Category Archives: Hyper-V

Why You Should Use OneDrive for Business

As part of your organization’s journey to the cloud / digital transformation, document storage is key. OneDrive for Business (OD4B) replaces the traditional local “Documents” folder and opens up access to work documents from anywhere, on any device, along with many other capabilities.

This article looks at what OneDrive for Business is, how it compares with personal OneDrive, how to use OD4B, how to protect your files and share them securely with others, and some tips for Microsoft 365 administrators managing OD4B for a business. If you’d like an overview of how to use OneDrive for Business, I’ve made the video below, which accompanies this article:

The Basics of OneDrive for Business

OD4B is SharePoint-based cloud storage, licensed as part of Office / Microsoft 365, that gives each user 1 TB of storage for their documents. You can access these documents from any Windows PC (the client is built into Windows 10 version 1709 or later, and is available as a download for earlier versions) or Mac, as well as through apps for Android and iOS. You can also access OD4B in any web browser; one easy way to get there is to log in at and click the OneDrive icon.

OD4B in

Alternatively, you can right-click on the folder in Windows Explorer on your desktop and select View online.

Right click on OD4B in Windows Explorer

Either way, you end up in the web interface where you can create new Office documents, upload files or folders, sync the content between your machine and the cloud storage (see below) as well as create automation flows through Power Automate.

OD4B web interface

Note that if you click on an Office file in the web interface, it’ll open in the web-based version of Word, giving you the option of working on any device where you have access to a browser.

For most people, 1 TB of storage is sufficient, but many modern devices don’t come with that amount of internal storage, so you may need to choose what to sync to the local device. There are two approaches: you can right-click on a folder or file and select Always keep on this device, which does exactly that (and takes up space on your local PC), or Free up space, which deletes the local copy but keeps the file in the cloud. You can tell the states apart by the icon: a filled green tick (always on this device) or a white cloud (space freed up). The automatic way is simply to double-click a file you need to work on; it is downloaded (green tick on a white background) and marked Available locally. This feature is called Files On-Demand.

In Windows, there’s also a handy “pop up” menu to see the status of OD4B, see which files have been recently synced, and also lets you pause syncing temporarily.

Pop up menu from OD4B client

If you’re working in Word, Excel, PowerPoint in both Windows and Mac on a file stored in OD4B (and OneDrive personal / SharePoint Online) it’ll AutoSave your changes without you having to save manually. OD4B will also become the default save location in Word, Excel, etc.

And the “secret” is that OD4B is just a personal document library in SharePoint Online, managed by the OD4B service.

Choosing syncing options for folders

OneDrive versus OneDrive for Business

If you sign up for a free Microsoft account, you get the personal flavor of OneDrive, which provides 5 GB of storage. You can augment this with a Microsoft 365 Personal (1 person) or Home (up to 6 users) subscription providing up to 1 TB of storage per user, as well as Office for your PC or Mac.

From an end-user point of view the services are very similar but the business version adds identity federation, administrative control, Data Loss Prevention (DLP), and eDiscovery.

Advanced Features

OD4B provides quite a few advanced features that the casual user might not know about. For instance, when you’re attaching a document to an email, you’ll have the option to attach a link to the document in your OD4B instead of a copy of it. If you’re emailing the document to someone internally in your business or someone externally that you collaborate with, this is a better option as you’ll both still be working on the one file (potentially at the same time, see below) rather than having multiple copies attached to different emails and ending up having to manually reconcile the edits at the end.

Known Folder Move is another feature that you can enable as an administrator. It redirects the Desktop, Documents, Pictures, Screenshots and Camera Roll folders from a user’s local device to OD4B. This has two benefits: first, if a user loses their device or it breaks, their files are still there when they log in on a new device; second, they can keep using their local Documents, Pictures, etc. folders as they always have.

There’s also versioning built into OD4B, which keeps track of each version as it’s saved; you can access this either in the web interface or by right-clicking on a file in Windows Explorer.

OD4B document versions

The Recycle bin in the web UI for OD4B has saved many an IT Pro’s career when the CEO has deleted (“by mistake” – but they swear they never hit delete) an important file. Simply click on the Recycle bin and restore files that were deleted up to 93 days ago (up to 30 days for OneDrive personal). A related feature is OneDrive Restore, which lets you recover an entire OD4B (or parts of it), perhaps after all the files have been encrypted by a ransomware attack. It also shows a histogram of versions for each file, making it easy to spot the version you want to restore.

Using AI, OD4B (and SharePoint) automatically extracts text from photos you store so that you can use it when searching for files; it also automatically provides a transcript for any audio or video file you store. File insights let you see who has viewed and edited a shared file (see below) and get statistics.

If you’re using the app on your smartphone you can scan the physical world (a whiteboard, a document, business card, or photo) with the camera and it’ll use AI to transcribe the capture.

Scanning in the Android app

Recently, Microsoft added a new feature called Add to OneDrive that lets you add a shortcut in OD4B to folders that others have shared with you or that are shared with you in Teams or SharePoint. Speaking of Teams, sharing files there will now use the same sharing links functionality that OD4B uses (see below). Even more useful will be the forthcoming ability to move a folder and keep the sharing permissions you have configured for it, and for some files (CAD drawings, anyone?) the increase in the maximum file size from 15 GB to 100 GB is welcome. And, like all the other cool kids, OD4B (and OneDrive personal) on the web will add a dark theme option.

Collaboration and OneDrive for Business

One of the powerful features of OD4B is the ability to share documents (and folders) with internal and external users. As you might expect, administrators have full control over sharing options (see below), but assuming it’s not turned off or restricted you can right-click on a file or folder and click the Share option (blue cloud icon), or click the Share option in the web interface. This lets you share a link to the file or folder with internal and external users, grant access to specific people, make it read-only or allow editing, and block the ability to download the document (they have to edit the online, shared copy).

Sharing a file, One Drive For Business

It’s a good idea to turn on external sharing notifications via email.

Once a document is shared you can also use Co-authoring to work on the document simultaneously, both in the web-based versions of Word and Excel as well as the desktop versions of the Office apps. You can see which parts of a document another user is working on.


If you’re the administrator for your Office 365 deployment you can access the SharePoint admin center (from the main Microsoft 365 Admin center) and control sharing for both OneDrive and SharePoint. There is also a link to the OneDrive admin center where you have control over other aspects of OD4B as well as the same sharing settings.

Sharing Settings in OD4B Admin Center

The main setting to consider here is who your users can share content with. The most permissive setting allows them to share links to documents with anyone, no authentication required (not recommended). The next level up allows your users to invite external users to the organization, but those users have to sign in (using the same email address the sharing link was sent to), which creates an external user in your Azure Active Directory and thus gives you some control, including the ability to apply Conditional Access to their access. If you only allow sharing with existing external users, you must have another process in place for inviting external users. The most restrictive option only allows sharing with internal users, blocking external sharing. Don’t be fooled by these sliders, however: if you set this too restrictively and users need to share documents externally, they will do so using personal email, other cloud storage solutions, etc. They just won’t be using OD4B sharing links, which at least give you visibility in audit logs and reports, along with some control.

Under the advanced settings for the links you can configure link expiry in days, prohibiting links that last “forever”. You can also limit links to view only. The advanced settings for sharing let you allow-list or block-list particular domains for sharing, prevent further sharing (an external user sharing with another external user), and let owners see who is viewing their files.

Under Sync you can limit syncing to domain-joined computers and block specific file types. Storage lets you set the storage quota and the number of days that OD4B content is kept after a user account is deleted. Device access lets you limit access based on IP address and set some restrictions for the mobile apps, whereas the Compliance blade has links to DLP, Retention, eDiscovery, Alerts, and Auditing, all of which are generic Office 365 features. The next blade, Notifications, controls email notifications for sharing, while the last blade, Data migration, is a link to an article with tools for migrating to OD4B from on-premises storage.
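To make the sharing, storage and sync controls above concrete, here is an added example (not from the original article) that applies the article’s middle sharing option plus the link, domain, storage and sync restrictions with the SharePoint Online Management Shell, then reads the settings back. The tenant name contoso, the partner domain and the domain GUID are placeholders.

```powershell
# Added example, not the article's own code. Requires the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell). "contoso",
# "partner.example" and the domain GUID below are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Weakest setting from the article (anyone links, no sign-in), shown only for comparison:
#   Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing -RequireAnonymousLinksExpireInDays 0

# The article's middle option: external users may be invited but must sign in,
# which creates a guest in Azure AD that Conditional Access can govern.
$sharing = @{
    SharingCapability                    = 'ExternalUserSharingOnly'
    DefaultSharingLinkType               = 'Direct'   # default link targets specific people
    DefaultLinkPermission                = 'View'     # view-only unless the sharer opts in to edit
    RequireAnonymousLinksExpireInDays    = 30         # only matters if anyone links are ever re-enabled
    SharingDomainRestrictionMode         = 'AllowList'
    SharingAllowedDomainList             = 'partner.example'
    PreventExternalUsersFromResharing    = $true      # no external-to-external resharing
    NotifyOwnersWhenItemsReshared        = $true      # the sharing notifications the article recommends
    NotifyOwnersWhenInvitationsAccepted  = $true
    OneDriveStorageQuota                 = 1048576    # 1 TB, expressed in MB
    OrphanedPersonalSitesRetentionPeriod = 90         # days OD4B content is kept after account deletion
}
Set-SPOTenant @sharing

# Sync blade: only domain-joined machines may sync, and some file types never sync.
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids '00000000-0000-0000-0000-000000000000' `
    -ExcludedFileExtensions 'pst;exe;iso'

# Read the effective settings back so the change can be evidenced in a change record.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    SharingDomainRestrictionMode, SharingAllowedDomainList, PreventExternalUsersFromResharing,
    OneDriveStorageQuota, OrphanedPersonalSitesRetentionPeriod
Get-SPOTenantSyncClientRestriction
```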

If you’re considering OD4B, there are handy deployment and administration guides for administrators, both for enterprises and small businesses. If, on the other hand, your business is determined to keep “stuff” on-premises, you can use OneDrive with SharePoint Server, including SharePoint Server 2019.

Note that a recent announcement means that the OD4B admin center functionality will move into the SharePoint Online admin center, but the above functionality will stay intact, just not in a separate portal.


There’s no doubt that cloud storage is a cornerstone of successful digital transformation and if you’re already using Office 365, OneDrive for Business is definitely the best option.


Author: Paul Schnackenburg

How to Use Azure ExpressRoute Global Reach to Interconnect Datacenters

The wide area network market is changing right now. When talking to my customers, I see more and more of them moving away from classic MPLS and dark fibre networks, and with that, many of them are thinking about the value of services like Microsoft Azure ExpressRoute.

With this blog post, I would like to give you some insights into how ExpressRoute is evolving and becoming more valuable than a simple MPLS or datacenter interconnect to Azure.

First, let’s get some frequently asked questions out of the way.

What is Azure ExpressRoute?

ExpressRoute is an Azure service that lets you connect your on-premises networks and network colocations to the Microsoft Edge Network via a private connection between you, your connectivity provider, and Microsoft. These connection locations are called Microsoft Enterprise Edge (MSEE) and they are distributed around the globe in more than 65 network colocations in different datacenters.

With ExpressRoute you can access either Microsoft Azure services or Microsoft 365 services. Microsoft still does not recommend accessing Microsoft 365 through ExpressRoute, but there is another interesting option for how to use ExpressRoute beyond regular Azure service access.

Later in the article, when we dig deeper into our main topic, you will learn how to leverage ExpressRoute to connect your datacenters and colocations independently of provider availability in each location. There is a SKU for ExpressRoute called Global Reach, which enables customers to build and extend their backbone through the Microsoft Global Network.

How Does Azure ExpressRoute Work?

As already explained, ExpressRoute is a private connection between the customer and the Microsoft Edge Network. ExpressRoute comes in different flavors.

ExpressRoute or ExpressRoute Direct?

There are two options on how to do the physical interconnect. The first and regular option is to use ExpressRoute through a Network Provider as shown in the example below.

ExpressRoute Network Provider

The other option is to use ExpressRoute Direct. Here you eliminate the need for a network provider and establish a connection with Microsoft yourself.

ExpressRoute Direct

With a regular ExpressRoute you are limited to what your provider can offer you in terms of locations, and you are limited to a maximum of 10 GbE bandwidth. You also have additional costs for the provider interconnect between you and Microsoft, but it is much easier to implement: you do not need high-end routing equipment, colocation space in the MSEE edge location, or deep knowledge of provider peering.

With ExpressRoute Direct you can achieve much higher bandwidth, currently up to 100 GbE. For that, you need to follow the peering policies and technical requirements shown below.

  • Microsoft Enterprise Edge Router (MSEE) Interfaces:
    • Dual 10 or 100 Gigabit Ethernet ports only across router pair
    • Single Mode LR Fiber connectivity
    • IPv4 and IPv6
    • IP MTU 1500 bytes
  • Switch/Router Layer 2/Layer 3 Connectivity:
    • Must support single-tag 802.1Q (Dot1Q) or double-tag 802.1Q (QinQ) encapsulation
    • Ethertype = 0x8100
    • Must add the outer VLAN tag (STAG) based on the VLAN ID specified by Microsoft – applicable only on QinQ
    • Must support multiple BGP sessions (VLANs) per port and device
    • IPv4 and IPv6 connectivity. For IPv6 no additional sub-interface will be created. IPv6 address will be added to existing sub-interface.
    • Optional: Bidirectional Forwarding Detection (BFD) support, which is configured by default on all Private Peerings on ExpressRoute circuits

The table below shows the key differences between ExpressRoute with a service / network provider and ExpressRoute Direct.

| ExpressRoute using a service provider | ExpressRoute Direct |
| --- | --- |
| Utilizes service providers for fast onboarding and connectivity into existing provider infrastructure | Requires 100 Gbps/10 Gbps infrastructure and full management of all layers |
| Integrates with hundreds of providers including Ethernet and MPLS | Direct/Dedicated capacity for regulated industries and massive data ingestion |
| Circuit SKUs: 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps | Customer may select a combination of the following circuit SKUs on 100 Gbps ExpressRoute Direct: 5 Gbps, 10 Gbps, 40 Gbps, 100 Gbps. On 10 Gbps ExpressRoute Direct: 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps |
| Optimized for single tenant and single customer | Optimized for single tenant with multiple business units and multiple work environments |

Network providers are not allowed to leverage ExpressRoute Direct for their customers. They are supposed to become regular ExpressRoute providers.

Additional insights about ExpressRoute Direct can be found in Microsoft’s official article.

ExpressRoute SKUs

ExpressRoute comes in three different SKUs for available services and limitations. 

  • ExpressRoute Local / Kommune
  • ExpressRoute Standard
  • ExpressRoute Premium

A detailed pricing guide is also available.

ExpressRoute Global Reach is an add-on to the ExpressRoute Premium SKU and needs to be ordered in addition.

I will explain the technical concept later in the blog. For those curious about pricing, a detailed guide is available.

What is an ExpressRoute Circuit?

To explain an ExpressRoute Circuit you need to know about the other components of an ExpressRoute in Azure first.

  • ExpressRoute Gateway: when you want to connect an ExpressRoute Circuit to a virtual network, you need some kind of gateway. That gateway is called an ExpressRoute Gateway and is another “mode” of the Azure Virtual Network Gateway.
  • Peerings: to establish routing through an ExpressRoute Circuit you configure peerings on the circuit, which establish the BGP sessions. There are two peering types.
    • Private Peering: Azure virtual machines and IaaS resources, and Azure PaaS resources that can use private endpoints or VNet integration, that are deployed within a virtual network can be connected over ExpressRoute Private Peering. Azure Private Peering can be considered a trusted extension of a customer’s core network into Microsoft Azure datacenters. With private peering, you set up a bidirectional interconnect between your network and your virtual network in Azure. The peering IPs used on the private peering are private IPv4 addresses and, later this year, IPv6 addresses.
    • Microsoft Peering: connectivity to Microsoft online services such as Office 365 and Azure PaaS services is provided via Microsoft Peering. Microsoft enables bidirectional connectivity between a customer WAN and Microsoft cloud services through the Microsoft global backbone and the Microsoft routing domain, AS 12076. Microsoft Peering can only use public IP addresses owned by the customer or the customer’s connectivity provider. To enable Microsoft Peering, you need to agree to all the rules connected with that peering.

Now let’s talk about the circuit itself. The circuit is a so-called NNI, a network-to-network interconnect.

A network-to-network interface (NNI) is a physical interface that connects two or more networks and defines inter-network signaling and management processes. It enables the linking of networks using signaling, Internet Protocol (IP) or Asynchronous Transfer Mode (ATM) networks.

How do I set up an Express Route in Azure?

There are three different parts to set up an ExpressRoute.

The first one is the Setup within the Azure Portal. Microsoft published a pretty good guide on how to do it.

The next part is to set up the provider part of your ExpressRoute, which is highly dependent on your provider. I linked examples from two providers.

Afterward, you need to configure the peering in ExpressRoute and the routing in your Router or Network.

Using ExpressRoute with Global Reach to Interconnect Datacenters

Now, let’s move to the main topic. How can I use ExpressRoute to interconnect my colocations and datacenters?

Why Would you Use ExpressRoute Instead of a Global Network Provider?

There are three main reasons why you might want to decide on a combination of ExpressRoute and a local interconnect provider.

  • Provider availability: when you look into provider availability, you will sooner or later notice that not every provider is available in every region or in every datacenter. When you are in a local datacenter or a region with a limited number of network providers, you normally face high costs to make your network provider available in that datacenter or on-prem location. Let me show you an example from the peering database. With ExpressRoute you can select any provider who can make ExpressRoute connections available in that region or datacenter. You do not need the same provider in every location.
    • Networks in Equinix Dusseldorf

ExpressRoute Networks in Equinix Dusseldorf

  • Networks in ITENOS Berlin

ExpressRoute Networks in ITENOS Berlin

  • Long-term contracts: when you want to interconnect datacenters you mostly need to agree to some kind of long-term contract, starting at 12 months or more. With providers like Megaport, Equinix, Interxion, and others, you mostly have a pay-as-you-go agreement which can be canceled every month. It is the same with Microsoft ExpressRoute: you can use that interconnect as pay as you go.
  • Provider lock-in: when working with network providers you normally commit to a provider, and changing afterward is a huge migration with a high investment of time and money. Many customers don’t have that flexibility and overpay on networking.

What do I Need to Enable ExpressRoute for Global Interconnect?

ExpressRoute by default is already a global service, but with the main SKUs it can only connect you to Azure production regions / datacenters and not interconnect networks from different providers. To interconnect network providers, you need the ExpressRoute Global Reach add-on.

Looking at an ExpressRoute without Global Reach, the interconnect looks like the following.

ExpressRoute without Global Reach

When enabling Global Reach, the routing behavior changes as shown below.

ExpressRoute with Global Reach Enabled

While an Azure Production Region is normally three milliseconds from an ExpressRoute Edge, the traffic with Global Reach stays within the Microsoft Edge Network.

Now, let’s think about how that could work with an interconnect strategy. In our scenario, we have the following locations and interconnects.

  • Europe provided by British Telecom
  • Hong Kong provided by Equinix
  • Japan provided by NTT

Normally you would need to ask all of those providers to build an interconnect, or get another colocation or office location to interconnect all these networks yourself. As you can see in the picture, with ExpressRoute Global Reach you can do that through the Microsoft backbone and use it as a service from Microsoft Azure. A further point is that you do not need to consume any additional cloud services from Microsoft. You can just use Microsoft as a backbone provider. The figure below shows our scenario simplified.

Microsoft Global Network Express Route

After you have configured the ExpressRoutes with the local providers of your choice, you need to set up ExpressRoute Global Reach. There is one downside: ExpressRoute Global Reach is not available in every country where you have Azure regions, mostly because legal or tax regulations would make Microsoft, with Global Reach, a network service and last-mile network provider. In those cases, Microsoft is mostly solving that over time with special government agreements.

There is a workaround for those countries where Global Reach is not available, like in South Africa, India or Brazil. I will explain the workaround later in the blog.

How to Set Up Global Reach

ExpressRoute Global Reach can only be set up through PowerShell or Azure CLI. There are two options when you set up Global Reach. I will link both setup guides below.

Afterward, you need to verify the configuration. That must be done via PowerShell or Azure CLI too.

If you simply run $ckt1 in PowerShell, you see CircuitConnectionStatus in the output. It tells you whether the connectivity is established, “Connected”, or “Disconnected”. For more information, you can consult this detailed guide.

To disconnect, you also run a command that looks like the following.

For more information, you can consult this detailed guide.
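The set-up, verification and disconnect steps above, carried through as an added example with Az PowerShell; this is not the article’s own code. It assumes both circuits are Premium SKU with Private Peering already configured, that Connect-AzAccount has been run, and that the circuit names, resource group and the /29 prefix are placeholders.

```powershell
# Added example, not the article's own code. Assumes Az.Network is installed and
# Connect-AzAccount has been run; circuit names, resource group and the /29 are placeholders.
$ckt1 = Get-AzExpressRouteCircuit -Name 'er-europe-bt'   -ResourceGroupName 'rg-wan'
$ckt2 = Get-AzExpressRouteCircuit -Name 'er-hongkong-eq' -ResourceGroupName 'rg-wan'

# Fail early on the two prerequisites the article names (Premium SKU, private peering)
# instead of letting the connection call error out half way.
foreach ($c in @($ckt1, $ckt2)) {
    if ($c.Sku.Tier -ne 'Premium') {
        throw "$($c.Name) is not Premium SKU; Global Reach is a Premium add-on"
    }
    if (-not ($c.Peerings | Where-Object PeeringType -eq 'AzurePrivatePeering')) {
        throw "$($c.Name) has no Azure Private Peering configured"
    }
}

# Peer circuit 2's private peering into circuit 1. The /29 must be unused on both
# sides; Azure splits it into the two /30 point-to-point links of the Global Reach path.
$privPeer2 = ($ckt2.Peerings | Where-Object PeeringType -eq 'AzurePrivatePeering').Id
Add-AzExpressRouteCircuitConnectionConfig -Name 'eu-to-hk' `
    -ExpressRouteCircuit $ckt1 `
    -PeerExpressRouteCircuitPeering $privPeer2 `
    -AddressPrefix '10.255.0.0/29'
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt1 | Out-Null

# Verify: the article's "run $ckt1" step. Re-read the circuit so the status is current;
# the article notes CircuitConnectionStatus reads "Connected" or "Disconnected".
$ckt1 = Get-AzExpressRouteCircuit -Name $ckt1.Name -ResourceGroupName $ckt1.ResourceGroupName
$conn = Get-AzExpressRouteCircuitConnectionConfig -Name 'eu-to-hk' -ExpressRouteCircuit $ckt1
'Global Reach {0}: {1}' -f $conn.Name, $conn.CircuitConnectionStatus

# Disconnect: remove the connection config and commit the circuit again.
Remove-AzExpressRouteCircuitConnectionConfig -Name 'eu-to-hk' -ExpressRouteCircuit $ckt1
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt1 | Out-Null
```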

What is an Alternative when Global Reach is not available?

To use private peering with ExpressRoute Global Reach, it needs to be enabled in the country. As already explained, that’s not the case everywhere.

You can use the global transit architecture with Azure Virtual WAN or an overlay network using a Network Virtual Appliance (NVA). In that case, you create an ExpressRoute but do not use ExpressRoute Private Peering; instead you configure Microsoft Peering on that ExpressRoute. What you then have in that peering is the public IP addresses of Azure Virtual WAN or of the NVA, which lets you build an IPsec tunnel through the ExpressRoute to the VPN gateway. With Virtual WAN you are then able to route through the Microsoft backbone to the other ExpressRoute gateways. With an NVA you can use User Defined Routes to establish the same transit architecture.

The schematic setup for a solution with Azure virtual WAN could look like following.

Azure virtual WAN

With Virtual WAN such a solution comes out of the box as soon as ExpressRoute Global Reach becomes available. You only need to enable it, and a few minutes later Virtual WAN will switch from the IPsec VPN to the connected ExpressRoute. Afterward, you can simply decommission the VPN tunnel.

Closing Thoughts

Hopefully, my post gives you a brief introduction to the possibilities you have with ExpressRoute besides a simple connection to Azure. If you would like to read more about Wide Area Networks with Microsoft Azure, please leave a comment and describe the scenarios you are looking for.

Author: Florian Klaffenbach

The Real Cost of Microsoft 365 Revealed

Estimating the real cost of a technology solution for a business can be challenging. There are obvious costs as well as many intangible costs that should be taken into account.

For on-premises solutions, people tend to include licensing and support maintenance contract costs, plus server hardware and virtualization licensing costs. For Software as a Service (SaaS) cloud solutions, it seems like it should be easier since there’s no hardware component, just the monthly cost per licensed user but this simplification can be misleading.

In this article we’re going to look at the complete picture of the cost of Microsoft 365 (formerly Office 365), how choices you as an administrator make can directly influence costs, and how you can help your business maximize the investment in OneDrive, SharePoint, Exchange Online and other services.

Office 365 & Microsoft 365

As covered in our recent blog, there are naming changes afoot in the Office ecosystem. The personal Office 365 subscriptions are now called Microsoft 365 Family (up to six people) and Personal, and the Office 365 Business SKUs, which top out at 300 users, have also been renamed. The new SKUs are Microsoft 365 Business Basic, Apps, Standard, and Premium.

There’s no reason to believe that this name change won’t eventually extend to the Enterprise SKUs but until it does, from a licensing cost perspective it’s important to separate the two. Office 365 E1, E3 and E5 gives you the well-known “Office” applications, either web-based or on your device, along with SharePoint Online, Exchange Online and OneDrive for Business in the cloud backend.

Microsoft 365 F3, E3 and E5, on the other hand, include everything from Office 365 plus Azure Active Directory Premium features (identity security), Enterprise Mobility & Security (EMS) / Intune for Mobile Device Management (MDM) and Mobile Application Management (MAM), along with Windows 10 Enterprise.

Comparing M365 plans

So, a decision that needs to be looked at early when you’re looking to optimize your cloud spend is whether your business is under 300 users and likely to stay that way for the next few years. If that’s the case you should definitely look at the M365 Business SKUs as they may fulfill your business needs, especially as Microsoft recently added several security features from AAD Premium P1 to M365 Business.

If you’re close to 300, expecting to grow, or already larger, you’re going to have to pick from the Enterprise offerings. The next question is then: what’s the business need? Do you just need to replace your on-premises Exchange and SharePoint servers with the equivalent cloud-based offerings? Or is your business looking to manage corporate-issued mobile devices (smartphones and tablets) with MDM, or to protect data on employee-owned devices? The latter is known as Bring Your Own Device (BYOD), sometimes called Bring Your Own Disaster. If you have those needs (and no other MDM in place today), the inclusion of Intune in M365 might be the clincher. If, on the other hand, you need to protect your on-premises Active Directory (AD) against attacks using Azure Advanced Threat Protection (AATP), or to inspect, understand and manage your users’ cloud usage through Microsoft Cloud App Security (MCAS), you’ll also need M365 E5 rather than just O365.

Microsoft 365 Cloud app security dashboard

The difference is substantial: outfitting 1000 users with O365 E3 will cost you $240,000 per year, whereas moving up to M365 E3 will cost you $384,000. And springing for the whole enchilada, with every security feature available in M365 E5, will cost you $684,000, nearly 3X the cost of O365 E3. Thus, you need to know what your business needs and tailor the subscriptions accordingly (see below for picking individual services to match business requirements).

Note that if you’re in the education sector you have different options (O365 A1, A3, and A5 along with M365 A1, A3, and A5) that are roughly equivalent to the corresponding Enterprise offerings but less costly. And charities/not-for-profits have options as well for both O365 and M365. M365 Business Premium is free for up to 10 users for charities and $5 per month for additional users.

A la carte instead of bundles

There are two ways to optimize your subscription spend in O365 / M365. Firstly, you can mix licenses to suit the different roles of workers in your business. For instance, the sales staff in your retail chain stores are assigned O365 E1 licenses ($8 / month) because they only need web access to email and documents, the administrative staff in head office use O365 E3 ($20 / month) and the executive suite and other high-value personnel use the full security features in E5 ($35 / month). Substitute M365 F3, E3, and E5 in that example if you need the additional features in M365.

Secondly, you don’t have to use the bundles encapsulated in the E3, E5, etc. SKUs; you can instead pick exactly the standalone services you need to meet your business needs. Maybe some users only need Exchange Online, whereas other users only need Project Online. The breakdown of exactly what features are available across all the different plans and standalone services is beyond the scope of this article, but the O365 and M365 service descriptions are the best place to start investigating.

Excerpt from the O365 Service Description

And if you’re a larger business (500 users+) you’re not going to pay list prices and instead these licenses will probably be part of a larger, multi-year, enterprise agreement with substantial discounts.

If you hate change

If you want to stay on-premises, Exchange Server 2019 is available (it only runs on Windows Server 2019), as is SharePoint Server 2019, and you can even buy the “boxed” version of Office 2019 with Word, Excel, etc. with no links to the cloud whatsoever. This is an option that moves away from the monthly subscription cost of M365 (there’s no way to “buy” M365 outright) and back to the traditional way of buying software packages every 2-5 years. Be aware that these on-premises products do NOT offer the same rich features that O365 / M365 provides, whether it’s the super-tight integration between Exchange Online and SharePoint Online, cloud-only services like Microsoft Teams that build on top of the overall O365 fabric, or AI-powered design suggestions in the O365 versions of Word or PowerPoint. There’s no doubt that Microsoft’s focus is on the cloud services; these are updated with new features on a daily basis, instead of every few years. If your business is looking to digitally transform, towards tech intensity (two recent buzzwords in IT with a kernel of truth in them), using on-premises servers and boxed software licensing is NOT going to get you there. But if you want to keep going like you always have, it’s an option.

And if you’re looking at this from a personal point of view, a free Microsoft account through does give you access to Office Online: Word, Excel, and PowerPoint in a browser. There’s even a free version of Microsoft Teams available.

Transforming your business

There’s a joke going around at the moment about the Covid-19 pandemic bringing digital transformation to many businesses in weeks that would have taken years to achieve without it. There’s no doubt that adopting the power of cloud services has the power to truly change how you run your business for the better. A good example is moving internal communication from email to Teams, including voice and video calls and perhaps even replacing a phone system with cloud-based phone plans.

But these business improvements depend on the actual adoption of these new tools, and that requires a mindset shift for everyone. Start with your IT department: if they still see M365 as just cloud-hosted versions of their old on-premises servers, they’re missing the much bigger picture of the integrated platform that O365 has become. Examples include services such as Data Loss Prevention (DLP), unified labeling and automatic encryption/protection of documents and data, and unified audit logging that spans ALL the workloads. So, make sure you get them on board with seeing O365 as a technology tool to transform the business, not just a place to store emails and documents in OneDrive. And adding M365 unlocks massive security benefits, enabling zero-trust (incredibly important as everyone is working from home), identity-based perimeters, and cloud usage controls. But if your IT or security folks aren’t on board with truly adopting these tools, they’re not going to make you any more secure. Here’s a free IT administrator training for them.

Finally, you’re going to have to bring all the end-users on board with a good Adoption and Change Management (ACM) program, helping everyone understand these new services and what they can do to make their working lives better. This includes training but make sure you look to short, interactive, video-based modules that can be applied just when the user needs coaching on a particular tool, not long classroom-based sessions.

And all of that, for all the different departments, isn’t a once-off when you migrate to O365, it’s an ongoing process because the other superpower of the cloud is that it changes and improves ALL the time. This means you’ll need to assign someone to track the changes that are coming/in preview and ensure that the ones that really matter to your business are understood and adopted. The first place to look is the Microsoft 365 Message Center in the portal where you can also sign up for regular emails with summaries of what’s coming. Another good source is the Office 365 Weekly Blog.

M365 portal Message Center

A great course to help your IT staff is the free Microsoft Service Adoption Specialist (if you want the certificate at the end, it’s going to cost you $99). To help you track your usage and adoption of the different services in O365 there is a usage analytics integration with PowerBI. Use this information to firstly see where adoption can be improved and take steps to help users with those services and secondly to identify services and tools that your business isn’t using and perhaps don’t need, giving you options for changing license levels to optimize your subscription spend.

PowerBI O365 Usage Analytics (courtesy of Microsoft)

Closing notes

There’s another factor to consider as you’re moving from on-premises servers to Microsoft 365 and that’s the changing tasks of your IT staff. Instead of swapping broken hard drives in servers these people now need to be able to manage cloud services and automation with PowerShell and most importantly, see how these cloud services can be adopted to improve business outcomes.

A further potential cost to take into account is backup. Microsoft keeps four copies of your data, in at least two datacentres so they’re not going to lose it but if you need the ability to “go back in time” and see what a mailbox or SharePoint library looked like nine months ago, for instance, you’ll need a third-party backup service, further adding to your monthly cost.

Training staff, adopting new features, different tasks for administrators and managing change all require people and resources, in other words, money, and that’s part of the overall cost of using O365 or M365. It has to be factored into the total cost of using Microsoft 365; it’s not just the monthly license cost.

The final question is of course – is it worth it? Speaking as an IT consultant with clients (including a K-12 school with 100 students) who recently moved EVERYONE to work and study from home, supported by O365, Teams, and other cloud services, the answer is a resounding yes! There’s no way we could have managed that transition with only on-premises infrastructure to fall back on.

Is Your Office 365 Data Secure?

Did you know Microsoft does not back up Office 365 data? Most people assume their emails, contacts and calendar events are saved somewhere but they’re not. Secure your Office 365 data today using Altaro Office 365 Backup – the reliable and cost-effective mailbox backup, recovery and backup storage solution for companies and MSPs. 

Start your Free Trial now

Author: Paul Schnackenburg

How to Install or Disable Hyper-V in Windows 10

In this article, I will write about a familiar-sounding tool I regularly use to prepare custom images for Azure, amongst other tasks. Windows 10 comes with the Windows client version of Hyper-V built in, so there is no need to download anything extra! It is the same Hyper-V you use on the server, but without the cluster features. Here’s how to configure Hyper-V for Windows 10.

Operating System Prerequisites

First, let us check the prerequisites.

Windows 10 Licensing

Not every license of Windows 10 has Hyper-V enabled. Only the following versions are eligible for Windows 10 Hyper-V.

  • Windows 10 Professional
  • Windows 10 Enterprise
  • Windows 10 Education

You can find your installed Windows version using PowerShell and the following command.

The screenshot below shows the PowerShell output.

Windows 10 licencing, PowerShell

Let us follow up with the hardware prerequisites.

Hardware prerequisites

There are two parts to be considered. First the hardware configuration and second the BIOS and UEFI setup.

Hardware configuration

  • 64-bit Processor with Second Level Address Translation (SLAT).
  • CPU support for VM Monitor Mode Extension (VT-x on Intel CPUs).
  • Minimum of 4 GB memory. As virtual machines share memory with the Hyper-V host, you will need to provide enough memory to handle the expected virtual workload.

The screenshot shows my system as an example.

Windows 10 Basic System Information

BIOS / UEFI Configuration

You need to enable two options in your system BIOS / UEFI.

  • Virtualization Technology – may have a different label depending on the motherboard manufacturer.
  • Hardware Enforced Data Execution Prevention.

You can find these options in the CPU Settings of your system. See the screenshot below as an example.

BIOS UEFI CPU settings Windows 10

How to check the hardware compatibility

To verify hardware compatibility in Windows, open the PowerShell and type systeminfo. 

Windows 10 PowerShell System Info

If all listed requirements in the output are showing “yes”, your system is compatible with Hyper-V.

How to Install or Disable Hyper-V in Windows 10

How to install Hyper-V in Windows 10

When all hardware and license requirements are met, you can start the installation of Hyper-V in your Windows.

The easiest way is to search for Hyper-V in the Start Menu. It will then point to the “Turn Windows features on or off” window in the Control Panel.

Hyper-V Installation Windows 10

Within the context menu, you enable the Hyper-V feature together with the Platform and Management Tools.

Hyper-V Platform and Management Tools

Afterward, your system will require a reboot.

Windows 10 reboot

After the reboot, you should be able to open the Hyper-V Manager on your system and start to configure Hyper-V.

Windows 10 start menu, Hyper-V

Hyper-V Manager Windows 10

That’s all you need to do in order to install Hyper-V on your Windows 10 system.

How to disable Hyper-V in Windows

Disabling Hyper-V is again pretty simple. Go back to the “Turn Windows features on or off” section in the Control Panel.

Turn Windows Features on or off control panel

Remove the checkmark from the Hyper-V checkbox.

Disable Hyper-V Windows 10

Reboot your Windows System and you are done.

Rebooting Windows 10 after removing Hyper-V
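The edition, hardware and feature steps above, scripted as an added PowerShell example (not code from the original post): it reads the same Hyper-V requirement fields that systeminfo prints, via Get-ComputerInfo, and then turns the Microsoft-Hyper-V-All feature on or off with the built-in DISM cmdlets. The function names are my own; run it from an elevated session.

```powershell
# Added example (not from the original post): check the Windows 10 edition and the
# Hyper-V hardware requirements, then enable or disable the feature from an
# elevated PowerShell session. Uses only built-in cmdlets; no VM is created.

function Test-HyperVPrerequisites {
    # Get-ComputerInfo exposes the same HyperV requirement fields that systeminfo prints.
    $info = Get-ComputerInfo

    # Editions that ship the Hyper-V feature (Home does not).
    $editionOk = $info.WindowsProductName -match 'Pro|Enterprise|Education'

    $checks = [ordered]@{
        'Eligible edition (Pro/Enterprise/Education)' = $editionOk
        'Second Level Address Translation (SLAT)'      = $info.HyperVRequirementSecondLevelAddressTranslation
        'VM Monitor Mode Extensions (VT-x/AMD-V)'      = $info.HyperVRequirementVMMonitorModeExtensions
        'Virtualization enabled in firmware'           = $info.HyperVRequirementVirtualizationFirmwareEnabled
        'Hardware DEP available'                       = $info.HyperVRequirementDataExecutionPreventionAvailable
    }

    # When a hypervisor is already running, the requirement fields come back empty
    # (systeminfo prints "A hypervisor has been detected" instead); treat that as met.
    if ($info.HyperVisorPresent) {
        foreach ($k in @($checks.Keys)) { if ($null -eq $checks[$k]) { $checks[$k] = $true } }
    }

    foreach ($k in $checks.Keys) {
        '{0,-50} {1}' -f $k, $(if ($checks[$k]) { 'Yes' } else { 'No' })
    }
    # $true only if every requirement is met.
    return -not ($checks.Values -contains $false)
}

function Set-HyperVFeature {
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action)

    # Microsoft-Hyper-V-All covers the platform plus the management tools
    # (Hyper-V Manager and the Hyper-V PowerShell module).
    $state = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All).State
    Write-Host "Microsoft-Hyper-V-All is currently: $state"

    if ($Action -eq 'Enable') {
        if (-not (Test-HyperVPrerequisites)) { throw 'Hyper-V prerequisites are not met.' }
        $r = Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All -NoRestart
    } else {
        $r = Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart
    }
    # Both cmdlets report whether the change needs a reboot to complete.
    if ($r.RestartNeeded) { Write-Host 'Reboot required to finish the change: Restart-Computer' }
}

# Usage (run as Administrator):
#   Test-HyperVPrerequisites
#   Set-HyperVFeature -Action Enable
#   Set-HyperVFeature -Action Disable
```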

Closing notes

Hyper-V in Windows 10 can be a pretty good tool for certain administrative or daily tasks, e.g.:

  • Spinning up a VM to test certain software
  • Using VMs to open suspicious files
  • Creating an encapsulated work environment on your PC or notebook when you work from home
  • Creating custom images for VDI environments like Citrix or Windows Virtual Desktop
  • Opening backups from VMs and extracting certain files
  • etc.

I hope this blog post will help some of you to become familiar with Hyper-V and the management tools. If there is anything you wish to ask, let me know in the comments below and I’ll get back to you!

Author: Florian Klaffenbach

How Conditional Access Makes MFA Easy for Your Company

Many IT Pros will attest that there is a constant push/pull between security and ease-of-use, and I have personally seen many instances of IT Pros struggling with this push/pull over the years within their own organizations. Oftentimes it’s resistance from the organization itself to implementing changes that would positively affect its own security posture, not any inability or lack of desire on the part of the system admin or IT department. Even for something as simple as multi-factor authentication (MFA), it is common to see push-back from management or certain departments.

In this article, we are going to talk about common reasons for this push-back, and ways that Microsoft’s Conditional Access feature can allow you to tread the line between security and ease-of-use.

What is Conditional Access?

Conditional Access, when paired with Azure Active Directory, is a tool used to provide next-generation identity services in the cloud age. No longer do administrators have to simply worry about the four walls of their building. Employee workforces today are dynamic and are working on several devices from several different locations. The needs of authentication and trust now must exist outside of those four walls of the business, and Azure AD and Conditional Access play an important role in this process.

Conditional Access uses a three-step process in determining if a user or device’s access should be allowed.

MFA Conditional Access

Figure 1 – Conditional Access


A conditional access signal acts as a trigger for a Conditional Access policy. A signal could be something like:

  • IP Location Information – Such as the device living within a trusted IP range or Corporate HQ for example
  • Certain Devices or platforms
  • User or group membership
  • Detected risky sign-in behavior
  • Much More


As part of the Conditional Access process, once a signal is triggered, a decision has to be made by the service based on the configuration of the Conditional Access policy. This usually boils down to the user/device simply being provided access (or not), but can also include varying levels of access. For example, you’ll be given access to the resources you’re trying to reach, but because you are using an administrative account, the service will force you to provide additional login information (such as MFA). Or, because you’re signing in using a legacy authentication mechanism, access will be denied, and you’ll be directed towards using the current (accepted) authentication mechanism being used within the organization.

These are just a few simple examples, but there are many other granular options along this vein that are provided by Conditional Access.


This is what I like to call the “Make-It-So” phase. Basically, Conditional Access will take the signal from step one, look at the configured policy for that situation, and then enforce it. Combined, these three steps within Conditional Access serve to provide tightly controlled access mechanisms when accessing company resources in a cloud/mobile world.

So, how does this help you sell the idea of MFA within your organization? Let’s dig into that question.

NOTE: This was something of a crash course on the concept of Conditional Access. Much more information on this feature can be found in the official documentation, and we’ll be looking to feature more example use-cases in the future here on the Altaro Dojo.

How Does Conditional Access Make Multi-Factor Authentication Easy?

Many organizations have tried multi-factor authentication with varying degrees of success. The more mature ones found a way to persevere through those challenges and their security posture was all the better for it. Others likely failed and rolled things back. Whether you’re using MFA today or haven’t yet looked at it, Conditional Access can help with the process. Let’s get into some concrete examples.

A business owner or manager complains that his/her department is constantly getting prompted for MFA. After all, they just want to do their work….

This is likely the most common complaint I see around MFA within organizations. Users get “annoyed” with the extra sign-on step, especially if it’s excessive or difficult. Conditional Access can improve this situation. As mentioned above, Conditional Access can be configured to act on IP location. In this case, you can essentially whitelist the IP for your primary office location(s) and tell Conditional Access that if a login attempt is coming from that location, it’s trusted and does not require MFA. This step alone greatly reduces the amount of MFA “chatter” and will only prompt users for MFA when they are physically outside of the office.

An Administrator is concerned with knowing when to force password resets for users and what to do with accounts that are potentially suspicious.

Password hygiene is something that has been in flux these past few years where best practices are concerned. Did you know that new NIST recommendations state that there is no need to change a password unless there is evidence of breach?

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

Knowing this, one question many admins will ask themselves is, “On top of MFA, when will I have the time to monitor for compromised passwords?” The answer is you don’t have to! Conditional Access can do that. When paired with Azure AD Identity Protection, Conditional Access can check to see if the user’s username/password combination has appeared on any known credential sharing sites. If so, Conditional Access will force a password reset prior to allowing access.

Additionally, you can configure Conditional Access to force an MFA prompt (even within an otherwise known safe IP range) if certain other “risky conditions” have been identified.

Paired with MFA, the policy of forcing password changes in conditional access serves to supplement user authentication hygiene and requires very little administrator work in doing so.

A CIO may be concerned that security requirements for administrator accounts are too lax.

This is a pretty common concern. Conditional Access can be used to force an MFA requirement on any account that has administrative access. I highly recommend this due to the sensitive nature of the access these types of accounts have. The added bonus here is that Conditional Access takes all the work out of enforcing it amongst your admins.
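The three scenarios above (trusted office IPs without MFA, MFA for admins everywhere, password reset on leaked credentials) expressed as Conditional Access objects, written as an added example with the Microsoft Graph PowerShell SDK; this is not code from the original post. The office IP range, policy names and the emergency-access account id are placeholders; the schema values and the Global Administrator role template id are Microsoft’s, and the risk policy needs Azure AD Premium P2.

```powershell
# Added example (not from the original post): the three Conditional Access scenarios
# as Graph objects (Microsoft.Graph.Identity.SignIns module). Assumes
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'
# has already been run by a Conditional Access administrator.

# Placeholders: replace before use.
$officeCidr   = '203.0.113.0/24'                          # documentation range, not a real office
$breakGlassId = '<object-id-of-emergency-access-account>' # always excluded so you cannot lock yourself out

# 1. Trusted named location for the office. Sign-ins from it count as 'AllTrusted' below.
$hq = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'HQ office egress'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $officeCidr })
}
Write-Host "Trusted location created: $($hq.DisplayName)"

# Report-only first: the policy is evaluated and written to the sign-in logs but not
# enforced, so you can measure how much MFA "chatter" it would cause before setting 'enabled'.
$state = 'enabledForReportingButNotEnforced'

# 2. Require MFA for everyone, except when the sign-in comes from a trusted location.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA01 - MFA outside trusted locations'
    state       = $state
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
} | Out-Null

# 3. Always require MFA for administrators, even on trusted IPs.
#    62e90394-69f5-4237-9190-012177145e10 is the Global Administrator role template id.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA02 - MFA for admin roles everywhere'
    state       = $state
    conditions  = @{
        users        = @{ includeRoles = @('62e90394-69f5-4237-9190-012177145e10'); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
} | Out-Null

# 4. Leaked credentials: when Identity Protection rates the user risk as high, require a
#    password change. Graph requires passwordChange to be combined with mfa (operator AND).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA03 - Password change on high user risk'
    state       = $state
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        userRiskLevels = @('high')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
} | Out-Null

# Sanity check: list the policies and confirm they are still report-only.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Review the "Report-only" results in the Azure AD sign-in logs for a week or two before switching the state to enabled.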

Interested in Learning More?

What we’ve covered here is only a small taste of what Conditional Access can do for your organization. There are many more potential use cases than these three, but they are certainly some of the more common ones I’ve run across. We have recent eBooks that cover both Azure IaaS and Microsoft 365 with some security topics sprinkled throughout.


I’m interested in hearing about any of your other security and access concerns. Do you see a positive use for these Conditional Access policies? Is there a specific issue you’ve been trying to solve? Let us know in the comments below and we’ll be sure to get you an answer!

Thanks for reading!


Author: Andy Syrewicze

How to Enable Advanced Threat Protection in Microsoft 365

As more of the workforce connects from their homes, there has been a spike in usage for remote productivity services. Many organizations are giving Microsoft Office 365 subscriptions to all of their staff, using more collaboration tools from Outlook, OneDrive, SharePoint, and Teams.

Unfortunately, this is creating new security vulnerabilities with more untrained workers being attacked by malware or ransomware through attachments, links, or phishing attacks.

This article will provide you with an overview of how Microsoft Office 365 Advanced Threat Protection (ATP) can help protect your organization, along with links to help you enable each service.

ATP is included in the Microsoft Office 365 Business Premium, Enterprise E5, and Education A5 subscriptions, but it can be added to almost any subscription. For additional information about ATP and Microsoft Office 365 security, check out Altaro’s upcoming webinar Critical Security Features in Microsoft Office 365 Admins Simply Can’t Ignore.

What is Advanced Threat Protection?

Microsoft Office 365 now comes with the Advanced Threat Protection service which secures emails, attachments, and files by scanning them for threats. This cloud service uses the latest in machine learning from the millions of mailboxes it protects to proactively detect and resolve common attacks. This technology has also been extended beyond just email to protect many other components of the Microsoft Office suite. In addition to ATP leveraging Microsoft’s global knowledge base, your organization can use ATP to create your own policies, investigate unusual activity, simulate threats, automate responses, and view reports.

Microsoft Advanced Threat Protection

Advanced Threat Protection (Source: Microsoft techcommunity)

Safe Links

Microsoft Office 365 ATP helps your users determine if a link is safe when using Outlook, Teams, OneNote, Word, Excel, PowerPoint and Visio. Malicious or misleading links are a common method for hackers to direct unsuspecting users to a site that can steal their information. These emails are often disguised to look like they are coming from a manager or the IT staff within the company. ATP will automatically scan links in emails and cross-reference them to a public or customized list of dangerous URLs. If a user tries to click on the malicious link, it will give them a warning so that they understand the risk if they continue to visit the website.

How to enable ATP Safe Links

Safe Attachments

One of the most common ways in which your users will get attacked is by opening an attachment that is infected with malware. When the file is opened, it could execute a script that steals passwords or locks up the computer unless a ransom is paid, in what is commonly known as a ransomware attack. ATP will automatically scan all attachments to determine if any known virus is detected. You and your users will be notified about anything suspicious to help you avoid any type of infection.

How to enable ATP Safe Attachments
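The Safe Links and Safe Attachments features described in the two sections above, configured from Exchange Online PowerShell as an added example (not code from the original post or from Microsoft’s documentation). The policy names and the recipient domain are placeholders; it assumes Connect-ExchangeOnline has already been run by a Security Administrator.

```powershell
# Added example (not from the original post): create a Safe Links and a Safe Attachments
# policy with the ExchangeOnlineManagement module and bind each to a recipient domain.
# 'contoso.example' and the policy names are placeholders.

$domain = 'contoso.example'   # placeholder: replace with an accepted domain of the tenant

# Safe Links: rewrite and scan URLs at click time, including mail between internal users,
# and hold delivery until the scan finishes so a user cannot click before the verdict.
if (-not (Get-SafeLinksPolicy -Identity 'Standard Safe Links' -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name 'Standard Safe Links' `
        -IsEnabled $true `
        -ScanUrls $true `
        -EnableForInternalSenders $true `
        -DeliverMessageAfterScan $true `
        -TrackClicks $true | Out-Null

    # A policy does nothing until a rule scopes it to recipients.
    New-SafeLinksRule -Name 'Standard Safe Links rule' `
        -SafeLinksPolicy 'Standard Safe Links' `
        -RecipientDomainIs $domain | Out-Null
}

# Safe Attachments: detonate attachments and block the whole message on a malware verdict.
# 'Block' is the conservative choice; 'DynamicDelivery' delivers the body first and
# attaches the file after scanning if users cannot tolerate the delay.
if (-not (Get-SafeAttachmentPolicy -Identity 'Standard Safe Attachments' -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name 'Standard Safe Attachments' `
        -Enable $true `
        -Action Block | Out-Null

    New-SafeAttachmentRule -Name 'Standard Safe Attachments rule' `
        -SafeAttachmentPolicy 'Standard Safe Attachments' `
        -RecipientDomainIs $domain | Out-Null
}

# Verify what is in force: rules bind a policy to recipients, so check both halves.
Get-SafeLinksRule      | Select-Object Name, State, SafeLinksPolicy, RecipientDomainIs
Get-SafeAttachmentRule | Select-Object Name, State, SafeAttachmentPolicy, RecipientDomainIs
```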

Anti-Phishing Policies

When ATP anti-phishing is enabled, all incoming messages will be analyzed for possible phishing attacks. Microsoft Office 365 uses cloud-based AI to look for unusual or suspicious message elements, such as mismatched descriptions, links, or domains. Whenever an alert is triggered, the user is immediately warned, and the alert is logged so that it can be reviewed by an admin.

How to enable ATP Anti-Phishing

Real-time Detection & Reports

Approved users will have access to the ATP dashboard along with reports about recent threats. These reports contain detailed information about malware, phishing attacks, and submissions. A Malware Status Report will allow you to see malware detected by type, method, and the status of each message with a threat. The URL Protection Status Report will display the number of threats discovered for each hyperlink or application and the resulting action taken by a user. The ATP Message Disposition report shows the actions taken on the different types of malicious file attachments in messages. The Email Security Reports include details about the top senders, recipients, spoofed mail, and spam detection.

How to view all the various ATP reports. Note: there are some more advanced reports which must be triggered through a PowerShell cmdlet.

Threat Explorer

Another important component of ATP is the Threat Explorer which allows admins or authorized users to get real-time information about active threats in the environment through a GUI console. It allows you to preview an email header and download an email body, and for privacy reasons, this is only permitted if permission is granted through role-based access control (RBAC). You can then trace any copies of this email throughout your environment to see whether it has been routed, delivered, blocked, replaced, failed, dropped, or junked. You can even view a timeline of the email to see how it has been accessed over time by recipients in your organization. Some users can even report suspicious emails and you can use this dashboard to view these messages.

How to enable ATP Threat Explorer

Threat Trackers

Microsoft Office 365 leverages its broad network of endpoints to identify and report on global attacks. Administrators can add any Threat Tracker widgets which they want to follow to their dashboard through the ATP interface. This allows you to track major threats attacking your region, industry, or service type.

How to enable ATP Threat Trackers

Automated Incident Response

Another great security feature from Microsoft Office 365 ATP is the ability to automatically investigate well-known threats. Once a threat is detected, the Automated Incident Response (AIR) feature will try to categorize it and start remediating the issue based on the industry-standard best practices. This could include providing recommendations, quarantining, or deleting the infected file or message.

How to use Automated Incident Response (AIR)

Attack Simulator

One challenge that many organizations experience when developing a protection policy is their inability to test how their users would actually respond to an attempted attack. The ATP Attack Simulator is a utility that authorized administrators can use to create artificial phishing and password attacks. These fake email campaigns try to identify and then educate vulnerable users by convincing them to perform an action that could expose them to a hacker. This utility can run a Spear Phishing Campaign, Brute Force Attack, and a Password Spray Attack.

How to enable the ATP Attack Simulator

This diverse suite of tools, widgets, and simulators can help admins protect their remote workforce from the latest attacks. Microsoft uses its artificial intelligence capabilities to learn how millions of mailboxes are sharing information, and uses this to harden the security of the entire platform.

If you want to learn more about Microsoft Office 365 ATP and Microsoft Office 365 in general, attend the upcoming Altaro webinar on May 27. I will be presenting that along with Microsoft MVP Andy Syrewicze so it’s your chance to ask me any questions you might have about ATP or other Microsoft Office 365 security features live! It’s a must-attend for all admins – save your seat now

Microsoft Office 365 ATP Altaro Webinar


Author: Symon Perriman

Managing Mailbox Retention and Archiving Policies in Microsoft 365

Microsoft 365 (formerly Office 365) provides a wide set of options for managing data classification, retention of different types of data, and archiving data. This article will show the options a Microsoft 365 administrator has when setting up retention policies for Exchange, SharePoint, and other Microsoft 365 workloads and how those policies affect users in Outlook. It’ll also cover the option of an Online Archive Mailbox and how to set one up.

There’s also an accompanying video to this article which shows you how to configure a retention policy, retention labels, enabling Archive mailboxes, and creating a move to archive retention tag.

[embedded content]

Before we continue, we know that for all Microsoft 365 admins security is a priority. And in the current climate of COVID-19, it’s well documented how hackers are working around the clock to exploit vulnerabilities. As such, we assembled two Microsoft experts to discuss the critical security features in Microsoft 365 you should be using right now in a free webinar on May 27. Don’t miss out on this must-attend event – save your seat now!

How To Manage Retention Policies in Microsoft 365

There are many reasons to consider labeling data and using retention policies but before we discuss these let’s look at how Office 365 manages your data in the default state. For Exchange Online (where mailboxes and Public Folders are stored if you use them), each database has at least four copies, spread across two datacenters. One of these copies is a lagged copy which means the replication to it is delayed, to provide the option to recover from a data corruption issue. In short, a disk, server, rack, or even datacenter failure isn’t going to mean that you lose your mailbox data.

Further, the default policy (for a few years now) is that deleted items in Outlook stay in the Deleted Items folder “forever”, until you empty it, or they are moved to an archive mailbox. If an end-user deletes items out of their Deleted Items folder, they’re kept for another 30 days (as long as the mailbox was created in 2017 or later), meaning the user can recover them by opening the Deleted Items folder and clicking the link.

Where to find recoverable items in Outlook, Microsoft 365

Where to find recoverable items in Outlook

This opens the dialogue box where a user can recover one or more items.

Recovering deleted items in Exchange Online, Microsoft 365

Recovering deleted items in Exchange Online

If an administrator deletes an entire mailbox it’s kept in Exchange Online for 30 days and you can recover it by restoring the associated user account.

Additionally, it’s also important to realize that Microsoft does not back up your data in Microsoft 365. Through native data protection in Exchange and SharePoint Online they make sure that they’ll never lose your current data, but if you have deleted an item, document or mailbox for good, it’s gone. There’s no secret place where Microsoft’s support can get it back from (although it doesn’t hurt to try), hence the popularity of third-party backup solutions such as Altaro Office 365 Backup.

Litigation Hold – the “not so secret” secret

One option that I have seen some administrators employ is to use litigation or in-place hold (the latter feature is being retired in the second half of 2020) which keeps all deleted items in a hidden subfolder of the Recoverable Items folder until the hold lapses (which could be never if you make it permanent). Note that you need at least an E3 or Exchange Online Plan 2 for this feature to be available. This feature is designed to be used when a user is under some form of investigation and ensures that no evidence can be purged by that user and it’s not designed as a “make sure nothing is ever deleted” policy. However, I totally understand the job security it can bring when the CEO is going ballistic because something super important is “gone”.

Litigation hold settings for a mailbox, Microsoft 365

Litigation hold settings for a mailbox

Retention Policies

If the default settings and options described above don’t satisfy the needs of your business or the regulatory requirements you may have, the next step is to consider retention policies. A few years ago, there were different policy frameworks for the different workloads in Office 365, showing the on-premises heritage of Exchange and SharePoint. Thankfully we now have a unified service that spans most Office 365 workloads. Retention in this context refers to ensuring that the data can’t be deleted until the retention period expires.

There are two flavors here. The first is label policies, which publish labels to your user base, letting users pick a retention policy by assigning individual emails or documents a label (only one label per piece of content). Note that labels can do two things that retention policies can’t do: firstly, they can apply from the date the content was labeled, and secondly, you can trigger a disposition / manual review of the SharePoint or OneDrive for Business document when the retention expires.

Labels only apply to objects that you label; they don’t retroactively scan through email or documents at rest. While labels can be part of a bigger data classification story, my recommendation is that anything that relies on users remembering to do something extra to manage data will only work with extensive training and for a small subset of very important data. You can (if you have E5 licensing for the users in question) use label policies to automatically apply labels to sensitive content, based on a search query you build (particular email subject lines or recipients or SharePoint document types in particular sites for instance) or to a set of trainable classifiers for offensive language, resumes, source-code, harassment, profanity, and threats. You can also apply a retention label to a SharePoint library, folder, or document set.

As an aside, Exchange Online also has personal labels that are similar to retention labels but created by users themselves instead of being created and published by administrators.

A more holistic flavor, in my opinion, is retention policies. These apply to all items stored in the various repositories and can apply across several different workloads. Retention policies can also both ensure that data is retained for a set period of time AND disposed of after the expiry of the data, which is often a regulatory requirement. A quick note here if you’re going to play around with policies is that they’re not instantaneously applied – it can take up to 24 hours or even 7 days, depending on the workload and type of policy – so prepare to be patient.

These policies can apply across Exchange, SharePoint (which means files stored in Microsoft 365 Groups, Teams, and Yammer), OneDrive for Business, and IM conversations in Skype for Business Online / Teams and Groups. Policies can be broad and apply across several workloads, or narrow and only apply to a specific workload or location in that workload. An organization-wide policy can apply to the workloads above (except Teams, you need a separate policy for its content) and you can have up to 10 of these in a tenant. Non-org wide policies can be applied to specific mailboxes, sites, or groups or you can use a search query to narrow down the content that the policy applies to. The limits are 10,000 policies in a tenant, each of which can apply to up to 1000 mailboxes or 100 sites.

Especially with org-wide policies be aware that they apply to ALL selected content so if you set it to retain everything for four years and then delete it, data is going to automatically start disappearing after four years. Note that you can set the “timer” to start when the content is created or when it was last modified, the latter is probably more in line with what people would expect, otherwise, you could have a list that someone updates weekly disappear suddenly because it was created several years ago.

To create a retention policy login to the Microsoft 365 admin center, expand Admin centers, and click on Compliance. In this portal click on Policies and then Retention under Data.

Retention policies link in the Compliance portal

Select the Retention tab and click New retention policy.

Retention policies and creating a new one

Give your policy a name and a description, select which data stores it’s going to apply to and whether the policy is going to retain and then delete data or just delete it after the specified time.

Retention settings in a policy

Outside the scope of this article but related are sensitivity labels: instead of classifying data based on how long it should be kept, these policies classify data based on the security needs of the content. You can then apply policies to control the flow of emails with this content, or automatically encrypt documents in SharePoint, for instance. You can also combine sensitivity and retention labels in policies.


Since there can be multiple policies applied to the same piece of data and perhaps even retention labels in play there could be a situation where conflicting settings apply. Here’s how these conflicts are resolved.

Retention wins over deletion, making sure that nothing is deleted that you expected to be retained, and the longest retention period wins. If one policy says two years and another says five years, it’ll be kept for five. The third rule is that explicit wins over implicit, so if a policy has been applied to a specific area such as a SharePoint library it’ll take precedence over an organization-wide general policy. Finally, the shortest deletion period wins, so that if an administrator has chosen to delete content after a set period of time, it’ll be deleted then even if another policy applies that requires deletion after a longer period of time. Here’s a graphic that shows the four rules and their interaction:

Policy conflict resolution rules (courtesy of Microsoft)

As you can see, building a set of retention policies that really work for your business and don’t unintentionally cause problems is a project for the whole business, working out exactly what’s needed across different workloads, rather than the job of a “click-happy” IT administrator.

Archive Mailbox

It all started with trying to rid the world of PST stored emails. Back in the day, when hard drive and SAN storage only provided small amounts of storage, many people learnt to “expand” the capacity of their small mailbox quota with local PST files. The problem is that these local files aren’t backed up and aren’t included in regulatory or eDiscovery searches. Office 365 largely solved part of this problem by providing generous quotas, the Business plans provide 50 GB per mailbox whereas the Enterprise plans have 100 GB limits.

If you need more mailbox storage one option is to enable online archiving which provides another 50 GB mailbox for the Business plans and an unlimited (see below) mailbox for the Enterprise plans. There are some limitations on this “extra” mailbox, it can only be accessed online, and it’s never synchronized to your offline (OST) file in Outlook. When you search for content you must select “all mailboxes” to see matches in your archive mailbox. ActiveSync and the Outlook client on Android and iOS can’t see the archive mailbox and users may need to manually decide what to store in which location (unless you’ve set up your policies correctly).

For these reasons many businesses avoid archive mailboxes altogether, just making sure that all mailbox data is stored in the primary mailbox (after all, 100 GB is quite a lot of emails). Other businesses, particularly those with a lot of legacy PST storage find these mailboxes fantastic and use either manual upload or even drive shipping to Microsoft 365 to convert all those PSTs to online archives where the content isn’t going to disappear because of a failed hard drive and where eDiscovery can find it.

For those that really need it and are on E3 or E5 licensing you can also enable auto-expanding archives which will ensure that as you use up space in an online archive mailbox, additional mailboxes will be created behind the scenes to provide effectively unlimited archival storage.

To enable archive mailboxes, go to Security & Compliance Center, click on Information governance, and the Archive tab.

The Archive tab

Click on a user’s name to be able to enable the archive mailbox.

Archive mailbox settings

Once you have enabled archive mailboxes, you’ll need a policy to make sure that items are moved into them at the cadence you need. Go to the Exchange admin center and click on Compliance management – Retention tags.

Exchange Admin Center – Retention tags

Here you’ll find the Default 2 year move to archive tag or you can create a new policy by clicking on the + sign.

Exchange Retention tags default policies

Pick Move to Archive as the action, give the policy a name and select the number of days that has to pass before the move happens.

Creating a custom Move to archive policy

Note that online archive mailboxes have NOTHING to do with the Archive folder that you see in the folder tree in Outlook, this is just an ordinary folder that you can move items into from your inbox for later processing. This Archive folder is available on mobile clients and also when you’re offline and you can swipe in Outlook mobile to automatically store emails in it.


Now you know how and when to apply retention policies and retention tags in Microsoft 365, as well as when online archive mailboxes are appropriate and how to enable them and configure policies to archive items.

Finally, if you haven’t done so already, remember to save your seat on our upcoming must-attend webinar for all Microsoft 365 admins:

Critical Security Features in Office/Microsoft 365 Admins Simply Can’t Ignore

Is Your Office 365 Data Secure?

Did you know Microsoft does not back up Office 365 data? Most people assume their emails, contacts and calendar events are saved somewhere but they’re not. Secure your Office 365 data today using Altaro Office 365 Backup – the reliable and cost-effective mailbox backup, recovery and backup storage solution for companies and MSPs. 

Start your Free Trial now

Go to Original Article
Author: Paul Schnackenburg

How to Recover Deleted Emails in Microsoft 365

When the CEO realizes they deleted a vital email thread three weeks ago, email recovery suddenly becomes an urgent task. Sure, you can look in the Deleted Items folder in Outlook, but beyond that, how can you recover what has undergone “permanent” deletion? In this article, we review how you can save the day by bringing supposedly unrecoverable email back from the great beyond.

Before we continue, we know that for all Microsoft 365 admins security is a priority. And in the current climate of COVID-19, it’s well documented how hackers are working around the clock to exploit vulnerabilities. As such, we assembled two Microsoft experts to discuss the critical security features in Microsoft 365 you should be using right now in a free webinar on May 27. Don’t miss out on this must-attend event – save your seat now!

Now onto saving your emails!

Deleted Email Recovery in Microsoft And Office 365

Email Recovery for Outlook in Exchange Online through Microsoft and Office can be as simple as dragging and dropping the wayward email from the Deleted Items folder to your Inbox. But what do you do when you can’t find the email you want to recover?

First, let’s look at how email recovery is structured in Microsoft 365. There are a few more layers here than you might think! In Microsoft 365, deleted email can be in one of three states: Deleted, Soft-Deleted, or Hard-Deleted. The way you recover email and how long you have to do so depends on the email’s delete status and the applicable retention policy.

Email Recovery in Microsoft 365

Let’s walk through the following graphic and talk about how email gets from one state to another, the default policies, how to recover deleted email in each state, and a few tips along the way.

Items vs. Email

Outlook is all about email, yet it also holds tasks, contacts, calendar events, and other types of information. For example, you can delete calendar entries and may be called on to recover them, just like email. For this reason, the folder for deleted content is called “Deleted Items.” Also, when discussing deletions and recovery, it is common to refer to “items” rather than limiting the discussion to just email.


Various rules control the retention period for items in the different states of deletion. A policy is an automatically applied action that enforces a rule related to services. Microsoft 365 has hundreds of policies you can tweak to suit your requirements. See Overview of Retention policies for more information.

‘Deleted Items’ Email

When you press the Delete key on an email in Outlook, it’s moved to the Deleted Items folder. That email is now in the “Deleted” state, which simply means it moved to the Deleted Items folder. How long does Outlook retain deleted email? By default – forever! You can recover your deleted mail with just a drag and drop to your Inbox. Done!

If you can’t locate the email in the Deleted Items folder, double-check that you have the Deleted Items folder selected, then scroll to the bottom of the email list. Look for the following message:

Outlook Deleted Items Folder

If you see the above message, your cache settings may be keeping only part of the content in Outlook and the rest in the cloud. The cache helps to keep mailbox sizes lower on your hard drive, which in turn speeds up search and load times. Click on the link to download the missing messages.

But I Didn’t Delete It!

If you find content in the Deleted Items and are sure you did not delete it, you may be right! Administrators can set Microsoft 365 policy to delete old Inbox content automatically.

Mail can ‘disappear’ another way. Some companies enable a personal archive mailbox for users. When enabled, by default, any mail two years or older will “disappear” from your Inbox and the Deleted Items folder. However, there is no need to worry. While apparently missing, the email has simply moved to the Archives Inbox. A personal Archives Inbox shows up as a stand-alone mailbox in Outlook, as shown below.

Stand-alone mailbox in Outlook

As a result, it’s a good idea to search the Archives Inbox, if it is present when searching for older messages.

Another setting to check is one that deletes email when Outlook is closed. Access this setting in Outlook by clicking “File,” then “Options,” and finally “Advanced” to display this window:

Outlook Advanced Options

If enabled, Outlook empties the Deleted Items folder when closed. The deleted email then moves to the ‘soft-delete’ state, which is covered next. Keep in mind that with this setting, all emails will be permanently deleted after 28 days.

‘Soft-Deleted’ Email

The next stage in the process is Soft-Deleted. Soft-Deleted email is no longer in the Deleted Items folder but is still easily recovered. At a technical level, the mail is deleted locally from Outlook and placed in the Exchange Online folder named Deletions, which is a sub-folder of Recoverable Items. Any content in the Recoverable Items folder in Exchange Online is, by definition, considered soft-deleted.

You have, by default, 14 days to recover soft-deleted mail. The service administrator can change the retention period to a maximum of 30 days. Be aware that this can consume some of the storage capacity assigned to each user account and you could get charged for overages.

How items become soft-deleted

There are three ways to soft-delete mail or other Outlook items.

  1. Delete an item already in the Deleted Items folder. When you manually delete something that is already in the Deleted Items folder, the item is soft-deleted. Any process, manual or otherwise, that deletes content from this folder results in a ‘soft-delete’.
  2. Pressing Shift + Delete on an email in your Outlook Inbox will bring up a dialog box asking if you wish to “permanently” delete the email. Clicking Yes will remove the email from the Deleted Items folder but only perform a soft-delete. You can still recover the item if you do so within the 14-day retention period.

Soft Deleting Items in Outlook

  3. The final way items can be soft-deleted is by using Outlook policies or rules. By default, there are no policies that automatically remove mail from the Deleted Items folder in Outlook. However, users can create rules that ‘permanently’ delete (soft-delete) email. If you’re troubleshooting missing email, have the user check for such rules. Click Rules on the Home menu and examine any created rules in the Rules Wizard shown below.

Microsoft Outlook Policies and Rules

Note that the caution is a bit misleading as the rule’s action will soft-delete the email, which, as already stated, is not an immediate permanent deletion.

Recovering soft-deleted mail

You can recover soft-deleted mail directly in Outlook. Be sure the Deleted Items folder is selected, then look for “Recover items recently removed from this folder” at the top of the mail column, or the “Recover Deleted Items from Server” action on the Home menu bar.

Recovering soft-deleted mail in Outlook

Clicking on the recover items link opens the Recover Deleted Items window.

Recover Deleted Items, Microsoft Outlook

Click on the items you want to recover or Select All, and click OK.

NOTE: The recovered email returns to your Deleted Items folder. Be sure to move it into your Inbox.

If the email you’re looking for is not listed, it could have moved to the next stage: ‘Hard-Deleted.’

While users can recover soft-deleted email, administrators can also recover soft-deleted email on their behalf using the ‘Hard-Deleted’ email recovery process described next (which works for both hard and soft deletions). Also, Microsoft provides two PowerShell cmdlets that are very useful in this process for those who would rather script the tasks: you can use the Get-RecoverableItems and Restore-RecoverableItems cmdlets to search for and restore soft-deleted email.
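As an added example (not part of the original article), here is how an administrator can preview and then restore a user's soft-deleted mail with those two cmdlets from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module and an account that already holds the recovery permissions; the mailbox address and subject text are constructed placeholders.

```powershell
# Added example, not from the article. Requires the ExchangeOnlineManagement
# module; run in a session where you hold mailbox recovery permissions.
Connect-ExchangeOnline

$Mailbox = 'user@contoso.example'   # placeholder mailbox
$Subject = 'Q3 budget'              # placeholder subject fragment to look for
$Since   = (Get-Date).AddDays(-30)  # don't look further back than the 30-day maximum window

# Check how long this mailbox keeps soft-deleted items (the 14-day default,
# up to 30 days) and whether a litigation hold extends retention beyond that.
Get-Mailbox -Identity $Mailbox |
    Select-Object DisplayName, RetainDeletedItemsFor, LitigationHoldEnabled

# Preview only: soft-deleted email in Recoverable Items\Deletions that matches
# the subject. -FilterItemType IPM.Note restricts the search to mail messages,
# so calendar items, contacts and tasks are left out.
$Candidates = Get-RecoverableItems -Identity $Mailbox `
    -SourceFolder RecoverableItems `
    -FilterItemType IPM.Note `
    -SubjectContains $Subject `
    -FilterStartTime $Since `
    -FilterEndTime (Get-Date)

# LastParentPath shows where each item lived before it was deleted.
$Candidates | Format-Table Subject, LastModifiedTime, LastParentPath -AutoSize

# Restore using exactly the same filter, so only the previewed items are
# touched. Items go back to their original folder when it still exists;
# otherwise check the mailbox's default folder for that item type.
if ($Candidates) {
    Restore-RecoverableItems -Identity $Mailbox `
        -SourceFolder RecoverableItems `
        -FilterItemType IPM.Note `
        -SubjectContains $Subject `
        -FilterStartTime $Since `
        -FilterEndTime (Get-Date)
}
```

Review the preview before running the restore step; a broad -SubjectContains value restores every matching item, not just the one the user asked about.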

Hard-Deleted Email

The next stage of deletion is ‘Hard Delete.’ Technically, items are hard-deleted when they move from the Deletions sub-folder of Recoverable Items to the Purges folder in Exchange Online. Administrators can still recover items in that folder within the recovery period set by policy, which ranges from 14 days (the default) to 30 days (the maximum). You can extend the retention beyond 30 days by placing a legal or litigation hold on the item or mailbox.

How items become Hard-Deleted

There are two ways content becomes hard-deleted.

  1. By policy, soft-deleted email is moved to the hard-deleted stage when the retention period expires.
  2. Users can hard-delete mail manually by selecting the Purge option in the Recover Deleted Items window shown above. (Again, choosing to ‘permanently delete’ mail with Shift + Del, results in a soft-delete, not a hard-delete.)

Recovering Hard-Deleted Mail

Once email enters the hard-delete stage, users can no longer recover the content. Only service administrators with the proper privileges can initiate recovery, and no administrators have those privileges by default, not even the global admin. The global admin does have the right to assign privileges so that they can give themselves (or others) the necessary rights. Privacy is a concern here since administrators with these privileges can search and export a user’s email.

Microsoft’s online documentation Recover deleted items in a user’s mailbox details the step-by-step instructions for recovering hard-deleted content. The process is a bit messy compared to other administrative tasks. As an overview, the administrator will:

  1. Assign the required permissions
  2. Search the Inbox for the missing email
  3. Copy the results to a Discovery mailbox where you can view mail in the Purged folder (optional).
  4. Export the results to a PST file.
  5. Import the PST to Outlook on the user’s system and locate the missing email in the Purged folder

Last Chance Recovery

Once hard-deleted items are purged, they are no longer discoverable by any method by users or administrators. You should consider the recovery of such content as unlikely. That said, if the email you are looking for is not recoverable by any of the above methods, you can open a ticket with Microsoft 365 Support. In some circumstances, they may be able to find the email that has been purged but not yet overwritten. They may or may not be willing to look for the email, but it can’t hurt to ask, and it has happened.

What about using Outlook to backup email?

Outlook does allow a user to export email to a PST file. To do this, click “File” in the Outlook main menu, then “Import & Export” as shown below.

Outlook Menu, Import Export

You can specify what you want to export and even protect the file with a password.

While useful from time to time, a backup plan that depends on users manually exporting content to a local file doesn’t scale and isn’t reliable. Consequently, don’t rely on this as a possible backup and recovery solution.

Alternative Strategies

After reading this, you may be thinking, “isn’t there an easier way?” A service like Altaro Office 365 Backup allows you to recover from point-in-time snapshots of an inbox or other Microsoft 365 content. Having a service like this when you get that urgent call to recover a mail from a month ago can be a lifesaver.


Users can recover most deleted email without administrator intervention. Often, deleted email simply sits in the Deleted Items folder until manually cleared. When that occurs, email enters the ‘soft-deleted’ stage and is easily restored by a user within 14 days. After this period, the item enters the ‘hard-deleted’ state. A service administrator can recover hard-deleted items within the recovery window. After the hard-deleted state, email should be considered unrecoverable. Policies can be applied to extend the retention times of deleted mail in any state. While administrators can go far with the web-based administration tools, the entire recovery process can be scripted with PowerShell to customize and scale larger projects or provide granular discovery. It is always a great idea to use a backup solution designed for Microsoft 365, such as Altaro Office 365 Backup.


Go to Original Article
Author: Brett Hill

R.I.P. Office 365, Long Live Microsoft 365

Microsoft just made sweeping changes to the Office 365 ecosystem, both for personal subscriptions (Office 365 Personal and Home) and Office 365 for Business, sunsetting the Office 365 brand and replacing it with Microsoft 365. This was put in place as of April 21, 2020.

This article will look at what these changes mean, explore the differences between Office 365, Microsoft 365 and Office 2019 and the subscription model underlying these offerings as well as make some predictions for the enterprise services that are still under the Office 365 name.

Office 365 Home and Personal

Let’s start with the home and family subscriptions. Over 500 million people use the free, web-based versions of Word, Excel etc. along with Skype and OneDrive to collaborate and connect. Then there are 38 million people who have subscribed to Office 365 Home or Office 365 Personal. Both provide the desktop Office suite (Word, Excel etc.) for Windows and Mac, along with matching applications for iOS and Android and 1 TB of OneDrive space. These two plans are changing name to Microsoft 365 Personal ($6.99 per month) and Microsoft 365 Family ($9.99 per month) respectively. Personal is for a single user whereas Family works with up to six people (and yes, they each get 1 TB of OneDrive storage for a maximum of 6TB). Otherwise, they’re identical and provide advanced spelling, grammar and style assistance in Microsoft Editor (see below), AI-powered suggestions for design in PowerPoint, coaching when you rehearse a PowerPoint presentation and the new Money in Excel (see below). Each user also gets 50 GB of email storage in Outlook, the ability to add a custom email domain and 60 minutes worth of Skype calls to mobiles and landlines.

Office 365 Microsoft 365 Plan Choices

Picking a plan for home use is easy

Microsoft Editor is Microsoft’s answer to Grammarly and is available in Word on the web and the desktop Word version, as well as an Edge or Chrome extension. It supports more than 20 languages and uses AI to help you with the spelling, grammar, and style of your writing. The basic version is available to anyone, but the advanced features are unlocked with a Personal or Family subscription. These include suggestions for how to write something more clearly (just highlight your original sentence), plagiarism checking, the ability to easily insert citations, and suggestions for improving conciseness and inclusiveness.

Settings for the Microsoft Editor browser extension

Money in Excel connects Excel to your bank and credit card accounts so you can import balances and transactions automatically and provides personalized insights on your spending habits. Money isn’t available yet and will be US only in the first phase when it rolls out over the next couple of months.

Outlook on the web will let you add personal calendars, not only marrying your work and home life but also providing clarity for others seeking to find appointment times with you – of course, they won’t see what’s penned in your calendars, only when you’re not available. Play My Emails is coming to Android (already available on iOS), letting Cortana read your emails to you while you’re on the go. The Teams mobile app is being beefed up for use in your personal life as well. Finally, Microsoft Family Safety is coming to Android and iOS devices, helping parents protect their children when they explore and play games on their devices.

You’ll have noticed that nearly all of these new features and services are on the horizon but not here yet. If you’re already an Office 365 Home or Personal subscriber your subscription just changed its name to Microsoft 365 Family or Personal but nothing else changed and until these new goodies are available – nothing has changed, including the price of your subscription. Note that none of these changes applies to the perpetual licenses Office 2019 which is Word, Excel etc. that you can purchase (not subscribe to) and that Office 2019 doesn’t provide any cloud-powered, AI-based features, nor gets the monthly feature updates that its Office 365 based cousin enjoys.

Microsoft 365 Business Basic, Apps, Standard and Premium

Of more interest to readers of Altaro’s blogs are probably the changes to the Office 365 SMB plans (that top out at 300 users). As a quick summary, (for a more in-depth look at Office & Microsoft 365, here’s a free eBook from Altaro) Microsoft 365 Business Basic (formerly known as Office 365 Business Essentials at $5 per user per month) gives each user an Exchange mailbox, Teams and SharePoint access, the web browser versions of Word, Excel etc. and 1TB of OneDrive storage.

Microsoft 365 Apps for Business (old name Office 365 Business, $8.25 per user per month) provides the desktop version of Office for Windows, Mac, Android, and iOS devices and 1TB of OneDrive storage.

Microsoft 365 Business Standard (prior name Office 365 Business Premium, which is a name change that won’t confuse anyone) weighs in at $12.50 per user per month and gives you both the desktop and web versions of Office.

Finally, Microsoft 365 Business Premium (formerly known as Microsoft 365 Business, again not confusing at all, at $20 per user per month) gives you everything in Standard, plus Office 365 Advanced Threat Protection, Intune based Mobile Device Management (MDM) features, Online Archiving in Exchange and much more.

Microsoft 365 Management Portal

In a separate announcement, Microsoft is bringing the full power of AAD Premium P1 for free to Microsoft 365 Business Premium. This will give SMBs cost-effective access to Cloud App Discovery which provides insight and protection for users in the modern world of cloud services, including discovering which applications your staff are using. It’ll also bring Application Proxy to be able to publish on-premises applications to remote workers easily and securely, dynamic groups make it easier to make sure staff are in the right groups for their role, and password-less authentication using Windows Hello for Business, FIDO 2 security keys and Microsoft’s free authenticator app.

Note that none of the Enterprise flavors of Office 365, E1, E3 and E5, F1 for first-line workers, the A1, A3 and A5 for education, nor the G1, G3 and G5 varieties for government organizations are changing at this time. My prediction is that this will change and before long, all of these will be moved to the unifying Microsoft brand.

Philosophically there are a few things going on here. As a consultant who both sells and supports Office / Microsoft 365 to businesses, as well as a trainer who teaches people about the services, there’s always been a pretty clear line between the two. Office 365 gives you the Office applications, email and document storage. If you wanted mobile device management (Intune), advanced security features (Azure Active Directory, AAD), Windows 10 Enterprise and Information Protection you went for Microsoft 365. These features are all available under the moniker Enterprise Mobility + Security (EMS) so essentially Microsoft 365 was Office 365 + EMS.

Adding Microsoft 365 licenses

This line is now being blurred for the small business plans which can make it even more difficult to make sure that small and medium businesses pick the right plans for their needs. Remember though that you can mix and match the different flavors in business, just because some users need Microsoft 365 Business Premium doesn’t mean that other roles in your business can’t work well with just Microsoft 365 Business Basic.

And this isn’t a surprise move, even Office 365 administrators have been using the Microsoft 365 management portal for quite some time, here’s a screenshot of the old, retired Office 365 portal.

Office 365 Admin Center

More broadly though, I think the brand changes are signalling that Office 365 is “growing up”, and using the same name across the home user stack as well as the SMB stack (with the Enterprise SKUs to follow) provides a more homogeneous offering.

Just as with the name changes to the personal plans there’s nothing for IT administrators to do at this stage, the plans will seamlessly change names but all functionality remains the same (including the lack of long term backup, something that Altaro has a remedy for).

Go to Original Article
Author: Paul Schnackenburg

RTO and RPO: Understanding Disaster Recovery Times

You will focus a great deal of your disaster recovery planning (and rightly so) on the data that you need to capture. The best way to find out if your current strategy does this properly is to try our acid test. However, backup coverage only accounts for part of a proper overall plan. Your larger design must include a thorough model of recovery goals, specifically Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

Ideally, a restore process would contain absolutely everything. Practically, expect that to never happen. This article explains the risks and options of when and how quickly operations can and should resume following systems failure.

Table of Contents

  • Disaster Recovery Time in a Nutshell
  • What is Recovery Time Objective?
  • What is Recovery Point Objective?
  • Challenges Against Short RTOs and RPOs
  • RTO Challenges
  • RPO Challenges
  • Outlining Organizational Desires
  • Considering the Availability and Impact of Solutions
  • Instant Data Replication
  • Short Interval Data Replication
  • Ransomware Considerations for Replication
  • Short Interval Backup
  • Long Interval Backup
  • Ransomware Considerations for Backup
  • Using Multiple RTOs and RPOs
  • Leveraging Rotation and Retention Policies
  • Minimizing Rotation Risks
  • Coalescing into a Disaster Recovery Plan

Disaster Recovery Time in a Nutshell

If a catastrophe strikes that requires recovery from backup media, most people will first ask: “How long until we can get up and running?” That’s an important question, but not the only time-oriented problem that you face. Additionally, and perhaps more importantly, you must ask the question: “How much already-completed operational time can we afford to lose?” The business-continuity industry represents the answers to those questions in the acronyms RTO and RPO, respectively.

What is Recovery Time Objective?

Your Recovery Time Objective (RTO) sets the expectation for the answer to, “How long until we can get going again?” Just break the words out into a longer sentence: “It is the objective for the amount of time between the data loss event and recovery.”

Recovery Time Objective RTO

Of course, we would like to make all of our recovery times instant. But, we also know that will not happen. So, you need to decide in advance how much downtime you can tolerate, and strategize accordingly. Do not wait until the midst of a calamity to declare, “We need to get online NOW!” By that point, it will be too late. Your organization needs to build up those objectives in advance. Budgets and capabilities will define the boundaries of your plan. Before we investigate that further, let’s consider the other time-based recovery metric.

What is Recovery Point Objective?

We don’t just want to minimize the amount of time that we lose; we also want to minimize the amount of data that we lose. Often, we frame that in terms of retention policies — how far back in time we need to be able to access. However, failures usually cause a loss of systems during run time. Unless all of your systems continually duplicate data as it enters the system, you will lose something. Because backups generally operate on a timer of some sort, you can often describe that potential loss in a time unit, just as you can with recovery times. We refer to the maximum total acceptable amount of lost time as a Recovery Point Objective (RPO).

Recovery Point Objective RPO

As with RTOs, shorter RPOs are better. The shorter the amount of time since a recovery point, the less overall data lost. Unfortunately, reduced RPOs take a heavier toll on resources. You will need to balance what you can achieve against what your business units want. Allow plenty of time for discussions on this subject.

Challenges Against Short RTOs and RPOs

First, you need to understand what will prevent you from achieving instant RTOs and RPOs. More importantly, you need to ensure that the critical stakeholders in your organization understand it. These objectives mean setting reasonable expectations for your managers and users at least as much as they mean setting goals for your IT staff.

RTO Challenges

We can define a handful of generic obstacles to quick recovery times:

  • Time to acquire, configure, and deploy replacement hardware
  • Effort and time to move into new buildings
  • Need to retrieve or connect to backup media and sources
  • Personnel effort
  • Vendor engagement

You may also face some barriers specific to your organization, such as:

  • Prerequisite procedures
  • Involvement of key personnel
  • Regulatory reporting

Make sure to clearly document all known conditions that add time to recovery efforts. They can help you to establish a recovery checklist. When someone requests a progress report during an outage, you can indicate the current point in the documentation. That will save you time and reduce frustration.

RPO Challenges

We could create a similar list for RPO challenges as we did for RTO challenges. Instead, we will use one sentence to summarize them all: “The backup frequency establishes the minimum RPO”. In order to take more frequent backups, you need a fast backup system with adequate amounts of storage. So, your ability to bring resources to bear on the problem directly impacts RPO length. You have a variety of solutions to choose from that can help.

Outlining Organizational Desires

Before expending much effort figuring out what you can do, find out what you must do. Unless you happen to run everything, you will need input from others. Start broadly with the same type of questions that we asked above: “How long can you tolerate downtime during recovery?” and “How far back from a catastrophic event can you re-enter data?” Explain RTOs and RPOs. Ensure that everyone understands that RPO means a loss of recent data, not long-term historical data.

These discussions may require a fair bit of time and multiple meetings. Suggest that managers work with their staff on what-if scenarios. They can even simulate operations without access to systems. For your part, you might need to discover the costs associated with solutions that can meet different RPO and RTO levels. You do not need to provide exact figures, but you should be ready and able to answer ballpark questions. You should also know the options available at different spend levels.

Considering the Availability and Impact of Solutions

To some degree, the amount that you spend controls the length of your RTOs and RPOs. That has limits; not all vendors provide the same value per dollar spent. But, some institutions set out to spend as close to nothing as possible on backup. While most backup software vendors do offer a free level of their product, none of them makes their best features available at no charge. Organizations that try to spend nothing on their backup software will have high RTOs and RPOs and may encounter unexpected barriers. Even if you find a free solution that does what you need, no one makes storage space and equipment available for free. You need to find a balance between cost and capability that your company can accept.

To help you understand your choices, we will consider different tiers of data protection.

Instant Data Replication

For the lowest RPO, only real-time replication will suffice. In real-time replication, every write to live storage is also written to backup storage. You can achieve this many ways, but the most reliable involve dedicated hardware. You will spend a lot, but you can reduce your RPO to effectively zero. Even a real-time replication system can drop active transactions, so never expect a complete shield against data loss.

Real-time replication systems have a very high associated cost. For the most reliable protection, they will need to span geography as well. If you just replicate to another room down the hall and a fire destroys the entire building, your replication system will not save you. So, you will need multiple locations, very high speed interconnects, and capable storage systems.

Short Interval Data Replication

If you can sustain a few minutes of lost information, then you usually find much lower price tags for short-interval replication technology. Unlike real-time replication, software can handle the load of delayed replication, so you will find more solutions. As an example, Altaro VM Backup offers Continuous Data Protection (CDP), which cuts your RPO to as low as five minutes.

As with instant replication, you want your short-interval replication to span geographic locations if possible. But, you might not need to spend as much on networking, as the delays in transmission give transfers more time to complete.

Ransomware Considerations for Replication

You always need to worry about data corruption in replication. Ransomware adds a new twist but presents the same basic problem. Something damages your real-time data. None the wiser, your replication system makes a faithful copy of that corrupted data. The corruption or ransomware has turned both your live data and your replicated data into useless jumbles of bits.

Anti-malware and safe computing practices present your strongest front-line protection against ransomware. However, you cannot rely on them alone. The upshot: you cannot rely on replication systems alone for backup. A secondary implication: even though replication provides very short RPOs, you cannot guarantee them.

Short Interval Backup

You can use most traditional backup software in short intervals. Sometimes, those intervals can be just, or nearly, as short as short-term replication intervals. The real difference between replication and backup is the number of possible copies of duplicated data. Replication usually provides only one copy of live data — perhaps two or three at the most — and no historical copies. Backup programs differ in how many unique simultaneous copies that they will make, but all will make multiple historical copies. Even better, historical copies can usually exist offline.

You do not need to set a goal of only a few minutes for short interval backups. To balance protection and costs, you might space them out in terms of hours. You can also leverage delta, incremental, and differential backups to reduce total space usage. Sometimes, your technologies have built-in solutions that can help. As an example, SQL administrators commonly use transaction log backups on a short rotation to make short backups to a local disk. They perform a full backup each night that their regular backup system captures. If a failure occurs during the day that does not wipe out storage, they can restore the previous night’s full backup and replay the available transaction log backups.

Long Interval Backup

At the “lowest” tier, we find the oldest solution: the reliable nightly backup. This usually costs the least in terms of software licenses and hardware. Perhaps counter-intuitively, it also provides the most resilient solution. With longer intervals, you also get longer-term storage choices. You get three major benefits from these backups: historical data preservation, protection against data corruption, and offline storage. We will explore each in the upcoming sections.

Ransomware Considerations for Backup

Because we use a backup to create distinct copies, it has some built-in protection against data corruption, including ransomware. As long as the ransomware has no access to a backup copy, it cannot corrupt that copy. First and foremost, that means that you need to maintain offline backups. Replication requires essentially constant continuity to its replicas, so only backup can work under this restriction. Second, it means that you need to exercise caution when you execute restore procedures. Some ransomware authors have made their malware aware of several common backup applications, and they will hijack it to corrupt backups whenever possible. You can only protect your offline data copies by attaching them to known-safe systems.

Using Multiple RTOs and RPOs

You will need to structure your systems into multiple RTO and RPO categories. Some outages will not require much time to recover from. Some will require different solutions. Even though we tend to think primarily in terms of data during disaster recovery planning, you must consider equipment as well. For instance, if your sales division prints its own monthly flyers and you lose a printer, then you need to establish RTOs, RPOs, downtime procedures, and recovery processes just for those print devices.

You also need to establish multiple levels for your data, especially when you have multiple protection systems. For example, if you have both replication and backup technologies in operation, then you will set one RPO/RTO value for times when the replication works, and RTO/RPO values for when you must resort to long-term backup. That could happen due to ransomware or some other data corruption event, but it can also happen if someone accidentally deletes something important.

To start this planning, establish “Best Case” and “Worst Case” plans and processes for your individual systems.

Leveraging Rotation and Retention Policies

For your final exercise in time-based disaster recovery designs, we will look at rotation and retention policies. “Rotation” comes from the days of tape backups, when we would decide how often to overwrite old copies of data. Now that high-capacity external disks have reached a low-cost point, many businesses have moved away from tape. You may not overwrite media anymore, or at least not at the same frequency. Retention policies dictate how long you must retain at least one copy of a given piece of information. These two policies directly relate to each other.

Backup Rotation and Retention

In today’s terms, think of “rotation” more in terms of unique copies of data. Backup systems have used “differential” and “incremental” backups for a very long time. The former is a complete record of changes since the last full backup; the latter is a record of changes since the last backup of any kind. Newer backup systems have “delta” and deduplication capabilities. A “delta” backup operates like a differential or incremental backup, but within files or blocks. Deduplication keeps only one copy of a block of bits, regardless of how many times it appears within an entire backup set. These technologies reduce backup time and storage space needs… at a cost.

Minimizing Rotation Risks

All of these speed-enhancing and space-reducing improvements have one major cost: they reduce the total number of available unique backup copies. As long as nothing goes wrong with your media, then this will never cause you a problem. However, if one of the full backups suffers damage, then that invalidates all dependent partial backups. You must balance the number of full backups that you take against the amount of time and bandwidth necessary to capture them.

As one minimizing strategy, target your full backup operations to occur during your organization’s quietest periods. If you do not operate 24 hours per day, that might allow for nightly full backups. If you have low volume weekends, you might take full backups on Saturdays or Sundays. You can intersperse full backups on holidays.
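To make the dependency and RPO arithmetic from the sections above concrete, here is an added Python model (not from this article or from any backup product) that works out the restore chain for a mix of full, differential and incremental backups, the RPO actually achieved for a given failure time, and what a damaged full backup costs. The Backup class, the one-week schedule and the dates are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime

@dataclass(frozen=True)
class Backup:
    taken: datetime
    kind: str              # "full", "differential" or "incremental"
    damaged: bool = False  # media unreadable, which also voids every backup depending on it

def restore_chain(backups, end):
    """Backups needed, oldest first, to restore the state captured by `end`: an incremental
    depends on the previous backup of any kind, a differential only on the last full."""
    earlier = sorted((b for b in backups if b.taken <= end.taken), key=lambda b: b.taken)
    chain, i = [], len(earlier) - 1
    while i >= 0:
        chain.append(earlier[i])
        if earlier[i].kind == "full":
            break
        if earlier[i].kind == "differential":   # skip the partials back to the last full
            while i > 0 and earlier[i - 1].kind != "full":
                i -= 1
        i -= 1
    return list(reversed(chain)) if chain and chain[-1].kind == "full" else None

def recovery_point(backups, failure_at):
    """Newest restorable state before `failure_at`: the first backup, newest first,
    whose whole dependency chain is undamaged. Returns (time, chain) or (None, None)."""
    for end in sorted((b for b in backups if b.taken <= failure_at),
                      key=lambda b: b.taken, reverse=True):
        chain = restore_chain(backups, end)
        if chain and not any(b.damaged for b in chain):
            return end.taken, chain
    return None, None

def achieved_rpo(backups, failure_at):
    """Operational time actually lost: the failure time minus the recovery point."""
    point, _ = recovery_point(backups, failure_at)
    return None if point is None else failure_at - point

def nominal_rpo(backups):
    """What the schedule can promise at best: the longest gap between consecutive backups."""
    times = sorted(b.taken for b in backups)
    return max(later - earlier for earlier, later in zip(times, times[1:]))

# Constructed schedule: a Saturday full taken in a quiet period, the regular Sunday full,
# then daily 02:00 jobs with a Wednesday differential; storage fails Thursday afternoon.
KINDS = ["full", "full", "incremental", "incremental", "differential", "incremental"]
SCHEDULE = [Backup(datetime(2021, 1, 2 + day, 2), kind) for day, kind in enumerate(KINDS)]
FAILURE = datetime(2021, 1, 7, 14, 30)
# Same week with the Sunday full unreadable: Monday through Thursday all depend on it.
SUNDAY_FULL_DAMAGED = [replace(b, damaged=b.taken == datetime(2021, 1, 3, 2)) for b in SCHEDULE]
```

With intact media the Thursday failure loses 12.5 hours and the restore needs only the Sunday full, the Wednesday differential and the Thursday incremental; with the Sunday full damaged, the same failure falls back to the Saturday full and loses five and a half days.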

Coalescing into a Disaster Recovery Plan

As you design your disaster recovery plan, review the sections in this article as necessary. Remember that all operations require time, equipment, and personnel. Faster backup and restore operations always require a trade-off of expense and/or resilience. Modest lengthening of allowable RTOs and RPOs can result in major cost and effort savings. Make certain that the key members of your organization understand how all of these numbers will impact them and their operations during an outage.

If you need some help defining RTO and RPO in your organization, let me know in the comments section below and I will help you out!

Author: Eric Siron