Tag Archives: Office 365

License usage reporting in Office 365, part 1

On this blog, I write about whatever interests me. To the chagrin of some folks, this often includes aviation, fitness, and various complaints, but hey, it could be worse. I save the really inane stuff for Twitter.

Besides the content I post here, though, I also blog at the Summit 7 Systems blog collective. Right now I’m publishing a series on reporting in Office 365. The first part of the series, on license usage reporting, is here, and the second part will be published shortly. In general, when I post content there that might be of interest to readers here, I’ll cross-post it with a short post like this one.

Filed under Office 365, UC&C

Microsoft sneaks out Mac Outlook update

Good news: Microsoft just issued an updated version of Outlook for Mac. (I guess that’s the official name, as opposed to the older Outlook 2011). The list of fixes is pretty nondescript: you can change calendar colors, add alt-text to images, and use custom AD RMS templates. I suspect most of the effort for this release was actually focused on the “Top crashes fixed” item in the KB article.

Bad news: you have to manually download it from the Office 365 portal. The AutoUpdate mechanism shipped with Office 2011 doesn’t yet know how to handle updates for Outlook for Mac. I suppose Microsoft could either update the Office 2011 AU mechanism or ship a new one as part of a future Outlook update; presumably the latter choice would actually deliver the Office 2015 update mechanism, since there’s undoubtedly going to be one.

The real news here is how quickly Microsoft released this update. While this is only one release, it’s an excellent sign that we got it quickly, and it makes me hopeful that we’ll see a steady stream of updates and fixes for the Mac Office apps in the future, with a cadence more akin to the Lync Mobile client releases than the glacial pace of past Mac Office updates.

Filed under OS X, UC&C

My first week with Office 365 Clutter

Immediately after Microsoft announced that Clutter was available, I enabled it in all my personal tenants and started training it. As you may recall, you can train Clutter in two ways: implicitly (as it sees how you interact with mail from particular senders, such as by ignoring it or deleting it without reading it) or explicitly (by moving messages into or out of the Clutter folder). Because I’m fairly impatient, I set about explicit training by moving messages to the Clutter folder. I’ve done this with all of the clients I use: Outlook for Mac, OWA, Outlook 2013, the iOS mail app, and Outlook Mobile. Whenever possible I move the message while leaving it unread, so as not to make Clutter think I’m interested.

The upshot: it works reasonably well, but it seems to have trouble learning about messages from some sources. For example, both Strava and Twitter alerts remain resolutely un-Cluttered even though I’ve been moving 100% of those messages, unread, to the folder. I think that’s because the message subject for these messages often changes to reflect the message contents (e.g. “@jaapwess retweeted a Tweet you were mentioned in!”) and that confuses the algorithm in some way. It may be that the algorithm used to categorize these messages needs more data to act on before it can decide. The downside of machine learning systems is that, as an end user, you often can’t see just what the machine has learned, only the actions it takes. In this regard, machine learning is somewhat like owning a cat. I can see that Clutter isn’t moving some messages I think it should, but I don’t have any way to see why, nor any way to effectively correct it. This reminds me of the good old days of training neural networks from HNC Software to do various interesting things and sometimes being bewildered by the resulting behavior.

One bit of good news: I have been very pleased to see no false positives; that is, Clutter has not taken any mail I wanted to read and treated it as clutter. If the price of zero false positives is that some real clutter isn’t treated as such, I’m OK with that.

The junk mail filtering infrastructure continues to catch some messages that might more properly be treated as clutter, e.g. the flood of marketing crap I get from GameStop. I don’t mind such messages being treated as junk, though.

One unexpected side effect is that I have been much more diligent than usual about unsubscribing from newsletters or marketing mails that I no longer care about. This has helped to cut the volume of clutter I have to deal with.

In closing, I note that no matter how many times I tell Clutter that notifications from Yammer should be treated as clutter, they keep going right into my Inbox. I suspect a conspiracy.

Filed under Office 365, UC&C

Microsoft announces data loss prevention, mobile device management for Office 365

Microsoft made a slew of Office 365 announcements at TechEd Europe this week. Taken collectively, they’re clear evidence of how Microsoft is executing their strategy of cross-linking capabilities across Windows, the Office suite, and Office 365.

Let’s start with data loss prevention (DLP), a feature first introduced in Exchange 2013. (Side note: I love it that yet another marquee feature in Office 365 was first shipped as part of Exchange.) The idea behind DLP is that you can have an automated system that will detect when users send out sensitive information (for certain selected values of “sensitive”) and take appropriate action, ranging from warning the user through a Policy Tip to journaling the message to notifying a person or group to blocking the message. DLP shipped with a template engine that allows Microsoft and its partners to build templates for different policies, along with a set of templates for common policies such as US HIPAA and PCI. However, Exchange 2013 DLP suffered from some limitations, chiefly that it only worked with messages sent through Exchange. Users only get Policy Tip warnings in OWA 2013 and Outlook 2013, and the template system seems primarily intended for use by a few specialized partners and not the general population.

Microsoft is addressing these problems by extending DLP into SharePoint Online and OneDrive for Business. While they haven’t discussed the specifics of how this will work, it seems reasonable that both SharePoint and ODB will consume the same policy templates used in Exchange, so that you can apply a consistent set of policies across the three products. Conspicuously absent from the announcement was any mention of bringing this capability to on-prem SharePoint. Maybe that was just an oversight.

The OneDrive for Business capability will be of huge interest to several of my large customers. Microsoft’s messaging around large, low-cost personal storage for business users is getting a lot of traction, with both users and enterprises eager to take advantage of it, but organizations have a reasonable concern that users will, accidentally or on purpose, put stuff in their ODB libraries that they shouldn’t. Assuming that you can define a DLP policy that covers what you don’t want stored in ODB, having this enforcement mechanism could potentially be very valuable.

In addition to these DLP extensions, Microsoft is giving Office 365 DLP the ability to recognize and act on tags created in the Windows Server file classification infrastructure (FCI). With this support, the automated metadata tags generated by FCI can be recognized by Exchange Online, SharePoint Online, and OneDrive for Business—so if you have, say, an Excel spreadsheet that’s classified as protected health information (PHI), the DLP infrastructure will recognize and treat it as such. I don’t have a good feel for how pervasive FCI is in the enterprise, since I don’t normally deal with file/print deployments, but I suspect that this is a nice 2-for-1 play for Microsoft: they can sell the benefits of FCI to cloud customers and sell the benefits of DLP that’s driven by FCI to entrenched on-prem customers.

Another major DLP improvement is coming in Office: Word, PowerPoint, and Excel will get support for Policy Tips. While it would be technically possible to roll this out into Office 2013, it wouldn’t surprise me at all to see this offered as a feature only in Office 16.

I’ll have a lot more to say about the details of these features once Microsoft releases more public details. While I’ll look forward to picking the collective brains of the Office 365 PM team at the MVP Summit, I don’t expect them to share any public details beyond what they’re showing in Barcelona. In the meantime, though, Microsoft is clearly trying to reinforce the ties between their core Office and Windows Server customers and Office 365, while at the same time providing some more tasty cloud-only features in an attempt to entice customers into drinking the 365 Kool-aid.

For another day, a more detailed analysis of Microsoft’s announcement that mobile device management (MDM) capabilities are being added to almost all of the existing Office 365 plans.

Filed under Office 365, UC&C

A few quick notes on Office 365 Groups

Today the Office 365 team announced the rollout of the first phase of the Groups feature. I hadn’t been paying close attention to the roadmap for this particular feature, so I decided to play around with it and report my findings. Rather than the kind of carefully reasoned analysis you might expect from Tony or Van Hybrid, this is sort of a stream-of-consciousness record of my initial exploration. However, it probably reflects how most customers will discover and use the feature. Remember that this is written within a few hours after the feature launched, so things that I call out as not working or missing may not be lit up in my tenant yet.

  • First, I looked around to figure out how to create a new group. The screenshot in the online help shows Groups appearing in the left-side folder nav bar. I didn’t see that in my tenant. When I switched to the People view, I noticed that the People search selector had a “Groups” item available, but since there were no groups that wasn’t super helpful. Clicking the “New” icon at the upper right of the People view gave me a modal pop-up asking me whether I wanted to create a new group or person. The interface for creating new groups is straightforward: give your group a name, add some people to it, and off you go. Here’s what it looks like:

Creating a new group is straightforward.

Note that there’s no way to specify an email address for the group object. You can send mail to it from within OWA, or by clicking the envelope icon in the group information sheet, but there’s no visible external SMTP address to send to. This seems like an oversight.

  • The group documentation says that newly created groups get their own OneDrive for Business folder and group mailbox, but I haven’t yet seen any signs of those objects in my tenant. However, the docs also say that group members will get a “welcome to your new group” email once those objects have been created, and because that hasn’t shown up yet, I’m guessing that there’s just a short provisioning delay.
  • I created a new group named “Managing Consultants”. I picked that name on purpose, because I already had a mail-enabled security group with the same name. The Groups interface happily let me create a duplicate. The existing USG doesn’t show up in the Groups interface in OWA, nor does the new Group show up in Outlook’s online GAL (which may just be an artifact of AD latency). The help topic for creating and navigating groups shows a number of settings that aren’t visible in my tenant. For example, you can supposedly change the URL used to access the group or set the group to either private or public; those options aren’t available to me yet.
  • I clicked on the mail icon to create a message and sent it off; it arrived immediately in the target mailboxes. Interestingly, though, the group name doesn’t show up in Outlook; instead, the individual group members’ names appear.
  • Even after creating two groups and sending a message to one of them, neither group appeared in the OWA left navigation bar. Surprisingly, they didn’t appear in the OneDrive nav bar either:

Where’d my groups go?

  • Bizarrely, clicking the “Browse groups” item opens a new OWA window, which opens in mail view, not the People view. The new OWA window’s left nav bar has a People section, but it’s empty, even though the original OWA window I kept open still correctly shows unread mail from people in my Inbox.
  • When I create a Group, it doesn’t appear as an available group in Yammer. I presume this is by design.
  • I didn’t test Group conversations because there are no visible Group objects in OWA where the docs say they should be.

From the bumpy state of feature display and behavior at this point, I infer that there’s a multi-step provisioning task that runs when a new Group is created, and that at least the ODB step hasn’t run yet. This might confuse users who wonder why they can use a group for one purpose (sending mail) but not another (ODB). I’ll wait a day or so for the provisioning and loop back to see which of these items are bugs and which are just caused by setup delays.

Filed under Office 365, UC&C

Moving to Summit 7 Systems

It must be the season or something. Like several of my peers (e.g. Paul, Phoummala, and Michael, to name 3), I’m moving on from my current position to a unique new challenge. In my case, I’m taking the role of Principal Architect at Summit 7 Systems.

Astute readers may remember that, just about a year ago, I joined Dell’s global services organization as a global principal consultant. I was fortunate to work with a large group of extremely smart and talented people, including several MCMs (Todd, Dave, Andrew, Ron, and Alessandro, y’all know who I’m talking about!). Working for a large company has both its benefits and challenges, but I was happy with the work I was doing and the people I was working with. However, then this happened.

Scott Edwards, cofounder of Summit 7 and a longtime friend from my prior time in Huntsville, told me that he wanted to grow Summit 7’s very successful business, previously focused on SharePoint and business process consulting, to expand into Office 365, Lync, and Exchange. Would I be interested in helping? Yes, yes, I would. Summit 7 is already really well known in the SharePoint world, with customers such as NASA, Coca-Cola, Nucor Steel, and the State of Minnesota. SharePoint consulting is a very different world in many ways from what I’m used to, so it will be interesting, challenging, and FUN to carry the Lync/Exchange/365 torch into a new environment.

In my new role, I’ll be building a practice essentially from scratch, but I’ll be able to take advantage of Summit 7’s deep bench of project management, business process consulting, marketing, and sales talent. I’m excited by the opportunity, which is essentially the next step forward from my prior work as a delivery specialist. I am not yet taking over the role of Summit 7’s corporate pilot, but that’s on my to-do list as well. (A couple of folks have already asked, and the answer is: yes, I will be flying myself occasionally to customer gigs, something that Dell explicitly forbade. Can’t wait!)

This is an exciting opportunity for me and I relish the chance to get in and start punching. Stay tuned! (Meanwhile, you can read the official Summit 7 press release here.)

Filed under UC&C

Creating an Office 365 demo tenant

One of the big advantages of software as a service (SaaS) is supposed to be reduced overhead: there are no servers to install or configure, so provisioning services is supposed to be much easier. That might be true for customers, but it isn’t necessarily true for us as administrators and consultants. Learning about Office 365 really requires hands-on experience. You can only get so far from reading the (voluminous) documentation and watching the (many and excellent) training videos that Microsoft has produced. However, there’s a problem: Office 365 costs money.

There are a few routes to get free access to Office 365. If you’re an MVP, you can get a free subscription, limited (I think) to 25 users. If you’re an MSDN subscriber, you can get a tenant with a single user license, which is fine for playtime but not terribly useful if you need a bigger lab. Microsoft also has a 30-day trial program (for some plans: Small Business Premium, Midsize Business, and Enterprise) that allows you to set up a tenant and use it, but at the end of that 30-day period the tenant goes away if you don’t pay for it. That means you can potentially waste a lot of effort customizing a tenant, creating users, and so on only to have it vanish unless you whip out the credit card.

I was a little surprised to find out recently that there’s another alternative: Microsoft has a tool that will create a new demo tenant on demand for you. You can customize many aspects of the tenant behavior, and you can use the provided user accounts (which include contact photos and real-looking sample emails and documents) or create your own. There are even vertical-specific packs that customize the environment for particular customer types. And it’s all free; no payment information is required. However, you do have to have a Windows Live ID that is associated with a Microsoft Partner Network (MPN) account. If you don’t have one, you can join MPN fairly easily.

All this goodness is available from www.microsoftofficedemos.com. Here’s what you need to do to use it.
  1. Go to http://www.microsoftofficedemos.com/ and log in.
  2. Click the “Get Demo” link in the top nav bar, or the “Create Demo” link on the page, or just go to https://www.microsoftofficedemos.com/Provision_step1.aspx. That will display the page below. Note that you can download VHDs that provide an on-prem version of the demo environment if you want those instead.
  3. Make sure you’ve selected “Office 365 tenant” from the pulldown, then click “Next”. That will display a new page with four choices, all of which are pretty much self-explanatory. If you want an empty tenant to play around with, choose the “Create an empty Office 365 tenant”. If you want one that has users, email, documents, and so on, choose “Create new demo environment” instead.
  4. On the next page, you can choose whether you want the standard demo content or a vertical-specific demo pack. This will be a really useful option once Microsoft adds more vertical packs, but for now the only semi-interesting one is retail, and the provided demo guides (IMHO) are more useful for the standard set, so that’s what I’d pick. After you choose a data set, click “Create Your Demo”.
  5. The next page is where you name the tenant, and where Microsoft asks you to prove you’re not a bot by entering a code that they send to your mobile phone. (Bonus points if you know why I picked this particular tenant name!) The optional “Personalize Your Environment” button lets you change the user names (both aliases and full names) and contact pictures, so if you’re doing a demo for a particular customer you can put in the names of the people who will attend the demo to add a little spice. The simple option is to customize a single user; there’s one main user for each of the demos (which I’ll get to in a minute), but you can customize any or all of the 25 default users.
  6. Once you click “Create My Account”, the demo engine will start creating your tenant and provisioning it. This takes a while; for example, yesterday it took about 12 hours from start to finish. Provisioning demos is just about last on Microsoft’s priority list, so if you need a tenant in a hurry use the “create a blank tenant” option I mentioned earlier. You’ll see a progress page like the one below, but you’ll also get a notification email to the address you provided in step 5 when everything’s finished, so there’s no need to sit and watch it.

Once the tenant is provisioned, you can log into it using any of the test users, or the default “admin” user. How do you know which users are configured (presuming you didn’t customize them, that is)? Excellent question. The demo guides provide a complete step-by-step script both for setting up the demo environment and executing the demo itself. For example, the Office 365 Enterprise “hero demo” is an exhaustive set of steps that covers all the setup you need to do on the tenant and whatever client machines you’re planning on using.

Once the tenant is provisioned, it’s good for 90 days. You can’t renew it, but at any time during the 90 days you can refresh the demo content so that emails, document modification times, and so on are fresh. And on the 91st day, you can just recreate the tenant; there doesn’t seem to be any explicit limit to the number of tenants you can create or the number of times you can create a tenant with a given name.

While the demo data set is quite rich, and the provided demo scripts give you a great walkthrough to show off Office 365, you don’t have to use them. If you just want a play area that you can test with, this environment is pretty much ideal. It has full SMTP connectivity, although I haven’t tested to verify that every federation and sharing feature works properly (so, for example, you might not be able to set up free/busy sharing with your on-prem accounts). I also don’t know whether there are any admin functions that have been RBAC’d to be off limits. (If you see anything like that, please post a comment here.)

Enjoy!

Filed under Office 365, UC&C

Mailbox-level backups in Office 365

Executive summary: there aren’t any, so plan accordingly.

Recently I was working with a customer (let’s call him Joe, as in “Joe Customer”) who was considering moving to Office 365. They went to our executive briefing center in Austin, where some Dell sales hotshots met and briefed them, then I joined in via Lync (with video!) for a demo. The demo went really well, and I was feeling good about our odds of winning the deal… until the Q&A period.

“How does Office 365 provide mailbox-level backups?” Joe asked.

“Well, it doesn’t,” I said. “Microsoft doesn’t give you direct access to the mailbox databases. Instead, they give you deleted item retention, plus you can use single-item retention and various types of holds.” Then I sent him this link.

“Let me tell you why I’m asking,” Joe retorted after skimming the link. “A couple of times we’ve lost our CIO’s calendar. He uses an Outlook add-in that prints out his calendar every day, and sometimes it corrupts calendar items. We need to be able to do mailbox-level backups so that we can restore any damaged items.”

At that point I had to admit to being stumped. Sure enough, there is no Office 365 feature or capability that protects against this kind of logical corruption. You can’t use New-MailboxExportRequest or the EAC to export the contents of Office 365 mailboxes to PST files. You obviously can’t run backup tools that run on the Exchange server against your Office 365 mailbox databases; there may exist tools that use EWS to directly access a mailbox and make a backup copy, but I don’t know of any that are built for that purpose.

I ran Joe’s query past a few folks I know on the 365 team. Apart from the (partially helpful) suggestion not to run Outlook add-ins that are known to corrupt data, none of them had good answers either.

While it’s tempting to view the inability to do mailbox-level backups as a limitation, it’s perfectly understandable. Microsoft spent years trying to get people not to run brick-level backups using MAPI. The number of use cases for this feature is getting smaller each year as both the data-integrity and retention features of Exchange get better. In fact, one of the major reasons that we now have single-item recovery in its current form is because customers kept asking for expanded tools to recover deleted items, either after an accidental deletion or a purge. Exchange also incorporates all sorts of infrastructure to protect against data loss, both for stored data and data in transit, but nothing really helps in this case: the corrupt data comes from the client, and Exchange is faithfully storing and replicating what it gets from the client. In fairness, we have seen business logic added to Exchange in the past to protect against problems caused by malformed calendar entries created by old versions of Outlook, but clearly Microsoft can’t do that for every random add-in that might stomp on a user’s calendar.

A few days after the original presentation, I sent Joe an email summarizing what I’d found out and telling him that, if mailbox-level backup was an absolute requirement, he probably shouldn’t move those mailboxes to Office 365.

The moral of this story, to the extent that there is one, is that Microsoft is engineering Office 365 for the majority of their users and their needs. Just as Word (for instance) is supplemented by specialized plugins for reference and footnote tracking, mathematical typesetting, and chemistry diagrams, Exchange has a whole ecosystem of products that connect to it in various ways, and Office 365 doesn’t support every single one of those. The breadth and diversity of the Exchange ecosystem is one of the major reasons that I expect on-premises Exchange to be with us for years to come. Until it finally disappears, don’t forget to do some kind of backups.

Filed under Office 365, UC&C

US lawyers and Office 365

Every field has its own unique constraints; the things the owner of a small manufacturing business worries about will have some overlap, but many differences, compared to what the CEO of a multi-billion-dollar energy company is concerned with. The legal industry is no exception; one major area of concern for lawyers is ethics. No, I don’t mean that they’re concerned about not having any. (I will try to refrain from adding any further lawyer jokes in this post unless, you know, they’re funny).

Disclaimer: I am not a lawyer. This is not legal advice. Seriously.

The entire US legal system is based on a number of core principles, including that of precedent, or what laymen might call “tradition”. For that reason, as well as the stiff professional penalties that may result from a finding of malpractice or incompetence, many in the legal profession have been slower to embrace technology than their peers in other industries. When there is no settled precedent to answer a question, someone has to generate precedent, often by taking a case to court. Various professional standards bodies can generate opinions that are considered to be more or less binding on their members, too. To cite one example of what I mean, here’s what the Lawyers’ Professional Responsibility Board of the state of Minnesota has to say about one small aspect of legal ethics, the safeguarding and use of metadata:

…a lawyer is ethically required to act competently to avoid improper disclosure of confidential and privileged information in metadata in electronic documents.

That seems pretty straightforward; the body responsible for “the operation of the professional responsibility system in Minnesota” issued an opinion calling for attorneys in that state to safeguard metadata and refrain from using it in ways that conflict with their other ethical obligations. With that opinion now extant, lawyers in Minnesota can, presumably, be disciplined for failing to meet that standard.

With that as background, let me share this fascinating link: a list of ethics opinions related to the use of cloud services by lawyers and law firms. (I found the list at Sharon Nelson’s excellent “Ride the Lightning” blog, which I commend to your attention.)

Let that sink in for a minute: some of the organizations responsible for setting ethical standards for lawyers in various states are weighing in on the ethics of legal use of cloud services.

This strikes me as remarkable for several reasons. Consider, for example, that there don’t seem to be similar guidelines for e-mail admins, or professional engineers, or cosmetologists, or any other profession that I can think of. In pretty much every other market, if you want to use cloud services, feel free! Oh, sure, you may want to consider the ramifications of putting sensitive or protected data into the cloud, especially if you have specific requirements around compliance or governance. By and large, though, no one is going to punish you for using cloud services in your business if that choice turns out to be inappropriate. On the other hand, if you’re a lawyer, you can be professionally liable for failing to protect your clients’ confidentiality, as might happen in case of a data breach at your cloud provider.

The existence of these opinions, then, means that in at least 14 states, there are now defined standards that practitioners are expected to follow when choosing and using cloud services. For example, the Alabama standard (which I picked because it is simple, because I live in Alabama, and because it was first in the alphabetical list) says:

…a lawyer may use “cloud computing” or third-party providers to store client data provided that the attorney exercises reasonable care in doing so… The duty of reasonable care requires the lawyer to become knowledgeable about how the provider will handle the storage and security of the data being stored and to reasonably ensure that the provider will abide by a confidentiality agreement in handling the data. Additionally, because technology is constantly evolving, the lawyer will have a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third-party provider. If there is a breach of confidentiality, the focus of any inquiry will be whether the lawyer acted reasonably in selecting the method of storage and/or the third party provider.

The other state opinions are generally similar in that they require an attorney to act with “reasonable care” in choosing a cloud service provider. That makes Microsoft’s recent relaunch of the expanded Office 365 Trust Center a great move: it succinctly addresses “appropriate security safeguards” that are applied throughout the Office 365 stack. Reading it will give you a solid grounding in the physical, technical, and operational safeguards that Microsoft has in place.

Compared to its major SaaS competitors, Microsoft’s site has more breadth and depth about security in Office 365, and it’s written in an approachable style that is appropriate for non-technical people… including attorneys. In particular, the top-10 lists provide easily digestible bites that help to reassure customers that their data, and metadata, are safe within Microsoft’s cloud. By comparison, the Google Apps security page is limited in both breadth and depth; the Dropbox page is laughable, and the Box.net page is basically a quick list of bullets without much depth to back them up.

The Office 365 Trust Center certainly provides the information necessary for an attorney to “become knowledgeable about how the provider will handle the storage and security of the data being stored”, and it is equally useful for the rest of us because we can do the same thing. If you haven’t already done so, it’s worth a few minutes of your time to go check it out; you’ll probably come away with a better idea of the number and type of security measures that Microsoft applies to Office 365 operations, which will help you if a) you go to law school and/or b) you are considering moving to Office 365.

Filed under Office 365, UC&C

Speaking at Exchange Connections 2014

I’m excited to say that I’ll be presenting at Exchange Connections 2014, coming up this fall at the Aria in Las Vegas.

Tony posted the complete list of speakers and session titles a couple of days ago. I’m doing three sessions:

  • “Who Wears the Pants In Your Datacenter: Taming Managed Availability”: an all-new session in which the phrase “you’re not the boss of me” will feature prominently. You might want to prepare by reading my Windows IT Pro article on MA, sort of to set the table.
  • “Just Like Lemmings: Mass Migration to Office 365”: an all-new session that discusses the hows and whys of moving large volumes of mailbox and PST data into the service, using both Microsoft and third-party tools. (On the sometimes-contentious topic of public folder migration, I plead ignorance; see Sigi Jagott’s session if you want to know more). There is a big gap between theory and practice here and I plan to shine some light into it.
  • “Deep Dive: Exchange 2013 and Lync 2013 Integration” covers the nuts and bolts of how to tie Lync and Exchange 2013 together. Frankly, if you saw me present on this topic at DellWorld, MEC, or Lync Conference, you don’t need to attend this iteration. However, every time I’ve presented it, the room has been packed to capacity, so there’s clearly still demand for the material!

Exchange Connections always has a more relaxed, intimate feeling about it than the bigger Microsoft-themed conferences. This is in part because it’s not a Microsoft event and in part because it is considerably smaller. As a speaker, I really enjoy the chance to engage more deeply with the attendees than is possible at mega-events. If you’re planning to be there, great— and, if not, you should change your plans!

1 Comment

Filed under Office 365, UC&C

Microsoft updates Recoverable Items quota for Office 365 users

Remember when I posted about the 100GB limit for Personal Archive mailboxes in Office 365? It turns out that there was another limit that almost no one knew about, primarily because it involves mailbox retention. As of today, when you put an Office 365 mailbox on In-Place Hold, the size of the Recoverable Items folder is capped at 30GB. This is plenty for the vast majority of customers because a) not many customers use In-Place Hold in the first place and b) not many users have mailboxes that are large enough to exceed the 30GB quota. Multiply two small numbers together and you get another small number.

However, there are some customers for whom this is a problem. One of the most interesting things about Office 365 to me is the speed at which Microsoft can respond to their requests by changing aspects of the service architecture and provisioning. In this case, the Exchange team is planning to increase the size of the Recoverable Items quota to 100GB. Interestingly, they’re actually starting by increasing the quota for user mailboxes that are now on hold— so from now until July 2014, they’ll be silently increasing the quota for those users. If you put a user on hold today, however, their quota may not be set to 100GB until sometime later.

If you need an immediate quota increase, or if you’re using a dedicated tenant, you’ll still have to use the existing mechanism of filing a support ticket to have the quota increased.

There’s no public post on this yet, but I expect one shortly. In the meantime, bask in the knowledge that with a 50GB mailbox, 100GB Personal Archive, and 100GB Recoverable Items quota, your users probably aren’t going to run out of mailbox space any time soon.

2 Comments

Filed under Office 365, UC&C

Two-factor authentication for Outlook and Office 2013 clients

I don’t usually put on my old man hat, but indulge me for a second. Back in February 2000, in my long-forgotten column for TechNet, here’s what I said about single-factor passwords:

I’m going to let you in on a secret that’s little discussed outside the security world: reusable passwords are evil.

I stand by the second half of that statement: reusable passwords are still evil, 14 years later, but at least the word is getting out, and multi-factor authentication is becoming more and more common in both consumer and business systems. I was wrong when I assumed that smart cards would become ubiquitous as a second authentication factor; instead, the “something you have” role is increasingly often filled by a mobile phone that can receive SMS messages. Microsoft bought into that trend with their 2012 purchase of PhoneFactor, which is now integrated into Azure. Now Microsoft is extending MFA support into Outlook and the rest of the Office 2013 client applications, with a few caveats. I attended a great session at MEC 2014 presented by Microsoft’s Erik Ashby and Franklin Williams that both described the current state of Office 365-integrated MFA and outlined Microsoft’s plans to extend MFA to Outlook.

First, keep in mind that Office 365 already offers multi-factor authentication, once you enable it, for your web-based clients. You can use SMS-based authentication, have the service call you via phone, or use a mobile app that generates authentication codes, and you can define “app passwords” that are used instead of your primary credentials for applications— like Outlook, as it happens— that don’t currently understand MFA. You have to enable MFA for your tenant, then enable it for individual users. All of these services are included with Office 365 SKUs, and they rely on the Azure MFA service. You can, if you wish, buy a separate subscription to Azure MFA if you want additional functionality, like the ability to customize the caller ID that appears when the service calls your users.

With that said, here’s what Erik and Franklin talked about…

To start with, we have to distinguish between the three types of identities that can be used to authenticate against the service. Without going into every detail, it’s fair to summarize these as follows:

  • Cloud identities are homed in Azure Active Directory (AAD). There’s no synchronization with on-premises AD because there isn’t one.
  • Directory sync (or just “dirsync”) uses Microsoft’s dirsync tool, or an equivalent third-party tool, to sync an on-premises account with AAD. This essentially gives services that consume AAD a mostly-read-only copy of your organization’s AD.
  • Federated identity uses a federation broker or service such as Active Directory Federation Services (AD FS), Okta, Centrify, and Ping to allow your organization’s AD to answer authentication queries from Office 365 services. In January 2014 Microsoft announced a “Works With Office 365 – Identity” logo program, so if you don’t want to use AD FS you can choose another federation toolset that better meets your requirements.

Client updates are coming to the Office 2013 clients: Outlook, Lync, Word, Excel, PowerPoint, and SkyDrive Pro. With these updates, you’ll see a single unified authentication window for all of the clients, similar (but not necessarily identical) to the existing login window you get on Windows when signing into a SkyDrive or SkyDrive Pro library from within an Office client. From that authentication window, you’ll be able to enter the second authentication factor that you received via phone call, SMS, or authentication app. During the presentation, Franklin (or maybe Erik?) said “if you can authenticate in a web browser, you can authenticate in Office clients”— very cool. (PowerShell will be getting MFA support too, but it wasn’t clear to me exactly when that was happening).

These client updates will also provide support for two specific types of smart cards: the US Department of Defense Common Access Card (CAC) and the similar-but-civilian Personal Identity Verification (PIV) card. Instead of using a separate authentication token provided by the service, you’ll plug in your smart card, authenticate to it with your PIN, and away you go.

All three identity types support MFA; federated identity will gain the ability to do true single sign-on (SSO) in Office 2013 clients, which will be a welcome usability improvement. Outlook will get SSO capabilities with the other two identity types, too.

How do the updates work? That’s where the magic part comes in. The Azure Active Directory Authentication Library (ADAL) is being extended to provide support for MFA. When the Office client makes a request to the service, the service will return a header that instructs the client to visit a security token service (STS) using OAuth. At that point, Office uses ADAL to launch the browser control that displays the authentication page, then, as Erik puts it, “MFA and federation magic happens transparent to Office.” If the authentication succeeds, Office gets security tokens that it caches and uses for service authentication. (The flow is described in more detail in the video from the session, which is available now for MEC attendees and will be available in 60 days or so for non-attendees).
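The challenge-and-retry flow just described, as an added example in Python that is not Microsoft’s or ADAL’s code: the service answers an unauthenticated request with a Bearer challenge naming the STS, the client signs in there, caches the resulting token per resource, and retries. It goes a little beyond the session summary by adding two defensive checks a client should make, since the challenge arrives from the network: the STS host must be on an allowlist before any sign-in UI is shown for it, and the token audience the service names must match the host being called, so a cached token is never handed to a foreign host. The header parameter names (authorization_uri, resource_id), hostnames, and token values are constructed assumptions.

```python
"""Simulation of the 401-challenge -> STS sign-in -> cached token flow.  Added
example, not Microsoft/ADAL code; parameter names, hosts and tokens are assumed."""
import re
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Assumed tenant configuration: the only STS hosts this client will sign in to.
TRUSTED_STS_HOSTS = {"login.example.test"}

# Constructed sample of the challenge a service returns on an unauthenticated call.
SAMPLE_CHALLENGE = ('Bearer realm="", '
                    'authorization_uri="https://login.example.test/common/oauth2/authorize", '
                    'resource_id="https://outlook.example.test/"')

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Split a 'WWW-Authenticate: Bearer ...' value into its key="value" parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM_RE.findall(params))


def sts_is_trusted(authorization_uri: str) -> bool:
    """The STS named in the challenge must be checked before any sign-in UI
    (password, SMS code, smart card PIN) is shown for it."""
    u = urlparse(authorization_uri)
    return u.scheme == "https" and u.hostname in TRUSTED_STS_HOSTS


@dataclass
class Token:
    value: str
    resource: str      # audience the STS issued the token for
    expires_at: float


@dataclass
class OfficeClient:
    cache: dict = field(default_factory=dict)   # resource -> Token

    def token_for(self, resource: str, now: Optional[float] = None) -> Optional[Token]:
        """Return an unexpired cached token for this resource, or None."""
        now = time.time() if now is None else now
        tok = self.cache.get(resource)
        return tok if tok and tok.expires_at > now else None

    def call(self, resource: str, service, sts, now: Optional[float] = None) -> str:
        """One logical request.  service(resource, token) returns ('ok', body) or
        ('challenge', header); sts(resource_id) stands in for the browser-control
        sign-in and returns a Token.  Retries exactly once after a challenge."""
        tok = self.token_for(resource, now)
        status, payload = service(resource, tok.value if tok else None)
        if status == "ok":
            return payload
        params = parse_bearer_challenge(payload)
        sts_uri = params.get("authorization_uri", "")
        if not sts_is_trusted(sts_uri):
            raise PermissionError(f"refusing to sign in at untrusted STS {sts_uri!r}")
        audience = params.get("resource_id", resource)
        # A token is only ever presented to the host it was issued for; a service
        # that asks for a token scoped to some other host gets nothing.
        if urlparse(audience).hostname != urlparse(resource).hostname:
            raise PermissionError(f"challenge names foreign audience {audience!r}")
        new = sts(audience)
        self.cache[resource] = new
        status, payload = service(resource, new.value)
        if status != "ok":
            raise RuntimeError("service rejected freshly issued token")
        return payload


def fake_service(resource: str, token: Optional[str]):
    """Constructed stand-in for Exchange Online: accepts one known token, else challenges."""
    if token == "tok-123":
        return "ok", f"mailbox data from {resource}"
    return "challenge", SAMPLE_CHALLENGE


def fake_sts(resource_id: str) -> Token:
    """Constructed stand-in for the STS where, per the session, MFA/federation happen."""
    return Token("tok-123", resource_id, time.time() + 3600)
```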

There are two important caveats that were a little buried in the presentation. First is that MFA in Outlook 2013 will require the use of MAPI/HTTP. More seriously, MFA will not be available to on-premises Exchange 2013 deployments until some time in the future. This aligns with Microsoft’s cloud-first strategy, but it is going to aggravate on-premises customers something fierce. In fairness, because you need the MFA infrastructure hosted in the Microsoft cloud to take advantage of this feature, I’m not sure there’s a feasible way to deliver SMS- or voice-based MFA for purely on-prem environments, and if you’re in a hybrid, then you’re good to go.

Microsoft hasn’t announced a specific timeframe for these updates (other than “second half calendar 2014”), and they didn’t say anything about Mac support, though I would imagine that the rumored v.next of Mac Office would provide this same functionality. The ability to use MFA across all the Office client apps will make it easier for end users, reducing the chance that they’ll depend solely on reusable passwords and thus reducing the net amount of evil in the world— a blessing to us all.

1 Comment

Filed under Office 365, UC&C

Office 365 Personal Archives limited to 100GB

There’s a bit of misinformation, or lack of information, floating around about the use of Office 365 Personal Archives. This feature, which is included in the higher-end Office 365 service plans (including E3/E4 and the corresponding A3/A4 plans for academic organizations), is often cited as one of the major justifications for moving to Office 365. It’s attractive because of the potential savings from greatly reducing PST file use and eliminating (or at least sharply reducing) the use of on-premises archiving systems such as Enterprise Vault.

Some Microsoft folks have been spreading the good news that archives are unlimited (samples here and here), and so have many consultants, partners, and vendors– including me. In fact, I had a conversation with a large customer last week in which they expressed positive glee about being able to get their data out of on-prem archives and into the cloud.

The only problem? Saying the archives are unlimited isn’t quiiiiite true.

If you read the service description for Exchange Online (which we all should be doing regularly anyway, as it changes from time to time), you’ll see this:

Clip from Nov 2013 O365 service description

See that little “3”? Here’s its text:

Each subscriber receives 50 GB of storage in the primary mailbox, plus unlimited storage in the archive mailbox. A default quota of 100 GB is set on the archive mailbox, which will generally accommodate reasonable use, including the import of one user’s historical email. In the unlikely event that a user reaches this quota, a call to Office 365 support is required. Administrators can’t increase or decrease this quota.

So as an official matter, there is no size limit. As a practical matter, the archive is soft-limited to 100GB, and if you want to store more data than that, you’ll have to call Microsoft support to ask for a quota increase. My current understanding is that 170GB is the real limit, as that is the maximum size to which the quota can currently be increased. I don’t know if Microsoft has stated this publicly anywhere yet but it’s certainly not in the service descriptions. That limit leads me to wonder what the maximum functional size of an Office 365 mailbox is– that is, if Microsoft didn’t have the existing 100GB quota limit in place, how big a mailbox could they comfortably support? (Note that this is not the same as asking what size mailbox Outlook can comfortably support, and I bet those two numbers wouldn’t match anyway.) I suppose that in future service updates we’ll find out, given that Microsoft is continuing to shovel mailbox space at users as part of its efforts to compete with Google.

Is this limit a big deal? Not really; the number of Office 365 customers who will need more than 100GB of archive space for individual user mailboxes is likely to be very small. The difference between “unlimited” and “so large that you’ll never encounter the limit” is primarily one of semantics. However, there’s always a danger that customers will react badly to poor semantics, perhaps because they believe that what they get isn’t what they were promised. While I would like to see more precision in the service descriptions, it’s probably more useful to focus on making sure that customers (especially those who are heavy users of on-premises archives or PST files) know that there’s currently a 100GB quota, which is why I wrote this post.

For another time: a discussion of how hard, or easy, it is to get large volumes of archive data into Office 365 in the first place. That’s one of the many topics I expect to see explored in great depth at MEC 2014, where we’ll get the Exchange team’s perspective, and then again at Exchange Connections 2014, where I suspect we’ll get a more nuanced view.

5 Comments

Filed under Office 365, UC&C

Office 365 token disclosure flaw: patch your desktops now

Happy New Year! To start the year off right, let’s talk about security. More to the point, let’s talk about Office 365 security.

One of the ways I often talk about Office 365 to customers is this: any time you move to a hosted service, you’re placing a bet that your hosting provider can do something better or cheaper than you do. Maybe they’ll deliver better uptime than you can afford to provide, or they’ll offer global reach, or some feature or function that you don’t currently have. As with any other bet, you have to carefully evaluate the odds and your counterparty (the person offering the bet). One of the big arguments in favor of Office 365 has been its security: Microsoft has invested a huge amount of money in physical and logical security for Office 365. Tie this in with the huge investment (several billion dollars and counting) brought about by Trustworthy Computing and you can see why Microsoft is eager to tout the security of their products: they have made huge strides over the last ten years. (Sadly, many other vendors are still as bad as they were back in 2005… let that thought sink in for a few minutes.)

In December, Microsoft released a patch, MS13-104, which every organization using Office 365 should immediately deploy. Microsoft rated this bulletin as “important” using their severity scale. While I understand that the “critical” severity is usually reserved for flaws that could allow remote code execution, I think this is just as bad because it allows an attacker to silently steal every document you have in a SharePoint Online document library.

Wow.

Keep this tab open, then open a new tab and use it to start figuring out how to patch your clients ASAP if you’re using SharePoint Online. Then you can come back.

I won’t repeat the excellent analysis performed by Adallom Security, the folks who reported the flaw to Microsoft in May 2013. That’s right: they reported in May 2013, and the patch was issued in December 2013. That’s a minimum of 7 months of days-of-risk, which is bad enough without considering how long this flaw was being exploited before Adallom found it. However, I do want to make a couple of additional points.

First, they wrote their post before the recent spate of disclosures surrounding the NSA’s Targeted Access Operations (TAO) team and their catalog of exploits. There is of course no evidence that NSA developed or was using this particular exploit, but this is exactly the kind of silent, virtually undetectable attack that is the specialty of nation-states. The fact that Adallom’s customer is a large, high-profile enterprise is potentially bad news for Office 365 sales efforts, given that those customers are already a little leery of cloud services because of a perceived lack of security controls.

Second, this exploit apparently doesn’t work against Exchange Online or Lync Online, but that hasn’t been proven conclusively. Don’t hold off patching Office 2013 just because you aren’t using SharePoint Online.

Third, it seems to me that this kind of flaw is the natural consequence of breaking new ground. Seamlessly tying together on-premises and cloud services through a complex desktop suite is something that no other software company has even attempted: the major Office 365 competitors, such as Box.net and Google, don’t offer traditional desktop productivity apps, preferring instead to run inside the browser, where the design patterns and potential vulnerabilities of authentication are much better understood. So I don’t think of this as sloppiness necessarily on Microsoft’s part: sometimes in complex systems, people make mistakes. 210+ days-of-risk makes me a little nervous though.

My overall takeaway: if you have truly sensitive data that you want to protect, putting it in the cloud is not necessarily any more risky than keeping it on-premises. That may seem counterintuitive, but an entity that is determined to get your data has many potential avenues of attack, and my experience tells me that the vast majority of sites have a number of local vulnerabilities (such as poor patching practices, poor intrusion detection, or inattention to basic security practices) that put them at higher risk than a relatively esoteric, hard-to-exploit flaw like this one. If you don’t believe me, just look at the number of sites hit by Cryptolocker and various banking-related Trojans. Put another way, you don’t need to worry about defending yourself against NSA if you can’t even manage to defend yourself against script kiddies.

Now go forth and patch!

Leave a comment

Filed under Office 365, UC&C

Office 365 beta exams: a few thoughts

Last week I took the beta versions of the two MCSA exams for Office 365: 71-346 is Managing Office 365 Identities and Requirements and 71-347 is Enabling Office 365 Services. I thought it might be useful to write up a few NDA-safe notes on the exams and the topics they cover. Keep in mind that the questions on the beta exam are there because they’re being tested; the objective domains (ODs), or areas of knowledge being tested, won’t change but the specific questions probably will as the beta identifies “bad” questions (those that everyone gets right or everyone gets wrong are immediately suspect!). The Microsoft exam development process is really complicated; to summarize, by the time the exams hit beta, the knowledge areas to be tested are set in stone but the questions themselves can be modified, or thrown out, based on beta exam feedback.

First, be forewarned that there are no formal study materials for these exams. I hear that Office 365 Admin Inside Out from MS Press is decent, but haven’t read it yet. Be prepared to do a lot of binging to look up specific things that you want to know how to do.

Second, the absolute best way to prepare for the exam is to sign up for a trial Office 365 E3/E4 tenant and make sure that you know how to do everything mentioned in the exam objectives in both PowerShell and the GUI. This is baloney, and it has been a hot topic of debate in the MVP community. IMHO there is little value in asking an examinee to show that they know how to do something in PS which is trivial to do in the GUI, especially if it’s a one-time task like setting up Azure RMS. Nonetheless, that’s the requirement.

For 346, specific things you should probably know include:

  • How to add a new tenant, from scratch. This includes choosing a region (and what effect that has), setting the domain purpose, and confirming domain ownership.
  • How to configure DNS records and firewall settings: SRV, CNAME, and MX records, what they point to, etc.
  • How to design ADFS: how to size it, when to use SQL Server instead of WID, and so on. Note that actually doing HA or DR with ADFS is not one of the topics listed in the OD, but you’ll need to know how to do it anyway. The ADFS 2.0 documentation content map is very helpful here.
  • How to administer (parts of) ADFS, including installing it (prerequisites too) on both Windows 2008 and 2012 (but not R2), controlling filtering, and managing dirsync. I have heard that there are questions in the pool that cover ADFS 3.0 but don’t know if that’s true.
  • How you’d conduct a pilot, including how to use connected accounts and mail forwarding.
  • What the different administrative roles in 365 are for and what they can do, including how to manage delegated admins.
  • How to provision / license users through the 365 Admin Center.
  • Basic account management through PowerShell: creating users, modifying their properties, licensing them, etc. Nothing too exotic; I expect most Exchange and Lync admins can do these types of things now without difficulty.
  • How to provision, enable, and administer AD RMS, a surprisingly cool technology that Brian Reid has written about at length already.
  • What the mail flow/message hygiene reports are and what you can do with them.
  • How to do daily admin tasks: checking service health, using the RSS feeds, opening service tickets, etc.
  • Troubleshooting using the Remote Connectivity Analyzer and MOSDAL.

347 is a little more of a mixed bag because it contains both admin-level material similar to ODs in 346 plus a smorgasbord of other stuff. The most important thing to know here: you must know how to do stuff with SharePoint Online. Out of the 53 questions on my beta exam, 12 of them (22.6%) were related to SPO. Given that about 0.5% of my actual knowledge relates to SPO, that was a problem. I don’t use it, and I haven’t worked on the SPO-related parts of any deployments for Dell customers, so I was unprepared. Don’t be like me. Be prepared to demonstrate that you know:

  • All about Click-to-Run, including how it differs from MSI installations, how you customize what gets installed, how the installs themselves work, etc.
  • All about Office Telemetry. Never heard of it? Neither had I. Its inclusion in these exams seems a bit odd, since I suspect you’d see people running it before deploying Office 2013 on-prem too. It’s been a while since I was directly involved in the world of desktop deployment, though, so maybe everyone but me knows about it.
  • How to manage SPO site collections, including how to share and unshare them, set quotas, etc.
  • How to provision (including how to license) Excel and Visio Services.
  • How to manage proxy, reply-to/default addresses, resource mailboxes, external contacts, and groups in Exchange— standard stuff for working Exchange admins.
  • How to work with archiving policies on both Exchange and Lync, including integration with Exchange 2013’s in-place hold mechanism.
  • How to set up Lync settings for external access, including visibility of presence and per-user access to PIC.

Again, you need to know how to do these things in both PowerShell and the GUI, despite the fact that many of the tasks in the ODs will be things you do once (or maybe quarterly, at most).

Should you take the beta exams? It depends, I guess. They cost the same as the “real” exam, and they’re subject to the same “Second Shot” MS program that grants you one retake of a failed exam. So you could sign up and take the beta now for $150, then take the real exam for free if you don’t pass. Based on the state of the exam questions I saw, and the lack of structured training materials, I don’t recommend that you rush to take the exam, though; the real version goes live on 17 February. Until then, your time would probably be better spent setting up a scratch tenant that you can play with, then running through the list of ODs to make sure that you know how to do the things on the list.

I’d be interested in hearing from people who took the exam to see how well you think the exam actually matches up with what Office 365 admins and designers need to know in the real world.

1 Comment

Filed under Office 365, UC&C