What is an HSM in Office 365’s Azure RMS?

Security is a big focus for Microsoft, especially with Office 365; their enterprise-class data centers are some of the most secure in the world.  Above and beyond data center security, Microsoft has implemented technologies that allow organizations to further secure their data, even from Microsoft themselves.  One way this is done is with Rights Management Services, or RMS.  The mile high explanation for RMS is that it “provides the ability to safeguard sensitive information created using Office applications and services such as email or other memos or correspondence that requires confidential treatment. Rights are assigned to content when it is published and the content is distributed in an encrypted form that provides persistent protection wherever the content travels. Rights that can be assigned include the ability to allow or deny viewing, printing, copying of messages or documents as needed using template-based assignment.” (http://technet.microsoft.com/en-us/library/jj585024.aspx)

“Well, that’s great – but if Microsoft is securing their own data, how does that prevent their own engineers from decrypting the data themselves,” you ask, long-windedly.  That is done by deploying a Thales Hardware Security Module, of course referred to as an HSM.  According to Thales, “Thales nShield HSMs create tight controls around the management and use of the keys used by Microsoft Rights Management Services (RMS)” and “Thales nShield HSMs ensure that your key is always under  your control and never visible to Microsoft. The capability neutralizes the  perception that sensitive data maintained in the cloud is vulnerable because  the cloud can only be a shared service with a shared security infrastructure.”  Thales provides a 3rd party security mechanism to encrypt RMS data, leaving even Microsoft in a position where they need to gain access to the security mechanism in order to decrypt the information – an action that can be logged, with logs that are visible to the tenant owner.


“Okay,” my skeptical reader thinks, “but if Thales is held in the data center, Microsoft can just access Thales to get the key.  Logged or not, they still have access to my data.” Microsoft and Thales are on top of that one, too, by allowing organizations the option of Bring Your Own Key or…you guessed it, BYOK.  Per Thales, “Organizations subscribing to Windows Azure RMS in the cloud can choose to generate and maintain custody of their own key independent of Microsoft”.  This means you have the option to revoke your key, rendering RMS-encrypted data unreadable.  Future capabilities even include the option “lend” your key to Microsoft for short periods of time, meaning that revocation would not need to be proactive; rather, permission would need to be persistent to keep functionality, maximizing security of the data.


So, as you can see, organizations can secure their data, using Azure RMS, from even Microsoft themselves.  This functionality comes “out of the box” with Azure RMS, no added hardware or licensing purchases required.

The images used are from the Thales cloud security solution brief, which can be found/downloaded here: http://www.thales-esecurity.com/msrms/cloud

Exchange Online Mail Protection Reports

Aside from the great reporting options available directly within the Office 365 portal, there is also an Excel add-in that allows administrators to download information directly in to Excel for data manipulation.  Obviously once the data is in Excel, then all of the various options with Office also exist, such as exporting to Word, PowerPoint, etc. and choosing which charts are appropriate for different organizations.


The Mail Protection Report is a separate MSI file, so it needs to be installed separately from Excel. Download it here


After downloading the file, a Setup wizard will be started (with Excel 2013 and .NET Framework 4.5 as pre-requisites):



Whether using Exchange Online or simply using Exchange Online Protection for your on-premises e-mail solution, the reports work the same:






Once finished, you can now open Mail Protection Reports from your Desktop (don’t try to find it simply by opening Excel 2013 – it’s not there).


Install the customization, after which Excel 2013 will open.  From here, select Query to get the admin authentication prompt and then choose your time interval:

MPR-11 MPR-12

You can see that the spreadsheet is blank until authentication is provided.  After entering the username and password, you will see the reports downloading:

MPR-13 MPR-14 MPR-15

Once all the information is imported, you can now navigate between the available tabs within Excel to view available data.  Different traffic types can be selected individually or collectively, and the data available based upon the time interval you selected have the same options (dragging the mouse even works for selecting multiple dates).


All of the standard Excel capabilities are available, as well, so edit and manipulate the data as needed, and then export to the proper reports or save as spreadsheet.

OWA Offline Mode

For organizations wishing to put greater emphasis on OWA use for their employees, network connectivity has always been a concern.  “How can I read my email if the Internet is down and I only have OWA?  I need Outlook for Cached Mode.”  That is no longer true with Exchange Online.  OWA can now be put in to Offline Mode, allowing for the Inbox, Drafts and 5 other folders to be accessible even in the event of a network outage.  Offline Mode can be enabled for any user by clicking through the following setup:

1. Click Offline settings in the user settings

2. Turn on offline access and then move through the 4-step setup/verification by clicking OK


3. Step 1 is verification of that other users can see your email if they access a computer storing your offline files


4. Step 2 is information on how to handle browser requests for more storage


5. Step 3 is a “tip of the day” on how to easily access OWA in an offline state


6. Step 4 is a final confirmation


If you then go back in to your Offline settings, you’ll also find the option to dictate which 5 folders are synched alongside your Inbox and Drafts.  By default, the 5 most recently used folders will be synchronized, but you have the ability to customize this view:



And that’s it!  OWA could potentially replace Outlook as a full-featured tool many years ago, but now it can also withstand a network outage.

Previous versions of Office available in Office 365 for Download

One of the advantages of using Office 365 is that you have always the latest version of Office Pro Plus, which is at this time the Office 2013 version. Until now it was not possible to get the Office 2010 version from the Office 365 Portal.

Now it is! How to get it?

  1. Within the Admin Center,  navigate to Service Settings
  2. Select the User Software section.
  3. Go to “Previous Versions” section that contains Office Professional Plus 2010 and Lync 2010 (both 32 and 64-bit).

This is only available for the Administration, not for the End User

Setting Up Multi-Factor Authentication in Office 365

Office 365 now supports multi-factor authentication “out of the box”.  You can enable users to require additional authentication mechanisms, including a phone call, a text message and an option to support a mobile app. The mobile app is available for Windows, iOS and Android devices, and works similarly to an RSA token in that a 6-digit number is generated every 10-15 seconds.

Once enabled, you can either input additional security information as an administrator or have the user set up their own contact methods.  If this is not done by the administrator, the user will be required to do upon their next login.  Multiple authentication mechanisms are required, in the event that the primary choice is inaccessible/lost.

A couple of additional items to note: