For whatever reason, SharePoint Online doesn’t allow administrators to control the settings of document libraries. In particular, default sensitivity labels. It seems crazy that other Microsoft 365 workloads allow administrators to manage the settings of things like mailboxes, groups, plans, and teams, but SharePoint Online holds steadfast to not allowing administrators go deeper than a site. It would be nice to see consistency around administrator access across all workloads.
Teams Premium Trial licenses are to be offered to end users in commercial tenants worldwide for self-service purchases from September 2023. I quite like some of the functionality available in Teams Premium, but I think organizations are better off using the “regular” Teams Premium trial licenses to run a test involving up to 25 users for 30 days. The results are probably going to be more indicative of the worth of Teams Premium than any individual test can be.
Microsoft announced on August 17 that they are not proceeding with the implementation of dark mode support in the Teams Admin center. The news came as a surprise, but it’s an indication of the lack of user interface consistency across the different Microsoft 365 administrative consoles. Token handling is another example. I can live without dark mode, but being forced to sign out by the Teams admin center is a pain.
A reader asked why some deleted Microsoft 365 user accounts appear to have assigned licenses. That seemed strange because licenses are freed up for reuse when accounts are deleted, so we took a look behind the scenes to find out why some deleted user accounts keep license information in their properties and some do not.
At the Inspire conference, Microsoft briefed their partners about the Microsoft 365 Backup and Microsoft 365 Archive products they plan to launch at some time in the future. Microsoft’s biggest advantage is their access to data and the speed at which they can process the information. Whether this gets people past the “all digital eggs in the Microsoft basket” issue remains to be seen.
Outlook Monarch controls are available to help with the deployment of the new Outlook for Windows client in a mixture of Exchange settings and registry entries. You can block users from using the new client or adding consumer email accounts to Monarch. And best of all, you can disable the “try the new Outlook” toggle until you’re ready for people to plunge into the brave new world of the revamped Outlook for Windows.
In this article, we discuss how to create a report of registered devices known to the Exchange mobile device management framework. Microsoft hasn’t made many changes to the way Exchange Online manages mobile devices connected to its mailboxes over the past few years and would prefer if organizations used Intune instead. But if you just want simple device management, Exchange delivers, and PowerShell reveals what devices are active.
Microsoft has announced that Teams now supports the Microsoft 365 targeted release mechanism, meaning that new Teams features should appear more consistently. The Teams preview program continues, but targeted release takes precedence. In other news, the Teams chat client in Windows 11 is being replaced by the Teams Free client. This probably won’t make much different, but it’s good to know.
A new Microsoft 365 Audit Platform service plan is available to license solutions like App Governance in Microsoft 365 Defender for Cloud Apps. After a shaky start, App Governance includes some useful functionality, including a set of default policies to highlight apps that need some attention. If you don’t have the necessary licenses to use App Governance, there’s always the examination of raw data about app activity, like sign-in information for app service principals.
Sometimes administrators need to intervene and cancel meetings on behalf of users. That’s why the Remove-CalendarEvents cmdlet exists. The cmdlet scans a user mailbox to find meetings organized by the user for a defined period and cancels the events. Meeting participants receive a cancellation notice. It’s a useful cmdlet to know about, just in case.
Microsoft didn’t do a great job of announcing the side-by-side viewing feature for Microsoft 365 apps. It seemed like the only reason for the feature was to drive usage for the Edge browser. As it turns out, you can choose to have Microsoft 365 apps use a different browser, and the tools to do that are now available.
Microsoft 365 includes a framework to create, send, and manage organization messages to users. It’s a good idea, but the implementation is sadly limited. First, you’re restricted to messages that Microsoft wants administrators to send to boost consumption of the Office apps. Second, you can’t customize the text or the appearance of the messages. Last, the dashboard to manage organization messages is half-finished.
Microsoft 365 tenants can select any of the verified domains for the tenant to send Microsoft 365 service messages instead of using the default domains. The update also allows tenants to choose a routable recipient (username) instead of the traditional “no-reply” address. Overall, this seems like a very easy change to implement that shouldn’t cause any problems.
The new SharePoint block download policy applies at the site level to stop users downloading files, even to work with them using the Office desktop apps. It also stops people printing and synchronizing files. In this article, we explain how to apply the policy with PowerShell, including how to apply the SharePoint block download policy to all sites assigned a certain sensitivity label.
Applying a default sensitivity label to a SharePoint Online document library is just one of the set of security and management and governance features requiring the new Syntex Advanced Management license. The new license is in preview so all the features that it covers might not be fully baked. Microsoft 365 customers might well ask if this is yet another example of Microsoft bundling features into a new paid-for add-on license. Of course it is. You don’t expect new functionality for free, do you?
Microsoft 365 message center notifications now boast a “relevance recommendation.” This is a visual marker computed by Microsoft based on aspects of the change. It’s intended as a way to highlight important changes so that administrators can dedicate more time to understanding the impact of these changes on their tenants. Sometimes the recommendation isn’t perfect, but you can tell Microsoft what you think and go ahead with your own assessment of how important any individual change really is.
A new Software Updates page in the Microsoft 365 admin center is intended to help tenant administrators keep an eye on what Office and Windows software people are using. As you’d expect, the page offers no details about non-Microsoft clients connected to Microsoft 365. That’s OK, except when work is needed to make sure that clients can cope with the effects of a massive change, like the October retirement of basic authentication for seven email connection protocols.
Message center notification MC392289 highlights the need to keep the .NET Framework and the Edge WebView2 components updated to make sure that the Teams meeting add-in works with “degradation.” No further information is offered as to why Microsoft needs to sound this warning several years after introducing the Teams meeting add-in.
The message center notifications posted in the Microsoft 365 admin center are an invaluable source of information about change in a tenant. It’s curious that some administrators don’t think they have the time to keep abreast of the changes reported in these notifications. Microsoft is steadily improving the quality of what’s posted, but delayed features remain and issue.
With the demise of the AzureAD and MSOL PowerShell modules on the horizon, it’s time to figure out how to upgrade scripts to use cmdlets from the Microsoft Graph PowerShell SDK. This article books at basic account management and shows how to update, delete, restore, and find Entra ID user accounts using SDK cmdlets.
Microsoft has announced that it will be possible to recover a deleted service principal by the end of May. This is good news because it means that an accidental deletion can’t wreak the kind of havoc it can today. Microsoft hasn’t updated the APIs to manage soft-deleted service principals yet, but we can get an insight into what’s likely to happen by investigating how to manage deleted Entra ID accounts using cmdlets from the Microsoft Graph PowerShell SDK.
Microsoft has released the preview of an idle session timeout policy to control the automatic sign-out of Microsoft 365 web apps. Not every web app is covered, but those that are will be signed out automatically when one of the covered apps becomes inactive for a stated period in a browser session. At that point, Microsoft 365 signs out all the web apps and forces the user to sign in again. Sounds like a reasonable idea, and it replaces existing mechanisms available for OWA and SharePoint Online.
The Azure AD Keep Me Signed In (KMSI) feature uses a persistent cookie to allow users close and reopen browser sessions without sign-ins. If you don’t want to use KMSI, you can update Azure AD company branding to remove the option. Users will then have to reauthenticate each time they start a browser session. The decision to disable or keep KMSI is highly tenant-specific and depends on how authentication happens.
Message center notifications for service changes posted to the Microsoft 365 admin center will include monthly active user counts for affected workloads. That sounds good, until you realize some of the downloads incurred by depending on the Microsoft Graph Reports API as the source of user data. Still, it’s better than nothing and a welcome advance.
You might never need to use a break glass account, but if the need arises, you’ll be glad that you had the foresight to anticipate that bad things can happen and create a break glass account for your Microsoft 365 tenant. This article describes why you might want one or more of these accounts, their characteristics, some pitfalls to avoid, and how to check that the break glass accounts aren’t being used.
Finding the age of a Microsoft 365 tenant isn’t an important administrative operation. However, understanding how to retrieve this information (if asked) is an interesting question, which is why we spent several hours playing around with PowerShell and the Microsoft Graph to figure out how to answer the question. It’s the kind of in-depth analysis we do all the time to build content for the Office 365 for IT Pros eBook.
The Microsoft Teams feedback policy assigned to user accounts controls whether users can give Microsoft feedback through the Teams clients. Not every organization wants their users to communicate directly with Microsoft. If you’re in this category, you can disable the Give feedback option easily by updating the Teams feedback policy assigned to user accounts. All explained here!
The usage reports available in the Microsoft 365 admin center, Teams admin center, and other places now include anonymized user information by default. The new default became active on September 1, 2021 and the organization setting applies to any usage data generated by the Microsoft Graph usage reports API, which means that some scripts might create reports less interesting and useful than before. It’s a good change for privacy, but will organizations persist with the new default?
Microsoft is applying their Viva brand to the features currently known as MyAnalytics. Viva Insights will span a monthly email digest, the Outlook insights add-on, and the Insights dashboard. If you don’t want users to access these features, you can disable the features individually or remove the service plan from user licenses. The rebranding is happening now and due to complete in November.
You can now access videos and slides for sessions given at The Experts Conference 2021. The sessions cover a wide range of technology from Azure AD to Microsoft 365 to infrastructure modernization. And you can now register for TEC 2022, which will run as an in-person event in Atlanta on September 20-21, 2022. It should be great fun!
Microsoft has replaced the controls which disabled document insights in Delve with new Graph-based settings. However, you might still have a bunch of users with the Delve settings who need to migrate to the Graph settings. In this article, we explore how the settings work and how to query the Graph to find the set of users who disabled the setting in Delve. We can then use PowerShell to add those accounts to the group of disabled insights users for the Graph-based settings.
Microsoft has moved retention processing for SharePoint Online, OneDrive for Business, Teams, and Yammer from the Managed Folder Assistant to a new retention assistant. (background processing job). It’s part of an effort to use workload-agnostic processing whenever possible to perform retention actions across Microsoft 365.
In this post, we describe how to use PowerShell to remove a single service plan from Microsoft 365 licenses using PowerShell. The script can remove any service plan from any SKU (license) in a tenant. You might want to do this to disable access to an obsolete feature (like Sway) or to prevent access to a new feature until the organization is ready to support user activity.
Microsoft has updated the creation settings for security groups and Microsoft 365 groups in the Azure AD admin center. The changes impose consistency over administrator creation of these groups and probably won’t affect tenants, but it’s good to check. The change makes us ponder why Microsoft doesn’t improve the GUI for other group controls, like those controlling who can create new Microsoft 365 Groups.
Microsoft’s Whiteboard app is moving its storage off Azure to OneDrive for Business. The switchover will happen in October 2021, but tenants can opt-in to use OneDrive storage from the end of August. Some Whiteboard clients won’t be able to cope with OneDrive then, but Microsoft says that everything will be straightened out for the switchover in October. As we explain here, it’s a good idea (for many reasons) to move Whiteboard storage to OneDrive.
The message center in the Microsoft 365 admin center will soon use a new data privacy tag to highlight specific service updates to tenant administrators. No messages with the new tag have yet appeared, so it’s hard to know how Microsoft plans to use the new tag or what kind of attachments it will make available to administrators to help understand the sensitive data involved in data privacy. While we’re waiting, we took at look at the tags in use today and wrote some PowerShell to report which tag is most popular.
Office 365 tenants users will soon be able to execute self-service purchase Windows 365 licenses. That is, unless you stop them by running some PowerShell commands to disable the capability. In this article, we explain the Windows 365 options available for self-service purchase and the PowerShell commands necessary to disable the option, if you think it’s a bad idea (as some do).
Office 365 Cloud App Security (OCAS) is very good at identifying potential problems for tenant administrators to investigate. But don’t think that it’s always right. Humans are often better at resolving issues than computers are, simply because we can use our wider knowledge of how applications work and the Office 365 datacenter network to understand what might be behind an alert. Humans might be slower than computers, but when it comes to resolving OCAS alerts, we’re always better.
Licensing is everyone’s favorite topic. Combine it with information protection and governance and peoples’ eyes glaze over. Even so, it’s important to know what information protection and compliance features need which licenses as you don’t want to get into a position where something stops working because Microsoft enables some code to enforce licensing requirements. This post covers the basics of licensing and how Microsoft differentiates between manual processing and automated processing when deciding if a feature needs a standard or premium license.
The Microsoft 365 compliance center has a new content search UI. The new UI is prettier than before, but it’s also slower and more buggy. After several years of effort to develop content searches, you’d expect Microsoft to do better. A lot betterr. Unhappily, the beauty of the new interface seems to have distracted the engineers from the problems that become all too apparent when you try to use content searches to do real work. What, if any testing, was done to validate the new UI is unknown.
