Category Archives: Exchange Server tips tutorials and expert advice

Set up remote domains to control Exchange messaging

information can land in an external recipient’s inbox if the Exchange admin doesn’t use remote domains.

Most organizations have certain external recipients that users send mail to on a regular basis. Exchange Online administrators can control the types of messages and the email format sent to such recipients — and anyone else in the recipient’s domain — by defining a series of remote domains.

Remote domains enforce the organization’s mail flow preferences for recipients in specific domains. Those domains usually belong to a partner organization or vendor, although some businesses use them to restrict the delivery of messages deemed sensitive or undesirable. For example, the organization might block out-of-office messages or automatic replies from going to the remote domain.

A remote domain almost always corresponds to a domain name that does not belong to the organization. Technically speaking, an organization can own the domain name, but it cannot appear within Exchange’s list of accepted domains.

How to set up a remote domain

To configure remote domains, log in to the Exchange Admin Center, and go to Mail Flow > Remote Domains. To add a remote domain, click the Add icon, and then type a display name and the domain. In addition to individual subdomains, admins can also use wildcard characters. For example, to add the poseylab.com domain and its subdomains, enter *.poseylab.com, as shown below.

The settings here will override any configuration or rules a user sets up through a mail client, such as Outlook or Outlook Web App.

Wildcard characters
Admins can use wildcard characters to add subdomains.

The dialog box also contains a number of different options to configure the behavior of communications with recipients in the remote domain.

The first section relates to out-of-office automatic replies. The admin can adjust settings to control not only whether automatic replies go to recipients in the remote domain, but also whether those recipients receive external or internal replies.

Admins adjust the automatic replies portion, as well as automatic forwarding, for recipients in the remote domain.

In the message reporting section, the admin manages both delivery and nondelivery reports, as well as meeting forward notifications, for recipients in the remote domain.

Lastly, select whether to allow the use of Rich Text Format, and choose the Multipurpose Internet Mail Extensions (MIME) character set and the non-MIME character set. Admins can adjust these settings for recipients on other messaging platforms that cannot process certain formats and, as a result, see a winmail.dat attachment on the message.

Save the changes to add the new remote domain. Admins can always adjust the rules for the remote domain by selecting it and clicking the Edit button.

The remote domains list also contains a default remote domain, which cannot be removed. Exchange uses the default domain to control what happens when mail is received from any domain not on the list of remote domains. Admins can edit the default remote domain, which has identical settings to the custom remote domain.
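The same settings can be reviewed and applied from Exchange Online PowerShell. The script below is an added example, not part of the original article: it lists remote domains that still allow automatic forwarding or out-of-office replies, tightens the default remote domain, and then creates the *.poseylab.com entry described above. The display name 'Posey Lab' and the specific policy choices are assumptions made for illustration.

```powershell
# Added example. Requires an Exchange Online PowerShell session
# (Connect-ExchangeOnline from the ExchangeOnlineManagement module).

# 1. Audit: show every remote domain that still lets automatic forwards
#    or out-of-office replies leave the organization.
Get-RemoteDomain |
    Where-Object { $_.AutoForwardEnabled -or $_.AllowedOOFType -ne 'None' } |
    Format-Table Name, DomainName, AllowedOOFType, AutoReplyEnabled, AutoForwardEnabled

# 2. Default remote domain: applies to every domain without its own entry.
#    Assumed policy: no automatic replies or forwards to unknown domains.
$defaultSettings = @{
    Identity           = 'Default'
    AllowedOOFType     = 'None'
    AutoReplyEnabled   = $false
    AutoForwardEnabled = $false
}
Set-RemoteDomain @defaultSettings

# 3. Partner domain: the wildcard covers poseylab.com and its subdomains.
#    'Posey Lab' is a constructed display name.
New-RemoteDomain -Name 'Posey Lab' -DomainName '*.poseylab.com'

$partnerSettings = @{
    Identity                          = 'Posey Lab'
    AllowedOOFType                    = 'External'  # external out-of-office text only
    AutoReplyEnabled                  = $false      # no client-generated automatic replies
    AutoForwardEnabled                = $false      # no client-generated automatic forwards
    DeliveryReportEnabled             = $true
    NDREnabled                        = $true
    MeetingForwardNotificationEnabled = $false
    TNEFEnabled                       = $false      # never send Rich Text (avoids winmail.dat)
}
Set-RemoteDomain @partnerSettings

# 4. Verify the result.
Get-RemoteDomain |
    Format-Table Name, DomainName, AllowedOOFType, AutoForwardEnabled, TNEFEnabled
```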

Multi-geo service tackles Office 365 data residency issues

Many modern enterprises have workers in offices spread all over the world. While there are numerous advantages to a multinational organization, the complexities of managing the data generated by a global workforce can vex even the most adept Office 365 administrator.

When the admin creates the Office 365 tenant, the Exchange Online mailboxes reside in a specific geographic region determined by the organization’s billing address. The mailboxes may be replicated to different data centers within that geographic region. To meet data residency requirements, organizations can create multiple Office 365 tenancies in different geographic regions, but this increases overall administrative complexity.

To address these Office 365 data residency needs and streamline how businesses handle them, Microsoft designed what it calls multi-geo capabilities. With multi-geo, organizations that use Exchange Online can store a mailbox in one of multiple geographic regions within a single Office 365 tenancy.

Here is some information on the multi-geo feature and its configuration for Office 365 data residency.

Multi-geo comes with restrictions

As of publication, the multi-geo feature is in a selective preview stage for Exchange Online and OneDrive for Business. Microsoft plans to release it into general availability for those services in the first half of 2018. The company intends to add multi-geo to SharePoint Online with a preview expected in the first half of 2018. Microsoft said it might add this capability to other Office 365 apps, such as Microsoft Teams, but it has not given any timelines.

However, the multi-geo service comes with restrictions. For example, the India and South Korea geographic regions are only available to organizations with licenses and billing addresses there. Other regions, such as France, are not yet available.

Microsoft recommends an organization with questions about the multi-geo feature talk to its Microsoft account team. The company has yet to unveil licensing details for the service.

Multi-geo introduces new terminology

Home geo is the term Microsoft uses for the geographic region where the Office 365 tenancy was created. Regions that the organization adds later are known as satellite geos. The multi-geo feature provisions new mailboxes in the home geo by default, but admins can start them in a satellite geo.

The organization can move existing mailboxes between home and satellite geos. This operation should not adversely affect workers because the mailboxes will remain in the same Office 365 tenancy, and the Autodiscover service automatically locates the user’s mailbox in the background. However, Microsoft said the multi-geo service does not support Exchange public folders, which must reside in the home geo.

Organizations should monitor the Microsoft Office 365 roadmap for changes in support of the multi-geo service.

PowerShell cmdlets adjust regions

In organizations where directory synchronization hasn’t been deployed, administrators can use two PowerShell cmdlets to set configuration parameters for the multi-geo feature.

Admins can use the Set-MsolCompanyAllowedDataLocation cmdlet from the Azure Active Directory (AD) PowerShell module to set up the additional geographic regions in the Office 365 tenant.

The Set-MsolUser cmdlet features a PreferredDataLocation parameter to specify the geographic region that will store the user’s Exchange Online mailbox and OneDrive for Business files. A user account can only have one PreferredDataLocation for those services.
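A bulk assignment built on the PreferredDataLocation parameter, as an added example that is not from the original article. It assumes the satellite geos are already enabled for the tenant and uses each account's UsageLocation as a stand-in for where the user works; the country-to-geo mapping is constructed for illustration.

```powershell
# Added example. Requires the MSOnline module and an authenticated
# session (Connect-MsolService).

# Constructed mapping: UsageLocation (ISO country code) -> geo code.
# Every geo listed here must already be allowed for the tenant
# (see Set-MsolCompanyAllowedDataLocation).
$geoByUsageLocation = @{
    'DE' = 'EUR'
    'AU' = 'AUS'
    'JP' = 'JPN'
}

$dryRun = $true   # set to $false to write the changes

foreach ($country in $geoByUsageLocation.Keys) {
    $geo = $geoByUsageLocation[$country]

    # Skip users who already have the right value, and skip accounts that
    # are synchronized from on-premises AD: their value must come from
    # the on-premises attribute, not from a cloud-side edit.
    $users = Get-MsolUser -All -UsageLocation $country |
        Where-Object { $_.PreferredDataLocation -ne $geo -and -not $_.LastDirSyncTime }

    foreach ($user in $users) {
        if ($dryRun) {
            Write-Output ("Would set {0}: '{1}' -> '{2}'" -f `
                $user.UserPrincipalName, $user.PreferredDataLocation, $geo)
        }
        else {
            Set-MsolUser -UserPrincipalName $user.UserPrincipalName `
                         -PreferredDataLocation $geo
        }
    }
}

# Summary: how many accounts are pinned to each geo. An empty name means
# the account has no PreferredDataLocation and stays in the home geo.
Get-MsolUser -All |
    Group-Object PreferredDataLocation |
    Select-Object Name, Count
```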

Considerations with directory synchronization

Businesses that have deployed directory synchronization and run a hybrid configuration of Exchange, where some mailboxes are stored on premises and others in Exchange Online, need a new version of Azure AD Connect to support the multi-geo feature. Azure AD Connect synchronizes an on-premises AD user account custom attribute into the PreferredDataLocation attribute in Azure AD.

The admin sets up the geographic region of the user’s Exchange Online mailbox with the AD on-premises custom attribute. After the value is synchronized with Azure AD, Exchange Online uses that setting to place the mailbox in the proper region. This enables admins to adjust settings in on-premises AD accounts to control the geographical region of Exchange Online mailboxes.

Use eseutil for Exchange database repair with care

by making a hasty attempt to get the platform back online without careful planning.

Don’t rush in and start immediate repairs with the command-line tool eseutil. While eseutil is a powerful tool for Exchange database repair work, use it wrong and it can make matters worse. Admins must understand the different functions of eseutil and when their use is appropriate.

Not every problem requires eseutil

Admins can use eseutil for several significantly different Exchange database repair procedures: to defrag a database, to recover damaged page files or to perform a roll-forward recovery of a database. The roll-forward option restores the backed-up data, then runs the transaction logs to recover the cached data.

But the best time to run eseutil depends on the circumstances. Use it in repair mode solely as a last resort when several things go wrong in the environment. If you can’t mount the database and restore backups, it might be your only option.

When database and streaming files don’t match

A failure can cause Exchange to dismount a database. This often happens when the streaming file (STM) and the database file (EDB) are not synchronized. When eseutil starts a database repair, it first checks that the STM file is in sync with the EDB file. If eseutil finds those two files do not match, it will error out.

By forcing eseutil to run an Exchange database repair despite this condition, the admin might lose all data held in the streaming file. The following command ignores the mismatch error and runs the repair:

eseutil /P .edb /I

This command has consequences. The STM file primarily holds user data from Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) clients, so if all clients run Outlook, ignore an STM file mismatch. Conversely, if a large number of clients connect to Exchange servers with POP3 or IMAP, then forcing a repair through an STM file mismatch usually results in data loss.

Restore and roll forward

If the Exchange databases have proper backups, restore and roll forward a database rather than attempt a repair.

This process takes less time and comes with lower risk of data loss. By comparison, even a lightly corrupted database takes around an hour to repair each 5 GB of the database. With the size of databases in most production environments, that’s a significant time investment.

To perform a restore and roll forward, an admin needs two things: a good recent backup of the database and all the transaction logs created after that backup. If both conditions are met, run this command to restore the database and roll it forward:

eseutil /CC

Complete these Exchange database repair steps

Once eseutil completes the repair mode, there are still three tasks to execute before the admin can mount the database.

  1. Run eseutil /D (defrag) against the database.
  2. Run isinteg -fix, which uses another Exchange utility to check the integrity of the newly repaired and defragmented database.
  3. Back up the database.

Management will want the Exchange database mounted and operational as soon as possible, but admins shouldn’t skip these steps. While it’s possible to mount the database after the eseutil repair finishes, the database is not stable until you complete the first two steps, and it’s not safe until the backup is done.

Office 365 compliance features keep data locked down

Stricter guidelines for compliance regarding messaging retention are forthcoming thanks to rules such as the EU General Data Protection Regulation. Administrators new to Office 365 must learn the nuances of this service’s features to prepare for these changes.

Office 365 compliance features differ from those of on-premises systems, such as Exchange Server. The tools to identify, retain and remove data are built in to the Office 365 Security & Compliance Center. This portal enables businesses to keep data for as long as necessary without third-party tools or extra storage, and it works across Microsoft’s cloud services.

This article looks at the Office 365 compliance features, where they fall short and how admins can adjust for these shortcomings.

Master the Office 365 Security & Compliance Center

Until recently, Office 365 mirrored its on-premises counterpart — IT managers administered and managed compliance within each individual service. To keep data in Exchange Online, the admin would adjust settings in the Exchange Admin Center with terminology specific to Exchange. It works the same with SharePoint Online.

The Security & Compliance Center changes all this. It uses a unified portal to manage compliance functionality across the Office 365 suite. Admins use the portal to create policies for all data within the Office 365 tenant. Admins also use this section to perform discovery and searches across multiple services within Office 365.

Office 365 Security & Compliance Center
Figure 1: Admins use the Security & Compliance Center to handle compliance tasks for data across the Office 365 suite.

Admins use the Security & Compliance Center to manage data in several areas. Your organization might need more than one of these Office 365 compliance features.

  • Data loss prevention (DLP): This section identifies sensitive content automatically and prevents users from uploading or sharing the data externally or internally.
  • Data governance: This area sets policies across Office 365. It works to define how long to keep, and when to remove, data. Admins can also archive data or mark it for supervision review.
  • Classifications: This section lets admins define labels to tag content in OneDrive, SharePoint and Exchange services. These labels work with the data governance function to categorize data and apply preservation rules.
  • Sensitive information types: These definitions automatically match data, such as credit card or Social Security numbers. Built-in definitions cover most financial, medical, health and personal data, and admins can also add customized definitions. DLP functions and classifications use these definitions to automatically detect sensitive data.

Understand the capabilities of Office 365 compliance features

An enterprise’s most common compliance requirement is to keep all data for a certain amount of time. Most organizations must retain data for five to 10 years, although the requirement is longer for some.

With an on-premises mailbox server, organizations typically use email journaling for compliance purposes. An email journal makes a copy of every email message — this includes the message envelope and BCC recipients — on a separate system. The business retains the copy for as long as necessary.

How to build new labels in Office 365, then publish them with a policy.

Organizations on Office 365 do not need a product that copies and stores data from Exchange or SharePoint. If a worker alters or removes data from the mailbox, SharePoint sites or OneDrive for Business, data governance keeps the original in Office 365.

In Figure 2, an admin creates a policy that targets all Office 365 data. To add an extra layer of security, the preservation lock feature prevents the Office 365 administrator from removing the policy.

Office 365 policies
Figure 2: This policy protects data in all areas of the Office 365 suite.

Use DLP to hinder leaks

Many organizations with on-premises messaging servers try to prevent disclosures of sensitive data in email with edge-based DLP tools. But edge-based DLP tools only defend the email gateway and do not account for other ways users share sensitive information. Unless it integrates with OneDrive or SharePoint, an edge-based DLP tool does not scan documents included as a link, rather than an attachment, in email.

Office 365 DLP works across both Exchange and SharePoint and prevents sensitive data from being uploaded and shared. For example, admins can configure Office 365 DLP to prevent users from sending a list of credit card numbers to a OneDrive for Business account. Alternatively, admins can set a DLP policy to stop users from sharing credit card numbers with external guests.

New DLP policy
Figure 3: This Office 365 DLP policy sends an alert if the content includes insurance information or passport numbers.

The classifications feature identifies and marks this sensitive data for retention and removal. Autolabel policies can search for data across Exchange, SharePoint and OneDrive by keyword. The admin can further adjust settings in sensitive information types to mark data and remove it.

Who needs to take the Exchange 2016 exam?

IT pros debate whether it’s worth the effort to pursue a Microsoft certification. But in a job search, it can tip the scales in favor of one candidate over another.

For Exchange administrators, the 70-345 exam covers the design and deployment of Exchange Server 2016. The test poses installation and troubleshooting questions that range from mailbox database issues to data loss prevention setup.

Microsoft recommends test-takers have at least three years of experience with the management and design of Exchange Server and familiarize themselves with the integration of Exchange Server with Office 365 and Skype for Business. Admins should also have a strong grasp of PowerShell and comprehensive networking skills.

IT pros build credit toward a Microsoft Certified Solutions Expert (MCSE) certification by passing the Exchange 2016 exam. However, Microsoft certification exams do not define IT pros. There are many “paper MCSEs” — admins who don’t know how to manage the products covered by the exams they passed. Conversely, others are well-versed in specific Microsoft products but never took a certification exam.

IT pros should ask themselves these questions before they opt to take the Exchange 2016 exam.

Will I benefit from passing the Exchange 2016 exam?

When I started my career as an IT professional in the 1990s, Microsoft exams were crucial. My first MCSE was a huge stepping stone in my professional development and helped me get a significantly better position. I can’t say that every exam I took was completely relevant or made me a better IT professional, but they helped me get jobs. If you think a Microsoft certification exam will get you promoted, start studying. These tests are great for IT rookies.

For experienced IT admins? Not so much. I’ve passed the latest version of the Exchange Microsoft Certified Solutions Master exam, so I don’t see much benefit in another Exchange MCSE test. The answer will vary depending on the trajectory of each admin’s career.

How is this exam different from earlier Exchange tests?

Admins with experience on previous exams for Exchange or other Microsoft technologies might think they know what to expect. In many ways, the 70-345 exam is more of the same, but there are a few key changes.

First, there is only one Exchange 2016 exam, whereas there were two tests for Exchange 2013. The exam isn’t harder, just more concentrated. There are fewer overall Exchange questions, but Microsoft removed the easy ones. In that regard, the margin for error is smaller.

Second, Microsoft Learning modernized its certification exams to make them more relevant to today’s workplace. The questions in the 70-345 exam are improved: they are more focused, with fewer debatable answer choices.

Is on-premises Exchange even a thing anymore?

This is an important question for anyone who wants to invest their time and money to train for any technology.

Microsoft encourages businesses to move to the cloud, but that isn’t an option for many enterprises. As long as demand remains for on-premises Exchange, Microsoft will develop the product. It’s possible Exchange 2019 will require an Office 365 subscription, but admins would still need to know how to manage Exchange.

On-premises Exchange will likely remain in many enterprises for some time, at least through Exchange 2019. If your organization doesn’t plan to move to the cloud, an on-premises certification brings value.

Do I need practical experience to pass the Exchange 2016 exam?

I’ve worked with Microsoft Learning to write certification tests, and while the current exams are now more based on the real world, admins can probably pass the 70-345 exam without in-production experience on Exchange 2016.

But preparation still matters. Most test-takers rush to finish Microsoft’s test. Admins receive only 150 minutes for each exam. I recommend that IT admins build a lab and play with Exchange to maximize their familiarity with the platform.

Don’t get hung up on Office 365 Cloud PBX pitfalls

For IT administrators, the value of Microsoft’s Office 365 Cloud PBX service is that it consolidates telephony services with email messages and cloud storage in one consumable portal. But make no mistake, this is not plug-and-play.

Admins must be sure their in-house business technology is compatible with the service to get all of its features. Office 365 Cloud PBX with public switched telephone network (PSTN) dialing capabilities enables workers to use Skype for Business Online to:

  • place, receive, transfer and mute calls;
  • click a name in the address book and call the contact; and
  • use mobile devices, a headset with a laptop or PC or an IP phone that works with Skype for Business.

However, the real benefit is that Cloud PBX integrates those features into the Office 365 portal. Admins manage all the Office 365 services, which include mailboxes and licenses, in one place and need only contact one vendor should a problem arise. But like any move to a cloud service, it requires planning and preparation.

Here are some benefits of Office 365 Cloud PBX and tips on how to easily transition to the cloud service.

Office 365 now fully replicates on premises

Many IT admins use the administrative console to handle some of the major applications within Office 365, such as Exchange, SharePoint, licensing and Skype for Business.

But Office 365 didn’t fully replace on-premises servers until Microsoft included a PBX service in the E5 subscription plan. Office 365 Cloud PBX includes critical features, such as call queues and an automated attendant, that make the service more comparable to, and therefore a full-blown replacement for, Exchange Server for businesses.

Microsoft catches up on needed features

Businesses expect modern unified communications (UC) platforms to offer advanced features, such as collaboration tools, mobility, call routing, hunt groups, instant messaging, presence technology, voicemail on the go and portability to take an extension or direct inward dialing anywhere users want. Businesses wish to use these platforms as a service and don’t expect to purchase hardware other than the clients’ handsets.

However, many admins found that Office 365 E5’s early release fell short. The main complaint was that it lacked two essential features: automated attendant functionality and call queues.

Microsoft finally released those capabilities for general Office 365 tenants in April 2017. The company offered Skype for Business Online as a complete, hosted option with enterprise features and functions that are comparable to its on-premises counterpart. This means IT administrators don’t deal with the complexities and challenges of an on-premises voice over IP (VoIP) system and still keep the crucial features that the enterprise needs.

Microsoft will replace Skype for Business Online with Microsoft Teams likely by 2020, a problematic development for companies that rely on the former for telephony services.

IT considerations before a move

The introduction of a cloud-based UC system requires planning and preparation. Consider the following checklist before you bring Office 365 Cloud PBX into the business.

Avoid points of failure: Like an email server, a phone is a critical communication component. Before you install Office 365 Cloud PBX, make sure your system has multiple reliable network connections. For example, a manufacturing firm located in a rural area can’t switch its phone system to the cloud without this redundancy.

Look into new handsets: Before an organization replaces its existing VoIP with Skype for Business, IT needs to determine if the legacy handsets work with Office 365 Cloud PBX. Microsoft supports several hardware vendors, but Skype for Business with PSTN might not be compatible with some handsets. Check your firmware requirements.

Consider compliance requirements: Security is always a concern when an enterprise moves data into the cloud. Office 365 provides functionality, such as specific rules and policies, to help enterprises meet compliance obligations in email messages, archives and e-discovery. Skype for Business includes similar capabilities to archive and search for messages and interactions. In addition, admins can access detailed audit trails on communications for security reviews.

Monitor usage to manage costs: IT admins who oversee corporate mobile devices should know how to monitor data usage; it helps them stay on budget, and it identifies which resources each user consumes. Similarly, Skype for Business offers domestic and international plans with a set number of minutes. IT admins should examine several reports to monitor those plans and manage costs.

Cloud App Discovery spotlights shadow IT users

Do you know what end users do with a company’s data? Do they use Dropbox to share documents with clients? Discuss trade secrets via Slack? Plan secret projects on Trello? The Cloud App Discovery feature in Office 365 reveals certain shadow IT practices admins need to know to secure the enterprise.

End users often enlist cloud services to perform their jobs, but the practice of introducing unsanctioned apps invites risk. It circumvents security practices, which potentially opens the company to an unexpected compliance issue or a cyberattack. Cloud App Discovery uncovers shadow IT without the need to implement agent-based software on users’ computers and mobile devices.

Here’s how to identify and monitor use of unauthorized cloud services within the organization — and what to do about it.

Find hidden app usage with Cloud App Discovery

Office 365’s E3 subscription includes Cloud App Discovery, a component of Cloud App Security. This service interprets log files from web proxy servers, firewalls and network devices, such as wireless access points and switches, to create a visual picture of the shadow IT services used in the organization.

Cloud App Security dashboard
Figure 1. The Discover tab in Office 365 Cloud App Security presents a visual summary of shadow IT services used in the organization.

The Office 365 version of Cloud App Discovery indicates services that have similar functions to Office 365 apps, especially productivity services. Therefore, the discovered apps section does not include nonproductivity applications. We’ll show how to uncover those later in this article.

Create reports of productivity apps

Cloud App Discovery uses logs taken from a network device that sits between end users and the internet. The Cloud App Discovery service supports common log file formats, such as those generated by Cisco access points, open source web proxy servers or third-party cloud services, such as Symantec Websense.

The admin then accesses the Cloud App Discovery feature from the Security & Compliance Center. Download a log file from the network device in a format that Cloud App Discovery supports, navigate to the main console and choose Discover > Create new snapshot report.

Search for and specify the log format from the list, then upload the log file. Office 365 takes up to 24 hours to process and display the results.

Figure 2. To create a new snapshot report, search for the log format you want to use, and upload the log file.

Navigate to Discover > Manage snapshot reports to see the uploaded file. Office 365 shows processed reports as Ready.

Figure 3. The snapshot reports section indicates when the admin uploaded the report and its status.

The report shows the productivity apps in use from the Office 365 platform and from other cloud services. Select an app to open an Excel spreadsheet for more details, such as how many users accessed the service, how many times users accessed it and the amount of traffic uploaded to and downloaded from the service.

Figure 4. View the report to see the productivity apps that are in use and to see detailed information about each app.

Automate the log upload process

Organizations that subscribe to Enterprise Mobility and Security (EMS) E3 can extend Cloud App Discovery’s functionality in several powerful ways.

The continuous reports feature automates log uploads through a customized VM with a syslog server and an HTTPS uploader.

To configure continuous reports, use the Discover > Upload logs automatically option in Cloud App Security. The admin adds a data source, which replaces the uploaded log file. The admin then defines a log collector and links it to the data source, which generates the information to deploy the Hyper-V or VMware VM.

After the VM deploys, configure one or more network devices to send data to the log collector in the format that matches the defined data source. Figure 5 shows an example of a Cisco Meraki device set up to send URL data in syslog format to the log collector’s VM IP address.

Figure 5. Configure a network device to send data to the VM IP address for the log collector.

After about 24 hours, results from logged data will appear in the Cloud App Discovery section. The admin accesses both real-time and historic information related to app usage.

Figure 6. The Cloud App Discovery dashboard shows current app usage statistics and provides access to historical information.

See the threat level of shadow IT services

Aside from productivity services — such as webmail, cloud storage and content sharing — Cloud App Discovery also provides visibility into other areas. The EMS-based version of the tool detects internet of things devices, cloud service use from providers such as Amazon Web Services and visits to websites.

Cloud App Discovery ranks the discovered services based on risk score from one to 10. A lower score indicates a more suspicious application. The Cloud Discovery service determines the rank through assessment of security policies, such as where the data resides, who has access, who has control and whether organizations can prevent unauthorized access.

Apps designed for enterprise use, such as Google’s G Suite, get good scores. Services that provide less organizational control, such as WhatsApp, receive poor grades.

WhatsApp is considered a risky service because no one has administrative control. For example, a financial advisor who communicates with a client over WhatsApp could breach regulations because the business cannot record the conversation for future discovery.

View the detailed report on each service, and decide whether to approve the cloud service.

Figure 7 lists the services with usage statistics and threat level:

Figure 7. The Discovered apps tab lists the services used on the company network with details on the traffic used and the risk score.

Take action against shadow IT

Administrators should take action when armed with data from Cloud App Discovery. If workers use Trello, Slack and Box, then admins should deploy the corresponding Office 365 services — Planner, Teams and OneDrive for Business, respectively.

However, IT should still take action even if the business can’t make these Office 365 apps immediately available. In that case, let end users know that the company plans to roll out Microsoft services to replace shadow IT apps. Explain the benefits of the move, such as service integration across the Office 365 suite.

The EMS-integrated capabilities give admins a way to configure security alerts when workers use these unsanctioned apps. Part of the continuous reports feature provides partial control over the use of apps. For example, an admin creates a rule that identifies when a user downloads a lot of data from Office 365 and then uploads a lot of data to Dropbox. When the rule detects this activity, the admin gets an alert and notifies the security team to block that user’s access to Office 365.
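The per-app figures in the snapshot report (users, access count, traffic uploaded and downloaded) and the download-then-upload alert rule described above can both be derived from raw proxy logs. The Python below is an added example, not Microsoft's implementation: the log layout, the host catalogue, the 50 MB threshold and every function name are assumptions, and the log lines are constructed.

```python
import csv
from collections import defaultdict

# Constructed proxy log: timestamp,user,host,bytes_uploaded,bytes_downloaded
SAMPLE_LOG = """\
2018-03-01T09:00:05,alice,outlook.office365.com,12000,480000
2018-03-01T09:05:00,bob,www.dropbox.com,70000000,3000
2018-03-01T09:10:11,alice,contoso.sharepoint.com,2000,60000000
2018-03-01T09:20:42,carol,app.slack.com,5000,90000
2018-03-01T09:31:00,alice,content.dropbox.com,30000000,1000
2018-03-01T09:33:30,alice,content.dropbox.com,25000000,1000
2018-03-01T09:40:00,bob,contoso.sharepoint.com,1000,80000000
2018-03-01T09:45:00,dave,intranet.example.local,100,100
malformed line without enough fields
"""

# Hypothetical host-suffix catalogue; the real service maintains its own.
APP_CATALOG = {
    "office365.com": "Office 365",
    "sharepoint.com": "Office 365",
    "dropbox.com": "Dropbox",
    "slack.com": "Slack",
}
SANCTIONED = {"Office 365"}

def app_for_host(host):
    """Map a hostname to an app by exact or dot-boundary suffix match."""
    host = host.lower().rstrip(".")
    for suffix, app in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def parse_log(text):
    """Return events for known apps; skip malformed rows and unknown hosts."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 5:
            continue
        ts, user, host, up, down = (field.strip() for field in row)
        app = app_for_host(host)
        if app and up.isdigit() and down.isdigit():
            events.append(dict(ts=ts, user=user, app=app, up=int(up), down=int(down)))
    return events

def snapshot_report(events):
    """Per app: distinct users, access count, bytes uploaded and downloaded."""
    seen = defaultdict(set)
    report = defaultdict(lambda: {"users": 0, "hits": 0, "up": 0, "down": 0})
    for e in events:
        row = report[e["app"]]
        seen[e["app"]].add(e["user"])
        row["users"] = len(seen[e["app"]])
        row["hits"] += 1
        row["up"] += e["up"]
        row["down"] += e["down"]
    return dict(report)

def bulk_transfer_alerts(events, threshold=50_000_000):
    """Alert on a large sanctioned-app download followed by a large upload elsewhere."""
    pulled = defaultdict(int)   # per user: bytes downloaded from sanctioned apps
    pushed = defaultdict(int)   # per (user, app): bytes uploaded after the pull
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["app"] in SANCTIONED:
            pulled[e["user"]] += e["down"]
        elif pulled[e["user"]] >= threshold:
            key = (e["user"], e["app"])
            before = pushed[key]
            pushed[key] += e["up"]
            if before < threshold <= pushed[key]:
                alerts.append({"user": e["user"], "app": e["app"], "ts": e["ts"]})
    return alerts
```

Ordering matters in the rule: bob's Dropbox upload is not flagged because it precedes his Office 365 download, while alice's two uploads cross the threshold only in combination.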


Office 365 admin portal updates offer new insights

the data center. But Microsoft’s updates to its Office 365 admin portal give IT visibility into the platform to assist with training and troubleshooting.

Office 365 reduces an organization’s on-premises infrastructure and applications, such as email servers and SharePoint, in favor of a hybrid or pure cloud play. With this shift, admins spend more time monitoring the status of Office 365 services to stay abreast of disruptions and outages that potentially affect users.

The service health dashboard is a critical part of the Office 365 admin portal for administrators. It provides a single place to check the status of their online services and determine if a disruption impacts the business. Recent enhancements to the portal relate to the overall health of the services, and others focus on ways for admins to encourage user adoption of the platform.

Microsoft overhauls the Office 365 service health overview

The summary view of the Office 365 service health dashboard gives admins an indication of any trouble at a glance. This area displays any recent incidents and advisories from Microsoft and also includes messages about planned maintenance to the platform. Microsoft notifies customers at least five days prior to any work that affects service performance.

If there is an ongoing issue, administrators drill into the service to get additional details. Microsoft also provides access to historical data of service problems that admins further segment with date filters.

Figure 1. The summary view of the Office 365 service health section indicates when a disruption occurred.

Power BI dashboards share user insights

Other updates in the Office 365 admin portal include new service usage dashboards to enable administrators and business leaders to see statistics on end-user activity in the different workloads.

Administrators must configure the free Power BI subscription and activate the Office 365 adoption content pack — found under the Reports > Usage section on the left navigation menu — to produce the dashboards.

After the setup, the Power BI service pulls in usage data to populate dashboards with valuable insights related to user activity in Exchange, Skype for Business, OneDrive, SharePoint and Yammer; user adoption by product, department and region; and assigned licenses. The dashboards are then available through PowerBI.com or from a mobile device or a tablet that runs an iOS, Android or Windows platform.

Figure 2. PowerBI.com displays the dashboards related to Office 365 service usage.

Through Power BI, administrators gain access to advanced interactive capabilities. If the admin asks a question, the system responds with data visualizations. For example, Power BI generated the chart in Figure 3 in response to the request for “Total active users by product.”

Figure 3. Power BI generates visual data based on queries from the administrator, such as active users for each product.

Microsoft also improved the visibility into directory synchronization services. The health of this service is critical because it relates to the connectivity and synchronization between Active Directory in the client’s environment and Office 365. A problem with this service can result in issues with user account synchronization.

Administrators monitor this area under Directory Synchronization services in the service health section.

More visibility on the horizon

Microsoft’s roadmap indicates the company plans to release more features in the Office 365 service health section to provide:

  • specific user monitoring capabilities;
  • access to user-level details;
  • automated service health notifications via SMS or email; and
  • ability to send faster incident reports.

The new usage reports gauge the level of end-user engagement with different services and products. System engineers can still use the native Office 365 admin portal reports to track service use if they prefer them over Power BI.

Control Office 365 costs — or pay the price

Administrators who move to Office 365 need to acclimate themselves to the nuances of the SaaS-based cost structure…

on Microsoft’s cloud platform — or ignore it at their budget’s peril.

Office 365 is an attractive option for a business with an older Exchange Server platform winding down on its lifecycle. Microsoft offers several different subscriptions that charge a flat rate, but some a la carte services cost extra. With that in mind, admins must also monitor these additional Office 365 costs to ensure they don’t spiral out of control.

Admins can’t predict the overall total cost of ownership over several years without first evaluating several areas. For one, Office 365 offers more services bundled together under different plans. Microsoft treats some of these services as add-ons that require additional purchases, which adds complexity to Office 365 licensing.

IT decision-makers must evaluate what they need from Office 365, and that includes a careful cost analysis and upfront sizing — this consists of provisioning of cloud services, migration work and third-party services for Office 365 backups. For most IT projects, the business only approves a technology purchase or investment when tangible returns justify the project’s costs. As a result, admins should review all aspects of Office 365 costs, including the areas listed below.

Define the right licenses for the right users

Identify the Office 365 licenses that each user needs based on their roles and requirements. Map out which plans go to what users to lock in Office 365 costs. Not every user needs the more advanced services, such as the analytics product Power BI Pro. Put users in categories, then determine the appropriate license for each group.

The Office 365 Enterprise E3 plan costs $20 per user per month and includes services such as the on-premises Office suite, Skype calling and Sway presentation app — which is overkill for some workers. Some users don’t need the on-premises Office applications; for those employees, Microsoft offers an Enterprise E1 plan that costs $8 per user per month.

Perform frequent audits

When a business moves to Office 365, the IT team needs to learn how to manage and monitor the platform’s services. Admins should use Office 365’s reports to conduct a quarterly or even monthly review of licensing use.

The Office 365 adoption content pack in Power BI builds customized dashboards that provide insights into application activations and how departments and locations use Office 365. Admins should use this data to find underutilized services to discern if employees can work without some services to reduce costs.

Monitor services with variable costs

Every Office 365 subscription goes for a flat rate, but additional workloads bring extra charges. Advanced features — such as Advanced Threat Protection, Advanced Security Management, Cloud PBX and Power BI — often make Office 365 costs add up.

For example, the public switched telephone network feature in Office 365 Enterprise E5 often brings extra expenses. Workers get a set number of minutes for domestic and international calls, but when users exceed that limit, Microsoft adds additional charges to the monthly bill. Admins must monitor consumption to ensure these variable Office 365 costs don’t get out of hand.

Take advantage of licensing tools

The Office 365 license manager in the admin portal lets administrators assign licenses and see the current consumption of licenses, which makes the assignment process less confusing. Admins well-versed in PowerShell also have the option to allocate licenses via that management tool. Microsoft additionally provides a group option based on the categories created by the IT department.


Migrate to Exchange 2016 and beat the rush

The clock is ticking if you still run Exchange 2010. Extended support for that messaging platform expires in January…

2020. It makes sense to move to Exchange 2016 now, whether you plan to put your email system in the cloud in the future or not.

A company that waits until the end of support for Exchange 2010 limits its choices and invites the administrative headaches of a rushed migration. Explore your options, and discover the perks of a messaging platform designed in the cloud era. Exchange 2010 shops should plan to migrate to Exchange 2016 sooner rather than later.

Don’t panic, but get ahead now

Exchange 2010 launched in 2009, and the requirements for a messaging platform today are different. Businesses should go through an extensive planning checklist before they migrate to Exchange 2016. They must determine if they require new hardware, if virtual infrastructure replacements will work with Exchange 2016 and how to handle third-party archiving tools, such as Enterprise Vault. Suddenly, that end-of-support date isn’t as far away as it seems.

Additionally, Exchange 2016 leaves mainstream support in 2020 and enters extended support until 2025. If you migrate to Exchange 2016 now, you benefit from a fully supported product in its prime rather than jumping from one elderly edition to another.

Expect a more complex migration if you wait until 2020 and want the most advanced on-premises version of Exchange. Based on Microsoft’s history, the company could launch a new version of Exchange in 2020. Do not presume Microsoft will allow users to migrate directly to that platform from Exchange 2010. If the past is any indication, companies will need to hop to Exchange 2013 or 2016 first.

Avoid combination of Office update and mailbox migration

Say an Exchange 2010 business wants to get to Office 365 eventually. It will be easier to get there if it migrates to Exchange 2016 first. The on-premises server ensures a simple, supportable migration path to Office 365. That’s because new versions of Microsoft Office likely won’t support Exchange 2010. For a direct move from Exchange 2010 to Office 365, Microsoft could require the administrator to deploy a new version of Office. Don’t get stuck with the pain of an Office version switch as you simultaneously push mailboxes to the cloud.

Acknowledge that Exchange Online isn’t for everyone

However, it doesn’t make sense for every shop to go to Exchange Online, now or in the future. Small businesses don’t always have fast and reliable internet connectivity. Midsize companies host Exchange on existing infrastructure because it’s a low-cost option. Enterprises often move a few mailboxes to Exchange Online but need to maintain an on-premises presence to meet legal or contractual requirements.

Get the latest innovations in Outlook

Outlook has come a long way on its web, desktop and mobile versions since Microsoft launched Exchange 2010. Outlook on the web comes with modern functionality, such as rich text formatting and improved cross-browser support. Exchange 2016 aligns closely with the features in Exchange Online and Outlook.com.

Some other benefits to an Outlook upgrade include easier image placement and link previews in email messages. Integration with Office Online Server enables rich document viewing and inline document editing in email replies.

Outlook borrows inbox management features from Office 365, such as the sweep function to delete unwanted email. Outlook add-ins integrate with cloud services and third-party apps from both Outlook on the web and Office 2013 or higher.

Gain from a simplified deployment model

Exchange 2010 enabled admins to split server roles, which complicated the deployment process. Exchange 2016 changed that model with the Mailbox role, which bundles all the services to run client access, transport, unified messaging and the traditional mailbox role.

Microsoft also publishes its Exchange Preferred Architecture (PA), which simplifies highly available deployments. With this arrangement, there’s no need for intelligent load balancers to handle traffic for Exchange Server; a round-robin domain name system manages client access. This model benefits multisite deployments with easy failover between sites. Administrators who manage a multisite database availability group deployment with Exchange Server know that failover and failback URLs are a pain. Exchange Server 2016 removes this difficulty and enables URL sharing across data centers.

Reduce hardware and backup requirements

Exchange 2010 uses significant space for backup storage and RAID disks. An Exchange 2010 highly available deployment typically has at least two database copies — and usually three or more for a multi-data center deployment. These databases often run on RAID 10 on expensive virtual infrastructure. With this setup, Exchange 2010 requires six to eight times the amount of raw storage required for just the databases.

A PA deployment of Exchange Server 2016 does not use traditional backup software or RAID technology to protect data. This Exchange version works directly with the underlying disks, with spare disks defined within Exchange instead of the RAID array. It uses the automatic reseed feature to restore failed databases with online disks. This enables admins to use a redundant array of inexpensive servers with Exchange 2016 instead of a virtualized configuration that is not tuned or optimized to work with the platform.

Take advantage of cloud-tested compliance, DLP functionality

Organizations that use traditional journaling and archiving software usually migrate that functionality to Exchange Online when they move to the cloud.

Journaling includes in-place hold — introduced in Exchange Online and Exchange 2013 and refined over time — which keeps an immutable copy of the original email message even if the user deletes it. This is similar to litigation hold in Exchange 2010 but with several improvements, such as retention of blind carbon copy information, ability to set a time length on a hold and the enhanced discovery capability.

Exchange 2016’s data loss prevention (DLP) technology detects sensitive data, such as Social Security numbers or credit card numbers. DLP prevents that sensitive information from entering the email system and stops users from sharing it outside the organization. Many organizations already use DLP to meet requirements such as the General Data Protection Regulation.

Plug into the cloud to use its tool set

If you adopt Office 365 but can’t move all — or any — mailboxes to the cloud, migrate to Exchange 2016 to benefit from its cloud-integrated features with a hybrid setup.

For example, the modern attachments feature shares files from OneDrive for Business, Microsoft’s cloud storage service. The file appears as a normal attachment, but it is stored in and shared from OneDrive rather than the user’s mailbox.

Administrators in a hybrid setup will appreciate the simplified management, while users will benefit from Office 365 features.
