Is My Office 365 E-mail Secure? - Part 2: The "Cloud"

So, a while back I wrote an article about Office 365's security and talked about the connection between Outlook and Office 365 and also between the browser and Outlook Web Access (at http://portal.microsoftonline.com).  Both are secure.  Outlook uses Outlook Anywhere (an RPC session encapsulated within an SSL HTTPS connection) and Outlook Web Access uses a secure SSL HTTPS session.

The question I didn't answer, however, was what happens to your e-mail when it leaves Office 365.  Does it remain encrypted?  I'm back now with some answers.

Let's start with a diagram:

The scenarios where you have mail transfer with Office 365 are:

• Mailbox traffic & Outlook Web Access - covered in Is My Office 365 E-mail Secure? - Part 1: Outlook
• SMTP relay from on premises applications and devices that don't directly support TLS (more on this in a minute)
• SMTP relay using TLS
• Mail delivery to servers that do not support TLS
• Mail delivery to servers using TLS

TLS

Before I dig in to those four new scenarios let's talk about TLS.  TLS stands for Transport Layer Security.  If you're familiar with SSL (Secure Sockets Layer) TLS is similar.  TLS encrypts "the segments of network connections at the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity." (Credit http://en.wikipedia.org/wiki/Transport_Layer_Security)

Mail Delivery

SMTP (Simple Mail Transfer Protocol) is used to transfer e-mail between mail servers on the internet.  SMTP transfers e-mail unencrypted, in plain text.  To enable secure communications additional measures must be taken.  TLS provides that functionality.

TLS is can be enabled on Microsoft Exchange systems and is enabled by default on Office 365.  TLS has two settings: opportunistic and forced.  Opportunistic checks to see whether the partner in each e-mail conversation also supports TLS and if they do the conversation is encrypted.  If TLS is not supported, the conversation fails back to standard unencrypted communications.  Opportunistic TLS functions "out of the box" for Office 365 and requires no configuration.

If you wish to force encryption between your organization and another you'll want to look in to forced TLS.  This changes the behavior of Office 365 to check each e-mail communication for TLS support and then to deny connections with any systems that do not support TLS.  The communication partner can be configured for opportunistic or forced TLS, it doesn't matter which.  This video will introduce you to forced TLS.  In Office 365 TLS is configured within Forefront Online Protection for Exchange (or FOPE).  It is not necessary to use FOPE for normal Office 365 operation but it gives you (in E1 and higher plans) the ability to perform more advanced configurations.

SMTP Relay

So, back to the diagram above.  In this scenario, a SMTP relay server is used to facilitate the sending of e-mail for on-premises applications and devices.  Exchange servers are often used to relay e-mail to the internet and when they are removed a new IIS (Internet Information Server) server can be used to replace that functionality.  This is necessary because Office 365 does not allow anonymous, unencrypted e-mail relay.  Many devices and applications do not support secure connections using TLS directly so it is necessary to stand up a replacement relay server that can proxy that secure connection for them.

In the diagram, internal applications and devices deliver their e-mail to the relay server with a standard anonymous SMTP connection.  The relay server is configured with a certificate and then creates a TLS connection with Office 365 to deliver the e-mail.  It is possible for a SMTP relay server to directly deliver e-mail to the destination server but this bypasses the e-mail hygiene features of Office 365 among other things.  Make sure to check Office 365's restrictions before relaying through the service to make sure that you can do so.  In some cases, you may not wish for your e-mail to be limited and won't care if it is secure or not.

For more on how to set up an on-premises SMTP relay server see http://support.microsoft.com/kb/2600912.



Conclusions
So, we've discovered that:

• E-mail between Office 365 and other mail systems is secure by default (using TLS when supported by the partner mail system) and can be forced to be secure when necessary.
• SMTP relay communications can be configured to be secure and use Office 365 when combined with TLS as well.
• Communications between Outlook / web browsers and Office 365 are encrypted with SSL.

Related articles

• Help Wanted: Office 365 Cloud Consultant

  ---

• Office 365 P1 vs E1 Plans - What Does $2 Buy You?

  ---

• Top 8 Ways to Prepare for an Office 365 Migration

  ---

• Office 365 Tools

  ---

Update on Microsoft Store in Overland Park, KS

Check out my updated article with pictures and my impressions of the Overland Park Microsoft Store!


Microsoft Store (Photo credit: Wikipedia)

I just received an announcement on LinkedIn that the Overland Park, KS. Microsoft Store in Oak Park Mall will be opening up June 28th.  Here's the text from Lisa Seigneur, store manager:


"Come out on June 28th to help us celebrate the Oak Park Mall Microsoft Store grand opening! In honor, Microsoft will be donating $1,000,000 in software to the local chapter of Junior Achievement."


You can get information on the store on the Microsoft website at http://content.microsoftstore.com/store/detail/Overland-Park-KS.

Office 365 P1 vs E1 Plans - What Does $2 Buy You?

This is a no-brainer.  There is NO reason to go with P1 if you only save $2 per user.  You lose so much:

1. Phone support 24x7 - this is HUGE.  The Office 365 community is great but I wouldn't want to depend on them solely for support for a system critical to the operation of my business.
2. There is NO upgrade to E1 - this one is also BIG.  In order to move up to E1 if you need it you need to do another full migration - VERY painful.  It's best to avoid this issue even if you're nowhere near the 50 user limit for P1.
3. SharePoint - the version of SharePoint you get with P1 doesn't include its full functionality.  You don't get My Sites (individual user sites).  Also, you don't get the workflow features and some other bits.
4. Storage upgrades.  If you think you'll ever need more than 25GB per mailbox for e-mail storage you need E1.  P1 doesn't have any upgrade path to E3 where you get unlimited e-mail storage.
5. E-mail archiving and legal hold - you need Exchange Plan 2 or E3 or better for these.  Legal hold doesn't sound like something most people need, but it allows you to force Office 365 to hold on to e-mail for longer periods of time.  Since your backup options are limited with Office 365 this is a way to get the benefits of archival backup solutions that let you restore data from previous points in time - a feature otherwise unavailable in Office 365.
6. Office Professional Plus - if there's the possibility that you would ever need the full version Office suite you need to be in the E plans so you can upgrade to E3.  Otherwise you'll be stuck on your old Office version until you go pay your $399 per user capital expenditure.  $6 per month (the difference between E2 and E3) looks like a pretty good deal in comparison.

The only thing you lose going from P1 to E1 is the ability to both view and EDIT documents in Office Web Apps.  If you really need to be able to edit you can move up one more notch to E2 for $14 per month instead.

$8 per month is a steal for everything you get.  You've moved a capital expentiture to a regular operational expenditure that you can budget reliably for.  Also, don't be surprised if the price continues to go down and if features are added.  These are some of the benefits of expanding market share on a cloud service... you keep on getting more and more for your money.

Related articles

• Office 365 Tools
• Common Office 365 PowerShell Scripts
• Help Wanted: Office 365 Cloud Consultant
• Top 8 Ways to Prepare for an Office 365 Migration

Office 365 Tools

Much like my list of PowerShell scripts I'll be keeping track of the various good Office 365 tools I find here.

Happy Clouding!

Deployment Readiness Tool

http://community.office365.com/en-us/f/183/p/2285/8155.aspx#8155

Get-ExchangeEnvironmentReport
http://www.stevieg.org/2011/06/exchange-environment-report/

Office 365 Speed Test
http://speedtest.microsoftonline.com

Exchange Client Network Bandwidth Calculator
http://blogs.technet.com/b/omers/archive/2012/03/11/exchange-client-network-bandwidth-calculator-beta2.aspx


Exchange Connectivity Test
https://www.testexchangeconnectivity.com/

PowerShell Scripts
http://blog.quitecloudy.com/2012/05/common-office-365-powershell-scripts.html

More PowerShell Scripts - Package to Run Locally
http://www.microsoft.com/en-us/download/details.aspx?id=29568

Pre-Stage Migration Software
Office 2010 & Lync (from your portal), ADFS, DirSync (from your portal), OnlineServices PowerShell, .NET 35 SP1, Desktop Setup Wizard (from your portal)

DNS Testing Tools
GUI Tool by Justin Wyllys and www.testmyoffice365.com

3rd Party Migration Tools
Migration Wiz, MetaVis, Metalogix, Quest

Related articles

• Is Microsoft Better at Apple's Game Than Apple is at Microsoft's Game?
• Four Tips to Create Memorable Office 365 Complex Passwords
• Office 365 password expiry notifications in Outlook
• MS Office 365 Cloud Migration Tips

Common Office 365 PowerShell Scripts

I have compiled a list of useful PowerShell Scripts for use with Office 365.  I will continue to update the list over time.  I'll list the source for any scripts that aren't directly from Microsoft or that I've written from scratch.

I hope you find these useful!

* Update 5/10/13 - added scripts for changing user principal names (UPNs) singly or in bulk in Active Directory.*
* Update 5/6/13 - added scripts for changing mailboxes to shared singly or in bulk.*
* Update 5/1/13 - added script for changing from one SKU to another.*

----------------------------------------------------------------------------------------------------------

First Time in Office 365 PowerShell per Machine Set-ExecutionPolicy RemoteSigned

Close PowerShell Session Remove-PSSession $session

Full Microsoft List of Office 365 Commandlets http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh125002.aspx

Thomas Ashworth's PowerShell Resources on Technet http://blogs.technet.com/b/thomas_ashworth/

Import Contacts by CSV $csv = Import-Csv “C:\Contacts.csv” foreach($line in $csv) {New-MailContact -Name $line.DisplayName -ExternalEmailAddress $line.EmailAddress -OrganizationalUnit “users” -Alias $line.Alias}

----------------------------------------------------------------------------------------------------------

Connect to Office 365 PowerShell $o365cred=get-credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $o365cred -Authentication Basic -AllowRedirection

Import-PSSession $session

Grant Access to One Mailbox After you are connected, you must run the following command to give Alan full access to Bob’s mailbox: Add-MailboxPermission -identity Bob@domain.com -user Alan@domain.com -AccessRights FullAccess -InheritanceType All

Grant Access to All Mailboxes If you wanted to give Alan full access to all mailboxes in your environment you would run: Get-Mailbox | Add-mailboxpermission -user Alan@domain.com -AccessRights FullAccess

Set Send-as Permissions for Users on Groups This grants Alan SendAs permission for Bob's mailbox: Add-RecipientPermission Bob@domain.com -AccessRights SendAs -Trustee Alan@domain.com or Set-Mailbox -Identity mailbox -GrantSendOnBehalfTo user

For Example: Add-RecipientPermission "grouptoaccess@domain.com" -AccessRights SendAs -Trustee "usertoaccess@domain.com"

(Credit How to Grant Full Access to an Office 365Mailbox)

----------------------------------------------------------------------------------------------------------

Assign Licenses via CSV Import Connect-MsolService Get-MsolAccountSku

That will output your sku's. Once you have that you would run a script like this: Connect-MSOLService -Credential $adminCredential $AccountSkuId = "sku:ENTERPRISEPACK" $UsageLocation = "US" $LicenseOptions = New-MsolLicenseOptions -AccountSkuId $AccountSkuId $Users = Import-Csv c:\Users.csv $Users | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId -LicenseOptions $LicenseOptions }

If you wanted to do this for everyone you would change the line: $users | Import-Csv c:\Users.csv

to: $users | get-msoluser -resultsize unlimited

(Credit Can I assign a license to a group of usersby PowerShell?)

----------------------------------------------------------------------------------------------------------

Assign Licenses Granularly via PowerShell Open Microsoft Online Services Module for Windows PowerShell and connect to the service: Get-MsolAccountSku | Format-Table AccountSkuId, SkuPartNumber

The second column in this list is referenced in the next command as [SkuPartNumber] : $ServicePlans = Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "[SkuPartNumber]"} $ServicePlans.ServiceStatus

This returns all the service plans

Secondly you need to assign the licence to the user(s): Set-MsolUser -UserPrincipalName user@domain.com -UsageLocation GB Set-MsolUserLicense -UserPrincipalName user@domain.com -AddLicenses [tenantname:AccountSkuId] -LicenseOptions $MyO365Sku

Repeat for any other licences you want to apply for other users or other licence options you want to apply to this user.

(Credit Granular license assignment from PowerShell)

----------------------------------------------------------------------------------------------------------

Change Licenses from One SKU to Another via PowerShell

This script will identify all users with one SKU assigned and replace that SKU with a different one.  To test, change the "$Users = " variable assignment. Be careful - removing licenses rather than replacing them correctly will de-provision user services and delete data. Connect to Microsoft Online Service PowerShell Set the variables for the SKU you want to replace and the one you want to add Change your UseageLocation and MaxResults if necessary Run the script Connect-MSOLService -Credential $adminCredential $AccountSkuRemove = "STANDARDPACK" $AccountSkuId = ":ENTERPRISEPACK" $UsageLocation = "US" $LicenseOptions = New-MsolLicenseOptions -AccountSkuId $AccountSkuId $Users = Get-MsolUser -MaxResults 50000 | Where-Object {$_.licenses[0].AccountSku.SkuPartNumber -eq $AccountSkuRemove -and $_.IsLicensed -eq $True} $Users | ForEach-Object {Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses $AccountSkuRemove -AddLicenses $AccountSkuId -LicenseOptions $LicenseOptions}

----------------------------------------------------------------------------------------------------------

Convert Mailboxes to Shared Mailboxes - For Single Mailboxes

1. Start by checking your mailbox to see if it is under the 5 GB shared mailbox limit:

Get-MailboxStatisics | FL Total*

2. Change the mailbox type to shared:

Set-Mailbox -Identity -Type “Shared” -ProhibitSendReceiveQuota 5GB -ProhibitSendQuota 4.75GB -IssueWarningQuota 4.5GB

3. Add Full Access permissions to the mailbox - gives access to the contents of the mailbox:

Add-MailboxPermission -Identity -User -AccessRights FullAccess -InheritanceType All

4. Add Send As permissions to the mailbox - allows a user to send as if they were the mailbox itself:

Add-RecipientPermission -Identity -Trustee -AccessRights SendAs -Confirm:$false

5. Remove the user license from the mailbox

$MSOLSKU = (Get-MSOLUser -UserPrincipalName ).Licenses[0].AccountSkuId  Set-MsolUserLicense -UserPrincipalName -RemoveLicenses $MSOLSKU

Convert Mailboxes to Shared Mailboxes in Bulk

1. Ensure that all mailboxes are under the 5 GB limit.

2. Create an input.csv file in c:\temp with the following format:

userPrincipalName

User1@domain.com

User2@domain.com

User3@domain.com

3. Run the following script in PowerShell:

Import-csv C:\temp\input.csv | foreach {  $UPN = $_.userPrincipalName  Set-Mailbox $UPN -Type “Shared” -ProhibitSendReceiveQuota 5GB -ProhibitSendQuota 4.75GB -IssueWarningQuota 4.5GB  $MSOLSKU = (Get-MSOLUser -UserPrincipalName $UPN).Licenses[0].AccountSkuId  Set-MsolUserLicense -UserPrincipalName $UPN -RemoveLicenses $MSOLSKU  }

(Credit Office 365 – Converting mailboxes to shared mailboxes)

----------------------------------------------------------------------------------------------------------

Both of these scripts Alter the UPN Suffix for users.  They will both require you to open PowerShell and run the following command first:

import-module activedirectory

Change the UPN Suffix for a Single User, Search by SAM Account Name

Get-ADUser -Filter {SamAccountName -eq ""} | ForEach-Object ($_.SamAccountName) {$CompleteUPN = $_.SamAccountName + "@"; Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $CompleteUPN}

How to use it: replace with the user's SAM account name from Active Directory Users and Computers on the Account page and replace with the desired UPN suffix in the format of domain.com.

Change the UPN Suffix for All Users in an OU

Get-ADUser -SearchBase "ou=,dc=,dc=" -SearchScope OneLevel -filter * | ForEach-Object ($_.SamAccountName) {$CompleteUPN = $_.SamAccountName + "@"; Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $CompleteUPN}

How to use it: replace and with the OU path that contains the user accounts you wish to modify and replace with the desired UPN suffix in the format of domain.com. Test Before You Run Your Scripts!

If you wish to test your scripts before running them (you should!) you can replace the final "$CompleteUPN}" with "$CompleteUPN -whatif}" and then run the script.  If the script doesn't work you will get no return output.  If it does, you'll be presented with something like this for all affected users:

What if: Performing operation "Set" on Target "CN=,OU=,DC=,DC=". You can also test that you are affecting the correct user accounts by changing the end of the script.  Replace everything from the pipe | to the end with the following: | FT -property name,userprincipalname You'll be presented a table with the affected users' full names and UPNs.

Related articles

• E-mail Tip #1 from my Time at Microsoft - Notifying Your Coworkers about Vacation
• 4 Shocking Microsoft Products You Need to Know About
• Forum Post: RE: Outlook 2016 not synchronizing with Office 365 Exchange
• Office 365 Security Updates - Encryption, DKIM, DLP, and More!
• The Future of Productivity and HoloLens

Help Wanted: Office 365 Cloud Consultant

The company I work for, Valorem Consulting, is looking for someone with strong Exchange and Windows server skills that is interested in Office 365 migration work.  See below for the details or refer to the original posting at the link.  You can check out Valorem at http://www.valoremconsulting.com.


The work is challenging, fun, and we work with the latest Microsoft cloud technologies.  If it sounds like something you'd be interested in contact Josh Pluid (contact info below). 

Cloud Services Consultant

Job Description

Our Kansas City cloud services team needs a Cloud Solutions Consultant for projects in the Kansas City and surrounding areas.  You will be working onsite and remotely performing Office 365 migrations from Exchange, SharePoint, Google Apps, Lotus Notes and other collaboration systems.  Other projects types may be considered as your skills and availability allow.

You will be assisting our cloud architects and project managers in implementing solutions using the Valorem Project Delivery Experience, a Microsoft best practices-based methodology for delivering high-quality repeatable cloud-service project results to customers.

Required Skills & Experience

• Microsoft Exchange (2003, 2007, 2010) administration
• Windows Server (2003, 2008, 2008 R2) administration
• Windows desktop (XP, Vista, 7) administration
• Microsoft Office (2003, 2007, 2010) – especially Outlook (PST management & setup)
• TCP/IP and basic LAN / WAN networking
• Experience configuring mobile devices (phones and tablets) from multiple manufacturers
• Documenting configurations via Microsoft Visio and Word
• Working in fast-paced, challenging consulting roles
• Interest in playing with the very latest emerging technologies
• Being a team player and looking for additional opportunities within existing customers
• Knowing when to ask for and how to obtain assistance
• A dedication to customer service and a quality work ethic

Additional Desired Experience

• PowerShell and scripting a big plus
• Microsoft Lync and Communicator
• Other e-mail systems (Google Apps, Lotus Notes, etc.)
• SharePoint (2003, 2007, 2010) end-user and administration, not developer
• E-mail and SharePoint migration experience a big plus
• SQL Server (infrastructure management, not DBA)
• Working with remote access technologies (RDP, LogMeIn, etc.)
• E-mail hygiene products like Forefront Online Protection for Exchange (FOPE), Postini, & AppRiver
• Antivirus and endpoint security products

Josh Pluid

jpluid@valoremconsulting.com

405-314-0459

Related articles

• Top 8 Ways to Prepare for an Office 365 Migration
• Microsoft's Worldwide Partner Conference 2011 - BlackBerry, Office 365 and more!
• What's new in Microsoft's Office 365? There's a wiki for that

Top 8 Ways to Prepare for an Office 365 Migration

I recently delivered a webinar for Valorem Consulting on preparing for Office 365 migrations.  We uploaded the video to YouTube for any of you who are interested.

The topics I cover are:

1. Get Good Help:  Know where to go for help - Microsoft phone support?  Online forums?  Maybe from a Microsoft Partner?  How do you know which are good?
2. Choose Your Migration Type: What's the right method for migrating from your system?  There are several that each have differing levels of capability and complexity.
3. Know Office 365's Requirements and Limits: You'll probably need to upgrade software or run Windows updates.  There are size limits on e-mails and storage as well.
4. Get Good Tools - Know what tools are at your disposal and will make your migration easier.
5. Document Everything - Make e-mail flow and network diagrams, write a summary of how your e-mail systems work, etc.
6. Know About the Cloud - Understand how using e-mail and services in the cloud differ from your legacy systems on-premises.  Understand how support is different as well.
7. Know What You Need - Ask good questions about what functions you need, how you manage it, etc.
8. Clean House - Choose what to migrate and clean up your data.

The webinar is over an hour long, so isn't for the faint of heart, but there's some really good information in there.

In the webinar I mention some resource links.  You can find them posted online at Free Online Resources for Planning and Migrating to Office 365.