✇Office 365 for IT Pros

Bring Your Own Domain for Microsoft 365 Service Messages

Use a Verified Domain to Send Microsoft 365 Service Messages

Announced as Microsoft 365 message center notification MC531211 (21 March 2023, Microsoft 365 roadmap item 103628) and now rolling out to tenants, organizations can choose one of the verified domains available for their tenant as the domain used for product advisory emails (Microsoft 365 service messages).

Microsoft 365 apps that support the feature include:

  • SharePoint Online
  • OneDrive for Business
  • Office
  • Stream
  • Planner
  • Project
  • Viva Connections
  • Viva Topics
  • Viva Amplify

Microsoft 365 apps use email addresses like no-reply@sharepointonline.com and no-reply@planner.com when they generate informational messages to communicate alerts, events, or digest information to users. For instance, when someone stores a document with a higher-level sensitivity label in a SharePoint Online site, SharePoint generates an email to tell them about the potential problem caused by the label mismatch. Figure 1 shows an example of such a message after selecting the office365itpros.com domain to send service messages.

Figure 1: Using a verified tenant domain to send Microsoft 365 service messages

The messages don’t cover service alerts (when a service has an outage), nor do they cover One Time Passcodes (OTP) generated by sharing actions from OneDrive and SharePoint Online. Sharing notifications continue to use no-reply@notify.microsoft.com to ensure delivery of these emails.

Using a Verified Domain

The steps to select a verified domain for service messages are laid out in the Microsoft documentation. In essence, tenant administrators use the Send email notifications from your domain option in the Organization profile section of Org Settings in the Microsoft 365 admin center to select a username and domain (Figure 2).

Figure 2: Selecting a username and verified domain to use for Microsoft 365 service messages

The domain must be one of the verified domains for the tenant. After saving the new configuration, the Microsoft 365 apps switch to use the selected username and domain instead of their default domains when they send email. Messages are now routed by Exchange Online on behalf of the organization. Just like any of the verified domains used for mail routing, the DNS records for the chosen domain should be configured for SPF, DKIM, and DMARC. This is especially important if email is relayed to Exchange on-premises or an external email service.
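An added example (not from the original article) of checking the SPF, DKIM, and DMARC records for the domain chosen to send service messages. The function name is hypothetical; it assumes a Windows workstation with the Resolve-DnsName cmdlet and that Exchange Online signs with its standard selector1 and selector2 DKIM selectors.

```powershell
# Added example: report the mail-authentication DNS state of a sending domain.
function Test-ServiceMessageDomainDns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Domain   # the verified domain selected in Org Settings
    )

    # Helper: return the TXT strings published at a name (nothing if the name has none)
    function Get-TxtValue([string]$Name) {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
    }

    $Issues = [System.Collections.Generic.List[string]]::new()

    # SPF: exactly one v=spf1 record, and it should authorize Exchange Online
    $Spf = @(Get-TxtValue $Domain | Where-Object { $_ -like 'v=spf1*' })
    if ($Spf.Count -eq 0) { $Issues.Add('No SPF record') }
    if ($Spf.Count -gt 1) { $Issues.Add('Multiple SPF records (receivers treat this as an error)') }
    $SpfIncludesExo = [bool]($Spf -match 'include:spf\.protection\.outlook\.com')
    if ($Spf.Count -gt 0 -and -not $SpfIncludesExo) {
        $Issues.Add('SPF does not include spf.protection.outlook.com')
    }

    # DKIM: both selectors should be CNAMEs pointing at the tenant's signing keys
    $Dkim = @{}
    foreach ($Selector in 'selector1', 'selector2') {
        $Record = Resolve-DnsName -Name "${Selector}._domainkey.${Domain}" -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $Dkim[$Selector] = $Record.NameHost
        if (-not $Record) { $Issues.Add("No DKIM CNAME for $Selector") }
    }

    # DMARC: TXT record at _dmarc.<domain>; the p= tag carries the requested policy
    $Dmarc = @(Get-TxtValue "_dmarc.${Domain}" | Where-Object { $_ -like 'v=DMARC1*' })
    $DmarcPolicy = $null
    if ($Dmarc.Count -eq 0) {
        $Issues.Add('No DMARC record')
    } elseif ($Dmarc[0] -match '(?:^|;)\s*p\s*=\s*(\w+)') {
        $DmarcPolicy = $Matches[1].ToLower()
        if ($DmarcPolicy -eq 'none') { $Issues.Add('DMARC policy is p=none (monitoring only)') }
    } else {
        $Issues.Add('DMARC record has no p= tag')
    }

    [PSCustomObject]@{
        Domain         = $Domain
        SpfRecord      = $Spf -join ' | '
        SpfIncludesExo = $SpfIncludesExo
        DkimSelector1  = $Dkim['selector1']
        DkimSelector2  = $Dkim['selector2']
        DmarcPolicy    = $DmarcPolicy
        Issues         = $Issues -join '; '
    }
}

# Placeholder domain; substitute the verified domain used for service messages
Test-ServiceMessageDomainDns -Domain 'contoso.example' | Format-List
```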

The Username for Service Messages

By default, the username is set to no-reply. The intention of a no-reply address is that users know that replying to the address will result in an undeliverable message. However, it’s possible to change the username to one for a routable address such as a shared mailbox so that users can get a response to questions about why they received a service message. Be careful if you do this because service emails then appear to be like any other email sent by the chosen address. Figure 3 shows an example of a message sent by SharePoint Online to report updates to documents in a site. The message appears to come from a shared mailbox because that’s what matches the configured address for service messages.

Figure 3: A service message from a shared mailbox

Not External Messages

Because the tenant’s instance of Exchange Online routes the service messages, they are now internal rather than external and therefore will not be tagged with the external indicator. In some respects, this is a major advantage of choosing to use a verified domain as users might better accept the content of the messages if they don’t come from an external source. The downside is that users might need to adjust inbox rules to process service messages correctly.

If you use a mail flow rule to protect administrator accounts from external email, remember to update the rule to deal with messages from your chosen domain.

Not a Change to Worry Too Much About

After using this option for a couple of weeks, I don’t see any great downside to using a verified domain to send Microsoft 365 service messages. Something might have slipped my attention (and if so, I’d like to know), but overall I think this is a good change that all tenants should consider.



✇Office 365 for IT Pros

Microsoft Enforces New License Rules for Teams Room Devices

Teams Room Devices Need Proper Licenses by July 1, 2023

Teams Rooms Devices for All (source: Microsoft)

On March 24, Microsoft announced a major change in the licensing regime for Teams Rooms devices. In a nutshell, Microsoft wants to stop tenants assigning user subscription licenses (like Office 365 E3 or Microsoft 365 E5) to certified Teams Rooms systems like a Surface Hub. Instead, they will require tenants to assign a Teams Rooms Basic or Teams Rooms Pro license to each device (details of the licenses are available here).

In fact, you don’t assign licenses to a Teams Rooms device. Instead, you assign the license to the Exchange Online room mailbox that manages the calendar for the device. An Exchange Online room mailbox comes with an Azure AD account that holds the license.

Microsoft says that after July 1, 2023, tenants cannot assign user subscription licenses to Teams Rooms devices. More importantly, Microsoft will block sign-ins from devices with user subscription licenses until the devices receive a Teams Rooms license.

License Types

Small organizations can rely on the Basic (no cost) license. The basic license covers “core meeting experiences” meaning that the device can schedule and join meetings and share content and whiteboarding during meetings. However, Microsoft limits these licenses to 25 Teams Rooms devices per tenant and doesn’t allow tenants to assign basic licenses to Teams panels, which require Teams Rooms Pro or Teams Shared Device licenses.

After a tenant operates more than 25 Teams Rooms devices, they must buy Pro licenses (each costing $480 for the annual subscription). If you’ve assigned user subscription licenses to Teams Rooms devices in the past, this is roughly equivalent to the annual cost of an Office 365 E5 license. The extra cost pays for “enhanced in-room meeting experiences” like better audio and video and “advanced management” like remote device management. For more details about the functionality enabled by Teams Pro licenses, see Microsoft’s comparison.

Using PowerShell to Find Licensed Room Mailboxes

The process of switching from user subscription licenses involves finding devices with those licenses, removing the licenses, and assigning a new license. To help, Microsoft created a script using Microsoft Graph PowerShell SDK cmdlets to examine and report the licenses assigned to the accounts used by room mailboxes.

Microsoft’s script uses this code to find the room mailboxes.

$Room_UPNs = get-mailbox | Where-Object { $_.recipientTypeDetails -eq "roomMailbox" } | Select-Object DisplayName, PrimarySmtpAddress, ExternalDirectoryObjectId

It’s a good example of code that works perfectly in a test environment but will be horribly slow in production. First, the code uses the old Get-Mailbox cmdlet to find mailboxes. Second, it uses a client-side filter to extract room mailboxes from the set of mailboxes. That set could be tens of thousands, so deriving the set of room mailboxes will be very slow. This version is better:

[array]$Room_UPNs = Get-ExoMailbox -Filter {recipientTypeDetails -eq "RoomMailbox" } | Select-Object DisplayName, PrimarySmtpAddress, ExternalDirectoryObjectId

Apart from using Get-ExoMailbox to fetch mailboxes and taking advantage of the much better performance of the new REST-based cmdlets together with their ability to survive transient network failures, the code uses a server-side filter to force Exchange Online to do the heavy lifting of finding room mailboxes and only transmitting their details to the client. The golden rule is that any time the Get-ExoMailbox cmdlet needs to filter objects, use a server-side filter.

Oddly, the original code doesn’t declare the variable to receive the result of Get-Mailbox to be an array and ends up reporting the count of room mailboxes using the Length rather than the Count property. Another golden rule is to always declare an array to receive results from cmdlets that return PowerShell objects as it makes it much easier to check the returned values.
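An added example (not Microsoft's script and not from the original article) that applies both golden rules and goes on to report the licenses held by each room mailbox account. It assumes the ExchangeOnlineManagement and Microsoft Graph PowerShell SDK modules are installed, and the wildcard used to recognize Teams Rooms SKUs is an assumption to confirm against Get-MgSubscribedSku in your tenant.

```powershell
# Added example: find room mailboxes with a server-side filter and report their licenses.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes User.Read.All

# Server-side filter; -ResultSize Unlimited avoids the default cap of 1,000 objects
[array]$Rooms = Get-ExoMailbox -Filter "RecipientTypeDetails -eq 'RoomMailbox'" -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, ExternalDirectoryObjectId
Write-Host ("Found {0} room mailboxes" -f $Rooms.Count)

$Report = foreach ($Room in $Rooms) {
    # The license is held by the Azure AD account behind the room mailbox
    [array]$Skus = Get-MgUserLicenseDetail -UserId $Room.ExternalDirectoryObjectId |
        Select-Object -ExpandProperty SkuPartNumber

    # Assumption: Teams Rooms SKU part numbers contain "Teams_Rooms".
    # Check the exact names with: Get-MgSubscribedSku | Select-Object SkuPartNumber
    if ($Skus.Count -eq 0) {
        $Status = 'Unlicensed'
    } elseif ($Skus -like '*Teams_Rooms*') {
        $Status = 'Teams Rooms license'
    } else {
        $Status = 'Other license: review before July 1, 2023'
    }

    [PSCustomObject]@{
        Room     = $Room.DisplayName
        Address  = $Room.PrimarySmtpAddress
        Licenses = $Skus -join ', '
        Status   = $Status
    }
}

# Accounts needing attention first
$Report | Sort-Object Status, Room | Format-Table -AutoSize
```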

Always Best to Be Efficient

A case exists that this script is a one-time operation that doesn’t need to be ultra-efficient. That might be so, but it’s nice when a few tweaks make the code run much faster, especially for large tenants that are likely to have many Teams Rooms devices that might need a license check.

✇Office 365 for IT Pros

Azure AD Admin Center Moves to Microsoft Entra Admin Center

Example of Ongoing Changes in Microsoft 365

I guess we all knew it was coming (after all, Microsoft published message center notification MC477013 in December 2022), but the news that the Microsoft Entra admin center (Figure 1) will replace the Azure AD admin center from April 1, 2023 is yet another example of the ongoing and constant changes in Microsoft 365. Those changes range from a massive introduction of fundamental new functionality, like Microsoft 365 Copilot, to a small update to how something appears.

Figure 1: The Microsoft Entra admin center – one of the many changes in Microsoft 365

In this instance, Microsoft portrays the replacement of the Azure AD admin center as a unification of its identity management platform (Azure AD) with its identity and access solutions. Another way of looking at the move is that it allows Microsoft to bring those identity and access solutions to the attention of some organizations who wouldn’t otherwise consider them. Every time you open the Entra admin center, identity governance and other solutions will be there to discover. To be fair to Microsoft, if you access Azure AD from the Microsoft 365 admin center, the link goes direct to the Azure AD section of the Entra admin center.

Microsoft says that the old Azure AD admin center will continue to function until May 2023. Azure customers who don’t use Microsoft 365 can manage Azure AD through the Azure portal.

Many Rebranding Campaigns

Microsoft is well known for its love of rebranding campaigns. Microsoft 365 has steadily embraced a huge ecosystem, including the subscription version of the Office apps, and we’ll probably have to rename the next version of the Office 365 for IT Pros eBook to use Microsoft 365 instead. Microsoft Purview is another example, albeit one that at least collected together a bunch of different compliance solutions under a common banner. Defender did the same for security solutions, and so on.

Sometimes, Microsoft makes changes for what appears to be no good reason. Take the announcement in MC532194 (March 23) that Teams now uses an “EA” indicator instead of “P” when users run the preview version of the software. I’m still wondering why “Early Access” is any better than “Preview.” The change appears to deliver zero added value except that it aligns with the nomenclature Microsoft uses in places like the Office Insider program. From my perspective, the change meant that we needed to update Chapter 15 in the Office 365 for IT Pros eBook and our article about Teams preview.

Naming Changes Affect the Wider Technical Community

Microsoft makes naming changes for its own reasons. I doubt that they take the wider community into consideration when they decide on these updates but the effect of a naming change or rebrand ripples through documentation and training. For instance, video training companies that have a program telling people how to use the Azure AD admin center must now update their collateral and perhaps even reshoot some or all of their video. That’s a big cost for the production company.

The same is true for books that cover Azure AD or any of the other topics affected by naming or branding changes. Switching references from the Azure AD admin center to the Entra admin center isn’t quite as simple as doing a search and replace. Microsoft often takes the opportunity to rename options in administrative consoles when they change things. Data lifecycle management is now the place in the Purview compliance portal that was once known as the location for the management of retention labels and policies. The justification is that the section of the portal now spans additional options such as adaptive scopes, policy lookup, and legacy Exchange mailbox retention policies and tags (both of which are still very useful).

Changes in Microsoft 365 Will Keep on Happening

I don’t expect Microsoft to poll the technical community before they change the name of anything inside Microsoft 365. It won’t happen and would be unreasonable. Microsoft will continue to make changes how and when they like, even if the outcome displeases some. Their decision to stop accepting inbound email from old and vulnerable on-premises Exchange servers to protect Exchange Online is a good example of a change that inflamed many opinions. However, we don’t get to vote.

Content producers like Office 365 for IT Pros simply need to be proactive and respond to Microsoft changes the best way we can. In that respect, being able to publish a complete new book every month is a major advantage, even if it takes a lot of hard work. Now back to the task of looking for all those references to the Azure AD admin center – a change that we’ll probably make in the May 2023 update.

✇Office 365 for IT Pros

SharePoint Online Gets Closer to Azure AD

Azure AD B2B Collaboration and Guest Accounts for SharePoint Sharing

Two recent message center notifications highlight closer integration between SharePoint Online and Azure AD. MC526130 (11 March) says that new tenants created after March 31, 2023 will automatically enable the SharePoint Online integration with Azure B2B integration. Existing tenants aren’t impacted by this change. The associated update, also scheduled for roll-out in late March, is MC525663 (10 March). The news here is that SharePoint Online site sharing will use the Azure B2B Invitation manager instead of the legacy SharePoint Invitation Manager (Microsoft 365 roadmap item 117557).

Rationalization Around Azure AD

The two updates rationalize existing sharing methods with external users and focus on Azure AD as the driving force for managing invitations. The journey toward Azure AD B2B Collaboration started in 2021, so it’s been a while coming. The project makes a lot of sense for both customers and Microsoft (their gain is through reduced engineering expenses).

Ten years ago, it was reasonable for SharePoint to manage site sharing invitations. Today, when the site collection-based architecture is replaced by single-sites and most sharing occurs through Microsoft 365 groups and Teams, it’s illogical for SharePoint Online to have its own mechanism. 280 million monthly active Teams users create a lot of work for SharePoint.

Another factor is that site sharing with external users is a relatively uncommon action today. Most external users join groups or teams and gain access to the group-connected site. Although non-group connected sites do exist, they’re in the minority and some of those sites (like hub and communication sites) aren’t candidates for sharing with external people. And of course, even site owners might be blocked from sharing sites by a sensitivity label.

Time to Review Applicable Policies

Overall, I don’t think the change will disrupt many organizations. As Microsoft notes “You may want to review your Azure B2B Invitation Manager policies.” Two policies are worthy of note. The first is the Azure B2B Collaboration policy, which includes an allow or deny list (but not both) of domains.

The policy is now found under Collaboration restrictions in the External Identities section of the Azure AD admin center (Figure 1). It is commonly used to block sharing with consumer domains (deny list) or to restrict collaboration to a set of known domains belonging to partner organizations (allow list). If the organization already supports guest accounts, it’s likely that the collaboration policy already exists. Even so, changes like this are useful reminders of the need for regular review of any policy that affects how external people access tenant resources.

Figure 1: Azure AD B2B Collaboration policy settings

Azure AD cross-tenant access policies are a more powerful and flexible mechanism to control external access through both Azure B2B collaboration and Azure AD direct connect (used for Teams shared channels). Cross-tenant access policies are still relatively new and don’t need to be implemented unless required for a specific reason, so your tenant might not use them yet.

Although the Azure AD B2B Collaboration policy is likely to dominate for the immediate future, over time, I expect a slow transition to take advantage of the granular control available in cross-tenant access policies. When an organization changes over, SharePoint Online will take advantage. Leveraging advances made in Azure AD is an excellent reason for SharePoint Online to embrace Azure AD more fully.

Review Guest Accounts Too

Azure AD B2B collaboration works but that doesn’t mean that you don’t need to manage guest accounts. As more sharing happens, more guest accounts end up in your Azure AD. Some guest accounts are used once to share a document. Others are in ongoing use as guest members of groups and teams access shared documents. It’s a good idea to keep an eye on guest accounts and remove them as they become obsolete.



✇Office 365 for IT Pros

Teams Enhances Audio For Meetings

Spatial Audio and Howling Detection Sound Interesting

Updated 13 April 2023

I’m no audiophile but I am interested in the changes in Microsoft Teams meetings to make the sound better for participants. Take the splendidly-named “ultrasound howling detection” feature (MC514081, February 10, Microsoft 365 roadmap item 92391) available for Windows and Mac desktop clients. In a nutshell, if multiple people (each with their own workstation) who are in the same physical room join a meeting, Teams allows the first person to join as normal and then advises the others that someone using a Teams device is nearby and is already in the meeting with an audio feed. To avoid a feedback loop (echo), Teams mutes the microphones and speakers of those users. If the muted participants want to, they can unmute their microphones and speakers (maybe after connecting headsets) or listen to the existing audio.

It’s a neat feature that is rolling out to commercial and GCC tenants. GCC-High and DoD tenants will see it in May.

Spatial Audio

Another interesting idea is spatial audio in Teams meetings (Microsoft 365 roadmap item 107783). According to Sonos, spatial audio “is an immersive, three-dimensional listening experience. Using multiple channels projecting outwards from each speaker, it can place individual sounds (or “objects”) with greater precision and variety than traditional stereo sound.” Sounds good.

Although the feature is still a while away (according to MC540153, targeted release clients should see it at the end of April 2023 with roll-out to standard release tenants due to finish by mid-June), Microsoft has published some documentation to put the feature into context. When users enable spatial audio for a Teams meeting, users will “hear their [other meeting participants] voices coming from their relative positions on the meeting screen.”

Conferencing provider Bluejeans figure that spatial audio helps participants minimize meeting fatigue, an assertion backed up by Forbes. The problem with claims like this is that they are highly subjective. I suspect that individuals will find different levels of benefits depending on the type, length, and content of meetings you attend. Plus the ability of people in the meeting to keep it interesting and worthwhile. If things get too boring, it might be possible to turn on an avatar (due to be available in May 2023) and tune out for a while.

To make the magic happen, you enable spatial audio before a meeting through the Devices section of Teams settings (Figure 1). Alternatively, you can enable it for a suitable device during a meeting.

Figure 1: The setting to enable Teams spatial audio

You can opt for spatial audio only if the selected device meets the requirements of being USB-wired stereo headphones or speakers or the workstation’s built-in stereo speakers. Stereo (to highlight audio from individual speakers) and not Bluetooth are the key words here. It’s kind of disappointing that I can’t use my Microsoft Surface 2 headphones.

Meetings must run in gallery view rather than together mode. The reason here is that the feature attempts to figure out the relative position of the speaker from you and that isn’t possible when participants are framed in a special view. Another thing to pay attention to is that spatial audio consumes system resources. Teams will throttle back on spatial audio if it detects that the system comes under strain. Throttling is automatic and you can’t control it. The same is true for other features (like noise suppression) that process video or audio feeds for Teams meetings.

Making Better Meetings

There’s no guarantee that either feature will create better Teams meetings. Even spatial audio won’t improve what people say, but they will sound clearer and more distinct which can’t be a bad thing. That is, unless you do want to drift off to sleep.



✇Office 365 for IT Pros

Pragmatic and Practical Security is Better than Hard-line Security

An Unreasonable Azure AD Sign-in Frequency Creates a Barrier to Productivity

I had an unpleasant surprise this week when the security team for one of the companies where I have a guest account decided to improve tenant security. I strongly support any effort to improve tenant security, especially when the effort means better use of multi-factor authentication. It’s a topic I’ll cover during the TEC Europe 2023 tour in London, Paris, and Frankfurt in April. Registration for those events is now open.

It’s always important to take a pragmatic and practical view of security and not to implement anything that has a significant impact on user productivity. All change can impact users, but most of the time people learn to live with change and it’s not disruptive. Unfortunately, deciding to increase the user sign-in frequency for Azure AD accounts can be extraordinarily disruptive if you go too far.

Azure AD sign-in frequency is the period before a user must sign in again when attempting to access a resource, like opening a SharePoint Online document, creating a message with OWA, or accessing a Teams channel. By default, Azure AD uses a rolling 90-day window for its sign-in frequency. In other words, once you successfully sign into a tenant, Azure AD won’t ask you to sign in again for another 90 days.

Revoking User Account Access

Ninety days sounds like a long time, and it is. But this period needs to be viewed through the prism of how Azure AD and Microsoft 365 applications work. For example, in early 2022, Microsoft enabled Continuous Access Evaluation (CAE) for all tenants. CAE is a mechanism that allows Azure AD to notify applications of a critical change in the directory, such as an updated password. Applications that understand CAE, like SharePoint Online, revoke existing access for the account to require the user to reauthenticate.

The Microsoft 365 admin center also includes an option to sign users out of all current sessions (Figure 1) to force them to reauthenticate.

Figure 1: Forcing a user to sign out and reauthenticate

Of course, you might want to do more than sign a user out. In some cases, like employee departures, you might want to block future sign-ins. This is an operation that’s easily scripted with PowerShell. For example, this code:

  • Retrieves the identifier for an Azure AD user account.
  • Disables the account.
  • Sets a new password.
  • Revokes all refresh tokens.

$UserId = (Get-MgUser -UserId "Lotte.Vettler@Office365itpros.com").Id
# Disable the account
Update-MgUser -UserId $UserId -AccountEnabled:$False
# Set a new password
$NewPassword = @{}
$NewPassword["Password"]= "!DoneAndDusted?"
$NewPassword["ForceChangePasswordNextSignIn"] = $True
# Keep the account disabled while the password is reset
Update-MgUser -UserId $UserId -PasswordProfile $NewPassword -AccountEnabled:$False
# Revoke refresh tokens
$Status = Invoke-MgInvalidateUserRefreshToken -UserId $UserId

It might take a little time for the full block to be effective because tokens must expire, and clients recognize the need for reauthentication, but it will happen.

How Conditional Access Can Make Guest Accounts Miserable

The reason I had a problem was that the security team updated the conditional access policies for guest users to enforce a 60-minute sign-in frequency (Figure 2). This change had a horrible effect. Guests switching to the tenant with Teams inevitably resulted in an MFA challenge. Opening a document stored in SharePoint Online or OneDrive for Business in that tenant brought an MFA challenge. My day was filled with MFA challenges, except when sending email to people in the tenant to complain about the new policy. Email isn’t affected by conditional access policies.

Figure 2: Setting the sign-in frequency in an Azure AD conditional access policy

As Microsoft notes in their documentation, “Based on customer feedback, sign-in frequency will apply for MFA as well.” They understate the matter. Sign-in frequency does apply for MFA too.

I understand the motivation on the part of the security team. Forcing people to reauthenticate before they can access resources is a good thing. Using MFA is a good thing. Forcing MFA challenges every hour must be a brilliant change to make.

Only it isn’t. As an external person working with another company, the change made my productivity much worse, and I doubt that it added one iota to the overall security effectiveness of the tenant. The tenant did not use number matching and additional context for MFA challenges, so the constant MFA challenges were a great example of how user fatigue creeps in as I clicked and clicked again to say “yes, it’s me.” System-preferred authentication wasn’t used either, so while I used the Authenticator app, other guests might use relatively insecure SMS challenge/response.

Overall, the change made it unpleasant to work with the tenant and that’s bad. A one-hour sign-in frequency is just too rigid and strict. I don’t know of any other tenant (where I am a guest) that uses such a short frequency. Most tenants I know of use the 90-day default. Some use 7 days. The most security-conscious (before now) uses a 1-day frequency.
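An added example (not from the original article) that lists the conditional access policies in a tenant that set a sign-in frequency, and flags those that apply to guests with a short interval like the 60-minute setting described above. The 24-hour threshold is an assumption for illustration; it relies on the Microsoft Graph PowerShell SDK and the Policy.Read.All permission.

```powershell
# Added example: audit conditional access policies for aggressive sign-in frequency settings.
Connect-MgGraph -Scopes Policy.Read.All

$MinimumHours = 24   # assumption: flag any interval shorter than one day

[array]$Policies = Get-MgIdentityConditionalAccessPolicy -All
$Report = foreach ($Policy in $Policies) {
    $Sif = $Policy.SessionControls.SignInFrequency
    if (-not $Sif.IsEnabled) { continue }   # policy does not control sign-in frequency

    # Normalize the interval to hours; "everyTime" means reauthenticate on every access
    if ($Sif.FrequencyInterval -eq 'everyTime') {
        $Hours = 0
    } elseif ($Sif.Type -eq 'days') {
        $Hours = $Sif.Value * 24
    } else {
        $Hours = $Sif.Value
    }

    # A policy reaches guests if it targets all users or guests/external users explicitly
    $Users = $Policy.Conditions.Users
    $TargetsGuests = ($Users.IncludeUsers -contains 'All') -or
                     ($Users.IncludeUsers -contains 'GuestsOrExternalUsers') -or
                     ($null -ne $Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes)

    [PSCustomObject]@{
        Policy        = $Policy.DisplayName
        State         = $Policy.State          # enabled, disabled, or report-only
        IntervalHours = $Hours
        TargetsGuests = $TargetsGuests
        Review        = ($TargetsGuests -and $Hours -lt $MinimumHours)
    }
}

$Report | Sort-Object IntervalHours | Format-Table -AutoSize
```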

No Best Answer for All Tenants

In truth, I don’t know the best user sign-in frequency to use for either tenant or guest accounts. It all depends on the security posture that an organization wants to assume. But I can say that most tenants would be better off making sure that all accounts use MFA and eliminating the use of the less secure authentication methods before reducing the sign-in frequency. If you’re concerned about guest hygiene (in this case, how secure a guest account is), have a different and more restrictive conditional access policy for guest access while remembering the need to get work done through Azure B2B collaboration. And review guest accounts annually to remove unwanted and obsolete crud.
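An added example (not from the original article) of the guest account review recommended here and in the SharePoint Online article above: it reports guests that have not signed in for a year, along with how many groups and teams they still belong to. The 365-day threshold is an assumption matching the annual review, and the sign-in activity property requires Azure AD Premium licensing.

```powershell
# Added example: report guest accounts that look obsolete.
Connect-MgGraph -Scopes User.Read.All, GroupMember.Read.All, AuditLog.Read.All

$StaleAfterDays = 365                 # assumption: matches an annual review
$Now = [datetime]::UtcNow

# Server-side filter for guests; SignInActivity must be requested explicitly
[array]$Guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime, SignInActivity

$Report = foreach ($Guest in $Guests) {
    $LastSignIn = $Guest.SignInActivity.LastSignInDateTime

    # Guests that never signed in are aged from their creation date
    $Reference = if ($LastSignIn) { $LastSignIn } else { $Guest.CreatedDateTime }
    if (-not $Reference) { continue }   # no date available to judge the account
    $IdleDays = [int]($Now - $Reference.ToUniversalTime()).TotalDays
    if ($IdleDays -lt $StaleAfterDays) { continue }

    # Memberships separate one-off sharing guests from guests still in groups and teams
    [array]$Memberships = Get-MgUserMemberOf -UserId $Guest.Id -All

    [PSCustomObject]@{
        Guest       = $Guest.DisplayName
        Mail        = $Guest.Mail
        Created     = $Guest.CreatedDateTime
        LastSignIn  = if ($LastSignIn) { $LastSignIn } else { 'Never' }
        IdleDays    = $IdleDays
        Memberships = $Memberships.Count
    }
}

# Longest-idle guests with no memberships are the first candidates for removal
$Report | Sort-Object Memberships, @{ Expression = 'IdleDays'; Descending = $true } |
    Format-Table -AutoSize
```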

To me, bringing users along on the journey to better security is a better tactic than ramming heightened security down their throats. It’s always been that way.



✇Office 365 for IT Pros

Teams Admin Center Options for Bulk Policy Assignments

Multiple Ways to Make Teams Bulk Policy Assignments

It’s amazing what slips by in the torrent of changes that occur within Microsoft 365. Message center notification MC397476 (last updated 27 July 2022, Microsoft 365 roadmap item 90705) is an example. This is the unassign policies from users in bulk feature that completed roll-out in August 2022.

Revert User Accounts to the Global Policy (Bulk Unassignment)

The idea is simple. Over time, it’s possible that the Teams policies assigned to users become less appropriate. It’s a pain to select user accounts individually to update policy assignments, so this is a method to reset accounts back to the global tenant policy for the following policy types:

To use the bulk unassign policy feature, go to the Users section of the Teams admin center. The Unassign policies in bulk option is in the top right-hand corner in the Actions drop-down menu. Select the policy type to work with and the Teams admin center displays the set of policies of that type (Figure 1). The greyed-out policies are default policies that don’t currently have any assigned users.

Figure 1: Teams bulk policy unassignment option

When you select a policy, Teams loads information about the assigned accounts. Click the Unassign button and confirm the action. Teams doesn’t tell you which accounts it processes, just the number of accounts that it successfully reverts to the default (Global) policy for the policy type. Bulk policy unassignments are supported for up to 500 accounts at a time.

Using View Users to Perform Teams Bulk Policy Assignments

Nice as it is to be able to remove (unassign) a non-default policy from a bunch of accounts, the Teams admin center includes what might be a better way to reassign policies (including to revert to the Global policy). MC445744 (13 October 2022, Microsoft 365 roadmap item 97253) covers the change made to allow administrators to view the users and groups covered by a policy.

Many of the major policies managed through the Teams admin center include the Assigned to users and Assigned to groups columns when they list policies (Figure 2).

Figure 2: The Teams admin center option to view users and groups assigned policies

The links in the columns reveal the set of users assigned the selected policy (Figure 3).

Figure 3: Selecting users for a bulk policy edit

Select the Edit settings option and you can edit the policies assigned to the set of selected users, just like you’d update policies for an individual user or a set of selected users. Direct policy assignments to accounts like this take precedence over group policy assignments.

Other Ways to Process Teams Bulk Policy Assignments

Apart from the options available in the Teams admin center, the other ways to perform Teams bulk policy assignments include:

Of course, you can also use PowerShell to find a set of accounts based on some criteria and perform policy assignments on that basis. Here’s an example of assigning a Teams feedback policy (PowerShell is the only way to manage feedback policies) to a set of user accounts based on their department:

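# Connect to the Graph to find the accounts and to Teams to assign the policy
Connect-MgGraph -Scopes User.Read.All
Connect-MicrosoftTeams
# -All fetches every matching account instead of only the first page of results
[array]$Users = Get-MgUser -All -Filter "department eq 'IT' and UserType eq 'Member'" | Select-Object UserPrincipalName, DisplayName
ForEach ($User in $Users) {
  Write-Host ("Assigning the feedback policy to {0}" -f $User.DisplayName)
  Grant-CsTeamsFeedbackPolicy -Identity $User.UserPrincipalName -PolicyName "Tenant Bar Feedback Policy"
}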

Keep Tracking Change

So much ongoing change happens within the Microsoft 365 ecosystem that it’s impossible to keep up to date with everything. Reviewing older message center notifications (we synchronize message center notifications to a Planner plan) is a good way to catch changes that you missed first time round. After all, no one is perfect.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

✇Office 365 for IT Pros

How Exchange Online and Outlook use Machine Learning

Intelligent Technology Depends on Machine Learning Access to User Data

Some years ago, I wrote about how Outlook uses machine learning to predict words to insert in messages. This was an early example of machine learning in Outlook. Text prediction is common practice today and we almost expect applications to include machine learning to help us compose notes, documents, and responses. Given the introduction of ChatGPT and Bing’s AI Bot, some worry about the prospect of increasing amounts of machine-generated text and its effect on human creativeness. It’s definitely a story to follow.

Over the last few years, Microsoft has steadily increased the use of “intelligent technology” in Outlook. Currently, the features range from birthday detection to text predictions to suggested replies, all controlled through OWA settings (Figure 1). Regrettably, the Set-MailboxMessageConfiguration cmdlet doesn’t currently support updating these settings for a mailbox.

Figure 1: OWA options for intelligent features

The combination of Microsoft Research and product engineering groups has driven the introduction of intelligent technology in OWA. For example, Outlook’s suggested replies feature is underpinned by the Azure Machine Learning Service.

Outlook Desktop Lags in Intelligence

Outlook desktop clients receive the intelligent technology features after OWA. This lag has always existed, but at least we can respond to email with an emoji. Oddly, there have been a few recent reports of Outlook for Windows failing to display the “show text predictions while typing” setting in its options (here’s an example). I don’t see the setting on one PC and do on another, both of which run the same build of Outlook click to run. I even updated the system registry at HKCU\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings to set the InlineTextPrediction DWORD value to 1 to enable text predictions with no effect.

Microsoft Processing of User Data

One thing that people get worried about is the notion that Microsoft “reads” their email to create suggested replies and to build models for text predictions. It’s true that Microsoft processes email to create the suggestions and predictions used by Outlook, but the important thing is that the data used by the learning models constructed to help machine learning understand how individual users work with text remain in user mailboxes. Microsoft doesn’t gather information from the 380-odd million active Office 365 users to improve its detection algorithms. The general foundation for the models comes from public data (and I imagine, messages circulating within Microsoft), but the tweaks to make those models personal remain private to the user.

In its user documentation for suggested replies, Microsoft says that “Suggested replies are generated by a computer algorithm and use natural language processing and machine learning technologies to provide response options.” It also says that “Outlook uses a machine learning model to continually improve the accuracy of the suggestions. This model runs on the same servers as your mailbox within your organization. No message content is transmitted or stored outside of your organization.”

These statements don’t mean that the machine learning code runs on 300K Exchange Online mailbox servers. Instead, Microsoft uses a concept called Privacy Preserving Machine Learning (PPML) to transfer data to specialized AI computers in the Microsoft cloud. After processing, Microsoft erases the source information from the AI computers and background agents update mailboxes with user-specific results. It is this information that Outlook consumes locally when dealing with messages.

Email is worldwide, but the structures and syntax used by different languages mean that Microsoft’s machine learning processing is limited to certain languages. For instance, at the time of writing, suggested replies are available in only 22 languages.

I’ve heard (but can cite no public evidence) that AI processing occurs on a tenant basis to allow some consolidation of generic results at the tenant level. For instance, if many users in a tenant use “OK” as a standard response, it’s likely that machine learning will consider “OK” as a prime candidate to be a suggested response for everyone in that tenant. The consolidated generic data remains in the tenant.

Viva Insights Processes User Email Too

In addition to the way Microsoft processes user email to understand text patterns, Viva Insights looks through email to detect commitments made by users. Its MyAnalytics predecessor started to scan emails for commitments in 2018. When users open the Viva Insights add-in or use the Viva Insights app in Teams, they see recommendations and insights derived from the contents of the calendar and inbox folders from their mailbox.

Among the information Viva Insights highlights are messages that might contain commitments that the user needs to follow up. Viva Insights displays details of the messages it has found and prompts the users to either note the potential task as complete or add it as a personal To Do task (Figure 2).

Figure 2: Viva Insights that might become tasks

Viva Insights also finds messages where the user asks recipients to do something and prompts them to either follow up or mark the task as done.

There’s lots of deep research into finding commitments in email and highlighting those commitments to users. But again, the important thing is that the data used by Viva Insights remains in user mailboxes and is under the control of users.

Worrying About the Data Used by Machine Learning in Outlook

Those with responsibility for compliance and privacy in an organization are usually the people most worried about the processing of user data. With the growth of machine learning and AI-powered “experiences” and the resultant need for access to user data to learn from, this is a good concern to have. In the case of Microsoft 365, many “connected experiences” exist where people consume a cloud service without realizing where data comes from or is consumed.

Personally, I’m not concerned about how machine learning processes my email as the outcome is useful (when it works), but I realize that others have different feelings. It’s a topic for every organization to work through and figure out how happy they are to have Microsoft process their data to create new features.

To finish off, Figure 3 shows how Bing chat answered my question about how Outlook uses machine learning…

Figure 3: Bing AI answer for How does Outlook use machine learning

Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

✇Office 365 for IT Pros

Microsoft 365 Profile Card Gains Support for Pronouns

Users Can Decide What Pronoun to Display in Profile Card

Updated March 30, 2023

Announced in message center notification MC515531 (last updated 21 February 2023), the ability to enable pronouns in Microsoft 365 profile cards is available in the Microsoft 365 admin center. Once enabled, users can set their preferred Microsoft 365 pronouns using the preview version of Teams. The pronoun feature is covered by Microsoft 365 roadmap item 86352 (Teams) and 115511 (OWA).

I have been able to update pronouns in Teams, OWA, and the latest build of the Monarch (“One Outlook”) client.

Employee Engagement

Microsoft’s documentation for the pronoun feature says that “the simple act of using the right pronouns for one another can help build trust and improve communication among colleagues.” Microsoft goes on to highlight that “Whether or not to share or publicly display pronouns is always up to an individual. Pronouns should never be assigned to one person by another person. It should be up to the person using them to decide when, where, and which pronouns are used – including whether to use this feature.”

In other words, organizations should do some thinking and employee engagement before they implement pronouns for profile cards.

Implementing Pronouns on the Microsoft 365 Profile Card

The first step is to enable pronouns for the organization. Go to Org settings in the Microsoft 365 admin center and select the Security & privacy tab. Pronouns is one of the listed options (Figure 1).

Figure 1: Pronouns setting in the Microsoft 365 admin center

Microsoft says that it can take up to 7 hours before users can change their pronouns. In practice, expect the change to take a day before it is effective. If you disable pronouns, it will take the same length of time before pronouns disappear from view for all users. Microsoft 365 removes pronoun data if an organization disables the feature. Like most deletions in Microsoft 365, deletion is not immediate and if you reenable pronouns, previously set values will reappear.

After the software change is effective, users will see the option to update pronouns on their profile card. For instance, I clicked on my photo for a message posted to a Teams channel to reveal my profile card and see the option to add pronouns (Figure 2).

Figure 2: The option to update pronouns (in Teams)

Remember Microsoft’s point that pronouns are a personal decision for users? To enable freedom of choice, you can add whatever text you like for a pronoun. The profile card suggests the commonly-used values such as “She/Her,” but you can ignore these values and use whatever text you prefer (up to 30 characters).

Figure 3: Adding an individual version of a pronoun (in OWA)

The important thing to remember is that pronouns are visible to all members of the organization. There’s no way to restrict pronoun display to a certain segment, such as members of a group. Guest members and external members of shared channels can’t see pronoun information on profile cards.

Building the Profile Card

Microsoft 365 stores user pronouns in a hidden folder in user Exchange Online mailboxes. Apps that support the profile card retrieve the information from the mailbox along with other properties (including custom attributes) to display the profile card (Figure 4).

Figure 4: How pronouns appear on the Microsoft 365 profile card

A Change to Plan

Microsoft’s FAQ for pronouns contains some other useful information to consult before implementation. Displaying pronouns in the profile card is obviously something that an organization should think through before implementation. For example, some organizations also add pronouns to account display names, meaning that the information shows up in address books and other places where people see display names, like email headers, listings of documents in SharePoint Online and OneDrive for Business, and so on. Don’t rush to deploy just because someone (maybe a vocal proponent) thinks that pronouns are a good idea. Pause, consider, and then decide.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Even pronouns deserve analysis…

✇Office 365 for IT Pros

Preparing for the Teams 2.1 Client to Arrive

Get Ready to Deploy the New Teams Client to End Users

Updated March 27, 2023: The preview of the new Teams client is available.

With all the speculation that Microsoft will release a public preview of the new Teams (V2.1) client in late March 2023, it’s time to review how users can access the preview code once Microsoft makes it available.

Teams uses update policies to dictate which users have access to preview features. Teams also allows tenants to align with Office preview channels if they wish. The first job is therefore to define the user group to test the new Teams client and make sure to assign a Teams update policy that allows them to access preview features to their accounts. Once the policy is effective, users can switch between preview and production versions as they like.

A New Option in the Teams Update Policy

A hint that Microsoft will provide controls to allow customers to roll out the new Teams client at their own rate is in the PowerShell Get-CsTeamsUpdateManagementPolicy cmdlet. This reveals a UseNewTeamsClient setting. Microsoft added the setting in version 4.9.1 of the MicrosoftTeams PowerShell module in November 2022. The values accepted by the Set-CsTeamsUpdateManagementPolicy cmdlet are:

  • MicrosoftChoice: Microsoft controls the use of the new client. This is likely how Microsoft will force customers to eventually move from the old to the new client.
  • UserChoice: Individual users can choose to use the new client.
  • AdminDisabled: The organization disables the new client for users assigned the policy.

The interpretations of the options are mine and are not formally confirmed by Microsoft. The point is that it will be possible for organizations to control when users get the new client and which users get the new client.

Building a New Teams Architecture

Microsoft has been working on the new Teams client architecture for a long time. Some hints came in my May 2021 discussion with Rish Tandon (the then VP for Teams Engineering). At the time, Rish acknowledged that client performance wasn’t where Microsoft wanted it to be. A further hint came when Microsoft revealed the Teams consumer client for Windows 11. The consumer client uses the new Teams client architecture based on ReactJS and the WebView2 Edge component.

Of course, the Teams consumer client is a pale shadow of its enterprise counterpart when it comes to features and functionality, as people will discover when they move from Teams Free (classic) to the new Teams (free) version. There are no channels to deal with (regular, private, or shared), the number of users is limited, there’s no Phone system or Teams room devices, and so on. Acknowledging these limitations, the Teams consumer client (2.0 in the architecture) proved a useful step to proving the concepts and components used in the next generation of the Teams enterprise client (2.1).

Microsoft’s recent press briefings have emphasized benchmarks like a 50% reduction in memory, less demand for CPU, and a consequent extended battery life for laptops. Cynics might say that all of this comes from removing the overhead imposed by Electron. Certainly there’s some truth in that assertion but the overall engineering effort required to move the Teams desktop and browser clients to the new architecture spans more than simply swapping code libraries.

When Production Software Arrives

After running the public preview for the new version of the Teams client for several months, Microsoft will make the client generally available (GA). At that point, a recent change will affect when organizations see the GA software.

Microsoft 365 message center notification MC510331 (February 2, Microsoft 365 roadmap item 117577) announced that Teams will support targeted release for commercial cloud customers. In other words, if your tenant opts in to use targeted release for some or all users, you’ll be amongst the first to get the new Teams client. Release preferences are in the Org settings section of the Microsoft 365 admin center (Figure 1).

Figure 1: Release options for a Microsoft 365 tenant

Those who choose to remain with the standard release will receive the software later. Given the size of the Microsoft 365 infrastructure, the difference between first and last tenants receiving the new client could be several months.

A Big Moment Approaches for Teams

People have complained about the performance and memory consumption of the Teams client for years. Despite much tweaking and filling in performance gaps since 2016, it’s obvious that the road has run out for the original Teams client. Launching a new Teams client is an important point for Microsoft. They only have 280 million monthly active users to please. No pressure then!



✇Office 365 for IT Pros

Azure AD Moves to Block OAuth App Hijacking

Azure AD App Property Lock Feature Blocks Updates to App Credentials

In a relatively unpublicized move, the Azure AD development group has closed a hole exploited by attackers who add their own credentials to registered apps. The new app instance property lock feature (preview) allows developers to lock sensitive properties of apps. It’s intended for use by enterprise apps, which are the way that developers like Microsoft and Adobe install apps in other Azure AD organizations. The enterprise app stores app properties while the service principal created by Azure AD in the host organization holds the permissions assigned to the app in that organization. After provisioning the app into a new tenant, the developer can lock the app against change.

Why Attackers Go After OAuth Apps

In the past, attackers have been able to hijack an enterprise app by adding a credential like an X.509 certificate to the app. Unless the organization monitors the audit events created for application updates, the new credential will exist undetected and the attacker can use it to request Azure AD to issue an access token containing the permissions assigned to the app. Apart from its permissions, attackers don’t need any further access to the app. Instead, the attackers use the access token to access whatever data the permissions allow. In some cases, the attackers might access items in mailboxes; in others they might go after sensitive documents stored in SharePoint Online sites. Once they’ve compromised the target repository, the attackers can exfiltrate or wipe the data (potentially a Microsoft 365 “wiperware” attack).

Hijacking OAuth permissions assigned to apps is not a theoretical attack vector. It’s what was used in the SolarWinds campaign in 2021. The attackers generated an X.509 certificate and added it to Azure AD apps and used highly-permissioned apps to access data. Another example of OAuth app abuse is the September 2022 instance when attackers used an OAuth app to create an inbound connector to send spam.

Applying an Azure AD App Property Lock

The property lock feature allows developers to block any changes to some or all of the sensitive properties for an app (the properties used in authentication flows). It’s important to emphasize that the property lock is not mandatory. Developers must apply it to their apps before the apps are used in other tenants.

You can lock properties for a registered app but cannot update enterprise apps created in your tenant by another organization (because an external organization owns the app). For instance, you cannot change the iOS accounts enterprise app used by Apple for some iOS device management, like the change needed to force the iOS mail app to use modern authentication.

To start, go to app registrations, select the app to lock and then access the authentication tab. The App instance property lock option is toward the bottom of the screen (Figure 1).

Figure 1: Accessing the app instance property lock feature for an app

Click Configure and select the properties to lock (Figure 2).

Figure 2: Selecting the app properties to lock

Save the changes and the property lock is in force. Any subsequent attempt to update credentials will fail anywhere outside the home tenant.

Checking for App Credential Updates

Azure AD feeds audit information to the unified audit log, including events logged for app credential updates. Unfortunately, the information in the audit records follows an esoteric format that makes the data harder to interpret than it needs to be. Here’s a code snippet showing how to run the PowerShell Search-UnifiedAuditLog cmdlet to retrieve and report audit records for app credential changes.

# Search the last 90 days of audit records
$StartDate = (Get-Date).AddDays(-90)
$EndDate = Get-Date

# Keep the operation name exactly as shown, including the trailing space
[array]$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Formatted -ResultSize 5000 -Operations "Update application – Certificates and secrets management "
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Record in $Records) {
  # AuditData is a JSON string holding the detail of the event
  $AuditData = $Record.AuditData | ConvertFrom-Json
  # New values of the properties changed by the update
  $Mods = $AuditData.modifiedproperties.NewValue
  $ReportLine = [PSCustomObject] @{
     Timestamp = $Record.CreationDate
     User      = $AuditData.UserId
     AppName   = $AuditData.Target[3].Id
     Modified  = $Mods }
  $Report.Add($ReportLine)
}
# Show the report, oldest change first
$Report | Sort-Object Timestamp

The same information is available in the Azure AD audit log (Figure 3).

Figure 3: App credential update details in the Azure AD audit log
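
To complement the audit log search, the following added example (not code from the original article) uses the Microsoft Graph PowerShell SDK to list certificates and secrets on app registrations and service principals whose validity period began recently. The function names, the 30-day window, and the sample object are assumptions made for illustration.

```powershell
# Added example, not code from the original article.
# Assumes the Microsoft Graph PowerShell SDK and the Application.Read.All scope.

function Get-RecentAppCredential {
    # Emits one row per certificate or secret whose validity period starts on or after $Since.
    # StartDateTime is the validity start of the credential, which is not guaranteed to
    # equal the time it was added, so confirm each row against the audit log.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $DirectoryObject,
        [Parameter(Mandatory)] [ValidateSet('AppRegistration', 'ServicePrincipal')] [string] $ObjectType,
        [Parameter(Mandatory)] [datetime] $Since
    )
    foreach ($Object in $DirectoryObject) {
        # Certificates are held in KeyCredentials, client secrets in PasswordCredentials
        $Credentials = @(
            foreach ($Key in $Object.KeyCredentials) { [PSCustomObject]@{ Kind = 'Certificate'; Data = $Key } }
            foreach ($Secret in $Object.PasswordCredentials) { [PSCustomObject]@{ Kind = 'Secret'; Data = $Secret } }
        )
        foreach ($Credential in $Credentials) {
            $Start = $Credential.Data.StartDateTime
            if ($null -eq $Start -or $Start -lt $Since) { continue }
            [PSCustomObject]@{
                ObjectType    = $ObjectType
                DisplayName   = $Object.DisplayName
                AppId         = $Object.AppId
                ObjectId      = $Object.Id
                OwnerTenantId = $Object.AppOwnerOrganizationId   # empty for app registrations
                Kind          = $Credential.Kind
                KeyId         = $Credential.Data.KeyId
                Label         = $Credential.Data.DisplayName
                ValidFrom     = $Start
                ValidTo       = $Credential.Data.EndDateTime
            }
        }
    }
}

function Get-TenantRecentAppCredential {
    # Hypothetical wrapper that reads every app registration and service principal in the tenant.
    param([int] $Days = 30)
    Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
    $Since = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $TenantId = (Get-MgContext).TenantId
    $Apps = @(Get-MgApplication -All)
    $ServicePrincipals = @(Get-MgServicePrincipal -All)
    $Rows = @(
        Get-RecentAppCredential -DirectoryObject $Apps -ObjectType AppRegistration -Since $Since
        Get-RecentAppCredential -DirectoryObject $ServicePrincipals -ObjectType ServicePrincipal -Since $Since
    )
    foreach ($Row in $Rows) {
        # A credential on a service principal for an app owned by another tenant matches the
        # enterprise app hijack described in the article. SAML signing certificates also
        # appear here, so treat the flag as a prompt to review, not as proof of compromise.
        $External = ($Row.ObjectType -eq 'ServicePrincipal' -and $Row.OwnerTenantId -and $Row.OwnerTenantId -ne $TenantId)
        $Row | Add-Member -NotePropertyName ExternallyOwnedApp -NotePropertyValue ([bool]$External) -PassThru
    }
}

# Constructed sample object (not real tenant data) to exercise the filter without a connection:
# one certificate that became valid two days ago and one secret that expired over a month ago.
$Now = (Get-Date).ToUniversalTime()
$Sample = @(
    [PSCustomObject]@{
        DisplayName            = 'Constructed Reporting App'
        AppId                  = '11111111-1111-1111-1111-111111111111'
        Id                     = '22222222-2222-2222-2222-222222222222'
        AppOwnerOrganizationId = '33333333-3333-3333-3333-333333333333'
        KeyCredentials         = @([PSCustomObject]@{ KeyId = '44444444-4444-4444-4444-444444444444'
                DisplayName = 'CN=constructed-example'; StartDateTime = $Now.AddDays(-2); EndDateTime = $Now.AddDays(363) })
        PasswordCredentials    = @([PSCustomObject]@{ KeyId = '55555555-5555-5555-5555-555555555555'
                DisplayName = 'Old secret'; StartDateTime = $Now.AddDays(-400); EndDateTime = $Now.AddDays(-35) })
    }
)
Get-RecentAppCredential -DirectoryObject $Sample -ObjectType ServicePrincipal -Since $Now.AddDays(-30) |
    Format-Table DisplayName, Kind, Label, ValidFrom, ValidTo
```

Run Get-TenantRecentAppCredential against a tenant and compare each row with the matching audit record, because the audit log remains the record of who made the change and when.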

Attacks Don’t Stop When a Hole Closes

Although regrettable that the holes existed in the first place, it’s good that Microsoft is closing off one of the vulnerabilities exploited by attackers with the Azure AD App property lock. It’s an example of the chess game played out between the attackers and defenders around the protection of cloud services. Now that this hole is closing, attackers will consider their next move. Stay vigilant and keep checking the audit log to detect suspicious events!


Learn about protecting your Microsoft 365 tenant by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand features like the Azure AD app property lock and the most efficient ways to protect your data.

✇Office 365 for IT Pros

Change to Microsoft Teams Free Version Means Downgraded Functionality

Classic Version of Teams Free Retires in April

On April 12, 2023, Microsoft will retire the Teams Free (classic) version that they launched in 2018 (Figure 1). I still have the Azure AD tenant created to support Teams Free and the software continues to work quite happily. The question is what to do when Microsoft brings the curtain down.

Figure 1: Microsoft lets Teams Free (classic) users know about the impending retirement

There’s been some ill-informed commentary about the retirement and what it means for users. Let’s discuss what’s happening.

Migration Options

The options presented by Microsoft are:

  • Switch to the new free version of Teams, confusingly named Microsoft Teams (free). The big downside is that none of the information currently in Teams Free (classic) will transfer.
  • Upgrade to a paid version of Teams, such as Teams Essentials ($4/month) or the entry-level Microsoft 365 Business Basic subscription ($6/month). The big advantage of going for the Microsoft 365 subscription is access to the web and online versions of the Office apps.

When Microsoft retires Teams Free (classic), administrators will have until July 12, 2023, or 90 days after the tenant was last used (whichever is earlier) to recover data. After the drop-dead date, Microsoft will remove the tenant and permanently remove the data.

No Migration for Free Versions

Unless you choose to upgrade to a paid-for version of Teams, it’s up to you to recover data created in Teams Free (classic). Essentially, if you want to continue using a free version of Teams, you’ll have to manually download the files shared in chats and channel conversations to a workstation and upload them to the new version. Given that Teams stores its files in OneDrive for Business and SharePoint Online, you can use the OneDrive sync client to synchronize the files to a workstation and download them that way. The Teams Wiki still features in Teams Free (classic). You’ll need to cut and paste information from wikis to OneNote or another document because Microsoft’s wiki migration tool might not run for the free version.

There’s no way to save the messages in channel conversations unless you use a third-party ISV product designed for tenant-to-tenant migrations (or write your own code with the Teams export API). However, if you’re using a free version of Teams, you’re unlikely to want to cough up for a migration product or start to write code using an API that you’ve got to pay for. At the most basic level, you can rescue important conversations by copying them to a Word or OneNote document.

Why No Migration Tools are Available for Teams Free

You might wonder why Microsoft is not offering migration tools to move from Teams Free (classic) to Teams (Free). Both a financial imperative and a technical limitation exist:

  • There’s no revenue opportunity for Microsoft. The upside is to encourage people who’ve used Teams Free (classic) since 2018 to move to a paid-for version. Why encourage them to stay on a free platform? Making it easy for people to pay nothing does nothing to increase the average revenue per user from Microsoft 365.
  • The new Teams (free) is based on Teams for Home. Microsoft is closing the infrastructure that serviced Teams Free (classic). This isn’t surprising because Teams Free (classic) came along quite soon after the launch of Teams and shared the same platform accessed through the teams.microsoft.com endpoint. Teams for Home uses a different infrastructure, accessed through teams.live.com. Teams (free) doesn’t have teams. Instead, it uses group chats to host conversations for the up to 300 people that a Teams (free) organization can host. Teams (free) doesn’t use SharePoint Online either. There are no teams to organize discussions. Instead, Teams (free) offers communities, announced in January 2023 and currently available only for mobile clients. In a nutshell, the dramatic difference in the implementations of Teams Free (classic) and Teams (free) is the basic reason why Microsoft doesn’t support migration.

On the other hand, if you choose to upgrade to a paid-for version of Teams, your existing Azure AD tenant will remain in place and you’ll get licenses to allow you to continue to use Teams. No migration is necessary.

Less Functionality for Teams Free

It’s not surprising that Microsoft should want to move the free version of Teams off their production paid-for infrastructure to join their existing free Teams for Home offering. The change won’t affect those who simply want to use Teams for chat and calls. However, the new Teams Free represents a substantial downgrade in functionality that might affect how some organizations use Teams. If that’s your situation, maybe it’s time to think about using the paid-for version.


Learn about using Microsoft Teams (the paid-for version) and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

✇Office 365 for IT Pros

Microsoft Dumps Yammer Brand

Collaboration Platform Looks for More Success as Viva Engage

In a predictable development, Microsoft decided to dump the Yammer name and rebrand the app as Viva Engage. The first hint of the change came in August 2022 when Microsoft renamed the Yammer Communities app for Teams as Viva Engage (Figure 1). The next came in November 2022 when Yammer introduced video and photo stories to its Storyline feature and revealed that the files used for stories ended up in the VivaEngage folder in user OneDrive for Business accounts. Not everyone is quite as nerdy as the Office 365 for IT Pros team is when it comes to tracking change, but there you have it.

Figure 1: The Viva Engage app in Teams

Microsoft’s PR announcement says that “For over 10 years, Yammer has been the social fabric for Microsoft’s productivity cloud, bringing community and conversations into the apps that people work in daily.” That’s wishful thinking of the kind often engaged in by Microsoft marketing people attempting to make more of Yammer than it ever achieved.

More correctly, since the acquisition of Yammer in June 2012, Microsoft has tried on many occasions to make Yammer more than an also-ran in the Microsoft 365 app stakes. After being told that Yammer would make email redundant, the Exchange community ignored the prediction. Exchange Online powers Microsoft 365 at an ever-increasing rate with usage that Yammer could only dream about. Teams came along in 2016 and ate the lunch Yammer wanted and is the social fabric for Microsoft’s productivity cloud. At least, 280 million Teams users can’t be wrong, can they?

Year of Yammer

Despite loudly proclaiming that (insert any year from 2012) would be the “Year of Yammer,” it’s only recently that Microsoft started to make some headway, helped in no small part by Microsoft’s determination to build Yammer into as many places in Teams as possible. Nice as it is to have Yammer power the Q&A app for Teams, true progress only really started when Microsoft decided to embrace Microsoft 365 groups and to bring Yammer networks into alignment with the rest of Microsoft 365 with networks configured in Microsoft 365 native mode.

Native mode networks date back to 2020, but it was only on September 1, 2022 that Microsoft bit the bullet to set a retirement date for older Yammer networks (MC424414). Upgrades are happening now and due to continue through October 2023. All the Yammer networks I access within Microsoft’s own infrastructure have still not transitioned, largely because they’re used by external people.

What Now for Yammer

Microsoft is now beginning a rebranding exercise to eliminate Yammer from the Microsoft 365 vernacular and replace it with Viva Engage. Yammer fans who engaged in “YamJams” and the like will have to find a new term to describe their meetups, but the basic technology will remain the same. Microsoft describes some new functionality in their blog, most of which is incremental and builds on existing capabilities (for example, Answers seems to be like the Teams Q&A app on steroids).

Customers won’t have to pay more to use the rebranded Viva Engage/Yammer.

Microsoft did make one odd reference when they talked about “the existing Communities app for Outlook.” I had no idea what this app was until MVP Kevin Crossman pointed out the Yammer logo in the OWA app rail. Basically it’s a way to have the Viva Engage app display in OWA. The app doesn’t feature in Outlook desktop and I have never used it in OWA. If your organization uses Yammer/Viva Engage, I can see how that capability would be both interesting and beneficial. For most Outlook users, discovering Viva Engage in their app rail will be a “meh” moment of the kind when Microsoft introduced the ability to respond to email with an emoji.

A New Chance to Make a Difference

I always thought that Yammer was a missed opportunity for Microsoft. Had they dumped the Yammer database soon after the acquisition and replaced it with the Exchange (ESE) or SQL databases, the task of aligning Yammer more closely with the rest of Microsoft 365 and picking up features like compliance, retention, data loss prevention, and so on would have been much easier.

Maybe Microsoft would never have developed Teams if Yammer had been a fully-functional part of Microsoft 365. But it never was and Yammer became a sideshow. It’s been an important app for some customers but you’d wonder about its long term future as a supplier of software components to Teams and Viva. The Yammer superpowers (note to self, no software has superpowers) proclaimed by Microsoft marketing have waned. Perhaps the change and refocus will make Yammer more valuable. We’ll know after another decade.


Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

✇Office 365 for IT Pros

Teams Reaches 280 Million Users as Microsoft Cloud Growth Slows

Teams User Numbers Slow as Office 365 Grows 12%

One thing that’s obvious from the Microsoft FY23 Q2 results released on January 24 is that the woes of the wider economy are affecting the growth of the Microsoft Cloud. This is despite headline growth to achieve $27.1 billion in quarterly revenue ($108.4 billion annualized run rate), up 22% year over year (or 29% in constant currency, reflecting the recent strength of the dollar). However, Microsoft had “slower than expected growth in new business” in Office 365 and EMS.

Revenue for Office 365 commercial increased 11% YoY (18% in constant currency). Microsoft said that this reflected “healthy renewal execution” and growth in annual revenue per user (ARPU) because “E5 momentum remains strong.” A cynic might say that Microsoft is now sweating its massive installed base. Customers have no real choice but to renew as the costs and technical difficulties involved in getting off Office 365 are massive. Microsoft drives ARPU by making sure that new features appear in the high-end SKUs. For example, if you want any automation for compliance or security functionality, you need an E5 SKU.

Driving users to buy E5 to get better security functionality is one reason why Microsoft was able to announce that its security business surpassed $20 billion (annually) in revenue. The security business includes products commonly used with Office 365 like Microsoft Purview, Microsoft Entra (think Azure AD), Microsoft Sentinel, Microsoft Intune, and Microsoft Defender. Some of these capabilities are bundled with Office 365 E3, but high-end Purview security and compliance functionality like adaptive scopes or automatic label policies or Defender Plan 2 require Office 365 E5. And Azure AD Premium P1 and P2 licenses are needed for features like conditional access policies and privileged identity management.

Office 365 User Base Approaches 400 Million

Probably deliberately to obfuscate comparisons, Microsoft hasn’t given a firm number for Office 365 active users since October 2019 when they reported 200 million monthly active users. Since then, they’ve focused on reporting growth percentages and paid seats, like the 345 million paid seats highlighted in April 2022. This time round, they said that Office 365 commercial seats grew 12% YoY and observed that small-to-medium business and frontline worker offerings drove the growth. Microsoft also said that they “saw some impact from the slowdown in growth of new business” and that they expect revenue growth to be lower in the coming quarter by about one percentage point.

During the analyst Q&A, Brad Reback from Stifel put forward a 400 million seat number for Office 365 and asked if Microsoft would concentrate on growth in seats or ARPU. In his response, CEO Satya Nadella acknowledged “moderating seat growth” balanced by increased ARPU due to more customers taking up E5 licenses. Nadella also points to Teams Premium (referred to as Team Pro in the transcript) as an opportunity for increased ARPU.

I think the number of paid Office 365 seats is a tad below 400 million (maybe around 385 million) but it’s hard to know. The number of actual real-live human beings who use Office 365 daily is lower at maybe 360 million. Either way, it’s a big number of users that is still growing albeit slower than before.

Teams User Number Reaches 280 Million

Speaking of Teams Premium, Microsoft gave an updated number for the user base that they can sell the new product to when Teams Premium becomes generally available in February 2023. A year ago, Microsoft said that Teams had 270 million monthly active users. Now the Teams user number is 280 million (Figure 1).

Figure 1: Teams user number growth since 2019

Microsoft claimed that the 3.57% growth in the Teams user number represented “durable momentum since the pandemic.” It’s curious that Teams grew at about a third of the rate of increase in Office 365 seats (12% YoY). Perhaps this is because those who want to use Teams are using it and relatively few in the small-to-medium and frontline segments where Microsoft says the Office 365 growth came from need Teams.

Microsoft usually throws out some gee-whiz statistics about Teams to help people in games of Office 365 trivial pursuit. This time round, we learned that there are more than 500,000 active Teams Rooms devices (up 70% YoY) and the number of customers with more than 1,000 Teams rooms doubled YoY. This might mean that two customers now have more than 1,000 Teams rooms instead of one last year. Microsoft didn’t clarify the point. However, they did assert that Teams Phone continues to grow its share and is now the market leader for cloud calling. Over 5 million Teams users with licenses for PSTN calling joined the Teams user mix over the last 12 months.

Balance Between New Seats and More Money Per Seat

It’s hard to grow big numbers. Microsoft continues to add seats to Office 365, but it seems like the new seats have low-end licenses, which is why they need to sell more high-end add-ons or more expensive licenses to the installed base to offset the relative lack of revenue from the new seats. Growth in Teams users is slowing, but the same aspects are visible in selling add-ons (like PSTN) and hoping that customers like what they see in Teams Premium enough to cough up the extra $10/user/month for licenses. You’ve got to keep that quarterly revenue number growing…


If you’re a tenant administrator who looks after some of the 400 million Office 365 users, make sure that you’re not surprised about changes that appear inside Office 365 by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

✇Office 365 for IT Pros

Recovering Deleted Groups with the Graph PowerShell SDK

Restore Soft-Deleted Groups Back to Good Health

In another article, I cover how to recover soft-deleted Azure AD accounts using the Microsoft Graph PowerShell SDK. The topic of how to restore deleted Azure AD groups (including Microsoft 365 groups) came up in discussion recently, and I realized that I don’t cover this point very well when discussing basic group management with the Microsoft Graph PowerShell SDK. This article addresses that deficiency and hopefully helps people update scripts before the deprecation of the Azure AD and Microsoft Online Services modules next June.

Find Soft-Deleted Groups

The same approach used with soft-deleted user accounts applies when restoring soft-deleted groups:

  1. Find the set of soft-deleted groups. Soft-deleted groups remain in the Azure AD recycle bin for 30 days following their deletion. After this period lapses, Azure AD permanently removes the groups. Remember that even after Azure AD removes the group object, if the group comes within the scope of one or more Microsoft 365 retention policies, group resources (like the group mailbox and SharePoint site) remain available until the last retention period lapses.
  2. Select the group to restore. You need the group identifier (GUID) to restore a group.
  3. Restore the group. Groups that don’t have any connected resources should become available very quickly after restoration. Microsoft 365 groups with connected resources like a team, SharePoint Online site, and Planner plans need more time for individual workloads to reconnect everything back to the restored group.

Here’s some code to report the set of soft-deleted groups in the Azure AD recycle bin. The Get-MgDirectoryDeletedItem cmdlet returns a set of soft-deleted directory objects matching the object type (microsoft.graph.group). The cmdlet output appears blank, but the set of objects is in an array called Value in the AdditionalProperties property.

Why the cmdlet works in this manner is beyond me. Some justify the output with the statement that “it’s how the Graph API to list deleted items works.” That assertion is true, but just because an underlying API works in an odd manner is no reason to perpetuate the behavior in a cmdlet. I hope that Microsoft improves how cmdlets used for day-to-day Azure AD management work in V2.0 of the SDK, due later this year.

After we find the set of soft-deleted groups, it’s easy to extract the information and calculate how long remains before Azure AD deletes the group permanently.

Connect-MgGraph -Scopes Directory.Read.All, Group.ReadWrite.All
[array]$SoftDeletedGroups = Get-MgDirectoryDeletedItem -DirectoryObjectId Microsoft.graph.group
[array]$DeletedGroups = $SoftDeletedGroups.AdditionalProperties['value']
If ($DeletedGroups.count -eq 0) { Write-Host "No recoverable groups can be found - exiting"; break}
$Report = [System.Collections.Generic.List[Object]]::new(); $Now = Get-Date
ForEach ($Group in $DeletedGroups) {
     [datetime]$DeletedDate = $Group.deletedDateTime
     $PermanentRemovalDue = Get-Date($DeletedDate).AddDays(30)
     $TimeUntilRemoval = $PermanentRemovalDue - $Now
     $ReportLine = [PSCustomObject]@{ 
          Group                = $Group.displayName
          Id                   = $Group.id
          Deleted              = $Group.deletedDateTime
          PermanentDeleteOn    = Get-Date($PermanentRemovalDue) -format g
          DaysRemaining        = $TimeUntilRemoval.Days } 
       $Report.Add($ReportLine) 
}
$Report | Sort-Object {$_.PermanentDeleteOn -as [datetime]} | Out-GridView

Figure 1 shows some typical output. The Id property is the group identifier.

Figure 1: Listing soft-deleted groups

Restore Deleted Azure AD Groups

After finding the identifier of the group to restore, use it with the Restore-MgDirectoryDeletedItem cmdlet to move the group object from the Azure AD recycle bin and make it available to users:

Restore-MgDirectoryDeletedItem -DirectoryObjectId 4e9393c3-67e9-4f95-a0df-70103a667c0a

It can take a few minutes before the restored group shows up in Azure AD, Teams, and OWA and a little longer before SharePoint Online fully synchronizes the new state reported by Azure AD. Depending on service load, everything should be fully connected within an hour.

Admin Consoles and Group Restoration

Remember that you don’t need to use PowerShell to restore a deleted Azure AD group. The Microsoft 365 admin center and Azure AD admin center (Figure 2) both include options to restore deleted Azure AD groups, and the Manage groups section of OWA has the option for group owners to restore a deleted Microsoft 365 group that they own. These options use the same techniques to list soft-deleted groups and restore a selected group. OWA is slightly different because it applies a filter to find groups owned by the user.

Figure 2: Restore a deleted Azure AD group option

In general, I use an admin center whenever I need to restore deleted Azure AD groups and revert to PowerShell when I need to do something special, such as a mass restoration of groups or to create reports about groups due for permanent deletion in the next seven days. It’s good to understand the technology behind a GUI and always nice to have the option to perform an action with PowerShell when the need arises.
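The two "something special" cases mentioned above (a report of groups due for permanent deletion in the next seven days, and a mass restoration) can be combined as follows. This is an added example, not code from the original article: the function names `Get-GroupsNearingPurge` and `Restore-SoftDeletedGroup` and the sample data are hypothetical, and it assumes the 30-day retention period and the `AdditionalProperties['value']` output shape described earlier.

```powershell
# Added example (not the article's code). Function names and sample data are hypothetical.

function Get-GroupsNearingPurge {
    [CmdletBinding()]
    param(
        # Entries from AdditionalProperties['value'] of Get-MgDirectoryDeletedItem
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$DeletedGroups,
        [ValidateRange(1, 30)] [int]$WithinDays = 7,
        [datetime]$Now = [datetime]::UtcNow
    )
    $NowUtc = $Now.ToUniversalTime()
    $Styles = [System.Globalization.DateTimeStyles]::AssumeUniversal
    foreach ($Group in $DeletedGroups) {
        $Raw = $Group.deletedDateTime
        if (-not $Raw) { continue }   # skip malformed entries rather than guessing a date
        # Normalize to UTC so the result does not depend on the workstation time zone
        if ($Raw -is [datetime]) {
            $DeletedUtc = $Raw.ToUniversalTime()
        } else {
            $DeletedUtc = [datetimeoffset]::Parse([string]$Raw, [cultureinfo]::InvariantCulture, $Styles).UtcDateTime
        }
        $PurgeUtc  = $DeletedUtc.AddDays(30)   # 30-day soft-delete window, per the article
        $Remaining = $PurgeUtc - $NowUtc
        if ($Remaining.Ticks -le 0) { continue }   # retention already lapsed
        if ($Remaining.TotalDays -le $WithinDays) {
            [PSCustomObject]@{
                Group         = $Group.displayName
                Id            = $Group.id
                DeletedUtc    = $DeletedUtc
                PurgeOnUtc    = $PurgeUtc
                DaysRemaining = [math]::Floor($Remaining.TotalDays)
            }
        }
    }
}

function Restore-SoftDeletedGroup {
    # SupportsShouldProcess gives -WhatIf and -Confirm, so a mass restore can be rehearsed first
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Group)
    process {
        if ($PSCmdlet.ShouldProcess("$($Group.Group) [$($Group.Id)]", 'Restore soft-deleted group')) {
            Restore-MgDirectoryDeletedItem -DirectoryObjectId $Group.Id | Out-Null
        }
    }
}

# Constructed sample data shaped like the entries in AdditionalProperties['value']
$SampleNow = [datetime]::new(2023, 2, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
$Sample = @(
    @{ id = '00000000-0000-0000-0000-000000000001'; displayName = 'Sample Group A'; deletedDateTime = '2023-01-05T09:30:00Z' }
    @{ id = '00000000-0000-0000-0000-000000000002'; displayName = 'Sample Group B'; deletedDateTime = '2023-01-25T14:00:00Z' }
    @{ id = '00000000-0000-0000-0000-000000000003'; displayName = 'Sample Group C'; deletedDateTime = '2023-01-03T08:00:00Z' }
)

# Report, soonest purge first
$AtRisk = Get-GroupsNearingPurge -DeletedGroups $Sample -WithinDays 7 -Now $SampleNow | Sort-Object PurgeOnUtc
$AtRisk | Format-Table Group, Id, PurgeOnUtc, DaysRemaining

# Rehearse the mass restore; -WhatIf means nothing is sent to the tenant
$AtRisk | Restore-SoftDeletedGroup -WhatIf

# Against a tenant, after Connect-MgGraph with the scopes used in the article:
# $Deleted = (Get-MgDirectoryDeletedItem -DirectoryObjectId microsoft.graph.group).AdditionalProperties['value']
# Get-GroupsNearingPurge -DeletedGroups $Deleted | Restore-SoftDeletedGroup -Confirm
```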


Learn how to exploit the full set of capabilities available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

✇Office 365 for IT Pros

How the Teams Report a Concern Feature Works

Report a Concern about a Message in a Teams Personal or Group Chat

Communication Compliance policies are part of the Microsoft Purview suite designed to help organizations monitor the content of messages. Originally known as supervision policies (which gives an indication of their purpose), communication compliance policies could only process email until Microsoft introduced support for Teams in early 2020.

Communication Compliance Basics

The basics of communication compliance revolve around the analysis of messages captured in special supervision mailboxes against conditions defined in policies. Settings include:

  • The accounts that come within the scope of the policy (the monitored mailboxes).
  • Direction of message traffic (inbound, outbound, or both).
  • The percentage of traffic captured for analysis. Although it’s possible to examine every message sent and received by the accounts within a policy scope, it’s more usual to examine a percentage. Purview extracts messages at random to meet the selected percentage.
  • Whether to use Optical Character Recognition (OCR) to examine attachments and images sent in email and Teams.
  • The classifiers and conditions used to select messages for further review. Microsoft Purview includes a default set of trainable classifiers such as Profanity and Threat to detect these conditions in messages. Organizations can train their own classifiers as required. Conditions (like those used in DLP and mail flow rules) can focus the review to specific messages such as those coming from certain domains.
  • The supervisors responsible for reviewing messages detected by the policy.

Exchange Online redirects copies of messages needed for communication compliance as email passes through the transport service. Purview uses the compliance records created by the Microsoft 365 substrate to process Teams messages.

Teams Report a Concern

In mid-2022, Microsoft introduced the ability for Teams users to report a concern with messages sent in personal and group chats. By August 31, 2022, the feature reached all tenants with Office 365 E5 or Microsoft 365 E5 compliance licenses who had communication compliance policies. It can take up to 30 days before the feature appears in tenants after they start to use communication compliance policies.

Visibility of the Report a Concern option (Figure 1) is controlled by the AllowCommunicationComplianceEndUserReporting setting in the Teams messaging policy for an account. The setting is available in the Teams admin center or PowerShell. By default, the setting is enabled. To see the setting for all messaging policies, run:

Get-CsTeamsMessagingPolicy | Format-Table Identity, AllowCommunicationComplianceEndUserReporting
Figure 1: The Teams Report a Concern option in a Chat

When a user reports a concern (Figure 2), Teams tags the message and up to five messages preceding the reported messages and five messages afterward (if available). Many messages sent in Teams chats are short and concise. The extra messages provide the context to allow a reviewer to decide if a problem really exists.

Figure 2: Reporting a Concern about a Teams chat message

Reviewing Reported Messages

Apart from exposing the Report a Concern option in Teams chat, the other major piece of functionality is the automatic creation of the User-reported messages policy. The only change an organization can make to the User-reported messages policy is to update the supervisors responsible for reviewing reported messages.

As with all communication compliance policies, to review reported messages, head to the communication compliance section of the Purview compliance portal (Figure 3) and select the policy to review. The policies available to a user depend on the communication compliance administrative role assigned to their account.

Figure 3: The Teams User-Reported messages policy in Communication Compliance

Select the policy and open the Pending tab to see the messages requiring investigation. The default view is to see the summary, meaning the message reported by the user. The conversation view exposes the messages before and after the reported message to give context to the reviewer (Figure 4).

Figure 4: Reviewing a message reported from a Teams chat

Like any other message detected by a communication compliance policy, the role of the investigator is to decide if the content violates the acceptable norms for communication. Because individual users make a subjective decision to report a message, the variation in content is likely broader than in the set of messages selected using a trainable classifier. This underlines the need to understand the tone and flow of the conversation within which the problem message occurred.

After reviewing the message, the investigator can resolve the problem (for instance, decide that the user overreacted when they reported the concern), notify the user (and others) about their assessment, or escalate the issue for further investigation. The Remove message in Teams option (available through the down arrow menu in Figure 4) replaces the reported message with a notification that the message “was blocked due to organizational policy” for the recipient and “This message was blocked” for the sender (Figure 5).

Figure 5: Teams blocks a reported message

This action, which is similar to the way that Teams handles messages blocked by DLP policies, allows the organization to withdraw a problem message during an investigation. However, there’s no way to withdraw the block and expose the message again if it’s deemed acceptable.

Keeping Things Clean

Report a Concern is a useful feature (Teams Free has a similar feature where Microsoft takes care of investigations) if you have the right licenses. Then again, if the organization needs something like communication compliance, the cost probably doesn’t matter. In which case, it’s nice to have a way to keep everyone polite in their Teams chat.


Keep up to date with developments like the app support for sensitivity labels by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

✇Office 365 for IT Pros

Microsoft Pauses Daily Viva Briefing Messages

Viva Briefing Highlights Data from Viva Insights

Microsoft’s history with the generation of personal insights for users based on their work patterns and activities goes back to the purchase of Volometrix in 2015. Volometrix helped organizations to figure out how to be more efficient based on information stored in user mailboxes and calendars, which later became Delve Analytics, MyAnalytics, and finally Viva Insights.

Viva Insights still aims to help people understand how they work so that they can make better use of their time. The Viva Insights suite includes the Viva Insights add-in for Outlook, the Viva Insights app for Teams, the twice-monthly digest email, and the daily briefing email. All surface information gleaned from user interaction with Microsoft 365 captured in the Graph.

Pausing Viva Briefings

Message center notification MC486289 (December 15) says that Microsoft plans to pause sending the Viva Briefing daily email to users who signed up to receive these messages. From an email perspective, Viva Briefing (Figure 1) and digest messages are not real email because Viva injects them directly into user mailboxes. Although the messages are mail items, they do not pass through the Exchange Online transport system and therefore are immune to processing by components like mail flow rules. Microsoft stamps the messages as coming from a trusted sender, so that makes the direct injection acceptable!

Figure 1: Not much to highlight in this Viva Briefing message

Microsoft plans to pause sending Viva Briefing messages after 15 January 2023. Following the normal time required to deploy changes within Microsoft 365, no users should receive these messages after 1 February 2023. Resumption will follow sometime later in 2023. I haven’t received a Viva Briefing message since last Monday. Perhaps my work life isn’t interesting enough to warrant a briefing, or maybe the pause kicked in early for the holiday period.

More Personalized Information

The pause is to allow Microsoft to make changes to the content of the Viva Briefing messages “to be more personalized for each recipient.” I don’t know what this means because the whole point of Viva Briefing is to deliver personalized content to the recipient. For example, Figure 2 shows items found by Cortana (lurking under the covers of Viva Insights) to remind me about things I might like to follow-up. This information comes from email in my mailbox, so it’s highly personalized.

Figure 2: Some follow-up items highlighted in a Viva Briefing message

Cortana finds follow-up items by scanning messages for key words and phrases that indicate when the recipient or sender might be committing to an action. The first item in Figure 1 is an example where Cortana highlights the fact that the mailbox owner made a commitment to take an action. The second item is a variation where the mailbox owner asked a recipient to do something.

I don’t depend on the Viva Briefing to find follow-up actions for me, but I do find the prompts to be moderately useful. Sometimes, Cortana highlights something that I have forgotten to do and proves its worth. I suspect that people who have busier calendars and take on more commitments than I do find the briefing email more valuable.

Finding Who’s Using Viva Briefing

Exchange Online automatically enables new mailboxes to receive the Viva Briefing email. However, users won’t receive briefing messages unless they are active. For instance, if you create a test mailbox and only use it from time to time, there’s no email activity for Cortana to analyze and highlight, so there’s no reason to send a briefing. Perhaps the reduced level of email traffic over the last few days is the reason why I haven’t received a briefing message since Monday.

To discover what mailboxes are enabled for Viva Briefing, run PowerShell to find the set of user mailboxes and check each mailbox with the Get-UserBriefingConfig cmdlet. Here’s an example:

$EnabledMbx = 0; $NonEnabledMbx = 0; [array]$EnabledUsers = $Null; [array]$NonEnabledUsers = $Null
[array]$Mbx = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
Write-Host ("Checking {0} mailboxes for Viva Briefing status" -f $Mbx.count)
ForEach ($M in $Mbx) {
   $Status = Get-UserBriefingConfig -Identity $M.UserPrincipalName
   If ($Status.IsEnabled -eq $True) {
      $EnabledMbx++
      $EnabledUsers += $M.DisplayName
   } Else {
      $NonEnabledMbx ++
      $NonEnabledUsers += $M.DisplayName }
}
[string]$EnabledUsers = $EnabledUsers -Join ", " 
Write-Host ("Viva Briefing is enabled for {0} mailboxes and disabled for {1} mailboxes. The following mailboxes are enabled: {2}" -f $EnabledMbx, $NonEnabledMbx, $EnabledUsers)

Waiting for Briefings

Microsoft will likely describe the improvements they make to increase the personalized content in Viva Briefing messages when they relaunch the service. Until then, we’ll just have to track commitments and action items using Outlook tasks, To Do, Planner, Project, or any of the other methods available in Microsoft 365.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

✇Office 365 for IT Pros

Microsoft Adds Release Status to Message Center Notifications

Release Status Only Present for Some New Notifications

Message center notification MC485549 (14 December, Microsoft 365 roadmap item 108078) brings news of a new launch status Microsoft is adding to notifications to make the actual status of a change heading to their tenant clearer to administrators. Until now it’s been difficult for administrators to know exactly when a software change will hit their tenant after release by Microsoft. The difficulty increases when Microsoft misses a predicted availability date, something that happens regularly (the expanded reaction set for Teams is a notable example).

The new release status shows up as a property of new message center notifications. In Figure 1, we see that some updates have a launched status (update available to all tenant users) while the scheduled date for other updates has not arrived. The third status is “rolling out,” meaning that some users have received the update but not others.

Figure 1: Message center notifications show off their release status

Microsoft plans to unveil the new release status to targeted release tenants starting in mid-December 2022. All targeted release tenants should see notifications with release status by mid-January 2023. General roll-out to standard release tenants is due in mid-April 2023.

Initially, the release status will appear for Teams, Outlook, and Microsoft 365 admin center announcements. Over time, it will spread to all workloads. A release status only appears for updates that correspond to a Microsoft 365 roadmap item. Sometimes updates appear that aren’t on the roadmap. Logically, these messages won’t have a release status.

Continuum of Message Center Notification Improvements

The latest change to message center notifications is part of an ongoing continuum of improvements to customer communications for updates released to Microsoft 365. Recent examples include:

The project to improve communications around Microsoft 365 updates is led by Microsoft with considerable customer involvement.

Planner Tasks See the Release Status

The Planner tasks created by the Message Center-Planner synchronization capability include the release status in the Notes section (Figure 2). There’s no easy way to filter tasks with a certain release status in Planner.

Figure 2: Planner task has the release status in its Notes field

I also don’t see any evidence of the release status (or the other recent enhancements like relevance and user count) in the Service Messages API. Perhaps Microsoft hasn’t had the chance to upgrade the API to output all the details now available for message center notifications.

Need for More Predictable Release Dates

The trick for Microsoft will be to make sure that the accuracy of the release status tag is high. At one point, nearly half of all the updates published in message center notifications failed to meet the scheduled dates. Software development is an inexact science when it comes to predicting when the last few bugs that hold up the deployment of a new feature will disappear.

Microsoft has become better at publishing believable and attainable dates in the recent past. Things aren’t perfect yet and are likely to never be. Perhaps a new highlight on release status will make Microsoft do even better when it comes to predicting feature availability. We can but hope!


Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

✇Office 365 for IT Pros

Finding Microsoft 365 Answers with ChatGPT Isn’t Successful

Chatbot Delivers Answers, But Usable Responses Are a Different Matter

The launch of the free research version of OpenAI’s ChatGPT project generated lots of reactions, with some journalists predicting that using AI in this manner could mark the end of Google search results. According to Chris Johns, an economist whose podcast I subscribe to, the chatbot is capable of producing answers that meet the standard of first year university exams. Closer to home, MVP Doug Finke (author of the ImportExcel PowerShell module) thought the results generated for PowerShell questions were impressive (here’s his YouTube video).

Given the opinions voiced, I decided to sign up to test ChatGPT. My conclusion is that the chatbot is an idiot savant when it comes to technology. The answers generated by ChatGPT are plausible and cogent in some areas, but once it goes outside its area of comfort, the answers become weaker and weaker.

The Need for Good Source Material

By its very nature, AI depends on the source material used to train models. Inside Microsoft 365, a trainable classifier doesn’t work in scenarios like auto-label policies unless the set of source documents used to create the model underpinning the classifier is good enough. In the case of ChatGPT, OpenAI admit that the material used to build the model comes from 2021 or earlier. Given the nature of technology, especially cloud services, out-of-date information leads to bad answers.

A problem also arises when source material is wrong or contains information that might be accurate at a point in time but will be superseded by developments. This happens all the time in blog posts. For example, if you search for something like “How to update Azure AD accounts with PowerShell,” you’ll get a bunch of responses describing how to perform the task using cmdlets from the Azure AD or Microsoft Online Services (MSOL) modules. Posts published last week that I know of still reference these cmdlets, but people working in this space know that Microsoft plans to deprecate both modules in June 2023. The upshot is that the answer is right, works today, but is flawed because the code will stop working in six months. The lack of awareness of context is a flaw of AI and that shows through in its answers.

Asking About Azure AD Accounts

Take the example shown in Figure 1. The chatbot response to the question is inaccurate for two reasons: I asked about finding Azure AD accounts with the Microsoft Graph. The response is to use the soon-to-be-deprecated Azure AD module. There’s no trace of a Graph API request or the Microsoft Graph PowerShell SDK cmdlets.

Figure 1: Asking ChatGPT about finding Azure AD accounts

I have no idea why my question might have violated OpenAI’s content policy. That’s just a glitch. The important thing is that the code generated by ChatGPT works. Even though I wouldn’t use the Azure AD module now, the code runs perfectly and is a valid answer to the question.

The Microsoft Graph PowerShell SDK existed in 2021, so I decided to check what the chatbot knew about the SDK. Figure 2 is the result. I think this is a good example of the ability of ChatGPT to generate a reasonably cogent (if wordy) answer in response to a question. The text is rather like the response you’d get from a Microsoft marketing person, but that’s another story.

Figure 2: ChatGPT discusses the Microsoft Graph PowerShell SDK

Testing a Real-Life Question

As a test of a real-life question, I took one about mailbox archiving from Practical365.com and input it to ChatGPT. The answer (Figure 3) is just plain wrong. First, only Exchange Online mailbox retention policies operate against archive mailboxes. Second, neither Microsoft 365 nor Exchange Online retention policies (there is no such thing as an online archiving policy) operate on the basis of mailbox size. Retention, including move to archive, is driven by item age. Like any assertion from a consultant, the confident nature of the response means that it might be accepted by someone who doesn’t know the technology. It seems like the text might be influenced by the way that Exchange Online expandable archives work, but the context is all wrong and the answer isn’t at all helpful.

Figure 3: ChatGPT gets mailbox archiving wrong

Finally, I asked about the world’s best Office 365 book. I was amused that ChatGPT recommended Office 365 for IT Pros but got the authors wrong. I have never met Ben Curry and he’s never been involved with the book, but hey, it’s still a highly plausible answer.

Figure 4: Who’s the Ben Curry guy that ChatGPT thinks wrote the Office 365 for IT Pros book?

Interesting but Flawed

The bottom line is captured in OpenAI’s admission that “ChatGPT sometimes writes plausible-sounding but incorrect or nonsensical answers.” This, allied to the other flaw that “The model is often excessively verbose and overuses certain phrases, such as restating that it’s a language model trained by OpenAI,” means that you can’t trust the chatbot’s responses to any question about technology that evolves quickly. Answering some basic PowerShell questions is fine. Seeking help to administer Office 365 is quite another matter.

ChatGPT is interesting and worthwhile technology that points to the way we might seek information in the future. Based on a $1 billion investment, Microsoft and OpenAI have been working since 2019 and OpenAI trained the ChatGPT model on Azure. With that kind of backing, I’m sure that OpenAI will improve the model and increase the accuracy of the answers that it generates. But for now, I think I shall stick with querying Google and sorting the wheat out of whatever chaff Google replies with.

