Thursday, July 26, 2018

July Azure Resources

Slides from this month’s webinar are at:

If you are not a CIAOPS patron and you want to view or download a full copy of the video from the session, you can do so here:

Watch out for next month’s webinar.

July Office 365 Webinar Resources

Slides from this month’s webinar are at:

If you are not a CIAOPS patron and you want to view or download a full copy of the video from the session, you can do so here:

Watch out for next month’s webinar.

Need to Know podcast–Episode 186

We'll keep it simple for this episode and just give you a run through of the latest from Office 365 and Azure with Brenton and myself. A shorter episode for a change. Let us know what you think.

Take a listen and let us know what you think

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.




Four new ways Microsoft takes the work out of teamwork

How to use Cortana commitments

Roko's Basilisk

Free Microsoft Teams

OneDrive updates - July

OneDrive updates - June

Microsoft Whiteboard App

Microsoft Inspire

Microsoft Financial results

CIAOPS Office 365 Security course

Wednesday, July 25, 2018

You need to re-enable Whiteboard


If you are like me and have been using the preview version of the Microsoft Whiteboard, then you’ll need to go back in and enable the non-preview version as shown above.


You’ll find the option in the Office 365 Admin Center under the Services & add-ins as shown above.

If you haven’t yet played with Microsoft Whiteboard, what are you waiting for?

Enable Microsoft Whiteboard for your organization

Monday, July 23, 2018

Configuring DKIM In Office 365

DKIM is a configuration that you can easily add to your Office 365 environment to improve the security of your custom domains.

To configure DKIM, you need to add two DNS records and then enable the setting in Office 365. Then, your outbound emails will have a DKIM signature added to their headers that a receiver can verify to ensure the email really came from your domain.

You can read more about how all this works and how to configure it here:

Use DKIM to validate outbound email sent from your custom domain

What my video shows you is how to do this setup using PowerShell combined with Azure DNS. This means the DNS records for the custom domain are hosted in an Azure DNS zone and, thanks to PowerShell, I can do the whole DKIM configuration via a script. In fact, you can create all your Office 365 DNS records in Azure DNS using a single script. That’s how I do it, to save time and be more consistent.

Here are the PowerShell commands you’ll need:

# Set these first: the custom domain and the Azure resource group that holds its DNS zone
# $domain = "<your custom domain>"
# $res_grp = "<resource group of the Azure DNS zone>"

# Read the DKIM signing config for the domain; it tells us the two CNAME targets
$dkim = Get-DkimSigningConfig -Identity $domain
$cname1 = $dkim.Selector1Cname    # target for selector1._domainkey
$cname2 = $dkim.Selector2Cname    # target for selector2._domainkey
$hostname1 = "selector1._domainkey"
$hostname2 = "selector2._domainkey"

# Create the two selector CNAME records in the Azure DNS zone for the domain
New-AzureRmDnsRecordSet -Name $hostname1 -RecordType CNAME -ZoneName $domain -ResourceGroupName $res_grp -Ttl 3600 -DnsRecords (New-AzureRmDnsRecordConfig -Cname $cname1)
New-AzureRmDnsRecordSet -Name $hostname2 -RecordType CNAME -ZoneName $domain -ResourceGroupName $res_grp -Ttl 3600 -DnsRecords (New-AzureRmDnsRecordConfig -Cname $cname2)

# Turn on DKIM signing for the domain once the records are in place
Set-DkimSigningConfig -Identity $domain -Enabled $true

Make sure you are connected to both Azure and Exchange PowerShell environments and that you put the custom domain in the variable $domain first. You’ll also need the Azure resource group ($res_grp) for the DNS zone as well.
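As an added example (my own code, not the script from the video), here is the same procedure generalised to every custom domain in the tenant. It creates a signing config where one is missing, skips CNAME records that already exist in Azure DNS, and only enables signing once both selector names resolve publicly, because enabling DKIM before the records propagate makes receivers fail DKIM checks on your mail. It assumes you are connected with both Connect-AzureRmAccount and Exchange Online PowerShell, that each custom domain has an Azure DNS zone in the resource group named in $res_grp (the value below is a constructed placeholder), and that Resolve-DnsName is available (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original post. Enable DKIM for every custom domain,
# hosting the selector CNAMEs in Azure DNS. Assumes Connect-AzureRmAccount and an
# Exchange Online PowerShell session are already established.
$res_grp = "rg-dns"   # constructed placeholder: resource group holding the DNS zones

# Custom (non-onmicrosoft.com) accepted domains in the tenant
$domains = Get-AcceptedDomain |
    Where-Object { $_.DomainName -notlike "*.onmicrosoft.com" } |
    Select-Object -ExpandProperty DomainName

foreach ($domain in $domains) {
    $dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
    if (-not $dkim) {
        # No signing config yet: create one (disabled) so the selector CNAME targets exist
        $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false
    }

    $records = @{
        "selector1._domainkey" = $dkim.Selector1CNAME
        "selector2._domainkey" = $dkim.Selector2CNAME
    }

    foreach ($name in $records.Keys) {
        $existing = Get-AzureRmDnsRecordSet -Name $name -RecordType CNAME -ZoneName $domain `
            -ResourceGroupName $res_grp -ErrorAction SilentlyContinue
        if ($existing) {
            Write-Host "$name.$domain already exists -> $($existing.Records[0].Cname)"
            continue
        }
        New-AzureRmDnsRecordSet -Name $name -RecordType CNAME -ZoneName $domain `
            -ResourceGroupName $res_grp -Ttl 3600 `
            -DnsRecords (New-AzureRmDnsRecordConfig -Cname $records[$name]) | Out-Null
        Write-Host "Created $name.$domain -> $($records[$name])"
    }

    # Verify the CNAMEs resolve publicly before enabling signing
    $resolved = $true
    foreach ($name in $records.Keys) {
        try {
            $answer = Resolve-DnsName -Name "$name.$domain" -Type CNAME -ErrorAction Stop
            if ($answer.NameHost -ne $records[$name]) { $resolved = $false }
        } catch {
            $resolved = $false
        }
    }

    if ($resolved) {
        Set-DkimSigningConfig -Identity $domain -Enabled $true
        Write-Host "DKIM signing enabled for $domain"
    } else {
        Write-Warning "CNAMEs for $domain are not resolving yet; re-run once DNS has propagated"
    }
}
```

Because the script is idempotent, it is safe to re-run after DNS propagation: domains that are already signed and already have their records are simply reported and left alone.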

Now DKIM is not the be all and end all when it comes to domain spoofing protection, but having it configured helps, and using a script to deploy it makes it much easier to implement across all your custom domains in Office 365.

You should also note the following from the above article:

If you do not enable DKIM, Office 365 automatically creates a 1024-bit DKIM public key for your custom domain and the associated private key which we store internally in our datacenter. By default, Office 365 uses a default signing configuration for domains that do not have a policy in place. This means that if you do not set up DKIM yourself, Office 365 will use its default policy and keys it creates in order to enable DKIM for your domain.

Also, if you disable DKIM signing after enabling it, after a period of time, Office 365 will automatically apply the Office 365 default policy for your domain.

Although DKIM is not mandatory for emails sent via the Internet, having it enabled does help receivers with DKIM checking enabled to better verify that legitimate emails really come from your domain. It doesn’t take long to configure and once done doesn’t require any maintenance, so best practice is to set it up and help the Internet better detect and protect against spoofing.

Friday, July 20, 2018

Final discount to my new Microsoft 365 Security course


If you missed the first discount round and you want deep dive training into Office 365 security, with video demonstrations, included PowerShell configuration scripts, reference material and more then don’t hesitate. I’m offering one last round of discounts before I completely finish my course.

Use the coupon code LASTCALL at checkout for:

Microsoft 365 Security

or this direct URL that includes the discount:

That will give you access to the complete course immediately, plus any coming additions for only US$249. There are already over 40 lessons in the course that you can take advantage of and I have lots more to add but that won’t take me long.

Remember, this is the last round of discounts I’ll do. After this the price reverts to the standard price of US$399.

So, if you want to learn more about the security options for Microsoft and Office 365 then sign up today to take advantage of the discount while it lasts.

Don’t show folders in SharePoint


Best practice with the structure in SharePoint is to keep things as flat as possible. This typically means avoiding multi-level folders within Document Libraries, because nesting reduces the visibility of information and makes it hard for people to find things if they don’t understand the folder structure it lives in.

However, I appreciate that best practice is not what always happens. So is there an easy way to see all the files in a folder structure within a SharePoint Document Library? There certainly is, and it requires working with Views.


The recommended starting point is to navigate to the Document Library in question and then, in the top right, select the All Documents button. This should display a menu like the one shown above.

Select the Save view as option to create a duplicate of the way the Document Library is currently being displayed.


For this example, I’m looking for Visio files in my folder structure so I’ll call this new view Visio as shown above.


You should now see that the menu on the right shows an item called Visio, with a check mark to the left. This indicates that we are viewing the Document Library with a View called ‘Visio’.


Because the ‘Visio’ view is simply a copy of the default All Documents view, we now want to go in and customise what is displayed with this View. To do this, select the Edit current view option from the menu as shown above.


You are now taken into an area where you can customise all sorts of aspects of the current View.


If you now scroll down to the bottom of all these options, you will find one called Folders, which you should expand as shown above. There you will find an option, Show all items without folders, which you need to select.

Scroll down to the bottom of the page and select Save to update your preferences.


You should now be returned to the list and you should no longer see any folders, but every file in the structure shown together as above.


With this new list of just documents, you can select the Type column (first from the left) and, from the menu that appears, the Filter by option as shown above.


On the right hand side a filter menu will appear as shown above. Here, select Visio and then the Apply button.


You should now only see Visio files as shown above.

This has achieved our aim, but all the filtering options are temporary. If we return to this Document Library later we’ll again see a full list of files. If we want our new View to continue to show just Visio files we’ll need to go in and edit the View again and make some changes.


Once we are again editing the Visio view we can locate the Filter section and set conditions for what we want to see. Here, I’m adding a filter on the Type column so that I only see VDW or VSD file types.

Again, make sure you Save your changes before exiting the editing options.


Now, every time I go to that Document Library and select the Visio view in the top right I will see my filtered list of all Visio files in that structure. If you want to make this new filtered View the default, just go back to editing the View and select that option. Easy.

SharePoint views therefore allow you to easily view your Document Libraries the traditional way with folders, or roll them up into a single ‘non-folder’ View.

Tuesday, July 17, 2018

Cleaning up orphaned SharePoint Online sites


A while back I made a script available that allows you to find all the external users in your environment. You can learn about this here:

Checking SharePoint External Users PowerShell Script

Now when I ran the script on my own tenant I noticed a number of SharePoint sites that didn’t seem right. As you can see from the above screen shot, these typically have the word “management” in the name (e.g. management71, management93, management59, etc).

Hmm…ok, seems like I have some orphaned SharePoint sites. I kind of remember playing around when Microsoft Teams came out, creating and deleting Teams to test the functionality. So it seems that when I deleted the Teams stuff in the early days it didn’t delete everything.

Ok, time for a clean up


So I started with site Management71 and checked to see whether I could get to it. As you can see from the above, yes I can.

So back in the day, this would have been connected to an Office 365 Group. If I delete the site and it isn’t fully orphaned (i.e. no Office 365 Group still exists) then I could have issues. So to see whether an Office 365 Group still existed with the word “management” in the title I ran this command to give me a list of every Office 365 Group in my tenant:

Get-UnifiedGroup | Format-List DisplayName,EmailAddresses,Notes,ManagedBy,AccessType

Turns out there still is an Office 365 Group called Management in my tenant as you can see from the results below.


So the question now is whether the existing Office 365 Group called Management is tied to the SharePoint site Management71 or to another site that also has management in the name? See how confusing I’ve made things?


So next I checked whether I could discover this operational Office 365 Group I see via PowerShell and indeed I could see it in my tenant as you see above.


To determine whether this indeed was connected to Management71 I navigated to the SharePoint site connected to the Office 365 Group from the Group page. Lo and behold, the Group Site in question is a different site, with a URL that includes the word Management, not Management71. Hopefully you get why I’m trying to make all this go away!

So, not needing this valid Office 365 Group I decided the best way to remove it was to use the PowerShell command to delete it which you will find here:

Remove-UnifiedGroup -Identity "Management"


To see the sites created by Office 365 Groups you’ll need to go into the new SharePoint Online Admin console as you see above. The problem is that this new portal doesn’t as yet allow you to delete sites. That means I’ll have to use PowerShell.


I was then able to locate the orphaned site in question – Management71 as shown above.


But if I look carefully at the properties for the site I see that it still thinks this site is connected to an Office 365 Group.


So I once again ran the PowerShell command to check the Office 365 Groups in the tenant and there is no longer one with the name management. I am therefore going to assume the site in question is orphaned and I’ll remove it using PowerShell.


When I look in the new SharePoint administration console, in the recycle bin for deleted sites I now see the site that was tied to the valid group that I just deleted called Management. To keep things tidy, I decided the best option was to purge unwanted items from here so the rogue SharePoint sites are completely gone from my tenant. To do that I ran:

Remove-SPODeletedSite -Identity <URL of the deleted site> -NoWait

To remove the other rogue SharePoint sites I firstly run:

Remove-SPOSite -Identity <URL of the site> -NoWait

Followed by the initial command to also remove them from the recycle bin and my tenant completely.

In the end, I have been able to remove active SharePoint sites in my tenant that appear to have been created by now defunct Office 365 Groups. I did all this via PowerShell to ensure that they weren’t still connected to something else in Office 365.

I feel much better having a clean tenant without these additional SharePoint sites floating around, and I got to use PowerShell to get the job done. Win!
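The manual cross-checking above (does a group with that name still exist, and does the site still think it is group-connected?) can be scripted. The following is an added example of my own, not part of the original post: it takes the Azure AD object ID of every Office 365 Group that still exists and compares it with the GroupId recorded on each SharePoint site, so a site whose GroupId points at a group that is gone is reported as orphaned. It assumes a Connect-SPOService session and an Exchange Online session are both open, and that group-connected sites must be requested with the GROUP#0 template filter (at the time of writing Get-SPOSite -Limit All did not return them otherwise; treat that filter as an assumption and adjust if your tenant lists them without it). Removal is left commented out so the list can be reviewed first.

```powershell
# Added example, not from the original post. Find SharePoint Online sites that
# still claim a group connection whose Office 365 Group no longer exists.
# Assumes Connect-SPOService and an Exchange Online session are established.

# Azure AD object IDs of every Office 365 Group that still exists
$liveGroupIds = Get-UnifiedGroup -ResultSize Unlimited |
    ForEach-Object { $_.ExternalDirectoryObjectId }

$emptyGuid = "00000000-0000-0000-0000-000000000000"

# Assumption: group-connected sites need the template filter to be listed;
# merge with the plain listing and de-duplicate on URL
$sites = @(Get-SPOSite -Limit All) + @(Get-SPOSite -Limit All -Template "GROUP#0") |
    Sort-Object Url -Unique

$orphans = foreach ($site in $sites) {
    # GroupId is the all-zero GUID for sites that were never group-connected
    if ($site.GroupId -and ($site.GroupId.ToString() -ne $emptyGuid)) {
        if ($liveGroupIds -notcontains $site.GroupId.ToString()) {
            [pscustomobject]@{
                Url          = $site.Url
                GroupId      = $site.GroupId
                Template     = $site.Template
                LastModified = $site.LastContentModifiedDate
            }
        }
    }
}

if ($orphans) {
    Write-Host "Sites connected to a group that no longer exists:"
    $orphans | Format-Table -AutoSize
} else {
    Write-Host "No orphaned group-connected sites found"
}

# Review the list before removing anything; nothing below runs unless uncommented.
# foreach ($o in $orphans) {
#     Remove-SPOSite -Identity $o.Url            # moves the site to the recycle bin
#     Remove-SPODeletedSite -Identity $o.Url     # purges it from the recycle bin
# }
```

Matching on GroupId rather than on the site name avoids exactly the Management vs Management71 confusion described above: a site is only called orphaned when the group object it was created for is no longer in the directory.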

Monday, July 16, 2018

Join my free Microsoft Team


A while ago I created a free Yammer network for people to see what Yammer is all about as well as share Microsoft Cloud information. Since then, Microsoft has announced that it is making a version of Teams freely available, so I thought why not do the same there as well.

So I have gone out and created a free Microsoft Team which you are more than welcome to join. All you need to do is send me an email and I’ll arrange an invite for you that will allow access.

I think making a free version of Teams available is a great move by Microsoft and will allow more people to see what Teams is all about without the need for Office 365.

Of course, you can go out and create your own free Microsoft Team but hopefully, if we can get some people into this free Team I have created, you’ll get a better idea of exactly how it works with a group of people.

Sunday, July 15, 2018

Locate all Office 365 Site Collection Administrators


One of the other things you probably need to check in your tenant is exactly who is a Site Collection administrator in your SharePoint sites in Office 365.

Site Collection administrators have full access to that SharePoint site and can only be removed by another Site Collection administrator. Also, they generally don’t appear inside the permission settings inside a site. So, knowing who has full rights to your SharePoint sites is a good thing I feel.

You can find the script to display all your SharePoint sites and Site Collection administrators inside those sites in my GitHub repository here:

The interesting thing I discovered when I ran the script was that I have a number of sites with no Site Collection administrator (most likely deleted sites, it seems) and a number of sites I didn’t have access to (again, this seems to have something to do with becoming orphaned during deletion). So, I have some further work to do now to clean all this up.

The script won’t fix or deal with any errors, but it will tell you about them and you can go investigate further.

Run it and see what it turns up for you!
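As an added example (my own code, not the script in the GitHub repository linked above), here is one way to build such a report: every site, including OneDrive personal sites, is enumerated and its Site Collection administrators listed, while sites that error (typically “access denied”) or that report no administrator at all are recorded rather than stopping the run, since those are precisely the ones worth investigating. It assumes Connect-SPOService has been run as a SharePoint administrator.

```powershell
# Added example, not the author's GitHub script. Report site collection
# administrators for every site, recording errors instead of stopping.
# Assumes Connect-SPOService has been run as a SharePoint admin.

$report = foreach ($site in Get-SPOSite -Limit All -IncludePersonalSite $true) {
    try {
        $admins = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
            Where-Object { $_.IsSiteAdmin }
        if (-not $admins) {
            [pscustomobject]@{ Url = $site.Url; Admin = "<none>"; Status = "NoAdmin" }
        } else {
            foreach ($a in $admins) {
                [pscustomobject]@{ Url = $site.Url; Admin = $a.LoginName; Status = "OK" }
            }
        }
    } catch {
        # Typically "Access denied" on sites the admin account cannot open
        [pscustomobject]@{ Url = $site.Url; Admin = "<error>"; Status = $_.Exception.Message }
    }
}

$report | Sort-Object Status, Url | Format-Table -AutoSize
$report | Export-Csv -Path .\SiteCollectionAdmins.csv -NoTypeInformation

# Sites worth a second look: nobody administers them, or you cannot even read them
$report | Where-Object { $_.Status -ne "OK" } | Format-Table -AutoSize
```

The CSV gives you a point-in-time record to compare against on the next run, so a newly appeared administrator on a site stands out.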

Friday, July 13, 2018

Need to Know podcast–Episode 185

A great interview this episode with Marcus Dervin from Webvine focused on Digital Transformation. Marcus has some real insights to share from his recent book on this very subject and we even have a special offer to listeners of this podcast to also grab a copy and learn from an experienced operator. If you are looking to digitally transform or help other business do the same, don't miss this episode.

You'll also get the latest round of Microsoft cloud updates from Brenton and myself as we aim to keep you up to date with the ever changing face of the cloud.

Take a listen and let us know what you think

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.





Marcus's book - Digital Transformation, from the inside out (use coupon code CIAOPS for 20% off)


Page metadata coming to SharePoint and Office 365

Idle session timeout policy in SharePoint and OneDrive is now generally available

New Office ribbon

Microsoft Surface Go

New Planner capabilities

Thursday, July 12, 2018

Determining Office Add-ins

After posting how to protect your Office tenant from malicious add-ins recently:

Thwarting the Office 365 Ransomware cloud

I was asked whether you could determine what add-ins users had already authorised. Thanks to PowerShell the answer is always “Yes”.

You need to ensure that you are connected to Exchange Online first and then you can run:

# Requires an Exchange Online PowerShell session
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes) {
    Write-Host "Mailbox =",$mailbox.PrimarySmtpAddress
    # List the add-ins installed in this mailbox
    Get-App -Mailbox $mailbox.PrimarySmtpAddress | Select-Object DisplayName,Enabled,AppVersion | Format-Table
}

This will basically spit out something that looks like:


So you can easily see what is already configured for each mailbox.

I have uploaded the file to my GitHub repository here:

if you want it.

Wednesday, July 11, 2018

Thwarting the Office 365 Ransomware cloud

The above video is an interesting presentation around a ‘new variant of ransomware’ (to quote the video). In essence, what it does is trick the user into installing a malicious add-in for their Office 365 environment. That malicious add-in can then effectively run riot across everything the user has access to, including shared files. The video shows how this control can be used to encrypt the user’s emails even though they are ‘in the cloud’. This is simply because the user has been tricked into giving the malicious application full access to their environment.

Is there a way to prevent or mitigate this risk? First the bad news. Generally, every Office 365 tenant out of the box allows all users to add these types of add-ins to their environment. Typically, the ability is designed to allow legitimate Outlook add-ins like Boomerang to be added to help the user be more productive. However, that also means malicious add-ins can be added just as easily, as the video demonstrates. So, it is definitely a security issue to pay attention to.

You can verify whether this option is enabled in your Office 365 tenant by firstly connecting to Exchange Online PowerShell and then running the following command:

# Get-MsolCompanyInformation comes from the MSOnline (Azure AD) module; run Connect-MsolService first
Get-MsolCompanyInformation | Format-List DisplayName,UsersPermissionToUserConsentToAppEnabled

If the result comes back as True then you are potentially vulnerable to this style of attack.

However, if you run this command:

Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false

You can disable the ability for users to authorise plug-ins. They can still add plug-ins to their environment but they cannot authorise applications that ask for permissions to their environment.

Thus, add-ins like the Exchange Message Header Analyzer are fine as they simply report on email headers, but something like, which requests access to resources, will be blocked.


So above you can see the user has added the add-in to their environment. To use it, they need to select the Connect to Office 365 button highlighted.


Normally the user would see the above Permission Request dialog, click Accept and the add-in would have access.

However, after disabling the ability for users to consent for apps this will appear as:


As you can see the user isn’t permitted to provide permissions, it can only be done by an administrator. This is going to prevent the user randomly installing add-ins as well as protecting them from potentially malicious apps.

Of course, the downside for administrators is the fact that they will have to consent to user-added apps manually, but that is a small price to pay for better security I would suggest. As I like to say, ‘Got access denied when you’re doing something silly? GOOD! That means the security is doing its job!’

My own experience is that users rarely add legitimate applications and if there is a need for them to be added they can be pushed out from the Office 365 Admin Center by an administrator and then authorised as needed on a per user basis. Alternatively, the required apps can be pushed out and authorised by users and then the tenant can be locked down.

However, in my opinion, out of the box, most Office 365 tenants should have this default ability blocked as shown to thwart the ‘new Ransomware cloud’ threat.
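Putting the two posts together (the consent setting above and the per-mailbox add-in listing from “Determining Office Add-ins”), here is an added example of my own, not from either post, that audits both in one run: it reports whether users can still consent to apps, then inventories the add-ins in every mailbox to CSV, skipping Microsoft’s built-in ones so that user-installed and marketplace add-ins stand out. It assumes Connect-MsolService (MSOnline module) and an Exchange Online session. The Get-App properties beyond those the post uses (Type, Scope, AppId) are assumed from the cmdlet’s usual output; check them against Get-App output in your tenant.

```powershell
# Added example, not from the original posts. Audit user consent to apps and
# inventory the add-ins installed per mailbox.
# Assumes Connect-MsolService (MSOnline module) and an Exchange Online session.
# Get-App properties Type, Scope and AppId are assumed from the cmdlet's usual output.

# 1. Tenant-wide: can users consent to apps that request permissions?
$company = Get-MsolCompanyInformation
if ($company.UsersPermissionToUserConsentToAppEnabled) {
    Write-Warning "User consent to apps is ENABLED: users can grant add-ins access to their data"
} else {
    Write-Host "User consent to apps is disabled; an administrator must approve add-ins"
}

# 2. Per mailbox: which add-ins are present, skipping Microsoft's built-in (Default) ones
$inventory = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $apps = Get-App -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue
    foreach ($app in $apps) {
        if ($app.Type -eq "Default") { continue }   # e.g. Bing Maps, Suggested Meetings
        [pscustomobject]@{
            Mailbox     = $mbx.PrimarySmtpAddress
            DisplayName = $app.DisplayName
            AppId       = $app.AppId
            Version     = $app.AppVersion
            Enabled     = $app.Enabled
            Type        = $app.Type        # Private or Marketplace
            Scope       = $app.Scope       # User = installed by the user, Organization = pushed by an admin
        }
    }
}

$inventory | Sort-Object Mailbox, DisplayName | Format-Table -AutoSize
$inventory | Export-Csv -Path .\MailboxAddIns.csv -NoTypeInformation

# Add-ins the users installed themselves are the ones to review first
$inventory | Where-Object { $_.Scope -eq "User" } | Format-Table Mailbox, DisplayName, Enabled -AutoSize

# 3. Hardening, as described above (uncomment to apply):
# Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
```

Run the inventory before flipping the consent setting so that legitimate add-ins people already rely on can be pushed out and approved by an administrator first, as the post suggests.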

Tuesday, July 10, 2018

CIAOPS Need to Know Azure Webinar–July 2018


We are going to take a closer look at the newest Azure service – Intune. You’ll learn what Intune is and how you can use it to manage and secure your devices all from the Azure console. There’ll also be news, updates and Q and A. I hope to see you there.

July Azure Webinar Registrations

The details are:

CIAOPS Need to Know Azure Webinar – July 2018
Thursday 26th of July 2018
2pm – 3pm Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

or purchase them individually at:

Also feel free at any stage to email me directly via with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session.

CIAOPS Need to Know Office 365 Webinar–July


A new financial year here in Australia is good reason to start planning. Luckily, Office 365 has just the right tool to help us – Planner, which is what we’ll be taking a look at in detail during this month’s webinar. I’ll also bring you up to date with everything happening in the Microsoft and Office 365 space as always.

You can register for free at:

July Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – July 2018
Thursday 26th of July 2018
11am – 12am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

or purchase them individually at:

Also feel free at any stage to email me directly via with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session.

Preventing Malware downloads from Office 365


If you are unfortunate enough to somehow get malware in your Office 365 tenant you may not appreciate that by default you can still download this, even though it gets detected as shown above.


Best practice would be to use the PowerShell command:

Set-SPOTenant -DisallowInfectedFileDownload $true

to prevent users from having the option to download the infected file. Basically, it removes the Download button as shown above. Doing this will apply the setting across all SharePoint sites, including OneDrive for Business, Teams and stand-alone site collections.

From the Microsoft documentation:

If the Set-SPOTenant cmdlet has the DisallowInfectedFileDownload parameter set to:

true (recommended), this happens:

  • All actions, except Delete, are blocked for detected files.

  • People cannot open, move, copy, or share detected files.

  • People see a visual cue that indicates that a file has been identified as malicious. No one can download the file.

false, this happens:

  • All actions, except Delete and Download, are blocked for detected files.

  • People cannot open, move, copy, or share detected files.

  • People see a visual cue that indicates a file has been identified as malicious, but they can choose to accept the risk and download the file anyway.

Allow up to 30 minutes for your changes to spread to all Office 365 datacenters.

The recommended best practice is then to turn this on for all tenants as it is not on by default.
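Because the setting is off by default, it is worth checking it on every tenant you look after rather than assuming. The following is an added example of my own, not from the post: a small function that reads the current value from Get-SPOTenant, reports drift, and only changes the setting when asked to, re-reading it afterwards. It assumes Connect-SPOService has been run.

```powershell
# Added example, not from the original post. Check (and optionally enforce) the
# DisallowInfectedFileDownload tenant setting. Assumes Connect-SPOService has been run.
function Assert-InfectedFileDownloadBlocked {
    param([switch]$Remediate)

    $tenant = Get-SPOTenant
    if ($tenant.DisallowInfectedFileDownload) {
        Write-Host "OK: download of files flagged as malicious is blocked"
        return $true
    }

    Write-Warning "Files flagged as malicious can still be downloaded (DisallowInfectedFileDownload = False)"
    if (-not $Remediate) { return $false }

    Set-SPOTenant -DisallowInfectedFileDownload $true

    # Re-read rather than trusting the call; the change can take up to 30 minutes
    # to reach every datacenter, so the UI may lag even when this reports True
    $now = (Get-SPOTenant).DisallowInfectedFileDownload
    Write-Host "Setting now reads: $now"
    return $now
}

# Report only:
Assert-InfectedFileDownloadBlocked

# Report and fix:
# Assert-InfectedFileDownloadBlocked -Remediate
```

The function returns $true or $false, so it can be dropped into a larger tenant baseline script and the result collected alongside other checks.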

Monday, July 9, 2018

Early access to my new online Microsoft 365 Security course


I’m working hard to complete an online course focused on Microsoft 365 Security. What I have decided to do is provide early discounted access to the course while I am still building it. If you sign up at the discounted rate you continue to get full access to all the course modules without any additional payment.

The course will eventually sell for US$399 but while I’m still building it you can sign up for only US$99. This means that you’ll continue to get full access to everything I add to the course going forward as I build it out.

There are however already a number of modules in there you can take advantage of and I’m working hard to add more every day. Already in there are modules around enabling audit logging as well as Office 365 ATP and Data Loss Prevention.

To take advantage of this limited offer use the coupon code EARLYBIRD at check out for the course or this direct URL with the discount already applied:

Remember this offer can’t last so sign up now.

Sunday, July 8, 2018

Azure AD and SharePoint Online user differences

I’ve been developing scripts to work with OneDrive for Business when I fell into a bit of a rabbit hole that led me to an interesting revelation.

Part of the challenge with working with OneDrive for Business in Office 365 is that not all users have one, even though they are licensed for it. The reason for this is simply that a user’s OneDrive for Business isn’t generally provisioned for them until they start using it. Thus, in my demo tenant there are probably users who haven’t as yet been through the process of having a OneDrive provisioned. No issues.

Secondly, when you share information with external users in SharePoint and Teams you may also find an AD account for a user who hasn’t as yet accessed SharePoint resources for some reason. Maybe they haven’t accepted the sharing request, and so on. Again, no big deal.


So I created a script that goes through each active Azure AD user in the Office 365 tenant and checks to see whether there is a corresponding SharePoint Online user. To do this I used the following commands:




So I trained these commands on the OneDrive for Business URL which is typically:

As you can see from the above report, the green lines indicate matches between accounts in my Azure AD and in my OneDrive for Business. The green tenant users, with a custom domain, typically have their own OneDrive for Business. The green external users, distinguished by an account name that includes #EXT#, are typically accounts outside the tenant that have had information shared with them and have accepted that sharing request.

Now the red tenant users, typically haven’t had their OneDrive for Business provisioned yet and the red external users typically haven’t accepted the sharing request that has been sent them as yet. All understood.


Here’s where the rabbit hole opened up. Ok, I thought, now what happens if I do the reverse? That is, check my SharePoint users against my Azure AD users? So off I went to create a script.

The script came back with the results you see above. All the yellow accounts are SharePoint users that don’t have a matching Azure AD account. Quite a few, eh? When I first saw this I panicked a bit, because many of the accounts I didn’t recognize. What was going on here, I wondered? Had I been compromised?

In a perfect world, there would be a one-to-one mapping between Azure AD accounts and SharePoint accounts. However, things aren’t that perfect, so in my demo tenant, I had created lots and lots of accounts over the years and many had become ‘orphaned’, leaving behind information in SharePoint. Many were just so old I had forgotten that I created them and then later deleted the Azure AD account.

Is this a problem? Not really I don’t think, because without an Azure AD account to login to, these ‘orphaned’ resources aren’t much use. Still, if they aren’t needed then they really should be deleted to my mind.

Interestingly, some of these ‘orphaned’ SharePoint users actually still had their own OneDrive for Business that clearly wasn’t being displayed anywhere else. Once I took control of these ‘orphaned’ sites by making myself a Site Collection Administrator I could see what they actually contained. When I was happy it wasn’t needed or in use I deleted these, again using PowerShell.

So what did my trip down the rabbit hole teach me? Firstly, I learned that Azure AD and SharePoint user accounts don’t always line up. Next, I learned that you can end up with ‘orphaned’ SharePoint users and resources that you may want to clean up using PowerShell. I don’t believe these represent any security issues but if they aren’t necessary then they probably should be deleted. However, be careful of system accounts which shouldn’t be removed. Just get rid of those you recognise as no longer being required.

The biggest thing that my exploration taught me is the value of PowerShell to get behind the standard interface of Office 365 and see what is really going on. It gives you much better control and for me it helps me understand much better how everything works.
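The comparison in both directions described above can be done in a few lines. The following is an added example of my own (not the patron-only scripts the post refers to): it takes the enabled users from Azure AD and the users known to the OneDrive “my site” host, and lists those present on only one side. It assumes Connect-AzureAD and Connect-SPOService sessions; $mySiteHost is a constructed placeholder for your tenant’s https://<tenant>-my.sharepoint.com URL. It also assumes, as the post describes, that SPOUser.LoginName carries the UPN for tenant users and the #EXT# form for guests, and that claims or system accounts without an @ can be ignored.

```powershell
# Added example, not the author's script. Compare Azure AD users with the users
# known to the OneDrive/SharePoint "my site" host, in both directions.
# Assumes Connect-AzureAD and Connect-SPOService have been run.
$mySiteHost = "https://contoso-my.sharepoint.com"   # constructed placeholder

# Enabled Azure AD accounts, keyed by UPN (guests appear in the #EXT# form)
$aadUsers = Get-AzureADUser -All $true |
    Where-Object { $_.AccountEnabled } |
    ForEach-Object { $_.UserPrincipalName.ToLower() }

# SharePoint users on the my-site host; LoginName is the UPN or #EXT# form.
# System and claims accounts have no '@' and are ignored (assumption).
$spoUsers = Get-SPOUser -Site $mySiteHost -Limit All |
    Where-Object { $_.LoginName -like "*@*" } |
    ForEach-Object { $_.LoginName.ToLower() }

$onlyInAad = $aadUsers | Where-Object { $spoUsers -notcontains $_ }
$onlyInSpo = $spoUsers | Where-Object { $aadUsers -notcontains $_ }

Write-Host "Azure AD users with no SharePoint user (OneDrive not provisioned, or invite not accepted):"
$onlyInAad | ForEach-Object { Write-Host "  $_" -ForegroundColor Red }

Write-Host "SharePoint users with no matching Azure AD account (candidates for clean-up):"
$onlyInSpo | ForEach-Object { Write-Host "  $_" -ForegroundColor Yellow }

# Keep both lists for follow-up before removing anything
$onlyInSpo | Set-Content -Path .\OrphanedSharePointUsers.txt
```

As the post warns, treat the yellow list as a starting point for investigation, not a deletion list: confirm each account is one you recognise as no longer required before removing it.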

If you want the scripts that I used to do these comparisons then I suggest you sign up to my Patron community – where you’ll find these and whole lot more Office 365, Microsoft 365 and Azure resources.

Saturday, July 7, 2018

Checking SharePoint External Users PowerShell Script


Another thing that you should keep your eye on in your Office 365 environment is the external users who have been given access to any of your SharePoint sites. You’ll probably find that many of these should no longer have access, so I’ve done a simple script which you can get here:

that will basically loop through all your SharePoint sites (including OneDrive and those created by Teams and Groups) and list out all the external users on the screen.

As you can see from the above screen shot, it will tell you the external users name, email, when they were invited and by whom. Importantly, it also shows you which email actually accepted the invitation as this may vary in some cases (another point of investigation potentially).

I’ll continue to work on this script and the others I have in my GitHub repository. So please send me your feedback and suggestions on how to improve what I have developed as well as any ideas for scripts you’d like to see.
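As an added example (my own code, not the GitHub script linked above), here is one way to produce that listing: Get-SPOExternalUser returns at most 50 users per call, so a small helper pages through each site, and the results are collected with the fields the post mentions, including the address that actually accepted the invitation. It assumes Connect-SPOService has been run.

```powershell
# Added example, not the author's GitHub script. List external users for every
# site, paging through Get-SPOExternalUser 50 at a time.
# Assumes Connect-SPOService has been run.

function Get-AllExternalUsers {
    param([string]$SiteUrl)
    $pageSize = 50
    $position = 0
    do {
        $page = Get-SPOExternalUser -SiteUrl $SiteUrl -PageSize $pageSize -Position $position -ErrorAction Stop
        $page
        $position += $pageSize
    } while ($page -and @($page).Count -eq $pageSize)
}

$results = foreach ($site in Get-SPOSite -Limit All -IncludePersonalSite $true) {
    try {
        foreach ($ext in Get-AllExternalUsers -SiteUrl $site.Url) {
            [pscustomobject]@{
                Site        = $site.Url
                DisplayName = $ext.DisplayName
                Email       = $ext.Email
                AcceptedAs  = $ext.AcceptedAs    # may differ from Email: worth a second look
                WhenCreated = $ext.WhenCreated
                InvitedBy   = $ext.InvitedBy
            }
        }
    } catch {
        Write-Warning "Could not read external users for $($site.Url): $($_.Exception.Message)"
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path .\ExternalUsers.csv -NoTypeInformation

# Invitations accepted with a different address than the one that was invited
$results | Where-Object { $_.AcceptedAs -and ($_.AcceptedAs -ne $_.Email) } |
    Format-Table Site, Email, AcceptedAs, InvitedBy -AutoSize
```

The last query surfaces the case the post singles out: an invitation sent to one address but redeemed by another, which deserves a closer look before the access is left in place.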

Friday, July 6, 2018

Microsoft Video Indexer

Don’t forget to adjust the caption and font on the above from the menu that appears when you mouse over the panel.

Thought I’d show you the results of what happens when you use the Microsoft Video Indexer. I have written about this before but now you can upload just audio files. So I uploaded the latest Need to Know podcast to see what happened.

You can see the embedded results above and the direct page here:

I haven’t made any editing changes and there are a few funny interpretations and translations there, but overall it is very impressive what this technology can do.

There are plenty more options that I’m going to start playing with at the back end but I thought I’d share with you the raw results before I start tinkering going forward.

Thursday, July 5, 2018

PowerShell script to check Outlook mail rules


After I finished the recent PowerShell script to check for Exchange-style mailbox forwards I received some motivation from Robert Pearman to develop a script to also go and check what the Outlook rules are doing for Office 365 mailboxes.

Taking what Robert provided I decided to extend my initial script to report on what I consider suspect Outlook mail rules. Here’s my thinking:

- Firstly, there are potentially going to be lots and lots of Outlook rules when you look across all mailboxes in Office 365, so I decided to focus on actions that one could deem more suspicious than others. I settled on the following rule actions as ones to check: forward to, redirect to, copy to folder, delete message, forward as attachment to and send text message notification to.

- It turns out you can create an Outlook rule that forwards, redirects or forwards messages as an attachment to alternate email addresses. A bad party could set this up to send themselves emails from a compromised mailbox.

- If a rule copies rather than moves a message then that to me is also suspicious. Why would you want two copies of the same email message in different locations in your inbox, unless you aren’t in full control of the inbox and someone is squirrelling away messages to a location the owner never created?

- If a rule deletes a message then there is a chance that a bad actor is trying to prevent the mailbox owner from seeing something.

- If a rule notifies someone via SMS that may be the fingerprint of a bad actor trying to keep tabs on a mailbox.

I will also admit that there are plenty of situations where the above are the result of legitimately configured inbox rules. However, for the reasons I have indicated, I believe these actions warrant the most inspection.

As you can see from the above image, the script will do what it did before and check the mailbox rules for any forwards, but now it will also dig through each mailbox and throw up a warning when a suspect rule is present, whether enabled or disabled for that user.

Once you have located any suspect rules, you can then start digging further to see whether there is a business justification for them. If not, then you may have a compromised mailbox on your hands.

You’ll find the updated script at:

and remember to keep coming back as I’ll continue to update and extend it over time. If you have any feedback on this script, or suggestions for things you’d like to see, please let me know so I can look at developing them. Thanks again to Robert Pearman for his input on this.

Turn an Office 365 user ‘off’ with PowerShell


A common situation in the field is when a user or a business discovers a user account has been compromised or they no longer wish that user to have access to Office 365.

Of course they can go into the Office 365 Admin Center and block the user’s sign-in, but the user may still have access via mobile devices and active browser sessions. So, fully suspending a user’s account as soon as possible requires more than just disabling the login.

Anything that requires a sequence of steps is better completed using a script and this is what you’ll find I have created at:

The script requires you to already be connected to Azure AD, Exchange Online and SharePoint Online. It then goes through the following:

- blocks user login to Office 365

- invalidates refresh tokens for applications

- disables Exchange features like OWA, POP, IMAP, etc.

Importantly, it doesn’t change the user’s password, because this script is designed to be reversible. That is, suspicious activity has been detected on the account and you want to suspend access while you do some checking. Hopefully everything is fine and you can simply re-enable the account when checking is complete. If not, further action can be taken.
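The three steps above, written up as a single reversible function (an added example of my own, not the CIAOPS script). It assumes Connect-AzureAD and an Exchange Online session are already established, and the UPN is a placeholder.

```powershell
# Added example, not the CIAOPS script: reversibly suspend (or restore) an Office 365 user.
# Assumes Connect-AzureAD and an Exchange Online session are already established; the UPN
# used below is a placeholder. The password is deliberately left alone so the change can be undone.
function Set-O365UserSuspension {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $Restore    # re-enable sign-in and the mailbox protocols instead of disabling them
    )

    $user    = Get-AzureADUser -ObjectId $UserPrincipalName
    $enabled = [bool] $Restore
    $action  = if ($Restore) { 'Restore' } else { 'Suspend' }

    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, $action)) { return }

    # 1. Block (or re-allow) interactive sign-in
    Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $enabled

    # 2. Invalidate refresh tokens so apps must re-authenticate; access tokens already issued
    #    stay valid until they expire, which is the window the post describes below
    if (-not $Restore) {
        Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    }

    # 3. Turn the mailbox client protocols off (or back on)
    Set-CASMailbox -Identity $UserPrincipalName `
        -OWAEnabled $enabled -ActiveSyncEnabled $enabled -PopEnabled $enabled `
        -ImapEnabled $enabled -MAPIEnabled $enabled -EwsEnabled $enabled

    [PSCustomObject]@{
        User          = $UserPrincipalName
        Action        = $action
        SignInEnabled = (Get-AzureADUser -ObjectId $user.ObjectId).AccountEnabled
    }
}

# Dry run first, then the real thing; add -Restore once the investigation is complete
Set-O365UserSuspension -UserPrincipalName 'user@example.com' -WhatIf
Set-O365UserSuspension -UserPrincipalName 'user@example.com'
```

Note that -Restore switches every listed protocol back on, so check the mailbox’s previous CAS settings first if some protocols were deliberately disabled beforehand.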

Importantly, access to all Office 365 information is not immediately revoked even using this script. By default, mobile applications use a token for authentication that generally lasts one hour before it is renewed. So the worst case is that the token is renewed just before you suspend the account using the script. It will take a further one hour until the token renewal is required and the lock out is enforced. That means the account could still be active on a mobile device for up to one hour after suspension.

Now you can change this one hour time period but that requires using a preview version of the Azure AD PowerShell modules and I’ll leave that to you if you want to go down that route. You can find out more here:

Configurable token lifetimes in Azure AD (Public preview)

There are some other device management commands I have come across that may also be handy here but for now the script should do the job.

Remember to continue to check on my GitHub repo to see when I update and improve this script. Of course, any feedback is welcome on how the script can be improved, or if you find any errors.

Wednesday, July 4, 2018

PowerShell script to check email forwards

A while ago I wrote an article about how important it is to check the email forwards that all your mailboxes have in Office 365. Why? Because the first thing most bad actors set up after successfully phishing a user’s credentials is to forward all email to their own account. This effectively mirrors everything a user receives. Doing so allows the bad actors to gather intelligence about the user and the organisation, and potentially impersonate that user.

If you look at the configured email forwards for your tenant, as I detailed here:

Check those Office 365 email forwards

you are much more likely to detect something that could be an issue and take action.

As the article details, the easiest way to do this is to use a PowerShell command. However, an even easier way is to use the script that I have just made available for free in my GitHub repo here:

You’ll need to connect to Exchange Online prior to running this script.


The script will report back on all mailboxes and show you any forwards configured. It will show those in place but disabled (in yellow) and those in place and enabled (in red). The enabled ones are the ones you really should check to ensure that they are required and not implemented by a bad actor.
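Serving both this post and the Outlook rules post above, here is an added example of my own (not the CIAOPS script) that makes one pass over every user mailbox and reports mailbox-level forwarding alongside inbox rules with the actions the rules post treats as suspect, colouring enabled items red and disabled ones yellow. It assumes an Exchange Online PowerShell session is already established.

```powershell
# Added example, not the CIAOPS script: report mailbox-level forwarding and suspect inbox rules
# for every user mailbox. Assumes an Exchange Online PowerShell session is already established.
function Get-MailboxForwardingReport {
    [CmdletBinding()]
    param()
    $suspectActions = 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo',
                      'CopyToFolder', 'DeleteMessage', 'SendTextMessageNotificationTo'

    foreach ($mailbox in (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)) {
        # Mailbox-level forwarding: ForwardingAddress is set by an admin, ForwardingSmtpAddress
        # can be set by the user (or by whoever holds the user's credentials)
        foreach ($prop in 'ForwardingAddress', 'ForwardingSmtpAddress') {
            if ($mailbox.$prop) {
                [PSCustomObject]@{
                    Mailbox  = $mailbox.PrimarySmtpAddress
                    Source   = 'Mailbox'
                    RuleName = $null
                    Enabled  = $true
                    Action   = $prop
                    Target   = "$($mailbox.$prop)"
                }
            }
        }

        # Inbox rules: each suspect property is empty when unset, a target list or folder when
        # set, or a plain boolean for DeleteMessage, so a truthiness test covers all of them
        $rules = Get-InboxRule -Mailbox $mailbox.PrimarySmtpAddress -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            foreach ($action in $suspectActions) {
                if ($rule.$action) {
                    [PSCustomObject]@{
                        Mailbox  = $mailbox.PrimarySmtpAddress
                        Source   = 'InboxRule'
                        RuleName = $rule.Name
                        Enabled  = $rule.Enabled
                        Action   = $action
                        Target   = (@($rule.$action) -join '; ')
                    }
                }
            }
        }
    }
}

# Enabled items in red, disabled ones in yellow, matching the convention used in the posts
Get-MailboxForwardingReport | ForEach-Object {
    $colour = if ($_.Enabled) { 'Red' } else { 'Yellow' }
    Write-Host ("{0} [{1}] {2} -> {3} (rule: {4}, enabled: {5})" -f $_.Mailbox, $_.Source,
        $_.Action, $_.Target, $_.RuleName, $_.Enabled) -ForegroundColor $colour
}
```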

I’ve also uploaded many more scripts to my GitHub repo to allow you to connect to Office 365 services directly or using multi-factor authentication. I’ll keep adding scripts and updating existing ones regularly, so make sure you check back there often.

Tuesday, July 3, 2018

Need to Know podcast–Episode 184

This week Brenton flies solo again and speaks with Corch about cyber security. Corch brings a wealth of enterprise knowledge around cyber security to the mid market and SMB space, with a focus on ensuring that customers understand how important good IT security is in this day and age.

Of course we also give you an update on everything that's happening in the Microsoft Cloud, with news and updates around Office 365 and Azure. Don't forget to send us your feedback and questions.

Take a listen and let us know what you think

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.



Shogun Security



Office 365 Roadmap

Microsoft Fasttrack

Microsoft Fasttrack Branding kit

Office 365 updates

Migrate your files to OneDrive easily with known folder move

New updates to Planner comment and notification settings

What's new with Teams

OneDrive updates

Modernize your SharePoint Team Sites by connecting them to new Office 365 Groups

Centralized deployment for Outlook add ins

Microsoft to deliver intelligent cloud from Norway datacenters

Baseline policy for Azure AD admin accounts in public preview

How we rebuilt Intune

CIAOPS GitHub Repositories


I have now created 2 GitHub repos for Office 365 and Azure content. You can find these at:


At the moment they mostly contain basic connection PowerShell scripts but I am looking to grow the content over time and include other information that people can use. For example, in the Azure repo you’ll find my Azure bucket spreadsheet which is a basic way of pricing and bundling Azure services.

Much of the content is under development, but using GitHub allows me to easily work on the content across different machines and have a development environment to work with (i.e. versions, branches, etc.).

I also see using GitHub as a way for me to gain experience with the technology, given the recent Microsoft purchase of GitHub as well as the general move to a DevOps world.

So, take a look at what is there, hopefully you’ll find some handy PowerShell scripts and don’t forget to check back regularly for new and updated content. As always you can send me feedback directly or in GitHub for each project.

Monday, July 2, 2018

MVP for 2018-19


It is with a great deal of humility and pride that I can report that Microsoft has once again recognised my community contributions with its Most Valuable Professional (MVP) award for 2018 in the Office Servers and Services category.

This is now my seventh consecutive award and just as special as the first. This recognition is, however, not possible without the support of so many people who follow and support what I do, especially those that take the time to read this blog. To each and every one of you I say thanks again.

I’ll be sure to work hard again to bring you more information about Office 365 and Azure. Some additional stuff coming real soon! However, all of that wouldn’t be possible without Microsoft making such great products and making them available to people like me. I look forward eagerly to what they’ll be bringing out in 2018-19. It is going to be another very exciting year for Microsoft and being in the Microsoft ecosystem.

Being an MVP is a great and unique honour. Being part of a community of really smart and passionate technology people who are also MVPs is truly inspiring, and I hope to live up to their dedication and enthusiasm. I congratulate all those who were also awarded the same MVP recognition today.

But again, I thank Microsoft for this honour and will work hard to live up to the expectations it sets again for 2018-19.