Microsoft 365 Guidance for UK Government: External Collaboration

By James Noyce, Senior Technical Specialist, Microsoft UK
Steve Jenkinson, Microsoft 365 Architect, Microsoft UK

07/08/2023

All great movies have a sequel, right? Well, the continuously improving nature of Microsoft 365 gives rise to the perfect opportunity for us to publish a sequel to the guidance we published in June 2022, for government organisations and other organisations that work with government, looking to improve their collaboration experience. This blog post provides some context to that sequel.

For those looking for the full history behind the first release, please see the Cross Government Collaboration Blueprint – History Refresher content at bottom of this blog.

The story so far…

In June 2021, we partnered with the Central Digital and Data Office and the National Cyber Security Centre (NCSC) and set out to improve the collaboration experience for UK government organisations by creating a Cross-Government Collaboration Blueprint. The blueprint was created by focussing on key scenarios developed in consultation with several government organisations. It is designed to be used in conjunction with the other guidance we have published, which focuses on Secure Configuration, BYOD, and Information Protection (more on that later). Please be sure to check out those too, so you have the full ‘box set’.

Fast forward to today, we’ve given that ‘box set’ a new name that makes it clear how the guidance fits together, seen in this illustration:

Microsoft 365 Guidance for UK Government: Information Protection	Microsoft 365 Guidance for UK Government: External Collaboration	Microsoft 365 Guidance for UK Government: Bring Your Own Device
Microsoft 365 Guidance for UK Government: Secure Configuration Blueprint

We also updated the guidance based on real-world feedback and product evolution to include the following:

Addition of Shared Channels guidance
Updates that clarify Calendar Availability guidance
Azure AD B2B updates
Brand and naming updates to align with changes to Microsoft technology
Teams 2.0 Release
A statement in the Strategy regarding Google Federation

A notable recent development is the update to the Government Security Classification Policy (GSCP). Microsoft has partnered with Government Security Group, the Central Digital and Data Office and the National Cyber Security Centre (NCSC) to provide configuration guidance for those wishing to implement the OFFICIAL tier of the GSCP using Microsoft Purview Information Protection (MPIP), available as part of Microsoft 365. The guidance assists those wishing to classify and protect files, control who can access them, and allow greater control when sharing information between departments, partner organisations, and customers. You can read about the Microsoft 365 Guidance for UK Government: Information Protection in another blog post.

Download the documents

Strategy Document

Technical Guide

About the authors

James Noyce, Senior Technical Specialist, Microsoft UK James has spent his entire IT career of 25 years specialising in the security arena, the last 20 of which have been for Microsoft. Based in the UK, he works in the key areas of security and identity in the public sector as a Cyber Cloud Solutions Architect. He is a regular contributor to Microsoft docs for Securing Privileged Access and was the lead architect for the Office 365 and BYOD guidance produced for Cabinet Office and NCSC.

Steve Jenkinson, Microsoft 365 Architect, Microsoft UK Steve is an experienced IT Professional with over 20 years’ experience, working with clients across the world in multiple industries to help them achieve their goals in digital transformation. Recently Steve has been aligned to public sector clients, leading them to get the most out of their investment in the Microsoft cloud.

Cross Government Collaboration Blueprint – history refresher

We started this work in 2021 by consulting a broad group of end users from across government, and we found that there was an inconsistent user experience when working with colleagues from other organisations due to differences in configuration. The guidance helps to address this, and it is important to keep up with the recent developments of Microsoft 365, which is why we have updated the guidance.

We determined that a baseline configuration for government organisations would enable a more consistent and secure approach to collaboration. The recommended configuration we’ve produced focuses on these key areas:

Keeping control of documents and allowing real-time co-authoring by sharing links rather than sending documents as email attachments.
Making it easier to arrange meetings by allowing people to share their calendar availability across government.
Allowing people to work more effectively as a team by enabling instant messaging and other features of Microsoft Teams.

Crucially, we’ve recommended an open approach to collaboration by default, giving users the freedom to choose who they collaborate with. This is a move away from a more restrictive ‘allow list’ approach which can create barriers to collaboration.

Does this approach make it less secure? No. Here’s what the NCSC have said:

“By following the Secure Configuration Alignment and applying the cross-government collaboration guidance on top, it is the NCSC’s view that Microsoft 365 can be appropriately configured to protect an organisation’s data against the threat profile for the OFFICIAL classification when collaborating and sharing information between government departments. The NCSC expects that guidance related to collaboration and security is implemented in its entirety to avoid gaps and weaknesses leading to increased risk of a data breach.

“The NCSC believes that modern cross-organisation collaboration services that share access to information via its originating system will be more secure than traditional methods such as sending copies as email attachments to external organisations. By using modern collaboration practices, such as those described in this guidance, organisations have greater auditing and visibility of how their data is being handled and more options for owning who and where their information is handled.”
National Cyber Security Centre

The Blueprint is intended to be a baseline upon which individual organisations can build. For example, if an organisation identifies specific needs that aren’t met by the Blueprint, there is flexibility for them to go further and implement even tighter controls, while being mindful that this could impact on people’s collaboration experience.