©  Matthew Katzer 2018
Matthew Katzer, Securing Office 365, https://doi.org/10.1007/978-1-4842-4230-8_8

8. Managing Office 365

Matthew Katzer1 
(1)
Hillsboro, OR, USA
 

We have made a lot of progress in securing Office 365. We enabled the audit logs in the Security & Compliance Center, and we completed an initial configuration of Cloud App Security. As part of our MDM deployment, we deployed Azure multifactor authentication, with conditional access support. We also set up data loss prevention policies in the Security & Compliance Center. We placed accounts on legal hold and completed an electronic discovery for a court-ordered subpoena. As part of our discovery process, we set up Microsoft Secure Score and the next-generation Windows Advanced Threat Protection (ATP). The new ATP threat agents combine the latest in machine learning and deep learning. We have made a lot of progress, and we now have a functioning and secure tenant.

Managing our Office 365 tenant is a different set of problems. We can use Secure Score to manage Office 365 because it shows how we are doing as administrators. Have we completed the correct Office 365 configuration? Have we configured the different Office 365 services? Are we doing our jobs as administrators and managing our Office 365 company? If we look at the identity management scores, we even have a grade on our accounts. Have our accounts been configured correctly (see Figure 8-1)?
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig1_HTML.jpg
Figure 8-1

Identity Secure Score

Office 365 and Azure security and compliance are large topics. There is so much information that the question is where do you start? There are two ways to focus on this problem; first we look at the tactical issues represented by Secure Score, and then we look at the administrative issues of how we manage our Office 365 (and Azure) environment. As an example, our security score was 412/711. As we deployed new tools and solutions, the score drastically changed (Figure 8-2), and our combined Microsoft 365 score is now 1064/1711. At this point, we are going to dive into the administration of Office 365, with a focus on managing the Office 365 tenant and how that impacts the Microsoft Security Score.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig2_HTML.jpg
Figure 8-2

Our tenant security score for Office 365 deployment

Looking at the score in detail gives us the direction we need to pursue to be successful with Office 365. We have made a lot of changes since we started working in our Office 365 tenant. We started this journey with a score of 31, and now, at the end of the book, we are at a score of 412 (see Figure 8-3), a difference of 381. The scoring gives us an impartial view of how well we are doing.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig3_HTML.jpg
Figure 8-3

Our tenant security score for Office 365 deployment

Note

In previous books that I have written, I spent a lot of time on getting the right subscription mix. In this book, the scoring will drive the subscriptions. If you have a low score, you can only increase it by deploying more security functions that are part of higher end subscriptions. You need to change the mindset and manage the 365 tenant by the security score to protect the company.

Our configuration of Office 365 uses the Microsoft 365 E5 subscription. This subscription is the highest security subscription Microsoft supplies. We added an Azure subscription through a cloud solution provider (CSP) to the mix, and this gives us full access to Azure Security Center and the related services. In the previous chapters, we spent time on the configuration of the different services; in this chapter, we focus on the administration of Office 365. Time is money, and as an administrator, you are looking for the simplest way to accomplish a task. This chapter outlines the common tasks that administrators are asked to perform in the administration of Office 365. These tasks include renaming users, adding e-mail aliases, creating shared mailboxes, configuring Teams (Skype for Business), reviewing security logs, and changing the subscription type. There are five different ways to administer Office 365: the Office 365 admin center, PowerShell, third-party cloud-based tools, Azure Active Directory services, and Windows Active Directory services. I mention Windows Active Directory so you will not ignore it, but we spend very little time on it. Our use of Active Directory focuses on what you can manage from Office 365 versus what must be managed from on-premises Active Directory.

Office 365 Administration Overview

As an administrator, you’ll find that your company needs different components and applications for the different business roles of the employees in your business. Office 365 allows you to add different components to your subscription. In some cases, your business needs will change, and you’ll be in a situation where you have too many licenses (or too few). You can easily change your subscription mix. There are three ways to change the license mix. You may purchase directly (via the license portal) or through a Tier 1 or Tier 2 cloud solution provider. The Office 365 admin center (see Figure 8-4) is fully configurable. The dashboard that we set up gives us a snapshot of the different admin centers. There are 15 different centers. Our focus in this chapter is not to look at all of these admin centers but rather to look at the key centers that affect security and compliance of the Office 365 environment.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig4_HTML.jpg
Figure 8-4

Office 365 admin center

The global administrator is the first account created when you sign up for Office 365. The global administrator account has full access to all Office 365 resources. You can use PowerShell to configure capabilities, or you can use the graphical interfaces in the various admin centers (Exchange, Skype for Business, or SharePoint) to manage Office 365 capabilities. The one rule to remember is this: to change features using PowerShell or the administration graphical interfaces, the account you are using must have a license for that workload (such as Exchange, Skype for Business, or SharePoint) assigned to it. If a global administrator's account tries to change features in a subscription area that the account is not licensed to use, that action will not be permitted. In some cases, the global administrator is denied access to GUI options (access to the eDiscovery Center, for instance). Partners with delegated administrator rights do not have a license and cannot access a user's data. You may also see some PowerShell commands fail silently (with no error) when no license is attached to the account.

Note

Only selected Microsoft Partners can offer delegated administrator services to their customers. The global administrator must approve the rights to a Microsoft Partner to act as a delegated administrator. Microsoft Partners that have delegated administration capabilities have earned the right to use this service offering.

A good example is using PowerShell to set up a shared mailbox for a user. If you do not have an Exchange license assigned to the global admin account, the Exchange PowerShell scripts will fail when they make a Set-Mailbox call. There are many different commands that you can use to manage Office 365 with PowerShell (see Figure 8-5).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig5_HTML.jpg
Figure 8-5

PowerShell command to add members to a distribution list

For example, you can use PowerShell to administer Office 365, or you can use the GUI (see Figure 8-6). Both interfaces produce the same results, but PowerShell is far more scalable. There is an additional interface, the Exchange admin center. Over time, expect new functionality to appear first in the new groups interface.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig6_HTML.jpg
Figure 8-6

New distribution group interface

As an administrator, you will use both interfaces. The only rule to remember is that you must have a license assigned to the account that you are using to grant permissions to the user accounts. The objective of this chapter is to provide you with the tools and capabilities necessary for you to administer your own Office 365 site and provide the best level of service to your organization.

Note

If you have Azure AD Connect enabled, you cannot edit some properties of a user's mailbox, because they are outside the cloud account's write scope. Those properties are managed by the on-premises Active Directory, which is the source of authority for synchronized objects.

../images/429219_1_En_8_Chapter/429219_1_En_8_Fig7_HTML.jpg
Figure 8-7

Office 365 legacy group interface to add members to the Accounting group

Preparing to Administer Office 365

Office 365 is easy to manage if you have configured the service correctly after migration and you have deployed the security services we recommended in this book. You can use the GUI interface or you can manage Office 365 via the PowerShell interface. The choice is up to you. In this chapter, we have assumed that you have configured your Office 365 solution for production, and we use the following checklist to check on your status. This administration chapter assumes that you have completed the necessary configurations in the previous chapters.

Office 365 Configuration Completion Checklist

The completion checklist looks at common areas that are used to prepare your company to use Office 365. Take a moment and verify your configuration of the Office 365 setup with these 13 steps:
  1. If you have desktop Office 2013/2016/2019, plan to change your subscription to a version of the Office 365 ProPlus subscription software. Older versions of Office desktop software (such as Office 2010, 2007, or 2003) are not enhanced, and in some cases will not work with Office 365. You want to migrate to Office 365 ProPlus and no longer use volume-license or retail versions of Office (it is a support issue).

  2. Check the Office 365 domain setup in the Office 365 admin center to make sure that all DNS entries are green. If you have any actions to complete (under the action header), please complete them before you move forward.

  3. Verify that your Office 365 domain is set to Authoritative in the Exchange admin center and is not shared for e-mail. (Leave it as shared only if your e-mail domain is deliberately split between Office 365 and another mail system.)

  4. Verify that you have placed a local DNS record on your on-premises DNS server. You need to add an Autodiscover CNAME to your internal DNS that points to the host autodiscover.outlook.com (a CNAME points at a host name, not a URL).

  5. If you have an on-premises Exchange Server and you have migrated to Office 365, clear the server's internal Autodiscover URI with the following command (note that, once it is cleared, domain-joined clients no longer autodiscover the local Exchange Server):
     Set-ClientAccessServer -Identity "<name>" -AutoDiscoverServiceInternalUri $NULL

  6. Extend the 14-day deleted-item retention to 30 days (the maximum Exchange Online allows). Run the following PowerShell commands.
     a. Extend the deleted-item retention to 30 days for a single mailbox (replace the placeholder with the user's address):
        Set-Mailbox -Identity <user@domain.com> -RetainDeletedItemsFor 30
     b. Extend the deleted-item retention to 30 days for the organization (without -ResultSize Unlimited, Get-Mailbox returns only the first 1,000 mailboxes):
        Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RetainDeletedItemsFor 30

  7. Enable the audit logs on all users' mailboxes. By default, mailbox audit entries are kept for 90 days; the age limit can be extended to multiple years (the example below keeps one year).
     #Enable Audit Logging
     Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365 -AuditOwner Create,HardDelete,MailboxLogin,MoveToDeletedItems,SoftDelete,Update
     #Check Status
     Get-Mailbox -ResultSize Unlimited | Select Name, UserPrincipalName, AuditEnabled, AuditLogAgeLimit | Out-GridView

  8. Log in to the Office 365 admin center, and select the Security & Compliance Center. Under Search & Investigation, select "Audit log search" and then "Start recording user and admin activity" to enable audit log recording.

  9. The default retention policy does not act on a mailbox until the archive is enabled. Once you enable the archive on a user mailbox, the retention policy begins to execute. For example, the default policy tag moves e-mail older than two years to the archive, and other tags in the default policy delete items (for example, from Junk Email) after a set period. If you do not want your e-mail to be deleted or moved to an archive, remove the tag in the Exchange admin center, under "Compliance Management" and "Retention tags."

  10. Remove any other retention tags you do not want to use in the retention policy.

  11. Verify that you have enabled Yammer on your subscription. To enable Yammer, expand the admin center, and then select Yammer. The service should auto-activate and show a green check mark.

  12. Log in to the OneDrive admin center and set the retention for a deleted user's OneDrive files to 1,530 days.

  13. In the OneDrive admin center, reduce OneDrive sharing to "Existing external users" to control sharing until you understand the sharing features.

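The following script is an added example and is not code from the book. It turns checklist steps 3, 6, and 7 into a repeatable check-then-fix run against Exchange Online: it reports which mailboxes are below the retention and audit targets and applies the settings only when -Apply is given. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline from the ExchangeOnlineManagement module, or the remote session built in the PowerShell section at the end of this chapter), that the signed-in admin holds an Exchange license, and that contoso.com stands in for your own verified domain.

```powershell
# Added example (not from the book): verify and apply checklist steps 3, 6 and 7.
# Assumes an Exchange Online PowerShell session is already connected and the admin
# account is licensed for Exchange. Run without -Apply first to see the drift report.
param(
    [string]$PrimaryDomain   = 'contoso.com',   # placeholder; use your verified domain
    [int]$DeletedItemsDays   = 30,              # Exchange Online maximum for RetainDeletedItemsFor
    [int]$AuditAgeDays       = 365,
    [switch]$Apply                              # without this switch the script only reports
)

# Remote sessions return EnhancedTimeSpan properties as strings such as "14.00:00:00";
# convert them to a day count so they can be compared against the targets.
function ConvertTo-Days([string]$Value) {
    if ([string]::IsNullOrWhiteSpace($Value)) { return 0 }
    return [TimeSpan]::Parse($Value).TotalDays
}

# Step 3: the mail domain must be Authoritative unless you deliberately run a split domain.
$domain = Get-AcceptedDomain -Identity $PrimaryDomain
if ($domain.DomainType -ne 'Authoritative') {
    Write-Warning "$PrimaryDomain is $($domain.DomainType); expected Authoritative unless the domain is intentionally split."
}

# Steps 6 and 7: inspect every user, shared and room mailbox, not just the first 1,000
# that Get-Mailbox returns by default.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox,RoomMailbox
$drift = foreach ($m in $mailboxes) {
    $retainDays = ConvertTo-Days $m.RetainDeletedItemsFor
    $auditDays  = ConvertTo-Days $m.AuditLogAgeLimit
    [pscustomobject]@{
        UPN            = $m.UserPrincipalName
        RetainDays     = $retainDays
        AuditEnabled   = [bool]$m.AuditEnabled
        AuditAgeDays   = $auditDays
        NeedsRetention = $retainDays -lt $DeletedItemsDays
        NeedsAudit     = (-not $m.AuditEnabled) -or ($auditDays -lt $AuditAgeDays)
    }
}

# Drift report: anything listed here is below the target from the checklist.
$drift | Where-Object { $_.NeedsRetention -or $_.NeedsAudit } | Format-Table -AutoSize

if ($Apply) {
    foreach ($d in $drift) {
        if ($d.NeedsRetention) {
            Set-Mailbox -Identity $d.UPN -RetainDeletedItemsFor "$DeletedItemsDays.00:00:00"
        }
        if ($d.NeedsAudit) {
            # Owner actions match step 7; admin and delegate actions are added so that
            # mailbox access by anyone other than the owner is also recorded.
            Set-Mailbox -Identity $d.UPN -AuditEnabled $true -AuditLogAgeLimit "$AuditAgeDays.00:00:00" `
                -AuditOwner    Create,HardDelete,MailboxLogin,MoveToDeletedItems,SoftDelete,Update `
                -AuditAdmin    Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update `
                -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
        }
    }
}
```

Run it once without -Apply and keep the drift report with your Secure Score baseline; mailboxes created after the initial run (new hires, new shared mailboxes) will show up in the report the next time it runs, which is the case the one-off commands in steps 6 and 7 do not catch.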

Office 365 Security Configuration Completion Checklist

The completion checklist looks at common areas that are used to prepare your company to use Office 365 securely. Take a moment and verify your configuration of the Office 365 organization.
  1. Deploy a Microsoft 365 E5 subscription.

  2. Create a Log Analytics workspace for data logging and configure the services that feed it.

  3. Build out Azure Security Center; set the data collection level you want.

  4. Deploy Azure Advanced Threat Protection (Azure ATP) sensors on the domain controllers (on-site or in Azure).

  5. Deploy Windows Defender Advanced Threat Protection agents.

  6. Deploy Microsoft Monitoring Agent (MMA) to all clients and servers.

  7. Deploy the Windows Analytics commercial ID to clients.

  8. Deploy Secure Score and baseline the organization.

  9. Deploy Privileged Identity Management (PIM).

  10. Change all global admin accounts (except one) to security admin and deploy PIM so users request elevated rights when they need them.

  11. Deploy Azure Information Protection.

  12. Deploy MFA to all users.

  13. Deploy Azure AD Identity Protection risk policies.

  14. Deploy Windows 10 update rings.

  15. Deploy the Office ProPlus update policy.

  16. Deploy Mobile Application Management.

     
This will give you a good baseline and a secure organization. Once you have done this, the next step is to take a new baseline Secure Score. This baseline is the reference point you compare the organization against, and it is the configuration used for success measurements. In our case, we started with a score of 31 and ended the 16 steps with a score of 136 (see Figure 8-8). Our additional changes have raised this score to 412, an increase of 381.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig8_HTML.jpg
Figure 8-8

Office 365 security score increase, result of the 16 steps

Admin Centers

They are on our checklist, so let’s visit the admin centers one more time. Office 365, in our example, has multiple admin centers created to support your subscriptions. The standard centers are Office 365, Exchange, Skype for Business, SharePoint, CRM, Power BI, Compliance, Azure AD, and OneDrive for Business. You can reach the admin centers by expanding “Admin centers” (see Figure 8-9).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig9_HTML.jpg
Figure 8-9

Office 365 admin center view with domains not set up

In our example, we have a Microsoft 365 E5 subscription, which includes access to 15 different admin centers, including Intune Mobile Device Management and Power BI. Your subscription may have a different number of applications, depending on your licenses and the additional admin centers that are added based on optional subscriptions. This chapter focuses on the areas of administration in Office 365 that matter for security: Exchange and Skype for Business. The other admin centers (CRM, Power BI, SharePoint, Compliance and Data Loss Prevention, and Exchange Online Protection) are beyond the scope of this chapter. I have included the most common questions that you will need to address when managing your Office 365 service.

The Office 365 administration areas that we address in this chapter are Office 365 dashboard, license management, Exchange, and Teams and Teams administration. At the end of this chapter, we will wrap with a discussion on the configuration of PowerShell. This should provide you with all of the tools you need to manage your Office 365 tenant.

Before we start, there are a few navigation rules that you should know when working in the admin center. At any time that you need to get back to the home page in the admin center, click the nine-block grid in the upper-left corner and then click the “A” for administration. This action will always return you to the admin center.

User accounts can be created in Office 365 in two ways: through a manual process (single-user or bulk load) or via Azure Active Directory synchronization, where accounts are created from the on-premises Active Directory and can be managed only with on-premises Active Directory tools.

There are different types of administrative accounts in Office 365. The first account created (when you purchased Office 365) is a global administrator account. You can create additional global administrator accounts to manage Office 365. Global administrator accounts do not need a license to perform global administration functions. However, a global administrator account does require a license to perform administration functions at the workload level. For example, if you want to configure advanced Exchange services or certain security services, the account you are using must be licensed for the function you are trying to manage. The same is true for SharePoint. If you do not have a license, or if the object is managed by Active Directory synchronization, you cannot configure the functions of the service, only the global access controls for the service. Table 8-1 lists the common Exchange functions that you will use to manage Office 365.

Note

If you are using Azure Active Directory synchronization, Exchange functions are controlled by the on-premises Active Directory. You can find the Azure Active Directory synchronization connector at https://portal.azure.com .

Table 8-1

Exchange Administration Functions

Task: Description

Exchange administration roles: Reviews the different Exchange roles for managing Office 365.

Default user role: Explains the default user roles and permissions.

Conference Room/Resource Room: Explains how to set up and manage a conference room (resource mailbox).

Changing a user name and e-mail address: Changing an e-mail address is a two-step process; this is how you change the e-mail address of a user account.

Adding a user alias: Adding an alias e-mail address or changing the default e-mail address.

Shared mailbox: Explains how to create a shared mailbox for Outlook or a smartphone.

Creating a distribution group: Explains the different Office 365 distribution groups.

Sending e-mail from an alias e-mail address: Allows the user to send e-mail from an address other than the user's own primary address.

Smartphone management: User configuration options for Exchange.

Troubleshooting: Autodiscover: Desktop configuration to ignore the on-premises Exchange Server.

Teams allows you to communicate internally without any configuration. The normal requirement is to also enable communication with external users (Skype users and smartphones), and external communication is where the work is. The administration topics in Table 8-2 are the configuration changes required to communicate across different external domains.
Table 8-2

Teams Administration Functions

Task: Description

Setting up Skype for Business: Enabling Teams to communicate with noncompany users.

Adding Skype voice and porting phone numbers: Adding Skype voice for local and international calling.

Configuring dial-in conferencing: Adding dial-in conferencing for Teams users.

Communicating with Skype users: Step-by-step instructions to enable Teams-to-Skype integration.

Restricting Teams users' capability: Restricting Teams capabilities in the admin center.

In addition to the administration section, we have included an overview and usage section on PowerShell. PowerShell is extremely useful if you must implement unique functions or must repeat a set of tasks multiple times. Office 365 may be completely administered from PowerShell, and our discussion is not a complete list. The objective of this chapter is to show you the various options you can use in managing Office 365.

Office 365 Administration Center

The Office 365 administration consoles are easy to access once you log in to Office 365. Once you have selected the admin console, select the admin center. The admin center shows only the admin consoles for the licenses that have been activated for Office 365. For example, if Teams licenses are not purchased, there is no access to the Teams admin center. The Office 365 admin center is used to administer global functions: permissions, security groups, domain management, and system health. However, the Office 365 admin center is limited if directory synchronization is enabled. When directory synchronization is enabled, the on-premises Active Directory is the source of authority for the synchronized objects, and only the attributes that are not mastered on-premises can be modified in Office 365.

Accessing the Office 365 admin center is simple: just log in to Office 365. If you have the permissions, you will land at the main page. Select the Admin dashboard (see Figure 8-10). If your permissions are limited, your menu options will be limited to reflect your privileges. One of the first areas to access is the Licenses page, located under Billing. It shows the active license mix in your Office 365 tenant.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig10_HTML.jpg
Figure 8-10

Dashboard after logging in as an administrator

As Microsoft builds out newer releases of Office 365 and reengineers the administrative panel, the biggest change will be the customization of the user experience. As an example, a global administrator will have one experience (similar to the dashboard in Figure 8-11), whereas a security administrator will see more information about security and less about service tickets.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig11_HTML.jpg
Figure 8-11

Licenses dashboard, under Billing

The Office 365 Licenses tab gives you a good overview of the active and expired licenses. Different admin center access is based on the licenses assigned to the user account. Office 365 plans have different admin centers and configuration options.

To access the administration area for other Office 365 features, click Admin and then select the appropriate admin center you want to use (see Figure 8-12).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig12_HTML.jpg
Figure 8-12

Office 365 admin centers

The Office 365 admin center is organized into separate admin centers based on your license mix. Administrator access is granted if the license is assigned to the global administrator account (see Figure 8-13). Earlier we discussed the different types of administrators. Different versions of the administration dashboard appear in the previous figures.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig13_HTML.jpg
Figure 8-13

Overview of the admin center functions

The global administrator sees all licensed administrator functions and can configure the admin centers, such as Exchange, Skype for Business, SharePoint, Yammer, Compliance, Azure AD, and Intune. Other service centers are added based on the optional subscriptions that were purchased. For example, if you purchased Dynamics CRM and added it to your subscription, you would have access to the Dynamics admin center. Likewise, when we added Enterprise Mobility + Security (EMS) licenses to our Office 365 tenant, we enabled Azure features for Office 365. Once you have selected the administration dashboard, you can select the different admin centers that you need to configure your Office 365 company.

Note

We review the key administration configuration areas that are important for Office 365 and leave the remaining ones for you to explore. Most of our focus is on the service admin centers.

Administrator Roles

There are different permission structures in Office 365, depending on which console you are given permissions to use. The basic administrator permissions of Office 365 are shown in Figure 8-14. There are five different administrator permissions that may be assigned to user accounts on Office 365. The only account that is assigned global permissions by default is the first account. This account was created when you purchased the service. All other accounts are assigned user-level permissions. Depending on the size of the organization, it may make sense to assign different roles for different job functions.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig14_HTML.jpg
Figure 8-14

Office 365 administrative roles (courtesy of Microsoft)

Microsoft's approach is to provide administration management similar to on-premises Active Directory. Active Directory synchronization (using Azure AD Connect) is used to "sync" the AD environment to Office 365. The Office 365 (and Azure) permissions are global in design, and the individual admin centers are used to restrict permissions. For example, global administrators have all rights, but to access eDiscovery data, the account must be placed in the appropriate Exchange administration role group (Discovery Management). Smaller companies do not need such distributed administration rights and tend to be less granular. Small organizations typically assign three roles: Global administrator, Billing administrator, and Password administrator. There are additional permissions that are assigned based on the additional subscription offerings (see Figure 8-15).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig15_HTML.jpg
Figure 8-15

Office 365 administrative roles with additional license roles

In Figure 8-15, the additional license roles are for Skype for Business, Dynamics 365, and Power BI. In addition to the license roles, there are roles that are granted to Microsoft Direct and Indirect Cloud Solution Partners. These additional roles are granted by customers to help manage the Office 365 offering they have purchased from Microsoft.

Step back and look at your company and the different roles you can assign to personnel in your company. Microsoft's security model is least privilege: assign the lowest role possible, granting only the permissions required to complete the job. When you assign roles, verify that you are providing access at the level needed to execute the administrative task and no more. Table 8-3 has detailed descriptions of the different administrator rights.

Note

Global administrators are assigned all rights by default. A global administrator can grant themselves permission to read any user's mailbox and then open it, and that access is visible afterward only if mailbox auditing is enabled. Business owners are cautioned to grant these rights only to those who need them.

Table 8-3

Office 365 Role Descriptions

Role: Description

Global administrator: This is the company administrator. Users in this role have access to everything, or can add themselves to a dedicated role (such as Discovery Management) for the few functions that are not granted by default.

Billing administrator: Access to all financial transactions. Delegated partners do not have access to this information.

Password administrator: Can reset only the passwords of non-administrator users and of other administrators at the same level of permissions.

Service support administrator: This is a limited administration role. Users in this role can only view the portal and manage support tickets. Typically, users who are assigned this role have a different role assigned in the individual subsystems, such as Exchange.

User management administrator: These users can assign licenses and reset passwords but cannot make changes to other admin accounts that have more privileges than they do.

The typical Office 365 configuration leaves one account (usually the root account, the initial Office 365 account) as a global admin without any user licenses. Some organizations leave this as a global admin account, and others use it as a user account. Regardless of what you do, the first account is the root account, and it should never be used as a user account. The root account in Office 365 is the base account that was used to create all the different services linked to the Office 365 tenant. As Microsoft has deployed new versions of Office 365, the dependence on the root account has been minimized. We recommend that you do not delete this account or assign it to a user.

In the past, the first account was a sacred account, and many Office 365 services depended on it. Microsoft addressed the dependency on the first account by creating an internal Office 365 group known as Company Administrators. All global admins are members of this group, and this is where the base permissions are assigned in Office 365. This internal group reduces the risk of the root account being used as a user account.

Our approach in setting up Office 365 customers has changed over the years. We always recommend the following configuration for our new Office 365 clients. There are additional measures you can take in the configuration of your Office 365 company. Some of these were discussed in Chapter 7. Our typical configuration for Office 365 includes the following:
  • Enable 365-day auditing for all delegated administration and administration access (see the "PowerShell" section).

  • Enable the audit logs in the Security & Compliance Center.

  • Enable the EMS productivity suite with extended security analytics.

  • Deploy Multi-factor authentication on global admin accounts.

  • Do not use a global admin account as a personal account.

  • Set passwords to never expire (if you have deployed MFA).

  • Review the Azure audit logs, Azure sign-in logs, and Office 365 audit logs weekly.

  • Download and archive the three logs (mentioned earlier) monthly in case you have a breach. You can also set up the logs for long term storage in Azure.
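The following script is an added example, not code from the book. It audits the global administrator role against the list above: it enumerates every global admin, flags accounts without per-user MFA, accounts that carry a license (a sign the account is also someone's daily account), and accounts synchronized from on-premises AD (a break-glass admin should be cloud-only), and warns when more global admins exist than you intend to keep. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the threshold of two global admins is an assumption, not a Microsoft default.

```powershell
# Added example (not from the book): audit global admin accounts against the
# recommended configuration. Assumes Connect-MsolService has already been run.
param(
    [int]$MaxGlobalAdmins = 2,            # assumed target: one break-glass account plus one working admin
    [switch]$EnforcePasswordNeverExpires  # only sensible once MFA is on these accounts
)

# "Company Administrator" is the directory name of the Global administrator role.
$role    = Get-MsolRole -RoleName 'Company Administrator'
$members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
             Where-Object { $_.RoleMemberType -eq 'User' })

$report = foreach ($member in $members) {
    $user = Get-MsolUser -UserPrincipalName $member.EmailAddress
    # Per-user MFA state lives in StrongAuthenticationRequirements. It is empty when MFA is
    # enforced only through conditional access, so "NotSet" means "go check the CA policies".
    $mfaState = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State   # Enabled or Enforced
    } else { 'NotSet' }

    [pscustomobject]@{
        UPN                  = $user.UserPrincipalName
        PerUserMfa           = $mfaState
        Licensed             = $user.IsLicensed                 # licensed GA is likely a personal account too
        SyncedFromOnPrem     = $null -ne $user.LastDirSyncTime  # a break-glass GA should be cloud-only
        PasswordNeverExpires = $user.PasswordNeverExpires
    }
}

$report | Format-Table -AutoSize

if ($members.Count -gt $MaxGlobalAdmins) {
    Write-Warning "$($members.Count) global admins found; move the extra ones to a lesser role and use PIM for elevation."
}
$report | Where-Object { $_.PerUserMfa -eq 'NotSet' } | ForEach-Object {
    Write-Warning "$($_.UPN): no per-user MFA; confirm a conditional access policy requires MFA for this account."
}
$report | Where-Object { $_.Licensed } | ForEach-Object {
    Write-Warning "$($_.UPN): global admin holds a license; check it is not also used as a personal account."
}

# Password never expires is safe only for accounts that already have MFA, so the
# switch is applied only to admins whose per-user MFA state is set.
if ($EnforcePasswordNeverExpires) {
    $report | Where-Object { $_.PerUserMfa -ne 'NotSet' -and -not $_.PasswordNeverExpires } | ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UPN -PasswordNeverExpires $true
    }
}
```

Schedule this with the weekly log review; a new global admin appearing in the report that nobody requested is exactly the kind of change the audit logs should then explain.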

Our objective is to provide you an overview of the key areas you need to cover on Office 365 as an administrator. To understand the administrator functions better, you need a roadmap as to what to look for.
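To turn the weekly review and monthly archive items in the list above into a routine, the following script is an added example (not code from the book). It checks that unified audit log ingestion is on (checklist step 8), pages the last 30 days of the Office 365 unified audit log out of Search-UnifiedAuditLog into a dated CSV, and prints the administrator role changes found in it. It assumes an Exchange Online PowerShell session is open and that the archive folder path is yours to choose; the folder name used here is a placeholder.

```powershell
# Added example (not from the book): archive the Office 365 unified audit log and
# surface admin role changes. Assumes an Exchange Online PowerShell session is connected.
param(
    [int]$Days = 30,
    [string]$ArchivePath = 'C:\O365-AuditArchive'   # placeholder; any folder you control
)

# Step 8 as a check: with ingestion disabled, searches return nothing and you would
# archive an empty file without noticing.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is disabled; enable it (Security & Compliance Center, or Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true) and wait for data.'
}

$end       = Get-Date
$start     = $end.AddDays(-$Days)
$sessionId = "archive-$($start.ToString('yyyyMMdd'))-$($end.ToString('yyyyMMdd'))"
$records   = New-Object System.Collections.Generic.List[object]

# Search-UnifiedAuditLog returns at most 5,000 rows per call. Keep calling with the same
# SessionId and ReturnLargeSet until an empty page comes back to get the whole window.
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000)
    if ($page.Count -gt 0) { $records.AddRange($page) }
} while ($page.Count -gt 0)

New-Item -ItemType Directory -Path $ArchivePath -Force | Out-Null
$file = Join-Path $ArchivePath "UnifiedAuditLog-$sessionId.csv"
$records | Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
    Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
Write-Host "$($records.Count) records archived to $file"

# The entries worth reading every week: who changed an admin role, and for whom.
# AuditData is a JSON document; UserId is the actor and ObjectId the target account.
$records |
    Where-Object { $_.Operations -in 'Add member to role.', 'Remove member from role.' } |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Actor     = $d.UserId
            Operation = $_.Operations
            Target    = $d.ObjectId
        }
    } | Sort-Object When | Format-Table -AutoSize
```

Because the unified log is retained for a limited period, the dated CSV is what you will have to work from if a breach is discovered months later; copy it to the long-term Azure storage mentioned above rather than leaving it on an admin workstation.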

Note

If you have not configured your domain for Office 365, complete that step before you add user accounts. If you add user accounts and then change the domain, the desktop user configurations will need to change to map to the new IDs and e-mail accounts.

Config: Overview

The Office 365 admin center (see Figure 8-16) is extremely flexible for managing your Office 365 organization. Our first step to managing Office 365 is to make sure you have the correct administrative roles assigned to your IT support staff. The next step is the configuration of the 365 tenant. The basic Office 365 admin center allows you to manage users, groups, support, settings, setup/domains, reports, and health. The additional admin centers are used to manage the unique features to each of your subscription. As an example, if you only purchase Exchange plan 1 (and not other features), then the admin center will only have Exchange and Security & Compliance Center as options.
Figure 8-16: Office 365 admin center

In previous chapters, we reviewed the Security & Compliance, Azure AD, and EMS/Intune. This chapter, besides covering the Office 365 administration, will also review Exchange, Skype for Business, SharePoint, and OneDrive from an administrator perspective. There may be additional admin centers listed in your Office 365 tenant. These centers appear based on the active license assigned to the Office 365 tenant.

Note

We always recommend that you purchase at least one Microsoft 365 E5 suite and assign it to the first global administrator account created. Your Office 365 tenant will function better.

The configuration sections that follow are organized based on the required configuration order. As an example, to configure users, you need to configure your Office 365 domain and have the appropriate licenses assigned to your tenant. If you have this already configured in your Office 365 account, then use this section to review what you have set up. In our case, when I wrote this chapter, I discovered that the Office 365 domain structure changed, and even though my Office 365 was functioning, the features were having weird hiccups that no one could explain. I discovered that the DNS setup I had was no longer valid and needed to be updated.

Config: Domains

There are no practical limits on the number of domains that can be verified on Office 365. The rules are simple: you need to verify a domain if you want to use the domain in Office 365. Once you verify the domain, you assign the domain different use rights, depending on the licenses that were purchased for your Office 365 service.

There are many reasons to add a secondary domain; one is to restrict specific services to a segment of users, because administrators can restrict services per domain. Adding a domain is straightforward: add the domain (see Figure 8-17) and enter the necessary record changes in your DNS. The wizard is easy to follow; just be careful with the options you select. We typically use a manual approach when adding DNS records once an Office 365 account is active. To add a domain, follow these steps:
  1. Select the Domain sidebar menu option (from the grid, select Admin ➤ Microsoft Admin center ➤ Setup ➤ Domains) and then select “Add a domain.”

  2. Add the TXT record to your DNS provider.

  3. Add the remaining DNS records (if you have not moved your e-mail to Office 365, do not change the MX, SPF, and Autodiscover records).

  4. Verify your DNS record and fix any record errors.

  5. Verify that you have fully deployed the enterprise mobility CNAMEs.

The migration to Office 365 was covered in Chapter 7. In the previous steps, if you have already cut over to Office 365 or added another domain to Office 365 (the focus of this chapter), then change the MX, SPF, and Autodiscover records.
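As an added example (not code from the book), the following PowerShell checks, read-only and from outside the tenant, the records the steps above ask for: the TXT verification record, MX and SPF, the Autodiscover CNAME, and the two enterprise mobility CNAMEs. It assumes the Windows DnsClient module (Resolve-DnsName); the domain name and resolver address are placeholders, and the -MailMigrated switch tells the check whether the MX/SPF records are expected to point at Office 365 yet.

```powershell
# Added example, not the book's own code: read-only check of an Office 365 domain's DNS records.
# Assumes the Windows DnsClient module (Resolve-DnsName). Domain and resolver are placeholders.
function Test-O365DomainDns {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [switch] $MailMigrated,          # set once e-mail has been cut over to Office 365
        [string] $Resolver = '8.8.8.8'   # public resolver, so a stale internal cache cannot hide a bad record
    )
    $q = @{ Server = $Resolver; ErrorAction = 'SilentlyContinue' }

    # TXT: the MS=msXXXXXXXX verification record and the SPF record both live at the apex name
    $txt = Resolve-DnsName -Name $Domain -Type TXT @q | ForEach-Object { $_.Strings -join '' }
    $verification = $txt | Where-Object { $_ -match '^MS=ms\d+' }
    $spf          = $txt | Where-Object { $_ -match '^v=spf1' }

    # MX: Office 365 mail routing points at <domain-key>.mail.protection.outlook.com
    $mx = Resolve-DnsName -Name $Domain -Type MX @q |
          Where-Object { $_.NameExchange } |
          Sort-Object Preference | Select-Object -First 1 -ExpandProperty NameExchange

    # CNAMEs: Autodiscover for Outlook, plus the two enterprise mobility names from step 5
    $cnames = @{
        "autodiscover.$Domain"           = 'autodiscover.outlook.com'
        "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
        "enterpriseenrollment.$Domain"   = 'enterpriseenrollment.manage.microsoft.com'
    }
    $cnameResults = foreach ($name in $cnames.Keys) {
        $target = Resolve-DnsName -Name $name -Type CNAME @q |
                  Where-Object { $_.NameHost } | Select-Object -First 1 -ExpandProperty NameHost
        [pscustomobject]@{
            Record   = $name
            Expected = $cnames[$name]
            Actual   = $target
            Ok       = [bool]($target -and $target.TrimEnd('.') -eq $cnames[$name])
        }
    }

    $mailOnO365 = [bool]($mx  -match '\.mail\.protection\.outlook\.com$')
    $spfOnO365  = [bool]($spf -match 'include:spf\.protection\.outlook\.com')
    # Step 3: before cut-over, MX pointing at Office 365 is a mistake; after cut-over, both are required
    $mailOk = if ($MailMigrated) { $mailOnO365 -and $spfOnO365 } else { -not $mailOnO365 }

    [pscustomobject]@{
        Domain                = $Domain
        VerificationRecord    = [bool]$verification
        MxRecord              = $mx
        SpfRecord             = ($spf -join ' ')
        MailRecordsAsExpected = $mailOk
        CnameRecords          = $cnameResults
        AllCnamesOk           = -not ($cnameResults | Where-Object { -not $_.Ok })
    }
}

# Usage (placeholder domain):
# Test-O365DomainDns -Domain 'example.com' -MailMigrated | Format-List
# (Test-O365DomainDns -Domain 'example.com').CnameRecords | Format-Table
```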
Figure 8-17: Office 365 adding a domain

After you select “Add a domain,” enter the records in Office 365 and validate the domain. If the record cannot be validated or is in use by another Office 365 tenant, the domain validation wizard will allow you to send an email transfer request to the owner of the domain you are trying to validate. You can only have one Office 365 tenant per domain.

We started the process of adding the domain to Office 365 (see Figure 8-18). The first step was to verify the domain with the TXT record. Once the DNS verification record was added, we used the Domain wizard to add and validate the remaining records. When you have successfully added the records, you should see a summary page (see Figure 8-19). If there are errors, the Domain wizard displays them so you can resolve them.
Figure 8-18: Office 365 verifying the domain in Office 365

Figure 8-19: Complete domain adding process for Office 365

Config: Domain: Troubleshooting

Once you have added the domain, Office 365 constantly verifies your DNS and highlights the invalid DNS records. Fixing the records is easy: just select the domain (see Figure 8-20) and then select Check DNS. If there are any issues present or a configuration that you can’t use, Fix Issues is available as an option. Correct these records in your DNS records and verify them until all the records have no errors.
Figure 8-20: Fixing the DNS records

Config: Adding/Changing and Decreasing Licenses

There are multiple ways that you can change license numbers in Office 365. Microsoft allows you to change the existing license quantity, add new licenses by purchasing URLs, purchase a volume license key, or purchase licenses from your Microsoft Partner. The question for most users is where to find the simple display that summarizes the license mix. To find out the license mix, select the Products sidebar menu option (from the grid, select Admin ➤ Admin Center ➤ Setup ➤ Products).

You can manage the licenses from the setup portal. Office 365 links this portal to some of the other portals (see Figure 8-21). For instance, the assign function links to the user assignment. Likewise, the purchase option links you to the subscription adjustments.

If you are using a CSP, you will need to contact your CSP partner or use your partner’s configuration portal to adjust the licenses. KAMIND IT’s license portal is at www.kamind.com/license and requires an Office 365 account to log in. KAMIND IT offers this service at no charge for the license management of Office 365 subscriptions.
Figure 8-21: License mix summary with shortcuts

Reducing licenses is simple in the administration portal (see Figure 8-22); just select the Subscription sidebar menu option (from the grid, select Admin ➤ Admin center ➤ Billing ➤ Subscription) and the subscription that needs the license quantity adjusted. You can reach this same menu from the Products menu.
Figure 8-22: Changing the license quantity

You can also increase the number of licenses through the same process (described earlier), or you can purchase a volume license key from a reseller. These volume license keys are called open license keys. The process of adding licenses is slightly different when you use a reseller to purchase the license. Figure 8-23 shows you the different ways you can activate an open license key from your Microsoft Partner. Open licenses are different from licenses supplied by a CSP partner. If licenses were supplied by a CSP partner, these license adjustments will automatically appear in your account.

Note

If your Office 365 is supplied from a CSP (direct or indirect), check with the partner for the best way to change the license quantity. Different partners offer different incentives based on the organization size.

Figure 8-23: Different types of open subscription activation and links

When you purchase an open license from a partner, you retrieve the subscription license number from the volume license center (www.microsoft.com/licensing) and select the appropriate link to start the activation process (see Figure 8-24). You must be a global administrator to add the open license key to your Office 365 environment.
Figure 8-24: Activating the open license key

Log in to the Office 365 tenant and follow the wizard to add the new subscription to your environment. If you purchase multiple licenses of the same license type (an E3 Open subscription), all the licenses are pulled together as one license group. It works better if you add each license one at a time to get the correct expiration dates. In Figure 8-25, we are adding 25 licenses. If there were multiple licenses added on the same date, Microsoft gives you the option to group the licenses together for a common renewal date.
Figure 8-25: Grouping licenses

Once you have added the licenses to your Office 365 subscription, the new licenses are updated in your subscription portal. We recommend you always add the licenses before you add users.

Config: Password Expiration

Office 365 allows you to configure a password policy to allow password changes between 14 and 730 days (see Figure 8-26). Typically, a password policy is set to 90-day expiration and with a 14-day warning. To change the password policy, select Security (from the grid, select Admin ➤ Admin center ➤ Settings ➤ Security) and change the parameters for your password reset. In the security area, you also have the master control to turn on/off sharing for the Office 365 tenant.

Note

If you deploy MFA and use the Microsoft Authenticator application (as we discussed in Chapter 5), you can set your passwords not to expire. This is more secure than changing your password every month.

Figure 8-26: Changing the password policy

Once you have edited the password option, set the password policy for your organization. We recommend you leave the default (change passwords every 90 days), unless you are planning to enable multifactor authentication. Changing the password is simple: select the new password option and click Save after you make the changes (see Figure 8-27). These changes are global and affect all users.
Figure 8-27: Setting the password option

Note

If you are setting passwords to never expire, purchase additional security subscriptions to manage your Office 365 tenant and enable multifactor authentication. The best subscription for this is EMS E5 with Azure Identity enabled.
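As an added example (not code from the book), the following PowerShell applies the password settings from this section and the two rules from the checklist at the start of the chapter (MFA on every global admin, passwords never expire only where MFA is deployed). It assumes the MSOnline module, the module behind the Get-MsolUser commands used later in this chapter, with an open Connect-MsolService session as a global administrator; the domain name is a placeholder.

```powershell
# Added example, not the book's own code. Assumes the MSOnline module and an open
# Connect-MsolService session made with a global administrator account.

function Set-BookDefaultPasswordPolicy {
    # The section's default: passwords expire every 90 days with a 14-day warning.
    param([Parameter(Mandatory)] [string] $Domain)   # placeholder, e.g. example.com
    Set-MsolPasswordPolicy -DomainName $Domain -ValidityPeriod 90 -NotificationDays 14
    Get-MsolPasswordPolicy -DomainName $Domain
}

function Get-MfaState {
    # MSOnline exposes per-user MFA as StrongAuthenticationRequirements; empty means off.
    param([Parameter(Mandatory)] $MsolUser)
    $req = @($MsolUser.StrongAuthenticationRequirements)
    if ($req.Count -gt 0) { return $req[0].State }   # 'Enabled' or 'Enforced'
    return 'Disabled'
}

function Get-GlobalAdminMfaReport {
    # "Deploy multifactor authentication on global admin accounts": list every user member
    # of the Company Administrator role (the global admin role) with its MFA state.
    $role = Get-MsolRole -RoleName 'Company Administrator'
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        if ($member.RoleMemberType -ne 'User') { continue }   # skip groups and service principals
        $user = Get-MsolUser -UserPrincipalName $member.EmailAddress
        [pscustomobject]@{
            GlobalAdmin          = $user.UserPrincipalName
            Mfa                  = Get-MfaState $user
            PasswordNeverExpires = $user.PasswordNeverExpires
        }
    }
}

function Sync-PasswordExpiryWithMfa {
    # "Set passwords to never expire (if you have deployed MFA)", applied per user: never-expire
    # is switched on only where MFA is already enforced, and an account that has never-expire
    # without MFA is reported as drift. Nothing is changed unless -Apply is given.
    param([switch] $Apply)
    foreach ($user in Get-MsolUser -All) {
        $mfa = Get-MfaState $user
        $action = $null
        if ($mfa -eq 'Enforced' -and -not $user.PasswordNeverExpires) {
            $action = 'SetNeverExpires'
            if ($Apply) {
                Set-MsolUser -UserPrincipalName $user.UserPrincipalName -PasswordNeverExpires $true
            }
        } elseif ($mfa -ne 'Enforced' -and $user.PasswordNeverExpires) {
            $action = 'DRIFT: never-expires without enforced MFA'
        }
        if ($action) {
            [pscustomobject]@{ User = $user.UserPrincipalName; Mfa = $mfa; Action = $action }
        }
    }
}

# Usage (placeholder domain):
# Set-BookDefaultPasswordPolicy -Domain 'example.com'
# Get-GlobalAdminMfaReport | Format-Table
# Sync-PasswordExpiryWithMfa | Format-Table          # report only
# Sync-PasswordExpiryWithMfa -Apply | Format-Table   # apply the never-expire setting
```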

Config: Completing Company Configuration

Before we leave the configuration section, there are some additional areas that need to be changed to support your Office 365 deployment (see Figure 8-28). Let’s look in detail at the other functions in Settings (from the grid, select Admin ➤ Admin center ➤ Settings). Settings is where you customize your Office 365 environment and make it unique to your deployment. This section allows you to do the following:
  • Services & Add-ins: Optional application and features

  • Security & Privacy: Control external sharing of documents throughout Office 365

  • Domains: Add/remove domains for new e-mail addresses

  • Organization Profile: This section contains information about the company and the organization’s Office 365 configuration preferences

  • Partner Relationship: Control partner administration functions

When Microsoft releases a new feature, these features are optional for the organization. To enable the feature, you must actively turn the feature on for deployment. A good example is Microsoft Teams. This is like the third-party product Slack, but Teams is included in your Office 365 subscription. To access Teams, select Admin ➤ Admin Center ➤ Teams & Skype (see Figure 8-29).
Figure 8-28: Configuring Office 365 company options

Figure 8-29: Enabling Office 365 Teams features

Config: Partner Administrators

“Partner relationships” is where you add a partner as a delegated administrator. These are your trusted advisors. There are two types of delegated administrators: Microsoft and Microsoft Partners. When an Office 365 site is created, no administration rights are granted to any external parties; Microsoft does not have the ability to access user data unless that right is granted by the account owner. There are two types of partner administrators: delegated administration from a Microsoft cloud advisor and from a Microsoft CSP (see Figure 8-30).
Figure 8-30: Types of Microsoft cloud partners

The account owner (global admin) can add (or delete) cloud solution advisors and add (or delete) the CSPs as needed, with some caveats.
  • Cloud solution advisors are partner global administrators and need to purchase licenses through Microsoft or a third party. You can add/remove these advisors as needed.

  • Cloud solution providers are partner global administrators and provide licenses to Office 365 customers through a partner administrator. You cannot remove these providers unless you have removed the licenses provided by these providers.

CSPs are different from CSAs. For example, KAMIND IT CSP offerings are listed at www.kamind.com/csp. Keep in mind that if you purchase licenses through a CSP, your Microsoft account is managed by the CSP, not Microsoft. If you remove a partner’s CSP access, you may have breached your agreement with Microsoft.

Config: Adding, Deleting, and Restoring Users

Office 365 supports many features that you can configure through the Office 365 user interface. Some actions (such as setting conference room permissions) are available only using PowerShell. If you are running Active Directory Synchronization (AD Connect), you can use your on-premises Exchange Server 2010/2013/2016/2019 or Active Directory tools to configure services (and sync those changes into the cloud). Our focus in this chapter is on the user configuration of Office 365 using the Office 365 interface.

There are four primary user operations for administration:
  • Adding single users via the user interface

  • Bulk-adding using a CSV file and the GUI interface

  • Deleting users

  • Restoring users

If you need to assign user passwords, you need to use the PowerShell commands. Typically, we load the users using the bulk-load options, and then we assign the passwords using PowerShell. If you have an Active Directory Connector (AD Connect) running in your on-premises environment, you need to assign passwords using the on-premises Active Directory tools.

Note

Some organizations use Exchange Server Management Console to manage Office 365. This is not needed and causes more problems in managing Office 365. The best tool to use to manage Office 365 connected accounts is the Windows Server Active Directory Administrator Tools.

Users: Adding Office 365 Users via the Office 365 Admin Center

The Office 365 user administration tool can add users only at the Office 365 level. If you have a connected on-premises environment and those users access on-premises resources, you must add the users using the on-premises Active Directory administration tools. The Active Directory Connector enables only specific Active Directory objects to be used in the cloud and is a one-way activity.

Log in as an administrator (at https://portal.office.com or http://portal.microsoft.com), as shown in Figure 8-31. Click the nine-block grid (at the top left). Next, click Admin ➤ Admin center ➤ Users ➤ Active users. Click “+ Add users” to add a new user.
Figure 8-31: Adding users to Office 365

Fill in the information for the user and create the account. The minimum information you need to create a user is the username (first, last), e-mail address, and licenses. There are additional configuration options on user accounts (contacts, password, products, and administration roles) that may be needed. These additional fields are optional. There are four steps to set up a user account.
  1. Set up the user name and primary e-mail address.

  2. Set the user password.

  3. Set the user administration permission (no administrator rights are the default).

  4. Assign a license.

These steps are reviewed next.

Step 1: Add User Information and E-mail Address
See Figure 8-32.
Figure 8-32: Adding the user information

Step 2: Add Password Information
It is important that you change the default password policy when you create a new user. There are cases where you need to set the password when the account is created and cases where you need to have the user reset the password. Our recommendation is that you always have the user set their own password (see Figure 8-33).
Figure 8-33: Assigning password and setting the administrator role

Step 3: Assign Administration Roles
When you add a user, you can assign the role for the user (see Figure 8-34). Only global administrators can assign administrator roles. If you assign a user admin rights, you need to supply a mobile phone number in the contacts and an alternate e-mail address (not located in your current Office 365 tenant); otherwise, you cannot create a new account. All administrator users must have a cell phone that receives calls.
Figure 8-34: Assigning the admin user

Step 4: Assign the Licenses to the User
You can assign any valid license to the user. You can also selectively assign access to the various Office 365 services (see Figure 8-35). Office 365 allows you to enable/disable different services associated with the license. Some organizations do not want to allow users to access services that the help desk cannot support. The global administrators can enable or disable the service on each user account or by using PowerShell. Once you have selected the appropriate licenses and other license features, click Save. You have created the user account.
Figure 8-35: Assigning the license to the user

In this example, we assigned E5 licenses with the Enterprise Mobility Suite (EMS) and Skype for Business. As an administrator, you can selectively remove access to different licenses. To remove capabilities, just move the option switch to Off.

Users: Changing User Information

You can also change any information about a user. Just select the user and edit the information (see Figure 8-36).
Figure 8-36: Changing user information

Users: Deleting

Deleting users is as simple as selecting the user and then selecting Delete (see Figure 8-37). If the “delete user” trashcan icon is not present, the user is blocked from deletion in Office 365, and you need to use the PowerShell command to remove the user account. A blocked user account usually happens when a user is placed on legal hold or when an account was not deleted properly. To remove users that are on litigation hold, you need to remove the in-place hold or the legacy litigation hold using PowerShell or the Exchange admin center. Once the in-place or litigation hold is cleaned up, you can delete the user. When you delete an account, we recommend you follow these steps:
  1. Remove any legal hold on the account.

  2. Disable the archive on the account (if enabled).

  3. Remove any e-mail alias assigned to the account (leave only the onmicrosoft.com name and SIP).

  4. Set the user account to the onmicrosoft.com name as the primary address.

  5. If you do not want to keep e-mail (or move e-mail to another account), then remove all licenses from the account.

  6. Delete the account. (If you delete the account, the mail will be deleted!)

Note

Before you remove the user account (as suggested earlier), verify that you have the OneDrive for Business data backed up. Removing the e-mail address may delete the user’s OneDrive for Business data. Deleted account data will be retained for 30 days after the account has been deleted or the licenses have been removed.

Figure 8-37: Deleting a user account

Deleted users can be recovered for up to 30 days and are in the Deleted Users folder. If you want to remove the user from the Office 365 Deleted Users folder, run the following PowerShell command to purge the user account. If you have not set up PowerShell, see the “PowerShell” section later in this chapter. These PowerShell examples are code snippets and require the necessary credentials to execute.

PowerShell provides commands to return the list of deleted Office 365 users. This PowerShell command returns all the deleted user accounts in the recycle bin with the GUID for the user.
Get-MsolUser -ReturnDeletedUsers
Here are the PowerShell commands to remove the user account from the Deleted Users folder using the user e-mail address:
Remove-MsolUser -UserPrincipalName <user@yourdomain.com> -RemoveFromRecycleBin
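As an added example (not code from the book), the following PowerShell wraps the two commands above together with the deletion checklist from this section: a read-only readiness check for steps 1 to 5, a purge from the recycle bin that prompts for confirmation, and the restore counterpart. It assumes the MSOnline module plus an Exchange Online PowerShell session (Get-Mailbox), both already connected as a global administrator; the e-mail addresses are placeholders.

```powershell
# Added example, not the book's own code. Assumes the MSOnline module and an Exchange Online
# PowerShell session (Get-Mailbox), both already connected as a global administrator.

function Get-UserDeletionReadiness {
    # Read-only check of steps 1 to 5 of the deletion checklist for one account.
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $mbx  = Get-Mailbox -Identity $UserPrincipalName -ErrorAction Stop
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # EmailAddresses holds entries such as SMTP:primary@x (upper case = primary),
    # smtp:alias@x and SIP:user@x; SIP entries stay, as step 3 says
    $smtp    = @($mbx.EmailAddresses | Where-Object { $_ -like 'smtp:*' })
    $primary = @($smtp | Where-Object { $_ -clike 'SMTP:*' })[0] -replace '^SMTP:', ''
    $custom  = @($smtp | Where-Object { $_ -notlike '*.onmicrosoft.com' })

    $litigation = [bool]$mbx.LitigationHoldEnabled                          # step 1
    $inPlace    = @($mbx.InPlaceHolds).Count                                 # step 1
    $archive    = ($mbx.ArchiveStatus -eq 'Active')                          # step 2
    $licenses   = @($user.Licenses | ForEach-Object { $_.AccountSkuId })     # step 5

    [pscustomobject]@{
        User                  = $UserPrincipalName
        LitigationHold        = $litigation
        InPlaceHoldCount      = $inPlace
        ArchiveEnabled        = $archive
        CustomDomainAddresses = $custom      # step 3: aliases still to remove
        PrimaryAddress        = $primary     # step 4: should be the onmicrosoft.com name
        Licenses              = $licenses
        # Ready when every hold, archive and alias item is clear; licenses are left to the
        # caller because step 5 depends on whether the mail is being kept
        ReadyToDelete = (-not $litigation -and $inPlace -eq 0 -and -not $archive -and
                         $custom.Count -eq 0 -and ($primary -like '*.onmicrosoft.com'))
    }
}

function Get-DeletedUsers {
    # The recycle bin, with the GUID and deletion time of each account
    Get-MsolUser -ReturnDeletedUsers |
        Select-Object UserPrincipalName, ObjectId, SoftDeletionTimestamp
}

function Remove-DeletedUserPermanently {
    # Purge one account from Deleted Users. Confirmation is on by default because the
    # 30-day restore window ends the moment the purge succeeds.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $deleted = Get-MsolUser -ReturnDeletedUsers |
               Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
    if (-not $deleted) { throw "$UserPrincipalName is not in the Deleted Users recycle bin" }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Purge from recycle bin (cannot be restored)')) {
        Remove-MsolUser -UserPrincipalName $UserPrincipalName -RemoveFromRecycleBin -Force
    }
}

function Restore-DeletedUser {
    # Counterpart of the Restore button; -AutoReconcileProxyConflicts lets the restore
    # proceed when an e-mail address of the deleted account has since been reused
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    Restore-MsolUser -UserPrincipalName $UserPrincipalName -AutoReconcileProxyConflicts
}

# Usage (placeholder addresses):
# Get-UserDeletionReadiness -UserPrincipalName 'jane@example.com' | Format-List
# Get-DeletedUsers | Format-Table
# Remove-DeletedUserPermanently -UserPrincipalName 'jane@example.com'   # prompts before purging
# Restore-DeletedUser -UserPrincipalName 'jane@example.com'
```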

Users: Restoring

To restore deleted users, select “Users and groups” and then “Deleted users.” You can then select the user account you want to restore. Deleted users remain in your Office 365 Deleted Users recycle bin for 30 days, depending on the configuration of Office 365. Figure 8-38 shows the deleted users restoration option. Just select the user and then click Restore. You can only restore users to the same license provisioned to the user account when the account was deleted.
Figure 8-38: Restoring a deleted user

After you select the user to restore, Office 365 will confirm the restoration and allow you to set the password as well as decide whether the user should reset the password on login to the Office 365 services.

Note

If you attempt to restore a user and it fails because the account is managed by a different service, use the Restore-MsolUser PowerShell command to restore the user account.

Users: Renaming

Renaming a user display name is a simple process: select the user account from the Office 365 admin center, followed by Actions, and then the property you want to change (see Figure 8-39).
Figure 8-39: Changing a user’s properties

After you select the user, select the edit function for the area that you want to change. For example, you can select the user name/e-mail address and change the username, add an e-mail alias, and set the domain as the primary login address (see Figure 8-40) of the user.
Figure 8-40: Editing the user e-mail address and login domain

Note

If you want to change the user e-mail address to a different alias, you can do that when you edit the user account. The e-mail alias will be set only if the alias e-mail address does not exist on any other user account. If the e-mail alias does exist on another user, the change you made will fail.

Config: Groups (Office 365 and Security Groups)

Groups are used to manage permissions globally in Office 365. Security groups can be used in several ways, depending on your business needs. You can use them to filter user and administrator permissions (useful in large organizations), to isolate groups of users from each other, and to manage access to federated services (such as Intune and Azure services). You can also use them to manage permissions for individual services. SharePoint, for example, can use security groups to grant or restrict access to different site libraries: the SharePoint site is designed, security groups are created for its functional areas, and the global administrator adds accounts to those groups according to the business requirements. Users added to a security group inherit the permissions needed to access the corresponding areas in SharePoint.

Creating security groups is easy. Sign in as an administrator, and select Groups (select grid, then Admin ➤ Admin Center ➤ Groups ➤ Groups). Click the + to add a new Office 365 group or a security group (see Figure 8-41).
Figure 8-41: Selecting or creating a new group

If you’re looking to create a different type of group (other than a distribution group), select the type of group from the drop-down (see Figure 8-42) and then follow the same steps for creating a new group.
Figure 8-42: Creating a different type of group

Config: External Sharing

Administrators use the external sharing settings to control external access to Office 365. Office 365 is designed for collaboration. As an administrator, you control how SharePoint (aka sites), calendars, and Teams are shared. There are two steps to managing collaboration: enabling the service for external users (setting the capability on or off) and configuring the individual services (SharePoint, Skype for Business account) in the various admin centers. If you disable the global options, the local service options will not offer those external features. You should configure the services for external sharing as shown in Figure 8-43.
Figure 8-43: Office 365 admin center: external sharing settings

Config: External Sharing, Sites

If you select “Site settings,” you get the controls needed to manage external sharing for the Office 365 SharePoint services and OneDrive for Business. The “sites” sharing controls are used to enable these services for external access. As an administrator, you can define how you share externally. In Figure 8-44, you can see three different models for sharing Office 365 content.

Note

Authentication requires that you have an Office 365 Work account or a Microsoft account. A Microsoft account can be any e-mail address. When you create a Microsoft account, you are adding additional security credentials to your e-mail address. To create a Microsoft account, go to http://account.live.com.

Figure 8-44: Office 365 admin center: external sharing settings

Once you have set up global sharing, the next step is to configure the individual sites (see Figure 8-45). Go to the SharePoint admin center (select Grid and then Admin ➤ Admin Center ➤ Admin Centers ➤ SharePoint). When you create a new SharePoint site, the default sharing is off, and you need to enable sharing. To enable sharing, select the site, click the Sharing icon, and then define how you want to share the site. If you want to control the OneDrive for Business sharing, select the site that has -my in its name. This is https://kamindsecure-my.sharepoint.com (also known as the OneDrive for Business sites).
Figure 8-45: SharePoint admin center: external sharing settings

This is how an administrator manages the external access to different sites. Administrators have the permission to set the allowed sharing (with logins, without logins, or disabled altogether). Administrators also can manage the external users that have shared documents (see Figure 8-46).
Figure 8-46: Managing external sharing on SharePoint Site and OneDrive for Business
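As an added example (not code from the book), the following PowerShell covers the two-step model just described from the command line: it audits each site collection’s sharing level against the tenant-wide setting, sets a single site’s level while refusing a value the tenant setting would cap anyway, and lists the external users who hold shares on a site. It assumes the SharePoint Online Management Shell connected with Connect-SPOService as a global administrator; <tenant> and the site URL are placeholders.

```powershell
# Added example, not the book's own code. Assumes the SharePoint Online Management Shell
# (Microsoft.Online.SharePoint.PowerShell) connected as a global administrator with
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com     (<tenant> is a placeholder)

# Sharing levels, least to most permissive; the last three are the models in Figure 8-44
$script:SharingRank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1   # only people already in the directory
    ExternalUserSharingOnly         = 2   # external users must sign in
    ExternalUserAndGuestSharing     = 3   # anonymous (no login) links allowed
}

function Get-SiteSharingAudit {
    # Compare every site collection with the tenant-wide setting. The tenant level is the
    # ceiling, so the finding to look for is a site set above it: that setting becomes
    # live the moment someone relaxes the global option.
    $tenantLevel = [string](Get-SPOTenant).SharingCapability
    foreach ($site in Get-SPOSite -Limit All) {
        $siteLevel = [string]$site.SharingCapability
        if (-not $script:SharingRank.ContainsKey($siteLevel)) {
            Write-Warning "$($site.Url): unknown sharing level '$siteLevel'"
            continue
        }
        $aboveTenant = $script:SharingRank[$siteLevel] -gt $script:SharingRank[$tenantLevel]
        $effective   = if ($aboveTenant) { $tenantLevel } else { $siteLevel }
        [pscustomobject]@{
            Url                = $site.Url
            SiteSharing        = $siteLevel
            TenantSharing      = $tenantLevel
            EffectiveSharing   = $effective
            MoreOpenThanTenant = $aboveTenant
        }
    }
}

function Set-SiteSharing {
    # Step two of the text, for one site: refuse a level above the tenant setting so the
    # recorded site setting always matches the effective one.
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly',
                     'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string] $Level
    )
    $tenantLevel = [string](Get-SPOTenant).SharingCapability
    if ($script:SharingRank[$Level] -gt $script:SharingRank[$tenantLevel]) {
        throw "Tenant sharing is '$tenantLevel'; raise it first or choose a lower level for $Url"
    }
    Set-SPOSite -Identity $Url -SharingCapability $Level
}

function Get-SiteExternalUsers {
    # The external users who have accepted shares on one site (the view in Figure 8-46),
    # paged 50 at a time, which is the cmdlet's maximum page size
    param([Parameter(Mandatory)] [string] $SiteUrl)
    $position = 0
    do {
        $page = @(Get-SPOExternalUser -SiteUrl $SiteUrl -Position $position -PageSize 50)
        foreach ($u in $page) {
            [pscustomobject]@{
                Site       = $SiteUrl
                Email      = $u.Email
                AcceptedAs = $u.AcceptedAs
                Invited    = $u.WhenCreated
            }
        }
        $position += $page.Count
    } while ($page.Count -eq 50)
}

# Usage (placeholder URL):
# Get-SiteSharingAudit | Where-Object MoreOpenThanTenant | Format-Table
# Set-SiteSharing -Url 'https://<tenant>.sharepoint.com/sites/projects' -Level ExternalUserSharingOnly
# Get-SiteExternalUsers -SiteUrl 'https://<tenant>.sharepoint.com/sites/projects' | Format-Table
```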

Config: External Sharing, Calendar

Administrators can also control the way calendars are shared. For example, you may want external users to see the details in your calendar when they receive a meeting invite; likewise, you may want to restrict the information to free/busy. The settings in Figure 8-47 apply to all users globally, regardless of their individual settings.
Figure 8-47: Managing external sharing of calendar for Office 365 users

Config: External Sharing, Teams

Teams is the business version of Skype. Business users can communicate with other business users by using an e-mail address, if sharing is enabled in the Office 365 account. Skype users can communicate with Teams users only if the administrator has allowed this option. In both cases, you need the e-mail address of the user to speak with them. To set up Teams sharing, go to the Teams admin center (select Grid, then Admin ➤ Admin Center ➤ Admin Centers (at bottom) ➤ Teams & Skype for Business). If you purchased the Teams calling plans, we’ll walk you through the configuration steps later in the chapter. The basic sharing configuration (allowing you to speak with other Teams users and Skype users) is controlled as shown in Figure 8-48.
Figure 8-48: Setting global options for Teams

Admin Center: OneDrive for Business

OneDrive for Business subscriptions have gone through a lot of changes since the service was released in 2014. The old SharePoint client is obsolete; users can use the same sync client for all OneDrive activities (including SharePoint). The file size limits have changed considerably, and the new sync client can sync up to 100,000 files (see Figure 8-49). If an Office 365 tenant has 5 users or more, OneDrive for Business Plan 2 has unlimited storage; otherwise, it is limited to 5TB. OneDrive plans allow you to store files up to 15GB in size. There are limitations on file names (see https://support.office.com/en-us/article/invalid-file-names-and-file-types-in-onedrive-onedrive-for-business-and-sharepoint).
Figure 8-49: OneDrive for Business limits

Along with the changes in OneDrive for Business, a new admin center gives visibility into the usage. Administrators can manage OneDrive from either the PowerShell or GUI interface. Figure 8-50 shows the usage reporting available for OneDrive for Business.
Figure 8-50: OneDrive for Business usage

The OneDrive for Business administration site has changed. Administrators can select the OneDrive administration (see Figure 8-51). The new admin center will allow you to set the necessary controls on your Office 365 tenant. These controls include sharing, sync, storage size, device access, compliance, and notifications.
Figure 8-51: OneDrive for Business usage report

The approach for OneDrive for Business administration is to enable the service for collaboration. As an administrator, you will need to review the configuration and set up some limits. When we add a new client to our managed services, we have a discussion with the customer about the limits:

Sharing: Do you limit sharing to external companies; if so, what are the limits?

Sync: Do you enable the desktop sync client?

Storage: Set to 5TB limits and 1,530-day data retention (see Figure 8-52).
Figure 8-52: OneDrive for Business with 5TB limits and 1,530-day retention

Device access: Do you limit this to known IP addresses and deploy policies?

Compliance: What alerts do we set to manage OneDrive activity?

Notifications: How do you communicate to the end user?

These are typically questions that need to be answered by the compliance officer. Data is the company’s lifeblood. The Office 365 OneDrive admin center allows you to place strategic controls over the management of the information to prevent data loss in the organization. One of the first questions asked is how to limit external access (see Figure 8-53). The typical follow-up question is how to limit the devices that can connect to OneDrive for Business.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig53_HTML.jpg
Figure 8-53

OneDrive for Business sharing

As you look through the OneDrive for Business configuration, refer to the questions asked earlier, explore the OneDrive for Business admin center, and set up the configuration to match your organization. As an example, if you want to allow OneDrive for Business only from approved devices, you can do that with the device access controls (see Figure 8-54). OneDrive for Business allows you to do the following:
  • Limit access from specific IP addresses (lock it to a company’s Internet)

  • Deploy a policy for Mobile Device Management

OneDrive for Business can sync files as large as 15GB each and libraries of up to 100,000 files. With the storage limit of 5TB per user (and more on request), there is a lot of flexibility.

Note

OneDrive for Business supports two different deployment plans. Plan 2 is for subscriptions that are E3 or higher. Plan 1 is for all other plans.

../images/429219_1_En_8_Chapter/429219_1_En_8_Fig54_HTML.jpg
Figure 8-54

OneDrive for Business device management and mobile policy
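The same limits can be applied from PowerShell, which is the better choice when you manage several tenants and want the settings recorded. The following is an added example, not code from the book; it uses the SharePoint Online Management Shell (Install-Module Microsoft.Online.SharePoint.PowerShell). The admin URL, the partner domain, and the office IP range are placeholders for your own tenant.

```powershell
# Added example (not the book's code): apply the OneDrive sharing, storage, retention and
# device-access limits discussed above with the SharePoint Online Management Shell.
# Placeholders: the tenant admin URL, 'partner.example' and the 203.0.113.0/24 range.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # assumed admin URL; prompts for sign-in (MFA-capable)

$props = 'SharingCapability', 'SharingDomainRestrictionMode', 'SharingAllowedDomainList',
         'OneDriveStorageQuota', 'OrphanedPersonalSitesRetentionPeriod',
         'IPAddressEnforcement', 'IPAddressAllowList'

# Snapshot the current tenant settings first so the change is reviewable and reversible.
$before = Get-SPOTenant | Select-Object $props

$settings = @{
    # Sharing: external users must sign in (no anonymous links) and may only come from listed domains.
    SharingCapability                    = 'ExternalUserSharingOnly'
    SharingDomainRestrictionMode         = 'AllowList'
    SharingAllowedDomainList             = 'partner.example'   # assumed partner domain
    # Storage: the quota parameter is in MB, so 5 TB = 5242880. A departed user's OneDrive is
    # kept for 1530 days before deletion (the value used in Figure 8-52).
    OneDriveStorageQuota                 = 5TB / 1MB
    OrphanedPersonalSitesRetentionPeriod = 1530
}
Set-SPOTenant @settings

# Device/network access: only the office egress range may reach SharePoint and OneDrive.
# Apply this last, from inside that range: it also governs the admin session you are in.
Set-SPOTenant -IPAddressAllowList '203.0.113.0/24' -IPAddressEnforcement $true   # assumed range

# Print before/after for the change record.
$after = Get-SPOTenant | Select-Object $props
foreach ($p in $props) {
    [pscustomobject]@{ Setting = $p; Before = $before.$p; After = $after.$p }
} | Format-Table -AutoSize
```

The IP allow list is enforced for every SharePoint and OneDrive connection, including the admin session and every sync client, so confirm the egress range with the network team before turning enforcement on; an incorrect range locks the whole organization, administrators included, out of the service until it is corrected from an allowed address.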

Admin Center: Teams & Skype

Teams (which now includes the Skype for Business features) is a full-featured communications tool that supports file sharing, web conferencing, voice calling, and much more. Teams integrates with Exchange and, with the Phone System add-on, acts as the phone switch for incoming calls. Large organizations use Teams as a desk-phone replacement and let their users run the Teams client on any mobile or desktop device. Teams supports enterprise voice (full-duplex calling, so both parties can talk at the same time). Teams is a powerful and popular business communication tool, and its traffic is encrypted in transit between the clients and the service. The Teams phone system services are a $4 to $24 per-user add-on to Enterprise subscriptions in most states.

Note

If you are having trouble with file transfer on Teams clients, download a new version of the Teams client from Office 365 or run an online repair on the Office 2016 installation.

../images/429219_1_En_8_Chapter/429219_1_En_8_Fig55_HTML.jpg
Figure 8-55

Accessing the Teams administration center

Teams: Federation

Skype for Business is configured to communicate with external users (federation). To verify the configuration, open the Teams admin center from the Office 365 dashboard (under the Admin tab), and then select "organization" and "external communications" (see Figure 8-56). Enabling federation can take up to 12 hours to propagate; if external communication still does not work after that period, submit a service request to Microsoft Online Services. Once the service is provisioned, you are enabled for external communications.

Note

It is recommended that you verify the domain prior to enabling Teams federation. If you enable the onmicrosoft.com domain, there may be some service downtime when you switch over to the verified domain.

../images/429219_1_En_8_Chapter/429219_1_En_8_Fig56_HTML.jpg
Figure 8-56

Enabling external communications

Teams: Voice

Teams supports domestic and international voice. The configuration requires that you have properly set up and verified DNS. Teams allows you to port existing numbers to the service or to acquire new numbers for your users (see Figure 8-57). Teams voice management is in the legacy Skype for Business administration center.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig57_HTML.jpg
Figure 8-57

Teams admin center

There are five steps to configure Office 365 Teams voice: acquire phone numbers, set an emergency response location, assign the numbers to users, verify that voice has been provisioned, and finally port any existing numbers.

Step 1: Add Phone Numbers

Adding phone numbers is a straightforward process. Select the “phone numbers” option, followed by +, and then add the new numbers (see Figure 8-58).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig58_HTML.jpg
Figure 8-58

Adding numbers in the Teams (Skype for Business) admin center

Teams phone numbers are grouped into two types: user numbers (assigned to people) and service numbers (used by conferencing bridges, auto attendants, and call queues). Select the type you need. You can check your location to see whether a phone number is available (see Figure 8-59). Enter the desired quantity of numbers, and Teams will attempt to reserve them.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig59_HTML.jpg
Figure 8-59

Selecting a phone number for Teams (Skype for Business)

The phone numbers are available for only a few minutes. The phone number request is from the telephony service provider. If you do not select the phone numbers, they will be returned to Microsoft for allocation to other users.

Note

Teams voice is a new service. Like any VoIP service, it is best to configure the service to meet the business needs (use the number provided). Once you are ready to transition to the new service, then port the phone numbers. Number porting is not instantaneous.

Step 2: Add an Emergency Response Location

Once you have your phone number, you can set an emergency response location (see Figure 8-60).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig60_HTML.jpg
Figure 8-60

Assigning an emergency location

Step 3: Assign Phone Numbers to Users

Once you have your emergency response location set up, the next step is to assign the phone number to the different user accounts. Select the user account (see Figure 8-61) and assign (or remove) one of the phone numbers you allocated from the previous step.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig61_HTML.jpg
Figure 8-61

Assigning phone numbers to user for a conference room

Once you assign the phone number to the user, you have completed the configuration of the Teams voice system. The Save button is enabled only after an emergency location has been assigned (see Figure 8-62).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig62_HTML.jpg
Figure 8-62

Assigning phone numbers in Skype for Business

Step 4: Verify That Voice Has Been Provisioned

Have your user log out of Teams and then log back in. The dial pad will show up once the user logs back in to the service (see Figure 8-63).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig63_HTML.jpg
Figure 8-63

Verifying that the voice number is set up for the user’s Skype for Business client

At this point, you are ready to use the service. There are additional configurations of voice systems that you may want to have the user complete. For example, we let our desk (Skype for Business) and our smartphones ring at the same time. To access the ring options, select Tools ➤ Options (under the gear; see Figure 8-64) and then adjust the time length for the phone to ring.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig64_HTML.jpg
Figure 8-64

Accessing the Teams options

We have found that setting the phone number to ring for 35 seconds is about the right amount of time to have the phone ring on our cell phone (and be able to answer the call). You set this option under “Call forwarding” in your Teams client.

Note

Make sure that you test the ring delay for voicemail. The default setting, 20 seconds, is too short to ring to a third number; 35 seconds is a better ring delay to launch Teams on your cell phone and to answer the call (see Figure 8-65).

../images/429219_1_En_8_Chapter/429219_1_En_8_Fig65_HTML.jpg
Figure 8-65

Setting the voice options for 35 seconds

Step 5: Port the Phone Numbers

After you have tested the service, you are ready to port your phone number to the service. In the Teams admin center, select “Voice” and “Port numbers.” This is not an instantaneous process.

Note

Porting phone numbers can be complicated. In the Portland (Oregon) area, we have phones that are caught in an artificial rate district: you are charged a forwarding fee, and the number is locked against transfer. What has worked for us in these cases is to port the number to a cell carrier, wait a month, and then port the number to Skype for Business. Check your state's regulations on number porting before using this approach.

Skype for Business: Conferencing Add-on

There are several conferencing suppliers for Skype for Business. To see the providers, in the Teams admin center, select the "dial-in conferencing" tab (see Figure 8-66). You can use Microsoft or a third-party supplier (such as InterCall). Configuring the Microsoft service is simple: assign an Audio Conferencing (Teams conferencing) license to the user and enable the service. Microsoft service numbers come with the license, so there is nothing else you need to do.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig66_HTML.jpg
Figure 8-66

Teams admin center, provider listings

If you are using a third-party provider, enter the dial-in information for the user account under "dial-in users." Once a user is enabled, the dial-in bridge number and conference ID are inserted automatically into meeting invitations created from Outlook, provided the Teams client and its Outlook add-in are installed on the desktop.

Note

Teams requires that your DNS supplier support service (SRV) records. If your DNS supplier does not support SRV, you need to move your DNS hosting services to a different service.

Admin Center: Exchange

The administration sites shown in the Office 365 admin center are added based on the licenses purchased. Exchange (the e-mail service in Office 365) is a licensed subscription option. The global administrator has access by default; other administrators see only the functions their roles permit. Role-based permissions are controlled in the Office 365 Exchange admin center (EAC), which is located under Admin ➤ Exchange (see Figure 8-67). All the commands in the following section assume you are operating in the Exchange admin center.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig67_HTML.jpg
Figure 8-67

Office 365 admin center

Select Exchange (under admin centers). This is where you manage user accounts with advanced mail flow and mailbox features (see Figure 8-68). If the account is synchronized from on-premises Active Directory, the attributes mastered on-premises (for example, e-mail addresses and group membership) are read-only in the cloud and must be changed in Active Directory and synchronized.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig68_HTML.jpg
Figure 8-68

Office 365 Enterprise Exchange admin center (EAC)

Exchange Administration Roles

The Exchange admin center includes several administration role groups (Table 8-4). These are used to delegate subsets of administrative work to users. The Office 365 global administrator is automatically a member of Organization Management. Even so, the global administrator is not a member of every role group; for example, Discovery Management must be granted explicitly, and adding an account to that role group is an audited action. In large organizations, the global administrator accounts are tightly controlled, and individual user accounts are given administrator permissions based on their job roles. For example, a large company may create a security group of users from one location and give an Exchange administrator a role assignment scoped to that group. That administrator's functions are limited to the users in the scope, in contrast with a global administrator who has access to all accounts.
Table 8-4

Exchange Administrator Roles

Exchange Role Group

Description

AdminAgents

Partner (delegated administration) group. It is present only when a Microsoft partner has delegated admin rights to the tenant; partner administrators act through it with Organization Management-level permissions.

Compliance Management

Members can configure Exchange compliance policies, such as data loss prevention, and other Exchange compliance settings (see the compliance function in the Exchange admin center).

Discovery Management

Members can run In-Place eDiscovery searches and place mailboxes on hold. You must be a member of this role group to access discovery results.

Help Desk

Members can view recipient properties and manage a limited set of user settings (such as Outlook on the web options).

HelpdeskAdmins

Corresponds to the Office 365 (Azure AD) Helpdesk/Password Administrator role; members can reset passwords for non-administrators.

Helpdesk Agents

Partner help desk group (delegated administration); the partner counterpart of HelpdeskAdmins.

Hygiene Management

Members can manage the anti-spam and anti-malware (message hygiene) features of Exchange Online.

ISVMailboxUsers

Third-party application developer mailbox role.

Organization Management

Administrative access to the entire Exchange organization. Members can perform almost any Exchange task, but they are not members of Discovery Management by default and cannot search mailboxes until they add themselves to that role group (an audited action).

Recipient Management

Members can create and modify recipients: mailboxes, contacts, and distribution groups. This is the role group for day-to-day user management, including mailbox moves in a hybrid deployment.

Records Management

Members can configure compliance features such as retention tags and policies, journaling, and transport rules.

Rim-MailBxAdmins

BlackBerry mailbox access for BlackBerry messaging servers (valid only if the BlackBerry service is enabled on Office 365).

TenantAdmins

Corresponds to the Office 365 (Azure AD) global administrator role; global administrators are members automatically.

UM Management

Unified Messaging management role for integrating voicemail and Enterprise Voice with Skype for Business.

View-Only Organization Management

View-only privileges for the Exchange organization. Members cannot modify any Exchange properties.

In larger organizations, different roles are assigned in Exchange. In small organizations, only two are commonly used: the company administrator role (the global admin, which appears in Exchange as Organization Management/TenantAdmins) and Discovery Management. The global admin does not have access to eDiscovery results unless that role group is granted explicitly and the corresponding permission is granted in the eDiscovery (SharePoint) center.

You can assign any of the administrator role groups in Table 8-4 to a user. Our recommendation for assigning administrative permissions follows this model:
  1. Build a security group for the accounts that will be managed. The user who will manage these accounts should be in the security group.

  2. Assign Exchange administration permission to that user, scoped to the newly created security group (see Figure 8-69).

../images/429219_1_En_8_Chapter/429219_1_En_8_Fig69_HTML.jpg
Figure 8-69

Assigning administrative permissions

Once you have assigned permission to the user to manage Exchange users, you can create the necessary user roles (if needed) to manage the group.

Default User Role Defined

All users have a default role assignment policy applied when they are added to Office 365. The default policy defines what a user may change about their own mailbox. For example, the ability to create distribution groups is one of the permissions in the policy; if you don't want users creating their own groups, remove that permission. The permissions that you can change are listed in Table 8-5.
Table 8-5

Default User Role Assignments

Role Assignment

Description

Contact Information

Allows users to change their personal contact information

Profile Information

Allows users to modify their name

Distribution Groups

Allows users to create distribution groups

Distribution Group Membership

Allows users to modify their distribution group memberships

Base Options

Allows users to modify basic operations associated with their mailboxes

Subscriptions

Allows users to change their e-mail subscription options (such as notification of changes to SharePoint, etc.)

Retention Policies

Allows users to change the retention policies associated with their e-mail account

Text Message

Allows users to change their SMS text messaging notification settings

Marketplace Access

Allows users to change the marketplace access to modify or add remote applications

Team Mailboxes

Allows users to create their own team mailboxes with other users

Either create a new role assignment policy or modify the existing one, and change the permissions associated with it. If you modify the default policy, you change it for all users. It is recommended that you create a new policy and then apply it to the user account (or accounts) that need it. To do so, select permissions ➤ user roles. Either create a new policy (click the +) or modify the existing one (click the pencil icon), as shown in Figure 8-70.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig70_HTML.jpg
Figure 8-70

Changing the default user role
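Both of the preceding sections, the scoped Exchange administrator from "Exchange Administration Roles" and the custom policy from "Default User Role Defined," can be done in PowerShell, which makes the least-privilege intent explicit and reviewable. The block below is an added example, not code from the book. It assumes an open Exchange Online PowerShell session; the security group name, the Office attribute value 'Portland', the policy name, and the pilot mailbox address are placeholders.

```powershell
# Added example (not the book's code): scope an Exchange administrator to one location, as the
# text describes, and build a custom end-user role assignment policy instead of editing the
# default one. Assumes an open Exchange Online session. Placeholders: 'Portland Helpdesk'
# (a mail-enabled universal security group), the Office value 'Portland', 'Restricted Users'
# and 'pilot.user@contoso.com'.

# --- Scoped administrator (Table 8-4, least privilege) --------------------------------------
# A management scope limits which recipients a role assignment is allowed to write to.
New-ManagementScope -Name 'Portland Recipients' `
    -RecipientRestrictionFilter "Office -eq 'Portland'"

# Grant the 'Mail Recipients' role (create/modify mailboxes, contacts, groups) to the group,
# write-scoped to Portland. Recipients outside the scope can be read but not changed.
New-ManagementRoleAssignment -Name 'Portland Helpdesk - Mail Recipients' `
    -Role 'Mail Recipients' -SecurityGroup 'Portland Helpdesk' `
    -CustomRecipientWriteScope 'Portland Recipients'

# Verify exactly what the group was given.
Get-ManagementRoleAssignment -RoleAssignee 'Portland Helpdesk' |
    Format-Table Name, Role, CustomRecipientWriteScope

# --- Custom end-user role assignment policy (Table 8-5) -------------------------------------
# Every Table 8-5 permission except distribution-group creation (MyDistributionGroups).
$userRoles = 'MyContactInformation', 'MyProfileInformation', 'MyDistributionGroupMembership',
             'MyBaseOptions', 'MyMailSubscriptions', 'MyRetentionPolicies', 'MyTextMessaging',
             'MyMarketplaceApps', 'MyTeamMailboxes'
New-RoleAssignmentPolicy -Name 'Restricted Users' -Roles $userRoles

# Apply it to a pilot mailbox first; the default policy and everyone on it stay untouched.
Set-Mailbox -Identity 'pilot.user@contoso.com' -RoleAssignmentPolicy 'Restricted Users'
Get-Mailbox -Identity 'pilot.user@contoso.com' | Format-List RoleAssignmentPolicy
```

The scope is a recipient filter, so it is only as good as the attribute it keys on: if the help desk can edit the Office attribute of a mailbox, it can move that mailbox into its own scope. Keep the scoping attribute synchronized from on-premises Active Directory or restricted to an unscoped administrator.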

Exchange: Conference Room, Configuration

Office 365 provides a resource called meeting room. Meeting rooms are used to control resources that are limited and need to be managed through scheduling. To set up a meeting resource, log in to Office 365 as an administrator and select Admin center ➤ Exchange ➤ Exchange admin center (EAC).

Creating a conference room is simple. In the EAC, select recipients ➤ resources (see the drop-down in Figure 8-71), click +, and select "Room mailbox." This sets up the meeting room with a default configuration: when the room is booked, other users see only a busy status. Additional configuration changes can be made on conference rooms, but some of them have no GUI interface and must be made using PowerShell.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig71_HTML.jpg
Figure 8-71

Creating a new conference room

When you create the meeting room, the first order of business is to assign users that have permission to book the meeting room. These users are called delegate users . You have two options on meeting rooms: allow all users to book meeting rooms (default) or allow restricted users to book meeting rooms. Provide the name of the meeting room and select the appropriate option; then click OK (see Figure 8-72).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig72_HTML.jpg
Figure 8-72

Configuring a conference room

The room is configured with the default setting of showing only a busy status. Resource mailboxes are versatile: you can use the same mechanism to reserve any type of resource, such as equipment (the EAC also offers an equipment mailbox type for that purpose). Remember that a resource mailbox represents a single resource, so to manage several rooms or devices you need to create a resource mailbox for each one. After you have created the room, you can modify its capabilities from the Exchange admin center or from the Office 365 admin center (see Figure 8-73).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig73_HTML.jpg
Figure 8-73

Reviewing conference room characteristics

Exchange: Conference Room, PowerShell Modification

Conference and resource rooms provide the basic configuration for use, but additional options can be set only with PowerShell. For example, the default calendar processing removes the subject and body of each booking, so other users cannot see who booked the room or why. If you want to make those details visible, run the following PowerShell commands.

Set full details of a conference room using PowerShell:
Set-CalendarProcessing -Identity ingoodtaste1 -AddOrganizerToSubject $true -DeleteComments $false -DeleteSubject $false

Set limited details of a conference room using PowerShell (Default is the everyone-in-the-organization entry on the calendar, and the access right is LimitedDetails):
Set-MailboxFolderPermission -Identity ingoodtaste1:\Calendar -User Default -AccessRights LimitedDetails

Note

If you want to approve conference room use, the e-mail address of the "approver" must have fully delegated rights over the conference room resource mailbox.
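The following is an added example, not code from the book, that puts the two commands above into one repeatable room build, including the approval flow described in the note. It assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module); the room alias is the one used above, and the approver group name is a placeholder.

```powershell
# Added example (not the book's code). Assumes an Exchange Online PowerShell session is already
# open. 'ingoodtaste1' is the room alias from the commands above; 'RoomApprovers' is an assumed
# mail-enabled security group (or a user) that approves bookings.
$room      = 'ingoodtaste1'
$approvers = 'RoomApprovers'

# 1. Create the room mailbox. Resource mailboxes need no license.
New-Mailbox -Name 'In Good Taste 1' -Alias $room -Room

# 2. "Full details": keep the organizer in the subject and keep the body, instead of the
#    default processing that blanks the subject and deletes the comments.
Set-CalendarProcessing -Identity $room -AddOrganizerToSubject $true `
    -DeleteSubject $false -DeleteComments $false

# 3. Require approval: bookings are no longer auto-accepted for everyone (AllBookInPolicy off);
#    requests go to the delegates, who thereby hold rights on the resource calendar.
Set-CalendarProcessing -Identity $room -AutomateProcessing AutoAccept `
    -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates $approvers

# 4. "Limited details": everyone else sees subject and location rather than only free/busy.
Set-MailboxFolderPermission -Identity "$($room):\Calendar" -User Default -AccessRights LimitedDetails

# Verify the effective processing settings and who can see what.
Get-CalendarProcessing -Identity $room |
    Format-List AutomateProcessing, AllBookInPolicy, AllRequestInPolicy, ResourceDelegates,
                AddOrganizerToSubject, DeleteSubject, DeleteComments
Get-MailboxFolderPermission -Identity "$($room):\Calendar" | Format-Table User, AccessRights
```

Showing the organizer and subject is a disclosure decision, not only a convenience: board meetings, HR interviews, and legal calls booked into a shared room become visible to everyone with LimitedDetails. Decide per room, and keep sensitive rooms on the default free/busy setting.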

Exchange: Adding an Alias E-mail Address to a User

It is simple to add an alias e-mail address. Earlier we added the e-mail alias for the main Office 365 admin center. In this case, we are adding the alias from the Exchange admin center. To add an alias, select the user account, click Edit, and select the e-mail address (see Figure 8-74). Enter the new e-mail “alias” address for the user. The domain must be verified in Office 365; otherwise, the alias will not be added.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig74_HTML.jpg
Figure 8-74

Adding a new e-mail address to an existing account

Exchange: Changing a User E-mail Account Primary Domain

Office 365 supports multiple domains and multiple e-mail aliases per account. In some cases, an Office 365 organization may need to change to a new domain (for example, after a company merger or a branding change). Making the change for all users is not difficult: verify the new domain (add the MX, autodiscover, and Skype for Business/Teams DNS records), add the new addresses to the existing users, and set the reply address to the new alias. What you cannot do is change the <domain>.onmicrosoft.com name. If you need to change <domain>.onmicrosoft.com, you must migrate to a new Office 365 organization.

Step 1: Validate the New Domain

Complete a validation for the new domain with the domain intent set to Exchange and Skype for Business. Follow the instructions discussed in Chapter 5 and in this chapter’s “Config: Domains” section.

Step 2: Add the User Alias and Set the Reply Address

Add the new e-mail alias to all the users needing a domain change. If a user's primary e-mail address is changing, select the "Make this the reply address" option. This changes the user's primary SMTP address; the sign-in name (user principal name) is separate, so if users should also log in with the new domain, change the username in the Office 365 admin center as well. Otherwise this step is no different from adding an alias to a user (as discussed earlier).

Note

When the sign-in name is changed, Outlook prompts the user to log in again with the new credentials. Outlook recognizes that the mailbox is the same and links the existing Outlook profile to the corrected e-mail address.

Exchange: Adding Shared Mailbox

There are two methods for adding a shared Exchange mailbox. The approach you use depends on the capabilities that you want the mailbox to have. If you need to receive information on a mobile device or if you require the mailbox to be an archive for long-term storage, then you need to use a licensed mailbox. If you do not need these features and you want to have access only via Outlook, then the mailbox does not need to have a license. We have outlined the choices in Table 8-6.
Table 8-6

Shared Mailbox Options

Approach

Cost (monthly)

Data Size

Capabilities

Shared licensed mailbox

$4–$8

50GB (Plan 1) or 100GB (Plan 2), with an archive mailbox

Can be received on smartphones (ActiveSync support)

Exchange shared mailbox

$0

50GB limit (no license)

No ActiveSync; access through Outlook or Outlook on the web only

The key decision factor for most users is to receive the information on smartphones. This requirement dictates that you use an Office license rather than a free, shared mailbox.

Exchange: Shared Mailbox, Using with a Smartphone and Outlook

Smartphone devices require an ActiveSync connection, which only a licensed mailbox provides. You add a licensed shared mailbox the same way you add any user mailbox to Office 365. The difference is that you then assign delegated rights to the users who will work from it, so that Outlook access is attributable to individuals. Where a phone must sign in as the mailbox itself, treat that credential like any other account password: unique, rotated when staff leave, and protected with multifactor authentication. Once the mailbox has been created, assign the share rights to it.

To add a shared mailbox, follow these steps:
  1. Purchase an Exchange Plan 1 (or Plan 2) mailbox license.

  2. Assign the license to a user account created for the shared mailbox.

  3. Assign delegated rights on the mailbox to the users who will work from it.

In the Exchange admin center, highlight the user account, click Edit (the pencil icon), and then select the e-mail address (see Figure 8-75). Select “mailbox delegation” and then add the user for both Full Access and Send on Behalf. Click OK when done. The mailbox is modified.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig75_HTML.jpg
Figure 8-75

Adding delegated rights to a mailbox

Exchange: Shared Mailbox, Using Only with Outlook

If you need to add a shared mailbox for use only with Outlook (and you do not want to use a license), you can create a shared mailbox in the Exchange admin center and then add the user as a delegated user to the mailbox.

In the Exchange admin center, click Shared. Create a shared mailbox. In this case, we created a mailbox called CompanyCal (see Figure 8-76). Select the mailbox and then “mailbox delegation.” Add the users who will access the shared mailbox. Click OK when completed. The shared mailbox will appear in Outlook for each user added as a delegated user.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig76_HTML.jpg
Figure 8-76

Adding a free shared mailbox

Exchange: Shared Mailbox, Using PowerShell

In some cases, you need to use PowerShell to set up and configure a shared mailbox. You need to run two PowerShell commands: one to set the permission and the other to set the behavior of the shared mailbox. Once you have modified the shared mailbox, the configuration is updated in the Outlook client at the next login. In this example, Identity is the shared mailbox, and User and Trustee mean the person who has access to the shared mailbox.

Step 1: Add the Recipient Permissions
Add-RecipientPermission -Identity [email protected] -Trustee [email protected] -AccessRights SendAs
Step 2: Add Mailbox Access Permissions
Add-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess -InheritanceType All
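The two commands above grant access but leave no record of who else already has it. The block below is an added example, not code from the book: it creates a license-free shared mailbox, applies both permissions, turns on mailbox auditing, and then lists every principal holding Full Access or Send As. It assumes an open Exchange Online PowerShell session; the mailbox and user addresses are placeholders.

```powershell
# Added example (not the book's code): create a license-free shared mailbox, grant one user the
# two permissions from the commands above, enable mailbox auditing, and list everyone who holds
# Full Access or Send As so the grant can be reviewed. Assumes an open Exchange Online session.
# Placeholders: 'helpdesk@contoso.com' (the shared mailbox) and 'alice@contoso.com' (the user).
$shared = 'helpdesk@contoso.com'
$user   = 'alice@contoso.com'

New-Mailbox -Shared -Name 'Helpdesk' -PrimarySmtpAddress $shared

# Full Access; AutoMapping makes Outlook add the mailbox at the user's next sign-in.
Add-MailboxPermission -Identity $shared -User $user -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $true

# Send As: mail appears to come from the shared address itself.
Add-RecipientPermission -Identity $shared -Trustee $user -AccessRights SendAs -Confirm:$false

# Shared mailboxes are a favourite place for an intruder to park a forwarding or inbox rule.
# Audit delegate actions so they appear in the unified audit log.
Set-Mailbox -Identity $shared -AuditEnabled $true `
    -AuditDelegate SendAs, SendOnBehalf, Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateInboxRules

# Review: who holds explicit Full Access or Send As (system entries filtered out).
function Get-SharedMailboxAccess {
    param([string]$Mailbox)
    $full = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Principal = $_.User; Right = 'FullAccess' } }
    $send = Get-RecipientPermission -Identity $Mailbox |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Principal = $_.Trustee; Right = 'SendAs' } }
    @($full) + @($send)
}
Get-SharedMailboxAccess -Mailbox $shared | Format-Table -AutoSize
```

Run Get-SharedMailboxAccess against every shared mailbox periodically (Get-Mailbox -RecipientTypeDetails SharedMailbox feeds it the list): delegations accumulate as staff move roles and are rarely removed. Mailbox auditing has been on by default for licensed tenants since 2019, but setting it explicitly costs nothing and documents the intent.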

Exchange: Adding a Distribution Group

There are three different types of distribution groups: distribution groups, mail-enabled security groups, and dynamic distribution groups. When you add a group (see Figure 8-77), you select a group based on the business role that you want the group to perform.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig77_HTML.jpg
Figure 8-77

Adding a new group: security, distribution, or Office 365 group

There are different view types for groups, and the group you use comes down to the management view. In general, security groups are not mail-enabled and are managed externally to the Exchange admin center. Security groups are created in the Office 365 admin center and are managed from Office 365, not the Exchange admin center. Typically, you create a distribution group or Office 365 groups. If you are a large organization, you create a dynamic distribution group.
Table 8-7

Distribution Group Types

Group Type

Description

Distribution group

Distribution groups are mail-enabled groups. An e-mail that is sent to the distribution group is sent to all members.

Office 365 group

Automatically created groups that are built with an Exchange mailbox, a SharePoint site, and third-party tool access. These are collaboration groups.

Security group

Security groups are groups that are used to grant permissions. In some cases, these may be mail enabled. It is recommended that you do not use mail-enabled security groups.

Dynamic distribution group

This is a distribution group that has a variable number of members based on filters and conditions in Active Directory.

Step 1: Create the Distribution Group

In the Exchange admin center, select “recipients” and “groups” (see Figure 8-78). Verify that the distribution group is being created; otherwise, an Office 365 group is created. Add the group by clicking the + and then select the distribution group to be added.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig78_HTML.jpg
Figure 8-78

Adding a new distribution group

Step 2: Define the Distribution Group

Fill in the information about the distribution group. When you first create the group, leave the defaults in place. You must specify an owner of the group and any initial members you want to add (see Figure 8-79).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig79_HTML.jpg
Figure 8-79

Defining the distribution group

Step 3: Enable the Group for External Access

After you have created the group and saved it, the group is set up for internal access. If you want to enable the group for external access, you must edit the group and enable the external access options (see Figure 8-80). Select the group, click Edit, and then select the “delivery management” option. This is a two-step process. You must create an internal distribution group (and save it) before you can enable it for external access.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig80_HTML.jpg
Figure 8-80

Settings for external delivery

Exchange: Using Alias to Send to/Receive from E-mail

You may want to use a different e-mail address to send and receive e-mail. Office 365 sends only from the mailbox's primary e-mail address; a user cannot pick one of their own aliases as the From address. The workaround is to create a distribution group with the alias address and grant the user Send As permission on it, either in the Exchange admin center or with PowerShell. Log in to the Office 365 admin center, and on the Admin tab, select Exchange and follow the steps outlined next.

Step 1: Create the Distribution Group

In the Exchange admin center, select Recipients ➤ Groups and click the + to add the distribution group. Use the e-mail alias as the distribution group name.

Step 2: Configure the Group Being Added

Since this is a personal alias, add a description and complete the additional steps for the configuration of the group (see Figure 8-81).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig81_HTML.jpg
Figure 8-81

Adding a distribution group

Add the user and select the membership options. Since this is an e-mail alias (i.e., an internal group), it is recommended that you restrict it to the individual who is using the group (see Figure 8-82).
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig82_HTML.jpg
Figure 8-82

Restricting access to the distribution group

Step 3: Enable the Group for External Access

In the Exchange admin center, select "groups" and then click the pencil icon to edit. Select "delivery management" (see Figure 8-83) and change the setting from the default, "Only senders inside my organization," to "Senders inside and outside of my organization," so that external mail to the alias is accepted. This is identical to the external distribution groups discussed earlier.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig83_HTML.jpg
Figure 8-83

Enabling the group for external access

Step 4: Grant Permission to the User

The last configuration step is to grant permission to the user. There are two ways to do this: through PowerShell or through the Exchange admin center. In the Exchange admin center, select "groups," and then click the pencil icon to edit. Select "group delegation." Enter the user account for both Send As and Send on Behalf (see Figure 8-84). Click OK. The user is now able to select the alias in the From field in Outlook, or in the Outlook Web App, and send e-mail as the alias address.

You can also grant the permission with PowerShell, using the same Add-RecipientPermission command shown earlier for a shared mailbox. Here the Identity is the distribution group and the access right is Send As (there is no Full Access on a distribution group):
Add-RecipientPermission -Identity [email protected] -Trustee [email protected] -AccessRights SendAs
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig84_HTML.jpg
Figure 8-84

Setting Send on Behalf options
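The whole procedure, from Step 1 in "Exchange: Adding a Distribution Group" through Step 4 above, can be scripted. The block below is an added example, not code from the book: it creates the alias group, closes its membership, opens delivery to external senders, and grants Send As and Send on Behalf. It assumes an open Exchange Online PowerShell session; the Get365 name comes from the book's example, and the owner and group addresses are placeholders.

```powershell
# Added example (not the book's code): build the personal alias group from the steps above with
# PowerShell, restrict membership to the one owner, open it to external senders, and grant Send As
# and Send on Behalf. Assumes an open Exchange Online session. 'Get365' is the book's example name;
# 'user@contoso.com' and 'get365@contoso.com' are placeholders.
$alias = 'Get365'
$owner = 'user@contoso.com'
$addr  = 'get365@contoso.com'

# Steps 1-2: create the group closed to joins and departures, with the owner as its only member.
New-DistributionGroup -Name $alias -PrimarySmtpAddress $addr -Type Distribution `
    -ManagedBy $owner -Members $owner `
    -MemberJoinRestriction Closed -MemberDepartRestriction Closed

# Step 3: by default only authenticated (internal) senders can deliver to a group; clear that
# so mail from the Internet to the alias is accepted.
Set-DistributionGroup -Identity $alias -RequireSenderAuthenticationEnabled $false

# Step 4: Send As and Send on Behalf for the owner.
Add-RecipientPermission -Identity $alias -Trustee $owner -AccessRights SendAs -Confirm:$false
Set-DistributionGroup -Identity $alias -GrantSendOnBehalfTo $owner

# Verify. An externally reachable group is a delivery path into the tenant, so confirm the member
# list is exactly the owner and that only the owner can send as the alias.
Get-DistributionGroupMember -Identity $alias | Format-Table Name, PrimarySmtpAddress
Get-DistributionGroup -Identity $alias |
    Format-List RequireSenderAuthenticationEnabled, MemberJoinRestriction, GrantSendOnBehalfTo
Get-RecipientPermission -Identity $alias | Format-Table Trustee, AccessRights
```

Because the group accepts mail from anyone on the Internet, it is covered by the tenant's anti-spam and DLP policies like any other recipient, but it bypasses nothing on the way out: mail sent as the alias is still signed with the tenant's DKIM key and logged against the owner's mailbox in the message trace, which is the attribution you want.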

Step 5: Verify Outlook Configuration

The final step is to send an e-mail from Outlook to verify that you can send a message from the alias. For this to work, you must pick the distribution group you created earlier from the address book; in our example, the group is Get365. (If you type the address in manually, the send will fail.) To send as the alias from Outlook, follow these steps:
  1. Open Outlook, create a new message, and select From ➤ Other E-mail Address (see Figure 8-85).

  2. In the From box, click From and pick the distribution alias from the address book (see Figure 8-86).

  3. Click OK, and then send the e-mail.

../images/429219_1_En_8_Chapter/429219_1_En_8_Fig85_HTML.jpg
Figure 8-85

Selecting the From/Other e-mail address

After selecting “Other E-mail addresses,” select the distribution group (see Figure 8-86). You cannot enter the distribution group name in the address bar. The e-mail will not be sent.
../images/429219_1_En_8_Chapter/429219_1_En_8_Fig86_HTML.jpg
Figure 8-86

Selecting the alias address Get365

PowerShell

Earlier, we briefly discussed PowerShell and the capabilities that it provides. PowerShell is required for bulk changes and for settings that are not exposed in the Office 365 admin center. If your organization has more than ten accounts, you will usually find PowerShell more convenient. The account you use for PowerShell management is a global admin account; because that credential can change anything in the tenant, use a dedicated admin account protected with multifactor authentication rather than a daily-use mailbox account. Some service modules (Skype for Business/Teams, for example) reject an administrator who has no license for that service, so if a connection fails with a licensing error, assign the license to the admin account. The simplest way to install the latest version of PowerShell is to go to http://docs.microsoft.com/en-us/powershell (see Figure 8-87) and select the Get Started tab.
Figure 8-87

Installing PowerShell for Office 365 (courtesy of Microsoft)

Note

If you have not installed the Microsoft Online Services Sign-In Assistant for IT Professionals RTW, do that now. Go to www.microsoft.com, search for the Sign-In Assistant, and download it. PowerShell commands will not work unless the Sign-In Assistant is installed.

The latest version of Azure PowerShell can be downloaded from Microsoft Downloads; see https://docs.microsoft.com/en-us/office365/enterprise/powershell/manage-office-365-with-office-365-powershell (see Figure 8-88). The PowerShell installation verifies the updates required to support Azure PowerShell. Make sure you download the files and run them as an administrator (right-click and select “Run as administrator”) so that the files install correctly.
Figure 8-88

Installing Office 365 PowerShell from https://docs.microsoft.com/

Once you have installed Office 365 PowerShell, launch the PowerShell module and enter the following commands:
Set-ExecutionPolicy RemoteSigned
$LiveCred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $LiveCred -Verbose
Get-MsolGroup
The result of running these commands should look like Figure 8-89.
Figure 8-89

Validating PowerShell commands

You have completed the base PowerShell setup; use the preceding Get-MsolGroup command to validate the installation. If the command does not work, the PowerShell module was installed incorrectly, the account lacks permissions, or the desktop connector (Sign-In Assistant) for Office 365 is not installed. Using PowerShell requires administrative privileges and a license assigned to the account that is running the PowerShell commands.

PowerShell: Setting Up Teams and SharePoint

There are different versions of PowerShell installations for Teams Online, SharePoint Online, and other Microsoft online services (such as BI and CRM). For those services, you need to install the appropriate Active Directory services. These additional PowerShell modules are available from the Microsoft Download Center (www.microsoft.com/download).
  • Teams PowerShell: Windows PowerShell module for Teams Online

  • SharePoint PowerShell: SharePoint Online Management Shell

These additional commands are described in the following sections. Before you can use the commands, you must download and install the PowerShell extensions.

PowerShell: Using the Standard Header for Microsoft Online Services and Exchange

PowerShell can be complex for any user. When using PowerShell with Office 365 and Exchange, you use a standard PowerShell header. This header connects you directly to the Office 365 administration interface so that you can make the necessary changes; if the remote-execution parameters are not set up correctly, the PowerShell commands will fail. The one other requirement is that the user account you log in with (for Office 365) must have a license assigned to it. The account can execute only the Office 365 PowerShell commands for the services that the admin account is licensed to use; otherwise, they will fail.

We use a standard PowerShell interface, which allows the commands to run in a PowerShell command prompt or in the PowerShell Integrated Scripting Environment (ISE). The standard command interface (or PowerShell header) can be invoked with this script:
Set-ExecutionPolicy RemoteSigned
$LiveCred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $LiveCred -Verbose
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber
# Insert other PowerShell commands before Remove-PSSession
#*********
# PowerShell commands go here
#*********
# Clean up and close the session
Remove-PSSession $Session
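As an added example (not the book's script), here is the same header wrapped so that the Exchange session is always removed and the admin account's license is checked before any Exchange cmdlet runs. It assumes the MSOnline module and Exchange Online endpoint the chapter uses; the Get-Mailbox call in the body is only a placeholder for your own commands.

```powershell
# Added example (not from the book): the standard header hardened so that the
# remote session is always removed, even when a command in the body throws.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Import-Module MSOnline

$LiveCred = Get-Credential
Connect-MsolService -Credential $LiveCred

# The chapter's rule: an unlicensed admin makes the Exchange cmdlets fail.
# Check the license up front instead of discovering it halfway through a script.
$admin = Get-MsolUser -UserPrincipalName $LiveCred.UserName
if (-not $admin.IsLicensed) {
    throw "Account $($LiveCred.UserName) has no license assigned; Exchange cmdlets will fail."
}

$Session = $null
try {
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.outlook.com/powershell/ `
        -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session -AllowClobber -DisableNameChecking | Out-Null

    #*********
    # PowerShell commands go here; placeholder example:
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
    #*********
}
finally {
    # Runs on success and on error, so no orphaned remote session is left open
    if ($Session) { Remove-PSSession $Session }
}
```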

Once you have verified the functionality of the header script, you are ready to make the necessary changes in Office 365. This section of the administration maintenance manual lists the type of problems encountered and the PowerShell solution. All that is needed for the user to execute these commands is to use an account—with global administrator rights—that is licensed with an appropriate subscription (such as Exchange, SharePoint, etc.).

PowerShell: Not Remotely Sign Error

The first time you run PowerShell, you may get the error “not remotely signed.” To correct this error, you need to enable PowerShell remoting on your system.
  1. Start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting “Run as administrator.”

  2. The WinRM service is configured for manual startup by default. You must change the startup type to Automatic and start the service on each computer that you want to work with. At the PowerShell prompt, you can verify that the WinRM service is running using the following command:

    Get-Service winrm

    The value of the Status property in the output should be Running.

    a. If the value is not Running, you can configure and start the service from an elevated command prompt:

      sc config winrm start= auto
      sc start winrm

    b. To configure Windows PowerShell for remoting, type the following command:

      Enable-PSRemoting -Force

Mail flow should resume in the next two to four hours.

PowerShell: Winmail.dat Problem

Let’s say the e-mail is being sent externally to users in an RTF MIME format, and the users cannot read the e-mail and see a winmail.dat file. The winmail.dat file appears on the client e-mail because Outlook (on the sender) is not installed correctly or there is another Outlook add-in (on the sender) that is preventing the e-mail from being converted to text. To resolve this issue, either disable the Outlook add-ins (on the sending device) or uninstall and reinstall Office 2007/2010.

If this fails, then as a last resort you can force Office 365 Exchange Server to send only plain-text e-mail to that contact. This command forces the e-mails to be sent out in a plain-text format:
Set-MailContact <ExternalE-mailAddress or GUID> -UseMapiRichTextFormat Never
Verify that the mail format was applied:
Get-MailContact <ExternalE-mailAddress or GUID> | Select UseMapiRichTextFormat

The second command displays the contact's current rich-text setting, so you can confirm that Never was applied rather than one of the other options.

PowerShell: Enable Audit

The Audit command turns on full tracking for any access to a mailbox. To change the audit state on a mailbox, run this command:
Set-Mailbox <Identity> -AuditEnabled $true
Set multiple mailboxes for audit:
$UserMailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

PowerShell: Verification of Audit Logs

Run the following command to verify the audit log configuration and the time limit configuration. Administrator audit logs are on by default; mailbox logs are off by default. Audit logs are enabled for 15 days.
Get-AdminAuditLogConfig

PowerShell: Mailbox Audit Log search

To perform an audit log search in PowerShell, use the following command (it requires that auditing be enabled on the mailbox in question):
New-MailboxAuditLogSearch -Mailboxes [email protected] -StartDate 1/1/2010 -EndDate 12/31/2013 -StatusMailRecipients [email protected]

PowerShell: Passwords Forever

Password expiration can be set from the user interface. However, when you reset a password, that account reverts to the 90-day password expiration. The following command sets the password of every user to never expire:
Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true

Note

If the user’s password is reset, the policy changes back to 90 days. If you want the forever policy applied, you need to set it again with PowerShell and every time you reset a password. The Office 365 interface allows passwords to be fixed for up to 720 days.

PowerShell: Get Mailbox Statistics

This command retrieves all the usage data about the user:
Get-Mailbox | Get-MailboxStatistics | Select-Object DisplayName,StorageLimitStatus,TotalItemSize

PowerShell: Enable Litigation Hold–No Notice

There are different legal holds—with notice and without notice. This command places a mailbox on legal hold with no notice given to the end user:
Get-Mailbox -ResultSize unlimited | Set-mailbox -LitigationHoldEnabled $true

PowerShell: Review Permission Assigned to a Mailbox

This command retrieves all the permission information about the user:
Get-MailboxPermission -Identity [email protected]

PowerShell: Review the Management Role Assignment to a User Account

This command retrieves all the permissions assigned to different roles in Office 365:
Get-ManagementRoleAssignment -Enabled $true -Delegating $true

PowerShell: Display All Mailbox Forwarders

The following commands retrieve information about the mailbox forwarders and allow you to turn them on or off.

Display all mailbox forwarders:
Get-Mailbox | Where {$_.ForwardingSMTPAddress -ne $null} | Select Name, ForwardingSMTPAddress, DeliverToMailboxAndForward
Turn off all mailbox forwarders:
Get-Mailbox | Where {$_.ForwardingAddress -ne $null} | Set-Mailbox -ForwardingAddress $null
Turn off a single mailbox forwarder:
Set-Mailbox <e-mailaddress> -ForwardingSmtpAddress $null
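An added example (not from the book) that extends the forwarder report above into a defender's inventory: it checks both mailbox-level forwarding properties (ForwardingSmtpAddress and ForwardingAddress) and inbox rules that forward or redirect mail, which the single-property commands above do not cover. It assumes an imported Exchange Online session; the CSV file names are constructed.

```powershell
# Added example (not from the book): every automatic path by which mail can leave
# a mailbox, so that unexpected forwards can be reviewed before anything is cleared.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# Mailbox-level forwarding: the chapter's display command checks only
# ForwardingSmtpAddress; ForwardingAddress (an internal recipient) is a second path.
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# Rule-level forwarding: set by the user, and also a common sign of a compromised
# account, so rules that forward and then delete the message are worth a close look.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } }, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

$mailboxForwarding | Format-Table -AutoSize
$ruleForwarding | Format-Table -AutoSize

# Export both lists for review; clearing everything blindly breaks legitimate forwards
$mailboxForwarding | Export-Csv .\mailbox-forwarding.csv -NoTypeInformation
$ruleForwarding | Export-Csv .\rule-forwarding.csv -NoTypeInformation
```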

PowerShell: Change Mailbox Permissions

The mailbox permission command is useful; you can use this on any e-mail-enabled item (such as distribution groups):
Add-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess -InheritanceType All -Confirm:$false
Add-RecipientPermission -Identity [email protected] -Trustee [email protected] -AccessRights SendAs

PowerShell: Change the User Principal Name on a User Account

After you configure Azure AD Connect, you may run into a situation where the user account name has not synced correctly to Office 365. This is usually because the e-mail address is not set up in the on-premises Active Directory or the UPN is missing in the root of the Active Directory. If you have corrected the on-premises AD and the user’s principal name still has not changed, run the following PowerShell command:
Set-MSOLUser -UserPrincipalName [email protected] -NewUserPrincipalName [email protected]

Note

The Office 365 account is synchronized from the on-premises Active Directory. Check the Active Directory configuration to make sure that the user’s e-mail address is in the correct field and that the UPN is set for the AD login. If you need to execute this command, there is a configuration problem in the local Active Directory.

PowerShell: Assign License to a User Account

After you have directory-synced an account, you may need to bulk-assign licenses via PowerShell. To complete this, execute the following two PowerShell commands. You also need to run Get-MsolAccountSku first to retrieve the subscription SKUs (the <tenantid>:ENTERPRISEPACK value) that the second command uses. The license types must be active.
Set-MsolUser -UserPrincipalName [email protected] -UsageLocation US
Set-MsolUserLicense -UserPrincipalName [email protected] -AddLicenses "<tenantid>:ENTERPRISEPACK"

PowerShell: Purging Users in the Delete Bin

There are cases where you need to remove users that have been deleted in Office 365. A deleted user is retained in Office 365 for 30 days, which allows you to easily restore the user account to the same subscription that the account had prior to deletion. If you need to delete all user data, use these PowerShell commands to perform this action:
# Get a list of users in the recycle bin
Get-MsolUser -ReturnDeletedUsers
# Purge all users from the recycle bin
Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
# Purge a single user from the recycle bin
Remove-MsolUser -UserPrincipalName [email protected] -RemoveFromRecycleBin -Force
# Restore a user from the recycle bin
Restore-MsolUser -UserPrincipalName [email protected]

PowerShell: Bypass Spam Filtering for E-mail

This allows all mail to be delivered to a mailbox without being filtered by the Exchange Spam Confidence Level (SCL). The command accepts all incoming e-mail for that recipient that is processed by the Office 365 Exchange Transport server role.
Set-ContentFilterConfig -BypassedRecipients [email protected]

PowerShell: Extend the Purges Folder to Greater Than 14 Days

Once a user has deleted an item from the Deleted Items folder, e-mail in Office 365 is removed from the Purges folder after 14 days. You can extend this to 30 days with the following commands.
  • Extend the deleted-item retention to 30 days for a mailbox:

    Set-Mailbox [email protected] -RetainDeletedItemsFor 30

  • Extend the deleted-item retention to 30 days for the organization:

    Get-Mailbox | Set-Mailbox -RetainDeletedItemsFor 30

PowerShell: Meeting Room Configuration

To make meeting rooms more useful, you need to add additional information about the meeting room. The only way to add these capabilities is to use PowerShell to extend the meeting room options. This example uses the “ingoodtaste1” meeting room.

Set the conference room calendar to show “limited details–free & busy” to everyone:
Set-MailboxFolderPermission -Identity ingoodtaste1:\Calendar -User Default -AccessRights LimitedDetails

Troubleshooting: Autodiscover

Autodiscover allows an Outlook client (including your laptop and your smartphone) to discover the location of the Office 365 Exchange e-mail server and to automatically connect to that server (see Figure 8-90). You need to insert the Autodiscover record in both the external DNS and the internal DNS. Both records should point to outlook.com.
Figure 8-90

Autodiscover record value

Note

Outlook clients (Mac and PC) use Autodiscover to find the mail server. Smartphones use the MX records.

The Autodiscover process is outlined in Figure 8-91. When an internal client looks up an Autodiscover record, it first determines the Autodiscover record through Active Directory. If the client is external, it looks up the Autodiscover record from the DNS.
Figure 8-91

Exchange Autodiscover process (courtesy of Microsoft)

If you are on-site and you are trying to connect to the Office 365 Exchange Server, the Outlook client uses the Exchange Service Connection Point (SCP) object to attach to the local Exchange Server and bypass the external Autodiscover lookup. If you have chosen not to use Microsoft migration tools, you need to block the local clients from finding the on-site Exchange Server in the Autodiscover process or convert the mailboxes to mail-enabled users (MEUs). The registry entries that must be modified on the clients are listed next (see https://support.microsoft.com/en-us/kb/2612922).
  1. Navigate to the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover

  2. Set the following values:

    "PreferLocalXML"=dword:1
    "ExcludeHttpRedirect"=dword:0
    "ExcludeHttpsAutodiscoverDomain"=dword:1
    "ExcludeHttpsRootDomain"=dword:1
    "ExcludeScpLookup"=dword:1
    "ExcludeSrvLookup"=dword:1
    "ExcludeSrvRecord"=dword:1


Summary

Office 365 administration is a large topic, and many books could be written to cover this topic. The objective here was to provide you with an overview of how to administer Office 365. I wanted to provide you with exposure to the new tools and techniques so that you can see how easy it is to manage and secure Office 365. As you begin to work with Office 365, you can revisit the “PowerShell” section. Office 365 is about productivity and management of company resources.

References

There is a lot of information about Office 365 on the Web; the issue is finding the right site. The information contained in this chapter is a combination of my experience doing deployments and of support information published by third parties.
