Friday, May 22, 2015

Office 365 First Release for Specific Users

A while ago Office introduced the First Release program. This was a new solution to allow forward-leaning organizations to access new features as quickly as possible.

There was a recent announcement that the First Release program was being modified to allow customers to select specific end users to receive First Release features. This is beneficial because new features will not be pushed to the entire organization; they will just be pushed to those users. This will allow organizations to review these new features with some power users before they are pushed to the entire organization. Organizations can customize their change management processes based on this.

It is worth noting that the First Release program is available to Exchange Online, SharePoint Online, Office 365 Nav bar and Office 365 Admin Center today. The First Release program for select users is not available for SharePoint Online.

Remember there are tons of ways your organization can get prepared for change. There is the:

  • Public Office 365 Roadmap website
  • Office 365 Public and Private Preview Programs
  • Notifications through the Office 365 Admin Center
  • Review the Office 365 Blog for announcements
  • If you are a managed customer through Microsoft Consulting Services (MCS) you can get NDA roadmaps and planning

Announcement -

New OneDrive for Business and OWA Integration

There was an announcement a few days ago that I am very happy to see because I have had customers ask for this a lot.

The new feature being added is that from OWA, you now have the ability to save attachments to OneDrive for Business. Yes, I am excited to see this.

This new feature really is starting to unify the full browser experience for customers. A few months ago, Office Online was integrated with OWA so that users can immediately edit Word, Excel and PowerPoint attachments and then send those edits right back to people.

With the new Save to OneDrive for attachments, users can save the attachments they want to work on right to OneDrive for Business through the browser.


Why is this great to hear?

  • If you are a heavy Sync user, the attachment(s) saved to OneDrive will be pushed to all your devices.
  • There could be scenarios where you are accessing Office 365 and all you have is a browser. If you want to move that file out of OWA and start working with it in OneDrive for Business, you can do that.
  • There are scenarios where customers, because of their policies, turn off the ability to download attachments out of OWA. This new capability allows users to continue to work with attachments without having to download a file to an unmanaged device.

Announcement -

New Unified DLP for Office 365 Coming Soon

At the RSA Security Conference (April 2015) and the Ignite Conference there were some new announcements about the future of Data Loss Prevention for Office 365.

What is available right now?

There are multiple solutions in Office 365 right now.

So what is new?

New Unified DLP in Compliance Center

Even with all of this, there is more required and Office 365 is stepping up. Office 365 is planning to provide a comprehensive and unified Data Loss Prevention (DLP) solution across Exchange Online, SharePoint Online, OneDrive for Business and Office ProPlus. This new unified experience will allow customers to define a single DLP policy and see consolidated DLP reporting for something like PII across Office 365 workloads, not just Exchange Online. This is super exciting!!!


New SharePoint Online and OneDrive for Business Policy Tips

SharePoint Online and OneDrive for Business had a DLP capability for compliance to find the data, yet there was no policy tip feature. Now a new Policy Tip feature is being introduced that will proactively notify end users they are placing content that violates policy in SharePoint Online and OneDrive for Business.


New SharePoint Online and OneDrive for Business Solutions

The initial release allowed you to find data; the feature set is now being enhanced.

In Preview Right Now

  • Detect external sharing and apply actions – This is nice because the policy can detect if the SharePoint site itself has permissions given to external users.
  • Scope policies to specific locations / sites – This is nice because there may be specific sites where different policy needs to be applied.
  • Scanning for document properties – Will check for DLP matches not just in a file but also in its metadata, which is good to have.
  • Block / restrict access to sensitive content – Basically the ability to take action on sensitive data once it has been found.
  • Customized Policy tips – just mentioned this above.

Additionally there is a phase 3 that is being worked on. It is targeted for H2 CY15 and would include:

  • Exceptions for locations / conditions – This will allow you to create a policy and then create exception rules that state a specific site is allowed to have sensitive data.
  • Ability to encrypt content as an action – Once a sensitive file is found, an AD RMS policy can then be placed on that data.
  • Support for custom classifications and document fingerprinting – This will look at the structure of content.
  • Shared by/by member of conditions
  • Detect content scanning errors
  • Richer content types and more enforcement endpoints

Policy Tips in Office ProPlus

As part of Office 2016, some new user experiences are going to be provided. Users will be notified in real time in Word, Excel and PowerPoint that they are accessing sensitive content. That is awesome. DLP is being pushed farther down the stack. So if a user opens up a sensitive file from SharePoint Online or OneDrive for Business they will be notified.


Announcement -

Ignite Conference Session -

Office 365 More Advanced Encryption Coming

There was an announcement at the RSA Conference (April 2015) that was really interesting. Exchange Online is going to be adding some additional advanced encryption above what is already available today.

Today – There are a lot of good solutions in Exchange Online. There is Rights Management, S/MIME support and Office 365 Message Encryption (OME), which can all be used to encrypt what I call the message payload (the actual email). As well, Microsoft BitLocker drive-level encryption has been applied in Exchange Online so data is encrypted at rest. Additionally, remember that all data in transit to Office 365 is encrypted.

So what is being added? – On top of the really good encryption and protection, Microsoft is going to make more strides for Exchange Online. Last year, a new file-based encryption solution was added for SharePoint Online and OneDrive for Business. This solution encrypts every file stored with its own unique key, and re-encrypts it with a new key on each subsequent update. There is a lot more to this solution. For Exchange Online, a similar content-level encryption solution is to be made available by the end of CY 2015.

The announcement also stated that in 2016, customers will be able to generate their own keys for this content-level encryption across Office 365!

This just adds yet another layer of data protection and encryption demonstrating Office 365’s commitment. Very very very exciting.

Here is the announcement -

Here is a good presentation from the recent Ignite Conference (May 2015) on Encryption solutions available today in Exchange Online -

Office 365 Ignite Conference Sessions

Were you like me and missed Ignite in May 2015? No worries, all the sessions are publicly available here -

New Office 365 Management Activity Feeds and APIs

At the RSA conference in April 2015 there was an interesting announcement for some new security and compliance management APIs for Office 365.

Today there are numerous ways to get access to application logs. For instance:

So what is changing?

These APIs are going to be consolidated into the “Office 365 Management Activity API”, which will be a set of REST web services that can be a single point to get over 150 transaction types for SharePoint Online, Exchange Online, Azure AD, etc. I am really excited to see this, as today customers have to go to a lot of places to pull down this data.

Additionally, the announcement stated that ISVs will be building solutions on top of these APIs for customers. Here is the announcement -

At the recent Ignite Conference (May 2015), more information about this was presented. Here is the video of that session -




Office 365 DoD Cloud Computing L2 Impact Level PA

Microsoft Office 365 has been granted an L2 Impact Level Provisional Authority (PA). This L2 PA is for the Office 365 for Enterprises and Office 365 for Government offerings. The announcement is here -

This PA is predicated on the fact that Office 365 has a FedRAMP Agency ATO which is listed here -

If you want to read more, you can review the DoD Cloud Computing Security Requirements Guide (SRG) located here -

Office 365 Customer Lockbox


There was a major announcement made at the RSA Security Conference (April 2015) related to Office 365 and a solution called the Lockbox. In this announcement, it was publicly communicated that a new step is being added to the Lockbox process. This addition to the process gives Office 365 customers explicit control over the rare instances when a Microsoft Engineer may need access to customer content to resolve a customer issue.

So what is the Lockbox?

If you have not read about the Office 365 Lockbox, I highly recommend you learn more about it. There is good information in the Office 365 Security Whitepaper (

In Office 365, Microsoft Engineers do not have any standing permissions into the environment. Access to the environment is controlled through a solution called the Lockbox. The Lockbox requires multiple levels of approval and ultimately provides just-in-time access with the least amount of privileges required to support an activity. All activity is time boxed, so the support activity must be completed in the specified period of time. All activity is logged and audited. Remember there are tons of other solutions available in Office 365 to protect customer content. For instance, Microsoft strives to automate all access to the environment to reduce human access, and there is separation of duties, encryption in transit, encryption at rest, two-factor authentication, etc., etc., etc.

Microsoft has designed the Office 365 service such that access to customer content is not required. Microsoft’s position has always been the customer owns the data and Microsoft does not mine or use customer data for advertising purposes.

So what is the update to the Lockbox process?

The Lockbox will provide engineers access to the environment. Remember just because an engineer is given access to the environment does not mean they need any access to customer content.

Are there rare cases where a support engineer may need access to customer content to troubleshoot an issue? Sure there could be.

With this new announcement, customers now have an approval step in the Lockbox process mentioned earlier. If there is a support request and rare access to customer content is required, the customer now owns the right to approve or reject access. Logs of this approval activity will also be available to customers. If a customer rejects access, no Microsoft Engineer will have access to continue forward.



This solution is industry changing for cloud SaaS providers. It provides customers additional control to be assured that their data is being protected. Microsoft has provided industry-leading data protection solutions to this point; the solution only becomes better with this announcement.

Announcement is here -