CoreView Playbooks Overview

Modified on Fri, 07 Oct 2022 at 08:15 AM

This release introduces a major new initiative by CoreView to introduce best practices for managing Microsoft 365 -- Playbooks. CoreView Playbooks take many of the capabilities of CoreSuite – reporting, workflow, KPIs, but assemble them into a pre-defined, out-of-the-box solution that detects problems in your M365 environment and then provides automated remediation.    

Playbooks are composed of Policies that we define for our M365 environment. Example of policies include: 

  • Admins must have MFA  
  • Teams must have an owner  
  • Shared mailboxes must not be assigned a license  
  • Sharepoint sites shared externally must not have sensitive content  
  • Guest users must be reviewed and approved every 6 months 

Each policy has an associated workflow to help moderate and manage those issues. The workflows are pre-defined but provide flexibility to configure for your organization needs.  Workflows can be scheduled to run on a recurring basis or can be executed manually.  

Playbooks also provide the ability to manage exceptions, either temporary or permanent, with easy oversight to manage those exceptions.  

Policies are also Virtual tenant aware, so two users with different v-tenant responsibilities can review the same policies, but see different users, groups, etc. within the tenant.  

Teams Policies 

With the September 2022 release we are focused on policies related to Microsoft Teams. One of the big challenges of Microsoft Teams is how quickly and easily it can grow out of control. Users can easily create new teams and new channels, and there is very little incentive to clean up Teams after they are no longer used. This has both security and productivity implications. From a security standpoint, files and other data can be placed in Teams without anyone monitoring whether the appropriate users who can see those documents are members of the Team or Channel.  Guest users can be added without putting any sort of “end of access” date. From a productivity standpoint, as files and data accumulate in Teams it can be difficult for employees to know if they are accessing the correct and most relevant information. Imagine searching Teams for a customer list and returning 10 different Excel spreadsheets, all named “Latest”.  

Below are the first policies being released: 

Inactive Teams  

Inactive Teams identifies teams where there is no user activity occurring.  Operators can configure how long a Team must be inactive before it is a policy violation (I.e., 90 days). You can decide whether to archive or delete the team, and you can route an approval request to the team owner before taking action.    

Empty Teams  

Empty teams are those teams which have no members.  With Empty Teams you can choose to archive or remove the Team. 

Teams without owners 

Teams without owners cause difficulties if no one is monitoring usage of the team, which can result in inappropriate members being added to the team, sensitive content being shared, and no one there to curate or manage. Microsoft recommends a minimum of two group owners per Team.  This workflow allows you to email a specified user or all members of the Team requesting that they identify and add a Team owner.  

Teams without multiple owners 

Similar to above, Teams without multiple owners identifies groups with only a single owner, and sends an email to the owner or a specified user requesting that they identify and add additional Team owners. 

Public Teams  

For organizations that want to limit the number of Teams employees can join, Public Teams are something to be actively monitored.  Many organizations have chosen a periodic attestation process to require Public Teams owners to attest that the Team is still necessary.  This workflow will email a group owner or specific user asking them to attest that the Team is still needed. Otherwise, the Team will be archived or removed.   

Teams with guest users 

Teams with guest users identifies those teams who have guest users as members of the team.  This can be a security risk as they may have access to files and content intended for employees only.  This workflow emails the group owner or a specified user requesting that they attest that the guest users still need access to the Team. Otherwise, the guest owners are removed from the Team.   

Teams with guest users with a certain sensitivity label 

Sensitivity labels allow organizations to define different levels of sensitive information being shared. The Teams with guest users with a certain sensitivity label policy allows you to identify those teams that should not have guest users based on the sensitivity of the information being shared. With this policy you can identify the sensitivity label. This workflow emails the group owner or a specified user requesting that they attest that the guest users still need access to the Team. Otherwise, the guest owners are removed from the Team.  

Inactive Teams users with Audio Conferencing license 

This policy helps to identify those users who have been assigned an Audio Conferencing license, but who are not actively using Teams Voice. You can identify the threshold for inactivity, and then the workflow can send an email to the user’s manager or a specified address asking whether the license is still needed. If not, the license is removed from the user.   

Configuring Playbooks  

Setting up Policies 

For all of CoreView’s out-of-the box policies, they come enabled by default, but with workflow disabled and not displayed to delegated administrators.  

To configure a CoreView policy: 

  1. Go to Settings > Playbooks 
  2. Click See Details on the policy you want to edit.  
  3. Click Edit.  

This will display a form with configuration settings specific to each policy. This might include choices to enable an approval workflow, to perform a specific management action, to configure a trigger, etc. But these settings are common to all policies: 

  • Acceptance Threshold – This allows you to identify a value to flag a policy as “red”.  For example, if you had a policy to identify inactive users with an E5 license, you might say that there are always going to be some inactive users but flag as red when there are 50 inactive licenses.  
  • Set as public – This allows you to control whether your delegated administrators will have access to this policy.  This works in combination with the Permission to access the Playbook Dashboard. The delegated admin must be given the permission to see the Playbook Dashboard, at which point they will see all the public policies in that playbook.  
  • Enabling workflow – You can configure a policy only to report on the number of problems or you can choose to enable an associated workflow. If you enable the workflow, you can then choose to do that based on an automated schedule or only to be triggered manually 
  • Scheduling workflow – If you wish to schedule workflows you can do it on a daily, weekly, or monthly basis. For some event types it will also be possible to schedule the workflow to remediate immediately. For example if an admin with a weak password was identified that could kick off a password reset workflow immediately.  

Enabling for Delegated Admins 

As stated above, enabling delegated admins to monitor and manage playbooks is a multi-step process 

  • Permissions – Edit the Permissions of the user who you wish to monitor playbooks. Under Permissions, there is a new tab for Permissions. That will list all the Playbooks/Dashboards available. You can select the ones the user will manage. 
  • Making Public – Each policy that the user is allowed to manage must be made public.  That will enable it within the Playbook Dashboard 

Setting up Custom policies & Playbooks 

CoreView also provides the ability to create custom policies and playbooks.  Currently, custom policies cannot be associated with a workflow, but that capability is coming later in 2022.  

To configure a custom policy: 

  1. Go to Settings > Playbooks 
  2. Click Create New > Create Policy 
  3. Enter the Policy details 
    1. You can categorize policies using your own taxonomy. This can then be used to search for policies in the advanced filters. This becomes valuable as you add a large number of policies.  
    2. You can add policies to Customer Playbooks or create the Playbook/Dashboards you want on the fly.  
  4. Click Next  
  5. Create the Policy Definition 
    1. The Policy definition is essentially a custom report. Select the target object, select the fields, and enter the appropriate filters. For example, if you wanted to identify all users who have MFA disabled, you would select the User target, show the Multifactor Auth State column, and filter to show disabled users.  
    2. The Policy Key allows to define criteria around managing exceptions. For example, if you had a policy that identified inactive E5s after 30 days in order to downgrade them to E3s, you might say that all executives are exceptions to that rule. They need E5s no matter what. In that case you could define the policy key to be based on Department (assuming all executives were members of the executive department), so that if a user who was flagged as an exception changed departments, they would be removed as an exception.  
  6. Click Next and click Save.  

To create a custom Playbook:  

  1. Go to Settings > Playbooks 
  2. Click Create New > Create Playbook 
  3. Enter the Playbook details and click Next 
  4. Select the Policies to include in the Playbook and click Next 
  5. Click Save.  

Monitoring and Managing Playbooks 

Once polices and playbooks have been established, monitoring and managing is extremely easy. Each Playbook dashboard is comprised of three tabs.  

  • Strategic – The Strategic tab is only visible by the Tenant Administrator. It provides an overall view of the playbook history showing Policy snapshots over time, remediation actions performed over time, and an calculator showing how much time has been saved by automation.  Different widgets on this page can be configured. Those configurations are personal to the individual.  
  • Operational Dashboard – This tab is available to Tenant and Delegated Admins. This page allows users to monitor workflows and to ensure they are being acted upon. For example, the Workflow Progress by policy dashboard identifies those workflows that have failed or which are pending approval. Different widgets on this page can be configured. Those configurations are personal to the individual. 
  • Monitoring – This allows both Tenant and Delegated Admins to review policy matching items, to manage exceptions, and to execute workflow manually.   

Note: For the September release the Monitoring and Operational dashboard tabs will not filter by virtual tenant. That is currently under development and will be released in October 2022.  

Below is more detail on the monitoring and management activities that can be performed from the Monitoring tab.  

  • Reviewing matching items – The number of matching items is displayed below the policy name. You can click to launch a policy report showing the matched items. 
  • Executing manually – From the policy report you can select items and execute the policy workflow. Note, because it can take time to execute workflows, the number of policy matches will not update immediately.  
  • Marking Exceptions – From the policy report, you can also mark items as exceptions. This will immediately remove them from the policy report 
  • Managing Exceptions – From the Monitoring tab, you can also see the number of exceptions for each policy. Clicking will take you to an exceptions report. From here you can select items that you want to remove as exceptions.   

KPIs and Custom Dashboards 

KPIs and Customer Dashboards that were created in the legacy CoreView UI will be converted to custom policies and custom dashboards. These policies will be flagged as “legacy” and will not be editable within the new UX.  These will be made editable at a future date.   

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article