Office 365® For Dummies®
Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com
Copyright © 2019 by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. Microsoft and Office 365 are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2018956414
ISBN 978-1-119-51335-3 (pbk); ISBN 978-1-119-51337-7 (ebk); ISBN 978-1-119-51336-0 (ebk)
Over the last few years, a massive shift has occurred at Microsoft. Microsoft has transitioned from a company that sells software that large customers install locally to a company that sells cloud-based services. Office 365 is just such a service. Microsoft is not the only company that has done this. Just about every traditional software company now offers its product over the Internet as a service.
As a user in this new service-based software world, you have all the power. You can start using advanced software in a matter of minutes that only a decade ago was reserved for the largest corporate entities with dedicated teams and huge budgets. You can decide to start using software one day and decide to stop using it — and stop paying for it — a week later. You can add more user licenses to your subscription or remove them when you don’t need them. In short, it is a great time to be a consumer of software.
This book is about understanding Microsoft Office 365 at a fairly high level. It includes some of the administrative tasks of setting up and managing the software along with using some of the most well-known applications. The Office 365 product consists of many applications, and the book walks you through some of the major ones.
Microsoft is constantly adding new features and products to Office 365 so this book should be used as a base to get started. You can then explore further on your own. In fact, in most cases there are books dedicated to each app in particular. For example, if you want to learn more about Excel, you can pick up a book about Excel. The same goes for other apps like Outlook and Word, as well as apps that need extensive administration and management like SharePoint, Exchange, Teams, and others. We try to balance our coverage to provide a high-level view that can be used to get you started. Think of this book as the entry door to the whole enchilada known as Office 365.
If you are considering moving to Office 365 or have already moved, then this book is the first book you should read to get up to speed on the concepts and terms as quickly as possible.
This book is designed to be read as you want to find out about specific components of Office 365. You do not need to read the chapters of the book in any order; however, we recommend you read the first part first to gain foundational knowledge of service-based software and in particular Office 365. Then feel free to jump around as you see fit.
The familiar For Dummies icons offer visual clues about the material contained within this book. Look for the following icons throughout the chapters:
The Internet is huge! Search www.dummies.com for additional information about Office 365. Simply enter Office 365 For Dummies Cheat Sheet in the Search box to bring up several additional articles about the Office 365 tools.
Office 365 is a service-based offering by Microsoft and bundles software such as SharePoint, Exchange, Teams, along with the traditional Office apps, Word, Excel, PowerPoint, OneNote, Outlook, and countless other new products into a single subscription. The software is accessed over the Internet and paid for on a monthly basis per user.
The traditional Office products are downloadable to many different devices, including iPhones, iPads, Macs, and Android-based phones and tablets, in addition to the familiar Windows-based devices. Microsoft runs the server products in their data centers with their engineers looking after them. You can be assured that they know what they are doing. After all, who better to manage these products than the same people who actually built them in the first place? To ease the mind of the risk averse, Microsoft puts their company name and piles of cash behind Office 365 in a very attractive service-level agreement.
This book is the first step in your Office 365 journey and is designed to get you up to speed as quickly as possible. If you’re ready to take your first step, then you can get started!
Part 1
IN THIS PART …
Start with an overview of how the workplace has changed since the arrival of cloud computing.
Get an understanding of the current threat landscape with the proliferation of hacking as a cottage industry. Learn how bad actors use social engineering to trick you into giving away the keys to your kingdom.
Get your feet wet with a broad understanding of the Microsoft cloud and how Office 365 fits into the mix.
Look into Office 365 and all the products stuffed into the offering, including Exchange Online for email, SharePoint Online for your portal needs, Microsoft Teams for instant and ad-hoc meetings and communication, and Office ProPlus for your desktop productivity needs.
Chapter 1
IN THIS CHAPTER
Understanding cloud computing and its value in the current threat landscape
Getting to know the cloud deployment and service models
Determining the right Office 365 plan for your organization
The way we work today is vastly different from the way we worked in the past. Gone are the days when we worked from 9 a.m. to 5 p.m. in one location using one desktop computer and software that didn’t connect to the Internet. Today we get our work done using a desktop, a laptop, a smartphone, or a tablet while on the bus, at the doctor’s office, during a run, at a coffee shop, and even when we’re on vacation.
Welcome to the new world of work. It is the way most organizations are working, and it is the way the modern and younger workers expect to work.
As more companies embrace the opportunities presented by cloud and mobile computing, they also take on new risks. One of the most significant challenges in today’s computing environment is ensuring security, privacy, and compliance. In fact, there is a consensus in the business world that there are only two types of organizations: those that know they’ve been hacked, and those that don’t know they’ve been hacked. By the end of 2017, more than 28,800 data breaches had occurred globally with over 19 billion — again, that’s billion — records exposed stemming from over 20,000 types of vulnerabilities.
The security issues we know today are not isolated to Fortune 500 companies. The reality is that small and medium-sized businesses (SMBs) are just as vulnerable to attacks. In fact, SMBs face more serious risks for a variety of reasons, including the scarcity of security talent in the industry; their inability to identify, assess, and mitigate security risks; the lack of familiarity with security best practices and the overall threat landscape; and confusion from the multitude of security solutions from which to choose.
One might conclude that the best defense against cyberattacks is to have a computing environment that’s not in the cloud (rather on-premises, as technologists call it), and is protected by firewalls using the best encryption technology and running the latest anti-virus software. The problem with this approach is that all it takes to start a breach is one simple human error, such as clicking on a link or opening an attachment in an email. The reality is that as software and platforms are getting better at combatting cyberthreats, attackers are shifting their focus to the human element to hack the users through social engineering.
But what is social engineering? Consider the following real-life example:
Cloud611, a Microsoft Cloud Solutions Provider, resells Office 365 licenses to SMBs. Recently, a customer forwarded an email to Cloud611 asking why the company was warning him that his account could be deleted or closed. The exact language of the email read:
Under the guise of being a solutions provider, the attacker tried to use a scareware tactic to trick the customer into clicking on the word “here,” which is hyperlinked to a site that then downloads and installs malware on his computer. Fortunately, the customer did not completely fall for it, and the attacker failed — this time.
Social engineering comes in many forms: phishing, spear phishing, scareware, and more. These tactics all attempt to psychologically manipulate a user into divulging information or influence an individual to perform a specific action. The end game is usually to gain access to the computing environment to do harm.
The good news in this story is that the customer did not have to invest thousands of dollars to implement an end-to-end security solution nor hire an expensive security expert to protect his small business. For a mere $2 per user per month, the customer added Advanced Threat Protection (ATP) to his Office 365 Business Premium license to secure his mailboxes, files, online storage, and even his Office applications against advanced threats.
This chapter is for those of you who have a keen interest in understanding the basic principles of cloud computing with the intent of utilizing the benefits of the cloud to run your business in a way that increases employee productivity while keeping your environment secure. It covers the various services offered within Office 365, including what they cost and the latest security and privacy features built into the services. With the knowledge you gain from this chapter, you will be better prepared to run a more secure, productive organization.
The “cloud” is a metaphor for the “Internet.” In simplistic terms, cloud computing means that your applications or software, data, and computing needs are accessed, stored, and occur over the Internet “in the cloud.”
If you’ve had a Facebook account, played online games, shared files with Dropbox, or shared a photo of your new haircut on Instagram, you’ve been computing in the cloud. You’re using the services of an entity to store your data, which you can then access and transfer over the Internet. Imagine what life would be like if you wanted to share photos of your lunch with all of your 500 friends and cloud computing didn’t exist.
For businesses and other organizations, cloud computing is about outsourcing typical information technology (IT) department tasks to a cloud service provider who has the experience, capability, and scalability to meet business demands at a cost that makes sense.
For example, let’s look at a small business such as a boutique accounting firm that services over 200 businesses locally. Email is a critical communication platform for the firm. To be productive, the firm decided to hire an independent IT consultant to install an email server in the office. The deal was that the IT consultant would train a couple of people from the firm to do basic server administration. Beyond the basics, the consultant would be available to remotely access the server to troubleshoot or show up in person if something breaks.
Like most horror stories we’ve heard from people who try to manage their own servers without a highly trained IT staff, the situation turned out to be a nightmare for this firm. The email server went down during tax season when the IT consultant wasn’t immediately available. In an industry where highly sensitive data is exchanged and customer trust is paramount, you can imagine the stress the company owner experienced dealing with email that contained sensitive attachments ending up in a black hole, irate customers who didn’t get a response to their time-sensitive requests, and lost opportunities beyond quantifying.
Cloud computing for members of this firm meant migrating their email to Office 365. So instead of running their own email server, fixing it, patching it, hounding their IT consultant, and dreading another doomsday, they simply paid a monthly subscription to Microsoft, which is the entity responsible for ensuring the services are always up and running. They also know that email will not be lost, because they don’t rely on one piece of equipment getting dusty in a corner of their office break room. Instead, they’re taking advantage of Microsoft’s huge and sophisticated data centers to replicate and backup data on a regular basis.
The basic premise of cloud computing is that organizations of any size can take advantage of the reduced cost of using computing, networking, and storage resources delivered via the Internet while at the same time minimizing the burden of managing those complicated resources.
Not all organizations are created equal. For example, a financial organization has different requirements than a nonprofit organization or a government organization. To address these varied needs, cloud service providers offer different deployment options.
The type of deployment model the boutique accounting firm used in the previous section is referred to as the public cloud, where the cloud computing service is owned by a provider (Microsoft) and offers the highest level of efficiency in a shared but secure environment. The firm did not own or maintain any hardware. It accessed and used the email and other services from the public cloud on a subscription model. In cloud computing-speak, this firm is referred to as a tenant in a public cloud. There are multiple tenants in a public cloud. Each tenant is isolated from the other with security boundaries so there is no data leakage. As illustrated in Figure 1-1, Enterprises A, B, and C can access the same application services in a public cloud, but their data is isolated from each other.
Using a public cloud is like using electricity. You only pay for what you use. And just like electricity, you don’t need to maintain the power plants — the provider does that. You only maintain the devices using the electricity. In this example, you don’t need to maintain and patch the servers running your cloud services, but you do need to maintain the computers and laptops accessing or using the cloud services.
A private cloud typically is dedicated to one organization on its own highly secure, private network located at a company’s on-site data center or at a colocation facility or colo. A colo is a data center facility that rents space for servers to other companies.
Unlike the public cloud, a private cloud doesn’t share computer, networking, and storage resources with other tenants. This allows for a higher degree of flexibility in customizing the cloud environment, as any configuration done in a private cloud only applies to that environment. Industries with privacy concerns such as financial institutions and healthcare organizations typically opt for a private cloud. The same is true for government organizations, which have more stringent security and privacy requirements.
A hybrid cloud is simply a combination of the public and private clouds. For example, an organization may run its email applications in a public cloud, but store customer information in a database in a private cloud to meet business and regulatory requirements. This scenario can be seen as the best of both worlds because an organization can maintain control of the resources it is running on the private cloud, while at the same time take advantage of the scalability of the public cloud to quickly provision additional resources to meet spikes in demand. This is called “cloud bursting.”
Regardless of the deployment model used, cloud computing has afforded organizations of any size the flexibility of being able to scale resources up or down based on its needs at a faster pace and lower cost than before. In fact, cloud computing is the greatest equalizer for businesses as it breaks down the barriers for small and even one-man-show businesses from competing in the global market. For a small monthly fee, any business can use the same productivity tools and built-in security features that large enterprises use.
Contrary to general belief, cloud computing isn’t a new concept. The idea of an “intergalactic computer network” was first introduced in the 1960s by J. C. R. Licklider, one of the most influential men in the history of computer science. Other people attribute the emergence of cloud computing to John McCarthy, another computer scientist who in the 1960s proposed that computing be delivered as a public utility similar to service bureaus that provided services to businesses for a fee.
Back then, massive computing was conducted with supercomputers and mainframes occupying whole buildings. Thousands of central processing units (CPUs) were connected to divide the computing tasks of supercomputers in order to get results faster. The high cost of creating and maintaining these supercomputers precipitated the discovery of more economical computing means, which brings us to where we are today.
With cloud computing today, not only can businesses use the services of specialized providers for massive computing, they also benefit from the lower cost of these services stemming from the efficiencies of shared infrastructure. Generally, there are three types of cloud computing service models (see Figure 1-2):
A software as a service (SaaS) service model is where a software application is paid for on a subscription basis and installed from the cloud provider’s data center. Office 365 is an example of a SaaS model where all your collaboration and productivity applications are bundled together as part of your subscription. You don’t have to run your own email servers, for example, nor do you need to maintain and update the servers. For desktop applications like Office 365 Pro Plus, you can install the software from a web-based portal instead of buying the packaged software from a store. After you’ve installed the software, updates and bug fixes automatically are installed in the background.
In a platform as a service (PaaS) service model, developers can create online applications (“apps” for short) in platforms provided by the PaaS provider. The developers develop their own code for the apps, store it in the PaaS provider’s data center, and then publish the apps. They don’t have to worry about planning for capacity, security, or managing the hardware to run the apps — the PaaS provider does that. A PaaS model also cuts the time it takes to develop apps because of the availability of pre-coded application components such as workflows, security features, search, and so on. To some extent, PaaS is similar to creating a macro in Microsoft Excel where you use the built-in components of the software to run code that automates tasks.
In an infrastructure as a service (IaaS) service model, organizations have access to computing power, network connectivity, and storage capacity, using a cloud provider’s hardware. This model enables organizations to have control over the infrastructure and run applications in the cloud at a reduced cost and at a faster pace. The organization, however, is responsible for managing and updating the operating system running the applications. While capacity planning, security, and hardware management are the responsibility of the IaaS provider (similar to PaaS), it is the organization’s job to monitor the performance of its apps and/or add more resources to meet the demand. Amazon Web Services (AWS) offers several IaaS cloud-hosting products that can be purchased by the hour. Rackspace is another player in the IaaS market offering managed and cloud hosting services. Microsoft Azure started out with a PaaS offering, but has since extended its services to include robust IaaS capabilities.
Office 365 is a SaaS solution running in the public cloud offered on a subscription basis by Microsoft. Each subscription is comprised of one or more licenses depending on the organization’s needs. Subscriptions can be purchased directly from Microsoft or through a Microsoft Cloud Solutions Provider (CSP). When you purchase your subscription directly from Microsoft, your support comes from Microsoft. If you purchase your subscription from a CSP, support for the services is provided by the CSP.
Office 365 comes with four key technologies (or “workloads” as your IT team might call them):
In addition to the four key technologies listed here, the Office 365 suite also comes with a host of other features, some of which may only be available in the Small Business plan, such as Microsoft Bookings, and others that are available in all plans, such as Planner, StaffHub, Forms, PowerApps, and more. As a SaaS solution, Office 365 will continue to evolve, so don’t be surprised to find new features in your subscription that may not be covered in this book.
https://technet.microsoft.com/en-us/library/office-365-platform-service-description.aspx
While it’s true that all organizations should have access to productivity and security tools, not all organizations need the same bells and whistles to run their business or pay the same price for the services. It doesn’t make sense for a small business, for example, to pay the same fees as a large enterprise that has more advanced needs such as eDiscovery for legal purposes.
To address this need, Microsoft designed a variety of plans and subscriptions from which organizations can choose. There are, however, so many plans, subscriptions, and license combinations that sometimes it can be difficult to know which one is right for your organization. To help narrow down your options, refer to the decision tree shown in Figure 1-3 to quickly determine what’s best for you by answering three questions.
The Small Business plans are designed to meet the typical needs of small businesses with 300 or fewer users. There are three key offerings in the Small Business plans:
For small and mid-sized nonprofits, Microsoft offers two plans that correspond to the Business Essentials and Business Premium plans but at zero cost and $3 per user per month, respectively.
There are four key offerings in the Office 365 Enterprise plans ranging from $8 per user per month to $35 per user per month:
The education, government, and nonprofit sectors have corresponding Enterprise plans. The education plans are called A1, A3, and A5; government plans are called G1, G3, and G5; and nonprofits are called Nonprofit E1, Nonprofit E3, and Nonprofit E5. Take note that prices are different for these sectors, so check with your CSP or at https://office365.com.
If you run a business with deskless workers, shift workers, retail store employees, truck drivers, or similar employees, you probably don’t need all the features from any of the Enterprise plans. Most of these workers share a PC or work out of a kiosk and have minimal collaboration requirements and limited communication needs. It doesn’t make sense for these workers to pay the full price for plans that have more features than they need or exclude them from the benefits of using Office 365.
To solve this challenge, Microsoft designed an offering called Office 365 F1 that is targeted for the “firstline workforce.” For $4 per user per month, the F1 plan gives this workforce most of the productivity and collaboration tools focused on these key areas:
When Office 365 was first launched in 2011, most of the pushback from organizations about using the service was around security. People were worried that having their data in the cloud would make them more vulnerable because they don’t have full control of the environment. Today, it’s exactly the opposite. More organizations are moving to the cloud because of security reasons. They are realizing they don’t have the budget, manpower, and expertise to outsmart the attackers who are getting more sophisticated every day, so they rely on companies like Microsoft — with its highly trained engineers and robust infrastructure — to combat cyberattacks.
Especially for small and mid-size companies, it doesn’t make sense to invest thousands of dollars to implement an end-to-end security infrastructure, hire top talent, and stay on top of the cybersecurity trends when they can pay for the service at a fraction of the cost.
Every month, Microsoft scans 400 billion emails for malware and phishing attacks from Office 365 and Outlook. 450 billion authentications are processed by Microsoft every month from its 200-plus cloud consumer and commercial services globally. In addition, Microsoft has scanned more than 18 billion Bing web pages and collected data from 1 billion Windows devices. These insights provide Microsoft with visibility into the current threat landscape like no other company can. On top of that, Microsoft is investing $1 billion in cloud security every year. So, if any company is well-positioned to address security challenges in today’s computing environment, it would be Microsoft.
In Hollywood, con men or women typically are portrayed as well-dressed, suave, and attractive. Whether it’s Ocean’s 11 or its all-female version, Ocean’s 8, the con artists are smart, methodical, and manipulative.
Today’s hackers are similar to con artists portrayed in movies with the advantage of not needing to be well-dressed, suave, or attractive. The con does not even require the con artist to be physically close to the target. With social engineering, hackers are able to carry out a con from hundreds of miles away in the comforts of their dorm room — or parent’s basement.
The 2015 Data Breach Investigations Report published by Verizon illustrated that attacks can happen very fast. Here’s what the statistics tell us in simple terms:
If you think you are immune from social engineering, think again. Hackers have gotten so good at this that your best line of defense is to acknowledge that at some point, you’re going to get hacked and therefore, you need to have a plan in place to recover from it. To plan your defense, it’s helpful to understand the mindset of a hacker and the anatomy of an attack.
Just like the Hollywood con movies, a cyberattack typically involves planning and preparation. Hackers have figured out that it’s better to focus on human weaknesses than fight security-hardened software or platforms. A starting point for them is usually doing a reconnaissance or recon to figure out who the targets are. Believe it or not, there are actually free tools on the Internet to help with this effort, such as Maltego Teeth or a practice called Google Dorking, which is a technique of applying advanced Google searches to discover confidential company information.
From reading the news, we are seeing a rising trend of attacks on not just small businesses but also local governments. For the most part, the hackers are not necessarily targeting a particular person or public organization; rather, their recon is focused on who is vulnerable. The recent attack on the town of Rockport, Maine in April 2018 that forced the town of 3,400 to suspend operations was due to an attacker inserting malicious software in its network through a vulnerable backup server.
Once the targets are identified, the breach is initiated via phishing scams or other social-engineering methods. Modern hackers have realized that phishing emails are so common that people now know how to deal with them, so they’ve started putting malicious macros and code within Word or Excel documents or within a PDF file. An example of this may be a hacker posing as a vendor asking an employee to open an “invoice” posted in an organization’s file share or document library. As soon as the employee opens the file, the breach is initiated.
Once the attackers gain access to the target’s environment, they then use tools to get a dump of all the users in the organization. From there, they then figure out who the administrators are. Admins are the best because they have a lot of power in the IT environment. Once the attackers have the credentials of the admins, they can pretty much do anything they want to do in the environment.
The entrenchment is the scary part. This is the stage when the attackers typically get really sophisticated. While the duration has gotten shorter as to how long attackers are stealthily and merrily beep-bopping along the breached environment, studies have shown that it still takes an average of 99 days between the initial breach and the detection of the attack. That’s three months the attackers have to start impersonating users, delegating permissions, injecting mail-forwarding rules, and more.
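The entrenchment actions named above (mail-forwarding rules and delegated permissions) leave records in the mailbox audit trail, and a tenant admin can review them well inside that 99-day window. The following is an added example, not code from the book or from Microsoft: it runs over constructed, simplified audit records, and the record layout, the domain contoso.example, and the function names are assumptions.

```python
import json
import re

# Assumption: the tenant's own mail domains. Anything else counts as external.
ORG_DOMAINS = {"contoso.example"}
# Exchange cmdlet parameters that send a copy of mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Add-MailboxPermission"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample: one simplified audit record per line (not real tenant data).
SAMPLE_LOG = """\
{"CreationTime": "2018-04-02T09:14:07", "Operation": "New-InboxRule", "UserId": "alice@contoso.example", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@mail.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2018-04-02T10:01:55", "Operation": "New-InboxRule", "UserId": "bob@contoso.example", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]}
{"CreationTime": "2018-04-03T02:40:12", "Operation": "Set-Mailbox", "UserId": "alice@contoso.example", "Parameters": [{"Name": "Identity", "Value": "alice"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail.example"}]}
{"CreationTime": "2018-04-03T02:44:30", "Operation": "Add-MailboxPermission", "UserId": "alice@contoso.example", "Parameters": [{"Name": "Identity", "Value": "ceo@contoso.example"}, {"Name": "User", "Value": "alice@contoso.example"}, {"Name": "AccessRights", "Value": "FullAccess"}]}
{"CreationTime": "2018-04-04T08:20:00", "Operation": "New-InboxRule", "UserId": "carol@contoso.example", "Parameters": [{"Name": "ForwardTo", "Value": "dave@contoso.example"}]}
"""


def external_recipients(value):
    """Return the addresses in a parameter value whose domain is outside the tenant."""
    found = []
    for match in EMAIL_RE.finditer(value):
        if match.group(1).lower() not in ORG_DOMAINS:
            found.append(match.group(0).lower())
    return found


def review_record(record):
    """Return a finding dict for a record worth an admin's attention, else None."""
    operation = record.get("Operation")
    if operation not in WATCHED_OPS:
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    base = {"time": record.get("CreationTime"), "user": record.get("UserId"),
            "operation": operation}

    if operation == "Add-MailboxPermission":
        # Full access to another person's mailbox is how impersonation persists.
        if "FullAccess" in params.get("AccessRights", ""):
            detail = f"{params.get('User')} -> {params.get('Identity')}"
            return dict(base, reason="mailbox-delegation", detail=detail)
        return None

    targets = []
    for name, value in params.items():
        if name in FORWARD_PARAMS:
            targets.extend(external_recipients(value))
    if targets:
        return dict(base, reason="external-forwarding",
                    detail=", ".join(sorted(set(targets))))
    return None  # internal forwarding or an ordinary rule: not flagged here


def review_log(text):
    """Review every JSON line and return findings, forwarding first, then delegation."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            hit = review_record(json.loads(line))
            if hit:
                findings.append(hit)
    return sorted(findings, key=lambda f: (f["reason"], f["time"]))


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding["time"], finding["user"], finding["reason"], finding["detail"])
```

Rules that forward to a colleague inside the tenant (the last sample record) and rules that only file mail into a folder are deliberately left out of the findings.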
Security in a cloud-computing environment is a partnership between the tenant organization and the cloud service provider. Both parties have responsibilities that, if done right, will enhance the security posture of an organization.
In Office 365, Microsoft, as the cloud service provider, takes care of the physical security of its data centers where all of its customers’ data is stored. It has 24-hour monitoring and biometric scanning technologies implemented to secure the access to its data centers. Faulty drives and hardware are not taken out of the data centers — they are demagnetized and destroyed in huge shredding machines.
Microsoft has policies in place to limit human access to customer data. It has dedicated threat-management teams whose sole job is to proactively anticipate, prevent, and mitigate malicious access. The networks are constantly scanned for vulnerabilities and intrusion.
If your Office 365 plan comes with Exchange Online, you automatically have Exchange Online Protection or EOP. This service is what filters your incoming or outgoing email from spam, viruses, malware, or email policy violations, all to keep your environment safe.
On the customer side, there are tasks a tenant admin can do and actions end users can perform to enhance security. An admin can implement multi-factor authentication (MFA), which requires a user to prove his or her identity using a second factor such as a phone. If you’ve ever been asked by your mobile banking app to enter a code sent as a text message after you’ve entered your username and password, you’re interacting with MFA.
Office 365 admins can implement policies to prevent users from accidentally leaking confidential data. For example, an admin can create a policy that will prevent a user from sending an email if the email contains a string of characters that look like a credit card number or social security number.
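To show what "looks like a credit card number or social security number" means in practice, here is an added example that is not from the book and is not how Office 365 implements its policies. It pairs a pattern match with a validity check (the Luhn checksum for cards, never-issued ranges for SSNs) so that ordinary order numbers do not block mail; the function names and sample messages are constructed for illustration.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# US social security number in its usual written form AAA-GG-SSSS.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:       # double every second digit, counting from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject SSN-shaped strings that are never issued (area 000, 666, 9xx; group 00; serial 0000)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(value):
    """Keep only the last four digits so the finding itself does not leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(body):
    """Return a list of (kind, masked value) for sensitive strings found in the message body."""
    findings = []
    for match in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):      # pattern alone is not enough: it must also be a valid card number
            findings.append(("credit_card", mask(digits)))
    for match in SSN_RE.finditer(body):
        if ssn_plausible(*match.groups()):
            findings.append(("ssn", mask(match.group())))
    return findings


def policy_decision(body):
    """Mimic the policy described above: block the send when anything sensitive is found."""
    return "block" if scan_message(body) else "allow"


if __name__ == "__main__":
    # Constructed sample messages. 4111 1111 1111 1111 is a widely used test card number.
    samples = [
        "Please charge 4111 1111 1111 1111 for the renewal.",
        "Order ref 1234 5678 9012 3456 has shipped.",
        "My SSN is 123-45-6789, please update payroll.",
        "Call me at 317-572-3993 about ticket 900-12-3456.",
    ]
    for text in samples:
        print(policy_decision(text), scan_message(text))
```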
Mobile device management (MDM) is another way for admins to increase security in the organization. For example, if a user loses his phone or laptop, an admin can remotely wipe the data from those devices so that even if someone finds the device and manages to log in, all the corporate data will no longer be present on the device.
Office 365 also offers advanced security functionalities such as the ability to send encrypted email to recipients outside of Office 365 (for example, to people with Gmail accounts). This feature, called Office 365 Message Encryption, is available in the E3 license. With an E5 license, Exchange Online Advanced Threat Protection is built-in, so if a user inadvertently clicks on a bad link, it won’t cause damage because links are first “detonated” in a virtual machine in the Microsoft cloud. In essence, if a link is good, the user will be taken to the site; if the link is bad, the user will be blocked and a notification will display warning the user of the suspicious link.
The Security and Compliance Center in Office 365 (see Figure 1-4) is your one-stop-shop to manage policies, reports, investigations, security posture, and even compliance with GDPR, a European Union (EU) regulation that took effect on May 25, 2018. GDPR stands for “General Data Protection Regulation” and is designed to serve and protect the personal data of all EU citizens.
The dashboard also provides a link to Microsoft Secure Score, a security analytics tool designed to help you understand what your current risk profile is and how you can improve your security posture (see Figure 1-5).
An Office 365 Global Admin can create custom policies or update existing policies in the Security and Compliance Center. If you’re an admin and would like to mark a certain user or domain as spam and apply that policy to your entire organization in Office 365, follow these steps:
portal.office365.com.
Click Security & Compliance from the list of options.
You are taken to the Security and Compliance Center dashboard.
You can also go directly to the dashboard by following this link: https://protection.office.com. However, it is recommended that you log in to the Office 365 portal first because this link may change as Microsoft works to consolidate its numerous portals and online assets.
Click the edit icon next to Block Sender and enter the email address of the sender you want to block.
This will prevent this sender from sending email to your entire organization.