Office 365 for IT Pros covers a wide range of administration topics relating to the wider Microsoft 365 ecosystem. Learn a lot from our practical and no-nonsense approach to coverage.
At the Microsoft Ignite 2019 conference, Microsoft described how SharePoint Online will use Office 365 compliance features such as sensitivity labels and information barrier policies to better protect information stored in SharePoint sites. The Office Online apps also gain support for sensitivity labels. The new features will enter a mixture of public and private previews starting November 20.
Microsoft annoyed many Office 365 tenant administrators when they announced plans to allow self-service purchases for the Power Platform apps. A curious note in the FAQ might reveal how tenants can block this feature. If self-services purchases depend on accessing your tenant directory, maybe you can disable the service principal that holds the role enabling that access.
Azure Active Directory now features the public preview of the My Sign-Ins feature, which allows users to see where their sign-ins originate and what applications are used to sign-in. It’s a nice idea but Office 365 users are unlikely to find the page. We can help by creating a custom tile with a link to the My Sign-Ins page. The tile appears in the Office 365 apps menu and makes it easy for people to access their sign-in data.
In an Office 365 notification to tenants, Microsoft says that the Modern Lifecycle Policy means that users must keep the Teams desktop up-to-date. The result is that users must make sure that their desktop client is no more than three months behind the latest software. If it is, they won’t be able to use the desktop client until it is updated.
The Office 365 Admin Center includes reports of licenses assigned to users. The same information can be extracted with PowerShell, which means that you can analyze license assignments anyway you wish. The script is quick and easy, mostly because its error handling is non-existent, but it’s enough to get going.
The fight against spam and malware goes on unabated. ZAP, or zero-hour auto purge, is an Exchange Online Protection (EOP) feature that’s getting some extra features to deal better with spam and phish malware. New policy controls are available to control the feature.
The Microsoft Graph gives programmers a RESTful interface to Office 365 data. Flow allows even non-programmers to automate tasks by combining building blocks of Office 365 data and actions. Put the two together and you can generate some impressive results. In this example, we combine Graph and Flow to create some nagging emails to admins to encourage them to improve the tenant’s Secure Score.
Some Exchange Online mailboxes are quite small (2 GB for frontline users). Tenant administrators might want to monitor mailbox usage to make sure that quotas aren’t unexpectedly exhausted. This post explains how to use a PowerShell script to calculate the percentage of mailbox quota used and highlight the problem if a threshold is passed.
The Office 365 E5 plan includes Advanced Threat Protection (ATP), which builds on the anti-malware capabilities of Exchange Online Protection. ATP the includes Safe Attachments and Safe Links features, both of which can delay email delivery. I don’t notice the delay but others do. In any case, the more protection you have against malware, the better.
If you want to include SharePoint Online and OneDrive for Business locations in an Office 365 content search, you need to know the URLs of the target sites. Finding the URLs can be problematic, but here’s some easy ways to do the job. PowerShell, as usual, comes up trumps…
The Stream video service now boasts a recycle bin to allow Office 365 users 30 days to restore deleted videos. Stream administrators can access and restore videos deleted by anyone in a tenant. And, if necessary, users can permanently remove deleted videos before the 30-day retention period expires.
The topic of Teams tenant-to-tenant migration generated a lot of reaction after an article published last week. This lead to a chat with AvePoint, who have a product similar to BitTitan. What was interesting is that AvePoint use the same API to backup Teams. Although the backup isn’t as functional as you want and definitely not designed for backups, you do end up with data backed up that can be restored. The solution is imperfect, but it is available now.
Teams App Permissions policies allow Office 365 tenants to exert a fine degree of control over the apps users are allowed to install. You can amend the default policy or create new policies and assign the policies to user accounts through the Teams Admin Center or with PowerShell.
Microsoft has announced that the AdditionalStorageProvidersAvailable setting in OWA mailbox policies will now control access to both first-party and third-party storage providers. The new setting is now available and becomes active in August. Before then, you might want to adjust some of your OWA mailbox policies.
Office 365 Activity Alerts don’t seem to be working too well these days. At least, that’s what we found when we tried to create an alert for Teams creation events. Never mind, PowerShell will do the job as we can quickly whip up a PowerShell script to find audit records for team creations and put them into an email.
Exchange Online writes audit records into the Office 365 audit log when messages are deleted by delegates and administrative action. We can analyze the audit records to find out who deleted a specific message. Some challenges exist to interpret the audit records for admin-generated deletions (for example, when you run Search-Mailbox), but it’s easy enough to code the necessary checks in PowerShell.
Microsoft dropped support for the ExMerge tool in Exchange 2007. An ISV has taken the initiative to create a modern version of the tool, called Super ExMerge. The utility supports both Exchange on-premises and Exchange Online.
No one likes getting spam. Although EOP generally does a good job, Office 365 users can help themselves and help others by reporting spam that gets through to their mailboxes using Outlook’s Report Message add-in. And if they’d like someone else to report bad mesages, admins can do so through the Security and Compliance Center.
Microsoft makes a strong case that all Azure Active Directory accounts should be protected with multi-factor authentication (MFA). That’s a great aspiration, but the immediate priority is to check accounts holding administrative roles. This post explains how to use PowerShell to find and report those accounts.
Microsoft has introduced a new Roles page in the Office 365 Admin Center. The new page lists all the roles available in an Office 365 tenant and allows admins to quickly see who holds each role, and add or remove accounts from roles as needed. It’s a small but important change that is welcome because it makes it easier for tenants to manage permissions.
The ability to see the PowerShell commands executed by Exchange administrative centers has existed since Exchange 2007. Now something has changed in Exchange Online and the command log is blank. It’s sad because many administrators learned to use PowerShell by examining how Microsoft used it to manage Exchange. Let’s hope that Microsoft fixes this bug soon.
Teams does a good job of storing compliance records in Exchange Online mailboxes so that the data is available for Office 365 eDiscovery. But the number of records can impact the mailbox quotas of frontline workers, especially if they send graphics in personal and group chats. Here’s some PowerShell to help discover how much mailbox quota is being absorbed by compliance records.
Do people read the notifications posted by Teams to the General channel of a team when someone joins or leaves the membership? Maybe they don’t take much notice, but these messages can tell you that someone has joined or left the company. If you think that Teams should have a setting to suppress “add member” messages for a team, consider supporting the User Voice suggestion on the topic.
Microsoft launched the MailItemsAccessed audit event (to capture when email is opened) in January, reversed the roll-out in April, and now might restart sometime in Q3. It’s an odd situation that isn’t really explained by a statement from Microsoft. Are they going to charge extra for this audit event? Will they be analyzing the events? Or does Office 365 capture too many mail items accessed events daily?
Have you ever wondered how Microsoft secures SharePoint Online and OneDrive for Business data? Well, a recent article explains it all, and it is fascinating reading. Chunks and keys and blobs and encryption. A must-read article for anyone interested in SharePoint security.
Org-wide teams are great because they feature automatic membership management. But sometimes you don’t want new Office 365 accounts showing up in org-wide teams. The solution is to create the account with some dummy details to mask the identity of the real person and update the account after they join the company.
Microsoft is changing how the removal of an Office 365 retention policy affects the data held in the SharePoint Online Preservation Hold Library. Instead of an immediate purge, data will be kept for a period to allow administrators to recover it. Sounds like a good idea and it should help people rescue a situation when someone removes a retention policy in error. That is, if they notice that the policy is no longer in effect for a site.
Removing Office 365 accounts is easily done through the Admin Center. You can also restore deleted accounts within 30 days, but what if you want to remove accounts in such a way that they can’t be restored? The answer is that it can be done using a two-stage process. And if the mailboxes belonging to those accounts are on hold, they are kept as inactive mailboxes.
Much to our surprise, this blog is covering the availability of three new Office 365 browser themes. We’re only doing this so that we can avoid including it in the Office 365 for IT Pros eBook. We know this will upset some people, especially fans of the unicorn theme, but we really have to draw the line somewhere when deciding what should be in the book.
Exchange Online supports inactive mailboxes as a way to keep mailbox data online after Office 365 accounts are removed. Inactive mailboxes are available as long as a hold exists on them. You can update mailbox properties to exclude all or some org-wide holds. If you exclude holds from a mailbox, you run the risk that Exchange will permanently remove the mailbox. If that’s what you want, all is well, but if it’s not, then you might not be so happy.
The CISA report titled “Microsoft Office 365 Security Observations” makes five recommendations to improve security of an Office 365 tenant. The recommendations are valid, but competent administrators won’t take long to implement them. In fact, the worst thing is that consultants brought in to help organizations didn’t seem to have much expertise in securing Office 365.
On May 7, Microsoft eventually fixed a truncation bug that affected group events (creation, add member, etc.) ingested into the Office 365 audit log. The fix took far too long coming and the overall response is certainly not Microsoft’s finest hour. Audit events, after all, are pretty important in compliance scenarios and it’s not good when those events are incomplete.
One of the great things about Teams is the way that it orchestrates Office 365 resources like SharePoint Online sites. The downside is that a tenant’s valuable SharePoint storage quota might be absorbed by a profusion of Teams. To offset the problem, you can apply lower limits to sites belonging to Teams and the best approach is to use PowerShell for the job.
Depending on your tenant’s configuration and the applications in use, the prospect of a tenant-to-tenant (T2T) migration might be appealing or a horror story. Applications like Quadrotech’s Cloud Commander are designed to help move data between tenants. In this video, Tony Redmond and Mike Weaver discuss some of the complexities involved in T2T projects. The program is 15 minutes long.
No one can say that the role of an Office 365 admin is static. In fact, it changes all the time as new technologies appear or Microsoft changes existing applications. This video featuring MVPs Paul Robichaux and Tony Redmond explores the changing role of Office 365 Admins, and sometimes it even makes sense.
Microsoft has released the GA version of the Azure Information Protection client, which reads information about Office 365 sensitivity labels and policies from the Security and Compliance Center. It’s one more step along the path to making it easy for Office 365 tenants to protect their data. Work still has to be done, but at least we can see light at the end of the encryption tunnel.
Microsoft announced a new migration experience from Google G Suite yesterday, which is nice. Under the covers, the venerable Mailbox Migration Service (MRS) does the work to extract mailbox data from Gmail using IMAP4 and moves it to Exchange Online. But after the move is done, there’s still lots of work to do to help users make the cultural change to their new mailbox in the cloud.
The ThirdPartyFileProvidersEnabled setting in OWA mailbox policies controls if Exchange Online mailboxes can access services like Drop and Dropbox for attachments. Office 365 tenants need to decide if they want to allow this kind of access. There’s both good and bad in the feature, but it’s easily turned off if you feel the need.
Announced in January, paused in March – that’s the fate of the MailItemsAccessed audit record generated by Exchange Online for the Office 365 audit log. Microsoft found some problems that they are fixing, which is good (because you want audit data to be reliable). And when the fixes are available, the deployment of the new audit record will restart.
The Microsoft 365 Security and Microsoft 365 Compliance Centers are now generally available. The new consoles will eventually replace the Office 365 Security and Compliance Center (SCC) but some work is needed to fill out their functionality and make the switchover possible. In the meantime, the Office 365 for IT Pros eBook writing team will stay focused on the SCC. And when the time’s right, we’ll switchover.