In the final post of this series, we highlight the importance of designating operational support and service monitoring guidelines for Office 365.

Have you just been handed your Office 365 tenant and been told to support it?

Hopefully not, but in smaller environments, I can see the potential for that happening.

Operational Support Structure

If you’re a large enough organization, you are likely transitioning teams from their on-premises duties to new cloud responsibilities. We typically recommend the following guideline for a support team:

  • .2% of the organization’s supported community – that’s two support people for 1,000 users

When we work with clients to plan, rollout, or remediate Office 365, we look at the IT structure as a whole, the number of users, what workloads are being rolled out, and how current support structures can be modified for the cloud.

Your first-level help desk will be key in taking some of the repetitive tasks away from your admins, and a knowledge base that is kept up-to-date will provide a reference to help them.

If you are the help desk and the global admin, keep a knowledgebase for yourself in a SharePoint list for easy reference.

Service Availability Monitoring

It’s up to us as consumers to ensure we are aware of the level of service we can expect, and that we are monitoring the availability of our own tenants.

If you have a service fall below the SLA documented by Microsoft, you will need to have some proof of that outage. Keep an eye on the Service Health dashboard in the Admin Center. Need service SLA documentation? Click here.

Service incidents can be found in your Office 365 Admin Portal and come in two varieties:

  • Planned maintenance events: Planned maintenance is regular Microsoft-initiated service updates to the infrastructure and software applications. Planned maintenance notifications inform customers about service work that might affect the functionality of an Office 365 service. Customers are notified no later than five days in advance of all planned maintenance through Message Center on the Office 365 Admin Portal. Microsoft typically plans maintenance for times when service usage is historically at its lowest based on regional time zones.
  • Unplanned downtime: Unplanned service incidents occur when one of the services in the Office 365 suite is unavailable or unresponsive.

Monitor the message center at least weekly, if not more often, for updated change notifications, any actions required and expected outages. The Security and Compliance center has default alert policies configured to send admins email messages in a variety of circumstances such as: a mail flow rule has been created, malware is detected, an unusual volume of email has been detected, unusual external user activities have been detected and more.

The Security and Compliance center dashboard is a good place to start for a visual look at anomalies. Take a look at the landing page and the Threat Management section for daily graphs of activity.

Besides the Admin portal you can also use the following to monitor service availability:

  • Office 365 Admin App
  • Add-in for Office 365 for System Center
  • The service communication API
  • Third party provider of monitoring solutions

Enhancing Monitoring and Supportability

If you are interested in enhancing the out-of-the-box security monitoring, check out Cloud App Security, an app available with an Azure AD Premium P2 license or an EM+S E5 license. This gives you further insight into activity, app use, alerts, and log review among other tasks. It allows you to create policies from templates or from scratch that give you deeper insight into shadow IT, allowing you to better control where sensitive information is being held.

Another security enhancement available in the same subscriptions as Cloud App Security is Identity Protection. Identity protection is a collection of algorithms that determine if a user sign-in is risky or not. If you’re already using conditional access, you can setup access to be denied if Azure determines the sign-in to be of a risky nature. This will take some testing but you can at least determine if the sign-ins are coming from unknown IP ranges (those not associated with a country) or if the sign-ins involve impossible travel (you can’t sign in from an IP address in London and five minutes later sign in from a different IP address in New York).

These monitoring and operations tasks usually take a few months to settle into the work pace set by your organization, so be flexible early on and also very attentive. You should quickly find repetitive tasks that you can manage and automate more effectively using PowerShell or other third party add-ins. Almost anything you can do with the UI you can customize and do through PowerShell. If the built-in reports don’t offer the data to meet the need of a specific report request, the information is usually available from the output of a script. You must be a global admin to use PowerShell with Office 365.

Final Thoughts

I hope that you have enjoyed this series of blogs about Office 365 security. I’ve tried to synthesize a large amount of information into bite-sized pieces for easy consumption, but if you need more or deeper information, please let me know.