office 365

Security & Privacy Life Hack: advantages of a personal mail alias

Table of Contents

Introduction

You’ve probably got one or more personal and professional mail addresses. Who doesn’t?

And you probably want to keep that mail address safe from spammers, scammers or data theft.

Althoug you primarily use mail to communicate (send/receive messages), many platforms also use your mail address for authentication.

Security remark: It’s not always the best option to use single sign-on with platforms like LinkedIn, Facebook, Microsoft Account, Google, …

What’s the security issue?

The main issue with single sign-on is: when your mail address is breached or hacked, the hacker can use the breached mailbox fairly easily to login to the linked platforms.

And from a practical point of view, if you use that single personal mail address to subscribe to newsletters or you use that mail address for downloads protected by a “registration” wall, you’ll quickly experience a mailbox overload because of ‘spam’, eh.. .sorry commercial messages you didn’t ask for.

Another issue is, you usually have only 1 (one) personal mail address available on your mail platform, certainly for enterprise systems, you can’t create other alternative mail addresses at free will. Unless you own the domain name, of course, but that’s rather possible for personal use or small companies…

And except for the mail overload, you’ll notice that many companies sell your mail address to address brokers. And even with the GDPR in place, many of these address brokers have bad habits to scrape mail addresses from the internet, incl. public sources, government sources…

So, the question is, how do you manage this, to protect your personal data, to protect mailbox overload and abuse of your mail address?

First option is using MFA to increase security and block illegal authentication.

But MFA does not stop mail abuse. The mail alias to the rescue!

Implementing the mail alias

What is a mail alias?

A mail alias is an alternative name for the master mailbox. Usually a mail alias is forwarding mail to the target mailbox.

In many cases, that mail alias can also be setup or used as a temporary name for the target mailbox. It’s pretty cumbersome or difficult to switch a master mailbox on or off when you need it.

Purchase a Custom domain name

The most interesting option is purchasing a custom domain name (by preference a short URL).

In most cases, local domain registrars can offer you a custom mail domain of choice for a few bucks a year. It’s worth the money, I promise. Further explanation below.

Just a practical hint: make sure to use a domain registrar that offers unlimited mail aliases.

When you control the mail domain, you can forward any mail alias of the custom domain to your mailbox (eg news@short.url to subscribe to newsletters and filter them in your mailbox in a subfolder for newsletters).

Furthermore, when you own a domain, you can enable/disable a mailbox or alias. Meaning: block mail reception without deleting the mail address (keep the address, but desactivate it.)

Using the “+” mail alias option

If purchasing a custom domain is not an option, you can check with your mail platform or mail administrator to use a “+” alias.

That’s format supported by the internet standards (RFC 5233: https://tools.ietf.org/html/rfc5233), that allows to extend a master mail address with receiver suffixes (BEFORE the @ sign), that still deliver the mail to the receiver. Google calls it “task based” variations of the mail address.

You’ll generally find it back on the internet as “+” aliases (“plus” aliases).

Some examples:

See the references section at the end of the article, for details how this “+” alias works for the well known mail platforms… Google, Microsoft, … and the major free mail providers support the plus-alias.

Using dummy or temporary addresses against spam and registration walls

I don’t know how you do it, but it frequently happens that I need to download a “free” white paper, which only seems to be free if you ‘pay’ with your contact details.

In most of the cases, they force you to “consent” with the requirement to send you marketing,… in GDPR terms it’s not considered consent if it’s forced… But essentially they force you to submit your personal data.

If you don’t want to disclose your data, just for that single download, or … if you want to avoid getting too much spam, what do you do?

One-time use, temporary mail domains (not your own domain)

First and easy option is to search the internet for “temp mail”, “temporary mail addresses” or “disposable mail“, … synonyms for one time use mails.

You use these addresses for quick use, one shot hit.

Samples:

  • mailinator.com
  • temp-mail.org
  • guerillamail.com
  • mail.tm
  • many more…

Use your custom domain

An easier, but less free, but still cheap option, is to purchase your own custom domain (on the condition you can have multiple mailbox aliases).

The quick and dirty: create an alias like download@yourdomain.url, keep it disabled by default and only enable it when you need to receive a download link. Afterwards, disable it again.

In some cases you literally need to have a mail address just once. Eg, when you want to download a “free” white paper, many companies harvest your mail, put it in a CRM system and keep spamming you afterwards. It’s fairly difficult to escape the forced consent or registration.

Then you can use a temporary mail alias:

  1. you enable an alias or dummy address,
  2. register for the download with the alias/dummy,
  3. then disable the alternative mail address again.

That way the address cannot be harvested for spam or marketing you don’t need. Easy.

(When a address broker tries to use the disabled alias, they will get an NDR, non-delivery report, and delete the invalid mail registration from their farm…)

Advantages

Keep your inbox clean : Mail filtering using simple mail rules

One the most prominent advantages of using aliases is that most of the mail clients can use the receiver address (or alias) to filter and manage incoming mail.

Based on the target receiver alias, you can set simple rules to move incoming mail from your inbox to another folder.

Basically an mail alias offers a simple mailbox optimization technique to make your life easy.

Securing internet logins

Another major advantage of aliases: use it as an alternative identifier for single sign-on.

Instead of logging in to multiple platforms with the same mail address, you better use 1 unique alias address per platform.

For example:

Of course it’s quite important to use different passwords or authentication methods too (incl. MFA).

The main reasoning behind this approach is: if 1 login is breached or leaked, the other accounts are not impacted. If you don’t think you can manage this collection of passwords, there is one good tip: use a password manager to replace your memory.

Use a password manager anyway.

Detecting data breaches

When you use 1 mail address (alias) for every internet login, you can also trace very easily if a website is selling your data to partners, other companies or personal data brokers. You can simply see who sends mail, if that source domain is correctly linked to your alias… or not. If your login is used by unauthorized party you can initiate GDPR subject data access request to track how it got there (against both the original data controller and the secondary party).

And when using a custom domain (or some “+” alias mail providers), you can simple disable or remove the mail alias, so it becomes useless for the perpetrators.

On/Off Temporary mail (when using your custom domain)

In some cases you literally need to have a mail address just once. Eg, when you want to download a “free” white paper, many companies harvest your mail, put it in a CRM system and keep spamming you afterwards. It’s fairly difficult to escape the forced consent or registration.

When you can use a temporary mail, you enable an alias or dummy address, register for the download with the alias/dummy, then disable the alternative mail address again. That way the address cannot be used for spam or marketing you don’t want. Easy.

One-time use temporary mail domains

First and easy option is to search the internet for “temp mail” or “temporary mail addresses”

You use these addresses for quick use, one shot hit. No hassle, no admin. Quick and dirty.

Some more advantages

You can also link your custom domain to shortener tools like bit.ly. This way you can manage your social media and easily track your popularity or maintain statistics on your articles and views. (For Bitly, search for “bitly custom domain”)

Disadvantages

Custom domain management

Managing your own custom domain might be cumbersome, depending how user friendly the management of aliases is. Certainly managing dynamic aliases for multiple users… can time consuming. Certainly if you have a large volume of mailboxes and/or aliases to manage.

But managing a custom domain for own personal use, for a few bucks a year, is really worth the time and money. 

If you cannot disable “+” aliases …

… then you might be in trouble, because you cannot stop the abuse once the senders have registered the alias in their mail system.
In many cases, you’ll need to unsubscribe or directly contact the platform owner and demand to remove your data, which can be cumbersome or time consuming… Or you need to excercise your right to be forgotten in the official way. (Ref. GDPR, …)

Temporary mail domains blocked & open access

The major disadvantage is that a lot of spam (eh sorry), marketing websites that offer these ‘free’ downloads, will recognize and block public temporary mail domains (like mailinator, guerilla mail, temp mail, …).

In most cases you’ll have to try a few options, as some of these temporary mail domains have alternative mail domain options, like dynamic domains not only hosting main on the master domain.

VERY IMPORANT SECURITY NOTICE: whatever mailbox you use on these temporary domains, anyone can read or access these mailboxes, so make sure nothing important or private is sent to these mailboxes.

Bonus: the “oh shit rule”

While I’ve been focusing on the security & data protection features of the mail alias, I still want to mention an important principle to protect your reputation: the “oh shit rule”.

The principle is simple: delay the sent articles with one or more minutes before the mails are actually sent to the receiver.

It gives you a bit of slack if you want to fix a mail, or in worst case scenario cancel the mail if you have second thoughts or regret sending the mail, to avoid embarrassment or being forced to search for a new job.

Some useful references

Below you’ll find some interesting articles on managing aliases on the well-known mail providers

Gmail

Microsoft Office 365 “+” alias

Yahoo

Other providers

Other providers, like Protonmail, … also provide the alias “+” option, sometimes by default. Carefully check if you can remove the “+” alias or not, in case the alias got listed by address brokers.

Custom mail address RFC standard

https://tools.ietf.org/html/rfc5233

BTW, did you know… that following the RFC standards, an email address is case sensitive. 😉

Excel Security and Not Excel security, that’s the question

Executive overview

Excel has various levels of protection.
Many people use worksheet protection.  This feature is designed as a simple blocker to avoid unwanted edits to your sheet. Users can open and use the file without the protection password.

By design, Excel sheet protection is NOT a security measure, to keep data secret or to hide IP or formulas from unauthorized parties. The worksheet protection password is fairly easy to remove as explained below.

If you want actual protection in your Excel sheet, you need to use the encryption feature, but then every user will be forced to enter a password to open the file.  Which is difficult from usability point of view. And you need to apply security for each user separately.

Applies to

This discussion actually applies to the latest version of Excel in the Office 365 version. Some options or features might not be available or might not apply to previous/older versions of MS office.

Introduction

If you spend a lot of time to build a smart calculations or data management solutions in Excel, it’s very likely that you want to protect your hard word, or the smart layout or the intelligence behind your calculations. Or simply avoid any accidents crippling the nice layout.

Most people will first think about worksheet protection to achieve this, but there are some more options.

Excel Security options

If you create or open an Excel sheet (in current version of Office 365), you can add security via the menu “FIle” then choose the “Info” option.

Then click the “Protect Workbook” option.

Worksheet protection

In short: Worksheet protection is not intended to be a security feature.

And that’s documented at: https://support.microsoft.com/office/protect-a-worksheet-3179efdb-1285-4d49-a9c3-f4ca36276de6

From the Microsoft support document, the security impact of the protection features is explained as (quote):

Important: 

  • Worksheet level protection is not intended as a security feature. It simply prevents users from modifying locked cells within the worksheet.
  • Protecting a worksheet is not the same as protecting an Excel file or a workbook with a password. See below for more information:

Even with worksheet protection, the formulas are stored in the file as this is what allows you to later modify the formulas and for the cells to update their values. Because the file is not encrypted, a user could inspect the file contents to determine what the formulas are.

For advanced Excel users:

  • There are mechanisms that allow you to remove formulas from the workbook while keeping the cell values the same. When this is done, these cell values no longer update as they no longer have a formula.
  • If you want to strip out a formula that refers to another workbook, you can use the break link feature for external links (Data tab > Queries and Connections section > Edit Links > Break Link) – this keeps the current value of the cell and removes the formula referencing the external workbook.
  • If you want to strip out a formula regardless of where it refers to, the easiest way to do this is to copy the cell and paste as value to the same cell.

Implementing worksheet protection

Implementing worksheet security using encryption

Managing cell security

Before you activate worksheet protection, you need to consider unblocking cells to allow edit when protection is activated. Right click the target cells, you want to leave unprotected.

In the cell format options, “Locked” is enabled by default. Uncheck if you want to edit after password lock.

Next, to activate worksheet protection, right click the worksheet tab (below) and click the Protect sheet option.

You  can select which kind of protection you need on the level of the sheet and cells.

You need to enter the password and then reconfirm, of course.

Now, when you try to edit the cells that are blocked, you’ll get an error.

The actual Excel security: sheet encryption

To implement actual security, you need to encrypt the file.
When you want to use encryption, go back to the file menu and workbook protection, as explained earlier.

Choose the encryption option

When you save the file and try to reopen it, you’ll get a password prompt.

In one of the next chapters below, I’ll show what happens with the file security, and if you can hack it… or not.

Hacking Excel worksheet protection

The actual reason for this article, is that the worksheet protection is NOT a security feature and more important, the worksheet protection can be broken in a matter of seconds.

You’ll find a lot of password cracking tools, brute force password guessing or macro scripts to crack the passwords. Don’t bother if you simply want to remove the password protection.

The worksheet protection is embedded in the XLSX file, as XML. And you should consider the XLS sheet as a compressed/zipped dossier/file collection of config files containing the hashed password.

And that’s exactly the easy shortcut to remove the password, remove the password hash.
I won’t go in detail on the steps, but it’s about renaming the XLS file to zip, opening the zip, removing the pasword hash, saving the file, rename to XLS and open your sheets without password protection.

The method is explained over here: http://www.excelsupersite.com/how-to-remove-an-excel-spreadsheet-password-in-6-easy-steps/

Hacking encryption? (Nope!)

Using the XLS to Zip rename, you can inspect the file content of the encrypted file.

When you try the same technique, removing the encryption info…you’ll notice that the “EncryptionInfo” is not allowing to save. And you can’t remove the encryption (at least not this way, here we stop… )

When you try to remove the encryption tag, including the cipher and password hash, you’ll notice it won’t work.

Reporting security issues to Microsoft

If you think or suspect to have found a security issue in a Microsoft product, don’t hesitate to report it.

To report a vulnerability in a Microsoft product or service, got to the Microsoft Security Response Center (MSRC) website at : https://www.microsoft.com/msrc.

You can track the status of your report as the MSRC team will work with you to investigate and resolve the issue. Or confirm that a suspected behaviour is not a security issue, but a light-weight protection to avoid layout incidents.

Note-to-self: You lost access to your initial Office 365 admin?

Although Microsoft has built in quite some methods to regain access to your 0365 tenant/account, you might have some bad luck one day… (experience talking here)

First of all you should try the default options, meaning : the password reset options.

The direct way to get there is the first link to bookmark: https://passwordreset.microsoftonline.com/

Another way to get there is in the 0365 logon page (also for Azure),

o365_1

If you forgot your password or can’t access the account, hit the link at the bottom.
You get directed to :

o365_2

If you know the logon, you can proceed to

o365_3

You notice that the verification is pointing to your alternative mail address or your mobile number…

But what if you forgot your original logon ID (mail address), eg in case you have setup a test tenant in 0365 with an mail address you don’t use frequently? (yes, that happens)

If that is not working or you need more help, check these options:

And if you really ran out of luck: you might raise a ticket and ask for help. https://portal.office.com/support/newsignupservicerequest.aspx

Anyway, as shown there are some options when configuring 0365 that should keep you out of trouble in the first place

  • make sure to add a mobile number to your user account
  • make sure to add a secondary email address to your account (not belonging to your O365 domain)
  • Configure and test MFA (multifactor Authentication), eg with the Authenticator app
  • add a secondary admin account with sufficient rights (with the same security measures!)

(Last update: 2020-12-31)

Note-to-self: OneDrive (For Business) vs SharePoint Online

Just got a question about the differences between OneDrive (for Business) and SharePoint Online… As it’s not my core knowledge, I just did some quick research, which might serve your knowledge too… Here we go.

Sources:

The page on OneDrive for Business Service Description has a very interesting comparison, but IMHO, it’s missing a bit of color.
So, I’ve reworked the page slightly (but all credits to the Microsoft Product team.

 

Table of Contents

 

Developer features OneDrive for Business Plan 1 OneDrive for Business Plan 2 SharePoint Online Plan 1 SharePoint Online Plan 2

Access Services
Yes Yes Yes Yes

App Catalog (SharePoint)
Yes Yes Yes Yes

App Deployment: Cloud-Hosted Apps
Yes Yes Yes Yes

App Deployment: SharePoint-Hosted Apps
Yes Yes Yes Yes

App Management Services
Yes Yes Yes Yes

BCS: Alerts for External Lists
No No No Yes

BCS: App Scoped External Content Types (ECTs)
No No No Yes

BCS: Business Data Webparts
No No No Yes

BCS: External List
No No No Yes

BCS: OData connector
No No No Yes

BCS: Profile Pages
No No No No

BCS: Rich Client Integration
No No No No

BCS: Secure Store Service
No No No Yes

BCS: Tenant-level external data log
No No No Yes

Browser-based customizations
Yes Yes Yes Yes

Client Object Model (OM)
Yes Yes Yes Yes

Client-side rendering (CSR)
Yes Yes Yes Yes

Custom Site Definitions
No No No No

Custom Site Provisioning
No No No No

Developer Site
No No Yes Yes

Forms Based Applications
No No Yes Yes

Full-Trust Solutions
No No No No

InfoPath Forms Services
No No No Yes

JavaScript Object Model
Yes Yes Yes Yes

List and Library APIs
Yes Yes Yes Yes

Remote Event Receiver
No No Yes Yes

REST API
Yes Yes Yes Yes

Sandboxed Solutions
Yes Yes Yes Yes

SharePoint Design Manager
No No Yes Yes

SharePoint Designer
No No Yes Yes

SharePoint Store
2
Yes Yes Yes Yes

Workflow 2010 (.NET 3.5)
No No Yes Yes

Workflow 2010 (out of the box)
No No Yes Yes

Workflow 2013
No No Yes Yes

Workload API: ECM APIs
No No Yes Yes

Workload API: Search APIs
No No Yes Yes

Workload API: Social APIs
No No Yes Yes

 

IT Professional features OneDrive for Business Plan 1 OneDrive for Business Plan 2 SharePoint Online Plan 1 SharePoint Online Plan 2

Active Directory Synchronization
Yes Yes Yes Yes

Alternate Access Mapping (AAM)
No No No No

Analytics Platform
No No Yes Yes

Anti-malware protection
Yes Yes Yes Yes

Claims-Based Authentication Support
No No No No

Configuration Wizards
No No No No

Data loss prevention
No Yes No Yes

Deferred Site Collection upgrade
Yes Yes Yes Yes

Distributed Cache
No No No No

Encryption at rest
Yes Yes Yes Yes

Host Header Site Collections
No No No No

Improved Permissions Management
Yes Yes Yes Yes

Improved Self-Service Site Creation
No No No No

Managed Accounts
No No No No

Minimal Download Strategy (MDS)
Yes Yes Yes Yes

OAuth
Yes Yes Yes Yes

Patch Management
No No No No

Quota Templates
No No No No

Read-Only Database Support
No No No No

Remote BLOB Storage
No No No No

Request Management
No No No No

Request throttling
No No No No

Resource throttling
No No No No

Service Application Platform
No No Yes Yes

SharePoint Health Analyzer
No No No No

SharePoint admin center
Yes Yes Yes Yes

Shredded Storage
Yes Yes Yes Yes

Site Collection Compliance Policies
Yes Yes Yes Yes

Site Collection Health Checks
Yes Yes Yes Yes

State Service
No No No No

Streamlined Central Administration
No No No No

System Status Notifications
No No No No

Unattached Content Database Recovery
No No No No

Upgrade evaluation site collections
No No Yes Yes

Usage Reporting and Logging
No No No No

Windows PowerShell Support
Yes Yes Yes Yes

 

Content features OneDrive for Business Plan 1 OneDrive for Business Plan 2 SharePoint Online Plan 1 SharePoint Online Plan 2

Accessibility Standards Support
Yes Yes Yes Yes

Asset Library Enhancements/Video Support
Yes Yes Yes Yes

Auditing
Yes Yes Yes Yes

Auditing & Reporting (e.g. doc edits, policy edits, deletes)
Yes Yes Yes Yes

Content Organizer
No No Yes Yes

Design Manager
No No Yes Yes

Document Sets
Yes Yes Yes Yes

Document Translation in Word Online
Yes4 Yes4 Yes4 Yes4

eDiscovery Search
Yes Yes Yes Yes

eDiscovery Hold
No Yes No Yes

eDiscovery Export
No Yes No Yes

Email enabled lists and libraries
No No No No

External Sharing: External Access
Yes Yes Yes Yes

External Sharing: Guest Link
Yes Yes Yes Yes

Folder Sync
Yes Yes Yes Yes

IRM using Azure AD Rights Management
No1 No1 No1 No1

IRM using Windows Server AD RMS
No No No No

Managed Metadata Service
No No Yes Yes

Metadata-driven Navigation
No No Yes Yes

Multi-stage Disposition
Yes Yes Yes Yes

Office Online (create/edit)
Yes Yes No No

Office Online (view)
Yes Yes Yes Yes

Office Web Apps Server integration
No No No No

PowerPoint Automation Services
No No No No

Preservation hold library
No Yes No Yes

Quick Edit
Yes Yes Yes Yes

Records management
No No Yes Yes

Recycle Bin (SharePoint admin center)
Yes Yes Yes Yes

Recycle Bin (site collection)
Yes Yes Yes Yes

Related Items
No No Yes Yes

Rich Media Management
No No Yes Yes

Shared Content Types
Yes Yes Yes Yes

SharePoint Translation Services
No No Yes Yes

Site mailbox
No No Yes Yes

Surveys
Yes Yes Yes Yes

Unique Document IDs
Yes Yes Yes Yes

Video Search
No No No Yes

WCM: Analytics
No No Yes Yes

WCM: Catalog
No No No Yes

WCM: Category page and catalog item page
No No No Yes

WCM: Search web parts
No No No Yes

WCM: Cross-Site publishing
No No No Yes

WCM: Designer Tools
No No Yes Yes

WCM: Faceted navigation
No No No No

WCM: Image Renditions
No No Yes Yes

WCM: Managed navigation
No No Yes Yes

WCM: Mobile and Device Rendering
No No Yes Yes

WCM: Multiple Domains
No No No No

WCM: Recommendations
No No Yes Yes

WCM: Search Engine Optimizations (SEO)
No No Yes Yes

Word Automation Services
No No No No

 

Insights features OneDrive for Business Plan 1 OneDrive for Business Plan 2 SharePoint Online Plan 1 SharePoint Online Plan 2

Business Intelligence Center
No No No Yes

Calculated Measures and Members
No No No Yes

Data Connection Library
No No No Yes

Decoupled PivotTables and PivotCharts
No No No Yes

Excel Services
No No No Yes

Field list and Field Support
No No No Yes

Filter Enhancements
No No No Yes

Filter Search
No No No Yes

PerformancePoint Services
No No No No

PerformancePoint Services (PPS) Dashboard Migration
No No No No

Power View for Excel in SharePoint
No No No Yes

Power Pivot for Excel in SharePoint
No No No Yes

Quick Explore
No No No Yes

Scorecards & Dashboards
No No No No

SQL Server Reporting Services (SSRS) Integrated Mode
No No No No

Timeline Slicer
No No No Yes

Visio Services
No No No Yes

 

Search features OneDrive for Business Plan 1 OneDrive for Business Plan 2 SharePoint Online Plan 1 SharePoint Online Plan 2

Advanced Content Processing
No No No No

Continuous crawls
Yes Yes Yes Yes

Custom entity extraction
No No No No

Deep links
Yes Yes Yes Yes

Event-based relevancy
Yes Yes Yes Yes

Expertise Search
Yes Yes Yes Yes

Extensible content processing
No No No No

Graphical refiners
Yes Yes Yes Yes

Hybrid search
Yes Yes Yes Yes

Manage search schema
No No Yes Yes

On-premises search index
No No No No

Phonetic name matching
Yes Yes Yes Yes

Query rules—Add promoted results
No No Yes Yes

Query rules—advanced actions
No No No No

Query spelling correction
No No Yes Yes

Query suggestions
No No Yes Yes

Query throttling
No No Yes Yes

Quick preview
Yes Yes Yes Yes

Ranking models
No Yes Yes2 Yes2

Refiners
Yes Yes Yes Yes

RESTful Query API/Query OM
Yes Yes Yes Yes

Result sources
Yes Yes Yes Yes

Search connector framework
No No No No

Search results sorting
Yes Yes Yes Yes

Search vertical: “Conversations”
Yes Yes Yes Yes

Search vertical: “People”
Yes Yes Yes Yes

Search vertical: “Video”
No No No Yes

“This List” searches
Yes Yes Yes Yes

 

Sites features OneDrive for Business Plan 1 OneDrive for Business Plan 2 SharePoint Online Plan 1 SharePoint Online Plan 2

Change the look
No No Yes Yes

Connections to Microsoft Office Clients
Yes Yes Yes Yes

Cross Browser Support
Yes Yes Yes Yes

Custom Managed Paths
No No No No

Governance
Yes Yes Yes Yes

Large List Scalability and Management
Yes Yes Yes Yes

Mobile Connectivity
Yes Yes Yes Yes

Multi-Lingual User Interface
Yes Yes Yes Yes

My Tasks
No No Yes Yes

OOTB Web Parts
No No Yes Yes

Permissions Management
Yes Yes Yes Yes

Project functionality for team sites
No No Yes Yes

Project site template
No No Yes Yes

Project Summary web part
No No Yes Yes

Project workspace
No No Yes Yes

SharePoint Lists
No No Yes Yes

SharePoint Ribbon
No No Yes Yes

Site folders
No No Yes Yes

Task list
No No Yes Yes

Team Site: Drag & Drop
No No Yes Yes

Team Site: Notebook
No No Yes Yes

Team Site: Simplified Access
No No Yes Yes

Templates
No No Yes Yes

Themes
No No Yes Yes

Usage Analytics
No No Yes Yes

Variations
No No Yes Yes

Work Management Service
No No Yes Yes

 

Social features OneDrive for Business Plan 1 OneDrive for Business Plan 2 SharePoint Online Plan 1 SharePoint Online Plan 2

Ask Me About
Yes Yes Yes Yes

Blogs
No No Yes Yes

Communities Reputation, Badging, and Moderation
No No Yes Yes

Community
No No Yes Yes

Company Feed
No No Yes Yes

Document Conversations with Yammer
Yes Yes Yes Yes

Follow
Yes Yes Yes Yes

Microblogging
No No Yes Yes

Newsfeed
No No Yes Yes

One Click Sharing
Yes Yes Yes Yes

People, Sites, Document Recommendations
No No Yes Yes

Personal Site
Yes Yes Yes Yes

Photos and Presence
Yes Yes Yes Yes

Profile
Yes Yes Yes Yes

Ratings
Yes Yes Yes Yes

Shared with Me
Yes Yes Yes Yes

Site Feed
No No Yes Yes

OneDrive for Business
Yes Yes Yes Yes

Tag profiles
No No Yes Yes

Tasks integrated with Outlook
Yes Yes Yes Yes

Trending Tags
No No Yes Yes

Wikis
No No Yes Yes

 

Add-Ons OneDrive for Business Plan 1 OneDrive for Business Plan 2 SharePoint Online Plan 1 SharePoint Online Plan 2

Additional Storage
No No No No

Azure Provisioned Apps: Access Services
Yes Yes Yes Yes

Azure Provisioned Apps: Custom Code in Azure LWR
Yes Yes Yes Yes

Duet Online
No No No No

(Last update: 2020-12-31)