
Microsoft 365 and Teams settings and security
Little Tricks
Corporations are increasingly turning to Microsoft's cloud services in the form of Exchange Online, SharePoint Online, or OneDrive for Business. The environment previously known as Office 365, and now renamed Microsoft 365, is enjoying increasing popularity. The same is true for Microsoft Teams – and not just since the pandemic. In this article, I offer simple but effective tips for the administration of both worlds.
Although Microsoft recently changed the name of Office 365 to Microsoft 365, in many cases it's still referred to as Office 365, and the names are interchangeable. Nothing has changed in terms of administration. I start with user management, which does not always have to take place at a central IT location, because in Office 365 you can delegate administrative authorizations to users or lower level administrators.
Services are managed in the Microsoft 365 Admin Center, which you can reach quickest by going to https://admin.microsoft.com. You can see the user roles there in the Manage roles menu item in user management by clicking on the user to access the menu item. The most important roles appear first in the window. You can view all the roles that are available by clicking on the item Show all by category.
Now you will see the roles and a description. If you click on a role, you will see its members in Assigned admins. Use the Export admin list link to create a CSV file listing all roles and their members. You will only see roles with members; the report will not show empty roles. If you click on several roles, you can compare their rights in context with the menu item Compare roles.
PowerShell Management
PowerShell also lets you manage authorizations and other settings for Office 365; you need the Azure AD module that provides the Msol cmdlets, which is published as MSOnline:
Install-Module MSOnline
To log in, you need the Connect-MsolService cmdlet. For example, if you want to add user Thomas Joos to the Teams Service Administrator group, use the command:
Add-MsolRoleMember -RoleMemberEmailAddress "thomas@joos-test.de" -RoleName "Teams Service Administrator"
You can display all roles with Get-MsolRole.
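The overview that the Admin Center export provides can also be produced from PowerShell and checked for principals that hold several admin roles. This is an added example, not part of the original article; it assumes a session already opened with Connect-MsolService, and the output file name admin-roles.csv is a placeholder.

```powershell
# Added example: list every admin role that has members, with its members.
# Assumes Connect-MsolService has already been run in this session.
$report = foreach ($role in Get-MsolRole) {
    # Roles without members return nothing and drop out of the report,
    # just as they do in the Admin Center's exported admin list.
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role        = $role.Name
            MemberType  = $member.RoleMemberType
            DisplayName = $member.DisplayName
            Email       = $member.EmailAddress
            ObjectId    = $member.ObjectId
        }
    }
}

# Principals that hold more than one role are the first candidates
# for a least-privilege review of delegated rights.
$report |
    Group-Object ObjectId |
    Where-Object Count -gt 1 |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.Group[0].DisplayName
            Roles       = ($_.Group.Role | Sort-Object) -join '; '
        }
    } |
    Format-Table -AutoSize

# admin-roles.csv is a placeholder file name chosen for this example.
$report |
    Sort-Object Role, DisplayName |
    Export-Csv -Path .\admin-roles.csv -NoTypeInformation
```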
Spam and Antivirus Protection
In the Exchange Admin Center for Office 365 (https://outlook.office365.com/ecp) you can configure the spam settings and the virus protection from the Protection menu item. The settings correspond to the options available to you in local installations of Exchange Online. However, quarantine is not managed in the Exchange Admin Center in Exchange Online, but with the Office 365 Security & Compliance (https://protection.office.com/quarantine) item.
Connecting Smartphones and Tablets
To manage the security of mobile devices connected to Office 365 you need Office 365 Security & Compliance (https://protection.office.com/). In the Data Loss Prevention section, you will find the Manage devices link, which you can use to create policies.
Setting up Mobile Device Management (MDM) in Office 365 is a wizard-based process in the Microsoft 365 Admin Center [1]. In several steps, you first configure the cloud environment and create the policies. If users connect their endpoints to Microsoft 365, the policies are transferred automatically, but users first need to register their devices and agree to the policies for private devices. If users refuse to implement the policy on individual devices, they will not be given a connection to Office 365. You first need to enable MDM in the corresponding subscription, because the functions are not enabled by default.
PowerShell Connection
To connect by PowerShell to Exchange Online, first store the credentials in a variable:
$user = Get-Credential
Now open a session in PowerShell by saving the session data in a variable and then starting the session with that variable:
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $user -Authentication Basic -AllowRedirection
If no error message appears, you can import the session with the saved data into PowerShell or PowerShell Core,
Import-PSSession $session
which imports the Exchange Online management cmdlets into the current session and lets you manage Exchange Online in the session. Microsoft customizes the login for Exchange Online with the new Exchange Online PowerShell V2 module. Further information can be found online [2].
Managing with OneDrive Admin Center
The OneDrive Admin Center lets you manage various settings centrally for all users of a subscription for OneDrive for Business. You can reach the OneDrive Admin Center from https://admin.onedrive.com. The Sharing and Sync options are important. You decide whether users are allowed to synchronize and share data from OneDrive, and you can also configure sharing. Microsoft also provides group policy extensions [3], which can be used to control OneDrive for Business by group policies. The download includes ADMX and ADML files.
Once you have copied the group policy files for OneDrive, they will be available in User Configuration | Administrative Templates | OneDrive. In the Group Policy Management Console, settings can also be found in Computer Configuration | Administrative Templates | Windows Components | OneDrive. The setting Prevent the usage of OneDrive for data storage is interesting. The option Prevent OneDrive files from syncing over metered connections lets you stipulate that locally stored data are not synchronized with OneDrive if the computer is on an external network or a slow WLAN.
Message Tracing in Office 365
In the Office 365 Security & Compliance Center at https://protection.office.com under Mail flow, you will find the dashboard and message expiration tracking sections. Under Dashboard you can view general information about the messages of the users in the subscription. From the Message trace item you can create your own queries. If the default reports are not enough, you can also create custom reports. The reports can be exported by Export results and saved as a CSV file. If you create your own report, you can run it in real time or save it for later use.
Creating Connectors in Exchange Online
Connectors are an important basis for sending and receiving email in on-premises deployments of Exchange. In Exchange Online, you can also configure them in the Admin Center from the connectors menu item. For example, you can define settings to stipulate where email is to be sent from the Internet, from partner organizations, or from other sources. The email that local Exchange servers send to Exchange Online can also be configured by connectors.
From the recipients | groups menu you can create your own distribution lists and groups in the Exchange Online Admin Center. Distribution lists receive their own email address. If an email goes to this address, all members of the distribution list will receive the message. This process also works for receiving email from outside the Office 365 subscription. In this case, you need to enable the Senders inside and outside of my organization option in delivery management in the distribution list properties.
Encrypting Email
Microsoft has integrated functions for encrypting email in Office 365, which means that users no longer have to take action themselves or make a special request to clients. The corresponding options for configuring message encryption can be found in the Microsoft 365 Admin Center. In the web interface, the options are available under Admin Center and the selection of Exchange. You can access the page directly from https://outlook.office365.com/ecp.
Under mail flow | rules you can access the email rules for the organization. At this point you can create various transport rules. To create a new rule for message encryption, select the Apply Office 365 Message Encryption and rights protection to messages option when creating a new rule (Figure 1). The Apply this rule if drop-down lets you specify which email messages should be encrypted.

The functions for encryption are available in the Follow these rules item, which is where you determine how Office 365 should handle the messages. Under Do the following, activate the option Change message security | Apply Office 365 message encryption and rights protection to encrypt email.
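The rule described above can also be created from PowerShell. This is an added example, not part of the original article; it assumes an open Exchange Online PowerShell session, and the rule name and the keyword "confidential" are placeholders chosen for illustration. The rule starts in audit mode so that its matches can be checked in message trace before it is enforced.

```powershell
# Added example: encrypt mail that leaves the organization and
# contains a keyword. Rule name and keyword are placeholders.
$ruleName = 'Encrypt confidential mail to external recipients'

# The rule can only reference a protection template that exists in the tenant.
if (-not (Get-RMSTemplate | Where-Object Name -eq 'Encrypt')) {
    throw "Template 'Encrypt' not found; check the message encryption setup first."
}

# -Mode Audit logs matches without applying the action yet.
New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'confidential' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Mode Audit

# Confirm what was created.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, ApplyRightsProtectionTemplate

# Once message trace shows the rule matches only the intended mail:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```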
Connecting Exchange with Office 365
With the Microsoft Hybrid Agent, local Exchange servers can be operated together with Office 365. Microsoft thus offers a tool that lets you connect local Exchange installations to Exchange Online. A script is also available online [4] that you can use to test the connection. After downloading, copy the file into the PowerShell Modules directory. The quickest way to open this directory is to use:
cd $PSHome\Modules
For the script to work, you temporarily need to set the PowerShell script execution policy to Unrestricted, import the PowerShell script into PowerShell as a module, and test the connection:
Set-ExecutionPolicy Unrestricted
Import-Module .\HybridManagement.psm1
Test-HybridConnectivity -testO365Endpoints
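A more contained way to run the test, as an added example that is not part of the original article: inspect the downloaded file first and relax the execution policy only for the current PowerShell process, so that nothing has to be set back afterward. The $allowUnsigned variable is a hypothetical switch introduced for this example.

```powershell
# Added example: check the downloaded module before importing it and
# keep the relaxed execution policy limited to this PowerShell process.
$module        = Join-Path $PSHome 'Modules\HybridManagement.psm1'
$allowUnsigned = $false   # hypothetical switch: set to $true only after reviewing the file

# Record what is about to be loaded: signature state, signer and hash.
$sig  = Get-AuthenticodeSignature -FilePath $module
$hash = Get-FileHash -Path $module -Algorithm SHA256
[pscustomobject]@{
    File      = $module
    Signature = $sig.Status
    Signer    = $sig.SignerCertificate.Subject
    SHA256    = $hash.Hash
} | Format-List

if ($sig.Status -ne 'Valid' -and -not $allowUnsigned) {
    Write-Warning 'No valid Authenticode signature. Review the script before importing it.'
    return
}

# Process scope ends with this window; the machine-wide and
# per-user policies stay as they were.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

Import-Module $module
Test-HybridConnectivity -testO365Endpoints
```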
By the way, Microsoft offers the free Office 365 IdFix tool that you can use to fix problems and incorrect data during Office 365 synchronization with local directories (e.g., Active Directory). The tool detects duplicates and incorrect formatting. You can download the IdFix DirSync Error Remediation Tool on GitHub [5].
Managing Rights in Teams
Microsoft Teams offers a number of roles:
- Skype for Business administrator: Full user access to all Skype for Business features in Office 365 and admin features in Microsoft Teams.
- Teams service administrator: Admin rights for Microsoft Teams.
- Teams communications administrator: Management of voice and telephony features in Teams and Skype.
- Teams communications support engineer: Access to tools that address communication issues.
- Teams communications support specialist: Management of call records of all participants.
Microsoft Teams management takes place in the Microsoft Teams Admin Center (https://admin.teams.microsoft.com). Users access Teams from the https://teams.microsoft.com address.
Security in Microsoft Teams
In Messaging policies, you can manage many important settings, including security settings, that apply to the channels and chats in each team. Global settings include allowing giphys, memes, and stickers, as well as activating message priority control.
External applications can also be integrated into Teams to improve productivity. In Teams apps, you can see the applications that users and administrators can integrate into Teams through the Manage apps item.
Under Org-wide settings, you can define whether third-party apps should be allowed or whether you are only allowing access to Microsoft apps for Teams in your organization. In Teams Admin Center, you again configure settings that apply to all teams in the Office 365 subscription. Important parameters can be found primarily under Org-wide settings | Teams settings. The defaults then apply to all teams in the Office 365 subscription.
Regulated Communications
In terms of communication, you determine in Teams settings under the Email Integration section whether the channels in teams should also receive messages by email. Each team usually uses the General channel, which is also available for all groups across teams. The channels are displayed below the team in the client. Various tasks are available there via the context menu.
The channel can be managed and notifications controlled there, including, among other things, email addresses that can be assigned to a channel. When an email is sent to the channel's address, the message appears in the channel and is available to users who have access to that channel.
Under the Files section, you can also set up whether certain cloud storage – with the exception of OneDrive for Business – should be available in teams (e.g., under the Files tab). As far as collaboration with external parties is concerned, you can allow users to invite guests to meetings from Org-wide settings | Guest access.
In most cases, people from outside the organization are not allowed to access meetings in Teams, even if they have been invited. By enabling the option Allow guest access in Teams, planners of a meeting or users in the company are allowed to invite guests. Microsoft also provides a checklist in this section [6] on whether and when it makes sense to allow guest access.
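The org-wide settings covered in the two Teams sections above can be read in one pass from PowerShell, which is useful for a periodic review. This is an added example, not part of the original article; it assumes the MicrosoftTeams module is installed and that you sign in with a Teams administrator account.

```powershell
# Added example: report the org-wide Teams settings discussed above.
# Assumes the MicrosoftTeams module and a Teams administrator sign-in.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$client    = Get-CsTeamsClientConfiguration -Identity Global
$messaging = Get-CsTeamsMessagingPolicy -Identity Global

$settings = [ordered]@{
    'Guest access in Teams'       = $client.AllowGuestUser
    'Email into channels'         = $client.AllowEmailIntoChannel
    'Cloud storage: Dropbox'      = $client.AllowDropBox
    'Cloud storage: Box'          = $client.AllowBox
    'Cloud storage: Google Drive' = $client.AllowGoogleDrive
    'Cloud storage: ShareFile'    = $client.AllowShareFile
    'Cloud storage: Egnyte'       = $client.AllowEgnyte
    'Giphys in conversations'     = $messaging.AllowGiphy
    'Memes in conversations'      = $messaging.AllowMemes
    'Stickers in conversations'   = $messaging.AllowStickers
    'Priority messages'           = $messaging.AllowPriorityMessages
}

$settings.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Setting = $_.Key; Enabled = $_.Value } } |
    Format-Table -AutoSize

# With email integration on and no sender restriction, any external
# address that learns a channel's address can post into that channel.
if ($client.AllowEmailIntoChannel -and -not $client.RestrictedSenderList) {
    Write-Warning 'Channel email is enabled without a restricted sender list.'
}
```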
Conclusions
Office 365 is becoming increasingly popular in the corporate environment. With a few simple steps, useful settings can be made in Office 365 and Microsoft Teams, whether you want to secure the environments or set up the appropriate communication channels for users. In this article, I revealed, without claiming to be exhaustive, a number of such contact points.