Microsoft Switches Office 365 Groups to Private by Default

Microsoft’s original vision for Office 365 Groups emphasized openness. Anyone could create a group and all groups were public. The aim was to foster collaboration and make sure that anyone could join in any group discussion as they liked.

Time passes by and software matures in the fierce heat of customer opinion. The original dedication to openness is less than it was. A group creation policy allows tenants to restrict the creation of new groups to a limited set of users. Teams hides groups that it creates from Exchange clients to avoid the chance of confusing users, and Yammer-originated groups are invisible anywhere outside Yammer.

And now, Microsoft has decided to change the default access type for a group from public to private to satisfy the third-highest rated request for Groups on UserVoice, the place where customers voice their opinion about changes they’d like Microsoft to make.

[Screenshot not included]

Change Happens for Outlook First

Microsoft announced that they are rolling out the change in Message Center notice MC134487 on April 20. OWA is the first client to go private-by-default (Figure 2), followed by the four other Outlook endpoints for group creation (Outlook for Windows and Mac, Outlook mobile for iOS and Android). Microsoft can change OWA quickly, but it takes a lot longer to work user interface changes into the other clients, so you can expect public-by-default to be around for a while yet.

[Figure 2: OWA create new Office 365 Group (screenshot not included)]

If you think that the change is bad and want to keep public by default, you can update the Exchange Online organization configuration with PowerShell. For example:


[Screenshot of the PowerShell command not included]
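The screenshot above is not reproduced here. The following is an added example, not the command from the original post, showing how an administrator can keep public as the tenant-wide default and confirm the setting afterwards. It assumes an Exchange Online PowerShell session is already established with an account that holds the Organization Management role, and that the DefaultGroupAccessType parameter of Set-OrganizationConfig is the switch Microsoft exposes for this purpose.

```powershell
# Added example (not the original post's command): keep Public as the tenant-wide
# default access type for new Office 365 Groups created through the Outlook endpoints.
# Assumes an Exchange Online PowerShell session is open and the signed-in account
# holds the Organization Management role.

# Record the current default so the change can be reverted later
$before = (Get-OrganizationConfig).DefaultGroupAccessType
Write-Host "Current default group access type: $before"

# Valid values are Public and Private; Private is Microsoft's new default
Set-OrganizationConfig -DefaultGroupAccessType Public

# Re-read the organization configuration and verify the change took effect
$after = (Get-OrganizationConfig).DefaultGroupAccessType
if ($after -ne 'Public') {
    throw "DefaultGroupAccessType is still '$after'; check the role assignment of the signed-in account"
}
Write-Host "Default group access type is now: $after"
```

To revert to Microsoft's new behaviour, run the same Set-OrganizationConfig command with Private instead of Public.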

Other applications will consider this change and work it into their plans. Teams already creates its groups as private unless an owner selects public while SharePoint plans to change its default to private to match the Outlook endpoints. Expect to see a notification to this effect soon.


Changing Access Type with Clients

Looking back, it seems bizarre that when Microsoft launched Office 365 Groups in November 2014, you couldn’t change the access type after creation. The ability to change access type by editing group properties arrived in June 2016. Now, it’s a matter of updating the group through OWA, Outlook, or the mobile apps (Figure 3).

[Figure 3: screenshot not included]

Some might be surprised at the level of administration group owners can perform with Outlook mobile. It’s there because Microsoft deprecated the original Groups app last February. Since then, Microsoft has moved administrative features over to Outlook.

Updating Access Type with PowerShell

Tenant administrators and group owners can also update the access type with PowerShell. Here’s how to update a single group.

[Screenshot of the PowerShell command not included]

And here’s how to change all the public groups in a tenant to be private to match the new philosophy.

[Screenshot of the PowerShell command not included]
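The two screenshots in this section are not reproduced here. As an added example that is not the author's own code, the script below covers both cases: the single-group change (commented out at the top) and a tenant-wide sweep that first records every public group to a CSV file, runs as a dry run by default, and only applies the change when -Commit is given. It assumes an Exchange Online PowerShell session with the Organization Management role; the script name, the CSV path and the -Commit switch are assumptions made for this example.

```powershell
# Added example (not the original post's code). Save as Set-GroupsPrivate.ps1 (hypothetical name).
# Finds every public Office 365 Group, saves the current list so the change can be reversed,
# then makes each group private. Assumes an Exchange Online PowerShell session is open and
# the signed-in account holds the Organization Management role.

param(
    [string]$ReportPath = ".\PublicGroups-before.csv",   # assumed path
    [switch]$Commit   # without -Commit the script only reports (-WhatIf); with it the change is applied
)

# One group: an owner or an administrator can flip the access type directly, e.g.
# Set-UnifiedGroup -Identity "Project Falcon" -AccessType Private

# All groups: pull the whole list once (-ResultSize Unlimited), then filter client-side
$publicGroups = @(Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.AccessType -eq 'Public' })

if ($publicGroups.Count -eq 0) {
    Write-Host "No public groups found; nothing to do."
    return
}

# Keep a record of what was public before the change
$publicGroups |
    Select-Object DisplayName, Alias, PrimarySmtpAddress, AccessType, WhenCreated |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} public group(s) written to {1}" -f $publicGroups.Count, $ReportPath)

foreach ($group in $publicGroups) {
    if ($Commit) {
        Set-UnifiedGroup -Identity $group.Identity -AccessType Private
        Write-Host "Made private: $($group.DisplayName)"
    } else {
        # Dry run: show what would change without touching the tenant
        Set-UnifiedGroup -Identity $group.Identity -AccessType Private -WhatIf
    }
}
```

Run the script once without -Commit to review the CSV and the -WhatIf output, then again with -Commit to apply the change. The CSV lists the groups that were public, so any that should stay public can be switched back with Set-UnifiedGroup -AccessType Public.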

Education Drives Some Change in Office 365

Microsoft is doing well with Groups and Teams in the education market, especially in the U.S., and it is unsurprising to see them respond to these customers by making groups private by default. Some corporate customers will like the change too, while those who don’t can switch back to the old behavior as described above. I guess everyone likes the idea of being open, but when pressure goes on, privacy is the primary concern for many.



Blog post from Petri by Tony Redmond

Deep Dive: How Hybrid Authentication Really Works

A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online in Microsoft Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization.

But one of the challenges some customers are concerned about is that this type of deployment requires that some communication take place between Exchange Online and Exchange on-premises. This communication takes place over the Internet and so this traffic must pass through the on-premises company firewall to reach Exchange on-premises.

The aim of this post is to explain in more detail how this server to server communication works, and to help the reader understand what risks this poses, how these connections are secured and authenticated, and what network controls can be used to restrict or monitor this traffic. Continue reading → Deep Dive: How Hybrid Authentication Really Works

Office 365: ADConnect synchronization interval changed automatically…

In Azure AD Connect, the default synchronization interval is set to 30 minutes during installation. In the majority of cases, 30 minutes is an appropriate balance between getting changes to Office 365 in a timely fashion, keeping the export set small enough to be effectively transmitted, and not overloading the on premises directories or Azure Active Directory.

The configuration of the Azure AD Connect synchronization schedule can be viewed using Get-ADSyncScheduler.

PS C:\> Get-ADSyncScheduler

AllowedSyncCycleInterval            : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval         :
NextSyncCyclePolicyType             : Delta
NextSyncCycleStartTimeInUTC         : 1/23/2018 2:58:30 PM
PurgeRunHistoryInterval             : 7.00:00:00
SyncCycleEnabled                    : True
MaintenanceEnabled                  : True
StagingModeEnabled                  : False
SchedulerSuspended                  : False
SyncCycleInProgress                 : False

Continue reading → Office 365: ADConnect synchronization interval changed automatically…
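As an added example that is not part of the original post, the script below reads the same scheduler properties shown in the Get-ADSyncScheduler output above, compares the effective interval against the value an administrator expects, and pins a customized interval if the two differ. It runs on the Azure AD Connect server in an elevated session, where the ADSync module is installed; the 30-minute expected value and the optional delta cycle at the end are assumptions for this example.

```powershell
# Added example (not from the original post): check the effective Azure AD Connect sync
# interval and, if it differs from the value you expect, set an explicit customized interval.
# Run on the Azure AD Connect server in an elevated PowerShell session.
# The $Expected value is an assumption for this example.

Import-Module ADSync

$Expected = [TimeSpan]::Parse('00:30:00')
$sched = Get-ADSyncScheduler

# AllowedSyncCycleInterval is the minimum imposed by the service; the effective value is
# that minimum unless a longer CustomizedSyncCycleInterval has been configured.
Write-Host "Allowed  : $($sched.AllowedSyncCycleInterval)"
Write-Host "Custom   : $($sched.CustomizedSyncCycleInterval)"
Write-Host "Effective: $($sched.CurrentlyEffectiveSyncCycleInterval)"
Write-Host "Next run : $($sched.NextSyncCycleStartTimeInUTC) UTC ($($sched.NextSyncCyclePolicyType))"

if ($sched.CurrentlyEffectiveSyncCycleInterval -ne $Expected) {
    Write-Warning "Effective interval differs from expected $Expected"

    # Values below AllowedSyncCycleInterval are not honoured, so refuse them up front
    if ($Expected -lt $sched.AllowedSyncCycleInterval) {
        throw "Expected interval is below the allowed minimum of $($sched.AllowedSyncCycleInterval)"
    }
    Set-ADSyncScheduler -CustomizedSyncCycleInterval $Expected

    # Re-read the scheduler and confirm the new effective interval
    $sched = Get-ADSyncScheduler
    Write-Host "Effective interval is now $($sched.CurrentlyEffectiveSyncCycleInterval)"
}

# Optional: start a delta cycle now instead of waiting for NextSyncCycleStartTimeInUTC
# Start-ADSyncSyncCycle -PolicyType Delta
```

Because the effective interval can never be shorter than the allowed minimum, the check before Set-ADSyncScheduler avoids silently configuring a value that the scheduler would ignore.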

Microsoft Recommending Non Expiring Passwords to O365 Customers

My Office 365 admin portal displayed a new recommendation when I logged in last week. Microsoft is recommending that user account passwords be set to never expire. My tenant is currently set to an expiry period of 90 days, whereas a newer tenant I was doing some testing with last month has defaulted to 730 days. I am not sure whether a tenant created today will default to 720 days or to non-expiring passwords.

This recommendation has so far appeared only in tenants that I have access to that are configured with First Release for everyone, and that aren’t enabled for directory synchronization. I imagine that the recommendation is being rolled out slowly.

The thought of non-expiring passwords might raise a few eyebrows in some organizations. For a long time the accepted position for passwords was to change them regularly. This thinking comes from a time when passwords were the single factor of authentication for most systems, with multi-factor authentication being relatively rare. Times have changed though, and recent research has concluded that requiring users to change their passwords regularly will usually lead to them:

  • choosing weaker passwords to begin with, because they don’t want to learn complex new passwords each time they are forced to change it
  • choosing new passwords that are only a minor variation of their previous password, e.g. Monday01 changes to Monday02

So what should we do if we aren’t requiring our users to regularly change their passwords? Continue reading → Microsoft Recommending Non Expiring Passwords to O365 Customers
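As an added example that is not part of the original post, the script below reports the password expiry policy of each verified domain in a tenant and lists the accounts that already carry a per-user "never expires" override, so an administrator can see where the tenant stands before following the recommendation. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the -Commit switch and the 14-day notification value are assumptions for this example.

```powershell
# Added example (not from the original post): report the password expiry policy of each
# verified domain and list users whose passwords are already set to never expire.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.
# The -Commit switch and the notification value are assumptions for this example.

param([switch]$Commit)   # without -Commit the script only reports

# 2147483647 days is the value MSOnline uses to mean "passwords never expire"
$NeverExpire = 2147483647

foreach ($domain in Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }) {
    $policy = Get-MsolPasswordPolicy -DomainName $domain.Name
    Write-Host ("{0}: validity {1} days, notify {2} days before expiry" -f `
        $domain.Name, $policy.ValidityPeriod, $policy.NotificationDays)

    if ($Commit) {
        # Tenant-wide change for this domain; run without -Commit first to review the current policy
        Set-MsolPasswordPolicy -DomainName $domain.Name -ValidityPeriod $NeverExpire -NotificationDays 14
        Write-Host "  -> validity set to never expire for $($domain.Name)"
    }
}

# Accounts with a per-user override, independent of the domain policy
$nonExpiring = @(Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires -eq $true })
Write-Host "$($nonExpiring.Count) account(s) already have PasswordNeverExpires set:"
$nonExpiring |
    Select-Object DisplayName, UserPrincipalName, LastPasswordChangeTimestamp |
    Sort-Object LastPasswordChangeTimestamp |
    Format-Table -AutoSize
```

The per-user list is sorted by last password change so the oldest passwords appear first; in a tenant that is moving to non-expiring passwords, that column is the one worth reviewing for stale credentials.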

How to Secure Conversations and Data in Microsoft Teams

With the news at Microsoft Ignite that Teams is here to stay, and going to be the primary collaboration client in Office 365, it is going to be important for organisations to understand how to secure the data and conversations stored within Microsoft Teams.

Where is the data?

The first key thing is to understand what types of data you are talking about, and where it is actually stored. Every “Team” is built on an Office 365 Group, and this is where the majority of the Team related data will be stored. Each Channel in the Team will provision a new folder in the Group’s Document Library, and this is where files shared in Group conversations will be stored. Each Group also has a Group Mailbox, and this is where conversations held within channels are stored.

However, users can also communicate directly via chat, and share files from this interface. In this instance, the conversations will be stored in the user’s mailbox, and the files they share will be stored in OneDrive.

That’s great, but what does this mean when it comes to compliance? Continue reading → How to Secure Conversations and Data in Microsoft Teams

One-click replication for Azure Virtual Machines with Azure Site Recovery

Microsoft have announced that Azure Site Recovery (ASR) is now built into the virtual machine experience so that you can set up replication in one click for your Azure virtual machines. Combined with ASR’s one-click failover capabilities, it’s simpler than ever before to set up replication and test a disaster recovery scenario.

Using the one-click replication feature, now in public preview, is very simple. Just browse to your VM, select Disaster recovery, select the target region of your choice, review the settings and click Enable replication. That’s it – disaster recovery for your VM is configured. The target resource group, availability set, virtual network and storage accounts are auto-created based on your source VM configuration. You also have the flexibility to pick custom target settings. You can refer to the animation below for the flow.

[Animation not included]

If you have applications running on Azure IaaS virtual machines, your applications still have to meet compliance requirements. While the Azure platform already has built-in protection for localized hardware failures, you still need to safeguard your applications from major incidents. This includes catastrophic events such as hurricanes and earthquakes, or software glitches causing application downtime. Using Azure Site Recovery, you can have peace of mind knowing your business-critical applications running on Azure VMs are covered and without the expense of secondary infrastructure. Disaster recovery between Azure regions is available in all Azure regions where ASR is available.

Five more reasons why you should download the Azure mobile app

You may have already heard about the Azure mobile app at the Build conference back in May 2017. The app lets you stay connected with Azure even when you are on the go.
Over the last few months, Microsoft have been working closely with customers to improve the Azure mobile app. Below are five more reasons why the Azure app is a must-have.

1. Monitoring resources

The Azure mobile app allows you to quickly check your resources status at a glance. Drill in, and see more details like metrics, Activity Log, properties and execute actions.

[Figure: Resource list (screenshot not included)]

Continue reading → Five more reasons why you should download the Azure mobile app

Active Directory Access Control List – Attacks and Defense

Recently there has been a lot of attention and a few different blog posts (references at the end of the post) regarding the use of Discretionary Access Control Lists (DACLs) for privilege escalation in a Domain environment. This potential attack vector involves the creation of an escalation path based on AD object permissions (DACLs). For example, gaining “Reset Password” permissions on a privileged account is one possible way to compromise it via a DACL path.

Although DACL permissions are not the easiest topic to cover in one post and should be digested slowly, there are examples of potential attack scenarios we want to share. The following blog tries to shed some light on the subject, present the possible escalation paths and suggest relevant mitigations.

Continue reading → Active Directory Access Control List – Attacks and Defense
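As an added example that is not part of the original post, the script below shows the defensive side of the "Reset Password" case mentioned above: it reads the DACL of one account and lists every trustee that holds the User-Force-Change-Password extended right (shown as "Reset Password" in the AD UI), either directly, through a blanket extended-rights grant, or through GenericAll, and flags any trustee not on an expected list. It requires the ActiveDirectory module (RSAT) and read access to the object; the account name and the expected trustees are assumptions for this example.

```powershell
# Added example (not from the original post): list every trustee that can reset the
# password of a given account, so unexpected entries can be reviewed and removed.
# Requires the ActiveDirectory module (RSAT) and read access to the object.
# The account name and the expected-trustee list are assumptions for this example.

Import-Module ActiveDirectory

$AccountSamName   = 'svc-backup'                                   # hypothetical privileged account
$ExpectedTrustees = @('CONTOSO\Domain Admins', 'NT AUTHORITY\SYSTEM')   # assumed baseline

# Rights GUID of the User-Force-Change-Password extended right ("Reset Password" in the UI);
# an ACE whose ObjectType is the empty GUID grants all extended rights.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$AllRightsGuid     = [Guid]::Empty

$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$user = Get-ADUser -Identity $AccountSamName
$acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $hasExtended = (($ace.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight)
    $hasAll      = (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll)

    # The right is granted explicitly, via all extended rights, or via GenericAll
    $grantsReset = $hasAll -or
        ($hasExtended -and ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq $AllRightsGuid))
    if (-not $grantsReset) { continue }

    [pscustomobject]@{
        Trustee   = $ace.IdentityReference.Value
        Rights    = $ace.ActiveDirectoryRights
        Inherited = $ace.IsInherited
        Expected  = ($ExpectedTrustees -contains $ace.IdentityReference.Value)
    }
}

$findings | Sort-Object Expected, Trustee | Format-Table -AutoSize

$unexpected = @($findings | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unexpected trustee(s) can reset the password of $AccountSamName"
}
```

Inherited entries usually come from the OU the account sits in, so an unexpected inherited trustee points at a container-level permission rather than at the account itself. Rights such as WriteDacl or WriteOwner, which let a trustee grant themselves this right later, are outside the scope of this check.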

Understanding Office 365 identity and Azure Active Directory

Office 365 uses the cloud-based user authentication service Azure Active Directory to manage users. You can choose from three main identity models in Office 365 when you set up and manage user accounts:

Cloud identity. Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it’s all done in the cloud.

Synchronized identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they will have to sign in again to use Office 365.

Federated identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. This is often referred to as single sign-on.

It’s important to carefully consider which identity model to use to get up and running. Think about time, existing complexity, and cost. These factors are different for every organization; this topic reviews these key concepts for every identity model to help you choose the identity you want to use for your deployment.

Continue reading → Understanding Office 365 identity and Azure Active Directory

Ways to Migrate Multiple Email Accounts to Office 365

Your organization can migrate email to Office 365 from other systems. Your administrators can migrate mailboxes from an Exchange Server or migrate email from another email system. And your users can import their own email, contacts, and other mailbox information to an Office 365 mailbox created for them. Your organization also can work with a partner to migrate email.

Before you start an email migration, review limits and best practices for Exchange Online to make sure you get the performance and behavior you expect after migration.

Migrate mailboxes from Exchange Server

For migrations from an existing on-premises Exchange Server environment, an administrator can migrate all email, calendar, and contacts from user mailboxes to Office 365.

An administrator performs a staged or cutover migration to Office 365. All email, contacts, and calendar information can be migrated for each mailbox.

There are three types of email migrations that can be made from an Exchange Server: Continue reading → Ways to Migrate Multiple Email Accounts to Office 365