Spark the future.

May 4 – 8, 2015Chicago, IL

Office 365 Administration Best PracticesScott SchnollSenior Program ManagerMicrosoft Corporationschnoll@microsoft.com

Key Objectives and TakeawaysUnderstand Microsoft best practices and recommendations for Office 365 administration

Learn emerging best practices for administration of Office 365

Deployment and Migration

More than 150 users?Use the Onboarding Center - http://aka.ms/Office365OC

Migration Best PracticesConsider the differences and choose the appropriate migration option the first timeHybrid deployment and migration

Exchange - http://aka.ms/HybridDeploymentSkype for Business - http://aka.ms/HybridDeploymentLyncSharePoint - http://aka.ms/HybridDeploymentSharepoint

Staged migration – http://aka.ms/StagedMigrationCutover migration – http://aka.ms/CutoverMigration IMAP migration – http://aka.ms/IMAPMigration

Migration Best Practices

Migration Best Practices

Migration Best Practices

Migration Best Practices

Migration Best Practices

Migration Best Practices

Migration Best Practices

Migration Best PracticesAmong top support call generators for mailbox moves are load balancers and certificatesLoad balancers as the endpoint for remote move requests can often introduce failures due to shifting remote moves between servers, and adds complexity to the move processMoves use HTTPS and therefore rely on valid certificates

Consider creating multiple migration endpoints that point directly to individual on-premises CAS

Ensure that you have the appropriate certificates in place that correspond to the migration endpoint names

Migration Best PracticesNetwork capacityIdentify your available network capacity and determine the maximum upload capacityContact your ISP to confirm your allocated bandwidth and get details about restrictions, such as the total amount of data that can be transferred in a specific period of timeUse tools to evaluate your actual network capacityMake sure you test the end-to-end flow of data, from your on-premises data source to the Microsoft datacenter gateway serversIdentify other loads on your network (for example, backup utilities and scheduled maintenance) that can affect your network capacity

Network stabilityNetwork hardware and driver issues often cause network stability problemsWork with your hardware vendors to understand your network devices and apply the vendor’s latest recommended drivers and software updates

Migration Best PracticesNetwork delaysEvaluate network delays to all potential Microsoft datacenters to ensure the result is consistentWork with your ISP to address Internet-related issues

Add IP addresses for Microsoft datacenter servers to your allow list, or bypass all migration-related traffic from your network firewallSee http://aka.ms/O365IPs for 365 IP address ranges and URLs

Migration Best PracticesMonitor system performance during a pilot migration testIf the system is busy, we recommend avoiding an aggressive migration schedule because of potential migration slowness and service availability issuesIf possible, enhance the source system performance by adding hardware resources and reducing the load on the system by moving tasks and users to other servers that aren’t involved in the migration

When migrating from an on-premises Exchange organization where there are multiple mailbox servers, we recommend that you create a migration-user list that is evenly distributed across mailbox serversBased on individual server performance, the list can be further fine-tuned to maximize throughput

Migration Best PracticesReview other system tasks that might be running during migrationWe recommend that you perform data migration when no other resource-intensive tasks are runningFor customers with on-premises Exchange, the most common tasks are backup and store maintenance

Non-Hybrid migrations: verify what throttling policy is deployed for your existing email systemFor example, Google Mail limits how much data can be extracted in a certain time periodDepending on the version, Exchange Server has policies that restrict IMAP access to the on-premises mail server (used by IMAP migrations) and RPC/HTTP access (used by cutover and staged migrations)

Perform 3rd party tool migrations when there is max resource availability (after hours, weekends, holidays)

Network Best PracticesFollow tuning guidance for each workloadhttp://aka.ms/tune for Exchange Online, SharePoint Online, Skype for Business Online, and Office 365

Monitor your network for low bandwidth and high latencyHigh latency can be caused by a number of factors including low bandwidth, a sparse connection, or transmission time

Ensure proxy and firewall devices are sized to handle the additional trafficThe additional traffic going to Office 365 results in an increase of outbound proxy connections as well as an increase in SSL traffic

Network Best PracticesAnalyze user edge traffic patterns for optimal cloud-based performanceAny enterprise planning to migrate its services to a public cloud should make time to analyze and consider the effects of change to its traffic flows, and plan network changes accordingly

Predict core network change requirementsAs you make plans to increase the scale and performance of your user edge, you should take steps to ensure that your network backbone adds sufficient capacity to support those changes

Understand the impact of revised traffic flows on the user edgeNetwork changes that use new technologies can also affect user edge trafficFor example, many services use IPv6 for Internet communications, and when a user edge is upgraded to support IPv6, the abrupt change in traffic patterns can require additional design considerations

Network Best PracticesConsider multiple user edgesReplicating a distributed edge design in multiple locations helps scale out the volume of internet-bound traffic, and provides redundancy if there is an outage

Understand application flow details before migrationWhen planning the migration of a hybrid application, it's important to examine the application architecture to understand which components will remain in the datacenter and which will be moved to the public cloudAlso, understanding how users access the application is important for understanding traffic flows, and using this understanding to validate the application's performance will not decrease post-migration

Include security teams in the application migration planning processSuccessful migration of applications to the public cloud requires both network and security expertiseResearch and analysis done by network teams can be audited by security experts to ensure holistic, secure migration planning and positive results

Browser Best PracticesBrowser Best PracticesDisable browser add-ons that might degrade performance or that users don’t really needIncrease the cache size for temporary Internet filesKeep the browser window open throughout the day

When possible, reduce round trips to Office 365For example, rather than paging through lists or libraries, use search to locate files in a large library, or filtering in a list to get directly to the results you wantOr, create custom views that minimize page load time

Office 365 Import ServiceProvides two new options for migrating from on-premises to Exchange OnlineShipping drives to MicrosoftUploading the files directly over the network

Several reasons to use this serviceHelps address compliance needs by making your data discoverable using search tools, subject to retention policies, and covered by auditing controlsHelps protect against data loss – PSTs moved into Office 365 mailboxes inherit the high availability features of Exchange, vs. data on a user's machine that may not beMakes data available to the IW on all machines using Outlook, via OWA, etc. vs. a PST

MiscellanousUse branding on the Office 365 login screenIn addition to customizing the experience, it also acts as a site key

Enable user self-service password reset to avoid having to reset user passwordsRequires Azure AD premium for sync’d users…cloud users no requirements

Identity

Which Directory Sync Tool Should You Use?Start with simple – Azure AD SyncOther methods include Microsoft Azure Active Directory Module for Windows PowerShell, Microsoft Azure AD GRAPH API, and Office 365 portalDirSync and FIM + Connector are still supported, but not recommended for new deployments

Directory synchronization lets you to sync invalid attribute values to the cloud, but the best practice is to fix errors with IdFix before you synchronize

Tool Usage

DirSync Default tool in Azure and Office 365 portalsStill used for single forest deployments

Azure AD Sync Used when DirSync does not solve the scenario, such as multi-forest deployments

Azure AD Connect Currently in preview (cannot be used in production)

FIM + Connector Should not be used for new deployments

UPN Management in a DirSync World Management Interfaces

User Type On-Premises MSO Shell Portal

Identity Federated UPN Prefix:  Yes

UPN Suffix: partially,Suffix change from managed to Federated work, but from Federated to Federated do not

UPN Prefix: Yes

UPN Suffix: Partially• Federated to Managed: Yes• Managed to Federated: Yes• Federated to Federated: Yes, but

you cannot go from federated to federated directly, you have to go from federated to managed then to federated

UPN Prefix: No

UPN Suffix: partially, you can change the UPN from federated to managed but not back to federated

Licensed - DirSync'd (no ADFS)

UPN Prefix:  No

UPN Suffix: No

UPN Prefix: Yes

UPN Suffix: Yes

UPN Prefix: No

UPN Suffix: Yes

Unlicensed - DirSync'd  (No ADFS)

UPN Prefix:  Yes

UPN Suffix: Yes

UPN Prefix: Yes

UPN Suffix: Yes

UPN Prefix: No

UPN Suffix: Yes

PowerShell

Quickly Login to a Service with PowerShell1. Create C:\O365Scripts2. Install PowerShell modules for Azure AD,

SharePoint and Skype for Business Online (CSOnline)*

3. Write scripts using ISE to log into service4. Create shortcuts for PowerShell.exe that

launch scripts

Also, create scripts for common tasks, as looking them up can burn a lot of time!

Quickly Login to a Service with PowerShellCreate a combo login if managing multiple servicesSkype for Business Online and Exchange Online do not share the same URI, nor do they use the same connection method, but you can manage both using a single remote session

$credential = Get-Credential "admin@ignitedemos.com"

$lyncSession = New-CsOnlineSession -Credential $credential

$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection

Import-PSSession $lyncSession

Import-PSSession $exchangeSession

SharePoint Online Permissions ManagementThree key security elements work together to control user access to sites and site content:Permissions inheritancePermission levels (sometimes known as SharePoint roles)SharePoint groups (or SharePoint security groups)

SitesIf you work on a site, you are working inside a site collectionEvery site exists in a site collection, which is a group of sites that are in a hierarchy under a single top-level site (the top-level site is called the root site of the site collection)

GroupsEach SharePoint group has a permission level, and all users in the group are granted that same permission level

SharePoint Online Permissions ManagementCustomize permission settings as a best practiceThis will help you better reflect the requirements of your organization

Looks for ways to optimize permissionsStopping permission inheritance, or creating new groups and new permission levels are ways to do this

Sites can have multiple site owners who can change settings for the sites they own

SharePoint Online Permissions ManagementPlan for unique permissions as a best practiceOrganize the site structure to reflect requirements for accessFor example, create a special sub-site for documents that contain sensitive data, or a special sub-site that contains lists with restricted access

Group people who require similar access as a best practice

SharePoint Online Permissions ManagementFollow the Principle of Least PrivilegeGive people the lowest permission levels they need to perform their assigned tasks

Give people access by adding them to default groupsMake most members of the Members or Visitors groupsLimit the number of people in the Owners group

Use permissions inheritance to create a clean, easy-to-visualize hierarchyAvoid granting permissions to individuals, instead work with groupsWhere possible, have sub-sites simply inherit permissions from your team site, rather than having unique permissions, but use unique permissions where necessary

SharePoint Online Permissions ManagementBulk assign permissions using security groups as best practice1. Create a security group in Office 3652. Bulk add users to security group3. Add security group to SharePoint group

Site Management Best PracticesTeam site owner should create a governance model to address site’s policies, processes, roles, and responsibilities

Site owner for a sub-site in a site collection, such as a team site, should create additional governance model to address sub-site’s specific needs

Information Architecture Best PracticesRequire check-out of filesEnsures that only one person can edit the file until it is checked in

Track versionsIf you need to keep previous versions of files, libraries can help you track, store, and restore the files

Require document approvalYou can specify that approval for a document is required (documents remain in a pending state until they are approved or rejected by someone who has proper permissions)

Stay informed about changesUse RSS technology to alert you of any changes to a library, such as when files that are stored in the library change

Information Architecture Best PracticesCreate workflowsApply business processes to its documents that specify actions that need to be taken in a sequence, such as approving or translating documents

Define content typesExtend the functionality of your library by enabling and defining multiple content types

Audit TrackingDefine a policy that allows you to enable 'Audit' tracking of events, such as file changes, copies or deletion

and

Exchange Online Protection

Shared Mailboxes and DirSyncA shared mailbox is a mailbox that's not primarily associated with a single user and is generally configured to allow access for multiple users

When DirSync is enabled, there is currently no way to create a shared mailbox in the cloud, or convert a cloud mailbox to a shared mailboxYou have to create the shared mailbox locally and move it

Transport Best Practices – Configure CorrectlyCommon misconfigurationsUse of smart host connector pointing to third-party gateway or systemExpired or invalid certificates

Third-party gatewaysThird-party gateways between Office 365 and on-premises Exchange servers do not support secure mail flowSecurity configurations created by the HCW allows for secure transport and non-anonymous transport

CertificatesEnsuring that certificates are valid is paramount to successful transport operationsWhen a certificate is invalid or has expired, mail will queue in Office 365 due to the inability to use TLS between environmentsCertificates that are near expiry should be replaced prior to expiration

Routing – Centralized v. DirectWith centralized routing, all mail flow from Office 365 to traverse the-on premises organizationTypically chosen due use of third-party compliance / journaling / archiving solutionIf on-premises resources are not available, cloud mail flow is negatively affectedAny custom connectors created in Office 365 are ignored

With direct routing, mail from Office 365 to external users is sent through Office 365

Throttling PoliciesEach tenant has throttling policies that are appliedFor example, PowerShell throttling limits number of set calls that can be made in a given time period

Depending on tenant size some of these policies can be relaxedConsult with Office 365 SupportPowerShell throttling can be relaxed based on tenant sizeIf performing an EWS migration, policies can be temporarily relaxed to allow higher throughput

Exchange Online Protection Best PracticesEnsure that your Office 365 default domain is updated to be one of your own domains

DirSync with Office 365 before moving MX record

Block executable attachments

Set Bulk Mail blocking in the Content Filter

Exchange Hybrid

Decommissioning Hybrid Server(s)Getting from on-premises to hybrid can be easy

Getting from hybrid to cloud-only can be trickyHow and when to decommission your on-premises Exchange servers in a hybrid deployment - http://aka.ms/DecommissionHybrid

When directory synchronization is enabled and a user is synchronized from on-premises, most of the attributes must be managed from on-premisesCustomers who move all mailboxes to the cloud and then decommission on-premises servers can no longer manage cloud mailboxes

Decommissioning Exchange Server(s)While hybrid configurations vary, there are three primary scenarios we cover for hybrid to cloud-onlyScenario 1: My organization is in a hybrid configuration and all mailboxes have been moved to Exchange Online. We do not need to manage users from on-premises and no longer need directory synchronization or password synchronization. In this case, you can safely disable directory synchronization and remove Exchange from the on-premises environment.

Scenario 2: My organization is in a hybrid configuration and all mailboxes have been moved to Exchange Online. We are keeping Active Directory Federation Services for user authentication for Exchange Online mailboxes. In this case, because you are keeping directory synchronization, you cannot remove all Exchange servers from the on-premises environment. However, they can decommission most of the Exchange servers, but leave a couple behind for user management. The remaining servers can run as virtual machines since the workload is almost completely shifted to Exchange Online.

Scenario 3: We use on-premises Exchange for other things, such as SMTP relay or public folders. In this case, we recommend against removing Exchange and the hybrid configuration.

Skype for BusinessRegularly visit Skype for Business Resources

http://aka.ms/SFBInfo

Contains all guidance, documentation and blog references for IT Pros, End Users and Developers

OneDrive for BusinessVolume of support calls for OD4B sync issues has been on steady incline for past several monthsAvoid issues by following these best practicesUse the OneDrive for Business Sync Guide for initial setup - http://aka.ms/SetupOD4BMake sure that the OneDrive for Business sync app is kept up-to-date - http://aka.ms/UpdateOD4BUse valid file and folder names, and stay within file size, item count, and file path length limits - http://aka.ms/OD4BLimits

Resolve issues by following these best practicesFirst, try repairing the OneDrive for Business sync connection - http://aka.ms/RepairOD4BNext, stop syncing and then restart syncing - http://aka.ms/StopOD4B and http://aka.ms/SyncOD4BNext, try the OD4B Troubleshooter - http://aka.ms/TShootOD4B

Office Professional PlusVolume of support calls for activation issues have been high and steady over the past few months

Avoid issues by following these best practicesIf users are behind a proxy server, ensure that proxy settings for Windows HTTP clients are correctIf users are behind a firewall, ensure that Office 365 ProPlus and other required URLs are available

Resolve issues by following these best practicesFirst, verify the appropriate license has been assignedNext, if this was a previously licensed installation, try removing and re-adding the product keyIf that fails, you should uninstall and reinstall OfficeDetailed troubleshooting steps - http://aka.ms/TShootOffice and http://aka.ms/TShootOffice2

Tools

Office 365 ToolsDiagnostic check tools at http://portal.office.com/toolsComprehensive list at http://aka.ms/office365tools

Office 365 ToolsDiagnostic check tools at http://portal.office.com/toolsDIY Troubleshooters at http://aka.ms/office365DIYTS

Office 365 ToolsDIY TroubleshootersCRM OnlineDelveExchange OnlineExchange Online ProtectionIdentity ManagementSkype for Business Online (Lync Online)Office client subscriptionSharePoint OnlineUser and domain managementYammer

Office 365 Readiness ChecksPart of an automated tool that gathers configuration requirements for the services you want to set up

Performs readiness checks against your on-premises environment to ensure that requirements are met

Informs you about any issues in your environment that may block setup so that you can address them proactively

Office 365 Readiness ChecksRun the tool…Before you deploy Office 365 (especially if you need identity federation or a hybrid deployment)When you're adding new features or complexityBefore proceeding to the next phase of your phased deployment approach

The readiness checks run against the environment that your computer is currently connected to and uses your credentials to inspect configurationRun the checks while connected to your current local network environment and while logged in as an administratorOutlook and computer checks run only against the local computer and don't inspect all of your workstations, so if users have different configurations, run these checks from multiple computers

Office 365 Readiness ChecksTwo types of checksQuick (basic checks that complete in just a few minutes)Advanced (detailed checks that can take up to an hour to run, including checks for enterprise scenarios such as directory synchronization)

You must download and install the Microsoft Office 365 Support Assistant to your computer to run checksBy agreeing to install and run the tool, the test results may be sent to Microsoft or the user may choose to save the results locallyThe results sent to Microsoft will contain basic information, such as the test that was run, failures, domain name, OS version, browser version, regional/language settings, and IP hash

Network Bandwidth CalculatorsExchange Client Network Bandwidth CalculatorEstimates the bandwidth required for a specific set of Outlook, Outlook Web App, and mobile device users in your Office 365 deploymenthttp://go.microsoft.com/fwlink/p/?LinkId=321550

Lync 2010 and 2013 Bandwidth CalculatorEnter information about users and the Lync Online features you want to deploy, and the calculator helps you determine bandwidth requirementshttp://go.microsoft.com/fwlink/p/?LinkId=321551

OneDrive for Business synchronization calculatorProvides network bandwidth approximations based on usage patterns from user profile datahttp://go.microsoft.com/fwlink/p/?LinkId=517364

Auditing and Reporting

Auditing and Reporting Best PracticesEnable auditing everywhere possible; for example, Exchange Online

Administrator Audit loggingRecords any action, based on an Exchange Management Shell cmdlet, performed by an administrator

Mailbox Audit LoggingRecords whenever a mailbox is accessed by someone other than the person who owns the mailbox

Auditing and Reporting Best PracticesBe aware of auditing limits and requirementsThe administrator audit log doesn’t record any action that is based on an Exchange cmdlet that begins with  Get, Search, or Test

Audit log entries are by default kept for 90 days; when an entry is older than 90 days, it's deleted

When a change is made in your organization, it may take up to 15 minutes to appear in audit log search results; if a change doesn't appear in the administrator audit log, wait a few minutes and run the search again

By default Mailbox Audit Logging is disabled; you have to enable it for each mailbox

Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are stored in the Recoverable Items folder in the audited mailbox, in the Audits subfolder

Mailbox Audit LoggingAction Description Administrators Delegated users

Update A message was changed. Yes Yes

Copy A message was copied to another folder. No No

Move A message was moved to another folder. Yes No

Move To Deleted Items

A message was moved to the Deleted Items folder.

Yes No

Soft-delete A message was deleted from the Deleted Items folder.

Yes Yes

Hard-delete A message was purged from the Recoverable Items folder.

Yes Yes

FolderBind A mailbox folder was accessed. Yes No

Send as A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner.

Yes Yes

Send on behalf of

A message was sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message.

Yes No

MessageBind A message was viewed in the preview pane or opened.

No No

Partner Engagement

Office 365 Ask the ExpertsWeekly opportunity to discuss sales, compete, design, deployment, and best practices with an expertReceive a short technical training on Office 365 deployment topics and support issuesStay current on recent announcements about the Office 365 serviceLearn design and deployment best practices from a partner technical consultantAsk and discuss deep technical questions blocking deployments with your customersEngage in a round-table discussion with other partners and Microsoft expertsParticipate in an interactive white-boarding discussion of recommended architectures

Designed for the IT manager and technical specialist roles at Microsoft Partner Network membershttp://aka.ms/Office365ATE

Office 365 Practice Accelerator for SMBLearn fundamental deployment principles and processes that lead to repeatable successful deployments of Office 365 for small and medium customersProvides you with Microsoft Services best practices and resources to help you accelerate your time to market, increase customer wins and retention, and improve delivery quality through proven guidance

Targeted to presales technical specialist, technical specialist, consultant, practice manager, or IT manager roles at Microsoft Partner Network members

© 2015 Microsoft Corporation. All rights reserved.