AIP Microsoft 365 Office 365 sensitivity labels

Removing a Default Sensitivity Label

In Microsoft 365 Sensitivity Labels you can have a label policy that requires that all content is labelled. If you enable this and then later decide this is not for you, you can republish your label policy and disable the default label and the require label policies.

That is, your settings start like this:

Policy settings before change

And then you change the settings in the label policy and you end up with these settings, which are published to the end users upon you saving the changes to the policy:

Policy settings after the change

As you can see from the before/after screenshots, the label required by default on documents has gone from Confidential to None.

But I have found sometimes this changes does not take full effect! You can only see it though if you look in PowerShell for this policy. The PowerShell module to use is the Exchange Online Management module (Install-Module ExchangeOnlineManagement if you don’t have it already) and then run Connect-IPPSSession to connect to the Microsoft 365 Protection Center. Once connected run Get-LabelPolicy and then (Get-LabelPolicy <name_of_your_policy>).Settings to return the settings.

If I get the settings as above before I remove the mandatory requirement for a label I see:

[requiredowngradejustification, true]
[mandatory, true]
[defaultlabelid, be5e9727-67cc-4056-a87b-1dbbf67b7b9b]

Where the DefaultLabelID matches the GUID for the default label (Get-Label GUID should return the label that is the default).

But, once I remove the mandatory label and the default label, the “mandatory” setting should change to false and the “defaultlabelid” should be removed.

If the defaultlabelid does not get removed and the users do not see the policy change pushed out then it time for PowerShell to the rescue.

Set-LabelPolicy <Name> -AdvancedSettings @{defaultlabelid=""}

The above cmdlet changes the named policy label to remove the defaultlabelid value. Once you have run this, (Get-LabelPolicy <name>).Settings should not show the requirement for a default label.

exchange exchange online Microsoft 365 Office Office 365 Raspberry Pi

Microsoft 365 From A Raspberry Pi 400 Personal Computer

So my new computer arrived today, its a keyboard and a few cables, and as my first computer was a ZX Spectrum when I was 14, this brings back a few memories.

New boxed Raspberry Pi 400 PC kit

But, is it usable today with services such as Microsoft 365? Lets see…

First, the actual computer is in the keyboard, but its smaller than a standard PC sized keyboard. Indeed the manual the comes with it! is almost as big and heavier than the computer.

The manual, the Pi Keyboard (white) and a standard PC keyboard (black)

Plugging it in was easy, and once connected to the monitor and powered on it runs through a first use series of steps. With all that out of the way and the latest updates downloaded and installed the device rebooted and I logged in.

Cables everywhere. It supports WiFi as well so I could have avoided the purple Ethernet cable

Starting the web browser is easy – there is an icon top left and Chromium opens. Logging into Office 365 via is as you would expect, though some of the fonts used are not present and so the login screen looks slightly wrong.

From Office homepage I clicked Teams icon and it presented me with the below – an offer to install the Teams Linux client and two choices, Linux DEB or Linux RPM.

Teams on Pi and an offer of two installers though neither of these work on an ARM processor

Neither of these work with ARM based Raspberry Pi computers though, so need to use the web application. Also from the Teams perspective, there is no built in camera or microphone, but it did only cost £95 for the entire kit. A Bluetooth microphone might connect, but I don’t have one to hand to test with. Any USB microphone would work and a USB camera, with a microphone, can be enabled with a few commands run at the prompt.

Enabling video with the fswebcam installer

Chromium comes with the uBlock Origin extension enabled, which blocks some functionality in Teams such as notifications. I just turned off the EasyPrivacy list for the rest of my introductory testing and not a lot was blocked after that.

Outlook Web App, Word etc all worked efficiently though slightly slow for my preference, but again – its a sub £100 computer.

When using Office in Chromium it offers to add a link to the desktop – this adds the Office icon and then Office appears like an app, though its only Chromium. This is a nice feature akin to Chromebooks.

Office icon on the desktop and Office open and not looking like its really a browser

This functionality is not limited to Office, for example in Outlook Web App I can choose to “Install Outlook” from the three dots icon top right of the browser. This opens Outlook as a separate web app and adds an icon to the desktop like Office got when I opted to “pin” Office when prompted to do so in that web page.

Install Outlook menu item in Chromium when OWA is the open tab
Install App confirmation
Outlook – on the Raspberry Pi

So that will do for now – everything else I can do in the Raspberry Pi for Microsoft 365 is generally as I can do it in any of the web apps on any platform.

enhanced filtering EOP exchange exchange online Exchange Online Protection Exchange Server mimecast Office 365 spam

Enable EOP Enhanced Filtering for Mimecast Users

Enhanced Filtering is a feature of Exchange Online Protection (EOP) that allows EOP to skip back through the hops the messages has been sent through to work out the original sender.

Take for example a message from to where uses Mimecast (or another cloud security provider). The MX record for is Mimecast in this example. When EOP gets the message it will have gone from > Mimecast > > EOP, or it will have gone > Mimecast > EOP if you are not sending via any other system such as an on-premises network.

EOP though, without Enhanced Filtering, will see the source email as the previous hop – in the above example the email will appear to come from Mimecast or the on-premises IP address – and neither of these are the true sender for and so the message fails SPF if it is set to -all (hard fail) and possibly DMARC if set to p=reject. EOP won’t, because of this complexity in routing, reject hard fails or DMARC rejects immediately.

So how can you tell EOP about your complex routing – this is Enhanced Filtering. You add the IPs of your on-premises network and your cloud filter to the inbound connector that you create in EOP to receive your emails. For any source you need the list of IPs and here are the IPs at the time of writing for Mimecast EU datacenters in an easy to use PowerShell cmdlet to add them to your Inbound Connector in EOP.

Set-InboundConnector "Inbound from Mimecast EU" -EFSkipIPs,,,,,,

In the above, get the name of the connector correct and it adds the IPs for you. It takes about an hour to take effect, but after this time inbound emails via Mimecast EU are skipped for spf/DMARC checking in EOP. For organisations with complex routing this is something you need to implement.

attribution domain enhanced filtering EOP exchange exchange online Exchange Online Protection Exchange Server mimecast Office 365 smtp transport

Mail Flow To The Correct Exchange Online Connector

In a multi-forest Exchange Server/Exchange Online (single tenant) configuration, you are likely to have multiple inbound connectors to receive email from the different on-premises environments. There are scenarios where it is important to ensure that the correct connector is used for the inbound message rather than any of your connectors. Here is one such example.

With multiple inbound connectors you might be happy and successfully complete your testing if the email from on-premises appears in the correct cloud mailbox. But what about when you use Enhanced Filtering. Here you need to add the intermediate IP addresses of all the hops the message can go through to the specific connector so that Exchange Online Protection can determine the real source IP address and then do spam/spf etc. on the true sender IP and not the hop before Exchange Online Protection (likely your on-premises server and not the actual source).

For example, lets send an email from to, where uses Mimecast, has Exchange Servers and has moved mailboxes to Exchange Online. The mail flow for this scenario is:

SenderDomainServer Public IP > MX (Mimecast) > Mimecast IPs > On-Premises IPs (internal) > Public IP for on-premises servers > EOP

From the EOP view point, the email is received from the public IP for the on-premises servers and not from the actual sending IP address. This means that the message will fail SPF as you have complex routing in-front of the receipt by EOP. This, out of interest, is the reason why EOP will not reject SPF failures even if DMARC reject is in place.

When the message arrives at EOP, the message needs to be attributed to the correct connector. If you have multiple Exchange Server orgs in separate on-premises environments you need to make sure that the message is associated (attributed) to the correct Inbound Connector.

This message attribution is done by looking for all Inbound Connectors of type On-Premises in your tenant. If you have more than one connector of type On-Premises, looking up the TlsSenderCertificateName value on the Inbound Connectors to find the connector that best matches the certificate used to encrypt the inbound message. So lets take a look at the example above again. In the “Public IP for on-premises servers > EOP” hop this message will be encrypted with a certificate called (lets say) “” and the Exchange Hybrid Wizard will have created the Inbound Connector for this mail flow with TlsSenderCertificateName set to * Other Inbound Connectors from other on-premises orgs are possibly going to have similar certificates (they should not have the same one) with similar subject names and the Hybrid Wizard could have made more than one Inbound Connector with * as the TlsSenderCertificateName value. If you have multiple Inbound Connectors of type On-Premises and more than one connector with TlsSenderCertificateName set to * then the message could be attributed to the wrong connector.

If you have set Enhanced Filtering IPs to the other connector though, the Enhanced Filtering will not work because the message is not received by the connector you think it should be received by.

So how do you fix this. You modify the Hybrid Wizard created Inbound Connector TlsSenderCertificateName value to be the subject name of the certificate, so not * but and you register as a domain in Office 365. You need to do both. The reason the Hybrid Wizard sets TlsSenderCertificateName to * is to avoid you needing to add domains to Office 365 that match your certificate precisely, but if you have multiple connectors this is the only way to guarantee message attribution to the correct connector.

Now you can add the IPs you want to skip with Enhanced Filtering to the specific connector, mail flow will use the specific connector and the IPs will be skipped. EOP will resolve the correct sender IP (SenderDomain Public IP in the above example) even though the message has gone through Mimecast and on-premises servers as well. The message headers will now show:

X-MS-Exchange-SkipListedInternetSender ip=[Sender Server IP Address];domain=FQDN of sender

And not list Mimecast (or whomever you are using as a second cloud filter) or your on-premises IP addresses as the true sender.

Microsoft 365 Office Office 365 Outlook

Deploying Zoom Add-In To All Outlook Users

With the sudden change in working practices, a (large) number of companies has start to use Zoom as their video conferencing software. Though this software is not from Microsoft, that does not stop an Office 365 or Exchange Server administrator helping their users out in terms of scheduling Zoom meetings via an add-in in Outlook.

On the Zoom website the user can download and install their own add-in and the Zoom application, but the steps below will push the Outlook add-in to all users (or all Zoom users if you have a group containing just these users).

These steps are run from the Office 365 Admin Center and not from Zoom, and they push the add-in to Outlook without end end-user interaction

To deploy an add-in, and in this case the Zoom Outlook add-in, first go to the Microsoft 365 Admin Center at

Click Show All on the left and then select Settings > Add-ins from the expanded menu.

In the Add-In main page click + Deploy Add-In.

Deploy Add-In Screen
Deploy Add-In Screen

This screen outlines the Centralized Deployement service for Office Web add-ins. These add-ins work across the web version of the application, the desktop versions (PC and Mac) and in some cases the mobile version as well. The important thing to learn here is that they are not just for the web version, so not just for OWA. In the context of the Zoom add-in, on the Zoom website it says the add-in only works in Outlook for the Web (OWA), and this is not correct.

Click Next and click Choose from the Store as shown:

Choose from the Store
Deploy A New Add-In Screen

You will now see a list of all the add-ins in the Microsoft Store (once you have logged into the Store if you needed to do this).

Add-In Store
Select Add-In From Store

As we are discussing the Zoom for Outlook add-in at this point, type Zoom in the Search box.

Zoom for Outlook Add-in In the Add-In Store

Click Add next to the Zoom for Outlook add-in. Then accept the licence terms and privacy policy shown to you as shown below. If you click on the title of the add-in then you see a description of the add-in and can complete deployment from that screen.

Zoom Add-In Terms and Conditions
Zoom for Outlook License Terms and Privacy Policy
Zoom for Outlook Details
Zoom for Outlook Details

If after clicking Add and accepting the licence you get a correlation error similar to that shown, it means the add-in was already deployed. There is a bug in the new Admin Center that does not show existing deployed add-ins and you need to go to the old old Office 365 admin center (switch the slider top right) and search for the add-in:

Configure Add-In Error
Configure Add-In Error
Add-In Shown in Old Admin Center
Zoom for Outlook Add-In Shown in Old Admin Center

If you had no error on deploying the add-in, then you will be asked who to deploy the add-in to. The options are to Assign Users and choose all or some of the organization and also the Deployment Method and Fixed, Available or Optional. This last option controls whether the add-in is deployed for the user to the ribbon in the Office application and they cannot remove it (Fixed), where the user can choose to add the add-in to the office app (Available), or where the add-in appears on the application ribbon, but the user can remove it (Optional). This is shown below:

Configure Zoom for Outlook Add-In
Configure Zoom for Outlook Add-In

Select your user and deployment options. For users, any group cannot be a nested group and the requirements for groups is covered in the documentation. For this blog post I selected Everyone and Fixed. Click Deploy to start the deployment to the users.

Deploy Zoom for Outlook
Deploy Zoom for Outlook

The listed time is dependent upon the number of users in your deployment scope or your Office 365 tenant. You will get an email upon completion.

Once completed the add-in appears in the Office application. In this particular case, Zoom for Outlook appears in the New Appointment window in Outlook.

If you deployed the add-in as Available then the user needs to click the Get Add-In button in Outlook to install Zoom as shown:

Admin Add-Ins
Admin Add-Ins

Once the add-in is deployed, it will appear in the New Appointment screen as shown (on the right):

Zoom for Outlook New Appointment
Zoom for Outlook Add-In in New Appointment

Clicking the Add a Zoom Meeting button will present a dialog box where you can login with your Zoom account or if you have set up Zoom as an Enterprise Application then click the Sign in with SSO button.

Zoom for Outlook Add-In Login

In the below screenshot, Outlook Appointment shows the Zoom meeting details automatically added. The HTML view for the meeting details is an option available in your Zoom account settings, as is the location for your audio dial in settings (here shown as UK) as you don’t get to choose these options per meeting as you can do when meetings are made via the web browser on the Zoom site.

Zoom Meeting Created

The Settings button on the tool bar allows you to control other meeting settings such as Meeting ID (personal or auto-generated), password or not!, and video and audio settings for the meeting.

Zoom for Outlook Settings
Zoom for Outlook Settings

To edit the Add-In deployment you need to visit the old Microsoft 365 Admin Center (switch off “Try new admin center” to top right of admin center). From here you can adjust the status of the add-in and who it is deployed to, as well as removing the add-in.

Zoom for Outlook Add-In Settings
Zoom for Outlook Add-In Settings (old Office 365 Admin Center)

Finally, for info, the Teams Add-in to do the same thing in Teams is automatically added to Outlook if you have the Teams client installed and your deployment option is not Skype for meetings – for example if you are in Islands Mode you will be able to see both Skype and Teams buttons in Outlook!

Azure Active Directory Azure AD conditional access enterprise mobility + security Office 365 security self-service password reset sspr

Register For Azure AD MFA From On-Premises Or Known Networks Only

A long request within Azure AD/Office 365 has been the request to be able to register your security info from a known location or only on certain other conditions. Well it looks like this has appeared in Azure AD in the last few days!!

Its visible under Azure AD > Conditional Access > New/Existing Policy > Cloud Apps or Actions:


So, what does this look like in practice? Lets put this preview to the test.

Create the Conditional Access Policy for User Actions

Open the Azure AD portal at and click Enterprise Applications

From here click Conditional Access (this is also accessible under Azure AD > Security as well)

Click Add Policy and give the policy a name. I have chosen “Register Security Information On-Premises” for here

Click Users and Groups. I have selected “Users and Groups” rather than “All Users” as I plan to test this out first! I have picked the group that I use for testing Conditional Access changes. Eventually I will change this to All Users so that no-one can register security info apart from when on a trusted location. Note that this would also I think include guest users – I need to test that! Guest users are by their very nature not on my network but I might have MFA required for them – so they need to register, but I don’t want to apply the below to them


Select Cloud Apps or Actions (this was recently renamed to support this functionality we are describing here)

Select User Actions in the slider and check the option for Register Security Information (Preview)

Select Conditions and select the conditions you want to apply when users are registering security information. Its probably location based, so I will set that up here.

Select Locations, click Yes under Configure and select Any Location under Include and then under Exclude select Trusted Locations. Note that you need to have set up trusted locations in Conditional Access as well – I’m going to assume the public IP of all your offices is added and marked as trusted.

This setting will ensure that all locations other than trusted locations cannot register security information – note that this is the reverse of what you might expect. We need to block the locations we don’t want to access the MFA/SSPR registration process rather than the reverse. This is because we are required to add a control to the rules


With Azure AD P2 licences you could user a sign-in risk condition, ensuring that registration does not happen on medium or high risk sign-ins!

Click Done to bring you back to the first blade of settings and set Enable Policy to On to turn on this feature

Under Access Controls, click Grant and choose Block Access – be very careful here – don’t block all your access to everything!


Click Done

This takes us back to the first blade in the Conditional Access settings.

Click On in the Enable Policy slider

Now the Create button is available – this is not available if you do not create the reverse of what you might expect to do – block unknown locations rather than allow trusted locations!


Click Create

You will get your notification – you can test this in a few minutes:


Enable The New Combined MFA/SSPR Registration Page

Though I noticed that this conditional access restriction works against the older MFA registration page, Microsoft have said in their release blog article for this feature that it will only work against the new MFA/SSPR combined registration page. Therefore you should turn this on for your users impacted by the above policy – initially for your pilot users and then for all users.

See for more on setting up the combined MFA/SSPR registration page.

Testing Register Security Information (Preview)

In an in-private browser session on the Wi-Fi of your favourite coffee company, browse to (as this is not a trusted location!)

After logging in you would expect to be take to the registration page for MFA and SSPR – but you are not!


Repeat your test from on-premises, and you will get the MFA and SSPR registration pages (or both if you have the new combined MFA+SSPR wizard enabled):

Note that for a brand new user where you have SSPR enabled, they are required to register by default every 180 days. This will mean they have to register at first login – therefore first login needs to be from a trusted network (in this example) – you could use Trusted Device as the only place to register from, but adding a user to a trusted device requires MFA by default, so watch out for an issue here and if you want to do this, test it very well.

I have not had the opportunity to test this with the 180 day refresh of your settings – presumably that should work from any location and only changing them would be blocked, but this is something that needs to be tried out.

cyber bullying exchange exchange online Exchange Server offensive Office 365 supervision

Review and Audit Offensive Language in Office 365 Communications

A new feature as of May 2018 in Office 365 is to filter communications based upon the offensive language machine learning filter. This is part of the Supervision settings that have been available for a number of years. The Offensive Language model uses a combination of machine learning, artificial intelligence, and keywords to identify inappropriate email messages as part of anti-harassment and cyber bullying monitoring requirements.

Here we will walk through the process of setting up the offensive language filter and testing it out (without offending anyone)!

Setting Up Offensive Language Supervision

Open the Compliance Center at and select Supervision on the left as shown:


At the time of writing, the Compliance Center is new and not everything is visible here. By the time you read this article it might be possible to create your supervision reviews from this portal, but for now we need to go to the Security and Compliance Center – so click the link at the top of the page. You will see this:


If you cannot see this then you do not have the right permissions. Add yourself to the Supervisory Review role group so you can set up policies. Anyone who has this role assigned can access the Supervision page in the Compliance Center.

Click Create to create a supervision review. Enter a name and a description. You cannot change the name later on.


In the next page, select the users to supervise. Start with a test group before editing this policy to add a group that contains everyone.


You can also select users who are in the group and specifically exclude them if needed. Communications via Exchange and Teams are included by default. Third party sources can be added as well.

Click Next and move to the Choose communications to review tab. Here select Internal communications (which is not selected by default) and choose Use match data model condition. There is only one model, and that is the Offensive Language model – so that gets selected by default.


If you want to scope the filter a bit more then you can select Add a condition and set up rules – for example you could exclude a specific domain inbound.

Click Next and get to the Specify percentage to review tab


Here you get to set the percentage of communications to review. The default is 10%. This means that only 10% of all communications are reviewed, and the results you see are based on what was found in that 10%. In large organizations, 10% could be a lot of communications, and therefore could be a fair amount of offensive content. Therefore ensure both your reviewers are able to manage the review process without undue impact and understand that whatever you find – there is 10 times more of it happening. Smaller organizations might want to increase the percentage to review, or at least consider increasing the percentage to review.

Click Next and enter the email addresses of the reviewers. They need to have an Exchange Online mailbox to be able to do this, but the content for review does not go into the reviewers mailbox.


Click Next and get to the Review your settings tab. Check everything is okay and click Finish.


Your policy will be listed so that you can update it, apart from the name, in the future.

The policy is also displayed in a pop-out as shown:


In this pop-out you can see the name of the mailbox that the content for review will go into – therefore those users who are reviewers will need to have access to this mailbox if they want to use Outlook to do their review process. If the reviewers have access to the Compliance Center then review can be done there instead of in Outlook/OWA. Permissions need to be granted to the mailbox using PowerShell. The two cmdlets are, using your supervisory review mailbox as listed in the policy results.

Add-MailboxPermission "SupervisoryReview{GUID}" -User "alias or email address of the account that has reviewer permissions to the supervision mailbox" -AccessRights FullAccess
Set-Mailbox "SupervisoryReview{GUID}" -HiddenFromAddressListsEnabled: $false

You can add “-AutoMapping $false” to the Add-MailboxPermission if you want the review mailbox not always to appear as an additional mailbox in Outlook.

To Review Your Supervision Policy

In the Supervision Review pop-out (which you can get back by clicking on the policy name), click Open at the top.

This takes you to:


Here I can see I have nothing to review or pending items to look at. If you want to test this, think of something offensive and send it to yourself! It might turn up in the review portal, or it might not – remember only 10% of communications are subject to review.

Note: Emails subject to defined policies are processed in near real-time and can be tested immediately after the policy is configured. Chats in Microsoft Teams can take up to 24 hours to fully process in a policy.

I’m not going to send anything, but I will take a look back here later and I might update this blog if I ever get any hits!

To review the content, the menu across the top for Review and Resolved Items will show you the items and those that have been resolved. The actual HR and discipline process is obviously not covered by anything in this review process. Once resolved in the company, mark it as resolved here.

In OWA, you can open an additional mailbox and enter “super” and the supervisoryreview{GUID} mailbox appears:


Inside the supervisory review mailbox, there is a folder for the policy you just created and inside that are subfolders that indicate review (Non-Compliant and Questionable) and Resolved:


Blocking Offensive Language

This is just a review process. If you want to block content, then create a DLP policy that uses a dictionary of words to block. For more on the dictionary creation see

AADConnect AADSync active directory Azure Active Directory Azure AD compliance conditional access device download enterprise mobility + security exchange online microsoft Office 365 OneDrive OneDrive For Business sharepoint

Read Only And Document Download Restrictions in SharePoint Online

Both SharePoint Online (including OneDrive for Business) and Exchange Online allow a read only mode to be implemented based on certain user or device or network conditions.

For these settings in Exchange Online see my other post at

When this is enabled documents can be viewed in the browser only and not downloaded. So how to do this.

Step 1: Create a Conditional Access Policy in Azure AD

You need an Azure AD Premium P1 licence for this feature.

Here I created a policy that applied to one user and no other policy settings. This would mean this user is always in ReadOnly mode.

In real world scenarios you would more likely create a policy that applied to a group and not individual users and forced ReadOnly only when other conditions such as non-compliant device (i.e. home computer) where in use. The steps for this are:

The pictures, as you cannot create the policies in the cmdline, are as follows:

  1. New policy with a name. Here it is “Limited View for ZacharyP”
  2. Under “Users and Groups” I selected my one test user. Here you are more likely to pick the users for whom data leakage is an issue
  3. Under “Cloud apps” select Office 365 SharePoint Online. I have also selected Exchange Online, as the same idea exists in that service as well
  4. Under Session, and this is the important one, select “Use app enforced restrictions”.

SharePoint Online will then implement read only viewing for all users that fall into this policy you have just created.

Step 3: View the results

Ensure the user is licensed for SharePoint Online (and a mailbox if you are testing Exchange Online) and an Azure AD Premium P1 licence and ensure there is a document library with documents in it for testing!

Login as the user under the conditions you have set in the policy (in my example, the conditions where for the specific user only, but you could do network or device conditions as well.

SharePoint and OneDrive Wizard Driven Setup

For reference, in the SharePoint Admin Centre and Policies > Access Control > Unmanaged Devices, here you turn on “Allow limited web-only access” or “Block access” to do the above process of creating the conditional access rule for you, but with pre-canned conditions:

In the classic SharePoint Admin Center it is found under that Access Control menu, and in SharePoint PowerShell use Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

Turning the settings on in SharePoint creates the Conditional Access policies for you, so for my demo I disabled those as the one I made for had different conditions and included SharePoint as well as a service. This is as shown for SharePoint – the banner is across the top and the Download link on the ribbon is missing:


And for OneDrive, which is automatic when you turn it on for SharePoint:

calendar exchange online Exchange Server monthly channel Office 365 Office 365 ProPlus Outlook semi-annual channel

Save Time! Have All Your Meetings End Early

I am sure you have been in a meeting, where the meeting end time rolls around and there is a knock at the door from the people who want the meeting room now, as their meeting time has started and yours has finished.

What if you could recover five, eight, ten or more minutes per meeting so that the next meeting party can get into the room on time, and you have time to get out and get to your next meeting, and be on time.

Well since the beginning of 2019, Microsoft have come to your rescue.


The above are the new calendar “End appointments and meetings early” option. It is available in Outlook for Windows that is part of Office 365 ProPlus and you need to have a version of the software released new in 2019 for the feature to be available – more on the version and what to do in the technical section below.

The above option is found from File > Options > Calendar and then looking under Calendar Options as shown.

Check the option ”End appointments and meetings early” and then choose the time that a meeting under 1 hour will end early, and you can choose 5, 8 or 10 minutes, and then a second option for meetings over 1 hour – these can end 5, 10 or 15 minutes early. You can also enter your own preferred end early time.

Click OK and go create a new meeting. It should not matter how you create the meeting.

As you can see from my options above, my default meeting is 30 minutes – so on creating a new meeting I see the following:


I’ve highlighted the new end time – its 25 minutes after the meeting starts! The adjustment applies to the default meeting length and shortens it for me.

If for this meeting I want it to be the full 30 minutes, I can just write in the new time – all Outlook is doing is setting a new adjustable default for me.

For meetings where you drag out a custom duration in your calendar – it works here as well:


As you can see I have dragged out 1pm to 4pm on Thursday. Look what happens when I enter some text for the meeting subject:


The meeting is created with an end time ten minutes early (my preferred time saving duration for meetings over one hour). As with the above, I can adjust the time of this meeting to the full hour if I want to very easily – just drag the meeting block to the full hour and it is kept. Its just the default time when I first create the meeting that is adjusted.

Note that existing meetings are not changed – but if you go into an existing meeting and look at the end time drop down, you will see suggestions for the duration that take the early end time into consideration:


So, that’s how you can save time on your meetings (or at least one way, being prepared for them is another and technology cannot help there – yet!)

Changing The Defaults For Everyone

But what if you are the HR department or the representative of the department for digital change – what if you want to try and improve company culture and change these defaults across the board – well this is a job for IT, but they can easily roll out a setting to all your computers that set a end early time for both short and longer meeting durations.

They need to deploy a group policy setting that changes the registry at HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\Calendar and updates both EndEarlyShort and EndEarlyLong values as well as the EndEventsEarly key. EndEarlyShort is of course the value that affects meetings under one hour – and you do not need to accept the Microsoft suggested durations of 5, 8 and 10 minutes. For example if I edit this DWORD registry key and set the value to 3, upon restarting Outlook my new meetings under one hour end three minutes early:


The EndEventsEarly value is the setting that turns the feature on. So as well as setting the end early times, you need to set this value to 1 as well.

If you want to roll out this change centrally and ensure that the end user cannot set their own custom end early time then you can change the registry key policy settings via HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Calendar. Changes in this registry location mean the user cannot adjust the end early times.


You can disable this option centrally as well by setting EndEventsEarly DWORD value to 0 – this has the effect of disabling the check box and so users cannot turn the option on.

All these three settings are included in the latest update to the Office365 Administrative Templates, available on Microsoft Download Center: as well.

Checking Your Outlook Version

Version 1812 or later in use on the Monthly Channel is required before you can use this feature. In most businesses you are probably using the Semi-Annual channel, and this has features deferred by at least six months. So to check, click File > Office Account in any Office application (shown below). To the right hand side you will see the below. You need to check you are running the Subscription Product and that under About Outlook (or whatever Office app you are checking), it reads Version 1812 or later and Monthly Channel. The Semi-Annual Channel is released in January and July each year and is deferred by at least six months, so as this feature was released in Dec 2018, this feature will not appear in the Semi-Annual Channel until at least July 2019 – build 1812 of the Semi-Annual Channel (and possibly not until build 1907). More on this release cycle can be found at


groups Microsoft Teams Office 365 Office 365 Groups Teams

Convert Office 365 Group to Microsoft Team Totally Failing

This one has been annoying me for a while – I had an Office 365 Group that I created many years ago in Office 365 that I cannot convert to a Microsoft Team.

This is what I see in Teams to do this process. First, click “Create a team”


Followed by “Create a team from an existing Office 365 group” which is found at the bottom of the creation dialog in the Teams app:


I get a list of Office 365 Groups but not the one I want. In my example I see six groups:


The rules for converting an Office 365 Group to a Team is the following:

  • Must be private
  • Must have an owner

Both of these are true for the group I want to convert, but the group still does not appear in the Teams conversion page shown above:

So I resort to PowerShell:

Get-UnifiedGroup returns all my groups and shows that the group exists (I know it does – its got content in it!)


So I get the Group ID using Get-UnifiedGroup <name> | FL *id*


Specifically I am after the ExternalDirectoryObjectID value

Then I try to make a new Team using PowerShell using the ExternalDirectoryObjectID. This is New-Team -Group <ExternalDirectoryObjectID>


I get back a lot of red text. In this is reads “Message: Team owner not found”. This is odd, as the Team does have an owner – I can see this in OWA for the Office 365 Group


And I can see this using Get-UnifiedGroupLinks as well:


So I decide to set the owner back to the owner again using Add-UnifiedGroupLinks PowerShell cmdlet (Add-UnifiedGroupLinks <group_name> -Links <myemailaddress> -LinkType Owner)


This returns nothing, so I presume nothing has changed.

I take a look in New Team > Convert Group option – and as if by magic, I can see the Office 365 Group I want to make into a Team


Its the one at the top in all these redacted images – the logo matches the group above, and I now have seven Office 365 Groups that are candidates for Teams.

Conversion then happens seamlessly!

AADConnect exchange exchange online Exchange Server migration Office 365 Public Folders

Public Folder Sync–Duplicate Name Error

I came across this error with a client today and did not find it documented anywhere – so here it is!

When running the Public Folder sync script Sync-ModernMailPublicFolders.ps1 which is part of the process of preparing your Exchange Online environment for a public folder migration, you see the following error message:

UpdateMailEnabledPublicFolder : Active Directory operation failed on O365SERVERNAME.)365DATACENTER.PROD.OUTLOOK.COM. The
object ‘CN=PublicFolderName,,OU=Microsoft Exchange Hosted
Organizations,DC=)365DATACENTER,DC=PROD,DC=OUTLOOK,DC=COM’ already exists.
At C:\ExchangeScripts\pfToO365\Sync-ModernMailPublicFolders.ps1:746 char:9
+         UpdateMailEnabledPublicFolder $folderPair.Local $folderPair.Remote;
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
     + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,UpdateMailEnabledPublicFolder

This is caused because you have a user or other object in Active Directory that has the same name as the mail enabled public folder object.

In Exchange Online PowerShell if you run Get-User PublicFolderName you should not get anything back, as its a Public Folder and not a user, but where you see the above error you do get a response to Get-User (or maybe Get-Contact or any other object that is not a Public Folder. This class of object name (common name or cn) means the script can create the public folder in the cloud, but not update it on subsequent runs of the script.

The easiest fix is to rename the common name of the public folder object in Active Directory for all clashing public folders, unless you know you do not need the other object that clashes – as renaming that and letting AADConnect sync process the change is another way to resolve this.

To rename the mail public folder, in Exchange Server management shell run Set-MailPublicFolder PublicFolderName –Name NewPublicFolderName

I have changed my names to start with pf, so PublicFolderName becomes pfPublicFolderName and then the script runs without issue.

MFA Office 365

Configuring Multi Factor Authentication For Office 365

Given that Office 365 is a user service, the enabling of multi-factor authentication is very much as admin driven action – that is the administrators decide that the users should have it, or that it is is configured via Conditional Access when limiting the login for the user to certain applications and locations.

For a more security conscious user, enabling it themselves if harder! To do this, follow these steps:

  1. Go to My Apps –
  2. Click your picture icon top right and choose Profile from the menu
  3. Click Additional Security Verification from the menu to the right
  4. Select your preferred method of second factor of authentication from the first drop-down box. You need to ensure that the option you choose is enabled below.

You will now be prompted for your second authentication factor that you choose when you try to do a password change or change your verification info.

Azure Azure Information Protection cloud firewall Office 365 proxy SSL

SSL Inspection and Office 365

Lots of cloud endpoint URL’s break service flow if you enable SSL Inspection on the network devices between your client and the service. My most recent example of this Enterprise State Routing in Windows 10.

Microsoft have a list of URLs for the endpoints to their service, where they are categorised as Default, Allow or Optimize. The URLs that are Allow or Optimize should avoid SSL inspection.

The endpoint list is found at and the JSON for this can be downloaded, as well as a PowerShell script to return the IPs and URLs.

Within this JSON file you can look for the category and if the category is Allow or Optimize then ensure the matching URLs are not SSL inspected.

active directory Azure Active Directory Azure AD AzureAD EM+S enterprise mobility + security microsoft Office 365 password security

Improving Password Security In the Cloud and On-Premises

Passwords are well known to be generally insecure the way users create them. They don’t like “complex” passwords such as p9Y8Li!uk%al and so if they are forced to create a “complex” password due to a policy in say Active Directory, or because their password has expired and they need to generate a new one, they will go for something that is easy to remember and matches the “complexity” rules required by their IT department. This means users will go for passwords such as WorldCup2018! and Summ3r!!. Both these exceed 8 characters, both have mixed case, both have symbols and numbers – so both are complex passwords. Except they are not – they are easy to guess. For example, you can tell the date of this blog post from my suggestions! Users will not tend to pick passwords that are really random and malicious actors know this. So current password guidance from NIST and UK National Cyber Security Centre is to have non-expiring unknown, not simple passwords that are changed on compromise. Non-expiring allows the user to remember it if they need to (though a password manager is better) and as it is unknown beforehand (or unique) means its not on any existing password guess list that might exist.

So how can we ensure that users will choose these passwords! One is end user training, but another just released feature in the Microsoft Cloud is to block common passwords and password lists. This feature is called Azure AD Password Protection. With the password management settings in Azure AD, cloud accounts have been blocked from common passwords for a while (passwords that Microsoft see being used to attempt non-owner access on accounts) but with the password authentication restrictions you can link this to block lists and implement it with password changes that happen on domain controllers.

So how does all this work, and what sort of changes can I expect with my passwords.

Well what to expect can look like this:


Note all the below is what I currently know Microsoft do. This is based on info made public in November 2018 and documented at and is subject to change as Microsoft’s security graph and machine learning determines change is needed to keep accounts secure.

Password Scoring

First, each password is scored when changed or set by an administrator or a user on first use. A password with a score less than 5 is not allowed. For example:

spring2018 = [spring] + [2018] = 2 points

spring2018asdfj236 = [spring] + [2018] + [asdf] + [f] + [j] + [2] + [3] + [6] = 8 points

This shows that common phrases (like Spring and 2018) can be allowed as part of password that also contains stuff that is hard to guess. In this, the asdf pattern is something straight from a Qwerty keyboard and so gets a low score. In addition to the score needing to exceed 5, other complexity rules such as certain characters and length are still required if you enforce those options. Passwords are also “normalized”, which lower cases them and compares them in lower case – so spRinG2018 is as weak as spring2018. Normalization also does common character replacesments such as $=s, so $PrinG2018 is the same as spring2018 and also just as weak!

You name is not allowed in any password you set and the logic applies to an edit distance of 1 character – that is if “spring” is a blocked word then “sprinh” would also be blocked, h being one character away from g.

Common and Blocked Lists

Microsoft provide the common password lists, and these change as Microsoft see different passwords getting used in account attacks. You provide a custom blocked list. This can contain up to 1000 words, and Microsoft apply fuzzy logic to yours and the common list. For example we added all our office locations as shown:


This means that both capetown and C@p3t0wn would be blocked. The @=a, the 3=e and the 0=o. So the more complex one is really not complex at all as it contains common replacements.

In terms of licences, the banned password list that Microsoft provides is licence free to all cloud accounts. You need AAD Basic if you want to add your own custom banned password list. For accounts in Windows Server Active Directory you need the Azure AD Premium (P1) licence for all synced users to allow downloading of the banned password list as well as customising it with your words so that Active Directory can apply it to all users on-premises to block bad passwords (even those users not synced to AzureAD).

Hybrid Password Change Events Protected

The checks on whether a password change should be stopped is included in hybrid scenarios using self-service password reset, password hash sync, and pass-through authentication, though changes to the custom banned password list may take a few hours to be applied to the list that is downloaded to your domain controllers.

On-Premises Changes

There is an agent that is installed on the domain controllers. Password changes are passed to the agent and it checks the password against the common list and your blocked list. The agent does the password check, and it checks it against the most recently downloaded list from Azure AD. The password for on-premises is not passed up to Azure AD, the list is downloaded from Azure AD and processed locally on the domain controller. This download is done by the Azure AD password protection proxy. The list is then downloaded once per hour per AD site to include the latest changes. If your Azure AD password protection proxy fails, then you just use the last list that was successfully downloaded. Password changes are still allowed even if you lose internet access.

Note that the Azure AD password protection proxy is not the same as the Pass-Through Authentication agent or the AAD Connect Health agent. The Azure AD password protection proxy can though be installed on the same servers as the PTA or Connect Health agent. Provisioning new servers for the proxy download service are not required.

The Azure AD password protection proxy wakes up hourly, checks SYSVOL to see the timestamp of the most recently downloaded copy and decides if a new copy is needed. Therefore if your intra-site replication is within the hour, proxy agents in other sites might not need to download the list as the latest is already available via DFSR between the domain controllers.

The Azure AD password protection proxy does not need to run on a domain controller, so your domain controllers do not need internet access to obtain the latest list. The Azure AD password protection proxy downloads the list and places it in SYSVOL so that DFSR replication can take it to the domain controller that needs it.

Getting Started

To set a custom password block list, in the Azure Portal visit the Azure AD page, click Security and then click Authentication Methods (in the Manage section). Enter your banned passwords, lower case will do as Microsoft apply fuzzy logic as described above to match your list to similar other values. Your list should include common words to your organization, such as location, office address keywords, functions and features of what the company does etc.

For Active Directory, download the agent (from the Microsoft Download Center) to one or more servers (for fault tolerance). These will download the latest list and place it in SYSVOL so that the domain controllers can process it. Two servers in two sites would probably ensure one of them is always able to download the latest copy of the list.

The documentation is found at

Microsoft suggests that any deployment start in audit mode. Audit mode is the default initial setting where passwords can continue to be set even if they would be blocked. Those that would fail in Enforce mode are allowed in Audit mode, but when in audit mode entries in the event log record the fact that the password would fail if enforce was turned on. Once proxy server(s) and DC agents are fully deployed in audit mode, regular monitoring should be done in order to determine what impact password policy enforcement would have on users and the environment if the policy was enforced.

This audit mode allows you to update in-house policy, extend training programs and offer password advice and see what users are doing that would be considered weak. Once you are happy that users are able to respond to an password change error because the password is too weak, move to enforce mode. Enforce mode should kick in within a few hours of you changing it in the cloud.

Installing the Proxy and DC Agent

Domain Controllers need to be running Windows Server 2012 and later, though there are no requirements for specific domain or forest functional levels. The Proxy software needs to run on a Windows Server 2012 R2 or later server and be running .NET 4.6.2 or later. Visit the Microsoft Download Center to download both the agent and the password protection proxy. The proxy is installed and then configured on a few (two at most during preview) servers in a forest. The agent is installed on all domain controllers as password changes can be enacted on any of them.

To install the agent, run AzureADPasswordProtectionProxy.msi on the server that has internet connectivity to Azure AD. This could be your domain controller, but it would need internet access to do this.

To configure the agent, you need to run once Import-Module AzureADPasswordProtection followed by Register-AzureADPasswordProtectionProxy and then once the proxy is registered, register the forest as well with Register-AzureADPasswordProtectionForest all from an administrative PowerShell session (enterprise admin and global admin roles required). Registering the server adds information to the Active Directory domain partition about the server and port the proxy servers can be found at and registering the forest settings ensure that information about the service is stored in the configuration partition.

Import-Module AzureADPasswordProtection
Get-Service AzureADPasswordProtectionProxy | FL
$tenantAdminCreds = Get-Credential
Register-AzureADPasswordProtectionProxy -AzureCredential $tenantAdminCreds
Register-AzureADPasswordProtectionForest -AzureCredential $tenantAdminCreds

If you get an error that reads “InvalidOperation: (:) [Register-AzureADPasswordProtectionProxy], AggregateException” then this is because your AzureAD requires MFA for device join. The proxy did not support MFA for device join during the early preview but that should now be resolved – make sure you are using the latest download of the agent and proxy code. you need to disable this setting in Azure AD for the period covering the time you make these changes – you can turn it back on again (as on is recommended) once you are finished configuring your proxy servers. This setting, should you need to disable it, is found at:

  • Navigate to Azure Active Directory -> Devices -> Device settings
  • Set “Require Multi-Factor Auth to join devices” to “No”
  • As shown
  • Then once the registration of your two proxies is complete, reverse this change and turn it back on again.

Once at least one proxy is installed, you can install the agent on your domain controllers. This is the AzureADPasswordProtectionDCAgent.msi and once installed requires a restart of the server to take its role within the password change process.

The PowerShell cmdlet Get-AzureADPasswordProtectionDCAgent will report the state of the DCAgent and the date/time stamp of the last downloaded password block list that the agent knows about.


Changes In Forest

Once the domain controller the agent is installed on is rebooted, it comes back online, finds the server(s) running the proxy application and asks it to download the latest password block list. The proxy downloads this to C:\Windows\SYSVOL\domain\AzureADPasswordProtection. Older versions of the proxy and agent used a folder called
{4A9AB66B-4365-4C2A-996C-58ED9927332D} under Policies folder. These versions of the agent stop working in July 2019 and need to be updated to the latest release.

In the Configuration partition at CN=Azure AD Password Protection,CN=Services,CN=Configuration,DC=domain,DC=com some settings about the service are persisted. If the domain controller has the agent installed then

CN=AzureADConnectPasswordPolicyDCAgent,CN=<DomainControllerName>,OU=Domain Controllers,DC=domain,DC=com is created.

And then on each domain controller, in the Event Viewer, you get Application and Services Logs > Microsoft > AzureADPasswordProxy with DCAgent on the DC’s and ProxyService on the proxy servers. The EventID’s are documented at

The monitoring Event ID will cover things like user password change differently than admin password set. This allows you to audit who (end user or service desk) is setting weak passwords.

Once the proxy starts to work, the above folder starts to get content. In my case in the preview it took over 2 hours from installing the proxy as well as the documented installation and configuration PowerShell cmdlets listed above to get the proxy to download anything. The above listed Configuration folder contained some cfge files and the above listed PasswordPolicies contains what I assume is the downloaded password block list, compressed as its only 12KB. This is the .ppe file and there is one of these per hour downloaded. Older versions of this download are deleted by the proxy service automatically.

Audit Mode

Using the above Event ID’s you can track the users who have changed to weak passwords (in that they are on your or Microsoft’s banned password list) when the user or admin sets (or resets) the users password. Audit mode does not stop the user choosing the password that would “normally have been rejected” but will record different Event IDs depending upon the activity and which block list it would have failed against. Event id DCAgent/30009 for example has the message “The reset password for the specified user would normally have been rejected because it matches at least one of the tokens present in the Microsoft global banned password list of the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted.”. This message is a failure against Microsoft’s list on password set. The user doing a password change and the Microsoft list gets DCAgent/30010 Event ID recorded instead.

Using these two Event ID’s along with DCAgent/30007 (logged when password set but fails your custom list) and or DCAgent/30008 (password changed, fails your custom list) allows you to audit the impact of the new policy before you enforce it.

Enforce Mode

This mode ensures that password set or change events cannot have passwords that would fail the list policies. This is enabled in the password policy in Azure AD as shown:


Once this is enabled it takes a few hours to be picked up by the proxy servers and then for the agent to start rejecting banned passwords.

When a user changes their password in enforce mode they get the following error (different graphic depending upon Windows versions). If the admin changing the password uses a blocked password then they see the left hand graphic as well (Active Directory Users and Computers).



This is no different to the old error you get when your password complexity, length or history is not met. Therefore there is no indication to the user that the password they chose might be banned rather than not allowed for the given reasons. So though password policy with a banned list is an excellent step forward, there needs to be help desk and end user awareness and communications (even if they are just a simple notification) as the user would not be able to tell from the client error they get. Maybe Microsoft have plans to update the client error?

Password changes that fail once enforce mode is enabled get Event ID’s such as DCAgent/30002, DCAgent/30003, DCAgent/30004 and DCAgent/30005 depending upon which password list the fail happened against and the method of password set or change. For example when I used the password Oxford123, as “oxford” is in the custom banned password list, Event ID 30003 returns “The reset password for the specified user was rejected because it matched at least one of the tokens present in the per-tenant banned password list of the current Azure password policy”. As mentioned above, the sequence of 123 following the banned word is not enough to make to score more than 5 points and so the password change is rejected.

On the other hand, 0xf0rdEng1and! was allowed as England was not on my banned list an so although my new password contained a banned word, there were enough other components of the password to make it secure enough. Based on the above mentioned scoring of 5 or more is required to have a password accepted, [Oxford] + [E] + [n] + [g] + [1] + [a] + [n] + [d] + [!], a total of 9. 9 >= 5 and so the password is accepted.

Finally, when testing users, other password policies like the date that the password can next be changed and “user cannot change password” property etc. will take effect over the banned password list. For example, if you have a cannot change password for 5 days setting, and you set the users password as an administrator – that will work or fail based on the password you enter, but if you change the password as the user within that time period, that will fail as five days have not gone by and not because the user picked a guessable password.

aadrm Azure Information Protection certificates exchange exchange online IRM Office Office 365 rms SSL

Azure Information Protection and SSL Inspection

I came across this issue the other day, so thought I would add it to my blog. We were trying to get Azure Information Protection operating in a client, and all we could see when checking the download of the templates in File > Info inside an Office application was the following:

02-Setup RMS Menu

03-Setup RMS Menu

04-Setup RMS Menu Error

The sequence of events was File > Info, click Set Permissions. You get the “Connect to Rights Management Servers and get templates” menu item. Clicking this shows a box saying “Retrieving templates from server” (which you might not see as this step takes no real time at all) and then an error that reads “Your machine isn’t set up for Information Rights Management (IRM). To set up IRM, sign into Office, open and existing IRM protected message or document, or contact your helodesk”.

For each of these recommendations, we tried them and still got the same message.

So what was the issue?

In Microsoft state the the IRM client in Windows uses Certificate Pinning. This is where the client application knows what certificate it expects to see at the service it is connecting to. If it gets a different certificate it will fail to connect. Within enterprise organizations, firewalls and proxy devices that do SSL Inspection change the certificate in use so that they can see the content being sent to the service in the clear. For the IRM client in Windows, this means that IRM does not trust the certificate and so will not work.

You can test for SSL Inspection on a URL by browsing the target URL in Chrome. For example, for IRM go to and click the Secure banner in the address bar:


You will get a popup – hover over the “Certificate (Valid)” message. If the certificate is not valid then either your PC is missing some important updates or SSL inspection is happening, but not implemented correctly!

You can use this same test to check for SSL Inspection on any network.

The certificate listed when you hover over the “Certificate (Valid)” message should read (for AIP) a Microsoft CA issued certificate. It should not list your company or proxy service as the issuer. Do not terminate the TLS client-to-service connections (for example, to do packet-level inspection) to the Azure Rights Management service. Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with the Azure Rights Management service.

For network performance, Microsoft also have a list of URLs that they recommend you do not inspect for Office 365 services. This list of endpoints that should not be inspected are those categorised as Optimize or Allowed when you browse Interestingly at the time of writing this lists as Default, which means it can be inspected – I have reported this to the team that manages the endpoint service so that this URL can be moved up in its classification.

Once you bypass SSL Inspection for * you will find that the Office and RMS clients work fine (assuming everything else is enabled correctly of course).