Sharing your calendar in Outlook allows your colleagues to see your availability or even manage your calendar. To do this, you can set different calendar permissions in Outlook. Calendar permissions in Outlook determine how much detail your colleagues can see ...
This month, Microsoft has been recognized by Gartner® as a Leader in the 2022 Magic Quadrant for Unified Endpoint Management (UEM) Tools. This blog post outlines the “so what” for IT leaders, and why we believe this Gartner analysis deserves your focus right now.
As you see in the Magic Quadrant in Figure 1, Microsoft is positioned as a Leader in the 2022 Magic Quadrant for Unified Endpoint Management Tools. You will also see that Microsoft is highest on the “Ability to Execute” axis. Microsoft was also recognized as a Leader in the 2021 Magic Quadrant for Unified Endpoint Management Tools.
Figure 1. Magic Quadrant for Unified Endpoint Management Tools.
Why customers choose Microsoft for UEM
Let me summarize three reasons we hear from customers as to why they see Microsoft as a dependable and cost-effective solution for UEM.
Microsoft Endpoint Manager is the native Microsoft solution, providing deep integration with Microsoft 365 and Microsoft Azure to improve employee security and the IT administrator experience. Seamlessly integrating management, identity, and security with your employees’ digital experience has two advantages. It improves employee satisfaction as their workplace tools don’t need them to juggle multiple security add-ons. Further, it reduces the amount of platform integration your IT team needs to do, allowing IT to focus on higher-order priorities and save money. Microsoft 365 integration is an ongoing project for us: our advanced endpoint management strategy means we are bringing more solutions into the Microsoft 365 platform, driving down the number of add-ons you need to integrate.
Customers like being in control of when they migrate to the cloud. The improvements we have made in tenant attach and hybrid Microsoft Azure Active Directory (Azure AD) mean that customers can have many choices in how to co-manage their devices. This puts the customer firmly in control. The accelerated shift to hybrid work in the past two years has taught us that there is no “one size fits all” for digital transformation. Some organizations are now fully remote and in the cloud; others have leaders that are very keen on a full return to the office. Many are in between. Microsoft Endpoint Manager capabilities accommodate all scenarios, leaving customers in control.
Customers are reassured by Microsoft’s ongoing investments in Endpoint Manager. We continue to improve the IT administrator experience and the experience for frontline workers, as well as integrate with Azure Virtual Desktop, Windows 365, and Microsoft Defender for Endpoint. Other recent innovations include new support for managing Linux desktops (currently in preview), macOS enhancements such as support for DMG and other apps, remote help, and Endpoint analytics such as work-from-home readiness and other reports to power a hybrid workforce. We look forward to sharing further advances soon.
Continued momentum for Microsoft Endpoint Manager
Strong rationale from analysts and customers is backed up by metrics. As our Chief Executive Officer (CEO) Satya Nadella revealed on our Q3 2022 earnings call, “the number of Windows, Android, and iOS devices protected by [Microsoft] Intune grew over 60 percent year over year.” More broadly, “the number of customers who trust our security solutions grew nearly 50 percent year over year to 785,000.” We work with more than 15,000 industry-leading partners to analyze 24 trillion threat signals a day to keep customers like Domino’s Pizza, Fujitsu, Heineken, and Petronas safe.
So, I would encourage you to read the Gartner® report and explore what actions you should take. Specifically, customers looking for a dependable, cost-effective solution in three specific situations may find it particularly relevant:
If you are spending too much time managing third-party security plug-ins. Simplifying your endpoint management vendors could free up your time for other priorities.
If your security, identity, or management software vendors are influencing the timing of your migration to the cloud. The ability to migrate at your own pace remains critical.
If you selected your UEM vendor prior to the shift to hybrid work. The pandemic changed requirements for many customers and initiated deep investments to meet those new needs.
We believe any recognition from independent external analysts is an important milestone in building the best product we can; we thank our customers and partners for being on this journey with us.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
Gartner, Magic Quadrant for Unified Endpoint Management Tools, Tom Cipolla, Dan Wilson, Chris Silva, Craig Fisler. August 1, 2022.
Gartner and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Every marketing campaign is one part unique, one part “we’ve done this before and simply need to do it again and again in an organized fashion” – to keep everyone in sync and track what matters most. The main goals are to track up-to-date information, loop in the right people at the right time, and automate as much as possible. It will save you time and improve awareness.
The video below provides context for how Microsoft Lists + Power Automate + Teams helps streamline people + information across date-driven milestones. It’s mostly a demo video, to give you a nudge on how to take advantage of the technology. And then, let technology support you and your fellow marketers.
Based on the above video, let’s hit on the main components with further insight plus links to learn more about each capability.
Start with list templates that come with built-in Power Automate flows
For a marketing campaign, we suggest using the “Content scheduler” template. It recently got a powerful update: a built-in Power Automate ‘reminder’ flow. That’s right, it’s configured for you as part of the common list creation process.
Once you create the list, the flow is automatically configured to send a reminder three days in advance of the draft or publish date. The reminder gets sent to the person you added to the “Author” column. Do nothing and it starts working as soon as you add your first list item. And if you wish to further configure the connected flow, go for it. You’ll find it under the Integrate menu > See your flows – this will take you directly into the Power Automate flow designer.
Some Microsoft Lists templates have built-in Power Automate flows – like above, the “Content scheduler” template creates a list and a reminder flow automatically.
Add the list to the active Microsoft Teams marketing campaign channel
Adding information to a list is one thing. Collaborating with others is the thing that moves all things forward. It’s not a new feature and it’s a powerful one. You can use the Lists app in Teams to either create a new list or add an existing one as a tab in a Teams channel.
Once in place, you can start a conversation per list item. Just @mention someone and add context to what you are asking them to do or review. They’ll get a notification, and when they click on the list item from the chat, it’ll take them right to the list item with the chat (and context) side-by-side.
Work with Lists in Microsoft Teams and start conversations tied to individual list items.
Create multiple list views to help all your collaborators visualize the information
We know that every marketing campaign involves a bunch of people – from all walks of your organization. Some will want to review the visual elements of the campaign (branding), some will need to review and sign off on all messaging and positioning (PR and legal teams), and some just need to know who’s doing what (product marketing and leadership teams).
So, why not make distinct views of the campaign information tailored for each type of collaborator – customized visually so they can get into the list, see what they need to see, and get out. Consider creating a different list view for each group. We’ve got Gallery view for your brand team, Board view for your PR and legal teams, and Calendar view for product marketing and leadership teams.
Create numerous views for your list to help others better visualize the information. Above, you can see Board view - great for managing information across a business process.
At any time, anyone can select whatever view works best for them to visualize the information and progress.
Your information can speak to you, visually. Just add a little conditional formatting, and when certain criteria are met, the list item (row, column, or view) will adjust accordingly. And if something changes that is important for someone else to know about (each time it happens), write a simple list rule that triggers each time a status updates, or a list item gets reassigned.
Microsoft Lists supports the ability to color-code rows, columns, and views - in a static fashion or when certain conditions are met.
Once you’ve created a list that looks just right and works for everyone involved, use the “Create a list from a list” feature to do it all over again in the same prescribed fashion (column structure, color coding, rules, and more) – saving you time to configure, to help get you more quickly to where you want to be – making progress on planning and executing your next marketing campaign.
Good luck with your next marketing campaign – knowing Microsoft Lists has your back as you plan, collaborate, and execute what matters most.
A summary of value across Microsoft Lists as you use the app in Microsoft 365, Microsoft Teams, in SharePoint and while on the go with Lists for Android and iOS.
Multiple mailbox users match identity “Mailbox1”
So I’m working on a nice Public Folder migration from Exchange 2016 to Exchange Online. Last week all preparations were performed and this morning I was planning to start the migration batch. Fourteen Public Folder mailboxes in Exchange 2016 to eighteen Public Folder mailboxes in Exchange Online. What could possibly go wrong…. Creating the new endpoint …
Today, Microsoft is excited to publish our second edition of Cyber Signals, spotlighting security trends and insights gathered from Microsoft’s 43 trillion security signals and 8,500 security experts. In this edition, we pull back the curtain on the evolving cybercrime economy and the rise of Ransomware-as-a-service (RaaS). Instead of relying on what cybercriminals say about themselves through extortion attempts, forum posts, or chat leaks, Microsoft threat intelligence gives us visibility into threat actors’ actions.
RaaS is often an arrangement between an operator, who develops and maintains the malware and attack infrastructure necessary to power extortion operations, and “affiliates” who sign on to deploy the ransomware payload against targets. Affiliates purchase initial access from brokers or hit lists of vulnerable organizations, such as those with exposed credentials or already having malware footholds on their networks. Cybercriminals then use these footholds as a launchpad to deploy a ransomware payload against targets.
The impact of RaaS dramatically lowers the barrier to entry for attackers, obfuscating those behind initial access brokering, infrastructure, and ransoming. Because RaaS actors sell their expertise to anyone willing to pay, budding cybercriminals without the technical prowess required to use backdoors or invent their own tools can simply access a victim by using ready-made penetration testing and system administrator applications to perform attacks.
The endless list of stolen credentials available online means that without basic defenses like multifactor authentication (MFA), organizations are at a disadvantage in combating ransomware’s infiltration routes before the malware deployment stage. Once it’s widely known among cybercriminals that access to your network is for sale, RaaS threat actors can create a commoditized attack chain, allowing themselves and others to profit from your vulnerabilities.
While many organizations consider it too costly to implement enhanced security protocols, security hardening actually saves money. Not only will your systems become more secure, but your organization will spend less on security costs and less time responding to threats, leaving more time to focus on incoming incidents.
Businesses are experiencing an increase in both the volume and sophistication of cyberattacks. The Federal Bureau of Investigation’s 2021 Internet Crime Report found that the cost of cybercrime in the United States totaled more than USD 6.9 billion [1]. The European Union Agency for Cybersecurity (ENISA) reports that between May 2021 and June 2022, about 10 terabytes of data were stolen each month by ransomware threat actors, with 58.2 percent of stolen files including employees’ personal data [2].
It takes new levels of collaboration to meet the ransomware challenge. The best defenses begin with clarity and prioritization, which means more sharing of information across and between the public and private sectors and a collective resolve to help each other make the world safer for all. At Microsoft, we take that responsibility to heart because we believe security is a team sport. You can explore the latest cybersecurity insights and updates at our threat intelligence hub Security Insider.
With a broad view of the threat landscape—informed by 43 trillion threat signals analyzed daily, combined with the human intelligence of our more than 8,500 experts—threat hunters, forensics investigators, malware engineers, and researchers, we see first-hand what organizations are facing and we’re committed to helping you put that information into action to pre-empt and disrupt extortion threats.
In the rapid change of Office 365, Microsoft sends Tenant Admins news about what is changing and what is coming in Office 365. This is the 279th email that Microsoft has sent to the Tenant Admins newsletter with Office 365 changes. This weekly digest is intended to keep the administrators of Microsoft Office 365 up to date with the latest changes that are happening to Office 365. Below is…
Hopefully, you have read some of our announcements around disabling Basic authentication in Exchange Online. We are getting close to the end of a more than three-year long journey.
Microsoft is going to disable Basic authentication for most Exchange Online protocols starting October 1, 2022. Seeing that we are past mid-August, you should have ample motivation to plan for the elimination of Basic authentication.
Recently, I have heard of two different types of questions related to implementation of OAuth – questions related to Exchange ActiveSync (EAS) use and POP/IMAP OAuth configuration.
Finding Basic auth ActiveSync usage in sign-in logs
Let’s start with EAS, which was widely used with Basic authentication in the past. Major mobile phone vendors and app developers now include OAuth support in their native email clients. As mentioned here, you can use the Azure AD sign-in logs to find users/clients who are still using Basic authentication with the "Client app" filter. In this case, look for the “Client app” value "Exchange ActiveSync" underneath “Legacy Authentication Clients”.
The report might give you a long list of users using Basic, but one corner case arises when clients authenticate with certificates. In this case, the report might have “tricked” you, and we want to clarify that a bit here. Exchange Online has supported certificate-based authentication for EAS for a long time and this capability has been widely adopted. However, this report will also include certificate-based authentication under the Legacy Authentication Clients filter.
Even though certificate-based authentication is considered strong authentication, Azure AD considers it ‘Legacy’ because it does not use OAuth. You can confirm that the records are for certificate usage by opening the Authentication Details tab.
The Azure AD sign-in report doesn’t allow you to filter out EAS sign-ins that use certificate-based authentication. So, let’s switch to the Azure AD Workbooks section, which allows you to query using Log Analytics (Workbooks are available for Azure Active Directory tenants with P1 or P2 licenses, as described here.)
The Workbook named "Sign-Ins using Legacy Auth..." gives you a quick summary of the different protocols that are still using Basic authentication. But you also have the option to view the KQL query that’s used here by clicking the small button, "Open the last query in the Logs view."
Followed by:
This selection allows you to write your own queries by simply opening a new query beside the given one. We filtered out the certificate-based authentication clients with the following query:
SigninLogs
| project TimeGenerated, AuthenticationDetails, UserPrincipalName, ClientAppUsed
| where TimeGenerated > ago(2d)
| where ClientAppUsed == "Exchange ActiveSync"
| mv-expand authValue = todynamic(AuthenticationDetails)
| where authValue.authenticationMethod != "Certificate"
| project-away AuthenticationDetails
| summarize count() by UserPrincipalName
This sample query should give you a good starting point to remove Basic authentication dependencies for EAS.
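As an added example (not from the original article), the following Python reproduces the query's logic over a constructed batch of sign-in records, so you can see why a purely certificate-authenticated EAS sign-in is excluded while a record carrying both a Certificate and a Password step is still counted. Field names follow the SigninLogs columns the query uses; the rows, UPNs and timestamps are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed reference time for the sample; the KQL uses ago(2d) relative to "now".
NOW = datetime(2022, 8, 20, 12, 0, tzinfo=timezone.utc)


def _row(upn, app, methods, age_hours):
    """Build one constructed SigninLogs row (field subset only, not real tenant data).
    AuthenticationDetails is stored as a JSON string, which is why the KQL needs todynamic()."""
    details = [{"authenticationMethod": m, "succeeded": True} for m in methods]
    return {
        "TimeGenerated": (NOW - timedelta(hours=age_hours)).isoformat(),
        "UserPrincipalName": upn,
        "ClientAppUsed": app,
        "AuthenticationDetails": json.dumps(details),
    }


SAMPLE_SIGNINS = [
    _row("alice@contoso.example", "Exchange ActiveSync", ["Password"], 3),
    _row("alice@contoso.example", "Exchange ActiveSync", ["Password"], 30),
    _row("bob@contoso.example", "Exchange ActiveSync", ["Certificate"], 1),      # strong, but "legacy"
    _row("carol@contoso.example", "Exchange ActiveSync", ["Password"], 5 * 24),  # outside ago(2d)
    _row("dave@contoso.example", "IMAP4", ["Password"], 2),                      # not EAS
    _row("erin@contoso.example", "Exchange ActiveSync", ["Certificate", "Password"], 4),
]


def basic_auth_eas_users(rows, now=NOW, window_days=2):
    """Python equivalent of the page's KQL: keep EAS sign-ins inside the window, expand
    AuthenticationDetails (mv-expand), drop entries whose method is Certificate, and
    count the remaining expanded entries per UserPrincipalName."""
    counts = {}
    cutoff = now - timedelta(days=window_days)
    for row in rows:
        if row["ClientAppUsed"] != "Exchange ActiveSync":
            continue
        if datetime.fromisoformat(row["TimeGenerated"]) <= cutoff:
            continue
        for detail in json.loads(row["AuthenticationDetails"]):  # one output row per entry
            method = detail.get("authenticationMethod")
            # In KQL a comparison against a missing (null) field is not true, so such
            # entries fall out of the 'where' just like Certificate ones; mirror that here.
            if method is None or method == "Certificate":
                continue
            upn = row["UserPrincipalName"]
            counts[upn] = counts.get(upn, 0) + 1
    return counts
```

Note that erin is reported: the query filters expanded authentication steps, not sign-ins, so a sign-in with a Password step next to a Certificate step still counts as Basic usage.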
POP and IMAP OAuth delegated access (interactive logon)
Let’s talk about POP and IMAP access. Although SMTP AUTH is closely related, Microsoft is not disabling Basic authentication for SMTP AUTH on October 1st, so we’ll focus only on POP and IMAP. We have heard from our customers that there is some confusion about this.
We have documented the requirements and configuration steps to use OAuth with POP/IMAP in Microsoft 365 in this article: Authenticate an IMAP, POP or SMTP connection using OAuth. You’ll see details about the registration of the required Azure AD applications and the permissions required for the access token to give Exchange Online the authorization of the mailbox access request.
As time is ticking, I’m getting more requests from admins who need to enable OAuth support for the various POP/IMAP applications in use in their environment, which they can do by creating an Azure AD application as described in the aforementioned article.
Their primary question is how to test their implementation before sharing further information with their business. While testing with Basic authentication and OpenSSL clients (check sources from here: Binaries - OpenSSLWiki) was easy and straightforward, authenticating with the needed SASL XOAUTH2 string is more cumbersome.
To help, I created a PowerShell script “Get-IMAPAccessToken.ps1” accessible here. The script uses the MSAL.PS library to provide a managed interactive OAuth authentication flow. The script also includes a token cache in Windows PowerShell to safely store the access token and refresh token after successful authentication. It’s important to use the scope "https://outlook.office365.com/.default" for POP/IMAP access. You need to install the MSAL.PS PowerShell module as a prerequisite for the script (as of now, the latest version is PowerShell Gallery | MSAL.PS 4.37.0.0).
Using the received access token and the referenced documentation to generate the SASL XOAUTH2 login string:
…the script builds the needed XOAuth2 login string:
The script then opens a TLS 1.2 connection to the IMAP service in Exchange Online and tries to authenticate using the SASL XOAUTH2 encoded string. If this action is successful, it executes a simple IMAP folder listing and logs off again. This also allows you to see authentication and access using IMAP with OAuth based login on the newly registered Azure AD application. If everything works, you’ll get a folder listing using IMAP after OAuth authentication that looks like this.
You might have noticed that the script also gives you a possibility to pass the email address of a shared mailbox. This optional parameter allows you to check OAuth access to shared mailboxes, a use case I see very often with enterprise customers.
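The following Python is an added example, not the article's PowerShell script: it builds the SASL XOAUTH2 string the way the referenced documentation describes (the user address and the bearer token separated by 0x01 bytes, base64-encoded), decodes one back for troubleshooting, and performs the same connect / AUTHENTICATE XOAUTH2 / LIST / LOGOUT sequence as the script. The `mailbox` parameter mirrors the script's optional shared-mailbox address; that the user= field then carries the shared mailbox while the token belongs to the delegated user is taken from the Exchange Online OAuth documentation. Host name and sample values are assumptions.

```python
import base64
import imaplib
import ssl

IMAP_HOST = "outlook.office365.com"  # Exchange Online IMAP endpoint (assumed here)
CTRL_A = "\x01"


def xoauth2_bytes(user: str, access_token: str) -> bytes:
    """Raw SASL XOAUTH2 payload: user=<addr>^Aauth=Bearer <token>^A^A"""
    return f"user={user}{CTRL_A}auth=Bearer {access_token}{CTRL_A}{CTRL_A}".encode("utf-8")


def build_xoauth2(user: str, access_token: str) -> str:
    """Base64 form of the payload, as it would be sent after AUTHENTICATE XOAUTH2."""
    return base64.b64encode(xoauth2_bytes(user, access_token)).decode("ascii")


def parse_xoauth2(encoded: str) -> dict:
    """Decode and validate an XOAUTH2 string; handy when a login fails and you want to
    check exactly which user and token were sent. Raises ValueError on malformed input."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    if not raw.endswith(CTRL_A * 2):
        raise ValueError("XOAUTH2 string must end with two 0x01 bytes")
    fields = {}
    for part in raw[:-2].split(CTRL_A):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("expected exactly user=... and auth=Bearer ...")
    fields["token"] = fields["auth"][len("Bearer "):]
    return fields


def imap_oauth_folder_list(user, access_token, host=IMAP_HOST, mailbox=None):
    """Same flow as the article's script: TLS 1.2+ connection, SASL XOAUTH2 login,
    a simple folder listing, then logout (done by the context manager).
    mailbox: optional shared mailbox address placed in the user= field while the
    bearer token remains the delegated user's token."""
    sasl_user = mailbox or user
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with imaplib.IMAP4_SSL(host, 993, ssl_context=ctx) as imap:
        # imaplib base64-encodes whatever the callback returns, so hand it the raw bytes.
        imap.authenticate("XOAUTH2", lambda _challenge: xoauth2_bytes(sasl_user, access_token))
        status, folders = imap.list()
        if status != "OK":
            raise RuntimeError(f"LIST failed: {folders}")
        return [line.decode("utf-8", "replace") for line in folders]


if __name__ == "__main__":
    # Offline demonstration with constructed values; no connection is made here.
    demo = build_xoauth2("user@contoso.example", "<access token placeholder>")
    print(demo)
    print(parse_xoauth2(demo))
```

A failed AUTHENTICATE raises `imaplib.IMAP4.error`; feeding the string you sent to `parse_xoauth2` is the quickest way to rule out an encoding mistake before suspecting app registration or consent.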
The popular IMAP app Thunderbird provides integrated OAuth support for Exchange Online mailbox access. In this case, admins don’t need to register their own apps. Instead, the Mozilla Foundation pre-created a multi-tenant Azure application with a unique ClientID/ApplicationID. This capability is incorporated into the Thunderbird client and can be found here.
The easiest way to add Thunderbird to the allowed applications and grant consent for the organization is to construct an admin consent URL. To construct the consent URL, take the following URL:
Replace <TenantID> with your Tenant ID. This piece of information can be found under the Azure Active Directory blade in the Azure portal.
Please note currently Microsoft does not have plans to enable POP/IMAP Modern authentication support for Outlook on the desktop. If you are using Outlook on the desktop, please use a more modern protocol.
The needed Exchange cmdlet changes have been rolled out now, therefore I worked through the updated documentation here and created a new Azure AD application with the new available permissions.
Furthermore, as described in the documentation, the service principal that was created during Azure AD application registration needs to be created/mirrored in Exchange Online, which is where the new cmdlet “New-ServicePrincipal” comes into play.
We need details from the registered Azure AD app, so I am using the Get-AzureADServicePrincipal cmdlet from the AzureAD PowerShell module, which returns all the information needed to call the new Exchange Online cmdlet with the right values.
From now on, this new service principal can be used within Exchange Online to grant permission to access mailboxes, using the Identity/ServiceID of the newly created service principal.
Finally, I extended my referenced script to support the Client Credential flow using a client secret or certificate authentication. If you would like to use a certificate to authenticate as your registered app, take a look at the steps described here. When using application permissions, you need to pass the script parameter “-targeMailbox”, because there is no mailbox associated with the service principal.
Summary
That's it! We hope that this article provides you with enough information to use more extended queries for your legacy authentication clients using the EAS example, and how to adopt OAuth for POP/IMAP more easily. Please use the comment section to ask questions or provide suggestions!
Special thanks to Greg Taylor, Mike Brown and Nino Bilic for all the help along the way.