Office 365

Microsoft Insists on Office 365 E5 for Automatic Decryption of Protected Documents in eDiscovery Searches


Feature Should be in Core eDiscovery

Sources inside Microsoft tell me that approximately 10% of eligible Office 365 tenants use sensitivity labels to protect information with encryption. Reflecting Microsoft’s recent efforts to increase coverage of sensitivity labels, notably through native support in the Office desktop apps and much better support in SharePoint Online, the number of tenants using sensitivity labels for both information protection and container management is steadily growing.

To apply sensitivity labels to messages and documents manually, users need at least the Office 365 E3 plan; to have labels applied automatically, they need Office 365 E5. Users with lower plans can read protected files, but they can’t apply labels. We know that Microsoft has sold just under 300 million Office 365 seats. Assuming that the enterprise segment is roughly two-thirds of this number and that the 10% figure holds, maybe 20 million people are using sensitivity labels, which adds up to a lot of protection.

Protected Content and eDiscovery

All of which brings me to Microsoft’s documentation for how to handle protected content exported for eDiscovery cases. We’re talking about email and documents protected using sensitivity labels (Microsoft Information Protection) or the older Azure Rights Management technologies. In a nutshell, the situation is this:

  • After you enable sensitivity labels for Office files in SharePoint Online, Microsoft Search can index the encrypted content and make it available for eDiscovery. Encrypted email is always indexed and discoverable.
  • When you use a Core eDiscovery case or content search to find protected content, the export feature decrypts protected messages and attachments but does not decrypt protected files stored in SharePoint Online or OneDrive for Business.
  • To get automatic decryption of exported files (some exceptions exist, like sensitivity labels with user-defined permissions), you need the export capability built into Advanced eDiscovery. And to use Advanced eDiscovery, you need Office 365 E5 licenses for every account covered by the eDiscovery case.

It’s possible to decrypt protected content before export by removing sensitivity labels from files using the Microsoft Graph. Another solution is to assign rights management super-user permission to an account and use the account to run the PowerShell Set-AIPFileLabel cmdlet to remove labels from files. Although these solutions are available to Office 365 E3 tenants, the process of extracting and decrypting content is intensely manual and unsuitable for dealing with large numbers of files. The super-user route also needs care: a super user can decrypt any content the tenant has ever protected, so the feature should be enabled only for as long as the job takes and its use should be logged and audited. It’s so much easier when Office 365 does all the heavy lifting to find, decrypt, and export content.
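To show what the manual route looks like in practice, here is an added example (my own script, not code from the article or from Microsoft) that walks an exported folder, finds the files that still carry rights management protection, removes their labels with Set-AIPFileLabel under a temporarily enabled super user, and keeps a decryption log for the case file. The export path, the service account address, and the justification text are hypothetical; it assumes the AIPService and AzureInformationProtection PowerShell modules are installed and that the account running it is an Azure Information Protection administrator.

```powershell
# Added example (not from the original article): decrypt protected files that
# came out of a Core eDiscovery / content search export, using the AIP
# super-user feature and Set-AIPFileLabel -RemoveLabel.
# Assumptions: AIPService + AzureInformationProtection modules are installed,
# the caller is an AIP admin, and the export sits under the hypothetical path below.

Import-Module AIPService
Import-Module AzureInformationProtection

$ExportRoot    = 'C:\eDiscovery\Case123'          # hypothetical export folder
$SuperUser     = 'ediscovery-svc@contoso.com'     # hypothetical service account
$Justification = 'Case 123: decrypt for legal review'

Connect-AipService

# A super user can open everything the tenant has ever protected, so enable the
# feature only for the duration of the job and record who was added.
Enable-AipServiceSuperUserFeature
Add-AipServiceSuperUser -EmailAddress $SuperUser
Write-Host "Super users now: $((Get-AipServiceSuperUser) -join ', ')"

# Only files that actually carry RMS protection need touching; labeled-but-
# unencrypted files are left exactly as exported.
$Protected = Get-ChildItem -Path $ExportRoot -Recurse -File |
    Get-AIPFileStatus |
    Where-Object { $_.IsRMSProtected }

$Results = foreach ($File in $Protected) {
    try {
        # -RemoveLabel strips the label and its protection; the justification is
        # written to the AIP audit trail together with the file name.
        $r = Set-AIPFileLabel -Path $File.FileName -RemoveLabel `
                -JustificationMessage $Justification -PreserveFileDetails
        [pscustomobject]@{ File = $File.FileName; Label = $File.MainLabelName; Status = $r.Status; Comment = $r.Comment }
    }
    catch {
        [pscustomobject]@{ File = $File.FileName; Label = $File.MainLabelName; Status = 'Failed'; Comment = $_.Exception.Message }
    }
}

# Keep the decryption record with the case; reviewers and auditors will ask for it.
$Results | Export-Csv -Path (Join-Path $ExportRoot 'decryption-log.csv') -NoTypeInformation
$Results | Where-Object { $_.Status -ne 'Success' } | Format-Table -AutoSize

# Remove the standing super-user right as soon as the job is done.
Remove-AipServiceSuperUser -EmailAddress $SuperUser
Disable-AipServiceSuperUserFeature
```

Run it from the workstation that holds the export, not from a shared server: the decrypted copies are now plain files, and the folder deserves the same access controls as the case itself.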

Decryption Should be a Core Capability

If Office 365 E3 users can apply sensitivity labels to protect content, their tenant administrators should be able to search for and decrypt files retrieved by Core eDiscovery. Although I can understand why Microsoft wants to emphasize the benefits of Advanced eDiscovery by stuffing as much functionality as it can into it, there are enough features (like the ability to display complete Teams conversation threads) in Advanced eDiscovery already. And if Exchange Online is happy to decrypt protected messages and attachments for Core eDiscovery, there’s no good reason for Core eDiscovery not to do the same for files found in SharePoint Online and OneDrive for Business.

Source Practical365


Configuring Microsoft Defender for Office 365


Microsoft Defender for Office 365 (Previously Office 365 Advanced Threat Protection) is a suite of tools/policies that provides powerful protection for your Office 365 environment.

Using features such as Safe Links and Safe Attachments, you can protect Exchange Online, Teams, SharePoint Online, and OneDrive against malicious content in documents and hyperlinks. You can also use the advanced anti-phishing policies to detect and block impersonation and spoofing in Exchange Online. All of this is available under the Defender for Office 365 Plan 1 license.

With the enhanced Plan 2 licensing, you unlock a more in-depth toolset: Threat Trackers and Threat Explorer let you hunt for and report on potential issues in the environment, and Attack simulation training lets you run simulated phishing and malware campaigns to help users stay vigilant.

Note: For a full breakdown of features available under different licensing SKUs, check out the table in this article.

Getting Started

Defender for Office 365 provides a lot of configuration options and thresholds that can be customized to suit your organizational policies and requirements. When getting started, it’s easy to get lost in the sea of checkboxes and buttons.

Luckily, Microsoft has provided some great guidance on this through the Recommendations for EOP and Defender for Office 365. You’ll want to use this page as a guide for your initial setup to make sure you can align with Microsoft recommended practices.

That being said, there is a lot of manual work involved in going through the documentation and updating your configuration in line with the guidance provided. A nice way to get a quick report on the configuration status of Defender for Office 365 is to run the Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA).
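To make the gap analysis concrete, here is a small added check of my own (it is neither ORCA nor code from the article) that reads a handful of anti-phishing, Safe Links, Safe Attachments and spam filter settings with Exchange Online PowerShell and compares them with what I take to be the Standard-level recommendations. The expected values in the table are assumptions and should be re-checked against the current Microsoft recommendations page before anyone acts on a finding; the script assumes the ExchangeOnlineManagement module and an account with the Security Reader or Security Administrator role.

```powershell
# Added example (not from the article, and not ORCA): a hand-rolled gap check
# for a few EOP / Defender for Office 365 settings against the "Standard" level.
# The Expected values are assumptions; verify them against Microsoft's current
# recommendations page. Assumes the ExchangeOnlineManagement module.

Connect-ExchangeOnline -ShowBanner:$false

$Baseline = @(
    @{ Policy = 'AntiPhish';  Setting = 'PhishThresholdLevel';         Expected = 3 }
    @{ Policy = 'AntiPhish';  Setting = 'EnableMailboxIntelligence';    Expected = $true }
    @{ Policy = 'AntiPhish';  Setting = 'EnableSpoofIntelligence';      Expected = $true }
    @{ Policy = 'AntiPhish';  Setting = 'EnableFirstContactSafetyTips'; Expected = $true }
    @{ Policy = 'SafeLinks';  Setting = 'EnableSafeLinksForEmail';      Expected = $true }
    @{ Policy = 'SafeLinks';  Setting = 'EnableSafeLinksForTeams';      Expected = $true }
    @{ Policy = 'SafeLinks';  Setting = 'EnableSafeLinksForOffice';     Expected = $true }
    @{ Policy = 'SafeLinks';  Setting = 'ScanUrls';                     Expected = $true }
    @{ Policy = 'SafeLinks';  Setting = 'AllowClickThrough';            Expected = $false }
    @{ Policy = 'SafeAttach'; Setting = 'Enable';                       Expected = $true }
    @{ Policy = 'SafeAttach'; Setting = 'Action';                       Expected = 'Block' }
    @{ Policy = 'SpamFilter'; Setting = 'BulkThreshold';                Expected = 6 }
    @{ Policy = 'SpamFilter'; Setting = 'HighConfidencePhishAction';    Expected = 'Quarantine' }
    @{ Policy = 'SpamFilter'; Setting = 'QuarantineRetentionPeriod';    Expected = 30 }
)

# Pull every policy of each type: a tenant usually has a default plus custom
# ones, and a hardened custom policy is no help to users it isn't scoped to.
$Policies = @{
    AntiPhish  = @(Get-AntiPhishPolicy)
    SafeLinks  = @(Get-SafeLinksPolicy)
    SafeAttach = @(Get-SafeAttachmentPolicy)
    SpamFilter = @(Get-HostedContentFilterPolicy)
}

$Findings = foreach ($Check in $Baseline) {
    foreach ($Pol in $Policies[$Check.Policy]) {
        $Actual = $Pol.($Check.Setting)
        [pscustomobject]@{
            PolicyType = $Check.Policy
            PolicyName = $Pol.Name
            Setting    = $Check.Setting
            Actual     = $Actual
            Expected   = $Check.Expected
            Compliant  = ("$Actual" -eq "$($Check.Expected)")
        }
    }
}

# Gaps first on screen; the full table goes to CSV so the next run can be diffed.
$Findings | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
$Findings | Export-Csv -Path ".\mdo-gap-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Settings are only half the story: a Safe Links or Safe Attachments policy does
# nothing for recipients no rule covers, so show the rule scopes as well.
Get-SafeLinksRule      | Select-Object Name, State, Priority, SentTo, SentToMemberOf, RecipientDomainIs
Get-SafeAttachmentRule | Select-Object Name, State, Priority, SentTo, SentToMemberOf, RecipientDomainIs

Disconnect-ExchangeOnline -Confirm:$false
```

The point of the last two lines is the one most often missed in a manual review: a policy can match the recommendation line for line and still leave half the company unprotected because its rule only targets a pilot group.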


Tony Akers has published a great article on using the ORCA tool here, which I highly recommend reviewing sooner rather than later.

The ORCA tool aims to help administrators compare their configuration against the recommendations and perform a gap analysis against their live settings. Microsoft has now made this even easier by directly integrating the ORCA functionality into the Microsoft 365 Security Portal.

This integration comes in two forms, Preset Security Policies, and Configuration Analyzer. Later in this article, I’ll review how to use each of these tools to make configuring Defender for Office 365 an easier process.

Preset Security Policies

Preset Security Policies are useful for organizations that don’t want to spend a whole lot of time and effort tweaking settings and are happy enough to comply with the recommendations provided. The policies can be found in the “Threat Policies” section of the Microsoft 365 Security Portal and offer two “flavors” of protection: Standard and Strict.

The policies align with the Standard and Strict levels defined in the Microsoft recommendation documentation and once configured, there is no customization involved.

The policies can be assigned to users, groups, or mail domains, similar to any Defender for Office 365 Policies. Simply select the baseline you want to apply as shown in Figure 1, select the assignment for EOP and Defender for Office 365 settings, and you’re done!

*It’s important to note the order of precedence. If a user is covered by both presets, the Strict policy wins over the Standard one, and both preset policies take precedence over any custom Defender policies you have built; the default policies apply last. A custom policy therefore has no effect on users who are also assigned a preset, so check the preset assignments before troubleshooting a custom policy that appears to be ignored.

Figure 1: Defender for Office 365 Preset Security Policies

Configuration Analyzer

Configuration Analyzer integrates the functionality of the ORCA tool directly into the Microsoft 365 Security Portal. Found in the same location as the Preset Security Policies, the Configuration Analyzer takes the concept of the PowerShell-based ORCA and expands on it. The Analyzer page is split into two sections:

  • Settings and recommendations
  • Configuration drift analysis and history

The “Settings and Recommendations” page gives a view of any policy item that doesn’t align with a particular baseline. Here you’ll see the policy item, policy type, current setting, and recommended setting, as shown in Figure 2:

Figure 2: Configuration Analyzer – Settings and recommendations.

For any items that skew from the baseline, there is also a handy “Adopt” option that can be used to remediate any setting listed to bring it in line with recommendations. Clicking this will prompt you to confirm the policy change and once confirmed, the setting will be automatically changed as shown in Figure 3:

Figure 3: Adopting Baseline Configuration Items.

Along with the comparison and remediation that the Configuration Analyzer provides, the “Configuration drift analysis and history” section lets you view changes made to the configuration over time. This analysis shows which settings have been changed, by whom, and when.

We can also see how the changes affected the comparison to baselines. In Figure 4, the change I made in the above section can be seen logged and the “Configuration Drift” column is showing an increase, which means it moved the configuration closer to the baselines. This data can also be exported as a CSV file for long-term storage or documentation:

Figure 4: Historical changes are available in the Configuration Drift Analysis and History section.


Defender for Office 365 allows a lot of room for customization based on customer requirements; however, not every organization will need to stray too far from the Microsoft recommendations.

That’s where Preset Security Policies and Configuration Analyzer step in: they help you align quickly with the guidance provided, so you can focus on the settings that matter most in your environment.

Source Practical365


Microsoft 365 E3 License vs. Microsoft 365 E5 License


There is little debate that the Microsoft 365 E5 license is a fantastic product, and over the past two years the E5 offering has matured to the point where Microsoft customers should be even more receptive to the upgraded license. If anything, customers see major benefits from a one-stop-shop approach that replaces the need for third-party endpoint protection and mail hygiene solutions with Microsoft 365 E5 services like Microsoft Defender for Endpoint and Microsoft Defender for Office 365.

But does everything residing only in Microsoft 365 E5 truly belong there?  I’ve been pondering this question for a while now and believe that there is a compelling case for certain premium features to make the journey over to Microsoft 365 E3.

Pros vs. Cons

The benefits are two-fold in my opinion: First, it makes important security features that are no longer simply “nice to have” more accessible to a wider customer base.  It also gives Microsoft the incentive to stay at the leading edge of innovation and bring new and exciting features to their premium offering. While this rationale definitely made sense to me, I was curious as to what my colleagues thought, so I decided to pose the question on my Twitter feed:

Figure 1: Opening a can of worms on social media around the Microsoft 365 E5 debate.

The responses were numerous and quite varied, with many opinions on the matter. Before we examine the responses, it should be noted this licensing discussion revolves around Microsoft 365, not Office 365 – two very different things. For example, basic Microsoft 365 E3 security capabilities are not included within the Office 365 E5 license. For more information on how Microsoft 365 and Office 365 differ, you can also refer to this Microsoft page.

Which Features are the Most Wanted in Microsoft 365 E3?

After tallying up the responses, most of those voting for Microsoft 365 E5 were only voting for those specific E5 features.  However, there were two clear favorites in Privileged Identity Management and Auto labelling (Table 1):

Table 1: Twitter survey responses.

Other non-feature specific responses included:

  • Eliminate add-on licenses such as Viva and SharePoint Syntex, and add these to Microsoft 365 E5
  • Custom license bundles with competitive pricing
  • A new SKU for Power BI read-only included in Microsoft 365 E3
  • Eliminate Microsoft 365 E3 entirely, and change Microsoft 365 Business to no user limit
  • Make tenant wide license feature activation less confusing
  • Custom search indexes

So, some quite interesting responses indeed, and overall, a wider range of answers than I anticipated.  What, if anything, can we derive from this straw poll? Let’s examine some of the key takeaways.

Privileged Identity Management and Auto Labeling – an Expensive Luxury

Privileged Identity Management (PIM) enables just-in-time and approval-based access to privileged roles within Microsoft 365.  This means that users who require occasional access to elevated roles do not need to have them permanently assigned to their accounts.  They instead activate the roles on-demand for a limited period of time.

The benefits of this are self-evident: the attack surface shrinks when fewer accounts hold standing privileged roles. Without PIM, powerful admin roles will inevitably be granted to users and then forgotten about, and every forgotten assignment is an account whose compromise hands an attacker that role.
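To show both halves of what the two paragraphs above describe, here is an added example of mine (not code from the article) using the Microsoft Graph PowerShell SDK: first an audit of who holds Global Administrator as a permanent assignment rather than as a PIM-eligible one, then a user’s own just-in-time activation of an eligible role for a bounded period. The user principal name, ticket reference and two-hour duration are hypothetical; it assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules and a tenant licensed for PIM.

```powershell
# Added example (not from the article): audit standing Global Administrator
# assignments, then self-activate an eligible role through PIM.
# Assumes Microsoft.Graph.Identity.Governance + Microsoft.Graph.Users modules
# and a tenant with Azure AD Premium P2 / Microsoft 365 E5.

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','RoleAssignmentSchedule.ReadWrite.Directory','User.Read.All'

# Well-known role template ID for Global Administrator.
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

# --- Audit: who holds the role permanently ("granted and forgotten")? -------
# Schedule instances carry AssignmentType: 'Assigned' (direct/permanent or
# time-bound) versus 'Activated' (a PIM activation in progress).
$Instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -All

$Standing  = @($Instances | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime })
$Activated = @($Instances | Where-Object { $_.AssignmentType -eq 'Activated' })
$Eligible  = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -All)

Write-Host ("Global Admin: {0} permanent, {1} currently activated, {2} eligible via PIM" -f
    $Standing.Count, $Activated.Count, $Eligible.Count)

foreach ($a in $Standing) {
    # Resolve users for a readable report; groups and service principals fall
    # back to their object ID.
    $who = $a.PrincipalId
    try { $who = (Get-MgUser -UserId $a.PrincipalId -ErrorAction Stop).UserPrincipalName } catch { }
    Write-Host "  permanent: $who"
}

# --- Just-in-time activation of an eligible role --------------------------
$Me = Get-MgUser -UserId 'admin@contoso.com'      # hypothetical UPN of the caller

# Only roles the caller is eligible for can be self-activated.
$MyEligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($Me.Id)' and roleDefinitionId eq '$GlobalAdminRoleId'"
if (-not $MyEligible) { throw "$($Me.UserPrincipalName) is not eligible for Global Administrator" }

$Request = @{
    action           = 'selfActivate'
    principalId      = $Me.Id
    roleDefinitionId = $GlobalAdminRoleId
    directoryScopeId = '/'
    justification    = 'INC-4711: repair a Conditional Access policy (hypothetical ticket)'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'AfterDuration'; duration = 'PT2H' }   # lapses after two hours
    }
}
$Activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $Request
Write-Host "Activation request $($Activation.Id): $($Activation.Status)"
# 'Provisioned' means the role is live now; 'PendingApproval' means the role
# settings require an approver before it becomes active.
```

The audit loop is the part worth scheduling: a count of permanent Global Administrators that goes up between runs is exactly the drift that PIM is meant to make visible.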

Auto labeling with Microsoft Information Protection provides the means to automatically assign a sensitivity label to Microsoft 365 content based on matches to built-in sensitive information types. This is an important feature because it reduces the burden on the end user, who often does not realize when it’s appropriate and important to apply a label to an email or document.
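As an added illustration of the mechanism (my own script, not from the article), here is an auto-labeling policy created with Security & Compliance PowerShell and deliberately started in simulation mode, so the tenant can see what would have been labeled before anything changes. The label name, site URL and sensitive information type are hypothetical, and the tenant needs the E5-level licensing the article is discussing.

```powershell
# Added example (not from the article): create an auto-labeling policy in
# simulation mode, attach the detection rule, and show how to promote it.
# Label name, site URL and information type are hypothetical.

Connect-IPPSSession

$PolicyName = 'Auto-label: payment card data'
$Label      = 'Confidential'                                   # existing sensitivity label (assumed)
$Site       = 'https://contoso.sharepoint.com/sites/finance'   # hypothetical site

# Simulation first: TestWithoutNotifications evaluates content and records
# matches without applying the label or alerting users.
New-AutoSensitivityLabelPolicy -Name $PolicyName `
    -ApplySensitivityLabel $Label `
    -SharePointLocation $Site `
    -Mode TestWithoutNotifications `
    -Comment 'Created in simulation; switch to Enable after reviewing matches'

# The rule is the detection logic. Requiring at least two high-confidence
# matches keeps a single test card number in a document from labeling it.
New-AutoSensitivityLabelRule -Policy $PolicyName -Name "$PolicyName - rule" `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '2'; minConfidence = '85' } `
    -Workload SharePoint

# After reviewing the simulation results in the compliance portal, turn it on:
# Set-AutoSensitivityLabelPolicy -Identity $PolicyName -Mode Enable

Get-AutoSensitivityLabelPolicy -Identity $PolicyName | Select-Object Name, Mode, ApplySensitivityLabel
```

Leaving the policy in simulation for a week or two is not caution for its own sake: an auto-applied label that encrypts content also changes who can open it, so false positives on a shared finance library are an availability incident, not just noise.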

So, what would the impact on Microsoft be if these features were included in Microsoft 365 E3?  It’s difficult to speculate, but these are only two features of Microsoft 365 E5. Their inclusion in the more affordable licensing tier would demonstrate that Microsoft is committed to making important security and compliance features accessible to their wider customer base, and not just those who can afford the cost of a Microsoft 365 E5 subscription.

This is also unlikely to significantly affect subscriptions to Microsoft 365 E5.  Many Microsoft 365 E5 features are justifiably included in the premium subscription, and Cloud App Security and Advanced eDiscovery are two good examples of this.  We have also seen recent innovations with Microsoft 365 E5, such as Insider Risk Management and Communication Compliance.  Therefore, it seems there will still be plenty of exclusive features for Microsoft 365 E5 subscribers.

Questions to Consider

An important question that may provide somewhat of an answer to this debate is, “Where should you start with your Microsoft 365 Security and Compliance posture?”  In this article, Microsoft recently provided updated Security and Compliance guidance aimed specifically at the UK public sector.

They separate their Security and Compliance control capabilities into three categories – Good, Better, and Best. Microsoft recommends “starting with Better”, which does require some Microsoft 365 E5 functionality.

If “Better” is the minimum recommendation for a Security and Compliance posture for Microsoft 365 public sector customers, then there’s also an argument to be made that even the lowest SKUs (e.g., Office 365 E1) should have at least “Good” security controls.

If you’re surveying Microsoft customers, they will of course answer that they would like the most useful parts of Microsoft 365 E5 as part of Microsoft 365 E3. But If “Better” is the recommended and essential starting point from Microsoft, then why sell products that don’t include these key features?

Playing Devil’s Advocate

Whilst this survey clearly shows there is an appetite for more choice when it comes to Microsoft 365 licensing, there are some other perspectives to consider.

For example, if Microsoft Defender for Office 365 were to be included in Microsoft 365 E3, this could lead to protests from third-party vendors from a competition law standpoint. There are many widely adopted third-party security products used with Microsoft 365 and if a premium feature like Defender became more widely accessible, then many customers may be tempted to discontinue such third-party subscriptions.

We should also consider that some of the premium features of Microsoft 365 E5 may have a clear ongoing cost to Microsoft to run, and these couldn’t simply be thrown into Microsoft 365 E3.  This may be the case for Auto-labelling, for example.

Teams Phone System is a difficult one. Customers must bring their own SIP trunk or purchase calling plans.  On that basis, should they also have to purchase Microsoft 365 E5?  There may be ongoing costs to Microsoft for Teams Phone System that justify this, but we can’t say for sure.

That being said – there is one glaring offender within Microsoft 365 E5 that I find impossible to defend.

Teams DLP Does Not Belong in Microsoft 365 E5!

The presence of Data Loss Prevention for Teams within Microsoft 365 E5 only, is baffling to me.  The arguments above on adding PIM, Auto labeling, or any other Microsoft 365 E5 feature to Microsoft 365 E3 can be debated and counter-argued, as can the need for more customization within license SKU’s.

If I’m going to stick my neck out on one opinion though, it’s that I genuinely don’t feel that DLP for Teams is correctly allocated when it comes to licensing.  How can it be fair for DLP to apply to the other key services within Microsoft 365 within the Microsoft 365 E3 subscription, but not the most relevant product in Microsoft’s recent history – Teams? It’s difficult for me to wrap my head around this decision.


Licensing is often a confusing and divisive subject, and at the end of the day, it’s all about opinions – of which there will be many.  Whilst no one could expect Microsoft to “give away the farm,” there is always a balance that can be struck or a compromise to be made.

What is clear is that there’s a common view from customers and partners that unless some of the premium features are added to Microsoft 365 E3, these customers will need to either consider buying Microsoft 365 E5 licenses; uplift current licenses for some or all users; or continue to rely on third-party alternative solutions.

Source Practical365


Microsoft 365 and Office 365: Microsoft’s Confusing Branding


The recent 10th anniversary of the launch of Office 365 brought some questions about the demarcation between Office 365 and Microsoft 365. For instance, do I have an Office 365 tenant or is it a Microsoft 365 tenant? Is a feature part of Microsoft 365 or does it belong to Office 365? And why does Microsoft insist on calling its desktop Office apps Microsoft 365 Apps for enterprise? Welcome to the bizarre world of branding, and that’s before throwing Windows 365 into the mix.

Like any other publication which covers Microsoft productivity and collaboration technology (a wide enough spectrum), we struggle with when to say Office 365 and when it’s time to switch to Microsoft 365. To begin, we can say:

  • Office 365 is the cloud ecosystem for Microsoft Office servers (Exchange Online, SharePoint Online, and Skype for Business Online), including components like Azure AD and Teams, all included in the Office 365 license plans like Office 365 E3 and E5. Microsoft targets these plans at enterprise customers.
  • Microsoft 365 is the wider ecosystem for Microsoft cloud productivity which includes areas like Information Governance, Information Protection, Compliance, and Viva. Although some Microsoft 365 functionality is covered by the Office 365 E5 plan, many features need additional licenses. For instance, Viva Topics is based on SharePoint Online, but to use Topics, you need additional per-user licenses.

For the purpose of accounting, Microsoft divides Office 365 into commercial (the enterprise services) and consumer (subscription versions of Office desktop) and reports separate numbers for revenue and user base for each segment (see the transcript of Microsoft’s Q4 FY21 results).

Muddy Waters

Microsoft muddies the water by selling a range of Microsoft 365 plans tailored for small to medium organizations that include elements of the Office 365 plans. The range of Office 365 plans designed for consumer use (covering the desktop Office applications) were redesignated as Microsoft 365 in April 2020.

The problem didn’t exist when Microsoft launched Microsoft 365 in July 2017. At that time, Microsoft 365 was a bundle to allow enterprise customers to buy:

  • Office 365 Enterprise (E3 and E5).
  • Enterprise Mobility and Security.
  • Windows 10 Enterprise.

The packaging proved popular, and many customers moved from Office 365 plans to Microsoft 365 plans. The success encouraged Microsoft to apply the Microsoft 365 brand more liberally, including changing the Office Pro Plus subscription desktop applications to become Microsoft 365 Apps for enterprise. At times, it seemed like any new product ended up with a Microsoft 365 prefix. Such is the nature of a broad-brush rebranding exercise.

Lines of Demarcation

After that leadup, here’s the current situation boiled down into a bulleted list:

  • Office 365 is a license plan chiefly sold to enterprise customers.
  • Office 365 enterprise services like Exchange Online, SharePoint Online, Teams, Planner, and OneDrive for Business run inside a Microsoft 365 tenant.
  • Tenants using Office 365 enterprise services can license optional Microsoft 365 capabilities like Information Governance and Information Protection.
  • Tenants can also license other Microsoft cloud services not branded as Microsoft 365, such as Viva Topics, SharePoint Syntex, and Microsoft Cloud App Security.
  • Office 365 enterprise services consume many other parts of the Microsoft cloud infrastructure like Azure Key Vault and Azure Active Directory. In fact, Teams consumes many Azure microservices.
  • Apart from being a branding strategy, Microsoft 365 is also a licensing strategy spanning plans targeted at consumer, SMB, and enterprise accounts.

All of which means that when we mention Office 365 in an article, we’re usually talking about the capabilities covered by the Office 365 E3 and E5 plans. When we discuss optional components not covered (or partially covered) in those plans, we are specific as in Microsoft 365 Compliance or Microsoft Information Protection.

This is probably clear as muck, but it’s as close to clarity and precision as you’re going to get in a situation where Microsoft applies the Microsoft 365 moniker so liberally in so many ways while leaving the Office 365 plans intact.

Source Practical365


Ten Years On, Office 365 Backup is More Challenging Than Ever Before


I’m not known to be an avid supporter of backup for Office 365 data. ISVs operating in this space do a reasonable job with Exchange Online and SharePoint Online, largely based on years of experience gained with on-premises servers, but struggle with applications like Teams and Planner. These applications have no on-premises counterpart, connect components drawn from across Microsoft 365, and don’t have an API suitable for backup and restore, which is not a great foundation for any backup product. And the surprising thing is that the problem of backup and restore for Office 365 has worsened since its launch ten years ago.

Issues with Restoring Office 365 Data

Leaving backup aside, the restore side of the equation is even more problematic. Among the issues I see are:

  • The amount of data which might need to be restored is typically larger in the cloud than with on-premises servers. An Exchange Online enterprise mailbox with an archive might span 250 GB (or more). OneDrive for Business accounts can grow to 25 TB, and so on. Remember, Microsoft likes tenants to have all their data in Office 365. The more data in Microsoft’s datacenters, the harder it is to move to another cloud service.
  • The challenge of restoring data into applications where no programmatic access is available. How, for instance, can you restore tasks into a Planner plan?
  • The difficulty of restoring integrated applications. Is restoring Teams just a matter of restoring channel conversations, including private channels and soon shared channels? What about the SharePoint sites belonging to teams and private channels, personal and group chats, plans, and apps?
  • The big question is finding a suitable restore target. If Office 365 is unavailable, what is a valid target to put the restored data? On-premises servers might be able to handle some mailbox and document data, but how quickly can these servers be brought online to deliver service to users, including linking an on-premises directory to these objects? Restoring to on-premises servers isn’t possible for cloud-only apps like Yammer, Teams, and Planner. And it’s hard to see how you could move the data to a different cloud service.

The Need for an Online Restore Target

Practically speaking, tenants need Office 365 and Azure AD to be online to restore data. And if a tenant is online, the instances when data needs to be restored include scenarios like:

  • Cyberattack (ransomware) encrypts user data.
  • Malicious or accidental deletion of user data which cannot be recovered using the methods built into Office 365.

Looking at how attacks have developed, it seems clear that documents and email are the most likely data ransomware seeks to encrypt. With that in mind, given that backup for documents and email is well covered, perhaps the attention of anyone concerned about ransomware should focus on these workloads. Not only are there many backup products available which can process this information, documents and email are the easiest to restore if a problem erupts.

The ransomware scenario is a real concern, but tenants can make sure that they’re not an easy target for attack by eliminating basic authentication wherever feasible, using multi-factor authentication for as many accounts as possible, and educating users how to recognize phishing and malware which gets through mail hygiene services. I don’t know of any Office 365 tenants that have been victims of a ransomware attack, but the fact that Microsoft publishes advice to help tenants recover from an attack indicates that this has happened.
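The first of those three mitigations is the one a tenant admin can finish in an afternoon, so here is an added example of mine (not from the article) that does it with an Exchange Online authentication policy: inventory the mailboxes still exposing legacy protocols, create a policy that blocks basic authentication for everything, pilot it on one user, then make it the tenant default. The policy name and the pilot user are hypothetical; it assumes the ExchangeOnlineManagement module. Microsoft has since switched basic authentication off for most Exchange Online protocols, leaving SMTP AUTH as the one still under tenant control, and an authentication policy is still what enforces that.

```powershell
# Added example (not from the article): block basic authentication in
# Exchange Online with an authentication policy. A newly created policy has
# every AllowBasicAuth* switch set to False, so no per-protocol flags are needed.
# Policy name and pilot user are hypothetical; assumes ExchangeOnlineManagement.

Connect-ExchangeOnline -ShowBanner:$false

$PolicyName = 'Block Basic Authentication'

# Know who will break before you break them: the Azure AD sign-in logs
# (Client app = legacy protocols) are authoritative; this at least lists
# mailboxes that still have the older protocols switched on.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}
# Confirm every AllowBasicAuth* property reads False.
Get-AuthenticationPolicy -Identity $PolicyName | Format-List Name, AllowBasicAuth*

# Pilot on one account. The policy applies after the user's next token
# refresh; STSRefreshTokensValidFrom forces that refresh immediately.
$Pilot = 'pilot.user@contoso.com'   # hypothetical user
Set-User -Identity $Pilot -AuthenticationPolicy $PolicyName
Set-User -Identity $Pilot -STSRefreshTokensValidFrom (Get-Date).ToUniversalTime()

# Then make it the default so every user without an explicit policy is covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# Verify: users holding a different explicit policy are the exceptions to review.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -and $_.AuthenticationPolicy -notlike "*$PolicyName*" } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

The exception list at the end is the part to revisit monthly: a service account granted a permissive policy "temporarily" during the rollout is exactly the account that password-spray tooling will find.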

Stopping Rogues

Malicious removal of user data is often referred to as the “rogue administrator” problem, when someone who has permissions deletes data because they are disaffected for some reason (like they’ve just been fired). I don’t doubt that some become very annoyed and want to hurt a company, but I don’t know of many instances where this happened. Perhaps the extensive auditing of actions within Office 365 (which proves who did what and when) is enough to dissuade potential rogues from carrying out their plans. Or maybe it’s because tenants can use tools like Privileged Access Management and Privileged Identity Management to limit administrator access to data.

Accidental Deletion

Out-of-the-box tools available in some Office 365 applications can help with the data removed accidently problem. For instance:

  • The recover deleted items (email) feature available in Outlook clients. Exchange Online administrators can also recover deleted items for users through the new EAC or with PowerShell.
  • The restore library feature available for SharePoint Online and OneDrive for Business allows the retrieval of deleted files for up to 30 days.
  • Administrators can recover deleted items in mailboxes and sites if retention policies cover the locations or the items had retention labels. A content search can find and export copies of deleted items. Although you can use retention policies and labels to stop the permanent removal of data, these are tools for information governance and not backup. However, because policies retain data for set periods, a good chance exists that it will be possible to retrieve items deleted in error, assuming that the data are in locations covered by retention processing and the retention period does not expire.

User-centric features don’t handle large-scale recovery well. If you need to retrieve 100,000 documents or 100 mailboxes, restoring data from a backup is usually faster. That is, if you have a backup. If you don’t, you can still use the out-of-the-box tools in the knowledge that retrieval will be slower.
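To show what the slower, built-in route looks like at scale, here is an added example of mine (not code from the article) that does a bulk recovery after a bad day: it previews and then restores items deleted from a set of mailboxes within a time window using Get-RecoverableItems and Restore-RecoverableItems, and restores a user’s deletions from a SharePoint site’s first-stage recycle bin with PnP PowerShell. The time window, the department filter, the site URL and the deleting account are hypothetical; it assumes the ExchangeOnlineManagement and PnP.PowerShell modules.

```powershell
# Added example (not from the article): bulk recovery with the out-of-the-box
# tools, for mailboxes and for a SharePoint site, after deletions in a window.
# Window, mailbox filter, site URL and account are hypothetical.

Connect-ExchangeOnline -ShowBanner:$false

# Window in which the deletions happened (taken from the audit log, typically).
$Start = (Get-Date '2021-06-14 08:00').ToUniversalTime()
$End   = (Get-Date '2021-06-14 18:00').ToUniversalTime()

# Mailboxes to process: a department here, but a CSV or every mailbox works too.
$Mailboxes = Get-Mailbox -ResultSize Unlimited -Filter "Department -eq 'Finance'"

# Dry run first: count what the window would bring back per mailbox, so the
# restore is deliberate rather than a blanket undelete.
$Counts = @{}
foreach ($mbx in $Mailboxes) {
    $items = Get-RecoverableItems -Identity $mbx.PrimarySmtpAddress `
        -SourceFolder RecoverableItems -FilterItemType IPM.Note `
        -FilterStartTime $Start -FilterEndTime $End -ResultSize Unlimited
    $Counts[$mbx.PrimarySmtpAddress] = @($items).Count
}
$Counts.GetEnumerator() | Sort-Object Value -Descending | Format-Table Name, Value -AutoSize

# Restore returns items to the folder they were deleted from when that is
# known; its output is the per-item restore log worth keeping with the incident.
$Log = foreach ($mbx in $Mailboxes) {
    if ($Counts[$mbx.PrimarySmtpAddress] -eq 0) { continue }
    Restore-RecoverableItems -Identity $mbx.PrimarySmtpAddress `
        -SourceFolder RecoverableItems -FilterItemType IPM.Note `
        -FilterStartTime $Start -FilterEndTime $End -ResultSize Unlimited
}
$Log | Export-Csv -Path ".\mailbox-restore-$(Get-Date -Format yyyyMMddHHmm).csv" -NoTypeInformation

# SharePoint / OneDrive: put back everything one account deleted from a site in
# the same window, out of the first-stage recycle bin (deleted on/after the date).
Connect-PnPOnline -Url 'https://contoso.sharepoint.com/sites/finance' -Interactive   # hypothetical site
$Deleter = 'someone@contoso.com'                                                      # hypothetical account
Get-PnPRecycleBinItem -FirstStage -RowLimit 5000 |
    Where-Object { $_.DeletedByEmail -eq $Deleter -and $_.DeletedDate -ge $Start -and $_.DeletedDate -le $End } |
    ForEach-Object { $_ | Restore-PnPRecycleBinItem -Force; $_.LeafName }
```

Two things this shows that the list above only implies: the mailbox route works per mailbox and per window, so a hundred mailboxes means a hundred passes and a restore log to reconcile, and the recycle bin route depends on the items still being inside the retention window, which is why the preview step comes first.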

Gaps in Restore

Which brings us back to the issue that backup tools can handle Exchange Online and SharePoint Online but struggle with other Office 365 workloads. If someone deletes a bunch of tasks in a plan, you won’t get them back because Planner doesn’t have a recycle bin or other intermediate deletion point. If someone deletes a bunch of messages in a group chat, you might be able to retrieve the compliance records for those messages but won’t be able to insert them back into the chat. And anyway, some of the content in the messages will be missing (like reactions). If someone deletes all the registered app details from Azure AD, any app which had consent to use the Graph APIs to access Office 365 data is nullified.

The point is that restoring all the connections which constitute an Office 365 tenant and its active workloads is a devilishly complex undertaking. So much so that I doubt that the complete restoration of a tenant, its configuration, and all its data can be done automatically. It might be possible to demonstrate such a feat with a test tenant with a small amount of data. But once the imperfections of operational life take hold (evident in symptoms like group sprawl), the difficulties facing any restore operation mounts. This doesn’t mean that an imperfect restore has no value. If your tenant is dead in the water, any restore is better than none.

Ten Years On

Office 365 is approaching its tenth anniversary. It’s odd that a situation exists where comprehensive tenant-wide backup and recovery spanning all workloads is impossible. This is especially true given that it was possible to contemplate such an operation for the original applications included in Office 365 in June 2011. The introduction of cloud-only applications and the massive growth in data since has created the challenges we now face. Microsoft has remained oddly passive in this area and left the running to ISVs, who are handicapped by the lack of suitable APIs. Let’s hope the situation improves over the next decade.

Source Practical 365


Office 365 10-Year Anniversary Series: SharePoint Online Reflections


The Beginning of My Journey into the Cloud

In June 2011, I was a consultant with EMC Consulting focused on migrating customers’ legacy Notes applications to SharePoint and moving SharePoint 2003, 2007, and 2010 customers to SharePoint 2013. That same month, Office 365 reached general availability, and I wondered how long it would be until there was an offering for SharePoint to be included in Microsoft’s cloud offering.

In July of 2012, a public beta of SharePoint Online was made available, and in February 2013, Office 365 SharePoint Online was released, adding a whole new dynamic for SharePoint migration planning.

I looked at this release as being the first of many releases. This was an online version of what was available in the on-premises product – with some limitations. While the feature set in the online version lagged the on-premises version, I knew this would change over time.

Changing the Conversation

Most of my conversations with customers with regards to Office 365 centered around SharePoint migrations and custom applications. Third-party application providers were quickly moving to provide SharePoint Online migration tools. As a result, all the conversations that I had with customers and other consultants changed.

I started to pitch SharePoint Online as a new and better target for migrations. It was an easy pitch, too:

  • Migrate once to the cloud and stay there
  • No hardware purchases
  • Sell or repurpose your existing hardware
  • Lower administration costs
  • No planning for upgrades or installing fixes
  • Keep on-premises any applications that are complex and cannot run in SharePoint Online

With regards to custom applications, this was a big concern for customers and consultants looking to maximize their SharePoint investment. These concerns extended even more to SharePoint Online. But I saw an opportunity to standardize and simplify most of the applications, and there were some good third-party form and workflow applications available to support my view.

Pitching to Cloud-Weary Skeptics

Of course, in those early days, there were still a lot of customers not ready to buy into the cloud. I explained that they may be able to justify staying on-premises this year. But the argument for going to the cloud would get stronger every year until they would eventually not be able to refute it. Eventually, I believed, changes would happen faster in the cloud than on-premises.

There were usually three types of customers who were ready to make the move:

  1. Moving content from a legacy platform (e.g., Lotus Notes) and starting over on SharePoint Online
  2. Ready to move from SharePoint 2007 or 2010 to the cloud – at least with some of their collaboration applications
  3. Introducing SharePoint Online as the new collaboration solution

The first and second sets of customers had a better chance at adopting SharePoint Online as their users were forced to use it. Both sets struggled with migrating custom applications. The third set of customers managed adoption issues with their users.

Fast Forward to the Present!

In an amazing and fortunate turn of events, I now manage the same migration products I used to recommend as a consultant in my role at Quest! We’ve seen tremendous growth in the number of Microsoft 365 users over the past ten years. We’ve all seen the SharePoint Online platform add many new and amazing features over the past ten years. One of the most popular Office applications ever (Microsoft Teams) uses SharePoint Online for storing most of its content.

10 years later and instead of an on-premises migration, you now have a tenant-to-tenant Office 365 migration. Check out this e-book to learn the Top Five Ways to Prepare for Your Next Office 365 Tenant Migration.

Source Practical 365


Office 365 10-Year Anniversary Series: The Arrival of Cloud Voice


My first exposure to cloud-hosted Exchange came when I was invited to join Microsoft’s “Exchange Labs” dogfood program that Microsoft. (Editor’s note: “dogfood” refers to the Microsoft Exchange development group’s servers running the latest internal build of the software; “eating your own dogfood” means that you run your software to find bugs. Sometimes the theory worked, sometimes it didn’t.)

At the time, there were a few efforts inside Microsoft to develop what was then known as “hosted Exchange,” mostly for telcos and other large service providers. But Exchange was far in the vanguard of this effort—everyone else, including Office Communications Server and SharePoint, was firmly grounded in the on-premises world.

Better Together

A big part of my job at the time was working with, and teaching about, the integration between Exchange and OCS (later Lync) for voice. Let’s call this the “better together” phase of my work with the BackOffice suite. It revolved around features such as Exchange Unified Messaging, which I used to call “the champagne of server roles.”

Microsoft had come up with the UM feature set as a way to sell Exchange by offering lower TCO and better features than traditional on-premises (or PBX) voicemail systems, and it was pretty successful—so they then wanted to use Exchange UM as a way to sell OCS and Lync to replace the phone systems themselves.

This was a big stretch at the time, because enterprise phone systems typically had legendary reliability and uptime, and on-premises Microsoft products couldn’t necessarily match that in lots of environments. A big part of my work was helping customers plan and design more reliable Exchange implementations that were good enough to match their SLAs for voice services.

Voice and BPOS

As Microsoft made the journey from Exchange Labs to BPOS to Office 365, the playing field for voice and IM integration started shifting. Customers who moved their mailboxes to the cloud but wanted to keep unified messaging or Lync/Skype for Business integration had to keep Exchange UM servers on-premises, for one thing, which made it hard to move completely to the cloud, but when Microsoft created Cloud Voicemail to work with Exchange Online, the writing was on the wall.

As the overall Office 365 service got more reliable, my work shifted away from “better together” and more towards “get me to the cloud.” Microsoft’s own success at getting Lync, and then Skype for Business, to replace enterprise phone systems held them back though, because a customer who deployed SfB in, say, 2016 wasn’t eager to rip it out and move to Skype for Business Online in 2017…. And then came Teams!

The Advent of Teams

Teams changed my focus to something like the process required to open a box of flat-pack furniture: first, you cut the obvious tape and straps and so forth, then you start removing each piece and its individual packing material, lay it all out, and try to figure out the right layout to get the parts close to where you want them so you can start assembling.

Like many other people swept up in the transition to the cloud, my focus has steadily moved to larger and more abstract requirements. I used to tell people how many disks they needed in each server to get the right Database Availability Group performance; then I moved on to advising people how to move to the cloud; and now I help them understand the larger issues around capability, cost, and compliance that come from moving to the cloud.

Source Practical 365


Office 365 10-Year Anniversary Series: Following Exchange into the Cloud


BPOS: A Name Only Its Mother Could Love

*This is the third article in a continuation of our weekly series celebrating the 10-year anniversary of Office 365; in Part 2, Paul Robichaux details his experiences with the advent of cloud voice.

Before the launch of Office 365, Microsoft’s online service was BPOS, or the Business Productivity Online Suite. BPOS was coined in the Ballmer years, which is why as a name it doesn’t exactly roll off the tongue. Based on Exchange 2007, BPOS managed to grow to a few million seats, and in my mind, demonstrated the feasibility of large-scale cloud Office services, that today (mostly), just work.

Exchange 5.5

As with so many others working with Exchange, my personal journey started with Exchange 5.5. The directory used by Exchange 5.5 later served as the foundation for Active Directory, which may explain why Exchange 2000 was also known in my day as the first “killer application” to use Windows 2000’s Active Directory. This was done by extending the schema to save configuration data in a highly accessible and self-repairing repository.

Without appreciating why, the lessons I learnt about directories and LDAP, mail routing, this “new” thing called SMTP and so many other fundamental technologies, proved essential to the understanding of an entire world. In the on-premises world, Exchange opened the understanding to Active Directory, RBAC, clustering, storage, networking, DNS, load balancing, certificates, voice over IP via Unified Messaging, the list goes on.

Mastering Exchange

While BPOS was growing up into Office 365, I increased my investment in understanding Exchange Server by joining the Microsoft Certified Master Program for Exchange 2010. Honestly, it was the hardest thing I have achieved in my professional career. The depth of understanding we gained in three weeks of training in Redmond was unsurpassed. For example, our first three days each consisted of 14 hours on SMTP. The same level of depth applied to absolutely every nuance we could imagine within the product. We quite literally wallowed in nuances of the Exchange 2010 sizing calculator and learnt how to deploy at scale using the Exchange Preferred Architecture.

Exchange 2013 followed with continued innovation, better clustering, Active-Active Database Availability Groups across datacenters, simplification of name spaces, etc. It was all good and I was happy to share my knowledge of Exchange with customers and the technical community.

Following Exchange into the Cloud

Exchange Hybrid evolved too, going from manual deployment in Exchange 2010 SP1 which required many manual steps, to the first wizard-based deployment in Exchange 2010 SP2.

My focus shifted incrementally from upgrading Exchange on-premises towards achieving a sustainable long term hybrid state and migrating workloads at scale. I swapped my outbalancing workshops for client rollout and Outlook upgrade workshops. I stopped memorizing URLs used for load balancing in favor of remembering what client functionality was enabled using Outlook 2010 Service Pack 2 with the required hotfixes to connect to Exchange Online.

My world shifted radically away from on-premises deployment, towards understanding how to create and maintain the adoption of the purely service-oriented nature, known as Exchange Online.

The lessons learnt from working with Exchange on-premises still hold true in many respects though. For example – collapsing Exchange Online Tenants is not radically different from collapsing Exchange forests. Retaining reliability on old messages using X500 addresses is a concept as old as Exchange itself, having its origins in the Exchange 5.5 world of X.400 based name spaces.

Exchange Today

My world has changed significantly over the last 10 years, from 3-year adoption cycles increasing to quarterly updates, to then becoming “evergreen.” I live in a state of duality, with one foot in a de-emphasized on-premises landscape, and the other in the cloud where I must know how to adopt and gain the best possible performance with fewer dials to turn and parameters to adjust.

The on-premises world I invested in so significantly to build, enable, upgrade, and migrate towards, is now enabled by the ticking of an option in Office 365. Where does that leave me personally? Having grown up with the cloud and built several cloud services myself, my appreciation has grown for just how amazing the achievement and scale of Office 365 really is. Cloud scale also enables speed and agility, where it will take us from here who knows – but we can’t see where we’re headed next without knowing where we’ve come from.

Source Practical 365


Is Your ISP Lying to You?


As an admin, let’s imagine a scenario with Outlook performance issues. These could be email send/receive performance issues, Outlook hanging when switching folders, or simply slow shared calendars.

Understandably, we’re in the middle of a global pandemic – and you may be reading this from the comfort of your home office, or perhaps you are required to be on-premises now.

This network troubleshooting guidance will span both scenarios. You may recall a previous article on this topic explained the many possible causes of network latency at a high level.

In this article, we take a deeper dive to uncover the exact construction of our networks without needing to unplug anything.

Since this article is about the practicalities of network troubleshooting, we will start with the command line.

On Windows, start up a CMD or a PowerShell session; if you are working on macOS or Linux, start up a terminal.

I will be using MacOS’s terminal to illustrate the output but will be sharing both Windows, and MacOS/Linux commands.

The first thing we want to do is find our local Exchange Online Front Door. The concept of service front doors and why they matter is documented in the Office 365 network connectivity principles. However, the TL;DR version is as follows:

  • Microsoft owns one of the largest privately held global networks in the world.
  • This network is peered at many locations across the world and provides service front doors.
  • Service Front doors accept requests for Office 365 services in your country/province/state.
  • These requests are routed, at Microsoft’s cost, to wherever the actual service is located (the mailbox, the OneDrive site, etc.).
  • Connecting to the service front door closest to you is the goal!

If you are following along on the command line, you are about to find your local Exchange Online Front Door, or if you see something that does not look local, we will find out why.

You can follow along with the examples below and note the output. Later, we will compare the result we are about to generate with another example.

In the illustration below, we have numbered our steps and highlighted the output:

Step 1 – In a command line of your choice, type nslookup and hit Enter.

Step 2 – Next, type and hit Enter.

Figure 1 – Author NSLOOKUP using local ISP.

In my environment, using my ISP’s locally provided DNS, I receive an Exchange Online Front Door address of “”. The first three letters of the returned FQDN reveal that this front door is situated in Cape Town, as I would expect.

Next, I need to know how “far away” my Exchange Online Front Door is. As in our above example, in the illustration below, we have numbered our steps and highlighted the output:

Step 1 – In Windows, use tracert; on MacOS, use traceroute to reveal the number of network hops between ourselves and our chosen front door:

Figure 2: author traceroute to local Exchange Online Front Door.

Notice that in step three of our traceroute, we hit the Microsoft peering point in my local ISP’s Internet Exchange, which is relatively optimal, with step 4 routing onto the Microsoft network. This result is an accumulation of three factors:

  1. Local ISP breakout
  2. Local DNS resolution allowing me to find the closest service front door when queried
  3. ISP peering shortening the route to the Microsoft network.

In our previous article, we discussed how local ISP breakout and local DNS resolution are required to satisfy the Office 365 network connectivity principles; ISP peering is a new concept. I’ll step away from the command line for a second to explain why we even care.

ISP Peering and why you should care

In the traceroute example above, we illustrated that my ISP’s peering with Microsoft enables me to connect to the Microsoft network (* quickly, over four hops. Once I’m connected, Microsoft uses a concept known as cold potato routing to accept my traffic and backhaul it to wherever it needs to go to reach my desired service. Network peering is a well-documented space for ISPs wishing to shorten the path to Microsoft services.

Microsoft publicly documents their AS Number – a numbering system allowing ISPs and Exchanges to exchange routing information – as “ASN 8075”. Since the internet is a well-documented space, we can see how Microsoft have peered using

Searching for “8075” lifts the hood of how extensively Microsoft have invested in this space when we note both Public Peering (Internet Exchange points and ISPs) and Private Peering (direct physical connection) points:

Figure 3: ASN 8075 shown on PeeringDB.

Using the filter facility, I can filter using the name of the Private Peering Facility used by most ISPs in South Africa, “Teraco”:

Figure 4: Private Peering filtered by name.

Clicking on the Cape Town URL reveals the list of South African ISPs who are peering with Microsoft using a similar peering methodology:

Figure 5: ISPs peering with Private Peer “Teraco”

Clicking on each ISP/Peer Name in turn documents who is peering with whom, therefore displaying inter-ISP peering agreements.

Peering – Why should we care?

Not peering can dramatically increase the network distance between ourselves and Microsoft, which we now know is not optimal. For example, a client in the securities industry exhibited “slowness” when using Exchange Online for their call center agents. Using traceroute, my team discovered that their ISP needed 15 network hops to connect to a Microsoft front door hosted in their city. Addressing the issue with the ISP removed 150ms worth of network latency. Ideally, that number should be well under 20ms.

Using global DNS services

Many of us, including some of our ISPs or corporate networks, use third-party DNS services, like Google (, or Cloudflare (, and the like, and need to understand that often these services are not local to you. Here’s an example using the same two tools we used earlier – nslookup and traceroute. You can follow along from your location and note the result.

Using the same convention used above, in the illustration below, we have numbered our steps and highlighted the output:

Step 1 – In a command line of your choice, type nslookup and hit Enter.

Step 2 – Type server and hit Enter. This command changes the DNS server to Google-provided DNS.

Step 3 – Next type and hit Enter.

Figure 6: NSLOOKUP using

Suppose you spotted that the resulting location code “LHR” looks like the airport code for London Heathrow in the United Kingdom and confirmed your suspicion by searching for where the four IP addresses listed above reside. In that case, you can conclude that this front door is not in Cape Town but in the United Kingdom. The three-letter code prefix is usually the closest airport code. In this article, we have seen CPT – Cape Town, and LHR – London Heathrow.

Here’s an old trick – ping. We will ping each host in turn – first, my local Exchange Online Front Door resolved using local DNS, then the remote host returned using Google DNS – and examine the results:

Figure 7: Ping comparisons of two Exchange Online Front Doors

Note that on Windows, your command line would not use the “-c3” parameter (the macOS/Linux option that limits ping to three echo requests).

The picture here demonstrates an average latency of 11.5ms for my local front door, which is expected. The remote front door resolved using Google DNS averages just under 160ms. This picture demonstrates the effect of using non-location aware DNS and the latency impact of hair pinning traffic to a central global location.
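As an added example (not code from the article), here is a small Python script that applies the rules of thumb above to the command output you collected: the three-letter location prefix of the front-door FQDN, the hop count from traceroute or tracert, and the average RTT from ping in either macOS/Linux or Windows format. The hostnames, TEST-NET addresses and command output inside it are constructed placeholders, not the article’s real values.

```python
"""Apply the article's front-door checks to nslookup, traceroute and ping output."""
import re
from statistics import mean

# Constructed sample output (not captured from a real session); the front-door
# hostnames and TEST-NET addresses are placeholders, not the article's real values.
LOCAL_FQDN = "cpt-front-door.placeholder.example"
LOCAL_TRACEROUTE = """\
traceroute to cpt-front-door.placeholder.example (203.0.113.10), 64 hops max
 1  192.168.0.1 (192.168.0.1)  1.1 ms  0.9 ms  1.0 ms
 2  198.51.100.1 (198.51.100.1)  4.2 ms  4.0 ms  4.1 ms
 3  198.51.100.9 (198.51.100.9)  6.3 ms  6.1 ms  6.0 ms
 4  203.0.113.10 (203.0.113.10)  11.5 ms  11.2 ms  11.3 ms
"""
LOCAL_PING = """\
PING cpt-front-door.placeholder.example (203.0.113.10): 56 data bytes
64 bytes from 203.0.113.10: icmp_seq=0 ttl=110 time=11.2 ms
64 bytes from 203.0.113.10: icmp_seq=1 ttl=110 time=11.9 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=110 time=11.4 ms
--- cpt-front-door.placeholder.example ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 11.200/11.500/11.900/0.294 ms
"""
REMOTE_FQDN = "lhr-front-door.placeholder.example"
REMOTE_PING = """\
Pinging lhr-front-door.placeholder.example [203.0.113.20] with 32 bytes of data:
Reply from 203.0.113.20: bytes=32 time=158ms TTL=108
Reply from 203.0.113.20: bytes=32 time=161ms TTL=108
Reply from 203.0.113.20: bytes=32 time=159ms TTL=108
    Minimum = 158ms, Maximum = 161ms, Average = 159ms
"""


def front_door_code(fqdn: str) -> str:
    """Three-letter location prefix of the front-door FQDN (usually an airport code)."""
    m = re.match(r"([A-Za-z]{3})", fqdn.strip())
    if not m:
        raise ValueError(f"no location prefix in {fqdn!r}")
    return m.group(1).upper()


def hop_count(traceroute_text: str) -> int:
    """Number of hop lines in traceroute (macOS/Linux) or tracert (Windows) output."""
    return sum(1 for line in traceroute_text.splitlines() if re.match(r"\s*\d+\s", line))


def avg_rtt_ms(ping_text: str) -> float:
    """Average RTT from the macOS/Linux or Windows summary line, else the mean of replies."""
    m = re.search(r"min/avg/max[^=]*=\s*[\d.]+/([\d.]+)/", ping_text)
    if m:
        return float(m.group(1))
    m = re.search(r"Average\s*=\s*(\d+)ms", ping_text)
    if m:
        return float(m.group(1))
    times = [float(t) for t in re.findall(r"time[=<]([\d.]+)\s*ms", ping_text)]
    if not times:
        raise ValueError("no RTT samples in ping output")
    return round(mean(times), 1)


def assess(fqdn, ping_text, expected_code, traceroute_text=None,
           max_hops=5, max_rtt_ms=20.0):
    """Flag a front door that is not local, too many hops away, or too slow to reach."""
    findings = []
    code = front_door_code(fqdn)
    if code != expected_code.upper():
        findings.append(f"front door {code} is not the expected local site {expected_code.upper()}")
    if traceroute_text is not None:
        hops = hop_count(traceroute_text)
        if hops >= max_hops:  # the article's target: fewer than five hops
            findings.append(f"{hops} hops to the front door (expected fewer than {max_hops})")
    rtt = avg_rtt_ms(ping_text)
    if rtt > max_rtt_ms:  # the article's target: well under 20 ms
        findings.append(f"average RTT {rtt:.1f} ms exceeds the {max_rtt_ms:.0f} ms target")
    return findings
```

Calling `assess(LOCAL_FQDN, LOCAL_PING, "CPT", LOCAL_TRACEROUTE)` returns no findings for the local sample, while `assess(REMOTE_FQDN, REMOTE_PING, "CPT")` reports both the non-local LHR front door and the high latency.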

Latency is the beginning but not the end

In this article, we cited a pleasing 20ms or so latency to a local front door, which is only a measure of the physical network. Keep in mind your mailbox may not be hosted in the same location as your service front door. The likelihood is good that it is in a different data center altogether, due to the high availability model which Exchange Online uses.

If you have ever opened the Connection Status dialog in Outlook, by holding Ctrl and clicking on the Outlook icon in the notification area, you would have noticed that the “Avg Resp” column is much higher than 20ms. This column is the average response time for a client request; it includes transactions over the entire Layer 7 networking stack that make up an Outlook request over HTTPS, which is much more complicated than a simple ICMP or ping request.

With a multi-geo tenant, your mailbox may be in a completely different part of the world to you; however, your front door connectivity will be local. Thus, your troubleshooting will start but not end with local network latency. Additional factors such as high item counts in critical folders, Outlook online or cached mode, etc., weigh in towards Outlook performance.

What’s Next?

Many reading this are working from home, a home office or connected remotely to HQ via a VPN. You may be experiencing performance issues in Outlook, which are less than pleasing. In this article, we have documented:

  • How to use NSLOOKUP to find the Exchange Online Front Door, which DNS hands to you as the closest location.
  • How to use Traceroute to document how “far away” that Exchange Online Front Door is in relative network terms and document the ISP peering relationship that may be affecting your connection experience.
  • What ISP peering is and how your ISP should be using it for your advantage, which is to connect you to the Microsoft network using the shortest possible routing.

You now have the tools to uncover why your experience connecting to Microsoft services may be sub-optimal, and, if your ISP is not peering efficiently (think fewer than five hops in traceroute as the target), how to document why.

Working from home, or your office location, or even via VPN – you can demonstrate what needs to change.

Source Practical 365


Microsoft OneDrive Gets New Share Feature on Windows and Web


Microsoft OneDrive is about to get a new Share Dialogue through an update coming to the cloud storage and file sharing app. With the change, users will be able to see more easily who they share files with.



Microsoft says the new Share Dialogue in OneDrive will arrive on the Windows 10 and web versions of the service. We presume that will also mean Windows 11 when Microsoft launches the platform later this year.

In terms of the new dialogue, users will now see a “Shared with” section. This instantly lists all contacts you have shared a file with, without needing to dig around. It will make it easier to see who has access to files at a glance.

When you interact with the “Shared with” list, it opens the Manage Access View settings, highlighting details about the file/contact. If you use the new dialogue to send a file, it will provide confirmation of the access.

If you have given access permission to contacts, they can interact with the OneDrive file through Manage Access via the new “Shared with” options.

Microsoft will begin rolling out the new feature in July as a targeted release. By mid-July, the targeted release will be complete. From then, Microsoft will start a wide roll-out to all OneDrive users on Windows and web, expecting to end this process by the end of next month.

64-Bit Version

Back in April, Microsoft finally brought a 64-bit version of OneDrive to Windows 10. Having a 64-bit version of OneDrive is important, Microsoft explains, because it makes it easier to manage large files. Of course, this will depend on whether your version of Windows 10 supports 64-bit.

“The 64-bit version is the right choice if you plan to use large files, if you have a lot of files, and if you have a computer that’s running a 64-bit version of Windows,” Microsoft’s Ankita Kirti says in a blog post.


Source Winbuzzer
