microsoft 365 admin center
993 Topics

Hidden Group and Hidden Group Membership
Hi everyone! I have come across a requirement where the client would like to use an Excel spreadsheet, a service account and application registration to manage group membership for a confidential group. They would like to create a group from which the members cannot leave, see other team members and cannot see the group itself. Now, I have the concept of the flow with me but for the life of me, I cannot get around to finding/configuring a group that meets the requirement. Have you guys come across this sort of scenario?

Group Configuration:
Users should not be able to view the group
Users should not be able to view members of the group
Users should not be able to leave the group

Thanks in advance.

13 Views 0 likes 1 Comment

MTO and access to on premises file system
Let me preface this by saying I'm still fairly new to 365 Admin (it's been a steep learning curve) and haven't even got my feet wet with on premises stuff as yet. Also, I think some of the admin decisions made previously by others may have been based on just repeating what was found to work the first time rather than necessarily a deep understanding of the best solution.

The situation when I arrived on the scene was this (actually it was a bit more complex and messy than this, but this simplified description covers the salient points at this stage):

One tenant, with two domains, call them old-domain and new-domain.

Two types of user, who I will refer to as operations and corporate.

An on premises Active Directory system running a file server. Well, to be more precise, on three premises with mirroring of data and a DFS, but from the user perspective when you're at one of the office locations and connect to the network the same folders are available to you. Everyone was using Azure Joined Company Laptops to do this, so their laptop logins were also their network logins. Outside of the offices people connected to the DFS using a VPN (with three gateways in different countries).

Operations Users had one account, @old-domain. This was licensed for 365 and had a mailbox associated with it. It was also synched to their on premises AD account.

Corporate Users had two accounts, one @old-domain with no license, synched to an on premises AD account. The second was new-domain with a 365 license and mailbox.

If you're scratching your head wondering why two accounts rather than assigning the new-domain email address to the same account, I can't give you a definitive answer as I've never been given one, but for whatever reason when new domains were brought into play on corporate name changes the admins gave them new mailboxes rather than simply aliasing email addresses to the same mailbox (some people had three accounts as a result).
What I did note was that when a new Corporate user was added the admins gave them both of the above accounts, I was told that the unlicensed old-domain one was required for the access to the DFS.

Now for reasons not worth getting into here, a decision was made to move the Corporate users to a new tenant, along with new-domain and then to link the two tenants in a multi-tenant organization. It was also decided to leverage BYOD for Corporate users, so their devices will only be Azure registered. This has been done, there was some pain thanks to the reluctance of Microsoft applications to switch to the new account locations rather than redirecting back to the old tenant, but that's been sorted.

So right now Corporate users still have two accounts, but on two tenants.

On the Old Tenant they have their @old-domain account, no license, no mailbox, synched to the on premises AD (as before).

On the New Tenant they have their new-domain account. This is where they actually do their work, and is the only account anyone should be communicating with internally or externally.

Access to the DFS is being done using the VPN with the on premises credentials associated with the old-domain account.

In terms of functionality, this works perfectly well, people across the two tenants appear in each other's address lists, they can chat and share information etc. Everybody also has access to the folders they should have access to on the DFS.

However there are two issues. The first, and most detrimental in terms of just getting work done is that users in one of the overseas offices have found their access to the DFS has slowed considerably, despite being in physically the same location as the data. I believe the problem is that although the data is on-premises, the VPN gateway is not, therefore data does a round trip from the server, through that gateway IP address at the ISP and back to the user. Since they are in a remote location with poor internet this slows things considerably.
So the first question is, how do we take that loop out of the equation so that when they are in the office they connect more directly to the servers on site? Ideally without having to revert to needing an Azure AD joined device.

The second issue is that those remaining old-domain accounts (the ones for the Corporate users who are now working on the new tenant) on the old tenant are messy, in two ways:

1) From an admin perspective, because every one of those corporate users still has two accounts, their local one that is synched to On Premises AD, and the external account shared from the new tenant as part of the MTO.

2) From a user's perspective. For reasons that I cannot fathom (but this is coming direct from Microsoft after many attempts on my part to find a way) it seems that while you can control which licensed accounts appear on Teams search by controlling whether they are in the GAL and setting the appropriate switch in Teams Admin, all the unlicensed users appear whether you like it or not. The net result is that when someone on the old tenant starts typing in a name of someone in Corporate, they get two suggestions coming up.

So the second question is, are those accounts actually necessary?

19 Views 0 likes 1 Comment

Question About OneDrive "Physical" Storage Location for Microsoft 365 Business Basic Plan
Dear Microsoft 365 Experts, I have a question. I recently signed up for a Microsoft 365 account with the "Microsoft 365 Business Basic" plan, where the domain name ends with "@onmicrosoft.ca" and I selected Canada as my home country. After creating this account, I was pleased to see that Microsoft Teams and Exchange Online are hosted in Canada. However, for OneDrive, the storage location is not specified. Why is the storage location not in Canada? I need to store my data in Canada for work-related compliance reasons. How can I change the OneDrive storage location to Canada?

Thank you!
Mike

12 Views 0 likes 0 Comments

Mismatch between exchange recipients list and mailboxes set up in 365 Admin?
I'm a little new to 365 administration, so please excuse me if I am being a little thick here. I am looking at a 365 Tenant, there are around 100 licensed users (and therefore around 100 mailboxes allocated), but if I go to Exchange admin and look at recipients, there are only 40, including shared mailboxes. My first thought was that perhaps only mailboxes that had actually been used were listed, but I checked one of the "missing" mailboxes in the 365 admin centre and apparently they have 8 Gigabytes of emails in that mailbox. Indeed the same user has three accounts, each with their own license and mailbox (don't ask why, I didn't set this up), I see two of them in the recipients list in Exchange admin. What am I missing?

805 Views 0 likes 13 Comments

Where does Teams get its user list from? I can't make sense of which accounts I see vs which I can't
OK, so I have a currently rather unusual situation. I am looking at a 365 Tenant. A number of users have four accounts on the same tenant (let's not even get into why, cleaning things up is part of the reason I got called in). When you start typing their name into Teams it comes up with three of them as a suggestion (I only want one).

Account 1: has just been used for ActiveDirectory for permissions to the company's Distributed File System (stored in on premises servers in various locations). This account has to the best of my knowledge never had a license or mailbox associated with it, and so has never been on the global address list, it's also never had the Teams app enabled for it. I don't want this one to show, but it does.

Account 2: A now defunct account which used to have a Business Standard license assigned to it, but has now had the license removed. Before the license was removed this account was hidden from the GAL and its Teams app disabled. I don't want this one to show, but it does.

Account 3: A now defunct account which still has a Business Standard license, but with Teams deselected in the Apps. I don't want this one to show... and it doesn't.

Account 4: An account shared via a multi tenant organization (the users in question have been migrated to a new tenant). So these are members (not guests) but external ones. I want this to show, and it does.

Now, accounts 2 and 3 will be deleted soon, whether we can get rid of account 1 depends on whether the necessary access to the DFS can be done using account 4 (which I need to look into next). However for the time being they are all there so I was trying to hide accounts I don't want users trying to message on Teams from Teams, and I cannot make any sense of which I see and which I don't.

To sum up.
Account that has never been on the Global Address List and never been activated for Teams - Shows
Account that used to have a license and was on the GAL, and used in Teams - Shows
Account that still has a license, but has been removed from GAL and had Teams app disabled - Doesn't show
Account that has no license and is not on the GAL, but has Teams on its host tenant - Shows

After a previous inquiry I set "Scope directory search using an Exchange address book policy" in the Teams setup, but I have not set up any specific address book policy as yet. I have tried showing and hiding people from the global address list, and also the "ShowInAddressList" setting in Entra (which seems to only be available through graph?). Nothing seems to make a difference (it doesn't help that Teams takes forever to update its local cache for this stuff, so maybe a change DID make a difference at some point and I missed it). I cannot find any logic as to which of these accounts is showing in the auto suggests and which not, most notably that account 1 shows but account 3 doesn't. So, where is Teams getting its list of contacts from?

53 Views 0 likes 3 Comments

Login problems, continuously getting the same message
Every time I log in on an app I get the same message: "More information required" "Your organization needs more information to keep your account secure". Then I have the options to Use a different account or Learn more. I can just press Next and the message goes away. After that I get another message: "Keep your account secure" "Your organization requires you to set up the following methods of proving who you are." Below that, there is a message: "Success!" "Great job! You have successfully set up your security info. Choose "Done" to continue signing in". "Default sign-in method:" When I press Done, the message goes away. But I keep getting the 2 messages every time I change an app or even a menu option. So to be clear, this happens every time I switch apps, i.e. from Exchange to Azure, to Outlook. When I press "Next" and "Done" I get access to the app. But this is really annoying. What am I doing wrong? I'm the admin of a small company, and I cannot figure out what setting I changed or need to change. The property "Enable Security Defaults" is already set to no.

20K Views 3 likes 16 Comments

Multi Tenant Organization - one shared user not showing up in Global Address List
I set up a multitenant organization with two tenants. Overall it seems right, users can find each other and chat fairly seamlessly on Teams, and shared users appear on the opposite global address list. However, one user is an exception. They appear on their home tenant's Global Address list, but not on the other tenant's (all other shared users appear to). They are members on the other tenant (as are the rest of the shared users), and are not set as hidden on a global address list anywhere I can see. I can't see anything different about them in any way. They were neither the first nor the last to be shared, and I have tried unsharing then sharing them again. They can however be found on Teams by typing their name. Probably not related, but I will point out that the one other thing I have not managed to get working is a "chat" link on people's Outlook directory listings. None of the shared users have one, despite being chatable with on Teams. Any idea where I might look for the culprit?

86 Views 0 likes 3 Comments

I've set up a Multi Tenant Organization, but I'm not sure if the user contact information is correct
I have two 365 tenants (divisions of the same company) that want to be able to communicate as seamlessly as possible without merging the tenants. Now from what I could read and see on videos, a Multi Tenant Organization was the way to achieve this. I've found a number of YouTube videos explaining how to set one up (easy enough it seemed) but none that really showed the effects of this (I think they are pitched at people who probably have experience of B2B collaboration in 365) so I'm not sure exactly what I should expect.

Anyway, I set up the MTO, shared a few users, and also found the "External Access With Trial Tenants" setting (one of the tenants is new, and so still in the trial period). I see the users show in the user lists, with the expected EXT address and a "No" for the "Guest" column, and they appear in each other's "Default Global Address List" in Outlook... so far, so good. I seem to be able to instigate chats within Teams, which is good. But if I look at their profiles in Outlook or Teams, then they always seem to show as offline unless I've got an active chat going on with one, and there is "chat" link for them. I don't know because so far I haven't found anything that shows, from the user perspective, the result of a correctly set up MTO.

So should I expect the status of a synced user to show their actual connection status to their tenant? So far they haven't unless I've instigated a chat, and in that case the recognition of the other party being connected only seems to go one way, so only one of the two parties in a cross tenant chat shows as connected in their respective tenants. And should there be a "Chat" link? (there isn't)

Note: the above is the profile of a local user who was actually offline, not one synchronized in from another tenant. I just used that as it could illustrate the two parts I have questions about.

152 Views 0 likes 3 Comments

Microsoft 365 Windows 11 external user or guest user sign in
Consider the following situation: CompanyA has a Microsoft 365 tenant with licensed users. CompanyA has a business relationship with CompanyB which also has a Microsoft 365 tenant. All of CompanyB's Windows 11 Pro computers are Entra ID joined and Intune enrolled. All of CompanyB's users have Microsoft 365 Business Premium licenses. An employee of CompanyA is stationed at CompanyB's office and needs to use one of CompanyB's computers as his primary computer. How would a technician have to configure things so that CompanyA user can sign into CompanyB's Windows 11 Pro computer and work like normal? I've done some reading online but most of the articles focus on access to cloud resources, whether that be Microsoft Teams or Entra Enterprise Apps or similar resources. I haven't found an article touching on Windows 11 sign in.

Matthew

82 Views 0 likes 1 Comment

A little confused by multi-tenant organization and teams
I've recently set up a Multi Tenant Organization with two Tenants, and set a few users to sync between the two. They all show up correctly in the opposite tenant users list in the admin centre, though sometimes it takes a while. Some seem to be added to the global address directory, but not others (I think possibly the first I added was, later additions are not). But most crucially, they do not seem to come up as people to do Teams chats with, which is the most required feature. I'm guessing there is something I haven't set correctly, or some manual sync I am not running, but the example videos all seem to stop at showing that the user has appeared in the other tenant as a member, there's nothing showing how to then make use of this fact (such as including them in a Teams chat). Can anybody point me in the right direction?

96 Views 0 likes 2 Comments