Office 365 End Of Support For Office 2013 Is Near

As announced last year by Microsoft, Office 365 support for Office 2013 is ending very soon. From October 12th 2020, the Office 2013 suite will no longer be directly supported for use with Office 365.

What does this mean?

Essentially, the end of support for Office 2013 does not mean that Office 2013 will stop working from that date. It means that Office 2013 will not be a consideration when Microsoft are developing and upgrading the Office 365 platform. If Office 2013 doesn’t work with a particular feature, the only resolution will be to upgrade to Office 2016/19 or Microsoft 365 Apps for Business (formerly Pro Plus).

What can I do to get ready?

Luckily, for business customers there are many ways to upgrade. The below are all viable options that can suit many configurations:

  • Apps package available directly to users via the Office Portal
  • Endpoint Manager (SCCM) Microsoft 365 Apps deployment
  • Endpoint Manager (Intune) Microsoft 365 Apps deployment
  • Third party configuration management tool deployment
  • GPO deployment of Office

All of this can be made easier using the Microsoft 365 Apps Admin Center, which allows you to create custom packages of Microsoft 365 Apps complete with an update policy. It also lets Cloud Policy control how the Office apps behave, applying GPO-style settings to all apps linked to an account in your tenant.

What about my Macros and Plugins?

When preparing to update Office across the business, a key consideration in large organizations is Macros and Plugins which interact with Office. Knowing how they will perform and assessing compatibility is key to a successful deployment and remediation of any potential compatibility problems. While a pilot upgrade is still very much recommended as part of any upgrade, Microsoft have also made available the Readiness Toolkit for Microsoft 365 Apps.

The Readiness Toolkit will help to assess and highlight potential issues with VBA Macros and Plugins. It’s very common for the compatibility problem to not be as widespread as you might first think so this is a fantastic tool to assess the environment and call out remediation that needs to take place before migrating. Given that a lot of these tools have become part of integral business processes, assessing and preventing issues is always better than fixing post rollout.

Upgrade Now!

With the tools available to administrators, it’s never been easier to plan and perform this type of upgrade, minimizing risk as much as possible. If you are still using Office 2013 in your business, while it won’t just stop working in the coming weeks, you need to upgrade before you experience problems.

By the way, if you’re still using Office 2010, then this is even more of a priority as Office 2010 is fully out of support and not capable of providing a secure authentication experience through Modern Authentication – putting your users and data at risk!

Happy Upgrading!

Using Cloud App Security Session Controls to Protect Sensitive Data

Microsoft Cloud App Security (MCAS) is an amazing tool that a lot of organizations don’t seem to use to its full potential. There is a huge number of third-party apps supported and the flexibility it brings is fantastic. As a baseline, Cloud App Security Discovery is a great way to get insights into the web apps in use in the organization, but in my opinion the real value comes with controlling the functionality available to users on a very granular level.

One use case I have come across recently is a customer who has fully adopted Unified Labelling for controlling classification of data, and had a requirement to control what could happen to that data based on some information about the particular session.

For example, let’s take the below scenario:

  • The customer has all new content labelled and classified using Sensitivity Labels
  • They have Intune Managed – Hybrid Azure AD Joined Devices
  • They have no location or device restrictions on access to Microsoft 365 via a Web Browser
  • The requirement is that documents without classification are only available to download from corporate, Intune managed devices
  • When data is classified, external download becomes available

To achieve this, we can implement MCAS Session Control Policies.

Conditional Access

The first step is to ensure our users are redirected to MCAS. To do this we configure a Conditional Access policy in Azure AD. In this policy we specify the following:

  • This policy applies to all users except the Global Administrator
  • This policy applies to the “Office 365” suite of applications
  • This policy applies to
  • All authentications matching this policy are proxied via MCAS

With this policy set up, all Office 365 sessions will be redirected via MCAS. We can test this by visiting an Office 365 application in a web browser and verifying that everything looks correct, except we have a different URL, pointing to the MCAS service.
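The same Conditional Access policy expressed through Microsoft Graph, as an added example that is not part of the original post (which uses the Azure AD portal). It assumes the Microsoft.Graph PowerShell SDK, a connected session with the Policy.ReadWrite.ConditionalAccess permission, and a placeholder object ID for the Global Administrator account to exclude.

```powershell
# Added example: creates the MCAS redirect policy via Microsoft Graph.
# Assumes Connect-MgGraph has been run with Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassUserId = "<GLOBAL-ADMIN-OBJECT-ID>"   # placeholder: the Global Administrator to exclude

$policy = @{
    displayName = "Route Office 365 browser sessions via MCAS"
    # Start in report-only mode; switch to "enabled" once the redirect has been validated
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")                 # all users...
            excludeUsers = @($breakGlassUserId)     # ...except the Global Administrator
        }
        applications = @{
            includeApplications = @("Office365")    # the Office 365 suite of applications
        }
        clientAppTypes = @("browser")               # session controls only apply to browser sessions
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured" # proxy the session and defer to MCAS session policies
        }
    }
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"
```

Keeping the break-glass account out of scope matters here: if the MCAS proxy were ever unavailable, an admin excluded from the policy can still sign in to fix it.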

Configure Session Policy

Now that our users are connecting to Office 365 via MCAS, we need to set up some logic to protect our files. We create a new session control policy with the below configuration:

We could also take extra steps such as automatically applying protection to the data or linking to a Power Automate flow for alerts.

Test

Now when our user tries to download unclassified content on a non-corporate device, they get this nice friendly message reminding them of our corporate policies:

Using MCAS Policies is a really nice way to secure those edge cases where the built-in tools don’t offer a solution. This is just one example of many interesting use cases I’ve come across, not to mention the integration with third-party apps and the powerful discovery functionality.

Using Microsoft Teams as a Walkie Talkie for Frontline Workers

There is an amazing number of great apps available to integrate into Microsoft Teams. Some of these apps are published by Microsoft and many more are third-party integrations, ranging from handy productivity tools to line of business apps surfaced in a user’s Teams console. One cool app that is now available is the Teams ‘Walkie Talkie’ app. ‘Walkie Talkie’ essentially brings Push to Talk (PTT) functionality to Teams. Among the many use cases for this app, allowing Frontline Workers to communicate efficiently and quickly is a great application of Teams functionality and something that many third-party vendors are currently providing.

Deploy Walkie Talkie

To deploy Walkie Talkie, we can create an App Setup Policy and deploy to the users we want the app available to. We add it into the pinned apps and deploy the policy to whoever needs it.

Given a little time to replicate, when our user logs in, they’ll see the app available in their App bar.

Using Walkie Talkie

Using Walkie Talkie is very easy. Simply open the Walkie Talkie app and select the Teams Channel we want to talk in.

Now when we hit ‘Connect’ we simply push the button to talk!

We can see how many other users are connected and also perform our other Teams tasks while remaining connected.

While this functionality is pretty straightforward, the value it provides is pretty impressive. I can definitely see this being used to replace a lot of legacy third party PTT systems.

eDiscovery Functionality Moves to Microsoft 365 Compliance Center

eDiscovery and content search has been a staple of Microsoft 365 compliance since the early days of Office 365. Providing extremely flexible and efficient searching and actioning of data that resides anywhere in Microsoft 365, it has improved over time with a lot of extra functionality and is one of the most widely used compliance tools in the Microsoft 365 platform.

eDiscovery, which was first found in the Exchange Online Admin Center for mail discovery, was subsequently moved to the Microsoft 365 Security & Compliance Center (https://protection.office.com). The Security & Compliance Center itself has undergone a lot of changes recently and is nearing its end of life, being replaced with the Microsoft 365 Security Center (https://security.microsoft.com) and the Microsoft 365 Compliance Center (https://compliance.microsoft.com), which cater to Security tools and Data Governance/Compliance tools respectively.

The splitting of the SCC into two different portals makes sense as a lot of the time, in enterprise scenarios, these aspects of the tenancy are managed by two, completely separate teams. There will often be a dedicated security team, who deal with the identity protection and security aspects of the tenancy, and a dedicated Data Protection Team who are more concerned with the information governance side of things.

As of Oct 30th 2020, the eDiscovery suite of tools will be moving fully to the Microsoft 365 Compliance Center and the Security & Compliance Center links will redirect to the new page. This is the next step in the process of moving all the features from the old portal to the new model so if you haven’t checked out the two new pages, see below for more information.

Microsoft 365 Compliance Center: https://docs.microsoft.com/en-us/microsoft-365/compliance/microsoft-365-compliance-center?view=o365-worldwide

Microsoft 365 Security Center: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/overview-security-center?view=o365-worldwide

Direct links:

SCC: https://protection.office.com

MCC: https://compliance.microsoft.com

MSC: https://security.microsoft.com

Azure Active Directory Administrative Units

Segregation of admin roles in Microsoft 365 has always been a challenge. Different admin roles help to apply the principle of least privilege for admins, but there was always an issue where multiple logical groupings existed in a single tenant. They are not always managed globally, and not every admin should have access to every user where divisional barriers exist. Exchange Online Management Role Scopes do a good job of facilitating different groupings in Exchange Online, but for user management in Azure AD or Microsoft 365 this became a challenge.

Do we give the local IT support for a particular division access to our entire userbase or do we take on the support of the M365 accounts for these users at a group level?

When we use AD Connect and local Active Directory as our identity source, we can use delegated permissions to provide a lot of the required access. Couple this with some cool features like group-based licensing and we can effectively delegate management to local or divisional IT support.

With more organizations forgoing local AD completely for cloud based Azure AD/Intune, this management delegation became trickier. Microsoft appreciate this challenge in the platform and have made available (in preview) Azure AD Administrative Units.

Administrative Units allow us to define logical groupings of users and delegate admin roles for these specific groups to our administrators.

To achieve this we first create an Administrative Unit in the Azure AD Portal.

From here we can add our users / groups to the unit so they can be managed.

We can then assign our administrators and grant them the appropriate roles.

Once complete, our administrator can log in to the Admin Portal and only see the Administrative Units they have been assigned.
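The three portal steps above (create the unit, add members, assign a scoped role) carried out through Microsoft Graph, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK with a connected session, and the division name, user principal names and role name are placeholders.

```powershell
# Added example: Administrative Unit delegation via Microsoft Graph.
# Assumes Connect-MgGraph with the scopes below; all names and UPNs are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"
$graph = "https://graph.microsoft.com/v1.0"

# 1. Create the Administrative Unit for the division
$au = Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/administrativeUnits" -Body @{
    displayName = "Division - Contoso North"                       # placeholder
    description = "Users managed by Contoso North local IT"       # placeholder
}

# 2. Add the division's users as members (object IDs resolved from their UPNs)
foreach ($upn in @("user1@contoso.com", "user2@contoso.com")) {   # placeholders
    $user = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/${upn}?`$select=id"
    Invoke-MgGraphRequest -Method POST `
        -Uri "$graph/directory/administrativeUnits/$($au.id)/members/`$ref" `
        -Body @{ "@odata.id" = "$graph/users/$($user.id)" }
}

# 3. Grant the local IT admin a role scoped to this unit only.
#    Only activated directory roles are listed, so look the role up by name.
$roles = Invoke-MgGraphRequest -Method GET -Uri "$graph/directoryRoles"
$role  = $roles.value | Where-Object { $_.displayName -eq "User Administrator" }   # placeholder role
$admin = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/localit@contoso.com?`$select=id"  # placeholder

Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/directory/administrativeUnits/$($au.id)/scopedRoleMembers" `
    -Body @{ roleId = $role.id; roleMemberInfo = @{ id = $admin.id } }

# 4. Verify: the unit's scoped role members should list only the delegated admin and role
(Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/directory/administrativeUnits/$($au.id)/scopedRoleMembers").value
```

The scoped assignment in step 3 is the least-privilege point: the same role assigned at tenant level would reach every user, whereas here it reaches only the members of the unit.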

This feature is bound to be a blessing for large organizations, who can now feel more confident delegating day-to-day management to divisional or local IT, reducing the management overhead involved in new user creation, group membership, licensing and password resets.