We have some dedicated volunteers in our missions department that have their own email addresses and access to the missions file shares on the network. This makes me nervous since they have “official” accounts that carry the same weight as staff accounts.
What would you consider best practices for accounts like this?
We do have a “volunteer” group we put them in that prohibits them from accessing certain areas regardless of other group membership (in fact, I believe this is the only reason we use “forbid” permissions at all on the fileserver).
I’ve considered a volunteer domain (i.e. person@vol.domain.tld).
We have generic volunteer accounts that are used in rotation that are severely limited, but I’m thinking more for the “full time volunteers” that are here 10+ hours a week on a regular schedule that might need a higher level of access.
We simply don’t give volunteers email addresses - for the reasons you outline and also because our reading of the nonprofit O365 license agreement from Microsoft doesn’t allow it. We do have people who are what we call “Volunteer Staff” who agree to all the same guidelines and have the same training as a regular employee, but we generally treat them more like unpaid employees than volunteers.
In your case I might consider giving those volunteers some specific training or guidelines and asking them to sign something acknowledging it before giving them an email account, just so everyone is on the same page.
This really does need some consideration. Especially because emails they send and receive likely have sensitive information. Think ‘clear text’. We recommend giving them internal email addresses and requiring that any email communications on behalf of the church only be done via your email server. This doesn’t impact all volunteers, but it does impact board members and others who communicate sensitive information.
I’ll have to re-read the EULA with volunteers in mind. I definitely want to honor the agreement. I’m still using on-prem Exchange CALs for volunteers and staff, but would love to use O365 for “Volunteer Staff”. I wonder what we’d need to do to make sure we’re honoring the EULA with integrity.
It’s relatively flexible, as long as you meet their criteria. Our “Volunteer Staff” definitely meet those criteria; our regular volunteers may or may not so to keep it simple we enforce a somewhat arbitrary distinction. The criteria are below:
Office 365 Nonprofit is intended primarily for employees of eligible nonprofit organizations. Nonprofit members or beneficiaries are NOT eligible for Office 365 for nonprofit licensing. Nonprofits may license volunteers that have significant fiduciary or managerial responsibilities for the organization, such as members of the Board of Directors. A volunteer of an eligible nonprofit organization can receive a license for Office 365 ONLY if they meet ALL THREE of the following tests:
The volunteer is accountable for specific activities and results within the nonprofit organization that are defined by a written volunteer position description
The volunteer’s role with the nonprofit is a year-round ongoing role or is seasonal or part-time role that reoccurs annually
The volunteer will not use Office 365 for personal uses that result in income to the person who is volunteering.
Already you’ve gotten some good feedback I won’t repeat. I’ll add that here we consider email and file access as separate (and separable) decisions.
We have a few volunteers that have a true need for a church email account. For example, we have a volunteer who represents the church to Mandarin speaking families. Because of her spiritual and language gifts and abilities, she is the perfect person to fulfill this ministry. Also, because she has an official church email address it sets visitors at ease. Finally, we have an official record of these conversations. Of course, instructions and safeguards need to go along with the issuing of the email.
Similarly, we have a few volunteers that volunteer time to performing some tasks that require access to specific records/documents on the church file server. We always assess the business need, provide them access ONLY to those records, and generally require they be onsite using church computers to do so.
Having said that, as expressed in another topic I posted, I’m currently looking for answers for providing robust and secure file share collaboration with groups that have staff and volunteers in leadership together and require ongoing collaboration. One example everyone can relate to is the church board.
Bottom line is each circumstance requires some deep thinking.
We have been discussing this internally the last few weeks because we do have a few volunteers that have church email accounts that are not paid staff. We are toying with the idea of having an @volunteer.domain.com address rather than an @domain.com address to differentiate volunteers that have accounts through O365. We are diving deeper into the O365 world and are planning on opening up more services to users and volunteers could benefit from having email addresses. We are also discussing locking down the volunteer addresses to internal email only but there are pros and cons to this.
If you’re an Office 365 shop, MS Teams finally supports guest access, so you can include folks from outside the organization. I’m just starting to play around with it now, so can’t give you all the ins and outs of it yet. Teams allows file sharing that is backed by SharePoint, so guests that you invite have access to file storage as well.
I think it is going to be a fantastic option for boards etc., especially when you can add Planner for task management etc.
I’m bringing this back up because now we know more and have “volunteer licenses”, but I’m still concerned that Volunteers in Microsoft 365 will have access to all “public” teams. Is there a way to block members of a specific group (i.e. “Volunteers”) from accessing specific Teams (i.e. the “Staff” staff-wide team)?