Why Some Outlook Clients Encrypt Outbound Messages Differently

Outlook sensitivity labels can protect messages with rights management encryption. But looking at items in the Sent Items folder you might see different results. Some messages have sensitivity labels but don’t appear to be encrypted while others have both labels and encryption. Why should different Outlook clients produce such varying results? It’s all to do with the code built into the clients.

Generate a HTML Report of Managers and Direct Reports with the Graph SDK

Two years ago, I wrote about how to generate a report about managers and their direct reports from the information stored in Azure AD. As it turns out, the Get-User and Get-Recipient cmdlets have a little flaw that can make the data they return inaccurate. To make sure that the data is correct, a new version of the script uses cmdlets from the Microsoft Graph PowerShell SDK. We also format the output in a nicer way, so it’s all good.

Microsoft Limits Graph API Requests for User Account Data

In an unannounced move, Microsoft imposed a new limit on Graph requests using the List Users API that include the SignInActivity property. The old limit allowed a request to fetch 999 items; the new limit reduces it to 120 items. I’m sure that the change is made with the best possible motive, but introducing something like this without warning broke a lot of programs and scripts, and that’s just unacceptable.

Time Running Out for Azure AD and MSOL PowerShell Modules

Knowledge that Microsoft had plans for Azure AD PowerShell deprecation has been around for a couple of years. Now the time has come when things happen. Cmdlets that set licenses for Azure AD accounts are now retired and will stop working on or before June 30, 2023. If you haven’t already upgraded scripts, it’s time to do so.

Office 365 for IT Pros April 2023 Update Available

The April 2023 update for the Office 365 for IT Pros eBook is available for subscribers to download. There’s lots of changes throughout the book. March saw many important Microsoft announcements about technology that will affect how Microsoft 365 tenants work in the future, but there’s lots of changes happening now that we need to cover. We’re also looking forward to the 10th edition of the book, which we should deliver in July 2023.

Not a Rant About Microsoft’s Plan to Stop Old Exchange Servers Sending Email to Exchange Online

Microsoft’s plan to stop Exchange Online accepting email from unsupported Exchange Servers caused a lot of fuss and bother. Looking through the commentary and questions about the announcement, I’m not sure if people understand fully what’s happening. It seems clear to me, but as Richard Campbell of RunAs Radio fame wants me to rant about the topic, here’s my measured opinion (not a rant).

How the Request Files Feature Works in SharePoint Online

SharePoint Online now supports the Request Files feature to allow users to create links for external people to upload files to a folder in a document library. It’s a feature that will appeal to some organizations and horrify others who see the ability for external people to upload files to SharePoint Online as just another avenue for attack. The feature depends on the tenant allowing Anyone links, which are blocked by many organizations.

Microsoft Enforces New License Rules for Teams Room Devices

On March 24, Microsoft announced new rules for licensing Teams Rooms Devices. Instead of being able to assign a user subscription license (like Office 365 E3), tenants must assign a Teams Rooms Pro or Teams Rooms Standard license to the room mailboxes used by devices. If they don’t, the devices won’t be able to connect after July 1, 2023. Microsoft suggests a script to find licensed room mailboxes. It’s OK, but we can make the script run much faster, which might just be important in the types of tenants that use Teams Rooms devices.

New Teams 2.1 Client Arrives in Preview

Microsoft has made a preview version of the new Teams client available to commercial tenants worldwide. The preview runs only on Windows and isn’t yet available in browser sessions. Some functionality is missing because it’s incomplete but the new client is faster and snappier than the classic Teams client. To use the preview, you’ll need to enable the new client through a Teams update policy.

Azure AD Admin Center Moves to Microsoft Entra Admin Center

The changes in Microsoft 365 keep on coming thick and fast. Changes range from the introduction of fundamental new technology like Microsoft 365 Copilot to an update to a small product detail. In this case, the Azure AD admin center is moving to the Microsoft Entra admin center. Microsoft has its own reasons for making this change, which will ripple out across the community to affect content developers and trainers. Is that a problem? Only if you don’t respond.

Teams Files App Gets an Overhaul

Microsoft has overhauled the Teams Files App as part of its work to refresh the Teams client UI. We’re still waiting to know about the new channels experience which is supposed to appear at around the same time. This work will refresh and enhance the Teams V1 client while also appearing in the Teams V2.1 client that’s expected to be available in preview soon.

Teams Meetings Gains Green Screen Effect

The Teams green screen effect allows people to select a uniform backdrop to apply effects upon using fewer system resources and achieving a cleaner output. Not everyone has a suitable backdrop, so I used the wall behind my desk to see what the Teams green screen effect could do with it. And although some imperfections resulted from the lack of uniformity for the wall, you can still see how this will be a useful feature. That is, if you use a proper backdrop!

Microsoft Expands Multi-Factor Authentication Methods to Companion Apps

Microsoft has integrated Authenticator Lite, a subset of the full Microsoft Authenticator app, into Outlook for iOS and Android. The code allows users to respond to MFA challenges using number matching or one-time codes without leaving Outlook and is intended to help organizations deploy and manage MFA with less friction. Although you can’t use Authenticator Lite if the Authenticator app is present on the same device, integrating MFA capabilities direct into apps sounds like a great idea.

SharePoint Online Block Download Policy for Teams Meeting Recordings

SharePoint Online has a new block download file policy that stops users from downloading Teams meeting recordings. The policy applies to all sites and OneDrive for Business accounts in the tenant and is due to be part of the feature set covered by the Syntex-SharePoint Advanced Management license.

SharePoint Online Gets Closer to Azure AD

SharePoint Online is embracing Azure AD more closely by forcing new tenants to use the integration between the two Microsoft 365 components. In addition, site sharing will use the Azure AD invitation mechanism instead of SharePoint’s own code. The changes make a lot of sense and shouldn’t cause much disruption for tenants. It’s a good reminder to check the relevant policies that control external access via Azure B2B Collaboration.

Teams Enhances Audio For Meetings

Microsoft continues to improve the sound quality available in Teams meetings with support for spatial audio and ultrasound howling detection (feedback echo). Spatial audio depends on the right equipment and aims to help you know who’s speaking in a meeting. Howling detection means that Teams detects when multiple people in a physical room join a meeting and suppresses audio to avoid a feedback loop.

Document Azure AD Conditional Access Policies with the IdPowerToys App

The first app in a new community project called IdPowerToys helps Azure AD tenants to document conditional access policy settings in PowerPoint. The information used to document the CA policies is extracted (manually or automatically) from Azure AD, analyzed, and output as a PowerPoint presentation. It’s a nice way to see what CA policies exist in a Microsoft 365 tenant and helpful if you want to rationalize the set of policies in use.

Teams Includes People Insights in User Profile Card

Teams now displays People Insights on the User Profile card. The insights come from LinkedIn and Viva Insights and are intended to keep people informed. The user profile card already includes lots of information and it’s debatable whether knowing when birthdays come around for your LinkedIn contacts adds much value. As always, beauty is in the eye of the beholder.

Pragmatic and Practical Security is Better than Hard-line Security

The Azure AD sign-in frequency controls how often accounts must reauthenticate. Setting an unreasonably short value makes it more difficult for people to work because Azure AD constantly nags for credentials, including MFA challenges. I experienced the effect of such a policy last week and it wasn’t nice. Security policies need to be practical and pragmatic as well as effective.

Teams Adds Explicit Consent for Recorded Meetings

A new setting in the Teams meeting policy allows Microsoft 365 tenants to dictate that meetings organized by some or all users must gain explicit consent from users before they can be recorded. The new control is intended to help address privacy concerns that some users might have. This article describes how to apply the policy setting and its impact on meeting participants.

Teams Admin Center Options for Bulk Policy Assignments

Teams bulk policy assignment options include two features in the Teams admin center, batch jobs, Azure Automation and plain-old PowerShell. In this article, we examine the options in the Teams Admin Center to revert policy assignments back to the global (default) policy and a way to perform Teams bulk policy assignments for selected accounts. And we mention the other methods that exist which don’t involve the Teams admin center.

How Exchange Online and Outlook use Machine Learning

Microsoft uses machine learning in Outlook and Exchange Online to create the basis for what they call intelligent technology like suggested replies and text prediction. To generate the language models used to figure out how Outlook should respond to users, Microsoft needs to copy data from user mailboxes for processing. The data is removed and the results stored in user mailboxes once processing is complete. Is this an issue for Microsoft 365 tenants? It all depends on your view of how data should be processed.

Microsoft 365 Profile Card Gains Support for Pronouns

Microsoft 365 pronouns for display in apps like Teams and OWA can now be enabled on a tenant-wide basis. Displaying pronouns is a topic that can cause strong feelings for some, so organizations should take their time and plan an implementation before rushing to deployment.

Preparing for the Teams 2.1 Client to Arrive

Microsoft is dropping lots of hints to the press about the imminent arrival of the new Teams client (V2.1), due to arrive in public preview in late March 2023. According to reports, the new Teams client will deliver better performance while using 50% less memory and making fewer demands for CPU. It all sounds great. With the new client coming into sight, it’s time to prepare Teams update policies to make sure that the right users get the new software at the right time.

Microsoft Releases Version 5 of the Microsoft Teams PowerShell Module

Version 5.0 of the Microsoft Teams PowerShell module contains a major overhaul for the Get-CsOnlineUser cmdlet, which receives better filtering capabilities. The overhaul is part of Microsoft’s ongoing efforts to modernize and enhance the cmdlets inherited from the Skype for Business Online connector. Although there’s still work to do to fix some glitches, the update is welcome.

Azure AD Moves to Block OAuth App Hijacking

The new Azure AD app property lock feature (in preview) prevents attackers updating the credentials for an Azure AD enterprise app so that they can get an access token and exploit the app’s permissions. This technique has been used in several attacks, notably the infamous SolarWinds exploit in 2021. The app property lock is not mandatory and it’s important to keep on checking the audit log to make sure that attackers don’t creep into your tenant.

Comparing Azure AD Guest Accounts and Exchange Online Mail Contacts

Mail contacts have long been used by Exchange organizations to provide an identity for external people. Contacts show up in the GAL to make it easy for users to send messages to external people and they can be included in distribution lists. The downside is that mail contacts are only available to Exchange Online. Perhaps the time is right to consider switching focus to Azure AD guest accounts? We explore the option here.

Office 365 for IT Pros March 2023 Update Available

The Office 365 for IT Pros March 2023 update is available. Subscribers can download the updated files from Gumroad or Amazon. The March 2023 update contains lots of new content and changes ranging from the fallout of the Yammer rebranding to the general availability of Teams Premium. It’s an important update to download and use.

How to Use SharePoint Online’s New Block Download Policy

The new SharePoint block download policy applies at the site level to stop users downloading files, even to work with them using the Office desktop apps. It also stops people printing and synchronizing files. In this article, we explain how to apply the policy with PowerShell, including how to apply the SharePoint block download policy to all sites assigned a certain sensitivity label.

How to Run the Test-Message Cmdlet

The Test-Message cmdlet is a useful tool to check if Exchange transport rules and DLP policies work correctly. You can input a test message to see what happens as the Exchange transport service applies transport rules, DLP policies, and auto-label policies based on the message contents and properties. Nice as it is to have the Test-Message cmdlet, human knowledge of what transport rules should do is probably an even more important asset.

Outlook COM Add-Ins Nearing the End of the Line

A recent Practical365.com article got me thinking about the Report Message and Report Phishing Outlook add-ins and how the new Monarch client can’t use COM add-ins. Microsoft is busily updating its add-ins to move away from COM to embrace the new approach based on HTML and JavaScript. If Microsoft is taking this action, I hope the same is happening in ISVs and in-house development teams who generated COM add-ins in the past.

Sensitivity Bar Appears in Office Desktop Apps

The subscription versions of the Office desktop apps now boast a sensitivity bar to show users what sensitivity label applies to the document they’re working on. It’s a good change because it means that people have full access to information about available labels. You can opt to hide the sensitivity bar, meaning that you hide the name of the sensitivity label rather than the complete bar.

Exchange Online Disables New Inbound Connectors

Exchange Online will create a new inbound connector but won’t activate it until the tenant gives a business justification to Microsoft Support. The restriction applies only to tenants created after January 1, 2023. Microsoft isn’t saying why they implemented the restriction, but it’s likely because of a security concern. In any case, the deafening silence from Microsoft has left ISVs that depend on inbound connectors in a very bad place.

Microsoft Introduces New Syntex-SharePoint Advanced Management License

Applying a default sensitivity label to a SharePoint Online document library is just one of the set of security and management and governance features requiring the new Syntex Advanced Management license. The new license is in preview so all the features that it covers might not be fully baked. Microsoft 365 customers might well ask if this is yet another example of Microsoft bundling features into a new paid-for add-on license. Of course it is. You don’t expect new functionality for free, do you?

How to Disable the Viva Engage Core Service Plan

As part of its rebranding of Yammer to Viva Engage last week, Microsoft added the Viva Engage Core service plan to user accounts. Which is nice, unless a tenant had blocked Yammer. The new service plan means that accounts can now use Yammer. In many cases, it won’t matter too much that users can now access Yammer, but in other instances it will. In any case, we should tidy up by removing the Viva Engage Core service plan from any account that already blocks Yammer. Some PowerShell does the trick, but it would have been nice if Microsoft had thought things through a little more.

Exchange Online Rolls Out Improved Message Recall

Microsoft announced that the new Message Recall feature is rolling out to tenants worldwide. They hope to increase the success rate for recalls initiated by users from 40% to 90%. Significant limitations exist. Message recall only works from Outlook for Windows and recall can only handle messages that remain within the same Exchange organization. Even so, the prospect of a huge improvement in the success rate will make the new feature very attractive to the people who really need to recall a message.

Change to Microsoft Teams Free Version Means Downgraded Functionality

On April 12, 2023, Microsoft will retire the original version of Teams free introduced in 2018. If you want to stay using a free version, Microsoft has Teams for Home. However, the functionality isn’t the same and there’s no migration tools available to move from one platform to the other. In this kind of situation, it might just be time to bite the bullet and pay for Teams.

Teams and Mesh Avatars

Mesh avatars are a new visual way for people to participate in Teams meetings. A mesh avatar is a 3D representation of a person used instead of a video image. Some will consider the notion of using an avatar in a meeting abhorrent, but it’s really not that bad and can be very useful at times. Using avatars is an intensely personal decision. For some, it might be their first step into the metaverse. For others, it could be their last (until something better comes along)…

Microsoft Dumps Yammer Brand

Microsoft announced that they will rebrand Yammer as Viva Engage. The decision isn’t surprising given the relative lack of success the Yammer brand has had within Microsoft 365 since its acquisition in 2012. The hope is that the now-renamed Yammer can forge ahead and be more successful under the Viva brand. Time will tell.

Mastering the Foibles of the Microsoft Graph PowerShell SDK

After a while, you discover the holes in any technology. In the case of the Microsoft Graph PowerShell SDK, some inconsistencies await unwary developers. The SDK doesn’t like $Null, doesn’t support pipelining, insists on specific property casing at times, sometimes accepts user principal names and sometimes doesn’t, and sticks valuable data in hash tables hiding in a property you might know nothing about. Good as it is to have the SDK cmdlets, they need to be treated with care as you transition from the old Azure AD and MSOL modules.