1
00:00:00,160 --> 00:00:05,640
AI is fantastic, but if you have
bad or overexposed

2
00:00:05,640 --> 00:00:07,800
information, AI is going to 
surface it. 

3
00:00:08,320 --> 00:00:10,680
AI is not going to care, but it 
shouldn't show you something you

4
00:00:10,680 --> 00:00:12,880
have access to it, it's going to
show it to you. 

5
00:00:13,080 --> 00:00:16,320
So getting permissions right, 
getting the memberships right, 

6
00:00:16,320 --> 00:00:19,040
getting identities right is 
absolutely cornerstone to good 

7
00:00:19,040 --> 00:00:21,840
and well managed AI. 
And that to me is a fundamental 

8
00:00:21,840 --> 00:00:24,640
part of our future. 
And and that that, you know, 

9
00:00:24,640 --> 00:00:28,000
when I think about managing and 
governing our services, really 

10
00:00:28,000 --> 00:00:31,840
it's to make Copilot shine. 
So you took my copilot question 

11
00:00:31,840 --> 00:00:35,040
because that's what I wanted to 
ask you was how do you see this 

12
00:00:35,040 --> 00:00:37,280
kind of evolving with that? 
So I'm going to take it in 

13
00:00:37,280 --> 00:00:38,680
another direction. 
We're going to go backwards. 

14
00:00:38,680 --> 00:00:43,520
Is there a a particular 
innovation or thing that 

15
00:00:43,520 --> 00:00:45,600
happened and we'll just call it 
in the SharePoint environment or

16
00:00:45,600 --> 00:00:48,360
the group permission management,
that kind of thing that you see 

17
00:00:48,360 --> 00:00:52,160
as like, Oh yeah, when we did 
that back in X, that really kind

18
00:00:52,160 --> 00:00:54,840
of changed the game of how we're
approaching this or made things 

19
00:00:54,840 --> 00:00:55,880
easier. 
Like, is there something that 

20
00:00:55,880 --> 00:00:59,120
stands out? 
I think I I'd pick on a coupled 

21
00:00:59,120 --> 00:01:02,040
key things. 
I think one, we are group 

22
00:01:02,040 --> 00:01:03,920
membership management for VP 
groups. 

23
00:01:03,920 --> 00:01:06,680
The fact that all of the engaged
community for some organizations

24
00:01:06,680 --> 00:01:08,880
automatically created 
constructed an intro we serve 

25
00:01:08,880 --> 00:01:11,960
right people. 
That's cornerstone us getting 

26
00:01:12,600 --> 00:01:15,320
labeling even tied to the 
interest of Microsoft 365 

27
00:01:15,320 --> 00:01:17,080
groups. 
Again, cornerstone the fact that

28
00:01:17,080 --> 00:01:20,120
I can differentiate that highly 
confidential data from a general

29
00:01:20,120 --> 00:01:23,000
general data. 
Those are things that make a big

30
00:01:23,000 --> 00:01:24,560
difference in the IT 
organization. 

31
00:01:29,880 --> 00:01:35,080
This is identity at the center 
if it has anything to do with 

32
00:01:35,080 --> 00:01:39,720
IAM. 
This is the go to podcast now 

33
00:01:39,720 --> 00:01:43,600
your hosts Jim McDonald and Jeff
Steadman.

34
00:01:49,640 --> 00:01:51,320
Welcome to the Identity at the 
Center podcast. 

35
00:01:51,320 --> 00:01:52,720
I'm Jeff, and that's Jim. 
Hey, Jim. 

36
00:01:53,120 --> 00:01:55,600
Hey, Jeff, how are you? 
Oh, not so bad yourself. 

37
00:01:56,240 --> 00:01:59,240
I'm good. 
So I was reminded today what was

38
00:01:59,240 --> 00:02:02,640
the first thing I said to you 
when I first met you many, many 

39
00:02:02,640 --> 00:02:04,120
moons ago. 
Do you like? 

40
00:02:04,120 --> 00:02:05,520
Baseball. 
Never forget it. 

41
00:02:06,040 --> 00:02:07,880
Yeah. 
And what's cool about I know 

42
00:02:07,880 --> 00:02:09,320
we've told that story a few 
times, right? 

43
00:02:09,320 --> 00:02:14,680
We, we do this show, it's real, 
you know, and that's a real 

44
00:02:14,680 --> 00:02:18,560
story that really happened. 
But So what I was reminded about

45
00:02:18,560 --> 00:02:22,560
it was just like, it's been a 
lifelong dream of mine to go to 

46
00:02:22,600 --> 00:02:28,000
Arizona in the month of March to
catch some spring training. 

47
00:02:28,000 --> 00:02:30,920
And I always figured I'd have to
spend my own money on it and 

48
00:02:30,920 --> 00:02:33,120
things like that. 
Well, I actually have a work 

49
00:02:33,240 --> 00:02:36,560
project that's going to send me 
out to Arizona. 

50
00:02:36,800 --> 00:02:40,120
I'm going to get to catch a game
on a Sunday while I'm out there.

51
00:02:40,120 --> 00:02:45,080
So, you know, fly out there a 
little bit early and and check 

52
00:02:45,080 --> 00:02:47,400
one more thing off the bucket 
list before I kick it. 

53
00:02:48,000 --> 00:02:50,000
That's the pro move, right? 
Whenever you get to travel for 

54
00:02:50,000 --> 00:02:53,520
work, try and bookend it with 
something to do in the city. 

55
00:02:53,880 --> 00:02:55,880
And I say that as a pro move 
because I never do that. 

56
00:02:55,880 --> 00:03:00,520
I'm like in and out like hotel 
or I'm like airport, hotel, 

57
00:03:01,000 --> 00:03:03,160
client, hotel, airport and I'm 
out. 

58
00:03:03,640 --> 00:03:04,560
That's pretty much how I do it. 
But. 

59
00:03:04,880 --> 00:03:06,880
You're doing it the more you 
travel, the more you fall into 

60
00:03:06,880 --> 00:03:09,760
that trap. 
But I've been, you know, since 

61
00:03:09,760 --> 00:03:12,680
COVID, not traveling nearly as 
much as pre COVID. 

62
00:03:13,640 --> 00:03:16,440
But I'm fully going to take 
advantage of this trip to 

63
00:03:17,160 --> 00:03:20,920
Arizona in March and. 
You're a big baseball guys, 

64
00:03:20,920 --> 00:03:22,920
that's spring training, so 
you're going to see what teams 

65
00:03:22,920 --> 00:03:24,840
out there. 
I think I'm going to go. 

66
00:03:24,840 --> 00:03:28,840
And so there's like half the MLB
plays out there and I'm not a 

67
00:03:28,840 --> 00:03:32,400
big fan of either of these 
teams, A's and Giants. 

68
00:03:32,400 --> 00:03:36,640
But from everything I read, 
which is mostly on Reddit, the 

69
00:03:36,640 --> 00:03:39,960
San Francisco Giants has to be 
true. 

70
00:03:40,240 --> 00:03:46,520
The San Francisco Giants stadium
in the Surprise, AZ is like, 

71
00:03:47,000 --> 00:03:48,960
you've got to see it, it's the 
best. 

72
00:03:49,400 --> 00:03:53,320
So that's so if if you have one 
to do, that's the place to go, 

73
00:03:53,320 --> 00:03:56,560
apparently. 
At least I'll know if I enjoy it

74
00:03:56,560 --> 00:03:58,560
or not. 
I don't know if I'll be able to 

75
00:03:58,560 --> 00:04:00,400
say how it ranks against other 
parks. 

76
00:04:00,400 --> 00:04:03,760
I've been to a lot of spring 
training in Florida because I 

77
00:04:03,760 --> 00:04:06,480
live near Florida and it's a 
short drive. 

78
00:04:06,800 --> 00:04:09,600
Short, as in eight hours or so, 
but. 

79
00:04:10,080 --> 00:04:11,360
It's not a short. 
Drive, but I get it. 

80
00:04:11,960 --> 00:04:14,120
Yeah, exactly. 
That's cool. 

81
00:04:14,800 --> 00:04:15,840
I'm sure you'll have a good 
time. 

82
00:04:16,480 --> 00:04:17,800
And you know, baseball's your 
jam. 

83
00:04:17,839 --> 00:04:21,160
I'm not much of a baseball fan 
and you know, for whatever 

84
00:04:21,160 --> 00:04:24,160
reason, our total opposites seem
to work on this. 

85
00:04:24,640 --> 00:04:28,160
Yeah, exactly. 
But yeah, mostly what I'm doing,

86
00:04:28,160 --> 00:04:30,680
my travel these days is for 
conferences. 

87
00:04:31,040 --> 00:04:32,960
So we lined up a bunch of 
discount codes. 

88
00:04:32,960 --> 00:04:34,240
You want to kind of go over 
those. 

89
00:04:34,560 --> 00:04:37,920
Yeah, we've got 3. 
So we'll start with the Gartner 

90
00:04:37,920 --> 00:04:41,160
IAM Summit in London.
That one is in March, March 24th

91
00:04:41,160 --> 00:04:43,760
and 25th. 
And if you use the code IDAC 

92
00:04:43,960 --> 00:04:48,120
425, you will save, I don't 
think we ever determined 425 of 

93
00:04:48,120 --> 00:04:50,160
some sort of local currency. 
I don't know if it's pounds. 

94
00:04:50,680 --> 00:04:56,240
Or EUR. 425 something, I think
it's EUR though, and we'll have 

95
00:04:56,240 --> 00:04:58,840
that link in our show notes as 
well with, you know, discount 

96
00:04:58,840 --> 00:05:00,720
codes. 
But yeah, that's kind of cool 

97
00:05:00,720 --> 00:05:02,680
that they've extended out there.
You and I were at the Gartner 

98
00:05:02,880 --> 00:05:05,440
conference in December and that 
was a lot of fun. 

99
00:05:05,440 --> 00:05:09,240
So shout out to Rebecca for 
hosting us on stage and, and 

100
00:05:09,240 --> 00:05:13,080
giving us a, giving us a yeah, 
the, the grilling that we gave 

101
00:05:13,080 --> 00:05:16,560
them a couple years ago. 
It was they turned the she 

102
00:05:16,560 --> 00:05:19,480
turned the tables on us. 
Yeah, my, how, the, my, how the 

103
00:05:19,480 --> 00:05:22,320
tables turn. 
So Next up we've got Berlin. 

104
00:05:22,320 --> 00:05:23,600
This is something you and I are 
going to. 

105
00:05:23,600 --> 00:05:26,960
It's the European Identity and 
Cloud Conference that's May 6th 

106
00:05:26,960 --> 00:05:30,520
through the 9th. 
And if you use the code IDAC 25 

107
00:05:30,560 --> 00:05:33,360
MKO, you get 25% off of that 
one. 

108
00:05:33,360 --> 00:05:35,920
So you and I have been spending 
a lot of time getting that 

109
00:05:35,920 --> 00:05:38,640
coordinated and starting to 
figure out our plans for that. 

110
00:05:38,640 --> 00:05:41,440
I still have to book my flight 
but I do have a hotel so that's 

111
00:05:41,440 --> 00:05:43,600
good. 
Yeah, absolutely. 

112
00:05:43,600 --> 00:05:45,960
I'm, you know, like I said, I'm 
going to go out there the week 

113
00:05:45,960 --> 00:05:50,400
before I'm going to be in Oslo, 
Norway and hoping to set up an 

114
00:05:50,400 --> 00:05:54,360
identifier, but that's already 
being planned and I'm going to 

115
00:05:54,360 --> 00:05:58,160
spend the weekend in Copenhagen.
So if there are listeners in 

116
00:05:58,160 --> 00:06:03,840
Copenhagen, would love to to 
meet even just for a coffee or 

117
00:06:03,840 --> 00:06:06,400
whatever. 
Not sure how big our listener 

118
00:06:06,400 --> 00:06:10,600
base is in Copenhagen, but then 
after that heading to Berlin so.

119
00:06:11,840 --> 00:06:14,320
We got listeners everywhere, so.
We do. 

120
00:06:14,360 --> 00:06:17,320
We do. 
We'll buy you a beer or a coffee

121
00:06:17,320 --> 00:06:19,920
or something like that. 
Absolutely glad to. 

122
00:06:21,040 --> 00:06:23,600
Let's see. 
Then after that we're coming 

123
00:06:23,600 --> 00:06:26,440
back to the United States and 
we're going to do Identiverse

124
00:06:26,440 --> 00:06:30,920
2025 in Las Vegas. 
So June 3rd to the 6th at a 

125
00:06:30,920 --> 00:06:35,560
discount for that as well. 
IDV 25-I D AC25, they get you 

126
00:06:35,560 --> 00:06:38,320
25% off. 
So you and I have some things 

127
00:06:38,320 --> 00:06:40,400
that we're planning and we had a
meeting this morning about that.

128
00:06:41,000 --> 00:06:43,600
So some fun stuff that we're not
quite ready to announce, but 

129
00:06:44,560 --> 00:06:46,520
stay tuned for information on 
that. 

130
00:06:47,000 --> 00:06:49,320
So I'm, I'm excited because 
we're going to do something with

131
00:06:49,320 --> 00:06:50,880
that, that we had a good time 
with last year. 

132
00:06:51,640 --> 00:06:54,480
Absolutely. 
I would expect for, you know, 

133
00:06:54,560 --> 00:06:58,200
both Berlin as well as 
Identiverse, we're going to put

134
00:06:58,200 --> 00:07:00,960
out as much content as we can 
coming out of those. 

135
00:07:00,960 --> 00:07:04,520
So stay tuned for that. 
Yeah, I, I will. 

136
00:07:04,520 --> 00:07:07,160
We'll see what happens with 
timing wise because I, I would 

137
00:07:07,160 --> 00:07:09,880
rather not be editing on 
vacation, stuff like that. 

138
00:07:10,160 --> 00:07:11,800
So we might space it out a 
little bit. 

139
00:07:11,800 --> 00:07:14,720
But yeah, we'll have content for
that and then let's see what 

140
00:07:14,720 --> 00:07:16,840
else we got. 
The Authenticate conference by 

141
00:07:16,840 --> 00:07:18,920
FIDO Alliance that's coming up
later this year. 

142
00:07:18,920 --> 00:07:21,040
And I think their call for 
speakers is open, right? 

143
00:07:21,040 --> 00:07:23,560
Is that run through next couple 
of couple months through March, 

144
00:07:23,560 --> 00:07:25,640
right? 
Actually, you know, down a 

145
00:07:25,800 --> 00:07:29,880
couple of months, the proposals
are due on March 3rd.

146
00:07:29,960 --> 00:07:33,240
So it's got about a month. 
So drops you got a couple weeks,

147
00:07:33,240 --> 00:07:38,360
but you know, focus on passwordless
authentication, you know,

148
00:07:38,360 --> 00:07:43,040
device or or possession based 
factors over knowledge factor. 

149
00:07:43,040 --> 00:07:47,080
So if you've got a good paper in
mind or a good twist on 

150
00:07:47,080 --> 00:07:50,440
something you've done within 
your organization or was looking

151
00:07:50,440 --> 00:07:56,640
for things like that, so you go 
to authenticatecon.com, like 

152
00:07:56,640 --> 00:07:58,720
authenticate conference, but 
just con. 

153
00:07:59,880 --> 00:08:02,760
I will have all these links in a
show notes and they're always on

154
00:08:02,760 --> 00:08:05,400
our homepage at idacpodcast.com.
You'll see all the current 

155
00:08:05,400 --> 00:08:08,200
discounts that we're aware of. 
So go there, check it out. 

156
00:08:08,560 --> 00:08:11,600
You know, use the codes, abuse 
them, send as many people out. 

157
00:08:11,760 --> 00:08:13,840
And if you do let us know, come 
up, meet us. 

158
00:08:14,440 --> 00:08:16,880
Jim and I are usually carrying 
stickers, and we're happy to 

159
00:08:16,880 --> 00:08:19,320
hand those out. 
So all right, why don't we get 

160
00:08:19,320 --> 00:08:21,440
to our guest who's been 
patiently waiting in the wings 

161
00:08:21,440 --> 00:08:24,200
here listening to this. 
His name is David Johnson. 

162
00:08:24,200 --> 00:08:27,040
He's the principal PM architect 
at Microsoft. 

163
00:08:27,400 --> 00:08:29,040
Welcome to Identity at the
Center, David. 

164
00:08:29,680 --> 00:08:31,040
Thank you. 
Hello. 

165
00:08:31,720 --> 00:08:34,200
And yes, I'm in the Microsoft 
Digital organization, 

166
00:08:34,200 --> 00:08:36,240
specifically at Microsoft, where
you might think of it as 

167
00:08:36,240 --> 00:08:39,280
Microsoft's IT organization. 
Gotcha. 

168
00:08:39,280 --> 00:08:41,280
So we're going to get into 
probably a few different things 

169
00:08:41,280 --> 00:08:45,040
around like groups and AD and 
Entra and SharePoint and teams 

170
00:08:45,040 --> 00:08:46,160
and all kinds of stuff like 
that. 

171
00:08:46,520 --> 00:08:49,120
But it's your first time on the 
show, so we always like to find 

172
00:08:49,120 --> 00:08:51,520
out origin stories. 
Yours might be a little 

173
00:08:51,520 --> 00:08:54,040
interesting because you've been 
with Microsoft for like 25 

174
00:08:54,040 --> 00:08:56,680
years. 
So I'm curious, how did you get 

175
00:08:56,680 --> 00:08:58,840
into the identity space? 
Is this something that you 

176
00:08:59,120 --> 00:09:00,520
chose? 
Did it choose you? 

177
00:09:00,520 --> 00:09:04,440
Like how did that come about? 
Well, it I guess more than 20 

178
00:09:04,440 --> 00:09:08,840
years ago or so, I kind of got 
involved with SharePoint and how

179
00:09:08,840 --> 00:09:11,160
we were managing SharePoint on 
premise. 

180
00:09:11,600 --> 00:09:15,080
And when you think about some of
the key themes around 

181
00:09:15,080 --> 00:09:17,840
SharePoint, it's about 
permission management and how 

182
00:09:17,840 --> 00:09:19,840
are you kind of making sure of 
the right people have access to 

183
00:09:19,840 --> 00:09:23,200
what how you on doing ongoing 
access? 

184
00:09:23,480 --> 00:09:26,080
How do you make sure you're 
minimizing, you know, over 

185
00:09:26,080 --> 00:09:28,000
sharing of information? 
Right people should have

186
00:09:28,000 --> 00:09:30,600
access, right stuff. 
Identity is at the center of all

187
00:09:30,600 --> 00:09:33,280
that, right? 
And that's kind of where you 

188
00:09:33,280 --> 00:09:36,920
think about that's when the on-prem
world moving into the cloud, 

189
00:09:37,400 --> 00:09:42,040
Entra becomes your foundational 
story of how SharePoint and how 

190
00:09:42,040 --> 00:09:44,680
teams and all these other 
services are all foundationally 

191
00:09:45,000 --> 00:09:47,320
managed and tied to identity and
Entra. 

192
00:09:47,640 --> 00:09:51,800
And so really when I think about
how do I govern the Microsoft 365

193
00:09:51,800 --> 00:09:55,800
data estate, which is what I do,
I have to govern effectively the

194
00:09:55,800 --> 00:10:00,080
Entra data estate when it comes
to groups especially. 

195
00:10:00,400 --> 00:10:04,040
And so we've my though my focus 
is Microsoft 365 and related 

196
00:10:04,040 --> 00:10:07,800
services like our platform 
copilot agents and so on. 

197
00:10:08,720 --> 00:10:11,280
Entra is a big part of that
because it's foundational. 

198
00:10:11,280 --> 00:10:13,760
You can't be successful if you 
don't have a good identity 

199
00:10:13,760 --> 00:10:16,280
stack. 
I like what you said there. 

200
00:10:16,280 --> 00:10:17,960
Identity Center. 
Somebody should start a podcast 

201
00:10:17,960 --> 00:10:22,600
called that you. 
Well, Microsoft also has a bunch

202
00:10:22,600 --> 00:10:24,160
of conferences. 
Do you ever speak at any of the 

203
00:10:24,160 --> 00:10:26,040
conferences that Microsoft does?
Because it seems like they have 

204
00:10:26,040 --> 00:10:27,600
3 or 4 per year. 
Yeah, I do. 

205
00:10:27,600 --> 00:10:30,080
I last year I spoke to the 
Microsoft 365 conference.

206
00:10:30,080 --> 00:10:33,720
I'm doing, I do again this May, 
I think it's in Vegas, if I 

207
00:10:33,720 --> 00:10:36,240
recall correctly, the Microsoft
365 conference.

208
00:10:36,560 --> 00:10:39,120
I generally talk about how 
Microsoft manages Microsoft, 

209
00:10:39,120 --> 00:10:42,400
that we govern ourselves because
obviously it's some people are 

210
00:10:42,400 --> 00:10:44,560
kind of interested in, you know,
we're a large customer of 

211
00:10:44,560 --> 00:10:47,120
ourselves. 
What does it mean we're managing

212
00:10:47,720 --> 00:10:50,920
SharePoint and Teams and Entra
groups and how do we pull it all

213
00:10:50,920 --> 00:10:55,240
together to to let our employees
be successful without IT getting

214
00:10:55,240 --> 00:10:58,400
in a way too much? 
What's a common question that 

215
00:10:58,400 --> 00:11:00,720
you get from people when you 
when you present and stuff like 

216
00:11:00,720 --> 00:11:02,480
that? 
And I have to imagine a lot of 

217
00:11:02,480 --> 00:11:05,360
people are like, OK, well, you 
know, how does Microsoft do it? 

218
00:11:05,360 --> 00:11:06,600
Microsoft using their own 
products. 

219
00:11:06,600 --> 00:11:08,640
But is there like a common 
question that you typically will

220
00:11:08,640 --> 00:11:12,280
get after you you present? 
Yeah, I think it's everything 

221
00:11:12,280 --> 00:11:16,200
from I actually, there's a lot. 
It's like, well, do you really 

222
00:11:16,200 --> 00:11:18,040
turn this all on? 
Do you really run it? 

223
00:11:18,040 --> 00:11:19,160
It's how do you run this at 
scale? 

224
00:11:19,160 --> 00:11:20,480
What kind of problems do you 
have? 

225
00:11:20,920 --> 00:11:24,360
And it's often coming up with 
the same concerns customers 

226
00:11:24,360 --> 00:11:27,880
have. 
I mean, it's like, how do you 

227
00:11:27,880 --> 00:11:29,320
deal with the oversharing 
problem? 

228
00:11:29,320 --> 00:11:32,040
How do you still sprawl on the 
enterprise? 

229
00:11:32,320 --> 00:11:34,880
What are employees allowed to do
in your enterprise? 

230
00:11:35,520 --> 00:11:37,960
How do you just deal with 
change? 

231
00:11:37,960 --> 00:11:40,160
You're running in a cloud, How 
do you keep up with the product 

232
00:11:40,160 --> 00:11:42,720
stack? 
What as Microsoft, you're kind 

233
00:11:42,720 --> 00:11:44,440
of your first customer 
yourselves. 

234
00:11:44,960 --> 00:11:46,840
Is that hard? 
Like those are the common 

235
00:11:46,840 --> 00:11:48,400
questions that I'll get all the 
time. 

236
00:11:48,400 --> 00:11:51,840
And those are common themes I'll
get into is how do we govern 

237
00:11:51,840 --> 00:11:56,840
Microsoft and how do we manage 
effectively all this stuff that 

238
00:11:56,960 --> 00:12:00,120
people create and is our our 
guiding principle goes back to 

239
00:12:00,120 --> 00:12:01,760
we're trying to let employees do
things. 

240
00:12:03,200 --> 00:12:05,200
So the conversation we're going 
to have today is really kind of 

241
00:12:05,200 --> 00:12:08,640
focused more on your viewpoint 
as that practitioner, right? 

242
00:12:08,640 --> 00:12:12,080
We're not talking like 
Microsoft's tablets coming from 

243
00:12:12,080 --> 00:12:13,800
on high and saying thou shalt do
this. 

244
00:12:13,800 --> 00:12:16,800
This is really more your own 
experience and and just want to 

245
00:12:16,800 --> 00:12:18,360
get that out there, right? 
We make sure that we don't 

246
00:12:18,960 --> 00:12:20,320
portray things the way they 
shouldn't be. 

247
00:12:20,760 --> 00:12:24,000
No, exactly. 
And I'll say my role is 

248
00:12:24,000 --> 00:12:26,520
responsible for how, whatever 
standard, what do we do 

249
00:12:26,520 --> 00:12:29,000
internally? 
And so all I can talk about is 

250
00:12:29,000 --> 00:12:32,880
how Microsoft manages Microsoft.
I can't give, of course, how you

251
00:12:32,880 --> 00:12:34,760
should do it as a customer. 
It's up to you. 

252
00:12:34,840 --> 00:12:37,520
I, I also please say I think 
this is a good idea. 

253
00:12:37,720 --> 00:12:40,560
This is clearly something we do,
but that's as far as I'll go. 

254
00:12:41,800 --> 00:12:44,800
So, David, I know as, as we've 
kind of gotten into some of the 

255
00:12:44,800 --> 00:12:49,280
conversations, I, I mean, 
clearly, you know, Active 

256
00:12:49,280 --> 00:12:52,520
Directory and, and groups way 
better than I do. 

257
00:12:52,520 --> 00:12:56,200
So let's kind of ease people 
into some of these topics that 

258
00:12:56,200 --> 00:12:58,960
we're going to talk about today.
And what I wanted to talk about 

259
00:12:58,960 --> 00:13:05,520
is how the Microsoft Directory 
products handle entitlements, 

260
00:13:05,720 --> 00:13:08,800
namely groups. 
You know, my origin into 

261
00:13:08,800 --> 00:13:14,080
Microsoft as well was kind of 
back in the day of Windows NT4

262
00:13:14,400 --> 00:13:17,200
and they're just groups back 
then, but there's different 

263
00:13:17,200 --> 00:13:19,760
kinds of groups now, right? 
And so I was wondering if you 

264
00:13:19,760 --> 00:13:22,440
kind of start us with an 
overview of with the types of 

265
00:13:22,440 --> 00:13:27,360
groups, thinking about kind of 
the Entra environments and also

266
00:13:27,360 --> 00:13:31,720
hybrid environments where you've
got obviously, I think almost 

267
00:13:31,720 --> 00:13:36,880
all Microsoft customers at this 
point have got some stake in

268
00:13:36,880 --> 00:13:41,000
Entra, but a lot of companies
still have that on premise 

269
00:13:41,000 --> 00:13:43,520
Active Directory and they're 
keeping the two in sync.

270
00:13:43,520 --> 00:13:49,280
So if you kind of give us an 
overview of how you know what 

271
00:13:49,280 --> 00:13:52,720
group, what different types of 
groups are out there and how 

272
00:13:52,720 --> 00:13:54,440
they work. 
Yeah. 

273
00:13:54,480 --> 00:13:57,840
And, and fundamentally I'll, I 
guess I'll, I'll focus a lot of 

274
00:13:57,840 --> 00:14:00,000
the Entra groups, the Azure
Active Directories that was 

275
00:14:00,000 --> 00:14:03,200
formerly known groups. 
Obviously things like security 

276
00:14:03,200 --> 00:14:07,400
groups and distribution lists and
and e-mail enabled security 

277
00:14:07,400 --> 00:14:10,840
groups, security enabled 
distribution lists, like those are

278
00:14:10,840 --> 00:14:15,720
all things that existed on 
premise in the AD world and in 

279
00:14:15,720 --> 00:14:19,000
the cloud AD, Entra.
You now have effectively 

280
00:14:19,120 --> 00:14:22,880
additionally Microsoft 365 
groups and in addition to 

281
00:14:22,880 --> 00:14:27,600
security groups in addition to 
DLs and the Microsoft 365 group

282
00:14:27,720 --> 00:14:31,520
construct is effectively the 
what's unique about it is in 

283
00:14:31,520 --> 00:14:34,560
addition to it being a 
membership construct to to make 

284
00:14:34,560 --> 00:14:38,680
sure you got the right people, 
it's also the construct that 

285
00:14:38,680 --> 00:14:42,000
backs every SharePoint site and
every Microsoft Team.

286
00:14:42,000 --> 00:14:45,960
For example, a channel are all 
backed by a a Microsoft 365 

287
00:14:45,960 --> 00:14:47,280
group. 
Some people might think of them 

288
00:14:47,280 --> 00:14:52,640
as universal groups, groups that
they, they how every people 

289
00:14:52,640 --> 00:14:55,320
engaged community, they're all 
backed by the same group type in

290
00:14:55,320 --> 00:14:57,680
Entra.
And that's why when you think 

291
00:14:57,680 --> 00:15:00,840
about the themes that how do you
manage SharePoint? 

292
00:15:00,840 --> 00:15:03,200
How do you manage Teams?
At the end of the day, a lot of 

293
00:15:03,200 --> 00:15:06,240
this comes down to how do you 
manage groups because that's 

294
00:15:06,360 --> 00:15:08,960
that's your construct. 
Yeah. 

295
00:15:08,960 --> 00:15:11,200
And I mean, that's what you're 
doing all the time. 

296
00:15:11,200 --> 00:15:14,600
And it's kind of like eat your 
own dog food kind of model. 

297
00:15:14,880 --> 00:15:17,440
And I don't want to ask you what
are the best practices from a 

298
00:15:17,440 --> 00:15:21,320
Microsoft perspective, but in 
your mind, when it comes to 

299
00:15:21,320 --> 00:15:25,480
managing groups, what are some 
best practices that you know you

300
00:15:25,480 --> 00:15:27,440
would give that advice to your 
best friend? 

301
00:15:28,080 --> 00:15:31,520
Yeah, I would say first of all, 
determine who is allowed to 

302
00:15:31,520 --> 00:15:35,480
create groups. 
Obviously as an IT organization,

303
00:15:35,480 --> 00:15:38,240
you have certain trust issues. 
Everyone does. 

304
00:15:39,360 --> 00:15:41,520
We know for example, in our 
case, we will let our full time 

305
00:15:41,520 --> 00:15:46,040
employees create groups. 
We will let, we'll let our full 

306
00:15:46,040 --> 00:15:49,720
time employees create SharePoint
sites and team sites and teams 

307
00:15:49,720 --> 00:15:52,760
and things like that. 
But not even engaged 

308
00:15:52,760 --> 00:15:55,640
communities. Sorry, I'm not sure
if there's other background 

309
00:15:55,640 --> 00:15:57,520
noise coming through. 
But, and you know, point is, 

310
00:15:57,520 --> 00:16:00,840
yeah, we will let our employees 
create these things. 

311
00:16:00,840 --> 00:16:04,280
And so it's part one, who can
create. Part two, you know, and I

312
00:16:04,280 --> 00:16:06,800
think it's really important. 
I will let people create more 

313
00:16:06,800 --> 00:16:11,000
groups, more sites, more teams. 
It's better doing that than say,

314
00:16:12,280 --> 00:16:15,320
letting sprawl happen, letting 
abuse, abuse happen of all these

315
00:16:15,320 --> 00:16:19,280
things all over again. 
I want to make sure that you 

316
00:16:19,280 --> 00:16:22,360
don't go deep on something like 
it's far better for you to have 

317
00:16:22,600 --> 00:16:25,760
multiple SharePoint sites, 
multiple groups, than

318
00:16:26,520 --> 00:16:30,880
effectively doing a bunch of 
nesting and a bunch of reuse of 

319
00:16:30,880 --> 00:16:32,440
an existing group for a 
different purpose. 

320
00:16:32,680 --> 00:16:36,520
Because the end of the day that 
when oversharing happens is when

321
00:16:36,520 --> 00:16:39,200
people get it wrong because 
somebody didn't realize that 

322
00:16:39,200 --> 00:16:42,040
this group, this location has a 
different permission structure. 

323
00:16:42,040 --> 00:16:45,600
When you think this location has
nesting that you didn't realize,

324
00:16:45,840 --> 00:16:50,040
you just open this thing up to. 
And so when you think about kind

325
00:16:50,040 --> 00:16:54,720
of groups and the of the 
Microsoft group model, having a 

326
00:16:54,840 --> 00:16:57,320
ability for people to create 
things, I think is essential. 

327
00:16:57,480 --> 00:16:59,520
But at the same time that comes 
with accountability. 

328
00:16:59,920 --> 00:17:02,600
So we let people create things. 
We're also going to validate 

329
00:17:02,600 --> 00:17:04,760
that we have the appropriate 
owners on these things. 

330
00:17:04,760 --> 00:17:06,680
So we've got expiry policies on 
these things. 

331
00:17:06,680 --> 00:17:08,280
We keep them only as long as we 
need to. 

332
00:17:09,119 --> 00:17:11,560
And that keeps the house clean 
because that's the other part of

333
00:17:11,560 --> 00:17:14,720
this that you don't just want 
groups sitting around forever 

334
00:17:14,720 --> 00:17:17,079
unmanaged. 
Oh, and one of the big theme for

335
00:17:17,079 --> 00:17:21,040
groups and is we allow guests in
our groups that and it's kind of

336
00:17:21,040 --> 00:17:24,960
funny to think about, but it's 
better from a tenant standpoint 

337
00:17:24,960 --> 00:17:28,560
at least for us to bring guests 
in and have those confidential 

338
00:17:28,560 --> 00:17:33,320
conversations and collaboration 
on our tenant using identities 

339
00:17:33,320 --> 00:17:37,880
that are guests into our tenant 
versus the data would be going 

340
00:17:37,880 --> 00:17:40,200
away and and people leaving our 
services completely. 

341
00:17:40,440 --> 00:17:42,440
So we'll bring guests into our 
services. 

342
00:17:42,720 --> 00:17:45,600
But one other thing that I 
talked about a lot of our groups

343
00:17:46,000 --> 00:17:49,000
is we label our groups something
that's not necessarily an 

344
00:17:49,000 --> 00:17:53,000
identity construct, but it is a 
core, I guess data construct is 

345
00:17:53,000 --> 00:17:56,280
how do you manage labeling of 
things? 

346
00:17:56,600 --> 00:18:01,480
How do you make sure that the 
right I see sensitivity. 

347
00:18:01,480 --> 00:18:03,720
In other words, something's 
highly confidential or is it 

348
00:18:03,720 --> 00:18:06,720
wide open to the entire company?
And so that way I can define and

349
00:18:06,720 --> 00:18:10,040
say this Microsoft 365 group is 
a highly confidential group. 

350
00:18:10,040 --> 00:18:12,040
Maybe it's an internal only 
group, but therefore it has 

351
00:18:12,040 --> 00:18:15,160
policies tied to it.
This other group is actually 

352
00:18:15,160 --> 00:18:16,640
general. 
It can be all company for all I 

353
00:18:16,640 --> 00:18:17,960
care. 
You can bring guests into it. 

354
00:18:17,960 --> 00:18:20,280
It's OK. 
But we one of the big things 

355
00:18:20,280 --> 00:18:23,200
that I think about from a best 
practice standpoint is all the 

356
00:18:23,200 --> 00:18:26,560
things are on group creation and
management life cycle, but also 

357
00:18:26,560 --> 00:18:29,760
data delineation. 
The fact that I have a label on 

358
00:18:29,760 --> 00:18:32,840
a group means I can delineate 
the groups which are meant to be

359
00:18:32,840 --> 00:18:35,680
open and protect versus the ones
that need to be deeply protected

360
00:18:35,680 --> 00:18:37,560
because they're backing 
sensitive data. 

361
00:18:38,840 --> 00:18:44,000
Yeah, I, I see a lot of my 
clients I work with over the 

362
00:18:44,000 --> 00:18:48,240
years have struggled with this 
concept of how do you manage the

363
00:18:48,240 --> 00:18:52,240
creation of groups. And one, kind
of making sure that they are 

364
00:18:52,240 --> 00:18:55,840
putting good descriptions and 
good metadata, assign the 

365
00:18:55,840 --> 00:18:59,920
owners, assigning sensitivity, 
writing the description that 

366
00:18:59,920 --> 00:19:05,200
makes sense to people and then 
not making the process too 

367
00:19:05,200 --> 00:19:08,440
inefficient, right. 
But usually there's got to be 

368
00:19:08,440 --> 00:19:10,960
some kind of like check or 
approval process. 

369
00:19:11,440 --> 00:19:14,600
I think what I've seen probably 
the most is some kind of process

370
00:19:14,600 --> 00:19:18,680
where either a third party tools
in use or there's a lot of 

371
00:19:18,680 --> 00:19:24,080
PowerShell scripting that takes 
place after a review has been 

372
00:19:24,080 --> 00:19:26,200
done of like a request for 
groups. 

373
00:19:26,480 --> 00:19:29,200
But I guess I, you know, 
initially when you said, hey, 

374
00:19:29,200 --> 00:19:31,560
it's delegated, any employee can
create groups. 

375
00:19:33,080 --> 00:19:35,760
I, you know, I was wondering 
what, what are the mechanics of 

376
00:19:35,760 --> 00:19:39,560
that, that you know that you'd 
have that kind of quality check?

377
00:19:39,800 --> 00:19:42,040
Yeah, No, it's a great question 
because an employee can create a

378
00:19:42,040 --> 00:19:45,320
group in the Entra portal. 
They can create a group in in 

379
00:19:45,320 --> 00:19:47,520
Teams. 
You go on Outlook, go create a 

380
00:19:47,520 --> 00:19:50,080
new group from Outlook, go 
create a new group in 

381
00:19:50,080 --> 00:19:52,560
SharePoint, because I want a new
SharePoint site to the team site

382
00:19:52,560 --> 00:19:55,520
that's backed by a group. 
So all those experiences do the 

383
00:19:55,520 --> 00:19:59,360
group creation flow and all 
those experiences. 

384
00:20:00,560 --> 00:20:03,560
Basically, they all honor the 
rules like we get to define an 

385
00:20:03,560 --> 00:20:06,800
Entra who's allowed to create. 
We get to define the the the 

386
00:20:06,800 --> 00:20:10,680
naming rule policies for groups.
We also get to define like we 

387
00:20:10,680 --> 00:20:14,080
can do prefixing if we were to 
choose to, obviously, 

388
00:20:14,080 --> 00:20:15,800
effectively the naughty word 
list. 

389
00:20:15,800 --> 00:20:18,640
As we think about it, the words 
that you just shouldn't put in a

390
00:20:18,640 --> 00:20:21,800
group name, things like that are
in the block word list, things 

391
00:20:21,800 --> 00:20:24,960
like that. 
Plus the the label definition 

392
00:20:24,960 --> 00:20:28,360
that Entra will, if you have it 
all configured, will force 

393
00:20:28,360 --> 00:20:30,680
collect the label of a group. 
So it doesn't matter where you 

394
00:20:30,680 --> 00:20:33,320
created, it's creating 
SharePoint or Teams or Entra. 

395
00:20:33,640 --> 00:20:35,080
It'll collect the label of a 
group. 

396
00:20:35,200 --> 00:20:39,760
And from there the the group is 
created and then we will do a 

397
00:20:39,760 --> 00:20:42,600
checks after a fact. 
So the in product provisioning, 

398
00:20:42,600 --> 00:20:45,040
we're actually letting people 
you know directly in Outlook, 

399
00:20:45,160 --> 00:20:46,320
right? 
We're not having a third party 

400
00:20:46,320 --> 00:20:50,040
tool or some custom UI to create
the group. Go create the group 

401
00:20:50,040 --> 00:20:52,760
where you are. 
We believe that it's actually 

402
00:20:53,680 --> 00:20:57,240
faster for employees, it's more 
intuitive for employees that 

403
00:20:57,240 --> 00:21:00,160
create an in place experiences, 
but we're going to hold them 

404
00:21:00,160 --> 00:21:02,840
accountable to what we created. 
We're going to put force them 

405
00:21:02,840 --> 00:21:04,560
into the naming rules. 
Of course we're going to force 

406
00:21:04,560 --> 00:21:08,600
them into the labeling and we're
going to react after a fact. 

407
00:21:08,600 --> 00:21:11,280
So we have a bunch of things 
running against a tenant in a 

408
00:21:11,280 --> 00:21:12,880
reactive way to watch what's 
done. 

409
00:21:12,880 --> 00:21:15,520
So of course there's all the 
proactive stuff from collecting 

410
00:21:15,520 --> 00:21:18,400
the basics, which the product is
going to do and all the reactive

411
00:21:18,400 --> 00:21:20,720
validation to go, hey, you 
didn't have a second owner to 

412
00:21:20,720 --> 00:21:22,640
this group. 
We're going to require you put a

413
00:21:22,640 --> 00:21:25,240
had a second owner into this 
group, for example, or the 

414
00:21:25,240 --> 00:21:27,400
second owners left the company, 
we're going to catch that and 

415
00:21:27,400 --> 00:21:29,240
portion had a second owner, 
things like that. 

416
00:21:30,280 --> 00:21:33,080
How do you, I guess what, how do
you enforce those types of 

417
00:21:33,080 --> 00:21:36,400
controls with that? 
Is it a form based thing where 

418
00:21:36,400 --> 00:21:39,440
it's doing like data validation?
Is there some tool or maybe 

419
00:21:39,440 --> 00:21:41,360
power script or something 
running behind, or PowerShell

420
00:21:41,360 --> 00:21:42,680
running behind the screen? 
How's that work? 

421
00:21:43,200 --> 00:21:45,880
So that's a great question. 
I think first that Entra will 

422
00:21:45,920 --> 00:21:47,880
collect what you tell it to 
collect to just at least in 

423
00:21:47,880 --> 00:21:50,520
terms of the labeling and naming
rules and stuff like that. 

424
00:21:50,840 --> 00:21:53,560
Other things are literally Azure
jobs running against a tenant 

425
00:21:53,640 --> 00:21:58,080
that watch, scan for anomalies, 
catch them, send a notification 

426
00:21:58,080 --> 00:22:00,240
of a group owner to say the 
house out, take action 

427
00:22:00,240 --> 00:22:03,000
basically. 
And if you and if you don't take

428
00:22:03,000 --> 00:22:05,920
action in a certain amount of 
time, we do delete things like 

429
00:22:05,920 --> 00:22:08,640
one of the things that the nice 
thing about you three to five 

430
00:22:08,640 --> 00:22:11,360
groups and teams and SharePoint 
and all these things, these 

431
00:22:11,360 --> 00:22:13,640
constructs are restorable within
30 days. 

432
00:22:13,960 --> 00:22:16,680
So as IT I don't feel too guilty 
about deleting it. 

433
00:22:16,960 --> 00:22:19,840
So if you don't take action as a
group owner, I'm going to, you 

434
00:22:19,840 --> 00:22:21,120
know, I'm going to hold you 
accountable. 

435
00:22:21,120 --> 00:22:23,560
If you don't do what I tell you 
to do, I'm going to delete this 

436
00:22:23,560 --> 00:22:24,880
thing. 
I give you plenty of warning. 

437
00:22:25,120 --> 00:22:27,240
But then yeah, I've got that 
Azure job which is going to run 

438
00:22:27,240 --> 00:22:29,520
against the service and wipe 
your group out. 

439
00:22:29,640 --> 00:22:33,720
Hey, David, One thing that you 
touched on and I don't want to 

440
00:22:33,720 --> 00:22:37,280
let it go was about nesting. 
And so I know a lot of my 

441
00:22:37,280 --> 00:22:40,560
clients that are in kind of 
hybrid environments have got 

442
00:22:40,560 --> 00:22:45,160
nested groups and it seems to be
the bane of their existence at 

443
00:22:45,160 --> 00:22:47,840
some level. 
I'm wondering kind of what is 

444
00:22:47,840 --> 00:22:49,640
your perspective on group 
nesting? 

445
00:22:50,240 --> 00:22:53,200
So I'll, I'll frame it. 
There's two really good stories 

446
00:22:53,200 --> 00:22:56,880
here. 
Part 1 is Microsoft 365 groups 

447
00:22:56,880 --> 00:22:59,200
actually don't even support 
nesting, at least not today. 

448
00:22:59,200 --> 00:23:02,040
They're, you know, it's actually
a really good thing for me. 

449
00:23:02,200 --> 00:23:04,200
So I don't even have a nesting 
thing to worry about on a, you 

450
00:23:04,200 --> 00:23:06,840
know, on a Microsoft 365 groups 
part Part 1. 

451
00:23:07,560 --> 00:23:10,280
But there's a catch because 
people like nesting. 

452
00:23:10,400 --> 00:23:14,120
People like their DLs where 
they've got some VP distribution

453
00:23:14,120 --> 00:23:16,720
list made-up of a whole bunch of
a direct distribution list and 

454
00:23:16,720 --> 00:23:18,360
they want to bring it all 
together a security groups or 

455
00:23:18,360 --> 00:23:21,120
whatever. 
What we do for that is we use 

456
00:23:21,120 --> 00:23:24,000
either dynamic groups in Entra 
or we have our own group 

457
00:23:24,000 --> 00:23:26,680
membership management tool, 
which is actually on GitHub and 

458
00:23:26,680 --> 00:23:30,760
we can share a link that people 
can actually use just open 

459
00:23:30,760 --> 00:23:33,040
source tool effectively about 
how do you do group membership 

460
00:23:33,040 --> 00:23:36,560
management then build 
automatically populate so that 

461
00:23:36,560 --> 00:23:38,720
VP group, they don't have to 
worry about it. 

462
00:23:38,720 --> 00:23:41,280
So I don't have to have a bunch 
of nested groups in that VP 

463
00:23:41,280 --> 00:23:44,400
group. 
If I really want to add Group 1 

464
00:23:44,400 --> 00:23:47,160
into group 2 and a bunch of 
other things and miss people 

465
00:23:47,160 --> 00:23:50,600
based on some business rule, for
example, all full time employees

466
00:23:50,600 --> 00:23:54,520
under some vice president or all
program managers under this 

467
00:23:54,520 --> 00:23:58,480
team, we can totally do that. 
Our tool will run and build the 

468
00:23:58,480 --> 00:24:00,280
group membership out and keep it
up to date. 

469
00:24:00,280 --> 00:24:01,680
I don't need nesting at that 
point. 

470
00:24:02,000 --> 00:24:03,880
And and that to me is the best 
practices. 

471
00:24:04,120 --> 00:24:06,400
Don't use nesting. 
If a membership needs to be 

472
00:24:06,400 --> 00:24:09,640
managed from some tight way with
some business rules like that 

473
00:24:09,640 --> 00:24:11,840
and or you want to delegate it 
down to bring in a whole bunch 

474
00:24:11,840 --> 00:24:15,760
of other things, use membership 
management in some way to build 

475
00:24:15,760 --> 00:24:18,360
your group out. 
Don't just try to build some 

476
00:24:18,360 --> 00:24:22,320
nesting hierarchy that people 
are likely to get wrong and and 

477
00:24:22,320 --> 00:24:23,800
quite frankly, we see them 
getting it wrong. 

478
00:24:23,800 --> 00:24:26,480
Back to your point on security 
groups, yes, they get it wrong. 

479
00:24:26,480 --> 00:24:28,680
We don't realize that this group
is embedded with a whole bunch 

480
00:24:28,680 --> 00:24:31,800
of other groups. 
I want to go back to something 

481
00:24:31,800 --> 00:24:34,200
you mentioned about inviting 
guests into the environment. 

482
00:24:34,280 --> 00:24:37,560
I feel like this is something 
that a lot of people maybe don't

483
00:24:37,560 --> 00:24:41,360
understand or maybe isn't 
configured on their own tenants 

484
00:24:41,360 --> 00:24:43,800
to kind of do it the way that 
they are expecting it to. 

485
00:24:43,800 --> 00:24:46,320
But first of all, let's not lose
anybody. 

486
00:24:46,400 --> 00:24:50,880
What do you define as a guest 
when it comes to Entra or 

487
00:24:50,880 --> 00:24:52,160
Microsoft or SharePoint should 
say? 

488
00:24:52,280 --> 00:24:53,720
Right. 
So how I kind of think about 

489
00:24:53,720 --> 00:24:57,720
that is obviously tenant 
members, we mint, we mint the 

490
00:24:57,720 --> 00:25:00,080
identity. 
So we bought joe@microsoft.com 

491
00:25:00,080 --> 00:25:03,160
minted identity or even a, a 
supplier where we're minting the

492
00:25:03,160 --> 00:25:06,320
identity, you know, 
v-joe@microsoft.com, right? 

493
00:25:06,600 --> 00:25:10,680
Those are things on our tenant. 
Tenant members, guests are where

494
00:25:10,680 --> 00:25:13,880
we invite, you know, Joe at 
contoso.com is a guest into our 

495
00:25:13,880 --> 00:25:17,520
product project that you know, 
if someone wants to bring Joe at

496
00:25:17,520 --> 00:25:20,400
Contoso into a team or they want
to share a file on SharePoint to

497
00:25:20,400 --> 00:25:24,480
Joe Contoso, they'll bring them 
into the tenants as a guest and 

498
00:25:24,920 --> 00:25:28,760
and therefore do a sharing. 
And so the guest, the guest 

499
00:25:28,760 --> 00:25:33,880
effectively is anyone whose 
identity isn't minted in your 

500
00:25:34,320 --> 00:25:36,120
tenant. 
You're not owning the identity 

501
00:25:36,120 --> 00:25:38,280
construct. 
You're simply saying, I trust 

502
00:25:38,280 --> 00:25:41,520
Contoso is validating it that 
they the identity is coming from

503
00:25:41,520 --> 00:25:44,240
them. 
I'm forcing some rule like in 

504
00:25:44,240 --> 00:25:48,200
our case, our our guest model is
set up to say we're going to 

505
00:25:48,200 --> 00:25:50,720
require multi factor 
authentication that that the 

506
00:25:50,760 --> 00:25:52,400
other provider better have that 
set up. 

507
00:25:52,400 --> 00:25:54,120
Otherwise we're not going to 
trust that guest. 

508
00:25:54,400 --> 00:25:58,000
But assuming they do and Entra 
will confirm that, then they 

509
00:25:58,000 --> 00:26:00,120
guests come into our tenant, 
assuming of course the the 

510
00:26:00,120 --> 00:26:03,280
employees invited the guest. 
And then of course, you got a 

511
00:26:03,280 --> 00:26:04,400
life cycle. 
But I'll get to that in a 

512
00:26:04,400 --> 00:26:06,040
minute. 
So the basic construct is anyone

513
00:26:06,040 --> 00:26:08,080
who's outside of our tenant 
boundaries from identity 

514
00:26:08,080 --> 00:26:10,000
perspective, we consider them 
guests. 

515
00:26:10,840 --> 00:26:15,080
And that guest can be a 
Microsoft account or can it be a

516
00:26:15,080 --> 00:26:16,600
Google account or an e-mail 
address? 

517
00:26:16,600 --> 00:26:17,680
Like what's the requirement 
there? 

518
00:26:17,800 --> 00:26:22,640
So it can be any work identity 
from any other organization 

519
00:26:22,640 --> 00:26:24,760
effectively anything Entra 
supports from a guest 

520
00:26:24,760 --> 00:26:26,400
perspective. 
So yes, typically work 

521
00:26:26,400 --> 00:26:28,480
identities. 
You can have consumer identities

522
00:26:28,480 --> 00:26:29,920
as well like in a Microsoft 
account. 

523
00:26:29,920 --> 00:26:32,520
To your point, you can have 
social identities spending. 

524
00:26:32,800 --> 00:26:35,560
We're focused predominantly on 
work identities that we bring in

525
00:26:35,560 --> 00:26:38,320
as guests from Entra or 
Microsoft account identities as 

526
00:26:38,320 --> 00:26:40,760
guests in Entra. 
As long as we can do a validate 

527
00:26:41,000 --> 00:26:45,360
to say yes, you really are who 
you say they are, then we're OK.

528
00:26:46,440 --> 00:26:49,200
What is something that people 
commonly get wrong when they're 

529
00:26:49,200 --> 00:26:50,800
setting this up? 
Because I feel like I've had so 

530
00:26:50,800 --> 00:26:53,840
many different experiences 
coming in as a guest to other 

531
00:26:53,840 --> 00:26:57,000
environments that I'm not sure 
if there's if there's a right 

532
00:26:57,000 --> 00:27:01,280
way or a wrong way to do it. 
Well, I think Part 1 where 

533
00:27:01,280 --> 00:27:03,600
people can get this wrong is 
what are you allowing a guest to

534
00:27:03,600 --> 00:27:06,760
do and what, what are the guest 
defaults like? 

535
00:27:06,760 --> 00:27:09,960
I think the big theme that 
scares companies to bring in 

536
00:27:09,960 --> 00:27:15,240
guests is kind of a construct 
of, well, what does this look 

537
00:27:15,240 --> 00:27:16,280
like? 
What are we going to get access 

538
00:27:16,280 --> 00:27:17,960
to? 
Which is why your, your, your, 

539
00:27:18,000 --> 00:27:21,080
your environment has to be 
configured to basically block 

540
00:27:21,080 --> 00:27:23,280
guests by default. 
It has to be very purposeful act

541
00:27:23,280 --> 00:27:25,840
to bring a guest in. 
So even a guest is in your 

542
00:27:25,840 --> 00:27:28,840
tenant in some way on in the 
directory structure doesn't mean

543
00:27:28,840 --> 00:27:31,080
they've accessed anything. 
That guest has to be explicitly 

544
00:27:31,080 --> 00:27:32,880
added to something to get access
to it. 

545
00:27:33,200 --> 00:27:37,080
I can bring joe@contoso.com into
that tenant as a guest, but 

546
00:27:37,080 --> 00:27:40,600
until I bring them in into a 
team or invite them to access 

547
00:27:40,600 --> 00:27:43,160
file, they're not going to get 
out anything, right. 

548
00:27:43,160 --> 00:27:46,280
And so that's a cornerstone. 
And the other thing when I think

549
00:27:46,280 --> 00:27:49,760
about guest management, I, I 
mentioned labeling earlier, but 

550
00:27:49,920 --> 00:27:52,160
that team is going to be 
default, for example, or that 

551
00:27:52,160 --> 00:27:54,680
365 group is going to be default
guest block. 

552
00:27:54,680 --> 00:27:58,320
Like we say, our default group 
label is confidential Microsoft 

553
00:27:58,320 --> 00:28:02,040
Intel only, which means just 
that, no guests. 

554
00:28:02,200 --> 00:28:05,040
You have to switch the label to 
allow a guest to become a member

555
00:28:05,040 --> 00:28:07,720
of a group. 
And then even then you're going 

556
00:28:07,720 --> 00:28:10,160
to have to have invited that 
guest and bring them in. 

557
00:28:11,040 --> 00:28:13,680
And if there's any files, this 
files are going to have to allow

558
00:28:13,680 --> 00:28:15,720
guests. 
So everything we're doing is 

559
00:28:15,720 --> 00:28:19,200
guest block by default, but 
guests allowed based on data 

560
00:28:19,200 --> 00:28:20,960
label and sensitivity 
management. 

561
00:28:21,720 --> 00:28:23,800
So there's the other big themes.
And the other part that I'd say 

562
00:28:23,800 --> 00:28:25,880
from a tenant perspective is 
life cycle management for 

563
00:28:25,880 --> 00:28:28,560
guests. 
And that's for us a really big 

564
00:28:28,560 --> 00:28:30,720
thing. 
Do you, how long should that 

565
00:28:30,720 --> 00:28:33,080
guest be there? 
Like we will wipe guests from 

566
00:28:33,080 --> 00:28:35,800
our directory if we're inactive 
for a period of time. 

567
00:28:35,800 --> 00:28:39,480
I think it's 60 days right now. 
And we'll force a reattestation 

568
00:28:39,480 --> 00:28:43,280
of a guest that when you invite 
a guest into a team, you'll have

569
00:28:43,280 --> 00:28:45,920
to reattest to the fact that the
guest should still be there, you

570
00:28:45,920 --> 00:28:48,600
know, half a year later, 
roughly, should the guest still 

571
00:28:48,600 --> 00:28:51,120
have access to this thing, the 
SharePoint, this file, this, 

572
00:28:51,440 --> 00:28:53,920
this group, right. 
We we require reattestation all 

573
00:28:53,920 --> 00:28:56,520
over the place. 
You had a couple questions that 

574
00:28:56,520 --> 00:28:57,920
I was going to ask about that 
life cycle. 

575
00:28:57,920 --> 00:29:00,800
Part of how long is too long to 
have a guest who's not doing 

576
00:29:00,800 --> 00:29:02,680
anything within your 
environment? 

577
00:29:03,320 --> 00:29:06,320
Yeah, I'd argue if a guest is 
inactive in your tenant for 60 

578
00:29:06,320 --> 00:29:08,520
days, they should be in your 
tenant, right? 

579
00:29:08,520 --> 00:29:12,560
There's got to be a reason for 
their that partnership has to be

580
00:29:12,560 --> 00:29:15,920
an ongoing thing and someone has
to care, right? 

581
00:29:16,320 --> 00:29:18,880
Someone who invited that guest 
in needs to care, but the guest 

582
00:29:18,880 --> 00:29:21,760
is still there. 
Otherwise why are they there? 

583
00:29:21,760 --> 00:29:26,000
It's like I think my point is it
it's totally legit to have a 

584
00:29:26,000 --> 00:29:28,640
sensitive project, even cross 
tenant bringing the guests into 

585
00:29:28,640 --> 00:29:30,320
a project. 
I'd rather it be on my tenant 

586
00:29:30,640 --> 00:29:33,920
but as soon as that project is 
done I want it out. 

587
00:29:33,920 --> 00:29:36,280
And if a project manager forgets
to get them out, I'm going to 

588
00:29:36,280 --> 00:29:38,440
get them out. 
Oh, they'll never forget. 

589
00:29:38,440 --> 00:29:40,520
No one ever forgets to remove. 
No one ever forgets. 

590
00:29:40,800 --> 00:29:41,920
No no. 
Exactly. 

591
00:29:41,920 --> 00:29:43,560
Access reviews in Entra are
essential. 

592
00:29:43,760 --> 00:29:47,080
I think they're an undervalued 
thing that really critical. 

593
00:29:47,080 --> 00:29:48,440
SharePoint also has access 
reviews. 

594
00:29:48,440 --> 00:29:51,000
If you bring a guest into a 
SharePoint site or shareable 

595
00:29:51,000 --> 00:29:53,440
file, same thing. 
Access reviews kick off. 

596
00:29:54,520 --> 00:29:56,960
One of the things that I think 
people try to take advantage of 

597
00:29:56,960 --> 00:30:00,960
is delegated authority and 
having an admin in an 

598
00:30:00,960 --> 00:30:02,520
organization kind of manage 
their own. 

599
00:30:02,520 --> 00:30:04,880
Does that really apply to the 
guest environment? 

600
00:30:04,880 --> 00:30:07,720
Is that more for, you know, 
let's say your own tenant minted

601
00:30:07,720 --> 00:30:09,640
identities? 
Where does the role of a 

602
00:30:09,640 --> 00:30:13,600
delegate managing a separate 
organization come into this? 

603
00:30:14,280 --> 00:30:17,480
Well, I mean there to a degree 
you are. 

604
00:30:17,480 --> 00:30:20,720
I mean, if you're using what's 
considered native identity or 

605
00:30:21,520 --> 00:30:25,320
yeah, David, I should be direct 
connect, that's the other Entra 

606
00:30:25,320 --> 00:30:27,560
kind of guest construct, then 
you're basically setting up a 

607
00:30:27,560 --> 00:30:29,240
trust relationship with another 
tenant. 

608
00:30:30,040 --> 00:30:32,040
Or if you're doing multi tenant 
organization, you're setting up 

609
00:30:32,040 --> 00:30:33,680
a trust relationship with 
another tenant. 

610
00:30:33,960 --> 00:30:36,960
And then you're basically 
delegating to say, Yep, I I have

611
00:30:36,960 --> 00:30:39,760
a deeper level of trust with 
this other directory, right. 

612
00:30:40,880 --> 00:30:45,160
Otherwise, we guest you're 
defining in Entra what basic 

613
00:30:45,160 --> 00:30:46,920
levels you're going to level the
trust. 

614
00:30:46,920 --> 00:30:50,240
You can say what what domains, 
for example, you're going to 

615
00:30:50,240 --> 00:30:52,040
allow in by default, what 
domains you're going to block, 

616
00:30:52,880 --> 00:30:56,360
what people are allowed to bring
in and what authentication type 

617
00:30:56,360 --> 00:30:58,520
you're going to allow, right? 
Or you can go all the way in to 

618
00:30:58,520 --> 00:31:00,840
say, Yep, we're going to require
conditional access checks, for 

619
00:31:00,840 --> 00:31:02,480
example. 
And you must have passed your 

620
00:31:02,480 --> 00:31:04,960
conditional access checks for 
your organization, right? 

621
00:31:05,320 --> 00:31:08,480
Those are all things that you 
can do that that help you be in 

622
00:31:08,480 --> 00:31:11,200
better shape. 
And that's when your delegated 

623
00:31:11,200 --> 00:31:14,120
identity, sorry. 
No, that's, that's good advice. 

624
00:31:14,120 --> 00:31:17,160
I let me take this from the 
angle of what should I not be 

625
00:31:17,160 --> 00:31:20,040
doing when it comes to that sort
of delegation? 

626
00:31:20,040 --> 00:31:22,160
Are there like things like, oh, 
you're really probably not going

627
00:31:22,160 --> 00:31:24,360
to have a good experience with 
that or it's not secure or or 

628
00:31:24,360 --> 00:31:27,720
guidance like that? 
Well, I'd say be thoughtful 

629
00:31:27,720 --> 00:31:30,560
again about who can bring in. 
Do you trust your employees or 

630
00:31:30,560 --> 00:31:33,240
be trained sufficiently? 
Make sure of it again, you have 

631
00:31:33,240 --> 00:31:36,400
a light a a good data 
delineation story around where 

632
00:31:36,400 --> 00:31:40,120
guests can access, because to 
me, inviting somebody in your 

633
00:31:40,120 --> 00:31:43,560
house doesn't mean you want them
to raid your fridge, right? 

634
00:31:43,960 --> 00:31:48,360
So make sure you got a very 
clear view of your there are a 

635
00:31:48,360 --> 00:31:50,200
lot in the living room, but not 
the kitchen kind of deal. 

636
00:31:51,080 --> 00:31:54,320
And making sure I set up in 
advance and making sure you got 

637
00:31:54,320 --> 00:31:55,880
a clear plan for that in 
advance. 

638
00:31:56,120 --> 00:31:59,800
Bringing guests in without any 
plan is a problem. 

639
00:31:59,800 --> 00:32:01,560
Like you don't know what they're
going to get right. 

640
00:32:01,560 --> 00:32:03,880
And you know, Microsoft's made 
mistakes ourselves too. 

641
00:32:03,880 --> 00:32:05,720
Like this is not like saying, 
yeah, we're perfect. 

642
00:32:05,720 --> 00:32:10,360
We, we mess up and we keep 
learning and getting better 

643
00:32:10,360 --> 00:32:13,960
about all this. 
So guest management for us, it 

644
00:32:14,040 --> 00:32:16,320
has become a critical thing. 
We, we absolutely manage our 

645
00:32:16,320 --> 00:32:17,840
tenants in a very aggressive 
way. 

646
00:32:18,240 --> 00:32:21,400
Knowing those principles allow 
guests in the employees allowed 

647
00:32:21,400 --> 00:32:23,240
to invite, we will get rid of 
them. 

648
00:32:23,240 --> 00:32:26,640
We will make sure our data is 
properly delineated so we only 

649
00:32:26,640 --> 00:32:29,400
have access to the right things.
I want to keep talking about 

650
00:32:29,400 --> 00:32:33,040
SharePoint, but I want to kind 
of clarify when it comes to 

651
00:32:33,040 --> 00:32:39,320
SharePoint Online, are we also 
talking about Teams that is, so 

652
00:32:39,320 --> 00:32:42,160
is the overlap there and how is 
it different from an access 

653
00:32:42,160 --> 00:32:45,040
management standpoint? 
It's a great, it's an 

654
00:32:45,040 --> 00:32:50,680
interesting topic because every 
team with the channel hierarchy 

655
00:32:50,680 --> 00:32:52,920
is a Microsoft 365 group. 
It's that's how it's back 

656
00:32:52,920 --> 00:32:56,200
identity wise. 
And so the membership in the 

657
00:32:56,200 --> 00:32:58,720
team is actually membership in 
Entra. 

658
00:32:58,720 --> 00:33:02,440
That's how it's defined. 
That team also comes with a 

659
00:33:02,440 --> 00:33:05,680
SharePoint site. 
So when you create that team UK,

660
00:33:05,800 --> 00:33:08,840
create that Microsoft 365 group,
you get a SharePoint site for 

661
00:33:08,840 --> 00:33:11,920
it, which has all the advantages
now of saying I have a 

662
00:33:11,920 --> 00:33:15,320
membership aligned to that site 
aligned to that team. 

663
00:33:15,600 --> 00:33:19,320
I have one membership for 
everything and it's kind of the 

664
00:33:19,320 --> 00:33:21,920
one membership rule model 
construct because it's so 

665
00:33:21,920 --> 00:33:24,760
valuable, right? 
I've got a project team and it 

666
00:33:24,760 --> 00:33:28,320
doesn't matter if I'm in plan or
SharePoint or Outlook or Teams, 

667
00:33:28,360 --> 00:33:31,120
I've got the membership 
construct behind it and they can

668
00:33:31,120 --> 00:33:33,920
work in all those workloads and 
they're just against same 

669
00:33:33,920 --> 00:33:36,280
Microsoft 365 group behind the 
scenes. 

670
00:33:36,280 --> 00:33:38,200
It's putting it, pulling it all 
together, right. 

671
00:33:38,200 --> 00:33:41,840
That's the beauty of of this 
stuff that that team, it has 

672
00:33:41,840 --> 00:33:43,720
that SharePoint site. 
In fact, Teams, when you think 

673
00:33:43,720 --> 00:33:47,560
about it, is it's whole storage 
layer for files is SharePoint 

674
00:33:47,560 --> 00:33:52,120
right for, for any real team. 
So it it all fits together 

675
00:33:52,120 --> 00:33:55,160
intrinsically. 
I kind of feel like 

676
00:33:55,440 --> 00:34:02,600
philosophically the team slash 
SharePoint is an umbrella of 

677
00:34:03,600 --> 00:34:06,680
that you can hand over to 
somebody, say you decide, you 

678
00:34:06,680 --> 00:34:11,080
put, you decide what files go in
here, what goes in the under the

679
00:34:11,080 --> 00:34:15,520
umbrella and then you can manage
the permissions within the 

680
00:34:15,520 --> 00:34:19,719
umbrella, like who gets access 
to what, but you're not going to

681
00:34:19,719 --> 00:34:23,159
be able to break out of that 
umbrella to manage the 

682
00:34:23,639 --> 00:34:27,000
permissions beyond that. 
So it's kind of a safety zone, 

683
00:34:27,520 --> 00:34:33,600
but I, and I feel like that is 
an uncomfortable situation 

684
00:34:33,600 --> 00:34:37,719
sometimes for, you know, I 
people who own identity and 

685
00:34:37,719 --> 00:34:42,000
access management in that like 
it seems to me like it's just 

686
00:34:42,000 --> 00:34:44,679
the area that you hand over to 
somebody else. 

687
00:34:44,679 --> 00:34:49,320
Do you kind of feel like I guess
that's the way the product's 

688
00:34:49,320 --> 00:34:52,080
designed, but in your 
experience, are you worried 

689
00:34:52,080 --> 00:34:55,719
about kind of what they do under
their umbrella or is that? 

690
00:34:56,639 --> 00:34:59,400
Oh, yes, no, Oh yes. 
And I think there's some 

691
00:34:59,400 --> 00:35:04,200
strategies for that, everything 
from based on type of site. 

692
00:35:04,200 --> 00:35:06,680
You know you have this deep 
secret site, highly confidential

693
00:35:06,680 --> 00:35:10,040
as we call it. 
Maybe the the owner doesn't 

694
00:35:10,040 --> 00:35:12,920
allow any sharing on the site. 
There's SharePoint settings, say

695
00:35:13,120 --> 00:35:15,560
only the owner of the site, the 
owner of a group can share 

696
00:35:15,560 --> 00:35:18,280
anything on it. 
No, no breakaway permissions, no

697
00:35:18,280 --> 00:35:19,880
sharing. 
It's everything's completely 

698
00:35:20,120 --> 00:35:21,800
tied to the membership of the 
group, which is tightly 

699
00:35:21,800 --> 00:35:24,800
controlled, right. 
So you do that as an example, 

700
00:35:24,800 --> 00:35:27,440
you can block downloads, you can
write to protect content on that

701
00:35:27,440 --> 00:35:30,320
site. 
So you can absolutely lock down 

702
00:35:30,320 --> 00:35:33,400
SharePoint and to the access 
management be entirely 

703
00:35:33,760 --> 00:35:36,160
controlled and limited to the 
Entra group. 

704
00:35:36,440 --> 00:35:39,720
In fact, with new kind of user 
defined permissions and 

705
00:35:39,720 --> 00:35:43,320
SharePoint type that is entitled
back by a rights protection 

706
00:35:43,320 --> 00:35:46,240
envelope, effectively you can 
literally allow downloading of 

707
00:35:46,240 --> 00:35:51,760
encrypted content that if 
someone loses access to the 365 

708
00:35:51,760 --> 00:35:53,560
group and SharePoint site, 
they'll lose access to the 

709
00:35:53,560 --> 00:35:55,280
downloaded content too. 
They won't be even encrypted 

710
00:35:55,280 --> 00:35:58,000
anymore. 
You can, we kind of go that far 

711
00:35:58,000 --> 00:36:02,160
and so we can do a ton of 
protection so that I can choose 

712
00:36:02,160 --> 00:36:03,760
to say yes. 
But because this is a tented 

713
00:36:03,760 --> 00:36:07,160
project, the owner controls 
everything effectively. 

714
00:36:07,400 --> 00:36:11,200
And by the way, I have a very 
much of trust verify model in 

715
00:36:11,200 --> 00:36:14,840
that we let people create things
as I noted, but we'll not only 

716
00:36:14,840 --> 00:36:17,480
make you attached to things, 
we'll make you label things. 

717
00:36:17,480 --> 00:36:19,440
We also will double check to 
make sure you got it right. 

718
00:36:19,760 --> 00:36:25,320
So everything from Purview, DLP 
to scan for your patterns. 

719
00:36:25,320 --> 00:36:28,000
And hey, we found a password on 
this site in the file somewhere.

720
00:36:28,240 --> 00:36:29,880
We're going to flag it. 
We're going to do something 

721
00:36:29,880 --> 00:36:32,120
about it. 
We run oversharing reports, 

722
00:36:32,120 --> 00:36:34,840
including what's now in in 
SharePoint advanced management 

723
00:36:35,200 --> 00:36:39,640
to say you shared this 
confidential site with half a 

724
00:36:39,640 --> 00:36:43,680
company that's not allowed. 
And we flag that and Bush 

725
00:36:43,680 --> 00:36:45,040
reports can look for that kind 
of thing. 

726
00:36:45,040 --> 00:36:49,720
So we can then take action. 
So I'd say it's there are times 

727
00:36:49,720 --> 00:36:52,960
that you're going to have a hard
aggressive lockdown model and 

728
00:36:52,960 --> 00:36:55,000
there are times that you're 
going to do a trust with verify 

729
00:36:55,000 --> 00:36:57,640
model to say, I'm going to let 
people do things, but within 

730
00:36:57,640 --> 00:36:59,320
some boundary. 
And then I'm going to verify 

731
00:36:59,320 --> 00:37:01,440
that they got it right. 
And if I got it wrong, I'm going

732
00:37:01,440 --> 00:37:06,640
to take action. 
David, I feel like when we all 

733
00:37:06,640 --> 00:37:10,840
talk about our 20 plus years and
whatever we kind of date 

734
00:37:10,840 --> 00:37:13,080
ourselves. 
I'm going to give you a blast 

735
00:37:13,080 --> 00:37:15,920
from the past right here. 
So do you remember a product 

736
00:37:15,920 --> 00:37:20,600
called MOSS, MOSS, which was 
essentially SharePoint, You 

737
00:37:20,600 --> 00:37:25,560
could build websites with it. 
Is there, I don't think MOSS is 

738
00:37:25,560 --> 00:37:29,160
around anymore. 
What is there a replacement? 

739
00:37:29,160 --> 00:37:30,120
What? 
What's the deal? 

740
00:37:30,520 --> 00:37:33,480
Well, SharePoint lets you build 
what's considered portals, 

741
00:37:33,480 --> 00:37:36,400
communication sites. 
And so in fact, within 

742
00:37:36,400 --> 00:37:39,800
Microsoft, our internal portals 
are all on SharePoint. 

743
00:37:39,800 --> 00:37:44,520
As an example, the construct of 
having a SharePoint platform 

744
00:37:44,520 --> 00:37:50,000
provide external sites doesn't 
exist right now, but internal 

745
00:37:50,000 --> 00:37:53,800
sites, absolutely right. 
So people as opposed to using 

746
00:37:53,800 --> 00:37:56,800
some other platform will 
normally be using SharePoint as 

747
00:37:56,800 --> 00:38:00,200
their web hosting for some 
communication site like our HR 

748
00:38:00,200 --> 00:38:02,680
portal, for example, and 
corporate portals, they're all 

749
00:38:02,680 --> 00:38:05,560
in, in tech web, as we call it, 
they're all on SharePoint. 

750
00:38:05,880 --> 00:38:07,360
And so, but they're different 
type of SharePoint. 

751
00:38:07,360 --> 00:38:09,120
So when you think about 
SharePoint from a, a 

752
00:38:09,120 --> 00:38:11,720
collaboration and teams 
perspective, that's kind of type

753
00:38:11,720 --> 00:38:13,120
1. 
When you think of this other 

754
00:38:13,120 --> 00:38:16,040
type of cloud communication 
sites where you're building a 

755
00:38:16,040 --> 00:38:18,960
portal for, you know, providing 
information to your company, 

756
00:38:19,440 --> 00:38:21,880
that's kind of the other big 
type that we, we absolutely 

757
00:38:21,880 --> 00:38:23,680
still use. 
But what you might think of as 

758
00:38:23,680 --> 00:38:27,920
Moss as a kind of a, a 
communications front end, you 

759
00:38:27,920 --> 00:38:30,320
know, it's now everything from 
Viva includes everything now 

760
00:38:30,320 --> 00:38:35,800
from Viva Amplify and, and Viva 
Communications to of course 

761
00:38:35,800 --> 00:38:38,720
core, core communication sites 
in SharePoint. 

762
00:38:40,520 --> 00:38:42,640
So I mentioned earlier that 
you've been with Microsoft for 

763
00:38:42,640 --> 00:38:45,520
25 years. 
So speaking of age and aging 

764
00:38:45,520 --> 00:38:49,920
ourselves, I want to, I want to 
shift maybe a little more to the

765
00:38:49,920 --> 00:38:52,000
future here. 
What are some of the things that

766
00:38:52,000 --> 00:38:55,600
you see changing when it comes 
to this topic? 

767
00:38:55,600 --> 00:38:59,120
Either Entra group permissions, 
SharePoint sites like what is 

768
00:38:59,480 --> 00:39:01,560
and, and I'm not going to hold 
you like you're not the product 

769
00:39:01,560 --> 00:39:03,000
person, right? 
Is there not promises? 

770
00:39:03,000 --> 00:39:05,320
But how do you see this evolving
over time? 

771
00:39:06,160 --> 00:39:09,440
Well, I, I think, you know, 
there's two themes and I think 

772
00:39:09,440 --> 00:39:12,520
one helping our employees get it
right becomes one of the big 

773
00:39:12,520 --> 00:39:14,960
themes, right? 
And whether you think of it as 

774
00:39:15,120 --> 00:39:18,840
AI or you think that it is good 
intelligence against a service, 

775
00:39:19,240 --> 00:39:21,720
watching what employees are 
doing, helping steer employees 

776
00:39:21,720 --> 00:39:25,360
and the right behavior, helping 
make sure you're detecting and, 

777
00:39:25,360 --> 00:39:28,240
and, and almost fixing when 
something has gone wrong. 

778
00:39:28,560 --> 00:39:30,920
You know, that's kind of to me 
where I see a lot of this going 

779
00:39:31,280 --> 00:39:33,840
the constructs of when I say 
labeling and that we're kind of 

780
00:39:33,840 --> 00:39:37,680
going labeling everywhere that 
so more and more content and 

781
00:39:37,680 --> 00:39:40,440
things are getting labeled like 
we label a meeting, for example,

782
00:39:40,440 --> 00:39:43,520
and that that meeting label will
then define, you know, 

783
00:39:43,560 --> 00:39:47,160
potentially what the files for 
that meeting should be that come

784
00:39:47,160 --> 00:39:48,680
out of the meeting. 
If you have a meeting recording,

785
00:39:48,680 --> 00:39:50,320
it should be a sensitive as a 
meeting itself. 

786
00:39:50,680 --> 00:39:55,320
The identity management, again, 
you'll be limited based on a 

787
00:39:55,320 --> 00:39:58,960
label of what's allowed so that 
that highly confidential thing 

788
00:39:58,960 --> 00:40:01,320
will have rights protection tied
to it, for example. 

789
00:40:01,320 --> 00:40:05,440
And so these things all fit 
together to me to be and again 

790
00:40:05,600 --> 00:40:07,480
to your point earlier. 
Your identity is absolutely the 

791
00:40:07,480 --> 00:40:11,600
Center for all of this, but I 
think that's a big part. 

792
00:40:11,600 --> 00:40:15,320
The other thing for me is of 
course, as Microsoft Copilot 

793
00:40:15,320 --> 00:40:18,040
is one of our big things that 
we're working with and and 

794
00:40:18,040 --> 00:40:21,080
trying to enable. 
And as we envision where we're 

795
00:40:21,080 --> 00:40:24,360
going with copilot, you think of
like data management and data 

796
00:40:24,360 --> 00:40:28,040
hygiene and and protection. 
That's kind of cornerstone. 

797
00:40:28,240 --> 00:40:33,760
AI is fantastic, but if you have
bad or overexposed 

798
00:40:33,760 --> 00:40:35,880
information, AI is going to 
surface it. 

799
00:40:36,400 --> 00:40:38,680
AI is not going to care that it 
shouldn't show you something. 

800
00:40:38,680 --> 00:40:40,960
If you have access to it, it's 
going to show it to you. 

801
00:40:41,160 --> 00:40:44,400
So getting permissions right, 
getting the memberships right, 

802
00:40:44,400 --> 00:40:47,120
getting identities right is 
absolutely cornerstone to good 

803
00:40:47,120 --> 00:40:49,960
and well managed AI. 
And that to me is a fundamental 

804
00:40:49,960 --> 00:40:52,960
part of our future. 
And and that, you know, when I 

805
00:40:52,960 --> 00:40:56,080
think about managing and 
governing our services, really 

806
00:40:56,080 --> 00:41:00,760
it's to make Copilot shine. 
So you took my copilot question 

807
00:41:00,760 --> 00:41:04,000
because that's what I wanted to 
ask you was how do you see this 

808
00:41:04,000 --> 00:41:06,240
kind of evolving with that? 
So I'm going to take it in 

809
00:41:06,240 --> 00:41:07,640
another direction. 
We're going to go backwards. 

810
00:41:07,640 --> 00:41:12,960
Is there a particular innovation
or thing that happened, we'll 

811
00:41:12,960 --> 00:41:14,840
just call it in the SharePoint 
environment or the group 

812
00:41:14,840 --> 00:41:17,680
permission management, that kind
of thing that you see as like, 

813
00:41:17,680 --> 00:41:21,200
Oh yeah, when we did that back 
in X, that really kind of 

814
00:41:21,200 --> 00:41:23,800
changed the game of how we're 
approaching this or made things 

815
00:41:23,800 --> 00:41:24,760
easier. 
Like, is there something that 

816
00:41:24,760 --> 00:41:28,080
stands out? 
I think I'd pick on a couple 

817
00:41:28,080 --> 00:41:30,960
key things. 
I think one, we are group 

818
00:41:30,960 --> 00:41:32,840
membership management for VP 
groups. 

819
00:41:32,840 --> 00:41:35,640
The fact that all of the engaged
community for some organizations

820
00:41:35,640 --> 00:41:37,800
automatically created 
constructed in Entra, we serve the 

821
00:41:37,800 --> 00:41:40,920
right people. 
That's cornerstone to us getting 

822
00:41:41,520 --> 00:41:44,280
labeling even tied to the 
interest of Microsoft 365 

823
00:41:44,280 --> 00:41:46,040
groups. 
Again, cornerstone the fact that

824
00:41:46,040 --> 00:41:48,760
I can differentiate that highly 
confidential data from that 

825
00:41:48,760 --> 00:41:51,960
general general data. 
Those are things that make a big

826
00:41:51,960 --> 00:41:54,240
difference in the IT 
organization that, you know, we 

827
00:41:54,240 --> 00:41:57,680
have some 100,000 SharePoint 
sites as an example. 

828
00:41:57,840 --> 00:42:00,480
You think of a volume. 
How do you know like that's why 

829
00:42:00,480 --> 00:42:03,280
labeling and you know, I, I get 
hung up on, on that kind of 

830
00:42:03,280 --> 00:42:04,640
conversation. 
People think I talk about 

831
00:42:04,640 --> 00:42:07,200
labeling a lot because otherwise
how does IT know when 

832
00:42:07,200 --> 00:42:09,600
something's overshared? 
IT has no way of 

833
00:42:09,600 --> 00:42:14,680
differentiating that that 
massively shared file from 

834
00:42:14,680 --> 00:42:18,840
someone site from another unless
you have the delineation, labeling

835
00:42:18,840 --> 00:42:21,680
in place to tell you by the way,
this is highly confidential that

836
00:42:21,800 --> 00:42:23,560
oversharing is probably wrong 
versus not. 

837
00:42:23,840 --> 00:42:26,800
And I think getting that kind of
theme right was essential as we 

838
00:42:26,800 --> 00:42:29,680
kind of got on this journey with
SharePoint that's allowed us to 

839
00:42:30,000 --> 00:42:33,520
do better trapping of when 
employees get it wrong and kind 

840
00:42:33,520 --> 00:42:35,120
of steer them in. 
So to me, those are kind of 

841
00:42:35,120 --> 00:42:38,120
cornerstones of things that I 
think about are really critical.

842
00:42:38,480 --> 00:42:41,240
David, I'm going to take you 
back even further. 

843
00:42:41,600 --> 00:42:48,480
So this is kind of a fun one. 
So I met Steve Ballmer over a 

844
00:42:48,480 --> 00:42:51,040
decade ago. 
Of course, I remember that. 

845
00:42:51,040 --> 00:42:54,280
He's like a giant, right? 
He's a very large human being, 

846
00:42:54,280 --> 00:42:57,640
which I think you don't realize 
until you meet him in person. 

847
00:42:58,960 --> 00:43:04,920
But he's also a very nice man. 
So I think sometimes people 

848
00:43:04,920 --> 00:43:09,160
don't think about that when they
think of him, but like, that's 

849
00:43:09,160 --> 00:43:13,520
what I was reminded of is just 
like, he was a gentle giant, if 

850
00:43:13,520 --> 00:43:17,320
you will. 
I've never met Bill Gates. 

851
00:43:17,320 --> 00:43:20,160
I've never met Paul Allen. 
I love the pictures of them, 

852
00:43:20,160 --> 00:43:23,040
like when they first started the
company because Paul's got that 

853
00:43:23,040 --> 00:43:27,160
big grizzly beard and Bill's 
kind of like this younger, like 

854
00:43:27,160 --> 00:43:32,280
lean kind of guy. 
But I'm wondering, have you ever

855
00:43:32,280 --> 00:43:37,080
met any of those 3? 
I've met Bill in passing, 

856
00:43:37,080 --> 00:43:39,280
but not like never had any 
presentation. 

857
00:43:39,280 --> 00:43:41,280
Same thing with Ballmer. 
I've been in meetings with 

858
00:43:41,280 --> 00:43:45,480
Ballmer and Satya. 
So I mean, these things are are 

859
00:43:45,560 --> 00:43:47,200
it's great to be in those 
conversations. 

860
00:43:47,200 --> 00:43:51,560
It's great to watch them in 
action Is like, you know, not 

861
00:43:51,560 --> 00:43:56,120
only is Ballmer and now Satya 
and incredibly, you know, I 

862
00:43:56,120 --> 00:44:00,200
think almost at your point, 
gentle giants, but kind of what,

863
00:44:00,200 --> 00:44:02,440
but I'd also say why isn't 
smart, but asking the right 

864
00:44:02,440 --> 00:44:06,320
questions And that's what you 
want your leaders, right, is the

865
00:44:06,320 --> 00:44:08,880
right questions you've asked 
right, You know, challenge 

866
00:44:08,880 --> 00:44:13,640
assumptions. 
Ballmer did that and now Satya 

867
00:44:13,640 --> 00:44:17,600
does that in spades. 
Like the the questions and and 

868
00:44:17,600 --> 00:44:19,200
continue to learn and self 
improve. 

869
00:44:19,200 --> 00:44:21,880
That's a cornerstone of our 
culture, right as Microsoft and 

870
00:44:22,320 --> 00:44:25,680
I think we've evolved over time 
to get that. Our CEOs over 

871
00:44:25,680 --> 00:44:29,200
the years have been continuing 
to build that the cultural 

872
00:44:29,200 --> 00:44:31,760
improvement, which you know, 
I'm, I'm excited about and I 

873
00:44:31,840 --> 00:44:33,720
I've watched it happen. 
I've watched the 

874
00:44:33,720 --> 00:44:38,880
company go from a very and 
sometimes difficult culture at 

875
00:44:38,880 --> 00:44:42,280
times where you you have, you 
know, inflicting potentially 

876
00:44:42,280 --> 00:44:46,280
conflicting situations to where 
you know, it is much more of a 

877
00:44:46,280 --> 00:44:49,280
one Microsoft kind of challenge 
assumptions to make yourself 

878
00:44:49,320 --> 00:44:52,520
make the company better make do 
growth mindset kind of mentality

879
00:44:52,520 --> 00:44:56,440
essentially would call it right.
So, yeah, I, I love where we are

880
00:44:56,440 --> 00:45:00,080
and our leaders have, I think 
back to your point, grown and 

881
00:45:00,080 --> 00:45:04,760
and it's just, it's just amazing
to this history we've had and 

882
00:45:04,760 --> 00:45:06,840
how we've changed so much as a 
company over the years, but. 

883
00:45:08,360 --> 00:45:11,320
An interesting ride for sure. 
So I'm I'm happy you're able to 

884
00:45:11,320 --> 00:45:13,160
spend some time with us. 
I know it's a for us. 

885
00:45:13,160 --> 00:45:15,360
It's a Friday, late afternoon 
for you. 

886
00:45:15,360 --> 00:45:18,640
I want to get the weekend 
started before we let you go. 

887
00:45:18,960 --> 00:45:21,120
What do you do for fun outside 
of this? 

888
00:45:21,120 --> 00:45:22,480
I think you mentioned you have 
some travel. 

889
00:45:22,480 --> 00:45:24,480
Maybe you're going to Hawaii. 
Yeah, I know. 

890
00:45:24,480 --> 00:45:28,960
I'm a big travel fan. 
I love to travel tropical places

891
00:45:28,960 --> 00:45:30,760
in particular. 
So, you know, if you put me on a

892
00:45:30,760 --> 00:45:33,920
beach, you know, I'll, I'll 
happily follow a turtle kind of 

893
00:45:33,920 --> 00:45:37,240
deal, you know, go, go 
snorkeling, follow a turtle, go 

894
00:45:37,240 --> 00:45:40,240
diving, go, go explore a little 
bit, right, Those kind of 

895
00:45:40,240 --> 00:45:43,160
things. 
But that's my, my happy place, 

896
00:45:43,200 --> 00:45:45,040
right. 
So, you know, when I'm in the 

897
00:45:45,040 --> 00:45:47,320
Seattle Redmond area, it's like 
it's cold. 

898
00:45:47,320 --> 00:45:50,200
It's, you know, not not nice. 
Now when I travel, yeah, I'm 

899
00:45:50,200 --> 00:45:54,160
happy. 
Is there a particular place that

900
00:45:54,160 --> 00:45:56,120
you like to go the best? 
Like what's your favorite spot 

901
00:45:56,120 --> 00:46:00,240
to go to? 
I'm, I'm still a Maui fan, kind 

902
00:46:00,240 --> 00:46:03,320
of Polly Maui. 
That's my home base basically 

903
00:46:03,320 --> 00:46:05,080
when I'm, when I'm in the 
islands. 

904
00:46:05,400 --> 00:46:08,640
But you know, anything tropical 
with beautiful sand, you know, 

905
00:46:08,680 --> 00:46:12,560
I, that's nice water that's fits
my place, right? 

906
00:46:12,560 --> 00:46:16,560
So almost anywhere. 
I mean, I, I've been to many, 

907
00:46:16,560 --> 00:46:19,240
many places like that. 
You know, I've been to Tahiti 

908
00:46:19,240 --> 00:46:21,800
and lots of, lots of great 
tropical destinations. 

909
00:46:21,800 --> 00:46:25,640
But for me, Hawaii and Maui is 
why still home base, right? 

910
00:46:26,920 --> 00:46:28,880
All right, so you're a veteran. 
I've never been to Hawaii. 

911
00:46:28,880 --> 00:46:32,880
Give me a pro tip that I can use
to say OK you know this is not 

912
00:46:32,880 --> 00:46:34,560
some newbie coming over from the
mainland. 

913
00:46:36,160 --> 00:46:40,080
I I think be open, be kind for 
Maui. 

914
00:46:40,120 --> 00:46:44,120
I mean, Maui, the people, the 
place, respect for the 

915
00:46:44,120 --> 00:46:47,720
environment, it's really 
cornerstone. 

916
00:46:47,720 --> 00:46:50,960
You come in as a, a tourist, 
you're not going to get, it's 

917
00:46:50,960 --> 00:46:54,640
not as quite as you want to be. 
I, I guess I should say, not not

918
00:46:54,640 --> 00:46:56,960
come in as a tourist, but come 
in as someone who wants to 

919
00:46:57,360 --> 00:46:59,880
embrace the area and, and, you 
know, embrace the culture, 

920
00:46:59,880 --> 00:47:03,800
embrace the beauty, you know, 
and, and not running to go to 

921
00:47:03,800 --> 00:47:05,960
the mall, not running to go to 
some restaurant, right? 

922
00:47:07,000 --> 00:47:10,240
Like just enjoy the time, enjoy 
the people, enjoy the culture, 

923
00:47:10,240 --> 00:47:11,680
right? 
That's, that's to me, the 

924
00:47:12,080 --> 00:47:14,760
Hawaiian thing, right? 
You know the spirit of Aloha is 

925
00:47:14,760 --> 00:47:17,920
real. 
Jim, have you ever been to 

926
00:47:17,920 --> 00:47:20,840
Hawaii? 
I have and I've been to Maui and

927
00:47:21,000 --> 00:47:25,400
I love Maui and my I've only 
been there once with my pro tip 

928
00:47:26,120 --> 00:47:30,000
would be I'm just as outside of 
all the tips that everybody will

929
00:47:30,000 --> 00:47:33,680
give you. 
You got to be on island time. 

930
00:47:33,960 --> 00:47:36,440
If you go there and you're like,
all right, chop, chop got to, 

931
00:47:37,040 --> 00:47:38,680
you know, we're going to get 
breakfast and we're going to 

932
00:47:38,680 --> 00:47:40,160
drive all the way around the 
island. 

933
00:47:40,160 --> 00:47:43,520
Then we're going to do XY and Z.
You're you're probably not going

934
00:47:43,520 --> 00:47:47,440
to be happy there. 
I'll still be happy there, but 

935
00:47:47,440 --> 00:47:49,520
you might make everybody else 
miserable. 

936
00:47:50,120 --> 00:47:54,160
Go there, be on island time and 
then you know the tips that 

937
00:47:54,160 --> 00:47:57,040
everybody will give you, you got
to try the banana bread. 

938
00:47:57,040 --> 00:47:59,720
So there's this. 
You can drive all the way around

939
00:47:59,720 --> 00:48:04,200
Maui and like you feel like 
you're in different different 

940
00:48:04,200 --> 00:48:06,840
places at different parts of the
island because of the amount of 

941
00:48:06,840 --> 00:48:08,560
rain that they get and stuff 
like that. 

942
00:48:08,920 --> 00:48:11,640
And there's also a big thing 
which I've not done, but when I 

943
00:48:11,640 --> 00:48:15,680
get back I want to do, which is 
you can get on the bike and go 

944
00:48:15,680 --> 00:48:18,200
around this volcano and 
basically you don't have to 

945
00:48:18,200 --> 00:48:20,680
pedal because the car drives you
to the top. 

946
00:48:20,960 --> 00:48:24,600
And then you just ride the bike 
down the volcano and grab it 

947
00:48:24,600 --> 00:48:29,840
like gravity do the work. 
But you can, you can rent a 

948
00:48:29,840 --> 00:48:32,240
Jeep or something like that, 
drive all the way around the 

949
00:48:32,240 --> 00:48:34,360
island. 
And there are people who live on

950
00:48:34,360 --> 00:48:39,280
these like little plantations 
and they just, I don't know if 

951
00:48:39,280 --> 00:48:41,920
you would call it like survival 
farming or whatever, but they, 

952
00:48:42,240 --> 00:48:45,000
they basically just like live 
there and they do the farming 

953
00:48:45,000 --> 00:48:47,720
and then they make the banana 
bread and sell it on the 

954
00:48:47,720 --> 00:48:50,480
roadside and it's just super 
cool. 

955
00:48:50,560 --> 00:48:52,800
If you haven't been there, you 
definitely should put it on your

956
00:48:52,800 --> 00:48:54,560
list. 
Oh no. 

957
00:48:54,560 --> 00:48:56,880
Banana bread, Yes. 
I'll say you're getting a head 

958
00:48:56,880 --> 00:48:58,200
nod from David. 
So definitely you're hitting 

959
00:48:58,200 --> 00:49:01,480
that chord there. 
Yeah, and, and, you know, you're

960
00:49:01,480 --> 00:49:03,640
right on the island time thing. 
Absolutely. 

961
00:49:03,640 --> 00:49:05,480
Just chill, you know, that's 
what I mean. 

962
00:49:05,520 --> 00:49:09,520
I'll follow a turtle, 
respectfully of course. 

963
00:49:10,240 --> 00:49:12,680
Yeah, respectfully, that sounds 
like something I can get behind 

964
00:49:12,680 --> 00:49:15,160
when I go on vacation. 
I I don't typically like to have

965
00:49:15,160 --> 00:49:16,520
an itinerary. 
It's kind of like, all right, 

966
00:49:16,520 --> 00:49:17,640
we'll just kind of do whatever 
today. 

967
00:49:17,640 --> 00:49:21,000
So island time sounds like the 
the perfect spot for me. 

968
00:49:21,000 --> 00:49:23,640
So OK, we're going to let you 
go. 

969
00:49:23,640 --> 00:49:25,800
David, we appreciate you 
spending some time with us. 

970
00:49:25,800 --> 00:49:27,680
We're going to wrap things up 
for this week. 

971
00:49:28,560 --> 00:49:30,480
Let's see what else. 
I'm going to have your LinkedIn 

972
00:49:30,760 --> 00:49:31,960
in our show notes, if that's all
right. 

973
00:49:31,960 --> 00:49:35,200
People have questions about 
things or whatever it may be, 

974
00:49:35,960 --> 00:49:36,960
you know, feel free to reach 
out. 

975
00:49:36,960 --> 00:49:40,560
And then I hope you'll come back
and and share some more tips and

976
00:49:40,560 --> 00:49:44,680
tricks from the the wizard 
himself at some point in the 

977
00:49:44,680 --> 00:49:46,880
future. 
So with that, we'll leave it 

978
00:49:46,880 --> 00:49:48,640
for this week. 
You can find us on the web, 

979
00:49:48,640 --> 00:49:51,760
idacpodcast.com. 
If you like what you heard, hit 

980
00:49:51,760 --> 00:49:54,120
that like and subscribe button, 
whether you're on YouTube or 

981
00:49:54,440 --> 00:49:57,240
whatever podcast, if you don't 
like it, hit like anyway and 

982
00:49:57,240 --> 00:49:59,360
then send it to a friend and 
trick them into listening to it.

983
00:49:59,400 --> 00:50:01,200
We don't care as long as people 
are listening or watching. 

984
00:50:01,200 --> 00:50:03,800
That works for us. 
And yeah, connect with us on 

985
00:50:03,800 --> 00:50:06,840
LinkedIn if you have questions, 
comments, ideas for shows, 

986
00:50:06,840 --> 00:50:08,840
things like that. 
Jim and I read all that stuff 

987
00:50:08,880 --> 00:50:11,960
and we try to take that under 
advisement for future episodes. 

988
00:50:11,960 --> 00:50:15,840
So thanks everybody for watching
and or listening and we'll talk 

989
00:50:15,840 --> 00:50:20,440
with you all in the next one. 
You've been listening to 

990
00:50:20,440 --> 00:50:24,360
Identity at the Center. 
We hope you've enjoyed the show.

991
00:50:24,560 --> 00:50:28,640
Make sure to like, rate and 
review, and we'll be back soon. 

992
00:50:28,920 --> 00:50:31,200
But in the meantime, hit the 
website at 

993
00:50:31,200 --> 00:50:37,560
identity@thecenter.com. 
See you next time on Identity at

994
00:50:37,560 --> 00:50:38,440
the Center.
