
Microsoft Teams Governance Software: Self-hosted vs. SaaS

If you are about to make a decision about a SaaS-based governance solution, then you really need to read this article.  

Companies are tending to use more and more SaaS-based software solutions instead of hosting the solutions themselves. SaaS solutions bring a lot of benefits and will become more and more common. Does this also hold for SaaS-based Microsoft Teams governance solutions?

Data protection and data security used to be knock-out criteria for an automated governance solution in your company; at the latest, the works council would have stopped it.

SaaS-based Microsoft Teams governance solutions have access to company-critical information and require the following authorisations: 

  1. Access to all files and documents created in SharePoint/Microsoft Teams
  2. Access to Teams chat and channels
  3. Access to apps
  4. Access to user profile information
  5. Access to all company emails 

While you have legally secured comprehensive data processing agreements with MS Teams to make the move to the cloud, the General Data Protection Regulation is still breathing down your neck.

In addition, your corporate and IT culture at all times requires the protection of intellectual property, i.e. the safeguarding of the intellectual property of corporate data within your company.

What is a SaaS (Software as a Service) solution? 

A SaaS - Software as a Service - solution describes how you consume a software system. A SaaS solution is hosted on your product vendor's environment.  

In our case, the environment is an Azure Tenant. 

This gives you the advantages of not having to install, maintain and buy the licences needed to run the software solution yourself.  

All activities are taken over by your product manufacturer.  

This saves you costs and time for the maintenance of the software.  

Usually, the SaaS-based software solutions are offered with a subscription payment model.  

You can rent the SaaS-based solutions on a monthly or annual basis.  

In addition to this, other SaaS payment models exist, which we will not go into in this article. 

Although a SaaS solution has many advantages, there is one point you should be aware of.  

Because SaaS solutions are hosted on the environment by the product vendor, the product vendor theoretically has access to the information that is stored on the environment. 

Many SaaS providers try to guarantee that no one will have access to the information, but technically it always remains possible.  

Therefore, you have to rely on the product manufacturer at this point. 

What is a self-hosted solution? 

A self-hosted solution is a software solution that is installed and hosted directly on your environment.  

It has the advantage that the product vendor does not have access to your company data. 

A self-hosted solution is the best option to avoid the unwanted access to the company data. 

The price of this security option is that you take over the tasks of installing the solution, maintaining it and updating it yourself.

Download Checklist: Optimal Governance for Microsoft Teams

Check all relevant aspects step by step to ensure optimal governance for Microsoft Teams

Download Checklist now  

Do you prefer SaaS solutions? 

Many companies prefer SaaS solutions because of their IT strategy. It may be that your company has the same strategy.  

In principle, we recommend the use of SaaS solutions. Is the recommendation also valid for SaaS-based Microsoft Teams solutions? 

When choosing a SaaS-based governance solution, you have to pay attention to a few things. 

For the user, it makes no difference whether you use a SaaS or PaaS solution.

With a SaaS solution, however, it is imperative to explicitly sensitise all users to the data protection regulations. 

The reason for this is the technically possible access to all data by the SaaS provider. This must therefore be regulated in a legally secure way in a data processing contract. 

A SaaS-based governance solution will access your company data from the outside. For access, appropriate exceptions must be set on your environment, which your IT administrators will not be happy about. 

In addition, governance solutions require very high permissions to provision workspaces in Microsoft Teams.  

Your environment is accessed with refresh tokens. If this refresh token is not stored securely and is stolen, whoever holds it has access to critical company information. This can amount to a breach of data protection rights.

The following permissions must be enabled for a SaaS solution (criticality rated from a privacy and security perspective):

Microsoft Graph permissions*

  • Application.ReadWrite.All (non-critical): Allows the app to create, read, update and delete applications and service principals on behalf of the logged-in user.
  • Directory.AccessAsUser.All (non-critical): Allows the app to have the same access to information in the directory as the logged-in user.
  • Directory.ReadWrite.All (critical): Allows the app to read and write data in your organisation's directory without a user logged in, such as users and groups. Does not allow it to delete a user or group.
  • Group.ReadWrite.All (very critical): The app can create groups, read and update group memberships and delete groups. The app can also perform read and write operations for calendar, conversations, files and other group content for all groups. All of these operations can be performed by the app without a user logged in. This theoretically gives the product provider access (read and write) to all documents and messages of the company. The point can lead to major discussions with the works council and internal security teams. In addition, IT managers usually have to justify the situation of theoretical access to data to the management. The directors ultimately bear the responsibility with personal liability.
  • Notes.Read.All (very critical): Allows the app to read OneNote notebooks that the logged-in user in the organisation has access to. This theoretically gives the product provider access (read and write) to all notes in the organisation.
  • Organization.Read.All (non-critical): Allows the app to read organisation and related resources on behalf of the logged-in user. Related resources include, for example, subscribed SKUs and client branding information.
  • Team.ReadBasic.All (non-critical): Retrieve a list of all teams without a user being logged in.
  • User.Read.All (critical): Allows the app to read the full set of profile properties, reports and supervisors of other users in your organisation on behalf of the logged-in user.

Microsoft SharePoint permissions*

  • Sites.FullControl.All (very critical): Allows the app to gain full control of SharePoint sites in all site collections without a logged-in user. This theoretically gives the product provider access (read and write) to company information stored in SharePoint.
  • Sites.Manage.All: Allows the app to manage and create lists, documents, and list items in all site collections without a logged-in user.

*Source: Microsoft
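Before granting a vendor app the permissions above, and periodically afterwards, an administrator should check what the app's service principal actually holds in the tenant. The script below is an added example, not code from the article or its vendor: it parses the two Microsoft Graph objects that record consent for an enterprise application (appRoleAssignments for application permissions that work without a signed-in user, and oauth2PermissionGrants for delegated permissions that act as a user) and rates each permission with the criticality the article's table assigns. The JSON inputs are constructed sample data in the shape Graph returns for GET /servicePrincipals/{id}/appRoleAssignments and GET /oauth2PermissionGrants; the GUIDs and ids are placeholders, not Microsoft's real role ids.

```python
"""Audit the permissions a third-party (SaaS) app holds in a Microsoft Entra tenant.

Added example; not code from the article or its vendor. It rates the consent
records of an enterprise application against the article's criticality table.
All JSON below is constructed sample data; GUIDs are placeholders.
"""
import json
from dataclasses import dataclass

# Criticality ratings exactly as given in the article's table.
# Sites.Manage.All has no rating in the article, so it is deliberately absent.
CRITICALITY = {
    "Application.ReadWrite.All": "non-critical",
    "Directory.AccessAsUser.All": "non-critical",
    "Directory.ReadWrite.All": "critical",
    "Group.ReadWrite.All": "very critical",
    "Notes.Read.All": "very critical",
    "Organization.Read.All": "non-critical",
    "Team.ReadBasic.All": "non-critical",
    "User.Read.All": "critical",
    "Sites.FullControl.All": "very critical",
}

# Constructed sample: the resource service principal (here Microsoft Graph) lists
# its appRoles. An appRoleAssignment only carries the role GUID, so the readable
# value ("Group.ReadWrite.All") must be resolved through this list.
RESOURCE_SP = json.loads("""{
  "id": "res-sp-0001",
  "displayName": "Microsoft Graph",
  "appRoles": [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "Group.ReadWrite.All"},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "Team.ReadBasic.All"},
    {"id": "33333333-3333-3333-3333-333333333333", "value": "Directory.ReadWrite.All"}
  ]
}""")

# Constructed sample: application permissions granted to the governance app's
# service principal ("gov-app-sp") on the resource above.
APP_ROLE_ASSIGNMENTS = json.loads("""{"value": [
  {"appRoleId": "11111111-1111-1111-1111-111111111111", "resourceId": "res-sp-0001", "principalId": "gov-app-sp"},
  {"appRoleId": "22222222-2222-2222-2222-222222222222", "resourceId": "res-sp-0001", "principalId": "gov-app-sp"}
]}""")

# Constructed sample: delegated permissions. consentType "AllPrincipals" means an
# admin consented for every user; "Principal" means one user consented for himself.
OAUTH2_GRANTS = json.loads("""{"value": [
  {"clientId": "gov-app-sp", "resourceId": "res-sp-0001", "consentType": "AllPrincipals",
   "scope": "User.Read.All Notes.Read.All Organization.Read.All"}
]}""")


@dataclass
class Finding:
    permission: str
    kind: str         # "application" (no signed-in user) or "delegated"
    consent: str      # "admin" (app role / AllPrincipals) or "user" (single principal)
    criticality: str


def resolve_app_roles(resource_sp: dict) -> dict:
    """Map appRole GUID -> permission value for one resource service principal."""
    return {r["id"]: r["value"] for r in resource_sp.get("appRoles", [])}


def audit(resource_sps: list, assignments: dict, grants: dict) -> list:
    """Turn raw consent records into rated findings, most critical first."""
    roles_by_resource = {sp["id"]: resolve_app_roles(sp) for sp in resource_sps}
    findings = []
    for a in assignments.get("value", []):
        roles = roles_by_resource.get(a["resourceId"], {})
        value = roles.get(a["appRoleId"], "<unknown role " + a["appRoleId"] + ">")
        findings.append(Finding(value, "application", "admin", CRITICALITY.get(value, "unrated")))
    for g in grants.get("value", []):
        consent = "admin" if g.get("consentType") == "AllPrincipals" else "user"
        for scope in g.get("scope", "").split():  # Graph stores scopes space-separated
            findings.append(Finding(scope, "delegated", consent, CRITICALITY.get(scope, "unrated")))
    order = {"very critical": 0, "critical": 1, "unrated": 2, "non-critical": 3}
    return sorted(findings, key=lambda f: (order[f.criticality], f.permission))


def summarize(findings: list) -> dict:
    """Count findings per criticality; usable as a gate in a security review."""
    counts = {}
    for f in findings:
        counts[f.criticality] = counts.get(f.criticality, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit([RESOURCE_SP], APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS)
    for f in results:
        print(f"{f.criticality:14} {f.kind:12} {f.consent:6} {f.permission}")
    print(summarize(results))
```

Run as-is, the report lists Group.ReadWrite.All (application, admin consent) and Notes.Read.All (delegated) as very critical, User.Read.All as critical and the rest as non-critical. Permissions the article does not rate come out as "unrated" rather than being silently treated as harmless, and an appRoleId that cannot be resolved against the resource's appRoles is surfaced as an unknown role so the reviewer sees it.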

 


Do you prefer self-hosted solutions? 

If you answer in the affirmative to one or more of the following aspects, then you have increased security requirements. A self-hosted solution is an option for your governance requirements.  

  • Your company is subject to the GDPR
  • You want to prevent your company's data from being shared with third-party providers at all costs
  • Your business increasingly deals with sensitive personal data, such as the finance and insurance industry or medicine and pharmaceuticals
  • You do not want to give third-party providers access to your tenant  

An alternative to this can be an internal development and implementation with Microsoft PowerShell scripts. This is then also hosted in your tenant like a self-hosted solution. 

With the self-hosted variant, you have maximum data isolation so that the product manufacturer has no access to your data.  
Your self-hosted solution is also not accessible from the outside. 
You enable maximum security with a self-hosted solution. 

SaaS solutions are not inherently insecure. However, you should carefully consider this aspect when deciding on your governance solutions, as SaaS-based governance solutions require high rights on your tenant. 

 

Advantages of a SaaS-based governance solution 

Depending on your requirements and IT strategy, you can benefit from the following advantages. 

  • The product manufacturer takes care of the installation of the solution - With a SaaS solution, you save yourself the entire installation process. Once you subscribe to the solution, you have the solution within minutes. This saves you an enormous amount of time when you opt for a SaaS-based solution.
  • You don't need to maintain the solution yourself - After installing a governance solution, you need to perform maintenance on the infrastructure. With a SaaS solution, you don't have to worry about the infrastructure because the maintenance is taken care of by the product vendor.
  • You save on infrastructure costs - Since the solution is run on the product vendor's environment, you do not have to bear the infrastructure costs.  Infrastructure costs are included as a lump sum in your subscription. 
  • Simple update processes - The updates are installed on your environment by the product manufacturer. You do not need a highly competent employee to accompany the update process. 


Disadvantages of a SaaS-based governance solution 

A SaaS-based governance solution includes attractive advantages and follows the trend in the software development world. However, it does not mean that it is the perfect option over the self-hosted variant. The following points highlight the disadvantages of a SaaS-based governance solution.

  • The product vendor theoretically has access to your data - The most important point to consider with a SaaS-based Microsoft Teams governance is access to company data. The product vendor stores your data on their environment and can theoretically access the data. It is hugely important that your product vendor has certifications such as ISO 9001 and ISO 27001. Ask about quality assurance measures before you choose a SaaS-based governance solution.
  • Major security breaches occur if the Refresh Token is stolen - In case of errors, third parties can access your environment and read corporate information such as emails, documents, OneNote notes, etc. This is the biggest risk that an IT manager has to take and defend to the management. A Refresh Token is required to access your environment and must be stored on the vendor's database. Therefore, check how the Refresh Token is stored on the product manufacturer's database and which services can access the token. It is also important to be able to prove that the token can be deleted by a central office at your request. Before purchasing SaaS-based governance software, conduct a security review of the solution and find out how your data is handled. 
  • The product vendor gets very high permissions from you - and has high rights to access your environment from the outside. 
  • No control over the timing of updates - you can neither push back the timing nor apply updates early if this is in your interest. This sovereignty remains with the manufacturer. 

Advantages of a self-hosted governance solution 

  • Full control over all data - No one from outside your organisation gets access to your internal data with a Platform as a Service solution. All data is located exclusively within your tenant. In this way, you ensure that no unauthorised access takes place. You guarantee data security.
  • High authorisation levels remain in the tenant - Some tasks, such as creating a team room, require very high authorisation levels. The self-hosted solution requires high authorisation levels only within your tenant. There is no need to assign any authorisation shares for access from outside the tenant. IT staff monitor everything based on Azure features. You only grant permissions to the provider for the initial provisioning and installation process. You retain full control.
  • Full flexibility over the timing of updates - you alone determine the exact timing of when updates are applied. Fast and short-term updates can be helpful if you want to provide your users with enhanced functionalities as early as possible. Delaying updates can be useful if certain projects need to be completed beforehand. Another reason can be ongoing processes that can influence the timing of the update.
  • Control over Azure services - you decide which services you need and which you can do without. In this way, you scale as you wish on your tenant when and which services provided by your PaaS provider are available to you. For example, you can set yourself how long you want to keep your database backups.  You scale up as soon as it becomes necessary for the duration defined by you. Compliance regulations can be implemented in a customised manner.
  • Adaptable to company requirements - A self-hosted solution offers you full freedom to map and freely configure your own processes. Expand according to your requirements and integrate additional application components. 

Disadvantages of a self-hosted governance solution 

As soon as you have stricter requirements due to your business model, the self-hosted variant will be interesting for you.  

There are also disadvantages with this variant that you should consider:
 

  • Infrastructure costs - In addition to the licensing costs, you will incur the infrastructure costs or the cost of the Microsoft Azure services. Although they are usually not high, you must take the costs into account in your cost calculation.
  • Effort for maintenance internally or by your service provider - Since the product manufacturer does not have access to your environment, the solution cannot be maintained by the manufacturer. In this case, you must either maintain the solution yourself or arrange appointments with the product manufacturer to handle the maintenance and servicing.
  • Not immediately ready to use - From the moment the decision is made, the solution is not immediately available. The pure installation can be carried out within one day. Scheduling this appointment and carrying out the implementation, including the coordination, can take about 4 weeks, depending on the workload of the provider.


Conclusion

As soon as it is important for your company to retain full control over the data at all times, a self-hosted solution has decisive advantages over a SaaS solution. 

Strict data protection requirements can be implemented with a self-hosted solution without having to negotiate and conclude further data processing agreements. 

Data security is ensured by the fact that the solution provider has no access to your tenant. You do not have to release any rights. 

You are independent of the solution provider's update cycles and decide for yourself whether you are an early adopter or prefer to wait for each available update. 

Scalability and expandability of the self-hosted solution are further advantages compared to a software-as-a-service governance automation.