Office 365 is becoming increasingly important to companies. One reason is that Exchange Server 2013 now works in hybrid environments in combination with Office 365 without any problems. Administrators can therefore use local Exchange servers and gradually migrate users into the cloud. The cloud solution's security is also important in this context, however, and a few points need to be considered regarding this matter.

Corporations that run Office 365 and Exchange Server 2013 in parallel or want to migrate to Office 365 can use all the same tools from Exchange Server 2013. Microsoft enormously improved the Hybrid Configuration Wizard in Exchange Server 2013 with Service Pack 1 and upgraded the subsequent cumulative updates to CU7. You can connect your local Active Directory (AD) forest to Office 365 using a wizard. It used to be possible only to connect one AD forest and thus just one Exchange organization to each Office 365 client.

However, since SP1 for Exchange 2013, you can join multiple AD forests, each with their own Exchange organizations, in a single Office 365 subscription. Companies can therefore also group distributed Exchange organizations in a common organization. This alone increases security because connectors are no longer needed and fewer administrative accounts and interfaces are required. The backup process is also simpler, and it's easier to keep track of things.

Microsoft also provides instructions for hybrid deployment on TechNet [1], which can help you plan the transition. The certificates in the various AD environments are an important aspect in hybrid deployments as well as in the security field. You need to use a separate certificate from a trusted certification authority in each forest: You can't work with one common certificate for all forests (Figure 1).

Figure 1: The certificates for local Exchange servers play an essential role in the migration to Office 365.

The hybrid deployments require synchronization with the local Active Directory. For this, you can use Microsoft Forefront Identity Manager (FIM) 2012 R2 or, even better, Microsoft Azure Active Directory Connector [2]. The data must be synchronized before you configure the hybrid deployment. You should also set up a single sign-on between Office 365 and the forests based on this synchronization.

Unlocking Intrusion Detection and Firewalls

You should also check the firewall logs when moving mailboxes from local Exchange environments to Office 365. Any problems or deleted packages should appear in the firewalls' logs. Technologies in the intrusion detection and prevention area like to interfere with the network traffic between Exchange and Office 365. This is especially true for businesses that use Microsoft Forefront Threat Management Gateway (TMG).

You should generally enter the IP addresses [3] for the Office 365 servers in your exception lists and trusted subnets for the firewalls. Load balancers often cause problems in this context because connections to Office 365 via the firewall can be lost when IP addresses change. You should define corresponding fixed routes in this area, too.

Keeping an Eye on Email Security

Once you've moved the first users to Office 365, you should make sure to keep an eye on the security of the email environment here, as well. Microsoft provides Mail Protection Reports for Office 365 [4] for this purpose. These reports can be used to prepare reports from Office 365 completely in Excel. You'll need Excel 2013 and .NET Framework 4.5 on your computer to perform an analysis using this tool. After logging on to Office 365, the tool will download the necessary data from the Internet and display comprehensive reports. You can also run separate queries in the table based on days or mailboxes. You have the option to analyze virus attacks and show the most common recipients and senders. Spam messages that were received or sent can also be evaluated in the same way as mailbox rules, Data Loss Prevention (DLP) actions and events, and much more.

Once you've installed the extension on a computer, launch the special Excel table either using the new icon on the desktop or via the C:\ProgramData\Microsoft\MailProtectionReports directory (Figure 2). Then, log in to Office 365 and select the period for which you want to create a report. Mail Protection Reports for Office 365 then loads the necessary data from your Office 365 subscription and displays an evaluation.

Figure 2: Comprehensive analyses can be conducted using the Mail Protection Reports tool for Office 365.

You will see the number of email messages sent and received in your company in the top section. In the bottom section, you will see the most common recipients and senders of email. You can, of course, also look at data with the exact date. You can view current data or create new queries at any time using the Query and Update buttons in the top section. If you have the data you want in the table, you can store the intermediate results.

Right-click Spam to get an overview of spam email and frequent recipients. Additionally, you can also filter email according to DLP rules or virus mail. You just need to click on the appropriate buttons. You'll find different tabs containing this information in the bottom section. The report is part of any comprehensive security analysis in Office 365.

Encrypting Messages

Microsoft has also included functions for encrypting email in Office 365. The encryption works not only within your Office 365 subscription, but also for external companies. Message encryption is included for free in the E3 and E4 license editions of Office 365. Azure Active Directory Rights Management is also part of these editions. This cloud technology contains the functions for Office 365 encryption.

Companies that use the smaller E1 and E2 editions can license the functions for about $2 per user. The corresponding options are in the Office 365 portal. Office 365 automatically encrypts email that meets the criteria based on transport rules:

1. Click Administrator in the web interface and select Exchange .
2. Click mail flow and then rules .
3. Create a new rule using the plus sign. Select Create new rule .
4. Give the rule a name.
5. Select the criteria under which Office 365 should encrypt email in Apply this rule if .
6. Click More options .
7. Select the Modify the message security | Apply Office 365 Mail Encryption option under Do the following .