Blog Post

Microsoft 365 Blog
17 MIN READ

Loop governance, lifecycle, manageability for IT Admins – Nov 2024

dancontoso's avatar
dancontoso
Icon for Microsoft rankMicrosoft
Nov 11, 2024

IT Admins, 

It's hard to believe it's been almost a year since Loop became generally available at Ignite 2023. We've listened to your feedback and have some exciting updates to share! If you prefer a video format, check out ▶️ Microsoft Loop IT governance and management controls.

In this update, we'll cover:

  • Why IT Admins will love Loop
  • How IT Admins can think about Loop
  • Timeline for remaining capabilities
  • Data lifecycle, governance, and Loop workspace types
  • Admin policies to get Loop enabled
  • Common Loop configurations
  • Managing Loop content in the SharePoint Admin Center
  • Admin usage dashboards
  • Purview and compliance

 

Why IT Admins will love Loop

We want you to feel confident piloting Loop in any organization in 2024 and be fully enabled early next year. This update will boost your confidence and inspire you to adopt Loop.

One recent announcement is that Loop integrates seamlessly with Copilot, including Copilot Pages, a dynamic, persistent canvas in Copilot chat designed for multiplayer AI collaboration. With Pages, you can turn insightful Copilot responses into something durable with a side-by-side page that you can edit and share with your team. Check this out if you're an IT Admin seeking only Copilot Pages info. Additionally, Loop integrates across Microsoft 365 experiences, including collaborative meeting notes in Teams and calendar, and Loop components in Teams chats, Outlook emails, OneNote, and Whiteboard. Inspired by decades of collaboration research and the latest Work Trend Index, it's high time to enable Loop in your tenant!

 

 

 

 

How IT Admins can think about Loop 

Now that you understand the benefits, let's explore how you can implement Loop in your organization. The tl;dr is that Loop simply creates .loop files, like any other file (.docx, .pdf, .pptx, .xlsx, etc.), in your SharePoint ecosystem. There are two main concepts: files and containers.

  • Files: At its core, Loop interactions with pages and components are just co-authoring sessions with a .loop file. Loop files are managed like other files in your SharePoint ecosystem (.docx, .pdf, .pptx, .xlsx, etc.). They support version history, audit logs, change attribution in each version of version history, export, eDiscovery workflows, legal hold, etc. (more here). End-users share them like files as links in Teams messages and Outlook emails, just like other files in your communication ecosystem. When sharing a component link, applications like Teams and Outlook display an interactive experience in the message or email, like showing the video instead of the link.
  • Containers: Loop workspaces create SharePoint Embedded containers. Containers are the core concept for storage and containment in SharePoint Embedded, just like a Site is the core concept for storage and containment in SharePoint. IT Admins manage containers like they manage SharePoint communication sites. Your governance and compliance processes apply the same way. Guest app permissions are available today to tools like AvePoint, ShareGate, your in-house tooling, and others. A full Loop workspace is shared by sending an invitation, like inviting someone to your collaboration party. Once there, they can see all the Loop pages and linked files if they have permission to the underlying file.
Diagram illustrating the user experience of Loop and the core concepts of containers, pages, and components

 

Where are .loop files stored? 

They are saved in the same place as other files if they were to upload a new file. If there's no shared storage, they go to the user's OneDrive. If there's shared storage, like a SharePoint folder, they go there. You can check a table of storage locations here for precision.

 

Storage quota 

The storage space taken by SharePoint Embedded containers for Microsoft applications like Loop and Designer are counted within your organization's existing total SharePoint quota. This applies to the ownership types described in this article. Learn more here.

 

Managing Loop content 

Loop content supports the capabilities listed here. In summary, that includes admin toggles, GDPR and EUDB compliance, Intune device management, Conditional Access policies, Information Barriers, Customer Lockbox, individual file recycle bin, version history, audit logs, eDiscovery, export, legal hold, retention policies, sensitivity labels, and data loss prevention.

To take full advantage of Copilot integrations and other enhancements Loop provides, be aware of the following new capabilities coming soon.

 

Timeline for remaining capabilities 

Now that you understand what Loop creates, where it creates, and a summary of management features it already supports, let’s detail what’s coming.

We are excited to share the timelines for addressing key feature gaps and introducing new capabilities. For features that need more detailed information, we will provide it via Admin Message Center posts before they release and public documentation updates. Stay tuned for updates!

 

Q4 CY2024 

  • Delivered while we were writing this blog! Guest app permission to content in SharePoint Embedded containers (enables Governance, Management, and Compliance tools like AvePoint, ShareGate, Smarsh, Relativity One, Nuix, and many more) – Message Center Post MC897562
  • Sensitivity labels at the Loop workspace level (like this) – Roadmap ID 111225 has started rolling out – Message Center Post MC923176
  • Guest/external access via Entra B2B config for tenants with sensitivity labels – Roadmap ID 421614 
  • End-users can promote members to owners for Loop workspaces – Roadmap ID 362124 
  • SharePoint Admin Center columns to identify user-owned containers, ability to filter and sort the list of containers 
  • Retention labels for Loop files – Roadmap ID 397755 

Q4 CY2024 to Q1 CY2025 

  • SharePoint Admin Center ability to search existing containers  
  • SharePoint Admin Center ability to change membership and ownership, and deletion/restoration of workspaces, and all changes will appear in the user's view of Loop – Roadmap ID 421613 
  • Admins can ensure that new workspaces are always connected to and managed by an existing M365 group – Roadmap ID 422725 
  • Multi-Geo: M365 group-owned workspaces are created in the group's geo, while non-M365 group-owned workspaces are created in the creator's preferred data location – Roadmap ID 421616 
  • User-owned personal Loop workspace available, which is automatically deleted when the user account is deleted instead of remaining in the tenant as ownerless (data lifecycle will be like OneDrive) – Roadmap ID 422727  
  • Existing Ideas Loop workspaces function as a Shared Loop workspace – Roadmap ID 422729 

H1 CY2025 

  • End-user recycle bin for Loop workspaces – Roadmap ID 421615 
  • Usage reports in admin usage dashboards – Roadmap ID 421611 
  • Departed user content workflows for user-owned containers (user notifications, in-app experiences, etc.) – Roadmap ID 421612 
  • Loop workspaces can have M365 groups as members in tenant owned workspaces 
  • Read-only access for workspaces 

 

The rest of this post will discuss the upcoming changes and the above capabilities in more detail. 

Data lifecycle, governance, and Loop workspace types 

Now that we’ve covered what’s available and what’s coming, we’ll detail what direction we’re headed with manageability at a broad level. Loop will be managed like existing things in the M365 ecosystem. We’ll cover each concept in this next section.

Loop workspaces are SharePoint Embedded containers. The ownership type determines how the data is retained or deleted over time and establishes the boundaries for governance within your organization. Until recently, there were only tenant-owned containers. With the announcement of Copilot Pages, we’ve added the creation of one user-owned container. Group-owned containers are coming in Q1 CY2025. The following sections will describe how each of those ownership types will function from the user’s perspective and from the IT Admin’s perspective.

Diagram showing the three Loop workspace models and IT management models based on ownership type

 

 

Diagram illustrating the storage objects for IT management based on each workspace type

 

Personal Storage 

New user-owned Loop storage containers 

A user doesn’t choose to create a user-owned container, they will just receive one. There are two apps that create this single container: Copilot Pages is the first, the Loop app is the second. The same user-owned container is utilized by Copilot Pages and Loop. All SharePoint Embedded containers, including user-owned containers, are counted within your organization’s existing total SharePoint quota.

The .loop files in the user's OneDrive and the .loop files in the user-owned Loop workspace within SharePoint Embedded will be lifetime-managed with the user account. Like OneDrive, the user-owned SharePoint Embedded container will be soft-deleted 30 days after the user account is deleted, and then can be recovered for up to 93 more days by the admin. After this time, the container is purged.

When a user leaves, there's a workflow to enable access to OneDrive before deletion. There is a roadmap item (421612) tracking the ability for end-users to be notified of their access to the content and be able to make copies of valuable data before it’s deleted.

User-owned containers will be identifiable in the SharePoint Admin Center by two new columns: Principal Owner and Ownership Type. The principal owner will be set to the username when the container is user-owned. And ownership type will be User. This is the signal to SharePoint to manage the lifetime of the container like OneDrive, to be deleted or restored when the user account is deleted or restored.

 

Shared Storage 

New group-owned Loop storage containers 

There is a roadmap item (422728) tracking the user’s ability to select an existing M365 group to connect the new Loop workspace to upon creation. These Loop workspaces are group-owned like a SharePoint team site, which are lifetime-managed with the M365 group, and will integrate with the lifetime management of M365 groups, such as M365 group ownerless workflows or M365 group expiration policies.

Group-owned containers will be identifiable in the SharePoint Admin Center by two new columns: Principal Owner and Ownership Type. The principal owner will display the M365 group name when the container is group-owned. And the Ownership Type will be Group. This is the signal to SharePoint to manage the lifetime of the container with the M365 group: to be deleted or restored when the M365 group is deleted or restored. Additional characteristics of compliance and governance are also inherited from the M365 group, such as the sensitivity label, membership/permissions, governance policies such as attestation, etc. There is a roadmap item (422725) tracking that an administrator will be able to enforce that all new Loop workspaces must be tied to an existing M365 group for governance and lifecycle management. Setting this policy requires end-users to select an existing M365 group to connect the Loop workspace to upon creation, and if not, the Loop workspace creation will abort. This policy applies existing governance and lifecycle policies for the M365 group to the new Loop workspace within the organization.

 

Tenant-owned Loop storage containers 

This is the default workspace type created today, before the ability exists to connect to an existing M365 group. All Loop workspaces to date have been created as tenant-owned and managed, except for the Copilot Pages collection.

Tenant-owned workspaces are managed like a SharePoint communication site, which are lifetime managed by the tenant admin using the organization’s governance processes.

There will be a roadmap item tracking that tenant-owned containers can have M365 groups as members. This enables Knowledge Management workspaces such as the sales, engineering, and support group all having access to a single Loop workspace. The M365 group is not responsible for managing lifetime, it’s used only for membership to the workspace. Governance is handled like a SharePoint site where separate attestation, sensitivity labeling, and ownership policies can be evaluated and communicated to the current Loop workspace owner(s). Tenant-owned containers can become ownerless, and governance processes are used to correct or mitigate these scenarios.

There is a roadmap item (421613) tracking that admin updates to existing Loop workspaces are reflected in the user’s view, for example, admin changes to membership, ownership, and deletion/restoration of workspaces will appear in the user's view of Loop workspaces in the Loop app.

 

 

Admin policies to get Loop enabled

Loop is already default enabled in your tenant unless you've turned it off. Different integrations come with different admin policy tech.

Diagram mapping admin policy scope, tools used, SharePoint Embedded storage, and Loop service plan

 

More information on the M365 license level required to create shared Loop workspaces is covered in this support article under the Loop app section: Loop access via Microsoft 365 subscriptions - Microsoft Support

 

Cloud Policy settings 

Documentation: https://learn.microsoft.com/microsoft-365/loop/loop-components-configuration#settings-management-in-cloud-policy 

A: Create and view Loop files in Microsoft apps that support Loop (Not Configured == Enabled) 

B: NEW! Create and view Loop files in Microsoft 365 Copilot Chat (Not Configured == Enabled) 

C: Create and view Loop workspaces in Loop (Not Configured == Enabled) 

D: Create and view Loop files in Outlook (Not Configured == Enabled) 

Screenshot of Cloud Policy tool's Loop policy settings

 

SharePoint Online organization properties 

Documentation: https://learn.microsoft.com/microsoft-365/loop/loop-components-configuration#settings-management-for-loop-functionality-in-teams 

E: IsLoopEnabled for Loop components Teams chat and channels 

F: IsCollabMeetingNotesFluidEnabled for Collaborative meeting notes 

Screenshot of PowerShell command output for Get-SPOTenant, highlighting the IsLoopEnabled and IsCollabMeetingNotesFluidEnabled settings toward the bottom of the output

 

Common Loop configurations 

Enabled (most common) 

Most organizations will simply leave everything Not Configured, which equates to Loop experiences being available everywhere. For manageability, we have considered multiple scenarios, and we'll cover those here too.

Loop scenarios are, at their core, document collaboration scenarios. Multiple people can open the same component, page, or workspace, see each other's presence in the document, update from Teams, Outlook, and Loop at the same time by coauthoring together. This can be done synchronously or asynchronously, using any of the existing content types like tables, lists, paragraphs, kanban boards, voting options, mermaid diagrams, code blocks, and more.

 

Workspace governance considerations 

IT Admins manage Loop workspaces just like SharePoint sites with independent lifetime within the tenant. You can use the SharePoint Admin Center or existing third-party tools now that Guest app permissions are available to manage SharePoint Embedded container content.

If you have a process for creating governance policy around new collaborative data sources such as Loop workspaces, you may choose to enable the creation of Loop files in existing storage such as OneDrive and SharePoint, but temporarily disable the creation of new end-user content in shared Loop workspaces within SharePoint Embedded containers until you understand how to apply your organization's governance to these new containers.

The Cloud Policy setting for controlling the creation of new Loop workspaces is Create and view Loop workspaces in Loop. To configure it, follow the Admin Center instructions here or the Cloud Policy instructions here. Both methods configure the same Cloud Policy setting. Setting it to disabled will prevent the creation of new Loop workspaces.

Diagram mapping admin policy scope, tools used, SharePoint Embedded storage, Loop service plan, and Shared Loop workspace creation disabled

 

Two notes about the admin policy:

  1. A new type of Loop workspace was just introduced with the release of Copilot Pages - all pages created within the Copilot chat experience are stored in a new, user-owned SharePoint Embedded container that is lifetime managed with the user account. Like OneDrive, when a user leaves the organization, their user-owned content will be soft deleted (can be recovered by an IT Admin) and then purged. Because many organizations do not perform additional governance on user-owned content, it is not included in the workspaces policy.
  2. Setting a Loop admin policy to Disabled will prevent creation and loading interactive previews of Loop content where the link was shared. The policy does not change access to existing files in the M365 ecosystem, and when a link to the file is clicked, users will still be able to open and edit when they have access. To additionally block a user’s ability to interact with Loop content, even when they have access to it, use Conditional Access policies. This is documented here for workspaces.

 

eCommunication sensitive organizations 

As mentioned above, at its core, Loop interactions are just co-authoring sessions with a .loop file. Loop files are managed like other SharePoint files (.docx, .pdf, .pptx, .xlsx, etc.). They support version history, audit logs, change attribution in each version of version history, export, eDiscovery workflows, legal hold, etc. And they are shared as links in Teams messages and Outlook emails, like other files in your communication ecosystem. This is why we often say that Loop collaboration from a discovery and admin perspective is like a Word document. The difference is the export format for Loop is HTML to support offline review.

If you have regulatory controls in your industry, sometimes the review process for new features and integrations in electronic communication apps like Teams or Outlook can take a little longer. Loop turbocharges your collaboration when used in communication scenarios, but if you need to start with it turned off there, it's easy to do with the admin policies.

The only settings you need to configure are for Teams and Outlook:

  • Teams: Follow the SharePoint Online organization properties instructions here and configure IsLoopEnabled to $false using PowerShell. Depending on whether your organization considers real-time collaborative meeting notes eCommunication, you can also configure IsCollabMeetingNotesFluidEnabled to $false.
  • Outlook: Follow the Cloud Policy instructions here and configure Create and view Loop files in Outlook to Disabled. 
Diagram mapping admin policy scope, tools used, SharePoint Embedded storage, Loop service plan, and eCommunication app integration disabled.

 

Repeating a note about what configuring to Disabled does: Setting a Loop admin policy to Disabled will prevent creation and loading interactive previews of Loop content where the link was shared. The policy does not change access to existing files in the M365 ecosystem, and when a link to the file is clicked, users will still be able to open and edit when they have access. To additionally block a user’s ability to interact with Loop content, even when they have access to it, use Conditional Access policies. This is documented here for components.

 

 

Managing Loop workspaces in the SharePoint Admin Center 

Now that we’ve covered the capabilities that exist, capabilities coming, and the overall concepts Loop workspaces follow in the Microsoft 365 ecosystem, let’s cover the tools that help IT Admins manage the content: SharePoint Admin Center and Purview. We’ll do SharePoint Admin Center first. The middle portion of this article's companion video demonstrates these features.

To use the SharePoint Admin Center to manage Loop workspaces, assign the SharePoint Embedded administrator role. Then, manage the Loop workspaces as containers using the SharePoint Embedded Admin Center. You can view active and deleted containers in the tenant, view detailed information of a container, delete, restore, and permanently delete a container. More details here. Coming in Q4 CY2024, you will also be able to filter, sort, and modify membership and ownership of containers. And container search is coming in Q1 CY2025.

Screenshot of the SharePoint Admin Center's Active containers view

 

 

Admin usage dashboards 

Currently, there are no built-in dashboards for end-user activity usage in Loop. Administrators can manually parse audit logs to create usage reports. Reference this learn article for information on filtering the events to Loop activity.

There is a roadmap item (421611) tracking Loop usage reports in the Microsoft 365 Apps usage.

 

 

Purview and compliance 

There are several compliance and manageability capabilities built into the SharePoint platform that Loop fully supports. Please see this learn article for an inventory. In the next sections, we'll summarize the top areas we get questions about. The last portion of this article's companion video also demonstrates many of these features.

 

Audit 

Since .loop files are stored in the SharePoint ecosystem, full audit activity is available in the unified audit log that SharePoint events are already part of. Creates, updates, reads and deletes are logged with attribution. Reference this learn article for information on filtering the events to Loop activity.

 

Legal hold, eDiscovery, and export  

Because .loop files are like the other files in your SharePoint ecosystem, Purview understands them and supports them natively with very little change. You can place SharePoint Embedded containers on legal hold using the URL to the container just like placing a SharePoint site on hold. You can search for content to place on hold using full text search in Purview. You can export the content in a review set that includes .loop files and automatically convert to .html for offline readable format using Purview Premium. 

If you use third-party tools for eDiscovery or export for compliance, programmatic API access to content in SharePoint Embedded containers is delivered! See the Admin Message Center post MC897562 for more information.

 

Multi-geo 

Today, Loop's multi-geo support is the same as SharePoint communication sites. All shared Loop workspaces are treated as collaborative spaces owned by the organization, not tied to one person's geo, and are created in the tenant's default geo. The user-owned container created for Copilot Pages is a user-owned container and is automatically created in the user's preferred data location (PDL). 

There is a roadmap item (421616) tracking tenant-owned Loop workspaces being created in the creator’s PDL. For example, for a multi-geo company with a default geo in the U.S. and a German employee at a multi-geo German site creates a Loop workspace, that Loop workspace will be created in the German site instead of the default geo of the U.S. 

There is a roadmap item (421616) tracking group-owned Loop workspaces being created in the Group’s defined geo. An admin can run a PowerShell command to move any Loop workspace between geo’s. 

 

Sensitivity labels and data loss prevention 

Two ways to control over-sharing in your organization are fully supported in .loop files. The first is sensitivity labeling, which users can configure per Copilot Page. If Copilot finds content that has a source label higher than the page, placing it via the "Edit in Page" button will automatically upgrade the sensitivity label. Sensitivity labels can control things like external sharing rights, encryption of data, and more. The second is data loss prevention, a security-conscious scanner that detects very sensitive information and immediately blocks all sharing and triggers the owner of the file to remove it before full collaboration can be restored.

Organizations also use sensitivity labels on containers such as M365 groups and SharePoint sites, to control sharing of content. Currently, only SharePoint Embedded admins can view or edit container level sensitivity labels on Loop workspaces. There is a roadmap item (111225) tracking the Loop app’s ability for a user to see the container sensitivity label and set it.

 

Guest/External sharing 

Because sensitivity labels at the Loop workspace (SharePoint Embedded) container level are not yet visible in the Loop app experience, guest and external sharing scenarios for Loop content will automatically disable if your tenant uses any sort of sensitivity label. Once container-level sensitivity labels are visible and can be set in the Loop app experience in Q4 CY2024, Guest/External sharing will work with .loop files per your organizations Entra B2B configuration settings. You can read more about this configuration here. An Admin Message Center post will go out prior to external sharing being enabled for tenants with sensitivity labels.

 

Governance tooling 

Governance of a user-owned container is a lot simpler than shared content like an M365 group or a SharePoint site, or even a shared Loop workspace, since it is lifetime managed with the user account. However, if you use third-party tools for governing user-owned containers, programmatic Guest app access to content in SharePoint Embedded containers is available, and you can apply these tools to Loop workspaces, just like you manage SharePoint sites.  

Governance for shared content is typically more standardized in larger organizations. Some of these include running checks for multiple owners, setting sensitivity labels on the containers, performing regular attestations for sharing settings, purging content after inactivity periods, or other common governance operations. Many organizations use third-party tools or in-house tooling for these governance tasks, which use the available programmatic API access to content in SharePoint Embedded containers. See the Admin Message Center post MC897562 for more information.

 

Multiple owners 

Organizations often require multiple owners to be declared on digital content shared for collaborative purposes to ensure accountability and maintain continuity in case of personnel changes. There is a roadmap item tracking (362124) for the Loop experience to enable owners to declare multiple members as owners in Q4 CY2024 to Q1 CY2025.

 

Retention labels 

Since all .loop files are stored in the SharePoint ecosystem, one of the integrated features for these files are retention labels. There is a roadmap item (397755) tracking the Loop’s ability to show and set the retention label for the .loop file. The .loop files will participate in the same way that other SharePoint files do in your use of the retention label workflows, including manually or automatically applying retention settings, declaring items as records, managing data lifecycle by retaining or deleting content based on your compliance requirements. Retention label capability on .loop files is coming in Q4 CY2024.

 

 

Conclusion 

We’ve heard that while most organizations love Loop and are feeling end-user pressure to enable Loop, the IT Admins are waiting for some of the capabilities in this update before fully rolling it out. We hope this summary leaves you feeling confident about Copilot Pages in your organization, piloting Loop this quarter, and fully enabling Loop in the new year!

And if you’re looking for materials to help onboard or train your users on Loop, check out https://aka.ms/LoopAdoption. We want to hear from you in the comments.

Updated Nov 21, 2024
Version 3.0
admin
Adoption
ai
copilot
Deployment
microsoft 365
Microsoft 365 Groups
Microsoft 365 Roadmap
Microsoft Loop
  • Don Jones's avatar
    Don Jones
    Copper Contributor
    Nov 20, 2024

    Any word on how to back up and restore loop content?  There are third party services out there that claim that this is not possible at this time. 

    • dancontoso's avatar
      dancontoso
      Icon for Microsoft rankMicrosoft
      Nov 20, 2024

      good question, and thanks for asking. :)

      .loop files are just files in the ecosystem that are fully accessible via existing methods to third parties. Guest app access was recently enabled for SPE containers, so CRUD operations are now possible.

      the tricky part is being able to create new Loop workspaces (SPE containers that the Loop app recognizes as "it's own"), which is not available yet. so, export is possible (which meets the needs of most scenarios), but creating new things from scratch that are fully recognized by Loop as "yup, that's exactly what I would have done if my code had created a new Loop workspace and put .loop files and shortcuts and .pod files in it" is the part that's not repeatable - this is what's necessary for restore.

      M365 Backup and M365 Archive are on the backlog. once we get started on this, it will help us fill out the frame of everything we'll need to build in order for both us and anyone else to be able to do this properly. no timelines to share, probably a good time to ask again would be early CY2025.

  • pviellieux's avatar
    pviellieux
    Copper Contributor
    Nov 20, 2024

    As recently as a couple weeks ago, I was able to upload documents to Loop.  Now that option is missing.  When will it be restored?

  • lachvit's avatar
    lachvit
    Brass Contributor
    Dec 09, 2024

    Microsoft advertises that the Loop service is free, but upon investigation, we found that it is not entirely free because saving Loop workspaces requires enabling SharePoint embedded containers, for which data storage incurs a cost. Is this true?

     

    • dancontoso's avatar
      dancontoso
      Icon for Microsoft rankMicrosoft
      Dec 09, 2024

      I can see how you would be confused if you are also reading the SharePoint Embedded developer documentation. It does not further clarify that Microsoft's 1st party applications such as Loop and Designer do not use metered storage and instead are part of the tenant's total SharePoint storage quota. Please refer to these two links alone for license and storage for Loop. I will ask the team to clarify in the SharePoint Embedded developer documentation.

      • lachvit's avatar
        lachvit
        Brass Contributor
        Dec 09, 2024

        Thank you for your response, but it was the reply we received after raising a case with Microsoft so I wanted to double-check. Do you know how to enable embedded containers in SharePoint for Loop? Currently, we cannot find the embedded containers management feature in SharePoint Online. All the articles explain how to enable the paid version of Loop embedded containers, but there are no articles on enabling them specifically for Loop.