
Advanced tenancy customisation services for RM Microsoft 365 services
Published Date : 12 Nov 2013   Last Updated : 23 Jul 2024   Content Ref: NWS3582088  




RM Cloud Service Delivery can assist you with your Microsoft® 365™ federation and Microsoft 365 email migration. For further information, please speak to your Sales representative on 01235 645 316 or email getintouch@rm.com, quoting this article.


You can choose advanced tenancy configuration as one of the educational customisation options when ordering an RM Microsoft 365 service package.

Please find a list of the available Microsoft 365 (M365) tenancy customisation services below:

  • Malware protection.
  • Banned words filtering.
  • Configure dynamic distribution groups.
  • Filtering of emails to other domains.
  • Filtering of emails with attachments.
  • Allow XML email attachments.
  • User roles.
  • Address book policies.
  • Mobile devices policy.
  • Adding proxy/alias accounts in bulk.
  • Disable external sharing for Microsoft OneDrive.
  • Prevent users creating Microsoft 365 groups in the Microsoft 365 tenancy.
  • Configure DMARC, SPF and DKIM for up to three email domains.
  • Modern authentication (if not already enabled).
  • Enforcement of MFA for users with admin privileges.
  • Restrict non-admin users to view-only Azure AD Portal access.

The chosen tenancy configuration is applied to your Microsoft 365 domain during the fulfilment of your RM Microsoft 365 service order.

Note: To apply the required services to the Microsoft 365 tenancy, the administrator credentials of the Microsoft 365 tenancy should be provided.

An overview of each of the Microsoft 365 advanced tenancy customisations can be found below:

Malware protection
To reduce the risk from malware and to supplement the protection provided by Exchange Online Protection, we will enable a transport rule that will be configured to block messages that have attachments with executable content. This will reduce the risk of malware being distributed by email and also reduce the risk of exposure to malware invoked from email attachments.

Banned words filtering
An email filter that rejects emails containing words from a pre-defined list of banned words. The filter works on the receiving end, i.e. users will not be able to receive emails containing banned words.

A distribution group will be created as part of this service and the administrator can add the required users as members of this group. Only members of this group will have the filtering applied.

Configure dynamic distribution groups
These groups can be used in the To field by the users when sending emails within the school's Microsoft 365 tenancy. Once this service is applied:

  • The default dynamic distribution groups are created (i.e. Administrators, All Non-Teaching Staff, All Teaching Staff, All Staff, All Students etc.) based on the user's Microsoft 365 role type.
  • In addition to the above, a maximum of ten distribution groups which are present in the source system can be created in Microsoft 365 and the corresponding members can be added on request. The list of distribution groups and their corresponding members should be provided to create these groups in Microsoft 365. Groups which are present in the source system are not migrated to Microsoft 365 as part of the standard migration process; this service allows the custom distribution groups in the source system to be transferred to Microsoft 365.

Filtering of emails to other domains
A filter that prevents users from sending and receiving emails outside the school's Microsoft 365 domain. This is useful for younger children just getting started with email. It can be used for security purposes as well.

A distribution group will be created as part of this service and the administrator can add the required users as members of this group. Only members of this group will have the filtering applied.
Note: This service will work as expected only if the user accounts in Microsoft 365 are provisioned using RM Unify.

Filtering of emails with attachments
A filter that prevents users from sending and receiving emails with attachments.

A distribution group will be created as part of this service and the administrator can add the required users as members of this group. Only members of this group will have the filtering applied.
Note: This service will work as expected only if the user accounts in Microsoft 365 are provisioned using RM Unify.

Allow XML email attachments
As a security feature, XML attachments are blocked in Microsoft 365 OWA by default. The tenancy configuration service modifies the default Outlook Web App policy so that users can receive XML email attachments.

This is useful if users need to download MIS-related files using OWA.

User roles
The Default Role Assignment Policy grants end users permission to set their Outlook Web App options and perform other self-administration tasks. This tenancy service modifies the Default Role Assignment Policy so that users can view and access only limited features of their accounts.

As an example, the default user role allows users to change their description in the global address list, but the custom roles can prevent this.

Once applied, the service will create additional user roles for staff and administrators. The M365 administrator can then assign user roles to the required users in bulk via the UI.

Address book policies
The address book policies are set so that students can't see teachers in their address book. Use this policy if staff email addresses need to be hidden from students.

Once applied, the service will create address book policies for students and staff. The M365 administrator can then assign address book policies to the required users in bulk via the UI.

Mobile devices policy
Configures the Microsoft 365 default mobile device policy and applies the following settings:

  • A minimum four digit password for connected devices.
  • The password will expire every 90 days.
  • The device will be wiped after ten failed passwords.
  • Password recovery is enabled.
  • Inactivity timer: 15 minutes.
  • Password recycle count: 5.
  • Policy refresh interval: 12 hours.

This protects Microsoft 365 data when users have configured their mobile devices to connect to their accounts. If a user has connected their device to Microsoft 365 and then loses the device, this policy will keep the data secure by enforcing a password policy on the device.
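The settings above map onto properties of the Exchange Online mobile device mailbox policy. The following drift check is an added example, not RM's own script: the function name Compare-MobilePolicyBaseline, the sample policy object and the PasswordEnabled entry are assumptions, and values are compared as strings in Exchange's d.hh:mm:ss time span form.

```powershell
# Added example. Baseline = the settings listed in this article.
$baseline = [ordered]@{
    PasswordEnabled             = 'True'         # assumption: implied by the password rules
    MinPasswordLength           = '4'
    PasswordExpiration          = '90.00:00:00'  # 90 days
    MaxPasswordFailedAttempts   = '10'           # device wiped after ten failures
    PasswordRecoveryEnabled     = 'True'
    MaxInactivityTimeLock       = '00:15:00'     # 15 minutes
    PasswordHistory             = '5'            # password recycle count
    DevicePolicyRefreshInterval = '12:00:00'     # 12 hours
}

function Compare-MobilePolicyBaseline {
    # Returns one row per baseline setting, flagging any value that differs.
    param([Parameter(Mandatory)]$Policy, [Parameter(Mandatory)]$Baseline)
    foreach ($setting in $Baseline.Keys) {
        $actual = [string]$Policy.$setting
        [pscustomobject]@{
            Setting  = $setting
            Expected = $Baseline[$setting]
            Actual   = $actual
            Drift    = $actual -ne $Baseline[$setting]
        }
    }
}

# Constructed sample policy (not real tenant data): the inactivity lock and
# failed-attempt wipe have been relaxed, so two rows should show drift.
$sample = [pscustomobject]@{
    PasswordEnabled = 'True'; MinPasswordLength = '4'
    PasswordExpiration = '90.00:00:00'; MaxPasswordFailedAttempts = 'Unlimited'
    PasswordRecoveryEnabled = 'True'; MaxInactivityTimeLock = 'Unlimited'
    PasswordHistory = '5'; DevicePolicyRefreshInterval = '12:00:00'
}

$report = Compare-MobilePolicyBaseline -Policy $sample -Baseline $baseline
$report | Format-Table -AutoSize
if ($report.Drift -contains $true) {
    Write-Warning 'Default mobile device policy differs from the baseline.'
}

# Against a live tenant (after Connect-ExchangeOnline), replace $sample with:
#   Get-MobileDeviceMailboxPolicy | Where-Object { $_.IsDefault }
```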

Adding proxy/alias accounts in bulk
Once this service is applied, alias or proxy accounts will be added in bulk to all or selected user accounts in Microsoft 365. For example, if users are moving from domain1.com in the source system to domain2.com in Microsoft 365, but require emails sent to domain1.com to be redirected to domain2.com in Microsoft 365, then domain1.com should be added in Microsoft 365 and the old email addresses (e.g. user@domain1.com) should be added as alias accounts to the existing accounts (user@domain2.com) in Microsoft 365.

Also, if the existing email address format needs to be changed in Microsoft 365, the required format can be added as an alias account in Microsoft 365.
This service can do both; for this, the matching list of alias accounts should be provided.

Disable external sharing for Microsoft OneDrive
Configure the following settings in the OneDrive admin center:

  • Turn off the setting 'Let users share SharePoint content with external users'.
  • Turn off the setting 'Let users share OneDrive content with external users'.

Prevent users creating Microsoft 365 groups in the Microsoft 365 tenancy
By default, all users can create new Microsoft 365 groups, including private groups, from the Outlook Web App. You may wish to limit this to specific users or groups of users. It may be that you do not want your Microsoft 365 users, particularly students, to use this functionality, or you may have concerns about groups being used for anti-social behaviour such as bullying by exclusion.

This service will configure a security group and only the members of the security group will be able to create Microsoft 365 groups in apps like Outlook, SharePoint, Yammer, Teams, Planner etc. Admin roles like Global Admin, Exchange Administrator, SharePoint Administrator, Teams Administrator, User Management Administrator etc. are not affected by this configuration and can continue to create Microsoft 365 groups as required.

For more information, please refer to:
https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide

Configure DMARC, SPF and DKIM
Domain-based Message Authentication, Reporting and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing emails. DMARC helps receiving email systems determine what to do with messages sent from your domain that fail SPF or DKIM checks. The RM baseline configuration for DMARC will be set up in simple monitoring mode with a policy of 'None'.
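To see what a monitoring-mode policy means in practice, the following added example (not RM's own code) parses a DMARC TXT record and summarises what receivers are asked to do. The function name Get-DmarcPosture, the school.example domain and the sample records are constructed for illustration.

```powershell
# Added example: summarise a DMARC record's policy and reporting posture.
function Get-DmarcPosture {
    param([Parameter(Mandatory)][string]$Record)

    # Split "tag=value; tag=value" pairs into a lookup table.
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        $name, $value = $part -split '=', 2
        if ($null -ne $value) { $tags[$name.Trim().ToLower()] = $value.Trim() }
    }
    if ($tags['v'] -ne 'DMARC1' -or -not $tags['p']) {
        throw "Not a valid DMARC record: $Record"
    }

    $policy = $tags['p'].ToLower()
    $notes  = @()
    if ($policy -eq 'none') {
        $notes += 'Monitoring only: receivers are asked to take no action on failing mail.'
        if (-not $tags['rua']) {
            $notes += 'No rua tag: no aggregate reports will be sent, so nothing is monitored.'
        }
    }

    [pscustomobject]@{
        Policy    = $policy
        Subdomain = if ($tags['sp'])  { $tags['sp'].ToLower() } else { $policy }  # sp defaults to p
        Percent   = if ($tags['pct']) { [int]$tags['pct'] }     else { 100 }      # pct defaults to 100
        ReportTo  = $tags['rua']
        Enforcing = $policy -in 'quarantine', 'reject'
        Notes     = $notes -join ' '
    }
}

# Constructed sample records (not taken from any real domain).
$samples = @(
    'v=DMARC1; p=none; rua=mailto:dmarc-reports@school.example'   # monitoring with reports
    'v=DMARC1; p=none'                                            # monitoring, no reports
    'v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@school.example'
)
$samples | ForEach-Object { Get-DmarcPosture -Record $_ } | Format-List

# Live lookup on Windows (the domain is a placeholder):
#   $txt = (Resolve-DnsName '_dmarc.school.example' -Type TXT).Strings -join ''
#   Get-DmarcPosture -Record $txt
```

A record that stays at p=none reports spoofed mail but does not ask receivers to block it, so the aggregate reports are what you would review before moving to quarantine or reject.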

Enable Modern authentication in Microsoft 365 (if it is currently disabled)
Modern authentication enables Active Directory Authentication Library (ADAL)-based sign-in for Office client apps across different platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), smart card and certificate-based authentication.

Enforce MFA for users with admin privileges
Enables the baseline conditional access policy for users with admin privileges. Baseline policies are available in all editions of Azure AD. Microsoft is making these baseline protection policies available to everyone because identity-based attacks have been on the rise over the last few years. Enabling this will enforce MFA for all users with admin privileges.

Restrict non-admin users to view-only Azure AD Portal access
By default, even normal users can access the Azure management portal, though they will have only viewing rights. However, this also includes view-only access to Azure AD, so users can see other users, groups etc. in Azure AD. This could be a potential security risk if an attacker gets hold of a normal user's credentials and is able to view the objects in Azure AD. This configuration will restrict access to Azure AD alone, so that only admin accounts will be able to access the Azure AD console.

