Office 365 Advanced Security Management

This text is an extract from Chapter 19 of the eBook “Office 365 for IT Pros”. We’re commonly asked at what level the content of the book is pitched and how up to date it is. Well, this topic was announced by Microsoft on June 1 and you can judge the level for yourself. For more information about Office 365 for IT Pros, see (for PDF and EPUB versions and some bonus material) or Amazon (for the Kindle version).

Advanced Security Management

The Advanced Security Management application is included in the E5 enterprise plan and is also available as a $3/month add-on for the other enterprise plans. Every user in the tenant needs to be licensed for Advanced Security Management as it is not possible to exclude the audit data for individual users from the anomaly detection and analysis.

The current implementation of Advanced Security Management is part of a long-term plan to give Office 365 customers much better oversight of what’s happening in their tenant, based on the audit data accumulated in the Office 365 unified audit data mart. The major advantage of the approach is that no agents or other software need to be deployed to gather and analyze the data used to detect the threats that might lie behind the anomalies that are picked up. Analyzing the audit data also reveals how the actions taken by individual users might compromise the security of the organization through suspicious behavior, such as someone downloading all of the documents from a library containing confidential information within a short period. Other indications are taken into account, such as suspicious IP addresses that might originate from anonymous proxies or known botnets.

Advanced Security Management allows administrators to create tenant-specific policies to fire alerts when specific events happen or when a particular pattern of actions occurs. For instance, you could create a policy that will alert administrators by email or SMS whenever certain conditions occur. Microsoft provides a preconfigured “General anomaly detection” policy to get the ball rolling. This policy covers common conditions that should cause suspicion, such as a user logging in from two places that are widely separated in distance within a short period. Other anomaly detection policies can be added to highlight specific activities that are of concern to the organization. For example, a policy could be created to look for attempted log-ins from IP addresses outside the corporate IP range. Policies can be tailored to turn different risk factors on or off or to increase sensitivity to a risk.


Alerts show up in the Advanced Security Management Console

The screen shot above shows how a set of alerts appear in the Office 365 Advanced Security Management console. In this case, a set of alerts have been signaled because Advanced Security was recently enabled for the tenant. When this happens, Advanced Security examines the current state of the tenant to establish a baseline and to report any events that it believes should be brought to the attention of an administrator. The fact that someone accesses an application, like SharePoint Online or OneDrive for Business, from a location for the first time is an example of a built-in anomaly alert that helps the system to set a baseline. The first alert shows that Paul Cunningham accessed SharePoint from Australia (AU). If this is expected because Paul always accesses Office 365 from Australia, the administrator can resolve the alert (to mark it done) and the alert will no longer appear because Advanced Security knows that this is a normal condition. On the other hand, if Paul’s account is used to access SharePoint Online from Egypt when he is known to be sunning himself in his back garden in Brisbane, then we might have a problem. When the security administrator resolves an alert, they can enter a comment to explain why the condition is satisfactory and deemed to be resolved.

Reviewing Office 365 Advanced Security Alerts

If more information is needed to understand the pattern behind a user’s behavior or another aspect of an alert, such as the IP address, the administrator can click the item to have Advanced Security Management reveal what it has recorded in its Activity Log. For example, all events logged for Paul Cunningham are shown if his account name is clicked.

Each alert is rated a high, medium, or low risk. The risk level is determined using behavioral analytics to compare normal user interaction with Office 365 against the information contained in the audit data. The analytics are based on Microsoft’s collected knowledge about the threats that exist and their origin gathered from across Office 365 and other cloud services. Assigning a risk value allows an administrator to filter for high risk alerts and prioritize their resolution.

Another example of an alert is when an account is detected to have elevated permissions (a “New admin user” alert). Again, if the permissions were assigned purposely, the alert can be resolved and Advanced Security knows that it does not have to signal the issue again. However, it could be the case that someone has been assigned permissions in error or that they hold permissions for too long, in which case the resolution is different and might require the account to be suspended or to have its permissions adjusted. User accounts can also be suspended as an action contained in a policy to ensure that action is taken to protect the organization without requiring an administrator to do something manually. Suspended users show up in Office 365 as blocked users. If this turns out to be the wrong thing to do, you can reverse the suspension from Advanced Security Management or the Office 365 Admin Center.

It’s possible that an alert highlights an event that is uninteresting or invalid. In these instances, you can dismiss the alert or mark it as a false positive. These actions are recorded in the Activity Log and the fact that the user’s location or their admin status is deemed to be valid will be taken into account by Advanced Security Management when it processes audit and other data to detect anomalies and suspicious activity in the future.

Filters are available to focus in on one or more of the Office 365 applications or to look for selected users. The latter filter is valuable when you might be concerned about the activities of a particular individual. You can also search for high, medium, or low severity alerts or for alerts that have been previously dismissed or resolved. You can also filter by category (access control, compliance, configuration control, privileged accounts, sharing control, and threat detection). The filters can be combined together to focus in on certain actions, meaning that even a very large volume of alerts can be quickly refined to produce a set of alerts that need to be examined. You can also export alerts to a CSV file if required.

Advanced Security Management is accessed through the Alerts section of the Security and Compliance Center where the Manage Advanced Alerts option connects to Microsoft Cloud App Security, a platform designed to analyze very large amounts of information relating to security events.  Cloud App Security has no dependency on Office 365 and is available for purchase as a standalone product. The version used with Office 365 only handles Office 365 data; the standalone version is capable of handling data extracted from many other cloud applications.

When a tenant opts in to use Office 365 Advanced Security, a link is created between the Office 365 tenant and an equivalent tenant automatically created within Cloud App Security. The link allows audit data to be extracted from Office 365 and analyzed by the Cloud App Security analytics engine, which detects suspicious activity and other potential problems. It takes about a week after a tenant is enabled before a satisfactory model of its normal activity is created and a baseline is built that suspected anomalies can be measured against.

Audit entries extracted from Office 365 can be examined in the Activity Log along with other logged items, such as those recorded when an administrator resolves or dismisses an alert. Again, a range of filters are available to reduce the number of log entries down to a manageable amount. In the example shown below, the filters have been used to extract events relating to document check-outs by users based in Bulgaria in a certain period. Note the option in the top right-hand corner of the screen to create a new policy based on search criteria, meaning that you can easily create a new policy to create alerts if similar events occur in the future.


Filtering Audit events

One issue for non-U.S. customers is that Cloud App Security is currently based on an Azure data store that runs in a U.S. datacenter. However, only audit data and information about tenant users and groups is moved to the Azure data store and personal information belonging to tenant users remains within Office 365. Microsoft plans to extend Cloud App Security so that its data is stored in other datacenter regions in the future. When this happens, Cloud App Security data for a tenant will be stored in the same region as Office 365.

In some respects, apart from the analytics used by Advanced Security Management to pick up suspicious activity by correlating events, the technology is not rocket science. You could argue that a skilled administrator who knows what is happening in their tenant is likely to be able to detect and resolve the same kind of issues that Advanced Security highlights. However, an application like Advanced Security scores through its ability to handle massive quantities of information of the type generated by audit events and to reduce the mass down to what’s important. A human can do this too, but will struggle with:

  • The volume of data to process (especially as the environment scales).
  • The time required to recognize complex suspicious audit events and to learn the characteristics that mark new threats.
  • The need to be consistent in how events are treated.

It’s also likely that the human administrator will forget that some events have happened (or not) in the past, so when something happens, they have to consider the event on its merits. Computers are better at remembering things, so Advanced Security Management quickly recognizes when an event is rare (and therefore potentially out of the norm) or normal.

In addition, the machine learning that lies behind analytics is much faster at correlating events to detect suspicious activity. Once software learns what it should be looking for, it generally produces more consistent results than a human can, 24 hours a day, 365 days a year, which is why applying technology to automate the collection and validation of information drawn from multiple sources is a good solution to understanding the kind of threat introduced by how individuals behave.

Follow Tony @12Knocksinna

Posted in Cloud, Office 365, Uncategorized | Tagged , , , , , | Leave a comment

Introducing Office 365 for IT Pros – third edition – now available


The writing team is delighted to announce the immediate availability of our new eBook “Office 365 for IT Pros – Third Edition” at The PDF (for PCs) and EPUB for many eReaders, including the iPad, are available now and the Amazon Kindle version is available for pre-order, with a release date of June 12 lined up.

Nineteen months ago, Paul Cunningham and I started work on the idea of creating a book that would help Exchange on-premises administrators move over to Office 365. After roping in Van Hybrid as a co-author and enlisting the services of Jeff Guillet as the technical editor, the first edition was released at the Microsoft Ignite conference in May 2015.

The first edition, which we named “Office 365 for Exchange Professionals”, was flawed and imperfect, as all first efforts are, but it was a fantastic learning experience for us in terms of how to put together and publish a book. We wanted to do something different, to have a living book that took advantage of the power of the Internet to keep pace with the changes occurring inside Office 365. This led us to the concept of pushing out regular updates for the book, which is what we now do. Sometimes updates occur every few days, sometimes it’s every few weeks. It all depends on what’s happening inside Office 365 and if we find mistakes (editorial, formatting, or grammatical) that we need to fix.

When we began work, we always knew that we would release new editions when we considered that we had enough new material to warrant such a release. The second edition appeared in September 2015. This was possibly too soon after the first edition but we wanted to correct some of the flaws that were apparent in the first edition. Anyway, the version of the second edition that is currently available is considerably different to what was released in September because we have made so many changes over the intervening period. That’s one of the joys of e-publishing: if you’re unhappy with a book, you can keep on working on it until the book is in a shape that makes you happier.

Over the last year, we also brought the book to Amazon to make it available to Kindle users and have looked at the feasibility of printed copies. Formatting for Kindle proved to be one of those “interesting” challenges that are supposed to build character. We’ve spent a lot of time during this release cycle to improve the formatting for both EPUB and Kindle, particularly around how PowerShell examples are displayed, and although these are better, we know that more work is needed in this area.

Kindle isn’t profitable when you look at the number of hours that are invested into preparing a large technical book for publication through that channel compared to the net revenue after Amazon extracts its 70% fee, but people do like having books on their Kindle devices and we’re happy to facilitate that choice.

Printing books, which we did with the support of Microsoft for the first edition, is an expensive and time-consuming business. We’re still looking at whether this is a good road to go down. The biggest concern is that printing delivers a point-in-time version of the book that we can’t update. This is fine when technology doesn’t change all that often, which is why printed books worked so well in the past when a new version of an on-premises product like Exchange or SharePoint appeared once every three years. However, when you’re trying to cover a topic like Office 365, a service that introduced 450 changes in the year to August 2015, doing so in a print format is an interesting problem to contemplate.

As proof of the issue, just look at all of the print format Office 365 books that are available today. We’ve learned from our experience that any material that was published more than a year ago is now very outdated and anything past that point is possibly misleading and invalid. That’s a real problem for us. But on the other hand, when we surveyed readers, we heard that print was still the second most popular medium for technical books and that people would like a printed version. We’ll keep an eye on the evolving methods that are available for print-on-demand distribution to see whether we can do something useful in this space.

We’ve been working on the third edition since February. This is our biggest release yet and because of a massive change in scope and the amount of new material covering new topics, we’re also changing the title of the book to reflect that content. Instead of “Office 365 for Exchange Professionals”,  which we used for the first and second editions, the third edition is called “Office 365 for IT Pros”. The new title reflects the real breadth of the book and we think it’s the right one to use going forward.

Office 365 for IT Pros extends to over 800 pages spanning 399,000 words in 24 chapters, and includes 688 practical examples of PowerShell being used to interact with different Office 365 workloads. We’re reducing the price of the book by $5 to $39.95. Early-bird discounts are available on until mid-June.

Those who notice these things might note that we reduced the margins on the pages to make them more like U.S. trade-size books. If we ever decide to print copies, this change had the bonus effect of reducing the number of pages required. We also removed a heap of graphics that we didn’t think added as much value as we wanted. Overall, the book is about 10% longer but we estimate that we added about 250 pages of new material. In addition, every existing page was checked by multiple people to ensure that its content reflects what we see today in Office 365 rather than what we might have observed in late 2014 when we started to first write.

Major work areas for the Office 365 for IT Pros team included:

  1. Adding coverage of new Office 365 applications such as Office 365 Planner, Delve Analytics, Advanced eDiscovery (Equivio Zoom), and Advanced Security Management
  2. Revising the text covering feature areas that have received major updates over the last six months: Admin, Office 365 Groups, HCW, and the Security and Compliance Center.
  3. Expanding the book’s focus to encompass all of Office 365 rather than a prime focus on Exchange Online. Exchange remains important and there’s lots of content covering how it works in the book, but the balance is better.
  4. Revising the structure and flow of the book to bring common material together (like identities and authentication – now covered in chapter 3).
  5. Removing of material that is of lower interest (site mailboxes), takes up lots of space (migration steps and history of Exchange), or is redundant. The material that we consider still valuable is available to customers through 100+ pages of downloadable bonus files.

The change in focus to cover all of Office 365 means that we include a lot more material on SharePoint Online and OneDrive for Business, both of which are great areas for companies to investigate when they move to the cloud. SharePoint Online is particularly important because of its foundational role in applications such as Office 365 Video. The topics covered in the book are:

  • Exchange Online (probably 50%)
  • SharePoint Online
  • OneDrive for Business
  • Office 365 Video
  • Office 365 Groups
  • Office 365 Planner
  • Advanced Security Management
  • Delve and Delve Analytics
  • Advanced eDiscovery and what Microsoft is doing to make eDiscovery happen for all Office 365 sources
  • Yammer (some)
  • Even Sway! (where we discovered some interesting nuggets, such as sharing and the data-at-rest location)

We are proud of the in-depth coverage of areas like Office 365 Groups, Planner, Clutter, Office 365 Video, Delve Analytics, and Exchange hybrid connectivity – it’s at a level that we believe is simply unavailable in such a comprehensive form elsewhere.

We received great help and assistance from many people at Microsoft who work on Office 365 to parse out what really happens behind the scenes of features like Delve Analytics. In addition, we are grateful for the help and advice that we had from many of our fellow MVPs. We also acknowledge with gratitude the contribution of our technical editors, Jeff Guillet and Vasil Michev, who played a huge role in refining and improving the text.

Our biggest issue now is curating the mass of information we have assembled to ensure that it remains accurate, up-to-date, and interesting. That’s a challenge we accept with relish. We also need to continue to work hard to expand the non-Exchange content to enable readers to be more productive and effective with all of Office 365.

We will continue to update Office 365 for IT Pros to keep track of updates released by Microsoft. And then thoughts will turn to what the next edition might include…

Thanks for all your support to date. We hope you enjoy the book. And if you’d like to listen to Paul and I discussing its creation, why not download the podcast on the topic.

Tony, Paul, and Michael



Office 365 Exposed Podcast #3

As the gentle readers of my blog might remember, the esteemed Paul Robichaux and I often tape a podcast when we’re together. Unlike other podcasts about Exchange and/or Office 365, we try to take a strategic look rather than diving down into the weeds. Although we’re not always successful, we have a good time chatting about what’s going on. Paul has posted the latest episode on his site – you can get it there or download the podcast from iTunes.

  • The topics include the horrible mess that Microsoft Learning is making of recertification for messaging MCSEs and why “YouTube certification” isn’t worth much (also discussed here)
  • How technologists can stay ahead of the curve in a world when things change at an increasing rate.
  • What’s likely to happen at the Microsoft Ignite conference in Atlanta next September and why the “Anti Kool-Aid” conference (aka IT/DEV Connections) offers value of a different type. I’m looking forward to IT/DEV Connections, which takes place in the ARIA Hotel in Las Vegas in October, because it attracts a great crowd, including many MVPs and even some of the more famous individuals from the world of Exchange.
  • The need for ISVs to react as the on-premises market shrinks and Microsoft takes more of the available space in the cloud.

In any case, enjoy! And if you don’t, well…

Most of my time in the last few weeks has been spent preparing for the publication of the upcoming “Office 365 for IT Pros” book. We’re making excellent progress and the book is now listed for pre-order on Amazon. Expect an announcement soon about the availability of the PDF and EPUB versions from


Office 365 for IT Pros – now available for pre-order for Kindle

In any case, because we’re writing about Office 365, I have been pretty hard-nosed about using Office 365 to support the writing effort. Naturally, all of the text is created using Word 2016 and 2013 before it is converted to PDF, EPUB, and MOBI (for Kindle) and we store the files in an Office 365 group document library (SharePoint Online).

The writing team is distributed across Ireland, Australia, and Belgium and our technical editors are in the U.S. and Bulgaria, so we have a pretty good spread. This shouldn’t be an issue because Microsoft has installed a network of local network access points for clients to connect to Office 365. Once connected, traffic is routed across Microsoft’s dark-fiber datacenter backbone, so it doesn’t really matter where in the world someone happens to be.

The network is great but the tools have flaws. Two in particular have been causing me some grief. First, the change that Microsoft made in Excel 2016 as to how worksheets that are stored in SharePoint Online document libraries are opened. The worksheets are now opened in read-only mode and the theory is that you can click the button to open the worksheet in write mode. If this is what happened all would be well and I wouldn’t complain, but it doesn’t. At least not about 40% of the time. When this happens I close the worksheet and open it again and invariably, but not always, it can be opened for writes. Office 2016 has been out for nine months and I’m using the up-to-date click-to-run version. There’s no excuse for this kind of problem to persist so long.

Until of course you find another even worse problem, which is the bastard child from IT hell called the OneDrive for Business sync client (the old and horrible version). OneDrive for Business has two sync clients. The old one is built on the now-ancient foundations of Groove, a product I attempted to deploy at Compaq in 2001. It was a network pig then and we dropped it after trying to make Groove work for a year or so. Even Ray Ozzie’s words of reassurance failed us.

A decade-and-a-half later, Groove.exe is no better. On the other hand, the new sync client, which is used for both the consumer and business versions of OneDrive, is pretty good and appears to be reliable. At least, I do not have to fix, repair, swear at, moan about, or otherwise castigate the old-and-horrible sync client after it fails once again. I am patient (normally), but the baffling array of faults that this software has exhibited for years makes me wonder why Microsoft hasn’t a) put Groove.exe out of its misery and b) fixed the new sync client so that it can handle SharePoint Online document libraries. Apparently that functionality is coming “before the end of 2016”. It can’t come soon enough.

Finally, I see that Paul Cunningham has written an in-depth review of QUADROtech PST FlightDeck, a tool to help find, process, and migrate those annoying PSTs and get the data across to Office 365 where the data is safe, compliant, and secure. Full disclosure: I am an external board member for QUADROtech – even so, I think this review contains a number of points that anyone looking to take on a PST migration should build into their project.

Speaking of which, I must run and catch the flight to Zurich to go and attend a board meeting…



Delve finds private Office 365 Groups and other ramblings

As the weekend draws thankfully nearer, some thoughts about recent developments that have come into my idle mind that need to be shared with the world.

First, a question arose about the way that Microsoft’s Outlook for iOS and Android clients still store user data on Amazon Web Services. People don’t like this with good reason because the data is not covered by the steps Microsoft takes to protect data on their own cloud platforms. This isn’t to say that Amazon does anything untoward with the data; it’s simply a matter that Microsoft can’t make guarantees about how Amazon protects user data.

The fact that this data resides on Amazon is a lingering artifact of the way that Acompli, the company who originally developed the clients, processed information. Microsoft is all too aware of the need to change and really wants to get the data moved over to Azure. When I spoke to Javier Soltero, the newly-installed GM for Outlook, in January, his take was that the switch would happen in “early 2016”. Clearly that hasn’t happened and data continues to be processed on Amazon to construct the “focused Inbox” loved by the 30-odd million users who have downloaded the Outlook apps (presumably they use the apps too). Essentially what happens here is that the data is fetched (using ActiveSync) from user mailboxes, processed in a data store on Amazon Web Services, and then provided to clients.

There’s no doubt that the data should be on Azure, if only to allow Microsoft to be able to provide an end-to-end guarantee that data is being protected from mailbox to client and back again. However, it does take time and care to make a fundamental switch like this and it’s likely that some technical hiccups have occurred along the way. I’d prefer that the job is done right than being rushed through to make some arbitrary date. Stay tuned, this change is coming. Soon.

Another question that came my way asked about the possibility of using the venerable IMAP4 protocol to access Office 365 Groups. I’m afraid that this query deserved a blunt “No” – and with good reason. IMAP4 is a mail access protocol, conceived at a time when email servers were rudimentary and email was barely functional. Although the protocol has been tweaked and enhanced over its 30-plus year history, it is now so archaic and obsolete that it really should be consigned to the dustbin. I know some people care very much about IMAP4 and like the clients that use it, but much better and more powerful protocols exist to allow people to access Exchange and Office 365. Exchange Web Services is one, ActiveSync is another. And the browser interface (Outlook Web App) is now so functional that it is more than sufficient for most situations. Enjoy yourself with IMAP4 if that’s your personal choice, but don’t expect to be able to do anything other than plain email.

Speaking of Office 365 Groups, it is good to see that Microsoft has eliminated the problem that caused documents in private groups to be invisible to the Search Foundation, which is the technology used to index information managed by both Exchange and SharePoint. These documents are now visible and can be included in content searches (essential for compliance) and show up in Delve (see below), all of which makes private Office 365 Groups much more valuable all round. It also removes a deployment blocker for some companies who were concerned that information was hidden in these libraries. To be clear, my tenant is configured for First Release and you might not see this functionality yet if your tenant uses Standard Release.


Delve exposes documents stored in the document libraries of private Office 365 Groups

The sites used to host the document libraries for Office 365 Groups have had quite a history. Each site uses a hidden site collection. The reason why they are hidden is to stop people using regular SharePoint management tools against the sites as this might impact the special links that Office 365 Groups use to tie together components drawn from different workloads, specifically access to the SharePoint Online resources. Recently, Microsoft dropped the old (and restricted) UI for group document libraries and upgraded it by adopting the UI used for “regular” sites. The upside of the change is that a lot more functionality was made available for group document libraries. The downside is that some parts of SharePoint (like access control) are now revealed in a way that might tempt people to mess where they shouldn’t. The golden rule for these sites is to leave well alone. If you want to customize a site to meet some specific requirements, create a regular team site and have your way. Don’t complain to Microsoft if a customization you make to a group document library has some unforeseen consequences. Always practice safe SharePointing…

Another good thing that has come about through that recent change is that the sites used for Office 365 Groups are now treated like any other SharePoint Online site within a tenant. As shown below, two Office 365 Groups are listed alongside a team site. You really wouldn’t know the difference.


SharePoint Online sites used for the document libraries belonging to Office 365 Groups are listed alongside normal sites

To close, the team writing the “Office 365 for IT Pros” ebook are closing in on the final text. We’re busily processing the results of some very insightful technical edits and reviews by some of our fellow MVPs, all of which are helping us to improve the quality of the information presented in the book. It’s always amazing how text that makes sense to an author can confuse others, so it’s great to have people read over what we have written so that we can clarify and expand where required. We’re also terrifically pleased with some of the advice and guidance we have received from some of the Office 365 engineering teams where developers have taken the time to explain in great detail just what they are trying to achieve with some of the newer functionality that is now appearing.

The new book is available for pre-order on Amazon. If all goes well, we should be able to release it to members of the site on June 1 and have general availability a week thereafter. At least, that’s the plan.



Chasing down mailbox delegate access in Exchange Online

A recent question from a reader focuses on the need to determine the last logon time for Exchange users. The organization is in the middle of moving to Exchange Online and some management reporting scripts that are used do not deliver the same results when run against Exchange Online mailboxes.

A quick discussion revealed that the script uses the Get-MailboxStatistics cmdlet to retrieve login information, specifically the LastLoggedOnUserAccount property. For instance, if we use the cmdlet to look at an Exchange Online mailbox, you might see something like this:

[PS] C:\> Get-MailboxStatistics -Identity | Format-Table *Log*

LastLoggedOnUserAccount LastLogoffTime LastLogonTime
----------------------- -------------- -------------
                                       10-Mar-16 5:39:54 PM

The LastLogonTime property, which reports the last time a user logged onto the mailbox, is populated. The LastLoggedOnUserAccount property, which reports the name of the last account to connect to the mailbox, is blank. In some instances, this information could be important because it’s not necessarily the case that the mailbox owner is the account that connects to the mailbox. Perhaps it was another account with full access permission.

Two problems are faced here. First, the ability of the Get-MailboxStatistics cmdlet to report the name of the account that logged on to a mailbox was deprecated in Exchange 2013. If you examine mailbox properties through the Exchange Administration Center (on-premises or Online), you’ll see that only the last logon time is reported.

Second, Office 365 operates a directory of record (Azure Active Directory) and workload-specific directories. The directory of record is the source of authority for account information while the workload directories hold information specific to a workload. Exchange Online does not have the same intimate relationship with the directory of record as exists on-premises where Active Directory is used for everything.

For example, Exchange Online obviously needs to hold information about mailboxes that are not necessarily required by every Office 365 account as some accounts don’t use Exchange. This information is held in EXODS (Exchange Online Directory Services). An EXODS instance is operated for each Exchange Online forest and multiple forests support the various Office 365 regions (U.S., EMEA, India, etc.). Similar arrangements exist for SharePoint Online (SPODS), Skype for Business (LYODS), and Yammer.

Synchronization routines are in place to keep Azure Active Directory and the workload directories aligned. Normally, synchronization is very fast and a change made to an attribute in a workload directory is updated in Azure Active Directory in a matter of seconds.

However, because Azure Active Directory is the directory of record, you have to retrieve information about user logons from it rather than using a cmdlet like Get-MailboxStatistics that operates exclusively against EXODS. Thus, we need to use the Search-UnifiedAuditLog cmdlet to interrogate the Azure Active Directory data held in the SIEM-like repository for audit information drawn from workloads across Office 365.

The unified auditing repository is the same data that is searched by the Office 365 Activity Report option in the Compliance Center. It is populated by feeds from multiple sources drawn from across the service, including Exchange mailbox and admin audit data. The idea is that the number of sources will be enhanced over time so that audit information from every Office 365 workload will be available through a common interface, which seems like a good thing.

Here’s an example to search the unified audit repository for logons by a specific user (you can pass several user identifiers separated by commas):

[PS] C:\> Search-UnifiedAuditLog -Operations PasswordLogonInitialAuthUsingPassword -StartDate 9-Mar-2016 -EndDate 10-Mar-2016 -UserIds | Format-Table UserIds, Operations, CreationDate

UserIds                             Operations                            CreationDate
-------                             ----------                            ------------
                                    PasswordLogonInitialAuthUsingPassword 10-Mar-16 5:41:06 PM

Depending on when the data is imported from a feed, it can take up to 12 hours before data from a source appears in the repository. In some cases, you can get the data that you need sooner by executing searches against Exchange admin audit log or mailbox audit log data. However, the caveat here is that sometimes those searches don’t work as well as they should.

Audit events return a property called AuditData in JSON format. You can look at the raw data and pick things out, but it’s often easier to use the ConvertFrom-Json cmdlet to interpret the data. First capture the audit events you want to examine into a variable and then run the one you want through the cmdlet. For example, this code finds some records, stuffs them into the $Audit variable, and uses the cmdlet to view the audit data of the sixth record in the set.

[PS] C:\> $Audit = Search-UnifiedAuditLog -Operations PasswordLogonInitialAuthUsingPassword -StartDate 9-Mar-2016 -EndDate 10-Mar-2016 -UserIds

[PS] C:\> $Audit[5].AuditData | ConvertFrom-Json

The client field gives us a clue as to what application was involved. For instance, if you see “Outlook” here you know that an Outlook client has authenticated against the account. If “Exchange” is shown, it means that an ActiveSync client connected. However, these events record instances when clients were forced to go through the process of entering a password. If cached credentials are used, they won’t be recorded. We need to focus on audit events for a different operation. The MailboxLogin operation seems like a good choice:

[PS] C:\> Search-UnifiedAuditLog -Operations MailboxLogin -StartDate 9-Mar-2016 -EndDate 10-Mar-2016 -UserIds | Format-Table UserIds, Operations, CreationDate

By now you’ve realized the flaw in this explanation. No connection exists between the audit data and the mailbox logon data. We know that some account connected to a mailbox at a certain time. We can surmise that it might be the mailbox owner by checking the logon data from Azure Active Directory, especially if the user logged on to their account just before the connection was made to the mailbox. But we can’t prove that the mailbox owner was the account that connected to the mailbox.
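The correlation described above, written out as an added example rather than code from the original post: each MailboxLogin audit record is matched against the most recent PasswordLogonInitialAuthUsingPassword record for the same account inside a short window, and a mailbox login with no nearby password logon is reported as unverifiable rather than assumed to be the owner. The sample records, the 15-minute window and the audit data field names (ClientInfoString, ClientIPAddress, taken from the Exchange mailbox audit record schema) are assumptions; real input is the unformatted output of Search-UnifiedAuditLog.

```powershell
# Added example (not from the original post): correlate MailboxLogin audit events with
# the most recent password logon by the same account, as the text describes.
# Capture Search-UnifiedAuditLog output directly; piping through Format-Table first
# would discard the objects and leave nothing to inspect.

function Get-MailboxLoginCorrelation {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # Search-UnifiedAuditLog output
        [int] $WindowMinutes = 15                     # assumed window to look back for a logon
    )
    $authEvents = $Records | Where-Object { $_.Operations -eq 'PasswordLogonInitialAuthUsingPassword' }

    foreach ($login in ($Records | Where-Object { $_.Operations -eq 'MailboxLogin' })) {
        # AuditData is a JSON string; ConvertFrom-Json turns it into an object
        $data      = $login.AuditData | ConvertFrom-Json
        $loginTime = [datetime]$login.CreationDate

        # Most recent password logon for the same account inside the window before the mailbox login
        $prior = $authEvents |
            Where-Object { $_.UserIds -eq $login.UserIds } |
            Where-Object { ([datetime]$_.CreationDate) -le $loginTime -and
                           ($loginTime - [datetime]$_.CreationDate).TotalMinutes -le $WindowMinutes } |
            Sort-Object { [datetime]$_.CreationDate } -Descending |
            Select-Object -First 1

        $priorTime = if ($prior) { [datetime]$prior.CreationDate } else { $null }
        $verdict   = if ($prior) { 'Password logon shortly before; likely the same person' }
                     else        { 'No recent password logon; cannot tie the login to an account' }

        [pscustomobject]@{
            Account      = $login.UserIds
            MailboxLogin = $loginTime
            Client       = $data.ClientInfoString
            ClientIP     = $data.ClientIPAddress
            PriorAuth    = $priorTime
            Verdict      = $verdict
        }
    }
}

# Constructed sample records in the shape Search-UnifiedAuditLog returns
# (UserIds, Operations, CreationDate, AuditData); the JSON payloads are constructed too.
$sample = @(
    [pscustomobject]@{ UserIds = 'alice@contoso.com'; Operations = 'PasswordLogonInitialAuthUsingPassword'
                       CreationDate = '2016-03-10T17:41:06'; AuditData = '{"Client":"Outlook"}' }
    [pscustomobject]@{ UserIds = 'alice@contoso.com'; Operations = 'MailboxLogin'
                       CreationDate = '2016-03-10T17:43:30'
                       AuditData = '{"ClientInfoString":"Client=MSExchangeRPC","ClientIPAddress":"203.0.113.10"}' }
    [pscustomobject]@{ UserIds = 'alice@contoso.com'; Operations = 'MailboxLogin'
                       CreationDate = '2016-03-10T22:05:00'
                       AuditData = '{"ClientInfoString":"Client=POP3/IMAP4","ClientIPAddress":"198.51.100.7"}' }
)

# The first mailbox login lands two minutes after a password logon; the second has none nearby.
Get-MailboxLoginCorrelation -Records $sample -WindowMinutes 15 | Format-Table -AutoSize
```

Even a match inside the window only shows that the account authenticated shortly before the mailbox was opened, which is the surmise the text describes, not proof of who connected.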

All of this proves that you can’t take it for granted that scripts or other techniques that work well on-premises will transition flawlessly into the cloud. Office 365 is a completely different environment (in so many different ways) than any on-premises environment. Some work is probably required to review and, if necessary, to update your favorite scripts before they’ll work as well in the cloud.

The good news is that Microsoft’s approach to build a unified auditing repository for Office 365 encompassing all workloads is commendable and is likely to improve in terms of scope and capability over time. Isn’t progress wonderful?


Public folders to Office 365 Groups – Yes Please!

The last couple of weeks have brought forward news of two solutions to migrate public folders (aka “the cockroaches of Exchange”) to Office 365 Groups (aka “Microsoft’s new answer to collaboration in the cloud”). The two solutions differ in concept and implementation, but both are valuable in what they do.

First, we have Binary Tree’s E2E Complete V4.1, which has added the ability to move public folders to Office 365 Groups to the set of other features previously supported by this well-known migration utility. Binary Tree has some serious credentials in the migration space, mostly earned by their ability to move Lotus Notes users over to Exchange on-premises or Office 365 (Binary Tree provide the Lotus Notes migration tools to Microsoft’s FastTrack migration center).

The development of the new E2E Complete feature was led by Exchange MVP Justin Harris, who knows his stuff. Justin is lined up to speak about several topics, including Office 365 Groups, at the IT/DEV Connections conference (aka the “anti Kool-Aid event”) in Las Vegas in October. Basically, you figure out what public folders you want to move to Office 365 Groups by applying a couple of simple tests:

  • Are the public folders in active use?
  • Do the users have Exchange Online mailboxes?
  • Are they mail-enabled?
  • Do the public folders store posts and calendar items?

There’s no point in migrating rubbish to Office 365 Groups. Old, obsolete, and unwanted material contained in public folders won’t be any better after it is moved to Office 365 Groups. The user interface might look nicer but the information will still smell.

Currently, users need to have Exchange Online mailboxes to be able to access Office 365 Groups. This limitation is due to go away soon as Microsoft has indicated that external access support for Office 365 Groups is a high-priority item that is on its way.

Posts are moved to Office 365 Groups as conversation items and stored in the group mailbox. Calendar items are moved to the group calendar. If a post has an attachment, it moves as an attachment. However, documents posted direct to a public folder can’t be moved today nor can journal items, contacts, or tasks. These item types are unknown in the context of Office 365 Groups. I guess they could be moved, but there would be little point if you couldn’t access them afterwards because the data couldn’t be presented as the UI was missing. Folders containing sub-folders will be collapsed into one if a single Office 365 Group is selected as the target.

After reviewing public folders and selecting those that should be moved, the administrator has to create the target Office 365 Groups (if they don’t already exist). Once all is ready, the source and the target are connected using the E2E Complete console and a background synchronization process based on MAPI moves the content from one to the other. After synchronization finishes, it’s best to check that the expected content arrived and, if happy, to remove the source public folder (or change its permissions to stop further write access) and advise users to start using the Office 365 Group instead. Some element of bi-directional synchronization is possible, but E2E Complete is not designed to keep content updated between a public folder and an Office 365 Group over a sustained period. This is, after all, a migration utility.

The new capability is great news for Binary Tree customers who have settled on E2E Complete as their preferred migration tool. Office 365 Groups become another viable destination for public folder content and the same tool handles everything.

The other new product in this space is project ADAM from QUADROtech Solutions AG. In the spirit of full disclosure, I am a non-executive director of QUADROtech and have spent time working on ADAM, which remains a product in search of a name. I’m told that marketing have this issue on their plate and a wonderful name will be settled upon by the time Microsoft’s Worldwide Partner Conference (WPC) takes place in Toronto, Canada, in July.


The Dashboard for QUADROtech’s Project Adam

Although QUADROtech also engineers migration products for Exchange such as PST FlightDeck and MailboxShuttle (if you’re interested in eradicating those pesky PSTs, you can grab a copy of a free eBook on the topic authored by Mr. ExchangeServerPro, Paul Cunningham), ADAM is very different. Why? Because it is powered by an advanced analytic engine that is designed to cut through the mass of source data that often clogs up migration projects. Take public folders for example – quite often, you discover that the public folder hierarchy is populated with vast quantities of old, forgotten, or unknown folders that belong to no one or no group. Public folder hierarchies can run to several hundred thousand folders, and no good tools exist to make sense of what’s valuable and what’s not in the data lurking within.

The analytic engine uses patent-pending technology to interpret the public folder hierarchy and come up with intelligent recommendations that administrators can then action with a single click. Multiple characteristics are considered in making a recommendation about the right target for a public folder. That target might be an Office 365 Group but, on the other hand, if the public folder contains information that hasn’t been accessed in five years or a public folder has no known users, maybe its data should be moved to a PST.

Behind the scenes, other QUADROtech technology such as its Advanced Ingestion Protocol (AIP) is used to move the data out of public folders over to Office 365 Groups.

We’re still in the early days of public folder to Office 365 Groups migration and I imagine that other tools will appear by the time the Microsoft Ignite conference comes around next September. In the interim, it’s good to see that two respected companies in the Exchange ecosystem have come forward with two different kinds of solutions. Choice is great for everyone and competition has a fantastic effect on driving technology forward.


News about the “Office 365 for Exchange Professionals” eBook


A quick post to let you know that we have issued an update for the second edition of the “Office 365 for Exchange Professionals” eBook. The updates are now available to those who purchased the PDF/EPUB versions through and the Kindle version through Amazon. The updated version is dated 20-May-2016. More information about our update process is available here.

These updates contain some corrections and clarifications that were identified during the technical editing process for the third edition, together with some additional nuggets that we thought should be included, such as the instructions for tenants who want to move their data into a new Office 365 datacenter region. The introduction of the new datacenters in Canada makes this news topical, as many Canadian companies might want to move their data from U.S.-located datacenters to Canada to achieve the desired data residency. Note that only “core” Office 365 data can be moved, which means SharePoint Online and Exchange Online data. Some data, such as Sways created through an Office 365 account or the metadata for plans managed through Office 365 Planner (approaching general availability soon), will remain in the U.S. And of course, the Outlook for iOS and Android apps have not yet moved off their intermediate processing that is performed on the Amazon Web Services platform to Azure. That will happen later in 2016.

Speaking of the third edition, we are going to take the opportunity presented by this edition to rename the book “Office 365 for IT Pros”. The simple reason is that although we started off by focusing on Exchange Online and helping on-premises admins figure out how to move workload into the cloud, the focus has changed dramatically since we released the first edition on 1 May 2015. The vast majority of the new content we have added covers topics that leverage components drawn from across Office 365, such as Office 365 Groups, or that are not related to Exchange Online, like Delve Analytics. We have also expanded coverage of SharePoint Online and OneDrive for Business because we believe that these are the natural next steps for an Exchange deployment to take following a mailbox migration.

We have so much new content that we have had to enlist the support of a second technical editor to handle the load. Vasil Michev, an Office 365 MVP who is well known to anyone who follows the Office 365 Network on Yammer for the quality of his responses to questions raised there, is doing a great job for us alongside Jeff Guillet, who had sole responsibility for the first and second editions.

In any case, the third edition is coming soon. Those who buy books through will be offered a very attractive opportunity to update to the third edition following its release. Stay tuned for more news.
