Secure Your Office 365 Tenant – By Attacking It (Part 1)

By David Branscome

I’ve been waiting several months for this day to arrive. The Office 365 Attack Simulator is LIVE!

If you log into your Office 365 E5 tenant with the Threat Intelligence licensing, it shows up here in the Security & Compliance portal.

When you click on it, the first thing it will tell you is that there are some things you need to set up before you can run an actual attack. There’s a link that says, “Set up now” (in the yellow box shown below). After you click that link, it says the setup is complete, but you’ll have to wait a little while before running an attack. (I only had to wait about 10 minutes when I set it up.)

It also reminds you that you need to have MFA (multi-factor authentication) set up on your tenant in order to run an attack. This makes a lot of sense, since you want to ensure that anyone who runs the attack is a “good guy” on your network.

To set up MFA, follow the steps here:

Go to the Office 365 Admin Center.

Go to Users > Active users.

Choose More > Setup Azure multi-factor auth.

Find the people who you want to enable for MFA. In this case, I’m only enabling the admin account on my demo tenant.

Select the check box next to the people you want to enable for MFA.

On the right, under quick steps, you’ll see Enable and Manage user settings.

Choose Enable.

In the dialog box that opens, choose enable multi-factor auth.

The Attacks

Spear Phishing

With a spear phishing attack, I’m sending an email to group of “high-value” users – maybe my IT admins, the CEO/CFO, the accounting office, or some other user group whose credentials I want to capture. The email I send contains a URL that will allow me to capture user credentials or some other sensitive data as part of the attack. When I set up this attack, it needs to look like it’s coming from a trusted entity in the organization. Maybe I’ll set it up to make it appear as though it’s coming from the IT Security group asking them to verify their credentials.

Brute Force Password (a.k.a., Dictionary Attack)

In this attack, I’m running an automated attack that just runs through a list of dictionary-type words that could be used as a password. It is going to use lots of well-known variations, such as using “$” for “s” and the number 0 for the letter O. If you thought Pa$$w0rd123 was going to cut it as a secure password on your Office 365 account, this attack will show you the error of your ways.

This type of attack is pretty lengthy in nature because there are thousands of potential guesses being made against each user account. The attack can be set up to vary in frequency (time between password guesses) and number of attempts.

It’s important to note that if a password is actually found to be successful, that password is NOT exposed to anyone – even the admin running the attack. The reporting simply indicates that the attack was successful against Bob@contoso.com, for example.

Password Spray Attack

A password spray attack is a little different from the brute force password attack, in that it allows the admin/attacker to define a password to use in the attack. These would typically be passwords that are meaningful in some way – not simply an attempt using hundreds, or thousands of guesses. The password you use could be something like the name of a football team mascot and the year they won a championship, or the name of a project that people in one department are working on. Whatever criteria you select, you define what password or passwords should be attempted and the frequency of the attempts.

Ready? Let’s go hunting…

Launching a Password Spray Attack

First, I’ll try the password spray attack. I’ve set up several accounts in my test tenant with passwords that are similar to the one I’ll attempt to exploit – which is Eagles2018!. Notice that, by most criteria, that’s a complex password – upper and lower case, alphanumeric and it includes a special character, but it’s also a fairly easily-guessed password, since the Philadelphia Eagles won the Super Bowl in 2018 (though it pains me to say that).

I’ve set up a couple users with that password to ensure I get some results.

I go to my Attack simulator and click on Launch Attack.

The first screen is where I name the attack.

Next, I select the users I want to target. Notice that I can select groups of users as well.

Now I manually enter the passwords I want to use in the attack.

Confirm the settings, click Finish and the attack will begin immediately.

If I go back to my Attack Simulator console, I can see the attack running.

After the attack completes, I see the users who have been compromised using the password.

(Yes, I’ve reset their passwords now, so don’t try and get clever.) 😊

Now I politely encourage ChristieC and IrvinS to change their password to help ensure their account security.

Launching a Brute Force Password (Dictionary Attack)

Again, I’ve set up a couple accounts with some pretty common password combinations (P@ssword123, P@ssw0rd!, etc..)

I walk through the configuration of the attack, which is very similar to the Password Spray attack setup.

I set up my target users as before, and then I choose the attack settings.

In this case, I uploaded a text file containing hundreds of dictionary passwords, but you can create a sampling of several passwords by entering them manually one at a time in the field above the Upload button.

As the attack runs, you’ll see something like the screenshot below. Remember, if you have a large number of users and a very large wordlist for the dictionary attack, this attack will run for quite some time as the simulator cycles through all the possible variations for each user.

And again, when the simulation is complete, you’ll want to caution DiegoS on his lack of good password hygiene.

In my second blog post, I’ll show you how to do a Spear Phishing Attack. These are the REALLY sneaky ones….

Stay tuned!

“Argh…My Skype for Business Recording Failed!!”

By David Branscome

I recently received a call from a colleague who had been working on a two-hour Skype for Business meeting.

At the end of the call, she went into her Recording Manager to get the recorded meeting but saw that the recording for the meeting had failed. It was showing up as “0 bytes” in size.

When we browsed to C:\Users\%USERNAME%\AppData\Local\Microsoft\Communicator\Recording Manager\Temporary Recording Files we saw this:

So, we were pretty sure that the files were available, they just hadn’t been finalized at the end of the meeting into a single file. But how do you fix it?

Actually, the fix was pretty easy.

First, start a new Skype for Business meeting. It can be a meeting with just one person.

Once the meeting is started, share out your desktop.

Now start the recording.

Immediately afterward, pause the recording as shown below:

Go to the temporary recording files path:

C:\Users\%USERNAME%\AppData\Local\Microsoft\Communicator\Recording Manager\Temporary Recording Files and locate the folder with the temporary files for the RECORDING YOU JUST PAUSED. It should be easy to locate based on the time stamp.

Open that folder and delete all the files EXCEPT the file named lock.lock.

Next, go back to the C:\Users\%USERNAME%\AppData\Local\Microsoft\Communicator\Recording Manager\Temporary Recording Files path and locate the folder for the FAILED recording. Again, you can use the timestamps on the files to ensure you have the right files. Select all the files in this folder and copy them using either CTRL-C or the Copy command.

At this point, you should have all the files from the folder of the original FAILED Recording copied over into the folder for the NEW, paused recording.

Now, from your Skype for Business client, STOP the recording for the meeting you initiated earlier. This will start the process of combining all the files from the FAILED recording into a single, functional recording.

Go into your System Tray in the lower right corner, click on the Recording Manager icon and select “Open”.

Ensure that the New recording is being compiled, as shown by the green progress bar.

In a few minutes (depending upon the length of the original meeting), your file should be completely recovered and ready to use!
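The file shuffling in the steps above, scripted so the wrong folder cannot be emptied by accident. This is an added example, not from the original post; it assumes the newest folder under Temporary Recording Files belongs to the recording you just started and paused, and takes the FAILED recording's folder as an explicit parameter.

```powershell
# Added example (not from the original post): automates the delete-and-copy
# step above. Assumes the most recently created folder under Temporary
# Recording Files is the NEW, paused recording; the FAILED recording's folder
# is passed in explicitly (pick it by its timestamp) so nothing is guessed.
$TempRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\Communicator\Recording Manager\Temporary Recording Files'

function Repair-SfbRecording {
    param(
        [Parameter(Mandatory)][string]$FailedFolder,      # folder of the 0-byte recording
        [string]$NewFolder = (Get-ChildItem $TempRoot -Directory |
                              Sort-Object CreationTime -Descending |
                              Select-Object -First 1 -ExpandProperty FullName)
    )
    if (-not $NewFolder)                { throw "No recording folders found under $TempRoot" }
    if (-not (Test-Path $FailedFolder)) { throw "Failed recording folder not found: $FailedFolder" }
    if ((Resolve-Path $FailedFolder).Path -eq (Resolve-Path $NewFolder).Path) {
        throw 'Failed and new folders are the same; refusing to continue.'
    }
    if (-not (Test-Path (Join-Path $NewFolder 'lock.lock'))) {
        throw "$NewFolder has no lock.lock; is the new recording really started and paused?"
    }

    # Step from the post: delete everything in the NEW folder except lock.lock.
    Get-ChildItem $NewFolder -File |
        Where-Object { $_.Name -ne 'lock.lock' } |
        Remove-Item -Force

    # Step from the post: copy (not move) every file from the FAILED folder into
    # the NEW folder, so the original fragments survive if anything goes wrong.
    Get-ChildItem $FailedFolder -File |
        Copy-Item -Destination $NewFolder -Force

    # Show what is now in the new folder; the next step is to stop the recording
    # in the Skype for Business client so Recording Manager compiles it.
    Get-ChildItem $NewFolder -File | Select-Object Name, Length, LastWriteTime
}

# Usage: list the candidate folders by timestamp, then run the repair against
# the folder of the failed recording.
Get-ChildItem $TempRoot -Directory | Sort-Object CreationTime | Select-Object Name, CreationTime
# Repair-SfbRecording -FailedFolder (Join-Path $TempRoot '<folder of the failed recording>')
```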

The End of Support for Older TLS Versions in Office 365

by David Branscome, with a callout to Joe Stocker at Patriot Consulting for the heads-up!

The SSL/POODLE Attack Explained

UPDATE: As per the support article listed here (https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365), we will be extending support for TLS 1.0/1.1 through October 31, 2018 in order to help ensure our customers are adequately prepared for the changes.

As most of you know, there was a significant vulnerability identified in the SSL 3.0 protocol back in 2014, named POODLE (Padding Oracle On Downgraded Legacy Encryption).

The problem was this: SSL 3.0 is basically an obsolete and insecure protocol. As a result, it has been, for the most part, replaced by its successors, TLS 1.0 and TLS 1.2. The way a client-server encryption negotiation sequence would typically work is that the client would contact a server, and through a handshake process, agree on the highest level of security over which they both can communicate. So, for example, a client makes a request to a server and says, “I’d like to use TLS 1.2 for our communication, but I can also use TLS 1.0, if you need to.” The server responds with, “I don’t speak TLS 1.2, but I do speak TLS 1.0, so let’s agree to use that.” They then use that downgraded protocol as their preferred encryption method. The downgrade sequence could ALSO downgrade the encryption to use SSL 3.0, if necessary.

However, even in situations where client and server both support the use of the newer security protocols, an attacker with access to some portion of the client-side communication could disrupt the network and force a downgrade to the SSL 3.0 encryption. This is typically referred to as a man-in-the-middle attack, because the attacker sits on the network between two parties and captures their communication stream. This is an altogether separate type of attack, unrelated to the POODLE vulnerability itself, and must be defended against using other methods.

Anyway, now that the attacker has successfully forced SSL 3.0 encryption to be used, and the attacker has access to the communication stream, the attacker can attempt the POODLE attack and get access to decrypted information between the client and the server.

When this vulnerability came out, there was a significant amount of work done worldwide to mitigate the impact and scope of the issue. The vulnerability in SSL 3.0 itself couldn’t be remediated because the issue was fundamental to the protocol itself. Because of this, the best solution for organizations was simply to disable support for SSL 3.0 in their applications and systems.

So That Was 3 Years Ago….

As described in the links at the bottom of this article, Microsoft still supports the use of TLS 1.0 and 1.1 for clients connecting to the Office 365 service. However, due to the potential for future downgrade attacks similar to the POODLE attack, Microsoft is recommending that dependencies on all security protocols older than TLS 1.2 be removed, wherever possible. This would include TLS 1.1/1.0 and SSL v3 and V2.

The problem here is that many operating systems and applications have a hardcoded protocol version to ensure interoperability or supportability. In Windows 8 and Windows Server 2012 and higher, the default protocol that is used is TLS 1.2 – which is good.

However, in Windows 7 and Windows 2008 R2, TLS 1.0 was the default protocol. In fact, TLS 1.1 and 1.2 were actually configured as “disabled”. See the table below:

As outlined in the article “Preparing for the mandatory use of TLS 1.2 in Office 365”, this is going to present a problem if your organization is still using Windows 7/Vista clients. Why?

Because on October 31, 2018, Microsoft Office 365 will be disabling support for TLS 1.0 and 1.1. This means that, starting on October 31, 2018, all client-server and browser-server combinations must use TLS 1.2 or later protocol versions to be able to connect without issues to Office 365 services. This may require certain client-server and browser-server combinations to be updated.

Our internal telemetry of client connections indicates that this shouldn’t be a problem for most organizations, since the majority are not using TLS 1.0 or 1.1, anyway. However, for the network you manage it’s probably a good idea not to simply assume everything will be great. 😊

As an example, if you’re using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services, make sure that these infrastructures can support both inbound and outbound connections that use TLS 1.2.

How Do I Know if I Need to Take Action?

New IIS functionality makes it easier to find clients on Windows Server 2012 R2 and Windows Server 2016 that connect to the service by using weak security protocols.

https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/

There are also some simple checks available from Qualys SSL Labs to check browser compatibility – https://www.ssllabs.com/ssltest/viewMyClient.html – as well as the certificate and encryption configuration of your servers with SSL certificates – https://www.ssllabs.com/ssltest/.
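A local check to complement the SSL Labs tests above, written as an added example (not from the original post): it reads the SCHANNEL registry keys Windows consults for each protocol version and flags whether TLS 1.2 is usable on this machine. It assumes Windows PowerShell 3.0 or later and that an absent key means the OS default applies, as described above.

```powershell
# Added example (not from the original post): report which SSL/TLS versions
# SCHANNEL has enabled on this machine, for both the Client and Server roles.
# A missing key means the OS default applies: TLS 1.2 on from Windows 8 /
# Server 2012, off on Windows 7 / Server 2008 R2 as the post describes.
$SchannelRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ProtocolVersions = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function ConvertTo-State($value) {
    # Registry DWORD: 0 = off, any non-zero value (often 0xFFFFFFFF) = on.
    if ($null -eq $value) { 'OS default' } elseif ($value -ne 0) { 'Yes' } else { 'No' }
}

function Get-SchannelProtocolState {
    param([ValidateSet('Client', 'Server')][string]$Role = 'Client')

    foreach ($version in $ProtocolVersions) {
        $key = Join-Path $SchannelRoot "$version\$Role"
        $enabled = $null; $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $enabled           = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault   # 1 = not offered unless an app asks for it
        }
        $enabledState  = ConvertTo-State $enabled
        $disabledState = ConvertTo-State $disabledByDefault
        [pscustomobject]@{
            Protocol          = $version
            Role              = $Role
            Enabled           = $enabledState
            DisabledByDefault = $disabledState
        }
    }
}

function Test-Tls12ClientReady {
    # $true when this machine, as a client, can negotiate TLS 1.2.
    # 6.2 is the Windows 8 / Server 2012 kernel version; older OSes default TLS 1.2 off.
    $defaultOn = [System.Environment]::OSVersion.Version -ge [version]'6.2'
    $tls12 = Get-SchannelProtocolState -Role Client | Where-Object { $_.Protocol -eq 'TLS 1.2' }
    switch ($tls12.Enabled) {
        'No'         { return $false }
        'Yes'        { return ($tls12.DisabledByDefault -ne 'Yes') }
        'OS default' { return $defaultOn }
    }
}

Get-SchannelProtocolState -Role Client | Format-Table -AutoSize
Get-SchannelProtocolState -Role Server | Format-Table -AutoSize
"TLS 1.2 usable by this client: $(Test-Tls12ClientReady)"
```

Run it on the clients and on any hybrid or AD FS servers you manage; a result of "No" or an "OS default" on Windows 7/2008 R2 is the case the article is warning about.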

Hopefully these checks will help you to ensure that your organization is ready when the change is made to the Office 365 services early next year.

Additional Resources

Preparing for the mandatory use of TLS 1.2 in Office 365

https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

Solving the TLS 1.0 Problem

https://www.microsoft.com/en-us/download/confirmation.aspx?id=55266 

Disabling TLS 1.0/1.1 in Skype for Business Server 2015 – Part 1 and 2

https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-1/

https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-2/

Implementing TLS 1.2 Enforcement with SCOM

https://blogs.technet.microsoft.com/kevinholman/2018/05/06/implementing-tls-1-2-enforcement-with-scom/

Exchange Server TLS Guidance

https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/

https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/

https://blogs.technet.microsoft.com/exchange/2018/05/23/exchange-server-tls-guidance-part-3-turning-off-tls-1-01-1/

Intune TLS Guidance

https://blogs.technet.microsoft.com/intunesupport/2018/06/05/intune-moving-to-tls-1-2-for-encryption/

Preparing for TLS 1.0/1.1 Deprecation – O365 Skype for Business

https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Preparing-for-TLS-1-0-1-1-Deprecation-O365-Skype-for-Business/bc-p/223608

Moving Your Office 365 Groups to Microsoft Teams – Getting Past the Gotchas

By now, most of us know that Microsoft Teams is built on Office 365 Groups. Additionally, many customers had been using Office 365 Groups for some of their collaboration before Microsoft Teams was released. That means that there are a number of Office 365 Groups out there, that may need to be converted to Microsoft Teams. The general process for using an Office 365 Group as the foundation for a Microsoft Team is well documented, and it would seem to be fairly straightforward. However, as anyone who has actually done this knows, it isn’t quite that simple.

The purpose of this article is to help you move the data that may exist in your Office 365 Group – such as email, OneNote, Planner, etc…over to a newly created Microsoft Team.

We’ll start with a brand-new Office 365 Group, create some content and then convert everything over to a new Team.

Let’s get started…

Creating the Office 365 Group and Populating it with “Stuff”

Let’s start by creating a new Office 365 Group so we know exactly what happens.

Here, I am creating an Office 365 Group named O365-TeamsUpgrade. Notice that it has been created with the default Privacy setting of “Private”.

Next, I add some of my team members to the Group.

Now my Office 365 Group is ready to go, and I have all the usual things in my configuration.

I can send email to the group, because every Office 365 Group has an associated email address. As expected, the email and meeting invites show up in the Office 365 Group mailbox, which exists in Exchange Online.

I go to Files and create a Word document.

Next, I go into my Notebook and create some content in the Office 365 Group’s OneNote.

I can go into Planner next and create some content there….

Lastly, I click on the Site link and I see the SharePoint Site.

If I go to the Documents library I see the Word document that I created just a few minutes ago.

So, we all agree I have legitimate content in my Office 365 Group, right? Right.

Okay, now comes the fun part – converting it to Microsoft Teams.

Upgrading to a Microsoft Team

In my Microsoft Teams client, I click “Add team”.

Next, I click on Create team.

In the next dialog box, I can create a brand-new Team, or as shown below, I can create one from an existing Office 365 Group. That’s what I want to do, so I click on that link.

It now provides me with a list of the Office 365 Groups for which I am the Owner, and which are set to Private visibility.

I click the radio button and click Create team.

NOTE:

When upgrading an Office 365 Group to a Microsoft Team, there are several points that you must keep in mind:

You must be the Owner of the Office 365 Group

The Office 365 Group visibility must be set to Private. If it is not set to Private, you can set it to Private long enough to do the switch and then turn it back to Public once you’ve switched it over to a Microsoft Team.

There cannot be a Team that already exists with the name of the Office 365 Group you intend to convert. If it exists already, you’ll end up with two disconnected objects. For example, I created a brand-new Team with the same name as my Office 365 Group.

It lets me create the Team with that name, but it doesn’t bring over any of the content from the Office 365 Group with the same name.

Lastly, Teams doesn’t support these characters: ~#%&*{}+/:<>?|'". Thus, if any of your Office 365 Groups are named using those characters, you won’t be able to convert them to a Microsoft Team without renaming them.

Not cool, man…not cool
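Before converting, it helps to find every Group that will trip the rules above (unsupported characters in the name, or visibility not set to Private). This is an added example, not from the original post; it assumes an Exchange Online PowerShell session where Get-UnifiedGroup is available.

```powershell
# Added example (not from the original post): list Office 365 Groups that
# cannot be converted to a Team as-is, with the reason for each. Assumes an
# Exchange Online PowerShell session (Get-UnifiedGroup).
$UnsupportedChars = '~#%&*{}+/:<>?|''"'     # the character set listed above

function Get-GroupConversionBlockers {
    Get-UnifiedGroup -ResultSize Unlimited | ForEach-Object {
        $group = $_
        # Characters in the display name that Teams rejects, de-duplicated.
        $badChars = @($group.DisplayName.ToCharArray() |
                      Where-Object { $UnsupportedChars.Contains([string]$_) } |
                      Sort-Object -Unique)

        $blockers = @()
        if ($badChars.Count -gt 0) {
            $blockers += "rename: name contains $(-join $badChars)"
        }
        if ($group.AccessType -ne 'Private') {
            $blockers += "set to Private before converting (currently $($group.AccessType))"
        }

        if ($blockers.Count -gt 0) {
            [pscustomobject]@{
                DisplayName        = $group.DisplayName
                PrimarySmtpAddress = $group.PrimarySmtpAddress
                Owners             = ($group.ManagedBy -join '; ')   # you must be an Owner to convert
                Blockers           = ($blockers -join '; ')
            }
        }
    }
}

Get-GroupConversionBlockers | Format-Table -AutoSize
```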

So far, everything is going just swimmingly, wouldn’t you say? Now I just open up my brand-spanking-new Microsoft Team and I see all the stuff from my old Office 365 Group, which has been converted over, just like magi……..wait….what happened? It only moved over the group membership? Where’s my super important Word document???? Where’s my Planner? Where’s the OneNote?

Let’s investigate…

Files

If we go back to our Office 365 Group (it still exists), we see our Word document still sitting in the Files area. On the far-right side, click on “Browse Library”.

Microsoft Teams stores documents and files in a folder in the SharePoint Document Library which is named for the Channel. By default, the only channel that exists in a new Microsoft Team is named “General”. Therefore, the SharePoint library shows me that my Word document is sitting outside of the General channel, as you see below.

If I select my Word document and click on the ellipsis, I can choose to move the document.

Let’s move it to the General folder. You can move all of your documents to the General folder, or if you have more channels in your Team, you can move them to any channel you like.

I now go to my Team and there’s my Word document in the General folder!

OneNote

But wait, I also had some business-critical information in OneNote. Where did that go?

Well, unfortunately there aren’t any really great options for moving your OneNote from an Office 365 Group over to a OneNote in Teams.

Here’s one way to do it:

In your Teams client, go to the channel of your preference, and click on the “+” sign to add a tab to that channel. In this case, I’m adding a tab to the General channel.

You’ll be presented with a number of options. Select the one that says OneNote.

Create a new OneNote notebook, and name it whatever you like. For my example, I’ll name it O365-TeamsUpgrade01.

If I go back now to my Office 365 Group, I see the newly created OneNote notebook, and it exists beneath the notebook that existed already.

Now I can copy the individual pages from one notebook to the other. I right-click on the page and select “Copy”.

I switch over to the new notebook, right-click and select “Paste”.

For my example, I deleted the “Untitled Page” and I’m left with only the page from my original OneNote.

And back in my Microsoft Teams client, everything looks good as well.

Planner

Mercifully, moving your Planner files over is relatively easy.

First you go into the new Microsoft Team and select the “+” sign to add another tab to the appropriate channel. Click on the Planner icon.

In the next dialog window, select “Use an existing plan”, and from the drop-down menu, select the name of the appropriate Office 365 Group.

And just like that, all your Planner information is switched over to Microsoft Teams.

Email

The last thing that needs to be converted over is email.

Again, there unfortunately isn’t a great story there yet. Here’s one idea that you can use.

As we have seen, each Team channel has its own email address. You can get that email address by going to the channel (such as General), clicking the ellipsis and selecting “Get email address”.

Copy the SMTP address, which is the section that’s highlighted below – 62057b2c.microsoft.com@amer.teams.ms (Yours will be different).

Now, go back to your Office 365 Group, select the email you want to move and click on “Forward”. In the new email window, copy the email address for the Teams channel into the “To” field in the email and click “Send”.

Go back to your Teams – General channel and you’ll see the email that has been forwarded from the Office 365 Group email inbox.

This is definitely not the easiest process in the world, and it tends to be error-prone if you have lots of email, but it will get the email conversations moved over.

Now, there may still be some people who will accidentally use the Office 365 Group email address. How do you account for that? One way is to add the new Microsoft Team as a member of the Office 365 Group.

Go into the membership of the Office 365 Group and click “Add members”.

In the dialog window, select the email address of the Microsoft Teams channel where you want the new emails to be delivered.

In my case, I select the email address beginning with “62057b2….” and click “Save”.

Next, go into the Group settings and select “Manage group email”.

In the dialog box, select “Follow in inbox” and click “Save”.

Now, when an email is sent to the address of the Office 365 Group, it is also sent to the email address of the Microsoft Teams channel that I have designated, as you can see below.

Well, that was easy, wasn’t it?

Obviously, I’m being a little sarcastic…this isn’t the easiest process, and there are certainly ways that much of it can be scripted, but for a quick and dirty way to move a few Office 365 Groups over to Microsoft Teams, it should be sufficient for your needs.

Killing Sessions to a Compromised Office 365 Account

David Branscome
Partner Technical Architect

We live in a world full of nasty threats to our online environments. One of your end users might click on a link that they shouldn’t and they get sent to a location where a piece of malware is installed on their machine and it captures their user credentials. In many cases, the goal of the attacker is to compromise a user account – ANY user account – and then move forward from there. Maybe their goal is to use that email account to send spam email or access organizational data for exfiltration. Or maybe the bad guy wants to have access to the environment so that he can gather confidential information and misuse it.

If an account in your Office 365 environment is compromised in this way, what can you do?

We have to recognize that there are two basic approaches to the problem:

Watch what the bad guy does so that you can take legal action against them

In this case, the actions we take will be done on the advice of the customer’s legal team and will be designed to establish a legal framework for prosecution. For example, there may be a scenario where an employee has been fired, but he knows the CEO’s password – maybe because the CEO left it on a sticky note on his monitor? Nah. That NEVER happens. The fired employee then decides to access the CEO’s mailbox for some nefarious purpose.

What can we do in this situation? Again, on the advice of the customer’s legal team, you may want to take steps such as the following:

  1. Put the CEO’s mailbox on Litigation Hold so that the data in the mailbox is preserved in its entirety. https://technet.microsoft.com/en-us/library/dn743673(v=exchg.150).aspx
  2. Configure Exchange Transport Rules so that all incoming as well as outgoing email is also forwarded to a second mailbox for preservation. https://technet.microsoft.com/en-us/library/jj919238(v=exchg.150).aspx
  3. If the compromise is severe enough, it may be advisable to set up a new, temporary Office 365 tenant so that communications related to the legal case are handled out-of-band and cannot be seen by the bad actor. This tenant would be where the legal team, IT and the users whose accounts have been compromised can communicate without the risk of their email being read by the bad guy.

Kill the session to block access to all Office 365 resources

The thing to remember about this effort is that we have to do more than simply block access to the mailbox. The user’s identity can be leveraged across multiple Office 365 services, so we have to block access to all those additional services as well. The challenge is that, in order to improve performance, the services often will cache the credentials of the user for a period of time, which means that EVEN IF you change the user’s password, there will be a period of time when the bad actor can remain authenticated and do damage.

That means that we have to break the sessions that allow them to connect to any of the services. There are three ways we can accomplish this:

For the first method, we need to sign in to the Office 365 Admin portal. Then go to Users –> Active Users, and then select the account of the compromised user. Expand OneDrive Settings, go to the Sign-out area, and click on the Initiate link. Notice that this will sign out users from all Office 365 sessions across all devices, but it will still allow the user to sign in. That means the bad actor can immediately sign back in and go about his day. We’ll address password change in a moment.

When you click Initiate, the service begins killing the sessions for the user on all their devices.

At this point, it’s a good idea to also block further sign-ins for the user. Granted, it’s impactful, but so is having a compromised account.

To block sign-in, from the properties of the compromised user account, go up to Sign-in status and edit the status.

Change the status of the account to “Sign In Blocked”.

With the sign-in blocked, nobody (good or bad) can re-authenticate using that account until an administrator unblocks the account. When you click Save, notice the recommendation given.

This reminds us that another good idea is to change the user’s password.

The second method is specific to SharePoint and uses the SharePoint Online PowerShell Module, which can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=35588. Once you have it installed and have connected to your tenant (steps are here: https://technet.microsoft.com/en-us/library/fp161372.aspx), run the Revoke-SPOUserSession cmdlet, as shown below.

The third method actually goes beyond just the Office 365 services and kills all active user sessions in any Azure AD application. To use this method, download the Azure AD PowerShell Module here (https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0).

Once installed, connect to your Azure AD tenant and kill all sessions by using the Revoke-AzureADUserAllRefreshToken cmdlet, as shown below.

Changing the Password

All of this is great, but as we mentioned earlier, if we don’t change the user password, then all we’ve done is make the bad guy sign in again. This is where it can get kind of tricky, especially in a scenario where we have directory synchronization taking place between an on-premises environment and Azure AD.

Remember, it doesn’t do any good to just configure the user properties to have the user change their password at the next logon. The bad guy can try to login, get the prompt to change the password, and change it to whatever he or she wants to use!

If the password is being synchronized to Azure AD, you’ll need to use the Get-MsolUser cmdlet to check the LastDirSyncTime and LastPasswordChangeTimestamp values to ensure that the password change has also been synchronized to Azure AD. Make sure that, if the user changed their password in the on-premises directory, the password synchronization has taken place.

What Else Can I Do?

If none of these seem to have blocked access to the mailbox of the compromised user by the bad actor, one more thing you can do is perform a mailbox move. This would effectively break any current sessions the bad actor had open. If the password was changed and synchronized correctly, then the bad actor should not be able to log in again with the old credentials.

To move a mailbox in Office 365, use PowerShell to connect to Exchange Online using these steps: https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx

Once you are connected, just run New-MoveRequest compromisedUser@contoso.com -PrimaryOnly.

Depending on the size of the mailbox, this could be fairly quick, but for very large mailboxes, it could take a couple hours to move.

One more thing! Don’t forget about mailbox delegates. If a bad actor granted Full Mailbox delegate access to another user, and the delegate user account was also compromised, then the bad actor would retain access to the original mailbox anyway! Therefore, make sure you check the mailboxes and accounts of any delegates of the compromised user so that you are removing all unwanted access to the original mailbox.
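The whole response above (block sign-in, kill sessions in SharePoint Online and Azure AD, reset the password, confirm sync, review delegates, move the mailbox) collected into one script. This is an added example, not from the original post; it assumes the MSOnline, Microsoft.Online.SharePoint.PowerShell, AzureAD and ExchangeOnlineManagement modules are installed and that you are a tenant admin. The UPN and SharePoint admin URL are placeholders.

```powershell
# Added example (not from the original post): the containment steps described
# above, in the order that closes the gaps the post calls out. Assumes the
# MSOnline, SharePoint Online, AzureAD and ExchangeOnlineManagement modules
# are installed; the UPN and admin URL below are placeholders.
$Upn      = 'compromisedUser@contoso.com'            # placeholder
$SpoAdmin = 'https://contoso-admin.sharepoint.com'   # placeholder

function Test-PasswordSynced {
    # For a directory-synced account: compare the timestamps the post points to
    # against the time you reset the password on-premises.
    param([Parameter(Mandatory)][datetime]$OnPremResetTime)
    $u = Get-MsolUser -UserPrincipalName $Upn
    [pscustomobject]@{
        LastDirSyncTime             = $u.LastDirSyncTime
        LastPasswordChangeTimestamp = $u.LastPasswordChangeTimestamp
        Synced = ($u.LastPasswordChangeTimestamp -ge $OnPremResetTime)
    }
}

# 1. Block sign-in first, so nobody can re-authenticate while sessions are cut.
Connect-MsolService
Set-MsolUser -UserPrincipalName $Upn -BlockCredential $true

# 2. Method two above: revoke the user's SharePoint Online sessions.
Connect-SPOService -Url $SpoAdmin
Revoke-SPOUserSession -User $Upn

# 3. Method three above: revoke every refresh token across Azure AD applications.
Connect-AzureAD | Out-Null
$aadUser = Get-AzureADUser -ObjectId $Upn
Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.ObjectId

# 4. Reset the password; never rely on "change at next logon" (see above).
$msolUser = Get-MsolUser -UserPrincipalName $Upn
if ($null -eq $msolUser.LastDirSyncTime) {
    # Cloud-only account: set a random value and hand it over out of band.
    # Get-Random is not a CSPRNG; fine for a throwaway reset the user will replace.
    $newPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
    Set-MsolUserPassword -UserPrincipalName $Upn -NewPassword $newPassword -ForceChangePassword $false
} else {
    Write-Warning 'Directory-synced account: reset the password on-premises, then run Test-PasswordSynced.'
    # Test-PasswordSynced -OnPremResetTime (Get-Date '2018-06-01 14:30')   # the time you reset it
}

# 5. Delegates: explicit Full Access grants keep their own sessions, so list them.
Connect-ExchangeOnline -ShowBanner:$false
Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights
# Remove-MailboxPermission -Identity $Upn -User '<unexpected delegate>' -AccessRights FullAccess

# 6. Last resort from above: move the primary mailbox to break any remaining sessions.
New-MoveRequest -Identity $Upn -PrimaryOnly
Get-MoveRequestStatistics -Identity $Upn | Select-Object Status, PercentComplete
```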

Conclusion

There aren’t many things as unnerving and disheartening to an IT admin as finding compromised accounts in your environment. When you find them, don’t panic!

Following a logical set of steps can help you clean up your environment and get things back to their natural order, where you sit back and collect accolades for a job well done, all day long!


“NOW it makes sense!” – Microsoft’s Collaboration Story in a Single Slide

By David Branscome

Partner Technical Architect


Who knew PowerPoint would make my day today?

One simple, elegant, PowerPoint slide.

And just like that, the picture of Microsoft’s collaboration strategy became clear and explainable.

This is the slide I’m talking about.

The slide was part of the presentation given by Microsoft’s Office 365 Marketing Chief, Ron Markezich at Ignite this week, and it answered visually what has often been a very challenging question to answer from partners and customers – namely, “What Microsoft collaboration tool should I use for scenario X?”

The reason for the question is obvious. There’s an abundance of tools available for communicating with people inside and outside your organization – Yammer, Teams, Skype for Business, Outlook, Office365 Groups, SharePoint – never mind all the other options like public folders, email distribution lists, OneDrive, and so on. The problem has never been “Is there a tool that will allow me to share this content with somebody?”. Rather, the problem has been “How do I explain to my end users or my customers which tool is best suited for a particular task?”

There is a very well written, detailed whitepaper named “‘When To Use What’ in Office 365” that you can download at http://www.2tolead.com/whitepaper-when-to-use-what-in-office-365/. It does a great job of laying out the many options and the specific scenarios where a given tool would be the optimal solution. But here’s the problem: it’s more than 60 pages long.

Anybody in IT knows that you will never be able to get an end user to read a 60-page whitepaper – no matter how well written – and synthesize the information from it. It just won’t happen. To be honest, most of us would be lucky to get the end users to read the email pointing them to the whitepaper.

But Ron Markezich’s slide is digestible. It’s something you could show to an end user and they would “get it”. They would understand when to use a given tool and know how to use it.

Breaking Down the Slide

The principles are simple:

Microsoft Teams is best suited for scenarios where you are working with a group of people on a given project. These are the people in your “Inner Loop” (or “Circle of Trust” as I prefer to call them). Because Microsoft Teams is built on Office 365 Groups, this group of people will have access to the SharePoint site created by default for each Team. That’s where I can share documents and files with the Team. If you’re a member of that Team – you have access. Since an Office 365 Group is also mail-enabled, I can send email to the Team channel so that everyone has access to the information in the email. Teams also incorporates all the features you love from Skype for Business – Instant Messaging, Presence, Conferencing, calling capabilities, etc… Teams keeps the conversations in a persistent, threaded format, so we can always go back and review questions that came up or decisions that were made. And with the recently announced Guest Access capabilities for Teams, you can extend the reach of your Team outside your organization. In effect, Microsoft Teams is a portal into Office 365.

Yammer expands the scope of who has access to a given set of content and the conversations. The people in your Yammer group are the “Outer Loop”. Sure, you still like and trust the people in your Outer Loop, but it’s a different type of interaction. Information and conversations flow much more organically and are likely not going to be project-specific. At Microsoft, our Yammer groups are more likely to be centered around certain technologies (such as Skype for Business Voice) or areas of expertise (“Security” or “Education”) than to be focused on a project (“Contoso Azure Deployment”). This allows people to jump into Yammer groups at any time and still benefit from the historical knowledge of the Yammer group. And just like with Teams, new Yammer groups are built on Office 365 Groups, so the Yammer group has access to OneNote, a Planner for managing tasks, a SharePoint team site and document library.

And then there’s Outlook. Good old, reliable, “I know how to use this”, Outlook. We all know that Outlook is often the easiest tool for sharing a file….one time. But things start to get sticky when you have to ask multiple people to edit the document or comment on it. Then we run into versioning issues, and you have to find the right copy of the file in your email thread…it’s just not the best tool for really collaborative work on a large team. Rather, Outlook is good for targeted communications – confirming an appointment with a customer, verifying information in a proposal, asking your boss for days off (which is personally my favorite email to write). Now the neat thing is that Outlook also allows you to connect to the mailboxes for Office 365 Groups. This allows you to view and reply to email messages that land in the mailbox of the Office365 Groups you are a member of directly from your Outlook client.

Back to Reality

Now let’s be honest for a moment, shall we?

Even with a single PowerPoint slide, some of your end users are going to get confused about when to use which tool. There will be questions that still come up:

  • How many users can be in a Team vs a Yammer group?
  • Can I restrict channels within a Team to only certain members of the Team?
  • What’s the right way to remove someone from a Team or a Yammer group?
  • How do I manage compliance concerns with Yammer or Teams?
  • How do I manage communications over SO MANY individual Teams and Yammer feeds?

…and the list goes on.

Those are all valid questions and they’ll require some end user training and guidance. But the basic framework of how to select the right tool for the job is still the same. My suggestion would be to take that one slide and use it when training your end users. It gives them something that is simple enough to understand in just a few moments and points them in the right direction. They will always have questions – and that’s why a great adoption planning and training program is so important for any rollout of new technology. But with the right planning and the right tools at your disposal, you’ll be successful.

Who would have thought one PowerPoint slide could help you do all that?

Guidance Available Now for Planning and Deploying Microsoft Teams!

David Branscome

September 25, 2017


For a couple months now, our partners and customers have been attempting to read the direction that Microsoft is taking with regard to Microsoft Teams and Skype for Business. I think it’s safe to say there’s been some confusion and *ahem*…. “gaps” in the guidance.

For example, the partners I’ve been working with have asked questions like:

“Is Microsoft Teams a replacement for Skype for Business?”

“How do I integrate Microsoft Teams into my Skype for Business infrastructure?”

“Are there best practices for how to configure my Teams and Channels?”

“How will Teams integrate with my existing audio/video systems?”

“Is there a certification program for Teams devices like there was for Skype for Business headsets, phones, etc…?”

These are especially important questions for partners because they have to (1.) be able to talk about how this will work with their own customers and (2.) they have to be able to deliver on those engagements.

Well, as of today, the clouds of confusion are beginning to part on many of these questions.

Partners can now go to https://docs.microsoft.com/en-us/MicrosoftTeams/Microsoft-Teams and get lots of great guidance to help them start planning and deploying Microsoft Teams in their customer environments. For example:

Now you might be saying, “That’s all well and good, David, but that’s just the technical considerations. I have people asking questions about the future of Skype, the licensing implications of moving to Teams from Skype for Business, and cloud video interop with Microsoft Teams. What am I supposed to tell them?”

Trust me, those questions have been on the minds of many partners and customers, and there is now some public guidance on these questions in the form of an FAQ, located here:

https://docs.microsoft.com/en-us/MicrosoftTeams/faq-journey

Clearly, there are still many more questions that partners and customers will have as we roll out more features and capabilities for Microsoft Teams, so we’ll keep answering those questions and creating articles to help guide you along on this journey.

For now, there’s lots to digest, and lots to use as you work with your customers in planning and deploying Microsoft Teams.

Enjoy!


Leveraging the Office 365 Service Assurance Portal in Customer Scenarios

August 23, 2017
By David Branscome

In the partner organization at Microsoft, we get lots of requests from partners that are in the process of responding to an RFP for Office 365 or Azure deployments. Maybe the partner has described the Microsoft datacenters to their customers as being ISO 27001 or FedRAMP compliant. But now the customer has stated that they need to know how certain controls are implemented in Microsoft’s datacenters. In many cases, the customer is audited regularly, and they have to be able to provide evidence that their data is stored in a specific manner or that access is controlled in a specific way.

The problem is, getting access into the Microsoft datacenters is REALLY difficult. Most Microsoft employees haven’t even been in one of the cloud datacenters – including myself. (There’s a decent virtual tour here, but I’d sure like to see all the blinky lights someday.)

In any case, partners don’t have to get a datacenter tour to respond to these types of information requests from customers. The information is literally at their fingertips in the Office 365 portal – just go to the Security & Compliance section and on the left side, find the Service Assurance section.

Wait…I Don’t See it!

But wait a second.

This data isn’t available to everyone. So, a compliance officer with no special permissions in Office 365 would see something like this:

They don’t even see the Admin or Security & Compliance application icons – let alone the Service Assurance menu. Now what?

As you’d expect, not everyone with an account in Office 365 needs to see that organization’s security configuration. If there are some users who need to be able to access the Service Assurance Center, here’s how to grant those permissions:

Log in to the Office 365 portal with Global Admin credentials.

Go to the Security and Compliance app and select Permissions.

In Permissions, check the box for Service Assurance User.

Select Edit role group and in the Members area, click on Edit.

Select Choose members to add the people who should have these permissions.

Click Add and then find the user.

Finish the wizard and you’ll see the user as a member of the Service Assurance User permissions group.

When the user logs in again, they will be able to go to https://protection.office.com and see the Service Assurance center:

Okay…Now What?

Now that you have the necessary permissions, you can start digging into the content in the Service Assurance center. You could start off by looking at all the controls and audited elements, but maybe you want to be more specific in your approach.

Let’s say you want to see how Office 365 meets ISO 27001 standards.

The first thing I’d recommend is to go to the Settings area and define the region whose controls are relevant – in this case, Europe. You’ll also need to select at least one of the industries whose regulations would be relevant to your search, then click Save.

As the green box indicates, you can now go into the Compliance Reports, Trust Documents and Audited Controls and review the content for the relevant region and industry. So, let’s take a look at what’s there.

If you look in the Compliance Reports area, you’ll see the listing of the certificates that Microsoft cloud datacenters have achieved, and you can click on and download the certificate itself.

For example, if I expand the ISO reports section and scroll down, I see a report named “Office 365 Germany ISO 27001 ISO 27017 and ISO 27018 Audit Assessment Report”. If I click on it, I can open the PDF file itself, which provides me with the final report stating that Office 365 meets the expectations for compliance.

But this only tells me if Microsoft complied with the controls or not. It doesn’t tell me what was actually tested as part of the process.

For that, I can go to the Audited Controls section, where I see the ISO 27018-2014 audit report and I can download it for review.

In this case, the report is an Excel spreadsheet which details things like the title of the control, the implementation and testing details, when it was tested and who performed the testing. This kind of information is generally enough for a customer’s audit team to be reassured of Microsoft’s compliance with the standard.

Don’t forget – if you want to change the scope of the controls (the region/country where the controls are relevant, which industry regulations apply, etc.) you can change the parameters in the Settings tab.

The Trusted Cloud

Microsoft is constantly working to achieve, maintain and even exceed compliance standards in order to secure customer data and make our cloud the most trusted one on the planet. The Service Assurance section of Office 365 is one evidence of that effort. Make sure to take advantage of it!

Additionally, check out the resources in the Microsoft Trust Center for information about GDPR, security, protection of users’ personally identifiable information and Microsoft’s commitment to providing customers with the controls necessary to secure their environment and user identities.

https://www.microsoft.com/en-us/trustcenter

Applying the Basics of Blockchain to a Real-World Scenario

So there I was in my kitchen yesterday, reading an article in ZDNet about how several organizations are teaming up to prevent fraudulent food production practices around the world. The group has created a “Food Trust Framework” that is designed to increase the integrity and quality of the food in a global supply chain.

And there it was. Another reference to blockchain.

Until a few months ago, all of the references to blockchain that I had seen centered around the cryptocurrency Bitcoin, and to be perfectly honest, I figured if I’m not being forced to pay somebody off to remove ransomware, Bitcoin and blockchain technology don’t really touch my life.

But there was blockchain again – this time in the context of food safety.

And since I eat food on occasion – well, that’s interesting to me. The premise of the news article is that there are an increasing number of food suppliers in China that are using ingredients in the food they sell that probably shouldn’t be there. As an example, maybe a beverage is diluted with water, or a filler is put into the food to reduce their cost of production. Maybe diluting a drink with water isn’t going to kill me, but it still means I’m paying for something that I don’t receive. But what if the filler that was used in a particular food happened to be a nut that I’m allergic to? Then it starts to get scary. (If you really want to scare yourself about “food fraud”, read this article)

Anyway, this group is trying to find a way to ensure that food quality is maintained through the supply chain. But how can you do that in a supply chain that could have dozens of suppliers involved in the process, particularly if some of the suppliers are specifically trying to avoid getting caught?

The answer they decided upon was – you guessed it – “blockchain”.

Blockchain Basics

The basics of blockchain are not terribly hard to understand, but let’s use a simple example to explain the principle.

We all understand the concept behind money. If I want to pay someone with money, I can hand them a dollar bill, or four quarters, or a hundred pennies or whatever, and the deal is done. The other person has the physical, tangible object in their hand, so we don’t necessarily need a third party to confirm that the money has been transferred.

However, let’s say I owe ten dollars to each of six different people, but I only have ten dollars in my bank account. Let’s also say that it’s possible for me to pay people by emailing them PICTURES of money. Being a little bit sneaky, I take a picture of a ten-dollar bill and email it to all six people. At this point, nobody can definitively claim the ten dollars in my bank account because there’s no proof that they are the ONLY one who has the picture of that ten-dollar bill.

But what if there was somebody that I had to email the picture of my money to FIRST and who could then hold me accountable for the money transfer? He would receive my email, make a note of the transaction in a ledger, deduct it from what he knows to be in my account and then pass along the picture to the recipient. If I tried to email another picture of the $10 bill to someone, the person with the ledger would say “Sorry, that money is already spoken for. You can’t do that.”

Expand the scenario a bit and say that HUNDREDS of people have a copy of the exact same ledger, and everyone keeps the ledger updated in near real-time. Then, even if I tried to get one person to change their ledger to my benefit, others in the chain would say “Nope, this is the accurate set of figures”.

That’s the concept behind blockchain – a shared digital ledger that allows you to verify and validate the transactions contained in that ledger. The ledger is shared among many machines in a decentralized, distributed, encrypted network, so nobody has the ability to artificially manipulate the data because all the other machines in the network serve as an integrity check.

But remember – it doesn’t have to be about validating financial transactions. It can be used to validate just about any kind of record.

And that would include records that impact food safety.

Preventing Counterfeiting and Abuse

Let’s think about the application of blockchain to our original scenario.

Imagine for a moment that you are a dishonest supplier of orange juice. You have an order come in that requires you to provide 500 gallons of pure orange juice. But, being a bit of a crook, you reason that if you use half the number of oranges and instead supplement the mixture with 250 gallons of water, you could nearly double your profits!

So how would blockchain possibly prevent this fraud?

The first assumption must be that all the suppliers in the chain are being required to put their business records into the blockchain in order to be able to accurately track what is taking place.

Now, if blockchain is being used to track all the suppliers in the orange juice production process, it would show that you are only receiving half the needed number of oranges from your orange grower to produce 500 gallons of orange juice. There may be IoT (Internet of Things) sensors tracking water consumption in your plant and sending their records to the blockchain network, and these would show that you are using a lot of water in your production process, potentially indicating that you are watering down the orange juice. Shipping records would show that you are shipping twice as much product without twice the number of oranges being purchased. Perhaps there is a quality control test performed as your product leaves the plant that verifies the makeup of the orange juice and then another test performed when it reaches the next stage in the supply chain, all of which are recorded in blockchain. The blockchain allows the end user (in this case, that might be the grocery store who buys the orange juice, and who has access to all the records in the blockchain) to watch for anomalies in the production process that would indicate fraudulent production processes.

If you attempt to go back and falsify your records, what happens? Let’s say you try to claim you used twice the number of oranges that you actually used. Well, you have an orange supplier whose records are also being stored in the blockchain, and his records show that he only delivered half the number of oranges that your records indicate. The trucking company that delivered the oranges would have a record of the weight of the oranges that were delivered, and that would also be stored in the blockchain, again making your claim suspect. Your records would possibly indicate orders for twice as many orange juice cartons – and unless you have a lot of unused cartons in the plant, that would be hard to explain. When you ship your product, the next stop in the process may perform a quality check. If that quality check indicates that the orange juice is 50% water, they are going to ask questions because now THEIR reputation is at stake.

At each stage of the process, any attempt to manipulate the data will be blocked because the entire set of blockchain participants (who may not even be known to you, and with whom you therefore cannot collude to falsify the records) will be validating that your records match the set of records that they have. The grocery store at the end of the supply chain can backtrack through the entire process and identify where the orange juice is being watered down.

The orange juice supply is saved! (And you potentially go to jail)
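
To make the “shared ledger as integrity check” idea from the Blockchain Basics section and the orange juice scenario concrete, here is an added PowerShell illustration (not from the original post, and a deliberate simplification of any real blockchain, which adds consensus, signatures and peer-to-peer replication). It chains each record to the previous one with a SHA-256 hash, gives every participant a copy, and shows that a supplier who rewrites its own copy is caught by the others. Party names and quantities are constructed.

```powershell
# Added example, not from the original post: a toy tamper-evident shared ledger.

# SHA-256 of a string, returned as lowercase hex.
function Get-Sha256Hex([string] $Text) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
    } finally { $sha.Dispose() }
}

# Append a record; its hash covers the content AND the previous hash (the "chain").
function Add-LedgerRecord([System.Collections.ArrayList] $Ledger, [string] $Party, [string] $Record) {
    $prev = if ($Ledger.Count -gt 0) { $Ledger[$Ledger.Count - 1].Hash } else { '0' * 64 }
    $entry = [pscustomobject]@{ Index = $Ledger.Count; Party = $Party; Record = $Record; PrevHash = $prev; Hash = '' }
    $entry.Hash = Get-Sha256Hex "$($entry.Index)|$Party|$Record|$prev"
    [void]$Ledger.Add($entry)
}

# One copy is internally valid if every hash recomputes and every link matches.
function Test-LedgerIntegrity([System.Collections.ArrayList] $Ledger) {
    for ($i = 0; $i -lt $Ledger.Count; $i++) {
        $e = $Ledger[$i]
        $expectedPrev = if ($i -eq 0) { '0' * 64 } else { $Ledger[$i - 1].Hash }
        if ($e.PrevHash -ne $expectedPrev) { return $false }
        if ($e.Hash -ne (Get-Sha256Hex "$($e.Index)|$($e.Party)|$($e.Record)|$($e.PrevHash)")) { return $false }
    }
    return $true
}

# Across participants, a copy is trusted only if its head hash agrees with the majority.
function Get-DisagreeingParticipants([hashtable] $Copies) {
    $heads = @{}
    foreach ($name in $Copies.Keys) { $heads[$name] = $Copies[$name][$Copies[$name].Count - 1].Hash }
    $majority = ($heads.Values | Group-Object | Sort-Object Count -Descending | Select-Object -First 1).Name
    return @($heads.Keys | Where-Object { $heads[$_] -ne $majority })
}

# --- Constructed demo data for the orange juice scenario ---
$ledger = New-Object System.Collections.ArrayList
Add-LedgerRecord $ledger 'Grower'   'Delivered 2,000 kg oranges to JuiceCo'
Add-LedgerRecord $ledger 'Trucking' 'Weighed 2,000 kg at JuiceCo gate'
Add-LedgerRecord $ledger 'JuiceCo'  'Produced 500 gal juice from 2,000 kg oranges'
Add-LedgerRecord $ledger 'Grocer'   'QC on receipt: 50% water content'

# Every participant holds an identical copy (copied so edits stay local to one party).
$copies = @{}
foreach ($p in 'Grower', 'Trucking', 'JuiceCo', 'Grocer') {
    $copies[$p] = New-Object System.Collections.ArrayList
    foreach ($e in $ledger) { [void]$copies[$p].Add($e.PSObject.Copy()) }
}

# JuiceCo quietly doubles the oranges in its own copy.
$copies['JuiceCo'][2].Record = 'Produced 500 gal juice from 4,000 kg oranges'
"JuiceCo copy valid after naive edit: $(Test-LedgerIntegrity $copies['JuiceCo'])"   # False: hash no longer matches

# A more careful cheat re-hashes the whole chain so the copy looks consistent on its own...
$rehashed = New-Object System.Collections.ArrayList
foreach ($e in $copies['JuiceCo']) { Add-LedgerRecord $rehashed $e.Party $e.Record }
$copies['JuiceCo'] = $rehashed
"JuiceCo copy valid after re-hashing: $(Test-LedgerIntegrity $copies['JuiceCo'])"    # True

# ...but the other participants still hold the original chain, so the head hashes differ.
"Participants whose copy disagrees with the majority: $((Get-DisagreeingParticipants $copies) -join ', ')"   # JuiceCo
```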

Conclusion

What this has taught me is that blockchain has some pretty interesting use cases. There are a number of industries that are already investigating blockchain scenarios very heavily. For example, the healthcare industry is investigating its use in tracking patient records and payment history; the financial services industry is using it to verify and validate financial transactions; and the energy industry is using it to protect themselves against intra-day price fluctuations in energy resources such as solar and wind-generated energy.

Microsoft Azure allows customers to set up blockchain solutions themselves to support their business initiatives. Some of the blockchain and distributed ledger protocols currently available are Ethereum, Hyperledger Fabric, R3 Corda, Quorum, Chain Core and BlockApps, as well as Azure Blockchain Service. These can be used to help customers provision their own blockchain network in just a few minutes in a globally distributed, highly-available network, using Azure’s massively scalable compute, storage and network infrastructure as the foundation.

Investigate blockchain at the link below and try it out for yourself!

https://azure.microsoft.com/en-us/solutions/blockchain/

Announcing Microsoft’s Coco Framework for enterprise blockchain networks


Microsoft Teams: Beyond the Basics

In a previous blog post, I talked through the basics of setting up a Microsoft Team and showed you how Teams are related to Office365 Groups, SharePoint Online and Skype for Business Online.

Now I’d like to walk through some of the nitty-gritty details related to your Microsoft Teams deployment. A much more comprehensive set of information can be found in the “Practical Guidance for Microsoft Teams.docx” found at http://www.successwithteams.com, but this article will give you an overview of what you should have in mind as you start talking with your customers.

A Peek Under the Covers

Now, we’ve discussed some of the basics of Microsoft Teams, but it’s important to have a “big picture view” of the other components that will factor into your planning process.

First of all, as we noted previously, a Microsoft Team creates an Office365 Group. If you are the owner of an existing Office365 Group, you also have the ability to convert it over to a Microsoft Team. When the Group becomes a Team, the existing SharePoint and OneNote are automatically ported over to Teams. Keep in mind, though, that Groups must be private and they cannot have more than 600 members.

[Update: As of 8/17/2017 you can have up to 999 members in a Group. Thanks for the note, Kyle!]

[Update: As of 10/18/2017 you can have up to 2,500 members in a team. See release notes here: https://support.office.com/en-us/article/Release-notes-for-Microsoft-Teams-d7092a6d-c896-424c-b362-a472d5f105de#PickTab=Mobile_devices]

You can see where your Office365 Group is created in the Office365 Admin Portal, as seen below:

Office365 Groups use identities that are stored in Azure Active Directory. This means that all authentication and authorization capabilities are managed by Azure AD. This makes it possible for you to use things like Multi-Factor Authentication (MFA) in Microsoft Teams, as well. That means that an organization can use any identity model supported by Office365, including the following:

  • Cloud Identity: In this model, a user is created and managed in Office 365 and stored in Azure Active Directory, and the password is verified by Azure Active Directory.
  • Synchronized Identity: In this model, the user identity is managed in an on-premises server, and the accounts and password hashes are synchronized to the cloud. The user enters the same password on-premises as they do in the cloud, and at sign-in the password is verified by Azure Active Directory. This model uses the Microsoft Azure Active Directory Connect Tool.
  • Federated Identity: This model requires a synchronized identity, but the user password is verified by the on-premises identity provider. With this model, the password hash does not need to be synchronized to Azure AD, and Active Directory Federation Services (ADFS) or a third-party identity provider is used to authenticate users against the on-premises Active Directory.

Now let’s dig into the components of the Microsoft Team itself: each Team that you create contains multiple elements, including a SharePoint Online (SPO) site. Each channel that you create in Teams gets its own folder on this SPO site, and the permissions and file security options that are set in SPO are automatically reflected in Teams. This is the data that is shared across the members of the Team. To be clear, for this functionality to be available, you must be using SharePoint Online.

However, you can also have 1:1 conversations using private chat in Microsoft Teams. What if you share a file with someone in one of those chat sessions? Where is that data stored? The files associated with those private chat sessions are hosted in your OneDrive for Business, and the permissions are automatically granted to all participants in that specific private chat. The OneDrive for Business license is tied to the SharePoint Online license, so again, we have to have SharePoint Online enabled for this to work. In the screenshot below, you can see where OneDrive for Business files are made available in Teams.

When we create an Office365 Group, we also get an associated OneNote notebook for the Team, and sections are created in the notebook for each channel in that Team. Any security settings applied within OneNote automatically apply to Notes within Teams. So, as you see below, there is a notebook for the Graphic Design Institute, and then a section would be created in OneNote for the channels – Art and Media Festival, Content Staging, Future Ideas, and so on.

What may not be quite so obvious is that each Team also has an associated Exchange Online (EXO) mailbox. This mailbox is used to store information including the group mailbox and a common calendar for the Team. When a meeting is created in Teams, the invite is pushed to your Exchange Online mailbox, and the meetings created in EXO are synced to the Meetings tab in Microsoft Teams. The meetings that show up here in the “Meetings” area are the same ones that show up in your Outlook mailbox.

What’s interesting is that Microsoft Teams does not strictly REQUIRE users to have an Exchange Online mailbox. Unlike the SharePoint and OneDrive for Business components, which MUST be hosted online, you are able to deploy Teams with mailboxes hosted on-premises. There will, however, be a few caveats for users with on-premises mailboxes. This table, taken from the Planning Workshop for Microsoft Teams.pptx document highlights the restrictions.

When it comes to Microsoft Teams and Skype for Business, there is an important fact to consider during your planning and deployment. At this time, interoperability between Microsoft Teams and Skype for Business is available only for peer-to-peer (P2P) instant messaging. In other words, you cannot have a conference where some users are on Skype for Business and other users are leveraging Microsoft Teams in the same conference. Additionally, in order for a Microsoft Teams user to send an IM to a SfB user, the Microsoft Teams user must be homed in Skype for Business Online.

The Dreaded Licensing Discussion

Yes, I know. I hate talking about licensing, too. But as we’ve seen above, there are a lot of online components that provide the core functionality to Microsoft Teams, so there may be some confusion around which SKUs are required to get the needed functionality.

As of this writing (May 2017) the Microsoft Teams Licensing Requirements are actually quite straightforward. They are as follows:

With these licenses, the core functionalities (chat-based workspace, and meetings with audio, video, and content group calling) of Microsoft Teams are available to all supported subscription plans. All the supported subscription plans are eligible for access to Microsoft Teams’ Web client, desktop clients, and mobile apps.

However, if the organization where you are deploying Microsoft Teams has specific information protection (security and compliance) requirements, these may dictate the use of a specific subscription plan in order to get the functionality needed – not just for Microsoft Teams – but for the overall Office 365 solution for the organization. For example, if a customer requires the ability to perform eDiscovery against SharePoint data or Exchange mailboxes, they may require an Enterprise SKU, rather than a Business SKU.

More bandwidth, more bandwidth….

With all these capabilities being hosted in Office365, you may be wondering about bandwidth requirements.

The group that has developed Microsoft Teams leverages a planning methodology that closely mirrors the Skype Operations Framework (SOF) planning process, which encompasses the Plan, Deliver and Operate phases. So, if you’re familiar with SOF, you’ll understand the process for a successful Teams rollout.

Part of that successful planning involves determining bandwidth requirements. Since we know that there is a Skype component to Teams, a logical question comes up: “How do I plan for Teams from a network capacity standpoint? Can I just use the Skype for Business Bandwidth Calculator and be good to go?”

Well, probably. But if your deployment of Teams is not very large or complicated, you can use the Microsoft Teams bandwidth calculator located here for network planning: http://aka.ms/bwcalc/

However, keep in mind that, in order to get an optimal experience with real time media within Microsoft Teams, you have to meet the typical networking requirements for running Skype for Business in Office 365, which may require more than just meeting bandwidth requirements. In other words, your planning is going to include things like ensuring the quality of your WiFi connections, allowing access to the necessary Office365 URLs and IP address ranges, bypassing proxies, and enabling split-tunnel VPN. So there may be circumstances where

It also means you need to meet the following requirements on the two critical network segments: Client to Microsoft Edge and Customer Edge to Microsoft Edge:

To test these values, we recommend that you leverage the Network Assessment Tool located here: https://www.microsoft.com/en-us/download/details.aspx?id=53885. This tool can be deployed on both the client PC directly, as well as a PC/laptop connected at the Customer Network Edge. Documentation for how to use the tool can be found here: Network Readiness Assessment. By running this Network Readiness Assessment tool, you can validate your network’s readiness to run real-time media applications, such as Microsoft Teams. If the tool indicates that there may be network issues that would impact the quality of the audio/video experience for your end users, you should recommend that the customer have an Advanced Network Readiness assessment performed by a partner with qualifications in that area.

Conclusion

Now we’ve taken a little bit of a deeper look into Microsoft Teams. It’s a great tool for group collaboration, and it’s really very easy to set up and deploy in an organization. Make sure to read all the planning documentation on the http://www.successwithteams.com website – and Happy Teaming!