The only always up-to-date eBook about the Microsoft 365 cloud Office system, covering Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Planner, Azure Active Directory, and more
Microsoft says that the roaming (or cloud) email signatures feature is now fully deployed. The new approach solves an Outlook problem, but it’s not a universal panacea for the management of email signatures within large organizations where you want consistency in the signatures used by everyone. You’ll need an ISV solution to get that kind of functionality.
SharePoint Online is a critical piece of the Microsoft 365 ecosystem. Its document management service is consumed by many apps like Teams, Yammer, and Planner. OneDrive for Business, the personal side of SharePoint Online, also contributes to SharePoint’s success with components like the synchronization client. Without SharePoint Online, Microsoft 365 would be a very different offering and a worse platform to work with.
A policy setting called RestrictTeamsSignInToAccountsFromTenantList is available to restrict the ability of Teams desktop clients to connect to Azure AD tenants. It’s a fact that floated under our radar for a while, but now that we know about it, we’re telling you too. Of course, you probably knew about this capability anyway, but someone probably didn’t!
The Azure AD admin center now includes the option to pause processing for the membership query for an Azure AD dynamic group. This article reviews how the new feature works and what it might be used for, including a PowerShell script to report the membership processing status of all Azure AD dynamic groups.
Microsoft has released the Teams Games for Work app to enterprise and education tenants. The intention is to bring people together through game play. The technology in the game isn’t very different to anything we’ve seen before and the games are OK, even if it’s slightly weird to play them in a Teams meeting. The question is, is an app like Games for Work needed? If not, it’s easy to block the app.
Yammer stories are an extension of the previously announced storyline feature. A story is a short photo or video snippet to update other people about an event, happening, or other news. You can create stories through the Yammer apps or Viva Engage in Teams. Creating stories is easy and the interaction is smooth. The question for an enterprise is how best to use this new capability,
Microsoft 365 message center notifications now boast a “relevance recommendation.” This is a visual marker computed by Microsoft based on aspects of the change. It’s intended as a way to highlight important changes so that administrators can dedicate more time to understanding the impact of these changes on their tenants. Sometimes the recommendation isn’t perfect, but you can tell Microsoft what you think and go ahead with your own assessment of how important any individual change really is.
The Teams Delete chat option allows people to remove chats from their chat list. It’s a nice way to restore some order to a list that can be very cluttered with long-dead chats. Some subtle differences exist between leaving a chat and deleting a chat that you might need to explain to users before deploying the feature, which is controlled by a setting in the Teams messaging policy.
The unified audit log contains records generated when users and applications apply sensitivity labels to emails and documents. This article explains how to use PowerShell to retrieve the data and create a report to help tenant administrators understand the usage of sensitivity labels.
Outlook Groups now boast support for folders and rules. In other words, group owners and members (if allowed) can create new folders and move and copy items from the inbox to those folders. They can also create rules to process inbound email arriving into the group inbox. It’s all well and good, but there are a few points to understand about how things work.
Azure AD custom security attributes can mark user and service principal objects for special processing, which is how the app filter for conditional access policies works. It’s nice to be able to interact with data through PowerShell and the Microsoft Graph PowerShell SDK cmdlets support setting, updating, and retrieval of Azure AD custom security attributes. Everything works, but it’s a pity that it’s a little clunky.
Microsoft Teams doesn’t come with a Teams Directory, so it’s hard to know if a suitable team already exists when people ask for a new team. This fact contributions to teams sprawl where multiple teams exist to serve the same purpose. Teams sprawl creates an obstacle to effective collaboration and runs the danger that some important information is tucked away inside teams that no one ever goes near. Creating a Teams Directory helps team owners and users know what teams already exist inside a tenant. It’s an idea that just makes sense.
A reader asks how to monitor membership changes for some specific high-profile groups. You can buy a commercial product to do the job or use PowerShell to exploit the information held in the Office 365 audit log. A combination of a custom attribute assigned to the sensitive groups and an audit log search does the job.
Microsoft is moving the creation and management of mail flow rules to the new EAC from November. The UX in the legacy EAC should disappear in December 2022. The new UX is prettier and works better (apart from the rule wizard), but it’s a little disappointing that we have essentially the same way of managing mail flow rules in 2022 as we had in 2006. You can only hope that things might improve in the future.
Message center notification MC454809 announces that Microsoft will deploy a new Teams Webinars experience to tenants at the end of November with worldwide availability complete in early December. The new Teams Webinars experience is based on customer feedback and addresses issues like branding, registration control, and scalability. A new Teams events policy is available to control who can create webinars.
A November 3 announcement says that Microsoft will deprecate the bulk distribution list migration feature in the legacy EAC on February 1, 2023. Although no one will probably be surprised by the news, it’s disappointing that all Microsoft can suggest is a manual conversion process for those who want to move (simple) distribution lists to Microsoft 365 groups. Is it too much to ask to have a PowerShell script to do the job?
This article explains how to make Teams policy assignments using an Azure Automation runbook and some of the modernized cmdlets available in the Teams PowerShell module. Not everything worked as smoothly as we’d like, but like most PowerShell scenarios, there’s usually a workaround available to get the job done. It just needs to be found.
Exchange Online historical searches are the way to retrieve message trace information that’s older than 10 days (but less than 90 days). You might not have to run historical searches very often, but when you need to, you’ll be glad that the facility exists.
The 89th monthly update for the Office 365 for IT Pros eBook has been released for subscribers to download. The November 2022 update contains the normal mixture of new features, updates to existing features, corrections and clarifications, and all the other stuff that happens to keep the world’s best book covering Office 365 as up-to-date and technically accurate as we can make it.
Azure AD conditional access policies can now use an app filter based on custom security attributes to restrict access to specific apps. It’s a neat idea that should be popular in larger enterprises where the need exists to manage large numbers of apps. In other news, the Graph X-Ray tool is available in the Windows Store and a neat cmd.ms tool is available to provide shortcuts to Microsoft 365 sites.
Microsoft Cloud revenues reached $25.7 billion in Microsoft’s FY23 Q1 results. That sounds good, but it’s a slowing over the rate seen in previous quarters. It might be the case that the size of the installed base is not growing as quickly as it once did, but Microsoft is making sure that it extracts as much revenue as it can from its cloud customers. That’s a trend you can expect to continue
Azure AD conditional access policies can exert fine-grained control over the type of external users who can connect and what tenants they belong to. The new capability works especially well alongside Azure B2B Collaboration (guest users) and Azure B2B Direct Connect (used by Teams shared channels). It’s yet another way to impose control over who you allow to connect to your tenant.
Microsoft has made number matching and additional context generally available for its Authenticator app. The new capabilities help users to avoid MFA fatigue. In other words, instead of being challenged with a simple request to approve a sign-in, users must respond by entering a number selected by Azure AD. At the same time, Authenticator can display additional information, such as where the sign-in originated from. It all helps to make Authenticator a more secure way of approving user sign-ins.
Microsoft has released the preview version of the Stream migration tool to move videos from Stream classic to Stream on SharePoint. The tool uses the same Mover technology as employed to migrate data from other repositories to SharePoint Online. Generally, it works well. The big decisions are all around what content to move and what can be left behind.
Users will soon have the option to use Outlook reactions to respond to emails received from people inside the same tenant (well, it also works with some other tenants). It’s the same kind of feature that already exists in Yammer and Teams, but whether this kind of response works with email remains to be seen. It’s a cultural thing!
The new Teams Premium product ($10/.user/month) and Outlook both claim that they will support sensitivity labels and a meeting recap. That’s confusing, especially if Outlook delivers the features at no cost. However, when you look into the matter a little deeper, it’s obvious that what Teams Premium will deliver is very different to what you can expect to see in Outlook. All of which proves why it’s important to read announcements carefully and put them into context with what you already know about how products work.
In most situations, it’s a good idea to enable Azure AD accounts for SSPR (self-service password reset) to avoid the need for administrators to update user accounts when things go wrong. This article explains how to report accounts that are not yet set up to use SSPR. It’s a check that should happen regularly, perhaps with the aid of Azure Automation.
Before an app or an Azure Automation account can use the Teams PowerShell cmdlets in a script or runbook, it must have the permission to act as an administrator. In this article, we cover how to assign the necessary role to a service principal.
A reader asked how to update user email addresses and UPNs. As it turns out, this is not a very difficult technical challenge. The problem lies in the aftermath. It’s easy to update the primary SMTP address for a mail-enabled object or assign a new user principal name to an Azure AD account. Then problems might come into view, like needing to adjust the Microsoft Authenticator app to make MFA challenges work for the new UPN.
An October 14 report says that Office 365 Message Encryption shouldn’t be used because its encryption scheme might reveal email content. Well, that might be the case if an attacker can hijack connectivity from Office 365 to another email service. But the relatively low levels of OME usage and the difficulty of acquiring enough email to understand message structure makes this a less than practical attack in the wild.
This article explains how to use PowerShell and the Office 365 audit log to report Azure AD license assignments. The output isn’t pretty, but it works. The code works by finding two different audit events for each license assignment and combining information from both events to create a view of what happened. It’s rough and ready and can be improved, but the principal is proven and that’s what I set out to do.
This article describes how to use the Exchange.ManageAsApp permission to allow Azure AD apps to run Exchange Online PowerShell cmdlets. You can do this in the Azure AD admin center for registered apps, but when the time comes to allow Azure Automation runbooks to sign into Exchange Online with a managed identity, you must assign the permission to the automation account with PowerShell. Easy when you know how, hard when you don’t!
The Outlook Sweep feature is available in OWA and the Outlook Monarch client. The idea is that you clean up your mailbox by ‘sweeping’ unwanted items into somewhere like the Deleted Items folder. As it turns out, the Sweep feature uses both Inbox and Sweep rules to get its work done. Overall, Sweep is a pretty useful piece of functionality.
Teams clients now have an unread only toggle for the activity feed. The toggle hides previously read notifications to highlight messages awaiting attention by the user. Apart from hiding work you’ve already done, the toggle might just surface some items you haven’t yet taken care of.
A new setting for Azure AD conditional access policies allows organizations to dictate the authentication strength of accepted connections. This is part of a Microsoft effort to move MFA-enabled Azure AD accounts away from the relatively insecure SMS-based challenges to methods that are less susceptible to attack.
A script written by a Microsoft program manager to remove authentication methods from an Azure AD account caused me to write a script to capture all the authentication methods used in a tenant. I have other similar scripts, but this one records some additional detail for each method. And I have a moan about why the Microsoft Graph PowerShell SDK includes so many cmdlets for interacting with authentication methods. Some consolidation would be nice.
External tagging has been available for OWA, Outlook mobile, and Outlook for Mac since 2021. Now it’s coming to Outlook for Windows. Some might wonder about why it’s taken Microsoft so long to add external tagging to the Windows client. It might be that they’re waiting for the Monarch client, but it’s more likely the difficulty of retrofitting new features into the Outlook GUI.
Microsoft is moving the listing of archived mailboxes from the Purview Compliance portal to its natural home in the Exchange Admin Center. In this post, we look at how you can report the current status of archive mailboxes (both user and shared mailboxes) in a Microsoft 365 tenant.
Hidden membership is supported for Microsoft 365 Groups and distribution lists. Hidden membership means that no one except members and admins can see who’s in a group. It’s a useful feature if you don’t want people poking around to find out who’s in a group or distribution list. One thing to be aware of is that once a Microsoft 365 group has hidden membership, it has it forever. Distribution lists on the other hand can flip between hidden and visible membership.
Now that October 1 has arrived, Microsoft has started the process to permanently remove basic authentication from 7 email connection protocols. So what happens next? Well, for many organizations, not much. They’re the ones that have already transitioned to modern authentication. For others, some unpleasant surprises might lie ahead as people discover that stuff just doesn’t work anymore.