Cloud with Azure 101

Hi,

In this article I would like to share the learning options available and how you can get Microsoft Azure cloud training.

Office 365 IT Pro Training https://mva.microsoft.com/en-US/training-courses/support-corner-accessing-azure-ad-portal-from-office-365-10634

Option 1: Microsoft Azure Free Training

Free Training: https://azure.microsoft.com/en-in/community/training/

Azure VMs Getting Started: https://azure.microsoft.com/en-us/community/training/courses/azure-vms-getting-started/

Azure Infrastructure Getting Started: https://azure.microsoft.com/en-us/community/training/courses/managing-infrastructure-microsoft-azure-getting-started/

Managing and Monitoring: https://www.pluralsight.com/courses/azure-iaas-monitoring-management-getting-started?twoid=54b2915b-fe06-488f-9d5d-c8a892d950eb

Microsoft Virtual Academy, a free learning platform

Azure Fundamentals: https://mva.microsoft.com/en-US/training-courses/microsoft-azure-fundamentals-8391

Azure AD: https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-azure-active-directory-16754

https://mva.microsoft.com/en-US/training-courses/azure-active-directory-core-skills-jump-start-8736

Azure Security Center: https://mva.microsoft.com/en-US/training-courses/introduction-to-azure-security-center-16614

https://mva.microsoft.com/en-US/training-courses/automating-the-cloud-with-azure-automation-8323

https://mva.microsoft.com/en-US/training-courses/deploying-linux-vms-on-microsoft-azure-8451

https://mva.microsoft.com/en-US/training-courses/azure-networking-fundamentals-for-it-pros-8917

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-storage-17237

Azure Infrastructure

https://mva.microsoft.com/en-US/training-courses/moving-to-hybrid-cloud-with-microsoft-azure-8372

https://mva.microsoft.com/en-US/training-courses/certification-exam-overview-70533-implementing-microsoft-azure-infrastructure-solutions-17405

https://mva.microsoft.com/en-US/training-courses/certification-exam-overview-70532-developing-microsoft-azure-solutions-17404

https://mva.microsoft.com/en-US/training-courses/certification-exam-overview-70534-architecting-microsoft-azure-solutions-17406

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-virtual-networking-16753

https://mva.microsoft.com/en-US/training-courses/building-microservices-applications-on-azure-service-fabric-16747

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-iaas-deep-dive-jump-start-8287

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-machine-learning-jump-start-8425

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-virtual-machines-16752

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-paas-cloud-services-17332

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-management-security-17254

https://mva.microsoft.com/en-US/training-courses/getting-started-with-azure-security-for-the-it-professional-11165

 

Microsoft product demo environment and hands-on experiences for partners

These tools can really be a powerful resource in helping you accelerate your sales of Microsoft products and services, but I know it can sometimes be confusing as to which tool to use for what situation and for what audience, so I wanted to provide some clarity around that.

Microsoft Demos (demos.microsoft.com)

Microsoft Demos is similar to CIE except where CIE is a scenario-based day-in-the-life script that focuses on real-world business use cases and showcases the whole Microsoft technology stack and integrated productivity solution, Microsoft Demos scripts are more product-centric and focus on showing the new features and functionality of a specific product or service.  Microsoft Demos contains deep dive demo scripts for things such as Administering Office 365, Administering SharePoint Online, Yammer, Visio Professional, Sway, Clutter, Office 365 Planner, OneNote, Advanced Threat Protection, Delve, eDiscovery, OneDrive for Business, Outlook, Project Professional, Project Online, Excel, PowerPoint, Word, Skype for Business, and more.

As with CIE, Microsoft Demos covers the Office suite of products, Dynamics CRM Online, and EMS.  The target audience for Microsoft Demos is mainly end users and technical/business decision makers, again very similar to CIE.  However, Microsoft Demos is primarily used for delivering demos, whereas CIE is used for delivering demos AND hands-on lab experiences.  In addition, the Microsoft Demos environment is delivered via a customized demo machine, whereas CIE can be delivered via customized demo machine or via RDS.

To access Microsoft Demos, go to http://demos.microsoft.com.  Click on the Microsoft Partner Login link, and provide the Microsoft Account (Live ID) credentials of an account that is associated with your MPN ID.  Once logged in, you will be able to create demo tenants and access the demo scripts.

Because CIE and Microsoft Demos offer similar environments for delivering Office Suite of Products based demos, I typically recommend that partners start with CIE, and then consider Microsoft Demos if you are looking to do those product-centric, deep dive demos around specific features and functionality.

CIE (Customer Immersion Experience)

The Microsoft Customer Immersion Experience (CIE) is a hands-on introduction to Microsoft’s suite of productivity tools, including the Office suite of products (Outlook, Skype, Yammer, SharePoint, etc.), Dynamics CRM Online, and Enterprise Mobility Suite (EMS).  A true-to-life user experience, CIE takes you through everyday business situations, such as working remotely, analyzing sales data and collaborating with coworkers, and lets you see how Microsoft products make it all easy, convenient and secure.  CIE can be used for 1:1 or 1:many demonstrations either in person or remotely via a web conference.  CIE can also be used to facilitate hands on lab experiences with your customers or prospects.

The target audience for CIE is Office suite end users, as well as an organization’s technical and business decision makers.  The environment can be delivered via customized demo machine, Remote Desktop Session (RDS), or as a hands-on lab environment with multiple machines configured with different demo personas.  Partners can access the CIE environment for free, but can also invest to become a qualified CIE facilitator.  Go to http://cie.brainstorminc.com to get more information on becoming a certified CIE Facilitator.  There are many benefits to becoming CIE qualified including the ability to check out Microsoft-owned CIE travelling kits that include devices for helping you deliver CIE hands-on sessions.

To access CIE, go to http://www.microsoftcie.com.  Click on the link to “Log In” as a Microsoft Partner, and provide the Microsoft Account (Live ID) credentials of an account that is associated with your MPN ID.  Once logged in, you will be able to create CIE tenants, access resources such as demo scripts and training videos, and schedule hands-on lab events.

CPI (Cloud Platform Immersion)

Microsoft Cloud Platform Immersion provides instructor-led hands-on labs on the latest cloud infrastructure and data platform technologies from Microsoft, so companies that are looking to adopt these technologies can experiment and learn how to work with Microsoft cloud products with step-by-step instructions in a real environment.  Unlike CIE and Microsoft Demos, which are mostly aimed at end users, the target audience for CPI is customer IT Professionals, DBAs, Developers, and technical decision makers.  CPI covers the Cloud Platform products including Azure, Windows Server, SQL Server, Enterprise Mobility Suite (EMS), Power BI, System Center, and Visual Studio.  CPI’s hands on lab environment is delivered exclusively via Remote Desktop Session (RDS).

CPI contains 4 tracks, so you can pick and choose what best fits your customer’s needs.  They are Transform the Datacenter, Empower Enterprise Mobility, Unlock Insights on any Data, and Enable Application Innovation.  Click the links to learn more about the stories, experiences, and technologies represented in each track, as well as the marketing materials to support driving interest in these experiences.

Partners can get access to the environment by going to http://www.microsoftimmersion.com and following these 3 training steps.

  1. Attend an Introduction to Immersion webinar.
  2. Request access to the self-paced training environment to familiarize yourself with the environment.
  3. Review the Immersion content facilitator training videos found in each of the Immersion track pages.

 

Take a look at the following matrix which nicely summarizes the differences between the 3 environments to assist you with finding the Microsoft demo tool and/or hands-on environment that best suits you and your customer’s needs.

[Image: matrix comparing the three environments]

 

Whether you use just 1 or all 3, I would highly encourage you to take advantage of these tools to help you land the business and technical value of Microsoft products and services, as well as help you accelerate sales.  Our research shows that partners that take advantage of these tools for demonstrating the solutions and/or giving their customers immersive hands-on experiences have the greatest success with selling Microsoft solutions.  They consistently have more sales, bigger deal sizes, and have customers with the highest usage of Microsoft products and services across the stack.

And although the primary intent of these tools is for you to deliver demonstrations and hands-on experiences to your customers and prospects, don’t forget that these tools can also be used as a fantastic training opportunity for your internal teams.  I hear from partners all the time who use these tools as an extremely effective technology training tool for their internal teams across technical, sales, and marketing roles.

For training and other hands-on labs, you can join Microsoft Hands-on Labs (https://www.microsoft.com/handsonlabs), and for IT Pro training you can join Microsoft Virtual Academy (http://mva.microsoft.com/). Both of these services are free, and any IT professional can take these hands-on labs and training. I hope this information helps you to increase your performance and skills.

Enabling Student Advantage for Office 365 Education clients

Any organization that has subscribed to Office 365 Education can register for Student Advantage through its partner or service provider.

A key requirement of getting your Office 365 licenses is to have a valid agreement covering all your staff. If you’re new to EES also make sure your reseller uses the Eduserv agreement to get the best pricing.

You need to ask your reseller for the Office 365 licenses to be added to your agreement; both for the free plan A2 (now known as E1) for Faculty \ Students as well as the (additional) Student Advantage licenses.

When renewing \ setting up your agreement make sure you fill in your primary contact details carefully. The activation email for your Office 365 accounts will go to the primary account contact unless you specify a separate licensing contact on the form.

You might need to do this if your agreement is ordered by someone outside of IT and they get put down as the primary contact. This is important as it can be difficult to track down those activation emails later on if they’ve gone to a user who isn’t expecting them.

ees contact info

 

Activating your licenses and checking VLSC

Once your EES agreement is processed you should see two things

  1. your licenses will appear in VLSC in the Agreement Summary
  2. you’ll receive an email (or two) to activate your Office 365 licenses

Sometimes the Office 365 licenses might take a week or two longer to come through compared to when your new EES agreement goes live. If you don’t see anything after 14 days it’s worth checking with your reseller \ Microsoft that everything has gone through OK.

To check VLSC log in with the nominated Microsoft account you use to manage your licenses then head to Licenses > License Summary

VLSC license summary

Then look down the list for the Office 365 licenses as highlighted below:

I've snipped this screenshot as we have a lot more licenses in the list!

 

So now you just need that activation email… although you might have already received it but not realised. You might initially think it would be branded from Office 365 but it’s a lot more subtle and could easily be mistaken as a confirmation email for your VLSC access. Watch out for the magic words Microsoft Online Services Team

Here’s what the subject line looks like in your inbox:

student advantage subject line

Now, you need to activate your license.

How institutions get Student Advantage

Let’s start with a recap of how you qualify. Any institution will need to meet some criteria:

  1. You must have an OVS-ES or EES volume licensing agreement.
  2. You must cover 100% of your faculty/staff for Office on that OVS/ES or EES agreement.

As long as you meet the criteria you’ll need to contact your licensing reseller after December 1st to order the Student Advantage licences. What happens next depends on which volume licence agreement you have.

OVS-ES Customers

Once you’ve placed your order with your reseller you’ll get sent a link to retrieve your keys from the Volume Licensing Service Centre (VLSC). Through here you’ll see your product keys and be able to access the redemption interface to enter your keys into your tenant.

After you’ve entered the keys you’ll have the licences available (note, the image below does not show the Student Advantage Office 365 ProPlus licences, it’s just for illustration):

Office 365 Admin Center

You can then follow the process for assigning these licences to your student users in the normal way; either via the admin centre, or Windows Remote PowerShell. These will be in addition to any other Office 365 licences a user may already have, such as Exchange Online Plan 1 or Office 365 Plan A2.

EES Customers

As with OVS-ES you’ll need to contact your reseller to order the licences. Once the order is processed an email will be sent to the Online Services Manager, Notices Contact, or the Primary Contact. This email will contain two links: one to sign in, and one to sign up.

Whoever is going to process this email needs to ensure they are fully signed out of any and all Microsoft Online Services (this includes Outlook.com, SkyDrive, Xbox Live, Office 365, etc.). This will avoid accidentally attempting to associate the licences to the wrong place. Given that you’ll already have a tenant with users in place you’ll need to click sign in and authenticate with your Office 365 administrative credentials.

This process provisions the licences to your tenant, and once completed you’ll be able to assign them to your users following whatever process you currently use.

Once an institution has allocated the Office 365 ProPlus licences that underpin the Student Advantage benefit students will not necessarily see anything different in their experience of Office 365. So, in the spirit of sharing, here are a couple of ideas for how to spread the word:

  • Send an email to all students informing them of the new software available to them.
  • Promote a link to the software through your student portal.
  • Put posters up around school / campus advertising the new software.
  • Use social media to communicate the new benefit.

The direct link, if you want to include it in communication, is: https://portal.microsoftonline.com/OLS/MySoftware.aspx but without the direct link, here’s what you need to know…

Students will need to sign into Office 365 with their credentials in the usual way, such as through your SSO portal, directly into OWA, etc. Once there, click on the little sprocket in the top right-hand corner, and select Office 365 settings from the menu.

Office 365 settings

This will take you to your main settings page, where you can see all sorts of interesting things, but in the context of Student Advantage and Office 365 ProPlus we’re only interested in the software link.

Office 365 settings page

Clicking the software link will take you to the page, below, where you can access your Office 365 ProPlus software!

[Image: Office 365 software page]

Simply select the appropriate language, and whether you want the 32-bit or 64-bit (click advanced to unlock that option) and then click install. Your Office 365 ProPlus experience will then begin.

If you’re running Mac OS X then this screen may look a little different to let you download Office for Mac 2011.

How do I get Student Advantage in Office 365 Education?

Office 365 ProPlus, which is the “proper name” for Student Advantage, is delivered through Office 365 Education. You might jump to the conclusion that in order to get it you must be using Office 365 Education for all of the other workloads that come with it, like Exchange Online, Lync Online or SharePoint Online. You’d be wrong.

Office 365 Education is a collection of many services:

  • Windows Azure Active Directory for identity
  • Exchange Online for email, calendaring, etc.
  • Lync Online for instant messaging, voice and video communication, etc.
  • SharePoint Online, SkyDrive Pro and Office Web Apps for document creation, storage and collaboration, etc.
  • Office 365 ProPlus for the full featured rich client experience of Office on the desktop and mobile devices.

The only required part of Office 365 Education is Windows Azure AD – that’s the bit that controls the user accounts and licensing. Without it, there’d be no service. Everything else is optional. You can pick and choose which services you take; many start with Exchange Online, adding in other services later. Some will start with just Office 365 ProPlus (under Student Advantage).

You don’t have to move away from your current email and collaboration services to pass on the Student Advantage benefit to your students! Although obviously, I think you should because the full Office 365 Education collection of services when run together is pretty awesome.

The easy way out

Student Advantage is a volume licensing benefit where students get Office 365 ProPlus at no additional cost, provided institutions meet the following criteria:

1. Institution has an EES agreement or an OVS-ES agreement

2. Licenses 100% of Faculty/Staff organization wide for Office (i.e. Office 365 ProPlus, Office 365 Education A3 or A4, or Office Professional Plus 2013)

3. Institution places an order for Student Advantage licenses through their reseller

Since various institutions order licenses for Office 365 for Education differently, we have produced a handy ordering and deployment guide for you, with details of how to assign your licenses to your Students.

So, if you are an existing Office 365 for Education customer (either through EES or directly through our web site) with single or multiple tenancies, or if you are a brand new Office 365 for Education customer, please take a look at this deployment guide and FAQ to find out more about how to get up and running quickly.

Google Gmail to Office 365 migration

If your organization is using Google Apps Gmail and you are considering migrating to Microsoft Office 365, this tutorial explains everything you need to know to complete the migration.

The following are the high-level steps that are covered in this tutorial:

  1. Active Office 365 subscription and create admin access
  2. Verify Your Domain in Office 365
  3. Create User Mailboxes and assign Office 365 License
  4. Create Migration Endpoints with Gmail IMAP
  5. Create List of Users for Migration Batch
  6. Create Migration Batch to Migrate Mailboxes
  7. Update DNS – Repoint MX Records to Microsoft

Once you sign up, you’ll create an account for yourself in Office 365. The first account that you create will be an admin account. Later you can change this account to a regular account and make some other account the admin account.

Note: The Office 365 migration document says that you should turn on 2-step verification on the Gmail side to do the migration. But this is not required. I have completed the migration of Gmail mailboxes to Office 365 without turning on 2-step verification on the Gmail side. It works without any issues. You don’t have to create an app password on the Google side for the Gmail migration. If you already have 2-step verification turned on and would like to use it, that is OK. But you don’t have to turn it on just to complete the migration, as it is not required.

For the migration, you can create all your mailboxes in Office 365 first and connect them to the corresponding Gmail mailboxes. Office 365 then keeps syncing the emails on an ongoing basis until you decide to make the final cut-over.

This way, you can migrate all your users’ mailboxes in the background while they are still sending and receiving email through Gmail, until the last minute when you decide to make the cut-over.

2. Verify Your Domain in Office 365

Login to Office 365 portal: http://portal.office.com

From here, click on the “Admin” tile on the home page. This will take you to the “Admin center” as shown below. It will say “Your office 365 setup is incomplete”. Click on “Go to setup” from here.

This will have the following three high-level steps inside:

  • Step 1: Select domain
  • Step 2: Add users
  • Step 3: Setup DNS

Please note that we can always stop in between at any step and continue later from where we left off. For example, we can complete step 1 and step 2 and perform the last step later.

Inside step 1, there are multiple sub-steps.

Add a domain: The first is to “Add a domain”. Click on the radio button that says “I already own a domain”, and type in your domain name. Click on next.

Verify domain: Now you have to verify to Microsoft that you really own this domain name. To do this, you have two options. The wizard automatically figures out where the domain is registered. In this case, Office 365 knows that the domain I entered is registered with GoDaddy. So, I have the following two options:

  • Sign in to GoDaddy: If I choose this option, it will redirect to the GoDaddy webpage, and I just have to sign in using my GoDaddy credentials. This will confirm to Microsoft that I own this domain.
  • Verify TXT record: If I can’t use the above option, then I can manually add the TXT value given by Microsoft to my domain name. If you choose this option, it will give you a TXT name, TXT value, and TTL. Enter these on your domain record. Once that is done, come back here, and click on “Verify”. The following is an example TXT record given by Microsoft. I just have to enter this on my domain.

TXT name: @
TXT value: MS=ms1234567
TTL: 3600

At this stage, come out of this wizard, and we’ll bulk upload the users from a different menu option.

3. Create User Mailboxes and assign Office 365 License

Before you create users, make sure you have purchased the appropriate license for these users. For example, if you are creating 10 users, first get the license for the 10 users. You can also create the users and assign the license later. But, if you are doing bulk upload, it is better to assign the license at this stage, as it is easier.

To purchase the license, from the “Admin center”, click on “Billing” on the right panel -> Click on “Subscription” -> From here, click on “Add/remove license” -> then select the total number of license you want to purchase. Please note that, you also have the option to purchase month-to-month license (instead of annual commitment).

From the “Admin center”, click on “Users” on the right panel -> Click on “Active Users” -> From here, click on the “More” button, which will give you “Import Multiple Users” option.

Note: If you just have only few users and like to create them one-by-one, just click on “Add a user” from the above screen and enter the values manually.

Create an Excel file (it’s really a CSV file). The first line is the header row and must have the following columns in exactly this order: 1) User Name 2) First Name 3) Last Name 4) Display Name 5) Job Title 6) Department 7) Office Number 8) Office Phone 9) Mobile Phone 10) Fax 11) Address 12) City 13) State or Province 14) ZIP or Postal Code 15) Country or Region

From the 2nd line onward, enter the details of one user per line. For example, if you want to create 10 users in Office 365, this Excel file will have 11 lines. The 1st line is the above header line, and the next 10 lines will be for the users.

Note: The “User Name” column will contain the email address. For example, this will be ramesh@example.com

Note: When you click on “Import Multiple Users”, it will give you an option to download a sample excel sheet, which you can use as a baseline to add your users.

Office 365 Create and Upload File

Once you have the excel with the list of usernames, from the following “Create and upload file” screen, click on “Browse”, and select the excel file. After this click on “Verify”, which will tell you whether the format in the excel file is correct or not. Once the verification is done, it will say “File looks good”. Click on “Next”.

Office 365 Import Multiple Users

Now, for these users, you have to set the options. For example, you’ll have to assign the product license for these users from this page. You can also not assign a license to the user by selecting the “Create users without product license” as shown below. If you choose this, you’ll have to assign the license later manually. Click on “Next”, which will create these users and display the results.

4. Create Migration Endpoints with Gmail IMAP

Now that we have created the users in office 365, next step is to create “Migration Endpoints” in 365, which will connect to gmail and migrate the emails from gmail to 365.

From the “Admin center” -> Click on “Admin centers” link at the bottom of the left panel -> Click on “Exchange” from here as shown below. This will take you to the exchange admin center.

From the “Exchange admin center” -> click on “recipients” from the left panel as shown below.

From here, click on the “migration” link located on the top bar (the last option here) as shown below.

From here, click on the “…” the last option, which will show “migration endpoints” as shown below. From here, you can create the migration endpoints.

Office 365 Exchange Migration Menu

In the migration endpoints screen, click on the “+” icon to create new migration endpoints.

This will give the following three choices. Select “IMAP” from here.

  • Exchange Remote
  • Outlook Anywhere
  • IMAP (select this)

Enter the following values for gmail migration.

  • IMAP server: imap.gmail.com
  • Authentication: Basic
  • Encryption: SSL
  • Port: 993

Click on “Next”, and enter a name for this “Migration endpoint”. In this example, I named it as RN-test-migration.

Leave these two fields empty. Don’t enter any values for these: 1) Maximum concurrent migrations 2) Maximum concurrent incremental sync.

Once you’ve created a migration endpoint, it will look like the following:

Office 365 Test Migration Endpoint

5. Create List of Users for Migration Batch

Next, we have to create a list of users to migrate in an excel file (it’s really a CSV file). Please note that this excel is different than the one we used for creating new users in Office 365.

This excel will be used only for migrating mailboxes from gmail to office 365 for the users that we’ve already created in office 365.

The 1st line of this excel file will be a header line with the following three values:

  • EmailAddress
  • UserName
  • Password

Starting from the 2nd line, enter the list of mailboxes that need to be migrated.

Note: The Password field should contain the Gmail password for the corresponding mailbox that we are migrating. The following is an example file:

Office 365 Migration CSV File
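A pre-flight check for the two CSV files described in steps 3 and 5, as an added example that is not part of the original tutorial: it verifies both header rows, confirms that every mailbox in the migration batch was created in the user import file, and tests that the batch file (which holds plaintext Gmail passwords) is readable only by its owner. It assumes the EmailAddress column holds the Office 365 mailbox and UserName the Gmail sign-in name; the function names and all sample rows other than ramesh@example.com are constructed for illustration.

```python
import csv
import io
import os
import stat

# Header rows exactly as the tutorial lists them (order matters).
USER_IMPORT_HEADER = [
    "User Name", "First Name", "Last Name", "Display Name", "Job Title",
    "Department", "Office Number", "Office Phone", "Mobile Phone", "Fax",
    "Address", "City", "State or Province", "ZIP or Postal Code",
    "Country or Region",
]
MIGRATION_HEADER = ["EmailAddress", "UserName", "Password"]


def _rows(text):
    """Parse CSV text and drop completely blank rows."""
    return [r for r in csv.reader(io.StringIO(text)) if any(c.strip() for c in r)]


def check_user_import(text):
    """Validate the bulk user file; return (created user names, problems)."""
    rows, users, problems = _rows(text), set(), []
    if not rows or [c.strip() for c in rows[0]] != USER_IMPORT_HEADER:
        return users, ["user import: header must be the 15 columns in the listed order"]
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(USER_IMPORT_HEADER):
            problems.append(f"user import row {n}: expected 15 fields, got {len(row)}")
            continue
        name = row[0].strip().lower()
        local, _, domain = name.partition("@")
        if not local or not domain or "@" in domain:
            problems.append(f"user import row {n}: User Name is not an email address")
        elif name in users:
            problems.append(f"user import row {n}: duplicate user {name}")
        else:
            users.add(name)
    return users, problems


def check_migration_batch(text, created_users):
    """Validate the migration batch file against the users created in step 3.

    Problem messages never include the Password value, so the report can be
    shared or logged without leaking credentials.
    """
    rows, seen, problems = _rows(text), set(), []
    if not rows or [c.strip() for c in rows[0]] != MIGRATION_HEADER:
        return ["migration batch: header must be EmailAddress,UserName,Password"]
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(MIGRATION_HEADER):
            problems.append(f"migration batch row {n}: expected 3 fields, got {len(row)}")
            continue
        mailbox, source_login, password = (c.strip() for c in row)
        key = mailbox.lower()
        if key not in created_users:
            problems.append(f"migration batch row {n}: {mailbox} has no matching user in the import file")
        if key in seen:
            problems.append(f"migration batch row {n}: duplicate mailbox {mailbox}")
        seen.add(key)
        if not source_login:
            problems.append(f"migration batch row {n}: empty UserName for {mailbox}")
        if not password:
            problems.append(f"migration batch row {n}: empty Password for {mailbox}")
    return problems


def is_private(path):
    """True if no group or other permission bits are set (POSIX file modes)."""
    return (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def _sample_user(user_name, first, last):
    # 4 filled columns plus 11 empty ones = the 15 required fields.
    return ",".join([user_name, first, last, f"{first} {last}"] + [""] * 11)


# Constructed sample files (not real accounts or passwords).
SAMPLE_USERS = "\n".join([
    ",".join(USER_IMPORT_HEADER),
    _sample_user("ramesh@example.com", "Ramesh", "N"),
    _sample_user("asha@example.com", "Asha", "K"),
]) + "\n"
SAMPLE_BATCH = (
    "EmailAddress,UserName,Password\n"
    "ramesh@example.com,ramesh@example.com,constructed-pw-1\n"
    "asha@example.com,asha@example.com,\n"
    "john@example.com,john@example.com,constructed-pw-3\n"
)

if __name__ == "__main__":
    created, import_problems = check_user_import(SAMPLE_USERS)
    for line in import_problems + check_migration_batch(SAMPLE_BATCH, created):
        print(line)
```

Run `is_private()` on the real batch file before uploading it, and delete the file once the migration batch has been created.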

6. Create Migration Batch to Migrate Mailboxes

From “Exchange Admin Center” -> Recipients -> Migration -> Click on the first “+” icon, and click on “Migrate to Exchange Online” as shown below.

Office 365 Migrate to Exchange Online

From here, you can create a new “Migration Batch”. This will display the following 4 options. Select the “IMAP Migration” from here.

  • Remote move migration (Supported by Exchange server 2010 and later versions)
  • Staged migration (supported by Exchange Server 2003 and 2007 only)
  • Cutover migration (Supported by Exchange server 2003 and later versions)
  • IMAP migration (supported by Exchange and other email systems) — Select This!

Next, in the “Select the Users” screen, click on “browse” and select the CSV file that we created in the previous step with the username and password for each Gmail account that we would like to migrate. Click on “Next”.

This will display the IMAP migration configuration. This will display the IMAP configuration values that we already entered. This should display the following: 1) IMAP server: imap.gmail.com 2) Authentication: Basic 3) Encryption: SSL 4) Port: 993

Click on “Next” and enter the Migration Batch name. In this example, I entered “rn-migration” as the name for this migration batch. Click on “New”, which will create this migration batch and start migrating the email automatically. You’ll see the status of this migration batch as shown below. Initially the status will be “Queued”, and will change to “Syncing” as shown below. Once it is done, it will say “Synced”.

Office 365 Migration Batch

While the emails are being migrated, click on “View details”, which will display how many emails have been migrated so far for each mailbox.

7. Update DNS – Repoint MX Records to Microsoft

You are at the last stage. So far you’ve created all the mailboxes in Office 365, and migrated all mailboxes from Gmail to Office 365. Now it is time to point your MX record in DNS from Gmail to Office 365.

To do this, from the “Admin Center” -> click on “Settings” on the left panel -> Click on “Domains” as shown below. Click on your domain name. This will say “Setup in progress”. You might also see another line here, which will say “Setup completed”. For example, if your domain name is example.com:

  • example.com (Default) – Setup in progress
  • example.onmicrosoft.com – Setup completed

Office 365 Domains

Click on the default example.com, this will display “Setup your online services” screen with the following two options:

  • Add records for me – This option will connect to your DNS domain (For example, godaddy) and update the MX records automatically.
  • I’ll manage my own DNS records – This option will give you a list of DNS entries (MX record values) that you’ll need to add manually at your domain registrar.

Click on the 2nd option, to see what MX records you should be adding on your DNS. In this example, it shows the following three records: MX, TXT and CNAME. Please note that for your domain, the MX record value will be different.

Office 365 DNS MX Records

Once you update your DNS with the above values, you’ll start receiving new emails in Office 365.

Check out this video for a better understanding: https://www.youtube.com/watch?v=r6jBYRaQdME

DLP in SharePoint an Overview

To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or national ID numbers. With a data loss prevention (DLP) policy in SharePoint Server 2016, you can identify, monitor, and automatically protect sensitive information across your site collections.

With DLP, you can:

  • Create a DLP query to identify what sensitive information now exists in your site collections. Before you create DLP policies, it’s often helpful to see what types of sensitive information people in your organization are working with, and which site collections contain this sensitive information. With a DLP query, you can find sensitive information that’s subject to common industry regulations, better understand your risks, and determine what and where is the sensitive information that your DLP policies need to protect.
  • Create a DLP policy to monitor and automatically protect sensitive information in your site collections. For example, you can set up a policy that displays a policy tip to users if they save documents that contain personally identifiable information. Further, the policy can automatically block access to those documents for everyone but the site owner, content owner, and whoever last modified the document. And lastly, because you don’t want your DLP policies to prevent people from getting their work done, the policy tip has an option to override the blocking action, so that people can continue to work with documents if they have a business justification.

DLP templates

When you create a DLP query or a DLP policy, you can choose from a list of DLP templates that correspond to common regulatory requirements. Each DLP template identifies specific types of sensitive information – for example, the template named U.S. Personally Identifiable Information (PII) Data identifies content that contains U.S. and U.K. passport numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), or U.S. Social Security Numbers (SSN).

DLP policy templates

Sensitive information types

A DLP policy helps protect sensitive information, which is defined as a sensitive information type. SharePoint Server 2016 includes definitions for many common sensitive information types that are ready for you to use, such as a credit card number, bank account numbers, national ID numbers, and passport numbers.

When a DLP policy looks for a sensitive information type such as a credit card number, it does not simply look for a 16-digit number. Each sensitive information type is defined and detected by using a combination of:

  • Keywords
  • Internal functions to validate checksums or composition
  • Evaluation of regular expressions to find pattern matches
  • Other content examination

This helps DLP detection achieve a high degree of accuracy while reducing the number of false positives that can interrupt peoples’ work.

Each DLP template looks for one or more types of sensitive information. For more information on how each sensitive information type works, see What the sensitive information types in SharePoint Server 2016 look for.

This DLP template… looks for these sensitive information types…

  • U.S. Personally Identifiable Information (PII) Data:
    • U.S. / U.K. Passport Number
    • U.S. Individual Taxpayer Identification Number (ITIN)
    • U.S. Social Security Number (SSN)
  • U.S. Gramm-Leach-Bliley Act (GLBA):
    • Credit Card Number
    • U.S. Bank Account Number
    • U.S. Individual Taxpayer Identification Number (ITIN)
    • U.S. Social Security Number (SSN)
  • PCI Data Security Standard (PCI DSS):
    • Credit Card Number
  • U.K. Financial Data:
    • Credit Card Number
    • EU Debit Card Number
    • SWIFT Code
  • U.S. Financial Data:
    • ABA Routing Number
    • Credit Card Number
    • U.S. Bank Account Number
  • U.K. Personally Identifiable Information (PII) Data:
    • U.K. National Insurance Number (NINO)
    • U.S. / U.K. Passport Number
  • U.K. Data Protection Act:
    • SWIFT Code
    • U.K. National Insurance Number (NINO)
    • U.S. / U.K. Passport Number
  • U.K. Privacy and Electronic Communications Regulations:
    • SWIFT Code
  • U.S. State Social Security Number Confidentiality Laws:
    • U.S. Social Security Number (SSN)
  • U.S. State Breach Notification Laws:
    • Credit Card Number
    • U.S. Bank Account Number
    • U.S. Driver’s License Number
    • U.S. Social Security Number (SSN)

DLP queries

Before you create your DLP policies, you might want to see what sensitive information already exists across your site collections. To do this, you create and run DLP queries in the eDiscovery Center.

Create DLP Query button

A DLP query works the same as an eDiscovery query. Based on which DLP template you choose, the DLP query is configured to search for specific types of sensitive information. First choose the locations you want to search, and then you can fine tune the query because it supports Keyword Query Language (KQL). In addition, you can narrow down the query by selecting a date range, specific authors, SharePoint property values, or locations. And just like an eDiscovery query, you can preview, export, and download the query results.

DLP query containing sensitive information types

DLP policies

A DLP policy helps you identify, monitor, and automatically protect sensitive information that’s subject to common industry regulations. You choose what types of sensitive information to protect, and what actions to take when content containing such sensitive information is detected. A DLP policy can notify the compliance officer by sending an incident report, notify the user with a policy tip on the site, and optionally block access to the document for everyone but the site owner, content owner, and whoever last modified the document. Finally, the policy tip has an option to override the blocking action, so that people can continue to work with documents if they have a business justification or need to report a false positive.

You create and manage DLP policies in the Compliance Policy Center. Creating a DLP policy is a two-step process: first you create the DLP policy, and then you assign the policy to a site collection.

Compliance Policy Center

Step 1: Creating a DLP policy

When you create a DLP policy, you choose a DLP template that looks for the types of sensitive information that you need to identify, monitor, and automatically protect.

New DLP Policy page

When a DLP policy finds content that includes the minimum number of instances of a specific type of sensitive information that you choose – for example, five credit card numbers, or a single social security number – then the DLP policy can automatically protect the sensitive information by taking the following actions:

  • Sending an incident report to the people you choose (such as your compliance officer) with details of the event. This report includes details about the detected content such as the title, document owner, and what sensitive information was detected. To send incident reports, you need to configure outgoing e-mail settings in Central Administration.
  • Notifying the user with a policy tip when documents that contain sensitive information are saved or edited. The policy tip explains why that document conflicts with a DLP policy, so that people can take remedial action, such as removing the sensitive information from the document. When the document is in compliance, the policy tip disappears.
  • Blocking access to the content for everyone except the site owner, document owner, and person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is in compliance, the original permissions will be automatically restored. It’s important to understand that the policy tip gives people the option to override the blocking action. Policy tips can thus help educate users about your DLP policies and enforce them without preventing people from doing their work.

    Policy tip showing blocked access to document

Step 2: Assigning a DLP policy

After you create a DLP policy, you need to assign it to one or more site collections, where it can begin to help protect sensitive information in those locations. A single policy can be assigned to many site collections, but each assignment needs to be created one at a time.

Policy assignments for site collections

Policy tips

You want people in your organization who work with sensitive information to stay compliant with your DLP policies, but you don’t want to block them unnecessarily from getting their work done. This is where policy tips can help.

A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policy — for example, content like an Excel workbook that contains personally identifiable information (PII) and that’s saved to a site.

You can use policy tips to increase awareness and help educate people about your organization’s policies. Policy tips also give people the option to override the policy, so that they’re not blocked if they have a valid business need or if the policy is detecting a false positive.

Viewing or overriding a policy tip

To take action on a document, such as overriding the DLP policy or reporting a false positive, you can select the Open … menu for the item > View policy tip.

The policy tip lists the issues with the content, and you can choose Resolve, and then Override the policy tip or Report a false positive.

Policy tip for a document

Overriding a policy tip

Details about how policy tips work

Note that it’s possible for content to match more than one DLP policy, but only the policy tip from the most restrictive, highest-priority policy will be shown. For example, a policy tip from a DLP policy that blocks access to content will be shown over a policy tip from a rule that simply notifies the user. This prevents people from seeing a cascade of policy tips. Also, if the policy tips in the most restrictive policy allow people to override the policy, then overriding this policy also overrides any other policies that the content matched.

DLP policies are synced to sites and content is evaluated against them periodically and asynchronously (see the next section), so there may be a short delay between the time you create the DLP policy and the time you begin to see policy tips.

How DLP policies work

DLP detects sensitive information by using deep content analysis (not just a simple text scan). This deep content analysis uses keyword matches, the evaluation of regular expressions, internal functions, and other methods to detect content that matches your DLP policies. Potentially only a small percentage of your data is considered sensitive. A DLP policy can identify, monitor, and automatically protect just that data, without impeding or affecting people who work with the rest of your content.

After you create a DLP policy in the Compliance Policy Center, it’s stored as a policy definition in that site. Then, as you assign the policy to different site collections, the policy is synced to those locations, where it starts to evaluate content and enforce actions like sending incident reports, showing policy tips, and blocking access.

Policy evaluation in sites

Across all of your site collections, documents are constantly changing — they’re continually being created, edited, shared, and so on. This means documents can conflict or become compliant with a DLP policy at any time. For example, a person can upload a document that contains no sensitive information to their team site, but later, a different person can edit the same document and add sensitive information to it.

For this reason, DLP policies check documents for policy matches frequently in the background. You can think of this as asynchronous policy evaluation.

Here’s how it works. As people add or change documents in their sites, the search engine scans the content, so that you can search for it later. While this is happening, the content’s also scanned for sensitive information. Any sensitive information that’s found is stored securely in the search index, so that only the compliance team can access it, but not typical users. Each DLP policy that you’ve turned on runs in the background (asynchronously), checking search frequently for any content that matches a policy, and applying actions to protect it from inadvertent leaks.

Diagram showing how DLP policy evaluates content asynchronously

Finally, documents can conflict with a DLP policy, but they can also become compliant with a DLP policy. For example, if a person adds credit card numbers to a document, it might cause a DLP policy to block access to the document automatically. But if the person later removes the sensitive information, the action (in this case, blocking) is automatically undone the next time the document is evaluated against the policy.

DLP evaluates any content that can be indexed. For more information on what file types are crawled by default, see Default crawled file name extensions and parsed file types.

View DLP events in the usage logs

You can view DLP policy activity in the usage logs on the server running SharePoint Server 2016. For example, you can view the text entered by users when they override a policy tip or report a false positive.

First you need to turn on the option in Central Administration (Monitoring > Configure usage and health data collection > Simple Log Event Usage Data_SPUnifiedAuditEntry). For more information about usage logging, see Configure usage and health data collection.

Option to turn on DLP usage logs

After you turn on this feature, you can open the usage reports on the server and view the justifications provided by users for overriding a DLP policy tip, along with other DLP events.

Reason for user override in usage log

Before you get started with DLP

This topic outlines some of the features that DLP depends on. These include:

  • To detect and classify sensitive information in your site collections, start the search service and define a crawl schedule for your content.
  • Turn on outgoing email.
  • To view user overrides and other DLP events, turn on the usage report.
  • Create the site collections:
    • For DLP queries, create the eDiscovery Center site collection.
    • For DLP policies, create the Compliance Policy Center site collection.
  • Create a security group for your compliance team, and then add the security group to the Owners group in the eDiscovery Center or Compliance Policy Center.
  • To run DLP queries, view permissions are required for all content that the query will search – for more information, see Create a DLP query in SharePoint Server 2016.

More information

Data Loss Prevention (DLP) implementation in Office 365 – Part 2

What the DLP policy templates include

Data loss prevention (DLP) in the Office 365 Security & Compliance Center includes ready-to-use policy templates that address common compliance requirements, such as helping you to protect sensitive information subject to the U.S. Health Insurance Act (HIPAA), U.S. Gramm-Leach-Bliley Act (GLBA), or U.S. Patriot Act. This topic lists all of the policy templates, what types of sensitive information they look for, and what the default conditions and actions are. This topic does not include every detail of how each policy template is configured; instead, the topic presents you with enough information to help you decide which template is the best starting point for your scenario. Remember, you can customize these policy templates to meet your specific requirements.

PCI Data Security Standard (PCI DSS)

  • Rule name: PCI DSS: Scan content shared outside – low count
    • Conditions (including sensitive information types):
      • Content contains sensitive information: Credit Card Number, Min count 1, Max count 9
      • Content is shared with: People outside my organization
    • Actions:
      • Send a notification
  • Rule name: PCI DSS: Scan content shared outside – high count
    • Conditions (including sensitive information types):
      • Content contains sensitive information: Credit Card Number, Min count 10, Max count any
      • Content is shared with: People outside my organization
    • Actions:
      • Block access to content
      • Send a notification, with these options: Allow override, Require business justification
      • Send incident report

For more details on what each DLP policy template includes, visit here.

View the reports for data loss prevention

After you create your data loss prevention (DLP) policies, you’ll want to verify that they’re working as you intended and helping you to stay compliant. With the DLP reports in Office 365, you can quickly view the number of DLP policy matches, overrides, or false positives; see whether they’re trending up or down over time; filter the report in different ways; and view additional details by selecting a point on a line on the graph.

You can use the DLP reports to:

  • Focus on specific time periods and understand the reasons for spikes and trends.
  • Discover business processes that violate your organization’s DLP policies.
  • Understand any business impact of the DLP policies.
  • View the justifications submitted by users when they resolve a policy tip by overriding the policy or reporting a false positive.
  • Verify compliance with a specific DLP policy by showing any matches for that policy.
  • View a list of files with sensitive data that matches your DLP policies in the details pane.

In addition, you can use the DLP reports to fine tune your DLP policies as you run them in test mode.

DLP report showing policy matches

View the DLP reports

  1. Go to the Office 365 admin center.
  2. Navigate to Admin centers > Security & Compliance. You’re now in the Office 365 Security & Compliance Center.
  3. Navigate to Reports > View reports. Under Data loss prevention (DLP), go to either DLP policy and rule matches or DLP false positives and overrides.

    Reports page in the Office 365 Security & Compliance Center

  4. You can filter the reports by date, location, and policy or rule.

    DLP report showing options to filter

  5. If you choose the DLP policy and rule matches report, select a point on a line on the graph to view details about matches.

    The details pane appears below the graph. Here you can view:

    • The specific rule and action that matched the content.
    • The file name and path of content that matched the rule.
    • Who last modified the content.
    • What types and count of sensitive information were detected.

    Note: A match is logged only the first time a file matches a rule. But if you edit a rule in a DLP policy, a newer version of the rule is created, so another match will be logged if the file matches the new version of the rule.

    DLP report with details pane below the chart

  6. If you choose the DLP false positives and overrides report, select a point on a line on the graph to view details about overrides or false positives.

    The details pane appears below the graph. Here you can view:

    • The specific rule that matched the content.
    • The file name and path of content that matched the rule.
    • Who last modified the content.
    • What types and count of sensitive information were detected.
    • The justifications submitted by users when they resolved a policy tip.

    DLP false positives and overrides report showing user justification text

Find the cmdlets for the DLP reports

To use most of the cmdlets for the Security & Compliance Center, you need to:

  1. Connect to the Office 365 Security & Compliance Center using remote PowerShell
  2. Use any of these Office 365 Security & Compliance Center cmdlets

However, DLP reports need to pull data from across Office 365, including Exchange Online. For this reason, the cmdlets for the DLP reports are available in Exchange Online PowerShell, not in Security & Compliance Center PowerShell. Therefore, to use the cmdlets for the DLP reports, you need to:

  1. Connect to Exchange Online using remote PowerShell
  2. Use any of these cmdlets for the DLP reports:

Send email notifications and show policy tips for DLP policies

You can use a data loss prevention (DLP) policy to identify, monitor, and protect sensitive information across Office 365. You want people in your organization who work with this sensitive information to stay compliant with your DLP policies, but you don’t want to block them unnecessarily from getting their work done. This is where email notifications and policy tips can help.

Message bar shows policy tip in Excel 2016

A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policy—for example, content like an Excel workbook on a OneDrive for Business site that contains personally identifiable information (PII) and is shared with an external user.

You can use email notifications and policy tips to increase awareness and help educate people about your organization’s policies. You can also give people the option to override the policy, so that they’re not blocked if they have a valid business need or if the policy is detecting a false positive.

In the Office 365 Security & Compliance Center, when you create a DLP policy, you can configure the user notifications to:

  • Send an email notification to the people you choose that describes the issue.
  • Display a policy tip for content that conflicts with the DLP policy:
    • For email in Outlook on the web and Outlook 2013 and later, the policy tip appears at the top of a message above the recipients while the message is being composed.
    • For documents in a OneDrive for Business account or SharePoint Online site, the policy tip is indicated by a warning icon that appears on the item. To view more information, you can select an item and then choose Information (the information pane icon) in the upper-right corner of the page to open the details pane.
    • For Excel 2016, PowerPoint 2016, and Word 2016 documents that are stored on a OneDrive for Business site or SharePoint Online site that’s included in the DLP policy, the policy tip appears on the Message Bar and the Backstage view (File menu > Info).

Add user notifications to a DLP policy

When you create a DLP policy, both email notifications and policy tips are part of the User notifications section.

  1. Go to https://protection.office.com.
  2. Sign in to Office 365 using your work or school account. You’re now in the Office 365 Security & Compliance Center.
  3. In the Security & Compliance Center > left navigation > Data loss prevention > Policy > + Create a policy.

    Create a policy button

  4. Choose the DLP policy template that protects the types of sensitive information that you need > Next.

    To start with an empty template, choose Custom > Custom policy > Next.

  5. Name the policy > Next.
  6. To choose the locations that you want the DLP policy to protect, do one of the following:
    • Choose All locations in Office 365 > Next.
    • Choose Let me choose specific locations > Next.

      To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the Status of that location on or off.

      To include only specific SharePoint sites or OneDrive accounts, switch the Status to on, and then click the links under Include to choose specific sites or accounts.

  7. Choose Use advanced settings > Next.
  8. Choose + New rule.
  9. In the rule editor, under User notifications, switch the status on.

    User notifications section of rule editor

Options for configuring email notifications

For each rule in a DLP policy, you can:

  • Send the notification to the people you choose. These people can include the owner of the content, the person who last modified the content, the owner of the site where the content is stored, or a specific user.
  • Customize the text that’s included in the notification by using HTML or tokens. See the section below for more information.

Notes:

  • Email notifications can be sent only to individual recipients—not groups or distribution lists.
  • Only new content will trigger an email notification. Editing existing content will trigger policy tips but not an email notification.

Email notification options

Default email notification

Notifications have a Subject line that begins with the action taken, such as “Notification”, “Message Blocked” for email, or “Access Blocked” for documents. If the notification is about a document, the notification message body includes a link that takes you to the site where the document’s stored and opens the policy tip for the document, where you can resolve any issues (see the section below about policy tips). If the notification is about a message, the notification includes as an attachment the message that matches a DLP policy.

Notification message

By default, notifications display text similar to the following for an item on a site. The notification text is configured separately for each rule, so the text that’s displayed differs depending on which rule is matched.

  • If the DLP policy rule sends a notification but doesn’t allow override:
    • The default notification for SharePoint or OneDrive for Business documents says: This item conflicts with a policy in your organization.
    • The default notification for Outlook messages says: Your email message conflicts with a policy in your organization.
  • If the DLP policy rule blocks access, sends a notification, and allows override:
    • The default notification for SharePoint or OneDrive for Business documents says: This item conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked.
    • The default notification for Outlook messages says: Your email message conflicts with a policy in your organization. The message wasn’t delivered to all recipients.
  • If the DLP policy rule blocks access and sends a notification:
    • The default notification for SharePoint or OneDrive for Business documents says: This item conflicts with a policy in your organization. Access to this item is blocked for everyone except its owner, last modifier, and the primary site collection administrator.
    • The default notification for Outlook messages says: Your email message conflicts with a policy in your organization. The message wasn’t delivered to all recipients.

Custom email notification

You can create a custom email notification instead of sending the default email notification to your end users or admins. The custom email notification supports HTML and has a 5,000-character limit. You can use HTML to include images, formatting, and other branding in the notification.

You can also use the following tokens to help customize the email notification. These tokens are variables that are replaced by specific information in the notification that’s sent.

Each token is listed with its description:

  • %%AppliedActions%%: The actions applied to the content.
  • %%ContentURL%%: The URL of the document on the SharePoint Online site or OneDrive for Business site.
  • %%MatchedConditions%%: The conditions that were matched by the content. Use this token to inform people of possible issues with the content.

Notification message showing where tokens appear

Options for configuring policy tips

For each rule in a DLP policy, you can configure policy tips to:

  • Simply notify the person that the content conflicts with a DLP policy, so that they can take action to resolve the conflict. You can use the default text (see the tables below) or enter custom text about your organization’s specific policies.
  • Allow the person to override the DLP policy. Optionally, you can:
    • Require the person to enter a business justification for overriding the policy. This information is logged and you can view it in the DLP reports in the Reports section of the Security & Compliance Center.
    • Allow the person to report a false positive and override the DLP policy. This information is also logged for reporting, so that you can use false positives to fine tune your rules.

Policy tip options

For example, you may have a DLP policy applied to OneDrive for Business sites that detects personally identifiable information (PII), and this policy has three rules:

  1. First rule: If fewer than five instances of this sensitive information are detected in a document, and the document is shared with people inside the organization, the Send a notification action displays a policy tip. For policy tips, no override options are necessary because this rule is simply notifying people and not blocking access.
  2. Second rule: If greater than five instances of this sensitive information are detected in a document, and the document is shared with people inside the organization, the Block access to content action restricts the permissions for the file, and the Send a notification action allows people to override the actions in this rule by providing a business justification. Your organization’s business sometimes requires internal people to share PII data, and you don’t want your DLP policy to block this work.
  3. Third rule: If greater than five instances of this sensitive information are detected in a document, and the document is shared with people outside the organization, the Block access to content action restricts the permissions for the file, and the Send a notification action does not allow people to override the actions in this rule because the information is shared externally. Under no circumstances should people in your organization be allowed to share PII data outside the organization.

Here are some fine points to understand about using a policy tip to override a rule:

  • The option to override is per rule, and it overrides all of the actions in the rule (except sending a notification, which can’t be overridden).
  • It’s possible for content to match several rules in a DLP policy, but only the policy tip from the most restrictive, highest-priority rule will be shown. For example, a policy tip from a rule that blocks access to content will be shown over a policy tip from a rule that simply sends a notification. This prevents people from seeing a cascade of policy tips.
  • If the policy tips in the most restrictive rule allow people to override the rule, then overriding this rule also overrides any other rules that the content matched.
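The three-rule policy and the override fine points above, modelled as an added Python example (not Microsoft's implementation). Rule names, the priority numbering and the overlapping fourth rule in OVERLAP_POLICY are assumptions; the thresholds follow the page's wording, under which exactly five instances matches none of the three rules.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str                 # hypothetical rule name
    priority: int             # assumption: lower number = higher priority
    min_count: int
    max_count: Optional[int]  # None means no upper bound
    audience: str             # "internal" or "external"
    block: bool               # rule uses "Block access to content"
    allow_override: bool      # policy tip offers an override with justification

    def matches(self, count, audience):
        in_range = count >= self.min_count and (
            self.max_count is None or count <= self.max_count)
        return in_range and audience == self.audience

    def restrictiveness(self):
        # block without override > block with override > notify only
        if self.block:
            return 1 if self.allow_override else 2
        return 0


# The three rules as the page words them: "fewer than five" is 1..4 and
# "greater than five" is 6 and up, so a count of exactly five matches none.
PII_POLICY = [
    Rule("notify-internal-low", 1, 1, 4, "internal", block=False, allow_override=False),
    Rule("block-internal-high", 2, 6, None, "internal", block=True, allow_override=True),
    Rule("block-external-high", 3, 6, None, "external", block=True, allow_override=False),
]

# Constructed overlap: a notify-only rule that also matches high internal
# counts, to exercise "only the most restrictive policy tip is shown".
OVERLAP_POLICY = PII_POLICY + [
    Rule("notify-internal-any", 0, 1, None, "internal", block=False, allow_override=False),
]


def evaluate(rules, count, audience, justification=None):
    """Return which tip is shown and whether access ends up blocked."""
    matched = [r for r in rules if r.matches(count, audience)]
    if not matched:
        return {"matched": [], "tip_from": None, "blocked": False,
                "notified": False, "overridden": False}
    # One tip only: most restrictive rule first, then highest priority.
    top = min(matched, key=lambda r: (-r.restrictiveness(), r.priority))
    has_reason = bool(justification and justification.strip())
    # Overriding the most restrictive rule overrides every other matched rule;
    # if that rule has no override option, the justification is ignored.
    overridden = top.allow_override and has_reason
    return {
        "matched": [r.name for r in matched],
        "tip_from": top.name,
        "blocked": top.block and not overridden,
        "notified": True,  # sending a notification cannot be overridden
        "overridden": overridden,
    }


if __name__ == "__main__":
    for count, audience, reason in [(3, "internal", None), (8, "internal", None),
                                    (8, "internal", "Payroll audit"),
                                    (8, "external", "Payroll audit"), (5, "internal", None)]:
        print(count, audience, reason, evaluate(PII_POLICY, count, audience, reason))
```
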

Policy tips on OneDrive for Business sites and SharePoint Online sites

When a document on a OneDrive for Business site or SharePoint Online site matches a rule in a DLP policy, and that rule uses policy tips, the policy tips display special icons on the document:

  1. If the rule sends a notification about the file, the warning icon appears.
  2. If the rule blocks access to the document, the blocked icon appears.

Policy tip icons on documents in a OneDrive account

To take action on a document, you can select an item > choose Information (the information pane icon) in the upper-right corner of the page to open the details pane > View policy tip.

The policy tip lists the issues with the content, and if the policy tips are configured with these options, you can choose Resolve, and then Override the policy tip or Report a false positive.

Information pane showing policy tip

Policy tip with option to override

DLP policies are synced to sites and content is evaluated against them periodically and asynchronously, so there may be a short delay between the time you create the DLP policy and the time you begin to see policy tips. There may be a similar delay from when you resolve or override a policy tip to when the icon on the document on the site goes away.

Default text for policy tips on sites

By default, policy tips display text similar to the following for an item on a site. The notification text is configured separately for each rule, so the text that’s displayed differs depending on which rule is matched.

If the DLP policy rule does this, then the default policy tip says this:

  • Sends a notification but doesn’t allow override: This item conflicts with a policy in your organization.
  • Blocks access, sends a notification, and allows override: This item conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked.
  • Blocks access and sends a notification: This item conflicts with a policy in your organization. Access to this item is blocked for everyone except its owner, last modifier, and the primary site collection administrator.

Custom text for policy tips on sites

You can customize the text for policy tips separately from the email notification. Unlike custom text for email notifications (see above section), custom text for policy tips does not accept HTML or tokens. Instead, custom text for policy tips is plain text only with a 256-character limit.

Policy tips in Outlook on the web and Outlook 2013 and later

When you compose a new email in Outlook on the web and Outlook 2013 and later, you’ll see a policy tip if you add content that matches a rule in a DLP policy, and that rule uses policy tips. The policy tip appears at the top of the message, above the recipients, while the message is being composed.

Policy tip at the top of a message being composed

Policy tips work whether the sensitive information appears in the message body, subject line, or even a message attachment as shown here.

Policy tip showing that an attachment conflicts with a DLP policy

If the policy tips are configured to allow override, you can choose Show Details > Override > enter a business justification or report a false positive > Override.

Policy tip in message expanded to show Override option

Policy tip dialog where you can override the policy tip

Note that when you add sensitive information to an email, there may be latency between when the sensitive information is added and when the policy tip appears.

Policy tips in the Exchange Admin Center vs. the Office 365 Security & Compliance Center

Policy tips can work either with DLP policies and mail flow rules created in the Exchange Admin Center, or with DLP policies created in the Office 365 Security & Compliance Center, but not both. This is because these policies are stored in different locations, but policy tips can draw only from a single location.

If you’ve configured policy tips in the Exchange Admin Center, any policy tips that you configure in the Office 365 Security & Compliance Center won’t appear to users in Outlook on the web and Outlook 2013 and later until you turn off the tips in the Exchange Admin Center. This ensures that your current Exchange transport rules will continue to work until you choose to switch over to the Office 365 Security & Compliance Center.

Note that while policy tips can draw only from a single location, email notifications are always sent, even if you’re using DLP policies in both the Office 365 Security & Compliance Center and the Exchange Admin Center.

Default text for policy tips in email

By default, policy tips display text similar to the following for email.

| If the DLP policy rule does this… | Then the default policy tip says this… |
| --- | --- |
| Sends a notification but doesn’t allow override | Your email conflicts with a policy in your organization. |
| Blocks access, sends a notification, and allows override | Your email conflicts with a policy in your organization. |
| Blocks access and sends a notification | Your email conflicts with a policy in your organization. |

Policy tips in Excel 2016, PowerPoint 2016, and Word 2016

When people work with sensitive content in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016, policy tips can notify them in real time that the content conflicts with a DLP policy. This requires that:

  • The Office document is stored on a OneDrive for Business site or SharePoint Online site.
  • The site is included in a DLP policy that’s configured to use policy tips.

These Office 2016 desktop programs automatically sync DLP policies directly from Office 365, and then scan your documents to ensure that they don’t conflict with your DLP policies and display policy tips in real time.

Depending on how you configure the policy tips in the DLP policy, people can choose to simply ignore the policy tip, override the policy with or without a business justification, or report a false positive.

Policy tips appear on the Message Bar.

Message bar shows policy tip in Excel 2016

And policy tips also appear in the Backstage view (on the File tab).

Backstage shows policy tip in Excel 2016

If policy tips in the DLP policy are configured with these options, you can choose Resolve to Override a policy tip or Report a false positive.

Options on policy tip in Backstage in Excel 2016

In each of these Office 2016 desktop programs, people can choose to turn off policy tips. If turned off, policy tips that are simple notifications will not appear on the Message Bar or Backstage view (on the File tab). However, policy tips about blocking and overriding will still appear, and they will still receive the email notification. In addition, turning off policy tips does not exempt the document from any DLP policies that have been applied to it.

Default text for policy tips in Excel 2016, PowerPoint 2016, and Word 2016

By default, policy tips display text similar to the following on the Message Bar and Backstage view of an open document. The notification text is configured separately for each rule, so the text that’s displayed differs depending on which rule is matched.

| If the DLP policy rule does this… | Then the default policy tip says this… |
| --- | --- |
| Sends a notification but doesn’t allow override | This file conflicts with a policy in your organization. Go to the File menu for more information. |
| Blocks access, sends a notification, and allows override | This file conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked. Go to the File menu for more information. |
| Blocks access and sends a notification | This file conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked. Go to the File menu for more information. |

Custom text for policy tips in Excel 2016, PowerPoint 2016, and Word 2016

You can customize the text for policy tips separately from the email notification. Unlike custom text for email notifications (see above section), custom text for policy tips does not accept HTML or tokens. Instead, custom text for policy tips is plain text only with a 256-character limit.

Data Loss Prevention (DLP) implementation in Office 365 – Part 1

What is Data Loss Prevention (DLP)?

Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission.

Adoption of DLP is being driven by insider threats and by more rigorous state privacy laws, many of which have stringent data protection or access components. In addition to being able to monitor and control endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.

DLP products may also be referred to as data leak prevention, information loss prevention or extrusion prevention products.

Data loss prevention software detects potential data breaches and data exfiltration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). In data leakage incidents, sensitive data is disclosed to unauthorized parties by either malicious intent or an inadvertent mistake. Sensitive data includes private or company information, intellectual property (IP), financial or patient information, credit-card data and other information.

The terms “data loss” and “data leak” are related and are often used interchangeably.[1] Data loss incidents turn into data leak incidents in cases where media containing sensitive information is lost and subsequently acquired by an unauthorized party. However, a data leak is possible without losing the data on the originating side. Other terms associated with data leakage prevention are information leak detection and prevention (ILDP), information leak prevention (ILP), content monitoring and filtering (CMF), information protection and control (IPC) and extrusion prevention system (EPS), as opposed to intrusion prevention system.

Overview of data loss prevention policies

To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy in the Office 365 Security & Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365.

With a DLP policy, you can:

  • Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business.

    For example, you can identify any document containing a credit card number that’s stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.

  • Prevent the accidental sharing of sensitive information.

    For example, you can identify any document or email containing a health record that’s shared with people outside your organization, and then automatically block access to that document or block the email from being sent.

  • Monitor and protect sensitive information in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016.

    Just like in Exchange Online, SharePoint Online, and OneDrive for Business, these Office 2016 desktop programs include the same capabilities to identify sensitive information and apply DLP policies. DLP provides continuous monitoring when people share content in these Office 2016 programs.

  • Help users learn how to stay compliant without interrupting their workflow.

    You can educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification. The same policy tips also appear in Outlook on the web, Outlook 2013 and later, Excel 2016, PowerPoint 2016, and Word 2016.

  • View DLP reports showing content that matches your organization’s DLP policies.

    To assess how your organization is complying with a DLP policy, you can see how many matches each policy and rule has over time. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what users have reported.

You create and manage DLP policies on the Data loss prevention page in the Office 365 Security & Compliance Center.

Data loss prevention page in the Office 365 Security & Compliance Center

What a DLP policy contains

A DLP policy contains a few basic things:

  • Where to protect the content – locations such as Exchange Online, SharePoint Online, and OneDrive for Business sites.
  • When and how to protect the content by enforcing rules comprised of:
    • Conditions the content must match before the rule is enforced — for example, look only for content containing Social Security numbers that have been shared with people outside your organization.
    • Actions that you want the rule to take automatically when content matching the conditions is found — for example, block access to the document and send both the user and compliance officer an email notification.

You can use a rule to meet a specific protection requirement, and then use a DLP policy to group together common protection requirements, such as all of the rules needed to comply with a specific regulation.

For example, you might have a DLP policy that helps you detect the presence of information subject to the Health Insurance Portability and Accountability Act (HIPAA). This DLP policy could help protect HIPAA data (the what) across all SharePoint Online sites and all OneDrive for Business sites (the where) by finding any document containing this sensitive information that’s shared with people outside your organization (the conditions) and then blocking access to the document and sending a notification (the actions). These requirements are stored as individual rules and grouped together as a DLP policy to simplify management and reporting.

Diagram shows DLP policy contains locations and rules

Locations

A DLP policy can find and protect sensitive information across Office 365, whether that information is located in Exchange Online, SharePoint Online, or OneDrive for Business. You can easily choose to protect all sites or mailboxes, or just specific ones.

Options for locations where a DLP policy can be applied

Rules

Rules are what enforce your business requirements on the information stored by your organization. A policy contains one or more rules, and each rule consists of conditions and actions. For each rule, when the conditions are met, the actions are taken automatically. Rules are executed sequentially, starting with the highest-priority rule in each policy.

A rule also provides options to notify users (with policy tips and email notifications) and admins (with email incident reports) that content has matched the rule.

Here are the components of a rule, each explained below.

Sections of the DLP rule editor

Conditions

Conditions are important because they determine what types of information you’re looking for, and when to take an action. For example, you might choose to ignore content containing passport numbers unless the content contains more than ten such numbers and is shared with people outside your organization.

Conditions focus on the content, such as what types of sensitive information you’re looking for, and also on the context, such as who the document is shared with. You can use conditions to assign different actions to different risk levels — for example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.

List showing available DLP conditions

The conditions now available can determine if:

  • Content contains any of the 81 built-in types of sensitive information.
  • Content is shared with people outside or inside your organization.

Types of sensitive information

A DLP policy can help protect sensitive information, which is defined as a sensitive information type. Office 365 includes definitions for many common sensitive information types across many different regions that are ready for you to use, such as a credit card number, bank account numbers, national ID numbers, and passport numbers.

List of available sensitive information types

When a DLP policy looks for a sensitive information type such as a credit card number, it doesn’t simply look for a 16-digit number. Each sensitive information type is defined and detected by using a combination of:

  • Keywords
  • Internal functions to validate checksums or composition
  • Evaluation of regular expressions to find pattern matches
  • Other content examination

This helps DLP detection achieve a high degree of accuracy while reducing the number of false positives that can interrupt peoples’ work.
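The combination described above can be sketched for the credit card case as an added example (not Microsoft's detection code): a pattern match, a Luhn checksum, and a keyword search near the match that raises the confidence, feeding the instance count and confidence level a rule compares against. The keyword list, the 60-character proximity window and the 85/65 confidence values are assumptions of this sketch, and the sample texts are constructed.

```python
import re

# Pattern match: 16 digits, optionally grouped in fours by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

# Supporting evidence (assumed keyword list for this sketch).
KEYWORDS = ("credit card", "card number", "visa", "mastercard",
            "expiry", "expires", "cvv")
PROXIMITY = 60        # characters searched on each side of a match (assumed)
HIGH, LOW = 85, 65    # confidence with / without a nearby keyword (assumed)


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return one finding per checksum-valid candidate in the text."""
    findings = []
    lowered = text.lower()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            continue            # looks like a card number but fails validation
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        has_keyword = any(k in window for k in KEYWORDS)
        findings.append({
            "masked": "*" * 12 + digits[-4:],   # never keep the full number
            "confidence": HIGH if has_keyword else LOW,
        })
    return findings


def rule_matches(text, min_count=1, min_confidence=HIGH):
    """Apply an instance-count and confidence threshold, as a rule would."""
    hits = [f for f in find_card_numbers(text)
            if f["confidence"] >= min_confidence]
    return len(hits) >= min_count


# Constructed sample texts (4111 1111 1111 1111 is a well-known test number).
SAMPLES = [
    "Please charge my Visa, card number 4111 1111 1111 1111, expires 09/27.",
    "Order tracking id 1234 5678 9012 3456 shipped",   # 16 digits, bad checksum
    "Ref 4111-1111-1111-1111 in the ledger",           # valid, no keyword nearby
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(find_card_numbers(sample), rule_matches(sample), sep="  ->  ")
```

The second sample is the false positive that a plain 16-digit pattern would raise, and the third shows why a rule set to a high confidence level ignores a valid number that has no supporting keyword.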

Actions

When content matches a condition in a rule, you can apply actions to automatically protect the document or content.

List of available DLP actions

With the actions now available, you can:

  • Restrict access to the content. For site content, this means that permissions for the document are restricted for everyone except the primary site collection administrator, document owner, and person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is in compliance, the original permissions will be automatically restored. When access to a document is blocked, the document appears with a special policy tip icon in the library on the site.

    Policy tip showing access to document is blocked

    For email content, this action blocks the message from being sent. Depending on how the DLP rule is configured, the sender will see an NDR or (if the rule uses a notification) a policy tip and/or email notification.

    Warning that unauthorized recipients must be removed from the message

User notifications and user overrides

You can use notifications and overrides to educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification.

User notifications and user overrides sections of DLP rule editor

The email can notify the person who sent, shared, or last modified the content and, for site content, the primary site collection administrator and document owner. In addition, you can add or remove whomever you choose from the email notification.

In addition to sending an email notification, a user notification displays a policy tip:

  • In Outlook 2013 and later and Outlook on the web.
  • For the document on a SharePoint Online or OneDrive for Business site.
  • In Excel 2016, PowerPoint 2016, and Word 2016, when the document is stored on a site included in a DLP policy.

The email notification and policy tip explain why content conflicts with a DLP policy. If you choose, the email notification and policy tip can allow users to override a rule by reporting a false positive or providing a business justification. This can help you educate users about your DLP policies and enforce them without preventing people from doing their work. Information about overrides and false positives is also logged for reporting (see below about the DLP reports) and included in the incident reports (next section), so that the compliance officer can regularly review this information.

Here’s what a policy tip looks like in a OneDrive for Business account.

Policy tip for a document in a OneDrive account

Incident reports

When a rule is matched, you can send an incident report to your compliance officer (or any people you choose) with details of the event. This report includes information about the item that was matched, the actual content that matched the rule, and the name of the person who last modified the content. For email messages, the report also includes as an attachment the original message that matches a DLP policy.

Page for configuring incident reports

Simple settings vs. advanced settings

When you create a DLP policy, you’ll choose between simple or advanced settings:

  • Simple settings make it easy to create the most common type of DLP policy without using the rule editor to create or modify rules.
  • Advanced settings use the rule editor to give you complete control over every setting for your DLP policy.

Don’t worry, under the covers, simple settings and advanced settings work exactly the same, by enforcing rules comprised of conditions and actions — only with simple settings, you don’t see the rule editor. It’s a quick way to create a DLP policy.

Simple settings

By far, the most common DLP scenario is creating a policy to help protect content containing sensitive information from being shared with people outside your organization, and taking an automatic remedial action such as restricting who can access the content, sending end-user or admin notifications, and auditing the event for later investigation. People use DLP to help prevent the inadvertent disclosure of sensitive information.

To simplify achieving this goal, when you create a DLP policy, you can choose Use simple settings. These settings provide everything you need to implement the most common DLP policy, without having to go into the rule editor.

DLP options for simple and advanced settings

Advanced settings

If you need to create more customized DLP policies, you can choose Use advanced settings.

The advanced settings present you with the rule editor, where you have full control over every possible option, including the instance count and match accuracy (confidence level) for each rule.

To jump to a section quickly, click an item in the top navigation of the rule editor to go to that section below.

Top navigation menu of DLP rule editor

DLP policy templates

The first step in creating a DLP policy is choosing what information to protect. By starting with a DLP template, you save the work of building a new set of rules from scratch, and figuring out which types of information should be included by default. You can then add to or modify these requirements to fine tune the rule to meet your organization’s specific requirements.

A preconfigured DLP policy template can help you detect specific types of sensitive information, such as HIPAA data, PCI-DSS data, Gramm-Leach-Bliley Act data, or even locale-specific personally identifiable information (PII). To make it easy for you to find and protect common types of sensitive information, the policy templates included in Office 365 already contain the most common sensitive information types necessary for you to get started.

List of templates for data loss prevention policies with focus on template for U.S. Patriot Act

Your organization may also have its own specific requirements, in which case you can create a DLP policy from scratch by choosing the Custom policy option. A custom policy is empty and contains no premade rules.

Roll out DLP policies gradually with test mode

When you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before fully enforcing them. For example, you don’t want a new DLP policy to unintentionally block access to thousands of documents that people require access to in order to get their work done.

If you’re creating DLP policies with a large potential impact, we recommend following this sequence:

  1. Start in test mode without Policy Tips and then use the DLP reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine tune the rules as needed. In test mode, DLP policies will not impact the productivity of people working in your organization.
  2. Move to Test mode with notifications and Policy Tips so that you can begin to teach users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can also ask users to report false positives so that you can further refine the rules.
  3. Start full enforcement on the policies so that the actions in the rules are applied and the content’s protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.

Options for using test mode and turning on policy

You can turn off a DLP policy at any time, which affects all rules in the policy. However, each rule can also be turned off individually by toggling its status in the rule editor.

Options for turning off a rule in a policy
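To make the rollout sequence concrete, here is an added model (not Office 365 code) of one policy evaluated under the three stages, using the passport-number condition from the Conditions section. The mode labels, the convention that priority 0 is highest, the rule that any matching block action blocks the item, and the sample items are all assumptions of this sketch.

```python
from dataclasses import dataclass, field

# Rollout stages from the sequence above (labels are this sketch's own).
TEST_SILENT = "test_without_policy_tips"
TEST_NOTIFY = "test_with_policy_tips"
ENFORCE = "enforce"


@dataclass
class Rule:
    name: str
    priority: int          # assumption: 0 is the highest priority
    info_type: str         # sensitive information type in the condition
    min_count: int         # minimum instance count
    scope: str             # "external" or "internal" sharing
    block: bool = False    # action: restrict access / block the message
    notify: bool = False   # user notification (email and policy tip)
    enabled: bool = True   # a rule can be turned off individually

    def matches(self, item):
        return (self.enabled
                and item["counts"].get(self.info_type, 0) >= self.min_count
                and item["shared"] == self.scope)


@dataclass
class Policy:
    name: str
    mode: str
    rules: list = field(default_factory=list)

    def evaluate(self, item):
        """Return what happens to one item under the policy's current mode."""
        ordered = sorted(self.rules, key=lambda r: r.priority)
        matched = [r for r in ordered if r.matches(item)]
        wants_block = any(r.block for r in matched)
        wants_tip = any(r.notify for r in matched)
        return {
            "item": item["name"],
            "matched": [r.name for r in matched],   # recorded in every mode
            "would_block": wants_block,
            "blocked": wants_block and self.mode == ENFORCE,
            "tip_shown": wants_tip and self.mode != TEST_SILENT,
        }


def impact_report(policy, items):
    """Summarise matches the way you would read a DLP report before enforcing."""
    results = [policy.evaluate(i) for i in items]
    return {
        "matches": sum(1 for r in results if r["matched"]),
        "would_block": sum(1 for r in results if r["would_block"]),
        "blocked": sum(1 for r in results if r["blocked"]),
        "tips": sum(1 for r in results if r["tip_shown"]),
    }


def build_policy(mode, external_rule_enabled=True):
    """Passport policy: more than ten numbers, split by who the item is shared with."""
    return Policy("Passport data", mode, [
        Rule("External bulk passports", 0, "passport", 11, "external",
             block=True, notify=True, enabled=external_rule_enabled),
        Rule("Internal bulk passports", 1, "passport", 11, "internal",
             notify=True),
    ])


# Constructed sample items: counts are per sensitive information type.
SAMPLE_ITEMS = [
    {"name": "travel-list.docx", "counts": {"passport": 12}, "shared": "external"},
    {"name": "visa-form.xlsx", "counts": {"passport": 3}, "shared": "external"},
    {"name": "hr-archive.docx", "counts": {"passport": 15}, "shared": "internal"},
    {"name": "notes.txt", "counts": {}, "shared": "external"},
]

if __name__ == "__main__":
    for mode in (TEST_SILENT, TEST_NOTIFY, ENFORCE):
        print(mode, impact_report(build_policy(mode), SAMPLE_ITEMS))
```

The match and would-block counts are identical in all three modes; only the user-visible effects change, which is what lets you size the impact of a policy before enforcing it.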

DLP reports

After you create and turn on your DLP policies, you’ll want to verify that they’re working as you intended and helping you stay compliant. With DLP reports, you can quickly view the number of DLP policy and rule matches over time, and the number of false positives and overrides. For each report, you can filter those matches by location, time frame, and even narrow it down to a specific policy, rule, or action.

With the DLP reports, you can get business insights and:

  • Focus on specific time periods and understand the reasons for spikes and trends.
  • Discover business processes that violate your organization’s compliance policies.
  • Understand any business impact of the DLP policies.

In addition, you can use the DLP reports to fine tune your DLP policies as you run them.

Reports Dashboard in Security and Compliance Center

How DLP policies work

DLP detects sensitive information by using deep content analysis (not just a simple text scan). This deep content analysis uses keyword matches, dictionary matches, the evaluation of regular expressions, internal functions, and other methods to detect content that matches your DLP policies. Potentially only a small percentage of your data is considered sensitive. A DLP policy can identify, monitor, and automatically protect just that data, without impeding or affecting people who work with the rest of your content.

Policies are synced

After you create a DLP policy in the Security & Compliance Center, it’s stored in a central policy store, and then synced to the various content sources, including:

  • Exchange Online, and from there to Outlook on the web and Outlook 2013 and later
  • OneDrive for Business sites
  • SharePoint Online sites
  • Office 2016 desktop programs (Excel 2016, PowerPoint 2016, and Word 2016)

After the policy’s synced to the right locations, it starts to evaluate content and enforce actions.

Policy evaluation in OneDrive for Business and SharePoint Online sites

Across all of your SharePoint Online sites and OneDrive for Business sites, documents are constantly changing — they’re continually being created, edited, shared, and so on. This means documents can conflict or become compliant with a DLP policy at any time. For example, a person can upload a document that contains no sensitive information to their team site, but later, a different person can edit the same document and add sensitive information to it.

For this reason, DLP policies check documents for policy matches frequently in the background. You can think of this as asynchronous policy evaluation.

Here’s how it works. As people add or change documents in their sites, the search engine scans the content, so that you can search for it later. While this is happening, the content’s also scanned for sensitive information and to check if it’s shared. Any sensitive information that’s found is stored securely in the search index, so that only the compliance team can access it, but not typical users. Each DLP policy that you’ve turned on runs in the background (asynchronously), checking search frequently for any content that matches a policy, and applying actions to protect it from inadvertent leaks.

Diagram showing how DLP policy evaluates content asynchronously

Finally, documents can conflict with a DLP policy, but they can also become compliant with a DLP policy. For example, if a person adds credit card numbers to a document, it might cause a DLP policy to block access to the document automatically. But if the person later removes the sensitive information, the action (in this case, blocking) is automatically undone the next time the document is evaluated against the policy.

DLP evaluates any content that can be indexed. For more information on what file types are crawled by default, see Default crawled file name extensions and parsed file types in SharePoint Server 2013.

Policy evaluation in Exchange Online, Outlook 2013 and later, and Outlook on the web

When you create a DLP policy that includes Exchange Online as a location, the policy’s synced from the Office 365 Security & Compliance Center to Exchange Online, and then from Exchange Online to Outlook on the web and Outlook 2013 and later.

When a message is being composed in Outlook, the user can see policy tips as the content being created is evaluated against DLP policies. And after a message is sent, it’s evaluated against DLP policies as a normal part of mail flow, along with Exchange transport rules and DLP policies created in the Exchange Admin Center (see the next section for more info). DLP policies scan both the message and any attachments.

Policy evaluation in the Office 2016 desktop programs

Excel 2016, PowerPoint 2016, and Word 2016 include the same capability to identify sensitive information and apply DLP policies as SharePoint Online and OneDrive for Business. These Office 2016 programs sync their DLP policies directly from the central policy store, and then continuously evaluate the content against the DLP policies when people work with documents opened from a site that’s included in a DLP policy.

DLP policy evaluation in Office 2016 is designed not to affect the performance of the programs or the productivity of people working on content. If they’re working on a large document, or the user’s computer is busy, it might take a few seconds for a policy tip to appear.

How DLP in the Office 365 Security & Compliance Center works with DLP and transport rules in the Exchange Admin Center

After you create a DLP policy in the Office 365 Security & Compliance Center, the policy is deployed to all of the locations included in the policy. If the policy includes Exchange Online, the policy’s synced there and enforced in exactly the same way as a DLP policy created in the Exchange admin center.

If you’ve created DLP policies in the Exchange admin center, those policies will continue to work side by side with any policies for email that you create in the Office 365 Security & Compliance Center. But note that rules created in the Exchange admin center take precedence. All Exchange transport rules are processed first, and then the DLP rules from the Office 365 Security & Compliance Center are processed.

This means that:

  • Messages that are blocked by Exchange transport rules won’t get scanned by DLP rules created in the Office 365 Security & Compliance Center.
  • If an Exchange transport rule modifies a message in a way that causes it to match a DLP policy in the Office 365 Security & Compliance Center – such as adding external users – then the DLP rules will detect this and enforce the policy as needed.

Also note that Exchange transport rules that use the “stop processing” action don’t affect the processing of DLP rules in the Office 365 Security & Compliance Center – they’ll still be processed.

Policy tips in the Exchange Admin Center vs. the Office 365 Security & Compliance Center

Policy tips can work either with DLP policies and mail flow rules created in the Exchange Admin Center, or with DLP policies created in the Office 365 Security & Compliance Center, but not both. This is because these policies are stored in different locations, but policy tips can draw only from a single location.

If you’ve configured policy tips in the Exchange Admin Center, any policy tips that you configure in the Office 365 Security & Compliance Center won’t appear to users in Outlook on the web and Outlook 2013 and later until you turn off the tips in the Exchange Admin Center. This ensures that your current Exchange transport rules will continue to work until you choose to switch over to the Office 365 Security & Compliance Center.

Note that while policy tips can draw only from a single location, email notifications are always sent, even if you’re using DLP policies in both the Office 365 Security & Compliance Center and the Exchange Admin Center.

Permissions

Members of your compliance team who will create DLP policies need permissions to the Security & Compliance Center. By default, your tenant admin will have access to this location and can give compliance officers and other people access to the Security & Compliance Center, without giving them all of the permissions of a tenant admin. To do this, we recommend that you:

  1. Create a group in Office 365 and add compliance officers to it.
  2. Create a role group on the Permissions page of the Security & Compliance Center.
  3. Add the Office 365 group to the role group.

Skype for Business Audio and Video Troubleshooting

If you’re a Skype for Business user and encounter an audio or video issue during a meeting or a collaboration, this troubleshooting guide might help you resolve the issue. I hope this will save your day and effort.

Troubleshoot Skype for Business video issues

Other participants can’t see my video:

  • In the Skype for Business main window, go to Tools > Video Device Settings. You’ll see what your camera sees in the window.

    Video device settings

    Notes:

    • If you have more than one webcam, all should appear in the drop-down list.

If the camera doesn’t appear in the list:

  1. Is your camera plugged in?
    If you’re using an external instead of a built-in webcam, make sure that it’s plugged in and turned on. If it’s connected to your computer by USB, try plugging it into a different USB slot. If you’re using a USB hub, try plugging the camera directly into a USB slot on your computer instead—and try disconnecting other USB devices.
  2. Is your webcam installed correctly?
    Check that your camera is listed and enabled in Device Manager, even if you’re using the computer’s built-in camera.

    To open the Device Manager

    • In Windows 10 and Windows 8 desktop, tap the Windows logo key (Start) and type Device Manager in the search box. If necessary, choose the administrative tool from the results.
    • In Windows 7, choose the Windows logo key (Start) > Control Panel. In the View by browse control items, choose Category.

      Choose Hardware and Sound, and then under Devices and Printers, choose Device Manager.

Under Imaging devices, check that your camera is listed.

List of imaging devices

If it’s listed, make sure it’s enabled. If you see a Disable option, then the camera is enabled. If you don’t, right-click and choose Enable.
If it isn’t listed, or if there’s a question mark or exclamation mark, you’ll need to reinstall the camera. You can find the latest drivers for your camera on the Internet by searching for the camera model on Bing.

If the camera shows up in the list but doesn’t show a preview:

  1. Is another application using your webcam?
    Close any applications that might be using your webcam, including video editing software, virtual camera software, instant messengers and Internet browsers. If your webcam has a light to show when it’s in use and you see it when you’re not in a call, then some other application is using your camera.
  2. Check camera privacy settings.
    Some cameras have a “Privacy” setting.

    Video device camera settings

    Choose Camera Settings and disable the setting.

    If you only see a solid black frame in video preview, your camera might have a physical privacy shutter. Open the shutter to enable the video.

Video quality is poor:

If video quality is poor—meaning that call participants can see each other’s video feed but the picture is too dark, blurred, or pixelated, or the picture freezes—the following tips might help:

    • Check your connection
      If the video freezes, looks block-like, or has motion blur, it might be your Internet connection (or another participant’s Internet connection) causing the problem. If Skype for Business detects a weak connection, it’ll reduce the quality to try and stop the call from dropping altogether. Review our guide to solve your connection issues.
    • Improve the lighting conditions
      A well-lit room can make a big difference to the video quality of your calls. If the room is too dark, your webcam will try to amplify the signal to make the picture brighter, which reduces the video quality. Also, if you have a window or a bright light source behind you, your face will appear dark and featureless to the other participant. For best results, make sure there’s enough ambient light, and avoid backlighting.
    • Check your camera settings
      In the Skype for Business main window, go to Tools > Video Device settings. You’ll see what your camera sees in the window. Choose Camera Settings to access the settings of the used webcam. We recommend using the default settings to let the camera automatically adapt to the lighting conditions. It might be necessary, however, to manually change some settings. For example, the anti-flicker setting might not be set correctly for the 50 Hz (hertz) or 60 Hz wall power setting in your area.
    • Upgrade your camera
      Built-in cameras in older laptops and tablets might not produce the best results. You might want to invest in a newer webcam. Most external webcams work with Skype for Business, but the best experience is guaranteed by using a Skype for Business Certified webcam listed in the catalog. If you’re already using an external camera and you’re having problems with video, try plugging it into a different USB port.

I can’t see video from other participants:

  • Choose the Participant icon. Next to the participants sending video, there’s a blue camera icon.

    Number of participants in video call

    If an icon is shaded (meaning it’s unavailable), that participant can’t send video. Or if two vertical bars are shown, then there is video capability but the participant isn’t using it.

    Note:  If an audio only call is started, all camera icons are shaded—meaning they’re unavailable—until one participant starts sending video.

    Legend showing status of connected participants by chat box, microphone, camera, or screen

    If you can’t see video from a specific participant, then it’s likely the problem isn’t yours. Recommend this troubleshooting guide to the participant.

My video is moving around:

Skype for Business is trying to keep you in the center of the sent video with the Crop and center my video in meetings feature that, by default, is turned on. If you want to disable this functionality, go to Tools > Video Device settings, and clear the Crop and center my video in meetings check box.

Video device settings, Crop and center my video in meetings check box

Troubleshoot Skype for Business audio issues

Solve speaker or headphone issues

If you can’t hear the other participant at all, or can’t hear them very well, there might be something wrong with your playback device (speakers or headphones) or settings.

I can’t hear the other participants:

If you can’t hear anything from the other participants, the problem is either with one of their microphones, or with your playback device.

  • Make sure the correct device is selected.
    Watch this short video for the detailed instructions about how to check your audio and video settings, or follow the steps below.
  1. On the lower-left side of the Skype for Business main window, choose Audio Device Settings.
  2. If you want to use different devices for audio input and output, choose Custom Device. This selection opens separate drop-down menus for Speaker and Microphone.
  3. In the Speakers drop-down list, choose the playback device you want to use. If you only have your computer’s built-in speakers, you’ll see one option in the drop-down list. If you’re using headphones or external speakers, make sure you choose the correct option.
  4. Choose the play icon to test your speakers.

    Customized settings--speaker, microphone, ringer--for audio device

  • Make a test call.

    Note: This feature is not yet available for Skype for Business Online users.

    • On the lower-left side of the Skype for Business main window, choose Check Call Quality.

      Check call quality for custom device

      If you can hear the voice on the test call, then your audio is working fine. The problem might be with a participant’s connection or microphone. If you can, ask the participant whom you can’t hear to review this guide to solve microphone issues.

      If you can’t hear the voice on the test call, continue with these steps to check your audio settings in Skype for Business.

  • Check your Windows settings.
    Make sure the speaker volume isn’t muted and is high enough for you to hear it.

    • Choose the loudspeaker icon at the bottom-right of the screen to adjust the volume.

      Focus on Windows speakers icon that is shown on the taskbar

      The volume slider control is for the system default playback device. If you have multiple playback devices, Skype for Business might be using a different one. To change the volume for other devices, right-click the loudspeaker icon and choose Playback devices. Right-click the device Skype for Business uses and choose Properties. Then on the Levels tab, use the slider control to adjust the volume.

      If these steps haven’t helped, you might have a problem with your Windows audio settings. Microsoft has a tool to automatically diagnose and fix audio problems.

I can’t hear the other participants very well:

If the audio quality is poor—meaning that you can hear the other participant but their voice sounds muffled, or echoes, or drops in and out—the following tips can help.

  • Check your playback device.
    If the other participant sounds quiet, you might need to turn up your speaker volume.

    • Choose the loudspeaker icon at the bottom-right of the screen to adjust the volume.

      Focus on Windows speakers icon that is shown on the taskbar

      The volume slider control is for the system default playback device. If you have multiple playback devices, Skype for Business might be using a different one. To change the volume for other devices, right-click the loudspeaker icon (shown above) and choose Playback devices. Right-click the device Skype uses, choose Properties, and then on the Levels tab, use the slider control to adjust the volume.

  • Check in-client volume control.
    • On the lower-left side of the Skype for Business main window, click Audio Device Settings. Move the Speaker slider control and choose the play icon to test your speakers.

      Customized settings--speaker, microphone, ringer--for audio device

      Alternatively, during a call it is accessible from the call window by choosing the Call Controls button.

      Screenshot showing Skype audio keypad

  • Check your connection.
    If there are gaps or delays in the audio, it might be your Internet connection (or the other participant’s) causing the problem. See solve your connection issues in this guide.
  • Improve the sound at the other end.
    • If you hear background noise in a conference call, choose the Participants button, and then look at the microphone icon for each participant.

      Number of participants in video call

      The icons indicate activity and if the background noise matches with a non-presenter then you should ask that participant to mute their microphone. If you’re a presenter, you can mute the participant yourself.

      Ask the other participant to follow the tips in this guide to solve microphone issues. There are many ways to improve the speech-to-noise ratio, which will make it easier for you to more clearly hear the participant.

Solve microphone issues

Other participants can’t hear me:

If other participants can’t hear anything from your side, the problem is either with your microphone or with their playback device (speakers or headphones).

  1. Check your settings in Skype for Business.
    Skype for Business automatically mutes people joining a scheduled conference. This is done to reduce the noise from parties that aren’t active presenters.

    To unmute yourself, choose the microphone icon with the diagonal line in the call window.

    Skype tools showing the following icons: camera, microphone, present screen, phone handset

  2. Check your microphone.
    If you’re using your computer’s built-in microphone, make sure it isn’t muted. If you’re using an external microphone, check that it’s plugged in. If it’s a wireless microphone, make sure the batteries are charged. Also check for physical mute buttons on the headset/headset cord.
  3. Make sure that the correct device is selected.
    Watch this short video for detailed instructions about checking your audio and video settings. Or, follow the steps below.

    1. On the lower-left side of the Skype for Business main window, choose Audio Device Settings.
    2. If you want to use different devices for audio input and output, then choose Custom Device. This opens separate drop-down lists for Speaker and Microphone. In the Microphone drop-down list, choose the mic you want to use. If you only use your computer’s built-in microphone, you’ll see just one option.

      Speak into the microphone. If the microphone can hear you, the blue speech activity indicator bar will move up and down (the farther right it reaches the better the signal level is). If you have more than one microphone and you’re not sure which name relates to which microphone, talk into each microphone in turn and check the blue speech activity indicator for movement.

  4. Make a test call.

    On the lower-left side of the Skype for Business main window, choose Check Call Quality.

    Note: This feature isn’t available yet for Skype for Business Online users.

    Check call quality for custom device

    • If you can hear your recorded message played back, then your microphone is working fine. The problem might be with another participant’s connection or playback device. Suggest the participant review this guide to solve speaker or headset issues.
    • If you can’t hear your recorded message, continue through these steps to check your Windows audio settings.
  5. Check your Windows settings.
    Adjust the signal strength (boost) of the microphone in Windows by right-clicking the loudspeaker icon at the bottom-right of the screen and using the slider control.

    Focus on Windows speakers icon that is shown on the taskbar

    Choose Recording devices. Right-click the device Skype for Business uses and choose Properties. Then, on the Levels tab, use the slider control to adjust the volume.

    If these steps haven’t helped resolve the issue, you might have a problem with your Windows audio settings. Microsoft has a tool to automatically diagnose and fix audio problems.

Other participants have difficulty hearing me:

If the audio quality is poor—meaning that the other participant can hear you but your voice echoes, sounds muffled, or drops in and out—the following tips can help.

  • Check your connection.
    If there are gaps or delays in the audio or if a participant starts sounding like a robot, it might be your or another participant’s Internet connection causing the problem. See solve your connection issues in this guide.
  • Make sure that the correct device is selected.
    On the lower-left side of the Skype for Business main window, choose a device from Select Primary Device.
  • Check your Audio Device Settings.
    On the lower-left side of the Skype for Business main window, choose Audio Device Settings. Adjust the volume control under selected Microphone and check that, when speaking normally, at least one-third of the sound detected fills the box.

    If the level indicator can’t reach it, then try to increase the signal strength of the microphone in Windows by right-clicking the loudspeaker icon at the bottom-right of the screen.

    Focus on Windows speakers icon that is shown on the taskbar

    Select Recording devices. Right-click the device Skype for Business uses and choose Properties. On the Levels tab, use the slider control to increase (boost) the strength of microphone’s signal if that setting is available.

  • Improve the speech to noise ratio.
    The best way to improve audio quality is by increasing the contrast between the sound of your voice and all other sounds around you. There are lots of ways to do this.

    • If you’re using a speakerphone or webcam, move closer to the microphone. Being too far away from your microphone makes it hard for the mic to pick up your voice clearly. If you’re using the built-in microphone on your computer, make sure you know where it is and make sure nothing is blocking it. For tablet devices, make sure your hand or a finger is not blocking the microphone opening when you hold the device.
    • Reduce background noise. Quiet spaces are best for audio quality because there is less ambient noise for your voice to compete with. Built-in microphones tend to pick up sound from all around.
    • Reduce the volume of the playback. If the volume of your speakers is too loud, or if the speakers are too close to your microphone, either condition can cause interference or echo. Turn down the volume on your speakers and, if possible, move them farther away from the microphone.
    • Use a headset. Almost all the issues described can be improved or solved by using a USB headset. All USB headsets work with Skype for Business, but the best experience is guaranteed by using a Skype for Business Certified headset listed in the catalog.

      If the headset is new and you’re having problems with audio, try plugging it into a different USB port. Also check for hardware level microphone mute. On some headsets, for example, rotating the microphone boom up toward the ceiling equals “mute.” Consult the headset quick start guide or user guide for information about the proper operation of the headset.

Office 365 Ultimate Customer Guide

Productivity boosting software simplifies, accelerates, and automates daily work processes. As part of the mission, the software enhances communication, facilitates collaboration, promotes work organisation, tracks jobs, and visualises workflows for better understanding. Office 365 has set the global standard for productivity software enabling countless organisational entities to work faster and smarter every day with productivity services and applications which are now bundled with the traditional Office suite, forming Office 365.

Microsoft has joined the IT industry proponents who embrace the Cloud model for software and services, and by doing so it made Office 365 available as a subscription-based software pack for Windows and Macintosh. When individual or business users subscribe, they get free automatic updates and the ability to install the software on up to five computers, tablets, and phones. Office 365 stores data in the cloud by default, so teams can access their information and collaborate from any connected device.

However, there is also Office 2016, providing users with the traditional software experience. It includes the Microsoft core software suite, with one copy required for each PC or Mac. Rather than purchasing this software as a subscription, users pay once for it. To get future major version releases of the software, Office 2016 users must buy a software upgrade.

Purpose and scope of the guide:

The first part of this guide will define the Office 365 product and discuss its components and their essential features. Readers will also find a short history of the evolution of the Microsoft Office that will help them understand the present position of the product. A review of the name changes and revisions made to Office components in the 365 version will help readers avoid confusion.

This section also provides an overview of everything Office 365 offers, so that users can evaluate their needs and choices. Many Office 365 subscription options exist, so readers will find an overview of available plans, how the subscriptions management system works, and how to take advantage of the available free trial period. Readers will also find step-by-step instructions for using Office 365 applications to boost their productivity.

The second part of this guide covers technical aspects of the Office suite. Besides discussing built-in data security, user and administrator controls, and customisable features, the section will discuss identity management, data loss and its prevention, archiving, eDiscovery, utilisation, and which Office version to choose.

At the end of the second section, readers will learn about the various types of Exchange environments along with an evaluation of their advantages and disadvantages. Information about Exchange setup and migration will also receive coverage. Microsoft Outlook, a component of the Office suite, does not require the use of Exchange, but many businesses either already have it installed or have an interest in deploying it.

Throughout, this guide will inform about real life choices, restrictions, and potential problems readers might encounter while using Office and respond to those factors with recommendations and helpful information.

 

PART I: Familiarisation with the Fundamentals

In Chapter 1, we will start off by introducing the apps and services and their roles, with useful tips on managing Office apps and features. In Chapter 2, we will review how Office 365 has changed since its original introduction: services that were rebranded or changed, and the new and upcoming 2016 versions of Office components. In Chapter 3, we will provide an overview of subscription plans with guidance on choosing a plan and managing a subscription. Finally, in the last chapter, we will cover each Office 365 component’s prominent features with detailed instructions on how to use them to boost productivity.

Managing Office 365 Apps and Features

The advent of the cloud computing era is exactly what the Web 2.0 era had in mind when it came of age in the early 21st century. It was only a decade ago when Web developers dreamed that computer users would be able to access applications as powerful as Microsoft Office from virtually any Internet-connected device. That day has arrived; nonetheless, there are still functional reasons that call for a desktop and cloud version of the world’s most popular productivity suite.

Tech giant Microsoft released its latest Office version in September of 2015. Microsoft Office 2016 is a powerful productivity suite designed to take maximum advantage of the Windows 10 architecture, which means that it can run on multiple hardware platforms while at the same time allowing users to collaborate on projects via the cloud and Office 365.

The new Microsoft Office releases may be a little confusing to some users. Whereas in the past Microsoft Office was a software suite for desktop and laptop computers, these days there are a few versions that interact with each other. A couple of years ago, Microsoft introduced Office 365 as an upgrade to Office 2013, which had to be downloaded and installed; the novelty was the release of a cloud technology that allowed online storage as well as the ability to create and edit documents across different platforms.

The initial cloud functionality of Office 365 in 2013 was somewhat limited, but it was successful in giving users a taste of the current Microsoft Office ecosystem, which became fully mature and interactive in 2016. The current Office flavours are:

Microsoft Office Mobile: A set of free apps developed for the major mobile platforms, including Android, iOS, Windows Phone, and Windows 10 (mobile). Needless to say, the best experience of Office Mobile is on a Lumia smartphone powered by Windows 10, for it can truly interact and sync with Office 2016.

Microsoft Office Online: A set of free cloud apps that do not require installation and can be accessed from any Internet-connected device equipped with a modern browser. These apps do not offer the full Office 2016 experience, but they do a good job in terms of viewing and editing. Naturally, Office Online is best experienced on Windows 10 running the new Microsoft Edge browser.

Microsoft Office 365: A platform of software apps, services and technologies that can either be purchased and installed or accessed by means of a subscription. In 2015, Office 365 was upgraded to allow access to Office 2016 home users. At one point, the value-added services of Office 365 made a subscription attractive mostly for business users; however, the various plans these days make it also ideal for students, casual users, and enterprise-level players.

Microsoft Office 2016: This is the latest and most advanced version of the traditional office suite, which can be installed on various Windows 10 devices and used in conjunction with Office 365 subscriptions and any other Office version, including legacy suites. Some of the powerful new features that make Office 2016 a must-have include:

  • Integrated communication
  • Real-time collaboration
  • Advanced version history editing
  • Intuitive interface
  • Advanced themes

 

Office 2016 Apps

It is important to understand that Office is no longer a software suite; it is rather a collection of apps, services and technologies that can boost productivity at all levels. Calling Office a technology platform or an ecosystem is more adequate, particularly when combined with an Office 365 subscription. True to its roots, Office kept the core apps:

Word: The most popular word processing tool in the world is still used for creating and editing documents that primarily consist of text, graphics and tables. The ribbon menu that was introduced back in the Office XP days is still there, but it is now more intuitive and includes new features such as Tell Me and Smart Lookup, which make the ribbon less intrusive. Although real-time collaboration is possible in all the core Office applications, it works better in Word. Basic sharing and editing is possible through Office Online; advanced real-time collaboration by various authors and teams requires Office 365, SharePoint or OneDrive for Business.

Excel: Another staple of the business computing world is Excel, the ultimate spreadsheet and data analysis application. The Office 2016 features that make Excel a great app include: the new Forecast function that automates projections through various standard models, Power Pivot makes it easy to import data and play with variables, Power View simplifies the creation of user-friendly dashboards, Power Map provides powerful geolocation and mapping tools, and Power Query automates the Power Pivot processes.
PowerPoint: Virtually any document created with Office apps can be formatted in a way that allows quick showings. When a formal presentation to an audience is required, PowerPoint is still the most reliable application. Two new features that stand out for PowerPoint 2016 include Designer and Morph. The former allows the application of themes, formats and styles to spruce up and polish presentations while the latter is a tool that enables the import and creation of 3D animations.
OneNote: Online notepads and scrapbooks that allow synchronisation and sharing are all the rage these days; however, OneNote is the original enterprise-level notebook application, and the latest version allows the capture and storage of just about any data, from digital audio to online video and from file attachments to embedded Office 2016 objects. The ability to create group notebooks that can be shared via OneDrive and Office 365 makes OneNote ideal for business projects handled by various teams.
Outlook: When a business user logs into the Office 365 or 2016 portal, the first action he or she is bound to take will be to tap or click on the Mail tile to be taken to Outlook. This legendary application can be used for more than just email communications; it can be used to manage work calendars and contacts as if it were a basic Customer Relationship Management (CRM) tool. Setting up Outlook for enterprise use is as easy as connecting the app and its folders to OneDrive for Business or SharePoint; any files saved in these two cloud services can be given access through Outlook messages in the form of a link with access permissions.

Publisher: When business users need to create and distribute stylish documents with flair for the purpose of making a certain impact, the Word app may come up short. Fancy brochures, newsletters, memos, storytelling letters, printable calendars, and other attractive documents can be easily created on Publisher.
Access: Similar to Publisher, this application is only available in the Professional Edition of Office 2016. With Access, users can collect and manipulate data applying the rules and functions of Visual Basic and relational database engines.
Office Online: Just about anyone with a Microsoft account can take advantage of Outlook, Word, Excel, PowerPoint, and OneNote via Office Online. The features are limited, but they can be upgraded to a certain extent with an Office 365 subscription. When using Office Online, users can store and synchronise documents and projects with the OneDrive application, which was previously known as SkyDrive. Ideally, Office Online should be accessed from a Windows 10 device running the Edge browser.

 

Microsoft Office Communications Services

Office business users will have access to the following services, depending on the version and the Office 365 subscription level:

Yammer: This is a social networking application that can be set up for a business organisation. When Yammer is integrated with SharePoint, it can be used to create teams for remote project collaboration.

Skype for Business: Microsoft Lync has been replaced with Skype for Business, an application that fully integrates with Office 2016 so that PowerPoint presentations can be displayed. Additionally, Skype for Business enables videoconferencing with whiteboards and file transfer. Advanced users can set up Skype as a full VoIP solution for the office.

Exchange: Enterprise users who need a unified solution for hosting and business communications should consider Microsoft Exchange for Office, which offers a robust online architecture that makes it possible for users to set up a Client Access Server environment that uses the cloud for support. Once Exchange Server 2016 is installed, enterprise administrators have three set-up choices: Mailbox Server, Edge Transport and Hybrid Scenario. To a certain extent, these choices can be combined to meet the communications and organisation demands of each company.

 

Advanced Cloud Storage and Collaboration

Although users can get a lot done with OneDrive, the ideal situation for business users is to upgrade an Office 365 subscription to gain OneDrive for Business for maximum storage, synchronisation, collaboration and control. For even more features, SharePoint enables business users to either leverage the cloud or set up an internal and secure platform for storage, organisation and collaboration through private browser sessions. With the right SharePoint configuration, enterprises that handle sensitive information can even check to see if there have been attempts by unauthorised members to access folders or documents.

 

Business Intelligence

Delve, Power BI and Dynamics CRM are special, third-party services offered through appropriate Office 365 subscriptions. These services provide value-added content and functions such as: data visualisation tools, advanced dashboards, social insights, productivity tools, modules to record client interaction, call centre scripts, operational performance metrics, and more.

In the specific case of Dynamics CRM, the Office 2016 version integrates tightly into Outlook and offers even more functions through the Microsoft Cortana personal assistant. With Cortana and Dynamics CRM, business users can increase the automation level of their sales processes to make them more effective and less exhausting; essentially, tasks such as setting up a follow-up phone call or a reminder to review a client file can be accomplished with easy voice commands.

 

Security Services

Whereas SharePoint offers BitLocker technology at the platform level to provide security and privacy, the Office 2016 Customer Lockbox is specifically designed to keep content safe on a personal and individual basis for every client and customer. For company-wide security management, Azure RMS can be installed to enact office policies to define levels of access and interaction.

The advantage of Azure RMS is that documents remain protected and encrypted across devices even when they are sent outside of the organisation. Once Azure RMS is configured, all files and messages are automatically protected with defined encrypted libraries; furthermore, administrators can follow the path of documents as users handle them to see exactly who opened or edited them.

 

Professional Presentations

Office 2013 introduced the concept of using PowerPoint to deliver presentations to remote audiences online. The Office Presentation Service is free to anyone with a Microsoft account, and it is very easy to use. For Office 2016, Microsoft has gone beyond PowerPoint in terms of presentations.

Since Office 2016 puts the mobile and cloud computing paradigms at the centre of the user experience, it is easy to understand the idea behind Sway. This hybrid app/service will probably replace PowerPoint as the standard in digital presentations. With Sway, the concept of delivering a presentation one slide at a time is replaced by a storyline. This new presentation concept allows real-time collaborations within projects that are always in the cloud. Sway presentations are delivered to just about any Internet-connected device that has a modern browser installed.

Skype for Business also offers a presentation service that is more professional in form and execution than simply sending a PowerPoint show file by email. A microphone is required to deliver a PowerPoint presentation via Skype for Business; in Office 2016, the show can be scheduled from the actual file, and the audience members can be invited by name or telephone number. Similar options are available for Sway, which can be used for simpler, but more colourful and stylish presentations.

Visio: Rarely found in Office 365 plans, but purchasable separately, Microsoft Visio is a professional diagramming tool which can also be used to display and present almost anything with its capability to create 3D floor plans, organizational charts and anything in-between. It offers a myriad of smart shapes, pre-crafted diagrams, import of shapes or live information from external resources, e.g. Excel, as well as a quick import option, through which Visio identifies the given data, imports it, links it to shapes, applies graphics and converts diagrams into dashboards for real-time monitoring. Additionally, it works in browsers, across devices and others can add comments via SharePoint.

 

Organisation and Management Services

Zoom: Just before Office 2016 was released, Microsoft acquired Equivio, a developer of eDiscovery solutions. The Equivio Zoom platform for analytics and predictive coding is now part of Office, and helps users with data management, especially regarding legal case documents. Equivio Zoom can search and analyse data from Exchange, SharePoint, OneDrive, Skype and Outlook to help analyse unstructured data, identify redundant data and collect data relevant to cases, which can be exported out of Office for review. Equivio Zoom employs machine learning and gives users a great degree of control over data while displaying analysis functions such as structured data, theme organisation, relevance, and Boolean logic.

Project: Designed to assist project managers, Microsoft Project serves to develop plans, add tasks, assign resources to them with estimates, progress tracking, resource capacity forecasting and much more. It supports agile and waterfall methodologies and integrates with Visio and SharePoint. Project can be purchased separately and it also has an online version which has limits, but can be run anywhere from a browser.

 

Navigating Office 365 Changes

The Road to Office 365

As the most comprehensive enterprise productivity solution in the market, Office 365 is the culmination of a series of efforts launched by Microsoft over a ten-year period. While many people believe that the 2010 release of Office 365 was in response to Google Docs and other Web 2.0 productivity solutions, Microsoft’s work on advanced hosted applications dates back to 2004.

Office 365 started with Exchange and the Windows Live paradigm. At one point, Microsoft offered Office Live Small Businesses, which was a combination of cloud email and hosting services. In 2010, Microsoft had observed Google Apps and Google Docs long enough to realize that the time was ripe to target enterprise customers with the Business Productivity Online Suite, which included Exchange, SharePoint, Live Meeting, and Lync.

The initial versions of Office Web Apps were better than Google Docs, but they lagged significantly in comparison to the desktop version of MS Office. By 2013, however, Microsoft was ready to deliver Office 365 services that would put them far in front of Google. With the release of three subscriptions plans for various business needs, Microsoft added powerful features such as SkyDrive, eDiscovery, Yammer, and Power BI.

In preparation for Windows 10 and Office 2016, Microsoft upgraded and re-branded its services to match the cross-platform, app-driven, cloud computing paradigm of the 21st century. These days, Office 365 is a cloud platform that forms part of a business ecosystem, and its evolution has taken place as follows:

From Office Web Apps to Office Online

In the past, users had to login through SkyDrive and create or upload a document with Office Web Apps. These days, users can go directly to http://www.office.com and select the app they wish to work with: Word, Excel, PowerPoint, OneNote, Outlook, Sway, or Calendar. Documents can be uploaded or they can be edited directly from Outlook messages.

From SkyDrive to OneDrive

A brand name conflict with the British Sky Broadcasting Group prompted Microsoft to change the name of its cloud storage solution to OneDrive. The renaming was not the only change; the amount of storage was adjusted for free users and subscribers, thereby keeping up the competitive spirit against rivals such as Google and Dropbox. Some of the neat features added include automatic backup of mobile photo albums, advanced sharing functions, and the ability to jump to Office Online to manage documents. Office 365 users can get up to one terabyte of storage with subscription plans.

 

From Lync to Skype for Business

The app and service formerly known as Lync quickly became favourites among business users after being released to the enterprise world a few years ago. Lync was built on the Skype platform, which Microsoft had smartly acquired years ago. All the great features of Lync were transferred to Skype for Business, which adds new functions such as integration with desk phones, an intuitive interface, advanced call administration, and more. Overall, Skype for Business is a better app for video conferencing and for managing call centre teams; however, nostalgic users who miss the Lync chat features can switch back to the old interface.

From Outlook Web App to the New Outlook

Office 365 subscribers were the first to get a glimpse at Outlook on the Web, which has a few new features that are somewhat reminiscent of what Google Wave used to be. One of the most powerful new functions is the ability to reply and edit an Office document simultaneously and in real time. Online images can be dragged and dropped instead of being attached, and the new Sweep command can quickly organize batches of messages based on set rules and previous behaviours.

 

New Office Apps

Office 365 offers more than just upgrades; two new apps and a special browser extension make this enterprise ecosystem more useful and functional.

Sway: This new app is a cloud-native solution inspired by PowerPoint and OneNote. Sway is a new way to easily collaborate and create; it allows users to come together and create more than just documents. With Sway, business teams can tell engaging stories about projects, proposals, reports, statements, etc.

This born-mobile application allows users to clip and collect content from a variety of sources. Sway can handle anything from digital photos to MP3 files and from PDF documents to spreadsheets. Thanks to responsive design, the content is neatly arranged automatically and ready to be displayed on just about any Internet-connected device. Sway is not a replacement for boardroom presentations; that is still within the realm of PowerPoint, but it is a welcome addition to Office 365.

Google Chrome Extension: Although the best Office 365 experience takes place within the new Microsoft Edge browser running on Windows 10, users are not limited to this particular configuration. Office 365 can be accessed from just about all modern browsers, and it performs quite well on the popular Google Chrome. To this effect, Chrome offers direct browser support for MS Office files; moreover, once the Office extension is installed, users can also create documents and even access their OneDrive accounts. With this extension, Chrome first opens Office documents in a secure sandbox environment to ensure that they are free of malware.

Planner: This new app is something that MS Office users have been clamouring for. The Office 365 Planner vastly improves the actions of setting up Outlook reminders and organizing calendar items. With the new Planner app, users can invite friends and business associates to work together on new projects. Planner is very visual and powerful; to a certain extent, it is similar to MS Project but not as technical or rigid. This app breaks down complex tasks into boards, cards and buckets that can be arranged and labelled in many ways. Documents created with Office apps can be easily integrated into Planner, and dashboards are automatically created to quickly get top-level updates.

 

Office 365 and the New Office 2016

To fully experience every effort that Microsoft has put into its premier enterprise productivity solution, the best setup would include an Office 2016 license running on Windows 10 plus a subscription to Office 365 accessed through the Edge browser and on Lumia mobile devices.

Office 2016 users will notice that the desktop versions of the core apps are far more advanced than those offered at http://www.office.com even with premium subscription plans, and this is because developers are able to take advantage of hardware and operating system improvements that are not yet available for the cloud. Still, Office 365 inspired two major new features found in Office 2016: Tell Me, which is an advanced help and support system that works with queries, and Smart Lookup, which can intuitively bring information from the Web into documents.

Other major Office 2016 advances include:

Outlook 2016: The Office 365 Groups can now be accessed from desktops, laptops, tablets, and smartphones through respective apps, and integration with OneDrive files is seamless thanks to features such as Edit and Reply, which allows users to work on Office attachments at the same time they are composing replies.

Excel 2016: It is widely known that Excel gets smarter and more powerful with each new version of Microsoft Office, and this is particularly the case with Office 2016. Data visualization is more prominent in this version thanks to new chart types such as histogram, treemap, hierarchy, and others. The former Power Query add-in module is now a standard function named Get and Transform, which allows advanced data analysis. The Power BI data modelling service can be integrated from the desktop or from Excel Online. With the new Calendar Insights template, users can track their time and work efforts through a dashboard that they can pivot in order to create time scenarios for better productivity.

Visio 2016: The most powerful new feature of this diagram and flowchart app is that data can now be easily incorporated into projects with Quick Import. This smart wizard interprets data from various sources and assigns shapes as the information is being imported with a click; once this is accomplished, dashboards can be easily created to manipulate the data and change graphics around. Information Rights Management is a new feature that makes collaboration more efficient by controlling how much information and access can be assigned to various individuals.

Project 2016: Although Microsoft now offers the Office 365 Planner for the creation and administration of planned undertakings, Microsoft Project is still one of the most sought-after software tools for project managers. Some of the new features included in the latest version of this app include: integration with the Tell Me Office query, a new way to establish agreements between the project manager and administrators, and an improved timeline view that allows pivoting of dates for outcome scenarios.

Exchange 2016: The new version of Microsoft Exchange assumes that users will be more inclined to access their mail and calendars via Web browsers. To this end, it is more cloud-centric as it simplifies the Mailbox Server roles and provides an Edge Transport feature. In terms of compliance, administrators can install and set internal rules to enable retention, indexing and permanent archival for eDiscovery purposes. Exchange 2016 includes BitLocker support for data protection.

Power BI: Microsoft has completely revamped the Power BI service, calling it a “new experience” that users must migrate to if they were subscribed to Power BI for Office 365 in 2015. The new service is no longer dependent on SharePoint; it focuses on the collaboration groups created in Office 365 and allows editing of spreadsheets from outside the Power BI website. Dashboards and reports can now be viewed from iPhones, iPads and Android-powered devices, but the mobile experience is always better on Lumia devices running Windows 10. The Power BI Pro version is extremely comprehensive as it includes SQL SAS and Azure connectivity, custom creation of data, grouping, and data streaming.

SharePoint 2016: Contrary to what some analysts had predicted, SharePoint is hardly going away; in fact, the new version provides greater functionality and seamless integration with Office 365. The new SharePoint resides and operates in the cloud and it can be easily accessed from mobile devices. The collaboration experience has been enhanced, and the roles assigned to users are automatically made compliant across all servers. SharePoint now works with OneDrive for site storage.

OneDrive: Free cloud storage quotas have been reduced to 5 GB; a new 50 GB plan will soon replace the 100 and 200 GB plans, but will not affect current customers. Now that OneDrive integrates with SharePoint, users can manage their sites from within, and they are no longer limited to managing files and folders; they can also create libraries according to access policies.

Yammer: Enterprise social networking is the way to do business in the 21st century, and the Yammer platform is the most ideal for this purpose. In 2016, the new focus is on creating teams derived from Office 365 groups, which means that users will now be able to sign in with their Office 365 accounts. Internally, Yammer features indexing and archival features for the purpose of compliance and eDiscovery. Real-time collaboration and access to feeds has been improved, and file sharing is not limited to OneDrive; files can also be shared via Dropbox. Yammer is now a service that is fully integrated with OneNote and Outlook.

Choosing a Subscription Plan

Microsoft Office 365 – Current Subscription Plans

Choosing the right Office 365 subscription entails reviewing the level of service and the features that each plan has to offer. The plans are arranged within three main groups: Home, Education and Business. The Home group includes two plans: Home and Personal; the Business group has plans for Small Business, Enterprise, Government, Nonprofit, and Kiosk.

Home Group Plans

The Office 365 Home plan is ideal for users who wish to share the apps and services with members of their household. In early 2016, pricing was set at £7.99 per month; the annual subscription offered a 16 per cent savings for £79.99. Prospective users can also use their credit cards to try this plan for free during one month. The apps included are: Word, Outlook, Excel, OneNote, PowerPoint, Publisher, and Access. The services include 1 TB of cloud storage on OneDrive, as well as Skype with 60 minutes per month. This plan grants access to apps and services for five desktops, laptops or mobile devices.

The Personal plan is for individual use. It includes full installation of Word, Outlook, Excel, OneNote, PowerPoint, Publisher, and Access in one desktop or laptop in addition to one smartphone and one tablet. Services include: OneDrive cloud storage up to 1 TB plus Skype with 60 minutes per month.

Education Group Plans

The Education plans are for academic institutions; as such, pricing will depend on the number of teachers, students and school staff members that will need access to the apps and services. The plans include the following Office Online cloud apps: Word, Excel, PowerPoint, OneNote, Sway, and Outlook. Depending on the level of subscription chosen, the Education plan may include services such as Skype, eDiscovery, Rights Management, OneDrive, social networking through Yammer, SharePoint third-party app support, and HD video conferencing. The academic volume licensing can be managed so that credentials expire when teachers and staff members no longer work at the school, and also when students graduate or transfer. The Office Online apps and services can be accessed from mobile devices, and full Office 2016 apps can be installed on up to five desktops in each school.

Business Group Plans

The three main plans in this group are: Business Essentials, Business, and Business Premium. The Essentials plan is the most affordable at just £3.10 per month with an annual commitment, and it includes Office Online access, 1 TB of OneDrive storage, Outlook mailbox with 50 GB of cloud storage, and video conferencing. The Business plan offers a full installation of Office apps on one desktop plus one smartphone and one tablet plus 1 TB of OneDrive storage for £7.00 per month, but it does not include email. The Premium plan includes fully installed apps plus an Outlook mailbox with 50 GB of cloud storage, video conferencing, and 1 TB of OneDrive storage for £7.80 per month. Business plans allow the porting of an existing domain name, and the subscriptions can be combined so that some employees can use Essentials while others use Business or Premium. Certain services such as Skype for Business, Yammer, eDiscovery, and others can be added as needed.

The Office 365 Enterprise plans include ProPlus, E1, E3, and E5 options:

ProPlus is £10.10 per month, and it includes a full installation of all Office 2016 apps on up to five desktops and mobile devices; it also includes access to Office Online, 1 TB of OneDrive storage, Sway, enterprise management, and Business Intelligence.

E1 plan offers Office Online access, 1 TB of OneDrive storage, Outlook mailbox with 50 GB of cloud storage, Skype for Business with video conferencing, intranet, Yammer, Sway, search Office Graph, video portal, and broadcasting of meetings for £5.00 per month.

E3 plan includes all E1 features plus a full Office 2016 installation including Access, an unlimited Outlook mailbox, enterprise management, Business Intelligence, compliance tools, and eDiscovery for £14.70 per month.

E5 plan includes all E3 features plus Power BI analytics, advanced security tools, PSTN conferencing access within Skype for Business, and Cloud PBX for switchboard-style communications.

Government organisations have two Exchange and two Office 365 subscriptions to choose from:

Online Plan 1 costs £2.20 per month, and it includes an Outlook mailbox with 50 GB of cloud storage plus the ability to view Office Online attachments.

Online Plan 2 costs £4.40 per month, and it includes an Outlook mailbox with 50 GB of cloud storage, the ability to view Office Online attachments, and access to compliance and information protection tools.

Enterprise E1 plan costs £3.70 per month; it includes the Online Plan features plus 1 TB of OneDrive storage, Skype for Business with video conferencing, intranet, Yammer, and search via Office Graph.

Enterprise E3 plan costs £12.50 per month and includes all features of the Enterprise E1 plan in addition to a full Office 2016 installation on up to five desktops and mobile devices, enterprise management, Business Intelligence, compliance tools, eDiscovery, and hosted voicemail with unified messaging.

 

Qualified nonprofit organisations can take advantage of two Office 365 plans granted as donations and two business plans at very affordable monthly subscription costs. The plans start as free trials and can be received as donations from Microsoft, but they can also be upgraded.

Nonprofit Business Essential plan is limited to 300 users; it offers access to Office Online apps, 1 TB of OneDrive storage, Outlook mailbox with 50 GB of cloud storage, Skype for Business with video conferencing, intranet, Yammer, and search via Office Graph.

Nonprofit E1 plan is available to unlimited users and offers the same features as the Business Essential plan plus a corporate video portal.

Nonprofit Business Premium Plan costs £1.30 per user and is limited to 300 seats; it includes a full Office 2016 installation on up to five desktops and mobile devices per user in addition to the features offered by the Business Essentials plan.

Nonprofit E3 plan costs £3.30 per month per user, and it includes all the Business Premium features as well as enterprise management, Business Intelligence, compliance tools, and eDiscovery.

 

Kiosk plans are ideal for shared desktop environments:

Exchange Online Kiosk plan costs £1.30 per user per month, and it can accommodate unlimited users. This plan offers an Outlook mailbox with 2 GB of cloud storage, premium security suite, Exchange ActiveSync support for employees who use smartphones, and POP email support.

Office 365 Enterprise K1 plan costs £2.50 per user per month; it accommodates unlimited users and offers all the features of the Online Kiosk plan plus Yammer, SharePoint sites access, and Office Online apps.

 

Choosing the Right Office 365 Plan and Subscription

The Office 365 consumer group subscriptions (Home and Business) can be purchased by just about any user without restriction. The Education, Government and Nonprofit plans require users to meet a certain level of eligibility; making this determination is the first step to consider when evaluating which plan merits subscription. The next step is to consider the expenses, the number of users and the scope of intended use.

Individuals, students and self-employed professionals will probably benefit from a Personal plan that can be installed in one desktop or laptop plus one smartphone and one tablet. The Office 365 Home plan is better suited for households that wish to save on their subscription costs since it can be installed in up to five desktops or laptops plus five tablets and five smartphones.

The Education plans are for both students and teachers of qualified schools. The apps and services can be selected according to academic needs, and licensing costs can be adjusted according to the required volume.

The main Business plans can be combined to accommodate companies with more than 300 employees without having to pay for Enterprise plans at a higher cost. Enterprise plans can accommodate up to 10,000 employees.

Government plans are only available to qualified entities that operate at levels from municipal to national as well as certain international cooperation agencies. The entities that qualify for these plans must sign a contract that is authorised under jurisdictional laws.

Nonprofit organizations should take advantage of the free Office 365 trial while Microsoft determines eligibility. Nonprofits are not under any obligation to pay at the end of the free trial period, and many smaller organizations may qualify for a donation. Eligible nonprofits that operate on a larger scale can later upgrade their donations to a paid subscription that is very reasonable.

Kiosk plans are ideal for companies whose operations include shared desktops, thin clients or casual employees who need to access basic productivity tools on their smartphones, particularly under the Bring Your Own Device (BYOD) model. These plans can support unlimited users and can be combined with Enterprise plans.

Signing Up for Free Trials

Most Office 365 plans offer a free, one-month evaluation period. Generally, prospective users will need a Microsoft account and a credit card to register their free trial by visiting Office.com. For the convenience of users who wish to purchase a subscription after their free trial expires, the initial credit card information can be kept to continue billing or it may be changed at a later time. In the case of Government and Nonprofit plans, prospective users must contact Microsoft to go through the process of eligibility determination.

Once the Office 365 free trial starts, users can install apps on their devices and begin the evaluation process. To cancel the trial, users must access their Office 365 profiles and look for the auto-renew option under the “My Account” section; this option must be turned off before the end of the trial period.

Free Office 365 trials are offered on some new desktops, laptops and tablets powered by the Windows 10 operating system. The trial can be started by clicking on the Microsoft Office icon, but prospective users do not have to worry about turning off the auto-renew option because the trial ends automatically after 30 days. At that point, prospective users are offered a chance to register and purchase a subscription. Any files or documents stored in OneDrive can be retrieved by users at no cost if they decide against purchasing a subscription.

Office 365 Subscription Management

Managing an Office 365 account and subscription is simple; everything is done from the “My Account” screen. It is possible to switch between plans as long as they are in the same group. When upgrading or downgrading plans, it is important to remember that the previous features stop immediately and can no longer be accessed without switching again.

Generally, each account can be used to manage no more than one plan. Subscriptions can be purchased up to five years in the future, and the auto-renewal billing process can be stopped at any time; however, if the subscription was purchased from a third-party retailer, subscribers must turn off auto-renewal from the original point of purchase. There is no refund for annual subscriptions when plans are cancelled, but the time left can carry over to a new plan.

The Office 365 Home subscriptions can be shared with up to four other people via the Share Office 365 section of My Account, which sends invitations via email. It is important to note that one invitee can install Office apps on more than one device; however, doing so will take away an installation from the subscription plan, which is limited to five.

Shared subscriptions can also be taken away by means of deactivation or removal. When an installation is deactivated, users can still use Office apps to read and print documents. When an installation is deactivated, OneDrive storage is still available, but such is not the case with removal. This does not mean that removed subscribers will lose their files; however, they will lose their ability to upload and will need to download their data at some point.

When an Office 365 subscription comes to an end, users are given an opportunity to renew or else download their data within 90 days. To keep the subscription functional after expiration and before renewal, users should login at least once every 30 days.

Boosting Your Productivity with Office 365

Depending on the subscription plan chosen, Office 365 offers services and components that can be greatly beneficial to business productivity. Learning more about what can be accomplished with each service and how they interact with Office documents can help in making an educated decision on what subscription plan to get.

Here are some of the most interesting features that Office 365 offers to boost productivity:

Outlook

Microsoft has applied major upgrades and improvements to this favourite email, calendar and contacts application. One of the most talked-about new features available in Outlook is Clutter, which is available only to Office 365 subscribers and not for those who purchased a one-time Office 2016 license. Essentially, Clutter saves time by applying a smart filter to arrange messages. With Clutter, the email server acts upon algorithms that determine the importance and interest of each message received. The determination is based upon the messages that are routinely read or ignored; those messages that are less important are set aside into a special folder labelled “Clutter.” Since this is a cloud feature, it must be turned on or off from the Outlook Web App from the Settings – Options – Mail section. Since it may take a few days for the smart filter to learn the mail reading habits of new users, it helps to train the system by right-clicking on each message and choosing the Move to Clutter option.

Yammer

It took a few years for social networks to be recognized as valid productivity tools by the enterprise world. Yammer has been around less than 10 years; within that time, however, it has become the premier social networking app for enterprise purposes, and its functionality has greatly expanded since Microsoft acquired it in 2012. As part of an Office 365 subscription, a Yammer network can be created for the benefit of users who have company email addresses; external users can be accepted on a strict invitation-only basis. Similar to other social networks, Yammer encourages positive reinforcement by means of the “Praise Button,” which can be used to commend co-workers, associates and partners. Praise can be given on a number of actions: from company announcements to promotions and from completion of a project to a great idea. Yammer has been proven to be an excellent medium for driving innovation; to this effect, companies can use a single post to ask for input from staff members on a single topic, or they can highlight a single piece of user-generated content and learn about its impact from the social reaction.

Skype for Business

Ever since Microsoft acquired Skype, the former P2P voice chat service has grown into a mature solution for business communication and collaboration. Some of the most powerful features of Skype for Business include: ad-hoc contacts, which can be done from the contact list or from the search results; setting up contact lists, which can be done from the Add to favorites or Add to Contacts options; presentations, which can be accomplished with a click of the “Present” icon at the bottom of the call screen, and the ability to invite up to 250 participants to a single video or voice conference. Of all the new Skype features, the ability to present just about anything, from desktops to interactive whiteboards is perhaps one of the most powerful.

SharePoint and OneDrive for Business

With OneDrive for Business, sharing a document for basic collaboration and editing is as easy as selecting the Add to My OneDrive option; however, this functionality is not the same as the real-time collaboration offered by SharePoint, as OneDrive was not primarily intended for sharing. With SharePoint, users can go to a document library, open a file on Office Online, and see the number of people working on the document at any given time. Depending on the permissions set for each user, they may be able to edit on a semi-formal, formal, or commentary basis. On top of that, the versioning option shows when a file was changed in any way and by whom, along with their comments. If there are problems with the current version, previous ones can be viewed without overwriting the current one and the current one can be replaced with a previous one.

Business Intelligence Services

Delve is a very interesting new service offered for Office 365 business users. Delve is based on Office Graph, which is a Microsoft technology that is similar to the machine learning algorithms used by powerful search engines and artificial intelligence developers. In essence, Delve is a smart business researcher that gathers, collects and organises information, relationships and ideas that users may not see on a daily basis, and the data collected may even come from mobile devices. For business managers who must stay on top of everything that happens within their organisations, Delve is a great informational and time-saving tool; since it does not actively move to change file permissions or access private files, it never becomes intrusive to the point of violating privacy.

Power BI is another business intelligence service for Office 365 that is becoming more functional and powerful as time goes by. In essence, Power BI takes data and transforms it into dashboards, which can show detailed reports displayed as tiles. With Power BI, a company can connect to multiple datasets from other services such as Salesforce. Getting started with reports is as easy as following the sequence of importing data to create a new Excel spreadsheet; once this is accomplished, the data is ready to be transformed and explored. A nice extra within Power BI is provided by Quick Insights, a set of 32 detail-rich data visualizations with descriptions that can be displayed in seconds and easily modified with filters and pivots.

Microsoft Dynamics CRM

The greatest advantage of using this customer relations management solution is having one organised place for storing prospecting and customer information. Data can be entered manually (e.g. records of phone calls with custom notes) or imported from sources like social networks, an accounting system or Excel, and it can also be exported into a spreadsheet. Among other features, there is an integrated dashboard creation option with charts, which uses the imported data. That is especially useful for sales, as are the lead/opportunity labels for contacts; there is also easy case creation, search and monitoring for service representatives. Once Dynamics CRM is properly configured, data about clients, customers and prospects can be managed to ensure that contacts are made in a timely manner and that follow-ups are conducted periodically.

Professional Presentation Services

Office 365 offers two professional presentation options: the Visio app and the Sway service. Visio is a mainstay of the Microsoft Office software family, and it is still the best app for business charts, diagrams, network maps, 3D models, floor plans, flowcharts, etc. Also, its Quick Import option enables linking of resources like Excel, AD or SQL Server for real-time data displaying next to visualisations. Sway, on the other hand, is a very intuitive and attractive online service that can be used for quickly creating presentations. Both Visio and Sway offer online collaboration; however, the former is more effective for describing technical processes while the latter is better to tell engaging business stories.

Organisation and Management Services

Microsoft Excel and Project have been upgraded with new functions to expand their functionality. With Power Pivot, Excel now allows the import of very large datasets from various sources. With Power View, the data gathered, filtered and connected with Power Pivot can be visualised in multiple charts. Power Map allows the integration of geographic data, and Power Query can adjust data in relation to external changes with just one click.

Microsoft Project now offers Resource Engagements, which is a management feature that focuses on the staffing portion of a business project. This new feature adds a new ribbon to Microsoft Project, which replaces the traditional Resource Availability view with the new Capacity Planning view. Within this new view, project managers can view resources and their workloads expressed as heat maps. In this fashion, work can be assigned to certain resources without having to worry about overworking them or having others sit outside of the project with excessive non-working hours.

Office 365 User Assistance Services

Professional users who subscribe to Office 365 can enjoy the benefits of FastTrack, a dedicated customer success service that delivers substantial value. The Microsoft FastTrack centre is staffed by hundreds of engineers from all over the world; they are trained in providing remote assistance in a personalised manner.

FastTrack representatives contact Office 365 business users within 30 days of a new subscription becoming active. This service is available to customers who purchase subscriptions of at least 50 seats. FastTrack engineers work with subscribers to develop and commit to an Office 365 success plan set up for the deployment and implementation across an enterprise.

Part II: Delving Deeper

In the second part of the guide we will cover the more technical features and options, with instructions provided for accomplishing the jobs at hand. Chapter 5 concentrates on Office 365 security layers and how users control security and privacy. After that, Chapter 6 gives guidance on Identity Management Models, followed in Chapter 7 by information about Data Loss Prevention and the steps the user can take to prevent sensitive data loss. Chapter 8 explains how archiving and eDiscovery work, with instructions on how to utilise them, and, lastly, Chapter 9 explains On-Premises, Cloud and Hybrid Environments and provides requirements, considerations and instructions for their setup.

Staying Safe with Office 365

General Information on Security

A subscription to Office 365 means that users will be entrusting their documents, data and important information to the Microsoft cloud. As with any other cloud service, it is reasonable to expect that many users will be concerned about security; after all, tech news media outlets routinely publish headlines about spectacular data breaches suffered by major cloud providers. Such concerns are valid; however, it is important to learn about the levels of security that Microsoft implements in its Office 365 cloud services.

The Microsoft servers that house Office 365 files and applications are located within ultra-secure data centres. The physical security at these centres is augmented with access control, motion sensors, biometric scanners, and many other security controls. Over the last two years, Microsoft has been able to maintain uptime levels higher than 99.96 per cent, and these levels are jealously controlled and verified by technicians.

The risk of emergency security threats is taken very seriously at Microsoft data centres. To this effect, one strategy applied by Microsoft is known as assumed breach practice or red teaming, which consists of undercover hackers working on behalf of the company to launch attacks against its data centres. The targets are typically Office 365 and Azure cloud services, and the red team tries everything to exploit vulnerabilities through tactics, techniques and procedures replicated from real-life events. The Microsoft security team never knows whether it is protecting against one of the company's own red teams or against cyber criminals; this is only revealed at the end of the exercises.

Office 365 and Exchange Online Protection

Data created and stored in Office 365 is primarily protected by BitLocker, Microsoft’s current encryption mechanism, which can be deployed with either Advanced Encryption Standard (AES) 128 or 256 bit security; this is for all the servers that hold email messages, Office documents, projects, instant messages, and conversations across OneDrive and SharePoint.

How the Service-Level Security Layers Protect the User

Office 365 users are protected by core methods of defence applied through three layers of security:

Physical Layer: As previously described, Office 365 physical security is handled by Microsoft in their data centres, which are staffed around the clock by technicians who must utilise multi-factor authentication for physical and remote login procedures in addition to biometric scanning and personal challenges. The data centres are set up in a way that the hardware and software are protected individually from subscriber data; in this fashion, attackers cannot access a system through another one.

Logical Layer: The logical security of Office 365 data is provided through lock box processes, which are greatly automated for the purpose of minimising human access and potential mistakes. All server processes are whitelisted to prevent the introduction of malicious code, and security teams are constantly looking out for avenues of malicious access through techniques such as perimeter security, port scanning, and intrusion detection.

Data Layer: As previously described, static data is protected by means of BitLocker AES 128 or 256 bit encryption. When in transit, data is protected by the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Microsoft also practices constant disaster recovery and business continuity drills to ensure that data will always be available and secure for Office 365; this is all part of the service level agreement (SLA) between Microsoft and subscribers.

How to Customise Security Controls as User or Administrator

Malware and spam protection controls can be managed from the Office 365 Administration Centre (OAC); from here, administrators can control the flow of spam messages and set up lists of blocked senders. Additionally, individual users can manage their own lists of blocked senders from their Outlook inboxes.

Exchange Admin Centre (EAC)

Using the EAC, Office 365 subscribers can configure their own anti-malware policies for improved protection. The Protection – Malware Filter section of the EAC gives users control over the various policies. The default policy can be edited so that it applies to the entire company; also, admin users can create new policies for the purpose of applying them to select users and groups. These user-created policies can be named and given descriptions; their Malware Detection Response can be set to delete the message, delete only the malicious attachment, or issue custom alerts so that individual users can update their lists of blocked senders.

Password Expiration Policies

Since Office 365 is a subscription-based system, proper password management is essential. Administrators can set passwords to never expire, but this is only recommended for users who are expected to work with the organisation only for a short time. Otherwise, passwords expire on a regular basis; settings can be changed by opening the Service Settings – Password section of the OAC. Aside from setting passwords to never expire, administrators can set the number of days before expiry from 14 to 730, and they can also set the number of days before users get a notification that their passwords are about to expire.

Secure Multipurpose Internet Mail Extension (S/MIME)

Office 365 uses S/MIME, an electronic messaging protocol that allows users to handle correspondence that is digitally signed and encrypted. Administrators can increase the security of their organisation messaging systems by setting up S/MIME in all Outlook app versions from 2010 and 2013 as well as in their Outlook on the Web systems and their Exchange ActiveSync. This will require installation of a Windows Security Certificate that will issue public S/MIME encryption keys. The certificate must be published in an Active Directory Domain Service account, and a virtual certificate collection must be applied to validate the certificate before the endpoint Outlook or Exchange clients can be activated.

Additional message protection in Office 365 can be obtained through Message Encryption, which allows TLS communications with trusted partners. This feature must be purchased along with a subscription to Microsoft Azure Rights Management, which costs about $2 per month for each user. With this feature, users can send confidential and encrypted mail seamlessly.

Office 365 Content Management Policies

Advanced document management and control features can be enforced for compliance within Office 365. Various policies can be created and applied to multiple content types within a collection, within a website, or within a library, collection, or list of documents. The most common policy is applied at the site collection level, which can be started from the Site Settings page; from here, users can access the Site Collection Administration – Content Type Policy Templates to create new policies along with descriptions. The features that can be specified include: Retention, Auditing, Labels, and Barcodes.

Office 365 Multi-Factor Authentication (MFA)

As with all cloud services, good security begins at the access level; to this effect, Office 365 offers MFA, which allows verification of login credentials via mobile calls, text messages or in-app notifications. There is a standard MFA for Office 365, but users can also purchase the higher Azure MFA. Setting up the standard Office 365 MFA can be done from the OAC – Users and Groups – Active Users section; from here, MFA requirements can be enabled, disabled and enforced for individuals.

Role-Based Access Control (RBAC)

Administrative roles are not limited to a single user in Office 365. From the OAC Active Users section, current administrators can assign new admin roles or take them away as needed. Admin roles require an alternate email account for password recovery as well as a mobile number for MFA.

Microsoft Privacy Policy and User Data and Communication Privacy Control

The Microsoft SLA for Office 365 treats user data under a “Privacy by Design” policy, which implies that subscribers have full control over documents and other information they create, share and store. Furthermore, users can control the privacy of their data and communications by means of settings within OneDrive and SharePoint. The default data access levels are Read and Edit; other advanced permissions such as Full Control can be set by SharePoint admin users at the list, site, and personal levels. Greater customisation can be found in SharePoint in comparison to OneDrive.

Choosing a Model for Identity Management

Identity management is a special feature of Office 365 and other subscription services offered by Microsoft. The purposes of identity management are varied; the two most important being security and control. Essentially, identity management allows an organisation to identify users and assign proper resources in accordance with work policies.

The three components of identity management are: access, authentication and authorisation. The access component refers to devices and networks while authentication involves the verification of that user’s identity by means of security credentials; authorisation refers to the actions and permissions assigned to users once they have been authenticated.

Office 365 administrators have a few identity management models to choose from. Each model presents options that may be suitable for various organisations. The choosing and switching of models are decisions that organisations can make in relation to their needs.

Office 365 Identity Management Models

The three identity management models available to Office 365 administrators are: Cloud, Synchronised and Federated Identity.

Cloud Identity model: allows the management of Office 365 users and their identities from the Online Admin Centre. The credentials are actually stored in Azure Active Directory, with Microsoft tasked with access and control. This model is ideal for administrators who wish to handle all the identity management tasks from the cloud and without having to depend on user directories that are handled as on-premises lists. With the Cloud Identity model, the deployment and management functions are simplified and do not require service installations. The reliability of Azure Active Directory is protected and guaranteed by Microsoft and its extensive data centres.
Synchronised Identity model: administrators can integrate an existing, on-premises directory with Office 365. Essentially, the user identities are managed within a directory located in an on-premises server. The credentials that are stored on this on-premises directory will be the same used by users to access Office 365 apps and services, but the verification is handled by Azure Active Directory. The credentials and password hashes are synchronised to the cloud by means of a special tool provided by Microsoft. The greatest benefit of the Synchronised Identity model is that it allows administrators to work with local directories that they must keep in accordance to existing policy; however, it requires the upkeep of a server and the implementation of consistency checks with Azure Active Directory.
Federated Identity model: administrators must manage their own on-premises identity service, which can be provided by a third-party developer, without synchronizing with Azure Active Directory. This model is ideal for administrators who may already have Active Directory Federation Services in their local servers; one example would be administrators who are running a Microsoft Exchange Server or SharePoint application, or who are managing smart-card security solutions. The Federated Identity model is probably the most secure and complex, but it is also the most dependent on third-party technologies; it is ideal for organisations that use single sign-on as one of their best practices, but it may require them to implement advanced solutions such as the use of tokens or biometric scanners.

Identity Management Model Recommendations

The username/password paradigm of Internet security and access control is becoming dated. Technology news headlines these days are becoming dominated by cyber crime stories about hacking outfits that breach networks for the nefarious purpose of accessing username/password databases. Only the most spectacular breaches are reported; it is reasonable to believe that small businesses and organizations that keep access control lists and directories stored on local servers are amongst the most vulnerable.

Clearly, there is a need for enhanced identity management and access control when it comes to subscription services such as Office 365; after all, users of these apps and services often create documents and engage in long conversations about sensitive business matters that must be kept confidential at all times.

With the move towards cloud computing, security enhancements are moving beyond the username/password credential systems of yesteryear. Of the three identity management models employed by Office 365, the Federated model is not only the most secure, but also moving in the direction of Internet access and control for the future.

The identity management models offered by Office 365 improve on the Yet Another Username and Password (YAUP) paradigm of online access and control that has been the norm since the 20th century. Each model is a step towards Single Sign-On (SSO), which is the antithesis of YAUP.

Office 365 administrators who manage small business organizations can easily adopt the Cloud Identity model to allow their users access to several apps and services. In the YAUP days, users would have needed different credentials to access their Outlook mail, Yammer accounts, Sway presentations, Word documents, etc. The Cloud Identity model assumes that the administrator is a reliable identity provider (IDP) that provides credentials managed by Azure Active Directory as the Relying Party (RP).

The three Office 365 identity management models establish a trust relationship between the IDP and RP to offer users SSO abilities. The SSO paradigm makes use of Security Assertion Markup Language (SAML) technology, which conforms to the standards of the Organization for the Advancement of Structured Information Standards (OASIS). SSO is at its best when applied through the Federated Identity model, which is a browser-based means of authentication with an IDP. The trust created through SSO in the Federated Identity model requires a reliable and compliant on-premises directory that syncs with an on-premises IDP. Ideally, SSO will become a Web standard through the widespread implementation of biometric devices such as fingerprint scanners.

Most small and medium-sized companies will find the Cloud Identity model suitable to their needs. In some cases, however, the Synchronised Identity model is required for companies with compliance requirements that force them to keep directories on-premises. Microsoft does not expect all companies to be able to adopt the Federated Identity model at this time; therefore, the Cloud and Synchronised Identity models are probably more attainable.

Switching Between Office 365 Identity Models

Depending on operational requirements and business needs, Office 365 administrators are able to switch between identity management models. As previously discussed, one day all administrators will be able to choose and implement the Federated model for the convenience of their users; however, they may have to settle for the Cloud or Synchronised models until they can upgrade their systems with tokens or biometric readers.

For most Office 365 administrators, choosing an identity management model will come down to which one is the simplest to implement. Should the need arise to switch from one model to another, it is important to note that it is not possible to go directly from the Cloud model to the Federated model.

Switching from Cloud to Synchronised model can be accomplished by deploying the DirSync tool. Since the list of users is already stored in the cloud and managed by Azure Active Directory, the RP will attempt to establish trust by means of matching up existing users. To this effect, administrators can use the PowerShell tool to extract Primary SMTP email addresses used to access Office 365; these addresses can then be imported into the Active Directory of the on-premises server.

The process of switching from the Synchronised to the Federated model is not complicated since the synchronization is a prerequisite. The on-premises server must be segmented by domain unless separate servers are already in use. In this switch, the administrator must indicate the RP to use for password validation, and the federation option must be selected in the Office 365 Admin Centre.

To switch from the Federated to the Synchronised model, administrators can use the PowerShell tool to convert the domain from Office 365 to standard, and passwords can be synchronized with DirSync in lieu of having all users reset their passwords individually. PowerShell can also be used to switch from the Synchronised to the Cloud model; this requires administrators to turn off synchronization in the Office 365 Admin Centre. This switch will require a 72-hour update of Office 365 services.

It is important to note that administrators who already have SSO for various cloud services or for apps within their IT infrastructure are not obligated to synchronize with Azure Active Directory. If business requirements state that Office 365 subscriptions must be kept separate, the best course of action would be to choose the Cloud Identity model and forego the password hash function offered by Azure Active Directory. Should this be the case, it is important to avoid redundant passwords.

Managing Data Loss Prevention Policies

The Role of Data Loss Prevention

Data loss prevention (DLP) has been a feature provided by Microsoft to enterprise clients since 2013. DLP was first implemented in Exchange Server and Exchange Online; these days, the feature extends to Office 365, SharePoint and even MS Office 2016.

In general, DLP allows enterprises to set policies that enable them to handle sensitive information adequately. The idea is to provide integrity for messages and documents as they are transmitted, stored or edited as a collaborative effort. The basic DLP functions are: identification, monitoring and protection; they are enforced through a set of conditions, filters and transport rules.

Managing DLP Policies

The Compliance center component of Office 365 allows administrators to apply DLP policies. Microsoft has designed these policies with certain business compliance standards in use across the enterprise world. Sensitive information that must be protected may include customer data, client information, credit card numbers, health records, and others.

A DLP policy allows compliance managers to identify whether information being handled in Office 365 is sensitive. If the process of identification is positive, the DLP policy will allow administrators to adjust settings to monitor and protect information deemed to be sensitive.

The rules implemented and enforced by DLP policies are based on location, conditions and actions. In the case of Office 365, the locations will likely be Exchange, SharePoint and OneDrive. The conditions are set to enable the DLP to look for specific content that matches certain formatting such as passport numbers or bank accounts. The actions are set by compliance officers to allow users to view, share or edit the information; furthermore, actions can be set to notify key personnel about information being accessed.

Basics on Setting up DLP Policies

The Office 365 Compliance center can be accessed from the left navigation bar of the Admin Portal, under the Tools option. From here, the DLP option can be found and accessed for creation and administration of policies on documents. DLP policy management for emails and other messaging options is accessed through the Exchange admin portal, but this may be consolidated in the future.

Currently, the Financial and Medical industries are specifically listed as options for creating new DLP policies; there are also Custom and Privacy options to choose from. Office 365 users can expect that more of these options will become available in the future as business and regional standards disseminate.

When a new DLP policy is created, administrators are given a choice of services to protect, followed by the rules that can be customized with conditions. When the Create button is clicked, the new DLP policy will immediately be applied.

DLP Policy Creation Methods

Aside from creating new DLP policies from scratch, Office 365 administrators also have options to import policies from third-party vendors or using templates provided by Microsoft.

Creating a DLP policy from a template is an out-of-the-box process that can save administrators a considerable amount of time since they do not have to build new rules from scratch. This creation method requires administrators to specify the compliance regulation, the type of data to handle and the organizational expectations.

Enterprises that have intricate and particular requirements for data protection and monitoring will likely have to create custom DLP policies in Office 365. In this case, administrators need to specify everything from the data types to the constraints. This process may not be as complex as coding, but it requires careful attention to compliance requirements.

Third-party vendors may provide DLP policies that conform to certain enterprise environments, ISO standards or government regulations. Office 365 allows the importing of such policies, which are often developed by Microsoft partners.

DLP Policy Tips

Similar to Exchange Mail Tips, DLP policies in Office 365 offer tips that can be used to notify users that they may be about to violate a compliance regulation. For example, if an Office 365 subscriber is about to send an Outlook message that contains sensitive information such as healthcare records, a DLP Policy Tip may be displayed to alert the user of the potential compliance issue.

DLP policy tips can also be created to do more than display messages. Tips can also be set to perform certain actions such as blocking a message from being sent, preventing a folder from being shared, notifying supervisors, or even providing the option to override a protective measure by notifying the administrator that the information in question is not sensitive.

Aside from enforcement, DLP policy tips can serve to educate users on compliance issues. Tips can be tested on a variety of devices since they are designed to work on the Outlook mobile app.

How Sensitive Content Detection Works

DLP policies are only as strong as their ability to identify sensitive content. Microsoft has been working on sensitive content detection since the early days of Exchange 2013; to this effect, the code architecture of Exchange 2013 and Office 365 provides deep analysis of content along with extensive criteria that can be applied as detection rules.

One of the issues that affect sensitive content detection at the enterprise level is the potential for false positives. When a DLP policy action is mistakenly applied without reason, users can become frustrated and may look for ways to circumvent compliance just so they can get their work done.

Microsoft tries to supply as many sensitive content detection rules as possible, so that Office 365 administrators can use them out of the box. Many of these rules are related to standards such as credit card numbers and bank account numbering that adheres to the IBAN standard; altogether, there are more than 80 of these options. Microsoft has also coded checksum routines that look for certain keywords and patterns to identify sensitive content in documents or corporate communication.
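
The combination of pattern, checksum and keyword described above can be sketched as follows. This is an added example, not Microsoft's implementation or code from the original guide; the keyword lists, the confidence values 65 and 85, the 100-character window and the sample messages are assumptions constructed for illustration.

```python
import re

# Constructed values for illustration; not taken from any product.
LOW, HIGH = 65, 85   # confidence without / with a corroborating keyword
WINDOW = 100         # characters inspected on each side of a match

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IBAN_RE = re.compile(
    r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")


def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban):
    """IBAN check: move 4 chars to the end, map A-Z to 10-35, mod 97 == 1."""
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


# (rule name, candidate pattern, checksum, corroborating keywords)
RULES = [
    ("credit_card", CARD_RE, luhn_ok,
     ("card", "visa", "mastercard", "amex", "expiry", "cvv")),
    ("iban", IBAN_RE, iban_ok,
     ("iban", "bank", "account", "swift", "bic")),
]


def mask(value):
    """Keep only the last four characters so findings are safe to log."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(text, min_confidence=75):
    """Return (rule, masked value, confidence) for every match that passes
    its checksum and reaches the policy's minimum confidence."""
    findings = []
    for name, pattern, checksum, keywords in RULES:
        for m in pattern.finditer(text):
            raw = re.sub(r"[ -]", "", m.group())
            if not checksum(raw):
                continue                     # right shape, wrong checksum
            nearby = text[max(0, m.start() - WINDOW):m.end() + WINDOW].lower()
            confidence = HIGH if any(k in nearby for k in keywords) else LOW
            if confidence >= min_confidence:
                findings.append((name, mask(raw), confidence))
    return findings


# Constructed sample messages.
MSG_CARD = "Please charge my Visa card 4111 1111 1111 1111, expiry 09/27."
MSG_TRACKING = "Tracking reference 1234567890123456 for your parcel."
MSG_NO_CONTEXT = "Ticket 4111111111111111 was closed."
MSG_IBAN = "Wire to IBAN GB82 WEST 1234 5698 7654 32 by Friday."

if __name__ == "__main__":
    for msg in (MSG_CARD, MSG_TRACKING, MSG_NO_CONTEXT, MSG_IBAN):
        print(scan(msg), "<-", msg)
```

The 16-digit tracking reference is dropped by the checksum, and the ticket number that happens to pass the checksum stays below the default threshold because no keyword supports it; both are the kind of false positive the section warns about.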


Sensitive Information Rules and Document Fingerprinting

DLP policy files are created as XML documents that follow a certain schema. DLP templates allow administrators and developers to get started quickly; however, Microsoft recommends original rules that go beyond the basic rule structure for enterprises that are serious about compliance. The rule creation process starts with preparing test documents representing the target environment: one subset of documents contains content that matches the rule's logic and the other does not. Afterwards, the rules that meet the acceptance requirements for identifying the qualifying content are selected, followed by the establishment of a confidence level for the rules, based on the acceptance requirements. Lastly, the rules are validated by instantiating a policy with them and monitoring the sample content, after which the rules or confidence levels can be adjusted to maximize detection and minimize false positives and negatives.

Document fingerprinting is a DLP strategy in which the DLP agent identifies a sensitive document’s unique word pattern and creates a “fingerprint” (XML file) based on that pattern. The fingerprint is used to detect outbound documents with the same pattern, so that transport rules and other policies can be applied. This strategy is particularly useful to organizations that frequently use standard forms or templates. Document fingerprinting works on just about all text-based files, and can also be applied to documents created and edited by means of collaboration.
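
A simplified illustration of the fingerprinting idea, added here and not taken from the guide or from Microsoft's implementation: it hashes overlapping three-word sequences of a blank form and measures how many of them reappear in an outbound document, rather than producing the XML fingerprint the text mentions. The shingle size, the 0.5 threshold and the sample form are assumptions.

```python
import hashlib
import re

K = 3             # words per shingle (assumed value)
THRESHOLD = 0.5   # share of template shingles that must reappear (assumed)


def words(text):
    """Lower-case word tokens; punctuation and layout are ignored."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_hashes(text, k=K):
    """Hashes of every run of k consecutive words. Only hashes are kept,
    so the fingerprint does not contain the template's text."""
    w = words(text)
    return frozenset(
        hashlib.sha256(" ".join(w[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(w) - k + 1)
    )


def containment(fingerprint, document):
    """Fraction of the template's shingles that also occur in the document."""
    if not fingerprint:          # template shorter than k words
        return 0.0
    return len(fingerprint & shingle_hashes(document)) / len(fingerprint)


def matches_template(fingerprint, document, threshold=THRESHOLD):
    return containment(fingerprint, document) >= threshold


# Constructed blank form, used once to create the fingerprint.
TEMPLATE = """Employee Information Form
Full legal name:
Date of birth:
National insurance number:
Home address:
Bank account number for payroll:
Emergency contact name and phone:
I confirm that the information given above is correct.
Signature:
"""

# Constructed outbound documents.
FILLED = """Employee Information Form
Full legal name: Jane Example
Date of birth: 1 January 1990
National insurance number: QQ 12 34 56 C
Home address: 1 Sample Street, Exampletown
Bank account number for payroll: 00000000
Emergency contact name and phone: John Example 555 0100
I confirm that the information given above is correct.
Signature: J. Example
"""

UNRELATED = ("Team lunch is moved to Thursday. Please confirm that you can "
             "attend and send your order to the office manager.")

FINGERPRINT = shingle_hashes(TEMPLATE)

if __name__ == "__main__":
    for label, doc in (("filled form", FILLED), ("unrelated mail", UNRELATED)):
        print(label, round(containment(FINGERPRINT, doc), 3),
              matches_template(FINGERPRINT, doc))
```

The values typed into the form break only the shingles that span a field boundary, so the filled copy still scores well above the threshold while ordinary mail shares nothing with the template.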


Detection Approaches in SharePoint Online and OneDrive for Business

Microsoft continues to develop DLP for all services, apps and components of the Office 365 ecosystem. As announced in 2015, the DLP features are extended to OneDrive for Business and SharePoint Online. On SharePoint, DLP works as a crawler that checks documents and communications for sensitive content. This integration also includes Dynamics CRM and eDiscovery services, and it extends to the search indexes so that unauthorized users are not able to see snippets of sensitive information as they enter queries.

The initial implementation of DLP for SharePoint Online includes 51 types of sensitive information such as credit cards and bank account numbers that adhere to the IBAN numbering standard. Administrators can take advantage of the DLP for SharePoint and OneDrive built into Enterprise Search to look for documents that may contain sensitive information in the eDiscovery center. Various queries for sensitive content can be run, and the results appear under the SharePoint tab for evaluation.

Results from sensitive content queries can be exported into a report for a detailed review by compliance officers and administrators. Based on this report, various actions can be manually taken. For example, documents that contain sensitive information can be removed from shared sites or the permissions can be adjusted as needed.

Microsoft is working on extending DLP features across SharePoint so that they are as comprehensive as in Office 365; however, the current ability to manually search for sensitive content has been well-received by compliance professionals. If administrators have not yet activated the eDiscovery center service, the initial application of DLP may take up to 90 minutes. The process begins with the assignment of permissions to users who need access to eDiscovery functions before selecting a template to create a case. Once an eDiscovery case has been created, a query can be created to search for sensitive content across SharePoint sites.

Utilizing Archiving and eDiscovery

The Need for Archiving and eDiscovery

As a comprehensive enterprise productivity solution, Office 365 provides features and services that cover many facets of business. Compliance is a major factor in today’s business climate, and this is something that Microsoft Office developers have been paying close attention to over the last few years.

Compliance with records retention, archiving and electronic discovery is something that every business organization should be able to reasonably implement, particularly in common law jurisdictions in the Commonwealth of Nations and the Anglosphere. Office 365 takes advantage of the cloud computing paradigm to offer business subscribers a sensible solution to enterprise compliance needs related to archiving and electronic discovery. As long as regulators allow the use of cloud services for the purpose of meeting compliance requirements, Office 365 will probably meet the needs of most businesses.

Exchange Online Archiving

Archiving is a service that dates back to Exchange Server 2010; it is hosted on the reliable and ultra-secure Microsoft data centers around the world, and it offers 24-hour live support that is available to certain subscription levels. With this service, business organizations can keep all their important documents and communications in a single place along with user and transmission metadata that can be preserved for as long as it may be required.

Hosting documents, communications, records, and archives on Office 365 servers will make sense for most enterprises. The benefits are numerous; from scalable storage to integrated management and from technical support to remote access, complying with record retention policies, subpoenas and witness summons is not only possible but also efficient and cost-effective.

The basic Exchange Online Archiving Plan 1 offers a total of 50GB of cloud storage between Inbox and Archive folder content. Plan 2 offers more comprehensive compliance solutions with unlimited storage and extended features.

Office 365 eDiscovery

Electronic discovery, commonly known as eDiscovery, is a legal compliance process that deals with the production and exchange of information that is electronically stored. The eDiscovery process may be a result of investigations by law enforcement agencies, regulators, or local court orders related to litigation. When an organization receives an eDiscovery subpoena, summons or court order, the burden is on the business principals to comply, and this may involve intricate production of data.

Office 365 offers various levels of eDiscovery that make it easy to comply with legal orders. The process starts with archiving and record preservation; it continues with analysis and production. To reduce liability and increase compliance, Office 365 eDiscovery offers features such as data management, real-time search, and In-Place Holds of select data. All these features can be accessed through an intuitive Web interface.

Both Archiving and eDiscovery are services that can be managed from the Exchange Admin Center (EAC) or from PowerShell; this is where administrators can enable archiving for specific users. Most administrators will initially set up Archiving to retain all documents and communications; however, this can later be optimized to comply with custom retention policies. Storage should not be a concern, particularly when cloud services are chosen; nonetheless, efficient retention policies may call for the omission of certain files for the purpose of respecting personal privacy to a compliant extent. Experienced Office 365 administrators can customize retention policies to respect privacy and to set limits specified by business needs.

Managing Office 365 Archiving Features

New subscribers who have had a local version of Outlook can import data to Exchange Online by means of the Import and Export Wizard. A Personal Store (.pst) data file is needed for this process; once this file is imported, the .pst data can be manipulated and the email messages can be dragged into the Archive folder. Alternatively, administrators can drag messages directly from an Outlook Mailbox into the Archive folder. Administrators who are actively complying with records retention can also set archive policies that can move certain email messages from mailboxes to the Archive folder automatically.

On-Premises Archiving

Certain business organizations may need to retain records on their own servers for the purpose of complying with local rules or company policy. Office 365 allows subscribers to create on-premises archives from the EAC. To do this, select Recipients – Mailboxes and click on New – User – Mailbox. At this point, the Alias box should be selected and completed before clicking on More Options. From here, click on Mailbox Database – Archive – Browse to select the local storage target of the on-premises archive.

In-Place Archiving

Office 365 business subscribers no longer need to rely exclusively on .pst data files to archive company email communications. The In-Place Archiving feature is a historical, permanent and compliant email solution for single users, but not for shared mailboxes. In-Place Archiving is much more efficient than dealing with .pst data files, and it adds an important compliance dimension by allowing administrators to recover Deleted Items from local Outlook apps or from Outlook on the Web. When Deleted Items are retrieved, information such as when they were created and deleted can be retained for investigative purposes.

Managing eDiscovery Functions and Features

Exchange Online includes the In-Place Hold feature, which offers real-time protection of sensitive documents without creating an impact on workflow. With In-Place eDiscovery, administrators can search mailboxes for relevant content even within SharePoint environments. Standard eDiscovery queries provide not only relevant content but also statistics and the ability to export findings into a case file that is portable and can be transferred to hard drives or removable storage media for offline evaluation.

Creating an eDiscovery Case

Office 365 administrators can create investigation cases from the eDiscovery center. Once a case is created, administrators can let auditors and legal staff run queries and export findings for examination. Each new case must have a title, a short description and a short URL. Once this is done, administrators must select an eDiscovery Case template and set User Permissions, which can be adjusted at the parent or specific level if other users must be included. Under Queries, a new item must be created and named before inputting the search terms and indicating the location URL. At this point, the administrator can click on Search to get the results and export them to an external case file. In many jurisdictions, prosecutors are familiar with eDiscovery Case files.

Since eDiscovery cases will primarily operate in cloud environments, administrators can capture data from multiple Office 365 apps and services. Everything from email messages to documents and from OneNote files to Skype conversations can be collected in real-time.

Office 365 eDiscovery is not limited to the cloud; it is also available on-premises and can be connected to Exchange for the purpose of extending queries across SharePoint, Office Online and even Skype. In fact, legal teams can also create eDiscovery Case Sites so that they can collaborate and formulate strategies just like within a SharePoint environment.

Enjoying the Ease of Operation and Maintenance

In the past, the records retention and eDiscovery processes were difficult and costly for many companies to operate and maintain. Office 365 alleviates these issues by providing businesses with powerful tools that allow them to focus on operations without having to worry about whether they can afford in-house legal and compliance teams.

Since most of the eDiscovery summons, investigations and court orders deal with corporate communications, the first step in terms of compliance is to manage an email solution that is conducive to archival. With Exchange Online Archiving, Office 365 subscribers can rely on Microsoft technology to provide the foundation of email compliance.

Accessing archived email from the Outlook application and from Outlook on the Web is an easy task that does not require users to learn new tools. The Office 365 user interface demystifies archival and eDiscovery through intuition; this allows administrators to quickly settle into their compliance roles.

Microsoft frequently releases software patches that are applied automatically to Outlook, Exchange and eDiscovery, which means that legal staff members and Office 365 administrators do not have to worry about their systems becoming outdated and out of compliance. Access to archived data is consistent and almost universal with the solutions provided by Office 365.

Thanks to In-Place Archiving, the legacy Outlook .pst data files are being gradually phased out. What this means for business managers is that they will no longer be afflicted by the performance issues that arise when .pst files become very large. The ability to set retention policies helps administrators to efficiently organize information since they can easily choose the items that should be archived or deleted.

Understanding On-Premises, Cloud and Hybrid Environments

Pros, Cons, and Setup of On-Premises Environments

The advantages of on-premises Exchange servers are mostly related to the degree of control the user organization retains over the system. First of all, the organization controls the hardware, software, and the recovery tools. That extends to customizing inbox size limits and message restrictions, which can make a significant difference in the storage needed. If the user would like to incorporate third-party apps into the email system, then this setup is the most practical for doing that. Users also have total control over the security and the email data itself, so access is not handed to someone else. There are no external sources of downtime because maintenance and updates happen on the organization's schedule. One can take advantage of any and all Exchange features, and the new ones can be quite attractive. Lastly, maintaining Exchange on-site equals a significant speed boost.

On the other hand, this option is expensive both in terms of money and in terms of staff time. Skilled staff is needed at all times, because the user is in charge of support. It is also necessary to purchase and maintain all the supporting hardware, like the cooling and power systems, and the network infrastructure to support the Exchange servers. Anytime there is a significant update, the user prepares and executes the transition, while ensuring minimal impact to the user experience. Not only are these downsides costly, but they also consume time that could be spent on something else, so one should consider whether the control features are worth the additional work and costs of keeping everything on-premises.

As for the installation, there are three types. The first one is the Mailbox server role, which is mandatory. The other two, the Edge Transport role and the management tools, can be installed on a different server.

For the Mailbox role, first install the OS roles and features and restart afterwards. After that, .NET Framework version 4.5.2 is installed, followed by Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit. For the Edge Transport role, instead of installing roles and features, WindowsFeature ADLDS should be installed, and the installation then continues according to the instructions for downloading the two supplementary pieces of software for the Mailbox role. To install the Exchange Management Shell on Windows Server 2012 R2 or Windows 8.1, only .NET Framework 4.5.2 is needed and, after that has been done, the chosen installation of Exchange is ready to be installed.

Firstly, an Active Directory schema update needs to be installed, for which the aforementioned .NET Framework and RSAT-ADDS are needed: there will be prompts for these when the initial setup for Exchange is run. Before applying the schema update, the forest directory should be backed up, because permanent changes are made and a permanent, irreversible organization name is chosen. Afterwards, Exchange and the Mailbox role are simply installed and the server is rebooted.

Pros, Cons and Setup of Cloud Environments

Another choice is the cloud-only environment in which all email services are performed through Office 365. This has its own set of pros and cons. On the plus side, money is saved on software and hardware compared to an on-premises install, as well as on staffing costs because no on-site support is needed. Microsoft guarantees 99.9 percent uptime with financial backing. Remote log-ins are possible from almost any location and device. The cost of third-party apps can be integrated into the user’s subscription fee.

There are some disadvantages to consider, such as no control over data, which could possibly result in non-compliance with some data security protocols that matter to the user’s organization. Also, there is a limit to the extent of possible linking into the email system with APIs. This might matter if, for example, a comprehensive CRM solution and incorporation of email would be desired. There is also the risk that subscription costs will change over time as the business grows. Lastly, it appears unclear how the data could be integrated back into the organization if the contract is terminated.

While an on-premises environment gives greater control and the ability to incorporate more third-party tools, the cloud provides significantly lower costs and transfers the burden of logistics and management outside of the organization. The right choice for an organization will depend on the current costs, staff, objectives, as well as the sensitivity of the data contained in its emails.

The setup for moving from an on-premises system to a cloud solution is easier than the initial installation of the on-premises approach. If there are fewer than 2000 mailboxes that need to make the transition, it is best to do it all at once through a cutover migration. Every user will get a new user account for Office 365, and a license will need to be assigned to every user whose mailbox is migrated to the cloud, which is why a cutover might not be practical for many mailboxes and 150 are recommended.

If, on the other hand, there are more than 2000 mailboxes, it is better to make the transition in parts. The Azure Active Directory tool is used to manage a staged migration in which a portion of the total mailboxes make the migration in each pass. Azure Active Directory will provide the link to enable synchronization between the existing Active Directory domain and the Office 365 environment. However, only user and resource mailboxes can be migrated.

Pros, Cons and Setup of Hybrid Environments

A hybrid approach provides the user with some of the advantages of both systems. For example, control is kept over security while other tasks fall to the cloud. That allows the organization to focus money and staff time on the most important aspects of its email system. It is also easier to scale the costs, because staged migrations of users to the cloud can be carried out as needed, which can control the subscription costs. This is also a useful point to test out some of Exchange’s hosted features to decide whether they would be welcome in the entire system or not.

On the downside, it can be a challenge to set up and maintain a hybrid system because two infrastructures have to be managed at once. That also means financing two infrastructures at once, because of the required staff, hardware, and software for both. Hybrid solutions can get expensive depending on the proportion of users in the cloud and how extensive the on-premises needs are. Some users are in the cloud while others are not, which used to cause problems, but with single sign-on or password synchronization users can log on to both environments with the on-premises credentials. Where on-premises accounts already exist, directory synchronization helps mirror accounts between the two environments, so there is no need to re-create or update accounts twice.

In cases when ADFS or DirSync is used, an on-premises Exchange server should be kept even in the event of a complete migration to the Office 365 cloud. This is because the only supported way to edit the attributes of an object synced from on-premises Active Directory is through that very on-premises directory. It is not possible to edit these Exchange attributes without using unsupported tools like ADSIEdit.

In any case, before beginning the setup, it needs to be verified that all the prerequisites are met, starting with the latest cumulative update, or at the very least the one immediately prior; any earlier update is not supported. There needs to be at least one server in the Mailbox role and, if the Exchange version is 2013 or older, one in the Client Access role. The license for Office 365 must support Azure Active Directory and the Azure Active Directory Connect tool must be deployed. All necessary custom domains must be registered and, if not on Exchange 2016, the Autodiscover DNS records must be set to point to the Client Access server. The Exchange Admin Center is connected to the user organization and valid digital certificates are obtained from a certificate authority. After that, the Hybrid Configuration Wizard can be run, which will provide guidance through the process. Another option is to enlist the services of the Microsoft or a third-party support team.

Conclusion

Productivity software and related services play an essential role in modern private and business life. Such a role naturally evolved as the use of computers, laptops, smartphones, and tablets progressively altered the hardware landscape. Microsoft long ago established itself as the provider of software that users could quickly learn and use to become productive in the Information Age. The popularity of Office applications such as Word, Excel, and PowerPoint propelled them into their current iconic status as compatibility standards for the entire world.

Using Office, businesses and individuals can create documents, spreadsheets, presentations, and other materials that people can open, read, edit, and save anywhere in the world. Although such compatibility continues to factor into the decision to use Microsoft productivity software, many other compelling factors contribute to its enduring appeal. The suite has evolved to include more features and services, keeping up with the rapid pace of technological development, and it continues to play a central role in business and private life. For example, modern collaboration tools have expanded the utility of Office, accommodating teams and helping them to work together efficiently. Using Office applications, multiple users can contribute, review and approve documents in a secure online environment.

With versions of its applications available for Android, iOS, and Windows Phone, Office has set another standard for mobile productivity. The emergence of smartphones and tablets with these platforms allowed users to work anywhere in the world, provided they have an Internet connection. Since so many people already use Microsoft productivity applications, mobile users can seamlessly integrate into modern workflows.

The emergence of cloud-based software has provided opportunities for software developers to earn steady revenue streams. In return, they provide users with a continual stream of security and feature updates that helps them stay on the cutting edge of productivity and performance. Although some users might balk at paying the monthly or yearly subscription fee for Microsoft Office 365, others can choose to buy Office 2016 and then selectively update to future versions as conditions warrant. Still, subscription plans range from the Outlook personal email service to an entire business ecosystem for the enterprise.

This guide covered a large portion of Office 365, familiarizing users with the general user experience. Readers learned about a range of possible problems and potential solutions, giving them a realistic picture of what to expect while using Office applications.

Potential users must decide whether they want to pay the subscription price for the Office 365 suite and its accompanying features while considering their individual needs. The list of considerations influencing the decision includes the number of devices and users that need access to the software. Readers were also advised to consider how often they have bought Office upgrades in the past (if at all) to gauge whether the open-ended cost of the Office subscription provides sufficient value to rule out the traditional licensing model.

The ability to work from multiple locations using different devices ranks among the top reasons for choosing the Office 365 subscription. Businesses that depend on having the latest software updated with security and user features will need the subscription, as will those who must have the ability for multiple users and teams to collaborate and communicate.

By utilizing the information found within this guide, individuals and businesses should be able to work more efficiently within the Microsoft productivity ecosystem and make informed decisions.