Configure mailbox permission alert Microsoft 365


In this blog post I will go through the process of configuring an alert within the Microsoft 365 Compliance portal which will trigger an email whenever permissions are assigned to a mailbox.

1. From the Microsoft 365 Admin Center, locate and click Compliance, or visit the Compliance Admin Center directly via Security & Compliance (compliance.microsoft.com)

2. Click Policies

3. Expand Alert and click Office 365 alert

4. Click New Alert Policy

5. Complete details as required (Demo info below). Click Next

6. There are a number of activities to choose from. For the purpose of this demo, I have selected Granted Mailbox Permission

7. You could also add a condition based on IP address and username. For example, if you want to be alerted when a particular group of users assign permissions, you can do so here. Ignore the conditions box if you would like an alert to be triggered when any user in the organisation performs the action.

8. Click Next and select your notification groups or emails. Click Next, review the settings and click Finish.

That’s your mailbox permissions alert configured.
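
The same policy can be created from Security & Compliance PowerShell, which is useful when the alert needs to be reproduced across tenants. This is an added example, not part of the original post; the policy name, severity, category and all addresses are placeholders, and the mapping of the portal's "Granted mailbox permission" activity to the `Add-MailboxPermission` audit operation is an assumption.

```powershell
# Added example: script equivalent of the portal steps above.
# Requires the ExchangeOnlineManagement module; all addresses are placeholders.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policy = @{
    Name            = 'Mailbox permission granted'
    Description     = 'Email an alert whenever permissions are assigned to a mailbox'
    Category        = 'Others'
    Severity        = 'Medium'
    ThreatType      = 'Activity'
    # Assumption: audit operation behind the "Granted mailbox permission" activity.
    Operation       = 'Add-MailboxPermission'
    AggregationType = 'None'          # one alert per event, no threshold
    NotifyUser      = 'secops@contoso.example'
}
New-ProtectionAlert @policy
Get-ProtectionAlert -Identity $policy.Name | Format-List

# Review the events this policy would have matched over the last 7 days.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations 'Add-MailboxPermission' -ResultSize 1000 |
    ForEach-Object {
        # AuditData is a JSON string; cmdlet arguments sit in a Name/Value array.
        $d = $_.AuditData | ConvertFrom-Json
        $p = @{}
        foreach ($item in $d.Parameters) { $p[$item.Name] = $item.Value }
        [pscustomobject]@{
            Time         = $d.CreationTime
            GrantedBy    = $d.UserId
            Mailbox      = $p['Identity']
            Grantee      = $p['User']
            AccessRights = $p['AccessRights']
        }
    } | Sort-Object Time
```

The audit search gives a baseline of how often the alert will fire before the notification recipients start receiving mail.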

How to create a dynamic group in Azure AD

Dynamic group memberships reduce the administrative overhead of adding and removing users from a group, as the process is automated and driven by attribute changes. For example, a user with a department attribute of Sales within AD could be automatically added to a dynamic group named Sales, and removed automatically if the user moved roles. If the user's department attribute in AD was amended from Sales to Marketing, the user would be automatically removed from the Sales group and added to the Marketing group, provided a dynamic group existed for Marketing.

In this blog post I will go through the process of creating a dynamic group within Azure AD and add a dynamic query/condition so staff from Sales UK are automatically added to a dynamic group.

1. Access Azure AD

2. Click Groups located in the left pane

3. Click + New group

4. Complete the fields for your group (Example below)

Group Type: Security
Group Name: CloudBuild_Sales
Group Description: Dynamic group for staff working in Sales UK
Membership Type: Dynamic User
Owner: I have assigned myself as an owner

The next step involves adding a dynamic query.

5. Click Add dynamic query

6. Input details for your query, see example below

Property: department (This is the field located within the user's Azure AD account properties)
Operator: Equals
Value: Sales UK (I want all users with a department of Sales UK to be added into my new dynamic group)

7. Click save

8. Click create

The result: all users whose department field is set to Sales UK will automatically be added to your dynamic group. When the department field is changed, for example when the user moves departments, the user will automatically be removed from the dynamic group.
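
The group and query above can also be created with Microsoft Graph PowerShell, where the portal's Property/Operator/Value fields become a single membership rule string. This is an added example, not part of the original post; it assumes the Microsoft.Graph module is installed and that the signed-in account can create groups and read users.

```powershell
# Added example: create the CloudBuild_Sales dynamic group and check its membership.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$group = New-MgGroup -DisplayName 'CloudBuild_Sales' `
    -Description 'Dynamic group for staff working in Sales UK' `
    -MailEnabled:$false -MailNickname 'CloudBuild_Sales' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.department -eq "Sales UK")' `
    -MembershipRuleProcessingState 'On'

# Rule processing is asynchronous, so run the comparison below once the
# group has had time to populate.
$expected = @(Get-MgUser -All -Filter "department eq 'Sales UK'" `
        -ConsistencyLevel eventual -CountVariable userCount |
    Select-Object -ExpandProperty Id)
$actual = @(Get-MgGroupMember -GroupId $group.Id -All |
    Select-Object -ExpandProperty Id)

# Users the rule should include but has not added yet, and members
# that no longer match the rule.
$notYetAdded  = @($expected | Where-Object { $_ -notin $actual })
$shouldBeGone = @($actual   | Where-Object { $_ -notin $expected })

[pscustomobject]@{
    MatchingUsers = $expected.Count
    GroupMembers  = $actual.Count
    NotYetAdded   = $notYetAdded.Count
    ShouldBeGone  = $shouldBeGone.Count
}
```

If the group is used to grant access, this comparison is a quick way to confirm that membership tracks the department attribute before anything is assigned to it.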


Notes:

1. You cannot manually add or remove a member of a dynamic group

2. You can create a dynamic group for devices or for users, but you can’t create a rule that contains both users and devices

3. This feature requires an Azure AD Premium P1 licence for each unique user that is a member of one or more dynamic groups. You don’t have to assign licences to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the Azure AD organisation to cover all such users. For example, if you had a total of 300 unique users in all dynamic groups in your organisation, you would need at least 300 licences for Azure AD Premium P1 to meet the licence requirement. No licence is required for devices that are members of a dynamic device group.

Configure Intune device limit restrictions

By default, Intune device limit restrictions set the maximum number of devices that a user can enrol into Intune (Microsoft Endpoint Manager). The default setting at the time of writing this blog post was 5 devices, with the option to configure up to a maximum of 15 devices.

In this blog post I will go through the process of how to reconfigure the default limit of 5.

1. Visit the Microsoft Endpoint Manager Admin Center or visit endpoint.microsoft.com

2. Click Devices from the left pane

3. Click Enrollment restrictions

4. As you can see below, the default device limit is set to 5. Click ‘All Users’ to edit the default policy, or create a new device limit restriction policy as shown below within the second image.

Note: you may have noticed an option to amend the default Device Type Restriction policy and the option to create a new policy. The device type restriction policy allows you to control which devices can enrol into Endpoint Manager. For example, you may only want to allow certain iPhone devices with a minimum version, such as iOS 14.3, or you may want to block macOS. This is where you would configure such settings.

5. After clicking All users within the default device restrictions policy, click Properties

6. Click Edit

7. Configure as required. The options available are from 1 to 15. Click your preferred option, click Review + save and then save again.

Note:
The priority of custom policies is used when a user exists in multiple groups that are assigned restrictions. Users are subject only to the highest priority restriction assigned to a group in which they are included. For example, James is in group one, which is assigned priority 5 restrictions, and is also in group two, which is assigned priority 2 restrictions. James will be subject only to the priority 2 restrictions.

When you create a restriction, it’s added to the list just above the default policy and takes priority over the default policy.

As mentioned in this post earlier, device enrollment includes default restrictions for both device type and device limit restrictions. Both restrictions apply to all users by default unless they’re overridden by higher priority restrictions.

New Microsoft Exchange Admin Center


You may have noticed the prompts to try out the new Exchange Admin Center when logging into the Exchange Online Portal within Microsoft 365.

In this blog I will be documenting some of the useful additions to the new Exchange Admin Center.

If you have anything further to share, please do leave a comment below.

A feature which stood out when accessing the new Exchange Admin Center was the ability to set an out of office for any users within your organisation. I’ll start with documenting where to perform this action. Note that this feature is also available from within the 365 Admin Center. I’ll go into detail on this shortly.

How to set Out of Office for users from the new Exchange Admin Center

1. From the new Exchange Admin Center, click Recipients and Mailboxes

2. Click the user

3. Click Manage automatic replies

As mentioned earlier in this post, you can also configure Out Of Office replies for users from within the 365 Admin Center. I’ll go through the process below.

How to set Out Of Office replies from the Microsoft 365 Admin Portal

1. Log in to portal.office.com

2. Click Admin

3. Click Users > Active Users

4. Click Mail

5. Click Manage Automatic Replies

Back to the new Exchange Admin Center, I would like to move on to another feature which I found useful: the ability for IT admins to restore deleted items from a user's recoverable deleted items folder.

In case you’re unsure about what a user's recoverable items folder is, further details can be found in the Microsoft article Recoverable Items folder in Exchange Server | Microsoft Docs.

How to restore emails from a user's recoverable deleted items folder

1. Within the new Exchange Admin Center, click Recipients
2. Click Mailboxes
3. Click the user
4. Click Recover deleted items under More actions

5. The portal is shown below. If the deleted item exists within the user's recoverable deleted items folder, you will be able to recover the deleted item back to the user's mailbox. By default, emails are retained within the recoverable deleted items folder for 14 days, but this can be configured to 30 days.

Note: users also have access to their own recoverable items folder and can restore emails as they wish. Users are also able to empty the recoverable deleted items folder and delete the emails permanently, unless you have a legal hold/retention in place.

The new portal available within the Exchange Admin Center offers a few useful options such as searching by time, words, item types and so on.
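
The same recovery, including the retention change from 14 to 30 days and the time, keyword and item type filters, can be run from Exchange Online PowerShell. This is an added example, not part of the original post; the mailbox address and the subject keyword are constructed placeholders.

```powershell
# Added example: check retention, search the Recoverable Items folder, restore matches.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'
$mailbox = 'user@contoso.example'          # placeholder mailbox

# Current deleted item retention and whether a hold protects the folder.
Get-Mailbox -Identity $mailbox |
    Format-List DisplayName, RetainDeletedItemsFor, LitigationHoldEnabled

# Raise retention from the default 14 days to 30 days.
Set-Mailbox -Identity $mailbox -RetainDeletedItemsFor 30

# Same filters as the portal: words, item type and time window.
$search = @{
    Identity        = $mailbox
    SubjectContains = 'Invoice'            # constructed sample keyword
    FilterItemType  = 'IPM.Note'           # email messages only
    FilterStartTime = (Get-Date).AddDays(-14)
    FilterEndTime   = Get-Date
}
$items = @(Get-RecoverableItems @search)
$items | Format-List

# Restore only when the search found something to restore.
if ($items.Count -gt 0) {
    Restore-RecoverableItems @search
}
```

Listing the items before restoring gives a record of what was recoverable at that point in time, which matters because users can empty the folder themselves unless a hold is in place.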

I find the new Exchange Admin Center is easier to navigate when managing users. Please do comment below and let me know your thoughts on the new Exchange Admin Center.

Another change which I find useful is the Groups menu. Groups are accessible from the classic Exchange Admin Center, by clicking Recipients and then the Groups link. All groups reside here. But, in the new Exchange Admin Center, Microsoft have split the groups menu as shown below.

Moving on, another change introduced by Microsoft is that Mailboxes and Shared Mailboxes are separated in the classic Exchange Admin Center, as shown below.

But, in the new Exchange Admin Center, both mailboxes and shared mailboxes exist in the same menu and can be filtered as required. See below.

If you have not already checked out the new Exchange Admin Center, give it a try and it would be great to know your feedback and any features you like or dislike within the new Exchange Admin Center.