Users Test

User management is a critical administrative task. It is even more significant in an Exchange Online environment, which is characterized by numerous users.

There are many aspects to user management in an Exchange Online setup. The key ones are user password management, user activity management, and the management of user privileges/permissions. To manage user passwords, administrators should be able to alert users to a potential password expiry at least a few days before it actually occurs. For that, the administrators should first track the validity of each user's password closely. User activity management, on the other hand, is about tracking user logins and logouts and understanding whether or not users are actively using Exchange Online. Knowing which users are active and which are inactive helps administrators assess license usage and plan license procurement better. Lastly, by periodically revisiting which user has been assigned what permission in Exchange Online, an administrator gets the opportunity to review usage policies and, if required, reconfigure them. The Users test enables administrators to cover all these aspects of user management.

With the help of this test, administrators can find quick and accurate answers for the following management queries:

  • How many users have been granted administrative rights? Who are they?
  • How many users have been granted 'Send As' and/or 'Send on behalf of' permissions? Who are they?
  • Are there any users for whom ActiveSync is not enabled? If so, who are they?
  • Who are the most inactive users of Exchange Online? When was the last time they logged in? Are there any users who have never logged in?
  • Is any user's password nearing expiry? If so, who are they?

Target of the test : Exchange Online

Agent deploying the test : A remote agent

Outputs of the test : One set of results for the Office 365 tenant being monitored

Configurable parameters for the test

Parameters Description

Test period

How often should the test be executed

Host

The host for which the test is to be configured. By default, this is portal.office.com

Tenant Name

This parameter applies only if you want the eG agent to use Azure AD Certificate-based Authentication for accessing and monitoring an O365 tenant and its resources.

Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. When monitoring highly secure Office 365 environments, you can configure the eG agent to identify itself to a tenant using a valid X.509 certificate, so that it is allowed secure access to the tenant and its resources.

By default, the value of this parameter is none. This means that, by default, the eG agent does not use certificate-based authentication to connect to an O365 tenant.

On the other hand, if you want the eG agent to use this modern authentication technique to securely access a tenant's resources, you should do the following:

  1. Enable Azure AD Certificate-based authentication for the target O365 tenant; this can be achieved manually, via the Office 365 portal, or automatically, using PowerShell scripts we provide. For the manual procedure, refer to Manually Enabling Certificate-based Authentication For an Office 365 Tenant under Microsoft Office 365. For the automatic procedure, refer to Automatically Fulfilling Pre-requisites in a Modern Authentication-Enabled Environment under Microsoft Office 365.

    When enabling certificate-based authentication, an X.509 certificate will be generated for the target tenant.

  2. Configure the Tenant Name parameter with the name of the tenant for which certificate-based authentication is enabled. Using the tenant name, the eG agent will be able to read the details of the X.509 certificate that is generated for that tenant, and use that certificate to access that tenant's resources. To determine the tenant name, do the following:

    • Log in to the Microsoft 365 Admin Center as an administrator.

    • Under Setup, click on Domains.

    • Find a domain that ends with .onmicrosoft.com - this is your Microsoft O365 tenant name.

O365 User Name, O365 Password, and Confirm Password

These parameters need to be configured only if the Tenant Name parameter is set to none. On the other hand, if a valid Tenant Name is configured, then you should set these parameters to none.

For execution, this test requires the privileges of an O365 user who is vested with the View-Only Audit Logs, View-Only Recipients, Mail Recipients, and Mailbox Import Export permissions. Configure the credentials of such a user against O365 User Name and O365 Password text boxes. Confirm the password by retyping it in the Confirm Password text box.

While you can use the credentials of any existing O365 user with the afore-said privileges, it is recommended that you create a special user for monitoring purposes using the Office 365 portal and use the credentials of that user here. To know how to create a new user using the Office 365 portal and assign the required privileges to that user, refer to Creating a New User in the Office 365 Portal under Microsoft Office 365. You can also use eG's proprietary PowerShell script to automatically create a new user, or assign the required privileges to an existing user. To know how to use this script, refer to the Automatically Fulfilling Pre-requisites in a Basic Authentication-Enabled Environment topic.

Domain, Domain User Name, Domain Password, and Confirm Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, in the Domain text box, specify the name of the Windows domain to which the eG agent host belongs. In the Domain User Name text box, mention the name of a valid domain user with login rights to the eG agent host. Provide the password of that user in the Domain Password text box and confirm that password by retyping it in the Confirm Password text box.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of these parameters. By default, these parameters are set to none.

Proxy Host, Proxy Port, Proxy User Name, and Proxy Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, provide the IP/host name and port number of the Proxy server that the eG agent should use in the Proxy Host and Proxy Port parameters, respectively.

If the Proxy server requires authentication, then specify the credentials of a valid Proxy user against the Proxy User Name and Proxy Password text boxes. Confirm that password by retyping it in the Confirm Password text box. If the Proxy server does not require authentication, then specify none against the Proxy User Name, Proxy Password, and Confirm Password text boxes.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of any of the Proxy-related parameters. By default, these parameters are set to none.

Inactive Period

Specify the number of days (before the current date) for which a user should not have logged into Exchange Online for him/her to be counted as an inactive user. The default value is 15 days. This means that by default, any user who has not logged in even once in the last 15 days will be counted as an inactive user.

Password Expire Period

By default, this parameter is set to 5 days. This means that the test will include all those users whose passwords will expire within 5 days in its count of users whose passwords are nearing expiry. You can change this value, if you so need.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 2:1. This indicates that, by default, detailed measures will be generated every second time the test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD Frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test

Measurement Description Measurement Unit Interpretation

ActiveSync enabled users

Indicates the number of users for whom the Exchange ActiveSync protocol has been enabled.

Number

Exchange Online supports the Microsoft Exchange ActiveSync protocol, which synchronizes mailbox data between mobile devices and Exchange Online, so users can access their email, calendar, contacts, and tasks on the go.

Non-active sync users

Indicates the number of users for whom the Exchange ActiveSync protocol has not been enabled.

Number

Use the detailed diagnosis of this measure to view the users who are not ActiveSync-enabled.

Users with 'Send as' permission

Indicates the number of users who have been granted the permission to send mails as the group to which they belong.

Number

A member of an Office 365 Group who has been granted Send as or Send on behalf permissions can send email as the group, or on behalf of the group.

For example, if Allie Bellew is part of the Training Office 365 Group in your organization and has Send as permissions on the group, any email she sends as the Office 365 Group will look like the Training department from your organization sent it.

The Send on Behalf permission lets a user send email on behalf of an Office 365 Group. For example, if Donald Forster is a part of the Marketing Office 365 Group, and has Send on Behalf permissions, any email he sends to the group will look like it was sent by Donald Forster on behalf of Marketing Team.

Use the detailed diagnosis of each of these measures to know which users have been granted Send as and Send on behalf of permissions.

Users with 'Send on behalf of' permission

Indicates the number of users who have the permission to send mails on behalf of a group.

Number

Admin users

Indicates the number of users who have been assigned the Exchange Admin role.

Number

Here are some of the key tasks an Exchange Admin can perform:

  • Recover deleted items in a user's mailbox
  • Determine how long deleted email should be retained before it's permanently deleted.
  • Set up mailbox features such as the mailbox sharing policy: how users can share calendar and contacts information with others outside of your organization.
  • Set up "Send As" and "Send on Behalf" delegates for someone's mailbox. For example, an executive may want their assistant to have the ability to send mail on their behalf.
  • Create shared mailboxes so a group of people can monitor and send email from a common email address.
  • Set up anti-spam and malware filters for the organization.
  • Manage Office 365 Groups

To know which users have been assigned the Admin role, use the detailed diagnosis of this measure.

Active users

Indicates the number of active users of Exchange Online.

Number

By default, any user who has logged into Exchange Online at least once in the last 15 days is considered to be an 'active user'. This is governed by the Inactive Period setting of this test. By default, this parameter is set to 15 days.

Inactive users

Indicates the number of inactive users of Exchange Online.

Number

By default, any user who has not logged into Exchange Online even once in the last 15 days is considered to be an 'inactive user'. This is governed by the Inactive Period setting of this test. By default, this parameter is set to 15 days.

Use the detailed diagnosis of this measure to know who the inactive users are.

Never logged in users

Indicates the number of users who have never logged into Exchange Online.

Number

Use the detailed diagnosis of this measure to know which users have never logged in.

Users password nearing expiry

Indicates the number of users whose password is nearing expiry.

Number

By default, if a user's password is expected to expire in 5 days or less, then that user will be counted as a user whose password is nearing expiry. This computation is governed by the Password Expire Period configured for this test. By default, this parameter is set to 5. Use the detailed diagnosis of this measure to know which users have passwords that are about to expire.
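The sketch below is an added example, not eG Enterprise code. It shows how the Inactive Period and Password Expire Period settings partition a user list into the measures described above, using constructed sample records. The field names, the inclusive treatment of users who sit exactly on a threshold, the separate reporting of never-logged-in users, and the exclusion of already-expired passwords are all assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 30, 12, 0)  # constructed "current time" for the sample

def _user(upn, logon_days_ago, pwd_days_left, activesync, *rights):
    """Build one constructed record; None means 'never logged in' / 'no expiry'."""
    return {
        "upn": upn,
        "last_logon": None if logon_days_ago is None else NOW - timedelta(days=logon_days_ago),
        "pwd_expires": None if pwd_days_left is None else NOW + timedelta(days=pwd_days_left),
        "activesync": activesync,
        "rights": set(rights),  # any of: send_as, send_on_behalf, admin
    }

USERS = [  # constructed sample data, hypothetical field names
    _user("allie@example.onmicrosoft.com", 2, 3, True, "send_as"),
    _user("donald@example.onmicrosoft.com", 40, 60, False, "send_on_behalf", "admin"),
    _user("newhire@example.onmicrosoft.com", None, None, False),
    _user("edge@example.onmicrosoft.com", 15, 5, True),  # exactly on both thresholds
]

MEASURES = ("activesync", "non_activesync", "send_as", "send_on_behalf", "admin",
            "active", "inactive", "never_logged_in", "pwd_nearing_expiry")

def users_test(users, now, inactive_days=15, pwd_expire_days=5):
    """Return {measure: [upn, ...]}; each measure's count is the list length."""
    cutoff = now - timedelta(days=inactive_days)      # oldest logon still "active"
    horizon = now + timedelta(days=pwd_expire_days)   # latest expiry still "nearing"
    out = {m: [] for m in MEASURES}
    for u in users:
        upn = u["upn"]
        out["activesync" if u["activesync"] else "non_activesync"].append(upn)
        for right in sorted(u["rights"]):
            out[right].append(upn)
        if u["last_logon"] is None:
            out["never_logged_in"].append(upn)  # assumption: not also counted as inactive
        elif u["last_logon"] >= cutoff:         # assumption: boundary day counts as active
            out["active"].append(upn)
        else:
            out["inactive"].append(upn)
        exp = u["pwd_expires"]
        # assumption: already-expired passwords are not "nearing" expiry
        if exp is not None and now <= exp <= horizon:
            out["pwd_nearing_expiry"].append(upn)
    return out
```

Tightening `inactive_days` or `pwd_expire_days` moves users between the lists without touching the permission measures, which is why those two settings can be tuned independently of the privilege review.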

The detailed diagnosis of the Non-active sync users measure lists the users who are not ActiveSync-enabled. The last time each such user logged into Exchange Online is also displayed.

Figure 1 : The detailed diagnosis of the Non-active sync users measure

The detailed diagnosis of the Inactive users measure lists the users who are inactive, and the last date/time they logged into Exchange Online.

Figure 2 : The detailed diagnosis of the Inactive users measure

Use the detailed diagnosis of the Users with 'Send as' permission measure to view the list of users who have been granted the permission to send mail as the Office 365 group to which they belong.

Figure 3 : The detailed diagnosis of the Users with 'Send as' permission measure

Use the detailed diagnosis of the Users with 'Send on behalf of' permission measure to view the users who have the right to send mails on behalf of the Office 365 group to which they belong.

Figure 4 : The detailed diagnosis of the Users with 'Send on behalf of' permission measure