How Teams System Messages Can Give Away Personal Secrets

Do people read the notifications posted by Teams to the General channel of a team when someone joins or leaves the membership? Maybe they don’t take much notice, but these messages can tell you that someone has joined or left the company. If you think that Teams should have a setting to suppress “add member” messages for a team, consider supporting the User Voice suggestion on the topic.

What’s Happening with the MailItemsAccessed Audit Event

Microsoft launched the MailItemsAccessed audit event (to capture when email is opened) in January, reversed the roll-out in April, and now might restart sometime in Q3. It’s an odd situation that isn’t really explained by a statement from Microsoft. Are they going to charge extra for this audit event? Will they be analyzing the events? Or does Office 365 capture too many mail items accessed events daily?

Microsoft Reveals Secrets of SharePoint Online Storage

Have you ever wondered how Microsoft secures SharePoint Online and OneDrive for Business data? Well, a recent article explains it all, and it is fascinating reading. Chunks and keys and blobs and encryption. A must-read article for anyone interested in SharePoint security.

Stopping New Employees Appearing in Org-Wide Teams

Org-wide teams are great because they feature automatic membership management. But sometimes you don’t want new Office 365 accounts showing up in org-wide teams. The solution is to create the account with some dummy details to mask the identity of the real person and update the account after they join the company.

Important Change to SharePoint Online Retention Policy Processing

Microsoft is changing how the removal of an Office 365 retention policy affects the data held in the SharePoint Online Preservation Hold Library. Instead of an immediate purge, data will be kept for a period to allow administrators to recover it. Sounds like a good idea and it should help people rescue a situation when someone removes a retention policy in error. That is, if they notice that the policy is no longer in effect for a site.

Removing Office 365 Accounts Fast

Removing Office 365 accounts is easily done through the Admin Center. You can also restore deleted accounts within 30 days, but what if you want to remove accounts in such a way that they can’t be restored? The answer is that it can be done using a two-stage process. And if the mailboxes belonging to those accounts are on hold, they are kept as inactive mailboxes.

Three New Themes Available for Office 365

Much to our surprise, this blog is covering the availability of three new Office 365 browser themes. We’re only doing this so that we can avoid including it in the Office 365 for IT Pros eBook. We know this will upset some people, especially fans of the unicorn theme, but we really have to draw the line somewhere when deciding what should be in the book.

Excluding Inactive Mailboxes from Org-Wide Retention Holds

Exchange Online supports inactive mailboxes as a way to keep mailbox data online after Office 365 accounts are removed. Inactive mailboxes are available as long as a hold exists on them. You can update mailbox properties to exclude all or some org-wide holds. If you exclude holds from a mailbox, you run the risk that Exchange will permanently remove the mailbox. If that’s what you want, all is well, but if it’s not, then you might not be so happy.

CISA Report Only Scratches Surface of Securing Office 365

The CISA report titled “Microsoft Office 365 Security Observations” makes five recommendations to improve security of an Office 365 tenant. The recommendations are valid, but competent administrators won’t take long to implement them. In fact, the worst thing is that consultants brought in to help organizations didn’t seem to have much expertise in securing Office 365.

The Sad Case of Truncated Office 365 Audit Events

On May 7, Microsoft eventually fixed a truncation bug that affected group events (creation, add member, etc.) ingested into the Office 365 audit log. The fix took far too long coming and the overall response is certainly not Microsoft’s finest hour. Audit events, after all, are pretty important in compliance scenarios and it’s not good when those events are incomplete.

Limiting SharePoint Storage for Teams

One of the great things about Teams is the way that it orchestrates Office 365 resources like SharePoint Online sites. The downside is that a tenant’s valuable SharePoint storage quota might be absorbed by a profusion of Teams. To offset the problem, you can apply lower limits to sites belonging to Teams and the best approach is to use PowerShell for the job.

The Complexities of Office 365 Tenant to Tenant Migration

Depending on your tenant’s configuration and the applications in use, the prospect of a tenant-to-tenant (T2T) migration might be appealing or a horror story. Applications like Quadrotech’s Cloud Commander are designed to help move data between tenants. In this video, Tony Redmond and Mike Weaver discuss some of the complexities involved in T2T projects. The program is 15 minutes long.

The Changing Role of Office 365 Admins (Video)

No one can say that the role of an Office 365 admin is static. In fact, it changes all the time as new technologies appear or Microsoft changes existing applications. This video featuring MVPs Paul Robichaux and Tony Redmond explores the changing role of Office 365 Admins, and sometimes it even makes sense.

Unified Labelling Version of Azure Information Protection Client Now Generally Available

Microsoft has released the GA version of the Azure Information Protection client, which reads information about Office 365 sensitivity labels and policies from the Security and Compliance Center. It’s one more step along the path to making it easy for Office 365 tenants to protect their data. Work still has to be done, but at least we can see light at the end of the encryption tunnel.

Microsoft’s “New Migration Experience” from G Suite to Exchange Online

Microsoft announced a new migration experience from Google G Suite yesterday, which is nice. Under the covers, the venerable Mailbox Migration Service (MRS) does the work to extract mailbox data from Gmail using IMAP4 and moves it to Exchange Online. But after the move is done, there’s still lots of work to do to help users make the cultural change to their new mailbox in the cloud.

OWA’s ThirdPartyFileProvidersEnabled Setting

The ThirdPartyFileProvidersEnabled setting in OWA mailbox policies controls if Exchange Online mailboxes can access services like Drop and Dropbox for attachments. Office 365 tenants need to decide if they want to allow this kind of access. There’s both good and bad in the feature, but it’s easily turned off if you feel the need.

Microsoft Halts Deployment of MailItemsAccessed Audit Records

Announced in January, paused in March – that’s the fate of the MailItemsAccessed audit record generated by Exchange Online for the Office 365 audit log. Microsoft found some problems that they are fixing, which is good (because you want audit data to be reliable). And when the fixes are available, the deployment of the new audit record will restart.

Microsoft 365 Security and Compliance Centers Now Generally Available

The Microsoft 365 Security and Microsoft 365 Compliance Centers are now generally available. The new consoles will eventually replace the Office 365 Security and Compliance Center (SCC) but some work is needed to fill out their functionality and make the switchover possible. In the meantime, the Office 365 for IT Pros eBook writing team will stay focused on the SCC. And when the time’s right, we’ll switchover.

New Office 365 Admin Center Offers to Create DLP Policy

In a sign of how automation based on signals gathered by Office 365 will emerge to help administrators do a better job, the preview of the new Admin Center offered to create a DLP policy to protect some sensitive information that I had clearly overlooked. Well-intended as the portal was, its efforts to create the new policy failed. That’s not really important – it’s the glimpse into the future which is.

Configuring PowerShell for Office 365

If you work with Office 365 through PowerShell, you probably have your own script to connect to the various services. If you don’t want to write your own script, you can download one from GitHub or the TechNet Gallery. This article covers two that you might like to try, including one with a GUI to choose which Office 365 services it should connect to.

Automating Office 365 with PowerShell and Flow

PowerShell is hugely useful when the time comes to automate Office 365 processes. Other tools exist that can help, including Flow. Maybe it’s the right time to consider Flow, especially when it is highly capable of knitting together different Office 365 components to get work done.

Office 365 Captures Audit Records for Teams Compliance Items

Office 365 Audit Log Search

In one of those interesting (but possibly worthless) facts discovered about Office 365, we find that audit records are captured for Teams compliance records written into Exchange Online group mailboxes. The Search-UnifiedAuditLog cmdlet reveals details that we can interpret using some techniques explained in Chapter 21 of the Office 365 for IT Pros eBook.

Cloud App Security Alerts Flow into Office 365 Audit Log

Security alerts from Office 365 Cloud App Security now flow into the Office 365 Audit Log, which means that you can run the Search-UnifiedAuditLog to find the alerts. Unhappily, more work than should be needed is necessary to extract the interesting information from the alert records.

Office 365 Network Performance (POC) Tool

Microsoft’s new Network Performance Tool is a proof of concept for Office 365 tenants to check network connections to Microsoft’s network and Office 365. The tool might help you understand more about your connection into Microsoft, but it won’t fix any last mile problems.

Office 365 Sensitivity Labels Bring Rights Management to the Masses

Azure Information Protection and Office 365

Rights management and encryption are likely to be a much more common Office 365 feature in the future. Sensitivity labels makes protection easy for users to apply through Office apps. The downside is that protection makes content harder to access for some Office 365 and ISV functionality.

Tip: Make Sure to Add Owners as Members When Creating New Teams

Teams offers a number of ways to create new teams, which is good. However, if you create a new team with PowerShell, make sure that you add the team owners to the members list as otherwise they won’t be able to access Planner.

How to Restrict What Audit Data for User Office 365 Activities Flows to Microsoft

Following a Dutch report saying that Office 365 might violate GDPR, some thoughts about how to restrict some of the flows of information from an Office 365 tenant to Microsoft.

Office 365 Privileged Access Management: Too Flawed and Too Exchange?

Microsoft has launched Privileged Access Management (PAM) for Office 365. The name’s incorrect because PAM only works for Exchange Online right now. PAM is based on RBAC, which is good, but is the implementation too Exchange-centric?

How to Find Send As Records in the Office 365 Audit Log

Exchange administrators are accustomed to looking through mailbox audit logs to find details of events. Those same events are in the Office 365 audit log, so that’s the place to go look for information, like when you want to find out who sent a message from a shared mailbox using the SendAs permission.

The Vexed Question of Microsoft 365 Backups

Backup vendors say you should definitely use their products to protect your valuable Microsoft 365 data. Backup products can do a good job, but the nature of Microsoft 365 creates many challenges at a technical level. A lack of APIs is the most fundamental issue, but the connected nature of Microsoft 365 apps is another.

Existing Guest Accounts and the Azure B2B Collaboration Policy

When you impose a block on certain domains, you’d like to think that applications like Teams will respect that block. As it turns out, if you have some lingering guests in your Azure Active Directory, the B2B collaboration policy might not be as effective as you’d hope.

How to Disable Basic Authentication for Exchange Online Connection Protocols

Microsoft has released a preview of the cmdlet set to allow tenants to create and manage protocol authentication policies for Exchange Online. It’s a great chance to disable basic authentication and reduce the attack surface for password spraying.

Managing Guest Users in a Microsoft 365 Tenant

How many guest users does your Office 365 tenant have? And how many of those accounts are actually used? Given that many Office 365 applications now generate guest user accounts to facilitate external access to content, managing these accounts is a growing concern.

How to Find Click to Run Configuration in the System Registry

Microsoft would like Office 365 tenants to use the Click to Run (C2R) version of the Office desktop applications because C2R is automatically updated with new features. We like C2R, but we also like knowing what’s installed on user workstations. Here’s how to check the Click to Run configuration with PowerShell.

How to Create and Manage Org-Wide Teams in Microsoft Teams

The latest version of Teams supports the ability to create org-wide teams, but only if your tenant has fewer than 1,000 accounts. It’s a neat idea, if you can use it, but if you have more than 1,000 accounts, there are other ways to foster company-wide communications.

How Microsoft IT Manages Microsoft 365 Groups

Details of how Microsoft IT manages its deployment of Office 365 Groups were discussed at the recent Ignite 2018 conference. It’s a good idea to write down the basic framework of your Office 365 Groups deployment, if only to understand how all the different policies and features fit together.