Remember the eight predictions I made for 2021? I hope you’ve enjoyed my subsequent posts detailing the first six:
- Ransomware victims will face penalties.
- Your digital reputation will come under attack.
- Zerologon will continue to cause pain for IT pros.
- People will remember the hard way that they have Group Policy.
- A rebound in M&As will make more people realize just how hard a tenant-to tenant migration is.
- Transitional and project-based employees will increase the risk to intellectual property (IP).
Today, I’ll explain why I expect that Microsoft 365 Multi-Geo configurations will send multi-nationals down the rabbit hole.
Multi-Geo is designed to help corporations meet compliance requirements.
Microsoft rolled out Multi-Geo configurations as an add-on feature in April 2020. Using Microsoft 365 Multi-Geo, you can specify a preferred data location (PDL) for each user that controls where their Exchange mailbox, their OneDrive and all SharePoint sites they create are provisioned and stored.
This feature was created to help multi-national companies meet the data residency requirements imposed by various legislation and policies, which mandate that data be stored in a particular country or other geographical location. For example, Russia, China, Germany, France, Indonesia and Vietnam all require that their citizen’s data be stored only on physical servers within the country’s borders. Conversely, the General Data Protection Regulation (GDPR) does not mandate that all data it regulates be stored inside the EU, but it prohibits storage in any location that lacks equivalent data protection requirements.
To add more complexity, some data residency laws apply only to specific types of data. For instance, Australia requires that personal health records be stored in the country, and, interestingly, Bulgaria mandates that data related to gambling operations be stored locally. The Information Technology and Innovation Foundation (ITIF), a U.S. nonprofit public policy think tank, offers a nice summary of country-specific data requirements.
Microsoft 365 Multi-Geo helps you comply with these data residency mandates by enabling you specify that a given user’s data be kept only in Microsoft’s U.S. datacenters, only in its European datacenters, or only in its Southeast or East Asia datacenters. Previously, this was possible only with a dedicated regional Microsoft 365 tenant.
Note that Multi-Geo is available as an add-on to the following Microsoft 365 subscription plans only:
- Microsoft 365 F1, E1, E3 or E5
- Exchange Online Plan 1 or Plan 2
- OneDrive for Business Plan 1 or Plan 2
- SharePoint Online Plan 1 or Plan 2
You also need to be an Enterprise Agreement (EA) customer with a minimum of 250 seats in your tenant, at least 5% of which must use Multi-Geo.
Get the essential vocabulary right.
As your organization considers its legal obligations and technology options, it’s vital to understand the key terminology. I’ve just explained what data residency means, but there are two other terms that are often used interchangeably with it, when in fact they actually have different meanings and therefore different implications for IT professionals.
Data localization laws govern the transfer of data between geographical locations. Some of these laws require only that a copy of the data be kept locally, usually to guarantee that the government can audit data on its own citizens without having to navigate the laws of other countries. Other laws strictly prohibit the data from crossing the border at all, and some impose various conditions on the transfer process. For instance, South Korea’s Personal Information Protection Act requires companies to obtain consent from data subjects before exporting their data.
One solution. Many workloads.
Data sovereignty is the principle that any data stored in a given country is subject to that country’s laws. It basically adds another layer onto data residency: Not only must data be stored in a designated location, but it is also subject to the laws of the country in which it is physically stored. This difference is critical to understand, since data subjects will have different privacy and security protections depending on the physical location of the data centers that store information about them. Data sovereignty is particularly important for law enforcement, e-discovery, and indigenous peoples.
Multi-Geo is not a compliance panacea.
Again, Microsoft 365 Multi-Geo was designed specifically to help multi-national companies meet the increasing number of data residency mandates being enacted around the world. However, there are simply a lot of unknowns and concerns around Multi-Geo that will complicate your path to regulatory compliance in 2021. They including the following:
- Setup complications — Don’t expect instant deployment once you’ve obtained your licenses for the feature; Microsoft notes that most tenants are configured within a month, but larger or more complex tenants can take even longer. Moreover, although a user’s Exchange mailbox is migrated automatically when you set their PDL, you’ll need to migrate their OneDrive sites yourself.
- Hybrid environments — If you sync from an on-premises Active Directory system to Azure AD, users’ PDLs must be populated in AD and synched to Azure AD. Will you on-prem admins have the requisite information to create the settings accurately?
- Limited scope — Multi-Geo is available for Exchange Online, OneDrive and SharePoint Online only. Other workloads, including Yammer and PowerApps, are excluded, at least for now, so organizations will still need other guardrails in place to ensure compliance.
- Microsoft Teams — SharePoint Online and OneDrive for Business are the foundation for the file experience in Microsoft Teams, so “the Teams experience with file collaboration is also Multi-Geo aware.” This means that the files associated with a team are stored in the PDL of the user who created the team. In addition, a team member’s “recent files” list could include OneDrive files hosted in other locations than their own files, and users will be able to see their colleagues during “@” mentions, regardless of their location. However, conversations in chats and meeting IM notes in Teams are not Multi-Geo aware; they are all stored in the central location of the tenant. Although Microsoft claims that “typically, chat conversations aren’t applied to data residency needs,” it remains to be seen whether some organizations will encounter compliance issues.
- Tenant migrations — As I explored in my fifth prediction for 2021, tenant-to-tenant migrations are on the rise, in part due to increasing M&A activity, and these migrations are already plenty challenging. Multi-Geo adds another layer of complexity. How exactly do you migrate a tenant that has the Multi-Geo feature turned on?
- Employee relocation — The pandemic has closed a lot of borders, but soon enough, individuals will again be trotting around the globe. If you change the PDL for a user, their mailbox is moved to the location automatically, but their OneDrive data is not, so you will need to complete a rather lengthy process to move the OneDrive library to a different geo-location. It’s also not clear whether and for how long their email and OneDrive data might be unavailable?
- Orphaned SharePoint sites — What happens if one user creates a SharePoint site but moves to a different role or a different geographical location, or leaves the organization altogether? Can you associate the site with a different user? Does that require the site to be unavailable for a period of time? How will that affect business processes?
- Backup and recovery — How can you ensure proper backups per region? What happens if an older backup is used in recovery scenario and PDL wasn’t turned on at the time of that backup? What if you deleted data in response to a data subject request after the backup was made, and the restore operation brings that data back?
- Global collaboration— What if you are collaborating with someone on a document that isn’t in your PDL; can you download it locally to work offline? How will the organization ensure that no data residency or data localization regulations are being violated?
- eDiscovery — By default, an eDiscovery Manager or Administrator can perform eDiscovery only in the central location of their tenant. To conduct eDiscovery in the satellite locations, they need the Microsoft 365 Global Administrator to assign them “Region” parameters. Again, that raises questions about how the organization will ensure they are not violating any local laws.
The best way to prepare is to implement proven IT best practices.
In short, a wide variety of issues and unknowns with Multi-Geo will keep multi-national organizations scrambling throughout 2021 — and probably well beyond. Here are three broad best practices that will help you be as prepared as possible:
- Clean up — No matter what complexities you encounter, getting your IT house in order will make your life easier. Pare down permissions in accordance with least privilege, clean up group sprawl, both on premises and in the cloud. Make sure you have clear insight into your configurations, and make sure your Group Policy is working as intended by consolidating GPOs.
- Automate — Automating IT tasks dramatically reduces the risk of human errors and oversight. Moreover, it frees up your valuable IT pros to really focus on strategic concerns, like how to set up and use Multi-Geo effectively and ensure it meets your compliance requirements.
- Pay attention — Make sure you know exactly what’s happening across your IT ecosystem with proactive alerts and enterprise-wide reporting.
- Respond promptly — Finally, ensure that you can quickly investigate incidents, remediate improper changes, and restore anything, from a single object attribute to an entire Active Directory forest.
Stay tuned…
One more prediction to go! To wrap up this series of posts, I’ll explain why I expect increased cloud service and telco outages to drive renewed interest in bare-minimum hybrid business continuity plans. I know, that sounds kind of dry, but I promise to make it worth your time!