A framework for file migrations to Microsoft 365

One of the major points of confusion and poor execution I still see today is the approach that many take to migrating files to Microsoft 365 and Office 365.

Many years ago I wrote a number of articles about this:

The classic SharePoint migration mistake

SharePoint Online – Pilers and Filers

SharePoint Online migration – Start up is key

and all of that is still valid and I recommend you read it, however the technology has moved on somewhat and it is now perhaps time for an update.

What I’ll cover here is a framework for migrating on premises data, typically on file servers in network shares, into the collaboration tools in Microsoft 365. And that’s the first point. You need to look at this across all the services Microsoft 365 provides you today. Not just SharePoint. Not just OneDrive. And not just Teams. Microsoft provides a range of services that you should consider in this file migration process.

Now many claim that because of all these options it is too complex and therefore you should just dump your data in one place. I can’t tell you how many times I’ve see exactly this, everything from a file server F: drive dumped into a single Document Library in SharePoint. Oh the pain.

image

The secret of success is to have a “system” and not do things randomly without thought. Thus, my framework is shown above. Now let me break down the pieces for you.

image

You firstly start with the source (on the left i.e. a file server drive) and the destinations (on the right, i.e. collaboration services in Microsoft 365).

image

The first step is to filter the source information and remove (yes I said DELETE) stuff that doesn’t make sense to move. Old and duplicate files are example but I have highlighted this in more depth in a previous article:

Data discovery done right

Thus, you should now have less data to move because you have thrown some away. If you haven’t then you are not being serious about this. You should also have a better idea about what data to archive, what is user data, what is common data and so on.

image

With the remaining good data you move (yes, I said move NOT copy) users personal data to their OneDrive. You actually get them to do that so firstly they get familiar with the new environment, they move only what they want to keep and you crowd source this task reducing the workload. We all know that some people will never ‘get around’ to moving their data, so after a suitable time period has elapsed you move it for them. The typically data that is moved in this process is anything on the desktop, home drive or in user profiles.

image

Next, is to identify the common data by function or location and move it to a Microsoft Team. In a typical on premises file server the existing shares you will find data stored in folders like F:\Finance and F:\Administration and so on. These top level shares are most likely going to be the name of the Team and the next level down folders to be the channels inside that Team. In many cases, users may also wish to ‘clean up’ the existing or ‘start fresh’, which is also fine. However, it is relatively easy to find the data that should go into a Microsoft Team and move it there.

image

The next data to move is common data that makes sense living in it’s own dedicated SharePoint Team site. Data that goes into stand alone SharePoint is data that does not require chat and conversations around it, Teams is where that data would live.

The best example here is probably Archive data. This is data the business want to keep ‘just in case’ but won’t be updated by users. Thus, you move the archive data as is, into it’s own designated SharePoint Team site, mark it as read only for everyone so they can use it as a starting point if they need to. The major advantage of moving the archive data to SharePoint is that it is now searchable using the tools in Microsoft 365.

Another good example of a stand alone SharePoint Team site would be an Extranet from which you want external parties to come and download data. Having a stand alone SharePoint Team site makes managing securities much easier.

image

The data that is now left is typically company wide data like policies, procedures, manuals, etc. This is then moved into the traditional ‘Intranet’ using a nice pretty SharePoint Communications Site. This Intranet is available to all and typically used to consume data i.e. get something, read something. New data for this Intranet comes from the output of the individual Microsoft Teams created earlier. For example, imagine the Finance team produces an annual budget. They do this creation inside their own Team and publish the finished result into the Intranet for everyone in the business to consume. I’ve covered this concept in greater detail in a previous article:

The layers of Office 365 collaboration

image

Now you have data all over the place inside Microsoft 365 as many will point out correctly. What’s missing is a consistent method of navigation between all these sources to make it easy for users to navigate. This is where SharePoint Hub Sites come in. You uses this to provide a consistent navigation over the top of all your data. To users this makes it all appear very logical and structured (even perhaps like their old file server) and yet provides the flexibility to be reconfigured at any stage and have those changes automatically applied across the whole structure thanks to SharePoint Hub sites.

image

The final layer is Yammer. This is for company wide communications such as water cooler chat (birthdays, sports, holidays), information on how to better use Microsoft 365, questions about the business, messages from CEO, suggestion boxes, what’s happening with the business or competition, sales, wins and so on.

Like the Intranet, Yammer is designed for corporate wide chat that doesn’t fit into any specific Team (which are arranged by function or location). I have detailed the importance of Yammer in a previous article:

Why Yammer is still relevant

image

Now that you have a linear framework that builds on top of itself, hopefully you have a better picture of where you can put data from a file server into Microsoft 365. Having a framework is great but more importantly is how to get users to also adapt to working in this way. My approach is to start with Yammer and OneDrive first as I have detailed previously:

Focus on the ‘Me’ services first

In short, if users get used to working with just files using OneDrive and then with just chat in Yammer, they will find it much easier to then move to Teams which is effectively files and chat combined. This thinking stems from:

The rule of three

I advocate to not over load people. This is because you need to:

Stop making your users feel stupid

You can have the greatest technology in the world but if no one uses it then it is pretty much wasted. that’s what I see with Microsoft 365. Not enough through and time is devoted to adoption and transformation. Most migrations are done as fast as possible to ‘close the ticket’ and move onto the next. The fallacy of that rushed approach is evident in failed adoption and user frustration.

So there you have it, a framework for migration of file data into the world of Microsoft 365. You can use this framework in whatever way makes sense to you. You can use all of it, none of it or as a basis for your own approach. However, the key message is to HAVE a process rather than something random. Remember, moving to a world of collaboration from a world of storage requires transformation not just migration!

Once you have the top level framework or process, you can then start developing individual frameworks and adoption processes for each piece. That is, one for OneDrive, one for Teams, One for Yammer and so on. Once you have these processes, next you can start automating them to improve reliability and allow you to scale. Without a system you can’t automate. Without automation your effectiveness and profitability continue to fall, so investing the time in a collaborate system is definitely worthwhile. It makes users happier and it makes IT more profitable! A win – win. That is what a move to Microsoft 365 should be all about!

Microsoft Cloud URLs

apple-desk-internet-209151

I’ve started to put together a list of unique URL’s from Microsoft Cloud services such as Azure and Microsoft 365. Typically you navigate to individual services inside the main portal. However, this file I am maintaining on my Office 365 GitHub repository:

https://github.com/directorcia/Office365/blob/master/urls.txt

has a direct link to the services so you can navigate there directly.

I’ll keep adding to these over time, so ensure you check back regularly. if you know any URL’s you reckon should be included, let me know and I’ll add them.

Need to Know podcast–Episode 206

A short sharp episode focusing on the latest news and updates from Microsoft Build. Brenton and I cover off all the Microsoft Cloud news, good and bad as there is unfortunately some bad news to report in recent experiences with Azure. However, there is also lots of good news about updates to your favourite services. Tune in and give us your feedback.

This episode was recorded using Microsoft Teams

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-206-ghost-in-the-machine/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directoria

CIAOPS Patron program

Azure cheat sheet

Azure global outage

What’s new in Microsoft 365 user management

New people centered experiences in Microsoft 365

Microsoft Edge – All the news from Build

Minimize distractions and stay focused with AI powered updates in Microsoft 365

Script to disable direct Shared Mailbox logins

A while back I spoke about

The Insecurity of Shared Mailboxes

and how that even though they have an Azure AD Account they should have their logins disabled and access rights ONLY provided via the mailbox.

To make things easier for people I have now created a script that will allow you to view and potentially disable the direct logins for all your shared mailboxes to make them more secure.

image

The scripts requires that you are already connected to both Exchange Online and Azure AD.

At the top of the script, you’ll find a variable called $secure. If that is set to $false then no changes will be made to your environment, you’ll just get a report like shown above. Shared mailboxes that have direct login enabled will be displayed in red.

image

Now, if you change the variable $secure to $true then any shared mailbox that is currently enabled for direct connection will have that ability disabled. The output will display two lines for each mailbox that has direct access enabled. The first line indicates that direct logins are enabled and then the second line will show that has now been secured. In this scenario, all that is happening is that the shared mailbox identity is simply being blocked as I outlined in my earlier article.

image

 The last possibility is that the shared mailboxes direct logins have already been disabled, and in this case the results of the script should simply show that result in green.

In summary then, you can run this script with the variable $secure set to $false to just display the direct login condition of your shared mailboxes. You can run this script with $secure set to $true and then not only will the direct login condition of the shared mailboxes be reported but they will all then be blocked for direct login.

You will find this script in my GitHub Office 365 repository at:

https://github.com/directorcia/Office365/blob/master/o365-exo-sharedblock.ps1

CIAOPS Techwerks 6–Sydney June 6

bw-car-vehicle

CIAOPS Techwerks move to Sydney in June on Thursday the 6th. The course is limited to 15 people and you can now sign up and reserve your place. To do this just email me (director@ciaops.com) and I’ll add you to the list.

The content of these events is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into Intune, security and PowerShell configuration and scripts, however that isn’t finalised until the day.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:

Patron level Price inc GST
Gold Enterprise Free
Gold $ 33
Silver $ 99
Bronze $ 176
Non Patron $ 399

The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Sydney on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via emails (director@ciaops.com) and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.

The insecurity of shared mailboxes

Shared mailboxes are a really handy component of Microsoft 365 in that they allow multiple users to access a single mailbox. This works really well for generic accounts like info@, accounts@, etc. However, there are some security issues with these that I don’t think many people are aware of.

The first point to note is that shared mailboxes in Microsoft 365 actually have a login and password. Thus, they can be accessed directly using these details. Don’t believe me? Well check out the following documentation:

https://docs.microsoft.com/en-us/office365/admin/email/create-a-shared-mailbox?view=o365-worldwide#block-sign-in-for-the-shared-mailbox-account

which says:

“Every shared mailbox has a corresponding user account. Notice how you weren’t asked to provide a password when you created the shared mailbox? The account has a password, but it’s system-generated (unknown). You aren’t supposed to use the account to log in to the shared mailbox”

So, by default, when you create a shared mailbox you are actually creating an account with a system password in your environment. No so bad you think right? Well, the problem is that, by default, IMAP and POP3 are enabled on all mailboxes, including shared ones.

image

Some actually use this IMAP ability to be able to open shared mailboxes on mobile devices, however doing this comes with a huge risk in my books.

Why? Well, if IMAP is enabled, that means basic authentication is enabled and that is bad as I have said previously:

Disable basic auth to improve Office 365 security

You may feel an unknown system or complex password on a shared mailbox is good enough but to remote bad actors running automated cracking programs against accounts on your tenant, it is only a matter of time until they generate a matching password for that shared mailbox. Once they have that, boom, they’re into that mailbox. From that foothold, they can then launch all types of attacks, but the most likely being phishing your users. It’s all down hill from there!

If you use shared mailboxes on mobile devices, this means you have to know the password for the shared mailbox prior to configuration on the mobile device. Because the shared mailbox has an account, it can have it’s password changed. That means, if you want to use shared mailboxes on mobile devices, you reset the password for the shared mailbox so you know it. You then give that to users so they can configure access on their phones. Anyone else see a problem here? You are providing multiple people access to a single resource with a shared password. What is a shared password? It ain’t a secret for sure now is it? So, what happens when a user leaves the business? I’ll bet most businesses don’t go and reset the password on all the shared mailboxes that user had access to. This means you now have someone outside your business who has a login (shared mailbox email address) and password to a resource in your tenant.

Here’s a scenario where that came back to bite the business. A disgruntled user was terminated and their individual login account was disabled. After the user has fired, they connected back into a shared mailbox directly using IMAP and started sending all sorts of nasty emails to all staff from this mailbox. Now if they had been smart, they would have done this from an anonymous IP address, not one assigned to them from their ISP so we could track them down. However, the damage was done. Why? All because access to the shared mailbox was permitted by insecure protocols and shared passwords.

Edit sign-in status flyout in the M365 admin center

As with most things security, it is pretty easy to protect yourself from this BUT it requires changing the defaults. The easiest way is to:

Block sign-in for the shared mailbox account

along with disabling IMAP, POP and basic auth. Yes, I fully appreciate that may have productivity ramifications, so you need to balance up the risk. However, given how easily this can be exploited, and the damage it could to the business, I’d rather be in the safe and secure camp than the ‘it’ll never happen to us’ blind faith camp personally. Anything that allows anonymous external users the ability to access accounts externally and allows them to keep guessing passwords as you can with IMAP spray attacks is very, very bad in my books. If you read this article:

https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols

make sure you note the very last paragraph which says:

Update, March 21, 2019: This post has been updated to reflect specific cases in which IMAP-based password-spraying attacks were successful, particularly as threat actors targeted shared service accounts, (e.g., hr@company[.]com or helpdesk@company[.]com) or exploited weaknesses in MFA implementations and third-party email client logins.” 

So please, secure your shared mailboxes NOW! If you really, really need shared mailbox access on mobile devices I would suggest you use Office 365 groups instead until Microsoft enables shared mailboxes natively on mobile devices (which is on the roadmap).

Need to Know podcast–Episode 205

Welcome to episode 205. In this episode we’ll learn why Brenton has buyer’s remorse, how restoring files in SharePoint has been improved and how I protect my family using Microsoft 365 and the Microsoft Cloud. That and whole more are in this episode for your listening pleasure.

This episode was recorded using Microsoft Teams

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-205-buyers-remorse/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

CIAOPS Patron Community

Files restore for SharePoint and Microsoft Teams

Do you need to backup Office 365

How I protect my parents using Microsoft 365

New cloud based policy management service for Office 365 ProPlus

What’s new in OneNote for Windows 10

MDATP Threat and Vulnerability Management now publicly available

Microsoft Kaizala rolls out to Office 365 customers globally and will become part of Microsoft Teams

PowerShell Version 7

Introducing Security Policy Advisor

Azure Backup support to move Recovery Service vaults across subscriptions and resources groups

Gratitude

The 25th of April here in Australia and New Zealand marks the anniversary of our first major conflict, fighting under the national flag. The operation at Gallipoli was designed as a diversion to relieve the hard pressed allied forces fighting in France since 1914. This gave birth the legend of ANZAC that we celebrate today.

That anniversary is now more than a hundred years in our past but we continue to use it as the rally point for contributions made by all members of our armed forces over the years. To be willing to serve and die for your country and people within is a special trait indeed. The hope is that we will never see carnage on the scale we have seen in the World Wars, but yet sadly, conflict continues throughout the world.

As much as today is a time to reflect on the sacrifices of the past it should also be a time to express gratitude for what we have today. The people around us, our families, friends, work colleagues and more all add to the fabric of our lives in very positive ways. It is easy in today’s age to over look the simple things, to say thanks to those we love and to help others without the expectation of return. Those that went to places like Gallipoli did this. Those that fight today to keep us safe do this. Those that respond to every day emergencies do this. And for all that we should be grateful.

We can honour the past, we can live in the present but we must plan for the future. We need to take this opportunity to think about how we can make this world a better place. How we can live up to the standards we see from others? Yes, we will fail. Yes, it will be a challenge, but if we truly take the spirt of ANZAC to heart we will continue to sacrifice every day in whatever small way as a daily expression of gratitude.

Start today. Ask yourself, how can I be more grateful because things could surely be a whole lot worse than they are right now!   

For those interested in learning of the continued sacrifices that the ANZACs made after withdrawing from Gallipoli in World War 1, when they went to fight in northern France until the end of the war, should visit my web site:

ANZACs in France