Talking about Access Reviews…

Access reviews are a great feature to efficiently manage group memberships, access to enterprise applications, and privileged role assignments. For example, you can perform the following tasks:

  • Evaluate guest user access by reviewing their access to applications and their group memberships, and use that information to decide whether guests should keep their access.
  • Evaluate employee access to applications and group memberships.
  • Collect access review controls into programs that are relevant for your organization to track reviews for compliance or risk-sensitive applications.
  • Evaluate the role assignment of administrative users who are assigned to Azure AD roles such as Global Administrator or Azure subscription roles.

Access reviews are great, aren’t they? The only thing to take into account before enabling them in your tenant is licensing: access reviews are available with the Azure AD Premium P2 edition, which is included in Microsoft Enterprise Mobility + Security E5.


How to backup your Microsoft Authenticator Application

It happened to me: I had configured the Microsoft Authenticator app on my phone and then changed phones, and the experience of recreating all the MFA accounts was simply horrible… but now Microsoft Authenticator lets you back up your multi-factor accounts and recover them.

It works for both personal and work profiles. The only requirement is a Microsoft Account (MSA) to back up the Microsoft Authenticator application, even if you use it from the device’s work profile. Something important: you cannot use a corporate account to back up Microsoft Authenticator.

To enable backup, open the Options menu (the three dots at the top right of the application) and choose Turn on backup, or open Settings and enable the Cloud Backup feature.


It will then automatically use your MSA account.


Keep in mind that once you have enabled backup on one device and then try to enable it on a second one with the same MSA account, you will be asked whether you want to overwrite the existing backup.

O365 Groups Expiration Policy

By default every licensed user in the tenant can create Office 365 groups. It is a great feature, but in a company where everyone can create a group this leads to storage sprawl, information leakage and naming standards not being followed… which is not a great thing.

So it is very important to have a governance plan that defines the process for group creation and maintenance.

In this scenario, a great feature is the policy to block group creation, where the admin can configure who is allowed to create groups. Remember that with this approach you are blocking the creation of O365 groups for all applications; it is not possible to choose which applications are allowed and which are not.

In addition, we can use the group expiration policy, which lets us automatically remove obsolete groups. The policy controls how long groups can exist within a tenant before a group owner must renew the group. As groups expire, Office 365 can automatically remove them from the tenant. The expiration policy applies to all Office 365 Groups, no matter how they are used.

Things to keep in mind:

  • Owners of the group are notified to renew the group as the expiration nears.
  • Any group that is not renewed is deleted.
  • Any Office 365 group that is deleted can be restored within 30 days by the group owners or the administrator.
  • When you first set up expiration, any groups that are older than the expiration interval are set to 30 days until expiration. The first renewal notification email is sent out within a day.
  • Admins need an Azure Active Directory Premium P1 license.
  • Configuring and using the expiration policy for Office 365 groups requires Azure AD Premium licenses for the members of all groups to which the expiration policy is applied.
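
As an added example (not part of the original post), this is how the expiration policy described above can be configured and verified with the AzureAD module, and how you list the deleted groups that are still inside the 30-day restore window. It assumes Connect-AzureAD has already been run with a Global Administrator account; the 180-day lifetime and the notification address are constructed sample values.

```powershell
# Added example, not the original post's code. Assumes Connect-AzureAD was run
# with a Global Administrator account. A tenant has at most one group
# lifecycle (expiration) policy, so create it only if none exists yet.

$policy = Get-AzureADMSGroupLifecyclePolicy
if (-not $policy) {
    $policy = New-AzureADMSGroupLifecyclePolicy `
        -GroupLifetimeInDays 180 `                               # sample lifetime
        -ManagedGroupTypes 'All' `                               # applies to every Office 365 group, as in the post
        -AlternateNotificationEmails 'groups-admin@contoso.com'  # sample address for groups without owners
    Write-Host "Expiration policy created."
} else {
    Write-Host "An expiration policy already exists; showing it."
}

# Verify what is in force: lifetime, scope and fallback notification address.
$policy | Format-List GroupLifetimeInDays, ManagedGroupTypes, AlternateNotificationEmails

# Groups removed by expiration (or by hand) stay restorable for 30 days.
# Review this list regularly so an unrenewed group is not lost for good.
$deleted = Get-AzureADMSDeletedGroup | Select-Object DisplayName, Id
$deleted | Format-Table -AutoSize

# To bring one back within the window (placeholder id, replace with a real one):
# Restore-AzureADMSDeletedDirectoryObject -Id '<deleted-group-object-id>'
```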

That’s all!

O365 Group based license management

In many of the projects I am involved in, group-based license management is a basic part.

Setting up the pilot users, the production groups of users and, of course, defining the license assignment that should be applied to each group.

For smaller tenants with simple requirements license management is not a big deal, but as you can imagine, for larger tenants automation is essential. Scripting can be a good approach, but it can become challenging when complex licensing scenarios appear.

So what can we do in those cases? Use Azure AD group-based license management! It’s a great solution included in our subscriptions, and the only requirement is Azure AD Basic, which is always included.

Ok, sounds great but what about limitations?

  • Nested groups: not supported. If you try to apply a license to a nested group, only the first-level user members of the group will have the licenses applied.
  • Security groups: you can ONLY assign licenses to security groups. Security groups can be synced from on-premises or created directly in Azure AD. You can also go ahead with O365 groups; it is a supported scenario.
  • Inheritance: inherited group licenses cannot be modified directly on a user. Not supported… if you need to change a license for a user, you will need to remove that user from the group.
  • Office 365 Admin Portal: no support for group-based licensing. You will have to administer it through the Azure Portal. Remember, Azure AD is shared between O365 and Azure.
  • Conflicting service plans: some service plans are configured so that they can’t be assigned to the same user as another, related service plan. For example, the E3 product contains service plans that can’t overlap with the plans included in E1, so the group license assignment will fail. To resolve this issue, you need to disable the conflicting features.
  • Dependencies: for example, a licensing group could have a feature enabled that depends on another feature that wasn’t enabled.
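
The conflicting-plan and dependency cases above do not stop the assignment silently: Azure AD records a license error on the group and on each affected user. As an added example (not part of the original post), this MSOnline script surfaces those errors so you can see which groups need their conflicting features disabled. It assumes the MSOnline module is installed; the property names on the user error objects (IndirectLicenseErrors, Error) are the ones documented for that module, so verify them against your module version.

```powershell
# Added example, not the original post's code. Requires the MSOnline module
# (Install-Module -Name MSOnline) and an account that can read users and groups.
Connect-MsolService

# 1. Groups whose license assignment failed for at least one member
#    (typical causes: conflicting service plans, missing dependencies, no licenses left).
$groupsWithErrors = Get-MsolGroup -HasLicenseErrorsOnly $true -All
if (-not $groupsWithErrors) {
    Write-Host "No groups with license assignment errors."
} else {
    foreach ($g in $groupsWithErrors) {
        Write-Host "Group with license errors: $($g.DisplayName) ($($g.ObjectId))"
    }
}

# 2. Users whose inherited (group) license could not be applied, with the
#    reason and the group the license came from. Property names below are
#    the documented ones for MSOnline; adjust if your module version differs.
$usersWithErrors = Get-MsolUser -HasErrorsOnly -All
$report = foreach ($u in $usersWithErrors) {
    foreach ($e in $u.IndirectLicenseErrors) {
        [pscustomobject]@{
            User        = $u.UserPrincipalName
            SourceGroup = $e.ReferencedObjectId   # group the failing assignment comes from
            Error       = $e.Error                # e.g. MutuallyExclusiveViolation, DependencyViolation
        }
    }
}
$report | Sort-Object Error, User | Format-Table -AutoSize
```

A MutuallyExclusiveViolation points at the conflicting-plan case from the list above; a DependencyViolation at the dependency case. Both are fixed on the group’s license assignment in the Azure Portal, not on the individual user.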

That’s all for now!

Office 365 Set mailbox default language

When I have to set up new O365 tenants for a PoC or even for large migrations, it can be convenient to change the default mailbox language settings for all end users. By default each user has to set the language and time zone at first login to OWA in Office 365; if they don’t, you can run into some problems because of this behaviour.

With the following PowerShell command you should be able to change it within a few seconds. Adjust the values to your needs. Note that -ResultSize Unlimited is needed in larger tenants, because Get-Mailbox returns only the first 1000 mailboxes by default.

# Set date format, language (LCID 1027 = Catalan) and time zone on every mailbox, and localize the default folder names
Get-Mailbox -ResultSize Unlimited | Set-MailboxRegionalConfiguration -LocalizeDefaultFolderName:$true -DateFormat "d/M/yyyy" -Language 1027 -TimeZone "W. Europe Standard Time"

You can find the locale ID (LCID) values on the following web page.

That’s all folks!

Understanding App Password in Office 365

Multi-Factor Authentication (MFA) in Office 365 has several advantages. Once you enable MFA, it offers a much higher level of security because users can secure their credentials with a second level of authentication, such as:

  1. Call to phone
  2. Text message to phone
  3. Notification through mobile app
  4. Verification code from mobile app or hardware token

An important concept that is not usually clear to people who are new to Office 365 is the concept of App Password, short for application password.

However, users can run into a problem when a non-browser application, such as Outlook, is used with O365. To accommodate such scenarios, Microsoft offers app passwords, which essentially bypass MFA for non-browser applications. Keep in mind that the app password is tied to the user’s account in the O365 portal, so it cannot be generated outside of O365 because it is stored in Azure.

That’s all for now!

Best Practices for Configuring the Global Admin Account in Office 365

Use the following best practices to secure your Global Admin account in Microsoft Office 365.

  1. For maximum security, use the maximum allowed password length (16 characters) for your Global Admin accounts.
  2. Always create at least one additional Global Admin account as a backup. This account doesn’t need an Office 365 license.
  3. Instead of using the AdminName@YourDomain.com account for the Global Admin account, use the AdminName@YourDomain.onmicrosoft.com account and DO NOT assign any licenses.
  4. Always use a phone number and an Alternative email address for your Global Admin account so it can be used for verification by Microsoft, if there’s a need.
  5. Limit the number of Global Admins in your organization to as few as possible. Two Global Admins are ideal for most small to medium-sized organizations. The rest of the administrators should be assigned a customized administrator role, such as Billing administrator, Dynamics 365 service administrator, Exchange administrator, Password administrator, Skype for Business administrator, Power BI service administrator, Reports reader, Service administrator, SharePoint administrator, or User management administrator. Keep in mind you can assign multiple roles to an individual.
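
As an added example (not part of the original post), the following AzureAD-module script checks an existing tenant against practices 2 to 5: it counts the Global Admins and flags any that are not an onmicrosoft.com account, that have licenses assigned, or that lack an alternative email address or phone number. It assumes Connect-AzureAD has already been run with an account allowed to read directory roles and users; the password-length practice cannot be checked from the directory and is left out.

```powershell
# Added example, not the original post's code. Assumes Connect-AzureAD was run.

# The Global Administrator role shows up as "Company Administrator" in older
# AzureAD module versions and "Global Administrator" in newer ones; match both.
$gaRole = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -in @('Global Administrator', 'Company Administrator') }
if (-not $gaRole) { throw "Global Administrator role not found (role not activated or insufficient rights)." }

# Role members may include service principals; only user accounts are audited here.
$members = Get-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId |
    Where-Object { $_.ObjectType -eq 'User' }

$count = @($members).Count
Write-Host "Global Admin user accounts: $count (practice 2 needs at least 2, practice 5 says keep it as low as possible)"
if ($count -lt 2) { Write-Warning "Only one Global Admin: no backup admin account (practice 2)." }

foreach ($m in $members) {
    $u = Get-AzureADUser -ObjectId $m.ObjectId
    $findings = @()
    # Practice 3: use the tenant's .onmicrosoft.com account, not a custom-domain one
    if ($u.UserPrincipalName -notlike '*.onmicrosoft.com') { $findings += 'UPN is not an onmicrosoft.com account' }
    # Practice 3: no licenses on the admin account
    if (@($u.AssignedLicenses).Count -gt 0) { $findings += 'licenses assigned' }
    # Practice 4: alternative email and phone number for verification by Microsoft
    if (-not $u.OtherMails) { $findings += 'no alternative email address' }
    if (-not ($u.Mobile -or $u.TelephoneNumber)) { $findings += 'no phone number' }

    $status = if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' }
    Write-Host ("{0}: {1}" -f $u.UserPrincipalName, $status)
}
```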

Microsoft Teams How to define Holidays

Microsoft Teams now allows you to define your organization holidays (aka the period your organization is shutting down and won’t be available for business).

This can be linked with any auto attendant you may have configured for voice capabilities.

To start using it and configure your next organization time off, go to the Teams admin portal (https://admin.teams.microsoft.com) and open the Org-wide settings\Holidays configuration blade.

There you will find the New Holiday option. Set the start and end dates between which your organization will be unavailable by using Add new date and setting the dates and times.

If you want to link it with an auto attendant, go to Voice\Auto attendants after you have set your organization holiday, select the auto attendant you want to configure for the holiday period and click Edit.

Finally, go to the auto attendant’s Holiday call settings and click New Holiday.

That’s all, happy teaming!

Enabling OME in EXO

If you need to enable OME in EXO, you can follow the steps below. Note that the AADRM module used here has since been replaced by the AIPService module (Connect-AipService, Enable-AipService, Get-AipServiceConfiguration); the cmdlets below are the ones from the original procedure.

#Connect to the Azure Rights Management service.
$cred = Get-Credential
Get-Command -Module aadrm   # lists the module's cmdlets; confirms the AADRM module is loaded
Connect-AadrmService -Credential $cred

#Activate the service.
Enable-Aadrm

#Get the configuration information needed for message encryption.
$rmsConfig = Get-AadrmConfiguration
$licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl

#Disconnect from the service.
Disconnect-AadrmService

#Create a remote PowerShell session and connect to Exchange Online.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session

#Collect the IRM configuration for Office 365 and add the licensing URL if it is not there yet.
$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
if (!$list) { $list = @() }
if (!$list.Contains($licenseUri)) { $list += $licenseUri }

#Enable message encryption for Office 365.
Set-IRMConfiguration -LicensingLocation $list
Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true

#Enable the Protect button in Outlook on the web (optional).
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true

#Enable server decryption for Outlook on the web, Outlook for iOS, and Outlook for Android.
Set-IRMConfiguration -ClientAccessServerEnabled $true

Finally, run the following command to test the configuration (the -Sender value must be a full SMTP address of a mailbox in your tenant; replace the placeholder):

Test-IRMConfiguration -Sender "YourOffice365AdminAccount@YourTenant.onmicrosoft.com"

O365 PowerShell Module Installs

If you need to configure a new machine to run O365 PowerShell commands, this is your post. You can find similar information in Todd Klindt’s post.

To suppress the warning you get when installing from the PowerShell Gallery, run this:

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

Official Microsoft Modules

Sign-in assistant (needed for MSOL and AzureAD Modules)

Microsoft Online
Original Tenant Directory Management
Prefix: MSOL
Install-Module -Name MSOnline

AzureAD
Newer Tenant Directory Management
Prefix: AzureAD
Install-Module azuread

AzureADPreview
Latest Tenant Directory Management
Prefix: AzureAD
Install-Module -Name AzureADPreview

SharePoint Online
Manage SharePoint sites and related services
Prefix: SPO
Install-Module -Name Microsoft.Online.SharePoint.PowerShell

Teams
Microsoft Teams Management
Prefix: Team
Install-Module MicrosoftTeams

Skype for Business
(No PowerShell module install from Gallery)

Flow and PowerApps
Flow and PowerApps management
Prefix: No Prefix
Install-Module -Name Microsoft.PowerApps.PowerShell
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -AllowClobber
(First module works for user, add the second module for Admin management cmdlets)

3rd Party Installs

SharePoint PnP PowerShell
Essential to manage SharePoint and related technologies
Install-Module SharePointPnPPowerShellOnline

Credential Manager
Used to create and retrieve Windows Stored Credentials
Install-Module credentialmanager

If you only need to update the modules, you can run the Update-Module cmdlet.