Need to Know podcast–Episode 248

I speak with Michael Van Horenbeek who is one of the authors of a new Microsoft 365 Security eBook. We talk everything Microsoft 365 security as well a little about the challenges of publishing. I also get you up to date with the latest news from the Microsoft Cloud.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.


@vanhbrid – Michael Van Horenbeek


Microsoft 365 Security for IT Pros eBook

Microsoft Lists begins general availability roll out to Microsoft 365

Connecting tasks experiences across Microsoft 365

Announcing Tasks in Microsoft Teams public rollout

Teams is shaping the future of work with low code features to enhance your digital workspace

The new Yammer is generally available worldwide

Announcing public preview of Microsoft Endpoint Data Loss Prevention

Introducing the Bing Enterprise Homepage

End users can now report “This wasn’t me” for unusual sign-in activity

CIAOPS Need to Know Microsoft 365 Webinar–August


Capturing data electronically is key to being more productive. Businesses can achieve this using Microsoft Forms, which is part of Microsoft 365. This month I’ll show you what Microsoft Forms is, how to use it effectively and how it can help your business. I’ll also have the latest Microsoft Cloud updates plus open Q and A as well.

You can register for the regular monthly webinar here:

August Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – August 2020
Thursday 27th of August 2020
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

or purchase them individually at:

Also feel free at any stage to email me directly via with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Reasons to move to Microsoft 365 from a file server environment

There are many who still fail to see the benefits of moving from a traditional on-premises, centralised file server to a modern collaboration system like Microsoft 365. Here is a list of what I believe to be the major reasons that what a service like Microsoft 365 offers is superior to what an on-premises file server offers.

1. Search

I did a recent presentation around this exact topic, which you can find here:

It’s all about Search

It’s all about Search – video

All the file information you move to a service like Microsoft 365 is indexed. This includes both the title and the content, especially common document formats like Office, PDF, text and so on. Even images these days can also be indexed if they contain discernible text.

The benefit here is that people spend 30% or more of their day looking for information. Data trapped in a deep folder structure remains untapped unless people ‘know’ where to look. People’s expectation these days, shaped by the Internet, is to use a search engine to find what they want. Shouldn’t all data, no matter where it resides, also be as easily accessible as it is using an Internet search engine? Microsoft 365 provides this out of the box for data hosted there.

2. Remotely accessible

Recent times have demonstrated that those with information stored in a single location that isn’t available from anywhere will struggle. The trend, accelerated even more so now by current pandemic conditions, is the requirement to access data from almost anywhere, quickly and easily. There is also little doubt that the demand for remotely accessible data will only continue to grow as people desire the flexibility to work wherever and whenever is convenient.

Enable employees to work remotely and stay more secure

3. Different methods of accessibility

Another important factor is the need to be able to access file data using a variety of methods. With Microsoft 365, you can access data via a web browser, via the desktop or via a mobile device. You are not limited to a single mechanism. You can also access this data on just about any form of device, from any supplier, running any operating system. Most on-premises data access is largely limited to a file explorer mechanism with limited functionality, which neither provides rich information (like metadata) about the data nor supports modern functionality (such as check in/out).

4. Accessible on mobile devices

The need to access data on a variety of mobile devices is only growing, and it needs to be done quickly and easily. You can typically access Microsoft 365 data via a dedicated application for that service, such as the OneDrive for Business app, the SharePoint app, the Teams app, the Outlook app and so on. You can also access it via the default browser on any mobile device. Dedicated apps also support native search of this data, so again everything is accessible via an app on a device.

Office mobile app

5. Automatic versioning

By default, and you can customise this, 500 versions of each file are maintained in the Microsoft 365 storage services. This means that every time a file is updated the previous version of that file is retained. This provides the ability to examine, and potentially restore from, any point in time quickly and easily. Effectively, 500 backups of every file are maintained in Microsoft 365.

How does versioning work in a SharePoint list or library

6. Multiple people can work on the same Office document together

With Office documents in Microsoft 365, it is possible for multiple people to work on the same Word document, for example, at the same time. The typical on-premises scenario is that if a file is in use, another user makes a second copy of the original to work on, in the hope that their changes will later be merged into the original. This rarely happens, and you typically end up with duplicates of the original, with few people knowing what the current ‘source of truth’ is. Microsoft 365 allows users to work on a single Office document at all times and therefore maintain a single copy, or ‘source of truth’.

Document collaboration and co-authoring

7. Data resides with metadata

People don’t just work on files in a silo. Files are only part of the information story today. There are also calendar appointments, free-form notes, chat, emails, tasks and so on. An on-premises arrangement typically silos file data. Microsoft 365 allows related data to live together, in SharePoint Team Sites or Microsoft SharePoint sites, for example. This means that common data can be stored in a common location where it provides far more value in aggregate than in isolated, siloed environments.

How to make Tagging & Searching easier with metadata

8. Check in/Check out

Data in Microsoft 365 can be ‘checked in’ and ‘checked out’. Doing so provides detailed audit information around who was editing the file and why. It allows users to gain ‘exclusive’ access to a file to make changes. Imagine a policy document that is undergoing change. It can be ‘checked out’ while it is being updated. All other users will still be able to view the original document as it was prior to being ‘checked out’, but they can’t make changes to that document until it is ‘checked back in’. This means that the document is ‘effectively’ read only for the time that it is ‘checked out’. When a document is ‘checked back in’, audit information about the ‘check in’ can be added to that document’s properties.

Check out or check in files in a document library

9. Approvals

You can also add an approval level to data in Microsoft 365. This means that after a document has been ‘checked back in’ it has to undergo a further ‘approval’ stage before all other users can access it. For example, a current policy is ‘checked out’ and worked on. When it is completed, it is ‘checked back in’ by the original editor. With approvals in place, a supervisor now typically needs to review the document and ‘approve’ it before the updated document is available to all users in the environment.

Require approval of items in a site list or library

10. History

When you examine the properties of individual documents, you can easily see the activity on that document. That means you can quickly see who has not only edited that document but also who has viewed it.

File activity in a document library

11. Sharing

Sharing documents with others is far easier in the Microsoft 365 environment. This can be done using a link to the original source location, importantly maintaining the ‘single source of truth’. This is especially true when sharing data outside the organisation. Attaching a file from a file share creates multiple copies of the original file. It also surrenders control of that file to the receiver. That is, the sender has no idea whether the recipient has received that file, viewed that file, sent that file to others, modified that file or taken other actions with it. Attaching a file not only creates an additional copy but also surrenders complete control of that data to the receiver. Via the sharing options in Microsoft 365, far more control can be retained over the file since it remains in a single location, inside the source Microsoft 365 environment. The business can easily run reports to see what information is being shared and with whom, and then take action on that, such as blocking unsanctioned sharing.

Share a document using SharePoint or OneDrive

12. Personal user storage

Each individual licensed Microsoft 365 user gets at least 5TB of storage in their own OneDrive for Business. By default, this area is private for that user. They can share directly from here. They can sync that information to any location. They can access that information on their mobile device or remotely via the web. This overcomes the typical on-premises scenario of needing to work on a document ‘at home’, in which the data is emailed as an attachment (creating another copy of the data again), typically to a personal, non-corporate and non-compliant email address. It is then worked on outside the business, typically leaving a copy on the home PC as well as in the personal email account, and then emailed back into the business. OneDrive for Business again allows for a single source of truth for data that can be accessed from any location using a variety of means. This prevents data leakage and, for the business, provides much more control over its data.

Pssst…want some free GBs in your OneDrive for Business

13. Hardened against infection

Data sent to the Microsoft 365 environment is checked for infection. If data is subject to something like a crypto locker attack, it can easily be recovered by the user thanks to the built-in version control. This protection is in addition to the protection provided on the devices and in the locations from which that data is accessed. It is something the Microsoft 365 service provides by default.

Virus detection in SharePoint Online, OneDrive, and Microsoft Teams

Restore your OneDrive

14. Compliance

The data can have compliance policies applied to it automatically. An example of this would be Data Loss Prevention (DLP) that could prevent sensitive information like credit cards being sent outside the organisation. Such policies apply to wherever that data is accessed. It is even possible to prevent users accessing data on devices and in locations that are considered insecure or not compliant (for example on a home PC).

Microsoft 365 compliance center

Overview of data loss prevention

15. No infrastructure costs

The costs of managing and maintaining servers add up. Equipment fails. Equipment needs updating. Operating systems need updating. Someone has to do this, and continue to do this. Resources devoted to maintaining on-premises equipment are resources not devoted to the business achieving its business goals.

16. Retention

Not only is version control the default for files in Microsoft 365, but it is also possible to implement retention policies that specify not only how long data should be maintained for but also what should be done at the end of that period. Most businesses simply hoard data because they can. That, however, encourages duplication of information and the maintenance of irrelevant and potentially confusing information. Good governance of data should state not only how long it needs to be maintained but also when it should be deleted. Microsoft 365 allows all of this to be managed automatically using retention policies.

Create and configure retention policies

17. Delve

I have spoken a lot about the benefits of Delve which you can find here:

Delve should be the center of your Office 365 universe

but in essence it provides a single location for a user to go and find data that is relevant to them, either via search, an activity feed or interaction with others. This capability is constantly updated and managed by Microsoft 365; there is nothing that needs to be done by the user. Delve takes care of that for them.

18. Project Cortex

It shouldn’t be too much longer before we get Project Cortex. Imagine that every time you viewed Microsoft 365 it presented you with a fully customised view of the data that you need. No need to worry about where it actually lives or what structure it resides in; Project Cortex will build a customised ‘intranet’ for you on the fly each and every time you visit.

Project Cortex

19. Integrations

It has been previously pointed out that file data no longer lives in a vacuum. Far more benefit is derived from integrating data with services other than pure storage. Microsoft Teams is a great illustration of how the integration of storage, chat and conferencing has grown to be the central requirement of many organisations today. As new and innovative ways are created to boost productivity, they largely rely on the ability to integrate this functionality with access to file data. Solutions like Microsoft 365 make this relatively simple and straightforward. In many cases, the integration simply becomes ‘available’. It only relies on the end user learning to take advantage of these abilities.

Answering common questions with Office 365 Part 3

20. Great people expect great tools

A major battle for business today is recruiting and retaining the best talent. Great people expect to work with the latest technologies. Without that, they will leave and move to businesses that provide them with the most modern tools they need to get their jobs done. These modern tools are what is already available on the Internet. Many of the best and brightest have grown up with these modern web-based applications and will expect these as the default inside any business they work for. Don’t have the latest tech? Then don’t expect to attract the best talent. It is that simple.

21. The rise of the machines

Of growing importance to all businesses, large and small, will be Artificial Intelligence in some shape or form. This means allowing algorithms to examine large amounts of data and then make judgements, take actions, present information and generally assist the information worker. It is going to be next to impossible to achieve that if a business’s data is siloed and locked away in antiquated on-premises environments. One huge advantage of the Microsoft 365 environment is the Graph, which captures all sorts of signals from all sorts of locations in the service and then makes those available. Not only is this important for productivity, but it will become increasingly important for security.

Overview of the Microsoft Graph

Put AI into action and empower everyone in your organization

22. Simple automation

Thanks to the integration of services like Microsoft Power Automate, it is very simple to start automating common business processes in Microsoft 365. For example, the handling of an employee leave request form, complex document approvals, attachment routing and so on can be achieved with a ‘no code’ tool that is already integrated into the platform at no additional cost. There is so much inside every business that can be automated. All of these add up to greater productivity and in the end make the business more efficient and effective.

23. AutoSave

We have all had the situation of investing a lot of time in a document and then having the application crash or hang, resulting in all the changes being lost. Painful to say the least. Microsoft 365 applications automatically save the files you are working on every few seconds via a feature known as AutoSave. It will also be enabled by default when a file is saved into OneDrive for Business, SharePoint Online or Teams. This is going to greatly reduce the chance of users losing the time and effort they have invested in working with data in Microsoft 365.

What is AutoSave?


In summary, moving to a ‘modern’ collaboration environment like Microsoft 365 has many benefits, even more than I have listed here. As with any change, there will be challenges moving from a familiar, comfortable environment to something that is new and in many ways quite different. Change is never easy, but change is a fact of life with technology and something that eventually most businesses cannot avoid if they want to stay competitive. You don’t see many horse drawn carriages on our streets these days, do you? The trick is that any change doesn’t have to happen in total or immediately. It is not something that needs to be completed overnight. In fact, the best approach is to ease into it using something like the migration framework that I have recommended here:

A framework for file migrations to Microsoft 365

Of course, there may be constraints and requirements to change faster than some are comfortable with. As I have highlighted in this article:

Stop making your users feel stupid!

Training and a formal adoption process are so important to ease people through these changes. Businesses should want their workers to be even more productive in this new ‘modern’ collaboration environment, but that isn’t going to happen without providing users with assistance in making this change. You should be investing in people as much as technology because they form the critical partnership in any business. Only by working in combination will this allow a business to progress. The longer they remain in conflict, the less productive a business will be. Technology is a mere tool, but those who wield it cannot do so effectively using antiquated and blunt instruments. Likewise, the most modern and sharp instruments operate well below their capacity when wielded by the unskilled.

All businesses should be focused on profitability in whatever measure that may be. All resources, people, technology and so on, inside a business should aim to serve and maximise that end. In this day and age, there are not many businesses that would be well served with utilising antiquated technology. A desire to stick with the status quo and not embrace the benefits technology can provide is not doing that business any favours. That flows onto every person in the business and every supplier to that business and every customer of that business and every family with members in that business and so on. The ramifications are much wider than most give it credit for.

As I said, it is not an all or nothing choice. It is about making the BEST choice from the available options. To me, at this time, the best choice is consideration for what services like Microsoft 365 can provide a business, not simply to maintain things the way they have always been ‘just because that is easier’. Hopefully, the items above help provide some evidence as to why consideration should be made along with the information to do so.

Need to Know podcast–Episode 247

FAQ podcasts are shorter and more focused on a particular topic. In this episode I speak about what Office 365 Alerts is and provide some best practice suggestions.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.


FAQ 13

CIAOPS Patron Community

Microsoft Cloud App Security options


Automating the deployment of an Attack Surface Reduction policy across multiple tenants

A while ago I wrote an article on:

Using the Microsoft Graph with multiple tenants

which showed you how to embed a ‘static’ Azure AD application in all the tenants you wish. I then showed how to give those ‘static’ Azure AD applications, in all those tenants, the appropriate permissions to access various tenant configuration settings in this article:

Reporting on multiple tenants with the Microsoft Graph

This meant that you could now run Microsoft Graph requests across all those tenants, securely and without needing a login to each tenant.

Recently, I also wrote about the:

Attack Surface Reduction rules for Windows 10

and how to set these in an automated way via PowerShell. I’m now going to bring these two concepts together and show you how to deploy an Attack Surface Reduction (ASR) policy into Microsoft Endpoint Manager across multiple tenants WITHOUT the need to login to each to do it!

Before you can do all this you’ll need to embed an Azure AD App into all the desired tenants. The information to do this I have previously covered here:

Using the Microsoft Graph with multiple tenants

Once you have an Azure AD application inside your tenants, you can keep using it for further configuration processes like this one. Thus, you only need to add an Azure AD application to the desired tenants once. You can then simply re-use it as needed.

With the Azure AD application in place, the next step is to provide the appropriate permissions for that Azure AD application to do what it needs. In the case of working with ASR, the Azure AD application will need the following Graph API permissions:

Read and write Microsoft Intune Device Configuration and Policies


Read Microsoft Intune Device Configuration and Policies

You can add these manually which I have covered off previously here:

Using interactive PowerShell to access the Microsoft Graph

However, I have also made available an automated tool to do this.


In this case, my pre-existing Azure AD application is called ciaops-S6 as shown above.


In this first tenant, you see that there are currently no API permissions associated with my Azure AD application.


In the second tenant, there are already existing permissions as you can see above, but they currently don’t include the ones I want detailed above, so they will also need to be added here.

What I want to achieve for both tenants, is to add these two Graph API permissions:

  • Read and write Microsoft Intune Device Configuration and Policies
  • Read Microsoft Intune Device Configuration and Policies

to my existing Azure AD application, while also leaving any existing permission in place.

You’ll need to visit my Office 365 GitHub repository and download the program:


You’ll need to put graph-adapp-per.exe in the same directory as the XML configuration files for the tenants, as shown above. Then you’ll need to run:

graph-adapp-per.exe 89a0934cc6064c1a95caffdaec4e5429

The 89a0934cc6064c1a95caffdaec4e5429 parameter tells my program which permissions you wish to add to the existing Azure AD application.


The program will check whether the Azure AD PowerShell module has been loaded. If not, it will terminate.

In this case enter A when prompted to ADD permission to those that exist.


You’ll then be prompted to login as an administrator to the first tenant. This is required once for each tenant because you are ADDING permissions to an existing Azure AD application. Once these permissions have been added, you won’t need to repeat this for any access to the same properties. For example, say you later on want to configure the Microsoft EndPoint Manager Firewall policy, you won’t need to complete this permissions step because what you are doing here adds the same permissions you need to do the Firewall policy.


The required permissions are added and you will then be prompted to ‘consent’ to these. Unfortunately, I can only find a way to do this via a browser. Selecting Y here will open a browser in in-private mode and allow you to complete consent. The required ‘consent’ URL is also copied to the clipboard, so if you already have the tenant open in a browser somewhere, just paste the clipboard contents there to complete ‘consent’ like so:



You should now see the permissions request as shown above that you need to Accept. What you see will vary slightly. You will always see:

  • Read and write Microsoft Intune Device Configuration and Policies

  • Read Microsoft Intune Device Configuration and Policies

as these are new permissions. However, if you have existing rights, as this first tenant did, you will also see those.

Simply select Accept to continue.


If you now return to the program, you’ll be prompted to confirm that ‘consent’ has been completed. Enter Y to continue.


That will complete the first tenant and then commence the same process on all subsequent tenants as shown above.


The only difference you’ll probably see is the list of permissions you need to accept. This is because, in this case, the option to ADD permissions was selected. The above shows you the prompt from the second tenant in this example which started off with no permissions for the existing Azure AD application.


Once the program is complete, it will pause and ask you to hit ENTER as shown.


If you now look at the API permissions for the Azure AD application to which the permissions were added, you should see that it now has:

  • Read and write Microsoft Intune Device Configuration and Policies

  • Read Microsoft Intune Device Configuration and Policies

As shown above.


And if you check an Azure AD application that already had permissions, like the second example here shown above, you will see that the appropriate permissions have been added to any that previously existed.

Remember, you only need to go through this process when you want to ADD permissions to your Azure AD application. As mentioned, now that these permissions have been added to the Azure AD application you can work with just about any EndPoint Manager configuration for the tenant.

Now that the permissions are in place, the next step in the process is to run the program to add the ASR policy to EndPoint Manager for the tenant. To do that you’ll need to download the following program from my Office 365 GitHub repository:


and copy it into the same directory you have been using, as shown above. That is the one with all the tenant configuration files.

Run the program:



The program will run and work through the required tenants without any prompts.


You will see the policy settings for each tenant, as shown above, as a confirmation.


If you return to Microsoft EndPoint Manager for the tenants and refresh the ASR policy listing as shown above, you should see a new ASR policy as shown.


If you scroll down to the Configuration settings:


You will see that the individual settings have been configured.


The only thing you’ll need to do manually is to actually assign this policy to your environment, as shown above. I have chosen not to do this automatically for all users and/or devices in the tenant, because the individual settings may need some tweaking, such as applying them to a test group first to ensure there are no issues. Maybe in a future iteration I’ll look at providing that option.

If you run the graph-asr-set.ps1 program again, it will create an additional policy of the same name with the same settings. Another to-do item will be a program to adjust an existing script.

If for some reason you wish to remove ALL the permissions from your Azure AD application in ALL your tenants, use the command:

graph-adapp-per.ps1 693cb755244848a2a556025710cec086

You can also, of course, do this manually via the portal, as well as selectively by the same method if you wish. However, I see no major reason not to leave the permissions in place, having gone to all that trouble, so you can make additional configuration changes later on (without the need to login to the tenants, as I will again point out!).

So there you have it! An automated way to set ASR policies in Microsoft EndPoint Manager, across multiple tenants, without individually logging in, using the Microsoft Graph.
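As an added example that is not part of this post or the CIAOPS tools it describes, the PowerShell below does a per-tenant preflight before the ASR deployment step: it obtains an app-only Graph token for the embedded Azure AD application (no interactive login), checks that the two Intune permissions have actually been consented (they only appear in the token’s roles claim after consent), and checks whether a policy of the same name already exists, which avoids the duplicate policy created when the set script is re-run. It assumes tenant id, app id and client secret values in place of the post’s XML configuration files, and assumes the beta deviceManagement/intents endpoint for Endpoint Security policies and a placeholder policy display name.

```powershell
# Added example, not the CIAOPS tooling: app-only Graph preflight across tenants.
# ASSUMPTION: the post's per-tenant XML files are replaced here by placeholder values.
$tenants = @(
    @{ Name = 'Tenant A'; TenantId = '<tenant-a-guid>'; AppId = '<app-id>'; ClientSecret = '<secret>' },
    @{ Name = 'Tenant B'; TenantId = '<tenant-b-guid>'; AppId = '<app-id>'; ClientSecret = '<secret>' }
)

# The Graph application permissions behind the two display names used in the post
$requiredRoles = @(
    'DeviceManagementConfiguration.ReadWrite.All',  # Read and write Microsoft Intune Device Configuration and Policies
    'DeviceManagementConfiguration.Read.All'        # Read Microsoft Intune Device Configuration and Policies
)

function Get-GraphAppToken {
    param([string]$TenantId, [string]$AppId, [string]$ClientSecret)
    # OAuth 2.0 client credentials grant: the app authenticates itself, nobody logs in to the tenant
    $body = @{
        client_id     = $AppId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    return $resp.access_token
}

function Get-JwtClaims {
    param([string]$Token)
    # Decode the JWT payload (second segment); base64url needs '+', '/' and padding restored
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Get-MissingGraphRoles {
    param([string]$Token, [string[]]$Required)
    # Application permissions show up in the 'roles' claim only once admin consent is granted,
    # so anything missing here means the consent step from the post was not completed.
    $granted = @((Get-JwtClaims -Token $Token).roles)
    return @($Required | Where-Object { $_ -cnotin $granted })   # case-sensitive, as the Graph is
}

function Test-AsrPolicyExists {
    param([string]$Token, [string]$DisplayName)
    # ASSUMPTION: Endpoint Security policies are exposed as 'intents' in the beta endpoint.
    # Checking by name first avoids creating a second policy with the same name on a re-run.
    $uri = "https://graph.microsoft.com/beta/deviceManagement/intents?`$filter=displayName eq '$DisplayName'"
    $result = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $Token" }
    return (@($result.value).Count -gt 0)
}

$policyName = 'ASR Policy'   # ASSUMPTION: placeholder for the display name the set script uses

foreach ($t in $tenants) {
    $token   = Get-GraphAppToken -TenantId $t.TenantId -AppId $t.AppId -ClientSecret $t.ClientSecret
    $missing = Get-MissingGraphRoles -Token $token -Required $requiredRoles
    if ($missing.Count -gt 0) {
        Write-Warning "$($t.Name): permissions not consented: $($missing -join ', ')"
        continue
    }
    if (Test-AsrPolicyExists -Token $token -DisplayName $policyName) {
        Write-Warning "$($t.Name): a policy named '$policyName' already exists; skipping to avoid a duplicate"
        continue
    }
    Write-Host "$($t.Name): permissions consented and no existing policy; safe to run the ASR set script"
}
```

The client secret is shown inline only for readability; in practice read it from a secured store rather than a plain file beside the tenant configuration.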

Setting text language in Office Online

Some people don’t wish to use the default English (U.S.) as their preferred language for Office Online when they create new documents there. Interestingly, you can change the option but it doesn’t seem to work for all languages. Here’s how to change the setting, but it has limitations.


In my case, my production tenant is set up in Australia. The language I use everywhere is English (Australia). You would think that this applies to any new document created using Office Online. Not so, it seems. If I create a new Word document using the web interface as shown above, I get:


but if you look in the lower left you see:


If you click on the language text you get:


Here I can select English (Australia) as my language. Now my document reports:


All good right? Sure, until you create a new document using Office Online. You are then back to the original language. In my case, English (U.S.) not English (Australia)! I don’t want to be changing the language manually for every new document I create with Office Online. How do I therefore make my preferred language ‘stick’ with Office Online?

As far as I can tell, to make a different language ‘stick’ for a user when they use Office Online they will need to do the following:

1. Log in to the Microsoft 365 portal with their own credentials.

2. Select their Account Manager icon in the top right of the portal window like so:


3. From the menu that appears select My Office profile like so:


4. Select the Update profile button on the Delve page like so:


5. On the Update your profile page, locate and select How can I change language and region settings? as shown:


6. This reveals a new line that includes a hyperlink on the word “here”, as shown below, which you need to select. Note the additional instructions it also gives you: click the ellipsis (…) and then choose Language and Region.


7. As the previous instructions detailed, on the Edit Details page select the ellipsis (…) like so:


8. From the items that are displayed, select Language and Region as previously directed:


9. Select the option to Show Advanced Language Settings as shown:


10. Select the Pick a new language for both of the selection boxes displayed like so:


11. It turns out that at this point not all options are accepted. In my case, if I select English (Australia), the Office Online documents continue to open with English (U.S.). As it turns out, the best I can do in my case is set the language to English (United Kingdom) and then select the Add button like so:


If you want another language, you’ll probably have to try a few to see whether they ‘stick’.

12. My end result looks like:


You’ll also need to either remove the existing language (as I have done, so English (U.S.) no longer appears) or change the priority of the language added, via the up/down arrows on the right of the language, and place it at the top of list to make it the default.

13. Scroll to the bottom of the page and make sure you select Save all and close to update your preferences:


14. Lastly, it seems you’ll need to wait about 15 minutes or so for this to take effect.

If you now open a new Office Online document, you should now see the selected language as default like so:


Phew, that’s a lot of work isn’t it? It may not be English (Australia) but it is now much closer to that than what it used to be. Remember, that each individual who wants their language changed for Office Online will need to complete these steps.

Next challenge, how to script it with PowerShell for bulk deployment? Not sure I want to go down that rabbit hole. We’ll see. Let me know if you’d find value in a script to make these changes across your tenant.

Case sensitivity is important with the Microsoft Graph

I recently wrote an article about implementing Attack Surface Reduction (ASR), which you can read here:

Attack Surface Reduction for Windows 10

The next step was now to automate ASR policies with Microsoft EndPoint Manager via PowerShell. Luckily I found a great blog article by Ben Leader which you’ll find here:

Creating EndPoint Security policies with PowerShell

Ben’s article focused on BitLocker, while mine focused on ASR. It took a little time to reverse engineer things with ASR, but I had my script working without error.


However, the problem was that the changes that the script made didn’t show up in the web interface, as shown above. There were no errors reported. Strange. Maybe it was a timing thing? Nope. What could it be?

Puzzled, I contacted Ben again and it turns out that the syntax with the Microsoft Graph is case sensitive! A simple solution once you know, but super frustrating until you do.


So in the original code I had set the “value” to Enable as shown above. That is with a capital ‘E’, which is invalid.


As it turns out (thanks to Ben), I learned it should be a lower case ‘e’ as shown above.


As shown above, this works as expected in the web interface. Phew.

The moral of the story is that you need to be careful when it comes to setting values with the Graph. That should hopefully accelerate my development of automating ASR across environments!
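The trap is easy to fall into from PowerShell because its own comparison operators are case-insensitive by default, so a script can ‘validate’ Enable against enable and still send the wrong value. As an added example that is not part of this post or the author’s script, the function below checks a policy’s setting values with PowerShell’s case-sensitive operators before anything is sent to the Graph. It assumes a constructed settings list of definitionId/value pairs; ‘enable’ is the value confirmed in the post, while the second allowed value and the definition ids are placeholders.

```powershell
# Added example, not the author's ASR script: case-sensitive preflight of setting values.
# ASSUMPTION: 'enable' is the value confirmed in the post; 'auditMode' is a placeholder for
# a second allowed value so the check has more than one entry to compare against.
$allowedValues = @('enable', 'auditMode')

function Test-GraphSettingValues {
    param(
        [Parameter(Mandatory)] [object[]]$Settings,   # objects with definitionId and value
        [Parameter(Mandatory)] [string[]]$Allowed
    )
    $problems = @()
    foreach ($s in $Settings) {
        # -in and -eq ignore case, so 'Enable' -in @('enable') is $true and would slip through.
        # -cin and -ceq are case-sensitive, matching how the Graph treats the value.
        if ($s.value -cin $Allowed) { continue }

        # Find an allowed value that differs only by case, to suggest the exact spelling
        $hint = $Allowed | Where-Object { $_ -ieq $s.value } | Select-Object -First 1
        $suggestion = if ($hint) { "use '$hint'" } else { 'not an allowed value at all' }

        $problems += [pscustomobject]@{
            definitionId = $s.definitionId
            value        = $s.value
            suggestion   = $suggestion
        }
    }
    return $problems
}

# Constructed sample body: the first entry carries the capital-E value from the post
$sampleSettings = @(
    [pscustomobject]@{ definitionId = '<assumed-definition-id-1>'; value = 'Enable' },
    [pscustomobject]@{ definitionId = '<assumed-definition-id-2>'; value = 'enable' },
    [pscustomobject]@{ definitionId = '<assumed-definition-id-3>'; value = 'AuditMode' }
)

$bad = @(Test-GraphSettingValues -Settings $sampleSettings -Allowed $allowedValues)
if ($bad.Count -gt 0) {
    $bad | Format-Table -AutoSize
    # The Graph accepted the bad value without an error in the post and the setting simply
    # never appeared in the portal, so stop here rather than sending the request.
    throw "Fix the $($bad.Count) setting value(s) above before calling the Graph."
}
```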