Tips for Office 365 IT Managers

August 17th, 2019 | Posted by admin in Exchange | Office 365 - (0 Comments)

Microsoft Office 365 has introduced many new services compared with what was available 5 years back. The Office 365 Enterprise E3 plan was mostly used by enterprise organizations for services like Exchange Online, SharePoint Online, OneDrive for Business Online and Microsoft Teams. As of today, there are ~250 million mailboxes in Office 365, and the mailbox count is increasing day by day.



As an Office 365 IT manager, you need to ensure the following are properly monitored as part of your daily activities.

Service Health Dashboard:

Microsoft announces Office 365 related outages on your Office 365 tenant's Service Health Dashboard. Though there is a delay before the notification appears, it is your responsibility to monitor the Service Health Dashboard and check whether any of your users are reporting the issues.

Message Center:

Any planned changes or enhancements to the Office 365 services are announced in the Message Center, and you have an option to receive the announcements by email. Details about the announcement, the services that are going to be affected and the steps that you need to follow are shared here. Ensure you are reviewing the announcements on a daily basis.

Office 365 Reports:

Microsoft provides a best-in-class reporting feature for the Office 365 services. Active users, application usage, storage consumption and license usage can be viewed from the Reports. Review the reports to understand Office 365 service utilization in your environment.

Security and Compliance Dashboard:

The Security and Compliance portal provides the information about security. The Reporting section of this portal has been enhanced and provides more insights about your Office 365 tenant. Review the available reports.

Azure AD Sign-In Logs & Audit Logs:

Users with administrative permissions can make changes in your environment. Review the audit logs of the changes done by them to verify that administrators are not changing anything without change approval.

Review the Permissions assigned to Administrators:

Users who left the organization may still have permissions in the environment, or a shared account with admin permissions may have a password known to the person who left; change the password of such shared accounts.

Azure AD Connect Sync:

Though AD objects are automatically synchronized to Azure AD by Azure AD Connect, it is better to check the last successful synchronization. Monitor the AD Connect alerts in Azure AD to find duplicates etc. In addition, ensure the AD Connect application is updated with the latest updates.

ADFS Health Check:

Configure the ADFS Health agent and monitor the server status from Azure AD. Azure AD Monitoring will alert you in case of any issue with the ADFS infrastructure.

License Validation:

License validation is required to ensure you are not over-subscribing the Office 365 services. If you do not want your users to use free trials, disable the trial services from the Office 365 Admin Portal.

External Sharing Capability:

Validate whether the external sharing capability of OneDrive, SharePoint, Office 365 Groups and Teams is properly configured as per your plan.

Data Retention:

Ensure you have configured retention policies on all the Office 365 services as per your legal and compliance requirements.

Guest Accounts:

Review the guest accounts in your Azure AD. They are already interacting with your users and have access to your company data in one way or another.

Application Permission:

Are you allowing users to register Azure AD applications on their own? Review the applications registered and what data they are accessing in Azure AD.
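The admin role, leaver, guest account and application permission reviews above can be scripted. The following is an added example (not code from the original post) using the AzureAD PowerShell module; it assumes you have run Connect-AzureAD with an account that can read directory roles, users and OAuth2 permission grants.

```powershell
# Added example: daily Azure AD admin review for the checklist above.
# Assumes the AzureAD module is installed and you have rights to read roles,
# users, service principals and OAuth2 permission grants.
Connect-AzureAD | Out-Null

# 1. Who holds admin roles? Get-AzureADDirectoryRole lists activated roles only.
$roleMembers = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role    = $role.DisplayName
            Member  = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
            Type    = $m.ObjectType        # User, Group or ServicePrincipal
            Enabled = $m.AccountEnabled    # $null for non-user objects
        }
    }
}
$roleMembers | Sort-Object Role, Member | Format-Table -AutoSize

# A disabled account (typically a leaver) that still holds a role is a cleanup item.
$stale = $roleMembers | Where-Object { $_.Type -eq 'User' -and $_.Enabled -eq $false }
if ($stale) { Write-Warning "Disabled accounts still holding roles:`n$($stale | Out-String)" }

# 2. Guest accounts: they already have some level of access to your data.
$guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"
Write-Host ("Guest accounts: {0}" -f @($guests).Count)
$guests | Select-Object DisplayName, Mail, CreationType | Sort-Object DisplayName | Format-Table -AutoSize

# 3. Application permissions consented by individual users (ConsentType 'Principal'),
#    resolved to the client app, the resource it reaches and the delegated scopes.
$sps = @{}
Get-AzureADServicePrincipal -All $true | ForEach-Object { $sps[$_.ObjectId] = $_.DisplayName }
Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    ForEach-Object {
        [pscustomobject]@{
            App       = $sps[$_.ClientId]
            Resource  = $sps[$_.ResourceId]
            Scope     = "$($_.Scope)".Trim()
            GrantedBy = (Get-AzureADUser -ObjectId $_.PrincipalId).UserPrincipalName
        }
    } | Sort-Object App | Format-Table -AutoSize
```

Review the third table against the question in the last tip: each row is data a user has personally granted an application access to.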

Having queries? Reach us at superhybrid.coud@yahoo.com

Many organizations involved Microsoft to do a network assessment before migrating to Office 365. Microsoft reviews your network and shares recommendations with the customer to ensure users have proper connectivity to Office 365 services.


Microsoft announced a new tool, connectivity.office.com, to help all organizations analyze their network connectivity to Office 365 services. Once the network connectivity has been analyzed, it will redirect you to fix any issues found in your environment. Microsoft did a tremendous job for Office 365 customers by providing this network connectivity tool to analyze their network traffic to Office 365 services.

This tool is capable of analyzing the below:

  • 470 tests will be done to validate traffic to Exchange Online, Skype for Business Online and Microsoft Teams, plus identity and authentication.
  • The tool will analyze whether you are using proxy servers to reach Office 365 services or a direct internet connection, and validates the latency.
  • SSL-intercepted URLs will be identified so you can ensure those URLs are not intercepted.
  • It will compare the performance with other customers near you and share the status of your company's network.

To validate your network connectivity:

From your network, access connectivity.office.com in IE or the Edge browser and select your location.

Enter your tenant name alone, without onmicrosoft.com, and click Run the Test.

Once the test is completed, you can see the result in the browser.

You can view the results and the impact status of your network, as well as the Details and Solutions sections of the network validation. In addition, you can get a link to your network performance validation result and share it with other engineers or Microsoft.

I hope you are validating your network performance from all your locations to ensure there are no issues in connecting to Office 365 services.

If your mailbox is hosted in Office 365 and you are experiencing slowness while accessing the mailbox using Outlook, you need to check the below things before raising a ticket with Microsoft.

  • Check the global DNS resolution

It is always better to check whether your connection goes to the closest regional Office 365 datacentre. If your Office 365 tenant is hosted in the US and you are accessing your mailbox from the US, but DNS resolves to the Singapore ingress point, then you may need to contact your ISP to identify/fix the issue.

Check the host name resolution for outlook.office365.com. Below, I am connecting to outlook-in.office365.com as I'm sitting in India.


NSLOOKUP will show the nearby ingress endpoint name. Below are the ingress points available in Office 365 and their location details.

  • Check the network latency using a ping or psping test

If you are experiencing slowness in accessing your Office 365 mailbox, you can check the network latency to outlook.office365.com using a ping test; the average latency should not exceed 300 ms.

  • Outlook Connection Status

Check the Outlook Connection Status, focusing on the Average Request and Average Response values. You can calculate the round trip time using RTT = Average Request – Average Response, which has to be less than 300 ms.

  • Trace route to find the number of hops to reach the Microsoft network

Use the tracert command against outlook.office365.com to check the number of hops it takes to reach the Microsoft network (msn.net).

  • TCP idle session

The TCP timeout has to be configured to more than 2 hours on perimeter devices like firewalls and other network devices.

  • Check the latency when using a proxy and a direct internet connection

Most organizations use a proxy server to allow clients to connect to the internet. Check the latency when using the proxy and without the proxy; if the proxy shows more latency, check whether you can bypass it.

  • Disable the Outlook add-ins to see if any add-in is causing a problem.

Outlook -> File -> Options -> Add-Ins -> Manage Add-Ins

  • You can also use the SaRA tool (Support and Recovery Assistant) to find Outlook issues.

Above are the basic things that we can check to see if there is any issue at the end-user side. If everything looks normal, then raise a ticket with Microsoft 😉
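The DNS, latency and hop checks from the list above can be run together before opening a ticket. This is an added example (not a script from the original post) for Windows PowerShell 5.1 or PowerShell 7 on Windows; it assumes Resolve-DnsName and Test-NetConnection are available (DnsClient and NetTCPIP modules) and takes the 300 ms threshold and the msn.net hint from the post.

```powershell
# Added example: DNS ingress, ICMP latency and hop-count checks for Outlook slowness.
# Assumes Windows with the DnsClient and NetTCPIP modules (Windows PowerShell 5.1 / PowerShell 7).
param(
    [string]$Target       = 'outlook.office365.com',
    [int]$MaxLatencyMs    = 300   # guide value from the post
)

# 1. Global DNS resolution: follow the CNAME chain to see which regional
#    ingress endpoint your resolver hands you.
Write-Host "== DNS resolution for $Target =="
$records = Resolve-DnsName -Name $Target -Type A -ErrorAction Stop
$records | Where-Object { $_.Type -eq 'CNAME' } |
    ForEach-Object { Write-Host ("  {0} -> {1}" -f $_.Name, $_.NameHost) }
$records | Where-Object { $_.Type -eq 'A' } |
    ForEach-Object { Write-Host ("  A record: {0}" -f $_.IPAddress) }

# 2. Latency: a handful of pings, averaged and compared with the threshold.
Write-Host "== ICMP latency =="
$pings = Test-Connection -ComputerName $Target -Count 5 -ErrorAction Stop
# Windows PowerShell 5.1 exposes ResponseTime; PowerShell 7 exposes Latency.
$times = $pings | ForEach-Object {
    if ($null -ne $_.PSObject.Properties['Latency']) { $_.Latency } else { $_.ResponseTime }
}
$avg = ($times | Measure-Object -Average).Average
$verdict = if ($avg -le $MaxLatencyMs) { 'OK' } else { "ABOVE $MaxLatencyMs ms, investigate" }
Write-Host ("  average {0:N0} ms over {1} pings: {2}" -f $avg, @($times).Count, $verdict)

# 3. Hop count: trace the route and note the first hop whose reverse DNS name
#    is in msn.net, i.e. where the path enters the Microsoft network.
Write-Host "== Trace route =="
$trace = (Test-NetConnection -ComputerName $Target -TraceRoute -WarningAction SilentlyContinue).TraceRoute
$hop = 0
$entered = $null
foreach ($ip in $trace) {
    $hop++
    $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty NameHost
    Write-Host ("  {0,2}  {1,-16} {2}" -f $hop, $ip, $ptr)
    if (-not $entered -and $ptr -match 'msn\.net$') { $entered = $hop }
}
if ($entered) { Write-Host "  Reached the Microsoft network at hop $entered of $hop" }
else          { Write-Host "  Could not identify a Microsoft network hop by reverse DNS" }
```

Run it once on the corporate network (through the proxy) and once on a direct internet connection to get the comparison the proxy bullet asks for.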

In this post, we will see how to control external sharing in SharePoint Online and OneDrive for Business Online. It is better to control external sharing to restrict who can share content with whom, and this keeps your organization's data safe.


The default setting for OneDrive for Business Online and SharePoint Online is to share content with anyone in the world (not with aliens 😉). Below shows the default settings.

You can log in to Admin.OneDrive.com to control external sharing for both applications.

OneDrive for Business Online

In addition, you can log in to the SharePoint Online admin center to see the default settings, which will be like "Allows external sharing with authenticated users", meaning sharing with anyone who can authenticate with Azure AD.

Below are the settings available for external sharing; you can choose whichever option best suits your requirement or policy.

  • Only people in your organization – In other words, you are disabling the external sharing capability.
  • Existing external users – External user accounts already created in your Azure AD. If you create an external user, users in your organization can share with that external user.
  • New and existing external users – You can share with anyone; if they authenticate with Azure AD using their organization account or their live.com account, that account will be created in your organization's Azure AD and users in your organization can share content with them.
  • Anyone – The default option; as it says, sharing can be done with anyone and there is no requirement to log in with his or her account.

We can move the slider based on our requirement to set the external sharing option.

Advanced settings for External Sharing:

Organizations may want to allow external sharing only to the domains they collaborate with on a daily basis; to achieve this, in the same OneDrive admin center we control the advanced external sharing options.

You can manage the Advanced settings for external sharing settings here. I have explained the available options below.

Let external users share items they don't own: By default, it allows external users to share the content with other users.

Allow or block sharing with people on specific domains: You can add the domains with which your organization's users are allowed to share documents.

External users must accept sharing invitations using the same account that the invitations were sent to: This is the best option to validate that only the intended recipient is opening the shared content.

If you ask me, I would recommend organizations to go with the below settings to ensure your data is under control.

Hope this is informative. We will see external sharing with other domains and the external user experience in my next post.
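The same slider and advanced settings can be applied tenant-wide from the SharePoint Online Management Shell, which is useful when the configuration has to be repeatable and verified. This is an added example (not the post's own recommended settings, whose screenshot is not reproduced here); it assumes the module is installed, and "contoso-admin" and "partner.example.com" are placeholders for your admin URL and partner domains.

```powershell
# Added example: set and verify tenant-level external sharing with Set-SPOTenant.
# Placeholders: the admin URL and the allowed partner domain list.
param(
    [string]$AdminUrl         = 'https://contoso-admin.sharepoint.com',   # placeholder
    [string[]]$AllowedDomains = @('partner.example.com')                  # placeholder
)

Connect-SPOService -Url $AdminUrl

# The four slider positions from the post map onto SharingCapability values:
#   Only people in your organization -> Disabled
#   Existing external users          -> ExistingExternalUserSharingOnly
#   New and existing external users  -> ExternalUserSharingOnly
#   Anyone                           -> ExternalUserAndGuestSharing
$settings = @{
    SharingCapability                          = 'ExistingExternalUserSharingOnly'
    # "Let external users share items they don't own" -> off
    PreventExternalUsersFromResharing          = $true
    # "Allow or block sharing with people on specific domains" -> allow list only
    SharingDomainRestrictionMode               = 'AllowList'
    SharingAllowedDomainList                   = ($AllowedDomains -join ' ')
    # "External users must accept sharing invitations using the same account"
    RequireAcceptingAccountMatchInvitedAccount = $true
}
Set-SPOTenant @settings

# Read the values back and compare, so the change is verified rather than assumed.
$tenant = Get-SPOTenant
$report = foreach ($key in $settings.Keys) {
    [pscustomobject]@{
        Setting  = $key
        Expected = $settings[$key]
        Actual   = $tenant.$key
        Match    = ("$($tenant.$key)" -eq "$($settings[$key])")
    }
}
$report | Format-Table -AutoSize
if ($report.Match -contains $false) {
    Write-Warning 'One or more sharing settings did not apply as expected.'
}
```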

Generating a report on SharePoint Online site collections is easy; you can run the below command to export the report.

Connect to SharePoint Online Management PowerShell and run the below command:

Get-SPOSite -Limit All | Export-Csv C:\Temp\SPOsite.csv -NoTypeInformation

The output will be like below, and you can filter it based on your requirement.

All the information about the Site collections in your tenant will be available in the output.
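The raw CSV above is easier to act on once it is filtered for the two things an admin looks at daily: sites that allow external sharing and sites close to their storage quota. The following is an added example (not from the original post) that builds on the same Get-SPOSite command; it assumes you are already connected with Connect-SPOService, and the output path is a placeholder.

```powershell
# Added example: a site-collection review report built on Get-SPOSite.
# Assumes an existing Connect-SPOService session; the output path is a placeholder.
param([string]$OutFile = 'C:\Temp\SPOsite-review.csv')   # placeholder path

# -Detailed populates the slower-to-fetch properties such as LastContentModifiedDate.
$sites = Get-SPOSite -Limit All -Detailed | ForEach-Object {
    # StorageQuota and StorageUsageCurrent are reported in MB; guard against a zero quota.
    $pct = if ($_.StorageQuota -gt 0) {
        [math]::Round(100 * $_.StorageUsageCurrent / $_.StorageQuota, 1)
    } else { $null }
    [pscustomobject]@{
        Url               = $_.Url
        Owner             = $_.Owner
        Template          = $_.Template
        SharingCapability = $_.SharingCapability
        UsedMB            = $_.StorageUsageCurrent
        QuotaMB           = $_.StorageQuota
        UsedPercent       = $pct
        LastModified      = $_.LastContentModifiedDate
        LockState         = $_.LockState
    }
}

$sites | Export-Csv -Path $OutFile -NoTypeInformation

"Sites with external sharing enabled:"
$sites | Where-Object { "$($_.SharingCapability)" -ne 'Disabled' } |
    Sort-Object Url | Format-Table Url, Owner, SharingCapability -AutoSize

"Sites above 80% of quota:"
$sites | Where-Object { $_.UsedPercent -ge 80 } |
    Sort-Object UsedPercent -Descending | Format-Table Url, UsedMB, QuotaMB, UsedPercent -AutoSize

"Full report written to $OutFile ($(@($sites).Count) site collections)"
```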

We can quickly view the SharePoint Online Management Shell version using the below command:

Get-Module *Sharepoint* | fl

In addition, we can check the version number of this file to find the SharePoint Online Management Shell version:

C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.Online.SharePoint.PowerShell.dll

Why is it required?

Microsoft may say that a few things will work only on a particular PowerShell module version. So it is better to know which version of the SharePoint Online Management Shell you are using.

Configuring the OWA session timeout is an important security measure that every organization should follow to keep the organization's data safe. Below are the default session timeout settings for Outlook Web Access (OWA) or Outlook on the Web (OotW).


OWA forms-based authentication provides 2 options to choose whether you logged in from a private or a public computer. The OWA session timeout depends on the user's selection.

  • If it is a public computer – the OWA session times out after 15 minutes of inactivity
  • If it is a private computer – the OWA session times out after 8 to 12 hours of inactivity

Make a note of the words "15 minutes of inactivity". The session will time out only when there is no activity in Outlook Web Access.

Note: Typing something in meeting requests, appointments, contacts, or tasks is not considered activity.

Your corporate security team may advise you to configure a session timeout based on security concerns, e.g. every 15 minutes or once every two hours. To change the setting, you need Organization Administrator rights in Exchange Online and you need to run the below command:

Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled:$True -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled:$True -ActivityBasedAuthenticationTimeoutInterval 00:15:00

You have to wait for quite some time for the settings to replicate. You can run the below command to check that the settings are properly configured:

Get-OrganizationConfig | fl Activity*

The ultimate aim of this post is this: when you set the OWA session timeout to a short interval and have configured an Azure Conditional Access policy to trigger MFA when accessing an Exchange Online mailbox in OWA, the user experience will be affected, as users have to complete the MFA challenge every time they log in to OWA.

Educate your users about the 15-minute OWA session timeout setting and your MFA challenge settings, and if they are users who access only OWA to see their emails, ask them to check the option not to prompt for an MFA challenge for the next 24 hours.

Again, if you think this is a security concern, discuss the challenge with your corporate security team and decide on a solution considering both user experience and security measures.

Hope this is informative and you like it.

Device management in Azure AD is required to ensure the devices connecting to cloud services meet the company's security and compliance standards. If you have on-premises Active Directory, computers belonging to the company are joined to that AD, and administrators have control over those AD-joined devices, like pushing group policies etc.

Joining a computer to Azure Active Directory is similar to joining a computer to local Active Directory. The difference is that Azure AD is in the cloud, and joining a machine to Azure AD provides additional capabilities like a single sign-on experience when accessing applications; we can also restrict access to those devices based on the Azure AD join status using Azure Conditional Access.


There are three types of device join to Azure Active Directory:

  • Hybrid Azure AD Join: Device joined to on-premises Active Directory and Azure Active Directory.
  • Azure AD Join: Device joined directly to Azure AD (not joined to an on-premises AD domain).
  • Azure AD Registered (Workplace Join): Device registered with Azure Active Directory, like Windows 10 personal and mobile devices.

During Azure Conditional Access validation, all the above devices joined to Azure are considered domain-joined devices and the respective settings will be applied.

Hybrid Azure AD Join in Windows 10

The Windows 10 device registration process is explained as follows:

  1. Group Policy pushed to the machine starts the device registration with Azure AD.
  2. The Windows device queries AD to get information about the Azure AD tenant.
  3. The Windows device authenticates itself to Azure AD via ADFS to get a token for device registration.
  4. The Windows device generates the key pairs used for device registration.
  5. The Windows device registers with Azure AD via the Azure Device Registration Service.

Below is the detailed explanation of how Hybrid Azure AD Join works.

We need to configure a few things for Hybrid Azure AD Join to work properly, like the AD Connect deployment, Group Policy and the ADFS issuance transform rule etc. Those prerequisite configuration steps are not explained here. We will assume they are already set and will see the flow of how the Azure AD join works on a Windows 10 machine.

  1. Group Policy is pushed to the Windows 10 clients, which creates a scheduled task for device registration, and the task is triggered.
  2. The Windows 10 client queries AD for the Service Connection Point object, which holds the details of the Azure AD tenant the client has to connect to. The Azure AD Connect deployment creates those objects. I have highlighted the path for reference on the diagram.
  3. Azure AD tenant information, like the Azure AD name and ID, is sent to the Windows 10 client.
  4. A hidden internet browser is launched and an OAuth authorization code request is sent to Azure AD.
  5. Azure AD redirects the client to authenticate with ADFS.
  6. The client reaches ADFS, presenting the computer account as its identity using Windows Integrated Authentication. Note: If the device is on the internet, the authentication will fail because the WAP server uses forms-based authentication and you will not see the prompt in the hidden browser to authenticate.
  7. ADFS validates the computer identity with AD.
  8. After successful authentication, AD sends the claim details to ADFS.
  9. ADFS sends a token along with 3 claims to the Windows client, which the device will send to Azure AD for authentication.
  10. The client sends the token, along with the 3 claims about the device received from ADFS, to Azure AD.
  11. Azure AD trusts the token from the ADFS server, as it is already integrated, and sends a final token to the client for Azure device registration.
  12. The device creates a private/public key pair to be used in a certificate signing request to Azure DRS, to obtain the certificate that the device will use to authenticate to Azure AD later on. In addition, the task generates a second private/public key pair that is later used to bind the Primary Refresh Token (PRT) to the physical device upon authentication.
  13. The task sends the certificate signing request, along with the final token received from Azure AD, to the Azure Device Registration Service.
  14. Azure DRS authorizes the token, creates a certificate, creates a device object with the certificate thumbprint and returns the certificate to the client.
  15. The client stores the certificate in the User My store.

As you can see above, the device registration is successful. For the single sign-on experience in Windows 10, the Primary Refresh Token will be received from Azure AD.

When the user signs in to the client with his credentials, the Cloud Authentication Provider plug-in in the Windows client authenticates with Azure AD and ADFS to obtain the Primary Refresh Token. The Cloud Authentication Provider knows the Azure AD and ADFS details from the cache populated during device registration. The Cloud AP plug-in sends the credentials directly to ADFS, gets a SAML token and presents it to Azure AD for authentication; Azure AD authenticates it, builds a PRT with both user and device claims and returns it to the Windows device.

I hope this is informative and you like it. Please comment for any clarification.
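After the registration and PRT flow above, the first thing to check on a client that is not getting SSO or not passing Conditional Access is its actual join state. The following is an added example (not from the original post) that parses the output of the built-in dsregcmd /status command and maps it onto the three join types listed earlier; it assumes dsregcmd.exe is available (Windows 10) and prints "Key : Value" lines, and it ships with a constructed sample output for offline testing.

```powershell
# Added example: classify a Windows 10 device's Azure AD join state from dsregcmd /status.
# Assumes dsregcmd.exe is on the PATH; -Sample uses the constructed output below instead.
param([switch]$Sample)

# Constructed sample of the relevant dsregcmd /status lines (trimmed for brevity).
$constructedSample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Keep only "Key : Value" lines; the box-drawing headers do not match.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinType {
    param([hashtable]$State)
    $aad    = $State['AzureAdJoined']   -eq 'YES'
    $domain = $State['DomainJoined']    -eq 'YES'
    $wpj    = $State['WorkplaceJoined'] -eq 'YES'
    if ($aad -and $domain) { return 'Hybrid Azure AD joined' }
    if ($aad)              { return 'Azure AD joined' }
    if ($wpj)              { return 'Azure AD registered (Workplace Join)' }
    return 'Not joined to Azure AD'
}

$lines = if ($Sample) { $constructedSample -split "`r?`n" } else { & dsregcmd.exe /status }
$state = ConvertFrom-DsregStatus -Lines $lines
Write-Host ("Join type : {0}" -f (Get-JoinType -State $state))
# AzureAdPrt is the Primary Refresh Token described in the SSO paragraph; "NO" means the
# device registered but the user sign-in flow did not obtain a PRT.
Write-Host ("PRT       : {0}" -f $state['AzureAdPrt'])
Write-Host ("Tenant    : {0}" -f $state['TenantName'])
```

With the sample the result is "Hybrid Azure AD joined" with a PRT present; on a real machine run it without -Sample.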

Let us assume that an Exchange Hybrid organization has pointed its MX record to Office 365 or Exchange Online Protection; the mail flow then works as shown in the below diagram.

In this article, we will see how the inbound and outbound flow works when email routing is configured to go through Exchange Online Protection.

Inbound Mail Flow

  1. The MX record points towards the Office 365 tenant, so Exchange Online Protection receives the email and performs recipient validation using Directory Based Edge Blocking; if the recipient is not available, the email is dropped.
  2. Anti-virus scanning occurs (EOP has 3 AV engines).
  3. Recipient resolution occurs, e.g. distribution group expansion.
  4. Transport rules are applied; if an email is marked as spam by a transport rule, it is quarantined.
  5. Anti-spam protection occurs, which includes content scanning, Outlook safe sender validation, URL blocking, bulk mail filtering and international spam filtering.
  6. The email passes through the customer delivery pool and then on to the on-premises server.

Outbound Mail Flow

  1. An Office 365 or on-premises user sends an email.
  2. Virus scanning occurs.
  3. Recipient resolution.
  4. Transport rules are applied.
  5. Spam protection.
  6. Outbound delivery pool.
  7. Recipient MX resolution.
  8. Delivery to the recipient domain.

If an outbound email is identified with a high spam score, then it is delivered via the high-risk delivery pool.

Above is a high-level illustration of how mail flow works in Office 365.