Don’t do this! Top 7 Microsoft 365 Admin Nightmares

  • Published: 23 Aug 2024

Comments • 91

  • @davidadams421
    @davidadams421 1 year ago +1

    Great video! These 'gotchas' are so very useful! Couple of comments:
    13:23 AFAIK, deleting the user account will always delete the mailbox (not potentially). Also, you can't have a Shared Mailbox without an associated user account. The Shared Mailbox user account is created with a system generated password (i.e. unknowable), but it is best practice to also disable sign-in.
    14:15 AFAIK, you cannot 'detach' a mailbox from a user account, nor can you 'attach' an existing mailbox to a different user account. You can, however, change the name and username of an existing user account and mailbox, which, I guess, would achieve the same result. Any legal holds would, however, remain in place i.e. same directory object.

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago +1

      Awesome feedback David as usual 👍

    • @davidadams421
      @davidadams421 1 year ago

      @@AndyMaloneMVP You are most welcome, sir. Keep up the good work. Your channel is rapidly becoming my go-to place for M365 knowledge and skills. Outstanding.

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      @@davidadams421 thanks David I appreciate that. It’s hard work but I’m trying my best 😊

    • @TimoSorvoja
      @TimoSorvoja 1 year ago

      Does the converted user mailbox still require user-specific licensing? E.g. E3? Or is other licensing compatible with it?

    • @davidadams421
      @davidadams421 1 year ago +1

      @@TimoSorvoja Shared mailboxes do not require a license, therefore, if you convert a user mailbox to a shared mailbox, you can remove the license. I believe it is best practice to block access to the user account.

  • @Douglas_Hamilton
    @Douglas_Hamilton 1 year ago +1

    "External user leave" really caused me a lot of headache, preventing me from leaving organizations I've been invited to as a guest. Very strange setting and ever more strange to turn it to "No".

  • @HiltonT69
    @HiltonT69 1 year ago +6

    Can you explain further how leaving a "TXT ms=" record in DNS in any way increases DNS security as it is easily copied by anyone trying to clone a DNS zone? I cannot see anywhere Microsoft claims that this record is needed after the domain has been verified, and for the love of the FSM I cannot see any way this is needed to be kept.

    • @elmsroth8850
      @elmsroth8850 1 year ago

      SPF mail checks ok dkim

    • @jarodwest4193
      @jarodwest4193 1 year ago +2

      @@elmsroth8850 what?

    • @PrinceJohn84
      @PrinceJohn84 1 year ago +3

      With or without the presence of the verifier TXT record in your DNS, I fail to see how this would leave you vulnerable to domain hijacking to be honest. A domain can only be registered in Office 365 with verified access to your domain, so it matters not.

    • @bkdore
      @bkdore 1 year ago +3

      My impression is that the TXT ms= is only checked when initially adding a domain to a tenant. In my experience once a domain is affiliated with a tenant, it can't be added to another tenant, and I don't think the TXT ms= record has anything to do with that. (You can of course remove a domain from a tenant, and then it's free to use in another tenant.) If there is guidance about leaving it, or if this record is checked or used after initial validation, I'd like to know more please.

    • @PivotF00t
      @PivotF00t 1 year ago

      I mean it is a rule. If a tree falls in the woods..... lol

  • @deathmonkey3000
    @deathmonkey3000 1 year ago +1

    Regarding Global Admin... another reason you wouldn't just want to assign that role to an Administrator user account, is that just having the Global Admin role is often not enough to do the things you need to do in Microsoft 365. If you are global admin, and just global admin, you won't be able to view certain reports in the security portal; to see that info you have to have the specific role assigned on top of GA. That goes for Exchange Online as well. Now, having the GA role will allow you to add those additional roles you need as well, but it won't work out of the box without additional configuration.

    • @deathmonkey3000
      @deathmonkey3000 1 year ago

      Additionally, the problem I run into with RBAC is that the roles required to do specific actions aren't clearly detailed or intuitively named under the roles... also, if you don't have certain roles enabled, you may do a search, find nothing, and then think "Huh, guess there isn't anything to see here"... when in actuality, there is something to see there, you just don't have the specific role added to your account.

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      You are correct, compliance and security roles are needed for certain job roles 😊

    • @PivotF00t
      @PivotF00t 1 year ago

      @@AndyMaloneMVP excellent video Mr Andy, and you're right, I'm not getting back into my global admin account. I've tried it with another account a few times, and just won't be able to elevate it enough to get that 2FA turned off. I don't even know who I'm supposed to call? Every time I've ever called Microsoft it's the wrong number. :( I was thinking, you think I could just pull the rug out from under and revoke the domain name? Force the organization to bust or anything? I mean it's mine, and it's not super serious.

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      @@PivotF00t sorry to hear about your predicament. I’d place a support call to get you sorted out👍😊

    • @PivotF00t
      @PivotF00t 1 year ago

      @@AndyMaloneMVP Right but 365 keeps saying it's a Windows problem, I'll call em. I'll tell ya what Mr. Andy, since you've got so many rockstars that say the TXT DNS record should be pulled and tossed, extend the challenge to them of how they'd go about reversing back in! :-D I have linked accounts too, you'd think this would be easy.

  • @M-Thee
    @M-Thee 1 year ago

    Top class as always 👍👌

  • @juliethakopian9296
    @juliethakopian9296 1 year ago +1

    Thank you! 🙏🙏🙏🙏

  • @pramitachodankar8587
    @pramitachodankar8587 1 year ago

    BROTHER, YOU ARE THE BEST!!! You oooh really helped me!! THANK YOU VERY MUCH!

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      You are most welcome and thanks for the kind comment. Great to have you on board 😊

  • @warrenk9587
    @warrenk9587 1 year ago

    Hi Andy. This is another great video with a wealth of information. Thank you for doing the work that you do.
    I do have a question. When adding users to a shared mailbox, it should add it to the user's Outlook without doing anything else, correct? I have one domain environment that does not work that way. I have had Microsoft support connect and look at this issue several times but haven't been able to get it resolved. I have tried several things to see if they will show up for the users but haven't had success. I'm not sure what the issue is. Do you have any ideas on what might be causing this?

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago +1

      Some resources for you: www.nucleustechnologies.com/blog/how-to-add-a-shared-mailbox-in-outlook/ and here support.microsoft.com/en-us/office/open-and-use-a-shared-mailbox-in-outlook-d94a8e9e-21f1-4240-808b-de9c9c088afd

  • @mkelly01
    @mkelly01 1 year ago

    @AndyMalone Thanks for the video, and all the others I've watched. Referring to your "Break Glass" account: I created a user with MFA disabled, but logging into that account, I'm still being prompted for MFA. Any hints?

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      Do a search for "break glass account" on learn.microsoft.com; it explains exactly how it all works. Good luck and all the best, Andy

  • @mrkimj
    @mrkimj 1 year ago

    Great video! Keep up the good work.

  • @nevri1
    @nevri1 1 year ago

    Really nice and helpful... Thanks!

  • @Doctair
    @Doctair 1 year ago

    Andy, do you have a vid on how to set up a break glass account with SSPR excluded? You mention several times in videos you should never have it linked to a phone or MFA, but I can't find a way to disable the combined registration prompt for our break glass accounts when Password Reset is enabled for All Users in Azure AD. Thanks for your great vids.

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      That’s a great suggestion, let me see what I can come up with. Although you should know that SSPR is being retired next year. Watch out for more detail soon.

    • @Doctair
      @Doctair 1 year ago

      @@AndyMaloneMVP Thanks Andy. I did see the notice appearing in the Authentication methods section. If this can be transitioned I'd consider starting to do that now. SSPR and having a cell number assigned to a device doesn't help a break glass situation when you have no cell service, like in a disaster situation due to extreme weather. Your insight is greatly appreciated, thanks for the reply mate!

  • @francescobedinijacobini
    @francescobedinijacobini 1 year ago

    Loved it, especially the TXT record.

  • @bennyceca
    @bennyceca 1 year ago

    For ex-employees, what I do is block the sign-in and configure an out-of-office response saying that they have left and that senders should instead e-mail whoever their replacement is, or another member of staff. I then convert their mailbox to a shared mailbox and give the relevant permissions to whichever staff may need it, maybe their line manager. Rename their first name to start with Z, also in their surname include the date when the conversion took place, and hide them from the global address list too. Remove the licence if no longer needed, to avoid the cost of course. The shared mailbox should then be deleted when confirmed no longer required; even though it doesn't cost you anything, if it's a large company with a high turnover, that list is going to get long! Microsoft might then impose some restrictions on shared mailboxes because of a lack of housekeeping, you know they will. You used to be able to log on as a shared mailbox from the web; now that has been restricted because no doubt some were abusing it, one licence for 20 employees perhaps, but 20 "shared" mailboxes with people's names on them.

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      This is a great article :-) answers.microsoft.com/en-us/msoffice/forum/all/what-is-the-best-practice-for-handling-departing/a4323c35-46f2-4028-ac3f-72a766e5f442
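The leaver-handling steps @bennyceca describes above (block sign-in, auto-reply, convert to shared, delegate, rename, hide from the GAL, remove the licence) as an added PowerShell example; it is not the video's or any commenter's code. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, and the UPNs passed in are placeholders.

```powershell
# Added example (not from the video or the comments): offboard a leaver while
# keeping the account object, which a shared mailbox needs as its anchor.
# Assumes Microsoft.Graph and ExchangeOnlineManagement are installed.
param(
    [Parameter(Mandatory)][string]$LeaverUpn,   # placeholder, e.g. leaver@contoso.example
    [Parameter(Mandatory)][string]$ManagerUpn,  # who gets full access to the shared mailbox
    [string]$ReplacementUpn = $ManagerUpn       # address named in the auto-reply
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block interactive sign-in first and revoke refresh tokens so open sessions die.
Update-MgUser -UserId $LeaverUpn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $LeaverUpn | Out-Null

# 2. Auto-reply pointing correspondents at the replacement.
$msg = "This person has left the organisation. Please contact $ReplacementUpn."
Set-MailboxAutoReplyConfiguration -Identity $LeaverUpn -AutoReplyState Enabled `
    -InternalMessage $msg -ExternalMessage $msg -ExternalAudience All

# 3. Convert to a shared mailbox and delegate it to the manager.
Set-Mailbox -Identity $LeaverUpn -Type Shared
Add-MailboxPermission -Identity $LeaverUpn -User $ManagerUpn `
    -AccessRights FullAccess -AutoMapping $true | Out-Null

# 4. Rename so leavers sort together, stamp the conversion date, hide from the GAL.
$u = Get-MgUser -UserId $LeaverUpn -Property GivenName,Surname,DisplayName
$stamp = Get-Date -Format 'yyyy-MM-dd'
Update-MgUser -UserId $LeaverUpn -GivenName "Z-$($u.GivenName)" `
    -Surname "$($u.Surname) (left $stamp)" `
    -DisplayName "Z-$($u.DisplayName) (left $stamp)"
Set-Mailbox -Identity $LeaverUpn -HiddenFromAddressListsEnabled $true

# 5. Remove licences only once the mailbox really is Shared: an unlicensed
#    *user* mailbox is removed after the grace period, a shared one is not.
$mbx = Get-Mailbox -Identity $LeaverUpn
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
    throw "Mailbox is still $($mbx.RecipientTypeDetails); re-run once the conversion has replicated."
}
$skus = @((Get-MgUserLicenseDetail -UserId $LeaverUpn).SkuId)
if ($skus.Count -gt 0) {
    Set-MgUserLicense -UserId $LeaverUpn -RemoveLicenses $skus -AddLicenses @() | Out-Null
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it as `.\Offboard-Leaver.ps1 -LeaverUpn <upn> -ManagerUpn <upn>` from an account that holds both an Exchange recipient-management role and the Graph user/licence permissions; the licence step is deliberately last and guarded.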

  • @RevuitNet
    @RevuitNet 1 year ago

    I’m pretty sure I mentioned point 2 in your shared mailbox video about needing to keep the user as it’s an anchor for the shared mailbox… interesting 🤔 I know because I had to answer a question for one of your other users on shared mailboxes…

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      Cool, thanks for being a great member of the community Rich, it’s great to have folks like yourself onboard 😊👍

  • @timiaringbangba1583
    @timiaringbangba1583 1 year ago

    Thanks Always

  • @MaykonAzevedo
    @MaykonAzevedo 1 year ago

    Nice job boss! Thank you!

  • @srikanths651
    @srikanths651 1 year ago

    Thanks for recommending the No MFA for Global Administrator. As usual you are awesome......
    However I have an issue with MFA enabled for external client users. We add the external client IDs for collaboration, share the data links of SharePoint sites or OneDrive links to access the data, and they upload data to our site or OneDrive. If they already have MFA enabled in their company, how can the user enable MFA with our company MFA when the external user ID/client ID is added??

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago +2

      In Azure active directory, external collaboration settings, there is an option for you to use trusted MFA authentication from a tenant that you collaborate with. I’ve covered this on previous videos, see shared channels as an example. Do you remember you can also configure conditional access an essay for guest and external users. I hope this helps, also remember that docs.microsoft.com is a great repository of information in this area.

    • @frankfix247
      @frankfix247 1 year ago

      I read somewhere a couple of days ago (I think in the MS docs), that 2FA should be enabled for the global admin user using two (one for backup) Fido2 security keys located in different safe places, along with this user's credentials. What is your take on that? And another question: Does the global admin user need to have a license? If yes, which one?

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      @@frankfix247 I totally agree. This is in fact what I do in reality. You make a great point here and thanks for the contribution 👍

  • @kentschmidt90
    @kentschmidt90 1 year ago +1

    Why’d you not remove the license from Lee’s account after converting it to a shared mailbox? All shared mailboxes have a user account associated with them, they are just unlicensed. 🤔

  • @ChpTrk77
    @ChpTrk77 1 year ago

    In External Identities, what is the specific difference between the "Guest user access restrictions" options? I've watched a couple of your videos (which are great by the way) that just say that the "same access" and "limited access" options just give some more or less permissions. What are the specific differences between the options?

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      Thanks for the question, here’s a great article which I think will help: learn.microsoft.com/en-us/azure/active-directory/external-identities/external-identities-overview

  • @zarnityn4033
    @zarnityn4033 1 year ago

    Thank you

  • @ppetrix
    @ppetrix 1 year ago

    Thanks Andy. How do you disable MFA for one user? Our tenant requires MFA to be set up at first login. ??? 😣🤔

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago +1

      It's not recommended, but you can either exclude the user in your conditional access policy, or set an excluded IP address as a trusted address, or manage it in Microsoft 365 MFA (though this is the older way). Here's an article you may find useful: theitbros.com/disable-mfa-office-365/ and here learn.microsoft.com/en-us/answers/questions/54167/disabling-mfa-for-global-admin.html (the latter is the break glass account as mentioned in my video)

  • @albertmcdaniel3152
    @albertmcdaniel3152 9 months ago

    In MS360 I locked 1 of my laptops and got it back but now cannot remove the lock. What should I do?

  • @HSITSolutions
    @HSITSolutions 1 year ago

    Thank you Andy, love from Sri Lanka

  • @alozborne
    @alozborne 1 year ago +1

    Please explain why removing the TXT record in DNS is a risk. Thanks in advance!

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      As I mentioned, yes, you can remove the DNS record, however MS highly recommends not deleting the TXT records as it can lead to domain hijacks due to dangling domains.
      Prevent dangling DNS entries and avoid subdomain takeover
      docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover

    • @locolocococ
      @locolocococ 1 year ago

      @@AndyMaloneMVP I can't see how the TXT-record for verifying domain ownership relates to this link. MS just reads the record one time, and will never look for it again.
      It even says when you add it that you can remove it.

    • @alozborne
      @alozborne 1 year ago

      @@AndyMaloneMVP The example cited in the Microsoft document refers to a CNAME record in DNS that gets "dangled" due to the retirement of the Azure resource to which the FQDN refers. In that case, a threat actor could discover the CNAME record and then create a new Azure resource (i.e. a malicious web server), using the same FQDN that the CNAME points to, thereby in effect hijacking the legitimate CNAME record. However, this isn't relevant for a TXT record that contains only a text string as no FQDN is present in that text string. Also, TXT records aren't used for DNS resolution to an IP nor for redirection - they are simply a way to store a text string that can be "read" via a DNS lookup.
      I spent some time learning more about dangling DNS and came across this excellent video explainer that also provides mitigation strategies: ruclips.net/video/5ecz8B_Scig/видео.html I highly recommend it to anyone looking to better understand dangling DNS with respect to public Cloud resources pertaining to CNAME records.

  • @wesmatron
    @wesmatron 1 year ago

    Why do so many people mess up when a user's name changes?

  • @johnekare8376
    @johnekare8376 1 year ago

    Thank you! This is really useful stuff. I have one question: is there a way to create multiple accounts, with different roles and privileges, for a single user? The reason I'm asking is because I recently started a subscription for Microsoft 365 Business Premium, mostly to have a 'playground' to learn the functionality in my own time and for my own interest and education's sake. Now, paying for one user isn't that bad of a monthly cost... but if I would have to have multiple users just to 'set it up right' it will quite quickly become unfeasible.

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago +1

      Hi John, not that I’m aware of, do you remember though you can have as many unlicensed users as you want and these can be used as admin accounts. The best way to play with Microsoft 365 is to create a trial subscription. I do believe that Microsoft Learning will soon start to offer hands-on labs, although I do not know if there would be a cost involved. Anyway, I hope this helps and thanks for reaching out.

    • @johnekare8376
      @johnekare8376 1 year ago

      @@AndyMaloneMVP Hello Andy! Thank you for responding to my question. I didn't remember that, so that's a great help to know. I will set up a couple of unlicensed accounts as admin and to test with. And I will keep an eye on Microsoft Learning. I appreciate your channel as a resource to learn more.

    • @davidadams421
      @davidadams421 1 year ago +2

      Microsoft Developer tenants come free with 25 x Microsoft Developer E5 licenses.

    • @johnekare8376
      @johnekare8376 1 year ago +1

      @@davidadams421 Thank you for that tip! =)

    • @davidadams421
      @davidadams421 1 year ago +1

      @@johnekare8376 You're welcome. Makes for a nice playground.

  • @cormaccrosshavencomputers
    @cormaccrosshavencomputers 1 year ago

    Great video

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      You’re very welcome and thanks for the comment. 😊

  • @SPDATA1
    @SPDATA1 1 year ago

    I have my old 2003, 2007 and 2010 and lots of templates. It's enough and good for me, and my customers. 🤠

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      I assume here, you’re talking about user templates for Microsoft office. I’ll be honest with you I’m not an expert in user stuff, however I believe the previous templates are compatible. Do you remember though as long as they support a docx extension.

  • @Reborn627
    @Reborn627 1 year ago

    Hmmm, curious about the "Shared Mailbox" conversion. So, I've got an employee that's left. If I convert the mailbox to a shared mailbox, can I remove the Microsoft 365 Business subscription from the original user? I understand that you said that I can't delete it, but can I remove the $150 subscription license?

  • @warrenk9587
    @warrenk9587 1 year ago

    With all the settings in Azure, how does a small IT staff keep up with all of this? Yes, it requires taking courses and becoming certified but not every IT person will have the necessary training to handle all of this. Not every company has the means to staff the needed IT team like Microsoft does. I'm not sure why it still surprises me why Microsoft leaves settings off when they should be on or the other way around. Some of these settings shouldn't be available. For example, if a guest user wants to leave an organization, let them leave. There has been an absolute flood of settings offered that aren't necessary. Not only that, some settings are chained to other settings and unless you are aware of it, you will miss them.

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      If you want to survive in IT, you must keep your IT skills up-to-date. Don’t just learn about current technologies, learn about the emerging technologies. This is the way you will survive. Failure to do so then, I believe that McDonald’s are hiring. Best of luck😊

    • @Wahinies
      @Wahinies 11 months ago

      The key is to not be resistant to change, but then don't go overboard and put static loads that incur out-of-control costs into "the cloud" because it's fashionable.

  • @peppigue
    @peppigue 1 year ago

    If MS would struggle so hard to restore control over an accidentally orphaned tenant, could they offer something like a managed Break Glass Account? I.e. requiring that 3-5 admins/executives in an org upload various IDs and recent headshots, record voice samples, register phone numbers, non-org mail addresses, public digital mailboxes (Digipost in Norway), and maybe implement/subscribe to public/standardized digital IDs (BankID and Buypass in Norway). A meeting between 3+ MS managers and 3+ of the org's registered restorers would be required to break the glass. I'm thinking it wouldn't be that expensive to sign up for, but there'd be a significant fee if utilized because of the coordinated human involvement.
    A vital insurance tool for any org, and one less thing to worry about?

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      I totally agree Peter :-) Verified IDs seem to be going that way.

  • @lilpandacub
    @lilpandacub 1 year ago

    You from Oslo?🤓

  • @badisthebest
    @badisthebest 1 year ago +1

    Is it just me or does anybody else find it hilarious that he is an MVP that uses an Apple computer?

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago +5

      Seriously! I'm a Microsoft 365 MVP, not Windows. It's not about the device, it's about how I can consume my data in a secure way on ANY device :-)

  • @andrewrogers837
    @andrewrogers837 1 year ago

    365 is awful. It’s clunky. Everything is unnecessarily convoluted. Desktop versions outperform it and are much easier. Does anybody really find trying to save a document easy anymore? Why is it so complicated? No Microsoft, I don’t want different versions of the document all linked together, especially from external clients. You’ve fixed something that wasn’t broken and made it much worse.

    • @AndyMaloneMVP
      @AndyMaloneMVP 1 year ago

      You should feed this back to Microsoft :-)

  • @emmanuelchrispher8958
    @emmanuelchrispher8958 1 year ago

    Great video