How to Block Self-Service Purchases in Microsoft 365

Thursday, November 21, 2019
On October 23, Microsoft announced that they were going to introduce self-service purchase options for Microsoft 365 users on November 19, 2019. Microsoft says this was "due to customer demand," but I don't know a single customer that has EVER asked for this. <snarkymode>It was likely cooked up by someone at Microsoft who thought this would be an excellent way to boost adoption and help make their revenue targets.</snarkymode>

After getting a ton of REAL feedback from customers, Microsoft decided to delay implementation of this change till January 2020 and, more importantly, give tenant administrators a way to turn it off ahead of time. While this opt-out model is welcome, I believe an opt-in model is more appropriate. Organizations should be in control of their corporate data by default.

Fellow MVP Michel de Rooij wrote an article for the ENow ESE Blog explaining how to block self-service purchases. It only takes a few minutes to read and implement. Do it now or spend a lot more time explaining why you didn't do it later.

Recap of Microsoft Ignite 2019

Friday, November 15, 2019
I had a GREAT time at Microsoft Ignite 2019 in Orlando! I hope you were able to attend or at least catch some of the online sessions that were streamed in real-time.

One of the big highlights for me this week was attending the ENow VIP dinner where I sat between Greg Taylor (Exchange Marketing Lead extraordinaire) and Jeffrey Snover (the father of PowerShell).

I was very pleased to see how many people made the trek to Theater 9 to see my two sessions, "Reading SMTP Headers Like a Boss" (please ignore the fact that they got the photo wrong - I have no idea who that is) and "Twenty minutes to a secure environment".

Please read my recap of Microsoft Ignite 2019 on the ENow ESE Blog and learn about some significant improvements coming to Exchange Online.


Come see me at @MSIgnite in Orlando!

Tuesday, October 29, 2019

I'm pleased to be speaking at Microsoft Ignite in Orlando next week. This will be a fabulous conference with lots of fantastic content!

BRK3145: IT burnout - the state of the industry panel (45 minute breakout)
Have you been working non-stop and never taking a break? Do you go on vacation, but still find yourself working? Does your leadership expect you to be available all the time even when you are not on-call? Do you go home, answering email in between all of the family things going on that evening? Are you truly present in all the things you do?
Recently, our team conducted a survey about IT burnout to get a real sense of how IT professionals are functioning and managing their personal well-being. We learned some interesting things that will surprise you, and have some statistics you won't want to miss.  Join me and a panel of MVPs to have a discussion on this tough topic.
Session ID: 78641
When: Tuesday 10:15-11:00am
Where: OCCC W224 F-H

THR3033: Reading SMTP headers like a boss (20 minute theater session)
Learn how to read SMTP headers for fun and profit! In this demo-tastic session, learn how to read SMTP headers to troubleshoot mail flow, SPF, DKIM, and DMARC. Also, see some of the online tools available to analyze headers and turn you into an SMTP rock star.
Session ID: 78655
When: Thursday 11:30-11:50am
Where: The Hub - Theater 9

THR3034: Twenty minutes to a secure environment (20 minute theater session)
Legacy authentication is an attacker's best friend. Learn how to secure your environment using modern authentication in the cloud and hybrid modern authentication for on-premises. Then, learn how to turn off legacy authentication in your Microsoft 365 and Exchange 2019 environments to keep the bad guys out!
Session ID: 78663 
When: Friday 12:05-12:25pm
Where: The Hub - Theater 9

In addition to my sessions you'll find me at the Exchange booth on the expo floor and at various Exchange and identity sessions throughout the week. I hope you'll come to these great sessions and say hi!


Postpone upgrading AAD Connect if you deployed Hybrid Azure AD join

Tuesday, October 8, 2019
Microsoft has reported an issue with Azure AD Connect and Hybrid Azure AD joined devices. They recommend not deploying this version if you have deployed Hybrid AAD join.

We are investigating an incident where some customers are experiencing an issue with existing Hybrid Azure AD joined devices after upgrading to this version of Azure AD Connect. We advise customers who have deployed Hybrid Azure AD join to postpone upgrading to this version until the root cause of these issues are fully understood and mitigated. More information will be provided as soon as possible.

This version has been removed from manual download until their incident investigation is complete. The latest version available now on the website is AAD Connect

Details of the incident are not available, but if you have deployed AADC and are experiencing problems, I recommend completely uninstalling AAD Connect and installing version


The Death of Basic Authentication in Office 365

Tuesday, September 24, 2019
Microsoft posted the article, "Improving Security - Together" where they explain that they will be turning off Basic Authentication in Exchange Online for EWS, Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell on October 13, 2020. That means that only apps that support modern authentication using OAUTH 2 will be able to connect to Exchange Online after that time. There are currently no plans to override this behavior.

I applaud this move, since it greatly improves the security posture for your tenant and Office 365 as a whole. The vast majority of bad actors use Basic authentication (username/password credentials) for their attacks. That said, there are caveats you should be aware of.

Exchange ActiveSync is probably the most heavily utilized protocol in this list. EAS has been shipping with every version of Exchange since Exchange Server 2003. Millions of users across the globe count on it to manage emails from their mobile phones and tablets. Many of these users have moved over to the Outlook mobile apps for iOS and Android, but a very significant number are still using the native email apps on their phones.

Apple started supporting modern auth in iOS 11, so any reasonably up-to-date iOS device should be unaffected by the removal of Basic auth for EAS. Android is a different story. There are so many older devices out there with different Android versions from different vendors, it's hard to say which devices will be affected. Some versions may have native support for OAUTH 2 using the AppAuth for Android library, while some mail apps in the Play Store may have built-in support in the app (Outlook for Android is one example). In the end, you really need to test your apps.

The best way to do that is to set up or reconfigure a mail account on your mobile devices. If you're prompted for modern auth to set up your account, as below, you should be good to go.

OAUTH 2 (Modern Auth) prompt

If you get a Basic authentication prompt within the app, your app probably doesn't support OAUTH 2. Download the Outlook mobile app for iOS or Android, or another email app that supports it.

The POP and IMAP protocols are less often used, but when they are, it's typically for app integration with a line of business app. Examples include help desk ticketing systems, ERP solutions, life-cycle management systems, etc. These apps are usually critical to the business, so anything that affects email connectivity must be carefully planned. Microsoft is planning to add OAuth support to both POP and IMAP in the next few months, but the apps that use these protocols must also be updated to support it. That means software updates for these LOB apps (assuming they will support OAUTH 2), possible additional support costs, contracts, etc. Plan ahead and talk with these vendors now to see how they plan to support OAUTH 2. You may even need to go so far as to change LOB solution providers.
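One way to rehearse the cutoff on a few pilot mailboxes before Microsoft enforces it, using an Exchange Online authentication policy. This is an added example, not part of the original post; the policy name and pilot addresses are placeholders.

```powershell
# Added example, not from the original post. Run in an Exchange Online
# PowerShell session as an Exchange administrator.
# Placeholders (assumptions): the policy name and the pilot mailboxes.
$policyName = 'Pilot - Block Basic Auth'
$pilotUsers = @('pilot1@contoso.example', 'pilot2@contoso.example')

# Stop if modern authentication is off for the tenant: blocking Basic auth
# would then leave the pilot clients with no way to sign in.
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    throw 'Modern authentication is disabled; enable it before piloting.'
}

# A new authentication policy blocks Basic auth for every protocol unless an
# -AllowBasicAuth* switch is passed, so this covers EWS, EAS, POP, IMAP and
# Remote PowerShell (and the remaining protocols as well).
$policy = Get-AuthenticationPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $policy) {
    $policy = New-AuthenticationPolicy -Name $policyName
}

# Confirm the five protocols named in the announcement show as blocked (False).
$policy | Format-List Name, AllowBasicAuthWebServices, AllowBasicAuthActiveSync,
    AllowBasicAuthPop, AllowBasicAuthImap, AllowBasicAuthPowershell

foreach ($user in $pilotUsers) {
    # Assign the policy to the pilot mailbox.
    Set-User -Identity $user -AuthenticationPolicy $policyName
    # Invalidate cached tokens so the policy applies right away instead of
    # after the normal refresh interval.
    Set-User -Identity $user -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# Show which policy each pilot mailbox now carries.
$pilotUsers | ForEach-Object { Get-User -Identity $_ } |
    Select-Object UserPrincipalName, AuthenticationPolicy

# Roll back one user after testing:
# Set-User -Identity 'pilot1@contoso.example' -AuthenticationPolicy $null
```

With the policy in place, set up the pilot users' mail accounts on their devices and LOB apps again: clients that only speak Basic authentication will fail to connect, which identifies them well ahead of the deadline.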


An Overview of Tenant to Tenant Migrations in Office 365

Wednesday, September 18, 2019

Recently I wrote a chapter for the eBook, "Everything you need to know about Tenant to Tenant Migrations" for Practical 365. You can download the eBook for free here.

You can read a quick teaser for that chapter here on the Practical 365 site.


Syncing Email Signatures Across Devices is soon to become a reality!!

Tuesday, September 10, 2019
Will wonders never cease. Just when I was convinced that Outlook UserVoice was the place where all good ideas go to die, I received the following update:

"Thank you to everyone who voted. We’re happy to report that we’re working on sync’ing signatures across devices. More details to come as we have them.


Ricardo, Duncan, Sunder and David on behalf of the Outlook team"

After I posted the article, "Storing email signatures in the Exchange mailbox" on this blog, this UserVoice request became the top voted request on the Outlook UserVoice website by a wide margin, with over 7,915 votes. It has more than twice as many votes as the #2 most voted item. Thank you to all of you who voted!

This new feature will undoubtedly come to Office 365 ProPlus customers first, so if you're hot on seeing it, make sure you're using the latest and greatest version of Outlook. I'll let you know when the new feature lands.
