Microsoft 365 usage reports – Monitoring Microsoft 365 Tenant Health

The Microsoft 365 usage reports are available inside the Microsoft 365 admin center. They are broad reports that can be used to get a high-level snapshot of how your organization uses the Microsoft 365 platform. Report data includes statistics about how many files are stored in SharePoint, how many Exchange mailboxes were active during the reporting period, as well as engagement with other products such as Yammer or Forms:

Figure 2.21 – Microsoft 365 usage reports

Usage reports can be accessed by navigating to the Microsoft 365 admin center (https://admin.microsoft.com), expanding Reports, and selecting Usage.

Viva Insights

Formerly known as Workplace Analytics, Viva Insights provides recommendations about personal and teamwork habits. Viva Insights has four core areas:

  • Personal insights
  • Teamwork habits
  • Organization trends
  • Advanced insights

Each of these areas has unique features that are part of the Viva story.

Personal insights

As the name suggests, personal insights are tailored to an individual. Personal insights are private and are only visible to the individual for whom they are intended. Personal insights are best viewed using the Viva Insights app in Microsoft Teams, as shown in Figure 2.22:

Figure 2.22 – Viva Insights app in Microsoft Teams

The Viva Insights app has functions to allow you to make a focus plan (sometimes referred to as the protect time feature), send praise to your colleagues either publicly or privately, and stay connected through AI-based task suggestions and meeting assistance.

The Viva Insights app also features Headspace guided meditation and mindfulness exercises, as well as prompts for taking a break and reflecting on your personal feelings. Using the Reflection activity card, you can even set daily reminders to check in on yourself:

Figure 2.23 – Reflection activity card

Viva Insights also has a daily ramp-up and wind-down micro-app called Virtual commute, which lets users review upcoming meetings and tasks, block focus time, and initiate a variety of mini-break, meditative, and reflective activities. See Figure 2.23:

Figure 2.24 – Virtual commute activity card

Together, these insights features can help users manage both their productivity and personal well-being.

Monitoring application access – Monitoring Microsoft 365 Tenant Health

While many cloud-based applications and services may use their own identity stores, it is becoming more common for application vendors to allow bring-your-own-identity scenarios. You might see this with websites allowing social media logins or other types of identity.

Like other identity providers, Azure AD identity can be used to authenticate users to external applications. While many of those applications are legitimate (and their use derives from a legitimate business use case), malicious websites or individuals can publish applications to steal data. As part of your operational practices, you should periodically review allowed applications in your environment and remove the authorizations for applications that look suspicious or are no longer being used.

Applications that are registered or authorized in Azure AD can be used to provide single sign-on to both SaaS cloud applications as well as internally managed applications. Depending on your organization’s settings, applications may be authorized by end users, administrators, or both.
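One way to make that periodic review repeatable, as an added example rather than code from the book or from Microsoft: the field names follow Microsoft Graph's oauth2PermissionGrant and servicePrincipal resources, while the sample records, the high-risk scope list, the 90-day threshold, and the last-sign-in map are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Delegated scopes that expose mail, files or directory data.
# Illustrative list (an assumption); align it with your own policy.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All",
}
STALE_AFTER = timedelta(days=90)  # assumed "no longer being used" threshold

# ---- Constructed sample data, not taken from a real tenant ----
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SERVICE_PRINCIPALS = [
    {"id": "sp-hr", "displayName": "Contoso HR Portal",
     "appOwnerOrganizationId": HOME_TENANT,
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-sync", "displayName": "Free Mail Sync",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-survey", "displayName": "Survey Tool",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "verifiedPublisher": {"displayName": "Fabrikam Inc."}},
]
GRANTS = [
    {"clientId": "sp-hr", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read openid profile"},
    {"clientId": "sp-sync", "consentType": "Principal",
     "principalId": "user-17", "scope": "Mail.Read offline_access"},
    {"clientId": "sp-sync", "consentType": "Principal",
     "principalId": "user-42", "scope": "Mail.Read Mail.Send offline_access"},
    {"clientId": "sp-survey", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Files.Read.All"},
]
# Last sign-in per app, as you might extract it from the sign-ins report.
LAST_SIGN_IN = {
    "sp-hr": "2024-05-28T09:12:00Z",
    "sp-sync": "2024-05-30T22:40:00Z",
    "sp-survey": "2023-11-02T14:05:00Z",
}


def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_grants(grants, service_principals, last_sign_in, home_tenant, now):
    """Merge grants per application and list the reasons each needs review."""
    apps = {sp["id"]: sp for sp in service_principals}
    merged = {}
    for grant in grants:
        entry = merged.setdefault(
            grant["clientId"], {"scopes": set(), "tenant_wide": False, "users": set()})
        entry["scopes"].update(grant["scope"].split())
        if grant["consentType"] == "AllPrincipals":   # admin consent for everyone
            entry["tenant_wide"] = True
        elif grant.get("principalId"):                # consent by a single user
            entry["users"].add(grant["principalId"])

    report = []
    for client_id, entry in merged.items():
        sp = apps.get(client_id)
        findings = []
        risky = sorted(entry["scopes"] & HIGH_RISK_SCOPES)
        if risky:
            findings.append("high-risk scopes: " + ", ".join(risky))
            if "offline_access" in entry["scopes"]:
                findings.append("offline_access keeps access alive via refresh tokens")
        if sp is None:
            findings.append("grant references an unknown service principal")
        else:
            external = sp.get("appOwnerOrganizationId") != home_tenant
            publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
            if external and not publisher:
                findings.append("external app without a verified publisher")
        seen = last_sign_in.get(client_id)
        if seen is None or now - parse_ts(seen) > STALE_AFTER:
            findings.append(f"no sign-in within {STALE_AFTER.days} days")
        report.append({
            "app": sp["displayName"] if sp else client_id,
            "tenant_wide": entry["tenant_wide"],
            "users": len(entry["users"]),
            "findings": findings,
        })
    # Applications with the most findings come first in the review queue.
    report.sort(key=lambda row: len(row["findings"]), reverse=True)
    return report


if __name__ == "__main__":
    for row in review_grants(GRANTS, SERVICE_PRINCIPALS, LAST_SIGN_IN, HOME_TENANT, NOW):
        print(row["app"], "|", "; ".join(row["findings"]) or "no findings")
```

Applications at the top of the output are the first candidates for an access review or for having their authorization removed.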

There are several things you can do to monitor application access:

  • Create and manage access reviews
  • Review audit logs
  • Review the sign-ins report
  • Send activity log data to Azure Monitor

Let’s look at each of these areas briefly.

Creating and managing access reviews

The primary goal of an access review is to confirm that those who have access to an application or other resource still need that access. If a user, whether internal or external, no longer requires the ability to use a resource, their access to that resource should be terminated.

Note

Access reviews are a feature of Identity Governance and require Azure AD Premium P2.

To create an access review, follow these steps:

  1. Log in to the Azure portal (https://portal.azure.com) with a user that has one of the prerequisite role assignments (Global Administrator, User Administrator, Identity Governance Administrator, or Privileged Role Administrator) or who is an owner of the group for which the access review will be created.
  2. In the search box, enter Identity Governance and select the Identity Governance item.
  3. Under the Access reviews navigation menu item, select Access reviews:

Figure 2.9 – Access reviews

  4. Select + New access review.
  5. In the Select Review dropdown, select Teams + Groups or Applications:

Figure 2.10 – New access review – the Select Review dropdown

  6. Depending on your selection, choose from All Microsoft 365 groups with guest users, Select Teams + groups (if you choose the Teams + Groups option), or one or more registered applications (if you choose the Applications option). If you select Teams + Groups, you may have additional selections regarding specific groups to include or exclude or specific scopes of users to include or exclude.
  7. Click Next.
  8. Under Specify reviewers, select the individuals who will be responsible for auditing the group. You may be asked to provide Fallback reviewers (if the ones you initially select cease to exist in the future), depending on the options you select.
  9. Depending on your settings, you may see an option to perform a multi-stage review. Multi-stage reviews allow you to add up to three stages of reviewers to audit the membership of a group.
  10. Under Specify recurrence of review, set a Duration (in days) period, a Review recurrence option (one-time, weekly, monthly, quarterly, semi-annually, or annually), and start and end date parameters. Click Next.
  11. Under Upon completion settings, choose whether to Auto apply results to a resource and what to do If reviewers don’t respond:

Figure 2.11 – Access review additional settings

  12. You can also choose to Enable reviewer decision helpers, which are like tooltips that provide additional information on the selected actions during the access review.
  13. Under Advanced settings, you can choose additional options such as Justification required, enable Email notifications and Reminders to complete access reviews, and use a text box to specify Additional context for reviewer email, which can be used to further explain the access review process to the individuals you’ve selected.
  14. Click Next.
  15. Enter a name for the access review, review the configured options, and then click Create to create your access review.

After an access review has been created, Azure AD will evaluate whether it needs to run. If the workflow determines it is time for the access review to run, it will do so.

You can view the status of an access review by clicking on it on the Identity governance | Access reviews page.

Users who have been selected to be reviewers will receive an email notification with a link to the access review page. You can also view the access review by selecting Results under the Manage menu item. From there, you’ll be able to view the recommended actions and the audit information for review:

Figure 2.12 – Access review results

Next, we’ll look at some of the logging and reporting data available for applications.

Creating an incident response plan – Monitoring Microsoft 365 Tenant Health

If an incident occurs that affects the availability of services or features in your tenant, you need to be able to respond quickly. An incident response plan is a framework that you can prepare to help you address issues quickly.

While the details of each incident may differ, the steps you take to both prepare and work through one are the same:

  1. Validate the incident scope details and confirm that your environment is affected. Not all incidents affect all tenants, so use the information in the Message Center (https://admin.microsoft.com/#/MessageCenter), as well as investigative procedures such as self-assessments and tests or synthetic transactions.
  2. Determine whether the incident is relevant to your organization. If the incident involves a service that your organization hasn’t yet deployed or doesn’t interfere with business operations, it may not be relevant.
  3. Once degradation and relevancy to your environment have been confirmed, review information sources for details on the timeline of Microsoft’s response. Microsoft will post regular status updates in the Message Center. If information such as a timeline has not been established, you can open a service ticket with Microsoft to request this information.
  4. Develop a backup solution in case the service outage or degradation lasts longer than an acceptable time frame for your organization. Depending on the type of outage, this may mean working offline to fulfill business requirements.

Business continuity planning (BCP) is important regardless of the technology platforms or services being used. Work with various business unit owners to establish communication plans and methods to continue business operations should a service interruption occur.

Monitoring service health

Service health information is available from the Microsoft 365 admin center (https://admin.microsoft.com). Microsoft provides health information for a variety of services and features, including the SaaS services such as Exchange Online or SharePoint Online, the health of the directory synchronization environment, as well as the Windows operating system feature issues and service health.

You can check the overall service health by navigating to the health dashboard (Health | Dashboard), as shown in Figure 2.5:

Figure 2.5 – Service health dashboard

The health dashboard contains the current health status of all Microsoft 365 services. Normally, services will appear as Healthy, though this status will be updated when a service experiences an issue.

The Service health page (Health | Service health) will display the most detailed and comprehensive information on any ongoing or resolved issues:

Figure 2.6 – Service health page

If a service has an advisory or incident, you can expand the issue item under Active issues to display relevant events, as shown in Figure 2.7:

Figure 2.7 – Service health active issues

Selecting an individual item reveals expanded information about the particular issue. See Figure 2.8 for an example:

Figure 2.8 – Expanded active issue

Each service with an incident will display a status. Possible statuses include the following:

  • Normal service: This status indicates the service is available and has no current incidents or incidents during the reporting period.
  • Extended recovery: This status indicates that while steps have been completed to resolve the incident, it may take time for operations to return to normal. During an extended recovery period, some service operations might be delayed or take longer to complete.
  • Investigating: This status indicates that a potential service incident is being reviewed.
  • Service restored: This status indicates that an incident was active earlier in the day but the service was restored.
  • Service interruption: This status indicates the service isn’t functioning and that affected users are unable to access the service.
  • Additional information: This status indicates the presence of information regarding a recent incident from the previous day.
  • Service degradation: This status indicates that the service is slow or occasionally seems to be unresponsive for brief periods.
  • PIR published: This status indicates that a Post-Incident Report (PIR) of the service incident has been published.
  • Restoring service: This status indicates that the service incident is being resolved.

As an administrator, it’s important to frequently check the Service health dashboard to be apprised of alerts or incidents. If a service issue is affecting the Microsoft 365 admin center, you can also try the Office 365 status page (https://status.office.com) and the Azure status page (https://status.azure.com).

Creating and managing service requests – Monitoring Microsoft 365 Tenant Health

As you learned in the previous chapter, the Microsoft 365 tenant is the security and content boundary for your organization. You have control over the content that goes into your tenant, as well as the security controls that you apply to it. However, you don’t have control over external factors such as connectivity between platform services, errors that are introduced from the service provider’s side, or errors with your environment connecting to Microsoft 365.

That’s where monitoring the health of the tenant comes into play.

Like any other service that you are responsible for managing, you also need to be able to develop and execute an incident response plan.

In this chapter, we’ll discuss monitoring and managing the health of a Microsoft 365 tenant. The objectives and skills we’ll cover in this chapter include the following:

  • Creating and managing service requests
  • Creating an incident response plan
  • Monitoring service health
  • Monitoring application access
  • Configuring and reviewing reports
  • Reviewing usage metrics

By the end of this chapter, you should be able to describe day-to-day operations such as monitoring and reporting, as well as important tasks such as creating an incident response plan.

Let’s begin!

Creating and managing service requests

While Microsoft is committed to ensuring the Microsoft 365 platform is as reliable as possible, service interruptions may occur.

Service requests for Microsoft 365 issues are typically raised through the Microsoft 365 admin center. You can create a support request by performing the following steps:

  1. Log in to the Microsoft 365 admin center (https://admin.microsoft.com) and navigate to Support | New service request:

Figure 2.1 – Creating a service request in the Microsoft 365 admin center

  2. In the fly-out panel, type in a question or keywords that relate to your service issue or request. If applicable, a list of potential suggested solutions will be displayed. If no suitable options are displayed, you can select Contact Support:

Figure 2.2 – Microsoft 365 service ticket suggestions

  3. On the Contact support view, you can fill out any required information, select the preferred option to be contacted, and, once ready, click Contact me:

Figure 2.3 – Contacting support

  4. Once a support request has been created, you can select the Support | View service requests option in the Microsoft 365 admin center to track the status of your service request or update it with new information:

Figure 2.4 – Service request history

Summary – Planning and Implementing a Microsoft 365 Tenant

In this chapter, you learned about the fundamental aspects and terminology of configuring a Microsoft 365 tenant, such as selecting a tenant and subscription type, adding domains, and configuring the basic organization settings.

In the next chapter, we will learn how to monitor the Microsoft 365 tenant’s health.

Knowledge check

In this section, we’ll test your knowledge of some key elements from this chapter.

Questions

  1. What is the maximum number of domains that can be added to a Microsoft 365 tenant?
    A. 100
    B. 500
    C. 900
    D. 1,000
  2. You are the administrator for an organization with 250 employees. Which Office 365 subscription best fits the size of the organization?
    A. Microsoft 365 Family
    B. Microsoft 365 Business
    C. Microsoft 365 Enterprise
    D. Microsoft 365 Education
  3. You recently took over the administration duties for a Microsoft 365 tenant for a start-up organization. The organization purchased a domain from a third-party registrar. Can this domain be used with Microsoft 365?
    A. Yes
    B. Yes, but it must be transferred to Microsoft first
    C. No
    D. Only domains purchased through the Microsoft 365 admin center can be configured for use with Microsoft 365
  4. Your organization wants to turn off Microsoft Bookings for all employees until the support staff has had time to read the documentation. From the available options, what should you do?
    A. Disable all Azure AD user accounts
    B. Disable directory synchronization
    C. Disable bookings from Org settings | Services
    D. Disable bookings from Org settings | Security & privacy
  5. The Service Desk manager for Contoso has asked you to update the help desk information for your Microsoft 365 tenant with the internal help desk contact information. Where would you make this update?
    A. Org settings | Organization profile
    B. Org settings | Services
    C. Microsoft Service Now Admin center
    D. Microsoft 365 portal | Account settings

Answers

  1. C: 900
  2. B: Microsoft 365 Business
  3. A: Yes
  4. C: Disable Bookings from Org settings | Services
  5. A: Org settings | Organization profile

Services – Planning and Implementing a Microsoft 365 Tenant-2

While there are no deep questions about what each of the service options does, we recommend you spend time exploring the options for the services in the Microsoft 365 admin center.

Security & privacy

The Security & privacy tab houses settings that govern various security controls for the organization. On this page, you’ll find access to the following settings:

| Setting | Description |
| --- | --- |
| Bing data collection | Choose whether to allow Bing to collect organization query data. |
| Idle session timeout | Configure the idle session timeout period for Office web apps. |
| Password expiration policy | Choose whether to enable password expiration. Password expiration is disabled by default (and the password policy is governed by the on-premises Active Directory if password hash sync has been configured). |
| Privacy profile | Configure the URL for the organization’s privacy policy and the organization’s privacy contact. The privacy URL is displayed on the Privacy tab of the Settings & Privacy page in the user account profile and when a sharing request is sent to an external user. |
| Self-service password reset | Provides a link to the Azure portal to configure self-service password reset. |
| Sharing | Choose whether to allow users to add guests to the organization. |

Table 1.3 – Security & privacy settings

These options can be used to broadly configure security and privacy settings for your organization. As with the settings on the Services tab, these are coarse controls. Fine-grained control is available for some of these items inside their respective admin centers.

Organization profile

Settings on the Organization profile tab are largely informational or used to manage certain aspects of the user experience. On this tab, you’ll find the following settings:

| Setting | Description |
| --- | --- |
| Custom app launcher tiles | Configure additional tiles to show up on the Microsoft 365 app launcher. |
| Custom themes | Create and apply themes to the Microsoft 365 portal for end users, including mandating the theme as well as specific organization logos and colors. |
| Data location | View the regional information where your tenant’s data is stored. |
| Help desk information | Choose whether to add custom help desk support information for end users to the Office 365 help pane. |
| Keyboard shortcuts | View the shortcuts available for use in the Microsoft 365 admin center. |
| Organization information | Update your organization’s name and other contact information. |
| Release preferences | Choose the release settings for Office 365 features (excluding Microsoft 365 apps). The available options are Standard release for everyone, Targeted release for everyone, and Targeted release for select users. The default setting is Standard release for everyone. |
| Support integration | Use the settings on this page to configure integration with third-party support tools such as ServiceNow. |

Table 1.4 – Organization profile settings

Like the other Org settings tabs, the settings on this page will be used infrequently—typically when just setting up your tenant and customizing the experience. As with the other Organization profile setting areas, you should spend some time in a test environment navigating the tenant to view these settings and update them to see their effects.

Planning a tenant – Planning and Implementing a Microsoft 365 Tenant

There are a number of early planning stages for a Microsoft 365 tenant, but the one you’re presented with first will be which kind of subscription and tenant you acquire. Tenants and subscriptions are available for different sizes of organizations as well as different industry verticals. Depending on what options you choose, you may not be able to easily change plans without performing a migration (for example, when moving between Microsoft 365 Commercial and Microsoft 365 GCC).

Selecting a tenant type

Microsoft has made a variety of packages available, targeting different types of organizations, as shown in Figure 1.1:

Figure 1.1 – Types of tenants

Tenant type deep dive

The MS-100 exam focuses on the feature set and product or service bundles available in Microsoft 365 Enterprise plans, though the technologies available are largely the same across all plans. Microsoft 365 for US Government is available only for local, state, and federal government customers (and their partners or suppliers) and has a subset of the currently commercially available features, trailing by anywhere from 6 months to 2 years, depending on the certification level of the environment. Microsoft 365 for Education has the same feature set as the commercial enterprise set, with a few added features targeted to educational institutions. Microsoft 365 for Education is only available to schools and universities.

Selecting a managed domain

After choosing what type of subscription and tenant you’ll acquire, one of the next steps you’ll be faced with is naming your tenant. When you sign up for a Microsoft 365 subscription, you are prompted to choose a name in the Microsoft onmicrosoft.com managed namespace. The name you select will need to be unique across all other Microsoft 365 customers.

Tenant name considerations

The tenant name (or managed domain name) cannot be changed after it has been selected. As such, it’s important to select one that is appropriate for your organization. The tenant name is visible in a handful of locations, so be sure to select a name that doesn’t reveal any private information and looks professionally appropriate for the type of organization you’re representing.

Auto-labeling policies – Implementing Microsoft Purview Information Protection and Data Lifecycle Management

The auto-labeling policies, like other content automation policies in Microsoft Purview, use detection algorithms and processes (such as sensitive information types and trainable classifiers) to apply labels to content in the M365 environment. These are service-side labeling features. After you’ve laid out a labeling scheme consisting of labels and sublabels and decided how content should be classified, you can use and customize the templates in the auto-labeling wizard to apply labels to content matching your classifiers.

Suppose, for example, you need to identify and classify documents that have sensitive information, such as U.S. taxpayer identification numbers or social security numbers, and have created a label called Highly Confidential. You can use an auto-labeling policy with one of the predefined templates to detect taxpayer and social security number patterns and then apply a label to those matching documents.

To create an auto-labeling policy, follow these steps:

  1. In the Microsoft Purview compliance portal (https://compliance.microsoft.com), expand Information protection and select Auto-labeling.
  2. Click Create auto-labeling policy, as shown in Figure 10.51.

Figure 10.51 – Selecting Create auto-labeling policy

  3. On the Info to label page, select the template that you want to use to detect sensitive data. You can choose from a variety of sensitive information types including financial, medical, and privacy continuum. You can select Custom to create a policy based on your own criteria and sensitive information types. In this example, the U.S. State Breach Notification Laws Enhanced template has been selected, which includes detections for a number of personal data elements including financial information, taxpayer data, government identification (such as passports and driver’s licenses), and medical terminology.

Figure 10.52 – Selecting a category template

  4. Click Next.
  5. Enter a Name value for the policy and click Next.
  6. On the Admin units page, choose which administrative units to use for scoping the policy. By default, the entire tenant is selected. Click Next.
  7. On the Locations page, choose where you want this policy to apply labels. By default, all Exchange email, SharePoint sites, and OneDrive accounts are selected as part of the application scope. Click Next.
  8. On the Policy rules page, you can select either Common rules or Advanced rules. Both Common rules and Advanced rules start off with a base template that you can customize, though Advanced rules gives you more customization ability when it comes to email conditions. Select a rules option and click Next.

Figure 10.53 – Selecting policy rules

  9. Review the rules that are in place, customize if desired, and click Next to continue.
  10. On the Label page, select which label you want to apply to the detected content. Click Next.

Figure 10.54 – Selecting the label to apply

  11. If you have Exchange email selected as a location on the Locations page, you have an Automatically replace existing labels that have the same or lower priority option. Additionally, if the label you selected has encryption settings, you can choose Apply encryption to email received from outside of the organization if required. If you do not choose Assign a Rights Management owner, encryption will not be applied to received emails.

Figure 10.55 – Specifying additional settings for email

  12. Click Next.
  13. On the Policy mode page, select how the policy will be implemented. There is no setting to turn the policy on immediately, though you can choose Run the policy in simulation mode and then select the Automatically turn on policy if not modified after 7 days in simulation option. You can also choose Leave policy turned off if you’re not ready to move forward with it just yet.

Figure 10.56 – Choosing the policy mode

  14. Click Next.
  15. On the Finish page, review the settings and adjust if necessary. Click Create policy.

A labeling policy (whether a standard label policy or an auto-label policy) can only apply a single label to content. Additionally, an item may only have one sensitivity label applied to it at a time. If you have multiple labels and sublabels and want to automatically apply multiple labels, you’ll need to create a separate policy for each label that you want to apply. Labels also have a concept of priority, where a higher number means a higher priority. If a labeling policy identifies content that could potentially match two labels with different priorities, M365 will apply the label with the higher priority to the content.

Exam tip
The core takeaway from the two types of labeling policies is that label policies are generally focused on interactive activities (such as navigating a browser interface to apply a label or applying a label while creating and editing a document) while auto-labeling policies generally apply to content at rest.

ABOUT ICANN – Planning and Implementing a Microsoft 365 Tenant-2

  1. If your domain is registered at a host that supports Domain Connect, you can provide your credentials to the Microsoft 365 Add domain wizard and click Verify. Microsoft will automatically configure the necessary domain records and complete the entire DNS setup for you. You can also select More options to see all of the potential verification methods available, as shown in Figure 1.7:

Figure 1.7 – Verify domain ownership

  2. If you choose any of the additional verification options (such as Add a TXT record to the domain’s DNS records), you’ll need to manually add DNS records with your DNS service provider. Microsoft provides the values you need to configure DNS with your own service provider. After entering the values with your service provider, you can come back to the wizard and select Verify, as shown in Figure 1.8:

Figure 1.8 – Completing verification records manually

  3. If you’re using Domain Connect, enter the credentials for your registrar. When ready, click Connect.

Figure 1.9 – Authorizing Domain Connect to update DNS records

  4. Select Let Microsoft Add your DNS records (recommended) to have the Microsoft 365 wizard update your organization’s DNS records at the registrar. However, if you are going to be configuring advanced scenarios such as Exchange Hybrid for mail coexistence and migration or have other complex requirements, you may want to consider managing the DNS records manually or opting out of select services. Click Continue.

Figure 1.10 – Connecting domain to Microsoft 365

  5. Choose whether to allow Microsoft to add DNS records. Expand the Advanced options drop-down:

    • The first checkbox, Exchange and Exchange Online Protection, manages DNS settings for Outlook and email delivery. If you have an existing Exchange Server deployment on-premises (or another mail service solution), you should clear this checkbox before continuing. You’ll need to come back to configure DNS settings to establish hybrid connectivity correctly. The default selected option means that Microsoft will make the following updates to your organization’s DNS:
      • Your organization’s MX record will be updated to point to Exchange Online Protection.
      • The Exchange Autodiscover record will be updated to point to autodiscover.outlook.com.
      • Microsoft will update your organization’s SPF record with v=spf1 include:spf.protection.outlook.com -all.

Figure 1.11 – Adding DNS records

    • The second setting, Skype for Business, will configure DNS settings for Skype for Business. If you have an existing Skype for Business Online deployment or you’re using Skype for Business on-premises, you may need to clear this box until you verify your configuration:
      • Microsoft will add two SRV records: _sip._tls.@ and _sipfederationtls._tcp@.
      • Microsoft will also add two CNAMEs for Lync: sip. to point to sipdir.online.lync.com and lyncdiscover. to point to webdir.online.lync.com.
    • The third checkbox, Intune and Mobile Device Management for Microsoft 365, configures applicable DNS settings for device registration. It is recommended to leave this enabled:
      • Microsoft will add the following CNAME entries to support mobile device registration and management: enterpriseenrollment. to enterpriseenrollment.manage.microsoft.com and enterpriseregistration. to enterpriseregistration.windows.net.

  6. Click Add DNS records.
  7. If prompted, click Connect to authorize Microsoft to update your registrar’s DNS settings.
  8. Click Done to exit the wizard or View all domains to go back to the Domains page if you need to add more domains.

You can continue adding as many domains as you need (up to the tenant maximum of 900 domains).
ADDING A DOMAIN DEEP DIVE
To review alternative steps and more information about the domain addition process, see https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-domain.
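If you manage the records manually, or want to confirm later that nothing has drifted, the values listed in the steps above can be checked against an export of your zone. The following is an added example, not part of the original text or any Microsoft tooling: the function names, the `(label, type, value)` record format, and the sample zone are assumptions constructed for illustration.

```python
EXPECTED_CNAMES = {  # label under the custom domain -> target named in the steps above
    "autodiscover": "autodiscover.outlook.com",
    "sip": "sipdir.online.lync.com",
    "lyncdiscover": "webdir.online.lync.com",
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}

def _norm(name):  # lower-case a DNS name and drop the trailing root dot
    return name.strip().lower().rstrip(".")

def audit_spf(txt_values):
    """Check the apex TXT values for exactly one hard-fail SPF record."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # RFC 7208: several SPF records is a permanent error
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()
    findings = []
    if "include:spf.protection.outlook.com" not in terms:
        findings.append("SPF does not include spf.protection.outlook.com")
    if terms[-1] != "-all":
        findings.append(f"SPF ends with {terms[-1]} instead of -all")
    return findings

def audit_zone(records):
    """records: (label, type, value) tuples; label '@' is the domain apex."""
    findings = audit_spf([v for n, t, v in records if n == "@" and t == "TXT"])
    cnames = {_norm(n): _norm(v) for n, t, v in records if t == "CNAME"}
    for label, target in EXPECTED_CNAMES.items():
        actual = cnames.get(label)
        if actual is None:
            findings.append(f"{label}: CNAME missing")
        elif actual != target:
            findings.append(f"{label}: points to {actual}, expected {target}")
    return findings

# Constructed sample zone export: soft-fail SPF and one stale CNAME target.
SAMPLE = [
    ("@", "TXT", "MS=ms00000000"),  # placeholder ownership-verification value
    ("@", "TXT", "v=spf1 include:spf.protection.outlook.com ~all"),
    ("autodiscover", "CNAME", "autodiscover.outlook.com."),
    ("sip", "CNAME", "sipdir.online.lync.com"),
    ("lyncdiscover", "CNAME", "webdir.online.lync.com"),
    ("enterpriseenrollment", "CNAME", "old-mdm.example.net"),
    ("enterpriseregistration", "CNAME", "enterpriseregistration.windows.net"),
]

if __name__ == "__main__":
    print("\n".join(audit_zone(SAMPLE)))
```

A CNAME that points somewhere other than the expected Microsoft target is worth investigating promptly, since device enrollment and client discovery traffic follows whatever that record names.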

ABOUT ICANN – Planning and Implementing a Microsoft 365 Tenant-1

ICANN (short for Internet Corporation for Assigned Names and Numbers) is a non-profit organization tasked with providing guidance and policy around the internet’s unique identifiers (domains). It was chartered in 1998. Prior to 1998, Network Solutions operated the global domain name system registry under a subcontract from the United States Defense Information Systems Agency.

You can search the list of domain registrars here: https://www.icann.org/en/accredited-registrars.

Microsoft

In addition to choosing a third-party registrar, organizations may also wish to use Microsoft as the registrar. Depending on your subscription, you may have direct access to purchasing domain names from within the Microsoft 365 admin center, as shown in Figure 1.4:

Figure 1.4 – Purchasing a domain through the Microsoft 365 admin center

When purchasing a domain through Microsoft, you can select from the following top-level domains:

  • .biz
  • .com
  • .info
  • .me
  • .mobi
  • .net
  • .org
  • .tv
  • .co.uk
  • .org.uk

Domain purchases will be billed separately from your Microsoft 365 subscription services. When purchasing a domain from Microsoft, you’ll have limited ability to manage Domain Name System (DNS) records. If you require custom configuration (such as configuring an MX record to point to a non-Microsoft 365 server), you’ll need to purchase a domain separately.

Configuring a domain name

Configuring a domain for your tenant is a simple procedure and requires access to your organization’s public DNS service provider. Many large organizations may host DNS themselves, while other organizations choose to pay service providers (such as the domain registrar) to host the services.

In order to be compatible with Microsoft 365, a DNS service must support configuring the following types of records:

  • CNAME: Canonical Name records are alias records for a domain, allowing a name to point to another name as a reference. For example, let’s say you have a website named www.contoso.com that resolves to an IP address of 1.2.3.4. Later, you want to start building websites for na.contoso.com and eu.contoso.com on the same web server. You might implement a CNAME record for na.contoso.com to point to www.contoso.com.
  • TXT: A Text Record is a DNS record used to store somewhat unstructured information. Request for Comments (RFC) 1035 (https://tools.ietf.org/html/rfc1035) specifies that the value must be a text string and gives no specific format for the value data. Over the years, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and other authentication and verification data have been published as TXT records. In addition to SPF and DKIM, the Microsoft 365 domain addition process requires the administrator to place a certain value in a TXT record to confirm ownership of the domain.
  • SRV: A Service Locator record is used to specify the host and port for a particular internet protocol or service.
  • MX: The Mail Exchanger record is used to identify which hosts (servers or other devices) are responsible for handling mail for a domain.

In order to use a custom domain (sometimes referred to as a vanity domain) with Microsoft 365, you’ll need to add it to your tenant.

To add a custom domain, follow these steps:

  1. Navigate to the Microsoft 365 admin center (https://admin.microsoft.com) and log in.
  2. Expand Settings and select Domains.

Figure 1.5 – Domains page of the Microsoft 365 admin center

  3. Click Add domain.
  4. On the Add a domain page, enter the custom domain name you wish to add to your Microsoft 365 tenant. Select Use this domain to continue.

Figure 1.6 – Add a domain page