Project recommendation

Microsoft Office 365 Employee Email Investigation

Project summary

Having grown organically over the years, the University of Waterloo’s current email environment is complex. Today, three main email systems are supported: Office 365 Exchange Online (undergraduate students); Connect Exchange on-premises (graduate students, employees, retirees); and Mailservices (alumni). The presence of multiple email platforms, each requiring its own set of implementation and support standards, poses challenges to both clients and the University. Maintaining this varied environment is unnecessarily difficult and costly, and results in inefficient end-user IT support, and a suboptimal experience for both clients and IT support staff.

In November 2018, Information Systems & Technology (IST) started discussions at the University Committee on Information Systems and Technology (UCIST), and the Campus Technology Services Committee (CTSC) regarding the possibility of moving employee email to Office 365. With support from these committees to move forward with this investigation, it was announced to Executive Council June 6, and to the campus community in the June 19, 2019 Daily Bulletin. The project website was announced in the August 15, 2019 Daily Bulletin, which included an online feedback form.

Project recommendation

Between April and November 2019, the project team and technical experts within IST completed an in-depth analysis of this potential migration, which included a successful Information Risk Assessment. Coupled with feedback received from consultations held with other Canadian Universities and Waterloo faculty, staff, computing and other committees, it is the recommendation of this project team that the University move forward with a staged migration of the majority of on-premises employee email to the Microsoft Office 365 cloud environment. It is also recommended that the University retain a small on-premises Exchange service, configured as an Exchange/365 hybrid deployment, to support a relatively small number of users with special requirements.

Microsoft Office 365 provides access to a robust set of productivity and collaboration tools. Moving employee email to the O365 cloud environment would provide employees with an Exchange Online email account, allowing increased access to additional applications and functionality, further leveraging University resources to engage, develop and build our capacity and infrastructure to create a sustainable and effective institution.

Supporting resources

Analysis and consultative resources that have informed this recommendation:

Completion of an Information Risk Assessment that was reviewed and approved, with recommendations, by a representative of the IST Security team and the Secretariat’s Privacy Officer (See full report).
A discussion of lessons learned from other higher education organizations who have deployed O365 email for employees. These schools included: University of Toronto, Queens University, Ottawa University and Western University (See Appendix 1 – Benchmarking with other Canadian universities).
Consultation with University faculties to uncover questions, issues and concerns (See Appendix 2).
Consultation with University staff to uncover questions, issues and concerns (See Appendix 2)
Commonly raised concerns and responses (See Appendix 3)

Campus consultation

Through the online feedback form announced in the Daily Bulletin August 15 and October 10, approximately 30 questions and comments were received from the campus community. Through the eight consultation sessions (see appendices 2 and 3), approximately 60 questions and comments were received from 120 attendees.

The approximately 90 questions and comments fell into several broad themes, as follows:

Theme	Questions & comments	Project team comments
Ease of use, compatibility with existing tools, completeness of functionality compared to current	31	This was the largest single group of types of questions. Our Exchange/365 hybrid deployment, implemented in 2017, provides interoperability between on-premises Exchange and Office 365, and ease of migration. In all cases, apart from uncertainty in support for Thunderbird email client, these questions have been addressed satisfactorily. Thunderbird is covered further in “Recommendations for Implementation” below.
Security and Privacy	16	The project website has been significantly expanded to answer questions around security and privacy. See the “Privacy and the Cloud”, additional questions in the FAQ, and Appendix 3.
Supportive comments for moving to Office 365	8	These were supportive comments, about half and half from faculty and staff.
Opposed to moving to Office 365	5	Comments were a mix regarding Microsoft, cloud concerns, or loss of innovation.
Cost savings, benefits, motivation	6	A benefits of Office 365 section has been added to the project website, and additional information is below.
Other general interest questions not related to above	24	These questions were general about how things worked, and did not indicate a concern, and were answered.

Benefits of migrating to Office 365

Moving employee email to the Office 365 cloud environment offers many benefits to both clients and the University as a whole. These benefits include:

Benefit

Description

Improved service

Moving to the cloud will result in an improved email service with features frequently requested by the campus community. Improvements include:

Enhanced resiliency due to Microsoft’s redundant servers and premier disaster recovery processes.
Automatic updates and patching (tasks that require a significant amount of staff time for on-premises solutions and are prone to error).  
There are several applications that require an Exchange Online account (i.e. Office 365 email in the cloud) including To-Do, Shifts, Bookings, and Power Automate (previously called Flow).  
Exchange Online users have an increased email quota of 100GB compared to the 50GB available on-premises (many accounts regularly hit this quota today).  
Collaboration opportunities in Teams, Stream, and OneNote that only work if both students and employees are on the same email system.

Environmental sustainability

By moving applications to cloud services, the University can take advantage of highly efficient cloud infrastructure, which will aid in a significant reduction of our carbon footprint. Several key factors enable cloud computing to lower energy use and carbon emissions from IT: 

Dynamic provisioning: Reducing wasted computing resources through better matching of server capacity with actual demand.  
Multi-tenancy: Flattening relative peak loads by serving large numbers of organizations and users on shared infrastructure.  
Server utilization: Operating servers at higher utilization rates. 
Data centre efficiency: Utilizing advanced data centre infrastructure designs that reduce power loss through improved cooling, power conditioning, etc.

Information on Microsoft's environmental commitments, policies, and initiatives is available at: https://www.microsoft.com/en-us/corporate-responsibility/sustainability.

Enhanced collaboration for teaching and learning

IST has received many requests from groups across campus to enable applications that would enhance the student experience while supporting teaching and learning. Many of these applications would also be valuable for managing and interacting with student staff. 

To fully realize the potential of these apps and use them more effectively, employees would require an Exchange Online account and employees and students would need to be on the same tenant. Requested applications and functionality include OneNote for Teachers, Stream, Shifts, Bookings, and shared calendars and collaborative editing/file sharing.

Enhanced security

Microsoft has security experts monitoring Exchange Online 24/7 to safeguard our data, and the contract includes a financially backed service level agreement with a 99.9% guaranteed up-time. The University can continue to use the anti-malware and anti-spam filtering products from Proofpoint we already rely on and have the option of investigating Microsoft's Advanced Threat Protection tool in future. Other security features include:  

Data Loss Prevention (DLP) - Allows us to build logic into the email system to ensure University policies are being followed. For example, if someone were to attempt to send a credit card number by email, a DLP policy would pop up to prevent this. We will be investigating the implementation of DLP for Exchange Online.  
Two-factor Authentication (2FA) - Duo 2FA is available today for O365. IST highly recommends enabling 2FA, regardless of whether an individual has a security concern, as it will keep accounts more secure and prevent most issues that arise from hacked accounts via phishing.  
Email encryption - Email encryption is available. The feature ensures that only the sender and the recipient can read the message being sent. By freeing up client support time currently committed to supporting a complex on-premises environment, IST will be able to focus on value-add services like support for encryption, and work with the faculty computing groups to identify those who may need assistance with this. We also have knowledge base articles available for those who would like to set it up themselves.

Important note: Email, whether in the cloud or on-premises, may not be the right tool for certain types of sensitive communications. There are likely cases today where email is being used to communicate highly sensitive information when another platform, such the encrypted messaging tool Signal, would be more appropriate. IST can assist with setting up such tools, as required.

Cost savings

Cost savings are difficult to quantify accurately at this point in time, however, if all employee email moved to the cloud there would be cost savings to the University.

Reduced software licensing – We currently pay for many different software licenses that have duplicate functionality available in O365. While we do not expect that we would be able to transition all of the existing use cases to O365, there is the opportunity to realize significant cost savings for the University if we are able to reduce these additional software licensing expenses over time. An example of this is the recent transition to MS Teams from Mattermost, which resulted in $20,000 saved. Other potential systems to be reviewed as licenses are up for renewal are several hundred thousand annually. If we can move email entirely to the cloud, we will no longer require our Windows server licenses or SCCM licenses for on-premises Exchange, at cost savings of $5,229 annually.   
Reduced dependency on our local data centre – If we were able to move email entirely to the cloud, we would no longer need the hardware we do today to run our on-premises Exchange servers. This would result in a cost savings of $46,621.53 annually.  
Reduced full-time employee count – In moving email to the cloud we anticipate a reduction in FTE that maintain and support email by 1.25 positions, through attrition. If staff in these, or similar, roles retire or move to other positions, we do not expect needing to fill them and thus would save approximately $125,000 annually. IST has considerable experience in careful review of vacancies, and reports savings in FTEs regularly at UCIST. IST also has a number of successful efficient use of resources projects, also reported regularly at UCIST.  
Reduced staff time supporting email – By standardizing our email to O365 in the cloud, we would drastically simplify our current environment. Today, we need to support three different email systems (Mailservices, Connect, and O365) and different email practices for every user group. There is a different troubleshooting process for each, and often for each faculty and academic support unit, resulting in an inefficient support model. We also need to maintain our own documentation on these varying email practices, while O365 documentation is provided. Supporting our current on-premises email systems and practices is expensive and we anticipate significant cost savings in terms of Service Desk staff time by moving to one email system in the cloud. We would then have more staff time to support other University strategic priorities. Through an analysis of our tickets related to Connect and Mailservices, we project an annual savings in the Service Desk area of 0.25 FTE.

Item	Annual cost savings
1.25 FTE	$125,000
Email hardware	$46,621.53
Connect backups	$10,000
Windows server licences and SCCM	$5,229
0.25 FTE Service Desk	$17,500
Total	$204,350.53

Recommendations for implementation

Feedback received throughout this investigation revealed concerns specific to use of certain email clients and the potential impact to University researchers. If the decision to migrate University employee email to the cloud is made, it is the recommendation of the project team that the scope of that work consider the following:

Training on O365 productivity and collaboration tools for all staff

The benefits of moving to email in the cloud are best achieved if employees are aware of these tools and how to use them. Feedback from other universities confirmed that the transition of employee email to the cloud was most successful when ample training and transition support was provided.

Training on privacy and risk management best practices for employees

The Privacy Officer recommends, “With regard to the training and support element, among other things, the campus community should be educated about the difference between the “old” and the “new”.  In particular, given the increased seamlessness, collaboration, sharing, and interconnectivity of services, emphasis should be placed on things such as ensuring appropriate permissions and access (e.g., identified user groups, read-only, password protection of files, etc.), sharing information on a strictly necessary need-to-know basis, awareness of important policies (e.g., Policy 46), reminder of information and privacy practices and resources https://uwaterloo.ca/privacy/.”

Email clients and support for modern authentication

To improve security of accounts, Microsoft announced that as of October 13, 2020, they will no longer support basic authentication (e.g. IMAP).  (As IST deploys two-factor authentication (2FA) broadly across campus IT services in 2020, we’ll be faced with the same issue of IMAP on Exchange, albeit with timing of changes under our control.)
University employees will be able to use any desktop or mobile email client that supports modern authentication. 
Support for Thunderbird is a specific concern and IST is actively tracking developments in this area. Thunderbird users can be accommodated on the on-premises Exchange server, with the understanding that 2FA will eventually need to be addressed in some manner.

Impact on University researchers

For most research contracts, email in the cloud is acceptable because it is as much, or more, secure than the current on-premises email used today. 
The Office of Research approves the use of O365 email and OneDrive file storage for corporate research with industry partners, unless otherwise specifically stated in the contract. 
IST will continue to work with researchers to support unique data privacy needs that may arise with certain contracts. In addition, the recommended privacy and risk training for employees will ensure researchers have the requisite knowledge and tools to ensure their research data is secure.     
IST will also create a suite of proven products to support unique requirements end users may have around data security (e.g. encryption tools, data loss prevention rules).

Moving to a single tenant

A separate but related initiative will move undergraduate student email accounts from their standalone Office 365 tenant to the University employee tenant, which is configured as a hybrid deployment with our on-premises Exchange instance (a tentative plan for this work is targeting spring 2020). This change is important as being on the same tenant will facilitate increased collaboration opportunities between students and employees, especially for applications that require an Exchange Online account (i.e. Office 365 email in the cloud). It will also:
- Provide the “@uwaterloo.ca” email domain to all user groups (i.e. “@edu.uwaterloo.ca” will no longer be used).
- Provide all users, regardless of their affiliation(s) with the University (e.g. an employee who is also a student) with a single email account.

Hybrid Exchange/365 deployment

Our on-premises Exchange, and uwaterloo.ca Office 365 tenant, were configured as an Exchange/365 hybrid deployment in 2017. This provides:

Secure mail routing between on-premises Exchange and Office 365, with a shared domain namespace. Both on-premises Exchange and Office 365 use the @uwaterloo.ca domain.
A unified global address list (GAL), also called a "shared address book."
Free/busy and calendar sharing between on-premises Exchange and Office 365
The ability to move existing on-premises Exchange mailboxes to Office 365, and back.

After undergraduate students are moved from the @edu.uwaterloo.ca to the @uwaterloo.ca tenant, we will be leveraging many of the hybrid deployment features.

If the decision to migrate University employee email to Office 365 is made, accounts can be easily migrated to Office 365 individually, or in groups of any size. Accounts can also be moved back if needed. The migration is expected to take place over a period of two years.

The current Exchange hardware reaches end of support toward the end of 2021. A full replacement of our existing Exchange environment is expected to cost approximately $200,000. However, a small system to support < 100 users with special requirements, without the same level of redundancy as today, would cost a very small fraction of that.

Project costs

There would be no costs associated with this project.

The work to migrate employee email to the cloud would be completed using internal (IST) resources.
Office 365 for employee email is included in the existing Microsoft Campus Agreement (i.e. no new licenses would be required; O365 would continue to be paid for, by virtue of the campus agreement, even if employee email remained on-premises).

Next steps

Upon approval of this recommendation, the project team would create a deployment plan.

Appendices

Appendix 1 – Benchmarking with other Canadian universities 

Between May 27 and June 5, 2019, members of the project team consulted with Queen’s University, Western University, University of Ottawa, and University of Toronto (UofT) to learn more about the approach each institution took when migrating employee email to the cloud, and any lessons learned.

Summary of approach

University	Approach
Queens University	Started with students; then moved employees; had to leave some on prem (no real reason, just reluctance to change), but have gradually reduced that number.  Soon, everyone will be on the cloud.  Staff/ faculty transition – started communicating in November, started syncing in January and then moved them in February over Family Day long weekend. It was all done after that.   If multiple affiliations (E.g. a student and an employee), then 2 accounts.    Everyone is on 1 tenant - 1 email domain @queensu.ca   Everyone is on Microsoft A3 license  Authentication:  Two factor authentication for everyone, Queens is are also disabling IMAP for everyone
University of Ottawa	University of Ottawa on 2 tenants (but one is Google apps)   Multiple accounts – 2 accounts on each tenant if you want 1 email domain (@uottawa)  Many different email systems supported
University of Toronto (UofT)	Student and most faculty/staff email accounts have been migrated to the cloud   Student email accounts migrated in 2010. It took a little more than a year to migrate   Faculty/ staff account migrated in 2017. 10,000 accounts were migrated by end of 2017.   UofT is currently on the A3 license which is sufficient for UofT
Western University	Migration - Started with students; then continued with staff; finished with the migration of faculty   Everyone on 1 tenant, 1 email domain, 1 account

Summary of responses

What worked well?

Smooth over night migration (E.g. at 5pm, email service shut down, after 5pm, migration was kicked-off;   
when faculty/ staff returned in the morning the next day, they had access to their email accounts in the cloud)

What made people move to the cloud? 

Initial reluctance in some cases, diminished after seeing that others had positive experiences in the cloud 
All users eventually moved, after remaining concerns addressed 
Greater concern was disruption during migration and impact to work, than issues with service itself  
We received less pushback than we anticipated  
Eventual decision to proceed

What other benefits have you experienced? 

With O365, no more storage quota (at UofT, the quota used to be 120MB; at the other schools it was 50mb for students, 250mb for staff)  
From a UofT perspective, less hassle for the help desk

How did you support the transition? 

Support was setup to help people update their mobile devices to access their email accounts in the cloud.  Onsite support was also provided 
The strategy to move people to Microsoft products was to identify a piece of functionality that would increase team productivity (e.g. Microsoft Teams for increased collaboration)  
Workshops to learn new tools were provided when required  
Help Desk was the main support for helping people learn the new applications

What were the key success factors for your O365 migration project? 

It came down to a lot of communication (in addition to testing)  
We engaged with users throughout process, provided hands-on help  
For Staff, we setup portable help desk support to help out with features and functions  
We also ran workshops and training sessions. (While these were not popular, they were important)  
Distributed IT folks across staff and faculty. Wanted to make sure the experience was good  
We provided a lot of support during process

What could have gone better? 

We are still competing with some of the tools from other vendors (E.g. Zoom versus Skype, etc.)

What was challenges did you have with the migration? 

Had to wait until Microsoft had a Canadian data centre 
Experienced some issues with syncing data and problems with throttling.  Worked with Microsoft on throttling to move data faster  
Large files would error out so needed to identify people/accounts with large files beforehand  
We also had to think about the number of corrupt files that would halt a batch job  
Many more email accounts and rogue emailing systems were discovered (thousands of email accounts were discovered) – a lot of work went into identifying active accounts vs. email accounts that should be deactivated 
Biggest challenge in calendars – recurring meetings. These were difficult to migrate. Easier to just re-create in new calendar from scratch

Appendix 2 – Campus consultations

Faculty sessions

Consultation sessions were held with each of the Faculties. A summary of their attendance is below.

Faculty	Number of attendees
Environment	10
Applied Health Sciences (AHS)	1
Arts	7
Science	30
Math	14
Engineering	2

Staff sessions

Two staff consultation sessions were held and approximately 60 staff members attended (combined).

Appendix 3 – Responses to commonly raised concerns 

Would IST maintain any on-premises email servers?

Yes, we plan to continue to provide a small on-premises Exchange environment to support a small number of users who have special requirements.

I have concerns about the privacy of my research data. Will Microsoft have access to my confidential work?

The investigation into migrating employee email to O365 in the cloud is predicated on a detailed privacy and security risk assessment, which is available on our website. This was completed with the University’s Privacy Officer Kathy Winter and a Security Analyst representing Information Security Services in IST. The Information Risk Assessment was approved, and it was determined that migrating employee email to O365 meets all the University’s privacy and security policies and guidelines, as well as federal and provincial legislation. 

Further, the contract with Microsoft specifies that we are the data owners and that Microsoft hosts the service, which assures that users own the intellectual property of their data and it is not shared with Microsoft. The specific section related to processing of customer data in the Online Services Terms (i.e. the Office 365 contractual terms) is here: 

Processing of Customer Data; Ownership 

Customer Data will be used or otherwise processed only to provide Customer the Online Services including purposes compatible with providing those services. Microsoft will not use or otherwise process Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide the Online Services to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft licenses to Customer. 

If you would like to investigate Microsoft’s data management policy, including how they treat University data, who owns the data, etc., the relevant links are here: 

The Office of Research approves the use of O365 email and OneDrive file storage for corporate research with industry partners, unless otherwise specifically stated in the contract. For those government research contracts where security clearances are required, university email services, including our on-premises Exchange service, should not be used to store, transmit, or share government classified research data as they have not received government security clearance. If a researcher has or is pursuing a government research contract, IST will ensure IT services are available to meet the environment requirements of the required government security level, including appropriate communication and data storage services.

Could a 3rd-party foreign country (i.e., neither Canada nor the U.S.) demand from Microsoft copies of email messages belonging to a UWaterloo employee who happens to be a citizen of that country, and, in this scenario, would Waterloo know about this?

These types of requests would be handled the same way regardless of whether email is on-premises or in the cloud. Here is Microsoft’s response to this concern: 

At the top level, we redirect law enforcement requests to the customer organization, unless otherwise prohibited by law.  In this case, let’s say MI-6 wants Office 365 data on a particular UW staff member.  Regardless of citizenship, Microsoft redirects MI-6 to the university for the data request.  If MI-6 believes that there isn’t anyone in the university chain of command that can be trusted with this request (i.e. the entire organization is corrupt), then we’d make them prove it.  In cases where criminal organizations are using cloud technology, we have provided access.  If it’s not a criminal organization, we’d likely legally challenge the request, as we’ve done before with US National Security Letters. If MI-6 wanted data on one of your employees, they’d ask the RCMP and/or CSIS, who would require you to provide it and compel you not to speak about it, including to the employee. 

This link provides additional information: https://blogs.microsoft.com/datalaw/our-practices/#what-is-process-disclosing-customer-information-legal 

We do record the number of requests for data, as well as the number of times we reject the request, find no data, or find non-content data.  This is broken out by country and by time period.  It’s worth looking at the Canadian data here: https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report 

In the first half of 2019, we received 115 requests for data that spanned 121 users. This includes corporate users and consumer users. Of the 115 requests, we rejected ~42% and responded to the rest with either no data found, or a non-content data response. 

How would the University/IST handle the General Data Protection Regulation (GDPR)?

There are a very limited number of situations where GDPR applies to Waterloo. When GDPR does apply, there would be no changes in how we operate as we still have control of data in Office 365.

If problems arise or costs go up for O365 email, will it be possible to "repatriate" our email without disrupting users' mail folders and calendars?

Yes, if for whatever reason it was decided to move email back on-premises we would be able to migrate email back to Exchange environment with no disruption to users. Regarding the potential for cost increases, O365 is provided based on our Microsoft Campus Agreement along with other Microsoft services the University relies on, so the cost is already being paid and any changes would entail changes to more than just email.  

Also, adoption of cloud services is not new territory for the University of Waterloo, as the institution has moved 50% of its major information systems to the cloud, and approximately 25% of small systems. As such, there is a significant history and understanding of the changes this model brings, and based on our experience, it is unlikely that license costs would drastically increase over time. 

Project recommendation

Microsoft Office 365 Employee Email Investigation

Project summary

Project recommendation

Supporting resources

Campus consultation

Benefits of migrating to Office 365

Recommendations for implementation

Project costs

Next steps

Appendices

Appendix 1 – Benchmarking with other Canadian universities

Summary of approach

Summary of responses

What worked well?

What made people move to the cloud?

What other benefits have you experienced?

How did you support the transition?

What were the key success factors for your O365 migration project?

What could have gone better?

What was challenges did you have with the migration?

Appendix 2 – Campus consultations

Faculty sessions

Staff sessions

Appendix 3 – Responses to commonly raised concerns

Would IST maintain any on-premises email servers?

I have concerns about the privacy of my research data. Will Microsoft have access to my confidential work?

Could a 3rd-party foreign country (i.e., neither Canada nor the U.S.) demand from Microsoft copies of email messages belonging to a UWaterloo employee who happens to be a citizen of that country, and, in this scenario, would Waterloo know about this?

How would the University/IST handle the General Data Protection Regulation (GDPR)?

If problems arise or costs go up for O365 email, will it be possible to "repatriate" our email without disrupting users' mail folders and calendars?

Appendix 1 – Benchmarking with other Canadian universities 

What made people move to the cloud? 

What other benefits have you experienced? 

How did you support the transition? 

What were the key success factors for your O365 migration project? 

What could have gone better? 

What was challenges did you have with the migration? 

Faculty sessions

Staff sessions

Appendix 3 – Responses to commonly raised concerns 

Could a 3rd-party foreign country (i.e., neither Canada nor the U.S.) demand from Microsoft copies of email messages belonging to a UWaterloo employee who happens to be a citizen of that country, and, in this scenario, would Waterloo know about this?