Microsoft 365 changes regularly; changes are implemented almost on a daily basis, and as an admin responsible for the service you must be aware of which changes are coming to your tenant.
In order to inform administrators, Microsoft uses the Message Center. From within the message center, administrative users are also automatically subscribed to weekly digest and major update emails. Within the message center, messages are categorized in the following categories:
In February this year I blogged about Stopping automatic email forwarding in your Exchange Online environment in a controlled way providing a structural way to disable automatic email forwarding within your organization, while still allowing exceptions.
This week Microsoft announced through the message center (MC220853) that they are rolling out the External Email Forwarding Controls functionality for customers with Office 365 Advanced Threat Protection (ATP) licensed.
Update August 31, 2020: Microsoft has now communicated the following in the message center: For organizations that have some users externally forwarding prior to September 1st 2020 the setting “Automatic” will default to “On” and we will contact you separately when this will change for your tenant. The setting in my own tenant is still set to automatic though; perhaps it will change tomorrow (September 1). I will for sure test whether this has impact.
If your goal is to restrict the usage of Office applications on non-managed devices and only allow Web access in limited mode (as explained in my article: Limit Access to Outlook Web Access, SharePoint Online and OneDrive using Conditional Access App Enforced Restrictions) you might ask yourself if you want the Office applications to be downloadable from the different portals.
You should ask yourself: do I want my users to be able to download the Office Apps on devices on which they have rights to install software, and use Office Apps on those devices, consuming one of the licenses the user has? If not, keep reading.
On August 13th 2020, Alex Simons (Microsoft Identity PM) announced that assigning groups to Azure AD roles is now in public preview. This feature is one of the most requested features to be found in the Azure AD feedback forum.
I have been following this feature request for a while now, and up until recently Microsoft stated that implementing Azure AD role assignment for Azure AD groups wasn’t the issue; the issue was more related to who is able to manage those groups. For example, if enabled, how can we prevent someone with the “User Administrator” role (capable of adding users to groups) from adding someone to the group used to assign Global Administrator rights? When implemented incorrectly, this new “feature” could then introduce a new security risk in your environment.
Assigning groups to Azure AD roles requires an Azure AD Premium P1 license at minimum; for the Privileged Identity Functionality an Azure AD Premium P2 license is needed.
Disclaimer: This post reflects the status of assigning groups to Azure AD roles as of August 20, 2020. Functionality may change, even right after this post has been published.
So, let’s walk through what was announced and see..
In October 2019, Microsoft announced that it would enable end users to buy and manage their own licenses within their corporate account. At that time this “feature” was announced for the Power Platform: PowerApps, Flow (now Power Automate) and Power BI.
After that announcement Microsoft received critical feedback from tenant administrators, and eventually Microsoft allowed tenant administrators to disable this functionality using PowerShell. The self-service feature is enabled by default in every tenant, though.
Last week, on August 12th Microsoft announced that they will expand this functionality and also allow end users to buy Visio and Project licenses in the same way starting September 15th 2020 (at time of writing in less than a month).
In my deep dive article on Office 365 Advanced Threat Protection (ATP) I mentioned that Microsoft provides best practices as described in the following article: “Recommended settings for EOP and Office 365 ATP security”. When implementing the settings in the article you have the option to go for either a “Standard” or a “Strict” security level, and you can check your environment against these best practices using the Office 365 ATP Recommended Configuration Analyzer (ORCA).
After returning from my holiday this year, I noticed a welcome addition to the Threat Management Policy page in the Office 365 Security & Compliance center called “Templated Policies”. For now, the Templated policies section contains one section called “Preset security policies”