Cayosoft (https://www.cayosoft.com): Best way to manage and protect the Hybrid Office 365 Enterprise

Cayosoft Guardian “Clearly Delivers on Its Promises;” Gets 4.6/5 Rating From Microsoft MVP
https://www.cayosoft.com/cayosoft-guardian-clearly-delivers-on-its-promises-gets-4-6-5-rating-from-microsoft-mvp/?utm_source=rss&utm_medium=rss&utm_campaign=cayosoft-guardian-clearly-delivers-on-its-promises-gets-4-6-5-rating-from-microsoft-mvp
Tue, 28 Jul 2020 14:35:50 +0000

Microsoft MVP Nuno Mota reviewed Cayosoft Guardian, a solution for Azure and hybrid AD recovery and protection. The review, which includes some useful tips on requirements, step-by-step installation, and product functions, gave Guardian a 4.6/5 rating.

“Guardian clearly delivers on its promises. Its continuing monitoring and protection of on-premises and/or Azure Active Directories guarantees that most changes can be rolled back swiftly and at the touch of a button, without administrators having to go through numerous logs or resort to backup scripts or files.

“The fact that it is extremely easy to install and configure makes its deployment painless and hassle-free. All in all, an awesome tool that I would not have any problems in recommending to anyone responsible for managing Active Directory!” 

Class-action lawsuit has accused Microsoft of sharing customer data
https://www.cayosoft.com/class-action-lawsuit-has-accused-microsoft-of-sharing-customer-data/?utm_source=rss&utm_medium=rss&utm_campaign=class-action-lawsuit-has-accused-microsoft-of-sharing-customer-data
Thu, 23 Jul 2020 19:14:02 +0000

A lawsuit has been filed against Microsoft for allegedly sharing the content of business customers’ emails, documents, contacts, calendars, location data, audio files, and video files, among other forms of data, without consent.

According to the lawsuit, Microsoft is routinely sharing business customers’ data, including personal and corporate information, with Facebook and other third parties despite publicly claiming it doesn’t. 

“Like a mantra, Microsoft has repeatedly promised business customers that it will use their content and data exclusively to provide them with the purchased services; that, solely for those purposes, it will share their data with its subcontractors and certain others only on a need-to-know basis; and that it will never share the customer’s data with third parties at all,” the lawsuit said. 

Read more from an interview between a Microsoft representative and ITPro here 

4 Reasons Why the Recycle Bin Can’t Fully Protect Azure Active Directory
https://www.cayosoft.com/4-reasons-why-the-recycle-bin-cant-fully-protect-azure-active-directory/?utm_source=rss&utm_medium=rss&utm_campaign=4-reasons-why-the-recycle-bin-cant-fully-protect-azure-active-directory
Wed, 22 Jul 2020 18:37:35 +0000

Let’s face it, user errors are a reality, and the threat of malicious actors breaching Active Directory – both on-premises and in Azure – is on the rise. Protecting your data has never been more important, yet no native tooling exists to track changes, store previous values or enable administrators to roll back those changes immediately.

Microsoft provides limited tools to recover a deleted user account, but what about when an AD object is changed?  Restoring the object and associated permissions, groups, roles and applications can be a manual, expensive and error-prone process.

As Microsoft MVP Brien Posey outlined recently in his paper, there are four items related to Recycle Bins that are critical for IT teams to understand if they want to avoid Azure AD outages, or at least to fix them before they impact end users.

  1. Microsoft Won’t Restore Your AD Directory Data

The primary protective mechanisms for on-premises Active Directory environments are the Active Directory Recycle Bin and any backups that you create yourself.  For Azure AD, Microsoft’s cloud-based Active Directory, many users believe that Microsoft backs it up on their behalf.  In reality, organizations are 100% responsible for backing up their own Azure AD environments. The only significant protective mechanism that Microsoft provides is the Azure AD Recycle Bin, which is helpful, but not a complete solution.

  2. The Active Directory Recycle Bin Only Protects Against Deletions

The Recycle Bin is the go-to mechanism for recovering from Active Directory problems, so it is important to understand both its capabilities and its limitations. While the AD and Azure AD Recycle Bins offer a degree of protection, they never were intended to take the place of backups.

In many ways, the AD and Azure AD Recycle Bins function similarly to the Recycle Bin that is built into Windows 10. If a user deletes a document from a Windows 10 PC’s hard disk, that item is not physically deleted, but rather is placed into the Recycle Bin. This allows the item to be easily recovered if necessary.  But if the documents on a user’s Windows 10 PC were to become encrypted by ransomware, the Recycle Bin would not provide any means for recovering the now encrypted documents. That’s because the Windows 10 Recycle Bin protects only against deletions, not accidental modifications.

The AD and Azure AD Recycle Bins serve a similar purpose. They exist as tools for protecting organizations when an Active Directory object is accidentally deleted, but they do nothing to protect against unwanted modifications to objects. Only backups can give you point-in-time recovery capabilities for Active Directory deleted objects, unless you’re using a third-party tool.

  3. The Recycle Bin Won’t Always Protect You Against Accidental Deletions

So the AD and Azure AD Recycle Bins exist as tools for protecting you against the accidental deletion of directory objects, and they help for some objects within 30 days…but not all of them. If an administrator accidentally deletes an Active Directory user, for example, it is possible to retrieve the user object from its deleted state in the Recycle Bin. Even so, the Recycle Bin has a number of inherent limitations, and there is a possibility that an object that needs to be restored may not exist within the Recycle Bin. We covered 3 Reasons The Recycle Bin Won’t Always Protect You Against Accidental Deletions in a previous blog.

  4. Not All Object Types Are Protected

Another critically important thing to know about the Recycle Bins is that not all objects are protected. As previously mentioned, the Active Directory Recycle Bin protects any deleted Active Directory objects, so long as the Recycle Bin is enabled.

In contrast, the Azure AD Recycle Bin was primarily designed to protect user objects. It will also protect Office 365 groups (which are sometimes called unified groups). It does not, however, offer any protection for security groups or Exchange Server distribution groups.

To learn more download “8 Truths & Tips: Avoiding Outages in Azure Active Directory and Hybrid AD”, a paper by Microsoft MVP Brien Posey or register to view our on-demand webinar, “Preventing Azure and Hybrid AD Outages: The Unsettling Truth”.

Looking for a solution to help prevent Azure AD outages? Cayosoft Guardian recovers and protects Azure Active Directory and hybrid AD data. With Guardian monitoring all directory changes, administrators can quickly see, understand and roll back mistakes or malicious changes across their entire hybrid AD environment. Try it free today!

6 Tips to Optimize and Reduce Microsoft Office 365 Licensing Costs – Part Two
https://www.cayosoft.com/6-tips-to-optimize-and-reduce-microsoft-office-365-licensing-costs-part-two/?utm_source=rss&utm_medium=rss&utm_campaign=6-tips-to-optimize-and-reduce-microsoft-office-365-licensing-costs-part-two
Mon, 29 Jun 2020 17:22:34 +0000

Welcome to part two of this blog, where we’re covering six tips to optimize Office 365 license costs.  We recently introduced the first three tips in part one of the blog. Microsoft provides numerous license options and flexibility for organizations, but it’s difficult to make informed decisions on the “best” license for each user and ultimately get the most from Office 365 subscriptions.

As a quick recap, we covered these three tips in our previous blog:

  1. Adopt a license assignment strategy and save up to $372 per user
  2. Eliminate scripting and human error. Automatic license assignment and ongoing enforcement can eliminate manual assignments
  3. Simplify ongoing license management and avoid hidden operational expenses with granular delegation and control of license assignments

Let’s dive right into our final three tips to optimize the value of your Office 365 license assignments.

3. Review License Usage to Get the Most for the Investment

It sounds simple, but one key method to optimize and reduce Office 365 license costs is to thoroughly understand how licenses are being consumed. Monitoring, alerting and communicating how licenses are being used may uncover new ways to minimize costs.

Monitor License Consumption & Validate License Assignments – As a best practice, we recommend that you monitor license use at both the macro and micro levels.  For example, a weekly high-level e-mail license consumption report will provide insight into license distribution. On the micro level, twice-monthly license will provide visibility into possible assignment mistakes, allowing for them to be corrected before incurring additional expense.

Avoid Service Interruptions Caused by a Lack of Licenses – Alert the administrative staff to critically low available license levels before Office 365 licenses are exhausted and operations are interrupted. Depending upon the size of the organization, the rate of consumption, and any planned bumps in hiring, we recommend a threshold of between 10% and 20%.

Communicating license count usage to managers or department heads will allow people in other areas to share responsibility for the licenses their direct reports consume. Coincidentally, this is the information normally used for internal or inter-departmental billing/chargeback scenarios where each department is notified about its share of license costs.

Drive User Adoption to Maximize Office 365 ROI – Microsoft provides service-level usage detail, but user-level details are not easily extracted natively. By allowing IT or business managers to view the user-level Office 365 license services in use, the business can focus on maximizing the Return on Investment (ROI) of each license. With this detail, license assignments and training regimens can be aligned to get the most out of the powerful Office 365 and Azure platforms.

2. Leverage third-party tools to help improve control and visibility

Optimizing licenses manually is difficult, time-consuming and introduces inconsistencies across an organization.

Find a third-party management solution that can help you automate license assignments, provide in-depth reports, and generally improve your visibility and control into Office 365 licenses.

Of course our recommendation is Cayosoft Administrator, which uses rules-based license assignments to target users, automatically assigning the exact license and options they require.

Key Cayosoft Administrator features to optimize licenses include:

  • Granular delegation over Office 365 License Administrators & Help Desk: Control which licenses advanced administrators can see and assign down to the individual license option
  • Office 365 License Reporting: Cost savings & optimization by seeing who is not assigned the correct license
  • Automate License Assignments: Rules automatically & dynamically assign the correct license every time

1. Define a License Recovery and Account Cleanup Policy

Nobody wants to pay for something that is not being used. Identifying licensed Office 365 user accounts that are not using the software and making those licenses available for others is an effective way to reclaim licenses and keep license costs manageable. The criteria used to identify inactive accounts vary widely, but most organizations set a policy of 60 or 90 days of inactivity before they officially consider a user inactive. Other users, such as those that were deprovisioned or simply disabled, should also be considered because licenses are not removed from those users automatically.

After identifying an inactive user, or when proactively deprovisioning a user, we advise that you carefully consider your license-related actions. Because revoking a license also flags the mailbox for deletion, there are times this is not the best option. In other cases, legal, regulatory or internal compliance policies may require mailbox remediation, making license revocation an imperative.

As an alternative, consider changing the license to a less expensive license or even to an unlicensed shared mailbox. For example, if the inactive user has an E4 license, change the license to an Exchange Online license that will not only reduce the cost, but will maintain the mailbox. Converting the mailbox to a shared mailbox is another option and requires no license be assigned. In both cases, the result is a significant cost savings and the number of “extra” licenses is kept to the minimum.

Want to learn more about Office 365 license optimization?

Check out our on-demand webinar, “Controlling Office 365 License Assignments and Costs with Optimizations and Advanced Management” to learn more about ways to automate and optimize Office 365 license management.

Hybrid Microsoft Administration with Powershell and Microsoft Graph: Understanding the Basics
https://www.cayosoft.com/hybrid-microsoft-administration-with-powershell-and-graph-understanding-the-basics/?utm_source=rss&utm_medium=rss&utm_campaign=hybrid-microsoft-administration-with-powershell-and-graph-understanding-the-basics
Tue, 16 Jun 2020 20:26:08 +0000


Blog by: Dmitry Sotnikov

Find him on LinkedIn or Twitter.

Scripting in the Microsoft world has evolved significantly in the last few decades.  

For a long time, Microsoft administrators were stuck with the MS-DOS command line and batch files for any scripting around it. While the batch language included some basic capabilities such as parameters, if clauses and goto instructions, it was too limited for any complex scripting and the set of commands was minuscule. In most of the systems — be it for the local Windows server or network services such as Active Directory or Microsoft Exchange — administrators had to use various command-line tools. Each tool worked in a different fashion and did not integrate with other tools, which led to steep learning curves and a painful scripting experience.

In 2006, Microsoft made a bold move to overcome these issues by introducing Windows PowerShell. PowerShell tried to strike a balance between being compatible with the MS-DOS-style command line and providing a full modern programming language, pipe integration between commands, and a unified approach and extensibility to cover all Microsoft systems. In 2018, Microsoft made another bold move by releasing PowerShell Core 6.0 as cross-platform (Windows, macOS, Linux) and open source.

While the PowerShell team innovated on datacenter management automation, another megatrend happened – Cloud. Microsoft has innovated to re-invent itself from being a software company to becoming a cloud services company. Azure, Office 365, OneDrive, Intune, Teams – the list can go on and on. It is clear that Microsoft is now “all in” and cloud-first.

These cloud offerings faced the same challenge as early on-premises systems: each exposed a different model of automation, integration, and administration.

Recognizing this as a potential problem, Microsoft introduced Microsoft Graph – a unified set of APIs providing a consistent data model and programmability approach across all Microsoft cloud offerings. 

Microsoft has done a great job not only of providing API consistency but also of helping developers discover and learn the APIs, with the interactive Graph Explorer and off-the-shelf SDKs for many programming languages.

However, the presence of two systems, the IT professional-oriented PowerShell and the developer-oriented Microsoft Graph, in turn created an experience gap. In companies basing their infrastructure on Microsoft cloud services, IT administrators had to essentially become developers. While PowerShell can invoke REST APIs, the experience one gets from these calls is far closer to programming than to day-to-day administration and IT scripting.

To fix the situation and make Microsoft cloud administration and scripting accessible to IT professionals, Microsoft is now working on a Microsoft Graph PowerShell SDK. 

With it, administrators can run PowerShell cmdlets against Microsoft Graph services just like they can for on-premises systems. For example, to create a new user, an administrator might run something like:

[Image: PowerShell cmdlets]

The SDK is still in technical preview and has many rough edges that you need to be aware of. 

To learn more about how you can use Microsoft Graph PowerShell SDK today, its limitations, and workarounds, please come to our webinar, Microsoft Graph Basics for PowerShell Admins. 

Exchange Online Down in Europe – EX216336
https://www.cayosoft.com/exchange-online-down-in-europe/?utm_source=rss&utm_medium=rss&utm_campaign=exchange-online-down-in-europe
Mon, 15 Jun 2020 16:06:37 +0000

Reports are showing up online that users may be unable to connect to the Exchange Online service.
Several users here at Cayosoft report not being able to connect the full Outlook client to Exchange Online; however, the web-based version of Outlook appears to be working.
Current status as of 11:55 AM 6/15/2020: We’re investigating an issue with the Outlook client within Europe. Please follow EX216336 in your dashboard for further information.

Cayosoft Administrator v7.2 is Now Available!
https://www.cayosoft.com/cayosoft-administrator-v7-2-is-now-available/?utm_source=rss&utm_medium=rss&utm_campaign=cayosoft-administrator-v7-2-is-now-available
Mon, 15 Jun 2020 12:00:24 +0000

Even with all of the recent cloud adoption, on-premises infrastructure still exists. Purpose-built for hybrid environments, Cayosoft Administrator provides management that follows you on the journey to the cloud.  

From on-prem to Office 365, Administrator delivers a single solution to automate and streamline day-to-day IT administration. Administrator simplifies management with role-based delegation, rule-based automation, self-service, Office 365 license optimization and more.

Administrator v7.2 includes numerous enhancements, including:  

Improved Microsoft Azure Integration  

Cayosoft Administrator, like Cayosoft Guardian, now offers improved support for Azure AD authentication, including support for multi-factor authentication (MFA) and Single Sign-On (SSO).

Guest Account Management 

Collaboration with users in other organizations can be a challenge, especially when it comes to the onboarding of new guest accounts and delegating the management of those accounts. Cayosoft now supports ongoing delegated management of Guest accounts and the bulk creation of Guest accounts without complex or hard-to-maintain workflows and scripts.

Improved Support for Microsoft Teams 

Administrator now supports private channels, and this version includes improved Teams audits.

View all of Cayosoft Administrator v7.2 enhancements here.

Get a free Cayosoft account here and start your free trial!

5 Keys To Successful Group Management in Hybrid Microsoft Environments
https://www.cayosoft.com/5-keys-to-successful-group-management-in-hybrid-microsoft-environments/?utm_source=rss&utm_medium=rss&utm_campaign=5-keys-to-successful-group-management-in-hybrid-microsoft-environments
Mon, 08 Jun 2020 14:12:59 +0000

In collaboration with Microsoft MVP Joel Oleson, based on a recent webinar that we jointly delivered.

It was difficult enough to keep Active Directory group memberships secure and accurate before Microsoft Azure Active Directory/Microsoft 365, which throws new group types and group settings into the mix. Today’s hybrid environments more than double the potential for errors and security issues related to group management. Because the number of groups has more than doubled, the administrative burden is now higher than ever.

While the task of creating a group or putting a user into a group is not difficult, keeping up with the volume of group changes (on-premises and in the cloud), together with the fact that it’s not done automatically, is quite challenging for many of the IT professionals I’ve spoken with over the years.

Potential Costs

Organizations that are unable to keep groups accurate may find themselves facing catastrophic consequences related to security and compliance. Beyond the obvious cost of a breach, service outage or a regulatory fine, there is also cost in terms of lost productivity or lost reputation that can be equally damaging.

Groups give directory accounts power because they assign permissions in the Microsoft model.  Due to this, you must be incredibly careful about who is in a group and who, ultimately, has access to the resources on which your business runs.

How Groups Become Compromised

It’s no wonder that group management can become a security threat.  Groups can have incredible power, but at the same time, some groups are so innocuous that adding people (and/or not keeping up with the daily changes) seems insignificant.  For example, you most likely don’t care much about how many people get access to a company newsletter.  But for other content, perhaps something that is compliance sensitive, it’s a completely different story.

To make matters worse, in many organizations, there are more groups than IT has resources to keep up with. We find that in our customer environments it’s common to see more groups than users, and each user might end up being a member of 50 or more different groups.

In addition to all of that, consider the following points:

Accuracy is hard to maintain. Especially if you have high turnover or a heavy amount of organizational changes and shifts.  Maintaining group accuracy in organizations with such frequent moves is difficult due to the volume of changes.  For example, was guest access granted but never revoked? Unfortunately, if your groups are inaccurate, then your access grants are inaccurate.

Group membership is more often granted than revoked. With no way to easily track why a user was added to a group, later, when it comes time to clean up group membership, members are left in the group for fear of revoking the wrong person’s access. Over time the number of group memberships increases for users, putting security and compliance goals further at risk.

Group cleanup is often ignored until something breaks. It’s human nature to let maintenance items slip. Group management is no different, and I’ve talked to many IT people over the years who only realized that they had an out-of-date group when someone called to say they cannot get the access they expected. The story is worse if the “realization event” is a security breach or compliance failure.

Keys to Success

There are numerous approaches to streamline group management, making it easier to keep your groups accurate and ensure that they’re always up to date.  And this can be done without creating a straining workload for your IT administration team.

  1. Define a Hybrid Management Group Strategy

If you rewind even a few years, this advice may have been to “try and stay on-premises unless something forces you to the cloud”, and that advice today seems much less useful than it once did. Today, most organizations run hybrid environments, and it’s critical for IT teams to have a strategy for on-prem security groups and Microsoft 365 groups with a least privilege/zero trust model.

It’s also important to understand the native tools available to them, like Azure AD Connect and others, to define a strategy and philosophy that can be followed for managing users and groups.

  2. Plan Self Service or IT Led Group Management with Oversight

You can – and you should – delegate group management where possible.  That said, it’s critical that you delegate tasks to users carefully and use caution regarding what control you do (and do not) give, especially in a hybrid environment.

Consider the example of a Help Desk, which is likely going to see all groups because of the flatness of the directory structure (i.e., they don’t have organizational units). Do you really want your help desk to be able to access any Microsoft 365 groups?

  3. Provision Groups with Governance and Lifecycle in Mind

Doing so, of course, means that somebody must make sure that each group has a person that’s responsible for it. There are different ways to do this.

  • Assign AD owners to Groups directly in Active Directory using the Active Directory Users and Computers console. A Group owner can be a user or a group with several members.
  • Use the Exchange on-premises console to assign owners and secondary owners.
  • Use Exchange Online to assign owners to cloud-based groups.
  • For other groups (unified groups) in Office 365 online you can also assign ownership.

Regardless of how you assign group owners, it’s important to audit the group changes. Make sure you have a good approach to audit changes to your groups, including adds, removes, etc., on the Windows side. Whether you use the Windows event log or you have a change auditing solution, please make sure you’re watching, auditing and reporting those events so you can go back and see who added whom to which groups.

Another simple strategy here is to use meaningful descriptions on group objects that clearly indicate what the group does in order to make it easier to assign ownership. Without it, you may have no good way to get a true sense of everything a group may grant access to.

  4. Use Group Lifecycle Management

Periodically audit groups and review ownership and usage to help ensure that group owners regularly review group membership. There are different approaches you can take, but one simple tactic is to do it by email or survey. Send each group owner a list of the groups they own and ask questions that make sense for your organization. It could be as simple as “Do you still need this group?”

If you have any security concern around the membership of any of your groups or distribution lists, or any of the groups you own are subject to legal or regulatory compliance, then you may also want to ask group owners to certify the membership. Doing this helps reinforce that the owner is responsible for the membership and for the compliance burden. You don’t want IT to be responsible for who has access to unannounced financial results for the next quarter.

  1. Clean up: Archive or Delete Obsolete Groups

It takes some effort, but it’s important to clean up groups as you go.  If you find a bunch of empty groups and you don’t need them, you can get rid of them in a safe manner, without requiring a complicated recovery scenario to recover the deleted group’s security ID.

Active Directory has two physical types of groups: regular security groups, which most people are familiar with, and non-Exchange DLs, which are simple lists that cannot be used to grant access to resources.
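A sketch of the owner review and cleanup pass described in the lifecycle and clean-up sections above, as an added example that is not Cayosoft's code. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the output file name is a placeholder.

```powershell
# Added example: list groups per owner and flag ownerless or empty groups.
Import-Module ActiveDirectory

$groups = Get-ADGroup -Filter * -Properties ManagedBy, Description, Member, whenChanged, isCriticalSystemObject |
    Where-Object { -not $_.isCriticalSystemObject }   # skip built-in groups such as Domain Users

$owners = @{}   # cache of owner lookups: distinguished name -> AD object
$review = foreach ($g in $groups) {
    $owner = $null
    if ($g.ManagedBy) {
        if (-not $owners.ContainsKey($g.ManagedBy)) {
            $owners[$g.ManagedBy] = Get-ADObject -Identity $g.ManagedBy -Properties mail
        }
        $owner = $owners[$g.ManagedBy]
    }
    [pscustomobject]@{
        Group          = $g.Name
        Category       = $g.GroupCategory      # Security or Distribution
        Owner          = if ($owner) { $owner.Name } else { '(none)' }
        OwnerMail      = if ($owner) { $owner.mail } else { '' }
        MemberCount    = $g.Member.Count
        HasDescription = -not [string]::IsNullOrWhiteSpace($g.Description)
        LastChanged    = $g.whenChanged
    }
}

# Groups nobody is accountable for.
$review | Where-Object { $_.Owner -eq '(none)' } | Sort-Object Group |
    Format-Table Group, Category, HasDescription

# Empty groups: candidates for archiving or deletion after the owner confirms.
$review | Where-Object { $_.MemberCount -eq 0 } | Sort-Object LastChanged |
    Format-Table Group, Category, Owner, LastChanged

# One row per owned group, ready to merge into the "Do you still need this group?" mail.
$review | Where-Object { $_.Owner -ne '(none)' } | Sort-Object Owner, Group |
    Export-Csv -Path .\group-owner-review.csv -NoTypeInformation
```

The Member attribute does not include accounts that hold a group as their primary group, so confirm with the owner before treating a zero count as proof that a group is unused.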

Next Steps

Properly managing and maintaining groups in a secure, efficient way can be difficult without the right tools. Cayosoft Dynamic Groups keeps groups accurate and eliminates errors. Granular membership rules for groups automatically update memberships when changes occur, allowing administrators to concentrate on more important issues.

To deep dive on group management, check out our on-demand webinar with Microsoft MVP Joel Oleson.

Why Office 365 changed to Microsoft 365 and How it Affects Me
https://www.cayosoft.com/why-office-365-changed-to-microsoft-365-and-how-it-affects-me/?utm_source=rss&utm_medium=rss&utm_campaign=why-office-365-changed-to-microsoft-365-and-how-it-affects-me
Wed, 03 Jun 2020 15:29:34 +0000

The post Why Office 365 changed to Microsoft 365 and How it Affects Me appeared first on Cayosoft.

New Microsoft product names went into effect on April 21, 2020. This was a change to the product name only, and there are no pricing or feature changes currently—Microsoft 365 includes everything you know in Office 365. So, why the name change? Microsoft explains, “We changed the name to be more reflective of the range of features and benefits in the subscription, to meet the unique needs of individuals and businesses.”

Many Office 365 subscriptions automatically became Microsoft 365 subscriptions. No action is needed from your end.

  • Office 365 Personal becomes Microsoft 365 Personal.
  • Office 365 Home becomes Microsoft 365 Family.
  • Office 365 Business Essentials becomes Microsoft 365 Business Basic.
  • Office 365 Business Premium becomes Microsoft 365 Business Standard.
  • Microsoft 365 Business becomes Microsoft 365 Business Premium.
  • Office 365 Business becomes Microsoft 365 Apps for business.
  • Office 365 ProPlus becomes Microsoft 365 Apps for enterprise.

There are no changes to the following Office 365 for enterprise plans:

  • Office 365 E1
  • Office 365 E3
  • Office 365 E5

These are simply name changes. Microsoft says, “These changes represent our ambition to continue to drive innovation in Microsoft 365 that goes well beyond what customers traditionally think of as Office.”

The new naming convention may seem confusing when you try to connect your previous subscription name to your current one. However, we suggest looking at what you need out of a subscription rather than at its name. This could be an opportunity to review usage data within your organization and discover ways to save money on unused or underused licenses. We cover Office 365 license management and optimization in “5 Common Frustrations with Office 365 License Management (And How to Avoid Them)”.

Learn more about Microsoft 365 here.

Protect Azure Users! Complimentary Subscription of Cayosoft Guardian
https://www.cayosoft.com/protect-azure-users-complimentary-subscription-of-cayosoft-guardian/?utm_source=rss&utm_medium=rss&utm_campaign=protect-azure-users-complimentary-subscription-of-cayosoft-guardian
Tue, 19 May 2020 16:00:40 +0000

The post Protect Azure Users! Complimentary Subscription of Cayosoft Guardian appeared first on Cayosoft.

Whether you’re fully on Azure Active Directory or operating in a hybrid or on-premises world, it’s more critical than ever to avoid breaches, outages and data loss. That’s why Cayosoft is proud to offer a free 90-day subscription to recover and protect the data across all of your Active Directories. 

Spend 5 minutes to protect the following: 

  • All Users, guests, groups & contacts 
  • Microsoft Teams 
  • Conditional access policies 
  • Azure roles 
  • Privileged groups 
  • Admin Units 
  • On-premises Active Directory 

What is Cayosoft Guardian? 

Cayosoft Guardian recovers and protects Azure Active Directory and hybrid AD data. With Guardian monitoring all directory changes, administrators can quickly see, understand and roll back mistakes or malicious changes across their entire hybrid AD environment. When rollback is needed, Guardian provides an automated recovery plan that does not involve incomplete or time-consuming backup files.

Try it today 

No credit card. No commitment. Just peace of mind that you and your users are protected from AD outages. Offer ends June 30.

Azure Active Directory Security Defaults—not for everyone
https://www.cayosoft.com/azure-active-directory-security-defaults-not-for-everyone/?utm_source=rss&utm_medium=rss&utm_campaign=azure-active-directory-security-defaults-not-for-everyone
Tue, 05 May 2020 17:53:34 +0000

The post Azure Active Directory Security Defaults—not for everyone appeared first on Cayosoft.

Microsoft’s powerful array of cloud offerings—Microsoft Azure, Dynamics, and Office 365—offers paths to business growth without the huge capital investment. Most organizations on the cusp of implementing and experimenting with those services may not make security the first priority in the quest for productivity.

The first phase of the exciting journey into the cloud is to set up that new customized application, mine customer records, or launch those great office tools. Then everyone has to be brought on board. The organization’s business practices have to be retooled to get everyone working together.

Just leave those legacy passwords in place and let IT sort it out. Right?

Besides, don’t those tools come with security default settings? Why not just rely on the security defaults in Azure Active Directory (Azure AD) with its multifactor sign in? Isn’t Azure AD security sufficient to thwart cyber attackers, who try to gain access through tactics like password spray?

Actually, it’s a double-edged sword. Azure AD provides no escape from security-related responsibilities. You either accept the default security settings or get busy setting up the conditional access settings that best meet your unique requirements.

The reality is that default settings aren’t for everyone. High security can get in the way of productivity. It’s not so much a matter of compromise; rather, it’s getting excessively stringent access controls out of the way of productivity.

Let’s investigate what those settings are, and see how default settings should either be disabled or tweaked, because they aren’t for everyone.

The default settings in Azure AD

Azure AD security defaults come with the following security settings:

  • Multi-factor authentication (MFA) for users in the administrator role and for end users. Activation is required within 14 days of the first single sign-in. Azure multi-factor authentication can thwart over 99% of password hacking attempts.
  • Block Legacy authentication for Azure resources and cloud apps. This security feature restricts access from older systems that do not support up-to-date traditional methods of managing Exchange Online using Remote PowerShell. This feature blocks legacy authentication, which has been a hacker’s end run around MFA.
  • Immediate MFA protection for privileged accounts. Provides Azure AD functionality through the Azure Resource Manager API (such as Azure Portal access, etc.).

Microsoft Office 365 subscribers could experience difficulties with the new Azure AD security defaults. Outlook clients, for example, might expect automatic account transition for connection to Exchange Online.

The problem is that when a mailbox migrates, it takes its legacy authentication with it. Subsequent sign-ins fail. According to Microsoft, this problem “can be solved, by switching off Security Defaults during your migration.” If you have control over your Outlook clients, you can deploy the registry key explained in this Microsoft Support article.

Note: Before changing any security settings in an Office 365 account, read more on how to enable and disable defaults. Test any security setting changes before applying them to a core business system. When toggled on, the defaults will be enforced across the entire organization.
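Before toggling the defaults, it helps to know which accounts still sign in with legacy authentication and would start failing. The following is an added example, not from Microsoft or Cayosoft, that summarizes such accounts from sign-in records. The rows are constructed sample data, and the column names and the two "modern" client labels are assumptions about how your sign-in log export is shaped.

```powershell
# Added example: find accounts that still use legacy authentication.
# Constructed sample rows; replace with an export of your own sign-in log.
$csv = @'
UserPrincipalName,ClientApp,Status,Date
alice@example.com,Browser,Success,2020-05-01
bob@example.com,IMAP4,Success,2020-05-01
bob@example.com,IMAP4,Success,2020-05-03
carol@example.com,Mobile Apps and Desktop clients,Success,2020-05-02
carol@example.com,Exchange ActiveSync,Success,2020-05-04
dave@example.com,Authenticated SMTP,Failure,2020-05-02
svc-scanner@example.com,POP3,Success,2020-05-04
'@
$signIns = $csv | ConvertFrom-Csv

# Assumption: every client label other than these two means legacy authentication.
$modern = 'Browser', 'Mobile Apps and Desktop clients'

function Get-LegacyAuthUsage {
    param([object[]]$SignIns, [string[]]$ModernClients)

    $SignIns |
        Where-Object { $_.ClientApp -notin $ModernClients } |
        Group-Object UserPrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Name
                Protocols = ($_.Group.ClientApp | Sort-Object -Unique) -join ', '
                SignIns   = $_.Count
                # Successful legacy sign-ins are the ones that will break once blocked.
                Succeeded = @($_.Group | Where-Object Status -eq 'Success').Count
                LastSeen  = ($_.Group.Date | Sort-Object | Select-Object -Last 1)
            }
        } |
        Sort-Object Succeeded -Descending
}

Get-LegacyAuthUsage -SignIns $signIns -ModernClients $modern | Format-Table -AutoSize
```

Accounts with successful legacy sign-ins, service accounts in particular, are the ones to move to modern authentication first.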

The Trouble with Azure Active Directory Defaults

Rather than going with a “one size fits all” approach for access management, IT admins can turn on conditional access. The organization will have varying degrees of standards for security and compliance. Simply focusing on who can access a network resource or application is not enough.

It is a balance of security and productivity. The first criterion is how a resource is accessed.

Azure AD Conditional Access addresses that requirement through configurations that allow access based on work group, location, and how the application integrates with SaaS and Azure AD-connected apps.

Conditional access is similar to its default counterpart in that the security configurations are from the same array. With conditional access, however, you just turn off what you don’t need. Leave the default settings in place, and everyone, regardless of location, must jump through the extra hoop of multi-factor sign in.

With MFA disabled for workers on the site, for example, the user could remove the annoying extra sign-in step throughout the workday. The organization could also opt to integrate its on-premises Active Directory privileged identity roles with Azure AD in the cloud—while assigning special group and individual access privileges.

Summary

Whether the user opts for basic Azure AD Connect or Azure AD Premium, Microsoft has taken a giant step in securing its vast community of cloud services. Azure’s security defaults make it easier to inject the best security settings into its Azure AD directory and Office 365 services.

Those default settings aren’t best for everyone, but anyone who has disabled multi-factor authentication or the blocking of legacy authentication is extending an open invitation to hackers, thieves, and malware.

Check out a recent white paper, “8 Truths and Tips: Avoiding Outages in Azure Active Directory and Hybrid AD.” Understanding the eight concepts discussed in this paper should help you better protect your environment and plan for the inevitable recovery event. 

Microsoft Azure AD Single Sign-on Now Free to Customers
https://www.cayosoft.com/microsoft-azure-ad-single-sign-on-now-free-to-customers/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-azure-ad-single-sign-on-now-free-to-customers
Tue, 05 May 2020 13:58:09 +0000

The post Microsoft Azure AD Single Sign-on Now Free to Customers appeared first on Cayosoft.

Microsoft announced that any customer using a subscription of a commercial online service can connect all their cloud applications to Azure AD for single sign-on (SSO), and protect this access with multi-factor authentication (MFA) as a security default at no extra cost.

SSO reduces the number of sign-in prompts for employees and enables one-click access to popular apps, and it should make working remotely even easier. 

Microsoft also introduced several Azure AD enhancements to simplify identity and access management and improve the experiences for working remotely, including the following: 

  • Streamline identity management 
  • Improve application configuration and security 
  • Seamless and secure collaboration 
  • Safeguard identities with industry-leading security 
  • App gallery integration 
