
#330 - Mastering Group Management with Microsoft's David Johnson

Feb 10, 2025 | 51 min | Ep. 330

Episode description

In this episode of the Identity at the Center Podcast, hosts Jeff and Jim dive deep into group management, AI, and organizational governance with David Johnson, Principal PM Architect at Microsoft. Join the conversation as David shares his extensive experience managing Microsoft 365, Entra, and SharePoint permissions, and provides best practices for guest management and labeling sensitive data. David also discusses how these paradigms shift with the introduction of AI-driven tools like Copilot. Tune in to understand the essential steps to secure your IT infrastructure and ensure efficient data management.


Chapters

00:00 Introduction to AI and Permissions
00:29 Reflecting on SharePoint Innovations
00:59 Group Membership Management
01:49 Podcast Introduction and Baseball Talk
04:25 Upcoming Conferences and Discount Codes
08:19 Interview with David Johnson
12:40 Managing Microsoft 365 Groups
24:29 Understanding Guest Invitations in Microsoft Environments
25:09 Defining Guests and Their Access
26:45 Common Mistakes in Guest Setup
28:22 Lifecycle Management for Guests
29:53 Delegated Authority and Guest Management
32:28 SharePoint and Teams Integration
38:50 Future Trends in Identity and Access Management
43:29 Reflections on Microsoft Leadership
45:16 Personal Insights and Travel Tips
49:22 Conclusion and Farewell


Connect with David: https://www.linkedin.com/in/david-johnson-a12909196/

GMM GitHub repo is available to the public: https://github.com/microsoftgraph/group-membership-management-tenant

Learn more or get installation support: contact GMM inquiries at GMMinquiries@microsoft.com


Conference Discounts!

Gartner IAM Summit - Code IDAC425 saves 425€: https://www.gartner.com/en/conferences/emea/identity-access-management-uk

European Identity and Cloud Conference 2025 - Use code idac25mko for 25% off: https://www.kuppingercole.com/events/eic2025?ref=partneridac

Identiverse 2025 - Use code IDV25-IDAC25 for 25% off: https://identiverse.com/


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at http://idacpodcast.com

Transcript

AI is fantastic, but if you have bad or overexposed information, AI is going to surface it. AI is not going to care whether it should show you something; if you have access to it, it's going to show it to you. So getting permissions right, getting the memberships right, getting identities right is absolutely cornerstone to good and well-managed AI. And that to me is a fundamental

part of our future. And that, you know, when I think about managing and governing our services, really it's to make Copilot shine. So you took my Copilot question, because that's what I wanted to ask you was how do you see this kind of evolving with that? So I'm going to take it in another direction. We're going to go backwards.

Is there a particular innovation or thing that happened, and we'll just call it in the SharePoint environment or the group permission management, that kind of thing, that you see as like, oh yeah, when we did that back in X, that really kind of changed the game of how we're approaching this or made things easier? Like, is there something that stands out? I think I'd pick on a couple of key things. I think one, our group membership management for VP groups.

The fact that all of the engaged community for some organizations automatically created, constructed in Entra, we serve right people. That's cornerstone, us getting labeling even tied to the interest of Microsoft 365 groups. Again, cornerstone, the fact that I can differentiate that highly confidential data from general data. Those are things that make a big difference in the IT organization. This is Identity at the Center. If it has anything to do with

IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad, yourself? I'm good. So I was reminded today what was the first thing I said to you when I first met you many, many moons ago. Do you like baseball? Never forget it. Yeah. And what's cool about it, I know we've told that story a few times, right?

We do this show, it's real, you know, and that's a real story that really happened. But so what I was reminded about was just like, it's been a lifelong dream of mine to go to Arizona in the month of March to catch some spring training. And I always figured I'd have to spend my own money on it and things like that. Well, I actually have a work project that's going to send me out to Arizona. I'm going to get to catch a game on a Sunday while I'm out there.

So, you know, fly out there a little bit early and check one more thing off the bucket list before I kick it. That's the pro move, right? Whenever you get to travel for work, try and bookend it with something to do in the city. And I say that as a pro move because I never do that. I'm like in and out, like hotel, or I'm like airport, hotel, client, hotel, airport and I'm out. That's pretty much how I do it. But you're doing it. The more you travel, the more you fall into

that trap. But I've been, you know, since COVID, not traveling nearly as much as pre-COVID. But I'm fully going to take advantage of this trip to Arizona in March and... You're a big baseball guy, that's spring training, so you're going to see what teams out there? I think I'm going to go. And so there's like half the MLB plays out there and I'm not a big fan of either of these teams, A's and Giants.

But from everything I read, which is mostly on Reddit, so it has to be true, the San Francisco Giants stadium in Surprise, AZ is like, you've got to see it, it's the best. So if you have one to do, that's the place to go, apparently. At least I'll know if I enjoy it or not. I don't know if I'll be able to say how it ranks against other parks. I've been to a lot of spring training in Florida because I live near Florida and it's a short drive.

Short, as in eight hours or so, but... It's not a short drive, but I get it. Yeah, exactly. That's cool. I'm sure you'll have a good time. And you know, baseball's your jam. I'm not much of a baseball fan and, you know, for whatever reason, our total opposites seem to work on this. Yeah, exactly. But yeah, mostly what I'm doing, my travel these days is for conferences. So we lined up a bunch of discount codes. You want to kind of go over those?

Yeah, we've got three. So we'll start with the Gartner IAM Summit in London. That one is in March, March 24th and 25th. And if you use the code IDAC425, you will save, I don't think we ever determined, 425 of some sort of local currency. I don't know if it's pounds or euros. 425 something, I think it's euros though, and we'll have that link in our show notes as well with, you know, discount codes. But yeah, that's kind of cool

that they've extended out there. You and I were at the Gartner conference in December and that was a lot of fun. So shout out to Rebecca for hosting us on stage and giving us a, yeah, the grilling that we gave them a couple years ago. She turned the tables on us. Yeah, my, how the tables turn. So next up we've got Berlin. This is something you and I are going to. It's the European Identity and Cloud Conference, that's May 6th

through the 9th. And if you use the code IDAC25MKO, you get 25% off of that one. So you and I have been spending a lot of time getting that coordinated and starting to figure out our plans for that. I still have to book my flight, but I do have a hotel, so that's good. Yeah, absolutely.

I'm, you know, like I said, I'm going to go out there the week before. I'm going to be in Oslo, Norway and hoping to set up an identifier, but that's already being planned, and I'm going to spend the weekend in Copenhagen. So if there are listeners in Copenhagen, would love to meet even just for a coffee or whatever. Not sure how big our listener base is in Copenhagen, but then after that heading to Berlin, so. We got listeners everywhere, so. We do.

We do. We'll buy you a beer or a coffee or something like that. Absolutely, glad to. Let's see. Then after that we're coming back to the United States and we're going to do Identiverse 2025 in Las Vegas. So June 3rd to the 6th, and a discount for that as well. IDV25-IDAC25, that gets you 25% off. So you and I have some things that we're planning and we had a meeting this morning about that. So some fun stuff that we're not quite ready to announce, but stay tuned for information on that.

So I'm excited because we're going to do something with that that we had a good time with last year. Absolutely. I would expect for, you know, both Berlin as well as Identiverse, we're going to put out as much content as we can coming out of those. So stay tuned for that. Yeah, I will. We'll see what happens timing-wise because I would rather not be editing on vacation, stuff like that. So we might space it out a little bit.

But yeah, we'll have content for that, and then let's see what else we got. The Authenticate conference by the FIDO Alliance, that's coming up later this year. And I think their call for speakers is open, right? Does that run through the next couple of months, through March, right? Actually, you know, down a couple of months, the proposals are due on March 3rd.

So it's got about a month. So you've got a couple weeks, but you know, focus on passwordless authentication, you know, device or possession-based factors over knowledge factors. So if you've got a good paper in mind or a good twist on something you've done within your organization, they're looking for things like that, so go to authenticatecon.com, like authenticate conference, but just con. I will have all these links in the show notes and they're always on

our homepage at idacpodcast.com. You'll see all the current discounts that we're aware of. So go there, check it out. You know, use the codes, abuse them, send as many people out. And if you do, let us know, come up, meet us. Jim and I are usually carrying stickers, and we're happy to hand those out. So all right, why don't we get to our guest who's been patiently waiting in the wings here listening to this. His name is David Johnson. He's the Principal PM Architect at Microsoft.

Welcome to Identity at the Center, David. Thank you. Hello. And yes, I'm in the Microsoft Digital organization, specifically at Microsoft, where you might think of it as Microsoft's IT organization. Gotcha. So we're going to get into probably a few different things around like groups and AD and Entra and SharePoint and Teams and all kinds of stuff like that. But it's your first time on the show, so we always like to find

out origin stories. Yours might be a little interesting because you've been with Microsoft for like 25 years. So I'm curious, how did you get into the identity space? Is this something that you chose? Did it choose you? Like how did that come about? Well, I guess more than 20 years ago or so, I kind of got involved with SharePoint and how we were managing SharePoint on premise.

And when you think about some of the key themes around SharePoint, it's about permission management and how are you kind of making sure the right people have access to what, how are you doing ongoing access? How do you make sure you're minimizing, you know, oversharing of information? Right people should have access, right stuff. Identity is at the center of all

that, right? And that's kind of where you think about, that's when the on-prem world is moving into the cloud, Entra becomes your foundational story of how SharePoint and how Teams and all these other services are all foundationally managed and tied to identity and Entra. And so really when I think about how do I govern the Microsoft 365 data estate, which is what I do, I have to govern effectively the Entra data estate when it comes to groups especially.

And so, though my focus is Microsoft 365 and related services like our platform, Copilot, agents and so on, Entra is a big part of that because it's foundational. You can't be successful if you don't have a good identity stack. I like what you said there. Identity at the center. Somebody should start a podcast called that. Well, Microsoft also has a bunch of conferences. Do you ever speak at any of the conferences that Microsoft does? Because it seems like they have

three or four per year. Yeah, I do. Last year I spoke at the Microsoft 365 Conference. I'm doing it again this May, I think it's in Vegas, if I recall correctly, the Microsoft 365 Conference. I generally talk about how Microsoft manages Microsoft, that we govern ourselves, because obviously some people are kind of interested in, you know, we're a large customer of

ourselves. What does it mean we're managing SharePoint and Teams and Entra groups, and how do we pull it all together to let our employees be successful without IT getting in the way too much? What's a common question that you get from people when you present and stuff like that? And I have to imagine a lot of people are like, OK, well, you know, how does Microsoft do it? Microsoft using their own products. But is there like a common question that you typically will

get after you present? Yeah, I think it's everything from, actually, there's a lot. It's like, well, do you really turn this all on? Do you really run it? It's how do you run this at scale? What kind of problems do you have? And it's often coming up with the same concerns customers have. I mean, it's like, how do you deal with the oversharing problem? How do you stop sprawl in the enterprise? What are employees allowed to do in your enterprise? How do you just deal with change?

You're running in the cloud, how do you keep up with the product stack? As Microsoft, you're kind of your own first customer. Is that hard? Like those are the common questions that I'll get all the time. And those are common themes I'll get into, is how do we govern Microsoft and how do we manage effectively all this stuff that people create, and our guiding principle goes back to we're trying to let employees do things.

So the conversation we're going to have today is really kind of focused more on your viewpoint as that practitioner, right? We're not talking like Microsoft's tablets coming from on high and saying thou shalt do this. This is really more your own experience, and just want to get that out there, right? We make sure that we don't portray things the way they shouldn't be. No, exactly. And I'll say my role is responsible for how, whatever standard, what do we do

internally? And so all I can talk about is how Microsoft manages Microsoft. I can't give, of course, how you should do it as a customer. It's up to you. I'll also say I think this is a good idea. This is clearly something we do, but that's as far as I'll go. So, David, I know as we've kind of gotten into some of the conversations, I mean, clearly, you know Active Directory and groups way better than I do. So let's kind of ease people into some of these topics that

we're going to talk about today. And what I wanted to talk about is how the Microsoft directory products handle entitlements, namely groups. You know, my origin into Microsoft as well was kind of back in the day of Windows NT4, and there were just groups back then, but there's different

kinds of groups now, right? And so I was wondering if you could kind of start us with an overview of the types of groups, thinking about kind of the Entra environments and also hybrid environments where you've got, obviously, I think almost all Microsoft customers at this point have got some stake in Entra, but a lot of companies still have that on-premise Active Directory and they're keeping the two in sync.

So if you kind of give us an overview of, you know, what different types of groups are out there and how they work. Yeah. And fundamentally, I guess I'll focus a lot on the Entra groups, Azure Active Directory as it was formerly known. Obviously things like security groups and distribution lists and email-enabled security groups, security-enabled distribution lists, like those are all things that existed on premise in the AD world and in

the cloud AD, Entra. You now have effectively, additionally, Microsoft 365 groups, in addition to security groups, in addition to DLs. And the Microsoft 365 group construct is effectively, what's unique about it is, in addition to it being a membership construct to make sure you've got the right people, it's also the construct that backs every SharePoint site and every Microsoft Team. For example, a channel, they are all backed by a Microsoft 365

group. Some people might think of them as universal groups, groups that, you know, every engaged community, they're all backed by the same group type in Entra. And that's why when you think about the themes, how do you manage SharePoint? How do you manage Teams? At the end of the day, a lot of this comes down to how do you manage groups, because that's your construct. Yeah. And I mean, that's what you're doing all the time.

And it's kind of like an eat-your-own-dog-food kind of model. And I don't want to ask you what are the best practices from a Microsoft perspective, but in your mind, when it comes to managing groups, what are some best practices, that you know you would give that advice to your best friend? Yeah, I would say first of all, determine who is allowed to create groups. Obviously as an IT organization, you have certain trust issues. Everyone does.

We know, for example, in our case, we will let our full-time employees create groups. We'll let our full-time employees create SharePoint sites and team sites and Teams and things like that. But not even engaged communities. Sorry, I'm not sure if there's other background noise coming through. But, you know, point is, yeah, we will let our employees create these things. And so it's part one, who can create. Part two, you know, and I

think it's really important. I will let people create more groups, more sites, more Teams. It's better doing that than, say, letting sprawl happen, letting abuse happen of all these things all over again. I want to make sure that you don't go deep on something, like it's far better for you to have multiple SharePoint sites, multiple groups, than effectively doing a bunch of nesting and a bunch of reuse of an existing group for a different purpose.

Because at the end of the day, when oversharing happens is when people get it wrong, because somebody didn't realize that this group, this location has a different permission structure. When this location has nesting that you didn't realize, you just opened this thing up. And so when you think about kind of groups and the Microsoft group model, having an ability for people to create things, I think, is essential. But at the same time that comes with accountability.

So we let people create things. We're also going to validate that we have the appropriate owners on these things. So we've got expiry policies on these things. We keep them only as long as we need to. And that keeps the house clean because that's the other part of this that you don't just want groups sitting around forever

unmanaged. Oh, and one of the big themes for groups is we allow guests in our groups, and it's kind of funny to think about, but it's better from a tenant standpoint, at least for us, to bring guests in and have those confidential conversations and collaboration on our tenant using identities that are guests into our tenant, versus the data going away and people leaving our services completely. So we'll bring guests into our services.

But one other thing that I talk about a lot with our groups is we label our groups. Something that's not necessarily an identity construct, but it is a core, I guess, data construct, is how do you manage labeling of things? How do you make sure that I see the right sensitivity? In other words, is something highly confidential or is it wide open to the entire company? And so that way I can define and say this Microsoft 365 group is a highly confidential group.

Maybe it's an internal-only group, but therefore it has policies tied to it. This other group is actually general. It can be all-company for all I care. You can bring guests into it. It's OK. But one of the big things that I think about from a best practice standpoint is all the things around group creation and management life cycle, but also

data delineation. The fact that I have a label on a group means I can delineate the groups which are meant to be open and protect versus the ones that need to be deeply protected because they're backing sensitive data.

Yeah, I see a lot of my clients I've worked with over the years have struggled with this concept of how do you manage the creation of groups. And one, kind of making sure that they are putting good descriptions and good metadata, assigning the owners, assigning sensitivity, writing the description that makes sense to people, and then not making the process too inefficient, right? But usually there's got to be some kind of like check or approval process.

I think what I've seen probably the most is some kind of process where either a third-party tool is in use or there's a lot of PowerShell scripting that takes place after a review has been done of like a request for groups. But I guess, you know, initially when you said, hey, it's delegated, any employee can create groups, I was wondering, what are the mechanics of that, that you know, that you'd have that kind of quality check?

Yeah, no, it's a great question, because an employee can create a group in the Entra portal. They can create a group in Teams. You go on Outlook, go create a new group from Outlook, go create a new group in SharePoint, because I want a new SharePoint site, a team site that's backed by a group. So all those experiences do the group creation flow, and all those experiences basically, they all honor the rules, like we get to define in

Entra who's allowed to create. We get to define the naming rule policies for groups. We also get to define, like we can do prefixing if we were to choose to, obviously, effectively the naughty word list, as we think about it, the words that you just shouldn't put in a group name, things like that are in the blocked word list. Plus the label definition that Entra will, if you have it all configured, will force

collect the label of a group. So it doesn't matter where you create it, whether it's creating in SharePoint or Teams or Entra, it'll collect the label of a group. And from there the group is created, and then we will do checks after the fact. So the in-product provisioning, we're actually letting people, you know, directly in Outlook, right? We're not having a third-party tool or some custom UI to create the group. Go create the group

where you are. We believe that it's actually faster for employees, it's more intuitive for employees to create in in-place experiences, but we're going to hold them accountable to what we created. We're going to force them into the naming rules. Of course we're going to force them into the labeling, and we're going to react after the fact. So we have a bunch of things running against the tenant in a reactive way to watch what's done.

So of course there's all the proactive stuff from collecting the basics, which the product is going to do, and all the reactive validation to go, hey, you didn't have a second owner on this group. We're going to require you to add a second owner to this group, for example, or the second owner's left the company, we're going to catch that and force you to add a second owner, things like that. How do you, I guess, how do you enforce those types of

controls with that? Is it a form-based thing where it's doing like data validation? Is there some tool or maybe PowerShell or something running behind the scenes? How's that work? So that's a great question. I think first, Entra will collect what you tell it to collect, at least in terms of the labeling and naming rules and stuff like that.

Other things are literally Azure jobs running against the tenant that watch, scan for anomalies, catch them, send a notification to the group owner to say the house out, take action basically. And if you don't take action in a certain amount of time, we do delete things. Like one of the nice things about M365 groups and Teams and SharePoint and all these things, these constructs are restorable within 30 days.

So as IT, I don't feel too guilty about deleting it. So if you don't take action as a group owner, I'm going to, you know, I'm going to hold you accountable. If you don't do what I tell you to do, I'm going to delete this thing. I give you plenty of warning. But then yeah, I've got that Azure job which is going to run against the service and wipe your group out. Hey, David, one thing that you touched on and I don't want to

let it go was about nesting. And so I know a lot of my clients that are in kind of hybrid environments have got nested groups, and it seems to be the bane of their existence at some level. I'm wondering kind of what is your perspective on group nesting? So I'll frame it. There's two really good stories here. Part one is Microsoft 365 groups actually don't even support nesting, at least not today. You know, it's actually a really good thing for me.

So I don't even have a nesting thing to worry about on, you know, on Microsoft 365 groups, part one. But there's a catch, because people like nesting. People like their DLs where they've got some VP distribution list made up of a whole bunch of direct distribution lists and they want to bring it all together as security groups or

whatever. What we do for that is we use either dynamic groups in Entra or we have our own group membership management tool, which is actually on GitHub and we can share a link, that people can actually use, just an open-source tool effectively about how do you do group membership management, then automatically populate that VP group, so they don't have to worry about it. So I don't have to have a bunch of nested groups in that VP

group. If I really want to add group 1 into group 2 and a bunch of other things and miss people based on some business rule, for example, all full-time employees under some vice president or all program managers under this team, we can totally do that. Our tool will run and build the group membership out and keep it up to date. I don't need nesting at that point. And that to me is the best practice.

Don't use nesting. If a membership needs to be managed in some tight way with some business rules like that, and/or you want to delegate it down to bring in a whole bunch of other things, use membership management in some way to build your group out. Don't just try to build some nesting hierarchy that people are likely to get wrong, and quite frankly, we see them getting it wrong. Back to your point on security groups, yes, they get it wrong.

We don't realize that this group is embedded with a whole bunch of other groups. I want to go back to something you mentioned about inviting guests into the environment. I feel like this is something that a lot of people maybe don't understand, or maybe isn't configured on their own tenants to kind of do it the way that they are expecting it to. But first of all, let's not lose anybody. What do you define as a guest when it comes to Entra or Microsoft or SharePoint, I should say?

Right. So how I kind of think about that is obviously tenant members, we minted the identity. So we've got joe@microsoft.com, a minted identity, or even a supplier where we're minting the identity, you know, v-joe@microsoft.com, right?

Those are things on our tenant, tenant members. Guests are where we invite, you know, joe@contoso.com as a guest into our project, that you know, if someone wants to bring Joe at Contoso into a team or they want to share a file on SharePoint with Joe at Contoso, they'll bring them into the tenant as a guest and therefore do a sharing. And so the guest effectively is anyone whose identity isn't minted in your tenant. You're not owning the identity

construct. You're simply saying, I trust Contoso is validating it, that the identity is coming from them. I'm forcing some rule, like in our case, our guest model is set up to say we're going to require multi-factor authentication, that the other provider better have that set up. Otherwise we're not going to trust that guest. But assuming they do, and Entra will confirm that, then the guests come into our tenant, assuming of course the

employee invited the guest. And then of course, you've got a life cycle. But I'll get to that in a minute. So the basic construct is anyone who's outside of our tenant boundaries from an identity perspective, we consider them guests. And that guest, can it be a Microsoft account, or can it be a Google account or an email address? Like what's the requirement there? So it can be any work identity from any other organization, effectively anything Entra supports from a guest

perspective. So yes, typically work identities. You can have consumer identities as well, like a Microsoft account. To your point, you can have social identities. We're focused predominantly on work identities that we bring in as guests from Entra, or Microsoft account identities as guests in Entra. As long as we can do a validation to say yes, you really are who you say you are, then we're OK. What is something that people commonly get wrong when they're

setting this up? Because I feel like I've had so many different experiences coming in as a guest to other environments that I'm not sure if there's a right way or a wrong way to do it. Well, I think part one where people can get this wrong is what are you allowing a guest to do, and what are the guest defaults like? I think the big theme that scares companies to bring in guests is kind of a construct of, well, what does this look like? What are we going to get access

to? Which is why your environment has to be configured to basically block guests by default. It has to be a very purposeful act to bring a guest in. So even if a guest is in your tenant in some way, in the directory structure, it doesn't mean they've accessed anything. That guest has to be explicitly added to something to get access to it.

I can bring joe@contoso.com into the tenant as a guest, but until I bring them into a team or invite them to access a file, they're not going to get at anything, right? And so that's a cornerstone. And the other thing when I think about guest management, I mentioned labeling earlier, but that team is going to be, by default, for example, or that 365 group is going to be by default guest-blocked.

Like we say, our default group label is Confidential Microsoft internal only, which means just that, no guests. You have to switch the label to allow a guest to become a member of a group. And then even then you're going to have to have invited that guest and bring them in. And if there's any files, those files are going to have to allow guests. So everything we're doing is guest-blocked by default, but guests allowed based on data label and sensitivity management.

So those are the other big themes. And the other part that I'd say from a tenant perspective is lifecycle management for guests. And that's for us a really big thing. How long should that guest be there? Like, we will wipe guests from our directory if they're inactive for a period of time.

I think it's 60 days right now. And we'll force a reattestation of a guest: when you invite a guest into a team, you'll have to reattest to the fact that the guest should still be there, you know, half a year later, roughly. Should the guest still have access to this thing, the SharePoint, this file, this group, right? We require reattestation all over the place. You had a couple of questions that I was going to ask about that lifecycle.

Part of how long is too long to have a guest who's not doing anything within your environment? Yeah, I'd argue if a guest is inactive in your tenant for 60 days, they shouldn't be in your tenant, right? There's got to be a reason for their presence; that partnership has to be an ongoing thing and someone has to care, right? Someone who invited that guest in needs to care that the guest is still there. Otherwise, why are they there?

It's like, I think my point is it's totally legit to have a sensitive project, even cross-tenant, bringing the guests into a project. I'd rather it be on my tenant, but as soon as that project is done I want it out. And if a project manager forgets to get them out, I'm going to get them out. Oh, they'll never forget. No one ever forgets to remove. No one ever forgets. No, no. Exactly. Access reviews in Entra are essential. I think they're an undervalued thing that's really critical.

SharePoint also has access reviews. If you bring a guest into a SharePoint site or a shareable file, same thing. Access reviews kick off. One of the things that I think people try to take advantage of is delegated authority, and having an admin in an organization kind of manage their own. Does that really apply to the guest environment? Is that more for, you know, let's say your own tenant-minted

identities? Where does the role of a delegate managing a separate organization come into this? Well, I mean, there to a degree you are. I mean, if you're using what's considered native identity, or, yeah, B2B direct connect, that's the other Entra kind of guest construct, then you're basically setting up a trust relationship with another tenant. Or if you're doing multi-tenant organization, you're setting up a trust relationship with another tenant.

And then you're basically delegating to say, yep, I have a deeper level of trust with this other directory, right? Otherwise, with guests you're defining in Entra what basic levels you're going to set the trust at. You can say what domains, for example, you're going to allow in by default, what domains you're going to block, what people are allowed to bring in, and what authentication type

you're going to allow, right? Or you can go all the way in to say, yep, we're going to require conditional access checks, for example, and you must have passed your conditional access checks for your organization, right? Those are all things that you can do that help you be in better shape. And that's when your delegated identity, sorry. No, that's good advice. Let me take this from the angle of what should I not be doing when it comes to that sort of delegation?

Are there things like, oh, you're really probably not going to have a good experience with that, or it's not secure, or guidance like that? Well, I'd say be thoughtful again about who can bring guests in. Do you trust your employees, or are they trained sufficiently? Make sure of it. Again, have a good data delineation story around where guests can access, because to me, inviting somebody into your house doesn't mean you want them to raid your fridge, right?

So make sure you've got a very clear view of your: they're allowed in the living room, but not the kitchen, kind of deal. And make sure it's set up in advance and you've got a clear plan for that in advance. Bringing guests in without any plan is a problem. Like, you don't know what they're going to get, right? And, you know, Microsoft's made mistakes ourselves too. This is not like saying, yeah, we're perfect. We mess up and we keep learning and getting better

about all this. So guest management for us has become a critical thing. We absolutely manage our tenants in a very aggressive way, knowing those principles: allow guests in, the employees are allowed to invite, we will get rid of them, we will make sure our data is properly delineated so they only

have access to the right things. I want to keep talking about SharePoint, but I want to kind of clarify: when it comes to SharePoint Online, are we also talking about Teams? Is there overlap there, and how is it different from an access management standpoint? It's an interesting topic, because every team with the channel hierarchy is a Microsoft 365 group. That's how it's backed, identity-wise. And so the membership in the team is actually membership in an Entra group.

That's how it's defined. That team also comes with a SharePoint site. So when you create that team, you create that Microsoft 365 group, and you get a SharePoint site for it, which has all the advantages now of saying I have a membership aligned to that site, aligned to that team. I have one membership for everything, and it's kind of the one-membership model construct, because it's so

valuable, right? I've got a project team and it doesn't matter if I'm in Planner or SharePoint or Outlook or Teams, I've got the membership construct behind it, and they can work in all those workloads, and they're just against the same Microsoft 365 group behind the scenes. It's pulling it all together, right? That's the beauty of this stuff: that team has that SharePoint site. In fact, Teams, when you think about it, its whole storage layer for files is SharePoint,

right, for any real team. So it all fits together intrinsically. I kind of feel like philosophically the team slash SharePoint is an umbrella that you can hand over to somebody and say, you decide what files go in here, what goes under the umbrella, and then you can manage the permissions within the umbrella, like who gets access to what, but you're not going to be able to break out of that umbrella to manage the

permissions beyond that. So it's kind of a safety zone, but I feel like that is an uncomfortable situation sometimes for, you know, people who own identity and access management, in that it seems to me like it's just the area that you hand over to somebody else. Do you kind of feel like, I guess that's the way the product's designed, but in your experience, are you worried about kind of what they do under their umbrella, or is that?

Oh, yes. And I think there are some strategies for that, everything from based on type of site. You know, you have this deep secret site, highly confidential as we call it. Maybe the owner doesn't allow any sharing on the site. There are SharePoint settings to say only the owner of the site, the owner of a group, can share anything on it. No breakaway permissions, no sharing. Everything's completely tied to the membership of the group, which is tightly

controlled, right? So you do that as an example. You can block downloads, you can rights-protect content on that site. So you can absolutely lock down SharePoint and have the access management be entirely controlled and limited to the Entra group.

In fact, with the new kind of user-defined permissions in SharePoint, a type that is backed by a rights protection envelope, effectively you can literally allow downloading of encrypted content such that if someone loses access to the 365 group and SharePoint site, they'll lose access to the downloaded content too. They won't be able to decrypt it anymore. We kind of go that far, and so we can do a ton of protection, so that I can choose

to say yes. But because this is a tented project, the owner controls everything, effectively. And by the way, I have very much a trust-but-verify model, in that we let people create things, as I noted, but we'll not only make you attest to things, we'll make you label things. We also will double-check to make sure you got it right. So everything from Purview DLP to scan for your patterns, and hey, we found a password on this site in a file somewhere.

We're going to flag it. We're going to do something about it. We run oversharing reports, including what's now in SharePoint Advanced Management, to say you shared this confidential site with half the company; that's not allowed. And we flag that, and such reports can look for that kind of thing.

So we can then take action. So I'd say there are times that you're going to have a hard, aggressive lockdown model, and there are times that you're going to do a trust-but-verify model, to say I'm going to let people do things, but within some boundary, and then I'm going to verify that they got it right, and if they got it wrong, I'm going to take action. David, I feel like when we all talk about our 20-plus years and whatever, we kind of date ourselves. I'm going to give you a blast

from the past right here. So do you remember a product called MOSS? MOSS, which was essentially SharePoint; you could build websites with it. Is there, I don't think MOSS is around anymore. What is there, a replacement? What's the deal? Well, SharePoint lets you build what are considered portals, communication sites. And so in fact, within Microsoft, our internal portals are all on SharePoint.

As an example, the construct of having a SharePoint platform provide external sites doesn't exist right now, but internal sites, absolutely, right? So people, as opposed to using some other platform, will normally be using SharePoint as their web hosting for some communication site, like our HR portal, for example, and corporate portals. They're all in tech web, as we call it; they're all on SharePoint. And so, but they're a different type of SharePoint.

So when you think about SharePoint from a collaboration and Teams perspective, that's kind of type one. When you think of this other type, cloud communication sites, where you're building a portal for, you know, providing information to your company, that's kind of the other big type that we absolutely

still use. But what you might think of as MOSS, as a kind of a communications front end, you know, it's now everything from Viva, including everything from Viva Amplify and Viva Connections, to of course core communication sites in SharePoint. So I mentioned earlier that you've been with Microsoft for 25 years. So speaking of age and aging ourselves, I want to shift maybe a little more to the

future here. What are some of the things that you see changing when it comes to this topic? Either Entra group permissions, SharePoint sites, like what is, and I'm not going to hold you like you're the product person, right? These are not promises. But how do you see this evolving over time? Well, I think, you know, there are two themes, and I think one, helping our employees get it right, becomes one of the big

themes, right? And whether you think of it as AI or you think of it as good intelligence against a service, watching what employees are doing, helping steer employees into the right behavior, helping make sure you're detecting and almost fixing when something has gone wrong.

You know, that's kind of to me where I see a lot of this going: the constructs of, when I say labeling, that we're kind of going labeling everywhere, so more and more content and things are getting labeled. Like we label a meeting, for example, and that meeting label will then define, you know, potentially what the files for that meeting should be that come out of the meeting. If you have a meeting recording, it should be as sensitive as the meeting itself.

The identity management, again, you'll be limited based on a label of what's allowed, so that highly confidential thing will have rights protection tied to it, for example. And so these things all fit together to me, and again, to your point earlier, your identity is absolutely the center for all of this. But I think that's a big part. The other thing for me is, of course, Microsoft Copilot is one of our big things that we're working with and

trying to enable. And as we envision where we're going with Copilot, you think of data management and data hygiene and protection. That's kind of cornerstone. AI is fantastic, but if you have bad or overexposed information, AI is going to surface it. AI is not going to care whether it shouldn't show you something. If you have access to it, it's going to show it to you.

So getting permissions right, getting the memberships right, getting identities right is absolutely cornerstone to good and well-managed AI. And that to me is a fundamental part of our future. And that, you know, when I think about managing and governing our services, really it's to make Copilot shine. So you took my Copilot question, because that's what I wanted to ask you: how do you see this kind of evolving with that? So I'm going to take it in

another direction. We're going to go backwards. Is there a particular innovation or thing that happened, we'll just call it in the SharePoint environment or the group permission management, that kind of thing, that you see as like, oh yeah, when we did that back in X, that really kind of changed the game of how we're approaching this or made things easier? Like, is there something that stands out? I think I'd pick on a couple of

key things. I think one, we have group membership management for VP groups. The fact that all of the engaged community for some organizations is automatically created and constructed in an Entra group serves the right people. That's cornerstone. Us getting labeling even tied to the Entra Microsoft 365 groups, again, cornerstone: the fact that I can differentiate that highly confidential data from that

general data. Those are things that make a big difference in the IT organization. That, you know, we have some 100,000 SharePoint sites, as an example. You think of the volume. How do you know? Like, that's why labeling, and, you know, I get hung up on that kind of conversation. People think I talk about labeling a lot, because otherwise how does IT know when

something's overshared? IT has no way of differentiating that massively shared file from someone's site from another unless you have the delineation labeling in place to tell you, by the way, this is highly confidential; that oversharing is probably wrong, versus not.

And I think getting that kind of theme right was essential as we kind of got on this journey with SharePoint. That's allowed us to do better trapping of when employees get it wrong and kind of steer them in. So to me, those are kind of cornerstones of things that I think about that are really critical. David, I'm going to take you back even further. So this is kind of a fun one. So I met Steve Ballmer over a decade ago. Of course, I remember that.

He's like a giant, right? He's a very large human being, which I think you don't realize until you meet him in person. But he's also a very nice man. So I think sometimes people don't think about that when they think of him, but, like, that's what I was reminded of, is just like, he was a gentle giant, if you will. I've never met Bill Gates.

I've never met Paul Allen. I love the pictures of them, like when they first started the company, because Paul's got that big grizzly beard and Bill's kind of like this younger, lean kind of guy. But I'm wondering, have you ever met any of those three? I've met Bill in passing, but, like, never had any presentation. Same thing with Ballmer. I've been in meetings with Ballmer and Satya. So I mean, these things are, it's great to be in those conversations.

It's great to watch them in action. Like, you know, not only are Ballmer and now Satya incredibly, you know, I think almost to your point, gentle giants, but I'd also say wise and smart, asking the right questions. And that's what you want your leaders to do, right, is ask the right questions, you know, challenge assumptions. Ballmer did that and now Satya does that in spades. Like the questions, and continue to learn and self-improve.

That's a cornerstone of our culture, right, at Microsoft, and I think we've evolved over time to get that. Our CEOs over the years have been continuing to build that cultural improvement, which, you know, I'm excited about, and I

I've watched it happen. I've watched the company go from a very, and sometimes difficult, culture at times, where you have, you know, potentially conflicting situations, to where, you know, it is much more of a one Microsoft kind of challenge-assumptions-to-make-yourself-and-the-company-better, growth mindset kind of mentality,

essentially, you would call it, right? So, yeah, I love where we are, and our leaders have, I think, back to your point, grown, and it's just amazing, this history we've had and how we've changed so much as a company over the years. An interesting ride for sure. So I'm happy you were able to spend some time with us. I know it's a Friday, late afternoon for you. I want to get the weekend started before we let you go. What do you do for fun outside of this?

I think you mentioned you have some travel. Maybe you're going to Hawaii. Yeah, I know. I'm a big travel fan. I love to travel to tropical places in particular. So, you know, if you put me on a beach, you know, I'll happily follow a turtle, kind of deal, you know, go snorkeling, follow a turtle, go diving, go explore a little bit, right? Those kinds of things. But that's my happy place,

right? So, you know, when I'm in the Seattle/Redmond area, it's like, it's cold. It's, you know, not nice. Now when I travel, yeah, I'm happy. Is there a particular place that you like to go the best? Like, what's your favorite spot to go to? I'm still a Maui fan, kind of Polly, Maui. That's my home base basically when I'm in the islands. But, you know, anything tropical with beautiful sand, you know, nice water, that fits my place, right?

So almost anywhere. I mean, I've been to many, many places like that. You know, I've been to Tahiti and lots of great tropical destinations. But for me, Hawaii and Maui is still home base, right? All right, so you're a veteran. I've never been to Hawaii. Give me a pro tip that I can use to say, OK, you know, this is not some newbie coming over from the mainland. I think be open, be kind, for Maui.

I mean, Maui, the people, the place, respect for the environment, it's really cornerstone. You come in as a tourist, you're not going to get, it's not quite as you want it to be. I guess I should say, don't come in as a tourist, but come in as someone who wants to embrace the area and, you know, embrace the culture, embrace the beauty, you know, and not running to go to the mall, not running to go to some restaurant, right?

Like, just enjoy the time, enjoy the people, enjoy the culture, right? That's, to me, the Hawaiian thing, right? You know, the spirit of Aloha is real. Jim, have you ever been to Hawaii? I have, and I've been to Maui and I love Maui. I've only been there once, but my pro tip would be, outside of all the tips that everybody will give you, you've got to be on island time.

If you go there and you're like, all right, chop, chop, got to, you know, we're going to get breakfast and we're going to drive all the way around the island, then we're going to do X, Y, and Z, you're probably not going to be happy there. I'll still be happy there, but you might make everybody else miserable. Go there, be on island time, and then, you know, the tips that everybody will give you: you've got to try the banana bread.

So there's this: you can drive all the way around Maui, and you feel like you're in different places at different parts of the island because of the amount of rain that they get and stuff like that. And there's also a big thing which I've not done, but when I get back I want to do, which is you can get on a bike and go around this volcano, and basically you don't have to pedal, because the car drives you to the top.

And then you just ride the bike down the volcano and let gravity do the work. But you can rent a Jeep or something like that and drive all the way around the island. And there are people who live on these little plantations, and I don't know if you would call it like survival farming or whatever, but they basically just live there and they do the farming, and then they make the banana bread and sell it on the roadside, and it's just super cool.

If you haven't been there, you definitely should put it on your list. Oh no. Banana bread, yes. I'll say you're getting a head nod from David. So definitely you're hitting that chord there. Yeah, and, you know, you're right on the island time thing. Absolutely. Just chill, you know, that's what I mean: I'm following a turtle, respectfully, of course. Yeah, respectfully, that sounds like something I can get behind when I go on vacation. I don't typically like to have

an itinerary. It's kind of like, all right, we'll just kind of do whatever today. So island time sounds like the perfect spot for me. So OK, we're going to let you go. David, we appreciate you spending some time with us. We're going to wrap things up for this week. Let's see what else. I'm going to have your LinkedIn in our show notes, if that's all right. If people have questions about things or whatever it may be, you know, feel free to reach out.

And then I hope you'll come back and share some more tips and tricks from the wizard himself at some point in the future. So with that, we'll leave it for this week. You can find us on the web, idacpodcast.com. If you like what you heard, hit that like and subscribe button, whether you're on YouTube or whatever podcast app. If you don't like it, hit like anyway and then send it to a friend and trick them into listening to it.

We don't care, as long as people are listening or watching. That works for us. And yeah, connect with us on LinkedIn if you have questions, comments, ideas for shows, things like that. Jim and I read all that stuff and we try to take that under advisement for future episodes. So thanks everybody for watching and/or listening, and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show.

Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed.