Overview Microsoft 365
Microsoft 365 (formerly Office 365) is a software suite by Microsoft that combines online versions of the familiar Office applications (Excel, Word, and PowerPoint) with cloud-based storage and collaboration applications in one subscription service. The goal is to provide a comprehensive range of applications and services that simplify daily work from anywhere with any device. Microsoft's own cloud storage, OneDrive, serves as file storage, with 1 TB of storage space available to each user by default. For efficient team communication via text, audio and video, the Teams platform is available so that both large and small working groups can work together from anywhere.
Microsoft 365 is offered in several different models for private, business and educational use. Through the Microsoft Campus Agreement, basic licenses (Office 365 A1) are available for employees; interested users can have them activated through our GWDG portal.
Once a user account has been activated and synchronized, access to the Microsoft 365 applications is enabled via office.com using GWDG login credentials. After authentication via the ADFS service of the GWDG (adfs.gwdg.de) the portfolio of available web applications appears. Links to download the client applications are also provided.
Who can use Microsoft 365?
Currently, Microsoft 365 can be used by the employees of the University of Göttingen and the GWDG. Employees of the UMG and of the University's central administration are excluded: there, the use of Microsoft 365 with Teams is not approved and is therefore not possible.
Important! According to the guidelines of the University of Göttingen, it is not permitted to store business data and especially data that is worthy of protection in the Microsoft cloud.
Activating for Microsoft 365
The following steps are necessary for independent activation for Microsoft 365 via the GWDG:
- Register at the Customer Portal of the GWDG
- In the account management under External services click on Edit
- Click Activate for Office 365 / Teams
- Read the data protection information and submit the displayed data protection dialog if you agree
- Within 30 minutes at most, you will receive a confirmation email once the activation has been completed
The pool of Microsoft 365 licenses includes the basic package called Office 365 A1 (for details see License Overview). Licenses are assigned to individual users via groups in the Active Directory (AD) of the GWDG. These groups are created exclusively for this purpose and are equipped with licenses for the individual applications in Microsoft 365.
The following services are currently activated for the Microsoft 365 users of the GWDG:
The classic Office applications Word, Excel and PowerPoint are only available in an online version and can be used in parallel with locally installed Office programs that were installed using the Office 2019 package (for details see License Overview). In the web applications, only OneDrive can be used as data storage. The data is then stored on Microsoft servers, so some notes must be observed, especially from a data protection perspective (see Data Security). Locally installed Office applications also allow access to local resources, so that the processed data can still be stored at the GWDG.
User authentication is provided by the ADFS service adfs.gwdg.de operated by the GWDG. Active Directory Federation Services (ADFS) enables single sign-on with the login credentials stored at the GWDG and access to connected services. Microsoft itself therefore does not receive access to the login password (or other login factors) when logging on to Microsoft 365.
When a user is activated for Microsoft 365, their account is synchronized from the AD of the GWDG to the Azure AD of the GWDG tenant at Microsoft. This is necessary so that Microsoft can assign all customer data to this account and so that the logon via the ADFS service of the GWDG works. The amount of account information transferred during synchronization can be controlled at a fine-grained level, so that the GWDG AD shares only the user attributes necessary for proper operation with Microsoft. In addition, the groups described above are indispensable for license distribution. The following two tables show which objects from AD are generally synchronized and which associated attributes are involved.
|object type||AD → Azure AD||Azure AD → AD||Reason for synchronization||Object filter|
|user||X|| ||Access to Microsoft 365 for users||User must be given authorization for Azure access through the IDM, either by an administrator or in self-service.|
|group||X|| ||Organization of synchronized users, especially for license distribution||Groups must be manually marked as Azure groups by an AD admin.|
When selecting the object attributes to be synchronized, Microsoft provides a short list of mandatory and an extensive list of recommended attributes. The GWDG has decided to share only the most necessary user data from its own AD with Microsoft.
|Attribute||Description||Reason for synchronization||user||contact||group||device|
|accountEnabled||defines whether an account is activated ||mandatory||X||X|
|displayName||A string representing the name that is often displayed as the display name (firstname lastname). ||User identification using real name for the user||X||X||X|
|Complete e-mail address ||Contact possibility for system and user||X||X|
|userPrincipalName||This user principal name is the login ID for the user. Usually identical with the value [mail].||mandatory||X|
|sourceAnchor||Mechanical property. Invariable identifier which maintains the relationship between AD DS and Azure AD. ||mandatory||X||X||X|
|member||List of group members as AD Distinguished Name||License distribution via AD groups||X|
|securityEnabled||Defines whether a group is a security group||Required for group synchronization ||X|
|deviceId||Identifier of the device belonging to the object||mandatory||X|
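One way to verify the data minimization described above is to compare an export of the synchronized objects against the attribute list in the table. The following is an added example, not GWDG tooling: the export format (a list of dicts with an "objectType" key), the function name and the sample data are assumptions, and the allow-list is applied across all object types because the flattened table does not show which attribute belongs to which type.

```python
# Added example: audit a directory-sync export against the page's attribute list.
# The export format (list of dicts with an "objectType" key) is an assumption.

# Attribute names taken from the table above ("mail" from its [mail] reference).
ALLOWED_ATTRIBUTES = {
    "accountEnabled", "displayName", "mail", "userPrincipalName",
    "sourceAnchor", "member", "securityEnabled", "deviceId",
}
# Object types the first table lists as synchronized from AD to Azure AD.
SYNCED_OBJECT_TYPES = {"user", "group"}

_ALLOWED_LOWER = {a.lower() for a in ALLOWED_ATTRIBUTES}


def audit_export(objects):
    """Return sorted (sourceAnchor, issue, detail) findings for an export."""
    findings = []
    for obj in objects:
        anchor = obj.get("sourceAnchor", "<no sourceAnchor>")
        obj_type = str(obj.get("objectType", "")).lower()
        if obj_type not in SYNCED_OBJECT_TYPES:
            findings.append((anchor, "unexpected-object-type", obj_type or "<missing>"))
        for name, value in obj.items():
            if name == "objectType":
                continue
            # LDAP attribute names are case-insensitive; empty values carry no data.
            if name.lower() not in _ALLOWED_LOWER and value not in (None, "", []):
                findings.append((anchor, "extra-attribute", name))
    return sorted(findings)


# Constructed sample export (not real data).
SAMPLE_EXPORT = [
    {"objectType": "user", "sourceAnchor": "A1", "accountEnabled": True,
     "displayName": "Erika Mustermann", "mail": "erika@example.org",
     "userPrincipalName": "erika@example.org"},
    {"objectType": "user", "sourceAnchor": "A2", "accountenabled": True,
     "displayName": "Max Mustermann", "userPrincipalName": "max@example.org",
     "telephoneNumber": "+49 551 0000", "department": ""},
    {"objectType": "group", "sourceAnchor": "G1", "displayName": "M365-A1",
     "securityEnabled": True, "member": ["CN=erika,DC=example,DC=org"]},
    {"objectType": "computer", "sourceAnchor": "C1", "displayName": "PC-01"},
]

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(*finding, sep="\t")
```

Any finding means the synchronization shares more than the page documents: either an attribute outside the table or an object type other than user and group.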
Data Management at Microsoft
Microsoft promises in its own Microsoft Trust Center not to use the stored data for advertising or marketing purposes. In addition, Microsoft safeguards such policies with the Code of practice for protection of personally identifiable information in public clouds (ISO/IEC 27018). The Online Service Terms set forth all rules for data management. These include the following points:
- The customer retains all rights and ownership of his customer data.
- The use of customer data is limited exclusively to the provision of the agreed services.
- Customer data protection measures comply with the requirements of ISO 27001, ISO 27002 and ISO 27018
- Data transfers outside the European Economic Area or Switzerland are secured and documented in accordance with the GDPR.
- Customer data is deleted 90 days after the end of the subscription.
Data Protection Information according to GDPR Art. 13
This information supplements the data protection information of the GWDG (https://www.gwdg.de/privacy-notice) wherever applicable:
Purpose and Legal Basis, Right of Withdrawal
The processing, including the transfer of personal data to Microsoft, takes place within the scope of providing the online services described above. Since the use of the services represents an additional offer, the legal basis is consent in accordance with GDPR Art. 6 Paragraph (1) Letter a).
The right of revocation follows directly from the consent; like the consent itself, revocation is possible via the GWDG customer portal. The other rights of the persons concerned (right to information, correction, deletion, blocking, transferability) can be exercised as described in the GWDG data protection declaration.
Processed Data, Recipient of the Data, Third Country Status
The following data is collected and shared as part of the Microsoft cloud services, which include Microsoft 365 incl. OneDrive:
- User ID (for details see User Synchronization)
- Membership of the institution “University of Göttingen”
- Stored data (OneDrive), if necessary also data actively used in Microsoft 365 applications
The data will be passed on to Microsoft Inc. and a transfer of data to the USA cannot be ruled out. The USA is a so-called third country in terms of data protection. The Privacy Shield agreement between the EU and the USA guarantees a data protection standard comparable to the GDPR, but the CLOUD Act nevertheless grants US investigative authorities access to the data in case of doubt.
After the end of the subscription by revocation of the user or expiration of the Microsoft Campus Agreement, the customer data will be kept for 90 days and restored in case of reactivation. After 90 days, the data is automatically deleted.
When using the Microsoft online services, the guidelines for information security of the University of Göttingen (only available in German) must be observed. Every user must be aware that data in Microsoft 365 is stored in OneDrive and thus on Microsoft servers. For sensitive data (e.g. personnel or financial data), storage on external servers is prohibited.
Help and Support
- GWDG Teams Guide: Microsoft Teams via GWDG
Microsoft 365 Overview
- Video training: Microsoft 365 training center