Transforming change management at Microsoft with Microsoft 365

Aug 31, 2021   |  

Once Microsoft 365 became a service, the way IT managers needed to think about change management had to change, and dramatically so.

“We were no exception,” says David Johnson, who leads the team that governs how Microsoft 365 is deployed across Microsoft. “Microsoft 365 started changing every day, and we needed to figure out how to keep up.”

The transition to living in this new “software as a service” world was further complicated when the global COVID-19 pandemic pushed much of the workforce into remote and hybrid environments.

The pressure on IT administrators at Microsoft and everywhere ratcheted up tremendously.

It’s a hot topic for customers—how do I decide what I’m going to turn on for my company effectively? From an industry perspective, this is a fairly important conversation.

—David Johnson, principal program manager, Microsoft Digital

“This was a lot to absorb for an industry that had previously thrived on consistency, reliability, and predictability,” says Johnson, a principal program manager in Microsoft Digital, the organization that powers, protects, and transforms Microsoft.

Change became the new constant. And dealing with that level of change, well, that’s something everyone is still getting used to.

“It’s a hot topic for customers,” says Johnson, whose team has been at the forefront of both the industry shift to the cloud and the tech demands of a new mobile workforce. “How do I decide what I’m going to turn on for my company effectively? From an industry perspective, this is a fairly important conversation.”

Microsoft Teams alone has hundreds of new features and changes in development at any given time. The rest of the Microsoft 365 suite—which includes Microsoft Office apps, hosted email, and the Microsoft SharePoint glue connecting it all—has also seen rapid changes.

Johnson’s goal was to handle the change management for all Microsoft 365 products in the same way. His team’s approach falls along getting three things right: initial triage, putting guardrails in place to allow innovation, and staying current on the latest news.

[Read how Microsoft is modernizing its data estate. Find out how Microsoft is implementing a Zero Trust security model internally.]

Triage for an upcoming change

IT administrators largely control what changes become available to employees, who in the workforce can see those experiences, and how to configure for them. Sometimes updates are relatively easy to deploy, such as adding the ability to raise a virtual hand in a Microsoft Teams meeting. Other times, they might involve trickier issues such as artificial intelligence or data mining—and then the concept of triage becomes paramount.

Broadly speaking, Microsoft’s internal triage involves two basic concepts: developing a posture—a set of IT principles for your company—and ensuring that features or change management fit within that posture. A posture could define the levels of security and data privacy needed, for example.

Once that posture is in place, triaging against it becomes easier. The first step is to evaluate what’s coming and determine how significant the change is; then run the change through a series of questions that reflect a company’s IT posture, such as:

  • Does this need a security review?
  • Do you need to run this by your privacy experts?
  • What are the legal implications of turning this feature on?
  • Does your human resources team need to be involved?
  • What is the IT manageability impact? Are there any IT resource impacts?
  • Are there employee experience implications that you’ll need to communicate?

Guardrails to encourage innovation and collaboration

Microsoft spends a lot of time talking about privacy and security, but just as crucial to the company are the creativity, innovation, and collaboration that take place within its workforce.

One of Microsoft’s most important postures is maintaining the sometimes tricky balance between protecting employees while still allowing them to chat freely and to share files and collaborate across multiple platforms. To that end, the company relies on the concept of guardrails that maintain security and privacy while at the same time giving people room to move.

One way to test the balance between security and innovation is by using an internal ring structure to deploy change management. The first ring of initial users is where some of the most important testing takes place, and as a feature matures it gradually sees broader distribution. At Microsoft, a group of employees who are enthusiastic about new features has signed up to see early deployments. That group, called Microsoft Elite users, often comprises one of the earliest rings.

The ring structure can be used for any IT department that wants to slowly roll out changes and monitor the effects prior to impacting users on a broad scale.

The team that manages the deployment of Microsoft Exchange internally at Microsoft uses rings to try out new features before they are broadly deployed across the company, says Nate Carson, a service manager who helps manage the company’s internal use of Microsoft Exchange.

“It lessens the impact to the broader company by doing it this way,” Carson says.

Using rings to try-it-before-you-deploy-it also gives security and data privacy teams more time to assess the impact of a new feature. That’s crucial for change management in the era of relentless hacking, ransomware, phishing, and other security attacks.

Companies need to be more aware of software features that are being released and understand how they might impact digital security.

—Lee Peterson, principal manager, Microsoft emerging technology standards and assurance

“There is an explosion of data, and really an explosion of hackers trying to get at your data,” says Faye Harold, principal program manager for information protection services on the Digital Security and Resilience (DSR) team in Microsoft Digital. She spends most of her time thinking about hackers and trying to outwit them. Because the end user is the last line of defense for information security, she also watches how those users respond to new features. “It’s mind-boggling how many attack vectors there are, and it’s all centered on people and their identities,” Harold says.

Microsoft has a set of security principles it has shared with product groups, says Lee Peterson, principal manager in DSR for emerging technology standards and assurance. There are expectations around data protection, and when a change or new feature is coming down the pipeline, he watches to see how it might impact the company’s security posture.

“Companies need to be more aware of software features that are being released and understand how they might impact digital security,” he says 

Staying on top of the news

The events of the last year show how quickly things can change for companies of all sizes. That’s why it’s important to be aware of the latest communications from software and service developers. Microsoft relies on a Microsoft 365 Message Center to keep customers aware of changes that impact the Microsoft Office 365 environment. It’s a link on the left side of the admin portal, and provides important news, detailed information, and visual indications of items that require administrator attention. It can describe the specific actions that administrators need to take for change management and the timeframes for those changes.

Another way to stay current on products and features is by checking in with the site, says Darren Moffatt, senior service engineer for Microsoft 365.

“It’s pretty much our encyclopedia of everything Microsoft,” Moffatt says. “It can be super technical, but it can also have good documentation on simply how a feature works from a visual perspective. So, my advice is if there are customers, especially admins that have not made reviewing part of their cadence or made a habit of checking it out and going to it as their reference, do that.”

The changing face of IT

As the modern workforce continues to shift productivity and resources to the cloud, IT is no longer just focused on tech support. It’s now deeply involved in business enablement and improving the bottom line.

IT historically was separated into different silos. The Microsoft SharePoint people were in one, and maybe the Microsoft Exchange people were in another, and everyone had their distinct roles. But those boundaries have come down as software has enabled more collaboration. Now, working in IT means having knowledge across disciplines, and Microsoft wants to immerse employees in different areas and give them experiences that help build broader skill sets and handle change management, Moffatt says. So, when change comes at you fast—as it often does—more of the team is ready to respond.

“Microsoft has also really pushed everybody so that every quarter you don’t just get to sit on your laurels,” he says. “You do have to be very clear about how you’re going to learn and grow as an employee.”

Employees don’t see the boundaries between the services, Johnson says. They see the boundaries across scenarios and those scenarios are now starting to blend.

“All of these services converged because our employee scenarios converged,” he says. “Collaboration doesn’t start or end at just a meeting. Voice call is no longer just a voice call, it’s now a chat and files that you’re sharing. That’s why you converge a lot of these experiences to enable effectively a more complete package for your employees.”

Check out the extensive IT library at

Here’s how to stay on top of Microsoft 365 changes.

Read how Microsoft is modernizing its data estate.

Implementing a Zero Trust security model at Microsoft.

Tags: ,