Managing Licensing In Office 365

Harold Llyod Hanging from Clock

Migrating your Exchange, SharePoint and Lync (or, as it’s now known, Skype for Business) services to Office 365 can be very challenging.  So challenging in fact, that once you’ve leapt all the technical hurdles and your users are reasonably happy (or perhaps ecstatic, let’s be positive!) you may be unprepared for what will probably be one of your most demanding tasks: managing licenses and associated costs.

In my next post, I’ll write in detail about the method I used to decrease a large firm’s license count and, in turn, the bill due to Microsoft.

Until then, here’s an overview of the tools and skills needed:

  • A method for gathering in-depth information about the status of user accounts (i.e., active vs. inactive, license type used, etc.) I’ve found Cogmotivediscussed in this post -to be invaluable
  • Good familiarity with PowerShell (really key to managing large groups of accounts in an intelligent way)
  • An agreed upon workflow for un-licensing and removing dormant or terminated accounts in a timely way

Here’s one of Microsoft’s guides to managing accounts.  It’s informative, but isn’t quite right for admins who need to control very large data sets.

Next time, I’ll walk you through the approach I took.


Data Loss Prevention in Office 365: Part Four

In part three of this mini series on data loss prevention, we examined a PCI policy’s properties in some detail.  Today, we’ll finish our look at this policy.

When we left off, we were examining the options available via the policy’s “Custom content”  option (see screenshot below) –

screenshot one

The custom content option gives you the ability to determine what properties of the examined message will be sent to the DLP report’s recipient:

screenshot two

As you can see, it can get pretty involved.  This feature is not only useful because of what can be included, but also because of what can be excluded.  For example, the details of a message can be removed to preserve privacy while tracking incidents of your DLP rule being triggered.

Note also that actions can be added to create even more sophisticated, compound logic conditions.

And there can also be exceptions:

screenshot three

These exceptions can be very precise, for example:

screenshot four

The remaining properties are shown in the screenshot below:

screenshot five

You can:

  1. Choose the rule’s priority (this determines the priority it receives relative to other rules.  For example, rules with a priority of 0 are processed first, 1 second and so on).
  2. Choose the rule’s severity level – Low, Medium and High
  3. Choose the rule’s mode – Enforce, Test with Policy Tips, Test without Policy Tips.
  4. Choose a date range for the rule to be in-effect (leave this blank to configure the rule to run without date restrictions).
  5. Choose whether or not to use the “stop processing more rules” option (see this Office 365 community blog post regarding when and how to use this)
  6. Choose what component of the (analyzed) message will be examined for the sender’s address – Header, Envelope or both Header and Envelope
  7. Choose which DLP policy the rule-set will be applied to.


Needless to say, we’ve only scratched this topic’s surface. Hopefully this series of posts has given you a good idea of what’s possible and where to look for more information.

Happy hunting!

Data Loss Prevention in Office 365:

Part One.

Part Two.

Part Three.

Oh and it should also be noted that you can (of course) create and modify DLP Policies using PowerShell’s New-DlpPolicy and Get-DlpPolicy cmdlets.