important part of the end-user support experience here at Microsoft. As part of our ongoing digital transformation, we’re working toward a more streamlined support experience for our support team and our users, including improved virtual-agent experiences.

The preexisting virtual-agent interface—one that Microsoft Digital developed and maintains—was initially developed as an experimental solution. While the previous solution had worked well in the past, we were experiencing several challenges in using an internally developed, custom-built tool:

  • Limited ability to innovate. While we initially developed the previous virtual-agent tool to meet our needs at the time of its implementation, our needs changed over the years. The way our employees work also changed, and industry changes and technology advances affected our platform’s efficiency. It was difficult to keep functionality and feature availability current on a self-developed platform.
  • Minimal integration and information reuse. The virtual-agent experience wasn’t effectively integrated with many of our other support tools, including our service-management platform knowledge base. Our support team had to copy and paste support information into the agent and manually search for and enter ticket management data for each support request.
  • Limited virtual-agent support. It was difficult to develop and maintain workflows for virtual-agent functionality and to provide the guidance and support that our live agents required.
  • Scalability and performance issues. Our previous platform didn’t support the scalability and performance goals that we set for our infrastructure and tools.

Creating a modern virtual-agent experience

Our vision for a modern support experience involves providing our employees with easy-to-use, transparent, and integrated services by transforming how we deliver support capabilities across all digital interactions at Microsoft. As part of this vision, we examined how we could improve the virtual-agent process while enabling our continued digital transformation in this area. We established several goals, including:

  • Increase information reuse. Invest in integrated tools that support connected and correlated data and the reuse of information across support processes. We wanted a solution that would integrate directly with our service-management platform and integrate with existing data in our support environment.
  • Take advantage of existing partnerships and tool sets. As part of our vision for simplicity and transparency in our infrastructure, we wanted to use existing tools effectively and pursue partners that supply complementary features.
  • Adopt commercially available tools with out-of-the-box functionality. We wanted to move to a commercially available product that was already in development for a large customer base. We wanted a solution that enabled agile development and also provided built-in support.
  • Identify AI and machine-learning capabilities to streamline and improve support and employee experiences. Virtual-agent functionality was an important consideration for the new solution—whatever we chose needed to integrate AI and machine-learning tools to better inform the support process and better serve our Helpdesk users.

Combining ServiceNow and Teams

To begin the process of selecting a new platform, we used our challenges and goals to evaluate several potential solutions. The ServiceNow suite of capabilities now serves as our primary agent experience for live and virtual-agent support, and we use Teams as one of our most critical agent hosting environments. We’ve used ServiceNow IT Service Management for six years as our primary support-automation tool. Microsoft and ServiceNow have engaged in a strategic partnership to accelerate digital transformation for enterprise customers. As part of the partnership, we’re working together toward a common solution based on ServiceNow and Microsoft platforms, with a goal of building better products and improving customer experience for both companies.

By combining ServiceNow and Teams, we’ve created an agile support platform that easily integrates with our existing support environment and data. We’re using all the ServiceNow out-of-the-box features that fit our needs to ensure that our use-case scenarios are robustly supported. Our current ServiceNow implementation included several important milestones and challenges. Highlights from the implementation process include:

  • Aligning feature capabilities and requirements. We prioritized features and implementation timelines, noting what was necessary to decommission the previous solution and facilitate a smooth transition.
  • Establishing a crawl, walk, run approach. Our implementation started small, and we iterated from there. We incorporated quick-win features early, ensuring that we established sound implementation practices before moving on to larger and more important components.
  • Identifying and resolving Microsoft Entra ID synchronization issues. Initially, Microsoft Entra ID synchronization complexities made it difficult to fully integrate user data. However, through our partnership with ServiceNow and because of ServiceNow’s agility and large product support team, we received an update in the next release that fixed the problem.
  • Supplying direct agent integration across multiple contexts. While Teams is one of our primary agent interfaces, we’re also incorporating the ServiceNow Virtual Agent across many of our web-portal workspaces, offering in-context agent support to our employees within the application or interface that they’re using.
  • Integrating with Azure Cognitive Services components for intelligent virtual-agent functionality. We’re using the Azure AI Language service to supply natural-language FAQ support to the virtual-agent experience, using existing knowledge-base sources.

Results and benefits

Our new support-management platform has generated several benefits for our business, our support agents, and our customers. These benefits include:

  • Simplified interaction for our end-users. Our virtual agent usage has doubled during the first year using ServiceNow. More of our Global Helpdesk end-users are using the virtual agent to initiate support contact. Almost 50 percent of virtual agent-initiated issues are solved within the virtual agent context, without needing human involvement. The increase in virtual agent adoption decreases support costs and allows our live agents to focus on more complex issues. We expect virtual agent adoption and efficiency to increase as we improve functionality, build the virtual-agent interface into more of our end-user environment, and grow virtual-agent adoption as a replacement for other contact methods, such as email or phone calls.
  • Increased future cost savings from the new solution platform. By implementing a software-as-a-service (SaaS) solution like ServiceNow, we benefit from the built-in resiliency, scalability, reusability, and feature set of a SaaS platform. We’ve also deprecated our internally developed tool, saving the associated infrastructure and maintenance costs.
  • More effective self-service problem solving for our end-users. The ServiceNow virtual agent enables detailed workflow automation within the agent interface. We’re using that automation to create a better self-service experience that allows our users to resolve issues without live-agent intervention, giving more time back to the live agent.
  • Improved live agent handoff. We’ve significantly improved integration between the virtual agent and our other support systems data. When the virtual agent transfers an end-user to one of our live agents, the live agent can access the virtual-agent chat transcript alongside the ServiceNow ticket and end-user information. This capability makes it easier to provide comprehensive support for the end-user in a live chat experience.
  • More accurate metrics for end-to-end support processes. Due to integration with ServiceNow and other data platforms, we can better understand the end-to-end support experience and identify opportunities for improvement and greater efficiency across the entire support landscape. This enables us to further reduce support costs and decrease support resolution times for our end-users.

Try it out

Want to learn how Microsoft Teams can streamline communications and make a difference in your organization? Get more details here.

Enhancing VPN performance at Microsoft
http://approjects.co.za/?big=insidetrack/blog/enhancing-vpn-performance-at-microsoft/
Sun, 26 Jan 2025 17:00:13 +0000
Microsoft Digital technical stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Modern workers are increasingly mobile and require the flexibility to get work done outside of the office. Here at Microsoft headquarters in the Puget Sound area of Washington State, every weekday an average of 45,000 to 55,000 Microsoft employees use a virtual private network (VPN) connection to remotely connect to the corporate network. As part of our overall Zero Trust Strategy, we have redesigned our VPN infrastructure, something that has simplified our design and let us consolidate our access points. This has enabled us to increase capacity and reliability, while also reducing reliance on VPN by moving services and applications to the cloud.

Providing a seamless remote access experience

Remote access at Microsoft is reliant on the VPN client, our VPN infrastructure, and public cloud services. We have had several iterative designs of the VPN service inside Microsoft. Regional weather events in the past required large increases in employees working from home, heavily taxing the VPN infrastructure and requiring a completely new design. Three years ago, we built an entirely new VPN infrastructure, a hybrid design, using Microsoft Azure Active Directory (Azure AD) load balancing and identity services with gateway appliances across our global sites.

Key to our success in the remote access experience was our decision to deploy a split-tunneled configuration for the majority of employees. We have migrated nearly 100% of previously on-premises resources into Microsoft Azure and Microsoft Office 365. Our continued efforts in application modernization are reducing the traffic on our private corporate networks as cloud-native architectures allow direct internet connections. The shift to internet-accessible applications and a split-tunneled VPN design has dramatically reduced the load on VPN servers in most areas of the world.

Using VPN profiles to improve the user experience

We use Microsoft Endpoint Manager to manage our domain-joined and Microsoft Azure AD–joined computers and mobile devices that have enrolled in the service. In our configuration, VPN profiles are replicated through Microsoft Intune and applied to enrolled devices; these include certificate issuance that we create in Configuration Manager for Windows 10 devices. We support Mac and Linux device VPN connectivity with a third-party client using SAML-based authentication.

We use certificate-based authentication (public key infrastructure, or PKI) and multi‑factor authentication solutions. When employees first use the Auto-On VPN connection profile, they are prompted to authenticate strongly. Our VPN infrastructure supports Windows Hello for Business and Multi-Factor Authentication. It stores a cryptographically protected certificate upon successful authentication that allows for either persistent or automatic connection.

For more information about how we use Microsoft Intune and Endpoint Manager as part of our device management strategy, see Managing Windows 10 devices with Microsoft Intune.

Configuring and installing VPN connection profiles

We created VPN profiles that contain all the information a device requires to connect to the corporate network, including the supported authentication methods and the VPN gateways that the device should connect to. We created the connection profiles for domain-joined and Microsoft Intune–managed devices using Microsoft Endpoint Manager.

For more information about creating VPN profiles, see VPN profiles in Configuration Manager and How to Create VPN Profiles in Configuration Manager.

The Microsoft Intune custom profile for Intune-managed devices uses Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings with XML data type, as illustrated below.

Creating a Profile XML and editing the OMA-URI settings to create a connection profile in System Center Configuration Manager.

Installing the VPN connection profile

The VPN connection profile is installed using a script on domain-joined computers running Windows 10, through a policy in Endpoint Manager.

For more information about how we use Microsoft Intune as part of our mobile device management strategy, see Mobile device management at Microsoft.

Conditional Access

We use an optional feature that checks the device health and corporate policies before allowing it to connect. Conditional Access is supported with connection profiles, and we’ve started using this feature in our environment.

Rather than just relying on the managed device certificate for a “pass” or “fail” for VPN connection, Conditional Access places machines in a quarantined state while checking for the latest required security updates and antivirus definitions to help ensure that the system isn’t introducing risk. On every connection attempt, the system health check looks for a certificate indicating that the device is still compliant with corporate policy.

Certificate and device enrollment

We use an Azure AD certificate for single sign-on to the VPN connection profile. We currently use Simple Certificate Enrollment Protocol (SCEP) and Network Device Enrollment Service (NDES) to deploy certificates to our mobile devices via Microsoft Endpoint Manager. The SCEP certificate we use is for wireless and VPN. NDES allows software on routers and other network devices running without domain credentials to obtain certificates based on SCEP.

NDES performs the following functions:

  1. It generates and provides one-time enrollment passwords to administrators.
  2. It submits enrollment requests to the certificate authority (CA).
  3. It retrieves enrolled certificates from the CA and forwards them to the network device.

For more information about deploying NDES, including best practices, see Securing and Hardening Network Device Enrollment Service for Microsoft Intune and System Center Configuration Manager.

VPN client connection flow

The diagram below illustrates the VPN client-side connection flow.

A graphic representation of the client connection workflow. Sections shown are client components, Azure components, and site components.
The client-side VPN connection flow.

When a device-compliance–enabled VPN connection profile is triggered (either manually or automatically):

  1. The VPN client calls into the Windows 10 Azure AD Token Broker on the local device and identifies itself as a VPN client.
  2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. A device check is performed by Azure AD to determine whether the device complies with our VPN policies.
  3. If the device is compliant, Azure AD requests a short-lived certificate. If the device isn’t compliant, we perform remediation steps.
  4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
  5. The VPN client uses the Azure AD–issued certificate to authenticate with the VPN gateway.

Remote access infrastructure

At Microsoft, we have designed and deployed a hybrid infrastructure to provide remote access for all the supported operating systems—using Azure for load balancing and identity services and specialized VPN appliances. We had several considerations when designing the platform:

  • Redundancy. The service needed to be highly resilient so that it could continue to operate if a single appliance, site, or even large region failed.
  • Capacity. As a worldwide service meant to be used by the entire company and to handle the expected growth of VPN, the solution had to be sized with enough capacity to handle 200,000 concurrent VPN sessions.
  • Homogenized site configuration. A standard hardware and configuration stamp was a necessity both for initial deployment and operational simplicity.
  • Central management and monitoring. We ensured end-to-end visibility through centralized data stores and reporting.
  • Azure AD–based authentication. We moved away from on-premises Active Directory and used Azure AD to authenticate and authorize users.
  • Multi-device support. We had to build a service that could be used by as much of the ecosystem as possible, including Windows, OSX, Linux, and appliances.
  • Automation. Being able to programmatically administer the service was critical. It needed to work with existing automation and monitoring tools.

When we were designing the VPN topology, we considered the location of the resources that employees were accessing when they were connected to the corporate network. If most of the connections from employees at a remote site were to resources located in central datacenters, more consideration was given to bandwidth availability and connection health between that remote site and the destination. In some cases, additional network bandwidth infrastructure has been deployed as needed. The illustration below provides an overview of our remote access infrastructure.

VPN infrastructure. Diagram shows the connection from the internet to Azure traffic manager profiles, then to the VPN site.
Microsoft remote access infrastructure.

VPN tunnel types

Our VPN solution provides network transport over Secure Sockets Layer (SSL). The VPN appliances force Transport Layer Security (TLS) 1.2 for SSL session initiation, and the strongest cipher suite that can be negotiated is used for the VPN tunnel encryption. We use several tunnel configurations depending on the locations of users and the level of security needed.

Split tunneling

Split tunneling routes only the traffic destined for the Microsoft corporate network through the VPN tunnel; all internet traffic goes directly to the internet without traversing the VPN tunnel or infrastructure. Our migration to Office 365 and Azure has dramatically reduced the need for connections to the corporate network. We rely on the security controls of applications hosted in Azure and services of Office 365 to help secure this traffic. For endpoint protection, we use Microsoft Defender Advanced Threat Protection on all clients. In our VPN connection profile, split tunneling is enabled by default and used by the majority of Microsoft employees. Learn more about Office 365 split tunnel configuration.

Full tunneling

Full tunneling routes and encrypts all traffic through the VPN. There are some countries and business requirements that make full tunneling necessary. This is accomplished by running a distinct VPN configuration on the same infrastructure as the rest of the VPN service. A separate VPN profile is pushed to the clients who require it, and this profile points to the full-tunnel gateways.
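The difference between the two profile types comes down to which prefixes the profile routes into the tunnel. The following is an added example, not code from Microsoft's deployment: it resolves where a destination goes under a given route list and audits a profile for entries that contradict its intended mode. The route lists are constructed samples, and the check for public prefixes assumes the corporate network uses only RFC 1918 address space.

```python
import ipaddress

# Assumption for this example: corporate resources live in RFC 1918 space only.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(cidrs):
    """Parse CIDR strings; strict mode rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def next_hop(dest, tunnel_routes):
    """Return ('vpn', prefix) if a tunnel route covers dest, else ('direct', None).

    The most specific (longest) matching prefix wins, as in a routing table.
    """
    addr = ipaddress.ip_address(dest)
    matches = [n for n in tunnel_routes
               if n.version == addr.version and addr in n]
    if not matches:
        return ("direct", None)
    best = max(matches, key=lambda n: n.prefixlen)
    return ("vpn", str(best))


def audit_profile(mode, tunnel_routes):
    """List findings where the route list contradicts the profile's mode.

    mode is 'split' (only corporate prefixes tunneled) or 'full'
    (everything tunneled, so a default route must be present).
    """
    if mode not in ("split", "full"):
        raise ValueError("mode must be 'split' or 'full'")
    findings = []
    has_default = any(n.prefixlen == 0 for n in tunnel_routes)

    if mode == "full" and not has_default:
        # Without a default route, internet traffic bypasses the tunnel.
        findings.append("full-profile-missing-default-route")

    if mode == "split":
        if has_default:
            # A default route turns a split profile into a full tunnel.
            findings.append("default-route-in-split-profile")
        for n in tunnel_routes:
            if n.prefixlen == 0 or n.version != 4:
                continue  # default route handled above; IPv6 not checked here
            if not any(n.subnet_of(p) for p in RFC1918):
                # Public prefix: this traffic hairpins through the gateways.
                findings.append(f"public-prefix-tunneled:{n}")

    # Routes already covered by a broader (non-default) route are redundant.
    specific = [n for n in tunnel_routes if n.prefixlen > 0]
    for a in specific:
        for b in specific:
            if a != b and a.version == b.version and a.subnet_of(b):
                findings.append(f"redundant-route:{a}-in-{b}")
    return findings


# Constructed sample profiles (not taken from the article).
SPLIT_OK = parse_routes(["10.0.0.0/8", "172.16.0.0/12"])
SPLIT_BAD = parse_routes(
    ["10.0.0.0/8", "10.1.0.0/16", "0.0.0.0/0", "198.51.100.0/24"])

if __name__ == "__main__":
    for dest in ("10.20.30.40", "203.0.113.9"):
        print(dest, next_hop(dest, SPLIT_OK))
    for finding in audit_profile("split", SPLIT_BAD):
        print(finding)
```
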

Full tunnel with high security

Our IT employees and some developers access company infrastructure or extremely sensitive data. These users are given Privileged Access Workstations, which are secured, limited, and connect to a separate highly controlled infrastructure.

Applying and enforcing policies

In Microsoft Digital, the Conditional Access administrator is responsible for defining the VPN Compliance Policy for domain-joined Windows 10 desktops, including enterprise laptops and tablets, within the Microsoft Azure Portal administrative experience. This policy is then published so that the enforcement of the applied policy can be managed through Microsoft Endpoint Manager. Microsoft Endpoint Manager provides policy enforcement, as well as certificate enrollment and deployment, on behalf of the client device.

For more information about policies, see VPN and Conditional Access.

Early adopters help validate new policies

With every new Windows 10 update, we rolled out a pre-release version to a group of about 15,000 early adopters a few months before its release. Early adopters validated the new credential functionality and used remote access connection scenarios to provide valuable feedback that we could take back to the product development team. Using early adopters helped validate and improve features and functionality, influenced how we prepared for the broader deployment across Microsoft, and helped us prepare support channels for the types of issues that employees might experience.

Measuring service health

We measure many aspects of the VPN service and report on the number of unique users that connect every month, the number of daily users, and the duration of connections. We have invested heavily in telemetry and automation throughout the Microsoft network environment. Telemetry allows for data-driven decisions in making infrastructure investments and identifying potential bandwidth issues ahead of saturation.

Using Power BI to customize operational insight dashboards

Our service health reporting is centralized using Power BI dashboards to display consolidated data views of VPN performance. Data is aggregated into an SQL Azure data warehouse from VPN appliance logging, network device telemetry, and anonymized device performance data. These dashboards, shown in the next two graphics, are tailored for the teams using them.

A map is shown with icons depicting the status of each VPN site globally. All are in a good state.
Global VPN status dashboard.

Six graphs are shown to share VPN performance reporting dashboards. They include peak internet usage, peak VPN bandwidth, Peak VPN concurrent sessions.
Microsoft Power BI reporting dashboards.

Key Takeaways

With our optimizations in VPN connection profiles and improvements in the infrastructure, we have seen significant benefits:

  • Reduced VPN requirements. By moving to cloud-based services and applications and implementing split tunneling configurations, we have dramatically reduced our reliance on VPN connections for many users at Microsoft.
  • Auto-connection for improved user experience. VPN connection profiles that are automatically configured for connection and authentication types have improved mobile productivity. They also improve the user experience by providing employees the option to stay connected to VPN without additional interaction after signing in.
  • Increased capacity and reliability. Reducing the quantity of VPN sites and investing in dedicated VPN hardware has increased our capacity and reliability, now supporting over 500,000 simultaneous connections.
  • Service health visibility. By aggregating data sources and building a single pane of glass in Microsoft Power BI, we have visibility into every aspect of the VPN experience.

Citizen developers use Microsoft Power Apps to build an intelligent launch assistant
http://approjects.co.za/?big=insidetrack/blog/citizen-developers-use-microsoft-power-apps-to-build-intelligent-launch-assistant/
Sat, 25 Jan 2025 15:30:19 +0000
Microsoft Digital technical stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Traditional app-development efforts can take months to translate business requirements into a usable application or feature. For the business user, waiting can be the hardest part. You come up with an idea to improve efficiency or productivity at work—not only will it make your life easier, but you think it could transform the way your peers work as well. You share the idea with your managers, create a formal proposal, and submit it to your company’s engineering team. Then you wait.

Once you see how your idea was interpreted from requirements and provide feedback on the prototype, you have to wait again. This time it’s for the engineering team to wade through their backlogged change requests. Even the best idea can fall short, run over budget, or fail when business-focused teams are only peripherally plugged into the process of building the solutions they need to solve their business problems.

Enter citizen development.

Citizen development—the creation of business applications and features by the employees who use them—is an opportunity for business users to stretch beyond their day-to-day activities with innovative ways to improve their own business processes. Citizen development is not small groups of developers across the company creating an unmanageable amount of shadow IT applications; when done properly, it’s a mutually beneficial partnership—a win-win proposition for both business users and IT.

To show you how this works, here’s the story of how three launch program managers at Microsoft dreamed up an idea to get their work done more efficiently. They imagined an intelligent launch assistant app that would provide convenient access to quick tasks, centralize some satellite workflows, and provide more user-friendly views of their product launch data. Armed with only their business knowledge and some prior experience with HTML and design, they decided—on their own—to learn Microsoft Power Apps to try and build the app they envisioned. Power Apps turned out to be the right choice, as it was designed to give business users the tools they need to drive innovation and create new applications—with no coding skills required.

The team leveraged their expertise and, after doing some reading, Power Apps tutorials, and a little research, felt much less intimidated by the prospect of developing their own intelligent launch assistant. The launch managers had unknowingly begun their journey toward becoming citizen developers. In just over a month, they went from having an early prototype to a feature-rich application that more than a hundred other launch managers now use daily!


Building an intelligent launch assistant app

The Launch team at Microsoft oversees all launches of Microsoft products and devices, including system changes and compliance projects. The launch managers, being change agents who drive consistency and process simplification, had already identified some ongoing challenges in their processes. Launch workflows spanned multiple tools, and the team needed to reference data stored in different locations to get a full view of their projects.

After deciding on key features for their proof of concept, the launch managers took part in a company hackathon to kickstart prototype development of the launch assistant app. By the end of that immersive, collaborative event, the team had built their first prototype and was feeling more confident about what they could accomplish as citizen developers using Power Apps.

Microsoft Digital supports every employee and team at Microsoft—including these launch managers—by deploying and managing the products and solutions they use to get work done. That includes managing the development, governance, and lifecycle for line-of-business applications. One of our core charters is to empower users to do more. In that vein, through technology and collaboration, we support efforts like citizen development.

In Microsoft Digital, we were excited to see the progress that was made in such a short time, but we were navigating relatively new territory. While the prototype was promising, it still represented a culture shift, and we had a little trepidation about using citizen development for apps that support essential business functions.

A few factors in this project helped us decide to cautiously continue along the citizen-development path. One, the existing launch workflows and tools were still in place, so there would be no disruption of operations. And two, the citizen developers were making progress, very quickly. Their velocity was outpacing any lingering concern, and we determined that whether they created something that could be rolled out broadly, or a prototype of something we would build for them, either outcome would be a step forward.

More nimble than agile

Our engineering teams generally use agile development methods while building out apps and solutions for the different business groups at Microsoft. With discovery, development, and iterating, even in two-week sprint cycles, it can still take months for us to develop a functioning app that the business users will adopt and continue to use. No matter how much time our engineers spend with a team learning about a business’s processes, only a business user truly understands the context, relationships, and flow of every scenario.

As illustrated in this graphic, some of the benefits we saw while working in cooperation with the Launch team’s citizen developers included improved engineering resource allocation, reduced development backlogs, and a greatly accelerated application-building process.

[Figure: Some of the benefits of citizen development.]

In 40 days, the citizen developers released more than 250 iterations that evolved the app from an early prototype that only the citizen developers were using to a fully functioning app that has been widely adopted by the other launch managers at Microsoft. They were truly nimble. When something they built or changed didn’t come out quite right, they fixed it immediately themselves, or rolled back to a prior iteration in Power Apps and started over. They didn’t need to request a change or log a bug and wait for our engineers to resolve it during the next sprint.

The first 100 or so iterations happened very quickly—sometimes dozens in a day. However, as the app grew more complex and was being more widely adopted, the iteration cadence slowed down accordingly. As more features in the app were connecting to our Microsoft Dynamics 365 platform and the Microsoft SharePoint lists that they created to centralize the data from other workflows, it made sense to begin meeting regularly to discuss guardrails and risks before each iteration was released. The citizen developers started giving our engineers weekly demos of the prototype and talking about their planned features, providing us an opportunity to provide guidance and answer questions.

A fully functional app and a living prototype

The phone and tablet versions of the intelligent launch assistant app pulled together views of all the information pertaining to a launch, including key dates, other information about the launch manager’s project, and the risks that are managed daily.

Roughly 50 percent of the information displayed in the launch assistant home page comes from data in the Microsoft Dynamics 365-based platform that serves as the “single version of truth” for all work activities across the operations teams at Microsoft. The citizen developers enhanced the experiences of several tracking and management features that weren’t in Dynamics 365 by creating SharePoint lists as a backend for the related data. Using Microsoft Power Apps, it was easy to connect to both Dynamics 365 and the SharePoint lists to create consolidated views and tasks.

As this next graphic shows, the app experience is intuitive, and the citizen developers can continually adjust the UI to mirror more optimized versions of their business processes.

[Figure: The tablet and phone versions of the intelligent launch assistant app.]

The app, now broadly available to all launch managers at Microsoft, also serves as a living prototype. Launch managers enjoy a transformed workflow, while we see the impact of new features as they are being used in the production environment. We evaluate those features and experiences before investing money in engineering resources to build or integrate them into the Microsoft Dynamics 365 platform.

Lessons learned and best practices

We have spent years refining our application-development processes, and we expected to face challenges and learn new things as the traditional processes were disrupted by empowering more business-focused individuals to develop the solutions they need. This effort has been successful and educational, so we’re sharing a few of our learnings and best practices.

Partnering helps set everyone up for success

With open communication and a growth mindset, a strong partnership between the business and engineering teams is crucial in helping ensure the success of a citizen development program. For example, we learned that we didn’t start discussing risks and guardrails for each team and role soon enough. As a result, we were initially very reactive, addressing issues as we encountered them rather than taking a more holistic approach. As we got further into the process, we were better able to determine which changes needed to be monitored more closely, and to be more mindful about where test data in the production environment was being stored. In one case, we almost sent a report to executive leadership that included test data from one of our intelligent launch assistant experiments.

It’s also important to communicate early with engineers about the benefits that come with this shift in paradigm. They need to understand that citizen development isn’t intended to replace traditional development, nor does it suggest that they aren’t doing a good job. It’s just an effort to better align activities with core skillsets.

Some traditional development processes still apply

In the early phases, most of the launch assistant app users were citizen developers who could make and publish every change as a new iteration. As the user base grew, and the app features became more complex, every iteration and change required more consideration. The team moved to a role-based model in which only a few citizen developers who fully understood how the changes would impact users of the app could publish new iterations.

Not being professional developers, the citizen developers did not start keeping meticulous version notes until they realized why they were useful. More than once during the 250 iterations, they needed to roll back to a prior version after a change didn’t go as planned. Having notes that explained what changed in each iteration helped in identifying which version introduced the change.

Use Power Apps to create living prototypes that can speed engineering decisions

Citizen developers know inherently how they want to use an application within the framework of their processes, and that insight provides a high-value impact when it complements engineering’s efforts.

When business users become citizen developers and build Microsoft Power Apps solutions to address their business problems without code, it can ultimately be a benefit for engineers. We can see how a feature or functionality performs in production, how quickly users adopt it, and verify its continued use—while we plan and weigh the benefits of integration into our platform. Ultimately, when we do invest in hardening a feature for scalability, we anticipate no noticeable impacts to the user, other than performance or planned UI improvements.

Key Takeaways
Now, are you wondering how to become a citizen developer at your company? Here are some suggestions on how you can get started:

  • You don’t need to wait for someone to build you a platform—with Power Apps and a little coaching from someone who’s tried it, you can define, build, and adopt a solution without the need for dedicated engineering help.
  • Because you know your business so well, you can get right to building your solution—saving time and money. Your knowledge of the challenge will reduce the iterations required to transform your idea into a proven prototype.
  • Read this “What is Power Apps?” overview to get more tips on getting started and, when you’re done with that, complete our introduction.
  • Find additional learning resources at Microsoft Power Platform: Learning Resources.

Transforming change management at Microsoft with Microsoft 365 http://approjects.co.za/?big=insidetrack/blog/transforming-change-management-at-microsoft-with-microsoft-365/ Fri, 17 Jan 2025 17:06:26 +0000
Microsoft Digital stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

When Microsoft 365 became a service, the way IT managers needed to think about change management had to change, and dramatically so.

“We were no exceptions,” says David Johnson, principal product manager architect, who leads the team that governs how Microsoft 365 is deployed across Microsoft. “Microsoft 365 started changing every day, and we needed to figure out how to keep up.”

The transition to living in this new Software as a Service (SaaS) world was further complicated by the global pandemic and ever-evolving work style changes. The ongoing pandemic and its uncertain duration meant that organizations had to remain agile and responsive to the shifting needs of their workforce. IT teams had to continuously evaluate and implement new technologies and cloud-based solutions to facilitate remote collaboration, enable seamless communication, and maintain productivity. As a result of remote work, employees embraced asynchronous workflows, allowing for flexibility around when and where work could be completed.

Now with the help of generative AI, employees can utilize products like Microsoft 365 Copilot and Teams Meeting Recap to reduce meeting fatigue and prioritize workloads.

To learn more about generative AI improving the employee experience, check out our spotlight on the digital transformation series.

The pressure on IT administrators at Microsoft and everywhere increased tremendously.


[Photo: David Johnson is guiding Microsoft’s change management approach to deploying Microsoft 365 products internally. (Photo by David Johnson)]

“This was a lot to absorb for an industry that had previously thrived on consistency, reliability, and predictability,” says Johnson.

Change became the new constant, and dealing with that level of change is something everyone is still getting used to.

“It’s a hot topic for customers,” says Johnson, whose team has been at the forefront of both the industry shift to the cloud and the tech demands of a new mobile workforce. “How do I decide what I’m going to turn on for my company effectively? From an industry perspective, this is a fairly important conversation.”

Microsoft Teams alone has hundreds of new features and changes in development at any given time. The rest of the Microsoft 365 suite—which includes Microsoft Office apps, hosted email, and the Microsoft SharePoint glue connecting it all—has also seen rapid changes.

Johnson’s goal was to handle the change management for all Microsoft 365 products in the same way. His team’s approach centers on getting three things right: initial triage, putting guardrails in place to allow innovation, and staying current on the latest news.

Triage for an upcoming change

IT administrators largely control what changes become available to employees, who in the workforce can see those experiences, and how to configure for them. Sometimes updates are relatively easy to deploy, such as adding the ability to raise a virtual hand in a Microsoft Teams meeting. Other times, they might involve trickier issues such as artificial intelligence or data mining—and then the concept of triage becomes paramount.

Broadly speaking, Microsoft’s internal triage involves two basic concepts: developing a posture—a set of IT principles for your company—and ensuring that features or change management fit within that posture. A posture could define the levels of security and data privacy needed. For example, Microsoft 365’s compliance capabilities, such as data loss prevention (DLP), information protection, and eDiscovery, allowed major financial institutions to align their IT environment with their defined compliance posture. They implemented robust data protection measures, including encryption and access management, to safeguard sensitive financial information. Additionally, they used advanced threat protection features to detect and respond to potential security incidents proactively.

When that posture is in place, triaging against it becomes easier. The first step is to evaluate what’s coming and determine how significant the change is, then run the change through a series of questions that reflect a company’s IT posture, such as these:

  • Does this need a security review?
  • Do you need to run this by your privacy experts?
  • What are the legal implications of turning this feature on?
  • Does your human resources team need to be involved?
  • Will the workers council or union need to be involved?
  • What is the IT manageability impact? Are there any IT resource impacts?
  • Are there employee experience implications that you’ll need to communicate?


Guardrails to encourage innovation and collaboration

Microsoft spends a lot of time talking about privacy and security, but just as crucial to the company are the creativity, innovation, and collaboration that take place within its workforce.

One of Microsoft’s most important postures is maintaining the sometimes tricky balance between protecting employees and allowing them to chat freely and to share files and collaborate across multiple platforms. To keep that balance, the company relies on the concept of guardrails that maintain security and privacy while giving people room to move.

One way to test the balance between security and innovation is by using an internal ring structure to deploy change management. There is a natural first ring of testers made up of the engineering and supporting teams that worked closely with the solution. The internal ring structure allows the people who are most familiar with the solution to validate it before it’s shared with the second ring.

The second ring of initial users is where some of the most important testing takes place, and as a feature matures, it gradually sees broader distribution. At Microsoft, a group of employees who are enthusiastic about new features has signed up to see early deployments. That group, called Microsoft Elite, often comprises one of the earliest rings.

The ring structure can be used for any IT department that wants to slowly roll out changes and monitor the effects prior to impacting users on a broad scale.

“The team that manages the deployment of Microsoft Exchange internally at Microsoft uses rings to try out new features before they are broadly deployed across the company,” says Nate Carson, a senior service manager who helps manage the company’s internal use of Microsoft Exchange.

“It lessens the impact to the broader company by doing it this way,” Carson says.

Using rings to try-it-before-you-deploy-it also gives security and data privacy teams more time to assess the impact of a new feature. That’s crucial for change management in the era of relentless hacking, ransomware, phishing, and other security attacks.


“There is an explosion of data and really an explosion of hackers trying to get at your data,” says Faye Harold, principal program manager for information protection services on the Digital Security and Resilience (DSR) team in Microsoft Digital. She spends most of her time thinking about hackers and trying to outwit them. Because the end user is the last line of defense for information security, she also watches how those users respond to new features. “It’s mind-boggling how many attack vectors there are, and it’s all centered on people and their identities,” Harold says.

“Microsoft has a set of security principles it has shared with product groups,” says Lee Peterson, principal manager in DSR for emerging technology standards and assurance. There are expectations around data protection, and when a change or new feature is coming down the pipeline, he watches to see how it might impact the company’s security posture.

“Companies need to be more aware of software features that are being released and understand how they might impact digital security,” he says.

Staying on top of the news

The events of the pandemic show how quickly things can change for companies of all sizes. That’s why it’s important to be aware of the latest communications from software and service developers. Microsoft relies on a Microsoft 365 Message Center to keep customers aware of changes that impact the Microsoft Office 365 environment. It’s a link on the left side of the admin portal, and it provides important news, detailed information, and visual indications of items that require an administrator’s attention. It can describe the specific actions that administrators need to take for change management and the timeframes for those changes.

“Another way to stay current on products and features is by checking in with the docs.microsoft.com site,” says Darren Moffatt, senior service engineer for Microsoft 365.

“It’s pretty much our encyclopedia of everything Microsoft,” Moffatt says. “It can be super technical, but it can also have good documentation on simply how a feature works from a visual perspective. So my advice is: if there are customers, especially admins that have not made reviewing docs.microsoft.com part of their cadence or made a habit of checking it out and going to it as their reference, do that.”

Microsoft has made it easier for organizations to handle their Message Center with the help of Planner. By bringing the Message Center and Planner together, companies can now evaluate if a message could potentially affect their operations. This integration allows them to quickly assess the importance of each message and assign it to the right person for further review if needed. With Planner’s assistance, the triage process becomes smoother, ensuring that all relevant messages are carefully examined and addressed promptly.

Learn more about staying on top of important announcements from the message center with Microsoft Planner.

The changing face of IT

As the modern workforce continues to shift productivity and resources to the cloud, IT is no longer just focused on tech support. It’s now deeply involved in business enablement and improving the bottom line.

IT historically was separated into silos. The Microsoft SharePoint people were in one, and the Microsoft Exchange people were in another, and everyone had their distinct roles. But those boundaries have come down as software has enabled more collaboration. Now, working in IT means having knowledge across disciplines, and Microsoft wants to immerse employees in different areas and give them experiences that help build broader skill sets and handle change management, Moffatt says. So, when change comes at you fast—as it often does—more of the team is ready to respond.

“Microsoft has also really pushed everybody so that every quarter you don’t just get to sit on your laurels,” he says. “You do have to be very clear about how you’re going to learn and grow as an employee.”

Employees don’t see the boundaries between the services, according to Johnson. They see the boundaries across scenarios, and those scenarios are now starting to blend.

“All of these services converged because our employee scenarios converged,” he says. “Collaboration doesn’t start or end at a meeting. Voice call is no longer just a voice call; it’s now a chat and files that you’re sharing. That’s why you converge a lot of these experiences to enable effectively a more complete package for your employees.”

In a broader context, continuous improvements in change management, security, and collaboration facilitated by Microsoft 365 can indirectly contribute to enhancing AI experiences. As organizations adopt efficient change management practices, stay updated with the latest features and updates, and strike a balance between security and innovation, they create an environment that is conducive to leveraging AI technologies effectively. This allows organizations to embrace AI-driven solutions, streamline processes, and deliver more personalized and efficient AI experiences to their users.

Key Takeaways

  • Evaluate upcoming changes ahead of schedule. Consider factors like security, privacy, legal compliance, HR policies, and IT manageability to ensure a smooth transition.
  • Stay informed about the latest news and updates that impact your service environment.
  • Gradually deploy changes using a ring structure, starting with internal testing and expanding to a broader audience.

Advancing your meetings with the Microsoft Teams Meeting Guide http://approjects.co.za/?big=insidetrack/blog/advancing-your-meetings-with-the-microsoft-teams-meeting-guide/ Mon, 13 Jan 2025 19:56:21 +0000
Microsoft Digital technical stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

At Microsoft, we’re transforming the meeting experience to encourage collaboration and increase productivity.

At the beginning of the COVID-19 pandemic, the shift to predominantly remote meetings inspired our Microsoft Digital team to examine what makes an effective meeting in which everyone feels included. We then used this research to develop the Microsoft Teams Meeting Guide, which is a Modern SharePoint site that’s available to all Microsoft employees. We’ve found this guide to be so useful that we’re inviting you to download and repurpose it in your own Modern SharePoint site. We believe that this content can help evolve your company’s meetings, too.

Getting started

Imagine that all your meetings empower participation and meet the goals you’ve set. Imagine further that people attending your meetings know why they’re invited and how to prepare. Imagine still that your meetings encourage building collaboration and communication rather than result in fatigue. Our Microsoft Digital team is helping make these dreams a reality with the creation of the Microsoft Teams Meeting Guide.

We want to improve how Microsoft employees can achieve more together, helping improve collaboration and promote productivity for all of our employees.

To create the Microsoft Teams Meeting Guide, we worked with Microsoft Research and product groups to develop a research-based guide about how to run effective meetings. We’ve been using this engaging guide, built in Modern SharePoint, since March 2021, and have updated it regularly as Microsoft Teams releases new features or best-practice guidance changes.

This blog post introduces research that led to the development of the Microsoft Teams Meeting Guide and how the guide’s use has helped Microsoft employees. NOTE: We’re providing visuals from the Microsoft Teams Meeting Guide as examples only.

Examining remote-meeting experiences

Before the onset of the COVID-19 pandemic, there usually were attendees who joined meetings remotely while others gathered in person. The remote attendees often found themselves inadvertently left out of conversations and, sometimes, even the meetings.

“The biggest challenge would be that most of the people there were in person and would start discussions, sometimes even before walking into the room,” says Ed Gonzalez, a curriculum manager on the Global CO+I/GOLD Learning & Development team at Microsoft. “They’d be involved in those discussions and, because of that, forget to start the meeting. And there’d be two or three of us just waiting and waiting, and so we missed a lot that way.”

The pandemic levelled the playing field, as suddenly everyone was attending meetings remotely. We saw this as an opportunity to examine and learn about the gaps and gains with respect to remote meetings. We then applied this learning to hybrid meetings, where there are both remote and in-person attendees. Our Microsoft Digital team researched what makes meetings inclusive and effective, using internal and external surveys, studies, and employee remarks.

Research conclusions

During our research, we discovered that inclusive meetings are at least three times more likely to be effective and that meetings are more inclusive when you:

  • Share an agenda.
  • Begin and end meetings on time.
  • Encourage attendees to use their video functionality.
  • Make it clear who is in the meeting and why.
  • Provide a pre-read for the meeting when you believe it is applicable or helpful.

Developing the Microsoft Teams Meeting Guide

[Figure: Screen capture that depicts meeting phases detailed by the Microsoft Teams Meeting Guide. Six boxes show the meeting room styles and suggestions for hosting: Status, Strategic, Tactical, Informative, Ideation, and Social.]

We developed the Microsoft Teams Meeting Guide to address the challenges we discovered during our research and encourage improvements in those areas. The guide is built on the Microsoft SharePoint Online platform as a site that every employee can access and leverage. It includes helpful guidance about:

  • Starting meetings off right.
  • Reducing meeting fatigue and increasing engagement for attendees.
  • Deciding whether and how attendees should use video.
  • Ensuring attendees have access to the correct information before, during, and after a meeting.
  • Using Teams apps to enhance your meeting.
  • Conducting hybrid meetings.

We want to clearly reveal the most impactful changes that you can make in meetings while encouraging site users to dig deeper into the topics and guidance so they can glean more insights.

“These are simple, thoughtful actions that can make a big difference in the feeling of being comfortable in a meeting, which allows for that inclusion and participation,” says Sara Bush, a principal program manager in Microsoft Digital.

The site supports this with its clean layout and the way in which it organizes information.

The Microsoft Teams Meeting Guide includes 10 key pages, including:

  • A Home page that provides an overview and links to other important pages.
  • Best practices that apply to all meetings at each phase: before the meeting, during the meeting, and after the meeting.
  • Information about each of the six common Microsoft meeting archetypes.

Promoting the meeting guide internally

 

An icon showing multiple devices connected to an animated laptop with dotted lines. The text next to the icon reads “Expect more from meetings”.
Example of a Microsoft internal promotion for the Microsoft Teams Meeting Guide.

The Microsoft Teams Meeting Guide is available to everyone at Microsoft, and we’re employing many strategies to ensure people know about it. Our promotional campaign includes quick bits of information about the guide, links to it, and tips and tricks. We’ve also developed and shared longer blogs, videos, and articles to drive interest in it, and have used forums such as Teams, Microsoft Yammer, and Microsoft’s internal IT help site, as well as newsletters and emails. We continue to release campaigns that coincide with new Microsoft Teams feature releases. Additionally, all new hires receive the Microsoft Teams Meeting Guide and managers are starting to include it in their onboarding materials.

Improving our meetings

Jacqueline Le, a senior business program manager in US Manufacturing, has shared the Microsoft Teams Meeting Guide with many of her colleagues, scheduling quick Microsoft Teams calls to share it, as she finds it’s a great way to encourage people to implement it. She said she especially appreciates the guidance about agendas, which she has leveraged to help her team decide how much time they need for a meeting.

“It’s relatively easy to use and navigate,” Le says. “You can scroll once and quickly assess what you want to get out of it. And then you can scroll again and get some more information. It’s not heavy reading, and it’s more visually appealing.”

Connor Joyce, a behavioral researcher for the Microsoft Viva Insights team, says the guide’s meeting archetypes enable him to pinpoint the type of meetings he needs to organize, which then helps him only invite the people that are most important to that meeting. This means he doesn’t invite people who aren’t required to achieve the meeting goals, thereby giving people their time back and helping reduce meeting fatigue and overload.

“If they really want to know (about the meeting), they can read the notes or watch the recording,” Joyce says. Thus, some employees are finding that the Microsoft Teams Meeting Guide saves them time, as they don’t have to attend some meetings and can review materials asynchronously.

Keeping current

We continue to update the Microsoft Teams Meeting Guide as Microsoft Teams features evolve to help people collaborate more effectively. We’ve been updating guidelines to support hybrid meetings based on our research and Microsoft Teams features that support them.

We’re providing you with the most recent Microsoft Teams Meeting Guide, and we recommend that you provide feedback channels for your own employees and enable them to customize it to meet their needs. You can track new Microsoft Teams features through the Microsoft 365 roadmap and Microsoft Teams help & learning pages.

Key Takeaways

We hope that you’ll customize and implement the Microsoft Teams Meeting Guide in a Modern SharePoint site that is available to your employees, as using it can help your employees save time and reduce meeting overload, use resources more efficiently, and collaborate more effectively with their teammates.

The post Advancing your meetings with the Microsoft Teams Meeting Guide appeared first on Inside Track Blog.

Transforming modern engineering at Microsoft http://approjects.co.za/?big=insidetrack/blog/transforming-modern-engineering-at-microsoft/ Sat, 11 Jan 2025 17:00:47 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=8555

The post Transforming modern engineering at Microsoft appeared first on Inside Track Blog.

Microsoft Digital technical stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Our Microsoft Digital team is implementing a modern engineering vision that creates a culture, tools, and practices focused on developing high-quality, secure, and feature-rich services to enable digital transformation across the company. Our Modern Engineering initiative has helped us be customer-obsessed, accelerated the delivery of new capabilities, and improved our engineering productivity.

Our journey

Our move to the cloud enabled us to increase the overall agility of the development process and accelerate value delivery as approximately 600 services, comprising about 1,400 components, moved to new cloud technologies that provide quicker access to additional infrastructure. This enables spinning up environments and resources on demand, which allows an engineer to respond more quickly to evolving business needs.

However, we still needed to address several structural issues, including inconsistency between teams in basic engineering fundamentals like coding standards, automated testing, security scans, compliance, release methodology, gated builds, and releases.

We lacked a centralized common engineering system and related practices. Recognizing that we could not continue to evolve our engineering system in a federated way, we invested in a central team. The team was chartered to develop a common engineering system based on Microsoft Azure DevOps, while driving consistency across the organization regarding how they design, code, instrument, test, build, and deploy services. We brought a product engineering mindset to our services by defining a vision for each service area and establishing priorities based on objectives and key results (OKRs), which we define, track, and report using Viva Goals. These scope what we want to achieve each planning period, and we then execute on them via a defined cadence of sprints. The resulting engineering processes have promoted business alignment, developer efficiency, and cross-team mobility.

We incorporated industry-leading development practices for accessibility, security, and compliance. Achieving compliance has been very challenging, forcing us to change from legacy processes and tooling and requiring us to actively respond to our technical debt in these areas. We also lacked a consistent level of telemetry and monitoring that allowed us to obtain key insights about service health, features, customer experience, and usage patterns. We have moved towards a Live Site culture so that we can comprehensively drive sustained improvements in service quality. We improved our telemetry capabilities by adding synthetic monitoring, ingesting data from a wide variety of data sources, and using services such as Azure Monitor.

Our vision for modern engineering

Microsoft’s digital transformation requires us to deliver high-quality capabilities and solutions at a faster pace and with reliability and security. To achieve this, we’re modernizing how we build, deploy, and manage our services to get new functionality in our users’ hands as rapidly as possible. We’re re-examining every part of our engineering process and instituting modern engineering practices. Satya Nadella, our Chief Executive Officer, summarized this well.

“In order to deliver the experiences our customers need for the mobile-first, cloud-first world, we will modernize our engineering processes to be customer-obsessed, data-driven, speed-oriented and quality focused.”

Our ongoing investments in modern engineering practices and technology build on the foundation that we’ve already established, and they reflect our vision and support our cultural changes. We have three key pillars on which we’re basing these investments along with a commitment to infuse AI into each pillar wherever appropriate.

  • Customer obsession
  • Engineering productivity
  • Rapid delivery

Customer obsession

We want to ensure our engineers keep customers front and center in their thoughts, so we’re capturing feedback to provide our engineers with a deep understanding of the customer experience. Our service monitoring has enabled us to be alerted to problems and fix them before our customers are even aware of them.

We are the first customers of Microsoft’s commercial offerings, which enables us to identify and address the engineering needs of the enterprise operating in a cloud-centric architecture. We constantly work with our product engineering groups across the company, creating a virtuous cycle that makes our products such as Azure DevOps and Azure services even more enterprise ready.

Using customer feedback to drive development

We’re keeping the customer experience at the center of the engineering process via feedback loop mechanisms. Feedback loops serve as a foundation for hypothesis-driven product improvements based on actual sentiment and usage data. We’re making feedback submission as easy as possible with the same tool that the Microsoft Office product suite uses. The Send a Smile feature automatically and consistently gathers feedback across multiple channels and key user touchpoints. We use this tool as a centralized data system for storing, triaging, and analyzing feedback, then aggregating it into actionable insights.

We encourage adoption of feedback loops and experimentation methods, such as feature flighting and ring deployment, to help measure the impact of product changes. With these foundational components in place, we’re now correlating feedback data with related telemetry so that we can better understand product usability issues and the impact of service issues on customers. Our use of controlled rollouts eliminates the need for UAT environments, which accelerates overall delivery.

Telemetry

We unified the telemetry from disparate systems by building on Azure Monitor to help us implement continuous improvements in the quality of our services. This platform integrates with heterogeneous data sources such as Kusto, Azure Cosmos DB, Azure Application Insights, and Log Analytics to collect, process, and publish data from applications, infrastructure, and business processes. This helps us obtain end-to-end views and generate more actionable insights about our service management.

We’re working toward delivering highly connected insights that aggregate the health of component services, customer experience, and business processes. This produces contextual data that not only identifies events but also identifies root causes and recommended next actions. We’re using business process monitoring (BPM) to monitor true availability and performance by tracking successful transactions and customer impact across multiple services and business groups.

To achieve a sustained level of quality, we’re leveraging synthetic monitoring for all critical services, especially those with a relatively low volume of business transactions. Data-enhanced incident tickets provide a business impact prioritized view of issues, supplemented with potential causes including those identified through Machine Learning. These data-enhanced tickets allow teams to focus on the most important tickets and reduce mitigation time.

We are investing in AI technologies to proactively detect anomalies and automatically remediate them wherever possible. Being able to intelligently respond to incidents reduces support costs and improves service reliability and the overall user experience.

Service health

We have focused on increasing our effectiveness in service and live site incident management. We rolled out a standard incident management process and measured continual improvements against key incident management metrics. We monitor service health metrics and key performance indicators (KPIs) across the organization to understand customer sentiment and ensure services are reliable, compliant, and performing well. We’re using consistent standards, which helps ensure that we can aggregate data at any level in the service hierarchy and compare it across different team groups. We built a more integrated experience on top of Azure Monitor, enriched with contextual data from the unified telemetry platform, and created a set of defined service health measures and an analyzer to track events that can affect service reliability, such as upcoming planned maintenance or compliance related changes. This enables us to detect and resolve issues proactively and quickly. Defined service health measures make it easier to enable service health reporting across various services.

We knew that we must connect service health to business process health, and how we prioritize issues, so that engineers could address them in a way that reduces the negative business impact. The experience we’re building enables visualization of end-to-end business process health and the health of the underlying services by analyzing their telemetry.

We also simplified the flow of service health and engineering fundamentals data to the engineer and reduced the number of dashboards and tools they use. An internal tool is now the key repository for all service owners to view service health and other relevant KPIs. The tool’s integrated notification workflow informs service owners when a service reaches a defined threshold, making it more convenient to prioritize any needed remediation into their backlogs.

Embracing a Live Site culture

Increasing scale and agility in our services and processes required us to focus on making customers’ experiences better. We’re establishing a Live Site culture and pursuing excellence via customer-obsessed, data-driven, multidisciplinary teams. These teams embrace potential failure with honest observation, continuous learning, and measurable improvement targets.

We host an organization-wide, live site review that includes postmortem reviews on incidents, examining long-term remediation plans, and guiding service teams through modern engineering standards that will help them perform robust reviews at a local level. We base these reviews on standard and actionable reports that contain leading indicators for outages or failures based on the analysis of telemetry, synthetic monitoring, and other data.

Engineering productivity

We’re providing our engineers with best-in-class unified standards and practices in a common engineering system, based on the latest Azure tools, such as Azure DevOps. A consistent development environment allows our engineers to transition smoothly between projects and teams. Improved automation, consistency, and centralized engineering systems enable engineers to better focus on the core role of developing. This also reduces onboarding time and allows our engineers to be more flexible across projects.

Integrating developer tooling

We made organizationally mandated code analysis and compliance tools accessible directly within the development environment, thereby helping our shift-left goal. We built self-service capabilities to manage access, set policies, and make changes to Azure DevOps artifacts such as area paths, work items, and repositories. This has made it easy for engineers to create, update, or retire services, components, and subscriptions, minimizing the time spent managing such resources. We want to extend our shift left goal to also examine optimization of our Azure service design and surface recommendations for configuration optimization so that these occur early in the deployment cycle and allow us to rightsize our configurations and avoid unnecessary Azure costs.

Enabling code reuse

While at a low volume, we’re still supporting a few applications (fewer than five percent) that use on-premises servers and domain-joined Azure virtual machines. This results in ongoing effort to patch servers, upgrade software, and perform basic infrastructure maintenance tasks. It also impedes our ability to scale apps to accommodate growth. We’ve transformed these applications to Microsoft Azure platform-as-a-service (PaaS) and software-as-a-service (SaaS) based solutions, thereby leveraging the scale and availability of Azure. We enabled this by providing architectural guidance and tools to migrate data, refactoring existing functionality as APIs, and building lightweight applications by reusing APIs that others have already published.

Promoting data and code reuse to build solutions more rapidly and align with a service-oriented architecture requires that developers have the ability to publish and discover APIs easily. We built an API economy by creating a common set of guidelines for developing coherent APIs, and a central catalog and search experience for discovery. We integrated validation against API guidelines and enabled our teams to integrate API publishing into their Azure DevOps pipelines. We created a set of common API health analytics. We also enabled the growth of inner source, through which teams share code outside of APIs.

Workforce strategies

To address our previous high level of dependency on suppliers, we implemented a new workforce strategy, hiring more full-time employees and bringing more work in-house. This allowed us to transform and modernize how we deliver services. Furthermore, this workforce strategy makes it imperative that there is full-time employee oversight of any supplier deliveries, ensuring they adhere to processes, standards, and regulatory requirements, including security, accessibility, and privacy. We implemented a common bar for hiring across all teams and a common onboarding program to ensure all new hires receive a consistent level of training on all key tools and technologies. As we ramp up our use of AI technologies to further transform our engineering, we are investing in re-skilling and training initiatives to expand the engineering capacity available to work on AI-related projects.

Universal design system

We leveraged Microsoft’s product design system to engineer solutions that look and behave like other Microsoft products. Every product should meet the quality expectations of today’s consumers, meaning that every piece of the user interface (UI) and user experience (UX) should be engineered with accessibility, responsiveness, and familiar behaviors, states, motion, and visual styling. On complex but common components like headers, navigation menus, and data grids this can mean weeks of engineering time multiplied across every Microsoft Digital team that requires the same components. This is considerably reduced by adopting a universal design system.

Rapid delivery

To be customer-obsessed, we’re acquiring and protecting customer trust in every aspect of our relationship. We are tracking delivery metrics so that we can shorten lead times from ingestion of customer requirements to the time the solution is in the customer’s hands and then on to measuring customer usability and feedback, while still ensuring service reliability. We’re helping engineers achieve this objective by checking for issues earlier in the pipeline and providing a way to rapidly experiment and mitigate risk. We are building feedback-loop mechanisms to ensure that we can understand the user experience as new functionality gets deployed, and we perform automated rollbacks if customer reaction or service-health signals are less favorable than we anticipated.

Integrating security, accessibility, and fundamentals

Delivering secure, compliant, accessible, dependable, and high-quality services is critical to building trust with our customers. Our engineers are checking for issues earlier in the pipeline, and we’re enabling them to experiment rapidly while limiting potential negative effect on the release process.

We moved to a shift left process, in which work happens as early in the development process as possible. This enabled us to avoid carrying debt from sprint to sprint. We also implemented gates in the developer workflow that help build security in a streamlined way and auto-onboarding services to ensure continuous compliance.

We scan code for security issues and log the bugs that we discover during scanning in Azure DevOps, so developers can fix them directly in the same engineering system they use for other functional bugs rather than having to triage them separately from security tools.

We assess accessibility within our applications, but this happens late in the development process. To move this further upstream, we adopted accessibility insights tooling during development and now expose accessibility-related bugs as part of the pipeline workflow.

We are adopting AI technologies for providing accessibility guidance and conducting accessibility assessments to ensure that our applications conform to accessibility requirements.

Additionally, we enabled engineering teams to utilize the guardrails we’re implementing by integrating policy fundamentals into the pipeline, and we’re implementing continuous integration practices. This ensures that all production releases, including hot fixes, come from builds of the main branch of source code and all have appropriate compliance steps applied consistently. Each pull request must have a successful build to ensure that the main branch is golden and always production ready. Maintaining high-quality code in the main branch minimizes build failures that ultimately slow our time to production.

Deploying safely to customers

We created an environment where teams test ideas and prototypes before building them. The goal is to drive customer outcomes in a way that encourages risk-taking with a fail-fast, fail-safe mentality. Central to increasing the velocity of service updates to customers is a consistent, simple, and streamlined way to implement safe deployments. Progressive exposure and feature flags are key in deploying new capabilities to users via controlled rollouts, so we can quickly start receiving customer feedback.

We implemented checks and balances in the process by leveraging service indicators such as latency and faults within the pipeline, thereby catching regressions and allowing initiation of automated rollbacks when predefined thresholds are exceeded. Safe deployment practices and a streamlined, well-managed pipeline are two of the key elements for achieving a continuous integration, continuous deployment (CI/CD) model.
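A health gate of the kind described above, as an added Python sketch rather than Microsoft's pipeline code (which the post does not show). The ring names, the threshold values, and the telemetry are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    p95_latency_ms: float  # assumed limit, not a value from the post
    fault_rate: float      # assumed maximum share of failed requests
    min_requests: int      # below this the ring has too little traffic to judge


def p95(samples):
    """Nearest-rank 95th percentile, using integer arithmetic only."""
    ordered = sorted(samples)
    rank = (95 * len(ordered) + 99) // 100  # ceil(0.95 * n)
    return ordered[rank - 1]


def evaluate_ring(latencies_ms, faults, limits):
    """Return 'promote', 'hold' or 'rollback' for one ring's telemetry."""
    total = len(latencies_ms)
    if total < limits.min_requests:
        # Absence of failures on a quiet ring is not evidence of health.
        return "hold"
    if faults / total > limits.fault_rate:
        return "rollback"
    if p95(latencies_ms) > limits.p95_latency_ms:
        return "rollback"
    return "promote"


def progressive_rollout(rings, telemetry, limits):
    """Expose rings in order and stop at the first one that is not healthy."""
    exposed = []
    for ring in rings:
        exposed.append(ring)
        latencies, faults = telemetry[ring]
        decision = evaluate_ring(latencies, faults, limits)
        if decision == "rollback":
            # Undo every ring that received the build, newest exposure first.
            return {"decision": "rollback", "failed_ring": ring,
                    "roll_back": exposed[::-1]}
        if decision == "hold":
            return {"decision": "hold", "failed_ring": ring, "roll_back": []}
    return {"decision": "complete", "failed_ring": None, "roll_back": []}


LIMITS = Thresholds(p95_latency_ms=250, fault_rate=0.02, min_requests=50)
RINGS = ["ring0-team", "ring1-org", "ring2-all"]  # hypothetical ring names

# Constructed telemetry: (latency samples in ms, failed request count).
TELEMETRY = {
    "ring0-team": ([120] * 190 + [300] * 10, 1),
    "ring1-org": ([130] * 500, 20),   # 4% faults, above the 2% limit
    "ring2-all": ([125] * 5000, 10),  # never consulted: rollout stops at ring1
}

if __name__ == "__main__":
    print(progressive_rollout(RINGS, TELEMETRY, LIMITS))
```

The "hold" outcome covers low-traffic rings, where a gate that only looks for failures would otherwise promote a build nobody has exercised.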

Reliability and efficiency

We are enhancing our DevOps engineering pipeline across services by identifying and removing bottlenecks and improving our services’ reliability. We’ll use DevOps Research and Assessment (DORA) metrics to measure our execution and monitor our progress against industry benchmarks.

We’re focusing on deployment frequency, lead time for changes, change failure rate, and mean time to recover in order to gain a comprehensive view of our software or service delivery capabilities. Based on this data, we’ll increase productivity, speed up time-to-market, and enhance user satisfaction.

Key Takeaways

  • We’re making our vision for modern engineering a reality at Microsoft by promoting a Live Site first culture, using data to provide service and business process health signals to inform the rapid iteration on new ideas and capabilities with customers.
  • We’re supporting this by moving to an Azure DevOps model of continuous integration and continuous deployment governed by a standardized engineering pipeline with automatic policy enforcement.
  • The Live Site first culture and the tools and ceremonies that support it have increased visibility into engineering processes, improved the quality and delivery of our services and improved our insight into our customer experiences, all of which ensure we are continually improving and adapting our set of services and processes to support digital transformation now and into the future.

Moving to next-generation SIEM at Microsoft with Microsoft Sentinel http://approjects.co.za/?big=insidetrack/blog/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel/ Thu, 09 Jan 2025 15:05:50 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=9028

The post Moving to next-generation SIEM at Microsoft with Microsoft Sentinel appeared first on Inside Track Blog.

Microsoft Digital technical stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Our internal security team works diligently 24 hours a day, 7 days a week to help protect Microsoft IP, its employees, and its overall business health from security threats.

We recently implemented Microsoft Sentinel to replace a preexisting, on-premises solution for security information and event management (SIEM). With Microsoft Sentinel, we can ingest and appropriately respond to more than 20 billion cybersecurity events per day.

Microsoft Sentinel supplies cloud-scale SIEM functionality that allows integration with crucial systems, provides accurate and timely response to security threats, and supports the SIEM requirements of our team.

Our team is responsible for maintaining security and compliance standards across Microsoft. Managing the massive volume of incoming security-related data is critical to Microsoft’s business health. Historically, we have performed SIEM using a third-party tool hosted on-premises in Microsoft datacenters.

However, we recognized several areas in which we could improve our service by implementing a next-generation SIEM tool. Some of the challenges when using the old tool included:

  • Limited ability to accommodate increasing incoming traffic. Ingesting data into the previous SIEM tool was time consuming due to limited ingestion processes. As the number of incoming cybersecurity events continued to grow, it became more evident that the solution we were using wouldn’t be able to maintain the necessary throughput for data ingestion.
  • On-premises scalability and agility issues. The previous solution’s on-premises nature limited our ability to scale effectively and respond to changing business and security requirements at the speed that we required.
  • Increased training requirements. We needed to invest more resources in training and onboarding with the previous solution, because it was on-premises and customized to meet our requirements. If we recruited employees from outside Microsoft, they needed to learn the new solution—including its complex on-premises architecture—from the ground up.

As part of our ongoing digital transformation, we’re moving to cloud-based solutions with proven track records and active, customer-facing development and involvement. We need our technology stack to evolve at the speed of our business.

Modernizing SIEM with Microsoft Sentinel

In response to the challenges presented, we began assessing options for a new SIEM environment that would address these challenges and position our team to manage the continued growth of the cybersecurity landscape.

Feature assessment and planning

In partnership with the Microsoft Sentinel product team, our internal security division assessed whether Sentinel would be a suitable replacement for our previous solution. Sentinel is a Microsoft-developed, cloud-native enterprise SIEM solution that uses the cloud’s agility and scalability to ensure rapid threat detection and response through:

  • Elastic scaling.
  • AI-infused detection capability.
  • A broad set of out-of-the-box data connectivity and ingestion solutions.

To move to Microsoft Sentinel, we needed to verify that equivalent features and capabilities were available in the new environment. We aligned security teams across Microsoft to ensure that we met all requirements. Some of these teams had mature monitoring and detection definitions in place, and we needed to understand those scenarios to accommodate feature-performance requirements. The issues that our previous solution presented narrowed our focus with respect to whether Sentinel would work, including throughput, agility, and usability.

Throughout the assessment period and into migration, we worked closely with the Microsoft Sentinel product team to ensure that Microsoft Sentinel could provide the feature set we required. Our engagement with the Microsoft Sentinel team addressed two sets of needs simultaneously. We received significant incident-response benefits from Microsoft Sentinel while the product team worked with us as if we were a customer. This close collaboration meant that the product team could identify what enterprise-scale customers needed more quickly.

Not only were our requirements met, but we were able to provide feedback and testing for the Microsoft Sentinel product team. This helped them better serve their large customers that have similar challenges, requirements, and needs.

Defining and refining SIEM detections

As we developed standards that met our new requirements, we also evaluated our previous SIEM solution’s functionality to determine how it would transition to Microsoft Sentinel. We examined three key aspects of incoming security data ingestion and event detection:

  • Data-source validity. We pull incoming SIEM data from hundreds of data locations across Microsoft. As time has passed, some of these data sources remained valid but others no longer provided relevant SIEM data. We assessed our entire data-source footprint to determine which data sources Microsoft Sentinel should ingest and which ones were no longer required. This process helped us to better understand our data-source environment and refine the amount of data ingested. There were several data sources that we weren’t ingesting with the previous solution because of performance limitations. We knew that we wanted to increase ingestion capability when moving to Microsoft Sentinel.
  • Detection importance. Our team examined event-detection definitions used throughout the previous SIEM solution, so we could understand how detections were being performed, which detection definitions generated alerts, and the volume of alerts from each detection. This information helped us identify the most important detection definitions, so we could prioritize these definitions in the migration process.
  • Detection validity. Our security teams evaluated the list of detections from our SIEM environment so we could identify invalid detections or detection definitions that required refinement. This helped us create a more streamlined set of detections when moving into Microsoft Sentinel, including combining multiple detection definitions and removing several detections.

Throughout this process, we worked with the Microsoft Security Operations team to evaluate detections end-to-end. They got involved in the detection and data-source refinement process and were exposed to how these detections and data sources would work in Microsoft Sentinel.

Implementation

After feature parity and throughput capabilities were confirmed, we began the migration process from our previous solution to Microsoft Sentinel. Based on our initial testing, we added several implementation steps to ensure that our Sentinel environment would readily meet our security environment’s needs.

Onboarding data sources

Properly onboarding data sources was a critical component in our implementation and one of the biggest benefits of the Microsoft Sentinel environment. With the large number of default connectors available in Sentinel, we were able to connect to most of our data sources without further customization. This included cloud data sources such as Microsoft Azure Active Directory, Microsoft Defender for Cloud, and Microsoft Defender. It also included on-premises data sources, such as Windows Events and firewall systems.

We also connected to several enrichment sources that supplied more information for threat-hunting queries and detections. These enrichment sources included data from human-resources systems and other nontypical data sources. We used playbooks to create many of these connections.

We keep Microsoft Sentinel data in hot storage for 90 days, using Kusto Query Language (KQL) queries for detections, hunting, and investigation. We also use Microsoft Azure Data Explorer for warm storage and Microsoft Azure Data Lake for cold storage and retrieval for up to two years.

Refining detections

Based on testing, we refined our detection definitions further in Sentinel to support better alert suppression and aggregation. We didn’t want to overwhelm our Security Operations team with incidents. Therefore, we refined our detection definitions to include suppression logic when notification wasn’t required and aggregation logic to ensure that similar and related events were grouped together and not surfaced as multiple, individual alerts.
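
The suppression and aggregation logic described above, modeled in Python as an added example (it is not Microsoft's detection code or a Sentinel rule). The rule names, accounts, addresses, the 30-minute grouping window, and the time-limited suppression list are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Hit:
    """One raw detection match (constructed fields, not a Sentinel schema)."""
    time: datetime
    rule: str
    entity: str   # account or host the detection fired on
    source: str   # for example, the originating IP address


@dataclass
class Incident:
    rule: str
    entity: str
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    sources: set = field(default_factory=set)


def triage(hits, suppress, window=timedelta(minutes=30)):
    """Turn raw hits into incidents; returns (incidents, suppressed_count).

    suppress maps (rule, entity) -> expiry time. Hits before the expiry are
    counted but not surfaced, so a suppression cannot hide activity forever.
    Other hits for the same (rule, entity) are merged into one incident for
    as long as each arrives within `window` of the previous one.
    """
    latest = {}       # (rule, entity) -> most recent incident for that key
    incidents = []
    suppressed = 0
    for hit in sorted(hits, key=lambda h: h.time):
        key = (hit.rule, hit.entity)
        expiry = suppress.get(key)
        if expiry is not None and hit.time < expiry:
            suppressed += 1
            continue
        inc = latest.get(key)
        if inc is None or hit.time - inc.last_seen > window:
            # Quiet for longer than the window: open a new incident.
            inc = Incident(hit.rule, hit.entity, hit.time, hit.time)
            latest[key] = inc
            incidents.append(inc)
        inc.last_seen = hit.time
        inc.count += 1
        inc.sources.add(hit.source)
    return incidents, suppressed


def at(hhmm):
    """Helper for the sample data: a time on one constructed day."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2024, 1, 1, hour, minute)


# Constructed sample data: rule names, accounts and addresses are invented.
SAMPLE_HITS = [
    Hit(at("09:00"), "failed_signin_burst", "alice", "203.0.113.10"),
    Hit(at("09:02"), "failed_signin_burst", "svc-scanner", "198.51.100.5"),
    Hit(at("09:03"), "failed_signin_burst", "svc-scanner", "198.51.100.5"),
    Hit(at("09:05"), "failed_signin_burst", "alice", "203.0.113.11"),
    Hit(at("09:10"), "failed_signin_burst", "alice", "203.0.113.10"),
    Hit(at("09:20"), "new_admin_role", "bob", "192.0.2.7"),
    Hit(at("10:30"), "failed_signin_burst", "svc-scanner", "198.51.100.5"),
    Hit(at("11:00"), "failed_signin_burst", "alice", "203.0.113.12"),
]
# The scanner account is suppressed only until 10:00 (assumed review time).
SUPPRESS = {("failed_signin_burst", "svc-scanner"): at("10:00")}

if __name__ == "__main__":
    found, dropped = triage(SAMPLE_HITS, SUPPRESS)
    print(f"{len(SAMPLE_HITS)} hits -> {len(found)} incidents, {dropped} suppressed")
    for inc in found:
        print(inc.rule, inc.entity, inc.count, sorted(inc.sources))
```

Eight raw hits become four incidents: the three early hits on one account collapse into a single incident, and the scanner account surfaces again once its suppression has expired.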

Increasing scale with the cloud

We used dedicated clusters for Microsoft Azure Monitor Log Analytics to support the data-ingestion scalability we required. At a large enterprise scale, our previous solution was exceeding its capacity at 10 billion events per day. With dedicated clusters, we were able to accommodate that initial volume and add data sources to improve alert detection, thereby increasing our event ingestion to more than 20 billion events per day.

Customizing functionality

Our environment required several customizations to Sentinel functionality. We implemented them by using standard Microsoft Sentinel features and extension capabilities, so our changes met our needs while staying within the boundaries of standard functionality. Using common features for customization made our changes to Sentinel easy to document and helped our security operations team understand and use the new features more quickly. We made several important customizations, including:

  • Integration with our IT service-management system. We integrated Microsoft Sentinel with our security incident management solution. This had a two-fold positive effect, as it extended Sentinel information into our case-management environment and provided our support teams with exactly the information they need, regardless of which tool they’re in.
  • Implementation of Microsoft Defender for Cloud playbook to support scale. We used a playbook to automate the addition of more than 20,000 Azure subscriptions to Microsoft Defender for Cloud.
  • High-volume ingestion with Microsoft Azure Event Hub and Microsoft Azure Virtual Machine Scale Sets. We built a custom solution that ingested the large volume of events from our firewall systems that exceeded the capabilities of on-premises collection agents. With the new solution, we can ingest more than 100,000 events per second into Microsoft Sentinel from on-premises firewalls.

Figure: Architecture for the new SIEM solution using Microsoft Sentinel, showing the workflow from data sources, to the event store, and the portal user experience.

Key Takeaways

We’ve experienced several important benefits from using Microsoft Sentinel as our SIEM tool, including:

  • Faster query performance. Our query speed with Microsoft Sentinel improved drastically. It’s 12 times faster than it was with the previous solution, on average, and is up to 100 times faster with some queries.
  • Simplified training and onboarding. Using a cloud-based, commercially available solution like Microsoft Sentinel means it’s much simpler to onboard and train employees. Our security engineers don’t need to understand the complexities of an underlying on-premises architecture. They simply start using Sentinel for security management.
  • Greater feature agility. Microsoft Sentinel’s feature set and capabilities iterate at a much faster rate than we could maintain with our on-premises developed solution.
  • Improved data ingestion. Microsoft Sentinel’s out-of-the-box connectors and integration with the Microsoft Azure platform make it much easier to include data from anywhere and extend Sentinel functionality to integrate with other enterprise tools. On average, it’s 18 times faster to ingest data into Sentinel using a built-in data connector than it was with our previous solution.

Throughout our Microsoft Sentinel implementation, we reexamined and refined our approach to SIEM. At Microsoft’s scale, very few implementations go exactly as planned from beginning to end. However, we took away several lessons from our Sentinel implementation, including:

  • More testing enables more refinement. We tested our detections, data sources, and processes extensively. The more we tested, the better we understood how we could improve test results. This, in turn, meant more opportunities to refine our approach.
  • Customization is necessary but achievable. We capitalized on the flexibility of Microsoft Sentinel and the Microsoft Azure platform often during our implementation. We found that while out-of-the-box features didn’t meet all our requirements, we were able to create customizations and integrations to meet the needs of our security environment.
  • Large enterprise customers might require a dedicated cluster. We used dedicated Log Analytics clusters to allow ingestion of nearly 20 billion events per day. In other large enterprise scenarios, moving from a shared cluster to a dedicated cluster might be necessary for adequate performance.

The first phase of our migration is complete! However, there’s still more to discover with Microsoft Sentinel. We’re taking advantage of new ways to engage and interact with connected datasets and using machine learning to manage some of our most complex detections. As we continue to grow our SIEM environment in Sentinel, we’re capitalizing on Sentinel’s cloud-based benefits to help meet our security needs at an enterprise level. Sentinel provides our security operations teams with a single SIEM solution that has all the tools they need to successfully complete and manage security events and investigations.


The post Moving to next-generation SIEM at Microsoft with Microsoft Sentinel appeared first on Inside Track Blog.

Microsoft’s cloud-centric architecture transformation http://approjects.co.za/?big=insidetrack/blog/microsofts-cloud-centric-architecture-transformation/ Sun, 22 Dec 2024 18:06:17 +0000

Microsoft Digital technical stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Here at Microsoft, we’re building our systems in the cloud to be agile, resilient, cost effective, and scalable—this allows us to be proactive and innovative as we transform our IT and business operations. Microsoft Azure resides at the core of our architecture, and we’re using the platform to automate our processes, unify our tools, and improve our engineering productivity. We’re working toward a process driven by user experience, which changes the way we provision and manage our IT infrastructure.

For us, Microsoft Digital, the organization that powers, protects, and transforms the company, a modern cloud-centric architecture is foundational to our digital transformation. To fuel that transformation, we’re building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation. To learn more about how we’re transforming, refer to Inside the transformation of IT and operations at Microsoft.

Building a foundation for digital transformation

Microsoft Azure is now the default platform that our IT infrastructure is built upon. Several years ago, Microsoft Digital created a vision for moving from on-premises datacenters to Azure as the “first and best customer” of our cloud services. We examined our infrastructure to understand usage practices and how we could best support application teams via Azure subscriptions and connectivity options. We reviewed on-premises datacenter assets and developed schedules to migrate or retire the assets and to close multiple datacenters.

Our leadership established plans at the strategic level to move applications, which trickled down to individual cloud migration and adoption plans for each part of the organization. Our cloud-centric approach thus created a functional and flexible platform for our services and processes.

We’re using Microsoft Azure to enable a self-service model for users of the platform—providing robust telemetry and reporting capabilities via Microsoft Azure Monitor and Application Insights and using Microsoft Azure ExpressRoute to facilitate enterprise-level connectivity to the cloud from our facilities and networks.

Establishing a vision for cloud-centric architecture

We’ve moved more than 93 percent of our on-premises infrastructure to the cloud, and we’re assessing our strategic initiatives around our cloud efforts. We’ve fulfilled our goal of moving out of the datacenter. However, many services moved from virtual machines (VMs) running in a datacenter to infrastructure as a service (IaaS) VMs running in Microsoft Azure with very little change to those services. We thus recognize the opportunity to further optimize our presence in the cloud by creating more-refined and targeted strategic initiatives both for the company itself and as examples for external customers.

We need to modernize our application and service portfolio to take advantage of capabilities that were previously unattainable because of datacenter and support constraints. We need to examine how we manage our data and work toward a strategy that separates data from compute resources. We need to examine open-source big data platforms, event processing, and other modern services that we can more effectively scale. Policies should enforce required controls for all configurations to improve safety regardless of the network involved. We also need to continue embracing modern engineering practices and pipelines and Microsoft Azure DevOps methods of managing services. We’re capturing the transformation of cloud-centric architecture in the following investment areas:

  • Transitioning from on-premises to cloud offerings to enable dynamic elastic compute, georedundancy, a unified data strategy (that uses Microsoft Azure Data Lake), and flexible software-defined infrastructures.
  • Moving to cloud-centered IT operations, including automation for provisioning, patching, monitoring, and backing up our cloud and on-premises environments through Microsoft Azure-based offerings. In this way, software engineers can manage their Microsoft Azure DevOps environments with a minimal number of manual operations.
  • Facilitating continued company growth and the improvement of our platform services while staying flat on the running cost of our services.
  • Developing deeper and richer insights into our service reliability via the standardization of monitoring solutions through Application Insights, incident-management tooling, and automatic alerting. At the same time, we’re increasingly modeling our critical business processes and helping ensure end-to-end integrity through the monitoring and alerting of complex processes spanning multiple systems.
  • Supplying a powerful feedback loop to our product-group partners (such as those for Azure, Microsoft Dynamics 365, and Windows) to showcase Microsoft running on Microsoft. This is resulting in an improved enterprise-customer experience, including running one of the largest SAP instances entirely on Microsoft Azure and helping ensure that Azure is SAP-ready for our customers.

Designing for the future

As our services move to these modern designs, our architectures need to evolve. We need to build our solutions to adopt the advantages of Azure and to adapt as those advantages change and grow. We need to clearly understand that Zero Trust efforts will change how users access our solutions. Our network postures and zonal controls need to adapt as well. “Internet first” should be the goal of all solutions. We need to implement the governance of all corporate resources—regardless of their network environments—and recognize that user identity and data are the critical resources to keep under the proper controls. Through this continued transition to a more cloud-centric architecture, we need to remain cost effective and create clear guidance on how to transform from VMs and on-premises solutions to modern solutions.

Enabling the cloud-centric architecture

Deploying workloads to the cloud introduces the need to develop and maintain trust in the cloud to the same degree that we have in our existing datacenters. In this model, we can apply isolation policies to help achieve the required levels of security and trust. To use the cloud as our trusted platform for our new cloud-centric architecture, we need to invest in plans for multiple areas:

  • Administering the Microsoft Azure fabric
  • Using Infrastructure as Code (IaC) and Microsoft Azure DevOps
  • Using identity management and governance
  • Using modern apps and data solutions
  • Using modern networks

The following sections detail the specific investments that combine to fulfill these requirements.

Administering the Microsoft Azure fabric


The Microsoft Azure fabric is a collection of programming interfaces that allows application engineering to interact with the underlying services and infrastructure. On one end of the spectrum is an application engineer connecting to the fabric and running a script to provision a VM. On the other end of the spectrum is automation connecting to the fabric, pushing data into a service, merging this data with external data sources, performing an analysis, and then publishing this data to a user interface for consumption.

The role of the IT infrastructure provider will be to supply security-enhanced, flexible, and reliable hosting in our corporate fabric for applications and data (whether in our private or our public cloud). From the perspective of an application engineering team, provisioning infrastructure will appear a lot like updating templates and running scripts that land code and data in VMs; in containers; or in purpose-built, platform as a service (PaaS) solutions, like Microsoft Azure SQL Database. The role of the core hosting provider will be to present a flexible, reliable, and safer fabric to these teams for interaction with their templates and scripts.

The role of the infrastructure team will be to enable frictionless and security-enhanced access to a fabric of APIs. A subscription will enable access to the scope of computing capacity that the subscriber can use. Subscriptions will connect to on-premises environments for hybrid scenarios, to added subscriptions for scaling out, and to third-party services for specialized processing. Our infrastructure team will need to do all of this in a security-enhanced manner, use standardized methods and building blocks, and maintain fiscal effectiveness. The team will need to conduct these interactions in a way that Microsoft deems appropriate.

The role of the fabric administrator will be to provision this fabric through subscriptions and to help ensure that each subscription has the required capacity and connectivity to meet the demands of the application in a security-enhanced and fiscally responsible manner. The fabric administrator will:

  • Build subscriptions and help ensure that enough capacity exists to accommodate the demands of each application.
  • Connect subscriptions to our corporate network zones where appropriate and help ensure that the required connectivity exists for the application to adequately perform and to reliably and securely communicate with integration points.
  • Help ensure that our corporate standards for configuration and security are applied to the subscription.
  • Work to continuously grow and expand our fabric. That is, we in Microsoft Digital will continuously release new capabilities and expand our cloud presence.
  • Continuously monitor and troubleshoot fabric-related issues.

In many ways, our IT organization will function like a managed service provider or Azure service broker. The Microsoft Azure product group recognizes that a necessary gap exists between corporate application engineering and Azure services. We refer to this addressable gap as the corporate context. The corporate context consists of the specific company’s policies, standards, identity scenarios, and network connectivity scenarios. It’s the role of the service broker or fabric administrator to apply the corporate context to the fabric to enable loosely moderated consumption by application engineering teams.

Using IaC and Microsoft Azure DevOps

Within the IaC and Microsoft Azure DevOps area, we’re building a more agile and flexible process for developing and deploying critical pieces of the cloud-centric architecture. Self-service and automation are paramount, driving the goal of empowering our engineers to quickly create and configure their solutions in an unencumbered manner.

IaC

Infrastructure as Code (IaC) is the process of managing and provisioning cloud infrastructure and its configuration through definition files that machines can process—rather than through the configuration of physical hardware or the use of interactive configuration tools. IaC is about using scripts and templates to build or configure a connected landing place for applications and business data.

IaC doesn’t involve building user-interactive portals or creating tickets for others to run automation. IaC instead involves supplying standardized, robust APIs to application engineering teams to integrate into their deployment automation. Beyond supplying APIs, the infrastructure team supplies standard, curated configuration templates and software images for application engineering teams to consume.

Within the Microsoft Azure Resource Manager framework, Azure contains recognized IaC that allows engineering teams to rapidly provision the underlying hosting platform for their applications.

Microsoft Azure DevOps

We need to continue the push from fully centralized operations to a Microsoft Azure DevOps model. Specific efforts from infrastructure teams in partnership with business units need to continue and improve in the following ways:

  • Continuing to decentralize operations that involve governance and auditing, while the centralized team remains responsible for the security and compliance posture
  • Investing in management groups and Microsoft Azure Policy to supply guardrails for Microsoft Azure DevOps environments
  • Decentralizing services, including those for patching, configuring, monitoring, backup, and managing alerts and events
  • Gaining clarity on who’s responsible for responding to incidents by using the proper tools and processes for Microsoft Azure DevOps
  • Improving automation by investing in tools such as Chef, creating a runbook library strategy, and specifying how teams should use Microsoft Azure Automation
  • Ensuring that Microsoft Azure DevOps processes can properly deal with accessibility and privacy

Using identity management and governance

Identity management and governance supply the guardrails that help protect our cloud-centric architecture. Identity is the new perimeter in modern networking and architecture, so it deserves high-priority consideration within the architecture to help ensure the security of our environment. Governance is also critical in the modern architecture, helping to guide and safeguard a largely self-service environment.

Identity management

We need to simplify provisioning, entitlements, and access management. We also need to streamline account provisioning and management, helping ensure that all access is auditable and linked to an approved business justification. Finally, we need to ensure that all credentials will expire or be revoked when no longer required while maintaining the principle of least privilege for administrators and users. Our two primary efforts in identity management are:

  • Eliminating passwords through Microsoft Azure Multi-Factor Authentication. We want to remove the use of passwords in favor of strong authentication mechanisms.
  • Helping protect administrators. We want to help ensure that all users with elevated privileges use those privileges in compliance with our access control standard.

Governance

Cloud-focused architectures still require proper guardrails and governance for two reasons: to help protect corporate data and assets from internal and external threats and to help ensure that the data and assets adhere to corporate and compliance standards. Much of our current governance is manual in nature, and some is our own intellectual property created to fill product gaps in Microsoft Azure. As Azure continues to add features, we need to embrace those native features that will help ensure we’re properly governing the cloud:

  • Microsoft Azure Policy will take a forefront position in supplying the right guardrails to help ensure that application teams can operate day to day within subscriptions that will keep the data in those subscriptions safer and more secure.
  • With Microsoft Azure Blueprints, we want to create appropriate sets of controls for bundling policies, networking, role-based access control, runbooks, and templates into full workspace packages that complement the Microsoft Azure DevOps environments we’re pushing teams to use for their day-to-day operations.
  • We need to invest efforts into the lifecycle workflow around governing subscriptions, exception management, and scaling to the enterprise via management groups.

Using modern apps and data solutions

The way we treat our apps and data has changed in cloud-centric architecture. With more user-design models becoming available, engineers no longer function as the only developers in our organization. Users are taking advantage of platforms and tools that offer no-code or low-code development methods to create business solutions. Through all of this and within our more traditionally developed apps, we need to drive consistent development and data usage and protection methods.

Modern apps

As more teams use containers and Microsoft Azure Service Fabric, the infrastructure and security teams need to invest in creating the right guardrails for these new paradigms. This means that even more than previously, we need to track the Microsoft Azure subscription, make the correct policies and templates available, and then apply those policies and templates—to help ensure that the more-transitory resources belonging to modern solutions immediately use the correct controls. Our priorities are as follows:

  • We need to supply design patterns and templates to help ensure that teams build resources according to a standard. Automatic configuration should occur during deployment, and desired state should be automatically enforced on a continual basis.
  • Developers need to create containers by using default images containing the correct settings and policies.
  • For microservices, teams need to build Service Fabric clusters that use standardized settings and policies right from creation time.
  • We need to assess the connectivity that modern apps require. We want users to primarily access these modern systems only via the internet, but private virtual networks might also have some use in data-focused, segmented environments. The hybrid model will benefit some teams and certain types of data.

Modern data solutions

Managing our most-critical data assets will continue to be a top priority going forward. With more modern architectures, an increased ability to separate the compute and storage resources will exist, so managing the storage data will become a critical priority:

  • We need to continue examining solutions based on VMs and Microsoft SQL Server and transition them to more modern architectures.
  • We need to accelerate data deduplication by moving commonly used data sources into Microsoft Azure Data Lake Storage.
  • Our Microsoft Azure DevOps teams need to manage cloud storage in a security-enhanced and efficient manner. This includes having centralized standards for using encryption at rest whenever possible and helping ensure that all solutions use the proper business continuity and disaster recovery options.
  • We need to ensure that we classify, label, and protect all Microsoft data.

Using modern networks

Our investment in the modern networks area involves all aspects of our networking environment. That is, we’re investing in modern deployment and configuration practices to create and support a networking environment that supplies a solid foundation upon which the cloud-centric architecture rests. This includes adopting an internet first network model, increasing support for Software-Defined Networking, making more efficient use of Microsoft ExpressRoute connections, creating more intentional network segmentation, migrating to Internet Protocol version 6 (IPv6), and increasing Network Function Virtualization (NFV).

Internet first

All clients have been moving to an internet first model over time—first, by enrolling mobile devices with Microsoft Intune and, eventually, by connecting branch offices and some corporate offices primarily through the internet instead of through traditional on-premises network connectivity. Clients traversing a virtual private network (VPN) or similar solution for access to corporate applications won’t offer the best model going forward. To become an internet first organization, we’re focusing on the following:

  • We need to make line-of-business applications accessible from the internet by either providing a hybrid connection to the application’s presentation layer, making the presentation layer entirely internet facing, or making the full application internet based versus traditionally on-premises network based.
  • Infrastructure teams need to help secure the solutions in a standardized manner and always use verified intended access.
  • Infrastructure teams need a way to correctly and efficiently handle edge traffic. They need to know how to accurately audit, respond to, and report that traffic.
  • We need to find ways to supply hybrid access for data anchors that stay in a more-restricted zone, which won’t be the on-premises network.
  • We need to invest in resiliency and security for these internet-facing solutions to help prevent unwanted impacts.

With most clients moving to an internet first model over the next few years, we in Microsoft Digital need to examine where line-of-business applications place services going forward. With most clients moving outside the on-premises network boundary, it makes the most sense for the applications they use day to day to have a presence on the internet versus continuing to require a special network connection back to an on-premises network-based solution. To improve services placement, we’re examining the following:

  • Making user-facing services and the presentation layer externally reachable.
  • Placing data or the backend in an administrator channel or private zone if appropriate to help safeguard access.
  • Resolving impact to clients and applications, such as when they send data to an on-premises printer.

Software-Defined Networking and ExpressRoute

Within Microsoft Digital, the Zero Trust and internet first efforts will encourage teams to examine their on-premises, network-bound solutions by using ExpressRoute. Additionally, the Microsoft Azure ExpressRoute service will continue to grow, because a plethora of product teams are just starting to move their lab and build solutions to Azure. Over time, we want teams to examine hosting their solutions outside the traditional corporate network more and more—that is, in a fully internet-based posture, in an appropriate Software-Defined Networking environment, and with defense-in-depth security controls applied.

To further embrace Software-Defined Networking and ExpressRoute, we’re focusing as follows:

  • Teams should modernize their solutions as their first choice versus migrating them directly to Microsoft Azure IaaS services. This needs to become a strategic goal across the organization.
  • For our Microsoft Digital applications, we need to prioritize deployment governance over ExpressRoute usage. This will encourage the transition to modern applications that assume an internet posture versus continued dependence on the on-premises network.
  • Even with a pure internet first design, these modern solutions should use Software-Defined Networking and the security features of Azure that supply controlled access to solutions.
  • We’ll simplify our current ExpressRoute architecture, which uses significant physical resources. We’ll redesign the architecture to use more of the Software-Defined Networking components of Azure. The goals are to reduce costs, increase the deployment speed, make the service easier to consume, and make the service even less reliant on on-premises hardware.
  • We need to engineer differentiated zonal-stratification offerings for production and mission-critical solutions versus those for research and development.
  • We need to revisit the hybrid design options and revise them based on both new features and proper governance within all zones.

Network segmentation

For us in Microsoft Digital, network segmentation is one of the largest components of the cloud-centric architecture. The corporate extranet network and the security zones that define it have existed for decades. In the modern cloud-environment era, we need to revise network segmentation by:

  • Dismantling the on-premises network and its security. This should result in the creation of multiple new zones that have improved controls and management.
  • Noting that the traditional, on-premises-focused perimeter network is deprecated and that we’ve created a modern perimeter network having the proper controls and less blanket access both vertically and horizontally.
  • Using Software-Defined Networking to enable better horizontal network controls for larger zones and for individual zones created for specific solutions.
  • Creating a new and different space for virtual local area networks that includes internal zones and an administrator network specifically segmented to manage devices and the Internet of Things.

Migration to IPv6

Internet Protocol version 4 (IPv4) address ranges continue to be challenging to manage because of the dwindling number of available addresses versus the growth of the environment. We need to accelerate IPv6 deployment to help ensure continued network capacity. IPv6 removes complications from network address translation and simplifies acquisitions. We’re addressing the migration to IPv6 as follows:

  • Our network team has deployed IPv6 to multiple environments and plans to have some areas use only IPv6 (where possible) to remove the dependency on the limited number of IPv4 addresses.
  • Application teams will need to bind their applications to IPv6 in addition to IPv4. Older applications that understand only IPv4 will need to modernize. Security optimization also needs to occur.
  • The research and engineering teams will need to ensure that all policies are correct. They’ll pay special attention to the boundaries between IPv4 and IPv6.

NFV

Going forward, we need to heavily invest in Software-Defined Networking, including Network Function Virtualization (NFV). NFV has substantially improved and will continue to do so. By moving older network zones to the internet, we can increase the internet first mentality while still supplying adequate controls. Making applications self-contained within a specialized zone can help lock down both vertical and horizontal access, which makes solutions more secure. The NFV-related actions include:

  • Creating best practices for zones and disaster recovery.
  • Helping ensure the proper governance of Software-Defined Networking devices and zones.
  • Defining methods for monitoring Software-Defined Networking environments, including those for security, telemetry, and outages.
  • Defining best practices for teams managing multiple perimeter networks versus the single, flat model used on-premises.

Service tunneling

Microsoft Azure is adding the ability to use service tunneling to access resources via VPNs, including ExpressRoute virtual networks. With this new model, teams might be able to use PaaS resources within a more-limited network and security boundary. To improve service tunneling, we’re examining the following:

  • Doing more work to understand this model and how we should use it within Microsoft Digital. This will potentially function as an interim step before getting to a full internet first posture. Service tunneling helps secure connections to Microsoft Azure from on-premises solutions, but we need to examine the benefits of this model and decide if it’s the right model to use going forward.
  • Creating an internet first tie-in. We’re examining the potential for external presentation, where data is kept within a more private network that can use PaaS resources via a service tunnel. We need to work through the proper times and places to use hybrid cloud environments.

Key Takeaways

We’re continually assessing our approaches to cloud-centric architecture to help ensure continued growth and reliable and optimized services. We have over 40 years of IT history and technical debt that we can’t transform overnight. Our success will be determined by the fluidity of our users’ experience and the level to which we can create an abstraction of our IT infrastructure via cloud-based platforms. This abstraction will create flexibility, usability, scalability, and resiliency for the entire business, which our cloud-centric architecture will support. We’re exploring further transformation while staying dedicated to the effective operation of our entire service portfolio. We’re finding common scenarios where we can optimize services and applications for the cloud, and we’re automating and abstracting as many manual processes and tasks as possible. We’re using the metadata across all our systems to digitally document our cloud infrastructure, creating software-defined templates for the deployment and configuration of infrastructure resources.


The post Microsoft’s cloud-centric architecture transformation appeared first on Inside Track Blog.

Modernizing Microsoft’s internal Help Desk experience with ServiceNow http://approjects.co.za/?big=insidetrack/blog/modernizing-the-support-experience-with-servicenow-and-microsoft/ Fri, 18 Oct 2024 14:00:19 +0000

The post Modernizing Microsoft’s internal Help Desk experience with ServiceNow appeared first on Inside Track Blog.

Microsoft Digital technical stories

Microsoft is transforming the experience of our internal IT helpdesk agents and, using ServiceNow IT Service Management, we’re improving the experience our employees have when they request IT help.

We’ve transitioned the traditional and custom IT tools and features in Microsoft service-desk into ServiceNow ITSM. This has led to innovation in many areas of our IT help-desk management, including improving accessibility, incident management, IT workflows and processes, service level agreements (SLAs), use of AI/ML, virtual agents, automation, and knowledge across the IT help-desk organization, as well as data visualization, monitoring, and reporting.

In short, our strategic partnership with ServiceNow is helping us improve the efficacy of the IT help-desk environment, both internally and for our mutual customers.

Working together to accelerate digital transformation

Our Microsoft Global Helpdesk team supports more than 170,000 employees and partners in more than 150 countries and regions. We deploy this new ITSM environment at enterprise scale, supporting more than 3,000 incoming user requests each day.

We collaborate with ServiceNow as a partner to accelerate our digital IT transformation and continually increase the effectiveness of our IT service management. Our Global IT Helpdesk recognizes potential improvements, provides feedback to ServiceNow, and tests new features. We receive accelerated responses to our ITSM solution requirements while ServiceNow gets a valuable, large-scale feedback mechanism to continuously improve their platform.


Modernizing the internal support experience

In the past, when our internal support scale, business processes, or other factors demanded functionality that existing platforms and systems couldn’t support, our engineers would develop tools and applications to supply the required functionality. Many ITSM features at Microsoft were developed in this manner. With ServiceNow now providing the core ITSM functionality we need, we are working together to integrate our tools’ functionality into their platform, which provides a unified IT help-desk experience that is scalable with enhanced productivity and accelerated digital IT transformation.

ServiceNow enables Microsoft to integrate its digital environment with ServiceNow ITSM functionality and Microsoft uses out-of-the-box ServiceNow functionality whenever suitable. ServiceNow adds and improves functionality, often based on Microsoft feedback and development, and then Microsoft uses the resulting improved capabilities to replace internally developed tools and processes. This collaborative relationship on ITSM benefits both organizations and our mutual customers.

The ServiceNow environment accepting inputs for various support modalities into the core ServiceNow features.
Microsoft’s innovative ITSM experience with ServiceNow.

Collaborating to create rapid innovation

In some cases, Microsoft-developed tools are the starting point for new ServiceNow functionality, such as the recent implementation of ServiceNow ITSM Predictive Intelligence.

We initially built an experimental machine learning-based solution in our environment that automatically routed a limited number of helpdesk incidents in ServiceNow by using machine learning and AI. This reduced the amount of manual triage that our support agents had to perform and helped us learn about incident routing with predictive intelligence and identify innovation opportunities.

We then took those learnings and shared them with ServiceNow to help them make improvements to the ServiceNow ITSM Predictive Intelligence out-of-the-box platform tool. By progressing from our experimental solution to ServiceNow ITSM Predictive Intelligence, we benefitted from the out-of-the-box flexibility and scalability we needed to drive adoption of predictive intelligence within our helpdesk services landscape. We’ll use our work with ServiceNow ITSM Predictive Intelligence throughout this case study to highlight the core steps in our journey toward an improved internal support experience.

Establishing practical goals for modernized support

Predictive intelligence is one example among dozens of ITSM modernization efforts that are ongoing between ServiceNow and Microsoft. Other examples include virtual-agent integration, sentiment analysis of user interaction, anomaly detection, troubleshooting workflows, playbooks, and integrated natural-language processing. Enhancing our helpdesk support agent experience by using ServiceNow ITSM involves three key areas of focus: automation, monitoring, and self-help.

Automation

We’re automating processes, including mundane and time-consuming tasks, such as triaging incidents. Automation gives time back to our helpdesk agents and helps them focus on tasks that are best suited to their skill sets. Feature implementation examples include orchestration, virtual agents, and machine learning.

We’re using ServiceNow Playbooks for step-by-step guidance to resolve service incidents. Playbooks allow our agents to follow guided workflows for common support problems. Many playbooks, such as the password-reset process, include automated steps that reduce the likelihood of human error and decrease mean time to resolution (MTTR).

Monitoring

We use monitoring to derive better context and provide proactive responses to ServiceNow activity. Enhanced monitoring capabilities increase service-desk responsiveness and helpdesk agent productivity. Feature implementation examples include trigger-automated proactive remediation, improved knowledge cataloging, and trend identification.

Microsoft Endpoint Manager supplies mobile-device and application management for our end-user devices, and we’ve worked with ServiceNow to connect Endpoint Manager data and functionality into the ITSM environment. This data and functionality supplies device context, alerts, and performance data to ServiceNow, giving device-related details to support agents directly within a ServiceNow incident.

Self-help functionality

Self-service capabilities help our support incident requestors help themselves, by supplying simplified access to resources that guide them toward remediation. It frees up IT helpdesk agents from performing tasks that end users can do and lowers the total cost of ownership, as support-team resources can focus on more impactful initiatives. Feature implementation examples include natural language understanding, context-based interaction, bot-to-bot interactions, and incident deflection.

For example, the ServiceNow Virtual Agent integrates with Microsoft Teams for bot-to-bot interactions. Bot integration and bot-to-bot handoff enable us to continue using the considerable number of bots already in use across the organization, presenting self-help options for our users that best meet their needs. We have also collaborated with ServiceNow to create integration with knowledge and AI capabilities from Microsoft 365 support. Microsoft 365 service-health information, recommended solutions for Microsoft 365 issues, and incident-related data are available in ServiceNow to both end users and agents.

Examining the modern support experience in context

We have a holistic approach to unifying our internal service-desk platform under ServiceNow. The functionality and health of our Global Helpdesk organization drives the experience for our support agents and the people they assist. To identify opportunities for improvement, we examined all aspects of our support environment, making observations about tool usage, overall experience of support agents, and potential gaps in the toolset that our support agents use. When thinking about new capabilities, such as AI and automation, we needed to understand how our people work. Why and how we perform certain tasks or processes can lose relevance over time, and a deviation from the original way in which we do something can potentially lead to inefficiencies that we must regularly evaluate and address. We placed these observations into the following categories:

  • Comprehensive best practices. We’re encouraging our Global Helpdesk team to be a strategic partner in business, design, and transition of support at Microsoft, rather than simply focusing on tactical ticketing and related metrics. Our internal support experience improvements in ServiceNow ITSM go beyond ticketing processes and require a holistic view of all aspects of the support-agent environment. Additionally, implementing new technologies is only one part of the bigger solution in which it’s critical to verify and keep people accountable for adhering to best practices. We’re transforming our Global Helpdesk operations to provide strategic value and achieve business goals alongside the more tactical elements of service-desk operation, such as incident management and resolution.
  • Interaction management. We examine how our helpdesk agents and the people they support use ServiceNow ITSM and its associated functionality to drive interface improvements. It also helps identify new modalities to connect our support agents to the issues that our users are experiencing. Our goals include increasing virtual-agent usage and reducing use of less efficient interaction modalities, such as fielding IT support requests over the phone.
  • Incident management. Incident management is the core of ServiceNow ITSM functionality and forms the basis for our largest set of considerations and observations. We examine how we create and manage support incidents, triage and distribute them, and then move them toward the final goal of resolution. In all of this, we assess how Global Helpdesk performs incident management and where it can improve. It’s important to understand the use of data to aid incident resolution, and how to better automate and streamline incident processes and consolidate other elements of service-desk functionality into the incident-management workflow. There are many incident-management factors that we evaluate including identifying incident origin, integrating virtual-agent interactions, increasing contextual data in incidents, automating incident routing, deflection and resolution, and improving incident search functionality.
  • Knowledge management. We’re improving how our helpdesk agents and users access knowledge for IT support. Consolidating external knowledge sources into ServiceNow centralizes our knowledge management effort and makes the knowledge they contain available across other service-desk processes, such as incident management. Among the factors we’re focusing on are standardizing knowledge article content, supporting proactive knowledge creation, improving knowledge self-service capabilities, and including related knowledge content for incidents.
  • Governance and platform management. The overall management of the ServiceNow ITSM platform and how it interacts with our environment and integrates into outside data sources and tools helps Microsoft use ServiceNow data to improve other business processes. We’re focusing on improving formal business processes and integrating with other processes and technology while aligning with Microsoft’s broader business strategies and standards.

Creating value within the helpdesk support experience

Microsoft and ServiceNow are intentionally and thoughtfully continuing to improve the ServiceNow environment, both from the organizational perspective here at Microsoft and from the product perspective at ServiceNow. For each feature and business need that we evaluate, we examine the feature from all applicable perspectives. Our general feature evaluation and migration process includes:

  1. Evaluating business needs for applications and features. For each identified feature, we assess the associated business need. This helps us prioritize feature implementation and understand what we could accomplish based on available resources. ServiceNow Predictive Intelligence, our example in this case study, reduced mean time to resolution (MTTR) for incidents and freed up support-agent resources. These factors both positively influenced support agent efficiency and satisfaction. We’d already been using machine learning-based functionality, so the business need was clear.
  2. Determining product roadmaps, organizational goals, and support requirements. In this step, we examine a feature’s practical implementation. Understanding how we need to address a feature or feature gap often depends on product roadmaps and feature development in-flight within ServiceNow. Early access to ServiceNow roadmaps and the ServiceNow Design Partnership Program helps guide our decision making as we determine the evolution of features and how they align with our future vision for digital transformation. If ServiceNow is already developing a specific feature in ITSM space, we don’t worry about integrating or recommending our internally developed tools or functionality. However, we often contribute to the improvement of ServiceNow features based on our internally developed tools, as we did with ServiceNow Predictive Intelligence.
    It can be complex to understand the state of ServiceNow with respect to a specific feature and its requirements. We must examine where we’ve customized ServiceNow ITSM to accommodate an internally developed solution and how we can roll back those changes when we retire the internally developed solution in favor of out-of-the-box functionality.
  3. Identifying risks, benefits, and effects of migration. Establishing required resource allocation and determining necessary skill sets for the migration process is critical to understanding how each feature migration might affect our service-desk environment and overall ServiceNow functionality. Specific factors we consider include licensing requirements and quality control checks, both of which greatly influence the speed and order of feature migration. We also assess the effects of retiring legacy/custom tools on the Global Helpdesk and other Microsoft teams. Many tools we use were widely adopted and instrumental to daily operations, so we must consider training and transition processes on a feature-by-feature basis. In some cases, a feature or tool’s addition or removal could cause a shift in business processes, so it’s critical that we understand the potential impact. We do this by examining feature migration in the context of organizational goals, standards, and best practices.
  4. Obtaining organizational support. One of the most crucial steps is to garner organizational buy-in. Although Microsoft and ServiceNow are strategic partners, it’s critical to get support from key stakeholders here at Microsoft, including our Global Helpdesk and Microsoft Digital process owners. Communication is critical. When we involve all stakeholders, we ensure that we account for all business and technical considerations.
    Rather than getting approval at a high level for the entire ServiceNow support-improvement project, we instead obtain approval for small pilots that focus on fast delivery and high value. This demonstrates the potential for a feature’s broader adoption at the Global Helpdesk. In our predictive-intelligence example, we started by engaging the Global Helpdesk team that was using the experimental machine learning-based incident-routing tool. The existing experimental tool was only routing some incidents, so we proposed a pilot to route the remaining tickets using ServiceNow ITSM Predictive Intelligence. We worked very closely with our internal support team to ensure that the solution met their needs. The pilot demonstrated the tool’s effectiveness in daily operations and proved the tool’s capabilities in production use. This built confidence and trust in the tool and helped drive broader adoption across the organization.
  5. Establishing plans for transition, deallocation, and retirement of legacy tools and systems. We had critical decisions to make about retirement and deallocation of existing tools. Many feature transitions involved identifying how we would move or transform data. Addressing data access and security is a common challenge.
    Additionally, with Predictive Intelligence, our team needs real incidents to train the Predictive Intelligence algorithms. This involves moving production data into a development environment, which has security implications. The feature team must proactively engage our Microsoft security team to provide appropriate information. ServiceNow supplies detailed platform-security documentation, which helps us obtain security-related approval. Also, transition often requires retraining. We must arrange training for users of legacy systems so they can use the new features in ServiceNow and understand how the transition might affect their daily activities and overall service-desk operations.
  6. Engaging in feature implementation. We implemented features following specific plans, processes, and best practices that we established. Implementation scope and effort varies depending on the feature, and in the case of Predictive Intelligence, the Microsoft development team began by creating a pilot. This enables the team to confirm that ServiceNow ITSM Predictive Intelligence can achieve the required level of routing accuracy. It also provided a proof of concept that enabled us to quickly find gaps in functionality.
    Starting with a prototype means we then have a functional example that’s up and running quickly so we get early feedback on the out-of-the-box capabilities. We were able to start fast, iterate, and deliver a better solution more quickly. However, we also had to examine and account for scalability within the ServiceNow platform to ensure that the solution would work well when widely adopted.
    Predictive Intelligence went live with a small number of incident-routing destinations, which helped build the confidence of the service-desk team. We then expanded the number of assignment groups as we received positive feedback. The rollout required minimal organizational change management because Predictive Intelligence was automating an existing process and the service-desk team was already using an experimental AI tool for automated routing.
  7. Measuring progress and reviewing results. We measure all aspects of the feature-implementation progress. Identifying and enabling key metrics and reports helps build confidence and trust in each feature’s effectiveness. As we iterate changes and work through a pilot process for any given feature, we keep stakeholders involved and use our results to contribute to the broader digital transformation. It’s also critical for adoption and is an effective way to illustrate benefits and bring other teams onboard.

Integrating ServiceNow ITSM and Microsoft products

In addition to feature enhancement and growth of ServiceNow functionality, Microsoft and ServiceNow are working together to integrate our products with ServiceNow. This enables us to capitalize on their capabilities and make it easier for our customers at Microsoft to integrate ServiceNow into their environment. For example, device-management capability and reporting data from Microsoft Intune, Microsoft’s mobile device management platform, can integrate directly with ServiceNow. This integration improves contextual data within ServiceNow and extends ServiceNow’s capabilities by using Intune and Microsoft Endpoint Manager functionality on managed devices.

Key Takeaways

Our Microsoft Global Helpdesk team has observed significant benefits from the continued ServiceNow ITSM feature implementations, and we’re still working with ServiceNow on an extensive list of features that we want to implement. Some of the best benefits we’ve observed include:

  • Increased business value. We’ve been able to retire custom solutions and the infrastructure that supports them, reducing total cost of ownership and management effort for legacy solutions. Consolidating our service-desk functionality in ServiceNow ITSM makes licensing and maintenance much simpler and more cost-effective.
  • Reduced service-desk management effort. The various automation features we’ve implemented have reduced the effort our IT helpdesk agents exert, particularly with respect to mundane or repetitive tasks. AI and machine-learning capabilities have improved built-in decision making, reduced the potential for human error, and given time back to our helpdesk agents so they can focus on the work that demands their expertise. For example, ServiceNow ITSM Predictive Intelligence is routing incidents with 80 percent accuracy, saving considerable time and effort.
  • Improved helpdesk agent experience. Unifying our tools and features within ServiceNow ITSM enabled us to create a simpler, easier-to-navigate toolset for our support agents. They can move between tasks and tools more effectively, which increases overall support responsiveness and makes our service desk more efficient.
  • Reduced mean time to resolution. We’re experiencing a continual reduction in incident resolution time as we integrate features and modernize the agent support experience. For example, ServiceNow ITSM Predictive Intelligence reduced MTTR by more than 10 percent on average in our pilot project. Based on these numbers, we’re deploying Predictive Intelligence at a broader scale for Global Helpdesk.

While we’ve successfully migrated many internally developed capabilities into out-of-the-box ServiceNow ITSM features and tools, it is an ongoing process and we’re continuing to learn lessons about the migration process and successfully transforming the IT help-desk environment for greater efficiency and a more productive IT-agent experience. Some key lessons we’ve learned and continue to explore include:

  • Start small and expand scope as a feature matures. We typically start feature implementation small with a single team or use-case scenario. We use pilot projects to validate a solution, prove feature completeness, and gather proof of concept to gain support from stakeholders. Each pilot project contributes to a broader improvement to ServiceNow functionality.
  • Get buy-in from stakeholders early. Establishing organizational support is critical to the overall success of every feature implementation. We work hard to understand who our stakeholders are within Microsoft and make them aware of how a feature implementation might affect them—and ultimately improve our organization.
  • Test scalability and establish monitoring early. Starting small results in many quick wins and rapid feature implementation. However, we must ensure that any capabilities we implement can scale to meet enterprise-level requirements, both in functionality and usability. Tracking metrics and maintaining accurate reporting using ServiceNow’s reporting capabilities provides concrete assessment of feature effectiveness as it increases in usage and scale.
  • Don’t accept feature requirements at face value. Specific features are easy to quantify and qualify, but we always consider the bigger picture. We ask what business questions or challenges the requirements are addressing and then ensure our perspective always includes holistic business goals. We don’t simply want a granular implementation of a specific feature.

We’re working on a thorough list of feature integrations that include extensive use of AI and machine learning. This will simplify and strengthen predictive and automation capabilities in ServiceNow. We’re also investigating deeper integration between ServiceNow ITSM and Microsoft products including Microsoft 365, Microsoft Dynamics 365 and Azure.

We are excited that our joint efforts have introduced a rapid iteration of feature capability into the ServiceNow platform and the impact this brings to the ITSM industry.
