7.1) The Consultant Muscle
1. The Intake Framework (Uncovering the “Why”)
- The Golden Rule: Users ask for solutions (e.g., “I need a custom Power Automate flow to break inheritance on 500 folders”). A good Consultant must uncover the requirement (e.g., “We need to securely share specific documents with different external vendors”).
- The Triage Questions: Before reviewing any technical solution, establish:
- Data Classification: What is the sensitivity of the data being handled? (Dictates the required Purview labels and sharing restrictions).
- Audience & Lifecycle: Who is the audience (Internal vs. B2B Guests), and when does this project end? (Dictates identity lifecycle and M365 Group expiration).
- Supportability: Who owns this when the project is over? If it requires custom code (e.g., SPFx, complex Power Apps), is there an internal developer team to maintain it?
2. Evaluating Requests Against Existing Governance
- The Strategy Alignment Check: You are there to enforce the existing strategy, not invent a new one. Filter requests through these baseline questions:
- Is this out-of-the-box (OOTB)? Always default to native M365 capabilities before approving third-party apps or custom development.
- Does it bypass security controls? (e.g., Requests for service accounts that bypass MFA, or requests to disable DLP for a specific executive).
- Does it scale? (e.g., Manually managing item-level permissions works for 10 files, but fails for 10,000, and SharePoint also caps the number of unique permission scopes a list can hold, so this is a hard boundary, not just an admin burden. Pivot the user to a metadata-driven approach or separate Document Libraries).
3. Constructive Pushback (The Art of the Compliant “No”)
- The Framework (Acknowledge -> State Risk -> Provide Alternative): Never issue a flat “No.”
- Example Request: “We need a shared mailbox for 50 people.”
- Acknowledge: “I understand the team needs a central place to receive and manage these generic inquiries.”
- State Risk: “However, adding 50 people to a single shared mailbox is likely to cause Outlook performance problems and sync delays, and there is no clear record in Outlook of who replied to what (mailbox auditing can log SendAs and SendOnBehalf events, but nobody on the team will be searching the audit log to find out who answered a customer).”
- Provide Alternative: “To align with our M365 standards, we should set this up as a Microsoft Teams shared channel or a Group-connected Team site, which is designed for large-scale collaboration.”
- Depersonalize the Decision: Reference the policy, not your personal opinion. Use phrases like, “To align with the organization’s Zero Trust framework…” or “Based on the enterprise M365 architectural guardrails…”
4. Practical Translation for Delivery Teams
- Avoid “Policy Parroting”: Do not just send delivery teams a link to a 50-page governance PDF.
- Provide the “How-To”: Translate the governance into actionable, step-by-step configurations.
- Bad: “Ensure your new SharePoint site complies with the external sharing policy.”
- Good: “When provisioning this site, you must run Set-PnPTenantSite -Identity <site URL> -SharingCapability ExistingExternalUserSharingOnly and assign the ‘Confidential’ sensitivity label to the connected M365 Group.”
- Standardized Templates: If you notice delivery teams repeatedly asking the same questions, create a 1-page standard operating procedure (SOP) or a PowerShell snippet they can reuse.
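The kind of reusable snippet this section is asking for, written as an added example rather than code from the original page: it takes the sharing guardrail above, checks each site against it, remediates (or only reports, with -ReportOnly), and re-reads the setting afterwards so the report shows the effective state. It requires the PnP.PowerShell module. The tenant and site URLs and the label GUID are placeholders, and the use of Set-PnPTenantSite -SensitivityLabel with a label GUID is an assumption based on the equivalent Set-SPOSite parameter; confirm it against your module version before handing the snippet to a delivery team.

```powershell
# Added example SOP snippet, not from the original page. Enforces the
# external-sharing guardrail on a list of sites and reports drift.
# Assumptions: PnP.PowerShell is installed; the URLs below are placeholders;
# $LabelId is the GUID of the 'Confidential' sensitivity label in your tenant.
param(
    [string]   $AdminUrl = "https://contoso-admin.sharepoint.com",               # placeholder
    [string[]] $SiteUrls = @("https://contoso.sharepoint.com/sites/VendorDocs"),  # placeholder
    [ValidateSet("Disabled", "ExistingExternalUserSharingOnly",
                 "ExternalUserSharingOnly", "ExternalUserAndGuestSharing")]
    [string]   $RequiredSharing = "ExistingExternalUserSharingOnly",
    [string]   $LabelId  = "00000000-0000-0000-0000-000000000000",                # placeholder GUID
    [switch]   $ReportOnly                                                        # report drift, change nothing
)

Connect-PnPOnline -Url $AdminUrl -Interactive

# Caveat: a site can never be more permissive than the tenant setting. If the
# tenant is set to Disabled, the site-level value does nothing, so show it first.
$tenantSharing = (Get-PnPTenant).SharingCapability
Write-Host "Tenant-level sharing capability: $tenantSharing"

$results = foreach ($url in $SiteUrls) {
    $site    = Get-PnPTenantSite -Identity $url
    $before  = [string]$site.SharingCapability
    $actions = @()

    if ($before -ne $RequiredSharing) {
        if ($ReportOnly) {
            $actions += "DRIFT (not remediated)"
        }
        else {
            # Tighten sharing to the guardrail value
            Set-PnPTenantSite -Identity $url -SharingCapability $RequiredSharing
            $actions += "sharing remediated"
        }
    }

    # Assumption: -SensitivityLabel takes the label GUID, as Set-SPOSite does.
    # Idempotent: only apply when the current label differs.
    $currentLabel = [string]$site.SensitivityLabel
    if (-not $ReportOnly -and $currentLabel -ne $LabelId) {
        Set-PnPTenantSite -Identity $url -SensitivityLabel $LabelId
        $actions += "label applied"
    }

    # Re-read so the report reflects what the service actually stored
    $after = [string](Get-PnPTenantSite -Identity $url).SharingCapability
    [pscustomobject]@{
        Site      = $url
        Before    = $before
        After     = $after
        Compliant = ($after -eq $RequiredSharing)
        Action    = if ($actions) { $actions -join "; " } else { "none" }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit lets a provisioning pipeline fail on remaining drift
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it with -ReportOnly first during a review, then without it at provisioning time; the Before/After columns give the delivery team evidence to attach to their change record instead of a link to the governance PDF.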