Microsoft Viva: Group-less campaigns in Viva Amplify

🚨 The Signal: Viva Amplify campaigns no longer require M365 Groups, simplifying creation but shifting administrative control solely to SharePoint admins. This reduces group-based security dependencies.

The Impact

SharePoint admins are solely responsible for Viva Amplify security, increasing risk if their accounts are compromised.

  • SharePoint Admins: Increased responsibility for campaign security, elevating risk if their accounts are compromised.
  • M365 Group Admins: Reduced scope of responsibility for Viva Amplify, potentially leading to oversight if not aware of the change.
  • Security Teams: Need to review and potentially adjust monitoring and access policies for SharePoint admin roles.
  • Compliance Teams: Must update documentation to reflect the shift in administrative control for Viva Amplify.

The Action

  1. Review and strengthen access controls for all SharePoint Administrator roles within Entra ID.
  2. Implement or verify Multi-Factor Authentication (MFA) for all SharePoint Administrator accounts.
  3. Ensure robust logging and alerting are configured for SharePoint Administrator activities.
  4. Communicate the change in administrative responsibility to M365 Group and SharePoint administrators.
  5. Update security documentation and incident response plans to reflect the new administrative model for Viva Amplify.
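
One way to check steps 1 and 2 against exported directory data, as an added example that is not part of the original advisory or any Microsoft tooling. It assumes the role assignments and the MFA registration report have already been exported from Microsoft Graph; the function name, accounts and sample records are constructed for illustration.

```python
# Added example: flag SharePoint Administrator role holders without MFA registered.
# Built-in Entra ID role template ID for "SharePoint Administrator".
SHAREPOINT_ADMIN_ROLE_ID = "f28a1f50-f6e7-4571-818b-6a12f2af6b6c"
OTHER_ROLE_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder


def _sample(role_id, principal_id, kind, name_key, name):
    """Build one constructed record shaped like a Graph role assignment
    with its principal expanded."""
    return {"roleDefinitionId": role_id, "principalId": principal_id,
            "principal": {"@odata.type": "#microsoft.graph." + kind, name_key: name}}


# Constructed sample data (not real accounts).
ROLE_ASSIGNMENTS = [
    _sample(SHAREPOINT_ADMIN_ROLE_ID, "u1", "user", "userPrincipalName", "alice@contoso.example"),
    _sample(SHAREPOINT_ADMIN_ROLE_ID, "u2", "user", "userPrincipalName", "bob@contoso.example"),
    _sample(SHAREPOINT_ADMIN_ROLE_ID, "u3", "user", "userPrincipalName", "carol@contoso.example"),
    _sample(SHAREPOINT_ADMIN_ROLE_ID, "g1", "group", "displayName", "SPO-Admins"),
    _sample(OTHER_ROLE_ID, "u4", "user", "userPrincipalName", "dave@contoso.example"),
]
# Shaped like rows of the userRegistrationDetails report; carol has no row.
REGISTRATION_DETAILS = [
    {"id": "u1", "isMfaRegistered": True},
    {"id": "u2", "isMfaRegistered": False},
    {"id": "u4", "isMfaRegistered": False},
]


def audit_sharepoint_admins(assignments, registrations):
    """Return (principal, issue) pairs for SharePoint Administrator holders."""
    reg_by_id = {r["id"]: r for r in registrations}
    findings = []
    for a in assignments:
        if a["roleDefinitionId"] != SHAREPOINT_ADMIN_ROLE_ID:
            continue  # other roles are out of scope for this check
        principal = a.get("principal", {})
        kind = principal.get("@odata.type", "").rsplit(".", 1)[-1] or "unknown"
        name = (principal.get("userPrincipalName")
                or principal.get("displayName") or a["principalId"])
        if kind != "user":
            # Groups and service principals have no per-user MFA record.
            findings.append((name, f"non-user principal ({kind}); review separately"))
        elif a["principalId"] not in reg_by_id:
            findings.append((name, "no registration record; MFA state unknown"))
        elif not reg_by_id[a["principalId"]].get("isMfaRegistered", False):
            findings.append((name, "MFA not registered"))
    return findings


if __name__ == "__main__":
    for who, issue in audit_sharepoint_admins(ROLE_ASSIGNMENTS, REGISTRATION_DETAILS):
        print(f"{who}: {issue}")
```

Eligible (PIM) assignments are stored separately from active role assignments and need the same check.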

Domain: SharePoint · Impact: medium · Workload: SharePoint · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898