Thinking of moving to Office 365? Or maybe you’re already in the process of planning an Office 365 migration? If so, you’re in good company. Microsoft reports that more than half of all its business Office users are already using Office 365, and expects that number to climb to two thirds in the next year or so. It’s not hard to see why adoption is so high: Office 365 offers a variety of benefits, including better user productivity, guaranteed uptime, predictable costs and easy scalability.
Unfortunately, though, IT pros often expect the new platform to absolve them of all their management and administrative tasks — and they are ill-prepared when they discover the truth is very different. The fact is, many of the native Office 365 management tools lack the maturity of their on-premises counterparts, so ensuring Office 365 security and keeping the environment running smoothly is going to take more work than you might have hoped.
Forewarned is forearmed, so here I’m going to outline the top 6 challenges that you’ll face in managing your new Office 365 environment, and where to learn about third-party tools that can help you meet those challenges.
- Backup and recovery
You know that backup and recovery are critical, and you’ve probably got an enterprise-level strategy for your on-premises environment. If you’re moving to a hybrid environment and synching from on-prem AD to Azure AD, you might think your existing solution has you covered. And if you’re moving to the cloud completely, you might think that Microsoft will take care of backup and recovery. In either case, you’d be wrong — and that mistake could really cost you when a critical account, mailbox or group is inappropriately changed or deleted in the cloud.
While your on-prem solution will help with some tasks, it’s practically impossible to consume Office 365 services without creating some cloud-only objects and attributes, and your on-prem solution simply can’t help you back up and restore them. Azure AD does provide a Recycle Bin, but it is not, and was never meant to be, an enterprise backup and recovery solution. First of all, it keeps deleted objects for a maximum of 30 days; if you discover a problem on day 31, you’re out of luck. What’s worse, certain objects don’t even get put into the Recycle Bin at all when they’re deleted, so you simply can’t recover them with native tools — and this exception includes some pretty critical objects, such as Azure AD groups and group membership. Last, you don’t get the kind of power you need. There’s no way to restore specific attributes that have been modified in a user object, or to restore multiple users and attributes at once without using PowerShell.
- Reporting
The reporting capabilities in Office 365 differ greatly depending on the particular platform; Exchange Online offers the most mature capabilities. But in general, native Office 365 and Azure AD auditing tools are difficult to configure and interpret, lack real-time alerting of suspicious activities, and retain logs only for a limited time before they’re lost permanently. As a result, reporting is difficult, whether it’s for routine auditing, troubleshooting, compliance audits or the myriad other tasks you’re faced with every day.
In addition, important data is often missing. For example, typical usage reports lack the user’s identity, long-term trends, historic details at the user level, and aggregate permissions. You get no visibility into who has access to what, how they received the access, who has elevated permissions or which systems are vulnerable to security threats.
- Auditing
Auditing of changes and access events is critical to security, compliance, system performance and availability, and business continuity. But Office 365’s native tools don’t make it easy. You have to configure auditing on one object at a time, and there’s no way to automatically configure new objects with the desired audit policy. Alerting is very limited and is not real-time; for example, you can’t get alerts whenever an audit policy is changed or disabled. The audit data is spread across the various platforms, and there is no normalized format or translation into human-friendly display names. Finally, the data retention period can be as short as 7 days, depending on your workload and subscription type, and Microsoft can change the retention period at any time.
- Provisioning and access management
Ensuring users have access to exactly the resources they need, no more and no less, is one of the fundamental principles of security and compliance. It’s also critical to user productivity and therefore the success of the business. But in Office 365, provisioning is largely a manual task, which means it’s not only tedious and time-consuming but also error-prone. Having to constantly switch between multiple interfaces can result in inconsistencies and gaps in your security policies — which in turn can lead to data breaches and compliance audit failures. If you’re fluent with PowerShell, scripting can mitigate these risks to some degree, but then again, if you’re fluent with PowerShell, you know all about how hard it is to be writing, updating, documenting and running scripts all the live-long day.
- License management
One of the main benefits of Office 365 is that it’s a subscription-based service; you pay for what you need and nothing more. But that puts a burden on IT to accurately determine which subscriptions, and how many of them, the organization actually needs. After all, you don’t want to be paying for unused licenses or premium licenses that include features your users aren’t utilizing.
Therefore, in addition to knowing the basics of what subscription and services each user has, you also need to be able to analyze mailbox usage, track storage trends, and discover inactive accounts that can be removed. But Office 365 doesn’t provide any native automated reporting on license utilization, so you’ll have yet another tedious manual task on your plate.
- Security
As I’ve noted, most of the preceding challenges — reporting, auditing, and provisioning and access management — have a significant impact on Office 365 and Azure AD security. If you’re running a hybrid environment, then any security vulnerabilities in your on-premises environment will be echoed up to the cloud, so you have to do everything you can to improve security on premises before you migrate. You’re also responsible for protecting your data during the migration, and for following these four best practices for maintaining a secure environment afterward:
- Continually assess — Understand who has access to which sensitive data, who has privileged permissions, and which systems are vulnerable to security threats.
- Detect and alert — Proactively correlate data from across your environment to detect unusual or otherwise suspicious activity and events in real time.
- Remediate and mitigate — Remediate unauthorized actions immediately to mitigate the risk and damage.
- Investigate and recover — Analyze how incidents occurred to restore normal operations and prevent repeat incidents.
But don’t despair!
At this point, you might be thinking of simply scrapping your plans to move to the Microsoft cloud. But wait! There are proven Office 365 migration tools that help you deliver a smooth and secure migration, and management solutions that enable you to administer Office 365 and Azure AD efficiently and securely. Read our E-Book, “Surviving Office 365 Management Woes — An IT Pro’s Guide to Understanding the Unexpected Challenges” to learn more about the six challenges I outlined here and how Quest solutions can help you overcome all of them.