So, you’re an Exchange admin that’s just inherited responsibilities in managing Office 365. We know as well as you that managing Exchange never means just managing Exchange. Well, we’re here to help! Let’s explore what’s changed in Office 365, what you need to keep in mind, and where to begin.
To start, you’re going to need to understand the nuances of how traditional aspects of Exchange are now affecting data security across the whole platform. You’ll immediately see why it’s important that you be part of developing strategies for governance, data security and information life cycle management in Office 365.
Due to how the many applications in Office 365 are integrated with other services, traditional Microsoft IT roles/responsibilities are evolving as organizations move their content to the cloud and Office 365. As these roles overlap more and more, the lines between traditional responsibilities on IT teams are increasingly blurred.
In addition to this, end user-focused settings and features are becoming an increasingly vital part of the daily life of IT Admins. Due to the nature of Exchange Online in Office 365 and how it integrates with the many other Software-as-a-Service (SaaS) applications in Office 365, this is especially true for former Exchange Administrators.
The Short List of Typical Exchange Admin Roles Outside of Email and Email Database Maintenance:
Active Directory: Maintaining user profiles, security, and (sometimes) authentication and networking methodology.
Storage and database admins (sometimes): Server maintenance for Microsoft products and Exchange, and maintenance of the SQL databases.
Network Admins (sometimes): Maintaining network connection between Microsoft-based product servers and even connections to servers running other databases and services.
Backup (sometimes): Frequently in charge of backups for Exchange information, databases and/or servers. May also even be in charge of backup for other (and occasionally all) servers and services.
NOW IN OFFICE 365:
Since Office 365 Groups (built on Exchange) is the central membership service for Office 365 and deeply integrates with other services on the platform, Exchange admins have to coordinate with just about every other application admin on their team.
1. Azure AD and network security/access are still very much tied to Exchange, and the management of Office 365 licenses is extremely important.
It is extremely important to understand multi-factor authentication, how to control the locations and devices that can connect to Office 365, how to enhance security for the cloud platform, and how to manage users, organizational structure and user licenses, as well as how all of these tie into the features available in Office 365.
The Azure AD Admin Center has many options for licensing, authentication and security/security groups, depending on your license in Office 365.
When services are as connected and integrated as they are in Office 365, removing licenses for certain services can dramatically affect how users can interact with their collaboration spaces. Because of this, understanding what features are available with each license (what you get with an E3 or E5 license, for instance), and which of these features your users may actually need can help you not only empower them with more tools to do their daily jobs, but can also ensure a seamless experience as they log in and utilize services in Office 365.
Managing licenses and services in the Admin Center for multiple users can be cumbersome, and many admins use PowerShell for this purpose.
As a general rule (unless you are restricting these services or doing a tiered roll-out of Office 365), especially when it comes to Groups and Teams, users should always have an Exchange, OneDrive, and SharePoint Online license as well as a provisioned Exchange/Outlook mailbox and OneDrive for Business space. If Groups and Teams will be regularly utilized, it’s important not to disable any of the applications tied to these services for these users.
Thankfully, when you apply licenses for users most of these required services are turned on. However, it may still be good to keep track of how much they are consuming and turn off services they may not need. For instance, an organization that has purchased E3 or E5 licenses for all their users may find that a lower-tier license would do for a particular segment of their workforce and could see a reduction in cost by reducing the license grade for those workers.
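One way to check the licensing rule above in bulk, as an added example (not from the original article or from AvePoint): it flags users who have Teams enabled while a service plan Teams and Groups depend on is disabled. The sample records are constructed, `New-Plan` and `Find-TeamsDependencyGap` are hypothetical helper names, and the E3-style plan names are an assumption to adjust for the SKUs in your tenant.

```powershell
# Constructed sample, shaped like Get-MgUserLicenseDetail output with the
# user's UPN added. In a tenant, build it from that cmdlet for each user.
function New-Plan($Name, $Status) {   # hypothetical helper for the sample data
    [pscustomobject]@{ ServicePlanName = $Name; ProvisioningStatus = $Status }
}
$licenseDetails = @(
    [pscustomobject]@{ User = 'alice@contoso.example'; ServicePlans = @(
        (New-Plan 'TEAMS1' 'Success'),
        (New-Plan 'EXCHANGE_S_ENTERPRISE' 'Success'),
        (New-Plan 'SHAREPOINTENTERPRISE' 'Success')) }
    [pscustomobject]@{ User = 'bob@contoso.example'; ServicePlans = @(
        (New-Plan 'TEAMS1' 'Success'),
        (New-Plan 'EXCHANGE_S_ENTERPRISE' 'Disabled'),
        (New-Plan 'SHAREPOINTENTERPRISE' 'Success')) }
    [pscustomobject]@{ User = 'carol@contoso.example'; ServicePlans = @(
        (New-Plan 'TEAMS1' 'Disabled'),
        (New-Plan 'EXCHANGE_S_ENTERPRISE' 'Success'),
        (New-Plan 'SHAREPOINTENTERPRISE' 'Disabled')) }
)

# Assumption: E3-style plan names; OneDrive is covered by the SharePoint plan.
$TeamsPlan     = 'TEAMS1'
$RequiredPlans = 'EXCHANGE_S_ENTERPRISE', 'SHAREPOINTENTERPRISE'

function Find-TeamsDependencyGap {
    param([Parameter(Mandatory)] [object[]] $LicenseDetail)

    # A user may hold several SKUs, so merge all of their plans first.
    foreach ($userGroup in ($LicenseDetail | Group-Object -Property User)) {
        # A plan counts as usable only when provisioning succeeded.
        $enabled = @($userGroup.Group.ServicePlans |
            Where-Object { $_.ProvisioningStatus -eq 'Success' } |
            Select-Object -ExpandProperty ServicePlanName)

        # Users without Teams are out of scope for this check.
        if ($enabled -notcontains $TeamsPlan) { continue }

        $missing = @($RequiredPlans | Where-Object { $enabled -notcontains $_ })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{ User = $userGroup.Name; Missing = $missing -join ', ' }
        }
    }
}

Find-TeamsDependencyGap -LicenseDetail $licenseDetails | Format-Table -AutoSize
```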
2. Office 365 Groups usage heavily affects email distribution strategy.
In addition to the SharePoint site, OneNote notebook, Planner, OneDrive and potential Microsoft Team, every Office 365 Group has an Outlook mailbox and user IDs tied to Exchange. For this and many other reasons, an Exchange license is required for business users to interact with many of the services/information associated with Office 365 Groups.
There are many group options available in Office 365.
New Office 365 Groups are set by default to distribute new messages to all group members, meaning that Office 365 Groups essentially begin as de facto distribution lists. To reduce email clutter and duplication and gain more control over distribution lists (if you have Azure AD premium or AvePoint Cloud Governance), you may set naming conventions to prevent Office 365 Groups from having the same names as your distribution lists and change the default distribution settings for Office 365 Groups in your tenant.
The inbox for Office 365 Groups is virtually indistinguishable from other user Exchange information, but also provides access to the other services in the Group. By default, all emails sent to the Office 365 Group go to all the members of that Office 365 Group.
The other side to this equation is that it may sometimes be best to remove the list and create an Office 365 Group of the same name to not only handle the distribution of email, but also foster more collaboration for those segments of users. Ideally this group could even have a Team attached to convert the distribution list to persistent chat, reducing clutter and storage in Exchange (no more resent/duplicate attachments) while at the same time organizing communications and services for those users.
3. Microsoft Teams helps reduce email clutter and storage.
The persistent chat in Microsoft Teams is a major reducer of email clutter and largely the true death knell of the multi-user email forward with simple, one-line messages. For every Team that is created, however, there also exist all the services of the Office 365 Group on the back end. This leads to an increase in the consumption of resources and, in some cases, clutter.
This adds additional implications to life cycle management, security and data governance in Office 365. Having ways to monitor what’s happening in Teams—including Team membership and who is sharing documents with whom—is still very important.
You need to understand the capabilities of Teams owners, members and now administrators, and to decide who should be assigned those roles and how that assignment will be controlled.
New features like the new Teams administrator role and the new Teams/Skype Admin Portal are increasing the power of Teams administration. At the same time, they can also give end-users too much power over collaboration spaces if not properly managed.
The chat feature (exclusive of Teams and Team Channels) is also extremely important to understand. When one user shares a file with another via the chat, it is uploaded into a folder in the file owner’s OneDrive and then shared with the other user(s) in the chat.
This means that without a comprehensive report of the security of all OneDrive files or granular controls on personal content sharing, users could be collaborating on and sharing just about any kind of information with little to no organizational visibility.
Having tools to get such granular reporting and enforce who can view files based on their actual content may be important for organizations that work with sensitive content such as PII or PCI.
There are tons of Office 365 and external integrations for Teams channel tabs that are enabled for each Team by default.
One last thing to remember with Teams is that the channel tabs in Teams make integrating Teams with other applications, storage locations and other Office 365 services easier than ever. At the same time, this also means that you’ll need to be aware of how your users are integrating services into Office 365 and how to control them.
Teams owners and members who have permission can control applications at the team level and side-load apps into Teams.
4. It’s now much easier for users to share documents from their OneDrive for Business and the Office 365 Groups-based OneDrive for Business as well.
It’s also easier for users to download documents, so Exchange security features are increasingly tied to other Office 365 services like SharePoint and Office 365 Groups. Managing Azure Active Directory security groups may not be enough to govern files stored in collaboration spaces, especially with the rapid adoption of Office 365 Groups and Microsoft Teams. You’ll also need to be aware of external sharing capabilities and may need to turn this feature off at the tenant level.
Controlling lifecycle in other spaces in Office 365 becomes more important as there may not be another “project” time/opportunity to clean up the environment and it’s easier than ever for employees to create a higher volume of varied content.
Having a structured IT team coordination/record keeping process around this is crucial for governance. Many people typically have to work together to understand how such sharing capabilities will affect security and resource consumption.
5. Office 365 comes with data retention and server redundancy features, but not traditional backup capabilities.
In Exchange Online you can keep most user email information for 30 days by default. If you delete a user mailbox after the user account has been disabled, however, that information can no longer be restored once the retention period for deleted user information has expired. The same is true for other collaboration spaces in Office 365. Retention, or legal hold, can be enabled for mail as well as different Teams features (files, chats, etc.) as long as it is enabled within Exchange, SharePoint, and OneDrive.
So, if your retention policies aren’t well thought out and executed, retaining access to a deleted mailbox or Team may prove extremely difficult. Most admins find that “holding” all potentially critical data within Office 365, paying the storage premiums and dealing with the inevitable clutter is not a viable solution in the long term. Remember, a major motivation for moving to the cloud is never having to migrate again.
This means you may never have another project-based opportunity to sort through data and leave much of it behind; you’ll have to manage it on an ongoing basis instead. This isn’t to mention the risk of malware or ransomware that can wipe out this held data. As such, it’s important to have a plan for long-term data retention and for restoring information for your end users, along with the tools (likely a backup solution) to enable granular in-place or out-of-place restore as well as data retention to suit your needs.
AvePoint Cloud Backup enables data retention (up to the life of your contract) and restores granular Office 365 assets including security (or security only!), metadata, and individual calendar events or contacts in Exchange. Out-of-place restore for mailboxes and files provides anytime access to that critical PST or folder. With our automatic, unlimited backup, you can easily secure Office 365 Groups, Microsoft Teams, Exchange, OneDrive, SharePoint, Project Online, and even Dynamics 365.
6. Third-party tools that enable control and governance can majorly reduce the manual burden of oversight of all of these aspects.
Governing the security, properties and lifecycle of Office 365 Groups and Teams, as well as controlling how they are provisioned and who can provision them, are just a few of the features that you get with AvePoint’s Cloud Governance solutions. Out of the box, Cloud Governance is also capable of governing the creation of new users, moving content, changing security and many other actions by controlling who can access the capabilities of each action, enabling multi-stage approvals and providing relevant automated reports that empower IT with scalable oversight while still reducing their burden of managing all of the features in Office 365.
Features like recertification enable IT admins to lock down collaboration spaces where business users have improper levels of access with the click of a button right from security reports. Approvals can similarly be handled in one step right from a business, IT or security user’s email inbox.
7. This level of functionality can increase the ROI you are getting out of services like Office 365 and reduce cost and save time in the long term.
It is vitally important to understand what features are available natively in Office 365 to comprehensively apply a true governance and security policy to meet needs for Exchange, SharePoint and OneDrive for Business along with Office 365 Groups and Teams. AvePoint specializes in products that deliver great value to your implementation. This includes dynamic and automated controls that can increase security and reduce the operational burdens of managing and securing Office 365, SharePoint, and other platforms including file systems.
AvePoint solves the needs mentioned above and many others.
We’ve worked hard to meet the needs of the Exchange admin and business user alike by creating scalable SaaS software that empowers users and increases adoption and ROI from platforms, all while increasing security and governance for the organization. AvePoint is a true one-stop SaaS shop for data protection, security, governance and lifecycle maintenance in Office 365.