As with any part of M365, it’s important that we look to protect and govern the different apps, services and data it provides. That’s no different for Microsoft Viva, so today’s post is going to go into some detail on the different permissions, management, and governance for each of the different modules within Microsoft Viva.
The first task is to understand how each module’s environment is built, as this will give us an idea of how we can control it. For example, Viva Connections relies heavily on the SharePoint admin and permissions model, with a little bit of Teams admin management sprinkled on top. So, below I’ll dive into each module and give some details of the roles, permissions management and governance available for them. Another important factor is knowing who within your organisation is best suited to the different roles and access levels, so I’ve tried to add a persona/type of person/job function you may want to consider for each one.
Viva Connections
As mentioned in the example above, Viva Connections relies heavily on the SharePoint admin and permissions model, so I’ve broken this down into the different tasks and the roles required to perform them.
- Step 1: Prepare your intranet navigation design and content. Below are the different roles required and what tasks they can perform.
  - SharePoint or Global Administrators can create home sites and hub sites.
  - Site owners of the home site (or higher) can enable and customize global navigation.
  - Site owner and site member permissions are required to customize site-level navigation.
- Step 2: Designate a home site in SharePoint
  - SharePoint administrator (or higher) can create a home site.
- Step 3: Enable the SharePoint app bar and customize global navigation
  - Site owner (or higher) permissions to the home site are required to enable and customize global navigation in the SharePoint app bar.
- Step 4: Create your Dashboard, add cards, and apply audience targeting in SharePoint
  - Site editor (or higher) permissions to the Dashboard site are required to create and edit Dashboard resources.
- Step 5: Get content ready for your Feed with SharePoint news and Yammer
  - Permissions required to create a Yammer community vary depending on your organization.
  - Permissions required for SharePoint news:
    - To create an organization news site, you need SharePoint administrator permissions.
    - To create news stories, you need page-edit permissions or higher.
- Step 6: Enable the Viva Connections app in the Microsoft Teams admin centre
  - Teams administrator (or higher) permissions are required to add the Viva Connections app to the Teams Admin Centre (TAC).
- Step 7: Choose settings for your mobile Viva Connections app
  - Site editor (or higher) permissions to the Dashboard site are required to choose settings for the mobile experience.
As you can see, most of the roles are based around the SharePoint permissions framework, so if you’re familiar with this then it’s a good starting place.
Viva Insights
When it comes to Viva Insights, some of the roles may be familiar if you were using Workplace Analytics.
Insights Admin Role – Has access to Data sources, upload pages within data sources, and analyst settings. The admin is responsible for configuring the privacy settings and system defaults and for preparing, uploading, and verifying the organizational data for Viva Insights. Think of this role as an IT admin or analyst who will be doing the nitty gritty of switching Viva Insights on.
There are 2 things to note here with the Insights Admin Role:
- Insights Administrators are not Microsoft 365 admins. Unless they are also assigned the role of Microsoft 365 admin, they only have access to organizational data, not to Microsoft 365 data.
- The Insights admin and the legacy Workplace Analytics admin are interchangeable roles.
Insights Business Leader – Insights Business leaders can see organizational insights on the My organization page within the Viva Insights app in Teams. This is for your leadership team, to give them access to their leadership/organisational insights and help them make decisions that drive better wellbeing and employee experience through the company.
People Manager – People managers are assigned access by the Viva Insights admin. Managers can see their team’s group insights on the My team page within the Viva Insights app in Teams. This is used for people managers within your organisation, allowing them to view insights relating to their direct reports (remember, a minimum of 5 direct reports is needed for it to surface any insights).
Analyst – Has full access to all service features except Upload and some Analyst settings that are only available to admins. An Analyst has the most complete access to data, including the ability to launch, manage, and track Plans in the advanced insights app. This role is for your Power BI peeps, or maybe still business leaders or programme managers. They’ll be able to see all the BI information and really get a grasp on the powerful data-driven insights. Remember all insights data is anonymised, so no need to worry from that point of view.
Analyst (Limited Access) – Same as above but with a couple of restrictions:
- No access to Query designer.
- Read-only access to Analyst settings where the meeting and attendee exclusion rules are defined.
Program Manager – Has access to organizational data for Viva Insights within the advanced insights app. A Program Manager can also open, manage, and track Plans in the advanced insights app. Great to give this role to someone who is leading the programme of change, so they can report on things and have that bird’s-eye view.
So, those are the Viva Insights roles, and hopefully they all make sense. I’ve added the types of people who may require the different roles at the end of each one. Microsoft’s documentation has more details on this.
Viva Topics – Access
Right, when it comes to Viva Topics, first up is the setup of it all. This requires either the Microsoft 365 global admin or SharePoint admin role, and with it the admin will be able to perform the setup tasks below.
- Select which SharePoint sites will be crawled for topics.
- Select which licensed users can view topics (topic viewers).
- Select which topics will be excluded from being identified.
- Select which licensed users can create and edit topics (topic contributors).
- Select which licensed users can manage topics.
- Name the topic centre.
A note on this: your global admin or SharePoint admin essentially becomes a Knowledge admin, because all the setup is done within the M365 admin centre.
Next up are the roles required to manage Viva Topics on an ongoing basis, which are listed below.
Topic viewer – Topic viewers are users in your organization who can view topics highlighted in their SharePoint modern site, Microsoft Search through SharePoint and Office.com, and the topic centre. They can view more details about a topic on the topic page. We have now seen this ability to view highlighted topics in OWA, and soon it’s coming to Teams, which will be a really big win.
Just to note, for topic highlights and their topic pages to be visible to a topic viewer, the user must:
- Be assigned a Viva Topics license by their Microsoft 365 admin.
- Be allowed to have visibility to topics. This task is done by the knowledge admin in the Viva Topics settings page in the Microsoft 365 admin centre.
This is something you’d want assigned to the majority/all of your workforce so they can all gain the value of Viva Topics within your organisation.
Topic contributor – These are your people who not only need to be able to view topics as above, but also need the ability to edit an existing topic or even create a new topic. They are granted this ability by the Knowledge Admin, and it can be done via an Azure AD security group, which is always the best way of managing it. A topic contributor can also create and publish a new topic through their topic centre.
The topic contributor will see an Edit button displayed on Topic pages, which is what allows them to make updates and publish a topic.
Knowledge manager – Knowledge managers are users who manage topics in your organization. Topic management is done through the Manage topics page in the topic centre, and it’s only visible to knowledge managers. These knowledge managers are like a crack team of people who really get the value behind knowledge management. They should have a good overall knowledge of your business and also know who within your different business areas are subject matter experts for chosen topics. These people need really good communication skills. A good example of this: if a new project has sensitive information, the knowledge manager needs to be informed so that they can make sure that the SharePoint site is not crawled for topics, or that specific topic names are excluded.
The knowledge manager will be able to perform the tasks below:
- View AI-suggested topics.
- Review topics to confirm that they’re valid.
- Remove topics that you don’t want visible to your users.
With Viva Topics it’s less about built-in Azure AD roles and more about the knowledge admin controlling the level of access through the M365 admin centre, preferably using an Azure AD security group for ease of management.
Viva Topics – Governance
Along with the above roles and access, there are some governance features within Viva Topics which are a great addition. This is where the knowledge admin role would work with team leaders and knowledge managers to protect sensitive information. Currently you can upload a list of keywords, topic names or private code names that need to remain confidential and exclude them; once excluded, knowledge indexing will not identify them as a topic. There are some great features here, like choosing whether the keyword needs to be an exact match or only a partial match.
Currently on the roadmap for GA in May 2022 is the ability to select a sensitivity label to exclude sites from topic discovery. This can’t come soon enough in my opinion and will really bolster the governance and compliance for Viva Topics.
Viva Learning
Finally, we have Viva Learning, and this is probably the simplest of the 4 modules. It is available by default in Microsoft Teams with some content already enabled.
To set up learning content sources in Viva Learning and manage individual licensing, you’ll need these permissions:
- Microsoft Teams admin
- Microsoft 365 global admin or SharePoint admin
- Knowledge admin
Summary
Let’s summarise – Microsoft Viva is essentially already built upon the strong framework of security controls and governance that M365 and Azure have at their core, so you can rest assured that you are covered from this perspective. It does, however, hold some very powerful data from within your organisation’s tenant, so each of the modules requires some thought-out planning to make sure it’s implemented correctly.
Let me know your thoughts on Microsoft Viva and its security and governance controls, and if there is anything else you’d like to see. As I mentioned earlier, I’m looking forward to the 2 roadmap items below becoming GA.
- Use Microsoft Information Protection (MIP) sensitivity labels to control which sites should not be included in topic discovery.
- Use Microsoft Information Protection (MIP) sensitivity labels to control which files should not be included in topic discovery.