Ignite is fast approaching and I have an impossible schedule at the event, so I’ll be viewing a lot of Channel 9 videos afterward. Questions about what guest users might do when they gain access to Office 365 Groups need careful thought. You might be surprised that mail-enabled objects are limited in terms of proxy addresses, and the code for one of the new U.K. data centers is odd, but explainable.
The Difficulty of Scheduling at Ignite
If you’re one of the 22,000 souls who will make their way to Atlanta for the Microsoft Ignite conference starting on September 26, you’ll be able to browse the session catalog and construct a personal agenda online. I’ve found quite a lot of sessions that I would like to attend, but when I add them to the schedule (as shown in Figure 1), it’s obvious that I cannot achieve my goal unless I master the art of co-location (in four different places at times).
Figure 1: The sessions I would like to attend at Microsoft Ignite
Tant pis, as my French friends would say. The solution is to view the session videos afterward on Channel 9. I believe all of the 75-minute sessions are being taped and should be available online within 48 hours. Channel 9 is a great resource for those who can’t attend Ignite or, like myself, find too much to do in too little time because of competing attractions.
Bad Guest Behavior in Office 365 Groups
After any new feature is introduced, people start to think through how the functionality actually works and where any weaknesses might lurk. So it was last week following the announcement of external guest access for Office 365 Groups, a much-awaited feature because so much teamwork and collaboration extends across company boundaries.
In any case, a worry was voiced that guest users might act badly when they were allowed access to a group document library. All users – both guest and internal – share the same level of access to items in document libraries (guest users don’t have direct access to the group shared mailbox, however). I guess that internal users are kept under control because they are employed by the company, but the same discipline might not extend to guests, who might suddenly decide to delete everything in the document library. Of course, the deleted items can be recovered from the site recycle bin and no great harm will be done even if a guest user loses control of themselves and goes on a delete splurge.
Joking apart, the question does raise a valid issue, which is whether to allow guest access to “complete” groups where all information is available, or “special” groups created specifically to allow guests to work only with the information they need to access.
For instance, let’s assume a team needs some advice about a contract document from an external legal advisor. Is it better to allow the advisor full access to the group in which the contract is stored along with other confidential information or to create a special group that holds just the contract document? I think the latter is a better approach in the circumstances, but it’s equally true that great value might be gained if the advisor can access more than the bare-bones contract and can also see the supporting documentation held in the library. All of which goes to prove that people always have to think about how to best use technology rather than rushing to deploy.
Looking forward, the previously announced and soon-to-be-rolled-out integration between SharePoint team sites and Office 365 Groups might make it possible for different document-level permissions to be assigned to individual group members. That concept flies in the face of the idea that a group represents a common identity shared by all members, but you never know…
New Office 365 Reports
Microsoft took the opportunity on September 13 to announce a new set of reports that they’ll provide to tenants through the Office 365 Admin Center. Gaining any insight into how tenant users are consuming the various services a company has paid for in Office 365 is a good thing, and I like the fact that Microsoft is continuing to increase the number and quality of the reports that it offers. However, that remark has to be balanced by the realization that Microsoft only stores and reports on a moving 180-day window of tenant data. That’s fine if all you care about is the most recent data but not so good if you need a more comprehensive analysis of consumption and usage over an extended period, which tends to be the case when large enterprises come to plan and manage cloud usage. This is one of the niches exploited by ISVs who specialize in reporting on Office 365, including the kind of slicing and dicing of data that makes it more understandable and usable for planning purposes.
Blowing the Recoverable Items Quota
As I am sure you know, Exchange Online mailboxes are assigned a recoverable items quota of 100GB, which should be quite sufficient to handle the need to retain information required by eDiscovery in-place or litigation holds. A question from a reader revealed that some mailboxes seem to have the older 30GB quota assigned, which can obviously lead to difficulties if the lower quota is exceeded. As explained in this article, bad things happen when quotas are bust, with the two most severe being that items can’t be deleted from the mailbox and the Managed Folder Assistant can’t process the retention policy assigned to the mailbox. If this happens, it’s time to ask Office 365 support to increase the recoverable items quota. Once things settle down and start working as normal, you might then review why so much information is accumulating in recoverable items and perhaps take action such as releasing some of the holds that are in place (if possible).
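An added example (not from the original article): a read-only check that lists mailboxes on hold whose recoverable items quota is below 100GB or whose Recoverable Items usage is approaching the quota. It assumes an Exchange Online remote PowerShell session; the 80% warning threshold and the helper name are choices made for this example.

```powershell
# Added example. Assumes an Exchange Online remote PowerShell session.
# Remote sessions return sizes as text such as "30 GB (32,212,254,720 bytes)",
# so the byte count is parsed out of the string before comparing.
function ConvertTo-ByteCount([string]$Size) {
    if ($Size -match '\(([\d,]+) bytes\)') {
        return [int64]($Matches[1] -replace '[^\d]', '')
    }
    return $null   # e.g. "Unlimited" or an empty value
}

$fullQuota = 100GB   # current recoverable items quota stated in the article
$warnAt    = 0.8     # example threshold: flag mailboxes above 80% of quota

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled -or @($_.InPlaceHolds).Count -gt 0 } |
    ForEach-Object {
        $quota = ConvertTo-ByteCount $_.RecoverableItemsQuota
        $stats = Get-MailboxStatistics -Identity $_.UserPrincipalName
        # TotalDeletedItemSize is the size of the Recoverable Items folder tree.
        $used  = ConvertTo-ByteCount $stats.TotalDeletedItemSize
        if ($quota -and $null -ne $used) {
            [pscustomobject]@{
                Mailbox     = $_.UserPrincipalName
                QuotaGB     = [math]::Round($quota / 1GB, 1)
                UsedGB      = [math]::Round($used / 1GB, 1)
                PercentUsed = [math]::Round(100 * $used / $quota, 1)
                OldQuota    = $quota -lt $fullQuota
            }
        }
    } |
    Where-Object { $_.OldQuota -or $_.PercentUsed -ge (100 * $warnAt) } |
    Sort-Object PercentUsed -Descending |
    Format-Table -AutoSize
```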
Office 365 Admin Center and Guest Users
The Security and Privacy section of the Office 365 Admin Center now contains an option to “control access for people outside your organization.” In fact, the name given to the option is a little misleading because it controls the ability of tenant users to send invitations to external users. To clarify, four levels of control exist with regard to the ability of Office 365 Groups to support guest users:
1. The AAD instance for the tenant must allow invitations to be sent to external users. This is the control that exists in the Office 365 Admin Center.
2. SharePoint Online must allow sharing. This option is set through the SharePoint Online Admin Center.
3. The AAD policy for Office 365 Groups must allow guest users to access groups.
4. If necessary, individual groups can be enabled or disabled for guest access.
The only way to manipulate the settings for 3 and 4 above is through PowerShell. For more information about how to update the AAD settings for Office 365 Groups, see this article.
Figure 2: Controlling sharing for guest users
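An added example (not from the original article or the article it links to): one way to inspect the AAD policy for Office 365 Groups and to disable guest access for a single group, the two controls the text says are reachable only through PowerShell. It assumes the AzureADPreview module and a session opened with Connect-AzureAD; the group name "Legal Contract Review" is hypothetical.

```powershell
# Added example. Assumes the AzureADPreview module and an admin session
# opened with Connect-AzureAD. The group name below is hypothetical.
$names = 'AllowGuestsToAccessGroups', 'AllowToAddGuests'

# Tenant-wide policy for Office 365 Groups (the Group.Unified directory setting).
$tenant = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
if ($tenant) {
    $tenant.Values | Where-Object { $_.Name -in $names } | Format-Table Name, Value
} else {
    # No settings object has been created yet, so the template defaults apply.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $template.Values | Where-Object { $_.Name -in $names } |
        Format-Table Name, DefaultValue
}

# Per-group control: stop guests being added to one group that holds
# confidential material, leaving the tenant-wide policy untouched.
$groups = @(Get-AzureADGroup -Filter "DisplayName eq 'Legal Contract Review'")
if ($groups.Count -ne 1) {
    throw "Expected exactly one matching group, found $($groups.Count)."
}
$groupId = $groups[0].ObjectId

$current = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
    Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
if ($current) {
    # A per-group setting already exists: update it in place.
    $current['AllowToAddGuests'] = $false
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
        -Id $current.Id -DirectorySetting $current
} else {
    # Create the per-group setting from the Group.Unified.Guest template.
    $guestTemplate = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    $setting = $guestTemplate.CreateDirectorySetting()
    $setting['AllowToAddGuests'] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
        -DirectorySetting $setting
}

# Confirm what is now in force for the group.
(Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId).Values
```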
An Important Security Update
Old code creates all manner of legacy issues, an adage of the IT industry proven correct once again by the discovery of yet more vulnerabilities in the Oracle Outside In libraries used by all supported versions of Exchange to view documents. These libraries surely hold the record for the buggiest and most insecure modules used by any Office server (perhaps someone else has another code library to nominate?) as they have been the subject of many security bulletins over the years. In any case, it’s certainly something that anyone running an Exchange server needs to pay attention to and fix using the MS16-108 patches released on September 13, 2016.
Maximum Proxy Addresses
Office 365 MVP Vasil Michev, who is known to delve into the darker corners of the service, draws my attention to the fact that Office 365 limits a mail-enabled object to 100 proxy addresses. Vasil says that the actual limit is higher at around 200, but I guess it all depends on the size of the proxy address. The question here is surely why any mail-enabled object needs to have so many proxy addresses? One use case is when you have a shared mailbox that is assigned the proxy addresses for departed employees so that an auto-reply can be dispatched if anyone sends a message to those people. Oh well, I guess we’ll have to restrain ourselves to 100 — or just keep going until an error message is seen.
The Curious Code for the Durham Data Center
As you know, Microsoft opened two U.K.-based data centers for business on September 3. One is in London and is referred to as “LO” while the other is in Durham and boasts the code “MM,” all of which raises the question of how Durham could be reduced to “MM”. It’s not as if Durham is the world center for chocolate sweets. The answer is more prosaic and is linked to the IATA code for the nearby Durham-Tees Valley airport (MME).
The U.K. data centers host only Exchange Online and SharePoint Online data at present, which is fine if all you’re concerned about is data residency for email and documents. It’s enough for launch customers such as the U.K. Ministry of Defence. Things get more complicated if you throw Office 365 Video, Sway, or Skype for Business into the mix, as data will end up elsewhere. Sway, for instance, is only hosted in the U.S. You can gain an insight into where your tenant’s services are hosted by running the PowerShell command
Good luck in interpreting the response, which actually does contain a lot of clues as to where different Office 365 services are hosted.
All of this goes to prove that having an in-country data center isn’t a complete answer for all Office 365 services until Microsoft moves the capability to host those services into those data centers.
Follow Tony on Twitter: @12Knocksinna