Microsoft 365 on One Page

I often get questions on what features / services are available for different license types in Microsoft 365.

Some questions:

  • What if I only have Office 365 E3?
  • What additional features do I get with Office 365 E5?
  • What are the differences between Enterprise Mobility + Security (EMS) E3 and E5?

Without needing to memorize features available for each, I reference this: (credit goes to Aaron Dinnage for putting it together).

Microsoft 365 One-Page

The image can be downloaded here: M365 On One Page.

Hope this helps those who need to support Microsoft licensing!

New and Easier Way of Managing Office 365 Groups Naming Policy

A while back I wrote a post on Creating Office 365 Groups Naming Policy which includes steps in PowerShell.  You could also find instructions from Microsoft here.

Today, I noticed that creating custom blocked words and group naming policy can be done in Azure Active Directory Portal.

I decided to test it out by creating a few blocked words as well as adding a prefix.

My blocked words: Test, Sample, and DeleteMe.  My Office 365 Group prefix is “Vee_”

Group Naming Policy Azure Portal

I then tried to create an Office 365 Group in Outlook Web, and here’s the result:

Group Naming Prefix and Blocked Word in OWA

Pretty Cool!
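The same policy can be set from PowerShell. This is an added example, not code from the original post. It assumes the AzureADPreview module, an existing Connect-AzureAD session with rights to change directory settings, and the prefix and blocked words used above.

```powershell
# Added example: set the Office 365 Groups naming policy used in this post.
# Assumes: Import-Module AzureADPreview; Connect-AzureAD already done.
$Prefix       = 'Vee_[GroupName]'       # [GroupName] stands for the name the user types
$BlockedWords = 'Test,Sample,DeleteMe'  # comma-separated list

# The tenant has a "Group.Unified" settings object only if group settings
# were customized before; otherwise create one from the template.
$Setting = Get-AzureADDirectorySetting |
    Where-Object DisplayName -eq 'Group.Unified'

if ($Setting) {
    $Setting['PrefixSuffixNamingRequirement'] = $Prefix
    $Setting['CustomBlockedWordsList']        = $BlockedWords
    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
} else {
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object DisplayName -eq 'Group.Unified'
    $Setting  = $Template.CreateDirectorySetting()
    $Setting['PrefixSuffixNamingRequirement'] = $Prefix
    $Setting['CustomBlockedWordsList']        = $BlockedWords
    New-AzureADDirectorySetting -DirectorySetting $Setting
}

# Read the policy back to confirm what is now enforced.
(Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified').Values |
    Where-Object Name -in 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList'
```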

Office 365 Supervision Missing in Outlook on the Web

As companies roll out collaboration tools, they have an important role to play in safeguarding against regulatory violations involving data such as HIPAA or PII, and in protecting their data from inappropriate sharing and breaches of confidentiality.

One of the tools available in Office 365 to monitor and protect your data is Supervision Policy.  Office 365 Supervision Policy is a feature in Security & Compliance which provides administrators with the ability to define policies to capture communications from Exchange Online and Microsoft Teams in your organization.  You can designate reviewers (ex: HR, Legal, or Security team) to review and tag these messages to ensure they’re compliant with your corporate policies.

Microsoft provides step by step instructions on how to configure a supervision policy here.

I want to highlight Step 5 – Test your supervision policy from the instructions above.

I opened my Outlook on the Web as one of the Reviewers using the new Outlook experience.  I could see a new section called “Supervision – <Policy Name>”

I clicked on the message itself, so I could use the Supervisory Review function.  It’s missing!!

New Outlook Supervision Message

I switched back to the “old” Outlook experience, and voila!  The Supervisory Review function was there.

Current Outlook Supervision Message

I hope this helps those who are trying to test out this feature but were not able to do so using the new Outlook experience.

Thanks for reading!

Azure Information Protection – Any Authenticated Users

If you protect your emails and documents with Azure Information Protection, you can configure existing or new labels with Any Authenticated Users; this option is only available when you select Azure (cloud key).  Microsoft confirmed that this feature is generally available (GA).

Keep in mind when you select this option:

  • You don’t mind who views the content, but you want to restrict how it is used. For example, you do not want the content to be edited, copied, or printed.
  • You don’t need to restrict who accesses the content, but you want to be able to track who opens it and potentially, revoke it.
  • You have a requirement that the content must be encrypted at rest and in transit, but it doesn’t require access controls.

The steps to enable this are very simple:

  • Select the label you want to protect
  • Select Protect
  • Be sure to select Azure (cloud key), and select Add permissions
  • Select Add any authenticated users, and select a preset or set custom permissions

Any Authenticated Users

In my testing, I configured one of my labels to use Any Authenticated Users with custom permissions and it worked great!  This is a giant improvement, in my opinion, because previously I could only “whitelist” users or domains if I wanted to set specific permissions.

Thanks for reading!

Office 365 Message Encryption (OME) – Do Not Forward – Not Working as Expected

Today, I completed a demo of Azure Information Protection (AIP) and Office 365 Message Encryption (OME), specifically on the Do Not Forward feature with one of my clients.

My goal was to demonstrate that when a message is protected with OME with Do Not Forward, it cannot be forwarded, printed, or copied.

I created a rule to encrypt messages with OME when sent externally on a specific label.

OMERule1

I started in Outlook client and I could not forward, copy or print the message. Because the message is encrypted, I could not capture the screen to show it here.  Great! Right?

I opened the same e-mail message in Outlook Web App.  Though I was not able to forward or copy, I COULD take a screenshot and print.

OMEScreenshot

Yes, I know users can find ways to share information no matter how it’s locked down like taking pictures with their phones.  I simply want to share another gap I found.

Thanks for reading!

Different Multi-Factor Authentication (MFA) States with Conditional Access

I’ve been working with MFA on my recent projects where the clients want to leverage conditional access.  The objective was to bypass MFA when the users are on the corporate network or on any of the trusted IPs.  Pretty simple. Right?

I create a few Named locations to simplify trusted locations.

I create a conditional access policy with these settings:

  1. Assign to two specific users (initial testing – avoid impact on all users)
  2. Only Exchange Online is selected (once again – initial testing)
  3. Apply to Any location exclude Named locations
  4. Grant access – Require multi-factor authentication

I run through What if to validate the policy.  All is working as expected.

Testing

My two test users set up their MFA methods.

Test user 1: Megan – OneWaySMS (text message) as indicated by MethodType:5

Test user 2: Raul – TwoWayVoiceMobile (phone call) as indicated by MethodType:0

 

Both users are on the same corporate network.  Megan launches OWA – no MFA prompt.  This achieves the objective above.  However, when Raul launches OWA, he is prompted for MFA.

Why does the same conditional access policy apply to Megan but not Raul?

The difference is how a user is enabled for MFA.  Here you can see that Megan’s MFA status is set to disabled while Raul’s is set to enforced.

MFA-Disabled

MFA-Enforced

Enabling and enforcing MFA for users using this traditional method requires users to perform a two-step verification every time they sign in and overrides conditional access policies.

Summary

If you’re trying to bypass MFA while on corporate or a trusted network, let conditional access do the work for you – by prompting users for MFA to access your Office 365 applications when they are outside of your network, instead of enabling and enforcing MFA using the traditional method.
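To find accounts in Raul's situation before rolling the policy out more widely, the per-user MFA state can be listed for the whole tenant. This is an added example, not code from the original post. It assumes the MSOnline module and an existing Connect-MsolService session; the function name and output columns are made up for illustration.

```powershell
# Added example: report users whose per-user MFA state is Enabled or Enforced,
# i.e. users who are prompted for MFA even from a trusted Named location.
# Assumes: MSOnline module installed and Connect-MsolService already run.
function Get-PerUserMfaState {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        # StrongAuthenticationRequirements is empty when per-user MFA is Disabled.
        $state = $User.StrongAuthenticationRequirements |
            ForEach-Object State | Select-Object -First 1
        if (-not $state) { $state = 'Disabled' }

        # Default verification method the user registered, if any.
        $method = $User.StrongAuthenticationMethods |
            Where-Object IsDefault |
            ForEach-Object MethodType | Select-Object -First 1

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            PerUserMfaState   = $state
            DefaultMethod     = $method
            PromptsDespiteCA  = $state -in 'Enabled', 'Enforced'
        }
    }
}

$report = Get-MsolUser -All | Get-PerUserMfaState

# Users like Raul: the conditional access exclusion will not apply to them.
$report | Where-Object PromptsDespiteCA |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize

# Summary by state, to size the cleanup.
$report | Group-Object PerUserMfaState | Select-Object Name, Count

# To hand a user over to conditional access, clear the per-user requirement
# (only after confirming a conditional access policy covers that user):
# Set-MsolUser -UserPrincipalName <upn> -StrongAuthenticationRequirements @()
```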

Thanks for reading!

SharePoint – Quick Edit – Missing Required Columns

Have you ever tried to perform a quick edit on a SharePoint list and gotten the error “Sorry, you can’t create a new item with Quick Edit because this view is missing one or more required columns. To create a new item, please click “New Item” or add required columns to this view.”?

QuickEditMissingRequiredColumn

You checked and indeed, your list contains a required column.

One of the main offenders is the missing “Name” field in the view. I found a method to get rid of this error without needing to add the “Name” field to your view via PowerShell.

Resolution:

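#Load the SharePoint snap-in (not needed inside the SharePoint Management Shell)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Get the site

$Web = Get-SPWeb -Identity "http://<Your Portal>/<Your Site>"

#Get the list that you need to work with – replace "My Custom List" with your list name (in my example the list is called "Assets")

$List = $Web.Lists["My Custom List"]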

#To see the “Name” field

$List.Fields | Select Title, InternalName, Required | Sort Title

#It should look similar to this

RequiredNameField

#Change the field to not required and update

$Field = $List.Fields["Name"]

$Field.Required = $False

$Field.Update($True)

Here’s a screenshot of what worked for me.

SetNameField

That’s it!
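Before changing a field's Required flag, it helps to confirm which required columns the view is actually missing. This is an added example, not code from the original post. It assumes the SharePoint server snap-in and reuses the placeholder site URL and list name from the resolution above.

```powershell
# Added example: list required, editable columns that are not in the default view.
# These are the columns Quick Edit complains about.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Web  = Get-SPWeb -Identity "http://<Your Portal>/<Your Site>"
$List = $Web.Lists["My Custom List"]

# Internal names of the columns shown in the list's default view.
$InView = $List.DefaultView.ViewFields.ToStringCollection()

$List.Fields |
    Where-Object {
        $_.Required -and
        -not $_.Hidden -and
        -not $_.ReadOnlyField -and
        ($InView -notcontains $_.InternalName)
    } |
    Select-Object Title, InternalName, Required |
    Sort-Object Title

$Web.Dispose()
```

Any column it returns can either be added to the view or, as in the resolution above, set to not required.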

Thanks for reading!