Email is the lifeblood of business communication, even in this age of Teams, Slack, and numerous other communication tools. It’s the lowest common denominator – the one tool that you can always use to reach someone if you’ve got their email address.

And email is a commodity – every business needs it, but no business is going to be more competitive by running it “more efficiently” than another.

One of the strengths of M365 over Google Workplace, for instance, is the clear migration path from what you have today to the cloud because of Microsoft’s large footprint in corporate data centers around the world. If you have Exchange 2013+ on-premises, you can pick any of the migration methods, some of which provide a hybrid co-existence.

The full hybrid option lets you continue running your on-premises infrastructure for as long as you’d like and chapmove mailboxes in batches to the cloud on your own schedule. You can even move mailboxes back to on-premises should the need arise.

As you’d expect, there are many details to manage in a hybrid setup, including prerequisites, ActiveSync connectivity, and mailbox permissions – especially when a user on-premises has permissions to a mailbox in the cloud or vice versa.

If all you’re looking for is a simple way to move mailboxes from Exchange to Exchange Online – Hornetsecurity has an excellent Mailbox Migration Tool.

One thing to realize about O365 is that Microsoft is going to make sure that you don’t lose your mailbox data, which they do through the native data protection in Exchange – keeping three copies of your mailbox data on separate servers, along with a “lagged copy” (behind in time, for instances where the data is corrupted rather than lost) on a fourth server.

They DON’T, however, keep backup copies of your data going back into the past, which may or may not be an issue for your business, depending on your regulatory needs. Several third-party services on the market will do backups of your Exchange and SharePoint online data. Hornetsecurity 365 Total Backup is an excellent backup solution for mailboxes, Teams, OneDrive for Business, SharePoint, and files on endpoints.

A deleted user account and mailbox can be recovered if no more than 30 days have passed.

Whether your Exchange server is in the cloud or on-premises it’s important that client applications can find it – this is the job of the Autodiscover records in DNS. There are a number of other DNS records required for M365 – find them in this article. 

If you have a hybrid Exchange deployment the Autodiscover records need to point to your on-premises Exchange 2016/2019 Mailbox Server.

There are many tasks associated with mailbox management, one of them is quota management. F3 licenses get 2 GB quotas, E1 are set at 50 GB (with a 50 GB archive) and E3+ have 100 GB quotas with archive mailboxes that can be max 1.5 TB.

The difference between a mailbox and an archive mailbox is that the archive is only available when you’re online. You can control how much mailbox data is stored offline on each device with a slider in Outlook.

If you’re migrating large mailboxes to Office 365, ensure they’re smaller than 100 GB and no item is larger than 150 MB before starting the move.

In the Exchange console you can configure settings for a mailbox such as adding email aliases, see quota usage, control which clients (OWA, Unified Messaging) and the protocols (EAS, MAPI, IMAP and POP) the user can use, message retention and mailbox delegation.

This last option lets you configure other users to Send As emails as the user, Send on Behalf where the recipient can see that the email is sent on behalf of the user, and Full Access.

As mentioned earlier you can enable an Archive mailbox for mailbox content which essentially serves as a “bottomless” storage area for older content, hopefully stopping users from adopting PST files as an archiving solution.

The Outlook mobile client (iOS and Android) cannot access Archive mailboxes. You can enable auto expanding archives for E3 and E5 licensed users using PowerShell:

Set-OrganizationConfig -AutoExpandingArchive

You can also enable Archive mailboxes on a per user basis. Note that the Archive folder that’s created in a mailbox when you right click an item and select archive isn’t related to the Archive mailbox.

Be aware that users can set up their mailboxes to forward mail to an external email address (optionally delivering to both inboxes).

This is something you should keep an eye on because while there may be legitimate business reasons to forward mail, it’s also a favored attack vector for hackers where they silently read emails and then use that for various nefarious purposes.

There’s a report in the Mail Flow dashboard to show you what forwarding rules exist. You can also block users from being able to forward mail in several ways.

There are times when you’d like a mailbox that doesn’t “belong” to a particular user, such as sales or support, where you have a team of users accessing the same alias.

As long as the Shared mailbox doesn’t have a larger quota than 50 GB or uses an Archive mailbox, it won’t consume a license.

It’s also one option for handling staff that have left your company while you still need to monitor their email for incoming emails; converting their mailbox to a shared mailbox and assigning access to the appropriate staff will free up the license to be assigned to a new user.

From a security point of view, make sure direct login to shared mailboxes is blocked – users should only access shared mailboxes by adding them as an additional mailbox in Outlook.

Both Mail Contacts and Users show up in All Contacts, the Global Address List (GAL), and the Offline Address Book (OAB). A contact is a pointer to an email address in an external system, whilst a user is also a pointer to an external address, but the user has O365 credentials to be able to access SharePoint Online or OneDrive for Business.

The latter is a remnant of on-premises Exchange, modern external sharing such as Teams, Planner, and others use Azure Business to Business (B2B) collaboration for guest access.

Grouping email addresses together to facilitate communication with teams of people is something that email systems have been doing for decades – in the Exchange Online Admin Center (EAC), you can create Distribution Lists (DL).

Note that the default is to create an M365 Group instead, and in fact, Microsoft is pushing to replace DLs with Groups.

Dynamic Groups make maintaining membership easier, basing the membership on an Entra ID attribute such as “department” – if that’s set to Marketing, for instance, the user is automatically included in the right group.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services: 

• 365 Total Protection 
• 365 Total Backup 
• 365 Permission Manager 
• 365 Total Protection Compliance & Awareness 
• 365 Total Protection Enterprise Backup 

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.

In summary, Exchange Online offers a seamless transition to cloud-based communication, providing robust data protection and efficient mailbox management.

Leveraging features like Autodiscover and mailbox archives, organizations can enhance productivity and streamline communication processes.

The last pillar of M365 is Windows 11 Enterprise, five devices for each licensed user, which will automatically upgrade Windows 11 Pro to Enterprise as soon as a user logs in. Here, we will cover what additional security features this brings to your enterprise.

Enterprise adds Defender Application Guard and Defender Application Control on top of the security features you get in Windows 11 Pro. Application Guard protects your users when browsing potentially malicious sites using Edge in an isolated hardware manner. 

This technology has also been extended to Word, Excel, and PowerPoint. On the other hand, Application Control builds on earlier iterations of AppLocker and blocks untrusted applications, including plug-ins and add-ins, from running.  

Always On VPN doesn’t require Windows 11 Enterprise and is a successor to Direct Access if you still need to use client VPN in your business. 

Whilst it’s not exclusive to Windows 11 Enterprise, look at Windows Hello for Business to improve your user’s login experience as well as your security (a rare case of everyone winning in security) by moving away from passwords.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services: 

• 365 Total Protection 
• 365 Total Backup 
• 365 Permission Manager 
• 365 Total Protection Compliance & Awareness 
• 365 Total Protection Enterprise Backup 

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.

If you’re deploying large numbers of Windows 11 devices and you want to reduce the burden of wiping each new device and installing your custom image, consider using Windows Autopilot; it’s a powerful way to “deploy” Windows 11 by simply transforming the pre-installed image as your OEM delivers it.

There are many pieces of software you can use to connect to M365 – in this article, we’ll look at these and how you manage them from a governance point of view.

Microsoft recommends the latest version of Chrome, Edge, Firefox, Safari, or Internet Explorer 11 for accessing M365. 

If you have the rich Office desktop client installed, all supported versions should work with M365, but using the Apps for Enterprise version for both Windows and Mac that’s included with Business Premium and E3+ is preferred. 

You can control which users get the recommended Current Channel and who gets the Monthly Enterprise channel or the Semi-Annual Enterprise Channel flavor. If you want to live on the edge, you can enroll in the Office Insider program to beta-test new features.  

Outlook Web App (OWA) or Outlook for the Web deserves special mention as it’s competent and not a “watered down” version of Outlook that runs in a browser. 

In fact, Microsoft often tests new features and approaches in the web client because they can deploy changes much quicker. You can use OWA policies to control which features are available to your end users. 

You can manage which protocols users can use to connect to Exchange with Client Access Rules.

For many years, the preferred way of connecting to Exchange Online for email was to use ActiveSync, a protocol that both the mail client in iOS and Android supports (sort of – not all features were supported by each vendor). 

Microsoft now recommends using the free Outlook client app, which lets Microsoft introduce new features much faster without having to wait for Apple or Google to catch up. This app has been steadily growing in capability, including the ability to connect to Gmail and other email services, and is now used by well over 100 million people. 

There used to be separate Word, Excel, etc. apps for mobile. Still, they’re all consolidated under the Microsoft 365 (Office) app that lets you open the different Office document types and edit them on mobile. 

It’s free to install, but functionality depends on what account you use to sign into it.

The sync client is automatically installed on Windows or Mac OS when Apps for Enterprise is installed, and you can control its behavior using this Group Policy template.

Please train your users to use OneDrive for Business – the power to have your files available on whatever device you happen to be using shouldn’t be underestimated, particularly the ability to go to any device (if you don’t have your own devices handy), sign in to www.office.com in any browser and edit those duplicate files.

The Teams application is Microsoft’s all-in-one collaboration client with support for instant messaging chats, group chats, voice calls, video calls, and, if you have the licensing, PSTN calling to and from regular phones. 

Teams are replacing Skype for Business, and starting in early 2019, the client is automatically installed when you install Apps for Enterprise; if you need to deploy it using your favorite software deployment tool, use this MSI. 

At the time of writing, a new Team’s client app is in public preview, which should fix people’s two main gripes with the current client: performance (the client is an electron app that uses a lot of CPU and memory) and swapping between different tenants.

The Microsoft 365 Apps admin center is a very interesting take on cloud management for Apps for Enterprise (Office on the Windows desktop).  

Instead of managing the customization settings using the Office Deployment Tool (ODT), you use the cloud portal to create the required XML files. The Apps admin center does so much more, however. 

It inventories your Office installations across your tenant, tracks which versions and build numbers are installed and which ones are out of support, and lets you build Servicing Profiles to deploy newer versions of Office. 

It also uses Security Policy Advisor to analyze current usage of the apps and allows you to create and deploy policy configurations to all Apps for Enterprise installations (without relying on GPOs or MDM), plus tracks which add-ins are in use across all your devices.  

Suppose you have a large number of users. In that case, you may want to turn off the option for users to download Apps for enterprise from www.office.com (M365 portal – Settings – Services & add-ins – Office software download settings) and instead deploy it using your favorite method. 

If your business is using System Center Configuration Manager, it can be used to deploy and update Apps for the enterprise. 

Since no additional licensing is required for the Apps admin center, you should investigate if it can make your life as an Office 365 administrator easier. 

If you need to provide a modern printing environment for your users without having to bother with print servers or installing individual drivers for each printer on each device, consider Universal Print. 

Another way you can tell how integrated the different components of M365 are is with Search. This lets you search in various places in M365 and get relevant content for you, only showing you content you can access from within your tenant.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services: 

• 365 Total Protection 
• 365 Total Backup 
• 365 Permission Manager 
• 365 Total Protection Compliance & Awareness 
• 365 Total Protection Enterprise Backup 

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.

In conclusion, Microsoft 365 offers streamlined collaboration, efficient administration, and integrated features for enhanced productivity. Embrace the future of seamless innovation with confidence.

At least initially, a big challenge for us in IT is the loss of control that the cloud brings. If you have a problem on-premises with email delivery, you can check every part of the chain to see where the problem lies. Once you have migrated to M365, it’s now a shared responsibility between you and Microsoft.

In this article, we’ll look at two self-help tools I use when there’s trouble and then at how you open and work a support case with Microsoft.

For email and Teams, connectivity is a common cause of issues. Microsoft offers a valuable tool: Microsoft Remote Connectivity Analyzer (MRCA or RCA) at https://testconnectivity.microsoft.com/.

Here, you can test several things: DNS entries, ActiveSync connectivity to Exchange, Outlook, and Outlook Autodiscover functionality, inbound and outbound SMTP email, etc. Pick the test you need to perform and enter the required information.

Depending on the test, you may need to enter a valid username and password – I suggest resetting the password of this account after you’ve completed the troubleshooting.

The Captcha verification lasts for 30 minutes, so if you’re doing several runs as you change values, you don’t have to verify that you’re a human every time. The comprehensive test output should help you pinpoint the issue quickly.

Suppose the issue isn’t connectivity-related; instead, you suspect a problem on a particular client device.

In that case, you should use the Support and Recovery Assistant for Office 365 (SARA) to help identify Outlook, Dynamics 365, and OneDrive for Business issues and Apps for enterprise problems.

It’s a simple download that you run on the affected device; it steps you through a few questions to track down the problem. In my experience, when you’re struggling with a profile or intermittent connection issues (that aren’t due to a service side misconfiguration – see RCA), SARA is pretty good at tracking down the cause.

Another way to help end users help themselves is the My Sign-ins, My Groups, and My Access sites, which, along with My Applications, give users a good way to manage their access to M365 services. My Sign-ins is also an excellent education tool as it lists both successful logins and failed ones from attackers.

While the benefits of cyber insurance are evident, it’s essential to acknowledge the challenges that come with it. To give some perspective: The global cyber insurance market reached $7.8 billion in 2020 and is expected to grow to $20 billion by 2025.

In recent years, the cyber insurance landscape has seen premiums rise globally by an average of 20% per year, driven by the increasing frequency and severity of cyberattacks. Insurers are also imposing higher minimum IT security requirements on policyholders. These changes can be particularly burdensome for small and medium-sized businesses.

The Health section of the admin center provides the overall health of the different services in M365, and if any outages/incidents affect your tenant, you can access the portal.

If the outage affects the portal or its health portion, try https://status.office365.com/. Also, make sure to follow @Office365Health and @MSFT365Status on Twitter.

The Health section also offers an interesting new tool called Network connectivity, which uses the OD4B client, together with the Windows Location Service and optional manual data gathering tests to identify each client’s connectivity quality to Office 365. It’s even got it its own portal.

Many businesses provide a substandard experience for their users by forcing them to use VPN connections back to the office and then onwards to Office 365 (overall a slower experience but a killer for the Team’s voice and video calls) or even proxying all outgoing traffic for “security.”

This last one is based on the erroneous assumption that all web services/internet sites are “bad” and all traffic must be inspected, rather than differentiating between business services provided by Microsoft and others that can be trusted and dodgy websites and handling the traffic accordingly.

Here’s an excellent article outlining required and optional optimization techniques for M365. Microsoft has also partnered with many ISPs, internet exchange partners (IXPs), and software-defined cloud interconnect (SDCI) providers for optimal connectivity to M365, Dynamics 365 and Azure using the Azure Peering service. Suppose your business is using a Software Defined WAN (SD-WAN).

In that case, there’s a feature called informed network routing that will further help optimize your connectivity by enabling data sharing between Microsoft and the SD-WAN provider to reroute traffic automatically where appropriate.

Today, only Cisco’s IOS XE SD-WAN is supported, but expect others to be added as the preview progresses. The new Productivity Score is designed to help you understand where your business is in its digital transformation journey and tracks metrics across two categories:

1. people experiences
2. technology experiences

PowerShell has long had a feature called Desired State Configuration (DSC) – which defines how a system (VM, Application, etc.) should look and apply the policy, and the Local Configuration Manager ensures that the system has the correct settings, checking periodically for drift.

This is called Infrastructure as Code and is now available for M365, so you could have a test tenant where you evaluate new configurations and settings, which you can then export and apply to your production tenant.

It can also be used to export all your configurations as a “backup”, periodically reporting on changes in configuration and comparing your tenant’s settings with best practices.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services:

• 365 Total Protection
• 365 Total Backup
• 365 Permission Manager
• 365 Total Protection Compliance & Awareness
• 365 Total Protection Enterprise Backup

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.

In conclusion, maintaining the seamless operation of Microsoft 365 demands a proactive approach to support.

If you’re a new business, this article doesn’t apply to you – simply create user accounts in the cloud, join your Windows 10/11 devices to Entra ID, and manage your iOS and Android devices with endpoint manager, and you’re good to go.

Most businesses, however, have investments in existing technology on-premises and need to migrate to M365. This article will cover your different options:

• Cutover migration
• Staged migration
• Express hybrid migration
• Minimal hybrid migration
• Hybrid migration
• PST-based migration
• IMAP migration
• Third-party tools

Suppose you don’t have Exchange on-premises, i.e., using Lotus Notes / Domino, another email system, Google Workspace, or another cloud email solution. In that case, you’re looking at either an IMAP migration or third-party migration services.

Most of the other migration methods rely on directory synchronization, where your on-premises AD accounts are synched to Azure AD. If you’re still on Exchange 2007, 2010, or 2013 (all no longer supported), a Staged setup allows you to migrate mailboxes in batches once you’ve configured directory synchronization.

Be aware that you must manually reconfigure each user’s Outlook profile to point to O365 when their mailbox has been migrated. For smaller environments, the Cutover approach is the easiest. Microsoft talks about this method for less than 2000 mailboxes (Exchange 2003+), but in the real world, it’s probably appropriate for 100-150 mailboxes or so, depending on internet bandwidth.

The idea is to move everyone’s mailbox from on-premises to the cloud over a weekend or other appropriate downtime. If you’re on Exchange 2010+ and plan to move all mailboxes to the cloud over a few weeks, consider the Express hybrid option. If you’re more extensive and are looking at a few months of migration time, look at the Minimal hybrid alternative.

If you have a larger environment (Exchange 2010+), you expect to be in a mixed state for an extended time, and you need the ability to move mailboxes from the cloud back to on-premises (offboarding). Consider Full Hybrid for a full breakdown of the different flavors of hybrids; see here.

The various types of hybrid provide prosperous co-existence with a unified Global Address list, sharing of Free/busy calendaring information, and seamless mailbox moves for end-users; when their mailbox has been moved, they’re just prompted to restart Outlook.

If you need to keep an Exchange server (or several) around on-premises, be aware of the need to keep it up to date so as not to be throttled, and if possible, look to retire it instead using PowerShell cmdlets to manage Exchange attributes in AD.

Microsoft’s documentation will point you to the mail migration advisor, which may lead you to the Hybrid Configuration Wizard (HCW), depending on your choices in the advisor. HCW will step you through the individual steps you must take, depending on your route, including the hybrid flavors and Staged and Cutover.

IMAP migrations let you move from non-exchange systems that support IMAP with a limit of 500,000 objects per mailbox and a maximum email size of 35 MB.

If you have PST files with email on-premises, you can migrate them to Office 365; there’s even a PST Collection tool to track them down on your network and collect them. If you have lots of them, you can even ship them to Microsoft on disk.

Once you have completed your migration, you’ll need to consider your Mail Exchanger (MX) DNS record, which will have been pointing to your on-premises mail server and now needs to be changed to Exchange Online instead.

You also need to revisit your Autodiscover DNS records, which is how Outlook and other email clients find the correct Exchange server automatically.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services:

• 365 Total Protection
• 365 Total Backup
• 365 Permission Manager
• 365 Total Protection Compliance & Awareness
• 365 Total Protection Enterprise Backup

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.

If you’re looking for a simple mailbox migration experience, Hornetsecurity offers the Mailbox Migration Tool (MMT) as part of 365 Total Protection Enterprise / Enterprise Backup.