PennO365 IT Provider Guide

Eligibility for ProPlus Accounts

PennO365 ProPlus eligibility grants access to the Microsoft ProPlus applications.  (Additional steps are needed to have a PennO365 email account and are outlined below.)

Eligibility for a PennO365 account is based on 3 things.  To be eligible for a PennO365 account, the following must exist:

A PennCommunity record with a PennKey username

The PennCommunity record is either created automatically from a source system (Workday for Staff/Faculty or SRS for Students) or entered manually.   The PennKey username is typically set up by the user.

If the PennCommunity record is entered manually, the user will need to be added to the school/center's UsersFunctional group in ARS to be eligible for a PennO365 license.

At least one active eligible affiliation

At least one PennO365-eligible affiliation has to exist for the account and this affiliation has to be in active status.  The account can have multiple active affiliations; as long as one of the active affiliations qualifies the account for PennO365, it will be eligible.

An eligible center affiliation

The center affiliation will automatically transfer over for accounts created in Workday or SRS.  If the account was entered manually, or if the PennO365 account is being sponsored and managed by a different school or center then the original one, then the account will have to be added to the correct UsersFunctional group in ARS.

Eligibility for ProPlus+Mailbox Accounts

Eligibility for PennO365 email requires that all of the PennO365 ProPlus eligibility criteria are met in addition to the following:

School/center participation in PennO365 Email

Participating in PennO365 Email is at the discretion of the school or center.   For various reasons, some schools and centers do not issue PennO365 email accounts.

Mailbox license

If the account is eligible for a PennO365 account based on the criteria above, it can be assigned a mailbox license in the ARS application.

Persons in Penn Community with the following active affiliation codes are eligible for a PennO365 account. Affiliations are a form of association to the University, and Penn Community can store multiple affiliations for a person.

[1] These affiliations are derived from employment records in the University's Workday system.

[2] These affiliations are derived from enrollment records in SRS.

[3] These affiliations are derived from records manually entered into PennCommunity. They are eligible for PennO365 but will only have access if the account is added to the UsersFunctional group in ARS. 

[4]  An ERF affiliation is only eligible for PennO365 if they are Emeritus faculty.   Emeritus faculty are indicated by a job classification in the job family of either "Emeritus,"Tenure" or "Clinician Educator" in Workday.

NOTE: Non-emeritus Retired Faculty (ERF) and Retired Staff (RTSF) are no longer eligble affiliations as of November 15, 2018.

PennO365 offers 4 different kinds of account types. See this page for a breakdown of the types and attributes.

ARS (Active Roles Server) is the key tool to manage PennO365 mailboxes.  Please see the ARS FAQ for detailed instructions.

Several steps are needed to create an email account for someone prior to the actual start date.

1. The local PennKey Administrator adds the new member to PennCommunity with an eligible affiliation.
2. The new person (or proxy) completes the PennKey registration process.
3. The LSP adds the account to their UsersFunction group via ARS.
4. The LSP enables the mailbox via ARS.

IMPORTANT: Changes to accounts take approximately 30 minutes to fully propogate.

Microsoft may block an email account that seemed to be sending a large volume of email marked as spam or engaging in other suspicious behavior.  To unblock the account:

1. Change the user's PennKey password. If not already enrolled, encourage the user to enroll in Two-step Verification to better protect their PennKey.
2. Change the user's Windows and/or Mac login password(s).
3. Check the user's mailbox for any unauthorized mailbox forwarding rules.
4. Do a malware scan of the local computer(s) used by this user.
5. After completing the above 5 steps, submit a request to ISC Client Care, help@isc.upenn.edu, to have the account unblocked.

If an account loses any of the criteria needed for it to be PennO365-eligible, it is flagged for deprovisioning. The account will still be functional but will show up in deprovisioning reports.

After 60 days, it will be deprovisioned.   At that time, it is inaccessible and will not receive new mail.

After 30 more days, the account is permanently deleted and cannot be retrieved.

Sometimes a person separates from the University but the department needs for their email account to continue to function.  See this page for special considerations related to mail access and retention, and contentious separations.

1. Give the person an appropriate affiliation in PennCommunity.
2. Wait for 15-20 minutes for the PennCommunity information to sync with PennO365 and for autoprovisioning to complete.
3. Add the account to your school/center's UsersFunctional group if the autoprovisioning did not allow you to manage the account.
4. Use ARS to mailbox enable the person as usual.
5. Wait for up to an hour for all stages of mailbox enablement and licensing to complete.

If you want the contents of the old mailbox to be attached to the newly reinstated account, you must reinstate the account within 30 days of deprovisioning.

When the Deceased Flag is added to an account in PennCommunity, PennCommunity inactivates all affiliations causing the account to be flagged for deprovisioning.

During the standard 60-day grace period that follows, the LSP can administer the account as normal. Many of the same considerations will exist as with standard user separation accounts. However, at the end of 60 days, the account will be deleted and unrecoverable. (This is unlike standard accounts that will still be able to be recovered for 30 more days.)

To prevent the account from being deleted, LSPs can request an extension to the account by submitting a ticket requesting a deceased override. This will preserve the account for 6 months (unless a different time frame is specified in the request). During this time, sign-ins to the account will be blocked, but the LSP will be able to manage the account and assign delegates to retrieve needed data. At the end of 6 months or the requested time frame, the account will be deleted and not recoverable.

Mailbox Size Limits

The maximum size for mailboxes in PennO365 is 100GB for user accounts and 50GB for shared accounts. Microsoft has its own Exchange Online Limits that set the cap of what can be made available in the PennO365 tenant.

Mailbox Size Increases via Online Archive with Auto-Expanding Archive

The PennO365 mailbox size limits are the largest allowed by Microsoft so they cannot be expanded outright; However, turning on the auto-expanding archive allows the account to be larger than 100GB. Online archiving expands the account to 110GB and then auto-expands by increments of 10GB until the archive reaches 1.5TB.

After online archiving is turned on, retention policies must be applied to the mailbox folders. See the section below about Online Archining.

Online Archiving can be requested by IT Support via the O365 tile in Support Center.

Managing Mailbox Size

When possible, we suggest that users manage the size of their mailboxes. Some options for mailbox management include:

• Deleting unneeded emails
• Emptying the Deleted Items folder on a regular basis
• Setting Outlook to empty the Deleted Items folder upon exit
• Using online file-sharing tools to share large files/attachments

Restrictions on Numbers of Items in Mailbox Folder

Once a folder in the mailbox gets to 100,000 items, performance may be degraded. It is the best practice to check the item count when inconsistent or unusual problems are reported with the PennO365 mailbox.

Viewing Number of Items in Folders

OWA: Click the gear in the top right; Scroll to the bottom of the menu and click View all Outlook settings; Go to General, then Storage

Outlook, Status Bar: Right-click the Status Bar and check Items in View

Outlook, Beside Folder Name: Right-click the folder and click Properties; On the General tab, select Show total number of items

Summary

When a mailbox reaches its mailbox quota (see the section above), the account will be set up to use the Online Archive with auto-expanding feature. The user and their IT Support will receive an email notification when the account is nearing its maximum size.

After enabling the Online Archive, the archive must be activated by manually assigning retention policies to mailbox folder(s). This will initiate the process of moving data to the online archive folder.

The online archive allows for a total of 1.5TB of additional storage. Please work with your client to apply archive policies appropriate to their business needs.

Assigning Retention Policies

1. Login to the user's webmail or the New Outlook version of the Outlook Desktop application.
2. Right-click on the folder for which the user wishes to apply a retention policy,
3. Select the appropriate policy to apply. 

After the new retention policy is applied to the mailboxes, it can take up to seven days for the new retention settings to start working. This is because a process called the Managed Folder Assistant processes mailboxes at least once every seven days.

Focused Inbox helps you focus on the emails that matter most to you. It separates your inbox into two tabs: Focused and Other. Your most important emails are on the Focused tab while the rest remain easily accessible but out of the way on the Other tab. You’ll be informed about email flowing to Other, and you can switch between tabs at any time to take a quick look.

How does Focused Inbox work?

Focused Inbox works with you to prioritize what's most important. What lands in Focused Inbox is based on the content of the email (e.g., newsletters, machine-generated email, and so on) and who you interact with most often. If you need to fine-tune your Focused Inbox, Move to Focused and Move to Other options are available to do that.

Refer to Microsoft's Focused Inbox for Outlook page for more information.

The PennO365 environment does not store mail or calendar data on-premise. This data is now stored on Microsoft servers off-premise.  Microsoft does not offer comprehensive, service-level data recovery tools. Instead, Microsoft provides Recover Deleted Items, a self-help tool which enable users to restore their own email and calendar within 28 days.

ISC recommends deleted item recovery be done in Outlook on the Web. 

Deleted Items Process

Deleted Items is the folder containing mail, calendar events, contacts, or tasks the user has deleted. Items remain in the Deleted Items folder for 30 days, after which they are moved to the Recoverable Items folder.

Recoverable Items (formerly known as the Dumpster) is a hidden folder where items are moved when a user performs one of the following actions:

• Deletes an item from the Deleted Items Folder
• Empties the Deleted Items folder
• Permanently deletes an item with Shift+Delete

Items remain in the Recoverable Items folder for 14 days, after which they are permanently deleted and irrecoverable – even by Microsoft. From the time an item is deleted by the user, they have 44 days total before the item cannot be recovered.

Recovering Deleted Items

There are two folders to recover items from, Deleted Items and Recoverable Items. How the user recovers an item depends on which folder the item is in.

To recover an item in Deleted Items:

1. Log in to Outlook on the Web.
2. Navigate to the Deleted Items folder.
3. Right-click on the item(s) to be recovered, select Move, then the destination folder. (Note: mail can only be moved to a mail folder, Contacts to the Contacts folder, calendar events to the Calendar folder, etc.)

To recover an item in Recoverable Items:

1. Log in to Outlook on the Web.
2. Right-click on the Deleted Items folder, select "recover deleted items…"
3. Select the item to recover and click Recover. The item is moved to the default location for its type (e.g., email is moved to user’s Inbox, calendar events are moved to user’s Calendar, etc.)

Email delivery is not instantaneous, and delivery times up to five minutes are considered reasonable in Penn's complicated email environment. Factors like inbound and outbound sanitation services, number and size of attachments, message content and format, and the number of recipients can all affect the delivery time of a message.

If you think there is an unreasonable delay in delivering an email message, please consider the following before reporting it to ISC:

• Please allow at least 5 minutes for the message to appear.
• If there is an attachment or any unusual content in the body of the message, please increase that wait time to at least 15 minutes.

If the message doesn't arrive after 30 minutes, follow the troubleshooting and reporting steps below.

Compose messages in plain text or HTML, not RTF. Formatting messages in RTF adds an invisible attachment (winmail.dat) to outbound messages, increasing the size of the message.

If sending an attachment over 10MB, consider uploading the file to a cloud-based storage service like Microsoft OneDrive or Penn+Box, and share a link to the document instead.

If sending to many recipients, consider using a mailing list service like PennNet Mailing Lists, or some other method to distribute your message (Teams, a website, etc...).

If a client is reporting a problem with email delivery, please ask them to provide the following information:

• Is this a problem with receiving email at Penn or sending email to Penn?
• Has the recipient checked the Junk folder?
  • If the email was sent to Penn you can use the Junk mail reporting process to report this problem.
  • If the email was sent to an external email recipient, we will need additional information as outlined below.
• For email unexpectedly going to Junk:
  • How was the message sent?
    • Using an email client, such as PennO365 Outlook or Outlook on the Web?
    • Via PennNet Mailing Lists?
    • Using a third-party vendor or other methodology:
      • Has the third-party vendor or alternative process been configured with the correct DNS records [link to 3rd party page]?
• For unexpected bounces or other non-delivery reports (NDR):
  • Please have the client attach the bounce message as a saved message.
• For all email delivery problem reports, please indicate:
  • What was the time frame of the sent message? A precise timeframe (preferably within a 30-minute window) is important for timely resolution of any potential issue.
  • What is the subject of the email?
  • What is (are) the recipient(s) address(es)?
  • What is the sender’s email address?

A description of our email hygiene rules can be found here (PennKey authentication required). Note that these rules include blocking of emails with executable content. Messages with such content do not generate an NDR and will be discarded silently by the message sanitation service.

When reporting mail delays, please be aware that we must have all pertinent information as soon as possible. If we have to escalate the issue to our mail sanitation vendor, we must adhere to their service requirement of reporting such delays within a 5-day window.

When reporting PennO365 email problems, it's often helpful to have the full message headers of an email message. Full message headers help PennO365 email administrators to troubleshoot the issue. Follow the instructions below to extract the full email message headers whenever they are requested.

1. Locate the message in your Inbox and open it.
2. Click File from the menu bar.
3. Click Save As.
4. The Save As window opens to prompt you for a location to save the email message.

VERY IMPORTANT: Be sure to select Outlook Message Format (*.msg) in the Save as type dropdown menu. Click Save to save the email message (preferably to your desktop for easy retrieval).

Go to the file’s saved location, right-click on the file, select Send to, and then select Compressed (zipped) folder.

A new zipped file will be created in the same location. Attache the newly created zipped file to your ticket or email to ISC Client Care.

Foolproof email sanitation is difficult. Spammers constantly change their tactics to get around the private heuristics of mail sanitation services. Mail sanitation services constantly change their heuristics to address the ever-changing tactics of spammers. Email delivery is imperfect by nature. Penn's O365 environment is complicated by the fact we have multiple mail sanitation services.

Submitting mis-flagged messages provides mail sanitation vendors feedback that will make their services better, and consequently, our service will be better.

Definitions

False Positive : a legitimate message that was incorrectly flagged as junk

False Negative: a spam or phishing message that was not flagged as junk.

Self-reporting

False Positive Reporting:

False Negative Reporting:

To have ISC report:

Used for PennO365 mailbox management, check and apply overrides for various Schools/Centers

ARS Website

ARS FAQ

Grouper is a centralized middleware system allowing distributed management of permissions and groups of people/entities for authorization or other reasons.

Grouper performs overrides that can create an association for faculty, staff and students not formally associated to an affiliation. Grouper can also be employed to make a user look, to O365, like that user is part of a different School or Center. In cases where a user to be provisioned with O365 has several affiliations (ex: A student at school "B" who is also an employee at "C"), Grouper must first determine a primary affiliation. The synchronization of multiple affiliations can generate a conflict if the relationship between School, Center, Organization, Division, etc. falls outside of an established hierarchy. 

Audiencce

The audience and user community for this homegrown app is defined as Email Admins who utilize it in the process of carrying out Employee and Student Overrides for O365 enrollment.

Login

Penn WebLogin credentials are required to access Grouper.

Creating a New Group

On the Grouper home page, the "+ Create New Group" menu offers a drop-down menu with tools available to create a new folder, create a new group, and add members to the group.

Resources

Grouper Wiki

Glossary

Video Training

Grouper Resources

Used to determine an account's PennO365 email status

Enrollment Tool

A Microsoft tool for auto-discover, connectivity issues, and message header analysis (for checking spam issues)

O365 web troubleshooting tool