Email alerts for Microsoft 365 Service Health incidents is now Generally Available! (as fellow MVP Greig Sheridan pointed out, although it’s GA, it’s gradually rolling out from December 2019 to March 2020 – but I already have this in my live tenant) In case you missed this one, there’s now an easy way to configure email alerts to go out when there’s an outage of some sort in the Microsoft 365 space.
Personally I’m used to checking out the portal once I hear about a complaint and seeing what might be broken. Instead, I’ll now see emails to keep across what’s going on in the Microsoft world, as well as have a ticket raised via email to helpdesk, so any potential user affecting outages are identified earlier in the troubleshooting process.
The advisory is MC196504 for those who want to read about it in the ‘Microsoft 365 admin center Message center’, but all you need to do to enable it is:
From the new Microsoft 365 admin center, go to Health > Service Health. Under the All services tab, click the Preferences button:
This will pop out a side window:
From this page, you can enter up to 2 email addresses – so if you want it to go to more than 2 recipients, use a distribution group. You can choose the services you want to receive alerts about (all are ticked by default), and as it will advise when saving, it may take up to 8 hours to apply.
This one’s a pretty simple feature, but one I’m very glad to see. Set it up for yourself today!
Microsoft has announced that they’re continuing the path away from Legacy Authentication, with the decommission of legacy auth to EWS on Exchange Online on October 13th 2020. Instead of waiting for that looming date, there’s a bunch of security reasons to only have Modern Authentication for Microsoft 365.
The guide from Microsoft on how to block Legacy Authentication doesn’t actually mention ActiveSync, so it’s easy to miss like I initially did! You’ll need to block ActiveSync altogether as far as I know, as it doesn’t support MFA.
Although I still think Conditional Access is easier to manage than Authentication Policies, there is one caveat; even with an ActiveSync block in place via Conditional Access, too many attempts by a user will lock their account briefly. This might cause problems or require work to get those users to clean up whatever device is trying to log in. With an Authentication Policy I don’t believe this happens because it’s blocked earlier in the sign-in process – you won’t see logs, and the account can’t get locked.
There is of course, a checkbox around ActiveSync, and a way to block it using Conditional Access, but I had mixed results in blocking it successfully until I did it exactly this way:
Create a new Conditional Access Policy and set these options:
Conditions > Client apps > Tick both ‘Mobile apps and desktop clients’ + ‘Exchange ActiveSync Clients’
Grant > Block Access
In the Users and Groups section, you can narrow this down from ‘All Users’ for testing or for a gradual rollout.
The user experience is interesting on this one – they can still sort of authenticate, but instead of getting their emails, they will see a single email advising that their access has been blocked:
On top of this, you can use Azure AD to audit who might be using ActiveSync before you put any sort of block in place. As per usual, there’s a good Microsoft article on Discovering and blocking legacy authentication which can walk you through this, but in short:
Via the Azure Portal, go to Azure Active Directory > Users. Under Activity, go to Sign-ins. Click Add filters, and choose Client App > Tick the three ‘Exchange ActiveSync’ options and press ‘Apply’. You’ll see the last 7 days of sign in attempts using ActiveSync, which should give you an idea of how many users are using it, and who.
Blocking Legacy Authentication, plus blocking ActiveSync will give you a much more secure environment, protecting from account attacks.
MyAnalytics is an extension to Microsoft 365 which provides productivity insights. It looks at what you do over email, OneDrive for Business and Skype for Business Online/Teams, and collates the data to present it with statistics.
The documentation for how this product works is quite good and worth a read. There’s privacy considerations in any product that’s scraping data, but they seem fairly well addressed. Two main points are that the data for MyAnalytics is processed and stored in the user’s Exchange Online mailbox, and nobody but the user can see this data (including system administrators).
MyAnalytics has been around for a while, but mostly for Office 365 E5 / Microsoft 365 E5 customers so many people have not heard of it, or have no experience in it. Microsoft are changing who gets access to this data, and are currently rolling out Digest emails to E3, E1 and Business customers.
If you have the feature already turned on, then your users can probably already access their dashboard at https://myanalytics.microsoft.com/ and start checking it out.
MyAnalytics is controlled by a license under the Microsoft 365 product. Many people probably have all the components on, and therefore although users have had access to this product, it hasn’t really been visible. The Welcome email comes first, and it seems to be rolling out right now to Targeted Release users in Microsoft 365.
Beyond just turning MyAnalytics on, there’s a few admin controls available at the tenant level and user level. You’ll need to consider items like ‘should users be opted-in by default, or opted-out’ if there are concerns around data scraping – even though this all lives in your Microsoft tenant, there could still be staff that are not comfortable with this.
Nascar use MyAnalytics if that helps you point to another company using it:
As you can see, I’ve linked to a bunch of Microsoft documentation around this rather than rewriting what they have – always nice to see quality doco!
It’s worth checking out MyAnalytics now and deciding if it’s something you want – at least check the state of your settings before users start getting Welcome emails!
Update 20th September
The product group have advised me on one extra tip – disabling the ‘Weekly insights email‘ option at the admin end will actually disable the Welcome email too – documentation to be updated shortly.
