sharepoint
31 Topics

Advice needed: Multitenant organization issues
Hey peeps, a client of mine is asking for an optimal solution to their sub-optimal organization structure. I want to see if there's something more I can do here or if we are stuck with our environment the way it is. It's such a strange ask that it will take a few paragraphs to describe, so bear with me.

Client has a central corporate entity, but the "branch" entities operate separately and have a fair amount of self-governance. This central corporate entity has a Microsoft 365 tenant and that's what everyone's email matches, including branch members. Let's call it corp.onmicrosoft.com with a verified domain of corp.com. So, everyone at corporate and the branches has addresses/UPNs of @corp.com.

Before my time, one of the self-governing branches chose to set up a SharePoint site specific to their branch. They put all the files on a separate 365 tenant of corp-ny.onmicrosoft.com with verified domain corp-ny.com. There are a couple of identities on that 365 tenant, but since everyone uses their corp.com email, they access the SharePoint data from their primary corporate identities as GUESTS of the branch's tenant. So the branch tenant has 3 members and 100+ guests.

We perform IT for just the BRANCH, not the corporate structure. Since corporate IT is not interested in changing infrastructure at this time, we would like to convert all the guest identities on the branch tenant to members and we can then leverage technologies like Intune & CA and move them off of their on-premise AD server that is not doing AD Connect. I have a quick script that will do all of that - convert, license, set some properties for all 100 members. Seems okay! After the change, members will have their corporate identity for email, and the branch identity for SharePoint and Windows login.

We've identified a problem, however, with notifications. When you comment on a file in SharePoint, a notification is generated for anyone that participates in that file. The notification is sent from the commenter's identity. Currently, that means notifications come from @corp.com. However, after the change those notifications will come from corp-ny.com. This domain does NOT have an MX record associated with it 😞 and we think this will lead to a LOT of confusion if people try to reply directly to the emails. It might also have the potential(?) to fail email spoofing checks or be flagged as suspicious by email servers. Additionally, the notifications would be sent to their branch identities, which I assume would not deliver. Even if it did deliver and we added an MX record, it would be in an inbox that's not checked by the team.

My question is: Can I mask the notification email to be from "email address removed for privacy reasons" for all of the notifications? Or, can I "spoof" the emails so that they appear to be sent from the corporate identity? Secondly, what's the best way to deal with notifications headed to the wrong inbox? Can a transport rule redirect these emails to their corporate emails?

Getting the content (links and embedded object from Pages in Notebook on SharePoint)
I was able to retrieve the content from a page in a Notebook on SharePoint (via the content_url). After parsing the HTML page, I extracted the text from the page, and URLs from (a href) and embedded objects (object data-attachment - via data attribute). I make a request.get to the URL and pass in the valid token (with all the API permissions set) but I still get a 401 error.

Link URLs:
teams.microsoft.com/file/blabhlbh&filetype=xlsx&objectUrl=https://domain.sharepoint.com/sites/sitename...
https://domain.share.point.com/:w:s/sites/[blahblahblah

Embedded objects URL:
https://graph.microsoft.com/v1.0/siteCollections/domain.sharepoint.com,blahbha,onenote/resources/id/$value

I would like to retrieve the byte content of these documents. Is there a way to retrieve these attachments or links via their URL?

O365 Email Migration to Another Tenant while Deferring Migration of SharePoint files
Hi, this is the context: ChildCompany has O365 and it has an Azure AD in hybrid mode synchronizing to an on-prem AD server. They have an internal domain ChildCompany.com, and an external domain ChildCompany.com where they also receive and send email using O365. ParentCompany is going to absorb the ChildCompany some time in next year, and I was asked about the integration options. According to this https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf I could do a phased migration, where the end state is that they decomm their on-prem AD and that they only use our ParentCompany systems.

The business requirement is to start their integration with email, and then in later phases do the SharePoint integration, as that requires way more analysis on their data sources, as they also have wikis and many other on-prem legacy stuff. They are fewer than 50 users, so I can use Quest migration tools for the email part, but I wonder what needs to happen in what order.

This is what I have in mind: migrate their current O365 into our ParentCompany Office 365 subscription, so that they can continue logging in to their domain-joined Windows machines using childCompany.co, so they start using ParentCompany.com email addresses, but the problem then is how can they continue using their SharePoint and OneDrive resources associated with the Azure and local domain at ChildCompany.com?

This is more or less what I have in mind for the intermediate step, the cutover:

Child Company                                  ParentCompany
---------------------------------------        ----------------------
On-Prem         | MS Cloud:                    | MS Cloud:
----------------|------------------------------|----------------------
Local AD (ADFS) | Azure Subscription           | Azure Sub
                | Azure AD                     | Azure AD
                |----------------------------- |----------------------
                | O365 Sub ->                  | O365 Sub
                | Exchange mailboxes ->        | Exchange mailboxes
                | SharePoint? ->               | ???
                |----------------------------- |----------------------

I wonder how it could be possible to defer the SharePoint and OneDrive migration, so that the child company users can still work on their SharePoint files using their normal auth methods, while disabling childcompany.com as MX so they start using ParentCompany.com mailboxes. Is that even possible? Would it make more sense to try to migrate everything at once? That is way more work, but I'm weighing my options.

Office 365 Guest Accounts - Sharing vs SharePoint Permissions
More people are beginning to use the share functionality in our SharePoint Online instance instead of the traditional way of adding the users to the permissions of the site. One thing we've noticed is, sometimes when a new guest user is added through the share button, they never get any notification email and when they try to access the link, they'll get a user not found error. When this occurs, I'll just have them add the user to the permissions and it works fine. Why is this happening?

Full Migration to MS365
Hello everyone, I'm reaching out for some insights concerning a recent transition we've embarked on. Initially, our business operated with 10 users on Windows Server Essentials 2016, utilizing SSLVPN for remote access via RDP for remote users. All ran smoothly until about a month ago when we took the step to incorporate MS365 Business Premium, coinciding with a slight increase in users, now totaling 12. Given our team's familiarity with the new system and the company's demanding schedule, we decided to phase in the transition. Thus far, I've successfully migrated our emails to MS365 and integrated Teams. Currently, the team still relies on VPN for accessing shared drives. However, we aim to pivot to a setup where access to shared folders is governed via SharePoint, but exclusively for managed devices while blocking all other access points. All our computers are AD-registered. The goal is a full migration to the cloud: transitioning shared folders to SharePoint, user profiles to OneDrive for Business, and utilizing Intune for comprehensive desktop management. I've considered employing a third-party tool, specifically ForensiT, for user migration. Before moving forward, I'd appreciate any feedback or alternative suggestions you might have. Ultimately, we'd like to retire the current server and SSL VPN setup. Thank you for your time and guidance.

Connect-SPOService : Could not authenticate to SharePoint Online
Hi, I am unable to connect to SPO from SharePoint Online Management Shell (6802.1200) using my federated account (no MFA set). I am executing the command:

Connect-SPOService -Url https://TENANTNAME-admin.sharepoint.com

My response is:

Connect-SPOService : Could not authenticate to SharePoint Online https://TENANTNAME-admin.sharepoint.com/ using OAuth 2.0
At line:1 char:1
+ Connect-SPOService -Url https://TENANTNAME-admin.sharepoint.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-SPOService], AuthenticationException
    + FullyQualifiedErrorId : Microsoft.Online.SharePoint.PowerShell.AuthenticationException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService

I am able to connect using a cloud-only account with something like this:

Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $userCredential

Can you please help me to use a federated account to connect to SPO? Thanks

Self-provision guest account to Azure AD from ODFB sharing, but not MS Teams guest invitation
Our tenant currently has "Sharing - Let users add new guests to the organization" set to Off. All the external sharing settings for SharePoint/OneDrive for Business (ODFB) and Microsoft Teams guests are set to on at the maximum permissive level. When users share a file in ODFB to a specific external user who has an external Microsoft account, such as a Hotmail account, or another O365 tenant account, the account will be automatically added as an Azure AD guest. However, in Microsoft Teams when users add a guest user as a Teams member who has a different O365 tenant account, the guest user has to already exist in the Azure AD or it will report no permission. The account cannot be automatically added to Azure AD as a guest user. I wonder how come ODFB can override the tenant level setting "Sharing - Let users add new guests to the organization", which causes the inconsistent behavior and makes it hard to control the guest provisioning? Is there any way to disable this guest account self-provisioning with ODFB but not affect its guest link sharing?

How to add alias domain for all users?
Hi, there's a company with their company's full name as their domain name and a shorter domain name. So, contoso.com and conto.so. They need all their users to have an alias of contoso.com and conto.so to be their primary email address. This way, they can:

- Send/Send as/Receive emails as both domain names for the respective users
- Receive shared files (OneDrive for Business and SharePoint Online) on both domain names for the respective users
- Call as/receive call/book meeting on Skype for Business using both domain names for the respective users
- Send and receive calendar shares or event invitations on both domain names for the respective users

This needs to be automatic, rather than adding the domain alias for each user. How can this be configured? Thanks,

SPO - Guests inviting Guests - No AAD guest account created
Hi All, this lies across two products, Azure B2B and SPO. I'm looking to test the "Allow Guests to Share items they don't own" global SPO control. I've noted with New and Existing Guests on a SPO site that a folder or file can be shared to a guest. During the sharing process, the guest account is created in Azure AD and all is working well with the Azure B2B integration configured. I've then set the allow guests to invite guests - the invitation is sent as expected from one guest to another. However, it looks like the guest inviting another guest doesn't trigger the guest account creation in Azure AD. SPO shows the secondary guest with access to the file, they just can't log in, receiving the "does not exist in tenant" error due to no guest account being created. I am sure it would work if I create a guest account for the user in AAD, however, I was hoping it to be the same as a member sharing to a guest to remove additional overhead. I haven't found any information on this looking through all the docs.microsoft.com articles, is this by design, or does this operate on a really long synchronisation schedule between SPO and AAD? Thanks!