Embed Size (px)
Citation preview
Govern 365 – Tenant Signup Guide
A Product by Netwoven
Tenant Signup Guide
DOCUMENT VERSION 2.0
NoticesThis document is classified as “Customer Ready” and is intended for use by Govern 365 customers only.
This document is subject to change at any time and is contingent on the evolution of the product. Changes shall be made at the sole discretion of Netwoven. This document is included as Govern 365 “SaaS Materials”.
This document and the solution it describes, are protected by copyrights in accordance with applicable laws.
Copyright © Netwoven Inc 2019. All rights reserved.
Table of Contents1 Introduction..........................................................................................................52 New Tenant Sign Up.............................................................................................5
2.1 Register and Provide Consent........................................................................53 Completing Signup...............................................................................................74 Additional Configuration.....................................................................................11
4.1 Configure Security Classification.................................................................114.1.1 Configure Security Classification...........................................................11
4.2 Configure Prerequisites for Content Inventory and Reporting.....................134.2.1 Configure Inventory Data Storage Account in Azure.............................134.2.2 Configure Inventory Data Collection......................................................164.2.3 Collection of Inventory Data..................................................................17
4.3 Configure Inventory Reports........................................................................184.3.1 Power BI Setup......................................................................................184.3.2 Change Data Source to Azure Storage account.....................................184.3.3 Alternate approach to connect to a different data source.....................204.3.4 Enhance Power BI Report......................................................................21
4.4 Configure Disposition Flow...........................................................................234.4.1 Download and Import Flow.zip...............................................................234.4.2 Configure Actionable Email for Disposition Flow....................................314.4.3 Configure Flow.......................................................................................344.4.4 Install SPFX package..............................................................................35
4.5 Configure Provisioning Requests Approval Flow..........................................354.5.1 Download and Import Flow.zip...............................................................354.5.2 Configure Flow.......................................................................................36
4.6 Configure Re-certification Flow....................................................................414.6.1 Download and Import Flow.zip...............................................................414.6.2 Configure Flow.......................................................................................41
1 IntroductionFirstly, thank you very much for your interest in Govern 365. Your attention to the balance between maintaining the appropriate administrative control and providing a seamless user experience in Office 365 is essential to the long-term success of your modern workplace transformation initiative and we are ecstatic to help you along the path!
Although we have invested a considerable amount of time and thought into streamlining, automating and making intuitive the new tenant sign-up process, we understand that a little more information can help. This document is intended as an accompanying guide to clarify and enumerate the details as well as help you successfully complete your sign-up process. If you have any questions at any point during the process, please don’t hesitate to reach out [email protected].
2 New Tenant Sign UpPlease make sure that the user performing the sign-up process has the Office 365 Global Administrator role.
2.1 Register and Provide Consent
1. Go to https://www. govern365.com and click on the “Start a Free Trial” button. Clicking the “Start a Free Trial” button will take you to a form to fill out. Complete the form and you will be sent an email with a link to the “Tenant Signup” page at https://o365governance.azurewebsites.net/#/signUpTenant.
2. Read the “Sign Up” Text (shown in the Tenant Sign-Up page above) and click on the “log in” button. Enter your credentials (global administrator) on the login page that appears as shown below.
3. Provide Consent to the Govern 365 application to get access to your tenant with requested permissions, by clicking on ‘Accept’ button.
4. After the successful submission of your tenant signup request, the below screen is displayed. It will take ~15 minutes to an hour to complete the remainder of automated configuration tasks. We will send you an email with Tenant Configuration completion and login Information as soon as our automated part of the process is complete.
3 Completing Signup
After the registration and consent process completes, login to the Govern 365 application. A notification will be displayed at the top of the dashboard page enumerating the pending manual tasks that you need
to complete (as shown in the screenshot below). Perform each task in the steps listed below and check the box next to complete the task and stop displaying it in the Dashboard alert.
1. Organization Sign Up – Click on this link to sign up on behalf of the entire organization (so that every user does not have to individually consent)
2. Assign Users to Roles – Click on this link to add/Remove users or groups from your AD into one of the user roles (Admin and User) for the application. For starters, you may only want to add a few of your close service admin colleagues. Later you will add more users for your pilot and ultimately you will add all users that you expect to use the application in your organization for Go-Live.
3. Register the Provisioning Remote Event Receiver – Click on this link to Register Remote Event Receiver. The RER handles the triggering of the Provisioning engine and process from a submitted request. Provide the credentials of the same user who initiated the signup process to complete this step.
4. If you are interested in collecting inventory data about aggregate conversation count in a channel or the date and time stamp of the most recent conversation in Microsoft Teams, a service account is required. In the Tenant Settings page, click on Teams and specify the credentials for the service account.
The account specified for Teams provisioning must meet the following requirements:
Must be a cloud-only account in Azure AD (UPN in the format user@<domain>.onmicrosoft.com)
Disable Multi Factor Authentication for the account Set password to never expire (or expire after the longest time your
security policies permit) Assign a Microsoft Teams license to the account If your organization restricts who can create Office 365 Groups (described
here), then add this service account to the security group authorized to create groups. (Note: this requires assigning Azure AD Premium license to the service account)
5. Yammer access token – To generate Yammer access Token, please follow the steps below-
Go to Yammer and click on Setting & Apps icon
o
Then click “MyApps” and then “Register New App” button Fill up the form
o Application Name – Any suitable name like – Govern365<Tenant>o Organization – Your organization nameo Support e-mail – Your support emailo Website – Your web site URLo Redirect URI – Your web site URL
Copy the client Id Click on the link – “Generate a developer token for this application” to
generate token and copy that Copy the yammer domain
o
Go to “App Settings” in Govern 365 application then “Tenant Settings” and click on “Yammer Tab”
o Paste the copied items to the form below –
4
Additional ConfigurationA few other configurations and settings need to be done to complete the overall Tenant signup process as stated below.
Security Classification data setup Content inventory and Reporting setup Disposition flow setup
4.1 Configure Security Classification
This provides for the security classification e.g. Internal, External or Confidential of the containers that would be provisioned by Govern 365.
4.1.1Configure Security ClassificationFirst you need to check what are the classification values has already been set in the tenant. To view this go to (App Settings -> Tenant Settings)
Then click on “Classification” tab as shown below.
If the tenant has already classifications enabled, you would see them as comma separated values. In that case if you wish you can add/update values (comma separated) and click on Set Classification button to save the updated values.
If you see the first text field (Classification values: (Provide comma separated) empty that means there are no classifications set in the tenant, so you can add new values (comma separated).
Provide a default value in the second column. (This value needs to be any single classification provided in the first column).
You may or may not provide any usage guideline url in the third column. This is not mandatory, If you know the usage guidelines exists somewhere in your organization regarding the usage of classifications then provide the full url here).
After that click on “Set Classification”.
Launch Govern 365 site and go to “Provisioning Requests” -> “Submit a New Request”
The newly added security classification field would be added in the form as shown below.
Please note: If no values for security classifications are configured by tenant admin then this field will not be visible despite all the above steps taken. Follow the steps here to configure this in your tenant
If any default classification is set, then the same will be seen by default in the security classification dropdown list.
4.2 Configure Prerequisites for Content Inventory and Reporting
A content inventory is an ever-changing data set. As content is created, edited, deleted, or moved in Office 365, you need to be able to monitor all contents from a content audit perspective and as a result build the right content strategy.
Govern 365 crawls all the designated content sources regularly, extracts the required inventory data and makes them available to a Power BI interface for ready visualization.
This document helps the administrator to set up and configure Govern 365 in your environment for the purpose of the said inventory management and reporting.
4.2.1Configure Inventory Data Storage Account in Azure1. Create a new Azure storage account to store the inventory data navigating to all resources and
selecting to create a new storage account.
2. Provide all necessary information and click on “Review + create”.
3. Once the storage account is created, click on “Go to resource”.
4. Click on “Access Keys” in the left navigation and copy/save both the connection strings in a handy place.
4.2.2Configure Inventory Data Collection1. Log into the Govern 365 application as Admin, navigate to “App Settings ->
Tenant Settings -> Inventory Tab”, and check the Inventory and Report checkboxes.
2. Navigate to “Content Inventory -> Configure Data Storage”, select Azure Table Storage and provide the Account Name and Key from one of the connection strings saved earlier. Click Save.
3. Navigate to “Content Inventory -> Configure Data Collection” and enable Office 365 objects for which inventory needs to be collected using the slider (first icon under the Action column). To select all objects, click on “Enable All” button at the bottom.
This completes the setup of inventory collection process
4.2.3Collection of Inventory DataTo start collecting content inventory data, you can either kick off the Content Inventory (full crawl) job for chosen container types immediately or wait for the job’s scheduled run at Saturday 6 AM UTC.
To run the Content Inventory (full crawl) job on demand, navigate to “Content Inventory -> Configure Data Collection” and click on the “Start” button (2nd icon under the Action column) against the desired container type as shown below.
After some time, navigate to “Content Inventory -> Inventory Job History”and verify that the jobs have completed successfully. In Azure portal, navigate to the Storage Account created earlier and select Storage Explorer (preview) in the left navigation. You should see the tables created and populated with data.
4.3 Configure Inventory Reports
4.3.1Power BI Setup1. Download the latest version of Microsoft Power BI Desktop application (free)
from https://powerbi.microsoft.com/en-us/desktop/2. Log into powerbi.com, and using the Workspaces link in the left nav, create a
new app workspace for storing the Govern 365 dashboard, reports, and data set. Add members to the workspace as necessary. All members need Power BI Pro licenses (standalone or included with Office 365 E5) assigned to access the named workspace.
3. Verify that appropriate Power BI API permissions are granted to Govern 365 app registered in Azure AD.
4.3.2Change Data Source to Azure Storage account1.. Log into the Govern 365 application as Admin, navigate to “App Settings ->
Tenant Settings ->Report Tab”, and download the master version of Power BI report from link provided on the page.
2.. Open the downloaded PBIX file in Power BI Desktop, and make the following modifications to the report.
3.. Change the Power BI data source connection to point to the customer’s Azure storage account: From the “Edit Queries” ribbon menu item, select the “Edit Queries” option to launch a new “Power Query Editor” window in addition to the existing Power BI Desktop window.
4.. In the “Power Query Editor” window, select the AzureStorageAccountName parameter in the left navigation, and provide the storage account name configured earlier. Then click on “Close and Apply” ribbon menu item on the top left. This should prompt for the account key, and then refresh the data in the report from the specified Azure storage account.
4.3.3Alternate approach to connect to a different data source1 From Edit Queries -> Edit Parameters
2 It will prompt the below screen asking for “account name”. Enter the new storage account name.
3 Click ok and you will see below screen. Click on Apply changes on top.
4 Then below screen will appear prompting to enter the storage account key
5 Put the account key for azure storage and click on connect
4.3.4Enhance Power BI ReportYou can always modify/enhance the existing Power BI reports as per your requirement. Some examples are provided below.
You can extract Property Bag values attached to containers and use them in report, mash up Govern 365 Inventory data with other corporate data sources, add/change visualizations etc.
For example, select a query (e.g. Content Inventory) in the Power Query Editor window, and click on Advanced Editor ribbon menu to see the Power Query (or M) steps applied to data fetched from the table in Azure storage account.
Save the modified PBIX file to Inventory library of the SharePoint infrastructure site for future reference (optional).
Choose File ->Publish option in Power BI Desktop to publish the report to the app workspace created earlier in powerbi.com. This will publish the reports and data set to the Power BI Service.
Create a Dashboard by pinning desired tiles from reports.
Create a refresh schedule for the Data Set published to the app workspace. Credentials to Azure storage account may need to be entered again.
Note the GUID of the workspace in the URL and the name of the Dashboard created.
Configure the Govern 365 application to point to the published dashboard at powerbi.com: Navigate to “App Setting -> Tenant Settings -> Report tab” and specify the App workspace GUID and Dashboard Name.
4.4 Configure Disposition Flow
Microsoft “Flow” needs to be set up in your tenant for enabling Govern 365 to execute the disposition rules. It is important that the user performing the sign-up process must have Office 365 Global Administrator role to set up “Flow”
4.4.1Download and Import Flow.zipNavigate to below screen (App Settings -> Tenant Settings)
Next from the below screen click on “Disposition” tab, you will see two download links one for downloading the flow another for downloading spfx package. Click on those links to download these files(.zip and .sppkg file)
You need to import that downloaded flow zip file into your Flow tenant. You will also have to specify the Flow name and connections. Below are the exact steps that you will need to perform.
1. Go to https://us.flow.microsoft.com and sign in with the tenant admin account for which the flow is to be setup.
2. After signing in, click on My flows as shown in the screen below.
The following screen appears.
3. Go to “Team flows” and click on Import. The following screen appears.
4. Upload the zip file from your local store as demonstrated below.
Wait till the package gets imported successfully. System will show the message below indicating that the package import is in progress.
5. Once the import is completed click on “Update” button under “Import setup” as shown below.
You will be presented with the update (import) set up options as shown below.
6. Change the setup option to “Create as new“ from “update” and provide an appropriate name for the “Resource name” and click on save. You should see the following screen once the import set up is completed.
7. Now it is time for setting up the connection. Click on Action (wrench icon) under related resource and you will see the screen below.
8. Click on “Create new” to create a new outlook office365 connection as shown in the image below.
9. The following screen appears and then click on “New connection”.
10.In the new connection screen that appears as below, search for “outlook”, and select “outlook office 365” from the list.
A modal pop up appears as below.
11.Click on create and you will be presented with a screen to choose from the existing accounts or using a new one. Choose the right sign in account. After that the selected connection will be added to connections list.
12.After this, you will need to add connections in the similar way for each of the entries under related resource by clicking on the “action” against each entry and provide the connection details. In each case you will observe the added connection as below.
13.This way, you will come to creating the connection for the last one which is “SharePoint Connection”. Select SharePoint as described in the following image.
The following screen would appear and leave the chosen option as it is since the cloud service is already selected by default.
14.Click on “Create” and go back to the Import set up screen as shown below.
15.Click on action related to “SharePoint connection” and select the newly added connection and save it.
16.Finally, click on Import as shown below once all the connections are set up.
You need to wait till the import process gets successfully completed and the following message is displayed.
17.After successful import, edit the Flow and change the trigger to use the “DispositionWorkflow” library in the associated infrastructure site, change URL and save the flow as per the screen below.
4.4.2Configure Actionable Email for Disposition FlowThere are certain prerequisites for setting up actionable email that is to enable the user to click on actionable buttons directly on the mail.Register a provider id with Microsoft actionable email dashboard
1. Go to Microsoft actionable email dashboard page from the link: https://outlook.office.com/connectors/oam/publish and sign in with the respective tenant id for which flow is being configured.
2. Click on "New Provider"
3. The form below will appear. You need to provide few information in this form
and save this for approval. Please refer the screenshot below, fill up the form and then save. After saving respective tenant administrators will be notified regarding the approval.
Provide the target URL as https://o365governance.azurewebsites.net/api/FunctionApp/UpdateContentLifeCycle
4. At this stage, you will have to await approval from the tenant administrators.
Once they approve this request i.e. this provider will be shown as approved on the dashboard.
4.4.3Configure FlowAfter importing the disposition flow in your tenant the following configuration(changes) need to be done.
1. Edit the flow 1.1.Update the Site Address. This value can be obtained by visiting
(https://o365governance.azurewebsites.net/#/inventoryConfiguration) and there is a link of infrastructure site. This infrastructure link needs to be provided as Site Address.
1.2. Update the value of originator id in action "Initialize actionable email originator id" with the previously noted provider id as was shown in actionable email dashboard.
2. Next “Save” the flow.
4.4.4 Install SPFX packageDeploy provided SPFX App to Tenant App Catalog site as given in the following image.
1. Locate the app catalog site (from <tenant>-admin.sharepoint.com site -> Apps -> Apps Catalog) and upload the “.sppkg” file in the "Apps for SharePoint" list
2. Check the option to enable the app for all site collection - this will make an entry in Tenant Wide Extensions list.
This completes setting up of the “Flow” process and the disposition rules will be executed as the designed flow.
4.5 Configure Provisioning Requests Approval Flow
Microsoft “Flow” (Power Automate) needs to be set up in your tenant for enabling Govern 365 to execute the approval requests for newly submitted provisioning requests. It is important that the user performing the sign-up process must have Office 365 Global Administrator role to set up “Flow”.
4.5.1Download and Import Flow.zipNavigate to below screen (App Settings -> Tenant Settings)
Click on “Disposition” tab in the screen below and you will see few download links. Click the link in the item “Please download the container approval flow template” to download the zip file.
4.5.2Configure FlowAfter importing the approval flow in your tenant, the following configuration(changes) need to be done.
Before you proceed, please ensure that you create a SharePoint group in infrastructure site with the name “O365 Governance - IT Approval Group”.
You need to import that downloaded flow zip file into your Flow tenant. You will also have to specify the Flow name and connections. Below are the exact steps that you will need to perform.
1. Go to https://us.flow.microsoft.com and sign in with the tenant admin account for which the flow is to be setup.
2. After signing in, click on My flows as shown in the screen below.
The following screen appears.
3. Go to “Team flows” and click on Import. The following screen appears.4. Upload the zip file from your local store as demonstrated below.
5. Wait till the package gets uploaded successfully. Once it is uploaded successfully then update the connections. Please follow the exact steps as
previously specified in section 4.4.1 Download and Import Flow.zip). Once all the connections are updated, click on Import as per the screen below.
6. Once the import is complete, open the flow in edit mode where you need to update the values corresponding to your environment as mentioned in the steps below.
a) Site Address
b) Value (Initialize Infrastructure Site Url)
c) Site Address
d) Site Address
e) Update job status to pending (Site Address)f) Update request status (Site Address)g) Update provisioning job status (Site Address)
h) Update status to pending (Site Address)
This completes the approval flow set up in the Govern 365 application.
4.6 Configure Re-certification Flow
Microsoft “Flow” needs to be set up in your tenant for enabling Govern 365 to execute the recertification task requests for the newly submitted recertification policy requests. It is important that the user performing the sign-up process must have Office 365 Global Administrator role to set up “Flow”.
4.6.1Download and Import Flow.zipNavigate to below screen (App Settings -> Tenant Settings)
Click on the “Disposition” tab and locate the download link for re-certification flow. Click on that to download the zip file.
4.6.2Configure FlowAfter importing the disposition flow in your tenant, the following configuration(changes) need to be done.
Before proceeding further, please ensure that you create a SharePoint group in infrastructure site with the name “Govern O365 Service Admin Group” having Design/Contribute Permission.
You need to import that downloaded flow zip file into your Flow tenant. You will also have to specify the Flow name and connections. Below are the exact steps that you will need to perform.
1. Go to https://us.flow.microsoft.com and sign in with the tenant admin account for which the flow is to be setup.
2. After signing in, click on My flows as shown in the screen below.
The following screen appears.
3. Go to “Team flows” and click on Import. The following screen appears.4. Upload the zip file from your local store as demonstrated below.
5. Wait till the package gets uploaded successfully. Once it is uploaded successfully then update the connections as previously specified in 4.4.1 Download and Import Flow.zip
6. Once the connections are updated, click on Import.7. Once imported then change the values below with those of the corresponding
infrastructure site of your tenant.8. Also create two default SharePoint document libraries in corresponding
infrastructure site Recertification RecertificationWorkFlow
9. Now open the flow in edit mode where you need to update the values corresponding to your environment as mentioned below.
a) Step: When a file is created in a folder
Set the infrastructure site address URL in “Site Address” and select Folder Id to RecertificationWorkflow
b) Step: Initialize RequestUrl
Set the infrastructure site address in value field.
This completes the setup of recertification flow in Govern 365 application.
