Office 365 Business Standard




Tip

The information in this article is intended for administrators and IT Pros. For information about activating a personal copy of Office, see Activate Office.

Business Basic used to be known as Office 365 Business Essentials. Business Standard used to be known as Office 365 Business Premium. Business Premium used to be known as Microsoft 365 Business. Microsoft 365 F3 used to be known as Microsoft 365 F1. The other two packages did not have their names changed at all.

The people on your team each need a user account before they can sign in and access Microsoft 365 for business. The easiest way to add user accounts is to add them one at a time in the Microsoft 365 admin center. After you do this step, your users have Microsoft 365 licenses, sign in credentials, and Microsoft 365 mailboxes.

Shared computer activation lets you deploy Microsoft 365 Apps to a computer in your organization that is accessed by multiple users. Here are some examples of supported scenarios:

  • Three workers at a factory share the same physical computer, with each worker using Office on that computer during their eight-hour shift.
  • Fifteen nurses at a hospital use Office on ten different computers throughout the day.
  • Five employees connect remotely to the same computer to run Office.
  • Multiple employees use Office on a computer that's located in a conference room or some other public space in the company.
  • Multiple users access an instance of Office that is hosted through Remote Desktop Services (RDS).

Shared computer activation is required for scenarios where multiple users share the same computer and the users are logging in with their own account. Normally, users can install and activate Microsoft 365 Apps only on a limited number of devices, such as 5 PCs. Using Microsoft 365 Apps with shared computer activation enabled doesn't count against that limit. If your users have dedicated computers and no other users work on those computers, you use product key activation for Microsoft 365 Apps.

How to enable shared computer activation for Microsoft 365 Apps

To use shared computer activation, you need an Office 365 (or Microsoft 365) plan that includes Microsoft 365 Apps and also supports shared computer activation. Shared computer activation is available for the following plans:

  • Any plan that includes Microsoft 365 Apps for enterprise (previously named Office 365 Plus). For example, Office 365 E3 or Microsoft 365 E5.
  • Any plan that includes the desktop version of Project or Visio. For example, Project Plan 3 or Visio Plan 2.
  • The Microsoft 365 Business Premium plan, which includes Microsoft 365 Apps for business.

Note

  • The Microsoft 365 Business Premium plan is the only business plan that includes support for shared computer activation. There are other business plans, such as Microsoft 365 Business Standard, that include Microsoft 365 Apps for business, but those business plans don't include support for shared computer activation.
  • Shared computer activation is available for Education plans that include Microsoft 365 Apps for enterprise. For example, Office 365 A3 or Microsoft 365 A5.
  • Shared computer activation isn't available for Office for Mac.

Make sure you assign each user a license for Microsoft 365 Apps and that users log on to the shared computer with their own user account.

If you want to enable shared computer activation during the initial installation of Microsoft 365 Apps, you can instruct the Office Deployment Tool to do so during installation.

  • When you are using the Office Customization Tool at config.office.com or the wizard built into Microsoft Endpoint Configuration Manager, make sure that you enable the option Shared Computer in the Product activation section.
  • When you are crafting the configuration file manually, make sure to include the following line:

If Microsoft 365 Apps is already installed and you want to enable shared computer activation, there are three options to choose from. A re-installation is not required. The device must be rebooted in order to apply the change.

  • Use Group Policy by downloading the most current Administrative Template files (ADMX/ADML) for Office and enabling the 'Use shared computer activation' policy setting. This policy setting is found under Computer Configuration\Policies\Administrative Templates\Microsoft Office 2016 (Machine)\Licensing Settings.

  • Use Registry Editor to add a String value (Reg_SZ) of SharedComputerLicensing with a setting of 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration.

  • Download and run the Microsoft Support and Recovery Assistant. This is required to change the activation method from subscription mode to shared mode.

    Note

    Microsoft 365 Apps for business doesn't support the use of Group Policy, so you'll need to use another method to enable shared computer activation.

    If a user already activated the Microsoft 365 Apps before shared computer activation was enabled, you have to reset the activation to allow shared computer activation to work.

After Microsoft 365 Apps is installed, you can verify that shared computer activation is enabled on that computer.

How shared computer activation works for Microsoft 365 Apps

Here's what happens after Microsoft 365 Apps is installed on a computer that has shared computer activation enabled.

  1. A user logs on to the computer with their account.

  2. The user starts an Office program, such as Word.

  3. Microsoft 365 Apps contacts the Office Licensing Service on the internet to obtain a licensing token for the user.

    To determine whether the user is licensed to use Microsoft 365 Apps, the Office Licensing Service has to know the user's account for Office 365. In some cases, Microsoft 365 Apps prompts the user to provide the information. For example, the user might see the Activate Office dialog box.

    If your environment is configured to synchronize Office 365 (Azure Active Directory) and local Active Directory (AD) accounts, then the user most likely won't see any prompts. Microsoft 365 Apps should automatically be able to get the necessary information about the user's account in Office 365.

  4. If the user is licensed for Microsoft 365 Apps, a licensing token is stored on the computer in the user's profile folder, and Microsoft 365 Apps is activated. The user can now use Microsoft 365 Apps.

These steps are repeated for each user who logs on to the shared computer. Each user gets a unique licensing token. Just because one user activates Microsoft 365 Apps on the computer doesn't mean Microsoft 365 Apps is activated for all other users who log on to the computer.

If a user goes to another computer that also is enabled for shared computer activation, the same steps occur. There is a different licensing token for each computer that the user logs on to.

If a user logs on to a shared computer again, Microsoft 365 Apps uses the same licensing token, if it is still valid.

Additional details about shared computer activation for Microsoft 365 Apps

Licensing token renewal: The licensing token that is stored on the shared computer is valid only for 30 days. As the expiration date for the licensing token nears, Microsoft 365 Apps automatically attempts to renew the licensing token when the user is logged on to the computer and using Microsoft 365 Apps.

If the user doesn't log on to the shared computer for 30 days, the licensing token can expire. The next time that the user tries to use Microsoft 365 Apps, Microsoft 365 Apps contacts the Office Licensing Service on the internet to get a new licensing token.

Internet connectivity: Because the shared computer has to contact the Office Licensing Service on the internet to obtain or renew a licensing token, reliable connectivity between the shared computer and the internet is necessary.

Reduced functionality mode: If the user is not licensed for Microsoft 365 Apps, or if the user closed the Activate Office dialog box, no licensing token is obtained and Microsoft 365 Apps isn't activated. Microsoft 365 Apps is now in reduced functionality mode. This means that the user can view and print Office documents, but can't create or edit documents. The user also sees a message in the Office program that most features are turned off.

Activation limits: Normally, users can install and activate Microsoft 365 Apps only on a limited number of devices, such as 5 PCs. Using Microsoft 365 Apps with shared computer activation enabled doesn't count against that limit.

Microsoft allows a single user to activate Microsoft 365 Apps on a reasonable number of shared computers in a given time period. The user gets an error message in the unlikely event the limit is exceeded.

Single sign-on recommended: The use of single sign-on (SSO) is recommended to reduce how often users are prompted to sign in for activation. With single sign-on configured, Microsoft 365 Apps is activated using the user credentials that the user provides to sign in to Windows, as long as the user has been assigned a license for Microsoft 365 Apps. For more information, see Microsoft 365 identity models and Azure Active Directory.

If you don't use single sign-on, you should consider using roaming profiles and include the %localappdata%\Microsoft\Office\16.0\Licensing folder as part of the roaming profile.

Licensing token roaming: Starting with Version 1704 of Microsoft 365 Apps, you can configure the licensing token to roam with the user's profile or be located on a shared folder on the network. Previously, the licensing token was always saved to a specific folder on the local computer and was associated with that specific computer. In those cases, if the user signed in to a different computer, the user would be prompted to activate Microsoft 365 Apps on that computer in order to get a new licensing token. The ability to roam the licensing token is especially helpful for non-persistent VDI scenarios.

To configure licensing token roaming, you can use either the Office Deployment Tool or Group Policy, or you can use Registry Editor to edit the registry. Whichever method you choose, you need to provide a folder location that is unique to the user. The folder location can either be part of the user's roaming profile or a shared folder on the network. Microsoft 365 Apps needs to be able to write to that folder location. If you're using a shared folder on the network, be aware that network latency problems can adversely impact the time it takes to open Office programs. The location is only needed if you prefer to not use the default location, which is %localappdata%\Microsoft\Office\16.0\Licensing.

  • If you're using Group Policy, download the most current Administrative Template files (ADMX/ADML) for Office and enable the 'Specify the location to save the licensing token used by shared computer activation' policy setting. This policy setting is found under Computer Configuration\Policies\Administrative Templates\Microsoft Office 2016 (Machine)\Licensing Settings.

  • If you're using the Office Deployment Tool, include the SCLCacheOverride and SCLCacheOverrideDirectory in the Property element of your configuration.xml file. For more information, see Configuration options for the Office Deployment Tool.

  • To edit the registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration, add a string value of SCLCacheOverride, and set the value to 1. Also, add a string value of SCLCacheOverrideDirectory and set the value to the path of the folder to save the licensing token.

    Note

    If you're using Microsoft Application Virtualization (App-V) to deploy Microsoft 365 Apps, the registry location is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\Licensing.
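
The settings described above (the SharedComputerLicensing flag, the token cache override, and the 30-day token lifetime) can be audited per user from PowerShell. This is an added example, not part of the original article or Microsoft's tooling; it reads the Click-to-Run registry location only (not the App-V one), and the ACL allow-list and the use of file timestamps as a proxy for token age are assumptions.

```powershell
# Added example, not Microsoft's tooling. Registry path and value names are the
# ones the article gives; the ACL and file-age checks are assumptions.
$c2rKey       = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$validityDays = 30   # token lifetime stated in the article

function Get-SclSetting([string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $c2rKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = [System.Collections.Generic.List[string]]::new()
$shared   = Get-SclSetting 'SharedComputerLicensing'
$override = Get-SclSetting 'SCLCacheOverride'
$cacheDir = Get-SclSetting 'SCLCacheOverrideDirectory'

if ($shared -ne '1') {
    $findings.Add("SharedComputerLicensing is '$shared' (expected 1)")
}

# Work out where this user's licensing token is stored.
$tokenDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Office\16.0\Licensing'
if ($override -eq '1') {
    if ([string]::IsNullOrWhiteSpace($cacheDir)) {
        $findings.Add('SCLCacheOverride is 1 but SCLCacheOverrideDirectory is not set')
    } else {
        $tokenDir = [Environment]::ExpandEnvironmentVariables($cacheDir)
    }
}

if (Test-Path -LiteralPath $tokenDir -PathType Container) {
    # Assumption: only the user, SYSTEM and Administrators should hold rights here,
    # because the article requires a folder location that is unique to the user.
    $me      = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $allowed = @($me, 'S-1-5-18', 'S-1-5-32-544')
    foreach ($ace in (Get-Acl -LiteralPath $tokenDir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        if ($sid -notin $allowed) {
            $findings.Add("$($ace.IdentityReference) has $($ace.FileSystemRights) on $tokenDir")
        }
    }
    # Assumption: the newest file's last-write time approximates token issuance.
    $newest = Get-ChildItem -LiteralPath $tokenDir -File -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) {
        $findings.Add("No token files under $tokenDir for this user")
    } else {
        $age = [math]::Floor(((Get-Date) - $newest.LastWriteTime).TotalDays)
        if ($age -ge $validityDays) {
            $findings.Add("Newest token file is $age days old; expect a new request to the Office Licensing Service")
        }
    }
} else {
    $findings.Add("Token folder $tokenDir does not exist or is not reachable")
}

[pscustomobject]@{
    Computer = $env:COMPUTERNAME; User = $env:USERNAME
    SharedActivation = ($shared -eq '1'); TokenFolder = $tokenDir; Findings = $findings
}
```

Run it in the signed-in user's session, since both the default token folder and the ACL comparison depend on that user's profile and SID.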


This article compares encryption options in Microsoft 365 including Office 365 Message Encryption (OME), S/MIME, Information Rights Management (IRM), and introduces Transport Layer Security (TLS).

Microsoft 365 delivers multiple encryption options to help you meet your business needs for email security. This article presents three ways to encrypt email in Office 365. If you want to learn more about all security features in Office 365, visit the Office 365 Trust Center. This article introduces the three types of encryption available for Microsoft 365 administrators to help secure email in Office 365:

  • Office Message Encryption (OME).

  • Secure/Multipurpose Internet Mail Extensions (S/MIME).

  • Information Rights Management (IRM).

How Microsoft 365 uses email encryption

Encryption is the process by which information is encoded so that only an authorized recipient can decode and consume the information. Microsoft 365 uses encryption in two ways: in the service, and as a customer control. In the service, encryption is used in Microsoft 365 by default; you don't have to configure anything. For example, Microsoft 365 uses Transport Layer Security (TLS) to encrypt the connection, or session, between two servers.

Here's how email encryption typically works:

  • A message is encrypted, or transformed from plain text into unreadable ciphertext, either on the sender's machine, or by a central server while the message is in transit.

  • The message remains in ciphertext while it's in transit in order to protect it from being read in case the message is intercepted.

  • Once the message is received by the recipient, the message is transformed back into readable plain text in one of two ways:

    • The recipient's machine uses a key to decrypt the message, or

    • A central server decrypts the message on behalf of the recipient, after validating the recipient's identity.

For more information on how Microsoft 365 secures communication between servers, such as between organizations within Microsoft 365 or between Microsoft 365 and a trusted business partner outside of Microsoft 365, see How Exchange Online uses TLS to secure email connections in Office 365.

Comparing email encryption options available in Office 365

Email encryption technology: OME, IRM, and S/MIME

What is it?

OME: Office 365 Message Encryption (OME) is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail, Outlook.com, etc.). As an admin, you can set up transport rules that define the conditions for encryption. When a user sends a message that matches a rule, encryption is applied automatically. To view encrypted messages, recipients can either get a one-time passcode, sign in with a Microsoft account, or sign in with a work or school account associated with Office 365. Recipients can also send encrypted replies. They don't need a Microsoft 365 subscription to view encrypted messages or send encrypted replies.

IRM: IRM is an encryption solution that also applies usage restrictions to email messages. It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. IRM capabilities in Microsoft 365 use Azure Rights Management (Azure RMS).

S/MIME: S/MIME is a certificate-based encryption solution that allows you to both encrypt and digitally sign a message. The message encryption helps ensure that only the intended recipient can open and read the message. A digital signature helps the recipient validate the identity of the sender. Both digital signatures and message encryption are made possible through the use of unique digital certificates that contain the keys for verifying digital signatures and encrypting or decrypting messages. To use S/MIME, you must have public keys on file for each recipient. Recipients have to maintain their own private keys, which must remain secure. If a recipient's private keys are compromised, the recipient needs to get a new private key and redistribute public keys to all potential senders.

What does it do?

OME:

  • Encrypts messages sent to internal or external recipients.
  • Allows users to send encrypted messages to any email address, including Outlook.com, Yahoo! Mail, and Gmail.
  • Allows you, as an admin, to customize the email viewing portal to reflect your organization's brand.
  • Microsoft securely manages and stores the keys, so you don't have to.
  • No special client side software is needed as long as the encrypted message (sent as an HTML attachment) can be opened in a browser.

IRM:

  • Uses encryption and usage restrictions to provide online and offline protection for email messages and attachments.
  • Gives you, as an admin, the ability to set up transport rules or Outlook protection rules to automatically apply IRM to select messages.
  • Lets users manually apply templates in Outlook or Outlook on the web (formerly known as Outlook Web App).

S/MIME:

  • S/MIME addresses sender authentication with digital signatures, and message confidentiality with encryption.

What does it not do?

  • OME doesn't let you apply usage restrictions to messages. For example, you can't use it to stop a recipient from forwarding or printing an encrypted message.
  • Some applications may not support IRM emails on all devices. For more information about these and other products that support IRM email, see Client device capabilities.
  • S/MIME doesn't allow encrypted messages to be scanned for malware, spam, or policies.

Recommendations and example scenarios

OME: We recommend using OME when you want to send sensitive business information to people outside your organization, whether they're consumers or other businesses. For example:

  • A bank employee sending credit card statements to customers
  • A doctor's office sending medical records to a patient
  • An attorney sending confidential legal information to another attorney

IRM: We recommend using IRM when you want to apply usage restrictions as well as encryption. For example:

  • A manager sending confidential details to her team about a new product applies the 'Do Not Forward' option.
  • An executive needs to share a bid proposal with another company, which includes an attachment from a partner who is using Office 365, and requires both the email and the attachment to be protected.

S/MIME: We recommend using S/MIME when either your organization or the recipient's organization requires true peer-to-peer encryption. S/MIME is most commonly used in the following scenarios:

  • Government agencies communicating with other government agencies
  • A business communicating with a government agency

What encryption options are available for my Microsoft 365 subscription?

For information about email encryption options for your Microsoft 365 subscription, see the Exchange Online service description. Here, you can find information about the following encryption features:

  • Azure RMS, including both IRM capabilities and OME

  • S/MIME

  • TLS

  • Encryption of data at rest (through BitLocker)

You can also use third-party encryption tools with Microsoft 365, for example, PGP (Pretty Good Privacy). Microsoft 365 does not support PGP/MIME and you can only use PGP/Inline to send and receive PGP-encrypted emails.

What about encryption for data at rest?

'Data at rest' refers to data that isn't actively in transit. In Microsoft 365, email data at rest is encrypted using BitLocker Drive Encryption. BitLocker encrypts the hard drives in Microsoft datacenters to provide enhanced protection against unauthorized access. To learn more, see BitLocker Overview.

More information about email encryption options

For more information about the email encryption options in this article as well as TLS, see these articles:

OME

IRM

S/MIME

TLS