Microsoft 365 - Stay In Control!
In this guest article, Jörg Schanko, Managing Director of Konverion UG (haftungsbeschränkt), presents his tool, the Microsoft 365 Checker, which helps works councils monitor changes to Microsoft products and assess whether they affect data security.
Microsoft 365 is an exceptionally comprehensive and complex platform that many organizations use as the basis for all communication and collaboration, both internally and with customers and partners.
This complexity is further increased by the so-called "evergreen" approach: Microsoft no longer releases new functions and enhancements at fixed intervals but rolls them out as soon as they are complete.
Regular Review of TOMs
The scope and pace brought on by this approach pose new challenges not only for IT departments. Works councils in particular are confronted with the seemingly insurmountable task of monitoring compliance with company agreements on Microsoft 365 once they have been concluded – since the configurations these agreements cover are subject to change, monitoring must be done continuously and often during ongoing operations. Data protection officers share this fate. After all, the EU General Data Protection Regulation obliges organizations to regularly check and document all technical and organizational measures (TOMs) for the protection of personal data.
The Microsoft 365 Checker
To provide assistance here, we have developed the "Microsoft 365 Checker". With its help, all configurations relevant to co-determination from the various Microsoft 365 components (Azure Active Directory, Security, Compliance, Exchange, Teams...) can be read out and documented. And that without in-depth Microsoft 365 knowledge!
And here's how:
First, you define one or more templates in which you specify which configurations are to be read out.
After the template is saved, you can create reports based on it, which are stored in a local, encrypted database.
Good to know: Microsoft 365 Checker uses PowerShell "under the hood" to do this, the same technology administrators use to manage complex environments.
By its nature, the information read out is very technical. It is therefore recommended that the initial report be discussed between the works council or data protection officer and IT.
If all settings are as specified, for example, in the company agreement on Microsoft 365, mark the report as a "comparison basis". Reports that are created at a later date can then simply be compared with this basis. If there are discrepancies between the reports, the corresponding areas will be highlighted.
This way, you get a quick overview of whether anything has changed in the meantime and, if so, what. All reports and comparisons can also be exported as a Word document.
If a group of companies shares a common Microsoft 365 tenant (client), the reports can be configured so that each company sees only the personal data of those employees for whom it is responsible. This allows data protection to be ensured during the monitoring itself.
Secure Internal Transmission of Reports
To be able to create a report, you need a user account in Azure Active Directory that has the necessary permissions (usually the "Global Reader" and "Security Reader" roles). If these permissions cannot be granted directly to the monitoring body, the reports can also be created centrally by IT and made available via export. The export files are encrypted and accompanied by a hash value so that any change to the content can be detected.
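As an added illustration of the two mechanisms described above (comparing a later report against a marked comparison basis, and verifying an exported file against its hash), here is a small PowerShell script. It is not the Microsoft 365 Checker's own code; the setting names and values are constructed for the example, and only built-in cmdlets are used.

```powershell
# Constructed snapshots of a few tenant settings (names and values are made up
# for illustration; a real tool would read them out via the Microsoft 365 modules).
$Baseline = [ordered]@{
    'AAD.SecurityDefaultsEnabled'     = $true
    'Exchange.MailboxAuditDisabled'   = $false
    'Teams.AllowGuestAccess'          = $false
    'Compliance.RetentionPolicyCount' = 3
}
$Current = [ordered]@{
    'AAD.SecurityDefaultsEnabled'     = $true
    'Exchange.MailboxAuditDisabled'   = $true
    'Teams.AllowGuestAccess'          = $true
    'Compliance.RetentionPolicyCount' = 3
}

# Compare a later report against the comparison basis; settings that were
# added, removed or changed are flagged so they can be highlighted.
function Compare-TenantSnapshot {
    param(
        [System.Collections.IDictionary]$Basis,
        [System.Collections.IDictionary]$Report
    )
    $keys = @($Basis.Keys) + @($Report.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        $old = if ($Basis.Contains($k))  { $Basis[$k] }  else { '<missing>' }
        $new = if ($Report.Contains($k)) { $Report[$k] } else { '<missing>' }
        [pscustomobject]@{
            Setting  = $k
            Baseline = $old
            Current  = $new
            Changed  = ("$old" -ne "$new")
        }
    }
}

$Comparison = Compare-TenantSnapshot -Basis $Baseline -Report $Current
$Comparison | Where-Object Changed | Format-Table -AutoSize

# Export the comparison and record a SHA-256 hash beside it.
$Path = Join-Path $env:TEMP 'm365-comparison.json'
$Comparison | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
$Hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
"$Hash  $(Split-Path $Path -Leaf)" | Set-Content -Path "$Path.sha256"

# Recipient side: recompute the hash and refuse the file if it does not match.
$Expected = (Get-Content "$Path.sha256").Split(' ')[0]
$Actual   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($Actual -ne $Expected) { throw "Exported report has been modified" }
```

A hash only detects modification if it reaches the recipient separately from the file it protects, for example over a different channel or inside a signed message.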
In general, the Microsoft 365 Checker provides a monitoring option that is simple and time-saving for all parties.