Distribution, Security and Office 365 Groups Nesting

reference to what groups can be added to what groups in Office 365/Azure


I have to face the facts here that this is as much for my help as everyone else’s. I get asked these questions over and over so here’s the quick and easy picture reference to what groups can be added to what groups in Office 365/Azure.

Keep in mind when to use each type of group:

  • Office 365 Group – a small to large group of users who need to collaborate using shared files, group email, and a shared calendar
  • Distribution Group – a large to very large group of users (e.g. an All Employees group or an All Boston Users group) to which a few users need to send communications that reach everyone on the list
  • Mail-enabled Security Group – a small to large group of people being assigned permissions to a shared location (e.g. a network folder, SharePoint site/library, or shared printer) whose members all receive a notification if the shared resource becomes unavailable
  • Security Group – a small to large group of people logically grouped together for similar access to a resource; this group will not be notified by email if a resource becomes unavailable

Now I’ll describe which groups can include other groups as members.

First, the list of groups I used – please note that these are all cloud groups:

What can I add to an Office 365 Group (public or private)? Users only.

What can I add to a distribution list? Mail-enabled security groups and other distribution groups.

What can I add to a mail-enabled security group? Distribution groups and other mail-enabled security groups.

What can I add to a security group? Distribution groups, mail-enabled security groups and other security groups.
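The four answers above can be turned into an audit check: validate a proposed nesting plan against the rules, then flatten nested groups to see which users actually end up with access to a shared resource. This is an added example, not code from the post; the rule table encodes the answers above for cloud groups only, it assumes users may be members of every group type, and the directory it runs on is constructed.

```python
"""Validate a group-nesting plan against the rules above and flatten nested
groups to the users who actually receive access.

Added example, not from the post: the rule table encodes the four answers
above (cloud groups only); users may be members of every group type. The
directory below is constructed.
"""
from collections import deque
from typing import Dict, List, Set

# container type -> group types it may contain as members
ALLOWED_NESTING = {
    "office365": set(),                                        # users only
    "distribution": {"mail_security", "distribution"},
    "mail_security": {"distribution", "mail_security"},
    "security": {"distribution", "mail_security", "security"},
}

# name -> {"type": str, "members": [names]}; a member name that is not a key
# of the directory is a user
Directory = Dict[str, dict]


def validate_nesting(groups: Directory) -> List[str]:
    """Return one message per group-in-group membership the rules forbid."""
    problems = []
    for name, g in groups.items():
        for member in g["members"]:
            if member in groups:
                mtype = groups[member]["type"]
                if mtype not in ALLOWED_NESTING[g["type"]]:
                    problems.append(
                        f"{name} ({g['type']}) cannot contain {member} ({mtype})"
                    )
    return problems


def effective_users(groups: Directory, name: str) -> Set[str]:
    """Breadth-first expansion of nested groups to the users they contain.

    The visited set keeps this safe even if a membership cycle exists.
    """
    users, seen, queue = set(), {name}, deque([name])
    while queue:
        for member in groups[queue.popleft()]["members"]:
            if member not in groups:
                users.add(member)
            elif member not in seen:
                seen.add(member)
                queue.append(member)
    return users


# Constructed directory: one Office 365 Group wrongly nests a security group;
# the Boston groups and the Finance share follow the rules.
SAMPLE_DIRECTORY: Directory = {
    "Engineering":           {"type": "office365",     "members": ["alice", "bob", "Eng-Leads"]},
    "Eng-Leads":             {"type": "security",      "members": ["carol"]},
    "Boston-Helpdesk":       {"type": "distribution",  "members": ["frank"]},
    "Boston-Printer-Access": {"type": "mail_security", "members": ["erin", "Boston-Helpdesk"]},
    "All-Boston-Users":      {"type": "distribution",  "members": ["dave", "Boston-Printer-Access"]},
    "Finance-Share":         {"type": "security",      "members": ["grace", "Boston-Printer-Access"]},
}

if __name__ == "__main__":
    for problem in validate_nesting(SAMPLE_DIRECTORY):
        print("violation:", problem)
    print("Finance-Share grants access to:",
          sorted(effective_users(SAMPLE_DIRECTORY, "Finance-Share")))
```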

Asset Protection: Operations and Monitoring in Office 365

In the final post of this series, we highlight the importance of designating operational support and service monitoring guidelines for Office 365.

Have you just been handed your Office 365 tenant and been told to support it? Hopefully not, but in smaller environments I can see the potential for that happening.

Operational Support Structure

If you’re a large enough organization, you are likely transitioning teams from their on-premises duties to new cloud responsibilities. We typically recommend the following guideline for a support team:

  • 0.2% of the organization’s supported community – that’s two support people for 1,000 users

When we work with clients to plan, rollout, or remediate Office 365, we look at the IT structure as a whole, the number of users, what workloads are being rolled out, and how current support structures can be modified for the cloud.

Your first-level help desk will be key in taking some of the repetitive tasks away from your admins, and a knowledge base that is kept up-to-date will provide a reference to help them.

If you are both the help desk and the global admin, keep a knowledge base for yourself in a SharePoint list for easy reference.

Service Availability Monitoring

It’s up to us as consumers to ensure we are aware of the level of service we can expect, and that we are monitoring the availability of our own tenants.

If a service falls below the SLA documented by Microsoft, you will need proof of that outage. Keep an eye on the Service Health dashboard in the Admin Center, and consult Microsoft’s published service SLA documentation.

Service incidents can be found in your Office 365 Admin Portal and come in two varieties:

  • Planned maintenance events: Planned maintenance is regular Microsoft-initiated service updates to the infrastructure and software applications. Planned maintenance notifications inform customers about service work that might affect the functionality of an Office 365 service. Customers are notified no later than five days in advance of all planned maintenance through Message Center on the Office 365 Admin Portal. Microsoft typically plans maintenance for times when service usage is historically at its lowest based on regional time zones.
  • Unplanned downtime: Unplanned service incidents occur when one of the services in the Office 365 suite is unavailable or unresponsive.

Monitor the message center at least weekly, if not more often, for updated change notifications, any actions required and expected outages. The Security and Compliance center has default alert policies configured to send admins email messages in a variety of circumstances such as: a mail flow rule has been created, malware is detected, an unusual volume of email has been detected, unusual external user activities have been detected and more.

The Security and Compliance center dashboard is a good place to start for a visual look at anomalies. Take a look at the landing page and the Threat Management section for daily graphs of activity.

Besides the Admin portal you can also use the following to monitor service availability:

  • Office 365 Admin App
  • Add-in for Office 365 for System Center
  • The service communication API
  • Third party provider of monitoring solutions

Enhancing Monitoring and Supportability

If you are interested in enhancing the out-of-the-box security monitoring, check out Cloud App Security, an app available with an Azure AD Premium P2 license or an EM+S E5 license. This gives you further insight into activity, app use, alerts, and log review among other tasks. It allows you to create policies from templates or from scratch that give you deeper insight into shadow IT, allowing you to better control where sensitive information is being held.

Another security enhancement available in the same subscriptions as Cloud App Security is Identity Protection. Identity Protection is a collection of algorithms that determine whether a user sign-in is risky or not. If you’re already using conditional access, you can set up access to be denied if Azure determines the sign-in to be risky. This will take some testing, but you can at least determine if the sign-ins are coming from unknown IP ranges (those not associated with a country) or if the sign-ins involve impossible travel (you can’t sign in from an IP address in London and five minutes later sign in from a different IP address in New York).
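The two signals named above, sign-ins from addresses that map to no country and impossible travel between consecutive sign-ins, are easy to reproduce against your own sign-in export. The following is an added example and not Microsoft’s Identity Protection logic; the sign-in records, coordinates and the 1,000 km/h threshold are constructed for the illustration.

```python
"""Impossible-travel and unknown-location checks over sign-in records.

Added example (not Microsoft's Identity Protection code): it illustrates the
two risk signals the post describes. The sign-in records, coordinates and
speed threshold are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0
# Constructed threshold: no traveller moves this fast, so two sign-ins that
# would require it cannot come from one person on the move.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: Optional[float]  # None when the IP maps to no country/location
    lon: Optional[float]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def required_speed_kmh(a: SignIn, b: SignIn) -> float:
    """Speed one person would need to get from sign-in a to sign-in b."""
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = abs((b.when - a.when).total_seconds()) / 3600.0
    if hours == 0.0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def find_risky_signins(events: List[SignIn]) -> List[Tuple[str, SignIn]]:
    """Return (reason, sign-in) pairs.

    'unknown_location' : the source IP could not be placed in a country.
    'impossible_travel': the user's previous located sign-in is too far
                         away for the elapsed time.
    """
    findings = []
    last_located = {}  # user -> most recent sign-in with a known location
    for e in sorted(events, key=lambda s: s.when):
        if e.lat is None or e.lon is None:
            findings.append(("unknown_location", e))
            continue
        prev = last_located.get(e.user)
        if prev is not None and required_speed_kmh(prev, e) > MAX_PLAUSIBLE_KMH:
            findings.append(("impossible_travel", e))
        last_located[e.user] = e
    return findings


# Constructed sample: London -> New York five minutes apart, a plausible
# London -> Manchester trip, and one sign-in from an unmapped address.
SAMPLE = [
    SignIn("alice", datetime(2018, 3, 1, 9, 0), "203.0.113.10", 51.5074, -0.1278),
    SignIn("alice", datetime(2018, 3, 1, 9, 5), "198.51.100.7", 40.7128, -74.0060),
    SignIn("bob", datetime(2018, 3, 1, 9, 0), "203.0.113.22", 51.5074, -0.1278),
    SignIn("bob", datetime(2018, 3, 1, 12, 0), "203.0.113.23", 53.4808, -2.2426),
    SignIn("carol", datetime(2018, 3, 1, 10, 0), "192.0.2.99", None, None),
]

if __name__ == "__main__":
    for reason, s in find_risky_signins(SAMPLE):
        print(f"{reason:18} {s.user:6} {s.when:%H:%M} {s.ip}")
```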

These monitoring and operations tasks usually take a few months to settle into the work pace set by your organization, so be flexible early on and also very attentive. You should quickly find repetitive tasks that you can manage and automate more effectively using PowerShell or other third party add-ins. Almost anything you can do with the UI you can customize and do through PowerShell. If the built-in reports don’t offer the data to meet the need of a specific report request, the information is usually available from the output of a script. You must be a global admin to use PowerShell with Office 365.

Final Thoughts

I hope that you have enjoyed this series of blogs about Office 365 security. I’ve tried to synthesize a large amount of information into bite-sized pieces for easy consumption, but if you need more or deeper information, please let me know. Comment below or contact me.

Asset Protection: Business Continuity and Disaster Recovery in Office 365

You have plenty of options to make sure your data is protected in a worst case scenario. Find out what those are.

Whether you are just considering your move to Office 365 or are already there, you’ve no doubt been thinking about operations and disaster recovery.

Microsoft remains committed to transparency when it comes to service health monitoring and outage notifications and updates. They have also put into place a system of geo-redundancy that makes it extremely unlikely for a complete Microsoft service outage to happen across all data centers and all services.

Microsoft Responsibilities

Microsoft ensures that customer data is available whenever it is needed through the following features:

  • Data storage and redundancy: Customer data is stored in a redundant environment with robust data protection capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center.
  • Data monitoring: Office 365 services maintain high levels of performance by:
    • Monitoring databases for:
      • Blocked processes
      • Packet loss
      • Queued processes
      • Query latency
    • Completing preventative maintenance: Preventative maintenance includes database consistency checks, periodic data compression, and error log reviews.

Administration Responsibilities

It’s up to us as the consumer, however, to ensure we are aware of the level of service we can expect and are monitoring the availability of our own tenants. Microsoft publishes the service SLA documentation online. Here are some basics for Office 365:

Exchange Online:

  • The Recoverable Items store is set to keep deleted items for only 14 days.
  • This 14-day value can be increased, but only to a maximum of 30 days on Office 365 plan E1; in plans E3 & E5 it can be set to any value.
  • All Office 365 licensing plans are limited to a 20 GB Recoverable Items store per user, at which point the system will delete the oldest emails first.
  • The Litigation Hold version of the Recoverable Items store has no size or version limits.

SharePoint and OneDrive:

  • Deleted items remain in the Recycle Bin for 30 days.
  • SharePoint Online data is backed up every 12 hours.
  • Backups are kept for 14 days.
  • One-hour RPO: Microsoft protects your SharePoint Online data and has a copy of that data that is equal to or less than one-hour old.
  • Six-hour RTO: Organizations will be able to resume service within six hours after service disruption if a disaster incapacitates a hosting data center.

Users have a tremendous amount of control over the deletion and restoration of their own personal documents. Administrators have at least 30 days to retrieve data from their tenant as data is soft-deleted first.

Did a user account get deleted accidentally? No problem, recreate it, synchronize it, and access the data. Of course, the two-stage recycle bin in SharePoint has been around for a while now so no problem there either.

OneDrive users have a point-in-time restore utility built-in so be sure users are aware of the feature.

Data Retention in Office 365

Also, don’t forget about retention policies for data across Office 365. These policies can ensure you remain legally compliant with any industry regulations you might have. Managing these policies typically requires two actions:

  • Retaining content so that it can’t be permanently deleted before the end of the retention period.
  • Deleting content permanently at the end of the retention period.

With a retention policy, you can:

  • Decide proactively whether to retain content, delete content, or both – retain and then delete the content.
  • Apply a single policy to the entire organization or just specific locations or users.
  • Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.

Outside Help

If you’re interested in defining and managing what you keep, where you keep it, and how often you gather it, you also have a few options:

  • See if a hybrid or scripted solution would work.
  • Use a third party vendor of SaaS solutions that fill this gap.


If you’re interested in what Azure can do for you, there are options for that as well.

  • Failover your on-premises environment to Azure if you can’t move it all yet.
  • Use Azure’s site recovery.
  • Use an Azure partner for disaster recovery.

Final Thoughts

You won’t find 20-plus-year-old strategies any more for a continuity and disaster recovery scenario. Today it’s more convenient, cost-effective and simpler to find continuity and disaster recovery as a service.

There are still plenty of options available for you to take extra precautions with the data you think is better protected so it’s locked in a safe for a worst case scenario.

Check with a partner for help in making these decisions. And read the next blog in this series, Operations and Monitoring in Office 365, for more about ensuring service availability.

Asset Protection: Physical Architecture in Microsoft Office 365

Securing the physical infrastructure in Microsoft’s data centers is as important as data availability.

As is true with most Microsoft products, there are a number of ways you can architect Office 365 to work with your infrastructure or replace it entirely.

For smaller organizations, it’s an easier decision because those companies typically have fewer on-premises solutions and much less investment in infrastructure, so moving to the cloud is simpler.

Microsoft’s physical architecture uses the same principles most organizations do to secure a data center. Because of the nature of Microsoft data centers and the information kept in them, securing the physical infrastructure is as paramount as data availability.

Physical Architecture: Security Features

Some of the physical protection features in use by Microsoft’s data centers are:

  • High-security perimeter fences
  • 24/7/365 surveillance
  • Vehicle checkpoints
  • World-class access procedures to facilities
    • Multi-factor, biometric entry points
    • Full body metal detection
  • On-site hard drive destruction (shredding)
  • State-of-the-art fire suppression
  • Secure access to physical components
  • Geo-located and geo-replicated data

You are likely using many of the security features and principles listed above where they make sense in your own organizations. That’s good.

Securing Your Architecture

The question is how you will architect your network for the change, and that depends on what the final goal is.

  • Will you peacefully coexist?
  • Are you going to extend your directory to the cloud?
  • Do you want an isolated tunnel between your location and Office 365?

Option 1

This one is really simple. You keep your infrastructure in place and allow the URLs and IP addresses required for Office 365 through your firewall(s).

This uses your current ISP and the public Internet in the same way your users access it today. Traffic is encrypted and flows through a secure channel. Microsoft SaaS solutions like Office 365 and Dynamics 365 are designed for this type of access.

Option 2

In certain situations ExpressRoute is recommended. You still keep your infrastructure in place, but this is a private connection between your infrastructure and Microsoft’s data center through an ExpressRoute carrier, widely available in the U.S.

This type of connection offers higher security, reliability and speed with lower latencies than internet connections. Pairing these connections with other regions requires an add-on but ensures your routing remains optimal for performance.

You can use ExpressRoute for any of the workloads in the chart below, as it helps to secure connections from apps that run in the cloud to on-premises applications.

Option 3

If you’re planning to use an Azure infrastructure workload like a virtual network, or you plan to extend or replace your Active Directory entirely, then you have a few options.

You can use the ExpressRoute solution as discussed in Option 2, or you can connect your on-premises routers to an Azure Gateway using a site-to-site VPN. The gateway can then provide customized access to resources with user-defined routing.

Option 4

If you’re in between a site-to-site VPN and ExpressRoute, there are plenty of third-party network appliances in the Azure Marketplace that provide faster connectivity than a site-to-site VPN, with secure routing between your routers and an Azure Gateway. These devices sit between Options 2 and 3 above. Barracuda and Cisco are popular device providers you can check out.

Final Thoughts

This is in no way a comprehensive look at the infrastructure configurations possible, rather it’s a broad overview to help you start planning.

There are plenty of considerations based on workload, size and directory structure that can either add complexity or simplify the above approaches. You’ll definitely want a partner for this journey!

Asset Protection: Security Policies in Office 365

Let’s review the Office 365 security policies that you need and why they’re important.

Everyone knows they need policies, especially for security. Do you have policies? Are they up-to-date?

Let’s first make a distinction between the two types of policies we have to work with. There are policies in Office 365 and Azure such as Password, DLP, Label, Threat Management, Data Governance and Mobile Device Management. These are the policies you can create in your Office 365 and Azure tenants and they consist of settings that were likely decided upon in your security requirements meetings. These should be part of your baseline platform documentation already.

But what I want to discuss in this article are the other policies that you’ll need and why they’re important. These are the policies in their documented form that have been decided upon and will not change without your governance board or boards’ approval.

Although we won’t talk about it until the Operations and Monitoring blog, post 7 in this series, you can use Secure Score and Cloud App Security for a bit to assist in making decisions about which policies are most important and which ones might wait awhile.

Identity Policy

This type of policy covers items that protect your users, their personal information, and access to your systems.

  • Passwords – It’s likely that your password policies are managed on-premises and not in the cloud, but make sure they’re documented and up-to-date. NIST has new guidelines that may surprise you.
  • Multi-Factor Authentication – I’ll say it again, and probably not for the last time: because of the new NIST guidelines, you will want to enforce this for all admins and for all mobile or off-network logins.
  • Data Loss Prevention – Automatically label documents and emails containing social security numbers or credit cards and prevent them from being shared outside the organization.
  • Mobile Devices – Use some type of device management to govern what devices can connect to your tenant, what apps they can use, and what users can do with those apps.
  • Administration and support – Determine who will administer what portions of your tenant by using roles, and also when they will have access.
  • Onboarding/Offboarding – Be sure to document your process and make concessions for data handling when users leave, especially in a hybrid environment.

Information Policy

This type of policy governs the ingress and egress of your company’s data.

  • External Sharing – Document who can share, what can be shared, from where the sharing can take place and how to monitor sharing.
  • Classification and Encryption – Use Azure Information Protection to allow users to classify, automatically classify and encrypt information in your tenant.
  • Retention – Manage the lifecycle of your data and determine when or if it can be deleted so you retain critical data.

Governance Policy

This type of policy will help you maintain control over the permissions your users have to use your systems.

  • Exchange – Document what services are allowed, who can use them, and how to effectively monitor and adjust as needed.
  • Skype for Business – Determine what your users can and cannot do and share during meetings, chats, whiteboards…
  • Teams – Decide on a Group and Team creation strategy, as well as retention plans, external application use, and external sharing.
  • SharePoint – Determine strategies for storage management and usage, site creation and lifecycle management, and sharing.
  • OneDrive for Business – Decide on quotas and sharing strategy.
  • Yammer – Determine how you want to use Yammer, and how sharing and group creation will take place.
  • Flow, PowerApps, PowerBI, Dynamics, Planner, Sway, Forms… – These are apps that don’t have the traditional Office 365 Admin Center. But don’t let down your guard. They still have access, usage and sharing policies you need to govern.
  • Office 365 Groups – You’ll need a naming strategy and retention policy, ownership and membership policy and external sharing plan. Remember that these are the underlying organizational units for Teams, Planner, PowerBI…

Final Thoughts

In many cases, you’ll find that your existing policies will work fine and will only need to be tweaked a little. Many of these applications and processes, however, won’t have well defined policies in place and you will need to document and manage them.

This will be especially important in your operations management and organizational change management. There are many decisions you need to make during your transition so be sure that you have a partner to help.

Asset Protection: Identity Control in Microsoft Office 365

Your company’s assets can no longer be secured using old methodologies for on-premises networks. You need a hybrid strategy.

Originally published here.

Part three of a series.

Prior to transforming your business to meet the needs of today’s realities, you probably created an account for your user in your company’s directory. You likely provided that account with permissions to folders and applications on your network – perhaps individually or in groups. And you fully understand where your users will be logging in, from what devices and at what times.

But technology has stepped in and the old, tightly secured, impenetrable fortress of your on-premises network has been supplanted by this new “work from everywhere” mentality. This is a good thing, except your users’ identities and your company’s assets can no longer be secured using the old methodologies for on-premises networks.

You’ll need a hybrid strategy.

A Hybrid Strategy for Identity Control

Enter Role-Based Access Management, Privileged Identity Management, Risk-based Identity Protection and the intelligent security graph based on machine learning and AI.

When you make a move to a hybrid cloud scenario you will need these. You will also want Intune for device management, the other side of the identity control scenario.

I use the word “hybrid” because the idea that most companies can or will forego an established, on-premises solution is not realistic based on my client experiences.

The hybrid strategy will remain until all of your existing software solutions – HR, Payroll, BOM, Receivable – are also in the cloud and you’re prepared to decommission your entire local infrastructure (we’ll talk infrastructure topics in blog 5 of this series).

This is also the case whether you’re using a Microsoft Active Directory or another third-party directory/SSO/MFA provider. Good news is you’re not throwing out that investment yet!

Steps to Identity Control in a Hybrid Environment

First, determine your Identity Management Strategy.

If you already have infrastructure available for identity management, check to see if that can be federated with Office 365 and Azure. It’s a simple process even if you need to synchronize a .local domain. In this case, you will manage your accounts on-premises, including password policies, authentication management and resource requests.

Then, determine what applications will be available in the cloud, what roles you’ll use to assign users access to resources, and most importantly, clearly define a group strategy. There are consequences to different types of group creation in Azure Active Directory and Azure Active Directory Premium that you should be aware of prior to a migration.

Keep in mind that these decisions don’t take place in a vacuum and this will have to be a carefully considered sub-project of your overall cloud migration project.

Next, have a look at the additional options available to you in the Azure Active Directory Premium subscriptions, most importantly Identity Protection and Privileged Identity Management.

  • Identity Protection – risk-based logging and alerts to determine potentially harmful sign-ins, sign-ins from impossible locations, and automated remediation
  • Privileged Identity Management – assign JIT (just-in-time) access to provide a user with elevated access during a specified time window, and JEA (just-enough-access) to provide least privileged access to resources

Finally, in the Azure Active Directory Premium subscription you’ll find the opportunity to create Conditional Access policies. If you don’t already have a second-factor authentication provider and policy in place, I recommend exploring the use of conditional access policies to enforce MFA and for a variety of other reasons, especially with the use of mobile devices and your Windows 10 infrastructure.


Asset Protection: Legal Issues and eDiscovery in Office 365

Learn how the Office 365 Security and Compliance Center protects your data in the cloud and serves as a hub for legal needs.

Originally published here.

This blog does not provide any type of post-incident legal guidance but works instead to provide you with the tools available in Office 365 so you can match them to the needs of your organization and make such incidents more manageable.

This topic may include the discussion of tools related to other topics in this series as well, especially in the area of auditing and compliance that pervade throughout the lifecycle of the Office 365 journey.

For security and legal compliance, transparency, and reporting, the tools to use are in the Office 365 Security and Compliance Center and various external Microsoft sites specific to these topics. This Security and Compliance center is the hub for legal work and protects your data using specific user roles for different operations in the center.

Microsoft maintains a high-level of transparency, trust, and certifications surrounding the services it offers in the cloud and any information required by your legal department can be easily located using the above links.

How To Use Office 365 for Legal Issues

What about Office 365’s practical uses for legal issues? There was no shortage of security incidents in 2017 and all of them had legal implications in some measure. I was fortunate enough to be in a position to provide guidance and technical assistance in an incident involving an Office 365 user in a foreign country who was involved in a legal investigation.

The request from the legal team was to have the email held, which is as simple as a checkbox and a duration option (see note at the end about this product). But they were unaware that there were also options for locating and holding data in-place in other locations like Groups, Teams, SharePoint and OneDrive.

For this particular incident, we used an eDiscovery case to perform all the holds, content searches and exports required. An eDiscovery case allows us to create a case, assign users, search for content, select locations where we want to search, retain that data, report on it and finally export it for transport.

I only encountered a few issues at the time and that was the time frame. I didn’t know anything about the case – and I like to keep it that way – but we had 72 hours to make usable data available to the legal team in the other country.

With about 150 GB in the mailbox, it was slow – Microsoft has since made improvements to increase the speed of operations and it is much faster now – and the export had to be split into multiple files.

One thing we know for sure: narrow down those searches using filters and locations to get exactly what you need for your case! You will save time and space, and avoid throughput issues like timeouts.

Security and Compliance Center Capabilities

So what do you need and what are your capabilities in the Security and Compliance center for legal cases? Let’s talk about those.

First, you’ll need an Office 365 Enterprise E3 license and/or a la carte P2 licenses for Exchange and SharePoint in order to retain user data. Also, if you need more enhanced security and management, you’ll need an EM+S license to use AIP, Azure Information Protection, as well as advanced features of AD, MFA, and more.

Next, use the following tools as you need them in your organization:

  • Classification labels and DLP policies – To retain, detect or delete particular information for a period of time. The GDPR Dashboard brings these tools together quite nicely as well.
  • Content Search – To find the information you need, based on the criteria you have, in the locations you select, and for the individual who creates and uses it.
  • Audit Log – To locate any administrative activities for an individual or by a particular administrator.
  • eDiscovery – Serves as a complete management tool for legal cases, including searching, holding, exporting and reporting on user data. I’ve also used the eDiscovery tool in the past to retain departed employees’ information for a required period of time.

There are plenty of tools available for this and, with the use of archive mailboxes and other strategies, plenty of storage available for these operations.

It is important to remember that once a user’s data location is put on hold, that data, and any data generated by the user from that point forward will be retained. I have yet to see any organization deplete their tenant space entirely, much less with eDiscovery as the reason (and I’ve seen some really large operations using a lot of space!).

Final Thoughts

These tools are easy to use, tightly controlled or secured, and really geared toward finding everything related to a user in response, of course, to the GDPR requirements enforceable at the end of May.

Introducing Microsoft Azure products will further enhance your ability to locate usable user data like sentiment analysis, a hot topic right now in the HR world.

*Note on duration option – This is being removed from the Exchange Admin Center, where it lives today, and best practice is to use the Security and Compliance Center for eDiscovery, Holds, Auditing, DLP and retention as they are now integrated with Groups, Teams, SharePoint and OneDrive.