CoNetrix

Blog: Microsoft Office

Many organizations are adopting Microsoft 365 (formerly Office 365) and businesses nationwide are seeing the benefits of improved productivity through its email and collaboration solution. Organizations of all sizes can benefit from a seamless user experience between mobile and on-premise environments.

While Microsoft 365 offers great flexibility, it mostly focuses on infrastructure management rather than data management. Meaning: You are responsible for your data.

Some businesses who have migrated their workloads to Microsoft 365 do not realize that the same reasons they had for backing up and protecting that data on-premises applies even in the cloud.

If you are still considering Microsoft 365 for office productivity and collaboration, this article may be for you: Microsoft 365: Is it the right choice for your business?

Without proper backup and recovery, your data is at risk, because Microsoft isn't providing complete protection. It's important to create a backup and recovery strategy to ensure you avoid permanently losing your critical data.

It's important to understand the difference in responsibilities of Microsoft and Microsoft 365 user organizations. Microsoft hosts the infrastructure, but you are responsible for your data.

What is Microsoft's Responsibility?

Cloud Infrastructure Uptime — Microsoft focuses on the infrastructure management rather than data management. By focusing on infrastructure, Microsoft ensures its cloud service is online and operational. Guaranteed uptime is based on your agreement level and outlined in the availability SLA (Service Level Agreement).

Basic Data Replication — Microsoft provides basic data replication with datacenter-to-datacenter geo redundancy, and limited retention for short-time data recovery.

Data Processing Compliance — Compliance and controls for data processing are limited to the processor, not the data itself. Microsoft ensures data privacy, regulatory controls, and industry certifications for compliance are in place and maintained for the infrastructure of its cloud service.

Physical Infrastructure Security — Security functions for Microsoft 365 are limited to physical infrastructure, not data. It includes app-level security, logical security, and access controls for users and administrators.

What is the Customer's Responsibility?

Business Data in Microsoft 365 — The customer is the owner of the data that resides in the Microsoft 365 data centers. As the owner, the customer controls the data and who can access the data. All responsibility of the data is on the user to ensure data security, privacy, and retention.

Enterprise-grade Backup and Long-Term Data Retention — Implementing an enterprise-grade backup solution for Microsoft 365 can give businesses confidence to recover from security breaches, compliance exposure, and data loss. With enterprise-grade backup, a copy of the data is stored outside the environment. In the event of an incident, it provides granular and point-in-time recovery options.

Data Owner Compliance — As the data owner, the customer has the ultimate responsibility of data for internal legal and compliance teams. The customer answers to the demands from corporate and industry regulations.

Security Functions to Protect Data — Protection of data is the responsibility of the user, not Microsoft. Security controls must be implemented to protect the data from internal threats, such as accidental deletion, insider threat, and disgruntled employees, and external threats, such as malware, ransomware, and rogue applications.

What happens when Microsoft 365 is used without backup?

Microsoft only provides basic and limited retention. If you don't implement a backup strategy outside of Microsoft's native capabilities, you are opening up your business for unnecessary risk. Lack of a Microsoft 365 backup plan is a risky data strategy.

Without proper backup and recovery, your organization can expose itself to the following risks:

  • Data loss from accidental deletions
  • Ransomware attacks and security breaches
  • Insufficient retention time for regulatory compliance policies
  • Lack of data control due to potential SaaS lock-in

Organizations investing in productivity and collaboration tools should also consider their backup and retention needs as a factor in efficiency and productivity. Considering a third-party backup solution is critical for data loss avoidance.

What is the best strategy for Microsoft 365 backup?

Your data is your business. By taking a data-driven approach to your backup strategy, you recognize the critical importance of your data for your business stability.

Make Microsoft 365 Backup a Key Priority

Backup for cloud services (SaaS), such as Microsoft 365, is imperative for security and data control. Full oversight and control of data is a boardroom priority. Without backup, organizations do not have an exit strategy or freedom from SaaS lock-in because they are not in complete control of their data. Backup should be part of the conversation when buying SaaS and not an afterthought.

Consider Enterprise-grade Data Protection

When investing in backup solutions, consider integration between the Microsoft 365 environment and your existing data protection environment. Evaluate automation, security, and integration between systems when comparing enterprise-grade data protection and recovery features. Integrating SaaS into enterprise data protection can help unify data management.

What to look for in a Microsoft 365 backup solution

1) Freedom to use existing on-premise capacity for Microsoft 365 backup, or the ability to leverage another cloud for cloud backup.
2) Basic features provided, such as incremental backups, granular recovery, automation, and policy-based retention capabilities.
3) A solution capable of managing and protecting hybrid deployments and the ability to ease the full adoption of SaaS.
4) Integration between Microsoft 365 and the customer's existing data protection environment.
5) Advanced security features such as access control, SaaS usage metrics, and multifactor authentication for additional security.
6) Ability to scale up or down as business and data demand changes and as SaaS is rolled out more widely within the company.


Investing in productivity tools and the corresponding backup is an exciting adventure. When you are ready for a guide, we are here to help. We can advise on and implement a solution that fits your business needs. Contact us today to schedule a consultation.

Financial Institutions, General, Networking, Security and Compliance, Backup, Recovery, Information Security Program, Microsoft, Exchange, Financial Institution, Credit Union, Microsoft Office, Cybersecurity, Microsoft Exchange, Microsoft 365, backup, Exchange Web Services,
 

Microsoft has been emphasizing Office 365 (now Microsoft 365) subscription services since the public introduction in 2011. As a result, the popularity of these services has grown to over 155 million active users as of October 2018, and is gaining new users at over 3 million seats per month. With this growth, on-going marketing, and the increasing acceptance of public cloud services, many businesses and financial institutions are starting to look at Microsoft 365.

In this article, we will highlight several pros and cons of Office 365 you should consider to determine if it's right for your business.

Microsoft 365 (formerly Office 365) encompasses several different products and services, but in this article, we will address these services in two primary areas: user applications and back-end services.

Microsoft 365 User Applications

Most Microsoft 365 subscription plans include Office applications like Word and Excel running on Windows, macOS, and portable devices running iOS and Android. Applications are also available through a web browser but most customers are interested in Microsoft 365 applications as a possible replacement for traditional Office licensing.

What are the primary differences between Microsoft 365 and traditional on-premise Office applications?
  • Microsoft 365 is an annual subscription per user or seat. Each user is entitled to run the Microsoft 365 applications on up to 5 devices for the term of the subscription. As long as you continue to pay the annual subscription, you are covered for the Office applications included in your plan.
  • Office applications through Microsoft 365 are designed to be downloaded from the O365 portal. There is no license key to determine if you have a valid license. After installation the applications routinely "check in" to the M365 (formerly O365) portal to ensure there is an active account. Because of this check-in process IT administrations must use a specific procedure for mass deployment of M365 applications. Additionally, installation on multi-user servers like Remote Desktop Services and Citrix requires a new approach.
  • Microsoft 365 applications are designed to install features and security updates directly from Microsoft when they are released. Legacy patch management solutions like Windows Server Update Services (WSUS) and 3rd party solutions will not work with M365. This can create a challenge for regulated customers who are required to report on patch status. Scanning tools used by auditors to determine patch levels will need the ability to recognize the differences between M365 and traditional Office applications. The M365 update process could also create an issue for Office-integrated applications if a hotfix is released that affects the compatibility of those applications, as there will be no option to block that update from being installed.
  • Microsoft 365 applications utilize a feature called Click to Run. This feature, which was originally introduced with Office 2016, provides a streaming method for installing features and patches for Microsoft 365 and Office 2019 applications. Our experience is that Click to Run can use a significant amount of bandwidth if you are installing Office applications or large updates on multiple systems simultaneously.
Is licensing through Microsoft 365 less expensive than traditional licensing?

For most customers the biggest question is: "Is licensing through Microsoft 365 less expensive than traditional licensing?" The answer is "It depends!" Microsoft 365 licensing could be financially attractive if:

  • Your business always updates to the latest release of Office.
  • You want the flexibility of per user licensing.
  • You want to take advantage of the licensing of up to 5 devices for multiple systems, mobile devices, home use, etc.
  • You need a simplified update process that works anywhere the PC has Internet connectivity.
  • You need to use the browser-based applications for a specific function or employee role.
  • You plan to implement one of the Office 365 back-end services.

Microsoft 365 Back-End Services

Microsoft provides several cloud server applications through Microsoft 365 including Exchange Online (email), Skype for Business (voice and messaging collaboration), SharePoint (file collaboration), and OneDrive (file storage and sharing). These back-end services can be implemented individually, or as part of a bundle with or without the Office applications depending on the plan. However, Exchange Online vs. Exchange on-premise is receiving the most attention from our customers.

What should I look for when performing due diligence?

The security and compliance of back-end Microsoft 365 services is not significantly different than any other cloud-based application or service. The areas to research include:

  • External audit attestation – SSAE 18 or similar
  • Data location residency – production and failover scenarios
  • Data privacy policies - including encryption in transit and at rest
  • Contracts and licensing agreements
  • Intellectual property rights
  • Service Level Agreements – service availability, capacity monitoring, response time, and monetary remediation
  • Disaster recovery and data backup
  • Termination of service
  • Technical support – support hours, support ticket process, response time, location of support personnel
A few more things to consider...

As a public cloud service, Microsoft 365 has several challenges that need specific attention:

  • The business plans listed on the primary pricing pages may include applications or services that you don't need. All of the various features can be confusing and it's easy to pick the plan that is close enough without realizing exactly what's included and paying for services you will never use.
  • Most of the back-end M365 services can integrate with an on-premise Active Directory environment to simplify the management of user accounts and passwords. This provides a "single sign-on" experience for the user with one username and password for both local and M365 logins. Microsoft has several options for this integration but there are significant security implications for each option that should be reviewed very carefully.
  • Microsoft has published several technical architecture documents on how to have the best experience with Microsoft 365. The recommendations are especially important for larger deployments of 100+ employees, or customers with multiple physical locations. One of the notable recommendations is to have an Internet connection at each location with a next-generation firewall (NGFW) that can optimize Internet traffic for M365 applications. Redundant Internet connections are also strongly recommended to ensure consistent connectivity.
  • The default capabilities for email filtering, encryption, and compliance journaling in Exchange Online may not provide the same level of functionality as other add-on products you may be currently using. Many vendors now provide M365-integrated versions of these solutions, but there will be additional costs that should be included in the total.
  • Microsoft OneDrive is enabled by default on most Microsoft 365 plans. Similar to other public file sharing solutions like Dropbox, Box, and Google Drive, the use of OneDrive should be evaluated very carefully to ensure that customer confidential data is not at risk.
  • Several other vendors provide Microsoft 365 add-on products that provide additional functionality which may be useful for some businesses. Netwrix Auditor for Microsoft 365 can provide logging and reporting for security events in your M365 environment. Veeam Backup for Microsoft 365 can create an independent backup of your data to ensure it will always be available. Cloud Access Security Brokers (CASB) such as Fortinet FortiCASB and Cisco Cloudlock can provide an additional layer of security between your users and cloud services such as M365.

Discover why the default retention policies of Microsoft 365 can leave your business at risk.

It is certainly a challenge to research and evaluate cloud solutions like Microsoft 365. Financial institutions and other regulated businesses with high-security requirements have to take a thorough look at the pros and cons of any cloud solution to determine if it's the best fit for them.

CoNetrix Aspire has been providing private cloud solutions for businesses and financial institutions since 2007. Many of the potential security and compliance issues with the public cloud are more easily addressed in a private cloud environment when the solution can be customized for each business.

The combination of Office application licensing with back-end services like Exchange Online can be a good solution for some businesses. The key is to understand all of the issues related to Microsoft 365 so you can make an informed decision.

Contact CoNetrix Technology at techsales@conetrix.com if you want more information about the differences between Aspire private cloud hosting and Microsoft 365.

Financial Institutions, General, Networking, Security and Compliance, Financial Institution, Microsoft Office, Cybersecurity, Microsoft Exchange, Cloud Hosting, Productivity, Office 365, Microsoft 365,
 

I came across a strange issue with one customer's multiple laptops where they could not print from Office programs or a test page. PDF documents printed through Adobe Reader were working.

While troubleshooting, I ran a capture of file access procedures through Microsoft's Process Monitor application. What I found in the capture was an access denied event to C:\Temp on the laptop.

I edited the permissions on C:\Temp by adding Everybody modify access to the folder and was able to print normally after that. This fixed the issue on the rest of the laptops also.

Microsoft Office,
 

I've increasingly had issues getting Excel to open other Excel files if I already had one open. I noticed it happened every time I was working in one of my spreadsheets that contained macros. However after some research, I discovered that Microsoft has intentionally designed this so that if Excel thinks you are editing a cell, it will not allow you to open any other Excel files (even if they are unrelated).
Although there isn't really a true solution, if you hit enter, or simply get out of the cell as if you're editing it, or hit save, you should be able to open other files.
Microsoft Office, Excel,
 

If you have ever been annoyed with Office AutoCorrect changing words like "VMware" to "Vmware", you'll be relieved to know there is help for you. In any Office application, go to File->Options->Proofing-> AutoCorrect Options->Exceptions->INitial CAps. There you can add the string in question (ex. "VMw") to the list to stop Office apps from constantly correcting your typing "errors".
Microsoft Office, autocorrect,
 

After installing each Windows 10 creator's update, I get the following error message when I try to click on any link in any email message or click on a table of contents link in a Word doc:

It's not an entirely bad thing to have email links require a copy and paste but it's a real problem with other links like the Table of Contents in a long Word document.

There is a KB article at https://support.microsoft.com/en-us/kb/310049 that discusses this issue. The solution for Windows 10 is to find a system that doesn't have the problem and export a registry key then import it into the offending system. The key it references gets deleted each time a new creator's update is installed.

HKEY_LOCAL_MACHINE\Software\Classes\htmlfile\shell\open\command

Then you export the subkey to a file, copy the file to the system having the problem and import it into that system's registry (either by double clicking the .reg file or importing it via regedit). There is a last verification step to verify the String (Default) value of "HKEY_CLASSES_ROOT \.html" key is "htmlfile".

That was several steps it took to make my system less secure. It's usually the other way around!

 

Networking, Microsoft Office, Windows 10,
 

After installing Windows 10 and Office on a new laptop, I started getting the following error message when I tried to click on any link in any email message or click on a table of contents link in a Word doc:

"Your organization's policies are preventing us from completing this action for you. For more info, please contact your help desk"

While it's not an entirely bad thing to have email links require a copy and paste, it's a real problem with other links like the Table of Contents in a long Word document.

There is a KB article at https://support.microsoft.com/en-us/kb/310049 that discusses this issue. The solution for Windows 10 is to find a system that doesn't have the problem and export a registry key then import it into the offending system. The key it references was missing from my system.

The steps that worked for me were to find a Windows 10 system that didn't have the problem, run regedit and locate the following subkey:

HKEY_LOCAL_MACHINE\Software\Classes\htmlfile\shell\open\command

Then you export the subkey to a file, copy the file to the system having the problem and import it into that system's registry (either by double clicking the .reg file or importing it via regedit).

There is a last verification step to verify the String (Default) value of "HKEY_CLASSES_ROOT \.html" key is "htmlfile".

Networking, Microsoft Office, Windows 10,
 

Recently I worked on a desktop system that was having issues connecting to WSUS and installing patches. This was a Windows 10 system (upgraded from Win 8.1) with Office 2016 (upgraded from Office 2013). Every time that I opened the Windows Update app, it listed several Office 2013 updates that couldn’t install. You could press the Retry Now button and it would run for a minute or two, but always fail with a non-specific and non-helpful error.

After running through troubleshooting steps of resetting the Windows Update agent, I finally started looking at the Office 2013 aspect. I decided to uninstall whatever 2013 components were still there and reinstall, if necessary. I loaded Programs and Features and Office 2013 was not listed.

I found a Microsoft utility to forcibly uninstall Office 2013/2016 products (link) and ran it on this PC. On the first run (and subsequent reboot), Office 2016 was removed, but 2013 was still detected by the Windows Update agent. On the second run (and subsequent reboot), Windows Update installed all of its normal patches without the Office patches listed.

I reinstalled Office 2016 and was able to bring the computer up to date. It really appears as if the 2016 upgrade didn’t fully remove all of the 2013 components as a part of the upgrade.

 

 

Networking, Microsoft Office, Windows 10, windows update,
 

I am constantly right-clicking the Outlook icon in the taskbar and choosing what I want from the jump list. However, after upgrading to Outlook 2016, this feature became unavailable. I followed the steps below to get the jump list working again.

  1. Unpin the Outlook 2016 icon from the taskbar
  2. Exit Outlook 2016
  3. Delete the HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\LastUILanguage registry key
  4. Start Outlook 2016, and then re-pin the icon
Networking, Microsoft Office, Outlook 2016,
 

Users of Microsoft Office 2013 32-bit may experience the following behavior on an RDS server. Each time a user starts Outlook 2013, a window is briefly shown with the message: "Configuring Microsoft Office 64-bit Components 2013." The message appears for restricted users and administrators alike, but there's no apparent effect that Outlook is impaired in functionality. [more]

Solution: To resolve the issue, install the Windows Search Service role. As soon as this role is installed and its services running, the message will no longer appear. A reboot is not required.

Cause: The components it configures are necessary to link the search indexer to the Outlook's data stores (OTS and PST). Because the Search Service is not installed, this part of the configuration process of Outlook fails, and therefore it is re-attempted each time.

Notes: Both XenApp and RDS best practices suggest to disable the Windows Search Service. In fact, the Citrix PVS Target Device Optimizer disables the service when it is run on the server. After installing the service, you might consider setting the service to disabled. This does not cause the message above to reappear; however, when the service is disabled, Outlook will display a message, "The Windows Search Engine is currently disable. Outlook will not be able to provide fast search results using the Instant Search functionality unless this service is running. Do not show this message again."

Networking, Microsoft Office, Outlook,