The Collaborative Software Administrator's Governance Playbook

$199.00

A focused course, tailored for you

Run Microsoft 365, Google Workspace, Slack and the connectors between them as one governed estate, not five tabs of ad-hoc permissions.

You can grant access in two clicks. You cannot prove, on demand, who has access to what and why. This course closes that gap.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A collaborative software administrator sits at the centre of a sprawl most of the business does not see. Microsoft 365 groups, SharePoint sites, Google shared drives, Slack or Teams channels, and a layer of third-party connectors stitched on top through Zapier, Make, and direct app integrations. Day to day the work looks like ticket queues: a license request, a guest invite, a connector that broke, a manager who wants a private channel made public. Underneath those tickets there is no single source of truth for who has what, no written policy a non-technical manager can read, no review cycle that produces a defensible artefact. When the audit ask arrives, whether from finance, HR, a customer security questionnaire, or a regulator, the administrator is asked to produce a list that the platform was never designed to produce in one place. This course is the operating model that turns the platform back into an estate you can govern.

What you walk away with

  • A single tenant inventory spanning identity, licensing, sites, drives, channels, and connectors that you can show a non-technical manager.
  • A written external-access policy with named owners, default expiry, and an exception process that fits on one page.
  • A quarterly access review cycle that produces a signed artefact, not a screenshot, and that managers will actually complete.
  • A connector and third-party app register that catches the Zapier, Make, and direct OAuth grants the admin console hides.
  • A licensing-and-cost review rhythm that surfaces dormant accounts, duplicate seats, and over-provisioned plans before the renewal conversation.

The 12 modules

Module 1. The administrator's tenant inventory
Build the single sheet that lists every domain, every identity provider, every licensed user, every guest, every shared mailbox, every site, every shared drive, every channel, and every connector. Two columns nobody normally fills in: owner and last reviewed. The inventory is the artefact every other module depends on, and is the first thing a finance or audit conversation will ask for.
Module 2. Identity and license hygiene
Reconcile licensed users against HR's current headcount. Find the licensed accounts of people who left. Find the unlicensed mailboxes that still receive mail. Find the shared mailboxes converted from leavers without sign-out. Produce a monthly leaver reconciliation that finance can sign rather than the administrator carrying alone, and a license-class report that flags over-provisioned plans before renewal.
Module 3. External sharing and guest access policy
Write the one-page policy that defines who can share externally, with whom, for how long, and with what default expiry. Translate it into the actual tenant settings in Microsoft 365 and Google Workspace, including the per-site and per-drive overrides that quietly undo the global rule. Build the guest account lifecycle from invite to expiry to removal, with an exception process that fits on a single form.
Module 4. Permission models you can defend
Replace the open-share-and-forget pattern with role-based groups for SharePoint sites and Google shared drives, channel-level access for team chat, and a documented owner per workspace. Convert orphaned sites and drives to a named owner or archive them. Produce a permissions map that names which group grants which access, so a manager can read it without opening the admin console.
Module 5. The quarterly access review that produces an artefact
Design the review cycle so each workspace owner receives a list of who currently has access, marks who should stay, and returns a signed confirmation. Use the platform's built-in access review tooling where it exists, and a spreadsheet workflow where it doesn't. The output is a dated artefact per workspace, stored centrally, that answers the audit question the platform alone cannot.
Module 6. The connector and third-party app register
List every Zapier zap, Make scenario, Power Automate flow, Apps Script bound to the domain, and OAuth-granted third-party app touching the tenant. For each, capture the owner, the data it reads, the data it writes, and the renewal or review date. Walk the admin consoles where these grants hide, including the consumer accounts that quietly grant tenant-wide access to apps.
Module 7. Data location, retention, and legal-hold basics
Map which user data lives in which region, what retention policy applies to mailboxes, sites, channels, and chat history, and how a legal hold or eDiscovery request actually executes on each platform. The administrator is rarely the legal owner of these decisions, but is always the one who must execute them. The module produces the runbook for the day the request lands.
Module 8. Backup, recovery, and the items the platform does not back up
Distinguish what Microsoft 365 and Google Workspace actually retain and recover, versus what a third-party backup must cover. Define the recovery objectives for mailboxes, sites, drives, channels, and chat. Build the restore playbook for the three scenarios that happen in practice: accidental delete, mass delete by a departing user, and a ransomware-encrypted shared drive.
Module 9. Joiner-mover-leaver as one process
Connect HR's joiner-mover-leaver feed to the tenant lifecycle so accounts are provisioned, moved between groups, and de-licensed on a schedule the business can audit. Cover the mover case that everyone underestimates: the person whose role changed eight months ago and still holds three groups from the old role. Produce the monthly mover reconciliation.
Module 10. Cost, licensing tiers, and the renewal conversation
Walk the license-class ladder in Microsoft 365 and Google Workspace, identify users on a tier richer than they need, and surface the seats that are paid for but unused. Build the dashboard that shows licensed seats versus active seats versus the seat owner's manager, so the renewal conversation runs on data, not on the vendor account manager's spreadsheet.
Module 11. Incident response inside the workspace
The three workspace incidents the administrator actually runs: a compromised account spraying messages from inside the tenant, a shared drive opened to the public by accident, and a connector exfiltrating data because the owner left. Step-by-step containment, evidence preservation, and the communication template for managers who do not understand what just happened.
Module 12. The handover pack
Compile the artefacts the prior modules produced into a single binder a second administrator could pick up tomorrow: tenant inventory, policy documents, group-and-permission map, connector register, review schedule, runbooks, restore plan, and the named owners list. The binder is what makes the administrator's role visible to the business, defensible to an auditor, and recoverable when the administrator is on leave.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

A department head asks why an external contractor still has access six weeks after a project ended, and you have no clean answer. Modules 1, 3, 5.
Finance wants to cut the renewal cost and asks for active-seat data the vendor account manager cannot produce honestly. Modules 2, 10.
A user with admin rights leaves and you discover three connectors they personally owned still moving data. Modules 6, 9, 11.
An auditor or customer security questionnaire asks for who has access to a customer's data and you must produce a signed list, not a screenshot. Modules 1, 4, 5.

What you get with this course

  • Twelve written modules in the Art of Service learning environment.
  • Downloadable templates for the tenant inventory, external-access policy, access-review pack, connector register, joiner-mover-leaver reconciliation, and licensing dashboard.
  • Worked examples for Microsoft 365, Google Workspace, and a mixed estate.
  • Runbooks for the three workspace incidents and the restore scenarios.
  • The hand-built implementation playbook tailored to your tenant, delivered alongside course access.
  • 30-day money-back guarantee.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Module 1 (tenant inventory) is designed to be completed in the first week, because every later module depends on it.

Modules 2 through 6 form the governance core and are typically worked through over four to six weeks.

Modules 7 through 12 are the operating-rhythm and incident modules, worked into the quarterly cycle as they apply.

Before and after

Before

Permissions are granted by ticket, external shares pile up with no expiry, the connector layer is whatever each owner set up, license renewal is a vendor-led conversation, and the audit question 'who has access to what' has no defensible answer.

After

There is one tenant inventory. There is a one-page external-access policy. Access reviews produce signed artefacts on a schedule. Connectors are registered with owners and review dates. Licensing is reviewed against active use before renewal. The audit question has a one-page answer.

What happens if you do not address this

Workspace sprawl compounds. Every new project adds shares, groups, and connectors that nobody documents. The day the access question arrives, from finance, from a customer, from a regulator, or from a leaver who shouldn't still have access, the administrator is asked to assemble in a week the artefact that should have existed all along, while still running the ticket queue.

Who it is for

A collaborative software administrator, workplace technology administrator, modern workplace engineer, or productivity platform administrator who owns Microsoft 365, Google Workspace, or a mixed estate, plus the chat and connector layer on top. Typically a team of one to three inside IT or operations, often with no separate governance function above them, accountable for licensing, access, external sharing, and the integrations that keep the workspace usable.

Who this is NOT for. Not for security analysts who only consume access reports rather than running the platform. Not for end users who want productivity tips. Not for IT directors looking for a strategy deck rather than the operating model the administrator actually runs.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly two to three hours per module of reading and template work. Total course load is around 30 hours, spread across the cycle rather than consumed in a single week. The tenant inventory module is the one that pays back fastest and is worth completing first.

Why $199 is the right number

Vendor-supplied admin training teaches the console clicks but not the operating model around them. Generic ISO 27001 or SOC 2 training is written for the security analyst, not the platform administrator, and skips the workspace specifics. Consulting engagements deliver the artefacts once and leave no operating rhythm. This course gives the administrator both the templates and the rhythm to run the estate going forward.

FAQ

I run a Microsoft 365 estate, not Google Workspace. Is the course still useful?
Yes. Each module includes the Microsoft 365 walkthrough, the Google Workspace walkthrough, and the mixed-estate walkthrough. You use the section that matches your tenant.
We already have an external IT provider doing some of this. Does the course still apply?
Yes, and arguably more so. The course is the operating model the administrator runs as the accountable owner, which is what lets you hold the provider to a clear scope rather than the other way around.
How tailored is the implementation playbook?
It is hand-built per buyer once you complete the short intake form after enrolment. It reflects your tenant type, your estate size, and the two or three specific situations you are trying to solve first.
What if I am the only administrator and cannot block out training time?
The modules are written to be consumable in short sessions and the templates are usable before you have read the full module. The tenant inventory template alone delivers value in the first week.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
