DESIGNING CLOUD FILE SYSTEM IN OFFICE 365

Conceptual model of Cloud File System within Office 365. Suits well those organizations that already invested in Microsoft Office 365 or planning to, and wish to maximize return on investment.

PROBLEM / INTRO

A little while ago, I took on a challenge in revamping an organization’s file storage. There were four stand-alone file servers around the world with no replication between them. Employees copied files from remote regions to their local server in order to work with them efficiently. This created a problem with redundant copies stored in various locations, while some of the file copies were more up to date than others. Permissions were a mess as well. The overall picture was very grim and made those people frustrated who had to deal with file server content on a daily basis.

My initial reaction to this mess was to simply deploy new File Servers with extra storage and configure DFS. This worked well in the past. On the other hand, I just started with this organization and knew very little about its related processes. The decision was made to research the challenges experienced by employees.

Immediately, I was hit by the number of constraints that made me question my initial solution. One of those constraints was that the organization already invested in Office 365 and Azure and pointed to the fact that on-premises file services may not be a good idea.

Microsoft offered 2 possible solutions to my problem:

  1. Azure File Sync – less complex alternative to DFS. This solution worked nicely, yet required spending on Azure Storage Accounts and on-prem hardware upgrade.
  2. SharePoint Online – works the same way as MS OneDrive, which all users are already familiar with. Uses the employee workstation and Office 365 to store files. This solution was more appealing as there was no added cost to it.

Below is a quick preview of what came out of SharePoint Online, which replaced traditional file servers. File Explorer displays both file repositories from SharePoint communication site and from my Teams site. This allows updating files without a need to go to each.

ASSUMPTIONS

  • This post is a description of the conceptual model and does not contain detailed instructions.
  • A reader of this post has basic knowledge of Office 365 and SharePoint Online.
  • The organization is exercising Medium to Low-security practices. You may want to add an extra layer (or layers) of complexity if using this in a Moderate to High-security organization.
  • The organization is already using or planning to transition to Office 365.

REQUIREMENTS

Business Requirements

  1. Structure permissions using groups
  2. Make files available for employees at any location from a single place
  3. Keep the cost to the minimum
  4. Avoid adding hardware on-premises

Angry S.P.A.C.E.

Also, there are a few things that I like to add into the mix, using the Angry S.P.A.C.E. model.

  1. Simplify administration by means of partial control delegation to end-user – allows IT to focus more on other projects instead of support.
  2. Reduce the skill level required for IT administration – allows hiring less skilled and cheaper IT force on the job market.
  3. Maximize return on investment – savings can later be converted into bonuses to motivate and boost the morale of your team.
  4. Modernize –  facilitates adoption, as well as intuitive transition.

SOLUTION

SharePoint Online was the choice I made over anything else available.

  • It comes as part of Office 365 Business Premium and Essentials subscriptions. Most organizations start off with those licenses for their email and office applications. This means that you do not need to buy anything extra (Business req. 3).
  • It is a cloud service. Therefore business requirements 2 and 4 are automatically satisfied.
  • Permissions are easy to administer by adding groups via modern interface or by going into detailed permissions in site settings (Business req. 1)
  • SharePoint Online can be configured by admin with minimal experience (S.P.A.C.E. 2)
  • You can use existing and create new Active Directory or Azure Active Directory security groups or Mail-Enabled Security Groups to allow users to manage members from Outlook Address Book (S.P.A.C.E. 1)
  • Out of the box modern design templates look cool and pages are easy to update if end user wants to use it as their department Intranet (S.P.A.C.E. 1 and 4)
  • The cost of this solution is labor only, if the organization is already using Office 365 (S.P.A.C.E. 3).

Cloud File System on Paper

Basic Terminology

Hub Sites allow you to associate other SharePoint sites and MS Teams sites with one entity. All associated sites inherit the common hub menu at the top. The Hub Menu is used to hold common menu items that associated sites may share.

Example: links to all associated sites

Site Collections are easy to manage via the SharePoint Admin Center. In the old days we used to create sub-sites to inherit menu items and permissions. Today hubs resolve the menu issue, and permissions are more convenient to manage via Active Directory or Azure Active Directory: create the necessary groups and add those to the default SharePoint security groups.

Each site comes with default Document Library. This is where your users will upload their files to.

In some cases, you will need to create additional document libraries with limited access.

Sharable Links are an excellent way of sharing files and folders with external users and other employees that do not need to see your entire library.

Furthermore, the sharable links feature is an excellent alternative to insecure FTP servers.

Flat Structure Using Site Collections

I chose to structure sites flat, as opposed to the classic hierarchy.

Reasons are the following:

  1. Microsoft no longer uses hierarchy when sites are created for its services. They use flat lists and meta-data filters. Use imagination to estimate administration effort in their classic admin panels, such as in the older version of Windows…
  2. Separate site collections are easier to manage from the Admin Center, as opposed to sub-sites.
  3. SharePoint Online security groups are used only to hold AD or AAD security groups. This will allow you to update user group membership from a single pane of glass.
  4. With Hub Site functionality in SharePoint Online, you can carry over the same menu across different site collections and still have a secondary menu for the specific site collection.
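The flat layout above, scripted with the SharePoint Online Management Shell. This is an added example and not code from the original post; the tenant name, site URLs, owner address and quota are placeholders, and it assumes a SharePoint administrator account.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell module ("Microsoft.Online.SharePoint.PowerShell") and a
# SharePoint admin role. "contoso", the site URLs and the owner are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$tenant = "https://contoso.sharepoint.com"
$owner  = "spoadmin@contoso.com"

# 1. One communication site that will carry the shared Hub Menu
New-SPOSite -Url "$tenant/sites/intranet" -Owner $owner -StorageQuota 1024 `
            -Title "Intranet Hub" -Template "SITEPAGEPUBLISHING#0"
Register-SPOHubSite -Site "$tenant/sites/intranet"

# 2. Flat list of department site collections, one per department, no sub-sites.
#    "STS#3" is the modern team site template without an Office 365 group.
$departments = @("hr", "finance", "engineering")
foreach ($d in $departments) {
    $url = "$tenant/sites/$d"
    New-SPOSite -Url $url -Owner $owner -StorageQuota 1024 `
                -Title "$d department" -Template "STS#3"
    # 3. Associate with the hub: the site gets the hub navigation on top and
    #    keeps its own secondary menu, so no permission inheritance is involved.
    Add-SPOHubSiteAssociation -Site $url -HubSite "$tenant/sites/intranet"
}

# Check: every site that is associated with the hub shows the hub's ID
Get-SPOSite -Limit All | Where-Object { $_.HubSiteId -ne [guid]::Empty } |
    Select-Object Url, HubSiteId
```

Each department is its own site collection, so it appears in the Admin Center's site list and can be deleted, restored or re-pointed to a different hub without touching any other department.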

SECURITY

Recommendation

My goal is usually – Simplify technology. Security is one of those areas where it’s very difficult to do so. However, it is possible when you set some sort of guidelines where you need enhanced security and where you don’t.

List of guidelines for SharePoint Online Cloud File System described here:

  • Do not go deeper than 2 levels on managing access:
    1. Site Collection – configure from Admin Center;
    2. Document Library – configure from library settings.
      You will find yourself quickly overwhelmed if you start creating sub-sites and manage permissions anywhere other than two areas above. Use Hub Menu instead to create a perception of hierarchy.
  • Let department managers control their department via Mail-Enabled Security Groups – they know best who should have access to their department files.
  • Only admins should control access to restricted document libraries – delegating this control may result in permissions creep and data leakage.
  • Stay away from configuring access on document library folders – at some point users may want to switch to meta-data filters and you’ll end up re-doing or even splitting the document library.
    • Apply Sharable Links practice with expiration dates if the user asks about giving access to a specific folder – this will prevent permissions creep and will allow employees temporary access to get the job done.
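The sharable-links guideline above, expressed as tenant and site settings. This is an added example, not configuration from the original post; the tenant name, site URLs and the specific day counts are placeholders to adjust to your own policy, and the newer external-user expiration parameters assume a current version of the SharePoint Online Management Shell.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell and a SharePoint admin role. "contoso", the site URLs and the
# day counts are placeholders; pick values that match your own policy.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-wide defaults:
#  - links users create are "People in your organization" unless they change it
#  - "Anyone" (anonymous) links, where a site allows them at all, are view-only
#    and stop working after 14 days, so folder access is always temporary
#  - guest users invited through sharing lose access after 30 days unless renewed
Set-SPOTenant -DefaultSharingLinkType Internal `
              -RequireAnonymousLinksExpireInDays 14 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30

# Per site: department sites may share with authenticated guests (no "Anyone"
# links); a site holding restricted libraries does not share externally at all.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/hr" `
            -SharingCapability ExternalUserSharingOnly
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/finance-restricted" `
            -SharingCapability Disabled

# Check: list any site that still allows anonymous links, so it can be reviewed
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```

Because link expiration is enforced at the tenant level, a user who grants temporary folder access through a link cannot create the permanent per-folder permission the guideline warns about; when the link expires the folder is back to inheriting the library's permissions.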

Document Access Levels

Start with identifying who needs access to what. It will take time, but this documentation will speed up your rollout.

I created a template for my team to follow when collecting this information. You may want to build your own, or use mine.

Access Permissions

There are four common group types you need to be concerned about creating in your directory.

  1. Department Members – by default will have access to edit documents and department site content.
  2. Custom Document Libraries – narrow group(s) of users is permitted to edit/view them.
  3. Everyone but External Users – rest of the organization. This group is already pre-setup in SharePoint Online. Typically has read-only access to default documents or not configured at all.
  4. Site Owners – a small group of users that has administrative access to the site and its libraries. It usually consists of SharePoint admin users.

I recommend sticking to the above roles to keep things simple and manageable. Though, you can extend these to meet your requirements.

SharePoint Online has three default Security Groups per site. The desired permissions can be achieved by placing AAD security groups within them.

  1. Owners – Administrators: full
  2. Contributors – Department: edit
  3. Visitors – Rest of organization: read

For custom document libraries you may want to keep Owners, but remove Contributors and Visitors. Replace them with AAD security groups that should have access to the library.
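The two-level permission model above (default site groups holding AAD groups, plus one restricted library with its own permissions) as a PnP PowerShell script. This is an added example and not code from the original post; the site URL, the AAD group object IDs, the tenant ID and the library and group names are placeholders, and it assumes the PnP.PowerShell module with a site owner account.

```powershell
# Added example (not from the original post). Assumes the PnP.PowerShell module
# and an account that owns the site. The site URL, the AAD object IDs, the
# tenant ID and the library/group names are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/hr" -Interactive

# SharePoint identifies an Azure AD security group by this claim string.
function Get-AadGroupClaim([string]$ObjectId) { "c:0t.c|tenant|$ObjectId" }

# Placeholder object IDs of the AAD groups created for this design
$adminsGroupId    = "00000000-0000-0000-0000-000000000001"   # SharePoint admins
$hrDepartmentId   = "00000000-0000-0000-0000-000000000002"   # hr.department (mail-enabled)
$hrRestrictedId   = "00000000-0000-0000-0000-000000000003"   # narrow group for the restricted library
$tenantId         = "00000000-0000-0000-0000-0000000000aa"   # placeholder tenant ID

# Level 1, Site Collection: the three default site groups hold nothing but AAD groups.
$owners       = Get-PnPGroup -AssociatedOwnerGroup      # full control
$contributors = Get-PnPGroup -AssociatedMemberGroup     # edit
$visitors     = Get-PnPGroup -AssociatedVisitorGroup    # read

Add-PnPGroupMember -Group $owners       -LoginName (Get-AadGroupClaim $adminsGroupId)
Add-PnPGroupMember -Group $contributors -LoginName (Get-AadGroupClaim $hrDepartmentId)
# Built-in "Everyone except external users" claim; the GUID is the tenant ID.
Add-PnPGroupMember -Group $visitors     -LoginName "c:0-.f|rolemanager|spo-grid-all-users/$tenantId"

# Level 2, Document Library: the restricted library stops inheriting from the site.
$lib = "HR Restricted"
New-PnPList -Title $lib -Template DocumentLibrary
# Copy the site's assignments first so Owners survive, then drop the other two.
Set-PnPList -Identity $lib -BreakRoleInheritance -CopyRoleAssignments -ClearSubscopes
Set-PnPListPermission -Identity $lib -Group $contributors.Title -RemoveRole "Edit"
Set-PnPListPermission -Identity $lib -Group $visitors.Title     -RemoveRole "Read"

# A SharePoint group that exists only to hold the AAD group, as the post prescribes.
$restricted = New-PnPGroup -Title "$lib Members"
Add-PnPGroupMember -Group $restricted -LoginName (Get-AadGroupClaim $hrRestrictedId)
Set-PnPListPermission -Identity $lib -Group $restricted.Title -AddRole "Edit"

# Check: the library must report unique role assignments; if it still inherits,
# "Everyone except external users" can read the restricted content.
$check = Get-PnPList -Identity $lib -Includes HasUniqueRoleAssignments
if (-not $check.HasUniqueRoleAssignments) { throw "$lib still inherits site permissions" }
```

Membership changes after this point happen in Azure AD (or, for the department group, in Outlook by the department manager); nobody needs to touch the SharePoint groups again, which is what keeps the "single pane of glass" promise.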

Standard Security Groups

Standard security groups are useful for Custom Document Libraries. A user must have access to the Admin Center to modify the members of such a security group.

You can also use Mail-Enabled Security Groups for this if you plan to have non-admin users managing members. Otherwise, it’s better to keep things simple and clean.

Mail Enabled Security Groups

Use them to set up departments and assign Managers as owners. Let them worry about who will be accessing/editing their files and site content.

Mail-Enabled Security Groups for departments also allow you to use them as email distribution lists. Thus, you can send emails to the entire department without a need to create a duplicate distribution list.

Naming Convention for Mail-Enabled Security Groups

Keep your naming clean and informative. Avoid using ambiguous wording and explain the purpose of each group using minimum words. Also, think about filtering and search, when naming groups or creating email addresses for them.

I like to follow the logic used in FQDN for email addresses and aliases – go from small on the left to big on the right.

[departmentName].department@mydomain.com
[branchName].office@mydomain.com
[projectName].team@mydomain.com

Examples:
hr.department@angryadmin.net
toronto.office@angryadmin.net
executive.team@angryadmin.net
web.team@angryadmin.net

Note the pattern used in each example. I find it very simple and self-explanatory. This will work for, pretty much, anything in the organization.
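The naming convention above, turned into a check that runs before a department group is created, followed by the creation of the Mail-Enabled Security Group itself with the department manager as its owner. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module and an Exchange administrator account, and the addresses and manager are placeholders in the post's example domain.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and an Exchange admin role. Addresses and the manager are placeholders.

# Parse "[name].[department|office|team]@domain": small on the left, big on the right.
function Test-GroupAddress {
    param([Parameter(Mandatory)][string]$Address)
    $pattern = '^(?<name>[a-z0-9]+)\.(?<kind>department|office|team)@(?<domain>[a-z0-9.-]+\.[a-z]{2,})$'
    if ($Address -match $pattern) {
        [pscustomobject]@{ Valid = $true;  Name = $Matches.name; Kind = $Matches.kind; Domain = $Matches.domain }
    } else {
        [pscustomobject]@{ Valid = $false; Name = $null; Kind = $null; Domain = $null }
    }
}

# Create the group only when the address follows the convention. The manager is
# the owner, and membership is closed so only the owner (or an admin) changes it.
function New-DepartmentGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$ManagerUpn
    )
    $check = Test-GroupAddress -Address $Address
    if (-not $check.Valid) { throw "'$Address' does not follow [name].[kind]@domain" }

    New-DistributionGroup -Name $DisplayName `
                          -Alias ($Address.Split('@')[0]) `
                          -PrimarySmtpAddress $Address `
                          -Type Security `
                          -ManagedBy $ManagerUpn `
                          -MemberJoinRestriction Closed `
                          -MemberDepartRestriction Closed
}

Connect-ExchangeOnline

# Placeholder values in the post's example domain
New-DepartmentGroup -DisplayName "HR Department" `
                    -Address "hr.department@angryadmin.net" `
                    -ManagerUpn "hr.manager@angryadmin.net"

# Rejected: ambiguous, no [kind] suffix, so it never reaches Exchange
Test-GroupAddress -Address "hr@angryadmin.net"      # Valid = False
Test-GroupAddress -Address "toronto.office@angryadmin.net"   # Valid = True, Kind = office
```

The group that comes out is both the security principal you drop into a SharePoint site's Contributors group and the address the rest of the company emails; the manager adds and removes people from the Outlook address book, and the `Closed` restrictions stop users from adding themselves.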

Explain To End Users

The hardest part is explaining to end-users what goes where, until they understand the difference between OneDrive, Teams and SharePoint Online.

You are likely to melt their brain if you try to explain that this is all the same thing. I found it helpful to introduce one product at a time. OneDrive first, then Teams or SharePoint after.

SharePoint Online

Used for department files and functional documents accessed by multiple departments. Files may be stored for the long term.

Microsoft Teams

Used for files with a defined life cycle, at the end of which they either get deleted or moved into the department document libraries within SharePoint Online.

OneDrive

Used for individual employee business files or work in progress files, which may be moved to either Teams or SharePoint for collaboration and/or retention.

Adoption

Depending on the technical skills of your users, implementation and adoption may need to be done in several stages.

Stage I

If your end users grew up on social media and are pretty good with tech, jump straight to the next stage.

Users with little technical knowledge will need a lot of help from your team. Avoid preaching to them about how great SharePoint Online is; it’s a waste of time. Simply hit the Sync button in the needed document libraries, so files are synced through their OneDrive app to Explorer, and move on.

For a bit more advanced users you may want to craft an instructional email and save your team time.

Stage II

Meet with each department individually and give a brief presentation about their Intranet page. Explain what they can do and access there.

Show users the Sync feature and explain how it works.

You may also be able to collect immediate feedback on how to scale some department sites once you are done with your initial rollout.

Stage III

Collect feedback and make necessary adjustments for each department site collection.

CONCLUSION

With proper planning and smooth implementation of this concept, you’ll deliver a very simple and intuitive File System. Your end-users will still have their favorite folders, while you’ll have less hardware to take care of.

Once the transition is completed, you can also start planning for the introduction of metadata to your file system. It will replace traditional folders and will allow finding files using rich filters.

SharePoint Online Sync Feature (figure callouts):

  1. Libraries that the user chose to Sync to the device.
  2. Synced SharePoint Library.
  3. Files synced from MS Teams.
  4. Folders that the user chose to keep in the Cloud or Local.
  5. Document libraries synced from SharePoint department sites.
  6. Synced MS Teams Library.
  7. OneDrive – individual employee working files and backups of Desktop, Documents and Pictures.

Angry S.P.A.C.E.

Every project I work on usually is inserted into the Angry S.P.A.C.E. model to be evaluated on whether it’ll live or die. Its parameters are measured across 5 criteria to determine its ROI.

  • Supplier – who and how delivers the product
  • Product – what you are delivering
  • Approximate Cost – of your product
  • Customer – who will be using your product
  • Evaluation – a decision-making process

I’ll explain how these parameters impact return on investment and make stakeholders angry in one of future posts or videos.
