Microsoft Office 365 Employee Email Investigation

Project summary

Having grown organically over the years, the University of Waterloo’s current email environment is complex. Today, three main email systems are supported: Office 365 Exchange Online (undergraduate students); Connect Exchange on-premises (graduate students, employees, retirees); and Mailservices (alumni). The presence of multiple email platforms, each requiring its own set of implementation and support standards, poses challenges to both clients and the University. Maintaining this varied environment is unnecessarily difficult and costly, and results in inefficient end-user IT support, and a suboptimal experience for both clients and IT support staff.

In November 2018, Information Systems & Technology (IST) started discussions at the University Committee on Information Systems and Technology (UCIST), and the Campus Technology Services Committee (CTSC) regarding the possibility of moving employee email to Office 365. With support from these committees to move forward with this investigation, it was announced to Executive Council June 6, and to the campus community in the June 19, 2019 Daily Bulletin. The project website was announced in the August 15, 2019 Daily Bulletin, which included an online feedback form.

Project recommendation

Between April and November 2019, the project team and technical experts within IST completed an in-depth analysis of this potential migration, which included a successful Information Risk Assessment. Coupled with feedback received from consultations held with other Canadian Universities and Waterloo faculty, staff, computing and other committees, it is the recommendation of this project team that the University move forward with a staged migration of the majority of on-premises employee email to the Microsoft Office 365 cloud environment. It is also recommended that the University retain a small on-premises Exchange service, configured as an Exchange/365 hybrid deployment, to support a relatively small number of users with special requirements.

Microsoft Office 365 provides access to a robust set of productivity and collaboration tools. Moving employee email to the O365 cloud environment would provide employees with an Exchange Online email account, allowing increased access to additional applications and functionality, further leveraging University resources to engage, develop and build our capacity and infrastructure to create a sustainable and effective institution.

Supporting resources

Analysis and consultative resources that have informed this recommendation:

  • Completion of an Information Risk Assessment that was reviewed and approved, with recommendations, by a representative of the IST Security team and the Secretariat’s Privacy Officer (See full report).
  • A discussion of lessons learned from other higher education organizations who have deployed O365 email for employees. These schools included: University of Toronto, Queens University, Ottawa University and Western University (See Appendix 1 – Benchmarking with other Canadian universities).
  • Consultation with University faculties to uncover questions, issues and concerns (See Appendix 2).
  • Consultation with University staff to uncover questions, issues and concerns (See Appendix 2)
  • Commonly raised concerns and responses (See Appendix 3)

Campus consultation

Through the online feedback form announced in the Daily Bulletin August 15 and October 10, approximately 30 questions and comments were received from the campus community. Through the eight consultation sessions (see appendices 2 and 3), approximately 60 questions and comments were received from 120 attendees.

The approximately 90 questions and comments fell into several broad themes, as follows:


Questions & comments 

Project team comments 

Ease of use, compatibility with existing tools, completeness of functionality compared to current 


This was the largest single group of types of questions. 

Our Exchange/365 hybrid deployment, implemented in 2017, provides interoperability between on-premises Exchange and Office 365, and ease of migration. 

In all cases, apart from uncertainty in support for Thunderbird email client, these questions have been addressed satisfactorily.  Thunderbird is covered further in “Recommendations for Implementation” below. 

Security and Privacy 


The project website has been significantly expanded to answer questions around security and privacy. See the “Privacy and the Cloud”, additional questions in the FAQ, and Appendix 3. 

Supportive comments for moving to Office 365 

These were supportive comments, about half and half from faculty and staff. 

Opposed to moving to Office 365 

Comments were a mix regarding Microsoft, cloud concerns, or loss of innovation. 

Cost savings, benefits, motivation 

benefits of Office 365 section has been added to the project website, and additional information is below. 

Other general interest questions not related to above 


These questions were general about how things worked, and did not indicate a concern, and were answered. 

Benefits of migrating to Office 365 

Moving employee email to the Office 365 cloud environment offers many benefits to both clients and the University as a whole. These benefits include: 



Improved service 

Moving to the cloud will result in an improved email service with features frequently requested by the campus community. Improvements include: 

  • Enhanced resiliency due to Microsoft’s redundant servers and premier disaster recovery processes. 
  • Automatic updates and patching (tasks that require a significant amount of staff time for on-premises solutions and are prone to error).   
  • There are several applications that require an Exchange Online account (i.e. Office 365 email in the cloud) including To-Do, Shifts, Bookings, and Power Automate (previously called Flow).   
  • Exchange Online users have an increased email quota of 100GB compared to the 50GB available on-premises (many accounts regularly hit this quota today).   
  • Collaboration opportunities in Teams, Stream, and OneNote that only work if both students and employees are on the same email system. 

Environmental sustainability 

By moving applications to cloud services, the University can take advantage of highly efficient cloud infrastructure, which will aid in a significant reduction of our carbon footprint. Several key factors enable cloud computing to lower energy use and carbon emissions from IT:  

  • Dynamic provisioning: Reducing wasted computing resources through better matching of server capacity with actual demand.   
  • Multi-tenancy: Flattening relative peak loads by serving large numbers of organizations and users on shared infrastructure.   
  • Server utilization: Operating servers at higher utilization rates.  
  • Data centre efficiency: Utilizing advanced data centre infrastructure designs that reduce power loss through improved cooling, power conditioning, etc.  

Information on Microsoft's environmental commitments, policies, and initiatives is available at:

Enhanced collaboration for teaching and learning 

IST has received many requests from groups across campus to enable applications that would enhance the student experience while supporting teaching and learning. Many of these applications would also be valuable for managing and interacting with student staff.  

To fully realize the potential of these apps and use them more effectively, employees would require an Exchange Online account and employees and students would need to be on the same tenant. Requested applications and functionality include OneNote for Teachers, Stream, Shifts, Bookings, and shared calendars and collaborative editing/file sharing. 

Enhanced security 

Microsoft has security experts monitoring Exchange Online 24/7 to safeguard our data, and the contract includes a financially backed service level agreement with a 99.9% guaranteed up-time. The University can continue to use the anti-malware and anti-spam filtering products from Proofpoint we already rely on and have the option of investigating Microsoft's Advanced Threat Protection tool in future. Other security features include:   

  • Data Loss Prevention (DLP) - Allows us to build logic into the email system to ensure University policies are being followed. For example, if someone were to attempt to send a credit card number by email, a DLP policy would pop up to prevent this. We will be investigating the implementation of DLP for Exchange Online.   
  • Two-factor Authentication (2FA) - Duo 2FA is available today for O365. IST highly recommends enabling 2FA, regardless of whether an individual has a security concern, as it will keep accounts more secure and prevent most issues that arise from hacked accounts via phishing.   
  • Email encryption - Email encryption is available. The feature ensures that only the sender and the recipient can read the message being sent. By freeing up client support time currently committed to supporting a complex on-premises environment, IST will be able to focus on value-add services like support for encryption, and work with the faculty computing groups to identify those who may need assistance with this. We also have knowledge base articles available for those who would like to set it up themselves. 

Important note: Email, whether in the cloud or on-premises, may not be the right tool for certain types of sensitive communications. There are likely cases today where email is being used to communicate highly sensitive information when another platform, such the encrypted messaging tool Signal, would be more appropriate. IST can assist with setting up such tools, as required.  

Cost savings 

Cost savings are difficult to quantify accurately at this point in time, however, if all employee email moved to the cloud there would be cost savings to the University. 

  • Reduced software licensing – We currently pay for many different software licenses that have duplicate functionality available in O365. While we do not expect that we would be able to transition all of the existing use cases to O365, there is the opportunity to realize significant cost savings for the University if we are able to reduce these additional software licensing expenses over time. An example of this is the recent transition to MS Teams from Mattermost, which resulted in $20,000 saved. Other potential systems to be reviewed as licenses are up for renewal are several hundred thousand annually. If we can move email entirely to the cloud, we will no longer require our Windows server licenses or SCCM licenses for on-premises Exchange, at cost savings of $5,229 annually.    
  • Reduced dependency on our local data centre – If we were able to move email entirely to the cloud, we would no longer need the hardware we do today to run our on-premises Exchange servers. This would result in a cost savings of $46,621.53 annually.   
  • Reduced full-time employee count – In moving email to the cloud we anticipate a reduction in FTE that maintain and support email by 1.25 positions, through attrition. If staff in these, or similar, roles retire or move to other positions, we do not expect needing to fill them and thus would save approximately $125,000 annually. IST has considerable experience in careful review of vacancies, and reports savings in FTEs regularly at UCIST. IST also has a number of successful efficient use of resources projects, also reported regularly at UCIST.   
  • Reduced staff time supporting email – By standardizing our email to O365 in the cloud, we would drastically simplify our current environment. Today, we need to support three different email systems (Mailservices, Connect, and O365) and different email practices for every user group. There is a different troubleshooting process for each, and often for each faculty and academic support unit, resulting in an inefficient support model. We also need to maintain our own documentation on these varying email practices, while O365 documentation is provided. Supporting our current on-premises email systems and practices is expensive and we anticipate significant cost savings in terms of Service Desk staff time by moving to one email system in the cloud. We would then have more staff time to support other University strategic priorities. Through an analysis of our tickets related to Connect and Mailservices, we project an annual savings in the Service Desk area of 0.25 FTE. 
Item Annual cost savings
1.25 FTE $125,000
Email hardware $46,621.53
Connect backups $10,000
 Windows server licences and SCCM $5,229
0.25 FTE Service Desk $17,500
Total $204,350.53

Recommendations for implementation 

Feedback received throughout this investigation revealed concerns specific to use of certain email clients and the potential impact to University researchers. If the decision to migrate University employee email to the cloud is made, it is the recommendation of the project team that the scope of that work consider the following: 

Training on O365 productivity and collaboration tools for all staff  

  • The benefits of moving to email in the cloud are best achieved if employees are aware of these tools and how to use them. Feedback from other universities confirmed that the transition of employee email to the cloud was most successful when ample training and transition support was provided.  

Training on privacy and risk management best practices for employees  

  • The Privacy Officer recommends, “With regard to the training and support element, among other things, the campus community should be educated about the difference between the “old” and the “new”.  In particular, given the increased seamlessness, collaboration, sharing, and interconnectivity of services, emphasis should be placed on things such as ensuring appropriate permissions and access (e.g., identified user groups, read-only, password protection of files, etc.), sharing information on a strictly necessary need-to-know basis, awareness of important policies (e.g., Policy 46), reminder of information and privacy practices and resources”   

Email clients and support for modern authentication 

  • To improve security of accounts, Microsoft announced that as of October 13, 2020, they will no longer support basic authentication (e.g. IMAP).  (As IST deploys two-factor authentication (2FA) broadly across campus IT services in 2020, we’ll be faced with the same issue of IMAP on Exchange, albeit with timing of changes under our control.) 
  • University employees will be able to use any desktop or mobile email client that supports modern authentication.  
  • Support for Thunderbird is a specific concern and IST is actively tracking developments in this area. Thunderbird users can be accommodated on the on-premises Exchange server, with the understanding that 2FA will eventually need to be addressed in some manner. 

Impact on University researchers 

  • For most research contracts, email in the cloud is acceptable because it is as much, or more, secure than the current on-premises email used today.  
  • The Office of Research approves the use of O365 email and OneDrive file storage for corporate research with industry partners, unless otherwise specifically stated in the contract.  
  • IST will continue to work with researchers to support unique data privacy needs that may arise with certain contracts. In addition, the recommended privacy and risk training for employees will ensure researchers have the requisite knowledge and tools to ensure their research data is secure.      
  • IST will also create a suite of proven products to support unique requirements end users may have around data security (e.g. encryption tools, data loss prevention rules).    

Moving to a single tenant  

  • A separate but related initiative will move undergraduate student email accounts from their standalone Office 365 tenant to the University employee tenant, which is configured as a hybrid deployment with our on-premises Exchange instance (a tentative plan for this work is targeting spring 2020). This change is important as being on the same tenant will facilitate increased collaboration opportunities between students and employees, especially for applications that require an Exchange Online account (i.e. Office 365 email in the cloud). It will also: 
    • Provide the “” email domain to all user groups (i.e. “” will no longer be used).  
    • Provide all users, regardless of their affiliation(s) with the University (e.g. an employee who is also a student) with a single email account. 

Hybrid Exchange/365 deployment 

Our on-premises Exchange, and Office 365 tenant, were configured as an Exchange/365 hybrid deployment in 2017. This provides: 

  • Secure mail routing between on-premises Exchange and Office 365, with a shared domain namespace. Both on-premises Exchange and Office 365 use the domain. 
  • A unified global address list (GAL), also called a "shared address book." 
  • Free/busy and calendar sharing between on-premises Exchange and Office 365 
  • The ability to move existing on-premises Exchange mailboxes to Office 365, and back. 

After undergraduate students are moved from the to the tenant, we will be leveraging many of the hybrid deployment features. 

If the decision to migrate University employee email to Office 365 is made, accounts can be easily migrated to Office 365 individually, or in groups of any size. Accounts can also be moved back if needed. The migration is expected to take place over a period of two years.   

The current Exchange hardware reaches end of support toward the end of 2021. A full replacement of our existing Exchange environment is expected to cost approximately $200,000. However, a small system to support < 100 users with special requirements, without the same level of redundancy as today, would cost a very small fraction of that. 

Project costs 

There would be no costs associated with this project. 

  • The work to migrate employee email to the cloud would be completed using internal (IST) resources. 
  • Office 365 for employee email is included in the existing Microsoft Campus Agreement (i.e. no new licenses would be required; O365 would continue to be paid for, by virtue of the campus agreement, even if employee email remained on-premises). 

Next steps 

Upon approval of this recommendation, the project team would create a deployment plan. 


Appendix 1 – Benchmarking with other Canadian universities  

Between May 27 and June 5, 2019, members of the project team consulted with Queen’s University, Western University, University of Ottawa, and University of Toronto (UofT) to learn more about the approach each institution took when migrating employee email to the cloud, and any lessons learned. 

Summary of approach 



Queens University 

  • Started with students; then moved employees; had to leave some on prem (no real reason, just reluctance to change), but have gradually reduced that number.  Soon, everyone will be on the cloud.  
  • Staff/ faculty transition – started communicating in November, started syncing in January and then moved them in February over Family Day long weekend. It was all done after that.   
  • If multiple affiliations (E.g. a student and an employee), then 2 accounts.    
  • Everyone is on 1 tenant - 1 email domain   
  • Everyone is on Microsoft A3 license  
  • Authentication:  Two factor authentication for everyone, Queens is are also disabling IMAP for everyone   

University of Ottawa  


  • University of Ottawa on 2 tenants (but one is Google apps)   
  • Multiple accounts – 2 accounts on each tenant if you want 
  • 1 email domain (@uottawa)  
  • Many different email systems supported  

University of Toronto (UofT)  


  • Student and most faculty/staff email accounts have been migrated to the cloud   
  • Student email accounts migrated in 2010. It took a little more than a year to migrate   
  • Faculty/ staff account migrated in 2017. 10,000 accounts were migrated by end of 2017.   
  • UofT is currently on the A3 license which is sufficient for UofT   

Western University  


  • Migration - Started with students; then continued with staff; finished with the migration of faculty   
  • Everyone on 1 tenant, 1 email domain, 1 account 

Summary of responses 


Appendix 2 – Campus consultations 

Faculty sessions 

Consultation sessions were held with each of the Faculties. A summary of their attendance is below. 

Faculty Number of attendees
Environment 10
Applied Health Sciences (AHS) 1
Arts 7
Science 30
Math 14
Engineering 2

Staff sessions 

Two staff consultation sessions were held and approximately 60 staff members attended (combined).  


Appendix 3 – Responses to commonly raised concerns  

Back to top