The usage reports available in the Microsoft 365 admin center, Teams admin center, and other places now include anonymized user information by default. The new default became active on September 1, 2021 and the organization setting applies to any usage data generated by the Microsoft Graph usage reports API, which means that some scripts might create reports less interesting and useful than before. It’s a good change for privacy, but will organizations persist with the new default?
Microsoft is applying their Viva brand to the features currently known as MyAnalytics. Viva Insights will span a monthly email digest, the Outlook insights add-on, and the Insights dashboard. If you don’t want users to access these features, you can disable the features individually or remove the service plan from user licenses. The rebranding is happening now and due to complete in November.
You can now access videos and slides for sessions given at The Experts Conference 2021. The sessions cover a wide range of technology from Azure AD to Microsoft 365 to infrastructure modernization. And you can now register for TEC 2022, which will run as an in-person event in Atlanta on September 20-21, 2022. It should be great fun!
Microsoft has replaced the controls which disabled document insights in Delve with new Graph-based settings. However, you might still have a bunch of users with the Delve settings who need to migrate to the Graph settings. In this article, we explore how the settings work and how to query the Graph to find the set of users who disabled the setting in Delve. We can then use PowerShell to add those accounts to the group of disabled insights users for the Graph-based settings.
Microsoft has moved retention processing for SharePoint Online, OneDrive for Business, Teams, and Yammer from the Managed Folder Assistant to a new retention assistant (background processing job). It’s part of an effort to use workload-agnostic processing whenever possible to perform retention actions across Microsoft 365.
In this post, we describe how to use PowerShell to remove a single service plan from Microsoft 365 licenses. The script can remove any service plan from any SKU (license) in a tenant. You might want to do this to disable access to an obsolete feature (like Sway) or to prevent access to a new feature until the organization is ready to support user activity.
Microsoft has updated the creation settings for security groups and Microsoft 365 groups in the Azure AD admin center. The changes impose consistency over administrator creation of these groups and probably won’t affect tenants, but it’s good to check. The change makes us ponder why Microsoft doesn’t improve the GUI for other group controls, like those controlling who can create new Microsoft 365 Groups.
Microsoft’s Whiteboard app is moving its storage off Azure to OneDrive for Business. The switchover will happen in October 2021, but tenants can opt-in to use OneDrive storage from the end of August. Some Whiteboard clients won’t be able to cope with OneDrive then, but Microsoft says that everything will be straightened out for the switchover in October. As we explain here, it’s a good idea (for many reasons) to move Whiteboard storage to OneDrive.
Office 365 tenant users will soon be able to make self-service purchases of Windows 365 licenses. That is, unless you stop them by running some PowerShell commands to disable the capability. In this article, we explain the Windows 365 options available for self-service purchase and the PowerShell commands necessary to disable the option, if you think it’s a bad idea (as some do).
Office 365 Cloud App Security (OCAS) is very good at identifying potential problems for tenant administrators to investigate. But don’t think that it’s always right. Humans are often better at resolving issues than computers are, simply because we can use our wider knowledge of how applications work and the Office 365 datacenter network to understand what might be behind an alert. Humans might be slower than computers, but when it comes to resolving OCAS alerts, we’re always better.
Licensing is everyone’s favorite topic. Combine it with information protection and governance and people’s eyes glaze over. Even so, it’s important to know what information protection and compliance features need which licenses as you don’t want to get into a position where something stops working because Microsoft enables some code to enforce licensing requirements. This post covers the basics of licensing and how Microsoft differentiates between manual processing and automated processing when deciding if a feature needs a standard or premium license.
The Microsoft 365 compliance center has a new content search UI. The new UI is prettier than before, but it’s also slower and more buggy. After several years of effort to develop content searches, you’d expect Microsoft to do better. A lot better. Unhappily, the beauty of the new interface seems to have distracted the engineers from the problems that become all too apparent when you try to use content searches to do real work. What testing, if any, was done to validate the new UI is unknown.
Compliance role groups control access to Microsoft 365 compliance functionality. A new permissions page makes it easier to manage these groups in the Microsoft 365 compliance center, where you can also manage the Azure AD roles used by Microsoft 365 compliance. If you want to generate a report about who holds what role, you’ve got to use PowerShell. The code is easy once you know which roles you want to report.
Microsoft 365 eDiscovery features will respect documented limits from May 10. The changes are likely made to conserve resources consumed by searches against the massive amounts of data now found in Office 365 tenants. The changes probably won’t affect eDiscovery investigators except in reminding everyone that the items shown in search preview are only a representative sample of what can be found by a full search.
For whatever reason, Microsoft decided to cancel plans to remove the Top Senders and Recipients report from the SCC, citing customer feedback as the reason. The thing is that the SCC report and its underlying cmdlet use an old data source. The Microsoft Graph Reports API is the modern approach and an adequate replacement usage report is available in the Microsoft 365 admin center. I really can’t understand why anyone would want to keep the old report as it’s not very good at all.
Over time, a Microsoft 365 tenant might accumulate many Azure AD integrated apps. Do you know what these apps do or who uses them? It’s good to do a regular audit and cleanout of unwanted apps left behind for tests, trials, or expired applications. We use a script published on Practical365.com to grab the data from Azure AD and then import it into Microsoft Lists. The results we got might surprise you.
The Teams usage data reported in the Microsoft 365 admin center can now be obfuscated. Teams is the last workload to support this facility. It’s all very well to anonymize, deidentify, or obfuscate user data to protect individual privacy and it’s appropriate to do so in the Microsoft 365 admin center where people with several roles can access the data, but having a single on/off switch for data obfuscation for the Microsoft Graph Reports API is a real pain.
Office 365 administrators can update Azure AD guest accounts with photos. Guests can do the job themselves using three PowerShell commands. Other approaches work too, but this is the easiest and quickest method to do the job, especially if you have guest accounts in multiple tenants.
Organizations can choose to control updates of user photos by policy in their Office 365 tenants or allow users to go ahead and use any image they like. In this article, we explore the value of having a user photo for every Office 365 account (and Teams and Groups too) and the choices organizations must make when they decide whether to control user-driven updates.
Every Microsoft 365 tenant has a tenant identifier. Sometimes you need to know what the identifier is, so here are several options to find it from PowerShell to the Azure AD portal to an external service. Tenant identifiers are public and need to be, otherwise apps wouldn’t be able to find the data they want.
A new Microsoft 365 admin center feature allows tenants to create an auto-claim policy to assign licenses when users sign into Teams for the first time. It seems like a good idea, but it’s limited by the fact that only Teams supports the auto-claim policy. No scoping exists either, which will disappoint those who like to manage licenses on a granular level. There’s some work to do before these policies will be right for everyone.
A new preview feature allows the resources available to an Azure AD guest account to be reassigned to another email address. It’s a nice feature, but Teams has some problems with it at present. On the upside, everything works great with SharePoint Online and Planner, and we’re sure that Microsoft will fix the problem with Teams soon.
The Office 365 audit log is packed full of information about what happens inside workloads. New events show up all the time. The question is how to understand what actions these events relate to. We outline a simple procedure to discover the presence of new audit events and dive into the investigation of an event called Consent to application, which is pretty important in the context of recent high-profile attacks.
From April 2021, Exchange Online will apply hard limits for the number of messages a mailbox can receive per hour. The limit remains the same (3,600), but now Exchange will block the mailbox receiving any more email for an hour. The new version of the Exchange Admin Center (EAC) promises to highlight problem mailboxes so that admins can ask owners why their mailboxes receive so much email.
Audit records are a great way to gain an understanding of what happens inside Office 365. We use PowerShell to report actions taken with sensitivity labels such as protecting files and containers. The latest development is the addition of support in the Microsoft 365 apps for enterprise (Office desktop) to log audit events when users interact with sensitivity labels. Unsurprisingly, more events are often logged by the desktop apps than their online equivalents.
Microsoft’s Edge browser recently introduced sleeping tabs to conserve resources. Although this is a good idea, putting SharePoint Online tabs to sleep stops them reconnecting. I suspect it is because a refresh token times out and isn’t renewed. The solution is to add SharePoint Online sites to the list of sites that don’t sleep. Always-on document management is the best approach.
Viva Topics is one of the four modules in the Microsoft Viva employee engagement platform. You can run a 25-user trial for 30 days to create some topics and see how things work. A trial should help an organization decide if they want to pay the $5/user/month Microsoft asks for Viva Topics licenses – and everyone needs a license to see topic cards, which is the point of Topics.
Microsoft wants to remove basic authentication from Exchange Online connection protocols. But pressures have forced Microsoft into a new strategy and away from the mid-2021 date for deprecation of basic authentication for five protocols. Instead, Microsoft will disable basic authentication for protocols where it’s not used, include four additional protocols in its target set, and pause action for tenants where basic authentication is in active use. When they restart, Microsoft will give tenants 12 months’ notice that basic authentication will be blocked for a protocol. You can argue that Microsoft should have pressed ahead with their original plan, but would widespread disruption of service be worth the benefit gained from blocking vulnerable protocols? Balancing risk versus reward is often not easy.
All services suffer outages or incidents. The Service Communications API allows Office 365 tenants to retrieve information about incidents programmatically and report details in whatever way they want. In this post, we show how to use PowerShell to fetch service messages with the API and filter for recent incidents. After that, it’s just a matter of presenting the details.
Exchange Online has the Enable-OrganizationCustomization cmdlet to “hydrate” the settings in an organization. Most Exchange Online organizations use common configurations, which saves the Office 365 infrastructure some directory space and CPU cycles to deal with custom settings. A hydrated organization has customized settings. The one-time cmdlet switches organizations from a dehydrated state to a hydrated state. Forcing administrators to run the cmdlet is just a little odd.
Microsoft says that the new EAC is ready to use. While we don’t deny the fact, we think some of the magic that existed in previous portals has gone. PowerShell is replaced by the Graph as the foundation for the EAC. Progress happens, but it’s sad when a feature like command logging is left in the mists of the past.
The Office 365 audit log is a great source of information about what happens inside an Office 365 tenant. Searching the audit log takes practice, but it turns up lots of insight. This article covers how to use the ObjectIds and FreeText parameters to find information about what happens to an object,
Following some recent criticisms of how some ISVs use FUD to convince Office 365 tenants that they need backup services, AvePoint asked Office 365 for IT Pros to debate the issues. We go toe-to-toe on Wednesday, October 7 at 10 AM EST in a free online debate. Come along and join the fun.
Office 365 usage data for several workloads is available through the Microsoft Graph. A PowerShell script is available to grab Graph data and use it to figure out if accounts are in active use. V1.2 of GetGraphUserStatisticsReport.PS1 is available in GitHub and should be better performing when processing thousands of accounts.
A change made to an Office 365 retention policy for Teams personal chats in the KPMG tenant removed data for 145,000 users. That’s unfortunate, and it underlines the need for admins to understand how retention policies work. Maybe the people involved did and it was a simple slip that could happen to anyone, but perhaps it will cause tenant admins to reflect on how they make changes to organization configurations.
Office 365 tenants need to stop people using Internet Explorer. On November 30, Teams stops support for IE11; nine months later, the rest of the Microsoft 365 apps cease support. According to Microsoft, the only browser in town is the new Edge (which has an IE mode), but most will keep on using Chrome, Firefox, Brave, or Safari as they do today.
The need (or not) for a backup solution for Office 365 data is hotly debated. Although good reasons can exist for buying a backup service, some of the reasons advanced by backup vendors are classic FUD (fear, uncertainty, and doubt). A recent report issued by a major backup vendor contains some points that deserve close examination. Here’s what we think.
Microsoft announced that Office 365 tenants can customize the user profile card, which is nice. The only thing is that an update to the Microsoft Graph is done to apply the customization. Most tenant administrators probably aren’t literate with Graph programming, so that presents a problem. Until you realize that the Graph Explorer can be used to do the job without you needing to write a single line of code.