Saturday, December 14, 2013

Exchange Online Protection (EOP) Overview

Introduction

I have to say I am a little embarrassed. I actually started writing this blog over six months ago and got distracted.

Well I have just finished it off. I really think there is even more I could discuss but I need to get this out the door.

In this blog I am going to give a high-level overview of Exchange Online Protection (EOP) and discuss some major considerations as you review it.

As you learn about EOP you will find out:

  • EOP is very flexible and configurable.
  • EOP has real enterprise credibility.
  • EOP is 100% integrated into the Office 365 and Exchange Online administrative and end user experience. EOP is not a bolt-on.

This is a real differentiator.

Processing Flow Chart

Before we go diving into each component, it is important to understand conceptually what the major components of EOP are:

  • Connection Filtering – This enables safe listing across your entire organization. It is the first step an email goes through as it comes into Exchange Online.
  • Anti-Malware – This is always executed. It checks the email and its attachments for viruses.
  • Transport Rules and Policy Filters – This is where any custom policies, and especially transport rules that redirect email, are executed.
  • Content Filtering – These are the anti-spam engines that analyze inbound (and outbound) email.

I highly recommend reviewing this EOP Overview - http://technet.microsoft.com/en-us/library/jj723119(v=exchg.150).aspx.

In the next few sections I will give a high-level break-out of each component.

Connection Filtering

Connection filtering is used to create IP Allow and IP Block lists and to enable safe listing throughout the entire organization.

In the EAC go to Protection >> Connection Filter. There is a default connection filter policy, which will be blank. You simply add IP addresses to the allow and block lists.

There is also a checkbox called Enable Safe List. This is a list of trusted safe senders provided by third-party sources that Microsoft subscribes to. Selecting that option will skip spam filtering (content filtering) on messages sent by those senders.

Here is a quick reference - http://technet.microsoft.com/en-us/library/jj200718(v=exchg.150).aspx.

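As an added example that is not part of the original post, here is the same connection filter configuration done through Exchange Online remote PowerShell, which is how I would script and then verify it. It assumes an Office 365 tenant with EOP and an admin account in the Organization Management role; the connection URI is the 2013-era ps.outlook.com endpoint, and the IP addresses are constructed placeholders from the RFC 5737 documentation ranges, not real senders.

```powershell
# Added example, not from the original post. Assumes an Office 365 / EOP tenant
# and an admin account with the Organization Management role.
# IP addresses are constructed placeholders (RFC 5737 documentation ranges).

# 2013-era remote PowerShell connection to Exchange Online
$cred    = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking

# There is exactly one connection filter policy, named Default. Look before you change it.
Get-HostedConnectionFilterPolicy -Identity Default |
    Format-List IPAllowList, IPBlockList, EnableSafeList

# Allow a trusted partner gateway (mail from it skips content filtering),
# block a range that has been sending junk, and turn on the third-party Safe List.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = "203.0.113.10"} `
    -IPBlockList @{Add = "198.51.100.0/24"} `
    -EnableSafeList $true

# Re-read to confirm. Anything in IPAllowList bypasses spam filtering entirely,
# so keep that list short and review it on a schedule.
Get-HostedConnectionFilterPolicy -Identity Default |
    Format-List IPAllowList, IPBlockList, EnableSafeList

# To take a single entry back out later:
# Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Remove = "203.0.113.10"}

Remove-PSSession $session
```

The `@{Add = ...}` / `@{Remove = ...}` syntax edits the list in place, so a scripted change never accidentally wipes out entries someone else added through the EAC.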

Malware Scanning

Malware scanning is the component of EOP that checks for viruses and spyware that may be in email sent to your organization. Remember that viruses can infect other programs or data on your computer, while spyware gathers personal information from your computer.

Configuring Malware Filter policies is again simple; here is a reference - http://technet.microsoft.com/en-us/library/jj200669(v=exchg.150).aspx.

First you need to go to the EAC >> Protection >> Malware Filter. This is where you can create one or more Malware Filter policies. You can prioritize the policies by using the up and down arrows. You also have the ability to enable and disable custom policies, but you can never disable the default policy.


When working with a Malware Filter policy you have several configurations that you can work with. Here is some information about the configurations you have available.

  • Name and Description – pretty obvious.
  • Malware Detection Response – This gives you the option to delete the entire message or delete just the attachments. There are options to use the default message or to customize the message. Note that this action is applied to both inbound and outbound messages.
  • Sender Notifications – This allows you to define whether internal and/or external senders will be notified.
  • Administration Notifications – This allows you to determine which administrators should be notified for malware from internal and/or external senders.
  • Custom Notifications – This allows you to create custom notifications based on the administrator notifications that were checked earlier.
  • Apply To – This is the final area, which allows you to actually create the criteria for the Malware Filter policy. You have the ability to assign it to user(s), group(s) and domain(s).
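The same Malware Filter policy built from PowerShell, as an added example that is not part of the original post. It assumes an Exchange Online remote PowerShell session is already open; contoso.com, the Finance group address and the secops mailbox are placeholders. The policy object holds the detection response and notification bullets above, and the rule object is the Apply To section.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# remote PowerShell session. contoso.com and the addresses are placeholders.

# The policy holds the Malware Detection Response and notification settings.
# External sender notifications are left off on purpose: malware usually carries
# a forged From: address, so the notice would go to an uninvolved third party.
New-MalwareFilterPolicy -Name "Finance Malware Policy" `
    -Action DeleteAttachmentAndUseDefaultAlert `
    -EnableInternalSenderNotifications $true `
    -EnableExternalSenderNotifications $false `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@contoso.com" `
    -EnableExternalSenderAdminNotifications $true `
    -ExternalSenderAdminAddress "secops@contoso.com"

# The rule is the "Apply To" section: who the policy covers, and its priority
# relative to other custom policies (0 is evaluated first).
New-MalwareFilterRule -Name "Finance Malware Rule" `
    -MalwareFilterPolicy "Finance Malware Policy" `
    -SentToMemberOf "Finance@contoso.com" `
    -Priority 0

# Custom rules can be disabled and re-enabled; the default policy cannot.
Disable-MalwareFilterRule -Identity "Finance Malware Rule"
Enable-MalwareFilterRule  -Identity "Finance Malware Rule"

# Review what is in effect
Get-MalwareFilterPolicy | Format-Table Name, Action, IsDefault -AutoSize
Get-MalwareFilterRule   | Format-Table Name, Priority, State, SentToMemberOf -AutoSize
```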

Policy Enforcement

Transport rules give organizations the ability to create rules that process inbound and outbound email. Transport rules use predicates and actions to build the logic that processes email. There are tons of actions in transport rules that are used for processing, data loss prevention, compliance, etc. For email hygiene there are actions such as deliver the message to the spam quarantine, use the following outbound connector, reject the message, delete the message, set the message header value, apply a message classification, set the spam confidence level (SCL), require TLS encryption, generate an incident report and send it to, etc. There are a lot of actions you can use to build policy.

Here is a good reference to learn more about rules - http://technet.microsoft.com/en-us/library/jj919238(v=exchg.150).aspx.

It is really easy to go in and create a rule using a pre-configured template, or to create a blank rule from scratch.
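Two transport rules that use the hygiene actions listed above (set SCL, set a header, require TLS, generate an incident report), as an added example that is not from the original post. It assumes an open Exchange Online remote PowerShell session; contoso.com, partner.example, the IP address, the mailbox and the project keyword are placeholders I constructed. Both rules start in a non-enforcing mode so their hits can be checked in Message Trace before they act on mail.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# remote PowerShell session. Domains, IP and addresses are placeholders.

# Rule 1: external mail that claims to be from our own domain is a common
# phishing pattern. Force its SCL to 9 so content filtering treats it as high
# confidence spam, and stamp a header so Message Trace shows why it was scored.
# Start in Audit mode: matches are logged but the actions are not applied, until
# Message Trace shows no legitimate sender (e.g. a partner gateway) is matching.
New-TransportRule -Name "External mail spoofing contoso.com" `
    -FromScope NotInOrganization `
    -SenderDomainIs "contoso.com" `
    -ExceptIfSenderIpRanges "203.0.113.10" `
    -SetSCL 9 `
    -SetHeaderName "X-Contoso-Rule" -SetHeaderValue "SpoofedInternalDomain" `
    -Mode Audit `
    -Priority 0

# Rule 2: mail to a partner about a sensitive project must go over TLS, and an
# incident report goes to the security mailbox. AuditAndNotify sends the report
# but does not yet enforce the TLS requirement.
New-TransportRule -Name "Partner project mail requires TLS" `
    -RecipientDomainIs "partner.example" `
    -SubjectOrBodyContainsWords "Project Falcon" `
    -RouteMessageOutboundRequireTls $true `
    -GenerateIncidentReport "secops@contoso.com" `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetection `
    -Mode AuditAndNotify

# Promote a rule to enforcement once its matches have been reviewed
Set-TransportRule -Identity "External mail spoofing contoso.com" -Mode Enforce

Get-TransportRule | Format-Table Name, Priority, State, Mode -AutoSize
```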

Content Filtering

Content Filtering is the component of EOP that performs the actual spam filtering based on the content of the message. You have the ability to create rules for the organization, groups of users, individual users and even domains.

Here is a good reference with a video showing you how to get Content Filtering set-up - http://technet.microsoft.com/en-us/library/jj200684(v=exchg.150).aspx.

First you go to the Content Filtering management area.


When setting up the Content Filtering policy, the Actions screen is an important one. This is where you actually create the rules that determine where spam will be directed. By default, mail identified as spam is sent to the junk mail folder. There are other options, such as send the email to quarantine, delete the message, add an X-header, prepend the subject line with text, or redirect the message to an email address. Plus you can assign the rules based on the SCL. There are two rules: you can create one for email that is potentially spam and another for email that EOP has determined with high confidence to be spam.

This really provides organizations some real flexibility. Let’s discuss some of this.

One recommended approach is to utilize the junk mail folder and quarantine together. The nice thing about letting some potential low-scoring spam through to the end user is that the end user can decide whether it is spam or not. With EOP, the content filtering policy takes into account the individual end user’s safe sender list. Remember that in the junk mail folder the end user can indicate that an email is or is not junk mail. Those indications are remembered and then utilized when email is again sent to that individual end user. I usually say to people that there are legitimate marketing emails that are sent out that I want to be notified about. I as an end user can say that email from a user, domain, etc. is good email and should be routed to my inbox, while there may be other people in my organization who do not feel the same way and thus create a junk mail rule that email from that user, domain, etc. should always go to their junk mail folder. End users can do this through Outlook and OWA. This really provides a level of flexibility to end users.

As you may recall, I said above that you can create actions for spam versus high confidence spam. If your organization really wants to make sure that high confidence spam never shows up, you can create a different action to send high confidence spam directly to the quarantine. Some organizations want to send all spam to the quarantine; that is fine too. If you send email to the quarantine, you can configure the content filter policy to send notifications to end users every three days giving them the ability to release items from the quarantine. They will get a notification email.

Remember you have other actions you can take: delete the message, add an X-header, prepend the subject line with text or redirect the message to an email address. It is really up to you to come up with appropriate policies based on how your IT organization supports its end users.

You have a lot of flexibility; that is what I like so much about EOP.

Additionally, as part of your filtering policy you can create rules for international spam by looking at the language of the email and where it originated from. This is huge when trying to determine what is spam and what is not. These settings are on the main screens where you configure your spam policy.

Next there are advanced spam options that are available to you. Here is a good reference on this - http://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx. There are a ton of configurations you should consider.

  • There are several rules you can turn on that check for specific HTML, URLs, objects, etc. in the body of a message that your organization wants to treat as spam.
  • SPF record: hard fail and Conditional Sender ID filtering: hard fail should be turned on if you want extra protection against phishing.
  • Block all bulk email messages is another good option to turn on. If bulk messages are being sent to your organization (like a company running a targeted campaign at your entire organization), these can be blocked. Note that end users have the ability to create their own Safe Sender lists in Outlook and OWA, so if an individual wants that email, they will still get it.

Again there are lots of good options that you can explore.

Note that you must always have a default policy. With additional content filtering policies, you have the option to create rules that apply them to specific users, groups, or domains. This can be valuable if you have different spam policies for different types of information workers.
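Pulling the whole Content Filtering discussion together, here is one custom policy plus the rule that scopes it, built from PowerShell as an added example that is not part of the original post. It covers the two spam actions, the three-day quarantine notifications, the international (region and language) settings, the SPF and Sender ID hard-fail options, bulk mail, and the Apply To scoping. It assumes an open Exchange Online remote PowerShell session; contoso.com and the Executives group are placeholders, and the region and language codes are there only to show the syntax, not as a recommendation.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# remote PowerShell session. contoso.com and the Executives group are
# placeholders; region and language codes are illustrative only.

# Splatting lets each setting carry its own comment (a comment after a
# line-continuation backtick would break the command).
$policy = @{
    Name                          = "Executives Spam Policy"
    # Actions: likely spam goes to the Junk folder so the user can decide;
    # high confidence spam is quarantined and never reaches the mailbox.
    # Other choices are Delete, AddXHeader, ModifySubject and Redirect.
    SpamAction                    = "MoveToJmf"
    HighConfidenceSpamAction      = "Quarantine"
    # "Block all bulk email messages"
    MarkAsSpamBulkMail            = "On"
    BulkSpamAction                = "MoveToJmf"
    # Advanced options aimed at phishing: SPF hard fail and Sender ID hard fail
    MarkAsSpamSpfRecordHardFail   = "On"
    MarkAsSpamFromAddressAuthFail = "On"
    # Advanced options on message body content
    MarkAsSpamEmbedTagsInHtml     = "On"
    MarkAsSpamObjectTagsInHtml    = "On"
    MarkAsSpamJavaScriptInHtml    = "On"
    # International spam: block by originating region and by language
    EnableRegionBlockList         = $true
    RegionBlockList               = @("IS")
    EnableLanguageBlockList       = $true
    LanguageBlockList             = @("is")
    # Quarantine notifications to end users every three days
    EnableEndUserSpamNotifications   = $true
    EndUserSpamNotificationFrequency = 3
    # Days a quarantined message is kept before it expires
    QuarantineRetentionPeriod     = 15
}
New-HostedContentFilterPolicy @policy

# The rule is the "Apply To" scoping: users, groups or domains
New-HostedContentFilterRule -Name "Executives Spam Rule" `
    -HostedContentFilterPolicy "Executives Spam Policy" `
    -SentToMemberOf "Executives@contoso.com" `
    -Priority 0

# The Default policy always exists and covers everyone no custom rule matches.
# Tighten it as well: quarantine high confidence spam and notify users.
Set-HostedContentFilterPolicy -Identity Default `
    -HighConfidenceSpamAction Quarantine `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationFrequency 3

Get-HostedContentFilterPolicy |
    Format-Table Name, SpamAction, HighConfidenceSpamAction, IsDefault -AutoSize
```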

Junk Mail Folder / Quarantine

In the previous section we talked about Content Filtering policies and how both the quarantine and junk mail folders played an important part with those policies. If you need to manage and find email in the quarantine, there is an admin screen in EOP that is easy to use. For more information, please review this - http://technet.microsoft.com/en-us/library/jj200776(v=exchg.150).aspx.

Additionally, if you want to send notifications to end users that email is going to the quarantine, you need to click Enable End-User Spam Notifications on the Content Filter policy to enable this.

Additionally, here is a good reference about the junk mail folder - http://office.microsoft.com/en-us/outlook-help/overview-of-the-junk-email-filter-HA102748954.aspx. The junk mail folder is also available in OWA. Remember that in the content filter policies you have the ability to create rules that direct email that may potentially be spam to an end user’s junk mail folder.

One side note: there is a retention policy on the junk mail folder. I commonly have people say, I want to make sure that the junk mail folder gets cleaned out. No problem. By default the retention policy on the junk mail folder is 30 days. You can change that retention to make sure it goes away when you want it to.

Finally, there are ways to report junk mail to Microsoft. This can be done by end users or administrators. For more information, please read this - http://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx.
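The quarantine admin screen and the junk mail folder retention described above, done from PowerShell as an added example that is not part of the original post. It assumes an open Exchange Online remote PowerShell session; the mailbox and sender addresses are placeholders, and the "Junk Email" retention policy tag is the one that ships with the default retention policy in Exchange Online.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# remote PowerShell session. Addresses are placeholders.

# What has been quarantined as spam for one user in the last 7 days
$items = Get-QuarantineMessage -Type Spam `
    -RecipientAddress "alice@contoso.com" `
    -StartReceivedDate (Get-Date).AddDays(-7) `
    -EndReceivedDate (Get-Date)

$items | Format-Table ReceivedTime, SenderAddress, Subject, Expires -AutoSize

# Release one message to all of its recipients, but only after looking at it
$msg = $items |
    Where-Object { $_.SenderAddress -eq "newsletter@partner.example" } |
    Select-Object -First 1
if ($msg) {
    Get-QuarantineMessage -Identity $msg.Identity |
        Format-List Subject, SenderAddress, RecipientAddress, ReceivedTime, Expires
    Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll
}

# Quarantine expiry is set per content filter policy
Get-HostedContentFilterPolicy | Format-Table Name, QuarantineRetentionPeriod -AutoSize

# The Junk Email folder's 30-day cleanup is a retention policy tag of type
# JunkEmail; shorten it to 14 days if 30 is too long for your organization.
Get-RetentionPolicyTag | Where-Object { $_.Type -eq "JunkEmail" } |
    Format-Table Name, AgeLimitForRetention, RetentionAction -AutoSize
Set-RetentionPolicyTag -Identity "Junk Email" -AgeLimitForRetention 14
```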

Outbound Spam

EOP also implements rules that help ensure organizations are not the originator of spam and malware. All email being sent from your organization will be checked, and a policy must be present; it is not possible to turn it off. If email is identified as being spam or having malware, it will either be stopped or sent through a high risk delivery pool. All of your normal email goes through the normal delivery pool, so your good email is not associated with email originating from your organization that is considered to be spam.

If a mailbox continues to send spam, it is possible that Microsoft will block it from sending email. Notifications can be configured to contact an administrator if this occurs. For more information, read here - http://technet.microsoft.com/en-us/library/jj200737(v=exchg.150).aspx.

In the EAC there is a screen where you configure how to notify administrators when there is outbound spam.
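The outbound spam notification settings from PowerShell, plus a quick check for which mailboxes are tripping the outbound filter, as an added example that is not part of the original post. It assumes an open Exchange Online remote PowerShell session; contoso.com and the notification addresses are placeholders.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# remote PowerShell session. Addresses are placeholders.

# There is one outbound spam policy and it cannot be disabled; what you can do
# is make sure someone hears about it when a mailbox starts sending spam.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients "secops@contoso.com" `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients "abuse-review@contoso.com"

Get-HostedOutboundSpamFilterPolicy |
    Format-List Name, NotifyOutboundSpam, NotifyOutboundSpamRecipients,
                BccSuspiciousOutboundMail, BccSuspiciousOutboundAdditionalRecipients

# Outbound mail EOP filtered as spam in the last 24 hours, grouped by sender.
# A burst from a single mailbox is the usual sign of a compromised account.
Get-MessageTrace -SenderAddress "*@contoso.com" -Status FilteredAsSpam `
    -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date) |
    Group-Object SenderAddress |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```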

Message Trace

Message Trace is another valuable feature of EOP that allows administrators to follow messages as they pass through the Exchange Online and EOP environment. This is very helpful if you are trying to understand the rules and processing of messages. For instance, it can help you understand where good email is getting stopped if you have a lot of rules. This helps the administrator determine how they may need to re-configure or tweak EOP policies to ensure that email gets through. Additionally, it is also good for understanding how email is being forwarded when you are performing an audit.

For more information read here - http://technet.microsoft.com/en-us/library/jj200668.aspx.
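The "good email is getting stopped" investigation described above, done with the Message Trace cmdlets as an added example that is not part of the original post. It assumes an open Exchange Online remote PowerShell session; the sender, recipient and partner domain are placeholders.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# remote PowerShell session. Addresses and domains are placeholders.

$start = (Get-Date).AddDays(-2)
$end   = Get-Date

# "The partner says they sent it, the user never got it": trace that pair
$trace = Get-MessageTrace -SenderAddress "orders@partner.example" `
    -RecipientAddress "alice@contoso.com" -StartDate $start -EndDate $end

$trace | Format-Table Received, Status, Subject, FromIP, MessageTraceId -AutoSize

# For anything not delivered, pull the per-hop detail: this is where you see
# which transport rule or filter acted on the message and with what action.
$trace | Where-Object { $_.Status -ne "Delivered" } | ForEach-Object {
    Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId `
        -RecipientAddress $_.RecipientAddress |
        Format-Table Date, Event, Action, Detail -AutoSize
}

# Audit view: how did all mail from that sending domain fare over the window?
Get-MessageTrace -SenderAddress "*@partner.example" -StartDate $start -EndDate $end |
    Group-Object Status |
    Format-Table Name, Count -AutoSize
```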

Connectors

Another piece is configuring Inbound and Outbound Connectors. Connectors are used to control email flow and become very important as part of an enterprise deployment.

There are two main references I recommend people read: http://technet.microsoft.com/en-us/library/jj723133(v=exchg.150).aspx and http://technet.microsoft.com/en-us/library/jj723138(v=exchg.150).aspx.

Connectors are used to create secure connections between EOP and email appliances, gateways, etc. When you are first learning about connectors, you need to understand the terms “inbound” and “outbound” connector. Neither term refers to inbound or outbound email from your mail server’s point of view; both are defined relative to the email traffic of EOP. The quicker you understand that, the more quickly this will make sense.

Let’s talk about some common scenarios I usually talk with organizations about.

  • MX Record On-Premise – Many of the organizations I work with require all email to be routed through their on-premise environment for regulatory reasons. They have appliances that must monitor both their inbound and outbound email traffic. In this scenario you would set up an Inbound Connector for EOP to receive email from on-premise and then create an Outbound Connector for EOP to send email to on-premise to subsequently be sent out. I recommend reading Connector Scenario for Partner with Forced TLS Scenario - http://technet.microsoft.com/en-us/library/jj723154(v=exchg.150).aspx and making the appropriate configurations (for instance, make it an on-premise connector type). In this case, the partner is your on-premise email appliance, gateway, etc. that mail is being routed through.
  • Hybrid – For hybrid with Exchange Online and on-premise Exchange, it is the same as just described, as you want to ensure your connections are secured. You will create an inbound connector to receive email from Exchange on-premise and an outbound connector to send email back to on-premise. I recommend you read both of these articles to understand the hybrid mail flow patterns: http://technet.microsoft.com/en-us/library/jj659055(v=exchg.150).aspx and http://technet.microsoft.com/en-us/library/jj659050(v=exchg.150).aspx. Then I recommend reading Connector Scenario for Partner with Forced TLS Scenario - http://technet.microsoft.com/en-us/library/jj723154(v=exchg.150).aspx and making the appropriate configurations (for instance, make it an on-premise connector type). In this case, the partner is your on-premise Exchange server. Actually, when you use the new Hybrid Configuration Wizard, it will set up these connectors for you! For more information, read here - http://technet.microsoft.com/en-us/library/jj200790(v=exchg.150).aspx.
  • Partner with Forced TLS – Used to ensure secure communication with a partner organization. Again you will create an outbound connector from EOP to the partner organization and then create an inbound connector to receive email from the partner organization. This scenario will only work if you have the MX record residing with EOP. I recommend reading Connector Scenario for Partner with Forced TLS Scenario - http://technet.microsoft.com/en-us/library/jj723154(v=exchg.150).aspx.
  • Email DLP Appliance On-Premise – There are cases where organizations have a DLP or other email appliance that they want to route only outbound email traffic through. The customer may be considering moving to the Exchange Online DLP solution but needs to transition slowly. This is sometimes referred to as the Smart Host scenario. In this case the MX record resides with Exchange Online, and all you need to do is set up an outbound connector to your on-premise email appliance. Please review this - http://technet.microsoft.com/en-us/library/jj723128(v=exchg.150).aspx.
  • Conditional Mail Routing – Another scenario you may set up is when the MX record resides with EOP and you have distributed email servers on-premise. In this case you will create multiple outbound connectors from EOP to those on-premise email servers, and then create transport rules with conditional logic that redirect mail traffic over a particular outbound connector. This is actually an action you can select on a transport rule, very cool. For more information, read here - http://technet.microsoft.com/en-us/library/jj950234(v=exchg.150).aspx.

Outbound Connector

Creating an outbound connector is fairly easy. In the EAC you need to go to Mail flow >> Connectors, and then create an outbound connector. You will be presented with the following fields.

  • Name – give the connector a logical name.
  • Connector Type – select whether it is a partner or on-premise connector.
  • Retain service headers on transmission – this checkbox should only be checked if you have an outbound connector supporting a hybrid deployment.
  • Connection Security – the default is opportunistic TLS, but you can set up certificate-based connections as well.
  • Outbound Delivery – specifies the location where you are sending email to from EOP. In the partner scenario, you will select “MX record associated with the recipient domain”. In an on-premise scenario you will select “route mail through smart hosts” and then enter the fully qualified domain name or IP address of the destination server. If you enter multiple smart hosts, EOP randomly selects the first one to send to and then uses a round-robin load balancing pattern to distribute messages across those locations.
  • Use for Criteria Based Routing (CBR) – check this checkbox if you plan to use the outbound connector with a transport rule as part of the Conditional Mail Routing (Criteria Based Routing) scenario described above.
  • Route all accepted domains through this connector – This checkbox is used when you create an on-premise outbound connector. Checking it means you do not need to enter all the domains in the following field; the connector applies to all domains associated with your tenant.

Inbound Connector

Next creating an inbound connector is just as easy. In the EAC you need to go to Mail flow >> Connectors, and then create an inbound connector. Here are the fields you need to fill in:

  • Name – logical name for the connector.
  • Connector Type – Select either partner or on-premise.
  • Retain service headers on transmission – this checkbox should only be checked if you have an inbound connector supporting a hybrid deployment.
  • Connectivity Security – Opportunistic and Forced TLS are your options. Pretty straightforward.
  • Domain Restrictions – Selecting None means there are no restrictions on incoming messages, while selecting Restrict domains by IP Address will only accept messages from the specified domains when the source IP address is in the specified list. If you have selected Forced TLS, the Restrict Domains by Certificate option will only accept messages from the specified domains when the source’s certificate matches.
  • Scope – You enter the locations you will accept email from. In a Partner scenario you simply enter the domain you will accept email from (you can optionally enter IP addresses or accepted domains). In an on-premise type the same really holds true: enter the domain, IP addresses or accepted domains. For clarification, many people ask what the difference is between a Domain and an Accepted Domain. For a Partner Inbound Connector, the domain is the sender’s domain, while the accepted domain is your own domain that the email is being sent to. For a hybrid scenario, this will be set up by the Hybrid Configuration Manager. In most cases it is recommended to enter * for Domains and nothing for Accepted Domains. If you want to block some on-premise domains from sending email through, enter only the domains you want to allow, in both the Domains and Accepted Domains fields.
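The connector pairs for the MX Record On-Premise, Partner with Forced TLS and Conditional Mail Routing scenarios, built from PowerShell as an added example that is not part of the original post. It assumes an open Exchange Online remote PowerShell session; mail.contoso.com, 203.0.113.10, partner.example, branch-mail.contoso.com and the BranchUsers group are placeholders. The parameters map onto the EAC fields listed above: Use for Criteria Based Routing is IsTransportRuleScoped, Route all accepted domains is RouteAllMessagesViaOnPremises, and Retain service headers on transmission is CloudServicesMailEnabled, which is left to the Hybrid Configuration Wizard here.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# remote PowerShell session. Host names, IPs and addresses are placeholders.

# --- Scenario: MX record on-premise -----------------------------------------
# Outbound (EOP -> on-premise gateway): smart host, TLS required, and the
# gateway's certificate must be valid and match the name we expect.
New-OutboundConnector -Name "EOP to On-Prem Gateway" `
    -ConnectorType OnPremises `
    -RecipientDomains "*" `
    -RouteAllMessagesViaOnPremises $true `
    -UseMXRecord $false `
    -SmartHosts "mail.contoso.com" `
    -TlsSettings DomainValidation `
    -TlsDomain "mail.contoso.com"

# Inbound (on-premise gateway -> EOP): accept any sender domain, but only from
# the gateway's IP and only over TLS. Restricting by IP ties this trusted path
# to your gateway rather than to whoever presents your domain name.
New-InboundConnector -Name "On-Prem Gateway to EOP" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -SenderIPAddresses "203.0.113.10" `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# --- Scenario: Partner with Forced TLS (MX at EOP) --------------------------
New-OutboundConnector -Name "EOP to Partner" `
    -ConnectorType Partner `
    -RecipientDomains "partner.example" `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation

New-InboundConnector -Name "Partner to EOP" `
    -ConnectorType Partner `
    -SenderDomains "partner.example" `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName "mail.partner.example"

# --- Scenario: Conditional Mail Routing -------------------------------------
# A rule-scoped connector is only used when a transport rule selects it.
New-OutboundConnector -Name "Route to Branch Server" `
    -ConnectorType OnPremises `
    -RecipientDomains "*" `
    -IsTransportRuleScoped $true `
    -UseMXRecord $false `
    -SmartHosts "branch-mail.contoso.com" `
    -TlsSettings EncryptionOnly

New-TransportRule -Name "Branch users via branch server" `
    -SentToMemberOf "BranchUsers@contoso.com" `
    -RouteMessageOutboundConnector "Route to Branch Server"

# Review: the TLS settings and restriction columns are the security-relevant ones
Get-OutboundConnector |
    Format-Table Name, ConnectorType, SmartHosts, TlsSettings, IsTransportRuleScoped -AutoSize
Get-InboundConnector |
    Format-Table Name, ConnectorType, SenderDomains, RequireTls, RestrictDomainsToIPAddresses -AutoSize
```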

Reports

Exchange Online Protection does have reports such as mail received, sent mail, received spam, malware detections received, malware detections sent, top malware and sent spam. It is really easy to click into these reports from the Office 365 Admin Center, and you can click into an interactive dashboard as well. Here is information from the service description - http://technet.microsoft.com/en-us/library/office-365-reports.aspx.

Additionally, you have the ability to download the data and slice through it using additional custom filters in Excel - http://technet.microsoft.com/en-us/library/jj945734(v=exchg.150).aspx. This is a really nice tool that allows you to create custom reports.

Finally if you really need to do some high end custom reporting or if you need to retain the logs for an extended period of time locally, there are web services which you can use to access all the data. Please review this - http://msdn.microsoft.com/library/office/jj984325.aspx.

Conclusions

Hopefully this will help you get started with understanding how EOP can help you and your organization protect yourself. EOP is really powerful and there is probably a lot more we can dive into in the future.

Office Remote from Windows Phone

If you have a Windows Phone and you do a lot of presentations, there is a cool new app called Office Remote. It allows you to remotely control PowerPoint, Word and Excel on the computer you are presenting from, right from your phone. You can jump to any slide while avoiding having to press the back or forward button tons of times. You even have a cool laser pointer that you can click on your phone, and you can see all your speaker notes too.

I have even been using my OneNote App on my phone, which is connected to my corporate SkyDrive Pro, and take notes right there standing in the room. This makes me HIGHLY productive.

This app is literally changing the way I am presenting to customers. I have to do a lot of two-day deep dives with Office 365 customers discussing everything about the cloud.

Love it.

Give it a try.

References

http://blogs.windows.com/windows_phone/b/windowsphone/archive/2013/11/18/turn-windows-phone-into-a-magic-wand-for-microsoft-office-presentations.aspx

http://research.microsoft.com/en-us/projects/officeremote/

Sunday, November 24, 2013

New Office 365 Mobile Admin App

If you missed this, there was a really cool new announcement this week for Office 365. Microsoft created an app that you can put on your mobile device to check the status of your tenant. They stated that it is available on Windows 8 phones (I installed it on mine and it is working wonderfully). They plan to release the same app for Android (4.2.1 and up) and iOS 7 in the coming weeks. That is just really awesome because if you are an admin, it will help you keep a pulse on things even when you are on the go.

Reference - http://blogs.office.com/b/office365tech/archive/2013/11/21/check-the-service-health-of-your-office-365-service-on-the-go.aspx

Monday, November 4, 2013

SharePoint Online New Publishing Features

There were some new announcements just made for SharePoint Online that I was really excited to see that are now supported. Specifically the Content Search Web Part and Cross-Site Collection Publishing are now supported in SharePoint Online. Why is this exciting? With both of these features now available, organizations will be empowered to create more robust publishing sites in SharePoint Online.

The Content Search Web Part (CSWP) uses SharePoint search to find content and then publishes the results on the page. In most cases, end users do not even know that search is being utilized to find the documents, list items, videos, etc. displayed on the page. Using the CSWP is a much more efficient way to display content on publishing pages.

What is just as exciting is the addition of the Cross-Site Publishing feature to SharePoint Online. Publishing features have always been available in SharePoint Online, so that items and documents must be published to be seen by end users. Now with Cross-Site Publishing you have the ability to create an Authoring Site Collection where you centrally define content (lists and libraries). Then you can add CSWP web parts in other site collections that present that content. This can be a very helpful solution if you are managing many site collections yet have common content that you want to manage and publish centrally.

Here is more information about the announcement - http://blogs.office.com/b/office365tech/archive/2013/10/29/search-innovations-for-site-and-portal-design-in-sharepoint-online.aspx.

Friday, October 11, 2013

Power BI Data Management Gateway and Resources

Power BI continues to be a hot topic that many people have been asking me about.

As you may know, there was an announcement in July about the new Power BI in Office 365 that is coming. Here is more information about that announcement - http://www.astaticstate.com/2013/07/office-365-power-bi-announcement.html

A lot of people have been asking for more information.

First if you want to try out the Power BI Preview, please go here to sign-up for the preview - http://office.microsoft.com/en-us/excel/power-bi-FX104080667.aspx

Second I have had many people ask me for some good resources. If you want to learn more about Power BI with Power Query, Power Pivot, Power View and Power Map here are two really good links - http://technet.microsoft.com/en-us/library/dn198234.aspx and http://technet.microsoft.com/en-us/library/dn198234.aspx. If you follow the sub links of these articles you will find a ton of good information.

Third, the biggest question I still get is whether the new Power BI supports the ability to connect to line-of-business databases. This is probably one of the most exciting things being introduced, because up till now Excel Services could only work with the data contained in the spreadsheet. The answer is the new Data Management Gateway. It requires you to install a gateway on-premise that makes a secure connection to SharePoint Online. It pushes data from on-premise (on demand or on a schedule) to your spreadsheets stored in SharePoint Online to render the reports through the browser. You still have the ability to open the Excel client with the add-ins for Power Query, Power Pivot, Power View and Power Map.

Here is a really good reference for you to start reading, along with all of its associated articles - http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/power-bi-admin-center-help-HA104078330.aspx?CTT=5&origin=HA104078557. There are articles that cover what the Data Management Gateway is, how it is installed and configured, how to create data sources using OData and then how to connect them into Excel. There is even a really interesting article about how SSIS can be utilized as a data source for Power BI, as well as a good article on health reports and utilization of the Data Management Gateway.

Exchange Deployment Assistant

If you have not heard, the Exchange Server Deployment Assistant has received a big uplift and streamlining.

I would say this is a necessary tool any organization should utilize as they begin planning for Exchange Online. The tool brings together topics from the Office 365 Service Descriptions, Deployment Guide and TechNet providing a single place to begin planning your Exchange Online deployment. Based on a few simple questions you get information on:

  • Single Sign On / ADFS / DirSync
  • How to route email through on-premise or directly to EOP
  • How to configure hybrid
  • Guidance for certificates, network security, bandwidth, unified messaging, mobile devices, client requirements, EOP, public folders, etc.
  • Required software
  • Required information to collect
  • Running the hybrid configuration wizard
  • Etc.

This tool really covers all the major activities, and I recommend that you use it.

Reference - http://blogs.technet.com/b/exchange/archive/2013/10/02/released-the-new-exchange-server-deployment-assistant.aspx

Mobile Lync App Expanded Meeting Capabilities

There was yet again another new announcement this week on Lync App for Windows Phone, iPhone and iPad which can be used with Lync Online.

The big news is that the Lync App now supports the ability for attendees to join a meeting without a Lync account (as a guest) using the app. This capability allows people to use the Lync Audio feature (without having to dial in) to participate in the meeting. They can see all the content, including desktop sharing, on their mobile device. This is a huge feature because it allows organizations to easily let people from outside the organization attend meetings without having to dial in or be on a computer with the full Lync client.

Additionally the Lync App was extended to allow for ad-hoc, multi-party meetings to be initiated by the mobile device.

Reference - http://blogs.technet.com/b/lync/archive/2013/10/08/new-features-available-for-windows-phone-iphone-and-ipad-lync-mobile-apps.aspx

Sunday, October 6, 2013

Lync Online Meetings and Enterprise Compliance Features

In this short blog I am going to capture a few simple facts about how easy it is to create an Online Meeting with Office 365. Plus I will cover a few administrator topics to show you why Office 365 with Lync Online is an enterprise-class cloud service that aligns to enterprise businesses.

Creating Meetings in Outlook Web Access Calendar

Some people do not know this, but it is now possible to schedule a Lync Online meeting inside of Outlook Web Access. When creating a meeting, just click Online Meeting.

Once you do, the online meeting link and information are added into the meeting invite.

If you click on the online meeting settings you can see what policies have been set for inviting people to the meeting, the default policy for the lobby (which is where attendees wait before being admitted to a meeting), and who can be presenters. Your organization’s Lync Online administrator has control over this policy and it cannot be overridden. This is an important topic and I will discuss it more at the end of this blog.

Creating an Online Meeting in Outlook

As I mentioned, it is possible to create an Online Meeting in the Outlook client. All you need to do is click the button.

Once that is done, the meeting has been created just like in OWA.

If you click on Meeting Options, you will see some more options to change the default configuration of your Lync Online Meeting. These settings can easily be set during the actual online meeting, but sometimes it is nice to have them pre-set in case you are the presenter and you are running a little late. Additionally, if you like a configuration, you can click Remember Settings.

Interesting note: if you make changes, the Lync meeting URL in the invite changes.

The Lync Online Meeting

I am not going to cover the full Lync Online Meeting experience in this blog. Suffice it to say, there are a lot of features and capabilities available to an end user. There are tons of presenter controls to mute/unmute, block attendees, admit people into the meeting from the lobby, promote attendees to presenters, etc. End users can share their desktop or applications, run polls, whiteboard, do Q&A, record, etc. Note that Online Meetings do not have to be created through a calendar; they can be completely ad-hoc. End users can be talking with one another in Lync Online and invite (or drag and drop) more people right into their conversation. Plus there are Lync Mobile apps for Windows, iPhone and Android. This allows people to attend meetings when they are on the go.

For all the information about Lync Online, I recommend reading the Service Description here - http://technet.microsoft.com/en-us/library/lync-online-service-description.aspx.

clip_image014

Adding a Conference Call Phone Number

With Lync Online Meetings, by default you have the ability to do PC-to-PC audio meetings. These meetings are multi-party. However, your organization may need to support online meetings for people who need to call in through a phone number. Lync Online supports the integration of third-party Audio Conferencing Providers (ACP) into the Lync Online service. For more information, review the Service Description - http://technet.microsoft.com/en-us/library/lync-online-meetings.aspx

Below is a screenshot of where this is configured. You have the ability to identify which users are allowed to add a call-in number to their meetings.

Once this is completed, the ACP phone number and passcode will automatically be added into the online meeting information for the end user.

clip_image016

Lync Online Federation with Other Organizations

Another thing you may consider when configuring Lync Online Meetings for your business is to set up federation. You can configure federation with other organizations that have Lync Online, Lync on-premises or even OCS R2 on-premises. Doing this allows Lync PC-to-PC multi-party audio without having to set up a conference bridge. This also enables IM, presence and a whole host of other features that allow your organizations to communicate with each other more effectively. Below is a screenshot of where you go to set up Lync Online Federation.

Note this is also where you allow or disallow integrated public IM connectivity with Skype. This is a very powerful capability, and we ensure you have control over it to protect your organizational data.

Here is some more information about it - http://technet.microsoft.com/en-us/library/lync-online-federation-and-public-im-conectivity.aspx

clip_image018

To extend upon this, Exchange Online also allows organizations to share calendars with each other. This enables organizations with Exchange Online or Exchange on-premises to create an organization relationship to share calendar information. Doing this makes it extremely easy for an end user to look at free/busy information and then create an Online Meeting with a partner organization. Below is a screenshot showing where you can set up calendar federation. Note that your organization can also allow individual users to share their calendars externally instead of using federation. For more information about the policies for external calendar sharing, please read the following - http://technet.microsoft.com/en-us/library/jj916670(v=exchg.150).aspx.

clip_image020
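As an added example that is not part of the original post, here is how the two kinds of cross-organization sharing just described (Exchange Online calendar federation and Lync Online federation with public IM turned off) can be configured from PowerShell, choosing the more restrictive options. It assumes an Exchange Online remote PowerShell session and a Lync Online session (Lync Online PowerShell connector) are already open, that the Lync tenant federation cmdlets used here are available in your tenant, and that contoso.com and fabrikam.com are placeholder domains.

```powershell
# Added example (not from the original post): configure calendar federation and
# Lync federation with the more restrictive choices shown.
# Assumptions: Exchange Online and Lync Online remote PowerShell sessions are
# open; contoso.com (partner) and fabrikam.com (your tenant) are placeholders.

# --- Exchange Online: calendar federation with a partner organization -------
# Discover the partner's federation endpoints instead of typing them in, then
# expose only free/busy time (no subject or location) by default.
$partner = Get-FederationInformation -DomainName 'contoso.com'
$partner | New-OrganizationRelationship -Name 'Contoso' `
    -FreeBusyAccessEnabled $true `
    -FreeBusyAccessLevel AvailabilityOnly   # AvailabilityOnly | LimitedDetails

# Verify the relationship actually works for a real user before announcing it:
# Test-OrganizationRelationship -Identity 'Contoso' -UserIdentity jsmith@fabrikam.com

# If individual users are allowed to share their own calendars externally
# instead, cap the detail level with a sharing policy rather than leaving it
# to the user (Domain: Action syntax):
# Set-SharingPolicy -Identity 'Default Sharing Policy' -Domains 'contoso.com: CalendarSharingFreeBusySimple'

# --- Lync Online: allow-listed partner domains, public IM (Skype) off -------
# Federate only with named partner domains, and keep public IM connectivity off
# so that corporate presence and IM are not exposed to arbitrary Skype accounts.
$allowed = New-CsEdgeAllowList -AllowedDomain (New-CsEdgeDomainPattern -Domain 'contoso.com')
Set-CsTenantFederationConfiguration -AllowedDomains $allowed `
    -AllowFederatedUsers $true `
    -AllowPublicUsers $false

# Review the resulting configuration:
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains
```

AvailabilityOnly is the least privilege that still lets a partner pick a meeting slot; move to LimitedDetails only for partners that genuinely need subject and location. The allow list is the reverse of the default "allow all known domains" posture and is the setting to revisit when a partnership ends.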

Additional Configuration for Meetings

The Lync Online administrator also has the ability to add organizational information into the online meeting invite template. You can incorporate your company logo, create a help URL to provide custom instructions, provide a URL to legal compliance information and even put in a custom footer message. All important things for an enterprise service. Below is a screenshot of where this is configured.

clip_image022

Lync Online Meeting Policy

Here is another real differentiator of Lync Online Meetings when compared to other cloud services. With Lync Online you can create corporate policies on what you will allow in Online Meetings. These cannot be overridden by end users. For instance, you can use the Conferencing Policy (http://technet.microsoft.com/en-us/library/gg413019.aspx) to control things such as:

  • Whether you allow anonymous participants
  • What level of participation you allow external people – you may limit it
  • Whether you allow conferences to be recorded
  • Whether you allow video
  • You can control which features you will even allow – for instance you can shut off Polling, Q and A, whiteboarding, etc.
  • Whether you allow desktop sharing
  • You may want to block file transfers
  • Etc.

This is important because enterprise data must be protected. There is a lot of data being communicated in Online Meetings, and there are legitimate business reasons why communications need to be controlled. You can create policies that align to the data loss prevention policies you are creating across Office 365.

If you want to explore more policies to create for Lync Online, I highly recommend you read this http://technet.microsoft.com/en-us/library/dn362831.aspx and http://technet.microsoft.com/en-us/library/dn362817.aspx. There are more considerations other than just Online Meetings.
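As an added example that is not part of the original post, here is a PowerShell check that compares a conferencing policy against a baseline of what your organization decided to allow and reports every deviation. It assumes the property names of Get-CsConferencingPolicy output (Lync Server 2013 / Lync Online PowerShell connector); the baseline values are illustrative, and the sample policy object is constructed so the function can be exercised without a connection.

```powershell
# Added example (not from the original post): audit conferencing policies
# against a baseline of what the organization decided to allow.
# Assumptions: property names are those of Get-CsConferencingPolicy output;
# the baseline below is illustrative, not a recommendation for every tenant.

# Baseline: what a locked-down conferencing policy SHOULD say.
$Baseline = @{
    AllowAnonymousParticipantsInMeetings = $false              # no anonymous attendees
    AllowConferenceRecording             = $false              # no local recordings
    AllowExternalUsersToRecordMeeting    = $false
    AllowExternalUserControl             = $false              # externals cannot take control of sharing
    AllowIPVideo                         = $true
    AllowPolls                           = $false
    EnableAppDesktopSharing              = 'SingleApplication' # None | SingleApplication | Desktop
    EnableFileTransfer                   = $false              # no file transfer in meetings
}

function Test-ConferencingPolicy {
    # Returns one record per setting that differs from the baseline;
    # no output means the policy is compliant.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Policy,
        [hashtable] $Expected = $Baseline
    )
    process {
        foreach ($name in $Expected.Keys) {
            $actual = $Policy.$name
            # compare as strings so $true/'True' and enum values line up
            if ("$actual" -ne "$($Expected[$name])") {
                [pscustomobject]@{
                    Policy   = $Policy.Identity
                    Setting  = $name
                    Expected = $Expected[$name]
                    Actual   = $actual
                }
            }
        }
    }
}

# Constructed sample standing in for Get-CsConferencingPolicy output
# (a deliberately permissive policy) so the check runs offline.
$sample = [pscustomobject]@{
    Identity                             = 'Tag:SampleOpenPolicy'
    AllowAnonymousParticipantsInMeetings = $true
    AllowConferenceRecording             = $true
    AllowExternalUsersToRecordMeeting    = $false
    AllowExternalUserControl             = $false
    AllowIPVideo                         = $true
    AllowPolls                           = $false
    EnableAppDesktopSharing              = 'Desktop'
    EnableFileTransfer                   = $true
}
$sample | Test-ConferencingPolicy | Format-Table -AutoSize

# Live use: audit every policy, then find the users a non-compliant one is
# granted to (ConferencingPolicy is a property of Get-CsOnlineUser output).
# Get-CsConferencingPolicy | Test-ConferencingPolicy
# Get-CsOnlineUser | Where-Object { $_.ConferencingPolicy -like '*SampleOpenPolicy*' } |
#     Select-Object UserPrincipalName, ConferencingPolicy
```

In Lync Online the policies themselves are predefined by the service and you choose which one a user gets with Grant-CsConferencingPolicy, so the useful check is not "can I edit this policy" but "which users have a policy that allows something my DLP rules forbid". Run the audit again after any tenant-wide policy change.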

Lync Online Meeting Archiving

In addition to policy, another important feature of Lync Online Meetings with Office 365 is archiving. Luckily, with Office 365, Lync Online is integrated with Exchange Online; again a differentiator from other cloud services.

To archive peer-to-peer instant messages, multiparty instant messages, and content upload activities in meetings, a Legal Hold is created in Exchange Online. You can specify the types of data to be captured in that legal hold and, as you can see below, there is a Lync Items option. This ensures the Lync data is captured along with calendar items. Below is a screenshot showing where that is configured.

clip_image024

Additionally, if you have very strict rules around being legally required to preserve electronically stored information, you have the ability to turn off features. For instance, within Lync Online you can create a policy that turns off the features that are not captured by archiving.

clip_image026

In my blog posting here - http://www.astaticstate.com/2013/07/office-365-compliance-solutions.html - I explored many of the features of Legal Hold, as there are a lot of things to be considered.

For more information on Lync Online archiving you can also read the Service Description here - http://technet.microsoft.com/en-us/library/lync-online-security-and-archiving.aspx.

In Closing

I feel like there is a lot more I could cover around why Online Meetings are great in Office 365.

Friday, October 4, 2013

Lync Online Reports Updates

Back in July, Office 365 and Lync Online released some initial reports. I posted some information about it here - http://www.astaticstate.com/2013/07/new-lync-online-reports.html.

It was just announced that this reporting capability has been expanded - http://blogs.office.com/b/office365tech/archive/2013/10/03/visualize-lync-usage-for-your-business-with-new-reports.aspx. These are new visual reports that used to only be available through PowerShell or REST services. Now you have visual reports on active users, audio/video minutes, conference minutes, P2P sessions, P2P conferences, etc.

This provides good report information that can be presented to your management to show how the Lync Online service is being used.

This is really valuable information as it allows customers to get a handle on Lync utilization. It can be helpful for tweaking your network configuration to support Lync Online services. For more information on network planning for Lync Online, I recommend you read the following - http://technet.microsoft.com/en-us/library/hh852542.aspx and utilize this tool http://www.microsoft.com/en-us/download/details.aspx?id=19011.

Force Lync Web App Client for a Web Meeting in Lync Online

Forcing Lync Web App Client

I learned a neat trick the other day. Let's say you have a meeting you need to schedule with Lync Online (this works on-premises too) where you need to force the attendees to join over the browser (Lync Web App client). Well, this is actually pretty simple: all you need to do is modify the meeting URL. Just add ?sl=1 to the end of the URL.

So your URL may be like the following - https://meet.lync.com/tenantname/jsmith/XYZXYZ

All you need to do is change it to be - https://meet.lync.com/tenantname/jsmith/XYZXYZ?sl=1

When a user clicks on the link, they will be forced into the Lync Web App Client. They will not be prompted to install the Lync client.

clip_image002

Considerations

There are some considerations for the presenter on the type of web meeting you are planning to give.

  • Sharing Slides - If the presenter is showing some slides, instead of sharing your desktop or PowerPoint as a program, try using the PowerPoint option. This uploads the PowerPoint into the Lync Online service rather than running the slides locally. This has two advantages: first, you will get better performance. Second, no browser add-in is required; a browser add-in is required if you are sharing your desktop or a program. This may be important if the meeting audience is outside of your organization and you do not know what computer lockdown requirements they may have to enforce.

clip_image004

  • Audio - In the web meeting you will most likely need to support audio; an add-in is required and the user will be prompted to install it if it is not there. Like I mentioned, your meeting may be with an external audience that cannot use add-ins because of lockdown requirements on their computers. This is not a problem for Lync Online. You can purchase an Audio Conferencing Provider (ACP) service that provides an integrated 1-800 call-in number. This allows anyone to call the 1-800 number and be joined into the Lync Online meeting. The person attending the meeting can simply select the option to call the 1-800 number instead of installing the add-in.
  • Other Stuff – Many of the other features, such as polling, whiteboarding, IM in the meeting, sharing files, etc., do not require an add-in. If you need to share your desktop or do a video session, and you must force the web meeting in the browser, an add-in is required. I have provided some references below.

Resources

Here are some good resources.

Wednesday, September 4, 2013

New OWA Delegation Features for Exchange Online

There was a huge announcement today by the Exchange Online team for expanded support of delegation inside of OWA - http://blogs.office.com/b/office365tech/archive/2013/09/04/configuring-delegate-access-in-outlook-web-app.aspx.

I am asked about this a lot, as organizations have user bases that do not require the full Outlook experience to do email; they only need OWA. Plus OWA has been closing the gaps with Outlook. Traditionally, if you wanted to do granular delegation, a user was required to use Outlook to set it up.

When the new Exchange Online (Exchange 2013) was released in the cloud, it included the ability to delegate your calendar through the browser. This has been expanded to support delegation of email folders, like your Inbox. Plus this delegation feature is supported in the new OWA for iPhone and OWA for iPad apps, which is great for people who need to work with Exchange Online across devices and platforms. Please read the post for details - http://blogs.office.com/b/office365tech/archive/2013/09/04/configuring-delegate-access-in-outlook-web-app.aspx.

Now if you still need to delegate more than just email and calendar, Exchange Online admins can delegate an entire user’s mailbox to another user. They can then use the “Open Another Mailbox…” feature in OWA to completely manage and do “Send As”. Please review my blog posting in July 2013 on this topic - http://www.astaticstate.com/2013/07/delegating-mailbox-through-browser.html.

Exchange Online Troubleshooting Tool

The Exchange Product team posted a new useful tool that I started playing around with called the Mail Flow Guided Walkthrough (GWT) - http://blogs.technet.com/b/exchange/archive/2013/09/03/office-365-mail-flow-troubleshooter-now-available.aspx.

You can access the tool here - http://support.microsoft.com/common/survey.aspx?scid=sw;en;3568&showpage=1.

What it does is ask you basic questions about the challenges you may be having and help you debug them. There are several scenarios for Office 365, Exchange Online and hybrid. I see this as a very useful tool for debugging initial deployments as well.

For instance, I followed the path for checking an Exchange Online mailbox that is having issues sending email. First, check that DNS is configured. Second, check your NDRs. Third, check the health of the service. Fourth, run a message trace report. Fifth, check the user's Outbox, connectivity, third-party add-ins, OST files, etc. I really found this to be a great tool.

Tuesday, September 3, 2013

7 Year Blog Birthday

I figured I would take a second to reflect on my 7 years of running this blog. First, I cannot believe it has been 7 years. Keeping this blog going has been extremely important to me professionally. It allows me to refine my thoughts and communicate to others the solutions I am working through. I work very hard to ensure that I post at least one new item a month. Sometimes I crank out a lot of stuff, and in only one instance did I miss a month (it still annoys me).

This blog got its start on a long Labor Day weekend when I had some time available and wrote my first blog (http://www.astaticstate.com/2007/09/automation-testing-or-simulation-with.html). No kids jumping on me either <g>.

My series on Silverlight MVVM Patterns (http://www.astaticstate.com/2010/04/silverlight-4-using-mvvm-patter-ria.html) is still the most popular series I have written. My series on SharePoint 2010 Architecture is second (http://www.astaticstate.com/2010/01/sharepoint-2010-service-architecture.html) and third is my series on SharePoint Branding (http://www.astaticstate.com/2011/05/branding-master-page.html). Along the way I have written a lot about SharePoint App Dev, Enterprise Search, etc.

Most of my days for the past two years have been totally focused on Office 365. Given the role I am in now, I do not do application development anymore. I am really excited to be working with Office 365 and you may have seen my work expand to Exchange Online, Lync Online and Office.

SkyDrive Pro Sync Considerations

Initial Thoughts

I was recently asked is it possible to turn off the sync capability of SkyDrive Pro?

Before we go down the path of showing you how, let’s put this into perspective.

From a historical perspective, Microsoft acquired a technology several years ago called Groove which could sync documents offline. In the SharePoint 2010 timeframe, a solution called SharePoint Workspace 2010 was created to sync documents and data offline (http://technet.microsoft.com/en-us/library/ee649102(v=office.14).aspx). The SharePoint Workspace 2010 client is a good solution and can still be used with SharePoint 2013 – I wrote a blog about this a few months ago - http://www.astaticstate.com/2013/04/skydrive-pro-sync-and-sharepoint-2010.html.

With SharePoint 2013 (and available in SharePoint Online) there is the new SkyDrive Pro Sync Client. When it was first released there was some confusion. Here are some important points:

So what is the concern, given that the Sync capability is a great solution that allows end users to work on documents stored centrally in a corporate resource that is managed and discoverable? Well, some may have concerns about providing a capability that easily allows users to download large amounts of documents. Let's address that from multiple angles, as this can be mitigated.

  • Information Architecture – An organization must determine how to manage its content and who will have access to it. SharePoint Online can be configured so that content of high business impact is accessible to a smaller number of people using granular access controls. Additionally, there is audit reporting available to track who accesses content and how it is being used.
  • Device Connectivity – I think this is the most overlooked. Remember your organization will have IT policies that dictate who can connect to your SharePoint Online and SkyDrive Pro. For instance, if you want to restrict access to content by device location, use ADFS client access policies to control where devices can connect from to access your cloud content. A common scenario is to allow only specific IP ranges, so that only devices connecting from the corporate network or VPN are accepted. As well, your IT staff should already have policies around what devices are allowed on the network. They probably have MDM wipe solutions or encryption solutions (like BitLocker) to ensure the content is protected on those devices. You can even incorporate solutions such as Forefront Unified Access Gateway (UAG) to do endpoint protection for remote devices connecting. With this, you know that if content is being synced it is protected by your corporate policies.
  • Authentication - Additionally, using ADFS ensures that a corporate username and password are used to access the content; even two-factor authentication can be required. These policies are under your organization's control and are not managed by Office 365 or SharePoint Online.
  • Data Loss Prevention (DLP) – AD RMS (Information Rights Management) can be applied to document libraries which store high impact documents – read up on it here - http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/set-up-information-rights-management-irm-in-sharepoint-online-HA102895193.aspx.
  • Etc.
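As an added example that is not part of the original post, here is the ADFS client access policy mentioned under Device Connectivity, built as issuance authorization rules and applied with the ADFS PowerShell cmdlets. It assumes ADFS 2.0 with Update Rollup 2 or later (which introduces the insidecorporatenetwork and x-ms-forwarded-client-ip claims), the Office 365 relying party trust already in place, and placeholder corporate egress addresses; the function names are mine.

```powershell
# Added example (not from the original post): build ADFS issuance authorization
# rules that only let federated Office 365 sign-ins succeed from the corporate
# network (internal ADFS endpoint) or from known public egress addresses (VPN,
# proxies), and apply them to the Office 365 relying party trust.
# Assumptions: ADFS 2.0 Rollup 2+ (or 2012 R2) with the Microsoft Office 365
# Identity Platform trust; the IPs below are placeholders (TEST-NET ranges).

$CorpPublicIPs = @('203.0.113.10', '203.0.113.11', '198.51.100.25')

function ConvertTo-ClientIpRegex {
    # Office 365 passes the real client address to ADFS in the
    # x-ms-forwarded-client-ip claim (for Outlook, ActiveSync and other
    # clients that authenticate through Exchange Online). Escape the dots and
    # anchor on word boundaries: an unescaped regex like 203.0.113.10 would
    # also match 203.0.113.100 and let unintended addresses through.
    param([string[]] $Addresses)
    $escaped = $Addresses | ForEach-Object { [regex]::Escape($_) }
    return '\b(' + ($escaped -join '|') + ')\b'
}

function New-LocationRestrictedAuthzRules {
    param([string[]] $Addresses)
    $ipRegex = ConvertTo-ClientIpRegex -Addresses $Addresses
    # Rule 1 permits everyone; rule 2 issues a deny claim, and in ADFS a deny
    # claim always wins over a permit. The deny fires when the request came
    # through the ADFS proxy (insidecorporatenetwork = false) AND the forwarded
    # client IP is not one of ours. Browser sign-ins from outside carry no
    # forwarded IP claim at all, so they are denied as well.
    @"
@RuleName = "Permit all"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external access except from corporate egress IPs"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$ipRegex"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
}

$rules = New-LocationRestrictedAuthzRules -Addresses $CorpPublicIPs
$rules   # review the generated rule text before applying it

# Apply on the ADFS server as an ADFS administrator (keep a copy of the current
# rules first: (Get-AdfsRelyingPartyTrust -Name '...').IssuanceAuthorizationRules).
# Add-PSSnapin Microsoft.Adfs.PowerShell   # ADFS 2.0 only; built in on 2012 R2
# Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -IssuanceAuthorizationRules $rules
```

Two caveats a practitioner should keep in mind: this only governs federated sign-ins, so cloud-only (non-federated) accounts are unaffected, and the forwarded client IP is supplied by Exchange Online for active clients, which is why the regex must be tight rather than a loose prefix match. Test with an external Outlook client and an external browser before rolling it out broadly.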

Ultimately it is a question of how you want your end users to access your content management services, and you have control over your data. Blindly turning off Sync is not really the total answer because, remember, all Enterprise Content Management systems need to allow their users to download documents.

Configuration

At this point you may still have identified scenarios where you need to limit the ability of end users to sync content. There can be numerous reasons why. Let's talk through how you would do it for SharePoint Online.

Specifically, there is a property on a SharePoint List called ExcludeFromOfflineClient. This was originally introduced in SharePoint 2010 to block people from using SharePoint Workspace 2010. This same property is also used to block the SharePoint 2013 Sync capability.

Option - PowerShell

If you are an on-premises SharePoint 2013 customer, no problem: PowerShell can easily be written to remove the ability to Sync. Please review this reference - http://technet.microsoft.com/en-us/library/dn169080.aspx

However, if you are a SharePoint Online organization, the SharePoint Online PowerShell cmdlets for SPOSite do not support ExcludeFromOfflineClient - http://technet.microsoft.com/en-us/library/fp161397.aspx.

Option – Turn Off via UI

As many of you know, the Sync button is available in the top right-hand corner. Getting rid of it is pretty simple.

clip_image002

Go to Site Settings >> Search >> Search and Offline Availability >> and turn the Offline Client Accessibility to No.

clip_image003

The result is that the Sync button is no longer available (see the screen capture below). The considerations for this option are that it removes the Sync capability from the entire site and all the document libraries in that site (it cannot be done per library), and that it does not remove the Sync button from each sub site, so it has to be repeated on every sub site.

clip_image005

Option – Using the Sandbox Solution

I did some digging and saw that the ExcludeFromOfflineClient property was available in the SharePoint Sandbox API and is supported in SharePoint Online - http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.splist.excludefromofflineclient(v=office.14).aspx.

I then looked at the SharePoint 2013 listing of that API to see if it was supported for Sandbox or SharePoint Online, but there was no mention - http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.splist.excludefromofflineclient(v=office.15).aspx.

My goal was to create a solution for SharePoint Online administrators that allows them to disable Sync on a large number of sites without having to manually disable the Sync capability on each and every site. My idea was that you could create a Feature that uses the FeatureActivated event handler to set the ExcludeFromOfflineClient property to true. I was able to confirm that yes, it does work.

using Microsoft.SharePoint;

// Web-scoped feature receiver (sandbox solution): exclude the Documents
// library from offline clients so the Sync button disappears for it.
public override void FeatureActivated(SPFeatureReceiverProperties properties)
{
    SPWeb web = properties.Feature.Parent as SPWeb;
    if (web == null) return; // the feature must be web-scoped

    // Look the library up by title; TryGetList returns null instead of throwing
    // (SPWeb.GetList expects a server-relative URL rather than a title).
    SPList list = web.Lists.TryGetList("Documents");
    if (list == null) return;

    list.ExcludeFromOfflineClient = true; // true = hide Sync / block offline clients
    list.Update();
}

Ultimately you will need to write some code to recursively loop over all the sites and libraries to remove the Sync capability. The only limitation of this solution is that a Site Administrator can go back and turn Sync on again. That issue can be dealt with by rerunning the feature or by training your Site Administrators.

Since this is a Feature, you can get a lot more creative too. For instance, you could build an entire UI to manage the Sync capability on a per-library basis, you can make a library template, you can make a ribbon button, etc.

My colleague Ed Hild created the code snippet for me as I had not installed Visual Studio on my new machine – scary – thanks Ed.
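The recursive walk over sites and libraries that the feature approach needs, written here as an added example for the on-premises PowerShell option discussed earlier; this is not code from the post or from Ed Hild. It assumes the SharePoint 2013 Management Shell on an on-premises farm (the SharePoint Online cmdlets do not expose ExcludeFromOfflineClient), a placeholder web application URL, and a function name of my choosing.

```powershell
# Added example (not from the original post): walk every site collection, web
# and document library in an on-premises SharePoint 2013 web application and
# set ExcludeFromOfflineClient, which removes the Sync button for that library
# (and blocks SharePoint Workspace 2010 as well).
# Assumptions: run in the SharePoint 2013 Management Shell as a farm admin with
# access to the content databases; the web application URL is a placeholder.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-LibraryOfflineExclusion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $WebApplication,
        [bool]   $Exclude = $true,        # $false re-enables Sync
        [switch] $DocumentLibrariesOnly   # skip plain lists
    )
    $changed = @()
    foreach ($site in Get-SPSite -WebApplication $WebApplication -Limit All) {
        try {
            foreach ($web in $site.AllWebs) {   # AllWebs includes every sub site
                foreach ($list in $web.Lists) {
                    if ($DocumentLibrariesOnly -and
                        $list.BaseType -ne [Microsoft.SharePoint.SPBaseType]::DocumentLibrary) { continue }
                    # skip hidden/system lists and anything already in the desired state (idempotent)
                    if ($list.Hidden -or $list.ExcludeFromOfflineClient -eq $Exclude) { continue }
                    $target = "$($web.Url)/$($list.RootFolder.Url)"
                    if ($PSCmdlet.ShouldProcess($target, "ExcludeFromOfflineClient = $Exclude")) {
                        $list.ExcludeFromOfflineClient = $Exclude
                        $list.Update()
                        $changed += $target
                    }
                }
                $web.Dispose()
            }
        }
        finally {
            $site.Dispose()   # always release SPSite handles
        }
    }
    return $changed   # the libraries actually touched
}

# Dry run first (-WhatIf lists what would change), then apply.
# Set-LibraryOfflineExclusion -WebApplication 'http://intranet.contoso.local' -DocumentLibrariesOnly -WhatIf
# Set-LibraryOfflineExclusion -WebApplication 'http://intranet.contoso.local' -DocumentLibrariesOnly
```

Because the function skips libraries that are already in the requested state and returns the list it changed, it can be scheduled to run periodically as the "rerun" the post suggests for catching Site Administrators who turn Sync back on, and the returned list doubles as the audit record of where that happened.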

Non-Option – Client Side Object Model

This is something I at least investigated, but it is not possible. If you look at the CSOM API for List you will see that ExcludeFromOfflineClient is not available - http://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.client.list.aspx.

Non-Option – Disable the Sync client

This is something I at least explored but determined it was not the best approach.

As I mentioned earlier, the Sync client is part of Office 2013 and is available as a standalone install for Office 2010, 2007, etc. Yes, it is possible to create group policies that do not allow the standalone Sync client to be installed. However, if you are using Office 2013, I did not find a quick solution to block it.

Plus it is just not a realistic option. From a management perspective, you should create policies based on your information architecture that drive security, and implement them through your SharePoint Online configuration. You will identify the types of content for which you do not want to allow syncing, and then you turn it off using the options I discussed above.

SkyDrive Pro “Shared with Me” View

Sometimes, it is the little things that count. Well there is a new feature being added to SkyDrive Pro in SharePoint Online called “Shared with Me”. It is awesome!

This provides an end user with a single place to go to review and edit documents / folders that have been directly shared with them. Now you no longer have to bookmark or dig through old emails trying to find a link to a specific document that was shared with you.

Additionally, adding this feature really helps people share files with each other using SkyDrive Pro. I am a heavy user of SkyDrive Pro. I commonly create presentations for customers or write-ups that I only want to share with specific individuals. I always put them in SkyDrive Pro and then just share them with those specific people. Now all they need to do is go to the "Shared with Me" view in SkyDrive Pro to find the documents I gave them permissions to.

clip_image001

And remember, sharing documents with SkyDrive Pro, and with SharePoint 2013 sites in general, is really simple! No more digging through complex permissions screens. It is so easy for end users.

clip_image003

Note the new "Shared with Me" feature does not show you documents / folders that have been shared with you because you are a member of a group. It only retrieves items that are directly shared with you. This makes a lot of sense because you could have permissions to a Document Center that may have thousands of documents. You do not want all those documents cluttering up this list. Remember you can always click the Follow button to follow large repositories or sites that you are most interested in.

Resource - http://blogs.office.com/b/office365tech/archive/2013/08/27/skydrive-pro-increases-storage-and-ease-of-sharing.aspx

New EOP Spam Notification Email

EOP Spam Notification Email

The Exchange Online Protection (EOP) service description has been updated - http://technet.microsoft.com/en-us/library/anti-spam-and-anti-malware-protection-in-eop.aspx.

One feature in particular I am excited to write about is the new Quarantine End User Self-Management feature. Some of you may know that the previous FOPE solution allowed end users to be given direct access to quarantine management in the FOPE administration console. This is no longer available in the new EOP solution with Exchange Online.

Now end users can receive a spam notification email which contains a list of spam-quarantined messages received in the last three days. End users can release the quarantined email to their inbox and report the email as Not Junk through the email.

clip_image002

Turning It On

For instructions, go here - http://technet.microsoft.com/en-us/library/dn296367(v=exchg.150).aspx

As you can see here, I just went to my Content Filter policy and simply clicked the link to turn on end-user spam notifications.

clip_image004

From a Policy Perspective

EOP has some really flexible configurations that allow you to create a policy that meets the needs of your end users. Really, your end users do not need direct access to the quarantine management area; the Junk Mail folder is the recommended place for them to review suspected spam. Think about these points:

  • Content Filter Policies – For each content filter policy you create, you have the ability to send spam to either the quarantine or the Junk Mail folder (there are actually several other options, but let's keep with this line of thought). In a content filter policy you can send some spam to the quarantine and other spam to the Junk Mail folder. A common configuration is to send high-confidence spam (high Spam Confidence Level, SCL) to the quarantine while sending lower-SCL email to the Junk Mail folder. This is good because it gives end users direct access to low-SCL email. If an email has a high SCL (it was tagged that way for a reason), there is a strong chance the end user really does not need immediate access to it.
  • Multiple Filter Policies – Remember you can create multiple content filter policies in EOP that can be assigned to users, groups and even email domains. So it is possible to turn on end-user spam notifications for only a subset of end users.
  • Transport Rules – Remember you have transport rules at your disposal that can analyze the email. You can create your own rules that change the SCL of a message.
  • Outlook / OWA Safe Senders – Remember end users' safe sender and blocked sender lists (set in Outlook or OWA) are taken into consideration as the email is being filtered. Why is that important? One end user may regard an email as spam while another user may believe the same email is completely legitimate (let's take phishing out of the picture for a second <g>; and yes, EOP has solutions for that too).
  • Retention on Junk Mail Folder – I have also had people say to me, well, if the email is going into the Junk Mail folder, is that going to take up space in their mailbox? Well yes, but that is what retention rules are for. By default the Junk Mail folder retention period is set to 15 days. You can make that shorter or longer.
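As an added example that is not part of the original post, here is the configuration described in the points above expressed as Exchange Online Protection PowerShell: the default policy sends spam to the Junk Mail folder and high-confidence spam to quarantine, a second policy scoped to one group turns on the end-user spam notification digest, and a transport rule forces a sender domain's mail to quarantine by raising its SCL. It assumes an Exchange Online remote PowerShell session is already open (the connection step is omitted), and the policy name, group address and sender domain are placeholders.

```powershell
# Added example (not from the original post): the EOP content filter layout
# discussed above, as Exchange Online PowerShell.
# Assumptions: an Exchange Online remote PowerShell session is open; the policy
# name, group address and sender domain below are placeholders.

# 1. Default policy for everyone: spam (SCL 5-6) -> Junk Email folder, where the
#    user can still see it; high-confidence spam (SCL 7-9) -> quarantine;
#    no end-user digest.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -EnableEndUserSpamNotifications $false

# 2. A second policy for the subset of users who DO want the digest of what was
#    quarantined, sent every 3 days (allowed range is 1 to 15 days).
New-HostedContentFilterPolicy -Name 'Sales - with digest' `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationFrequency 3

# A policy does nothing until a rule scopes it to recipients; priority 0 puts it
# ahead of other custom rules. Use -SentTo / -RecipientDomainIs for users / domains.
New-HostedContentFilterRule -Name 'Sales - with digest' `
    -HostedContentFilterPolicy 'Sales - with digest' `
    -SentToMemberOf 'sales@contoso.com' `
    -Priority 0

# 3. Transport rule that rewrites the SCL for a sender domain that should never
#    reach the Inbox. SCL 9 is handled by the high-confidence spam action, so
#    under the policies above it lands in quarantine. (-SetSCL -1 does the
#    opposite and bypasses spam filtering; reserve it for verified sources such
#    as an on-premises relay.)
New-TransportRule -Name 'Force quarantine for noisy-vendor.example' `
    -SenderDomainIs 'noisy-vendor.example' `
    -SetSCL 9

# 4. Verify the result: rule order decides which policy a recipient gets.
Get-HostedContentFilterRule | Sort-Object Priority |
    Select-Object Name, Priority, State, HostedContentFilterPolicy, SentTo, SentToMemberOf, RecipientDomainIs
Get-HostedContentFilterPolicy |
    Select-Object Name, SpamAction, HighConfidenceSpamAction, EnableEndUserSpamNotifications, EndUserSpamNotificationFrequency
```

The check in step 4 matters because the Default policy has no rule of its own: a recipient matched by a custom rule gets that rule's policy, everyone else falls back to Default, and two custom rules that both match are resolved by priority, so an overly broad rule at priority 0 silently overrides the more specific ones.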

The point that I want to make is that organizations have choice in their configurations. You can use quarantine, junk mail folder, transport rules, safe sender lists, etc. to come up with a great solution.