Microsoft

For some reason it seems I’m developing an Exchange theme in recent posts, but I came across an issue with this recently so decided to write it up for my own future reference. You had me at EHLO This was the name of the Exchange Team blog back in the day and it remains the high watermark of wit for an email nerd. Back when I was an Exchange server admin I could compose a message via telnet almost as quickly as I could do it in a mail client; I knew all of the commands and their sequence like the back of my hand as it was always easier to get the server’s response directly rather than trawl through logs when figuring out a problem....

Mailboxes in Exchange Online have two timezones; one in regional settings and the other in working hours. These are both set to Pacific Standard Time by default, regardless of where in the world the mailbox is created or what tenant or Exchange regional settings are in place. This behaviour is by design, according to Microsoft support. The first time a mailbox is accessed by a user, these settings are determined based on their location and the defaults are changed automatically (most of the time)....

In my last post I looked at the state of authentication for non-technical folk, pointing out that there are too many barriers and an insufficient amount of scaffolding to lift them off the ground floor. The answer that’s come back from Microsoft and others is ‘just use FIDO2’ – but this apex method isn’t without its own issues. No phone, no problem! If you’re not familiar with what FIDO2 involves, have a look at this session from last year’s Microsoft Ignite; it’s one of the clearest explanations I have seen....

At the February Microsoft 365 Security & Compliance user group, Eric Woodruff (@msft_hiker), author of Eric On Identity, gave an excellent presentation on the topic of passwordless authentication. This struck a chord with my recent experience in the field, particularly in terms of the new Authentication Strengths feature in Azure AD. This post is based on my Q&A with Eric and feedback I submitted to the Azure AD team (thanks to the brilliant @merill for that) and sets it in a wider picture, namely that we’re making better technology than we’re using; there seems to be a gap in terms of getting the security we know we need into widespread practice....

I’ve put this post together as an update for a number of schools who have asked me how we’re going on our Private Preview of MCC and will try to keep it generally updated on our progress. I’ll start with a bit of background though, for anyone new to this. You had me at DOINC The best product acronym Microsoft ever devised was DOINC, for the Delivery Optimisation In-Network Cache. This was a service that would store local copies of Windows and Office apps and updates so that client devices could access a fast, consistently-connected local copy rather than downloading from peers or over the Internet....

Microsoft made a decision to force what they consider to be insecure certificate bindings out of use, placing my great little workaround for modernising NPS onto life support. When their planned changes kick in, my own fleet of Azure AD-joined devices will be kicked out. Third-party products exist which solve this problem by operating independently of AD, however in a cash-strapped education context they aren’t financially viable against the negligible cost of running NPS....

I’ve been tacking in the direction of cybersecurity in recent years and specifically within the Microsoft 365 suite. I took the Security Administrator track on my Enterprise Admin certification and didn’t find that too difficult as it was grounded in my day-to-day. This one was pushing the boat out as it’s more Azure-based and honestly I wasn’t expecting to pass first time, but it fairly soaked up these dull days between Christmas and New Year!...

Schools can hardly be the only organisations with legacy applications in regular use for vital ’line-of-business’ functions. Hopefully for the most part these are visible to IT, securely contained and have an end-of-life date with a succession plan rather than being adopted through choice into a modern desktop environment. A while ago I encountered a nasty and unavoidable case of the latter and had to figure out a solution. The application I was tasked to deploy was for processing sensitive financial data on our most heavily-secured devices and relied on Internet Explorer and Java....

I’d love to see current global stats comparing use of Exchange on-prem vs cloud. Surely given the number of recent security disasters, any notion of physical ownership of mailboxes equating to their safety has been well and truly dispelled and only the bravest or most prodigiously-resourced organisations would attempt hosting it themselves. Exchange Online is doubtless the most popular version and would most often be deployed alongside an on-prem Active Directory, yet as soon as AD is in the mix the assumption is that Exchange is on-prem or hybrid....

In a masterful stroke of irony, within days of me sharing my solution for NPS RADIUS with AADJ devices, itself made necessary because Microsoft doesn’t consider the needs of their cloud-first customers, they made a major change to how certificates work in Active Directory in KB5014754 without considering the needs of their cloud-first customers. This change breaks the mechanism my solution relies on to operate and while there is a workaround, it is only viable until the change kicks in....