Update Entra ID User Role Permissions to Secure Your Tenant

The user authorization policy defines user role permissions, or actions that non-admin users can take within an Entra ID tenant. The default settings are silly. I can’t think of good reasons to allow non-admin users to create new registered apps, tenants, or security groups. Why default settings allow these actions is a mystery, and it could be they’re just outdated.

Microsoft Launches Support for Entra ID External Authentication Methods

In a May 2 announcement, Microsoft said that they have signed up 9 ISVs to add support for Entra ID authentication methods. The third-party methods work the same way as native Entra ID authentication (like the Authenticator app), meaning that verified connections can be used by other Entra solutions like Privileged Identity Management.

Teams Adds Background Effects for Mobile Video Messages

The Teams iOS client can send one-minute Teams video messages (or clips) to chat or channel conversations. Now, the videos can use image or blur backgrounds. Nice as it is to be able to expose your artistic side in Teams messaging, the compliance problem with Teams video messages remains. If you allow users to send video messages, remember that they could use this route to get around compliance barriers.

More Microsoft Graph PowerShell SDK Problems

Some problems emerged in V2.17 and V2.18 of the Microsoft Graph PowerShell SDK. In one case, Microsoft changed cmdlet names. In another, it’s an identity issue caused by incompatible assemblies. In both cases, questions have to be asked about the level of testing done by Microsoft before they release a new module. Bugs do happen, but testing should catch the obvious problems.

Microsoft Retires Stream Mobile App

On May 2, 2024, Microsoft announced the retirement of the Stream Mobile app on July 1, 2024. It’s all to do with rationalization and focus, or so Microsoft says. In any case, the suggested replacements are the OneDrive and Microsoft 365 apps, both of which are capable of handling video uploads, management, and playback.

Removing Outlook Add-ins From Mailboxes with PowerShell

The Share to Teams Outlook add-in posts an email to a Teams chat or channel conversation. I was asked how to disable the add-in for some mailboxes. Here’s how to do the job using PowerShell to find a set of target mailboxes and then turn off Send to Teams for each mailbox.

Office 365 for IT Pros May 2024 Update Available

Another month, another update for the Office 365 for IT Pros eBook. In this case, it’s monthly update #107 for Office 365 for IT Pros (2024 edition), now available for download by subscribers from Gumroad.com and Amazon.com. Like every month, update #107 contains a mixture of new features and revised knowledge, all essential information for Microsoft 365 tenant administrators to have.

Disabling Bits of Copilot for Microsoft 365

The Copilot for Microsoft 365 license has 8 service plans to govern feature availability. You can disable individual components, if you know what you’re doing. One thing that’s not possible is to disable Copilot for individual Office apps. A single service plan covers all the “productivity apps,” so they’re either all on or all off.

Teams Classic Client Slipping Away

The Teams classic client has been replaced by the Teams 2.1 client. Microsoft will block access to the Teams classic client for people running the app on unsupported platforms in October 2024. The final block swings into place for everyone on July 1, 2025. The migration to the new client appears to be going well, so I’m not sure if many will miss the old client.

Microsoft Cloud Exceeds 50% of Microsoft Total Revenues

The Microsoft FY24 Q3 results didn’t contain any new user numbers for Office 365 or Teams. However, we did learn that Copilot and Azure are popular words in the Microsoft lexicon. As usual, statistics were introduced without context, but investors won’t really care too much as Microsoft continues to generate tons of revenue at a healthy margin, especially from its cloud business.

Teams Meet Now Feature Gets a Makeover for Group Chats

Teams group chats are getting a new Meet Now experience. Is that good news? Well, it’s not an earthshattering change, but it is a nice change because it simplifies the way the Meet Now feature works. It’s the kind of change that software vendors make to tidy up the loose ends in a product.

Sending Urgent Teams Chats with PowerShell

A reader asked if it is possible to script sending chat messages. In this article, we explore how to compose and send Teams urgent messages to a set of recipients using Microsoft Graph PowerShell SDK cmdlets. The conversation with each recipient is a one-to-one chat that Teams either creates from scratch or reuses (if a suitable one-on-one chat exists).

How to Remove a Single Service Plan from User Accounts with PowerShell

Some years ago, I wrote a script to demonstrate how to remove service plans with PowerShell. This article describes some upgrades to make the script even better by improving the code and leveraging complex Microsoft Graph queries against the license information stored for Entra ID user accounts. It’s PowerShell, so feel free to change the script!

Disappointing Session Schedule for M365 Conference

The M365 Conference takes place in Orlando, FL from April 28 to May 2, 2024. I have two sessions, but my attempts to find sessions that cover all of Microsoft 365 failed because there’s no coverage of Entra ID and Exchange Online. Instead, the Microsoft priorities like Copilot, Viva, and SharePoint take front and center stage. I think that’s a pity, but maybe the reason is because speakers don’t submit sessions covering Entra ID and Exchange Online topics?

Removing Licenses from Entra ID Accounts When a Replacement License Exists

License management is a core competence for Microsoft 365 tenant administrators. This article explains how to use PowerShell to remove licenses from accounts when an equivalent service plan is available from another license. It’s the kind of fix-up operation that tenant administrators need to do on an ongoing basis.

Microsoft Graph Activity Logs Hit General Availability

April 11 saw the general availability of Microsoft Graph activity logs, a new set of data recording details of Graph API HTTP requests made in a tenant. The logs are intended to help security analysts understand actions taken by apps in a tenant such as data access or configuration updates. Before working with Graph activity logs, security analysts will need to understand Graph API requests and the context in which they’re made.

How to Create a Password Expiration Report

Although the trend is toward password authentication, many Microsoft 365 tenants still use passwords and some force users to change passwords regularly. This article explains how to create a password expiration report with PowerShell. The script caters for where a tenant password expiration policy is set for passwords to never expire. If nothing else, it’s yet another example of how to extract information using PowerShell.

Exchange Online Moves to Tighten Platform Security

Exchange Online announced two important changes on April 15. SMTP AUTH is being deprecated and a new external recipient rate limit is being introduced. The changes are intended to improve the security of Exchange Online. The introduction of an external recipient rate limit is also intended to reduce the ability of spammers to abuse the platform.

Maester: Microsoft Security Test Automation Framework

The Maester tool is a community initiative to create a tool to help tenant administrators improve the security of their Entra ID tenants. It’s still in its early stages, but even so Maester shows signs that it will be a valuable asset for administrators who want to learn more about securing their tenant against possible external compromise.

Teams Adds Support for Customizable Group Chat Pictures

Microsoft Teams now boasts the ability to add customizable group chat pictures to what might be otherwise a set of chats with not-very-good generated pictures. The idea is to make it easier for people to find the right group chat in their chat list. Of course, it might be difficult to find just the right picture to use, but Microsoft has selected 36 illustrations and there are over 1,800 emojis to choose from.

Security and Privacy Concerns Continue Swirling Around the new Outlook for Windows

Monarch client security became an issue last year when a German website reported some issues. It turns out that the reported problems are mostly hyperbole, but that hasn’t stopped them persisting, especially when email client competitors like Proton weigh in. It’s regrettable that much of the commentary is based on an incomplete understanding of how Monarch works, but Microsoft doesn’t help themselves by not explaining the facts.

Upgrade Classic Azure Administrator Roles by August 2024

A recent note from Microsoft advised that if your tenant uses classic Azure administrative roles, you need to switch to Azure RBAC roles by 31 August 2024. This forced me to think about how many Azure services my tenant consumes. The number was surprising and it’s grown over time, which is why Microsoft 365 tenant admins should pay attention to Azure.

Modifying the Teams Tenant Federation Configuration with PowerShell

A new parameter for the Set-CsTenantFederationConfiguration cmdlet made me look at the Teams tenant federation configuration again to improve how a script works. Instead of taking all the domains guest accounts came from and adding them to the configuration, I created a function to check if the tenant uses Microsoft 365. If it does, we add the tenant to the allow list in the tenant federation configuration. If not, we ignore the domain.

How to Retrieve Loop Workspaces Data with PowerShell

A previous attempt to write a script to report all Loop workspaces in a tenant was flawed because it only retrieved the first 200 workspaces. I hadn’t realized that the Get-SPOContainer cmdlet supported an odd form of pagination to retrieve workspace data. In any case, I figured out how to page to find all available workspaces and updated the script. It’s just another example of oddness in the SharePoint Online PowerShell module.

Microsoft Toughens Premium Sensitivity Label License Requirements

According to Microsoft 365 notification MC736438, Microsoft is getting tougher at enforcing the rules for Purview information protection licenses. In a nutshell, if administrators and end users don’t have premium licenses, features like automatic labeling policies or default sensitivity labels for document libraries won’t work. Users can still apply sensitivity labels manually.

Microsoft Increases Number of Self-Purchase Product Licenses to 25

A new major version of the MsCommerce PowerShell module makes you hope that something good is included in the new code. In this case, it’s hard to know if the developers did anything but increase the major version number for the MsCommerce module. Not much has changed. The module is as bad as ever, but at least it can be used to disable self-purchases of all supported licenses, which is all that’s really important.

Interpreting Audit Events for Copilot for Microsoft 365

The unified audit log includes Copilot for Microsoft 365 audit events captured when users interact with Copilot through apps. The information is very helpful in terms of understanding the usage of Copilot in different apps (apart from Outlook, which isn’t captured). Some care needs to be taken to understand the data and interpret the audit events, but that’s usual when dealing with Microsoft 365 audit data.

The New Manage Distribution Groups OWA Component Has a Problem with Role Assignments

Microsoft announced a new component for OWA distribution list management but clearly the engineers never took role assignment policy customizations into account. If they had, they wouldn’t have created something that ignores the way organizations block end user ability to create new distribution lists. It’s just a sad indication of Microsoft’s attitude to one of the workhorses of Exchange.

Office 365 for IT Pros April 2024 Update

The April 2024 update for the Office 365 for IT Pros eBook is now available for subscribers to download from Gumroad.com or Amazon.com. Like every month, update #107 covers lots of new material to document the changing landscape of Microsoft 365. The author team would appreciate if subscribers download and use the updated version – there’s no point in using old stuff to navigate an ecosystem that changes all the time.

SharePoint Marks Its 23rd Anniversary

On March 27, SharePoint history reached its 23rd year. That’s a great achievement and SharePoint Online powers many apps. But dark clouds are on the horizon as information governance becomes a real issue for Microsoft 365 tenants. Too much information that is never cleared out is held in SharePoint, a fact revealed by the ability of Copilot to find and consume documents.

All About Microsoft 365 Tenant Identifiers

Every Microsoft 365 tenant has a tenant identifier, a unique GUID that’s used within the Entra ecosystem to identify a tenant and its objects. Much has changed since I last wrote about this topic in 2021, including the introduction of new Graph APIs to resolve tenant names to identifiers and vice versa.

How Many Licensed Microsoft 365 Accounts Use the Loop App?

After the welcome announcement that the Loop app will support external access, thoughts might turn to figuring out who uses the app. Fortunately, it’s easy to answer the question by using data extracted from the unified audit log. Activity records tell us about both licensed user interaction and unlicensed user activity. It’s good to know what people are up to.

Search-UnifiedAuditLog Gets High Completeness Capability

A new preview feature supports high completeness audit log searches. These searches are optimized to make sure that they find every matching audit instead of finishing as quickly as possible. High completeness audit log searches do take more time but their results are accurate and they find more records than Search-UnifiedAuditLog was able to in the past. Looks like a good new feature.

Microsoft Grounds Copilot Apps with Graph and Web Content

Message center notification MC734281 explains that Copilot for Microsoft 365 will get better grounding for Word, Excel, PowerPoint, and OneNote from April 2024. After the update, the apps will be able to ground user prompts by using Graph and web searches to find relevant information. Being able to generate accurate text seems like a good thing for an AI tool, and there’s no doubt that better grounding will help. But why is it appearing six months after the general availability of Copilot for Microsoft 365?

Graph and PowerShell Hiccups for the Groups and Teams Report Script

The Microsoft 365 Groups and Teams Activity Report is a PowerShell script that I’ve worked on since 2016 (not all the time). Some recent Graph hiccups meant that I had to apply some fixes and workarounds. At the same time, some users hit the infamous ‘not recognized as a valid datetime’ problem, so another update was needed. All good, clean fun.

Understanding How Much Microsoft 365 Backup Charges to Protect Data

Microsoft 365 Backup costs are charged on a PAYG basis against an Azure subscription. You pay a flat fee of $0.15 per month per gigabyte of protected content. This article discusses calculating the sizes of protected data and reports the costs accrued over two months.

Does Microsoft Care about SharePoint Online PowerShell?

Microsoft’s support for SharePoint Online PowerShell has degraded over the last few years. PnP.PowerShell is now the best option as not much is happening in the official SharePoint Online management module or the tenant settings Graph API. The lack of progress is a pity, but perhaps it’s also true that community-driven projects sometimes deliver better results.