Administering Exchange Online
Because Exchange on-premises, Exchange Online, and the Exchange hybrid environment are based on a common set of technologies, the management tools and experience are similar across the different deployment models. The administration tools for Exchange are the following:
2010 SP3 Exchange Management Console (EMC)
Office 365 admin center and the browser-based EAC, including managing Exchange Online Protection (EOP) in the latest release of Office 365 with Exchange Online 2013
Forefront Online Protection for Exchange (FOPE) Administrator Console for Office 365 with Exchange Online 2010
This book does not cover all the intricacies of administering Exchange and messaging; there are dedicated Exchange books for that. Instead, we summarize the different administration tools, focus on the specifics of administering Exchange Online and the Exchange hybrid environment, and introduce you to the new capabilities in Exchange Online 2013.
Exchange Management Console
The EMC serves as a familiar interface for Exchange administrators. To manage Exchange Online through the EMC, you need to maintain an on-premises Exchange Client Access Server (CAS). To use EMC as the administration tool, simply add Exchange Online as a new organization into EMC, as shown in Chapter 11. However, note that there are differences between what you can administer in Exchange on-premises versus Exchange Online, and this is reflected in the EMC. For example, because there is no need for you to manage the server configuration in Exchange Online, the Server Configuration node is not present for the Exchange Online organization in EMC, as shown in Figure 12-36.
Figure 12-36 Difference between Exchange on-premises and Exchange Online in the EMC.
Implementing an Exchange hybrid environment through Exchange 2010 SP3 CAS also provides the capabilities to create and manage the hybrid components as workloads, such as remote mailbox moves and managing the hybrid configuration, as shown in Figure 12-37 and through the tasks covered in Chapters 11 and 12.
Figure 12-37 Using EMC to manage hybrid configuration.
Exchange Online remote Windows PowerShell
A majority of Office 365 Windows PowerShell cmdlets are for Exchange Online, and Windows PowerShell is the recommended approach to managing Exchange. To manage Exchange Online through remote Windows PowerShell, you first need to establish a new session. We use the following base script as a template in the Windows PowerShell ISE:
    #Base script for managing Exchange Online
    Import-Module MSonline
    $cred = Get-Credential
    Connect-MsolService -Credential $cred
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $Session -AllowClobber
    #
    # <Exchange Online Management cmdlets>
    #
    Remove-PSSession $Session
Between the Import-PSSession and Remove-PSSession commands, you can insert the vast array of remote Windows PowerShell cmdlets for Exchange Online.
Exchange Online administration user interface
Another management tool is a browser-based user interface (UI), which takes the form of the Exchange Control Panel (ECP) or the Exchange admin center (EAC), depending on which release of Office 365 your organization is using. One of the key new capabilities in Exchange is Role Based Access Control (RBAC). RBAC provides the ability to delegate administrative tasks, some of which may be handled by non-technical personnel. For example, the responsibility for conducting electronic discovery (eDiscovery) should belong to compliance or legal personnel. Therefore, there is a need for an easy interface to manage such functions without having to distribute special administrative software or grant excessive administrative privileges.
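To check that delegation stays as narrow as the paragraph above intends, the following added example (not from the book) lists every account that effectively holds an eDiscovery-related role and the role group through which it was granted. It reuses the connection settings of the base script; the role names Mailbox Search and Legal Hold and the cmdlets Get-ManagementRoleAssignment and Group-Object do not appear in this chapter, so verify the role names in your tenant.

```powershell
# Added example: review who can effectively run eDiscovery in Exchange Online.
# Connection settings are the ones from the base script; try/finally makes sure
# the remote session is closed even if a cmdlet fails.
$cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $cred -Authentication Basic -AllowRedirection
try {
    Import-PSSession $Session -AllowClobber | Out-Null

    # Assumed role names: the built-in roles that grant search and hold rights.
    $discoveryRoles = 'Mailbox Search', 'Legal Hold'

    # -GetEffectiveUsers expands role groups into the individual accounts
    # that receive the role through them.
    $holders = foreach ($role in $discoveryRoles) {
        Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
            Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
            Select-Object Role, RoleAssigneeName, EffectiveUserName
    }

    # One row per account: which roles it holds and via which role group.
    $holders | Group-Object EffectiveUserName | ForEach-Object {
        [pscustomobject]@{
            User       = $_.Name
            Roles      = ($_.Group.Role | Sort-Object -Unique) -join ', '
            GrantedVia = ($_.Group.RoleAssigneeName | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object User | Format-Table -AutoSize
}
finally {
    # Always release the remote session.
    Remove-PSSession $Session
}
```

Accounts that appear here but are not compliance or legal personnel are candidates for removal from the granting role group.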
Exchange Control Panel
The ECP is hosted and accessed through the OWA. Accessing the ECP through OWA was covered earlier in this chapter. Figure 12-38 shows the ECP UI.
Figure 12-38 The ECP user interface.
Along the left side of the ECP is the navigation pane that groups the administrative functions. Figure 12-38 shows the administrative capability to manage mailboxes, distribution groups, and external contacts. Additionally, you can access the E-Mail Migration wizard on the Users & Groups page.
RBAC and compliance management capabilities are located on the Roles & Auditing page. A number of RBAC roles are available out of the box, as shown in Figure 12-39. However, you can modify the scope of each role’s capabilities and create new RBAC roles.
Figure 12-39 Roles & Auditing page in the EMC.
As mentioned earlier, we will leave the detailed administration of Exchange to other resources. However, before we leave this topic it is important to note that you can perform the majority of daily administrative functions through the ECP. As you explore the UI, notice that it is designed to be user friendly so that even non-technical administrators, such as the compliance and legal professionals we identified earlier, can perform administrative tasks.
At this point, we will leave the ECP and move on to discuss Forefront Online Protection for Exchange (FOPE).
Forefront Online Protection for Exchange administration
FOPE is responsible for email protection in Exchange Online 2010 and is a separate interface that is launched through the ECP. From the ECP, select Mail Control and click Configure IP safelisting, perimeter message tracking, and e-mail policies, as shown in Figure 12-40.
Figure 12-40 Accessing FOPE from the ECP.
This will start the FOPE administration interface, as shown in Figure 12-41. The FOPE administration interface provides statistics on mail hygiene and enables you to create reports, track messages, and create mail-handling policies.
Figure 12-41 FOPE administration interface.
Your core activity in FOPE is the creation of mail policies. Follow these steps to see how mail policies are created and maintained in FOPE:
1. From the FOPE administration console, click the Administration tab, and then select Policy Rules.
2. Click New Policy Rule located under Tasks.
3. Set the domain scope, set the traffic scope, and select the policy’s action, as shown in Figure 12-42.
Figure 12-42 New FOPE policy.
4. Provide settings for the Expiration date field, if applicable, and determine if you want to send notifications whenever this rule is triggered.
5. In the Match pane, define the data patterns that would lead to the triggering of this policy. As you can see, you have the option to match by header, sender, and recipient IP addresses, domains, or e-mail addresses, attachment, subject, body, and message properties.
6. Click Save Policy Rule on the Actions pane to save this policy.
As with the ECP, there are other administrative functions for FOPE that we will let you explore on your own. This section serves only as an introduction to FOPE administration. We will now move on to look at the Exchange admin center (EAC).
Exchange admin center
The EAC is the successor to the ECP in the latest release of Office 365 and, like the ECP, it is a browser-based interface that organizes administrative functions into groups, as shown in Figure 12-43.
Figure 12-43 The EAC.
The main difference between the ECP and the EAC is the introduction of several new capabilities in Exchange Online 2013 and the respective administration functions that are exposed in the EAC. One of the new capabilities is Data Leakage Prevention (DLP) that is located on the Compliance Management page, as shown in Figure 12-44.
Figure 12-44 Data loss prevention in the EAC.
Prior to the latest release of Office 365, you had to rely on on-premises DLP solutions and have Exchange Online route all email through that solution. With the latest release of Office 365, Exchange Online 2013 provides DLP capability. You can create content triggers that rely on ISO-based templates to recognize data patterns. ISO stands for the International Organization for Standardization and is the internationally recognized entity that develops and publishes international standards. Following are a few examples of the included DLP templates:
U.S. Health Information Portability Act (HIPAA)
U.S. Personally Identifiable Information (PII)
U.S. Social Security Act
U.S. Financial Information
There are international DLP templates included as well. To see the full list of DLP templates, click the + icon, as shown in Figure 12-44, and then select New DLP policy from template from the drop-down menu. For example, if we create a DLP policy based on the HIPAA template and name the policy HIPAA Rules, this rule will show up in the DLP list of policies. At the same time, the corresponding rules that dictate how to handle emails that trigger this policy will be created in the mail flow section, as shown in Figure 12-45. Notice that you have the granular ability to define actions such as whether to allow overrides, different handling for internal versus external recipients, and how attachments should be handled. You can clear the box next to a rule to disable it or delete it altogether if it does not apply.
Figure 12-45 DLP policy and the corresponding mail flow rules.
The new DLP feature is an important addition to Exchange Online because it further enhances the service by providing another built-in mechanism to prevent the accidental disclosure of sensitive information through email.
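The same template-based policy can be created from remote Windows PowerShell. This is an added example, not from the book: it assumes the Exchange Online session from the base script is already imported, and the cmdlets Get-DlpPolicyTemplate, New-DlpPolicy, Get-TransportRule, and Set-DlpPolicy are not named in this chapter. It creates the HIPAA Rules policy in audit mode first, so the generated mail flow rules can be reviewed before they act on mail.

```powershell
# Added example: run between Import-PSSession and Remove-PSSession of the base script.
if (-not (Get-Command New-DlpPolicy -ErrorAction SilentlyContinue)) {
    throw 'Import the Exchange Online remote session before running this script.'
}

# Look the template up by keyword instead of hard-coding its display name,
# which can differ between releases and languages.
$template = Get-DlpPolicyTemplate |
    Where-Object { $_.Name -like '*HIPAA*' } |
    Select-Object -First 1
if (-not $template) {
    throw 'No HIPAA DLP template is available in this tenant.'
}

# Audit mode: rules are evaluated and logged, but messages are not blocked.
New-DlpPolicy -Name 'HIPAA Rules' -Template $template.Name -Mode Audit

# List the mail flow rules the template generated for this policy.
Get-TransportRule -DlpPolicy 'HIPAA Rules' |
    Sort-Object Priority |
    Format-Table Name, State, Mode, Priority -AutoSize

# After reviewing the audit results, switch the policy to enforcement:
# Set-DlpPolicy -Identity 'HIPAA Rules' -Mode Enforce
```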
Exchange Online Protection
Exchange Online Protection (EOP), the successor to FOPE, does not have a separate user interface. EOP administration is now fully integrated into the EAC through the protection page, as shown in Figure 12-46.
Figure 12-46 EOP management incorporated into the EAC.
As with the other administration tools, we will not go into the details of administration and instead will continue in the following sections to look at other new capabilities of Exchange Online.