Microsoft Previews Nested Dynamic Azure AD Groups

A new preview feature supports the creation of dynamic Azure AD groups based on the membership of other groups, including dynamic groups and distribution lists (aka nested groups). It’s a nice feature that adds value, even if dynamic groups require Azure AD Premium P1 licenses.

Guest Accounts Can’t Update Their Photos with the Microsoft Graph PowerShell SDK

The Azure AD PowerShell module allows guest accounts to sign into target tenants and update their account photo there. The Microsoft Graph PowerShell SDK includes a cmdlet to do the job, but it doesn’t work when connected to a target tenant. Permissions are the reason why, which is what we explain in this article.

Don’t Give Up on Azure AD Guest Accounts

Despite the advent of shared channels in Teams and the wonders of Azure AD Direct Connect, the chances are that Azure AD B2B Collaboration (Azure AD guest accounts) will remain the predominant method for external collaboration for the immediate future. That’s not so bad, as long as you maintain good guest hygiene!

Why Teams Sometimes Won’t Allow External Users In

Teams supports external access through guest account membership in teams and external sharing of shared channels. Sometimes, things go wrong and sharing can’t happen. In this article, we explore some common reasons and explain the solutions. And the need for patience!

Outlook Org Explorer Gives More Reasons to Pay Attention to Azure AD User Data

Outlook’s Org Explorer (available in Insider builds) brings together information from multiple Microsoft 365 sources to help users understand the people they work with in an organization. It’s like an Office 365 profile card on steroids, but only for user accounts as guest accounts and other external people are ignored. In other news, roaming signatures for Outlook desktop are getting closer as OWA now supports the creation and use of multiple web signatures, all of which can be used by Outlook desktop.

Graph X-Ray Tool Helps PowerShell Developers Master the Graph

The new Graph X-Ray extension available for the Chrome and Edge browsers gives developers an insight into how the Azure AD admin center uses Graph API commands to retrieve user and group objects. The insight is invaluable when teasing out some of the syntax needed to get work done with the Graph. It’s much appreciated.

Use Azure AD Access Reviews to Check for Inactive Guests

A new feature for Azure AD access reviews allows Microsoft 365 tenants to check for inactive guest accounts in group memberships. It’s useful functionality if your Microsoft 365 groups are used for Teams rather than Outlook groups. Email activity is ignored by these access reviews, so all guest members are deemed to be inactive!

Track User Access to Teams Shared Channels with Azure AD Sign-In Logs

Teams shared channels are now in public preview, meaning that many organizations are trying them out to see how effective a means of collaboration these channels are. One of the administrative challenges of implementing shared channels for cross-tenant collaboration is knowing who uses the channels. An answer can be found in the Azure AD sign-in logs, but only after you go looking.

Assign Azure AD Roles to User Accounts with the Microsoft Graph PowerShell SDK

Assigning Azure AD roles to user accounts is the way users receive permissions to perform certain administrative actions. You can automate these assignments using cmdlets from the Microsoft Graph PowerShell SDK. That is, until the time comes to remove assignments.

Basic Azure AD Group Management with the Microsoft Graph PowerShell SDK

The Microsoft Graph SDK for PowerShell includes cmdlets for management of Azure AD Groups. The cmdlets work, and in some places they are screamingly fast compared to Exchange Online or Azure AD cmdlets. In other places, the cmdlets are a tad bizarre and expose a little too much of their Graph underpinnings. Oh well, at least after reading this article, you’ll know where the holes lie.

Delete Azure AD User Accounts and Restore Them Afterwards with the Microsoft Graph PowerShell SDK

Microsoft has announced that it will be possible to recover a deleted service principal by the end of May. This is good news because it means that an accidental deletion can’t wreak the kind of havoc it can today. Microsoft hasn’t updated the APIs to manage soft-deleted service principals yet, but we can get an insight into what’s likely to happen by investigating how to manage deleted Azure AD accounts using cmdlets from the Microsoft Graph PowerShell SDK.

Why It’s Difficult to Transfer Membership Rules from Exchange Online to Azure AD

It seems like it should be possible to transfer a membership rule from an Exchange dynamic distribution list to a dynamic Microsoft 365 group/team, but it’s not. Different directories, schemas, properties. and syntax conspire to stop easy conversion. It’s a pity, but that’s the way life and technology sometimes go…

Microsoft Sets New Deprecation Schedule for Azure AD PowerShell

Lots of news has emerged from Microsoft recently regarding the deprecation of the Azure AD PowerShell module and the older MSOL module. Although dates have slipped from the original June 30, 2022 deadline, the signs are that Microsoft will retire the modules in early 2023. However, the Azure AD and MSOL license management cmdlets will stop working on August 26, 2022, so that’s the immediate priority for script upgrades.

Creating an Authentication Method Report for Azure AD Accounts

With the upcoming deprecation of the Azure AD and Microsoft Online Services (MSOL) PowerShell modules, it’s time to upgrade scripts which depend on the cmdlets from these modules. In this example, we use the Microsoft Graph SDK for PowerShell to create a report for Azure AD accounts showing the authentication methods each account uses. The idea is to highlight accounts not protected by strong authentication so that administrators can help users to upgrade their protection against attack.

Understanding How App Certification for Microsoft 365 Apps Works

By now, Microsoft 365 tenant administrators realize the need to understand how apps use consent to access Microsoft 365 data. App certification helps by reassuring tenant administrators that third-party apps meet certain criteria set by Microsoft. Achieving Microsoft 365 certification is the highest bar in the program. It’s just a pity that many of the apps now appearing in the ecosystem don’t achieve this level of app certification.

How Microsoft Teams Displays Local Time in Profile Cards

A new Microsoft Teams feature means that local time zone information appears on user profile cards. While it seem simple, the feature is very useful when arranging meetings because you know up-front about the working hours of your colleagues. It’s a detail that makes sense!

Understanding What’s in an Azure AD Access Token

Access tokens are an important part of accessing data using modern authentication through APIs like the Microsoft Graph. But what’s in an access token and how is the information in the access token used by PowerShell when the time comes to run some Graph queries in a script? In this article, we look behind the scenes to find out what’s in the JSON-structured web tokens issued by Azure AD.

Managing Azure AD’s Keep Me Signed In (KMSI) Feature

The Azure AD Keep Me Signed In (KMSI) feature uses a persistent cookie to allow users close and reopen browser sessions without sign-ins. If you don’t want to use KMSI, you can update Azure AD company branding to remove the option. Users will then have to reauthenticate each time they start a browser session. The decision to disable or keep KMSI is highly tenant-specific and depends on how authentication happens.

Microsoft Launches Azure AD Cross-Tenant Access Policies

On February 7, Microsoft announced the preview of Azure AD cross-tenant access, a new capability to allow users obtain credentials in their home tenant and use these credentials to access resources in other Microsoft 365 organizations. Microsoft Teams Connect (aka shared channels) is likely the first app to use cross-tenant access, with public preview of that feature expected in March 2022.

How to Determine the Age of a Microsoft 365 Tenant

Finding the age of a Microsoft 365 tenant isn’t an important administrative operation. However, understanding how to retrieve this information (if asked) is an interesting question, which is why we spent several hours playing around with PowerShell and the Microsoft Graph to figure out how to answer the question. It’s the kind of in-depth analysis we do all the time to build content for the Office 365 for IT Pros eBook.

Continual Access Evaluation Enabled for Critical Azure AD Events in Microsoft 365 Tenants

On January 10, Microsoft announced that the base Office 365 workloads support Continuous Access Evaluation (CAE) for critical Azure AD events like password changes or account deletions. Although you can take CAE even further with conditional access policies, giving Exchange Online, SharePoint Online, and Teams the ability to react to critical events in almost real-time is a very big thing indeed.

Stopping Microsoft Teams Posting System Messages About New Members

Microsoft Teams posts system messages to a team’s information pane to let people know about membership changes. You can’t stop Teams doing this because Microsoft doesn’t provide control over the system messages at the tenant or team level. You can obscure the names of new members by changing their display name, but maybe the best idea is not to add new members until the time is right.

Latest AAD Connect Removes On-Premises Disabled User Accounts from Azure AD

Microsoft pushed out version 2.0.88.0 of the AAD Connect synchronization utility earlier this month. Unfortunately, the new software removes disabled on-premises user accounts from Azure AD, which means that on-premises shared mailboxes disappear for cloud users. Microsoft has released version 2.0.89.0 but maybe it’s better to go back to a version that you know works. At least until after the holidays.

How Microsoft Aims to Cure Azure AD Authentication Problems with New Backup Service

Azure AD has a history of outages which have caused problems for Microsoft 365 tenants over the years. Microsoft hopes to solve the problem with a backup authentication service that’s capable of keeping things going if the primary Azure AD service goes offline. Basically, the backup service has copies of successful authentications over the last three days which can be used to process authentication requests for most sessions when the primary service fails. It seems like a good idea.

How to Find When Azure AD User Accounts Receive Microsoft 365 Licenses

A reader asked how to find when Azure AD accounts received certain licenses. As it turns out, this isn’t as simple as it seems. PowerShell can tell use when user accounts are enabled with service plans, but to get dates for licenses (products or SKUs), we need to go to the Graph API, and those dates aren’t quite there yet. In any case, it’s an interesting question which deserves some exploration to see if we can find an answer.

How to Switch Azure B2B Collaboration (External Identities) to the Monthly Active User Billing Model

Office 365 tenants using Azure AD external identities (like Azure B2B Collaboration guest accounts with apps like Teams) are moving to a monthly active users (MAU) billing model. The new model replaces the 1;5 ratio for Azure AD premium licenses used up to now. Microsoft allows tenants to have the first 50,000 unique external identities free of charge each month and bills for access thereafter. If you don’t already have an Azure subscription, you’ll need one to link to Azure AD. Linking the subscription should be an easy task, until it’s not…

How to Use /Any Filters in Microsoft Graph API Queries with PowerShell

Understanding how to create effective queries using the Microsoft Graph APIs takes some work, especially with some of the more complex filters used to refine the data returned by the Graph. In this article, we look at how filters using lambda qualifiers work and explore some examples of these qualifiers in use.

Inconsistencies Using Reserved Aliases with Groups in Microsoft 365

Azure AD administrators should be able to assign a reserved alias to a new group. At least, that’s what the documentation says. As it turns out, this isn’t strictly true as there are places where administrative interfaces (GUI and PowerShell) block any attempt to use reserved aliases. Does this matter? Probably not, unless you like consistency… which we do!

How to Remove a Single Service Plan from Multiple Microsoft 365 Accounts with PowerShell

In this post, we describe how to use PowerShell to remove a single service plan from Microsoft 365 licenses using PowerShell. The script can remove any service plan from any SKU (license) in a tenant. You might want to do this to disable access to an obsolete feature (like Sway) or to prevent access to a new feature until the organization is ready to support user activity.

How to Control the Creation of Microsoft 365 Groups (and Teams) in a Tenant

Controlling the creation of Microsoft 365 Groups might seem complex, but it’s not as complicated as it might seem. Make sure Azure AD allows group creation, and then you can either allow everyone to create new groups or restrict the right to a limited set of accounts (a capability requiring Azure AD Premium licenses). And don’t forget OWA, because it’s got its own mailbox policy with a group creation setting. All good, clean, honest fun.

Updates to Group Creation Settings in Azure AD Admin Center

Microsoft has updated the creation settings for security groups and Microsoft 365 groups in the Azure AD admin center. The changes impose consistency over administrator creation of these groups and probably won’t affect tenants, but it’s good to check. The change makes us ponder why Microsoft doesn’t improve the GUI for other group controls, like those controlling who can create new Microsoft 365 Groups.

Microsoft Launches Preview of App Governance for Cloud App Security

The preview of a new app governance add-on for Microsoft Client App Security gives Office 365 administrators insight into Graph-based apps. The add-on depends on information gathered from Azure AD and MCAS to generate insights about apps and their usage, including highlighting apps which are overprivileged or highly privileged. Although you can do some of the auditing yourself, the add-on makes it easier. It’s a preview, so some glitches are present.

Microsoft Security Report Points to Basic Authentication as Root of BEC Attacks

The need to remove basic authentication from Exchange Online is underlined by a June 14 report from the Microsoft Threat Intelligence Center pointing to how attackers compromise mailboxes using antiquated protocols like POP3 and IMAP4 to connect to accounts which don’t use MFA. After accounts are penetrated, the attackers plant inbox rules to forward copies of interesting messages and use the information received to plan and execute business email compromise attacks. Tenant administrators still have some work to do to secure Exchange Online and Azure AD…

How to Use Azure AD Authentication Contexts with Microsoft 365 Sensitivity Labels

A preview for Sensitivity Labels show how they can use Azure AD authentication contexts and conditional access policies to protect SharePoint Online sites. Although you can link conditional access policies to sites with PowerShell, it’s a lot easier to make the connection through sensitivity labels. Any SharePoint Online site which receives a label configured with an authentication context automatically invokes the associated conditional access policy to protect its contents.

How to Find the Accounts Assigned Licenses for Individual Office 365 Applications

Finding out which Azure AD accounts have licenses (service plans) for different applications isn’t difficult. You can do it with either PowerShell or the Microsoft Graph API. This article explains how to use PowerShell (and the equivalent Graph API call) to find accounts which have a certain license (service plan) enabled or disabled. Once you know how to navigate license data in Azure AD accounts, you can take the code and adapt it for different purposes.