Purchasing Additional SharePoint Online Storage for Office 365

There are a number of different options for customers to purchase Office 365.  In the U.S.A. and the majority of markets, customers can purchase Office 365 directly from Microsoft via MOSP (Microsoft Online Subscription Program).  This is the most common way for small businesses to purchase Office 365.  Customers can purchase licenses using a credit card.  There is no minimum license quantity for MOSP.  Customers pay for Office 365 via an automatic monthly subscription.

In Australia, Telstra has a syndication agreement with Microsoft.  This means that customers who want to purchase Office 365 in Australia transact the purchase with Telstra.  This service is known as T-Suite.  Billing for T-Suite can be via a monthly credit card payment or the customer’s existing Telstra account.  After purchasing the licenses from Telstra, customers are provided with an Office 365 Org ID and password to access the new tenant.

Another option for customers to purchase Office 365 is via a volume license (VL) agreement.  For large enterprises that require 250 licenses and above, customers can purchase via an Enterprise Agreement (EA) or Enterprise Subscription Agreement (EAS).  Smaller customers that require between 5 – 249 licenses can purchase Office 365 via an Open Agreement.  VL agreements require a commitment of 1 – 3 years, depending on the agreement.  VL agreements are billed annually.  Customers who are based in Australia and wish to buy Office 365 directly from Microsoft can do so with a VL agreement.

There are many differences between Office 365 purchases via MOSP vs. VL.  The differences include:

1) The prices of the licenses

2) The frequency of the payments

3) The length of commitment

4) The types of SKUs which are available

It is important to consider all of these factors before making a decision on the best way to purchase Office 365 for your organization.

This blog will focus on one of the major differences between the Office 365 SKUs offered via MOSP vs. an Open agreement.

When customers purchase Office 365 and SharePoint Online, they are provided with 10 GB of storage by default.  This storage can be used to provision a number of different SharePoint Online websites including public and internal websites.  For each Office 365 and SharePoint Online user license purchased, the tenant is provided with an additional 500 MB of storage.  For example, a customer who purchases 10 E3 licenses will receive 10 GB + (10 users) * (500 MB) = 10 GB + 5 GB = 15 GB.  Please note that this pool of SharePoint Online storage is separate from the storage used by OneDrive for Business.  Each user who runs OneDrive for Business is now given 1 TB of storage for personal files.

In some instances, customers may want to increase the amount of storage available for SharePoint Online.  Kloud Solutions works with many customers who would like to move their corporate file shares from an on-premises server to SharePoint Online.  The storage required for your file shares may exceed the default storage allocation in SharePoint Online.  Therefore, Microsoft has introduced the option for customers to purchase additional SharePoint storage on a per GB basis.

There are many different types of Office 365 plans that can be purchased.  You will first need to determine if your existing Office 365 subscription is eligible for additional storage.  SharePoint Online storage is available for the following subscriptions:

  • Office 365 Enterprise E1
  • Office 365 Enterprise E2
  • Office 365 Enterprise E3
  • Office 365 Enterprise E3 for Symphony
  • Office 365 Enterprise E4
  • Office 365 Midsize Business
  • Office Online with SharePoint Plan 1
  • Office Online with SharePoint Plan 2
  • SharePoint Online (Plan 1)
  • SharePoint Online (Plan 2)

SharePoint Online Storage for Small Business is available for the following subscriptions:

  • Office 365 (Plan P1)
  • Office 365 Small Business Premium
  • Office 365 Small Business

If your subscription is one of the above eligible plans, you can purchase Office 365 via MOSP or the T-Suite portal for customers in Australia.

One of the key limitations to consider is that Microsoft does NOT offer the option to purchase additional SharePoint Online storage via an Open Agreement for small and medium businesses.  For instance, you can purchase 10 E3 licenses via an Open Agreement. This would provide 15 GB of SharePoint Online storage using the example above.  However, you would NOT be able to purchase additional GB of storage as the SKU is not available on the Open price list.

You can mix Open and MOSP licensing in the same Office 365 tenant.  For example, you could buy 10 E3 licenses via an Open agreement and then apply them to a tenant using an Office 365 product key.  If you wanted to buy an additional 3 GB of storage, you could do so via a credit card in the same tenant.  However, SharePoint Online storage must be tied to another license.  It cannot be purchased by itself.  So you would have to buy at least 1 additional E3 license via MOSP in order to add the additional 3 GB of storage.  This is something to consider when you are pricing an Office 365 solution.

For reasons of both simplicity and flexibility, Kloud Solutions recommends purchasing Office 365 via MOSP or T-Suite if you need additional SharePoint Online storage today, or if you think you may need it in the future.  Purchasing via MOSP or T-Suite allows you to keep your options open and plan for future storage growth.  Buying Office 365 via Open means that you are locked in to a certain storage allocation as determined by Microsoft.   There is no guarantee that Microsoft’s default storage allocation will meet your requirements.

It is very likely that Microsoft will increase the default storage allocation for SharePoint Online in the future.  The cost of storage is always declining according to Moore’s Law.  For example, Microsoft recently increased the amount of storage available in OneDrive from 25 GB to 1 TB.  Here is a blog post which references this change:

https://blog.kloud.com.au/2014/05/04/sharepoint-online-storage-improvements-in-office-365/

However, there have been no announcements from Microsoft to date indicating that they plan to increase the default storage for SharePoint Online beyond 10 GB per tenant or 500 MB per user.  There will be future posts to this blog about this topic if there are any relevant updates in the future.

If you have any questions about the different options for purchasing Office 365 from Microsoft or Telstra, please contact Kloud  Solutions using the following URL:

http://www.kloud.com.au/

Securing Emails Outside of Your Organization With Office 365 Message Encryption

For those of you who have been concerned about email security for a number of years, you may remember a solution from Microsoft called Exchange Hosted Encryption (EHE).  This was a cloud based service which allowed organizations to encrypt emails according to certain defined rules.  For example, you could encrypt emails where the intended recipient was outside of your organization and certain keywords or regular expressions were detected, such as a credit card number.  This was a very useful service for protecting emails sent to ANY user, regardless of the relationship with the user’s company.  There was no need to set up federation between the two organizations.  All certificates were stored and maintained in the cloud which made it very simple to administer compared to an on-premises solution.

The problem with EHE was that it was a separate service.  It required a completely separate console to configure and administer.  Moreover, using EHE required an additional licensing cost for every user that needed to send encrypted email.  As a result, adoption of EHE was low except for industries where data security was paramount.  Some examples of industries where EHE is very popular include:

1) Financial services including banking and insurance

2) Healthcare

3) Lawyers

4) Contract management

Microsoft recently announced Office 365 Message Encryption as the next release of EHE.  There are a number of improvements in this release which make it far more appealing to deploy and utilize.  First, the service is based on Microsoft Azure Rights Management Services (RMS).  Office 365 integrates beautifully with Azure AD and Azure AD (RMS).  This means that Office 365 Message Encryption is a built-in capability of Office 365.  Deployment and configuration of the service can be performed directly from the Exchange Online Admin Console. 

The following plans include Office 365 Message Encryption:

1) Office 365 E3

2) Office 365 E4

3) Azure AD RMS

4) Enterprise Mobility Suite (Exchange Online not included)

Other Office 365 plans can add Message Encryption as an additional subscription SKU.  Running Exchange Online Protection (EOP) is a pre-requisite to running Message Encryption.

The behavior of Office 365 Message Encryption is controlled by Exchange transport rules.  These rules are configured by an Exchange Online administrator and apply across the organization.  Here are some examples of popular transport rules:

1) Encrypt all emails sent from legal counsel to a user external to the organization

2) Encrypt all emails sent to a user external to the organization where the phrase “encrypt” appears in the subject line

3) Encrypt all emails sent to a user external to the organization where the body contains the number pattern XXXX-XXXX-XXXX-XXXX which resembles a credit card PAN.

When a user sends an email that matches one of these transport rules, the message is encrypted, converted into an HTML attachment, and then transmitted to the recipient.  When the message is received, the end user is given instructions on how to open the encrypted message.  The recipient does NOT require an email account that is trusted by the sender or federated with his organization.  The only requirement is that the email address of the recipient is configured as either a:

1) Microsoft Account

2) Microsoft Organization ID

If the email address of the recipient is NOT configured as one of the above accounts, he will be presented with instructions on how to do so.  This is required before the encrypted message can be opened.

To improve the Office 365 Message Encryption experience for end users, I recommend that you set up at least two transport rules:

1) Transport rule for outbound email based on business rules for data protection

2) Transport rule to decrypt inbound email on delivery to save internal users the extra step
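The three example rules listed earlier and the inbound decryption rule recommended here can be written as Exchange Online transport rules in PowerShell. This is an added example, not from the original post; it assumes an existing Exchange Online remote PowerShell session, and the rule names and the 'Legal Counsel' group are hypothetical placeholders.

```powershell
# Added example: Office 365 Message Encryption transport rules.
# Assumes an Exchange Online remote PowerShell session is already open.
# Rule names and the 'Legal Counsel' distribution group are hypothetical.

# 1) Mail from members of the legal group to recipients outside the organization
$legalRule = @{
    Name         = 'OME - Legal to external'
    FromMemberOf = 'Legal Counsel'
    SentToScope  = 'NotInOrganization'
    ApplyOME     = $true
}
New-TransportRule @legalRule

# 2) Mail to external recipients where the subject contains the word "encrypt"
$keywordRule = @{
    Name                 = 'OME - Subject keyword'
    SentToScope          = 'NotInOrganization'
    SubjectContainsWords = 'encrypt'
    ApplyOME             = $true
}
New-TransportRule @keywordRule

# 3) Mail to external recipients containing the pattern XXXX-XXXX-XXXX-XXXX.
#    This matches the digit layout only; it does not validate the card number.
$panRule = @{
    Name                         = 'OME - Card number pattern'
    SentToScope                  = 'NotInOrganization'
    SubjectOrBodyMatchesPatterns = '\d\d\d\d-\d\d\d\d-\d\d\d\d-\d\d\d\d'
    ApplyOME                     = $true
}
New-TransportRule @panRule

# Inbound rule: remove the encryption on delivery to internal mailboxes
# so that internal users do not have to open the HTML attachment.
$decryptRule = @{
    Name        = 'OME - Decrypt inbound'
    FromScope   = 'NotInOrganization'
    SentToScope = 'InOrganization'
    RemoveOME   = $true
}
New-TransportRule @decryptRule

# Confirm that the rules exist and are enabled
Get-TransportRule |
    Where-Object { $_.Name -like 'OME - *' } |
    Format-Table Name, State, Priority -AutoSize
```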

Organizations using Office 365 Message Encryption can customize the experience for the end user.  They can add a corporate logo or standard disclaimer text to every encrypted email.  Customizing the experience requires the use of PowerShell as there is no UI available for message customization in the current release.

If you need assistance securing your corporate email, please contact Kloud solutions at the following URL:

http://www.kloud.com.au/#

Unable to Administer Office 365 Using PowerShell with Multi-Factor Authentication

Back in February, Microsoft announced the release of multi-factor authentication.  This feature allows IT administrators to dramatically increase the security of Office 365 by requiring a second factor of authentication to access the service.  This feature is very simple to configure and use.  It is far simpler to configure multi-factor authentication for Office 365 than it is to enable an equivalent solution on premises.  To learn more about multi-factor authentication, I recommend the following blog post:

https://blog.kloud.com.au/2014/04/16/protect-your-identity-in-the-cloud-with-multi-factor-authentication/

There are some limitations of multi-factor authentication that are important to be aware of before turning on this feature.  One key limitation is that PowerShell commands cannot be run with an account that has multi-factor authentication enabled.  Here is why:

1) Authentication of a PowerShell session only accepts a user name and password.  There is no way to provide a second factor.

2) Application passwords cannot be used to authenticate a PowerShell session

All Office 365 administrators will need to run PowerShell commands at some point to administer the service.  Therefore, multiple admin accounts will be required for different administrative scenarios.

 

Kloud Solutions recommends creating three separate Office 365 accounts for global admins who need to run PowerShell:

 

1) A standard user account to perform daily tasks such as checking email or accessing shared files.   This account will have an Office 365 license assigned.  Multi-factor authentication is not required for this account, but it is highly recommended.

2) A global admin account to perform administrative tasks.  This account should only be used when administrative access is required.  Because this account is privileged, I strongly recommend enabling multi-factor authentication to increase the level of security.

3) A global admin account to run PowerShell commands.  This account cannot be secured with multi-factor authentication.  So I recommend leaving it disabled until it is needed.  This will reduce the risk that the account will be compromised without requiring the second authentication factor.
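One way to check that the account model above is being followed is to list every global admin and flag any that can sign in without multi-factor authentication. This is an added example, not from the original post; it assumes the MSOnline PowerShell module is installed and that the session is opened with the dedicated PowerShell admin account.

```powershell
# Added example: report global admins that are enabled but not protected by MFA.
# Assumes the MSOnline module; sign in with the dedicated PowerShell admin account.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

# 'Company Administrator' is the directory name of the global admin role
$role = Get-MsolRole -RoleName 'Company Administrator'

$report = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object {
        $user = Get-MsolUser -ObjectId $_.ObjectId

        # Per-user MFA appears as an entry with a State value (Enabled or Enforced)
        $mfa = [bool]($user.StrongAuthenticationRequirements |
                      Where-Object { $_.State })

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            SignInBlocked     = [bool]$user.BlockCredential
            MfaRequired       = $mfa
            # An admin that can sign in with a password alone needs review
            NeedsAttention    = (-not $mfa) -and (-not $user.BlockCredential)
        }
    }

$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```

The account running the report will itself appear with NeedsAttention set; any other flagged row is a global admin that was left enabled without a second factor.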

 

If you are looking for assistance with Office 365, PowerShell, or multi-factor authentication, please contact Kloud Solutions at the following URL:

https://blog.kloud.com.au/

RDS and Shared Computer Support for Office 365 Pro Plus

There is no denying that the workplace is moving towards a multi-device world.  The majority of information workers (IWs) now have an average of 3 – 4 devices per user.  This can include a PC, notebook, tablet, and phone.  The problem is that Office Professional is licensed per device.  This means that organizations planning to deploy Office Professional have to purchase additional copies of Office to run on these different devices.  For most organizations, this is prohibitively expensive. 

 

This is one of the reasons why Office 365 Pro Plus is such an attractive option for most organizations.  Adopting Office 365 Pro Plus means that you can allow BYOD within your organization and still keep your users productive on their own devices by providing a familiar Office experience.  This is a great value for IWs across a range of industries.

But not all of your employees are IWs.  Some organizations have the majority of their workforce in roles where every device is shared by multiple users.  This is very common in industries such as call centers, mining, retail, and logistics.  These positions are often characterized by shift work where a device is passed from user to user when shifts end.  These shared devices generally belong to the organization, not the individual.  But some of these devices still require a copy of Office to read and edit documents and emails.  Sometimes Office runs locally on the machine.  In some instances, Office runs on a Remote Desktop Server (RDS) and presents to the user on the shared device.

Office 365 Pro Plus does not currently run properly on shared devices.  The reason is that activation is tied to the user’s account.  When multiple users attempt to access the same copy of Office 365 Pro Plus, activation will fail.  This made it impossible to use Office 365 Pro Plus in RDS and other shared environments.  It created challenges for many organizations because it required that they run a different version of Office depending on whether the device is dedicated to a single user or shared by multiple users.

The good news is that Microsoft has heard the feedback and has announced a solution.  Shared Computer Activation is a new feature that is due to release in H2 CY2014.  Shared Computer Activation will allow organizations to run Office 365 Pro Plus on RDS for Windows Server 2008 R2 and above.  It will also permit Office 365 Pro Plus to run on shared computers with multiple user profiles. 

 

Shared Computer Activation separates the installation of Office 365 Pro Plus from the activation process.  Using the Office Deployment Tool, Office 365 Pro Plus can be installed in Shared Computer Mode.  Running as a Shared Computer means that Office 365 Pro Plus activation lasts for the duration of a logon session.  When a user logs onto the machine or into an RDS session, activation will be based on the logged on user’s Office 365 Pro Plus license.  Activation will succeed only if the user is properly licensed to run Office 365 Pro Plus.  When a new user signs onto the same device, activation happens again using the new user’s credentials.  Running Office 365 Pro Plus on a Shared Computer does not count against a user’s 5 license limit.  This means that IWs can use shared computers without having to sacrifice one of their personal devices.

 

If you are looking for assistance running Office 365 Pro Plus in environments with shared devices, please contact Kloud Solutions at the following URL:

http://www.kloud.com.au/#

What Is The Microsoft Enterprise Mobility Suite?

Microsoft released the Enterprise Mobility Suite (EMS) back in April 2014. This was a major announcement for Microsoft which has typically focused on traditional information workers (IWs) who sit at a desk for most of the day. The EMS is a license designed for a mobile worker who uses a range of different devices including a PC, tablet, and mobile phone. The EMS assumes that the mobile worker will take advantage of BYOD and choose to use a non-corporate device for accessing corporate data.

 

The EMS enables an organization to embrace mobility and BYOD by addressing the key areas of concern and risk for all organizations:

1) User Identity and Access

2) Device Management

3) Application Management

4) Data Protection

 

The EMS includes the following components and capabilities:

1) Azure Active Directory Premium - Cloud Identity Management

2) Windows Intune - Mobile Device Management (MDM)

3) Windows Intune - Mobile Application Management (MAM)

4) Azure Rights Management Services (RMS) - Email and Document Protection

Rather than purchasing piecemeal solutions, organizations can license EMS to address the challenges that come with a mobile workforce and BYOD. Instead of resisting change, IT departments can embrace new technologies, keep users happy and productive, and protect their organizations from security threats.

 

If you are looking for guidance on how to enable greater mobility in your workforce, please contact Kloud Solutions at the following URL:

http://www.kloud.com.au/#

End User Access To Spam Quarantine in Office 365

One of the features of Office 365 which gets very little attention is Exchange Online Protection (EOP). EOP is a Microsoft cloud service which protects Exchange Online in Office 365 from spam and viruses. EOP is a built-in capability of Office 365. There is no additional license required to use it.

Emails which EOP detects as spam are trapped in a quarantine area. Users were notified that email was quarantined by an automatically generated email message from EOP. The user could then decide if the email was truly spam or a false positive. If the user felt that the email was not spam, there was an option to release the email from quarantine. Released emails are immediately delivered to the user’s inbox.

Microsoft has released a new feature for Office 365 called the spam quarantine page. This new page allows end users to view their emails which are currently in quarantine via a web-based interface using an Office 365 OrgID. Users can choose to release an email from quarantine and have it delivered to their inbox from the spam quarantine page. The console can be accessed via the following URL:

https://admin.protection.outlook.com/quarantine

There is an advanced search option in the spam quarantine page. This allows users to search for a specific email trapped in quarantine. The user can search using the following criteria:

1) Message ID

2) Sender Email Address

3) Recipient Email Address

4) Subject

5) Received

6) Expires

7) Type

If you are looking for guidance on how to migrate to and configure EOP to protect your Office 365 tenant, please contact Kloud Solutions at the following URL:

http://www.kloud.com.au/

Microsoft Antimalware for Azure is Now in Preview

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a new cloud service that detects and removes viruses, spyware, and other malicious software. Administrators can configure alerts to detect when malicious software attempts to install or run on a Microsoft Azure workload. The service is currently in preview.

I was really excited when I heard this new service announced at TechEd North America. Microsoft Antimalware for Azure addresses a major gap in the market. There is a legitimate need to protect IaaS and PaaS workloads running on Azure from viruses and other malware. So it is great to see that Microsoft has recognized that this is an issue and that they are trying to address it.

For those of you who are familiar with Microsoft’s portfolio of security solutions, Microsoft has four offerings for consumers and businesses:

1) Microsoft Security Essentials (MSE)

2) Windows Defender (for Windows 8 and higher)

3) System Center Endpoint Protection

4) Windows Intune Endpoint Protection

Microsoft Antimalware for Azure is built on the same engine as the existing solutions from Microsoft. But it is a distinctly different service. It is a single-agent solution for PaaS applications and virtual machines. It is designed to run in the background without human intervention. The service has a default configuration which is appropriate for most workloads. But it also offers the option for advanced custom configuration, including antimalware monitoring.

The following core features are available in the preview release:

Real-time protection – monitors activity in Azure Cloud Services and on Virtual Machines to detect and block malware execution.

Scheduled scanning – periodically performs targeted scanning to detect malware, including actively running programs.

Malware remediation – automatically takes action on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.

Signature updates – automatically installs the latest protection signatures (virus definitions) to ensure protection is up-to-date on a pre-determined frequency.

Antimalware Engine updates – automatically updates the Microsoft Antimalware engine.

Antimalware Platform updates – automatically updates the Microsoft Antimalware platform.

Active protection – reports telemetry metadata about detected threats and suspicious resources to Microsoft Azure to ensure rapid response to the evolving threat landscape, as well as enabling real-time synchronous signature delivery through the Microsoft Active Protection System (MAPS).

Samples reporting – provides and reports samples to the Microsoft Antimalware service to help refine the service and enable troubleshooting.

Exclusions – allows application and service administrators to configure certain files, processes, and drives to exclude them from protection and scanning for performance and/or other reasons.

Antimalware monitoring – records the antimalware service health, suspicious activities and remediation actions taken in the operating system event log and collects them into the customer’s Azure Storage account. The antimalware monitoring is enabled via the Azure Diagnostics Service extension as an advanced configuration.

The capabilities of Microsoft Antimalware are somewhat similar to other antimalware products available from Microsoft. Unfortunately, the current release of Microsoft Antimalware for Azure is extremely difficult to deploy, configure, and manage. The main reason for this is the lack of any UI for the administrator or end user. Any meaningful administration of the service requires the use of PowerShell. I do not believe it is an exaggeration to say that Microsoft Antimalware for Azure is the most difficult to use antimalware solution on the market today. I realize that the product is in preview and that it will mature over time.

Another major limitation of Microsoft Antimalware for Azure is that it cannot be deployed to an existing Azure VM. There is no way to deploy the agent to a VM that has already been created. You have to create a brand new VM and choose the option to add the Microsoft Antimalware security extension by checking the box in the create virtual machine wizard. This is the one and only configuration option which has a user interface at the present time. The fact that you cannot deploy Microsoft Antimalware for Azure to an existing VM is a major limitation. It means that you will need to delete and recreate any VMs which you have already deployed in order to start using the solution. This is a major undertaking which makes deployment extremely difficult and cumbersome.

I am frankly surprised that Microsoft has taken the approach of building an entirely new service to provide antimalware to Microsoft Azure VMs. This seems like an enormous engineering effort for an organization that already has four different antimalware solutions. Instead of creating a fifth service to protect against malware, it would seem far more logical to take one of the existing services and adapt it to protect Azure VMs. I would have thought that extending Windows Intune Endpoint Protection (WIEP) to run on Azure VMs was the most sensible approach. One of the nice benefits of WIEP is that it has a very simple UI which is ideal for businesses that lack the technical expertise to run System Center Endpoint Protection. But Microsoft chose to build an entirely new antimalware product instead, which makes System Center Endpoint Protection look simple by comparison.

I sincerely hope that Microsoft will take this feedback in the spirit in which it is intended. The concept behind Microsoft Antimalware for Azure is terrific. It is a fantastic idea whose time has come. But Microsoft needs to prioritize their investment in a user interface so that the majority of administrators can deploy and use the product successfully. Otherwise, it offers no real benefit to customers.

Kloud Solutions Microsoft Partner Competencies

Many customers are curious about Kloud’s qualifications to provide consulting and managed services for the technologies in which we specialize. Many of these technologies are very new. How can customers be assured that Kloud Solutions has the right qualifications?

Kloud Solutions has completed the requirements for the following Microsoft competencies:

1. Gold Communications Competency Partner

2. Gold Identity and Access Competency Partner

3. Silver Application Development Competency Partner

4. Silver Collaboration and Content Partner

Here are some of the reasons why Kloud has pursued and earned these competencies with Microsoft:

1. Kloud’s partner competencies focus on technologies that we use to build solutions for customers including Office 365, Exchange, SharePoint, Lync, Microsoft Azure, and Forefront Identity Manager.

2. Microsoft Gold partners can provide delegated administration for customer’s Office 365, Microsoft Azure, and Windows Intune environments

3. Microsoft Gold partners have access to business critical support from Microsoft to resolve cloud related support issues

4. Microsoft Gold partners have access to advisory support and assistance from Microsoft consulting

5. Microsoft Gold partners have unlimited access to training from the Microsoft Partner Learning Center

6. Microsoft Gold partners have access to the latest product news and technical information

In order to achieve a Microsoft competency, an organization must complete the following:

1. Pass a number of qualifying certification exams

2. Pass a number of business-focused assessments

3. Provide customer evidence

Your organization must have five customer references that feature how, within the previous 12 months, you have provided solutions based on the products and technologies associated with this competency. After a reference has been approved by your customer and by Microsoft, it can be used toward earning or renewing a competency for up to two years.

4. Gather customer feedback

Your organization must use the Customer Satisfaction (CSAT) Index survey to measure performance and help drive customer satisfaction.

If you have any questions about the experience or qualifications of Kloud Solutions to provide consulting or support for your business, please contact us using the following URL:

http://www.kloud.com.au/contact-us/

We can provide customer references upon request.

Proactive DNS Record Checking in Office 365

Microsoft has released a new feature for Office 365.  It can automatically detect if DNS records are misconfigured for a custom domain.  This is a useful feature when you are setting up a new custom domain for an Office 365 tenant.  It also helps when Microsoft updates the Office 365 service in a way that requires DNS changes.

When Office 365 detects that DNS is misconfigured, an alert is generated in the Office 365 admin center.  The message indicates which record needs to be updated in DNS.  An administrator can log into the website for the DNS provider and manually update the record.  There is an integration between Office 365 and GoDaddy which can make this process easier.  If the domain is hosted with GoDaddy, there is the option to log into GoDaddy from the Office 365 admin center and automatically update the records.  This makes it simpler to keep DNS up to date which can be a benefit to Office 365 administrators who are not comfortable making DNS record changes.

Once the required records are updated in DNS, the alert in the Office 365 admin center will be cleared.  This lets the administrator know that the changes in DNS were successful.  This feature helps to simplify the Office 365 admin experience and reduce the number of outages related to DNS configuration.

If you need help setting up and managing a custom domain for Office 365, please contact Kloud Solutions using the following URL:

http://www.kloud.com.au/contact-us/

Windows Intune Features and Policies for Samsung KNOX

Microsoft and Samsung have announced a partnership whereby Samsung KNOX devices can be managed by Windows Intune using both Direct Management and Exchange ActiveSync.  Windows Intune now supports direct configuration of Samsung KNOX devices.  This feature allows IT administrators to manage Samsung KNOX mobile devices via the Windows Intune administration console.  Samsung KNOX devices are designed to be used in high security environments.

 

Here is the list of Windows Intune policies which are available today for managing Samsung KNOX devices:

Group | Policy
Security / Password | Require a password to unlock mobile devices
Security / Password | Password quality
Security / Password | Minimum password length
Security / Password | Number of repeated sign-in failures to allow before the device is wiped
Security / Password | Minutes of inactivity before screen turns off
Security / Password | Password expiration (days)
Security / Password | Remember password history -> Prevent reuse of previous passwords
Security / Encryption | Require encryption on mobile device
Device Capabilities / Hardware | Allow camera

If you are looking for assistance managing your corporate owned or personally owned mobile devices, please contact Kloud Solutions using the following URL:

http://www.kloud.com.au/contact-us/