Prevent users from downloading files from Microsoft Teams Channel

Reading Time: 3 minutes

In this blog post I will go through the process of preventing members from downloading a document from a Teams channel. I will also show how to amend permissions so members can only open the document in read-only mode. Finally, I will go through how to apply permissions to individual files where permissions have been inherited from a parent folder.

For the purpose of this post I have created a test Word file named CloudBuild within my Teams channel named Cloud Build Team.

I would like to prevent members from editing or downloading my Word document CloudBuild.docx.

1. Click the three dots to the right of the file and click Open in SharePoint.

2. In SharePoint, click the three dots next to the file and click Manage access.

3. Click Team members, click the edit (pencil) icon and change Can edit to Can view. This configuration prevents members from editing the document but not from downloading it. You could also apply this to Visitors.

Once the permissions have been applied, the pencil icon displays a line through it to indicate that the edit permission has been removed and the document is now read-only.

4. Next, let's prevent members from downloading the file.

5. Click the Advanced link as shown below.

6. Select Members and click Edit User Permissions as shown below.

7. Select the option Restricted View (Can view pages, list items, and documents. Documents can be viewed in the browser but not downloaded) and click OK.

You could also apply the above permissions to the folder level if there was a requirement to apply permissions to all files within a folder. The files within the folder will inherit permissions from the parent folder.

After applying the permissions to the folder level, I can no longer amend permissions on the individual files within the folder, as permissions are now inherited from the parent folder which makes sense.

But what if there is a requirement to amend permissions on one of the files within the parent folder? It is possible to break the inherited permissions on an individual file while new files created within the folder still inherit permissions from the parent folder. To configure this:

1. Click the file within the parent folder, click the three dots, click Manage access.

2. Click Stop Inheriting Permissions.

This process breaks the inherited permissions for the individual file. Amend the permissions as required and save.
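The same two changes from the shell, as an added example that is not part of the original post: the per-file permission change from steps 3 and 7, followed by an audit of which files in the library no longer inherit permissions (the situation described in the last section). The site URL, library name and SharePoint group name are assumptions, as is the PnP.PowerShell module.

```powershell
# Added example, not from the post. Assumes the PnP.PowerShell module, that the channel
# files are in the site's default "Documents" library, and the site/group names shown.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/CloudBuildTeam" -Interactive

# Steps 3 and 7 for the single file: swap the members group's Edit role for Restricted View.
# Assumption: setting item-level roles breaks inheritance for that item, as the post's
# Stop Inheriting Permissions step does; confirm afterwards under Manage access.
$file = Get-PnPListItem -List "Documents" -Query @"
<View><Query><Where><Eq><FieldRef Name='FileLeafRef'/>
<Value Type='Text'>CloudBuild.docx</Value></Eq></Where></Query></View>
"@
Set-PnPListItemPermission -List "Documents" -Identity $file.Id `
    -Group "Cloud Build Team Members" -AddRole "Restricted View" -RemoveRole "Edit"

# Audit: which files in the library no longer inherit permissions from their folder.
Get-PnPListItem -List "Documents" -PageSize 500 |
    Where-Object { $_.FileSystemObjectType -eq "File" } |
    Where-Object { Get-PnPProperty -ClientObject $_ -Property HasUniqueRoleAssignments } |
    Select-Object @{ n = "File"; e = { $_["FileRef"] } }, Id
```

The audit list is worth keeping: every file it returns is one whose permissions will silently diverge from the folder's over time.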

That’s all. Stay tuned for further posts and please don’t forget to subscribe if you wish to stay up to date with the latest tech posts.

Increase OneDrive for Business default 30-day retention limit

Reading Time: 4 minutes

When a user account is deleted from the Active users page in the Microsoft 365 admin center, you can choose what you want to do with the user's product licenses, email, and OneDrive for Business account.

You may grant another user access to the mailbox. This process converts the user’s mailbox to a shared mailbox. The benefit of shared mailboxes is that they don’t require a license.

But today I would like to discuss what happens to the user's OneDrive for Business account upon account deletion and how you can increase the default 30-day retention limit.

By default, when a user is deleted, the user's manager (if one is configured) is automatically given access to the user's OneDrive. If a manager is not configured, you are still offered a few options before hitting the button to delete the account. One of these options, highlighted below, allows you to give another user access to the leaver's OneDrive for Business files for 30 days after the user is deleted. You can also specify a secondary owner, which I will cover further down this post.

30 days is the default limit for retaining OneDrive files after user deletion, but what if you want to retain the data for longer? There is an option to extend the default 30-day limit for all OneDrive for Business accounts upon account deletion.

1. Log in to the OneDrive admin center (admin.onedrive.com).

2. Click Storage in the left pane.

3. Amend the 30-day limit as required. The maximum retention for OneDrive files after a user is marked for deletion is 3650 days. If you enter a figure above 3650 days, the figure defaults to the maximum after clicking Save and revisiting the Storage section.

The user granted access will receive an email with a link and further instructions for accessing the deleted user’s OneDrive files.

As mentioned above, by default, when a user is deleted, the user’s manager is automatically given access to the user’s OneDrive. But what if a manager is not set and the admin accidentally bypasses the prompt to assign the OneDrive account to another user? You could assign a secondary owner in case a user doesn’t have a specified manager.

1. To perform this action, visit the SharePoint admin center.

2. Click More features.

3. Click Open under User profiles.

4. Click Setup My Sites under My Site Settings.

5. Scroll down and locate My Site Cleanup.

Specify a secondary owner account. This account will be the appointed owner of the OneDrive account if the user’s manager isn’t set in Azure AD. Email notifications will also be sent to the secondary owner account when the value is populated.

Notes:
Upon reaching the retention limit, the OneDrive account for the deleted user is moved to the site collection recycle bin, where it is kept for 93 days. During this time, users will no longer be able to access any shared content in the OneDrive, but you can restore the account via PowerShell.
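Step 3 above and the restore mentioned in this note, done from the SharePoint Online Management Shell. This is an added example, not from the original post; the tenant admin URL and the personal site URL are placeholders.

```powershell
# Added example, not from the post. Assumes the SharePoint Online Management Shell
# module and a SharePoint admin account; URLs below are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Step 3 of the post from the shell: days to keep a deleted user's OneDrive.
# The tenant setting accepts 30 to 3650 days.
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 365
(Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod   # confirm the new value

# Once the retention period has passed, the OneDrive sits in the site collection
# recycle bin (93 days per the note above). List the personal sites there and restore one.
Get-SPODeletedSite -IncludeOnlyPersonalSite | Select-Object Url, DeletionTime
Restore-SPODeletedSite -Identity "https://contoso-my.sharepoint.com/personal/alex_contoso_com"
```

Run the Get-SPODeletedSite line on its own first; a OneDrive that is not listed there is past the 93-day recycle bin window and cannot be restored this way.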

If a OneDrive is put on hold as part of an eDiscovery case, managers and secondary owners will be sent email about the pending deletion, but the OneDrive won’t be deleted until the hold is removed.

The Recycle Bin is not indexed and therefore searches do not find content there. This means that an eDiscovery hold can’t locate any content in the Recycle Bin in order to hold it.

Revoke Office Apps activation from user device

Reading Time: 2 minutes

In this blog post I will go through how to check the number of devices on which a user has activated Office apps, and where to revoke access. Depending on your license, each user may be able to install Microsoft 365 apps on five different devices. If a user has used all five activations and asks for one of those devices to be removed, you can perform this action from the Microsoft 365 admin center.

If you wish to prevent users from downloading Office apps to more than one device, you can disable the download option so it is no longer visible in the user's Office portal; see the following article: Prevent Users from downloading 365 apps.

Note: Deactivating a device doesn't remove Office apps or data from the device, but it will sign the user out of Office remotely.

On how many devices can people install Office, and what license is required?

If your subscription includes any of the following products, each person can install Office on up to five PCs or Macs, five tablets, and five phones.

  • Microsoft 365 Apps for business
  • Microsoft 365 Apps for enterprise
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium
  • Microsoft 365 A3
  • Microsoft 365 A5
  • Microsoft 365 E3
  • Microsoft 365 E5
  • Office 365 A1 Plus
  • Office 365 A3
  • Office 365 A5
  • Office 365 E3
  • Office 365 E5

Let’s get started

1. Log in to the Microsoft 365 admin center (admin.microsoft.com).

2. Click Active Users

3. Click the username

4. Click Account

5. Scroll to the bottom and click View Office activations

Here you can view the number of Office activations and revoke access.


Prevent users from uploading videos to Microsoft Stream

Reading Time: 3 minutes

In this blog post I will go through the process of preventing all users from uploading videos to Microsoft Stream. By default, everyone in your organisation can upload videos to Microsoft Stream, but you may want to limit the employees who can upload. For example, you may want the experience to always be curated and hence assign a few content creators, or you may be running a proof of concept with a smaller audience before allowing anyone in your organisation to start creating content. Before I begin, let's start with a little explanation of Microsoft Stream.

What is Microsoft Stream?
Microsoft Stream is an Enterprise Video service where people in your organisation can upload, view, and share videos securely. You can share recordings of classes, meetings, presentations, training sessions, or other videos that aid your team’s collaboration.

Microsoft Stream is a secure video service so you can manage who views your video content and determine how widely to share within your organisation. Secure application access is enabled by Azure Active Directory.

Microsoft Stream also helps you organise content into channels and groups so it’s easier to find. Microsoft Stream works well with other Office 365 apps like Teams, SharePoint, OneNote, and Yammer, giving even more ways to discover more relevant content.

Let’s get started

1. Log in to the Microsoft Stream admin center.

Note: If you want to manage content on behalf of users, the admin mode feature will need to be enabled.

When Admin mode is switched on, Microsoft Stream admins can manage content on behalf of users, including private content or content they don't normally have permission to edit.

2. Click the cog icon found towards the top right corner and click Admin settings as shown below

3. Click content creation

Note: by default, all users are allowed to comment on videos. If you wish to disable comments, you can do so by clicking Comments, displayed above the Content creation option.

4. Switch the toggle to On.

Note: here you may also prevent all users from company-wide channel creation. You may restrict this to certain users.

5. Specify who is allowed to upload videos.

Don't forget to click Save when ready.

Other options:

1. Configure live events policy in Microsoft Stream

By default, all users can create live events. Here you can restrict this action.

2. Configure company policy for Microsoft Stream users

Present your company policy to your users here.

3. Restore videos in Microsoft Stream

Deleted Microsoft Stream videos are only accessible from the recycle bin for 30 days.


We would love to hear from you, so if you have any further tips on Microsoft Stream that you wish to share, please comment below.

Enable Self Service Password Reset in Azure

Reading Time: 5 minutes

Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.

With SSPR, users can update their password or unlock their account using a web browser. Please note that in a hybrid environment where Azure AD Connect is used to sync accounts from Active Directory to Azure AD, this scenario can cause passwords to differ between the two directories if password writeback is not enabled. Password writeback synchronises password changes made in Azure AD back to your on-premises Active Directory environment; Azure AD Connect provides a secure mechanism to send these password changes from Azure AD back to the existing on-premises directory.

The password reset feature includes a set of capabilities that allow users to manage any password from any device, at any time, from any location, while remaining in compliance with company security policies.

In this blog post, I will go through enabling password writeback within Azure AD Connect, enabling self-service password reset for a group of Azure AD users, and the authentication method and registration options.

1. Log in to your Azure AD Connect server if you're syncing your Active Directory accounts to Azure AD.

2. Enable Password writeback in Azure AD Connect and save the settings.

3. Let's confirm Azure AD has picked up the change.

4. Log in to the Azure portal (portal.azure.com).

5. Click Azure Active Directory, or locate it via the search box.

6. Click Password reset in the left menu.

7. Click On-premises integration.

8. Done, see the screenshot below.

Notice the additional option to allow users to unlock accounts without resetting their password. This setting determines whether users who visit the password reset portal are given the option to unlock their on-premises Active Directory accounts without resetting their password. By default, Azure AD always unlocks the account when performing a password reset; this setting lets you separate the two operations. If set to Yes, users are given the option to reset their password and unlock the account, or to unlock without resetting the password. If set to No, users can only perform a combined password reset and account unlock operation.

I have left the default settings.

9. Now, let's enable self-service password reset: click Azure Active Directory and click Password reset.

10. The password reset feature is disabled by default

11. I will click Selected and apply the policy to a security group named CloudBuildPR, then click Select.

12. Click Save.

13. While in the Password reset section, you'll notice Authentication methods in the left menu. Here you can set the number of authentication methods required, and can prompt your users to set up security questions as an additional authentication option. You can specify your own custom questions that will be visible to the user or select the built-in ones provided by Microsoft.

For the purpose of this demo, I will leave the default options enabled. Note that all features may not be available depending on your license type.


14. Moving down the menu, you'll find Registration, including the option for how often you require users to re-confirm the authentication information they originally submitted. By default this is 180 days, and users are required to register when signing in.

15. The next option down is notifications. The default settings are shown below and are self explanatory.

16. Finally, there is Customization. You can add a link to your online helpdesk portal or an email address so users can contact IT if they require further assistance. I have already covered On-premises integration earlier, so I won't cover that one again.

17. OK, so I'm all set. I have enabled password writeback within Azure AD Connect and enabled Password reset, and I have confirmed the configuration has been picked up within Azure AD.

18. That's it. Visit passwordreset.microsoftonline.com to test.

If you're using a free trial account, you'll receive the message below. At the time of writing this blog post, the password reset option does not function with trial accounts.

Errors/notifications:

You can’t reset your own password because you haven’t registered for password reset.

You haven’t registered the necessary security information to perform password reset
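Both messages mean the user has not registered authentication methods yet. An added example, not from the original post, of finding those users ahead of time: it lists members of the CloudBuildPR group from step 11 who have not completed SSPR registration, using the Microsoft Graph PowerShell module (assumed) and its authentication-methods registration report.

```powershell
# Added example, not from the post. Assumes the Microsoft.Graph PowerShell module and
# an account permitted to read the registration report and group membership.
Connect-MgGraph -Scopes "AuditLog.Read.All", "GroupMember.Read.All"

# Members of the security group the SSPR policy was scoped to in step 11
$group     = Get-MgGroup -Filter "displayName eq 'CloudBuildPR'"
$memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id

# The report gives, per user, whether SSPR is enabled for them, whether they have
# enough methods to be capable of a reset, and whether they have registered at all.
# Group members with IsSsprRegistered = False are the ones who will see the errors above.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $memberIds -contains $_.Id -and -not $_.IsSsprRegistered } |
    Select-Object UserPrincipalName, IsSsprEnabled, IsSsprCapable, IsSsprRegistered
```

Running this before the rollout lets you nudge unregistered users rather than wait for their first failed reset attempt.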

Further Azure password reset FAQs can be found at the following Microsoft link: Azure Self Password Reset FAQ.