BRK3332: Ten critical areas for those moving from Exchange on-premises to Office 365
Or how your admin world changes utterly…
Tony Redmond, @12Knocksinna
6/27/2018 12:15 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Tony Redmond
- Executive at HP, Compaq, and DEC for many years
- Lead author for “Office 365 for IT Pros” eBook: https://practical365.com/ebooks/office-365-for-it-pros/
- MVP since 2004
- Columnist for Petri.com
Assumptions and Goals
- Your migration is complete
- You might or might not run a hybrid environment
- You need some new challenges to fill in all the time released from server and software maintenance…
- This is not a deep-dive into any specific topic – 2-3 slides per topic!
- Instead, the goal is to increase awareness of operating conditions that are significantly different after you move to Office 365

A New World
- Office 365 used to be close to the on-premises Exchange and SharePoint products, but it isn’t now
- Exchange and SharePoint are “basic workloads” within Office 365
- Most of Microsoft’s engineering effort for Exchange and SharePoint focuses on the cloud
- Office 365 and Exchange Online are massive
- Office 365 develops at a rapid cadence
- Licenses and add-ons control access to functionality

Topics for Discussion
1. Backups
2. Expanding archives
3. Distribution Groups and Office 365 Groups
4. Content Searches
5. Data Loss Prevention
6. Classification Labels
7. Auditing
8. PowerShell
9. Mobile architecture
10. Keeping up with Change
Backups in the Cloud
1. Backups
- Microsoft uses Native Data Protection to safeguard Exchange Online mailbox databases – no backups
  - Office 365 is divided into datacenter regions, each with at least two datacenters
  - Four mailbox database copies (1 lagged), split across datacenters
- Single Item Recovery
- 14-day (30-day max.) Deleted Item Retention
- SharePoint Online does have backups – but restores are for complete site collections
- Use holds to keep items for longer
- Use Inactive mailboxes to retain ex-employee data

1. Backups
- ISVs offer cloud backup solutions for basic Office 365 data, streaming data across the internet to their datacenters
- Issues:
  - Lack of support for integrated applications (Groups, Teams, Planner)
  - Do you need backups for cloud data?
  - Can the APIs and networks supporting backups cope with 100 GB mailboxes, expandable archives, and tons of documents?
  - Cost
Expanding Archives
2. Expanding Archives
- Keeping all your data inside Office 365 makes data governance easier and cheaper
- Office 365 Import Service and ISV tools can process and ingest information from multiple sources:
  - PSTs
  - Documents
  - Social networking and instant messages
- Archive mailboxes are the natural target for much of this data

2. Expanding Archives
- Auto-expanding archives are an option for Exchange Online tenants who need to store massive amounts of data
- Largest expandable archive now well over 1 TB
- Configurable for the tenant or for individual mailboxes (one-way switch)
- Can’t transfer an expandable archive to on-premises Exchange
- Clients see a single large archive mailbox, but search is restricted to a single folder

[PS] C:\> Set-OrganizationConfig -AutoExpandingArchive
[PS] C:\> Enable-Mailbox -Identity "Kim Akers" -AutoExpandingArchive

2. Expanding Archives
- Users begin with a normal archive mailbox. As data moves into the archive, a mailbox assistant monitors capacity and, when necessary, creates a new auxiliary mailbox
- The auxiliary mailbox is linked to the archive by a GUID
- Exchange automatically moves data from the archive to the auxiliary to rebalance storage; MRS synchronizes the data for up to 60 days to eliminate the possibility of data loss

[PS] C:\> Get-MailboxLocation -User TRedmond | Sort MailboxLocationType -Descending | Format-Table MailboxGuid, MailboxLocationType

MailboxGuid                          MailboxLocationType
-----------                          -------------------
0370f354-2752-4437-878d-cf0e5310a8d4 Primary
afc1e472-0826-498e-b990-85de223e809d MainArchive
bb131464-1461-147e-b774-41646ddadd11 AuxArchive
The Future of Distribution Groups
3. DLs and Office 365 Groups
- Distribution Groups are the workhorse of Exchange
- Office 365 offers Outlook Groups as an upgrade option
  - Team site (Files), notebook, mailbox, Teams, Planner, Stream, etc.
  - Outlook Groups mobile client and Outlook for iOS and Android
  - Groups appear as DLs in an on-premises GAL
- Microsoft wants Office 365 tenants to use Groups
- Upgrade only viable when source DLs:
  - Are not nested
  - Only include cloud mailboxes
  - Other conditions

3. DLs and Office 365 Groups
- Office 365 (Outlook) Groups are limited to 1,000 members
- Office 365 (Yammer) Groups have higher limits because they do not store conversations in the group mailbox
- Dynamic Office 365 Groups are available, but require Azure AD Premium licenses for every member in the scope of the queries used for these groups
  - Not an issue for tenants with EM+S
- AAD policy available to control group creation – use it!
- Strong use case still remains for DLs
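An added example (not from the presentation) of the AAD group-creation policy the slide recommends: it restricts who can create Office 365 Groups by writing the Group.Unified directory setting with the AzureADPreview module. It assumes Connect-AzureAD has already run with an account holding the Global Administrator role, and that a security group named "Group Creators" (a placeholder) contains the approved creators.

```powershell
# Added example, not the presentation's code. Restrict Office 365 Group creation to
# members of one security group via the Azure AD "Group.Unified" directory setting.
# Assumes: AzureADPreview module installed, Connect-AzureAD already run.
$AllowedGroupName = "Group Creators"   # placeholder: your security group of approved creators

$AllowedGroup = Get-AzureADGroup -SearchString $AllowedGroupName | Select-Object -First 1
if (-not $AllowedGroup) { throw "Security group '$AllowedGroupName' not found" }

# Reuse the tenant's existing Group.Unified setting if one exists; otherwise create
# it from the template (a tenant can hold at most one Group.Unified setting)
$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $Setting) {
    $Template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $Setting  = $Template.CreateDirectorySetting()
    $Setting["EnableGroupCreation"]         = "False"
    $Setting["GroupCreationAllowedGroupId"] = $AllowedGroup.ObjectId
    New-AzureADDirectorySetting -DirectorySetting $Setting | Out-Null
} else {
    $Setting["EnableGroupCreation"]         = "False"
    $Setting["GroupCreationAllowedGroupId"] = $AllowedGroup.ObjectId
    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
}

# Verify: EnableGroupCreation should now be False and the allowed group id populated
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values |
    Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId" } |
    Format-Table Name, Value
```

The setting applies wherever Office 365 Groups are created (Outlook, Teams, Planner, SharePoint), which is exactly why it matters: each new group brings a mailbox and a team site with it. Administrators holding the Global Administrator role are exempt and can still create groups.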
Compliance, starting with Searches
Microsoft added compliance functionality from Exchange 2010 on. Much of what you see in Office 365 comes from the principles established in Exchange, influenced by SharePoint and extended or modified to handle other Office 365 locations.

4. Content Searches
- Search and hold capabilities inherited from on-premises Exchange and SharePoint servers are deprecated
- Content searches are faster, more scalable, and cover more locations
  - EXO, Public Folders, Groups, SPO, OD4B (*permissions), Skype for Business IM, Teams

Number of mailboxes | Average search time
100 | 30 seconds
1,000 | 45 seconds
10,000 | 4 minutes
25,000 | 10 minutes
50,000 | 20 minutes
100,000 | 25 minutes

4. Content Searches
- Security and Compliance Center is the fulcrum for cross-Office 365 data governance functionality (note: different RBAC groups)
- Use content searches for simple searching
- Use eDiscovery cases to coordinate the searches, holds, and exports needed for investigations
  - Exports to PST or MSG files (email) or to files
- In-place holds available for all locations supported by content searches, but are placed through eDiscovery cases
- Exchange-specific retention and legal holds also available

4. Content Searches
- Searches use KQL syntax with keywords and qualifiers to find content
  - Exchange and SharePoint support different keywords
- Preview of search results works like it does for Exchange on-premises
- Searches can be targeted to specific folders or sites
- Search results can be limited with filters
- Advanced eDiscovery available (E5 or add-on) to deal with mega-investigations

Search-Mailbox
- The Search-Mailbox cmdlet persists in Exchange Online and is the only way to permanently remove information found by searches from user mailboxes
- You can add a delete action to a content search with PowerShell, but only for soft-delete
- Delete actions apply to all content locations
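An added example (not from the presentation) of the soft-delete path the slide describes: a content search across all mailboxes followed by a purge action, as an incident responder would use it to pull a reported message out of every inbox. It runs in a Security and Compliance Center PowerShell session; the search name and the KQL query are placeholders.

```powershell
# Added example, not the presentation's code. Find a message in every Exchange
# Online mailbox with a content search, review the hit count, then remove it with
# a SoftDelete purge. Requires a Security and Compliance Center PowerShell session.
$SearchName = "Purge-ReportedMessage-20180627"                               # placeholder
$Query      = 'from:"sender@example.com" AND subject:"Invoice attached"'   # placeholder KQL

# 1. Create the search across all mailboxes and start it
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# 2. Wait for completion and look at the numbers before touching any mailbox
do {
    Start-Sleep -Seconds 30
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne "Completed")
Write-Host ("Search '{0}' found {1} items" -f $SearchName, $Search.Items)

# 3. Purge. SoftDelete moves matches to Recoverable Items, where the user can still
#    restore them; a purge action removes at most 10 items per mailbox per run.
if ($Search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null
}

# 4. The purge action is named "<search>_Purge"; poll it until it reports Completed
Get-ComplianceSearchAction -Identity "${SearchName}_Purge" | Format-List Name, Status, Results
```

Because the query decides what is removed, run the search and inspect the preview (or the item count above) before adding the purge action; a query that is too broad deletes legitimate mail in the same one pass.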
Data Loss Prevention
5. Data Loss Prevention (DLP)
- Exchange DLP uses transport rules (ETRs) to enforce checking for sensitive content; checks also integrated in OWA and Outlook
  - Exchange DLP supports document fingerprinting
- Office 365 DLP policies cover Exchange, SharePoint, and OneDrive for Business, but functionality differs from ETR-based checking
  - DLP checks integrated into the file sharing dialog
  - Checks against multiple data types and classification labels
  - No document fingerprinting (yet)
- DLP is important in the context of PII protection for GDPR

5. Data Loss Prevention
- Office 365 DLP policies cover Exchange content now and are executed after ETR-based policies
- Gradually, Office 365 DLP policies will replace ETR-based policies
- Use Office 365 policies whenever possible!
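An added example (not from the presentation) of the kind of unified Office 365 DLP policy the slide recommends over transport rules: one policy covering Exchange Online, SharePoint Online and OneDrive for Business, with a low-volume rule that only notifies and a high-volume rule that blocks external access. It runs in a Security and Compliance Center PowerShell session; the policy and rule names are placeholders, and the "Credit Card Number" sensitive information type is a built-in one chosen for illustration.

```powershell
# Added example, not the presentation's code. Create a unified DLP policy across all
# three workloads, starting in test mode so nothing is blocked until the hit rate has
# been reviewed. Requires a Security and Compliance Center PowerShell session.
$PolicyName = "PII - Credit Card Numbers"   # placeholder

New-DlpCompliancePolicy -Name $PolicyName `
    -Comment "Detect credit card numbers in mail, sites and OneDrive" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications | Out-Null

# Rule 1: a handful of matches -> tell the sender/owner, do not block
New-DlpComplianceRule -Name "$PolicyName - notify" -Policy $PolicyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1"; maxCount = "9" } `
    -NotifyUser LastModifier, Owner `
    -ReportSeverityLevel Low | Out-Null

# Rule 2: ten or more matches shared outside the organization -> block and notify
New-DlpComplianceRule -Name "$PolicyName - block external" -Policy $PolicyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "10" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -ReportSeverityLevel High | Out-Null

# Check what was created; switch to -Mode Enable only after reviewing the DLP reports
Get-DlpCompliancePolicy -Identity $PolicyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $PolicyName | Format-Table Name, BlockAccess, AccessScope
```

Keeping the policy in TestWithNotifications first matters because a single Office 365 policy now reaches every workload: a false positive that would have affected one transport rule now affects sharing in SharePoint and OneDrive too. Move it to enforcement with Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable once the reports look right.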
A Surplus of Labels
6. Classification Labels
- Exchange Messaging Records Management (MRM) introduced in Exchange 2007 and rewritten in Exchange 2010
  - Retention policies and tags processed by the Managed Folder Assistant (MFA)
- SharePoint Online supports deletion policies to control removal of information
- Classification labels are part of the Office 365 Data Governance framework to help tenants “Keep what you want, remove what you don’t”
  - Designed to work across all workloads

6. Classification Labels
- Office 365 Classification Labels have actions and retention periods
- Placed on messages, folders, documents, and group conversations
- Action can remove or keep information or do nothing (visual indicator)
- Can trigger manual disposition by a human (remove, extend, or apply new label)
- Can be applied manually or through auto-label policies based on sensitive data type or keyword query (E5)
- Can mark items as permanent records
- Content searches can find items with a specific classification

6. Classification Labels
- Labels are published to locations using Office 365 retention policies
  - Force labels to appear in UX
  - MFA must process a mailbox before labels appear in OWA or Outlook; labels act like personal retention tags
- Can apply to all locations or selected locations
- Can impose preservation lock on marked content (limited ability to change policy settings)
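An added example (not from the presentation) that walks through the label lifecycle the last two slides describe: create a label with a retention period and a disposition reviewer, publish it to every location with a retention policy, and check distribution. It runs in a Security and Compliance Center PowerShell session; the label name, policy name and reviewer address are placeholders.

```powershell
# Added example, not the presentation's code. Create a classification (retention)
# label and publish it to all workloads through a retention policy.
# Requires a Security and Compliance Center PowerShell session.
$LabelName  = "Finance Record - 7 years"        # placeholder
$PolicyName = "Publish Finance Labels"          # placeholder
$Reviewer   = "records-reviewers@example.com"   # placeholder: who gets the disposition review

# Label: keep for 7 years (2555 days) from creation, then hand the item to a human
# reviewer instead of deleting it outright (manual disposition)
New-ComplianceTag -Name $LabelName `
    -Comment "Financial records: retain 7 years, then review" `
    -RetentionDuration 2555 -RetentionType CreationAgeInDays `
    -RetentionAction KeepAndDelete `
    -ReviewerEmail $Reviewer | Out-Null

# Policy: publish the label to Exchange, SharePoint, OneDrive and Office 365 Groups
New-RetentionCompliancePolicy -Name $PolicyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -ModernGroupLocation All | Out-Null
New-RetentionComplianceRule -Name "$PolicyName rule" -Policy $PolicyName `
    -PublishComplianceTag $LabelName | Out-Null

# Verify the label and the policy distribution. Labels only show up in OWA/Outlook
# after the Managed Folder Assistant has processed each mailbox.
Get-ComplianceTag -Identity $LabelName |
    Format-List Name, RetentionDuration, RetentionType, RetentionAction, IsRecordLabel
Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, DistributionStatus, ExchangeLocation, SharePointLocation

# Preservation lock (deliberately left commented out): once set it cannot be undone,
# and the policy can afterwards only be made stricter.
# Set-RetentionCompliancePolicy -Identity $PolicyName -RestrictiveRetention $true
```

Adding -IsRecordLabel $true to New-ComplianceTag produces the "permanent record" variant from the previous slide; items carrying it can no longer be edited or deleted by users, so test the publishing scope on a pilot site before applying it to All.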
Auditing
7. Auditing
- Exchange includes both mailbox and administrative auditing
  - Admin auditing is enabled by default; you have to enable mailbox auditing
- Office 365 has a unified audit mart with ingestion from multiple workloads, including Exchange
  - Events normalized using a common schema during ingestion
  - A tenant with 200 users can easily generate > 5,000 audit events daily
  - SharePoint Online is the most verbose application – much poorer coverage in other applications
- You still have to enable mailbox auditing for Exchange
- Events turn up in the audit mart between 15 minutes and a few hours after generation and stay there for 90 days

7. Auditing – workload coverage
Columns: Workload | Admin Activity Recorded | User Activity Recorded
- Azure Active Directory: Yes
- Exchange Online: Yes (Admin Audit Logging) | Yes (Mailbox Audit Logging)
- SharePoint Online and OneDrive for Business (including sync client)
- Skype for Business: No
- Sway: Yes (Coming soon)
- Power BI for Office 365
- Microsoft Teams
- Yammer
- eDiscovery (searches and cases): N/A
- Teams: No (* sign-ins)
- Dynamics 365
- Flow: Coming

7. Auditing – architecture diagram
Office 365 workloads (Azure AD, Exchange Online, SharePoint & OneDrive for Business, Security & Compliance Center, Power BI) feed the Management Activity API pipeline (Azure microservices) over a Fast Channel and a Slow Channel; a shredder and service bus split events per tenant into the DataMart shards. Consumers: Audit Search, Reports and Dashboards in the Security & Compliance Center, and, through the Management Activity API, Microsoft OMS, Microsoft Cloud App Security, external partners and non-Office 365 applications.

7. Auditing
- Search Audit log (Security and Compliance Center) for online searches of the Office 365 audit mart
  - Export results to CSV file
- Search-UnifiedAuditLog PowerShell cmdlet also available to search for audit events
  - Retrieve batches of audit data (5,000 entries)
  - Audit data in JSON format

7. Auditing
- Searching audit entries rapidly becomes tiresome and prone to human error, so some auditing help might be needed
  - Office 365 Advanced Security Management (E5)
  - Quadrotech Security and Audit
- Alert Policies (E5) automate scanning for patterns of events recorded in the audit log, e.g. “external volume of file deletion”
- Activity Alerts check for specific events recorded in the audit log (can be created from the SCC Search Audit Log option) and email notifications to named individuals
  - Can arrive well after the event
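An added example (not from the presentation) that covers the two Exchange-side chores these auditing slides raise: turning on mailbox auditing for every mailbox, and then pulling events from the unified audit log with Search-UnifiedAuditLog in 5,000-entry batches, expanding the JSON AuditData, and applying a simple "volume of file deletion" check of the kind alert policies automate. It runs in an Exchange Online PowerShell session; the audit action lists, the 24-hour window and the deletion threshold are assumptions to adjust for your tenant.

```powershell
# Added example, not the presentation's code. Part 1: enable mailbox auditing on
# every user and shared mailbox. The action lists are an assumption; trim them to
# the actions your tenant accepts. New mailboxes need this run again (schedule it).
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
foreach ($Mbx in $Mailboxes) {
    if (-not $Mbx.AuditEnabled) {
        Set-Mailbox -Identity $Mbx.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit 180 `
            -AuditOwner    Create, HardDelete, MailboxLogin, Move, MoveToDeletedItems, SoftDelete, Update `
            -AuditDelegate Create, FolderBind, HardDelete, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update `
            -AuditAdmin    Copy, Create, FolderBind, HardDelete, MessageBind, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update
    }
}
# Anything still listed here was missed
Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled } | Select-Object DisplayName

# Part 2: page through the unified audit log. ReturnLargeSet hands back up to 5,000
# unsorted records per call for the same SessionId until the set is exhausted.
$Start     = (Get-Date).AddDays(-1)   # assumed window: last 24 hours
$End       = Get-Date
$Threshold = 100                      # assumed: deletions per user that warrant a look
$SessionId = "FileDeletions-" + (Get-Date -Format "yyyyMMddHHmmss")
$Records   = @()
do {
    $Batch = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType SharePointFileOperation -Operations FileDeleted, FileRecycled `
        -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($Batch) { $Records += $Batch }
} while ($Batch)

# Each record carries its detail as JSON in AuditData; de-duplicate on Identity
# because large-set paging can repeat records
$Events = $Records | Sort-Object Identity -Unique | ForEach-Object {
    $Data = $_.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        TimeStamp = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        Site      = $Data.SiteUrl
        File      = $Data.SourceFileName
        ClientIP  = $Data.ClientIP
    }
}

# Flag users with an unusual number of deletions in the window
$Suspects = $Events | Group-Object User | Where-Object { $_.Count -ge $Threshold } | Sort-Object Count -Descending
foreach ($S in $Suspects) {
    Write-Warning ("{0} deleted {1} files between {2} and {3}" -f $S.Name, $S.Count, $Start, $End)
}
$Events | Export-Csv -Path ".\FileDeletions.csv" -NoTypeInformation
```

Because events reach the audit mart between 15 minutes and a few hours after they happen, a window that ends at "now" always under-reports the last hour or two; run the check with a lag, or overlap successive windows, if you turn it into a scheduled job.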
PowerShell for All
8. PowerShell
- PowerShell used extensively within Office 365 to solve administrative problems
  - Remove items from mailboxes, search audit logs, perform common operations on hundreds of objects, etc.
- PowerShell set for Exchange on-premises contains hundreds of cmdlets that you don’t find in Exchange Online
- Exchange Online has its own unique cmdlets too – like those to control Office 365 Groups (Set-UnifiedGroup, etc.)
- Other important endpoints: SharePoint Online, Security and Compliance Center (SCC), Azure Active Directory, Rights Management, Skype for Business
  - See https://eightwone.com/2015/08/31/connecting-to-office-365exchange/

8. PowerShell
- More extensive throttling exists in the cloud than on-premises
- Azure AD PowerShell module exists in V1 and V2
  - V1: -MSOL cmdlets
  - V2: -AzureAD cmdlets
  - The functionality available in the two versions is not identical
- Important to use the SCC endpoint when dealing with compliance functionality
  - Content searches, eDiscovery cases, classification labels
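An added example (not from the presentation) of working with the two endpoints the slide separates: an Exchange Online session and a Security and Compliance Center session opened side by side, with the SCC cmdlets prefixed so that names the two endpoints share do not collide, and both sessions closed afterwards because of the cloud's throttling of concurrent runspaces. It uses the basic-authentication remoting URIs; accounts protected by multi-factor authentication need the Exchange Online Remote PowerShell Module (Connect-EXOPSSession / Connect-IPPSSession) instead, which this example does not cover.

```powershell
# Added example, not the presentation's code. Open Exchange Online and Security and
# Compliance Center sessions together, prefixing the SCC cmdlets ("CC").
# Assumes an account without MFA; with MFA use the Exchange Online Remote
# PowerShell Module instead of New-PSSession.
$Cred = Get-Credential

$Exo = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Exo -DisableNameChecking | Out-Null

$Scc = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://ps.compliance.protection.outlook.com/powershell-liveid/" `
    -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Scc -Prefix CC -DisableNameChecking | Out-Null

try {
    # Exchange Online cmdlets keep their normal names...
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, RecipientTypeDetails
    # ...while compliance cmdlets carry the prefix, so there is no ambiguity about
    # which endpoint a call goes to
    Get-CCComplianceSearch | Select-Object Name, Status
    Get-CCComplianceTag    | Select-Object Name, RetentionAction
}
finally {
    # The service caps concurrent sessions per account; never leave them open
    Remove-PSSession $Exo, $Scc
}
```

The prefix is purely client-side, so scripts that call Get-CCComplianceSearch run unchanged whether or not an Exchange Online session is also loaded; the try/finally makes sure a failing script still releases both runspaces rather than leaving the account throttled for the next run.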
Managing Mobile Devices
9. Mobile Devices
- ActiveSync is great, but it is an old protocol and is now the “lowest common denominator” connection protocol used by companies like Apple, Samsung, and Google
- Outlook for iOS and Android use a different architecture to access mailbox data
  - Focused Inbox support
  - The complete mailbox contents are indexed and available for searching
- Other Office 365 mobile clients use a mixture of APIs such as the Microsoft Graph

9. Mobile Devices
- EAC Mobile Device Access policies are good enough for ActiveSync devices, but they are not well suited to Office 365 mobile clients
- Intune is the preferred option
Keeping up to date with an Ever-changing Cloud
10. Keeping Up to Date
- Office 365 changes rapidly and often, and sometimes without warning
- Documentation and blogs are not always accurate (blogs decay quickly)
- The Office 365 Roadmap is your friend, but changes occur outside the roadmap
- Message Center in Office 365 Admin Center is more precise for your tenant
  - Use the weekly update emailed as a heads-up
- First Release and Standard Release (and mixed)
- Test tenants
- Licenses control functionality
  - Using AAD Groups for license management

10. Keeping Up to Date
- Service Health Dashboard (SHD) and the question of knowing what’s happening inside Office 365
- Should you worry about the Office 365 Service Level Agreement (SLA)?

Random But Important Stuff
- Multi-factor authentication and conditional access (including for PowerShell)
- Much easier to use Rights Management (Azure Information Protection)
- Need to rework processes to secure ex-employee data
  - Inactive mailboxes and other data sources that need to be secured
- Widespread use of machine learning within Office 365, including analytics products
  - Office 365 Power BI adoption pack
- Office 365 Secure Score: https://securescore.office.com/

Cloud Skills
- In-depth knowledge of at least one basic Office 365 app
  - Exchange, SharePoint/OneDrive for Business, Skype for Business
- Broad awareness of newer apps like Groups, Planner, Teams, StaffHub
- Knowledge of Azure Active Directory (accounts, external sharing, license management)
- Hybrid connectivity (if needed)
- PowerShell (to the level of basic scripting)
- Tracking new developments – Stream, PowerApps, Flow, etc.

Summary and Takeaways
Topic | Comment
Backups | None for Exchange Online – but do you need them?
Archives | Expandable in the cloud
Distribution Groups | Office 365 Groups might be better…
PowerShell endpoints | Limited cmdlet set for Exchange compared to on-premises; separate endpoint for Security and Compliance Center
Searches | Content searches for EXO, SPO, Groups, OD4B, Teams
DLP | Unified DLP policies taking over from Exchange Transport Rules
Classification Labels | Apply to EXO, SPO, OD4B, Groups – but not like mailbox retention policies and tags
Auditing | Unified Office 365 audit mart and audit searches for everything
Mobile | ActiveSync now lowest common denominator; Outlook is the king
Change | Just get used to constant change because Office 365 is “evergreen”…

In Closing
- The radically different nature of Office 365 needs a different administrative mindset to Exchange or any other on-premises environment
- Office 365 is where development focuses and where new functionality appears
- Embrace change and keep your eyes open…
Thanks! Come talk to me at the Quadrotech booth (119)…