Transcript: How to Master Office 365 Management After Your Migration
This post is a brief transcript of the webinar that took place in March 2020. You can watch the on-demand recording here.
O365 Management Challenges
Doug: Now, you have to understand why these global admin problems keep happening. The challenge was that Microsoft doesn’t do global admin accounts, but you will keep hitting rights where you need to give somebody just a little bit, and the only available right to give to that person is global admin rights.
You want them to do a little bit of team management or a little bit of Exchange management, and there’s no sort of delegated right to do that. Microsoft has introduced role-based access controls, but Microsoft Office 365 is a huge environment. There’s a lot of different teams at Microsoft, they’re under the same constraints and challenges that everybody else has when we’re building software.
You have people who are writing the RBAC capabilities within Office 365 for the biggest number of people that they possibly can. They’re simplified, but you can’t get any more precise in a large environment. You need to have very granular rights to do that, so from that perspective, it is something that continues to lead to too many global administrators. We will talk about how to get around that management constraint.
Who gets the keys?
One thing you need to do is understand, “Who gets the keys?” So again, as you go through your management planning you need to put together a permission plan. This permission plan is basically where you set the guidelines for who has access to what. You have to really educate yourself. Education is crucial any time that we do this stuff.
So any time you give out some rights, this usually gives them more than you expected. One of the biggest challenges is when you’re merrily working away in your admin tools and it says you need to give somebody access to a particular workload. It says they don’t just give this person access, so you agree to it, not realizing in the back end you’ve actually gone through and given them some fairly weighty access across the line.
There’s no way that you can really go and see where everybody has each little bit of access. Even for the global administrators, you’re getting into some pretty heavy-duty permissions and settings in the background. You need some really strong audit capabilities as well. This is where we are really saying that you need to consider a delegated access control system.
To be able to take all those locks and delegate access, to have tons of keys instead of just a small set of keys. When that’s in place, using delegated access, or just the built-in access from Microsoft, review these permissions all the time. It happens time and time again that we get into situations because we have some audit capabilities. Customers will say, “I need to download your software so I can audit my event log because somebody who wasn’t a global administrator perhaps did something three or four weeks ago and I’m not sure how that happened.”
You need to be able to review those permissions all the time so that they are fairly cleaned up.
Reporting beyond the admin tools
One of the key frustration points in the Office 365 administration tools is that it’s like every team took their own approach to reporting. The Exchange team built their reporting infrastructure, the SharePoint team built their own reporting, the Teams team did as well, the new stuff that comes online like Sway and Flow, etc. – they have their own as well, so there’s a lot of different UI, UX, settings, configurations, and access. It gets very tiring.
Time is of the essence in this environment, if we’re continually being asked to somehow put together these reports that feed into our governance plan. How do we do this? There are a few options to improve upon this space set.
One is to leverage Power BI, especially if you already have it in your license. So Power BI is included in some license sets from Microsoft. Naturally, the higher you go, the more likely it is to be included. There’s also a lot of third-party tools that are out there. If you are using those they should be cloud-based (cloud on cloud). So, if you’re going to a SaaS environment, then downgrade your capabilities to an on-premises environment for management tools. These people will start to get comfortable using the cloud to do these things as well.
So, let’s look at Power BI. Power BI is something that feeds into this concept that a governance plan is really at the hub of what we’re trying to do to keep this thing configured. Power BI is very powerful, it can be very complex, so it requires a lot of setup and configuration. You have to manage your configuration and keep it up-to-date, so one of the things is that you have to bring your data to Power BI.
There are some report packs and other things that make it easier, but as you get a little bit deeper, it’s more difficult to get through. As you can see in the below image, this is a typical Power BI dashboard. It’s giving me a pretty good sense of my Office 365 adoption: active users by product; how many people are using email and Yammer/Skype or whatever else might be out there. This is a much nicer consolidated view; if you know any of the admin tools, you have to bounce back and forth between different tools to get some of this information, and you can change it up as well.
And then there are third-party tools. This is something that Quadrotech fits into, for example, with our Nova platform for Office 365 management. One of the things that is usually a hallmark of third-party tools is that they’re easier to set up. We have to have something ready for you to use as soon as you want to use it. Data collection optimization is done for you, so that’s one challenge.
I like to think Admin Center has a challenge where nothing really is the same and it’s very frustrating to get the data. Power BI’s challenge is that the data is not there. Where third-party tools make the data presented to you, it’s optimized, it’s already configured, and you have the ability to give people just access to the data and nothing else within the environment. So Admin Center tools, for example, require them to have at least some basic administration capabilities in Office 365. Third-party tools can totally separate that.
Something you want to make sure of as well is that you’re not digging into anything else. So, check for encryption of data… what does it store? Can you anonymize? Can you be selective with the data that it shows? Things of that nature as well.
Advantages of a Third-Party Tool
Here are some advantages of third-party tools. All the reports are in one place. If you look at the image below, this is our product and you have these things that are in these nice clusters. We want to have security reports… so who’s administrating stuff? What security events are there? What are my password policies? What’s my mailbox security? What are my adoption reports? How is Teams being used? SharePoint? OneDrive? What are the mail traffic stats? How are my mobile devices being used? What’s my license reporting like?
I can go in and continue to change and modify these in particular. If you were in admin tools, you’d have to go into each individual one. But this is the type of stuff that you want to have managed. So when you’re going through to make those fundamental changes to your environment, the data is gathered, enhanced, and automated. There’s a data collector in the background. It keeps doing that and this can be used for pre-migration reporting as well.
So, if you take that step back, when we’re talking about the planning phase, you want to be able to run this against your target/source environment, to be able to analyze what types of things are there.
So, if we look, we can review who has rights. This is a major tenet and with tenants of these types of migrations, this is what you would have to do on the source site. Basically, who are the global administrators? Who has access? Should they have it? Do we need to remove them/change them?
Then, run this again when you’re in your target environment. Simple things, like, if somebody has an administrative role but they’ve been disabled or they haven’t logged in for eight months, you need to purge those as well. There’s an insane amount of old data in all of these environments which are making them not able to be managed and moved forward.
Managing Events: Reporting Event Logs
In this new environment, often with what’s happening, you’re going to have challenges. So how do you report around event logs and security events? There’s a huge consolidated log in Office 365. In the on-premises world, you had workstation logs, domain controller logs and server logs, and all kinds of different things.
Every workload feeds into the same log within Office 365. Security and Compliance Center is a pretty good start. A challenge with security and compliance is that you really need to know what you’re looking for. So, if you look into an audit exploration tool, this really allows you to fully unpack and review things that happen within a particular environment. When you have your group setup, you have your user setup and you want to make sure that they continue to be configured and used properly. You can go through the audit log and prove that.
For example, anybody logged in who shouldn’t log in for a particular resource, you can go through the event logs and find those, and again, this is all part of your management/governance plan moving forward.
This is a huge component of management and there’s no single Admin Center report on inactive and underused objects. So this is something that you could, if you’re good at PowerShell, try this in PowerShell… if you’re good with Power BI… If you want to use a third-party tool for it… it doesn’t matter. This is one of those things that you have to get into place. You have to be able to go through this list on a regular basis. A networking environment like Office 365 is a living organism and is going to change continually so it will always require cleanup.
For example here, in the image below, there are tons of users with no Exchange activity. So if you have a big email/Exchange environment and people aren’t using it, are they even active or are they even around anymore? Furthermore, users with no activity in the past three months… empty or one-person Teams which are completely useless… inactive SharePoint sites. It’s amazing how much deadwood comes around here. You can run hundreds of these types of little views and get even deeper into these things and a lot more.
With delegated access, you can then parse these out to end-user administrators, etc. as well. For example, if you have empty or one-person Teams, you can see who the managers of the teams are and you can delegate that down to particular people. You can ask people to clean them up.
One of the things here is: don’t try to do it all on your own. A good structure with top-level administrators and then a tier of sub administrators and end-user administrators is a really good way of doing that.
Make cleanup something you proactively engage with as part of your migration. Continue to do cleanup on a scheduled basis. Weekly, monthly, quarterly, whatever works. Organizations don’t do cleanup for years at a time, so even to do it four times a year or 10 times a year is going to be well above the industry norm.
For the remaining parts of the session, including a deep dive into Delegation & Policy Control and best practice for Office 365 Management, please download the full session.
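As an added illustration of the two reviews Doug describes (purging administrators who are disabled or have not signed in for about eight months, and listing users with no activity in the past three months), here is a small Python script. It is example code written for this transcript, not part of the webinar, of Quadrotech's Nova product, or of any Microsoft tool. The user and role-membership records are constructed inline to resemble what Microsoft Graph returns for users (with the signInActivity property) and for directory role members, so the script runs offline; the 240-day and 90-day thresholds and the maximum of three global administrators are assumptions chosen for the example, not Microsoft defaults.

```python
from datetime import datetime, timezone
from typing import Optional

# Fixed reference time so the results are reproducible offline (constructed, not the real clock).
NOW = datetime(2020, 3, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample users, shaped like Microsoft Graph /users objects when the
# signInActivity property is requested. Names, ids and dates are invented.
USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2020-03-10T08:00:00Z"}},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2019-12-01T17:30:00Z"}},
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2019-05-01T09:15:00Z"}},
    {"id": "u4", "userPrincipalName": "svc-legacy@contoso.example", "accountEnabled": True,
     "signInActivity": None},
    {"id": "u5", "userPrincipalName": "dave@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2019-11-20T12:00:00Z"}},
]

# Constructed role membership: directoryRole displayName -> member user ids
# (what you would assemble from /directoryRoles and /directoryRoles/{id}/members).
ROLE_MEMBERS = {
    "Global Administrator": ["u1", "u2", "u3", "u4"],
    "Exchange Administrator": ["u5"],
}


def parse_graph_time(value: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamps (trailing 'Z') into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_idle(user: dict, now: datetime = NOW) -> Optional[int]:
    """Whole days since the last recorded sign-in, or None if none was ever recorded."""
    activity = user.get("signInActivity") or {}
    last = activity.get("lastSignInDateTime")
    if not last:
        return None
    return (now - parse_graph_time(last)).days


def review_admins(users, role_members, now=NOW, max_idle_days=240, max_global_admins=3):
    """Flag privileged accounts that should be purged or reviewed.

    Returns (findings, global_admin_count); each finding is (upn, role, reason).
    240 days approximates the 'eight months' rule of thumb from the talk; the
    thresholds are assumptions for this example.
    """
    by_id = {u["id"]: u for u in users}
    findings = []
    for role, member_ids in role_members.items():
        for uid in member_ids:
            user = by_id[uid]
            upn = user["userPrincipalName"]
            idle = days_idle(user, now)
            if not user["accountEnabled"]:
                findings.append((upn, role, "account disabled but still holds role"))
            elif idle is None:
                findings.append((upn, role, "role held by account with no recorded sign-in"))
            elif idle > max_idle_days:
                findings.append((upn, role, f"no sign-in for {idle} days"))
    ga_count = len(role_members.get("Global Administrator", []))
    if ga_count > max_global_admins:
        findings.append(("*", "Global Administrator",
                         f"{ga_count} global admins exceeds the agreed maximum of {max_global_admins}"))
    return findings, ga_count


def inactive_users(users, now=NOW, idle_days=90):
    """UPNs with no sign-in in the last idle_days (default: three months); disabled accounts included."""
    stale = []
    for u in users:
        idle = days_idle(u, now)
        if idle is None or idle > idle_days:
            stale.append(u["userPrincipalName"])
    return sorted(stale)


if __name__ == "__main__":
    found, count = review_admins(USERS, ROLE_MEMBERS)
    print(f"global admins: {count}")
    for upn, role, reason in found:
        print(f"{upn:28} {role:24} {reason}")
    print("inactive users:", ", ".join(inactive_users(USERS)))
```

Against the constructed data the admin review flags the disabled global admin, the one idle for 319 days, the service account that has never signed in, and the fact that four global admins exceed the agreed ceiling; the inactive-user list picks up everyone but the one user who signed in this month. In a real tenant the same two functions would be fed the output of the Graph queries named in the comments, and the findings handed to the sub-administrators responsible for each workload.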