The Importance of the Office 365 Audit Log for IT Forensics

Microsoft DART (cybersecurity response team) published an interesting article about the essential sources of Microsoft 365 audit data used for forensic investigations. The Office 365 audit log gets a big mention and DART seems pretty impressed by the new audit log search that’s available in preview in the Purview Compliance portal. I’m not impressed by the performance of the new interface and will continue to use PowerShell. As it turns out, so will DART.

Sharing Excel Workbooks in Teams Meetings

Teams meeting participants can open Excel workbooks through the Share Tray and collaborate with everyone in the meeting through Excel Live. The new feature builds on several existing capabilities, including co-authoring and autosave for Office documents and it’s a useful addition to how people can work together during online meetings. The only thing to remember is that all the workbooks used by Excel Live need to be in OneDrive for Business, but that shouldn’t be a big issue.

Teams Adds Video Messages to Chats

Teams video messages are clips of up to 1 minute in length that can be sent in 1:1, group, and meeting chats. They’re a powerful way to deliver a message to chat participants, but they come with a downside in that support for eDiscovery is poor. But that’s not a reason to eschew their usage. Who doesn’t like receiving video messages from their closest friends?

Checking Audit Logs for Azure AD Consent Permission Grants

Audit logs hold lots of information, including records for when Azure AD consent permission grants happen. Checking the audit data can detect illicit grants. Records are in the Azure AD audit log and are also ingested into the Office 365 (unified) audit log, so there’s two places to check. The audit data is interesting and could help administrators work out if a permission grant is illicit. But only if checks are made and people review the reports.

Outlook for Windows Gets Loop Components

Like OWA and Teams chat, Outlook for Windows boasts the ability to add Loop components in messages. The implementation is very similar to OWA, as you’d expect, which means that some of the same shortcomings seen in OWA are in Outlook for Windows. Such is life.

Microsoft Brings Scheduled Send to Teams Chat

The Teams scheduled send feature allows users to set a time when Teams will deliver chat messages. The feature works for Teams enterprise and consumer users. It isn’t available for channel conversations. If you’re used to the delayed send feature in OWA and Outlook, you’ll know the value of being able to schedule a message to arrive at the most appropriate time!

Recording Video Feature Now Available for Stream for SharePoint

The Stream for SharePoint browser client includes the ability for people to record short (up to 15 minute) videos. The input comes from workstation cameras (including software cameras like Snap Camera) or the screen. Videos are stored in OneDrive for Business and can be updated and shared from there. The question we have is what role will Clipchamp play in the Microsoft 365 video playbook?

End of the Road for Teams Linux Desktop Client

According to notifications sent by Microsoft to customers that have users of the Teams Linux client, Microsoft plans to retire the client in early December and replace it with a progressive web app (PWA). The news is not unexpected. The Teams Linux client has always lagged its Windows and macOS counterparts and was buggy to boot.

Microsoft Launches Expanded Reactions for Teams

Instead of being limited to five emojis to express reactions to Teams chat and channel messages, Microsoft is making over 800 emojis available as expanded reactions. Whether this will make any difference to the way anyone uses Teams is entirely personal. For me, I think I shall remain content by using the limited set available to date because it’s just too much hard work to choose from over 800 options.

Exchange Online Statistics Revealed at MEC 2022

Microsoft revealed some interesting Exchange Online statistics at the MEC 2022 event. 300 K physical mailbox servers is a staggering amount, but 7.3 billion mailboxes might be even more surprising. Also at MEC we discovered more about the campaign to remove basic authentication from Exchange Online and how well Microsoft’s Greg Taylor can communicate in Irish when he presents about the deprecation of basic authentication.

Viva Engage Storyline Appears in Preview

Viva Engage Storyline is a new way of posting information to Yammer. Instead of posting to communities, people can post to their personal storyline, with the aim of fostering better communication and creating their personal brand. Storyline works in both the Viva Engage app in Teams and the traditional Yammer browser UI. It’s a nice way to post stuff when you don’t have a good home for the information, but I do have a nagging doubt that storyline is just another way to share information inside Microsoft 365, which is exactly what’s needed.

Outlook Automapping and Offline Files

Outlook automapping is usually a good thing. Exchange marks a mailbox after a user receives full access permission for the mailbox. Autodiscover publishes details of the new access, and Outlook adds the mailbox to its resource list. But Some downsides exist, like the size of the OST, which mean that sometimes it’s better to add a mailbox manually to Outlook and forget about automapping.

MEC and TEC in Two Weeks

Over the next two weeks, I’ll attend and present at the Microsoft Exchange Conference and The Experts Conference (MEC and TEC). It should be fun! It’s nice to see conferences gradually returning to normal. I prefer in-person events and am looking forward to TEC in Atlanta on September 20-21. Before then, there’s the small matter of presenting two sessions at MEC 2022.

Tips for Working with the Graph Usage Reports API

This article offers some tips about working with the Microsoft Graph Usage Reports API. In particular, we cover how to detect if the concealment of display names setting is active and how to reset it to allow display names appear in reports. We also cover the strangeness of some of the numbers reported for Teams message counts.

Teams Reactions Captured in Audit Records

Every time someone reacts to a message in a team chat or channel conversation, Teams captures an audit record and sends it to the Office 365 audit log. The Teams reactions audit records are an interesting source of information. In this article, we show how to use PowerShell to interpret the contents of the reactions, and how to use the data to find the underlying messages.

Microsoft to Close Cortana Scheduler Service

After debuting in summer 2021, the Microsoft Cortana Scheduler service will close on September 1, 2023. High cost and a lack of users are among the likely causes for Scheduler’s demise, but it wouldn’t be surprising to see it reappear in the future as part of a high-end Office 365 or Microsoft 365 bundle.

Updating Extension Attributes for Azure AD Registered Devices with the Microsoft Graph PowerShell SDK

Azure AD registered devices have 15 extension attributes that tenants can use for their own purposes. In this article, we explore how to use the Microsoft Graph PowerShell SDK to update extension attributes for registered devices, and even better, access the content in the extension attributes afterward.

Microsoft Sets Out to Block Unmanaged Azure AD Guest Accounts

Microsoft launched an effort on September 2 to stop the creation of any more unmanaged Azure AD accounts in unmanaged tenants. A set of tools is available to help tenants to find unmanaged accounts and reset them by reissuing invitations to the affected guest members. There’s not much to complain about, but it is something to understand.

Outlook’s Strange Archive Folder

Outlook logo

Outlook boasts a useless Archive folder. At least, I can’t come up with any good reason to use the Archive folder. It only confuses people in discussions about archiving. The one good thing I discovered when I revisited the topic is that a registry key exists to stop Outlook moving items into the Archive folder with the backspace key.

Monthly Update 87 for the Office 365 for IT Pros eBook

The September 2022 update for the Office 365 for IT Pros (2023 edition) eBook is now available. This is monthly update 87 in a series stretching back to May 2015. Subscribers of the EPUB/PDF version can download the updated files from Gumroad,com while those who bought the Kindle version from Amazon will have to contact Amazon support. Now on to update #88!

Lessons Learned from Using Azure Automation with PowerShell Scripts

I’ve spent some time investigating Azure Automation PowerShell recently. In this article, I discuss three learnings that might be of interest to others. Debugging, cost, and tracking the use of Azure Automation PowerShell might not interest everyone, but they’ve certainly helped me to understand how the platform works.

How to Restrict the Creation of Regular Microsoft Teams Channels

No Teams administration policy controls the creation of regular channels. Policies are there to control the creation of shared and private channels, but not the regular variety. Team owners can restrict creation on a team-by-team basis, but if organizations want to apply central control, they’ll need to do it with PowerShell.

Use Graph Explorer to Sign into Microsoft 365 Tenants as a Guest

A little known fact about the Graph Explorer utility is that you can use it to sign into a tenant using a guest access. This might or might not be a good idea, but if you don’t want people to do this, it’s easy to block guest access by either disabling user access to the app (crude) or using a Conditional Access policy (much nicer).

Yammer Powers Viva Engage and Teams Q&A

Some recent announcements have shown Yammer’s new direction. The Communities app is now Viva Engage and Teams Meeting Q&A app is powered by Yammer. That’s all good because it negates some of the tension between Teams and Yammer in terms of positioning within Microsoft 365. The messages that make up Q&A in Teams meetings are captured for compliance purposes, and that’s also a good thing.

More Issues with Exchange Online Mailbox Audit Events

In March 2020, I wrote about mailbox audit events for Office 365 E3 accounts not showing up in the Office 365 audit log. As far as I can tell, Exchange Online deals with new mailboxes properly now. However, there might be some mailboxes in your organization that aren’t generating the audit records you thought they are… so it’s time to check.

Analyzing Document Label Mismatch Audit Records

Document label mismatches happen when users create, upload, or update Office documents in SharePoint sites and give the documents a higher-priority sensitivity label than the one assigned to the site. When this happens, SharePoint Online creates a DocumentSensitivityMismatchDetected audit event. Unhappily, that event doesn’t tell us who caused the mismatch, but some work with PowerShell reveals all.

Start Teams Group Chats with Distribution Lists, Groups, and Tags

A new feature allows Teams users to start new group chats by adding participants from the membership of distribution lists, Microsoft 365 groups, or mail-enabled security groups. It’s a neat way to add up to 249 participants to a new group chat. And while we’re covering the topic of adding people to group chats, we also mention the oft-overlooked feature that allows Teams tags to be used for this purpose.

The Odd Azure AD Selected Visibility is Not Allowed Problem

Like all apps, the Azure AD Admin center has its own quirks and inconsistencies. In this article, we cover issues creating groups when the admin center doesn’t apply sensitivity label container management settings properly, and group-based license management, which only works if the group’s security enabled property is set correctly.

How to Define a Default Sensitivity Label for a SharePoint Online Document Library

Microsoft is rolling out the public preview of the ability to set a default sensitivity label for SharePoint Online document libraries. This is likely to be a premium feature when it is generally available. For now, Office documents are supported, but Microsoft promises to support PDFs in the future.

Detecting Exchange Online Shared Mailboxes That Need Licenses

Exchange Online shared mailboxes only need licenses if they have an archive, exceed 50 GB in size, or are on litigation hold. The rules are there, but how many tenants check their shared mailboxes to make sure that they’re in compliance. This article explains how to use PowerShell to detect shared mailboxes that need licenses.

Report the Membership of Teams Private Channels

In this article, we explain how to create a report about the Teams private channels found in a tenant together with the members and owners of each channel. The PowerShell script is relatively straightforward and once the data is extracted from Teams, it can be sliced and diced in different ways.

Using Azure Key Vault with Microsoft 365 PowerShell

A previous article explains how to use an Azure Automation runbook to write information to a SharePoint Online site and Teams channel. At the time, I used a stored credential to authenticate and access SharePoint and Teams. Azure Key Vault offers another way to store secrets (bits of information) securely. This article explores how to store secrets in Azure Key Vault and retrieve and use the secrets in a runbook script and interactive PowerShell.

Microsoft Announces New Yammer Administrator Role

A new Yammer administrator role is available in Azure AD. Assignees of the new role become Yammer verified admins and can make changes to both native and non-native Yammer networks. It’s nice to see the new role appearing in Azure AD and no doubt it will be useful to Microsoft 365 tenants that use Yammer, but why did it take so long to happen?

Using the Get-AssociatedTeam Cmdlet to Report Team Memberships

The Get-AssociatedTeam cmdlet is part of V4.6 of the Microsoft Teams PowerShell module. It reports the membership a user account has in teams, including where the account has direct membership of shared channels. The cmdlet makes it easy to generate a report of teams membership, and the PSWriteHTML module makes it easy to output nice PDF reports.

Microsoft Reducing Recovery Time for ex-Inactive Mailboxes to 30 Days

Microsoft plans to reduce the recovery period for inactive mailboxes newly released from retention holds and policies from 183 to 30 days. The change will be implemented worldwide by the end of September. The reduction in recovery time sounds seriously but it’s really not. If you haven’t figured out that you need to recover some data from an old inactive mailbox within 30 days, the data probably isn’t needed. And anyway, if you really want to, you can keep inactive mailboxes forever.

Populate the Membership of a Teams Shared Channel for All Users

This article explains how to populate the membership of a Teams shared channel using PowerShell. The idea is to create a shared channel that’s used for organization-wide communications, like a HR questions and answers channel. Alternatives like using a dynamic Azure AD group with a filter to find Teams users are also considered.

Upgrading the Microsoft 365 User Activity Report with a 180-day Lookback Period

A new version of the Microsoft 365 user activity report PowerShell script is available. This version extends the activity lookback period to 180 days, which is helpful when assessing if user accounts are active when people might be on parental leave or sabbaticals.

Microsoft Revamps Its Guidance for Data Lifecycle and Records Management Licensing

In a welcome move, Microsoft has revamped its guidance for Microsoft 365 compliance licensing, specifically for Data Lifecycle and Records Management. The new text is much clearer about when different licenses are needed to use a feature, which is goodness even if you disagree that a feature should need a high-end license. Now if only Microsoft could do the same for the rest of its documentation…

Microsoft Releases 42 New Sensitive Information Types

Microsoft has released 42 new sensitive information types (SITs) in preview. The new SITs cover credentials used in services such as Azure, GitHub, Amazon, and Google, and can be deployed in Purview solutions like DLP and auto-labeling policies.