Configuration

Update to Create-LabUsers Script

My colleague Andreas asked today for some help troubleshooting an issue he’d run into with the Create-LabUsers script failing while using the InflateMailboxes parameter.

The problem ended up being three-fold:

  • I had some pre-populated user names that had spaces in them
  • I hadn’t trimmed the spaces out when constructing the SMTP address (although I had for the UPN)
  • I didn’t test for a valid RFC sender address when constructing the mail

So, all of those things together conspired to generate errors whenever some of those user names were hit. … [ Continue reading ]

Configuration

Apply Security & Compliance Center Retention Labels to Outlook Folders

I couldn’t really come up with a cool-sounding title for this post, so I just went with the basics of what it does.

Last week, I worked with a customer that wanted to deploy custom retention labels to custom folders inside a user’s mailbox–the idea being that they would create a custom folder structure such as this under a user’s Inbox:

\Inbox
\Inbox\Retention Schedule
\Inbox\Retention Schedule\2 Year (apply a 2-year retention label to everything in this folder)
\Inbox\Retention Schedule\4 Year (apply a 4-year retention label to everything in this folder)
\Inbox\Retention Schedule\7 Year (apply a 7-year retention label to everything in this folder)
\Inbox\Retention Schedule\Forever (apply a ‘Never delete’ retention label to everything in this folder)

Seems easy enough, right? … [ Continue reading ]

Configuration

Exchange Online Protection (EOP) Best Practices and Recommendations

Yes. I said it.

Someone needed to put a line in the sand and today, that person is me.  I’m going to say these are some best practices.

But of course, your mileage may vary, depending on your type of organization (users at a local bank or city government will have different threats presented to them than an engineering firm with international customers, for example). … [ Continue reading ]

Configuration

Update to OneDrive for Business Admin tool

Based on some user feedback, I’ve made the following modifications to the OneDrive for Business Admin Tool:

  • Fixed a reference to the original function name for FolderToDelete
  • Added verbiage referencing the -Confirm parameter when using FolderToDelete parameter
  • Tidied up code indentations to make it more readable

I’ve got some additional feedback that I will incorporate as well (once I figure out how to do it).… [ Continue reading ]

Configuration

Cloud UPNs for AAD Connect users with Alt-ID don’t update after domain verified in tenant

A few weeks ago, I ran into an issue with a customer.  Scenario:

  • Customer had configured alternate-id sign in with AAD Connect (the gist is that it flows on-premises mail to cloud UPN)
  • Synced identity to tenant
  • Tenant did not have any verified domains

As expected, without a matching verified domain in the tenant, UPN suffixes in the tenant were actually set as @tenant.onmicrosoft.com. [ Continue reading ]

Configuration

DLP for Bitcoin Addresses

One of the up-and-coming combination phish-ransom attacks is to trick the mark into thinking that you’ve got access to their data, and then get them to send money to a Bitcoin address to protect them from data leakage.  You can create a DLP rule in the Office 365 Security & Compliance Center (or an Exchange Online transport rule) to try to combat this.… [ Continue reading ]

Configuration

Migrating from Exchange Online eDiscovery and In-Place Hold to the Security & Compliance Center

One of the issues that some of my larger customers have been dealing with is the lack of tooling and planning around moving legacy Exchange Online In-Place eDiscovery & Holds to the new(ish) Security & Compliance Center.  Our direction has been to either let them age out or manually recreate them the Security & Compliance Center.… [ Continue reading ]

Configuration

Alerting on OneDrive Deleted Item Activity

I had a customer recently raise some questions about how to provide further enhancements and protections around their OneDrive for Business deployments.  Suppose this scenario exists:

  • Users are site collection administrators over their OneDrive for Business sites (default configuration)
  • Retention policies are configured, but may only be configured to provide a very minimal amount of data protection (such as 90 days from creation or last modification of data) due to organizational legal compliance
  • No retention policies are in effect for the target data (as all the data we’re concerned with is technically older than 90 day creation or last modified date)
  • Malicious or disgruntled user deletes OneDrive data
    • Deletes data in OneDrive
    • Empties recycle bin
    • Empties second stage recycle bin

At this point, for any data older than 90 days, it is lost.… [ Continue reading ]

Configuration

Migrate-EOPSettings now does ATP!

ATP! ATP!

At long last, I’ve made a first pass at updating the Migrate-EOPSettings script to now include settings for Advanced Threat Protection.  I’ve had several customers moving their instances from commercial EOP to Office 365 GCC, and while my Migrate EOP script would capture just about everything, it came to my attention that we still had configuration to do for ATP. … [ Continue reading ]

Configuration

SharePoint Online and OneDrive for Business Custom Sharing Controls

Today, we’re going to explore two relatively new sharing controls in SharePoint Online (and, by extension, OneDrive for Business).  The two options we’re going to look at are located inside the SharePoint Admin Center (https://<tenant>-admin.sharepoint.com) under Sharing:

Overview

To test both of these functions out (as well as how other users are affected), I’m going to work with 3 test users and two security groups.… [ Continue reading ]