tenants
4 Topics

multi-tenant cooperation
Hi everybody,

I'm working at a university where we run two tenants, one for staff and one for students. The student tenant was set up for "Microsoft Azure Dev Tools for Teaching" but has not been used for anything else. The staff tenant has been pretty much dormant, because we don't trust the cloud and try to avoid using it.

Today everybody is excited about getting Teams up and running for collaboration, so we want Teams accessible by both staff and students. I basically found two options. External access, related to Skype for Business (?), but limited. No group chat, etc., so not really what we are looking for. Guest users (at AAD) level sound way better, but there is a catch: inviting 20.000 students to our staff tenant isn't fun, getting them all to accept those invitations, etc. Inviting staff to the students tenant isn't much better (but less staff than students...). All I see is problems while my boss is hoping for solutions. 😉

Putting all students in the staff tenant and ditching the student tenant might sound like the way to go, but there are compliance requirements that are easier to meet if those tenants stay separated. At least as far as I can tell.

Would be nice if I could both invite and accept guest users. Like adding educational staff to the student tenant as guest without the invitation process, since staff hired to teach the students can be told to accept the invitation to the student tenant anyway, so why bother with the process? 😉 I control both tenants anyway.

Basically I'm looking for the least bad option. Teams has some more guest options than AAD, that's why I post here.

By the way, we run local AD but it is not connected to the tenants in AAD. No directory synchronisation, no ADFS. Both tenants are managed by our IDM system and federated with Shibboleth.

Any help would be greatly appreciated.

Best regards
Patrick

2K Views, 0 likes, 1 Comment

Removal of Unnecessary User Accounts/Emails from Teams
Hello,

I come to this great community to ask a pretty specific question. Our MS tenant holds 4 domains and some of our members hold email addresses at different domains. For the most part, all have an email address at one specific company which we will call thehappycompany.com for this example. As best as we can, we try to assign our business standard licensing for our core 7 people at this thehappycompany.com domain. From there, some people have additional mailboxes at, let's say, thefuncompany.com and we have an IT Support mailbox being support@ for all domains under our tenant.

The problem is that Teams is recognizing all IT Support mailboxes as a user and it shows multiple addresses for the users that have multiple addresses. This is all very understandable as to why it's happening - I haven't done anything to prevent this from happening. I don't see some kind of administrative option in either Teams or O365 Admin Center to turn off a specific user account's access to Teams. Does anyone have any options that may work for me?

I appreciate you taking the time to read into my issue - thanks.

1.6K Views, 0 likes, 2 Comments

Tenant Migration and Microsoft Chat Old Threads/Files
My company recently migrated from one tenant to another. Unfortunately I am not able to open old chat threads/files since before the migration. When I search I can see that the thread exists but when I click on the thread in question, I can't open it to view the entire thread. I'm on a Mac too. I have deleted my Microsoft Teams cache and uninstalled and reinstalled the Microsoft Teams app. But still nothing. All I can see is a preview of what I need to get to and that's it.

How can I get to these old threads? To me it seems like they should be available but so far I don't have a solution to this problem. Thank you.

1.2K Views, 0 likes, 2 Comments

Security Considerations for SMTP Add-on Service Receiving Emails from Exchange Online
Hello everyone,

I'm developing an email processing service for Microsoft 365 / Exchange Online customers. This service acts as an SMTP endpoint that receives all outbound emails from our customers' Exchange Online tenants via Outbound Connectors, processes them, and then relays the messages back to Exchange Online for final delivery. I found the https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/integrate-office-365-with-an-email-add-on-service page with suggestions.

We're currently evaluating security risks and would like to clarify how much trust can be placed in messages coming from Exchange Online.

Scenario Summary

- Our customers configure an Exchange Online Outbound Connector to route outbound emails to our service.
- We process these emails and then reinject them to Exchange Online, possibly via a smart host or authenticated SMTP relay.
- All emails received by our service originate from Exchange Online IP ranges, and our SMTP service is restricted to accept connections only from those IPs.

Questions

1. Can messages from Exchange Online IPs be spoofed? Given that all customers share Exchange Online's IP ranges, can an attacker:
   - Forge the MAIL FROM envelope address?
   - Spoof the From: header field?
   - Impersonate another customer (tenant) using the shared infrastructure?

   What level of trust can we place in the envelope sender (MAIL FROM) and header From address?

2. What security signals or headers should we rely on? Are there Exchange Online-specific SMTP headers or identifiers we can use to validate the authenticity and origin of the message? For example:
   - Is the tenant ID or authenticated user available in the headers?
   - Can we reliably identify the sending customer?

3. What authentication or validation mechanisms are recommended? What are Microsoft's best practices for:
   - Validating tenant identity for messages received via connector?
   - Preventing cross-tenant spoofing, especially when IPs are shared?
   - Verifying message integrity (e.g., should we re-verify DKIM, SPF?)

   Any other Microsoft-recommended protections?

Thanks in advance to anyone from the Microsoft team or the community who can provide insights or suggestions!

145 Views, 0 likes, 3 Comments