Balancing Self-Service with Governance and Control in Office 365

When designing the Shire intranet, one of our earliest decisions was to enable our users to provision their own sites without needing to involve the support team. Traditionally, IT has placed controls and process around the creation of SharePoint sites with the goal of preventing sprawl and maintaining a centralized repository of all sites and their basic metadata.

Having built a number of custom site provisioning processes and governance strategies for SharePoint 2007-2013, I understood that we always started with the best intentions of preventing duplication and reviewing each request. As the number of requests increases over time and our focus is split across many competing priorities, we often fail to live up to our noble aspirations and blindly approve all incoming site requests.

During a rollout of Yammer in 2015 I came across a great article on Yammer vs SharePoint governance by Rich Wood that further influenced my perspective on self-service. Rich describes traditional SharePoint as a heavily architected, controlled, locked down environment in contrast to Yammer’s free and open communication style. Rich focused heavily on who can contribute content, join in conversations and pull people into a conversation. For me, the interesting part was that in Yammer, anyone could create a new group and admins had no ability to disable or stop group creation.


To monitor for the creation of new Yammer groups, one simply monitored for the “has created” phrase as each new group is announced in the All Company feed. At that point, the Yammer admin can reach out to the group owners to offer training, collect metadata or even take down the group if it was inconsistent with company guidelines. In 2015 I had reservations about this monitored self-service model but found that the key to success was actually monitoring which groups were being utilized and promoting them while removing groups that weren’t active. Let the business create new groups to support community or project conversations, just be diligent about cleaning up unused groups to avoid confusion.

Whether we are discussing Yammer or SharePoint, the act of creating a group or site is inconsequential and costs us nothing. The objective is to discover the site before the user invests too much effort or shares the site broadly. If we reach the user early, we can accomplish our business outcomes of education, governance, and cataloging without impacting the user’s ability to provision new Sites or Office 365 Groups from SharePoint, Outlook, Teams, Stream, Planner, PowerBI, Yammer etc.

At the start of this project we had 5 on-premises SharePoint environments and 2 Office 365 tenants. To accomplish our goal of consolidating to a single Office 365 environment we needed a single source of truth for our SharePoint inventory data: the metadata and status of each of the sites. We created a command line agent that connects to SharePoint APIs and captures all new sites into a centralized database. The application runs every 5 minutes, collects any new sites and gives them a status indicating that they are new and that we haven’t collected information about the site yet.


After identifying a new site, the agent adds a SharePoint Framework Extension to all modern SharePoint sites and a User Custom Action to classic SharePoint sites, injecting JavaScript into the page that loads our governance banner.


How it works:


The SharePoint Framework Extension or the User Custom Action loads a script onto every page of the site. The script collects the userID of the logged-in user and the URL of the site collection and calls an HTTP-initiated Azure Function that sits on our Site Catalog database. The function returns a block of generated HTML based upon the status of the site in our catalog and whether the user is an administrator. For each governance status, the database stores an HTML/Handlebars template that is rendered by the Azure Function based on data in our Site Catalog. This lets us easily define custom banners for Newly Created Sites, Sites Requiring Recertification, Sites Requiring Migration, or even a custom redirect for Migrated Sites.



From the big red banner, a user can click through to an app where they can provide information about their new site that is captured in the site catalog database. Once we have received information about the site, the status in the database is changed and the banner no longer displays. When six months elapse and we want to recertify the site, we simply change the status of the site in the catalog and a new banner is displayed to users.


If a user doesn’t want to complete the form right away, they can dismiss the banner for 24 hours and access the site.
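The banner decision described above, sketched as an added example rather than the author's Azure Function. The status keys, the admin/member template split, the `dismissedAt` field and the `catalog.example` URL are assumptions, and the `{{name}}` substitution is a minimal stand-in for Handlebars that escapes every value, since site titles are chosen by end users and the HTML lands on every page.

```javascript
// Per-status templates; {{name}} is a minimal stand-in for Handlebars escaping.
// Status keys and the admin/member split are assumptions for this example.
const TEMPLATES = {
  New: {
    admin: '<div class="gov-banner red">Register <b>{{title}}</b>: <a href="{{registerUrl}}">open form</a></div>',
    member: '<div class="gov-banner red"><b>{{title}}</b> has not been registered yet.</div>',
  },
  RequiresRecertification: {
    admin: '<div class="gov-banner amber">Recertify <b>{{title}}</b>: <a href="{{registerUrl}}">open form</a></div>',
    member: '',
  },
};
const DISMISS_MS = 24 * 60 * 60 * 1000; // a banner can be dismissed for 24 hours
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Every substituted value is escaped before it reaches the page.
function render(template, data) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) => escapeHtml(data[key] ?? ''));
}

// site: catalog row; user: { isAdmin, dismissedAt }; now: epoch milliseconds.
function bannerFor(site, user, now) {
  const byAudience = TEMPLATES[site.status];
  if (!byAudience) return ''; // registered or unknown status: no banner
  if (user.dismissedAt != null && now - user.dismissedAt < DISMISS_MS) return '';
  // The link is built server-side; the site URL is only ever a query value.
  const registerUrl = 'https://catalog.example/register?site=' + encodeURIComponent(site.url);
  const template = user.isAdmin ? byAudience.admin : byAudience.member;
  return render(template, { title: site.title, registerUrl });
}

// Constructed sample data.
const NOW = Date.UTC(2018, 5, 1, 12);
const SITE = { url: 'https://contoso.example/sites/rd', title: 'R&D <Projects>', status: 'New' };
console.log(bannerFor(SITE, { isAdmin: true, dismissedAt: null }, NOW));
```
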

The process of letting users create sites immediately without IT intervention has been incredibly successful resulting in up to 50 new site collections per day being created.

In our tenant we hide the ability for users to create subsites within modern sites giving us an extremely flat information architecture.

By collecting this data about each and every site as well as the business sponsor for each site, we can easily communicate with the owner, provide a managed decommissioning / archival process for unused sites and identify all SharePoint sites for a particular business function, location, or line of business.

Around the globe and around the clock, users can provision new SharePoint Sites and Office 365 Groups to meet their needs without waiting for IT. Within minutes of site creation, users are prompted with a banner (and an email) requesting that they register their site and providing additional guidance and training. If a site hasn’t been registered within 30 days, the status is updated and a decommissioning process begins automatically, enabling a clean, governed environment with self-service for all.
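The catalog agent's pass (discovering new sites, then applying the 30-day and six-month rules) can be modelled as below. This is an added example, not the author's agent: the status names, the field names and the in-memory `Map` standing in for the Site Catalog database are assumptions, and the list of tenant URLs is passed in rather than fetched from the SharePoint APIs.

```javascript
// Status and field names are assumptions; the 30-day and six-month periods come from the post.
const DAY_MS = 24 * 60 * 60 * 1000;

// SharePoint URLs compare case-insensitively; normalise so a site is catalogued once.
const keyOf = (url) => url.trim().toLowerCase().replace(/\/+$/, '');

function addMonths(epochMs, months) {
  const d = new Date(epochMs);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d.getTime();
}

// Step 1: anything the tenant lists that the catalog lacks is recorded as New.
function discover(catalog, listedUrls, now) {
  const added = [];
  for (const url of listedUrls) {
    const key = keyOf(url);
    if (catalog.has(key)) continue;
    catalog.set(key, { url, status: 'New', firstSeenAt: now, registeredAt: null });
    added.push(key);
  }
  return added;
}

// Step 2: time-based transitions for a single catalog row.
function nextStatus(site, now) {
  if (site.status === 'New' && now - site.firstSeenAt > 30 * DAY_MS) return 'Decommissioning';
  if (site.status === 'Registered' && now >= addMonths(site.registeredAt, 6)) return 'RequiresRecertification';
  return site.status;
}

// Apply the transitions and return an audit trail of what changed.
function sweep(catalog, now) {
  const changes = [];
  for (const [key, site] of catalog) {
    const to = nextStatus(site, now);
    if (to === site.status) continue;
    changes.push({ key, from: site.status, to });
    site.status = to;
  }
  return changes;
}

// Constructed run: two spellings of one site, seen on the first pass.
const T0 = Date.UTC(2018, 0, 1);
const demoCatalog = new Map();
discover(demoCatalog, ['https://contoso.example/sites/HR/', 'https://contoso.example/sites/hr'], T0);
console.log(sweep(demoCatalog, T0 + 31 * DAY_MS));
```
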

3 Replies to “Balancing Self-Service with Governance and Control in Office 365”

    1. I haven’t seen folks use Azure Automation for this but have certainly demoed it with Azure Functions. While interesting, you lose the self service from the native endpoints including Yammer, Planner, Stream, Teams etc and place an approval process in the middle which didn’t align with our goals. That said, it’s a new way to do the site creation process I hadn’t seen so worth a read for anyone who hasn’t played with Azure Automation. Thanks for sharing it!

      1. I was thinking more in terms of the technique for monitoring the sites with Azure Automation rather than the specific use case I wrote up in the post. I know that we have had clients that wanted to set up the approval process but I like your take on that in that creating site collections, Groups, etc. by itself “costs us nothing” in terms of Governance. I think that the shift in thinking from “control over who does it” to “monitor and remediation” is one that will take some selling to the admins in our clients but worth the conversation in Governance engagements. Thanks.
