governance Archives - Inside Track Blog (How Microsoft does IT)
http://approjects.co.za/?big=insidetrack/blog/tag/governance/

Empowering employees with the Microsoft Power Platform at Microsoft
http://approjects.co.za/?big=insidetrack/blog/empowering-employees-with-the-microsoft-power-platform-at-microsoft/
Thu, 13 Feb 2025 17:05:00 +0000

The post Empowering employees with the Microsoft Power Platform at Microsoft appeared first on Inside Track Blog.

At Microsoft, our employees are using the Microsoft Power Platform to bring their ideas and visions to life. It’s our low-code development suite that anyone—not just developers—can use to create apps, automate workflows, and analyze data.

In Microsoft Digital, the company’s IT organization, we’ve implemented a Power Platform governance strategy and vision that is empowering our employees to build solutions that are improving how they get their work done, including crafting their own AI agents with Microsoft 365 Copilot and Copilot Studio.

How are we doing this?

With proper governance mechanisms that keep them safe while letting their creativity flow—and our employees are running with it, creating innovative and dynamic solutions that are streamlining our processes and enhancing our productivity.

And that’s exactly the point—the Power Platform democratizes development, allowing the citizen developer in all of us to come out and play. For us, this is an essential ingredient for fostering the kind of innovation that can and will continue to drive our company forward.  

Our strategic approach to governance on the Power Platform

Photo: Lianne Zelsman (left to right), Jake Visser, and Aisha Hasan are part of the team that’s using the Microsoft Power Platform to create a flexible and inclusive approach to developing solutions for internal needs at Microsoft.

Locking in on the right approach to governance is pivotal.

“Governance provides essential guardrails by ensuring that we have visibility into what is being built and enforcing policies to maintain security and compliance with the Power Platform,” says Aisha Hasan, a senior product manager at Microsoft Digital. “Governance allows us to balance the freedom to innovate with the need to protect our tenant from risks.”

Governance is a key strategic enabler to our approach.

With the wide variety of users at Microsoft developing solutions in the Power Platform, it’s vital they understand how to develop within governance parameters and deploy their solutions effectively. This ensures that while innovation flourishes, it does so within a framework that maintains security and compliance.

Starting at the top with environments

Power Platform environments are the foundation for providing structure and organization with our Power Platform tenant.

“Most of what we’re trying to do from a governance standpoint is at that environment level,” says Lianne Zelsman, a senior product manager at Microsoft Digital. “It’s a more holistic approach than at the individual app, flow, or chatbot level.”

We use an intentional environment structure to enable good governance practices, and we apply our policies and rules to that structure to ensure that every single environment is governed to our standards. This approach avoids broadly shared environments that are difficult to govern effectively.

Every environment in our tenant has a specific purpose and we ensure we have the proper information about each environment to maintain proper governance. Every environment in our tenant is tied to an owner who is accountable for everything within that environment. This ownership model ensures clear responsibility and accountability.

“We’re trying to move away from broadly shared environments that are owned by an entire organization,” Zelsman says. “It can be really hard to understand—and control—an environment containing a bunch of different unrelated solutions built by different people.”

To enable this specific approach to environments, we make clear distinctions.

First, the default environment—the built-in environment that comes with every Power Platform tenant—is not our default.

“We’re routing developers out of the default environment,” Hasan says. “It’s about getting away from that ‘big bucket’ approach. We want every flow, bot, and app to be in an environment that is purpose-built and intentionally configured.”

To streamline the process and ensure proper governance, we’ve turned on automated environment routing. If anyone tries to build in the default environment, they’re routed to a purpose-built environment of the type that matches their use case and our environment groupings. This helps us manage the lifecycle of our environments and ensures that every Power Platform solution lands in the right place, under the right governance.

Shifting to environment routing

Diagram: placing makers into a single default environment, shown side-by-side with routing them into individual development environments. Using environment routing to move away from default and shared environments.

We group environments based on their usage and apply specific rules to each group. There are groups for personal productivity, team collaboration, and enterprise development; each with its own set of rules and compliance requirements and tied to a specific environment type in the Power Platform.

Personal productivity environments are designed for individual use, where users can create and experiment with applications and automations without the need for extensive governance. These environments are typically developer environments, which are highly restricted in terms of sharing capabilities. Users can build apps, flows, and other solutions for their personal productivity, but they can’t share these solutions with others. This ensures that any experimentation or personal projects remain isolated and don’t impact the broader organization.

Team collaboration environments are intended for team-based projects and workflows. These environments are usually built within Dataverse for Teams, which integrates with Microsoft Teams. Dataverse for Teams environments are tied to a Microsoft 365 group, which helps manage governance and lifecycle through the group’s settings. These environments are perfect for team productivity solutions that are used within a specific team but aren’t meant to be shared companywide. While Dataverse for Teams environments have some quirks and limitations, they provide a balance between flexibility and governance, making them suitable for moderate governance and security controls.

Enterprise development environments are used for large-scale, enterprise-level projects that require stringent governance and compliance. These environments are typically sandbox or production environments and are subject to a rigorous request and approval process. Users must provide detailed information about their project, including data sensitivity, regulatory requirements, and business justification. These environments are governed by stricter usage policies, custom ownership policies, and regular security reviews. The goal is to ensure that any enterprise-level solutions are secure, compliant, and properly managed.

Using groups, roles, and policies

Microsoft runs on trust, and our success depends on earning and maintaining it. Our Secure Future Initiative ensures that security is first in everything that we do, and that extends to how we govern the Power Platform.

Our governance strategy revolves around applying controls at the environment level. We categorize environments, using the three main groups already identified. There are specific security controls and approaches in place in each group:

Personal productivity

Individual use

  • Permissions and sharing: No sharing allowed, single owner per environment.
  • Data Loss Prevention (DLP) policy: Developer environment DLP policy, most restrictive.
  • Lifecycle management: Environment deleted after 90 days of inactivity.
  • Provisioning: Self-service, up to three environments per user.
  • Automated routing: Auto-routing to developer environment from default environment.

Team Collaboration

Team-based projects

  • Permissions and sharing: Tied to Microsoft 365 group for governance, data sensitivity labels, and lifecycle management.
  • DLP policy: Standard Teams DLP policy, similar to developer environment policy.
  • Lifecycle management: Environment deleted after 90 days of inactivity.
  • Provisioning: Self-service, automatic creation with team creation in Teams.

Enterprise development

Wide-spread use

  • Permissions and sharing: Minimum of two owners, one must be a full-time employee, maximum of 10 sysadmins, no guest/group accounts in sysadmin role.
  • DLP policy: Standard enterprise development DLP policy, more permissive.
  • Lifecycle management: Attestation-based, owners must attest every six months.
  • Custom DLP policies are available upon request.
  • Provisioning: Custom tool (Builders Hub) for environment request and approval.
  • Additional compliance: Environments must be registered in Service Tree, subject to biannual security, privacy, and accessibility reviews.

“Our security controls and policies are really about enablement as much as possible,” says Jake Visser, a principal architect manager at Microsoft. “If you create a developer environment, we’ll assign an appropriate DLP policy for you to work with your solution and send you a Teams message indicating what policy we’ve assigned and what you can do there. It’s about making sure that people can build and innovate while staying within the guardrails of our governance policies.”

DLP policies are our main control for keeping data inside the organization’s boundary. We apply them at the environment level to control which connectors are available in each environment, which actions those connectors may perform, and which endpoints they may talk to. That prevents a flow from unintentionally moving sensitive information out of the tenant; for instance, if a connector is used to write data, the policy ensures that it only writes to approved endpoints.

For enterprise development environments, teams can request custom DLP policies if they need to use specific connectors or actions that aren’t covered by the standard policy. This involves providing a threat model and other relevant information to justify the need for the custom policy.
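
What a DLP policy actually decides when a maker saves a flow is easier to see in code. The following Python is an added example written for this page, not tooling from Microsoft Digital or a Power Platform API: it models connector classification into Business, Non-Business and Blocked groups, the rule that one flow cannot combine Business and Non-Business connectors, per-connector denied actions, and endpoint filtering, then checks a few constructed flows against a restrictive developer-environment policy and a more permissive enterprise policy. Policy names, connector ids, endpoints and the flows themselves are all constructed for illustration.

```python
"""Checking a flow's connector usage against a Power Platform DLP policy.

Added example (not code from the Microsoft Digital team or a Power Platform API).
Connector ids, policy names, endpoints and flows are constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple

BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-Business", "Blocked"


@dataclass
class DlpPolicy:
    name: str
    groups: Dict[str, str]                       # connector id -> classification
    default_group: str = NON_BUSINESS            # where unlisted connectors land
    blocked_actions: Dict[str, Set[str]] = field(default_factory=dict)
    # connector id -> ordered (pattern, allow) rules; first match wins, default deny
    endpoint_rules: Dict[str, List[Tuple[str, bool]]] = field(default_factory=dict)

    def group_of(self, connector: str) -> str:
        return self.groups.get(connector, self.default_group)

    def endpoint_allowed(self, connector: str, endpoint: str) -> bool:
        rules = self.endpoint_rules.get(connector)
        if rules is None:            # no endpoint filtering configured for this connector
            return True
        for pattern, allow in rules:
            if fnmatchcase(endpoint, pattern):
                return allow
        return False                 # filtered connector, no matching rule: deny


@dataclass
class ConnectorUse:
    connector: str
    action: str
    endpoint: Optional[str] = None


def evaluate_flow(policy: DlpPolicy, uses: List[ConnectorUse]) -> List[str]:
    """Return the list of policy violations; an empty list means the flow may run."""
    violations: List[str] = []
    groups_in_use: Set[str] = set()
    for use in uses:
        group = policy.group_of(use.connector)
        if group == BLOCKED:
            violations.append(f"{use.connector}: connector is Blocked in policy '{policy.name}'")
            continue
        groups_in_use.add(group)
        if use.action in policy.blocked_actions.get(use.connector, set()):
            violations.append(f"{use.connector}.{use.action}: action is denied")
        if use.endpoint is not None and not policy.endpoint_allowed(use.connector, use.endpoint):
            violations.append(f"{use.connector}: endpoint {use.endpoint} is not an approved endpoint")
    # Business and Non-Business data must never meet inside one flow.
    if BUSINESS in groups_in_use and NON_BUSINESS in groups_in_use:
        violations.append("flow combines Business and Non-Business connectors")
    return violations


# Constructed policies. The developer policy is the restrictive default for personal
# environments: anything not explicitly Business is Blocked. The enterprise policy is
# more permissive but pins HTTP to approved endpoints and denies a destructive SQL action.
DEVELOPER_POLICY = DlpPolicy(
    name="developer-environment-dlp",
    groups={"shared_sharepointonline": BUSINESS, "shared_office365": BUSINESS},
    default_group=BLOCKED,
)
ENTERPRISE_POLICY = DlpPolicy(
    name="enterprise-development-dlp",
    groups={
        "shared_sharepointonline": BUSINESS,
        "shared_office365": BUSINESS,
        "shared_sql": BUSINESS,
        "shared_http": BUSINESS,
        "shared_twitter": NON_BUSINESS,
    },
    default_group=NON_BUSINESS,
    blocked_actions={"shared_sql": {"DeleteItem"}},
    endpoint_rules={"shared_http": [("https://*.contoso.example/*", True)]},
)

# Constructed flows (connector usage only; the logic of the flows is irrelevant here).
FLOW_REPORT = [ConnectorUse("shared_sharepointonline", "GetItems"),
               ConnectorUse("shared_office365", "SendEmailV2")]
FLOW_HTTP_INTERNAL = FLOW_REPORT + [ConnectorUse("shared_http", "Invoke", "https://api.contoso.example/v1/reports")]
FLOW_HTTP_EXTERNAL = FLOW_REPORT + [ConnectorUse("shared_http", "Invoke", "https://paste.example.org/raw/x1")]
FLOW_MIXED = FLOW_REPORT + [ConnectorUse("shared_twitter", "PostTweet")]
FLOW_SQL_DELETE = [ConnectorUse("shared_sql", "DeleteItem")]

if __name__ == "__main__":
    flows = [("report", FLOW_REPORT), ("http-internal", FLOW_HTTP_INTERNAL),
             ("http-external", FLOW_HTTP_EXTERNAL), ("mixed", FLOW_MIXED), ("sql-delete", FLOW_SQL_DELETE)]
    for policy in (DEVELOPER_POLICY, ENTERPRISE_POLICY):
        for label, flow in flows:
            print(policy.name, label, evaluate_flow(policy, flow) or "allowed")
```

Running the module prints each flow's verdict under both policies. The design point worth carrying over is the defaults: a connector the policy does not name falls into the default group, so a restrictive policy should make that group Blocked, and a filtered connector with no matching endpoint rule is denied rather than allowed.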

Harnessing proactive and reactive governance

Within each environment group, we apply a set of practices that implement our governance strategy. These practices maintain a balanced approach that incorporates both reactive and proactive measures.

We use a proactive governance approach to anticipate issues before they arise. Gaining visibility into what’s being built within our environment is a critical first step. Our inventory data collection processes collect data on apps, connectors, flows, and shared resources. By having a clear picture of our digital landscape, we can enforce policies that ensure security and compliance from the outset. We collect and integrate this data with the following methods:

  • Automated data collection tools. We use automated tools to gather data on all assets within the Power Platform. These tools scan our environment to identify and catalog apps, connectors, flows, and shared resources. By automating this process, we ensure that our inventory is always current and accurate.
  • Policy enforcement. With visibility and usage data in hand, we can enforce governance policies. This includes defining and applying DLP policies, custom ownership policies, and regular security reviews. These policies help ensure that solutions are secure and compliant with organizational standards. Even if users follow certain policies during the development phase, we need to keep them in check post-deployment to ensure ongoing compliance.
  • Regular audits and updates. To maintain the accuracy of our inventory, we conduct regular audits. These audits involve cross-checking the data in our repository with actual usage and configurations in the Power Platform. Any discrepancies are investigated and resolved promptly.
  • Integration with governance policies. Our inventory data collection is tightly integrated with our governance policies. For example, we use DLP policies to enforce data flow and access. The inventory data helps us enforce these policies by providing visibility into how data is being used and shared across the platform.
  • Custom reporting and dashboards. We’ve used Power BI to develop custom reporting and dashboards to visualize our inventory data. These tools provide insights into asset usage, compliance status, and potential risks. They help us make informed decisions about governance and resource allocation.
  • Collaboration with stakeholders. Collecting inventory data is a collaborative effort. We work closely with various stakeholders, including IT, security, and business units, to ensure that our data collection processes align with their needs and requirements. This collaboration helps us address any gaps and continuously improve our inventory management.

Reactive governance, on the other hand, deals with issues that arise after the fact. Even with stringent policies in place, there’s always a need to monitor and manage ongoing activities. The general application of our reactive measures is similar to the proactive measures—they even share some categories. However, our reactive measures are built around identifying, as quickly as possible, events in the tenant that might compromise the integrity of our governance.

  • Visibility and inventory. Without a good inventory, it’s impossible to govern effectively. To overcome this, we worked closely with the product group to develop an inventory solution. This tool collects data on all the apps, connectors, flows, and connections being used. By having a comprehensive inventory, we can see what’s being built and shared now, which is the first step in reactively enforcing governance.
  • Usage data and metadata. After visibility is established, the next step is collecting usage data and metadata. This information tells us who is doing what within the Power Platform. By understanding usage patterns, we can enforce governance policies more effectively. For example, we can identify high-risk activities and take appropriate actions to mitigate potential issues.
  • Continuous monitoring. Reactive governance also involves continuous monitoring of the Power Platform environment. This means regularly reviewing the inventory and usage data to identify any anomalies or potential risks. By staying vigilant, we can quickly address any issues that arise and ensure that our governance measures remain effective.
  • Ownership accountability. One of our key reactive measures is the periodic attestation process. Every six months, we require asset owners to confirm their ownership and compliance with our policies. This includes verifying that they aren’t using unauthorized data, not sharing data outside the tenant, and adhering to all security protocols. This process helps us catch any deviations and address them promptly.
  • Collaboration with product teams. Our reactive governance efforts are supported by close collaboration with the product teams. By working together, we can develop and refine tools and policies that enhance our governance capabilities. This ongoing partnership ensures that we stay ahead of potential risks and continue to improve our governance practices.
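
The environment-group rules listed earlier, together with the policy enforcement and periodic attestation described in this section, amount to a rule set that can be evaluated over an inventory snapshot. The Python below is an added example, not the Microsoft Digital inventory or attestation tooling: it encodes the per-group rules (single owner and no sharing for personal environments, Microsoft 365 group binding for team environments, owner and sysadmin constraints, Service Tree registration and six-monthly attestation for enterprise environments, 90-day inactivity deletion where that applies) and returns findings plus the lifecycle action for each environment. The inventory records, the policy names, reading "every six months" as 183 days, and treating enterprise policies named custom-* as approved custom DLP policies are assumptions made for the example.

```python
"""Evaluating Power Platform environments against per-group governance rules.

Added example (not Microsoft Digital's inventory or attestation tooling). The
inventory records, policy names, the 183-day reading of "every six months" and
the custom-* naming rule for approved custom DLP policies are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Principal:
    id: str
    kind: str          # "user", "guest" or "group"
    fte: bool = False  # full-time employee (vs. vendor/contractor)


@dataclass
class Environment:
    name: str
    group: str                     # "personal", "team" or "enterprise"
    owners: List[Principal]
    sysadmins: List[Principal]
    dlp_policy: str
    last_activity: date
    shared_with: int = 0           # principals that apps/flows in the env are shared with
    m365_group_id: Optional[str] = None
    service_tree_id: Optional[str] = None
    last_attestation: Optional[date] = None


INACTIVITY_LIMIT = timedelta(days=90)
ATTESTATION_LIMIT = timedelta(days=183)      # "every six months" (assumption)
MAX_SYSADMINS = 10
STANDARD_DLP = {                              # hypothetical policy names
    "personal": "developer-environment-dlp",
    "team": "teams-standard-dlp",
    "enterprise": "enterprise-development-dlp",
}


def evaluate(env: Environment, today: date) -> Tuple[str, List[str]]:
    """Return (lifecycle_action, findings).

    lifecycle_action is "keep", "delete" (inactivity rule), "attest" (owners must
    re-attest) or "review" (the environment does not fit any group).
    """
    findings: List[str] = []
    action = "keep"

    expected = STANDARD_DLP.get(env.group)
    if expected is None:
        return "review", [f"unknown environment group '{env.group}'"]
    custom_ok = env.group == "enterprise" and env.dlp_policy.startswith("custom-")
    if env.dlp_policy != expected and not custom_ok:
        findings.append(f"DLP policy '{env.dlp_policy}' is not the {env.group} standard ('{expected}')")

    if env.group == "personal":
        if len(env.owners) != 1:
            findings.append("personal environments must have exactly one owner")
        if env.shared_with > 0:
            findings.append("personal environments may not share apps or flows")
        if today - env.last_activity > INACTIVITY_LIMIT:
            action = "delete"
    elif env.group == "team":
        if env.m365_group_id is None:
            findings.append("team environments must be tied to a Microsoft 365 group")
        if today - env.last_activity > INACTIVITY_LIMIT:
            action = "delete"
    else:  # enterprise
        if len(env.owners) < 2:
            findings.append("enterprise environments need at least two owners")
        if not any(o.fte for o in env.owners):
            findings.append("at least one owner must be a full-time employee")
        if len(env.sysadmins) > MAX_SYSADMINS:
            findings.append(f"more than {MAX_SYSADMINS} system administrators")
        bad = [p.id for p in env.sysadmins if p.kind in ("guest", "group")]
        if bad:
            findings.append("guest/group accounts in sysadmin role: " + ", ".join(bad))
        if env.service_tree_id is None:
            findings.append("not registered in Service Tree")
        if env.last_attestation is None or today - env.last_attestation > ATTESTATION_LIMIT:
            action = "attest"
    return action, findings


# Constructed inventory snapshot.
TODAY = date(2025, 2, 13)
alice = Principal("alice@contoso.example", "user", fte=True)
bob = Principal("bob@contoso.example", "user", fte=True)
vendor = Principal("v-carol@contoso.example", "user", fte=False)
guest = Principal("dan_partner.example#EXT#", "guest")

INVENTORY = [
    Environment("alice-dev", "personal", [alice], [alice], "developer-environment-dlp",
                last_activity=date(2024, 10, 1)),                      # idle for more than 90 days
    Environment("finance-reporting", "enterprise", [alice, bob], [alice, bob],
                "enterprise-development-dlp", last_activity=date(2025, 2, 10),
                service_tree_id="st-12345", last_attestation=date(2024, 12, 1)),
    Environment("legacy-prod", "enterprise", [vendor], [vendor, guest], "custom-legacy-dlp",
                last_activity=date(2025, 1, 20), service_tree_id=None,
                last_attestation=date(2024, 5, 1)),                    # stale attestation
]


def run(inventory: List[Environment], today: date = TODAY) -> Dict[str, Tuple[str, List[str]]]:
    return {env.name: evaluate(env, today) for env in inventory}


if __name__ == "__main__":
    for name, (action, findings) in run(INVENTORY).items():
        print(f"{name}: {action}", *findings, sep="\n  ")
```

The same function serves both the proactive pass (run over the whole inventory on a schedule) and the reactive one (run over a single environment when an audit event shows it changed); only the trigger differs.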

By combining proactive measures to prevent issues and reactive measures to address them, we can provide environments that allow our developers to innovate freely while safeguarding our digital assets. It’s a win for everyone involved and it’s truly enabling innovation at Microsoft.

Integrating with Microsoft Sentinel detection and response

Microsoft Sentinel plays a crucial role in our governance strategy. It’s an essential tool that helps us monitor, detect, and respond to various activities within the platform, ensuring that our governance policies are enforced effectively.

Sentinel ingests the Microsoft Purview audit feed, which records activity in the Power Platform (audit logging has to be enabled for the tenant for these records to exist). This lets us capture events such as bot creation, environment creation, flow runs, and edits. Essentially, any action performed by a user or admin within the Power Platform generates an audit record that Sentinel picks up.

“With Sentinel, we can perform real-time monitoring of all activities within the Power Platform,” Visser says. “We must have visibility into what’s being built and how the platform is being used. For instance, if a user creates a new environment or modifies an existing one, Sentinel captures this event and allows us to cross-reference it with our governance policies.”

Sentinel enables us to automate governance actions based on the events it captures. For example, when a user creates a personal developer environment, we use the Sentinel events and an Azure Logic App to automatically assign a DLP policy to that environment and send a Teams message to the user, informing them of the assigned policy and what they can do within that environment.

Sentinel’s integration with the Power Platform’s inventory service allows us to maintain an up-to-date inventory of all environments, apps, and flows within the platform. This inventory is crucial for proactive governance, as it provides us with the necessary metadata to enforce policies and ensure compliance. If an environment’s configuration is altered against policy, Sentinel can trigger an alert and send an email to the environment owners, asking them to rectify the issue.
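
The automation described here, Sentinel surfacing a Purview audit event and a Logic App acting on it, comes down to a small decision function over audit records. The Python below is an added example, not the team's Logic App or a Sentinel playbook: on CreateEnvironment it picks the DLP policy for the environment type and queues a Teams message to the maker; on UpdateEnvironment it compares the new DLP policy against the one on record and raises an alert to the owners when they differ; and it keeps an inventory current from the same events. The record layout is a simplified stand-in for Purview audit records (only Operation, UserId and a Properties bag are used), and the events, environment ids and policy names are constructed.

```python
"""Event-driven governance actions from Power Platform audit records.

Added example (not Microsoft Digital's Logic App or a Sentinel playbook). The
record shape is a simplified stand-in for Purview audit records; events,
environment ids and policy names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

POLICY_FOR_TYPE = {                   # hypothetical policy names keyed by environment type
    "Developer": "developer-environment-dlp",
    "Teams": "teams-standard-dlp",
    "Sandbox": "enterprise-development-dlp",
    "Production": "enterprise-development-dlp",
}


@dataclass
class Action:
    kind: str        # "AssignDlpPolicy", "TeamsMessage" or "Alert"
    target: str      # environment id, user, or comma-separated owners
    detail: str


@dataclass
class EnvRecord:
    env_id: str
    env_type: str
    owners: List[str]
    dlp_policy: str  # the policy governance assigned, not whatever was last set


class GovernanceAutomation:
    def __init__(self) -> None:
        self.inventory: Dict[str, EnvRecord] = {}

    def handle(self, record: dict) -> List[Action]:
        op = record["Operation"]
        props = record.get("Properties", {})
        if op == "CreateEnvironment":
            return self._on_create(record["UserId"], props)
        if op == "UpdateEnvironment":
            return self._on_update(record["UserId"], props)
        if op == "DeleteEnvironment":
            self.inventory.pop(props["EnvironmentId"], None)
        return []   # flow runs, app edits and the like are inventoried separately

    def _on_create(self, user: str, props: dict) -> List[Action]:
        env_id, env_type = props["EnvironmentId"], props["EnvironmentType"]
        policy = POLICY_FOR_TYPE.get(env_type)
        if policy is None:
            return [Action("Alert", "platform-admins", f"{env_id}: unknown environment type '{env_type}'")]
        self.inventory[env_id] = EnvRecord(env_id, env_type, [user], policy)
        return [
            Action("AssignDlpPolicy", env_id, policy),
            Action("TeamsMessage", user,
                   f"Your {env_type} environment {env_id} is governed by policy '{policy}'"),
        ]

    def _on_update(self, user: str, props: dict) -> List[Action]:
        env_id = props["EnvironmentId"]
        rec = self.inventory.get(env_id)
        if rec is None:   # an environment we never saw created: inventory gap, worth a look
            return [Action("Alert", "platform-admins", f"{env_id}: update to an environment not in inventory")]
        actions: List[Action] = []
        new_policy = props.get("DlpPolicy")
        if new_policy is not None and new_policy != rec.dlp_policy:
            # Drift from the assigned policy: alert owners, keep the governed value on record.
            actions.append(Action("Alert", ",".join(rec.owners),
                                  f"{env_id}: DLP policy changed from '{rec.dlp_policy}' to "
                                  f"'{new_policy}' by {user}; restore the assigned policy"))
        if "Owners" in props:
            rec.owners = list(props["Owners"])
        return actions

    def process(self, records: List[dict]) -> List[Action]:
        out: List[Action] = []
        for rec in records:
            out.extend(self.handle(rec))
        return out


# Constructed audit records in arrival order.
EVENTS = [
    {"CreationTime": "2025-02-13T17:05:00", "Operation": "CreateEnvironment",
     "UserId": "alice@contoso.example",
     "Properties": {"EnvironmentId": "env-0001", "EnvironmentType": "Developer"}},
    {"CreationTime": "2025-02-13T17:06:00", "Operation": "CreateFlow",
     "UserId": "alice@contoso.example", "Properties": {"EnvironmentId": "env-0001"}},
    {"CreationTime": "2025-02-13T18:00:00", "Operation": "UpdateEnvironment",
     "UserId": "alice@contoso.example",
     "Properties": {"EnvironmentId": "env-0001", "DlpPolicy": "none"}},
    {"CreationTime": "2025-02-13T18:01:00", "Operation": "UpdateEnvironment",
     "UserId": "mallory@contoso.example",
     "Properties": {"EnvironmentId": "env-9999", "DlpPolicy": "none"}},
]


def run_demo() -> Tuple[GovernanceAutomation, List[Action]]:
    auto = GovernanceAutomation()
    return auto, auto.process(EVENTS)


if __name__ == "__main__":
    for action in run_demo()[1]:
        print(action.kind, action.target, action.detail, sep=" | ")
```

Two behaviours in the block are the ones to keep when building the real playbook: the inventory stores the policy governance assigned rather than the last value observed, so drift is always measured against the intended state, and an update to an environment the inventory has never seen is itself an alert, because it means the inventory, not the environment, is wrong.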

Collaborating and innovating in the framework of governance

Microsoft Copilot Studio is part of the Power Platform. If you’re building agents using Copilot Studio, the same governance principles that apply to Power Apps and other capabilities apply to building and governing agents. See AI-powered agents in action: How we’re embracing this new ‘agentic’ moment at Microsoft for a deeper dive into governance considerations for agents.

Appropriate governance and environment ownership has opened up a whole new wave of collaboration between departments and teams at Microsoft. The controls and assurances provided by an effective governance strategy have enabled our teams to work side-by-side in the Power Platform with confidence.

“Internally, our employees and our team, especially in Microsoft Digital, are building solutions to look at different aspects of how we can continue to improve productivity,” Hasan says. “The Power Platform offers so much freedom to create quickly and with the introduction of AI and Copilot, we can add more intelligence and use all Power Platform tools to create more robust solutions across the organization.”

Streamlining financial reporting with Power Apps

The finance team at Microsoft has been using the Power Platform to streamline their processes. By collaborating with us in Microsoft Digital, they’ve developed a series of Power Apps to automate financial reporting and budget tracking. This collaboration allowed the finance team to reduce manual data entry and improve accuracy in their reports. We provided the necessary technical support to ensure the apps were secure and compliant with company policies. For instance, they created an app that pulls data from multiple sources, consolidates it, and generates real-time financial reports. This has significantly reduced the time spent on manual data consolidation and reporting.

Simplifying legal reviews with Power Automate

The marketing and legal teams have also found common ground on the Power Platform. They worked together to create a Power Automate flow that simplifies the approval process for marketing materials. The flow ensures that all marketing content is reviewed and approved by the legal team before publication. This collaboration has significantly reduced the time it takes to get marketing materials approved, allowing the marketing team to be more agile and responsive. For example, the flow includes automated notifications and reminders, ensuring that the legal team reviews and approves content promptly.

Enhancing onboarding with integration and collaboration

The HR and support teams have used the Power Platform to enhance employee onboarding and support processes. By building a Power App, they created a centralized onboarding portal where new hires can access all the necessary resources and complete required tasks. The support team integrated this app with their existing systems to provide seamless support for new employees. This collaboration has improved the onboarding experience and ensured that new hires have all the support they need from day one. The app includes features like task checklists, document uploads, and direct links to support resources.

Creating cross-functional innovation with Copilot Studio

One of the most exciting examples of collaboration is the use of Copilot Studio across various departments. Teams from finance, marketing, CELA, HR, and IT have all contributed to developing AI-infused solutions using Copilot Studio. For instance, the marketing team created an AI-powered agent to handle customer inquiries, while the HR team developed an AI assistant to help employees with common HR-related questions. Using Copilot Studio, we’ve been able to increase discoverability and productivity by using Copilot as our “UI for AI,” bringing the power of these specialized agents to answer frequently asked questions, provide product information, and even assist with troubleshooting.

Looking forward

Governance on the Power Platform at Microsoft is poised to become even more robust and comprehensive. As the platform continues to evolve, so will our strategies for ensuring its secure and effective use.

We’re working to develop and implement more granular governance controls. Currently, our governance strategy revolves around applying rules at the environment level, using environment groups and rules to manage security and compliance. However, the future holds the promise of even more detailed control mechanisms, and as customer zero, we’re working with the Power Platform product group to ensure that our learnings related to governance are reflected in the product. This includes the ability to nest environment groups, allowing for more specific governance based on criteria such as geography, data sensitivity, and regulatory requirements.

The Power Platform has proven to be a transformative tool for fostering collaboration and innovation across various departments at Microsoft. From streamlining the approval process for marketing materials to enhancing employee onboarding and creating AI-driven solutions, the platform has enabled teams to work more efficiently and effectively. Our focus on robust governance helps ensure that the Power Platform remains a secure and innovative environment for all users—and Microsoft customers.

Key Takeaways

Do you want to implement effective and enabling governance in your Power Platform? Apply these best practices:

  • Establish clear environment groups. Categorize environments into distinct groups such as personal productivity, team collaboration, and enterprise development. This helps apply appropriate governance controls based on the usage and risk level of each environment.
  • Implement DLP policies. Use DLP policies to control which connectors and actions are allowed within different environments. This prevents unintentional sharing of sensitive information and ensures data remains within organizational boundaries.
  • Use proactive and reactive governance. Employ both proactive measures, like predefined rules and policies, and reactive measures, such as custom tools and scanning mechanisms, to enforce governance. This ensures that potential risks are mitigated before they become issues.
  • Use Sentinel for real-time monitoring. Integrate Sentinel with Purview audit feeds to monitor all activities within the Power Platform. This allows for real-time detection of any actions that might violate governance policies.
  • Maintain an up-to-date inventory. Keep an accurate inventory of all environments, apps, and flows within the Power Platform. This is crucial for proactive governance and ensures that all necessary metadata is available for enforcing policies.
  • Conduct regular security reviews. Register all enterprise development environments in Service Tree and conduct biannual security, privacy, and accessibility reviews. This ensures that all solutions comply with stringent security and privacy standards.
  • Enable lifecycle management. Implement lifecycle management tied to inactivity or attestation. This ensures that unused environments are deleted after a certain period, minimizing security risks.

Streamlining group membership management and governance at Microsoft
http://approjects.co.za/?big=insidetrack/blog/streamlining-group-membership-management-and-governance-at-microsoft/
Thu, 13 Feb 2025 17:00:00 +0000

The post Streamlining group membership management and governance at Microsoft appeared first on Inside Track Blog.

Editor’s note: This story was written by a bot powered by Microsoft Azure OpenAI. The bot interviews subject matter experts in Microsoft Digital to generate new stories quickly. We have humans in the loop to ensure the accuracy and completeness of our AI-powered stories.

Just like it is for all large enterprises, maintaining accurate and secure group memberships enables our employees to collaborate effectively while also safeguarding our sensitive information internally here at Microsoft.

The Microsoft Group Membership Management (GMM) tool addresses this challenge head-on by providing a robust solution that simplifies group membership management while enhancing security and productivity across Microsoft. Initially developed to solve a challenge within Microsoft, GMM is now available on GitHub, giving other organizations access to its capabilities.

The need for group membership management 

GMM was designed to address two critical issues that companies like ours face: 

  • Collaboration barriers: When the right people aren’t in the group, collaboration tools are less effective.
  • Security risks: When individuals retain access to groups unnecessarily, organizations face potential data exposure.

“One of our main priorities was to create a solution that balances seamless collaboration with stringent security,” says Olivia Han, Senior Product Manager for GMM. “We wanted organizations to feel confident in their group memberships while making the process as intuitive as possible.”

Key features of GMM 

The Group Membership Management (GMM) tool enables you to systematically manage your Microsoft 365 Groups by syncing members based on existing security groups, organizational structure, and personnel information. This tool helps you manage Microsoft 365 Groups in Viva Engage, Teams, Outlook, and other modern apps, enabling cloud-based collaboration and secure access to resources.

GMM was initially adopted across Microsoft organizations to help reduce the administrative overhead of keeping Microsoft 365 Groups membership updated. It was later launched as an open-source tool on GitHub, making it available to external customers. The GitHub repository has more on how to manage your groups with it.

GMM is a multi-source, multi-destination membership synchronization tool. It enables organizations to define group memberships based on user information from multiple sources and project those memberships into groups and even Microsoft Teams channels. Its standout features include: 

  • Flexible membership definition: Membership can be defined based on organizational structure, user attributes, and exclusionary rules. Depth limits ensure precision and control. 
  • Empowered group ownership: Group owners can define and manage their memberships independently, while administrators retain tools to protect sensitive HR information. 
  • Change threshold protection: To prevent accidental disruptions, GMM includes increase and decrease thresholds that require owner confirmation before large-scale membership changes. 
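
The three features above describe a source-to-group synchronization with a safety valve. The Python below is an added example written for this page, not code from the GMM repository: membership is computed from an organizational source (everyone under a manager, to a depth limit) and an attribute source, exclusion rules are applied, and the resulting change is compared with the current membership against increase and decrease thresholds; a change over either threshold is held for owner confirmation instead of being applied. The directory, the threshold values and the choice to exempt an empty group from thresholds on its first population are assumptions for the example.

```python
"""Source-driven group membership synchronization with change thresholds.

Added example (not code from the GMM GitHub repository). The directory,
threshold values and the empty-group exemption are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class User:
    id: str
    manager: Optional[str]
    department: str
    employee_type: str   # "FTE" or "Vendor"
    tenure_days: int


# Constructed directory: a small reporting tree.
DIRECTORY: Dict[str, User] = {u.id: u for u in [
    User("ceo", None, "Exec", "FTE", 5000),
    User("cfo", "ceo", "Finance", "FTE", 3000),
    User("fin-mgr", "cfo", "Finance", "FTE", 1200),
    User("fin-analyst", "fin-mgr", "Finance", "FTE", 20),
    User("fin-vendor", "fin-mgr", "Finance", "Vendor", 400),
    User("cto", "ceo", "Engineering", "FTE", 2500),
    User("eng-1", "cto", "Engineering", "FTE", 10),
]}


def direct_reports(directory: Dict[str, User], manager_id: str) -> List[User]:
    return [u for u in directory.values() if u.manager == manager_id]


def org_source(directory: Dict[str, User], root: str, depth_limit: int) -> Set[str]:
    """root plus everyone in root's reporting chain up to depth_limit levels below."""
    members = {root}
    frontier = [root]
    for _ in range(depth_limit):
        nxt: List[str] = []
        for manager in frontier:
            for report in direct_reports(directory, manager):
                members.add(report.id)
                nxt.append(report.id)
        frontier = nxt
    return members


def attribute_source(directory: Dict[str, User], predicate: Callable[[User], bool]) -> Set[str]:
    return {u.id for u in directory.values() if predicate(u)}


def desired_membership(sources: List[Set[str]], exclusions: List[Callable[[User], bool]],
                       directory: Dict[str, User]) -> Set[str]:
    """Union of all sources, minus anyone matching an exclusion rule."""
    members: Set[str] = set().union(*sources) if sources else set()
    return {m for m in members if not any(rule(directory[m]) for rule in exclusions)}


@dataclass
class SyncResult:
    status: str            # "applied" or "pending-owner-confirmation"
    to_add: Set[str]
    to_remove: Set[str]
    final_members: Set[str]


def sync(current: Set[str], desired: Set[str],
         increase_threshold: float, decrease_threshold: float) -> SyncResult:
    """Apply the diff unless it exceeds either threshold (fraction of current size)."""
    to_add, to_remove = desired - current, current - desired
    if current:   # thresholds are relative to current size; first population is exempt (assumption)
        too_many_adds = len(to_add) / len(current) > increase_threshold
        too_many_removes = len(to_remove) / len(current) > decrease_threshold
        if too_many_adds or too_many_removes:
            return SyncResult("pending-owner-confirmation", to_add, to_remove, set(current))
    return SyncResult("applied", to_add, to_remove, set(desired))


def demo() -> dict:
    # Finance group: the CFO's org two levels deep, vendors excluded.
    finance = desired_membership(
        [org_source(DIRECTORY, "cfo", depth_limit=2)],
        [lambda u: u.employee_type == "Vendor"], DIRECTORY)
    # New-hire group driven purely by an attribute (tenure), used for onboarding content.
    new_hires = desired_membership(
        [attribute_source(DIRECTORY, lambda u: u.tenure_days <= 30)], [], DIRECTORY)
    # One stale member removed: 1 of 4 (25%) stays within the decrease threshold.
    small = sync({"cfo", "fin-mgr", "fin-analyst", "fin-vendor"}, finance, 0.5, 0.25)
    # Two removed from five (40%) exceeds it and is held for the owner.
    large = sync({"cfo", "fin-mgr", "fin-analyst", "fin-vendor", "old-contractor"}, finance, 0.5, 0.25)
    return {"finance": finance, "new_hires": new_hires, "small": small, "large": large}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The held change is the important behaviour: a source error (an org-chart rewiring, a wrong attribute filter) would otherwise empty or flood a group silently, and for a group that gates access to a Teams channel or a SharePoint site that is an outage or an exposure, not a cosmetic problem.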

Development journey and challenges 

GMM began as a solution to project nested security group hierarchies into flattened Microsoft 365 groups, addressing the lack of native nesting support in Microsoft 365. Over time, the tool evolved into a comprehensive solution that uses a variety of Azure services, including Storage, Service Bus, SQL, Azure Data Factory, and Key Vault, among others. 

“We’ve been laser-focused on adopting Microsoft Secure Future Initiative best practices,” says Paul Daly, a principal software engineering manager for GMM in Microsoft Digital. “Eliminating secrets, adopting managed identities, and moving resources to private networks have significantly improved our security posture. Scalability has been another ongoing focus, with innovations like a ‘multi-lane’ process to handle large membership changes without delays.” 

Impact and integration 

Photo: Olivia Han (left) and Paul Daly are helping us transform how we manage group membership here at Microsoft.

Internally at Microsoft, GMM has simplified maintenance for thousands of groups.

“Automating user additions increased the use of collaboration tools like Viva Engage, Teams, and Outlook groups,” Han says. “Removing unnecessary access not only boosts security but also gives us the confidence to enable features like Copilot.” 

GMM has had a significant impact on personalizing and enhancing the employee experience at Microsoft. By managing groups based on tenure, GMM enables targeted content delivery on the intranet website and HR portal via Viva Connections, providing relevant information to new employees during their crucial onboarding period. 

“Based on what our internal customers have told us, we know that GMM has eliminated days and even weeks of manual work that our business admins have to do to maintain accurate groups rosters,” Han says. “It has also mitigated security concerns, including reducing the risk of oversharing.” 

Externally, organizations that have adopted GMM from GitHub have experienced similar benefits, and their feedback has driven continued improvements. 

GMM integrates with Microsoft Entra ID groups and Teams channel memberships, extending its impact across the Microsoft 365 suite, including Viva Engage, Teams, Outlook groups, Viva Connections, and Copilot.

Looking ahead 

The future of GMM is bright, with enhancements focused on usability, performance, and deployment: 

  • Improved user interface: Updates driven by internal and external feedback reduce admin effort and empower users. 
  • Enhanced scalability: The multi-lane process ensures timely completion of membership changes, even during large onboardings. 
  • Simplified deployment: Streamlining installation will make GMM more accessible for external organizations. 

“We hope GMM’s features resonate with organizations and their use cases,” Daly says. “If so, we encourage them to give it a try and share their feedback via the GitHub repository.” 

GMM exemplifies how Microsoft uses its own tools to solve real-world challenges and shares those solutions to help others achieve their goals. With its powerful capabilities and user-centric design, GMM is transforming the way organizations manage group memberships, fostering both collaboration and security.

Key Takeaways

Here are some tips for rethinking group management at your company:

  • Simplified group management: GMM streamlines group membership management, enhancing both security and productivity across organizations.
  • Addressing key issues: GMM tackles collaboration barriers and security risks by ensuring that the right people are in the right groups and removing unnecessary access.
  • Robust features: GMM offers flexible membership definitions, empowered group ownership, and change threshold protection to prevent accidental disruptions.
  • Development and scalability: Initially created to solve internal challenges, GMM has evolved into a comprehensive solution using various Azure services and focusing on scalability and security.
  • Impact and future enhancements: GMM has significantly improved group management at Microsoft with ongoing enhancements aimed at usability, performance, and deployment.

The post Streamlining group membership management and governance at Microsoft appeared first on Inside Track Blog.

How we’re tackling Microsoft 365 Copilot governance internally at Microsoft
http://approjects.co.za/?big=insidetrack/blog/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft/
Thu, 06 Feb 2025 16:55:00 +0000

Governance in the age of AI

Unlocking the next generation of productivity tools

Microsoft 365 Copilot combines the power of large language models (LLMs) with your organization’s data to turn employees’ words into some of the most powerful productivity tools on the planet—all within the flow of work. It suffuses the Microsoft 365 apps your people use every day, including Word, Excel, PowerPoint, Outlook, Teams, and more, to provide real-time intelligent assistance.

Initial results from our Microsoft Digital team, the company’s IT organization, and early adopters speak for themselves:

  • 70% of users said they were more productive at work.
  • 64% reported they spent less time processing email.
  • 85% shared that Copilot helps them get to a good first draft faster.
  • 75% highlighted time savings through improved document discovery.

Source: What can Copilot’s earliest users teach us about AI at work?

Getting governance right

With all the opportunities AI presents, your organization might be in the process of implementing Microsoft 365 Copilot. But it’s important to do that safely.

Copilot can reach anything the signed-in user already has permission to read, across your entire data estate, in the blink of an eye. A file that was safe only because nobody could find it is now one prompt away, so the old method of security through obscurity doesn’t cut it. You need to assert control over where data flows throughout your tenant so Copilot knows what it can and can’t access or display.

To ensure that proper data hygiene extends to AI-powered workflows, Microsoft designed Copilot to respect the sensitivity labels and data loss prevention (DLP) controls that organizations configure in Microsoft Purview. Copilot never grants access a user doesn’t already hold; labels and DLP are what keep content a user technically can reach from being surfaced where it shouldn’t. That way, administrators can be confident that the right people and apps have access to the data they need, and it doesn’t appear where it shouldn’t.


Learn from our Microsoft 365 Copilot experience

We learned a lot as the first large enterprise to deploy Microsoft 365 Copilot. We used those learnings to create this deployment and adoption guide, which you can use at your company.

Our team in Microsoft Digital implemented a company-wide governance strategy to address this issue. In the process, we learned valuable lessons that will be useful to any organization using Copilot.

This guide outlines our process for implementing a governance strategy that delivers the benefits of Copilot to Microsoft employees while minimizing the risks and entryways into our data estate. It shares our internal learnings so our customers can get up and running while avoiding pitfalls or surprises.

Follow along to find out how you can safely and effectively deploy Copilot at your organization—backed by rock-solid governance.

Principles for effective AI governance

Use this set of tips to ground yourself as you read through this guide.

Enable self-service

Give employees the ability to create new workspaces across your Microsoft 365 applications. By maintaining all data on a unified Microsoft 365 tenant, you ensure that your governance strategy applies to any new workspaces.

Limit the number of information protection labels

Limit your taxonomy to a maximum of five parent labels and five sub-labels. That way, employees won’t feel overwhelmed by the volume of different options.

Use intuitive labels that mean what they say

Make your labels simple and legible. For example, a “business-critical” label might imply confidentiality, but every employee’s work feels critical to them. On the other hand, there’s very little doubt about what “highly confidential” or “public” mean.

Capture container labels for groups and sites

Label your data containers for segmentation to ensure your data isn’t overexposed by default. Consider setting your container label defaults to the “Private: no guests” setting.

Derive file labels from parent containers

Classify files according to their parent containers. That consistency boosts security at multiple levels and ensures that deviations from the default are exceptions, not the norm.

Train employees

Train your employees to handle and label sensitive data to increase accuracy and ensure they recognize labeling cues across your productivity suite.

Trust employees, but verify their work

Trust your employees to apply sensitivity labels, but also verify them. Check against DLP standards and use auto-labeling and quarantining through Microsoft Purview automation.

Implement lifecycle management and attestation

Use strong lifecycle management policies that require employees to attest containers, creating a chain of accountability.

Enable company-shareable links

Limit oversharing at the source by enabling company-shareable links rather than forcing employees to add large groups for access. For highly confidential items, limit sharing to employees on a need-to-know basis.

Extract inventory to detect and report oversharing

Use Microsoft Graph Data Connect extraction in conjunction with Microsoft Purview to catch and report oversharing after the fact. When you find irregularities, contain the vulnerability or require the responsible party to repair it themselves.

Chapter 1: Enable self-service

Applying self-service principles to the way we manage labeling and governance emerged as a crucial step for us. 

Secure self-service that empowers employees

Self-service is a core tenet of employee empowerment here at Microsoft. We want to give every employee the independence to create the resources they need without engaging IT. But that level of freedom relies on ensuring our Microsoft Digital governance team identifies and protects valuable data. As a result, our employees can implement and own the containers, workspaces, and content they need to do their work productively. 

A container or workspace is a logical unit of content storage associated with a designated roster of collaborators. Common containers include SharePoint sites, Viva Engage communities, Outlook groups, and Teams channels.

Self-service forms the foundation of our entire governance strategy. Employees can create workspaces and content across many of the Microsoft tools they use for their day-to-day work, including SharePoint, OneDrive, Teams, and Power Platform. That freedom enables a culture of innovation and agility, where people can work together across teams and geographies without encountering “IT gating,” the need for IT to get involved in enabling day-to-day activities.

By encouraging collaboration in place, our tenant structure frees employees from resorting to email attachments or working in overly broad and open workspaces. As an IT team ourselves, we understand the value of eliminating IT gating for minimizing the time and effort our professionals need to invest in keeping employees productive.

This kind of data hygiene isn’t just about Microsoft 365 Copilot. It maintains data security and compliance wherever employees access company content and information. But because Copilot depends on the ability to access an organization’s data estate, good governance is essential for keeping it within bounds—especially in a self-service culture.

Pillars of our asset governance

Microsoft Digital’s asset governance strategy rests on four pillars: Empowering employees, identifying valuable and vulnerable content, protecting our assets, and ensuring accountability.

Responsible self-service

Self-service container creation has abundant benefits, but it also poses some challenges for content governance and security—things like oversharing, unneeded asset sprawl, and data leakage. To address these challenges, our Microsoft Digital governance team has established self-service principles that balance the needs of employees and the company.

We empower with accountability

Accountability comes with responsibility. Any full-time employee can create a workspace, but they’re responsible for re-attesting its compliance every six months to ensure it meets our governance requirements. They also need to attest that they still require and maintain the resource. They need to manage their own content and ensure it’s properly classified, labeled, and secured. The content’s accountable owner makes any decisions about the workspace with respect to reach or the desire to maintain it. That removes any guesswork for IT about whether a site is still valued and cared for.

We empower with guardrails

We secure assets by default and expand access based on employee needs.

We trust, but we also verify

Microsoft Information Protection (MIP) sensitivity labels and Purview DLP act as guardrails for employee-led governance efforts.

As we in Microsoft Digital have worked to improve the company’s overall governance posture, we’ve learned several important lessons. When you consider self-service container creation, there are a few questions to ask yourself:

Who do you trust to create containers? At Microsoft, we reserve complete self-service capabilities for full-time employees. Then, we configure those privileges in Microsoft Entra ID to define who can create Microsoft 365 Groups. These users need to take relevant trainings, and we hold them accountable for the containers they create.

Where does employee self-service make sense? Different employees will require self-service in different environments. Will yours need to operate within SharePoint? Power Platform? Teams?

What are your lifecycle rules? Think about your policies and rule sets. Who’s accountable? What does the lifecycle look like?

What are your naming rules? A clear taxonomy can act as an extra signpost and organizational driver for your users. It can also be useful to think through what names are explicitly helpful or obscure. At Microsoft, we use a blocked word list, but we don’t prefix or suffix all groups or site names to avoid overloading the employee experience.
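The Entra ID configuration that the two answers above describe (who may create Microsoft 365 Groups, and a blocked-word list with no forced prefix or suffix), as an added example that is not Microsoft Digital’s own script: it writes the tenant’s Group.Unified directory setting through the Microsoft Graph PowerShell beta cmdlets. The security group name, the word list, and the consented scopes are assumptions.

```powershell
# Added example, not Microsoft's internal tooling: lock Microsoft 365 Group
# creation to one security group and apply a blocked-word list via the
# Group.Unified directory setting (Microsoft Graph PowerShell, beta cmdlets).
# Assumptions: a security group named "FTE-Container-Creators" exists and the
# caller can consent to Directory.ReadWrite.All and Group.Read.All.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

$creatorGroupName = "FTE-Container-Creators"               # hypothetical group name
$blockedWords     = "CEO,Payroll,HR,Legal,Security,Admin"   # illustrative list, comma separated

# Group.Unified is the directory setting template that holds tenant-wide Microsoft 365 Group settings.
$templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"

$creatorGroupId = (Get-MgBetaGroup -Filter "displayName eq '$creatorGroupName'").Id
if (-not $creatorGroupId) {
    # Refuse to proceed: EnableGroupCreation=false with no allowed group would block everyone.
    throw "Creator group '$creatorGroupName' not found; not locking group creation to nobody."
}

$params = @{
    templateId = $templateId
    values     = @(
        @{ name = "EnableGroupCreation";         value = "false" }          # nobody by default...
        @{ name = "GroupCreationAllowedGroupId"; value = $creatorGroupId }  # ...except members of this group
        @{ name = "CustomBlockedWordsList";      value = $blockedWords }    # names matching these words are rejected
    )
}

# Create the settings object if Group.Unified was never customised in this tenant, otherwise update it.
$existing = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($existing) {
    Update-MgBetaDirectorySetting -DirectorySettingId $existing.Id -BodyParameter $params
} else {
    New-MgBetaDirectorySetting -BodyParameter $params | Out-Null
}

# Verify by reading the effective values back from the directory.
(Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values |
    Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId", "CustomBlockedWordsList" } |
    Format-Table Name, Value
```

Two caveats a practitioner should keep in mind: members of some administrator roles can still create groups regardless of this setting, and the blocked-word check is a whole-word match at creation and rename time, not a substring search, so it is a signpost rather than a security control. Keeping the allowed group limited to full-time employees is a matter of that group’s membership (for example, a dynamic membership rule on an HR attribute), which this script does not set up.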

When you’ve settled on degrees of autonomy and where to apply it, you can begin your AI governance journey. Find out how to configure containers for self-service here.

Learning from our self-service principles

Put thought into your environment and tenant architecture, key personas, and scenarios before adoption.

Understand that IT organizations have inherently cautious habits, and self-service might seem like a leap. As you lay out the business value for self-service container creation, illustrate the safety backstops as well. Also consider the risks if you don’t take this step, like employees misusing existing sites or other means not supported by IT.

Make the business case and offer reassurances that greater flexibility doesn’t equal greater vulnerability.

Consider your existing data hygiene and how it needs to extend to accommodate AI.

Chapter 2: Establish container labels and set well-scoped, intuitive defaults

We developed healthy baseline practices to ensure both our employees and the resources that they work with are protected.

Balancing freedom with trust through an easy-to-use labeling taxonomy

Self-service container creation forms the foundation of our employee-centric governance strategy. As part of that freedom, our Microsoft Digital governance team has established baseline protections inherent to all containers, and those protections depend on sensitivity labels. Microsoft 365 Copilot respects labels, so establishing effective labeling practices extends data security into our employees’ AI usage.

Baseline labeling habits

Employees need to label every container or workspace they create using Purview Information Protection (PIP) container labels. It’s a matter of policy at Microsoft: If it isn’t labeled, we delete it. We use container labeling for data delineation and to apply consistent protection and governance policies to containers based on their sensitivity and purpose. Microsoft labels break out into four different categories.

Container labels provide two things:

  • First, they drive user awareness over how to handle content. For example, if something is highly confidential, employees shouldn’t talk about it in the café.
  • Second, they illustrate what data is appropriate for which container. In other words, they signal to an employee that they shouldn’t store highly confidential documents on a general site.

Our Microsoft Digital governance team predefines and centrally manages labels to align them with broader MIP sensitivity levels used for email, files, meetings, and containers. Those include the same four categories: “highly confidential,” “confidential,” “general,” and “public,” although we don’t use the latter for containers.

Matching labels with policies and protections

Each label we’ve defined has a set of protection settings that include policies around characteristics like guest allowance and membership openness. They also drive inherited file labeling, which we use for encryption.

At its core, container classification communicates four things:

  • Privacy level: Labels determine whether the workspace is broadly available internally or it’s a private site.
  • External permissions: We administer guest allowance via the group’s classification, allowing specified partners to access teams when appropriate.
  • Sharing guidelines: We tie important governance policies to the container’s label. For example, can employees share this workspace outside Microsoft? Is this group limited to a specific division or team? Or is it restricted to specific people? The label establishes these rules.
  • Conditional access: While not implemented at Microsoft, tying identity and device verification to container labels introduces additional governance controls.

After extensive experimentation, we arrived at our current schema for how container sensitivity labels align with MIP policies. Your organization might make different choices about your labels’ relationships with information protection policies, but this can give you an idea of what a healthy governance ecosystem looks like.

Information protection container sensitivity labels

Microsoft Digital’s schema clearly delineates what each label means and how it affects content.
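As an added example of what such a schema looks like when expressed as configuration (not Microsoft Digital’s actual labels or settings), the following Security & Compliance PowerShell creates three container labels whose protection settings follow the privacy, guest-allowance, and external-sharing pattern described above, with file encryption attached to the most sensitive one. The label names, tooltips, tenant domain (contoso.com), and policy name are illustrative, and the Compliance Administrator role is assumed.

```powershell
# Added example, not Microsoft's internal label schema: container sensitivity
# labels with privacy / guest / external-sharing settings, plus encryption on
# the top tier, created with Security & Compliance PowerShell.
# Assumptions: Compliance Administrator role; tenant domain contoso.com.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Each entry maps a label to the container behaviour it enforces.
$schema = @(
    @{ Name = "Highly Confidential"; Privacy = "Private"; Guests = $false; External = "Disabled"
       Tooltip = "Need-to-know only. Private, no guests, no external sharing, files encrypted." }
    @{ Name = "Confidential";        Privacy = "Private"; Guests = $true;  External = "ExistingExternalUserSharingOnly"
       Tooltip = "Private team space. Approved guests may be added; sharing only to existing guests." }
    @{ Name = "General";             Privacy = "Public";  Guests = $false; External = "Disabled"
       Tooltip = "Discoverable by anyone inside the company. No guests, no external sharing." }
)

foreach ($label in $schema) {
    $params = @{
        Name                              = $label.Name
        DisplayName                       = $label.Name
        Tooltip                           = $label.Tooltip
        ContentType                       = "File, Email, Site, UnifiedGroup"  # one label serves containers and the files inside them
        SiteAndGroupProtectionEnabled     = $true
        SiteAndGroupProtectionPrivacy     = $label.Privacy    # Public = broadly available internally; Private = owners and members only
        SiteAndGroupProtectionAllowAccess = $label.Guests     # whether guests may be added to the group
        SiteExternalSharingControlType    = $label.External   # ceiling for SharePoint external sharing on labelled sites
    }
    if ($label.Name -eq "Highly Confidential") {
        # Files that inherit this label are encrypted: only tenant accounts can open them, offline access expires.
        $params.EncryptionEnabled           = $true
        $params.EncryptionProtectionType    = "Template"
        $params.EncryptionRightsDefinitions = "contoso.com:VIEW,EDIT,DOCEDIT,PRINT"
        $params.EncryptionOfflineAccessDays = 7
    }
    New-Label @params | Out-Null
}

# A label is only selectable at container creation once a policy publishes it.
$labelNames = $schema | ForEach-Object { $_.Name }
New-LabelPolicy -Name "Container and file labels" -Labels $labelNames -ExchangeLocation All | Out-Null

# Verify which protection actions actually attached to each label.
foreach ($label in $schema) {
    Get-Label -Identity $label.Name -IncludeDetailedLabelActions | Format-List DisplayName, LabelActions
}
```

Note that a label does not restrict sharing by itself: the container setting caps what SharePoint allows (for example, no external sharing at all on a "Highly Confidential" site), while the encryption rights on the file label are what follow a document when it leaves the container. Keep the two aligned, as the guidance above recommends, or a downloaded file will be looser than the site it came from.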

Building a process around employee ownership

The labeling process works like this: When employees create a new container, they’re responsible for selecting a container label that matches the sensitivity and purpose of the content they intend to store and share. By default, we lock new containers, which means that only the owner and members can access them. Locked containers prevent unauthorized or accidental access to their content.

Container owners can unlock the container if they need to share content with a broader audience within the organization or external partners. Container owners can also change the container label if the sensitivity or purpose of the content changes over time.

At Microsoft, this process provides the right combination of flexibility and protection while empowering employees with effective self-service.

Learning from our labeling practices

Your employees will be the ones applying labels, so make those labels intuitive. For example, “highly confidential” is easy to understand, while “business-critical” can be interpreted many ways from a sensitivity standpoint.

Identify the security needs and regulatory compliance that are specific to your organization and use built-in governance controls available through Microsoft tools.

Keep labels minimal to avoid overtaxing your employees’ understanding. We recommend restricting your labeling schema to no greater than five main labels with five sub-labels each—and the fewer, the better!

Experiment with sensitivity labeling through a small group of early champions, then roll these features out alongside an adoption and education initiative.

How we did it at Microsoft

Use these assets as a guide to our own journey; they represent how we did things here in Microsoft Digital.

More guidance for you

Here are more assets that we found useful.

Chapter 3: Derive file labels from parent containers

We’re using default file-labeling based on container labels to help our teams stay consistent with how they create and store resources that they work on. Here’s how that looks for our employees:

SharePoint and other containers support default library labels, which we configure to align with the container label through mapping we define in Purview.

For instances where we need to define default library labels for tools that don’t have container labels, like OneDrive for Business, we create custom scripts.

By default, new items inherit the label of the container that stores them. That helps employees apply the correct label and avoid misclassification. For example, if an employee creates a new document in a SharePoint site labeled “confidential,” the document will automatically receive that label.

Employees can change the item label if the sensitivity or purpose of the content differs from the container label. But that only works in one direction: a file with a higher-confidentiality label doesn’t belong in a lower-confidentiality container. For example, an employee can downgrade a file in a “highly confidential” container to “general” if it doesn’t require heightened protection, but they shouldn’t upgrade a file in a “general” container to anything above that grade; the right fix is to move it to a container of matching sensitivity. SharePoint doesn’t block such a mismatch on its own; it warns site owners when it detects one, for example when a file label is more sensitive than its container’s, so treat those warnings as a work queue rather than as a safeguard.

Understanding our sensitivity labels

By trusting employees and setting good defaults, we’re able to account for 99% of our governance needs.  

By defaulting file labels to their container labels, you can ensure that every item and collaborative space will align with both its context in your organization and your information protection policies. As a result, Copilot will respect those labels and their corresponding information protection policies.

Learning from our container-file relationships

Employees might not understand the relationship between files and their containers intuitively. When you implement your labeling strategy, be sure to include education about container-file derivation.

Many employees learn best from practice, not instruction. Include automated messages that correct edge-case behaviors like trying to make a file in a confidential container generally available.

Employees will more often than not use the default, so ensure your defaults are correct and reflect your organization’s needs.

Because a file can be moved or downloaded from its original container, the only way to protect that information is to ensure its label remains durable. Embed that durability in your object label configurations.

Whenever possible, make the container and file defaults the same from the outset. If you start with different labels or policy sets at the outset, it will be difficult to reconcile those changes later.

Chapter 4: Train employees

Training your employees on how to handle and label sensitive data was and continues to be a critical step on our governance journey. 

Empowering our employees: A joint effort between IT and users

Establishing a robust labeling strategy is only part of good governance. When it comes to getting employees on board, culture is as critical as policy.

At Microsoft, employee learning and development are how we move sensitivity labeling from the administrative sphere into day-to-day practice. It helps us increase the accuracy of how our labels are used and ensures that our employees recognize labeling cues when they appear across our productivity suite.

Every incoming Microsoft employee takes our Standards of Business Conduct and security trainings. As part of that process, we created an internal SharePoint resource dedicated to educating employees about their responsibilities for labeling and adhering to our governance policies. It educates employees about the philosophy behind our policies, shares a simplified overview of our sensitivity label structure, and provides practical, app-specific guidance for self-service labeling.

Decision tree: use this decision tree to determine the sensitivity label needed on your document.

This quick-reference guide helps Microsoft employees understand our labeling taxonomy at a glance. 

Effective learning and development assets

As you build out your employee education assets, consider emulating our content with the following elements.

Overview

It will be much easier for employees to act according to your governance policies if they understand what they do and why they’re so important. Our overview illustrates the relevance of sensitivity labeling for security and compliance and reinforces our employees’ place in maintaining them.

A quick-reference guide

A visual guide will help employees understand how labels relate to each other and what they accomplish. At Microsoft, we use a helpful flowchart that provides an outline of our labeling taxonomy without overloading employees with details. Placing it near the beginning of your training content grounds employees in the knowledge early, before they dive deeper into the details.

Technical education

Our learning material includes a section on how labeling works within our data estate. Then, it proceeds into an in-depth description of how each label or classification interacts with users’ content. Including this section will make labeling more tangible for your employees.

App-specific guidance

At this point, our guidance documentation progresses through the most common app-based use cases for sensitivity labeling: Microsoft 365 files, Teams, Power BI, and PDFs, as well as AIP and other file types separate from Microsoft 365. This app-by-app procedural content will help employees home in on their most common scenarios and educate themselves accordingly.

Aside from laying a solid foundation as an IT team, the most effective way to promote good governance is by bringing your workforce on board. Robust learning and development content is a powerful lever for establishing a culture of data security.

Learning from our employee training

People will only do what they know, so ensure employees know your policies and how to enact them. Build robust education into your labeling and governance strategy, ideally as part of employee onboarding.

Labeling cues are an excellent opportunity for helping employees remember their responsibilities. Make label descriptions brief and tangible during in-app experiences.

Nobody’s memory is perfect. Link out to relevant information as part of label descriptions so curious employees have a chance to reinforce their knowledge.

If breaches occur or certain teams underperform, coordinate with relevant managers to refresh employee knowledge.

Chapter 5: Trust employees, but verify their work

Trusting your employees while also verifying, through automation, that their actions are secure is a crucial step. 

Self-service with guardrails: How we’re backstopping our employee efforts with technology

Thanks to our education efforts and intuitive labeling interfaces, we trust employees to apply sensitivity labels. But we also verify their work. It’s how we catch the 1% of edge cases where problems might arise.

We accomplish that by checking files against our DLP standards and using auto-labeling and quarantining when we need them. Swiftly tying up any loose ends eliminates wayward items that Microsoft 365 Copilot might scoop up during the course of its work.

DLP is a set of technologies and practices centered around Purview that prevent sensitive data from leaving the organization and block unauthorized users from accessing it.

At Microsoft Digital, we use Purview DLP policies to define the rules and actions for detecting and protecting sensitive data across Microsoft 365, SharePoint, OneDrive, and Teams.

DLP policies cover sensitive data types and scenarios that require protection. They include any kind of information that could grant inappropriate access to company data or intellectual property:

  • Access credentials like keys or tokens
  • Personally identifying information
  • Financial data
  • Non-public source code
  • Sign-in information

Reports and dashboards are available via Purview to help our team monitor and analyze content activity and compliance across the organization. They also provide insights into the volume, location, and usage of sensitive data, as well as any incidents and alerts that indicate potential data breaches or violations.

For example, an employee might label something as “General,” but it contains credentials or other sensitive end user identifiable information (EUII). In those instances, Purview will automatically block the file from access beyond its owner or reapply a more appropriate label.

Automation and escalation

We’ve configured Purview to automatically remediate these kinds of issues or escalate them to our Microsoft Digital governance team for resolution when an issue is more complex. DLP remediation and escalation processes can involve several different groups of stakeholders depending on the severity and impact of the incident or alert:

  • Content owners
  • Content champions
  • The MIP team
  • Our legal team
  • Security

We use Microsoft Purview to run DLP remediation operations at scale.

DLP systems acquire telemetry from the Office 365 Management Activity API. Backend processing cleanses the data to build relevant insights and surfaces them through Power BI dashboards.

We flag information about files and aggregate it at the file level, then assign it to the last modifier for remediation action.

If users don’t act on the flagged files quickly, the DLP team scopes the risky sites and quarantines the files that triggered a match.

Fortunately, all these features and functionalities are available out of the box through Microsoft 365 and Purview. After you’ve established your labeling strategy and policies, it’s just a matter of adding guardrails to your self-service environment. By automating information protection through quarantining content or rightsizing its label, you can keep Copilot from making sensitive information available where it shouldn’t.

Learning from Microsoft Digital’s trust and verification process

Think carefully about where vulnerabilities can arise and where the relationships between labels, policies, and vulnerabilities might be. Incorporate those into your DLP automation.

When human intervention is necessary, it’s important to have immediate access to the relevant stakeholders. Assemble your list and build it into your process.

Purview DLP is a powerful set of capabilities, but it still relies on automation, which can miss things humans don’t. For example, DLP might not understand the code name for a product and fail to catch it during automated verification.

There are very few absolutes in IT, so you’ll always need exceptions. For example, finance professionals will often need to include passwords or credit card numbers in working documents, so we exempt that team from Purview DLP oversight. At Microsoft, we use exemption groups to exempt certain employees. An exemption is itself a gap in your coverage, so keep those groups small, owned, and periodically reviewed.
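The two pieces described above, a DLP rule that blocks access to files holding credentials or regulated personal data and notifies the last modifier, and an exemption group carved out of that rule, as an added example that is not Microsoft Digital’s actual policy. It uses Security & Compliance PowerShell and built-in sensitive information types; the exempt group address, policy and rule names, and policy-tip wording are illustrative, and the Compliance Administrator role is assumed. One parameter is flagged in the code as an assumption.

```powershell
# Added example, not Microsoft's internal DLP policy: block access to files
# carrying credentials or regulated PII, notify the last modifier and owner so
# they remediate, and exempt one finance group (Security & Compliance PowerShell).
# Assumptions: Compliance Administrator role; the exempt group exists.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName  = "Governance - secrets and PII at rest"
$exemptGroup = "finance-dlp-exempt@contoso.com"   # assumed mail-enabled security group

$policy = @{
    Name                             = $policyName
    ExchangeLocation                 = "All"
    SharePointLocation               = "All"
    OneDriveLocation                 = "All"
    TeamsLocation                    = "All"
    ExchangeSenderMemberOfException  = $exemptGroup   # finance group's mail is not evaluated
    # Assumed parameter name for the OneDrive-side exemption; confirm with Get-Help New-DlpCompliancePolicy.
    ExceptIfOneDriveSharedByMemberOf = $exemptGroup
    Mode                             = "TestWithNotifications"  # pilot first; switch to Enable once false positives are understood
    Comment                          = "Credentials and PII must not be readable beyond their owner"
}
New-DlpCompliancePolicy @policy | Out-Null

# Built-in sensitive information types standing in for the credential and PII buckets.
$sits = @(
    @{ Name = "Credit Card Number";                minCount = "1" }
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
    @{ Name = "Azure Storage Account Key";         minCount = "1" }
)

$rule = @{
    Name                                = "$policyName - block and notify"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $sits
    BlockAccess                         = $true
    BlockAccessScope                    = "All"   # everyone except the owner, last modifier and site admin loses access
    NotifyUser                          = @("LastModifier", "Owner")
    NotifyPolicyTipCustomText           = "This file contains credentials or personal data. Remove them or apply the Highly Confidential label."
    GenerateIncidentReport              = "SiteAdmin"
    ReportSeverityLevel                 = "High"
}
New-DlpComplianceRule @rule | Out-Null

# Verify: the rule should report BlockAccess True with scope All.
Get-DlpComplianceRule -Policy $policyName | Format-List Name, BlockAccess, BlockAccessScope, NotifyUser
```

Run it in test mode long enough to see what the built-in detectors miss (the product code-name case mentioned above is exactly what they will not catch) and what they over-match on before flipping the mode to Enable; a blocking rule that fires on false positives trains people to route around it.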

Your legal, HR, and security teams will be key allies in this process. Engage them early to help you flesh out risk factors and vulnerabilities.

Chapter 6: Implement lifecycle management and attestation

We focused on strong lifecycle management policies and employee attestation to help us get our lifecycle management right. 

Pairing trust with accountability: How we’re maintaining our data hygiene with attestation

Attestation and self-service go hand-in-hand. In simple terms, it means employees can create what they need, but they’re accountable for its upkeep. In turn, that chain of accountability makes sure Copilot only accesses clean and appropriate data.

At Microsoft, we follow the principle of data minimization. That means only content that’s necessary and relevant for the company’s operations and objectives should exist in storage. Data minimization reduces the risk of oversharing content that isn’t cared for by employees, minimizes asset sprawl, limits data leakage, and improves quality and usability.

To implement this principle, Microsoft Digital requires that every existing container has attestation. By extension, we delete information that doesn’t have a full-time employee to care for it or that has become stale or irrelevant.

Attestation is the process of verifying and validating the existence, ownership, and purpose of a container and ensuring it complies with content governance and security policies.

At Microsoft, we require attestation from a full-time employee every six months to confirm several aspects of their containers:

  • It’s correctly labeled.
  • Users actually care about its ongoing existence.
  • The roster of people with access is accurate and necessary.
  • Sharing capabilities are appropriately restrictive or permissive.
  • It complies with corporate retention guidelines.

If a container or an item doesn’t have attestation, we consider it orphaned or abandoned, and it’s subject to deletion. You don’t want to be too draconian about these policies. We configure our Microsoft Entra group expiration policies and SharePoint Premium inactive sites attestation to give container owners 60 days to take action. That’s followed by a final notice at deletion time with a link to restore and resolve for another 30 days. We also archive deleted items for recovery over an extended period if employees decide they need them after the fact.

Managing exceptions

If a container is subject to a retention or hold for our legal team, that supersedes any deletion event. Generally speaking, containers where the legal team is the accountable owner aren’t subject to re-attestation because we handle those life cycles more granularly based on Purview retention policies.

Ultimately, every organization will have to decide what makes the most sense for them. Applying these principles will help you maintain organization-wide data hygiene, which prevents over-access from Copilot.
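As an added illustration (not Microsoft Digital’s tooling), the following PowerShell function applies the intervals described above to a constructed container inventory and reports where each container sits in the lifecycle. The container names and dates are made up, the fixed “today” keeps the output reproducible, and the final “Archived” stage stands in for the extended-recovery archive.

```powershell
# Added example: classify containers against the attestation timeline from the
# text: re-attestation every 6 months, 60 days to act once it lapses, then a
# 30-day restore window, and a retention/legal hold that supersedes deletion.
$AttestationMonths = 6
$GraceDays         = 60
$RestoreDays       = 30

function Get-AttestationState {
    param(
        [Parameter(Mandatory)] [datetime] $LastAttested,
        [datetime] $Now = (Get-Date),
        [switch]   $LegalHold
    )
    # A retention or legal hold supersedes every deletion event, so these
    # containers are never scheduled for deletion by this policy.
    if ($LegalHold) {
        return [pscustomobject]@{ State = 'Exempt (legal hold)'; Deadline = $null }
    }
    $due        = $LastAttested.AddMonths($AttestationMonths)  # re-attestation due
    $graceEnd   = $due.AddDays($GraceDays)                     # owner has 60 days to act
    $restoreEnd = $graceEnd.AddDays($RestoreDays)              # final notice + restore link

    if     ($Now -lt $due)        { $state = 'Attested';            $deadline = $due }
    elseif ($Now -lt $graceEnd)   { $state = 'Action required';     $deadline = $graceEnd }
    elseif ($Now -lt $restoreEnd) { $state = 'Deleted, restorable'; $deadline = $restoreEnd }
    else                          { $state = 'Archived';            $deadline = $null }

    [pscustomobject]@{ State = $state; Deadline = $deadline }
}

# Constructed inventory resembling an export of group/site metadata (hypothetical names).
$containers = @(
    [pscustomobject]@{ Name = 'Project-Alpha'; LastAttested = [datetime]'2024-09-01'; LegalHold = $false },
    [pscustomobject]@{ Name = 'Sales-FY24';    LastAttested = [datetime]'2024-06-20'; LegalHold = $false },
    [pscustomobject]@{ Name = 'Hackathon-Q2';  LastAttested = [datetime]'2024-05-01'; LegalHold = $false },
    [pscustomobject]@{ Name = 'Old-Wiki';      LastAttested = [datetime]'2023-11-01'; LegalHold = $false },
    [pscustomobject]@{ Name = 'Litigation-42'; LastAttested = [datetime]'2023-01-01'; LegalHold = $true  }
)
$asOf = Get-Date '2025-01-15'   # fixed "today" so the result is reproducible

# Expected states as of 2025-01-15: Attested, Action required, Deleted, restorable,
# Archived, Exempt (legal hold).
$containers | ForEach-Object {
    $r = Get-AttestationState -LastAttested $_.LastAttested -Now $asOf -LegalHold:$_.LegalHold
    [pscustomobject]@{ Container = $_.Name; State = $r.State; Deadline = $r.Deadline }
} | Format-Table -AutoSize
```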

Learning from our lifecycle management habits

The attestation interval should be short enough that it doesn’t introduce risk through neglect and long enough that it isn’t unnecessarily burdensome for employees. Think about what makes the most sense for your people by analyzing their behaviors.

Be sure that the attestation requests you create for employees contain both the objective for motivation and simple instructions. That will increase buy-in and smooth the process.

The severity of non-compliance will vary based on different files and containers. Some might be more relaxed, and others more strict. Determine a strategy for deciding which is which.

Consider your resolution and recovery intervals after a lapse in attestation. You’ll need to balance between items’ sensitivity, employees’ bandwidth, and the infrastructure cost of extended archiving for recoverable items.

Chapter 7: Enable company-sharable links

We’re finding that the best way to reduce oversharing is by addressing it at the source.

Enabling fluid, secure collaboration: How we’re extending access with company-shareable links

At Microsoft Digital, we recognize that content sharing is essential for collaboration and productivity. Employees need to share content with both internal and external audiences. But that also poses a risk of content oversharing when employees expose material to more people or for longer than necessary. It might also mean they’ve shared content without proper protection or classification.

In many cases, employees need to share content outside its container. That might include simply sharing a specific file outside of the container’s roster to enable collaboration in place without resorting to making a copy of the file. On the other hand, someone might need to email the file as an attachment.

Using company-shareable links

Microsoft Digital limits oversharing at the source by enabling company-shareable links (CSLs) for all containers and items except ones labeled “highly confidential.” A CSL is a type of link that allows anyone who receives it within our organization to access the content. CSLs are convenient and easy to use, and they promote a culture of openness and transparency.

Before CSLs, employees resorted to sharing with large security groups because they didn’t know which groups contained everyone who needed access, and manually adding every unique user was too cumbersome. That behavior leads to oversharing because anyone with access can stumble on the content in Microsoft Search or get answers from Copilot. Any Microsoft 365 discovery scenario will security-trim results, so it’s important that users can’t directly access things they don’t need.

While employees can pass a CSL around within the company, it isn’t discoverable in Microsoft Search or Copilot because only users who received the link directly via email or chat will have pre-granted access. It might seem counterintuitive that a CSL is more secure, but it eliminates the need for standing access to content and provides greater protection.

Finally, we allow content owners to modify or revoke CSLs if their sensitivity or purpose changes, or if sharing is no longer necessary. The content owner can also set an expiration date or a password for their link to enhance security and control.

Extra protection for highly confidential items

Our governance team at Microsoft Digital determined that we should enable CSLs by default for all containers and items labeled “public,” “general,” or “confidential.” As a result, employees can share content with their colleagues without having to grant individual permissions or manage access requests.

There are some kinds of content that employees absolutely shouldn’t share through a CSL. The risk emerges if someone copies the link into an open location like a broadly accessible document or community. You’ll have to decide where to draw that line for your organization. At Microsoft, we’ve elected to disable CSLs for all containers and items that are labeled “highly confidential.”

At Microsoft, highly confidential items require need-to-know access for specific people. For these files, employees use links they designate for specific people, which allows access to only individuals the content creator or owner explicitly identifies. In those situations, large security groups aren’t appropriate in any case.

Our policy compels employees to think about who needs access to content and take deliberate action before sharing. In some ways, it acts as an extra gate or prompt to keep our people security-conscious during the sharing process.

At Microsoft Digital, we tailored our policies to the company’s specific needs, but they provide a blueprint for other organizations to build a CSL strategy. Deciding what should be sharable and how will help you ensure robust information protection that’s still flexible enough to foster collaboration and productivity.
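One way to express this label-to-link policy as tenant configuration, added here as an example rather than Microsoft Digital’s own scripts: it assumes active Connect-SPOService and Connect-IPPSSession sessions, that sensitivity labels with exactly these names exist in your tenant, and uses the DefaultShareLinkScope advanced setting as documented for Set-Label (verify the setting names against current Microsoft Purview documentation).

```powershell
# Added example: make company-shareable links the default everywhere except
# for "Highly Confidential", where links for specific people are the default.

# Tenant-wide default link type: "Internal" = people in your organization (a CSL),
# rather than "AnonymousAccess" (anyone) links.
Set-SPOTenant -DefaultSharingLinkType Internal

# Label -> default sharing link scope, mirroring the policy described above.
# Assumed label names; adjust to your own taxonomy.
$linkScopeByLabel = @{
    'Public'              = 'Organization'     # CSL by default
    'General'             = 'Organization'     # CSL by default
    'Confidential'        = 'Organization'     # CSL by default
    'Highly Confidential' = 'SpecificPeople'   # need-to-know: no CSL default
}

foreach ($label in $linkScopeByLabel.Keys) {
    # DefaultShareLinkScope accepts SpecificPeople, Organization, or Anyone.
    Set-Label -Identity $label -AdvancedSettings @{ DefaultShareLinkScope = $linkScopeByLabel[$label] }
}

# Verify: show the advanced settings recorded on the most restrictive label.
Get-Label -Identity 'Highly Confidential' | Format-List Name, Settings
```

These settings change the link type users get by default; they do not by themselves stop someone from choosing a different scope, so pair them with DLP and the oversharing reporting described in Chapter 8.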

Learning from our company-shareable link strategy

Align your CSL policies with the sensitivity labels that meet your organization’s security needs. Above a certain threshold, it might make sense to require links for specific people.

Employees will need time to get used to this structure. Create education communications early in the process, and configure your labeling interface to display information about the sharing implications of different labels.

CSLs are counterintuitive in terms of safety. They might make security professionals uncomfortable because employees are free to share them internally with anyone. Reinforce that CSLs are safer than giant security groups, which will be the other default behavior for employees. And unlike content shared with security groups, content shared through a CSL won’t show up in Microsoft Search for people who haven’t received the link.

Most people will take the simple path, so make the simple path the safe path. Generally speaking, employees leave the defaults intact. If CSLs are your default, that’s the behavior it will drive for your employees.

How we did it at Microsoft

Use these assets to guide your own journey—they represent how we did things here in Microsoft Digital.

More guidance for you

Here are more assets that we found useful.

Chapter 8: Extract inventory to detect and report oversharing

When oversharing does slip through, it’s important to have systems in place to catch it. 

Remediating oversharing errors when they occur: How we’re reporting on broad-access files and sites with Microsoft Graph Data Connect

In spite of our Microsoft Digital governance team’s best efforts to limit oversharing at the source, it can still occur. In some ways, it’s inevitable.

Organizations are made up of people, and so will always experience human error. Left unchecked, content oversharing can have negative consequences for an organization, including data breaches, compliance violations, or reputational damage. It will also give employees access to that content through Copilot when it isn’t appropriate.

To detect and mitigate content oversharing, we use Microsoft Graph Data Connect to report on every broad-access file or site with more sensitive labels. It helps us access and analyze data from Microsoft 365, SharePoint, OneDrive, and Teams using Azure Data Factory, Azure Synapse Analytics, or Azure Machine Learning. We then connect those datasets in our data estate using Azure Synapse Spark and track how many SharePoint sites and items are currently overshared based on our business rules.

One of the principal benefits of Microsoft Graph Data Connect is accessing the information we need through each of these technologies in a secure and scalable way, with control governed by our tenant admins.

Using Microsoft Graph Data Connect for oversharing remediation

We use Microsoft Graph Data Connect to detect, reveal, and remediate oversharing in the rare cases where it occurs.

Reporting for accountability

Our tenant’s data team uses Microsoft Graph Data Connect to generate reports on every file or site on the tenant with a broad access level, like a CSL or link that can be shared with anyone. It also monitors any item with a sensitive label like “confidential” or “highly confidential.”

These reports provide information and insights on the content’s owners, recipients, activity, and content protection and compliance status. They also help identify and prioritize potential cases of content oversharing.

At Microsoft, this output is helpful for several groups of stakeholders:

  • We share the reports with the content champions responsible for reviewing and validating any cases of content oversharing.
  • We use the reports to contact and educate the content owners on how to resolve oversharing issues and comply with our governance and security policies.
  • We share the reports with the legal and security teams responsible for investigating and responding to cases of content oversharing that involve legal or security risks and incidents.
  • We track our improvement over time as we enforce policies on our assets.

To help customers benefit from this kind of visibility, we’ve created a freely available reporting template. We encourage you to use this tool to track oversharing.

Beyond weaving your Microsoft Graph Data Connect data export into your own data estate, you can now also use SharePoint Advanced Management in SharePoint Premium to get a list of sites that meet a set of criteria that you select. We use this capability to find all our sites that share Highly Confidential data to more than 5,000 users. We then use the same capabilities to selectively require our site owners to fix any anomalies we discover.
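To show how such a report can be triaged once exported, here is an added PowerShell example that is not Microsoft’s reporting template: it runs two business rules over a constructed CSV (a sensitive label reachable through an Organization or Anyone link; more than 5,000 permissioned users). The column names, URLs and owners are assumed for the example.

```powershell
# Added example: triage rows of an oversharing report against the rules the
# text describes. The CSV below is constructed; the column layout is assumed.
$report = @'
ItemUrl,Label,SharingScope,PermissionedUsers,Owner
https://contoso.sharepoint.com/sites/hr/Comp.xlsx,Highly Confidential,Organization,12000,alice@contoso.com
https://contoso.sharepoint.com/sites/eng/Spec.docx,Confidential,Anyone,40,bob@contoso.com
https://contoso.sharepoint.com/sites/mkt/Deck.pptx,General,Organization,9000,carol@contoso.com
https://contoso.sharepoint.com/sites/legal/Hold.pdf,Highly Confidential,SpecificPeople,3,dan@contoso.com
https://contoso.sharepoint.com/sites/fin/Q3.xlsx,Confidential,Organization,6500,erin@contoso.com
'@ | ConvertFrom-Csv

$BroadAccessThreshold = 5000                              # the page's "more than 5,000 users"
$SensitiveLabels      = @('Confidential', 'Highly Confidential')
$BroadLinkScopes      = @('Organization', 'Anyone')        # CSL or anyone link

function Get-OversharingFindings {
    param([Parameter(Mandatory)] $Rows)
    foreach ($row in $Rows) {
        $users   = [int]($row.PermissionedUsers)
        $reasons = @()

        # Rule 1: a sensitive label sitting behind a broad link (per the text,
        # Highly Confidential content should never be behind a CSL at all).
        if ($row.Label -in $SensitiveLabels -and $row.SharingScope -in $BroadLinkScopes) {
            $reasons += "label '$($row.Label)' reachable via $($row.SharingScope) link"
        }
        # Rule 2: anything more than 5,000 users can reach, regardless of label.
        if ($users -gt $BroadAccessThreshold) {
            $reasons += "$users permissioned users exceeds $BroadAccessThreshold"
        }
        if ($reasons.Count -eq 0) { continue }

        # Priority follows the label so the content champions see HC items first.
        $severity = switch ($row.Label) {
            'Highly Confidential' { 'P1' }
            'Confidential'        { 'P2' }
            default               { 'P3' }
        }
        [pscustomobject]@{
            Severity = $severity
            Owner    = $row.Owner          # who the education/contact step goes to
            ItemUrl  = $row.ItemUrl
            Reason   = ($reasons -join '; ')
        }
    }
}

# Expected: Comp.xlsx (P1, both rules), Spec.docx (P2), Q3.xlsx (P2, both rules),
# Deck.pptx (P3, users only); Hold.pdf produces no finding.
Get-OversharingFindings -Rows $report | Sort-Object Severity | Format-Table -AutoSize
```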

More information on this data access functionality is available in the SharePoint documentation.

With the right controls and policies in place, you can minimize the number of oversharing errors your employees commit. But when errors do occur, a proactive detection strategy quarantines the risk from Copilot, even as your staff stays connected and collaborating.

Learning from our oversharing detection and reporting setup

Between Microsoft 365 and Azure, it’s likely you already have access to the tools you need to set up your reporting apparatus. Explore out-of-the-box functionality before building your own solution.

Collaborate with stakeholder teams to nominate point people who will receive oversharing reports and take action or communicate findings.

Work with internal comms professionals to determine the best communication strategy when you detect oversharing, especially when speaking with content owners.

Different stakeholders will require different information. Work with individual teams to determine what their reports should look like.

How we did it at Microsoft

Use these assets to guide your own journey—they represent how we did things here in Microsoft Digital.

More guidance for you

Here are more assets that we found useful.

The way forward

Getting governance right in the age of AI

The advent of AI tools like Microsoft 365 Copilot is a once-in-a-generation development. At this point, we’re still learning all the ways that these tools can be used to unlock creativity, productivity, collaboration, and innovation. But we can be sure of one thing: implementing them securely and effectively should be priority one.

If you’re deploying Copilot to your organization, the lessons we’ve learned at Microsoft Digital can act as a roadmap for your own journey. Ultimately, the most important thing is to consider the data implications of AI assistance and plan accordingly. Diligence and forethought will make sure your employees get all the benefits of next-generation AI technology while your organization stays protected.

Welcome to the age of AI.

Download the eBook version of this Governance in the age of AI readiness guide.

Appendix

This is the full list of related resources shared with you in this readiness guide.

How we did it at Microsoft with Microsoft 365 Copilot deployment and adoption

More guidance for you


The post How we’re tackling Microsoft 365 Copilot governance internally at Microsoft appeared first on Inside Track Blog.

AI in action: Unpacking our internal journey with Windows 11 and Copilot+ PCs
http://approjects.co.za/?big=insidetrack/blog/ai-in-action-unpacking-our-internal-journey-with-windows-11-and-copilot-pcs/
Wed, 20 Nov 2024 17:00:00 +0000

Microsoft Digital technical stories

At Microsoft, Windows 11 has been powering the 225,000 devices our employees and vendors use to do their work since it was released in the fall of 2021. Since then, the addition of many new features and the integration of AI have made it even more useful to us.

Like other enterprises, we’re benefitting from how AI is being woven into every part of the technology sector, including with Windows, where we’re using Copilot+ PCs, Microsoft 365 Copilot, and the rest of the broad range of AI-powered tools and features that we’re using across the company to get more out of our longtime, signature operating system today, while also preparing for how it will continue to power everything we do in the future.

According to our 2024 Work Trend Index (WTI) annual report, 79% of US business leaders believe their company needs to adopt AI to remain competitive. Yet, the numbers suggest that those that are just now starting to get ready for AI are already behind. Users say AI is saving them time now (90%), allowing them to focus on their work (85%), be more creative (84%), and enjoy their work more (83%).

The AI era is already here, and organizations must seize every opportunity to catch up and get ready for the future.

At Microsoft Digital, our internal IT organization, we’re harnessing Windows 11 and Copilot+ PCs to give our business and our employees a foundation to build on for future developments in AI. AI interactions are happening at the desktop, in the browser, across apps, and, with Windows 11 and Copilot+ PCs, right in the local operating system.

With Windows 10 end-of-support approaching in October 2025, every organization needs to assess their PC inventory and create a plan to move forward. Outdated PCs put users and businesses at risk, and the security and functionality updates that come with Windows 11 provide the best protection and productivity for Microsoft customers.

Learning from our own deployment of Windows 11

Digumarthi and Gonis pose in a composite photo
Harshitha Digumarthi (left), Markus Gonis, Yulia Evgrafova (not pictured), and Pandurang Savagur (not pictured) are part of our team harnessing Windows 11 and Copilot+ PCs as our foundation for AI at work.

Our own first internal rollout of Windows 11 was the smoothest and quickest operating system upgrade in the history of the company. During the key phase of the rollout, we deployed Windows 11 to more than 190,000 devices in five weeks.

Starting small and growing from there is an essential part of the way we deploy any solution or tool, Windows 11 included.

“We followed a ring-based approach, which is pretty typical,” says Markus Gonis, a service engineer and deployment lead with Microsoft Digital. “The initial feature testing happened with a small group of Microsoft Digital users who were close to the feature sets and understood their key implications.”

The testing team subjected Windows 11 to an initial test process to ensure it met our organization’s internal standards, the same standards that we apply to any new software or solution, whether it was developed by Microsoft or by another provider.

Following initial testing, we deployed Windows 11 to a small, specifically selected proof of concept group to ensure that its overall functionality met our expectations and requirements. Pilot-testing followed, and then full implementation. This phased approach ensured that any potential issues were identified and addressed early, and that we could perform the majority of the deployment with few issues.

“We had a minimal number of standard incidents, and no major incidents reported through support channels directly related to the Windows 11 update nor the deployment itself,” Gonis says. “Despite the complexities of hardware eligibility and app compatibility with a new operating system being a typical challenge, we were able to execute the deployment with minimal disruption.”

Moving forward with deploying subsequent versions of Windows 11, we have refined the deployment process to include many more devices, now exceeding 225,000 with the 24H2 update, both by having users update their devices on their own and through pushed deployment.

Improving deployment with Windows Autopatch

The deployment process used several new features, including Windows Autopatch (which now includes Windows Update for Business).

“Windows Autopatch has been a game-changer for us,” says Harshitha Digumarthi, a senior product manager at Microsoft Digital. “It allows us to manage our updates more effectively and to ensure our devices are running the latest and most secure versions of Windows.”

Digumarthi’s team used Windows Autopatch to manage and control Windows 11 updates throughout the deployment. By using device group membership and a few deployment parameters, they had full control over when and how they deployed major updates to the entire organization. This approach allowed for a more streamlined and efficient update process, ensuring our devices received the updates without causing disruptions.

The team also integrated Windows Autopatch into the deployment process to further enhance the efficiency of updates. This feature keeps our devices patched and up to date, reducing the need for manual intervention as it reinforces our security posture and Zero Trust strategy.

Deploying Windows 11 with security and compliance

Feature testing, especially new features included in later builds, is an important part of the ongoing security and compliance practices at Microsoft Digital.

“When a new feature comes out, we need to ensure that we can deploy and govern it securely,” says Yulia Evgrafova, a principal security engineer with Microsoft Digital. Her team helps to ensure new features are ready for enterprise deployment at Microsoft.

Evgrafova points out the extra responsibility and privilege that comes with testing Microsoft products.

“With Windows 11, it’s a Microsoft product, but we’re also using that product as a customer,” Evgrafova says. “We call ourselves Customer Zero.”

Our Customer Zero relationship at Microsoft is a special one.

We in Microsoft Digital usually adopt products like Windows 11 before any other customer. Then, as part of the relationship, we test, use, and offer feedback on the product. It’s an internal feedback mechanism that we use for most of our products, and it leads to better, more complete products that are enterprise tested and enterprise ready.

“Our feature testing is comprehensive,” Evgrafova says. “We start with the basics: what is the scope of this feature and what’s the enterprise readiness of this feature for the rollout? Our goal is to understand not only the immediate risks that a feature might pose, but also the potential risks of that feature as it matures.”

However, deploying Windows 11 wasn’t simply testing and upgrading the operating system on existing hardware.

Windows 11 has specific hardware requirements, which meant not every device at Microsoft would be part of the deployment. Most of our devices were eligible, but communicating hardware requirements was an early step.

“Communicating with our employees about the requirements and how we would handle new devices was important,” Gonis says. “Since Windows 10 and Windows 11 can be managed side-by-side with no additional overhead, we could co-manage both upgraded and non-upgraded devices until all the older Windows 10 devices were replaced.”

Replacing Windows 10 devices with new hardware created an opportunity for us to examine our hardware refresh policy, assess the hardware options, and finally make Copilot+ PCs our device refresh of choice.

Turning to Copilot+ PCs

Integrating Copilot+ PCs into the mix was a very natural next step for us.

“Copilot+ PCs were the obvious choice to replace unsupported Windows 10 hardware,” says Pandurang Savagur, a senior product manager with Microsoft Digital. “Copilot+ PCs bring an entirely new level of hardware support and acceleration of Windows 11 capabilities, in AI and beyond.”

Copilot+ PCs offer a new hardware feature set that goes beyond the traditional PC. Those features are headlined by the neural processing unit (NPU) present in every Copilot+ PC.

Neural Processing Units (NPUs) have become a crucial component in modern computing, especially with the advent of AI-driven applications. Initially, devices like the Microsoft Surface Laptop Studio 2 were introduced with NPUs primarily for Windows Studio effects. These NPUs offloaded processing tasks from the CPU, enhancing device performance and battery life.

With the introduction of Copilot+ PCs, the role of NPUs has expanded significantly. Copilot+ PCs can run AI features and processing locally on the device, using the NPU. The NPUs in these devices enable faster and more efficient on-device AI processing (they support over 40 TOPS, which means they can perform more than 40 trillion operations per second). For instance, tasks like natural language translation and generative AI features can be processed locally, reducing the need for cloud-based processing and accelerating processing times.

Built-in features that support NPU offloading are coming to Windows 11, including improved Windows search, across local and cloud-based files. With improved Windows search, Windows 11 will be able to use NPU-powered search capabilities to understand the context of each file, including contents, and return more accurate and complete results.

There is now no need to remember file names, settings locations, or even worry about spelling; just type your thoughts to find what you need on a Copilot+ PC. You can even locate photos in OneDrive by describing their content in the same way. With the over 40 TOPS NPU in Copilot+ PCs, it works even when you’re not connected to the internet. Improved search will initially be available in File Explorer and will later extend to Windows Search and Windows Settings. This means searches in Windows 11 for files will become faster and more intelligent.

Copilot+ PCs also will make Microsoft 365 Copilot better. Microsoft 365 apps will soon be able to use the NPU for AI-based tasks, so the same Microsoft 365 Copilot capabilities that work in the cloud also will be available offline and with lower latency.

This also happens in apps that might surprise you. For example, Microsoft Teams has several AI-based features including face tracking and voice isolation that can use the NPU directly, freeing up CPU resources, increasing performance, and improving battery life.

Boosting ARM-based Windows 11 mobility

We’ve found significant performance improvements from NPU integration, especially from ARM Copilot+ PCs. The reduction in CPU usage has provided significantly better overall performance across Windows 11. Many of our users with ARM-based Windows 11 devices are reporting battery life exceeding 20-22 hours of active usage.

Other benefits of the ARM-based Windows 11 Copilot+ PCs include cellular data connection, providing continuous network connectivity for a new generation of ultra mobile Windows laptops. ARM-based Windows 11 devices also support instant-on power capability, just like your mobile phone or tablet.

Our employees are seeing huge benefits.

“Windows 11 Copilot+ PCs have been a huge difference-maker for our employees,” Gonis says. “Their laptops have become truly mobile devices, and it changes how they use them and where they can take them.”

The deployment of Copilot+ PCs has also highlighted the importance of app compatibility. While many apps that we use run natively on ARM-based devices—including Microsoft 365 and a large percentage of our first party apps—some still use x64 emulation. We’re working to achieve 100 percent compatibility by the end of 2025, ensuring that all our tools can fully take advantage of the capabilities of NPUs and the ARM platform.

It’s a bright future for hybrid AI, and we’re ready for it with Windows 11 Copilot+ PCs.

Looking forward

We’re continually evaluating and implementing new Windows 11 features as they become available in each release. We’re currently testing hotpatching in Windows 11 to allow updates without system reboots. We aim to reduce the number of required reboots to one per quarter, improving efficiency and maintaining system stability.

We’re also testing the Recall experience. Recall creates an explorable timeline of a Windows 11 PC’s past using snapshots and natural language queries. It helps users find past content on their PC by responding to natural language prompts with images, text, or even the exact location of the item you’re searching for.

Of course, we’re excited about the next generation of Copilot+ PCs and the hardware and software improvements coming to Windows 11. As AI continues its rapid evolution, we’ll be working alongside the Windows 11 team to bring advancements in productivity, accessibility, and security.

We believe that hybrid AI is the future and Windows 11 with Copilot+ PCs is the platform that will support it.

Key Takeaways

Here are some tips on getting started evolving your Windows ecosystem with Copilot+ PCs:

  • Adopt Copilot+ PCs as the hardware platform of choice for Windows 11 devices.
  • Explore the enhanced performance and battery life of ARM-based Windows 11 Copilot+ PCs.
  • Use Windows Autopatch to manage your Windows 11 deployment.
  • Consider the benefits of upcoming Windows 11 features, such as Hotpatch for Windows and Recall for improved efficiency and user experience.

The post AI in action: Unpacking our internal journey with Windows 11 and Copilot+ PCs appeared first on Inside Track Blog.

Sharing what we learned deploying our secure federal environment
http://approjects.co.za/?big=insidetrack/blog/sharing-what-we-learned-deploying-our-secure-federal-environment/
Thu, 01 Feb 2024 15:54:22 +0000

Microsoft Digital stories

At Microsoft, we serve a diverse range of customers, from individual users and large businesses to sovereign governments with specific regulatory requirements. Our platform products such as Microsoft Azure and our Microsoft 365 productivity suite perform extremely well for these different customer segments.

Underneath those broad strokes, we serve very specific, complex customers.

One set of such customers is in the federal sector, where the specific regulatory requirements of sovereign entities—such as the Department of Defense (DoD) in the US—require that we create highly secure environments that adhere to the Cybersecurity Maturity Model Certification (CMMC) standard. (CMMC is an intermediate cybersecurity certification for defense contractors that focuses on protecting controlled unclassified information through enhanced cyber hygiene practices.)

Building environments that meet the CMMC standard presents unique opportunities and challenges, especially when it comes to managing complex collaboration scenarios at scale while also ensuring the security of our customers’ confidential information.

To help us get this right, we build environments for our customers that employ our Zero Trust security model, which means operating on a “never trust, always verify” principle. This enables us to deliver secure platform tools, networks, elastic computing, and storage options. It also helps provide our customers with better collaboration and business operations tools.

This works for governments, their military and intelligence agencies, and goes beyond the high standards of our usual customers.

To specifically address these unique needs within Microsoft, we have created a specialized IT environment, called the Federal Government Operating Environment or Microsoft FedNet. Powered by Azure for Government and Microsoft 365 Government, this environment is carefully designed to match the complex requirements of our US Federal and US Defense Industrial Base clients.

Serving as Customer Zero

In this story, we’ll explain some of the unique challenges we faced internally as we implemented this “company within a company” to allow our employees to work easily across both our traditional corporate environment (CorpNet) and the more highly regulated environment (FedNet) that we use to support our US Federal customers.

We have a strong value around being Customer Zero for our products, so much so that we implement them the way we would suggest our customers use them, so we can experience the customer reality firsthand. While living on the edge of this innovation knife can be unsettling at times, it allows us to be first to encounter challenges our customers might face. As such, we become a valuable feedback loop back to our product teams, which speeds up the innovation cycle and lowers barriers to entry for actual customers.

Jason Zander, executive vice president of Strategic Missions and Technologies, led teams across the company to develop, launch, and improve our Microsoft Federal program, which serves important clients such as governments, their militaries, and intelligence agencies.

Cross function, cross company

At Microsoft, our commitment to creating a dedicated environment for highly regulated workloads was not just about establishing a separate space; it was about embodying a cloud-first and deeply integrated approach across our entire business spectrum. This strategic decision was pivotal in aligning our expansive scale with the nuanced demands of compliance-focused sectors.

To get this right, our comprehensive, multi-disciplinary strategy coalesced around rethinking our sales pipeline management, financial systems, modernizing commerce tools, refining our support services, and evolving our internal engineering practices. This cross-organizational synergy was crucial to ensure that every aspect of our business supported and benefited from this new initiative.

“It was absolutely essential that we deliver a product for our federal customers that met or exceeded the experience that our own team expected,” says Jason Zander, our executive vice president of Strategic Missions and Technologies. “This is the critical benefit of our Customer Zero approach to engineering—we live and breathe the product long before it reaches an external user. That gives us time to explore and refine the customer experience to be as good as can be.”

Embracing a growth mindset, we aimed to merge the insights gained from operating a $3 trillion company with our deep understanding of serving compliance-intensive customers. This fusion of scale and specialization was geared not only toward meeting existing needs but also toward innovating in novel and impactful ways.


Through this transformative journey, we have not only tailored our offerings to meet the stringent requirements of highly regulated sectors, but we have also significantly enhanced our overall business intelligence. By internalizing and refining our products early in their lifecycle, we ensure that our services not only align with but surpass the expectations of our most compliance-conscious customers, continuing our legacy as a global leader in technology solutions.

What does this mean in the real world?

In our journey to develop a more secure platform for internal use at Microsoft, we took an unconventional and immersive approach: we essentially created a new federal entity within our larger corporate organization, where the creators and users of the platform became one and the same. The team dedicated to building this secure environment began living their daily work lives inside FedNet, taking meetings in Microsoft Teams and collaborating on documents across Microsoft 365, and in doing so verified its functionality and reliability firsthand.

“Our workday began by signing in to this secure environment, using Microsoft 365 applications for our daily tasks, and collaborating through Teams,” says Dwight Jones, a principal product manager on the Microsoft Federal team in Microsoft Digital (MSD), our IT division. “This wasn’t just a separate project; it was a complete shift in our work environment. We effectively isolated ourselves within a secure bubble, distinct from the rest of Microsoft, to ensure we could operate seamlessly as an independent entity.”

This shift represented a significant change in our corporate experience.

By standing up dedicated tenants in Microsoft 365 Government Community Cloud High (GCC High) on Azure Government, we created what we call "Microsoft Federal": a company within a company. This bold move came with its own set of challenges, but it was essential. It enabled us to not just theorize but practically test and enhance our FedNet solution in real-world conditions, ensuring its effectiveness for our sovereign customers.

Such an approach was pivotal in validating the reliability and security of our solution. It allowed us to experience the challenges our customers might face and address them proactively. Ultimately, this real-world experiment was more than just a test; it was a commitment to delivering a product that we ourselves could rely on and trust, setting a new standard in our offerings to highly regulated sectors.


Getting security right

The key distinction between our traditional business and our Federal business model lies in the stringent regulatory constraints set by agencies such as the US Department of Defense, including adherence to CMMC Level 2. Our FedNet environment is designed to not just meet but exceed these standards. In fact, our FedNet implementation achieved a perfect score in a voluntary CMMC assessment (see "Microsoft Federal Successfully Completes Voluntary CMMC Assessment"), reflecting our security team's commitment to the highest standards across a broad range of customer requirements.

“Microsoft Federal is a prime example of the potential in public-private partnerships,” Zander says. “We bring our expertise to key government organizations, offering them advanced, secure solutions to succeed in their missions. Together, we’re shaping the future of network security.”

To align with our Zero Trust principles in FedNet, we started by strengthening device endpoint security using a combination of Microsoft Entra Conditional Access and Azure Virtual Desktop (AVD). Conditional Access evaluates every sign-in against device and identity signals before granting access, and AVD provides our teams with secure, controlled virtual access to standard collaboration and productivity capabilities, a shift from the traditional physical machine setup in our corporate environment.

While aligning with our cloud-first strategy, this transition posed challenges.

The virtual environment offers less flexibility than a commercially managed machine, particularly in software installation. In our commercial environment, users can install a variety of first- and third-party applications to stay productive. To comply with the stricter regulations, we tightly control which applications can be installed on the virtual client: each piece of software has to be security cleared through our Security Portal for Assessment, Consulting and Engineering (ACE) tool, and we had to create controlled processes to qualify each piece of software we deployed in our FedNet environment.
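As an added illustration of the Conditional Access half of that pattern (this is example code, not Microsoft Digital's actual FedNet policy, which the story does not publish), the snippet below uses the Microsoft Graph PowerShell SDK to create a policy that requires both multifactor authentication and a compliant, Intune-managed device for every cloud app. It is created in report-only mode so its impact shows up in sign-in logs before anyone is blocked. The break-glass account object ID is a placeholder that must be replaced with a real emergency-access account.

```powershell
# Added example: Conditional Access policy requiring MFA plus a compliant device.
# Requires the Microsoft.Graph PowerShell SDK and a signed-in admin with the
# Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of an emergency-access (break-glass) account. Every
# Conditional Access rollout should exclude at least one such account so a
# misconfigured policy cannot lock every administrator out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "FedNet - Require MFA and compliant device (report-only)"
    # Report-only: evaluated and logged, but not enforced. Change to "enabled"
    # after reviewing sign-in logs for unintended blocks.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: the sign-in must satisfy every listed control, not just one.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

The compliantDevice control is only satisfiable by devices enrolled in Intune (or another device-management service integrated with Microsoft Entra), so the policy has to be paired with device enrollment; the report-only stage is where you find the users and devices that would otherwise be locked out once the policy is switched to enabled.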


Dwight Jones, principal product manager on the Microsoft Federal team in Microsoft Digital (MSD), was one of a number of Microsoft employees heavily involved in deploying an internal version of FedNet at Microsoft. Jones led MSD’s program, engineering, and support efforts to onboard and scale the secure collaboration environment across Microsoft 365.

Getting to product parity

Returning to the internal team charged with deploying a version of this platform inside the company: our Microsoft Federal users need more than robust compute platforms and Zero Trust technology. They require the same modern communication and productivity tools as any other employee to manage daily operations effectively. Despite the different security controls, essential tools like Microsoft Teams and Microsoft Outlook must work just as reliably for our Microsoft Federal users as they do for our CorpNet users.

Take Microsoft Teams meetings, for example.

“Teams is the lifeblood of collaboration at Microsoft; even a few-second delay in a Teams call hosted in our AVD environment can significantly disrupt the experience for our users in Microsoft Federal, just as it would for any other user,” Jones says.

Such technical issues, if unresolved, could hinder business operations and negatively affect how users perceive our products. We recognized the need to improve how Teams integrates with AVD, which highlighted opportunities to accelerate quality-of-service features across both products that, once implemented, would quickly flow down to all users of these services.

The complexity of managing change

Not surprisingly, we found that managing change and expectations was as significant a challenge as the technical blockers. The biggest hurdle became managing the cognitive shift when moving between environments, rather than closing technical gaps. For instance, implementing data loss prevention through document labeling was optional in our commercial environment but mandatory in FedNet to comply with CMMC requirements. This necessitated a new approach to data handling and required significant adjustments from our users. Training users on the rationale and procedures for data handling was critical to overcoming this barrier to entry for new users.


Experiment, learn, adjust, grow

After establishing the basic functionality needed for our Microsoft Federal employees to most closely match the experience of their counterparts in the larger Microsoft organization, our focus shifted to optimizing the environment. This entailed refining existing solutions and introducing the latest innovations Microsoft is known for.

It was all about feature parity.

“Our Microsoft Federal environment, while more secure, should not lack any functionality or features compared to the civilian version,” Jones says.

A standout feature attracting global corporate interest in FedNet is Microsoft Teams Rooms. This innovative setup combines built-in screens, modern video cameras, eye-tracking technology, and Zero Trust security to revolutionize meeting experiences in Microsoft Teams, specifically tailored for our Microsoft Federal product.


“Secure Teams Rooms is exactly what our internal Microsoft Federal users, and indeed any organization, would desire,” Jones says.

Following this, we began a pilot rollout of Microsoft Teams Rooms in select secure locations, with plans to extend this enriched experience to all employees in the Microsoft Federal environment. By using the same technologies they provide to customers, our employees gain valuable insights and experiences, enhancing their ability to support customers deploying Microsoft Teams Rooms in their organizations.

“Serving some of the world’s most security-conscious customers grants us unique experiences and insights that benefit our entire business,” Zander says. “With exciting features and products, many fueled by Microsoft’s AI innovations, we’re charting a bright future for all our customers, including those in Microsoft Federal. This is how we fulfill our mission to empower every person and organization on the planet to achieve more.”

Microsoft Federal and our experience building a company within a company exemplifies our commitment to empowering customers with secure, compliant, and innovative solutions. By harnessing technologies like Microsoft Teams, Azure, and Microsoft 365, we’re setting new standards for collaboration and security in government and beyond.

Key Takeaways

Here are some things to think about as you consider beefing up your security with a product like our FedNet solution:

  • Zero Trust is now relevant to everyone: Hybrid work, cloud migration, and increased threats make taking a Zero Trust approach to security a prudent consideration in every organization.
  • Lack of leadership alignment is the biggest obstacle to driving Zero Trust agendas: Leadership alignment is critical to driving Zero Trust agendas. It’s important to ensure that all stakeholders are aligned with the Zero Trust vision and understand how it fits into the broader security strategy. This includes executive leadership, IT teams, security teams, and other business units.
  • Zero Trust architecture requires holistic, integrated thinking: Zero Trust architecture requires a holistic, integrated approach that spans people, processes, and technology. It’s important to have a clear understanding of your organization’s assets, data flows, and user behaviors in order to design an effective Zero Trust architecture.

Try it out
Learn more about our Microsoft Federal program and offerings.


The post Sharing what we learned deploying our secure federal environment appeared first on Inside Track Blog.

Transforming data governance at Microsoft with Microsoft Purview and Microsoft Fabric
http://approjects.co.za/?big=insidetrack/blog/transforming-data-governance-at-microsoft-with-microsoft-purview-and-microsoft-fabric/
Tue, 19 Sep 2023 18:40:34 +0000

Microsoft Digital technical stories

Data is an invaluable asset for all businesses. Over recent years, the exponential growth of data collection and ingestion has forced most organizations to rethink their strategies for managing data. Increasing compliance requirements and ever-changing technology prevent anyone from simply leaving their enterprise data in its current state.

We’re accelerating our digital transformation with an enterprise data platform built on Microsoft Purview and Microsoft Fabric. Our solution addresses three essential layers of data transformation:

  • Unifying data with an analytics foundation
  • Responsibly democratizing data with data governance
  • Scaling transformative outcomes with intelligent applications

As a result, we’re creating agile, regulated, and business-focused data experiences across the organization that accelerate our digital transformation.


Accelerating responsible digital transformation

Digital transformation in today’s world is not optional. An ever-evolving set of customer expectations and an increasingly competitive marketplace prohibit organizations from operating with static business practices. Organizations must constantly adapt to create business resilience, improve decision-making, and increase cost savings.

Data is the fuel for digital transformation. The capability of any organization to transform is directly tied to how effectively they can generate, manage, and consume their data. These data processes—precisely like the broader digital transformation they enable—must also transform to meet the organization’s needs.

The Enterprise Data team at Microsoft Digital builds and operates the systems that power Microsoft’s data estate. We’re well on our way into a journey toward responsibly democratizing the data that drives global business and operations for Microsoft. We want to share our journey and give other organizations a foundation—and hopefully a starting point—for enabling their enterprise data transformation.

Seizing the opportunity for data transformation

Data transformation focuses on creating business value. Like any other organization, business value drives most of what we do. As Microsoft has grown and evolved, so has our data estate.


At the genesis of our data transformation, we were in the same situation many organizations find themselves in. Digital transformation was a top priority for the business, and our data estate couldn’t provide the results or operate with the agility the business required.

We felt stuck between two opposing forces: maintaining controls and governance that helped secure our data and the pressure from the business to move fast and transform our data estate operations to meet evolving needs.

“Our data was in silos,” says Damon Buono, head of enterprise governance for Microsoft. “Various parts of the organization were managing their data in different ways, and our data wasn’t connected.”

As a result, a complete perspective on enterprise-wide data wasn’t readily available. It was hard to implement controls and governance across these silos, and implementing governance always felt it was slowing us down, preventing us from supporting digital transformation at Microsoft at the required pace.

“We needed a shared data catalog to democratize data responsibly across the company,” Buono says.

Transforming data: unify, democratize, and create value

Transforming our data estate fundamentally disrupted how we think about and manage data at Microsoft. With our approach, examining data at the top-level organization became the default, and we began to view governance as an accelerator of our transformation, not a blocker. As a result of these two fundamental changes, our data’s lofty, aspirational state became achievable, and we immediately began creating business value.

Our enterprise data platform is built on three essential layers of data transformation: unifying data with an analytics foundation, responsibly democratizing data with data governance, and scaling transformative outcomes with intelligent applications.

Unifying data with an analytics foundation

Establishing and adopting strong governance standards has helped Microsoft democratize access to data, says Damon Buono, head of enterprise governance for Microsoft. “When data is adequately democratized—safely accessible by everyone who should access it—transformation is accelerated,” Buono says.

Unified data is useful and effective data. Before our data transformation, we recognized the need to unify the many data silos present in the organization. Like many businesses, our data has evolved organically. Changes over the years to business practices, data storage technology, and data consumption led to increased inefficiencies in overall data use.

Analytics are foundational to the remainder of the data transformation journey. Without a solid and well-established analytics foundation, it’s impossible to implement the rest of the data transformation layers. A more centralized source of truth for enterprise data creates a comprehensive starting point for governance and creating business value with scalable applications.

With Microsoft Fabric at the core, our analytics foundation unifies data across the organization and allows us to do more with less, which, in turn, decreases data redundancy, increases data consistency, and reduces shadow IT risks and inefficiencies.

“It connects enterprise data across multiple data sources and internal organizations to create a comprehensive perspective on enterprise data,” Buono says.

Microsoft Fabric ensures that we’re all speaking the same data language. Whether we’re pulling data from Microsoft Azure, multi-cloud, or our on-premises servers, we can be confident that our analytics tools can interpret that data consistently.

Functionally, this reduces integration and operation costs and creates a predictable and transparent operational model. The unity and visibility of the analytics foundation then provide the basis for the rest of the transformation, beginning with governance.

Responsibly democratizing data with data governance

Data can be a transformative asset to the organization through responsible democratization. The goal is to accelerate the business through accessibility and availability. Democratizing data is at the center of our governance strategy. Data governance plays an active role in data protection and complements the defensive posture of security and compliance. With effective governance controls, all employees can access the data they need to make informed decisions regardless of their job function or level within the organization. Data governance is the glue that combines data discovery with the business value that data creates.

It’s critical to understand that governance accelerates digital transformation in the modern data estate. Governance can feel like a burden and a blocker across data access and usage scenarios, but that is usually because it is being applied without a unified data strategy; effective and efficient governance is impossible without one. This is why many organizations treat data governance like a millstone around their neck. They struggle to harness the power of their data because they lack a data strategy and lack alignment across leadership teams to improve their data culture.

In the Microsoft Digital data estate, governance lightens the load for our data owners, administrators, and users. Microsoft Purview helps us to democratize data responsibly, beginning with our unified analytics foundation in Microsoft Fabric. With a unified perspective on data and a system in place for understanding the entire enterprise estate, governance can be applied and monitored with Purview across all enterprise data, with an end-to-end data governance service that automates the discovery, classification, and protection of sensitive data across our on-premises, multi-cloud, and SaaS environments.

“The governance tools that protect and share any enterprise data are transparent to data creators, managers, and consumers,” Buono says. “Stakeholders can be assured that their data is being shared, accessed, and used how they want it to be.”


Responsible democratization encourages onboarding and breaks down silos. When data owners are confident in governance, they want their data on the platform, which drives the larger unification and governance of enterprise-wide data.

Scaling transformative outcomes with intelligent applications

The final layer of our data transformation strategy builds on the previous two to provide unified, democratized data to the applications and business processes used every day at Microsoft. These intelligent applications create business value. They empower employees, reduce manual efforts, increase operational efficiencies, generate increased revenue, and contribute to a better Microsoft.

How we transformed: iteration and progression

Microsoft Purview and Microsoft Fabric are enabling the company to rethink how we use data internally at Microsoft, says Karthik Ravindran, a general manager who leads data governance for the Microsoft Security group.

While the three layers provide a solid structure for building a modern data platform, they provide value only if implemented. Actual transformation happens in the day-to-day operations of an organization. We transformed by applying these layers to our business groups, data infrastructure, and even our cultural data approach at Microsoft Digital.

“Our success begins with an iterative approach to data transformation,” says Karthik Ravindran, a general manager who leads data governance for the Microsoft Security group. “We started small, with projects that were simple to transform and didn’t have a critical impact on our business.”

These early projects provided a testing ground for our methods and technology.

“We quickly iterated approaches and techniques, gathering feedback from stakeholders as we went,” Ravindran says. “The results and learnings from these early implementations grew into a more mature and scalable platform. We were able to adapt to larger, more complex, and more critical sections of our data estate, tearing down larger data silos as we progressed.”

To understand how this worked, consider the following examples of our transformation across the organization.

Transforming marketing

The Microsoft Global Demand Center supports Microsoft commercial operations, including Microsoft Azure, Microsoft 365, and Dynamics 365. The Global Demand Center drives new customer acquisition and builds the growth and adoption of Microsoft products.

The Global Demand Center uses data from a broad spectrum of the business, including marketing, finance, sales, product telemetry, and many more. The use cases for this data span personas from any of these areas. Each internal Microsoft persona—whether a seller, researcher, product manager, or marketing executive—has a specific use case. Each of these personas engages with different customers to provide slightly different outcomes based on the customer and the product or service. It’s an immense swath of data consumed and managed by many teams for many purposes.

The Global Demand Center can holistically manage and monitor how Microsoft personas engage with customers by converging tools into the Microsoft Digital enterprise data platform. Each persona has a complete picture of who the customer is and what interactions or engagements they’ve had with Microsoft. These engagements include the products they’ve used, the trials they’ve downloaded, and the conversations they’ve had with other internal personas throughout their lifecycle as a Microsoft customer.

The enterprise data platform provides a common foundation for insights and intelligence into global demand for our products. The platform’s machine learning and AI capabilities empower next actions and prioritize how the Global Demand Center serves personas and customers. Moving the Global Demand Center toward adopting the enterprise data platform is iterative. It’s progressive onboarding of personas and teams to use the toolset available.

The adoption is transforming marketing and sales across Microsoft. It’s provided several benefits, including:

  • More reliable data and greater data quality. The unification of data and increased governance over the data create better data that drives better business results.
  • Decreased data costs. Moving to the enterprise data platform has reduced the overall cost compared to managing multiple data platforms.
  • Increased agility. With current and actionable data, the Global Demand Center can respond immediately to the myriad of daily changes in sales and marketing at Microsoft.

Improving the employee experience

Employee experience is paramount at Microsoft. The Microsoft Digital Employee Experience team is responsible for all aspects of the employee experience. They’re using the enterprise data platform to power a 360-degree view of the employee experience. Their insights tool connects different data across Microsoft to provide analytics and actionable insights that enable intelligent, personalized, and interconnected experiences for Microsoft employees.

The employee experience involves many data points and internal departments at Microsoft. Previously, when data was managed and governed in silos, it was difficult to build data connections to other internal organizations, such as Microsoft Human Resources (Microsoft HR). With the enterprise data platform, the Employee Experiences team can access the data they need within the controls of the platform’s governance capabilities, which gives the Microsoft HR department the stewardship and transparency they require.

The enterprise data platform creates many benefits for the Employee Experiences team, including:

  • Coordinated feature feedback and implementation. All planned software and tools features across Microsoft align with employee feedback and practical needs obtained from the enterprise data platform.
  • Better detection and mitigation of issues. Intelligent insights help Employee Experiences team members identify new and recurring issues so they can be mitigated effectively.
  • Decreased costs. The efficiencies created by using the enterprise data platform reduce engineering effort and resource usage.

Creating greater sustainability in operations

Microsoft Sustainability Operations supports efforts to increase global sustainability for Microsoft and minimize environmental impact. Sustainability Operations is responsible for environmental efforts across the organization, including waste, water, and carbon management programs.

Their internal platform, the Microsoft Cloud for Sustainability, is built on the enterprise data platform. It leverages the unified analytics and governance capabilities to create important sustainability insights that guide Sustainability Operations efforts and programs.

These insights are combined in the Microsoft Environmental Sustainability Report. This report contains 20 sections detailing how Microsoft works to minimize environmental impact. The report includes sections for emissions, capital purchases, business travel, employee commuting, product distribution, and managed assets, among others.

To provide the data for this report, Sustainability Operations has created a data processing platform with the Microsoft Cloud for Sustainability that ingests and transforms data from Microsoft Operations into a data repository. The unified data enables the team to create reports from many different perspectives using a common data model that enables quick integration.


The Microsoft Environmental Sustainability Report supports decision-making at the enterprise and business group levels, enabling progress tracking against internal goals, forecasting and simulation, qualitative analysis of environmental impact, and compliance management at both levels. These tools allow Microsoft Sustainability Operations to discover and track environmental hotspots across the global enterprise more frequently and with more precision. Using these insights, they can drive changes in operations that create more immediate and significant reductions in environmental impact.

Implementing internal data governance

Governance has been a massive part of our journey. Realizing that governance is an accelerator of transformation has radically changed our approach to it. Understanding who is accessing data, what they're accessing, and how they're accessing it is critical to ensuring controlled and measured access. It also creates the foundation for building transparency into the enterprise data platform, growing user confidence, and increasing adoption.

“Governance is central to the effective democratization of data, and when data is adequately democratized—safely accessible by everyone who should access it—transformation is accelerated,” Buono says. “Modern governance is achievable using automated controls and a self-service methodology, enabling immediate opportunity to create business value.”

Our governance strategy uses data standards and models with actionable insights to converge our entire data estate, which spans thousands of distinct data sources. We built our approach to data governance on some crucial learnings:

  • Evidence is critical to driving adoption and recruiting executive support.
  • Automated data access and a data catalog are critical to consolidating the data estate.
  • Data issue management can provide evidence, but it doesn’t scale well.
  • A centralized data lake, scorecards for compliance, and practical controls help create evidence for governance in large enterprises.

Key Takeaways

We continue to drive the adoption of the enterprise data platform at Microsoft. As we work toward 100 percent adoption across the enterprise, we generate efficiencies and reduce costs along the way. The iterative nature of our implementation means we've been able to move quickly and with agility, improving our processes as we go.

We’re really very excited about where we are now with Purview, Fabric, and the entire suite of tools we now have to manage our data here at Microsoft. They are helping us rethink how we use data internally here at Microsoft, and we’re just getting started.

—Karthik Ravindran, general manager, data governance, Microsoft Security group

We’re also supporting organizational alignment and advocacy programs that will increase adoption. These programs include an internal data governance management team to improve governance, an enterprise data education program, and a training program for the responsible use of AI.

As our enterprise data estates expand and diversify, tools like Microsoft Purview and Microsoft Fabric have become indispensable in ensuring that our data remains an asset, not a liability. These tools offer a compelling solution to the pressing challenges of governing and protecting the modern data estate through automated discovery, classification, and a unified approach to hybrid and multi-cloud deployments.

“We’re really very excited about where we are now with Purview, Fabric, and the entire suite of tools we now have to manage our data here at Microsoft,” Ravindran says. “They are helping us rethink how we use data internally here at Microsoft, and we’re just getting started.”


The post Transforming data governance at Microsoft with Microsoft Purview and Microsoft Fabric appeared first on Inside Track Blog.

Deploying Microsoft Teams across Microsoft hinged on good governance http://approjects.co.za/?big=insidetrack/blog/the-key-to-rolling-out-microsoft-teams-on-home-turf-good-governance/ Tue, 11 Jul 2023 14:16:05 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=4194 [Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.] When Microsoft moved to Microsoft Teams for all communications, it needed a good plan. More than 250,000 […]

The post Deploying Microsoft Teams across Microsoft hinged on good governance appeared first on Inside Track Blog.

Microsoft Digital stories

[Editor's note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we're republishing it here so you can see what our thinking and experience was like at the time.]

When Microsoft moved to Microsoft Teams for all communications, it needed a good plan.

More than 250,000 employees and licensed vendors would be affected by the shift, as would 600,000 guests that the company collaborates with on a regular basis.

The one thing we had to get right to make sure our company-wide transition to Teams was successful was to deploy the governance framework that comes with Microsoft 365.

~David Johnson, principal program manager, Microsoft 365 product strategy and development for Microsoft Digital

Too much was at stake to allow anything to go wrong.

“The one thing we had to get right to make sure our company-wide transition to Teams was successful was to deploy the governance framework that comes with Microsoft 365,” says David Johnson, who leads Microsoft 365 product strategy and deployment governance inside Microsoft Digital. “Governance was critical.”

Mission accomplished.

Microsoft Teams has been the company’s collaboration platform for more than two years. With a full set of communications capabilities, including chat, voice and video meetings, and calling, Microsoft Teams has become the place where employees work all the time, especially as they work remotely due to COVID-19.

Governance refers to the policies, roles, responsibilities, and processes that a company like Microsoft uses to help ensure its IT resources are deployed and managed effectively, and that data security and compliance standards are in place, while still allowing employees to get their work done. An effective governance framework can streamline deploying solutions like Microsoft Teams, ensure all systems are secure and compliant, and generally make sure the company's technology does what it's supposed to do.

“Our foundation for Microsoft 365 and Microsoft Teams governance within Microsoft is tied to how we manage and govern Microsoft 365 Groups inside the company,” Johnson says. “Groups are the common layer under Teams, SharePoint team sites, Yammer Communities, Outlook groups, and a lot more.”

Put simply, governance is setting things up so people can be their most productive selves.

“We want to let our employees do their thing, but we want to make sure we give them guardrails and watch for things that could get them in trouble,” Johnson says.

Click the video to watch Johnson's "How Microsoft manages Microsoft 365 Groups for its employees" presentation at Microsoft Ignite.

The deployment of Microsoft Teams was a success in large part because the Microsoft Digital team relied on the governance framework they designed for the Microsoft 365 workloads they had already deployed internally, says Emily Kirby, who was a program manager on Microsoft Digital’s Microsoft Teams deployment team when rolling it out across the company.

“Because we had previously established governance for Microsoft 365 services, such as SharePoint, OneDrive, OneNote, Word, and other apps, those policies and guidelines were able to smoothly carry over to Teams,” Kirby says. “What makes Teams unique within Microsoft 365 and as a platform overall is that, during our deployment, it worked like an intelligent shell. Teams automatically inherited the permissions and policies set for the other services so that, for example, when people work on files in Teams, or use other Microsoft 365 services within Teams, they work within the governance parameters of those other services.”

[Learn more about how Microsoft Digital used Microsoft Azure's governance toolset to enable enterprise-scale governance design and compliance enforcement across the company's entire Azure environment.]

Governing collaborative employees

Microsoft Teams is a hub for teamwork that enables people to work together by bringing chat, calling, meetings, files, and Microsoft 365 and third-party apps together in one place, Johnson says. Because it’s built on Microsoft 365, Microsoft Teams is part of a common underlying data graph that unifies all Microsoft 365 products and services. This ultimately enables AI and machine learning to help people easily accomplish tasks and focus on what matters most.

However, making this kind of unfettered collaboration work while also protecting the company requires security measures smart enough to control access based on need, to recognize and disable broad access when a team no longer needs a set of information, and to help Microsoft Digital quickly identify and fix security issues when they pop up.

Microsoft Digital has partnered with the Microsoft 365 product group to inform the development of Microsoft 365 governance capabilities for all customers.

The partnership between the two has helped simplify the company’s thinking.

“Our thinking around governance is evolving,” Johnson says. “We’ve seen first-hand the difference it makes to have a well-developed governance framework in place for every service we roll out.”

One of the big insights was that delivering a unified approach to governance that runs across all Microsoft 365 services would simplify and strengthen the company’s overall approach, he says. When you handle the security of Microsoft Teams, Microsoft OneNote, Microsoft Word, and all the other Microsoft 365 products in exactly the same way on top of the same underlying graph, there are far fewer breakdowns, seams exposed, or other ways for things to go wrong.

“All of the things employees do at work are coming together in a common construct,” Johnson says. “It makes it so we only need to secure everything once, whether it be bridge auditing, establishing policies to protect data, labeling groups, and so on.”
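The guardrails described above (scope access by need, retire broad access when a team goes quiet, surface groups nobody can review) can be expressed as a small policy check over a group inventory. The script below is an added example written for this page, not Microsoft Digital's tooling; the inventory rows are constructed, and the field names, label names, and 180-day inactivity window are assumptions rather than Microsoft Graph properties or Microsoft's actual settings.

```python
"""Governance checks over a constructed Microsoft 365 Groups inventory.

Added example, not Microsoft Digital's code. The rows in SAMPLE_GROUPS are
constructed for illustration; field names are assumptions, not Microsoft
Graph API properties. The rules model the guardrails the post describes:
a label that forbids guest members (access scoped by need), an inactivity
threshold that retires a group's broad access (as a group expiration policy
would), and an ownerless check, since a group with no owner has nobody to
approve, renew, or review it.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Labels whose groups must not contain guest (external) members.
# Assumed label names; real tenants define their own sensitivity labels.
NO_GUEST_LABELS = {"Confidential", "Highly Confidential"}


@dataclass
class Group:
    id: str
    name: str
    label: str            # sensitivity label applied to the group
    owners: list          # owner UPNs
    guests: list          # UPNs of external (guest) members
    last_activity: date   # most recent chat, file, or meeting activity


def evaluate_groups(groups, today, inactivity_days=180):
    """Return sorted (group_id, finding) pairs; an empty list means compliant.

    Findings:
      ownerless                   no owner left to review or renew the group
      guests-in-restricted-group  guest members in a group whose label forbids them
      expire-inactive             no activity within inactivity_days of today
    """
    findings = []
    cutoff = today - timedelta(days=inactivity_days)
    for g in groups:
        if not g.owners:
            findings.append((g.id, "ownerless"))
        if g.label in NO_GUEST_LABELS and g.guests:
            findings.append((g.id, "guests-in-restricted-group"))
        if g.last_activity < cutoff:
            findings.append((g.id, "expire-inactive"))
    return sorted(findings)


# Constructed sample inventory (not real groups or people).
SAMPLE_GROUPS = [
    Group("g-001", "Payroll Project", "Confidential",
          ["alice@contoso.example"], ["bob@partner.example"], date(2021, 3, 1)),
    Group("g-002", "Lunch Club", "General",
          [], [], date(2020, 6, 1)),
    Group("g-003", "Field Sales", "General",
          ["carol@contoso.example"], ["dan@partner.example"], date(2021, 3, 10)),
]


def sample_findings():
    """Run the checks over the constructed inventory as of 2021-04-01."""
    return evaluate_groups(SAMPLE_GROUPS, today=date(2021, 4, 1))


if __name__ == "__main__":
    for group_id, finding in sample_findings():
        print(group_id, finding)
```

Run as a script it reports the Confidential group that has a guest member, and the ownerless, inactive group twice (once per rule); the General group with a guest is allowed, because its label does not restrict external access. In a real tenant the inventory would come from a directory export, and the actions would map to an expiration policy, an ownership prompt, and a label-based guest restriction rather than to printed findings.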

That’s the beauty of it. We got to take all of the goodness of SharePoint governance, all the security inside OneDrive, all of the learnings that have been applied to the entire Microsoft graph—we got to absorb all of that into Teams.

~Emily Kirby, program manager on Microsoft Digital’s Microsoft Teams deployment team

It’s that kind of thinking that grounded the team that deployed Microsoft Teams across the company, Kirby says.

“That’s the beauty of it,” she says. “We got to take all of the goodness of SharePoint governance, all the security inside OneDrive, all of the learnings that have been applied to the entire Microsoft graph—we got to absorb all of that into Teams.”

Smart search needs good governance

Giving employees the ability to create and collaborate with others is core to Microsoft Digital's mission, and protecting the company's assets goes hand in hand with that, Johnson says.

He says the team has been working to optimize legal and retention capabilities, so data is preserved for only as long as needed while not losing things that will be needed in the future.

Microsoft also wants to work on making it easier for employees to collaborate with customers and partners outside of the company, on onboarding new products and processes, and on transforming search so employees can find whatever information they’re looking for no matter where it resides. This includes using AI and machine learning to do things like suggest and rank relevant search results that the employee might not otherwise come across.

“If you don’t have good governance, then you can’t do these things,” Johnson says.
