We have made a lot of progress in securing Office 365. We enabled the audit logs in the Security & Compliance Center and completed an initial configuration of Cloud App Security. As part of our MDM deployment, we deployed Azure multifactor authentication with conditional access support. We also set up data loss prevention policies in the Security & Compliance Center, placed accounts on legal hold, and completed an electronic discovery for a court-ordered subpoena. As part of our discovery process, we set up Microsoft Secure Score and the next-generation Windows Advanced Threat Protection (ATP), whose agents apply machine learning and deep learning to endpoint telemetry. We now have a functioning and secure tenant.
Note
In previous books that I have written, I spent a lot of time on getting the right subscription mix. In this book, the scoring will drive the subscriptions. If you have a low score, you can only increase it by deploying more security functions that are part of higher end subscriptions. You need to change the mindset and manage the 365 tenant by the security score to protect the company.
Our configuration of Office 365 uses the Microsoft 365 E5 subscription, the highest security subscription Microsoft supplies. We added an Azure cloud solution provider (CSP) subscription to the mix, which gives us full access to Azure Security Center and related services. The previous chapters covered the configuration of the different services and how to secure your business with Office 365. This chapter focuses on the administration of the service. Time is money, and as an administrator you are looking for the simplest way to accomplish a task, so this chapter outlines the common tasks that administrators are asked to perform: renaming users, adding e-mail aliases, creating shared mailboxes, configuring Teams (which now carries the Skype for Business features), reviewing security logs, and changing the subscription type. There are five different ways to administer Office 365: the Office 365 admin center, PowerShell, third-party cloud-based tools, Azure Active Directory, and on-premises Windows Active Directory. I mention Windows Active Directory so you will not ignore it, but we spend very little time on it; our use of Active Directory focuses on what you can manage from Office 365 versus what must be managed from Active Directory.
Office 365 Administration Overview
The global administrator is the first account created when you sign up for Office 365, and it has full access to all Office 365 resources. You can use PowerShell to configure capabilities, or you can use the graphical interfaces in the various admin centers (Exchange, Skype for Business, or SharePoint). The one rule to remember is this: to change features using PowerShell or the admin graphical interfaces, the account you are using must have a license (such as Exchange, Skype for Business, or SharePoint) provisioned for that feature. If a global administrator’s account tries to change features in a subscription area that the account is not licensed for, the action is not permitted. In some cases the global administrator is simply not shown the GUI options (access to the eDiscovery Center, for instance). Partners with delegated administrator rights do not hold a license in your tenant and cannot access a user’s data. You may also see some PowerShell commands fail silently, with no error returned, when the account running them has no license attached.
Note
Only selected Microsoft Partners can offer delegated administrator services to their customers. The global administrator must approve the rights to a Microsoft Partner to act as a delegated administrator. Microsoft Partners that have delegated administration capabilities have earned the right to use this service offering.
As an administrator, you will use both interfaces. The only rule to remember is that you must have a license assigned to the account that you are using to grant permissions to the user accounts. The objective of this chapter is to provide you with the tools and capabilities necessary for you to administer your own Office 365 site and provide the best level of service to your organization.
Note
If you have Azure AD Connect enabled, you cannot edit some properties of a user’s mailbox, because it’s out of the current user’s write scope. Those properties in the mailbox are managed by the on-premises Active Directory.
Preparing to Administer Office 365
Office 365 is easy to manage if you have configured the service correctly after migration and you have deployed the security services we recommended in this book. You can use the GUI interface or you can manage Office 365 via the PowerShell interface. The choice is up to you. In this chapter, we have assumed that you have configured your Office 365 solution for production, and we use the following checklist to check on your status. This administration chapter assumes that you have completed the necessary configurations in the previous chapters.
Office 365 Configuration Completion Checklist
- 1.
If you have desktop Office 2013/2016/2019, plan to change your subscription to a version of the Office 365 Pro Plus subscription software. Older versions of Office desktop software (such as Office 2003, 2007, or 2010) are not enhanced, and in some cases will not work with Office 365. Migrate to Office 365 Pro Plus and no longer use volume license or retail versions of Office (it is a support issue).
- 2.
Check the Office 365 domain setup in the Office 365 admin center to make sure that all DNS entries are green. If you have any actions to complete (under the action header), please complete them before you move forward.
- 3.
Verify that your Office 365 domain is set to Authoritative in the Exchange admin center (Mail flow ➤ Accepted domains). Use Internal Relay only while the domain is shared between Office 365 and an on-premises mail system (split delivery); once every mailbox is in Office 365, set it back to Authoritative so that mail for nonexistent recipients is rejected rather than relayed.
- 4.
Verify that you have placed a local DNS record on your on-premises DNS server. Add an Autodiscover CNAME (autodiscover.yourdomain) to your internal DNS that points to the host name autodiscover.outlook.com. A CNAME target is a host name, not a URL, so do not include http:// in the record.
- 5.
If you have an on-premises Exchange Server and you have migrated to Office 365, clear the internal Autodiscover URL with the following command (note that, once it’s set, local clients can no longer autodiscover the local Exchange Server; on Exchange 2016/2019 the same setting is on Set-ClientAccessService):
Set-ClientAccessServer -Identity "<name>" -AutoDiscoverServiceInternalUri $NULL
- 6.
Extend the 14-day deleted item retention to 30 days (the maximum in Exchange Online). Run the following PowerShell commands.
- a.
Extend the deleted item retention to 30 days for a single mailbox.
Set-Mailbox <user@domain> -RetainDeletedItemsFor 30
- b.
Extend the deleted item retention to 30 days for the organization. The -ResultSize Unlimited switch matters here: without it Get-Mailbox returns only the first 1,000 mailboxes, and the rest keep the 14-day default.
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RetainDeletedItemsFor 30
- 7.
Enable the audit logs on all users’ mailboxes. By default, mailbox audit entries are kept for 90 days; the age limit can be extended to multiple years.
#Enable Audit Logging
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365 -AuditOwner Create,HardDelete,MailboxLogin,MoveToDeletedItems,SoftDelete,Update
#Check Status
Get-Mailbox -ResultSize Unlimited | Select Name, UserPrincipalName, AuditEnabled, AuditLogAgeLimit | Out-GridView
- 8.
Log into the Office 365 admin center, and select the Security & Compliance Center. Under Search & Investigation, select “audit log search” and “enable audit log recording.”
- 9.
The default retention policy (the Default MRM Policy) begins to act on a mailbox once the archive is enabled. Its default tag, “Default 2 year move to archive,” moves e-mail older than two years into the archive mailbox; other tags in the policy (such as the tag on the Junk Email folder) delete mail after their stated period. If you do not want your e-mail to be moved to an archive or deleted, remove the tag from the policy in the Exchange admin center, under “Compliance Management” and “Retention tags.”
- 10.
Remove any other retention tags you do not want to use in the retention policy.
- 11.
Verify that you have enabled Yammer on your subscription. To enable Yammer, expand the admin center, and then select Yammer. The service should auto-activate and show a green check mark.
- 12.
Log in to the OneDrive admin center (Storage) and set the number of days to retain a deleted user’s OneDrive files to 1,530 days (the default is 30).
- 13.
In the OneDrive admin center (Sharing), reduce external sharing to “Existing external users” (only people already in your directory) to control sharing until you understand the sharing features.
Office 365 Security Configuration Completion Checklist
- 1.
Deploy a Microsoft 365 E5 subscription.
- 2.
Create a log analytics subscription for data logging and configure services.
- 3.
Build out the Azure security center; set the data collection load you want.
- 4.
Deploy the Azure Advanced Threat Protection (Azure ATP) sensor on each domain controller (on-site or in Azure).
- 5.
Deploy Windows Defender Advanced Threat Protection (ATP) agents.
- 6.
Deploy the Microsoft Monitoring Agent (MMA) to all clients and servers so they report to the Log Analytics workspace.
- 7.
Deploy the Windows Analytics commercial ID so client telemetry is attributed to your Log Analytics workspace.
- 8.
Deploy Secure Score and baseline the organization.
- 9.
Deploy Privileged Identity Management.
- 10.
Change all global admin accounts (except one) to security admin and deploy PIM for users to request elevated rights.
- 11.
Deploy Azure Information Protection.
- 12.
Deploy MFA to all clients.
- 13.
Deploy the Azure AD Identity Protection risk policies (user risk and sign-in risk).
- 14.
Deploy Windows 10 update rings.
- 15.
Deploy the Office Pro Plus policy.
- 16.
Deploy Mobile Application Management.
Admin Centers
In our example, we have a Microsoft 365 E5 subscription, which includes 15 different admin centers, including Intune mobile device management and Power BI. Your subscription may have a different number, depending on your licenses and the admin centers added by optional subscriptions. This chapter focuses on the areas of Office 365 administration that matter most for security: Exchange and Teams (Skype for Business). The other admin centers (CRM, Power BI, SharePoint, Compliance and Data Loss Prevention, and Exchange Online Protection) are beyond the scope of this chapter. I have included the most common questions that you will need to address when managing your Office 365 service.
The Office 365 administration areas that we address in this chapter are Office 365 dashboard, license management, Exchange, and Teams and Teams administration. At the end of this chapter, we will wrap with a discussion on the configuration of PowerShell. This should provide you with all of the tools you need to manage your Office 365 tenant.
Before we start, there are a few navigation rules that you should know when working in the admin center. At any time that you need to get back to the home page in the admin center, click the nine-block grid in the upper-left corner and then click the “A” for administration. This action will always return you to the admin center.
User accounts get into Office 365 in two ways: through a manual process (single-user load or bulk load in the admin center) or via Azure Active Directory synchronization, where accounts are created in on-premises Active Directory and can be managed only with on-premises Active Directory tools.
There are different types of administrative accounts on Office 365. The first account created (the account that was created when you purchased Office 365) is a global administrator account. You can create additional global administrator accounts to manage Office 365. Global administrator accounts do not need a license to perform global administration functions (users, domains, billing, roles). However, a global administrator does need a license to administer a service at the feature level. For example, to configure advanced Exchange services or certain security services, the account you are using must be licensed for the service you are trying to manage; the same is true of SharePoint. If you do not have a license, or if the object is managed by Active Directory synchronization, you cannot configure the functions of the service, only the global access controls for the service. Table 8-1 lists the common Exchange functions that you will use to manage Office 365.
Note
If you are using Azure Active Directory synchronization, Exchange functions are controlled by the on-premises Active Directory. You can find the Azure Active Directory synchronization connector at https://portal.azure.com .
Exchange Administration Functions
Task | Description |
---|---|
Exchange administration roles | Reviews the different Exchange roles for managing Office 365. |
Default user role | Explains the default user roles and permissions. |
Conference Room/Resource Room | Explains how to set up and manage a conference room. |
Changing a user name and e-mail address | Changing an e-mail is a two-step process. This is how you change the e-mail address of the user accounts. |
Adding a user alias | Adding an alias e-mail or changing the default e-mail address. |
Shared mailbox | Explains how to create a shared mailbox for the smartphone or Outlook. |
Creating a distribution group | Explains the different Office 365 distribution groups. |
Sending e-mail from an alias e-mail address | Allows the user to send an e-mail from a different e-mail address than the user’s own e-mail address. |
Smartphone management | User configuration options for Exchange. |
Troubleshooting: Autodiscover | Desktop configuration to ignore Exchange Server. |
Teams Administration Functions
Task | Description |
---|---|
Setting up Skype for Business | Enabling Teams to communicate with noncompany users |
Adding Skype voice and porting phone numbers | Adding Skype voice local and international calling |
Configuring dial-in conferencing | Adding dial-in conferencing for Teams users |
Communicating with Skype users | Step-by-step instructions to enable Teams to Skype integration |
Restricting Teams users’ capability | Restricting Teams capabilities in the admin center |
In addition to the administration section, we have included an overview and usage section on PowerShell. PowerShell is extremely useful if you must implement unique functions or must repeat a set of tasks multiple times. Office 365 may be completely administered from PowerShell, and our discussion is not a complete list. The objective of this chapter is to show you the various options you can use in managing Office 365.
Office 365 Administration Center
The Office 365 administration consoles are easy to access once the user logs into Office 365. Once you have selected the admin console, select the admin center. The admin center only shows the admin consoles for the licenses that have been activated for Office 365. For example, if Teams licenses are not purchased, there is no access to the Teams admin center. The Office 365 admin center is used to administer global functions: permissions, security groups, domain management, and system health. However, the Office 365 admin center is limited when directory synchronization is enabled. Synchronized attributes are owned by the on-premises Active Directory and are read-only in the cloud; only the objects and attributes that are not mastered on-premises can be modified in Office 365.
The Office 365 Licenses tab gives you a good overview of the active and expired licenses. Different admin center access is based on the licenses assigned to the user account. Office 365 plans have different admin centers and configuration options.
The global administrator sees all administrator functions that are licensed and can configure the admin centers, such as Exchange, Skype for Business, SharePoint, Yammer, Compliance, Azure AD, and Intune. Other service centers are added based on the optional subscriptions that were purchased. For example, if you purchased Dynamics CRM and added this to your subscription, you would have access to the Dynamics admin center. Likewise, when we added Windows EMS licenses to our Office 365 tenant, we enabled Azure features for Office 365. Once you have selected the administration dashboard, you can select the different admin centers that you need to configure your Office 365 company.
Note
We review the key administration configuration areas that are important for Office 365 and leave the remaining ones for you to explore. Most of our focus is on the service admin centers.
Administrator Roles
In Figure 8-15, the additional license roles are for Skype for Business, Dynamics 365, and Power BI. In addition to the license roles, there are roles that are granted to Microsoft Direct and Indirect Cloud Solution Partners. These additional roles are granted by customers to help manage the Office 365 offering they have purchased from Microsoft.
Step back and look at your company and the different roles you can assign to personnel in your company. Microsoft’s security model is to assign the least role possible and to grant basic permissions that are required to complete the job. When you assign roles, verify that you are providing access at the appropriate level needed to execute the administrative task. Table 8-4 has detailed descriptions of the different administrator rights.
Note
Global administrators are assigned all rights by default. A global administrator cannot open another user’s mailbox outright, but can grant themselves Full Access to any mailbox (in the Exchange admin center or with Add-MailboxPermission) and then open it. Because that grant looks like a routine administrative change, business owners are cautioned to grant the global administrator role only to those who need it and to review mailbox permission changes in the audit log.
Office 365 Role Descriptions
Role | Description |
---|---|
Global administrator | This is the company administrator. Users in this role have access to everything, and they can add themselves to role groups that are not granted by default (such as Discovery Management, which is required to search mailbox content). |
Billing administrator | Access to all financial transactions. Delegated partners do not have access to this information. |
Password administrator | They can reset only passwords of users and other administrators at the same level of permissions. |
Service support administrator | This is a limited administration role. Users in this role can only view the portal and service health and open support tickets. Typically, users who are assigned this role also hold a role in a specific service, such as Exchange. |
User management administrator | These users can assign licenses and passwords but cannot make changes to other admin accounts that have more privileges than they do. |
The typical Office 365 configuration leaves one account (usually the root account, the initial Office 365 account) as a global admin user without any user licenses. Some organizations leave this as a global admin account, and others use it as a user account. Regardless of what you do, the first account is the root account. The root account should never be used as a user account. The root account in Office 365 is the base account that is used to create all the different services that are linked to the Office 365 tenant. As Microsoft has deployed new versions of Office 365, the dependence on the root account has been minimized. We recommend that you do not delete this account or assign a user to it.
In the past, the first account was a sacred account, and many Office 365 services depended on this account. Microsoft addressed the dependency of the first account by creating a new internal Office 365 group known as the company administrators . All global admins are members of the company administrator group. This group is where the base permissions are assigned in Office 365. This internal account reduces the criticality of using the root account as a user account.
Enable 365-day mailbox auditing for all delegated administration and administration access (see the “PowerShell” section and step 7 of the configuration checklist).
Enable the audit logs in the Security & Compliance Center.
Enable the Enterprise Mobility + Security (EMS) suite with extended security analytics.
Deploy Multi-factor authentication on global admin accounts.
Do not use a global admin account as a personal account.
Set passwords to never expire (if you have deployed MFA).
Review the Azure audit logs, Azure sign-in logs, and Office 365 audit logs weekly.
Download and archive the three logs (mentioned earlier) monthly in case you have a breach. You can also set up the logs for long term storage in Azure.
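The weekly review and monthly archive of the Office 365 audit log, and the check for an administrator quietly granting themselves access to another mailbox (see the note under “Administrator Roles”), can be done in one pass with Search-UnifiedAuditLog. The script below is an added example, not code from the chapter; it assumes an Exchange Online PowerShell session is already connected (see the “PowerShell” section), that audit log recording is enabled (step 8 of the checklist), and an archive folder path of our choosing.

```powershell
# Added example, not from the original chapter. Assumes an Exchange Online
# session is already connected and unified audit logging is enabled.
param(
    [int]    $Days      = 30,
    [string] $OutFolder = "$env:USERPROFILE\O365-AuditArchive"   # assumed archive location
)

# Operations that change who can read mail or who holds admin rights. These
# are the Operation values as they appear in the unified audit log.
$PrivilegedOps = @(
    'Add-MailboxPermission',        # Full Access granted on a mailbox
    'Add-RecipientPermission',      # Send As granted on a mailbox
    'Add-MailboxFolderPermission',
    'Add-RoleGroupMember',          # Exchange role group change (e.g. Discovery Management)
    'Add member to role.'           # Azure AD directory role change (e.g. Global admin)
)

function Get-UnifiedAuditRecords {
    param([datetime]$Start, [datetime]$End, [string[]]$Operations)

    # Search-UnifiedAuditLog returns at most 5,000 rows per call. With a
    # SessionId and ReturnLargeSet, repeated calls page through the result set
    # until an empty page comes back.
    $sessionId = "audit-export-" + [guid]::NewGuid().ToString()
    $all = @()
    do {
        $batch = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
                    -Operations $Operations -SessionId $sessionId `
                    -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($batch) { $all += $batch }
    } while ($batch -and $batch.Count -gt 0)
    return $all
}

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-$Days)
$records = Get-UnifiedAuditRecords -Start $start -End $end -Operations $PrivilegedOps

# AuditData is a JSON string; expand the fields a reviewer actually reads.
# Parameters (Name/Value pairs) is present on Exchange cmdlet records only.
$report = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $r.CreationDate
        Actor     = $r.UserIds
        Operation = $r.Operations
        Target    = $d.ObjectId
        ClientIP  = $d.ClientIP
        Details   = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
}

# Archive the month as CSV so the evidence survives the service's own retention.
New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null
$file = Join-Path $OutFolder ("PrivilegedOps-{0:yyyyMMdd}-{1:yyyyMMdd}.csv" -f $start, $end)
$report | Sort-Object When | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8

# Worth a second look: a Full Access grant where the actor is also the user
# being granted access (AccessRights=FullAccess, User=<actor's own UPN>).
$report | Where-Object Operation -eq 'Add-MailboxPermission' |
    Format-Table When, Actor, Target, Details -AutoSize
```

Run it weekly for the review and monthly with a larger -Days value for the archive. The unified audit log itself is only searchable for a limited period, so the exported CSV (or the Azure long-term storage mentioned above) is what you will have if a breach is discovered later.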
Our objective is to provide you an overview of the key areas you need to cover on Office 365 as an administrator. To understand the administrator functions better, you need a roadmap as to what to look for.
Note
If you have not configured your domain for Office 365, complete that step before you add user accounts. If you add user accounts and then change the domain, the desktop user configurations will need to change to map to the new IDs and e-mail accounts.
Config: Overview
In previous chapters, we reviewed the Security & Compliance, Azure AD, and EMS/Intune. This chapter, besides covering the Office 365 administration, will also review Exchange, Skype for Business, SharePoint, and OneDrive from an administrator perspective. There may be additional admin centers listed in your Office 365 tenant. These centers appear based on the active license assigned to the Office 365 tenant.
Note
We always recommend that you purchase at least one Microsoft 365 E5 suite and assign it to the first global administrator account created, so that account is licensed for every admin center and feature it will need to configure.
The configuration sections that follow are organized based on the required configuration order. As an example, to configure users, you need to configure your Office 365 domain and have the appropriate licenses assigned to your tenant. If you have this already configured in your Office 365 account, then use this section to review what you have set up. In our case, when I wrote this chapter, I discovered that the Office 365 domain structure changed, and even though my Office 365 was functioning, the features were having weird hiccups that no one could explain. I discovered that the DNS setup I had was no longer valid and needed to be updated.
Config: Domains
There are no practical limits on the number of domains that can be verified on Office 365. The rules are simple: you need to verify a domain if you want to use the domain in Office 365. Once you verify the domain, you assign the domain different use rights, depending on the licenses that were purchased for your Office 365 service.
- 1.
Select the Domain sidebar menu option (from the grid, select Admin ➤ Microsoft Admin center ➤ Setup ➤ Domains) and then select “Add a domain.”
- 2.
Add the TXT record to your DNS provider.
- 3.
Add the remaining DNS records (if you have not moved your e-mail to Office 365, do not change the MX, SPF, and Autodiscover records).
- 4.
Verify your DNS record and fix any record errors.
- 5.
Verify that you have fully deployed the enterprise mobility CNAMEs (enterpriseregistration.<domain> pointing to enterpriseregistration.windows.net, and enterpriseenrollment.<domain> pointing to enterpriseenrollment.manage.microsoft.com); without them, devices cannot auto-enroll in MDM.
After you select “Add a domain,” enter the records in Office 365 and validate the domain. If the record cannot be validated or is in use by another Office 365 tenant, the domain validation wizard will allow you to send an email transfer request to the owner of the domain you are trying to validate. You can only have one Office 365 tenant per domain.
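The domain wizard reports the record status, but after a DNS provider change (the “weird hiccups” described above) it helps to check the live public records yourself. The following function is an added example, not from the chapter; it uses Resolve-DnsName (Windows DnsClient module), queries public DNS, and compares against the standard Office 365 targets. The domain contoso.com is a placeholder.

```powershell
# Added example, not from the original chapter. Checks the public DNS records
# that the Office 365 domain wizard expects. Target hostnames are the standard
# Office 365 values; contoso.com below is a placeholder.
function Test-O365DomainDns {
    param([Parameter(Mandatory)][string]$Domain)

    $checks = @()

    # MX: every MX should point at Exchange Online Protection, whose targets
    # look like contoso-com.mail.protection.outlook.com
    $mxSuffix = '.mail.protection.outlook.com'
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'MX' })
    $checks += [pscustomobject]@{
        Record = 'MX'
        Value  = ($mx.NameExchange -join ', ')
        OK     = ($mx.Count -gt 0) -and
                 (@($mx | Where-Object { $_.NameExchange -notlike "*$mxSuffix" }).Count -eq 0)
    }

    # SPF: exactly one TXT starting with v=spf1, including Office 365's senders
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf = @($txt | Where-Object { ($_.Strings -join '') -like 'v=spf1*' })
    $checks += [pscustomobject]@{
        Record = 'SPF'
        Value  = (($spf | ForEach-Object { $_.Strings -join '' }) -join ' | ')
        OK     = ($spf.Count -eq 1) -and
                 (($spf[0].Strings -join '') -like '*include:spf.protection.outlook.com*')
    }

    # CNAMEs: Autodiscover for Outlook plus the two MDM enrollment names
    $cnames = @{
        "autodiscover.$Domain"           = 'autodiscover.outlook.com'
        "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
        "enterpriseenrollment.$Domain"   = 'enterpriseenrollment.manage.microsoft.com'
    }
    foreach ($name in $cnames.Keys) {
        $rec = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
        $checks += [pscustomobject]@{
            Record = "CNAME $name"
            Value  = $rec.NameHost
            OK     = ($rec.NameHost -eq $cnames[$name])
        }
    }
    return $checks
}

# Usage: replace contoso.com with the domain you verified in the admin center.
Test-O365DomainDns -Domain 'contoso.com' | Format-Table -AutoSize
```

A row with OK set to False is the record to fix at the DNS provider. The MX check also flags a leftover MX from a previous mail host, which is the usual cause of mail still being delivered to the old system after migration.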
Config: Domain: Troubleshooting
Config: Adding/Changing and Decreasing Licenses
There are multiple ways that you can change license numbers in Office 365. Microsoft allows you to change the existing license quantity, add new licenses by purchasing URLs, purchase a volume license key, or purchase licenses from your Microsoft Partner. The question for most users is where to find the simple display that summarizes the license mix. To find out the license mix, select the Products sidebar menu option (from the grid, select Admin ➤ Admin Center ➤ Setup ➤ Products).
You can manage the licenses from the setup portal. What Office 365 does is link the portal into some of the other portals (see Figure 8-21). For instance, the assign function links this to the user assignment. Likewise, the purchase option links you into the subscription adjustments.
You can also increase the number of licenses through the same process (described earlier), or you can purchase a volume license key from a reseller. These volume license keys are called open license keys. The process of adding licenses is slightly different when you use a reseller to purchase the license. Figure 8-23 shows you the different ways you can activate an open license key from your Microsoft Partner. Open licenses are different than a license from a CSP partner. If licenses were supplied by a CSP partner, these license adjustments will automatically appear in your account.
Note
If your Office 365 is supplied from a CSP (direct or indirect), check with the partner for the best way to change the license quantity. Different partners offer different incentives based on the organization size.
Once you have added the licenses to your Office 365 subscription, the new licenses are updated in your subscription portal. We recommend you always add the licenses before you add users.
Config: Password Expiration
Office 365 allows you to configure a password policy to allow password changes between 14 and 730 days (see Figure 8-26). Typically, a password policy is set to 90-day expiration and with a 14-day warning. To change the password policy, select Security (from the grid, select Admin ➤ Admin center ➤ Settings ➤ Security) and change the parameters for your password reset. In the security area, you also have the master control to turn on/off sharing for the Office 365 tenant.
Note
If you deploy MFA and use the Microsoft Authenticator application (as we discussed in Chapter 5), you can set your passwords to not to expire. This is more secure than changing your password every month.
Note
If you are setting passwords to never expire, purchase additional security subscriptions to manage your Office 365 tenant and enable multifactor authentication. The best subscription to do this with is EMS E5, which includes Azure AD Identity Protection.
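The password policy and the never-expire setting can also be managed from PowerShell, which is the only way to apply never-expire across many users at once. The following is an added example, not from the chapter; it uses the MSOnline module (after Connect-MsolService), and the domain and UPN values are placeholders.

```powershell
# Added example, not from the original chapter. Requires the MSOnline module
# and a prior Connect-MsolService. contoso.com / alice@contoso.com are placeholders.

# Current policy for the verified domain: ValidityPeriod is the number of days
# between forced changes, NotificationDays the warning window before expiry.
Get-MsolPasswordPolicy -DomainName 'contoso.com'

# The 90-day expiration / 14-day warning the chapter describes as typical.
Set-MsolPasswordPolicy -DomainName 'contoso.com' -ValidityPeriod 90 -NotificationDays 14

# With MFA deployed, stop expiring passwords instead. For a single user ...
Set-MsolUser -UserPrincipalName 'alice@contoso.com' -PasswordNeverExpires $true

# ... or for every licensed, cloud-only user. Synced users are skipped because
# their password policy is owned by on-premises Active Directory.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and -not $_.LastDirSyncTime } |
    Set-MsolUser -PasswordNeverExpires $true

# Check: a never-expiring password without MFA enforced is a gap. This reads the
# per-user MFA state only; MFA required through conditional access does not
# appear here, so also confirm the policy covers the users listed.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -and
                   -not ($_.StrongAuthenticationRequirements | Where-Object State -eq 'Enforced') } |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp
```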
Config: Completing Company Configuration
Services & Add-ins: Optional application and features
Security & Privacy: Control external sharing of documents throughout Office 365
Domains: Add/remove domains for new e-mail address
Organization Profile: This section contains information about the company and the organization Office 365 configuration preferences
Partner Relationship: Control partner administration functions
Config: Partner Administrators
Cloud solution advisors are partner global administrators and need to purchase licenses through Microsoft or a third party. You can add/remove these advisors as needed.
Cloud solution providers are partner global administrators and provide licenses to Office 365 customers through a partner administrator. You cannot remove these providers unless you have removed the licenses provided by these providers.
CSPs are different from CSAs. For example, KAMIND IT CSP offerings are listed at www.kamind.com/csp . Keep in mind that if you purchase licenses through a CSP, your Microsoft account is managed by the CSP, not Microsoft. If you remove a partner CSP access, you may have breached your agreement with Microsoft.
Config: Adding, Deleting, and Restoring Users
Office 365 supports many features that you can configure through the Office 365 user interface. Some actions (such as setting conference room permissions) are available only using PowerShell. If you are running Active Directory Synchronization (AD Connect), you can use your on-premises Exchange Server 2010/2013/2016/2019 or Active Directory tools to configure services (and sync those changes into the cloud). Our focus in this chapter is on the user configuration of Office 365 using the Office 365 interface.
Adding single users via the user interface
Bulk-adding using a CSV file and the GUI interface
Deleting users
Restoring users
If you need to assign user passwords, you need to use the PowerShell commands. Typically, we load the users using the bulk-load options, and then we assign the passwords using PowerShell. If you have Azure Active Directory Connect (AD Connect) running in your on-premises environment, you need to assign passwords using the on-premises Active Directory tools.
Note
Some organizations use Exchange Server Management Console to manage Office 365. This is not needed and causes more problems in managing Office 365. The best tool to use to manage Office 365 connected accounts is the Windows Server Active Directory Administrator Tools.
Users: Adding Office 365 Users via the Office 365 Admin Center
The Office 365 user administration tool can add users only at the Office 365 level. If you have a connected on-premises environment and those users access on-premises resources, you must add the users with the on-premises Active Directory administration tools. Azure AD Connect synchronizes only selected Active Directory objects and attributes to the cloud, and for those objects the flow is one way, from on-premises to the cloud.
- 1.
Set up the user name and primary e-mail address.
- 2.
Set the user password.
- 3.
Set the user administration permission (no administrator rights are the default).
- 4.
Assign a license.
These steps are reviewed next.
Step 1: Add User Information and E-mail Address
Step 2: Add Password Information
Step 3: Assign Administration Roles
Step 4: Assign the Licenses to the User
In this example, we assigned E5 licenses with the Enterprise Mobility Suite (EMS) and Skype for Business. As an administrator, you can selectively remove access to different licenses. To remove capabilities, just move the option switch to Off.
Users: Changing User Information
Users: Deleting
- 1.
Remove any legal hold on the account.
- 2.
Disable the archive on the account (if enabled).
- 3.
Remove any e-mail alias assigned to the account (leave only the onmicrosoft.com name and SIP).
- 4.
Set the user account to the onmicrosoft.com name as the primary address.
- 5.
If you do not want to keep e-mail (or move e-mail to another account), then remove all licenses from the account.
- 6.
Delete the account. (If you delete the account, the mail will be deleted!)
Note
Before you remove the user account (as suggested earlier), verify that you have the OneDrive for Business data backed up. Once the account is deleted, the user’s OneDrive for Business data is kept only for the retention period set in the OneDrive admin center (see step 12 of the configuration checklist) and is then deleted. Deleted account data is retained for 30 days after the account has been deleted or the licenses have been removed.
Deleted users can be recovered up to 30 days and are in the Deleted Users folder. If you want to remove the user from the Office 365 Deleted Users folder, run the following PowerShell command to purge the user account. If you have not set up PowerShell, see the “PowerShell” section later in this chapter. These PowerShell examples are code snippets and require the necessary credentials to execute.
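The six deletion steps above and the final purge from the Deleted Users folder, done from PowerShell. This is an added example, not code from the chapter; it assumes an Exchange Online session plus the MSOnline module (Connect-MsolService), and the UPN and tenant name are placeholders. It applies to cloud-only accounts: for a synchronized account the hold, aliases, and deletion must be handled in on-premises Active Directory (see the earlier note on write scope).

```powershell
# Added example, not from the original chapter. Cloud-only accounts only.
# Needs an Exchange Online session and the MSOnline module; values are placeholders.
$upn    = 'jdoe@contoso.com'
$tenant = 'contoso'          # the <tenant>.onmicrosoft.com prefix

$mbx = Get-Mailbox -Identity $upn

# 1. Remove legal (litigation) hold; a held mailbox cannot be cleaned up.
if ($mbx.LitigationHoldEnabled) {
    Set-Mailbox -Identity $upn -LitigationHoldEnabled $false
}

# 2. Disable the archive mailbox if one exists.
if ($mbx.ArchiveStatus -eq 'Active') {
    Disable-Mailbox -Identity $upn -Archive -Confirm:$false
}

# 3 and 4. Keep only the onmicrosoft.com address (as primary, upper-case SMTP:)
# and the SIP address; every other proxy address is released for reuse.
$cloudAddr = "$($mbx.Alias)@$tenant.onmicrosoft.com"
$keep = @("SMTP:$cloudAddr") + @($mbx.EmailAddresses | Where-Object { $_ -like 'SIP:*' })
Set-Mailbox -Identity $upn -EmailAddresses $keep
# The sign-in name does not follow the primary SMTP address automatically.
Set-MsolUserPrincipalName -UserPrincipalName $upn -NewUserPrincipalName $cloudAddr

# 5. Remove all licenses. The mailbox goes with the license, so export or move
# the mail first if it must be kept.
$user = Get-MsolUser -UserPrincipalName $cloudAddr
$skus = @($user.Licenses | ForEach-Object { $_.AccountSkuId })
if ($skus.Count -gt 0) {
    Set-MsolUserLicense -UserPrincipalName $cloudAddr -RemoveLicenses $skus
}

# 6. Soft delete: the account sits in Deleted Users for 30 days, during which
# Restore-MsolUser -UserPrincipalName $cloudAddr brings it back.
Remove-MsolUser -UserPrincipalName $cloudAddr -Force

# Purge from Deleted Users when the account must not be restorable.
Remove-MsolUser -UserPrincipalName $cloudAddr -RemoveFromRecycleBin -Force
```

The purge is the irreversible step: after -RemoveFromRecycleBin there is no 30-day window, so run it only once the mailbox and OneDrive content have been exported or confirmed unneeded.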
Users: Restoring
After you select the user to restore, Office 365 will confirm the restoration and allow you to set the password as well as decide whether the user should reset the password on login to the Office 365 services.
Note
If you attempt to restore a user and it fails because the account is managed by a different service, use the Restore-MsolUser PowerShell command to restore the user account.
Users: Renaming
Note
If you want to change the user e-mail address to a different alias, you can do that when you edit the user account. The e-mail alias will be set only if the alias e-mail address does not exist on any other user account. If the e-mail alias does exist on another user, the change you made will fail.
Config: Groups (Office 365 and Security Groups)
Groups are used to manage permissions globally in Office 365. There are different ways to use security groups. You can use security groups to filter users and administrator permissions (useful in large organizations). You can also use security groups to manage permissions for different services. SharePoint (as an example) can use security groups to grant permissions to various site libraries for users. You can also use SharePoint security permissions to restrict access to different libraries in SharePoint. For example, in large organizations, you can create a security group to isolate users from each other and use security groups to manage access to different federated services (such as Intune and Azure services). There are different ways to use security groups, depending on your business needs. Some organizations use security groups to manage SharePoint services. For example, a SharePoint site is designed and security groups are created to assign permissions to different areas. The global administrator adds accounts to the different security groups, depending on the business requirements. The users added to the security groups inherit the permissions necessary to access the functional areas in SharePoint.
Config: External Sharing
Config: External Sharing, Sites
If you select “Site settings,” you get the controls that manage external sharing for SharePoint Online and OneDrive for Business. The “sites” sharing controls are what enable these services for external access. As an administrator, you define how you share externally; Figure 8-44 shows the three sharing models for Office 365 content.
Note
Authentication requires either an Office 365 work account or a Microsoft account. A Microsoft account can be created for any e-mail address; creating one adds a set of security credentials to that address. To create a Microsoft account, go to http://account.live.com.
Config: External Sharing, Calendar
Config: External Sharing, Teams
Admin Center: OneDrive for Business
The approach for OneDrive for Business administration is to enable the service for collaboration. As an administrator, you will need to review the configuration and set some limits. When we add a new client to our managed services, we discuss the following limits with the customer.
Sharing: Do you limit sharing to external companies; if so, what are the limits?
Sync: Do you enable the desktop sync client?
Device access: Do you limit this to known IP addresses and deploy policies?
Compliance: What alerts do we set to manage OneDrive activity?
Notifications: How do you communicate to the end user?
Limit access from specific IP addresses (lock it to a company’s Internet)
Deploy a policy for Mobile Device Management
OneDrive for Business has the ability to sync files as large as 15MB and as many as 100,000 files. With the size limit of 5TB (and more if you need), there is a lot of flexibility.
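The sharing models from the “Config: External Sharing, Sites” section and the OneDrive limits listed above (sharing, device access, quotas) can all be set from the SharePoint Online Management Shell. The following is an added example, not the book’s own commands; the tenant admin URL, partner domain, IP range and quota are placeholders.

```powershell
# Added example: tenant-wide sharing and OneDrive limits with the SharePoint Online
# Management Shell. Tenant URL, domains and IP range are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Sharing model. Valid values: Disabled, ExistingExternalUserSharingOnly,
# ExternalUserSharingOnly (authenticated guests only) or
# ExternalUserAndGuestSharing (anonymous "anyone" links allowed).
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Only allow invitations to named partner domains and stop guests from re-sharing.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example.com" `
              -PreventExternalUsersFromResharing $true

# Default link type when a user clicks Share: people in the organization, not anonymous.
Set-SPOTenant -DefaultSharingLinkType Internal

# OneDrive: default per-user quota, in MB (1 TB here).
Set-SPOTenant -OneDriveStorageQuota 1048576

# Device access: limit browser/sync access to the company's Internet range.
# Enforcement applies to administrators too, so set it from inside that range.
Set-SPOTenant -IPAddressAllowList "203.0.113.0/24" -IPAddressEnforcement $true

# Verify what is now in effect.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList, DefaultSharingLinkType, OneDriveStorageQuota,
    IPAddressAllowList, IPAddressEnforcement
```

Set-SPOSite accepts the same -SharingCapability parameter for a single site collection, which lets you keep the tenant default restrictive and open only the sites that need external sharing.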
Note
OneDrive for Business supports two different deployment plans. Plan 2 is for subscriptions that are E3 or higher. Plan 1 is for all other plans.
Admin Center: Teams & Skype
Teams (which now includes the Skype for Business features) is a fully featured communications tool that supports file sharing, web conferencing, voice communications, and much more. Teams integrates with Microsoft Exchange and acts as a phone switch for incoming voice calls. Large organizations use Teams as a desktop phone replacement and allow their users to deploy Teams clients on any mobile or desktop device. Teams supports enterprise voice (both parties can talk at the same time). Teams is a powerful and popular business communication tool, and the data it carries is encrypted between the parties. The Teams phone system services are a $4 to $24 add-on to Enterprise subscriptions in most states.
Note
If you are having trouble with file transfer on Teams clients, download a new version of the Teams client from Office 365 or run an online repair on the Office 2016 installation.
Teams: Federation
Skype for Business is configured to communicate with external users. To verify the configuration, select the Teams admin center from the Office 365 dashboard (under the Admin tab) and then select “organization” and “external communications” (see Figure 8-56). Teams federation is enabled; if the service has not been configured within 12 hours, submit a service request to Microsoft Online Services. Once the Teams service is provisioned, external communications are enabled.
Note
It is recommended that you verify the domain prior to enabling Teams federation. If you enable the onmicrosoft.com domain, there may be some service downtime when you switch over to the verified domain.
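The federation setting described above can also be managed from PowerShell, and from a security standpoint the useful form is an allow list of named partner domains rather than open federation. The following is an added example, not the book’s configuration; it assumes the Skype for Business Online PowerShell module, and the partner domains are placeholders.

```powershell
# Added example: restrict external (federated) communications to an allow list of
# partner domains. Assumes the Skype for Business Online connector; domains are placeholders.
Import-Module SkypeOnlineConnector
$session = New-CsOnlineSession -Credential (Get-Credential)
Import-PSSession $session

# Build the allow list from explicit domain patterns.
$patterns  = @("partner.example.com", "vendor.example.net") |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

# Federation stays on, but only for the listed domains, and consumer Skype users are blocked.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomains $allowList `
                                    -AllowPublicUsers $false

# Verify the result.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowedDomains
```

The same Cs* cmdlets are exposed by the newer MicrosoftTeams module after Connect-MicrosoftTeams, which is the supported path now that the Skype for Business Online connector has been retired.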
Teams: Voice
The configuration requires that you have properly set up and verified the DNS. There are two phases to configure Office 365 Teams voice. First, add the phone numbers and assign them to users.
Step 1: Add Phone Numbers
The phone numbers you select are held for only a few minutes. The numbers are requested from the telephony service provider, and if you do not confirm your selection, they are returned to Microsoft for allocation to other customers.
Note
Teams voice is a new service. Like any VoIP service, it is best to configure the service to meet the business needs (use the number provided). Once you are ready to transition to the new service, then port the phone numbers. Number porting is not instantaneous.
Step 2: Add an Emergency Response Location
Step 3: Add Phone Numbers
Step 4: Verify That Voice Has Been Provisioned
We have found that setting the phone number to ring for 35 seconds is about the right amount of time to have the phone ring on our cell phone (and be able to answer the call). You set this option under “Call forwarding” in your Teams client.
Note
Make sure that you test the ring delay for voicemail. The default setting, 20 seconds, is too short to ring to a third number; 35 seconds is a better ring delay to launch Teams on your cell phone and to answer the call (see Figure 8-65).
Step 5: Port the Phone Numbers
After you have tested the service, you are ready to port your phone number to the service. In the Teams admin center, select “Voice” and “Port numbers.” This is not an instantaneous process.
Note
Porting phone numbers is interesting. In the Portland (Oregon) area, we have phones that are caught in an artificial rate district. What happens is that you are charged a forwarding fee and your number is locked for transfer. What has worked for us in these cases is to port the number to a cell carrier, wait a month, and then port the number to Skype for Business. Please refer to your state laws on what you can legally do in your state regarding number porting.
Skype for Business: Conferencing Add-on
If you are using a third-party provider, enter the dial-in information for the user account under “dial-in users.” Your teleconferencing bridge number is enabled and automatically inserted into Outlook calendar invites if Teams is installed and running on your desktop.
Note
Teams requires that your DNS provider support service (SRV) records. If your DNS provider does not support SRV records, you need to move your DNS hosting to a provider that does.
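A quick way to confirm that your DNS provider publishes SRV records correctly is to resolve the two records Skype for Business Online expected and compare them with the documented targets. This is an added check, not from the book; the domain is a placeholder, and the function name is my own.

```powershell
# Added example: verify the Skype for Business Online SRV records for a domain.
# Domain is a placeholder; the expected targets and ports are the Skype for Business
# Online values. Requires the DnsClient module (Windows 8 / Server 2012 or later).
function Test-SfBSrvRecords {
    param([Parameter(Mandatory)][string]$Domain)

    $expected = @(
        @{ Name = "_sip._tls.$Domain";              Target = "sipdir.online.lync.com"; Port = 443  },
        @{ Name = "_sipfederationtls._tcp.$Domain"; Target = "sipfed.online.lync.com"; Port = 5061 }
    )

    foreach ($rec in $expected) {
        # Resolve the SRV record; a provider that cannot host SRV returns nothing here.
        $answer = Resolve-DnsName -Name $rec.Name -Type SRV -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq "SRV" }
        $ok = $answer | Where-Object { $_.NameTarget -eq $rec.Target -and $_.Port -eq $rec.Port }

        [pscustomobject]@{
            Record = $rec.Name
            Found  = [bool]$answer          # record exists at all
            Valid  = [bool]$ok              # points at the right host and port
            Target = ($answer | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ", "
        }
    }
}

Test-SfBSrvRecords -Domain "contoso.com" | Format-Table -AutoSize
```

Found = False for both records after the DNS change has had time to propagate is the symptom of a provider that does not support SRV; Found = True but Valid = False usually means a typo in the target or port.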
Admin Center: Exchange
Exchange Administration Roles
Exchange Administrator Roles
Exchange Server Role | Description
---|---
AdminAgents | Contains all the administrators in Office 365 and any other users added by the admin. This is where the base Exchange administration permissions are granted.
Compliance Management | Users in this role can configure Exchange compliance policies, such as data loss prevention, as well as other Exchange policies or compliance issues (see the compliance function in the Exchange admin center).
Discovery Management | This role manages the discovery process. To access discovery information, you must be a member of this role.
Help desk | Manages view-only operations and password resets.
HelpdeskAdmins | Manages the help desk.
Helpdesk Agents | Agents that operate the help desk.
Hygiene Management | Manages the Exchange transport services.
ISVMailboxUsers | Third-party application developer mailbox role.
Organization Management | Allows full access to all user mailboxes for any administrative role except discovery management.
Recipient Management | Role required to move mailboxes in a hybrid deployment.
Records Management | Users in this role can configure compliance features such as retention tags and policies.
Rim-MailBxAdmins | BlackBerry mailbox access for BlackBerry messaging servers (valid only if the BlackBerry service is enabled on Office 365).
TenantAdmins | Legacy admin role for management of Exchange tenants.
UM Management | Unified Messaging management role that integrates the functions needed for Enterprise Voice with Skype for Business.
View-Only Organization Management | View-only privileges for the Exchange organization. Users in this role cannot modify any Exchange properties.
In larger organizations, different roles are assigned in Exchange. But in small organizations, there are only two roles that are commonly used: the company administrator role (global admin via the AdminAgents role) and the discovery management role. The global admin does not have access to discovery management unless that role is granted and permission is granted in the discovery SharePoint center.
1. Build a security group for the accounts that will be managed. The user who will manage these accounts should be in the security group.
2. Assign the user Exchange administration permission for the selected account in the newly created security group (see Figure 8-69).
Once you have assigned permission to the user to manage Exchange users, you can create the necessary user roles (if needed) to manage the group.
Default User Role Defined
Default User Role Assignments
Role Assignment | Description
---|---
Contact Information | Allows users to change their personal contact information
Profile Information | Allows users to modify their name
Distribution Groups | Allows users to create distribution groups
Distribution Group Membership | Allows users to modify their distribution group memberships
Base Options | Allows users to modify basic options associated with their mailboxes
Subscriptions | Allows users to change their e-mail subscription options (such as notification of changes to SharePoint)
Retention Policies | Allows users to change the retention policies associated with their e-mail account
Text Message | Allows users to change their text message (IM) settings
Marketplace Access | Allows users to change marketplace access to modify or add remote applications
Team Mailboxes | Allows users to create their own team mailboxes with other users
Exchange: Conference Room, Configuration
Office 365 provides a resource called meeting room. Meeting rooms are used to control resources that are limited and need to be managed through scheduling. To set up a meeting resource, log in to Office 365 as an administrator and select Admin center ➤ Exchange ➤ Exchange admin center (EAC).
Exchange: Conference Room, PowerShell Modification
Conference and resource rooms provide the basic configuration for use, but there are additional configuration options that can be done only using PowerShell. For example, the default configuration hides the meeting status and ownership. If you want to make those available, you need to run the following PowerShell commands.
Set limited details of a conference room using PowerShell:
Note
If you want to approve conference room use, the e-mail address of the “approver” must have fully delegated rights over the conference room resource mailbox.
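The commands that expose meeting status and ownership on a room calendar are calendar-folder permissions plus calendar processing settings. The following is an added example rather than the book’s own listing; the room address and delegate address are placeholders.

```powershell
# Added example (not the book's commands). Room and delegate addresses are placeholders.
# Run inside an Exchange Online PowerShell session.
$room = "boardroom@contoso.com"

# By default everyone sees free/busy only. LimitedDetails exposes subject and location
# to all users in the organization, so the calendar shows what the room is booked for.
Set-MailboxFolderPermission -Identity "${room}:\Calendar" -User Default -AccessRights LimitedDetails

# Keep the organizer's name in the subject and stop the room from stripping the subject
# and comments, so meeting ownership stays visible.
Set-CalendarProcessing -Identity $room `
    -AutomateProcessing AutoAccept `
    -AddOrganizerToSubject $true `
    -DeleteSubject $false `
    -DeleteComments $false

# Approval model from the Note above: route every request to a delegate instead of
# auto-accepting. The delegate needs rights over the resource mailbox.
# Set-CalendarProcessing -Identity $room -AllBookInPolicy $false -AllRequestInPolicy $true `
#     -ResourceDelegates "facilities@contoso.com"

# Verify.
Get-CalendarProcessing -Identity $room |
    Format-List AutomateProcessing, AddOrganizerToSubject, DeleteSubject, DeleteComments, ResourceDelegates
Get-MailboxFolderPermission -Identity "${room}:\Calendar"
```

LimitedDetails is the middle setting: AvailabilityOnly hides everything but free/busy, and Reviewer exposes the full body of each booking, which is rarely appropriate for a shared room.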
Exchange: Adding an Alias E-mail Address to a User
Exchange: Changing a User E-mail Account Primary Domain
Office 365 supports multiple domains and multiple e-mail aliases per account. In some cases, an Office 365 organization needs to change to a new domain (e.g., after a company merger or a branding change). Making the change for all users is not difficult: verify the domain (set the MX records and the Teams records), add the new domain alias to the existing users, and set the reply address to the new alias. What you cannot do is change the <domain>.onmicrosoft.com account. If you need to change the <domain>.onmicrosoft.com name, you must migrate to a new Office 365 organization.
Step 1: Validate the New Domain
Complete a validation for the new domain with the domain intent set to Exchange and Skype for Business. Follow the instructions discussed in Chapter 5 and in this chapter’s “Config: Domains” section.
Step 2: Add the User Alias and Set the Reply Address
Add the new e-mail alias to all the users needing a domain change. If a user’s primary e-mail address is changing, select the “Make this the reply address” option. This changes the user’s primary login address to the new domain. This step is no different from changing the user’s e-mail address to a new address (as discussed earlier).
Note
When the reply e-mail address is changed, the Outlook user is requested to log in with new credentials. Outlook recognizes that the user profile is the same and links the existing Outlook mailbox to the corrected e-mail address.
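Both the alias addition from the “Exchange: Adding an Alias E-mail Address to a User” section and the reply-address change in Step 2 above can be scripted, which is the practical route when a whole domain is changing. The following is an added example, not the book’s commands; the user and domain names are placeholders, and it assumes an Exchange Online session plus Connect-MsolService for the UPN step.

```powershell
# Added example: add an alias, then promote it to the primary (reply) address.
# Addresses are placeholders. Assumes an Exchange Online session and Connect-MsolService.
$user     = "jsmith@contoso.com"
$newAlias = "jsmith@fabrikam.com"

# Adding an alias: lowercase "smtp:" adds a secondary address and leaves the primary untouched.
Set-Mailbox -Identity $user -EmailAddresses @{add = "smtp:$newAlias"}

# Make it the reply address: -WindowsEmailAddress sets the primary (uppercase SMTP:) address
# for cloud mailboxes, and the old address stays as an alias so mail to both still arrives.
Set-Mailbox -Identity $user -WindowsEmailAddress $newAlias

# The sign-in name (UPN) does not follow the reply address automatically; align it so the
# user logs in with the new domain (this is the credential change Outlook prompts for).
Set-MsolUserPrincipalName -UserPrincipalName $user -NewUserPrincipalName $newAlias

# Verify: primary address, UPN and the full alias list.
Get-Mailbox -Identity $newAlias |
    Select-Object UserPrincipalName, PrimarySmtpAddress,
        @{Name = "Aliases"; Expression = { $_.EmailAddresses -join "; " }}
```

For a bulk domain change, wrap the three Set-* calls in a loop over Get-Mailbox -ResultSize Unlimited and derive $newAlias from each mailbox’s existing local part.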
Exchange: Adding Shared Mailbox
Shared Mailbox Options
Approach | Cost (monthly) | Data Size | Capabilities
---|---|---|---
Shared licensed mailbox | $4–$8 | 25GB with 25GB or 100GB archive | Can be received on smartphones (ActiveSync support)
Exchange shared mailbox | $0 | 5GB limit | No ActiveSync
The key decision factor for most users is to receive the information on smartphones. This requirement dictates that you use an Office license rather than a free, shared mailbox.
Exchange: Shared Mailbox, Using with a Smartphone and Outlook
Smartphone devices require an active sync connection. You add a shared mailbox the same way you add a mailbox to Office 365. The only issue is that you must assign delegated rights to the users who want to use the mailbox. This is the same for all user mailboxes. Once a mailbox has been created, you need to assign share rights to the mailbox.
1. Purchase an Exchange Plan 1 (or Plan 2) mailbox.
2. Assign a user account to the Exchange e-mail account.
3. Assign user-delegated rights to the mailbox.
Exchange: Shared Mailbox, Using Only with Outlook
If you need to add a shared mailbox for use only with Outlook (and you do not want to use a license), you can create a shared mailbox in the Exchange admin center and then add the user as a delegated user to the mailbox.
Exchange: Shared Mailbox, Using PowerShell
In some cases, you need to use PowerShell to set up and configure a shared mailbox. You need to run two PowerShell commands: one to set the permission and the other to set the behavior of the shared mailbox. Once you have modified the shared mailbox, the configuration is updated in the Outlook client at the next login. In this example, Identity is the shared mailbox, and User and Trustee mean the person who has access to the shared mailbox.
Step 1: Add the Recipient Permissions
Step 2: Add Mailbox Access Permissions
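The two steps above map onto Add-RecipientPermission (Send As, with -Trustee) and Add-MailboxPermission (Full Access, with -User), which is why the section mentions Identity, User and Trustee. The following is an added example, not the book’s listing; the mailbox and user addresses are placeholders.

```powershell
# Added example: the two permission commands for a shared mailbox, plus verification.
# Addresses are placeholders. Run inside an Exchange Online PowerShell session.
$shared = "support@contoso.com"
$member = "jsmith@contoso.com"

# Step 1: recipient permission (Send As). -Trustee is the person who gets the right.
Add-RecipientPermission -Identity $shared -Trustee $member -AccessRights SendAs -Confirm:$false

# Step 2: mailbox access permission (Full Access). -User is the person who gets the right.
# AutoMapping makes Outlook add the mailbox at the next login; use -AutoMapping $false for
# mailboxes the user should add manually or that are accessed only from a smartphone.
Add-MailboxPermission -Identity $shared -User $member -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $true

# Optional behaviour: keep a copy of "sent as" mail in the shared mailbox's Sent Items.
Set-Mailbox -Identity $shared -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true

# Review who can reach the mailbox (drop the default SELF/system entries).
Get-MailboxPermission -Identity $shared |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\*" } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $shared |
    Where-Object { $_.Trustee -ne "NT AUTHORITY\SELF" } |
    Select-Object Trustee, AccessRights
```

The two review queries at the end are worth running periodically on every shared mailbox: Full Access and Send As grants tend to accumulate and are rarely removed when people change roles.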
Exchange: Adding a Distribution Group
Distribution Group Types
Group Type | Description
---|---
Distribution group | Distribution groups are mail-enabled groups. An e-mail sent to the distribution group is delivered to all members.
Office 365 group | Automatically created groups that are built with an Exchange mailbox, SharePoint access, and third-party tool access. These are collaboration groups.
Security group | Security groups are used to grant permissions. In some cases they may be mail enabled; it is recommended that you do not use mail-enabled security groups.
Dynamic distribution group | A distribution group whose membership varies, based on filters and conditions in Active Directory.
Step 1: Create the Distribution Group
Step 2: Define the Distribution Group
Step 3: Enable the Group for External Access
Exchange: Using Alias to Send to/Receive from E-mail
You may want to use a different e-mail address to send and receive e-mail. Office 365 is designed to allow only one e-mail address to be used: your primary e-mail address. The way to work around this is to use a distribution list and to grant a user account full permission to use that distribution list with PowerShell. Log in to the Office 365 admin center, and on the Admin tab, select Exchange and follow the steps outlined next.
Step 1: Create the Distribution Group
In the Exchange admin center, select Recipients ➤ Groups and click the + to add the distribution group. Use the e-mail alias as the distribution group name.
Step 2: Configure the Group Being Added
Step 3: Enable the Group for External Access
Step 4: Grant Permission to the User
The final step is to grant permission to the user. There are two ways to do this: either through PowerShell or by using the Exchange admin center. In the Exchange admin center, select “groups,” and then click the pencil icon to edit. Select “group delegation.” You need to enter the user account for both Send as and Send on Behalf (see Figure 8-84). Click OK. The user is now able to use the From address in Outlook, or in the Outlook Web App, to send e-mails using the alias e-mail address.
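Steps 1 through 5 can be done end to end in PowerShell, which the text mentions as the alternative to the Exchange admin center. The following is an added example, not the book’s commands; the group name, alias and user address are placeholders.

```powershell
# Added example: an alias address implemented as a distribution group, with Send As and
# Send on Behalf granted to one user. Names and addresses are placeholders.
$alias = "sales@contoso.com"
$user  = "jsmith@contoso.com"

# Step 1: create the group, named after the alias. -Type Distribution keeps it a plain
# mail list rather than a mail-enabled security group.
New-DistributionGroup -Name "sales" -DisplayName "Sales alias" `
    -PrimarySmtpAddress $alias -Type Distribution -Members $user

# Step 3: allow external senders (by default only authenticated internal senders may post).
Set-DistributionGroup -Identity $alias -RequireSenderAuthenticationEnabled $false

# Step 4: grant Send As and Send on Behalf to the user.
Add-RecipientPermission -Identity $alias -Trustee $user -AccessRights SendAs -Confirm:$false
Set-DistributionGroup -Identity $alias -GrantSendOnBehalfTo $user

# Step 5: verify before testing the From address in Outlook.
Get-DistributionGroup -Identity $alias |
    Select-Object PrimarySmtpAddress, RequireSenderAuthenticationEnabled, GrantSendOnBehalfTo
Get-RecipientPermission -Identity $alias | Select-Object Trustee, AccessRights
```

Only the group should receive mail for the alias; because the user also holds Send As, anything sent from that address is attributed to the group, so keep the Send As grant limited to the people who actually need to write as the alias.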
Step 5: Verify Outlook Configuration
PowerShell
Note
If you have not installed the Microsoft Online Services Sign-In Assistant for IT Professionals RTW, do that now: go to www.microsoft.com, search for “sign-in assistant,” and download it. The PowerShell commands will not work unless the Sign-In Assistant is installed.
You have completed the base PowerShell setup; now validate the installation with the command shown earlier. If the command does not work, the PowerShell module was installed incorrectly, the account lacks permissions, or the desktop connector for Office 365 is not installed. Using PowerShell requires administrative privileges and a license assigned to the account that runs the commands.
PowerShell: Setting Up Teams and SharePoint
Teams PowerShell: Windows PowerShell module for Teams Online
SharePoint PowerShell: SharePoint Online Management Shell
These additional commands are described in the following sections. Before you can use the commands, you must download and install the PowerShell extensions.
PowerShell: Using the Standard Header for Microsoft Online Services and Exchange
PowerShell can be complex for any user. When using PowerShell with Office 365 and Exchange, you need a standard PowerShell header. This header connects you directly to the Office 365 administration interface so that you can make the necessary changes; if the remote session is not set up with the correct execution parameters, the commands will fail. The other requirement is that the account you log in with (for Office 365) must have a license assigned. The licensed admin account can execute only the Office 365 PowerShell commands for the services it is licensed for; otherwise, the command fails.
Once you have verified that the header script works, you are ready to make the necessary changes in Office 365. This section of the administration maintenance manual lists the types of problems encountered and the PowerShell solution for each. All that is needed to execute these commands is an account with global administrator rights that is licensed with an appropriate subscription (such as Exchange, SharePoint, etc.).
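The standard header described above, with the SharePoint and Teams connections from the previous section added, looks like the following. This is an added example rather than the book’s own listing; the admin site URL is a placeholder, and the credential is a global administrator that also holds an Exchange and SharePoint license.

```powershell
# Added example: the classic connection header for Office 365 (MSOnline), Exchange Online
# remote PowerShell, SharePoint Online and Teams. The admin URL is a placeholder.
$cred = Get-Credential   # global admin that also holds an Exchange/SharePoint license

# Office 365 / Azure AD cmdlets (Get-MsolUser, Set-MsolUser, ...)
Import-Module MSOnline
Connect-MsolService -Credential $cred

# Exchange Online cmdlets (Get-Mailbox, Set-Mailbox, ...) via a remote session.
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
                     -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
                     -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $exo -DisableNameChecking

# SharePoint Online Management Shell
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://contoso-admin.sharepoint.com" -Credential $cred

# Teams module
Import-Module MicrosoftTeams
Connect-MicrosoftTeams -Credential $cred

# One call per service proves each connection (and the licence check) before real changes.
Get-MsolCompanyInformation | Select-Object DisplayName
Get-Mailbox -ResultSize 1   | Select-Object Name
Get-SPOTenant               | Select-Object SharingCapability

# Tear the remote session down when done; idle sessions count against the per-account limit.
Remove-PSSession $exo
```

The Exchange session above relies on basic authentication to the powershell-liveid endpoint, which Microsoft has since retired; the current equivalent is Connect-ExchangeOnline from the ExchangeOnlineManagement module, which supports multifactor authentication and exposes the same Get-Mailbox and Set-Mailbox cmdlets used throughout this chapter.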
PowerShell: Not Remotely Sign Error
1. Start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting “Run as administrator.”
2. The WinRM service is configured for manual startup by default. You must change the startup type to Automatic and start the service on each computer that you want to work with. At the PowerShell prompt, verify that the WinRM service is running with the following command:
   get-service winrm
   The value of the Status property in the output should be Running.
   a. If the value is not Running, start the service from the command prompt:
      sc config winrm start= auto
      net start winrm
   b. To configure Windows PowerShell for remoting, type the following command:
      Enable-PSRemoting -Force
Mail flow should resume in the next two to four hours.
PowerShell: Winmail.dat Problem
Let’s say e-mail is being sent externally in RTF MIME format, and the recipients cannot read it and instead see a winmail.dat attachment. The winmail.dat file appears on the recipient’s client because Outlook (on the sender) is not installed correctly or another Outlook add-in (on the sender) is preventing the e-mail from being converted to text. To resolve this issue, either disable the Outlook add-ins (on the sending device) or uninstall and reinstall Office 2007/2010.
These commands will only display the user e-mail address if it supports RTF format; otherwise, it will display other options.
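Alongside the client-side fix, the tenant can stop winmail.dat from ever leaving the organization by controlling TNEF (the encoding that carries RTF) per remote domain. The following is an added example and not the commands the section refers to; the contact address is a placeholder.

```powershell
# Added example: server-side control of RTF/TNEF encoding in Exchange Online.
# Contact address is a placeholder. Run inside an Exchange Online PowerShell session.

# Current setting per remote domain. $null means "let the sending client decide", which is
# the case that produces winmail.dat when Outlook sends RTF to an external recipient.
Get-RemoteDomain | Select-Object Name, DomainName, TNEFEnabled

# Force conversion to plain text/HTML for every external domain ("Default" is the catch-all
# remote domain), so winmail.dat is never sent outside the tenant.
Set-RemoteDomain -Identity Default -TNEFEnabled $false

# Per-recipient override for a contact whose system actually needs RTF.
# Values: Always, Never, UseDefaultSettings.
Set-MailContact -Identity "partner@fabrikam.com" -UseMapiRichTextFormat Never

# Report contacts still forced to RTF (the only recipients that can still receive winmail.dat).
Get-MailContact -ResultSize Unlimited |
    Where-Object { $_.UseMapiRichTextFormat -eq "Always" } |
    Select-Object Name, PrimarySmtpAddress, UseMapiRichTextFormat
```

Setting TNEFEnabled to $false on the Default remote domain is the change that fixes the problem for every sender at once; the per-contact override is only needed for the rare external system that expects RTF.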
PowerShell: Enable Audit
PowerShell: Verification of Audit Logs
PowerShell: Mailbox Audit Log search
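The three audit sections above (enable, verify, search) fit in one script. The following is an added example rather than the book’s commands; the mailbox address and date range are placeholders, and the audited actions are my selection of the ones that matter in a compromise investigation.

```powershell
# Added example: enable, verify and search mailbox auditing in Exchange Online.
# Mailbox address and dates are placeholders. Run inside an Exchange Online session.

# Enable (tenant): send events to the unified audit log so the Security & Compliance
# Center search can see them.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Enable (mailboxes): audit every user mailbox, keep 180 days, and record the owner,
# delegate and admin actions that show up in account-takeover cases.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 `
        -AuditOwner    @{add = "MailboxLogin", "HardDelete", "SoftDelete", "MoveToDeletedItems", "UpdateInboxRules"} `
        -AuditDelegate @{add = "SendAs", "SendOnBehalf", "HardDelete", "UpdateInboxRules"} `
        -AuditAdmin    @{add = "SendAs", "SendOnBehalf", "HardDelete"}

# Verify: any mailbox still not audited, plus the tenant switch.
Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled } |
    Select-Object Name, AuditEnabled
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Search: who logged on to, or sent as, this mailbox in the last 30 days, with source IPs.
Search-MailboxAuditLog -Identity "jsmith@contoso.com" -LogonTypes Owner, Delegate, Admin `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName, ClientIPAddress, ClientInfoString |
    Sort-Object LastAccessed -Descending
```

UpdateInboxRules is the entry worth watching in the search output: a new forwarding rule created shortly after a logon from an unfamiliar ClientIPAddress is the classic signature of a compromised mailbox.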
PowerShell: Passwords Forever
Note
If the user’s password is reset, the policy changes back to 90 days. If you want the forever policy applied, you need to set it again with PowerShell and every time you reset a password. The Office 365 interface allows passwords to be fixed for up to 720 days.
PowerShell: Get Mailbox Statistics
PowerShell: Enable Litigation Hold–No Notice
PowerShell: Review Permission Assigned to a Mailbox
PowerShell: Review the Management Role Assignment to a User Account
PowerShell: Display All Mailbox Forwarders
The following commands retrieve information about the mailbox forwarders and allow you to turn them on or off.
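The four sections above (litigation hold, mailbox permissions, role assignments, forwarders) are the checks I would run together when reviewing a single mailbox, so the following added example wraps them in one function and finishes with the tenant-wide forwarder listing and the command that turns forwarding off. It is not the book’s listing; the function name and the mailbox address are placeholders.

```powershell
# Added example: one review function covering hold status, delegated permissions,
# role assignments and every form of forwarding on a mailbox. Not the book's commands;
# the function name and addresses are placeholders. Run in an Exchange Online session.
function Get-MailboxSecurityReview {
    param([Parameter(Mandatory)][string]$Identity)
    $mbx = Get-Mailbox -Identity $Identity
    [pscustomobject]@{
        Mailbox                    = $mbx.PrimarySmtpAddress
        LitigationHoldEnabled      = $mbx.LitigationHoldEnabled
        LitigationHoldDuration     = $mbx.LitigationHoldDuration
        # Forwarding set on the mailbox object (admin-controlled)
        ForwardingAddress          = $mbx.ForwardingAddress
        ForwardingSmtpAddress      = $mbx.ForwardingSmtpAddress
        DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
        # Forwarding set by the user through inbox rules (the usual post-compromise persistence)
        ForwardingRules = (Get-InboxRule -Mailbox $Identity |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object { "$($_.Name) -> $($_.ForwardTo)$($_.ForwardAsAttachmentTo)$($_.RedirectTo)" }) -join "; "
        # Who else can open the mailbox or send as it
        FullAccessUsers = (Get-MailboxPermission -Identity $Identity |
            Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\*" -and $_.AccessRights -contains "FullAccess" } |
            ForEach-Object { $_.User }) -join "; "
        SendAsUsers = (Get-RecipientPermission -Identity $Identity |
            Where-Object { $_.Trustee -ne "NT AUTHORITY\SELF" } |
            ForEach-Object { $_.Trustee }) -join "; "
        # Exchange management roles granted to this account
        ManagementRoles = (Get-ManagementRoleAssignment -RoleAssignee $Identity -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Role }) -join "; "
    }
}

# Litigation hold with no notice to the user (duration in days; 2555 is roughly 7 years),
# then confirm it through the review.
Set-Mailbox -Identity "jsmith@contoso.com" -LitigationHoldEnabled $true -LitigationHoldDuration 2555
Get-MailboxSecurityReview -Identity "jsmith@contoso.com" | Format-List

# Tenant-wide: every mailbox with admin-level forwarding configured.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Turn forwarding off on a mailbox.
Set-Mailbox -Identity "jsmith@contoso.com" -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false
```

The tenant-wide query only covers forwarding set by an administrator; to catch user-created rules across all mailboxes, pipe Get-Mailbox into Get-InboxRule the same way the function does, since those rules are what attackers create and they do not appear on the mailbox object.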
PowerShell: Change Mailbox Permissions
PowerShell: Change the User Principal Name on a User Account
Note
The Office 365 account is populated from the on-premises Active Directory. Check the Active Directory configuration to make sure that the user’s e-mail address is in the correct attribute and that the UPN is set for the AD login. If you find yourself needing to run this command, the root cause is a configuration problem in the local Active Directory.
PowerShell: Assign License to a User Account
PowerShell: Purging Users in the Delete Bin
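The MSOnline account-maintenance tasks from the sections above (Passwords Forever, Change the User Principal Name, Assign License, Purging Users in the Delete Bin) are shown together in the following added example, which is not the book’s listing. It assumes Connect-MsolService has already run; the UPNs, the tenant prefix in the SKU name and the usage location are placeholders.

```powershell
# Added example: MSOnline account maintenance. Assumes Connect-MsolService has run.
# UPNs, the "contoso:" SKU prefix and the usage location are placeholders.

# Passwords Forever: set it on one account, then report every account that has the
# exemption so the list can be reviewed (the Note above explains why it drifts).
Set-MsolUser -UserPrincipalName "svc-scanner@contoso.com" -PasswordNeverExpires $true
Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp

# Change the User Principal Name: the new UPN must use a verified domain.
Set-MsolUserPrincipalName -UserPrincipalName "jsmith@contoso.onmicrosoft.com" `
                          -NewUserPrincipalName "jsmith@contoso.com"

# Assign a license: a usage location is required before any license can be assigned.
Get-MsolAccountSku | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits
Set-MsolUser -UserPrincipalName "jsmith@contoso.com" -UsageLocation "US"
Set-MsolUserLicense -UserPrincipalName "jsmith@contoso.com" -AddLicenses "contoso:ENTERPRISEPREMIUM"

# Purge the delete bin: list what is in it first; removal from the recycle bin is
# irreversible and the mailbox can no longer be restored afterwards.
Get-MsolUser -ReturnDeletedUsers | Select-Object UserPrincipalName, ObjectId, SoftDeletionTimestamp
Remove-MsolUser -UserPrincipalName "olduser@contoso.com" -RemoveFromRecycleBin -Force
```

ENTERPRISEPREMIUM is the SKU part for the E5 plan used in this book; Get-MsolAccountSku shows the exact AccountSkuId string (tenant prefix included) that Set-MsolUserLicense expects.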
PowerShell: Bypass Spam Filtering for E-mail
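Spam bypass is done with a transport rule that sets the spam confidence level to -1. The following is an added example rather than the book’s commands; the partner domain and IP range are placeholders. It pins the exception to the partner’s sending IP range as well as the domain, because a domain-only bypass lets any message with a forged From address skip filtering.

```powershell
# Added example: transport rule that bypasses spam filtering for one partner.
# Domain and IP range are placeholders. Run inside an Exchange Online session.
# -SenderDomainIs and -SenderIpRanges are both required to match (AND), so a message
# that merely claims the partner's domain from elsewhere is still filtered.
New-TransportRule -Name "Bypass spam filtering - partner relay" `
    -SenderDomainIs "partner.example.com" `
    -SenderIpRanges "198.51.100.0/24" `
    -SetSCL -1 `
    -Comments "Added at partner's request; review quarterly." `
    -Priority 0

# Review every rule that sets SCL -1; each one is a hole in the spam filter.
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } |
    Select-Object Name, SenderDomainIs, SenderIpRanges, State, Priority
```

If the partner cannot give you a stable IP range, a rule keyed on a header value they add to their mail is the next best scope; avoid bypass rules keyed on the sender address alone.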
PowerShell: Extend the Purges Folder to Greater Than 14 Days
Extend 30-day delete for a mailbox:
Set-Mailbox -Identity <user e-mail address> -RetainDeletedItemsFor 30
Extend 30-day delete for the organization:
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RetainDeletedItemsFor 30
PowerShell: Meeting Room Configuration
To make meeting rooms more useful, you need to add additional user information about the meeting room. The only way to add these capabilities is to use PowerShell to extend the meeting room options. This example uses the “ingoodtaste1” meeting room.
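The room properties that Outlook’s Room Finder and the address book display are set with Set-Mailbox, Set-User and a room list. The following is an added example, not the book’s listing; it keeps the “ingoodtaste1” room name from the text, but the domain, phone number, location and capacity values are placeholders.

```powershell
# Added example: extend a meeting room with capacity, location, capabilities and a room list.
# Room name is from the text; domain and property values are placeholders.
$room = "ingoodtaste1@contoso.com"

# Capacity and office location appear in the Room Finder and address book.
Set-Mailbox -Identity $room -ResourceCapacity 12 -Office "Building A, Floor 2"
Set-User -Identity $room -Phone "+1 503 555 0100" -City "Portland" -StateOrProvince "OR" `
    -Notes "Projector and conference phone; book through Outlook"

# Custom capabilities: define them once in the tenant schema, then tag the room.
Set-ResourceConfig -ResourcePropertySchema @{add = "Room/Projector", "Room/VideoConferencing"}
Set-Mailbox -Identity $room -ResourceCustom "Projector", "VideoConferencing"

# A room list groups rooms by building so the Room Finder can filter on it.
New-DistributionGroup -Name "Building A rooms" -RoomList
Add-DistributionGroupMember -Identity "Building A rooms" -Member $room

# Verify.
Get-Mailbox -Identity $room | Select-Object Name, ResourceCapacity, ResourceCustom, Office
Get-DistributionGroup -RecipientTypeDetails RoomList | Select-Object Name, PrimarySmtpAddress
```

Set-ResourceConfig only needs to run once per tenant; after that, each new room is tagged with Set-Mailbox -ResourceCustom using names already in the schema.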
Troubleshooting: Autodiscover
Note
Outlook clients (Mac and PC) use Autodiscover to find the mail server. Smartphones use the MX records.
1. Navigate to the following registry key:
   HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover
2. Set the following values:
   "PreferLocalXML"=dword:1
   "ExcludeHttpRedirect"=dword:0
   "ExcludeHttpsAutodiscoverDomain"=dword:1
   "ExcludeHttpsRootDomain"=dword:1
   "ExcludeScpLookup"=dword:1
   "ExcludeSrvLookup"=dword:1
   "ExcludeSrvRecord"=dword:1
```
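The same registry values can be applied with PowerShell, which is easier to repeat on several workstations and to reverse. This is an added example, not from the book; it uses the 12.0 (Outlook 2007) key exactly as listed above, and the assumption that other Outlook versions use the same value names under their own version number is mine.

```powershell
# Added example: apply the Autodiscover registry values listed above with PowerShell.
# Uses the 12.0 key from the text; other Outlook versions use their own version number
# (an assumption, not stated on the page).
$key = "HKCU:\Software\Microsoft\Office\12.0\Outlook\AutoDiscover"
New-Item -Path $key -Force | Out-Null

# Values exactly as listed above: prefer a local XML file and skip the other lookups,
# except the HTTP redirect.
$values = [ordered]@{
    PreferLocalXML                 = 1
    ExcludeHttpRedirect            = 0
    ExcludeHttpsAutodiscoverDomain = 1
    ExcludeHttpsRootDomain         = 1
    ExcludeScpLookup               = 1
    ExcludeSrvLookup               = 1
    ExcludeSrvRecord               = 1
}
foreach ($name in $values.Keys) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
}

# Verify what Outlook will read at next start.
Get-ItemProperty -Path $key | Select-Object PreferLocalXML, Exclude*
```

Because PreferLocalXML makes Outlook trust a local autodiscover XML file over anything found in DNS, keep that file where only the user and administrators can write, and remove these values once the troubleshooting is finished so Outlook returns to the normal lookup order.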
Summary
Office 365 administration is a large topic, and many books could be written to cover this topic. The objective here was to provide you with an overview of how to administer Office 365. I wanted to provide you with exposure to the new tools and techniques so that you can see how easy it is to manage and secure Office 365. As you begin to work with Office 365, you can revisit the “PowerShell” section. Office 365 is about productivity and management of company resources.
References
There is a lot of information about Office 365 on the Web; the issue is finding the right site. The information contained in this chapter is a combination of my experience doing deployments and of support information published by third parties.
PowerShell for Office 365