
Six Terrible Office 365 Migration Mistakes

No Governance, Auditing, Security, License Management, Productivity Plan or Proper Administration

Many organizations, perhaps most, that move from on-premises versions of Office to the cloud and Office 365 focus only on the migration of users, data, applications and services. Once the move is underway, problems arise – administration is tougher than they hoped, Office 365 specific attacks threaten data, and the granting of licenses is a willy-nilly money-wasting affair.

Some shops spot these issues midway through an Office 365 rollout. Others cry for help after the migration is complete, and problems hobble an otherwise efficient IT staff. And too many figure out cumbersome ways to deal with an imperfect situation, chalking it up to Office 365 business as usual.

All the while, it is the migration to O365, not its actual operation, which concerns IT. Gartner in its ‘Market Guide for Cloud Office Migration Tools’, put out in February 2019, pinpointed how Office 365 migration tools are limited to, well, just migration. “Migration of emails, files and application data is a common scenario for cloud office migration, but few vendors move all three workloads using a single tool and even fewer address post migration requirements of governance,” Gartner argued. “Include as part of your cloud office migration strategy the ability to address both short-range (on-premises to cloud office) and longer-range (ongoing platform governance, tenant splits, consolidation or cross platform shifts) migration demands.”

Ignoring these operational issues means living with an insecure, unwieldy and breach-prone SaaS environment. It doesn’t have to be this way. No matter where you are on the migratory journey, pause a bit and contemplate these six Office 365 migration mistakes. Taking care of these critical issues before, during or after migration (preferably before) creates a satisfying and optimal Office 365 experience.

Migrating Without Governance

While a broad topic, in short IT governance is all about aligning IT and IT solutions with business needs and strategy so that IT helps the organization meet key goals and objectives.

In Gartner’s view, “IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG—what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation; and extract (measurable) business benefits,” the research house explains. “IT supply-side governance (ITSG—how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion.”

In the case of Office 365 governance, the SaaS platform must be secure so it doesn’t threaten business viability, cost effective so it doesn’t harm the bottom line, a maximizer of productivity so it strengthens the bottom line, and reasonably easy to manage so IT can optimize use and quickly solve productivity sapping problems.

Office 365 must also be managed in what Gartner calls “an effective, efficient and compliant fashion”, which means IT administrators must be highly skilled and working with a large enough staff to master all O365 complexities, or get a technology solution that does this for them.

Many of the following five topics address issues that undermine IT governance, with suggestions as to how to create a secure and well managed Office 365 that instead supports IT governance.

Not Having a Plan for Auditing and Forensics

On-premises applications and infrastructure put auditing and log retention and analysis firmly in the hands of IT. They can hold onto them as long as they want, and analyze them to their heart’s delight.

Office 365 has limited log retention, and native tools can make it difficult to analyze whatever logs are there to address security concerns or hunt down breaches through forensic audits. In fact, standard log retention for Office 365 is only 90 or 180 days.

There are lots of reasons to audit logs, but one of the most compelling is performing forensics to track how problems occurred and spread. Breaches, for instance, are a huge concern, and a major compliance problem. The Ponemon Institute says it takes an average of 191 days to discover that a breach has occurred.

Wouldn’t it be better to spot breaches before they happen and, through forensic audits, find the source of a breach that slipped through the cracks? With long-term log retention, you can conduct deep forensics against events that happened a year or more ago.

Ignoring Office 365 Specific Security

Every IT shop worth its salt has at least a few layers of security – anti-virus/anti-malware, firewalls, maybe some intrusion detection and prevention systems. But Office 365 adds an array of SaaS-specific openings hackers are more than happy to climb through. 

Key Office 365 security best practices include strong password policies, multi-factor authentication, tight mailbox security, and file storage security. Proactively establishing best practices in these areas dramatically reduces security risks. Basic layered and defense-in-depth security tools simply do not dig into Office 365 specific vulnerabilities and security problem areas.

For instance, did you know that using the native Microsoft O365 Admin Centers, all administrators, even those restricted to a single application or area, have global credentials – meaning they can touch each and every end user’s environment?

Ensuring administrative privileges are limited to those that absolutely need them is critical to a safe Office 365 environment. An internal threat, such as a disgruntled employee, with access to global admin privileges, is a major risk that can be prevented simply by limiting the number of users with admin privileges — and restricting the scope of those permissions. 

Locking down end-user accounts through secure passwords and rigorous authentication is also essential. Multi-factor authentication (MFA) requires at least two forms of personal user identification and is recognized by the National Institute of Standards and Technology (NIST) guidelines for password security. The United States Department of Homeland Security now recommends that all Office 365 users implement MFA. Making MFA adoption easy, Microsoft offers tools such as Microsoft Authenticator for users to install on their smartphones, as well as Smartcards, to work in combination with passworded logins. Multi-factor authentication is a surefire way to prevent unauthorized logins, and there is little excuse not to use it. 

Meanwhile, monitoring employee activities such as their mailbox practices can identify risky behavior and proactively secure business-critical data. Preventing risky activities such as auto-forwarding to external email addresses and limiting access rights to other users’ mailboxes can prevent the spread of malware and the leakage of data through emails. In addition, being aware of unusual email activity prevents targeted spam or social engineering tactics common among today’s cybersecurity threats.
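The two mailbox checks named above, external auto-forwarding and access rights to other users' mailboxes, can be run as a short audit. This is an added example, not code from the original article or from any vendor; the function names and the `contoso.example` sample rows are constructed, while the property names are the ones returned by the Exchange Online cmdlets `Get-Mailbox` and `Get-MailboxPermission`.

```powershell
# Added example. The sample rows are constructed so the script runs without a
# tenant connection; property names match Get-Mailbox / Get-MailboxPermission.

function Get-ExternalForwarding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Mailbox,
        [Parameter(Mandatory)] [string[]] $AcceptedDomain
    )
    process {
        $target = [string]$Mailbox.ForwardingSmtpAddress
        if ([string]::IsNullOrWhiteSpace($target)) { return }

        # Exchange stores the value as "smtp:user@domain"; strip the prefix.
        $address = $target -replace '^smtp:', ''
        $domain  = ($address -split '@')[-1]

        # -contains compares strings case-insensitively; internal targets are skipped.
        if ($AcceptedDomain -contains $domain) { return }

        $keepsCopy = [bool]$Mailbox.DeliverToMailboxAndForward
        [pscustomobject]@{
            Mailbox    = $Mailbox.UserPrincipalName
            ForwardsTo = $address
            KeepsCopy  = $keepsCopy
            # Without a local copy the owner never sees the forwarded mail.
            Severity   = if ($keepsCopy) { 'Medium' } else { 'High' }
        }
    }
}

function Get-DelegatedFullAccess {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Permission)
    process {
        # Skip the owner's own entry and inherited (system) entries.
        if ($Permission.User -eq 'NT AUTHORITY\SELF' -or $Permission.IsInherited) { return }
        if ($Permission.AccessRights -contains 'FullAccess') {
            [pscustomobject]@{ Mailbox = $Permission.Identity; Delegate = $Permission.User }
        }
    }
}

# Constructed sample data (contoso.example is a placeholder tenant domain).
$mailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; ForwardingSmtpAddress = 'smtp:alice@mail.example.net'; DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   ForwardingSmtpAddress = 'smtp:team@contoso.example';   DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; ForwardingSmtpAddress = $null;                         DeliverToMailboxAndForward = $false }
)
$permissions = @(
    [pscustomobject]@{ Identity = 'alice'; User = 'NT AUTHORITY\SELF';    AccessRights = @('FullAccess'); IsInherited = $false }
    [pscustomobject]@{ Identity = 'alice'; User = 'dave@contoso.example'; AccessRights = @('FullAccess'); IsInherited = $false }
)

$mailboxes   | Get-ExternalForwarding -AcceptedDomain 'contoso.example' | Format-Table
$permissions | Get-DelegatedFullAccess | Format-Table
```

In a connected Exchange Online session the same functions accept live data, for example `Get-Mailbox -ResultSize Unlimited | Get-ExternalForwarding -AcceptedDomain (Get-AcceptedDomain).DomainName` and `Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Get-DelegatedFullAccess`.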

As Gartner argues, “Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and mistakes.” That means poorly configured or managed Office 365 users are an attack waiting to happen. 

Correctly understanding your company’s existing configuration and management is the first step towards implementing solutions that immediately improve a tenant’s security.

Forgetting About License Management

Deploying Office 365 across hundreds, thousands and even hundreds of thousands of employees is a massive, expensive, and complex endeavor for an enterprise business. If you are starting this process from scratch, having a detailed plan for identifying end-users and defining their precise needs will save a lot of money and headaches.

While many Office 365-based organizations have a relatively rigorous process for determining license needs, even the most organized and detailed approaches to buying Office 365 licenses have shortcomings – and many organizations just make a best estimate as to what level and volume of licenses are required. 

IT often buys Office 365 licenses in batches, and makes a guess at what they need. They do not or cannot perform discovery on all the on-premises end users, and identify their precise license level needs before purchasing Office 365. Plus, the number of workers or partners that use productivity software changes all the time. Invariably, they buy more licenses than they need, in many cases far more. Experts find most enterprises save 30% or more by optimizing their licenses – getting rid of unassigned licenses, reclaiming inactive licenses and rightsizing where, say, the E3 or E5 license paid for is more than end users need.

Microsoft does offer low-level license management through the Office 365 Admin Center. However, license optimization, as well as business-unit-based licensing allotment and license provisioning automation, are not features of Office 365 Admin Center.

Uncovering real-world Office 365 usage and licensing metrics across your entire organization is the first step towards identifying potential overspend. If 10% of 10,000+ purchased Office 365 licenses are E5’s when only E1’s were needed, we’re looking at a ~$300,000 yearly expense that can be outright eliminated. 

A detailed analysis of licensing needs should be part of the initial migration and negotiation with Microsoft. Unfortunately, with Office 365 this more often happens when preparing for renewals, so that the organization knows what it has and doesn’t renew licenses it doesn’t use. “To minimize TCO and maximize usage rights, companies need to take preparatory steps in the months leading up to every purchase or renewal,” explains NPI in its bulletin How to Knock Your Office 365 Purchase or Renewal Out of the Park.

“The Microsoft Office 365 sourcing event – whether an initial subscription or part of an Enterprise Agreement renewal – is still unfamiliar territory for many Microsoft enterprise customers. Changes to Microsoft’s O365 subscription options are frequent, and customers should expect to be pressured to upgrade to Microsoft’s “latest and greatest” option during the renewal event,” NPI cautions. “One example is the current push to move O365 E3 customers to Microsoft 365 (M365) E3/E5, which Microsoft bills as a more complete, intelligent enterprise solution that includes Office 365, Windows 10, and Enterprise Mobility + Security. NPI advises customers to proceed with caution. These newer offerings may provide more functionality than you require.”

Neglecting Productivity, Thus Failing to Maximize Application Use

Driving application adoption is essential to maximizing Office 365 investment. Office 365 is a collaboration and productivity suite, so driving adoption of its services improves your end users’ cloud dexterity, overall productivity, and collaboration skills. 

Key to a successful adoption plan is clustering users based on different service usage and behavior – which helps drive targeted adoption and training campaigns. For this to work, you must apply the correct metrics to define your clusters, as well as identify incorrect user behavior so you can take corrective action. 

Once you have an adoption strategy, it is time to train your users. Experts have found that standard training (classroom and eLearning) is not optimal since users forget 70% of what they learned within 24 hours.

Instead, end users today look for on-demand training. It is not unusual for users to search the internet to learn needed skills. Sadly, using non-standard training creates inconsistency across your workforce. 

Using or adopting all key productivity applications is critical to Digital Transformation, and therefore end user training is vital to the success of any transformation initiative. On the flip side, a lack of end user training is the number one barrier to adoption, and a key reason why so many digital transformation projects fail. 

Experts find that 70% of what an end user learns through conventional approaches is forgotten in 24 hours. A better approach is Just in Time Learning (JITL) that teaches end users while they work. The secret sauce with JITL is that these videos are context sensitive, and play as the user is walking through the application.

Thinking Managing Office 365 is Easy

Microsoft Office 365 applications are so easy to use, it is tempting to believe that administration is just as simple. But many areas of management are all too complex. Having visibility into all aspects of Office 365 operation is one such area. Operating your Office 365 environment without visibility leads to difficulty, including:

• Fines due to noncompliance or running afoul of other government regulations

• Security risks and breaches due to misconfiguration or improper user behavior

• Excessive financial waste due to over-provisioned or inactive licenses

While Microsoft provides some Office 365 deployment information via its API and PowerShell, it is up to an IT admin to collect, aggregate, and utilize such data to properly manage the Office 365 environment. With the Office 365 built-in tools, this takes tremendous manual effort, and the approaches to such data gathering differ greatly from application to application. At the end, IT still lacks comprehensive and actionable results. 

That complexity is because Microsoft Office 365 is a multi-SaaS environment, meaning it is a collection of different SaaS services. To gain a full picture, IT must collect data from a variety of sources, often using vastly different collection techniques. The Microsoft Office 365 Admin Center is really a set of a dozen or so distinctly different management tools that change based on application. 

A better approach is a single dashboard, pane of glass if you like, that offers IT visibility into the health and operation of the entire Office 365 environment. This way IT has one unified interface that analyzes and controls all Office 365 services. 

The Power of Role-Based Access Control (RBAC)

‘Least privilege’ means restricting access rights for users, accounts, and computing processes to only the resources absolutely required to perform routine, legitimate administrative activities. Least privilege is not new; it was promoted in the US “Department of Defense Trusted Computer System Evaluation Criteria” report in 1985, following recommendations from a task force dedicated to safeguarding classified data.

Least privilege is hard to apply to Office 365 – at least out of the box. There is a limited range of Microsoft Office 365 admin roles, and these lack the flexibility in defining what an admin can (and cannot) do – the precise flexibility leading edge IT organizations absolutely require. Microsoft does offer some pre-made roles to limit admin rights to specific workloads — but not across all workloads. For instance, you can configure an Operator account as an Exchange admin and another account as a SharePoint admin. 

The problem is that both types of operators have access to all company users, as well as access to all configuration capabilities for the assigned workload. 

This rigid permission model simply does not match the security and operational needs of enterprises. 

If you have local support teams across multiple countries, or different support tier teams, you need far more granular permissions to limit their data access. Plus, you should restrict visibility to the appropriate scope, and limit management rights based on their defined responsibility. For instance, the helpdesk should have a more limited set of management actions compared to a second or a third level support team. 

Unfortunately, the Microsoft Admin Center has different, sometimes vastly different, approaches to setting permissions for Office 365.

A better way is to have one, high-level interface that can segment the Office 365 tenant in myriad ways — for example, by department, business unit, or location. After these groups are set up, IT should be able to dive deeper, and define specific permissions for administrators who then can only perform certain tasks — and only against a specific subset of users. 

This way IT can take the entire organization served by Office 365 and break it into logical groups, or sub-tenants, perhaps based on Active Directory (AD) attributes. Once the organization is logically divided, regional admins can be assigned to the sub-tenants. 
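One way to express the sub-tenant delegation described above as a deny-by-default check. This is an added example built on a hypothetical model; it is not a Microsoft or CoreView API, and the sub-tenant names, action names, attribute values and `contoso.example` accounts are all constructed for illustration.

```powershell
# Hypothetical delegation model (added example; not a Microsoft or CoreView API).
# Each sub-tenant is defined by directory attribute values and an action allow-list.
$SubTenants = @{
    'EMEA-Helpdesk' = @{
        Filter  = @{ Country = @('IT', 'FR') }
        Actions = @('ResetPassword', 'UnlockAccount')
    }
    'EMEA-Tier2' = @{
        Filter  = @{ Country = @('IT', 'FR'); Department = @('Sales', 'Finance') }
        Actions = @('ResetPassword', 'UnlockAccount', 'AssignLicense', 'SetMailboxQuota')
    }
}
# Which operator is assigned to which sub-tenant.
$Assignments = @{
    'helpdesk1@contoso.example' = 'EMEA-Helpdesk'
    'tier2@contoso.example'     = 'EMEA-Tier2'
}

function Test-DelegatedAction {
    param(
        [Parameter(Mandatory)] [string]   $Admin,
        [Parameter(Mandatory)] [string]   $Action,
        [Parameter(Mandatory)] [psobject] $TargetUser
    )
    # Deny by default: an unassigned operator has no rights at all.
    $scopeName = $Assignments[$Admin]
    if (-not $scopeName) { return $false }
    $scope = $SubTenants[$scopeName]

    # The action must be on the sub-tenant's allow-list.
    if ($scope.Actions -notcontains $Action) { return $false }

    # Every filter attribute must match; a missing attribute on the target fails.
    foreach ($attr in $scope.Filter.Keys) {
        if ($scope.Filter[$attr] -notcontains $TargetUser.$attr) { return $false }
    }
    return $true
}

# Constructed directory entries.
$userIT = [pscustomobject]@{ UserPrincipalName = 'u1@contoso.example'; Country = 'IT'; Department = 'Sales' }
$userUS = [pscustomobject]@{ UserPrincipalName = 'u2@contoso.example'; Country = 'US'; Department = 'Sales' }

# Helpdesk operator, allowed action, user inside the sub-tenant.
Test-DelegatedAction -Admin 'helpdesk1@contoso.example' -Action 'ResetPassword' -TargetUser $userIT
# Same operator, action reserved for tier 2.
Test-DelegatedAction -Admin 'helpdesk1@contoso.example' -Action 'AssignLicense' -TargetUser $userIT
# Tier 2 operator, allowed action, user outside the sub-tenant's countries.
Test-DelegatedAction -Admin 'tier2@contoso.example' -Action 'AssignLicense' -TargetUser $userUS
```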

Avoiding and Fixing Misconfiguration

Gartner and Forrester both indicate that 80% of SaaS breaches stem from misconfiguration, inappropriate user behaviors, or incorrectly elevated user permissions. 

For enterprises, correctly defining configurations and appropriate user behaviors are best practices. However, misconfiguration is still possible due to operator workarounds or operator error. That is why it is so important to monitor and enforce your configuration best practices including policies and baselines, and thus fully secure your SaaS environment.

The CoreView Solution – Understand Who Your Users Are and What They Are Doing

CoreView, and in particular, the CoreAdmin tool, helps set up administrators that are specific to a location, functional set of users, or other attributes. This means admins know who their users are, and have a manageable set of end users to handle. 

At the same time, CoreView tracks application usage, so you know which applications handle the most work, and when end users are misusing the system. The ‘single pane of glass’ CoreView console offers deep insight into how end users are configured, and where they might be misconfigured. 

With CoreView, you can monitor your configurations and usage policies. If a misconfiguration or a misusage has been detected, you can immediately remediate it as well as enforce those policies using the CoreView RPA automation capability. 

With CoreView, policy management moves from a manual and error-prone process to one that is intuitive, easy and automated. 

Learn More about Managing Office 365 Using CoreView

Learn more about Office 365 administration with a CoreView demo

You can also get a free CoreView Office 365 Health Check that details license savings, state of application usage, and pinpoints security problems in your Office 365 environment. 

Find out how to make your cloud environment more efficient by reading our Opportunities for Office 365 Cost savings white paper.

