Microsoft 365

Under the leadership of the UniRZ of the TU Ilmenau, all Thuringian universities have joined the new "Microsoft Campus and School Subscription Framework Agreement" between the Leibniz Computing Center (LRZ) of the Bavarian Academy of Sciences and the company Microsoft Ireland Operations Limited as part of the work of the University IT Center of the Thuringian Universities.

This so-called Federal Contract 3.0 is seen by Microsoft as a hybrid contract for the transition to the cloud. For users of Microsoft products, this means that licensing will in future be personalized and no longer by license key (KMS activation). The prerequisite for the official use of Microsoft products will therefore be registration as a user in the new Microsoft Tenant of the University of Erfurt.

Employees and students of the University of Erfurt are entitled to a license according to §21, paragraph 1, ThürHG.

The software and services are to be used exclusively for study-related or official purposes or for student or official projects.

Use for commercial or private purposes is not provided for in the license terms. Only personal, non-transferable licenses are provided. Users are only entitled to use the software and services during the licensed period. To use the services, personal data from our local user directory will be transferred to Microsoft.

If the University of Erfurt terminates the contract or does not submit an accession or renewal order before the end of the licensed period or does not acquire licenses for an unlimited period, the services can no longer be used.

Use of the offer

The software and services are used in accordance with the current version of the Product Provisions (PT), the Online Services Provisions (OST) and the Data Protection Addendum for Online Services (DPA).

These are available at https://www.microsoft.com/de-de/licensing/product-licensing/products.aspx.

Use of the Software and Services is also subject to the terms of the Campus and School Agreement (CASA), including but not limited to limitations of liability, disclaimer of warranties, and exclusion of remedies and claims.

Use requires status as a student or employee of the University of Erfurt and registration with Microsoft.

The software is offered in the form of a subscription and gives users the option of installing the Office products on any number of devices (official and private; Windows, Macintosh) for use, for official purposes. Simultaneous login to Office with the M365 account is limited to a maximum of 5 devices. Cloud services, such as OneDrive, Teams, Planner, etc. are included in this offer. However, the University of Erfurt reserves the right to offer users only a selection of software and services or to restrict individual functions of the software and services. The use of individual software and services is regulated in detail by usage guidelines.

https://www.uni-erfurt.de/universitaetsrechen-und-medienzentrum/ueber-uns/richtlinien/regeln/spezielle-nutzungsrichtlinien

Microsoft Workplace Discount Program:

Through the Microsoft Workplace Discount Program, you have the opportunity to receive low prices on select Microsoft365 subscriptions and Surface devices and accessories.

https://www.microsoft.com/de-de/workplace-discount-program

Data protection

You can find information about data protection in the draft here: https://www.uni-erfurt.de/universitaet/datenschutz/im-buero/microsoft-365.

Other questions?

m365@uni-erfurt.de

The familiar Office programs Word, Excel, Power Point, Outlook, OneNote, Access and Publisher are installed locally on the devices as Microsoft 365 Apps for Enterprise.

An individual Microsoft account (business account) of the university is required to activate the software. Registration and license allocation is carried out centrally by the URMZ. All employees are automatically provided with a license. At least every 30 days, this account and an existing Internet connection are used to check whether a valid license is still available. If your computer is taken offline for more than 30 days, Microsoft 365 apps will switch to reduced functionality mode until the next time it can connect.

The user name of the business account corresponds to your business e-mail address. The password corresponds to that of your university account.

For Windows devices centrally managed by the University Computer and Media Center (URMZ), the business account is automatically created in Windows and used to log in to Microsoft 365 Apps for Enterprise. Microsoft 365 Apps for Enterprise is installed automatically via distribution.

Self-administrators obtain the software through their Microsoft Account page: https://myaccount.microsoft.com

Work account in Microsoft Edge browser

When Edge is started for the first time with a work account active in Windows, the desired synchronization settings are queried (Figure 1).

Here, by clicking on "Synchronize", the user has the possibility to synchronize the preset areas (favorites, settings and collections) with M365, so that they are available on any device where a login is made with the same account. By clicking on "Customize" the areas to be synchronized can be adjusted and by clicking on "No thanks" the synchronization can be completely denied.

Sensitive areas such as passwords, history or contents of form fields are not synchronized and cannot be activated (Figure 2).

available Microsoft 365 apps & services

The available Microsoft 365 apps and services are severely restricted for privacy reasons and technical reasons. An overview and corresponding notes can be found below: Apps and services (from a privacy perspective)

Microsoft 365 Apps for Enterprise versions and updates

The version of Microsoft 365 Apps for Enterprise provided by the University of Erfurt follows the semi-annual enterprise channel. This means that Microsoft 365 Apps for Enterprise will get feature updates twice a year (second Tuesday in January and July). Bug fixes and security updates will be provided monthly (second Tuesday) as usual. All updates are installed automatically in the background. If any applications are open, you will be notified that they need to be closed. Please note that for devices centrally managed by the URMZ, the release of updates is done in waves and therefore delayed by a few days to minimize any possible negative impact in case of problems.

The version designation follows the scheme year+month of release (e.g. 2208). On the following linked release notes page, a distinction is made between the individual versions, as several latest versions are supported.

The release notes for new features, resolved issues, and security updates can be found here: https://learn.microsoft.com/en-us/officeupdates/semi-annual-enterprise-channel

In Microsoft 365 Apps, you can find the version and update information under File -> Account (or Office Account). You can check for updates manually at any time via Update options -> Update now and update the Microsoft 365 Apps if necessary.

Registration and first login to Microsoft 365

Students can register for Microsoft 365 here: https://idmweb.uni-erfurt.de/m365

ATTENTION: When registering, the user name and password must be entered, which is also used for ELVIS, for example - NOT the e-mail address!

After successful registration, you can log in to your M365 account page with your university email address and your university account password (not mail password!): https://myaccount.microsoft.com

During the initial login, you will be prompted to set up measures for additional security (multi-factor authentication (MFA)). This is a second personal factor of authentication that is checked in addition to the authentication with email address and password. You can use the suggested Authenticator app from Microsoft Android iOS (see also FAQ) or any alternative Authenticator app such as the DSGVO compliant app "OpenOTP Token" Android iOS from the manufacturer RCDevs Security (see also FAQ).

Instead of an app for the second factor, you can also specify a phone number, to which you will then receive a phone call or an SMS, depending on your selection. These methods are possible, but not recommended. There is a higher level of security when using an app.

The various methods for logging in can be managed via https://mysignins.microsoft.com/security-info.

Office Download

If you have logged in at https://myaccount.microsoft.com, you can download Microsoft 365 Apps for Enterprise (Office) from the "Office Apps" section. If you click on "Install Office", an installation program is downloaded, which is adapted to the installed operating system and the language set there. If you click on "Show apps and devices", you can select the language and whether you want the 32- or 64-bit version of the installation package before the download.

Alternatively to the download, you can also log in to an already (pre-)installed Office 365 / Microsoft 365 Apps for Enterprise on your device with your M365 account (business account).

Enrollment and regular activation of Microsoft 365 Apps for Enterprise (Office).

The first time you start one of the installed M365 Apps for Enterprise, you need to log in with your M365 account for Office activation (Figure 1, 2 and 3). In the following dialog (Figure 4), uncheck the box "Allow my organization to manage my device" and click "No, only log in to this app". Important: Do NOT click on "OK." This would create their M365 account on Windows as a business account and register their device in the Microsoft 365 directory service (Azure Active Directory) at the University of Erfurt and store data from the device at Microsoft - possibly in third countries.

Subsequently, the license agreement must be accepted (Figure 5) and the desired standard file types (Office Open XML formats or OpenDocument formats) must be selected (Figure 6). Finally, a restart of the just opened Microsof 365 Apps is necessary (Figure 7).

A reactivation of the M365 Apps takes place regularly in the background. This checks whether a corresponding license is still assigned to your M365 account. For this, the device must be regularly connected to the Internet. If the computer is offline for more than 30 days, Microsoft 365 Apps switches to the mode with limited functionality until the next time a connection can be established.

Microsoft 365 Apps and Services available

The available Microsoft 365 apps and services are severely limited for data protection reasons and technical reasons. An overview and corresponding notes can be found below: Apps and services (from a privacy perspective)

Microsoft 365 Apps for Enterprise versions and updates

The version of Microsoft 365 Apps for Enterprise provided by the University of Erfurt follows the semi-annual enterprise channel. This means that Microsoft 365 Apps for Enterprise will get feature updates twice a year (second Tuesday in January and July). Bug fixes and security updates will be provided monthly (second Tuesday) as usual. All updates are installed automatically in the background. If any applications are open, you will be notified that they need to be closed.

The version designation follows the scheme year+month of release (e.g. 2208). On the following linked page with the release notes, a distinction is made between the individual versions, since several latest versions are supported.

The release notes for new features, resolved issues and security updates can be found here: https://learn.microsoft.com/en-us/officeupdates/semi-annual-enterprise-channel

In Microsoft 365 Apps, you can find the version and update information under File -> Account (or Office Account). You can check for updates manually at any time via Update options -> Update now and update the Microsoft 365 Apps if necessary.

• Microsoft Business Account

  • Description: your university identity at Microsoft

  • More info: What is Azure Active Directory?

  • Measures or control options: https://myaccount.microsoft.com

• Windows 10 Enterprise

  • Description: Operating system

  • Further information: Windows diagnostic events and fields.

  • Measures or control options: Data sparse level (Required) set for diagnostic data. Diagnostic data display overview

• Microsoft Defender Antivirus

  • Description: Malware protection

  • Further information: Data storage and data protection

  • Measures or control options: Currently not used. Uni standard is currently Sophos

• Microsoft Edge

  • Description: Browser

  • Further information: Documentation for Microsoft Edge

  • Measures or control options: Alternative browsers such as Mozilla Firefox or Google Chrome. Furthermore this whitepaper

• Microsoft 365 Apps for Enterprise (Office)

  • Description: Office desktop applications

  • Further information: Essential services for Office Diagnostic data required for Office Optional diagnostic data for Office.

  • Measures or controls: Data sparse level (required) set for diagnostic data. Using the diagnostic data display with Office Alternative: OnlyOffice integrated in the DFN cloud, LibreOffice

• Office Addin Store

  • Description: Extensions for Microsoft Office

  • Further information: Platform overview for Office add-ins

  • Measures or control options: Currently deactivated for data protection reasons.

• Office Mobile Apps

  • Description: Office applications for iOS and Android

  • Further information: Essential services for Office Diagnostic data required for Office Optional diagnostic data for Office.

  • Measures or control options: Data sparse level (required) set for diagnostic data. Using the diagnostic data display with Office

• Office for the Web

  • Description: Web applications for Microsoft Office

  • further information: Office for the Web - Service description

  • Measures or control options: Currently deactivated for data protection reasons.

• Office - Connected experiences

  • Description: Office consists of client software applications and connected experiences that enable you to create, communicate, and collaborate more effectively.

  • More info: Service data required for Office Connected experience in Office

  • Measures or controls: The use of connected experiences that analyze content is not possible for data protection reasons. The use of connected experiences that download online content is possible.

• Office - Optional Connected Experiences

  • Description: Services outside of the Microsoft 365 offering, such as services from Bing or LinkedIn.

  • More info: Service data required for Office Overview of optional connected experiences in Office

  • Measures or control options: Currently disabled for data protection reasons.

• Teams

  • Description: The customizable, chat-based team workspace in Office 365.

  • Further information: Microsoft Teams Help

  • Measures or control options: Deactivated for data protection reasons. Alternative: Cisco Webex (formerly Webex Teams) currently in use at the University of Erfurt.

• OneDrive

  • Description: Store, share and access your files in a central location.

  • Further information: OneDrive Help and Learning

  • Measures or control options: Deactivated for data protection reasons. Alternative for employees and teachers: DFN-Cloud of the University of Erfurt (hosted at the FU Berlin).

• SharePoint in Microsoft 365

  • Description: A cloud-based service hosted by Microsoft and offered to companies of all sizes. Company employees can create sites to share documents and information with colleagues, partners and customers.

  • more info: What is SharePoint?

  • Measures or control options: Disabled for data protection reasons. Alternative: Use the established SharePoint service hosted by TU Ilmenau.

• Project Online

  • Description: Develop project plans, assign tasks, track status and manage budgets.

  • more info: Project - Help & Learn

  • Measures or control options: Disabled for privacy reasons. Offline alternatives: free ProjectLibreorpaid classic Microsoft Project(softdist@uni-erfurt.de)

• Visio Online

  • Description: Simplify and convey complex information visually .

  • Further information: Visio - Help and learning

  • Measures or control options: Deactivated for data protection reasons. Offline alternatives: free yEd - graph editororpaid classic Microsoft Visio(softdist@uni-erfurt.de)

• Other M365 services and tools

  • Forms, Lists, Planner, Stream, To Do, Whiteboard, Booking, Delve, Dynamics 365, Exchange Online, MyAnalytics, Education Analytics, Power Apps, Power Automate, Power BI, Power Virtual Agents, School Data Sync, StaffHub, Sway, Kaizala, Viva Learning, Skype for Business, and Yammer are not available for data protection and technical reasons.

Basically, you should first log out of Office if you are still logged in with the account from the old tenant (@TechnischeUnivers049.onmicrosoft.com). In Windows, you should also check whether the business account from the old tenant is still present under "Windows Settings" -> "Accounts" -> "Access work or school account" and remove this as well (Figure 1) before logging into Microsoft 365 Apps (Office) with the M365 account from the new tenant (@uni-erfurt.de).

If logging in with the new account still does not work, you can try to uninstall the Microsoft 365 Apps for Enterprise or Office 365 (depending on the existing version) and install the Office installation package from the new tenant. To do this, log in to https://myaccount.microsoft.com with your ...@uni-erfurt.de email address, download the Office apps and install them (Figure 2).

Mac

Creating or editing Office files on the Mac is not possible (Figure 3):

• Please check whether the activation is still to be performed in the home screen of the respective Office application (Figure 4).
• If this does not help either, please follow the instructions on the following website: https://learn.microsoft.com/en-us/office/troubleshoot/activation/another-account-already-signed-in

You will get a message on the Mac that another account from your organization is already logged in:

• Please follow the instructions on the following website: https://learn.microsoft.com/en-us/office/troubleshoot/activation/another-account-already-signed-in

The login on a Mac always fails because the account of the old tenant (@TechnischeUnivers049.onmicrosoft.com) still exists:

• Please follow the instructions on the following website to remove the license data: https://support.microsoft.com/en-us/office/how-to-remove-office-license-files-on-a-mac-b032c0f6-a431-4dad-83a9-6b727c03b193

Windows

You cannot log in with your Uni-Erfurt Microsoft 365 account and receive an error message in which the old account (@technischeunivers049.onmicrosoft.com) appears.

1. If the account "...@technischeunivers049.onmicrosoft.com" can still be found under "Accounts" -> "Access work or school account" in the Windows settings, please click on "Disconnect".
2. Please download the Microsoft-Support and Recovery Assistant: https://aka.ms/SaRA_EnterpriseVersionFiles
3. Then unpack the ZIP file (Figure 1).
4. Copy the complete path to the unzipped file "SaRACmd.exe" -> hold down the Shift key and right-click on the file (Figure 2).
5. Open a command prompt as administrator (Figure 3) and paste the path to the "SaRACmd.exe" file copied in the previous step (Ctrl+V). Add the character string " -S ResetOfficeActivation -AcceptEula -CloseOffice" (without quotation marks and there must be a space between .exe and -S) and press Enter (Figure 4).
   Example: "C:\temp\SaRACmd_17_01_0495_021\SaRACmd.exe" -S ResetOfficeActivation -AcceptEula -CloseOffice
6. After the command has been executed successfully, you can try to open Word, for example, and log in again.

If you have any problems executing the above instructions, please come to the service desk in the KIZ during opening hours.

Essentially, the entry into force of the Federal Agreement 3.0 merely changes the license model from the previous device-related licenses to person-related licenses. Each user must now be assigned a personal license. In addition, the new Office version (Microsoft 365 Apps for Enterprise) must be installed on all business devices.

A license is initially granted to full-time employees and students of the University of Erfurt (according to §21, paragraph 1, ThürHG). For further inquiries, please contact the University Computer and Media Center (URMZ)- softdist@uni-erfurt.de.

The registration of all employees in the new Microsoft client of the University of Erfurt as well as the license assignment of the individual Microsoft products is carried out centrally by the URMZ. The employees do not have to do anything to continue using the Microsoft products. The installation on supervised devices is carried out centrally via a distribution of the University Computer and Media Center (URMZ). This will be done on a departmental basis, starting in November 2022 at the earliest, and will also involve installing a newer version of Office (Microsoft 365 Apps for Enterprise) on the devices. The interface will change only slightly; functionalities, e.g. in Excel, Word, etc., will remain the same, and new functions will be added in some cases.

Employees who administer their devices themselves can install Microsoft 365 Apps for Enterprise via their Microsoft account at https://myaccount.microsoft.com herunterladen.

Registration for students is available at https://idmweb.uni-erfurt.de/m365.

Responsibility for official data lies with the university. The university must comply with numerous regulations, such as archiving law, data protection law, budgetary law, and tax law. The necessary control is only possible with the Campus and School Agreement from Microsoft. In addition, in the case of a personal Microsoft account, the contract exists only between you and Microsoft. The Microsoft Campus and School Agreement has been concluded by the university.

The Microsoft license change affects all Microsoft products. The products that were previously available at the University of Erfurt (Windows, Office (Word, Excel, PowerPoint, etc.)) will continue to be made available.

All users have one license that entitles them to use Windows and Office (Microsoft 365 Apps for Enterprise). This allows them to install Microsoft 365 Apps for Enterprise on all their devices and to be logged into Microsoft 365 Apps for Enterprise on five devices at the same time. Windows 10/11 Enterprise may be installed on up to five devices per user.

With Microsoft 365, users can install Office on all their devices and be logged in to Office on five devices simultaneously (in the office and/or home office). Please remember that installation on private devices is only permitted for business or study-related purposes!

No. The software and services are to be used exclusively for study-related or official purposes or for student or official projects. Use for commercial or private purposes is not provided for in the license terms. Only personal, non-transferable licenses are provided. Users are also only entitled to use the software and services during the licensed period.

However, through the Microsoft Workplace Discount Program (formerly known as the Home Use Program), you may receive discounted pricing on select Microsoft365 subscriptions and Surface devices and accessories.

The University does not currently offer the ability to use the Office Add-In Store because the required "optional connected experiences" cannot be enabled.

The deactivation exists for the following reasons:

Unlike the enabled "connected experiences," there is currently no agreement in place between the Free State of Thuringia and Microsoft for commissioned data processing. In addition, the use of each add-in would have to be examined individually for data protection concerns and the University of Erfurt's data protection officer would have to be given the opportunity to comment.

This would also require a regular review of the service with a particular focus on barrier-free access, data protection, information security and licensing law in the event of changes/extensions to an add-in.

Some features in the M365 apps, such as dictation, are not available for data protection reasons. The optional connected experiences required for this as well as the connected experiences that analyze content have been disabled in Microsoft 365 Apps for Enterprise.

The use of connected experiences that download online content, on the other hand, can be used.

An overview of the individual affected features, can be found here: https://docs.microsoft.com/de-de/deployoffice/privacy/connected-experiences

Due to the deactivated OneDrive cloud storage for data protection reasons, OneNote can only be used to a limited extent.

Only with the installed OneNote from the downloaded office package of the university, the notebooks can be stored and used locally (or on a network drive) (under Microsoft Windows). On a Mac or iPad it is not possible to use OneNote, because a Microsoft cloud storage is mandatory for this. However, this is deactivated in the M365 tenant of the University of Erfurt for data protection reasons.

Employees: Place their notebooks on a network drive. Offline use is possible. Synchronization takes place the next time you connect to the notebook location (directly on the university network or via eduVPN).

Students: If you want to use OneNote on various devices, you have to log in with a private Microsoft accountand use the OneNote notebook there.

Due to the uninstallation of the old Office version and the complete reinstallation of the Microsoft 365 apps, the integration of the Citavi add-in is missing. However, this can be restored in a few steps:

1. Open the "Apps" section in Windows Settings and select Citavi 6 under "Apps and Features" and click "Change" (Figure 1).
2. Select "Custom" and click "Next" (Figure 2).
3. Leave the preselection and click "Next" (Figure 3).
4. Click on "Install" (Figure 4).
5. Click on "Finish" (Figure 5).
6. The next time you start Word, the Citavi add-in will be available again (Figure 6).

Information on versions and updates can be found here, in each case in the section "Microsoft 365 Apps for Enterprise versions and updates":

Employees

Students

Microsoft has comprehensive security certifications. However, there is no such thing as 100% security.

Customer data is at rest in the EU and Microsoft has a BSI C5 certification that would even allow federal agencies to use it in appropriate cases.

https://news.microsoft.com/de-de/microsoft-erfuellt-den-anforderungskatalog-cloud-computing-c5-des-bsi-fuer-mehr-als-100-seiner-weltweiten-rechenzentren/

Yes, personal data from our local user directory is transferred to Microsoft in order to use the services. A corresponding examination by our data protection officer has taken place in advance. Information on this can be found on our data protection pages: https://www.uni-erfurt.de/universitaet/datenschutz/im-buero/microsoft-365. The software and services are used in accordance with the current version of the Product Terms (PTs), the Online Services Terms (OSTs) and the Data Protection Addendum for Online Services (DPA). These can be viewed at https://www.microsoft.com/de-de/licensing/product-licensing/products.aspx .

The personal data is used to verify license eligibility for Windows, Office, and other Microsoft services. This is necessary due to Microsoft licensing regulations.

Microsoft 365 uses service-side technologies that encrypt customer data at rest and in transit. For Customer data at rest, Microsoft 365 uses encryption at the volume level and at the file level. For Customer data in transit, Microsoft 365 uses multiple encryption technologies for communications between data centers and between clients and servers, such as TLS (Transport Layer Security) and IPSec (Internet Protocol Security). Microsoft 365 also includes customer-managed encryption capabilities.

Microsoft automates most Microsoft 365 operations while reducing its own access to customer data. This allows Microsoft to manage Microsoft 365 to the extent necessary and more easily reduce the risks of internal threats to customer data. By default, Microsoft technicians do not have permanent administrative privileges or access to customer data in Microsoft 365. A Microsoft technician may have limited and logged access to customer data for a limited period of time, but only as required for normal service operations and only if approved by a member of senior management at Microsoft.

Excerpt from Microsoft documentation:

"Identity data is stored by Azure AD in a geographic location based on the address your organization provided when subscribing to a Microsoft online service such as Microsoft 365 and Azure. For information about where your identity data is stored, see the "Where we store your data" section in the Microsoft Trust Center.

Azure AD stores most identity data from customers who have provided an address in Europe in European data centers."

https://docs.microsoft.com/de-de/azure/active-directory/fundamentals/active-directory-data-storage-eu

Azure Active Directory (Azure AD) = Microsoft's directory service to which user data is synchronized.

Yes, as long as Microsoft provides legally appropriate safeguards. Microsoft processes the data as a processor bound by instructions for the provision of the service, including further development and support. Guarantees are in place with standard contractual clauses and additional measures. Residual risks have been assumed by the university management.

The Microsoft account will be deleted together with the university account after the person concerned has left the university. Any existing customer content remains stored by Microsoft for a maximum of 30 days. Personal identification data (e.g. user name or e-mail address) will be deleted after 180 days at the latest.

Login

To make logging in more secure, multi-factor authentication (MFA), also called multi-level authentication, is enabled for all users. If you log in to a centrally managed device and use only the M365 apps, no second authentication is required. A second authentication becomes necessary if you want to access other M365 web services that may be unlocked in the future or your business Microsoft account using a browser other than Microsoft Edge. This minimizes the risk of your account being misused.

Reduction of services

Services that are critical from a data protection perspective have been deactivated. Currently, only Microsoft 365 Apps for Enterprise (Office) can be used. Cloud storage services such as OneDrive and SharePoint are not active. A list of services and their status can be found here: Apps and services (from a privacy perspective)

Windows

If you are using a University managed device, then Windows diagnostic data is reduced to the data-saving level "Required".

Office

For the M365 apps, the diagnostic data has also been set to the data-saving "Required" level. In addition, optional connected experiences and connected experiences that analyze content are disabled in Microsoft 365 Apps for Enterprise.

Connected experiences that download online content, on the other hand, can be used.

An overview of each of the affected features, can be found here: https://docs.microsoft.com/de-de/deployoffice/privacy/connected-experiences

Analytics

Services such as MyAnalytics, the Productivity Score, Delve, and Viva will not be made available.

Even though for many it is not mandatory due to the default settings and the, at least temporary, limitation to the M365 Apps for Enterpise, we recommend activating the two-step verification (multi-factor authentication) at login and a regular examination of your account activity.

Enable two-step verification (multi-factor authentication): https://mysignins.microsoft.com/security-info

Regular examination of your account activity: https://mysignins.microsoft.com

In addition, you can later (should data storage be allowed in the future) use Cryptomator or Veracrypt, for example, to additionally secure particularly sensitive data against unauthorized access.

1. If you are asked to provide additional information to protect your account after the M365 login (Figure 1), you have the option to click on the link "I want to use another authenticator app" in the next dialog (Figure 2).
2. You will then be prompted to add a new account in your app (Figure 3). If you do not have the "OpenOTP Token" app installed on your smartphone yet, you can do so using one of these links: Android iOS
3. When you click on "Next" you will see a QR code, which you can use to add your M365 account to the "OpenOTP Token" app (image 4).
4. Launch the "OpenOTP Token" app on your smartphone and tap on the camera icon (Figure 5), grant appropriate necessary permissions and scan the displayed QR code.
5. After scanning the QR code, you will receive a corresponding success message (Figure 6) and your M365 account will appear in the app (Figure 7 - example account from the manufacturer).
6. Click "Next" and you will be prompted to enter the first code (Figure 8).
7. Select your account in the app and the current One-time password (OTP) will be displayed. This password changes every 30 seconds (Figure 9 - Manufacturer's example account).
8. Enter the code and confirm with "Next" (Figure 10).
9. Complete the MFA setup by clicking on "Done" (Figure 11).

1. If you are asked to enter additional information to protect your account after the M365 login (Figure 1), you will be offered the "Microsoft Authenticator" app directly for use in the next dialog (Figure 2). In addition to helpful information about the app, the "Download now" link also takes you to the download links for the two app stores Android iOS .
2. Click "Next" and you will be prompted to set up your account in the "Microsoft Authenticator" app (Figure 3).
3. Install the app on your smartphone (if you haven't already).
4. Launch the app and add your account using the + on the app's home page (Figure 4).
5. In the next step, select "Business or school account" (image 5) and select "Scan QR code" (image 6).
6. In the MFA setup dialog box, click "Next" (Image 3) and scan the displayed QR code (Image 7) with the app.
7. Your M365 account then appears in the app (Figure 8).
8. Click "Next" in the MFA setup dialog box (Figure 7).
9. The next window will test the authentication (Figure 9).
10. Shortly after, a notification should open on your smartphone with the number displayed in the previous window (Figure 10).
11. Enter the number on your smartphone and confirm with "YES".
12. With the success message (Fig. 11), the multi-factor authentication setup is complete.

With cloud-based Azure AD Multi-Factor Authentication, authentication takes place in the data center closest to the user's location. Azure AD Multi-Factor Authentication data centers are located in North America, Europe, and Asia Pacific.

• Multi-Factor Authentication phone calls originate from data centers in the customer's region and are routed from global carriers.
• Multi-Factor Authentication with SMS is routed from global carriers.
• Multi-Factor Authentication requests that use Microsoft Authenticator App push notifications from European data centers are processed in European data centers.
• Device and vendor-specific services, such as Apple push notifications, may be located outside of Europe.
• Multi-Factor Authentication requests using OATH codes (for temporary one-time passwords (TOTP) such as when using the smartphone app "OpenOTP Token") originating from European data centers are verified in Europe.

https://docs.microsoft.com/de-de/azure/active-directory/fundamentals/active-directory-data-storage-eu

Azure Active Directory (Azure AD) = Microsoft directory service to which user data is synchronized.

OATH = Initiative for Open Authentication

TOTP = Time-based One-time Password

See notes at the individual apps and servicesor https://www.uni-erfurt.de/universitaet/datenschutz/im-buero/microsoft-365.

Basic information on versions and updates of Microsoft 365 Apps for Enterprise at the University of Erfurt can be found here.

• Notes for employees
• Notes for students

The functions listed below are relevant to our configuration of Microsoft 365 Apps for Enterprise. However, this is only a part of all the new functions. The complete overview can be found here: New features in Microsoft 365 Apps for Enterprise version 2308

Access

• Enable the ability to code sign your Microsoft Access database and VBA code: This update enables the Tools/Digital Signature command within the VBA (Visual Basic for Applications) IDE (Integrated Development Environment) for current Microsoft Access database formats. Signing a database will allow VBA code in the database to be run even if Trust Center settings specify that only digitally signed code should be enabled.

Excel

• Faster filtering when cells contain unique or duplicate rules: When your workbook contains many unique or duplicate conditional formatting rules, it can often slow down the app’s performance. No longer! By optimizing the underlying comparison algorithm, we’ve enhanced the performance and sped up the filtering process.
• Reducing slowness and freezes when multiple workbooks are open: This feature reduces slowness and freezes experienced when working in a workbook due to calculations occurring in other unrelated workbooks also open at the same time and in the same Excel.exe instance. It achieves this by optimizing global automatic recalculation to the workbook being worked in, and its interdependent workbooks also open at the same time.
  See details in blog post
• Blocking XLL add-ins from the Internet: To address the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the Internet.
  See details in blog post

The features listed below are relevant in our configuration of Microsoft 365 Apps for Enterprise. However, this is only a part of all the new features. The complete overview can be found here: New functions in Microsoft 365 Apps for Enterprise version 2302

Excel

• Improvements to the touch input of the ribbon: The spacing of the buttons in the ribbon has been improved when using the device in tablet state.
• Fourteen new text and array functions: Use fourteen powerful new functions to easily split your text and rearrange your data. Try using TEXTSPLIT to split your text or VSTACK to combine multiple arrays.
  • See the blog post for more detailed information.
• Reduce unwanted fragmentation rules for conditional formatting: See improved performance and faster calculations when applying conditional formatting rules to cells. This has been done by reducing fragmentation of data when pasting copied cells into that cell range.
• Speed up filtering if your workbook contains many conditional formatting rules: If your workbook contains many conditional formatting rules, this can slow down the application of a filter such as a colour filter. This has become unnecessary! By optimising the underlying data structure, the filtering process has been sped up.
• Speed up formula entry: Excel has significantly sped up entering a formula into a cell by reducing memory usage, using allocated memory more efficiently and optimising redrawing. These optimisations are noticeable on devices with slower memory or slower CPU memory throughput, and with larger cell ranges.
• Paste copy is more efficient: Copy/paste now uses an index-based search instead of a linear check for optimal merging. The optimisations are particularly noticeable on low-end devices with limited hardware.
• PivotTable overlap improvements: The user experience has been improved when PivotTables overlap other content in your workbook.

Outlook

• New vertical navigation bar in Outlook: The new bar provides quick access to the different Outlook areas as well as other Office apps.
• Find events in your calendar faster than ever before: Improvements to Calendar Search make it faster and easier to find events, such as the next occurrence of a series.

PowerPoint

• Menu ribbon touch input improvements: Improved spacing of buttons in the menu ribbon when using the device in tablet state.
• Record videos with comments: Make your next presentation more dynamic with pre-recorded videos and comments. Or record the entire presentation in advance to ensure smooth delivery on presentation day.
  • More information
  • For more detailed information, see the blog post.
• Save media with subtitles: Now when you save media to a file in PowerPoint, the subtitles associated with the media are also saved.
• You can find more detailed information in the blog post.

Word

• Improvements to the touch input of the ribbon: The spacing of the buttons in the ribbon has been improved when the device is used in tablet status.
• More natural voice options for Read Aloud: Try a new, more natural-sounding voice on the Read Aloud toolbar.
  • More information
  • For more detailed information, see the blog post.

Office Suite

• Add SketchUp files to Office creations: SketchUp is a popular 3D graphics programme that allows you to easily create shareable concept designs, such as fully textured architectural models and other graphics used in industrial design, product design, and civil and mechanical engineering. Now, for the first time, SketchUp graphics (SKP files) can be integrated into your creations in Word, Excel, PowerPoint and Outlook!
  • For more detailed information, see the blog post.