Teams Can Now Capture Compliance Records for Hybrid & Guest Users

Screen Shot 2018-06-07 at 10.43.44.png

Capturing Compliance Data Since January

Neatly aligned with the need for better compliance mandated by GDPR, Microsoft announced on June 1 that they have been collecting compliance records for messages sent by on-premises users in personal chats since January 31, 2018. Microsoft says that they are working to create compliance records for chats before this date but cannot commit to when this data might be available.

Filling a Gap

Capturing these conversations fills a big gap in the Teams compliance story. Before this, if someone with an on-premises Exchange mailbox participated in a personal chat, Teams did not capture copies of their messages. On-premises users do not have cloud mailboxes, and the mechanism used by Teams to capture compliance records relied on the ability to store compliance records in the hidden Team Chat folder in mailboxes.

The problem is obvious when you think that two on-premises users could have had a personal conversation in Teams without leaving a trace of what they discussed. That’s not a desirable situation in a world when the ability to enforce compliance is demanded for regulatory or legal reasons.

Channel conversations never had the same problem because Office 365 captures compliance records for these conversations in the group mailbox for to the team that owns the channel.

Only for Synchronized On-Premises Mailboxes

Starting last January, Microsoft provisioned special “phantom” mailboxes inside Office 365 for enterprise tenants (those with E1, E3, or E5 licenses) for on-premises mailboxes whose accounts are synchronized to Azure Active Directory with AADConnect. The on-premises mailboxes are part of a hybrid Exchange configuration where some objects stay on-premises and some are in the cloud.

Compliance for Guest Users Too

Microsoft uses the same solution to capture compliance records for messages sent by guest users in private conversations.

The provisioning process to create phantom mailboxes for hybrid and guest users happened automatically to make sure that chat data is now available to search across all the Office 365 datacenter regions supported by Teams.

The phantom mailboxes, otherwise called “cloud-based mailbox for on-premises users,” have a single “Team Chat” folder to store the compliance records. Office 365 creates the phantom mailboxes in the same datacenter region as the tenant.

Unavailable to Office 365 Management Tools

You cannot log onto these mailboxes or manage them through the normal Office 365 management interfaces, including PowerShell. However, because Exchange Online knows about these mailboxes, their content is indexed and discoverable, which then means that content searches can find the compliance records, including the searches used by eDiscovery cases and GDPR Data Subject Requests (DSRs).

Enabling a Special GUI

Although the collection of compliance records happens in the background, some work is needed to expose those records to a tenant so that they appear in the Security and Compliance Center. Microsoft says that a tenant must submit a support request called “Enable Application Content Search for On-premises Users” together with the tenant name, default domain, and the tenant identifier, a unique GUID. You can find the identifier in the Azure Active Directory portal, or with PowerShell by running the Get-AzureADTenantDetail cmdlet:

Screen Shot 2018-06-07 at 10.46.23.png

When Office 365 engineering receives the support request, they enable the tenant for a special form of the GUI used to create content searches in the Security and Compliance Center. Under the search locations, a new option appears to include on-premises data in the search (Figure 1).

Security and Compliance Center IM

PowerShell Searches Available Now

Microsoft says that it typically takes 2-3 weeks for them to complete the process of provisioning a tenant to see the amended GUI. If you can’t wait, you can use PowerShell because the New-ComplianceSearch cmdlet supports two new parameters:

  • Set AllowNotFoundExchangeLocationsEnabled to $True to tell Office 365 that you want to search the phantom mailboxes. The search won’t try to check that the Exchange mailboxes specified for the search exist (they do, but they are phantoms). It also means that content searches will check compliance records generated by guest users.
  • Set IncludeUserAppContent to $True to tell Office 365 that some or all of the mailboxes specified for the search are phantoms.

After that, it’s a matter of specifying the on-premises mailboxes individually in the ExchangeLocation parameter or searching all Exchange mailboxes. For example, these commands create a content search for chat records and then start the search.

Screen Shot 2018-06-07 at 10.47.37.png

Previewing Search Results

Even if you don’t ask Microsoft to update the Security and Compliance Center GUI to deal with phantom mailboxes, after creating a search in PowerShell, you can preview results through the Security and Compliance Center. Figure 2 shows a compliance record generated for a message in a personal chat (it has “IM” as its subject) authored by a guest user.

Guest user IM

No Hold or Retention for Phantom Mailboxes

Although you can search for compliance records generated by on-premises users, you cannot put phantom mailboxes on hold. This should not be a problem because no one can log onto those mailboxes and try to remove items. Also, you cannot apply Office 365 retention policies to the phantom mailboxes.

The Enduring Search for Compliance Perfection

Over the last year, Teams has made good progress in getting better at meeting the compliance requirements of customers by supporting features like Office 365 retention policies. This new update is a good step forward, but there’s more to do. Expect to hear more as Microsoft drives to complete functionality before the Ignite conference in September.





From Petri – Tony Redmond

GDPR Data Subject Requests with Office 365

GDPRGDPR Data Subject Access Requests

With GDPR taking effect on May 25, any company operating in the European Union must be able to deal with Data Subject Access Requests (DSRs). Section 3 of Article 15 says that “The controller shall provide a copy of the personal data undergoing processing [to the data subject].”

In the context of Office 365, the controller is the administrator of an Office 365 tenant while the personal data is anything held in an Office 365 data store relating to the data subject (a person). An organization has up to 30 days to respond to a request, which might come from a current or former employee, or someone who does business with the organization. Here’s an interesting blog post describing the kind of request you might receive. Continue reading → GDPR Data Subject Requests with Office 365

Microsoft Switches Office 365 Groups to Private by Default

Microsoft’s original vision for Office 365 Groups emphasized openness. Anyone could create a group and all groups were public. The aim was to foster collaboration and make sure that anyone could join in any group discussion as they liked.

Time passes by and software matures in the fierce heat of customer opinion. The original dedication to openness is less than it was. A group creation policy allows tenants to restrict the creation of new groups to a limit set of users. Teams hides groups that it creates from Exchange clients to avoid the chance of confusing users and Yammer-originated groups are invisible anywhere outside Yammer.

And now, Microsoft has decided to change the default access type for a group from public to private to satisfy  the third-highest rated request for Groups on Uservoice, the place where customers voice their opinion about changes they’d like Microsoft to make.

Screen Shot 2018-05-01 at 10.43.37.png

Change Happens for Outlook First

Microsoft announced that they are rolling out the change iin Message Center notice MC134487 on April 20. OWA is the first client to go private-by-default (Figure 2), followed by the four other Outlook endpoints for group creation (Outlook for Windows and Mac, Outlook mobile for iOS and Android). Microsoft can change OWA quickly, but it takes a lot longer to work user interface changes into the other clients, so you can expect public-by-default to be around for a while yet.

OWA create new Office 365 Group

If you think that the change is bad and want to keep public by default, you can update the Exchange Online organization configuration with PowerShell. For example:


Screen Shot 2018-05-01 at 10.49.11

Other applications will consider this change and work it into their plans. Teams already creates its groups as private unless an owner selects public while SharePoint plans to change its default to private to match the Outlook endpoints. Expect to see a notification to this effect soon.


Changing Access Type with Clients

Looking back, it seems bizarre that when Microsoft launched Office 365 Groups in November 2014, you couldn’t change the access type after creation. The ability to change access type by editing group properties arrived in June 2016. Now, it’s a matter of updating the group through OWA, Outlook, or the mobile apps (Figure 3).

Screen Shot 2018-05-01 at 10.46.33.png

Some might be surprised at the level of administration group owners can perform with Outlook mobile. It’s there because Microsoft deprecated the original Groups app last February. Since then, Microsoft has moved administrative features over to Outlook.

Updating Access Type with PowerShell

Tenant administrators and group owners can also update the access type with PowerShell. Here’s how to update a single group.

Screen Shot 2018-05-01 at 10.47.42.png

And here’s how to change all the public groups in a tenant to be private to match the new philosophy.

Screen Shot 2018-05-01 at 10.48.22.png

Education Drives Some Change in Office 365

Microsoft is doing well with Groups and Teams in the education market, especially in the U.S., and it is unsurprising to see them respond to these customers by making groups private by default. Some corporate customers will like the change too, while those who don’t can switch back to the old behavior as described above. I guess everyone likes the idea of being open, but when pressure goes on, privacy is the primary concern for many.



Blog post form Petri by Tony Redmond

Data Resiliency in Microsoft Office 365

Given the complex nature of cloud computing, Microsoft is mindful that it’s not a case of if things will go wrong, but rather when. Microsoft designed their cloud services to maximize reliability and minimize the negative effects on customers when things do go wrong. We have moved beyond the traditional strategy of relying on complex physical infrastructure, and Microsoft have built redundancy directly into the cloud services. They use a combination of less complex physical infrastructure and more intelligent
software that builds data resiliency into our services and delivers high availability to the customers.
This post describes data resiliency in Microsoft Office 365 from two perspectives:
1. How Microsoft prevents customer data from becoming lost or corrupt in Exchange Online,
SharePoint Online, and Skype for Business; and
2. How Exchange Online, SharePoint Online, and Skype for Business protect customer data
against malware and ransomware. Continue reading → Data Resiliency in Microsoft Office 365

Deep Dive: How Hybrid Authentication Really Works

A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online in Microsoft Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization.

But one of the challenges some customers are concerned about is that this type of deployment requires that some communication take place between Exchange Online and Exchange on-premises. This communication takes place over the Internet and so this traffic must pass through the on-premises company firewall to reach Exchange on-premises.

The aim of this post is to explain in more detail how this server to server communication works, and to help the reader understand what risks this poses, how these connections are secured and authenticated, and what network controls can be used to restrict or monitor this traffic. Continue reading → Deep Dive: How Hybrid Authentication Really Works

Demystifying Hybrid Free/Busy: what are the moving parts?

Hybrid Free/Busy is one of those things that many people do not fully understand. If everything works well, the complexity is hidden from view and people working in various parts of organization can seamlessly work together. But if things go wrong… you will appreciate deeper understanding of what makes it work. This is why we wanted to create the blog post series on the subject.

In this article, we will discuss how Free/Busy works in an Exchange Hybrid configuration. In next blog post, you will learn what are the most common problems along with how we go about diagnosing those (often) complex issues.

So, what is Free/Busy? Free/Busy is a feature that allows you to see when others are free (their calendar shows availability), busy (their calendar shows them as busy), or even Out of Office, or Something Else (tentative or working away) so that you can find an appropriate time for your meetings. Calling it all “Free/Busy/OOF/Something-Else” didn’t sound so cool to marketing hence “Free/Busy”. In a Hybrid deployment, we usually have some mailboxes in Exchange On-Premises and some mailboxes in Exchange Online (users are in different premises) and this has to work there too. Continue reading → Demystifying Hybrid Free/Busy: what are the moving parts?

Create an Office 365 Backup Policy

backup-cloud-button.jpgDon’t get stumped by a request to recover deleted email messages in Office 365. Know what Microsoft offers, and plan ahead to stop mailbox content from performing a disappearing act.

Some Office 365 adopters assume a move to Microsoft’s cloud comes with automatic data protection. But administrators must prepare backups or find out the hard way when messages and other important material are lost — with no chance of recovery. Continue reading → Create an Office 365 Backup Policy

Security and compliance in Microsoft Teams

Microsoft Teams is built on the Office 365 hyper-scale, enterprise-grade cloud, delivering the advanced security and compliance capabilities our customers expect.

Teams is Tier C-compliant at launch. This includes the following standards: ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2, HIPAA, and EU Model Clauses (EUMC). Within the Microsoft compliance framework, Microsoft classifies Office 365 applications and services into four categories. Each category is defined by specific compliance commitments that must be met for an Office 365 service, or a related Microsoft service, to be listed in that category.

Services in compliance categories C and D that have industry-leading compliance commitments are enabled by default. Services in categories A and B come with controls to turn on or turn off these services for an entire organization. Details can be found in the Compliance Framework for Industry Standards and Regulations. Teams also supports Cloud Security Alliance compliance.

Teams also enforces team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest. Files are stored in SharePoint and are backed by SharePoint encryption. Notes are stored in OneNote and are backed by OneNote encryption. Continue reading → Security and compliance in Microsoft Teams

Office 365: ADConnect synchronization interval changed automatically…

In Azure AD Connect, the default synchronization interval is set to 30 minutes during installation.  In the majority of cases, 30 minutes is an appropriate balance between getting changes to Office 365 in a timely fashion, keeping the export set small enough to be effectively transmitted, and not overloading the on premises directories or Azure Active Directory.

The configuration of the Azure AD Connect synchronization schedule can be viewed using Get-ADSyncScheduler.

PS C:\> Get-ADSyncScheduler

AllowedSyncCycleInterval            : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval         :
NextSyncCyclePolicyType             : Delta
NextSyncCycleStartTimeInUTC         : 1/23/2018 2:58:30 PM
PurgeRunHistoryInterval             : 7.00:00:00
SyncCycleEnabled                    : True
MaintenanceEnabled                  : True
StagingModeEnabled                  : False
SchedulerSuspended                  : False
SyncCycleInProgress                 : False

  Continue reading → Office 365: ADConnect synchronization interval changed automatically…