Collaboration in times when the world is no longer growing together
You should know that I have been working in information technology for more than 20 years now, more than 15 of them in international projects, and I have seen some collaboration tools come and go. But what Microsoft has achieved with Microsoft Teams as the central platform integrating all Microsoft 365 core services has never been achieved in this form before, and never with this growth. If a good IT team works in the background and breathes even more life into this tool, the user only has to start Microsoft Teams in the morning and has found the core tool for the complete business day. So here we have a product that users like, that the IT team also likes, and that is easy to use for both groups. Don't get me wrong: simple handling does not mean that complex scenarios cannot be represented here. Integrating Power Apps applications into a channel, or displaying sales figures in real time via Power BI, is all feasible thanks to the unique variety of products Microsoft offers in the M365 package.
I don't think I need to introduce Microsoft Teams as the collaboration tool par excellence; there has never been a software product with comparable growth in the history of Microsoft. In March 2019 Microsoft Teams hit 44M daily active users, spiking 37% in one week amid the remote work surge. So now we realize that we have a tool that is easy to implement, adapt and maintain, and that is ideal for collaboration between departments and locations of a company, be it for project management, to provide a source for up-to-date project documentation, or to hold joint meetings on current projects. But when we think about the rollout, a global rollout, we recognize that we may have a bigger problem here…
Now let's imagine that we are this one #awesome company called
“Crazy to act internationally”
or short “CTAI”, which does not only operate within one country but has, for example, a head office in Germany and one in America.
You would say: “Where is the problem?” We have a Microsoft tenant and we have synchronized all users from the common Active Directory, so there should be no problem assigning a license to these users, creating the teams and letting creativity run free.
Not quite. There are legal frameworks here, which we can divide mainly into data residency requirements and protection of personal data. The requirements are of course not the same worldwide; that would be too easy.
In Germany, for example, there is the DSGVO (GDPR), which regulates the protection of personal data, whereas other countries have different laws. Also, what is classified by law as personal data differs from country to country.
So first of all we come to the area of data residency requirements. Here Microsoft introduced a new license a few years ago called Multi-Geo.
Multi-Geo
With Microsoft 365 Multi-Geo, you can provision and store data at rest in geographic locations that meet data residency requirements. With this technique, any user whose data at rest is not to be stored in the data center of the original tenant needs a Multi-Geo license. Please keep in mind that when you want to go the Multi-Geo path, you have to have a specific number of licenses, and related to that you will get a specific number of Multi-Geo licenses. In short, Multi-Geo is not an option for a company with 300 users, but keep up with the latest information here: Microsoft regularly decreases the number of licenses you need to adopt Multi-Geo.
Let us come back to “CTAI”, which has one source tenant in America and now has 200 users operating in Germany. This results in the purchase of 200 Multi-Geo licenses, because their data needs to move from the United States to Europe.
Now we have covered the licensing part, but what has to be done in the background?
The IT department of our demo company "CTAI" has to decide which Multi-Geo locations should be created. This is a one-time action. Here we depend on the Multi-Geo locations that Microsoft offers. Check out this page to get an overview of what Microsoft is offering here.
We quickly found the Multi-Geo location EMEA / EUR, went to the SharePoint Online administration and created a new Multi-Geo location for our German users. What happens in the background? A new SharePoint Online structure is created. Our SharePoint URL was https://awesome-ctai.sharepoint.com before, and now our European location is called https://awesome-ctaiEU.sharepoint.com.
Please keep in mind — Multi-Geo does not make you GDPR compliant!
Now when “CTAI”'s German user Thomas creates a new SharePoint team site called BEST-DEPARTMENT, IT wonders why this site is still placed below the structure of the American SharePoint site. We also heard that Microsoft Teams teams created by several users continue to be created in the American structure of “CTAI”'s SharePoint Online.
There is something we missed here!
Preferred Data Location
In the user account there is an attribute called preferred data location, or PDL for short. It must be set to the code of the preferred Multi-Geo location. “CTAI”'s IT must now assign the value “EUR” to the 200 users located in Germany. This value is synchronized to Azure AD (please check whether you have to map the attribute manually). Once the attribute is also set in Azure AD, the Exchange Online mailbox attribute is aligned to the PDL setting and the mailbox is automatically moved to an Exchange Online structure whose databases are located in Europe. All new content will also be created automatically in the Multi-Geo location EUR.
The already created, wrongly placed content has to be moved manually from America to Europe, which works well thanks to a well documented procedure here. Microsoft provides several PowerShell scripts, with examples for SharePoint Online and OneDrive for Business.
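The PDL assignment and the follow-up move described above, as an added example for the "CTAI" scenario; this is not code from the original post or from Microsoft's own scripts. It assumes the RSAT ActiveDirectory, MSOnline and SharePoint Online modules are installed, that the German users live in one OU, and that the OU name, mail domain and admin URL are placeholders I constructed.

```powershell
# Added example, not code from the original post or from Microsoft's scripts.
# Scenario: stamp PDL = EUR on CTAI's German users, verify the value in
# Azure AD after sync, and move OneDrive content that was created in the
# default (US) geo before the PDL was set.
# Assumptions (not from the post): RSAT ActiveDirectory, MSOnline and
# Microsoft.Online.SharePoint.PowerShell modules are installed; the German
# users live in one OU; OU, mail domain and admin URL below are constructed.

Import-Module ActiveDirectory
Import-Module MSOnline
Import-Module Microsoft.Online.SharePoint.PowerShell

$GermanOU  = "OU=DE-Users,DC=ctai,DC=local"               # constructed placeholder
$TargetGeo = "EUR"                                        # Multi-Geo code for EMEA / EUR
$AdminUrl  = "https://awesome-ctai-admin.sharepoint.com"  # assumed admin URL for the post's tenant

# 1. Stamp msDS-preferredDataLocation on-premises. Azure AD Connect maps this
#    attribute to preferredDataLocation in Azure AD (check that the attribute
#    is in scope of your sync configuration, otherwise map it manually).
$users = Get-ADUser -SearchBase $GermanOU -Filter * -Properties msDS-preferredDataLocation
foreach ($u in $users) {
    if ($u.'msDS-preferredDataLocation' -ne $TargetGeo) {
        Set-ADUser -Identity $u -Replace @{ 'msDS-preferredDataLocation' = $TargetGeo }
    }
}

# 2. After the next sync cycle, verify the value arrived in Azure AD. A user
#    with a blank or different PDL keeps creating content in the US geo.
Connect-MsolService
$wrongPdl = foreach ($u in $users) {
    $cloudUser = Get-MsolUser -UserPrincipalName $u.UserPrincipalName
    if ($cloudUser.PreferredDataLocation -ne $TargetGeo) { $cloudUser }
}
$wrongPdl | Select-Object UserPrincipalName, PreferredDataLocation | Format-Table -AutoSize

# 3. OneDrive content created before the PDL was set still sits in the US
#    geo. Queue one move per user and check the move state afterwards.
Connect-SPOService -Url $AdminUrl
foreach ($u in $users) {
    Start-SPOUserAndContentMove -UserPrincipalName $u.UserPrincipalName `
                                -DestinationDataLocation $TargetGeo
}
Get-SPOUserAndContentMoveState -UserPrincipalName "thomas@awesome-ctai.com"   # constructed UPN
```

Step 2 is the check worth keeping around: any user it lists will keep landing new sites, teams and mailboxes in the American structure, exactly the symptom Thomas hit.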
Now let’s make things a little more difficult
Thanks to a great offer, our demo company “CTAI” has now bought new production facilities in China and Russia.
In the course of the purchase, cooperation between departments is now one of the highest priorities for “CTAI”, so the IT department is asked to offer a SharePoint Online space where Russian documents can be stored. Furthermore, a completely new SharePoint structure for China and Russia is required.
After the new Multi-Geo location APC (Asia Pacific) was created for China, it was quickly and frighteningly discovered that there is no Multi-Geo location for Russia. Based on the Microsoft Multi-Geo reference page, this content would be stored in the EMEA region.
Let us have a look at Russia, the country where Putin signed a law in December 2019 making Russian apps mandatory on smartphones and computers.
Here we directly find the information that databases used to process personal data of Russian citizens must be physically located in Russia starting September 1, 2016. In detail, a company must ensure the initial collection and subsequent recording, systematisation, accumulation, storage, clarification (updates / modifications) and extraction of the personal data of Russian citizens using databases located in Russia.
In terms of our Microsoft Services…
Active Directory and Azure AD
Here we have Active Directory, Azure AD and a lot of collaboration tools handling personal data. Even the display name is personal data. So the source of origin must be at least an Active Directory domain controller in Russia. Once the data is replicated, we are fine again. Modifications of the data must again be done in Russia. “CTAI” has different IT departments in each location; from now on, IT must create and modify the data of Russian citizens / colleagues in Active Directory connected to their local domain controller, the Russian one.
The origin source is the Active Directory hosted on-premises, which means we are fine here. This on-premises data gets synchronized to Azure AD using the metaverse (meta directory) of Azure AD Connect. Microsoft designed Azure with industry-leading security controls, compliance tools and privacy policies to safeguard the data of “CTAI” in the cloud. More information about the data considerations of Azure AD can be found here.
Microsoft Exchange Services
In terms of these services, any kind of data is hosted in the cloud at a data storage location other than Russia, because there is no Microsoft datacenter / Multi-Geo location in Russia. The result is that the Russian location of “CTAI” has to stay on-premises with its Exchange environment; any idea of a hybrid move from on-premises to Exchange Online would result in a violation of the Russian personal data law. Even with Exchange on-premises located in Russia, several Exchange features need to be adjusted to be compliant. Just think about the GAL (Global Address List)…
SharePoint Storage
Definitely on-premises. A lot of personal information gets saved when users work on SharePoint. Based on my feeling and knowledge, the usage of SharePoint Online is impossible for Russian citizens. Maybe an on-premises hybrid cloud solution could merge both worlds in a proper way with several rules in place.
OneDrive for Business / Microsoft Teams
Both products are nested under SharePoint Online, so there is no choice for their adoption by the “CTAI” colleagues in Russia. Just think about a chat scenario where someone tags a colleague in Russia with the @ feature. The display name gets saved into the chat conversation and stored, which means you store personal data of a Russian citizen inside Microsoft Teams, which means, based on the Teams architecture, you save this information in OneDrive for Business if the user is on-premises, or in the Microsoft Exchange mailbox if the user has an Exchange Online mailbox.
No chance?
In terms of mailing I would say: “Yes, no chance, guys!”
When we take a deeper look at the SharePoint Online, OneDrive for Business and Microsoft Teams problem, I think that with the adoption of Data Loss Prevention (DLP), available with several Microsoft 365 license packages, there may be a way to block this information directly in transport.
Any possible solution?
We talked about collaboration and we talked about boundaries. Managing these boundaries will definitely result in much higher complexity, because you have to check all workflows twice, react to law changes and implement automation for the transport of data and its protection.
Microsoft is partnering with several providers located in Russia that offer locally hosted M365 services. That means these providers host parts of the M365 infrastructure in Russia.
“Cool, problem solved!”
“Nope, some problems solved, new one made!”
Adopting these services will result in opening a new Microsoft tenant located in Russia. This results in a mix of users located in the base tenant, managed by Multi-Geo and attached Microsoft services with DLP, and a part of the users placed in a different tenant. From the technical standpoint, Azure AD Connect needs to synchronize one part of your Active Directory into the base tenant and another part into the Russian tenant. For the collaboration you need, because you end up with two different worlds, you have to create a tenant-to-tenant trust working with guest users and all that. Yes, at the end of the day the company “CTAI” will be mostly compliant hosting all these services in Russia, but the complexity of managing these services will definitely increase. We also should not forget that these Microsoft verified partners mostly do not offer all services for these tenants, so here again you are limited in functionality.
Closing words
Collaboration is the no. 1 word currently used in our strange situation (I wrote this article during the global pandemic in 2020). Software that enables remote collaboration, like Microsoft Teams, has become essential as companies implement work from home to keep their business running. In Germany, for example, working from home was not very common. Many companies carried out the change only slowly and very bumpily. Companies had no technology for VPN connections, on-premises servers had to be connected to the home office, sufficient hardware was missing, and cloud applications had to be implemented quickly. Germany has caught up with years of digitalisation within a very short time, though not in all areas, to be honest.
These days, internationally acting companies have to spend a lot of time on regulations and local laws to be as compliant as possible.
Large companies have the same problems here, only at a larger scale, as small retailers who now have to move online because of the pandemic's effect on their business. They also must comply with data protection laws.
And if we are honest with each other, let's take a look at the world: it is not getting any better. One example: Privacy Shield can no longer be used by organizations to transfer personal data from the EU to the US. The Court of Justice of the European Union recently, in 2019, issued a ruling invalidating it. Global companies relying on Privacy Shield for transatlantic data transfers should ensure they fully comply with local regulations and adapt with the least amount of risk, which is our core topic again.