Setting the ground for Microsoft 365 configuration best practices
It is very common for Microsoft 365 customers to request external consultation on how to properly setup a new Microsoft 365 tenant and subscriptions or re-configure their existing subscription(s) according to Microsoft best practices.
This article attempts to put together a Microsoft 365 configuration best practices guide, which accumulates all best practice configuration areas related to Microsoft 365 services.
Microsoft 365 configuration audit areas
Similarly to Azure Advisor and the Azure Well-Architected Framework pillars, the following Microsoft 365 configuration areas should be considered when performing an as-is audit of a Microsoft 365 tenant.
The following sections provide a compilation of Microsoft 365 configuration best practices for each of the above areas.
Reliability is the ability of a system to recover from failures and continue to function. All Microsoft 365 services are highly available and reliable. However, a key question you should consider is whether you require a backup of your Microsoft 365 data. This includes Exchange Online mailboxes, SharePoint Online sites and OneDrive for Business accounts, Teams teams and channels, as well as users and groups created in Azure AD.
First off, you should review the native data protection mechanisms provided by Exchange Online and SharePoint Online. These are presented in detail in the following article: https://stefanos.cloud/exchange-online-and-sharepoint-online-data-protection-mechanisms/. If you need point-in-time restores of your data, or thorough protection against cyber attacks including ransomware, you should definitely invest in a Microsoft 365 backup solution. This can be either a cloud-to-cloud or a cloud-to-on-premises backup solution. Some notable examples of Microsoft 365 backup software applications are the following:
Besides backup and restore, you also need a solid monitoring and technical support team (proactive and reactive) for your Microsoft 365 users. You first need to run a Microsoft 365 health assessment report. Review the following article for step-by-step instructions on how to do this.
Then you also need to have a health monitoring and reporting mechanism for all Microsoft 365 apps and services, as described in the following article: https://stefanos.cloud/kb/how-to-monitor-microsoft-365-service-health-status/.
Security relates to protecting applications and data from threats. You need to take the following design considerations into account to apply best practices.
- Microsoft 365 secure score is a consolidated security score based on Microsoft best practice security configurations for Microsoft 365 tenants. The higher the score, the higher (in theory) your tenant's overall security level. The score comprises a list of improvement actions based on your current security posture. Ensure that you apply the top 10 improvement actions for Microsoft secure score, as described at: https://stefanos.cloud/microsoft-365-secure-score-top-10-improvement-actions/. Microsoft secure score can be viewed from three (3) different places.
- Azure AD secure score for identity: https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/IdentitySecureScoreV2Blade.
- Microsoft 365 security admin center (Microsoft 365 Defender): https://security.microsoft.com/securescore.
- Microsoft Defender for Cloud in the Azure portal: https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/23
- Evaluate the usage of Microsoft 365 Defender, as per the instructions in the following article: https://learn.microsoft.com/en-us/microsoft-365/security/defender/get-started?view=o365-worldwide. Evaluate all features in the Microsoft Security Portal.
- Evaluate all features in the Microsoft Purview Portal (compliance).
- You need to evaluate which method is being used for user and group creation. Do you use provisioning templates for Microsoft 365 user and group creation or not? Which users have the permissions to run provisioning templates or manually provision any user or group in your Microsoft 365 subscription?
- Does your organization have M365 usage policies and procedures?
- Do you have an internal IT help desk team?
- How many accounts within your department have Microsoft global admin rights?
- Do you have clearly defined and monitored goals to measure adoption of Microsoft 365 apps and services inside your organization?
- Do you have control and visibility on the resources which are created in your Microsoft 365 tenant (users, groups, mailboxes, sites, teams, channels, etc)?
- Do you have policies and strategies in place for shadow IT?
- Do you have antimalware alerting policies and procedures in your Microsoft 365 environment?
- Do you have alerting policies for abnormal security incidents?
- How do you manage application and content permissions as well as external sharing and guest access policies in all Microsoft 365 applications?
- Check if you have centralized visibility on all externally shared links.
- Check if guest access and external sharing are automatically enforced based on a team’s or group’s sensitivity.
- Check whether there are procedures to revoke guest access to documents, chats, and resources once the sharing is not needed any longer.
- Check whether there are procedures to review and delete externally shared links which are no longer needed.
- Check if you have a list of all the external collaborators (external and guest access).
- Review the following article for more details on which settings to check in Microsoft 365 admin portal for all Microsoft 365 services, to ensure external and guest access best practices are applied: https://stefanos.cloud/microsoft-365-external-sharing-design-considerations/.
- Do you keep all your Microsoft 365 software up to date?
- Do you apply zero trust principles in your M365 tenant?
- Check the Purview portal (compliance) and the Security portal, and also check the deployment of Microsoft Defender for Microsoft 365.
- Do you have data labels and sensitivity policies? Do you have data encryption and DLP policies?
- Ensure you are aware of Microsoft 365 data residency, especially if you need to achieve compliance with ISO 27001, PCI-DSS, HIPAA or similar certification.
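Two of the questions above (how many accounts hold global admin rights, and whether you have central visibility of external sharing) can be answered from PowerShell. The following is an added example, not code from the original article: `Get-GlobalAdminReport` lists the members of the Global Administrator role via the Microsoft Graph PowerShell SDK, and `Get-ExternalSharingReport` lists every SharePoint Online site with its sharing capability via the SharePoint Online Management Shell. The threshold of four global admins and the tenant admin URL `https://contoso-admin.sharepoint.com` are assumptions to adapt to your organization.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell modules and an interactive admin sign-in.

function Get-GlobalAdminReport {
    param([int]$MaxRecommended = 4)   # assumed threshold, not a Microsoft hard limit

    # Read-only scopes are sufficient for this report.
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All' -NoWelcome

    # Only activated roles are returned here; Global Administrator is always activated.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { throw 'Global Administrator role not found in this tenant.' }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

    $report = foreach ($m in $members) {
        # Members come back as generic directoryObjects; user fields live in AdditionalProperties.
        [pscustomobject]@{
            ObjectId          = $m.Id
            Type              = $m.AdditionalProperties['@odata.type']
            DisplayName       = $m.AdditionalProperties['displayName']
            UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        }
    }

    $count = @($report).Count
    if ($count -gt $MaxRecommended) {
        Write-Warning "$count accounts hold Global Administrator (recommended: 2 to $MaxRecommended, all with MFA)."
    }
    $report
}

function Get-ExternalSharingReport {
    param([Parameter(Mandatory)][string]$AdminUrl)   # e.g. https://contoso-admin.sharepoint.com (assumed)

    Connect-SPOService -Url $AdminUrl

    # Sharing levels in order of increasing exposure. A site can never exceed the tenant level,
    # so sites sitting at the tenant maximum are the ones to review first.
    $rank = @{
        'Disabled'                        = 0
        'ExistingExternalUserSharingOnly' = 1
        'ExternalUserSharingOnly'         = 2
        'ExternalUserAndGuestSharing'     = 3
    }
    $tenantLevel = (Get-SPOTenant).SharingCapability.ToString()

    # Add -IncludePersonalSite $true to Get-SPOSite if OneDrive sites should be covered as well.
    Get-SPOSite -Limit All | ForEach-Object {
        $siteLevel = $_.SharingCapability.ToString()
        [pscustomobject]@{
            Url                  = $_.Url
            Owner                = $_.Owner
            SharingCapability    = $siteLevel
            AllowsAnonymousLinks = ($siteLevel -eq 'ExternalUserAndGuestSharing')
            AtTenantMaximum      = ($rank[$siteLevel] -ge $rank[$tenantLevel])
        }
    } | Sort-Object SharingCapability -Descending
}

# Usage (assumed tenant name):
# Get-GlobalAdminReport | Format-Table
# Get-ExternalSharingReport -AdminUrl 'https://contoso-admin.sharepoint.com' |
#     Where-Object AllowsAnonymousLinks | Export-Csv .\external-sharing.csv -NoTypeInformation
```

The global admin report deliberately includes the `@odata.type` column: a service principal or group appearing in the role is worth a second look, since the question in the checklist is about accounts, not just named users.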
Cost optimization relates to managing costs to maximize the value delivered. You need to consider the following questions.
- Do you monitor extra storage space, for example in SharePoint Online sites as well as any paid add-on licenses? You can review the following site for a full list of features and feature comparison among the various Microsoft 365 licensing plans: https://m365maps.com/matrix.htm.
- Check if you can replace licensed mailboxes with shared mailboxes and distribution lists or Microsoft 365 unified groups.
- Check the resource utilization of each of your licenses and see if you can safely downgrade to a more cost effective plan for some of your licenses.
- Do you have a procedure for Microsoft 365 license optimization and automatic assignment and release of licenses?
- Group-based licensing automatically assigns or removes licenses for a user account based on group membership. Dynamic group membership adds or removes members to a group based on user account properties, such as Department or Country.
- An auto-claim policy lets users automatically claim a license for a product the first time that they sign into an app. As an admin, you typically assign licenses to users either manually, or by using group-based licensing. By using auto-claim policies, you manage the products for which users can automatically claim licenses. You can also control which products those licenses come from.
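The licensing questions above (utilization per plan, and automatic assignment and release of licenses) map directly onto two Microsoft Graph PowerShell operations. The following is an added example, not code from the original article: `Get-LicenseUtilization` compares purchased and assigned seats per SKU so over-bought plans stand out, and `New-DepartmentLicenseGroup` creates a dynamic group keyed on the `Department` attribute and attaches a license to it, so joiners receive the license and leavers release it without manual work. The SKU part number `ENTERPRISEPACK` and the department name `Sales` are illustrative assumptions. Group-based licensing and dynamic groups require an Azure AD Premium P1 license in the tenant.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph module;
# the required delegated scopes are requested in each function.

function Get-LicenseUtilization {
    Connect-MgGraph -Scopes 'Organization.Read.All' -NoWelcome

    Get-MgSubscribedSku | ForEach-Object {
        $purchased = $_.PrepaidUnits.Enabled
        [pscustomobject]@{
            SkuPartNumber = $_.SkuPartNumber
            Purchased     = $purchased
            Assigned      = $_.ConsumedUnits
            Unassigned    = $purchased - $_.ConsumedUnits
            # Percentage of purchased seats in use; low values are downgrade or release candidates.
            UtilizationPct = if ($purchased -gt 0) { [math]::Round(100 * $_.ConsumedUnits / $purchased, 1) } else { 0 }
        }
    } | Sort-Object Unassigned -Descending
}

function New-DepartmentLicenseGroup {
    param(
        [Parameter(Mandatory)][string]$Department,      # assumed value, e.g. 'Sales'
        [Parameter(Mandatory)][string]$SkuPartNumber    # assumed value, e.g. 'ENTERPRISEPACK'
    )
    Connect-MgGraph -Scopes 'Group.ReadWrite.All','Organization.Read.All' -NoWelcome

    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant." }

    # Dynamic membership: Azure AD re-evaluates the rule as user attributes change,
    # so no one has to add or remove members by hand.
    $nick  = "lic-$($Department.ToLower())-$($SkuPartNumber.ToLower())"
    $group = New-MgGroup -DisplayName "LIC-$Department-$SkuPartNumber" `
        -MailEnabled:$false -MailNickname $nick -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule "(user.department -eq `"$Department`") -and (user.accountEnabled -eq true)" `
        -MembershipRuleProcessingState 'On'

    # Group-based licensing: members inherit the SKU; leaving the group removes it.
    Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
    $group
}

# Usage (assumed values):
# Get-LicenseUtilization | Format-Table
# New-DepartmentLicenseGroup -Department 'Sales' -SkuPartNumber 'ENTERPRISEPACK'
```

The membership rule also requires `accountEnabled` to be true, so that disabling a leaver's account is enough to release the seat; the license is removed when the rule next evaluates.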
Operational excellence relates to operations processes which keep a system running in production. Consider the following questions.
- Do you have an automated solution for managing your Microsoft 365 environment? This may involve extended usage of a PowerShell automation framework, usage of a cloud orchestration framework with tools such as Terraform, Chef, Puppet, Ansible or PowerShell Desired State Configuration, or usage of a low-code automation framework such as Microsoft Power Automate.
- Do you have a procedure for monitoring, removing and automatically disallowing the creation of duplicate resources in your Microsoft 365 environment?
- If you are running Microsoft 365 apps inside a VDI solution, refer to the following best practices: https://stefanos.cloud/office365-best-practices-for-itrix-virtual-apps-and-desktops/.
- Do you have an alerting mechanism for inactive or orphaned teams and groups?
- Thoroughly check the configuration of all Org Settings in the Microsoft 365 admin center and adjust according to your organization’s requirements.
- Carry out a similar check for Microsoft 365 integrated apps.
- To get a better understanding of the usage of your Microsoft 365 organization, periodically run and review M365 usage reports and the M365 adoption score. After your org has enabled Adoption Score, it can take up to 24 hours before insights are available.
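The questions about duplicate resources and orphaned teams and groups can be turned into a periodic hygiene report. The following is an added example, not code from the original article: `Find-OrphanedM365Groups` lists Microsoft 365 groups (the groups behind Teams) that no longer have an owner, so nobody can manage their membership or sharing, and `Find-DuplicateGroupNames` flags display names that exist more than once, a common symptom of uncontrolled self-service creation. It uses the Microsoft Graph PowerShell SDK and assumes the `Group.Read.All` delegated scope.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph module.

function Get-M365Groups {
    Connect-MgGraph -Scopes 'Group.Read.All' -NoWelcome
    # 'Unified' is the groupType behind Microsoft 365 groups and Teams.
    Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All `
        -Property Id,DisplayName,Mail,CreatedDateTime
}

function Find-OrphanedM365Groups {
    foreach ($g in Get-M365Groups) {
        $owners = @(Get-MgGroupOwner -GroupId $g.Id -All)
        if ($owners.Count -eq 0) {
            [pscustomobject]@{
                DisplayName = $g.DisplayName
                Mail        = $g.Mail
                Created     = $g.CreatedDateTime
                Owners      = 0
            }
        }
    }
}

function Find-DuplicateGroupNames {
    Get-M365Groups |
        # Normalise case and whitespace so "Project X" and "project x " count as the same name.
        Group-Object { $_.DisplayName.Trim().ToLowerInvariant() } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = $_.Group[0].DisplayName
                Copies      = $_.Count
                Mails       = ($_.Group.Mail -join '; ')
            }
        }
}

# Usage:
# Find-OrphanedM365Groups | Sort-Object Created | Format-Table
# Find-DuplicateGroupNames | Format-Table
```

Ownerless groups are the ones to act on first: an expiration policy or a guest-access review cannot be completed for a team that has nobody to approve it, so assign an owner (or archive the team) before tightening the sharing settings discussed in the security section.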
Performance efficiency relates to the ability of a system to adapt to changes in load. In summary, the following factors should be taken into account in terms of Microsoft 365 application performance.
- Ensure that you have a healthy Microsoft 365 Apps installation, whether on Windows, macOS or a mobile device (iOS or Android).
- Optimize the file size limit for all your .ost and .pst files in Outlook.
- Run the mailbox cleanup and compact tools for all your .pst and .ost files.
- Check that your Outlook setup does not break the software performance limitations and take appropriate remediation actions, if needed.
- If you have a VDI solution with hybrid profiles, such as FSLogix or Citrix Profile Management, consult the profile solution vendor for a profile shrink or compact script that is run periodically, so that the overall disk size of the profile stays relatively low and always within set boundaries.
- Ensure you configure your Windows local group policy or domain group policy to set a proper size for the Outlook Cached Exchange Mode setting.
- If you are using an Exchange Online mailbox which comes with Online Archiving, make use of the Online Archive Mailbox to periodically move old and unneeded emails from the primary mailbox to the online archive mailbox.
- Ensure that you remove as many Microsoft 365 App add-ons as possible.
- Beware of the impact which your local machine or VDI machine hardware specifications might have on the overall Microsoft client performance.
- Test your IP network connectivity to the Internet and to the Microsoft 365 services by utilizing the Microsoft Office Connectivity tool available at https://connectivity.office.com/.
- You should generally consider your on-premises egress and ingress bandwidth and consider a quality of service policy for your email traffic, so that your network does not contribute to poor Microsoft Outlook performance.
- If you are using a VPN connection, ensure that you follow Microsoft’s guidelines on optimizing the VPN traffic.
- If you are using Azure ExpressRoute, consider implementing the Microsoft best practices for M365 users in ExpressRoute architectures.
- To optimize Microsoft Teams in a VDI environment, consult with your VDI vendor and review the Microsoft best practice document for details on how to configure Microsoft Teams in VDI topologies.
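The .ost/.pst size limits and the Cached Exchange Mode sync window mentioned above are both controlled by Outlook policy registry values, which is what the Office ADMX templates write when you set them through Group Policy. The following is an added example, not code from the original article: `Test-OutlookClientPolicy` reports the current values on the local machine against a desired baseline and, with `-Apply`, writes them to the per-user policy hive for testing on a lab or VDI image. The baseline values (20 GB file cap, 18 GB warning, 12 months of mail offline) are assumptions to tune to your profile budget; in production the values should come from your domain or local Group Policy rather than this script.

```powershell
# Added example (not from the original article). Runs on Windows against HKCU; values are
# the ones documented for the Outlook "PST" and "Cached Mode" policy keys (Office 16.0 = 2016/2019/2021/M365 Apps).

function Test-OutlookClientPolicy {
    [CmdletBinding()]
    param(
        [string]$OfficeVersion  = '16.0',   # registry version folder for current Office builds
        [int]$MaxFileSizeMB     = 20480,    # assumed hard cap for .ost/.pst files (MaxLargeFileSize)
        [int]$WarnFileSizeMB    = 18432,    # assumed warning threshold (WarnLargeFileSize); must be below the cap
        [int]$SyncWindowMonths  = 12,       # assumed offline window (SyncWindowSetting); 0 = entire mailbox
        [switch]$Apply
    )
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook"

    # Only these month values are accepted by the Cached Exchange Mode policy.
    $validWindows = 0, 1, 3, 6, 12, 24, 36, 60
    if ($SyncWindowMonths -notin $validWindows) {
        throw "SyncWindowMonths must be one of: $($validWindows -join ', ')"
    }
    if ($WarnFileSizeMB -ge $MaxFileSizeMB) { throw 'WarnFileSizeMB must be lower than MaxFileSizeMB.' }

    $desired = @(
        @{ Key = "$base\PST";         Name = 'MaxLargeFileSize';  Value = $MaxFileSizeMB }
        @{ Key = "$base\PST";         Name = 'WarnLargeFileSize'; Value = $WarnFileSizeMB }
        @{ Key = "$base\Cached Mode"; Name = 'SyncWindowSetting'; Value = $SyncWindowMonths }
    )

    foreach ($d in $desired) {
        $current   = (Get-ItemProperty -Path $d.Key -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        $compliant = ($null -ne $current) -and ($current -eq $d.Value)

        if ($Apply -and -not $compliant) {
            if (-not (Test-Path $d.Key)) { New-Item -Path $d.Key -Force | Out-Null }
            New-ItemProperty -Path $d.Key -Name $d.Name -PropertyType DWord -Value $d.Value -Force | Out-Null
            $compliant = $true
        }

        [pscustomobject]@{
            Setting   = $d.Name
            Current   = if ($null -eq $current) { 'not set (Outlook default)' } else { $current }
            Desired   = $d.Value
            Compliant = $compliant
        }
    }
}

# Report only:
# Test-OutlookClientPolicy | Format-Table
# Apply the assumed baseline on a test machine, then restart Outlook:
# Test-OutlookClientPolicy -Apply
```

Lowering `MaxLargeFileSize` does not shrink an existing .ost; Outlook stops adding to it once the limit is reached, which is why the checklist pairs the size policy with a shorter sync window and the compact tools, so the cached file actually falls back within the profile budget.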
The following article provides a detailed list of recommendations on how to optimize Microsoft 365 application performance.
Microsoft 365 training
Do you have an administrator and end-user training plan in place for Microsoft 365 apps and services?
Microsoft 365 migration best practices
If you are considering migrating to Microsoft 365 services, you should review the most common migration design considerations and best practices, as analyzed in the following articles.
Microsoft 365 technical assessment reporting tools
Last but not least, when evaluating your Microsoft 365 tenant for best practices, you should run and evaluate the reports of the following assessment tools.