OK. So you have successfully migrated to Office 365. Phew! Your migration went well and you are slowly settling into the routine of managing your “cloudified” environment. It’s time to start stringing together the right set of tasks to administer your Office 365 tenant effectively. You first need to understand what is in your Office 365 tenant and which elements are important to track and keep tabs on. In other words, audit and document your Office 365!
The importance of auditing and documenting your Office 365 environment
When it comes to successfully managing the Office 365 environment, the very first thing administrators need to do is perform an Office 365 audit. You need to know who your Office 365 users are, what groups have been configured, what permissions have been granted, who your administrators are, what roles have been granted to users, how your mailboxes have been configured and so on. If you have migrated to Office 365 SharePoint Online, you have another set of documentation to generate: your site collections, sites, lists, site permissions, user access rights to your SharePoint content etc. These give you detailed information on what you are starting out with after your migration and also serve as a checklist to ensure that your migration was indeed completed successfully. A post-migration audit of Office 365 also helps catch errors due to any oversight while you validate your settings and content after your Office 365 migration. Here is a quick list of Office 365 documentation reports to give you some idea of what’s involved. This is in no way a complete list, but it gives you a possible approach to systematically documenting your Office 365 environment. I have also not covered Lync (Skype for Business) and Yammer in this list.
1. What to document? Well, document every bit of information for your records. You don’t want to manage your Office 365 environment without knowing what you are starting out with. First, start with reports on how you have configured your Office 365 (Office 365 post-migration reports):
- Tenant Configuration – list of tenants/custom domains, Authentication details (such as multi-factor authentication), Directory Synchronization details, list of assigned licenses etc.
- Exchange Online configuration – Admin roles, mailbox configuration, Mailbox email addresses, Public folders and their permissions, Mail flow rules, Message size restrictions, Message delivery restrictions, Storage Quotas, Mailbox Storage quotas, Mailbox delivery options, Mailbox default folder security, Public Folder settings, Public Folder message size and delivery restrictions, Public folder limits etc.
- SharePoint Online configuration – Site inventory, List inventory, Site configuration, List configuration, List templates, Site collection workflow templates, Site columns, Site content types, Site templates, Site workflows, Web parts etc.
2. Office 365 Security Audit for Exchange Online
After documentation, the admin’s immediate task is to ensure security by performing a complete security audit of the important elements that moved from on-premises Exchange/AD to Office 365.
- Groups and Group members
  - Group membership determines indirect access rights for users. Users and their group membership must be audited to check for nested groups and associated access rights for users.
- Mailbox permissions
  - All mailboxes must be audited for user permissions after migration and validated against mailboxes on premises to ensure integrity of permissions. If differences are detected the changes have to be validated with authorizing personnel.
- Mailbox folder permissions
  - Similar to mailboxes, mailbox folder permissions also need to be secured.
- Public Folder Permissions
  - This is perhaps the most important set of permissions that need to be audited to prevent unauthorized access to folders. Permissions on Public Folders require periodic cleansing when users no longer need access. After public folders are migrated, all permissions need to be documented along with differences from Exchange on-premises.
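One way to run the on-premises versus Office 365 comparison described for mailbox permissions, as an added example that is not part of the original article: it diffs two permission exports and lists every right that was added or lost in the move. The CSV columns, sample rows and function names are constructed for illustration (the columns could be selected from `Get-MailboxPermission` output on each side), and it assumes an on-premises account name matches the UPN prefix online.

```powershell
# Constructed sample exports (not real tenant data). Assumed columns: Mailbox, User,
# AccessRights, one row per mailbox/user pair, exported before and after migration.
$onPrem = @'
Mailbox,User,AccessRights
support@contoso.example,CONTOSO\alice,FullAccess
support@contoso.example,CONTOSO\bob,ReadPermission
finance@contoso.example,CONTOSO\carol,"FullAccess, ReadPermission"
'@ | ConvertFrom-Csv

$online = @'
Mailbox,User,AccessRights
support@contoso.example,alice@contoso.example,FullAccess
support@contoso.example,bob@contoso.example,FullAccess
finance@contoso.example,carol@contoso.example,ReadPermission
'@ | ConvertFrom-Csv

function Get-PermissionIndex {
    # Flattens rows to one "mailbox|account|right" key per granted right.
    param([object[]] $Rows)
    $index = @{}
    foreach ($row in $Rows) {
        # Assumption: the on-premises account name equals the UPN prefix in Office 365.
        $account = ($row.User -replace '^.*\\', '' -replace '@.*$', '').ToLowerInvariant()
        foreach ($right in ($row.AccessRights -split ',')) {
            $key = '{0}|{1}|{2}' -f $row.Mailbox.ToLowerInvariant(), $account, $right.Trim()
            $index[$key] = $true
        }
    }
    $index
}

function Compare-MailboxPermission {
    param([object[]] $Before, [object[]] $After)
    $old = Get-PermissionIndex $Before
    $new = Get-PermissionIndex $After
    $allKeys = @($old.Keys) + @($new.Keys) | Sort-Object -Unique
    foreach ($key in $allKeys) {
        if ($old.ContainsKey($key) -and $new.ContainsKey($key)) { continue }
        $mailbox, $account, $right = $key -split '\|'
        [pscustomobject]@{
            Mailbox = $mailbox; Account = $account; Right = $right
            Change  = if ($new.ContainsKey($key)) { 'AddedInOffice365' } else { 'MissingInOffice365' }
        }
    }
}

# Every row returned is a difference to validate with the person who authorizes access.
Compare-MailboxPermission -Before $onPrem -After $online | Format-Table -AutoSize
```

With the sample data, bob's change from ReadPermission to FullAccess appears as one missing and one added right, and carol's lost FullAccess appears as missing; alice's unchanged entry is not reported.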
The following SharePoint Online elements need to be audited for security to analyze access rights of users.
- Permissions of Sites, Lists and List Items, including effective permissions
- Access rights of Users and Groups
- Group Ownership
- Limited Access permissions
- Sites and Lists with no unique securable objects
- Unique securable objects with empty permissions
Now, we will see how to understand how your users use Office 365. Office 365 usage and analytical reports give you insights on how to better control and manage your users and their data in Office 365.
Office 365 Management Reports
Dashboard Summary for Office 365
A Dashboard summary gives you a summary of the important reports that you would like to see. It is only a summary, offering just enough information for you to decide if anything warrants attention. A quick glance at the reports tells you whether any action must be taken because something doesn’t look right. For example, if you have the top 5 or 10 mailbox sizes reported in your dashboard and a few of them are growing out of control, you can alert the users or take other actions to bring these mailbox sizes under control. While you review mailbox sizes, it is important to note that Microsoft has increased the size limits for mailboxes across plans, and some of your earlier assumptions may not be valid.
Here is a TechNet article covering the various Exchange Online limits:
Nevertheless, keeping an eye on mailbox sizes is a good administrative habit and will continue to be relevant. For example, if you have shared mailboxes that receive a lot of incoming mail (say, when you have a single shared mailbox for Customer Support), it may still be worthwhile to monitor the mailbox size. (The limit for a Shared mailbox is 50 GB. That’s quite substantial, especially given that shared mailboxes are free!)
Similarly, you can have other important summary reports such as mail traffic reports, number of users and groups reports, new mobile devices that have been added etc. A review of your dashboard summary report is the best way to start your day with Office 365 administration.
Reporting on Office 365 Users
As an administrator, you need to be on top of all new users/groups that have been provisioned as well as inactive users and deleted users. This gives you the ability to plan for your resources and take actions for compliance and governance. As part of provisioning, you need to keep an eye on what license rights have been provided or need to be provisioned (more on this in the next section). As part of deprovisioning activities, you need to take actions as per the governance policies of your organization, such as archiving users’ mailboxes and OneDrive content. Another issue in large organizations is not knowing when users actually move out of the organization. It helps to run a report on a weekly or monthly basis to see the last logon dates of users. If Office 365 admins see users who have not logged on for some time, they can contact the line managers to find out whether those users have left the organization and take appropriate action on their mailbox and content.
Office 365 License reporting and management
Your organization purchases Office 365 licenses on a subscription basis under different plans offered by Microsoft. Putting these licenses to proper use and reducing costs is something any CIO will look into painstakingly. Employees may come and leave, change departments or get promoted. All these require licenses to be assigned, removed, purchased or recycled for optimal use. The Office 365 services an employee needs may also keep changing based on the projects the employee is working on. In short, a proper Office 365 license management tool is a must in any organization in order to make licensing efficient and effective and save on licensing costs. You must have the ability to assign, remove and recycle Office 365 licenses with a full audit trail in order to have complete control of Office 365 license usage within the organization. You should be able to view reports based on the types of licenses assigned to employees, get a count of each license type used within the company, or just get a list of employees and their assigned licenses. You must be able to provision or deprovision Office 365 user licenses in bulk. Having an Office 365 license management process in place with proper tools can result in significant savings in Office 365 annual licensing costs.
Office 365 Administration Roles
If you have a fairly large organization with multiple departments, you will most likely need to assign several users to Office 365 Administration roles. These roles let you delegate administrative functions such as license management and password resets to certain users within the organization. All delegated roles must be assigned or removed with a proper audit trail, allowing you to track when changes were made. These Office 365 Administration roles also need to be audited regularly to verify that the assigned users and roles continue to be valid (for example, an assigned user may have left the organization). From a security control standpoint, Office 365 administration roles assigned to users require constant attention, and you need role administration reports on changes made to these roles.
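A sketch of the regular role review described above, combined with the last-logon check from the user reporting section; it is an added example, not part of the original article or of any vendor tool. It joins a role membership export against a user export and flags role holders whose account is gone, blocked or idle. The CSV columns, role labels, sample rows and the `Get-AdminRoleFinding` name are constructed for illustration.

```powershell
# Constructed sample exports (not real tenant data); the column names are assumptions.
$roleMembers = @'
Role,UserPrincipalName
Global admin,admin1@contoso.example
Password reset,helpdesk1@contoso.example
License management,licadmin@contoso.example
Billing,former.employee@contoso.example
Password reset,newadmin@contoso.example
'@ | ConvertFrom-Csv

$users = @'
UserPrincipalName,SignInBlocked,LastLogon
admin1@contoso.example,False,2024-05-28
helpdesk1@contoso.example,False,2024-01-15
licadmin@contoso.example,True,2024-04-30
newadmin@contoso.example,False,
'@ | ConvertFrom-Csv

function Get-AdminRoleFinding {
    param([object[]] $RoleMembers, [object[]] $Users,
          [int] $MaxIdleDays = 30, [datetime] $AsOf = (Get-Date))
    # Index users by UPN so each role assignment is a single lookup.
    $byUpn = @{}
    foreach ($u in $Users) { $byUpn[$u.UserPrincipalName] = $u }
    foreach ($m in $RoleMembers) {
        $user = $byUpn[$m.UserPrincipalName]
        $finding = if (-not $user) { 'Account not in user export (deleted?)' }
            elseif ($user.SignInBlocked -eq 'True') { 'Sign-in blocked but role still assigned' }
            elseif (-not $user.LastLogon) { 'No logon recorded' }
            elseif (($AsOf - [datetime]$user.LastLogon).TotalDays -gt $MaxIdleDays) {
                "No logon for more than $MaxIdleDays days"
            }
        if ($finding) {
            [pscustomobject]@{
                Role = $m.Role; UserPrincipalName = $m.UserPrincipalName; Finding = $finding
            }
        }
    }
}

# A fixed review date keeps the sample output stable; omit -AsOf to use today's date.
Get-AdminRoleFinding -RoleMembers $roleMembers -Users $users -AsOf '2024-06-01' |
    Format-Table -AutoSize
```

Each finding is a prompt to check with the user's line manager before the role is removed, not an automatic removal; with the sample data only admin1 passes without a finding.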
Vyapin Office 365 Management Suite contains a comprehensive Reporting module for Office 365. Even though many of these reports may be generated using PowerShell scripts, the power and convenience of having a dedicated reporting tool for Office 365 should not be underestimated. As one of the earliest vendors of reporting solutions for IT management, Vyapin tools have assisted thousands of IT administrators and managers to get the right reports in the right format for Compliance and Security Management needs.