Inside Track Blog: How Microsoft does IT

Enhancing employee listening at Microsoft with Viva Glint
http://approjects.co.za/?big=insidetrack/blog/enhancing-employee-listening-at-microsoft-with-viva-glint/
Fri, 28 Jun 2024 23:55:45 +0000

At Microsoft, giving our employees every opportunity to thrive is critical.

Now, we have a new but familiar tool to help us do that—our very own Microsoft Viva Glint.

We’re using Viva Glint—which replaces LinkedIn Glint—to check in with our 190,000 employees, and to respond to their feedback accordingly.


We recently finished migrating our centralized, active employee listening capability to Viva Glint. As part of that, we moved our employee sentiment survey programs onto the platform, including our flagship Employee Signals program, our lifecycle surveys, and a key manager feedback survey.

We use Employee Signals to survey our employees twice per year. Our leaders, managers, and HR practitioners use the feedback to improve our work environment, to identify our strengths and improvement opportunities, and ultimately, to help our employees thrive more at work (which to us means helping them feel energized and empowered to do meaningful work).

“Employee Signals is our flagship channel for listening to our employees,” says Dante Myers, a director on the HR Business Insights (HRBI) Employee Listening team. “It’s how we mobilize our entire company to ensure all our employees can thrive.”

In July 2023, LinkedIn Glint officially became Microsoft Viva Glint as part of our Employee Experience Platform. LinkedIn Glint was a leader in the employee feedback category with a robust people science methodology. Shifting its capabilities to Viva Glint strengthens the insights and recommendations we can deliver to our customers. With this transition, we’re rebuilding and strengthening the product, making it better adhere to our security standards while improving its reporting and admin experiences, and its integration with other Microsoft products.


As Customer Zero for Microsoft, it was important for us to migrate to Viva Glint so we could start taking advantage of these enhancements when we send out our Employee Signals surveys and to improve our listening systems overall. In this story, we’ll share how we achieved this technical migration, the benefits we gained, the challenges we faced, and what learnings we can pass on to other companies that want to make the same move.

“Viva Glint helps our managers understand insights at scale,” Myers says. “They can use it to ask questions and to dive into comments that their employees have left for them.”

A boost from Viva Glint

Moving to Viva Glint has given us many advantages, including access to the power of Copilot in Viva Glint, which helps our leaders, managers and HR partners easily understand, interpret, and act on feedback we get from our employees.

Here are just a few of the benefits we’ve gained from Viva Glint and its seamless integration with Copilot and other Microsoft Viva tools:

  • Faster analysis: Our employee surveys give us thousands of powerful written insights that used to require heavy amounts of manual review and analysis. Now we’re using Copilot in Viva Glint to instantly analyze these results, saving us weeks of time and giving our leaders more ability to draw out useful insights. Almost 5,000 of our managers used Copilot in Viva Glint after our most recent Employee Signals to dig into their results and understand employee comments.
  • Deeper understanding: Our employee surveys are a great way to understand our employee sentiment, but that’s not the whole story. How our people work, collaborate and spend their time also impacts their engagement and productivity. We used Viva Insights alongside Viva Glint to understand how our people work in meetings, after hours, during focus time, and in other specific scenarios.
  • Personal growth and development tools: Viva Glint will soon come with 360 surveys that leaders and managers can use for personal growth and development (the targeted release date is August 2024). 360s were previously a separate product with LinkedIn Glint and are now included in Viva Glint.
  • Advanced admin capabilities: Better and more granular controls in Viva Glint mean we can change our ongoing survey programs as needed. Some of these new capabilities include better data ownership, question-level permissions, display logic questions, and self-serve raw data exports.
  • Enhanced security and privacy: Our company runs on trust and security. With the move to Viva Glint, we now have a higher level of security as the product is built on Microsoft 365 compliance standards offering enterprise-grade security, trust, privacy and accessibility.
  • Ongoing product innovation: Features like Copilot in Viva Glint are just the beginning of innovation we’re excited for in Viva Glint. Future improvements and integrations with other Microsoft products like Viva Insights will give us more opportunities to better understand our employees, take action, and drive impact.


It’s all about giving you more tools to listen to and respond to the feedback your employees give you.

“Viva Glint provides a foundation for measuring employee satisfaction and sentiment,” says Nate Zimmer, a senior product manager on the Unified Employee Experience team in Microsoft Digital, the company’s IT organization. “With the behavioral telemetry of Viva Insights, we can now see broad work patterns and combine that with the employee sentiment data from Viva Glint.”


[Figure: A chart showing a list of benefits for moving to Viva Glint. Caption: Experience the benefits of Viva Glint: A platform that provides insights into your organization’s health and helps improve employee engagement and satisfaction.]

Migration approach

We accelerated our migration from LinkedIn Glint to Viva Glint so that we could take advantage of the new functionality in private preview and thoroughly test our migration tools and processes for our customers. We learned a lot from being one of the first companies to migrate, and our experience and feedback have been incorporated into the Viva Glint Migration Toolkit.


We drove our migration with a tight partnership across our Viva Glint migration team, our Viva Glint product group, the HRBI Employee Listening team, and the Microsoft Digital group (IT experts on privacy, security, and Microsoft 365).

“It was important we engaged our global tenant admins early in the migration process as they had necessary tasks in Microsoft 365 to complete for the migration,” says Erica Shepard, a senior program manager on the HR Business Insights team. “It’s recommended to engage with them four to six weeks in advance.”

Our migration covered four years of survey data for over 190,000 employees. In addition to our twice-annual Employee Signals, we have lifecycle surveys that are administered daily. We planned our migration window to minimize the impact on our survey programs, giving ourselves six weeks to plan and four weeks post-migration before starting to program our next survey cycle. We completed numerous pre-migration tasks to prepare, including exporting reports for post-migration validation. These preparation tasks are outlined in our Migration Toolkit.


We opted not to communicate to managers and employees that we were migrating because the impact on them would be minimal; we estimated our system would only be offline for two days. Our engineering team did extensive development and testing on our migration tools to make sure we would be fully ready to migrate our external customers in a timely, secure, and quality manner. This effort paid off for us, as we were able to complete our data migration in one day and our validations in one additional day. After that, our instance of Viva Glint was fully functional with all our data migrated, which allowed our managers to start using Viva Glint two days after our migration started.

[Figure: Walsh, Shepard, and Myers appear in a combined image. Caption: Mike Walsh (left to right), Erica Shepard, Dante Myers, and Nate Zimmer (not pictured) were part of the collaborative team that prepared and executed our migration to Viva Glint.]

“The migration exceeded my expectations,” Shepard says. “It was completed faster than expected and we encountered zero data quality issues.”

Post migration, we identified a couple of challenges that we worked with our Viva Glint migration team to resolve. These were mostly resolved with user education and making some system changes. One issue involved emails not being generated and sent, which impacted our ability to send survey invitations. We discovered a custom LinkedIn Glint template that didn’t match the email template in Viva Glint—after we deleted the LinkedIn Glint template, the system reverted to the default Viva Glint email template and the issue was resolved. This solution has been added to our Viva Glint Migration Toolkit.

Another challenge we encountered was related to our survey content. While the survey content migrated, we needed to re-program our survey invitation and reminder emails because the Viva Glint email formatting didn’t allow hyperlinks, markdown syntax, or paragraphs. To solve this, we needed to get creative and adjust our approach—we shortened our overall email text to one paragraph and included vanity URLs as text strings.

Additionally, the product team resolved an issue with the Microsoft logo not downloading in the emails—we use the logo to ensure our emails don’t look like spam to our employees. The product team also resolved an intermittent access issue where users couldn’t sign in, which was caused by an expired token. When we launched our reporting portal, we discovered that our customized resources didn’t migrate, and we needed to re-create them on a tight timeline. This learning has been shared with the Migration team and our solutions are now part of our Migration Toolkit.

Administering our first survey cycle

With our migration to Viva Glint complete, we pivoted to the April cycle of our Employee Signals and Manager and Leader Signals (the latter is our survey where our employees provide feedback about their managers and skip managers). We planned our migration so that we had two months to test our survey builds on Viva Glint, which gave us time to work through the above challenges with the product team.

Overall, we’re very pleased with our successful first survey cycle on Viva Glint, even with the few bumps, especially because we were able to delight our managers by launching our results portal with Copilot for Viva Glint enabled for comment summarization.

Lessons learned

Reflecting on our migration, we were extra careful and planned to revert back to LinkedIn Glint if needed. While this approach helped us plan for a potential similar experience for customers, we don’t think customers need to go that far. “Identifying your migration window and following the Viva Glint Migration Toolkit will make your migration straightforward and easy to complete,” Shepard says.


The experience our employees and managers have with Viva Glint is very similar to what they experienced with LinkedIn Glint, so we didn’t do a lot of change management with the launch. We highlighted the Copilot functionality with managers when we released results. We focused our readiness efforts on making sure our admins were familiar with their new experience in Viva Glint and supporting them through the first survey cycle.

“Give yourself time post migration to explore Viva Glint and review your platform configurations so you are set up for a smooth survey administration,” Shepard says.

We suggest migrating at least four weeks before you need to launch a big program. This allows time for you as a company admin to validate using a test program, to learn about the expanded admin experience, and to understand the new settings. The Microsoft Learn content and the Viva Glint badge program are both great ways to do this.

Key Takeaways
Here are some suggestions for your own migration to Viva Glint:

  • Accelerate your migration to Viva Glint to experience the improved employee engagement platform and participate in private previews of exciting new features. You can view the latest product roadmap updates to see what’s coming next.
  • Contact the Viva Glint Hotline team or your Viva Glint Customer Experience PM to discuss your migration timeline and get guidance and support throughout the process.
  • Use the Viva Glint Migration Toolkit to identify deliverables and key partners and develop your project plan for a smooth migration.
  • Proactively engage your IT partners who are experts in Microsoft 365, security, and privacy to complete the necessary deliverables for migration.
  • For Viva Glint company admins, review the Microsoft Learn content and the Viva Glint badge program content to learn about new features available in Viva Glint.

Try it out
Here’s how to get started with Microsoft Viva Glint.

Related links

We'd like to hear from you!
Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

Boosting employee device procurement at Microsoft with better forecasting
http://approjects.co.za/?big=insidetrack/blog/boosting-employee-device-procurement-at-microsoft-with-better-forecasting/
Fri, 28 Jun 2024 15:16:15 +0000

Device forecasting at Microsoft has allowed the company to plan for new hires, replace out-of-warranty devices for existing employees, and respond to major events, like the release of Windows 11. As a result, we’ve been able to strategically acquire equipment in a more efficient way.

It all started with a shift to remote work.

“New employees will always need a device on day one,” says Pandurang Kamath Savagur, a senior program manager with Microsoft Digital, the organization that powers, protects, and transforms the company. “But for the first time ever, we were also in an experience where people had to stay productive from home with only a single device. They couldn’t easily get into the offices for a secondary or loaner device.”

To anticipate demand and offset delays, Microsoft Digital built a platform where administrators across the company could project the number of devices they’d need. Simultaneously, the group took a deep dive look at the current device population to forecast the number of employees who would need a device refresh—all in time for the deployment of Windows 11.

[Discover how Microsoft quickly upgraded to Windows 11. Find out how Microsoft is reinventing the employee experience for a hybrid world. Learn more about verifying devices in a Zero Trust model.]

Getting better at predicting the future

Historically, Microsoft didn’t need to build up a large inventory of devices for employees; everything was made to order.


It worked a little bit like this:

Procurement, having already certified devices and negotiated pricing and SLAs suitable for employees, enables administrators or direct employees to obtain a new employee device through our internal ProcureWeb tool. The tool places a purchase order directly to the OEM—the third-party manufacturer of the device—or a reseller who would then manufacture and ship the equipment out to the user.

But the shift in how people worked meant we’d need to be more proactive in procuring devices for employees. And to get there, we’d need a better picture of fluctuating demand.

“Business groups own the budget, so they know what the next six months will look like for their team,” Savagur says. “Microsoft onboards approximately 3,000 employees each month, and every employee needs to select and set up a device. We can’t just buy 3,000 devices a month—we need to know specifications about how it will be used.”

Everything from storage space, computing power, memory, and keyboard language to the number of units would need to be collected from business groups. Once that information came in, Procurement could work with OEMs to have machines ready and available to be delivered to administrators well in advance.

This new approach to device forecasting has streamlined the way Microsoft acquires devices, giving us adequate stock to ensure a good experience. We can now anticipate device purchases for new hires while also accounting for break fixes.

And the timing of this effort couldn’t have been better—Windows 11 was on the way, and we would need this new approach along with additional analysis to get the new operating system into the hands of employees.

Empowering Microsoft with Windows 11

Released in late 2021, Windows 11 gives us the enterprise-grade security that Microsoft requires. To achieve this secure-by-default state, we needed to replace older devices with equipment that met the Windows 11 hardware requirements.

But instead of issuing new devices to everyone at launch—something that would be both costly and logistically impossible—we took a strategic approach, using a combination of telemetry and machine learning to identify and prioritize devices for replacement.

[Figure: Cheng and Sawant smile in portrait photos that have been brought together in a photo collage. Caption: Anqi Cheng and Neeti Sawant teamed up to transform the way the company handles its internal device forecasting. Cheng is a data scientist with the W+D Data team, and Sawant is a data engineer with Microsoft Digital.]

“We have telemetry data, application usage, and warranty information, and that gives us a base to forecast from in Power BI,” says Neeti Sawant, a data engineer with Microsoft Digital who helped create a device forecasting dashboard as part of this effort. “It told us what we needed to monitor and forecast, which devices are aging out, and when they would be eligible for a refresh.”

But we weren’t just relying on warranty data alone.

Using Microsoft Azure Cosmos DB and Microsoft Azure Databricks for machine learning, we use the historical device population data to apply survival modeling techniques, predicting how many ineligible primary devices would still be active over the next few years leading up to the Windows 10 end of support.

Device forecasting has allowed us to work closely with OEMs so that devices are available on time and so that we’re not selecting on availability, but rather meeting all the performance, compliance, and security needs of our users. Satisfaction scores from employees have increased by 20 points since we started doing this.

—Pandurang Kamath Savagur, senior program manager, Microsoft Digital

“Not all users will replace their device at the end of warranty,” says Anqi Cheng, a data scientist with the W+D Data team at Microsoft. “Although many devices will naturally age out over time, many users hang on to their devices for an extended time. When combined with other device forecasting data, we had a holistic view of the landscape.”

This level of analysis ensured Microsoft would be able to quickly develop a roadmap for getting employees on Windows 11.

A bright forecast for Microsoft

Employees at Microsoft can—and should—expect to have a device that engages, protects, and empowers them. Device forecasting makes this possible.

“Device forecasting has allowed us to work closely with OEMs so that devices are not selected on availability, but rather meeting all the performance, compliance, and security needs of our users,” Savagur says. This effort has resulted in a better experience for employees. “Satisfaction scores from employees have increased by 20 points since we started doing this.”

Access to device forecasting information has also been helpful to admins and Finance, who now have a better idea as to which devices will need to be refreshed for Windows 11. Moving into the future, these same projections will make it easier for Procurement to put the right device into an employee’s hands.

“With the analysis provided to us by Microsoft Digital, we can now understand how many primary devices are in our environment and when we expect them to refresh,” says Colby McNorton, a senior program manager on the Microsoft Procurement team. “As we look forward, instead of the purchasing journey being reactive, we can proactively reach out to users and tell them that their device is at the end of its life and even recommend a device based on what we know about usage.”

Thanks to Windows Autopilot, new devices are automatically pre-configured with Windows 11. Windows Autopilot deploys an OEM-optimized version of the Windows client, so you don’t have to maintain custom images and drivers for every device model. This makes new devices business-ready faster, empowering employees to stay engaged and protected. Users can just switch on, sign in, and all policies and apps will be in place within a day.


Key Takeaways

  • Be sure to get visibility into your device population. Find out what kinds of devices are on your network, where they’re located, who owns them, and what stage they’re at in their lifecycle. This gives you a lot of agility in a changing environment. You can do this using Microsoft Intune.
  • Windows 10 and Windows 11 can be co-managed side by side using the same tools and processes, which makes it possible for Microsoft and other companies to be methodical about replacing devices.
  • Spend time with team admins who understand user needs. This allows you to cultivate a short list of devices that are best suited for your employees and gives procurement clear priorities.

Driving Copilot for Microsoft 365 adoption with an assist from Microsoft Viva
http://approjects.co.za/?big=insidetrack/blog/driving-copilot-for-microsoft-365-adoption-with-an-assist-from-microsoft-viva/
Thu, 27 Jun 2024 23:29:15 +0000
Copilot for Microsoft 365 Deployment and Adoption Guide

Read our step-by-step guide on deploying Copilot for Microsoft 365 at your company. It’s based on our experience deploying it here at Microsoft:

Effective adoption doesn’t happen by accident.

It takes a coordinated effort that includes executive sponsorship, education, engagement, measurement, and more. When you deploy a next-generation AI technology like Copilot for Microsoft 365 that introduces whole new ways of working, getting that process right is especially important.

Fortunately, Microsoft Viva provides a powerful suite of tools that are well suited to support our internal Copilot for Microsoft 365 adoption.


New ways of working demand a modern approach to adoption

Copilot for Microsoft 365 is an entirely new concept in workplace technology. Still, some adoption principles hold true no matter the tool you’re adopting.

“For any adoption strategy, the first thing we look at is the behavioral change we’re really trying to drive,” says David Laves, a director of business programs in Microsoft Digital, the company’s IT organization. “We’re looking for the key messages and value-added scenarios that will really stoke excitement for our users.”

From there, we strategize the vectors that will be most effective.


It starts with an assessment that identifies the key parameters of the change. That includes several questions. Who’s impacted? How extensive is the change? What are the barriers? What are the benefits? And most importantly, what’s in it for the individual user?

“It can be a challenge to get access to our entire user base because of competing priorities,” says Kevin Wooldridge, a senior director of Experiences and Devices in Microsoft Digital. “Everyone has their own business goals and metrics they need to hit, and they need to know how Copilot will specifically improve their lives.”

The sheer size of our Copilot adoption efforts—early this year we completed a company-wide rollout stretching across all 300,000 Microsoft employees and vendors—meant that any change management efforts needed to operate at a massive scale while accounting for a phased approach that included pilot programs and organization-by-organization activations.

“Take the Greater China region as an example,” says Kai Cheng, business program manager for Copilot for Microsoft 365 in Microsoft Digital. “We have around 19,000 employees and vendors in our region, working across thirteen different organizations, so communication is always a big challenge for us.”

Driving Copilot for Microsoft 365 adoption using Microsoft Viva

Our approach to deploying Copilot for Microsoft 365 focuses on three main objectives:

  • Raise awareness and educate: We’re helping our employees build critical AI skills, learn about Copilot capabilities, and inform them about the elements of AI and other Copilot experiences they can start using today.
  • Drive excitement and user engagement: We’re building excitement and confidence in employees’ ability to use Copilot by offering specific scenarios to help them understand responsible and effective AI use.
  • Encourage feedback and track adoption: We’re gathering feedback and monitoring progress through both self-reporting and monitoring tools to understand opportunities for further growth.


Microsoft Viva provides ample opportunities to approach these goals across multiple apps. Two different aspects of the suite deliver a powerful advantage for change management at scale. First, Viva’s multimodality accommodates a diverse range of employee preferences for communication and engagement. Second, it offers opportunities for decentralized sponsorship and peer-to-peer support, giving organizational leaders and employee champions the chance to drive role-specific value for their colleagues.

“Copilot is a very new technology,” Cheng says. “As an employee, all the people you work with are experimenting at the same time, so it’s very easy for us to use Viva to build a social learning culture where people can grow together.”

We execute against our adoption goals by working according to Prosci’s ADKAR method, which breaks down into the five iterative stages of awareness, desire, knowledge, ability, and reinforcement. Different Viva apps have different roles in that model.

[Figure: Microsoft Viva modules shown in the order in which Microsoft recommends you use them to facilitate your Copilot deployment. Caption: We’re using Microsoft Viva to power employee adoption of Copilot for Microsoft 365 here at Microsoft.]

Viva Amplify

A robust communication strategy includes both centralized, company-wide messaging and executive sponsorship. Leadership from within individual business groups, regional subsidiaries, and teams offers employees a familiar, trusted voice and tailors adoption efforts to specific organizational priorities and ways of working.


Viva Amplify is the ideal tool for these kinds of communications. Internally, we use it to distribute turnkey assets executive sponsors can use to promote awareness and desire.

“With Viva Amplify, we can run campaigns using templates,” Wooldridge says. “So, we save lots of productivity time for executives and their managers because we’ve created pre-packaged communications they can adapt to their organizations’ needs.”

This approach has been so effective internally that we’ve created a Copilot Deployment Kit for our customers to use in Viva Amplify. It provides a pre-built campaign, a brief outlining the overall strategy, and tools for reporting and measuring success.

Laves, Roberts, Wooldridge, Bu, and Cheng pose for pictures that have been assembled into a collage.
David Laves, Tanya Roberts, and Kevin Wooldridge are part of the Microsoft Digital team driving company-wide Copilot for Microsoft 365 adoption using Microsoft Viva, while Ju Bu and Kai Cheng support adoption efforts in the Greater China Region.

Viva Learning

Building knowledge and ability are crucial, and Viva Learning is our workhorse app for equipping employees with Copilot know-how. It’s especially useful for employees who prefer self-directed, asynchronous, or gamified learning over facilitated training. It was an essential inclusion in our initial readiness communications, giving employees an early look at Copilot capabilities and providing preliminary skilling opportunities.

“Viva Learning made it possible to pick and choose the most frequently viewed or used learning assets across several different categories,” says Ju Bu, business program manager for Microsoft Digital in our Greater China Region. “For example, you can pull together pieces about working with content in Word, PowerPoint, or Outlook, and package that material into a unified learning path.”

The ability in Viva Learning to both create instructional modules and pull them in from different sources made assembling a Copilot learning path straightforward and easy to adapt as the technology grew. Out of that internal experience, we constructed the Microsoft Copilot Academy, now available to our customers.

Viva Engage

Of all the apps in the suite, Viva Engage has been the most impactful by far. It taps into the peer-to-peer support and role-based specificity that employees need for Copilot to drive value in their individual work. Like Viva Learning, it enhances employees’ knowledge and ability, just with a more relational, community-driven touch. It also ignites desire by showcasing how power users are saving time and maximizing productivity through AI.

For our Copilot adoption efforts, we leaned on our Copilot Champs Community—a dedicated group of 3,000 early adopters, AI enthusiasts, and peer leaders. Through community posts, ongoing conversations, and self-driven knowledge sharing in Viva Engage, their efforts turned into a powerful organic groundswell, with employees sharing prompts and advice on their own.

Viva Engage also gets to the heart of role-specific value. It enables peers who understand their colleagues’ work to share specific content with them that will help them do their jobs. It also eliminates bottlenecks associated with more broad-based communication models—for example, deploying centralized adoption communications to change cohorts containing thousands of employees and receiving overwhelming email responses.

“Between Viva Amplify and Viva Engage, these multiple touchpoints help employees tailor adoption content to their preferences,” Bu says. “It puts them at the center of our efforts because they can pick and choose the vectors that are most applicable to them.”

Viva Glint and Viva Pulse

Keeping our finger on the pulse of the user experience helps us reinforce usage and address any issues. Viva Glint and Viva Pulse help us uncover qualitative insights from employees through questionnaires and surveys.

Viva Glint provides change leaders with organization-wide, dashboard-based insights and analytics rooted in people science. Meanwhile, Viva Pulse provides opportunities for more rapid and localized feedback at the manager level.

“Any business transformation is a process of experimentation,” Laves says. “Glint and Pulse are our most powerful tools for capturing feedback to see how those experiments are progressing.”

Throughout our Copilot adoption process, we discovered which kinds of data are most valuable for transformation specialists and managers. Through those efforts, we assembled the Microsoft Copilot Impact survey templates for both Viva Pulse and Viva Glint.

These templates helped our internal teams gather user insights, opportunities for employee empowerment, Copilot’s impact on day-to-day work, and success stories. If you’re unsure of which qualitative data is most important or how to gather it, they’re a fantastic place to start.

Viva Insights

Effective adoption relies on robust measurement. When you combine qualitative and quantitative data, you get powerful results.

“What we try to do is marry what the user says through qualitative feedback with what they do through usage data and other metrics,” Laves says. “If users say they’re having pain, we want to see how that affects usage.”

Viva Insights enables this kind of visibility for both company-wide change leaders and more localized managers. At Microsoft, we’ve mostly used this tool to track usage across different apps like Word or Outlook. From there, we can return to Glint and Pulse to dig deeper into what’s happening.

Our internal efforts helped inform the Microsoft Copilot Dashboard powered by Viva Insights. This out-of-the-box feature provides privacy-protected data throughout every stage of your Copilot transformation journey and can help you understand its impact across meetings, email, chat, documents, search, and more.

Getting meta: Using Copilot to help us use Viva to drive Copilot adoption

Microsoft Viva is a powerful tool on its own, but adding Copilot for Microsoft 365 into the mix offers even more advantages. And getting a little meta, throughout this adoption, our change management professionals have been able to use Copilot in Viva to boost their Copilot adoption efforts.

Koenigsbauer smiles in a corporate profile photo.
“Microsoft Viva is a powerful tool for fueling Copilot for Microsoft 365 adoption,” says Kirk Koenigsbauer, chief operating officer of the Microsoft Experiences and Devices Group.

Our team frequently leans on Copilot for help writing Viva Amplify and Viva Engage posts. Its translation abilities also make it much easier to disseminate communications to different disciplines or regions on a global scale.

Writing support is just the beginning.

Copilot’s skill as an assistant with intelligent access to company data and repositories makes searching and summarization a breeze. In Viva Learning, change leaders can ask Copilot for tailored content suggestions. And when reviewing Viva Glint and Viva Pulse results, Copilot can pick out common themes or trends to help researchers understand usage and feedback more easily.

“Utilizing Copilot within Viva Engage helps employees uplevel their communications and increase their reach and impact. It encourages those who are more reluctant to post as now they have Copilot to help,” says Tanya Roberts, a PM in Microsoft Digital. “Some people don’t gravitate toward engagement forums, so bringing Copilot in to brainstorm different ways of activating employees is a real help. The engagement level within our Viva Engage Copilot Community has increased, and is subsequently increasing the adoption of Copilot by embracing Copilot throughout Microsoft 365.”

Different aspects of Microsoft Viva will be best suited for different employees, but the most important lesson has been that it isn’t just an HR or employee engagement suite. It’s a way to meet people where they work to drive organizational goals in the modality that works best for them.

The results for our Copilot adoption have been incredibly powerful. During a one-month Microsoft Viva campaign in the Greater China Region, we saw usage expand by as much as 20%. And that’s just one portion of our global workforce.

“If you’re really serious about Copilot usage in your company and environment, Viva is a powerful tool for accelerating adoption,” says Kirk Koenigsbauer, chief operating officer and corporate vice president of the Microsoft Experiences and Devices Group. “It gets to the core of AI adoption: enhancing people’s ability to work in new ways through genuine digital transformation that ensures you’re getting the return on investment you want.”

Key Takeaways

Here are some tips on how to get started with using Microsoft Viva to help you deploy and drive adoption of Copilot for Microsoft 365:

  • If you’re rolling Copilot out to your audience, consider the hero scenarios that will work best for their roles, then provide thought starters.
  • This is as much a cultural change as it is a technical change. It’s important to work in partnership with HR and organizational leaders who understand their team culture, what they value, and their best communication channels.
  • Be sure you have readiness material prepared. When people start getting their licenses, they’ll be able to access learning opportunities and informational content so they can hit the ground running.
  • Take the opportunity to connect with employees genuinely by capturing two-way feedback around where the value is, where the opportunities are, and what blockers people are experiencing.
  • Take advantage of a diversified channel communication strategy as much as possible. It provides multiple touchpoints for employees to help land your change.

Implementing strong user authentication with Windows Hello for Business http://approjects.co.za/?big=insidetrack/blog/implementing-strong-user-authentication-with-windows-hello-for-business/ Wed, 26 Jun 2024 14:00:43 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=10031 [Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.] Deploying Windows Hello for Business internally here at Microsoft has significantly increased our security when our employees...
[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Deploying Windows Hello for Business internally here at Microsoft has significantly increased our security when our employees and vendors access our corporate resources. This feature offers a streamlined user sign-in experience—it replaces passwords with strong two-factor authentication by combining an enrolled device with a PIN or biometric user input for sign in. Windows Hello was easy to implement within our existing identity infrastructure and is compatible for use within our remote access solution.

The Windows Hello for Business feature can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) user input to sign in. We—the Microsoft Digital Employee Experience team—streamlined the deployment of this feature as an enterprise credential to improve our user sign-in experience and to increase the security of accessing corporate resources.

Using this feature, users can authenticate to a Microsoft account, an Active Directory account, or a Microsoft Azure Active Directory (Azure AD) account.

The Windows Hello for Business feature is a public key or certificate-based authentication approach that goes beyond passwords. This form of authentication relies on key pairs that can replace passwords and are resistant to breaches, thefts, and phishing.

Other benefits of this feature include:

  • It supports our Zero Trust security model. It emphasizes an identity-driven security solution by centering on securing user identity with strong authentication and eliminating passwords.
  • It uses existing infrastructure. We configured Windows Hello to support smart card–like scenarios by using a certificate-based deployment. Our security policies already enforced secure access to corporate resources with two-factor authentication, including smart cards and Microsoft Azure Multi-Factor Authentication. Windows Hello is currently enabled, and we anticipate an increase in usage as more biometric-capable devices become available in the market.
  • It uses a PIN. This replaces passwords with stronger authentication: users can now sign in to a device using a PIN that can be backed by a trusted platform module (TPM) chip.
  • It provides easy certificate renewal. Certificate renewals automatically occur when a user signs in with their PIN before the lifetime threshold is reached.
  • It permits single sign-on. After a user signs in with their PIN, they have access to email, SharePoint sites (when using the latest Office 365 versions), and business applications without being asked for credentials again.
  • It is compatible with remote access. When using a certificate-based PIN, users can connect remotely using a Microsoft Digital Employee Experience VPN without the need for multi-factor authentication with phone verification.
  • It supports Windows Hello. If users have compatible biometric hardware, they can set up biometric sign-in to swipe their finger or take a quick look at the device camera.

Our deployment environment for the Windows Hello for Business feature includes:

  • Server: Microsoft Azure AD subscription and Microsoft Azure AD Connect to extend on-premises directory to Azure AD:
    • For certificate-based: Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS) Network Device Enrollment Service (NDES), and Microsoft Intune
  • Client: A device, preferably with an initialized and owned TPM.

For more information about integrating on-premises identities with Microsoft Azure AD, see Integrating your on-premises identities with Microsoft Azure Active Directory.

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=3k4Mduc9eUQ, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Dimitris Papitsis, Service Engineer for Inside Track, and Mike Stephens, Senior Program Manager, OS Security, share lessons learned when Inside Track deployed Windows Hello for Business on 100,000 Windows 10 devices over existing infrastructure, including Intune, System Center Configuration Manager, Public Key Infrastructure, and Azure Active Directory.

Enrollment and setup

Windows Hello for Business user enrollment steps vary, based on our deployed scenarios. For all scenarios, users will need to use their smart card or multi-factor authentication with a verification option—such as a phone call or verification on a mobile app, such as Microsoft Authenticator, in addition to their user name and password—to complete the enrollment.

The Windows Hello for Business feature supports the following enrollment scenarios:

  • On-premises Active Directory domain–joined devices. Users sign in with their domain account, the Group Policy is applied, the device is registered with Microsoft Azure Active Directory, and then the user creates a PIN.
  • Microsoft Azure AD–joined devices managed by Microsoft Intune. Users must enroll in device management (or add a work account) through Microsoft Intune. After their device is enrolled and the policies are applied, the PIN credential provisioning process begins and users receive the prompt to create their PIN.

Requirements

  • Two-factor authentication is required for PIN creation using one of the existing methods (virtual smart card, physical smart card, or multi-factor authentication with phone verification).
  • A PIN that is at least six characters long.
  • A connection to the internet or Microsoft corporate network.

Physical architecture

Our Windows domain-joined devices were already synchronized with Microsoft Azure AD through Microsoft Azure AD Connect, and we already had a public key infrastructure (PKI) in place. Already having PKI reduced the amount of change required in our environment to enable the Windows Hello for Business feature.

To deploy user certificates based on Windows Hello keys, we used AD FS, AD CS, and Group Policy.

Server roles and services

In our implementation, the following servers and roles work together to enable Windows Hello as a corporate credential:

  • Microsoft Azure AD subscription with Microsoft Azure Active Directory Device Registration Service to register devices with Azure Active Directory.
  • Microsoft Intune is used to enroll devices joined to Microsoft Azure Active Directory.
  • AD FS is used for federated identities and Microsoft Azure AD Application Proxy for secure remote access of web applications hosted on-premises. AD FS Registration Authority is used to handle certificate issuances and renewals for devices that are joined to the domain.
  • PKI includes NDES servers (with policy module) and certificate authorities (with smart card EKU—enhanced key usage—template), used for the issuance, renewal, and revocation of Windows Hello for Business certificates.

Domain-joined service workflow

The following workflow applies to any Windows 10 computers joined to our AD DS domain.

  • Our domain-joined devices pull a Group Policy object that configures certificate enrollment, PIN-enablement, and notification tasks.
  • After users sign out and sign in again, or if they select the pop-up notification when it displays, a PIN creation workflow runs, and they must configure their new PIN.
  • During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. The user can also initiate the Windows Hello setup process from the Settings app at any time.
    • If the client and infrastructure support Instant-On, a key-receipt verification package is downloaded and a certificate request is sent to the AD FS registration authority. AD FS confirms valid key ownership and submits the request on behalf of the user to an AD CS certification authority.
  • The certificate is delivered to the computer.

Microsoft Azure Active Directory–joined service workflow

  • Windows Intune pushes a device policy to Microsoft Azure Active Directory–joined devices. This policy contains the URL of the NDES server and a challenge generated by Intune, and it is already on the device before enrollment starts.
  • During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. The user can also initiate the Windows Hello setup process from the Settings app at any time.
  • The device contacts the internet-facing NDES server at the URL from the policy and provides the challenge response. The NDES server validates the challenge with the CRP (the Configuration Manager certificate registration point) and receives a “true” or “false” result for the challenge verification.
    • If the challenge response is “true,” the NDES server communicates with the certificate authority (CA) to get a certificate for the device. Appropriate ports need to be open between the NDES server and the CA for this to happen.
  • The NDES server delivers the certificate to the computer.

Setting policies

Our Microsoft Digital Employee Experience team used domain-based Group Policies to push out policy-based settings to configure our Windows 10 domain-joined devices to provision Windows Hello user credentials when users sign in to Windows. Non-domain joined devices receive their policies from Intune. We also used these settings to define the complexity and length of the PIN that our users generate at registration and to control whether Windows Hello was enabled.

We had the option to configure whether we would accept certificate-based Windows Hello for Business with PIN as a software-backed credential. We chose to enable Windows Hello for Business with a hardware-required option, which means that keys are generated on the TPM.

Policies for Microsoft Active Directory domain–joined clients

You must create and deploy a Group Policy object using the settings found under User Configuration > Administrative Templates > Windows Components > Windows Hello for Business.

The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. Both the Enable Windows Hello for Business setting and the Use certificate for on-premises authentication setting must be enabled.

Windows 10 also provides PIN complexity settings for control over PIN creation and management. Beginning with Windows 10 version 1703, the policy settings are found under Computer Configuration > Administrative Templates > System > PIN Complexity.

Policies for Microsoft Azure Active Directory–joined clients

To use the Windows Hello/Windows Hello for Business certificate-based sign-in, configure the certificate profile (Assets & Compliance > Compliance Settings > Company Resource Access > Certificate Profiles). Select a template that has the smart card sign-in extended key usage. Note that to set the minimum key size, this certificate template should be configured on the Simple Certificate Enrollment Protocol (SCEP) Enrollment page; you can then use the Windows Hello for Business and Certificate Properties page to set the minimum key size to 2048.

To set up the desired policy, we also need to create a new Windows Hello for Business profile (Assets & Compliance > Compliance Settings > Company Resource Access > Windows Hello for Business profiles) and specify the following required options:

  • Use Windows Hello for Business
  • Use a hardware security device
  • Use biometrics
  • PIN Complexity

User enrollment experience

When a domain-joined computer running Windows 10 Anniversary Update or later pulls Group Policy settings from a domain controller, certificate enrollment policies and the Windows Hello for Business policies are applied to the Windows 10 computer, provided all the criteria for policy application are met.

Client signs out and signs in (and unlocks) the device

The user unlocks their device, and the certificate enrollment process is triggered.

Certificate enrollment process

After a PIN is successfully created, the scheduled task runs (triggered by Event ID 300, “Key registration was successful”). It checks for an existing certificate. If the user doesn’t have one, the task sends a request for a new challenge.

At this point, Windows 10 calls on the specified Certificate Services server through AD FS and requests a challenge with an expiration time. If the PIN is cached, the certificate enrollment is triggered.

Certificate renewal behavior

We have configured PIN credential certificates to have a lifetime of 90 days from when they are issued. Renewals will happen approximately 30 days before they expire. When a user next enters their Windows Hello for Business PIN within the 30 days prior to its expiration, a new certificate will be automatically provisioned on their device.

Certificate renewal is governed by Group Policy settings for auto-enrollment. The system checks for certificate lifetime percentage and compares it against the renewal threshold. If it’s beyond the set threshold, a certificate renewal starts.
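As an added illustration of the renewal rule described above (not code from the post or from the Microsoft Digital team), the following PowerShell reads the current user’s certificate store, keeps the certificates that carry the Smart Card Logon EKU, and reports how much of each certificate’s lifetime has elapsed against the threshold implied by a 90-day lifetime and a 30-day renewal window. The function name and the way the threshold is derived from those two numbers are assumptions; the EKU OID is the standard Microsoft Smart Card Logon OID.

```powershell
# Added example: report Windows Hello for Business certificate-based credentials
# and flag those that have crossed the renewal threshold. Read-only; it does not
# trigger enrollment or renewal itself.

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$LifetimeDays      = 90                         # issued lifetime from the post
$RenewBeforeDays   = 30                         # renewal window from the post
# Assumption: renewal is due once this fraction of the lifetime has elapsed (~66.7%).
$RenewThreshold    = ($LifetimeDays - $RenewBeforeDays) / $LifetimeDays

function Get-WhfbCertStatus {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates,
        [datetime]$Now = (Get-Date)
    )
    foreach ($cert in $Certificates) {
        # Keep only certificates that carry the Smart Card Logon EKU
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $ekuExt) { continue }
        $hasSmartCardLogon = $ekuExt.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $SmartCardLogonOid }
        if (-not $hasSmartCardLogon) { continue }

        # Percentage of the certificate's lifetime that has already elapsed
        $lifetime = ($cert.NotAfter - $cert.NotBefore).TotalDays
        $elapsed  = ($Now - $cert.NotBefore).TotalDays
        $fraction = if ($lifetime -gt 0) { $elapsed / $lifetime } else { 1 }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            PercentElapsed = [math]::Round($fraction * 100, 1)
            State          = if ($Now -gt $cert.NotAfter) { 'Expired' }
                             elseif ($fraction -ge $RenewThreshold) { 'RenewalDue' }
                             else { 'Current' }
        }
    }
}

# The Windows Hello for Business certificate lands in the user's personal store
$certs = Get-ChildItem -Path Cert:\CurrentUser\My
Get-WhfbCertStatus -Certificates $certs | Format-Table -AutoSize
```

A certificate reported as RenewalDue that stays in that state after the user has entered their PIN points at the supporting services (AD FS registration authority, NDES, or the CA) rather than at the client.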

Microsoft Intune specifics

The Open Mobile Alliance Device Management client talks to the Microsoft Intune mobile device management server using SyncML. Policies are routed, and then the user receives the Simple Certificate Enrollment Protocol profile, as configured in our hybrid environment, deployed through Microsoft Intune. Within 10 minutes, the user should receive a certificate. If that fails, the user needs to manually sync.

Service management

We manage identity as a service at Microsoft and are responsible for deciding when to bring in new types of credentials and when to phase out others. When we were considering adding the Windows Hello for Business feature, we had to figure out how to introduce the new credential to our users, and to explain to them why they should use it.

Measuring service health

We’re in the process of creating end-to-end telemetry to measure the service health of Windows Hello for Business. For now, we’re monitoring the performance and status of all our servers. We’re also expanding the service, so adoption and usage numbers are very important metrics that demonstrate the success of our service. We also track the number and types of help desk issues that we see.

We use custom reports created from certificate servers and custom telemetry service metrics to collect prerequisites, and key and certificate issuance times for troubleshooting. Detailed reports about other aspects of the service can also be generated from Microsoft Intune.

We configure a user’s certificate to expire, and certificate renewals are issued with the same key. When necessary, the certificates can be revoked directly through Microsoft Intune, which provides easier administration.

Key Takeaways

TPM issues

OEM BIOS initialization instructions and TPM lockout policies are OEM-specific. We performed steps to identify and document the potential issues for each hardware provider. We also communicated to our users that clearing a TPM will cause their private key to not work in Windows Hello for Business.

Preventing PIN enrollment problems

Some of the common issues we saw with users creating their PINs could have been avoided with better communication. These issues include users not understanding the prerequisites, or the expected delays in onboarding scenarios. To help avoid this issue, we created a productivity guide to walk users through the steps.

Monitoring end-to-end service health

Windows Hello for Business relies on several underlying services: Microsoft Azure AD, AD FS, Microsoft Intune, NDES, and CA. All of these services need to be healthy and available. Certificate issuance delays can be hard to troubleshoot, but monitoring the health and performance of the supporting services can help.

Managing Windows 10 devices with Microsoft Intune http://approjects.co.za/?big=insidetrack/blog/managing-windows-10-devices-with-microsoft-intune/ Mon, 24 Jun 2024 08:00:38 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=10062 [Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.] Microsoft Digital is transforming the way that we manage devices for Microsoft employees. We’re embracing modern device...
[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Microsoft Digital is transforming the way that we manage devices for Microsoft employees. We’re embracing modern device management principles and practices to provide a frictionless, productive device experience for Microsoft employees and a seamless and effective management environment for the Microsoft Digital teams that manage these devices. We’re using Windows 10, Microsoft Intune, Azure Active Directory (Azure AD), and a wide range of associated features to better manage our devices in an internet-first, cloud-focused environment. The move to modern management has begun our transition to Microsoft Endpoint Manager, the convergence of Intune and System Center Configuration Manager functionality and data into a unified, end-to-end management solution.

Addressing the need for modern management

Microsoft Digital is responsible for managing more than 264,000 Windows 10 devices that Microsoft employees around the world use daily. Historically, our management methods have been based primarily on the network and infrastructure on which these devices reside. The corporate network has been the functional foundation of Microsoft operations for more than 30 years. Our technical past was built on Active Directory Domain Services (AD DS) and the accompanying identity and access management principles that work well within a tightly controlled and regulated on-premises network. With this model, Microsoft Digital has been able to manage devices connected within a protected and insulated digital ecosystem.

However, the ways that our devices are being used have changed significantly over the past 10 years and continue to evolve. The corporate network is no longer the default security perimeter or environment for on-premises computing for many companies, and the cloud is quickly becoming the standard platform for business solutions. At Microsoft, we’ve been continually embracing this new model, engaging in a digital transformation that examines our technology and reimagines it as an enabler of greater business productivity.

As a result, the devices that our employees use are increasingly internet focused and interconnected. Our digital transformation entails removing solutions and services from the corporate network and redeploying them in the cloud on Microsoft Azure, Office 365, and other Microsoft cloud platforms.

Assessing device management at Microsoft

Our Windows devices have been managed by System Center Configuration Manager and AD DS for many years. To be our first and best customer and to support a modern device experience, we’ve started transitioning to Microsoft Endpoint Manager by enabling co-management with Intune and Configuration Manager. Our device management team identified several aspects of the device management experience that needed to be changed to better support our devices and users. Some of the most important aspects included:

  • Device deployment effort. Our device deployment strategy has been based largely on operating system (OS) images that are heavily customized and geared to specific device categories. As a result, we managed a large number of OS images. Each of these images required maintenance and updating as our environment and requirements changed, which resulted in Microsoft Digital employees investing significant time and effort to maintain those images.
  • Management scope. Image deployment relied primarily on a device connecting to the corporate network and the Configuration Manager and AD DS infrastructure that supported the deployment mechanisms. Devices connected outside the corporate network did not have the same experience or deployment and management capabilities as those connected to the corporate network.
  • User experience. All these issues had implications for the user experience. If an employee was connected primarily to the internet and not the corporate network, user experience suffered. Policy application and updates were not applied consistently, and many management and support tools, including remote administration, were not available. We had to implement workarounds for these employees, such as establishing virtual private network (VPN) connections back to the corporate network to facilitate more robust device management. Even with VPN, the internet-first experience was not ideal.

Moving to modern device management

To facilitate a modern device experience for our users and better support our digital transformation, we’ve begun the process of adopting modern device management for all Windows 10 devices at Microsoft. Modern device management focuses on an internet-first device connection, an agile, flexible management and deployment model, and a scalable, cloud-based infrastructure to support the mechanisms that drive device management.

Establishing internet and cloud focus

Our modern device management approach begins with and on the internet. The internet offers the most universal and widely available network for our clients. Our modern management methods are built with internet connectivity as the default, which means using internet-based management tools and methods. To enable this, we used Intune and Azure AD to create a cloud-based infrastructure that supports internet-first devices and offers a universally accessible infrastructure model.

Moving from traditional to modern with co-management

The move to modern management necessitates migrating from our traditional methods of device management rooted in Configuration Manager and AD DS. To enable a smooth transition, we decided to adopt a co-management model that enables side-by-side functionality of both traditional and modern infrastructure. This model was critical to ensuring a smooth transition and it enabled us to take a more gradual, phased approach to adopting modern management. Some advantages of the co-management model include:

Adopting a phased approach

We developed a phased approach to moving to modern management. This approach allowed us to adequately test and incorporate modern methods. It also enabled us to choose a transition pace that best suited our business. We outlined three primary phases:

  • Phase one: Establishing the foundation for modern management
  • Phase two: Simplifying device onboarding and configuration
  • Phase three: Moving from co-management to modern management

In each phase, we implemented one of the primary building blocks that would lead us to a fully modern, internet-first, cloud-based device management environment that supported our digital transformation and created the optimal device experience for our employees.

Phase one: Establishing the foundation for modern management

We began by establishing the core of our modern management infrastructure. We determined how it would function and how we would support the transition to modern management from our traditional model. A significant portion of the overall effort was invested in phase one, which established the basis for our entire modern management environment going forward. Our primary tasks during phase one included:

  • Configuring Azure Active Directory. Azure AD provides the identity and access functionality that Intune and the other cloud-based components of our modern management model rely on, including Office 365, Dynamics 365, and many other Microsoft cloud offerings.
  • Deploying and configuring Microsoft Intune. Intune provides the mechanisms to manage configuration, ensure compliance, and support the user experience. Two Intune components were considered critical to modern management:
    • Policy-based configuration management
    • Application control
  • Establishing co-management between Intune and Configuration Manager. We configured Configuration Manager and Intune to support co-management, enabling both platforms to run in parallel and configuring support for Intune and Configuration Manager on every Windows 10 device. We also deployed Cloud Management Gateway to enable connectivity for Configuration Manager clients back to our on-premises Configuration Manager infrastructure without the need for a VPN connection.
  • Translating Group Policy to mobile device management (MDM) policy. Policy-based configuration is the primary method for ensuring that devices have the appropriate settings to help keep the enterprise secure and enable productivity-enhancement features. We started with a blank slate, electing to forgo a lift-and-shift approach to migrating Group Policy settings into MDM policy. Instead, we evaluated which settings were needed for our devices within an internet-first context and built our MDM policy configuration from there, using Group Policy settings as a reference. This approach allowed us to ensure a complete and focused approach while avoiding bringing over any preexisting issues that might have resided in the Group Policy environment.
  • Configuring Windows Update for Business. Windows Update for Business was configured as the default for operating system and application updates for our modern-managed devices.
  • Configuring Windows Defender and Microsoft Defender Advanced Threat Protection (ATP). We configured Windows Defender and Microsoft Defender ATP to protect our devices, send compliance data to Intune Conditional Access, and provide event data to our security teams. This was a critical step, considering the internet-first nature of our devices and the removal of the closed corporate network structure.
  • Establishing dynamic device and user targeting for MDM policy. Dynamic device and user targeting enabled us to provide a more flexible and resilient environment for MDM policy application. It allowed us to start with a smaller standard set of policy settings and then roll out more specific and customized settings to users and devices as required. It also enables us to flexibly apply policies to devices if the devices move into different policy scopes.

Phase two: Simplifying device onboarding and configuration

Our process for device onboarding to modern management is relatively simple. As new devices are purchased and brought into the environment, they are deployed and managed by using the modern management model. This is our approach for the entire device-rollout process; it enables us to gradually onboard devices in a relatively controlled manner and avoid the extra effort required to create in-place migration paths for existing devices. We anticipate that this strategy will result in a complete transition to modern management within three years, according to our device purchase and refresh policies.

Simplifying with Windows Autopilot

We’re using Windows Autopilot as the vehicle for simplifying the user experience and ensuring better corporate asset management. Autopilot allows us to greatly simplify operating system deployment for our users and the Microsoft Digital employees who support the process. Autopilot provides several critical enablers to the deployment process, including:

  • Automatically join devices to Azure Active Directory.
  • Auto-enroll devices into Intune.
  • Restrict Administrator account creation.
  • Create and auto-assign devices to configuration groups based on a device’s profile.
  • Simplify the out-of-box experience (OOBE) and reduce user involvement in the deployment process.

These capabilities allow us to create a simplified user experience and greatly reduce the time required for Microsoft Digital support staff to configure and deploy images to devices.

Phase three: Moving from co-management to modern management

The final phase in our transition to modern management is ongoing. With our current trajectory, we estimate that 99 percent of our devices will be managed under the fully modern model within three years. We’re working within the co-management model and moving toward a fully modern-managed environment. Our next steps include:

  • Decommissioning non-modern infrastructure for Windows 10 management when Endpoint Manager and our business are ready for transition.
  • Transitioning clients from AD DS to Azure AD and moving to a 100-percent internet-first model for client connectivity.

Key Takeaways

We’re still on the road to modern device management, but we’ve learned several lessons along the way. These learning experiences have helped us to better enable modern management now and prepare for the future at Microsoft. Some of the most important lessons include:

  • Build for the cloud and start fresh. We found that the extra time required to start fresh in areas like policies and deployment planning was well worth the investment. A fresh start allowed us to plan for exactly what our users and business need, rather than trying to restructure an old model to fit a new reality.
  • Go at the speed of your business. The transition to modern device management is not a one-click process. It has wide-ranging implications for an organization, and it needs to be approached intentionally and gradually. We found that large-scale, bulk migration simply didn’t provide enough benefit in relation to the effort and planning required to implement it.

Conclusion

Our transition to modern device management will continue over the next few years as we onboard devices and refine our Microsoft Endpoint Manager platform and methods. Microsoft Endpoint Manager gives Microsoft Digital a platform that enables simplified and efficient management and configuration for our devices in an environment that supports and drives our digital transformation. Our planned refinements to modern management will improve the user experience, reduce the time it takes to get reliable, fully functioning devices into our users’ hands, and create cost savings and greater efficiencies in device management for Microsoft Digital.

The post Managing Windows 10 devices with Microsoft Intune appeared first on Inside Track Blog.

Improving security by protecting elevated-privilege accounts at Microsoft
http://approjects.co.za/?big=insidetrack/blog/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft/
Fri, 21 Jun 2024 12:50:21 +0000

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

An ever-evolving digital landscape is forcing organizations to adapt and expand to stay ahead of innovative and complex security risks. Increasingly sophisticated and targeted threats, including phishing campaigns and malware attacks, attempt to harvest credentials or exploit hardware vulnerabilities that allow movement to other parts of the network, where they can do more damage or gain access to unprotected information.

We on the Microsoft Digital Employee Experience (MDEE) team, like many IT organizations, used to employ a traditional IT approach to securing the enterprise. We now know that effective security calls for a defense-in-depth approach that requires us to look at the whole environment—and everyone that accesses it—to implement policies and standards that better address risks.

To dramatically limit our attack surface and protect our assets, we developed and implemented our own defense-in-depth approach. This includes new company standards, telemetry, monitoring, tools, and processes to protect administrators and other elevated-privilege accounts.

In an environment where there are too many administrators, or elevated-privilege accounts, there is an increased risk of compromise. When elevated access is persistent or elevated-privilege accounts use the same credentials to access multiple resources, a compromised account can become a major breach.

This blog post highlights the steps we are taking at Microsoft to protect our environment and administrators, including new programs, tools, and considerations, and the challenges we faced. We will provide some details about the new “Protect the Administrators” program that is positively impacting the Microsoft ecosystem. This program takes security to the next level across the entire enterprise, ultimately changing our digital-landscape security approach.

[Learn how we’re protecting high-risk environments with secure admin workstations. Read about implementing a Zero Trust security model at Microsoft. Learn more about how we manage Privileged Access Workstations.]

Understanding defense-in-depth protection

Securing all environments within your organization is a great first step in protecting your company. But there’s no silver-bullet solution that will magically counter all threats. At Microsoft, information protection rests on a defense-in-depth approach built on device health, identity management, and data and telemetry—a concept illustrated by the three-legged security stool, in the graphic below. Getting security right is a balancing act. For a security solution to be effective, it must address all three aspects of risk mitigation on a base of risk management and assurance—or the stool topples over and information protection is at risk.

Information protection depicted as a stool with three legs that represent device health, identity management, and data and telemetry.
The three-legged-stool approach to information protection.

Risk-based approach

Though we would like to be able to fix everything at once, that simply isn’t feasible. We created a risk-based approach to help us prioritize every major initiative. We used a holistic strategy that evaluated all environments, administrative roles, and access points to help us define our most critical roles and resources within the Microsoft ecosystem. Once defined, we could identify the key initiatives that would help protect the areas that represent the highest levels of risk.

As illustrated in the graphic below, the access-level roles that pose a higher risk should have fewer accounts—helping reduce the impact to the organization and control entry.

The next sections focus primarily on protecting elevated user accounts and the “Protect the Administrators” program. We’ll also discuss key security initiatives that are relevant to other engineering organizations across Microsoft.

Illustration of the risk-role pyramid we use to help prioritize security initiatives.
The risk-role pyramid.

Implementing the Protect the Administrators program

After doing a deeper analysis of our environments, roles, and access points, we developed a multifaceted approach to protecting our administrators and other elevated-privilege accounts. Key solutions include:

  • Working to ensure that our standards and processes are current, and that the enterprise is compliant with them.
  • Creating a targeted reduction campaign to scale down the number of individuals with elevated-privilege accounts.
  • Auditing elevated-privilege accounts and role management to help ensure that only employees who need elevated access retain elevated-access privileges.
  • Creating a High Value Asset (HVA)—an isolated, high-risk environment—to host a secure infrastructure and help reduce the attack surface.
  • Providing secure devices to administrators. Secure admin workstations (SAWs) provide a “secure keyboard” in a locked-down environment that helps curb credential-theft and credential-reuse scenarios.
  • Reporting metrics and data that help us share our story with corporate leadership as well as getting buy-in from administrators and other users who have elevated-privilege accounts across the company.

Defining your corporate landscape

In the past, equipment was primarily on-premises, and it was assumed to be easier to keep development, test, and production environments separate, secure, and well-isolated without a lot of crossover. Users often had access to more than one of these environments but used a persistent identity—a unique combination of username and password—to log into all three. After all, it’s easier to remember login information for a persistent identity than it is to create separate identities for each environment. But because we had strict network boundaries, this persistent identity wasn’t a source of concern.

Today, that’s not the case. The advent of the cloud has dissolved the classic network edge. The use of on-premises datacenters, cloud datacenters, and hybrid solutions is common in nearly every company. Using one persistent identity across all environments can increase the attack surface exposed to adversaries. If compromised, it can yield access to all company environments. That’s what makes identity today’s true new perimeter.

At Microsoft, we reviewed our ecosystem to analyze whether we could keep production and non-production environments separate. We used our Red Team/penetration (PEN) testers to help us validate our holistic approach to security, and they provided great guidance on how to further establish a secure ecosystem.

The graphic below illustrates the Microsoft ecosystem, past and present. We have three major types of environments in our ecosystem today: our Microsoft and Office 365 tenants, Microsoft Azure subscriptions, and on-premises datacenters. We now treat them all like a production environment with no division between production and non-production (development and test) environments.

Microsoft ecosystem then and now. Three environment types now: Microsoft/Office 365 tenants, Azure subscriptions, on-premises datacenters.
Now, everything is considered a “production” environment. We treat our three major environments in the Microsoft ecosystem like production.

Refining roles to reduce attack surfaces

Prior to embarking on the “Protect the Administrators” program, we felt it was necessary to evaluate every role with elevated privileges to determine its level of access and capability within our landscape. Part of the process was to identify tooling that would also protect company security (identity, security, device, and non-persistent access).

Our goal was to provide administrators the means to perform their necessary duties in support of the technical operations of Microsoft with the necessary security tooling, processes, and access capabilities—but with the lowest level of access possible.

The top security threats that every organization faces stem from too many employees having too much persistent access. Every organization’s goal should be to dramatically limit their attack surface and reduce the amount of “traversing” (lateral movement across resources) a breach will allow, should a credential be compromised. This is done by limiting elevated-privilege accounts to employees whose roles require access and by ensuring that the access granted is commensurate with each role. This is known as “least-privileged access.” The first step in reaching this goal is understanding and redefining the roles in your company that require elevated privileges.

Defining roles

We started with basic definitions. An information-worker account does not allow elevated privileges, is connected to the corporate network, and has access to productivity tools that let the user do things like log into SharePoint, use applications like Microsoft Excel and Word, read and send email, and browse the web.

We defined an administrator as a person who is responsible for the development, build, configuration, maintenance, support, and reliable operations of applications, networks, systems, and/or environments (cloud or on-premises datacenters). In general terms, an administrator account is one of the elevated-privilege accounts that has more access than an information worker’s account.

Using role-based controls to establish elevated-privilege roles

We used a role-based access control (RBAC) model to establish which specific elevated-privilege roles were needed to perform the duties required within each line-of-business application in support of Microsoft operations. From there, we deduced a minimum number of accounts needed for each RBAC role and started the process of eliminating the excess accounts. Using the RBAC model, we went back and identified a variety of roles requiring elevated privileges in each environment.

For the Microsoft Azure environments, we used RBAC, built on Microsoft Azure Resource Manager, to manage who has access to Azure resources and to define what they can do with those resources and what areas they have access to. Using RBAC, you can segregate duties within your team and grant to users only the amount of access that they need to perform their jobs. Instead of giving everybody unrestricted permissions in our Azure subscription or resources, we allow only certain actions at a particular scope.

Performing role attestation

We explored role attestation for administrators who moved laterally within the company to make sure their elevated privileges didn’t move with them into the new roles. Limited checks and balances were in place to ensure that the right privileges were applied or removed when someone’s role changed. We fixed this immediately through a quarterly attestation process that required the individual, the manager, and the role owner to approve continued access to the role.

Implementing least-privileged access

We identified those roles that absolutely required elevated access, but not all elevated-privilege accounts are created equal. Limiting the attack surface visible to potential aggressors depends not only on reducing the number of elevated-privilege accounts. It also relies on only providing elevated-privilege accounts with the least-privileged access needed to get their respective jobs done.

For example, consider the idea of crown jewels kept in the royal family’s castle. There are many roles within the operations of the castle, such as the king, the queen, the cook, the cleaning staff, and the royal guard. Not everyone can or should have access everywhere. The king and queen hold the only keys to the crown jewels. The cook needs access only to the kitchen, the larder, and the dining room. The cleaning staff needs limited access everywhere, but only to clean, and the royal guard needs access to areas where the king and queen are. No one other than the king and queen, however, needs access to the crown jewels. This system of restricted access provides two benefits:

  • Only those who absolutely require access to a castle area have keys, and only to perform their assigned jobs, nothing more. If the cook tries to access the crown jewels, security alarms notify the royal guard, along with the king and queen.
  • Only two people, the king and queen, have access to the crown jewels. Should anything happen to the crown jewels, a targeted evaluation of those two people takes place and doesn’t require involvement of the cook, the cleaning staff, or the royal guard because they don’t have access.

This is the concept of least-privileged access: We only allow you access to a specific role to perform a specific activity within a specific amount of time from a secure device while logged in from a secure identity.
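The scope-and-action evaluation described in the RBAC section above, and the least-privilege idea behind the castle example, as an added example that is not Microsoft's code or the Azure SDK: a small evaluator that mirrors Azure RBAC semantics (Actions minus NotActions, `*` wildcards, inheritance down the scope hierarchy) over constructed role definitions, assignments and scopes, plus an audit helper that reports who holds the "key" for a sensitive action. The principals, scopes and the "VM Operator" role are constructed; "Contributor" is a simplified copy of the built-in role's shape.

```python
"""Azure RBAC-style least-privilege evaluator (added example, not Microsoft's code).

Mirrors the rules the text describes: a role lists the Actions it permits
(with '*' wildcards) minus its NotActions, an assignment binds a principal
to a role at one scope, and permissions inherit down the scope hierarchy
(subscription -> resource group -> resource). Role definitions, principals
and scopes are constructed sample data; Contributor is a simplified copy
of the built-in role's Actions/NotActions shape.
"""
import re

# Constructed role definitions in the shape of Azure role definitions.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "VM Operator": {
        # Can inspect and power-cycle VMs, but not delete or reconfigure them.
        "Actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
            "Microsoft.Compute/virtualMachines/deallocate/action",
        ],
        "NotActions": [],
    },
    "Contributor": {
        # Everything except handing out access: the NotActions carve out role management.
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
}

# Constructed scopes and assignments: (principal, role, scope).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = f"{SUB}/resourceGroups/rg-prod-web"
VM_WEB = f"{RG_WEB}/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB = f"{SUB}/resourceGroups/rg-prod-db/providers/Microsoft.Compute/virtualMachines/db01"
ASSIGNMENTS = [
    ("vm-ops@example.test", "VM Operator", RG_WEB),   # scoped to one resource group
    ("auditor@example.test", "Reader", SUB),          # read-only across the subscription
    ("platform@example.test", "Contributor", SUB),    # broad, but cannot grant roles
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' spans any characters, including '/'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def in_scope(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and at every child scope beneath it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_permits(role: str, action: str) -> bool:
    """True when some Actions pattern covers the action and no NotActions pattern excludes it."""
    definition = ROLES[role]
    allowed = any(action_matches(p, action) for p in definition["Actions"])
    excluded = any(action_matches(p, action) for p in definition["NotActions"])
    return allowed and not excluded


def is_allowed(principal: str, action: str, scope: str) -> bool:
    """Deny by default; allow only if an in-scope assignment carries a role permitting the action."""
    return any(
        p == principal and in_scope(s, scope) and role_permits(r, action)
        for p, r, s in ASSIGNMENTS
    )


def who_can(action: str, scope: str) -> list:
    """Audit helper: which principals hold the 'key' for a sensitive action at a scope."""
    return sorted({p for p, _, _ in ASSIGNMENTS if is_allowed(p, action, scope)})


if __name__ == "__main__":
    delete_vm = "Microsoft.Compute/virtualMachines/delete"
    grant_role = "Microsoft.Authorization/roleAssignments/write"
    print("can delete web01:", who_can(delete_vm, VM_WEB))   # ['platform@example.test']
    print("can grant roles:", who_can(grant_role, SUB))       # []
```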

Creating a secure high-risk environment

We can’t truly secure our devices without having a highly secure datacenter to build and house our infrastructure. We used HVA to implement a multitiered and highly secure high-risk environment (HRE) for isolated hosting. We treated our HRE as a private cloud that lives inside a secure datacenter and is isolated from dependencies on external systems, teams, and services. Our secure tools and services are built within the HRE.

Traditional corporate networks were typically walled only at the external perimeters. Once an attacker gained access, it was easier for a breach to move across systems and environments. Production servers often reside on the same segments or on the same levels of access as clients, so you inherently gain access to servers and systems. If you start building some of your systems but you’re still dependent on older tools and services that run in your production environment, it’s hard to break those dependencies. Each one increases your risk of compromise.

It’s important to remember that security awareness requires ongoing hygiene. New tools, resources, portals, and functionality are constantly coming online or being updated. For example, certain web browsers sometimes release updates weekly. We must continually review and approve the new releases, and then repackage and deploy the replacement to approved locations. Many companies don’t have a thorough application-review process, which increases their attack surface due to poor hygiene (for example, multiple versions, third-party and malware-infested application challenges, unrestricted URL access, and lack of awareness).

The initial challenge we faced was discovering all the applications and tools that administrators were using so we could review, certify, package, and sign them as approved applications for use in the HRE and on SAWs. We also needed to implement a thorough application-review process, specific to the applications in the HRE.

Our HRE was built as a trust-nothing environment. It’s isolated from other less-secure systems within the company and can only be accessed from a SAW—making it harder for adversaries to move laterally through the network looking for the weakest link. We use a combination of automation, identity isolation, and traditional firewall isolation techniques to maintain boundaries between servers, services, and the customers who use them. Admin identities are distinct from standard corporate identities and subject to more restrictive credential- and lifecycle-management practices. Admin access is scoped according to the principle of least privilege, with separate admin identities for each service. This isolation limits the scope that any one account could compromise. Additionally, every setting and configuration in the HRE must be explicitly reviewed and defined. The HRE provides a highly secure foundation that allows us to build protected solutions, services, and systems for our administrators.

Secure devices

Secure admin workstations (SAWs) are limited-use client machines that substantially reduce the risk of compromise. They are an important part of our layered, defense-in-depth approach to security. A SAW doesn’t grant rights to any actual resources—it provides a “secure keyboard” from which an administrator can connect to a secure server, which itself connects to the HRE.

A SAW is an administrative-and-productivity-device-in-one, designed and built by Microsoft for one of our most critical resources—our administrators. Each administrator has a single device, a SAW, where they have a hosted virtual machine (VM) to perform their administrative duties and a corporate VM for productivity work like email, Microsoft Office products, and web browsing.

When working, administrators must keep secure devices with them, and they are responsible for them at all times. This requirement mandated that the secure device be portable. As a result, we developed a laptop that’s a securely controlled and provisioned workstation. It’s designed for managing valuable production systems and performing daily activities like email, document editing, and development work. The administrative partition in the SAW curbs credential-theft and credential-reuse scenarios by locking down the environment. The productivity partition is a VM with access like any other corporate device.

The SAW host is a restricted environment:

  • It allows only signed or approved applications to run.
  • The user doesn’t have local administrative privileges on the device.
  • By design, the user can browse only a restricted set of web destinations.
  • All automatic updates from external parties and third-party add-ons or plug-ins are disabled.

Again, the SAW controls are only as good as the environment that holds them, which means that the SAW isn’t possible without the HRE. Maintaining adherence to SAW and HRE controls requires an ongoing operational investment, similar to any Infrastructure as a Service (IaaS). Our engineers code-review and code-sign all applications, scripts, tools, and any other software that operates or runs on top of the SAW. The administrator user has no ability to download new scripts, coding modules, or software outside of a formal software distribution system. Anything added to the SAW gets reviewed before it’s allowed on the device.

As we onboard an internal team onto SAW, we work with them to ensure that their services and endpoints are accessible using a SAW device. We also help them integrate their processes with SAW services.

Provisioning the administrator

Once a team has adopted the new company standard of requiring administrators to use a SAW, we deploy the Microsoft Azure-based Conditional Access (CA) policy. As part of CA policy enforcement, administrators can’t use their elevated privileges without a SAW. Between the time that an administrator places an order and receives the new SAW, we provide temporary access to a SAW device so they can still get their work done.
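The enforcement described above (elevated privileges usable only from a SAW, with a loaner SAW while an order is pending), together with the separate admin identities and quarterly role attestation from the earlier sections, as an added example that is not Microsoft's Conditional Access implementation: an audit run over constructed sign-in records that flags the ones such a policy would block and says why. The accounts, devices, dates, the 90-day attestation window and the "adm-" naming convention for admin identities are all assumptions made for this example.

```python
"""Audit of privileged sign-ins against a SAW-required access policy (added example,
not Microsoft's Conditional Access implementation).

Encodes the rules the text describes: an elevated-privilege role may only be used
from a SAW (a temporary loaner SAW counts), admin identities are separate from
standard corporate identities, and a role assignment is only valid while its
quarterly attestation (individual, manager and role owner) is current. Accounts,
devices, dates and the "adm-" naming convention are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

PRIVILEGED_ROLES = {"Exchange Administrator", "Global Administrator", "Subscription Owner"}
SAW_CLASSES = {"saw", "saw-loaner"}        # loaner SAWs are issued while a SAW order is pending
ATTESTATION_WINDOW = timedelta(days=90)    # assumed length of one attestation quarter
ADMIN_IDENTITY_PREFIX = "adm-"             # assumed convention for separate admin identities


@dataclass(frozen=True)
class RoleAssignment:
    account: str
    role: str
    last_attested: date   # date the individual, manager and role owner last approved it


@dataclass(frozen=True)
class SignIn:
    account: str
    role_used: str        # "" when no elevated role is exercised
    device_id: str
    device_class: str     # "saw", "saw-loaner" or "corporate"


def attested(assignment: RoleAssignment, today: date) -> bool:
    """An assignment counts only if it was re-approved within the attestation window."""
    return today - assignment.last_attested <= ATTESTATION_WINDOW


def evaluate(signin: SignIn, assignments: list, today: date) -> tuple:
    """Return ('allow' | 'block', reasons). Non-privileged sign-ins are not constrained here."""
    reasons = []
    if signin.role_used in PRIVILEGED_ROLES:
        if signin.device_class not in SAW_CLASSES:
            reasons.append("privileged role used from a non-SAW device")
        if not signin.account.startswith(ADMIN_IDENTITY_PREFIX):
            reasons.append("privileged role used from a standard corporate identity")
        if not any(a.account == signin.account and a.role == signin.role_used
                   and attested(a, today) for a in assignments):
            reasons.append("no currently attested assignment for this role")
    return ("block" if reasons else "allow", reasons)


# Constructed sample data.
TODAY = date(2024, 6, 21)
ASSIGNMENTS = [
    RoleAssignment("adm-alice@example.test", "Exchange Administrator", date(2024, 5, 1)),  # current
    RoleAssignment("adm-carol@example.test", "Global Administrator", date(2024, 1, 15)),   # stale
]
SIGNINS = [
    SignIn("adm-alice@example.test", "Exchange Administrator", "SAW-0101", "saw"),
    SignIn("adm-alice@example.test", "Exchange Administrator", "LT-2231", "corporate"),
    SignIn("bob@example.test", "Subscription Owner", "SAW-0102", "saw"),
    SignIn("adm-carol@example.test", "Global Administrator", "SAW-LOAN-07", "saw-loaner"),
    SignIn("bob@example.test", "", "LT-2232", "corporate"),
]


def run_audit(signins: list = SIGNINS, assignments: list = ASSIGNMENTS,
              today: date = TODAY) -> list:
    """Return (account, device_id, reasons) for every sign-in the policy would block."""
    blocked = []
    for s in signins:
        decision, reasons = evaluate(s, assignments, today)
        if decision == "block":
            blocked.append((s.account, s.device_id, reasons))
    return blocked


if __name__ == "__main__":
    for account, device, reasons in run_audit():
        print(f"BLOCK {account} on {device}: {'; '.join(reasons)}")
```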

We ensure security at every step within our supply chain. That includes using a dedicated manufacturing line exclusive to SAWs, ensuring chain of custody from manufacturing to end-user validation. Since SAWs are built and configured for the specific user rather than pulling from existing inventory, the process is much different from how we provision standard corporate devices. The additional security controls in the SAW supply chain add complexity and can make scaling a challenge from the global-procurement perspective.

Supporting the administrator

SAWs come with dedicated, security-aware support services from our Secure Admin Services (SAS) team. The SAS team is responsible for the HRE and the critical SAW devices—providing around-the-clock role-service support to administrators.

The SAS team owns and supports a service portal that facilitates SAW ordering and fulfillment, role management for approved users, application and URL hosting, SAW assignment, and SAW reassignment. They’re also available in a development operations (DevOps) model to assist the teams that are adopting SAWs.

As different organizations within Microsoft choose to adopt SAWs, the SAS team works to ensure they understand what they are signing up for. The team provides an overview of their support and service structure and the HRE/SAW solution architecture, as illustrated in the graphic below.

Figure: a high-level overview of the HRE/SAW solution architecture, showing the isolated HRE, the SAW, and the SAS team and DevOps support services that help administrators.

Today, the SAS team provides support service to more than 40,000 administrators across the company. We have more work to do as we enforce SAW usage across all teams in the company and stretch into different roles and responsibilities.

Password vaulting

The password-vaulting service allows passwords to be securely encrypted and stored for future retrieval. This eliminates the need for administrators to remember passwords, which has often resulted in passwords being written down, shared, and compromised.

SAS Password Vaulting is composed of two internal, custom services currently offered through our SAS team:

  • A custom solution to manage domain-based service accounts and shared password lists.
  • A local administrator password solution (LAPS) to manage server-local administrator accounts and Integrated Lights-Out (iLO) device accounts.

Password management is further strengthened by the service's ability to automatically generate and roll complex random passwords. This ensures that privileged accounts have high-strength, unique passwords that are changed regularly, which limits the value of any one stolen credential.
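What "generate and roll" looks like in practice, as an added example that is not the SAS team's service: a LAPS-style vault that keeps one CSPRNG-generated password per host, rotates it on a schedule, logs every checkout, and forces an early rotation after a password has been handed out. The dict store stands in for the vault's encrypted backend, and the 30-day rotation interval and one-hour post-checkout reset are assumed values.

```python
"""LAPS-style generation and rotation of per-host local administrator passwords.

Added example, not the SAS team's vaulting service. The store is a plain dict
standing in for the vault's encrypted backend; the rotation interval and
post-checkout reset delay are assumed values, not Microsoft's.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 24) -> str:
    """CSPRNG password that contains all four character classes."""
    if length < 8:
        raise ValueError("length must be at least 8")
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    while True:  # rejection sampling keeps the distribution uniform over valid strings
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


@dataclass
class Entry:
    secret: str           # ciphertext in a real vault; plaintext stand-in here
    expires: datetime


class LocalAdminVault:
    """One unique password per host, rotated on a schedule and again after use."""

    def __init__(self, rotation: timedelta = timedelta(days=30),
                 post_checkout_reset: timedelta = timedelta(hours=1)):
        self.rotation = rotation
        self.post_checkout_reset = post_checkout_reset
        self._store: Dict[str, Entry] = {}
        self.audit: List[Tuple[datetime, str, str, str]] = []  # (when, action, host, actor)

    def rotate(self, host: str, now: datetime, actor: str = "scheduler") -> str:
        pw = generate_password()
        self._store[host] = Entry(pw, now + self.rotation)
        self.audit.append((now, "rotate", host, actor))
        return pw

    def rotate_expired(self, now: datetime) -> List[str]:
        """Rotate every host whose password has reached its expiry."""
        due = sorted(h for h, e in self._store.items() if e.expires <= now)
        for host in due:
            self.rotate(host, now)
        return due

    def checkout(self, host: str, requester: str, now: datetime) -> str:
        """Release a password to an admin and schedule a reset shortly after use.

        Nobody needs to remember or write the value down: it is retrieved on
        demand, the retrieval is logged, and the password is rolled soon after.
        """
        entry = self._store[host]
        self.audit.append((now, "checkout", host, requester))
        entry.expires = min(entry.expires, now + self.post_checkout_reset)
        return entry.secret

    def expires_at(self, host: str) -> datetime:
        return self._store[host].expires


def demo() -> dict:
    """Constructed walk-through: two hosts, one checkout, one scheduled sweep."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    vault = LocalAdminVault()
    a = vault.rotate("srv-a", t0)
    b = vault.rotate("srv-b", t0)
    used = vault.checkout("srv-a", "alice", t0 + timedelta(days=3))
    # one hour after checkout srv-a is due; srv-b is not due until day 30
    rotated = vault.rotate_expired(t0 + timedelta(days=3, hours=1))
    return {
        "unique_per_host": a != b,
        "checkout_returns_current": used == a,
        "rotated_after_checkout": rotated,
        "srv_a_changed": vault.checkout("srv-a", "alice", t0 + timedelta(days=4)) != a,
        "srv_b_expiry": vault.expires_at("srv-b"),
        "audit_actions": [row[1] for row in vault.audit],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The post-checkout reset is the detail worth copying: once a human has seen a password it should be treated as exposed, so the vault shortens its life rather than waiting for the next scheduled rotation.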

Administrative policies

We’ve put administrative policies in place for privileged-account management. They’re designed to protect the enterprise from the risks that come with elevated administrative rights. Microsoft Digital reduces attack vectors with an assortment of security services, including SAS and Identity and Access Management, that strengthen the security posture of the business. Especially important is the use of usage metrics for threat and vulnerability management. When a threat or vulnerability is detected, we work with our Cyber Defense Operations Center (CDOC) team. Using telemetry from a variety of monitoring systems, we ensure that compliance and enforcement teams are notified immediately. Their engagement is key to keeping the ecosystem secure.

Just-in-time entitlement system

Least-privileged access paired with a just-in-time (JIT) entitlement system provides the least amount of access to administrators for the shortest period of time. A JIT entitlement system allows users to elevate their entitlements for limited periods of time to complete elevated-privilege and administrative duties. The elevated privileges normally last between four and eight hours.

JIT allows removal of users’ persistent administrative access (via Active Directory security groups) and replaces those entitlements with the ability to elevate into roles on demand and just in time. We used proper RBAC approaches with an emphasis on providing access only to what is absolutely required. We also implemented access controls to remove excess access (for example, Global Administrator or Domain Administrator privileges).

An example of how JIT is part of our overarching defense-in-depth strategy is a scenario in which an administrator’s smartcard and PIN are stolen. Even with the physical card and the PIN, an attacker would have to successfully navigate a JIT workflow process before the account would have any access rights.
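The stolen-smartcard reasoning above is easiest to see in code. The following is an added example, not Microsoft's JIT entitlement system: eligibility is persistent but rights are not, every grant is time-boxed within the four-to-eight-hour window the text describes, sensitive roles need a second person to approve, and an authorization check asks only whether a live grant exists. The 15-minute minimum, the approval requirement on the constructed `DomainAdmin` role, and the no-self-approval rule are assumptions.

```python
"""Just-in-time entitlement model in which persistent role membership is replaced
by time-boxed grants.

Added example, not Microsoft's JIT system. The 4-8 hour window comes from the
text; the minimum duration, the approval requirement for DomainAdmin and the
no-self-approval rule are assumptions.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

MAX_ELEVATION = timedelta(hours=8)
MIN_ELEVATION = timedelta(minutes=15)   # assumed lower bound


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    start: datetime
    end: datetime
    justification: str
    approver: Optional[str] = None


class JitEntitlements:
    """Eligibility is persistent; the rights themselves are not."""

    def __init__(self, eligible: Dict[str, Set[str]], needs_approval: Set[str]):
        self.eligible = eligible              # user -> roles they may request
        self.needs_approval = needs_approval  # roles that require a second person
        self.pending: Dict[str, Grant] = {}   # request id -> grant awaiting approval
        self.active: List[Grant] = []
        self.audit: List[Tuple[datetime, str, str, str]] = []

    def request(self, request_id: str, user: str, role: str, duration: timedelta,
                justification: str, now: datetime) -> str:
        if role not in self.eligible.get(user, set()):
            raise PermissionError(f"{user} is not eligible for {role}")
        if not justification.strip():
            raise ValueError("a justification is required")
        if not MIN_ELEVATION <= duration <= MAX_ELEVATION:
            raise ValueError("duration outside the policy window")
        grant = Grant(user, role, now, now + duration, justification)
        if role in self.needs_approval:
            self.pending[request_id] = grant
            self.audit.append((now, "pending", user, role))
            return "pending"
        self._activate(grant, now)
        return "active"

    def approve(self, request_id: str, approver: str, now: datetime) -> Grant:
        grant = self.pending.pop(request_id)
        if approver == grant.user:
            raise PermissionError("self-approval is not allowed")
        # the clock starts at approval, not at request
        grant = replace(grant, start=now, end=now + (grant.end - grant.start), approver=approver)
        self._activate(grant, now)
        return grant

    def _activate(self, grant: Grant, now: datetime) -> None:
        self.active.append(grant)
        self.audit.append((now, "activate", grant.user, grant.role))

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """The only question an authorization check asks: is there a live grant?"""
        return any(g.user == user and g.role == role and g.start <= now < g.end
                   for g in self.active)

    def sweep(self, now: datetime) -> int:
        """Drop expired grants; returns how many were removed."""
        before = len(self.active)
        self.active = [g for g in self.active if g.end > now]
        return before - len(self.active)


def stolen_smartcard_scenario() -> dict:
    """Constructed timeline: alice's card and PIN are stolen at t0."""
    t0 = datetime(2024, 1, 1, 9, tzinfo=timezone.utc)
    jit = JitEntitlements(eligible={"alice": {"DomainAdmin", "ServerOperator"}},
                          needs_approval={"DomainAdmin"})
    # 1. Valid credential, no grant: the attacker authenticates but holds no rights.
    attacker_before = jit.has_role("alice", "DomainAdmin", t0)
    # 2. Legitimate elevation: request, second-person approval, 4 hours.
    state = jit.request("req-1", "alice", "DomainAdmin", timedelta(hours=4),
                        "INC-1234 rebuild replica", t0)
    jit.approve("req-1", "bob", t0 + timedelta(minutes=10))
    during = jit.has_role("alice", "DomainAdmin", t0 + timedelta(hours=2))
    # 3. The grant lapses on its own; nobody has to remember to remove it.
    after = jit.has_role("alice", "DomainAdmin", t0 + timedelta(hours=5))
    removed = jit.sweep(t0 + timedelta(hours=5))
    # 4. A role outside the user's eligibility can never be requested.
    try:
        jit.request("req-2", "alice", "GlobalAdmin", timedelta(hours=1), "x", t0)
        ineligible_rejected = False
    except PermissionError:
        ineligible_rejected = True
    return {"attacker_before": attacker_before, "request_state": state,
            "active_during": during, "active_after": after,
            "expired_removed": removed, "ineligible_rejected": ineligible_rejected}


if __name__ == "__main__":
    print(stolen_smartcard_scenario())
```

Note what the model does not do: it never consults a group membership. If the resource side still honours a standing group, the JIT workflow is decorative, which is why the migration in the text removes the persistent Active Directory group grants rather than layering JIT on top of them.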

Key Takeaways

In the three years this project has been going on, we have learned that an ongoing commitment and investment are critical to providing defense-in-depth protection in an ever-evolving work environment. We have learned a few things that could help other companies as they decide to better protect their administrators and, thus, their company assets:

  • Securing all environments. We needed to evolve the way we looked at our environments. Through evolving company strategy and our red team and penetration testing, it has been proven numerous times that successful attacks take advantage of weak controls or poor hygiene in a development environment to reach, and wreak havoc in, production.
  • Influencing, rather than forcing, cultural change. Microsoft employees have historically had the flexibility and freedom to do amazing things with the products and technology they had on hand. Efforts to impose any structure, rigor, or limitation on that freedom can be challenging. Taking people’s flexibility away from them, even in the name of security, can generate friction. Inherently, employees want to do the right thing when it comes to security and will adopt new and better processes and tools as long as they understand the need for them. Full support of the leadership team is critical in persuading users to change how they think about security. It was important that we developed compelling narratives for areas of change, and had the data and metrics to reinforce our messaging.
  • Scaling SAW procurement. We secure every aspect of the end-to-end supply chain for SAWs. This level of diligence does result in more oversight and overhead. While there might be some traction around the concept of providing SAWs to all employees who have elevated-access roles, it would still be very challenging for us to scale to that level of demand. From a global perspective, it is also challenging to ensure the required chain of custody to get SAWs into the hands of administrators in more remote countries and regions. To help us overcome the challenges of scale, we used a phased approach to roll out the Admin SAW policy and provision SAWs.
  • Providing a performant SAW experience for the global workforce. We aim to provide a performant experience for all users, regardless of their location. We have users around the world, in most major countries and regions. Supporting our global workforce has required us to think through and deal with some interesting issues regarding the geo-distribution of services and resources. For instance, locations like China and some places in Europe are challenging because of connectivity requirements and performance limitations. Enforcing SAW in a global company has meant dealing with these issues so that an administrator, no matter where they are located, can effectively complete necessary work.

What’s next

As we stated before, there are no silver-bullet solutions when it comes to security. As part of our defense-in-depth approach to an ever-evolving threat landscape, there will always be new initiatives to drive.

Recently, we started exploring how to separate our administrators from our developers and use a different security approach for the developer roles. In general, developers require more flexibility than administrators.

There also continue to be many other security initiatives around device health, identity and access management, data loss protection, and corporate networking. We’re also working on the continued maturity of our compliance and governance policies and procedures.

Getting started

While it has taken us years to develop, implement, and refine our multitiered, defense-in-depth approach to security, there are some solutions that you can adopt now as you begin your journey toward improving the state of your organization’s security:

  • Design and enforce hygiene. Ensure that you have the governance in place to drive compliance. This includes controls, standards, and policies for the environment, applications, identity and access management, and elevated access. It’s also critical that standards and policies are continually refined to reflect changes in environments and security threats. Implement governance and compliance to enforce least-privileged access. Monitor resources and applications for ongoing compliance and ensure that your standards remain current as roles evolve.
  • Implement least-privileged access. Least-privileged access means using proper RBAC approaches with an emphasis on providing access only to what is absolutely required. Add the necessary access controls to remove the need for Global Administrator or Domain Administrator access, and give everyone only the access they truly need. Build your applications, environments, and tools to use RBAC roles, and clearly define what each role can and can’t do.
  • Remove all persistent access. All elevated access should require JIT elevation. It requires an extra step to get temporary secure access before performing elevated-privilege work. Setting persistent access to expire when it’s no longer necessary narrows your exposed attack surface.
  • Provide isolated elevated-privilege credentials. Using an isolated identity substantially reduces the possibility of compromise after a successful phishing attack. Admin accounts without an inbox have no email to phish. Keeping the information-worker credential separate from the elevated-privilege credential reduces the attack surface.

Microsoft Services can help

Customers interested in adopting a defense-in-depth approach to increase their security posture might want to consider implementing Privileged Access Workstations (PAW). PAWs are a key element of the Enhanced Security Administrative Environment (ESAE) reference architecture deployed by the cybersecurity professional services teams at Microsoft to protect customers against cybersecurity attacks. Note that Microsoft has since retired ESAE in favor of its privileged access strategy guidance (the enterprise access model); the PAW guidance itself remains current.

For more information about engaging Microsoft Services to deploy PAWs or ESAE for your environment, contact your Microsoft representative or visit the Cybersecurity Protection page.

Reaping the rewards

Over the last two years we’ve had an outside security audit expert perform a Cyber Essentials Plus certification process. In 2017, the security audit engineers couldn’t run most of their baseline tests because the SAW’s locked-down configuration blocked them, and they said it was the “most secure administrative-client audit they’ve ever completed.”

In 2018, the security audit engineer said: “I had no chance; you have done everything right,” and added, “You are so far beyond what any other company in the industry is doing.”

Also, in 2018, our SAW project won a CSO50 Award, which recognizes security projects and initiatives that demonstrate outstanding business value and thought leadership. SAW was commended as an innovative practice and a core element of the network security strategy at Microsoft.

Ultimately, the certifications and awards help validate our defense-in-depth approach. We are building and deploying the correct solutions to support our ongoing commitment to securing Microsoft and our customers’ and partners’ information. It’s a pleasure to see that solution recognized as a leader in the industry.

The post Improving security by protecting elevated-privilege accounts at Microsoft appeared first on Inside Track Blog.

Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State http://approjects.co.za/?big=insidetrack/blog/building-an-anti-ransomware-program-at-microsoft-focused-on-an-optimal-ransomware-resiliency-state/ Wed, 19 Jun 2024 15:07:43 +0000

Microsoft strives to deliver the productivity tools and services the world depends on. With this comes the responsibility of ensuring protection, continuity, and resilience from cyberattacks of all sorts—including emerging threats.

Highlighted in the third edition of the Microsoft Digital Defense Report, ransomware and extortion are considered nation-level threats due to the sophistication and boldness of attacks and their financial impact. No business, organization, or government can be considered safe from the crosshairs of ransomware threat actors. Experts estimate that ransomware’s cost to the world could reach $234 billion within the next decade.

To defend against the evolving ransomware landscape, Microsoft created the Optimal Ransomware Resiliency State (ORRS), a key component of its Ransomware Elimination Program.

This post, the third in our series on ransomware, gives an overview of the concept of ORRS and the steps that you can take to build a ransomware resiliency state of your own.

[Read blog one in our ransomware series: Sharing how Microsoft protects against ransomware. | Read blog two in our ransomware series: Why Microsoft uses a playbook to guard against ransomware.]

What is ORRS?

Optimal Ransomware Resiliency State is the term that the Ransomware Elimination Program team uses to describe our aspiration to defeat ransomware attacks—today and in the future.

Specifically, ORRS is the outcome of meeting the requirements covering an extensive set of protection and operational capabilities. Built on the foundation of Zero Trust, our ORRS consists of the collection of requirements for training, capabilities, and controls aligned to the NIST Cybersecurity framework and supported by continuously improved processes and practices. These requirements are common across Microsoft’s business, service, and product groups. Their complete implementation produces an organization-wide state of readiness that protects and defends the company and its customers, while also minimizing exposure and increasing resiliency to ransomware attacks.

“Optimal means we’re doing everything we can do—all the ORRS-required capabilities and controls are in place and verified,” says Monty LaRue, the principal program manager on the Ransomware Elimination Program team.

“It’s about achieving that optimal state through the deployment and operationalization of products, like Microsoft Defender for Endpoint for devices, covering our assets, applications, and infrastructure. We consider training and awareness to be a crucial part of ORRS. It’s essential that everyone knows how to recognize threats and how to respond appropriately. Our toolkit includes incident response plans and playbooks, phishing education and simulation, and other simulation exercises.”

Partnerships are key to producing optimal resiliency

The role of partnerships and teamwork cannot be overstated in the development and maintenance of our Optimal Ransomware Resiliency State. The approach must be holistic and cohesive, closing gaps and seams where possible.

Collaboration and open lines of communication with key stakeholders across Microsoft ensure that products and systems with protection needs are accounted for; likewise, Microsoft’s Ransomware team provides requirements to partnering teams to ensure they are equipped and running the latest defensive measures to minimize their attack surface. All involved parties have a deep understanding of their role in keeping the enterprise and our customers safe.

“We’re looking at Microsoft 365, Windows, and Azure,” LaRue says. “We’re looking at the people running MacOS, Linux, and personal devices within Microsoft. If the platforms and foundations follow Zero Trust principles and are highly resilient to ransomware attacks, everything built on top shares that benefit.”

The Ransomware Elimination Program (REP) team also has close ties to Microsoft’s threat intelligence and research teams, which provide information on the threat landscape and on how attackers’ tactics, techniques, and procedures evolve and trend. They also work with internal Security Operations Centers (SOCs), which monitor threat actors and provide insights via attack data and post-mortems.

Maintaining our Optimal Ransomware Resiliency State also involves using existing technology, such as the Microsoft Defender suite, with a continuous improvement approach to take advantage of its latest capabilities and threat information. Learnings and insights from the ransomware program team flow back to the product and engineering teams in the form of enhancements or new requirements and features, helping to further improve our commercial products and services. One example is the detection of abnormal file activity, such as encryption or exfiltration, for data stores and backups in commercial services such as OneDrive, SharePoint, and Microsoft Azure, which extends beyond Microsoft’s walls to protect all customers.

The practice of continuous improvement is also applied to the response procedures that make up the ransomware incident response playbook. Tabletop exercises based on new threats and information help to uncover gaps in response procedures, while simulations stress test the response system to ensure the involved security professionals have response readiness excellence should an attack ever breach our protective capabilities and controls.

Our commitment to company-wide alignment reduces the risk of a successful attack and the chance of a resulting payoff. “The more you prevent and protect, the less you have to respond and recover,” LaRue says. “The further you are in an attack sequence, the more complex and expensive it is to respond and recover.”

Building toward an optimal state

As we’ve seen throughout this series, ransomware is evolving and attackers are opportunistic. The goalposts for protection continue to shift, and ransomware’s impact on the world shows no signs of slowing. Because of this, there is no universal optimal resiliency state. Every organization’s situation is unique, from level of exposure to threats, to capabilities and services deployed, to protection needs, so every organization’s optimal state must be tailored to their business and risk tolerances.

“The Optimal Ransomware Resiliency State means different things to each organization, it’s different depending on whether your systems are physical, in the cloud, or hybrid, if you provide high availability services or large data stores, and if you work with highly confidential or sensitive data in regulated environments,” LaRue says.

The task of building an optimal ransomware resiliency state begins with a comprehensive inventory of the current state—and that means asking a lot of questions and doing verifications. Start with an understanding of which business-critical systems and services across the organization must be defended and why. It also means understanding the systems themselves, their dependencies, which configurations and controls are enabled, and the state of existing ransomware readiness capabilities. Such an inventory can shed light on high-value targets and the unforeseen risks to them, exposing potential weaknesses and highlighting strengths.

The process of establishing your current state is insightful and has the potential to be humbling, but it encourages taking the next steps in developing your ORRS roadmap. This may include investments in training for response readiness or new technologies to reduce attack surface risk, but all optimal resiliency states require implementing a continuous improvement process to keep the organization and those that depend on it safe now and in the future.

Microsoft’s investment in the Ransomware Elimination Program highlights our commitment to defeating successful ransomware attacks. Establishing our ORRS provides us with learnings and guides us to improving our security posture, which helps the company produce secure and dependable products and services.

Ransomware may be one of the biggest security threats to your organization. Taking up the challenge to develop your own ransomware resiliency state will put you on a path forward to protecting and defending what matters most.

Key Takeaways

  • You will define optimal for your organization, but attackers will always be looking for new avenues. You must be able to shift focus and update ORRS quickly to match the threat and attacker’s agility.
  • Ransomware elimination starts with a shared understanding, frameworks (e.g., Zero Trust), and defining your ORRS. Core protections such as MFA, pervasive backups, and comprehensive telemetry and alerts, as part of a holistic, cohesive effort that spans devices and services, are crucial in responding to cyberthreats like ransomware.
  • Implementing tamper-resistant security capabilities and controls, together with attack surface reduction, reduces your malware-related risks.
  • Understanding the right investments is difficult, especially when threats and attackers are moving fast. Engage early and often within your organization to understand your assets, risks, and state as you define your ORRS and implement capabilities, controls, processes, and practices.


Transforming Microsoft with Microsoft Teams: Collaborating seamlessly, teaming up fearlessly http://approjects.co.za/?big=insidetrack/blog/transforming-microsoft-with-microsoft-teams-collaborating-seamlessly-teaming-up-fearlessly/ Mon, 17 Jun 2024 15:12:23 +0000

On March 13, 2017, Microsoft announced the general availability of one of our most important products ever. It wasn’t an update to the Windows operating system or a new Microsoft Azure service. It was the launch of Microsoft Teams, an integrated collaboration platform that brought together secure chat, real time communication, and integrated collaboration services for all Microsoft Office 365 users. Overnight, Microsoft Teams became the hub for teamwork for millions of people globally, profoundly changing the way they collaborate and communicate every day.

Microsoft Digital was there from the beginning, although at the time we were still known as “End User Services Engineering.” Our role as the company’s IT organization was to serve as Customer Zero of this critical new enterprise capability, deploying and governing the first enterprise-grade Microsoft Teams tenant to validate and improve Teams based on our first-party experience. As Customer Zero, we’ve learned a lot and influenced the Teams experience in the five years since Microsoft Teams was released. A few examples include:

Photo: Eileen Zhou, principal product manager, and Keshav Puttaswamy, partner director of product management, discuss how their Microsoft Digital team can help Microsoft employees get more out of Microsoft Teams.

And that’s just the tip of the iceberg. In fact, we recently shared Five ways Microsoft Teams has transformed Microsoft based on our learnings as Customer Zero.

“There are very few applications or services that have had the transformative impact that Teams has had at Microsoft,” says Eileen Zhou, principal product manager in Microsoft Digital. “Every day, over 200,000 employees all over the world wake up, turn on their PCs, and start to collaborate with Teams. It’s hard to remember what Microsoft was like before Teams, but I know I wouldn’t want to go back!”

Three years after the launch of Microsoft Teams, the professional landscape was forever altered by the COVID-19 pandemic. It was Teams that kept Microsoft employees and millions of people globally connected and productive. As our CEO Satya Nadella explained on LinkedIn, “Every organization requires a digital fabric that connects people, places, and processes.”

Microsoft Teams is the “digital fabric” that keeps Microsoft connected and collaborative across projects, devices, and even different geographies. This blog post describes how.

[Learn how we’re reinventing Microsoft’s Employee Experience for a hybrid world. Check out a new Microsoft Teams app that is helping us facilitate employee connectivity in a challenging hybrid work environment.]

The center of Microsoft’s digital fabric

While those unfamiliar with the power of Microsoft Teams may think of it simply as the place they go for meetings or chats, it’s much more. It’s a cross-platform environment enabling seamless collaboration on any device at any time, which is a critical enabler of hybrid work.

“Microsoft Teams isn’t just our platform for chatting or for making video calls,” says Nathalie D’Hers, corporate vice president of Microsoft Digital. “It’s our hub for teamwork across applications and devices. Teams literally makes hybrid work work at Microsoft.”

The Microsoft Teams product group has a lot of improvements planned for the collaboration platform.

“The next few years are going to be pretty mind-blowing,” says Jeff Teper, Microsoft president for Collaborative Apps and Platforms, speaking at Microsoft Ignite 2022. “The thing that really matters is creating engaging experiences where people stay connected. Given that distributed work is very much here to stay, we’ve got to innovate and try new experiences beyond just video.”

Staying connected so hybrid teams can collaborate seamlessly is critical for any modern enterprise.

How is Microsoft driving innovation through Microsoft Teams? There’s already a lengthy list of Teams-based experiences that are helping hybrid teams to thrive, including Microsoft Loop for seamless collaboration across Microsoft 365 apps, Microsoft Stream for enterprise video viewing and storage, Power Virtual Agents to easily incorporate intelligent chat bots, and Microsoft Viva: our Employee Experience Platform (EXP) that supports employee connections, insights, purpose, and growth.

Beyond those experiences, there’s more innovation on the horizon with Microsoft Teams Mesh, the metaverse, and additional investments in security, app integration, and the Microsoft Power Platform. We’ll explore each of those further in a little bit.

Keeping connected in a hybrid world

In Microsoft Digital, when we think about Microsoft Teams, we reflect on three phases of product usage and growth.

  • The first phase ran from March 2017, when Microsoft Teams reached general availability, until March 2020. Over those first three years, usage grew rapidly, and Teams expanded well beyond being a platform just for synchronous communication and asynchronous chat.
  • We’re still in the second phase, which began during the pandemic. Essential before the pandemic, Microsoft Teams is now the critical tool that enables Microsoft employees—and employees, students, and teachers globally—to stay connected.
  • The third phase is right around the corner. Microsoft Teams will continue to propel Microsoft into the future as hybrid work becomes the new normal for information workers globally.

This growth and innovation are fueled by our feedback as Customer Zero and that of countless customers who are striving to invest in their employees and improve their hybrid experience.

Hybrid work (the second phase)

While remote and hybrid work existed prior to COVID-19, the pandemic acted as an incredible accelerator of trends we were already observing in the marketplace. As Satya said in May of 2020, “We’ve seen two years’ worth of digital transformation in two months.”

How did that manifest?

  • Microsoft Teams meeting usage increased 148 percent
  • Chat usage increased 45 percent
  • 6 billion more emails were sent
  • Collaboration in Microsoft Office documents increased by 66 percent
Chart: Microsoft employees’ time in meetings and time spent chatting have climbed steadily since the start of the COVID-19 pandemic; usage of Microsoft 365 apps and services soared, a trend that has only accelerated.

Microsoft launched the Work Trend Index, an annual survey of 30,000-plus workers across industries, to better understand the changing world of work. Nadella and LinkedIn CEO Ryan Roslansky shared the results of the updated index in September 2022. The three key findings were:

  1. Leaders need to end “productivity paranoia.”
  2. They need to embrace the fact that people come in for each other.
  3. Re-recruiting your best employees is possible by offering better learning and development support.

Digging deeper into each of these insights offers an opportunity to think differently about hybrid work:

  • While 87 percent of workers indicate that they feel productive in a hybrid work environment, only 12 percent of leaders have confidence that their team is productive.
  • Business leaders and managers expressed an overwhelming desire to have people in the office so they could interact with their teams. Seventy-three percent of employees say they need a better reason to go into the office than just company expectations.
  • Employees at all levels are looking for companies that support their learning and development needs. Seventy-six percent of employees reported that they would stay at their company longer if they could benefit more from learning and development support.

The workplace of today is dramatically different than the pre-pandemic workplace, and Microsoft Teams is the digital fabric that’s enabling our employees to thrive by:

  • Facilitating connection to keep people productive wherever they are;
  • Keeping teams and people connected through chat and video calls;
  • Enabling the discovery and consumption of learning opportunities through capabilities like Microsoft Viva Learning;
  • Helping our leaders to stop worrying about the productivity of their remote and hybrid teams by ensuring they have all the tools to remain productive and connected on any device and at any time.

Critically, Microsoft Teams is the enterprise-wide hub for content discovery, collaboration, and document co-editing. At Microsoft, we’ve observed that it can help to end the “productivity paranoia” that so many business leaders are experiencing.

How has Microsoft Teams evolved for hybrid work?

Because Microsoft Teams is one of the most important tools for keeping teams connected globally, Microsoft continuously innovates, with new features and capabilities released monthly. In fact, there were over 450 new features released in 2022 alone! A few recent standouts include:

  • Microsoft Polls for quick check-ins. Presenters can now launch a poll without preparing in advance. Simply ask your question aloud and people can answer by selecting one of two answers (yes or no, thumbs up or down, heart or broken heart).
  • Together Mode. This feature uses AI segmentation technology to digitally place participants in a shared background, making it feel like you’re sitting in the same room with everyone else in the meeting.
  • Background noise suppression. Helps those who have their microphone turned on in a Microsoft Teams meeting or call eliminate any background noises, allowing meeting participants to stay focused and less distracted.
  • Your favorite apps. The app store in Microsoft Teams allows you to use tools you’re already familiar with directly inside your collaboration experience. The ability to extend this with custom, developed apps, written by your own organization, minimizes fatigue-inducing context switching.

Accelerating our hybrid work journey with Microsoft Teams

Sisson speaks while attending a meeting in Microsoft Teams. She is shown in a screenshot taken of the Teams interface.
The Microsoft Digital team that deploys and manages Microsoft Teams across the company provides the product group with feedback that helps make Microsoft Teams better for customers, says Claire Sisson, principal group product manager in Microsoft Digital.

In addition to new features, Microsoft Teams is the digital fabric that brings together many of the most powerful elements of Microsoft 365 into a single canvas focused on collaboration.

“When I think of tools that give Microsoft a competitive edge in the marketplace, Teams immediately comes to mind,” says Sara Bush, principal PM manager in Microsoft Digital. “It’s the one place where our employees go to collaborate, communicate, and to stay connected. And the innovations keep coming to ensure that Microsoft—and our customers—maintain that edge.”

Now, we’ll share more details on some of the most powerful integrations that have accelerated our own hybrid journey and that have helped us to achieve that edge:

  • Microsoft Loop. This new app designed for the hybrid workplace enables users to seamlessly collaborate as they move freely across Microsoft 365. Loop components enable hybrid teams to collaborate on things like lists, tables, or notes across any Microsoft 365 app, including Microsoft Teams, and there are more innovative experiences to come. Visit Microsoft Loop: Flexible Canvas App to learn more.
  • Microsoft Stream. Video capture and viewing is an essential part of modern hybrid work, enabling asynchronous meetings that support flexible schedules and global teams. Stream makes it simple to capture, share, and measure the impact of video in your enterprise. Visit Microsoft Stream—Enterprise Video Platform to learn more.
  • App integration. Microsoft Teams features powerful apps built by Microsoft that enhance user productivity and collaboration as well as a large catalog of third-party apps for many popular and useful services. It’s also easy to integrate Microsoft Power Apps. Visit Know about apps in Microsoft Teams to learn more.
  • Shared channels. Does your team collaborate with individuals outside your organization? Microsoft Teams Connect shared channels enable users to seamlessly collaborate across organizational or company boundaries. Visit shared channels in Microsoft Teams to learn more.

We’ll be publishing deep dives into each of these new technologies soon to give you a better view into how these experiences are shaping our employee experience at Microsoft and how they can support yours too.

Upgrading your physical space

One surprising outcome of the move to hybrid work was the fact that satisfaction with the meeting experience increased during the pandemic. Why? The pandemic leveled the playing field for meeting participants. No longer were remote attendees disadvantaged while in-person participants had access to physical whiteboards, could read others’ body language, or could more easily participate in discussion or Q&A. It was an eye-opener for all of us in Microsoft Digital and has informed our approach to space planning and Microsoft Teams development since.

That simple insight has led to breakthroughs that enable more immersive and effective hybrid meetings. One such breakthrough is the new Microsoft Teams Rooms front row layout, which is designed to enhance hybrid meetings and foster a greater sense of connection and collaboration for remote attendees and in-room meeting participants alike. Front row moves the video gallery to the bottom of the screen, showing virtual attendees at eye level with people inside the meeting room for a more natural face-to-face interaction—as if everyone were all in the same room.

Three people who are physically in a conference room look at a wall display where the online meeting participants are arrayed across the bottom of the screen in the front row layout.
A prototype Microsoft Teams Rooms meeting experience that demonstrates the new front row layout.

Meeting chat and a rostered view of participants with raised hands are brought to the front-of-room screen, so people in the room can easily see the conversation and actively participate.

Bush smiles in a photo taken outside in front of some greenery.
The Microsoft Teams product group keeps rolling out improvements to the collaboration platform that help make Microsoft employees more productive, says Sara Bush, principal PM manager on the Microsoft Digital team.

In Microsoft Digital, we’re partnering with our peers in Global Workplace Services and the Microsoft Teams Product Group to explore different physical and virtual layouts in our interactive Hive space. Read How Microsoft is rethinking the hybrid meeting room experience with Microsoft Teams to experience the Hive firsthand. And if you want to have some fun while becoming more skilled with hybrid meetings, read how we’re teaching Microsoft employees healthy hybrid meeting habits with Minecraft.

Hybrid meeting best practices

One area where Microsoft struggled, especially in the early days of the pandemic, was facilitating inclusive and productive hybrid meetings. While there are lots of different ways to ensure your meetings are inclusive, we’ve learned that if you just do these three things, you’re more likely to have meetings that your employees see as inclusive:

  • Use a centralized audio device to ensure virtual attendees can hear clearly. Laptop microphones, especially if multiple devices are in use within a single room, can create distracting feedback or echo effects.
  • Turn your camera on, even if you’re in the room, so folks can make eye contact and read body language. And if you’re uncomfortable leaving your camera on for the whole meeting, start with your camera on so you can make a connection with other participants if possible.
  • Designate a moderator to bridge the digital/physical divide by looking for raised hands, comments or questions in the chat, as well as looking for participants who come off mute (who may be trying to ask a question or make a comment).

For more tips, see Driving inclusive and effective meetings at Microsoft with Microsoft Teams.

Looking forward—the ‘third phase’

So, what’s ahead in the “third phase” of Microsoft Teams’ journey? Many exciting developments are just on the horizon, including a Microsoft Teams Premium option with a host of features to enhance user experience, additional Microsoft Power Platform alignment and integration, more secure meetings, and enhancements to infrastructure to support sustained growth. But perhaps one of the more exciting developments in Microsoft Teams is supporting the metaverse with Microsoft Mesh.

Microsoft Mesh for Teams

On the horizon, Mesh for Microsoft Teams will provide even more spectacular opportunities for collaboration and teamwork in the metaverse.

A screenshot of a Microsoft Teams meeting where all nine people attending are using personalized avatars.
Using avatars in Microsoft Teams is one of many fun new features coming to the platform.

Here’s how Teper described Microsoft Mesh at Microsoft Ignite: “Mesh is our platform for building immersive experiences. It’s three things. Avatars in Teams, which is fun and a first step to more 3D experiences. Second is putting that avatar in a 3D space with other people and connecting it to 2D meetings so it’s inclusive and everybody can participate … and then we want people to create completely custom worlds to work and learn.”

The potential for building deep, immersive worlds that enable new and inclusive ways to collaborate in the hybrid workplace is obviously very exciting. And while these are still the very early days for Microsoft Mesh (which is available currently only as a private preview), perhaps more than just about any other technology, Mesh has the potential of helping Microsoft to achieve its mission of “empowering every person and every organization on the planet to achieve more.”

Key Takeaways

While our journey with Microsoft Teams started years ago, it’s clear that this is just the beginning, and the best is yet to come.

“The pace of innovation in Teams has been incredible, and it’s a huge point of pride in Microsoft Digital that we’ve been able to partner closely with our product team counterparts to build, test, and deploy so many of those innovative capabilities,” says Claire Sisson, principal group product manager in Microsoft Digital. “And the pace will just continue to accelerate as we build the collaborative features needed to power teams into the future, like the incorporation of AI in Microsoft Teams Premium.”

Since 2017, the pace of innovation with Microsoft Teams has been blistering, and Teams will continue to innovate to meet the needs of our employees, customers, and partners as the world adjusts to the new normal of hybrid work. We’re excited to be on this journey together, and even more excited to continue to influence the direction of Teams based on our experience as Customer Zero at Microsoft.

Related links

We'd like to hear from you!
Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Transforming Microsoft with Microsoft Teams: Collaborating seamlessly, teaming up fearlessly appeared first on Inside Track Blog.

Unlocking the potential of Copilot for Microsoft 365 at the role level http://approjects.co.za/?big=insidetrack/blog/unlocking-the-potential-of-copilot-for-microsoft-365-at-the-role-level/ Fri, 14 Jun 2024 19:45:13 +0000

The post Unlocking the potential of Copilot for Microsoft 365 at the role level appeared first on Inside Track Blog.

There’s no question: Copilot for Microsoft 365 is changing how work gets done here at Microsoft and beyond. An intelligent digital assistant with access to any company data you need that can process and accomplish requests using natural language—that’s a powerful productivity booster.

But how do you zero in on the scenarios and use cases that matter most to individual employees?

At Microsoft Digital, our company’s IT organization, we’re helping our employees get the most value out of this powerful new tool by identifying the roles where AI assistance can drive the most upfront impact, then developing hero scenarios to help them start using Copilot. The result is our Copilot for Microsoft 365 Hero Scenario Playbook, a functional framework that helps teams discover ways that specific roles can adopt Copilot into their work and drive value.

When we started rolling Copilot for Microsoft 365 out across the company, our priority in Microsoft Digital was giving as many employees as possible the chance to explore this exciting new tool. In a sense, we gave everyone the keys to the car and invited them to drive AI’s open road.

It resulted in a lot of exploration, increased usage, and some very eager early adopters. To help as many people get up to speed with Copilot as possible, we focused our initial adoption efforts on a common professional persona: the modern information worker.

“This is the beginning of an entirely new meta-skill,” says Don Campbell, a senior director on Microsoft Digital’s Employee Experience Success team. “People are thinking through new habits and ways of working as they learn what Copilot is capable of enabling.”

Because of the excitement around AI, uptake was rapid and enthusiastic. Our next step was building on that initial surge of adoption and experimentation to drive more profound, targeted impact.

Actioning inspiration: Building a pathway to hero scenarios

Campbell and Layne pose for pictures that have been assembled into a composite.
Don Campbell and Heather Layne were part of the Microsoft Digital team working on our Copilot Hero Scenario Playbook.

As Copilot for Microsoft 365 usage began to mature across the company, we saw opportunities to build on this momentum by presenting more contextual applications for AI. Within Microsoft Digital, we decided to create a standardized process for defining Copilot hero scenarios in roles where initial applications of AI could have the greatest impact. Concrete scenarios would resonate with those professionals by addressing real-world challenges they face every day, saving them time and bandwidth.

Ultimately, we had one goal: accelerating time to value for Copilot users.

“We wanted to explore how we could make Copilot more real to the individual,” Campbell says. “They’re asking how they can use this in ways that are specific to their role, in their function, in their organization.”

We identified five main objectives to help us get there:

  • Understand the top responsibilities, challenges, needs, and wants of priority roles.
  • Articulate and communicate hero scenarios for those roles and depict ways for Copilot to enable their work.
  • Outline blockers and accelerators for Copilot adoption and hero scenarios.
  • Generate feedback for product groups to improve Copilot.
  • Share playbook outputs with our product marketing group and post them in our Copilot Lab, our publicly available repository of Copilot prompts, to contribute value to external users.

“From the beginning, we set out to articulate our objectives and our deliverables, then worked back from there,” says Heather Layne, a director of program management on the Employee Experience Success team in Microsoft Digital. “When it came to research, we relied on our EX Studio for step-by-step guidance on purposeful engagement.”

That process unfolded in a layered approach. First, we identified the Microsoft organizations that were best positioned to receive our support. Thanks to strong interest and a robust cohort of early adopters, sales, HR, and finance were excellent candidates for our first efforts.

Fernandez smiles in a corporate photo.
Christopher Fernandez is a corporate vice president in Human Resources.

From there, we worked with stakeholders and AI adoption teams within each of those organizations to prioritize roles according to a rubric of criteria. Those criteria focused on enthusiasm for adoption, readiness for the next level of engagement, the number of people represented by that role within their organization, and Copilot’s applicability for their work—especially for repetitive, context-rich, or communication-intensive tasks.

“In HR, for example, we ensured there was complete thinking regarding a reimagination of our business functional architecture,” says Christopher Fernandez, corporate vice president in HR. “We identified key roles and corresponding workflows that could directly benefit from Copilot for Microsoft 365 by removing mundane and repetitive tasks and providing insight to creative solutions needed to deliver business value.”

After we identified those roles, we moved into focus-group sessions with 10 to 20 participants, all selected because they had been actively using Copilot and could provide practical ideas and suggestions. It was an opportunity to tap into willing talent and let our leaders lead.

The output of those sessions came down to three hero scenarios per role, each with six steps and six Copilot prompts to propel those processes forward, as well as the relevant Microsoft tools where the prompts would apply. We also ensure these scenarios align with the company’s Responsible AI principles.

For example, our Finance team identified operations manager as a priority role. One of its key scenarios included managing contracts, and it demonstrates how prompts come together across several apps to create a process bolstered and streamlined by automation.

A Copilot hero scenario for a Microsoft finance operations manager outlining six steps, their hosting apps, and their relevant Copilot prompts.
The central output from the Copilot for Microsoft 365 Hero Scenario Playbook is a six-step, six-prompt workflow applicable to a specific priority role—in Finance in this case.

“That output then served as an input in a few different places,” Campbell says. “We evangelized it out to the organization itself to help drive ideation, adoption, and usage, to our product marketing group for customer scenarios, and to our Copilot Lab to provide freely available examples of prompts.”

As a result, we’ve been able to boost Copilot adoption and usage across Microsoft, providing specific, concrete opportunities for people to apply this new way of working to their roles.

Crafting your own Copilot for Microsoft 365 hero scenarios

This process has the benefit of being structurally simple, modular, and repeatable—so much so that we’ve made it freely available to any organization that’s using Copilot for Microsoft 365 in the form of our Copilot for Microsoft 365 Hero Scenario Playbook. Whether you’re adopting Copilot across your entire organization, a department, a business group, or a team, we strongly encourage you to work through this exercise.

“We want organizations to know that there are opportunities to keep this process controlled and standardized,” Layne says. “By aligning with rubrics and setting up standard practices, you know you’re not just putting in time to create something that isn’t helpful or impactful.”

Our playbook walks adoption leaders through a four-stage process that includes readiness, engagement, delivering an output, and sharing results with employees. To accelerate time to value, we’ve designed the process implementation across three weeks.

The process of developing and sharing a Copilot hero scenario through all four phases: Ready, engage, deliver, and share.
The Copilot for Microsoft 365 Hero Scenario Playbook breaks our framework out into four phases: Ready, engage, deliver, and share.

Friedman poses in a professional headshot.
Liz Friedman helps lead AI adoption within our HR department.

By following the playbook through four phases, you can accomplish what we’ve done at Microsoft: understanding what your priority roles need to be successful, articulating hero scenarios tailored to their work, and sharing the outputs with your organization to accelerate time to value for Copilot users.

Phase 1: Ready

This phase will help your organization, department, or team prepare for the process. It involves aligning with leadership and sponsors who will be accountable for driving Copilot value within their organization. It’s also where you’ll select the priority roles, draft outlines of those roles so you can clarify your understanding of their needs and wants, and seek out feedback from leaders, managers, and subject matter experts.

Phase 2: Engage

Engaging with employees delivers the core value of this exercise. In the engagement phase, you’ll identify participants from your priority roles who demonstrate enthusiasm and early aptitude with Copilot. From there, you choose an engagement approach that might include in-person group sessions, virtual Microsoft Whiteboard sessions, one-on-one interviews, Microsoft 365 Loop collaboration, or whatever modality works best, then communicate the process to participants and conduct your engagement.

D’Hers smiles in a corporate photo.
Nathalie D’Hers is a corporate vice president and the leader of Microsoft Digital.

Phase 3: Deliver

Ideating hero scenarios is how you discover value. The delivery phase defines that value and organizes it into a useful, consumable format. It starts with reviewing and analyzing the outcomes of your sessions to gain insights and identify themes. Now is the time to document your hero scenarios and the value they add, as well as blockers and accelerators. Finally, you’ll provide your output: a comprehensive deck that includes your priority roles, hero scenarios, next steps, and more.

Phase 4: Share

The final phase of this process involves socializing your scenarios across your team or organization to realize value. If you’re part of a large organization, it’s helpful to radiate these outputs beyond the target group as an opportunity for further Copilot momentum. This stage includes diving deeper into blockers and accelerators that can help your organization as a whole speed time to value.

“So much of adoption comes down to the question of ‘What’s in it for me?’” says Liz Friedman, a senior director of HR AI Transformation. “The ability to answer that question at the role level, at the level of fidelity that really resonates with what employees actually do, creates a strong bridge between the realm of possibility and day-to-day reality.”

Capturing the limitless value of AI

The shift to AI is about more than productivity. It’s about new ways of working and new ways of being.

Thanks to the modular nature of this framework, teams across Microsoft can now apply this process to their own professional needs. As time goes on, the goal is for different organizations and roles to uncover robust and efficient ways of working.

“With Copilot, we’re building new skillsets, but also new habits,” says Nathalie D’Hers, corporate vice president of Microsoft Digital. “That takes experimentation and learning, but the payoff is transformative.”

By learning from our experience and working through the Copilot for Microsoft 365 Hero Scenario Playbook, your organization can execute best practices that will make the most of your AI investment, deliver value faster, manage change effectively, and scale across your organization.

Access the Copilot for Microsoft 365 Hero Scenario Playbook here.

Key Takeaways

Here are some tips for getting started with developing persona-specific scenarios for priority roles at your company:

  • Build strong organizational partnerships and add this process into AI efforts that teams already have underway. Identify the key AI leaders and champions on those teams.
  • This process is additive and iterative, so don’t be married to the playbook. Start with the framework, then allow it to grow around organic efforts.
  • Frame your scenarios around business processes, then layer on the technology.
  • Validate your results through active communication, especially after you’ve socialized your hero scenarios. That ensures you sort the signal from the noise and capture even greater value moving forward.
  • For your working groups, make sure you’re choosing teams and people who have good engagement with the tool, especially enthusiasts and early adopters. This also gives people the chance to learn from each other and build on their colleagues’ ideas.
  • Have a game plan about where to go next in terms of sharing and piloting. Include follow-ups and baselines so these outputs don’t just sit on the shelf.
  • Get multiple perspectives. No role is exactly the same, even if the job title is. Bringing people who do similar work together and hearing commonalities and differences is very helpful and provides an opportunity to benefit from a diversity of perspectives.

Try it out

New to Copilot for Microsoft 365? Get started today and see what’s possible.

Implementing Microsoft Azure cost optimization internally at Microsoft http://approjects.co.za/?big=insidetrack/blog/implementing-microsoft-azure-cost-optimization-internally-at-microsoft/ Fri, 14 Jun 2024 17:35:40 +0000

The post Implementing Microsoft Azure cost optimization internally at Microsoft appeared first on Inside Track Blog.

Our Microsoft Digital team is aggressively pursuing Microsoft Azure cost optimization as part of our continuing effort to improve the efficiency and effectiveness of our enterprise Azure environment here at Microsoft and for our customers.

Adopting data-driven cost-optimization techniques, investing in central governance, and driving modernization efforts throughout our Microsoft Azure environment make our environment—one of the largest enterprise environments hosted in Azure—a cost-efficient blueprint that customers can look to for lessons on lowering their own Azure costs.

We began our digital transformation journey in 2014 with the bold decision to migrate our on-premises infrastructure to Microsoft Azure so we could capture the benefits of a cloud-based platform—agility, elasticity, and scalability. Since then, our teams have progressively migrated and transformed our IT footprint to the largest cloud-based infrastructure in the world—we host more than 95 percent of our IT resources in Microsoft Azure.

The Microsoft Azure platform has expanded over the years with the addition of hundreds of services, dozens of regions, and innumerable improvements and new features. In tandem, we’ve increased our investment in Azure as our core destination for business solutions at Microsoft. As our Azure footprint has grown, so has the environment’s complexity, requiring us to optimize and control our Azure expenditures.

[Discover how we’re using Microsoft Azure to retire hundreds of physical branch-office servers. Explore building an agile and trusted SAP environment on Microsoft Azure. Unpack optimizing SAP for Microsoft Azure.]

Optimizing Microsoft Azure cost internally at Microsoft

Our Microsoft Azure footprint follows the resource usage of a typical large-scale enterprise. In the past few years, our cost-optimization efforts have become more targeted as we’ve worked to contain the rising total cost of ownership in Azure, driven by factors including increased migrations from on-premises and business growth. This focus on optimization prompted an investment in tools and data insights for cost optimization in Azure.

The built-in tools and data that Microsoft Azure provides form the core of our cost-optimization toolset. We derive all our cost-optimization tools and insights from data in Microsoft Azure Advisor, Microsoft Azure Cost Management and Billing, and Microsoft Azure Monitor. We’ve also implemented design optimizations based on modern Azure resource offerings. We extract recommendations from Azure Advisor across the different Azure service categories and push those recommendations into our IT service management system, where the services’ owners can track and manage the implementation of recommendations for their services.

Understanding holistic optimization

As the first and largest adopter of Microsoft Azure, we’ve developed best practices for engineering and maintenance in Azure that support not only cost optimization but also a comprehensive approach to capturing the benefits of cloud computing in Azure. We developed and refined the Microsoft Well-Architected Framework as a set of guiding tenets for Azure workload modernization and a standard for modern engineering in Azure. Cost optimization is one of five components in the Well-Architected Framework that work together to support an efficient and effective Azure footprint. The other pillars include reliability, security, operational excellence, and performance efficiency. Cost optimization in Azure isn’t only about reducing spending. In Azure’s pay-for-what-you-use model, using only the resources we need when we need them, in the most efficient way possible, is the critical first step toward optimization.

Optimization through modernization

Reducing our dependency on legacy application architecture and technology was an important part of our first efforts in cost optimization. We migrated many of our workloads from on-premises to Microsoft Azure by using a lift-and-shift method: imaging servers or virtual machines exactly as they existed in the datacenter and migrating those images into virtual machines hosted in Azure. Moving forward, we’ve focused on transitioning those infrastructure as a service (IaaS) based workloads to platform as a service (PaaS) components in Azure to modernize the infrastructure on which our solutions run.

Focus areas for optimization

We’ve maintained several focus areas for optimization. Ensuring the correct sizing for IaaS virtual machines was critical early in our Microsoft Azure adoption journey, when those machines accounted for a sizable portion of our Azure resources. We currently operate at a ratio of 80 percent PaaS to 20 percent IaaS, and to achieve this ratio we’ve migrated workloads from IaaS to PaaS wherever feasible. This means transitioning away from workloads hosted within virtual machines and moving toward more modular services such as Microsoft Azure App Service, Microsoft Azure Functions, Microsoft Azure Kubernetes Service, Microsoft Azure SQL, and Microsoft Azure Cosmos DB. PaaS services like these offer better native optimization capabilities in Microsoft Azure than virtual machines, such as automatic scaling and broader service integration. As the number of PaaS services has increased, automating scalability and elasticity across PaaS services has been a large part of our cost-optimization process. Data storage and distribution have been another primary focus area as we modify scaling, size, and data retention configuration for Microsoft Azure Storage, Azure SQL, Azure Cosmos DB, Microsoft Azure Data Lake, and other Azure storage-based services.

Implementing practical cost optimization

While Microsoft Azure Advisor provides most recommendations at the individual service level—Microsoft Azure Virtual Machines, for example—implementing these recommendations often takes place at the application or solution level. Application owners implement, manage, and monitor recommendations to ensure continued operation, account for dependencies, and keep the responsibility for business operations within the appropriate business group at Microsoft.

For example, we performed a lift-and-shift migration of our on-premises virtual lab services into Microsoft Azure. The resulting Azure environment used IaaS-based Azure virtual machines configured with nested virtualization. The initial scale was manageable using the nested virtualization model. However, the Azure-based solution was more convenient for hosting workloads than the on-premises solution, so adoption began to increase exponentially, which made management of the IaaS-based solution more difficult. To address these challenges, the engineering team responsible for the virtual lab environment re-architected the nested virtual machine design to incorporate a PaaS model using microservices and Azure-native capabilities. This design made the virtual lab environment more easily scalable, efficient, and resilient. The re-architecture addressed the functional challenges of the IaaS-based solution and reduced Azure costs for the virtual lab by more than 50 percent.

In another example, an application used Microsoft Azure Functions with the Premium App Service Plan tier to account for long-running functions that wouldn’t run properly without the extended execution time enabled by the Premium tier. The engineering team converted the logic in the Function Apps to use Durable Functions, an Azure Functions extension, and more efficient function-chaining patterns. This reduced execution time to less than 10 minutes, which allowed the team to switch the Function Apps to the Consumption tier, reducing cost by 82 percent.

Governance

To ensure effective identification and implementation of recommendations, governance in cost optimization is critical for our applications and the Microsoft Azure services that those applications use. Our governance model provides centralized control and coordination for all cost-optimization efforts. Our model consists of several important components, including:

  • Microsoft Azure Advisor recommendations and automation. Advisor cost management recommendations serve as the basis for our optimization efforts. We channel Advisor recommendations into our IT service management and Microsoft Azure DevOps environment to better track how we implement recommendations and ensure effective optimization.
  • Tailored cost insights. We’ve developed dashboards that identify the costliest applications and business groups and surface opportunities for optimization. The data these dashboards provide helps engineering leaders observe and track the important Azure cost components in their service hierarchy and confirm that optimization is effective.
  • Improved Microsoft Azure budget management. We perform our Azure budget planning by using a bottom-up approach that involves our finance and engineering teams. Open communication and transparency in planning are important, and we track forecasts for the year alongside actual spending to date to enable accurate adjustments to spending estimates and closely track our budget targets. Relevant and easily accessible spending data helps us identify trend-based anomalies to control unintentional spending that can happen when resources are scaled or allocated unnecessarily in complex environments.
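The Advisor-to-ITSM flow described earlier and in the governance list above can be sketched in code. The following is an added example, not Microsoft Digital's own tooling: it takes a pull of Advisor recommendations, keeps only the Cost category, drops repeats from earlier polls, assigns each item to the service owner of its resource group, attaches a priority and an SLA date derived from the Advisor impact level, and rolls up savings per owner for the dashboards and overdue items for the leadership review. The records are constructed to mirror the shape of the Advisor REST API `recommendations` resource; the owner map, the SLA table and the savings extended properties are assumptions.

```python
"""Route Azure Advisor cost recommendations into owner-assigned work items.

Added example; not Microsoft Digital's pipeline. Sample records are
constructed to mirror the Azure Advisor REST API `recommendations` shape
(id, properties.category/impact/shortDescription/resourceMetadata/
extendedProperties). Owner map, SLA table and savings fields are assumed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS = {"High": 14, "Medium": 30, "Low": 60}   # assumed days to implement
PRIORITY = {"High": 1, "Medium": 2, "Low": 3}      # 1 = highest

# Constructed resource group -> accountable owner map (from the CMDB in practice).
OWNERS = {"rg-virtual-lab": "virtual-lab-engineering",
          "rg-billing-api": "billing-platform"}

_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_RG_RE = re.compile(r"/resourceGroups/([^/]+)/", re.IGNORECASE)


def _rec(rec_id, category, impact, rg, rtype, name, problem, savings=None):
    """Build one constructed, Advisor-shaped recommendation record."""
    resource_id = f"{_SUB}/resourceGroups/{rg}/providers/{rtype}/{name}"
    props = {"category": category, "impact": impact, "impactedField": rtype,
             "impactedValue": name,
             "shortDescription": {"problem": problem, "solution": "See Advisor detail"},
             "resourceMetadata": {"resourceId": resource_id}}
    if savings is not None:  # only cost recommendations carry an estimated saving
        props["extendedProperties"] = {"annualSavingsAmount": str(savings),
                                       "savingsCurrency": "USD"}
    return {"id": f"{resource_id}/providers/Microsoft.Advisor/recommendations/{rec_id}",
            "properties": props}


# Constructed sample pull: three cost items (one returned twice, as happens when
# Advisor is polled repeatedly) plus one non-cost item that belongs elsewhere.
SAMPLE_RECOMMENDATIONS = [
    _rec("rec-0001", "Cost", "High", "rg-virtual-lab", "Microsoft.Compute/virtualMachines",
         "lab-host-01", "Right-size or shut down underutilized virtual machines", 2400),
    _rec("rec-0002", "Cost", "Medium", "rg-billing-api", "Microsoft.DocumentDB/databaseAccounts",
         "cosmos-billing", "Reduce provisioned throughput on an overprovisioned account", 9800),
    _rec("rec-0003", "Cost", "Low", "rg-virtual-lab", "Microsoft.Storage/storageAccounts",
         "labstorage01", "Move infrequently accessed blobs to a cooler tier", 300),
    _rec("rec-0004", "Security", "High", "rg-billing-api", "Microsoft.Compute/virtualMachines",
         "billing-vm-01", "Enable disk encryption"),
    _rec("rec-0001", "Cost", "High", "rg-virtual-lab", "Microsoft.Compute/virtualMachines",
         "lab-host-01", "Right-size or shut down underutilized virtual machines", 2400),
]


@dataclass(frozen=True)
class WorkItem:
    recommendation_id: str
    owner: str
    priority: int
    title: str
    resource_id: str
    annual_savings: float
    due: date


def resource_group_of(resource_id: str) -> str | None:
    """Pull the resource group segment out of an ARM resource ID."""
    m = _RG_RE.search(resource_id)
    return m.group(1) if m else None


def to_work_items(recommendations, owners=OWNERS, today=date(2024, 6, 1)):
    """Turn a raw Advisor pull into de-duplicated, owner-assigned work items."""
    seen, items = set(), []
    for rec in recommendations:
        props = rec["properties"]
        if props.get("category") != "Cost" or rec["id"] in seen:
            continue  # other categories have their own queue; skip repeats
        seen.add(rec["id"])
        impact = props.get("impact", "Low")
        resource_id = props["resourceMetadata"]["resourceId"]
        savings = float(props.get("extendedProperties", {}).get("annualSavingsAmount", 0))
        items.append(WorkItem(
            recommendation_id=rec["id"].rsplit("/", 1)[-1],
            owner=owners.get(resource_group_of(resource_id), "unassigned"),
            priority=PRIORITY.get(impact, 3),
            title=f"[Advisor/Cost/{impact}] {props['shortDescription']['problem']}: "
                  f"{props['impactedValue']}",
            resource_id=resource_id,
            annual_savings=savings,
            due=today + timedelta(days=SLA_DAYS.get(impact, 60))))
    # Highest impact first, then largest estimated saving within an impact level.
    items.sort(key=lambda w: (w.priority, -w.annual_savings))
    return items


def savings_by_owner(items):
    """Roll up estimated annual savings per accountable owner (dashboard input)."""
    totals = defaultdict(float)
    for w in items:
        totals[w.owner] += w.annual_savings
    return dict(totals)


def overdue(items, as_of):
    """Recommendation IDs past their SLA date (ISO string or date), for the review."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    return [w.recommendation_id for w in items if w.due < as_of]
```

The de-duplication on the full recommendation `id` matters because Advisor keeps returning an open recommendation on every poll; without it each governance cycle would open a fresh ticket for the same resource. Ownership is resolved from the resource group rather than the subscription so that accountability stays with the service owner, which is the model the governance section describes.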

Implementing a governance solution has enabled us to realize considerable savings by making a simple change to Microsoft Azure resources across our entire footprint. For example, we implemented a recommendation to convert Microsoft Azure SQL Database instances from the Standard database transaction unit (DTU) based tier to the General Purpose Serverless tier by using a simple Microsoft Azure Resource Manager template and the auto-pause capability. The configuration change reduced costs by 97 percent.

Benefits of Microsoft Azure

Ongoing optimization in Microsoft Azure has enabled us to capture the value of Azure to help increase revenue and grow our business. Our yearly budget for Azure has remained almost static since 2014, when we hosted most of our IT resources in on-premises datacenters. Over that period, Microsoft has grown by more than 20 percent,

Our recent optimization efforts have resulted in significantly reduced spending across numerous Microsoft Azure services. Examples, in addition to those already mentioned, include:

  • Right-sizing Microsoft Azure virtual machines. We generated more than 300 recommendations for VM size changes to increase cost efficiency. These recommendations included switching to burstable virtual machine sizes and accounted for a 15 percent cost savings.
  • Moving virtual machines to the latest generation of virtual machine sizes. Moving from older D-series and E-series VM sizes to their current counterparts generated almost 2,500 recommendations and a cost savings of approximately 30 percent.
  • Implementing Microsoft Azure Data Explorer recommendations. More than 200 recommendations were made for Microsoft Azure Data Explorer optimization, resulting in significant savings.
  • Incorporating Cosmos DB recommendations. More than 170 Cosmos DB recommendations reduced cost by 11 percent.
  • Implementing Microsoft Azure Data Lake recommendations. More than 30 Azure Data Lake recommendations combined to reduce costs by approximately 15 percent.

Key Takeaways

Cost optimization in Microsoft Azure can be a complicated process that requires significant effort from several parts of the enterprise. The following are some of the most important lessons that we’ve taken from our cost-optimization journey:

Implement central governance with local accountability

We implemented a central audit of our Microsoft Azure cost-optimization efforts to help improve our Azure budget-management processes. This audit enabled us to identify gaps in our methods and make the necessary engineering changes to address those gaps. Our centralized governance model includes weekly and monthly leadership team reviews of our optimization efforts. These meetings allow us to align our efforts with business priorities and assess the impact across the organization. The service owner still owns and is accountable for their optimization effort.

Use a data-driven approach

Using optimization-relevant metrics and monitoring from Microsoft Azure Monitor is critical to fully understanding the necessity and impact of optimization across services and business groups. Accurate and current data is the basis for making timely optimization decisions that provide the largest cost savings possible and prevent unnecessary spending.

Be proactive

Real-time data and effective cost optimization enable proactive cost-management practices. Cost-management recommendations provide no financial benefit until they’re implemented. Getting from recommendation to implementation as quickly as possible while maintaining governance over the process is the key to maximizing cost-optimization benefits.

Adopt modern engineering practices

Cost optimization is one of the five components of the Microsoft Azure Well-Architected Framework, and each pillar functions best when supported by proper implementation of the other four. Adopting modern engineering practices that support reliability, security, operational excellence, and performance efficiency will help to enable better cost optimization in Microsoft Azure. This includes using modern virtual machine sizes where virtual machines are needed and architecting for Azure PaaS components such as Microsoft Azure Functions, Microsoft Azure SQL, and Microsoft Azure Kubernetes Service when virtual machines aren’t required. Staying aware of new Azure services and changes to existing functionality will also help you recognize cost-optimization opportunities as soon as possible.

Looking forward to more optimization

As we continue our journey, we’re focusing on refining our efforts and identifying new opportunities for further cost optimization in Microsoft Azure. The continued modernization of our applications and solutions is central to reducing cost across our Azure footprint. We’re working toward ensuring that we’re using the optimal Azure services for our solutions and building automated scalability into every element of our Azure environment. Using serverless and containerized workloads is an ongoing effort as we reduce our investment in the IaaS components that currently support some of our legacy technologies.

We’re also improving our methods for decentralizing optimization recommendations to enable our engineers and application owners to make the best choices for their environments while still adhering to central governance and standards. This includes automating the detection of anomalous behavior in Microsoft Azure billing by using service-wide telemetry and logging, data-driven alerts, root-cause identification, and prescriptive guidance for optimization.
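Both the trend-based anomaly control mentioned under budget management and the automated billing-anomaly detection described here need a baseline that one expensive day does not drag upward. The following is an added example, not Microsoft Digital's alerting: it applies a rolling-median baseline with a MAD-scaled threshold to constructed daily cost rows per service. The window length, the multiplier and the minimum absolute increase are assumed tuning values. A sudden compute spike also deserves a look from the security side, since unexpected spend is a common early sign of misused credentials.

```python
"""Flag anomalous daily Azure spend per service from a cost export.

Added example, not Microsoft Digital's internal alerting. The daily cost rows
are constructed (not real billing data); window, multiplier and minimum
increase are assumed tuning values.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import median

WINDOW_DAYS = 7          # baseline window length (assumed)
MAD_MULTIPLIER = 4.0     # scaled-MADs above baseline that count as an anomaly (assumed)
MIN_ABS_INCREASE = 50.0  # ignore tiny spikes on cheap or perfectly flat services (assumed)


def _series(service, costs, start_day=1):
    """Constructed (day, service, cost) rows for May 2024."""
    return [(f"2024-05-{start_day + i:02d}", service, c) for i, c in enumerate(costs)]


# Constructed sample: compute spikes on day 9; storage drifts up slightly on day 10.
SAMPLE_ROWS = (
    _series("compute", [1000, 1010, 990, 1005, 995, 1020, 980, 1000, 3200, 1010])
    + _series("storage", [200] * 9 + [230])
)


@dataclass(frozen=True)
class Anomaly:
    service: str
    day: str
    cost: float
    baseline: float
    ratio: float


def detect_anomalies(rows, window=WINDOW_DAYS, k=MAD_MULTIPLIER,
                     min_increase=MIN_ABS_INCREASE):
    """rows: iterable of (ISO date, service, cost). Returns anomalies by date."""
    by_service = defaultdict(list)
    for day, service, cost in sorted(rows):       # ISO dates sort chronologically
        by_service[service].append((day, float(cost)))
    found = []
    for service, series in by_service.items():
        for i in range(window, len(series)):
            day, cost = series[i]
            history = [c for _, c in series[i - window:i]]
            base = median(history)                # median: a prior spike does not lift it
            mad = median(abs(c - base) for c in history) * 1.4826  # MAD scaled to sigma
            floor = max(mad * k, min_increase)    # flat history -> MAD 0, so keep a floor
            if cost - base > floor:
                ratio = round(cost / base, 2) if base else float("inf")
                found.append(Anomaly(service, day, cost, base, ratio))
    return sorted(found, key=lambda a: (a.day, a.service))


def alert_lines(anomalies):
    """Render anomalies as one-line alerts for the ITSM or chat channel."""
    return [f"{a.day} {a.service}: {a.cost:.2f} vs baseline {a.baseline:.2f} "
            f"({a.ratio}x)" for a in anomalies]
```

Median and MAD are used instead of mean and standard deviation so that the day after a spike is compared against a baseline the spike has not inflated; in the sample, day 10 of `compute` is not flagged even though day 9 sits inside its window. The `min_increase` floor handles a perfectly flat history, where the MAD is zero and any change at all would otherwise be flagged.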

Microsoft Azure optimization is a continuous cycle. As we further refine our optimization efforts, we learn from what we’ve done in the past to improve what we’ll do in the future. Our footprint will continue to grow in the years ahead, and our cost-optimization efforts will expand accordingly to ensure that our business is capturing every benefit that the Azure platform provides.

Tackling accessibility: How Microsoft and ServiceNow are building more accessible and inclusive experiences http://approjects.co.za/?big=insidetrack/blog/tackling-accessibility-how-microsoft-and-servicenow-are-building-more-accessible-and-inclusive-experiences/ Wed, 12 Jun 2024 17:40:36 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=15129 With more than 1 billion people with disabilities in the world, we believe that accessibility is essential to delivering on our mission to empower every person and every organization on the planet to achieve more. In fact, our mission doesn’t begin and end with the products we create and the services we offer, it extends...

The post Tackling accessibility: How Microsoft and ServiceNow are building more accessible and inclusive experiences appeared first on Inside Track Blog.

Microsoft Digital technical stories

With more than 1 billion people with disabilities in the world, we believe that accessibility is essential to delivering on our mission to empower every person and every organization on the planet to achieve more.

In fact, our mission doesn’t begin and end with the products we create and the services we offer; it extends to engaging with our partners to build innovative and inclusive experiences. This story highlights how our Microsoft and ServiceNow teams are working together to manage our ServiceNow platform accessibility.

As a company, we engage with our strategic partners and our suppliers to share accessibility requirements and why accessibility is important in our employee experiences, which also benefits our mutual customers.

How accessibility conformance is managed inside Microsoft Digital

We in Microsoft Digital, the company’s IT organization, are ensuring that our engineering teams develop services and solutions that follow international accessibility standards and guidelines such as Web Content Accessibility Guidelines (WCAG). Each group has processes to build products and services with accessibility as a key requirement. This includes addressing accessibility issues within specific timeframes based on factors such as population or volume of user base and severity of issues identified.


This article highlights some key practices that Microsoft and ServiceNow have adopted as part of our accessibility journey, practices that have resulted in us making more than 15 different experiences accessible to consumers, including our employees and vendors, support agents, risk managers, and process owners.

ServiceNow implementation

In July 2019, we and ServiceNow announced a strategic partnership where our two companies would work together to accelerate digital transformation for our enterprise and government customers. Through our established partnership with ServiceNow, we use the ServiceNow platform for internal helpdesk and ServiceDesk process automation, IT asset management, and integrated risk management.

Since then, our Microsoft Infrastructure Engineering Services (IES) team has engaged with ServiceNow in extensive accessibility assessments for platform components deployed in production, which has resulted in identifying a significant number of accessibility bugs at different severity levels. With such a high volume of issues, it became obvious that we needed to engage with ServiceNow to define a strategy to:

1. Tactically work on a short-term plan to fix the already identified accessibility bugs.
2. Define a long-term strategy and approach to weave accessibility into our software design and development stages.


The challenge

As we and ServiceNow were partnering to define our approach and execution plan, we faced some challenges that we needed to address along the way:

  • Scale. One of the immediate challenges was the high volume of accessibility bugs in various platform components that are serving different business units and owned by different teams, which was hard to track and manage without having dedicated teams from Microsoft and ServiceNow to track issues burndown.
  • Expectations around urgency of accessibility bugs. Usually, a high severity bug translates to a service outage or production blockage. In this case, we had a high volume of critical and high severity issues raised to ServiceNow in a short period of time, which is hard for any support or engineering team to tackle in a short time frame.
  • Product bugs versus customization related issues. While many bugs were escalated to ServiceNow as the platform service provider, some were related to custom UI components that were implemented inside Microsoft, so we had to establish a process to identify these issues and deal with them internally.
  • Platform release cadence. ServiceNow follows a semi-annual release cycle for major platform upgrades. This brought the urgent need for a proactive approach to address accessibility in the design as opposed to the reactive mode of operation where we chase issues in already released versions every six months.
  • Accessibility standards. While we and ServiceNow strive to trace accessibility to the latest WCAG guidelines, some of ServiceNow’s deployed modules were still tracking against an older version of the WCAG guidelines. As a result, issues that ServiceNow hadn’t addressed during the design and development phases were identified by Microsoft as high severity bugs.

Microsoft and ServiceNow approach

Sherif Mazhar, Dawn Lee, and Zach Kendall are part of the team working with ServiceNow to improve our approach to accessibility internally at Microsoft.

Our teams at Microsoft and ServiceNow worked together to establish an engagement model that enables an accelerated path for issue resolution (get healthy) while ensuring new experiences are more accessible by the time they’re released to customers (stay healthy). Below are some recommended practices that our teams have adopted:

  • Leadership support. Support always starts at the top. The senior leaders of both Microsoft and ServiceNow are committed to providing customers with accessible and inclusive services. With that in mind, accessibility conformance was a fixed agenda topic in leadership meetings, where they drove alignment on product roadmaps and provided the needed support and sponsorship to make the strategy shift.
  • Culture shift. Improvement isn’t just about checklists and standards but a culture shift for any engineering organization. It’s what drove ServiceNow to establish a new organization—Accessibility Engineering—that’s chartered to influence how product groups work, build community, and expand awareness and expertise within ServiceNow’s different engineering teams.
  • Engineering alignment. While our accessibility experts are aligned with ServiceNow engineering on accessibility issues burndown, our platform implementation team has participated in community and targeted events like ServiceNow’s Accessibility Product Advisory Council (PAC), which drove even tighter alignment on technology roadmaps and WCAG conformance plans. This collaboration has resulted in prioritizing WCAG conformity of UI components that are exposed to a larger user population. As an example, when our IT Service Management Service Portal became conformant to WCAG 2.1 AA, we saw a reduction of more than 95 percent in the volume of issues compared to the previous year.
  • Accessibility testing. Our Microsoft and ServiceNow teams built a clone environment of our production instance that runs a pre-release version of the platform. This is where all accessibility assessments and validations are performed, allowing our teams enough time to escalate issues to the appropriate ServiceNow engineering groups and work directly with them to address accessibility issues during the development of new releases of the ServiceNow platform. This drove a significant reduction in issue resolution time and ensured that new services and experiences are more accessible from day one.
  • Community engagement. One of our inclusive design principles is to learn from diversity. One way to achieve this is by including people with disabilities throughout the development lifecycle, including members of the engineering and testing teams. This not only helps identify gaps early during the design of new services, but also helps accelerate accessibility testing and reduces the time needed to validate bug fixes. Likewise, ServiceNow is keen to hire people with disabilities in their engineering teams to ensure accessibility design is woven in the design of new versions of the platform.
  • Contractual commitment. It’s crucial to formalize the relationship between business partners to prevent conflicts, mitigate risks, and increase operational efficiency. We and ServiceNow worked together to include accessibility language in legal contracts, including WCAG conformance plans, service level agreements (SLA) for response and resolution time of accessibility related issues, and commitments from both parties regarding accessibility conformance.


Realized outcome

After over 3 years on our journey, here are a few examples of the value realized by our teams:

  • Reduction in volume of issues. We’ve seen a significant reduction (92 percent) in the volume of issues identified from new accessibility assessments compared to previous years’ assessments.
  • Time to resolve. The average time taken to provide accessibility bug fixes has been cut in half thanks to the ability to test in pre-release versions of the platform and work directly with the engineering team during development.
  • Engineering alignment on roadmaps. Through regular touchpoints with ServiceNow Engineering, our teams now have better insight on what’s coming in the roadmap, WCAG conformance plans, and ETA of major UI improvements in future releases.
  • Alignment on standards. Microsoft and ServiceNow teams are more aligned on standards being followed (test matrixes, tools being used, accessibility standards, and more), making it easier for our teams to speak the same language, set a common quality bar, and reduce engineering churn.
  • Efficiency gains. Time spent on reactive issue resolution is greatly reduced, allowing us to focus more on proactively improving the service and providing more accessible and inclusive experiences.

Lessons learned

While we and ServiceNow have made good progress in the accessibility space, the journey doesn’t end here and there’s still a lot to do. That said, here are some of the learnings and recommended practices our team has captured along this journey:

  • Leadership engagement is crucial to success. To drive large scale initiatives, make sure the leadership team will sponsor the strategy shift and truly drive a culture change.
  • Getting healthy is hard but staying healthy can be even harder. Make sure you have a plan to sustain accessibility conformance as the product changes over time.
  • Try to avoid custom development on top of third-party or partner solutions and stay with out-of-the-box configuration as much as possible.
  • It might take time to realize the gains from large scale initiatives, but make sure you start with a realistic plan and hold your partners and vendors accountable to it.
  • Finally, accessibility conformance should be an integral part of the solution design. Educate your engineering teams and partners on how to build an accessible solution to minimize the need to address conformance issues after the fact.

What’s next

The journey doesn’t end here, in fact, it never ends. We’ll continue to evolve and find better ways to build new services and experiences and support our customers. In dealing with accessibility in particular, we’ll continue to focus on the cultural change as well as the compliance aspect and will continue to iterate and bring innovative ideas to truly empower every person and every organization on the planet to achieve more.

Key Takeaways

Here are some things that we have learned along the way that should help you get started with rethinking accessibility at your company:

  • Get leadership on board: It’s important to have support from top-level leaders. They can drive accessibility initiatives by discussing them in leadership meetings, aligning product roadmaps, and providing the necessary backing for the strategy shift.
  • Foster an inclusive culture: Create a culture that values accessibility across your organization. Encourage dedicated accessibility teams to influence product development, build awareness, and share expertise. This cultural shift will help make accessibility a priority for everyone.
  • Collaborate with engineers: Work together with accessibility experts and engineering teams. Participate in events and councils to align technology roadmaps and prioritize accessibility for user interface components. This collaboration reduces accessibility issues and speeds up problem-solving.
  • Make it part of your partnerships: Include accessibility commitments in your contracts with business partners. Outline plans for meeting accessibility standards, set expectations for resolving accessibility issues promptly, and ensure both parties are committed to accessibility conformance.

Crafting a new hybrid meeting room experience at Microsoft with Microsoft Teams http://approjects.co.za/?big=insidetrack/blog/crafting-a-new-hybrid-meeting-room-experience-at-microsoft-with-microsoft-teams/ Wed, 12 Jun 2024 15:00:12 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=8157 New hybrid meeting experiences are coming to Microsoft’s employees and guests, a Microsoft Teams Rooms-powered transformation that will save space at the table for everyone, no matter where they join from. Thanks to new meeting room layouts, improved technology, and better integration with Microsoft Teams, remote participants will feel more included in meetings that will...

The post Crafting a new hybrid meeting room experience at Microsoft with Microsoft Teams appeared first on Inside Track Blog.

Microsoft Digital stories

New hybrid meeting experiences are coming to Microsoft’s employees and guests, a Microsoft Teams Rooms-powered transformation that will save space at the table for everyone, no matter where they join from.

Thanks to new meeting room layouts, improved technology, and better integration with Microsoft Teams, remote participants will feel more included in meetings that will also be better for people in the room.


Getting these experiences right will play a big part in helping everyone feel comfortable and included in this new hybrid work environment. It’s not about making sure both remote and in-the-room experiences are perfectly equal—that’s not possible. Rather, the goal is to enhance and optimize each experience so each is the best it can be.

“When they decide to go into the office, employees want experiences that are worth the commute,” says Nathalie D’Hers, corporate vice president of Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company. “That means making sure that when they choose to go in, they do so for an experience that they can’t get from home.”

And vice versa, it’s important to make sure that those who work from home, at a coffee shop, or from a hotel on the road feel like that experience has been optimized for them.

“We’re building solutions that solve for both sets of needs,” D’Hers says. “Most of us are working in both worlds anyway—it benefits us all to get both experiences right.”

Several organizations across Microsoft—including Microsoft Digital Employee Experience, Global Workplace Services, and Microsoft’s product groups—are working together to make sure we get these hybrid experiences right. We want to properly greet employees and guests when they come to a Microsoft campus, and to make them feel equally welcome when they join a meeting virtually.


Meet The Hive, a working laboratory where Microsoft employees are building the meeting room experiences of the future, including new hybrid meeting room experiences.

Along with other new transformations—including improved transportation, dining, and workspace reservation experiences—creating new hybrid meeting room experiences represents a major step forward in the future of work at Microsoft.

[Discover how Microsoft is reinventing the employee experience for a hybrid world. Find out how to advance meetings with the Microsoft Teams Meeting Guide. Unpack five ways Microsoft Teams has transformed Microsoft.]

Meet The Hive

There’s a place on Microsoft’s Puget Sound campus where our software engineers, audio-video engineers, architects, and interior designers are coming together to weave new devices, technology, and concepts into transformed meeting room experiences.

It’s called The Hive.

“It’s the facility where we bring in all the new devices that are coming to us from our OEM partners and test them out and see how they work,” says Matt Hempey, a principal program manager who focuses on engagement and collaboration at Microsoft Digital Employee Experience. “We think about all of the subtleties of how a physical space and hardware can interact—that’s the challenge we’re trying to solve here at The Hive. This is how we can get things just right for everyone.”

In The Hive, teams across Microsoft can gather to brainstorm, test, and validate all meeting room scenarios that they can think up. It’s all about coming up with new ideas, like being inspired to try a new room layout when a set of new components comes in. This can include moving walls, bringing in new furniture, and cutting a table in half—all of this can be done quickly without having to do the expensive work of structural redesign.

“We think of it as our living laboratory,” says Scott Weiskopf, director of the Center of Innovation for Global Workplace Services. “You’ve got cardboard tables and Styrofoam things that we can move around and do rapid prototyping and testing with. It’s our little garage that we can tool around with stuff.”

A new work experience

When thousands of Microsoft conference rooms around the globe suddenly sat empty, it was clear that the work experience was changing. The shift to fully remote demonstrated that people liked flexibility and that meetings could happen from anywhere.

In some ways, it leveled the playing field.

“It used to be that people dialing into a meeting felt like they weren’t going to be as important as people who were physically there,” Hempey says. “Suddenly we were in a world where no one was physically in the room, so everyone was having the same meeting experience. Everyone was equally important; meetings became more inclusive—everyone felt heard and seen.”

At the same time, a lot of human connection was lost.

Social bonds, the richness of discussions, the little chats that occur at the start of the meeting, and the fidelity of in-person brainstorming on a whiteboard were missed. As good as the remote technology was, some individuals still had a strong desire to get back together in meeting rooms.

The shift brought on by the pandemic gave employees the opportunity to choose the kind of workstyle that worked best for them. Some would remain working from home while others would come back to the office. And some would manage a mix of both.

It was clear this dueling dynamic between remote and in-person would require new accommodations from Microsoft.

Having a modular environment to come up with new ideas—The Hive—has empowered Microsoft to pivot to these new circumstances, including upgrading to a new Microsoft Teams Rooms experience powered by hybrid meeting rooms.

Doing hybrid right

The pause in meeting room usage meant The Hive team could step away from normal escalations and concerns and get creative in designing the new workplace experience. This break from the norm would ultimately prove to be key in deciphering the balance between employee needs.

“We’ve had to look at what technologies can be used to make remote employees feel more included in a meeting and vice versa,” Weiskopf says of the effort to help connect in-person and remote attendees in a meeting room. “It involves physical changes to the room and furniture, technical changes to the audio-visual equipment and software. And then, of course, trying to optimize this idea of including everyone.”

Collaborators throughout The Hive designed Microsoft’s new hybrid meeting rooms as immersive and inclusive spaces. Everything was reimagined, from fabric, light, the different pieces of furniture, to how the space itself is arranged.

Hempey kneels behind a projector used to power one of the new meeting experiences being developed in The Hive.
Matt Hempey helps lead the creative work Microsoft does to build new meeting experiences at The Hive, the company’s meeting room laboratory located on the Microsoft campus in Redmond, Washington. Hempey is a principal program manager in Microsoft Digital Employee Experience.

“What creates a great hybrid experience is not necessarily the technology as much as just the way everyone is facing,” Hempey says. “If people are facing each other in the room, they’re not focused on the people that are there remotely.”

By default, all of Microsoft’s new hybrid meeting rooms face a large screen where remote attendees are displayed. Rooms that used to seat 10 people facing the center will now be refitted with a guitar pick-shaped table that focuses attention on the screen and cameras at the front of the room.

To offset any loss of capacity due to the new table shape, a second elevated table sits at the back of the room. Cameras in the room easily capture both levels of seating, so remote attendees can clearly see everyone in the room.

Other design decisions, like enabling presentations and content to appear on screen without bumping remote attendees out of line of sight, further enhance the experience. A Microsoft Surface Hub at the back of the hybrid meeting room adds functionality, letting groups of two or three people use the device without starting a formal meeting.

Working as a team

You can’t create a hybrid space without thinking about the technology that’s going to bring in virtual attendees.

Transitioning to Microsoft Teams prior to the pandemic was a huge benefit for when it was time to go virtual. Now that same technology is central to Microsoft’s hybrid meeting room experience.

“People already associate Microsoft with software; they expect to see a lot of computer screens and code,” Hempey says. “For software to shine, you need the room itself to be that end-to-end experience. Our basic fundamental premise is that every room you walk into is just a Teams room, just like the software that’s on your device.”

To further improve the attendee experience, hybrid meeting rooms do away with some of the traditional headaches of finding the right cable hookups and inviting everyone into the call. Instead, the same process for joining a call in Microsoft Teams initiates the room.

This empowers attendees to use their own devices to interact with and take advantage of the room’s features.

A new standard for work

With around 13,000 meeting rooms around the globe, Microsoft is developing a way to quickly deploy these new features to employees and guests. It’s a challenge everyone is facing as the new hybrid model of work is embraced.

“We’re developing standards for things that we would like to roll out quicker than our normal refresh cycle so that we can get a better hybrid experience in the hands of our employees, guests, and customers much faster,” Weiskopf says.

In rapidly testing and prototyping scenarios and use cases inside The Hive, Microsoft has created global AV design standards that enable hybrid meeting room experiences to exist at scale.

“We’re trying to get experiences right at Microsoft and hopefully others can benefit from that as well,” Hempey says of the new hybrid meeting rooms. “We can be very transparent about the challenges that we face. Our software is constantly evolving; our products are constantly getting better.”

As new lessons are learned, Microsoft can quickly update, incorporate, and deploy changes. This iterative process will allow employees and guests to have experiences that make the trip to a Microsoft campus worthwhile.

“It’s the combination of software, hardware, and the placement of people and cameras that enable the experience,” D’Hers says. “And that’s what creates the kind of experiences that we want, that are personal and accessible.”

Key Takeaways

  • The conference rooms of the past won’t necessarily be the conference rooms people want for the future; the space itself must be part of the hybrid solution.
  • Space is expensive and companies spend a lot of money on real estate, but the priority needs to be on creating value without having to structurally redesign; that’s how you get maximum impact with minimum effort.
  • Microsoft’s hybrid experience is built on Microsoft 365, including Microsoft Teams.
  • The global AV design standards are available to other companies who are looking to build new hybrid meeting rooms. This reduces the uplift of testing and discovering new solutions.

The post Crafting a new hybrid meeting room experience at Microsoft with Microsoft Teams appeared first on Inside Track Blog.

]]>