User Profile
CRIB111
Brass Contributor
Joined 7 years ago
Recent Discussions
email delivery report in ExO
Where specifically in Exchange Online (ExO) would an admin need to navigate to if they needed to get a detailed report to show how many messages from a specific external address had landed in their recipients' inbox(es), and how many had been quarantined and under what category (with details, e.g. date/time/recipient affected etc)? Are there any out-of-the-box reports that can help with this and meet these criteria?

no full time global admin privileges
Is it commonplace, or even a formal Microsoft recommendation, to not have any of your IT support admin accounts as permanent members of the global admins role in AAD? And rather to delegate them more fine-grained access permissions based on their requirements? Or practically speaking is there a need for global admin permissions in resolving issues etc in AAD/365 on say a daily basis? I was just analysing the role assignments report in AAD and the only accounts permanently in global admins were break glass accounts, and other admins are given different privileges roles but do not permanently reside in global admins which I hadn’t seen before – so I wondered if this is official guidance? I know Microsoft had similar advice about trying to avoid giving people permanent domain admin rights if at all possible so I presume this is similar thinking. I just wanted to see how practical it is to follow.
Solved

Identifying unmonitored mailboxes
Are there any reports/scripts that could be used to identify potentially unmonitored mailboxes? I was thinking those with no recent access, or a larger than expected unread message count (this could be somewhat unreliable for longer term absence however). If you have had any success in finding unmonitored mailboxes in your Exchange Online tenancy (or on-prem server), any metrics and techniques you used to flag them would be really interesting to learn about.
Solved | 888 Views | 0 likes | 3 Comments

Re: accessing sub folder of a shared mailbox 'directly'
Have you got any further info or links to articles on options 2 and 5 please? So I can try those manual mapping methods before we request a tweak to permissions? e.g. do you manually add the folder in OWA and specify the sub folder, e.g. mailbox @ company . com \inbox N/B these are sub folders of inbox or the inbox folder itself, and not calendars. For info access was granted by the owner of the mailboxes via 'folder permissions' and not via an admin in Exchange itself.
7.6K Views | 0 likes | 0 Comments

accessing sub folder of a shared mailbox 'directly'
In the classic desktop version of Outlook for Windows (version 2302) or Outlook web access, if someone has been granted access by a colleague to a particular folder on a shared or user mailbox, e.g. inbox or inbox\subfolder ONLY, but has not been granted full mailbox access or access to the 'top of the information store' folder, is there any way to still access/map to the inbox folder directly (or whichever folder their colleague has granted them access to)? And if so how do you add the specific folder manually so you can make use of the permissions granted? I know there are many scenarios whereby someone may only wish to grant a colleague access to a specific folder of their mailbox, and not the full mailbox, but I'm not sure how they map directly if they haven't been granted full mailbox access.
Solved | 8.6K Views | 1 like | 3 Comments

Backing up Exchange Online data/config - best practices
Are there any general best practices when it comes to backing up Exchange Online data/configurations, in terms of frequency, backup types etc? I fully appreciate each organisation has their own policies, budgets, risk tolerance, availability requirements etc etc, I just wondered if there are any useful articles or recommendations you can suggest that discuss the ExO backup/restore best practices to assess against, e.g. frequency, scope, testing, alerts etc?
591 Views | 0 likes | 0 Comments

assessing security restrictions between 'internal' and external access to an ExO mailbox
Do MFA/conditional access security features (plus any other default security protections built into Microsoft 365/Exchange Online) behave differently depending on where a connection is coming from? For example, will the system do the exact same MFA prompts/conditional access checks for an employee ‘in the office’ connecting via Outlook from a managed device (InTune), as opposed to a connection from a completely external source connecting via a non-managed device (personal smartphone/laptop for example)? And if so, how and where specifically can you check the configurations to see the difference in prompts/restrictions between the 2 types of access (internal and external)? For example, is it common to relax certain checks/prompts for ‘internal access’, that aren’t relaxed for external connections?
Solved

mailboxes of leavers in exchange online
What are the potential risks and impacts (if any) in leaving mailboxes relating to leavers in an exchange online database long after the leaver left employment with the organisation? Do you work to any particular standard retention period of mailboxes for leavers, e.g. 1 month post leave date before deletion? For what purposes do you keep the mailboxes for a period of time before deletion out of interest? Is there any logical reason why you would want to keep the mailboxes in Exchange Online for employees who left several months/even years previously that need to be considered?
Solved | 1.3K Views | 0 likes | 2 Comments

Re: Exchange/Azure AD higher risk security roles
Thanks for the info. Out of interest, were an admin already logged into an account with Global Administrator permissions, and needed to perform some Exchange Online admin work, would they need to switch to an account with Organisation Mgmt permissions in Exchange, or does Global Admin essentially inherit all the admin permissions of each service specific (Exchange, SharePoint, Teams etc) admin roles such as Organisation Management?
1.5K Views | 1 like | 1 Comment

Exchange/Azure AD higher risk security roles
Aside from organisation management, which other admin roles in Exchange Online (or AAD that grant access to manage aspects within ExO) would generally be considered the higher risk roles that should only ever be granted to authorised/senior email admins? There are tons of default roles available, but organisation management seems to have the most permissions out-of-the-box, I just wondered which other admin roles are generally considered 'higher risk' from a systems integrity/data protection perspective, so we can run some checks on current memberships. i.e. a 'top 5' higher risk admin roles.
Solved | 1.8K Views | 0 likes | 3 Comments

MS365 tenancy security health check suggestions
Are there any useful key controls checklists that could be used as a template to run some checks over an Office 365 business tenancy (including Azure AD), to look for common security & access related misconfigurations and risks? Or any tools that will scan current settings, permissions etc and report back with recommendations for improvements and where things could be tightened up? I was hoping for something like the 'top 10' common areas that systems admins could potentially get things wrong with risk implications (e.g. could result in unauthorised access to corporate data), to check we haven’t made the same mistakes, or if we have that we promptly address them.
2.4K Views | 0 likes | 4 Comments

office 365 MFA preferences
Are any of the MFA options in Azure AD/Office 365 'risky' from a security perspective, or considered significantly less secure than the other options (I've read various conflicting opinions)? If yes, are there ways to take that option away from the users during MFA registration? If there are any specific security attacks that I could quote against certain MFA choices that may help build a case to warn users on the safer alternatives. Alternatively, should all global admins for argument's sake be using a specific default MFA method over others from a security perspective?
1.1K Views | 0 likes | 1 Comment

365 security configuration
Are there any recommended tools/scripts to get an overview of the configuration of your 365 tenant and compliance against general 365 security/access related best practices? Rather than digging into the specifics of each service such as exchange, sharepoint etc, maybe the more 'central' security/access/admin settings that have an impact across 365 services.
1.2K Views | 0 likes | 1 Comment

admin roles report
Is there a simple way to get a list of all users and corresponding roles, e.g. global admin, exchange admin, in a single report either via script or within one of the various admin consoles of 365 (if the latter, can you direct)? It would also be useful to get an indication if the account is active/enabled. Thanks
Solved | 3.3K Views | 0 likes | 1 Comment

cloud-only accounts
I am still trying to understand ‘cloud-only’ accounts in a hybrid identity model a little more. In a setup whereby the majority of apps your employees use are hosted on servers in your local ‘on-premises’ domain, but users use the MS365 platform for certain apps, for example as their mailboxes are in Exchange Online. In such a scenario, under what circumstances would an admin create a ‘cloud-only’ account, or if you administer setups with a hybrid identity model, in what kind of scenarios would you create a ‘cloud-only’ account, as opposed to an account in the on-prem AD? As I don't work on the admin side I am still trying to gauge why certain accounts are created directly in AzureAD.
2.5K Views | 0 likes | 1 Comment

content search (all mailboxes)
Has anyone had any experience running a content search over all mailboxes in your tenancy especially in a larger environment without several thousand users/mailboxes? This article: https://docs.microsoft.com/en-us/microsoft-365/compliance/content-search?view=o365-worldwide suggests if you ran your search over 10,000 mailboxes, it would run and provide the results in 10 minutes. Which sounds too good to be true based on the equivalent searches of on-prem Exchange Server releases. Is this your experience, that the searches are super quick to complete and return results?
2.3K Views | 0 likes | 1 Comment

sharepoint permissions reporting role
We have a requirement for data protection/information governance purposes to grant certain users the ability to report/document our SharePoint Online system, in terms of: Documenting full overview of the architecture, e.g. site collections, sites, document libraries, documents held within, folders etc - and read/write/full access control permissions granted at the various levels of the SharePoint hierarchy. Are there any roles within SharePoint that would allow authorised users to do this (assuming they have the tools/scripts to do so), whilst at the same time not allowing them administrator level privileges to make any changes to the system, e.g. amend permissions/grant access etc? I am assuming if it works like a traditional file server, the role will require them to essentially have read level access to everything in SharePoint, as you need access to the folder/library in order to document the permissions assigned. Furthermore, are there any reports within the relevant 365 admin centres that would assist them with the documentation and reporting aspects, or is it likely a 3rd party app/script would be necessary?
1.1K Views | 0 likes | 0 Comments

Re: MS365 tenancy security health check suggestions
Thanks for the reply. Can you recommend any particular scripts you have found useful when doing equivalent checks at your company/clients? It would be interesting to learn about what kinds of issues and misconfigurations the scripts are checking for. And can you provide any pointers to the vendor implementation guides please.
2.2K Views | 0 likes | 1 Comment