Mastering Office 365 Administration

By : Thomas Carpe, Nikkia Carter, Alara Rogers

Overview of this book

In today's world, every organization aims to migrate to the cloud in order to become more efficient by making full use of the latest technologies. Office 365 is your one-stop solution to making your organization reliable, scalable, and fast. This book will start with an overview of Office 365 components, and help you learn how to use the administration portal, and perform basic administration. It then goes on to cover common management tasks, such as managing users, admin roles, groups, securing Office 365, and enforcing compliance. In the next set of chapters, you will learn about topics including managing Skype for Business Online, Yammer, OneDrive for Business, and Microsoft Teams. In the final section of the book, you will learn how to carry out reporting and monitor Office 365 service health. By the end of this book, you will be able to implement enterprise-level services with Office 365 based on your organization's needs.

The left sidebar navigation menu


Like many modern left sidebar navigation trees, this menu will collapse down to a narrow column of icons if you click the left-pointing caret on the right side of the bar, but the default on most browsers is for it to be full-sized. On mobile, you might find that it defaults to being minimized. (It's also small enough to be almost unreadable on a phone. I'd recommend that if you're going to be using mobile devices to access administrative functions more than occasionally, you should probably get the Office 365 admin app, available for iOS, Android, and Windows mobile. But a discussion of that app is outside the scope of this book.)

Users

The options under Users are Active users, Contacts, Guest users, and Deleted users.

Active users

There's a lot you can do in Active users, and you're going to be doing a lot of it. Interacting with your active users—adding new ones, disabling terminated ones, resetting passwords, and adding and removing licenses—is the bulk of the work that most Office 365 administrators do:

The Active users panel

The top bar for Active users gives you the options to add a user, change which users you're viewing, search users, export your list of users to CSV, and other functions, available under the More drop-down menu.

Again, the options you see here may vary, depending on what products you have (you won't see an option for Directory synchronization if you're not syncing Office 365 to Active Directory, for instance).

The most common activities are adding a user and resetting passwords (particularly if you don't sync to Active Directory), but a dynamic, quickly changing company may also have a lot of setting licenses to do. We'll go over those functions and how to work with the views of your users (a vital skill, if you're a large company with a lot of users) in some detail. Most of the other functions are fairly self-explanatory.

We'll go over much of this information again in Chapter 3, Administering Azure Active Directory, drilling down into PowerShell and some of its more obscure details.

Adding a user

To add a user, you'll enter the user's First name and Last name, and this will assemble the Display name by default. If you want the display name to be something different than the first and last names, change it after it populates by default; this won't affect the first or last names:

Add a new user

Most instances of Office 365 have more than one domain, but usually, one's the real domain, and one's domain.onmicrosoft.com, which hardly anyone uses. In most Office 365 tenants, the default domain has been set to whatever your company usually uses for public websites and the like. However, there might be circumstances where a user needs to be assigned to a different domain name. Enter the username, and use the drop-down menu to select the correct domain name if the default isn't the right one.

It's important to select a location if it hasn't prepopulated for you. You won't be able to add licensing until the location is set.

Whether you fill out the contact information or not is probably a matter of your company's policy. It won't affect a user's capabilities if you don't do it, but if you do, that information will be carried into Exchange and SharePoint, so it won't need to be reentered in the global address list or user profiles:

Password and role options

The options for setting the password include either autogenerating it and emailing it to the email you choose upon completion of the new user task, or creating it manually by yourself. For either option, you can force the user to change it when they sign in, or allow them to continue to use it.

Most users will be assigned User (no administrator access), and most IT staff who need administrative access will probably be assigned Global administrator, but in a large organization, you may well want to use the Customized administrator setting to fine-tune which rights you grant.

Finally, you will need to set the licenses. You'll see a series of toggle switches that represent all of the licenses your company has available:

Assign licenses

The last toggle is Create user without product license. While Microsoft labels this as Not recommended, it might be a perfectly reasonable thing to do if you're not the one with the authority to purchase extra licenses; get the user created without a license, and they'll be able to get into the Office 365 portal and set their new password while you're waiting for the purchasing people to acquire the license. (This is also what you're likely to do if you need to create a service account.)

You must set one of the toggle switches, or it won't allow you to create the user. So, if there are no available licenses, use the one that creates the user without a license.

After you're done, you'll get a window telling you the user's password (if it was autogenerated) and offering to email that password to the default address (usually yours, if you're the primary Office 365 administrator).

Using the user panel

You can reset passwords, set licenses and roles, disable or enable Office 365 sign-in, add new aliases and change which email address is primary, and perform many other functions, via the user panel.

To access the user panel, simply click on an active user, and it'll open to the right.

A lot of these functions are very similar to the equivalent that you'd perform for new users. For example, resetting a password is just like setting it for the first time for a new user:

The user panel

Assigning a license is just like assigning a license to a new user. But there are some functions that can be performed via the user panel that don't have an equivalent in the Add a user task:

  • Group memberships aren't something that you can assign in Add a user, because the mailbox needs to be provisioned before groups can be assigned. By clicking Edit under Group memberships in the user panel, you can add the user to a group, see the groups they're already in, and delete them from groups they are members of.
  • You can also change the sign-in settings. If you have an employee that's leaving the company at the end of the day, you can cut off their ability to sign in to Office 365 products without either deleting them or changing their password by simply setting their Sign-in status to Sign-in blocked. (There will be more on this topic in Chapter 3, Administering Azure Active Directory.) This is especially useful if they're synchronized with Active Directory and it's handled by a different department, so you don't have the rights to change their password or delete them. You should note, though, that because this disables sign-in, it won't affect a user who is already signed in until that sign-in expires. So it's not the best tool to use for the person who's being frog-marched out the door by security right now and might still be signed in on their personal tablet.
  • You can view the devices that a user has installed Office onto, and deactivate their installation. (Possibly a good idea to do to the home laptop of that employee in the previous example! However, you can only perform it on PC and macOS devices, not mobile ones, so you still can't get that tablet.) If an employee had a device stolen or destroyed, and they're at their five-device limit for Office installations, you can deactivate the lost device here, so that they can install it on their replacement device.
  • If you click the expanding caret for Mail Settings, you can directly work with mailbox permissions, email forwarding, litigation hold, auto replies, what apps the user is allowed to use to access email with, and whether they're in the global address list, without having to go into Exchange. (We'll go into what these options mean in more detail in Chapter 3, Administering Azure Active Directory and Chapter 4, Administering Exchange Online – Essentials.) There's also a direct link to Exchange, which will take you straight into this user's Exchange properties.
  • The expanding caret for OneDrive Settings gives you the option to get access to the user's OneDrive, which is very helpful if they're out of the office or have left the company, and there's important business information that they are storing in there. You can also turn external sharing to the user's OneDrive (meaning that the user can share with users outside of your company) on or off.
  • You can kick off a one-time sign-out event that kicks the user out of every instance of Office 365 they're signed into. This is useful if you're changing their username, or in the case of that employee being frog-marched out the door in the example. Oddly, though this has nothing to do with OneDrive, it's stored under the OneDrive Settings caret.
  • The direct links at the bottom let you edit the user's Skype for Business properties, or go directly to their multi-factor authentication settings.
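
The offboarding sequence from the sign-in status and sign-out bullets above, as an added example that is not from the book: block sign-in first, then revoke existing sessions, so a device that is still signed in cannot simply re-authenticate. It uses the Microsoft Graph PowerShell SDK rather than the portal; the function name `Invoke-UserOffboardLockout` and the sample address are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
<#
  Added example, not from the book.
  Assumptions: the Microsoft Graph PowerShell SDK is installed and the operator
  holds a role that is allowed to update users. The function name and the
  sample UPN are hypothetical.
#>
function Invoke-UserOffboardLockout {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string] $UserPrincipalName
    )

    # Resolve the account first so a mistyped name fails before anything changes.
    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, UserPrincipalName, AccountEnabled -ErrorAction Stop

    $result = [ordered]@{
        UserPrincipalName = $user.UserPrincipalName
        SignInBlocked     = $false
        SessionsRevoked   = $false
        AccountEnabledNow = $null
    }

    # Step 1: the counterpart of setting Sign-in status to "Sign-in blocked".
    # On its own this only stops NEW sign-ins; existing sessions keep working.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in')) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop
        $result.SignInBlocked = $true
    }

    # Step 2: the closest Graph counterpart of the portal's one-time sign-out.
    # It invalidates refresh tokens and session cookies. Access tokens that
    # were already issued stay valid until they expire, so the cut-off is not
    # instantaneous on every client.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
        $result.SessionsRevoked = $true
    }

    # Step 3: read the flag back so the ticket records the verified state,
    # not just the fact that a command was issued.
    $after = Get-MgUser -UserId $user.Id -Property AccountEnabled -ErrorAction Stop
    $result.AccountEnabledNow = $after.AccountEnabled

    [pscustomobject]$result
}

# Dry run against a constructed address; remove -WhatIf to apply the changes.
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Invoke-UserOffboardLockout -UserPrincipalName 'departing.user@contoso.example' -WhatIf
```

Running the two steps in the opposite order leaves a window in which a revoked client can sign straight back in, which is why the block comes first.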

Views

Views are covered in detail in Chapter 3, Administering Azure Active Directory, so we won't delve too deeply here.

There's a default view that shows all users. If you have a small company, that might be fine. As soon as you have a large number of users (or accounts, such as service accounts that were assigned email addresses, external contacts who were invited as guest users, former employees, special-purpose administrator accounts, and so on), the list can get unwieldy. You may want to use one of the other default views, or create one of your own. See Chapter 3, Administering Azure Active Directory for more information on how to do this.

Import multiple users

Finally, the last function of the Active users page that we'll discuss is the Import multiple users function. If you have a moderately large organization and you are not planning to synchronize with AD, you might want to import a large number of users at the same time:

Import multiple users

You get to this feature by clicking the More drop-down menu at the top of Active users. Download a CSV file to use as a template (you can choose one with just the headers, or one with sample user data, to help you understand how to format your users), enter all of your users into it, upload with the Browse button, and then click Verify to make sure your formatting is correct. Click Next and follow the prompts. You'll be able to set a sign-in status and choose product licenses on the next page, and then send the results to yourself or someone else. (Note that the passwords handled this way will be in plain text, so you may want to require your users to change their passwords as soon as possible.)

Other functions of the Active users page are fairly self-explanatory, such as Delete a user or Export. Let's move on.

Contacts

Contacts are email addresses from outside of your organization that are recorded in Exchange so that users can find them in the global address list:

Contacts

It's easier to enter a contact than it is to enter a user—there are a lot fewer fields to fill out.

Display name and Email are the only required fields, although if you are going to use contacts heavily and need to be able to search for them with multiple criteria, you might want to fill in the other fields.

By default, contacts appear in the global address list, although you can exclude them with the Hide from my organization address list toggle. Contacts, as a concept, come from Microsoft Exchange, and are a means to include people from outside the company in distribution lists. They can also be included in Office 365 Groups, as of May 2017.

Guest users

Guest users, as a concept, are more closely related to SharePoint and OneDrive. A guest user has been granted access, via sharing, to a resource on SharePoint or OneDrive. They're only relevant if your organization allows external sharing.

A guest user will automatically be created if you create a sharing link for a specific email address within SharePoint or OneDrive. You can't create them here, but you can view and delete them.

Note that guest users don't have a presence in the global address list, and the same email address can't be both a contact and a guest user. If you have a need to give people who are frequently contacted by your users access to SharePoint and OneDrive while also having them as a global contact, and also having them on a list that automatically sends them and other people email, it might make more sense to use an Office 365 Group rather than a traditional distribution list, because members of those Groups can be both guest users and mail contacts at the same time.

Deleted users

Up to 30 days after you delete a user, they can be restored:

Deleted users

Use the Deleted users screen to see who has been deleted, export them if you need a CSV report, and restore them.

More vital information about the user recycle bin will be covered in Chapter 3, Administering Azure Active Directory.

Groups

While there's more functionality for working with groups in the Exchange Administration Center, many of the most common functions have been made available directly in the Office 365 administration portal, under Groups.

The two headings you'll find here are Groups (yes, really, it's the same word) and Shared mailboxes.

Groups

There are four types of groups within Office 365: distribution lists, security groups, mail-enabled security groups, and Office 365 lists. There are also shared mailboxes, but they have their own heading. We'll discuss the differences in Chapter 4, Administering Exchange Online – Essentials:

The Groups page

When you click on any group, a panel will open (usually to the right) displaying its properties, and you can edit many of the properties right there.

Distribution lists and mail-enabled security groups primarily live in Exchange, so their panels offer direct links to Exchange, to do further editing there, if desired.

Office 365 Groups and regular security groups are accessible via the Exchange administration site, but the Office 365 administration portal is equally competent at handling them, so Microsoft hasn't bothered including those links on their panels.

Within Office 365, you can edit:

  • The name, description, ownership, and membership of a distribution list, and whether external senders are allowed.
  • The name, description, ownership, and membership of a security group.
  • The name, description, ownership, and membership of a mail-enabled security group, and whether external senders are allowed.
  • The name, description, ownership, and membership of an Office 365 group, whether external senders are allowed, and whether senders should be automatically subscribed. It'll display your privacy settings—that is, is the group public or private—but you can't edit them after creating a group.

Creating a new group offers far less functionality than editing one, particularly for the traditional types of groups: distribution, security, and mail-enabled security groups can't have owners or members defined during creation, and Office 365 Groups can only define the owner at creation, if you're using the administration portal.

Shared mailboxes

You can edit a lot of the properties of a shared mailbox by using the shared mailbox panel when you click on one of the shared mailboxes on this page:

The Shared mailboxes page

Using this panel, you can edit the name, email, email aliases, forwarding, auto-replies, litigation hold status, membership, and other settings, such as whether sent items get copied to the mailbox, whether the mailbox is in the global address list, and so on. You can also delete the mailbox, go directly to Exchange administration to work with the mailbox, or read about how to use Shared mailboxes in Outlook:

The shared mailbox panel

Again, there's a lot less functionality for actually creating mailboxes. You can set the name and the email address, and that's all. For all other properties, you'll need to wait for it to be created, and then edit it.

Resources

The next heading on the side navigation bar is Resources. The three subheadings are Rooms & equipment, Sites, and Public website.

Rooms and equipment

In Exchange, you can assign a room or a piece of equipment (for example, a projector) to a meeting by giving it an email address:

Rooms and equipment

To enter a room or equipment, you click Add and choose which one—Room or Equipment. You then fill out the name and the email address you're assigning to it (it would also be a good idea to fill in the capacity, location, and phone number).

Rooms can be abstract entities; my company, for instance, has no physical conference rooms, but we assign conferencing vendors, such as GoToMeeting and WebEx, as rooms.

The panel for editing a room allows you to edit the same things you set when you created the room, but it also allows you to set whether repeated meetings are allowed, whether automatic processing (inviting a room to a meeting automatically reserving the room without requiring human intervention) is allowed, and who's a delegate for the room (the person who receives the room's email; also, the person who can choose to reject a booking for the room). There's also a direct link to the settings in Exchange.

Sites

The Sites page displays all SharePoint site collections in the tenant (excluding individual OneDrive sites), and shows what type of sharing is allowed (that is, no external sharing, new and existing external users, or anonymous guest links allowed). You can edit the type of sharing here.

If you choose Add a site, you jump to the SharePoint management portal, to the page for creating a new site collection. That's outside the scope of this chapter, but is covered in Chapter 6, Administering SharePoint Online.

Public website

This entry seems to be purely vestigial. Office 365 hasn't allowed new public websites to be created in several years, and as of this writing, Microsoft is planning to eliminate all the existing ones at the end of March 2018. Don't be surprised if, by the time you are able to buy this book, this entry has disappeared entirely.

Billing

In many organizations, the people who handle the billing aren't the site administrators; responsibilities are often divided between finance and IT departments. If that's your position, you'll probably only ever need to touch the subheadings Subscriptions and Licenses; and possibly, not even Subscriptions. Sometimes, though, particularly in small organizations, the person who manages Office 365 also manages the spending on it, so we'll cover the various parts.

Subscriptions

This page is more to provide information than to be a place with things that you can edit or act on. It'll show your active product subscriptions (and when you click on one, it'll tell you how many licenses you have for it), expired subscriptions, disabled subscriptions, and deprovisioned subscriptions:

The Subscriptions page

Expired subscriptions will have run out 30 days ago (or less), and all of the data in them is still accessible; disabled subscriptions will have run out between 31 and 90 days ago, and the data in them can be accessed by an administrator, but not by the user. Deprovisioned subscriptions have had their data deleted. Often, a free trial your company might have used at one point will show up as a deprovisioned subscription.

You can add a subscription here. Clicking on Add subscriptions takes you to the Purchase services page.

Bills

If your company purchases directly from Microsoft, you'll see the invoices for your services on this page. You can use the drop-down menu to access This month, Last month, the Past 3 months, Past 6 months, Past year, and Specify date range quickly. If you want more detailed breakdowns or to view individual invoices prior to the last month, click on View details. You can also view the invoices as PDFs:

Bills page

If you purchase your Office 365 from a Microsoft partner through the CSP program, another reseller, or through a specialty program (for example, there is special handling for nonprofits, as well as annual purchases through MS Open), you will not see anything here. The Bills page only shows Microsoft invoices.

Licenses

If you purchase your licenses directly from Microsoft, your Licenses page will show your products, the number of valid licenses you have for each product, the number of expired licenses (this includes disabled licenses, but not necessarily deprovisioned ones), and the number of licenses assigned, with a prompt to assign licenses if you have unassigned ones, or unassign licenses if you don't have enough. There will also be a link for each product, to allow you to buy more:

Licenses page

If you purchase through a CSP partner or another distribution program, you won't see the prompts to assign, unassign, or buy now. Your distributor or Microsoft partner handles that; you should contact them for more licenses. Instead, you may see a link directing you to contact information for your Microsoft partner.

Purchase services

Even if you generally purchase your licenses through a CSP partner or reseller, Microsoft will still offer you the chance to buy products directly from them on this site.

Believe us when we say that this creates no end of opportunities for confusion.

Avoid doing this. If your company's buying through a distributor or CSP, you are probably getting a better deal than what Microsoft offers directly. They've actually rigged the incentives so that distributors can offer a better deal than they do, because they'd rather that partners and distributors do the selling; Microsoft isn't famous for its keen interest in support and customer service for large numbers of individual consumers and small business users:

Purchase services page

Of course, if you are purchasing directly from Microsoft, there's no reason not to use this site to purchase products, as long as whoever authorizes spending in your company has given you the OK.

Each caret by a suite listing (such as Small Business Suite, Enterprise Suite, Dynamics 365 Suite, and Other plans) expands so that you can see the full listing of all the products for sale in that category. Most products require an annual commitment if you're buying from Microsoft, so be sure you've got funding secured for a full year.

Billing notifications

Regardless of whether your tenant shows invoices to view (meaning that you purchase some services directly from Microsoft) or not, you'll have a list on this page of everyone that's authorized to receive billing statements. Whether the billing statements will be directly attached to the emails or not is a switch you can toggle On and Off:

Billing notifications page

You cannot directly add to this list; it's a list of all global and billing administrators, and any custom administrator that contains billing administration rights. However, by clicking on a user in this list, you can change what administration rights they have, which can effectively delete them from the list if you downgrade their rights.

Support

There are two styles of Support screen that you might see, depending on whether Microsoft has rolled out their newer Support UI to your company or not. In one, clicking on New service request or View service requests takes you to a separate page; in the other, you get a right-side pop-out panel, like all of the other pop-out panels you've encountered thus far. We'll touch on both, since how long it will take Microsoft to decommission the older version fully is not easily predictable.

Customer lockbox request

The Customer Lockbox feature comes with an Office 365 E5 plan automatically, and can be purchased as an add-on to any Enterprise plan. If your company has no such plans, you can safely skip this section. (However, this is one among many reasons that we recommend that every Office 365 customer purchase at least one E3 plan.)

When Microsoft support engineers answer service requests, they sometimes need to access your company's data. Without the Customer Lockbox feature, they will access what they need as they need it, and will relinquish access after they're done; but you, the customer, will have no control of or knowledge of their access. With the lockbox feature, you receive an email telling you there's a customer lockbox request, and you log in to the page to approve or deny the request.

The Customer Lockbox feature, if your tenant has a license that gives you access to it, can be turned on and off in Security & privacy, under Settings. More on that will follow.

Settings

The Settings page covers a variety of different functions that apply to your organization and don't fit particularly well in any of the other subsections.

The Services & add-ins page

The Services & add-ins page will show you a long, long list of various services and add-ins that an Office 365 administrator can activate or administer from this page. It's outside the scope of this chapter to go over them all; some will be covered in more detail in Chapter 13, Administering PowerApps, Flow, Stream, and Forms:

Services & add-ins

In the top-left corner, there's a button for uploading an add-in, which could be something purchased from a third party or created by developers in your company. The add-ins that you can deploy here are Office web add-ins that you can globally deploy for all users of Word, Excel, Outlook, and/or PowerPoint, in your company.

The Security & privacy settings

This is the page you use to set your Office 365 Password policy (options include the days before passwords expire and the number of days before a user is notified of imminent password expiration), the Sharing settings (whether your users can add guest users—with this setting off, users cannot share with external users from OneDrive or SharePoint), and self-service password reset:

The Security & privacy settings

If your company has the Customer Lockbox feature, this is also where you can turn it on or off.

DirSync errors

The DirSync errors report shows all objects that are experiencing a conflict in DirSync. In our experience, many of these errors are false alarms, or at least not particularly serious. However, keep in mind that all high-level admins will get emails alerting them to their (continued) existence. These issues are caused when properties that are supposed to be unique—for example, the UserPrincipalName—are assigned to more than one record. A common cause of this would be the existence of a mail contact within a distribution group with the same email as a guest user. Clicking on the object in error will give you more details on how to resolve the error.
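
The uniqueness conflict described above, and the contact-versus-guest collision mentioned under Guest users, can be checked for offline before they surface as DirSync errors. This is an added example, not code from the book: the function name `Find-DirectoryAddressConflict`, the property names, and every record in the sample are constructed assumptions standing in for your own exports of users, contacts, and guests.

```powershell
<#
  Added example, not from the book. Finds addresses claimed by more than one
  directory object. Property names (Id, ObjectType, DisplayName,
  UserPrincipalName, Addresses) are assumptions about how you shape an export.
#>
function Find-DirectoryAddressConflict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [object[]] $DirectoryObject
    )

    # Flatten every object into one row per address it claims.
    $claims = foreach ($obj in $DirectoryObject) {
        $values = @($obj.UserPrincipalName) + @($obj.Addresses)
        foreach ($raw in $values) {
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # Drop the "SMTP:"/"smtp:" prefix and compare case-insensitively,
            # because Pat@Fabrikam.example and pat@fabrikam.example collide.
            $normalized = ($raw -replace '^smtp:', '').Trim().ToLowerInvariant()
            [pscustomobject]@{
                Address     = $normalized
                Id          = $obj.Id
                ObjectType  = $obj.ObjectType
                DisplayName = $obj.DisplayName
            }
        }
    }

    # One object listing the same address twice (UPN plus primary SMTP) is
    # normal, so de-duplicate per object before counting claimants.
    $claims |
        Sort-Object -Property Address, Id -Unique |
        Group-Object -Property Address |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                Address   = $_.Name
                Kinds     = ($_.Group.ObjectType | Sort-Object -Unique) -join '+'
                ClaimedBy = ($_.Group |
                    ForEach-Object { '{0}: {1}' -f $_.ObjectType, $_.DisplayName }) -join '; '
            }
        }
}

# Constructed sample data: one contact/guest collision and one address that
# is a secondary alias on one user and the sign-in name of another.
$sample = @(
    [pscustomobject]@{ Id = 'u1'; ObjectType = 'User'; DisplayName = 'Dana Lee'
        UserPrincipalName = 'dana@contoso.example'
        Addresses = @('SMTP:dana@contoso.example', 'smtp:d.lee@contoso.example') }
    [pscustomobject]@{ Id = 'c1'; ObjectType = 'Contact'; DisplayName = 'Pat Vendor'
        UserPrincipalName = $null
        Addresses = @('SMTP:pat@fabrikam.example') }
    [pscustomobject]@{ Id = 'g1'; ObjectType = 'Guest'; DisplayName = 'Pat (guest)'
        UserPrincipalName = 'pat_fabrikam.example#EXT#@contoso.onmicrosoft.com'
        Addresses = @('smtp:Pat@Fabrikam.example') }
    [pscustomobject]@{ Id = 'u2'; ObjectType = 'User'; DisplayName = 'D. Lee (old)'
        UserPrincipalName = 'd.lee@contoso.example'
        Addresses = @() }
)

Find-DirectoryAddressConflict -DirectoryObject $sample | Format-List
```

The `Kinds` column separates the contact-plus-guest case the text calls common from a plain duplicate between two user records, which usually needs a different fix.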

Organization profile

Here is where you keep information about your company, including the email address of the technical contact, up to date. In small companies, it's often the case that the CEO or owner of the company assigned themselves as the technical contact when the Office 365 tenant was created, and later, they ended up flooded with error messages that clogged their inbox and should have been going to IT, anyway. You can fix that issue here:

The Organization profile page

There are other settings that affect your organization here. You can decide what the release schedule for your company will be: Will you get the new Microsoft releases of Office 365 updates as soon as they come out? Will you get them when Microsoft pushes them out to everyone? Or, will you choose a few users to bravely go where no user has gone before, so that they can break what no one has broken before, and advise everyone else accordingly?

There are settings here for managing custom themes, custom tiles, and custom help desk information, as well, and you can find out what continent your data centers are on.

Partner relationships

If you purchase Office 365 from Microsoft and you don't have any Microsoft partners that you're working with, this page will be blank. Distributors, CSPs, partners of record, and other Microsoft partners that you may have granted delegated administration privileges to, will be listed here:

The Partner relationships page

You can look up your Microsoft partner's phone number and email address. If, for some reason, you need to move on, you can remove them from delegated administration access.

Setup

There are actually many more setup-related pages available than Microsoft makes available in the Setup heading of the sidebar navigation. It might be that Microsoft will eventually make those available in the sidebar, as well; as of right now, you can access the others through the dashboard component setup guides, discussed at the beginning of this chapter. The ones that you can access through the sidebar as of this writing are Products, Domains, and Data migration.

Products

The Products page is actually very similar to the Licenses page, but much more user-friendly and attractive. It displays the products your company is subscribed to, with icons showing what applications those products entitle you to. (Sometimes, the same application has multiple licensed products that can apply to it; for example, Audio Conferencing and Domestic Calling Plan both apply to Skype for Business. And many products offer multiple applications within; any Office plan that includes software will include Word, Excel, PowerPoint, and Outlook, for example.):

The Products page

As with the Licenses page, it'll show you how many licenses you have, how many are free to be used, and what their status is, and will give you the opportunity to assign licenses if some are free, or buy more if none are. Disabled and deprovisioned products won't show in this view. Note that Buy more just takes you to the Subscriptions page and Assign licenses takes you to Active users.

Domains

For most companies, you're only likely to engage with the initial setup of domains once or twice, and if you're coming on board to administer an existing Office 365 site that's already been set up with the company domain, you might never need to touch this page.

Because having a domain is very important to how your users are provisioned, we'll cover setting up a domain in detail in Chapter 3, Administering Azure Active Directory.

Data migration

The Data migration page shows various common email providers that you might be migrating data from, as well as giving you a convenient link for uploading a PST file.

There are also many guides of various types for onboarding onto and migrating to various Office 365 services, such as SharePoint, Teams, OneDrive, and so on, and detailed instructions for migrating from Gmail.

If this is your very first experience with Office 365, quite probably, you'll want to skip the extra helping of antacids and get the assistance of a Microsoft partner to help you make the switch. Microsoft partners will bring the experience of many different migrations for many types of organizations, and will have the tools and processes needed to make your transition to Office 365 a smooth one.

Reports

The reports that are available here are Usage and, under the heading Security & compliance, Rules and DLP (DLP stands for data loss prevention) reports. The more detailed security and compliance reports, such as protection and auditing, have moved to other areas, and we'll cover them in later chapters.

Usage

The Usage reports show an overview of the usage of some of the most important online components of Office 365 (such as Exchange, OneDrive, SharePoint, and so on) for 7 days, 30 days, 90 days, or 180 days, followed by detailed bar charts of various types of activities within those components (for example, the charts for Exchange track messages sent, received, and read, separately):

Usage reports page

These are effective ways to track user adoption and see if there are any issues that need addressing. (If there's very little content on your company's main SharePoint team site, and yet usage and the number of files are unusually high, there may be a site collection that someone else created and is using that isn't being tracked by your centralized governance, for instance.)

The Security & compliance option

The protection reports that were at one point under this heading have moved to the Security & Compliance center, and will be discussed in Chapter 8, Understanding Security and Compliance. The auditing reports have moved to the Exchange administration center, and will be discussed in Chapter 4, Administering Exchange Online – Essentials. What's left are reports on Rules and the DLP policies:

The Security & compliance page

Rules are created in Exchange, and the DLP policies are created in the Security & Compliance center, so they will be discussed in more detail in the future chapters mentioned in the preceding paragraph. The reports are on the number of rule and DLP policy matches that have passed through your Office 365 systems within 7, 14, or 30 days, or a custom date range.

Health

The Health component is somewhat unusual, in that all of its subheadings are components of the dashboard, as well, so we have already covered the entire section in the preceding material.