Microsoft 365

Microsoft Briefing Emails Are Coming

Posted on June 15, 2020November 26, 2020 by Adam Fowler

More Microsoft driven emails will be hitting your user’s mailboxes if you’re a Microsoft 365 Customer.

The last ones I wrote about were MyAnalytics, and now we have Microsoft Briefings. The first I heard about this was an admin email I received, which I think is a good idea that Microsoft are following, probably from feedback when they rolled out MyAnalytics and many IT Admins were caught unaware:

So, as you can read above, Microsoft Briefings reads what the users are up to, and presents it to them in hopefully a useful fashion to catch emails they might have missed that sound like they need actioning, will give some ideas on how someone can be more efficient and healthy etc

I received my first email today, and here’s how it looked:

I blurred out the email that I’d already actioned, and marked it as completed. Just like MyAnalytics, these emails are only visible by someone who has access to your mailbox – the emails that turn up don’t traverse the internet like other emails; instead, Microsoft are popping them up straight into the mailbox. You won’t find any mailflow trackings of these.

A user can opt out if they don’t like them, or an admin can follow the documentation to pre-emptively disable this on a user by user basis. ~~There appears to be no org-wide setting to disable, so if you need to disable it, make sure you include it as a provisioning step for new users too~~. See the update at the bottom of the page.

There’s also a portal users can use to unsubscribe: https://cortana.office.com/

Once the magic Microsoft switch is set to ‘on’ for your tenant, users will get an email every day that they have some sort of content to be in the briefings email – if there’s no content, there’s no email.

Just like MyAnalytics, I recommend communicating this soon to your company that the emails are coming. Some people might not like it, but preparing staff for a something that can help them should help with adoption, rather than an out of the blue starter email.

I’m keen to see how effective the Briefings emails will be and how much value they provide. I think it’s a good idea, and as long as it works as the box describes, should add value for staff at the start of each day to remind them what they’ve got going on, and potentially pick up something they forgot to action.

Update 17th June 2020

Microsoft have listened and acted quickly – you can now toggle this feature on or off at the tenant level. To do so, go to the Microsoft 365 admin center, and under Services > Org settings, the Services tab contains the item ‘Briefing emails (Preview)’. From here, there’s your tickbox to turn it off or on.

Service health dashboard email notifications GA

Posted on November 26, 2019November 29, 2019 by Adam Fowler

Email alerts for Microsoft 365 Service Health incidents is now Generally Available! (as fellow MVP Greig Sheridan pointed out, although it’s GA, it’s gradually rolling out from December 2019 to March 2020 – but I already have this in my live tenant) In case you missed this one, there’s now an easy way to configure email alerts to go out when there’s an outage of some sort in the Microsoft 365 space.

Personally I’m used to checking out the portal once I hear about a complaint and seeing what might be broken. Instead, I’ll now see emails to keep across what’s going on in the Microsoft world, as well as have a ticket raised via email to helpdesk, so any potential user affecting outages are identified earlier in the troubleshooting process.

The advisory is MC196504 for those who want to read about it in the ‘Microsoft 365 admin center Message center’, but all you need to do to enable it is:

From the new Microsoft 365 admin center, go to Health > Service Health. Under the All services tab, click the Preferences button:

This will pop out a side window:

From this page, you can enter up to 2 email addresses – so if you want it to go to more than 2 recipients, use a distribution group. You can choose the services you want to receive alerts about (all are ticked by default), and as it will advise when saving, it may take up to 8 hours to apply.

This one’s a pretty simple feature, but one I’m very glad to see. Set it up for yourself today!

Blocking ActiveSync with Conditional Access

Posted on September 27, 2019October 20, 2020 by Adam Fowler

Microsoft has announced that they’re continuing the path away from Legacy Authentication, with the decommission of legacy auth to EWS on Exchange Online on October 13th 2020. Instead of waiting for that looming date, there’s a bunch of security reasons to only have Modern Authentication for Microsoft 365.

I’ve already written up on Protect Your Office 365 Accounts By Disabling Basic Authentication and Blocking Legacy Authentication – Conditional Access vs Authentication Policies – but when I migrated from Authentication Policies to Conditional Access, I didn’t realise ActiveSync wasn’t included as part of blocking Legacy Authentication, even though it connects without MFA.

The guide from Microsoft on how to block Legacy Authentication doesn’t actually mention ActiveSync, so it’s easy to miss like I initially did! You’ll need to block ActiveSync altogether as far as I know, as it doesn’t support MFA.

Although I still think Conditional Access is easier to manage than Authentication Policies, there is one caveat; even with an ActiveSync block in place via Conditional Access, too many attempts by a user will lock their account briefly. This might cause problems or require work to get those users to clean up whatever device is trying to log in. With an Authentication Policy I don’t believe this happens because it’s blocked earlier in the sign-in process – you won’t see logs, and the account can’t get locked.

There is of course, a checkbox around ActiveSync, and a way to block it using Conditional Access, but I had mixed results in blocking it successfully until I did it exactly this way:

Create a new Conditional Access Policy and set these options:

Cloud apps or actions > Select Apps > Office 365 Exchange Online

Conditions > Client apps > Tick both ‘Mobile apps and desktop clients’ + ‘Exchange ActiveSync Clients’

In the Users and Groups section, you can narrow this down from ‘All Users’ for testing or for a gradual rollout.

The user experience is interesting on this one – they can still sort of authenticate, but instead of getting their emails, they will see a single email advising that their access has been blocked:

On top of this, you can use Azure AD to audit who might be using ActiveSync before you put any sort of block in place. As per usual, there’s a good Microsoft article on Discovering and blocking legacy authentication which can walk you through this, but in short:

Via the Azure Portal, go to Azure Active Directory > Users. Under Activity, go to Sign-ins. Click Add filters, and choose Client App > Tick the three ‘Exchange ActiveSync’ options and press ‘Apply’. You’ll see the last 7 days of sign in attempts using ActiveSync, which should give you an idea of how many users are using it, and who.

Blocking Legacy Authentication, plus blocking ActiveSync will give you a much more secure environment, protecting from account attacks.

MyAnalytics is Coming (for the rest of us)

Posted on September 19, 2019October 20, 2020 by Adam Fowler

MyAnalytics is an extension to Microsoft 365 which provides productivity insights. It looks at what you do over email, OneDrive for Business and Skype for Business Online/Teams, and collates the data to present it with statistics.

The documentation for how this product works is quite good and worth a read. There’s privacy considerations in any product that’s scraping data, but they seem fairly well addressed. Two main points are that the data for MyAnalytics is processed and stored in the user’s Exchange Online mailbox, and nobody but the user can see this data (including system administrators).

MyAnalytics has been around for a while, but mostly for Office 365 E5 / Microsoft 365 E5 customers so many people have not heard of it, or have no experience in it. Microsoft are changing who gets access to this data, and are currently rolling out Digest emails to E3, E1 and Business customers.

If you have the feature already turned on, then your users can probably already access their dashboard at https://myanalytics.microsoft.com/ and start checking it out.

MyAnalytics is controlled by a license under the Microsoft 365 product. Many people probably have all the components on, and therefore although users have had access to this product, it hasn’t really been visible. The Welcome email comes first, and it seems to be rolling out right now to Targeted Release users in Microsoft 365.

Beyond just turning MyAnalytics on, there’s a few admin controls available at the tenant level and user level. You’ll need to consider items like ‘should users be opted-in by default, or opted-out’ if there are concerns around data scraping – even though this all lives in your Microsoft tenant, there could still be staff that are not comfortable with this.

Nascar use MyAnalytics if that helps you point to another company using it:

As you can see, I’ve linked to a bunch of Microsoft documentation around this rather than rewriting what they have – always nice to see quality doco!

It’s worth checking out MyAnalytics now and deciding if it’s something you want – at least check the state of your settings before users start getting Welcome emails!

Update 20th September

The product group have advised me on one extra tip – disabling the ‘Weekly insights email‘ option at the admin end will actually disable the Welcome email too – documentation to be updated shortly.

Share this:

Share this:

Share this:

Share this: