Exchange Online

MyAnalytics is Coming (for the rest of us)

MyAnalytics is an extension to Microsoft 365 which provides productivity insights. It looks at what you do over email, OneDrive for Business and Skype for Business Online/Teams, and collates the data to present it with statistics.

The documentation for how this product works is quite good and worth a read. There’s privacy considerations in any product that’s scraping data, but they seem fairly well addressed. Two main points are that the data for MyAnalytics is processed and stored in the user’s Exchange Online mailbox, and nobody but the user can see this data (including system administrators).

MyAnalytics has been around for a while, but mostly for Office 365 E5 / Microsoft 365 E5 customers so many people have not heard of it, or have no experience in it. Microsoft are changing who gets access to this data, and are currently rolling out Digest emails to E3, E1 and Business customers.

If you have the feature already turned on, then your users can probably already access their dashboard at https://myanalytics.microsoft.com/ and start checking it out.

MyAnalytics is controlled by a license under the Microsoft 365 product. Many people probably have all the components on, and therefore although users have had access to this product, it hasn’t really been visible. The Welcome email comes first, and it seems to be rolling out right now to Targeted Release users in Microsoft 365.

Beyond just turning MyAnalytics on, there’s a few admin controls available at the tenant level and user level. You’ll need to consider items like ‘should users be opted-in by default, or opted-out’ if there are concerns around data scraping – even though this all lives in your Microsoft tenant, there could still be staff that are not comfortable with this.

Nascar use MyAnalytics if that helps you point to another company using it:

As you can see, I’ve linked to a bunch of Microsoft documentation around this rather than rewriting what they have – always nice to see quality doco!

It’s worth checking out MyAnalytics now and deciding if it’s something you want – at least check the state of your settings before users start getting Welcome emails!

Update 20th September

The product group have advised me on one extra tip – disabling the ‘Weekly insights email‘ option at the admin end will actually disable the Welcome email too – documentation to be updated shortly.

Converting a user mailbox to shared in Exchange Online Hybrid

This is a useful process a lot of companies follow when an employee departs: Instead of deleting the mailbox, or continue to leave the mailbox in place and pay for licensing, it’s possible to instead set it as a shared mailbox and keep the data there for free.

There are some catches to this, such as the maximum amount of data is 50gb. You also can’t delete the user’s account, but it can be disabled and moved.

Setting the mailbox from User to Shared in Exchange Online is easy (from docs.microsoft.com):

In the admin center, go to the Users > Active users page.

Choose the user whose mailbox you want to convert.

In the right pane, choose Mail. Under More actions, choose Convert to shared mailbox.

…but there’s two tricks I’ve found when doing this in a hybrid environment. First, docs.microsoft.com says to update the status of the mailbox for Exchange On-Premises:

If this shared mailbox is in a hybrid environment, we strongly recommend (almost require!) that you move the user mailbox back to on-premises, convert the user mailbox to a shared mailbox, and then move the shared mailbox back to the cloud.

That’s a tedious process to do just to make it shared. As they point out, you can change some AD attributes locally to get around this, but there’s still some scenarios where it might get set back as a user, have no license, and end up getting deleted.

This other article on support.microsoft.com however, mentions the main way of getting around this: by setting the account’s msExchRemoteRecipientType and msExchRemoteRecipientTypeDetails attributes to the corresponding values that would match it’s state in Exchange Online:

Set-ADUser -Identity ((Get-Recipient PrimarySmtpAddress).samaccountname) -Replace @{msExchRemoteRecipientType=100;msExchRecipientTypeDetails=34359738368}

This 1 line command will set the attributes correctly, you can check via PowerShell or the Exchange Management Console to see that the mailbox will now show as ‘Shared’.

The other problem I’ve seen is if a mailbox is Unified Messaging (UM) Enabled, and converted to Shared. You’d think that it would either just lose it’s UM status, or let you configure the UM settings after the fact; but neither are correct. If it’s holding onto an extension number as part of UM, even in it’s Shared Mailbox state it will continue to hold it, and block any other account from using the extension in the future.

To get around this issue, the account will need to both be changed back to a user account from shared, and given a license that supports UM. If you try to disable UM on the account with either of these requirements, you’ll see an error like these:

User testuser@domain.com is already disabled for Unified Messaging.

License validation error: the action ‘Disable-UMMailbox’, ‘Identity’, can’t be performed on the user ‘Test User’ with license ‘BPOS_S_Standard’.

With all of the above, changing a user to a departed mailbox in a hybrid environment with Unified Messaging should be:

  1. Disable Unified Messaging on the user
  2. Set the attributes of the AD account as shared
  3. Set the Exchange Online mailbox as shared

It should work well if you do things in the right order, but it’s easy to not be aware of this and get things into a mess.

There’s also the scenario where you might create an account, give it Office 365 licenses and have a mailbox automatically created before you did it on-premises, or used Exchange On-premises to create the mailbox remotely.

You can fix that by using this script from Adaxes (doesn’t need their software!) which will tell on-premises Exchange about the mailbox and create the record.

I’ve come across another blog that goes into some of this http://jetzemellema.blogspot.com/2016/02/convert-user-mailbox-to-shared-in.html but I haven’t needed to change the license status, but it’s worth mentioning in case there’s a scenario you hit where you do.

Office 365 Group as a Distribution List Gotchas

Office 365 Groups aren’t that new, but they still sound more alluring than a plain Distribution List or Shared Mailbox. They aren’t the solution that applies to all situations however, and you’ll need to weigh up each scenario as to what fits best.

(for Office 365 Group fundamental considerations, please read Michael Mardahl’s blogpost “Getting off to a good start with Microsoft Office 365 Groups”)

Here’s some things around Office 365 Groups and using them as an email distribution list (DL) that caught me out, or are differences worth pointing out. If you’re thinking of migrating a DL or a shared mailbox to an O365 Group, these are worth considering:

  • If a member of an Office 365 Group sends an email to the group, they won’t get that email. It makes sense that you probably don’t want an email that you sent, but it is a change of behavior from traditional DLs. This may change in the future, at least as a toggle-able option.
  • An Office 365 Group mailbox can’t have folders created in it. If staff have access to a shared mailbox and use that to manage their emails under different folders, that’s a no-go for an Office 365 Group. There’s a bunch of other ways you can manage this, but if they specifically want that option, then an Office 365 Group won’t help them.
  • By default, users will see a ‘Groups’ option in Outlook (either client or web) which they can drop down, see the groups they’re in, and see the inbox. That’s the only folder that’s visible though, and it can be easy to assume that’s the only folder. There are however, several folders available. You can’t open an Office 365 Group as another mailbox, as you’ll be told via Outlook Web that you don’t have access to the mailbox, and Outlook client won’t recognise the name of the mailbox.
    You can however, use the ‘Open Shared Mailbox’ option in Outlook Web by right clicking on your mailbox in the folder view, or right clicking on ‘Folders’ (depending on if you’re using the ‘old’ or ‘new’ Outlook) and add the Office 365 Group that way. This will give you visibility of all folders and their contents:
  • Automating Office 365 Group membership is harder. You either automate membership with a dynamic group, or let the owner(s) do it themselves. Neither are bad options, but dynamic group membership exceptions to rules are harder to do. How do you have a group that’s all Finance, plus these 4 people that aren’t finance? You could have an expression like this, but that is something that could get rather messy to maintain:

(user.department -eq “Finance”) -or (user.mail -eq “user1@domain.com”) -or (user.mail -eq “user2@domain.com”) -or (user.mail -eq “user3@domain.com”) -or (user.mail -eq “user4@domain.com”)

  • Meeting responses work differently to a DL. Say you send a meeting appointment, and have the respones go to a DL – all members of the DL see the response. This can be useful in certain scenarios, but probably not that common. An Office 365 Group works differently, where the ‘Meeting Message Processing Agent’ in Exchange Online will see the meeting response, and send it directly to the Deleted Items folder. This action skips members receiving a copy of the response which might be good generally, but again it’s another different way that Office 365 Groups work when you’re expecting the same as a DL.

That’s what I’ve found so far – if you have any yourself please share and I’ll test/add to the list, and will update with any other tricky scenarios that I come across.

Access An Exchange Online Mailbox Without a License

This is just a quick one. Most Office 365 admins will hopefully have a separate admin account to perform higher level tasks, compared to their normal user account.

Because of this, the admin accounts shouldn’t need any licensing, because they’re not being used like a normal user. One person shouldn’t need to have two sets of licenses – but there are some problems that can come up because of this.

For example, if you want to use your admin account to access someone’s mailbox, that can be difficult when you don’t have a mailbox yourself to log onto, to then open another user’s mailbox. Outlook can be used to work around this, where you set up a profile for the email address of the user you want to access, but enter your admin credentials when prompted:

Your Name is just a display name field, email address needs to be the user’s email. Don’t enter a password here and click ‘Next’
This login page will start by showing the user’s email address, use the option ‘Sign in with another account’ and use your admin account.

The above works OK, but is a little time consuming if you’re accessing a mailbox for a quick check.

If you try to go to Outlook Online, you’ll get a message saying your admin account doesn’t have a license or a mailbox. To get around this, you’ll need to use a URL like:

https://outlook.office.com/owa/user@mydomain.com/?offline=disabled

so it jumps straight to that user’s mailbox, assuming you have access rights to it, and have waited a few minutes for the rights to apply.

Using the URL method is really quick way of accessing another user’s mailbox without needing a license yourself.

Protect Your Office 365 Accounts By Disabling Basic Authentication

(AKA Legacy Authentication)

This had been on my to-do list for a little while since I heard about it (mostly from Daniel Streefkerk who quite rightly has been drawing attention to this via Twitter, thanks!)– and it should be on yours too.

By default, Basic Authentication is allowed as an authentication method in Exchange Online. This is because that’s the ‘standard’ way things have worked for a very long time – you want to get your emails, you provide a username and password and you’re done.

In our modern world, that doesn’t work too well anymore. It’s too risky in that many ways, and things like 2FA and Conditional Access add an extra layer of security when logging in. That’s great, but many systems weren’t built or haven’t been updated to support this – they’ll just fail when logging in.

What this leaves us with, is an internet exposed authentication system that accepts username and password logins without any other layers of authentication, even if you have 2FA and conditional access turned on.

As per Microsoft’s documentation around disabling basic authentication covers, this lets attackers use brute force or spray attacks to try different credentials to get into your tenant. With the amount of leaks we see these days (register on Troy Hunt’s https://haveibeenpwned.com/ if you haven’t already), it’s likely attackers are hitting Microsoft servers with correct accounts of your staff members. If they manage to get the right password – which is very possible if people end up using an old password they used years ago, or password changes were disabled because you thought you were covered with 2FA – they now have valid credentials to get in and pretend to be that staff member, often to then send emails to all their contacts with a malicious link or some other scam.

If you want to see what’s going on for your tenant, go to the Azure portal and into Azure Active Directory > Monitoring – Sign-ins. Set the Status to ‘failure’ and apply, and see what’s there.

Here’s an example, where you can see the client app is ‘Other clients, IMAP’. This account is disabled, and if you look in the device info there’s no data.

Once you have a look here, you might start to get worried – so it’s time to see if you can disable basic auth!

Only certain email clients will work without basic auth, so your first step is to work out what people are using, and get approval to force the usage of only these:

  • Outlook 2013 or later (Outlook 2013 requires a registry key change)
  • Outlook 2016 for Mac or later
  • Outlook for iOS and Android
  • Mail for iOS 11.3.1 or later

That can be a tough ask, and you’ll need to weigh up the risk of leaving basic authentication in place (to me this is an easy choice, but can still be difficult to get approved and implement).

Again, the Microsoft documentation explains how to do this quite easily – create a new Authentication Profile which has Basic Auth disabled by default, and apply it to test users:

New-AuthenticationPolicy -Name “Block Basic Auth”

Set-User -Identity testuser@yourdomain.com -AuthenticationPolicy “Block Basic Auth”

Set-User -Identity testuser@yourdomain.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

That’s all you need to do to test. The third command forces an immediate refresh on the test user.

I would recommend leaving this in place for a while, and get as many test users on as possible as you might find certain systems using basic authentication that you weren’t aware of.

If you need to drop the policy off of a user, use this command:

Set-User -Identity testuser@yourdomain.com -AuthenticationPolicy $null

If you’re then ready to apply this policy to all accounts company wide, these three commands will do it:

$users = Get-User -ResultSize unlimited
$usersid = $users.MicrosoftOnlineServicesID
$usersid | foreach {Set-User -Identity $_ -AuthenticationPolicy “Block Basic Auth”}

You’ll also want any new accounts to get your new policy by default, which can be done with this command:

Set-OrganizationConfig -DefaultAuthenticationPolicy “Block Basic Auth”

And with that, you’ll have all existing and future accounts protected from the risks of leaving Basic Auth enabled. Of course if you have a special requirement where a few accounts do need Basic Auth, create another policy, enable basic auth on it, and apply it to those accounts. Your attack surface will still be greatly decreased, and hopefully you’ll eventually be able to disable basic auth on those too.

Note: There’s also an option for OneDrive for Business around this same setting, more details here: https://www.adamfowlerit.com/2019/03/onedrive-for-business-rollout-considerations/

Update 26th April 2019:

There’s also now a Conditional Access option that supports ‘other clients’ –
“This includes older office clients, other mail protocols(POP, IMAP, SMTP, etc), and ACS”. This might help you if you either want to block those older clients, or allow them through in certain circumstances: