Office 365

5 Things To Check In Your Microsoft 365 Apps (Office 365) Configuration

Word, Excel, PowerPoint, Outlook, OneNote, and Teams (unless you’re in the EU) are some of the apps that make up the Microsoft 365 Apps suite. It isn’t called Office 365 anymore, although the apps themselves have been around for a very long time. Despite the name change, ‘Office’ is still used across Microsoft documentation, the Essential Eight, Windows Registry settings and so on, so I will also use it for the rest of this article.

Unsurprisingly, there’s both a lot of flexibility in configuration options for these apps, as well as many settings that have security considerations. As with my other blog posts of late, I wanted to have a look at the Center for Internet Security’s (CIS) Microsoft Intune for Office Benchmark 1.0 and pick my favourite 5 recommendations; ones that I think have a high impact, aren’t on by default, and/or ones you may not have considered.

As with other Intune benchmarks, you don’t have to use Microsoft Intune (you can use Group Policy/registry) but these options are natively supported via Intune. To create these policies via Intune from the Microsoft Intune admin center go to Apps > Policy > Policies for Office apps.

I’m not going to pick the obvious settings either – everyone should be following the Essential Eight guidance on blocking Office Macros which is:

Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
Microsoft Office macros in files originating from the internet are blocked.
Microsoft Office macro antivirus scanning is enabled.
Microsoft Office macro security settings cannot be changed by users.

and should also have in place all Attack Surface Reduction rules related to Microsoft 365 Apps, such as these:

Block all Office applications from creating child processes
Block Office applications from creating executable content
Block Office applications from injecting code into other processes

…so if you aren’t doing the above (or if you’re not sure) – go sort that out first before you worry about these extra ones!
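If you’re not sure whether the prerequisites above are actually in place on a given machine, this PowerShell check reports them. It is an added example and not code from the original post: the ASR rule GUIDs are Microsoft’s published IDs for the three rules listed above, the action codes are those returned by Get-MpPreference, and the macro registry names are the Office Group Policy locations as I know them (treat those as assumptions and confirm against your ADMX version). Function names are my own.

```powershell
# Added example (not from the original post): report the state of the Office-related ASR
# rules and the Essential Eight macro settings on a workstation. Office user policy lives
# under HKCU, so run this as the signed-in user; Get-MpPreference needs Microsoft Defender AV.

$officeAsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}
# Action codes as returned in AttackSurfaceReductionRules_Actions
$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-OfficeAsrState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)   # index-aligned with $ids
    foreach ($guid in $officeAsrRules.Keys) {
        $action = $null
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $guid) { $action = [int]$actions[$i] }
        }
        [pscustomobject]@{
            Rule  = $officeAsrRules[$guid]
            Id    = $guid
            State = if ($null -eq $action) { 'Not configured' } else { $asrActionNames[$action] }
            Pass  = ($action -eq 1)   # Audit and Warn do not stop the behaviour; only Block does
        }
    }
}

function Get-MacroPolicyState {
    # Registry names are assumptions taken from the Office ADMX as I know them:
    # <App>\Security\BlockContentExecutionFromInternet = 1 ("macros from the internet are blocked")
    # Common\Security\MacroRuntimeScanScope = 2 (AMSI macro scanning for all documents)
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $v = (Get-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        [pscustomobject]@{ Setting = "$app - block macros from the internet"; Value = $v; Pass = ($v -eq 1) }
    }
    $key = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
    $v = (Get-ItemProperty -Path $key -Name MacroRuntimeScanScope -ErrorAction SilentlyContinue).MacroRuntimeScanScope
    [pscustomobject]@{ Setting = 'Macro runtime scan scope (2 = all documents)'; Value = $v; Pass = ($v -eq 2) }
}

Get-OfficeAsrState   | Format-Table Rule, State, Pass -AutoSize
Get-MacroPolicyState | Format-Table -AutoSize

# Optional local remediation (elevated prompt). On Intune/GPO-managed devices set the rules
# there instead, otherwise the management channel will keep overwriting the local value.
# foreach ($id in $officeAsrRules.Keys) {
#     Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
# }
```

A rule showing as Audit is the common gap: it looks configured in the console but blocks nothing, which is why the check only passes on Block.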

Alright, let’s get on with my 5 picks:

#1 – 2.3.23.2 Ensure ‘Block signing into Office’ is set to ‘Enabled: Org ID only’

Official description of the setting:
This policy setting controls whether users can provide credentials to Office using either their Microsoft Account or the user ID assigned by your organization for accessing Office 365.
If you enable this policy setting, you can specify one of the following options:

– If you select “Both IDs allowed”, users can sign in and access Office content by using either ID
– If you select “Microsoft Account only”, users can sign in only by using their Microsoft Account.
– If you select “Organization only”, users can sign in only by using the user ID assigned by your organization for accessing Office 365.
– If you select “None allowed”, users cannot sign in by using either ID.

If you disable or do not configure this policy setting, users can sign in by using either ID.

Note: This policy does not apply to licensing. A user can license their product using any applicable ID if they have a valid license associated with that account. Providing credentials for licensing purposes when that ID type has been disabled, however, will not affect the signed in state of Office.

This setting controls whether a consumer Microsoft Account can be used to sign in to the Office suite. By default both a work account and a Microsoft Account can be signed in, so changing it to Org ID only prevents that. This stops a user, accidentally or wilfully, saving to and opening files from their personal OneDrive and anywhere else the Microsoft Account has access to. You can imagine a user not realising they’ve been saving their last year of work to their personal, unprotected OneDrive, or doing so deliberately because it made it easier to keep working on documents from their home computer. There should be no legitimate business need for this, so change it. Note the licensing caveat in the description above: this controls which identity can be signed in to the apps, not which identity activates the licence.

In Intune, it’s under the ‘Block signing into Office’ setting, as is the Group Policy setting Block signing into Office (admx.help)

#2 – 2.3.38.1.1 Ensure ‘Improve Proofing Tools’ is set to ‘Disabled’

This setting controls whether data learnt from the Office Proofing Tools (such as spell check) is sent back to Microsoft. It is enabled by default. The data includes additions to the custom dictionary: maybe you keep writing Project Phoenixx and that is actually the ‘correct’ spelling, or maybe it is the combination of letters and numbers from your driver’s licence, or a credit card number. Here’s the actual description of the setting:

This policy setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft. The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user’s computer.
If you enable this policy setting, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies.
If you disable this policy setting, the Help Improve Proofing Tools feature does not collect proofing tool usage information and transmit it to Microsoft.
If you do not configure this policy setting, the behavior is the equivalent of setting the policy to “Enabled”.

Beyond this data going back to Microsoft, it is also saved on your computer in a secondary data collection file. Quite simply, it introduces extra risk (a second copy of the data on disk, plus transmission to Microsoft) with no direct user benefit and no obvious way of seeing what is being transmitted, so it should be disabled. This isn’t about how much you trust Microsoft – you’re probably already using their operating system, software, cloud storage, search results and AI. Risk is risk and you reduce it wherever it makes sense to, and this is one of those scenarios.

This setting can be found under ‘Improve Proofing Tools’ in Intune, or Group Policy/Registry here.

#3. Modern Office File Formats:
2.11.8.6.1 Ensure ‘Default file format’ is set to ‘Enabled: Word Document (.docx)’
2.2.4.6.1 Ensure ‘Default file format’ is set to ‘Enabled: Excel Workbook (*.xlsx)’
2.6.6.5.1 Ensure ‘Default file format’ is set to ‘Enabled: PowerPoint Presentation (*.pptx)’

These are all the same setting, but each application needs its own copy enabled. Worth noting is that the same setting exists for Access – ideally you don’t have Access anywhere, but if you do, change that one too. Each is actually two settings: enable the policy, then set ‘Save x files as’ to the format listed above, e.g. PowerPoint Presentation (*.pptx).

Although this setting doesn’t block the older Office document types (.doc, .xls, .ppt), it makes the newer .docx, .xlsx and .pptx the default for saving. The older binary formats were the default up to Office 2003; Office 2007 introduced the Office Open XML formats (the ‘x’ versions), which are ZIP containers of XML parts – rename one to .zip and you can check out what’s inside. Although I can’t find much officially around the differences, the general takes are that the newer format is less prone to corruption, better organised internally and more open for other programs to read. The security difference is concrete, though: a .docx, .xlsx or .pptx cannot carry VBA macros (those need the macro-enabled .docm, .xlsm or .pptm variants, which is visible from the file name), whereas a legacy .doc, .xls or .ppt can contain macros with nothing in the extension to give it away.

Most companies will still have the older file formats floating around, but this setting works towards encouraging the new format (and 16 years since release, it’s hard to still call it ‘new’!).
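The “rename it to .zip” trick above can be scripted, which is handy when you want to know what is really sitting on a file share. This is an added example, not code from the original post: it reads the first bytes to tell a genuine Office Open XML container from a legacy OLE binary regardless of extension, then lists the parts that matter from a security point of view (a VBA project, embedded objects, relationship targets marked external). The function name and report fields are my own; it needs only .NET’s ZipFile, not Office.

```powershell
# Added example (not from the original post): inspect what is actually inside an Office file.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeFileReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')][string]$Path
    )
    process {
        $file = Get-Item -LiteralPath $Path
        $report = [ordered]@{
            File = $file.Name; Extension = $file.Extension.ToLower(); Container = 'unknown'
            HasVbaProject = $false; Embeddings = 0; ExternalRels = 0; Notes = @()
        }

        # The first eight bytes identify the container; Office identifies files by content too.
        $magic = New-Object byte[] 8
        $fs = [System.IO.File]::OpenRead($file.FullName)
        try { [void]$fs.Read($magic, 0, 8) } finally { $fs.Dispose() }
        $hex = ($magic | ForEach-Object { $_.ToString('X2') }) -join ''

        if ($hex.StartsWith('D0CF11E0A1B11AE1')) {
            # OLE compound file: the legacy .doc/.xls/.ppt family, which can hold macros unannounced
            $report.Container = 'OLE compound file (legacy binary)'
            if ($report.Extension -match '^\.(docx|xlsx|pptx)$') {
                $report.Notes += 'legacy binary under a modern extension: the x extension is no guarantee the file cannot carry macros'
            }
        }
        elseif ($hex.StartsWith('504B0304')) {
            # ZIP: Office Open XML if it declares its parts in [Content_Types].xml
            $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
            try {
                $names = @($zip.Entries | ForEach-Object { $_.FullName })
                $report.Container = if ($names -contains '[Content_Types].xml') { 'Office Open XML (zip)' } else { 'zip, not OOXML' }
                $report.HasVbaProject = [bool]($names | Where-Object { $_ -match 'vbaProject\.bin$' })
                $report.Embeddings = @($names | Where-Object { $_ -match '/embeddings/' }).Count
                # Relationship parts declare links, attached templates and remote objects as TargetMode="External"
                foreach ($entry in $zip.Entries | Where-Object { $_.FullName -like '*.rels' }) {
                    $reader = New-Object System.IO.StreamReader($entry.Open())
                    try { $rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
                    $report.ExternalRels += [regex]::Matches($rels, 'TargetMode="External"').Count
                }
            } finally { $zip.Dispose() }

            if ($report.HasVbaProject -and $report.Extension -match '^\.(docx|xlsx|pptx)$') {
                $report.Notes += 'VBA project inside a non-macro extension: Office will not run it as-is, but a rename to .docm/.xlsm/.pptm would'
            }
        }

        $report.Notes = $report.Notes -join '; '
        [pscustomobject]$report
    }
}

# Usage: sweep a share and surface the files worth a second look
# Get-ChildItem \\fileserver\share -Recurse -Include *.doc*, *.xls*, *.ppt* |
#     Get-OfficeFileReport |
#     Where-Object { $_.HasVbaProject -or $_.Container -like 'OLE*' -or $_.ExternalRels -gt 0 } |
#     Format-Table File, Container, HasVbaProject, ExternalRels, Notes -AutoSize
```

The point of checking the magic bytes first is that Office’s own File Block settings work on the real format, not the extension, so a count of “.docx files” on a share says nothing until you know how many of them are legacy binaries in disguise.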

Setting description from Word:
This policy setting determines the default file format for saving files in Word.

If you enable this policy setting, you can set the default file format from among the following options:

– Word Document (*.docx): This option is the default configuration in Word.
– Single Files Web Page (*.mht)
– Web Page (*.htm; *.html)
– Web Page, Filtered (*.htm, *.html)
– Rich Text Format (*.rtf)
– Plain Text (*.txt)
– Word 6.0/95 (*.doc)
– Word 6.0/95 – Chinese (Simplified) (*.doc)
– Word 6.0/95 – Chinese (Traditional) (*.doc)
– Word 6.0/95 – Japanese (*.doc)
– Word 6.0/95 – Korean (*.doc)
– Word 97-2002 and 6.0/95 – RTF
– Word 5.1 for Macintosh (*.mcw)
– Word 5.0 for Macintosh (*.mcw)
– Word 2.x for Windows (*.doc)
– Works 4.0 for Windows (*.wps)
– WordPerfect 5.x for Windows (*.doc)
– WordPerfect 5.1 for DOS (*.doc)
– Word Macro-Enabled Document (*.docm)
– Word Template (*.dotx)
– Word Macro-Enabled Template (*.dotm)
– Word 97 – 2003 Document (*.doc)
– Word 97 – 2003 Template (*.dot)
– Word XML Document (*.xml)
– Strict Open XML Document (*.docx)
– OpenDocument Text (*.odt)

Users can choose to save presentations or documents in a different file format than the default.

If you disable or do not configure this policy setting, Word saves new files in the Office Open XML format: Word files have a .docx extension. For users who run recent versions of Word, Microsoft offers the Microsoft Office Compatibility Pack, which enables them to open and save Office Open XML files. If some users in your organization cannot install the Compatibility Pack, or are running versions of Word older than Microsoft Office 2000 with Service Pack 3, they might not be able to access Office Open XML files.

This policy setting is often set in combination with the “Save As Open XML in Compatibility Mode” policy setting.

The four settings in Intune are shown below, and the Group Policy/Registry settings are here: Word, Access, Excel, PowerPoint

#4. 2.3.23.3 Ensure ‘Control Blogging’ is set to ‘Enabled: All Blogging Disabled’

I partly like this one because not many people know this is even a thing. Description:

This policy setting controls whether users can compose and post blog entries from Word.

If you enable this policy setting, you can choose from three options for controlling blogging:

* Enabled – Users may compose and post blog entries from Word to any available blog provider. This is the default configuration in Word.

* Only SharePoint blogs allowed – Users can only post blog entries to SharePoint sites.

* Disabled – The blogging feature in Word is disabled entirely.

If you disable or do not configure this policy setting, the behavior is the equivalent of setting the policy to Enabled-Enabled.

Word can send the contents of a document to certain blogging platforms via a direct connection from inside the application, and this is enabled by default. Although the proportion of your user base that would even consider this is quite low, all it takes is one person deciding to do it and then publishing the wrong document to a public site.

As usual, there’s no great reason to allow this at all, so disable it – even restricting it to SharePoint sites doesn’t mean it’s restricted to SharePoint sites you control.

The Intune setting is Control Blogging, which you need to Enable and set to All blogging disabled; the Group Policy/Registry settings are here.

#5. 2.5.14.3.4 Ensure ‘Outlook Security Mode’ is set to ‘Enabled’

There’s an Outlook Security Mode? Sounds like something that should be enabled! Description:
This policy setting controls which set of security settings are enforced in Outlook.

If you enable this policy setting, you can choose from four options for enforcing Outlook security settings:

* Outlook Default Security – This option is the default configuration in Outlook. Users can configure security themselves, and Outlook ignores any security-related settings configured in Group Policy.

* Use Security Form from ‘Outlook Security Settings’ Public Folder – Outlook uses the settings from the security form published in the designated public folder.

* Use Security Form from ‘Outlook 10 Security Settings’ Public Folder – Outlook uses the settings from the security form published in the designated public folder.

* Use Outlook Security Group Policy – Outlook uses security settings from Group Policy.

Important – You must enable this policy setting if you want to apply the other Outlook security policy settings mentioned in this guide.

If you disable or do not configure this policy setting, Outlook users can configure security for themselves, and Outlook ignores any security-related settings that are configured in Group Policy.

Note – In previous versions of Outlook, when security settings were published in a form in Exchange Server public folders, users who needed these settings required the HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings registry key to be set on their computers for the settings to apply. In Outlook, the CheckAdminSettings registry key is no longer used to determine users’ security settings. Instead, the Outlook Security Mode setting can be used to determine whether Outlook security should be controlled directly by Group Policy, by the security form from the Outlook Security Settings Public Folder, or by the settings on users’ own computers.

Intune has the option ‘Microsoft recommended baseline’ under ‘Outlook Security Mode’, which is documented here along with all the settings it controls: https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-v2-office-settings?pivots=v2306#microsoft-outlook-2016

If you need to change any of those related settings from the default, you instead need to change this from ‘Microsoft recommended baseline’ to ‘Manually configured’ with ‘Use Outlook Security Group Policy’, and then make sure every related policy is configured the way you want, because the baseline will no longer be setting them for you.

The CIS benchmark documentation also mentions:
Note: This setting is essential for ensuring that the other Outlook security settings mentioned in this baseline are applied as suggested.

So what this all means is that the CIS benchmark overall has different configuration recommendations from the Microsoft recommended baseline; if you take the manual option, assess every setting the baseline would otherwise have set for you.

The Intune setting is ‘Outlook Security Mode’, and the Group Policy/Registry settings are here.
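Because all five picks end up as registry values on the endpoint, they can be audited on a workstation with a short script. This is an added example, not code from the original post. Both the Group Policy root (HKCU\Software\Policies\Microsoft\Office\16.0) and the Office cloud policy root that Intune’s ‘Policies for Office apps’ writes to (HKCU\Software\Policies\Microsoft\Cloud\Office\16.0) are checked. The key and value names are transcribed from the Office ADMX definitions as I know them (the same ones the admx.help links above describe); treat them as assumptions and confirm against your ADMX version. Function names are my own.

```powershell
# Added example (not from the original post): audit the five picks on a signed-in user's machine.
# Office user policy lives under HKCU, so run this as the user, not from an elevated admin shell.
# If a key or value name here does not match your ADMX version, the row shows "not configured"
# rather than passing, so a transcription error fails closed.

$policyRoots = [ordered]@{
    'GPO'   = 'HKCU:\Software\Policies\Microsoft\Office\16.0'         # Group Policy
    'Cloud' = 'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'   # Intune "Policies for Office apps"
}

# Expected values: SignInOptions 2 = Org ID only; PTWOptIn 0 = proofing data off; Word DefaultFormat
# is a REG_SZ where "" = .docx; Excel 51 = .xlsx; PowerPoint 27 = .pptx; DisableBlog 1 = all blogging
# disabled; AdminSecurityMode 3 = Use Outlook Security Group Policy.
$checks = @(
    [pscustomobject]@{ Id = '2.3.23.2';   Setting = 'Block signing into Office';      Key = 'Common\SignIn';      Value = 'SignInOptions';     Expected = 2  }
    [pscustomobject]@{ Id = '2.3.38.1.1'; Setting = 'Improve Proofing Tools';         Key = 'Common\PTWatson';    Value = 'PTWOptIn';          Expected = 0  }
    [pscustomobject]@{ Id = '2.11.8.6.1'; Setting = 'Word default file format';       Key = 'Word\Options';       Value = 'DefaultFormat';     Expected = '' }
    [pscustomobject]@{ Id = '2.2.4.6.1';  Setting = 'Excel default file format';      Key = 'Excel\Options';      Value = 'DefaultFormat';     Expected = 51 }
    [pscustomobject]@{ Id = '2.6.6.5.1';  Setting = 'PowerPoint default file format'; Key = 'PowerPoint\Options'; Value = 'DefaultFormat';     Expected = 27 }
    [pscustomobject]@{ Id = '2.3.23.3';   Setting = 'Control Blogging';               Key = 'Word\Options';       Value = 'DisableBlog';       Expected = 1  }
    [pscustomobject]@{ Id = '2.5.14.3.4'; Setting = 'Outlook Security Mode';          Key = 'Outlook\Security';   Value = 'AdminSecurityMode'; Expected = 3  }
)

function Get-OfficePolicyValue {
    # Returns the first root that holds the value, so the report shows which channel set it
    param([string]$Key, [string]$Value)
    foreach ($source in $policyRoots.Keys) {
        $path = Join-Path $policyRoots[$source] $Key
        $item = Get-ItemProperty -Path $path -Name $Value -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $source; Actual = $item.$Value }
        }
    }
    return $null
}

function Test-OfficeBenchmarkPicks {
    foreach ($c in $checks) {
        $found = Get-OfficePolicyValue -Key $c.Key -Value $c.Value
        [pscustomobject]@{
            Id       = $c.Id
            Setting  = $c.Setting
            Source   = if ($found) { $found.Source } else { 'not configured' }
            Actual   = if ($found) { $found.Actual } else { $null }
            Expected = $c.Expected
            # Compare as strings so Word's REG_SZ "" and the DWORD values are handled the same way
            Pass     = ($null -ne $found) -and ("$($found.Actual)" -eq "$($c.Expected)")
        }
    }
}

Test-OfficeBenchmarkPicks | Format-Table Id, Setting, Source, Actual, Expected, Pass -AutoSize
```

Run it on a few representative machines after the policies have had time to apply, and again after any Intune or Group Policy change; a row that flips from GPO to Cloud (or to ‘not configured’) is exactly the kind of gap the closing paragraph warns about.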

I hope you found the above options interesting, and as always this is designed to grow awareness of what you need to consider in managing an environment, and always have that security mindset. These options are not set and forget either – you need frequent checks to make sure no gaps have been created either by reconfiguration or new settings coming in.

Cloud.Microsoft is coming (and already here a bit)!

Microsoft has been planning to migrate Microsoft 365 services to a new domain – cloud.microsoft – for over a year.

Back in April 2023, Microsoft announced the upcoming change with a starting sentence: “…today we’re excited to announce that Microsoft is beginning to reduce this fragmentation by bringing authenticated, user-facing Microsoft 365 apps and services onto a single, consistent and cohesive domain: cloud.microsoft.”

As pointed out to me by Microsoft MVP Karl Wester-Ebbinghaus, who in turn was reading this post from Dr Windows aka Martin Geuß, there is now an update on the Microsoft 365 Message Center called “Product transitions to the cloud.microsoft domain – February 2024” Message ID MC724837 (published on March 5th which is still almost February). It calls out that the new domains are starting to go live, in parallel with existing domains – meaning you won’t get redirected to the new ones yet.

A list of services that are already running on a cloud.microsoft domain are documented here: https://learn.microsoft.com/microsoft-365/enterprise/cloud-microsoft-domain which at the time of writing looks like this:

List of live cloud.microsoft subdomains as of 12/03/2024

As Microsoft has exclusive rights to the .microsoft top-level domain, content on it can be held to a pretty high standard. Make your own decisions about what you allow: the whole .microsoft domain, or just the cloud.microsoft subdomain for now. An allow-list entry for the whole top-level domain is much broader than one for cloud.microsoft, so prefer the narrower entry unless you have a reason not to. You may need to add the domain/subdomain to allow lists.

What the above changes also mean for me personally is a lot of ongoing work on MSPortals.io to keep it up to date, as well as keeping the old links on there while they still function.

I’ll do my best to keep MSPortals.io as updated as possible, but if you notice anything that needs an update, please contact me or use the GitHub option on the site to submit an update.

Other notes and take aways from the message center post:

It appears the planned end dates for the non-cloud.microsoft URLs of Microsoft 365 services are somewhere between June 2024 and September 2024.

Follow the guidance on Microsoft 365 URLs and IP address ranges and there should be no network administrative impact to these changes.

Update documentation and communicate the change to end users – this can be a good chance to train or rehash what domains are, which helps in user understanding of phishing attempts (both web based and email).

If you have any tools built that connect to Microsoft 365 services (third-party or internally developed), make sure their owners are aware of the upcoming changes and have a plan to update.

Hornetsecurity Overview – 365 Total Protection


The Microsoft 365 suite contains a lot of different solutions, with varying levels of security on those solutions depending on which tier of licensing you have. Microsoft’s security answers have varying levels of user experience, technical requirements and administrative burden.

For example, if you’ve regularly used Microsoft’s native tools to look at mail flow and compared them with third-party solutions, you’d probably agree that Microsoft does not provide a quick and easy experience for troubleshooting why an email didn’t arrive. If you have to go back more than 2 days, you’ll potentially have to wait a few hours just to get the results of the mail flow trace.

Third-party solutions must compete with Microsoft in their own space for security solutions, which means they need to be adding value somehow; cheaper, easier to use, more features, and/or quicker.

Hornetsecurity’s answer to this is their 365 Total Protection solution. I’m fairly experienced with Microsoft’s first party offerings, and a few other third-party mail security solutions, so was interested to see how this stacked up and where it might fit.

Hornetsecurity shows the 3 different tiers of licensing, and an option to start a free trial:

The above pricing based on the feature set seems quite reasonable to me, and from the page you can click on each feature and see more information including a screenshot.

The free trial process is well documented – the first page lays out what you’re in for, which will unsurprisingly require tenant admin access to approve tenant-wide permissions for Hornetsecurity. Read that consent prompt carefully: you are granting a third-party application access to your tenant’s mail and data, so know exactly which permissions you’re approving.

Once you accept the permission request, a synchronisation will start. As I’m doing this in my own tenant of 1 user, it took about 20 seconds to perform. You’ll then need to update MX records so mail flows through the Hornetsecurity service, so it can do many of the services listed.

Not all services rely on mail flow; there is also an Outlook add-in. For older versions of Outlook it can be downloaded and installed like a traditional add-in, or there’s the much nicer modern method controlled from inside the Microsoft 365 admin center to deploy it and make it visible to users (I wish more vendors did this!).

Either way, the Outlook add-in provides several functions such as being able to report emails, block/allow emails, and view archived emails.

Some other notable features of the 365 Total Protection solution:

  • Email Archiving – something Microsoft can do, but it doesn’t do a great job of exposing the archived emails. 10 years of email retention should be more than enough for most companies, and even if you have archiving enabled natively in your tenant, this gives you a backup of all your emails.
  • Email Live Tracking – a real time view of mail flow that works quickly and doesn’t require reports to be generated after 2 days that are CSV files.
  • Individual User Signatures – Centralised signatures that are also monitored for people who decide to change them away from the company standard. Different groups can get their own style of signature too. Microsoft still has nothing in this space natively and is still in the early days of having a signature saved to someone’s profile.
  • eDiscovery – Being able to search quickly across all emails in the company for keywords is a handy thing. Another one that Microsoft can do, but it’s clunky and far from quick.
  • Email Continuity Service – If Microsoft’s mail services go down, you can keep going until they’re back – delivering and sending emails directly through Hornetsecurity, then syncing up what happened after the event.
  • Automated backups for mailboxes, Teams, OneDrive and SharePoint – this is really where all your Microsoft 365 data will live. Again, it gives you somewhere this data can be backed up to and restored from outside Microsoft’s ecosystem.

There are of course a lot of security aspects to the solution, such as Forensic Analyses, URL Malware Control and Realtime Threat Reports, but I quite like the Malware ex-post alert and Malware ex-post deletion. Malicious emails that get through on any system (and I’ve seen this with other third-party solutions as well as Microsoft) need to be detected and cleaned up, and investigated to see whether anyone clicked the link. This ties into URL Malware Control, which does URL rewriting. Microsoft does this natively, but I’ve found the cleanup can take a little while and isn’t a seamless process from detection to cleanup.

One last point – it is good to see that they have a data centre in Australia as I see many of these companies ignore our region, which makes it hard when you need to keep your data in-country.

I look forward to playing around with Hornetsecurity further. If you’re curious too, then check out their free trial here.

Migrating Phone System from Skype for Business to Microsoft Teams

I thought I’d document a few lessons learned in this migration. The migration was from Skype for Business Server 2015 and Skype for Business 2016 clients with Enterprise Voice, moving users across to Microsoft Teams.


The steps to migrate a user for me were:

  1. Add user to AD Group “Azure AD Licensing Telstra Calling for Office 365” as this allocates a Telstra Calling for Office 365 license. These licenses are bought from https://marketplace.telstra.com/ and feed into Microsoft 365. I believe this is unique to Australia.
  2. From the Skype for Business Server Management Shell:
    $cred = Get-Credential
    # The hosted migration service URL differs by region
    $url = "https://adminau1.online.lync.com/HostedMigration/hostedmigrationService.svc"
    Move-CsUser -Identity [email protected] -Target sipfed.online.lync.com -MoveToTeams -Credential $cred -HostedMigrationOverrideUrl $url

    Set-CsUser -Identity [email protected] -LineURI $null
  3. From a machine with the Teams PowerShell Module installed:
    $Session = New-CsOnlineSession -OverrideAdminDomain yourdomain.onmicrosoft.com
    Import-PSSession $Session -AllowClobber
    Set-CsOnlineVoiceUser -Identity [email protected] -TelephoneNumber 61812341234
    Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity [email protected]
  4. Configure call forwarding in Gateway (Pilot Users only that were being given a new number out of our normal number range)
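Once the per-user steps are settled, the next thing you want is to run them for a pilot batch from a list with a log of what actually happened. This is an added example and not code from the original post: it wraps steps 2 and 3 above in two functions, one for each shell those steps run in, using the same cmdlets. The function names, CSV layout and log file are my own assumptions; step 1 (the licensing AD group) and step 4 (gateway forwarding) are left to the existing process. Current Teams module releases replace New-CsOnlineSession/Import-PSSession with Connect-MicrosoftTeams and Set-CsOnlineVoiceUser with Set-CsPhoneNumberAssignment, so adjust if you are on those.

```powershell
# Added example (not from the original post): batch the per-user migration steps from a CSV.
# users.csv (constructed layout, one row per pilot user):
#   Upn,Number
#   first.last@yourdomain.com,61812341234

function Write-MigrationLog {
    param([string]$Message, [string]$LogPath)
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# --- Part 1: run in the Skype for Business Server Management Shell (step 2 above) ---
function Move-PilotUsersToTeams {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$HostedMigrationUrl = 'https://adminau1.online.lync.com/HostedMigration/hostedmigrationService.svc',
        [string]$LogPath = '.\teams-move.log'
    )
    foreach ($u in Import-Csv -Path $CsvPath) {
        try {
            # Pre-flight: the user must exist on-prem and be Enterprise Voice enabled, otherwise skip
            $onPrem = Get-CsUser -Identity $u.Upn -ErrorAction Stop
            if (-not $onPrem.EnterpriseVoiceEnabled) { throw 'not Enterprise Voice enabled on-prem' }
            Move-CsUser -Identity $u.Upn -Target sipfed.online.lync.com -MoveToTeams `
                -Credential $Credential -HostedMigrationOverrideUrl $HostedMigrationUrl `
                -Confirm:$false -ErrorAction Stop
            # Clear the on-prem LineURI so the number can be assigned in Teams
            Set-CsUser -Identity $u.Upn -LineURI $null -ErrorAction Stop
            Write-MigrationLog -LogPath $LogPath -Message "MOVED $($u.Upn) (on-prem LineURI was $($onPrem.LineURI))"
        } catch {
            Write-MigrationLog -LogPath $LogPath -Message "FAILED $($u.Upn): $($_.Exception.Message)"
        }
    }
}

# --- Part 2: run where the Teams module session is imported (step 3 above) ---
function Complete-TeamsVoiceUsers {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$UpgradePolicy = 'UpgradeToTeams',
        [string]$LogPath = '.\teams-move.log'
    )
    foreach ($u in Import-Csv -Path $CsvPath) {
        try {
            Set-CsOnlineVoiceUser -Identity $u.Upn -TelephoneNumber $u.Number -ErrorAction Stop
            Grant-CsTeamsUpgradePolicy -PolicyName $UpgradePolicy -Identity $u.Upn -ErrorAction Stop
            # Read back what the service now holds, so the log records the end state rather than the intent
            $online = Get-CsOnlineUser -Identity $u.Upn -ErrorAction Stop
            Write-MigrationLog -LogPath $LogPath -Message ("DONE {0} LineURI={1} Mode={2}" -f $u.Upn, $online.LineURI, $online.TeamsUpgradeEffectiveMode)
        } catch {
            Write-MigrationLog -LogPath $LogPath -Message "FAILED $($u.Upn): $($_.Exception.Message)"
        }
    }
}

# Usage, part 1 then part 2 (same CSV, same log):
#   $cred = Get-Credential
#   Move-PilotUsersToTeams -CsvPath .\users.csv -Credential $cred
#   Complete-TeamsVoiceUsers -CsvPath .\users.csv
```

Keeping the two parts separate matters: importing the online session into the on-prem shell with -AllowClobber replaces same-named cmdlets such as Set-CsUser, so the LineURI clear in part 1 needs to happen before that import.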

EHR Error on Teams Portal

We can’t get details of EHR usage. Please try again. If you continue to have problems, contact Microsoft customer support.

I was seeing this error everywhere on the Teams admin portal and was unsure of the cause or fix. It ended up disappearing by itself after a few weeks *shrug* – you’ll see this theme is common with portal errors.


Dial Plans error


We can’t get the effective dial plan so the dial plan can’t be tested.

Going into any Dial Plan brings up this admin portal error, as well as trying to run a Test Dial plan test:

Something went wrong while testing this phone number. If you continue to have problems, contact Microsoft customer support.

This problem was another portal issue – logged a case which Microsoft confirmed was at their end, and a few weeks later they’d resolved it.


Create Resource Account error

We can’t save changes to ___

When creating a Resource Account used for Auto Attendant or Call queues, I was getting a very unhelpful error. I believe this is because I’m running in hybrid mode, so Teams can’t create an account on my primary domain – changing the domain to @contoso.onmicrosoft.com then let me create the Resource Account.

This problem also disappeared later and now I can create accounts on my primary domain – put it down to another portal issue.


Desk Phones requiring PIN

Phones get registered in Intune because they run Android, and that means any ‘all users’ Android policy would apply to them.

I’ve since created Dynamic Device Groups filtered by deviceModel and deviceOSType – only testing the Poly CCX500 at this stage, but I will add more models as we get them. Filtering by OS type isn’t strictly necessary, but it does make sure only Android devices are affected.

(device.deviceModel -eq "CCX500") and (device.deviceOSType -eq "Android")

If you use the same test account to sign in 20 times, that account will hit its device limit in Azure AD and get locked out.


Skype for Business users unable to call Teams users

Early in migration, we tested interoperability between the two platforms, as it wasn’t going to be an overnight company wide migration. A Skype for Business user trying to call a migrated to Teams user would instead get diverted elsewhere. This was because we had Unassigned Number range rules in place, that were designed to send calls somewhere if it wasn’t allocated to anyone. Removing these rules immediately fixed this issue.


Home Screen on Desk Phones Laggy

The default experience if the phone supports it, is to show a home screen. More details on what the Home Screen is here. This is in CsTeamsIPPhonePolicy with the default value ‘AllowHomeScreen’ set to ‘EnabledUserOverride’. Changing this to Disabled via the PowerShell command:

Set-CsTeamsIPPhonePolicy -AllowHomeScreen Disabled

removed this. I like the idea of the Home Screen, but not at the cost of a fast functioning phone vs a slow one.

I later found out this is due to the 1GB RAM on some devices, and Teams now (at the time of writing) uses > 1GB RAM, and then the Home Screen uses even more RAM. Trying a phone model with 2GB RAM this all worked perfectly.

I believe this is also fixed now, but it took Microsoft about 5 months to resolve.


New Desk Phones not signing in

Testing the Poly CCX500 model, some wouldn’t sign in to Teams out of the box. As soon as I tried to sign in, they’d say:

‘Error Could not sign in. You will need to sign in again. If you see this message again, please contact your company support. OK’

I spent so long on this, unsuccessfully trying to update the firmware via USB etc. In the end, turning off the ‘DHCP Time’ setting under ‘Device Settings’ made it work – I assume it had some problems contacting a NTP server (settings appeared correct in the DHCP scope of the phone). Someone else found the same issue here, but this was due to the phone running a very old v1 firmware. This shouldn’t affect most people, but worth noting.


Microsoft Forms now has a shorten URL option

Such a basic thing, but great to see. As per this Forms Uservoice suggestion, Microsoft Forms now has a ‘shorten URL’ option. It’s still rolling out right now (March 2021) but it turned up in my tenants. You’ll find it under the Share menu, and then under ‘Send and collect responses’ :

The tick box is called ‘Shorten URL’:

Before ticking this box, the Forms URL for sharing looks like this:

https://forms.office.com/Pages/ResponsePage.aspx?id=gp6jfCyryEOFjHcqjfOQaicaufj5P4hCmrpZg_pruFhUNUFYSUlQMFEwRjVRNkZPUDBLOFYwUUtRVy4u

After ticking the box, it takes about a second or so to update, then looks like this:

The resulting link is of course, shorter. It also looks a lot nicer:

https://forms.office.com/r/Qca3qTjcMu

It’s nice to see a much more usable URL come out of Microsoft Forms, and still on the forms.office.com domain without having to resort to a third party URL shortener service.