With Office 365 moving toward 200 million corporate users globally, enterprise organizations need help in managing, securing, and optimizing their Office 365 tenants. Disparate admin centers, workflow process automation, simplistic RBAC, license bloat, and poor adoption are causing some to be frustrated by Office 365. In this book, Microsoft Office 365 MVP J. Peter Bruzzese discusses the challenges of managing Office 365 and looks at how SaaS Management Platform (SMP) solutions have arisen to simplify, improve, and optimize Office 365 management.
Sponsored by CoreView
CoreView is the global leading SaaS Management Platform (SMP) for Office 365. We provide enterprise organizations and Microsoft partners with the ability to monitor, manage, report, and audit valuable information on all aspects of their Office 365 environment, via a “single-pane of glass” control platform. This comprehensive data and the advanced functionality built into CoreView allow organizations to improve security, streamline administration, achieve compliance, optimize licensing, and deliver operational improvements.
For more information on CoreView, visit www.CoreView.com
Conversational Office 365 Management
By J. Peter Bruzzese
© 2019 Conversational Geek
Published by Conversational Geek® Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
Conversational Geek, the Conversational Geek logo and J. the Geek are trademarks of Conversational Geek®. All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. We cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or programs accompanying it.
For general information on our other products and services, or how to create a custom Conversational Geek book for your business or organization, please visit our website at ConversationalGeek.com
All of the folks responsible for the creation of this guide:
Author: J. Peter Bruzzese
Project Editor: Nick Cavalancia
Copy Editor: John Rugh
Content Reviewer: Doug Barney
Note from the Author
Believe it or not, I was once “Mr. Anti-Cloud”. It’s true. Perhaps many of you reading this book were of a similar sentiment – Stay out of the cloud. Security breaches and outages were all you heard about during the early days of cloud adoption, whether they involved SaaS, IaaS or PaaS.
But with time and greater stability, I was slowly won over. Seeing the value of solution suites like Office 365 and what they had to offer in the form of 21st century communication and collaboration tools caused me to rethink my “on-prem only” mindset and embrace the cloud and Office 365 especially.
Nevertheless, just as on-premises solutions from Microsoft always left the door open for an ecosystem to spring up around them and enhance what they did out of the box, Office 365 opens the door for new cloud-based solutions to take what is built-in and make it better, giving us more options.
One area where I can see this being valuable is in our management of Office 365. There are solutions in the marketplace that help improve onboarding and offboarding, provide greater insight into the services being used, provide license management, automate things that you would typically have to do manually (or through a script that you have to take the time to figure out and build) and more. In this book we’ll explore the value of SaaS Management and Office 365.
J. Peter Bruzzese
The “Conversational” Method
We have two objectives when we create a “Conversational” book: First, to make sure it’s written in a conversational tone, so it’s fun and easy to read. Second, to make sure you, the reader, can immediately take what you read and include it in your own conversations (personal or business-focused) with confidence.
These books are meant to increase your understanding of the subject. Terminology, conceptual ideas, trends in the market, and even fringe subject matter are brought together to ensure you can engage your customer, team, co-worker, friend and even the know-it-all Best Buy geek on a level playing field.
“Geek in the Mirror” Boxes
We infuse humor into our books through both cartoons and light banter from the author. When you see one of these boxes, it’s the author stepping outside the dialog to speak directly to you. It might be an anecdote, it might be a personal experience or gut reaction and analysis, it might just be a sarcastic quip, but these “geek in the mirror” boxes are not to be skipped.
Native Office 365 Management
In Microsoft’s Q3 2019 quarterly earnings call, CEO Satya Nadella said Office 365 commercial now has “180 million users”. Office 365 has gained the trust of enterprises, resulting in a strong presence in the enterprise market with lots of end users to manage.
And with such large volumes of users utilizing Microsoft’s premier communications and collaborations platform, there comes the need for IT to manage this environment to meet the specific needs of each customer organization. As Microsoft did with their legacy on-premises solutions, they’ve also done with Office 365; they’ve provided us with a variety of tools used to address daily and one-off administrative needs.
But, similarly, it’s understood that Microsoft has so many customers with such varying needs, that it’s impossible for their management capabilities to be comprehensive in nature. As you’ll see, Microsoft has definitely put thought into what kinds of management are possible natively, but some more advanced functionality either requires customization, scripting, or 3rd party help.
Let’s begin by taking a look at what comes right “out of the cloud”.
Native Office 365 Administration Tools
Microsoft provides a basic set of admin tools through administrative consoles that, where applicable, port back to their on-premises counterparts.
For example, when working with specific features of Office 365, like Exchange Online, an admin will have the ability to work with a web-based portal solution similar to what they use on-premises.
In addition, you can establish a remote PowerShell connection to Office 365 and perform most (but not all) tasks through the command-line as you would through the GUI.
Some organizations might look at what Office 365 offers and say it’s “good enough” for their needs. Others might want greater transparency and visibility into reporting, license administration, role-based access control (RBAC) features, and more.
It’s not a slight against Microsoft (or any other SaaS vendor for that matter) to say the native, built-in administrative consoles and features might not fully satisfy the management requirements of an organization – especially a large shop. But you can’t let that deter you from pursuing the valuable communication and collaboration services platform provided through Office 365. Microsoft has always left gaps for third parties to fill in – and Office 365 is no exception.
The Office 365 Management Battlefield
There are aspects to Office 365 management that are both time consuming and prone to error. Let’s consider a few:
- Provisioning users is a clear example. First, you need to determine if you have enough licenses (and the right ones for the users), which isn’t entirely an intuitive task. The Office 365 Admin Center console will have you searching for the Licenses page (under Billing – Licenses). From there, you have to go back to the Active Users page (under Users) and begin the process of manually provisioning each user. Scripting the onboard process for bulk user provisioning can be done through a remote PowerShell connection with a lot of research and trial and error.
- Deprovisioning is an even bigger issue, especially due to the security threat posed should a terminated user not be deprovisioned properly. Admins typically have a list of deprovisioning steps in mind provided by Microsoft that includes saving the contents of a former employee’s mailbox (either through an export to .PST or by converting the mailbox to “inactive”), forwarding their email, wiping and blocking their mobile device, blocking access to their mailbox and data, moving their OneDrive content, removing the license, and deleting the account. And to accomplish all of this, you’re moving from one Admin Center to another (e.g., from the M365 Admin Center to Exchange to SharePoint).
- The onboard/offboard process taps into the license management side of Office 365, which is yet another cause for angst. When first getting started with Office 365, many IT admins will scan its different license plans, see the features connected with each plan (E1 / E3 / E5), and make quick decisions on the number of licenses they need based on the end-user count and perceived use of services. Done! But is it really? Every plan has a base of services that, in a buffet license arrangement, may feel right for a swath of your end users. You may think “I’ll level up or down” depending on your needs. But the challenge is first finding out what you really need before you can right size. Unfortunately, Office 365 isn’t incredibly transparent in this regard.
- Security insight and management is another key aspect to Office 365. Microsoft now provides its Secure Score report (through the Security and Compliance Admin Center) which will tell you, from a very high-level point of view, where you need to bolster security (hint: a large part of your score is based on multi-factor authentication (MFA) for all users). From the Secure Score dashboard, you can quickly select remediation options, and you’re taken to the Azure dashboard (yet another interface) for policy enablement.
- PowerShell is used to manage policies and feature options and to provide visibility into Office 365 (bit.ly/2RPe7J0). Granted, in some cases, this is simply the more efficient way to do something (just like with on-prem environments). Legacy admins don’t mind getting their hands dirty to perform a little scripting. There are other situations that actually require PowerShell, because it’s the only way to accomplish the task. For example, PowerShell is sometimes the only way to obtain information that isn’t available anywhere in the M365 Admin Center. One example is the Deleted Item Retention Time. By default, it’s 14 days, but you can adjust it up to 30 days through a remote PowerShell connection and the Set-Mailbox -RetainDeletedItemsFor command. PowerShell is also necessary for reporting on anything that spans the suite of products by collating and combining that information.
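The deprovisioning checklist above spans several admin centers, so a missed step is easy to overlook. The following read-only audit is an added example, not code from the book or from any vendor: it checks a list of departed users for the steps that can be verified from the directory and Exchange Online. The function name `Test-OffboardingState` and the sample UPNs are assumptions, and it expects sessions already opened with `Connect-MgGraph` (scope `User.Read.All`) and `Connect-ExchangeOnline`.

```powershell
#Requires -Modules Microsoft.Graph.Users, ExchangeOnlineManagement
# Added example. Read-only: nothing in the tenant is modified.

function Test-OffboardingState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $UserPrincipalName
    )
    process {
        foreach ($upn in $UserPrincipalName) {
            $findings = [System.Collections.Generic.List[string]]::new()
            $quoted   = $upn.Replace("'", "''")   # escape quotes for the filter strings

            # Directory: -Filter returns nothing (no error) when the account is deleted.
            $user = Get-MgUser -Filter "userPrincipalName eq '$quoted'" `
                        -Property 'id,accountEnabled,assignedLicenses' -ErrorAction Stop
            if ($user) {
                if ($user.AccountEnabled) { $findings.Add('Sign-in is not blocked') }
                $licenses = @($user.AssignedLicenses).Count
                if ($licenses -gt 0) { $findings.Add("$licenses license(s) still assigned") }
            }

            # Exchange Online: forwarding, client protocols, mobile device partnerships.
            $mbx = Get-Mailbox -Filter "UserPrincipalName -eq '$quoted'" -ErrorAction Stop
            if ($mbx) {
                if (-not $mbx.ForwardingAddress -and -not $mbx.ForwardingSmtpAddress) {
                    $findings.Add('No mail forwarding configured')
                }

                $cas  = Get-CASMailbox -Identity $mbx.UserPrincipalName -ErrorAction Stop
                $open = 'ActiveSyncEnabled', 'OWAEnabled', 'PopEnabled', 'ImapEnabled', 'MAPIEnabled' |
                            Where-Object { $cas.$_ }
                if ($open) { $findings.Add("Mailbox protocols still enabled: $($open -join ', ')") }

                $devices = @(Get-MobileDevice -Mailbox $mbx.UserPrincipalName -ErrorAction Stop |
                                 Where-Object DeviceAccessState -ne 'Blocked')
                if ($devices.Count -gt 0) {
                    $findings.Add("$($devices.Count) mobile device(s) not blocked")
                }
            }

            [pscustomobject]@{
                User          = $upn
                AccountExists = [bool]$user
                MailboxExists = [bool]$mbx
                Findings      = $findings
            }
        }
    }
}

# Constructed sample UPNs; replace with the leaver list from HR.
'alex.leaver@contoso.example', 'sam.former@contoso.example' |
    Test-OffboardingState |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-Table User, AccountExists, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -Wrap
```

Mailbox preservation and the OneDrive hand-over are not checked here, because how they are done (PST export, inactive mailbox, manual move) varies by organization.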
We could go on, but the point is clear that organizations of all sizes will appreciate the services that Microsoft provides through Office 365, but not necessarily the management tools provided along with those services.
This is one of the reasons Gartner has defined a new market of solutions – the SaaS Management Platform (SMP) – which are designed to help with the day-to-day operations of managing SaaS applications. According to Gartner:
While SaaS applications have their own native management consoles, the depth of their capabilities often doesn’t completely meet enterprise requirements. SMPs provide additional capabilities to fill these gaps.
SaaS Management Platforms and Office 365
A relatively newly coined phrase, SaaS Management Platforms (SMP) step in and fill the gaps that native SaaS platforms (like Office 365) have left open with regard to the depth of their capabilities. As we’ve discussed with Office 365, Microsoft uses a cornucopia of different SaaS applications and management consoles that are Frankenstein’d together. SMP solutions see Office 365 as an opportunity to benefit from the services through a consolidation of their management aspects.
According to Gartner there are six major functional SMP categories: administration, IT role-based access control, policy management, license management, workflow automation and reporting. The major players in this space will hit some or all of these categories (and perhaps a few additional ones where they feel the native SaaS platform needs a boost, like security and compliance needs). The market direction, according to Gartner, is for SMPs to focus on “tactical IT administrative challenges in the native SaaS administrative consoles”.
Here are some places I see an SMP being of value to organizations large and small that are feeling the pain of managing Office 365.
Single Pane of Glass
In the native Microsoft 365 Admin Center, there are a variety of different dashboards and management tools to access reporting, service information, and so on, adding to the complexity in trying to administer what are essentially massive server solutions stitched together with their individual consoles. Keep in mind, if Microsoft was starting all of this from scratch, they would have designed that unified console from the beginning, but that’s not how Office 365 was built. It started as on-premises endpoint and server solutions that are now cloud-based, hosted solutions, so the single pane of glass simply doesn’t exist. Here is an area where an SMP solution can provide assistance: offering up a single dashboard with the ability to perform administration and reporting, and to handle permissions and such, that can make it easier to manage Office 365 as well as provide the visibility into the use of the solution.
Workflow Process Automation
You can use the various Admin Center UIs to accomplish the basic administrative tasks. And you can resort to PowerShell (command-line) to accomplish deeper bulk administrative functions. However, the amount of time wasted and the degree of error or missed steps make the native consoles less than ideal.
Automation is one of those areas third-party solutions tend to focus on. Why should every admin in every organization have to research, build, test, and deploy PowerShell scripts for the basic process automation of their environment? Having access to one-click, GUI-based options makes much more sense and helps eliminate the user error that comes from poor execution of home-grown scripting solutions.
Another area of concern is policy management and proper service configurations. While it’s easy to get Office 365 up and running with the basic settings, the deeper configuration and management sides to it require a great deal of effort for admins to research, test, and deploy (rinse/repeat). Having an easier means of deploying services with best practices in mind through default policy controls would prevent misconfigured accounts.
Role-Based Access Control (RBAC)
The concept of least privilege is an important security principle that requires that RBAC be implemented properly. Office 365 does offer about 20 different admin roles, but they paint with a very wide brush (bit.ly/301KYNE).
If you scan the different admin roles, there is a global administrator (which can do pretty much anything… including handle services like Exchange, SharePoint, and so on). There is also a billing administrator and a license administrator. There is a helpdesk admin for password resets, support ticket management, and service health. There are also service admins (like for Exchange and SharePoint). The problem, however, is that even though the roles might narrow control, these are global credentials. Perhaps in small shops that kind of approach works, but in global environments where you have different teams and tiers, a granular approach that allows the management of specific groups, departments, geos, etc. is needed.
There are plenty of times organizations eliminate a position or fire an employee and do not reduce the number of Office 365 licenses. This mismanagement of licenses can become very costly if not addressed.
Additionally, there are situations where licenses are underutilized. For example, what if you have an E3 plan for all your users but find, through reporting, that several hundred do not have Office ProPlus installed on-premises because they’re still using a legacy version of Office on their system?
Situations such as this create oversized license issues that should be addressed. An E1 license (which would be the correctly-sized license) would save the company money and might better suit your needs. Alternatively, you might want to review software deployment to get everyone onto Office ProPlus, or turn on the archive features to ensure you’re getting every last bit of that license.
There are two ways to address this issue of oversized licenses: you can either attempt to drive adoption through training (more on this in a moment) or downsize to the proper license. Using the native tools, it’s very difficult to pinpoint your users’ exact consumption levels. This means you’re most likely wasting license fees within your tenant. Having optics on the adoption and consumption of your licensing and usage can ensure your money is better spent by right-sizing software spend. SMPs providing granular visibility into license usage can assist in the identification portion of these kinds of scenarios, as well as the downsizing of licensing.
You may be shocked to find out that, within many organizations, less than 50% of the services are adopted. And when analyzed, it’s often found that a large percentage of paid-for licenses are unassigned or inactive.
Now, should you want to drive the adoption of more of Office 365, there are some basic links off the Microsoft 365 Admin Center home page that can help you improve adoption (aka consumption) through training. There is a “Train yourself” section for admins and a “Train your people” section for end users. Included are a variety of different cheat sheets, infographics, and training videos.
On the home page, you can also find options to push out training on a variety of subjects (such as Teams) to end users. However, the training resources are somewhat light compared to the task at hand – that of taking 20th century end users and bringing them up to 21st century SaaS communication and collaboration levels. You can’t just assume the end users will “figure it out”. They won’t.
Here again is where having improved reporting on unused or underused apps can provide insight into the level of adoption within your organization that will allow you to then pursue a targeted approach toward training. You’d likely want to run campaigns that will drive adoption through training. Depending on your organization, that might be one-on-one training, video training, learning management system (LMS), self-serve training, and so on.
Because Office 365 management leaves some IT organizations wanting, SMP solutions exist to address those gaps. CoreView provides organizations with an SMP solution focused on tackling some of the shortcomings in Office 365 native management.
CoreView is a leading SaaS Management Platform solution provider with over 2 million active users in nearly 60 different countries. Their primary offering is called CoreSuite. Let’s dive in!
CoreSuite has 3 main pillars:
- CoreAdmin – Delegate and Oversee License Management.
- CoreSecurity – Prevent and Respond to Data Breaches.
- CoreAdoption – Monitor and Maximize License Usage.
Let’s look at each.
CoreAdmin takes the gaps discussed in the previous section revolving around issues with license over/under commit, RBAC, and such, and offers mitigation through license management, virtual tenants, and other features.
CoreAdmin allows you to break up your Office 365 tenant into smaller sub-tenants or virtual tenants (v-tenants). The granular, easy-to-use aspects of role-based access control options under CoreAdmin are valuable; they help fill the gaps of Office 365 administration by giving admins specific permissions to perform only those tasks they’re assigned and only over those users they’re assigned. So, with CoreAdmin you’re able to have local admins, or assign admins to departments, and limit who the admin manages, and what management functions they can perform. Wait… that sounds like… you’ve got it… real RBAC. This is in stark contrast to the global permission allowances given to IT admins because it’s a bit of a nightmare to try and box them in using the built-in roles provided.
Office 365 has an endless number of license and service configurations thanks to set plans and a la carte combinations. It can become convoluted and expensive, especially with larger, distributed organizations and/or government entities. With CoreAdmin, you can spot unused, unassigned or underused licenses, and enjoy an average savings of 30% on license costs.
Additionally, CoreAdmin can set up license pools for better management, tracking, chargebacks, etc. The license pools allow you to delegate to different business units through virtual tenants. This proactive license management helps you to better control the assignment of licenses (and who is paying for those licenses). In addition, it provides license usage reporting on the use of those accounts broken down by group.
Workflow automation, another important aspect of CoreAdmin, helps optimize execution of common tasks while removing human error with repetitive tasks like user provisioning and de-provisioning. Combine that with auditing, so you know who is doing what, when, where and why.
With nearly 200 million users, Microsoft has a tremendous amount of threat intel that can be of benefit to them, and to your organization. CoreSecurity provides forensic analysis and auditing with long-term, full-year storage of activity logs (Microsoft only stores logs for 90 days). Data can be mined and surfaced back in compliance reports that can be analyzed by department, business unit, country and so on. This will help you see where breaches are occurring. You’re able to create custom, real-time alerts to allow for faster response times for your IT staff (which is great for inappropriate file access or sharing and false log-in attempts).
File auditing and data analysis can really help an organization to see user behavior throughout their Office 365 environment. CoreSecurity has 200+ customizable reports to assist you with monitoring usage and end-user activity to ensure you’re fully compliant with company/governmental policies.
Often you actually WANT folks to use Office 365. A good reason why they may not be is that they simply don’t know how. Educating those users is a key to adoption of underused apps such as Microsoft Teams, and there are a variety of different ways to do that. CoreAdoption allows you to set up campaigns that help to drive adoption through training. They use just-in-time learning with context-sensitive, on-the-fly videos, targeted adoption campaigns, and the ability to actually track success. CoreView has a library of task-based (i.e., short) videos that can be delivered to end users with the goal of helping them to feel more comfortable with the communication and collaboration tools (like Teams) that you have put in their hands.
CoreView Office 365 Health Check
In addition to CoreView’s suite, they also offer a health check service that provides a full report back on license utilization, vulnerabilities, security and compliance risks, and usage activities. The results are organized into four categories: license management, security and compliance, change management and adoption, and an action plan.
For example, the assessment might report that you are not using MFA within your environment (or perhaps it hasn’t been enabled for all users to take advantage of). Through CoreSecurity, you can easily set and enforce MFA policies. The same is true of password policies; through CoreSecurity, you can also monitor and enforce appropriate password policies for your organization.
CoreView’s CoreSuite is an enterprise-grade Office 365 SaaS Management Platform (SMP) with a heavy focus on improved administration, RBAC, policy management, license insights, workflow automation, reporting and adoption. Through its centralized approach to managing Office 365, it provides organizations with an ability to simplify the work of increasing the overall adoption of Office 365, improving end-user productivity, centralizing IT’s control, and enhancing the organization’s security and compliance stance – all while lowering the overall cost of owning Office 365.