Supporting furloughed users in Office 365 & Teams
IT departments the world over have been relied upon heavily to keep their companies operational during the coronavirus lockdown: setting up secure remote working facilities, commissioning laptops, delivering Office 365 and Teams support and training, and more.
Now the subject of furloughing staff has reared its head, and again, IT teams will be helping their company tread the challenging path of ensuring business security and continuity, whilst dealing with this sensitive situation during unprecedented and challenging times.
In this article we are not providing advice on the legalities of furloughing. That’s one for your Legal and Human Resources department.
We do, however, want to share with you what we consider to be best practice in IT terms: setting out what’s possible, pointing out potential pitfalls and indeed highlighting some opportunities for making the best of this situation.
So let’s look at the foremost questions we are encountering from IT teams needing to support this activity:
So what exactly is furloughing?
For many, this may be the first time they’ve come across the term, but hopefully this dictionary entry explains it:
A furlough (/ˈfɜːrloʊ/; from Dutch: verlof, “leave of absence”) is a temporary leave of employees due to special needs of a company or employer, which may be due to economic conditions at the specific employer or in the economy as a whole.
A key aspect of furloughing is that organisations that cannot maintain their workforce because of the impact of the Coronavirus can apply for a government grant that covers a percentage of their employees’ wages.
Should furloughed staff have their accounts disabled or can we still allow them to check their email intermittently?
Your HR department may take the stance that furloughed staff need to have some way to receive updates from the company and therefore want them to maintain email access. Your company may also take the view that furloughed staff should be able to continue using company devices to stay in touch with friends and relatives whilst on lockdown. And, in any event, arranging for staff members to return company-owned devices is currently not practicable.
Is this OK? Well, no.
We have already seen examples of furloughed staff that still have access to company email for external communications – even though they have an out of office message to the contrary. This should not be happening.
The nature of furloughing is such that users should not do any work for your company during the furlough period, and that means not even checking email or taking calls.
Therefore, where possible, when a staff member is furloughed, you should:
- Immediately block their accounts from signing in on Office 365. If you are in a hybrid environment, you should reset their on-premises AD user password to avoid Azure AD sync delays.*
- Set up an out of office message with a short explanation and alternative contacts (your HR department should advise on the most appropriate content here). You might also set up an auto-forward.
- Block access (e.g. change passwords) to any other Shadow IT or systems (e.g. VPN) they use to do their job.
- Re-route calls (if this capability is in your domain).
- If possible (e.g. using MDM and Intune) decommission work-related devices, including laptops and phones.
*A tip here is to add the relevant users into one or more groups and apply a Conditional Access Policy that reflects the controls you want to put in place.
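As an added example (not part of the original article), the sign-in block, on-premises password reset and group membership steps above could be scripted as follows. It assumes the Microsoft Graph PowerShell SDK and the ActiveDirectory module; the user names and the `Furloughed-Staff` group name are placeholders, and the session revocation and CSV record are additions to the steps listed.

```powershell
# Added example. Requires the Microsoft.Graph module and, for hybrid tenants,
# the ActiveDirectory (RSAT) module on a domain-joined admin host.
# Constructed sample values: the UPNs and the group name are placeholders.
$furloughed = @('alice@contoso.example', 'bob@contoso.example')
$groupName  = 'Furloughed-Staff'   # hypothetical group scoped by a Conditional Access policy
$hybrid     = $true                # set to $false for cloud-only tenants

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.ReadWrite.All'

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found; create it first." }

function New-RandomPassword {
    # 24 random bytes as base64, plus a fixed suffix so complexity rules always pass.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes); $rng.Dispose()
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + '!aA1') -AsPlainText -Force
}

$report = foreach ($upn in $furloughed) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

    # 1. Block sign-in on Office 365.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # 2. Addition to the listed steps: revoke refresh tokens so signed-in
    #    clients cannot silently renew their sessions.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 3. Hybrid only: reset the on-premises AD password to a random value
    #    that nobody knows, rather than waiting for directory sync.
    if ($hybrid) {
        $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
        Set-ADAccountPassword -Identity $adUser -Reset -NewPassword (New-RandomPassword)
    }

    # 4. Add the user to the group that the Conditional Access policy targets.
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

    [pscustomobject]@{ User = $upn; BlockedUtc = (Get-Date).ToUniversalTime().ToString('u') }
}

# Timestamped record of when each account was closed.
$report | Export-Csv -Path .\furlough-access-blocked.csv -NoTypeInformation
```

Access tokens that were already issued can stay valid until they expire, so a client that is currently signed in may keep working for a short time after the block.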
This may seem a hard-line approach given the circumstances, but here are some facts:
- The government requires evidence that a furloughed member of staff is not working. If furloughed staff still have access to their systems, well-meaning individuals may find themselves responding to requests and by doing so could inadvertently compromise your company’s ability to make a claim. Being able to prove that a staff member has been properly furloughed is a good deal easier if you can demonstrate that you have closed their account.
- As a company you have a responsibility to protect the security of PII and other confidential information. For example, if you have ISO 27001 certification as a supplier, you will have needed to put in place a series of technical measures, business controls and management processes. This includes disabling staff accounts where a user has been granted extended absence.
- Cybercrime has increased due to the Coronavirus outbreak. And sadly, phishing attempts linked with furlough payments are taking place. It goes without saying that furloughed staff will be at heightened risk of being caught out by such scams, which in turn could compromise your corporate security and finances.
- Video conferencing apps such as Zoom and Houseparty have become a ‘top download’ for connecting people socially, but are reported to have vulnerabilities and suspect data privacy policies that could be used to hack logon details, etc.
What out of office message should we use?
The last thing any organisation wants is for enquiries or requests for assistance to be lost.
Assuming you have staff available to keep things going during the furlough period, you should include a brief OOO (also referred to as OOF) message that gives assurance that their email will be dealt with accordingly and in a timely fashion.
This message should ideally be set centrally via the Microsoft 365 Admin Center to avoid the risk of individually configured ‘variations’ that may be deemed inappropriate. It should also be worded to minimise leakage of ‘additional personal information’, e.g. co-worker’s contact details, to avoid phishing attempts.
Alternatively your HR department may wish to distribute an OOO email template for staff to configure themselves.
Suggested wording for your email should be along these lines:
Thank you for your email.
I am currently away from the office on furlough until <anticipated end of furlough period/further notice>.
My colleagues at <company> are fully available to help you in my absence and your email is being forwarded to them.
They will be in touch with you to assist, but if this matter is urgent please call <telephone number>.
As indicated in the example email, you should also configure auto forwarding* to individual or shared mailboxes to enable enquiries to be dealt with.
Auto forwarding, auto-declines of any meeting requests, and different auto-reply actions based on whether the email is internal or external or from known senders can also be achieved from the Microsoft 365 Admin Center. You can read more here.
*It’s a good idea to disable Client Auto-Forwarding rules to External Domains to avoid unwanted hacker activity, or indeed, well-intentioned attempts by furloughed staff to keep track of work emails by forwarding emails to their personal email address.
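The central out of office message, the forward to a shared mailbox and the block on external client auto-forwarding described above can also be applied from Exchange Online PowerShell. This is an added example, not part of the original article; the mailbox addresses are placeholders and the message text is the article's template with its placeholders left unfilled.

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
# Constructed sample values: the UPNs and the shared mailbox are placeholders.
Connect-ExchangeOnline

$furloughed    = @('alice@contoso.example', 'bob@contoso.example')
$sharedMailbox = 'enquiries@contoso.example'   # hypothetical mailbox monitored by working staff

# One centrally managed message, so there are no individually worded variations.
# Fill in the bracketed placeholders with text agreed with HR.
$message = @"
Thank you for your email.<br>
I am currently away from the office on furlough until [anticipated end of furlough period/further notice].<br>
My colleagues at [company] are fully available to help you in my absence and your email is being forwarded to them.<br>
They will be in touch with you to assist, but if this matter is urgent please call [telephone number].
"@

foreach ($upn in $furloughed) {
    # Same auto-reply for internal and external senders.
    Set-MailboxAutoReplyConfiguration -Identity $upn -AutoReplyState Enabled `
        -InternalMessage $message -ExternalMessage $message -ExternalAudience All

    # Admin-set forward to the internal shared mailbox, keeping a copy in the user's mailbox.
    Set-Mailbox -Identity $upn -ForwardingAddress $sharedMailbox -DeliverToMailboxAndForward $true
}

# Stop client-created auto-forwards (inbox rules, OWA forwarding) leaving the organisation.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Check for forwarding that is already in place.
# a) Mailbox-level forwarding to an arbitrary SMTP address:
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward

# b) Inbox rules on the furloughed mailboxes that forward or redirect mail:
foreach ($upn in $furloughed) {
    Get-InboxRule -Mailbox $upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Review the two listings before removing anything: some forwards to personal addresses will be the well-intentioned kind the article mentions, and others may indicate a compromised mailbox.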
How Can We Keep the Flow of Information if We’ve Closed Down Users’ Access?
During the furlough period, it is important to have a mechanism for keeping staff informed on any changes in furlough status or instructions relating to making claims.
This ideally should be done using a personal email address.
The other communications we recommend should be added into this mix include:
- Reminders of their obligation with respect to your acceptable usage policy relating to use of email and the Internet on company technology, along with the importance of protecting PII. This will be doubly important if it is not possible to decommission or wipe their devices remotely.
- Content on the importance of staying safe, avoiding phishing attacks and malware.
Additionally, communicating anything that contributes to the mental well-being of individuals, especially given the stressful nature of the current situation, is a great idea.
To provide a platform for supporting effective communications, aside from sending emails to personal accounts, don’t forget you also have the option to use Teams Guest accounts. See https://docs.microsoft.com/en-us/microsoftteams/guest-access.
To support this approach, the Cloud Essentials team is offering its customers an at cost service that enables them to:
- Email the affected staff members with a link to a secure SharePoint form that includes:
- Communicating key information regarding the furlough situation
- Getting acceptance of terms and conditions relating to ceasing access to their regular account & accessing Teams as a Guest
- Collection of personal email addresses (with checks to ensure the email address is valid for accessing Teams e.g. Gmail, Yahoo, etc).
- Taking staff members through an authentication process (which also links their personal email address with their business email).
The latter step is important as it enables department managers and HR to keep accurate track of activities at a later date.
This brings me onto another interesting aspect of the rules relating to furloughing and the opportunities around keeping staff supported and motivated during this period.
Can furloughed employees do training?
Yes – as long as this does not involve providing services or generating revenue for your company.
In fact, companies that use this time to invest in staff training (and perhaps acquiring new skills that will be more relevant in a post-coronavirus world), have the potential to ‘hit the ground running’ when they return.
For example, the Microsoft-recommended LMS365 solution is a learning management platform designed specifically to work with Teams (including Teams Guests accounts) and is a great way to keep staff engaged and make them feel connected and supported. There are also cyber safety and mental health benefits to be gained.
NB – Uptake of the offer of training is voluntary on the part of the furloughed staff member, but according to the Gov.UK web site, is to be encouraged.
Can we reduce our Office 365 licence costs while furloughed staff are not using their accounts?
The idea with furloughing is that it is a temporary arrangement, and workers will one day be able to return to their jobs.
You’ve probably purchased licences through a Partner or as a volume licence purchase, and as such won’t be able to remove the licence from your subscription until your commitment is completed anyway.
Even if you can change your licensing on the fly, in all honesty, the hassle factor of trying to save licence fees using inactive mailboxes or shared mailboxes as a mechanism to preserve (and then later restore) a user’s data during this period will not be worth it.
We have always acknowledged that IT teams find themselves caught up in very sensitive legal and HR issues.
For example, we speak with many IT staff members who tell us they are being asked to help search and retrieve content that is of a privileged or sensitive nature in response to eDiscovery requests – largely because the platforms being used to store data have overly complex eDiscovery facilities.
Thankfully, Microsoft is shifting the problem by providing services like the Compliance Centre, which is enabling non-technical staff to implement controls.
But, for the time being, we need IT teams to support the furloughing process: acting in an advisory capacity based on their expertise in over-arching issues such as security, perhaps automating the process and using facilities like Teams Guest accounts to make things easier, and in some respects being prepared to tear up the rule book given the extraordinary circumstances surrounding this situation. We wish you all the best.