Office 365 – Office 365 for IT Pros
https://office365itpros.com
Mastering Office 365 and Microsoft 365
Thu, 29 Aug 2024 11:08:02 +0000

The Steadily Increasing Average Revenue Per User Microsoft Extracts from Office 365
https://office365itpros.com/2023/02/02/office-365-revenue-arpu/
Thu, 02 Feb 2023 01:00:00 +0000

Higher Office 365 Revenue Per User Leads to Bigger Profits

Every time Microsoft releases a set of quarterly results, CFO Amy Hood takes the opportunity to emphasize growth in the ARPU (average revenue per user) from its cloud customers. It’s a trend that’s existed for several quarters, including Microsoft’s recent FY23 Q2 earnings.

To understand why ARPU is so important to Microsoft, I tried to figure out how much it is and how ARPU has increased over time. The mathematics involved in the calculation are not difficult if you have the numbers. Unfortunately, Microsoft loves to obfuscate the information given about cloud revenues, so some detective work is necessary.

Microsoft uses a bucket called the Microsoft Cloud to report revenues associated with cloud products. It does not break out Office 365 or Azure revenues in the form of definite numbers. Instead, Microsoft gives details like Office 365 revenues grew 11% year over year. That’s only helpful if you know the base figure.

Microsoft Cloud revenues amounted to $27.1 billion in FY23 Q2. On an annualized basis, the ARR (annual run rate) is $108.4 billion, which is a lot of money. The ARR is calculated as if the revenue achieved for the quarter flowed in for four quarters. This doesn’t happen in the real world. For instance, Microsoft Cloud earned $25 billion revenues in FY22 Q4, or an ARR of $100 billion. The actual sum for Microsoft Cloud over the four FY22 quarters is $91.2 billion.

Office 365 Revenues within the Microsoft Cloud

Microsoft hasn’t defined the exact make-up of Microsoft Cloud. We know that it covers Office 365, Azure, LinkedIn, Dynamics 365, and other cloud products, so the first thing we need to figure out is how much Office 365 contributes to Microsoft Cloud. One way to approach the problem is to ask what the other parts contribute. For FY22, we get some insight from:

Together, this amounts to $48.25 billion, which leaves Office 365 with revenues of $42.95 billion, or around 47.09% of the total revenues for Microsoft Cloud. That’s a bit over what I estimated in July 2022, but better data is now available.

Calculating ARPU

To determine the ARPU, we need to know how many Office 365 users exist. Microsoft used to give this number on a regular basis, but has become more reticent recently, possibly because the number is not increasing at the same rate as it once did. In April 2022, Microsoft said that Office 365 had reached 345 million paid seats. That’s not the same as active users, which we need for apples-to-apples comparisons with previous years.

For this comparison, I used a figure of 335 million active users. This tracks the regular monthly growth of active users of about 3-3.5 million observed over the 2015-2020 period when Microsoft did report active user numbers. Using this number, we get an ARPU of $128.21 per Office 365 user in FY22. To give some context, that’s 28.49% of what Microsoft receives annually for a user with an Office 365 E5 license.

The number seems low, but you’ve got to account for the mix of license types that exist across the Microsoft 365 spectrum. Some are expensive (like E5), some are very cheap or zero cost, like those used by frontline workers or students. In FY22 Q4, Microsoft said that E5 represented 12% of their license mix.

But what we can say is that by using the information Microsoft releases and some analyst interpretations, the ARPU has increased since 2019 and is likely to increase again in the current fiscal year based on the reported revenues for the first two quarters. If anything, the FY23 numbers might be higher if the Teams Premium license (due in February 2023) is popular with customers. Table 1 summarizes the numbers. In a nutshell, Microsoft is steadily going towards extracting 30% of an annual E5 license from every user (the annual cost of an E5 license increased by $36 from March 2022).

| Year | Microsoft Cloud Revenues ($ billion) | Office 365 Revenues ($ billion) | Users (end FY) | ARPU | Office 365 E5 Annual Cost | Percentage of E5 Cost |
|---|---|---|---|---|---|---|
| FY19 | 41.11 | 19.36 | 190,000,000 | $101.90 | $420.00 | 24.26% |
| FY20 | 51.80 | 24.39 | 240,000,000 | $101.65 | $420.00 | 24.20% |
| FY21 | 69.10 | 32.54 | 280,000,000 | $116.22 | $420.00 | 27.67% |
| FY22 | 91.20 | 42.95 | 335,000,000 | $128.21 | $450.00 | 28.49% |
| FY23 (est.) | 108.24 | 50.97 | 370,000,000 | $137.77 | $456.00 | 30.21% |

Table 1: Office 365 Revenues FY19-FY23

These calculations assume that Microsoft 365 licenses that include Office 365 are in the Office 365 revenues. Again, we don’t know if this is true. However, just like using Fitbit or any other fitness tracker, trends emerge by using the same measurements over time.

Growing ARPU is Good for Microsoft

Obviously, the more money you can extract from a customer base, the more profit you can make. With the size of the Office 365 installed base, Microsoft can extract more revenue and profit through:

  • Continuing sales activity to convince customers to move licenses to more expensive variations.
  • Engineering investments to make high-end licenses more attractive by bundling most new security and compliance functionality in those products.
  • The introduction of new products like Teams Premium (which Microsoft is offering for $7/user/month for a limited period).

Some would call this the dark side of capitalism. To me, it’s just business and Microsoft is perfectly within its rights to monetize the user base it has built up. What it does mean for tenant administrators is that license management will continue to be a critical task. Office 365 and Microsoft 365 licenses can be expensive. If you buy licenses, make sure that the licenses are used efficiently.

Teams Reaches 280 Million Users as Microsoft Cloud Growth Slows
https://office365itpros.com/2023/01/26/teams-user-numbers-280million/
Thu, 26 Jan 2023 01:00:00 +0000

Teams User Numbers Slow as Office 365 Grows 12%

One thing that’s obvious from the Microsoft FY23 Q2 results released on January 24 is that the woes of the wider economy are affecting the growth of the Microsoft Cloud. This is despite headline growth to achieve $27.1 billion in quarterly revenue ($108.4 billion annualized run rate), up 22% year over year (or 29% in constant currency, reflecting the recent strength of the dollar). However, Microsoft had “slower than expected growth in new business” in Office 365 and EMS.

Revenue for Office 365 commercial increased 11% YoY (18% in constant currency). Microsoft said that this reflected “healthy renewal execution” and growth in annual revenue per user (ARPU) because “E5 momentum remains strong.” A cynic might say that Microsoft is now sweating its massive installed base. Customers have no real choice but to renew as the costs and technical difficulties involved in getting off Office 365 are massive. Microsoft drives ARPU by making sure that new features appear in the high-end SKUs. For example, if you want any automation for compliance or security functionality, you need an E5 SKU.

Driving users to buy E5 to get better security functionality is one reason why Microsoft was able to announce that its security business surpassed $20 billion (annually) in revenue. The security business includes products commonly used with Office 365 like Microsoft Purview, Microsoft Entra (think Azure AD), Microsoft Sentinel, Microsoft Intune, and Microsoft Defender. Some of these capabilities are bundled with Office 365 E3, but high-end Purview security and compliance functionality like adaptive scopes or automatic label policies or Defender Plan 2 require Office 365 E5. And Azure AD Premium P1 and P2 licenses are needed for features like conditional access policies and privileged identity management.

Office 365 User Base Approaches 400 Million

Probably deliberately to obfuscate comparisons, Microsoft hasn’t given a firm number for Office 365 active users since October 2019 when they reported 200 million monthly active users. Since then, they’ve focused on reporting growth percentages and paid seats, like the 345 million paid seats highlighted in April 2022. This time round, they said that Office 365 commercial seats grew 12% YoY and observed that small-to-medium business and frontline worker offerings drove the growth. Microsoft also said that they “saw some impact from the slowdown in growth of new business” and that they expect revenue growth to be lower in the coming quarter by about one percentage point.

During the analyst Q&A, Brad Reback from Stifel put forward a 400 million seat number for Office 365 and asked if Microsoft would concentrate on growth in seats or ARPU. In his response, CEO Satya Nadella acknowledged “moderating seat growth” balanced by increased ARPU due to more customers taking up E5 licenses. Nadella also points to Teams Premium (referred to as Team Pro in the transcript) as an opportunity for increased ARPU.

I think the number of paid Office 365 seats is a tad below 400 million (maybe around 385 million) but it’s hard to know. The number of actual real-live human beings who use Office 365 daily is lower at maybe 360 million. Either way, it’s a big number of users that is still growing albeit slower than before.

Teams User Number Reaches 280 Million

Speaking of Teams Premium, Microsoft gave an updated number for the user base that they can sell the new product to when Teams Premium becomes generally available in February 2023. A year ago, Microsoft said that Teams had 270 million monthly active users. Now the Teams user number is 280 million (Figure 1).

Figure 1: Teams user number growth since 2019

Microsoft claimed that the 3.57% growth in the Teams user number represented “durable momentum since the pandemic.” It’s curious that Teams grew at about a third of the rate of increase in Office 365 seats (12% YoY). Perhaps this is because those who want to use Teams are using it and relatively few in the small-to-medium and frontline segments where Microsoft says the Office 365 growth came from need Teams.

Microsoft usually throws out some gee-whiz statistics about Teams to help people in games of Office 365 trivial pursuit. This time round, we learned that there are more than 500,000 active Teams Rooms devices (up 70% YoY) and the number of customers with more than 1,000 Teams rooms doubled YoY. This might mean that two customers now have more than 1,000 Teams rooms instead of one last year. Microsoft didn’t clarify the point. However, they did assert that Teams Phone continues to grow its share and is now the market leader for cloud calling. Over 5 million Teams users with licenses for PSTN calling joined the Teams user mix over the last 12 months.

Balance Between New Seats and More Money Per Seat

It’s hard to grow big numbers. Microsoft continues to add seats to Office 365, but it seems like the new seats have low-end licenses, which is why they need to sell more high-end add-ons or more expensive licenses to the installed base to offset the relative lack of revenue from the new seats. Growth in Teams users is slowing, but the same aspects are visible in selling add-ons (like PSTN) and hoping that customers like what they see in Teams Premium enough to cough up the extra $10/user/month for licenses. You’ve got to keep that quarterly revenue number growing…


If you’re a tenant administrator who looks after some of the 400 million Office 365 users, make sure that you’re not surprised about changes that appear inside Office 365 by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Office 365 Reaches 345 Million Paid Seats
https://office365itpros.com/2022/04/28/office-365-number-of-users/
Thu, 28 Apr 2022 01:00:00 +0000

Almost $100 Billion in Annualized Microsoft Cloud Revenues

Another three months have passed, and another set of Microsoft results appears (including an increased Office 365 number of users). The FY22 Q3 results delivered a bumper $23.4 billion number for the Microsoft Cloud (up 32% year-over-year), equivalent to a $93.6 billion annualized run rate. That’s a world removed from the relatively puny $8 billion achieved in July 2015 and demonstrates just how far Microsoft has come on its cloud journey (Figure 1).

Figure 1: The growth in Microsoft Cloud revenues since 2015

Office 365 User Numbers

Microsoft has been cagey about providing data about the Office 365 number of users recently. A year ago, Microsoft stopped discussing active users (monthly or daily) and began focusing on paid seats. At the time, they claimed “Office 365 now has nearly 300 million paid seats.” Now, the Office 365 user number is “nearly 345 million,” broadly aligning with the 17% year-over-year increase in Office 365 commercial revenue. The number of active users is always less than those with paid licenses. I’ve tried to keep track of the active user number using growth numbers given by Microsoft and calculate that the active user number is now around 321 million (Figure 2). But only Microsoft knows, and they’re not saying.

Figure 2: Growth in Office 365 numbers reported by Microsoft since 2016

Microsoft didn’t give a new number for Teams users, so we’re left with the 270 million claimed in the FY22 Q2 results. Possibly they didn’t want to draw attention to the resignation earlier this week of Rish Tandon as Corporate VP of Teams engineering, something which might impact Microsoft’s ability to deliver the much-ballyhooed Teams 2.0 client, supposedly due later in 2022. On the other hand, the reason might also be that Teams growth is finally tapering off after the massive spurt during the Covid-19 pandemic.

Although all Office 365 plans include Teams, it’s not clear how the Teams number is made up. I assume it includes Teams usage in the Microsoft 365 business plans and maybe even Teams personal (aka Teams consumer). I certainly do not think that 78% of Office 365 paid seats use Teams. That would be a stretch.

Other Numbers

Other interesting data points released by Microsoft include:

  • 45% of Office 365 seats are bought as part of Microsoft 365 plans. I assume these mean the Microsoft 365 E3 and E5 plans. In July 2021, Microsoft said that 8% of the Office 365 base had Microsoft 365 E5. Given Microsoft’s continued quest for increased average revenue per user (ARPU), that number is likely higher now.
  • Enterprise Mobility and Security, which is included in the Microsoft 365 enterprise plans, now has 218 million users. That number was 196 million two quarters ago.
  • Azure Active Directory has 550 million daily active users, an increase of 50 million in six months, and 125 million more since the 425 million mark achieved in January 2021. The numbers show that a good chunk of the Azure Active Directory user base comes from outside Microsoft 365.
  • In the last quarter, Microsoft said that “Viva is being used by more than 1,000 paid customers.” This time round they said that Viva has “more than 10 million monthly active users.” However, Microsoft didn’t break out the usage for different parts of the Viva suite like Connections, Insights, Topics, and Learning.

For more results information, read the transcript of Microsoft’s post-announcement conference with market analysts.

Strong Growth in Microsoft Cloud

Although strong growth continues for Microsoft Cloud services, there’s no doubt that Microsoft results deliver a masterclass in selective obfuscation when it comes to informing people about what’s happening in terms of the Office 365 number of users and other data. On the one hand, this is natural because Microsoft doesn’t want to give away valuable information to competitors. On the other, shifting how they report usage from daily active users to monthly active users to paid seats makes it seem like there’s something to hide. Only Microsoft knows…


Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.

Why Cleaning Out the Teams Cache Sometimes Helps to Fix Clients
https://office365itpros.com/2022/02/04/teams-cache-performance/
Fri, 04 Feb 2022 00:07:00 +0000

The Art of Performance Improvement

Mark Longton of the Microsoft Teams development group discussed some techniques Microsoft uses to improve the performance of Teams in a January 28 blog. He covers analysis of performance during code development, tools used for analysis, and the creation of debugging and monitoring tools. Finally, he looks at how Microsoft identifies strategic improvements they want to make in specific elements of the Teams client. The text explains that helping Teams to lose an unfortunate reputation for sluggish performance is an ongoing, persistent, and detail-oriented task.

A response to the post raises the issue of memory consumption, reporting a Teams client taking 1.1 GB RAM. I haven’t seen such a large amount of memory reported for a while, probably not since Microsoft made some changes to Teams memory management in mid-2020. As I write this article, Teams occupies 501 MB RAM on my 16 GB Surface Book 2, which is after switching several times between different tenants to perform a variety of tasks. (12 hours later, Teams occupied 744 MB…)

Clear the Teams Cache

However, I rebooted my PC earlier today, so it’s less likely that the Teams cache of resources stored in memory has accumulated much debris. Over time, the cache can expand to hold data that isn’t used, not required, or corrupt. The solution is to “clear the cache,” or wipe and restart. Like signing out and back into Teams, it’s one of the go-to universal solutions for many odd Teams problems rooted in hard experience of helping end users cope with problems they have with Teams clients.

According to Mark Longton, signing out and back in again is enough to clear the Teams cache. This certainly seems like it should be the case because the cache is an in-memory structure and there’s no reason why Teams should keep data in memory after a user signs out.

However, as evident in this advice from Michigan State University, some support organizations go further and recommend that users of the Teams desktop client for Windows delete the contents of the cache folder in %appdata%\Microsoft\Teams plus a bunch of other folders. The logic appears to be that removing everything Teams downloads to store on the local workstation stops any lingering corruption finding its way back into the Teams cache. The next time the user signs into Teams, the client downloads the data from the cloud to rebuild the files.

Steps to Fix Problems

If someone experiences a problem with the Teams for Windows client, a phased approach is:

Sign out, wait a moment, and then sign back into the client. Sign out can be done from the taskbar (Figure 1) or by clicking the user photo in the title bar and selecting the sign out option. Apart from anything else, signing back in will ensure that access tokens and multi-factor authentication are not expired.

Figure 1: Signing out of Teams can help clear memory problems

If the problem doesn’t go away, check the web client to see if the same problem exists there. If it doesn’t, the issue is with the desktop client, so go ahead and sign out and then remove local cache files as described above. Before you sign out, use the Collect support files option (available by right-clicking the Teams icon in the system tray – Figure 2) to capture information that Microsoft support might need to resolve problems you can’t fix.

Figure 2: The Collect Support Files option
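
The cache removal step described above, scripted in PowerShell as an added example (not code from the article or from Microsoft). The sub-folder list and the `Teams` process name are assumptions for the classic Windows desktop client; the article itself names only `%appdata%\Microsoft\Teams` and "a bunch of other folders".

```powershell
# Added example, not part of the original article.
# Empties the classic Teams desktop client's local cache folders for the
# current Windows user. Run Collect support files and sign out first.
function Clear-TeamsLocalCache {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Parent folder named in the article.
        [string]$TeamsRoot = (Join-Path $env:APPDATA 'Microsoft\Teams'),

        # Assumption: sub-folders commonly listed in support guidance for
        # the classic client. Adjust to match your own support procedure.
        [string[]]$CacheFolders = @(
            'application cache\cache', 'blob_storage', 'Cache', 'databases',
            'GPUCache', 'IndexedDB', 'Local Storage', 'tmp'
        )
    )

    if (-not (Test-Path -LiteralPath $TeamsRoot)) {
        Write-Warning "Teams folder not found: $TeamsRoot"
        return
    }

    # Cache files stay locked while the client runs, so stop it first.
    # Assumption: the classic client runs as Teams.exe.
    $running = Get-Process -Name 'Teams' -ErrorAction SilentlyContinue
    if ($running -and $PSCmdlet.ShouldProcess('Teams.exe', 'Stop process')) {
        $running | Stop-Process -Force
        Start-Sleep -Seconds 3
    }

    foreach ($name in $CacheFolders) {
        $path = Join-Path $TeamsRoot $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Measure what is about to go so the action is visible in -WhatIf
        # output and in the returned report.
        $files  = @(Get-ChildItem -LiteralPath $path -Recurse -Force -File -ErrorAction SilentlyContinue)
        $sizeMB = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)

        if ($PSCmdlet.ShouldProcess($path, "Remove $($files.Count) cached files ($sizeMB MB)")) {
            # Empty the folder but keep the folder itself; the client
            # downloads the data again at the next sign-in.
            Get-ChildItem -LiteralPath $path -Force |
                Remove-Item -Recurse -Force -ErrorAction Continue
        }

        [pscustomobject]@{ Folder = $name; Files = $files.Count; SizeMB = $sizeMB }
    }
}

# Preview what would be removed without deleting anything:
Clear-TeamsLocalCache -WhatIf
```

Dropping `-WhatIf` prompts for confirmation before each removal because the function declares a high confirm impact.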

The Great Hope of Teams 2.0

It’s no secret that Microsoft is working on an implementation of the Teams enterprise client based on a new architecture (Teams 2.0). The Teams chat client now available in Windows 11 uses the new architecture, but clearly it takes much more development effort to create a client supporting all the features available in the current enterprise client. Better performance and a reduced memory footprint are two advantages cited for the new architecture. Let’s hope we’ll see the Teams 2.0 enterprise client soon, and that the days of needing to clear cache are left behind. Then again, a new client based on a new architecture will likely bring a bunch of new performance and troubleshooting issues for administrators to consider.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Time to Download the February 2022 Update for Office 365 for IT Pros
https://office365itpros.com/2022/02/01/office-365-for-it-pros-feb-2022/
Tue, 01 Feb 2022 01:00:00 +0000

Update #80 for World’s Best eBook Covering Office 365 and the Microsoft 365 Ecosystem


Drafting the announcement of yet another monthly update for the Office 365 for IT Pros eBook and making the text interesting and different is a real challenge. After 80 monthly updates, seven of which are for the 2022 edition, you could say that we know how to process monthly updates. And we do. Every month. Each month throws up its own set of challenges, from authors being late submitting their chapter changes, to Word having a meltdown, or the OneDrive sync client becoming mildly confused. We suffer from the same minor crises that other Microsoft 365 users endure as we grapple with the cloud. But we persist and get the update done, which (boringly enough) has just happened (again).

The February 2022 update for Office 365 for IT Pros (2022 edition) is now available for subscribers of the EPUB/PDF version to download from their Gumroad.com account or by using the download link in the receipt received by email after subscribing. Amazon Kindle subscribers can ask Amazon to release the update to your account. See our FAQ for more details about downloading monthly updates.

About the Change Log

Changes made in the February 2022 update for Office 365 for IT Pros are described in the change log. We don’t note every edit, addition, or deletion across the 24 chapters, so the change log is more like a set of highlights rather than a comprehensive page-by-page notation of changes. For instance, we don’t usually note the fact when we remove text that we consider outdated, which happens all the time because of the way change occurs across Microsoft 365. We also don’t note tweaks made to text to improve its readability or to emphasize an important point, perhaps because someone has pointed out that we should (we love getting feedback from readers).

Although we do try to note the most important updates, life is too short for generating a tremendously detailed change log for a 650,000-word book, and we also doubt if people would read a very detailed change log. Suffice to say that more happens in a monthly update than meets the eye or gets written down.

Please Download and Use the Update

Which is one reason why we’d like subscribers to download and use the most recent text. You’ve paid us to deliver the most comprehensive and up-to-date material we can produce, so you deserve to take advantage of that content. Every month, we receive questions from Office 365 for IT Pros readers who cite information from an outdated version. Just like the Exchange development group have little sympathy for people who don’t install recent cumulative updates for on-premises Exchange servers, we don’t like getting questions already answered in available updates. In fact, it’s a little depressing, so please download and use the February 2022 update. We’d appreciate it if you do.

Microsoft Cloud Revenues Pile Up as Teams Hits 270 Million Users
https://office365itpros.com/2022/01/26/microsoft-cloud-revenues-teams-270-million/
Wed, 26 Jan 2022 11:14:23 +0000

$22.1 Billion Revenues in FY22 Q2 Results

Microsoft closed out their FY22 Q2 results with revenue of $51.7 billion. Of this, Microsoft Cloud (mainly Office 365, Azure, Dynamics 365, and LinkedIn) accounted for $22.1 billion, up 32% year over year. It’s a very healthy outcome which underlines the importance of cloud services to Microsoft.

Figure 1: Office 365 Results drive the Microsoft Cloud

In remarks to analysts, CFO Amy Hood attributed the growth to “large, long-term Azure contracts, as well as increased usage of Teams and our advanced security and identity offerings.” She noted that the gross margin for Microsoft Cloud decreased slightly year-over-year to 70%. However, after excluding the impact from a change in how datacenter assets like servers and network controllers are accounted for over their useful life, she said that Microsoft Cloud gross margins increased by roughly 3%.

Office 365 Revenue and Numbers

In terms of Office 365, Microsoft failed to give specific user numbers for either active or paid seats. They said that Office 365 commercial revenue grew by 19% and cited higher average revenue per user (ARPU) and installed base expansion as driving factors. Microsoft noted that customer movement to higher-based plans such as Office 365 E5 to access better security (Microsoft Defender for Office 365 Plan 2), compliance (many features from auto-label policies to trainable classifier), and voice (calling plans, etc.) drove “continued momentum.” The increases in Office 365 and Microsoft 365 monthly subscriptions from March 1, 2022 will give another boost to cloud revenues.

Microsoft said that “paid Office 365 commercial seats increased 16% year-over-year.” In their Q3 FY21 results, Microsoft said that they had “nearly 300 million” paid seats. Nine months later, that number is probably around 330 million. However, that doesn’t mean that this is the number of monthly active users, with or without paid licenses. It could be that Microsoft has sold licenses that are not yet used but are still counted.

Interestingly, Microsoft said that growth was “driven by another strong quarter of growth in our small and medium business and frontline worker offerings.” Later, in a response to an analyst question, Amy Hood noted that growth in SME tenants and those buying services for frontline workers “often come(s) at lower revenue per month than we would see in our enterprise businesses buying the full suite of products.” In other words, Microsoft can’t generate a high ARPU from SME customers.

Teams

In July 2021, Microsoft claimed 250 million monthly active users for Teams. At the time, I wondered if the number was believable. Now Microsoft has increased the figure to 270 million (Figure 2), a small percentage increase compared to recent large spurts in growth. The same doubts exist simply because Microsoft doesn’t give sufficient detail to understand how such a large percentage of the Office 365 base uses Teams. For instance, how many Teams users are in education versus enterprise? How many people use Teams consumer, even after the roll-out of chat interconnectivity between the consumer and enterprise versions? How many of the users logged as active are there because Windows 11 loads the Teams consumer client or Office loads the Teams enterprise client (both easy to turn off)?

Figure 2: Growth in Teams user numbers as reported by Microsoft

Instead of hard data, we get snippets designed for quotations, such as learning that Teams is “at the center of this digital fabric,” or that “over 90 percent of Fortune 500 companies used Teams Phone this quarter” (maybe they like the unlimited dial-in capabilities and Teams Phone plans). Or even that Walmart chose Teams for their “more than 2 million frontline users” (surely a Teams Walkie-Talkie case study in the making…). Huge customers like Walmart underpin the credibility of the Teams user number, while also underlining the point about lower profitability from frontline worker contracts (you can bet that Walmart got a good deal).

Viva

Microsoft launched Viva almost a year ago and rolled out Viva Insights, Viva Connections, Viva Learning, and Viva Topics since. Of all the offerings, I think Viva Topics has the most interesting technology. Microsoft has also rebranded MyAnalytics to bring it under the Viva brand, which is why Outlook and OWA now have the Viva Insights add-in.

Given the hype surrounding the launch and the importance of the “employee experience category” emphasized to the Microsoft sales force and partners, it was striking how little mention it received in the results briefing. Satya Nadella said that “Viva is being used by more than 1,000 paid customers… to help address challenges like employee burnout and retention.”

With the size of the Office 365 customer base and the emphasis on Teams as the delivery vehicle for Viva, I’m surprised that this number is so low. In July 2021, Microsoft said that 124 organizations had more than 100,000 Teams users and 3,000 organizations had more than 10,000 Teams users. You’d imagine that these organizations would be prime candidates for Viva. Perhaps the U.S.-centric approach often seen in Viva is an inhibiting factor for deployment in the rest of the world?


How to Determine the Age of a Microsoft 365 Tenant
https://office365itpros.com/2022/01/14/find-age-microsoft-365-tenant/
Fri, 14 Jan 2022 01:00:00 +0000

Use Teams, PowerShell, or the Graph

Vasil Michev, the Technical Editor of the Office 365 for IT Pros eBook, comes up with all sorts of weird and wonderful insights into Microsoft 365. A recent question he discussed on his blog was how to find the creation date for a tenant. It’s a good question because it forces respondents to know where to look for this information and is exactly the kind of poser we like to tease out as we write content for the book.

As Vasil points out, the obvious answer is to fire up the Teams admin center because the tenant creation date appears on a card displayed on its home screen (Figure 1). The Teams admin center is the only Microsoft 365 portal which shows this information. Why the Teams developers thought that it was useful to highlight the tenant creation date is unknown. After all, the date won’t change over time and static information is not usually featured by workload dashboards.

Figure 1: Viewing the tenant creation date in the Teams admin center

Opening an administrative portal is no challenge. Vasil suggests several alternate methods to retrieve the tenant creation date. It seemed like fun to try some of these methods against my tenant. Here’s what I found.

Using Exchange Online Data

If you’ve used Exchange Online from the start, you can check the creation date of the Exchange organization configuration object, created when an administrator enables Exchange Online for the first time.

(Get-OrganizationConfig).WhenCreated

Monday 27 January 2014 20:28:45

It’s an interesting result. Exchange Online reports its initiation in January 2014 while Teams is quite sure that the tenant existed in April 2011. I’ve used Exchange Online for email ever since I had a tenant, so the disconnect between Exchange Online and the tenant creation date is interesting.

Another way of checking Exchange data is to look at the creation dates for mailboxes. This PowerShell snippet finds all user mailboxes and sorts them by creation date. The first mailbox in the sorted array is the oldest, so we can report its creation date:

[array]$Mbx = Get-ExoMailbox -ResultSize Unlimited -Properties WhenCreated -RecipientTypeDetails UserMailbox | Sort-Object {$_.WhenCreated -as [datetime]}
Write-Host ("The oldest mailbox found in this tenant is {0} created on {1}" -f $Mbx[0].DisplayName, $Mbx[0].WhenCreated)

The oldest mailbox found in this tenant is Tony Redmond created on 27/01/2014 20:36:38

(Dates shown are in Ireland local format. The equivalent U.S. format date is 01/27/2014).

Grabbing all mailboxes to check their creation date will not be a fast operation. Even using the REST-based Get-ExoMailbox cmdlet from the Exchange Online management module, it will take time to retrieve all the user mailboxes in even a medium size tenant.

As it turns out, the oldest mailbox is my own, created about eight minutes after the initiation of Exchange Online. However, we’re still in 2014 when the tenant proclaims its creation in 2011, so what happened?

A search through old notes revealed that Microsoft upgraded my original Office 365 tenant created in 2011 to an enterprise version in 2014. It seems that during the tenant upgrade, Microsoft recreated the instance of Exchange Online. That explanation seems plausible.

Administrator Accounts

Another method is to examine the creation dates of administrator accounts to find the oldest account. This is usually the administrator account created during tenant setup. In other words, when you create a new tenant, you’re asked to provide the name for an account which becomes the first global administrator. If we look at the administrator accounts in the tenant and find the oldest, it should be close to the tenant creation date shown in the Teams admin center. That is, unless someone deleted the original administrator account.

Azure AD is the directory of record for every Microsoft 365 tenant, so we should check Azure AD for this information. The steps are:

  • Find the set of accounts which currently hold the global administrator role. We omit the account returned with the object id 25cbf210-02e5-4a82-9f5c-f41befd2681a as this is a service principal used by Microsoft Rights Management services (you can confirm this by running Get-AzureADServicePrincipal -ObjectId 25cbf210-02e5-4a82-9f5c-f41befd2681a).
  • Check each account to find the creation date. This is slightly complicated when using the Azure AD PowerShell module because the creation date is part of the extension properties. We therefore use the Get-AzureADUserExtension cmdlet to extract the date and then store it in the array used to hold details about tenant administrators.
  • Sort the accounts by creation date and report the oldest.

Here’s the code I used:

# Find the identifier for the Azure AD Global Administrator role
$TenantAdminRole = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Global Administrator'} | Select-Object ObjectId
# Get the set of accounts holding the global admin role. We omit the account used by
# the Microsoft Rights Management Service
$TenantAdmins = Get-AzureADDirectoryRoleMember -ObjectId $TenantAdminRole.ObjectId | ? {$_.ObjectId -ne "25cbf210-02e5-4a82-9f5c-f41befd2681a"} | Select-Object ObjectId, UserPrincipalName
# Get the creation date for each of the accounts
$TenantAdmins | ForEach-Object { $_ | Add-Member -MemberType NoteProperty -Name "Creation Date" -Value (Get-AzureADUserExtension -ObjectId $_.ObjectId ).Get_Item("createdDateTime") }
# Find the oldest account
$FirstAdmin = ($TenantAdmins | Sort-Object {$_."Creation Date" -as [datetime]} | Select -First 1)
Write-Host ("First administrative account created on {0}" -f $FirstAdmin."Creation Date")

The older Microsoft Online PowerShell module doesn’t require such a complicated approach to retrieve account creation data. Taking the code shown above and replacing the Get-AzureADUserExtension cmdlet with Get-MsOlUser, we get:

$TenantAdmins | ForEach-Object { $_ | Add-Member -MemberType NoteProperty -Name "Creation Date" -Value ((Get-MsOlUser -ObjectId $_.ObjectId ).WhenCreated) }

Using either cmdlet, the result is:

First administrative account created on 11/04/2011 17:35:11

The Teams admin center also reports April 11, 2011, so using administrator accounts might be a viable way to determine tenant age.

Use the Graph

Microsoft 365 stores information for each tenant in the Microsoft Graph, and it’s the Graph which is the source for the Teams admin center. We can retrieve the same information by running the https://graph.microsoft.com/V1.0/organization Graph query. The createdDateTime property returned in the organization settings is what we need.

Here’s the PowerShell code to run after obtaining the necessary access token for a registered app, which must have consent to use the Organization.Read.All Graph permission. Vasil used the beta endpoint when he showed how to fetch tenant organization settings using the Graph Explorer (which saves the need to write any code), but the V1.0 endpoint works too.

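# $Headers must already hold the Authorization header (bearer access token) obtained for the registered app
$Uri = "https://graph.microsoft.com/V1.0/organization"
$OrgData = Invoke-RestMethod -Method GET -Uri $Uri -ContentType "application/json" -Headers $Headers
# Report the tenant name and the createdDateTime property from the organization settings
If ($OrgData) {
  Write-Host ("The {0} tenant was created on {1}" -f $OrgData.Value.DisplayName, (Get-Date($OrgData.Value.createdDateTime) -format g)) }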

The Redmond & Associates tenant was created on 11/04/2011 18:35

The first administrator account appears to date from 17:35 while the tenant creation time is an hour later. This is easily explained because all dates stored in the Graph are in UTC whereas the dates extracted from Azure AD and reported by PowerShell reflect local time. In April 2011, local time in Ireland was an hour ahead of UTC.

An Old Tenant

After all the checks, it’s clear that I created my tenant in the early evening of April 11, 2011. Given that this was ahead of Microsoft’s formal launch of Office 365 in July 2011, I can claim to use an old tenant, for what that’s worth.

How to Manage External Access Settings for Communication with Teams Consumer Users https://office365itpros.com/2022/01/11/manage-teams-external-access-users/?utm_source=rss&utm_medium=rss&utm_campaign=manage-teams-external-access-users https://office365itpros.com/2022/01/11/manage-teams-external-access-users/#comments Tue, 11 Jan 2022 01:00:00 +0000 https://office365itpros.com/?p=52940

Teams External Access for Chat and Calling

Teams users have been able to chat and call people in other Teams tenants for some years. This is a very useful capability because it means that you don’t need to have a guest account in a tenant to communicate with its users. Microsoft added the capability to chat with Skype consumer users in 2020. Both features are enabled by external federation, the component which manages user ability to communicate outside the tenant. By default, the tenant external federation configuration allows communication with Teams users in any tenant. Administrators can manage the configuration through the External access section under Users in the Teams admin center. For instance, an organization might decide to limit external federation to a subset of tenants considered necessary for business communications.

Bringing Teams Consumer into the Chat Fold

Message center notification MC296208 (updated January 4, Microsoft 365 roadmap item 88381) expands external federation to cover chat (but not calling) with Teams consumer users. Given the presence of a Teams consumer client in Windows 11 and Microsoft’s fervent hope that people will embrace Teams consumer, it’s unsurprising that consumer and enterprise Teams users should be able to communicate. Up to now, any attempt to chat with a Teams enterprise user from Teams consumer results in an exchange of email, which is not quite the immediate connection delivered by chat.

According to MC296208, roll-out of Teams external access for Teams consumer starts in early January and should complete in mid-January. As always, this timing might change. Unlike external federation with Skype consumer users, Teams consumer supports both 1:1 and group chats. Another interesting aspect is that Teams enterprise users can find Teams consumer users with their email address or phone number (obviously, this must be the phone number registered by the user when they signed up for Teams consumer). But then again, you can also search for Teams enterprise users with their phone number, if you really must…

Tenant Controls for Teams External Access with Teams Consumer

Settings in the tenant’s external federation configuration control the communication with Teams consumer users (also called “Teams accounts not managed by an organization”). Two controls are available in the External access section of the Teams admin center:

  • People in my organization can communicate with Teams users whose accounts aren’t managed by an organization: Set On to allow your users to communicate with Teams consumer users.
  • External users with Teams accounts not managed by an organization can contact users in my organization: Set On to allow Teams external users to search for and contact users in your tenant using their SIP address (usually the same as their primary SMTP address and user principal name). Set Off to stop this happening and prevent unsolicited contact from Teams consumer users. Figure 1 shows that this setting is Off.

Figure 1: Options in the Teams admin center to handle external access with Teams consumer users

By default, both settings are On, meaning that if you don’t update them, full bi-directional chat is available between Teams enterprise and consumer users.

You can also update the Teams consumer controls with PowerShell by running the Set-CsTenantFederationConfiguration cmdlet. For example, this command disables both settings.

# Disable both outbound access (AllowTeamsConsumer) and inbound access (AllowTeamsConsumerInbound) for Teams consumer users
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $False -AllowTeamsConsumerInbound $False

Other settings in the external federation configuration include:

  • AllowFederatedUsers: Set to False to stop chat and calling with Teams users in other tenants.
  • AllowPublicUsers: Set to False to stop chat and calling with Skype Consumer users.

Per-User Control for External Federation

The Teams external access policy assigned to an account controls the level of external access a user has.

Get-CsonlineUser -Identity Jane.Sixsmith@office365itpros.com | Select ExternalAccessPolicy  

ExternalAccessPolicy            : FederationAndPICDefault

Get-CsExternalAccessPolicy -Identity FederationAndPICDefault

Identity                          : Global
Description                       :
EnableFederationAccess            : True
EnableXmppAccess                  : False
EnablePublicCloudAccess           : True
EnablePublicCloudAudioVideoAccess : True
EnableOutsideAccess               : True
EnableAcsFederationAccess         : True
EnableTeamsConsumerAccess         : True
EnableTeamsConsumerInbound        : True

If an external access policy isn’t defined for an account, it uses the tenant settings.

Important settings for federated communications defined in the external access policy are:

  • EnableFederationAccess: Allow communication with Teams users in other tenants.
  • EnablePublicCloudAccess: Allow communication with Skype consumer users.
  • EnableTeamsConsumerAccess: Allow communication with Teams consumer users.
  • EnableTeamsConsumerInbound: Allow Teams consumer users to initiate communication with this account.

To gain maximum control over how Teams users communicate externally, you might want to create a new external access policy. This is done as follows:

  • Create a new external access policy with New-CsExternalAccessPolicy.
  • Update the settings in the new policy with Set-CsExternalAccessPolicy.
  • Assign the new policy to user accounts.

For example:

New-CsExternalAccessPolicy -Identity "Block Teams Consumer"
Set-CsExternalAccessPolicy -Identity "Block Teams Consumer" -EnableTeamsConsumerAccess $False
Grant-CsExternalAccessPolicy -Identity Jane.Sixsmith@office365itpros.com -PolicyName "Block Teams Consumer"
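
To check the result of combining the tenant switches with per-user policies, the following added example (not code from the original article) reports which accounts remain open to Teams consumer chat. The sample objects and the `Get-TeamsConsumerExposure` function name are constructed for illustration. The example assumes that both the tenant switch and the policy flag must be True for a direction to be allowed, and it treats the inbound and outbound flags independently.

```powershell
# Added example: audit exposure to Teams consumer chat.
# The objects below are constructed sample data using the property names shown on this page.
# In a live Teams PowerShell session, replace them with:
#   $TenantConfig = Get-CsTenantFederationConfiguration
#   $Policies     = Get-CsExternalAccessPolicy
#   $Users        = Get-CsOnlineUser | Select-Object UserPrincipalName, ExternalAccessPolicy

$TenantConfig = [pscustomobject]@{
    AllowTeamsConsumer        = $true
    AllowTeamsConsumerInbound = $true
}

$Policies = @(
    [pscustomobject]@{ Identity = 'Global'
                       EnableTeamsConsumerAccess = $true;  EnableTeamsConsumerInbound = $true }
    # Mirrors the article's policy: only EnableTeamsConsumerAccess was set to False
    [pscustomobject]@{ Identity = 'Tag:Block Teams Consumer'
                       EnableTeamsConsumerAccess = $false; EnableTeamsConsumerInbound = $true }
)

$Users = @(
    [pscustomobject]@{ UserPrincipalName = 'user.one@example.com';   ExternalAccessPolicy = 'FederationAndPICDefault' }
    [pscustomobject]@{ UserPrincipalName = 'user.two@example.com';   ExternalAccessPolicy = 'Block Teams Consumer' }
    [pscustomobject]@{ UserPrincipalName = 'user.three@example.com'; ExternalAccessPolicy = $null }
    [pscustomobject]@{ UserPrincipalName = 'user.four@example.com';  ExternalAccessPolicy = 'Deleted Policy' }
)

function Get-TeamsConsumerExposure {
    param(
        [Parameter(Mandatory)] $TenantConfig,
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [object[]] $Users
    )

    # Index policies by name. Per-user policies are listed with a "Tag:" prefix,
    # while the name recorded against a user account has no prefix.
    $PolicyByName = @{}
    foreach ($Policy in $Policies) {
        $PolicyByName[([string]$Policy.Identity) -replace '^Tag:', ''] = $Policy
    }

    foreach ($User in $Users) {
        $Assigned = [string]$User.ExternalAccessPolicy
        # No assigned policy, or the FederationAndPICDefault name (which resolves to
        # Identity "Global" in the output shown on this page), means the Global policy applies.
        $Name = if ([string]::IsNullOrWhiteSpace($Assigned) -or $Assigned -eq 'FederationAndPICDefault') {
            'Global'
        } else {
            $Assigned
        }

        $Policy = $PolicyByName[$Name]
        if ($null -eq $Policy) {
            # The account references a policy that is not in the supplied set
            [pscustomobject]@{
                User = $User.UserPrincipalName; Policy = $Name
                OutboundToConsumer = $null; InboundFromConsumer = $null
                Finding = 'Policy not found - review manually'
            }
            continue
        }

        # Assumption: a direction is open only when tenant AND policy both allow it
        $Outbound = [bool]$TenantConfig.AllowTeamsConsumer -and [bool]$Policy.EnableTeamsConsumerAccess
        $Inbound  = [bool]$TenantConfig.AllowTeamsConsumerInbound -and [bool]$Policy.EnableTeamsConsumerInbound

        $Finding = if ($Inbound -and $Outbound) {
            'Open in both directions'
        } elseif ($Inbound) {
            'Inbound flag still enabled - unsolicited contact possible'
        } elseif ($Outbound) {
            'Outbound only - external chats are outside DLP coverage'
        } else {
            'No Teams consumer chat'
        }

        [pscustomobject]@{
            User = $User.UserPrincipalName; Policy = $Name
            OutboundToConsumer = $Outbound; InboundFromConsumer = $Inbound
            Finding = $Finding
        }
    }
}

Get-TeamsConsumerExposure -TenantConfig $TenantConfig -Policies $Policies -Users $Users |
    Sort-Object User | Format-Table -AutoSize
```

With the sample data, the account assigned the "Block Teams Consumer" policy is reported with the inbound flag still enabled, because that policy changed only EnableTeamsConsumerAccess.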

Teams External Access with Teams Consumer

Once permitted, it’s easy for a Teams enterprise user to connect with a Teams consumer user by starting a new chat, entering the email address of the consumer user, and searching externally. The initial messages go to the external user, who must decide if they wish to accept or block the connection (Figure 2).

Figure 2: Starting a chat with a Teams consumer user

You can add a Teams consumer user to a group chat, but you can’t share previous chats as a new chat starts to accommodate the external user.

A similar check before acceptance is used when a Teams consumer user contacts a Teams enterprise user, with the subtle difference that the Teams enterprise user sees the warning that Messages from unknown or unexpected people could be spam or phishing attempts.

Recipients of inbound connections can preview the messages, which is a good reason for clearly stating the intent and purpose of the conversation in the initial messages, unlike those shown in Figure 3. Only a contravention of the don’t say hello in chat rule would be worse!

Figure 3: Previewing the initial messages from a Teams consumer user

Some limitations exist in what can happen in a mixed-Teams chat. The biggest loss of functionality is the inability to make calls or share files. Given that Teams users can call Skype consumer users, the loss of calling is surprising (I anticipate this feature will come soon). Not being able to share files is likely because enterprise and consumer Teams use different versions of OneDrive.

From a compliance perspective, the Microsoft 365 substrate captures compliance records for eDiscovery in the enterprise tenant. Teams consumer doesn’t have this capability. On a more serious note, Microsoft documents that Data Loss Prevention (DLP) policies don’t apply to external access chats. If you’ve invested in DLP for Teams (which needs Office 365 or advanced compliance licenses), you’re unlikely to be impressed at the prospect that tenant users can share sensitive information in external chats. This is definitely a hole which Microsoft should close.

Generally, all went as expected. The only issue I ran into was when attempting to connect to an account signed into Teams consumer that I had previously communicated with from Teams using Skype consumer. Teams stubbornly refused to communicate using anything other than Skype consumer. There’s nothing wrong with the Teams consumer account because I was able to connect with it in a group chat when another enterprise account added the consumer account to the chat.

Connections for Those Who Want Them

I’m unsure as to how many Teams consumer accounts are ready to use Teams external access to communicate with enterprise tenants. Sure, the client is in Windows 11 and many people might have kicked the tires of the client but knowing how many persist and use Teams consumer on an ongoing basis is a different question. In any case, for those who use Teams consumer, the pathway to communication with their enterprise connections is now available. That is, if enterprise tenants enable the capability.


Keep up to date with developments in Microsoft Teams by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Don’t Worry if You See Unexpected Azure Costs for Azure AD Guest Access https://office365itpros.com/2021/11/19/unexplained-azure-costs-azuread-guest-access/?utm_source=rss&utm_medium=rss&utm_campaign=unexplained-azure-costs-azuread-guest-access https://office365itpros.com/2021/11/19/unexplained-azure-costs-azuread-guest-access/#respond Fri, 19 Nov 2021 01:00:00 +0000 https://office365itpros.com/?p=52444

Microsoft’s eCommerce System Will Figure Things Out

Earlier this month, I wrote about the need to link an Azure subscription to Azure AD to use Microsoft’s new Monthly Active User (MAU) model to license guest user access to premium Azure AD P1 and P2 features. The MAU model replaces the previous 1:5 ratio (one premium license covered five guest users).

After sorting out a small problem with the Azure providers available to my subscription, the transition for my tenant went well. That is, until I noticed costs creeping up for the subscription (Figure 1).

Figure 1: Tracking Azure subscription costs

Examining invoice details shows that the Azure Active Directory service is accumulating the costs for its P2 monthly active user meter (Figure 2).

Figure 2: The meter is running for Azure AD MAU

My tenant is small, but some guests access it to contribute to the Office 365 for IT Pros eBook. Because the tenant uses conditional access policies, the guest activity accumulates in the MAU meter. However, Microsoft says that the MAU model allows for 50,000 unique monthly active user authentications before any charges occur. Given that only 215 guest accounts are in the tenant directory, the level of unique guest authentications per month will never reach 50,000.

No Double Dipping

I contacted Microsoft to ask why the meter was running for Azure AD premium P2 activity generated by guests when the MAU model allowed for a huge number of free monthly unique authentications. The explanation I received is that Microsoft’s eCommerce system is not built to allow two allowances against charges.

My Azure subscription comes with a monthly allowance. Because I linked Azure AD with the subscription, I should also get 50,000 MAU. That’s the two allowances. The eCommerce system which generates the charges and invoices only allows tenants one benefit when it displays charging information in the Azure portal. However, when the time comes to generate an invoice and charge real money, the system takes all available benefits and offsets them against the charges. Because the allowance included in the subscription was larger than the charges for premium Azure AD activity, the invoice had a zero balance.

Learnings

Microsoft say they will update their documentation to reassure tenants that they’ll receive the benefit of the MAU model and won’t be charged for the first 50,000 unique MAU. The thing that I learned from this experience is that the tracking mechanism for MAU works well and is easier to manage than keeping track of licenses bought for guest users according to a 1:5 ratio that must be assessed manually.


How to Find and Use Office 365 and Microsoft 365 Icons https://office365itpros.com/2021/11/09/find-microsoft-365-office-365-icons-for-internal-communications/?utm_source=rss&utm_medium=rss&utm_campaign=find-microsoft-365-office-365-icons-for-internal-communications https://office365itpros.com/2021/11/09/find-microsoft-365-office-365-icons-for-internal-communications/#comments Tue, 09 Nov 2021 00:50:00 +0000 https://office365itpros.com/?p=52273

Microsoft Branding Toolkit for Internal Communications Only

I’m often asked what’s the best way to get hold of Microsoft logos and icons. People like to include these graphic elements in training material, presentations, and internal web sites. One way of finding a suitable image is to search microsoft.com to find images used in their documentation. Another way is to grab a screen capture from a Microsoft video (which is how I got the Microsoft Loop logo used in this blog post). Although it might take some searching, you can usually find a suitable illustration to meet your needs.

However, an easier way exists if you’re a Microsoft 365 customer. Microsoft Fasttrack is a program dedicated to helping customers use Microsoft 365. You can sign into the Fasttrack portal with your Microsoft 365 account to access different tools to help with planning, migration, and adoption. The Resources section of the portal allows access to different tools, one of which is the Branding toolkit (Figure 1).

Figure 1: Resources in the Microsoft Fasttrack portal

Licensing and Guidelines

Choosing the branding toolkit downloads a ZIP file. Inside the ZIP is a folder called Microsoft Office App Icons and a PDF file describing the conditions under which Microsoft allows the use of the Microsoft 365 and Office graphics. For instance, you can’t use Office icons in any way that damages Microsoft’s reputation or to imply their endorsement of a third-party service or product. Essentially, Microsoft makes the graphics available in the branding kit for internal communications distributed to the licensee’s employees (the licensee is defined as the customer using the kit) to “increase the customer’s internal adoption and usage of Microsoft products and services.” In addition, Microsoft expects that its icons and logos are used properly in line with Microsoft branding guidelines. You might think that Microsoft is a tad picky, but they are serious about people using their material to support their brand image instead of random insertions of Office icons in documents and presentations.

Inside the Folders

The Microsoft Office App Icons folder holds a bunch of other folders, each containing the icons for a separate product, like Exchange, Microsoft Lens, OneDrive, and Planner. Inside a product folder you’ll find full-color and monochrome (positive and negative) versions of its icons in PNG and PDF formats. The PNG files cover different icon sizes varying from 48×48 (pixels) to 256×256. Figure 2 shows the monochrome positive files available for Exchange with the 128×128 PNG file displayed in the Windows photo viewer.

Figure 2: Icons for Exchange in the Microsoft branding toolkit

External Use

Microsoft’s license included with the branding kit allows for internal use. External usage is not covered by the agreement. Does this mean that Microsoft will be upset if you use their graphics in public-facing activities, such as presentations given at conferences or blog posts? The fact is that Microsoft does not license people to use files contained in the branding toolkit for these purposes. However, given that Office icons and graphics can be found elsewhere, it’s reasonable to assume that Microsoft won’t object to their use unless a flagrant violation of their branding guidelines occurs. In other words, using the SharePoint or OneDrive logo to illustrate a blog post is unlikely to cause a problem.

Like any other company, Microsoft has limited resources to dedicate to chasing down trademark or other infringements of their intellectual property. For instance, I often see people incorporate a Microsoft icon in the opening titles of a YouTube video. Even if the graphics aren’t very professional and don’t match any of their branding guidelines, the sheer number of these types of videos mean that Microsoft probably won’t seek action unless the treatment of the icon is such that people watching a video might conclude that Microsoft endorses the content.

However, I’m not a Microsoft lawyer and I cannot offer any advice about how any individual could use Microsoft icons in external communications. Overall, if you download the Fasttrack branding toolkit, it’s best to follow Microsoft’s usage rules to avoid any trouble. As the old saying goes, “You can’t fight City Hall.”


Learn how to exploit the Office 365 data available to tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Some Microsoft 365 Features Highlighted at Fall Ignite 2021 You Can Use Now https://office365itpros.com/2021/11/05/some-microsoft-365-features-fall-ignite-2021/?utm_source=rss&utm_medium=rss&utm_campaign=some-microsoft-365-features-fall-ignite-2021 https://office365itpros.com/2021/11/05/some-microsoft-365-features-fall-ignite-2021/#respond Fri, 05 Nov 2021 01:00:00 +0000 https://office365itpros.com/?p=52244

Discovering Some Nuggets from Microsoft’s Coverage

It’s been a busy week for anyone following the Microsoft 365 ecosystem as Microsoft released a slew of blog posts and announcements to support keynotes and other sessions at the Microsoft Ignite Fall event. You could spend hours reading about new features and functionality and wonder when the code will appear in your Office 365 tenant and if any additional licenses are necessary.

This post captures notes about several features available now that I noticed as I perused Microsoft’s coverage. By themselves, each is not enough to warrant a separate post, but they’re interesting all the same. These changes are examples of the stuff we track to maintain the content of the Office 365 for IT Pros eBook. All our chapter authors have been busy this week.

SharePoint Online and OneDrive for Business

Sharing links show who you’ve shared a document with. This feature was announced in June but seems to have taken its time to roll out. The idea is simple. When you send a new sharing link, SharePoint Online and OneDrive for Business tell you who the document is already shared with (Figure 1), including a thumbnail of each person (if available in Azure AD). You can hover over a thumbnail to see who the person is. The number of active sharing links also appears. It’s a small but useful change.

Figure 1: Information about people a document is already shared with

Easy to overlook, the SharePoint Online admin center now displays connected channel sites when a site used by Teams creates private channels (Figure 2). If you can’t remember which sites have private channel sites, connect to SharePoint Online PowerShell and run:

Get-SPOSite -Limit All -Template TeamChannel#0 | ? {$_.TeamsChannelType -eq "PrivateChannel"}
Figure 2: The SharePoint Online admin center notes the existence of some channel sites

If you click the channel sites link, the admin center displays details of those sites. Teams manages the settings for these sites, but it’s nice to be able to have easy access to the information. Shared channels, which are delayed until early 2022, also use channel sites.

OneDrive for Business supports Known Folder Move (KFM) and Files on Demand on macOS, which is nice if you’ve invested in a brand-new M1-powered Mac.

If your tenant uses sensitivity labels and has SharePoint Syntex, you can apply sensitivity labels to protect the document understanding models. The application of a label in this manner flows through to protect individual documents identified by models. It’s another way of automatically applying labels to sensitive content.

Sensitivity label control over sharing capabilities of SharePoint Online sites is now generally available. In addition, co-authoring and autosave of protected documents is generally available in the Microsoft 365 apps for enterprise (Word, Excel, and PowerPoint). We use protected documents heavily to store chapter files for the Office 365 for IT Pros eBook, so this is a welcome advance.

Exchange Online

Microsoft Scheduler can now dynamically adjust the scheduling of recurring meetings. This is message center notification MC295855 (November 2) and it’s a great idea. Static recurring meetings are all too often cancelled or rescheduled because someone is sick or otherwise unavailable. After a recurring meeting finishes, Scheduler looks for the best time slot for the next instance and books that time.

Everyone’s probably familiar with the Exchange Online campaign to remove basic authentication for email connection protocols (that October 2022 date is getting nearer!). PowerShell is on the list of protocols to be blocked for basic authentication, but the Exchange Online management PowerShell module still uses basic authentication to communicate with WinRM on a local workstation. Work is under way to remove the need to use WinRM. Microsoft has released a preview version (2.0.6-3preview) of the module to demonstrate how they will remove the dependency by using a REST API in the background. Exchange Online has many cmdlets, not all of which have been converted to use the new mechanism, but you can test the preview now.

On the downside, Microsoft didn’t say anything at Ignite about the next version of on-premises Exchange. This is strange given the September 2020 announcement said the next version of Exchange Server would be available in the second half of 2021.

Microsoft 365

Microsoft says that Visio web app is rolling out to Microsoft 365 commercial tenants (all tenants with Office 365 enterprise plans). The rollout goes through to the end of January 2022, so keep an eye on the app launcher to see when Visio web app (aka Visio in Microsoft 365) shows up in your tenant.

Microsoft Cloud App Security (MCAS) is now Microsoft Defender for Cloud Apps (surely MDCA?). The app governance add-on is now generally available. It’s a good way to chase down apps registered in Azure AD that are over-permissioned or not being used. If you don’t have MDCA or don’t want to pay for the add-on, use our DIY audit method for Azure AD apps.

Access to the knowledge available in topic cards created by Viva Topics has been restricted to some lesser-used applications up to now. Things will change when topic cards appear in OWA and Teams. Apparently, this will happen soon and should be a game changer for the organizations who have invested in the work needed to harvest organizational knowledge through Viva Topics.

Teams

Microsoft prioritized Teams at Ignite as the center of a new way to work (see my practical365.com article), so there were lots of Teams-related developments discussed, most of which can be left until they appear in a tenant near you. One snippet in a blog post about improving meeting quality is that noise suppression in Teams meetings will be available for iOS soon. Microsoft claims that they saw a “31% decline in comments about background noise distractions” after the launch of noise suppression. This sounds like a good thing, but a single statistic provided without any further context or detail is worthless. We don’t know the sample size, whether the clients were Windows or Mac, what kind of meetings were involved, or what is meant by “comments” (good, bad, or indifferent). Like many Microsoft statistics, there’s plenty of room for fudging an issue.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what’s happening.

Microsoft Releases Preview for New Feedback Portal
https://office365itpros.com/2021/10/29/microsoft-releases-preview-new-teams-feedback-portal/
Fri, 29 Oct 2021 01:00:00 +0000

Teams is First Product to Use New Portal, Which Replaces User Voice

Update November 10: The feedback portal is now available for a bunch of other Microsoft 365 apps (OneNote, SharePoint, Stream, Planner, Yammer, Viva Topics, etc.). Exchange is a notable exception for now.

Much to customer dismay, Microsoft announced its intention to stop using the User Voice platform in March. Today, the Teams product group announced the preview of a feedback portal for Teams (aka “a community feedback experience”). Given the very active use of User Voice by the Teams community to suggest and press for product improvements, this is a welcome development. According to Microsoft, User Voice input has resulted in over 500 features and improvements since 2017, so it’s obvious that customers are listened to, even if they sometimes think this isn’t the case.

The new portal (Figure 1) also supports Edge, but that section isn’t as well populated as the Teams content is. Over time, you’d imagine that the portal will evolve from preview to become the central point for feedback for the entire Microsoft 365 ecosystem, assuming things go well.

Figure 1: Welcome to the New Feedback Portal

Built on Dynamics 365

The new portal is built on the Dynamics 365 customer service technology. In the past, Microsoft has looked outside to replace its own technology with third-party code, notably when the Yammer-based Technical community was replaced by Lithium as the basis for the current Microsoft Technical Community. It’s good to see Microsoft eating its own dogfood here. Hopefully, the experience of handling customer feedback and feature requests through the new portal will inform future developments in Dynamics 365.

Data from User Voice

To ensure that the information from User Voice is not lost, it looks as if Microsoft has done a good job of populating the feedback portal with ideas and comments already submitted by customers. The Teams product group has updated a bunch of requests with responses to tell people about the progress of ideas and suggestions, so if you’ve been missing out on wanting to know if Microsoft is going to do something, you can head over to the portal to browse ideas and responses (Figure 2).

Figure 2: Browsing ideas and responses for Teams

Some responses address well-known recent developments, like quoted replies in chats (released in preview on September 17), while others are still being worked by engineering, like the request to sign into the Teams client with accounts from multiple tenants. According to some tweeted comments by Rish Tandon, Teams VP of development, support for multiple accounts will come when Microsoft releases an enterprise client based on the Teams 2.0 architecture sometime next year.

Given the use of Dynamics 365, it shouldn’t come as a surprise that you need to sign in to create a new suggestion (following Microsoft documentation on that point, naturally). However, the portal is available to all to browse without sign-in.

By the way, Live components in Chat are now available for preview users (here’s the official announcement). I mention this to illustrate that not every new feature developed by Teams will appear in the feedback portal. Live components are a good example of an interesting new technology coming from within Microsoft that has the potential to change the way people collaborate.

Overall, the new portal seems to work well. Give it a try. There’s no point in complaining about deficiencies in Teams or other Microsoft technologies if you can’t be bothered to provide feedback.


How to Stop Teams From Starting Automatically
https://office365itpros.com/2021/10/20/stop-teams-from-starting-automatically/
Wed, 20 Oct 2021 01:00:00 +0000

A Surplus of Teams Clients after Installing Windows 11

Following the successful upgrade of my PC to Windows 11, I have too many Teams clients, and I wanted to stop Teams from starting automatically. The Teams desktop client is an important part of my daily workload, and I also have the Teams personal version, more because of curiosity than usefulness. These have now been joined by the Windows 11 chat client, the first client iteration built on the Teams 2.0 architecture. Interestingly, Microsoft’s October 4 post covering the Windows 11 chat client says that “Windows 11 also includes the full Teams app experience for personal accounts, which powers Chat.” Later, they say “Chat on Windows 11 is powered by the version of the Teams app that uses your personal Microsoft account.”

In other words, if you use the Teams enterprise client for work (or school) and have a Microsoft personal account, Windows 11 ends up with two Teams clients.

The post then goes on to explain how users can identify which client is which by examining the logos used for the two clients. This is at the very least mildly confusing. It seems more natural to select the first Teams client found (the best match in Figure 1), but that launches Teams personal because its name comes first alphabetically.

Figure 1: Windows 11 finds two Teams clients

In any case, multiple Teams clients running together is too much of a good thing for any workstation. I can’t possibly collaborate so extensively and there are altogether far too many processes running (Figure 2). Something must be done.

Figure 2: So many Teams processes running on a Windows 11 PC

Removing the Windows 11 Chat Client from the Taskbar

I don’t need the new chat client. Skype consumer remains available and that’s where my available credit is, so that’s what I will use (for now). If you want to stop the client appearing in the Windows 11 taskbar, this is easily done by moving the slider for Chat to Off in the Personalization section of Windows settings (Figure 3).

Figure 3: Removing the chat client from the Windows 11 taskbar

Stopping Teams Enterprise Auto-Launching

In 2019, Microsoft added Teams to the Office click-to-run desktop apps (now Microsoft 365 apps for enterprise). This caused lots of grief for people who wanted to use Office but had no desire to see Teams start up every time the PC rebooted. Among the suggestions made then was a registry hack to stop Teams launching. Things are more elegant now and you can update the settings for the Teams enterprise client to suppress its willingness to start up automatically (Figure 4).

Figure 4: Stopping the Teams enterprise client from auto-starting

Stopping Teams Personal Auto-Launching

Although you might have removed the Teams personal client from the Windows taskbar, you might also want to stop it starting up. Fewer settings are available in the Teams personal client, but you control auto-starting in the same way (Figure 5).

Figure 5: Stopping the Teams personal client from auto-starting

Happiness is a Single Client

My Teams client surplus is trimmed and I’m happily coping with a single Teams enterprise client. In time, I look forward to a new full enterprise-ready desktop client when Microsoft moves all the features now in the enterprise client over to the 2.0 architecture. Microsoft has promised that the new client will be able to deal with signing into accounts in multiple Microsoft 365 tenants. It would be nice if that client had the ability to deal with personal Teams usage too.


SMTP AUTH Exception Smoothens Path to Basic Auth Removal from Exchange Online
https://office365itpros.com/2021/09/27/smtp-auth-exception/
Mon, 27 Sep 2021 01:00:00 +0000

Administrators Need to Plan for Change in Clients and Apps

Last week’s announcement that Microsoft will disable basic authentication for Exchange Online connection protocols from October 2022 certainly got people’s attention. Hopefully the message is sinking in that it’s time to prepare for basic authentication to stop working for protocols like POP3, IMAP4, EWS, and ActiveSync. As we’ll discuss later, Microsoft is making an exception for SMTP AUTH, but that’s no excuse not to do the work to make sure a smooth transition occurs. Some tenant administrators and users might be going to receive a terrific surprise when the hammer descends.

Update (September 1): Microsoft is granting tenants the ability to get a three-month extension before retiring basic authentication. See this article for more detail. January 1, 2023 is the new drop-dead date.

Client Upgrades

One good thing to do now is plan for the replacement of old, insecure email clients. Many of the older clients still connecting with POP3 and IMAP4 tend to pass cleartext credentials. Microsoft has upgraded its implementation of POP3 and IMAP4 to support modern authentication, but even so, it’s time to consider the discontinuation of these antiquated protocols. Noble as their service has been to email, the best days for these protocols are long past.

When looking at the replacement options for older clients, including the versions of Outlook due to stop connecting to Exchange Online on November 1, 2021, consider asking people to try OWA. It’s a good client that works well as a progressive web app.

Many people like using the email client included in mobile devices. These clients connect using Exchange ActiveSync (EAS). Some clients support modern authentication with EAS, and some don’t (and will be affected when basic authentication disappears). Outlook Mobile is the obvious replacement. It’s solid, supports more features than EAS will ever do, and is included in Exchange Online licenses.

Applications

The deprecation of basic authentication will impact applications and devices too. Applications should move to the Microsoft authentication platform (MSAL) to achieve “modern” (OAuth-based) authentication. If you’re a PowerShell user, you should connect using the Exchange Online management module instead of traditional Remote PowerShell.

The SMTP AUTH Exception

And then we come to SMTP AUTH. This protocol poses a conundrum for Microsoft. They would very much like to disable it along with the other protocols but if they do, multi-function devices configured to send email using Exchange Online will stop being able to send messages. The same will happen for PowerShell scripts which use the Send-MailMessage cmdlet. This is the reason why Microsoft says: “effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage (with the exception of SMTP Auth, which can still be re-enabled after that).”

After checking with Microsoft, here’s what will happen:

  • If a tenant has never used SMTP AUTH, Microsoft is already actively blocking the protocol (see my earlier article) by setting the SmtpClientAuthenticationDisabled organization-wide control. Tenant administrators can disable SMTP AUTH for the organization today by running the command:
Set-TransportConfig -SmtpClientAuthenticationDisabled $True
  • If a tenant is using SMTP AUTH, Microsoft will not disable the protocol. The presumption is that the organization knows how they use SMTP AUTH and has good business reasons to continue using SMTP AUTH.
  • If a tenant discovers that they need to use SMTP AUTH after Microsoft disables the protocol, they can run the Set-TransportConfig cmdlet to update SmtpClientAuthenticationDisabled to $False. However, the big downside in taking this step is that it enables SMTP AUTH across the entire tenant. A per-mailbox setting is available to allow access to SMTP AUTH that overrides the organization configuration. It’s obviously better to limit access to potentially insecure protocols, so it’s recommended that you enable the protocol on a per-mailbox basis to restrict access just to the mailboxes which need to use SMTP AUTH. For example, this command allows the James Smith mailbox to use SMTP AUTH:

Set-CASMailbox -Identity "James.Smith@office365itpros.com" -SmtpClientAuthenticationDisabled $False
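
As an added illustration (not code from the original article), this PowerShell function works out the effective SMTP AUTH state for each mailbox from the organization-wide control and the per-mailbox override described above. The function name Get-EffectiveSmtpAuth, the contoso.example addresses, and the sample mailbox data are assumptions constructed for the example; a null per-mailbox value means the mailbox inherits the organization setting.

```powershell
# Added example: resolve the effective SMTP AUTH state per mailbox.
# Per-mailbox SmtpClientAuthenticationDisabled values:
#   $true  = SMTP AUTH blocked for this mailbox
#   $false = SMTP AUTH allowed for this mailbox (overrides the organization)
#   $null  = inherit the organization-wide value from the transport configuration

function Get-EffectiveSmtpAuth {
    # Hypothetical helper name; not part of any Microsoft module.
    [CmdletBinding()]
    param(
        # Organization-wide SmtpClientAuthenticationDisabled value.
        [Parameter(Mandatory)] [bool] $OrgDisabled,
        # Objects exposing PrimarySmtpAddress and SmtpClientAuthenticationDisabled.
        [Parameter(Mandatory)] [object[]] $Mailbox
    )

    foreach ($m in $Mailbox) {
        $override = $m.SmtpClientAuthenticationDisabled

        if ($null -eq $override) {
            # No per-mailbox value: the organization setting decides.
            $source  = 'Organization'
            $enabled = -not $OrgDisabled
        }
        else {
            # A per-mailbox value always wins over the organization setting.
            $source  = 'Mailbox override'
            $enabled = -not [bool]$override
        }

        if ($enabled -and $source -eq 'Organization') {
            $finding = 'Enabled only because the tenant allows it; block or convert to an explicit exception'
        }
        elseif ($enabled) {
            $finding = 'Explicit exception; confirm a device or script still needs it'
        }
        else {
            $finding = 'Blocked'
        }

        [pscustomobject]@{
            Mailbox         = $m.PrimarySmtpAddress
            Source          = $source
            SmtpAuthEnabled = $enabled
            Finding         = $finding
        }
    }
}

# Constructed sample data standing in for Get-CASMailbox output.
$sampleMailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@contoso.example';  SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'reports@contoso.example';  SmtpClientAuthenticationDisabled = $null  }
    [pscustomobject]@{ PrimarySmtpAddress = 'finance@contoso.example';  SmtpClientAuthenticationDisabled = $true  }
)

# Case 1: organization blocks SMTP AUTH; only the explicit exception stays enabled.
'Organization setting: SmtpClientAuthenticationDisabled = $True'
Get-EffectiveSmtpAuth -OrgDisabled $true -Mailbox $sampleMailboxes |
    Format-Table -AutoSize -Wrap

# Case 2: organization allows SMTP AUTH; every mailbox without an override is exposed.
'Organization setting: SmtpClientAuthenticationDisabled = $False'
Get-EffectiveSmtpAuth -OrgDisabled $false -Mailbox $sampleMailboxes |
    Format-Table -AutoSize -Wrap

# Against a live tenant (requires an Exchange Online PowerShell session):
# $org = (Get-TransportConfig).SmtpClientAuthenticationDisabled
# $mbx = Get-CASMailbox -ResultSize Unlimited
# Get-EffectiveSmtpAuth -OrgDisabled $org -Mailbox $mbx | Where-Object SmtpAuthEnabled
```

The second case shows why re-enabling the protocol for the whole organization is the broader choice: the mailbox with no override becomes reachable over SMTP AUTH, while the first case limits exposure to the one mailbox that was explicitly allowed.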

The End for SMTP AUTH is Nigh, but Not Now

Eventually, I think Microsoft will disable SMTP AUTH permanently for Exchange Online. Granting an exception at this point is sensible because it smoothens the path to the October 1, 2022, target date for disconnecting the other protocols. Let’s face it, statistics and telemetry show that most Microsoft 365 account compromises arise through successful attacks using basic authentication protocols like POP3 and IMAP4. The priority must be to remove these routes routinely exploited by password spray and other attacks. Delaying the deprecation of SMTP AUTH for now buys Microsoft and customers some extra time, but the writing is firmly on the wall that the era of basic authentication for all Exchange Online connectivity protocols is coming to an end.

While working with end users to change their email clients, it would be a great idea to introduce them to the wonders of multi-factor authentication. If you’re going to have disruption in the user community because basic authentication disappears for email, you might as well disrupt users a little more to copper fasten their account security.


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Microsoft to Enable Teams Recordings and Transcription for VOIP and PSTN Calls
https://office365itpros.com/2021/09/10/teams-recordings-transcription-voip-pstn-calls/
Fri, 10 Sep 2021 01:20:00 +0000

Plugging a Gap in Teams Recording

In April 2021, Microsoft introduced a new setting in the Teams calling policy to control the ability of users to make 1:1 calls. The AllowCloudRecordingForCalls setting is now being leveraged to help plug a gap in the Teams call recording story. Message center notification MC279469 (updated August 24, Microsoft 365 roadmap item 83947) describes the capability to record and transcribe 1:1 Voice over IP (VOIP) and telephone (PSTN) calls. Until now, Teams users could record 1:1 calls with other Teams users. This announcement extends coverage to 1:1 VOIP and PSTN calls made using the Teams Phone system (which implies that users have a calling plan).

The need for PSTN calling varies from organization to organization. As Ståle Hansen argues in his article “Is PSTN connectivity for Teams relevant in 2021,” the fact that some 80 million people now use the Teams Phone system monthly indicates a strong demand for this capability, especially in businesses which depend on the phone for customer contact.

According to Microsoft, being able to record and transcribe these calls is a critical feature, saying “In absence of chat, PSTN callees do not have a way to view call recordings and transcriptions.” I think they mean that although you can’t note decisions and pass messages in chat in a PSTN call, you’ll at least be able to note important points in the spoken discussion and have those points captured in a transcript that’s available and can be shared afterwards.

Deployment begins to commercial and GCC tenants in late September and should be completed by mid-October. GCC High and DoD must wait another month.

Teams Calling Policy Requirements

To record calls and generate transcripts of calls to VOIP or PSTN numbers, the calling policy assigned to Teams user accounts must have the following settings enabled:

  • AllowCloudRecordingForCalls: Controls if the user can record PSTN and VOIP calls. By default, the setting is True.
  • AllowTranscriptionForCalling: Controls if the user can generate a transcript of a call. By default, the setting is False.

For example, to update the default Teams calling policy to allow users to record calls and generate transcripts, the command is:

Set-CsTeamsCallingPolicy -Identity Global -AllowCloudRecordingForCalls $True -AllowTranscriptionForCalling $True

A meeting recording is stored in the OneDrive for Business account of the user who records the call. It is available in the call history and call details panel. Teams creates the transcript in the same way as it does for other meeting recordings and the transcript is also available in the call history and call details panel. The recording owner can remove the recording if necessary (or recordings, if they record multiple segments of a call).


Microsoft Applies the Viva Brand to MyAnalytics
https://office365itpros.com/2021/09/07/myanalytics-now-viva-insights/
Tue, 07 Sep 2021 00:02:00 +0000

Expanding the Scope of Microsoft Viva

Message Center notification MC282545 (published September 2) announces the expansion of the Microsoft Viva brand to replace the Insights moniker used for MyAnalytics, Outlook Insights, and the Cortana daily briefing email. It’s all part of the strategy to bring the technology used to analyze signals gathered from user activity within Microsoft 365 under the Microsoft Viva brand.

Viva Insights is the new name in town for insights derived from user email and calendar activity. This trend has already surfaced in the Viva Insights app for Teams, which surfaces the same user-based analysis of behavior as available in MyAnalytics, wrapped up with some meditation and mindfulness videos and audios from Headspace and some additional functionality for a virtual commute to close the working day.

What’s Happening in the Viva Insights Rebrand

In practical terms, the announcement means:

  • The daily briefing message from Cortana now comes from Viva. Microsoft says that the content will be expanded with recommendations to help users prepare for the day and week ahead.
  • The MyAnalytics digest will now come from Microsoft Viva and be delivered monthly rather than weekly. The first edition of the digest (Figure 1) turned up in my (targeted release) tenant on September 5. Microsoft says that the new digest will “aggregate insights across these four outcomes: focus, wellbeing, network, and collaboration.” Like the weekly digests from MyAnalytics, the monthly digests are injected directly into user mailboxes and don’t pass through the Exchange Online transport system, which means that they’re not subject to inbox or transport rules.

Figure 1: The monthly email digest from Viva Insights
  • A new Viva Insights home page will be available to Microsoft 365 users.
  • The Outlook Insights add-in will be rebranded as Viva Insights.
  • The MyAnalytics settings available in the Microsoft 365 admin center (Figure 2) to control the defaults for new accounts will soon have the Microsoft Viva branding. The same will happen for the MyAnalytics user dashboard where individual users can see insights derived from their activity and control if they can access the dashboard, receive the monthly digest, and use the Outlook insights add-on.

Figure 2: Viva Insights tenant settings in the Microsoft 365 admin center

Microsoft says that the changeover and rebranding should be complete in all tenants by the end of November.

Controlling User Insights Settings

The Viva rebranding will respect existing user and admin settings. To control the settings for individual users (mailboxes), you can:

Turn Viva Analytics on or off for individual mailboxes by running the PowerShell code in this article. Users can re-enable Analytics afterwards if they wish. As explained in the article, administrators can use the Set-MyAnalyticsFeatureConfig cmdlet to remove access to individual features. For instance, many users don’t like the twice-monthly digest message containing an analysis of personal work patterns. You can block the digest email while allowing users access to the Analytics dashboard and Outlook add-in by running a command like:

Set-MyAnalyticsFeatureConfig -Identity Vasil.Michev@office365itpros.com -PrivacyMode "opt-in" -Feature digest-mail -IsEnabled $False

Remove the Insights by MyAnalytics service plan from individual user licenses using the PowerShell script described in this article. It’s likely that Microsoft will rename the service plan in the future to reflect the Viva brand. Users cannot reenable Analytics after the service plan is removed from a license.

We don’t know yet if Microsoft plans to rename the Set-MyAnalyticsFeatureConfig and Get-MyAnalyticsFeatureConfig cmdlets (in the Exchange Online management PowerShell module) used to control individual mailbox settings. It wouldn’t surprise me if this happened or if Microsoft combined the controls with those exposed by the Set-VivaInsightsSettings cmdlet, currently only used to configure access to the Headspace feature.

Item Insights

Although the information extracted from user email and calendar activity now comes under the aegis of Microsoft Viva, the same is not true (yet) for the document (item) insights used in apps like Delve and the Office 365 profile card. If you want to disable item insights for user accounts, you need to update the tenant configuration using the Microsoft Graph by following the advice contained in this article.

Sensible Rebranding?

Branding exercises can be confusing (think of the absolute clarity Microsoft achieved when it renamed Office 365 Pro Plus to Microsoft 365 apps for enterprise). In this instance, it probably makes sense to bring everything relating to email and calendar insights together under the Viva brand. Come November, it probably won’t make a difference as those who use insights won’t care too much that they then have the Viva moniker.


September 2021 Update Available for Office 365 for IT Pros
https://office365itpros.com/2021/09/01/office365-itpros-september2021/
Wed, 01 Sep 2021 01:00:00 +0000

Only Constantly Updated eBook Keeps Improving

The Office 365 for IT Pros eBook team is delighted to announce the availability of the September 2021 update. Subscribers for the EPUB/PDF version can download the updated files from Gumroad.com. We have updated the Kindle file on Amazon, but if you bought the book there, you’ll have to ask Amazon support to make the file available. See our FAQ for more details about how to access updates.

August Changes

Like any month, August 2021 featured some interesting things to cover (and some that aren’t quite as interesting). Here’s a selection:

  • Microsoft plans to raise its prices for Office 365 and Microsoft 365 in March 2022.
  • A new legacy SMTP endpoint is being introduced for those who can’t upgrade to TLS 1.2.
  • Exchange Online will enable plus addressing for all tenants in January.
  • IE11 is no longer supported by Office 365.
  • A new method is available to incorporate third-party attack simulator tools with Microsoft 365 Defender for Office 365.
  • Live (fluid) components are coming to Office 365 apps, so we cover how to enable them.
  • The Teams advanced communications add-on will become active in January 2022, so we cover what’s licensed by the add-on.
  • Teams live captions and transcripts now support more languages than just U.S. English (but no sign of Irish English being supported…).
  • Stream will start to remove the automatic transcripts for some older videos in September.
  • Information barriers support is now available for SharePoint Online.
  • Microsoft has released several limitations which existed for auto-label policies for sensitivity labels.

In addition, we updated a bunch of PowerShell code (snippets or complete scripts) to illustrate points and updated the last available SLA data for Office 365 (Q2 CY21). We also detected and suppressed some annoying typos that had crept into text and some misformatting of figure references in Chapter 22. The complete change log is available online.

Thanks to our subscribers for their ongoing support for the Office 365 for IT Pros project. We couldn’t continue to track and document changes across all apps without this support.

Please download the new files at your earliest convenience. We wouldn’t like you to manage tenants based on obsolete information!

Now we start to process the September changes. The cloud never stays static!

Real-Time Safe Link Protection for Teams Messages
https://office365itpros.com/2021/07/30/teams-messages-real-time-safe-links-protection-with-defender-office-365/
Fri, 30 Jul 2021 01:00:00 +0000

Now Generally Available for Microsoft Defender for Office 365 Customers

The July 27 announcement of the General Availability of Safe Links for Teams is a welcome development. What it means is that if your tenant has Microsoft Defender for Office 365, you can update your Safe Links policy to include real-time checking of links posted to Teams chats and channel conversations.

Licensing Requirements

Licensing Microsoft Defender for Office 365 can be a little confusing. Two plans are available, both of which build on Exchange Online Protection (EOP):

  • Office 365 E3 and below have Exchange Online Protection. These tenants can license Defender for Office 365 plans as standalone options.
  • Microsoft 365 Business Premium includes EOP and Defender for Office 365 Plan 1.
  • Office 365 E5/A5 and Microsoft 365 E5 includes EOP and Defender for Office 365 Plan 2.

Microsoft sometimes refers to the “security ladder from EOP to Microsoft Defender for Office 365” as a way of describing how the features in the Defender plans build on what you get in Exchange Online Protection (Figure 1).

Figure 1: Microsoft’s security ladder from EOP to Defender for Office 365

In this case, you need at least Microsoft Defender for Office 365 Plan 1 to use Safe Links protection for Teams.

Configuring Defender for Teams

The Safe Links policy is managed through the Policies & rules section of the Microsoft 365 security center. To edit the policy, open Threat policies and select Safe Links. The important change is to set Select the action for unknown or potentially malicious URLs within Microsoft Teams to On (Figure 2).

Figure 2: Configuring the Safe Links policy for Teams

At the same time, you should review the other Safe Links policy settings to make sure that they’re what you want. Three important settings used to detect and protect against malicious links in email also apply to links in Teams messages:

  • Apply real-time URL scanning for suspicious links and links that point to files. In other words, before sending a user to a site, check that the link is not dangerous. If it is, display a warning.
  • Do not track user clicks. This setting is normally off and isn’t needed unless you want to track user clicks against links.
  • Do not allow users to click through to original URL. If a user clicks on a dangerous link, they see a warning page (Figure 3). You don’t want to allow people to click through the warning to open the dangerous page, so make sure that this setting is on.

You can also see in Figure 2 that I’ve opted to use organization branding on the warning page. The branding used here (and shown in Figure 3) is taken from the tenant’s browser theme.

Figure 3: Microsoft Defender for Office 365 warns about a dangerous link

Usually, Teams calls the default browser to open a web link and that’s when Defender steps in to display the warning page. If a malicious link is used in a channel tab (which means that someone has created a web site tab for that link), Teams opens the warning page in the tab and doesn’t call the browser. If Defender passes the link as safe, Teams opens the page as normal.

Nice Extension into Teams

It’s good that Microsoft has extended Safe Links protection into Teams. Although I suspect that most bad links will continue to arrive in user mailboxes (if not detected and placed in quarantine by Exchange Online Protection), it’s entirely possible that some users will share problematic links through Teams chats or channel conversations. If they do, and your tenant has Defender for Office 365 with a properly configured Safe Links policy, those links will be blocked. What’s not to like about that?


Learn about protecting Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Is Microsoft’s Claimed 250 Million Teams Monthly Active Users Believable?
https://office365itpros.com/2021/07/28/microsoft-claims-250-million-teams-active-users/
Wed, 28 Jul 2021 10:26:13 +0000

Solid Q4 Results

Microsoft FY21 Q4 Commercial Highlights

Microsoft released its Q4 FY21 and overall FY21 results on Tuesday, July 27 and, as always, there were some interesting (and debatable) points raised in the data provided by Microsoft and the transcript of their call with analysts. Here’s my take on the highlights relating to Office 365, Microsoft 365, and Teams:

  • Commercial Cloud revenue, which includes Office 365, achieved $19.5 billion in revenue for the quarter ($78 billion annualized run rate) and $69 billion for FY21.
  • Office 365 commercial (the enterprise services) revenue grew 25% (20% in constant currency due to the weak dollar). Microsoft attributed this success to “installed base expansion” and “higher average revenue per user (ARPU).”
  • Office 365 paid seats grew 17% year over year. Microsoft started to talk about paid seats in the Q3 FY21 results when they reported 296.7 million paid seats. They don’t give numbers for active users anymore. I reckoned that the number of active users was around 264 million three months ago. Given the normal rate of increase observed over the last six years, the number of active Office 365 users is likely around 280 million now with perhaps 315 million paid seats.
  • Microsoft 365 E5 is now 8% of the Office 365 commercial base, or around 25 million. Microsoft has had steady success in upselling customers from Office 365 plans to Microsoft 365 plans. The demand for Microsoft 365 E5 probably reflects the need enterprises have for these licenses to access high-end compliance and data governance functionality along with the Enterprise Mobility and Security suite.
  • Reflecting the steady reduction in on-premises servers, Microsoft said that they expect a 20% revenue reduction in this area for next year.
  • The big surprise came when Microsoft reported “We have nearly 250 million monthly active users” for Teams. More on that number below. What was interesting is the 80 million Teams users who have Teams Phone licenses and make 1 billion calls per month. Although the imminent retirement (July 31) of Skype for Business Online has quickened the transition to Teams, these are impressive numbers.

Overall, strong growth and progress across Office 365, Microsoft 365, and Teams.

That Teams Number

In April 2021, Microsoft reported that Teams had 145 million daily active users. Three months later, the headline number Microsoft is using for Teams is “nearly” 250 million, nearly 80 million of whom use the Teams Phone system. The jump in numbers over time illustrated in Figure 1 is quite remarkable, especially as factors like work from home and transition from Skype for Business Online were largely baked into previous data.

Figure 1: Is this sudden growth in Teams user numbers credible?

I have some difficulty reconciling the two numbers. Here’s why:

  • The April 2021 number reported daily active users. These are people who use the product day-in, day-out. The July number is for monthly active users. You don’t have to do much to qualify as a monthly active user. Opening the Teams client and accessing a channel is enough. Moving to report monthly active users is simply a way to swell the numbers.
  • Microsoft doesn’t break down the Teams numbers across Teams enterprise, Teams for education, and Teams for personal life. Even though a Teams personal client will appear in Windows 11, I doubt it contributes much to the overall number. However, in February 2021, Eran Megiddo, Microsoft CVP for Windows Product and Education, claimed that 100 million students used Teams. Putting together the 145 million reported (presumably for enterprise users) in April and 100 million student users, we get close to the 250 million now claimed.
  • Teams is a huge consumer of SharePoint Online. In December 2020, Jeff Teper said that SharePoint Online has 200 million monthly active users. If Teams has 250 million users now, SharePoint Online must be north of 300 million, and I would expect Microsoft to make a big thing of that achievement.
  • If Teams has 250 million commercial users, it’s getting close to the point where every Office 365 user is a Teams user. I don’t consider this credible.
  • The number of large organizations using Teams is a good measure of growth. Table 1 compares the figures given in January and July. 

| | January 2021 | July 2021 |
|---|---|---|
| Organizations with > 100,000 Teams users | 117 | 124 |
| Organizations with more than 10,000 Teams users | 2,700 | 3,000 |

Table 1: Teams use in large organizations

Doing a simple sum, we compute the numbers of users in these organizations in January to be (117*100K) + (2700*10K) = 38,700,000 and in July (124*100K) + (3000*10K) = 42,440,000. Although growing the large organization bucket by 3.7 million is a fine achievement in two quarters, it doesn’t align with a claim to have increased the overall Teams number by 105 million in a single quarter.

There’s no doubt that Microsoft has a very successful product in Teams. There’s no doubt that the number of Teams users is growing strongly. But when Microsoft obfuscates the information it reports (no doubt for competitive reasons), it doesn’t help anyone when they go too far and don’t explain the basis for the numbers given three months ago and now.


Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

Clippy Returns in Nostalgia Set of Teams Background Images
https://office365itpros.com/2021/07/19/nostalgia-set-teams-background-images/
Mon, 19 Jul 2021 01:00:00 +0000

Steady Development of Background Image Capabilities

It’s interesting to track the development of support for background images in Teams meetings from the original introduction of support for background blur in 2018 to the ability of users to upload custom images, for organizations to control what video effects people can use in meetings, and support for custom backgrounds in mobile clients. Overall, Microsoft has done a nice job of making custom background effects work for Teams users, spurred on by user demand during the pandemic and a healthy dose of competition from Zoom.

The question of how to obtain suitable background images for Teams meetings is often hotly debated. You can:

  • Create and upload your own, if allowed by the organization. Most digital cameras and smartphones can capture suitable images without resorting to digital manipulation with Photoshop or similar editors. Overall, landscapes and scenery work best, but this is a matter of personal taste.
  • Choose from the sets of images released by different companies, including IKEA and Microsoft.
  • Download and use other images, such as the daily image displayed on the Bing home page.
  • Select from a set of organization-approved background images (if you have the appropriate license).

See this post for more information about how to create and upload background images from different sources.

Customizing Together Mode

Up to now, it hasn’t been possible to create custom images for Together Mode when used in Teams meetings, largely because of the need to insert images extracted from the video feeds of participants and combine those images with a background. This is changing, as Microsoft has released a developer preview for how to use a scene creator to generate a suitable custom image for Together Mode. The scene creator allows a designer to upload an image (like the bridge of the Starship Enterprise) and decide where to place user feeds in the image, including seats reserved for the meeting organizer and current presenter. When everything is ready, the creator generates a package (a Teams app) which users can sideload into Teams to use the custom background. This process will become smoother over time, and you can expect organizations to make corporate-approved Together Mode backgrounds available for meetings soon.

Microsoft’s Gallery of Teams Background Images

Microsoft has a Teams background gallery featuring images selected by both Microsoft and users. If you have a nice image, Microsoft allows you to upload it for consideration, and if they accept the image, it becomes available for others to download. And of course, you’ll love the two images I uploaded to test the feature (Figure 1), both of which come from scenes in the West of Ireland.

Figure 1: Teams custom background images contributed by users

Slightly confusingly, Microsoft has a different page containing sets of themed background images, all of which are available for individual download from the gallery. I guess it’s a matter of packaging. In any case, the Nostalgia set (Figure 2) is the one I want to focus on here.

Figure 2: Sets of Teams background images available in the Microsoft gallery

Selecting a set downloads a ZIP file containing the images. The Nostalgia set has four, featuring:

The last two are stylized representations of the apps in use rather than the user interface of the apps.

Obviously, Clippy is the #1 choice for an inspiring Teams background image (Figure 3), even if I am not quite sure what Clippy is doing in the picture. Clippy’s position on top of a mass of paper reminds me of the famous series of “puppy dog” advertisements for Andrex toilet tissue.

Figure 3: Clippy gets ready to be a background for a Teams meeting

On that thought, maybe I’ll use the Bliss image (or another of my own) in my next Teams meeting.


So much change, all the time. It’s a challenge to stay abreast of all the updates (even the slightly silly stuff) Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what’s happening.

SharePoint Online PowerShell Exposes New Properties to Identify Teams-Connected Sites
https://office365itpros.com/2021/07/15/sharepoint-online-powershell-gets-new-teams-site-properties/
Thu, 15 Jul 2021 01:00:00 +0000

On July 12, Microsoft released version 16.0.21411.1200 of the SharePoint Online PowerShell module, installable from the PowerShell Gallery. The updated module is especially notable because the Get-SPOSite cmdlet boasts three new properties to inform administrators if sites are connected to Teams. The properties are:

  • IsTeamsConnected: Set to True if the site is connected to a team.
  • IsTeamsChannelConnected: Set to True if the site is connected to a Teams private or shared channel. These sites have IsTeamsConnected set to False.
  • TeamsChannelType: Set to None for teams-connected sites and to Private for sites belonging to private channels or Shared for sites belonging to shared channels (due later this year).

New View of Teams Sites

The updated module aligns with the effort to make SharePoint Online more manageable for teams-connected sites through a UI refresh and by showing details of channel-connected sites in the SharePoint Online admin center with a new Sites connected to Teams view (Figure 1). This view is in preview at present and should become generally available later this year.

Figure 1: Showing details of teams-connected sites in the SharePoint Online admin center

The new view lists all teams-connected sites and indicates how many of the channels in a team have a channel-connected site. Clicking the link for the channel sites exposes further information (Figure 2).

Figure 2: Viewing details of a channel-connected site

The net effect of the change is that SharePoint administrators will see information about teams-connected and channel-connected sites in the SharePoint Online admin center which isn’t available today. Access to information about channel-connected sites is read-only. This is because these sites inherit settings from the parent team site. It also ensures that management of the channel-connected sites remains with the channel owners.

Using the New Teams Site Properties in PowerShell

Coming back to PowerShell, the new properties make it easier to find and report details of Teams-connected sites. You can still do this using the Get-UnifiedGroup cmdlet, which offers the advantage of exposing group information more easily. Now you have the option to check if team-connected sites have private or shared channels.

Here’s some quick and dirty PowerShell to report channel-connected sites. The code:

  • Creates an array of sites connected to Teams.
  • Creates another array of channel-connected sites.
  • Loops through the sites array to see if any matching channel-connected sites are present and reports these sites. Remember, a team can have up to 30 private channels.

# Find Teams-connected sites
[array]$Sites = Get-SPOSite -Limit All | Where-Object {$_.IsTeamsConnected -eq $True}
# Find channel-connected sites
[array]$ChannelSites = Get-SPOSite -Limit All | Where-Object {$_.IsTeamsChannelConnected -eq $True}

$SiteCount = 0
$ChannelData = [System.Collections.Generic.List[Object]]::new()
ForEach ($Site in $Sites) {
   # Channel-connected site URLs start with the parent site URL followed by a hyphen.
   # Using -like instead of -Match stops the URL being read as a regular expression and
   # prevents /sites/Sales from matching the channel sites of /sites/Sales2.
   [array]$MatchedSites = $ChannelSites | Where-Object {$_.Url -like "$($Site.Url)-*"}
   If ($MatchedSites) {
      $SiteCount++
      ForEach ($MSite in $MatchedSites) {
       # One report line per channel-connected site found for this team
       $ReportLine = [PSCustomObject][Ordered]@{
         Parent      = $Site.URL
         Title       = $Site.Title
         URL         = $MSite.URL
         ChannelType = $MSite.TeamsChannelType }
       $ChannelData.Add($ReportLine)
      } # End ForEach
   } # End if
} # End Foreach
Write-Host ("Total of {0} channel-connected sites found for {1} sites" -f $ChannelData.Count, $SiteCount)

Here’s an example of a record for a channel-connected site:

Parent      : https://office365itpros.sharepoint.com/sites/CorporateAcquisitionPlanning2020
Title       : Corporate Acquisition Planning 2020
URL         : https://office365itpros.sharepoint.com/sites/CorporateAcquisitionPlanning2020-LegalDiscussions
ChannelType : PrivateChannel

Figuring Out Inconsistencies

Interestingly, I found instances where the Microsoft 365 group which originally owned a team-connected site was no longer available in the tenant, but team-connected and channel-connected sites still existed. This is likely due to retention policies where sites come within the scope of a retention policy and the group did not. I used the following code to find these channel-connected sites:

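# See if we can find parent groups
ForEach ($CSite in $ChannelSites) {
   # A parent exists when a team-connected site URL plus "-" prefixes the channel site URL.
   # Comparing prefixes also works when the parent site URL itself contains a hyphen.
   $Match = $Sites | Where-Object {$CSite.Url -like "$($_.Url)-*"}
   If (!($Match)) {Write-Host "Can't find parent team-connected site for channel-connected site" $CSite.URL }
}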

I also found some inconsistencies between the number of channel-connected sites reported using the new properties and the older method of using the site template to identify these sites:

$TTSites = Get-SPOSite -Limit All -Template "TEAMCHANNEL#0"

Some testing revealed that this is due to some provisioning delays in updating site properties. Essentially, if you update the membership of a channel, you force synchronization to update site properties.

Exposing Channel-Connected Sites

There’s no doubt that these updates add value. When Microsoft introduced private channels in November 2019, many complained that the sites used for sharing documents in private channels were invisible (they weren’t, but you had to use PowerShell to see them). Exposing details of private channels (and soon, shared channels) in the SharePoint Online admin center is a good thing: adding the properties to allow better filtering and reporting of channel-connected sites in PowerShell is even better.


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Delayed Features, Retirements, and New Insights Control for Office 365 in July 2021
https://office365itpros.com/2021/07/06/office365-delays-retirements-features/
Tue, 06 Jul 2021 02:26:00 +0000

Usual Mix of Missed Dates

As is the norm for Microsoft engineering groups when the end of the company’s fiscal year approaches on June 30, a mad dash happens to complete and ship functionality. This has nothing whatsoever to do with performance reviews and associated bonuses. Instead, it’s all done in the spirit of wanting to make customers happy. Some features don’t make it in the rush to deliver commitments, which is why on July 1 you invariably see Microsoft issue a bunch of updates to previous new feature notifications published in the Microsoft 365 message center. 2021 is no different and the table below lists some of the more interesting delays.

| Message Center Number | Notification Title | Delay |
|---|---|---|
| MC250796 | Create tasks from Teams chats or channel posts | GCC rollout delayed (no date given) |
| MC256837 | Sharing links for Microsoft Lists | Delayed from late June to end of July |
| MC260564 | Live transcription (Teams) | Early July. Automatic transcription for recorded meetings delayed to August. |
| MC265759 | Defender for Office 365: Secure by default for Exchange transport rules | Rollout delayed from start to end of August. |
| MC249623 | OneDrive Sync client update for Mac | Rollout delayed from mid-June to mid-July. |
| MC264090 | Outlook Extension for Edge (recommendation) | Rollout late July for targeted release; early August for standard. |
| MC258623 | Roaming bandwidth control for Teams | Rollout delayed to the end of July. |
| MC261352 | Updated Stream web video player | Targeted release delayed from mid-June to early July. |
| MC256473 | Defender for Office 365: Advanced delivery for Phishing Simulations | Rollout begins at the start of July. |
| MC256277 | Advanced eDiscovery auto-scaling of legal holds for large scales | Rollout delayed from mid-June to mid-July. |
| MC257689 | Customize property of Yammer Communities app in Teams | Delayed to “completion in July.” |
| MC258425 | Rich Yammer preview links in Teams chats | Rolling out delayed from June to early August. |
| MC251564 | Organizers can lock Teams meetings | Deployment delayed from mid-June to mid-July. |
| MC248428 | New OWA calendar board view | Standard release deployment delayed from late June to mid-July. |
| MC252056 | Office App for Desktop improvements | Deployment delayed from late-June to late-July. |

Table 1: Some notable delays in Office 365 new features

Retirements in July

Two retirements for Office 365 components loom on the horizon for July:

  • Skype for Business Online retires on July 31, 2021 (MC266078). If an organization needs to extend support in their tenant, they can ask Microsoft for an extension. No guarantee exists that Microsoft will agree, so it’s best for organizations to move on and transition to Teams.
  • Site mailboxes, the unloved and unwanted child of SharePoint and Exchange, get the chop on July 15, 2021 (MC266256). If you haven’t moved data from these mailboxes to somewhere better (with a long-term future), you’ll lose the content.

New Graph Insights Control

In May, Microsoft replaced the privacy settings previously in the Delve app with Graph-based controls. The controls introduced at the time were:

  • The isEnabledInOrganization setting to control if a tenant allows Item Insights (for example, information about the documents a user has recently worked on).
  • The disabledForGroup setting to specify the GUID of an Azure AD group whose members are excluded from Item Insights. This setting only applies when a tenant allows Insights.

On July 1, Microsoft published MC266073 to remind everyone that the new Item Insights controls are now active. They also introduced a new personal-level setting in the Settings & Privacy section of the MyAccount page (Figure 1) to allow users to exclude themselves from Item Insights. The setting is only available when an organization enables Item Insights, and the user account isn’t a member of the group specified in the disabledForGroup control. Users who don’t want to share information about what they’ve been working on should set the slider to Off.

Figure 1: New Personal Item Insights Control in the Privacy section of the MyAccount page

Setting the privacy control at a personal level does not add the user account to the membership of the Azure AD group specified in disabledForGroup.

Another Year, More Changes

We’re only a few days into Microsoft’s FY22 year. Already it looks as if lots will change. We’ll be busy tracking that change and updating the Office 365 for IT Pros eBook (2022 edition). Make sure you stay abreast of important developments in your Office 365 tenant by subscribing to Office 365 for IT Pros.

Publication of Office 365 for IT Pros (2022 Edition)
https://office365itpros.com/2021/07/01/office-365-it-pros-eighth-edition/
Thu, 01 Jul 2021 01:00:00 +0000

Eighth Edition of the Only Constantly Updated eBook About Office 365 Available Now

Microsoft begins its new fiscal year on July 1, which is why we chose that date to launch our annual refresh of the Office 365 for IT Pros eBook. Now in its eighth edition, the new eBook is available on Gumroad.com. We have emailed subscribers to the prior edition a code to enable a low-cost extension of their subscription to cover the 2022 edition.

Changes in the 2022 Edition

What’s changed in this edition?

  • A new foreword by Jared Spataro, Corporate VP for Microsoft 365.
  • We’ve refreshed the writing team by bringing in Christina Wheeler and Gareth Gudger, both very experienced MVPs. Christina covers the Power Platform in Chapter 22 while Gareth deals with the complexities of mail flow in Chapter 9.
  • Added many new facts and insights covering recent changes.
  • We’ve done an end-to-end technical and content review of all chapters to:
    • Remove redundant text. Some of this (such as the discussion about configuring Azure AD Connect) is now in the companion volume.
    • Track down bad hyperlinks (we found a few). We’ve also replaced a few links with new links to better articles or other explanatory text.
    • Fix any technical spelling, grammatical, and other errors found during the review. Errors do creep in over time. We know we should catch these issues during our monthly update cycles, but sometimes they are overlooked, which is why we do this exhaustive end-to-end check annually.
    • Check screenshots to find ones which are now outdated and remove a few which we don’t think add much value.
    • Validate all code examples and improve the code in a few. Code examples are not fully-working solutions. They’re designed to show the principles of how things work. We rely on our readers to turn examples into full solutions. You can download many of the example scripts from our GitHub repository.
  • Restructure content into what we think is a more logical flow.
  • Move content around in the new structure to keep information together when appropriate (this also highlighted some redundancies which we’ve removed).

The volume of change across Office 365 has been immense since we started the Office 365 for IT Pros journey in mid-2014. We made over 200 major chapter updates to the 2021 edition and released 11 monthly updates since its release in July 2020. We do not anticipate doing less work for this edition. Overall, we feel that the new book lays a solid foundation for all the changes we know will happen and need coverage during the tenure of the 2022 edition.

Kindle Version Not There Yet

Some changes in the Amazon Kindle Direct Publishing (KDP) model prevented the release of a Kindle version. It could be that the 1,250 pages and 600,000 words of Office 365 for IT Pros challenges the KDP model. In any case, we will work with Amazon to see if a Kindle version is possible. For now, we recommend that anyone who wants to read the book on Kindle should buy the EPUB/PDF version and convert the EPUB file to MOBI format before transferring it to the Kindle. Apart from anything else, this route means that you’ll hear about the monthly updates as we release the files. We cannot communicate with people who buy from Amazon direct.

July 2 update: The book is now online in a Kindle version.

Thanks to Our Subscribers

We sincerely thank our subscribers for their support for Office 365 for IT Pros since its first edition. Without your support, and the financial support of the book’s sponsors, Quest Software, we could not afford to spend the time needed to research, understand, analyze, and write about new Office 365 features as Microsoft makes updates available. Now that we’ve released the 2022 edition, the writing team will take a couple of days off before we start to prepare the August 2021 update for the new book. Yes, at times it feels like we’re like hamsters on a turn wheel!

Existing subscribers who haven’t received an update code should check their junk email folder to see if the message landed there. If not, please contact O365ITPros2022Edition at office365itpros.com and we’ll sort you out.

New subscribers can buy a subscription here.

How to Find Accounts with Assigned Licenses for Individual Microsoft 365 Applications
https://office365itpros.com/2021/06/08/report-licenses-individual-o365-accounts/
Tue, 08 Jun 2021 01:57:00 +0000

The Science of Licensing Microsoft 365 User Accounts

The basics of Office 365 licensing are well known. Users access services through service plans bundled in composite plans like Office 365 E3 or E5 or individual offerings like Azure AD Premium P1. Users must have the relevant licenses to access a service like Exchange Online or Teams. Information about the licenses assigned to users is stored in their Azure AD accounts. This context helps us understand how to begin answering licensing questions that can’t be answered in the Microsoft 365 admin center (Figure 1).

Figure 1: Licensing information for a tenant as listed in the Microsoft 365 admin center

The admin center tells you what licenses you have, the licenses assigned and available, and the accounts with assigned licenses. You can export lists of users with a selected license to a CSV file for reporting purposes or to import into Power BI for analysis. But one thing you can’t do is to find out what users have licenses for applications assigned through a composite license.

Individual Application Service Plans

Take the example of Teams, Exchange Online, and SharePoint Online. These are core services bundled into the Office 365 E3 and E5 plans. You could assume that everyone with an E3 or E5 license can use these applications, but that’s not true because administrators can remove the service plans for applications from individual user accounts (a service plan is effectively a license for a specific application bundled into a plan; you can’t buy a service plan). Take the example shown in Figure 2. The user has an Office 365 E3 license but the service plans for Bookings, Forms, and Kaizala have been removed.

Figure 2: Viewing licenses for individual service plans removed from a user account

It’s relatively common to find that organizations remove individual service plans from users until they are ready to deploy an application. For instance, you might want to use Exchange, SharePoint, and OneDrive for Business immediately but want to block user access to Teams, Forms, Stream, and other applications bundled in Office 365 E3 or E5 until local support is ready and user training is available.

Accessing License Information with PowerShell

While the admin center doesn’t support reporting of service plans for individual applications, it’s possible to do this with some straightforward PowerShell. The key is to discover how to retrieve the licensing information from Azure AD accounts.

Licensing information is in the AssignedPlans property of an Azure AD account. If you examine the property, you’ll see a bunch of assignments and deletions as licenses are added and removed from the account.

(Get-AzureADUser -ObjectId Andy.Ruth@office365itpros.com).AssignedPlans

AssignedTimestamp   CapabilityStatus Service            ServicePlanId
-----------------   ---------------- -------            -------------
28/01/2021 22:11:05 Deleted          OfficeForms        2789c901-c14e-48ab-a76a-be334d9d793a
28/01/2021 22:11:05 Deleted          MicrosoftKaizala   aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1
28/01/2021 22:11:05 Enabled          CRM                95b76021-6a53-4741-ab8b-1d1f3d66a95a

The ServicePlanId is the important piece of information because it stores the unique identifier (a GUID) for the plan. Microsoft publishes an online list of application service plan identifiers for reference. The point to remember is that the same service plan identifier is always used. For instance, 2789c901-c14e-48ab-a76a-be334d9d793a is always Forms Plan E3 (the license for the Forms application included in Office 365 E3).

To confirm this, let’s use the Get-AzureADSubscribedSku cmdlet to retrieve the set of licenses known in a tenant.

$Licenses = (Get-AzureADSubscribedSku)
$Licenses | Select -Property SkuPartNumber, ConsumedUnits -ExpandProperty PrepaidUnits | Format-Table

SkuPartNumber                ConsumedUnits Enabled Suspended Warning
-------------                ------------- ------- --------- -------
STREAM                                   4   10000         0       0
EMSPREMIUM                               5       5         0       0
ENTERPRISEPACK                          22      25         0       0
FLOW_FREE                                3   10000         0       0
POWER_BI_STANDARD                        5 1000000         0       0
ENTERPRISEPREMIUM_NOPSTNCONF             5       5         0       0
TEAMS_EXPLORATORY                        0     100         0       0
SMB_APPS                                 2       3         0       0
RIGHTSMANAGEMENT_ADHOC                   3   50000         0       0

The online documentation tells us that the name of the Office 365 E3 SKU is ENTERPRISEPACK. It is license number three in our list, so we can look at this object to find out what’s included. As expected, the Service Plan Identifier for FORMS_PLAN_E3 is 2789c901-c14e-48ab-a76a-be334d9d793a.

$Licenses[2].ServicePlans | Format-Table ServicePlanName, ServicePlanId

ServicePlanName              ServicePlanId
---------------              -------------
POWER_VIRTUAL_AGENTS_O365_P2 041fe683-03e4-45b6-b1af-c0cdc516daee
CDS_O365_P2                  95b76021-6a53-4741-ab8b-1d1f3d66a95a
PROJECT_O365_P2              31b4e2fc-4cd6-4e7d-9c1b-41407303bd66
DYN365_CDS_O365_P2           4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14
MICROSOFTBOOKINGS            199a5c09-e0ca-4e37-8f7c-b05d533e1ea2
KAIZALA_O365_P3              aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1
MICROSOFT_SEARCH             94065c59-bc8e-4e8b-89e5-5138d471eaff
WHITEBOARD_PLAN2             94a54592-cd8b-425e-87c6-97868b000b91
MIP_S_CLP1                   5136a095-5cf0-4aff-bec3-e84448b38ea5
MYANALYTICS_P2               33c4f319-9bdd-48d6-9c4d-410b750a4a5a
BPOS_S_TODO_2                c87f142c-d1e9-4363-8630-aaea9c4d9ae5
FORMS_PLAN_E3                2789c901-c14e-48ab-a76a-be334d9d793a
STREAM_O365_E3               9e700747-8b1d-45e5-ab8d-ef187ceec156
Deskless                     8c7d2df8-86f0-4902-b2ed-a0458298f3b3
FLOW_O365_P2                 76846ad7-7776-4c40-a281-a386362dd1b9
POWERAPPS_O365_P2            c68f8d98-5534-41c8-bf36-22fa496fa792
TEAMS1                       57ff2da0-773e-42df-b2af-ffb7a2317929
PROJECTWORKMANAGEMENT        b737dad2-2f6c-4c65-90e3-ca563267e8b9
SWAY                         a23b959c-7ce8-4e57-9140-b90eb88a9e97
INTUNE_O365                  882e1d05-acd1-4ccb-8708-6ee03664b117
YAMMER_ENTERPRISE            7547a3fe-08ee-4ccb-b430-5077c5041653
RMS_S_ENTERPRISE             bea4c11e-220a-4e6d-8eb8-8ea15d019f90
OFFICESUBSCRIPTION           43de0ff5-c92c-492b-9116-175376d08c38
MCOSTANDARD                  0feaeb32-d00e-4d66-bd5a-43b5b83db82c
SHAREPOINTWAC                e95bec33-7c88-4a70-8e19-b10bd9d0c014
SHAREPOINTENTERPRISE         5dbe027f-2339-4123-9542-606e4d348a72
EXCHANGE_S_ENTERPRISE        efb87545-963c-4e0d-99df-69c6916d9eb0

Reporting Accounts Licensed for an Application

Now that we know how service plan identifiers work and how to find their values, we can use this knowledge to build a script to interrogate Azure AD user accounts to find license data for an application.

Not everyone likes inputting GUIDs, so we’ll make it easier by allowing an application name to be used for the query. The code creates a hash table of service plan identifiers and names (feel free to add more if you want) and then retrieves details of Azure AD user accounts. We ask the user to enter an application to check and validate the response against the hash table. Finally, we loop through the set of Azure AD accounts to check if the license is in their assigned set and report the details. Here’s the code (you can download it from GitHub):

# Map service plan identifiers (GUIDs) to application names; add more as needed
$Plans = @{}
$Plans.Add("199a5c09-e0ca-4e37-8f7c-b05d533e1ea2", "Bookings")
$Plans.Add("efb87545-963c-4e0d-99df-69c6916d9eb0", "Exchange Online")
$Plans.Add("5dbe027f-2339-4123-9542-606e4d348a72", "SharePoint Online")
$Plans.Add("7547a3fe-08ee-4ccb-b430-5077c5041653", "Yammer")
$Plans.Add("882e1d05-acd1-4ccb-8708-6ee03664b117", "Intune")
$Plans.Add("57ff2da0-773e-42df-b2af-ffb7a2317929", "Teams")
$Plans.Add("2789c901-c14e-48ab-a76a-be334d9d793a", "Forms")
$Plans.Add("9e700747-8b1d-45e5-ab8d-ef187ceec156", "Stream")
$Plans.Add("b737dad2-2f6c-4c65-90e3-ca563267e8b9", "Planner")
Write-Host "Finding Azure AD Account Information"
# Requires the AzureAD module and a session created with Connect-AzureAD
$Users = Get-AzureADUser -All $True -Filter "Usertype eq 'Member'"
CLS
$Product = Read-Host "Enter the Office 365 application for a license check"
if (!($Plans.ContainsValue($Product))) { # Not found
   Write-Host "Can't find" $Product "in our set of application SKUs"; break }
Foreach ($Key in $Plans.Keys) { # Lookup hash table to find product SKU
   If ($Plans[$Key] -eq $Product) { $PlanId = $Key }
}
# Build a report line for every account that has (or had) the service plan
$PlanUsers = [System.Collections.Generic.List[Object]]::new()
ForEach ($User in $Users) {
  If ($PlanId -in $User.AssignedPlans.ServicePlanId) {
    $Status = ($User.AssignedPlans | ? {$_.ServicePlanId -eq $PlanId} | Select -ExpandProperty CapabilityStatus )
    $ReportLine  = [PSCustomObject] @{
          User       = $User.DisplayName
          UPN        = $User.UserPrincipalName
          Department = $User.Department
          Country    = $User.Country
          SKU        = $PlanId
          Product    = $Product
          Status     = $Status }
    $PlanUsers.Add($ReportLine) }
}
# Report the number of accounts examined, not just those holding the plan
Write-Host "Total Accounts scanned:" $Users.Count
# @() forces an array so that .Count is reliable when zero or one account matches
$DisabledCount = @($PlanUsers | ? {$_.Status -eq "Deleted"})
$EnabledCount = @($PlanUsers | ? {$_.Status -eq "Enabled"})
Write-Host ("{0} is enabled for {1} accounts and disabled for {2} accounts" -f $Product, $EnabledCount.Count, $DisabledCount.Count)
$PlanUsers | Sort User | Out-GridView

The Graph Alternative

You can also use the Users Graph API to fetch license information for Azure AD accounts by running a call like:

https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Member'&$select=id, displayName, licenseassignmentstates, assignedplans

The code to check the AssignedPlans data for a product identifier is the same. Although the Graph is usually faster than PowerShell cmdlets, in this instance only one call is needed, and the speed difference is marginal.

As ever, if you plan to use the Graph to fetch data, testing call syntax and returns using the Graph Explorer tool is a good thing to do. Figure 3 shows the result of querying the Graph to return user license data.

Figure 3: The Graph Explorer runs a query to retrieve license information for a user account

Processing Licenses in Different Plans

Because the script looks for a specific service plan identifier, it finds every instance of a licensed application. In other words, if you search for an application like Exchange Online, which is included as EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0) in both Office 365 E3 and E5, the report will list accounts enabled for Exchange in both plans. If you want to differentiate between the two plans, you need to check the AssignedLicenses property of each account for the identifier of the plan. For instance, looking at Microsoft’s reference list, we find that:

  • 6fd2c87f-b296-42f0-b197-1e91e994b900 is the identifier for Office 365 E3.
  • c7df2760-2c81-4ef7-b578-5b5392b571df is for Office 365 E5.
  • 26d45bd9-adf1-46cd-a9e1-51e9a5524128 is for Office 365 E5 without audio conferencing.

The script available from GitHub includes code to output the names of license SKUs.
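
One way to split the report by product SKU, as an added example that is not the script from GitHub. The accounts are constructed objects shaped like Get-AzureADUser output (AssignedLicenses with SkuId and DisabledPlans, AssignedPlans with ServicePlanId and CapabilityStatus), and the names New-SampleUser and Get-PlanLicenseSource are hypothetical:

```powershell
# Added example. The accounts below are constructed; with real data use:
#   $Users = Get-AzureADUser -All $true -Filter "UserType eq 'Member'"
$ExchangePlanId = 'efb87545-963c-4e0d-99df-69c6916d9eb0'   # EXCHANGE_S_ENTERPRISE

# Product SKU identifiers quoted in the article. Assumption: every SKU listed
# here bundles the service plan being checked; confirm with
# (Get-AzureADSubscribedSku).ServicePlans before adding other SKUs.
$ProductSkus = @{
    '6fd2c87f-b296-42f0-b197-1e91e994b900' = 'Office 365 E3'
    'c7df2760-2c81-4ef7-b578-5b5392b571df' = 'Office 365 E5'
    '26d45bd9-adf1-46cd-a9e1-51e9a5524128' = 'Office 365 E5 without audio conferencing'
}

function New-SampleUser {
    # Hypothetical helper: builds an object with the properties the report reads
    param([string]$Upn, [string]$SkuId, [string[]]$DisabledPlans = @(), [string]$Status)
    [PSCustomObject]@{
        UserPrincipalName = $Upn
        AssignedLicenses  = @([PSCustomObject]@{ SkuId = $SkuId; DisabledPlans = $DisabledPlans })
        AssignedPlans     = @([PSCustomObject]@{ ServicePlanId = $ExchangePlanId; CapabilityStatus = $Status })
    }
}

$Users = @(
    New-SampleUser -Upn 'e3.user@example.com' -SkuId '6fd2c87f-b296-42f0-b197-1e91e994b900' -Status 'Enabled'
    New-SampleUser -Upn 'e5.user@example.com' -SkuId 'c7df2760-2c81-4ef7-b578-5b5392b571df' -Status 'Enabled'
    # E3 license with the Exchange service plan switched off for this account
    New-SampleUser -Upn 'e3.blocked@example.com' -SkuId '6fd2c87f-b296-42f0-b197-1e91e994b900' `
        -DisabledPlans $ExchangePlanId -Status 'Deleted'
    # Constructed SKU identifier that is not in the lookup table
    New-SampleUser -Upn 'other.user@example.com' -SkuId '00000000-0000-0000-0000-000000000000' -Status 'Enabled'
)

function Get-PlanLicenseSource {
    param(
        [Parameter(Mandatory)] [object[]]  $Users,
        [Parameter(Mandatory)] [string]    $PlanId,
        [Parameter(Mandatory)] [hashtable] $ProductSkus
    )
    foreach ($User in $Users) {
        # Skip accounts that never had the service plan assigned
        if ($PlanId -notin $User.AssignedPlans.ServicePlanId) { continue }

        # Licenses on the account whose product SKU appears in the lookup table
        $Known = @($User.AssignedLicenses | Where-Object { $ProductSkus.ContainsKey([string]$_.SkuId) })
        if ($Known.Count -eq 0) {
            # The plan comes from a SKU we have no name for; flag it instead of guessing
            [PSCustomObject]@{
                UPN       = $User.UserPrincipalName
                Product   = 'SKU not in lookup table'
                PlanState = 'Check manually'
            }
            continue
        }
        foreach ($License in $Known) {
            # DisabledPlans lists the service plans an administrator removed from this license
            $State = if ($PlanId -in $License.DisabledPlans) { 'Disabled' } else { 'Enabled' }
            [PSCustomObject]@{
                UPN       = $User.UserPrincipalName
                Product   = $ProductSkus[[string]$License.SkuId]
                PlanState = $State
            }
        }
    }
}

$Report = Get-PlanLicenseSource -Users $Users -PlanId $ExchangePlanId -ProductSkus $ProductSkus
$Report | Sort-Object Product, UPN | Format-Table -AutoSize
# Per-product totals, for example how many E3 accounts have Exchange Online enabled
$Report | Group-Object Product, PlanState -NoElement | Format-Table Count, Name -AutoSize
```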

Outputting the License Data

The information in the report can be saved to a CSV file or viewed online. Figure 4 shows the result of the script as viewed through the Out-GridView cmdlet. We can see that the user from whom we removed the Forms license in Figure 1 is reported accurately.

Figure 4: Reporting license data

You might not need to interrogate Azure AD for details of individual licenses very often, but if you do (as when preparing to enable an application for a bunch of users), it’s much faster to get the information with PowerShell than using the admin center GUI.


For more great information about how licensing works, subscribe to the Office 365 for IT Pros eBook.

How to Disable Attendee Cameras During Teams Meetings
https://office365itpros.com/2021/06/04/how-to-disable-attendee-cameras-during-teams-meetings/
Fri, 04 Jun 2021 01:24:00 +0000

Keep Everyone Focused

Message center notification MC244745 posted 17 March (updated 22 April) contains news about the ability for meeting organizers to disable the video feeds of participants. Organizers can disable the video for a single user (roadmap item 70620) or for all participants (roadmap item 70621).

Reasons to be a Video Participant

Generally, the struggle is to convince meeting attendees to turn on their video. The reasons why it’s better when people enable video are varied and include:

  • If others can see someone, they have a better connection. There’s no hiding behind an anonymous attendee card showing your initials or a static image. In other words, people like talking to live people. Given that most haven’t travelled to meet others in over a year, we all need some help to maintain our professional network. While video is a poor replacement for face-to-face contact and cannot substitute for the camaraderie of the coffee station or the ability to settle differences with co-workers or partners over after-office drinks, it’s as good as we can get for now.
  • Video allows non-verbal cues to be seen, like nods of agreement or smiles. The Teams live reactions feature is an electronic attempt to convey feedback, but the set of reactions is limited and only covers positive feelings. You’ll never see a Teams emoticon to scowl at a presenter. Teams dynamic view gives priority to speakers with video enabled to highlight people who might otherwise be lost in a gallery of similar attendee images.
  • Being able to speak directly to someone can improve accountability when assigning actions. Leaders can see the reaction of the person they ask to do something.

Of course, there will be times when you absolutely cannot enable video for a Teams meeting. For example, your network connection might be poor and only capable of audio (the reduced data mode can help for mobile clients).

Focus on Enabling Video but Controls Necessary

The bottom line is that the increased focus on online meetings created by the pandemic accelerated progress in the functionality available in Teams meetings since March 2020. Microsoft has delivered a slew of features from background effects to together mode to attendee spotlighting and presenter mode to make Teams meetings less fatiguing and more interesting. So why would Microsoft now introduce the ability to disable video feeds?

I can think of two reasons. First, it’s obvious that the potential exists that someone might become disruptive during a meeting. For instance, they might use an objectionable background image. Meeting organizers can mute a participant today. This is just another way of dealing with a disruptive influence.

Second, even before Microsoft shipped webinar functionality for Teams, it was used for public webinars. Once you open the doors (virtually) to all comers, you need some control over how the event is run. While Teams webinars are less restrictive than Teams Live Events, you still might want to restrict what attendees can do. Disabling video joins other controls, like disabling chat during the meeting or forcing attendees to go through the meeting lobby. It’s another lever to pull.

Controlling Video Feeds

Before a meeting begins or during a meeting, the organizer can use meeting options to set the Allow camera for attendees option from the default On to Off (Figure 1). Leaving the setting On means that it’s up to each attendee to decide if they want to enable their video feed. Setting it to Off means that attendees cannot enable their video feed. The setting does not affect meeting organizers or presenters, who always can use video.

Figure 1: The control to enable or disable cameras for attendees in a Teams meeting

During a meeting, the organizer or a presenter can update meeting options to enable cameras for all attendees. Alternatively, they can enable or disable video for a selected attendee by right-clicking on the attendee (in the participant list or on their card in the “meeting stage”) to choose the Disable camera or Enable camera option. Attendees with videos enabled are not forced to turn their camera on as they always retain the ability not to use video in a meeting if they wish.

Blocking Video isn’t for Everyone

Disabling cameras is not a feature I think I shall use much, but I suspect I am not in the target group Microsoft intends this feature for. We’ll just have to see what happens after the feature rolls out, especially in how it might be used in webinars hosted by Teams. As always, some will love the new control and others will hate it. Just like any product feature…


Understanding all the options available to accomplish any task in Teams is difficult. Although the Office 365 for IT Pros eBook doesn’t cover user-level functionality in detail, we do explain how and why technology works the way that it does so that tenant administrators understand what’s happening.

Why Humans Should Apply Their Knowledge of Office 365 When Reviewing OCAS Alerts
https://office365itpros.com/2021/05/31/humans-better-resolve-ocas-alerts/
Mon, 31 May 2021 01:53:00 +0000

Don’t Assume Everything a Computer System Spits Out is the Truth

As Office 365 for IT Pros subscribers know, we publish a new edition annually. Part of the preparation for a new edition is an end-to-end technical review of all content. This happens to make sure that our material is current and accurate. The review picks up issues like dead hyperlinks, unnecessary (some might say verbose) text, and outdated graphics. It’s a good process to keep our authors focused on delivering the best possible book, something that’s only possible because of our ePublishing model.

Office 365 Cloud App Security

Microsoft 365 applications update GUIs on an ongoing basis. Sometimes it’s just a matter of adding a new option or changing the words on a button. Other times it’s a more fundamental makeover, such as the introduction of a new interface for content searches. Office 365 Cloud App Security (OCAS) is available to tenants with Office 365 E5 licenses. OCAS is a subset of the full Microsoft 365 Cloud App Security product, tailored for Office 365.

Figuring Out Impossible Travel

OCAS analyzes the data ingested from multiple workloads into the Office 365 audit log to identify anomalies and other potential issues. As we reviewed the chapter on reporting and auditing, the technical editor highlighted the need to refresh some screen shots to reflect the new OCAS GUI, which brings us to Figure 1, which shows how OCAS highlights a potential impossible travel activity issue.

Figure 1: OCAS highlights a potential impossible travel activity alert

In other words, the IP addresses captured by OCAS for client connection events over a certain period originate in multiple countries where it would be impossible for the user to travel between those countries during that time. In this case, the alert flagged interactions from Ireland and the Netherlands within a 99-minute period. It’s possible to fly from Dublin to Schiphol in this time, so that’s probably why OCAS uses this period to test for suspicious connections.

Applying the Human Touch

On the surface, this looks like a problem which deserves investigation to understand if an attacker has compromised the user’s account. In fact, it’s a good example of how human intelligence can quickly make sense of activity which a computer deems suspicious. At first glance, the facts are:

  • The user signed in from two different IP addresses within a short period.
  • The IP addresses indicate connections from Ireland and the Netherlands.
  • In both cases, the application was Teams.

But when we examine the detailed records, we see a continuous set of connections first originating from The Netherlands and then switching to Ireland, all within a very short time (Figure 2). Most of the records are for login events. Some others (not shown here) record SharePoint Online activities like opening a document.

Figure 2: Switching connections from The Netherlands to Ireland

Searching the audit log with the Search-UnifiedAuditLog cmdlet to find the underlying records confirms that the user connected multiple times to work with Teams and SharePoint Online over the period. The IP addresses are correct, the connections valid, so what’s happening? Everything makes more sense when you consider that:

  • Teams and its associated applications use Azure AD secure token service (AzureActiveDirectoryStsLogon) logons to validate user credentials. The logged sign-in events all use the token service.
  • The tenant is in Microsoft’s EMEA datacenter region, and the Teams service runs in the region.
  • The EMEA datacenter region includes datacenters in Ireland and the Netherlands.

Therefore, the most likely explanation is that the Teams client attempted to use its access token to connect. During this process, the server handling the request changed from a server in the Netherlands to one in Ireland. Azure AD captured details of the connections and sent them to the Office 365 audit log where OCAS picked up the information, analyzed the events, and concluded that a potential impossible travel situation exists. As it happens, I know that this is exactly what transpired, but it’s a great example of how tenant administrators need to apply their knowledge of Office 365 and how Microsoft’s datacenter infrastructure operates to assess and resolve a flagged alert.
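
To lay out the evidence the way the review above reads it, the following added example (not code from the original post) orders audit records by time and lists each change of country with the gap in minutes and the record type involved. The records and the IP-to-country table are constructed; audit records carry no country, so the lookup stands in for whatever geo-IP source you trust, and the function names are hypothetical:

```powershell
# Added example. Constructed records shaped like Search-UnifiedAuditLog output.
# With real data, something like:
#   $Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
#                -UserIds $Upn -ResultSize 1000

# Hypothetical lookup using documentation address ranges
$IpCountry = @{ '192.0.2.10' = 'NL'; '198.51.100.20' = 'IE' }

function New-SampleRecord {
    # Hypothetical helper that mimics the properties read below
    param([datetime]$When, [string]$Ip, [string]$Operation, [string]$RecordType)
    [PSCustomObject]@{
        CreationDate = $When
        UserIds      = 'user.one@example.com'
        Operations   = $Operation
        RecordType   = $RecordType
        AuditData    = (@{ Operation = $Operation; ClientIP = $Ip
                           UserId = 'user.one@example.com' } | ConvertTo-Json -Compress)
    }
}

$T0 = [datetime]'2021-05-20T09:00:00'
$Records = @(
    New-SampleRecord $T0.AddMinutes(7)  '198.51.100.20' 'UserLoggedIn' 'AzureActiveDirectoryStsLogon'
    New-SampleRecord $T0                '192.0.2.10'    'UserLoggedIn' 'AzureActiveDirectoryStsLogon'
    New-SampleRecord $T0.AddMinutes(3)  '192.0.2.10'    'UserLoggedIn' 'AzureActiveDirectoryStsLogon'
    New-SampleRecord $T0.AddMinutes(6)  '192.0.2.10'    'UserLoggedIn' 'AzureActiveDirectoryStsLogon'
    New-SampleRecord $T0.AddMinutes(9)  '198.51.100.20' 'UserLoggedIn' 'AzureActiveDirectoryStsLogon'
    New-SampleRecord $T0.AddMinutes(12) '198.51.100.20' 'FileAccessed' 'SharePointFileOperation'
)

function Get-SignInTimeline {
    param([object[]]$Records, [hashtable]$IpCountry)
    $Events = foreach ($Record in $Records) {
        # ClientIP lives in the JSON payload, not in the top-level properties
        $Data = $Record.AuditData | ConvertFrom-Json
        $Country = if ($IpCountry.ContainsKey($Data.ClientIP)) { $IpCountry[$Data.ClientIP] } else { 'Unknown' }
        [PSCustomObject]@{
            Time       = $Record.CreationDate
            Country    = $Country
            ClientIP   = $Data.ClientIP
            Operation  = $Record.Operations
            RecordType = $Record.RecordType
        }
    }
    # Audit searches do not guarantee order, so sort before comparing neighbours
    @($Events | Sort-Object Time)
}

function Get-CountrySwitch {
    param([object[]]$Timeline)
    for ($i = 1; $i -lt $Timeline.Count; $i++) {
        $Prev = $Timeline[$i - 1]
        $Curr = $Timeline[$i]
        if ($Prev.Country -ne $Curr.Country) {
            [PSCustomObject]@{
                SwitchAt       = $Curr.Time
                From           = $Prev.Country
                To             = $Curr.Country
                MinutesApart   = [math]::Round(($Curr.Time - $Prev.Time).TotalMinutes, 1)
                PrevRecordType = $Prev.RecordType
                CurrRecordType = $Curr.RecordType
            }
        }
    }
}

$Timeline = Get-SignInTimeline -Records $Records -IpCountry $IpCountry
$Timeline | Format-Table -AutoSize
# One NL -> IE switch, one minute apart, token service logons on both sides
Get-CountrySwitch -Timeline $Timeline | Format-Table -AutoSize
```

The output is material for the reviewer, not a verdict: whether a switch is a datacenter change or a second location still depends on what you know about the tenant's region and the addresses involved.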

Administrator in Office 365

Another thing to consider is that OCAS notes that the user is an administrator in Office 365. This doesn’t mean that the account is a tenant administrator. It means that the account holds an administrative role. In this case, the account holds the SharePoint administrator role. Again, when probing details of an incident, check before assuming the worst.

Resolving Issues

This case did not take much to resolve. Other OCAS alerts require substantially more effort to understand and conclude. The point I make is that OCAS is a tool to highlight issues to administrators which deserve some attention. Just because OCAS flags an alert isn’t evidence that a problem exists. Always use human intelligence to validate computer indications when resolving alerts. You’ll get better results that way.

How Office Suggests the Most Relevant Files to Users
https://office365itpros.com/2021/05/14/how-office-suggests-the-most-relevant-files-to-users/
Fri, 14 May 2021 01:43:00 +0000

Machine Learning Selects Most Appropriate Files

Message center notification MC255074 published on May 7 discusses a new way of highlighting recent Office documents to users on the File tab of Word, Excel, and PowerPoint. The text says that machine learning predicts which files a user is most likely to want to work on next and generates a set of cards for these files. Suggested files must be stored in OneDrive for Business or SharePoint Online. This is Microsoft 365 roadmap item 72233.

The Office MRU

Office has had a Most Recently Used (MRU) list for years. The MRU list shows the files last accessed and appears in places like when you right click on an Office app icon in the Windows toolbar. Figure 1 shows my current MRU list for Word. MRU files can be stored locally or in a cloud location.

Figure 1: The Windows toolbar reveals the Most Recently Used (MRU) list for Word

Like many Office settings, the MRU list for an Office app is workstation-dependent and stores its data in the system registry. The exact location depends on the version of Office. For Microsoft 365 apps for enterprise (aka Office Pro Plus or Office click to run) on Windows, a set of identities used to sign into the PC is in HKCU\Software\Microsoft\Office\16.0\<app>\User MRU with the file MRU list stored in the File MRU value (at least, this is how Word and Excel work). Figure 2 shows my MRU list for Word documents in the registry. If you see ADAL in the identity name, it means that this list is for an identity signed in using the Azure Active Directory Authentication Library. LiveId means that authentication happened for a Microsoft Services Account (MSA).

Figure 2: The Word MRU stored in the Windows system registry

Graph Based Suggestions

Storing MRU data in the system registry works acceptably well until your workstation changes. If you switch to a new PC or need to reinstall Office, the MRU list disappears. The MRU list is date based and shows files according to when they were used with the most recent file at the top.

The update to Office for Windows reflects changes previously made to Office.com and Office for Mac and uses machine learning to process Graph signals gathered for actions like edits (including updating properties in SharePoint, which show up as an edit), mentions, and comments to predict which files the user is most likely to want to open. Microsoft doesn’t say how far back the analysis of file activity looks back to suggest files. My experience is that the period covers the last week, but this might depend on how active you are in an application.

Each suggestion is in a card with a thumbnail showing some of the document (Figure 3). Two of the five files are shown because they are frequently opened; the others are due to recent edits. You can remove items from the list as a signal that you don’t want to see it again. The traditional MRU list is available as a list of recent files under the suggested documents.

Figure 3: Word suggests files in a set of cards

Delve and Graph Privacy Settings Don’t Affect Suggestions

Suggestions are unique and personal to a user and only the owner of documents can see the set of recommended files. As such, this feature is unaffected by the privacy controls for insights applied through Delve or the Microsoft Graph. The privacy controls affect how people see insights derived from signals collected in the Office Graph for documents owned by other users (Figure 4). Although these insights also only work for files in SharePoint Online and OneDrive for Business, their focus is on making others aware of a person’s work. It wouldn’t make much sense if the privacy setting restricting visibility to others also stopped applications suggesting files to the author.

Figure 4: Delve can’t show documents

Hard to Know How Useful Suggestions Are

The value of suggestions is that they don’t depend on work done on a specific PC. The Microsoft Graph gathers signals about user activity no matter what client or device is used, so the suggestions surfaced in applications represent the totality of someone’s work rather than a snapshot from an individual device.

This change is yet another example of how Microsoft uses machine learning to process the signals gathered about user actions. Whether the suggestions prove useful will differ from person to person. If you’re the type to only open a file when you have good reason to, the suggestions probably won’t make much difference. Others who operate on a less structured basis might find them more useful.

Best and Most Comprehensive Office 365 Book Updated Again
https://office365itpros.com/2021/05/01/best-most-comprehensive-office-365-book-updated-again/
Sat, 01 May 2021 13:09:43 +0000

Microsoft Reports Over 300 Teams Changes in the Last Year

During his remarks to analysts following Microsoft’s FY21 Q3 results, CEO Satya Nadella observed that Teams had added “over 300 features over the past year.” Although you can’t help but be impressed at the volume of new features created, tested, and deployed by Teams engineering, the sheer number of updates threatens to overwhelm Office 365 tenants at times. Every time you turn around, Teams has changed.

The problem is compounded by the volume of changes flowing for Exchange Online, SharePoint Online, OneDrive for Business, Planner, Yammer, Microsoft 365 Groups, Forms, Whiteboard, Azure AD, and anything else which might contribute to Microsoft’s cloud ecosystem. Collectively, a tenant might face dealing with over five hundred updates annually.

Both Small and Large Changes

It’s not as if the changes are small updates either. Some, like the introduction of Viva Topics, represent important new functionality. Others, like the transition of video storage from Stream to OneDrive for Business, affect the way people work, while it’s hard to put a value on other changes like the increase in Planner labels from six to 25.

It’s certain that change within the Microsoft 365 ecosystem will continue. When we started on the road to build the Office 365 for IT Pros eBook in 2014, we could already see that the cloud versions of Microsoft server applications developed faster than their on-premises counterparts. Change became faster when Microsoft cut the ties between the on-premises and cloud code bases for Exchange and SharePoint in 2016 or thereabouts and began to develop cloud-only apps like Teams and Planner. We can confidently predict that what tenants see today won’t be the same as what they will see in a year’s time. Or even in six months.

May Update for Office 365 for IT Pros

The degree of ongoing change within the ecosystem is why we update the Office 365 for IT Pros eBook every month. We believe that we are the only team covering Office 365 using a monthly republishing cycle for our eBook. Now spanning over 1,300 pages, Office 365 for IT Pros is packed full of practical and most importantly, up-to-date knowledge and guidance about Office 365, Exchange Online, SharePoint Online, OneDrive for Business, Teams, Planner, Azure AD, PowerShell, the Microsoft Graph, and many other topics.

We have just released the May 2021 update for Office 365 for IT Pros (2021 edition). Subscribers to our EPUB/PDF version can download the refreshed files from Gumroad using their account or the link in the receipt emailed to the address provided at the time of purchase. We have not updated the companion volume for May. Buyers of the Amazon Kindle version must ask Amazon support to make the new file available. See our FAQ for more information about how to download updates.

The May 2021 update contains changes to 20 of the 24 content chapters. Details of the change are available in the change log.

The writing team is moving forward with plans for the 2022 edition. We believe that we will release this edition on July 1, 2021. Before then, we will deliver the last (June) update for the 2021 edition early next month.

Happy reading!

Teams Daily Active User Number Hits 145 Million
https://office365itpros.com/2021/04/28/teams-hits-145-million/
Wed, 28 Apr 2021 09:39:58 +0000

But the Headline Number Doesn’t Tell the Whole Story

Announced on April 27 as part of Microsoft’s FY21 Q3 results and shared by Microsoft’s Jeff Teper on Twitter (Figure 1), we learn that Teams now has 145 million daily active users (DAU), an increase from the 115 million number reported in October 2020. In other words, growth of 30 million over six months, or five million new Teams users monthly.

Figure 1: Jeff Teper celebrates Teams getting to 145 million DAU

Another factoid shared by Satya Nadella in his remarks to analysts was that Teams added more than 300 new features over the last year. Office 365 tenants are well aware of the number of new features appearing in Teams. It’s an ongoing challenge for many organizations to keep up with the volume of changes and the unpredictability in delivery caused when Microsoft adjusts roll-out dates.

Strong Growth Since 2020

The news about the new DAU number isn’t terribly surprising. The Teams DAU jumped massively due to the demands for people to work from home during the pandemic. What we see now is a relative flattening in the growth curve (Figure 2). The growth is still impressive, but Teams can only grow into the available pool of Office 365 seats. Right now, it seems like Teams accounts for about half of the available Office 365 base, assuming we’re comparing apples to apples based on Microsoft data.

Figure 2: Growth in Teams Daily Active Users since November 2019

Teams in Commercial, Education, and Large Organizations

Microsoft never releases numbers which tell the full story. For Teams, no differentiation is offered between commercial and education users. Teams is strong in education and a February report put the number at 100 million student users, with a growth of 30 million students since September 2020. The problem is that these users pay much less per license than commercial users do, and there’s usually no opportunity for Microsoft to upsell higher-priced plans or expensive add-ons to boost the average revenue per user (ARPU) figure beloved by Microsoft CFO Amy Hood and Wall Street analysts.

Unless you conclude that Teams has only 45 million commercial users, there’s no way to reconcile the 145 million number with 100 million student users of Teams. Microsoft isn’t saying what the real situation is. However, the detail revealed in their FY21 Q2 data about the growth of Teams in large organizations gives a helpful insight. According to Microsoft, 117 organizations now have more than 100,000 Teams users and 2,700 have more than 10,000 users. The largest customers (Accenture and the U.S. Department of Veterans Affairs) have more than half a million users. Although we don’t know if these organizations are all commercial or a mixture of commercial and education, the data indicates strong acceptance of Teams in large enterprises.

Nearly 300 Million Paid Office 365 Seats

Microsoft hasn’t revealed a hard number for Office 365 active users for about a year. This time round they said that “Office 365 now has nearly 300 million paid seats.” A year ago, that number was 258 million. Applying the 15% growth in Office 365 paid seats over the last year noted by CFO Amy Hood, the number is 296.7 million.

April 2020 marked a transition in reporting as Microsoft stopped talking about Office 365 active users and focused on paid seats. There’s a big difference between a paid seat and an active user, and if you applied the 15% growth rate reported by Microsoft to the last number for active users, you end up with a current number of 264.5 million active users, which is what I show in Figure 3. As Mark Twain said, “There are three kinds of falsehoods: lies, damned lies, and statistics.”

Figure 3: Growth in Office 365 Daily Active Users since April 2016

I’m not quite sure what to make of the cited 38 billion collaboration minutes clocked up by Office 365 users in a single day. Microsoft doesn’t say if this includes email, document creation, sharing presentations, Teams chats, online meetings, or Yammer discussions. It seems like a catch-all statistic for everything people do within Office 365.

Microsoft also revealed that the number of customers who pay for Azure AD is now over 300,000. These are the folks who will qualify for the new 99.99% SLA for Azure AD. Hopefully, they’ll be able to avoid the kind of Azure AD authentication outage which occurred last month.

ISV Target

Microsoft said that “the number of organizations with more than 1,000 users integrating their third-party and LOB apps with Teams has increased nearly 3X year over year.” This points to a growth in interest in Teams as a development platform. The Teams admin center now lists 997 apps submitted by ISVs and Microsoft. The last time I checked, the number was around 600. All of which means that ISVs need to pay attention to Teams if they’re not already doing so.


How Shortening Outlook Meetings Might Give Users a Break
https://office365itpros.com/2021/04/22/shorten-outlook-meetings/
Thu, 22 Apr 2021 08:51:50 +0000

That is, if Meeting Attendees Cooperate…

Research commissioned by Microsoft says that your brain needs breaks when working over sustained periods and points to back-to-back video meetings as a problem. The article goes on to point to new calendar settings in Outlook (Windows and OWA for now, the other platforms are coming) to help users to shorten Outlook meetings to create breaks when they schedule events. The idea is that these breaks give users the opportunity to decompress a little before plunging into the maelstrom of their next meeting. It’s a nice idea, but one that can only work if everyone attending meetings cooperates to begin and end meetings on time, which is something that human beings fail to do.

Making Outlook Shorten Meetings

Outlook has been able to suggest shortened meeting durations for two years (here’s an article by MVP Brian Reid from 2019), with the idea being that people could gain some time back in their day by scheduling 30-minute meetings for 25 minutes and hour-long gatherings for 50 minutes (or whatever you choose). What’s different now is:

  • An organization-wide default setting is available to complement the client-side settings. The change is described in message center notification MC251866 published on 21 April and Microsoft 365 roadmap item 72215.
  • People can choose to shorten meetings at the start or end of a period by starting late or ending early.
  • The organization defaults or user-selected settings apply to the full range of Outlook clients for Microsoft 365 (after Microsoft upgrades the software). Perpetual clients like Outlook 2019 don’t respect the settings.

For instance, I used version 2104 of Outlook for Windows (the option should be in version 2102 or later of Microsoft 365 apps for enterprise) to choose my preferred options (Figure 1).

Figure 1: Outlook for Windows calendar options

On the basis that people always turn up late to my meetings, I choose to create a time barrier to my next meeting by ending early. The corporate culture in your organization might be different, but I hazard a guess that most meetings can focus on finishing by a defined meeting end time where they might struggle to begin on time. Of course, the period allotted to a meeting and the actual time consumed by the meeting can be two very different values. The behavior of people in a meeting might be affected by a shortened time, but when business or personal needs dictate, people will continue until they achieve the purpose of the meeting.

The periods available to shorten meetings of less than one hour are 5, 8, and 10 minutes, while for meetings of one hour or longer they are 5, 10, and 15 minutes. As we’ll see, more granularity is available when setting organization defaults with PowerShell. Figure 2 shows how to configure the event shortening settings in OWA. It’s interesting that Outlook desktop refers to meetings and appointments while OWA refers to generic “events.”

Figure 2: The shorten meeting settings in OWA

Shortening a Meeting

My calendar settings call for a default meeting duration of 30 minutes. After selecting my event shortening options, new meetings start off with a 25-minute duration set (Figure 3). If the default meeting duration is an hour or longer, Outlook shortens it by 10 minutes.

Figure 3: Outlook shortens a 30-minute meeting to end early

The new setting does not affect any meeting already in the calendar. And of course, because the owner has full control over an event, I can select other durations for the meeting as I like. The shortening feature is an advisory guide rather than a mandatory restriction.

When scheduling a meeting with OWA, users might see a MailTip saying: “Your organization shortens events by default.” This only applies when the user has not configured event shortening and an organization policy is active (see below). Microsoft says that the same MailTip will be visible in other Outlook clients in the future.

Shortening Teams Meetings

Given the multitude of Teams meetings occurring today, effective event shortening must apply to these events. Neither the Teams calendar app nor the Teams channel calendar app respects organization-wide or personal event shortening settings at present. Events created by Outlook synchronize with the Teams calendar app, so Teams meetings created through Outlook will pick up the shortened times. According to Microsoft, an update is coming for the Teams calendar app to respect the shortening settings.

Configuring Shortening Events Settings with PowerShell

While users can decide on their personal event shortening settings and set these values through Outlook or OWA, organizations might want to apply default settings. This is done by updating the Exchange Online organization configuration with PowerShell. It’s critical to understand that once a user selects their own settings, the organization defaults do not apply to them.

Three organization-wide settings are available to control event shortening:

  • ShortenEventScopeDefault: Sets whether event shortening is in effect (0 or none) or applies to ending meetings early (1 or EndEarly) or starting later (2 or StartLate). This parameter must be set to 1 or 2 before you can amend the periods.
  • DefaultMinutesToReduceShortEventsBy: The number of minutes to shorten events by if they are scheduled for one hour or less. The default is five.
  • DefaultMinutesToReduceLongEventsBy: The number of minutes to shorten events by if they are scheduled for over one hour. The default is 10.

To turn on event shortening for the organization using my preferred end early option, run:

Set-OrganizationConfig -ShortenEventScopeDefault EndEarly

Using Get-OrganizationConfig to examine the settings afterwards shows the current configuration:

Get-OrganizationConfig | fl defaultmin*, short*

DefaultMinutesToReduceShortEventsBy : 5
DefaultMinutesToReduceLongEventsBy  : 10
ShortenEventScopeDefault            : EndEarly

Like any organization-wide setting, some time is necessary to allow clients and servers to pick up new values (it can take up to 24 hours for the setting to reach all the mailbox servers used by a tenant). For now, there’s no way for administrators to use PowerShell to update settings for individual mailboxes as Microsoft hasn’t upgraded the Set-MailboxCalendarConfiguration cmdlet.

Teams Usage Data is Finally Obfuscated in Reports in the Microsoft 365 Admin Center
https://office365itpros.com/2021/04/16/microsoft-obfuscates-teams-usage-data/
Fri, 16 Apr 2021 14:38:19 +0000

Teams is the Last Workload to Support Deidentification of Personal Data

On March 16, Microsoft published message center notification MC244599 to announce that the usage data in Teams reports would support the same obfuscation of personally identifiable information (PII) in usage reports as the other workloads do. On April 9, they said that the roll-out of the feature was complete. This is Microsoft roadmap item 70774.

The text in MC244599 and roadmap item 70774 might lead you to think that this is a Teams feature. It’s not. As evident in this December 2020 post, workloads like Exchange Online and SharePoint Online could disguise user-identifiable information like email addresses and display names as well as SharePoint site names in the Microsoft 365 admin center reports. This is a case of Teams catching up. What’s odd about Teams only now obscuring its usage data is that the Microsoft Graph was able to obfuscate the raw Teams usage data then (see the example in the previous post).

Obscuring Personal Data

The setting to control the display of obfuscated user, group, and site data is in the Org-wide Reports section (Figure 1).

Figure 1: Reports setting in the Microsoft 365 admin center

After setting the switch, the usage reports for workloads available in the Microsoft 365 admin center contain obfuscated user data (Figure 2).

Figure 2: Obfuscated usage data shown for Teams in the Microsoft 365 admin center

The setting also covers the usage reports available in the Teams admin center.

The Graph Reports API is to Blame

The setting to control the anonymization of personally identifiable data applies to all reports generated by the Microsoft Graph Reports API, which is the basis for the usage reports in the Microsoft 365 admin center. Deciding to obscure usage data can cause an admin to swap settings to access some information. For instance, the admin center has a report for Microsoft browser usage (Chrome, Brave, and Firefox are studiously ignored). The report is useful to find people who still use the legacy Edge browser, which Microsoft removed from the April 2021 update. But if you look at the report to find the names of people to contact to ask them to switch to a supported browser, you’ll see deidentified strings like C58FABF670363F68A787078886FCB1A1.

Figure 3: The Microsoft 365 admin center lists the people using the legacy Edge browser

The same issue exists in reports like active users or groups activity, which are examples where the data is all but useless if you don’t know what users are active (and who isn’t) and what groups are in use (and which are not). In all cases, an admin can fix the problem quickly by resetting the switch, but it does show how unintended consequences often flow from an action.

ISV and Your Own Reports as Well

Microsoft hypes the Graph Reports API to ISVs and customers as an easy way to integrate Microsoft 365 usage reporting into existing reporting solutions. This is true, but the downside is that the same switch used to control user anonymization in the Microsoft 365 admin center usage reports affects any other use of the API in a tenant.

For example, we have a PowerShell script to collect information about user activity from a range of Microsoft 365 workloads to present a per-user synopsis of how they interact with the service. The script uses the Reports API to fetch usage data from each workload and combines it together for each user to create the report. If the tenant switches on data obfuscation, the usage report fetched by the script is anonymized and returns data like this:

Report Refresh Date : 2021-04-13
User Principal Name : 47A3F2B66A3C6BF31F1C629D02B43A24
Display Name        : 24589499045E94C4FF5C4A681A467937
Is Deleted          : False
Deleted Date        :
Last Activity Date  : 2021-02-20
Send Count          : 76
Receive Count       : 123
Read Count          : 0
Assigned Products   : MICROSOFT 365 E5 DEVELOPER (WITHOUT WINDOWS AND AUDIO CONFERENCING)
Report Period       : 90

Although the user’s privacy is protected, from an organizational perspective the value of the report is negated.
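
One way for a reporting script like this to notice concealed data before it builds a useless report, as an added example (not the script described above). The function names are hypothetical, the CSV rows are constructed samples, and the check assumes concealed identifiers are 32 hexadecimal characters, as in the values shown in this post.

```powershell
# Added example: refuse to build a per-user report from de-identified usage data.
# Assumption: concealed identifiers are 32 hex characters; real UPNs contain '@'.

function Test-ConcealedValue {
    param([AllowNull()][AllowEmptyString()][string]$Value)
    return [bool]($Value -match '^[0-9A-Fa-f]{32}$')
}

function Get-ReportConcealmentState {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Rows)

    if ($Rows.Count -eq 0) { return 'Empty' }
    $concealed = 0
    foreach ($row in $Rows) {
        if (Test-ConcealedValue $row.'User Principal Name') { $concealed++ }
    }
    if ($concealed -eq 0)           { return 'Identified' }
    if ($concealed -eq $Rows.Count) { return 'Concealed' }
    return 'Mixed'
}

function Select-UsableReportRows {
    param([object[]]$Rows, [string]$ReportName)

    $state = Get-ReportConcealmentState -Rows $Rows
    switch ($state) {
        'Identified' { return $Rows }
        'Empty'      { Write-Warning "${ReportName}: report returned no rows"; return @() }
        default {
            # Concealed or Mixed: joining on UPN would silently match nobody.
            throw "${ReportName}: user identifiers are concealed ($state). " +
                  "The tenant's Reports setting hides user names, so per-user output is not possible."
        }
    }
}

# Constructed sample data using the column names shown in the output above.
$concealedCsv = @'
Report Refresh Date,User Principal Name,Display Name,Last Activity Date,Send Count
2021-04-13,47A3F2B66A3C6BF31F1C629D02B43A24,24589499045E94C4FF5C4A681A467937,2021-02-20,76
'@

$identifiedCsv = @'
Report Refresh Date,User Principal Name,Display Name,Last Activity Date,Send Count
2021-04-13,Chris.Bishop@office365itpros.com,Chris Bishop,2021-02-20,76
'@

$samples = [ordered]@{
    'EmailActivity (concealed sample)'  = $concealedCsv
    'EmailActivity (identified sample)' = $identifiedCsv
}

foreach ($name in $samples.Keys) {
    $rows = @($samples[$name] | ConvertFrom-Csv)
    try {
        $usable = @(Select-UsableReportRows -Rows $rows -ReportName $name)
        Write-Host "${name}: $($usable.Count) row(s) ready for per-user processing"
    }
    catch {
        Write-Warning $_.Exception.Message
    }
}
```

Failing loudly at this point keeps a scheduled job from emailing out a report full of hashes that nobody can act on.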

Understand What Obfuscation Means

It’s easy to understand why Microsoft builds the ability to anonymize user data in reports into the admin center. Several user-assignable roles (like Reports Reader) can access the reports, so it’s good to have a way to protect user privacy, even if it’s only surface-deep. What’s less understandable is the impact the switch has on custom reporting. It just seems a little crude to have a binary switch which controls all output.

Use a Test or Development Microsoft 365 Tenant to Test New Features
https://office365itpros.com/2021/04/15/test-microsoft-365-tenant/
Thu, 15 Apr 2021 01:20:00 +0000

Create a Testing Sandbox for Your Microsoft 365 Tenant

Not every administrator is happy to run test code in their production tenant, or enable new features, or install a new app, or make any of the changes which might just compromise service to end users. Developers or those involved in creating or deploying new code might want to make changes but don’t want to affect anyone else. The quandary is solvable by using either a test Microsoft 365 tenant or a developer tenant. Neither approach is intended for production use and you shouldn’t attempt to use these tenants for that purpose as no one will shed any tears if data is lost, corrupted, or otherwise compromised by a problem.

Signing up for a Test Microsoft 365 Tenant

A test Microsoft 365 tenant includes 25 Office 365 E3 or E5 licenses for a 30-day trial. These tenants are intended to allow organizations to check out basic functionality and prepare for a subsequent deployment. The downside of this type of tenant is its short lifetime. In essence, it’s a short-term test-and-leave kind of tenant.

To sign up for a test tenant, go to Microsoft’s Office 365 plan comparison page (Figure 1) and select the Try for free link for either E3 or E5.

Figure 1: Select a plan for a test Microsoft 365 tenant

A test Microsoft 365 tenant is a good choice for organizations who want to kick the tires and see how the latest Office 365 functionality works. Because it’s gated to a 30-day period, some up-front preparation is needed to make sure that maximum advantage is gained from the trial.

Developer Tenants

A developer tenant includes 25 Microsoft 365 E5 licenses (without audio conferencing) for a 90-day trial. Microsoft automatically renews the trial if the tenant is used for development. Software development and testing is often a slow process, so developer tenants are intended for the long haul.

To begin, head to Microsoft’s Developer program site and join the program. You can then create a developer tenant (the “Microsoft 365 instant sandbox”) including:

  • Office 365 apps (Exchange Online, SharePoint Online, OneDrive, Forms, Planner, Teams, Stream, etc.) plus the Office Online apps.
  • Microsoft 365 Defender for Office 365 (Advanced Threat Protection).
  • Advanced analytics with Power BI.
  • Enterprise Mobility + Security (EMS).
  • Azure Active Directory (including Azure AD Premium P2 licenses).

You’ll be asked to choose an available tenant name, country, and administrator username. The tenant will use the selected name with an onmicrosoft.com domain (like o365alpha.onmicrosoft.com) and is fully functional for inbound and outbound email. It’s a good sandbox to build apps or test new features. Like any Microsoft 365 tenant, the full creation process to make all services available can take up to 48 hours, but basics like Azure AD, Exchange Online and SharePoint Online should be functional within 15 minutes.

Once the tenant is operational, the Dev Center dashboard shows its details (Figure 2) and developer resources like courses you might like to take. These learning resources are based on interest areas you choose when creating the developer tenant.

Figure 2: Details of a Microsoft developer tenant

Because you create the test tenant, you become the global administrator and therefore have full control over the tenant. You can assign the 25 licenses to accounts you create (including your own) or install the Users sample data pack to create a set of test users. You can assign administrator permissions and roles to other accounts and configure the tenant to have whatever settings are needed for what you want to test.

Microsoft’s sample data packs for Users, email, and SharePoint use the Graph API to populate the tenant with sufficient information to make them useful for testing, but there’s nothing to stop you populating the tenant from scratch or supplementing what Microsoft does. For instance, you could use a developer tenant to test PowerShell scripts downloaded from the internet, such as those in the Office 365 for IT Pros GitHub repository.

As the name implies, a developer tenant is intended for development. Microsoft uses telemetry to understand what’s happening in the tenant and if it is not used, it will lapse after 90 days and then be deleted. Although Microsoft isn’t specific about what constitutes a development action (for instance, I don’t know if running PowerShell cmdlets from a Microsoft 365 tenant counts, but I know that running cmdlets from the Microsoft Graph PowerShell SDK does), it isn’t difficult to do enough to convince Microsoft that the tenant is involved in development by running some Graph API calls so that it renews automatically. You can also link your developer tenant to a Visual Studio subscription to allow Microsoft to use the Visual Studio activity as a source of information about developer activity.

One for Everyone

Anyone who builds code to run against Microsoft 365 applications or tenants should have a developer tenant. It avoids any clash with the folks who run your production tenant and gives you an environment under your control for application development, demos, proof of concepts, and deployment and testing of software builds.

All in all, it’s a great deal.


The Office 365 for IT Pros eBook authors use test and development tenants a lot. We mess up sometimes when we test new features, so we like to do it in safety.

How to Control Updates for User Photos in Microsoft 365 Apps
https://office365itpros.com/2021/04/14/control-updates-user-photos-microsoft-365-apps/
Wed, 14 Apr 2021 01:00:00 +0000

Putting the Best Face on Every User

Updated 3 October 2023

Update: Microsoft announced (MC678855) the deprecation of the Exchange Online management cmdlets used to manage user photos (Set-UserPhoto, etc.). These cmdlets will be removed from use on 30 November 2023. You should upgrade scripts to use the cmdlets from the Microsoft Graph PowerShell SDK instead.

In April 2020, Microsoft introduced a policy to stop users being able to update their photo through the Teams client. More accurately, Teams adopted the SetPhotoEnabled setting in the Exchange Online OWA mailbox policy to control if a user can update their photo. Since then, I have noticed a flood of questions (or complaints) from people asking why their attempt to upload a photo is “blocked by policy.” Of course, the answer is that it is, and they should talk to their tenant administrator to have their photo updated, but that’s seldom a welcome response.

Given that user photos show up in places as diverse as the GAL, the Microsoft 365 user profile card, and avatars in applications like SharePoint Online and Teams, it’s a good idea to make sure that appropriate photos are available for users. For example, if a user photo is available, Teams meetings show the photo on a user’s attendee card when their video feed is turned off instead of the more generic “two-initials in a circle” card (Figure 1).

Figure 1: The difference a user photo makes to an attendee card in a Teams meeting

Two Strategies

Organizations usually consider two approaches before deciding on a strategy for user photo management.

  • User-driven. While this strategy involves less work for administrators, it exposes the danger that some users might make less than suitable photo choices. It’s a poor choice for schools and other educational establishments.
  • Organization-driven. This strategy usually means that some tool updates user photos based on a repository such as HR data. The upside of the strategy is the high standard of user photos. The downside is the need to either write a tool or find one to do the job (like Code Two Software’s Photos for Office 365).

Of course, given that control is exerted by OWA mailbox policies, you can run a hybrid strategy where some users can update their photos and some cannot, through the simple step of deploying multiple OWA mailbox policies, some of which enable photo updates and others which don’t.

The Role Played by Exchange Online

Exchange Online plays a key role in user photo management for other Microsoft 365 applications. The SetPhotoEnabled setting in the Exchange Online OWA mailbox policy assigned to the mailbox controls the ability for users to update their photo. By default, this setting is $False, meaning that users are unable to upload a photo from apps and their Office profile. Users barred by policy see a message such as “picture options are disabled by policy” if they try to change their photo. To allow users to upload and update their photos, either:

  • Update the OWA mailbox policies so that SetPhotoEnabled is $True in all policies, or:
  • Create or update an OWA mailbox policy with SetPhotoEnabled set to $True and assign this policy to the mailboxes of accounts you want to allow to upload photos.

For example, to update an OWA mailbox policy, run the Set-OWAMailboxPolicy cmdlet:

Set-OWAMailboxPolicy -Identity OWAFullAccess -SetPhotoEnabled $True

To assign an OWA mailbox policy to a mailbox, use the Set-CASMailbox cmdlet:

Set-CASMailbox -Identity Chris.Bishop -OWAMailboxPolicy OWAFullAccess

Changes to an OWA mailbox policy take up to 30 minutes before they are effective.

OWA mailbox policies in Exchange Online obviously don’t affect users with an on-premises Exchange mailbox. These users are therefore able to update their photos in apps like Teams.

Updating User Photos Programmatically

Several PowerShell cmdlets are available to administrators to update user photos.

  • The Exchange Online Set-UserPhoto cmdlet updates the photo data in a mailbox. Set-UserPhoto can also update a photo for a group mailbox (be sure to specify the GroupMailbox switch). You cannot use Set-UserPhoto to update other mail-enabled objects, like distribution lists or mail contacts. Photos loaded into Exchange Online are synchronized to other workloads, including SharePoint Online and Teams.
  • The Teams Set-TeamPicture cmdlet updates the image for a team. This is analogous to running Set-UserPhoto to update the photo for a group mailbox. In most cases, it’s best to use Set-UserPhoto to avoid the need to load another module. It’s a good idea to highlight important teams with an appropriate image which conveys the purpose of the team.
  • The Azure AD Set-AzureADUserThumbnailPhoto cmdlet writes photo data to an Azure AD user account. Use this cmdlet when you wish to update photo data for an Azure AD account which doesn’t have an Exchange Online mailbox, like guest accounts. As the cmdlet name suggests, the cmdlet processes thumbnail (small) photos. It does not generate the larger size photos which look better in Teams meetings. For this reason, always use Set-UserPhoto to upload photos for tenant accounts.

Update: With the deprecation of the Azure AD PowerShell module, you should upgrade scripts to use the Set-MgUserPhotoContent cmdlet from the Microsoft Graph PowerShell SDK to update photos for guest accounts.

Exchange Online and Azure AD synchronize photo data to make sure that user accounts have the latest picture. After a short delay to allow the apps to refresh their caches, an updated photo will be active across the ecosystem.

Teams owners can change the picture for a team by clicking the existing picture and uploading a new file (Figure 2). Group owners can do the same for Microsoft 365 groups by editing group properties in OWA’s Manage groups section. In both cases, the picture data is in the group mailbox and will synchronize to other apps.

Figure 2: Updating the photo for a team

Image files for user photos can be JPEG or PNG format and should be:

  • Resolution: 648 x 648 pixels. This is the largest resolution supported. Behind the scenes, Exchange Online generates smaller 64 x 64 and 96 x 96-pixel thumbnails for apps to use when small thumbnails are appropriate. Most digital photos are much larger (in pixels) so some resizing is needed. Square photos are best as they won’t be cropped. Usually, best results are obtained when the user faces directly into the camera.
  • Size: Less than 500 KB.
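
A pre-upload check against the limits listed above, as an added example rather than code from the original article. The function names are hypothetical, the header bytes are constructed samples, and 500 KB is assumed to mean 512,000 bytes.

```powershell
# Added example: validate photo bytes (format, resolution, size) before upload.
# Format is decided from the file content, not from the file extension.

function Get-BigEndianValue {
    param([byte[]]$Bytes, [int]$Offset, [int]$Count)
    [long]$value = 0
    for ($i = 0; $i -lt $Count; $i++) { $value = $value * 256 + $Bytes[$Offset + $i] }
    return $value
}

function Get-ImageInfo {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # PNG: 8-byte signature, then the IHDR chunk holding width and height.
    if ($Bytes.Length -ge 24 -and
        [System.BitConverter]::ToString($Bytes, 0, 8) -eq '89-50-4E-47-0D-0A-1A-0A' -and
        [System.Text.Encoding]::ASCII.GetString($Bytes, 12, 4) -ceq 'IHDR') {
        return [pscustomobject]@{
            Format = 'PNG'
            Width  = Get-BigEndianValue -Bytes $Bytes -Offset 16 -Count 4
            Height = Get-BigEndianValue -Bytes $Bytes -Offset 20 -Count 4
        }
    }

    # JPEG: SOI marker (FF D8), then segments; a start-of-frame segment holds the size.
    if ($Bytes.Length -ge 4 -and $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xD8) {
        $o = 2
        while ($o + 9 -le $Bytes.Length) {
            if ($Bytes[$o] -ne 0xFF) { break }                 # lost sync: malformed
            $marker = $Bytes[$o + 1]
            if ($marker -eq 0xFF) { $o++; continue }           # fill byte
            if ($marker -eq 0x01 -or ($marker -ge 0xD0 -and $marker -le 0xD7)) {
                $o += 2; continue                              # markers without a length
            }
            $len = Get-BigEndianValue -Bytes $Bytes -Offset ($o + 2) -Count 2
            $isFrame = ($marker -ge 0xC0) -and ($marker -le 0xCF) -and
                       ($marker -notin @(0xC4, 0xC8, 0xCC))
            if ($isFrame) {
                return [pscustomobject]@{
                    Format = 'JPEG'
                    Width  = Get-BigEndianValue -Bytes $Bytes -Offset ($o + 7) -Count 2
                    Height = Get-BigEndianValue -Bytes $Bytes -Offset ($o + 5) -Count 2
                }
            }
            if ($len -lt 2) { break }                          # invalid segment length
            $o += 2 + $len
        }
    }
    return $null
}

function Test-UserPhoto {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $problems = [System.Collections.Generic.List[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()
    $info = Get-ImageInfo -Bytes $Bytes
    if (-not $info) {
        $problems.Add('Content is not a parseable JPEG or PNG image')
    }
    else {
        if ($info.Width -gt 648 -or $info.Height -gt 648) {
            $problems.Add("Resolution $($info.Width) x $($info.Height) exceeds 648 x 648")
        }
        if ($info.Width -ne $info.Height) { $warnings.Add('Not square: the photo may be cropped') }
    }
    if ($Bytes.Length -ge 500KB) { $problems.Add("Size $($Bytes.Length) bytes is not under 500 KB") }

    return [pscustomobject]@{
        Ok = ($problems.Count -eq 0); Info = $info
        Problems = $problems.ToArray(); Warnings = $warnings.ToArray()
    }
}

# Constructed samples: image headers only, enough for the parser to read dimensions.
$png648   = [byte[]](0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A, 0,0,0,0x0D,
                     0x49,0x48,0x44,0x52, 0,0,0x02,0x88, 0,0,0x02,0x88)
$jpegBig  = [byte[]](0xFF,0xD8,0xFF,0xE0,0x00,0x10) + (New-Object byte[] 14) +
            [byte[]](0xFF,0xC0,0x00,0x11,0x08,0x03,0x20,0x04,0xB0)   # 1200 x 800
$notImage = [System.Text.Encoding]::ASCII.GetBytes('<html>renamed to photo.jpg</html>')

$samples = [ordered]@{ 'png 648x648' = $png648; 'jpeg 1200x800' = $jpegBig; 'renamed html' = $notImage }
foreach ($name in $samples.Keys) {
    $r = Test-UserPhoto -Bytes $samples[$name]
    Write-Host ("{0}: ok={1} problems=[{2}] warnings=[{3}]" -f $name, $r.Ok,
        ($r.Problems -join '; '), ($r.Warnings -join '; '))
}
```

For a real file, pass the output of `[System.IO.File]::ReadAllBytes()` to `Test-UserPhoto` and upload only when `Ok` is true.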

Although it can take 30 seconds or more to update a picture for a mailbox, running Set-UserPhoto is simple:

Set-UserPhoto -Identity Chris.Bishop@office365itpros.com -PictureData ([System.IO.File]::ReadAllBytes("c:\Temp\ChrisBishop.jpg")) -Confirm:$False

If you want to check if a mailbox already has a picture (to avoid overwriting it), use the Get-UserPhoto cmdlet. This cmdlet returns $Null if the mailbox has no photo. Remember to include the GroupMailbox switch if checking a group mailbox (including team-enabled groups).

If (Get-UserPhoto -Identity Chris.Bishop@Office365Itpros.com) {Write-Host "Chris has a photo"}

If you make a mistake and upload the wrong image, you can restart by removing the image with the Remove-UserPhoto cmdlet:

Remove-UserPhoto -Identity Chris.Bishop@office365itpros.com -Confirm:$False

An example of how to scan user mailboxes to update photos if none are found can be downloaded from GitHub.

The Personal Side of Users

User photos are extremely personal, and it should come as no surprise that people should be upset when they cannot change their image. If you decide to clamp down on user-initiated photo updates, perhaps it might be a good idea to create a process to allow users to request photo changes. It might just keep people happier.

Microsoft Would Like Office 365 Tenants to Use Bing More – So Here Comes Microsoft Rewards
https://office365itpros.com/2021/04/12/microsoft-rewards/
Mon, 12 Apr 2021 01:00:00 +0000

Using Azure AD Accounts to Accumulate Microsoft Rewards with Bing Searches

Message center notification MC249775 published on April 9 says that tenants can soon allow their users to earn Microsoft Rewards points with their Microsoft Services (MSA) accounts. This is Microsoft 365 roadmap item 70634 and the toggle to turn the feature on or off is now available under Org-wide settings in the Microsoft 365 admin center (Figure 1). Rewards will accumulate from May 10, 2021, but not for government users.

Figure 1: Microsoft 365 admin center control for Microsoft Rewards

Update April 16: Microsoft said: “At this time we will not be moving forward with rolling out the feature as outlined. We are evaluating changes based on feedback and will announce our new plan via Message center when we are ready proceed.”

Edge Profiles Make it Easy to Sign in

The option says that users connect their Azure AD and Microsoft Rewards account. It’s more accurate to say that before a user can accrue Microsoft Rewards, they must:

  • Sign up for Microsoft Rewards using a personal Microsoft account.
  • Sign into the browser with their Azure AD (work) account.
  • Sign into the browser with their Microsoft account. This account is the one linked to Microsoft Rewards. Microsoft 365 then links the user’s Azure AD and personal accounts.
  • Configure the browser to use Bing as the search engine (or go to Bing.com to perform searches). Microsoft doesn’t give people rewards when they use Google, Duckduckgo, or another search engine. The aim here is to create more demand for Bing.

I use Edge as my default browser and have work and personal profiles. The work profile uses my Azure AD account; the personal profile uses my MSA account.

Microsoft Rewards is currently available in a limited set of countries (the page says that Microsoft will gradually introduce the program “across the globe”). If your tenant is located outside one of the supported countries, you might not have seen MC249775.

Even More Bing

Optionally, if an organization wishes to make more use of Bing, they can configure Microsoft Search in Bing to include information from Office 365 sources (Teams, Yammer, SharePoint Online and OneDrive for Business, but not Exchange Online). Figure 2 shows an example of a Bing search in Edge configured to include work results. In this instance, we can see that the search has found some Teams and Yammer conversations. The Microsoft Rewards counter in the top right-hand corner tells me how diligent my collection of rewards has been (not very).

Figure 2: Microsoft Search features Office 365 information in Bing results

Obvious Attempt to Drive Bing Usage

I guess it’s unsurprising that Microsoft should use every means at their disposal to drive Bing usage. You could say that Microsoft shouldn’t try to take advantage of the captive Office 365 audience. The opposing view is that it’s up to a tenant to decide whether to enable the feature and the toggle is easily accessible in the Microsoft 365 admin center.

A more pragmatic perspective is that in many cases, users make their own minds up about their preferred search engine. Unless the organization insists that they use Bing, they might make another decision. And if they’re happy to use Bing, at least now they can collect some rewards (cynics will say that the rewards are necessary to tolerate the search results produced by Bing, but that’s a discussion for another day).

Using the Teams Private Preview Camera Function in Meetings
https://office365itpros.com/2021/04/09/teams-private-preview-camera/
Fri, 09 Apr 2021 01:38:00 +0000

False Protests About a Teams Feature

In what can only be described as a vacuous clickbait attempt to generate some page views, on April 7 a web site (which I won’t point to) postulated that the Teams private preview camera feature might compromise user privacy. Calling the feature “faulty,” the post breathlessly reported that using the private preview “might concern users’ privacy by exposing their video when they are not prepared.” This is a pile of brown smelly bovine emissions.

Using the Private Preview

At first, I thought the post was a (very late) April Fool’s Day joke. Then I realized that the author was serious (as much as you can be when writing clickbait text). The problem focused on the feature where if you’re using the desktop client and the video feed is off, moving the mouse over the camera icon causes Teams to display a private preview of your video feed (Figure 1).

Figure 1: Using the Private Preview feature in a Teams meeting

The feature addresses a problem commonly felt by users, which is how to know what others will see if they enable their video feed in a meeting (here’s a User Voice post on the topic). The preview allows the user to enable a background effect like blurring or a background image (if allowed by policy) to see what their video feed will look like if enabled for the meeting. No one else in the meeting sees the video preview. It is private and only exposed if the user decides to enable the camera.

Problems Cited

The report says that users might expose their camera view if they are sharing their desktop and move the mouse to reveal the preview. Another flavor of the reported problem is where you give control to another person and they move the mouse over the camera. All of this is true, but Teams is working as expected. I guess you might be surprised and upset if you were in a state of undress or otherwise unprepared for a preview to appear, but how likely is this to happen in practice? The mitigating factor is that the preview is a small thumbnail rather than a full attendee card view.

In addition, most people share an app window instead of a complete screen. Sharing the full desktop exposes other potential privacy issues as you might not realize what other people will pick up on from what’s shown. It’s always better to limit what you share to something like a presentation or document. And when sharing a window, the private preview is not visible because it’s not the shared app.

Nice to Have Previews

The report suggests that Teams should deactivate the private preview feature when a user shares their screen. It’s a reasonable suggestion. Now if only Microsoft hadn’t canned User Voice to allow them to make the suggestion…

Teams Live Events Support Anonymous (External) Presenters
https://office365itpros.com/2021/04/08/teams-live-events-support-anonymous-external-presenters/
Thu, 08 Apr 2021 01:02:00 +0000

Change Rolling Out in April 2021

Microsoft has pushed a bunch of recent changes to improve the capabilities of regular Teams meetings. With the ability to cope with up to 1,000 full participants and an overflow of up to an additional 20,000 view-only participants, regular Teams meetings are now usable in situations where Teams Live Events previously had to be used. Nevertheless, the need to run structured online events for large audiences still exists, especially when presenters use multiple video streams, and that’s where Live Events shine.

Which brings me to message center notification MC249250 published on 7 April, which announces support for anonymous external presenters. Microsoft 365 roadmap item 70599 is more specific and says that anonymous presenters are those who do not have an Azure AD or Microsoft Services (MSA) account. Up to now, external presenters have needed a guest or federated account. The update is rolling out in mid-April and should be fully deployed by the end of May.

Unlike regular meetings, where everyone can speak, share their video feed, and chat, only people assigned the organizer and presenter roles can speak and present information during live events, and only they are visible. Of course, presenters aren’t anonymous unless their identity is never revealed to those who schedule and attend an event. Instead, it’s a term indicating that the presenter is someone from outside the organization who doesn’t have a verifiable Microsoft identity. External experts are often invited to present at the kind of large public events which are the natural home for Live Events, so this is a useful change.

Adding External Presenters

Anonymous or external presenters must be specified when setting up the event (Figure 1) and they must use the Teams desktop client when they participate in the event. Presenters receive calendar invitations for the event. The invitations contain the special link which identifies the recipient as a presenter. Those who attend the event receive a different link.

Figure 1: Creating a Teams Live Event with anonymous presenters

When anonymous presenters are part of an event, only invited participants can bypass the meeting lobby, no matter what the default lobby setting is for the tenant.

More Go Local Regions Support Teams Live Events

Another important change for Teams Live Events is in MC249249, also published on April 7. This confirms that “go local” support for Live Events is available in France, Germany, South Africa, South Korea, Switzerland, and the United Arab Emirates (UAE). In other words, Microsoft has installed the necessary software to support Live Events in these country-level datacenters.

Microsoft says that tenants wishing to move support for events to the local datacenter must create a support ticket to “formally request the change in datacenter.”

Previously, regional datacenters (like EMEA) hosted the data used for events created by tenants located in these countries. Microsoft will not migrate data for older events to the country datacenters even when a tenant asks for the location of event data to move. This information remains in the regional datacenter.


Keep up to date with change inside Office 365 by subscribing to the Office 365 for IT Pros eBook. We update the book monthly to keep our subscribers informed about the important happenings across Office 365.

Office 365 for IT Pros April 2021 Update Available to Subscribers
https://office365itpros.com/2021/04/01/office-365-for-it-pros-april-2021-update-available/
Thu, 01 Apr 2021 01:13:00 +0000

Every Chapter Updated This Time Round

The Office 365 for IT Pros writing team is happy to announce the availability of the April update for Office 365 for IT Pros (2021 edition). This is the ninth update we’ve issued for this edition and it’s a big one. We’ve updated every one of our 24 content chapters for April, which makes this the biggest ever update we have done. Some chapters are more heavily updated than others, but the big message is that change is pervasive across Office 365. You can’t afford to turn around for risk of missing out on something, which is why we republish the book every month. We are the only Office 365 book to issue monthly updates and we’ve done this for six years. You could say that it’s become a habit.

Fetching Updates

Subscribers who bought the EPUB/PDF version of the book can download the updated files from Gumroad.com using their Gumroad account or the link in the receipt received when they bought the book. Kindle subscribers must contact Amazon support to arrange for the updates to be made available to their device (we don’t make the rules). See our FAQ for more information about how to retrieve updates.

Change List

Here’s a brief list of the changes in the April 2021 update. The changes made since the first publication of the 2021 edition are in our change log.

| Chapter | Change |
| --- | --- |
| 1 | Microsoft has added Teams as a workload with multi-geo capabilities. |
| 2 | Added note about shared responsibility for cloud services; mentioned HAFNIUM and on-prem vulnerabilities; added intro section for T2T migrations. |
| 3 | Temporary access pass content; selective password hash synchronization; conditional access user actions update; Azure AD Connect V2 endpoint update |
| 4 | Added note about using typed variables with PowerShell cmdlets. Introduced billing notifications and conglomerate branding. |
| 5 | Added section about reporting managers and their direct reports. |
| 6 | Add note about blocking BCC delivery to distribution lists. |
| 7 | Added new external email tagging feature discussion |
| 8 | Several updates to reflect the current status of features. Added section about Viva Topics. |
| 9 | Yammer communities support Azure B2B collaboration (guests). |
| 10 | The preview version of the Azure AD PowerShell module allows the resending of invitations to change the email address used by a guest account to sign in. Updates section about blocking guest access for individual groups. |
| 11 | Support for Teams view-only meetings. Meeting reactions are available. Dynamic view for meetings is available. Removed section on the transition from Kaizala to Teams because Microsoft hasn’t said anything about it since June 2019. We therefore assume that Microsoft is letting Kaizala die slowly. Safari 14 supports video feed in Teams meetings and calls. Automatic transcription is now available for the Teams desktop client (US English only). |
| 12 | Several adjustments to text because transcripts are available for Teams meetings. |
| 13 | Version 2 of the Teams PowerShell module is available, removing the need to run the New-CsOnlineSession cmdlet to connect to the management endpoint. The Get-Team cmdlet gets a useful performance boost in the V2 module. |
| 14 | Added information about Operator Connect. Removed section about Teams Advanced Communication license as Microsoft is revising its plans. Added section about Teams panels. |
| 15 | Planner roster containers are on the way. |
| 16 | Automatic transcripts are now available for Teams meetings. |
| 17 | Minor text changes, including link to Company Portal setup instructions for macOS. |
| 18 | Added Authenticator code matching; noted pending retirement of Delve Mobile app; mentioned new signin method for OWA. |
| 19 | Added clarification about retention policy processing |
| 20 | Emphasize that the time required to run content searches is influenced by the number of mailboxes included in the search. From April 16, 2021, users will need Office 365 E5 or Microsoft 365 compliance licenses to create new Advanced eDiscovery cases. |
| 21 | Microsoft’s threat, profanity, and harassment classifiers are now available in seven languages other than English. |
| 22 | Microsoft is introducing a new Teams DLP recommendation which leads to the creation of a Teams DLP policy to protect common financial and PII data. |
| 23 | Section on Power Automate Desktop inserted. |
| 24 | The Microsoft 365 apps for enterprise (desktop) support co-authoring for protected documents. Deprecation of the classic AIP portal and labels (31 March). GA for external sharing capability controls in sensitivity labels. |
How to Find a Microsoft 365 Tenant Identifier
https://office365itpros.com/2021/03/27/find-microsoft-365-tenant-identifier/
Sat, 27 Mar 2021 17:32:13 +0000

Why You Might Need to Know Your Microsoft 365 Tenant Identifier

Every Microsoft 365 tenant is identified by a GUID, a globally unique identifier, which looks something like abf988bf-86f1-41af-91ab-2d7cd011db46. Applications use the tenant identifier to know which organization data belongs to. Occasionally, administrators need to know the identifier too:

  • Microsoft support might ask for the tenant identifier as part of the information gathered for a support incident.
  • If you participate in a test of new functionality, the Microsoft engineering group responsible for the feature will need the tenant identifier to enable (or “flight”) the software.
  • Apps registered in Azure AD which use the Graph APIs to access tenant data must pass the tenant identifier along with the app identifier and app secret when requesting an access token. The combination of the three pieces of data allows Azure AD to grant the necessary token.

Applications like Teams include the tenant identifier in the links used to identify data. For instance, the deeplink used for a Teams meeting contains the tenant identifier.

Available to Allow Apps to Authenticate

Tenant identifiers are exposed publicly. If they were not, applications based on the Graph APIs or any others using OAuth 2.0 could not connect to a tenant. These apps use OpenID Connect, described by MVP Curtis Johnstone as “a simple identity layer that sits on top of OAuth 2.0. For Office 365 there is an OpenID Connect metadata document for each tenant which contains more of the information required for apps to perform sign-ins (including the tenant id).”

For instance, an app can find the information for Microsoft’s own tenant at https://login.microsoftonline.com/microsoft.com/.well-known/openid-configuration (Figure 1). Apps can fetch this information to receive the necessary data needed to navigate the OAuth 2.0 authentication process.

Figure 1: Public OAuth connection information for Microsoft’s own tenant
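The lookup described above, as an added example that is not code from the original article: it reads the tenant identifier out of the public OpenID Connect metadata document and checks that the endpoints in the document agree with each other. The function names are hypothetical, and the sample document is constructed around the sample GUID used elsewhere in this article. Because anyone can perform this lookup, the tenant identifier should never be treated as a secret; the app secret is the credential that needs protecting.

```powershell
# Added example. Get-TenantIdFromOidcMetadata and Resolve-TenantId are hypothetical names.

function Get-TenantIdFromOidcMetadata {
    # Extract the tenant GUID from a parsed OpenID Connect metadata document.
    param(
        [Parameter(Mandatory)] [psobject] $Metadata
    )
    $GuidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

    # Each of these fields embeds the tenant GUID in its URL.
    $Found = @(foreach ($Name in 'issuer', 'token_endpoint', 'authorization_endpoint') {
        $Property = $Metadata.PSObject.Properties[$Name]
        if ($Property -and ($Property.Value -match $GuidPattern)) {
            [pscustomobject]@{ Field = $Name; TenantId = $Matches[0].ToLower() }
        }
    })
    if ($Found.Count -eq 0) {
        throw 'No tenant GUID found in the metadata document.'
    }

    # A well-formed document names one tenant only. Disagreement means the
    # response was not what we expected and should not be trusted.
    $Distinct = @($Found.TenantId | Sort-Object -Unique)
    if ($Distinct.Count -gt 1) {
        throw "Endpoints disagree about the tenant: $($Distinct -join ', ')"
    }
    [guid]$Distinct[0]
}

function Resolve-TenantId {
    # Fetch the public metadata document for a domain and return its tenant GUID.
    param(
        [Parameter(Mandatory)] [string] $Domain
    )
    # Accept only a plain DNS name so the value cannot change the URL path.
    $DnsName = '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
    if ($Domain -notmatch $DnsName) {
        throw "'$Domain' is not a valid domain name."
    }
    $Uri = "https://login.microsoftonline.com/$Domain/.well-known/openid-configuration"
    Get-TenantIdFromOidcMetadata -Metadata (Invoke-RestMethod -Uri $Uri -Method Get)
}

# Constructed sample document (trimmed to the fields used here) so that the
# parsing can be tried without a network connection.
$SampleJson = @'
{
  "issuer": "https://sts.windows.net/a462313f-14fc-43a2-9a7a-d2e27f4f3478/",
  "token_endpoint": "https://login.microsoftonline.com/a462313f-14fc-43a2-9a7a-d2e27f4f3478/oauth2/token",
  "authorization_endpoint": "https://login.microsoftonline.com/a462313f-14fc-43a2-9a7a-d2e27f4f3478/oauth2/authorize"
}
'@

Get-TenantIdFromOidcMetadata -Metadata ($SampleJson | ConvertFrom-Json)

# Online use against your own domain:
# Resolve-TenantId -Domain 'office365itpros.com'
```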

Finding the Tenant Identifier

Several methods exist to find the tenant identifier within Microsoft 365. Here are the most common, starting with PowerShell.

When you connect to Azure AD with PowerShell, the response contains tenant information, including the identifier.

Connect-AzureAD

Account               Environment TenantId                            TenantDomain    
-------               ----------- --------                            
Administrator@xxx.com AzureCloud  a462313f-14fc-43a2-9a7a-d2e27f4f3478 xxxxxxxx.com 

Microsoft intends to deprecate the Azure AD module in June 2023. The equivalent cmdlet in the Microsoft Graph PowerShell SDK is Get-MgOrganization:

Get-MgOrganization | Select Id, DisplayName

Id                                   DisplayName
--                                   -----------
a462313f-14fc-43a2-9a7a-d2e27f4f3478 Office 365 for IT Pros

Much the same happens when connecting to Microsoft Teams with PowerShell. Again, the connection responds with tenant information with the tenant identifier shown for both the tenant name and identifier!

Connect-MicrosoftTeams

Account               Environment Tenant                               TenantId
-------               ----------- ------                               --------
Administrator@xxx.com AzureCloud  a462313f-14fc-43a2-9a7a-d2e27f4f3478 a462313f-14fc-43a2-

If you have a PowerShell session connected to Azure AD, you can run the Get-AzureADTenantDetail cmdlet. This is the method I typically use.

Get-AzureADTenantDetail

ObjectId                             DisplayName               VerifiedDomain
--------                             -----------               --------------
A462313f-14fc-43a2-9a7a-d2e27f4f3478 Office 365 for IT Pros    Office365ITPros.com

The Overview page of the Azure AD portal includes the tenant identifier and has the useful ability to copy the identifier to the clipboard (Figure 2).

Figure 2: The tenant identifier is included in the tenant information in the Azure AD portal

Azure Where’s My Tenant

Azure operates a lookup service (Figure 3) to find details of a domain belonging to an Azure AD tenant. You can also input the Microsoft 365 tenant identifier.

Figure 3: Looking up Microsoft.com with the Azure service

ShareGate’s Service

ShareGate is an ISV specializing in SharePoint Online solutions. It offers a similar service to the Azure lookup at WhatIsMyTenantId.com. Figure 4 shows the result after checking for Quest.com. Remember, the tenant information is public!

Figure 4: Finding the tenant identifier for a domain

I don’t ever use WhatIsMyTenantId.com, but I’m sure others do, especially when you have a bunch of tenants to manage.


The detail makes the difference. Learn about the detail of managing your tenant by subscribing to the Office 365 for IT Pros eBook. Updated monthly to include those changing details which make all the difference…

Overflow Capability to View-Only Attendees Available for Large Teams Meetings
https://office365itpros.com/2021/03/03/overflow-capability-large-teams-meetings/
Wed, 03 Mar 2021 02:12:00 +0000

Get to Meeting Capacity and Then Overflow

Flagged in MC240169 on February 17, Microsoft has confirmed that the Teams view-only meeting experience to allow participation of up to an extra 20,000 people in a meeting is available worldwide. The 20,000 limit is temporary; Microsoft will reduce it to 10,000 on July 1, 2021. This capability was originally launched in August 2020 as part of the Teams advanced communication license. It’s interesting that Microsoft now includes the feature in mainline Teams, perhaps because of demand created by many large organizations using Teams for corporate communications during the pandemic.

Attendees for regular Teams meetings enjoy access to the full interactive meeting experience, including meeting chat, file sharing, polls, reactions, and so on. Currently the interactive limit is 300 for commercial tenants and 250 for GCC. According to Microsoft 365 roadmap item 65951, the limit will soon increase to 1,000, a fact confirmed by multiple references in Ignite 2021 announcements and subsequently in MC242587 for deployment from early-April with worldwide availability expected by mid-April. The new limits apply to tenants with Office 365 E3/A3 and E5/A5 plans.

Whatever the current limit is, once the capacity of a meeting is reached, new attendees are limited to view-only. They can see the video feed for the active speaker and listen to active participants. View-only attendees can’t use the gallery, large gallery, and together mode views. They can also see any content shared through desktop sharing.

The effect is that you have a hybrid meeting of active and view-only attendees composed of a regular meeting and a streamed session. Sometimes the feature is referred to as an “overflow room” like those used for popular sessions at in-person conferences.

Letting People Know What’s Happening

When the limit is reached, the meeting organizer and presenters see a banner saying that the meeting is at capacity. At this point, if allowed by the Teams meeting policy assigned to the organizer’s account, Teams allows new attendees to join the meeting in view-only mode. These attendees are informed that the meeting is at capacity and that they’re joining in view-only (Figure 1).

Figure 1: A user is told that they must join a Teams meeting as a view-only attendee

View-only attendees can join using any Teams client, including mobile devices. However, they can’t join from Microsoft Teams Room systems or Cloud Video Interop (CVI) services because these features need updates to support view-only attendance.

Important for Administrators

People in the meeting do not see view-only attendees in the participant list, which means that organizers and presenters can’t remove a view-only attendee from a meeting. In addition, Teams doesn’t record their details in the meeting attendance report.

The lack of visibility for view-only attendees means that presenters need to be careful about who is invited to meetings and meeting settings for the lobby. Remember, anyone who has a meeting link can attempt to join that meeting, and if the meeting settings allow joining without pausing in the meeting lobby, someone you might not want to be in a meeting could be able to join. Teams makes sure that view-only attendees comply with lobby restrictions, but it’s always a good idea to check meeting settings and confirm that the correct lobby joining option is in place for any meeting where confidential or sensitive information is discussed.

No Automatic Promotions

People join and leave meetings as they progress. If some attendees with the full experience drop out, the meeting has available capacity. However, Teams doesn’t promote view-only attendees to active status. Instead, these people must leave and rejoin the meeting to enjoy full participation.

Teams Meeting Policy and License Requirements

The ability to have a meeting spill over into view-only is limited to meetings organized by accounts with Office 365 E3, E5, A3, or A5 licenses and a Teams meeting policy with the StreamingAttendeeMode setting enabled. By default, Teams meeting policies have this setting disabled, so if you want to use the feature, you need to update the policies assigned to the accounts who will organize large events.

For now, you can only update StreamingAttendeeMode using PowerShell. For example, here’s how to connect to the Teams module to update a meeting policy:

Connect-MicrosoftTeams
$SB = New-CsOnlineSession
Import-PSSession $SB
Set-CsTeamsMeetingPolicy -Identity "Allow Meeting Recording" -StreamingAttendeeMode Enabled

Update March 6, 2021: Microsoft has updated the Teams PowerShell module to V2.0. In general, it’s best to use the latest version of a module but test it first! This version doesn’t require using New-CsOnlineSession to connect to the management end point.

Like all Teams policies, it can take several hours before the policy change is effective. Microsoft says that they will update the Teams admin center to support this update for meeting policies in the future.
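Because view-only attendees never appear in the participant list or the attendance report, it is worth knowing which meeting policies combine overflow with an open lobby. The following check is an added example, not code from the original article. It assumes the AutoAdmittedUsers setting of Teams meeting policies (a real policy setting that the article does not mention), and the function name and sample policy objects are constructed for illustration.

```powershell
# Added example. Test-ViewOnlyLobbyExposure is a hypothetical name.

function Test-ViewOnlyLobbyExposure {
    # Flags meeting policies where view-only overflow is enabled and the
    # policy lets everyone bypass the lobby.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Policy
    )
    process {
        $Overflow = "$($Policy.StreamingAttendeeMode)" -eq 'Enabled'
        $Lobby    = "$($Policy.AutoAdmittedUsers)"

        $Finding = if (-not $Overflow) {
            'No overflow: view-only attendees cannot join'
        }
        elseif ($Lobby -eq 'Everyone') {
            'Review: view-only attendees are not listed and anyone with the link bypasses the lobby'
        }
        else {
            "Overflow allowed; lobby bypass limited to $Lobby"
        }

        [pscustomobject]@{
            Policy                = $Policy.Identity
            StreamingAttendeeMode = "$($Policy.StreamingAttendeeMode)"
            AutoAdmittedUsers     = $Lobby
            Finding               = $Finding
        }
    }
}

# Constructed sample objects with the same property names as the policy
# objects returned by Get-CsTeamsMeetingPolicy.
$SamplePolicies = @(
    [pscustomobject]@{ Identity = 'Global'; StreamingAttendeeMode = 'Disabled'; AutoAdmittedUsers = 'EveryoneInCompany' }
    [pscustomobject]@{ Identity = 'Tag:Allow Meeting Recording'; StreamingAttendeeMode = 'Enabled'; AutoAdmittedUsers = 'Everyone' }
    [pscustomobject]@{ Identity = 'Tag:Large Events (sample)'; StreamingAttendeeMode = 'Enabled'; AutoAdmittedUsers = 'EveryoneInCompany' }
)

$SamplePolicies | Test-ViewOnlyLobbyExposure | Format-List

# Against a tenant, after connecting with Connect-MicrosoftTeams:
# Get-CsTeamsMeetingPolicy | Test-ViewOnlyLobbyExposure |
#     Where-Object { $_.Finding -like 'Review*' }
```

The policy value is only the default for meetings created by the organizer; the lobby option chosen for an individual meeting still needs checking.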

Streaming Meetings

As the setting name suggests (and confirmed in MC240169), Teams uses the streaming technology for Live Events to serve view-only attendees. This means that an inbuilt delay of 30 seconds is used to allow the technology to capture, process, and then stream the meeting. In other words, view-only attendees are always behind what’s happening live in a meeting. And like Live Events, view-only attendees see live captions (only for English).

Popular with Large Organizations

According to Microsoft’s FY21 Q2 results, 117 organizations have more than 100,000 Teams users and 2,700 have more than 10,000 users. Microsoft has experienced a 50% growth in both categories since July 2020 and large enterprises form a huge and important sector within the overall 115 million Teams active user base.

These organizations are the target market for view-only meetings. They accommodate scenarios like corporate announcements, product launches, and briefings. Teams Live Events will continue alongside because these events allow more control over the production of video content, but I’ll bet that view-only meetings will be good enough in many circumstances.


Change continues and new features appear across Office 365 in a constant flood of tweaks and updates. Subscribers to the Office 365 for IT Pros eBook receive monthly updates to make sure that they keep pace with new developments. Shouldn’t you take advantage of this resource?

Office 365 for IT Pros March 2021 Update Available
https://office365itpros.com/2021/03/01/office-365-for-it-pros-march-2021-update-available/
Mon, 01 Mar 2021 01:24:00 +0000

The Office 365 for IT Pros eBook team is delighted to announce that the eighth update for Office 365 for IT Pros (2021 edition) is now available. Remember that every month we make a completely new book available to our subscribers with all the changes and new information integrated in the right place. Office 365 for IT Pros is the only book offering such an extensive update service.

Subscribers to the EPUB/PDF version can download the updated files from their Gumroad account. The link to download the files is also in the original receipt issued for the book. We have not updated the companion book this month.

Amazon Kindle subscribers can ask Amazon support to make the updated files available.

Almost Every Chapter Updated

Despite being a short month and one which you might expect to be quiet as Microsoft prepared for the virtual Ignite event, updates are present for 23 of the 24 chapters. The updates include new functionality such as template policies for Teams and Exchange Online health monitoring. We’ve also taken the opportunity to rewrite several sections across different chapters to improve their clarity and include new information. Finally, we have adjusted text where necessary because Microsoft has slipped dates for new features, such as the transition from Stream classic to OneDrive for the storage of Teams meeting recordings.

We’ll include coverage of anything Microsoft announces at Ignite in future updates.

Additional Resources

Additional resources are available online:

Office 365 for IT Pros FAQ

Office 365 for IT Pros Change log

Office 365 for IT Pros code example GitHub repository

TEC 2021 Waitlist Now Available

Many of our team will be involved in the TEC 2021 conference in September. You can register for the conference waitlist now.

Changes in the March Update

Here’s the set of changes included in the March update for Office 365 for IT Pros (2021 edition).

| Chapter | Change |
| --- | --- |
| 1 | SLA for Q4 CY2020 is available (99.97%). |
| 2 | Minor text cleanup. |
| 3 | Microsoft will require tenants to run a recent version of Azure AD Connect. |
| 4 | Application access policies now cover impersonation scenarios for EWS programs. Rewrote some paragraphs in the Graph Explorer section. Cleaned up discussion of Power Automate admin center. Introduced Exchange Online health monitoring feature. |
| 5 | Microsoft has paused their program to remove support for basic authentication for several Exchange Online connectivity protocols. |
| 7 | Updates for UI changes and to be more consistent and accurate in text descriptions. Add discussion about allow/block list. |
| 8 | New retain file sharing option when files move to a new site or OneDrive. Updates for the Microsoft 365 PnP project. |
| 9 | Included new script to print off group membership. |
| 10 | Minor updates and clarifications. |
| 11 | Added details about how features are enabled in the Teams client. New Allow cloud recording for calls option available for meeting policies to control the ability to record 1:1 calls. |
| 12 | Changes to Teams meeting policy to support 1:1 call control. Note that the Bulletins and Milestones sample apps are available to demonstrate integration between Power Platform and Teams. Template policies are now available to control the set of templates available to users when creating new teams. |
| 13 | Note that the New-Team and Set-Team cmdlets do not support the assignment of sensitivity labels. Included new script (downloadable) for reporting membership of a Microsoft 365 group. |
| 14 | Satin is now the codec for Teams 1:1 calls. |
| 15 | Planner now supports 25 labels instead of six. |
| 16 | Adjustment to July 7, 2021 for the date for the switchover from Stream to OneDrive storage for Teams meeting recordings. |
| 17 | Minor text cleanup; added info on new Intune reports. |
| 18 | Introduced Office LTSC. Added detail on M365 Apps Health service center. |
| 19 | Preservation lock for retention policies can now be enabled using the GUI (Compliance Center). |
| 20 | Content search previews can now decrypt and display protected messages. |
| 21 | Added note about how to discover new audit events. |
| 22 | Update some details in the description of how to create a new sensitive information type for use with DLP policies. |
| 23 | Microsoft is renaming the terms used to describe different types of flows. |
| 24 | Include note about how to audit who updates sensitivity label policies. Be more specific about the support for sensitivity labels with user-defined permissions. |
Looking for Events in the Unified Audit Log
https://office365itpros.com/2021/02/18/app-consent-events/
Thu, 18 Feb 2021 03:03:00 +0000

App Consent Events Amongst Thousands of Audit Events Generated Across Microsoft 365

Following the publication of the article describing how to report the use of sensitivity labels by using audit events, a reader asked what’s the best way to discover if a feature generates an audit event. At the time of writing, Microsoft 365 workloads store more than 1,600 different events in the audit log, so understanding every auditable operation is a massive task, especially if you’re looking for something specific, like app consent events. New audit events show up in the audit log on an ongoing basis as Microsoft introduces new features, hopefully with an accompanying audit event, or backfills by updating features so that they generate audit events.

Looking for New Audit Records like an App Consent Event

Our method to discover new audit events is simple. It depends on the fact that every audit event notes an operation, or action performed to generate the event. You can filter audit records by specifying the type of operations to see. For instance, to see who sends email on behalf of a shared mailbox, you can look for audit events with the SendAs operation. Here’s what we do to find if a new feature is captured in an audit event.

  • First, use the new feature. Ideally, perform actions several times with different accounts.
  • Second, wait for at least an hour to allow audit events to be ingested from the source workload and appear in the audit log.
  • Next, run a search to find all audit events for the current day and group and sort the results by operation. Make sure to specify the user principal name of the account which performed the actions in the UserIds parameter.
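# Find audit events for the account over the last day (the end date is padded to include today)
[array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date).AddDays(1) -ResultSize 2000 -Formatted -UserIds James.Ryan@office365itpros.com -SessionCommand ReturnLargeSet

# Remove duplicate records, sort by creation date, and count the records found for each operation
$Records = $Records | Sort-Object Identity -Unique | Sort-Object {$_.CreationDate -as [datetime]}
$Records | Group-Object Operations | Sort-Object Count -Descending | Format-Table Count, Name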

You should now be able to browse the sorted list of operations to find unfamiliar actions, such as Set-LabelPolicy (logged when someone updates a sensitivity label policy). You can take the same approach with the Audit search feature in the Compliance Center, but not all audit events show up there.

Investigating a New Audit Event

Typically, the new events appear at the end of the list. For instance, looking at a recent set, we see an event called Consent to application. This hadn’t come to our attention before:

    1 Consent to application.
    1 Get-DlpSiDetectionsReport
    1 New-Mailbox
    1 Set-TenantObjectVersion
    1 Set-AdminAuditLogConfig
    1 Get-ComplianceTag
    1 Send
    1 SoftDelete

Checking the event, we found that the event originated in Entra ID and relates to granting OAuth consent (permission to access data) to an application. Due to recent problems like the SolarWinds attack, there’s been heightened sensitivity to the need to understand what access to data has been granted within an organization. If you don’t know who can access data, you can’t detect and remediate illicit consents which might have been secured by attackers.

While other tools like the PowerShell script created by Microsoft (see this article) are better at enumerating and reporting consent grants for review, it’s interesting to find that Entra ID captures app consent events. In this case, an examination of the event data revealed that the consent was for the Microsoft Events app used for purposes like registering for the Microsoft Ignite online conference.

Checking the app registration in the Entra admin center, you can find the permissions assigned to the app. In this case, the app reads Entra ID to fetch details of people who register using their user account.

Figure 1: Checking app registration details in the Entra admin center

You can confirm that you’re looking at the same app by checking the application ID in Entra ID (e462442e-6682-465b-a31f-652a88bfbe51) with the details captured in the audit record:

{
    "ID": "e462442e-6682-465b-a31f-652a88bfbe51;https://microsoft.onmicrosoft.com/aef17311-1f14-4e06-939b-42c0bcff5520",
    "Type": 4
}

This example illustrates the value of checking for new audit events periodically. Now that we know that app consent events are available to track new consents, it’s easy to create a script to report consent grants over the last 90 days (the time audit events are kept for E3 accounts). You can grab an example script from the Office 365 IT Pros GitHub repository. See the Cloud Architect GitHub page for more information about resisting consent grant attacks.
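One way to build such a report, as an added example that is not the script from the Office 365 for IT Pros GitHub repository. The helper name ConvertTo-ConsentReport is hypothetical, the ModifiedProperties names (ConsentContext.IsAdminConsent, ConsentAction.Permissions) are assumptions about the audit record layout, and the sample records are constructed so the parsing runs without a tenant connection.

```powershell
# Added example, not the script from the Office 365 for IT Pros GitHub repository.
# Assumptions: the ModifiedProperties names ConsentContext.IsAdminConsent and
# ConsentAction.Permissions; ConvertTo-ConsentReport is a hypothetical helper name.

function ConvertTo-ConsentReport {
    param([Parameter(Mandatory)][object[]]$Records)

    # A search can return the same event more than once, so de-duplicate first
    foreach ($Record in ($Records | Sort-Object Identity -Unique)) {
        try { $Data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Skipping $($Record.Identity): AuditData is not valid JSON"; continue }
        if ($Data.Operation -ne 'Consent to application.') { continue }

        # The Type 4 target is "<application ID>;<identifier URI>"
        $AppId = $null; $AppUri = $null
        $AppTarget = $Data.Target | Where-Object { $_.Type -eq 4 } | Select-Object -First 1
        if ($AppTarget) { $AppId, $AppUri = $AppTarget.ID -split ';', 2 }

        # Flatten the Name/NewValue pairs so individual settings are easy to read
        $Props = @{}
        foreach ($Property in $Data.ModifiedProperties) { $Props[$Property.Name] = $Property.NewValue }

        [PSCustomObject]@{
            Timestamp      = [datetime]$Data.CreationTime
            ConsentedBy    = $Data.UserId
            AppId          = $AppId
            AppUri         = $AppUri
            IsAdminConsent = ($Props['ConsentContext.IsAdminConsent'] -eq 'True')
            Permissions    = $Props['ConsentAction.Permissions']
        }
    }
}

# Constructed sample records: timestamps, identities, permissions text and the second
# app are made up; the first Target value is the one quoted in the article.
$Sample1 = @'
{ "CreationTime": "2021-02-10T09:15:00", "Operation": "Consent to application.",
  "UserId": "James.Ryan@office365itpros.com",
  "ModifiedProperties": [
    { "Name": "ConsentContext.IsAdminConsent", "NewValue": "False" },
    { "Name": "ConsentAction.Permissions", "NewValue": "(constructed) User.Read" } ],
  "Target": [
    { "ID": "e462442e-6682-465b-a31f-652a88bfbe51;https://microsoft.onmicrosoft.com/aef17311-1f14-4e06-939b-42c0bcff5520", "Type": 4 } ] }
'@
$Sample2 = @'
{ "CreationTime": "2021-02-11T14:40:00", "Operation": "Consent to application.",
  "UserId": "admin@example.com",
  "ModifiedProperties": [
    { "Name": "ConsentContext.IsAdminConsent", "NewValue": "True" },
    { "Name": "ConsentAction.Permissions", "NewValue": "(constructed) Mail.Read" } ],
  "Target": [
    { "ID": "00000000-0000-0000-0000-000000000000;https://example.com/constructed-app", "Type": 4 } ] }
'@
$SampleRecords = @(
    [PSCustomObject]@{ Identity = 'constructed-1'; AuditData = $Sample1 }
    [PSCustomObject]@{ Identity = 'constructed-1'; AuditData = $Sample1 }   # duplicate on purpose
    [PSCustomObject]@{ Identity = 'constructed-2'; AuditData = $Sample2 }
)

$Report = ConvertTo-ConsentReport -Records $SampleRecords
$Report | Sort-Object Timestamp | Format-Table Timestamp, ConsentedBy, AppId, IsAdminConsent

# Admin consents grant access for the whole tenant, so review those first
$Report | Where-Object IsAdminConsent | Format-List

# Against a tenant (needs an Exchange Online PowerShell session), feed in real records:
# [array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date).AddDays(1) -Operations "Consent to application." -ResultSize 5000 -Formatted
# ConvertTo-ConsentReport -Records $Records | Sort-Object Timestamp
```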

If you want to distribute the report in other ways, you could:

  • Format the content in HTML and send it via email (see this article for details).
  • Create the report in a SharePoint document library (the basics of how to do this are explained here; the scenario is a script running in an Azure Automation runbook but the technique of using PnP cmdlets is the same in “regular” PowerShell).
  • Post the report to a Teams channel or post a link to it in a message card created in a Teams channel using the inbound webhook connector. See this article for more information.

Microsoft Datacenter Operations

Searching the audit log to find new events also uncovers audit events logged when Microsoft updates tenant settings as part of their normal datacenter operations. For instance, Microsoft often updates OWA mailbox policies to introduce a control for a new OWA feature. When this happens, you’ll find audit events logged for a user called NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost) for the policy updates.

You can do nothing about Microsoft configuration updates, but at least you can discover when they happen by poking around in the audit log.


Chapter 21 of the Office 365 for IT Pros eBook goes into how auditing works in great detail and describes several examples of how audit data answers important questions. If you’re running a tenant, you need to have this information!

February 2021 Update Available for Office 365 for IT Pros (2021 Edition) https://office365itpros.com/2021/02/01/february-2021-update-available/?utm_source=rss&utm_medium=rss&utm_campaign=february-2021-update-available https://office365itpros.com/2021/02/01/february-2021-update-available/#comments Mon, 01 Feb 2021 05:10:00 +0000 https://office365itpros.com/?p=45665

World’s Only Always Current eBook About Office 365 Continues to Evolve

The Office 365 for IT Pros team is pleased to announce the availability of the 7th update for the 2021 edition.

The February update includes changes to 22 of the 24 content chapters ranging from the end of life for IE11 support in Intune to the ability to create flows from Visio diagrams and using distribution lists for Teams DLP policies. We also introduce several new example scripts. Several typos and errors are corrected and additional information about features (like using complex filters for dynamic distribution lists) is included. A ton of minor updates were made to improve the insight and accuracy of chapters. See the change log for full information about what’s been updated each month since the publication of the 2021 edition.

| Chapter | Change |
| --- | --- |
| 1 | Added section about Office 365’s links with Azure. Added data from Microsoft FY21 Q2 results. |
| 2 | Minor cleanup and typo fixes. |
| 3 | Azure AD now has 425 million monthly active users. |
| 4 | Added sections about Microsoft 365 priority accounts and using the Service Communications API to retrieve incident data. Rewrote an example of how to report assignment of a specific license to users. Introduced informed network routing. Minor cleanup and typo fixes. |
| 5 | Scripts using Send-MailMessage to send email via Exchange Online need to use TLS 1.2. Revised section about folder level permissions to include new ability to rebuild delegate access for a folder. |
| 6 | Added another example of a complex custom filter for a dynamic distribution list and updated the text for the topic. |
| 7 | Minor changes made as we continue to restructure this content to improve clarity and flow. |
| 8 | Upload limit for OneDrive sync client is now 250 GB. Added section about Microsoft Search reports. “At a glance” info now included in sharing links for Word documents. |
| 10 | Azure AD access review for guests in all teams and groups is available in preview. |
| 11 | Teams doesn’t display files attached to Outlook meeting requests. The channel calendar app is now available. Teams meeting add-in for Outlook for Windows now has a Meet Now button. The Meeting recap UI change is available for private meetings in the calendar app. Add some new data about the size of the Teams user base. |
| 12 | Added section about Teams app templates. |
| 13 | A new format for URLs used for the incoming webhook connector is being rolled out. Existing URLs need to be updated by April 11, 2021. |
| 14 | Added text about network validation. Included link to MTR security article. Restructured network planning section. |
| 16 | Confirmed dates for movement of recordings for new Teams meetings to OneDrive and SharePoint. |
| 15 | Planner can copy tasks to plans in other groups. Background images are now available for plans. Microsoft has reorganized the plan settings screen to make it more logical. |
| 17 | End of life for IE 11 support in Intune announced. |
| 18 | Updated guidance around macOS Office app version support. |
| 19 | Trainable classifiers are now GA. The Activity Explorer now incorporates sensitivity labels applied by all Office (online, desktop, and mobile) apps. Clarify when preservation hold library is created. |
| 21 | Moved some examples of accessing audit records from inline text to scripts downloadable from our GitHub repository. Validated and corrected some minor issues found in the scripts due to changes in audit record format. Added a better example of paging records from the unified audit log. |
| 22 | You can now use distribution lists or security groups in DLP policies for Teams to define the set of accounts to be monitored. Rewrote section about creating a custom sensitive information type due to new UI and setup. |
| 23 | Added section covering the creation of flows using Visio diagrams. |
| 24 | Microsoft methods to support decryption of protected content for a cloud exit only support Microsoft encryption technology (obvious but needed to be said). Audit records now generated for application of sensitivity labels by Microsoft 365 apps for enterprise. |
Changes in the February 2021 update of Office 365 for IT Pros

Please Download Updates

Subscribers to the EPUB/PDF version can download the updated files from their Gumroad.com account or by using the link in the original receipt for the book purchase. The FAQ includes information about downloading updated files. Subscribers of the Amazon Kindle version can ask Amazon to make the new files available.

Given the number of updated chapters this time round, we did not have the time to update anything in the companion volume. We have a couple of changes lined up that will appear in the March update.

Please download the updated files at your convenience. We appreciate your support for the Office 365 for IT Pros eBook project.

Office 365 Insights from Microsoft’s FY21 Q2 Results https://office365itpros.com/2021/01/28/office-365-number-of-users-fy21q2/?utm_source=rss&utm_medium=rss&utm_campaign=office-365-number-of-users-fy21q2 https://office365itpros.com/2021/01/28/office-365-number-of-users-fy21q2/#comments Thu, 28 Jan 2021 01:00:00 +0000 https://office365itpros.com/?p=44368

No Data for Office 365 Number of Users Given

Office 365 is reported as part of Productivity and Business Processes

Microsoft reported another good set of results and beat Street estimates for its FY21 Q2 quarter on Tuesday, 26 January (see online details). Looking through the press release, transcript of the analyst call, and slides, some interesting nuggets about Office 365 popped up. In a nutshell:

  • No new number for Office 365 active users. Growth might be slowing.
  • Upsell to more expensive licenses means that revenues are increasing.
  • Teams deployments in large organizations are impressive.
  • Azure AD also got a nice bump in monthly active users.

Office 365

Microsoft has not reported a number for Office 365 active users since October 2019. They now prefer to focus on revenue growth (21% year over year) and report only that Office 365 commercial seats grew 15% year over year.

Microsoft didn’t give a confirmed number for Office 365 active users in January 2020, but using the October 2019 number as a base with three months of average growth to January 2020 and a 15% uplift since, we get to a current figure of approximately 240 million active users. In April 2020, Microsoft said that they had 258 million paid Office 365 seats, so there’s quite a gap between paid and used seats, at least based on the data Microsoft chooses to share in public.

Microsoft’s growing reluctance to talk about the number of Office 365 active users might be due to slowing demand. Three factors which might influence slowing demand are:

  • All the easy migrations from on-premises Exchange and SharePoint servers are over. The ones left are harder and slower. Some organizations due to be migrated have already bought licenses, which accounts for some of the difference between paid and active seats.
  • The same is true for migrations from other (and older) platforms. Lots of email seats were migrated from the likes of Lotus Notes in the past. That isn’t so much of a factor now.
  • The Covid-19 pandemic has had a big impact on the small to medium business segment and Microsoft might be seeing some erosion in Office 365 seats in that base.

Microsoft 365

Even if the average growth per month for Office 365 active seats is slowing, Microsoft continues to increase revenue extracted from its base. Commercial cloud amassed $16.7 billion revenue in the quarter (a run rate of $66.8 billion), helped by upsell of expensive E5 licenses to boost the average revenue per user (ARPU). As CFO Amy Hood said: “Results were driven by installed base expansion across all workloads and customer segments, as well as higher ARPU. The strong demand for Microsoft 365 noted earlier, particularly for our security, compliance, and voice components, drove E5 revenue growth acceleration again this quarter.”

Don’t expect Microsoft to stop shipping features which need high-end or add-on licenses like Teams DLP policies (Office 365 E5) and Azure AD Access Reviews (Azure AD Premium P2). Increasing the amount charged each user per month drives profit very nicely.

Teams

Microsoft didn’t give a number for Teams daily active users, but the assumption is that some growth has happened since they reported 115 million in October 2020. Instead, Microsoft concentrated on the number of large organizations using Teams. This is important because it underscores the enterprise credentials of both Microsoft and Teams. The numbers for large organizations using Teams are summarized in Table 1.

|  | Organizations with over 100,000 Teams Users | Organizations with over 10,000 Teams Users |
| --- | --- | --- |
| July 2020 | 69 | 1,800 |
| January 2021 | 117 (+48) | 2,700 (+900) |
Table 1: Growth in large organizations using Teams

Put another way, these 2,817 customers represent approximately 40 million users. The number of Teams users in large enterprises is more than the overall total claimed by its competitors. Microsoft also said that the U.S. Department of Veterans Affairs now has more than 500,000 Teams users and joins Accenture in the half-a-million Teams users club, a landmark reached in July 2020. Accenture’s use of audio conferencing is reported to have passed the billion minutes a month mark, up from the 900 million minutes claimed in December.

The success of Teams overall and in large enterprises in particular adds credence to Microsoft’s recent assertion of 200 million users for SharePoint Online. Teams makes SharePoint easier to use and the growth in SharePoint usage is powered by Teams.

Azure AD

Azure AD now has 425 million daily active users. This isn’t too earth-shattering until you realize that the figure given in Microsoft’s FY21 Q1 results in October was “nearly 400 million active users.” Growing over 25 million monthly active users in a quarter is impressive.


The Office 365 for IT Pros team has been tracking Office 365 numbers and statistics since 2014. The data forms part of our overview of Office 365 and Microsoft 365 in the Office 365 for IT Pros eBook.

Use Distribution Lists or Security Groups to Add Accounts to DLP Policies https://office365itpros.com/2021/01/27/teams-dlp-policies-dls/?utm_source=rss&utm_medium=rss&utm_campaign=teams-dlp-policies-dls https://office365itpros.com/2021/01/27/teams-dlp-policies-dls/#comments Wed, 27 Jan 2021 05:24:00 +0000 https://office365itpros.com/?p=43470

Teams and DLP (and now OneDrive too)

Updated February 24, 2021

Almost two years ago, Microsoft added Teams to the workloads supported by Data Loss Prevention (DLP) policies (Figure 1). For Teams, DLP checking occurs after users send messages to chats or channels. Offending messages are blocked, sometimes after a short delay. The system works well, but whether it is worth spending extra for Office 365 E5 licenses is debatable (DLP checking for Exchange Online and SharePoint Online is covered in Office 365 E3).

Figure 1: Teams chat and channel messages can be included in a DLP policy

In any case, message center update MC234475 published on January 15 says that “DLP for Microsoft Teams will soon support security groups and distribution lists as part of the Teams location picker.” (Microsoft 365 roadmap item 68874). Rollout is scheduled for mid-February with completion worldwide in mid-March.

Upgrading the Teams Location Picker

The title used for MC234475 is a tad obscure for even those accustomed to working with DLP policies. The Teams location picker is a Microsoft term for the UI component used to select the Teams user accounts to include or exclude in a DLP policy. Teams shares its location picker with Exchange Online while SharePoint and OneDrive for Business, which operate based on site URLs, have a different picker. Many DLP policies operate on a whole organization basis, meaning that no accounts are explicitly included or excluded as the DLP policy applies to every channel and every user in the organization. In these cases, you don’t worry about the location picker because it’s not used.

Things are more problematic when different policies are deployed to different user groups within an organization. Now the location picker is used to select which accounts come within the scope of a DLP policy. Exchange Online has always used distribution lists to select accounts to set the scope for policies, but up to now compliance administrators were forced to select individual accounts for Teams DLP policies (the Teams locations). The change being made in the Teams location picker allows administrators to select distribution lists and mail-enabled security groups instead of individual accounts (Figure 2).

Figure 2: Selecting distribution lists for a Teams DLP policy

Because distribution lists and mail-enabled security groups can contain more than accounts, Teams applies a filter to select only Teams-enabled accounts from the membership.

DLP Used in Large Organizations

Being able to use distribution lists and security groups to select the target accounts for DLP policies is a welcome update because it is much easier to add one or two distribution lists to a policy instead of finding and adding potentially hundreds of individual accounts. In addition, being able to specify distribution lists and mail-enabled security groups instead of individual accounts removes the previous limit of 1,000 individual accounts that could be added to a Teams DLP policy.

Microsoft said that Teams is used by 93 of the Fortune 100 in March 2020. Given that Teams had 44 million active users then and the latest data (October 2020) says Teams has 115 million daily active users, it’s obvious that a bunch of large organizations use Teams. Those are exactly the kind of tenants likely to use DLP to help control the sharing of confidential data. It’s also reasonable to assume that these tenants will be interested in granular control over policy scope (for instance, to apply a policy on a country or department-level basis) and therefore use the Teams location picker. Being able to use distribution lists or security groups reduces administrator workload and avoids the need to use PowerShell to update the Teams location in DLP policies when a large number of accounts need to be added.

List and Group Updates Handled

Even better, if you use a distribution list or security group to define the scope of a Teams DLP policy, a background process keeps an eye on the membership of the list or group so that if accounts are added to or leave the list or group, the DLP policy is automatically adjusted to reflect the membership changes.

Picker for OneDrive for Business Accounts

Microsoft 365 notification MC241352 published on February 24 brought further good news in that the picker for OneDrive accounts in DLP policies will support distribution lists and security groups from March 2021 (Microsoft 365 roadmap item 70708). This is a welcome update for exactly the same reasons.


DLP is covered in Chapter 22 of the Office 365 for IT Pros eBook. It’s not the most compelling topic we cover, but it is technically challenging and interesting in its own right.

Introducing the Office 365 for IT Pros GitHub Repository https://office365itpros.com/2021/01/21/introducing-office-365-for-it-pros-github-repository/?utm_source=rss&utm_medium=rss&utm_campaign=introducing-office-365-for-it-pros-github-repository https://office365itpros.com/2021/01/21/introducing-office-365-for-it-pros-github-repository/#comments Thu, 21 Jan 2021 01:00:00 +0000 https://office365itpros.com/?p=41063
The Office 365 for IT Pros GitHub repository

It can be hard to become fluent in PowerShell, especially when working with a service where multiple modules (all with their own kinks) are used. However, PowerShell is very approachable and it’s surprising what you can do with just a couple of lines of code. Working examples are great learning tools to help PowerShell newcomers (and maybe experienced coders) come up with solutions to problems. A couple of years ago, we created the Office 365 for IT Pros GitHub repository. Since then, we’ve been populating the repository with PowerShell scripts created to illustrate new features or to demonstrate how to approach solving an administrative problem in an Office 365 tenant. The repository currently holds a collection of 81 scripts.

Apart from referencing scripts in the Office 365 for IT Pros eBook or writing articles to explain what a script does, we haven’t created any documentation. That gap is now closed with the publication of our GitHub script listing page, which lists the scripts alphabetically and gives a short explanation of what each script does. We also link to a relevant article if one is available. We will update this page as new scripts are added to our collection.

Not Production Scripts

The scripts are not intended for production work. Instead, the code is intended to demonstrate how Office 365 features work and is part of our learning journey to understand and master functionality before we write about it. Writing scripts to interact with a component usually reveals something new and interesting. At least, that’s been our experience. The collection contains scripts for working with Azure AD, Exchange Online, SharePoint Online, Teams, Planner, and OneDrive for Business. We use a mixture of pure PowerShell and PowerShell combined with Microsoft Graph and other APIs.

Every tenant has a different approach to using PowerShell and any script needs to fit into the tenant framework before it can be used to do real work. The code we write works, but it might need some additional error handling or logging, or you might want to take some code and incorporate it into your scripts.

Those working in large tenants where the need exists to process tens of thousands of objects should consider taking the code explored in the scripts and using it with techniques such as those outlined in this post. Many of our scripts interrogate the audit log to extract information about actions such as user sign-ins or document edits. In large tenants where many thousands of audit records are generated daily, you may have to limit the timeframe for searches or use paging to download more than 5,000 records at a time. You’ll find this stuff out when you test a script before deciding if it’s useful.

Some Example Scripts

Among the scripts in the repository are:

  • FindPotentialDirectoryProblems.PS1: This script scans Azure Active Directory to look for accounts which don’t have common attributes (like phone numbers or departments) populated. The idea is that the People Card and other Microsoft 365 features depend heavily on accurate Azure AD data, so it’s a good idea to make sure that the basics are done for all accounts. See this post for more information.
  • GetBingImagesTeamsBackgrounds.PS1: Bing publishes nice images daily to use as the background for its home page. The same images often make good custom backgrounds for Teams meetings. This script downloads and installs the Bing daily images in the folder used for Teams custom backgrounds and removes old images after 30 days. See  for more information.
  • PurgeMessagesWithContentSearch.PS1: Microsoft is busy getting rid of the Search-Inbox cmdlet, and the replacement is to use a content search to find items you want to purge and a content search action to purge the found items. This script shows how to do the job. This post covers the basics.
  • ReportTeamsCreationbyEmail.ps1: A script to look back over the last 90 days and find audit records for the creation of new teams. An email message is created with details of the new team and is sent to a nominated recipient. See this article for more details.
  • TeamsGroupsActivityReport.ps1: This script was created soon after the launch of Office 365 Groups and published in the TechNet Gallery. Its documentation is available here. The script was moved to GitHub after the retirement of the TechNet Gallery and is now at version 4.8. This version uses PowerShell exclusively and is therefore limited by the speed constraints of some cmdlets like Get-UnifiedGroup. It works, but the Graph-based version is much faster.
  • TeamsGroupsActivityReportV5.PS1: The Graph-based (and much faster) edition of the Teams and Microsoft 365 Groups Activity Report script. To gain speed and be able to process tens of thousands of groups in a reasonable time, the original script was rewritten to use Graph API calls whenever possible. As such, it’s a good working example of how to swap out heavy PowerShell cmdlets for more performant Graph calls in a script.

Please Contribute

One of the delights of PowerShell is that it’s easy for people to write scripts (well, it is with a little practice). GitHub enables people to suggest ideas and propose changes to code, and we welcome any suggestions we receive to improve the scripts in the repository. We definitely appreciate any fixes for bugs found in our code. No one is perfect!

How to Retrieve Information About Microsoft 365 Service Incidents https://office365itpros.com/2021/01/12/retrieve-microsoft-365-service-incident-information/?utm_source=rss&utm_medium=rss&utm_campaign=retrieve-microsoft-365-service-incident-information https://office365itpros.com/2021/01/12/retrieve-microsoft-365-service-incident-information/#comments Tue, 12 Jan 2021 09:56:45 +0000 https://office365itpros.com/?p=38809

Programmatic Access to Service Incidents

A reader asked if an easy way exists for programmatic access to information about Microsoft 365 incidents. To set context, several standard methods are available for tenant administrators to learn about an incident concerning a Microsoft 365 application. The Service Health dashboard in the Microsoft 365 admin center lists ongoing incidents and their status (Figure 1).

Figure 1: The Microsoft 365 Admin Center reports an incident

Incidents are also available through the Microsoft 365 admin mobile app (Figure 2). The app is available for iOS and Android.

Figure 2: Incidents listed on the Microsoft 365 admin mobile app

Administrators can choose to receive notifications for incidents affecting their tenant in Outlook for Windows. Finally, nominated individuals can receive email about incidents (Figure 3), with the understanding that problems can affect components in a way that prevents email being sent. And sometimes email arrives to announce the end of an incident before you know that an incident happened. To configure the email addresses (up to 2) to receive notifications, access Preferences in the Service Health dashboard and choose the types of events and workloads you want to receive email about.

Figure 3: Email notification for a Microsoft 365 incident

Microsoft targets communications about incidents to the affected tenants, but if you don’t want to rely on the standard methods, you can keep a close eye on Twitter accounts like Microsoft 365 status to get a heartbeat across the entire infrastructure.

ISV Monitoring

An alternative is to invest in third-party monitoring products, which usually deploy probes and other artificial transactions to establish what’s working well and where problems might be about to break. ISVs active in this space earn their bread by detecting problems before Microsoft makes formal announcements that an incident is active. They also concentrate on your organization and the workloads most important to your users.

DIY Service Monitoring

To return to the original question, programmatic access to the same information used by the Microsoft 365 admin center is available through the REST-based Office 365 Service Communications API. You can use this API to check for and display information about incidents in whatever interface you choose, such as a dashboard which includes Microsoft 365 and other services. The API supports access to historical status of incidents, current workload status, and messages, which include informational messages in addition to those about incidents.

Note: Microsoft will deprecate the Office 365 Service Communications API on December 17, 2021. You should transition your code to the Microsoft Graph Service Health and Communications API. See this article for details.

The basic approach used with Microsoft 365 REST-based APIs is followed (see this post for more information):

  • Register an app with Azure AD. Note the app identifier and secret.
  • Assign the permission to access service information to the app. This is the ServiceHealth.Read permission for the Office 365 Management APIs.
  • Use the tenant identifier, app identifier, and app token to get an OAuth access token.
  • Use the access token to authenticate the call to get service incidents.
  • Parse and display the service incidents as required.
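The token steps in the list above, as an added example rather than code from the original article. The function names are hypothetical, the v1 token endpoint with a resource of https://manage.office.com and the aud and roles claim names are assumptions about how the app-only token is issued, and the sample token is constructed so the claim check can be run without a tenant.

```powershell
# Added example: function names are hypothetical. The claim checks are a sanity check
# on what the token grants, not signature validation (the API does that).

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Jwt)
    $Parts = $Jwt.Split('.')
    if ($Parts.Count -ne 3) { throw "Not a JWT: expected three dot-separated parts" }
    # base64url -> base64, restoring the padding that JWTs strip
    $Payload = $Parts[1].Replace('-', '+').Replace('_', '/')
    switch ($Payload.Length % 4) { 2 { $Payload += '==' } 3 { $Payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) | ConvertFrom-Json
}

function Test-ServiceHealthToken {
    param([Parameter(Mandatory)][string]$Jwt)
    $Claims = Get-JwtClaims -Jwt $Jwt
    # Assumption: app permissions appear in the roles claim of an app-only token
    ($Claims.aud -eq 'https://manage.office.com') -and ($Claims.roles -contains 'ServiceHealth.Read')
}

function Get-ServiceCommsHeaders {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][securestring]$AppSecret   # never a plain string in the script
    )
    $Body = @{
        grant_type    = 'client_credentials'
        resource      = 'https://manage.office.com'
        client_id     = $AppId
        client_secret = [System.Net.NetworkCredential]::new('', $AppSecret).Password
    }
    $Uri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    try { $Token = Invoke-RestMethod -Uri $Uri -Method Post -Body $Body -ErrorAction Stop }
    finally { $Body.Remove('client_secret') }   # drop the plain-text copy either way

    if (-not (Test-ServiceHealthToken -Jwt $Token.access_token)) {
        throw "Token for app $($AppId) lacks ServiceHealth.Read or targets another resource"
    }
    @{ Authorization = "Bearer $($Token.access_token)" }
}

# Offline check with a constructed, unsigned token (values are made up)
function ConvertTo-Base64Url {
    param([string]$Text)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$GoodToken = (ConvertTo-Base64Url '{"alg":"none"}') + '.' +
    (ConvertTo-Base64Url '{"aud":"https://manage.office.com","roles":["ServiceHealth.Read"]}') + '.constructed'
$WrongAudience = (ConvertTo-Base64Url '{"alg":"none"}') + '.' +
    (ConvertTo-Base64Url '{"aud":"https://example.com","roles":["ServiceHealth.Read"]}') + '.constructed'

Test-ServiceHealthToken -Jwt $GoodToken       # True
Test-ServiceHealthToken -Jwt $WrongAudience   # False

# Against a tenant:
# $Secret  = Read-Host -AsSecureString 'App secret'
# $Headers = Get-ServiceCommsHeaders -TenantId $tenantid -AppId '<app identifier>' -AppSecret $Secret
```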

Here’s an example in PowerShell. At this point we assume that a suitable access token has been obtained and included in the $Headers variable. The commands retrieve the current messages and filter them for incidents with a status of “Service degradation.” We then loop through the incidents to find any with recent updates (within the last 30 minutes, as dictated by the $Minutes variable) and write out anything we find:

# Fetch information from Service Communications API
# Assumes $Headers holds the access token and $tenantid holds the tenant identifier
$Minutes = 30   # Report incidents updated within this number of minutes
Write-Host "Fetching Microsoft 365 Message Center Notifications..."
$MessageCenterURI = "https://manage.office.com/api/v1.0/$($tenantid)/ServiceComms/Messages"
$ServiceData = (Invoke-RestMethod -Uri $MessageCenterURI -Headers $Headers -Method Get -ContentType "application/json")
# Keep only incidents with a status of service degradation
$ServiceData = $ServiceData.Value | Where-Object {$_.MessageType -eq "Incident" -and $_.Status -eq "Service degradation"}

$Now = Get-Date
ForEach ($Incident in $ServiceData) {
   $TimeSince = ($Now - ([datetime]$Incident.LastUpdatedTime))
   If ($TimeSince.TotalMinutes -le $Minutes) {
      # Red for incidents without an end time, yellow for those that have one
      If ($null -eq $Incident.EndTime) { $IncidentColor = "Red" }
      Else { $IncidentColor = "Yellow" }
      $Title = "[" + $Incident.WorkloadDisplayName + "] " + $Incident.Title + " (" + $Incident.Severity + ")"
      Write-Host ""
      Write-Host "Microsoft 365 Incident" $Incident.Id
      Write-Host $Title -ForegroundColor $IncidentColor
      Write-Host "Start time:       " (Get-Date $Incident.StartTime)
      Write-Host "Last Updated:     " (Get-Date $Incident.LastUpdatedTime)
      Write-Host "Current minutes:  " $TimeSince.TotalMinutes.ToString().Split(".")[0]
      Write-Host ""
      Write-Host "Incident Details"
      Write-Host "----------------"
      $Incident.Messages.MessageText
   }
}

Figure 4 shows what the output looks like for an incident.

Figure 4: PowerShell report of a Microsoft 365 incident

Obviously, there’s lots that you could do to refine and prettify the output to make it work the way you’d like it to look (here’s an example of how to post service incident information to a Teams channel). The same approach will work with any language which supports REST APIs.


Knowing the ins and outs of Office 365 administration includes understanding how to extend the basic functionality. We cover this kind of stuff in detail in the Office 365 for IT Pros eBook. Subscribe and stay up to date as things change.

Available Now: January 2021 Update for Office 365 for IT Pros
https://office365itpros.com/2021/01/01/january-2021-update/
Fri, 01 Jan 2021 02:08:00 +0000

Twenty One Chapters Updated in Monthly Refresh

The Office 365 for IT Pros team is delighted to announce that the sixth update for the 2021 edition is now available. Updated files have been uploaded to Gumroad.com for subscribers of the EPUB/PDF version to download. We have not updated the companion volume, so you only need to download the main book. Please use the link in your Gumroad account or the receipt you received for the book to download the latest files. See our FAQ for more information.

Chapter Changes

Although Microsoft stopped pushing updates out into Office 365 in the middle of December, we still updated 21 of 24 chapters this month. Details of the changes are shown below (details for all updates are available in our change log):

| Chapter | Change |
|---|---|
| 1 | SharePoint Online now has 200 million monthly active users. |
| 2 | Added short section on DR and BC planning for the cloud. |
| 3 | Minor updates to clarify licensing requirements for several features. |
| 4 | Skype for Business connector is retiring on 15 Feb 2021. Skype admin center deprecated. Added initial coverage of data-at-rest encryption and Customer Key. Updated section on Productivity Score. |
| 5 | Added section about updating user photos for mailboxes (and by extension, to other Office 365 apps). A new option allows Outlook desktop to create Teams online meetings by default. |
| 7 | Many small updates to sections. The most important change is that Exchange Online supports only TLS 1.2 connections from January 11, 2021. |
| 8 | External sharing capability for a site can be set via a sensitivity label. Microsoft search can recommend bookmarks for publication. New section about sharing for Microsoft Lists. |
| 9 | Yammer support for guest user access is in preview. |
| 10 | Dynamic Azure AD groups are limited to 5,000 per tenant. |
| 11 | Rewrote section on Meet Now after Microsoft released this capability for mobile clients. Added information about how to edit the deeplink used for Live events. Description added of pre-release channels for Teams. Meeting polls are available for personal Teams meetings. Microsoft has released a public gallery for Teams background images. Teams channel calendar app will roll out in January 2021. |
| 12 | Teams can now be archived through the Teams admin center. Rewrote opening section about creating Teams. Microsoft is tweaking the set of MAPI properties captured in Teams compliance records. |
| 13 | Made the point that Set-UserPhoto can update a picture for a team (Set-TeamPicture can too, but its use is limited to team owners). Updated description about the Teams PowerShell module. The Skype for Business Online connector is retired effective 15 February 2021. Rewrote section about using the Graph to process Groups and Teams data. |
| 14 | Updates on collaboration bar and collaborative calling. |
| 15 | Planner will generate compliance records for task creation and edits from January 2021. |
| 16 | Quota assigned to Stream classic is not transferred to SharePoint Online when the transition to the new Stream happens. |
| 17 | Minor typo fixes |
| 18 | Added mention of Teams Public Preview program and channels; minor corrections. |
| 19 | Minor corrections to Records management section. |
| 20 | Added note about including variations of personal identifiers as conditions for content searches. Advanced eDiscovery exports can decrypt protected documents stored in SharePoint and OneDrive. |
| 22 | New country-specific sensitive data types introduced for DLP policies. |
| 24 | The container management settings for sensitivity labels can now control external sharing capabilities for SharePoint Online sites. Microsoft has fixed the bug which caused documents with sensitivity labels to become inaccessible when moved or copied between sites. |

If you’re not already a subscriber, you can secure your copy at Gumroad.com (EPUB/PDF version) or Amazon (Kindle version).

How to Customize the Browser Themes for a Microsoft 365 Tenant
https://office365itpros.com/2020/12/11/customize-the-microsoft-365-theme/
Fri, 11 Dec 2020 01:00:00 +0000

Use Corporate Colors and Logo to Customize the Microsoft 365 Theme

None of us likes to feel that we’re part of an anonymous crowd, all looking and behaving the same. When organizations sign up for a cloud service, they cede control over the scope of the service they receive, and they lose the ability to tailor how software works. In a nutshell, you get what the service provider delivers.

Which is why you might want to customize the default theme used for Office 365 browser apps to apply your choice of corporate colors and logo and generally make the apps appear a little less one size fits all. With a little up-front preparation and maybe some assistance from people who are good with colors, this is easily done.

Customizing Your Tenant’s Theme

To start, go to the Org settings section under Settings in the Microsoft 365 admin center and choose Custom themes. You’ll then have some options to change the appearance of the bar displayed at the top of browser apps.

The bar is made up of several components from the waffle menu on the far left-hand side to the avatar on the far right. The components you can customize are in the middle and comprise your logo, the background image for the piece between the corporate logo and the settings (cogwheel icon etc.), the overall color for the bar, and the color used for the text and icons placed on the bar (Figure 1). You can also make the logo clickable (bring the user to another web page).

Figure 1: Custom theme settings for a Microsoft 365 tenant

Things to Consider

Microsoft’s instructions about how to create a custom theme are helpful and don’t need to be repeated here. As I played with custom themes, some facts became apparent:

  • When Microsoft specifies an image size, they mean it. It took a few tries to upload a custom logo. All attempts were rebuffed until I used an image sized at precisely 200 x 30 pixels. 199 x 30 pixels didn’t work.
  • Microsoft recommends SVG files for the logo because the SharePoint Online mobile app won’t display other formats. If you don’t care about this then PNG or JPG work just fine.
  • If you make the logo clickable, it closes the current page and goes to the place you specify. It doesn’t seem to be possible to make the link open in a new tab or window.
  • Color choice is really important. A color palette picker is available to choose colors from (or you can input the hex value of a color). It’s easy to make a mess, so if you are color blind (like I am), get someone who isn’t to check your selections. Or even better, find out the hex values for the corporate approved colors and use those.
  • A tenant can only have one custom theme.

If you make a mess, it’s easy to revert to the default theme and start over by using the Remove custom theming button at the bottom of the theme settings.

Figure 2 shows the result of some quick customizations to create an Office 365 for IT Pros theme. In this case, I chose a red background image with a red navigation bar with white text and icons. It was enough to validate that it’s easy to create a custom theme. I’m sure people can create something more artistic than I managed.

Figure 2: Components of a custom theme

Once saved, the custom theme will be picked up by the Office 365 browser apps. Well, most apps, as Teams will do its own thing.

In addition to the default theme, you can create other themes that can be assigned to the members of Microsoft 365 groups. A custom group theme can be assigned to up to five Microsoft 365 groups.

Limiting Theme Choice

If you want to force people to use the custom theme, you can set this option in the settings (Figure 3).

Figure 3: Option to stop users overriding the corporate (custom) theme

With the setting in place, users won’t be able to select one of the many optional themes packaged with Office 365 (Figure 4) and will have to be content choosing between the custom theme and the default Office 365 high contrast theme. There’s no administrative method available to select a specific theme for users.

Figure 4: Browsing the optional themes available in Office 365

Limiting choice to a bland corporate theme and a high contrast theme seems like a step too far. I can see why some people might consider it a good thing to eliminate themes like Cats and the splendidly named Super Sparkle Happy theme, but let’s give users the chance to express themselves, even if their personal choices might occasionally be doubtful.


Change in Guest Access for Teams: No Effect on Tenants Already Using Teams
https://office365itpros.com/2020/12/08/teams-default-guest-access-setting-changing/
Tue, 08 Dec 2020 03:19:00 +0000

Service Default Changes on February 8

In Office 365 notification MC228482 posted on December 3, Microsoft gives early warning of a change in the default tenant configuration for Teams. Up to now, the “service default” for guest access to Teams has been Off, meaning that Teams doesn’t allow guest access unless an administrator updates the value to On. From February 8, 2021, the service default changes to On. In effect, Microsoft will then assume that tenants want to allow guest access to Teams.

Tenant control over guest access is set through the Org-wide settings section of the Teams admin center. Here you can define if guest access is allowed or not. As you can see in Figure 1, the option is set to On in my tenant.

Figure 1: Setting the Guest Access control in the Teams Admin Center

The change in service default won’t affect tenants who have already opted to allow guest access to Teams, which is probably most of the tenants which now support over 115 million daily Teams users. It also won’t affect organizations which choose to disable guest access for Teams. However, organizations that have not yet started to use Teams should review if they wish to use guest access and if not, set the option to Off.

Teams depends on the Azure B2B Collaboration integration for Microsoft 365 Groups. Turning guest access on for Teams as the default doesn’t remove the need to enable the guest settings for Microsoft 365 Groups in the Org settings section of the Microsoft 365 admin center.

Limiting Guest Access at a Granular Level

Before disabling guest access, remember that other controls exist to limit guest access on a more granular level.

First, you can use sensitivity labels to control guest access for individual teams. If the container setting for the sensitivity label assigned to a team blocks guest access, team owners won’t be able to add new guests. However, existing guests in the team membership are not removed and tenant administrators can always add guests to team membership if necessary. The script described in this post creates a report of guests belonging to Microsoft 365 groups assigned a specific sensitivity label.

Second, you can block guest access from specific domains using an Azure B2B collaboration policy. For instance, you could include the domains for competitor companies in a blocklist to prevent team owners adding people from those domains as guests. Again, existing guests are not affected.

Tracking Down Unwanted Guests

If you need to scan the entire tenant for the presence of unwanted guest accounts, you can use the PowerShell script described in this post to create a report of guests in a tenant and the Microsoft 365 groups they belong to. The script can be adjusted to report guests based on the number of days since their account was created, so you can focus on all guests or guests created since a specific point in time.

Some guest accounts might have been created for a long-gone purpose. It’s a good idea to review guest accounts from time to time to figure out if any are no longer required and can be removed. This script helps by creating a report of guest user activity.

Teams Owners Can Restrict Guests Too

Within a team, you can restrict guest access by creating a private channel and limiting its membership to tenant accounts. This is a good way to create a barrier within a team for information which should remain confidential. If you want to be even more secure, apply a sensitivity label with encryption to any documents stored in the private channel and make sure that the label settings restrict access to tenant accounts.


The ins and outs of Azure B2B collaboration and guest account access to resources are explained in depth in the Office 365 for IT Pros eBook. Subscribe today to keep abreast of changes as they appear inside Microsoft 365.

How to Anonymize User Data in Microsoft 365 Usage Reports
https://office365itpros.com/2020/12/07/anonymize-microsoft-365-usage-reports/
Mon, 07 Dec 2020 06:14:00 +0000

The Option to Anonymize User Data and the Fuss About Microsoft 365 Productivity Score

Last week, I wrote about the criticism leveled at the Microsoft 365 Productivity Score feature. Leaving the hysteria aside, the biggest point missed in the criticism is that the usage data presented in the new feature has existed and been accessible to organizations for a very long time. Aside from the usage reports available in the Microsoft 365 admin center (originally based on the reporting service, which goes back to 2015), Microsoft made the Power BI analytics pack for Office 365 available in 2017 to allow tenants to do more deep-dive analysis of the data.

The standard usage reports and the Power BI app both use Graph data as their consistent source of knowledge. Most ISV reporting applications do the same, with the difference being that ISVs typically extract and process the Graph data before storing it in their own repositories to keep it longer than the 180 days allowed by Microsoft. It is therefore curious that no one has protested the acquisition, storage, and reporting of usage data over the last five years.

Anonymizing User Data in Reports

Moving on, if organizations wish to protect the privacy of usage data, they can anonymize the data by replacing user, group, and site names in reports by selecting an option in the Reports section under Org settings in the Microsoft 365 admin center (Figure 1).

Figure 1: The option to anonymize user data in usage reports in the Microsoft 365 admin center

After the option is selected, all views of usage data have group, user, and site names replaced with system generated values (Figure 2).

Figure 2: Anonymized user data for SharePoint Online

For SharePoint site usage, the site URL and site owner are obscured (Figure 3).

Figure 3: Anonymized SharePoint Online site usage data

Anonymize User Data for Any Graph-Based Application

The protection extends to applications which make Graph API calls to fetch usage data. For instance, the extract below shows a user’s Teams usage data for 90 days returned by the Microsoft Teams user activity reports API.

Report Refresh Date        : 2020-12-02
User Principal Name        : FE7CC8C15246EDCCA289C9A4022762F7
Last Activity Date         : 2020-12-02
Is Deleted                 : False
Deleted Date               :
Assigned Products          : POWER BI (FREE)+OFFICE 365 E5 WITHOUT AUDIO
                             CONFERENCING+ENTERPRISE MOBILITY + SECURITY E5+BUSINESS APPS
                             (FREE)+MICROSOFT POWER AUTOMATE FREE
Team Chat Message Count    : 64
Private Chat Message Count : 233
Call Count                 : 14
Meeting Count              : 93
Has Other Action           : No
Report Period              : 90

Choosing the option to anonymize user data like this makes reports less useful because it’s all but impossible to apply context to the data. We can tell that some users are more active than others, but who are the active users and why are they more active than others? Do they use Teams more than email or do they still like email? Is Yammer in use? Are we seeing growth in cloud-based document storage? Do we see more traction in some parts of the company than others?

Anonymizing data also creates some coding challenges. For instance, because anonymized values are returned instead of user principal names, my User Activity Report script can’t fetch sign in information from Azure AD, which means that another piece of the usage puzzle is missing (Figure 4).

Figure 4: Anonymized usage data reported from Graph API calls

Anonymizing Usage Data Wisely

Obscuring usage data is a good thing to do as a default. It stops people casually browsing information that they might not need or should not see. But if you want accurate data that can be interpreted and used for planning purposes, to improve the effectiveness of your investment in Office 365, or to track down unused licenses that you shouldn’t be paying for, a global administrator can switch the setting back to permit reports to include full information for a limited period. After you’re finished extracting and reporting the data, you can restore anonymity to user data.
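One way to make the "switch back, extract, restore" sequence above safe against a failed extract, as an added example that is not from the original article. It assumes the Microsoft Graph PowerShell SDK and the Graph admin/reportSettings resource with its displayConcealedNames property; the function names and the output file name are hypothetical.

```powershell
# Added example: show real names in usage reports only for the duration of one extract.
# Assumes a session opened with:
#   Connect-MgGraph -Scopes "ReportSettings.ReadWrite.All","Reports.Read.All"
$SettingsUri = 'https://graph.microsoft.com/v1.0/admin/reportSettings'

function Set-ReportNameConcealment {
    param([Parameter(Mandatory)][bool]$Concealed)
    $Body = @{ displayConcealedNames = $Concealed } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri $SettingsUri -Body $Body `
        -ContentType 'application/json' | Out-Null
}

function Invoke-WithIdentifiableReports {
    param([Parameter(Mandatory)][scriptblock]$Work)

    # Remember how the tenant was configured before touching anything
    $Original = [bool](Invoke-MgGraphRequest -Method GET -Uri $SettingsUri).displayConcealedNames
    try {
        if ($Original) { Set-ReportNameConcealment -Concealed $false }
        # Assumption: the change applies to the next report request. If the extract
        # still shows concealed values, allow time for the setting to take effect.
        & $Work
    }
    finally {
        # Runs even when the extract throws, so names are never left exposed by accident
        if ($Original) { Set-ReportNameConcealment -Concealed $true }
    }
}

# Usage: runs only when the SDK is installed and a Graph session exists
if ((Get-Command Get-MgContext -ErrorAction SilentlyContinue) -and (Get-MgContext)) {
    Invoke-WithIdentifiableReports -Work {
        $ReportUri = "https://graph.microsoft.com/v1.0/reports/getTeamsUserActivityUserDetail(period='D90')"
        $OutFile   = Join-Path ([System.IO.Path]::GetTempPath()) 'TeamsUserActivity-D90.csv'
        Invoke-MgGraphRequest -Method GET -Uri $ReportUri -OutputFilePath $OutFile
    }
}
```

The exported CSV now holds identifiable usage data, so store it with the same access controls you would apply to the reports themselves.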


Learn much more about reporting Office 365 activity in the Office 365 for IT Pros eBook.

Keeping an Accurate Microsoft 365 Tenant Directory is Important
https://office365itpros.com/2020/11/25/entra-id-account-properties/
Wed, 25 Nov 2020 09:09:19 +0000

Cherish the Accuracy of Entra ID Account Properties

Every Microsoft 365 tenant uses Azure Active Directory to store information about the tenant configuration, accounts, and groups. Maintaining accurate Entra ID user account properties is important. Whether data comes from an external source like a HR feed or is maintained manually, people depend on directory information to find others, or even understand how the organization works. If the data in your directory is inaccurate, some features won’t work properly or at all. For example:

  • The people card (which makes the Intelligent Search of Microsoft 365 rather stupid)
  • Teams organization tab (Figure 1) because reporting relationships won’t be correct.
  • Dynamic distribution lists and dynamic Microsoft 365 groups because the right people won’t be found by the queries underpinning dynamic lists and groups.

Figure 1: The Teams organization tab depends on accurate Entra ID account properties

It’s always been important to maintain an accurate directory. Perhaps it was less so in the on-premises world where fewer application features are built with an expectation that directory data is accurate, but it’s obvious that Microsoft 365 just works better with a solid directory.

Setting Goals for a Healthy Directory

You can invest in a product like Hyperfish to help analyze and maintain your Entra ID data, but before you rush into acquiring a sticking plaster to cure your directory woes, it’s a good idea to set down some threshold for directory quality. For example, you could say that your baseline measurement for a healthy directory is that all the properties displayed on the people card should be fully populated for every user account. Separate guidelines might be defined for guest accounts and groups.

Figure 2 shows a customized people card. Being able to customize the people card using Microsoft Graph commands allows tenants to expose the information they consider essential in the card, and it’s important to consider customization when setting your threshold.

Figure 2: Entra ID user account information is shown in the Microsoft 365 people card

Checking Entra ID Account Properties with PowerShell

Setting an aspirational goal is nice; achieving that goal is even better. We need to understand how healthy our directory is in terms of missing properties that show up in the people card. Fortunately, it is easy to create a PowerShell script to:

  • Find mailbox-enabled user accounts in Entra ID.
  • Check accounts for missing properties (like not having values in the Office or Title properties).
  • Report what needs to be done in terms of account updates.

I’ve written a quick and dirty script which you can download from GitHub. It uses the Get-User cmdlet from the Exchange Online Management module to fetch account information. The Get-MgUser cmdlet from the Microsoft Graph PowerShell SDK could also be used, but it’s easier to filter out mailbox-enabled accounts with Get-User, which exposes the Entra ID user properties we want to check. Remember that you’ll need to modify the script to suit the circumstances in your organization. For instance, if you place particular importance on a specific property, you might want to amend the script to include that property in the checks.

Figure 3 shows how the script reports the problems it finds with missing properties in user accounts. The results shown here are from a small test tenant so it’s unsurprising to discover that so many accounts have missing properties. It’s reasonable to expect better results in a production tenant.

Figure 3: PowerShell finds some missing values for Entra ID account properties

To make it easy for administrators to track down and fix missing properties, a CSV file is also generated with details of the accounts which need adjustment (Figure 4).

Figure 4: Viewing the CSV file of missing directory properties
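The kind of check described above, as an added example; it is not the script published on GitHub. The function name, the list of properties, and the sample accounts are constructed for illustration, and the comment shows where Get-User output would replace the sample data in a tenant.

```powershell
# Added example (not the author's GitHub script): report accounts with missing properties.
# The property list is an assumption; adjust it to match your own baseline.
$PropertiesToCheck = 'Title', 'Office', 'Department', 'City', 'CountryOrRegion', 'Phone'

function Get-MissingDirectoryProperty {
    param(
        [Parameter(Mandatory)][object[]]$Accounts,
        [Parameter(Mandatory)][string[]]$Properties
    )
    foreach ($Account in $Accounts) {
        # A property counts as missing when it is null, empty, or only whitespace
        $Missing = foreach ($Name in $Properties) {
            if ([string]::IsNullOrWhiteSpace([string]$Account.$Name)) { $Name }
        }
        if ($Missing) {
            [PSCustomObject]@{
                UserPrincipalName = $Account.UserPrincipalName
                DisplayName       = $Account.DisplayName
                MissingCount      = @($Missing).Count
                MissingProperties = $Missing -join ', '
            }
        }
    }
}

# Constructed sample accounts so the example runs without a tenant connection
$SampleAccounts = @(
    [PSCustomObject]@{ UserPrincipalName = 'kim.akers@contoso.example'; DisplayName = 'Kim Akers'
        Title = 'VP Sales'; Office = 'Dublin'; Department = 'Sales'; City = 'Dublin'
        CountryOrRegion = 'Ireland'; Phone = '+353 1 555 0100' }
    [PSCustomObject]@{ UserPrincipalName = 'ben.owens@contoso.example'; DisplayName = 'Ben Owens'
        Title = ''; Office = 'Dublin'; Department = 'Engineering'; City = '   '
        CountryOrRegion = 'Ireland'; Phone = $null }
    [PSCustomObject]@{ UserPrincipalName = 'shared.projects@contoso.example'; DisplayName = 'Projects'
        Title = $null; Office = $null; Department = $null; City = $null
        CountryOrRegion = $null; Phone = $null }
)

# In a tenant, after Connect-ExchangeOnline, replace the sample data with:
#   $Accounts = Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited
$Accounts = $SampleAccounts

$Report = @(Get-MissingDirectoryProperty -Accounts $Accounts -Properties $PropertiesToCheck)
$Report | Sort-Object MissingCount -Descending | Format-Table -AutoSize

# CSV for whoever has to fix the accounts (hypothetical file name)
$CsvPath = Join-Path ([System.IO.Path]::GetTempPath()) 'MissingDirectoryProperties.csv'
$Report | Export-Csv -Path $CsvPath -NoTypeInformation

$Healthy = $Accounts.Count - $Report.Count
"{0} of {1} accounts meet the baseline; details in {2}" -f $Healthy, $Accounts.Count, $CsvPath
```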

Maintaining the accuracy of Entra ID user data can be a boring task. It’s much more interesting to read the Office 365 for IT Pros eBook and learn about changes in Office 365 through the updates we release every month.

Exports of Exchange Online Search Results Now Decrypt Attachments
https://office365itpros.com/2020/11/18/decrypt-exchange-attachments-search/
Wed, 18 Nov 2020 09:32:27 +0000

Decryption of Exported Documents

Office 365 notification MC225739 (3 November) reports that eDiscovery exports will support decryption for attachments in Exchange (Online). The pointer to the Microsoft 365 roadmap refers to item 68704, which says:

“eDiscovery managers will be able to collect and review content encrypted with Microsoft encryption technologies and attached as a local copy to an email in Exchange from the Advanced eDiscovery solution.”

I asked the engineering group if decryption for exports would also apply for Core eDiscovery (the type you get with Office 365 E3) and received an affirmative response.

Deployment begins soon and is due to be complete worldwide by early December.

Protected Messages and Their Attachments

Exchange Online decrypts protected messages (messages assigned a sensitivity label with encryption) when items found by a content search are exported. Decryption only happens when search results are exported to individual (MSG) files rather than to a PST. Up to now, any protected attachments (files assigned sensitivity labels with encryption) remained encrypted, which created a problem for investigators who needed to see the content, or when content needed to be reviewed before it was turned over as the result of a GDPR data subject request.

One solution is to assign an account super-user permission for rights management and have them use that permission to decrypt the documents. While effective, this is problematic because super-user permission allows access to any encrypted content in a tenant. It’s more convenient (and safer) to have Exchange use its permissions to decrypt both messages and attachments as search results are exported from mailboxes.

Edge and Exports

Although any browser supported by Office 365 can create and run content searches and eDiscovery cases, you must use the Edge browser to download and install the Microsoft 365 eDiscovery Export program. This tool is created with Microsoft’s ClickOnce technology, and is used to download the results of a search from Azure to local storage. A recent change to Edge means that you might have to configure your browser to enable support for ClickOnce.

To do this, open a tab in Edge and go to edge://flags/#edge-click-once. Make sure that ClickOnce support is enabled (Figure 1).

Figure 1: Enabling support for ClickOnce in Edge to allow Office 365 content search exports to run

If ClickOnce is not enabled, you can download the Microsoft 365 eDiscovery Export tool, but it won’t run. It took me a couple of times before I figured out what was going on. I’m sure the penny will drop for you sooner.


Learn more about how content searches work and how to export the results found by the searches in the Office 365 for IT Pros eBook.

How Noise Suppression Works in Teams Meetings
https://office365itpros.com/2020/11/17/teams-noise-suppression-meetings/
Tue, 17 Nov 2020 01:42:23 +0000

Teams Noise Suppression Generates Clear Audio Feeds for Teams Meetings

Office 365 Notification MC224751 announces the introduction of AI-based noise suppression in Teams meetings. According to Microsoft 365 roadmap item 68694, the feature will “automatically remove unwelcome background noise during your meetings. AI-based noise suppression works by analyzing an individual’s audio feed and using specially trained deep neural networks to filter out the noise and retain only the speech signal. This is an update to the existing noise suppression. Users will now have control over how much noise suppression they want. The “High” setting is new and will suppress more background noise.”

The feature rolled out for Teams for Windows clients in late 2020. On April 23, 2021, Microsoft posted message center notification MC252330 to announce that noise suppression for Teams meetings will be available for the Teams desktop client for Mac with a deployment starting in late April. The deployment will finish in August. This is Microsoft 365 roadmap item 82826.

Windows PCs must support Advanced Vector Extensions 2 (AVX2) to allow suppression to work. This is the original requirement that used to exist for background blur in meetings; Microsoft downgraded the requirement to AVX earlier this year. Given that most modern workstations support AVX2, this shouldn’t be a big problem.

AI-Based Noise Suppression

Microsoft began demonstrating AI-based noise suppression for Stream video playback at the Ignite 2019 conference and shipped the feature in June 2020. A Microsoft Technical Community post explains how deep neural networks are used to identify background noise in an individual’s audio feed and filter out everything but the person’s voice in the feed passed to a Teams meeting. Other meeting participants only hear what someone says rather than noise occurring in the background.

Noise suppression is automatically applied to recordings of Teams meetings stored in the Stream Azure-based service or OneDrive for Business, so the suppression applied by the Teams client is disabled when a meeting is being recorded.

The Teams client also disables suppression when live captions are used during meetings, possibly due to the processing needed to capture and recognize speech which is then transformed into captions.

Device Settings

Users can update the device settings in their profile (Figure 1) to choose the level of suppression in meetings. The choices are:

  • Auto: Teams monitors the degree of audible background noise in a meeting and tunes suppression up or down to remove non-voice sounds like barking dogs or the rustling of papers.
  • Low: Persistent background noise is suppressed, such as a computer or ceiling fan or air conditioner. Microsoft suggests that you use this setting when music is playing in the background.
  • High: Suppresses all background noise that Teams considers not to be speech.
  • Off: Noise suppression is disabled. Maybe you’re lucky enough to conduct meetings in low noise environments and can use this option.

Figure 1: Noise Suppression Settings in the Teams profile

Noise suppression applies to the sound generated by the microphone used for a meeting, not the audio feeds for other meeting participants. The idea is that you know about potentially distracting noises in your local environment and can therefore decide what level of suppression is needed. If everyone enables noise suppression, the meeting audio should be clear and distinct.

In most cases, it’s best to leave the option at Auto unless you have a reason to choose a different option. The AI might be better at detecting background noise than you are.

Enabling noise suppression consumes computer resources to analyze the sound captured by the microphone and remove unwanted noise. Higher levels of suppression consume more resources, so if a workstation begins to run hot or is resource constrained, you can disable noise suppression or select the Low option to see if this helps.

Teams-Certified Devices

Noise suppression during a Teams meeting does not remove the goodness to be had by using a Teams-certified device (headsets, speakerphones, desk phones, etc.) during calls. These devices deliver noise canceling and better audio quality for what you hear as well as better microphone performance. Noise suppression is all about making the audio feed from your workstation as clear as possible; devices designed for Teams focus on making what you hear as well as what you say as clear as possible.

During a Meeting

The noise suppression option set in your profile becomes the default for all meetings. If you need to change because specific conditions exist for a meeting, the same controls are available in Device settings when a meeting is active.


Need more information about how to deploy and manage Teams in an Office 365 tenant? The Office 365 for IT Pros eBook is packed full of useful and practical knowledge covering all aspects of a deployment. And best of all, it’s updated monthly.

Microsoft Makes Endpoint Data Loss Prevention Generally Available https://office365itpros.com/2020/11/16/endpoint-data-loss-prevention/?utm_source=rss&utm_medium=rss&utm_campaign=endpoint-data-loss-prevention https://office365itpros.com/2020/11/16/endpoint-data-loss-prevention/#respond Mon, 16 Nov 2020 09:00:44 +0000 https://office365itpros.com/?p=34272

Windows 10 and Edge Deliver Signals for DLP Evaluation

Announced as Generally Available on November 10, Endpoint DLP is a Microsoft 365 offering which uses signals generated by actions performed on Windows 10 workstations to evaluate against DLP policies. Supported actions include copying files to removable media like a USB or to a network share, printing files, uploading to a cloud app, or copying data to the clipboard.

Microsoft leverages its control of Windows and Edge by avoiding the need to deploy additional agents to monitor activity on a workstation. The necessary code to detect actions and submit them for DLP evaluation is incorporated into Windows 10 (version 1809 or later) and recent versions of the Edge browser.

Edge is the preferred browser because it understands how to respect endpoint DLP policies, and you can block other browsers from accessing files protected by policies. For instance, you could block Chrome or Firefox from opening a Word document if a specific retention label is present.

Not an Office 365 Feature

Before you can use Endpoint DLP, you need Microsoft 365 E5 licenses or either the Microsoft 365 E5 information protection and governance or compliance add-ons. This is understandable given that Windows 10 is bundled in the Microsoft 365 suite. Being able to gather information from Windows is a big part of the Endpoint DLP value proposition and it’s important that users have access to builds of Windows which include the DLP code. Having a Microsoft 365 license makes it more likely that users will be current, and not run something like an old Windows 7 or Windows 8 device.

Workstations used by licensed accounts can be onboarded (enabled) through the Microsoft 365 compliance center to start the flow of signals for DLP evaluation, unless they are already enrolled for Windows Defender, in which case Endpoint DLP works without any further configuration.

Looking for Violations

Once a workstation is enabled, actions taken by the user are monitored for potential violations against policy using the same kind of conditions as used to monitor Office 365 activity. For example, attempts to upload documents containing credit card numbers can be detected and stopped. Supported file formats include Office documents, PDF, text, and source code.

Endpoint DLP settings for the organization can be adjusted in the Microsoft 365 compliance center (Figure 1) to reduce the amount of noise in signals by excluding certain folders like the recycle bin, temp folder, or folders used for non-work files. It’s also possible to allow uploads to specific cloud services without generating a violation. Policy thresholds can be set to generate alerts when a large number of similar events happen. For instance, a policy could alert administrators if someone prints more than twenty documents assigned the Confidential sensitivity label.

Figure 1: Configuring Endpoint DLP settings

Checking Devices

When Endpoint DLP is available in a tenant, DLP policies can be created for a target location called Devices, just like choosing SharePoint or Exchange as policy locations. The normal approach is to separate device policies from those used with Office 365 workloads, but you can combine them. Device policies have separate settings for restrictions to enforce when conditions are met (Figure 2).

Figure 2: Endpoint settings for devices in a DLP policy

Signals to SIEM

Apart from being used by DLP, the signals generated by devices can be gathered and analyzed in a SIEM. An example using Azure Sentinel is described in this article.

Good for Some Organizations

Some organizations will like Endpoint DLP very much. Others will not be interested because of the cost of Microsoft 365 licenses, presence of non-Windows devices, or because they’ve invested in other solutions. In either case, this is an area that’s worth keeping an eye on because the signs are that Microsoft is taking advantage of its Information Protection, Office, and Windows assets to create a compelling unified DLP story.

For more independent information about Endpoint DLP, read this article by MVP Anders Onevinn.


For more information about DLP for Office 365 workloads (Exchange, SharePoint, OneDrive, and Teams), read chapter 22 of the Office 365 for IT Pros eBook.

Workaround Moca Mobile Deficiency with To Do Tasks https://office365itpros.com/2020/11/13/workaround-moca-mobile-deficiency/?utm_source=rss&utm_medium=rss&utm_campaign=workaround-moca-mobile-deficiency https://office365itpros.com/2020/11/13/workaround-moca-mobile-deficiency/#comments Fri, 13 Nov 2020 03:09:16 +0000 https://office365itpros.com/?p=33316

No Mobile App so the Dog’s Unhappy

When I wrote about Project Moca, a new personal productivity app that’s now in public preview for Office 365 commercial tenants, I bemoaned the fact that no Moca mobile app is available. Many of my best ideas – some would say my only ideas – come when on the move, such as my daily dog walk (on a philosophical level, do I walk the dog or does the dog tolerate my presence on her walk?).

My point is that without a Moca mobile app on my phone, it’s hard to use Moca as the place to note thoughts, action items, and the like. And when an app isn’t available, its usefulness is reduced, and other apps become more attractive. So I complained as I am prone to do.

Linking To Do to Moca

While acknowledging that a Moca mobile app would be good, one of the Moca developers gently pointed out that a workaround exists that might help. If you create a To-Do item in a Project Moca space (Figure 1), it is synchronized to a list in To Do named after the Moca space (in this case, “Article Ideas”).

Figure 1: Creating a To Do task in a Project Moca space

Creating a To Do task in Moca establishes a link between the space and To Do because the task becomes an “asset” belonging to the space. This is different to a To Do task created outside Moca which isn’t connected. The link means that any change made to a connected task using another To Do client, like the mobile app available on iOS and Android, is synchronized back to Moca.

In Figure 2, I’m using the To Do iOS client to update the task previously created in Moca. Changes to the checklist or adding a due date make their way back to Moca. Other changes like entering a note don’t. In any case, when I’m on the move, all I want to enter is a quick note that I can chase later. Adding it as a checklist item for a task is enough.

Figure 2: Updating a Moca-connected task in the To Do iOS app

Synchronizing Back to Moca

Figure 3 shows the result after To Do synchronizes an update back to Moca. The checklist items are enough to capture what I need to get done.

Figure 3: Moca displays an updated To Do task

A workaround built around To Do tasks is enough to meet my needs but it’s insufficient when Moca becomes generally available. For people to move from their preferred notetaking app, like OneNote, Word, or whatever else they use, they need a solid mobile app.

Outlook Integration Needed

And they might also need Moca to be integrated into Outlook desktop. This might not be a popular view to hold because Moca is very much a cloud app while Outlook exhibits all its on-premises roots at times. But people use Outlook and a way forward might be seen in Microsoft’s One Outlook initiative and the way that OWA powered experiences (OPX) can be integrated into desktop clients. Moca is, after all, an OWA app today, so it seems to meet the criteria for inclusion in Outlook via OPX.

Outlook might also answer a need that Moca can’t answer today: the ability to print off a space, hopefully preserving the nice layouts that people can achieve as they organize their thoughts.


Project Moca is a preview app, so it’s not covered in the Office 365 for IT Pros eBook. Unless we count all the underlying technologies like the Microsoft substrate, tasks, and so on.

Microsoft Clamps Down on Automatic Mail Forwarding in Exchange Online https://office365itpros.com/2020/11/12/forwarding-email-exchange-online/?utm_source=rss&utm_medium=rss&utm_campaign=forwarding-email-exchange-online https://office365itpros.com/2020/11/12/forwarding-email-exchange-online/#comments Thu, 12 Nov 2020 06:15:44 +0000 https://office365itpros.com/?p=34254

Stop Forwarding Email Outside Exchange Online

There’s no doubt that automatically forwarding messages to an email address outside Office 365 can pose a significant risk for a business. Messages can end up in places where they shouldn’t go, including when an attacker infiltrates an account and sets up forwarding on a mailbox by setting a mail forwarding address or with an inbox rule. In addition, removing email from Exchange Online compromises compliance and oversight because messages are no longer available for eDiscovery.

Various techniques exist to combat the problem, including:

These techniques work and all allow users to manually forward individual messages, but administrators must be aware of the problem caused by automatic forwarding and act to stop it. What’s different now is that Microsoft is making automatic forwarding more of an opt-in feature rather than forcing tenants to block automatic forwarding (roadmap item 63831), making organizations more secure by default.

In some ways, it’s like the approach taken to disable basic authentication for Exchange connection protocols. Start by showing disapproval of something which contributes to insecure tenants and gradually escalate to close the hole.

Tuning Mail Forwarding in the Default Anti-Spam Outbound Filter Policy

A series of Office 365 notifications posted to the message center, starting with MC218984 (July) and more recently MC221113 (September), advised tenants of a change to the default outbound spam filter policy. The default outbound spam filter policy is present and active in all Exchange Online tenants.

First, Microsoft introduced automatic forwarding settings for anti-spam policies. The settings were inactive but allowed administrators to define how they wanted forwarding to happen. Tenants identified as having mailboxes with autoforwarding enabled also received notification that they had some work to do to decide how to handle these forwards. The next step was to enable the forwarding setting in the default anti-spam outbound policy using On as the Automatic (default) setting, meaning that mail forwarding acted as before.

This week, Microsoft changed the Automatic setting to Off to block mail forwarding. If you didn’t choose a different setting (possibly because you missed the notification), the Automatic setting is active. Some administrators overlooked the previous communications and were surprised when users began to report that forwarding doesn’t work. Life is full of surprises!

Mail Forwarding Settings

The available settings in anti-spam outbound policies to govern mail forwarding (Figure 1) are:

  • Automatic: Exchange Online decides if mail forwarding is allowed or not. This is the default setting and normally means that users cannot forward email from Exchange Online mailboxes to external addresses.
  • On: Users can forward email.
  • Off: Users cannot forward email. Exchange will not change this value.
Figure 1: Automatic forwarding settings in the Exchange Online outbound spam filter policy

If automatic mail forwarding is blocked, users can still configure a mail forwarding address through OWA options (which is a good reason to remove the option from OWA) or create an inbox rule to redirect messages to an external address, but any attempt to send a message to that user which results in an attempted forward is rejected by the transport service and won’t be delivered. The sender receives an NDR to let them know about the problem (Figure 2).

Figure 2: A message sent to a mailbox with forwarding configured is rejected with an NDR

The key thing for administrators to note is the NDR code: “5.7.520 Access denied. Your organization does not allow external forwarding.” Once you see this, you know a message was blocked by the outbound spam filter policy.
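
Because users can still set a forwarding address or create a forwarding inbox rule while the policy blocks delivery, it is worth inventorying what is configured. The following is an added example, not code from the original article: it assumes the ExchangeOnlineManagement module and an account allowed to read mailboxes and inbox rules, and the function and variable names are illustrative.

```powershell
# Added example: list mailbox forwarding settings and inbox rules that
# point at addresses outside the tenant's accepted domains.
Connect-ExchangeOnline

# Domains owned by the tenant; any other domain is treated as external.
$InternalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }

function Get-ExternalSmtpAddress {
    # Extracts SMTP addresses from values such as "smtp:user@example.com" or
    # '"Name" [SMTP:user@example.com]' and returns those outside the tenant.
    param([string[]]$Value)
    foreach ($Item in $Value) {
        foreach ($Match in [regex]::Matches($Item, '[\w.+-]+@[\w-]+(\.[\w-]+)+')) {
            $Domain = $Match.Value.Split('@')[-1]
            if ($Domain -notin $InternalDomains) { $Match.Value }
        }
    }
}

$Findings = foreach ($Mbx in (Get-Mailbox -ResultSize Unlimited)) {

    # 1. SMTP forwarding address set on the mailbox (for example, through OWA options).
    foreach ($Addr in (Get-ExternalSmtpAddress $Mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{
            Mailbox = $Mbx.UserPrincipalName
            Source  = 'ForwardingSmtpAddress'
            Detail  = "DeliverToMailboxAndForward: $($Mbx.DeliverToMailboxAndForward)"
            Target  = $Addr
        }
    }

    # 2. ForwardingAddress points at a directory recipient. Mail contacts and
    #    mail users deliver outside the tenant, so flag those recipient types.
    if ($Mbx.ForwardingAddress) {
        $Recipient = Get-Recipient -Identity $Mbx.ForwardingAddress -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($Recipient.RecipientTypeDetails -in 'MailContact', 'MailUser', 'GuestMailUser') {
            [pscustomobject]@{
                Mailbox = $Mbx.UserPrincipalName
                Source  = 'ForwardingAddress'
                Detail  = $Recipient.RecipientTypeDetails
                Target  = $Recipient.PrimarySmtpAddress
            }
        }
    }

    # 3. Inbox rules that forward or redirect to an external address.
    foreach ($Rule in (Get-InboxRule -Mailbox $Mbx.UserPrincipalName -ErrorAction SilentlyContinue)) {
        $Targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
        foreach ($Addr in (Get-ExternalSmtpAddress $Targets)) {
            [pscustomobject]@{
                Mailbox = $Mbx.UserPrincipalName
                Source  = 'InboxRule'
                Detail  = "$($Rule.Name) (Enabled: $($Rule.Enabled))"
                Target  = $Addr
            }
        }
    }
}

$Findings | Sort-Object Mailbox, Source | Format-Table -AutoSize
"{0} external forwarding configuration(s) found" -f @($Findings).Count
```

Each row is a candidate for review: either the forward has a business justification, or it should be removed and the account checked for compromise.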

Allowing Automatic Forwarding for Specific Users

The default outbound spam policy is always active and cannot be disabled. If you want to stop mail forwarding in general and allow it for specific people, you should create a custom outbound spam filter policy and add the people and distribution lists to that policy. As you can see in Figure 3, SMTP addresses are used to specify people and distribution lists, not display names.

Figure 3: Configuring a custom outbound spam filter policy
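
The same configuration can be scripted. This is an added example rather than the article's own code; it assumes the ExchangeOnlineManagement module, and the policy name and sender addresses are placeholders.

```powershell
# Added example: block automatic external forwarding by default and allow
# it only for named senders through a custom outbound spam filter policy.
Connect-ExchangeOnline

# Show the forwarding mode of every outbound spam filter policy in the tenant.
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, IsDefault, AutoForwardingMode

# Pin the default policy to Off instead of relying on what Automatic resolves to.
$Default = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault }
Set-HostedOutboundSpamFilterPolicy -Identity $Default.Identity -AutoForwardingMode Off

# Placeholder values: replace with the approved senders for your tenant.
$PolicyName      = 'Approved External Forwarding'
$ApprovedSenders = 'approved.user1@contoso.example', 'approved.user2@contoso.example'

# The custom policy carries the setting (forwarding On)...
if (-not (Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.Name -eq $PolicyName })) {
    New-HostedOutboundSpamFilterPolicy -Name $PolicyName -AutoForwardingMode On | Out-Null
}

# ...and the rule scopes the policy to specific senders by SMTP address.
# Distribution lists go in -FromMemberOf instead. Values within one condition
# are ORed, but different conditions are ANDed, so combining -From and
# -FromMemberOf in one rule narrows the scope rather than widening it.
if (-not (Get-HostedOutboundSpamFilterRule | Where-Object { $_.Name -eq $PolicyName })) {
    New-HostedOutboundSpamFilterRule -Name $PolicyName `
        -HostedOutboundSpamFilterPolicy $PolicyName `
        -From $ApprovedSenders -Priority 0 | Out-Null
}
else {
    Set-HostedOutboundSpamFilterRule -Identity $PolicyName -From $ApprovedSenders
}

# Confirm which senders are exempt and in what order the rules apply.
Get-HostedOutboundSpamFilterRule | Sort-Object Priority |
    Format-Table Name, State, Priority, From, FromMemberOf, HostedOutboundSpamFilterPolicy
```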

A Good Change to End a Bad Practice

There’s not much to argue about in this change. Automatically forwarding mail to an external address is not good practice. If someone really needs to forward email to an external address, they should be able to quantify the need in terms of a business justification to be added to a custom outbound spam filter policy. I doubt that many will be able to come up with such a justification, but those who do will be able to continue while the rest of the organization remains just a little bit safer.


Need to know more about the various policies used by Exchange Online to manage mail transport? It’s all described in the Office 365 for IT Pros eBook.

Microsoft Improves Teams Together Mode with New Background Scenes https://office365itpros.com/2020/11/11/microsoft-improves-teams-together-mode-new-scenes/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-improves-teams-together-mode-new-scenes https://office365itpros.com/2020/11/11/microsoft-improves-teams-together-mode-new-scenes/#comments Wed, 11 Nov 2020 08:41:52 +0000 https://office365itpros.com/?p=32974

Combining Video Feeds Into a Common View

Announced in Office 365 notification MC225405 (29 October), Microsoft will make new scenes available for use with its Together Mode feature in mid-November. This is Microsoft 365 roadmap item 68749.

Together mode is intended to give participants in Teams meetings a more interesting and engaging experience than the standard gallery layout. The implementation isolates the head and shoulders of each video-enabled participant and combines these snippets with a background (scene) to create the impression that everyone is seated together in a shared space. Up to now, the only available background looks like seats in a theater.

Together mode is available when there are five or more participants in a meeting. Only organizers and presenters can enable together mode for a meeting. More information about the effective use of Together mode is available in this Microsoft article.

Update December 9: Microsoft has released a holiday background scene for Together mode.

New Scenes for Together Mode

Microsoft has shown other background scenes for together mode in conferences and now they are bringing that capability to customer tenants. MC225405 says that after starting together mode in a meeting, you can select a different scene to use as the basis for the shared space by choosing the Change scene option (Figure 1).

Figure 1: Teams Together Mode now has a Change Scene option

Teams displays the set of scenes (Figure 2). These are:

  • Theater (the original Together mode scene).
  • Cinema.
  • Curved conference theater.
  • Curved outside amphitheater.
  • Round boardroom table.
  • Straight boardroom table.

The first four scenes are suitable for large meetings up to the 49-participant limit Teams can display. The boardroom scenes can be used with smaller gatherings (5 feeds can be shown).

Figure 2: Scenes for Teams Together Mode

To reduce processing demands, Teams combines video feeds in the back end before sending a single feed to clients. This means that everyone sees the same scene. It’s not a great idea to switch between scenes in a meeting. Instead, select the most appropriate scene at the start and stay with it.

I have many small meetings and like the straight boardroom scene, which looks as if it uses a background taken in Silicon Valley or perhaps the Redmond/Bellevue area. As Figure 3 shows, from an aesthetic perspective, the effectiveness of the combined feeds is dependent on the positioning of workstation cameras. If everyone’s camera is in approximately the same position, the combined scene looks quite natural. If not, it is less effective.

Figure 3: Using a boardroom scene in Teams Together Mode

Update to Teams Meeting Recordings

The other notable update is MC225568 (30 October) to let tenants know that Teams meeting recordings will now use a 3×3 gallery view instead of a 2×2 view as previously. This is Microsoft 365 roadmap item 68935. Rollout is now proceeding with the aim of completion soon.

Recordings use a different video feed than the one delivered to meeting participants. After Microsoft started to increase the number of participants who could be viewed in a meeting from the original 2×2 to 3×3 and then 7×7, it was noted that the recording didn’t match what participants saw. Microsoft said that they’d improve the view, which is what they have now done.

The same meeting view is used when Teams saves recordings in OneDrive for Business rather than Stream.


To stay current with developments in all the Office 365 apps, subscribe to the Office 365 for IT Pros eBook and receive monthly updates about the most important and interesting changes.

Quadrotech and Quest Combine https://office365itpros.com/2020/11/10/quadrotech-and-quest-combine/?utm_source=rss&utm_medium=rss&utm_campaign=quadrotech-and-quest-combine https://office365itpros.com/2020/11/10/quadrotech-and-quest-combine/#respond Tue, 10 Nov 2020 15:28:33 +0000 https://office365itpros.com/?p=34127

The news that Quest Software has bought Quadrotech Solutions AG broke today. As the (now-ex) chairman of the Quadrotech board, you can say that I was a little invested in the project. It’s nice to see it complete as I think that the two Q’s are a good match. Both, for instance, showed immaculate taste by sponsoring the Office 365 for IT Pros eBook. We thank Quest for their sponsorship of the 2021 edition, which allows the writing team to spend more hours investigating, probing, understanding, and eventually writing about Office 365.

ISVs and the Microsoft 365 Ecosystem

A healthy ISV community is important for an ecosystem like Microsoft 365. Microsoft grew large Exchange and SharePoint on-premises businesses thanks in no small part to the way that ISVs filled functionality gaps.

It’s more difficult inside Office 365 because many of the techniques ISVs can use with on-premises servers are unavailable. It becomes even more challenging when Microsoft ships new features on what seems like an almost daily basis.

I still think that ISVs have a future in the Microsoft 365 ecosystem. It’s harder to find the gaps to fill, but ISVs do take on challenges that Microsoft doesn’t want to invest in because of complexity, potential support cost, or it’s not aligned with their business goals.

Great Technology Solves Problems

Tenant to tenant migration is a good example. It’s never going to be a cookie-cutter solution because every company is different and the task of combining or splitting organizations varies based on their business needs, regulatory environment, and timing. Microsoft is working in this space, but I consider their vision to be very limited. I doubt that any solution engineered to move data from one Office 365 tenant to another can process everything automatically: there are just too many moving parts across Azure Active Directory, Exchange Online, SharePoint Online, OneDrive for Business, Teams, and Stream to make everything fall into place at the touch of a button.

But that doesn’t mean that you can’t innovate to solve individual aspects of the overall challenge, and work hard over time to bring meaningful automation to the table. When I look at the transformational technology Quest now has from its acquisitions of Metalogix, Quadrotech, and Binary Tree, I think great strides can be made in tenant-to-tenant automation, especially when driven by some of the people I know to work in this area.

More ISV Consolidation to Come

I expect more consolidation to happen within Office 365 ISVs. Scale matters, especially to protect cash flow at a time when the pandemic created some unique (and tight) business conditions, and investment is needed to drive new technology forward. Quadrotech could have survived on its own, but it will do much better as part of the Quest Platform Management group.

The Experts Conference

Speaking of Quest, their The Experts Conference (TEC) takes place (virtually) next week (November 17-18). There’s still time to register to listen to a great lineup of speakers, including my session about sensitivity labels (I know, thrilling!). Quest even had me make a video to explain why I think TEC is such a great event.

The Experts Conference is next week

How to Support Manager-Assistant Scenarios in Teams https://office365itpros.com/2020/11/10/support-manager-assistant-scenarios-teams/?utm_source=rss&utm_medium=rss&utm_campaign=support-manager-assistant-scenarios-teams https://office365itpros.com/2020/11/10/support-manager-assistant-scenarios-teams/#comments Tue, 10 Nov 2020 08:29:04 +0000 https://office365itpros.com/?p=33999

An Email Scenario Unknown in Teams

The traditional “manager-assistant” scenario is well-known in the world of email. Applications like Exchange Online include a wide range of features to support the ability of the assistant to perform actions as if they were the manager. These actions include sending messages as the manager (impersonation), on behalf of the manager (pp, or “per procurationem”), creating meetings and appointments in the manager’s calendar, and so on. In Outlook terminology, the assistant has delegated access to the manager’s mailbox. Delegate access is supported in Outlook desktop, OWA, and Outlook mobile.

Teams is very much an application built for personal interaction that doesn’t support delegation of messaging functionality to other users (call delegation is supported). As such, Teams doesn’t offer equivalent functionality to help an assistant support someone else, which creates a challenge for people who’d like to move some of their communications from email to Teams.

Personal Chats

Chats are personal, so the question is why an assistant should have access to personal interactions which might be highly confidential. Because delegation isn’t supported, if a manager wants their assistant to be able to read and respond to personal chats, the assistant must be able to sign in as the manager, perhaps using a private browser window because Teams desktop clients don’t currently support multiple work accounts.

There’s an obvious problem here. Apart from the undesirability of sharing passwords for manager accounts, these accounts should be protected with multi-factor authentication because they are otherwise prone to business email compromise attacks. The assistant therefore must be able to authenticate themselves to gain access. Using authentication methods like Windows Hello, SMS to a mobile phone, FIDO2 key, or the Microsoft Authenticator app isn’t really possible, which leaves us with MFA calling a phone number for the assistant to answer and respond with a PIN. Sharing a PIN is not good security practice, so it’s not recommended.

Channel Conversations

Participating in channel conversations is easier because the assistant can be added as a member of the teams where the manager might want to post or respond to topics. The problem is that the assistant can’t post as the manager in the same way as they can send email, so some convention is needed to let the other team members know that a post by the assistant is on behalf of the manager. Perhaps the old “pp” convention will work, or the assistant could @ mention the manager to indicate their knowledge and approval of the post. Another suggestion is that the manager include the name and a link to their assistant in their Teams status so that people see this information when they @ mention the manager… and will know who they should contact if they need action.

Some channel conversations are likely to be very confidential. These can be restricted to private channels where the manager but not the assistant is added to the channel membership. Of course, this means that the manager must access the channels to see the confidential content (or the manager gives their password to the assistant to do so on their behalf).

Calendar Delegation

For calendar delegation, the best approach is for the assistant to continue using Outlook desktop or OWA to manage the manager’s calendar. Although Microsoft is steadily building out the functionality available in the Teams calendar app, Outlook’s calendar functionality is more developed, especially in the area of dealing with multiple calendars.

It’s as easy to create a Teams meeting from Outlook as it is through Teams. The things to remember are:

  • The Teams Meeting add-in for Outlook only supports creation of meetings in the same calendar as the mailbox owner. This means that Teams meetings created from Outlook have the assistant as the organizer. The email notifications for the meeting come from the assistant, not the manager.
  • To make sure that the meeting shows up on the manager’s calendar, add them as an attendee. Remember to add the manager as a presenter if they plan to present during the call.

Apps

Teams is increasingly becoming the fulcrum for many Microsoft and third-party apps. The authentication approach taken for Teams will cover Microsoft apps, like Microsoft Lists or Tasks in Teams. Separate arrangements must be made for third-party apps, which might or might not support some element of delegation.

Offline Access

Teams doesn’t have the same kind of comprehensive offline capabilities available in Outlook desktop. If people want to access Teams conversations offline, they must open the relevant channels or chats before they go on the road.

Tasks

The Tasks in Teams app supports shared tasks in a Planner plan which can be accessed by a manager and their assistant.

Printing

Some folks still like to have messages printed for review before meetings or when they travel. Teams doesn’t include any printing capabilities, so if someone wants to print a channel message or personal chat, they’ll need to use the Share to Outlook feature and print the message there.

In Summary

Even though Teams has reached 115 million daily active users, no massive demand seems to exist for Microsoft to support delegation in Teams (at the time of writing, this user voice request has gathered just 33 votes). This might be because managers with a more traditional mindset have not yet made the transition, or maybe it’s because everyone is embracing new ways of working and communications. Who knows!


To learn more about Teams and email co-operation, read Chapter 11 of the Office 365 for IT Pros eBook. Updated monthly to make sure that the text you read is as up to date as we can make it.

Adding a Personal Account to the Teams Desktop Client https://office365itpros.com/2020/11/09/add-personal-account-teams-desktop/?utm_source=rss&utm_medium=rss&utm_campaign=add-personal-account-teams-desktop https://office365itpros.com/2020/11/09/add-personal-account-teams-desktop/#comments Mon, 09 Nov 2020 01:00:00 +0000 https://office365itpros.com/?p=33895

No Support for Multiple Work Accounts (Yet)

Much fuss and bother resulted in the interweb last week when commentators (including the redoubtable Mary-Jo Foley) decided that Teams would soon support multiple accounts. The origin of the idea came from a reading of Microsoft 365 roadmap item 68845, titled “Microsoft Teams: Additional settings for multiple Accounts and Organizations.”

Teams Has Problems with Multiple Accounts

Today, Teams clients allow a single work account per profile. Connections to multiple tenants can be in the profile, but the same account is used everywhere. The account belongs to a home tenant and is an Azure B2B collaboration guest account in the other tenants. All the accounts (home and guest) are linked to the same user principal name. People who need to use multiple accounts, like consultants who work with multiple customers, can work around the issue by using web apps for each tenant or private browser sessions. These are effective solutions, albeit kludgy.

A better solution would be to allow a Teams profile to support connections to multiple tenants from multiple accounts. Each connection would have an associated account, and when the client switched connections to another tenant, it would authenticate using the associated account. The Teams engineering group know that being able to switch between multiple work accounts is a popular requirement. The last update (November 5) covers what’s in roadmap item 68845 and says that “Support for multiple work accounts is still being worked on and will come at a later date.”

Teams at Home and Mobile Clients

Account switching is supported in the Teams mobile clients to allow users to move between work tenants and Teams for home. When you add a connection to Teams for home in a mobile client, you link the connection to a personal account, and when the client connects to Teams for home, it authenticates using the associated personal account. Even though I am uncertain about how compelling Teams at home is, the implementation of multiple accounts shows the way Teams can support multiple accounts in a profile.

Accommodating Personal Accounts in Teams Desktop

But that’s not what the roadmap item promises. Instead, it’s simply a matter of updating the Teams desktop client to bring it to feature parity with the mobile client. The description says: “We’re adding support within Teams desktop to be able to add one personal account, along with one work/school account, change their profile picture, and switch between accounts and orgs through Settings.” In the defense of those who read more into the roadmap item than it actually promises, Microsoft added the caveat about one personal account after the initial reports appeared.

Just like the mobile client, you’ll be able to add a single personal account to a Teams profile. The account switcher in the Teams desktop client is being updated to allow the addition of a personal account (Figure 1).

Figure 1: Adding a personal account to the Teams desktop client

When the personal account is added to the profile, you’ll be able to switch to it just like switching to a guest account in another tenant. In Figure 2, you see a work account at the top of the new account switcher (see below) with a list of tenants below. At the bottom, you see a personal account.

Figure 2: Listing connectable tenants and a personal account in the Teams desktop client

Overhauled Account Switcher

Part of the work to support personal accounts is an overhaul to the way the Teams client displays organizations and accounts available to a user (described in MC226759 of 13 November). Instead of the old-style account listing exposed when clicking the organization name in the title bar (Figure 3), Teams moves the set of organizations an account can access to a new Accounts & Orgs switcher under the avatar (user photo). The Accounts & Orgs switcher is what you can see in Figure 2. This change is rolling out in mid-November.

Figure 3: Old-style account listing

Work and personal experiences run in separate windows to differentiate between personal and work activities.

Update Rolling Out in November

Office 365 notification MC226037 published on 6 November confirms that the roll-out for the update to the Windows and Mac clients (no mention of the Linux client) will start on November 19, with multiple phases being used to deliver the update to tenants.

You can disable the ability of users to add private accounts by configuring registry settings on workstations to limit sign-in access to specific tenants.

The signs are that we must wait until next year (at least) to see an upgraded account switcher in Teams desktop clients which accommodates multiple work accounts. In the interim, those who want to use Teams at home with the desktop client will be delighted with the coming update.


Lots more information about using Teams can be found in Chapter 11 of the Office 365 for IT Pros eBook. Chapter 12 talks about managing Teams, which is rather a good idea… unmanaged software is seldom a good thing.

Microsoft Removes EEEU Permission from OneDrive for Business Accounts https://office365itpros.com/2020/11/06/eeeu-onedrive-finished/ Fri, 06 Nov 2020 00:21:56 +0000

Update Rolling Out to Remove EEEU from pre-August 2019 Accounts

Everyone except external users (EEEU) is an internal SharePoint group automatically populated with all tenant users. The intent behind the group was to facilitate easy internal sharing. The need to share still exists, but a good case can be argued that better methods exist to achieve the need today, whether it’s something like an org-wide team or a Microsoft 365 dynamic group.

In August 2019, Microsoft implemented new default settings for OneDrive for Business accounts which meant that accounts created after this point do not include EEEU in OneDrive site permissions. For instance, my Office 365 account was created in 2011. OneDrive shows read access for EEEU in the list of permissions assigned to the account. You can check permissions through the site permissions section of site settings.

Figure 1: The EEEU permission listed in the permissions for a OneDrive for Business account

Note: The fact that EEEU permission is included in site permissions does not mean that everyone in the organization has access to the account owner’s OneDrive for Business document library. It’s there to enable access to items stored in OneDrive, not to grant general access to everything.

EEEU Removed from Older Accounts

What’s changing is that Microsoft is rolling out an update to these older accounts to align them with the settings used for accounts created since August 2019. As described in Office 365 notification MC225111, published on October 26, the update will remove EEEU from site permissions and perform a full permissions reset on any personal list stored in OneDrive. Microsoft says that “the result will be that any users that these personal lists were previously shared with will be unable to view the list until the list owner reinstates the sharing permissions.”

The change is due to start rolling out in early November and will continue through the end of 2020.

It’s hard to gauge how much effect this change will have. Microsoft has tweaked the sharing arrangements in OneDrive for Business before when they stopped creating a Shared with Everyone folder in all accounts in 2017. That didn’t cause too much fuss, but many fewer people were using OneDrive for Business at that time, and Lists have received new life with the launch of the Microsoft Lists app.

No Method Available to Analyze Tenant

Microsoft isn’t providing a method to allow tenant administrators to understand which accounts are affected and how many lists are involved. The exact number affected comes down to people with older accounts who exploit the permission to share personal lists with internal users, and that’s going to be different from tenant to tenant. Clearly, the change will have zero impact on accounts created since August 2019 because these users have had to set explicit permissions to share personal lists with internal users.

If your tenant uses a lot of lists stored in OneDrive (not SharePoint), you might want to create a list of accounts created before August 2019 and check with these users to understand if they have lists in active use that depend on the EEEU permission.


For more interesting and useful information about SharePoint Online and OneDrive for Business, read Chapter 8 of the Office 365 for IT Pros eBook.

How to Resolve Duplicate Outlook for iOS Contacts https://office365itpros.com/2020/11/05/resolve-duplicate-outlook-ios-contacts/ Thu, 05 Nov 2020 01:00:18 +0000

Outlook, iCloud, and Contacts

I last wrote about managing contacts in Outlook mobile in March 2017. Lots has happened since, especially to expand the functionality of Outlook mobile. But one thing that hasn’t changed is the frustration of multiple contacts in Outlook for iOS. I can’t say if the same thing happens in Outlook for Android because I have never used that client (in anger).

In any case, to set the context for iOS, we know that synchronization of Outlook contacts is one-way from Exchange Online to the device. Outlook for iOS needs a synchronization target to get contacts to the native contacts app. Often iOS contacts are stored in iCloud. In this case, Outlook synchronizes contacts to the contacts app and the contacts app then synchronizes to iCloud.

One advantage of storing contacts in iCloud is that this handles contact synchronization with multiple Apple devices (for example, an iPhone and an iPad). However, in this scenario, Microsoft recommends that contacts for an account are only saved on one device as otherwise the potential for contact duplication becomes very high.

Originally you could only add, update, or remove contacts through Outlook desktop or OWA, but in 2017 Microsoft added the ability to add, edit, and delete contacts through mobile clients. Contacts added through the iOS contacts app aren’t known to Outlook and therefore don’t synchronize back to the contacts folder in the user’s mailbox.

Outlook Contact Synchronization

Updates made in Outlook contacts (in desktop, OWA, or mobile) are synchronized by Outlook mobile to the iOS contacts app. Outlook must be running in the foreground (or active in memory) for synchronization to occur. Outlook contacts are clearly marked when viewed through the iOS contacts app because Outlook creates an application-specific link for the contact (Figure 1). When clicked, the link opens Outlook and displays the contact details.

Figure 1: The link to Outlook in an iOS contact record

The contact synchronization mechanism is different in Outlook for Android and isn’t handled here. However, the basics are similar. Outlook synchronizes with the native contact app and handles contact updates processed on the device.

Synchronization Woes

Synchronization glitches can happen from time to time. Microsoft is working with Apple to resolve why errors occur, especially in synchronization of Outlook contacts from iCloud to multiple devices. Making sure that Outlook mobile only saves contacts for an account on a single device is an easy step to limit the potential for duplication.

The symptoms of synchronization glitches might not be immediately obvious. In fact, they’re more likely to accrue over time. One day you might realize that something’s up when you look at your iOS contacts and find that duplicate contacts exist or that a bug caused bad contacts to be created. For instance, Figure 2 shows that a set of contacts are listed as “Microsoft.” This came about when I updated a bunch of contacts in Outlook to set their company to be Microsoft.

Figure 2: A synchronization error creates some odd iOS contacts

The Solution

One solution is to wait 24 hours for Outlook’s internal contact reconciliation process to run. The reconciliation process is designed to iron out synchronization problems. Most people aren’t aware that the process runs in the background to do things like quashing duplications, so you can leave Outlook alone to solve any problems it finds.

Those who want more immediate action can run one of the many duplicate contact detection and merge apps available in the iOS app store. However, Outlook is the master source for its contacts, so fixing issues on the device isn’t a good solution. Sometimes you need to go all in and have Outlook resynchronize all its contacts to the device. Here’s how to force a complete resynchronization:

Disable Save Contacts

In Outlook for iOS, open Settings and select your Exchange Online mailbox. Turn the Save Contacts slider (Figure 3) to Off. You’ll be asked what to do with the Outlook contacts saved on your iPhone. Select Delete from my iPhone. The last time I cleaned up, Outlook removed 1,522 contacts (most of these are synchronized from LinkedIn).

Figure 3: Turning Save Contacts Off for an Office 365 account

Check Contacts

Open the iOS Contacts app and check that the problems previously observed are resolved. If not, you can force a complete resynchronization with Outlook with these steps:

  • Go to the Help and Feedback section of Outlook settings.
  • In the Troubleshooting section, select Delete All Saved Contacts.

Outlook reports that it will retain the contacts and only remove them from the contacts app (and subsequently from iCloud) and the device (Figure 4).

Figure 4: Deleting saved iOS contacts

Then go back to Settings, select your Exchange Online account, and reenable Save Contacts for the mailbox to restart the synchronization. You’ll be asked if you want to save your Outlook contacts to your device. Once you confirm, Outlook mobile will download the contacts from your Exchange Online mailbox to the device. You might see a prompt to plug in to a power source while this happens. I never had a problem running this process several times at different states of device power, but I guess it might be a factor if you wanted to resynchronize thousands of Outlook contacts over a slow connection.

Validate Your Contacts and Good to Go

The last step is to check contacts through the iOS app. At this point, you should see contacts that you have added on the device (or indeed, those added by Siri) and the set synchronized by Outlook. The process described above is a sort of fundamental reset to resolve all the synchronization errors since the last full download. Although I can’t guarantee it will work for you, and it won’t do anything to fix errors in contacts added manually, it’s done a good job for me.


Client-side stuff can be terribly specific to a device and versions of the app and operating system. We tend to stay away from this level of detail about mobile apps in the Office 365 for IT Pros eBook, but we like the ability to publish stuff like this here.

How to Leave a Microsoft 365 Tenant by Removing Your Guest Account https://office365itpros.com/2020/11/03/leave-microsoft-365-tenant-removing-account/ Tue, 03 Nov 2020 01:00:44 +0000

Teams Creates Many Guest Accounts

Propelled by the success of Teams, guest accounts are becoming more popular across the Microsoft 365 ecosystem. There’s goodness and badness here. The good comes from being able to share and collaborate through the Microsoft 365 group membership model and Azure B2B collaboration. The bad is that it’s easy to accumulate a large set of guest accounts from different tenants (organizations) over time. For instance, Teams is used by many conferences to deliver online events, so I now have guest accounts in five organizations used for just that purpose.

Because Teams makes users switch focus to a different tenant to access resources there, guest accounts are more obvious in Teams than in any other Office 365 application. It can become distracting when you have a long list of tenants to choose from when the time comes to switch. Should I just dip into that tenant to see what’s going on there? Or which tenant has that information I’m looking for?

By comparison, guests access SharePoint Online and OneDrive for Business documents and folders via URLs and sharing invitations which look like those used for content stored in the tenant. And guests participating in Outlook group conversations do so via email, just like they’d send messages to any other distribution list.

Tenant administrators have their own challenges to manage guest accounts in the tenant’s Azure AD instance. Last July, I wrote about the lack of visibility tenant administrators have about the other Microsoft 365 tenants where people have guest accounts. And it can be hard to figure out when guest accounts are past their best-by date and should be removed because they are unused (but here’s one approach).

Removing Your Guest Account from a Tenant

The simple fact is that tenant administrators are busy people and tend to leave guest accounts alone, even those which aren’t in active use. If you want to clean up the list of organizations you belong to, you can do so as follows. The first step is to open the Organizations section in your My account page to view the set of Azure AD tenants where you have a guest account (Figure 1). Microsoft has done a lot of work to improve the My account page recently to add features like the ability to see your account sign-in activity (My sign-ins). Overall, the page is easier to use and more informative, which is a good reason to check it out and highlight the page’s existence within your organization.

Figure 1: Listing the Microsoft 365 organizations (tenants) where you have a guest account

Select the organization you want to remove your account from and click Leave organization. If you are not already signed into that tenant, you’ll be asked to do so to authenticate your ownership of the account and right to remove it. I use a private browser session when cleaning up guest accounts because I have encountered some problems with the sign-in process in the past. Once connected to the target organization, you’ll be asked to confirm the decision to leave (Figure 2).

Figure 2: Confirming that you want to leave an organization

Clicking Leave starts the process of removing the guest account from the target organization. Once Azure AD has removed the account, you’ll receive an email confirmation that the deed is done (Figure 3). Removing the account has the effect of removing membership to all groups and teams and nullifying any sharing links to documents or folders in the tenant. In short, you’re now a nobody in the eyes of that tenant.

Figure 3: Confirmation that your guest account has been removed from a tenant

Caching means that it takes a little longer before all traces of your membership of a now-left tenant disappear. For instance, the list of organizations you belong to won’t update immediately and it can take up to a day or so before Teams desktop and mobile clients refresh their local cache and pick up the new organization list. Because it works online, the Teams browser client is much faster at detecting changes in the set of organizations (Figure 4).

Figure 4: Teams lists the organizations an account can access

If You Need to Rejoin

If you leave a tenant and then find that you need to rejoin to access some resource, someone (an administrator or team/group owner) must extend another invitation to join. This will create a new guest account. After you accept the invitation, you’ll be able to access any resource in the tenant available to the account – but not resources you previously could access until that access is regranted.

For this reason, it’s unwise to leave a tenant until you know that you don’t need anything stored there.


Need to know more about how Office 365 tenants use Azure AD? Look no further than the words of wisdom you’ll find in the Office 365 for IT Pros eBook. Some of the words even make sense!

Office 365 for IT Pros Issues November 2020 Update https://office365itpros.com/2020/11/02/office-365-for-it-pros-november-2020-update/ Mon, 02 Nov 2020 01:00:58 +0000

Fourth Update for the 2021 Edition

The fourth update for Office 365 for IT Pros (2021 edition) is now available. Subscribers who bought the EPUB/PDF version through Gumroad.com can download the updated files from their account or by using the link in their receipt. Those who bought the Kindle version from Amazon can ask Amazon to make the updated files available to them. See our FAQ for more information.

The November update includes changes to 22 of the 24 chapters. We also updated the companion volume. You can find full information about the chapter changes in our change log. Among notable changes are:

  • New numbers for Office 365 usages (and Azure AD) plus updated SLA results (1).
  • SharePoint spaces is now GA and Syntex is available (8).
  • The Teams desktop client supports offline working. A new ARM64 client is available. Teams meeting recordings can be stored in OneDrive for Business (11).
  • Teams admin center supports more granular permissions control over third-party and LOB apps. The location for Teams compliance records in user and group mailboxes has changed (12/13).
  • Tasks in Teams is now GA (15).
  • New UI for creating retention labels (19).
  • Three new crucial audit events (21).
  • Microsoft believes Office 365 DLP policies are now equivalent to Exchange DLP policies. New sensitive data types (22).
  • Double-key encryption is available for sensitivity labels. Scoping for sensitivity labels (for either information protection or container management or both) is available, so lots of screen shots updated (24).

In addition, there’s a bunch of small detail changes which are important but never get headlines. It’s just part of keeping the book updated and accurate to as high a level as we can.

We encourage our subscribers to download the latest files. There’s no point in paying for updates if you don’t use them! And if you haven’t yet subscribed to Office 365 for IT Pros, what information are you missing every month?

How to Use the Teams Meeting Add-in for Outlook https://office365itpros.com/2020/10/30/teams-meeting-add-in-outlook/ Fri, 30 Oct 2020 01:00:40 +0000

A Rather Useful Add-in

The Teams Meeting add-in for Outlook is installed automatically when Outlook starts if:

  • The user account is licensed to use Teams in the same Office 365 tenant.
  • Outlook is configured to use modern authentication. Exchange Online enables modern authentication by default for Office 365 tenants. It might be off (but shouldn’t be) for tenants created before August 1, 2017.
  • The Teams meeting policy assigned to the account allows the user to create personal meetings. All meetings created through Outlook are personal (rather than channel meetings, Meet Now meetings, or Live events). The Teams meeting policy for the account must also permit Outlook to load the Teams Meeting add-in.

If an account meets these criteria and Outlook desktop does not load the add-in automatically, the usual solution is to sign out of both Teams and Outlook, then restart Teams and connect to the home tenant. Finally, restart Outlook. The add-in should now detect the correct Teams configuration and load properly.

Meetings Created by Outlook

Teams personal meetings can be created by Outlook desktop (Windows and Mac), Outlook mobile, and OWA. Like a previous add-in for Skype for Business Online, its function is to allow users to create online meetings without having to use the calendar app in the Teams client. When Outlook creates a Teams meeting, the add-in creates the Teams thread for the meeting and populates the properties of the meeting to identify it as an online event, including the connection URL needed by participants to attend the meeting.

Administrators can configure a policy to create online meetings as the default for OWA, Outlook for Mac, and Outlook Mobile. Users of Outlook for Windows can configure client settings to make Teams online meetings the default.

Add-In Files and Registry Setting

Teams updates the Meeting add-in when it updates the desktop client. You can find information about where the add-in files are installed on Windows and how the add-in is launched in this post.

Updating Meeting Options

Until recently, the Teams Meeting add-in was only used to create new online events. The latest version of Outlook in the Current Channel (Preview) supports the ability to alter the settings for an event after it is scheduled (Figure 1). As I write, I am running build 2010 13328.20292 of the Microsoft 365 apps for enterprise, but the feature worked in the last released build too. The same capability doesn’t seem to be available in OWA or Outlook Mobile (yet). I haven’t tested Outlook for Mac.

Figure 1: Teams meeting options in the Teams Meetings add-in

To set meeting options, select a Teams meeting from the calendar and open it. You should see a Meetings Options choice in the menu bar (the icon might differ from that shown in Figure 1). Outlook opens the Teams meeting options dialog to update settings like who can bypass the lobby and join a meeting without being explicitly allowed in or if participants can unmute themselves during a call. The same web page is used as when meeting options are set from the Teams calendar app.

Figure 2: Setting options for a Teams meeting

Behind the scenes, Outlook uses a URL like that shown below to open the meeting options page:

https://teams.microsoft.com/meetingOptions?language=en-us&tenantId=b762313f-14fc-43a2-9a7a-d2e27f4f3478&organizerId=efe4cd58-1bb8-4899-94de-795f656b4a18&threadId=19_meeting_NTQwZjY3ZjItNGQ4ZC00NWU5LTk2ODYtMDA5YWQ1N2FhMjJm@thread.v2&messageId=0&correlationId=webclient:6c86e496-88ac-4088-b430-575895275a09

The URL includes:

  • Display language (en-us = U.S. English).
  • GUID to identify the Office 365 tenant (tenantId).
  • GUID to identify the Azure AD account of the meeting organizer (organizerId).
  • Thread identifier for the online event.

The URL for the meeting is among the properties stored by Outlook for the calendar event.

A Logical Change

Updating the Teams Meeting add-in for Outlook to support changing meeting options is a good change. Even though Teams is the Office 365 app getting most focus from Microsoft today, many people prefer to use Outlook as their fulcrum for work (and personal activity). And while they might use Teams for online meetings, it doesn’t make sense to disrupt their workflow and force them to open the Teams calendar app just to update a meeting setting.


There’s tons of useful and insightful information like this in the Office 365 for IT Pros eBook. Best of all, we update the information when Microsoft changes something. That way our subscribers always have the latest insight at their fingertips.

Signs of a Phishing Attempt Based on Office VoIP Voicemail Notifications https://office365itpros.com/2020/10/29/phishing-voip-voicemail/ Thu, 29 Oct 2020 01:01:00 +0000

Crude Attempt That Could Trap the Unwary

With an increasing number of people using services like Teams for voice communications, scammers are trying out new ways to lure unsuspecting victims to click phishing links. One example is the message I received on Wednesday (Figure 1) purporting to let me know that a voicemail is waiting.

Figure 1: Don’t click that Play Voice Message button

The message is a pretty crude attempt to convince anyone that it is a real voicemail notification. “Office VoIP” is used instead of a more believable service name (like Teams, Office 365, Microsoft 365) and the text contains spelling and grammar errors. The Play Voice Message button is clunky and the message comes from an account featuring three exclamation marks in its display name and an SMTP address of sam@v.c.smcozp.com.

Domain Built for an Attack

Looking up the domain with WHOIS, we find that it was registered on October 26 with Amazon.com. The message header tells us that the email came from a7-35.smtp-out.eu-west-1.amazonses.com, probably an SMTP server in a Western European datacenter that’s part of Amazon’s simple email service. In short, the domain was set up with the intention of being used for phishing attacks.

Outlook’s message header analyzer also tells us that the message passed Exchange Online Protection’s mail authentication anti-spam checks. The SPF pass is because the message came from a server authorized to send by Amazon. DKIM signature validation worked and DMARC’s result was a best guess pass.

spf=pass (sender IP is 54.240.7.35) smtp.mailfrom=eu-west-1.amazonses.com;; dkim=pass (signature was verified) header.d=v.c.smcozp.com;; dmarc=bestguesspass action=none header.from=v.c.smcozp.com;compauth=pass reason=109

The link to play the purported voicemail looks as if it will access a PDF file. I didn’t bother going any further.

url=https%3A%2F%2Fa.spiceworks.com%2Fcore%2Fclick%2F%3Facct%3Dm81-email%26direct%3Dtrue%26rt%3Dhttp%3A%2F%2Fej-group.com.my%2Ft-11-h11-v11-m11%2FdG9ueS5yZWRtb25kQHJlZG1vbmRhc3NvY2lhdGVzLm9yZw%3D%3D%2523%23c11c11n11b11k11u11o11b11.pdf&data=04%7C01%7Csome.person%40xxx.org%7Ce9645dd15a7f42495f0608d87b27fab9%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637394760921548631%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0&sdata=pJw%2BgCh2QxgfeIIgLeU7rkHvGJHQcbuwDDolW7lB6UY%3D&reserved=0

I’ve reported the message to Microsoft so that they can take steps to block future attempts from the same source. Outlook’s Report Message add-in makes this very easy.
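
The header and link checks described above can be scripted for triage. This is an added example, not code from the original post: it parses the authentication results quoted above and unwraps the rewritten link's url= parameter. The function names and finding labels are assumptions, and the base64 token in the link path is replaced with a constructed one (user@example.org).

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Copied from the post: authentication results recorded by Exchange Online Protection.
AUTH_RESULTS = (
    "spf=pass (sender IP is 54.240.7.35) smtp.mailfrom=eu-west-1.amazonses.com;; "
    "dkim=pass (signature was verified) header.d=v.c.smcozp.com;; "
    "dmarc=bestguesspass action=none header.from=v.c.smcozp.com;"
    "compauth=pass reason=109"
)

# url= parameter of the rewritten link from the post (data=/sdata= omitted).
# Constructed change: the base64 token in the path encodes user@example.org.
WRAPPED_LINK = (
    "url=https%3A%2F%2Fa.spiceworks.com%2Fcore%2Fclick%2F%3Facct%3Dm81-email"
    "%26direct%3Dtrue%26rt%3Dhttp%3A%2F%2Fej-group.com.my%2Ft-11-h11-v11-m11"
    "%2FdXNlckBleGFtcGxlLm9yZw%3D%3D%2523%23c11c11n11b11k11u11o11b11.pdf"
)


def parse_auth_results(header):
    """Return {method: {"result": ..., property: value}} for each clause."""
    parsed = {}
    for clause in header.split(";"):
        clause = re.sub(r"\([^)]*\)", " ", clause)  # drop (comments)
        pairs = re.findall(r"([\w.]+)=(\S+)", clause)
        if pairs:
            (method, result), props = pairs[0], pairs[1:]
            parsed[method] = {"result": result, **dict(props)}
    return parsed


def is_aligned(domain, from_domain):
    """Approximation: equal, or one domain is a parent of the other.
    A production check compares organizational domains (Public Suffix List)."""
    a, b = domain.lower().split("."), from_domain.lower().split(".")
    n = min(len(a), len(b))
    return n >= 2 and a[-n:] == b[-n:]


def auth_findings(header):
    """Explain what each 'pass' in the header does and does not prove."""
    res = parse_auth_results(header)
    spf, dkim, dmarc = (res.get(k, {}) for k in ("spf", "dkim", "dmarc"))
    from_domain = dmarc.get("header.from", "")
    findings = []
    if spf.get("result") == "pass" and not is_aligned(spf.get("smtp.mailfrom", ""), from_domain):
        findings.append("spf-pass-unaligned")  # SPF vouches for the relay's bounce domain only
    if dkim.get("result") == "pass" and is_aligned(dkim.get("header.d", ""), from_domain):
        findings.append("dkim-aligned")  # sender controls DNS of the From domain, nothing more
    if dmarc.get("result") == "bestguesspass":
        findings.append("no-dmarc-record")  # the From domain publishes no DMARC policy
    return findings


def redirect_chain(query_string):
    """Follow URL-valued query parameters inward; return every nested URL."""
    chain, pending = [], [query_string]
    while pending:
        for values in parse_qs(pending.pop()).values():
            for value in values:
                if re.match(r"https?://", value, re.I):
                    chain.append(value)
                    pending.append(urlsplit(value).query)
    return chain


def embedded_email(url):
    """Return an e-mail address base64-encoded in a path segment, if any."""
    for segment in urlsplit(url).path.split("/"):
        try:
            text = base64.b64decode(segment, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", text):
            return text
    return None


def link_findings(query_string):
    chain = redirect_chain(query_string)
    if not chain:
        return {}
    parts = [urlsplit(u) for u in chain]
    return {
        "hosts": [p.hostname for p in parts],
        "final_scheme": parts[-1].scheme,
        # ".pdf" sits in a URL fragment, which is never sent to any server
        "pdf_only_in_fragment": any(p.fragment.endswith(".pdf") for p in parts)
        and not any(p.path.endswith(".pdf") for p in parts),
        "recipient_token": embedded_email(chain[-1]),
    }


if __name__ == "__main__":
    print(auth_findings(AUTH_RESULTS))
    print(link_findings(WRAPPED_LINK))
```

The output shows why the authentication passes carry little weight here: they confirm that the sender controls a freshly registered domain, while the link bounces through a click-tracking service to a plain-HTTP host with a per-recipient token in the path.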

User Education

The problem with messages like this is that people often don’t look at the sender name or domain, question why large commercial organizations send poorly constructed messages, or even why they might be receiving such a message. The fear of losing out syndrome is exploited by attackers who rely on curiosity to lead people to click links. All we can do is continue to educate users to be careful and mistrust messages received from unknown sources.

For more information on running effective message hygiene defenses (a jazzy name for anti-spam), read Chapter 7 of the Office 365 for IT Pros eBook.

Half of Active Office 365 Users Now Use Teams https://office365itpros.com/2020/10/28/teams-115-million-users/ Wed, 28 Oct 2020 07:22:10 +0000

Teams Now at 115 Million Daily Active Users

Teams grabbed the headlines in Microsoft’s FY21 Q1 results in the Microsoft 365 space with a 53% jump in daily active user (DAU) numbers from 75 million reported in April 2020 to 115 million now. Adding 40 million active users over six months is impressive. It’s even better when you consider that Microsoft boasted a 13 million number in July 2019 (Figure 1) when it announced that Teams usage had surpassed Slack.

Figure 1: Growth in Teams Daily Active Users since November 2019

Adding 102 million daily active users in 15 months is a great streak that’s come on the back of people needing to work from home and leverage features like video and audio conferencing more extensively. Satya Nadella said: “Microsoft 365 users generated more than 30 billion collaboration minutes in a single day this quarter.” He was talking about Teams at the time, but this might also include Skype for Business Online use. Another interesting data point is that Teams is being used by nearly 270,000 educational institutions for remote learning.

Microsoft has responded to customer demand by shipping a huge number of improvements and new features to make Teams more usable, to push the boundary to accommodate larger numbers of people on calls, and to meet the needs of enterprises. Recently, Microsoft announced the intention to increase the number of members in a team to 25,000, up from 999 when Teams launched in 2017. Although the system sometimes shows signs of growth-created strain, Teams is obviously a huge success story.

Marketing drives demand, and in the case of Teams, the marketing spend needed to help create the level of growth now reported has become so large that it is cited as a reason why operating expenses for the Productivity and Business Processes segment (Office 365, LinkedIn, Dynamics 365, and some other smaller products) grew 4% in the last quarter (Figure 2).

Figure 2: FY21 Q1 results for Productivity and Business Processes (source: Microsoft)

Slower but Profitable Growth for Office 365

At times you’d be forgiven for thinking that Office 365 revolves around Teams (successful marketing!). In fact, Exchange Online and SharePoint Online are still larger workloads and without these Teams couldn’t function. At the same time, a lot of SharePoint Online usage is driven by Teams and the way that every Microsoft 365 group is provisioned with a team site for members to store documents in.

Curiously, Microsoft didn’t update the Office 365 active user number. They did talk about growth in the number of Office 365 consumer subscribers to 45.3 million, which is nice, but it’s not related.

The last number Microsoft gave for commercial Office 365 usage was six months ago, when they changed the metric and said that Office 365 had 258 million paid seats instead of monthly active users. This time, we learned that paid Office 365 commercial seats grew 15% year over year (CFO Amy Hood clarified that the figure was for paid seats not usage in their analyst briefing). In October 2019, Microsoft reported 200 million monthly active Office 365 users. If usage tracks payments for seats, a 15% year-over-year gain puts the current number for monthly active users at 230 million (Figure 3).

Figure 3: Office 365 Monthly Active User Growth since November 2015

If Office 365 has 230 million active users then Teams is now used by half that population, which is pretty staggering for an application launched in 2017.

Difference Between Paid and Active

The delta in the numbers between paid seats and active usage is large enough to make me think that:

  • Growth is slowing in Office 365. Amy Hood noted that Office 365 now accounts for “over 70 percent of our existing Office commercial paid installed base.” If Office 365 is at 258 million paid seats, then the overall base is around 360 million, including the on-premises servers. However, the organizations which remain on-premises are harder to move to the cloud and many have good reasons to stay on-premises, so the easy pickings which once existed aren’t around any longer.
  • Companies are being more cautious with software licensing. Layoffs and furloughs resulting from the pandemic allied to some company failures reduce the demand for Office 365 licenses.

For several years, Microsoft grew Office 365 active users at between 3-3.5 million per month. A 30 million uptick in a year is good, especially on top of a large base, but the growth rate is slowing to around 2.5 million/month. This might be why Microsoft was so reticent in reporting a new number. On the upside, Office 365 commercial revenue grew 21%, reflecting the continued success in upselling customers to higher priced licenses and to use add-ons like Microsoft 365 E5 compliance. Overall, Productivity and Business Processes delivered operating income of $5.71 billion and the overall revenue for commercial cloud reached $15.2 billion, or an annualized run rate of $60.8 billion. That’s three times the $20 billion target set by Satya Nadella in 2015, which was reached three years ago.

Tracking License Usage

Obviously, there’s a big difference between licenses sold and people using them to interact with Office 365. Many large organizations buy substantial numbers of licenses and don’t use them all, which is one reason why ISVs offer license management products to help companies reduce the number of licenses back to what they really need. While ISV products offer lots of features, our Graph-based usage analysis script can help find inactive accounts free of charge. Either way, eliminating a bunch of $35/month Office 365 licenses assigned to inactive accounts is a good way of boosting the bottom line.

Azure AD Closes in on 400 Million Monthly Active Users

According to Nadella, Azure AD has “nearly 400 million monthly active users.” As Office 365 users discovered with recent outages, when Azure AD has a problem, applications like Teams come crashing to a halt because users can’t authenticate. Let’s hope that Microsoft continues to work on bullet-proofing Azure AD to avoid recurrences of those incidents.


Chapter 1 of the Office 365 for IT Pros eBook is where we cover stuff like this. Things move so fast in Teams, Office 365, and Microsoft 365 that we republish the book monthly.

The Financial Times cited the data used in this article in their piece “Microsoft looks to make 2021 the year of Teams” on January 5, 2021. We must be going up in the world…

Planner Leak Allows External Recipients to Receive Task Comments https://office365itpros.com/2020/10/27/planner-leak-external-recipients-see-task-comments/?utm_source=rss&utm_medium=rss&utm_campaign=planner-leak-external-recipients-see-task-comments https://office365itpros.com/2020/10/27/planner-leak-external-recipients-see-task-comments/#comments Tue, 27 Oct 2020 01:00:30 +0000 https://office365itpros.com/?p=32336

How to Share Sensitive Information Outside Your Tenant Through Planner Comments

Planner is the Office 365 group-based task management app. I like it a lot and the Office 365 for IT Pros team uses Planner to track things we need to do for the book, including importing Office 365 notifications as they appear in the Microsoft 365 message center. Sometimes the Planner developers can be accused of not telling people about new developments in the app, but here’s an example of where something in the app just doesn’t work the way it should.

A recent request by Mike Tilson on Planner User Voice asks Microsoft to close off what he considers a potential security issue. The issue is easy to reproduce.

  • Create a new task in a plan and assign it to someone in the team.
  • Add a comment to the task. Depending on the email distribution settings for the underlying Microsoft 365 group, team members will receive an email with the comment. Alternatively, they can open the group mailbox to see the messages containing the comments there.
  • Reply to the message with the comment. Normally the message will go back to the person who created the comment and the Microsoft 365 group. Before you send the message, add the email address of someone else outside your tenant (not a guest account in the tenant).
  • The external recipient receives the comment and any further comment added to the task. They can reply to the messages they receive with comment updates and those responses are added as comments to the task, which is what you can see in Figure 1.
Figure 1: Comments from an external person show up for a Planner task

Figure 2 shows the message thread as viewed by the external recipient. It’s obvious that they could learn about some sensitive information through this mechanism.

Figure 2: Planner comments as seen in email by an external recipient

Obviously, people shouldn’t be able to add external recipients to task comments. The only people who should see this information are members of the team, which could include guests.

No Way to Fix the Problem

The big problem is that once an external recipient is added in this manner, there’s no way to highlight that an external person is receiving comment updates, nor can the plan owners remove the external recipient.

According to the user voice post, the problem was reported to Microsoft in a support ticket and the response came back that Planner is working “by design.” I can’t understand the logic of such an answer. There’s no good reason for anyone to design an app that allows possibly sensitive information to leak outside an organization without any method to prevent this happening or close the hole once it does. That doesn’t sound like normal Microsoft practice and it’s certainly not the response I would expect or accept from a product group.

It might be the case that the support agent handling the problem did not understand the potential impact that such a leak could have, but I think it’s more probable that the development group never anticipated that anyone would add an external recipient to a message containing comments and therefore did not think through what might then happen.

Vote for Change

If you’re concerned about this situation, please upvote the user voice request. I’ll share this information with some people who might take a more proactive stance than the support response. Let’s hope that this hole can be closed soon.

Revocation of Email Protected by Office 365 Message Encryption https://office365itpros.com/2020/10/26/ome-revoke-message/?utm_source=rss&utm_medium=rss&utm_campaign=ome-revoke-message https://office365itpros.com/2020/10/26/ome-revoke-message/#comments Mon, 26 Oct 2020 01:00:46 +0000 https://office365itpros.com/?p=32236

OWA Gets Remove External Access Feature

Office 365 notification MC216367 (updated August 27) announced that end users would be able to revoke messages protected by Office 365 Message Encryption (OME) if they are eligible for the advanced form of OME, licensed through Office 365 E5 or other licenses (like Microsoft 365 E5 compliance). OME allows users to encrypt or mark messages with Do Not Forward using OWA and Outlook desktop. Microsoft automatically enables OME for all Office 365 tenants with E3 or above licenses.

The new feature means that after you send a revocable message, you can use the Remove external access option to revoke access to the message (Figure 1). This feature is only available in OWA and only works for some external recipients (see below), but it’s still a nice option to have if you suddenly need to withdraw access to sensitive content that’s been distributed outside your tenant.

Figure 1: The Remove external access option in OWA for a protected message

In addition to being able to revoke messages sent with the standard OME Encrypt-Only or Do Not Forward protection, the Remove external access feature also works for messages with an Office 365 sensitivity label, which can use rights management based encryption to secure access to content. Figure 2 shows a message protected by the Financial Data sensitivity label. Revoking access for external recipients works in the same way.

Figure 2: Remove external access for a message protected by a sensitivity label

After the message is revoked, the OWA message header is changed to confirm that external access has been removed. At this point, any attempt by the recipient to open the content will be declined because “this message has been revoked by the sender.”

What Messages Can be Revoked

Revocation only works for external recipients. You can’t revoke a message delivered to recipients in your tenant. OME divides external recipients into two categories:

  • Accounts in Office 365 domains and Outlook.com: You can’t revoke messages delivered to these recipients.
  • Accounts in any other domain: Messages sent to these recipients can be revoked because the actual message is not delivered to their mailboxes. Instead, they receive a notification directing them to the OME portal. These notifications are called link-based messages. Recipients must authenticate with the OME portal by signing in or using a one-time passcode to access the protected content.

Revocation is possible for link-based messages because you can guarantee to block access at the OME portal. Revocation of messages delivered to other Office 365 domains or Outlook.com would require the ability to interfere with mail flow in those domains, and that’s not possible today.

Administrator Revocation

Prior to this development, protected messages could only be revoked by administrators using PowerShell or the Message encryption report in the compliance center. As the message encryption report is usually a few days behind real time and the need to retrieve sensitive information often makes revocation something that happens “now,” the best approach is to run a message trace in the new Exchange admin center (EAC) or the old Security and compliance center to find the message identifier and then revoke it with PowerShell.

Figure 3 shows the results of a message trace in the new EAC. After finding the message we want to revoke, we can check its properties to find the message identifier.

Figure 3: Finding the identifier for a message we want to revoke

After saving the message identifier, we can use it with the Get-OMEMessageStatus cmdlet to check if it can be revoked (see below).

$msgId = "DB7PR04MB44108EE5BE4CD44B7452E20A8B050@DB7PR04MB4410.eurprd04.prod.outlook.com"
Get-OMEMessageStatus -MessageId $MsgId

ObjectState  : New
Container    : SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@office365itpros.onmicrosoft.com

Subject      : Project Quarterdeck
ReceivedTime : 01/01/0001 00:00:00
Revoked      : False
IsRevocable  : True

In this case, the IsRevocable flag is True, so we can go ahead and revoke using the Set-OMEMessageRevocation cmdlet:

Set-OMEMessageRevocation -Revoke $True -MessageId $MsgId
The encrypted email with subject "Project Quarterdeck" and Message ID "DB7PR04MB44108EE5BE4CD44B7452E20A8B050@DB7PR04MB4410.eurprd04.prod.outlook.com" was successfully revoked.

Running Get-OMEMessageStatus for the message will now show that the Revoked property has changed from False to True and the recipient will no longer have access to the content.

One irritation is that Get-OMEMessageStatus shows that these messages can be revoked and you can try to revoke them with Set-OMEMessageRevocation (which tells you that the revocation is successful), but recipients will still have access to the messages. I guess the cmdlet can’t tell the difference between messages sent by link and those which go direct
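
The administrator procedure above, wrapped as one function, as an added example rather than code from the original article: it checks Get-OMEMessageStatus before and after calling Set-OMEMessageRevocation and lists the external recipients so that you can judge whether the revocation can take effect for them. The function name, the use of Get-MessageTrace and Get-AcceptedDomain to build the recipient list, and the two-day trace window are assumptions; an Exchange Online PowerShell session is required.

```powershell
# Added example, not code from the article. Revoke-OmeMessageChecked is a
# hypothetical helper name. Run it in an Exchange Online PowerShell session.
function Revoke-OmeMessageChecked {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Message identifier copied from the message trace properties
        [Parameter(Mandatory = $true)]
        [string]$MessageId,

        # How many days back to search the message trace (assumed default)
        [ValidateRange(1, 10)]
        [int]$TraceDays = 2
    )

    # Step 1: read the current OME state before changing anything
    $Before = Get-OMEMessageStatus -MessageId $MessageId -ErrorAction Stop

    # Step 2: list recipients outside the tenant's accepted domains.
    # Revocation only applies to external recipients, and only to those
    # who read the message through the OME portal (link-based messages).
    $Accepted = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })
    $Trace = @(Get-MessageTrace -MessageId $MessageId `
            -StartDate (Get-Date).AddDays(-$TraceDays) -EndDate (Get-Date))
    $External = @($Trace | ForEach-Object { $_.RecipientAddress } |
        Where-Object { $_ -and ($_.Split('@')[-1].ToLower() -notin $Accepted) } |
        Sort-Object -Unique)

    $Outcome = 'NotAttempted'
    if ($Before.Revoked) {
        $Outcome = 'AlreadyRevoked'
    }
    elseif (-not $Before.IsRevocable) {
        $Outcome = 'NotRevocable'
    }
    elseif ($PSCmdlet.ShouldProcess($MessageId, "Revoke '$($Before.Subject)'")) {
        # Step 3: revoke, then read the status again instead of trusting
        # the success text printed by the cmdlet
        Set-OMEMessageRevocation -Revoke $true -MessageId $MessageId -ErrorAction Stop
        $After = Get-OMEMessageStatus -MessageId $MessageId -ErrorAction Stop
        $Outcome = if ($After.Revoked) { 'Revoked' } else { 'RevokeNotConfirmed' }
    }

    # Step 4: report. IsRevocable and Revoked do not prove that access is gone
    # for recipients in Office 365 domains or Outlook.com, so the external
    # recipient list is returned for manual review.
    $Note = if ($Trace.Count -eq 0) {
        'No message trace rows found; recipient list could not be built.'
    }
    elseif ($External.Count -eq 0) {
        'No external recipients found; revocation has no effect on internal recipients.'
    }
    else {
        'Review the external recipients: those in Office 365 domains or Outlook.com keep access.'
    }

    [PSCustomObject]@{
        MessageId          = $MessageId
        Subject            = $Before.Subject
        Outcome            = $Outcome
        ExternalRecipients = $External
        Note               = $Note
    }
}

# Usage (the identifier is a placeholder, not a real message):
# Revoke-OmeMessageChecked -MessageId "<message-id-from-trace>" -WhatIf
```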


Detail like this leads to a couple of lines in the Office 365 for IT Pros eBook. Even a book spanning 615,000 words can’t cover everything in depth, which is why we have this web site. But that’s no reason to not subscribe to the book.

Microsoft Will Finally Retire Site Mailboxes in April 2021 https://office365itpros.com/2020/10/23/site-mailboxes-finally-retiring-april-2021/?utm_source=rss&utm_medium=rss&utm_campaign=site-mailboxes-finally-retiring-april-2021 https://office365itpros.com/2020/10/23/site-mailboxes-finally-retiring-april-2021/#comments Fri, 23 Oct 2020 01:51:39 +0000 https://office365itpros.com/?p=31746

Time to Kill Site Mailboxes

Office 365 notification MC224531 (October 19) came as a surprise because who could have known that site mailboxes are still around? After all, in January 2017, Microsoft announced their intention to block the creation of new site mailboxes. Nearly four years later, you might think that organizations had figured out how to dump these unfortunate creations.

The History of Site Mailboxes

Site mailboxes came about in a Microsoft effort to show that Exchange 2013 and SharePoint 2013 could work together to deliver value. In on-premises environments, the long checklist of steps needed to bring the two servers together put many off.

Figure 1: Site Mailboxes (image credit: Microsoft)

Things were much easier inside Office 365 where Microsoft took care of the configuration. Even so, site mailboxes were obsoleted by developments soon after they were released with the advent of Office 365 Groups (now Microsoft 365 Groups). Since Office 365 Groups came along, we’ve seen an increasing amount of integration across the Microsoft 365 ecosystem encouraged by the availability of a common platform (the substrate) and common Graph APIs.

In any case, the final curtain for site mailboxes descends in April 2021. Microsoft says that they will retire site mailboxes at that point.

If Your Tenant Has Site Mailboxes

If you didn’t receive the notification, Microsoft hasn’t found any site mailboxes in your tenant and you have nothing to worry about. Following Microsoft’s advice, I looked to see what site mailboxes existed and found three were present:

# Find details of site mailboxes known to the tenant
Get-SiteMailbox -BypassOwnerCheck -ResultSize Unlimited | Format-List Name, WhenCreated, SharePointUrl, Owners

Name          : SMO-Office365forExchangeProfessionals
WhenCreated   : 02/01/2015 10:33:33
SharePointUrl : https://office365itpros.sharepoint.com/O365Book
Owners        : {TRedmond, Ben Owens, Kim Akers}

Name          : O365-ExchangeConnections2015
WhenCreated   : 16/02/2015 11:22:14
SharePointUrl : https://office365itpros.sharepoint.com/Exchange Connections 2015
Owners        : {TRedmond}

Name          : SMO-Projects
WhenCreated   : 27/01/2014 20:36:50
SharePointUrl : https://office365itpros.sharepoint.com/Projects
Owners        : {TRedmond}

All the site mailboxes date from 2014-2015, right around the time when we first started working on the Office 365 for IT Pros book (the first two versions were called Office 365 for Exchange Professionals). Microsoft launched Office 365 Groups in November 2014 and we switched to Groups soon afterwards.

No trace of the SharePoint sites could be found. They might have been removed in the past during a purge of inactive sites. If the sites were available, their content could be retrieved using Office 365 content searches and exported (Microsoft has a script to do the job on GitHub).

Failure to Clean Up

Site mailboxes don’t really contain any real items. Instead, they hold stubs pointing to documents in SharePoint libraries. The stubs are small, so it’s easy to detect folders used for this purpose because they usually have many items but are quite small. A check of the site mailboxes with Get-ExoMailboxFolderStatistics revealed that there was nothing much in any mailbox:

# Get details of what's in site mailboxes
Get-ExoMailbox -RecipientTypeDetails TeamMailbox | Get-ExoMailboxFolderStatistics | Format-Table Name, ItemsInFolder

Site mailboxes have a recipient type of TeamMailbox because at one time that’s what they were going to be called. Luckily Microsoft changed the name to focus on sites as otherwise they would have had to find a new name for Teams.

In the knowledge that the site mailboxes were useless artefacts of the past, I tried to delete them. Unhappily, the attempt failed with some horrible errors because the linked SharePoint sites couldn’t be found:

Get-ExoMailbox -RecipientTypeDetails TeamMailbox | Remove-Mailbox

WARNING: Site mailbox "O365-ExchangeConnections2015" couldn't be unlinked from the SharePoint site "https://office365itpros.sharepoint.com/Exchange Connections 2015" because of the following error: "SharePoint site "https://office365itpros.sharepoint.com/Exchange%20Connections%202015" couldn't be
contacted because of the following the error: "WebException - Status:ProtocolError; Message:The remote server returned an error: (404) Not Found.;HttpStatusCode:NotFound;HttpStatusDescription:Not

I’m Leaving the Problem to Microsoft

I lost interest at this point. The site mailboxes don’t bother me and I’m sure Microsoft will clean up the mess when they retire site mailboxes next April. After ignoring the trio of site mailboxes for so long, I can wait a little longer. In the meantime, to avoid seeing any further trace of the site mailboxes, I hid them by running:

Get-ExoMailbox -RecipientTypeDetails TeamMailbox | Set-Mailbox -HiddenFromAddressListsEnabled $True

Others might not be in the same state and need to transition off site mailboxes to Microsoft 365 Groups (the logical choice). If so, follow Microsoft’s advice to export the content from your site mailboxes and let this unsuccessful foray into on-premises server integration fade into the background.


We dropped site mailboxes from the Office 365 for IT Pros eBook in 2016. But we have tons of other great information in the only book which tracks changes across Office 365 and has done so since 2015.

Teams Notifications Updated for Native OS Support and Better Privacy https://office365itpros.com/2020/10/22/teams-notifications-updates/?utm_source=rss&utm_medium=rss&utm_campaign=teams-notifications-updates https://office365itpros.com/2020/10/22/teams-notifications-updates/#comments Thu, 22 Oct 2020 07:41:39 +0000 https://office365itpros.com/?p=31843

Improvements in Notification Center

Microsoft has steadily improved the control users have over the notifications generated by Teams for actions like @ mentions and channel activity. The default settings for notifications mean that users receive desktop (banner) and activity feed notifications for @ mentions, chat messages, and new channel conversations in their teams list. Teams can also send email to notify users when they’ve missed something. The notifications a user wants to receive are configured through their profile, available through Settings > Notifications.

Microsoft recently refreshed the Teams Notifications screen (Office 365 notification MC220702, 20 August) to make it easier to manage notifications. If you haven’t looked recently, you should review your settings and see if you can prioritize the notifications you receive and reduce the number of distracting interruptions, or maybe just disable notification sounds. You can also have Teams notify you when the presence status of selected users is offline or available.

Update July 22, 2021: Microsoft update MC271919 says the default notification type for new users will change from Teams to native O/S in late August 2021 and will be deployed worldwide by the end of September. The change in default type doesn’t affect existing users.

Moving Teams to Native Notifications

Traditionally, Teams generated its own notification like the “banner” shown in Figure 1. Usefully, the recipient can reply to the message.

Figure 1: Teams “banner” notification

What’s changing is that Teams will offer the choice to deliver its own notifications or native O/S notifications. As described in Office 365 notifications MC224422 (Windows – roadmap item 66742) and MC222156 (macOS 10.14 – roadmap item 66743), this feature will roll out in mid-November. According to comments on the Teams User Voice request for macOS notifications (pretty popular with 5,034 votes and over 700 comments), some folks have this running already.

Update (January 7): Microsoft’s new timeline to introduce native notifications for Teams in Windows is to start the roll-out in mid-January to complete in mid-February 2021.

Update (April 1). According to MC248006, the deployment timeline is now to complete this update by mid-April, 2021.

The notification style is chosen through Settings (Figure 2). In this case, Teams is running on a Windows PC.

Figure 2: Choosing between Teams and Windows notifications

After choosing OS notifications, Teams uses Windows notifications whenever a user selects banner notifications for an action (Figure 3).

Figure 3: Teams notification Windows-style

And like all other Windows notifications, when the banner fades, it shows up in the Windows notification center alongside notifications from other apps (Figure 4) where the notifications can be reviewed and dismissed.

Figure 4: Teams notifications alongside Outlook notifications

Remember that notification settings are tenant-specific. If you are a guest in other tenants, you’ll need to configure settings in that tenant to get the notifications you want.

Suppressing Message Preview in Notifications

In another development, MC22171 (15 September) reported the ability for users to disable the message preview in notifications. This is a privacy measure intended to prevent anyone else seeing potentially confidential information in the message preview (the first 30 characters) usually contained in a notification. The rollout of this update is now complete.

Figure 5: Disabling message preview for Teams notifications

When message preview is disabled, no snippet is included in the notification (Figure 6).

Figure 6: No preview in this notification

Privacy Over Teams Previews for Mobile Clients

If privacy is a concern for your organization, you should also consider whether message previews should appear on Teams mobile clients. Office 365 notification MC223019 (September 29) describes a feature enabled in V2.0.22 of the iOS client and V1.0.0.2020091301 of the Android client (roadmap item 66744) to disable previews for chat notifications.

The feature depends on the value of the Org data notification setting in Intune app protection policies being set to Block Org Data. For more information, see this page.

How to Update Teams to Send Meeting Invitations to All Members https://office365itpros.com/2020/10/21/update-teams-send-meeting-invitations-to-members/?utm_source=rss&utm_medium=rss&utm_campaign=update-teams-send-meeting-invitations-to-members https://office365itpros.com/2020/10/21/update-teams-send-meeting-invitations-to-members/#comments Wed, 21 Oct 2020 08:13:52 +0000 https://office365itpros.com/?p=30583

Ongoing Frustration for Teams Users

A certain amount of frustration is evident in Teams users who schedule meetings and add teams as meeting attendees, only to find that the team members don’t receive individual meeting invitations. The same problem happens for channel meetings.

When you add a team as a meeting attendee (Figure 1), you add a Microsoft 365 group, and group settings dictate which (if any) of the members of that group receive meeting invitations. Creating a channel meeting adds the meeting to the group calendar, but team members don’t receive invitations unless they are explicitly added as meeting participants.

Figure 1: Scheduling a Teams meeting with Microsoft 365 Groups

As I explain in this post, the reason why this happens is due to the way Teams manages members of the Microsoft 365 group. Basically, Teams adds members to the membership list, which you expect, but it does not add the members to the group’s subscriber list. Because they are not subscribers, members do not receive copies of messages (like calendar events) sent to the group. There’s a lack of joined-up thinking between Teams and Microsoft 365 groups on this point that might be due to the fact that Groups were originally designed to serve Outlook before Microsoft changed their primary focus to be a membership and identity service for Microsoft 365 apps.

No doubt Microsoft is busily working out how to make things better. What seems clear is that people naturally assume that if they schedule a meeting with a team, the members of the team should receive invitations. This stance is eminently reasonable, even if it’s not currently implemented in Teams.

Scripting a Solution

What can you do about this? Well, as suggested in a response to Teams User Voice, you (in reality, a tenant administrator) can update group settings to automatically subscribe new users to receive event notifications and add existing users to the group’s subscriber list. Justin Horne contributed a script to do the job. I’ve taken the liberty of updating the script to:

  • Only process Microsoft 365 Groups enabled for Teams, and then filter to find the groups where members are not auto-subscribed or where members are not auto-subscribed to calendar events.
  • Update group settings to auto-subscribe new members to receive calendar events like meeting notifications. Note: guest members are always subscribed to groups.
  • Update the group subscriber list with existing members. You’ll see that I use the external directory object identifier to reference the group and the primary SMTP address to reference members. This is to ensure that the values are unique.
  • Report updates in a PowerShell list which is exported to a CSV file at the end of the script.

Updating subscriber lists for groups is not a swift process, so updating many groups will take time. You’ll also need to run the script on a regular basis to find and update new groups.

Code to Update Group Subscribers

Here’s the code. You can download a copy from GitHub. Feel free to improve it!

# UpdateSubscribersInGroupsUsedByTeams.PS1

CLS
Write-Host "Finding team-enabled Groups to process..."
$Groups = Get-UnifiedGroup -Filter {ResourceProvisioningOptions -eq "Team"} -ResultSize Unlimited
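# Keep only the groups that still need updating; @() forces an array so that Count is reliable
$Groups = @($Groups | ? {$_.AutoSubscribeNewMembers -eq $False -Or $_.AlwaysSubscribeMembersToCalendarEvents -eq $False})
# Stop here if nothing needs updating (avoids a divide-by-zero in the progress calculation)
If ($Groups.Count -eq 0) { Write-Host "No team-enabled groups need to be updated" ; Return }

$Report = [System.Collections.Generic.List[Object]]::new() # Create output file 
#initialize progress bar
$ProgDelta = 100/($Groups.count)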
$CheckCount = 0 ; $GroupNumber = 0 ; CLS
ForEach ($Group in $Groups) {
   $GroupNumber++
   $CheckCount += $ProgDelta
   $GroupStatus = "Processing " + $Group.DisplayName + " ["+ $GroupNumber +"/" + $Groups.Count + "]"
   Write-Progress -Activity "Updating subscriber information for group" -Status $GroupStatus -PercentComplete $CheckCount
   # Update group so that new members are added to the subscriber list and will receive calendar events
   Set-UnifiedGroup -Identity $Group.ExternalDirectoryObjectId -AutoSubscribeNewMembers:$True -AlwaysSubscribeMembersToCalendarEvents
   # Get current members and the subscribers list
   $Members = Get-UnifiedGroupLinks -Identity $Group.ExternalDirectoryObjectId -LinkType Members
   $Subscribers = Get-UnifiedGroupLinks -Identity $Group.ExternalDirectoryObjectId -LinkType Subscribers
   # Check each member and if they're not in the subscriber list, add them
   ForEach ($Member in $Members) {
     If ($Member.ExternalDirectoryObjectId -notin $Subscribers.ExternalDirectoryObjectId) { # Not in the list
    #    Write-Host "Adding" $Member.PrimarySmtpAddress "as a subscriber"
         Add-UnifiedGroupLinks -Identity $Group.ExternalDirectoryObjectId -LinkType Subscribers -Links $Member.PrimarySmtpAddress 
         $ReportLine = [PSCustomObject] @{
            Group      = $Group.DisplayName
            Subscriber = $Member.PrimarySmtpAddress
            Name       = $Member.DisplayName}
         $Report.Add($ReportLine) }   
     } #End ForEach
} #End ForEach
$Report | Export-CSV -NoTypeInformation c:\temp\SubscriberGroupUpdates.csv
Write-Host "All done. Details of updates are in c:\temp\SubscriberGroupUpdates.csv"

Remember that you’ll need to run this script periodically to update newly created teams. Alternatively, use a script to create teams and include the necessary code to update the group for each team. Also, while some team members will like to receive invitations for channel meetings, others will hate the idea. Be prepared to remove these users from the group’s subscribers list to stop them receiving invitations. You can do this by running the Remove-UnifiedGroupLinks cmdlet. For example, this command removes an account from a group’s subscribers list.

Remove-UnifiedGroupLinks -Identity "Group to Remove User from" -LinkType Subscribers -Links John.Smith@office365itpros.com

Optional and Required Attendees

Team members who receive invitations sent to channel meetings because they are subscribed to the group for calendar events are considered optional attendees. This is because they are not included in the set of required attendees and effectively only learn about the meeting because they are subscribers. If you want team members to be required attendees, you need to schedule a personal meeting and invite the team.


Describing solutions to problems in Office 365 tenants is what the Office 365 for IT Pros eBook is all about. Subscribe to support our project and allow us to continue helping people to probe the dark corners of Office 365.

Teams Now Has Basic Offline Capabilities
https://office365itpros.com/2020/10/19/teams-basic-offline-capabilities/
Mon, 19 Oct 2020 01:00:59 +0000

Microsoft Responds to Teams User Voice

On October 3, Microsoft responded to a Teams User Voice request for the ability to work offline, saying: “You can now use Teams in Offline mode, which means users can browse their recent chats and channels as well as those they have pinned. Users can also compose messages for sending later as well.”

Teams has always been an application which demands a solid network connection. Although it’s got better at dealing with some of the more “interesting” Wi-Fi configurations, such as the high-latency connections available on many airplanes, Teams still works best when it has abundant, high-quality connectivity. This is especially so when participating in online meetings, even in audio mode.

But sometimes a network connection just isn’t available, even through a tethered smartphone, and as more work is done in Teams, people want continued access to that information.

What You Can Do with Teams when Offline

I’ve been experimenting with Teams in offline mode to see what’s possible. Table 1 outlines what I discovered using the Teams desktop app on Windows.

| Feature | Offline capability |
| --- | --- |
| Personal and group chat messages | Messages available for pinned and recent chats. Messages can be composed and sent for delivery when the network connection resumes. |
| Channel messages | Messages available for pinned channels and channels recently accessed by the user, going back about 90 days. Messages for hidden channels are unavailable. Messages can be composed and sent for delivery when the network connection resumes. |
| Calendar app | Unavailable (some data might be visible). You can’t schedule, initiate, or join meetings when offline. You can use Outlook to work with your calendar when offline. |
| Files | Both channel folders (SharePoint Online) and personal files (OneDrive for Business) are unavailable offline. Files can be synchronized to the local drive with the OneDrive sync client and accessed offline. |
| Tasks | Unavailable. You can use Outlook to work with personal tasks (but not tasks in Planner) when offline. |
| Wiki | Unavailable. |
| Lists | Unavailable. |
| Whiteboard | Unavailable. |
| Yammer communities | Unavailable. |
| People card | Unavailable. |
| Third party apps | Depends on the offline capability of the app. |
| Switch tenant | Not possible. Offline access is restricted to data in the selected tenant when the network connection became unavailable. |
| Manage team | Unavailable. |
| Calling | Unavailable unless a Survivable Branch Appliance (SBA) is deployed. This feature (roadmap item 68772) is scheduled for release in November 2020. |

Table 1: Teams offline capabilities

Cute graphics tell users when messages and other data are unavailable (Figure 1).

Figure 1: Whoops… where did that internet connection go?

In addition to the items listed above, navigational information such as lists of chats, teams, and channels is available when offline.

The Meaning of Recent

Microsoft says that recent chats and (messages in) channels are available offline. Based on my tests, it seems that recent means the user accessed the chat or a channel in the last 30 days. This action forces Teams to refresh its local cache of messages, which makes the messages available offline. Limiting offline access to recent messages makes sense from the perspective that you’re most likely to need to work with that data and prevents the client from having to download information for (potentially) large numbers of channels. On the other hand, it means that if you know you’re going to be deprived of network connectivity for a while, some up-front preparation might be needed to access chats and channels you want to work with.

Not the Same as Outlook

In summary, what does the new offline capability for Teams mean in practice?

  • Teams is not Outlook. Its synchronization model does not create a local cache of all its message data (like Outlook’s OST file).
  • A major advantage of Teams is its ability to connect many parts of the Microsoft 365 ecosystem. If those parts (like SharePoint Online, Stream, and Planner) don’t support offline access, Teams can’t make data from those apps available. The same is true for third-party and LOB apps.
  • Outlook desktop and the OneDrive sync client allow offline access to the calendar, personal tasks, and documents.
  • Only expect to work with Teams messages when offline, and only messages that are recent.

Microsoft hasn’t yet announced this change in the notification center of the Microsoft 365 admin center. But we keep an eye out for updates like this so that the text of the Office 365 for IT Pros eBook is as up to date as we can make it. It’s a great example of the value of ePublishing monthly updates.

Millions of Microsoft 365 Groups Fail Auto-Renewal Annually
https://office365itpros.com/2020/10/16/microsoft-365-groups-statistics/
Fri, 16 Oct 2020 01:00:49 +0000
Microsoft 365 Groups by the Numbers (source: Microsoft)

Like many others, I’ve been catching up on sessions delivered at the Microsoft Ignite 2020 virtual conference. The Microsoft 365 Groups developers delivered a good set of sessions, including a refreshed version of How Microsoft manages Microsoft 365 Groups that’s well worth watching.

In the Groups roadmap session, an interesting statistic was reported by Venkat Ayyadevara, who said that 79% of Groups managed by an expiration policy are auto-renewed. This sounds good, but then my mind turns to why over a fifth of all groups are not renewed.

Figuring Out Groups Numbers

No one outside Microsoft knows how many Microsoft 365 Groups are in use today, so we need to do some inspired guesswork. Given that:

  • Groups are used by many applications to control membership, including Teams, Planner, Power BI, and SharePoint Online.
  • There are 258 million paid Office 365 seats and 75 million active Teams users (both Microsoft figures from April 2020). The fast adoption of Teams by Office 365 tenants is a significant driver for the number of groups in use.
  • Microsoft’s own implementation alone spans over 350,000 groups. That’s approximately one for every user account. This is in line with the experience of many large on-premises Exchange deployments where the number of distribution lists often approached the number of mailboxes.
  • The Enterprise Mobility and Security suite has 147 million users, implying that most Office 365 enterprise users possess the Azure AD Premium licenses needed for expiration policies.

If the number of enterprise Office 365 seats is around 175 million, we could guess that the number of Microsoft 365 groups is close to that number. And if 80% of enterprise users have EMS licenses, the number of groups which might be eligible for coverage by an expiration policy could be around 120 million. Not all tenants use expiration policies and not all tenants which do use expiration policies set them up to cover all groups, so let’s say that half of the groups (60 million) are covered by expiration policies.

The Success of Auto-renewal

Microsoft tells us that 79% of the groups auto-renew, or 47.4 million (which is good because administrators are saved from processing this number of renewal requests). On the downside, 21% of groups are ineligible for auto-renewal, meaning that 12.6 million groups do not come up to the low bar of activity across group-connected workloads set for auto-renewal. One can surmise that these groups are created and quickly become stagnant and inactive. Email conversations don’t happen, documents aren’t uploaded to the group’s SharePoint Online document library, and if the group is team-enabled, it fails to attract any chat activity.

Should We Care?

At this point you could ask “who cares?” Apart from a small amount of SharePoint storage quota, the unrenewed groups don’t occupy any resources that a tenant might be charged for. There’s a minor annoyance that some disused groups might clutter up the GAL and slow down administrative processing such as reporting on Teams and Groups activity, but no more than that.

In the cloud era, you’re right. Microsoft pays whatever the cost is to keep the stagnant groups around until they are aged out by the expiration policy. We should only care if we reflect on why these groups are created in the first place. Were they created as the result of a managed approval process or in organizations where users have free rein over group creation? In either case, the 21% expiration figure is sufficiently high for tenant administrators to ask if users receive enough guidance about their creation and use. That’s something worth thinking about.


The Office 365 for IT Pros eBook covers Microsoft 365 Groups in detail from concepts to automation with PowerShell. Like all our content, it’s based on hard experience and it’s kept updated as knowledge develops.

New Exchange Online Admin Center Loses Some Magic, But It’s the Future
https://office365itpros.com/2020/10/15/new-eac-loses-magic/
Thu, 15 Oct 2020 01:00:14 +0000

Time to Move to a New EAC

Update April 22, 2021: Microsoft announced in MC252053 that the new EAC will reach general availability for standard and GCC tenants at the end of April while GCC High gets it at the end of May and DoD in June.

Among the Exchange announcements made at the virtual Ignite 2020 conference was the assertion that the new Exchange admin center (EAC) is ready for prime time. Microsoft said: “We’ve recently reached parity with the legacy admin interface and are now adding new features such as personalized dashboards, cross tenant migration and providing actionable insights. We have also invested in a better mobile experience for admins on the go.”

I don’t buy the statement about parity in functionality because the new EAC links back to the old EAC for some functions, like the management of user role assignment policies. Understanding that these are marketing words and that the developers will close the gaps over time, let’s consider what the new EAC brings.

Anyone taking the invitation to opt-in from the old EAC or by going direct to the new EAC might be underwhelmed at first look. The home screen is uninspiring and the new console (Figure 1) is just another bland Microsoft 365 portal, even if it’s regained some functionality (like Mail Flow from the Security and Compliance Center), some new tricks (like administrator recovery of deleted items), and is the go-forward target for investment in new functionality.

Figure 1: Recovering deleted items for a user is a trick of the new EAC

The new EAC also inherits some smarts from the Microsoft 365 admin center, like how groups are processed, but there’s no magic present to convince you to set the toggle to default to the new portal (sometime in the future, the toggle will be disabled and using the new EAC will be the only choice).

PowerShell Created Portal Magic

I know you’re going to think me crazy that magic can exist in an administrative tool, but this has been the case in the two previous generations of Exchange administrative portals and it’s all to do with PowerShell.

When Microsoft came to design Exchange 2007, they took the brave decision to base all the administrative tools on PowerShell. EMC, the Exchange Management Console, became a wrapper around PowerShell cmdlets, as did the later web-based Exchange Control Panel (ECP) and EAC. The great thing about this approach was that the consoles exposed the PowerShell code they used to perform actions through a feature called command logging. Figure 2 shows how the EMC displayed the code used to create a new mailbox. You could copy the code and reuse it in your own scripts.

Figure 2: Original PowerShell command logging in the Exchange 2007 EMC

Given that PowerShell was very new (Exchange was the first major Microsoft server to embrace PowerShell), this was a fantastic way for administrators to learn how to interact with Exchange and manage objects through PowerShell. In a nutshell, it was the best learning tool available at the time. I haven’t seen much to beat it since.

The unfortunate thing is that following the transition to Exchange Online, Microsoft proved adept at breaking PowerShell command logging. I’m sure this wasn’t deliberate; the developers probably didn’t put as much value on the feature as its fans did. And to be fair, fewer people needed to use command logging as experience of PowerShell grew and more information was available online.

The Graph is the Strategy

The truth is that the new EAC doesn’t use PowerShell. Like the other modern administrative consoles used across Microsoft 365, the new EAC is based on the Microsoft Graph. This is in line with Microsoft’s strategy to use the Graph whenever possible as the basis for Microsoft 365 management. It’s an understandable and reasonable approach to build everything on a common foundation, even if it loses some magic. And no, the new EAC never tells you anything about the Graph code it uses. Some secrets must be kept.


The folks who subscribe to the Office 365 for IT Pros eBook seem to know their way around PowerShell, so we have never covered command logging in depth. It’s sad to see it go, but we dedicate our pages to new stuff and not the past.

New Location for Teams Compliance Records Breaks Scripts
https://office365itpros.com/2020/10/14/microsoft-changes-location-teams-compliance-records/
Wed, 14 Oct 2020 08:31:50 +0000

Compliance Records Now Hidden in Non-IPM Section of Mailboxes

First reported by Jason Sherry, a very experienced ex-Exchange MVP, in a post to the Facebook Office 365 Technical Discussions group, Microsoft has changed the mailbox location where Teams stores its compliance records captured for personal chat and channel conversation messages. The change makes sense from Microsoft’s perspective even if it might cause some issues for tenants.

Uses of Teams Compliance Records

Originally introduced in April 2017, Teams compliance records are captured by the Microsoft 365 substrate and used for:

  • Retention processing. Retention policies act against the compliance records to allow tenants to dictate how long Teams messages are retained.
  • eDiscovery and content searches. Because the compliance records are indexed along with other mailbox data, they are searchable and discoverable when tenants need to find information for investigations.
  • Communication compliance policies. The compliance records are scanned by agents to find potential violations of company communication policies such as threatening or abusive behavior.

Changing Storage for Teams Compliance Records

The compliance records are mail items stored in:

  • User mailboxes for personal and group chats, and channel conversations in private channels.
  • Group mailboxes for standard channel conversations.
  • Cloud-only (shard) mailboxes for messages sent by federated, hybrid, and guest users.

When Microsoft enabled compliance capture for Teams, they chose to store the records in the Team Chat sub-folder of the Conversation History folder. The folder name varies according to user language, but the folder type is always TeamChat, which makes the folder easy to find. The choice of location was logical at the time because Skype for Business Online stored its conversation transcripts in the Conversation History folder. However, unlike Conversation History, the Team Chat folder has never been accessible to clients like Outlook or OWA.

What’s changing is that Microsoft has relocated storage to a folder called TeamsMessagesData in the non-IPMRoot part of mailboxes. This is a more logical part of the mailbox to host the folder because it’s where system data is stored. Exchange Online and Microsoft 365 apps stash lots of information in mailboxes which email clients don’t see.

The Get-ExoMailboxFolderStatistics cmdlet reveals information about the folder:

# Report number of items in TeamsMessagesData folder
Get-ExoMailboxFolderStatistics -Identity Kim.Akers -IncludeOldestAndNewestItems -FolderScope NonIpmRoot | ? {$_.FolderType -eq "TeamsMessagesData" } | Format-List Name, ItemsInFolder, FolderType, NewestItemReceivedDate

Name                   : TeamsMessagesData
ItemsInFolder          : 65
FolderType             : TeamsMessagesData
NewestItemReceivedDate : 12/10/2020 21:32:20

Microsoft made the change to move creation of new Teams compliance records around 5 October 2020. For now, Teams compliance records exist in both the old and new locations. The plan of record is that a background process will move records from the Team Chat folder to TeamsMessagesData. No timeframe is available for when this might happen.

Update November 6: In my tenant the old compliance records have been moved to the new location.

Microsoft chose a similar location when Yammer networks began to generate compliance records, so it’s perfectly reasonable to move Teams compliance data to the same part of the mailbox.

The Downside of the Change

Microsoft didn’t communicate that the move would happen. In one respect, they had no need to do so through a notification posted in the Microsoft 365 message center. Compliance processing is a background task that tenants cannot control, so why should anyone need to know that a change happened?

The problem is that people use the presence of the Teams compliance records to know if teams are active. Although Microsoft would prefer tenants and ISVs to use the Graph API to interact with Teams data (the User statistics script is an example of how to access Teams usage data with the Graph), in this instance, it’s easier to run a quick check using the Get-ExoMailboxFolderStatistics PowerShell cmdlet. You can still use the cmdlet to check the TeamsMessagesData folder, but access is slower because the FolderScope parameter doesn’t support a filter like the one available for Conversation History. Coders must therefore grab details of all non-IPM folders and then filter for TeamsMessagesData. As an example, the activity report script for Microsoft 365 Groups and Teams needed to be updated (V4.7 is now available).
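The activity check described above, written to count compliance records in both the old Team Chat folder and the new TeamsMessagesData folder while records can still exist in either place. This is an added example, not code from the original post; the function name, the 90-day activity threshold, and the sample folder objects are assumptions made for illustration.

```powershell
# Added example (not the author's script). Summarizes Teams compliance records
# found in the old (TeamChat) and new (TeamsMessagesData) folder locations.
function Get-TeamsComplianceSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        # Folder statistics objects: the combined output of Get-ExoMailboxFolderStatistics
        # for the ConversationHistory and NonIpmRoot scopes (see "Live usage" below)
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $FolderStats,
        [int] $ActiveWithinDays = 90,      # assumption: threshold picked for this example
        [datetime] $AsOf = (Get-Date)
    )
    $Wanted = 'TeamChat', 'TeamsMessagesData'
    $Items = 0 ; $Newest = $null ; $Locations = @()
    foreach ($Folder in $FolderStats) {
        # NonIpmRoot returns every system folder, so filter on folder type here
        if ($Folder.FolderType -notin $Wanted) { continue }
        $Items     += [int]$Folder.ItemsInFolder
        $Locations += [string]$Folder.FolderType
        if ($Folder.NewestItemReceivedDate) {
            # A date returned as text is parsed with the invariant culture by this cast
            $Date = [datetime]$Folder.NewestItemReceivedDate
            if ($null -eq $Newest -or $Date -gt $Newest) { $Newest = $Date }
        }
    }
    [PSCustomObject]@{
        Mailbox      = $Mailbox
        Items        = $Items
        Locations    = ($Locations | Sort-Object -Unique) -join ', '
        NewestRecord = $Newest
        Active       = ($null -ne $Newest) -and ($Newest -ge $AsOf.AddDays(-$ActiveWithinDays))
    }
}

# Live usage (requires a connected Exchange Online session):
# $Stats  = @(Get-ExoMailboxFolderStatistics -Identity Kim.Akers -FolderScope ConversationHistory -IncludeOldestAndNewestItems)
# $Stats += Get-ExoMailboxFolderStatistics -Identity Kim.Akers -FolderScope NonIpmRoot -IncludeOldestAndNewestItems
# Get-TeamsComplianceSummary -Mailbox Kim.Akers -FolderStats $Stats

# Constructed sample input standing in for cmdlet output, so the logic can be tried offline
$Sample = @(
    [PSCustomObject]@{ Name = 'Team Chat';         FolderType = 'TeamChat';          ItemsInFolder = 412;  NewestItemReceivedDate = [datetime]'2020-10-04T16:05:00' }
    [PSCustomObject]@{ Name = 'TeamsMessagesData'; FolderType = 'TeamsMessagesData'; ItemsInFolder = 65;   NewestItemReceivedDate = [datetime]'2020-10-12T21:32:20' }
    [PSCustomObject]@{ Name = 'Audits';            FolderType = 'Audits';            ItemsInFolder = 1200; NewestItemReceivedDate = [datetime]'2020-10-13T08:00:00' }
)
Get-TeamsComplianceSummary -Mailbox 'Kim.Akers' -FolderStats $Sample -AsOf ([datetime]'2020-10-14')
```

A script that looks only in the Team Chat folder would report a team as idle once new records stop arriving there, which is why the summary lists the locations it found.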

Another unanticipated change is that backup products which purport to cover Teams by copying the compliance records along with other Exchange mailbox data must change their processing. They might not have realized that this problem exists and are therefore not copying the records today. All of which shows that you shouldn’t build a backup strategy based on data which might change. Then again, the lack of a scalable streaming API for Teams makes people do odd things.


A change like this which comes without warning is a great advertisement for an eBook. We cover Teams compliance processing in Chapter 12 and have updated the text for the November update for the Office 365 for IT Pros eBook. Do yourself a favor by benefiting from our work by subscribing to Office 365 for IT Pros.

Teams Calendar Peek Gives Quick View to Upcoming Events
https://office365itpros.com/2020/10/13/microsoft-teams-calendar-peek/
Tue, 13 Oct 2020 07:44:52 +0000

Calendar Peeking

Outlook has a calendar peek feature where you can “dock” a calendar view in a small window to be able to see information about upcoming events. The Teams calendar synchronizes information from the Outlook calendar and the default view shows event names, organizers, times, and some basic information. To see more, you’ve got to open individual events. That is, until now as the latest update for the Teams desktop and browser clients includes the ability to peek at the essential details of an event.

While double-clicking an event in the Teams calendar opens it, single-clicking (peeking) reveals the event date and time, a join button (for online events), the status and organizer, and a link to chat with participants (Figure 1). If you’re the meeting organizer, you’ll also see a button to edit the event.

Figure 1: Peeking at a Teams calendar event

Like many good ideas, this is a simple but effective change that improves the usefulness of the Teams calendar. Force of habit means that I’ll continue to organize my days through Outlook, but those who live in Teams will probably like the new peek. I say “probably” because someone always finds faults when a user interface changes (quite a few people hate the New conversation button).

Some Delayed Teams Features Now Available

Last month, I wrote about the reasons why Microsoft sometimes delays the delivery of announced Office 365 features. This week, several features rolled out to tenants:

  • Language-Aware Spellchecking in Teams: announced in MC217362 on June 26. This feature detects when someone starts to write messages in a different language to the one configured in their profile and offers to switch to that language.
  • Speaker attribution: announced in MC219651 on July 31. When you use closed captions in a Teams meeting, speaker attribution means that speaker names show up alongside captions.

Microsoft hasn’t said why these features were delayed, but it’s likely to be due to some bugs that needed to be squashed before general release.

Tasks App Now Generally Available

Finally, Microsoft has completed the initial roll-out of the Tasks app in Teams, so the app is now deemed to be generally available. The next stage is that the app will be renamed from Planner to Tasks by Planner and To Do. More importantly, you’ll soon be able to create a task from Teams chat or channel conversations, which is much more significant than the rebranding exercises Microsoft delights in.


None of this stuff shows up in the Office 365 for IT Pros eBook because its content is focused on what administrators need to know about running a tenant. But it’s good to know when things change, so we document it here.

Managing Third-Party App Permissions in the Teams Admin Center
https://office365itpros.com/2020/10/12/app-management-updates-teams-admin-center/
Mon, 12 Oct 2020 04:00:21 +0000

Granting Consent for Data Access by Third-Party and LOB Apps

Described in Office 365 notification MC222892 (September 26), Microsoft has made several important changes to the way that third-party apps are managed in the Teams admin center. The changes are linked to Microsoft 365 roadmap item 67140 and are now available.

The Teams apps section of the admin center supports management of apps and the permission and setup policies used to deploy apps to users. The first change is that the listing of apps includes a permissions column to show when a third-party app needs permission, with the idea being that an admin can take care of consent centrally and so avoid the need for end users to have to seek consent when they want to use an app.

Apps published by Microsoft don’t need to be granted consent. Some third-party apps don’t need consent either because they do not interact with Microsoft 365 data like user accounts or sites. For instance, the Adobe Sign app allows users to sign documents with that service without accessing any Microsoft 365 data.

The Need for Permissions

Third-party apps or LOB apps created by a tenant can access Microsoft 365 data with the Microsoft Graph, but only if they receive permission to access the data. Microsoft Graph divides permissions into sets of actions that an app can perform. When you see View details in the Permissions column, you know that the app needs administrator consent (on behalf of the tenant) to access data via the Graph.

Figure 1: The listing for Teams apps now includes a permissions column

To give consent, select an app and look at the Permissions tab in its details and then Review permissions and consent. You must be able to sign in as a tenant administrator to give consent. Once signed in, you’ll see the permissions requested by the app. Figure 2 shows that the chosen app wants to read user profile information from Azure AD. Be aware that you’re granting consent for org-wide access to the requested information. If you’re happy that the app should have access to this data, click Accept.

Figure 2: Reviewing permissions requested by an app before granting permissions

When an app has received consent, you’ll see a notice to that effect under Org-wide permissions in the Permissions tab.

Azure AD App Registration

Apps that receive consent are registered with Azure AD. You can find details of all the apps registered in your tenant in the Enterprise applications blade of the Azure AD portal. Figure 3 shows details of an app which received consent through the Teams admin center. You can revoke permissions from an app at any time.

Figure 3: Viewing details of permissions granted to an app
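The same review can be done from PowerShell once apps have received org-wide consent. The following is an added example, not code from the original post: it assumes the Microsoft Graph PowerShell SDK for the live calls shown in comments, and the function name, the "broad scope" heuristic, and the sample objects (including the placeholder identifiers and app names) are constructed for illustration.

```powershell
# Added example (not the author's code). Reports delegated permission grants that
# apply org-wide (admin consent) and flags scopes that deserve a closer look.
function Get-OrgWideConsentReport {
    [CmdletBinding()]
    param(
        # OAuth2 permission grant objects (ClientId, ConsentType, ResourceId, Scope)
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Grants,
        # Service principal objects (Id, DisplayName) used to resolve app names
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $ServicePrincipals
    )
    $Names = @{}
    foreach ($SP in $ServicePrincipals) { $Names[[string]$SP.Id] = $SP.DisplayName }

    foreach ($Grant in $Grants) {
        # 'AllPrincipals' marks consent given on behalf of the whole tenant;
        # 'Principal' is consent given by (or for) a single user and is skipped here
        if ($Grant.ConsentType -ne 'AllPrincipals') { continue }
        $Scopes = @(([string]$Grant.Scope) -split '\s+' | Where-Object { $_ })
        # Heuristic chosen for this example: write access or tenant-wide ".All" scopes
        $Broad  = @($Scopes | Where-Object { $_ -match 'ReadWrite|\.All$' })
        [PSCustomObject]@{
            App         = if ($Names.ContainsKey([string]$Grant.ClientId)) { $Names[[string]$Grant.ClientId] } else { $Grant.ClientId }
            Resource    = if ($Names.ContainsKey([string]$Grant.ResourceId)) { $Names[[string]$Grant.ResourceId] } else { $Grant.ResourceId }
            Scopes      = $Scopes -join ', '
            BroadScopes = $Broad -join ', '
            NeedsReview = $Broad.Count -gt 0
        }
    }
}

# Live usage (assumes the Microsoft Graph PowerShell SDK and a session that can read the directory):
# Connect-MgGraph -Scopes 'Directory.Read.All'
# $Grants = Get-MgOauth2PermissionGrant -All
# $SPs    = Get-MgServicePrincipal -All
# Get-OrgWideConsentReport -Grants $Grants -ServicePrincipals $SPs | Sort-Object NeedsReview -Descending
# Note: this covers delegated permissions only. Application permissions are held as
# app role assignments on the service principal and need a separate check.

# Constructed sample data (placeholder identifiers and app names) so the logic runs offline
$SPs = @(
    [PSCustomObject]@{ Id = '00000000-0000-0000-0000-0000000000a1'; DisplayName = 'Example Signing App' }
    [PSCustomObject]@{ Id = '00000000-0000-0000-0000-0000000000a2'; DisplayName = 'Example Project Boards' }
    [PSCustomObject]@{ Id = '00000000-0000-0000-0000-0000000000ff'; DisplayName = 'Microsoft Graph' }
)
$Grants = @(
    [PSCustomObject]@{ ClientId = '00000000-0000-0000-0000-0000000000a1'; ConsentType = 'AllPrincipals'; ResourceId = '00000000-0000-0000-0000-0000000000ff'; Scope = 'User.Read' }
    [PSCustomObject]@{ ClientId = '00000000-0000-0000-0000-0000000000a2'; ConsentType = 'AllPrincipals'; ResourceId = '00000000-0000-0000-0000-0000000000ff'; Scope = 'User.Read.All Sites.ReadWrite.All' }
    [PSCustomObject]@{ ClientId = '00000000-0000-0000-0000-0000000000a2'; ConsentType = 'Principal';     ResourceId = '00000000-0000-0000-0000-0000000000ff'; Scope = 'Mail.Read' }
)
Get-OrgWideConsentReport -Grants $Grants -ServicePrincipals $SPs | Format-Table -AutoSize
```

With the sample data, the first app (User.Read only) is listed without a review flag, the second is flagged for both of its scopes, and the per-user grant is left out of the report.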

Resource Specific Consent

Office 365 notification MC218561 was announced in July (Microsoft 365 roadmap item 56605) to say that team owners could give consent to apps to access data in the teams they managed. This feature is known as resource-specific consent (RSC) because the consent is limited to permissions for a specific resource (a group/team). Limiting the scope of the permissions assigned to an app to what it needs to function instead of giving it org-wide access makes a heap of sense.

Now fully deployed across Office 365, RSC is a Teams feature controlling access to team settings, channels, messages, apps, tabs, and membership. It depends on the tenant settings in the Consent and Permissions section of the Enterprise applications blade in the Azure AD portal (Figure 4). See this page for more information.

Figure 4: User assent settings in Azure AD

The ability to give resource-specific consent can be limited to a set of team owners rather than all team owners in the tenant.

Some apps don’t need access to data drawn from across the tenant and only need permissions to interact with specific Teams objects from the set supported by RSC (Figure 5).

Figure 5: Graph API permissions supported by Teams RSC

You’ll recognize these apps because the RSC permissions they need are listed in the permissions tab of the app details. In Figure 6 we can see that the app needs to read a team’s settings, membership, and messages and create channels.

Figure 6: Viewing the RSC details for a Teams app

Add App to a Team

The last feature allows Teams admins to add apps to target teams to avoid the need for team owners to install the apps. This is a preview feature that only works for apps designed to be installed within a team (normally accessed via a channel tab). By comparison, Teams app setup policies allow organizations to make apps available to users on a personal basis to use via the app navigation bar.

If you see that an app has “team” included in its capabilities listed under the About tab, you know it supports team scope. Template Chooser, Trello (Figure 7), and Zoho CRM are examples of apps with team scope.

Figure 7: Discovering if a Teams app can be scoped to a team

To install an app into a team, select the app in the Manage Apps screen and then choose Add to team. You can then select the team to install the app into (Figure 8).

Figure 8: Installing an app into a team

For more information, see the Teams documentation.

More Information About Apps

Given the growing number of apps in the Teams app store (760 as I write this), it’s obvious that a solid management framework is needed to control third-party apps, especially in how these apps use the Microsoft Graph to access data. The implementation of permission management is solid and is a very useful addition to the Teams admin center.

For more information about app permissions, consent, and RSC, view the Ignite session about Navigating the Microsoft Teams App Lifecycle (app permissions and consent is covered from about 34:20 in the video).


Managing Teams is what Chapter 12 of the Office 365 for IT Pros eBook is all about. You’ll find lots more interesting and useful information in Chapter 12 and all the other chapters of the book.

Teams Offline Status Allows Users to Appear Invisible
https://office365itpros.com/2020/10/09/teams-presence-offline/
Fri, 09 Oct 2020 09:42:31 +0000

New Teams Presence Status Coming in October 2020

Office 365 notification MC223441 issued on 3 October brings the earth-shattering news that Teams is adding the ability for users to mark their status as Offline. As explained in Microsoft 365 roadmap item 68727, this delivers the benefit that users “have full access to Teams while signaling to colleagues that they are unavailable.” Microsoft says that the feature will roll out in mid-October and will be complete by the end of the month.

Setting Offline Status

There’s not much to be said in terms of implementation. The new option appears at the bottom of the list of other status values (Figure 1). You can also set your status to Offline by typing /Offline into the command box.

Figure 1: Setting a Teams presence status to Offline

In passing, notice the Teams admin center link in my settings menu. I haven’t seen this before but it’s a simple, good idea to put a link here to allow people who manage Teams for a tenant to have fast access to the admin center. The link doesn’t show up unless your account possesses a role which allows access to the Teams admin center, like global administrator or Teams service administrator.

How Offline Status Shows Up

Once set, offline status is shown as a white circle with a grey edge (Figure 2). It’s the same visual indicator shown when Teams determines that someone is offline because they aren’t signed in rather than just hiding behind the status for their own reasons, like getting some peace from the demands of pesky coworkers.

Figure 2: How the Teams presence status shows up as Offline

Offline and Do Not Disturb

Some might argue that the existing Do Not Disturb (dnd) status was quite sufficient to warn coworkers that they are busy and unavailable. The rebuttal is that when others see a do not disturb status, it’s a sign that although you are unavailable right now, some hope exists that you might soon become available. Setting your status to Offline puts you into a state where (hopefully) coworkers won’t even bother trying to get in touch. They’ll probably send email instead and maybe be bemused when they don’t receive an out of office notification.

Setting your presence status to Offline allows pop-up notifications for chat messages sent by other users. Use Do not disturb if you want to suppress these messages and only allow notifications from people on your priority access list.

Skype Status

Interestingly, Skype consumer supports both Invisible and Offline statuses. In the consumer world, Invisible is like Offline for Teams while Offline in Skype is really offline, which is the same approach taken by Skype for Business Online. Confused? It’ll all be clear when everyone is on Teams…


This is an example of a change that translates into exactly one sentence in the Office 365 for IT Pros eBook. But if you don’t keep an eye on the small details, you’ll miss out on the really important material.

How to Search the Microsoft 365 Audit Log for Events
https://office365itpros.com/2020/10/08/search-microsoft-365-audit-log/
Thu, 08 Oct 2020 08:47:38 +0000

Microsoft 365 Audit Log is a Rich Source of Information About Workloads

The Microsoft 365 audit log (aka the unified audit log) is a rich source of information about what happens inside a tenant. Audit events generated by workloads go through an ingestion process to be added to the log to ensure that every event has a common set of fields like the date when the event occurred, the account responsible for the event, and the name of the event. In addition, a workload-specific payload of audit data is inserted into the AuditData property of events. This data varies from workload to workload. Interpreting the workload data is one of the challenges of dealing with the audit log that quickly becomes second nature (when you’ve done it often enough).

You can search the Microsoft 365 audit log using the Audit facility in the Microsoft Purview Compliance portal (Figure 1). This is acceptable when you’re looking for a specific event, but if you need to cast a wider net to look for events that might lead you to an answer, it’s easier and faster to do the job with PowerShell.

Figure 1: Searching the Microsoft 365 audit log from the Purview Compliance portal

Who Did What or What Happened?

Most auditing queries are run to answer “who did what” questions. In other words, you want to know who performed a specific action. For instance, who deleted a document, created a group, recorded a Teams meeting, or sent a message from a shared mailbox. Chapter 21 of the Office 365 for IT Pros eBook contains many practical examples of parsing audit data from multiple workloads to answer who did what questions.

Sometimes you need to know what happened to a particular object, like a document or a user. Finding audit events for one or more documents is easy – all you need to do is pass the document names in the ObjectIds parameter. In this example, we create an array of document names to search for and then pass the array as the ObjectIds parameter for the call to Search-UnifiedAuditLog:

[array]$docs = "New Signature API for Email Signatures.docx", "Controlling default creation of online meetings with OWA.docx", "Anticipating Microsoft Ignite 2020.docx"
$Records = Search-UnifiedAuditLog -ObjectIds $docs -StartDate 1-Sep-2020 -EndDate 1-Oct-2020 -ResultSize 500

The events found are for all actions performed against the documents, such as being modified or downloaded. The same technique works for users:

[array]$Users = "Oisin.Johnston@office365itpros.com", "Kim.Akers@office365itpros.com"
$Records = Search-UnifiedAuditLog -ObjectIds $Users -StartDate 1-Sep-2020 -EndDate 1-Oct-2020

This search returns events for actions performed for these users (like being added to a group membership) rather than events performed by the users.

Actions Performed Against a Microsoft 365 Group

Microsoft 365 Groups are not users, so if we want to find the actions performed against a group, we must use the FreeText parameter to search audit records for instances of unique values that identify the group we’re interested in. Fortunately, the object identifier for a group is a good search term. In this example, we extract the object identifier for a Microsoft 365 group and use it to search for audit events. We then group the audit events to get an overview of the kind of activity performed against our target:

$ObjectId = Get-UnifiedGroup -Identity "Office 365 for IT Pros" | Select -ExpandProperty ExternalDirectoryObjectId
[array]$Records = Search-UnifiedAuditLog -FreeText $ObjectId -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date).AddDays(+1) -ResultSize 1000 -SessionCommand ReturnLargeSet

$Records | Group Operations | Sort Count -Descending | Format-Table Name, Count

Name                      Count
----                      -----
RecipientChange              17
TabUpdated                   10
TabAdded                      4
Remove member from group.     3
MemberRemoved                 3
Add member to group.          3
Update group.                 2
MemberAdded                   2
TabRemoved                    1
Set-UnifiedGroup              1
PutPermissions                1
Assign label to group.        1
StreamInvokeVideoSetLink      1

The technique also works for finding audit records for security groups (but not for distribution lists). It also works for Azure AD accounts, including guest users, but it’s much slower than using the ObjectIds parameter. As the name implies, FreeText means that a free text search is used to find matching audit events. In a large tenant, a free text search across potentially millions of records won’t be fast.

Remember that a single action can result in multiple events. For instance, if you add someone to a group, the MemberAdded and Add member to group events are captured by different workloads and ingested into the audit log. The duplication is easily detected by comparing the creation date for the events.
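The duplicate detection described above can be scripted. The following is an added example, not code from the original post: the function names are hypothetical, the sample records are constructed to resemble Search-UnifiedAuditLog output, and the five-second tolerance for treating events as the same action is an assumption to tune for your tenant.

```powershell
# Build a constructed sample record shaped like Search-UnifiedAuditLog output.
# New-SampleRecord is a hypothetical helper; the data is not from a real tenant.
function New-SampleRecord {
    param([string]$When, [string]$User, [string]$Operation, [string]$Workload)
    [pscustomobject]@{
        CreationDate = [datetime]$When
        UserIds      = $User
        Operations   = $Operation
        # AuditData is a JSON string, as it is in real audit records.
        AuditData    = (@{ CreationTime = $When; Operation = $Operation
                           Workload = $Workload; UserId = $User } | ConvertTo-Json -Compress)
    }
}

$Records = @(
    New-SampleRecord '2020-09-14T10:15:02' 'Kim.Akers@office365itpros.com' 'Add member to group.' 'AzureActiveDirectory'
    New-SampleRecord '2020-09-14T10:15:04' 'Kim.Akers@office365itpros.com' 'MemberAdded' 'MicrosoftTeams'
    New-SampleRecord '2020-09-14T11:40:10' 'Kim.Akers@office365itpros.com' 'TabAdded' 'MicrosoftTeams'
    New-SampleRecord '2020-09-14T14:02:30' 'Oisin.Johnston@office365itpros.com' 'Set-UnifiedGroup' 'Exchange'
    New-SampleRecord '2020-09-14T14:02:31' 'Oisin.Johnston@office365itpros.com' 'Update group.' 'AzureActiveDirectory'
)

# Hypothetical function: cluster events by user and creation date, then flag
# clusters that contain events from more than one workload as likely duplicates
# of a single administrative action.
function Get-AuditEventCluster {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [int]$ToleranceSeconds = 5   # assumption: same action if this close in time
    )

    # Unpack the workload-specific payload to find which workload logged the event.
    $Parsed = foreach ($Rec in $Records) {
        $Data = $Rec.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Created   = [datetime]$Rec.CreationDate
            User      = $Rec.UserIds
            Operation = $Rec.Operations
            Workload  = $Data.Workload
        }
    }

    # Walk the events in time order per user; start a new cluster whenever the
    # user changes or the gap to the previous event exceeds the tolerance.
    $ClusterId = 0
    $Previous  = $null
    $Clustered = foreach ($Item in ($Parsed | Sort-Object User, Created)) {
        $SameRun = $Previous -and $Item.User -eq $Previous.User -and
                   ($Item.Created - $Previous.Created).TotalSeconds -le $ToleranceSeconds
        if (-not $SameRun) { $ClusterId++ }
        $Item | Add-Member -NotePropertyName Cluster -NotePropertyValue $ClusterId -PassThru
        $Previous = $Item
    }

    # One output row per cluster.
    $Clustered | Group-Object Cluster | ForEach-Object {
        $Workloads = @($_.Group.Workload | Sort-Object -Unique)
        [pscustomobject]@{
            Created         = $_.Group[0].Created
            User            = $_.Group[0].User
            Operations      = ($_.Group.Operation -join '; ')
            Workloads       = ($Workloads -join ', ')
            LikelyDuplicate = ($Workloads.Count -gt 1)
        }
    }
}

Get-AuditEventCluster -Records $Records | Format-Table -AutoSize
```

To run it against real data, pass the $Records array returned by Search-UnifiedAuditLog instead of the sample set. Two unrelated actions by the same user inside the tolerance window will also be clustered, so review flagged rows before discarding anything.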

Mine the Audit Log

Every Office 365 administrator should know how to mine the Microsoft 365 audit log to answer questions about their tenant. It’s not hard and you’ll understand a lot more about how Office 365 works once you spend time deep in audit data. That doesn’t sound fun, but it’s better than it seems.

How to Control Default Creation of Online Meetings with OWA
https://office365itpros.com/2020/10/07/how-to-control-default-creation-of-online-meetings-with-owa/
Wed, 07 Oct 2020 08:44:52 +0000

For Both Teams and Skype for Business Online Meetings

In May, Microsoft published Office 365 notification (MC213856) to say that OWA and Outlook Mobile would soon make online meetings the norm. This is now the case.

Figure 1: OWA calendar settings include the option to make all meetings online

The calendar settings for OWA include whether an online meeting should be created for all meetings (Figure 1). By default, the setting is controlled by the OnlineMeetingsByDefaultEnabled setting in the Exchange Online organization configuration, which can be examined using the Get-OrganizationConfig cmdlet. Here we see that the setting is true, meaning that all meetings created by OWA are online:

Get-OrganizationConfig | Select OnlineMeetingsByDefaultEnabled

OnlineMeetingsByDefaultEnabled
------------------------------
                          True

Mailbox-Level Control

You can also control the setting on a mailbox basis by updating its calendar configuration with the Set-MailboxCalendarConfiguration cmdlet. The mailbox-level setting takes precedence over the organization setting. For example, this command disables online meetings by default for a mailbox:

Set-MailboxCalendarConfiguration -Identity James.Joyce -OnlineMeetingsByDefaultEnabled $False

OWA uses the Teams configuration to figure out if Teams or Skype for Business Online is the current provider of online meetings to the tenant. The provider is noted in the calendar configuration of each mailbox. We can check which provider is used by running code like this to report the provider and if online meetings are enabled. Fetching calendar configuration can take some time to complete for more than a few mailboxes:

$Mbx = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize 50
$Mbx | Get-MailboxCalendarConfiguration | Select Identity, DefaultOnlineMeetingProvider, OnlineMeetingsByDefaultEnabled

Identity       DefaultOnlineMeetingProvider OnlineMeetingsByDefaultEnabled
--------       ---------------------------- ------------------------------
Andy.Ruth      TeamsForBusiness
Ben Owens      TeamsForBusiness
Ben.James      TeamsForBusiness
Brian Weakliam TeamsForBusiness
Imran Khan     TeamsForBusiness
James.Joyce    TeamsForBusiness             False
Kim Akers      TeamsForBusiness             True

Different Approach Used by Outlook Desktop

Outlook desktop takes a different approach to OWA. Outlook doesn’t use the calendar configuration settings stored in user mailboxes; its settings are in user profiles stored in the system registry. Currently, Outlook doesn’t have a setting to control whether all meetings should be online and instead loads an add-in to allow users to decide if a meeting should include Teams or Skype for Business Online.

When you create an online meeting, Outlook populates several properties for the meeting item stored in the mailbox containing links and other information about the online space for the meeting. The link allows users to join the online meeting at the appointed time. Apart from the link and the list of meeting attendees, Outlook has no connection to the online event, so items such as the meeting chat, participant list, and so on must be accessed through the online provider.

Microsoft 365 Roadmap item 58132 promises that Outlook for iOS will allow third-party online meeting providers like Zoom and WebEx to be the preferred provider. Microsoft was supposed to deliver the capability in August 2020, but there’s no sign of it still.


Who knows when you might need a nugget of information like this? We don’t know, so we find and document interesting bits of insight in the Office 365 for IT Pros eBook. Subscribe today to stay abreast of what happens inside Office 365.

Debating the Need for Office 365 Backup
https://office365itpros.com/2020/10/06/debating-the-need-for-office-365-backup/
Tue, 06 Oct 2020 07:01:44 +0000

The Great Debate, Hosted by AvePoint

In August, I wrote a review of a document issued by a well-known backup vendor proclaiming six reasons why backing up Office 365 is critical. My conclusion was that the document was full of FUD (fear, uncertainty, and doubt) designed to convince unwary Office 365 tenant administrators that they should invest in an expensive third-party backup solution.

Soon afterwards, AvePoint (not the vendor in question) contacted me to ask if I would be willing to debate the issues around Office 365 backup with John Hodges, VP of product strategy at AvePoint. I have no problem in setting out why I think people need to eliminate the FUD surrounding this topic before deciding about backups, so I agreed. The debate takes place tomorrow, Wednesday October 7 at 10AM EST. Attendance is free. You can register to attend online and join the fun. AvePoint also plan to stream the debate live on their LinkedIn page.

Topics to Debate

I’m sure we’ll touch on many important (but sometimes misunderstood) topics like:

  • What’s included in Office 365 and what added value do third-party backup solutions deliver?
  • What data can Office 365 backup solutions process and what data can’t be handled today (largely because of a lack of suitable APIs from Microsoft)?
  • How easy is it to restore data when things go wrong and when should you think about restoring data (and what’s a suitable restore target)?

Time to Restore Service

Developing the last point, situations like the recent Azure Active Directory outage invariably cause a chorus of criticism from cloud unbelievers and advocates of backups, especially when issues with a fundamental cloud service cut access to popular applications like Exchange Online, SharePoint Online, or Teams. While the Azure Active Directory issue played out, I saw some silly comments by people who should know better that email traffic could be rerouted to another server. Such advice should be consigned to the wastebasket on the basis that:

  • Exchange Online is not the only application used in Office 365. Although it’s the largest workload, if you don’t get SharePoint Online and Teams up and running, your services might only be limping along, and users won’t have access to important data. New messages might arrive, and users might have offline copies of (some of) their mailboxes in OST files, but it’s an incomplete service. In other words, users now expect a holistic view of the data they work with, not an application view.
  • Rerouting email traffic to another server (where?) might compromise your organization’s data governance and compliance strategy.
  • Protected (encrypted) email and documents will be inaccessible if sent elsewhere outside Office 365 unless they’re decrypted en route to the new target.
  • Most organizations don’t have the necessary IT infrastructure to host anything other than a skeleton replacement service. It takes time to spin up servers, adjust network paths, reconfigure clients, and put in place security services.
  • Finally, by the time you’ve made the decision to move service, even if you already have a suitable target system available and operational, Microsoft might well have fixed the original problem and restored service.

The Future Role for Backup Services

Don’t get me wrong. I think backup services and solutions have a role to play inside the Office 365 ecosystem. Microsoft’s tools can be overcomplicated and hard to use to restore data, especially on a highly granular basis. There’s lots of scope to come up with new ways to visualize the important data used in a tenant, protect that data by copying some or all of it to a separate location, and deliver easy ways for tenant administrators to access and restore information quickly and efficiently.

The old-style backup techniques developed for on-premises environments and brought into the cloud are not what’s needed. There’s too much data in cloud services and too many points of interconnection and dependencies to keep on using the “let’s stream data out of Exchange or SharePoint” approach that I see in so many offerings.

Come join us at the debate. I can promise nothing except some arguments. Let’s hope that the moderator maintains control and the participants remain cheerful and polite!


Update: You can access a recording of the debate online. I think AvePoint did a nice job of setting up and running the debate and I look forward to using this format to debate other issues in the future.

Figure 1: The Great Backup Debate
How to Prevent Attendees Unmuting Themselves in Teams Meetings
https://office365itpros.com/2020/10/05/stop-attendee-unmuting-teams/
Mon, 05 Oct 2020 07:31:40 +0000

Keep Quiet Please

Office 365 notification MC223029 of 29 September tells us that Teams meeting organizers now have the option to stop participants unmuting themselves during meetings. This is Microsoft roadmap item 66575. The change is rolling out now. GCC and GCC-High tenants will see the update at the end of October.

People attending online meetings should mute themselves unless they need to speak. Muting stops extraneous noise leaking into the meeting and making it harder for other participants to hear what’s happening, so it’s simply good meeting etiquette to use the mute button. However, as we all know, it’s possible that some participants are more eager to contribute than others and can try to dominate proceedings, which is why meeting organizers can mute people. Stopping them being able to unmute themselves will keep people quiet, but it also stops them participating, so mute controls should be used judiciously.

Preventing meeting participants from unmuting themselves is probably focused on education rather than commercial or government Office 365 tenants. At least, I can see how a teacher would want to stop participants interrupting a class, but I have seldom been in a business meeting where the same need exists.

Update Teams Meeting Settings

In any case, you can select a meeting from the calendar app and update meeting options before it starts (Figure 1) to move the Allow attendees to unmute slider to Off if you want a quiet time.

Figure 1: The choice to stop attendees unmuting is in Teams Meeting Options

Note that the settings shown in Figure 1 allow anyone in the organization to present. This means that the muting control doesn’t apply to these users because they are presenters rather than attendees. It wouldn’t make much sense to impose a muting control on people scheduled to present at a meeting.

During the Meeting

When the meeting is in progress, you can flip the switch to calm proceedings (Figure 2). Attendees see a note that the “mic is disabled for all attendees” if they try and unmute.

Figure 2: Updating options for a Teams meeting to control attendee unmuting

If someone really needs to say something, they can raise their hand (virtually) to let the meeting organizer know. If the organizer decides that the attendee has something useful to contribute, they can select their name in the participant list or in the list of attendees at the bottom of the screen (the meeting stage) and allow them to unmute (Figure 3).

Figure 3: Allowing a meeting attendee to unmute themselves

Future Updates

The current implementation is quite a blunt instrument. Microsoft admits this and says that they will address some limitations during the last quarter of 2020, including:

  • Allow the organizer or presenters to allow any attendee to unmute even if their hand isn’t raised.
  • Allow the organizer or presenters to prevent a single attendee from unmuting even if “Allow attendees to unmute” is on.

Overall, while I can’t see myself using this feature in the meetings I organize, I’m sure that others will find it useful to control unruly and vocal audiences. Perhaps in a presidential debate?


Stay current with important changes in Office 365 and its applications by subscribing to the Office 365 for IT Pros eBook.

Microsoft Increases the Number of Available Planner Labels for Planner Tasks
https://office365itpros.com/2020/10/02/planner-labels-update/
Fri, 02 Oct 2020 03:36:39 +0000

Planner Has Poor Record of Notifying Office 365 Tenants About New Features

Updated February 24, 2021

As has become the norm with Planner, another change has crept into the application without anything being notified to Microsoft 365 tenants. The new change increases the number of Planner labels available in a plan from 6 to 25. But the lack of notification is a continuation of a sequence including:

Some of these are small changes which probably don’t deserve much highlighting because they are small evolutionary steps, but it’s a pity that Planner doesn’t do more to let people know what they’re up to.

Better Labels

Take a change that showed up in my tenant this week. Planner has always had the ability to add up to six colored labels to a task to mark the task in a way chosen by plan members. Some use the labels to give different levels of urgency to a task, others to mark the task as being in a certain category. It’s up to you. Figure 1 shows the old-style Planner labels, which pop out of the right-hand side of a task.

Figure 1: Old-style Planner labels

The new method of accessing and applying labels is better. The old approach was often hidden to users, who can now simply use the Add label option when editing a task to view the set of labels available in the plan and choose the labels they wish to apply to a task (Figure 2).

Figure 2: Planner’s new labels

Like in the past, any member of a plan can edit the text name given to a label. There’s no way for the plan owner to lock the names assigned to labels. This is a curious omission because it’s entirely possible that a member can edit a label to give it a completely different meaning to its previous use.

In any case, labels are now more accessible and easier to use, so it’s a good change.

Changes Coming to Planner

According to Microsoft, more changes are coming to Planner. According to the Get more done with Microsoft Planner session in the Microsoft Technical Community video hub, effective February 24, Planner supports up to 25 labels instead of the previous six (see Figure 2).

Planner also has customized backgrounds (delivered in January 2021) and is due to get a more intelligent way of selecting files to attach to tasks. The Teams integration with Planner will allow users to create new tasks from any chat or channel conversation through the Create task option in the […] menu. I totally overlooked the advent of “confetti” in Planner, used to signal when a final item in a checklist is achieved or when a task is complete, as well as a checklist completion bar to show progress as you work through a set of tasks.

Details of the arrival of 25 labels for Planner are in MC241349 published on February 24. I can’t recall seeing details of the confetti and progress bar being published in a message center notification. Such is life. You need to keep a wary eye out in many places to learn what’s happening in Planner. It’s part of the ongoing work required from tenant administrators to keep track of what’s happening across the Microsoft 365 ecosystem.


Details, details, details… So much changes in so many ways across all the Office 365 apps on an ongoing basis. Stay current by subscribing to the Office 365 for IT Pros eBook!

How to Create New Teams Using Customizable Templates
https://office365itpros.com/2020/10/01/how-to-create-new-teams-from-templates/
Thu, 01 Oct 2020 08:02:30 +0000

Prepopulate New Teams with Channels, Apps, and Tabs

Microsoft announced the ability to create new teams based on customizable templates on May 19. As noted in Office 365 notification MC222406 (September 18), the feature is rolling out in October 2020. Teams templates are described in Microsoft 365 roadmap item 67110, where Microsoft says they expect templates to “standardize team structures, surface relevant apps, and scale best practices.”

According to a Microsoft representative, these templates won’t be available for education tenants as they already have education-specific templates. However, the two types will merge over time.

Out-of-the-box Standard Templates

Templates are prepopulated structures created by Microsoft to make it easy to create teams to do a specific job. Each template consists of a set of channels, tabs, and apps that are automatically added to teams created using the template. Some of the 13 out-of-the-box templates are for general use (like project management); others (like Organize a Store) are for a particular industry. Among the templates published by Microsoft are:

  • Adopt Office 365.
  • Manage a project.
  • Manage an event.
  • Onboard employees.
  • Organize help desk.
  • Coordinate incident response.

As an example of what happens when you create a team using a template, if you use the Manage a Project template, four channels and two apps are added to the new team. The channels are called General, Announcements, Resources, and Planning while the apps are OneNote and Wiki. During the creation process, you can rename the channels to make them more appropriate for the new team. Because it might take some time to create the channels, apps, and tabs contained in a template, you can close the Teams creation screen after you save the details of the new team. Teams will then notify you when the new team is available.

After the team is created, you need to fully build out the new team by taking actions such as:

  • Adding team members and owners.
  • Adding other apps and channels (including private channels).
  • Updating the team photo and other settings.
  • Installing connectors.
  • Posting a welcome note.
  • Uploading files.

Building New Teams Templates

The set of out-of-the-box templates is managed in the Team templates section of the Teams admin center. You can add, edit, or remove templates to meet the needs of the organization. Figure 1 shows the initial step in creating a new template to help teams work on new books. At this point, we define its name, description, and locale (English in this case).

Figure 1: Creating a new template in the Teams admin center

The next step is to add the channels and apps which Teams will automatically create in new teams based on the template. The General channel is always present (essentially, this channel represents the team). For our template, we’ve elected to add two additional channels, each of which will have tabs created for Planner and Microsoft Lists (Figure 2) to help us organize the writing and production of our book.

Figure 2: Adding channels and apps to a Teams template

Because Planner and Lists are added as tabs, they also feature in the list of apps installed by the template. It’s likely that those working on books will want to praise the efforts of authors, technical editors, reviewers, and the overall editor, so we’ve included the Praise app as well.

When everything is defined for the template, click Submit to publish the template and make it available to users. Custom templates are listed ahead of the set of standard templates when shown to people creating new teams (Figure 3).

Figure 3: The new Teams template appears in the available set

Useful Tool for Administrators

Time will tell whether Microsoft’s expectation of the positive effects of templates will come true. If many of your teams are created using the same structure, like the teams used to support classes of the same type, templates are certainly a useful tool in the administration toolbox, including if you use the Graph to create teams. The current release of the Teams PowerShell module doesn’t yet support the creation of teams with templates.


This is a small detail of Teams administration and doesn’t feature heavily in the 1,200 pages of the Office 365 for IT Pros eBook. Which just goes to prove how much extra interesting and valuable information the book does contain!

Download the October 2020 Update for Office 365 for IT Pros
https://office365itpros.com/2020/09/30/october-2020-update-office-365-for-it-pros/
Wed, 30 Sep 2020 15:28:28 +0000

September 2020 was an odd month. The Microsoft Ignite 2020 virtual conference happened over 48 hours to give us plenty to think about as we plan future monthly updates for the Office 365 for IT Pros eBook. We even managed to cover some of the new features which are available now in the October update. But what was strange was the amount of change which Microsoft introduced into Office 365 before Ignite. They certainly didn’t keep things wrapped up until the conference started and many updates appeared over the month. So much so that the result is updates for 21 of the 24 content chapters in the book. You can find full details of the chapter updates in our change log.

More Changes Coming

We expect the pace of change to pick up over the next several months as Microsoft releases features announced at Ignite as previews or into general availability. This will add to other changes in the works that get posted as Office 365 notifications in the Message Center in the Microsoft 365 admin center.

Many of the changes announced in Office 365 notifications are tweaks to the UI of an application. We don’t tend to cover changes like that in the book unless they affect the way an application works or is managed. Office365itpros.com exists to document changes that we think are interesting at a level of detail that we can’t afford in the book unless the page count was to expand well past its current 1,200-odd limit.

Updates Available for Download

Subscribers can now download the October update through Gumroad.com (for EPUB/PDF subscribers) or Amazon (for Kindle). Our FAQ has lots of useful information about how to access updated files. Please download and use the updated files. We put a lot of effort into the monthly updates and it’s nice to know that the work is used.

We did not update the companion volume for October 2020.

Breakout Rooms in Teams Meetings Help People to Work Smarter https://office365itpros.com/2020/09/30/teams-breakout-rooms-teams/?utm_source=rss&utm_medium=rss&utm_campaign=teams-breakout-rooms-teams https://office365itpros.com/2020/09/30/teams-breakout-rooms-teams/#comments Wed, 30 Sep 2020 01:00:32 +0000 https://office365itpros.com/?p=29236

Coming to Teams Commercial, Education, and GCC Tenants in Q4 2020

Many customers support the “introduce breakout room functionality” request on Teams User Voice. The feature is listed as “Virtual breakout rooms” in Microsoft 365 roadmap item 65332. According to the roadmap item, breakout rooms are due for general availability in October 2020. The date was confirmed by James Skay of Microsoft in the Master Virtual Breakout rooms in Teams meetings session at the recent virtual Ignite conference, who said that breakout rooms would come to Teams education, commercial, and GCC Office 365 tenants in early Q4 (October).

Update: MC224343 says that the roll-out will now start in early December and complete in mid-December.

Managing breakout rooms depends on the pop-out meeting and chat experience, so the desktop client must be used by meeting organizers. Participants can use the desktop, browser, or mobile client.

Split Large Meetings into Sub-Meetings

Originally announced as part of a package of new Teams features for education on July 30, Teams breakout rooms allow a Teams meeting to be split into several subordinate meetings (the breakout rooms) linked to the main meeting. The feature is designed to support scenarios like brainstorming sessions, online classes, and corporate events, which often start by assembling all the participants to set the goals before dividing into smaller groups to work on specific issues, and then come back together to report findings and make decisions.

To use breakout rooms, the Teams meeting policy assigned to meeting organizers must allow the following features:

  • Schedule private meeting
  • Meet now in channels
  • Channel meeting scheduling
  • Meet now in private meetings

Figure 1 shows how to enable the first three settings in a Teams meeting policy. The last setting is in the Participants and Guests section of the policy.

Figure 1: General settings in a Teams meeting policy

How Teams Breakout Rooms Work

A Teams meeting starts as normal and the meeting organizer (creator) chooses the breakout rooms option in the meeting control bar to create the number of breakout rooms needed (Figure 2). Additional breakout rooms can be added or removed later, up to the maximum of 50 rooms.

Figure 2: Creating Breakout rooms for a Teams meeting

To make their purpose clear, breakout rooms can be renamed. For example, a group working on a corporate merger might have breakout rooms for Finance, HR, and Legal. Microsoft says that in the future you’ll be able to predefine breakout rooms including room assignments before a meeting starts.

The meeting organizer assigns meeting participants to the different rooms (Figure 3). This can be done manually or automatically (participants are evenly divided at random among the available rooms). Users can be moved between breakout rooms. After assigning users to rooms, the organizer uses the Start rooms command to allow the participants assigned to each room to begin work. It’s possible to open rooms individually if you don’t want them all to begin at the same time. A setting controls whether people are moved automatically into their assigned rooms (the default) or receive a prompt to join. Those assigned to a breakout room cannot add other people – this can only be done by the meeting organizer.

Figure 3: Assigning people to Teams breakout rooms

Participants meet in the breakout rooms, where they can use normal meeting functionality such as chat and app sharing, turn on together mode, and collaborate with a whiteboard. To encourage people to participate, everyone in a breakout room is assigned the presenter role.

The meeting organizer can visit the breakout rooms to help keep everything on track. When they join a breakout room, the organizer can work with the other participants. The meeting organizer can also make announcements to all breakout rooms. For instance, they might send a note to remind people that the breakout rooms will close in five minutes and that someone should be nominated to present findings. Announcements are posted to the meeting chat in each open breakout room (Figure 4). If participants in a room need to contact the meeting organizer, they can send an @mention message in chat.

Figure 4: An organizer’s message is posted to a breakout room chat

Wrapping Up a Meeting

To bring the meeting back together again, the organizer closes the breakout rooms. After a short delay, the participants from the breakout rooms rejoin the main meeting. If necessary, the organizer can reopen a breakout room to allow people to restart discussions. Attendees cannot close breakout rooms. After wrapping everything up with the complete set of participants, the organizer ends the meeting.

Separate meeting chats and notes are kept for each room and for the main meeting. Separate recordings and transcripts can be captured for each breakout. Access to the information shared or generated in a breakout room is limited to the participants in that room. For instance, if a file is shared in the Finance breakout room, the permissions on the file uploaded to the sharer’s OneDrive account are restricted to the people in the breakout room at that time. In the future, Microsoft says that it will be possible to share information more easily from a breakout room with the main meeting.

Expanding People Who Can Manage Breakout Rooms

It’s not always the case that those who schedule meetings are the people who run the meetings, and it’s also possible that a meeting creator might not be available when the meeting happens. To avoid the obvious issue that the meeting organizer is the only person initially allowed to manage breakout rooms, Microsoft says that it will be possible to assign multiple organizers in the future.


It’s stuff like this which makes us update the Office 365 for IT Pros eBook on a continual basis. We’ll keep an eye on Teams breakout rooms and report our experience of using these useful rooms in Chapter 11.

How to Use Precanned Filters with Exchange Dynamic Distribution Lists to Address Specific Mailboxes https://office365itpros.com/2020/09/29/use-dynamic-distribution-lists/?utm_source=rss&utm_medium=rss&utm_campaign=use-dynamic-distribution-lists https://office365itpros.com/2020/09/29/use-dynamic-distribution-lists/#comments Tue, 29 Sep 2020 08:27:18 +0000 https://office365itpros.com/?p=28559

Send Email to Filtered Sets of Recipients

After explaining how to use a custom attribute to store users’ beverage of choice and surface that information in Office 365 apps through the Microsoft 365 profile card, the question came up if it is possible to create a dynamic distribution list using the same custom attribute. The answer is “absolutely!”

Dynamic distribution lists are a very powerful way of addressing specific sets of mail-enabled recipients. Table 1 compares their capabilities against those of dynamic Microsoft 365 groups.

| | Dynamic distribution lists | Dynamic Microsoft 365 groups |
| --- | --- | --- |
| Licensing | Included in Exchange Online | Need Azure AD Premium P1 |
| Filters | Resolved against Exchange Directory Store | Resolved against Azure AD |
| Can include | Any Exchange recipient type (mailboxes, public folders, mail contacts, etc.) | Azure AD accounts (including guest accounts and hybrid users) |
| Use | Address email | Determine membership of a group used to manage access to group resources. Can also be used to address email. |

Table 1: Comparing dynamic distribution lists and dynamic Microsoft 365 groups

Some on-premises Exchange organizations use thousands of dynamic distribution groups. Because of the presence of other methods to address sets of users like Microsoft 365 Groups and Teams in Office 365, dynamic distribution lists are not as heavily used. But as we’ll see, these lists are easy to create and use.

Filters Against the Directory

The core of both types of dynamic groups is the filter used to find objects in the source directory. The filters can be very complex when multiple attributes are involved, but in this case the filter needed to find users with a particular value in a custom attribute is straightforward. For example, to create a dynamic distribution list of mailboxes whose owners like beer, we can either use the Exchange admin center or run the New-DynamicDistributionGroup cmdlet:

New-DynamicDistributionGroup -Name DynamicBeer -DisplayName "Dynamic Beer Drinkers" -ConditionalCustomAttribute9 Beer -IncludedRecipients MailboxUsers -PrimarySmtpAddress Beer.Drinkers@office365itpros.com -Alias Beer.Drinkers

In this case, because we use CustomAttribute9 to hold the drink preference, we can use what’s called a “precanned” filter. In other words, Exchange knows that custom attributes are often used for filters, so the cmdlet supports an easy way to include these attributes in filters. The ConditionalCustomAttribute9 parameter is set to “Beer” and the IncludedRecipients parameter is set to MailboxUsers. Together, this creates a filter to find any user mailbox whose CustomAttribute9 is “Beer.”

If the attribute you want to use isn’t covered by a precanned filter, dynamic distribution lists can also use custom filters to find mail-enabled recipients. This is a little more complex because you must construct the filter instead of Exchange doing the job for you.

To complete the setup of the new dynamic distribution list, we use Set-DynamicDistributionGroup to define who is the list owner and create a mail tip to give an indication to users about the list’s purpose:

Set-DynamicDistributionGroup -Identity Beer.Drinkers -ManagedBy James.Joyce@Office365itpros.com -MailTip "Mailbox users who like beer"

Some judicious cut and pasting will quickly generate a set of dynamic distribution lists for people who like water, wine, cola, and so on.

Testing Recipient Filters

If you want to be sure that the filter created for a dynamic distribution list will locate the correct mailboxes, you can run the Get-Recipient cmdlet and input the recipient filter for the list. Here’s how:

Get-Recipient -RecipientPreviewFilter (Get-DynamicDistributionGroup -Identity Beer.Drinkers).RecipientFilter | Select DisplayName

DisplayName
-----------
Kim Akers
Imran Khan
James Ryan

To have more mailboxes picked up by the filter, update their CustomAttribute9 with the value used by the filter. For example:

Set-Mailbox -Identity James.Joyce -CustomAttribute9 "Beer"
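
The setup and preview steps above, combined as an added example (not the author's script): it creates one list per drink with a custom -RecipientFilter in place of the precanned parameters, then previews each list's membership so an unexpected match shows up before anyone sends to the list. The drink list, naming scheme and owner are assumptions, and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example, not from the original post.
# Assumes Connect-ExchangeOnline has already been run with sufficient rights.
# $Drinks, the naming scheme and $Owner are illustrative assumptions.
$Domain = "office365itpros.com"
$Owner  = "James.Joyce@office365itpros.com"
$Drinks = "Beer", "Water", "Wine", "Cola"

$Report = foreach ($Drink in $Drinks) {
    $Alias = "${Drink}.Drinkers"

    # Custom filter written to express the same condition as the precanned
    # parameters (-IncludedRecipients MailboxUsers -ConditionalCustomAttribute9)
    $Filter = "(RecipientType -eq 'UserMailbox') -and (CustomAttribute9 -eq '$Drink')"

    # Create the list only if it does not already exist
    $List = Get-DynamicDistributionGroup -Identity $Alias -ErrorAction SilentlyContinue
    if (-not $List) {
        $List = New-DynamicDistributionGroup -Name "Dynamic$Drink" `
            -DisplayName "Dynamic $Drink Drinkers" `
            -Alias $Alias `
            -PrimarySmtpAddress "$Alias@$Domain" `
            -RecipientFilter $Filter
    }

    # Owner and mail tip, as in the Set-DynamicDistributionGroup step above
    Set-DynamicDistributionGroup -Identity $Alias -ManagedBy $Owner `
        -MailTip "Mailbox users who like $($Drink.ToLower())"

    # Resolve the filter stored on the list to see who would receive mail
    $Members = @(Get-Recipient -RecipientPreviewFilter $List.RecipientFilter -ResultSize Unlimited)

    [PSCustomObject]@{
        List       = $Alias
        Recipients = $Members.Count
        Names      = ($Members.DisplayName | Sort-Object) -join "; "
    }
}

# One row per list: review the counts and names before announcing the lists
$Report | Format-Table -AutoSize -Wrap
```

A list that resolves to zero recipients, or to names nobody expected, points to a CustomAttribute9 value that does not match the filter string exactly.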

Using the List

Using the dynamic distribution list is as easy as using any distribution list. The notable difference from an end user perspective is that there’s no option to expand the list and reveal the individual members by adding them to the message header (Figure 1).

Figure 1: Using a dynamic distribution list to address email

The list membership is evaluated each time a message addressed to the list passes through the Exchange transport service and messages for matching recipients are generated at that point.


We’re rather fond of dynamic distribution lists, so they are covered in the Office 365 for IT Pros eBook. It’s an Office 365 feature that hasn’t changed in years… but we still like it.

How to Add OneDrive Shortcuts for SharePoint Online Folders https://office365itpros.com/2020/09/28/onedrive-shortcut-sharepoint/?utm_source=rss&utm_medium=rss&utm_campaign=onedrive-shortcut-sharepoint https://office365itpros.com/2020/09/28/onedrive-shortcut-sharepoint/#comments Mon, 28 Sep 2020 07:37:03 +0000 https://office365itpros.com/?p=28855

Include Important SharePoint Online Folders in OneDrive

First announced in public preview in June as the “Add to OneDrive” or OneDrive shortcut feature, the Add shortcut to OneDrive option is now showing up in SharePoint Online sites in Microsoft 365 tenants worldwide (Figure 1). The documentation is here. This feature is covered in message center notification MC217339 and Microsoft 365 roadmap item 56384.

Update (December 2, 2020): After some delays, the OneDrive shortcut feature is now generally available everywhere.

Figure 1: The Add shortcut to OneDrive option in a SharePoint document library

Shortcuts to Important Folders

In a nutshell, when you use the option for a selected folder (rather than an individual file), it creates a shortcut link or pointer in your OneDrive for Business My files view. The idea is that you can use OneDrive for Business to assemble links for the SharePoint Online folders and other folders shared with you by other users to make them more easily accessible. In my case, my work tends to focus on a small number of folders spread across different sites for chapter and book files for the Office 365 for IT Pros eBook, blog posts like this, and billing for consulting engagements. Figure 2 shows my setup. Note the different folder icon used for the shortcuts. Selecting a shortcut opens the folder in the My Files view.

Figure 2: A set of OneDrive shortcuts appear at the top of OneDrive Files

Shortcuts Prove to Be Really Useful Feature

Creating shortcuts to folders in SharePoint Online document libraries is a simple but incredibly effective idea. Given the number of Microsoft 365 Groups and Teams in use today, Microsoft 365 users might have access to hundreds of different sites, which creates the challenge of how to quickly access the files most important to you, or the “where’s my stuff syndrome.” Opening the SharePoint or Teams app to navigate to the files is one way to accomplish the goal as is using Microsoft Search to find individual files.

And then there’s Delve. Once the poster child for the Microsoft Graph and the preferred access point to documents created within Office 365 but lately ignored in the rush to Project Cortex (now available as Viva Topics and SharePoint Syntex) and its offshoots, Delve still offers an effective way to assemble sets of documents by adding them to one of its boards (Figure 3).

Figure 3: Delve lists documents added to a board

At this point, given that many have forgotten that Delve exists, adding shortcuts to OneDrive for Business is the most useful way of assembling pointers to the SharePoint Online folders you use most often. It’s just a pity and a little curious that Microsoft hasn’t told more people about shortcuts.

Disabling OneDrive Shortcuts

If you decide that you don’t like shortcuts, you can disable them by running the Set-SPOTenant cmdlet to set the DisableAddShortCutsToOneDrive switch to $True. Make sure that you update the SharePoint Online PowerShell module before attempting to run Set-SPOTenant to ensure that the switch is available.

Set-SPOTenant -DisableAddShortCutsToOneDrive $True
WARNING: Users in your organization will no longer be able to add new shortcuts to their OneDrive while the
feature is in Public Preview. However, existing shortcuts will remain functional.

The warning still applies even though OneDrive shortcuts are generally available. In December 2020, Microsoft said that administrators would be able to block OneDrive shortcuts “for the next few months” to “drive any required change management.” Microsoft plans to remove this option in the future (no timeframe has been announced).

If you disable OneDrive shortcuts, the Add shortcut to OneDrive command is removed from SharePoint Online document libraries. Existing shortcuts remain in place. Some people would like to keep the option to disable shortcuts. If you share this view, you can vote for this SharePoint User Voice request.


The world of Office 365 is full of detail. Stay acquainted with what’s happening by subscribing to the Office 365 for IT Pros eBook. Monthly updates ensure that we keep you in the loop about the important changes in Microsoft’s cloud office service.

New Outlook API Makes Email Signature Management Easier https://office365itpros.com/2020/09/25/outlook-signature-api/?utm_source=rss&utm_medium=rss&utm_campaign=outlook-signature-api https://office365itpros.com/2020/09/25/outlook-signature-api/#respond Fri, 25 Sep 2020 01:00:36 +0000 https://office365itpros.com/?p=28340

API in Preview Revealed at Ignite 2020 Conference

The advent of support for roaming signatures for Outlook desktop caused some to question if the case to use third-party email signature management products had weakened. As it turned out, Microsoft delayed the deployment and the latest information published in Office 365 notification MC215017 on September 22 says:

  • We will begin rolling this out to Microsoft 365 Monthly Channel, Targeted, in late September (previously July). (This is Insiders Slow Channel which will soon be called Microsoft Beta.)
  • We expect to roll this out to the Monthly Channel, Production, in late October (previously August).

Update: According to Microsoft 365 roadmap item 60371, the latest date for the general availability of roaming signatures is July 2022.

Not Easy to Manage Outlook Signatures

My experience of using PowerShell to create and update signatures for Outlook desktop convinced me of the complexity of the task. By comparison, the signatures used by OWA are much easier to manipulate. Messages generated by Outlook mobile and other email clients connected to Exchange Online are typically handled by routing the email through an Azure-based cloud service and then back to Exchange Online for onward delivery. In a nutshell, managing corporate email signatures is not easy, especially when multiple client types are involved.

A New Signature API for ISVs

Still, ISVs need to improve their software to convince potential customers that it’s best to use their products instead of relying on what Microsoft delivers. What might surprise some is that Microsoft helps ISVs, as evident in the Build Outlook Add-ins that integrate your solution seamlessly into your users’ Outlook experience session (yes, that’s a mouthful) from Ignite 2020.

The session features Szymon Szczesniak, the genial CEO of Code Two software (Figure 1), discussing his company’s experience of using a new Signature API to create web add-ins which work for Outlook desktop (Windows and Mac) and OWA (now), and Outlook mobile (in the future).

Figure 1: Code Two’s CEO explains the new Signature API

As you might expect, Code Two created a web add-in to add a corporate signature to a message before it is sent. This has been possible in the past, but only by creating something like a COM add-in that had to be installed on individual workstations or distributed to sets of workstations using Group Policy Objects. The COM add-in worked by updating Outlook settings with the signature, which Outlook then applied to new messages.

What’s Possible with Signature Web Add-ins

The Signature API and web add-ins are a dramatic step forward. Signatures inserted by add-ins based on the API can be dynamic, meaning that they can be intelligent enough to detect the type of message to insert an appropriate signature. For instance, a new message might get the full treatment with a corporate slogan inserted along with user details while a reply or forward might have a cutdown signature inserted or none. If the company makes multiple types of signature available (for instance, signatures with different graphic layouts), users can select which they’d like to use.

Finally, because the processing is done on the client before email is sent, protection applied by sensitivity labels or Office 365 message encryption works properly and solves the issues highlighted in this article, at least for Outlook clients. Challenges remain for dealing with mail traffic generated by Outlook mobile (until it supports the web add-ins) and non-Microsoft email clients, which will still need to be processed en route.

Expect December Developments

Although Code Two Software get the kudos for publicizing the new Signature API, they won’t be the only ISV to exploit the API (LetsSignIt announced that they have also been working with Microsoft to develop an add-in). I expect a batch of new products and offerings to appear soon after Microsoft makes the API generally available, expected before the end of this year. Overall, the new API will make email signature management easier to deploy and manage, and that can’t be a bad thing.

Update March 22, 2021: Code Two has released their “modern web add-in” for Outlook and OWA. Like many software developments, it took a little longer to get the add-in from early development to full production.

Update May 25, 2021: Announced at the Build 2021 conference, Code Two Software’s modern signatures add-in for OWA and Outlook for Windows is now generally available. Not to be outdone, Exclaimer has support for an OWA add-in too (but not Outlook desktop yet). Expect all the major email signature vendors to follow suit in the near future.


We don’t cover much about ISV software in the Office 365 for IT Pros eBook. In this case, email signature management has been such a pain for so many organizations for so long that we’re delighted to see progress in the space.

Change to Outlook Groups Displays High Unread Counts https://office365itpros.com/2020/09/24/change-outlook-groups-displays-high-unread-counts/?utm_source=rss&utm_medium=rss&utm_campaign=change-outlook-groups-displays-high-unread-counts https://office365itpros.com/2020/09/24/change-outlook-groups-displays-high-unread-counts/#comments Thu, 24 Sep 2020 01:00:00 +0000 https://office365itpros.com/?p=28377

Wow! Where Did All Those Unread Items Come From?

Last Tuesday, I checked for updates for the Microsoft 365 apps for enterprise (Office click to run) and duly downloaded the available update to upgrade to version 2009 (build 13231.20200). Nothing strange happened and the upgrade proceeded without any issues. I was a happy camper.

That is, until I noticed that the unread count for my Outlook Groups suddenly displayed much higher numbers (Figure 1). Usually these groups have a very low number of unread items, especially those marked as favorites because I check them at least once daily.

Figure 1: Outlook for Windows displays some high unread counts for Groups

The History of Groups

The reason why this happens is clouded in history. When Microsoft introduced Office 365 Groups (now Microsoft 365 Groups) in November 2014, they were characterized as a new way for email-centric collaboration. Teams didn’t exist at that point and although Microsoft’s marketing muscle was pushing Yammer (bought in June 2012) as the future for collaboration and a replacement for email (that strategy really worked out), the bulk of interpersonal electronic collaboration occurred over email.

In the on-premises world, many Exchange organizations combined distribution lists with public folders to give people an archive for discussions. Groups introduced a group mailbox to host discussions and a shared calendar and came with a SharePoint Online team site for document storage, including a shared group OneNote notebook. Given that the bulk of work that had been migrated to Office 365 at that point was email, Groups looked pretty good. In April 2017, Groups (now called Groups in Outlook) had 10 million active users, or roughly 10% of the Office 365 user count at the time. The latest figure for Office 365 is 258 paid seats (April 2020). It’s unlikely that Outlook Groups have kept pace and now have 25 million active users, but it’s possible.

The collaboration landscape within Office 365 changed upon the general availability of Teams in March 2017. Since then, Teams has taken the lead and Groups have concentrated on a new mission of delivering a membership and access service to applications like Teams. Usage of Outlook Groups as a fulcrum for email-based collaboration is much less important to Microsoft now, but Groups are still actively used in this way in many Office 365 tenants.

Choosing a Simpler Unread Count Model for Groups

When Groups were added to Outlook in 2015, the developers decided not to use the standard item read/unread model as used in other mailbox folders like the Inbox. This model depends on the unread status of items and operates on a per-user basis. In other words, in a shared resource like a group inbox or public folder, each user has a separate unread count generated by the number of items they have not read in the folder.

Instead, the group developers chose a “more simple triage model for the groups conversations list, where all the conversations would be marked as seen as you moved away from the group.” Apparently, the decision was based on user feedback that many groups contain conversations unimportant to some members, so you couldn’t expect them to read everything. As implemented in Outlook, the group seen/unseen model allowed users to scan a group for new items and then set the unread count to zero once the user moves from the group. The new item count for a group then becomes the number of items delivered to the group since the last access by the user.

By comparison, new messages delivered to an inbox are personal and the mailbox owner is expected to deal with them. The new item count for the inbox is therefore very important for the mailbox owner and is adjusted up and down as the unread status for messages change (you can mark a read item as unread).

OWA and Outlook Mobile Use Normal Unread Counts

At the time, the developers accepted that the difference in how folders reported unread counts caused user confusion and said that they were working on implementing an item read/unread model for Groups. That model was implemented by OWA in early 2019 and is in use today (Figure 2).

Figure 2: OWA has used the read/unread model since 2019

For whatever reason (prioritization, lack of resources, more pressing features, etc.), Outlook desktop is a long way behind OWA in moving to the item read/unread model. The latest builds of Outlook have switched to the item read/unread model, which is the reason why the unread counts for my groups suddenly exploded from their normal low levels. Outlook Mobile has also used item unread counts since early 2019.

Resetting the Unread Count for an Outlook Group

Another piece of good news is that the Outlook developers have included a Mark All as Read option to reset the unread count for a group. Select the group you want to reset, right-click, and select the option. Processing to reset the unread status for items occurs in a background thread, so it doesn’t stop you working while the unread count is reset. Depending on the number of unread items in the group, the option can take a little while to complete.

Figure 3: Outlook’s Mark All as Read option

Unhappily, Outlook’s Mark All as Read option might not be able to update the status for all unread items. At least, it didn’t for me. My solution was to open the group with OWA and use its version of Mark All as Read, which worked flawlessly.

The good news is that as you open unread items in a group using one client, the read status for the item and unread count for the group are updated and shown correctly across all Outlook clients.

Hindsight Always Best

The benefit of hindsight tells us that the decision of the Groups developers to go with the simpler read/unread model for their Outlook implementation was flawed. The change made in the other clients in 2019 is now showing up in Outlook desktop. A little preparation and user communication should be enough to get everyone over the shock of seeing elevated unread counts for their groups.


This one-time change will probably warrant a line or two in the Office 365 for IT Pros eBook. It’s an example of a small change that’s important for some users for a period. Once the change is done, it’s done. But change persists inside Office 365, which is why we keep updating the book.

How to Customize the Azure AD Schema to Display the Drink Attribute in the Microsoft 365 Profile Card https://office365itpros.com/2020/09/23/microsoft-365-profile-card/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-profile-card https://office365itpros.com/2020/09/23/microsoft-365-profile-card/#comments Wed, 23 Sep 2020 01:00:50 +0000 https://office365itpros.com/?p=28235

Drink and the Active Directory Schema

Last week, Twitter was full of news about the drink attribute, which is part of the Active Directory schema and defined in Microsoft documentation as “The drink (Favorite Drink) attribute type specifies the favorite drink of an object (or person).” The Microsoft 365 profile card displays lots of information about people, but it doesn’t show their favorite beverage.

Quite why drink was ever added to Active Directory is a mystery, but it’s there for all versions of the Windows Server operating system from Windows Server 2003 and available for people to use as they wish. However, it’s not in Azure Active Directory, and again no one can explain why. But it’s not and, according to Microsoft, will not be.

Use Custom Attributes Instead for the Microsoft 365 Profile Card

The lack of drink in Azure AD poses a quandary to those who need to populate the attribute. You cannot extend the Azure AD schema to add attributes, so the only thing to do is to make the best of what’s available. In a nutshell, you can use one of the fifteen single-value custom attributes predefined in Azure AD for organizations to use as they wish. You can’t rename the attributes, but you can use them to hold data.

A quick check of mailboxes revealed that CustomAttribute9 wasn’t in use. It’s important to check to make sure that the chosen attribute isn’t used to store information used for another purpose. With the decision made, you can update CustomAttribute9 with a user’s drink preference by setting the value for their mailbox with the Set-Mailbox cmdlet as follows:

Set-Mailbox -Identity James.Joyce -CustomAttribute9 "Beer"

Updating a custom attribute for an Exchange Online mailbox leads to synchronization of the information to the mailbox owner’s account in Azure AD. I spent some time looking at how to update the custom attribute using the Azure AD PowerShell module and could find no method to do this.

It would be nice to be allowed to use one of the five multi-value custom attributes available for mailboxes and also in Azure AD (ExtensionCustomAttribute1 through ExtensionCustomAttribute5) as you could then store the preferred brand name along with the choice of beverage, but these attributes aren’t currently supported for customization of the profile card.

Update Azure AD Schema to Display Drink on the Microsoft 365 Profile Card

Once the chosen attribute is populated, we can use the Graph Explorer to update the Azure AD schema to make information about users’ preferred drinks appear in the profile card (also known as the people card). I used this payload to define that the contents of CustomAttribute9 are displayed as Drink in the Microsoft 365 profile card.

{
    "directoryPropertyName": "CustomAttribute9",
    "annotations": [
        {
            "displayName": "Drink",
            "localizations": [
                {
                    "languageTag": "de",
                    "displayName": "Getränk"
                }
            ]
        }
    ]
}

The customization to the profile card doesn’t happen quickly and it can take up to 24 hours before you see the effect. Eventually, all the necessary processes click into place and the profile card will display the information (Figure 1).

Figure 1: The user’s beverage of choice is displayed in their Microsoft 365 profile card
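
The same change can be scripted rather than typed into the Graph Explorer. The following is an added example, not code from the original post: it lists the values currently held in the chosen attribute so that an existing use is noticed, then posts the payload shown above only if no profile card property exists for it. The v1.0 endpoint path and the PeopleSettings.ReadWrite.All scope are assumptions that do not appear in the post.

```powershell
# Added example. Assumes sessions already created with Connect-ExchangeOnline and
# Connect-MgGraph -Scopes "PeopleSettings.ReadWrite.All" (scope name is an assumption).
$Attribute = 'CustomAttribute9'
$Uri = 'https://graph.microsoft.com/v1.0/admin/people/profileCardProperties'  # assumed endpoint

# 1. Review what the attribute already holds. Anything that is not a drink means
#    the attribute is in use for another purpose and should not be exposed on the card.
$InUse = Get-EXOMailbox -ResultSize Unlimited -PropertySets Custom |
    Where-Object { $_.$Attribute } |
    Group-Object -Property $Attribute -NoElement |
    Sort-Object -Property Count -Descending
$InUse | Format-Table -Property Name, Count -AutoSize

# 2. Check whether the profile card already has a property for this attribute
$Current = (Invoke-MgGraphRequest -Method GET -Uri $Uri).value
$Existing = $Current | Where-Object { $_.directoryPropertyName -eq $Attribute }

if ($Existing) {
    Write-Host "$Attribute is already on the profile card; nothing to do."
}
else {
    # 3. Build the payload from the post and add the property
    $Body = @{
        directoryPropertyName = $Attribute
        annotations           = @(
            @{
                displayName   = 'Drink'
                localizations = @(
                    @{ languageTag = 'de'; displayName = 'Getränk' }
                )
            }
        )
    } | ConvertTo-Json -Depth 6

    Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body -ContentType 'application/json'
    Write-Host "Added $Attribute to the profile card. Allow up to 24 hours for it to appear."
}
```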

It’s unlikely that many organizations will decide that including drink in a customized profile card is an essential contribution to the business. But in the interest of completeness, we felt it important to let people coming from the on-premises world to the cloud know that although the drink attribute doesn’t exist in Azure AD, they can still make it show up.


Sometimes we come across strange but interesting technical topics as we research and write the Office 365 for IT Pros eBook. This post falls into that category. On a serious note, it’s yet another example of using the Graph Explorer to do real work. But apart from that… it’s just an excuse to have a drink.

How to Get and Update the Exchange Online Management PowerShell Module
https://office365itpros.com/2020/09/22/exchange-online-powershell/
Tue, 22 Sep 2020 01:00:32 +0000

Latest Version of the Exchange Online PowerShell Module is 3.1 (January 2023)

Last Updated: January 9, 2023

The Exchange Online Management PowerShell module in the PowerShell Gallery

V3.1

Released on January 9, 2023, this version removes the dependency for basic authentication through the WinRM component. V3.1 completes the transition for Exchange Online Management cmdlets to use the REST API instead of Remote PowerShell and lays the foundation for the removal of remote PowerShell connections to Exchange Online (now due in September 2023).

V3.0

On September 20, 2022, Microsoft released V3.0 of the Exchange Online Management module. The updated module is available in the PowerShell gallery. The highlights of the release include:

  • Support for certificate-based authentication (app-based authentication) for the cmdlets accessed through the Compliance endpoint.
  • Virtually all of the older (non EXO-) cmdlets now use the REST API. This means that the module no longer needs to use Basic authentication in WinRM. The fact that the cmdlets are now REST-based means that they perform better and are more robust against transient failures.
  • Support for managed identities in Azure Automation runbook scripts.

See this page for more information.

V2.0.5

On May 11, Microsoft released V2.0.5 of the Exchange Online Management PowerShell module to general availability. This is an update of what’s sometimes called Exchange Online PowerShell V2 (introduced at Ignite 2019). It is recommended that you update to the latest version at your earliest convenience.

The case for using the Exchange Online Management module instead of the older remote PowerShell cmdlets has been made many times. By now it should be a no-brainer, especially with Microsoft’s avowed intention to remove basic authentication for PowerShell as soon as possible and the consequent need to upgrade interactive PowerShell sessions and background scripts to use modern authentication. Here are the highlights of recent releases.

New Cmdlets (2.0.5)

V2.0.5 contains the cmdlets needed to manage the Ownerless Group policy (Get/Set-OwnerlessGroupPolicy) and features in the Viva Insights app for Teams (Get/Set-VivaInsightsSettings).

Support for Linux and MacOS (2.0.4)

As announced at Ignite 2020, this is the version of the Exchange Online Management module that adds support for Linux and MacOS. For Linux, you need to run Ubuntu version 18.04 or above. For MacOS, it’s Mojave (10.14), Catalina (10.15), and Big Sur (11) and above.

More Secure Connections (2.0.4)

In PowerShell 7, the 2.0.4 module supports browser-based single sign on. See this page for more information.

Real-time policy evaluation (Continuous Access Evaluation or CAE) is supported.

Updated Cmdlets (2.0.4)

The cmdlets used to update user preferences for MyAnalytics have been renamed to make their use more obvious.

Get-UserAnalyticsConfig is now Get-MyAnalyticsFeatureConfig.

Set-UserAnalyticsConfig is now Set-MyAnalyticsFeatureConfig.

The Get-ExoMailboxStatistics cmdlet supports two new properties: LastUserActionTime and LastInteractionTime.

Certified Connections (2.0.3)

The Exchange Online Management module comes with full support for modern authentication, multi-factor authentication, and now (in this version), certificate-based authentication (CBA) to allow scripts to run unattended as background jobs. Certificates can be stored in the certificate store of the local machine or current user. You can also use the CertificateFilePath parameter for the Connect-ExchangeOnline cmdlet to specify the file path to a .pfx file for a certificate. For more information, see this page.

Simultaneous Connections (2.0.3)

Following previous releases of the module, I complained bitterly that running the Connect-IPPSSession cmdlet to connect to the Security and Compliance endpoint removed the session connected to Exchange Online. In other words, you couldn’t do something like run Get-ExoMailbox to fetch a list of mailboxes, then run Connect-IPPSSession, do some work, and then run Get-ExoMailbox again. I may have used some bad words to fully express my opinion on the inanity of this approach.

The developers listened and V2.0.3 includes support for simultaneous connections to Exchange Online and the Security and Compliance endpoints.

Faster Connections (2.0.3)

One of the original characteristics of using the REST-based cmdlets like Get-ExoMailbox or Get-ExoMailboxStatistics was a need to “warm up” the connection. In other words, it took a while for the first connection to be established and ready for use. Microsoft says that V2.0.3 is much faster at making the initial connection and in practice it seems like the improvement is marked. Results will vary depending on the cmdlet and number of objects in the tenant, but the connections are certainly snappier than before.

Limited Cmdlet Imports (2.0.3)

Only 17 cmdlets are in the Exchange Online Management module, but when you connect to Exchange Online, over 700 cmdlets are imported into the session, all of which demand some memory. If you want to restrict memory usage to a minimum, you can specify the list of cmdlets needed by a session or script when you run the Connect-ExchangeOnline cmdlet. For example, this command will create a session with the 17 cmdlets from the module plus two imported from Exchange Online:

Connect-ExchangeOnline -CommandName Set-Mailbox, Set-CASMailbox

After the session starts, you will only be able to run Set-Mailbox and Set-CASMailbox from the set available for Exchange Online. Other cmdlets like Get-PublicFolder, New-TransportRule, or Get-UnifiedGroup are unavailable.
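
Certificate-based authentication and limited cmdlet imports combine well for unattended jobs: the script signs in without a stored password and the session exposes only the cmdlets the job needs. The following is an added example, not code from the original post. The app ID, organization, thumbprint, and the 14-day renewal threshold are placeholders or assumptions.

```powershell
# Added example: unattended, certificate-based connection restricted to two cmdlets.
# All values below are placeholders, not taken from the article.
$AppId        = '00000000-0000-0000-0000-000000000000'   # placeholder app (client) ID
$Organization = 'contoso.onmicrosoft.com'                 # placeholder tenant domain
$Thumbprint   = 'PLACEHOLDER-CERTIFICATE-THUMBPRINT'      # placeholder thumbprint

function Get-ValidAuthCertificate {
    # Returns the certificate only if it can actually be used to sign in.
    # Uses the Windows certificate stores (current user first, then local machine).
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$MinDaysLeft = 14   # assumed renewal threshold
    )
    $Paths = "Cert:\CurrentUser\My\$Thumbprint", "Cert:\LocalMachine\My\$Thumbprint"
    $Cert = Get-ChildItem -Path $Paths -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $Cert) {
        throw "Certificate $Thumbprint was not found in the current user or local machine store."
    }
    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key, so it cannot authenticate."
    }
    $Now = Get-Date
    if ($Cert.NotBefore -gt $Now) {
        throw "Certificate $Thumbprint is not valid until $($Cert.NotBefore)."
    }
    $DaysLeft = [math]::Floor(($Cert.NotAfter - $Now).TotalDays)
    if ($DaysLeft -lt 0) {
        throw "Certificate $Thumbprint expired on $($Cert.NotAfter)."
    }
    if ($DaysLeft -lt $MinDaysLeft) {
        Write-Warning "Certificate $Thumbprint expires in $DaysLeft days. Renew it before the job fails."
    }
    return $Cert
}

$Cert = Get-ValidAuthCertificate -Thumbprint $Thumbprint

# Import only the two Exchange Online cmdlets this job needs
Connect-ExchangeOnline -CertificateThumbprint $Cert.Thumbprint -AppId $AppId `
    -Organization $Organization -CommandName Set-Mailbox, Set-CASMailbox -ShowBanner:$false

try {
    # Confirm the restriction took effect: a cmdlet outside the list must be absent
    if (Get-Command -Name Get-PublicFolder -ErrorAction SilentlyContinue) {
        throw "Session exposes more cmdlets than requested; stopping."
    }
    Write-Host "Connected with a restricted cmdlet set."
    # ... job-specific Set-Mailbox / Set-CASMailbox calls go here ...
}
finally {
    # Always release the session, even when the job fails
    Disconnect-ExchangeOnline -Confirm:$false
}
```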

Take Care with Updates

When you do update the Exchange Online Management module, make sure that you include the Scope parameter to force the install of the module files onto the local disk. Otherwise you might end up like me and have some modules in OneDrive for Business and others local, with all the confusion that entails. After removing all traces of previous versions to give myself a clean start, I ran:

Install-Module ExchangeOnlineManagement -Scope AllUsers -Force

To check that the module is in the right place, run the command below and make sure that the module isn’t located in OneDrive for Business:

Get-Module ExchangeOnlineManagement | Select Path
Path
----
C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\2.0.3\ExchangeOnlineManag...

For more information and lots of examples of using PowerShell to manage Exchange Online, subscribe to the Office 365 for IT Pros eBook.

Making Outlook the Default Mail App for iOS
https://office365itpros.com/2020/09/21/outlook-for-ios-default-mail/
Mon, 21 Sep 2020 01:00:21 +0000

Easy Switch Away from Apple’s Mail App

In June, we reported that Apple would allow Outlook to be the default mail app for iOS14. This prospect proved popular for the many Outlook for iOS users who have no interest in using Apple’s Mail App. Because of the limitations of the Exchange ActiveSync protocol, Outlook for iOS is more functional when connected to Exchange Online than the Mail app is. The only place where the Mail app has an advantage is its ability to connect to accounts in Office 365 tenants across multiple datacenter regions, something that Outlook can’t do.

Now that iOS14 is generally available, it was time to download and apply the update and then check that Outlook can indeed take the place of Apple’s Mail app. The good news is that switching Outlook in is simple. Use the Select Default Email App link in Outlook settings (or go direct) to go to iOS settings. Now select Outlook and scroll down to the Default Mail App setting (Figure 1).

Figure 1: Outlook settings in iOS14

Mail means that the Apple Mail app is currently selected. Click the link to view the set of available options. You’ll need a recent version of Outlook for it to show up here. I used version 4.56.0 from the Testflight program, but any version from 4.55.1 will work. Select Outlook to make it the default mail app for iOS (Figure 2).

Figure 2: Making Outlook the default mail app for iOS

Rebooting iOS14 will reset the choice of apps back to the Apple apps. I experimented by rebooting iOS a couple of times and each time iOS made the Mail app the default. The problem is fixed in iOS 14.0.1, published on September 24.

Glitches like this are certainly something to be expected with a new version of an operating system and are one reason why people recommend waiting before upgrading. Microsoft is also aware of two other bugs:

  1. Mailto: links in Safari will be opened in Apple’s Mail app instead of the chosen default app (Outlook in this case).
  2. If you have a profile configured with the Mail app, certain compose sheet actions trigger Apple’s Mail app instead of the chosen default app. For example, apps that use MFMailComposeViewController.

Bugs like this might not affect you, especially if you choose to replace Safari with Microsoft Edge as the default browser.

Pin Outlook to the Home Screen

Another useful thing to do is to include Outlook and other apps which you commonly use into the set of four pinned apps at the bottom of the home screen. Apparently this is possible in iOS13 too, but I guess I missed that news. The set of default apps includes Mail, so if you’ve replaced it with Outlook, there’s no reason to keep it pinned. Click and hold on the Outlook icon until the Edit Home screen option appears. Then drag and drop it into the pinned set to replace Mail. As you can see in Figure 3, I also replaced the Music app with Teams.

Figure 3: Pinning Outlook to the iOS Home Screen

Another way of doing the same job is to search for the app, press on the icon, and select Add to Home Screen.

Even though it takes some muscle memory adjustment to look for Outlook in the pinned set, I can’t tell you how useful it is to be able to access Outlook at one click no matter where you are in iOS.

Outlook No Longer Supports iOS12

Now that Apple has released iOS14, Microsoft’s support policy means that Outlook on iOS12 is no longer a supported platform: these devices will no longer receive Outlook updates and will eventually cease to connect to the service. You should look for devices running Outlook on iOS12 and ask their users to upgrade. Fortunately, a little PowerShell (see this article) will quickly identify the iOS12 devices by checking their connection status. After that, it’s a matter of communication and persuasion to get those devices up to the necessary level. Maybe they’ll upgrade to iOS14 to take advantage of Outlook’s new potential status as the default mail app.


Sometimes we share things that make our working lives better that never end up in the Office 365 for IT Pros eBook, but it’s good to know how things work, which is why we write about them.

Microsoft Launches V1.1.6 of PowerShell Module for Teams
https://office365itpros.com/2020/09/18/microsoft-launches-v116-powershell-teams/
Fri, 18 Sep 2020 00:10:20 +0000

New Module Includes Skype for Business Online Connector

MicrosoftTeams 1.1.6 Module Available in the PowerShell Gallery

In July 2020, the Teams development group started the process of removing the dependency on the Skype for Business Online PowerShell connector to manage Teams policies through PowerShell. At the time, Teams introduced a preview version of the MicrosoftTeams module (1.1.3-preview) which included the New-CsOnlineSession cmdlet needed to create a connection to the Skype for Business Online endpoint and download the other Skype for Business Online cmdlets.

Update March 6, 2021: Microsoft has updated the Teams PowerShell module to V2.0. In general, it’s best to use the latest version of a module but test it first!

Upgrade to Teams PowerShell Module 1.1.6

On September 14, Microsoft shipped version 1.1.6 of the MicrosoftTeams module. This is a full-blown production-quality release that includes New-CsOnlineSession. It’s recommended that you download and use this module for PowerShell activity against Teams and Skype for Business Online.

To upgrade a workstation from a previous version of the MicrosoftTeams module, run the Update-Module cmdlet. For example:

Update-Module MicrosoftTeams -Force -Scope AllUsers

Once the new module is installed, you can connect to the Teams and Skype for Business Online endpoints as normal:

Connect-MicrosoftTeams -Credential $O365Cred
$SfbSession = New-CsOnlineSession -Credential $O365Cred
Import-PSSession $SfbSession 

In this example, the $O365Cred variable contains credentials prepopulated with a call to the Get-Credential cmdlet. After the session is established, you will be able to execute the cmdlets which used to be in the Skype for Business Online connector to manage Teams policies. For instance, you can call Get-CsTeamsMeetingPolicy to work with Teams meeting policies.

No Enable-CsOnlineSessionForReconnection

A small problem exists in that 1.1.6 does not include the Enable-CsOnlineSessionForReconnection cmdlet, which is used to maintain a connection to the Skype for Business Online endpoint. This is not an issue for short sessions where you connect, do some stuff, and terminate. It is if you want to leave a session open for hours. I am sure that Microsoft will update the module quickly to reintroduce the cmdlet, but in the interim you can use the workaround described here to get the cmdlet working as a script.

Alternatively, if you don’t remove the Skype for Business Online connector from your workstation, the Enable-CsOnlineSessionForReconnection cmdlet should be available after you connect to Skype for Business Online. I only noticed that the cmdlet was missing after removing the connector using Control Panel.


This is one of the small but important changes which happen all the time within Office 365. Stay up to date by subscribing to the Office 365 for IT Pros eBook. We’ll keep an eye on the important stuff for you!

Why Microsoft Extends Office 365 Notification Dates For New Functionality
https://office365itpros.com/2020/09/17/office365-notifications-extended/
Thu, 17 Sep 2020 08:56:19 +0000
Office 365 Notifications

Microsoft publishes notifications to the Office 365 message center to inform administrators of upcoming changes that affect their tenant. The idea is that you should get a period of between two and six weeks before new software appears to prepare by taking actions such as informing users about new functionality.

Most of the time the software described in notifications arrives on time, but recently Microsoft has had to publish updates for an increasing number of notifications to inform tenants that new features are delayed. Table 1 details some examples of notifications that have recently been updated. As an application that is delivering many new features to meet customer demand, it shouldn’t come as a surprise that Teams notifications are the most likely to be delayed.

Notification | Original Publication | Feature                                     | Now expected
------------ | -------------------- | ------------------------------------------- | -----------------
MC215186     | 4 June 2020          | New Information Pane for Teams              | End October
MC215375     | 6 June 2020          | Removing some messages from General channel | End October
MC219651     | 31 July 2020         | Speaker attribute in Live Captions          | End September
MC219084     | 7 July 2020          | Call merge                                  | Awaiting new date
MC220791     | 21 August 2020       | Manage how long guests can access SPO Sites | End November
MC219096     | 22 July 2020         | New communications compliance features      | End September

Table 1: Recent Changes in Office 365 Notifications

Sometimes Software Needs More Tweaking

You might wonder why Microsoft announces that a new feature is coming and is then forced to adjust dates, sometimes several times. The answer is that this is the nature of software. If an update isn’t ready, it won’t be released to general availability. Tenants don’t want low-quality software and Microsoft doesn’t want the support load generated when users run into problems with new features. For this reason, previews which are scheduled to last a few weeks might extend much longer if the customers participating in the preview uncover problems.

The point is that a notification is only a signal that something new is coming. It’s not a definite commitment that the change will happen on the predicted date. It might, and that’s good, but it might not, and tenant administrators should be prepared to track updates to Office 365 notifications and adjust their plans as necessary. This can be disruptive, especially when a feature slips several times or if some users are waiting for specific functionality.

Tracking Tasks

Speaking of plans, linking Planner to the Office 365 message center is an excellent way of tracking the notifications to make sure that surprises don’t happen. Planner has a reasonable mobile app that allows people to track updates to their assigned tasks, and the same tasks can also be managed through the Tasks app in Teams.


Tracking change inside Office 365 is something that the writers of the Office 365 for IT Pros eBook are pretty good at. Well, we think we are…

Teams Badge Count Service Makes App Pill Counts More Reliable
https://office365itpros.com/2020/09/16/teams-badge-count-service-makes-app-pill-counts-more-reliable/
Wed, 16 Sep 2020 08:00:04 +0000

Changes Don’t Always Show Up

It’s the nature of software engineering that small and incremental changes happen all the time to improve the stability and reliability of applications. Inside Office 365, most of the changes in this category don’t merit mention in the Microsoft 365 message center nor do they show up as a roadmap item. Microsoft makes the changes in the background, deploys the new code across the Office 365 datacenters, and users pick up the updates the next time they connect to the service or through a client refresh. It’s part of the ongoing unheralded work necessary to keep moving software forward.

Interestingly, Microsoft didn’t publicize the change made last week to introduce the New conversation button in the Teams desktop and browser clients in an Office 365 notification. Many considered this an important change to the UI which should lead to fewer “dangling replies.” I guess the change didn’t meet the bar for widespread publicity.

Keeping Notification Counts Updated

The introduction of the Teams Badge Count Service is another example. This is a component that serves an important purpose but is known to few outside Teams engineering. A badge count, otherwise known as a pill count, is the count of new items shown to users in the home screen and inside apps on mobile devices. The purpose of the badge count is to let users know when new items are available inside an app. Operating systems like iOS and Android provide notification services to allow applications to push notifications to mobile devices and it’s then up to the app to decide how to deal with the notification through actions like displaying a message, playing a sound, or updating the badge count.

In Figure 1 we see badge counts visible for Teams, Outlook, and Yammer. The count shown here for Teams covers unread items in all tenants and you must open the Teams app to see separate unread counts for each tenant.

Figure 1: App Badge Counts show for Teams, Yammer, and Outlook

In the past, the ability of Teams clients (both mobile and desktop) to display accurate new item counts hasn’t been good. Given that people can have guest accounts in multiple tenants outside their home Office 365 tenant (eight tenants in my case), the problem of fetching accurate unread counts isn’t as simple as it is when people are constrained to a single domain. Add in the factor that someone can connect to Teams with multiple clients at the same time, and there are a few things to consider when updating unread counts.

That being said, the issues involved in retrieving and displaying the count of new items in applications are not a new technical challenge. Email and other applications have solved the problem in countless iterations going back over forty years.

Accurate Pill Counts

The Teams development group is aware that sometimes badge counts haven’t been accurate or updated as quickly as they should have been. The Teams Badge Count Service is designed to solve the problem by delivering fast and consistent updates to badge counts. The new service filters notifications in the cloud before sending updates to clients to make sure that they’re accurate and necessary (for instance, multiple notifications might be combined into one), which reduces the number of notifications, messages, and sounds that clients must handle. According to Microsoft, this has a significant effect on battery usage for Teams mobile apps.

The Teams Badge Count Service is now in use by 100% of Teams for iOS users connected to Office 365 commercial tenants and Teams for Live users on iOS and Android. Roll-out continues this week for iOS users connected to government clouds followed by deployment to Teams for Android users. The BCS won’t solve everything that can cause incorrect badge counts (one of my tenants persists with 3 notifications where no new items exist), but it’s a good update to have.


Diving into the details of a new badge service isn’t really something that will help us develop the Office 365 for IT Pros eBook, but it’s interesting so we thought you should know about it!

How to Monitor the Addition of New Guest Accounts to Teams
https://office365itpros.com/2020/09/15/add-member-to-teams-log/
Tue, 15 Sep 2020 07:40:59 +0000

Know When New Guest Accounts Are Added to Your Tenant

Updated 14-Aug-2023

A reader question asks if it’s possible to monitor the add member to Teams action, specifically the addition of new guest accounts. The easy answer is “of course” because you can create an activity alert to monitor the audit records generated in the Office 365 audit log by the addition of new members. The problem is that Teams doesn’t distinguish between the addition of tenant accounts or guest accounts when they are added to a team. Still, an activity alert is enough to check additions.

Process Audit Log Data with PowerShell

But given that audit records are generated (if you have Office 365 E3 or later), we can do a better job with some relatively simple PowerShell to extract and process the audit log data. The steps we need to perform are:

  • Find audit records generated when members are added to a team and extract those relating to guest users.
  • Figure out if the guest account is newly added or already exists (because they’re a member in another group or team or someone has shared a document or folder with them).
  • Decide what to do next. For instance, email the person who added the guest user to ask them if the addition is warranted for business purposes.

These steps might sound complicated, but they are straightforward. An example script can be downloaded from GitHub.

Building the Script to Report the Add Member to Teams Action

The first part of the script finds audit records for additions to team membership – this example looks for any addition in the last week.

[array]$Records = Search-UnifiedAuditLog -StartDate ((Get-Date).AddDays(-7)) -EndDate ((Get-Date).AddDays(1)) -ResultSize 5000 -Operations MemberAdded -RecordType MicrosoftTeams

Next, we loop through the records returned by the search to find out if the user recorded as a new member is a guest and if so if it is a new guest account. Again, the check is for guest accounts added in the last seven days. Note that Teams records MemberAdded audit events for both users being added to a team and a group chat. This is why we need to check the CommunicationType property in AuditData.

If ($Records) {
   $Report = [System.Collections.Generic.List[Object]]::new() # Create output list for report
   Write-Host "Processing" $Records.Count "audit records for addition of users to Microsoft Teams"
   ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.AuditData # Get payload
      ForEach ($M in $AuditData.Members) { # Examine users added to see if any are guests
         # Test the member's UPN: guest UPNs contain #EXT#. Only count additions to a team, not a group chat
         If (($M.UPN -Like "*#EXT#@*") -and ($AuditData.CommunicationType -eq "Team")) {
            $GuestUser = Get-MgUser -UserId $M.UPN -Property Id, DisplayName, Mail, CreatedDateTime
            $AccountAge = ($GuestUser.CreatedDateTime | New-TimeSpan).Days # Days since the guest account was created
            If ($AccountAge -le 7) { # Guest created within last 7 days so write out details
               $ReportLine = [PSCustomObject]@{
                  Guest            = $GuestUser.Mail
                  Name             = $GuestUser.DisplayName
                  Created          = $GuestUser.CreatedDateTime
                  AgeInDays        = $AccountAge
                  DateAddedTeams   = Get-Date($AuditData.CreationTime) -format g
                  TeamName         = $AuditData.TeamName
                  AddedBy          = $AuditData.UserId
                  GroupId          = $AuditData.AADGroupId}
               $Report.Add($ReportLine)
            } # End if (AccountAge)
         } # End if (Guest user check)
      } # End Foreach (Members)
   } # End ForEach (Records)
} # End if (Records)

Finally, we email the person who added the member to the team to ask them to provide a justification (Figure 1).

# $R is the current line of $Report; $HtmlHead, $BodyText, $MsgFrom, $SmtpServer, $SmtpPort, and $O365Cred are assumed to be set earlier in the script
$HtmlHeaderUser = "<h2>A new guest user has been created in our tenant</h2>"
$HtmlBody = $HtmlHeaderUser + $BodyText + "<p>"
$HtmlMsg = "" + $HtmlHead + $HtmlBody
# Construct the message parameters and send it off...
$MsgParam = @{
   To = $R.AddedBy
   From = $MsgFrom
   Subject = "New Guest User Added"
   Body = $HtmlMsg
   SmtpServer = $SmtpServer
   Port = $SmtpPort
   Credential = $O365Cred }
Send-MailMessage @MsgParam -UseSSL -BodyAsHTML

Figure 1: The email sent to team owners

Script Will Need to be Updated

Send-MailMessage uses the SMTP AUTH protocol to connect and send the message. Microsoft has not yet said when they will deprecate SMTP AUTH as part of their ongoing effort to remove basic authentication. If they do, the script will need to be updated to use whatever method is provided to allow PowerShell scripts to send email using modern authentication.
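
One way to send the same message without SMTP AUTH is the Send-MgUserMail cmdlet from the Microsoft Graph PowerShell SDK. The following is an added example, not part of the original script. It assumes a Connect-MgGraph session holding the Mail.Send permission, a placeholder sender mailbox, and a constructed report line; it also HTML-encodes values that come from audit data or guest accounts before they go into the message body.

```powershell
# Added example, not the article's script. Assumes the Microsoft Graph PowerShell SDK
# and a prior Connect-MgGraph session holding the Mail.Send permission.
$MsgFrom = 'guest.review@contoso.com'   # placeholder sender mailbox

# Constructed sample line with the same properties as the $Report entries built earlier
$Report = @(
    [PSCustomObject]@{
        Guest          = 'alex@fabrikam.example'
        Name           = 'Alex <Example>'          # markup characters to show the encoding
        Created        = Get-Date '2023-08-10T09:15:00Z'
        AgeInDays      = 2
        DateAddedTeams = '8/12/2023 10:02 AM'
        TeamName       = 'Project & Planning'
        AddedBy        = 'kim.owner@contoso.com'
        GroupId        = '00000000-0000-0000-0000-000000000000'
    }
)

function ConvertTo-HtmlText {
    # Display names and team names are not under the script's control,
    # so encode them before placing them in an HTML body.
    param([object]$Value)
    [System.Net.WebUtility]::HtmlEncode([string]$Value)
}

function New-GuestReviewMail {
    # Builds the request body for Send-MgUserMail from one report line
    param([Parameter(Mandatory)][object]$Line)

    $Html = "<h2>A new guest user has been created in our tenant</h2>" +
            "<p>You added guest <b>$(ConvertTo-HtmlText $Line.Name)</b> " +
            "($(ConvertTo-HtmlText $Line.Guest)) to the team " +
            "<b>$(ConvertTo-HtmlText $Line.TeamName)</b> on " +
            "$(ConvertTo-HtmlText $Line.DateAddedTeams).</p>" +
            "<p>Please reply to confirm the business reason for this guest's access.</p>"

    @{
        Message = @{
            Subject      = 'New Guest User Added'
            Body         = @{ ContentType = 'HTML'; Content = $Html }
            ToRecipients = @(
                @{ EmailAddress = @{ Address = $Line.AddedBy } }
            )
        }
        SaveToSentItems = $true
    }
}

ForEach ($R in $Report) {
    $Mail = New-GuestReviewMail -Line $R
    # Sends as $MsgFrom through the Graph API, so no SMTP AUTH or stored password is involved
    Send-MgUserMail -UserId $MsgFrom -BodyParameter $Mail
    Write-Host "Review request sent to $($R.AddedBy) for guest $($R.Guest)"
}
```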

In summary, this is yet another example of where the unified audit log holds valuable information to help tenant administrators understand what’s happening inside their organization. All it takes is a little PowerShell and some trial and error.


The Office 365 for IT Pros eBook features many practical examples of using Office 365 audit log data to solve problems. You never know when you might need our experience…

How to Report Microsoft 365 User Activity Using the Graph API and PowerShell
https://office365itpros.com/2020/09/14/office-365-user-activity-report/
Mon, 14 Sep 2020 00:06:57 +0000

Gathering Data for Multiple Workloads to Understand User Activity

For the last few months, I have been dabbling with a PowerShell script to extract and report usage data for multiple Office 365 workloads from the Microsoft Graph. The idea is that an Office 365 user activity report generated by fetching activity data from all the workloads reported in the Graph helps administrators to figure out if accounts are in use and if so, what they are used for. If an account isn’t in use, then you might remove it and save some licenses.

One of the joys of PowerShell is how quickly you can put a solution together. The corollary is sometimes that the solution isn’t as efficient as it could be, which often happens when you’re not a professional programmer. When I write a script, the most important thing is often to illustrate a principle and show how something works. When PowerShell scripts are deployed into production, they’re usually upgraded and improved by programmers to meet organizational standards and fit in with other scripts used to manage the infrastructure. For this reason, I don’t bother too much with tweaking for performance.

This script is different. It’s been picked up by several tenants who reported that the script works but it’s slow when asked to process data for thousands of accounts. This deserved some investigation which produced some improvements, such as using PowerShell’s Where method to filter data.

PowerShell Hash Tables

But PowerShell is not a database and storing data about account usage in PowerShell list objects only scales so far. There are many web articles covering PowerShell performance with large amounts of data, many of which point to using hash tables because they are very efficient for finding and retrieving data (see this article about how to use hash tables).

A hash table is a collection of key/value pairs. The keys are unique, and the values are often some information associated with the key. For instance, because Office 365 objects like groups and sites store sensitivity labels as GUIDs, I often create a hash table composed of the GUID (key) and label display name (value) which I can then use to interpret the GUIDs stored in objects. Here’s what the code looks like:

$Labels = Get-Label # Get set of current labels
$HashLabels = @{} # Create hash table
$Labels.ForEach( { # Populate the hash table with the GUID and display name of each label
       $HashLabels.Add([String]$_.ImmutableId, $_.DisplayName) } )

Anytime I need to find the display name of a label, I can do something like this:

$GUID = (Get-UnifiedGroup -Identity "Office 365 for IT Pros").SensitivityLabel.GUID
Write-Host "Display name of label is" $HashLabels[$GUID]
Display name of label is Limited Access

Apart from their usefulness in situations like the one described above, hash tables are very fast when you use keyed access. Speed being of the essence when thousands of records are to be processed, I decided to investigate if hash tables could replace the list objects used by the script.

Keys and Values

Finding a key is no problem because the user principal name is unique for each account. Figuring out how to store all the data in the hash table value was another matter. That is, until I noticed that: “the keys and values in a hash table can have any .NET object type…” In other words, you’re not limited to storing simple values in a hash table.

When the script extracts usage data for a workload (like Teams or Exchange) from the Graph, it processes each record to create a list of accounts and their usage data for that workload. After some experimentation, I was able to populate the hash table by:

  • Creating an array of the usage data for the workload for an account.
  • Appending the array to the existing usage data extracted from other workloads for the account (as stored in the hash table).
  • Writing the updated array back into the hash table.

This might be inelegant, but it works. After all workloads are processed, the result is a hash table keyed on the user principal name with a value composed of an array containing the usage data for all workloads for that user. Access to the data is via the user principal name. For example:

$datatable["Kim.Akers@Office365itpros.com"]

TeamsUPN             : Kim.Akers@office365itpros.com
TeamsLastActive      : 05-Sep-2020
TeamsDaysSinceActive : 5
TeamsReportDate      : 07-Sep-2020
TeamsLicense         : POWER BI (FREE)+ENTERPRISE MOBILITY + SECURITY E5+OFFICE 365 E5 WITHOUT
                       AUDIO CONFERENCING
TeamsChannelChats    : 7
TeamsPrivateChats    : 10
TeamsCalls           : 0
TeamsMeetings        : 5
TeamsRecordType      : Teams

ExoUPN             : Kim.Akers@office365itpros.com
ExoDisplayName     : Kim Akers
ExoLastActive      : 20-Aug-2020
ExoDaysSinceActive : 21
ExoReportDate      : 08-Sep-2020
ExoSendCount       : 8
ExoReadCount       : 19
ExoReceiveCount    : 392
ExoIsDeleted       : False
ExoRecordType      : Exchange Activity

The display is truncated here to show the usage data for two of the six workloads extracted for an account.

Creating the report is then a matter of processing each account to extract the information and format the data. To do string comparisons and other calculations, I found that it was necessary to use the Out-String cmdlet to make the properties taken from the array into trimmed strings. It might be something to do with the way that the hash table values are stitched together from multiple arrays.
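
The build-and-merge steps described above, as an added example that is not taken from the script itself: constructed sample records for two workloads are merged into one hash table keyed on the user principal name, and the report loop then reads each account by key. The `Add-WorkloadData` helper, the `contoso.example` addresses and the sample values are assumptions made for illustration.

```powershell
# Constructed sample records standing in for per-workload usage data from the Graph.
$TeamsData = @(
    [PSCustomObject]@{ TeamsUPN = 'Kim.Akers@contoso.example'; TeamsDaysSinceActive = 5;   TeamsRecordType = 'Teams' }
    [PSCustomObject]@{ TeamsUPN = 'Ben.Owens@contoso.example'; TeamsDaysSinceActive = 120; TeamsRecordType = 'Teams' }
)
$ExoData = @(
    [PSCustomObject]@{ ExoUPN = 'kim.akers@contoso.example'; ExoDaysSinceActive = 21; ExoRecordType = 'Exchange Activity' }
    [PSCustomObject]@{ ExoUPN = 'ben.owens@contoso.example'; ExoDaysSinceActive = 95; ExoRecordType = 'Exchange Activity' }
)

# A hash table created with @{} compares string keys case-insensitively,
# so differently cased UPNs from different workloads land in the same entry.
$DataTable = @{}

function Add-WorkloadData {   # hypothetical helper, not part of the original script
    param([hashtable]$Table, [object[]]$Records, [string]$UpnProperty)
    foreach ($Record in $Records) {
        $Key = [string]$Record.$UpnProperty
        if ([string]::IsNullOrWhiteSpace($Key)) { continue }   # skip records with no UPN
        if ($Table.ContainsKey($Key)) {
            # Append to the array already stored for the account and write it back.
            $Table[$Key] = @($Table[$Key]) + $Record
        } else {
            $Table[$Key] = @($Record)
        }
    }
}

Add-WorkloadData -Table $DataTable -Records $TeamsData -UpnProperty 'TeamsUPN'
Add-WorkloadData -Table $DataTable -Records $ExoData   -UpnProperty 'ExoUPN'

# Report generation: one keyed lookup per account instead of filtering a list per workload.
$Report = foreach ($Upn in $DataTable.Keys) {
    $Records = $DataTable[$Upn]
    $Teams = $Records | Where-Object { $_.TeamsRecordType -eq 'Teams' }
    $Exo   = $Records | Where-Object { $_.ExoRecordType -eq 'Exchange Activity' }
    $Days  = @($Teams.TeamsDaysSinceActive, $Exo.ExoDaysSinceActive) | Where-Object { $null -ne $_ }
    [PSCustomObject]@{
        UPN                  = $Upn
        Workloads            = $Records.Count
        DaysSinceAnyActivity = ($Days | Measure-Object -Minimum).Minimum
    }
}
$Report | Sort-Object DaysSinceAnyActivity -Descending | Format-Table -AutoSize
```

Accounts with the highest `DaysSinceAnyActivity` sort to the top, which is the set to review first when looking for accounts that are no longer in use.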

Faster Performance

After changing to hash tables, I observed a 70% performance gain in script execution time in my (small) tenant. I expect a much better gain in larger tenants where the advantages of hash table access become more pronounced. This feeling was realized in a test against 20K accounts which proved that the script is now capable of processing at circa 1,000 accounts per minute (Figure 1).

Figure 1: A thousand accounts a minute

Update September 18: I received a note saying that the script processed 26,808 accounts at the rate of 3184.71 per minute!

The time required to fetch data from the Graph is the same as in previous versions, as is the time to prepare data for processing. All the improvement is in the report generation, which is where the hash tables excel. The tenant that ran the script against 20,000 accounts used the Office 365 user activity report (example shown in Figure 2) to identify 70 accounts assigned Office 365 E5 licenses that can now be reallocated or released (a potential saving of $29,400 annually).

Figure 2: Reviewing account usage to locate underused Office 365 licenses

The Office 365 user activity report script is available from GitHub. If you have a suggestion for improving the performance further, please comment on GitHub.


OK, we should be writing text for the Office 365 for IT Pros eBook instead of trying to work out how to speed up PowerShell scripts. But you learn a lot about an infrastructure when you program against it, so we’ll keep on scripting…

Teams Rolls Out New Conversation Button
https://office365itpros.com/2020/09/10/teams-rolls-out-new-conversation-button/
Thu, 10 Sep 2020 07:02:27 +0000

An Improvement to the Teams Client User Interface

People have been complaining about how easy the Teams client user interface (desktop and browser) makes it to create new topics instead of posting replies to existing conversations. Signs that something might be happening to improve matters came in a tweet last month from the Teams development VP, covered in another article.

Fast forward to today, and news from Microsoft is that “the journey to reducing dangling replies” which started in early 2018 is reaching an important point with the roll-out of a New conversation button to all tenants. The roll-out has already started and should be complete worldwide by the end of next week.

Introducing the Conversation Button

Figure 1 shows the difference. At the top, you can see a topic with the new button in full view. It’s much more obvious how to start a new topic as opposed to a reply to the last topic. The bottom screenshot shows the old interface. You can argue that it’s still obvious how to “start a new conversation,” but the evidence is that many people mixed up replies and new topics when they responded to a conversation, leading to the infamous dangling replies (not connected to a topic), and a chaotic list of posts that made it harder for Teams users to find the information they want.

Figure 1: The New conversation button shows up in the Teams user interface

Important for Compliance Too!

Apart from the aesthetic irritation caused by dangling replies, it’s important from a compliance perspective that the replies to topics are linked together as this makes it much easier to reconstruct conversations. Investigators can reassemble conversations from individual messages but it’s much harder when messages do not share the same thread identifier and are therefore not linked. Microsoft tools like advanced eDiscovery present complete conversations by using the thread identifier, which can’t happen for dangling replies.

Ending Dangling Replies

Of course, users won’t care about the plight of compliance managers and investigators. Nor should they. Software interfaces should be clear and intelligent enough to help people take maximum advantage of applications, and Teams failed in this respect. Hopefully, the new button will lead to more coherence, less chaos, and fewer dangling replies.


You might not think that the team writing a book like Office 365 for IT Pros would be interested in a tweak to a client user interface. The compliance issue explained above is why we think this is important. You’ve got to think about things from multiple angles!
