Office 365 for IT Pros covers a wide range of administration topics relating to the wider Microsoft 365 ecosystem. Learn a lot from our practical and no-nonsense approach to coverage.
The Microsoft 365 Licensing Report PowerShell script has been upgraded to generate detailed license information and to deal with expired license subscriptions. You can download V1.94 of the script from GitHub. Before attempting to run the licensing report script, take the time to read previous articles to understand the basics of the script and how to generate the files used for pricing information.
The Microsoft 365 admin center will support continuous access evaluation (CAE) from September 2024 to help revoke access from accounts more quickly when critical events happen (like an account password being changed). Adding CAE support to an admin center is always a good idea, but it shouldn’t take away from the need to protect Microsoft 365 accounts with multifactor authentication. Stop compromise before you need to react to compromise!
Microsoft Purview and the Exchange Online Search-UnifiedAuditLog cmdlet both perform searches of the Microsoft 365 unified audit log. Both mechanisms support the concept of scoped searches to limit audit records returned by searches to the administrative units an account can manage. But the permissions assigned by the two mechanisms aren’t synchronized, which can lead to complications.
The decision to rationalize license management in the Microsoft 365 admin center wasn’t popular but the signs are that it could deliver benefits to customers in the form of new features and functionality. The first updates are a GUI to manage self-service purchases and trials together with notifications to administrators when a user makes a self-service purchase. More needs to happen, but positive indications are there.
Microsoft’s project to impose a mandatory MFA requirement for access to Azure management tools and sites will start enforcement on or after October 15, 2024. The new requirement will only affect administrator accounts who access Azure sites and tools (like PowerShell). Normal users shouldn’t notice any difference. The Azure MFA requirement is a great way to drive home the need for MFA to protect Microsoft 365 administrator accounts against attack. Prepare now!
The August 15 announcement that Microsoft Copilot (the version that doesn’t use the Graph) will benefit from enterprise data protection from September is good new. However, Microsoft said nothing about the security issues around Copilot for Microsoft 365 reported at the recent BlackHat USA 2024 conference. In other news, tenants can pin Microsoft Copilot to app navigation bars using a new control in the Microsoft 365 admin center.
The Usage Reports Graph API is now generally available, which means that it’s fully supported. In other news, a Graph API is available for Microsoft 365 Backup, The news demonstrates once again how widely the Graph APIs are used with Microsoft 365 and why tenant administrators should acquire some knowledge about how the Graph works.
Microsoft is removing license assignments from the Entra admin center. From Sept 1, new license assignments are done in the Microsoft 365 admin center. In other news, a new Self-service trials and purchases page is coming to the Microsoft 365 admin center to control the ability of users to purchase self-service licenses or use trial licenses.
Tenant administrators know that they need to deal with mailboxes and OneDrive accounts when people leave, but what about Teams chat messages? Or rather, the information stored in the compliance records captured in Exchange Online mailboxes? Reviewing chat messages can be an ardous task, so perhaps the solution might be to export the compliance records to a PST for long-term retention.
MC837081 announces that the Microsoft 365 admin center is to lose its ability to send password in email after updating a user account. It’s the right thing to do because sending passwords in email is bad practice and encourages people to treat passwords with less respect than they should. The long term solution is to move away from passwords, but it will take time before Microsoft 365 is passwordless.
Microsoft plans to archive unlicensed OneDrive sites starting in January 2025. The obsolete sites will end up in Microsoft 365 archive, from where the sites can be reactivated for a small per-gigabyte fee. Archived sites are indexed and discoverable. However, the message is clear: remove unlicensed OneDrive sites now. They’re only cluttering up your digital landscape and might give Copilot for Microsoft 365 a headache.
The Microsoft 365 licensing report now supports a cost center analysis based on cost center values stored in an Exchange custom attribute. The new analysis is entirely optional, but it seems like many tenants store cost center values in custom attributes, so this update might work well for them. That is, if the cost center data stored in Exchange is accurate… Rubbish in always means rubbish out…
Every Microsoft 365 tenant must deal with ex-employee mailboxes. The default choice is to make the mailboxes into shared mailboxes. But inactive mailboxes could be a better option to deal with the requirements to preserve user privacy and avoid inadvertent disclosure of PII to people who don’t need that information. Perhaps it’s time to reassess how your organization deals with ex-employee mailboxes?
I dislike the Microsoft 365 self-service purchase mechanism and disable it in any tenant where I can. Global and Billing administrators for tenants that allow self-service purchases will soon receive notifications when self-service purchases occur to allow them to take action to allow, cancel, or change the purchased subscription. Or they can do what I do and avoid the problem in the first place by prohibiting self-service purchases.
A reader wanted to know why the Purview Compliance portal doesn’t show who last updated sensitivity label policies. The reason why is unclear, but what’s for sure is that Purview doesn’t record the data anywhere. But PowerShell and the audit log soon reveal who last made changes to labels and policies. It’s yet another example of how PowerShell fills gaps Microsoft leaves behind.
The Teams and Groups activity report is a popular script that helps administrators identify inactive teams and groups within a Microsoft 365 tenant. The script code has been developed over the years. The last version converted to Graph API requests to improve performance. This time, the upgrade is to use the Microsoft Graph PowerShell SDK to make the code easier to maintain.
V1.2 of the User Passwords and MFA report includes the names of authentication methods registered for user accounts. V1.3 expands the amount of detail reported for each method, such as the phone number used for SMS challenges, or the email address used for SSPR. It’s a small but important detail that’s useful to administrators. However, it also comes with a potential privacy issue, so the script must handle that too.
The Microsoft 365 Licensing Report is a popular PowerShell script that’s just been updated to V1.9 with a bunch of changes to highlight different aspects such as license costs for disabled user accounts and inactive user accounts. Copious use of some very dubious color choices makes the HTML report created by the script look very nice (if you’re color blind) and the new version can generate an Excel worksheet.
A Microsoft Graph update makes per-user MFA state available for user accounts. Being able to access the data means that we can include it in the User Passwords and Authentication report. You can now see if accounts are disabled, enabled, or enforced for per-user MFA along with all the other information captured about passwqrd changes, MFA authentication methods, and so on.
Microsoft is deploying additional audit events to tenants with Purview Audit (Standard) licenses. Among the 15 Teams events in the set are Teams meeting audit events to capture details of meetings and participants. Unhappily, some of the data that you’d like to have for meetings, like the subject, are missing. And meeting participant information is available for some classes of user but not for others.
A May 20 post contains the welcome news that the new audit events promised for Purview Audit standard customers should be available in June 2024. Some of these events are for Exchange Online, like the famous MailItemsAccessed event. Others are for Teams and SharePoint Online. In the case of Exchange, tenant administrators might have to do some work to validate that mailbox audit configurations are correct.
On May 14, Microsoft announced that they will require Azure MFA for connections to services starting in July 2024. No details about the implementation are available, so it’s difficult to measure the likely impact on Microsoft 365 tenants. Given that very few people access services like the Azure portal, it’s probable that the impact will not be large, but it would be nice to hear more precise details from Microsoft.
Although the trend is toward password authentication, many Microsoft 365 tenants still use passwords and some force users to change passwords regularly. This article explains how to create a password expiration report with PowerShell. The script caters for where a tenant password expiration policy is set for passwords to never expire. If anything else, it’s yet another example of how to extract information using PowerShell.
The Maester tool is a community initiative to create a tool to help tenant administrators improve the security of their Entra ID tenants. It’s still in its early stages, but even so Maester shows signs that it will be a valuable asset for administrators who want to learn more about securing their tenant against possible external compromise.
A new major version of the MsCommerce PowerShell module makes you hope that something good is included in the new code. In this case, it’s hard to know if the developers did anything but increase the major version number for the MsCommerce module. Not much has changed. The module is as bad as ever, but at least it can be used to disable self-purchases of all supported licenses, which is all that’s really important.
Every Microsoft 365 tenant has a tenant identifier, a unique GUID that’s used within the Entra ecosystem to identify a tenant and its objects. Much has changed since I last wrote about this topic in 2021, including the introduction of new Graph APIs to resolve tenant names to identifiers and vice versa.
Microsoft 365 Backup costs are charged on a PAYG basis against an Azure subscription. You pay a flat fee of $0.15 per month per gigabyte of protected content. This article discusses calculating the sizes of protected data and reports the costs accrued over two months.
A recent article by a Microsoft MVP attempted to lay out a case that tenants should not use Microsoft 365 PowerShell and use ISV products instead. It’s a silly position to argue. PowerShell is an important automation tool for administrators that can’t be replaced by any ISV product. ISV products have their place and fill many gaps, but arguing to dump PowerShell and use ISV products instead just can’t be justified.
Microsoft has created an easy to use Microsoft 365 Backup solution. Its key feature is speed, including speed to restore data. I tested restores for Exchange Online (which worked) and SharePoint Online and OneDrive for Business (which didn’t). The lack of logging and error reporting when failures happen lead to frustration. Microsoft has some work to do to bulletproof this solution.
The latest version of the Microsoft 365 Licensing Report script includes code to generate cost analyses for the departments and countries assigned to user accounts. Everything works well if the properties of Entra ID user accounts are complete and accurate. Sometimes this isn’t so, and that leads to problems when attributing costs at a department or country level.
This article describes how to use the Microsoft Graph PowerShell SDK to retrieve and interpret Microsoft 365 message center posts with the intention of discovering what percentage of announcemengts end up being delayed (not being available at the predicted date). Teams makes lots of feature announcements and over 57% of those announcements are delayed.
The Microsoft Graph includes the Service Communications API. SDK cmdlets can use the API to retrieve and work with service health data. In this article, we show how to use Graph SDK cmdlets (based on the API) to fetch and work with service health data, including creating an email report to update people about the current state of tenant health.
Exchange mailbox statistics reports are usually produced using PowerShell cmdlets. However, using Graph usage data is a faster way to process mailboxes because it avoids the need to fetch mailbox statistics by running a cmdlet for each mailbox. This article describes how to speed things up in a way that will probably benefit larger organizations most, but every Exchange Online tenant can probably benefit.
On November 15, Microsoft announced Microsoft 365 Backup would enter a public paid preview in December 2023, Paid preview means that tenants must link a valid Azure subscription to Syntex pay-as-you-go to pay the $0.15 fee per GB per month for protected content. We’ll know more once the preview begins and we get the chance to see just how fast backup and restore is.
This article describes how to use the Microsoft Graph PowerShell SDK to customize the user account properties shown by the Microsoft 365 user profile card. Previously this was possible using a Graph API request to the beta endpoint. Now everything is in production and Graph SDK cmdlets are available to make customization a tad easier.
The MFCMAPI utility is of great help to Microsoft 365 tenant administrators who want to understand the data apps store in Exchange Online mailboxes. An on-premises mailbox stores email data, but in the cloud, Microsoft 365 apps use Exchange Online as a convenient place to store data that needs to be accessible to services like Search and eDiscovery.
A setting in the Teams meeting policy controls whether users can access the meeting chat in meetings hosted by non-trusted external tenants. By default, the setting is On, meaning that users can participate in chat for any meeting they join in any tenant. If you have concerns about this aspect of meetings, turn the setting Off and define trusted tenants.
Microsoft suggests that allowing every user to create new Microsoft 365 groups. That’s mad. Controlling group creation through policy settings is the only way to go. It will avoid group sprawl (or team sprawl) and avoid a lot of administrative effort that will otherwise be devoted to cleaning up the mess of unused and unwanted groups. This article explains how to update policy settings to control group creation using cmdlets from the Microsoft Graph PowerShell SDK.
This article explains how to use PowerShell to remove licenses from disabled accounts, including some caveats such as not removing Exchange Online licenses. Organizations might want to do this to save money on Microsoft 365 license fees while an account is temporarily unused. Removal of Exchange Online licenses can result in the loss of a mailbox, and you don’t want that to happen if you’re disabling accounts just because someone is on a long-term sabbatical or other leave of absence.
Microsoft 365 tenants with eligible licenses can use Bing Chat Enterprise (BCE). It’s a great way for users to become accustomed to dealing with AI prompts and generated results. First, users can discover how well-structured prompts generate better results. Second, they can see how a lack of care in reviewing results might get them into trouble because of AI-generated errors.