security
33 Topics

Empowering Nonprofits to Strengthen Digital Defenses

Did you know October is Cybersecurity Awareness Month? It’s the perfect time for nonprofits to strengthen their digital defenses and build a culture of security. This year’s theme—“Cybersecurity first, stay safe always”—is a powerful reminder to prioritize digital safety in every aspect of your mission. Whether you're protecting donor data, securing service delivery systems, or educating your team, cybersecurity is foundational to trust, resilience, and impact.

What to Expect in October

Throughout the month, Microsoft Elevate will be sharing a curated collection of resources designed to help nonprofit organizations build awareness, strengthen defenses, and elevate cybersecurity capabilities across their teams. Please see the resources below to explore and share with your teams:

- Cybersecurity Awareness Month Website - Explore best practices, infographics, videos, guidance tailored for organizations and individuals—and discover training and learning resources to build cybersecurity skills.
  Live: October 1, 2025
  Link: https://aka.ms/CybersecurityAwareness
- Be Cybersmart Kit - Infographics and tips to help your team stay secure in the age of AI.
  Live: October 1, 2025
  Link: https://aka.ms/BeCybersmartKit

Skilling Opportunities for Nonprofit Teams

Cybersecurity is a shared responsibility. These free learning pathways and scholarship programs are designed to build skills and confidence across your organization:

- Career Essentials in Cybersecurity – LinkedIn Learning pathway with certification
  Link: https://aka.ms/Cyber-Pathway
- Securing You – MS Learn Pathway – Basics and Zero Trust modules
  Link: https://aka.ms/Cybersecurity_PreFundamentals
- Women in Cloud – Coursera access, mentorship, and certification vouchers for women in the US
  Link: https://aka.ms/WiC
- Last Mile Education Fund – Scholarships for US community college students pursuing cybersecurity careers
  Link: https://aka.ms/Cyber-Scholarship

Why It Matters for Nonprofits

Nonprofits are trusted stewards of sensitive data and critical services. Cybersecurity isn’t optional—it’s essential. By participating in Cybersecurity Awareness Month, you’re not just protecting your systems—you’re protecting your mission.

A Final Word

Cybersecurity isn’t just a technical priority—it’s a mission-critical responsibility. For nonprofits, safeguarding digital assets means protecting the communities you serve, the trust you’ve built, and the impact you strive to make every day. This October, let’s move beyond awareness and into action. With the right tools, training, and support, your organization can lead with confidence and resilience in an increasingly digital world. Together, we can make cybersecurity second nature—because when nonprofits stay secure, missions thrive.

What’s Next

As Cybersecurity Awareness Month continues, we’ll be spotlighting key insights from the upcoming Microsoft Digital Defense Report - a trusted annual resource that dives deep into emerging threats, evolving attack patterns, and actionable strategies tailored for nonprofits. This follow-up feature will offer timely intelligence to help your organization refine its security posture and stay ahead of the curve.

Together, we can ensure nonprofits stay secure—so their missions continue to change lives.

SharePoint and Power Apps: Managing Roles and Permissions
One of the key aspects of SharePoint security is managing permissions at the list or item level, which allows you to control who can view or edit the data. This granular control is essential for maintaining the integrity and confidentiality of sensitive information within your organization. By effectively managing permissions, you can ensure that only authorized personnel have access to specific data, thereby reducing the risk of unauthorized access. Whether you choose to restrict access to the entire list for simplicity or use item-level permissions for more advanced scenarios, SharePoint provides the tools you need to keep your data secure.

Restrict Access to the Entire SharePoint List

This happens in SharePoint itself, not Power Apps. You need to manage permissions at the list or item level:

1. Go to your SharePoint site > Open the List.
2. Click on the gear ⚙️ > List settings.
3. Under Permissions and Management, click Permissions for this list.
4. Stop inheriting permissions (click the ribbon command: Stop Inheriting Permissions).
5. Remove default access groups (like "Members" or "Visitors").
6. Add a specific SharePoint group or individuals who should have full access—an admin or manager, not end users.

End users will only interact with the list through Power Apps — they don’t need direct list access.

Please keep in mind that if users need to edit entries, they must have access to the list. Without proper permissions, they won't be able to see or edit the list. The next user permissions option is ideal for users who need to edit their own entries.

Use Item-Level Permissions in SharePoint

This is only advisable if you can enforce it consistently:

1. Go to List settings > Under Advanced settings.
2. Scroll to Item-level Permissions.
3. Choose:
   ✅ Read access: Only their own
   ✅ Create and Edit access: Only their own

This works well only if users are submitting forms (e.g., time-off requests) that shouldn’t be visible to others.

Prevent Users from Viewing or Editing Power App Code

This is configured through Power Apps and Microsoft Admin Center.

Limit Who Has Access to Edit the App

In Power Apps Studio:

1. Go to File > Share.
2. Remove or do not add users as Co-owners.
3. Instead, share as Users only — give them “Can use” permission.

Use Environment Roles (Dataverse or Environment Scope)

In the Power Platform Admin Center (https://admin.powerplatform.microsoft.com):

1. Go to Environments > Click your environment > Security roles.
2. Set roles so users:
   - Are not Environment Admins or Makers.
   - Only have User roles in production environments.

Summary of What to Check:

| Task | Where | Goal |
|---|---|---|
| Limit list access | SharePoint List Settings | Prevent users from directly viewing data |
| Use item-level permissions | SharePoint Advanced Settings | Let users only see/edit their own submissions |
| Limit app editing | Power Apps Share Panel | Ensure only owners can edit |
| Secure environment roles | Power Platform Admin Center | Block access to Maker/Admin capabilities |

The Role of Secure Sockets Layer (SSL) Certificates in Nonprofit Organizations
At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact. Click here to learn more.

What Is an SSL?

Think of an SSL as a security guard for your website. It encrypts the connection between your website and your visitors, ensuring that sensitive data—like donor names, credit card numbers, and contact details—remains private and secure. When you visit a website with an SSL, you'll notice a padlock icon in the browser's address bar and the URL starting with "https://" instead of "http://." These small details signal to visitors that your site is secure and trustworthy.

For nonprofits, this layer of security isn't just a nice-to-have; it's a must. Nonprofits handle sensitive donor information, from payment details to personal data. Without an SSL, you risk exposing this data to hackers, which can erode trust and harm your reputation.

How to Purchase an SSL for Your Nonprofit

Acquiring an SSL certificate is easier than you might think. Here’s a step-by-step guide to get you started:

1. Determine Your Needs: Decide what type of SSL certificate works best for your organization. Options include single-domain SSLs (for one website), wildcard SSLs (for a website and its subdomains), and multi-domain SSLs (for multiple sites).
2. Choose a Trusted Provider: Reputable SSL providers like DigiCert, GlobalSign, and Let’s Encrypt offer certificates tailored to various needs. Let’s Encrypt, for instance, provides free SSL certificates that are particularly appealing for budget-conscious nonprofits.
3. Purchase or Obtain Your SSL: If you're opting for a paid SSL, simply purchase it from your chosen provider. For free options like Let’s Encrypt, follow the instructions on their website to generate your certificate.
4. Install the SSL: Most hosting providers make this step straightforward. Platforms like GoDaddy, Bluehost, and SiteGround often include SSL installation as part of their hosting services. If you’re unsure, tech support teams are generally happy to assist.
5. Test Your SSL: Once installed, check that your website is displaying the padlock icon and "https://" in the URL. You can use online tools like SSL Labs’ SSL Test for additional reassurance.

SSL Implementation: Easier Than You Think

Some nonprofit leaders worry that implementing an SSL might be too technical or costly. The truth? It’s neither. Most hosting providers simplify the process, offering one-click SSL installation or including SSLs as part of their hosting packages. Free options like Let’s Encrypt further reduce barriers, making SSLs accessible to organizations of all sizes.

Effortless Security with Let’s Encrypt and Cert Manager

For nonprofits seeking budget-friendly and straightforward solutions, Let’s Encrypt stands out as a beacon of accessibility and innovation. As a free, automated, and open certificate authority, Let’s Encrypt empowers organizations to secure their websites without incurring additional costs. With just a few simple steps, nonprofits can acquire SSL certificates that enhance their credibility and shield sensitive donor information.

Pairing Let’s Encrypt with Cert Manager, an efficient tool designed to manage TLS certificates in Kubernetes clusters, further simplifies the process. Cert Manager automates the provisioning, renewal, and deployment of SSL certificates, reducing the burden on technical teams and ensuring continuous website security. Together, these tools form a powerful combination, making SSL implementation accessible to nonprofits regardless of their technical expertise.

Want to dive deeper into the world of Let’s Encrypt and Cert Manager? Check out their official resources:

- Let’s Encrypt Documentation
- Cert Manager - Microsoft Learn

Want to know how to add and manage an SSL certificate via Azure App Service? Click Here

By leveraging these user-friendly tools, nonprofits can fortify their websites and focus on their mission without being bogged down by technical hurdles.

Troubleshooting SSL Certificate Issues

Even with the best setup, SSL certificates can occasionally encounter problems. For nonprofits relying on a secure site to build trust, addressing these issues promptly is essential. Here’s a guide to troubleshoot common SSL certificate issues and ensure your website remains protected:

Expired Certificates

Problem: SSL certificates have a limited validity period, typically ranging from 90 days (for free options like Let’s Encrypt) to a few years. If your certificate expires, browsers will display a warning, potentially deterring visitors.

Solution:
- Log in to your SSL provider’s dashboard and check the expiration date of your certificate.
- Renew the certificate through your SSL provider or hosting provider. Many providers offer auto-renewal options to avoid future expirations.
- Reinstall the renewed certificate on your hosting platform and test the site to verify functionality.

Mismatched Domain Names

Problem: The SSL certificate must match the exact domain name being accessed. For example, if your certificate is issued for "www.example.org" but users visit "example.org" (without the "www"), browsers may flag the site as insecure.

Solution:
- Check the domain name listed on your SSL certificate to ensure it matches your site’s URL.
- If mismatched, update the SSL certificate to include all domain variations (e.g., "www" and non-"www"). Multi-domain or wildcard SSL certificates can cover these variations.
- Set up a proper domain redirection (e.g., redirect "example.org" to "www.example.org") to ensure consistency in how your site is accessed.

Browser Errors

Problem: Visitors might encounter errors like “Your connection is not private” or “SSL certificate error” due to incorrect SSL installation or configuration.

Solution:
- Use online tools like SSL Labs’ SSL Test to diagnose issues with your certificate setup.
- Ensure the entire certificate chain, including intermediate and root certificates, is installed correctly. Many hosting providers guide you through this process or offer automated installations.
- Clear your browser’s cache and history, as outdated data can sometimes cause erroneous warnings.

Mixed Content Warnings

Problem: A secure site might still display warnings if it loads insecure content (e.g., images or scripts served over HTTP instead of HTTPS).

Solution:
- Scan your website for mixed content using tools like WhyNoPadlock or your browser’s developer tools.
- Update all URLs on your site to use HTTPS. This often involves updating your CMS settings or modifying your theme files.
- Implement a Content Security Policy (CSP) to ensure all content is served securely.

Misconfigured Server Settings

Problem: Incorrect server configurations can prevent the SSL certificate from functioning as intended.

Solution:
- Verify your server settings through your hosting provider’s control panel or documentation.
- Ensure that HTTPS is enforced by enabling a redirect from HTTP to HTTPS on your server.
- If you’re using a content delivery network (CDN), ensure that the SSL is correctly configured both on your server and the CDN.

Revoked Certificates

Problem: Certificates can be revoked by the issuing authority due to security breaches or errors in issuance.

Solution:
- Check the certificate’s status using tools like Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP).
- If your certificate has been revoked, contact your SSL provider to understand the reason and obtain a new certificate if necessary.

By proactively addressing these common SSL certificate issues, your nonprofit can maintain a secure and trustworthy online presence, ensuring a seamless experience for your supporters.

Take Action Today

Securing your nonprofit’s website with an SSL is one of the simplest and most impactful steps you can take to protect your donors and build trust with your supporters. Beyond security, it shows your commitment to transparency and professionalism—values that resonate deeply with your audience.

To enhance your online security even further, we encourage you to dive deeper into the world of SSL certificates. Researching additional resources and staying informed about the latest updates can help you implement best practices and avoid common pitfalls. Explore guides and expert recommendations tailored to nonprofits to ensure your website remains secure and trustworthy.

Don’t wait to make this critical update. Whether you're a small grassroots organization or a global nonprofit, an SSL certificate can strengthen your digital presence and help you achieve your mission. Ready to get started? Reach out to your hosting provider or explore SSL options today.

For further reading, check out these links:

- Guide to Choosing the Right SSL Certificate
- Common SSL Issues and How to Fix Them

Your supporters—and their data—will thank you.

Exciting News for Nonprofits: Enhanced Security with Microsoft Enterprise E5 Add-On!
What Does the E5 Security Add-On Include?

The Microsoft Enterprise E5 Security add-on offers advanced security capabilities, including:

- Microsoft Entra ID Plan 2: Advanced identity protection and governance.
- Microsoft Defender for Identity: Real-time identity threat detection and response.
- Microsoft Defender for Endpoint Plan 2: Comprehensive endpoint security.
- Microsoft Defender for Office 365 Plan 2: Enhanced email and collaboration security.
- Microsoft Defender for Cloud Apps: Cloud application security and monitoring.

* Please note that at the time this article was written, Microsoft's nonprofit grant included Business Premium licenses. Currently they are no longer free but offered at a nonprofit discount.

In-Depth Look at E5 Security Add-On Features

1. Microsoft Entra ID Plan 2 (formerly Azure AD Premium P2)

What it is: An advanced identity and access management (IAM) solution with capabilities beyond standard Entra ID.

Key Benefits for Nonprofits:
- Conditional Access & Risk-Based Policies: Detect risky sign-ins automatically and apply controls like MFA or block access.
- Identity Protection: Uses machine learning to detect user and sign-in risks, helping prevent account takeovers.
- Privileged Identity Management (PIM): Provides just-in-time access to admin roles, reducing exposure to privileged account misuse.
- Governance & Compliance: Automates entitlement reviews and helps ensure appropriate access to resources.

2. Microsoft Defender for Identity

What it is: A cloud-based solution that monitors and secures your identity within your organization.

Key Benefits for Nonprofits:
- Real-Time Threat Detection: Identifies lateral movement, privilege escalation, and other advanced threats within your network.
- Insider Threat Detection: Highlights risky behaviors from internal users, mitigating potential insider threats.
- Attack Surface Reduction: Detects brute force attacks, pass-the-hash, golden ticket attacks, and other identity-related threats.

3. Microsoft Defender for Endpoint Plan 2

What it is: An endpoint detection and response (EDR) solution to secure servers, desktops, and mobile devices.

Key Benefits for Nonprofits:
- Threat & Vulnerability Management: Detects and prioritizes software vulnerabilities for remediation.
- Behavioral Analytics: Uses AI and threat intelligence to flag abnormal activities on endpoints.
- Automated Investigation & Response: Reduces the load on IT staff by automating threat investigations and remediations.
- Cross-Platform Protection: Protects Windows, macOS, Linux, iOS, and Android devices.

4. Microsoft Defender for Office 365 Plan 2

What it is: An advanced security solution for email, Teams, and other Microsoft 365 collaboration tools.

Key Benefits for Nonprofits:
- Threat Investigation & Hunting: Enables proactive threat hunting across email and collaboration platforms.
- Attack Simulation Training: Simulates phishing and other attacks to train staff on security awareness.
- Automated Incident Response: Automatically responds to and remediates malicious emails and collaboration-based threats.
- Safe Links & Safe Attachments: Protects users from malicious links and harmful file attachments.

5. Microsoft Defender for Cloud Apps

What it is: A cloud access security broker (CASB) that monitors and protects SaaS applications.

Key Benefits for Nonprofits:
- App Discovery & Shadow IT Detection: Identifies unsanctioned or unmanaged apps used by staff.
- Data Loss Prevention (DLP): Helps prevent accidental or malicious leaks of sensitive data across cloud apps.
- Threat Protection: Detects suspicious behaviors in cloud applications, such as unusual login locations or mass file downloads.
- Compliance Monitoring: Helps organizations enforce compliance policies across cloud platforms.

Why Is This Important?

The E5 Security add-on offers nonprofits enterprise-grade security tools that enable them to detect, investigate, and respond to threats with greater speed and confidence. It allows organizations to proactively manage identity security, secure devices, and protect communications and data across cloud applications. By adopting these advanced solutions, nonprofits can build resilience against evolving threats and maintain the trust of their communities and stakeholders.

Valuable Training for Nonprofits

One of the most valuable features for nonprofits is access to cyber-attack simulation training. This training provides a safe and controlled environment to simulate real-world cyber-attacks, helping to train employees in recognizing and responding to threats.

How to Get Started

Nonprofits can easily add the E5 Security to their existing Business Premium licenses for $12 per user per month. This add-on ensures that your organization is equipped with the latest security tools to protect against evolving threats. For more information on how to access this add-on, visit Cybersecurity for small and medium business | Microsoft Security and Add Microsoft 365 E5 Security to your Microsoft 365 Business Premium subscription - Microsoft Learn.

Empower your nonprofit with the best security solutions and continue making a positive impact in your community!

What’s Included with Microsoft’s Granted Offerings for Nonprofits?
Are you a nonprofit looking to boost your impact with cutting-edge technology? Microsoft is here to help! From free software licenses to guided technical documentation and support, this program offers a range of resources designed to empower your organization. In this blog, we’ll dive into the incredible tools and grants available to nonprofits through Microsoft, showing you how to make the most of these generous offerings. Whether you’re managing projects or just trying to simplify your day-to-day tasks, there’s something here for everyone. Let’s explore what’s possible!

Privileged Identity Management + Just-in-Time Access: Grant Access Only When It’s Needed
At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact. Click here to learn more.

Why always-on admin access is so last season

That’s where Privileged Identity Management (PIM) and Just-in-Time (JIT) access come in. These powerful tools help nonprofits like yours give the right people access at the right time—no more, no less. It’s smart, secure, and surprisingly simple. Let’s break down what these tools do, and how they can help protect your organization without getting in the way of the amazing work you do every day.

So, what is PIM and JIT—like, really?

Think of Privileged Identity Management (PIM) as your organization’s VIP list—the folks who have elevated access to do high-level stuff like reset passwords, access financial data, or make major system changes. Now, here’s the twist: with Just-in-Time (JIT) access, no one stays on the VIP list forever. Instead, they request access when they need it—and lose it when they don’t. It’s like giving someone the keys to the office only when they need to go in, rather than letting them walk in 24/7.

Why should nonprofits care?

Because you're dealing with sensitive data—donor info, volunteer lists, grant applications—and you’re probably working with a lean team wearing many hats. That means it’s easy for someone to get elevated access “just in case” and never lose it. That’s risky business. Enter PIM + JIT = Peace of Mind.

Real-life use case #1: The “Finance Volunteer” Scenario

Let’s say you have a seasonal volunteer who helps with your annual fundraising campaign. They need access to your donor database and financial reports for two months. Normally, you'd assign them a high-level role and forget about it. With PIM, you give them eligible access, not active access. They request what they need, when they need it—and only for a set amount of time. Once they’re done, the access vanishes automatically. No more “Oops, I forgot they still had access six months later.”

Real-life use case #2: The “IT Consultant” You Hired Once

You brought in an external IT consultant to help set up your new Microsoft 365 environment. They needed global admin rights (eek!) for just a few days. Instead of giving them full access that lingers forever, you assign them a role through PIM with JIT access. They activate their access, do their job, and then—poof—it’s gone. You can even require multi-factor authentication and approval workflows before access is granted. You’re still in control.

Bonus Perks You’ll Love

- Audit logs – Know who accessed what and when.
- Notifications – Get alerted when someone activates elevated access.
- Time limits – Set access to expire automatically.
- Approvals – Make sure someone signs off before access is granted.

Final Thoughts

Security doesn’t have to be boring or burdensome. Tools like PIM and JIT are built right into Microsoft 365 (hello, E5 license!) and help you strike the perfect balance between productivity and protection.

Here’s the best part for nonprofits: Microsoft gives eligible nonprofit organizations 10 free Microsoft 365 Business Premium licenses—which already include powerful security features like Defender for Business and Intune. To unlock PIM and JIT, you’ll need Microsoft Entra ID Plan 2, which is included in Microsoft 365 Enterprise E5 licenses. But no worries—you can add this advanced level of protection as an affordable add-on to your Business Premium licenses. So yes, your nonprofit can absolutely step up to enterprise-grade security—without paying enterprise-grade prices.

Your nonprofit is doing amazing work—let’s make sure your data and systems are just as amazing (and secure).

How to Enable PIM and JIT Access in Microsoft Entra

Ready to level up your security with PIM and JIT? Follow these steps to get started:

Step 1: Sign In
Go to the Microsoft Entra admin center at entra.microsoft.com and sign in with a Global Administrator or Privileged Role Administrator account.

Step 2: Navigate to PIM
- In the left-hand menu, select Identity Governance.
- Click on Privileged Identity Management.

Step 3: Manage Microsoft Entra Roles
Under the Manage section, click Microsoft Entra roles.

Step 4: Assign Roles with JIT (Eligible) Access
- To assign roles, select Assign Eligibility.
- Choose the role you want to manage (e.g., Global Administrator, User Administrator, etc.) or select + Add assignments and select a role there.
- Apply the scope: this defines where the role applies.
  - Directory Scope: Grants access across the entire Microsoft Entra directory (tenant). Use this for org-wide roles like Global Administrator or User Administrator.
  - Application Scope: Limits access to a specific registered application (like a third-party app or a custom-built app). Assign roles here when managing permissions for app-specific access.
  - Service Principal Scope: Applies the role to a specific service principal, which represents the identity used by an app or automation to access resources. Use this when assigning roles to automation accounts, scripts, or non-user entities.
- Assign to a username or group.
- When assigning roles in PIM, you can choose between two types:
  - Eligible: The user does not have the role by default, but they can activate it when needed. This is ideal for Just-in-Time (JIT) access and is the most secure option.
  - Active: The user has the role assigned permanently and doesn't need to request or activate it. Use this only when ongoing access is absolutely necessary.
- Choose whether the assignment is permanent or for a specific time frame.
- Click Assign to save.

Step 5: Users Activate Roles When Needed (JIT Access)
When a user needs to perform an admin task:
- They go to the Privileged Identity Management section.
- Find their eligible role and click Activate.
- Complete any required justification, MFA, or approval steps.

Step 6: Approvers Review Activation Requests (Optional)
If you’ve set up approvals: Approvers will receive a notification and can review/approve requests directly from the PIM portal.

Step 7: Stay Compliant and Secure
- Regularly review role activations and audit activity logs.
- Adjust role assignments as needed to maintain least-privilege access.

Additional Resources:
- Assign Microsoft Entra roles in PIM
- Assign eligibility for a group in PIM
- Built-in roles in Microsoft Entra

Understanding DNS: A Nonprofit's Guide to Website Security and Accessibility
At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact. Click here to learn more. What is DNS? DNS, or Domain Name System, is often referred to as the internet's "phonebook." Think of it this way: when you want to visit a website, like www.example.org, you type in the domain name. However, computers don’t understand domain names—they communicate using numbers, called IP addresses, like 192.168.1.1. DNS acts as the translator, converting the user-friendly domain name into the machine-friendly IP address, ensuring you land on the correct website. For example, if you type in your nonprofit’s domain, let’s say www.mycharity.org, the DNS system takes that name, finds the matching IP address, and directs the internet to deliver your website to the user. Without DNS, navigating the web would mean memorizing strings of numbers for every site you wanted to visit—something no one wants to do! Why DNS Matters for Nonprofits A reliable DNS is essential for nonprofits for several reasons: 1. Website Accessibility Your website is often the first point of contact for donors, volunteers, and the communities you serve. If your DNS isn’t functioning correctly, it can lead to downtime, making your site inaccessible. This can result in lost donations, missed opportunities, and frustration for users trying to learn more about your mission. 2. 
Security A secure DNS setup helps protect your website from cyber threats like phishing attacks or DNS hijacking, where bad actors redirect users to malicious websites. A compromised DNS can damage your nonprofit’s reputation and erode trust among your supporters. 3. Improved User Experience A fast DNS ensures that your website loads quickly. Slow load times can frustrate users and may even discourage potential donors or partners from exploring your site further. Common DNS Issues Nonprofits Face—and How to Fix Them Let’s look at some common DNS-related problems and their solutions: 1. Website Downtime Issue: Your website suddenly goes offline, and users cannot access it. Solution: This could be due to an expired domain or issues with your DNS provider. Make sure your domain name is renewed promptly and work with a reputable DNS provider that offers high reliability and uptime guarantees. 2. Misconfigured DNS Records Issue: Users report being redirected to the wrong website or encountering errors. Solution: Double-check your DNS records, particularly the A records (which map your domain to your IP address) and CNAME records (used for subdomains). Tools like DNSChecker.org can help you verify your configurations. 3. Slow Load Times Issue: Your website loads slowly, frustrating potential donors. Solution: Invest in a DNS provider with a global network of servers. This ensures faster resolution times, especially for users accessing your site from different parts of the world. 4. Security Threats Issue: You suspect your DNS may have been hijacked or compromised. Solution: Implement DNSSEC (DNS Security Extensions) to add an extra layer of protection. Additionally, enable two-factor authentication on your DNS management account to prevent unauthorized changes. Tips for Nonprofits to Manage Their DNS Effectively Managing your DNS may sound intimidating, but with the right approach, it can be straightforward. 
Here are some tips to help your nonprofit succeed:

• Choose a Reliable DNS Provider: Look for providers with strong uptime records, robust security features, and excellent customer support.
• Regularly Monitor Your DNS Settings: Periodically check your DNS records to ensure everything is configured correctly and no unauthorized changes have been made.
• Educate Your Team: Make sure your staff or volunteers understand the basics of DNS and know who to contact in case of an issue.
• Enable Automatic Renewals: Avoid domain expiration by enabling automatic renewals for your domain registration.
• Backup Your Settings: Keep a record of your DNS settings so you can quickly restore them if needed.

Conclusion

In today’s digital age, having a reliable and secure DNS is crucial for nonprofits. It ensures your website remains accessible, secure, and user-friendly, helping you better serve your community and achieve your mission. By understanding how DNS works and addressing issues proactively, your nonprofit can create a strong online presence and build trust among your supporters.

Remember, you don’t have to be a tech expert to manage your DNS effectively. With the right resources and support, you can empower your organization to navigate the world of DNS with confidence.

Efficiently Removing Inactive Guest Users in M365/Azure
Many organizations forget to offboard their guest users. Whether students drop out, graduate, or are removed from the program, their guest accounts often linger in your tenant—quiet, forgotten, and potentially risky. Let’s talk about why it matters and what you should be doing about it.

The Hidden Risk of Inactive Guest Users

It’s easy to think of guest users as harmless—after all, they’re just there temporarily, right? But the reality is that each inactive user is an open door. A door that, if left unlocked, could be used by someone with bad intentions. Here’s why:

• Their credentials may be compromised elsewhere. If a former student reused a password or their email account is breached, an attacker could gain access to your tenant through their still-active guest account.
• They may retain access to sensitive files. Even if you think they’ve moved on, inactive users might still be able to view shared documents, recordings, or internal communication threads.
• Your organization becomes a bigger target. The more accounts you have—especially inactive or unmonitored ones—the more surface area an attacker can exploit.

Nonprofits are particularly vulnerable. You’re working hard to do good in the world, but limited time, resources, and staff often mean security takes a back seat.
That’s why it’s critical to develop lightweight, repeatable processes that protect your community and your mission.

Guest Access Shouldn’t Be Set and Forget

Inviting students into your tenant helps them feel part of something bigger. But just as important as the welcome is the send-off. Not everyone who starts the program finishes it, and not everyone who finishes needs continued access to your resources. Here are a few things to consider:

• Do you have a system to track who’s still active?
• Are you reviewing guest user activity periodically?
• Do you know how to remove or disable users when they’re no longer part of the program?

If the answer to any of these is “no,” you’re not alone—and you’re not too late.

The Benefits of Cleaning Up Your Tenant

Beyond improving your security posture, removing inactive guest users can:

• Keep your environment organized. It’s easier to manage active cohorts when your tenant isn’t cluttered with outdated accounts.
• Reduce licensing conflicts. Even though guest users don’t typically consume licenses, having too many users can complicate group access, permissions, and automated workflows.
• Show respect for your participants. Offboarding users when their participation ends is a sign of professionalism—and it protects their data, too.

Up Next: How to Remove Inactive Guest Users

Now that you understand why it's important to remove inactive guest users, the next step is knowing how. Fortunately, Microsoft 365 provides built-in tools and settings to help you manage and clean up guest access safely and efficiently. In our next section, we’ll walk you through a step-by-step guide to identify and remove inactive guest users from your tenant.

How to Create a Dynamic Group for Guest Users in Microsoft Entra ID

The first thing we need to do is create a dynamic group for guest users. This step is important because dynamic groups automatically include users based on specific attributes—in this case, identifying anyone with a user type of "Guest."
Instead of manually adding or removing users from a group each time someone joins or leaves your program, dynamic groups keep everything up to date for you. It’s a simple way to ensure your access management stays clean, organized, and secure.

Step-by-Step Instructions

Sign in to the Microsoft Entra admin center
You’ll need to access the admin portal to manage groups and set up dynamic rules. Go to https://entra.microsoft.com and log in with your admin credentials > navigate to Manage Entra ID.

Access the Groups section
This is where all your groups are managed within Entra ID. In the left-hand menu, select Groups under the “Manage” section.

Create a new group
This begins the process of defining your dynamic group. Click + New group to start creating a new group from scratch.

Configure group settings
You’ll choose the group type, give it a name, and specify that it will use dynamic membership. Select Security as the group type, enter a name (like "Guest Users"), and choose Dynamic User under Membership type.

Add dynamic membership rule
This is where you set the condition that defines who will be in the group. Under Dynamic user members, click Add dynamic query to build a rule based on user attributes.

Define the membership rule
We’ll configure the rule so that it targets users where the userType equals Guest. Select + Add expression > set the Property to userType, Operator to Equals, and Value to Guest.

Add second expression to filter active guests
This ensures only active guest accounts are included. Click Add expression again > set the Property to accountEnabled, Operator to Equals, and Value to true.

Validate the rules
This helps confirm that your rule works as intended before applying it. Select Validate Rules > click + Add users and choose a guest user from the list.

Save the dynamic rule
Once your conditions are set, saving them will apply the logic to the group. Click Save to finalize the rule and return to the group creation screen.
Create the group
Review all the settings and create the group so it begins auto-populating. Click Create, and your dynamic group will now include all guest users automatically.

Navigate back to the group tab > select Dynamic Groups > and select your group to view the members and verify all guest users have been added.

We're not done just yet! Now let's automate the review and removal of inactive guest users.

🔍 How to Set Up an Access Review for Inactive Guest Users in Microsoft Entra ID

After establishing a dynamic group for guest users, the next crucial step is to regularly review their activity. Access reviews in Microsoft Entra ID allow you to automate the process of identifying and removing inactive guest users, thereby maintaining a secure and compliant environment.

Step-by-Step Instructions

Access the Identity Governance section
In the Azure search bar, type and select Identity Governance, then click on Access Reviews.

Initiate a new access review
Click on + New access review to start the configuration process.
Select what to review
• Resource type: Choose Teams + Groups
• Review scope: Select Select Teams + groups
• Group selection: Choose the dynamic group you previously created for guest users
• Scope: Set to Guest users only
• User scope: Check the box for Inactive users only
• Days inactive: Specify the number of days (e.g., 30) to define inactivity

Configure the review settings
• Reviewers: Select Selected user(s) or group(s)
• Users or Groups: Select your desired reviewer(s)
• Duration: Set the number of days the review will be open (e.g., 5 days)
• Recurrence: Choose the frequency (e.g., monthly, quarterly) or set it as a one-time review
• Start date: Specify when the review should begin
• End date: Define when the review should end or select Never for ongoing reviews

Set up review settings
• Auto apply results to resource: Enable this to automatically apply the review outcomes
• If reviewers don't respond: Choose Remove access or Take recommendations to revoke access for users not reviewed
• Action to apply on denied guest users: Select Block user from signing in for 30 days, then remove user from the tenant

Configure advanced settings (optional)
• Justification required: Require reviewers to provide reasons for their decisions
• Email notifications: Enable to send notifications to reviewers at the start and end of the review
• Reminders: Set up reminders for reviewers during the review period
• Additional content for reviewer email: Add any specific instructions or information for reviewers

Review and create the access review
• Name: Provide a descriptive name for the access review
• Description: Optionally, add details about the purpose of the review
• Review: Ensure all settings are correct
• Create: Click Create to initiate the access review

Managing guest access might feel like a behind-the-scenes task, but it plays a frontline role in protecting your nonprofit’s data, resources, and reputation.
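To see the inactivity criterion from the steps above on data you can inspect, the added example below (not code from the post or from Microsoft) flags enabled guest accounts with no sign-in for a given number of days. It runs on a constructed list shaped like Microsoft Graph user objects (userType, accountEnabled, createdDateTime, signInActivity); measuring never-signed-in guests from createdDateTime is this example's own assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Microsoft Graph user objects; every name,
# UPN and date below is invented for this example.
SAMPLE_USERS = [
    {"userPrincipalName": "ana_example.org#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": True, "createdDateTime": "2025-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-10-10T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2025-10-12T00:00:00Z"}},
    {"userPrincipalName": "ben_example.org#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": True, "createdDateTime": "2025-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-07-01T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2025-08-20T00:00:00Z"}},
    {"userPrincipalName": "cho_example.org#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": True, "createdDateTime": "2025-03-01T00:00:00Z"},
    {"userPrincipalName": "dee_example.org#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": True, "createdDateTime": "2025-10-08T00:00:00Z",
     "signInActivity": None},
    {"userPrincipalName": "eli_example.org#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": False, "createdDateTime": "2024-01-05T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-02-01T00:00:00Z"}},
    {"userPrincipalName": "fay@contoso.example", "userType": "Member",
     "accountEnabled": True, "createdDateTime": "2023-01-05T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-01-01T00:00:00Z"}},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp such as 2025-08-20T00:00:00Z (UTC assumed)."""
    if not value:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def last_activity(user):
    """Latest interactive or non-interactive sign-in, or None if there is none."""
    activity = user.get("signInActivity") or {}
    stamps = [parse_ts(activity.get(key)) for key in
              ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def inactive_guests(users, now, days_inactive=30):
    """Enabled guests idle for at least days_inactive, longest idle first.

    Entries with no usable timestamps are listed first for manual review.
    """
    cutoff = now - timedelta(days=days_inactive)
    findings = []
    for user in users:
        # Same scope as the dynamic group rule: userType Guest, accountEnabled true.
        if user.get("userType") != "Guest" or not user.get("accountEnabled"):
            continue
        upn = user.get("userPrincipalName", "<unknown>")
        seen = last_activity(user)
        if seen is not None:
            reference, reason = seen, "no sign-in within window"
        else:
            # Assumption of this example: a guest who never signed in is measured
            # from the invitation date, so fresh invites are not flagged.
            reference, reason = parse_ts(user.get("createdDateTime")), "never signed in"
        if reference is None:
            findings.append({"upn": upn, "reason": "no usable timestamps", "idle_days": None})
        elif reference <= cutoff:
            findings.append({"upn": upn, "reason": reason,
                             "idle_days": (now - reference).days})
    return sorted(findings,
                  key=lambda f: (f["idle_days"] is not None, -(f["idle_days"] or 0)))


if __name__ == "__main__":
    for row in inactive_guests(SAMPLE_USERS, datetime(2025, 10, 15, tzinfo=timezone.utc)):
        print(row)
```

Real input would be a Microsoft Graph user export that includes signInActivity; the two skipped accounts (disabled guest, member) show why the scope filter has to run before the date comparison.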
Whether a guest user is a student who graduated, a volunteer who moved on, or someone who left unexpectedly, leaving their access unchecked can expose your organization to unnecessary risk. By creating a dynamic group for guest users and setting up regular access reviews, you’re putting smart guardrails in place. These steps not only strengthen your security but also keep your Microsoft 365 environment tidy, efficient, and aligned with best practices.

Security doesn’t have to be complicated—and it shouldn’t be an afterthought. With tools already available in Microsoft Entra ID, you can stay proactive, stay protected, and keep your mission moving forward with confidence.

How to Add Microsoft 365 Apps to Windows 10/11 Devices Using Microsoft Intune
Managing applications across various devices is crucial for maintaining productivity and security in any organization. Microsoft Intune provides a comprehensive solution for app management, allowing administrators to deploy, configure, and protect applications seamlessly. It allows administrators to install and manage applications on multiple devices at the same time instead of logging into each device and installing applications one by one. This blog will guide you through the process of adding Microsoft 365 Apps to Windows 10/11 devices using Microsoft Intune. Microsoft 365 Apps include: Word, PowerPoint, Excel, Outlook, etc.

Adding Microsoft 365 Apps to Intune

Before you can assign, monitor, configure, or protect apps, you must add them to Intune. Microsoft 365 Apps can be added to Intune and deployed to devices running Windows 10/11. Here’s how you can do it:

1. Sign in to Intune: Access the Microsoft Intune admin center using your administrator account credentials by going to Intune Admin Center.
2. Navigate to Apps: In the admin center, select Apps > All Apps (manages all applications for all platforms) > Add.
3. Select App Type: In the App type drop-down box, choose Microsoft 365 Apps for Windows 10/11.
4. App Suite Information: In this step, you will provide information about the app suite. This information helps you to identify the app suite in Intune, and it helps users to find the app suite in the company portal. In the App suite information page, you can confirm or modify the default values:
• Suite Name: Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
• Suite Description: Enter a description for the app suite. For example, you could list the apps you've selected to include.
• Publisher: Microsoft appears as the publisher.
• Category: Optionally, select one or more of the built-in app categories or a category that you created. This setting makes it easier for users to find the app suite when they browse the company portal.
• Show this as a featured app in the Company Portal: Select this option to display the app suite prominently on the main page of the company portal when users browse for apps. Please note: If you select "Yes", the app will show as a featured app in the Company Portal and the user will have to go to the Company Portal and install the app manually. Select "No" if you plan to install it automatically.
• Information URL: Optionally, enter the URL of a website that contains information about this app. The URL is displayed to users in the company portal.
• Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The URL is displayed to users in the company portal.
• Developer: Microsoft appears as the developer.
• Owner: Microsoft appears as the owner.
• Notes: Enter any notes that you want to associate with this app.
5. Click Next to display the Configure app suite page.

Configuring App Suite

Intune allows you to configure the Microsoft 365 app suite to meet your organization’s needs. You can use the configuration designer or XML data to customize the installation:

1. Configuration Designer: This tool provides a user-friendly interface to configure settings such as language, update channel, and app preferences. This does the deployment automatically with the help of Configuration Designer. Please see steps below:
• Configure app suite: On the Configure app suite page, choose Configuration designer.
• Select Office apps: Select the standard Microsoft 365 apps that you want to assign to devices by choosing the apps in the dropdown list.
• Select other Office apps (license required): Select additional Microsoft 365 apps that you want to assign to devices and that you have licenses for by choosing the apps in the dropdown list.
These apps include licensed apps, such as Microsoft Project Online desktop client and Microsoft Visio Online Plan 2.

App Suite Information:
• Architecture: Choose whether you want to assign the 32-bit or 64-bit version of Microsoft 365 Apps. You can install the 32-bit version on both 32-bit and 64-bit devices, but you can install the 64-bit version on 64-bit devices only.
• Default file format: Choose whether you want to use Office Open Document Format or Office Open XML Format.
• Update Channel: Choose how Office is updated on devices. For information about the various update channels, see Overview of update channels for Microsoft 365 Apps for enterprise. Choose from: Monthly, Monthly (Targeted), Semi-Annual, Semi-Annual (Targeted).

After you choose a channel, you can choose the following:
• Remove other versions: Choose Yes to remove other versions of Office (MSI) from user devices. Choose this option when you want to remove pre-existing Office .MSI apps from end-user devices. The installation won't succeed if there are pre-existing .MSI apps on end-user devices. The apps to be uninstalled aren't limited to the apps selected for installation in Configure App Suite, as it will remove all Office (MSI) apps from the end user device. For more information, see Remove existing MSI versions of Office when upgrading to Microsoft 365 Apps. When Intune reinstalls Office on your end user's machines, end users will automatically get the same language packs that they had with previous .MSI Office installations.
• Version to install: Choose the version of Office that should be installed.
• Specific version: If you have chosen Specific as the Version to install in the above setting, you can select to install a specific version of Office for the selected channel on end user devices.

Properties:
• Use shared computer activation: Select this option when multiple users share a computer. For more information, see Overview of shared computer activation for Microsoft 365 Apps.
• Automatically accept the app end user license agreement: Select this option if you don't require end users to accept the license agreement. Intune then automatically accepts the agreement.
• Languages: Office is automatically installed in any of the supported languages that are installed with Windows on the end-user's device. Select this option if you want to install additional languages with the app suite.

2. XML Data: For more advanced configurations, you can use XML data to define the app suite settings. This method is particularly useful for deploying the Microsoft 365 Apps for business edition. See Configuration options for the Office Deployment Tool.

Assignments

Assignments in Microsoft Intune refer to the process of distributing and managing applications, policies, and configurations to users and devices within an organization. This ensures that the right apps and settings are available to the appropriate users and devices.

1. Select the Required, Available for enrolled devices, or Uninstall group assignments for the app suite. For more information, see Add groups to organize users and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.

Conclusion

Microsoft Intune simplifies the process of deploying and managing Microsoft 365 Apps across Windows 10/11 devices. By following the steps outlined in this guide, you can ensure that your organization’s apps are deployed securely and efficiently, enhancing productivity and maintaining security.

Security and Flexibility: Benefits of Mobile App Management for Nonprofits Using Personal Devices
Understanding MAM as an Alternative to MDM

Both Mobile Device Management (MDM) and Mobile Application Management (MAM) serve important security purposes, with different approaches:

• Application vs. Device Focus: MAM secures specific work applications, while MDM provides a framework for managing enrolled devices.
• Enrollment Requirements: MAM can be implemented without requiring device enrollment, offering flexibility for personal device users.
• Security Scope: MAM applies security policies at the application level, focusing on protecting organizational data within those applications.
• Management Approach: MAM allows organizations to manage work-related applications independently from the device itself.

Why Nonprofits Benefit from MAM

Nonprofit work often happens beyond office walls, making MAM particularly valuable for these organizations:

Field Mobility and Accessibility
Your team needs secure access to information whether they're at community events, donor meetings, or working remotely. MAM enables this mobility with appropriate security controls.

Protecting Sensitive Information
When handling donor records, financial data, and beneficiary information, security is essential. MAM ensures this data remains protected within managed applications on personal devices.

Budget-Friendly Security
Resource constraints are real in the nonprofit sector. MAM provides effective security without requiring substantial infrastructure investments—especially when implemented through Microsoft's nonprofit program offering free Business Premium licenses.

Simplified Management
With MAM, IT teams can focus on securing specific applications and the organizational data within them, which can streamline security management for organizations with limited resources.

The Bottom Line

Mobile Application Management offers nonprofits a practical approach to securing organizational data on personal devices.
Through Microsoft Intune and nonprofit licensing programs, organizations can implement this approach cost-effectively. By adopting MAM, nonprofits create an environment where security and flexibility work together, supporting both organizational data protection needs and staff mobility in today's increasingly mobile work environment.

Step-by-Step Guide to Add MAM to Personal BYOD Devices without MDM

Overview

This guide provides steps to configure Microsoft Intune Mobile Application Management (MAM) for Bring Your Own Device (BYOD) scenarios, allowing organizations to protect corporate data at the app level without enrolling devices into Mobile Device Management (MDM). For this example, we will be configuring an iOS device.

Prerequisites

• Microsoft Intune subscription (Nonprofits have access to Intune through their 10 free Business Premium licenses offered by Microsoft’s nonprofit program).
• Microsoft Entra ID (formerly Azure AD).
• Supported apps (e.g., Microsoft 365 apps like Outlook, Teams, OneDrive) that integrate with Microsoft Intune App Protection Policies.
• Users must have the appropriate Intune license assigned.

Step 1: Access the Microsoft Intune Admin Center

1. Go to Intune Admin Center.
2. Sign in with your admin credentials.

Step 2: Configure App Protection Policies

1. In the left navigation pane, select Apps > App protection policies.
2. Click + Create policy.

Basics
1. Select the platform (iOS/iPadOS or Android) for which you want to create the policy.
2. Enter a Name (e.g., "BYOD MAM Policy – iOS").
3. Enter an optional Description.
4. Click Next.

Step 3: Define Policy Settings

Apps
1. Target the policy to your choice (All Apps, All Microsoft Apps, Core Microsoft Apps). If you'd like to choose specific apps only, keep the selection as Selected apps and follow steps 2-4 below.
2. Choose Public apps.
3. Select Microsoft apps you want to protect (e.g., Outlook, OneDrive, Teams, etc.).
4. Select Custom Apps (if applicable).
5. Click Next.
Data Protection
1. Set policies as desired, such as:
• Block backing up org data to iTunes and iCloud backups.
• Restrict sending org data to policy managed apps.
• Restrict cut, copy, paste between apps (e.g., allow only with approved apps).
• Encrypt app data.
• Block third-party backup services.
• etc.
2. Configure additional settings based on your organization's security needs.
3. Click Next.

Access Requirements
1. Configure access requirements such as:
• Blocking Simple PIN for access.
• Fingerprint or Face ID.
• Recheck access requirements after idle timeout.
• etc.
2. Click Next.

Conditional Launch
1. Set conditions for app usage such as:
• Minimum OS version.
• Wipe data after consecutive failed PIN attempts.
2. Click Next.

Step 4: Assign the Policy

1. Under Assignments, choose: All users or Specific groups (e.g., a BYOD security group).
2. Click Next and Review + Create the policy.

Step 5: Exclude Devices from Device Management (Optional)

If you want to ensure this is for MAM-only devices (non-enrolled BYOD):

1. Under Devices > Enrollment restrictions in Intune Admin Center:
• Choose the device you want to restrict (Windows, Android, macOS, iOS).
• Create or edit a Device Type Restriction.
• Block personal device enrollment, if applicable.

This ensures users can only use corporate apps with MAM policies and not enroll their personal devices into full MDM.

Step 6: Inform End Users

• Inform users they will access corporate data through approved apps that enforce app-level protections (e.g., Outlook for iOS with MAM policy applied).
• Users will not need to enroll their personal devices in Intune but will be prompted to sign into apps with corporate credentials and comply with MAM policies.

Step 7: Monitor & Review

1. Go to Apps > Monitor > App protection status in Intune Admin Center.
2. Review logs and reports to monitor:
• Policy deployment status.
• App protection compliance.
• Any issues users may encounter with BYOD access.
Best Practices

• Regularly review and update your app protection policies based on evolving threats and business needs.
• Combine MAM with Conditional Access to ensure only compliant apps and users can access corporate data.