Office 365 Admin Best Practices

Businesses are quickly moving business-critical systems, data, services, and other roles to the public cloud. Public cloud environments are becoming increasingly powerful, with new features and functionality being added regularly. Microsoft’s Office 365 public cloud is an extremely popular and feature-rich cloud offering that provides numerous capabilities to businesses wanting to migrate resources from on-premises to the public cloud.

Administering a public cloud environment is very different from administering a traditional on-premises environment. There are best practices for public cloud environments such as Office 365 that help ensure the migration to, and the management of, the cloud is done effectively and securely, in a way that lets administrators satisfy the needs of the business. In this post, we will take a look at the Top 5 Office 365 Admin Best Practices: what they are, how they can be implemented, and why they are important.

Top 5 Office 365 Admin Best Practices

The migration to the public cloud can present challenges in moving from the familiar landscape of on-premises environments and tooling to public cloud infrastructure, which has its own interfaces, processes, and controls. This includes new and different permission controls, network configurations, and cloud security mechanisms. Businesses therefore need to adhere to a set of recommended best practices to ensure data is migrated, and the environment is accessed, managed, and secured, appropriately. The following top 5 Office 365 best practices are by no means the only things Office 365 administrators need to do; however, they represent some of the big items that must be given attention from the point of migration through day two operations in the Office 365 public cloud.

  1. Choose the appropriate Office 365 data migration option
  2. Office 365 Backup
  3. Secure Access to Resources Appropriately
  4. Use Data Loss Prevention Policies
  5. Utilize Mobile Device Management (MDM) policies

Let’s consider each of the above items and see how they can be addressed appropriately by administrators looking to minimize issues and have stable, secure, and efficiently operating Office 365 environments.

Choose the Appropriate Migration Option

There are certainly best practices for day two operations in the Office 365 public cloud. However, simply getting to the cloud can be filled with potential “gotchas” if not planned and thought through correctly. As can be imagined, many of the Office 365 admin best practices revolve around security. The first order of business, however, is choosing the migration option that fits the needs of the business. There are several options for getting your data into the Office 365 public cloud, including the following:

  • Hybrid deployment and migration – In a hybrid deployment, on-premises Exchange and Exchange Online coexist, so organizations can move mailboxes gradually and choose to migrate only certain services to the Office 365 public cloud while leaving others on-premises. This may be for business or compliance reasons.
  • Staged migration – The staged migration moves mailboxes to Office 365 in batches of users over a period of weeks. It is available only for Exchange 2003 and Exchange 2007 sources.
  • Cutover migration – The cutover migration moves all mailboxes in a single batch (Microsoft supports up to 2,000 mailboxes this way, but recommends far fewer) and then goes live by “cutting over” mail flow to the new Office 365 public cloud environment.
  • IMAP migration – The IMAP migration moves mailbox contents from any IMAP-capable mail system, so it is the option for non-Exchange sources. Only email is migrated; contacts, calendar items, and tasks are not.

Choosing the right migration strategy and option is essential to being able to successfully access data and services and in a way that is expected. The different options basically provide different levels of data migration and determine if any data/services are left on-premises either temporarily or permanently.

Backup Office 365

Perhaps one of the most important best practices in the list is backing up Office 365. So many businesses choose to migrate to the public cloud and totally forget to think about data protection in the public cloud. Many inappropriately treat the public cloud as an ironclad mechanism in which it is impossible to lose data. While public cloud is ultra-resilient, data loss CAN happen and happen easily, either by accidental/intentional deletion, ransomware, or some other data disaster.

Additionally, even if organizations have thought about data protection after the migration is complete and the business is “in production”, what about during the migration process? If you think about it, there can potentially be data loss even during the migration phase of the operation. Businesses need to think seriously about putting data protection mechanisms in place before the migration takes place so that as soon as data begins to migrate it is being protected by the mechanisms available.  Office 365 Backups are essential to the integrity of data. Data is the lifeblood of the business. Not protecting it, even in the public cloud, is asking for disaster. How can you effectively backup data in the Office 365 public cloud?

The native Office 365 environment offers little in the way of true data protection. What it does provide is oriented toward recovering recent deletions: deleted items sit in recycle bins for a limited window, OneDrive for Business can be rolled back to any point within the previous 30 days, and retention policies or litigation holds can keep content from being purged for compliance reasons. None of these is a backup. The data stays inside the same tenant, the rollback window is 30 days, and, for now, Microsoft offers the point-in-time rollback only for OneDrive and not for the other services. Being limited to 30 days for recovery is not acceptable for many businesses, and a deletion or ransomware encryption that goes unnoticed for longer than that window leaves nothing to restore from. Where does this leave businesses migrating to the Office 365 public cloud who want to adhere to Office 365 admin best practices? Essentially, businesses must choose a third-party provider to protect the Office 365 environment with true enterprise-grade backups.

Spinbackup provides an excellent solution for businesses to fill the need of enterprise-ready data protection that provides robust features and capabilities. Spinbackup provides the following functionality for businesses looking to protect their Office 365 environments.

  1. Automated backups 1x or 3x daily – Includes OneDrive for Business, Email, Contacts, Calendar, and People
  2. Provides ability to store data from OneDrive outside of the Office 365 public cloud – Either AWS or GCP storage
  3. Version control
  4. Ultra-secure backups – AES 256-bit encryption in-flight and at-rest
  5. Unlimited storage capability and backups
  6. Migrate data between user accounts
  7. Search for items backed up from Office 365
  8. Report on the status of protected data
  9. Upcoming Office 365 security features!

Backing up Office 365 services using Spinbackup Office 365 Backup

Using the Spinbackup solution businesses migrating their business-critical data to the Office 365 public cloud can confidently count on their data to be stored safely and securely. Spinbackup provides a powerful and cost-effective solution for data protection that allows “checking all the boxes” when it comes to ensuring business-critical data in the cloud meets the requirements of the business, compliance, and regulations. With the upcoming security features for Office 365 that match what is available in the Google G Suite version of Spinbackup, the capabilities of Spinbackup will allow organizations not only to backup business-critical data in Office 365 but also implement the same world-class security mechanisms that are found in Spinbackup for G Suite, including data leak protection, third-party apps control, insider-threat protection, etc.

Secure Access to Resources Appropriately

Inappropriately provisioned permissions on public cloud resources have been behind some of the most widely publicized public cloud data breaches. Attackers routinely scan the common storage services of public cloud providers for “open” permissions, looking for resources whose permissions were misconfigured or never configured at all. Public cloud permissions are an attractive target because they are generally less well understood than the on-premises security permissions administrators secure with more familiar technologies. Public cloud environments often have new mechanisms for securing resources that administrators coming from purely on-premises backgrounds can easily misconfigure.

Office 365 comes with a set of admin roles that can be assigned to users in the Office 365 organization. These admin roles map to common business functions and allow the users assigned to them to perform specific tasks. Additionally, there are Office 365 groups that simplify the administration of users, resources, and Office 365 security in general. There are four types of groups in Office 365. They are:

  1. Office 365 group – used for collaboration between users, both inside and outside the company. Members get a group email and shared workspace for conversations, files, and calendar events.
  2. Security group – Used for granting access to Office 365 resources, such as SharePoint. Can contain users or devices. Can be based on dynamic membership in Azure Active Directory.
  3. Mail-enabled security group – Function the same as regular security groups, except they cannot be dynamically managed through Azure Active Directory and can’t contain devices.
  4. Distribution lists – used for sending notifications to a list of people. Can receive external email if enabled.

A mistake can be made in trusting the “default” permissions assigned to users accessing certain resources in Office 365. Just because it is configured as a default permission does not make it the correct configuration for the user. Each user, group, etc, should be evaluated to determine the correct set of permissions based on the actual business need for that user. Assigning permissions based on the group, instead of the user, can make this process easier as it allows assigning the permission to the group and then simply adding the user to the correct group with the assigned permissions needed.

The principle of least privilege should always be followed when determining what permissions a user should hold in the Office 365 environment.
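The two habits described above, reviewing who actually holds admin roles and granting access through groups rather than to individual users, can be scripted. The following is an added example written for this post, not code from the original article or from Spinbackup; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the listed scopes, and the group and user names are placeholders.

```powershell
# Added example: audit admin role membership and grant access via a security group.
# Assumes: Install-Module Microsoft.Graph has been run; "SG-Finance-SharePoint-Readers"
# and "alice@contoso.example" are placeholders.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","Group.ReadWrite.All"

# 1. Enumerate admin roles and their members.
#    Get-MgDirectoryRole lists only roles that have been activated in the tenant
#    (i.e. assigned at least once); roles nobody has ever held do not appear.
$report = foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $member.AdditionalProperties
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
            Type   = ($props['@odata.type'] -replace '#microsoft.graph.', '')
        }
    }
}
$report | Sort-Object Role, Member | Format-Table -AutoSize

# 2. Flag the findings a least-privilege review cares about most:
#    too many Global Administrators, and guest accounts holding any admin role.
$globalAdmins = @($report | Where-Object Role -eq 'Global Administrator')
if ($globalAdmins.Count -ge 5) {
    Write-Warning "$($globalAdmins.Count) Global Administrators; Microsoft's guidance is fewer than five dedicated accounts."
}
# Guest (B2B) users carry '#EXT#' in their UPN.
$report | Where-Object { $_.Member -like '*#EXT#*' } |
    ForEach-Object { Write-Warning "Guest account $($_.Member) holds admin role '$($_.Role)'" }

# 3. Grant SharePoint access through a security group, then add users to the group,
#    instead of assigning permissions user by user.
$group = New-MgGroup -DisplayName "SG-Finance-SharePoint-Readers" `
    -MailNickname "sg-finance-sp-readers" -MailEnabled:$false -SecurityEnabled
$user = Get-MgUser -UserId "alice@contoso.example"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
```

The role report is worth scheduling; the roles that matter are the ones that were quietly activated months ago for a one-off task and never removed.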

Use Data Loss Prevention Policies

Data leakage is one of the dangers that businesses face when migrating to the cloud. The worst thing that can happen is for businesses to have sensitive information with personally identifiable information leak onto the Internet. This can lead to fines, lost customer confidence, and a tarnished reputation. To prevent these types of incidents from happening, businesses must put mechanisms into place to protect sensitive information in the public cloud. Microsoft Office 365 contains data loss prevention mechanisms to protect sensitive information in the Office 365 public cloud. However, businesses have to take full advantage of the capabilities in order to be protected.

By using data loss prevention (DLP) policy in Office 365 security & compliance center, businesses can identify, monitor, and automatically protect sensitive information across Office 365. This PII information can include credit card numbers, social security numbers, or health records. DLP policies work by detecting sensitive information using deep content analysis and not simply a text scan. This type of deep analysis uses keyword analysis, dictionary matches, regular expressions, internal functions, and other methods to detect content that matches your DLP policies. With DLP, administrators can define policies that:

  • Identify sensitive information across locations (Exchange, SharePoint, OneDrive, etc)
  • Prevent accidental sharing of sensitive information
  • Monitor and protect sensitive information in desktop versions of Office
  • Help users learn how to stay compliant without interrupting their workflow
  • View DLP reports showing content that matches your organization’s DLP policies

A DLP policy is made up of a where, a when, and a how component. Administrators decide where to protect content, such as Exchange Online, SharePoint Online, OneDrive for Business, etc. Then the when conditions are evaluated against content, and the how actions are taken when those conditions match.

When creating a DLP policy, either simple or advanced settings can be chosen. The simple settings make it easy to create the most common types of DLP policies without using the rule editor to create or modify rules. The advanced settings use the rule editor to give you complete control over every setting of the DLP policy, which allows more customized policies. DLP policies can be rolled out in test mode, with or without policy tips shown to users, to determine the impact on users before fully enforcing them. This helps to prevent unintentionally blocking access to thousands of documents that are required for business continuity. In test mode, DLP reports show which incidents the policy would have acted on. After any false positives are identified and the policies are adjusted accordingly, you can then move the policies to full enforcement.

Office 365 DLP policy template for defining protected information (image courtesy of Microsoft)

Using policy templates, you can choose a template of the type of information you want to protect. This allows saving the work of building a new set of rules from scratch, and figuring out which types of information should be included by default.
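The test-mode-then-enforce rollout described above can be done from Security & Compliance PowerShell instead of the portal. This is an added example written for this post, not code from the original article; it assumes the ExchangeOnlineManagement module, an account with Security & Compliance admin rights, and a placeholder policy name. The sensitive information type names are Microsoft's built-in ones; confirm that Get-DlpDetailReport is still available in your tenant, since Microsoft has been retiring some legacy reporting cmdlets.

```powershell
# Added example: create a DLP policy in test mode, review what it would have blocked,
# then switch it to enforcement. Policy/rule names are placeholders.

Connect-IPPSSession

$policyName = "PII-CreditCard-SSN"

# WHERE: all Exchange mailboxes, SharePoint sites and OneDrive accounts.
# Mode TestWithNotifications = evaluate, report and show policy tips, but block nothing yet.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# WHEN / HOW: content shared with people outside the organization that contains at least
# one credit card number or U.S. SSN is blocked, the owner and last modifier are told why,
# and an incident report goes to the site admin.
New-DlpComplianceRule -Name "$policyName-ExternalShare" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Detections, Severity

# Leave the policy in test mode for a couple of weeks, then review the matches by
# workload and sensitive information type. Large counts from a single SharePoint site
# are the usual sign of a false positive (test data, invoices with order numbers, ...).
$since = (Get-Date).AddDays(-14)
Get-DlpDetailReport -StartDate $since -EndDate (Get-Date) -DlpCompliancePolicy $policyName -PageSize 1000 |
    Group-Object Source, SensitiveInformationType |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Once false positives have been tuned out (e.g. by raising minCount or excluding
# a location), move to full enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The rule deliberately scopes blocking to external sharing (AccessScope NotInOrganization); blocking internal sharing of the same content is usually a second, later step once the match rate is understood.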

Utilize Mobile Device Management (MDM) policies

There is no question that mobile devices are utilized more than ever today. Employees are using their devices anywhere and everywhere they are located and where they travel. Part of the extraordinary power of the public cloud is the ease of which the infrastructure and services can be accessed from anywhere and from any device. While mobile device access and BYOD mindsets have allowed employees to be liberated from the confines of offices and be productive from anywhere, the mobile device landscape has created a concerning situation for security. Office 365 provides Mobile Device Management (MDM) policies to help solve this problem.

What do MDM policies allow organizations to do? They help to secure and manage users' mobile devices, such as iPhones, iPads, Android devices, and Windows phones. Using MDM policies, organizations can create and manage device security settings and take actions such as remotely wiping a device that is lost or stolen. In addition, MDM provides detailed device reporting, so administrators know which devices are connected to and accessing the Office 365 environment.

MDM policies are part of the Security and Compliance Center, which is where they are set up and configured. To set up MDM policies you will need to complete the following tasks in the Office 365 Security and Compliance Center:

  • Activate the Mobile Device Management service
  • Set up Mobile Device Management
  • Configure Domains for MDM
  • Set up multi-factor authentication (recommended)
  • Manage device security policies
  • Ensure that users enroll their devices

Setting up multi-factor authentication in Office 365 (image courtesy of Microsoft)

Using MDM policies in Office 365, administrators can require a user's device to comply with policy before it is allowed to reach certain Office 365 resources. Policies and access rules created in MDM for Office 365 take precedence over Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. Which policy settings can keep a device out? A device that fails a requirement in any of the following areas of the policy can be blocked from accessing Office 365 resources:

  • Security
  • Encryption
  • Jailbroken or rooted
  • Managed email profile

Workflow of mobile device access used for Office 365 access and MDM policy (courtesy of Microsoft)

Enforcing these kinds of controls on mobile devices accessing the Office 365 environment is essential to the security of the environment. While the ease of access from mobile devices provides tremendous benefits, it also widens the attack surface. MDM policies help to reduce that exposure. It is certainly a recommended Office 365 admin best practice to implement MDM policies to control access to data and services from mobile devices.
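The four policy areas listed above (security, encryption, jailbroken, managed email profile) map directly onto parameters of the device cmdlets in Security & Compliance PowerShell. The following is an added example written for this post, not code from the original article; it assumes the ExchangeOnlineManagement module, MDM already activated in the tenant, a placeholder mail-enabled security group named "MDM-Pilot", and an account with Security & Compliance and Exchange admin rights. The parameter names are as documented for New-DeviceConditionalAccessRule; check Get-Help New-DeviceConditionalAccessRule -Full in your tenant before running.

```powershell
# Added example: create an MDM for Office 365 (Basic Mobility and Security) access policy
# that blocks non-compliant devices for a pilot group, then list enrolled devices.
# "MDM-Pilot" is a placeholder group name.

Connect-IPPSSession          # Security & Compliance cmdlets (Device* cmdlets)
Connect-ExchangeOnline       # Exchange Online cmdlets (Get-DistributionGroup, Get-MobileDevice)

# TargetGroups wants the group's object ID, not its name.
$pilotGroupId = (Get-DistributionGroup -Identity "MDM-Pilot").ExternalDirectoryObjectId

# The policy is the container; it is created enabled so the rule takes effect immediately.
$policyName = "MDM-Baseline"
New-DeviceConditionalAccessPolicy -Name $policyName -Comment "Block non-compliant mobile devices" -Enabled $true

# The rule carries the requirements. A device that fails any of them is blocked
# from Office 365 until it complies. Built with splatting so each area can be commented.
$rule = @{
    Policy       = $policyName
    TargetGroups = $pilotGroupId
    # Security: a device password, and a wipe after repeated wrong attempts
    PasswordRequired              = $true
    PasswordMinimumLength         = 6
    MaxPasswordAttemptsBeforeWipe = 10
    # Encryption: device storage must be encrypted
    PhoneMemoryEncrypted          = $true
    # Jailbroken / rooted devices are refused
    AllowJailbroken               = $false
    # Managed email profile: mail must go through the MDM-provisioned profile
    RequireEmailProfile           = $true
}
New-DeviceConditionalAccessRule @rule

# Reporting: which devices are syncing, whether they are managed, and whether the
# access rules have already blocked any. Unmanaged devices here are users who have
# not enrolled yet and will lose access once the pilot group is widened.
Get-MobileDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceAccessState, IsManaged, IsCompliant |
    Sort-Object IsManaged, UserDisplayName |
    Format-Table -AutoSize
```

Starting with a pilot group rather than the whole company is the MDM equivalent of DLP test mode: it shows how many users will be cut off by a rule such as the encryption requirement before that rule is applied to everyone.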

Wrapping Up

Office 365 is powerful and provides a tremendous opportunity for businesses today to accelerate access to the latest services and technologies Microsoft offers for the enterprise. The agility and flexibility gained from utilizing the public cloud are extremely beneficial. However, along with the tremendous benefits, there are aspects of the public cloud that organizations must think through carefully. Following Office 365 admin best practices can help to alleviate these concerns and the potential security issues that arise from utilizing the Office 365 public cloud environment. Utilizing integrations such as Spinbackup Office 365 backup gives businesses the features they need for important aspects of their migration to the public cloud, such as disaster recovery.

Spinbackup allows businesses to have the features and functionality for backups and disaster recovery that businesses are accustomed to on-premises. It does this simply, effectively, and easily. Public cloud is here to stay. Businesses are making use of it and will continue to use it more and more. By following the Office 365 Admin best practices outlined to get there and to manage day two operations, the transition can be made and business-continuity can be maintained.