Category Archives: Exchange Server tips tutorials and expert advice

Office 365 admins can evolve as platform expands

A move to Office 365 can leave administrators feeling nonessential in the cloud productivity platform. But it’s not all bad news: The switch can spur IT teams to develop skills and empower end users to take full advantage of cloud services.

Microsoft has added a number of new services to the Office 365 suite over the years, creating an integrated enterprise collaboration platform. The company recently delivered SaaS offerings for business analytics with Power BI, a phone system through the Cloud PBX service, Skype for Business and the Yammer enterprise social network. With each new service rollout, end users must understand the capabilities of the applications.

This means that, as Microsoft pours development resources into its cloud products, Office 365 admins see their duties shift from system troubleshooters to internal marketers. Rather than wait for employees to file tickets, Office 365 admins must be internal marketers who sell users on the benefits of each app.

Administrators also can take on system integration functions. Microsoft developed a series of APIs to link its services to other products. Office 365 admins can use these tools to improve key areas, such as system security, or to work with business managers to develop procedures, such as an automated document workflow.

Translate high uptime into me time

Microsoft promises 99.9% uptime to Office 365 customers. What’s the perk of this high availability? It frees the support staff to focus on improving company processes, said Tim Clark, president of consulting firm C3 Solutions. IT staff learns about the latest features in the rapidly growing Office 365 collaboration platform and then shares those findings with users to maximize application use.

In-house app stores can ease the IT workload

Microsoft created an application store with its partners to offer a variety of tools and apps, which have a few benefits for admins. An in-house app store gives Office 365 admins a way to deploy and maintain corporate apps more easily. It simplifies the choices for users with a list of approved apps that the IT staff supports. Additionally, administrators can track downloads and employee usage trends.

The app store not only solves issues that have plagued users, but it also enables companies to keep up with trends in social media and remote workforces. Employees often get frustrated when scheduling meetings; the third-party add-in FreeBusy Scheduling Assistant uses automation to make the process less of a chore.

Also, social media has blurred the lines between personal and business offerings. For example, Starbucks developed an Office 365 application for users to schedule meetings at the local store. The Zomato Restaurant Finder helps executives determine where to go for a business lunch.

But enterprise app stores have downsides. They must work with a wide assortment of technologies and vendors. And supporting such heterogeneous environments — without breaking the budget — is difficult. For instance, allowing end users to bring any type of phone into the organization could strain Office 365. Therefore, a company can limit the number of phones it supports. Additionally, companies might need to add applications that Microsoft does not directly endorse.

What is Microsoft’s Office 365 strategy anyway?

Since the emergence of Office 365, there has been some question about what Microsoft’s plan for these services is all about. In this podcast, Scott Robinson, a SharePoint and BI expert, notes, “Microsoft has done a lot of repackaging, and sometimes, that is just to cover the fact that they haven’t finished a product.”

“Enterprises may want to integrate Slack into their collaboration platform,” said Joshua Trupin, research vice president at Directions on Microsoft.

Other integration needs can arise. Typically, consumer mobile device apps act independently of one another, but businesses must integrate them with Office 365. For example, if a company wants to tie its order management app to the logistics product, the customer often has to build and maintain these links.

Regimented approach can tame costs

Most organizations have a mix of apps — some run on premises and others in the cloud. Develop a standardized approach to provision and manage these apps, and keep a close eye on the licensing agreements to avoid any unexpected bills from cloud app vendors.

To track and ensure license compliance, Office 365 admins can use financial management tools from suppliers — such as Cloudability, Cloudyn and VMware with vRealize Business for Cloud — to keep cloud costs in line.

The notion that public cloud is less expensive than other alternatives also has been challenged recently. Some businesses that operated without a strict cloud pricing arrangement discover these offerings cost more than anticipated.

Office 365 compliance issues deserve your attention

It’s no longer enough to evaluate email servers on just the basic features. Cyberattacks and data leaks are on the rise, and the explosive growth of data means IT admins must reconsider security protections and compliance concerns in their email servers.

Those worries are acute for a business considering a move from an on-premises platform to Microsoft Office 365. Admins should be aware of the potential challenges that await once their company’s data migrates to the cloud, such as Office 365 compliance.

Businesses routinely accumulate vast quantities of data, and that increases regulatory pressures to protect digital assets. Exchange admins were accustomed to managing the security and compliance of just one workload on premises; in the cloud, the number of workloads mushrooms, and the list of Office 365 services that contain company data includes SharePoint, Skype and OneDrive. With Office 365, IT admins are responsible for data governance, and they need to consider new areas of security and compliance.

Microsoft invests $1 billion annually in cybersecurity research and development. The company regularly introduces new features and enhancements for Office 365 security. IT admins can use these modern accoutrements as ammunition to convince their business that it is worth the investment. But before making the move, administrators must address important questions about Office 365 compliance and security.

Navigate Office 365 compliance aspects

Microsoft moved away from a decentralized administration model for on-premises Exchange, where each workload in the platform had its own security and compliance management console. There is now one centralized portal where admins can see all aspects of Office 365 compliance and security.

This portal offers admins a single place to set up and configure the policies related to Office 365 areas, such as SharePoint, OneDrive and email messages. Admins can also use the Office 365 Admin mobile app to access the management console and make adjustments on the go.

Make a data governance plan

As an important preliminary step, many early Office 365 adopters advise IT admins to put together a data governance plan. You’ll want all the policies needed to meet the business requirements in place before the data migrates. The Microsoft FastTrack team or third-party vendors can assist.

With on-premises Exchange, admins’ only compliance concern is with email messages. But for Office 365 compliance, admins must consider data elsewhere, such as Skype for Business, files and SharePoint content, that Microsoft’s data centers manage and store. IT administrators need to expand the scope of their compliance and security policies beyond Exchange and set policies for other workloads. Office 365 offers flexibility and enables some policies to be applied to multiple workloads; this eliminates the duplication of work when creating specific compliance policies.

IT admins are used to digging through troves of user activities and system logs to identify compliance and security issues. Office 365 eases that burden and offers incident and auditing capabilities, such as searchable audit logs, that are easy to use and navigate. IT administrators can now receive alerts on data deletions, departure of sensitive content to external users, or when a user signs in from a risky IP address.

Know what else is covered

In addition to features that protect and monitor compliance in services such as SharePoint, OneDrive and Skype for Business, Microsoft announced in 2017 it will extend that ability to some external data as well. The Advanced Data Governance feature in Office 365 enables administrators to ingest external data from places such as Facebook, Bloomberg, Twitter and LinkedIn; store it within Office 365 cloud storage; perform searches; and apply compliance policies to it.

Intelligence-infused services are nothing new to Microsoft, which seems to recognize the importance of artificial intelligence and how it enables administrators to perform smarter searches and detect abnormal activities. Advanced Threat Protection, Advanced eDiscovery, automatic data classification, and Advanced Security Management use AI to assist with early detection, discovery and prevention.

Manage security needs quickly

An on-premises environment typically requires admins to spend time managing multiple security and compliance platforms. With Office 365, IT administrators have one common information protection layer; a centralized administration portal manages all security and compliance needs for cloud workloads.

Surprisingly, these security components don’t require much from IT, as the tools and intelligence services automate, detect and remedy many issues that admins traditionally handled manually. Not only is there a more comprehensive security layer, but IT admins have more time to efficiently adapt to external threats.

The base Office 365 packages do not include every security and compliance feature. Determine which features your business needs and whether they require licenses to enable advanced capabilities. While Office 365 E5 includes several advanced security and compliance features, there are others — such as advanced threat analytics and Azure Active Directory premium services — that Microsoft considers add-ons, which will cost extra.

As more businesses move their email servers to the cloud and adopt cloud-based workloads within Office 365, there is demand for better visibility and improved security. IT administrators recognize they must adjust their security and compliance practices. But that brings the challenge of relying on one vendor and trusting it with the data. So far Microsoft has taken appropriate steps to invest in its Office 365 compliance and security capabilities, and all IT administrators can do is implement the recommended services based on best practices and recommendations.

Close ranks with key Office 365 security features

Businesses receive enormous convenience and cost control benefits from Office 365, but a move to the cloud also increases the company’s attack surface. This heightened exposure makes it imperative that administrators learn how best to implement the Office 365 security features.

Don’t sit back and expect adequate protection with the default security configurations in Office 365. Admins must tailor Office 365 security features to shield data on the platform from outside threats.

How does Office 365 affect business security?

Modern businesses cannot function as islands, surrounded by antimalware, antivirus and a secure perimeter and demilitarized zone for external users to access certain servers.

An enterprise that depends on Office 365 requires a more intelligent security approach that extends from the service provider to the users, who work on many different devices. Administrators need to discover and hold sensitive information, ensure compliance, prevent data loss and then identify and respond to potentially malicious traffic or use patterns quickly.

Advanced Office 365 security features include multifactor authentication, encryption to protect data at rest and in flight and data loss prevention to stop users from sending sensitive material over email or in unauthorized storage devices.

Office 365 enterprise users must balance features with price

Office 365 meets the requirements for compliance certifications, including those imposed by the Health Insurance Portability and Accountability Act, the Federal Risk and Authorization Management Program and the International Organization for Standardization/International Electrotechnical Commission 27001.

Suspicious activity afoot?

Administrators can manage and audit Office 365 security features with remote PowerShell, but the Office 365 Security & Compliance Center provides a GUI tool to enforce corporate policy and monitor potential threats. The portal provides seven major pages related to security and compliance:

  • Alerts page: This section warns you when a user violates policies that IT creates. Administrators can also view alerts, understand how each was generated and take remedial action. Office 365 includes a series of default alerts and will inform you when a user receives administrative privileges and when it detects malware or unusual file activity.
  • Permissions page: Administrators can grant users various permissions in compliance-related areas, such as device management and data retention. Elevated users can perform only the tasks assigned by the administrator. IT can alter or rescind permissions as business needs change.
  • Threat Management page: Dashboard, Threat explorer and Incidents tools let administrators oversee risks detected within Office 365.
  • Data Governance page: This area enables admins to import data into Office 365; archive and retain important messages and attachments as part of content lifecycle management; and establish supervision policies that review both inter- and intraoffice messages for inappropriate or sensitive content.
  • Search and Investigation page: This allows administrators to locate messages and search audit logs. For example, use the content search to comb mailboxes, folders, SharePoint Online sites and OneDrive for Business content in the company’s Office 365 subscription. Export results to another computer for further examination. Use audit logging to view user and other administrative activities involving files, folders, sharing, SharePoint, Azure Active Directory, Sway and PowerBI.
  • Reports page: This enables administrators to follow application use, identify suspicious app activity and provide notifications and alerts about unusual app use. The page generates reports that show how the organization’s employees use Office 365.
  • Service Assurance page: This page provides details about Office 365 compliance efforts. These include Microsoft security practices for customer data stored in the messaging platform; third-party audit reports of security; and security, privacy and compliance controls used by Office 365.

Migrate to Exchange 2016 with all the facts

Even if your current Exchange setup works reliably, all Microsoft products drop off support eventually. When your messaging platform hits its expiration date, where will you go next?

Microsoft and security experts advise businesses on a legacy platform to shift to a supported platform. But it’s no simple process to migrate to Exchange 2016, even if you decide to stay on premises. For example, if you have Exchange 2007, you’ll need to perform a two-stage maneuver in the Exchange 2016 migration.

In years past, a company’s only option for Exchange was to upgrade to the next version. But with Microsoft’s Office 365 offering, where Exchange Online lifts the email server into the cloud, the decision is not that straightforward. Admins see the value in reduced maintenance, and access to security features such as Advanced Threat Protection. However, not everyone in IT welcomes the cadence of new feature arrivals and the reliance on PowerShell for some administrative tasks.

If you elect to make an Exchange 2016 migration, hardware choices will give the platform optimal performance. Also, be sure to test the platform thoroughly.

IT experts and consultants share these four tips on how to decide between on premises and cloud; what Exchange 2007 admins should do now that support has ended; the Microsoft requirements that can be ignored; and what to do after an installation is complete.

1. Weigh upgrade options: On premises or cloud?

There are more options than ever for a corporate email platform. A business that has used Exchange Server for years can move its messaging system to a low-cost — or free — service hosted by a provider, such as Google’s Gmail. But, in addition to features and price, legal and compliance issues need to be included in Exchange admins’ decision-making process — which can make Microsoft’s Office 365 a better fit. Office 365 ties a company’s calendar, conferencing and collaboration systems into its email — but shifting on-premises services to the cloud takes some effort.

2. Abandon the Exchange 2007 ship before it sinks

Once Microsoft ends product support, a business that remains on an outdated platform risks becoming vulnerable to attack. If a company still uses Exchange 2007, the IT org must decide if it will move to a supported on-premises platform — or go to Exchange Online. A switch from Exchange 2007 to Exchange 2016 requires an intermediate step — the administrator needs to move mailboxes to Exchange 2013 then migrate to Exchange 2016. Microsoft provides tools for an Office 365 migration — and possibly financial help if you qualify.

3. When you can ignore Microsoft’s advice on Exchange 2016

As with all its server products, Microsoft provides guidelines for Exchange 2016 operation. Some businesses have good reason to sidestep these recommendations and deploy Exchange another way. For example, Microsoft does not endorse running Exchange in a virtualized environment; however, many businesses have done this for years with little consequence. Still, admins should check that the hardware or hypervisor vendor does provide support before breaking with Microsoft’s safer model.

Also verify that there’s adequate storage to run Exchange 2016 — Microsoft says a 30 GB system partition will work, but admins should have at least 100 GB. Otherwise, the databases will need to move to a separate disk.

4. Trust, but verify after Exchange 2016 installation

After a business selects an Exchange 2016 migration, executes the deployment and moves over its mailboxes, everything is ready to go, right? Not so fast. Go through a post-install checklist and confirm the configuration will work as expected. Open the Exchange Management Shell and follow a couple quick steps to verify the install was clean. Check that the organization’s domain name is on the accepted domain list, and apply OS and Exchange Server patches before anything starts up in production.

Lost and found: Use an Exchange recovery database to restore data

deleted an important email or to satisfy a request from a lawyer or regulator.

A company that runs Exchange 2016 off a single server in a branch office or lacks a database availability group can tap into the Exchange recovery database to restore information, messages and other items from mailboxes. Recovery databases are special mailbox stores that are accessible only to administrators; they exist solely to obtain deleted email or other items from a production Exchange mailbox.

Execute the email recovery process

The email message restoration process involves a few steps. The administrator creates a new database object on the Exchange deployment and identifies it as a recovery database. The admin then restores a production database into the recovery database, which copies the data from a backup into the new recovery space. After that, Exchange reads from the mounted database. Finally, the admin runs mailbox recovery requests to bring data from the mounted recovery database into the corresponding mailbox or mailboxes — or different mailboxes or archives — to the production side.

Build the Exchange recovery database

Create the new database to hold the content we want to retrieve with the PowerShell command below. The -Recovery flag instructs Exchange that this database should not be treated as a typical mailbox database.

New-MailboxDatabase -Server EXCHANGE2016 -Name MyRecoveryDatabase -Recovery -EdbFilePath c:\exchange.edb -LogFolderPath c:\logs

Next, restore the production Exchange database with software or the other backup processes. For example, administrators who use Windows Server Backup would pick the location of the backup files and the date of the backup, and then choose Files and Folders to locate the database file (EDB) and the log files associated with the database. The administrator would then restore files to the locations used in the PowerShell command above to create the Exchange recovery database.

Next, use the ESEUtil utility to put the database in a readable condition. Find the location of the recovery database, and run the following at the command prompt:

eseutil /r log_file_base_name /l c:\path_to_log_files /d c:\path_to_database

Run the command below from the database directory to make sure the State field says Clean Shutdown, which indicates a successful recovery.

eseutil /mh databasename.edb

Next, use the name of the database to mount it with this command:

Mount-Database MyRecoveryDatabase

Once the database mounts, choose from one of the following restore options:

  • Restore content from a mailbox on the recovery database to an identical mailbox on the production database;
  • Restore content from the recovery database to an archive database;
  • Restore content from one mailbox on the recovery side to a different mailbox on the production side; or
  • Restore specific folders from within a mailbox into a corresponding mailbox, a different mailbox or a target archive mailbox.

Here are some sample commands that illustrate the required PowerShell syntax:

New-MailboxRestoreRequest -Name "Tim Jones Restore" -SourceDatabase MyRecoveryDatabase -SourceStoreMailbox "Tim Jones" -TargetMailbox "Tim Jones"

New-MailboxRestoreRequest -Name "Tim Jones Restore" -SourceDatabase MyRecoveryDatabase -SourceStoreMailbox "Tim Jones" -TargetMailbox "Tim Jones" -TargetRootFolder "Your Restored Items"

New-MailboxRestoreRequest -Name "Susan Smith Restore" -SourceDatabase MyRecoveryDatabase -SourceStoreMailbox "Susan Smith" -TargetMailbox "Susan Smith" -TargetIsArchive -TargetRootFolder "Restored Items In Your Archive"

New-MailboxRestoreRequest -Name "Susan Smith to New Info Mailbox" -SourceDatabase MyRecoveryDatabase -SourceStoreMailbox "Susan Smith" -TargetMailbox "General Info" -TargetRootFolder "Susan Smith Items" -AllowLegacyDNMismatch

New-MailboxRestoreRequest -Name "Tim Jones Recovery of Acme Matter Content" -SourceDatabase MyRecoveryDatabase -SourceStoreMailbox "Tim Jones" -TargetMailbox "Tim Jones" -IncludeFolders "Acme Litigation/*"

To restore content from the built-in folders, surround the folder names with hashtags — for example, #Inbox# or #Deleted Items#.

How to handle a conflict

A conflict occurs when restoring a previous version of an item whose name already exists in the destination mailbox. The administrator needs to dictate which action to take and what data to keep: the item from the recovery mailbox, the item with the latest date, or everything, which allows duplicates. Use the -ConflictResolutionOption PowerShell parameter to set these options:

New-MailboxRestoreRequest -Name "Tim Jones Restore" -SourceDatabase MyRecoveryDatabase -SourceStoreMailbox "Tim Jones" -TargetMailbox "Tim Jones" -ConflictResolutionOption KeepSourceItem

New-MailboxRestoreRequest -Name "Susan Smith Restore" -SourceDatabase MyRecoveryDatabase -SourceStoreMailbox "Susan Smith" -TargetMailbox "Susan Smith" -TargetIsArchive -ConflictResolutionOption KeepLatestItem

New-MailboxRestoreRequest -Name "Susan Smith to New Info Mailbox" -SourceDatabase MyRecoveryDatabase -SourceStoreMailbox "Susan Smith" -TargetMailbox "General Info" -TargetRootFolder "Susan Smith Items" -AllowLegacyDNMismatch -ConflictResolutionOption KeepAll

After the restoration process, remove the mailbox restore requests. Completed requests remain in a queue for auditing purposes, so remove them to prevent current requests from mixing with completed ones. The first line displays the current requests to ensure the administrator selects the correct ones, while the second line removes them.

Get-MailboxRestoreRequest

Get-MailboxRestoreRequest | Where Status -eq Completed | Remove-MailboxRestoreRequest

The final step is to delete the Exchange recovery database to free up the disk space using these commands:

Dismount-Database MyRecoveryDatabase

Remove-MailboxDatabase MyRecoveryDatabase
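
The steps above, chained into one guarded run, as an added example that is not part of the original article: it refuses to mount a database that is not in Clean Shutdown, waits for the restore request to reach a final status, saves the request report before removing the request, and tears down the recovery database only when nothing else still uses it. The EDB path, report path and polling interval are assumptions; the database and mailbox names are the article's sample values.

```powershell
# Added example: guarded restore from a recovery database (not the article's own code).
# Database and mailbox names mirror the article's samples; $EdbPath, $ReportPath and
# the polling interval are assumptions.
$ErrorActionPreference = 'Stop'

$RecoveryDb = 'MyRecoveryDatabase'
$EdbPath    = 'C:\exchange.edb'               # assumed path of the restored EDB file
$Mailbox    = 'Tim Jones'
$TargetRoot = 'Your Restored Items'
$ReportPath = 'C:\logs\restore-report.xml'    # assumed location for the audit copy

function Get-EdbShutdownState {
    param([Parameter(Mandatory = $true)][string]$Path)
    # eseutil /mh dumps the database header, which includes a "State:" line.
    foreach ($line in (& eseutil.exe /mh $Path)) {
        if ("$line" -match '^\s*State:\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw "No State line found in the eseutil /mh output for $Path"
}

# 1. Refuse to mount unless the header reports a clean shutdown.
$state = Get-EdbShutdownState -Path $EdbPath
if ($state -ne 'Clean Shutdown') {
    throw "Database state is '$state'. Replay the logs with eseutil /r before mounting."
}
Mount-Database -Identity $RecoveryDb

# 2. Restore into a subfolder of the same mailbox; keep the newer copy on a conflict.
$request = New-MailboxRestoreRequest -Name "$Mailbox Restore" `
    -SourceDatabase $RecoveryDb -SourceStoreMailbox $Mailbox `
    -TargetMailbox $Mailbox -TargetRootFolder $TargetRoot `
    -ConflictResolutionOption KeepLatestItem

# 3. Wait for a final status instead of assuming the request succeeded.
$final = 'Completed', 'CompletedWithWarning', 'Failed', 'Suspended', 'AutoSuspended'
do {
    Start-Sleep -Seconds 30
    $status = "$((Get-MailboxRestoreRequest -Identity $request.Identity).Status)"
    Write-Host "Restore request status: $status"
} while ($final -notcontains $status)

# 4. Keep a copy of the request report before the request leaves the queue.
Get-MailboxRestoreRequestStatistics -Identity $request.Identity -IncludeReport |
    Export-Clixml -Path $ReportPath

if ($status -ne 'Completed') {
    throw "Restore ended with status '$status'. Recovery database left mounted for review."
}
Remove-MailboxRestoreRequest -Identity $request.Identity -Confirm:$false

# 5. Tear down only when no other request still reads from the recovery database.
$others = @(Get-MailboxRestoreRequest -SourceDatabase $RecoveryDb)
if ($others.Count -gt 0) {
    Write-Warning "$($others.Count) other request(s) still reference $RecoveryDb; not removing it."
} else {
    Dismount-Database -Identity $RecoveryDb -Confirm:$false
    Remove-MailboxDatabase -Identity $RecoveryDb -Confirm:$false
    # Remove-MailboxDatabase deletes the database object only; the EDB and log files
    # stay on disk until they are deleted by hand.
}
```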

Configure Azure Active Directory SSO service and avoid delays

No one wants to enter the same password multiple times to use applications on a single machine. Many administrators seek single sign-on, and Microsoft’s Active Directory Federation Services is the traditional way to get it. But ADFS doesn’t prevent login prompts in all applications; Outlook or Skype for Business users have to look elsewhere.

Businesses have a new option for SSO. Azure Active Directory (AD) Seamless SSO registers a special computer account in AD to act as a proxy so that Integrated Windows Authentication (IWA) — which authorizes users — works against specific URLs in Azure AD to sign a user in as if the URLs were an intranet site.

Administrators can configure Azure AD Connect, which integrates an on-premises directory with Azure AD, to perform Seamless SSO; set up an Office 365 tenant to support modern authentication; and, finally, examine the client experience.

Combine Azure Active Directory SSO with modern authentication, which enables features such as multifactor authentication and certificate-based authentication, to get a full SSO without ADFS. Modern authentication uses a web browser-based sign-in within the Office applications, which enables IWA to work.

Configure Azure AD Connect

To set up the feature, start with Azure AD Connect and password synchronization in place. Launch the Azure AD Connect configuration wizard, select the User Sign-In option and choose Enable single sign on, as shown in Figure 1.

Azure AD configuration wizard
Figure 1. Click on Enable single sign on to use Seamless SSO.

On the Enable single sign on page shown in Figure 2, enter the domain administrator credentials to create the special computer account for Azure AD Connect in the local AD.

Enable single sign on
Figure 2. Enter the domain administrator credentials to create a special computer account for Azure AD Connect.

Complete the setup wizard. Once Azure AD Connect updates the configuration, verify that the new computer account has been created. Open Active Directory Users and Computers, navigate to the Computers container and look for a new computer for Azure Active Directory SSO, named AZUREADSSOACC:

Active Directory Users and Computers
Figure 3. Verify that the action created a new computer account named AZUREADSSOACC.

Set up the Office 365 tenant

To use the Seamless SSO service with Outlook and Skype for Business applications, enable the Office 365 tenant for modern authentication.

Connect with Exchange Online PowerShell and use administrative credentials, as such:

$UserCredential = Get-Credential

$ExoSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $ExoSession

Next, use the Set-OrganizationConfig cmdlet to enable the OAuth2 Client Profile:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

For Skype for Business Online, download and install the Skype for Business Online Windows PowerShell module. Connect to Skype for Business Online from a PowerShell prompt:

$UserCredential = Get-Credential

$SfBSession = New-CsOnlineSession -Credential $UserCredential -Verbose

Import-PSSession $SfBSession

Invoke the Set-CsOAuthConfiguration cmdlet to enable Modern Authentication.

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

These are common steps to enable SSO with Windows 10 Azure AD-joined devices and ADFS.

If your organization uses Office 2013 with modern authentication enabled — or Office 2016, which uses modern authentication if available — then the system will prompt clients for a password until you have completed and tested the remainder of the steps.

Configure Intranet Zone settings

Azure Active Directory SSO requires an administrator to add two URLs to Internet Explorer’s Local Intranet Zone on client PCs. This indicates to the client that the specific URLs are safe to use with IWA.

The two URLs to add are:

When you add these URLs to the Intranet Zone in Internet Explorer, Office clients — including Outlook and Chrome — inherit them.

To test the functionality, open the Internet Explorer options page, and on the Security tab, choose Local Intranet, then Sites and finally add the URLs, as shown in Figure 4.

Internet Explorer options page
Figure 4. Test that the two mandatory URLs for Azure AD’s SSO service function in Internet Explorer.

Admins typically deploy these URLs via Group Policy. Open the Group Policy management tools for your domain, and either create or amend an existing policy for users who need SSO. Under the User Configuration section, as seen in Figure 5, navigate to Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Select the Site to Zone Assignment List.

Group Policy Management Editor
Figure 5. Create or adjust Group Policy for users who need SSO.

Add both site URLs to the Site to Zone Assignment List, with the URL as the Value name and the Value as 1, which indicates that the URL should be added to the Intranet Zone, as seen in Figure 6.

Site to Zone Assignment List
Figure 6. Add the value name and value for each URL to join the Intranet Zone.
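
A read-only check of the configuration steps above, as an added example that is not part of the original article: it confirms the AZUREADSSOACC account exists, reads the Site to Zone Assignment List that user Group Policy wrote on the client, and reports the tenant's modern authentication flags when the online sessions are imported. The URLs in $SsoUrls are placeholders to replace with the two URLs your deployment uses; the Add-Result helper is hypothetical.

```powershell
# Added example: read-only checks for the Seamless SSO setup (not the article's own code).
# The URLs are placeholders: pass the two URLs your deployment adds to the Intranet Zone.
param(
    [string[]]$SsoUrls = @('https://<first-sso-url>', 'https://<second-sso-url>')
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result {
    # Hypothetical helper that collects one row per check.
    param([string]$Check, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# 1. The computer account that Azure AD Connect creates in the local AD.
if (Get-Command Get-ADComputer -ErrorAction SilentlyContinue) {
    $acct = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties whenCreated
    if ($acct) {
        Add-Result 'AZUREADSSOACC account' $true "Created $($acct.whenCreated) at $($acct.DistinguishedName)"
    } else {
        Add-Result 'AZUREADSSOACC account' $false 'Not found in the directory'
    }
} else {
    Add-Result 'AZUREADSSOACC account' $false 'ActiveDirectory module not available on this machine'
}

# 2. Site to Zone Assignment List as delivered by user Group Policy (value 1 = Intranet Zone).
$zoneKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$key = Get-Item -Path $zoneKey -ErrorAction SilentlyContinue
$assigned = @{}
if ($key) {
    foreach ($name in $key.GetValueNames()) { $assigned[$name] = "$($key.GetValue($name))" }
}
foreach ($url in $SsoUrls) {
    $zone = $assigned[$url]
    $shown = if ($zone) { $zone } else { 'not set' }
    Add-Result "Zone assignment for $url" ($zone -eq '1') "Zone value: $shown"
}

# Sites in the Intranet Zone are treated as safe for IWA, so list the other entries for review.
$extra = @($assigned.Keys | Where-Object { $assigned[$_] -eq '1' -and $SsoUrls -notcontains $_ })
$extraText = if ($extra.Count -gt 0) { $extra -join ', ' } else { 'none' }
Add-Result 'Other Intranet Zone entries (review)' $true $extraText

# 3. Tenant-side modern authentication flags, when the online sessions are imported.
if (Get-Command Get-OrganizationConfig -ErrorAction SilentlyContinue) {
    $oauth = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Add-Result 'Exchange Online OAuth2ClientProfileEnabled' ([bool]$oauth) "Value: $oauth"
}
if (Get-Command Get-CsOAuthConfiguration -ErrorAction SilentlyContinue) {
    $adal = "$((Get-CsOAuthConfiguration).ClientAdalAuthOverride)"
    Add-Result 'Skype for Business ClientAdalAuthOverride' ($adal -eq 'Allowed') "Value: $adal"
}

$results | Format-Table -AutoSize -Wrap
```

Run it as the signed-in user on a client PC that receives the policy, since the zone assignments are read from that user's registry hive.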

What are the caveats?

Once Seamless SSO is configured and you’ve deployed supporting policies, the sign-in experience removes almost all areas where a user would enter his username and eliminates the need to enter credentials.

But in some scenarios the user needs to enter a username.

A username — typically an email address — is required to access some web-based services, including the Office 365 portal, OneDrive and SharePoint. However, after entering the username, the system won’t prompt the user for a password.

The next-generation OneDrive client, which can sign into both consumer and business OneDrive services, is similar. On first entry, the user must enter a username to sign in but will not be prompted for a password.


What tools troubleshoot Autodiscover in Exchange Online?

Think a move to the cloud means you’ll never have to troubleshoot connectivity issues again? In reality, these types of problems won’t disappear and might be more difficult to solve because you only have control and visibility into part of the application.

Various tools diagnose and troubleshoot problems with Autodiscover, a web service in Microsoft Exchange Online that enables mailbox admins to configure user profile settings.

Use the Outlook troubleshooting utility

Outlook has a built-in Autodiscover troubleshooting tool. To access it, hold down Ctrl and right-click the Outlook icon in the system tray. This brings up a box labeled “Test Email AutoConfiguration,” as shown in Figure 1.

Figure 1: The Outlook Autodiscover tool displays how Office 365 sends Autodiscover information to the client.

This test shows how the client receives — or does not receive — Autodiscover information from Office 365. This tool runs as part of Outlook on the user’s PC: If the organization’s network configuration causes the Autodiscover problem, this tool responds as if the Autodiscover endpoint is offline. To get the correct results, run the test several times from both inside and outside the organization’s network.

Try the Remote Connectivity Analyzer

The Microsoft Remote Connectivity Analyzer is a web-based tool that identifies issues with Office 365 applications (Figure 2). Click on the Office 365 tab and select the Outlook Autodiscover test under Microsoft Office Outlook Connectivity Tests.

Figure 2: Use the Microsoft Remote Connectivity Analyzer to address Office 365 problems.

The Microsoft Remote Connectivity Analyzer runs tests external to the organization’s network. If these tests pass, but the test run from the Outlook client does not, the issue resides with network access to Office 365.

Run the Support and Recovery Assistant

The last tool to try is the Microsoft Support and Recovery Assistant for Office 365 (Figure 3).

Figure 3: The Microsoft Support and Recovery Assistant for Office 365 walks the administrator through the diagnostic process with a series of questions to identify the Autodiscover problem.

The Support and Recovery Assistant asks a series of questions to assist administrators with various Office 365 issues. Depending on the test, the Support and Recovery Assistant might connect to Office 365 from the PC or from test resources that Microsoft maintains, such as the Remote Connectivity Analyzer.

If the Autodiscover issue remains unresolved, open a case with Microsoft Support.


Scrutinize the Office 365 roadmap to steer clear of trouble

Microsoft wants Office 365 administrators tracking every new feature and update that it puts out, but that’s not as easy as it sounds.

The cadence of releases for a cloud-hosted product can be a perk, with a steady arrival of innovative tools and functionality. But it can also be a pain, particularly if Microsoft deprecates a component that a business needs.

On its Office 365 roadmap website, Microsoft lists more than 200 features in development, rolling out or recently launched. New or upcoming features range from Advanced Threat Protection Status — which reports on the malware that ATP catches — to an option for users to delay or choose when Office 365 sends their message. As Microsoft expands Office 365 into a security, collaboration, cloud storage, private branch exchange and communication suite, IT admins must stay updated on the latest changes on the platform and alert users on the availability of new apps and features.

These Exchange and Office 365 experts — all TechTarget contributors — offered their insights on how Office 365 administrators can adapt to Microsoft’s constant changes and their experiences with how businesses handle the twists and turns of the Office 365 roadmap.

Perils of constant change

Michel de Rooij

Many organizations use IT Infrastructure Library-based processes to implement new Office 365 features, which can be problematic because of the service’s rapid rollouts. Instead, look to Microsoft’s Office Insider program, with its fast and slow update rings, to bring updates into your business at the right pace.

Editor’s note: Microsoft’s Office Insider program allows Office 365 subscribers to receive early access to new features that they can test out and provide feedback on.

Let a few power users and IT operate on the fast ring to try out new features, but remember that those updates might never arrive based on your region. For example, I still haven’t received Focused Inbox in Outlook 2016, despite running First Release in Office 365 and Insider Fast for Office 2016. Microsoft sometimes pulls features, which happened to the automatic creation of groups for delegates. Also, Microsoft can turn new features on by default, often without administrative controls. An organization that signs up for these early releases needs to be comfortable with a certain amount of unpredictability.

Finally, Microsoft seems to push for certain features that its customers do not care for, such as the option to create Office 365 Groups when you actually want to create distribution groups.

It’s difficult for email and collaboration tool admins to act proactively against the sudden changes in Office 365’s roadmap, but they should always provide feedback to Microsoft when they have strong opinions about features. Administrator pushback caused Microsoft to pull the change for automatic creation of groups for delegates. There will be discrepancies between what the software provider develops and what customers are comfortable with or actually use.

Keep track of the Office 365 roadmap for changes, both for planned updates and those in development — the latter might arrive sooner than you think.

For more from Michel de Rooij, please visit his contributor page.

Users want the latest and greatest

Reda Chouffani

Office 365 changes constantly. Users will hear about new features and demand training for them. Administrators have to adapt, and they might even block new features from end users until IT can thoroughly test these updates. But admins cannot restrict the flow of enhancements as a long-term solution; users will still want to get what’s new. The IT staff needs to consider what users want while it evaluates whether these features provide a tangible benefit to the company.

New features can also be disruptive after organizations adopt and master them, if the service changes. For example, Microsoft offered a free version of its cloud-based business analytics Power BI feature, but some of its capabilities — such as dashboard sharing — disappeared when a new edition superseded the old. Early adopters of Power BI had to choose between a trial or the paid version — or lose the capability altogether.

There are risks, but Office 365’s constant updates can benefit those who plan ahead. Microsoft helps IT departments implement and adopt platform features with its free FastTrack service. FastTrack ensures the IT team uses best practices with Office 365 and also provides technical assistance with implementation of its services.

For more from Reda Chouffani, please visit his contributor page.

Keep an eye on the roadmap

Neil Hobson

Microsoft’s Office 365 roadmap site lets administrators understand what lies ahead for significant service and feature updates. This roadmap is split into five categories: in development, rolling out, launched, previously released or canceled. To avoid issues, administrators need to check the roadmap regularly for new items that might affect their Office 365 deployment. This gives them the early visibility required to commence high-level planning.

As new features on the roadmap near rollout, Microsoft posts announcements to the Message Center, which can be found within the main Office 365 administration portal. The Message Center also contains dated announcements about changes and actions that prevent or fix issues. Announcements contain a short description of the feature or issue, information on how it will affect the organization, actions to prepare for the update and a link to more detailed information. It is vital that administrators check Message Center posts often to be fully prepared for the imminent changes. Some actions must be completed by a specific date to avoid problems.

Admins can configure Office 365’s tenant release option to manage how the platform pushes out new features. An organization selects the First Release option to receive new features early. Admins can then choose to release those features to the entire organization or just specific users. Alternatively, the Standard Release option means that new features come via the default release schedule.

For more from Neil Hobson, please visit his contributor page.


Tricks and tools to prevent data loss in Office 365

online service, instead of wrestling with day-to-day tasks. This doesn’t mean that IT teams can ignore the possibility of data loss in Office 365.

While there is a sense of security that comes with a cloud service, organizations need to develop their own data retention plans for some Office 365 features.

Businesses rely on their email systems to stay in touch with employees, clients and suppliers. SharePoint remains an integral component for enterprise content management in many organizations. Companies that shift these workloads — and their data — to Microsoft’s cloud platform should be aware that email and content stored in SharePoint or OneDrive are not, by default, protected against accidental or intentional deletions.

With a move to Office 365, some in IT have abandoned disaster recovery (DR) and business continuity plans (BCP) that were required to recover on-premises email and SharePoint platforms. IT teams only need redundant connectivity to the cloud and must trust that Microsoft’s infrastructure, data centers and systems will provide necessary data protection from hardware and software failures.

In Exchange Online, IT teams can only restore an entire mailbox within 30 days after deletion; after that point, they can ask Microsoft for an additional 14 days for a 44-day window of data recovery. SharePoint and OneDrive face similar challenges, as they do not offer easy or efficient ways to restore site collections or lists that have been deleted and removed from the recycle bin.

Filling Office 365’s DR and BCP gaps

Many companies have gaps in their DR plans; an inability to restore data from a specific point of time can lead to risks. While Microsoft offers service-level agreements of 99.9%, Office 365 has limited capabilities around backups — even though some suggest that on-hold features and retention or preservation policies can prevent data loss in Office 365. These options, however, are limited and do not offer easy ways to recover or restore data.

There are several tools on the market – based both in the cloud and on premises — for Office 365 data protection and DR, including SkyKick, Datto, Spanning and AvePoint. These tools offer automated backup of emails, calendars, OneDrive and, in some cases, SharePoint site collections — without the need for any on-premises infrastructure.

Many of the third-party tools can help IT address some of their backup needs around the Office 365 workloads — email, SharePoint and OneDrive. Admins can be confident that some of their digital assets are protected and that their DR plans are complete. But, in reality, as more users expand into other Office 365 services — such as Planner, Office Groups, PowerApps and Flow — Microsoft or other third-party tools need to play catch-up to protect data stored in those services. Currently, those services don’t offer any backup methods.

When evaluating Office 365, plan for Office 365 backups and implement them immediately after going live. Skipping that step would lead to serious risks and an incomplete DR plan. Those organizations that make the switch without the use of backup services put themselves at risk for data loss in Office 365.


Office 365 admin roles give users the power of permissions

When a business moves to the Office 365 platform, its collaborative capabilities can go beyond joint efforts on team projects. They also extend into the IT department by letting users handle some tasks traditionally reserved for administrators.

Office 365 admin roles let IT teams deputize trusted users to perform certain business functions or administrative jobs. While it can be helpful to delegate some administrative work to an end user to reduce help desk tickets, it’s important to limit the number of end users with advanced capabilities to reduce security risks.

Organizations that plan to move to Office 365 should explore the administrative options beforehand. Companies already on the platform should review administrative rights and procedures on a regular basis.

Two levels of administrative permissions

By default, new accounts created in the Office 365 admin center do not have administrative permissions. An Office 365 user account can have two levels of administrative permissions: customized administrator role and global administrator role.

In a customized administrator role, the user account has one or more individual administrator roles. Available Office 365 admin roles include billing administrator, compliance administrator, Dynamics 365 administrator, Exchange administrator, password administrator, Skype for Business administrator, Power BI service administrator, service administrator, SharePoint administrator and user management administrator.

Some Office 365 admin roles provide application-specific permissions, while others provide service-specific permissions. For example, end users granted an Exchange administrator role can manage Exchange Online, while users with the password administrator role can reset passwords, monitor service health and manage service requests.

Customized administrator configurations benefit both large and small organizations. In large organizations, it’s common for separate administrators to manage different services, such as Exchange, Skype for Business and SharePoint. Conversely, small organizations typically have fewer administrators who manage multiple — if not all — systems. In either scenario, if additional help is needed for certain tasks, you can assign appropriate administrative roles to the most qualified users, allowing them to make modifications to the tenancy.

The global administrator role provides complete control over Office 365 services. It’s the only administrator role that can assign users with Office 365 admin roles. The first account created in a new Office 365 tenancy automatically gets the global administrator role. An organization can give the global administrator role to multiple user accounts, but it’s best to restrict this role to as few accounts as possible.

Managing Yammer requires careful planning because it’s separate in the Yammer admin center. The highest level of administrative permissions in Yammer is the verified admin role. An organization can give all Office 365 global administrators this role, but regular users with a Yammer verified role shouldn’t have it.

Security and compliance permissions

An organization must also decide how to configure permissions in the Security & Compliance Center. These permissions use the same role-based access control (RBAC) permissions model that on-premises Exchange and Exchange Online use.

The Security & Compliance Center features eight role groups that allow a user to perform administrative tasks related to security and compliance. For example, members of the eDiscovery Manager role group receive case management and compliance search roles that allow the user to create, delete and edit eDiscovery cases. These users also can perform search queries across mailboxes.

Office 365 provides 29 different roles that an organization can add to role groups, and each role holds different security and compliance permissions. This comprehensive range of role groups and available roles means that an organization must determine the most appropriate security and compliance permissions model.

It’s important to understand differences in role groups and plan permissions accordingly. For example, both the Security & Compliance Center and Exchange Online have role groups named organization management, but they are separate entities and serve different permissions purposes.

Multifactor authentication matters

Enabling Azure multifactor authentication adds another layer of protection around Office 365 accounts with administrator access. Administrators provide proof of their identity via a second authentication factor, such as a phone call acknowledgement, text message verification code or phone app notification, each time they log into the Office 365 account.

If the business uses Azure multifactor authentication, it should educate administrators and service desk staff to ensure everyone knows operational and service desk procedures involved with the security service.

Keep tabs on administrator actions

As administrators make changes to the systems and grant or revoke permissions to users and other administrators, you’ll need a way to review these actions.

In the Office 365 Security & Compliance Center, an organization can enable audit logging and search the log for details of administrator activities from the last 90 days. This log tracks a wide range of administrator actions, such as user deletion, password resets, group membership changes and eDiscovery activities.
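One way to review role assignments in an exported audit log, and to check the advice above about keeping global administrators to a minimum, is shown here as an added example that is not part of the original article. The record field names (`Operation`, `UserId`, `ObjectId`, `ModifiedProperties`), the approved grantor account, the limit of two global administrators and every sample record are assumptions constructed for illustration; compare them with your own export before relying on the logic.

```python
import json

GLOBAL_ADMIN = "Company Administrator"  # directory name of the global administrator role
APPROVED_GRANTORS = {"ga-breakglass@example.com"}  # hypothetical: accounts allowed to assign roles
MAX_GLOBAL_ADMINS = 2  # hypothetical local limit

# Constructed records, one JSON object per line; field names are assumed.
SAMPLE_LOG = """\
{"CreationTime":"2017-09-04T08:12:10","Operation":"Add member to role.","UserId":"ga-breakglass@example.com","ObjectId":"alice@example.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Exchange Service Administrator","OldValue":""}]}
{"CreationTime":"2017-09-04T09:30:00","Operation":"Add member to role.","UserId":"bob@example.com","ObjectId":"carol@example.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Company Administrator","OldValue":""}]}
{"CreationTime":"2017-09-04T10:05:41","Operation":"Add member to role.","UserId":"ga-breakglass@example.com","ObjectId":"dave@example.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Company Administrator","OldValue":""}]}
{"CreationTime":"2017-09-04T10:40:02","Operation":"Reset user password.","UserId":"helpdesk@example.com","ObjectId":"erin@example.com"}
{"CreationTime":"2017-09-04T11:00:17","Operation":"Remove member from role.","UserId":"ga-breakglass@example.com","ObjectId":"carol@example.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"","OldValue":"Company Administrator"}]}
{"CreationTime":"2017-09-04T11:20:55","Operation":"Add member to role.","UserId":"ga-breakglass@example.com","ObjectId":"erin@example.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Company Administrator","OldValue":""}]}
not-json, truncated export row
"""


def parse_records(text):
    """Return (records, skipped): parsed JSON objects and the count of unusable lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(rec, dict) and "Operation" in rec:
            records.append(rec)
        else:
            skipped += 1
    return records, skipped


def role_name(rec):
    """Role named in the record: NewValue on an add, OldValue on a removal."""
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue") or prop.get("OldValue") or None
    return None


def review_role_changes(records, baseline_admins):
    """Replay role changes in time order; return (findings, current global admins)."""
    admins, findings = set(baseline_admins), []
    for rec in sorted(records, key=lambda r: r.get("CreationTime", "")):
        op = rec["Operation"].rstrip(".").lower()
        if op not in ("add member to role", "remove member from role"):
            continue
        role, actor, target = role_name(rec), rec.get("UserId"), rec.get("ObjectId")
        if op.startswith("add"):
            if actor not in APPROVED_GRANTORS:
                findings.append(("unapproved-grantor", actor, target, role))
            if role == GLOBAL_ADMIN:
                admins.add(target)
                findings.append(("global-admin-grant", actor, target, role))
        elif role == GLOBAL_ADMIN:
            admins.discard(target)
    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append(("too-many-global-admins", None, ", ".join(sorted(admins)), GLOBAL_ADMIN))
    return findings, admins


if __name__ == "__main__":
    recs, skipped = parse_records(SAMPLE_LOG)
    for finding in review_role_changes(recs, {"ga-breakglass@example.com"})[0]:
        print(finding)
```
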
