Reporting on any email addresses configured for Teams and channels via the Graph API

Since apparently I’m the go-to person for everything Graph-related in the company, a colleague asked me the other day how we can report on any channels that have the email functionality enabled and correspondingly gather their email addresses. Turns out it’s not that complicated – one call to fetch all Teams, then for each Team one more call to fetch all Channels. Information about any email addresses configured for the channel is returned in the default output, so no need to query anything else. Then, it’s just a matter of formatting the output.

I didn’t bother to ask why exactly they need the report, but just in case anyone else needs the same, I published the script over at the TechNet Gallery and GitHub. In addition, the script will also return any email addresses configured on the Team itself. Even the nasty SPO ones, which you might want to filter out. And, since all we do is iterate over each object and fetch some properties, as an added bonus you can use the script to generate a report of all Teams and channels in the company. Simply add any other properties you deem important to the output. Speaking of which, here’s what the output looks like for a Demo tenant:

Now for the obligatory explanation on how the script works. Since we are doing Graph calls via PowerShell, we need a few things configured first. Most importantly, an Azure AD application with sufficient permissions to enumerate all Groups (yes, Groups) in the tenant. The Group.Read.All scope should suffice. Get the AppID and client secret for the app and populate them in the corresponding variables at the beginning of the script. Do the same for your tenant ID. Lastly, point to a version of Microsoft.IdentityModel.Clients.ActiveDirectory.dll installed on your system; the one that comes with the AzureAD module should do fine. If you need more help with setting this up or want to better understand the concepts involved, this article is a good starting point.
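The two-call flow described above, as an added PowerShell example; it is not the author's published script. It assumes the v1.0 Graph endpoints, requests the token with a plain client-credentials call instead of the ADAL DLL, and reads the client secret from a hypothetical GRAPH_CLIENT_SECRET environment variable; the tenant ID, app ID and output file name are placeholders.

```powershell
# Added example, not the author's published script. Placeholder values are assumptions.
$tenantId = '<tenant-id>'              # placeholder
$appId    = '<app-id>'                 # placeholder
$secret   = $env:GRAPH_CLIENT_SECRET   # hypothetical variable name; keeps the secret out of the file

# Client-credentials token request (swapped in here for the ADAL DLL the post mentions)
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $appId
        client_secret = $secret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# Follow @odata.nextLink so every page of results is enumerated
function Get-GraphPaged([string]$Uri) {
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# Call 1: Teams are Groups whose resourceProvisioningOptions contains 'Team'
$teamsUri = "https://graph.microsoft.com/v1.0/groups" +
            "?`$filter=resourceProvisioningOptions/Any(x:x eq 'Team')" +
            "&`$select=id,displayName,mail,proxyAddresses"

$report = foreach ($team in Get-GraphPaged $teamsUri) {
    # Team-level addresses, with the SPO: proxy entries filtered out
    $teamMail = @($team.proxyAddresses | Where-Object { $_ -notlike 'SPO:*' }) -join ';'
    [pscustomobject]@{ Team = $team.displayName; Channel = $null; Email = $teamMail }

    # Call 2: channels of this Team; only channels with an email address are reported
    $channelsUri = "https://graph.microsoft.com/v1.0/teams/$($team.id)/channels"
    foreach ($ch in Get-GraphPaged $channelsUri) {
        if ($ch.email) {
            [pscustomobject]@{ Team = $team.displayName; Channel = $ch.displayName; Email = $ch.email }
        }
    }
}

$report | Export-Csv -Path .\TeamsEmailReport.csv -NoTypeInformation -Encoding UTF8
```

Each row with a non-empty Channel column is an address that accepts mail straight into that channel, which makes the CSV a convenient inventory to review alongside your mail flow rules.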


Conditional Access has a new home – meet the Azure AD Security blade

In what seems an effort to drive adoption for the Azure Security Center, Microsoft has made some reorganizational changes in the Azure AD blade. With the added benefit of puzzling and annoying users by failing to provide any kind of indication or announcement for the changes. As it took me a few moments to locate the new home of Conditional Access, I figured it might be helpful to share this in a short article.

So, if you have logged in to the Azure AD blade in the past few days, you’ve probably noticed that the Conditional Access tab/page is missing from its usual location on the left pane. Going over the entries in either the Manage or Monitoring sections on the left pane didn’t yield any results and neither did going over the Overview page. It wasn’t until I noticed the new Security entry (third down from the top) that I was able to find Conditional Access’s new home.

If you are using a direct link/shortcut to access the page, you will notice that the good old https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies one continues to work. However, the path displayed on the top when accessing the page directly does not reflect the steps to getting to its new location; instead it simply shows “Dashboard -> Conditional Access – Policies”. Similarly, using the Search box takes you directly to the CA page, without revealing the steps to get there if you are using the UI. In what seems like another interesting tidbit, Search actually lists two entries for Conditional Access now.

Anyway, now that you know where the Conditional Access pages have moved to, you might as well try the other functionalities available there. Notably, you can find the new Authentication methods page under Manage, where you can enable the freshly available passwordless sign-in via the Microsoft Authenticator app. You can also find entries for Azure AD Identity Protection, the Identity Security Score, MFA setting and more. Last but not least, you will see the Security Center page.

The Security Center page looks a bit barren at the moment, and the only functionality it offers currently is a link to the Azure Security Center. Apart from that, a few insights are shown as well as sections for Identity and access recommendations and Security alerts. I expect that this will change in the coming weeks or months, but at this point it looks like yet another (extremely) minimum viable product release on Microsoft’s side. And of course released without any prior notice.


Submit spam, phish and malware messages via the Security and Compliance Center

A new functionality has appeared over at the Office 365 Security and Compliance Center, namely a UI-driven method for submitting messages that made it past the various EOP layers and into users’ mailboxes. Found under the Threat management -> Submissions tab, and accessible directly via https://protection.office.com/reportsubmission, the page looks very similar to the Threat Explorer itself. Actually, if you select the newly added Submissions option under the View dropdown in Threat Explorer itself, you will be presented with the exact same UI seen on the Submissions page, so it’s a bit puzzling why Microsoft decided to duplicate this. Perhaps to make it easier to discover the submission tool.

Anyway, to report a false-positive or false-negative message to Microsoft, press the New Submission button on top. You will be presented with the New submission pane, where you need to select the type of submission (Email, URL or attachment) and provide some additional details. For an Email type submission, you can directly point to the Network Message ID, which is a very convoluted way of saying “the GUID of a message trace you’ve run that lists the corresponding message”. My initial expectations were for a MessageID, however the example value populated in the field is in GUID format, so definitely not a MessageID. So I went ahead and ran a message trace for one of the spam messages that made it to my Inbox (sadly I see a big increase in those lately):

Get-MessageTrace -SenderAddress no-reply@notices.yola.com | fl

Message Trace ID  : 0ac9b5cf-9e62-4f69-6325-08d706be7a9a
Message ID        : <2121197565.5791741562931944839.JavaMail.app@rapp43.atlis1>
Received          : 12/07/2019 11:45:46
Sender Address    : no-reply@notices.yola.com
Recipient Address : vasil@michev.info
From IP           : 74.112.67.187
To IP             :
Subject           : fgagag  it's time to start building your website.
Status            : Delivered
Size              : 135540

Providing the Message trace ID value from above did the trick, and after a short validation the value was accepted. Next, I had to provide a Recipient, which I was able to select from the automatically populated drop down list (nice touch!). After that, one must specify the Reason for submission, in other words whether you are reporting a false-positive or false-negative item. Lastly, select the Item type: Spam, Phishing or Malware. In my case, the submission looked like this:

Alternatively, one can provide a sample of the message in .eml format, instead of pointing to a network trace id. Why only .eml is supported is beyond me, given Outlook cannot natively save messages to this format. Apart from reporting messages, one can use the tool to submit URLs or Attachments as well. The UI used for those is similar to the above, with some of the unnecessary controls removed.

After you submit a message, an entry will appear in the Report section, where submissions from the last week will be visualized as a Graph. Again, the UI here is pretty much a copy of the Threat explorer UI, so you might already be familiar with it. A separate tab (and graph) is available for any user-submitted messages (via the Outlook or OWA add-ins). Item-level details can be obtained from the corresponding Item tab below, grouped under Email, Url, Attachment respectively. Clicking a particular entry will bring up the right pane with some additional details, including the result of the scan performed.

In my case, the verdict was that the item in question was not spam, which fills me with confidence about the effectiveness of the process of evaluating user- and admin-submitted items. Still, it’s nice to have a UI-based method to do this, as well as a way to check the status. The old method of submitting messages directly to email should still work as well.


Renewed as MVP and the 2020 edition of Office 365 for IT Pros is out

Time for our yearly update. The good folks at Microsoft have renewed my MVP award for another year. This time around, I’m awarded for two categories: Office Apps & Services and Enterprise Mobility. This officially makes it my fifth year in the program, although technically I’m 5 years 9 months in (first awarded October 2014). It continues to be an honor to be part of this select group of individuals and I hope my contributions on the different communities continue to bridge the gap between Microsoft and their customers and occasionally even help people.

In other news, the latest, 6th edition of the Office 365 for IT Pros eBook has been released today. With most of Microsoft’s announcements in the past years happening around the Ignite timeframe, we pondered whether we should change the release date. Keeping it as July 1st allows us to do a more comprehensive review of the existing content and clear up any remaining issues in the next month or two. As the book is constantly updated with new information, the authors will of course make sure to quickly catch up on any interesting features we hear about or see at this year’s Ignite conference.

The new edition is down to 1115 pages, with 344 more as part of the companion volume. There has been a slight reorganization in the list of chapters, which we believe correctly reflects the current state of Office 365 products and services. You can get the new edition from either Gumroad.com (PDF/EPUB version) or Amazon (Kindle). And you can get additional details as well as information about the upgrade offer for existing subscribers from Tony’s latest blog post over at https://office365itpros.com/2019/06/30/announcing-office-365-for-it-pros-2020-edition/


Compare plans in the Office 365 Admin Center

Another small, but meaningful update – you can now compare features across different Office 365/Microsoft 365 plans directly in the Admin Center. The functionality is available when you select the Billing -> Purchase Services menu, as shown below:

Up to three different SKUs can be selected. Once you have made the selection, press the Compare products button. You will be taken to a new screen with side-by-side information for the selected SKUs, along with links to get more details or Buy licenses. The interesting part is the breakdown between individual services, organized as follows:

  • License coverage – details about the number of installs you get for the Office suite
  • Office apps – list of all the individual Office applications included in the SKU, with a separate node for Enterprise management tools
  • Collaboration and communication – includes the basic Office 365 workloads: Exchange Online, SharePoint Online and OneDrive for Business, Skype for Business Online, Teams, Yammer, Audio conferencing and Phone system
  • Accounts and security – basically the EMS components: Azure AD, Intune, Cloud App Security, Azure Information Protection, Azure MFA, and so on
  • Operating system – since I’m comparing the Microsoft 365 plans, the corresponding version of Windows is listed here
  • Business apps – everything else that doesn’t fall into the above categories: Flow and PowerApps, Flow, To-Do, Bookings, Stream, Planner, etc
  • Additional services – the last group features eDiscovery, Archiving, MyAnalytics and Privileged Access Management

The functionality is convenient as it will limit the number of times you have to go over the Service Description documents to compare different plans. Many of the individual entries can be expanded to show additional details, for example here is what the Exchange group reveals:

At a glance, you can compare the mailbox storage limits across plans, as well as other features such as Archiving and anti-malware protection. Similarly, for SharePoint you will have some workload-specific details, such as cross-site publishing or the app catalog. In addition, you can hover over any of the entries and get more information about a specific feature, illustrated below for the Azure AD entry (which has tons of individual items underneath, and it’s well worth exploring):

While all of the information presented here can be gathered from other sources, and in some cases is also available in comparison form, I find this tool a nice addition to the portal. Which is not to say it doesn’t have some glitches 🙂
