Microsoft 365

Microsoft 365 (M365) is a collection of online services and the classic Office applications. These are now called Microsoft 365 Apps for Enterprise and will replace the Office versions 2016 and 2019 currently in use at the University of Erfurt.

Further information from the manufacturer: https://www.microsoft.com/de-de/microsoft-365

ATTENTION: Spam / Phishing

You will NOT receive any emails from Microsoft regarding your Microsoft 365 business account. Emails regarding this will only be sent by the University or the University Computer and Media Center (URMZ).

General information

Under the leadership of the UniRZ of the TU Ilmenau, all Thuringian universities have joined the new "Microsoft Campus and School Subscription Framework Agreement" between the Leibniz Computing Center (LRZ) of the Bavarian Academy of Sciences and the company Microsoft Ireland Operations Limited as part of the work of the University IT Center of the Thuringian Universities.

This so-called Federal Contract 3.0 is seen by Microsoft as a hybrid contract for the transition to the cloud. For users of Microsoft products, this means that licenses will in future be assigned per person rather than activated by license key (KMS activation). The prerequisite for the official use of Microsoft products will therefore be registration as a user in the new Microsoft tenant of the University of Erfurt.

Initially, the employees and students of the University of Erfurt are licensed according to §21, paragraph 1, ThürHG.

The software and services are to be used exclusively for study-related or official purposes or for student or official projects.

Use for commercial or private purposes is not provided for in the license terms. Only personal, non-transferable licenses are provided. Users are only entitled to use the software and services during the licensed period. To use the services, personal data from our local user directory will be transferred to Microsoft.

All software must be deleted, and the services can no longer be used, if the University of Erfurt terminates the contract, does not submit an accession or renewal order before the end of the licensed period, or does not purchase licenses for an unlimited period of time.

Changeover to the new contract starting in May 2021:

  • Technical and organizational measures
  • From June 2022: Pilot phase with synchronization of user and device data and installation of the new Office version (Microsoft 365 Apps for Enterprise) on the service devices in the University Computer and Media Center (URMZ)
  • From October 2022: Activation of the login for students https://idmweb.uni-erfurt.de/m365
  • From November 2022 at the earliest: Inclusion of other areas

(Planned) use of the offer

The software and services are used in accordance with the current version of the Product Provisions (PT), the Online Services Provisions (OST) and the Data Protection Addendum for Online Services (DPA).

These are available at https://www.microsoft.com/de-de/licensing/product-licensing/products.aspx.

Use of the Software and Services is also subject to the terms of the Campus and School Agreement (CASA), including but not limited to limitations of liability, disclaimer of warranties, and exclusion of remedies and claims.

Use requires status as a student or employee of the University of Erfurt and registration with Microsoft.

The software is offered in the form of a subscription and gives users the option of installing the Office products on any number of devices (official and private; Windows, Macintosh) for official use. Simultaneous login to Office with the M365 account is limited to a maximum of 5 devices. Cloud services such as OneDrive, Teams, Planner, etc. are included in this offer. However, the University of Erfurt reserves the right to offer users only a selection of software and services or to restrict individual functions of the software and services. The use of individual software and services is regulated in detail by usage guidelines.

https://www.uni-erfurt.de/universitaetsrechen-und-medienzentrum/ueber-uns/richtlinien/regeln/spezielle-nutzungsrichtlinien

Employees:

Registration and license assignment is done centrally by the University Computer and Media Center (URMZ). All employees are automatically issued with a license.

Installation on centrally managed devices is done centrally via distribution by the University Computer and Media Center (URMZ).

Students:

The use requires the status as a student of the University of Erfurt and a registration (opt-in) for Microsoft 365.

You can register here: https://idmweb.uni-erfurt.de/m365

Microsoft Workplace Discount Program:

Through the Microsoft Workplace Discount Program, you have the opportunity to receive low prices on select Microsoft 365 subscriptions and Surface devices and accessories.

https://www.microsoft.com/de-de/workplace-discount-program

Data protection

You can find information about data protection in the draft here: https://www.uni-erfurt.de/universitaet/datenschutz/im-buero/microsoft-365.

Other questions?

If you have any further questions or concerns, please contact us at m365@uni-erfurt.de.

Notes for employees

In the future, "Microsoft 365 Apps for Enterprise" (formerly "Office 365") will be used as standard on the devices of university employees, rather than "Office Professional Plus".

The familiar Office programmes Word, Excel, PowerPoint, Outlook, OneNote, Access and Publisher will continue to be installed locally on the devices.

What is new is that an individual Microsoft account (business account) of the university is now required to activate the software. At least every 30 days, this account and an existing Internet connection are used to check whether a valid license is still available.

The user name of the business account corresponds to your business e-mail address. The password corresponds to that of your university account.

For Windows devices centrally managed by the University Computer and Media Center (URMZ), the business account is automatically created in Windows and used to log in to Microsoft 365 Apps for Enterprise. Microsoft 365 Apps for Enterprise is installed automatically via distribution.

Self-administrators obtain the software through their Microsoft Account page: https://myaccount.microsoft.com

Please note that "Microsoft 365 Apps for Enterprise" cannot be installed simultaneously with older versions of Microsoft Office programmes. When "Microsoft 365 Apps for Enterprise" is installed, any existing older versions of the Office programmes will be automatically uninstalled.

If you want to use "Visio" or "Project" in addition to "Microsoft 365 Apps for Enterprise", you will need the latest version of these programmes. Since "Visio" and "Project" are not part of "Microsoft 365 Apps for Enterprise", additional licenses may have to be ordered for a fee. Please contact softdist@uni-erfurt.de for this purpose.

Notes for students

Registration and initial application

Students can register for Microsoft 365 here: https://idmweb.uni-erfurt.de/m365

After successful registration, you can log in to your M365 account page with your university email address and your university account password (not mail password!): https://myaccount.microsoft.com

During the initial login, you will be prompted to set up measures for additional security (multi-factor authentication (MFA)). This is a second personal factor of authentication that is checked in addition to the authentication with email address and password. You can use the suggested Authenticator app from Microsoft (Android, iOS; see also FAQ) or any alternative authenticator app, such as the GDPR-compliant app "OpenOTP Token" (Android, iOS) from the manufacturer RCDevs Security (see also FAQ).

Instead of an app for the second factor, you can also specify a phone number, to which you will then receive a phone call or an SMS, depending on your selection. These methods are possible, but not recommended. There is a higher level of security when using an app.

The various methods for logging in can be managed via https://mysignins.microsoft.com/security-info.

Office Download

If you have logged in at https://myaccount.microsoft.com, you can download Microsoft 365 Apps for Enterprise (Office) from the "Office Apps" section. If you click on "Install Office", an installation program is downloaded, which is adapted to the installed operating system and the language set there. If you click on "Show apps and devices", you can select the language and whether you want the 32- or 64-bit version of the installation package before the download.

Alternatively to the download, you can also log in to an already (pre-)installed Office 365 / Microsoft 365 Apps for Enterprise on your device with your M365 account (business account).

Enrollment and regular activation of Microsoft 365 Apps for Enterprise (Office)

The first time you start one of the installed M365 Apps for Enterprise, you need to log in with your M365 account for Office activation (Figures 1, 2 and 3). In the following dialog (Figure 4), uncheck the box "Allow my organization to manage my device" and click "No, only log in to this app". Important: Do NOT click on "OK". This would create your M365 account on Windows as a business account, register your device in the Microsoft 365 directory service (Azure Active Directory) of the University of Erfurt and store data from the device at Microsoft, possibly in third countries.

Subsequently, the license agreement must be accepted (Figure 5) and the desired standard file types (Office Open XML formats or OpenDocument formats) must be selected (Figure 6). Finally, a restart of the just opened Microsoft 365 Apps is necessary (Figure 7).

A reactivation of the M365 Apps takes place regularly in the background. This checks whether a corresponding license is still assigned to your M365 account. For this, the device must be regularly connected to the Internet. If the computer is offline for more than 30 days, Microsoft 365 Apps switches to the mode with limited functionality until the next time a connection can be established.

[Figures 1 to 7: screenshots of the activation dialogs described above]

Microsoft 365 Apps and Services available

The available Microsoft 365 apps and services are severely limited for data protection reasons and technical reasons. An overview and corresponding notes can be found below: Apps and services (from a privacy perspective)

Apps and services (from a privacy perspective)

  • Microsoft Defender Antivirus

  • Microsoft Edge

  • Office Addin Store

    • Description: Extensions for Microsoft Office

    • Further information: Platform overview for Office add-ins

    • Measures or control options: Currently deactivated for data protection reasons.

  • Office Mobile Apps

  • Office for the Web

  • Office - Connected experiences

    • Description: Office consists of client software applications and connected experiences that enable you to create, communicate, and collaborate more effectively.

    • More info: Service data required for Office Connected experience in Office

    • Measures or controls: The use of connected experiences that analyze content is not possible for data protection reasons. The use of connected experiences that download online content is possible.

  • Office - Optional Connected Experiences

  • Teams

    • Description: The customizable, chat-based team workspace in Office 365.

    • Further information: Microsoft Teams Help

    • Measures or control options: Deactivated for data protection reasons. Alternative: Cisco Webex (formerly Webex Teams) currently in use at the University of Erfurt.

  • OneDrive

  • SharePoint in Microsoft 365

    • Description: A cloud-based service hosted by Microsoft and offered to companies of all sizes. Company employees can create sites to share documents and information with colleagues, partners and customers.

    • More info: What is SharePoint?

    • Measures or control options: Disabled for data protection reasons. Alternative: Use the established SharePoint service hosted by TU Ilmenau.

  • Project Online

  • Visio Online

  • Other M365 services and tools

    • Forms, Lists, Planner, Stream, To Do, Whiteboard, Booking, Delve, Dynamics 365, Exchange Online, MyAnalytics, Education Analytics, Power Apps, Power Automate, Power BI, Power Virtual Agents, School Data Sync, StaffHub, Sway, Kaizala, Viva Learning, Skype for Business, and Yammer are not available for data protection and technical reasons.

FAQ - Conversion of framework agreement/licensing

Why does the contract need to be changed?

In order to be able to continue offering the Microsoft products currently on offer after the old contract expires, the University of Erfurt is obliged to conclude a corresponding new contract with Microsoft. This "Microsoft Campus and School Subscription Framework Contract" (Microsoft Federal Contract 3.0) was originally agreed between the Leibniz Computing Center (LRZ) of the Bavarian Academy of Sciences and Humanities and the Microsoft Ireland Operations Limited. The universities in Thuringia joined the contract under the leadership of the TU Ilmenau as part of the University IT Center.

The main difference in the content of the agreement is the licensing method. The new licensing model now provides for personal licenses instead of the previous device-based licenses.

What does the changeover actually change about the licensing model?

Essentially, the entry into force of the Federal Agreement 3.0 merely changes the license model from the previous device-related licenses to person-related licenses. Each user must now be assigned a personal license. In addition, the new Office version (Microsoft 365 Apps for Enterprise) must be installed on all business devices.

Who gets a license?

A license is initially granted to full-time employees and students of the University of Erfurt (according to §21, paragraph 1, ThürHG). For further inquiries, please contact the University Computer and Media Center (URMZ): softdist@uni-erfurt.de.

What do I have to do as an authorized user to continue using Microsoft products under the license provided to me?

The registration of all employees in the new Microsoft client of the University of Erfurt as well as the license assignment of the individual Microsoft products is carried out centrally by the URMZ. The employees do not have to do anything to continue using the Microsoft products. The installation on supervised devices is carried out centrally via a distribution of the University Computer and Media Center (URMZ). This will be done on a departmental basis, starting in November 2022 at the earliest, and will also involve installing a newer version of Office (Microsoft 365 Apps for Enterprise) on the devices. The interface will change only slightly; functionalities, e.g. in Excel, Word, etc., will remain the same, and new functions will be added in some cases.

Employees who administer their devices themselves can download Microsoft 365 Apps for Enterprise via their Microsoft account at https://myaccount.microsoft.com.

Registration for students is available at https://idmweb.uni-erfurt.de/m365. The option to register for the previous "Office365 ProPlus for Students and Employees" offering has been discontinued. There is a transition phase during which users of the old Microsoft tenant (@TechnischeUnivers049.onmicrosoft.com) will have the opportunity to move or back up their data on their own. This transition phase is expected to end on December 31, 2022 (see also: https://www.uni-erfurt.de/universitaetsrechen-und-medienzentrum/beratung-und-hilfe/studium-lehre/software-fuer-privatgeraete).

Why can't the free personal Microsoft account be used for business use?

Responsibility for official data lies with the university. The university must comply with numerous regulations, such as archiving law, data protection law, budgetary law, and tax law. The necessary control is only possible with the Campus and School Agreement from Microsoft. In addition, in the case of a personal Microsoft account, the contract exists only between you and Microsoft. The Microsoft Campus and School Agreement has been concluded by the university.

Which products are affected by the changeover?

The Microsoft license change affects all Microsoft products. The products that were previously available at the University of Erfurt (Windows, Office (Word, Excel, PowerPoint, etc.)) will continue to be made available.

How many installations are allowed?

All users have one license that entitles them to use Windows and Office (Microsoft 365 Apps for Enterprise). This allows them to install Microsoft 365 Apps for Enterprise on all their devices and to be logged into Microsoft 365 Apps for Enterprise on five devices at the same time. Windows 10/11 Enterprise may be installed on up to five devices per user.

Are there also licenses for working at home/home office?

With Microsoft 365, users can install Office on all their devices and be logged in to Office on five devices simultaneously (in the office and/or home office). Please remember that installation on private devices is only permitted for business or study-related purposes!

Can I also use the license for private purposes?

No. The software and services are to be used exclusively for study-related or official purposes or for student or official projects. Use for commercial or private purposes is not provided for in the license terms. Only personal, non-transferable licenses are provided. Users are also only entitled to use the software and services during the licensed period.

However, through the Microsoft Workplace Discount Program (formerly known as the Home Use Program), you may receive discounted pricing on select Microsoft 365 subscriptions and Surface devices and accessories.

FAQ - Microsoft 365 Apps for Enterprise (Office)

Should I register my self-administered device with my organization as part of the Office installation?

No. Please remove the checkmark in front of "Allow my organization to manage my device" in the corresponding dialog box and click "No, only log in to this app" (see image). If you click "OK" instead, the device will be stored in the Microsoft directory service (Azure Active Directory) in the cloud - possibly also in third countries. The only advantage this would have under our conditions would be fewer logins when you want to access your M365 account with Edge, for example.

Why does "Auto Save" not work?

"Auto Save" only works with files saved in OneDrive. Since OneDrive is disabled for privacy protection reasons, automatic saving is also not possible. You can remove the button from the Quick Access toolbar using the appropriate menu, as shown in the image.

Why can't I use Office add-ins?

The University does not currently offer the ability to use the Office Add-In Store because the required "optional connected experiences" cannot be enabled.

The deactivation exists for the following reasons:

Unlike the enabled "connected experiences," there is currently no agreement in place between the Free State of Thuringia and Microsoft for commissioned data processing. In addition, the use of each add-in would have to be examined individually for data protection concerns and the University of Erfurt's data protection officer would have to be given the opportunity to comment.

This would also require a regular review of the service with a particular focus on barrier-free access, data protection, information security and licensing law in the event of changes/extensions to an add-in.

Why are some functions in the M365 apps, such as dictation, deactivated?

Some features in the M365 apps, such as dictation, are not available for data protection reasons. The optional connected experiences required for this as well as the connected experiences that analyze content have been disabled in Microsoft 365 Apps for Enterprise.

The use of connected experiences that download online content, on the other hand, can be used.

An overview of the individual affected features, can be found here: https://docs.microsoft.com/de-de/deployoffice/privacy/connected-experiences

What to consider when using OneNote?

Due to the deactivated OneDrive cloud storage for data protection reasons, OneNote can only be used to a limited extent.

Notebooks can only be stored and used locally (or on a network drive) with the OneNote that is installed as part of the university's downloaded Office package.

Employees: Store your notebooks on a network drive. Offline use is possible. Synchronization takes place the next time you connect to the notebook location (directly on the university network or via eduVPN).

Students: If you want to use OneNote on various devices, you have to log in with a private Microsoft account and use the OneNote notebook there.

FAQ - Data privacy and security

Is Microsoft 365 secure as a service?

Microsoft has comprehensive security certifications. However, there is no such thing as 100% security.

Customer data is at rest in the EU and Microsoft has a BSI C5 certification that would even allow federal agencies to use it in appropriate cases.

https://news.microsoft.com/de-de/microsoft-erfuellt-den-anforderungskatalog-cloud-computing-c5-des-bsi-fuer-mehr-als-100-seiner-weltweiten-rechenzentren/

Is personal data transmitted to Microsoft during use?

Yes, personal data from our local user directory is transferred to Microsoft in order to use the services. A corresponding examination by our data protection officer has taken place in advance. Information on this can be found on our data protection pages: https://www.uni-erfurt.de/universitaet/datenschutz/im-buero/microsoft-365. The software and services are used in accordance with the current version of the Product Terms (PTs), the Online Services Terms (OSTs) and the Data Protection Addendum for Online Services (DPA). These can be viewed at https://www.microsoft.com/de-de/licensing/product-licensing/products.aspx .

How is the collected data used?

The personal data is used to verify license eligibility for Windows, Office, and other Microsoft services. This is necessary due to Microsoft licensing regulations.

Does Microsoft 365 encrypt your data?

Microsoft 365 uses service-side technologies that encrypt customer data at rest and in transit. For Customer data at rest, Microsoft 365 uses encryption at the volume level and at the file level. For Customer data in transit, Microsoft 365 uses multiple encryption technologies for communications between data centers and between clients and servers, such as TLS (Transport Layer Security) and IPSec (Internet Protocol Security). Microsoft 365 also includes customer-managed encryption capabilities.

Is Microsoft accessing your data?

Microsoft automates most Microsoft 365 operations while reducing its own access to customer data. This allows Microsoft to manage Microsoft 365 to the extent necessary and more easily reduce the risks of internal threats to customer data. By default, Microsoft technicians do not have permanent administrative privileges or access to customer data in Microsoft 365. A Microsoft technician may have limited and logged access to customer data for a limited period of time, but only as required for normal service operations and only if approved by a member of senior management at Microsoft.

Where does Microsoft store my identity data?

Excerpt from Microsoft documentation:

"Identity data is stored by Azure AD in a geographic location based on the address your organization provided when subscribing to a Microsoft online service such as Microsoft 365 and Azure. For information about where your identity data is stored, see the "Where we store your data" section in the Microsoft Trust Center.

Azure AD stores most identity data from customers who have provided an address in Europe in European data centers."

https://docs.microsoft.com/de-de/azure/active-directory/fundamentals/active-directory-data-storage-eu

Azure Active Directory (Azure AD) = Microsoft's directory service to which user data is synchronized.

May personal data be processed at all by Microsoft, a US corporation?

Yes, as long as Microsoft provides legally appropriate safeguards. Microsoft processes the data as a processor bound by instructions for the provision of the service, including further development and support. Guarantees are in place with standard contractual clauses and additional measures. Residual risks have been assumed by the university management.

Can the university's Microsoft account be deleted?

The Microsoft account will be deleted together with the university account after the person concerned has left the university. Any existing customer content remains stored by Microsoft for a maximum of 30 days. Personal identification data (e.g. user name or e-mail address) will be deleted after 180 days at the latest.

What measures have been taken for even more data protection?

Login

To make logging in more secure, multi-factor authentication (MFA), also called multi-level authentication, is enabled for all users. If you log in to a centrally managed device and use only the M365 apps, no second authentication is required. A second authentication becomes necessary if you want to access other M365 web services that may be unlocked in the future or your business Microsoft account using a browser other than Microsoft Edge. This minimizes the risk of your account being misused.

Reduction of services

Services that are critical from a data protection perspective have been deactivated. Currently, only Microsoft 365 Apps for Enterprise (Office) can be used. Cloud storage services such as OneDrive and SharePoint are not active. A list of services and their status can be found here: Apps and services (from a privacy perspective)

Windows

If you are using a University managed device, then Windows diagnostic data is reduced to the lowest level "security".

Office

For the M365 apps, the diagnostic data has also been set to the data-saving "required" level. In addition, optional connected experiences and connected experiences that analyze content are disabled in Microsoft 365 Apps for Enterprise.

Connected experiences that download online content, on the other hand, can be used.

An overview of each of the affected features, can be found here: https://docs.microsoft.com/de-de/deployoffice/privacy/connected-experiences

Analytics

Services such as MyAnalytics, the Productivity Score, Delve, and Viva will not be made available.

How can I use Microsoft 365 even more securely?

Even though it is not mandatory for many users, because of the default settings and the (at least temporary) limitation to the M365 Apps for Enterprise, we recommend activating two-step verification (multi-factor authentication) at login and regularly examining your account activity.

Enable two-step verification (multi-factor authentication): https://mysignins.microsoft.com/security-info

Regular examination of your account activity: https://mysignins.microsoft.com

In addition, you can later (should data storage be allowed in the future) use Cryptomator or Veracrypt, for example, to additionally secure particularly sensitive data against unauthorized access.

How do I use the OpenOTP Token app for multi-factor authentication?

  1. If you are asked to provide additional information to protect your account after the M365 login (Figure 1), you have the option to click on the link "I want to use another authenticator app" in the next dialog (Figure 2).
  2. You will then be prompted to add a new account in your app (Figure 3). If you do not have the "OpenOTP Token" app installed on your smartphone yet, you can install it from the app store for Android or iOS.
  3. When you click on "Next" you will see a QR code, which you can use to add your M365 account to the "OpenOTP Token" app (Figure 4).
  4. Launch the "OpenOTP Token" app on your smartphone and tap on the camera icon (Figure 5), grant the necessary permissions and scan the displayed QR code.
  5. After scanning the QR code, you will receive a corresponding success message (Figure 6) and your M365 account will appear in the app (Figure 7: example account from the manufacturer).
  6. Click "Next" and you will be prompted to enter the first code (Figure 8).
  7. Select your account in the app and the current one-time password (OTP) will be displayed. This password changes every 30 seconds (Figure 9: example account from the manufacturer).
  8. Enter the code and confirm with "Next" (Figure 10).
  9. Complete the MFA setup by clicking on "Done" (Figure 11).
[Figures 1 to 11: screenshots of the OpenOTP Token enrollment steps described above]

How do I use the Microsoft Authenticator app for multi-factor authentication?

  1. If you are asked to enter additional information to protect your account after the M365 login (Figure 1), you will be offered the "Microsoft Authenticator" app directly for use in the next dialog (Figure 2). In addition to helpful information about the app, the "Download now" link also takes you to the download links for the two app stores (Android, iOS).
  2. Click "Next" and you will be prompted to set up your account in the "Microsoft Authenticator" app (Figure 3).
  3. Install the app on your smartphone (if you haven't already).
  4. Launch the app and add your account using the + on the app's home page (Figure 4).
  5. In the next step, select "Business or school account" (Figure 5) and then "Scan QR code" (Figure 6).
  6. In the MFA setup dialog box, click "Next" (Figure 3) and scan the displayed QR code (Figure 7) with the app.
  7. Your M365 account then appears in the app (Figure 8).
  8. Click "Next" in the MFA setup dialog box (Figure 7).
  9. The next window will test the authentication (Figure 9).
  10. Shortly after, a notification should open on your smartphone with the number displayed in the previous window (Figure 10).
  11. Enter the number on your smartphone and confirm with "YES".
  12. With the success message (Figure 11), the multi-factor authentication setup is complete.
[Figures 1 to 11: screenshots of the Microsoft Authenticator enrollment steps described above]

Where is the data for multi-factor authentication stored and processed?

With cloud-based Azure AD Multi-Factor Authentication, authentication takes place in the data center closest to the user's location. Azure AD Multi-Factor Authentication data centers are located in North America, Europe, and Asia Pacific.

  • Multi-Factor Authentication phone calls originate from data centers in the customer's region and are routed from global carriers.
  • Multi-Factor Authentication with SMS is routed from global carriers.
  • Multi-Factor Authentication requests that use Microsoft Authenticator App push notifications from European data centers are processed in European data centers.
  • Device and vendor-specific services, such as Apple push notifications, may be located outside of Europe.
  • Multi-Factor Authentication requests using OATH codes (time-based one-time passwords (TOTP), as generated for example by the smartphone app "OpenOTP Token") originating from European data centers are verified in Europe.

https://docs.microsoft.com/de-de/azure/active-directory/fundamentals/active-directory-data-storage-eu

Azure Active Directory (Azure AD) = Microsoft directory service to which user data is synchronized.

OATH = Initiative for Open Authentication

TOTP = Time-based One-time Password

What privacy-friendly alternatives are there to Microsoft 365?