Configure Intune device limit restrictions


By default, Intune device limit restrictions set the maximum number of devices that a user can enrol into Intune (Microsoft Endpoint Manager). The default setting at the time of writing this blog post was 5 devices, with the option to configure up to a maximum of 15 devices.

In this blog post I will go through the process of how to reconfigure the default limit of 5.

1. Visit the Microsoft Endpoint Manager Admin Center (endpoint.microsoft.com)

2. Click Devices from the left pane

3. Click Enrollment restrictions

4. As you can see below, the default device limit is set to 5. Click ‘All Users’ to edit the default policy, or create a new device limit restriction policy as shown below within the second image.

Note: you may have noticed an option to amend the default Device Type Restriction policy and the option to create a new policy. The device type restriction policy allows you to control which devices can enrol into Endpoint Manager. For example, you may only want to allow certain iPhone devices with a minimum version, such as iOS 14.3, or you may want to block macOS. This is where you would configure such settings.

5. After clicking All users within the default device restrictions policy, click Properties

6. Click Edit

7. Configure as required. The available options are 1 to 15. Click your preferred option, click Review + save, then save again.

Note:
The priority of custom policies is used when a user exists in multiple groups that are assigned restrictions. Users are subject only to the highest priority restriction assigned to a group where they are included. For example, James is located in group one, which is assigned priority 5 restrictions, and is also in group two, which is assigned priority 2 restrictions. James will be subject only to the priority 2 restrictions.

When you create a restriction, it’s added to the list just above the default policy and takes priority over the default policy.

As mentioned in this post earlier, device enrollment includes default restrictions for both device type and device limit restrictions. Both restrictions apply to all users by default unless they’re overridden by higher priority restrictions.

New Microsoft Exchange Admin Center


You may have noticed the prompts to try out the new Exchange Admin Center when logging into the Exchange Online Portal within Microsoft 365.

In this blog I will be documenting some of the useful additions to the new Exchange Admin Center.

If you have anything further to share, please do leave a comment below

A feature which stood out when accessing the new Exchange Admin Center was the ability to set an out of office for any users within your organisation. I’ll start with documenting where to perform this action. Note that this feature is also available from within the 365 Admin Center. I’ll go into detail on this shortly.

How to set Out of Office for users from the new Exchange Admin Center

1. From the new Exchange Admin Center, click Recipients and Mailboxes

2. Click the user

3. Click Manage automatic replies

As mentioned earlier in this post, you can also configure Out Of Office replies for users from within the 365 Admin Center. I’ll go through the process below.

How to set Out Of Office replies from the Microsoft 365 Admin Portal

1. Log in to portal.office.com

2. Click Admin

3. Click Users > Active Users

4. Click Mail

5. Click Manage Automatic Replies

Back to the new Exchange Admin Center, I would like to move on to another feature which I found useful: the ability for IT admins to restore deleted items from a user's recoverable deleted items folder.

In case you're unsure about what a user's recoverable items folder is, further details can be found in the following Microsoft article: Recoverable Items folder in Exchange Server | Microsoft Docs

How to restore emails from a user's recoverable deleted items folder

1. Within the new Exchange Admin Center, click Recipients
2. Click Mailboxes
3. Click the user
4. Click Recover deleted items under More actions

5. The portal is shown below. If the deleted item exists within the user's recoverable deleted items folder, you will be able to recover the deleted item back to the user's mailbox. By default, emails are retained within the recoverable deleted items folder for 14 days, but can be configured to 30 days.

Note: users also have access to their own recoverable items folder and can restore emails as they wish. Users are also able to empty the recoverable deleted items folder and delete the emails permanently, unless you have a legal hold/retention in place.

The new portal available within the Exchange Admin Center offers a few useful options such as searching by time, words, item types and so on.
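The same recovery can be scripted with Exchange Online PowerShell. The following is an added example, not part of the original post; the admin account, mailbox address, subject text and date range are placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example, not from the original post.
# Requires the ExchangeOnlineManagement module.
# The admin account, mailbox, subject and dates below are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

$Mailbox = 'james@contoso.com'

# Recoverable items are kept for 14 days by default and can be raised to 30.
Get-Mailbox -Identity $Mailbox | Select-Object DisplayName, RetainDeletedItemsFor
Set-Mailbox -Identity $Mailbox -RetainDeletedItemsFor 30

# The same filters the portal offers: time range, words in the subject, item type.
$Filter = @{
    Identity        = $Mailbox
    SubjectContains = 'Quarterly report'
    FilterItemType  = 'IPM.Note'              # mail items only
    FilterStartTime = (Get-Date).AddDays(-14)
    FilterEndTime   = (Get-Date)
}

# Preview what matches before changing anything in the mailbox.
$Items = Get-RecoverableItems @Filter -ResultSize Unlimited
$Items | Format-Table Subject, LastModifiedTime, SourceFolder

# Restore only when the preview found something.
if ($Items) {
    Restore-RecoverableItems @Filter
} else {
    Write-Warning "No recoverable items matched in $Mailbox."
}
```

Running the preview first gives you a record of exactly which items were put back into the mailbox.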

I find the new Exchange Admin Center is easier to navigate when managing users. Please do comment below and let me know your thoughts on the new Exchange Admin Center.

Another change which I find useful is the Groups menu. Groups are accessible from the classic Exchange Admin Center, by clicking Recipients and then the Groups link. All groups reside here. But, in the new Exchange Admin Center, Microsoft have split the groups menu as shown below.

Moving on, another change introduced by Microsoft is that Mailboxes and Shared Mailboxes are separated in the classic Exchange Admin Center, as shown below.

But, in the new Exchange Admin Center, both mailboxes and shared mailboxes exist in the same menu and can be filtered as required. See below.

If you have not already checked out the new Exchange Admin Center, give it a try and it would be great to know your feedback and any features you like or dislike within the new Exchange Admin Center.



Prevent users from downloading files from Microsoft Teams Channel


In this blog post I will go through the process of preventing members from downloading a document from a Teams channel. I will also go through the process of amending permissions so members can only view the document in read only mode. Finally, I will go through the process of how to apply permissions to individual files where permissions have been inherited from a parent folder.

For the purpose of this post I have created a test Word file named CloudBuild within my Teams channel named Cloud Build Team.


I would like to prevent members from editing or downloading my Word document CloudBuild.docx.

1. Click the 3 dots visible to the right of the file and click Open in SharePoint

2. In SharePoint, click the three dots by the side of the file and click Manage access.

3. Click team members, click the edit icon and change from Can Edit to Can View. This configuration prevents members from editing the document, but not from downloading it. You could also apply this to visitors.

Once the permissions have been applied, the pencil icon displays a line through it to indicate that the edit permissions have been removed and that the file is now read only.

4. Next, let’s prevent members from downloading the file

5. Click the Advanced link as shown below

6. Select members and click Edit User Permissions as shown below

7. Select the option "Restricted View – Can view pages, list items, and documents. Documents can be viewed in the browser but not downloaded." and click OK

You could also apply the above permissions to the folder level if there was a requirement to apply permissions to all files within a folder. The files within the folder will inherit permissions from the parent folder.

After applying the permissions to the folder level, I can no longer amend permissions on the individual files within the folder, as permissions are now inherited from the parent folder, which makes sense.

But what if there is a requirement to amend permissions on one of the files within the parent folder? It is possible to break the inherited permissions on individual files while new files created within the folder still inherit permissions from the parent folder. To configure:

1. Click the file within the parent folder, click the 3 dots, click Manage access

2. Click Stop Inheriting Permissions

This process will break the inherited permissions for the individual file. Amend the permissions as required and save.

That’s all. Stay tuned for further posts and please don’t forget to subscribe if you wish to stay up to date with the latest tech posts.

Increase OneDrive for Business default 30 day retention limit


When a user account is deleted from the active users page located in the Microsoft 365 admin center, you can choose what you want to do with the user’s product licenses, email, and OneDrive for Business account.

You may grant another user access to the mailbox. This process converts the user’s mailbox to a shared mailbox. The benefit of shared mailboxes is that they don’t require a license.

But today I would like to discuss what happens to the user's OneDrive for Business account upon account deletion, and how you can increase the default 30 day retention limit.

If a manager is configured, then by default, when a user is deleted, the user's manager is automatically given access to the user's OneDrive. If a manager is not configured, you will still receive a few options before hitting the button to delete the account. One of these options, highlighted below, allows you to give another user access to the leaver's OneDrive for Business files for 30 days after the user is deleted. You can also specify a secondary owner, which I will cover further down this post.

30 days is the default limit to retain OneDrive files after user deletion, but what if you wanted to retain the data for longer? There is an option to extend the default 30 day limit for all OneDrive for Business accounts upon account deletion.

1. Log in to the OneDrive admin center (admin.onedrive.com)

2. Click Storage from the left pane

3. Amend the 30 day limit as required. The maximum retention for OneDrive files after a user is marked for deletion is 3650 days. If you attempt to add a figure above 3650 days, the figure will default to the maximum after clicking save and revisiting the storage section.

The user granted access will receive an email with a link and further instructions for accessing the deleted user’s OneDrive files.

As mentioned above, by default, when a user is deleted, the user’s manager is automatically given access to the user’s OneDrive. But what if a manager is not set and the admin accidentally bypasses the prompt to assign the OneDrive account to another user? You could assign a secondary owner in case a user doesn’t have a specified manager.

1. To perform this action, visit the SharePoint admin center

2. Click More features

3. Click Open User profiles

4. Click Setup My Sites under My Site Settings

5. Scroll down and locate My Site Cleanup

Specify a secondary owner account. This account will be the appointed owner of the OneDrive account if the user’s manager isn’t set in Azure AD. Email notifications will also be sent to the secondary owner account when the value is populated.

Notes:
Upon reaching the retention limit, the OneDrive account for the deleted user is moved to the site collection recycle bin, where it is kept for 93 days. During this time, users will no longer be able to access any shared content in the OneDrive, but you can restore the account via PowerShell.

If a OneDrive is put on hold as part of an eDiscovery case, managers and secondary owners will be sent email about the pending deletion, but the OneDrive won’t be deleted until the hold is removed.

The Recycle Bin is not indexed and therefore searches do not find content there. This means that an eDiscovery hold can’t locate any content in the Recycle Bin in order to hold it.
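The retention setting from the Storage page and the PowerShell restore mentioned in the notes can both be done from the SharePoint Online Management Shell. This is an added example, not part of the original post; the two URLs are placeholders for your own tenant and the leaver's OneDrive, and the lower bound of 30 days is an assumption.

```powershell
# Added example, not from the original post.
# Requires the Microsoft.Online.SharePoint.PowerShell module.
# Both URLs are placeholders for your own tenant and the leaver's OneDrive.
param(
    [string]$AdminUrl    = 'https://contoso-admin.sharepoint.com',
    [string]$OneDriveUrl = 'https://contoso-my.sharepoint.com/personal/james_contoso_com',
    # 3650 is the maximum stated above. The lower bound of 30 is an assumption.
    [ValidateRange(30, 3650)]
    [int]$RetentionDays  = 365
)

Connect-SPOService -Url $AdminUrl

# Read the current tenant-wide retention, change it, then read it back.
$Before = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod $RetentionDays
$After = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
"Retention for deleted users' OneDrive: $Before -> $After days"

# OneDrive sites currently in the recycle bin, soonest to be purged first.
$Deleted = Get-SPODeletedSite -IncludeOnlyPersonalSite -Limit All
$Deleted | Sort-Object DaysRemaining | Format-Table Url, DeletionTime, DaysRemaining

# Restore the leaver's OneDrive only if it is still recoverable.
if ($Deleted.Url -contains $OneDriveUrl) {
    Restore-SPODeletedSite -Identity $OneDriveUrl
} else {
    Write-Warning "$OneDriveUrl is not in the recycle bin (already purged, or never deleted)."
}
```

Unlike the admin center, which falls back to the maximum when you enter a figure above 3650, the range check rejects an out-of-range value before anything is changed.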

Revoke Office Apps activation from user device


In this blog post I will go through the process of how to check the number of devices on which a user has activated Office apps, and where to revoke access. Depending on your license, each user may have access to download 365 apps to five different devices. In the event a user has used all of their activations and requests for one of those devices to be removed, you could perform this action from the 365 Admin Center.

If you wish to prevent users from downloading Office apps to more than one device, you could disable the download option so it's no longer visible in the user's Office portal. See the following article: Prevent Users from downloading 365 apps

Note: Deactivating a device doesn't remove Office apps or data from a device, but it will sign the user out of Office remotely.

How many devices can people install Office on, and what license is required?

If your subscription includes any of the following products, each person can install Office on up to five PCs or Macs, five tablets, and five phones.

  • Microsoft 365 Apps for business
  • Microsoft 365 Apps for enterprise
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium
  • Microsoft 365 A3
  • Microsoft 365 A5
  • Microsoft 365 E3
  • Microsoft 365 E5
  • Office 365 A1 Plus
  • Office 365 A3
  • Office 365 A5
  • Office 365 E3
  • Office 365 E5

Let’s get started

1. Log in to the Microsoft 365 admin center (admin.microsoft.com)

2. Click Active Users

3. Click the username

4. Click Account

5. Scroll to the bottom and click View Office activations

Here you can view the number of Office activations and revoke access.

Note: Deactivating a device doesn't remove Office apps or data from a device, but it will sign the user out of Office remotely.