Microsoft has created an easy to use Microsoft 365 Backup solution. Its key feature is speed, including speed to restore data. I tested restores for Exchange Online (which worked) and SharePoint Online and OneDrive for Business (which didn’t). The lack of logging and error reporting when failures happen lead to frustration. Microsoft has some work to do to bulletproof this solution.
A Microsoft Technical Community article gave some interesting information about how to report soft-deleted Entra ID objects. We think we can improve the information by tweaking the script, especially to include the object type in the output. As always, you can download the script from GitHub.
If you wanted to write a PowerShell script to create a OneDrive storage report, you’d probably use the cmdlets from the SharePoint Online management module. But accessing OneDrive usage data via the Graph is much faster. And you can include information from other sources, such as user properties, to build out the report. All explained here.
Microsoft has released the preview of the Entra ID usage insights for premium license consumption. This could be the harbinger of a more restricted licensing regime for Entra ID premium features such as conditional access. Putting any barrier in place to stop more accounts being protected by multifactor authentication seems like a bad idea. Let’s hope that this isn’t the case here.
The Viva Topics retirement announced on February 22, 2024 is an inevitable side-effect of Microsoft’s ongoing focus on Copilot. It is difficult to argue against the retirement. Business, technology, and implementation factors stack up against Viva Topics. The future of Microsoft Knowledge Management is firmly in the grasp of Copilot.
Teams Tags Support for Private and Shared Channels should arrive in targeted tenants soon. The new tag capability uses channel memberships instead of the team roster. It’s a small but useful change, as is the option to start a chat with tagged members. On the downside, Microsoft is deprecating suggested tags. But on the upside, you can include emojis in tag names.
Two methods exist to exclude a SharePoint sites from Copilot being able to use its contents – you can exclude the site (or document library) from search results or use sensitivity labels. Given the choice, sensitivity labels are more flexible and powerful, but removing sites from search indexes is easier to implement.
Usually, we recommend that Microsoft 365 tenants use the latest version of the Microsoft Graph PowerShell SDK. However, a serious bug in V2.14 means that this (and perhaps V2.13.1) should be avoided until Microsoft fixes a problem that causes spurious output to be included when cmdlets like Get-MgUser and Get-MgGroup are run.
A longstanding problem (SP676147) open since September 2023 causes problems retrieving important SharePoint usage data like site URLs and user activity data. The problem shows up in the usage reports section of the Microsoft 365 admin center and affects any attempt to fetch SharePoint usage data via Graph API requests. It’s odd that the problem has lasted so long.
The Office 365 for IT Pros team welcomes Michel de Rooij as a new author. As a PowerShell Pro, he’ll like the code to update the impersonation protection list for anti-phishing policies. Or maybe he’ll rewrite it to make the code better. Either way, we win and the Mail Flow chapter should get a new lease of life.
Microsoft originally said that Copilot for Microsoft would only support the Monarch client. Now it turns out the Outlook Win32 Copilot support is coming. No formal announcement is available and Microsoft hasn’t shared when the support will turn up in an Office channel, but it’s good news that this deployment blocker is no more. And Teams has a new Copilot experience, so things are moving in the world of AI-powered assistants.
The latest version of the Microsoft 365 Licensing Report script includes code to generate cost analyses for the departments and countries assigned to user accounts. Everything works well if the properties of Entra ID user accounts are complete and accurate. Sometimes this isn’t so, and that leads to problems when attributing costs at a department or country level.
If your Microsoft 365 tenant has Entra P2 licenses, you can use the Entra Identity Secure Score feature to measure your tenant against Microsoft benchmarks and recommendations, including expiring app credentials. The fact that credentials expire is one of the reasons why I don’t use apps as much any more. Using the Microsoft Graph PowerShell SDK is just easier.
If conditional access policies impose MFA for all cloud apps, it gives external users a problem when they use Outlook desktop to read protected email. The issue is because Outlook can’t obtain a use license to decrypt the content because it can’t satisfy the MFA challenge. It’s an example of how two good parts of the Microsoft 365 ecosystem clash.
This article describes how to use the Microsoft Graph PowerShell SDK to retrieve and interpret Microsoft 365 message center posts with the intention of discovering what percentage of announcemengts end up being delayed (not being available at the predicted date). Teams makes lots of feature announcements and over 57% of those announcements are delayed.
Message center notification MC711019 covers the ability to hide the General channel for a team, a feature designed to free up space in the teams and channels list. Team members (including guests) can decide if they want to see the General channel in their list. Because teams can have up to 1,000 channels, being able to hide the General channel is a useful change.
The Microsoft Graph includes the Service Communications API. SDK cmdlets can use the API to retrieve and work with service health data. In this article, we show how to use Graph SDK cmdlets (based on the API) to fetch and work with service health data, including creating an email report to update people about the current state of tenant health.
This article explains how to check Managed Identity permissions, or rather the set of consented Graph and other permissions held by the service principals used for managed identities. These can become highly permissioned over time, and that’s why checking periodically is a good idea.
The latest version of the MSIndentityTools PowerShell module includes the Export-MsIdAppConsentGrantReport cmdlet to generate a report of OAuth app permissions. Allied with the ImportExcel module, the cmdlet can produce a very nice workbook containing lots of information about permissions held by the apps in a tenant. But even better, you can export the data to PowerShell and use it in your scripts.
A question asked if it’s possible to hide individual distribution list members. It’s easy to hide the complete membership but not as simple to hide just a few. However, an old technique dating back to the early days of Exchange Server works. Sometimes the old tricks are the best!
The February 2024 update for the Office 365 for IT Pros eBook (monthly update #104) is now available for download. Lots happened during January in terms of breakthrough announcements, hacks, new features, and deprecated functionality. All grist to the mill for a book that’s been through 104 monthly updates.
Office 365 Reaches 400 million. Well, to be precise, in their FY24 Q2 results, Microsoft said that the figure is “over 400 million paid seats,” but who’s going to quibble with the ongoing success that Office 365 has had in adding users over many years. Not much was learned about the financial impact of Copilot. We’ll have to wait to see how that plays out.
The Graph User.ReadBasic.All permission is now available for both delegated and application usage. Think before rushing to use the permission. Although the permission does what it sets out to do, the restriction on filtering means that many scenarios need the full User.Read.All permission.
A January 26 post announces the deprecation of four old Exchange audit cmdlets in favor of the Search-UnifiedAuditLog cmdlet. Removing old cmdlets is fine, but it would be nice if Microsoft took the opportunity to make Search-UnifiedAuditLog work better. Too many inconsistencies exist in how workloads provide information in audit events and Microsoft has made some recent unannounced changes.
Microsoft is changing the way that Exchange Online address book updates work to force users to use search rather than browsing through the GAL/OAB. That’s fine and should improve things. When playing with finding how many items are in the GAL, I found that the Get-MgDomainNameReference cmdlet appears to have some issues. First, it can only return up to 999 items, which isn’t a lot when you’re dealing with users and groups that have a connection to a domain. Second, it doesn’t return a nextlink, so you can never fetch all available items. It just goes to prove that Microsoft Graph PowerShell SDK cmdlets are at the mercy of the underlying APIs.
The ability to apply custom corporate branding for Entra Id screens has existed since 2020. You can update elements through the admin center or PowerShell. This article explains how to use the Microsoft Graph PowerShell SDK to customize the sign-in text and background image for the sign-in screen.
Recent attacker activity made me think that access might have been gained through an OAuth app. Keeping an eye on app permissions is important. From a PowerShell perspective, it is reasonably straightforward to retrieve details of app permissions using the Microsoft Graph PowerShell SDK. Several methods are available to do the job.
Microsoft plans to change the way that the Teams website channel tab works in early April 2024. Instead of the client opening a site, a new browser tab opens. Microsoft says that the change better aligns with best practice for web security and privacy. Even so, it creates an administrative challenge to find what teams have website channel tabs that might need to be adjusted. Fortunately, we have a script to do just that.
Lots of hype surrounds Copilot for Microsoft 365, but I like the way that Copilot for Teams extracts real value from meeting transcripts to generate meeting notes. Even better, Copilot for Teams allows meeting participants to interrogate the transcript to find questions asked and answered (or not) among other capabilities. It’s one of the most obvious ways to extract value from Copilot.
MC705357 (9 Jan 2024) says that the dynamic group rule builder in the Entra ID and Intune admin centers no longer supports the contains and notContains operators. There’s no real cause to worry because existing rules continue to work and if you need to use contains or notContains in a membership rule, you can edit the rule manually.
Microsoft’s January 15 announcement reduced deployment costs and opened the possibility for Copilot for Microsoft 365 deployments to many Office 365 tenants. Reducing costs is great, but just because Copilot for Microsoft 365 is now available to many more tenants doesn’t mean that it is a silver bullet to address all IT woes.
The essence of a good teams naming convention is simplicity and clarity. This article explains why those aspects are so important in terms of helping users. We suggest some guidelines that tenant administrators can use to make sure that their team names are simple and clear.
Entra ID registered apps can authenticate using app secrets and certificates. These credentials expire over time, so it’s good to review app credential expiration dates periodically. This article explains how to use the Microsoft Graph PowerShell SDK to generate a report about app credential expiration dates to allow tenant administrators to manage registered apps a little better…
Document mismatch notifications tell users when they apply a higher-priority sensitivity label to documents than applied to the site. Some organizations don’t like these messages because they think the notifications confuse recipients. In this article, we discuss how to use a mail flow rule to redirect the messages to an address who can help people understand how to use sensitivity labels.
Entra ID supports user extension attributes but the same facility is unavailable for group objects. That seems strange, but it might be due to the way that Entra ID thinks about group object. In any case, it’s an inconsistency that Microsoft should address. Also covered is how to report problems with Graph SDK cmdlets and a new function to help you understand the permissions needed to run a script.
Audit events generated for the new Stream look like any other SharePoint Online event. Extracting the Stream audit events takes a little more effort than before when Stream classic generated its own dedicated set of events. In this article, we examine the advanced Stream audit events that are apparently coming to Purview Audit standard customers and how to extract the Stream audit events from the unified audit log.
The Stream browser app has received a bunch of recent enhancements, some of which are still deploying to tenants. The changes make it easier for Microsoft 365 tenants work with video. While investigating recent changes, we found some stuff that works well and some limitations that we never knew about before.
A new Share Someone’s Contact Info feature is available for Teams one-to-one and group chats. The option inserts a link to the person’s profile card in a chat message. Contact information can only be shared for members of the tenant (guests are unsupported). It’s a small but useful addition to Teams chat.
Password profiles store the password settings for Entra ID user accounts. By updating the password profile, you can update an account’s password and force actions like force the user to change their password on the next sign-in or force the user to enable multifactor authentication for the account. All done with cmdlets from the Microsoft Graph PowerShell SDK.
In message center notification MC703706 Microsoft announces yet another attempt to retire the Search-Mailbox cmdlet. This time it’s due to happen in March 2024. I don’t mind Microsoft removing old technology from its products, but it’s important that the old functionality is replaced by newer, better technology. And that’s not the case here. At least, not so far.