As is traditional at this time of the year, it’s appropriate to look back on developments this year to find ways to do better in the future. I’ve spent some time reflecting on five topics I think will influence the operations of Microsoft 365 tenants during 2022. Here goes with my to-do list for the new year. Feel free to disagree!
On-Premises Hell
2021 was not a good year for advocates of on-premises infrastructures. The ongoing efforts of cybercriminals to find and exploit software vulnerabilities went from Solarigate (analyzed in detail by Microsoft’s Alex Weinert at TEC 2021) to the Hafnium attacks against Exchange Server to the Apache Log4j vulnerability. None of the attacks were pretty, and the fall-out was brutally clear in underlining the need for ongoing dedication to protecting on-premises servers. Yes, we can blame software developers, but many successful compromises come about because of a lack of knowledge (like granting consent without understanding what consent does) or incompetence (failing to patch servers for months after vulnerabilities become known). On-premises administration is tough and will become tougher as attackers continue to probe and the cloud sucks engineering investment away from on-premises software. Stay on-premises if you want, but be prepared to work hard to keep things running.
Remember, many Microsoft 365 tenants run in hybrid mode and have on-premises servers. Those servers and the infrastructure in which they run need ongoing maintenance. As a community, we all need to do better during 2022, if only by making sure to apply cumulative updates within a month of their release by Microsoft.
The End of Basic Authentication (for Email Anyway)
Attackers go after cloud services like Office 365 too, but out-of-the-box protection is better, so fewer attacks succeed. That is, unless you insist on allowing people to authenticate with nothing more than a username and password (basic authentication). Microsoft says that 99% of all probing using attacks like password sprays runs into a brick wall when tenants deploy multi-factor authentication, yet still only a minority of Office 365 accounts use MFA. Things might change as Microsoft cranks up the heat during 2022 to finally eradicate basic authentication for many Exchange Online connectivity protocols next October. SMTP AUTH remains an outlier, but its time will come.
Don’t wait for Microsoft to turn off basic authentication. It’s time to move forward and embrace concepts like passwordless authentication and conditional access policies. There’s lots of work to do, from dealing with multi-function devices, programs, and PowerShell scripts which depend on basic authentication to user education. But if there’s one thing you should do straightaway in 2022, it’s to accelerate your tenant’s transition to modern authentication.
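To make the transition concrete, here is an added PowerShell example (my illustration, not code from the original post) that first reports which accounts still sign in with basic authentication, using the Azure AD sign-in log through the Microsoft Graph PowerShell SDK, and then blocks basic authentication in Exchange Online with an authentication policy, leaving a narrow per-user exception for a device that cannot yet be replaced. The tenant name contoso.com, the policy names, and the scanner mailbox are placeholders; the modules, scopes and cmdlets are the real ones.

```powershell
# Added example (not from the original post): report which accounts still sign in
# with basic (legacy) authentication, then block it in Exchange Online.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed,
# the signed-in admin holds AuditLog.Read.All plus Exchange admin rights, and that
# "contoso.com", the policy names and the scanner mailbox are placeholders.

Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

# clientAppUsed values that Azure AD records for protocols that used basic auth.
# Modern-auth clients show up as "Browser" or "Mobile Apps and Desktop clients".
$LegacyClients = @(
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Reporting Web Services", "Other clients"
)

# Azure AD Free keeps sign-in logs for 7 days (Premium P1/P2: 30), so look back 7 days.
$Since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$Report = foreach ($Client in $LegacyClients) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $Since and clientAppUsed eq '$Client'" |
        Where-Object { $_.Status.ErrorCode -eq 0 } |      # successful sign-ins only
        Group-Object UserPrincipalName | ForEach-Object {
            [PSCustomObject]@{
                User     = $_.Name
                Protocol = $Client
                SignIns  = $_.Count
                LastSeen = ($_.Group | Sort-Object CreatedDateTime -Descending |
                            Select-Object -First 1).CreatedDateTime
            }
        }
}
$Report | Sort-Object SignIns -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path .\LegacyAuthSignIns.csv -NoTypeInformation

Connect-ExchangeOnline

# New-AuthenticationPolicy with no -AllowBasicAuth* switch blocks basic auth for every
# protocol. Make it the tenant default so any account without an explicit policy gets it.
$Block = Get-AuthenticationPolicy -Identity "Block Basic Auth" -ErrorAction SilentlyContinue
if (-not $Block) { $Block = New-AuthenticationPolicy -Name "Block Basic Auth" }
Set-OrganizationConfig -DefaultAuthenticationPolicy $Block.Identity

# An account with a documented reason (a scanner that only speaks POP3) gets a policy
# that opens exactly the protocol it needs and nothing else, assigned to that user only.
$Allow = Get-AuthenticationPolicy -Identity "Allow Basic POP Only" -ErrorAction SilentlyContinue
if (-not $Allow) { $Allow = New-AuthenticationPolicy -Name "Allow Basic POP Only" -AllowBasicAuthPop }
Set-User -Identity "scanner@contoso.com" -AuthenticationPolicy $Allow.Identity
# Policy changes can take up to 24 hours to apply; this forces re-evaluation for the account.
Set-User -Identity "scanner@contoso.com" -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# SMTP AUTH is governed separately from authentication policies: off for the tenant,
# re-enabled only on mailboxes that genuinely must submit mail with a password.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity "scanner@contoso.com" -SmtpClientAuthenticationDisabled $false
```

Run the reporting half for a few weeks before applying the blocking half: the CSV tells you which devices, scripts and service accounts will break, and the per-user exception policy keeps the blast radius small while they are fixed. Remember that blocking basic authentication is not the same as enforcing MFA; pair the policy with a Conditional Access policy that requires MFA for the modern-auth clients that remain.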
Teams Goes Native
First announced in March 2021, Microsoft aims to deliver Teams Connect (shared channels) in early 2022. The delay is due to Microsoft needing to sort out all the complexities involved in introducing a new authentication model for cross-tenant federated collaboration. With shared channels, you add individual users or complete teams from another tenant to collaborate in that channel. No guest accounts are necessary because the inbound connections use their native identities. Guest accounts will continue because they’re needed for regular and private Teams channels, Outlook groups, Yammer communities, and so on.
I think that 2022 will pose challenges for Teams tenants as they decide if they want to use shared channels, how they will federate to allow their users to collaborate outside the tenant and accept inbound users in shared channels, and issues like compliance, control over confidential information, governance for shared channels, and more. In other words, Teams Connect is a nice step forward, but don’t expect to turn it on to create a bright new world of collaboration. Like many other software capabilities, features need planning, management, and thought. Be prepared to do this next year.
Everything Costs More
Inflation is rising and so are the costs of Microsoft 365. On a prosaic note, Microsoft will increase the monthly price for many Office 365 and Microsoft 365 products on March 1, 2022. To offset some of the pain of the extra $36/user/year for Office 365 E3 and E5 licenses, Microsoft is bundling Teams audio conferencing into the plans, not that this will make any difference to organizations who prefer Zoom to Teams for their online conferencing. The net result is that it’s time to take a long hard look at the licenses used in your organization to ensure that you’re not wasting money. Make sure to include add-on licenses like Viva Topics, Azure AD Premium, and SharePoint Syntex. Ask if you require all the licenses in your pool and if the right people have the right licenses. Do this review early in 2022 and make sure that you’re ready to negotiate new agreements with Microsoft or whoever provides your licenses.
On a more philosophical note, you might have noted that Microsoft introduced a ton of new features in the areas of compliance, information governance, and information protection in 2021. And then you might have been disappointed that any capability Microsoft can describe as automated requires high-end licenses. Adaptive scopes for auto-label retention policies are a great example.
Like any large corporation, Microsoft must keep Wall Street happy, and extracting higher prices (ARPU, average revenue per user) is important to achieving the kind of results expected by analysts. Expect more nice features for high-end licenses to appear in 2022. If your business is happy with Office 365 E3 or a lower plan, continue as you are, but if some of those new compliance and governance features solve business problems, you should move to Office 365 E5.
The Primacy of the Graph
We’ve been talking about Microsoft Graph APIs for years. In many cases, organizations could ignore the Graph APIs and continue using PowerShell to automate common administrative operations. The situation is changing. First, Microsoft will move to a new license management platform on 30 June 2022. The upshot is that Azure AD PowerShell cmdlets for license management will cease working. Developers must update scripts to use either Graph API calls or the Microsoft Graph SDK for PowerShell (a wrapper around Graph API calls). Second, I see fewer Microsoft development groups bothering to create well-rounded PowerShell modules, complete with good documentation. Even Teams, which has had a PowerShell module for years, experienced multiple problems during 2021 as the developers struggled to upgrade their module to deal with the deprecation of the Skype for Business connector. Third, it’s become common for Microsoft development groups to ask customers to configure tenant settings using a Graph API (the Graph Explorer is a great tool for this purpose).
I don’t see any change in the primacy of the Graph in 2022, so on a very practical level, those who use PowerShell to develop tools to manage Microsoft 365 workloads should make sure that they are fluent in making Graph API calls and handling results in scripts.
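Here is an added PowerShell example (my illustration, not code from the original post) that covers both the license review recommended under Everything Costs More and the move from Azure AD cmdlets to the Graph described above: it inventories purchased versus assigned units per SKU, finds licensed accounts that have not signed in for 90 days, and then swaps one user from Office 365 E3 to E5 with the Microsoft Graph PowerShell SDK, finishing with the raw Graph request the SDK cmdlet wraps. The SKU part numbers are Microsoft’s real ones; alice@contoso.com and the 90-day threshold are placeholders.

```powershell
# Added example (not from the original post): licensing tasks formerly done with
# Set-AzureADUserLicense, done with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed; "alice@contoso.com" and the
# 90-day threshold are placeholders.
# SKU part numbers: ENTERPRISEPACK = Office 365 E3, ENTERPRISEPREMIUM = Office 365 E5.

Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All","AuditLog.Read.All"

# 1. Inventory: purchased versus assigned units per SKU, most unused first.
$Skus    = Get-MgSubscribedSku
$SkuName = @{}
$Skus | ForEach-Object { $SkuName[$_.SkuId] = $_.SkuPartNumber }
$Skus | Select-Object SkuPartNumber,
    @{n='Purchased'; e={ $_.PrepaidUnits.Enabled }},
    @{n='Assigned';  e={ $_.ConsumedUnits }},
    @{n='Unused';    e={ $_.PrepaidUnits.Enabled - $_.ConsumedUnits }} |
    Sort-Object Unused -Descending | Format-Table -AutoSize

# 2. Licensed accounts with no sign-in in 90 days (or none ever) are candidates to
#    reclaim. The filter is an advanced query (needs ConsistencyLevel plus $count) and
#    signInActivity is only returned when asked for by name.
$Cutoff = (Get-Date).AddDays(-90)
$Stale  = Get-MgUser -All -ConsistencyLevel eventual -CountVariable Licensed `
            -Filter "assignedLicenses/`$count ne 0" `
            -Property DisplayName, UserPrincipalName, AssignedLicenses, SignInActivity |
          Where-Object { -not $_.SignInActivity.LastSignInDateTime -or
                         $_.SignInActivity.LastSignInDateTime -lt $Cutoff }
"$($Stale.Count) of $Licensed licensed accounts have not signed in since $($Cutoff.ToShortDateString())"
$Stale | Select-Object DisplayName, UserPrincipalName,
    @{n='LastSignIn'; e={ $_.SignInActivity.LastSignInDateTime }},
    @{n='Licenses';   e={ ($_.AssignedLicenses.SkuId | ForEach-Object { $SkuName[$_] }) -join ', ' }} |
    Format-Table -AutoSize

# 3. Move one user from E3 to E5. Graph takes the adds and removes in a single call and
#    refuses to assign a license to an account with no usage location, so set that first.
$E3   = ($Skus | Where-Object SkuPartNumber -eq 'ENTERPRISEPACK').SkuId
$E5   = ($Skus | Where-Object SkuPartNumber -eq 'ENTERPRISEPREMIUM').SkuId
$User = Get-MgUser -UserId 'alice@contoso.com' -Property Id, UsageLocation, AssignedLicenses
if (-not $User.UsageLocation) { Update-MgUser -UserId $User.Id -UsageLocation 'US' }
Set-MgUserLicense -UserId $User.Id -AddLicenses @(@{ SkuId = $E5 }) -RemoveLicenses @($E3)

# 4. Verify with the raw Graph request the SDK wraps. Set-MgUserLicense above is the
#    same as POST /users/{id}/assignLicense with the body
#    @{ addLicenses = @(@{ skuId = $E5 }); removeLicenses = @($E3) }.
$Details = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$($User.Id)/licenseDetails"
$Details.value | ForEach-Object { $_.skuPartNumber }
```

Two practical notes. The stale-account query needs AuditLog.Read.All and returns signInActivity only for tenants with Azure AD Premium, so check the scope consent before trusting an empty result. And step 3 is where scripts written against Set-AzureADUserLicense usually break when ported: Graph wants the SKU GUID, not the part number, and treats a remove of a license the user does not hold as an error rather than a no-op, so read the user’s current AssignedLicenses before deciding what to remove.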
Five Things to Do in 2022
In summary, my suggested list of 2022 resolutions for Microsoft 365 tenant administrators is:
- Keep your on-premises servers updated.
- Protect users by insisting on modern authentication and MFA everywhere.
- Check your licenses to restrict the impact of cost increases.
- Prepare for a new form of Teams collaboration based on native identities.
- Upgrade your PowerShell knowledge to embrace the Graph.
Now tell me what you plan to do and what important development I’ve missed in my list!
Any recommendations for the best resources to learn about administration through the Graph?
Tony Redmond:
I don’t think there is any specific resource (apart from the Office 365 for IT Pros eBook https://gum.co/O365IT/, of course, but I am biased). We will continue to cover the Graph APIs here as they make sense for practical tenant administration. If you search back through articles for the last year, you’ll find a number of articles that cover the topic.
If only MS wouldn’t require on-premises Exchange Server to manage email properties of accounts in hybrid env… 1st point would be much easier
Thank you, Tony.
How can we convert the existing guest account to shared channel access?
Tony Redmond:
You can’t. You’ll add new members to a shared channel and they will use their existing identities from their home tenant.