Microsoft 365 (M365) is a collection of online services and the classic Office applications. These are now called Microsoft 365 Apps for Enterprise and will replace the Office versions 2016 and 2019 currently in use at the University of Erfurt.
You will NOT receive any emails from Microsoft regarding your Microsoft 365 business account. Emails regarding this will only be sent by the University or the University Computer and Media Center (URMZ).
Under the leadership of the UniRZ of the TU Ilmenau, all Thuringian universities have joined the new "Microsoft Campus and School Subscription Framework Agreement" between the Leibniz Computing Center (LRZ) of the Bavarian Academy of Sciences and the company Microsoft Ireland Operations Limited as part of the work of the University IT Center of the Thuringian Universities.
This so-called Federal Contract 3.0 is regarded by Microsoft as a hybrid contract for the transition to the cloud. For users of Microsoft products, this means that licensing will in future be assigned per person and no longer per device via license key (KMS activation). The prerequisite for the official use of Microsoft products will therefore be registration as a user in the new Microsoft tenant of the University of Erfurt.
Initially, the employees and students of the University of Erfurt are licensed according to §21, paragraph 1, ThürHG.
The software and services are to be used exclusively for study-related or official purposes or for student or official projects.
Use for commercial or private purposes is not provided for in the license terms. Only personal, non-transferable licenses are provided. Users are only entitled to use the software and services during the licensed period. To use the services, personal data from our local user directory will be transferred to Microsoft.
If the University of Erfurt terminates the contract, does not submit an accession or renewal order before the end of the licensed period, or does not purchase perpetual licenses, all software must be uninstalled and the services can no longer be used.
Changeover to the new contract starting in May 2021:
Technical and organizational measures
from June 2022: pilot phase with synchronization of user and device data and installation of the new Office version (Microsoft 365 Apps for Enterprise) on the business devices of the University Computer and Media Center (URMZ)
from November 2022 at the earliest: rollout to the other departments.
(Planned) use of the offer
The software and services are used in accordance with the current version of the Product Terms (PT), the Online Services Terms (OST) and the Data Protection Addendum for Online Services (DPA).
Use of the Software and Services is also subject to the terms of the Campus and School Agreement (CASA), including but not limited to limitations of liability, disclaimer of warranties, and exclusion of remedies and claims.
Use requires status as a student or employee of the University of Erfurt and registration with Microsoft.
The software is offered as a subscription and allows users to install the Office products on any number of devices (business and private; Windows, macOS) for official purposes. Being signed in to Office with the M365 account is limited to a maximum of 5 devices at the same time. Cloud services such as OneDrive, Teams, Planner, etc. are included in this offer. However, the University of Erfurt reserves the right to offer users only a selection of the software and services or to restrict individual functions of the software and services. The use of individual software and services is regulated in detail by usage guidelines.
In the future, "Microsoft 365 Apps for Enterprise" (formerly "Office 365 ProPlus") will be used as standard on the devices of university employees instead of "Office Professional Plus".
The familiar Office programmes Word, Excel, PowerPoint, Outlook, OneNote, Access and Publisher will continue to be installed locally on the devices.
What is new is that an individual Microsoft account (business account) of the university is now required to activate the software. At least every 30 days, this account and an Internet connection are used to check whether a valid license is still assigned. If your computer is offline for more than 30 days, Microsoft 365 Apps switch to reduced functionality mode (documents can still be opened and printed, but not edited) until the next time a connection can be established.
The user name of the business account corresponds to your business e-mail address. The password corresponds to that of your university account.
For Windows devices centrally managed by the University Computer and Media Center (URMZ), the business account is automatically created in Windows and used to log in to Microsoft 365 Apps for Enterprise. Microsoft 365 Apps for Enterprise is installed automatically via distribution.
Please note that "Microsoft 365 Apps for Enterprise" cannot be installed simultaneously with older versions of Microsoft Office programmes. When "Microsoft 365 Apps for Enterprise" is installed, any existing older versions of the Office programmes will be automatically uninstalled.
If you want to use "Visio" or "Project" in addition to "Microsoft 365 Apps for Enterprise", you will need the latest version of these programmes. Since "Visio" and "Project" are not part of "Microsoft 365 Apps for Enterprise", additional licenses may have to be ordered for a fee. Please contact firstname.lastname@example.org for this purpose.
Work account in Windows
As soon as an M365 user signs in on a device joined to Azure Active Directory, the user account appears as a work or school account in Windows Settings under "Accounts" -> "Email & accounts".
A click on "Manage" opens the page https://myaccount.microsoft.com. Here, information about the business account, security (authentication methods and login history) and data protection can be viewed and partially edited.
Azure Active Directory (Azure AD or AAD) = Microsoft's directory service, to which the users' data are synchronized.
Work account in Microsoft Edge browser
When Edge is started for the first time with a work account active in Windows, the desired synchronization settings are queried (Figure 1).
Here, by clicking on "Synchronize", the user has the possibility to synchronize the preset areas (favorites, settings and collections) with M365, so that they are available on any device where a login is made with the same account. By clicking on "Customize" the areas to be synchronized can be adjusted and by clicking on "No thanks" the synchronization can be completely denied.
Sensitive areas such as passwords, history or contents of form fields are not synchronized and cannot be activated (Figure 2).
Multifactor authentication (MFA)
Multi-factor authentication is a second personal factor of authentication, which is checked in addition to authentication with e-mail address and password.
For security reasons, multi-factor authentication (MFA) is enabled for every M365 account. You are not prompted for the second factor only when using a business device joined to Azure AD (all devices centrally managed by the URMZ) together with the Microsoft Edge browser on that device. On all other devices and in all other browsers, the second factor is required and must be set up (see the prompt in the picture on the right).
You can use the suggested Microsoft Authenticator app (Android, iOS; see also the FAQ) or any alternative authenticator app, such as the GDPR-compliant "OpenOTP Token" app (Android, iOS) from the manufacturer RCDevs Security (see also the FAQ).
Instead of an app, you can also register a phone number and then receive, depending on your selection, a phone call or an SMS. These methods are possible but not recommended: calls and text messages can be redirected or intercepted (for example through SIM swapping), whereas an app-based second factor stays on the enrolled device and therefore offers a higher level of security.
After successful registration, you can log in to your M365 account page with your university email address and your university account password (not mail password!): https://myaccount.microsoft.com
During the initial login, you will be prompted to set up multi-factor authentication (MFA), i.e. a second personal factor that is checked in addition to your email address and password. The supported methods (the Microsoft Authenticator app, an alternative app such as the GDPR-compliant "OpenOTP Token" from RCDevs Security, or, not recommended, a phone call or SMS) are described in the section "Multifactor authentication (MFA)" above and in the FAQ.
If you have logged in at https://myaccount.microsoft.com, you can download Microsoft 365 Apps for Enterprise (Office) from the "Office Apps" section. If you click on "Install Office", an installation program is downloaded, which is adapted to the installed operating system and the language set there. If you click on "Show apps and devices", you can select the language and whether you want the 32- or 64-bit version of the installation package before the download.
Alternatively to the download, you can also log in to an already (pre-)installed Office 365 / Microsoft 365 Apps for Enterprise on your device with your M365 account (business account).
Enrollment and regular activation of Microsoft 365 Apps for Enterprise (Office)
The first time you start one of the installed M365 Apps for Enterprise, you need to log in with your M365 account to activate Office (Figures 1, 2 and 3). In the following dialog (Figure 4), uncheck the box "Allow my organization to manage my device" and click "No, only log in to this app". Important: do NOT click "OK". That would add your M365 account to Windows as a work account, register your device in the University of Erfurt's Microsoft 365 directory service (Azure Active Directory) and store data about the device at Microsoft, possibly in third countries.
Subsequently, the license agreement must be accepted (Figure 5) and the desired default file types (Office Open XML formats or OpenDocument formats) must be selected (Figure 6). Finally, the Microsoft 365 App you just opened must be restarted (Figure 7).
A reactivation of the M365 Apps takes place regularly in the background. This checks whether a corresponding license is still assigned to your M365 account. For this, the device must be regularly connected to the Internet. If the computer is offline for more than 30 days, Microsoft 365 Apps switches to the mode with limited functionality until the next time a connection can be established.
Description: A cloud-based service hosted by Microsoft and offered to companies of all sizes. Company employees can create sites to share documents and information with colleagues, partners and customers.
The following services are not available for data protection and technical reasons: Forms, Lists, Planner, Stream, To Do, Whiteboard, Bookings, Delve, Dynamics 365, Exchange Online, MyAnalytics, Education Analytics, Power Apps, Power Automate, Power BI, Power Virtual Agents, School Data Sync, StaffHub, Sway, Kaizala, Viva Learning, Skype for Business and Yammer.
FAQ - Conversion of framework agreement/licensing
Why does the contract need to be changed?
In order to be able to continue offering the Microsoft products currently on offer after the old contract expires, the University of Erfurt is obliged to conclude a corresponding new contract with Microsoft. This "Microsoft Campus and School Subscription Framework Contract" (Microsoft Federal Contract 3.0) was originally agreed between the Leibniz Computing Center (LRZ) of the Bavarian Academy of Sciences and Humanities and the Microsoft Ireland Operations Limited. The universities in Thuringia joined the contract under the leadership of the TU Ilmenau as part of the University IT Center.
The main difference in the content of the agreement is the licensing method. The new licensing model now provides for personal licenses instead of the previous device-based licenses.
What does the changeover actually change about the licensing model?
Essentially, the entry into force of the Federal Contract 3.0 merely changes the license model from the previous device-based licenses to person-based licenses. Each user must now be assigned a personal license. In addition, the new Office version (Microsoft 365 Apps for Enterprise) must be installed on all business devices.
What do I have to do as an authorized user to continue using Microsoft products under the license provided to me?
The registration of all employees in the new Microsoft tenant of the University of Erfurt, as well as the assignment of licenses for the individual Microsoft products, is carried out centrally by the URMZ. Employees do not have to do anything to continue using the Microsoft products. The installation on centrally managed devices is carried out via a software distribution of the University Computer and Media Center (URMZ). This will be done department by department, starting in November 2022 at the earliest, and will also install the newer Office version (Microsoft 365 Apps for Enterprise) on the devices. The user interface will change only slightly; functions in Excel, Word, etc. will remain the same, and new functions will be added in some cases.
Employees who administer their devices themselves can download and install Microsoft 365 Apps for Enterprise via their Microsoft account at https://myaccount.microsoft.com.
Why can't the free personal Microsoft account be used for business use?
Responsibility for official data lies with the university. The university must comply with numerous regulations, such as archiving law, data protection law, budgetary law, and tax law. The necessary control is only possible with the Campus and School Agreement from Microsoft. In addition, in the case of a personal Microsoft account, the contract exists only between you and Microsoft. The Microsoft Campus and School Agreement has been concluded by the university.
Which products are affected by the changeover?
The Microsoft license change affects all Microsoft products. The products that were previously available at the University of Erfurt (Windows, Office (Word, Excel, PowerPoint, etc.)) will continue to be made available.
How many installations are allowed?
All users have one license that entitles them to use Windows and Office (Microsoft 365 Apps for Enterprise). This allows them to install Microsoft 365 Apps for Enterprise on all their devices and to be logged into Microsoft 365 Apps for Enterprise on five devices at the same time. Windows 10/11 Enterprise may be installed on up to five devices per user.
Are there also licenses for working at home/home office?
With Microsoft 365, users can install Office on all their devices and be logged in to Office on five devices simultaneously (in the office and/or home office). Please remember that installation on private devices is only permitted for business or study-related purposes!
Can I also use the license for private purposes?
No. The software and services are to be used exclusively for study-related or official purposes or for student or official projects. Use for commercial or private purposes is not provided for in the license terms. Only personal, non-transferable licenses are provided. Users are also only entitled to use the software and services during the licensed period.
However, through the Microsoft Workplace Discount Program (formerly known as the Home Use Program), you may receive discounted pricing on select Microsoft 365 subscriptions and Surface devices and accessories.
FAQ - Microsoft 365 Apps for Enterprise (Office)
Should I register my self-administered device with my organization as part of the Office installation?
No. Please remove the checkmark in front of "Allow my organization to manage my device" in the corresponding dialog box and click "No, only log in to this app" (see image). If you click "OK" instead, the device will be stored in the Microsoft directory service (Azure Active Directory) in the cloud - possibly also in third countries. The only advantage this would have under our conditions would be fewer logins when you want to access your M365 account with Edge, for example.
Why does "Auto Save" not work?
"Auto Save" only works with files saved in OneDrive. Since OneDrive is disabled for privacy protection reasons, automatic saving is also not possible. You can remove the button from the Quick Access toolbar using the appropriate menu, as shown in the image.
Why can't I use Office add-ins?
The University does not currently offer the ability to use the Office Add-In Store because the required "optional connected experiences" cannot be enabled.
The deactivation exists for the following reasons:
Unlike the enabled "connected experiences," there is currently no agreement in place between the Free State of Thuringia and Microsoft for commissioned data processing. In addition, the use of each add-in would have to be examined individually for data protection concerns and the University of Erfurt's data protection officer would have to be given the opportunity to comment.
This would also require a regular review of the service with a particular focus on barrier-free access, data protection, information security and licensing law in the event of changes/extensions to an add-in.
Why are some functions in the M365 apps, such as dictation, deactivated?
Some features in the M365 apps, such as dictation, are not available for data protection reasons. The optional connected experiences required for this as well as the connected experiences that analyze content have been disabled in Microsoft 365 Apps for Enterprise.
Connected experiences that download online content, on the other hand, remain available.
Due to the deactivated OneDrive cloud storage for data protection reasons, OneNote can only be used to a limited extent.
Only with the installed OneNote from the downloaded office package of the university, the notebooks can be stored and used locally (or on a network drive).
Employees: place your notebooks on a network drive. Offline use is possible; synchronization takes place the next time the notebook location is reachable (directly on the university network or via eduVPN).
Students: if you want to use OneNote on several devices, you have to log in with a private Microsoft account and keep the OneNote notebook there.
My Citavi add-in in Word has disappeared. How do I get it back?
Due to the uninstallation of the old Office version and the complete reinstallation of the Microsoft 365 apps, the integration of the Citavi add-in is missing. However, this can be restored in a few steps:
Open the "Apps" section in Windows Settings and select Citavi 6 under "Apps and Features" and click "Change" (Figure 1).
Select "Custom" and click "Next" (Figure 2).
Leave the preselection and click "Next" (Figure 3).
Click on "Install" (Figure 4).
Click on "Finish" (Figure 5).
The next time you start Word, the Citavi add-in will be available again (Figure 6).
FAQ - Data privacy and security
Is Microsoft 365 secure as a service?
Microsoft has comprehensive security certifications. However, there is no such thing as 100% security.
Customer data is stored at rest in the EU, and Microsoft holds a BSI C5 attestation, which would even allow federal agencies to use the service in appropriate cases.
The personal data is used to verify license eligibility for Windows, Office, and other Microsoft services. This is necessary due to Microsoft licensing regulations.
Does Microsoft 365 encrypt your data?
Microsoft 365 uses service-side technologies that encrypt customer data at rest and in transit. For customer data at rest, Microsoft 365 uses encryption at the volume level (BitLocker) and at the file level. For customer data in transit, Microsoft 365 uses several encryption technologies for communication between data centers and between clients and servers, such as TLS (Transport Layer Security) and IPsec (Internet Protocol Security). Microsoft 365 also includes customer-managed encryption capabilities.
Is Microsoft accessing your data?
Microsoft automates most Microsoft 365 operations while reducing its own access to customer data. This allows Microsoft to manage Microsoft 365 to the extent necessary and more easily reduce the risk of insider threats to customer data. By default, Microsoft technicians have no standing administrative privileges and no access to customer data in Microsoft 365. A Microsoft technician may be granted limited, logged access to customer data for a limited period of time, but only as required for normal service operations and only with the approval of a member of Microsoft's senior management.
Where does Microsoft store my identity data?
Excerpt from Microsoft documentation:
"Identity data is stored by Azure AD in a geographic location based on the address your organization provided when subscribing to a Microsoft online service such as Microsoft 365 and Azure. For information about where your identity data is stored, see the "Where we store your data" section in the Microsoft Trust Center.
Azure AD stores most identity data from customers who have provided an address in Europe in European data centers."
Azure Active Directory (Azure AD) = Microsoft's directory service to which user data is synchronized.
May personal data be processed at all by Microsoft, a US corporation?
Yes, as long as Microsoft provides legally appropriate safeguards. Microsoft processes the data as a processor bound by instructions for the provision of the service, including further development and support. Guarantees are in place with standard contractual clauses and additional measures. Residual risks have been assumed by the university management.
Can the university's Microsoft account be deleted?
The Microsoft account will be deleted together with the university account after the person concerned has left the university. Any existing customer content remains stored by Microsoft for a maximum of 30 days. Personal identification data (e.g. user name or e-mail address) will be deleted after 180 days at the latest.
What measures have been taken for even more data protection?
To make logging in more secure, multi-factor authentication (MFA), also called two-step verification, is enabled for all users. If you log in on a centrally managed device and use only the M365 apps, no second factor is requested. A second factor becomes necessary if you want to access other M365 web services that may be unlocked in the future, or your business Microsoft account, using a browser other than Microsoft Edge. This minimizes the risk of your account being misused even if the password is compromised.
Reduction of services
Services that are critical from a data protection perspective have been deactivated. Currently, only Microsoft 365 Apps for Enterprise (Office) can be used. Cloud storage services such as OneDrive and SharePoint are not active. A list of services and their status can be found here: Apps and services (from a privacy perspective)
If you are using a University managed device, then Windows diagnostic data is reduced to the lowest level "security".
For the M365 apps, the diagnostic data level has likewise been set to the minimal "Required" level. In addition, optional connected experiences and connected experiences that analyze content are disabled in Microsoft 365 Apps for Enterprise.
Connected experiences that download online content, on the other hand, can be used.
Services such as MyAnalytics, the Productivity Score, Delve, and Viva will not be made available.
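The following PowerShell script is an added example, not part of the original page and not a tool provided by the URMZ or by Microsoft. It lets the owner of a self-administered Windows device verify the three things described above after the Office sign-in: whether the device nevertheless ended up registered or joined in Azure AD (the result of clicking "OK" instead of "No, only log in to this app"), the current Office activation state and remaining grace period behind the 30-day license check, and the diagnostic-data and connected-experience policy values. It assumes Windows 10/11 with dsregcmd.exe and cscript.exe, a Click-to-Run Office16 installation that ships OSPP.VBS, and registry paths taken from Microsoft's "Use policy settings to manage privacy controls for Microsoft 365 Apps" documentation as recalled by the editor; check them against the current documentation before relying on them.

```powershell
# Added example: audit a self-administered Windows device after the Office sign-in.
# Assumptions: dsregcmd.exe/cscript.exe present, Click-to-Run Office16 with OSPP.VBS,
# registry paths as in Microsoft's privacy-controls documentation (verify before use).

function Get-AadRegistrationState {
    # dsregcmd /status prints "Key : Value" lines; keep the three join/registration flags.
    $state = @{ AzureAdJoined = $false; WorkplaceJoined = $false; DomainJoined = $false }
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|WorkplaceJoined|DomainJoined)\s*:\s*(YES|NO)') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Get-OfficeActivationState {
    # OSPP.VBS /dstatus lists every installed Office license with status and grace period.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $ospp = $roots |
        ForEach-Object { Join-Path $_ 'Microsoft Office\Office16\OSPP.VBS' } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $ospp) { return $null }
    $out = cscript //nologo $ospp /dstatus
    # Collect the value after "LABEL:" for every license block, joined with "; ".
    $pick = {
        param($label)
        ($out | Where-Object { $_.Trim() -like "$label*" } |
            ForEach-Object { ($_ -split ':', 2)[1].Trim() }) -join '; '
    }
    [pscustomobject]@{
        LicenseName    = & $pick 'LICENSE NAME:'
        LicenseStatus  = & $pick 'LICENSE STATUS:'
        RemainingGrace = & $pick 'REMAINING GRACE:'
    }
}

function Get-PrivacyPolicyState {
    # Reads the policy values the page describes; $null means "not configured by policy".
    $read = { param($path, $name) (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name }
    $privacy   = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
    $telemetry = 'HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry'
    $windows   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    [pscustomobject]@{
        # Office diagnostic data: 1 = Required, 2 = Optional, 3 = Neither
        OfficeDiagnosticData          = & $read $telemetry 'SendTelemetry'
        # 2 = policy Disabled (optional connected experiences off, as on this page)
        OptionalConnectedExperiences  = & $read $privacy 'controllerconnectedservicesenabled'
        # 2 = policy Disabled (experiences that analyze content off)
        ContentAnalyzingExperiences   = & $read $privacy 'usercontentdisabled'
        # 2 = policy Disabled; expect 1 or not set, since downloading online content stays allowed
        DownloadingContentExperiences = & $read $privacy 'downloadcontentdisabled'
        # Windows diagnostic data: 0 = Security (honoured only on Enterprise/Education editions),
        # 1 = Required, 3 = Optional
        WindowsDiagnosticData         = & $read $windows 'AllowTelemetry'
    }
}

# Run the audit and flag the one thing a self-administered device should not show.
$aad = Get-AadRegistrationState
[pscustomobject]$aad | Format-List
Get-OfficeActivationState | Format-List
Get-PrivacyPolicyState | Format-List
if ($aad.WorkplaceJoined -or $aad.AzureAdJoined) {
    Write-Warning 'Device is registered or joined to Azure AD. On a self-administered device this usually means "OK" was clicked instead of "No, only log in to this app".'
}
```

On a URMZ-managed device, AzureAdJoined = YES is the expected state; on a self-administered device both flags should be NO. If WorkplaceJoined shows YES, the registration can be removed under Windows Settings -> "Accounts" -> "Access work or school" by disconnecting the account, after which Office has to be signed in again with "No, only log in to this app".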
How can I use Microsoft 365 even more securely?
Even though, with the default settings and the (at least temporary) restriction to the M365 Apps for Enterprise, many users will rarely be asked for it, we recommend registering the second factor (multi-factor authentication) for your login and regularly reviewing your account's sign-in activity at https://myaccount.microsoft.com.
In addition, should data storage in the cloud be allowed in the future, you can use tools such as Cryptomator or VeraCrypt to additionally protect particularly sensitive data against unauthorized access through client-side encryption.
How do I use the OpenOTP Token app for multi-factor authentication?
If you are asked to provide additional information to protect your account after the M365 login (Figure 1), you have the option to click on the link "I want to use another authenticator app" in the next dialog (Figure 2).
You will then be prompted to add a new account in your app (Figure 3). If you do not have the "OpenOTP Token" app installed on your smartphone yet, you can install it from the app store (Android, iOS).
When you click "Next", a QR code is displayed, which you use to add your M365 account to the "OpenOTP Token" app (Figure 4). The QR code contains the shared secret from which the one-time codes are computed, so do not photograph, forward or store it anywhere else.
Launch the "OpenOTP Token" app on your smartphone and tap on the camera icon (Figure 5), grant appropriate necessary permissions and scan the displayed QR code.
After scanning the QR code, you will receive a corresponding success message (Figure 6) and your M365 account will appear in the app (Figure 7 - example account from the manufacturer).
Click "Next" and you will be prompted to enter the first code (Figure 8).
Select your account in the app and the current One-time password (OTP) will be displayed. This password changes every 30 seconds (Figure 9 - Manufacturer's example account).
Enter the code and confirm with "Next" (Figure 10).
Complete the MFA setup by clicking on "Done" (Figure 11).
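The script below is an added example written for this page; it is not from the original page, from RCDevs or from Microsoft. It reproduces what the "OpenOTP Token" app does with the secret from the QR code (an otpauth URI whose "secret" parameter is the Base32-encoded key): it implements RFC 4226 HOTP and RFC 6238 TOTP with the parameters used here for third-party OATH apps (HMAC-SHA1, 6 digits, 30-second steps), verifies itself against the RFC 6238 Appendix B test vector, and shows how long the current code remains valid. It also illustrates the OATH/TOTP verification mentioned in the data-location FAQ below. The key used is the RFC's published test key, not a real enrolment secret.

```powershell
# Added example, not from the original page or from any vendor: deriving a TOTP code
# from the shared secret carried in the enrolment QR code (otpauth://totp/...?secret=<Base32>).
# Parameters: HMAC-SHA1, 6 digits, 30-second step. The key below is the RFC 6238 test key.
# Never put a real MFA secret into a script: whoever holds it holds the second factor.

function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Text)
    # RFC 4648 Base32: 5 bits per character, padding '=' ignored.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = [System.Text.StringBuilder]::new()
    foreach ($c in $Text.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid Base32 character '$c'" }
        [void]$bits.Append([Convert]::ToString($idx, 2).PadLeft(5, '0'))
    }
    $s = $bits.ToString()
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $s.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($s.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-Hotp {
    param([Parameter(Mandatory)][byte[]]$Key, [Parameter(Mandatory)][uint64]$Counter, [int]$Digits = 6)
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    $msg = [BitConverter]::GetBytes($Counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Key)
    try { $hash = $hmac.ComputeHash($msg) } finally { $hmac.Dispose() }
    # Low nibble of the last byte selects a 4-byte window; top bit is masked off.
    $offset = $hash[19] -band 0x0F
    $binary = (
        (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
        ([int]$hash[$offset + 1] -shl 16) -bor
        ([int]$hash[$offset + 2] -shl 8) -bor
        [int]$hash[$offset + 3]
    )
    return ($binary % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [datetime]$Time = [datetime]::UtcNow,
        [int]$StepSeconds = 30,
        [int]$Digits = 6
    )
    # RFC 6238: the HOTP counter is floor(unix_time / step); both sides must agree on the clock.
    $unix = [datetimeoffset]::new($Time.ToUniversalTime()).ToUnixTimeSeconds()
    $counter = [uint64][math]::Floor($unix / $StepSeconds)
    return Get-Hotp -Key (ConvertFrom-Base32 $Base32Secret) -Counter $counter -Digits $Digits
}

# Self-check: RFC 6238 Appendix B lists 287082 as the 6-digit SHA-1 code for the
# ASCII key "12345678901234567890" at t = 59 s (counter 1).
$rfcKey = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'   # Base32 of the RFC test key
$t59 = [datetime]::new(1970, 1, 1, 0, 0, 59, [DateTimeKind]::Utc)
if ((Get-Totp -Base32Secret $rfcKey -Time $t59) -ne '287082') { throw 'TOTP self-check failed' }

# Current code and remaining validity of the 30-second window. The verifier (Microsoft)
# recomputes the same value from its own clock, which is why a phone with a wrong clock
# produces codes that are rejected even though the app "works".
$now = [datetimeoffset]::UtcNow
$secondsLeft = 30 - ($now.ToUnixTimeSeconds() % 30)
"Current code: {0} (valid for {1} more second(s))" -f (Get-Totp -Base32Secret $rfcKey), $secondsLeft
```

Because the code is a pure function of the secret and the time, the app needs no network connection to generate it; only the secret is sensitive, which is why the "Where is the data ... stored" FAQ below can state that OATH codes originating from European data centers are verified in Europe without anything else leaving the device.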
How do I use the Microsoft Authenticator app for multi-factor authentication?
If you are asked to enter additional information to protect your account after the M365 login (Figure 1), the "Microsoft Authenticator" app is offered directly in the next dialog (Figure 2). In addition to helpful information about the app, the "Download now" link takes you to the download links for the two app stores (Android, iOS).
Click "Next" and you will be prompted to set up your account in the "Microsoft Authenticator" app (Figure 3).
Install the app on your smartphone (if you haven't already).
Launch the app and add your account using the + on the app's home page (Figure 4).
In the next step, select "Work or school account" (Figure 5) and then "Scan QR code" (Figure 6).
In the MFA setup dialog box, click "Next" (Figure 3) and scan the displayed QR code (Figure 7) with the app.
Your M365 account then appears in the app (Figure 8).
Click "Next" in the MFA setup dialog box (Figure 7).
The next window will test the authentication (Figure 9).
Shortly afterwards, a notification should appear on your smartphone asking for the number displayed in the previous window (Figure 10).
Enter that number on your smartphone and confirm with "YES". This number matching makes it much harder to approve a sign-in you did not start yourself, for instance one triggered by an attacker who knows your password: only someone who can see the sign-in screen knows the number.
With the success message (Fig. 11), the multi-factor authentication setup is complete.
Where is the data for multi-factor authentication stored and processed?
With cloud-based Azure AD Multi-Factor Authentication, authentication takes place in the data center closest to the user's location. Azure AD Multi-Factor Authentication data centers are located in North America, Europe, and Asia Pacific.
Multi-factor authentication phone calls originate from data centers in the customer's region and are routed through global carriers.
Multi-factor authentication via SMS is routed through global carriers.
Multi-factor authentication requests that use Microsoft Authenticator push notifications and originate from European data centers are processed in European data centers.
Device- and vendor-specific services, such as Apple push notifications, may be located outside Europe.
Multi-factor authentication requests using OATH codes (time-based one-time passwords (TOTP), such as those generated by the smartphone app "OpenOTP Token") that originate from European data centers are verified in Europe.