Office 365 for IT Pros covers a wide range of administration topics relating to the wider Microsoft 365 ecosystem. Learn a lot from our practical and no-nonsense approach to coverage.
Microsoft didn’t do a great job of announcing the side-by-side viewing feature for Microsoft 365 apps. It seemed like the only reason for the feature was to drive usage for the Edge browser. As it turns out, you can choose to have Microsoft 365 apps use a different browser, and the tools to do that are now available.
Microsoft 365 includes a framework to create, send, and manage organization messages to users. It’s a good idea, but the implementation is sadly limited. First, you’re restricted to messages that Microsoft wants administrators to send to boost consumption of the Office apps. Second, you can’t customize the text or the appearance of the messages. Last, the dashboard to manage organization messages is half-finished.
Microsoft 365 tenants can select any of the verified domains for the tenant to send Microsoft 365 service messages instead of using the default domains. The update also allows tenants to choose a routable recipient (username) instead of the traditional “no-reply” address. Overall, this seems like a very easy change to implement that shouldn’t cause any problems.
The new SharePoint block download policy applies at the site level to stop users downloading files, even to work with them using the Office desktop apps. It also stops people printing and synchronizing files. In this article, we explain how to apply the policy with PowerShell, including how to apply the SharePoint block download policy to all sites assigned a certain sensitivity label.
Applying a default sensitivity label to a SharePoint Online document library is just one of the set of security and management and governance features requiring the new Syntex Advanced Management license. The new license is in preview so all the features that it covers might not be fully baked. Microsoft 365 customers might well ask if this is yet another example of Microsoft bundling features into a new paid-for add-on license. Of course it is. You don’t expect new functionality for free, do you?
Microsoft 365 message center notifications now boast a “relevance recommendation.” This is a visual marker computed by Microsoft based on aspects of the change. It’s intended as a way to highlight important changes so that administrators can dedicate more time to understanding the impact of these changes on their tenants. Sometimes the recommendation isn’t perfect, but you can tell Microsoft what you think and go ahead with your own assessment of how important any individual change really is.
A new Software Updates page in the Microsoft 365 admin center is intended to help tenant administrators keep an eye on what Office and Windows software people are using. As you’d expect, the page offers no details about non-Microsoft clients connected to Microsoft 365. That’s OK, except when work is needed to make sure that clients can cope with the effects of a massive change, like the October retirement of basic authentication for seven email connection protocols.
Message center notification MC392289 highlights the need to keep the .NET Framework and the Edge WebView2 components updated to make sure that the Teams meeting add-in works with “degradation.” No further information is offered as to why Microsoft needs to sound this warning several years after introducing the Teams meeting add-in.
The message center notifications posted in the Microsoft 365 admin center are an invaluable source of information about change in a tenant. It’s curious that some administrators don’t think they have the time to keep abreast of the changes reported in these notifications. Microsoft is steadily improving the quality of what’s posted, but delayed features remain and issue.
With the demise of the Azure AD and MSOL PowerShell modules on the horizon, it’s time to figure out how to upgrade scripts to use cmdlets from the Microsoft Graph PowerShell SDK. This article books at basic account management and shows how to update, delete, restore, and find Azure AD accounts using SDK cmdlets.
Microsoft has announced that it will be possible to recover a deleted service principal by the end of May. This is good news because it means that an accidental deletion can’t wreak the kind of havoc it can today. Microsoft hasn’t updated the APIs to manage soft-deleted service principals yet, but we can get an insight into what’s likely to happen by investigating how to manage deleted Azure AD accounts using cmdlets from the Microsoft Graph PowerShell SDK.
Microsoft has released the preview of an idle session timeout policy to control the automatic sign-out of Microsoft 365 web apps. Not every web app is covered, but those that are will be signed out automatically when one of the covered apps becomes inactive for a stated period in a browser session. At that point, Microsoft 365 signs out all the web apps and forces the user to sign in again. Sounds like a reasonable idea, and it replaces existing mechanisms available for OWA and SharePoint Online.
The Azure AD Keep Me Signed In (KMSI) feature uses a persistent cookie to allow users close and reopen browser sessions without sign-ins. If you don’t want to use KMSI, you can update Azure AD company branding to remove the option. Users will then have to reauthenticate each time they start a browser session. The decision to disable or keep KMSI is highly tenant-specific and depends on how authentication happens.
Message center notifications for service changes posted to the Microsoft 365 admin center will include monthly active user counts for affected workloads. That sounds good, until you realize some of the downloads incurred by depending on the Microsoft Graph Reports API as the source of user data. Still, it’s better than nothing and a welcome advance.
You might never need to use a break glass account, but if the need arises, you’ll be glad that you had the foresight to anticipate that bad things can happen and create a break glass account for your Microsoft 365 tenant. This article describes why you might want one or more of these accounts, their characteristics, some pitfalls to avoid, and how to check that the break glass accounts aren’t being used.
Finding the age of a Microsoft 365 tenant isn’t an important administrative operation. However, understanding how to retrieve this information (if asked) is an interesting question, which is why we spent several hours playing around with PowerShell and the Microsoft Graph to figure out how to answer the question. It’s the kind of in-depth analysis we do all the time to build content for the Office 365 for IT Pros eBook.
The Microsoft Teams feedback policy assigned to user accounts controls whether users can give Microsoft feedback through the Teams clients. Not every organization wants their users to communicate directly with Microsoft. If you’re in this category, you can disable the Give feedback option easily by updating the Teams feedback policy assigned to user accounts. All explained here!
The usage reports available in the Microsoft 365 admin center, Teams admin center, and other places now include anonymized user information by default. The new default became active on September 1, 2021 and the organization setting applies to any usage data generated by the Microsoft Graph usage reports API, which means that some scripts might create reports less interesting and useful than before. It’s a good change for privacy, but will organizations persist with the new default?
Microsoft is applying their Viva brand to the features currently known as MyAnalytics. Viva Insights will span a monthly email digest, the Outlook insights add-on, and the Insights dashboard. If you don’t want users to access these features, you can disable the features individually or remove the service plan from user licenses. The rebranding is happening now and due to complete in November.
You can now access videos and slides for sessions given at The Experts Conference 2021. The sessions cover a wide range of technology from Azure AD to Microsoft 365 to infrastructure modernization. And you can now register for TEC 2022, which will run as an in-person event in Atlanta on September 20-21, 2022. It should be great fun!
Microsoft has replaced the controls which disabled document insights in Delve with new Graph-based settings. However, you might still have a bunch of users with the Delve settings who need to migrate to the Graph settings. In this article, we explore how the settings work and how to query the Graph to find the set of users who disabled the setting in Delve. We can then use PowerShell to add those accounts to the group of disabled insights users for the Graph-based settings.
Microsoft has moved retention processing for SharePoint Online, OneDrive for Business, Teams, and Yammer from the Managed Folder Assistant to a new retention assistant. (background processing job). It’s part of an effort to use workload-agnostic processing whenever possible to perform retention actions across Microsoft 365.
In this post, we describe how to use PowerShell to remove a single service plan from Microsoft 365 licenses using PowerShell. The script can remove any service plan from any SKU (license) in a tenant. You might want to do this to disable access to an obsolete feature (like Sway) or to prevent access to a new feature until the organization is ready to support user activity.
Microsoft has updated the creation settings for security groups and Microsoft 365 groups in the Azure AD admin center. The changes impose consistency over administrator creation of these groups and probably won’t affect tenants, but it’s good to check. The change makes us ponder why Microsoft doesn’t improve the GUI for other group controls, like those controlling who can create new Microsoft 365 Groups.
Microsoft’s Whiteboard app is moving its storage off Azure to OneDrive for Business. The switchover will happen in October 2021, but tenants can opt-in to use OneDrive storage from the end of August. Some Whiteboard clients won’t be able to cope with OneDrive then, but Microsoft says that everything will be straightened out for the switchover in October. As we explain here, it’s a good idea (for many reasons) to move Whiteboard storage to OneDrive.
The message center in the Microsoft 365 admin center will soon use a new data privacy tag to highlight specific service updates to tenant administrators. No messages with the new tag have yet appeared, so it’s hard to know how Microsoft plans to use the new tag or what kind of attachments it will make available to administrators to help understand the sensitive data involved in data privacy. While we’re waiting, we took at look at the tags in use today and wrote some PowerShell to report which tag is most popular.
Office 365 tenants users will soon be able to execute self-service purchase Windows 365 licenses. That is, unless you stop them by running some PowerShell commands to disable the capability. In this article, we explain the Windows 365 options available for self-service purchase and the PowerShell commands necessary to disable the option, if you think it’s a bad idea (as some do).
Office 365 Cloud App Security (OCAS) is very good at identifying potential problems for tenant administrators to investigate. But don’t think that it’s always right. Humans are often better at resolving issues than computers are, simply because we can use our wider knowledge of how applications work and the Office 365 datacenter network to understand what might be behind an alert. Humans might be slower than computers, but when it comes to resolving OCAS alerts, we’re always better.
Licensing is everyone’s favorite topic. Combine it with information protection and governance and peoples’ eyes glaze over. Even so, it’s important to know what information protection and compliance features need which licenses as you don’t want to get into a position where something stops working because Microsoft enables some code to enforce licensing requirements. This post covers the basics of licensing and how Microsoft differentiates between manual processing and automated processing when deciding if a feature needs a standard or premium license.
The Microsoft 365 compliance center has a new content search UI. The new UI is prettier than before, but it’s also slower and more buggy. After several years of effort to develop content searches, you’d expect Microsoft to do better. A lot betterr. Unhappily, the beauty of the new interface seems to have distracted the engineers from the problems that become all too apparent when you try to use content searches to do real work. What, if any testing, was done to validate the new UI is unknown.
Compliance role groups control access to Microsoft 365 compliance functionality. A new permissions page makes it easier to manage these groups in the Microsoft 365 compliance center, where you can also manage the Azure AD roles used by Microsoft 365 compliance. If you want to generate a report about who holds what role, you’ve got to use PowerShell. The code is easy once you know which roles you want to report.
Microsoft 365 eDiscovery features will respect documented limits from May 10. The changes are likely made to conserve resources consumed by searches against the massive amounts of data now found in Office 365 tenants. The changes probably won’t affect eDiscovery investigators except in reminding everyone that the items shown in search preview are only a representative sample of what can be found by a full search.
For whatever reason, Microsoft decided to cancel plans to remove the Top Senders and Recipients report from the SCC, citing customer feedback as the reason. The thing is that the SCC report and its underlying cmdlet use an old data source. The Microsoft Graph Reports API is the modern approach and an adequate replacement usage reports is available in the Microsoft 365 admin center. I really can’t understand why anyone would want to keep the old report as it’s not very good at all.
Over time, a Microsoft 365 tenant might accumulate many Azure AD integrated apps. Do you know what these apps do or who uses them? It’s good to do a regular audit and cleanout of unwanted apps left behind for tests, trials, or expired applications. We use a script published on Practical365.com to grab the data from Azure AD and then import it into Microsoft Lists. The results we got might surprise you.
The Teams usage data reported in the Microsoft 365 admin center can now be obfuscated. Teams is the last workload to support this facility. It’s all very well to anonymize, deidentify, or obfuscate user data to protect individual privacy and it’s appropriate to do so in the Microsoft 365 admin center where people with several roles can access the data, but having a single on/off switch for data obfuscation for the Microsoft Graph Reports API is a real pain.
Office 365 administrators can update Azure AD guest accounts with photos. Guests can do the job themselves using three PowerShell commands. Other approaches work too, but this is the easiest and quickest method to do the job, especially if you have guest accounts in multiple tenants.
Organizations can choose to control updates of user photos by policy in their Microsoft 365 tenants or allow users to go ahead and use any image they like. In this article, we explore the value of having a user photo for every Office 365 account (and Teams and Groups too) and the choices organizations must make when they decide whether to control user-driven updates.
Every Microsoft 365 tenant has a tenant identifier. Sometimes you need to know what the identifier is, so here are several options to find it from PowerShell to the Azure AD portal to an external service. Tenant identifiers are public and need to be, otherwise apps wouldn’t be able to find the data they want.
A new Microsoft 365 admin center feature allows tenants to create an auto-claim policy to assign licenses when users sign into Teams for the first time. It seems like a good idea, but it’s limited by the fact that only Teams supports the auto-claim policy. No scoping exists either, which will disappoint those who like to manage licenses on a granular level. There’s some work to do before these policies will be right for everyone.
A new preview feature allows the resources available to an Azure AD guest account to be reassigned to another email address. It’s a nice feature, but Teams has some problems with it at present. On the upside, everything works great with SharePoint Online and Planner, and we’re sure that Microsoft will fix the problem with Teams soon.