Author: Brian Reid
-
B2B Collaboration and Easy Multifactor Authentication in Microsoft 365/Entra ID
A couple of conversations this week, including this prompt by Daniel Glenn – https://x.com/DanielGlenn/status/1812952597759992149 have led me to write up this quick guide to making your cross-tenant, resource account, guest, B2B Collaboration users (note, these are all the same thing) multi-factor authentication easy. If you don’t do this, then the user needs to set up…
-
International Cross-Tenant Sync, Or Fun With Entra Sync Expressions!
I have a client with a parent company in Asia and a subsidiary in the USA and Europe. To provide cross-tenant access to the Intranet and other resources we have used Entra ID Cross-Tenant Sync to populate users from the Asian tenant into the USA based tenant. The issue with this is that the Asian…
-
Enforced MFA on the Azure Portal and Emergency Access (breakglass) Accounts
An emergency access (or break-glass) account is a key design consideration of your M365/Entra tenant. This would be an account that would bypass MFA and you would store the very long and unique credentials offline somewhere. This would be used in the case of configuration breakages that would lock out all your other admins or…
-
Microsoft Information Protection Broken in Gmail
Just a short note to help you fix this error: This message is protected with Microsoft Information Protection. You can open it using Microsoft Outlook, available for iOS, Android, Windows, and Mac OS. Get Outlook for your device here: https://aka.ms/protectedmessage. With Microsoft Information Protection, you can prevent your email messages from being copied or forwarded without…
-
Exporting Named Properties From Exchange Online Mailbox
An undocumented Exchange Online cmdlet came my way the other day – the “Get-MailboxExtendedProperty”. This returns all the named properties, or extended properties in the mailbox and can be exported to a file for review: Get-MailboxExtendedProperty username | Export-CliXml MailboxExtendedProperties_username.xml A mailbox should only have a few thousand of these, but if you get too…
-
Implementing High Volume Email with Exchange Online
High Volume Email (HVE) is a new service from Microsoft to allow the sending of up to 100,000 internal emails per day (with a small number external) which is in excess of the current limits of 10,000 per day (depending upon your licence). Here are my initial observations on setting this service up. During preview…
-
Multi-Tenant Organizations: What Configuration Changes
When you configure a Multi-Tenant Organization in the Microsoft 365 Admin Center a number of changes occur across a number of services. These allow for features like member or guest sync, cross-tenant people search and different behaviours for joining meetings (treating people in other tenants as internal for meeting join). You can put all these…
-
Configuring and Migrating From Entra ID Custom Controls to External Authentication Methods
Custom Controls date back to the Azure AD days and the ability to link an external MFA provider into authentication but without the full step of federation. This feature was in preview for years and never left preview, and was limited to I think three companies. Over the years I have seen this a number…
-
Deleting a Rogue Passkey Device
If you try and set up a passkey in Windows there is the possibility that if it goes wrong you will end up with an entry for a device but no passkey. I got this for a OnePlus device as the OnePlus Android OS (at the time of writing) does not support allowing Microsoft Authenticator…
-
Export Conditional Access Named Locations Using PowerShell
The named locations can be used in Conditional Access rules as a way to block or allow countries by IP address to geo-lookup database. Whilst not always accurate, and can be bypassed by VPN or a virtual machine in an allowed location, they do have their uses as a basic block to where services can…
-
Blocking onmicrosoft.com Emails in Exchange Online Protection
There is a considerable uptick in emails from the default domain in Microsoft 365 tenants. These emails come from senders @ tenant.onmicrosoft.com and are not your tenant. Microsoft recently announced recipient external sender limits to reduce this, as the default is 10,000 recipients per day, but will get an additional restriction of no more than…
-
Integrating Microsoft 365 SafeLinks and Mimecast Targeted Threat Protection
If your email protection filter is provided by Mimecast, then you might also have enabled Mimecast Targeted Threat Protection (TTP). TTP, like Microsoft Defender for Office SafeLinks will rewrite the URLs in email messages, but unlike SafeLinks will not rewrite or redirect them in Office documents or Teams chat, channel and meetings. Therefore as both…
-
What Is “mx.microsoft”?
mx.microsoft is the new MX delivery domain for Exchange Online. For years now it has been mail.protection.outlook.com, but this domain will not work with the new DNSSEC extensions that Exchange Online will start to support. When you added a new domain (called a vanity domain) to Microsoft 365, it would show you the MX record…
-
Copilot 365 in Teams Meetings – To Transcribe or Not?
In my opinion, one of the clear best features of Microsoft Copilot 365 is the integration with Microsoft Teams Meetings. The ability to ask for meeting notes, unanswered questions, and more is fantastic. But it needs to be (minimally) configured, so this is what you need to check. Some of these settings are per user,…
-
Outlook Reactions – Unsubscribe and Resubscribe
You can “answer” and email in Outlook with a emoji, called a reaction. If you get a reaction in response to a message you will see the reaction in the message, via a notification on the “bell” icon on the top of the Outlook desktop window and in other places, and importantly for this blog…
-
Testing Entra ID Claims and Single Sign-On Enterprise Apps
There is a class of Enterprise App in Entra ID (previously known as Azure Active Directory) that provides SSO (Single Sign-On) for apps outside of Microsoft 365 provided by other vendors. Some of these will be very commonly used apps and others not so. For these apps to sign you into their application with your…
-
Windows LAPS and Granting Roles to Administrative Units
This blog post discusses how to create both a custom admin role for reading the LAPS password and settings stored in Entra ID and then assigning that role so that only device administrators of an Entra ID Administrative Unit can see the local admin password for the subset of devices they are able to manage.…
-
Entra ID Multi-Factor Authentication/Conditional Access and External Federation Implementation
I have a few clients (not many) who have external federation for Entra ID (previously Azure Active Directory) and over the last year or so have been looking into these and integrating them with Entra ID Conditional Access. This has become more of an issue recently with Microsoft’s recently creation of “Microsoft Managed” Conditional Access…
-
Renewing Apple Tokens in Intune
To sync Apple OS devices to Intune you need a token created by Apple and uploaded to Intune. There are at least 3 seperate tokens that you might use and each of these expires one year after creation and needs renewing before they expire. The three (plus) tokens you need are: Apple MDM Push Certificate…
-
Inviting Google (Gmail) Users To Collaborate In Your Teams Channels
This post is not about inviting Google users to your meetings, where you just send them the meeting invite and all is good. This is about adding the Gmail user as a member of a Team, so they can see the Teams channels, chat and collaborate with files and apps along with everyone else in…
-
Teams v2 Machine Wide Installer
There was a “machine wide installer” for Teams v1 (version 1) that was an .msi file (as opposed to an .exe file) that would install Teams in the “Program Files” folder area (in contrast to the %appdata% folders) so that on machines that had many users (shared devices, hotdesks, multi-user VDI or remote desktops) you…