Navigating OneDrive and SharePoint for Productivity

Sharing files and providing an intranet platform is a core part of M365. Here, we’re looking at OneDrive for Business (OD4B) for personal file storage and sharing, as well as web-based collaboration in SharePoint.

OneDrive for Business

OD4B builds on SharePoint Online to provide each licensed user with their own document storage, 1TB for most SKUs.

This quota can be increased to 5 TB for certain licenses. Once you store files in OD4B, you can access them from any device through the Android, iOS, Windows, macOS and web clients.

There are some limitations on file names, types, and sizes to be aware of. The OD4B sync client lets you see all the files you have synced on a device.

They can be in an Online-only state where you see them, but they’re not actually present on the device; when you open such a file, it’s downloaded and cached and thus locally available; a user can also pick one or more files to always keep on this device.

You can restrict synchronization to only domain joined devices.

To help users manage the contents of common folders you can use Known Folder Move (KFM) to synchronize the content of the Desktop, Documents and Pictures folders to OD4B and thus between devices.

SharePoint

If you’re an on-premises SharePoint administrator, you’ll be familiar with managing the underlying infrastructure of your servers as well as the complex web of sites and document workflows that end users consume on top of it.

Suppose you’re only now meeting SharePoint in the cloud for the first time. In that case, you’ll likely have a very different experience where you see SharePoint simply as the underlying document storage for other applications (Teams, Groups, Planner) and perhaps as the platform for your company’s intranet.

Building blocks in SharePoint are sites where content is stored, and you can control the layout, theme, navigation, and security with classic and modern flavors.

If you’re starting out or creating new sites, Modern sites are the way to go and there are a few different types available such as Communication sites, Team sites and Hub sites.

Part of a larger vision for SharePoint, the modern sites and pages are very useful as they adapt to screen resolutions across smartphones and different size computer screens.

Search lets you find sites, files (including OneDrive for Business files), people and news content and if there are pictures in the content Artificial Intelligence (AI) will have extracted metadata and (if present) text content from those images.

If you have configured a hybrid deployment your on-premises documents will show up in the search results as well. Apps are add-ins / Web parts that expand the functionality of sites and Site collections are a way to group sites with a similar purpose together.

To set up different sites, use site templates to get you started. If you’re creating an intranet site, there’s an excellent Lookbook service with beautiful sites, providing modern experiences.

SharePoint Syntex is a technology that uses AI and ML to automate content processing and transforms content into knowledge. It understands your documents, processes forms and is applicable to large organizations with complex workflows and processes.

Be aware of the limits of SharePoint Online, particularly the total storage available which is 1 TB + 10 GB per license purchased. Search is an area that you want to spend some time customizing so your end users have a good experience.

Sharing is another area that you want to control as how users can share content internally and (critically) externally directly influences the balance between collaboration and security.
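The sync restriction and the sharing controls described above are both tenant-level settings in the SharePoint Online Management Shell. The following script is an added example (not code from the original article): it records the current posture, tightens sharing to authenticated guests only with view-only internal links by default, locks down one sensitive site further, and limits the OneDrive sync client to domain-joined devices. The tenant name "contoso", the Finance site URL and the domain GUID are placeholders.

```powershell
# Added example: audit and tighten SharePoint Online / OneDrive sharing and sync settings.
# Assumes the SharePoint Online Management Shell is installed and the signed-in account is a
# SharePoint Administrator. "contoso", the site URL and the domain GUID are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Record the tenant-wide sharing posture before changing anything (paste into the change record).
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, PreventExternalUsersFromResharing,
    OneDriveSharingCapability | Format-List

# 2. Tighten sharing: external sharing only to authenticated guests (no "Anyone" links),
#    new links default to people inside the organisation with view-only permission,
#    and guests cannot re-share content they were given.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -PreventExternalUsersFromResharing $true

# 3. A site can be more restrictive than the tenant default, never more permissive;
#    turn external sharing off entirely for a site holding sensitive data.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# 4. Only allow the sync client on devices joined to your AD domain(s), and keep PST and
#    executable files out of sync. Get the GUID with (Get-ADDomain).ObjectGUID on a
#    domain-joined machine; several domains are separated by semicolons.
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids "11111111-2222-3333-4444-555555555555" `
    -ExcludedFileExtensions "pst;exe"

# 5. Verify the result.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    PreventExternalUsersFromResharing | Format-List
Get-SPOTenantSyncClientRestriction
```

Run step 1 and step 5 on their own first and diff the output against what you expect; the sync restriction in particular takes effect only for newly established syncs, so existing syncs on unmanaged devices have to be removed separately.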

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services: 

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.

Conclusion

Migrating content from on-premises SharePoint Server and network file shares to M365 is the job of the SharePoint Migration Tool, as well as numerous third-party services.

If users accidentally delete files or ransomware has encrypted stored files you can use the Restore Files interface to restore files and folders or entire libraries from up to 30 days in the past.

There’s also the Recycle bin (93 days retention) for individual file restores and Restore Files for OneDrive.

FAQ

What is the difference between OneDrive for Business and SharePoint Online?

OneDrive for Business is a file storage service for individual business users, while SharePoint Online is a collaborative platform for team-based file sharing, document management, and intranet capabilities. OneDrive is more geared towards personal storage, while SharePoint supports broader team collaboration.

Do SharePoint and OneDrive work together?

Yes, SharePoint and OneDrive integrate seamlessly within the Microsoft 365 ecosystem. Files stored in OneDrive can be shared and accessed through SharePoint sites, promoting collaboration and ensuring consistency across individual and team-based work.

How do I sync OneDrive for Business with SharePoint?

To sync a SharePoint library to your device, open the library in the browser, select “Sync,” and follow the prompts. The OneDrive sync client (the same client that syncs your OneDrive for Business files) then keeps a local copy of the library, so changes made on the device or in the library are reflected in both; the library stays a SharePoint resource and is not merged into your personal OneDrive.

Streamlining Communication with Exchange Online

Email is the lifeblood of business communication, even in this age of Teams, Slack, and numerous other communication tools. It’s the lowest common denominator – the one tool that you can always use to reach someone if you’ve got their email address.

And email is a commodity – every business needs it, but no business is going to be more competitive by running it “more efficiently” than another.

It’s a Hybrid World

One of the strengths of M365 over Google Workspace, for instance, is the clear migration path from what you have today to the cloud because of Microsoft’s large footprint in corporate data centers around the world. If you have Exchange 2013+ on-premises, you can pick any of the migration methods, some of which provide a hybrid co-existence.

The full hybrid option lets you continue running your on-premises infrastructure for as long as you’d like and move mailboxes in batches to the cloud on your own schedule. You can even move mailboxes back to on-premises should the need arise.

As you’d expect, there are many details to manage in a hybrid setup, including prerequisites, ActiveSync connectivity, and mailbox permissions – especially when a user on-premises has permissions to a mailbox in the cloud or vice versa.

If all you’re looking for is a simple way to move mailboxes from Exchange to Exchange Online – Hornetsecurity has an excellent Mailbox Migration Tool.

Backup and Native Data Protection

One thing to realize about O365 is that Microsoft is going to make sure that you don’t lose your mailbox data, which they do through the native data protection in Exchange – keeping three copies of your mailbox data on separate servers, along with a “lagged copy” (behind in time, for instances where the data is corrupted rather than lost) on a fourth server.

They DON’T, however, keep backup copies of your data going back into the past, which may or may not be an issue for your business, depending on your regulatory needs. Several third-party services on the market will do backups of your Exchange and SharePoint online data. Hornetsecurity 365 Total Backup is an excellent backup solution for mailboxes, Teams, OneDrive for Business, SharePoint, and files on endpoints.

A deleted user account and mailbox can be recovered if no more than 30 days have passed.

Autodiscover

Whether your Exchange server is in the cloud or on-premises it’s important that client applications can find it – this is the job of the Autodiscover records in DNS. There are a number of other DNS records required for M365 as well, among them MX, SPF (TXT), DKIM (CNAME) and DMARC records for mail, plus the records used by Teams and for Intune/Entra device enrollment.

If you have a hybrid Exchange deployment the Autodiscover records need to point to your on-premises Exchange 2016/2019 Mailbox Server.

Managing Mailboxes

There are many tasks associated with mailbox management, one of them is quota management. F3 licenses get 2 GB quotas, E1 are set at 50 GB (with a 50 GB archive) and E3+ have 100 GB quotas with archive mailboxes that can be max 1.5 TB.

The difference between a mailbox and an archive mailbox is that the archive is only available when you’re online. You can control how much mailbox data is stored offline on each device with a slider in Outlook.

If you’re migrating large mailboxes to Office 365, ensure they’re smaller than 100 GB and no item is larger than 150 MB before starting the move.

In the Exchange console you can configure settings for a mailbox such as adding email aliases, see quota usage, control which clients (OWA, Unified Messaging) and the protocols (EAS, MAPI, IMAP and POP) the user can use, message retention and mailbox delegation.

This last option lets you configure other users to Send As emails as the user, Send on Behalf where the recipient can see that the email is sent on behalf of the user, and Full Access.

Mailbox Archive

As mentioned earlier you can enable an Archive mailbox for mailbox content which essentially serves as a “bottomless” storage area for older content, hopefully stopping users from adopting PST files as an archiving solution.

The Outlook mobile client (iOS and Android) cannot access Archive mailboxes. You can enable auto expanding archives for E3 and E5 licensed users using PowerShell:

Set-OrganizationConfig -AutoExpandingArchive

You can also enable Archive mailboxes on a per user basis. Note that the Archive folder that’s created in a mailbox when you right click an item and select archive isn’t related to the Archive mailbox.

Mail Forwarding

Be aware that users can set up their mailboxes to forward mail to an external email address (optionally delivering to both inboxes).

This is something you should keep an eye on because while there may be legitimate business reasons to forward mail, it’s also a favored attack vector for hackers where they silently read emails and then use that for various nefarious purposes.

There’s a report in the Mail Flow dashboard to show you what forwarding rules exist. You can also block users from being able to forward mail in several ways.
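The report in the Mail Flow dashboard shows only part of the picture: forwarding can be set on the mailbox itself or hidden inside an inbox rule, and both are routinely created by attackers who have phished a user. The following script is an added example (not code from the original article) that enumerates both kinds with Exchange Online PowerShell and then turns off automatic external forwarding tenant-wide. It assumes the ExchangeOnlineManagement module is installed and the account used is an Exchange Administrator.

```powershell
# Added example: find every route by which mail can be auto-forwarded out of the tenant, then
# block external auto-forwarding for everyone. Assumes the Exchange Online PowerShell module
# (ExchangeOnlineManagement) and an Exchange Administrator account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Mailbox-level forwarding (set by an admin, or by the user in OWA settings).
#    ForwardingSmtpAddress is the external route; ForwardingAddress points at an internal recipient.
$mailboxForwarding = Get-EXOMailbox -ResultSize Unlimited `
        -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect. Compromised accounts commonly get a rule with an
#    innocuous name that forwards and then deletes, so every rule is checked, not only enabled ones.
$ruleForwarding = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox'; e={ $mbx.UserPrincipalName }}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

"Mailbox-level forwarding:"; $mailboxForwarding | Format-Table -AutoSize
"Inbox-rule forwarding:";    $ruleForwarding    | Format-Table -AutoSize

# 3. Block automatic forwarding to external addresses for all users. The outbound spam filter
#    policy is the control Microsoft recommends; the remote-domain setting is the older control
#    and is set too so that the two never disagree.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Clean up individual findings only after confirming them with the mailbox owner, e.g.
#    Set-Mailbox -Identity <upn> -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
#    Remove-InboxRule -Mailbox <upn> -Identity "<rule name>"
```

Step 2 walks every mailbox and is slow in a large tenant; run it on a schedule and keep the output, because a rule that appears between two runs is itself an indicator worth investigating in the audit log.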

Shared Mailboxes

There are times when you’d like a mailbox that doesn’t “belong” to a particular user, such as sales or support, where you have a team of users accessing the same alias.

As long as the Shared mailbox doesn’t have a larger quota than 50 GB or uses an Archive mailbox, it won’t consume a license.

It’s also one option for handling staff that have left your company while you still need to monitor their email for incoming emails; converting their mailbox to a shared mailbox and assigning access to the appropriate staff will free up the license to be assigned to a new user.

From a security point of view, make sure direct login to shared mailboxes is blocked – users should only access shared mailboxes by adding them as an additional mailbox in Outlook.
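The mailbox delegation options described earlier (Send As, Send on Behalf, Full Access) are exactly what a shared mailbox relies on, and the sign-in block above is the check most often forgotten. The script below is an added example (not code from the original article): it creates a shared mailbox, delegates it all three ways, disables sign-in on its Entra ID account, and then sweeps every existing shared mailbox for an account that is still enabled. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules; the addresses are placeholders.

```powershell
# Added example: create and delegate a shared mailbox, then make sure no one can sign in to it.
# Assumes the Exchange Online and Microsoft Graph PowerShell modules. Addresses are placeholders.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

$shared   = "support@contoso.com"
$teamUser = "alice@contoso.com"

# 1. Create the shared mailbox (no license needed while it stays under 50 GB without an archive).
New-Mailbox -Shared -Name "Support" -DisplayName "Support" -PrimarySmtpAddress $shared | Out-Null

# 2. Delegation:
#    Full Access    - open the mailbox; AutoMapping makes Outlook add it automatically.
#    Send As        - messages appear to come from support@.
#    Send on Behalf - messages show "Alice on behalf of Support".
Add-MailboxPermission   -Identity $shared -User $teamUser -AccessRights FullAccess -AutoMapping $true | Out-Null
Add-RecipientPermission -Identity $shared -Trustee $teamUser -AccessRights SendAs -Confirm:$false | Out-Null
Set-Mailbox -Identity $shared -GrantSendOnBehalfTo @{ Add = $teamUser }

# 3. A shared mailbox gets an unlicensed Entra ID user account with a random password. Block
#    sign-in on it so a leaked or reset password can never be used to log on as the mailbox.
#    (The account may take a minute to appear in Graph after New-Mailbox.)
Update-MgUser -UserId $shared -AccountEnabled:$false

# 4. Same hardening for shared mailboxes that already exist: an enabled account is a finding.
#    Get-EXOMailbox returns ExternalDirectoryObjectId, which is the Graph object id.
Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
    $u = Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property Id, UserPrincipalName, AccountEnabled
    if ($u.AccountEnabled) {
        Write-Warning "Sign-in still enabled on shared mailbox $($u.UserPrincipalName); disabling."
        Update-MgUser -UserId $u.Id -AccountEnabled:$false
    }
}

# 5. Review who can act as the mailbox (the NT AUTHORITY\SELF entries are the mailbox itself).
Get-MailboxPermission   -Identity $shared | Where-Object { $_.User    -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $shared | Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights
(Get-Mailbox -Identity $shared).GrantSendOnBehalfTo
```

Disabling the account does not affect delegated access, which is granted to the delegates' own identities; it only removes the ability to authenticate as the mailbox, which no legitimate workflow needs.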

Mail Contacts And Users

Both Mail Contacts and Mail Users show up in All Contacts, the Global Address List (GAL), and the Offline Address Book (OAB). A mail contact is a pointer to an email address in an external system, whilst a mail user also points to an external address but additionally has an account in the tenant, so it can be given access to SharePoint Online or OneDrive for Business.

The latter is a remnant of on-premises Exchange; modern external sharing in Teams, Planner, and others uses Entra ID business-to-business (B2B) collaboration for guest access.

Distribution Lists

Grouping email addresses together to facilitate communication with teams of people is something that email systems have been doing for decades – in the Exchange Online Admin Center (EAC), you can create Distribution Lists (DL).

Note that the default is to create an M365 Group instead, and in fact, Microsoft is pushing to replace DLs with Groups.

Dynamic Groups make maintaining membership easier, basing the membership on an Entra ID attribute such as “department” – if that’s set to Marketing, for instance, the user is automatically included in the right group.
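Dynamic membership is expressed as a rule in a small query language evaluated by the directory, which is what makes the group self-maintaining. The block below is an added example (not code from the original article) that creates a dynamic security group for the Marketing department with the Microsoft Graph PowerShell SDK; dynamic groups need Entra ID Premium P1, and the group name is a placeholder.

```powershell
# Added example: a dynamic security group whose membership is computed from the department
# attribute. Assumes the Microsoft Graph PowerShell SDK and an Entra ID P1 licence.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# The rule is re-evaluated whenever a user's attributes change; disabled accounts are kept out
# so that a leaver still carrying the department value does not retain group-based access.
$group = New-MgGroup -DisplayName "Marketing (dynamic)" `
    -MailNickname "marketing-dynamic" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.department -eq "Marketing") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState "On"

# Membership processing runs asynchronously; check the result once it has completed
# (usually within minutes for a new rule).
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }
```

For a mail-enabled M365 Group, pass -GroupTypes @("Unified","DynamicMembership") and -MailEnabled:$true instead; the rule syntax is the same. Because membership follows the attribute, whoever can edit the department field in AD (or in Entra ID for cloud-only accounts) can effectively add people to the group, so treat that attribute with the same care as the group.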

Conclusion

In summary, Exchange Online offers a seamless transition to cloud-based communication, providing robust data protection and efficient mailbox management.

Leveraging features like Autodiscover and mailbox archives, organizations can enhance productivity and streamline communication processes.

FAQ

How do I connect to Exchange Online in PowerShell?

Use the “Connect-ExchangeOnline” cmdlet in PowerShell. Install and import the Exchange Online PowerShell module, and then run the cmdlet to initiate a connection. Provide your credentials when prompted.

How do I connect to Exchange Server in PowerShell?

On-premises, the simplest route is the Exchange Management Shell that comes with the Exchange management tools; it opens a remote session to a server and loads the cmdlets for you, and the Connect-ExchangeServer function it defines (for example Connect-ExchangeServer -Auto) switches you to another server. From a plain PowerShell window, create the session yourself: New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<server FQDN>/PowerShell/ -Authentication Kerberos, then Import-PSSession on the result. Either way, the account needs an Exchange RBAC role; running PowerShell as a local administrator grants no Exchange permissions by itself.

How do I Connect to Office 365 in PowerShell?

The older AzureAD and MSOnline modules (“Connect-AzureAD” and “Connect-MSOLService”) are deprecated and being retired, so new scripts should use the Microsoft Graph PowerShell SDK instead: install it with Install-Module Microsoft.Graph and connect with Connect-MgGraph, requesting only the permission scopes the task needs (for example Connect-MgGraph -Scopes "User.Read.All"). Sign in with an MFA-capable account when prompted, and keep the modules updated.

Integrating Azure AD with Microsoft 365

Behind M365 lies a directory which holds user accounts, groups, and other security objects. That was known as Azure Active Directory for many years, even though it had very little in common with Active Directory on-premises. Azure AD was renamed to Entra ID in July 2023. In this article, we’ll look at Entra ID and how you interact with it for M365.

Entra, Priva and Purview

Before we dive into Entra ID, let’s look at the new portal where you’ll be accessing it, entra.microsoft.com.

All identity-related services are housed here, whereas all Information governance-related features are in compliance.microsoft.com, called the Purview portal, and it’s got a section with all the privacy-related features called Priva.

Apart from Entra ID, the Entra portal also houses Entra Permissions Management, which inventories and right-sizes administrative permissions across Azure, AWS, and GCP (IaaS and PaaS) – not related to Microsoft 365 permissions.

There’s also a Verified ID that will help in the future with new hires and managing external identities, as well as Global Secure access. 

Meet Entra ID & Hybrid Identity

AD uses Kerberos and Group Policy, has a hierarchical structure, and is based on LDAP, none of which are cloud-friendly.

Entra ID operates over HTTPS, can be accessed from a REST API, and supports modern authentication protocols such as Security Assertion Markup Language (SAML), WS-Federation, and OpenID Connect for authentication and OAuth for authorization. It also supports federation, so you can connect it to other authentication systems.

There are three identity models supported in Entra ID:

  1. Cloud-only accounts
  2. Directory synchronization (with password hash sync or pass-through authentication)
  3. Federated sign-in, typically with AD FS

The first one is appropriate when you don’t have AD on-premises (or want to retire it) and create accounts in the cloud only. It’s definitely the simplest to configure. 

The other two require linking your on-premises AD to your Entra ID tenant through the free AAD Connect tool.

AAD Connect – Your Umbilical Cord

AAD Connect (renamed Microsoft Entra Connect in 2023; this article keeps the older name) has had several predecessors over the years with different names – if you find an installation using DirSync or AAD Sync make sure to upgrade to AAD Connect as those tools are no longer supported. AAD Connect supports connecting multiple on-premises directories to Entra ID.

There was also a version 1 generation of AAD Connect, which is now retired; you should be running version 2, which can update itself automatically. You can install the tool directly on a DC or on a member server, but treat whichever server you choose as Tier 0: whoever controls it controls what is synchronized into your tenant.

There’s no true active / active HA option but you can set up a second installation of AAD Connect on a separate server in Staging mode and do a manual failover if the primary server is going to be offline for some time.

AAD Connect will synchronize user and group accounts in OUs you select (or the entire directory – not recommended) to Entra ID. You then assign licenses to those user accounts, and they can start using cloud services.

Note that this also means that on-premises is always the place to create new accounts and update, disable, or delete existing ones.

There are a few choices in how you handle passwords in AD. The simplest one is to use Password Hash Synchronization.

This gives your users SSO (even though technically it’s “same sign in” as the two user accounts are in two different directories). Another benefit of this method is that Microsoft can alert you when they find credentials on the web / dark web with accounts from your tenant where the passwords match.

If you’re adamant that your user’s passwords can’t be stored in the cloud (not even a hash of a hash), Pass-through authentication (PTA) is another option.

You set up agents on several (minimum 3, maximum 40) Windows Server 2012 R2+ servers (no inbound ports required) and when a user signs in at www.office.com for instance, Entra ID will verify that the correct password is supplied by communicating with your AD on-premises through the PTA agents.

Both PTA and Password hash sync optionally let you enable Seamless Single Sign On (Seamless SSO), where the user logs on to AD, and when they access www.office.com, they’re automatically logged in.

A companion is AAD Connect Cloud Sync, which is configured from the cloud and only relies on lightweight agents on-premises, this also means you have High Availability built-in, as long as you deploy multiple agents.

Cloud Sync has slowly been gaining feature parity with AAD Connect and the main features missing today are support for device objects, the ability to sync from non-AD LDAP directories, PTA support, some filtering options and large groups with over 250,000 members.

The blocker for many, though, will be that there’s no support for Exchange hybrid writeback. I expect Cloud Sync to eventually replace AAD Connect. The traditional way of not storing password hashes in the cloud is to use AD Federation Services (AD FS).

This is much more complex and requires several servers to be set up on-premises (or as VMs in Azure) but does offer more flexibility. If your organization has already deployed AD FS for other purposes, setting up federation with O365 is not a huge project but my (and Microsoft’s) recommendation is to stick with PTA or Password Hash Sync.

Given the SolarWinds supply chain breach and subsequent intrusion into various organizations using ADFS, along with Microsoft’s recommendation over the last few years to migrate from ADFS to Azure AD, if you have ADFS deployed, it’s time to make the move to Azure AD.

Azure MFA

One of the best things that Entra ID unlocks is the easy setup of Multi-Factor Authentication (MFA) for users.

Passwords are one of the weakest links in today’s IT landscape and the majority of the breaches we see are due to someone’s credentials being compromised. One solution to this problem is using MFA (sometimes known as 2FA or two-step authentication), where authentication requires not only a username and password but also a device or a biometric gesture to be present.

This drastically reduces (by 99%, according to Microsoft) the success of credential attacks.

MFA can call your phone, send a text message with a code, or send a notification / require a code from the free Microsoft Authenticator app. Unless absolutely required, do not use phone calls or SMS; they’re more insecure than the app options.

As a baseline, all your privileged accounts (Global / Exchange / SharePoint / Compliance administrators, etc.) MUST use MFA. This is free at all tiers of O365 and is simple to set up and the user experience is relatively seamless if you install the app on your smartphone.

If you’re an IT decision maker, expect to receive pushback from your administrators on this point but to maintain an acceptable security posture, this step is non-negotiable – all administrators HAVE TO use MFA.

As an aside, I’ve been using Azure MFA for my own business tenant and all my client’s tenants that I administer for many years now without issues.

You must however plan for times when Azure MFA is unavailable and this includes creating one (preferably two) Global Admin cloud accounts that are excluded from any CA policies. Rather than leaving them with a password alone, register a phishing-resistant method such as a FIDO2 security key kept in a safe; the exclusion protects you from a broken policy, not from needing strong authentication.

These accounts should have very long and complex passwords that are only available to high-ranking administrators and should have monitoring enabled so that alerts go off if they’re ever used.

These broken glass / emergency access accounts should only be used to recover user access; for instance, if Entra ID MFA is down, you might turn off MFA requirements for the duration of the outage to enable users to log in and be productive.

Enabling MFA for your end users requires some planning and end user training. The level of tech familiarity your users have and whether they’re normally working from corporate offices influences how to implement MFA.

Administrators always get MFA for free; if you’re on the Business SKUs, MFA it’s built-in, but both lack the advanced features that Entra ID Premium P1 (M365 E3) or Entra ID Premium P2 (M365 E5) offer.

These include One-time bypass, Trusted IPs/Named locations; which lets you define corporate office IP address ranges where users will not be prompted for MFA. Note that all MFA levels let you (if you allow this feature) remember MFA on a trusted device for a set number of days (7-60).

If a user has logged on to a device and successfully performed MFA, they won’t be prompted on that device for the time period, and if the device is lost or stolen, either the user or you can “un-trust” these devices easily.

Starting in May 2023, Microsoft enabled number matching for all Microsoft Authenticator approvals, so instead of just pressing Approve or Reject, you must enter a two-digit code shown on your computer screen.

The app will also show you the geographical location from where the MFA request comes. Both features are designed to combat MFA fatigue attacks, where the attacker repeatedly tries to login, generating so many requests on your phone that some users simply press Approve to make it stop.

Microsoft now enables Security Defaults for all new tenants, and you can enable it manually for your existing tenants.

This will require all users and administrators to register for and use MFA with the Microsoft Authenticator app only, block legacy authentication protocols, and require MFA for privileged activities such as access to the Azure portal.

While these security enforcements are a good starting point for a small business with limited requirements, I advise caution for more complex organizations, as there’s no way to exclude break glass accounts or service accounts from MFA or ways to handle users who don’t have / can’t access the authenticator app on the phone.

Publishing Applications

One of the most powerful features of Entra ID is the ability to publish applications (third-party and on-premises) to your end users.

Take a corporate Twitter account, for instance, where several users have the username and password to send tweets on behalf of the company.

Not only will you need to reset the password as soon as someone leaves the company (you want them to refrain from tweeting as your organization after they’ve been fired) but you have little control over who else that password is shared with.

If you publish Twitter through Entra ID and create an AD group to put users in that should have access, you add a user account to that group, they’ll automatically have single-sign-on access to Twitter in the My Apps portal without ever knowing the password, and once they leave the company and their account is disabled, they can’t access it any longer.

For some of the 2400+ applications supported out of the box, you can even configure automatic provisioning so that when you add a user to the AD Salesforce group, an account is automatically created for them in Salesforce – again without them even knowing the password.

A popular option is using the AWS Single Sign-On app to integrate AAD and AWS.

Premium Features

Entra ID Premium P1 doesn’t just unlock more MFA features, it also allows you to ban commonly used passwords in your on-premises AD (including a custom word list), enable users to reset their own passwords when they have forgotten them, integrate MFA with Conditional Access and let users register for both MFA and self-service password reset (SSPR) in the same experience.

The P2 level adds the full experience of Entra Identity Protection where you get reports and can block authentications based on the risk level of the user account and the sign in or even trigger an “extra” MFA prompt based on the risk profile of the authentication attempt.

P2 also offers Privileged Identity Management (PIM) where you convert all administrative accounts to eligible accounts and users have to request elevation when they need to perform administrative tasks (known as “Just in Time administration”).

Instead of assigning administrative roles in Entra ID to individual user accounts you can now use groups to grant admin access.

The groups need to have a specific attribute set (isAssignableToRole) to true and static (rather than dynamic – automatically assigning user accounts to a group based on an attribute like “department” in the directory) user account membership.
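The practical effect of a role-assignable group is that granting or revoking administrative access becomes a group membership change, which is easier to review and to automate than per-account role assignments. The block below is an added example (not code from the original article) that creates such a group and assigns it the Exchange Administrator role through the Microsoft Graph PowerShell SDK. It assumes a Privileged Role Administrator is running it; the group name and user address are placeholders.

```powershell
# Added example: grant an Entra ID role to a role-assignable group instead of to individual
# accounts. Assumes the Microsoft Graph PowerShell SDK and a Privileged Role Administrator.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# isAssignableToRole must be set at creation and cannot be changed afterwards. Such groups are
# always static and can only be managed by privileged role admins and the group's owners, which
# stops an ordinary group administrator from adding themselves to an admin role.
$group = New-MgGroup -DisplayName "Role: Exchange Administrators" `
    -MailNickname "role-exchange-admins" `
    -MailEnabled:$false -SecurityEnabled -IsAssignableToRole -Visibility "Private"

# Look the role up by name rather than hard-coding its template GUID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# "/" as the directory scope means the whole tenant; an administrative unit id scopes it down.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null

# Adding a member is now the only step needed to make (or unmake) an Exchange admin.
$user = Get-MgUser -UserId "alice@contoso.com"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Verify: every assignment of this role and who holds it.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

With Premium P2 the same group can instead be made eligible in PIM so that members must activate the role just in time; the group object and its membership stay the same, only the assignment type changes.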

Where AD has a hierarchical structure, relying on Organizational Units (OUs) to structure your user, machine and group accounts based on department, geography, or other approach, Entra ID is a flat structure.

Administrative Units (AUs) is a feature that aims to change this, using AUs you can structure user and group accounts and then delegate administrative permissions to a single AU or AUs. The AU admins need Entra ID Premium licensing.

Note that unlike OUs where an account can only be in a single OU, a group or user account can be a member of multiple AUs (up to 30).

If you have a large environment and Premium P2 licenses, consider using entitlement management, a way to group application, group membership (including Teams) and site access into a single access package.

These are useful for internal users (“you are the new person in Marketing – here’s your package that gives you all the access you need”) and can also be used to grant access to external users.

For partner organizations that you work with frequently you can even set it up so that their users can apply for packages, self-service style. Entitlement management can also get IT out of the role of assigning permissions by delegating package assignment to business users.

Conditional Access Policies

Both P1 and P2 unlock another powerful feature in Entra ID, Conditional Access (CA).

This lets you build policies around application access (both cloud and on-premises applications) based on the user account and what groups they’re a member of, which application they’re accessing, the state of their device, their location, the sign-in risk and which type of client application they’re accessing it from.

These “if this – then do that” rules greatly enhance the security of your data by managing risk factors affecting identity and access in M365. Making it even easier to set up good CA policies are templates (in preview at the time of writing) covering Secure Foundation, Zero Trust, Remote work, Protecting administrators, and Emerging threats.

To make sure you don’t create a policy by mistake that locks out the CEO five minutes before his board presentation, the option to deploy CA policies in Report-only mode lets you evaluate the impact the policies will have without actually enforcing them.

There’s an API for accessing CA policies. This makes it possible to backup (using PowerShell for example) your CA policies, restore them, monitor changes, and treat them as code rather than manually manage them in the portal.

You could also test policies in a test tenant before exporting them from there and importing them in your production tenant after they pass validation.
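The MFA-for-administrators baseline, the break-glass exclusion, report-only deployment and policy-as-code backup described above fit together in one workflow. The script below is an added example (not code from the original article) using the Microsoft Graph PowerShell SDK: it creates a report-only policy requiring MFA for the main admin roles while excluding a break-glass group, exports every CA policy to JSON for version control, and checks whether any break-glass account has signed in recently. It assumes an Entra ID P1 licence and a pre-existing group named "BreakGlass-Accounts" (placeholder).

```powershell
# Added example: report-only "MFA for administrators" CA policy with break-glass exclusion,
# JSON backup of all policies, and a sign-in check on the break-glass accounts.
# Assumes the Microsoft Graph PowerShell SDK, Entra ID P1, and an existing group "BreakGlass-Accounts".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All",
                        "Group.Read.All", "Directory.Read.All", "AuditLog.Read.All"

$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Accounts'"

# Role template ids looked up by name; the policy targets every holder of these roles.
$adminRoles = @("Global Administrator", "Exchange Administrator", "SharePoint Administrator",
                "Security Administrator", "Conditional Access Administrator")
$roleIds = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -in $adminRoles |
           Select-Object -ExpandProperty Id

$policy = @{
    displayName = "Require MFA for administrators"
    # Report-only: evaluated and written to the sign-in log, but not enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles  = $roleIds
            excludeGroups = @($breakGlass.Id)   # never lock out the emergency accounts
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Policy as code: export every policy so it can be version-controlled and diffed after changes.
$backupDir = Join-Path $PWD "ca-backup-$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $p | ConvertTo-Json -Depth 20 | Set-Content -Path (Join-Path $backupDir "$($p.Id).json")
}

# Break-glass accounts should never sign in silently: any sign-in in the last 7 days is an alert.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
foreach ($m in Get-MgGroupMember -GroupId $breakGlass.Id -All) {
    $upn = $m.AdditionalProperties.userPrincipalName
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All |
        ForEach-Object { Write-Warning "Break-glass sign-in: $upn from $($_.IPAddress) at $($_.CreatedDateTime)" }
}
```

Leave the policy in report-only mode long enough to cover a full working cycle, review the “Report-only” column in the sign-in log for the admin accounts, and only then change state to "enabled". The JSON export is what you feed into a test tenant, and the diff between two exports is the change record.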

Managing the Account Lifecycle

Once you implement AAD Connect, make sure you update your process documentation to consider the full lifecycle of user accounts, such as making sure they’re given the right licenses, are added to the right groups, and when the time comes to disable the account, the right steps are followed.

To make sure that users (and guests) don’t accumulate access that they no longer need, use Access Reviews (Premium P2), which now lets you review all guest accounts in one operation rather than on a per Team/M365 Group basis.

For a smaller O365 or M365 tenant, chances are you’ll never even need to go to the full Azure AD portal, and instead, you’ll do your user management in the M365 portal. However, it is a good idea, to explore the “full” Entra portal over at https://entra.microsoft.com.

If you’re keen to try out upcoming features in Entra ID, use the Preview hub to learn about and turn on public preview features.

Conclusion

In conclusion, the transition from Azure Active Directory to Entra ID in Microsoft 365 marks a significant shift towards modern authentication and enhanced security. Entra ID offers robust features such as multi-factor authentication, application publishing, and conditional access policies, making it a pivotal component of M365’s identity management framework.

FAQ

Does Microsoft 365 include Entra ID (Azure AD)?

Yes, Office 365 & Microsoft 365 includes Entra ID, formerly Azure Active Directory (Azure AD). Entra ID is the identity and access management service used by Microsoft 365 for user authentication and authorization.

What is a Microsoft 365 group in Azure AD?

A Microsoft 365 group is a group object in Entra ID with an associated mailbox, calendar, SharePoint site and (optionally) Planner plan and Teams team. Unlike a plain security group, its purpose is collaboration: adding a member grants access to the group’s shared resources and conversations.

Is Microsoft Entra ID free?

Entra ID offers both free and premium plans. The free plan provides essential identity and access management features, while the premium plans (P1 and P2) add capabilities such as Conditional Access policies, advanced security features and self-service identity management.

Windows 11 Enterprise Security and Compliance

The last pillar of M365 is Windows 11 Enterprise, licensed for five devices per user; a device running Windows 11 Pro is automatically upgraded to Enterprise as soon as a licensed user signs in. Here, we will cover the additional security features this brings to your enterprise.

Windows 11 Enterprise

Enterprise adds Defender Application Guard and Defender Application Control on top of the security features you get in Windows 11 Pro. Application Guard protects your users when they browse potentially malicious sites in Edge by running the browsing session in a hardware-isolated container.

This technology has also been extended to Word, Excel, and PowerPoint. On the other hand, Application Control builds on earlier iterations of AppLocker and blocks untrusted applications, including plug-ins and add-ins, from running.  

Always On VPN doesn’t require Windows 11 Enterprise and is a successor to Direct Access if you still need to use client VPN in your business. 

Whilst it’s not exclusive to Windows 11 Enterprise, look at Windows Hello for Business to improve your users’ login experience as well as your security (a rare case of everyone winning in security) by moving away from passwords.


Conclusion

If you’re deploying large numbers of Windows 11 devices and you want to reduce the burden of wiping each new device and installing your custom image, consider using Windows Autopilot; it’s a powerful way to “deploy” Windows 11 by simply transforming the pre-installed image as your OEM delivers it.

FAQ

What is Windows 11 Enterprise?

Windows 11 Enterprise is an edition of Microsoft’s operating system designed for business environments. It includes features tailored for large organizations, such as advanced security options, remote management capabilities, and deployment tools.

Is Windows 11 Enterprise better than Pro?

Windows 11 Enterprise offers more features than the Pro edition, primarily focusing on enhanced security, device management, and deployment capabilities. The choice between them depends on the organization’s specific needs.

Is Windows 11 a free upgrade for enterprises?

Windows 11 was initially offered as a free upgrade for eligible Windows 7, 8.1, and 10 users. However, the availability of free upgrades, especially for enterprise editions, may vary based on Microsoft’s policies and licensing agreements. It’s recommended to check Microsoft’s official documentation for the latest information.

Enhancing Productivity with Microsoft 365 Clients

There are many pieces of software you can use to connect to M365 – in this article, we’ll look at these and how you manage them from a governance point of view.

Desktop Choices

Microsoft recommends the latest version of Chrome, Edge, Firefox, Safari, or Internet Explorer 11 for accessing M365. 

If you have the rich Office desktop client installed, all supported versions should work with M365, but using the Apps for Enterprise version for both Windows and Mac that’s included with Business Premium and E3+ is preferred. 

You can control which users get the recommended Current Channel and who gets the Monthly Enterprise channel or the Semi-Annual Enterprise Channel flavor. If you want to live on the edge, you can enroll in the Office Insider program to beta-test new features.  

Outlook Web App (OWA) or Outlook for the Web deserves special mention as it’s competent and not a “watered down” version of Outlook that runs in a browser. 

In fact, Microsoft often tests new features and approaches in the web client because they can deploy changes much quicker. You can use OWA policies to control which features are available to your end users. 

You can manage which protocols users can use to connect to Exchange with Client Access Rules.

Mobile Choices

For many years, the preferred way of connecting to Exchange Online for email was to use ActiveSync, a protocol that the built-in mail clients in both iOS and Android support (sort of – not all features were supported by each vendor).

Microsoft now recommends using the free Outlook client app, which lets Microsoft introduce new features much faster without having to wait for Apple or Google to catch up. This app has been steadily growing in capability, including the ability to connect to Gmail and other email services, and is now used by well over 100 million people. 

There used to be separate Word, Excel, etc. apps for mobile. Still, they’re all consolidated under the Microsoft 365 (Office) app that lets you open the different Office document types and edit them on mobile. 

It’s free to install, but functionality depends on what account you use to sign into it.

OneDrive for Business

The sync client is automatically installed on Windows or Mac OS when Apps for Enterprise is installed, and you can control its behavior using this Group Policy template.

Please train your users to use OneDrive for Business – the power to have your files available on whatever device you happen to be using shouldn’t be underestimated, particularly the ability to go to any device (if you don’t have your own devices handy), sign in to www.office.com in any browser and edit those same files.

Teams

The Teams application is Microsoft’s all-in-one collaboration client with support for instant messaging chats, group chats, voice calls, video calls, and, if you have the licensing, PSTN calling to and from regular phones. 

Teams is replacing Skype for Business, and starting in early 2019, the client is automatically installed when you install Apps for Enterprise; if you need to deploy it using your favorite software deployment tool, use this MSI.

At the time of writing, a new Teams client app is in public preview, which should fix people’s two main gripes with the current client: performance (the client is an Electron app that uses a lot of CPU and memory) and switching between different tenants.

Apps Admin Center

The Microsoft 365 Apps admin center is a very interesting take on cloud management for Apps for Enterprise (Office on the Windows desktop).  

Instead of managing the customization settings using the Office Deployment Tool (ODT), you use the cloud portal to create the required XML files. The Apps admin center does so much more, however. 

It inventories your Office installations across your tenant, tracks which versions and build numbers are installed and which ones are out of support, and lets you build Servicing Profiles to deploy newer versions of Office. 

It also uses Security Policy Advisor to analyze current usage of the apps and allows you to create and deploy policy configurations to all Apps for Enterprise installations (without relying on GPOs or MDM), plus tracks which add-ins are in use across all your devices.  

Suppose you have a large number of users. In that case, you may want to turn off the option for users to download Apps for enterprise from www.office.com (M365 portal – Settings – Services & add-ins – Office software download settings) and instead deploy it using your favorite method. 

If your business is using System Center Configuration Manager, it can be used to deploy and update Apps for Enterprise.

Since no additional licensing is required for the Apps admin center, you should investigate if it can make your life as an Office 365 administrator easier. 

If you need to provide a modern printing environment for your users without having to bother with print servers or installing individual drivers for each printer on each device, consider Universal Print. 

Another way you can tell how integrated the different components of M365 are is with Search. This lets you search in various places in M365 and get relevant content for you, only showing you content you can access from within your tenant.


Conclusion

In conclusion, Microsoft 365 offers streamlined collaboration, efficient administration, and integrated features for enhanced productivity. Embrace the future of seamless innovation with confidence.

FAQ

Which companies use Microsoft 365?

Numerous companies across various industries use Microsoft 365, including large enterprises like Accenture, GE, and Coca-Cola, as well as smaller businesses globally.

Who are Microsoft's clients?

Microsoft’s clients span diverse sectors, from technology and finance to healthcare and education. Major clients include Chevron, Walmart, and Boeing, demonstrating Microsoft’s broad industry reach.

What is Office 365 client?

An Office 365 client refers to the software installed on a user’s device, allowing access to Microsoft 365 applications like Word, Excel, and Outlook. It facilitates offline work and synchronization with the cloud-based Office 365 services.

Keeping Microsoft 365 Running Smoothly: Tips for Proactive Microsoft 365 Support

At least initially, a big challenge for us in IT is the loss of control that the cloud brings. If you have a problem on-premises with email delivery, you can check every part of the chain to see where the problem lies. Once you have migrated to M365, it’s now a shared responsibility between you and Microsoft.

In this article, we’ll look at two self-help tools I use when there’s trouble and then at how you open and work a support case with Microsoft.

Test Connectivity

For email and Teams, connectivity is a common cause of issues. Microsoft offers a valuable tool: Microsoft Remote Connectivity Analyzer (MRCA or RCA) at https://testconnectivity.microsoft.com/.

Here, you can test several things: DNS entries, ActiveSync connectivity to Exchange, Outlook, and Outlook Autodiscover functionality, inbound and outbound SMTP email, etc. Pick the test you need to perform and enter the required information.

Depending on the test, you may need to enter a valid username and password – I suggest resetting the password of this account after you’ve completed the troubleshooting.

The Captcha verification lasts for 30 minutes, so if you’re doing several runs as you change values, you don’t have to verify that you’re a human every time. The comprehensive test output should help you pinpoint the issue quickly.

Client-Side Tools

Suppose the issue isn’t connectivity-related; instead, you suspect a problem on a particular client device.

In that case, you should use the Support and Recovery Assistant for Office 365 (SARA) to help identify Outlook, Dynamics 365, and OneDrive for Business issues and Apps for enterprise problems.

It’s a simple download that you run on the affected device; it steps you through a few questions to track down the problem. In my experience, when you’re struggling with a profile or intermittent connection issues (that aren’t due to a service side misconfiguration – see RCA), SARA is pretty good at tracking down the cause.

Another way to help end users help themselves is the My Sign-ins, My Groups, and My Access sites, which, along with My Applications, give users a good way to manage their access to M365 services. My Sign-ins is also an excellent education tool as it lists both successful logins and failed ones from attackers.

Service Requests

While the benefits of cyber insurance are evident, it’s essential to acknowledge the challenges that come with it. To give some perspective: The global cyber insurance market reached $7.8 billion in 2020 and is expected to grow to $20 billion by 2025.

In recent years, the cyber insurance landscape has seen premiums rise globally by an average of 20% per year, driven by the increasing frequency and severity of cyberattacks. Insurers are also imposing higher minimum IT security requirements on policyholders. These changes can be particularly burdensome for small and medium-sized businesses.

Service Health

The Health section of the admin center shows the overall health of the different services in M365 and lists any outages or incidents affecting your tenant, provided you can still reach the portal.

If the outage affects the portal or its health portion, try https://status.office365.com/. Also, make sure to follow @Office365Health and @MSFT365Status on Twitter.

The Health section also offers an interesting new tool called Network connectivity, which uses the OD4B client, together with the Windows Location Service and optional manual data-gathering tests, to identify each client’s connectivity quality to Office 365. It even has its own portal.

Network Connectivity

Many businesses provide a substandard experience for their users by forcing them to use VPN connections back to the office and then onwards to Office 365 (overall a slower experience, but a killer for Teams voice and video calls) or even proxying all outgoing traffic for “security.”

This last one is based on the erroneous assumption that all web services/internet sites are “bad” and all traffic must be inspected, rather than differentiating between business services provided by Microsoft and others that can be trusted and dodgy websites and handling the traffic accordingly.

Here’s an excellent article outlining required and optional optimization techniques for M365. Microsoft has also partnered with many ISPs, internet exchange partners (IXPs), and software-defined cloud interconnect (SDCI) providers for optimal connectivity to M365, Dynamics 365 and Azure using the Azure Peering service. Suppose your business is using a Software Defined WAN (SD-WAN).

In that case, there’s a feature called informed network routing that will further help optimize your connectivity by enabling data sharing between Microsoft and the SD-WAN provider to reroute traffic automatically where appropriate.

Today, only Cisco’s IOS XE SD-WAN is supported, but expect others to be added as the preview progresses.

The new Productivity Score is designed to help you understand where your business is in its digital transformation journey and tracks metrics across two categories:

  1. people experiences
  2. technology experiences

Microsoft 365 Desired State Configuration

PowerShell has long had a feature called Desired State Configuration (DSC): you declare how a system (VM, application, etc.) should look, apply that declaration as policy, and the Local Configuration Manager ensures that the system has the correct settings, checking periodically for drift.

This is called Infrastructure as Code and is now available for M365, so you could have a test tenant where you evaluate new configurations and settings, which you can then export and apply to your production tenant.

It can also be used to export all your configurations as a “backup”, periodically reporting on changes in configuration and comparing your tenant’s settings with best practices.
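As an added illustration of that workflow (this is example code, not from the article or the Microsoft365DSC project), the following PowerShell declares one Conditional Access policy as desired state, applies it, checks it for drift, and exports the tenant’s policies as a backup. The AADConditionalAccessPolicy resource and its property names are Microsoft365DSC’s as I recall them; the paths and the policy display name are assumptions.

```powershell
# Added example, not from the article or the Microsoft365DSC project.
# Assumes Microsoft365DSC is installed and the C:\M365DSC\... paths are
# placeholders; the policy display name is made up for this example.
Configuration AdminMfaBaseline
{
    param (
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $Credential
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        # Desired state: a Conditional Access policy requiring MFA for
        # Global Administrator sign-ins. Property names follow the
        # AADConditionalAccessPolicy resource (check them against the
        # installed module version).
        AADConditionalAccessPolicy "RequireMfaForGlobalAdmins"
        {
            DisplayName          = "Baseline - Require MFA for Global Admins"
            State                = "enabled"
            IncludeRoles         = @("Global Administrator")
            IncludeApplications  = @("All")
            BuiltInControls      = @("mfa")
            GrantControlOperator = "OR"
            Ensure               = "Present"
            Credential           = $Credential
        }
    }
}

# Allow the credential to be embedded in the compiled MOF. This stores it in
# plain text on disk: acceptable for a test tenant, but use certificate-based
# app authentication or MOF encryption for production.
$cd = @{ AllNodes = @(@{ NodeName = "localhost"; PSDscAllowPlainTextPassword = $true }) }
$cred = Get-Credential -Message "Tenant admin used by Microsoft365DSC"

# 1. Compile the declared state into a MOF document.
AdminMfaBaseline -Credential $cred -ConfigurationData $cd -OutputPath C:\M365DSC\Baseline

# 2. Apply it; the resource only changes what differs from the declared state.
Start-DscConfiguration -Path C:\M365DSC\Baseline -Wait -Verbose -Force

# 3. Drift check: returns $false if the policy was later edited or disabled.
Test-DscConfiguration -Path C:\M365DSC\Baseline

# 4. Backup: export the tenant's Conditional Access policies as DSC code so
#    they can be kept in source control and diffed over time.
Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy") `
    -Credential $cred -Path C:\M365DSC\Backup
```

Running steps 1 to 3 against a test tenant first, then re-pointing the credential at production, is the test-then-promote pattern described above.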


Conclusion

In conclusion, maintaining the seamless operation of Microsoft 365 demands a proactive approach to support.

FAQ

How do I contact Microsoft 365 support?

Contact Microsoft 365 support by signing into the Microsoft 365 admin center and selecting “Support” or by visiting the Microsoft support website for various contact options.

Does Microsoft 365 come with support?

Yes, Microsoft 365 typically includes support options based on the subscription plan. Access support through the Microsoft 365 admin center, online resources, or phone support, depending on your plan.

How do I email Microsoft 365?

Email Microsoft 365 support by logging into your admin account, navigating to the admin center, and selecting “Support.” Follow the prompts to initiate email communication or find relevant contact information on the Microsoft support website.