Outlook

5 Things To Check In Your Microsoft 365 Apps (Office 365) Configuration

Word, Excel, PowerPoint, Outlook, OneNote, and Teams (unless you’re in the EU) are some of the apps that make up the Microsoft 365 Apps suite. We don’t call it Office 365 anymore, and they’ve been around for a very long time. Despite the name change, ‘Office’ is still used across Microsoft documentation, the Essential Eight, Windows Registry settings etc., so I will also use it for the rest of this article.

Unsurprisingly, there’s both a lot of flexibility in configuration options for these apps, as well as many settings that have security considerations. As with my other blog posts of late, I wanted to have a look at the Center for Internet Security’s (CIS) Microsoft Intune for Office Benchmark 1.0 and pick my favourite 5 recommendations; ones that I think have a high impact, aren’t on by default, and/or ones you may not have considered.

As with other Intune benchmarks, you don’t have to use Microsoft Intune (you can use Group Policy/registry) but these options are natively supported via Intune. To create these policies via Intune from the Microsoft Intune admin center go to Apps > Policy > Policies for Office apps.

I’m not going to pick the obvious settings either – everyone should be following the Essential Eight guidance on blocking Office Macros which is:

Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
Microsoft Office macros in files originating from the internet are blocked.
Microsoft Office macro antivirus scanning is enabled.
Microsoft Office macro security settings cannot be changed by users.

and you should also have in place all Attack Surface Reduction rules related to Microsoft 365 Apps, such as these:

Block all Office applications from creating child processes
Block Office applications from creating executable content
Block Office applications from injecting code into other processes

…so if you aren’t doing the above (or if you’re not sure) – go sort that out first before you worry about these extra ones!

Alright, let’s get on with my 5 picks:

#1 – 2.3.23.2 Ensure ‘Block signing into Office’ is set to ‘Enabled: Org ID only’

Official description of the setting:
This policy setting controls whether users can provide credentials to Office using either their Microsoft Account or the user ID assigned by your organization for accessing Office 365.
If you enable this policy setting, you can specify one of the following options:

– If you select “Both IDs allowed”, users can sign in and access Office content by using either ID
– If you select “Microsoft Account only”, users can sign in only by using their Microsoft Account.
– If you select “Organization only”, users can sign in only by using the user ID assigned by your organization for accessing Office 365.
– If you select “None allowed”, users cannot sign in by using either ID.

If you disable or do not configure this policy setting, users can sign in by using either ID.

Note: This policy does not apply to licensing. A user can license their product using any applicable ID if they have a valid license associated with that account. Providing credentials for licensing purposes when that ID type has been disabled, however, will not affect the signed in state of Office.

This setting controls whether a consumer Microsoft Account can be used to sign into the Office suite. By default, both a work account and a Microsoft Account can be signed in; changing it to Org ID only prevents the latter. That stops a user, either accidentally or wilfully, saving to and opening files from their personal OneDrive and anywhere else the Microsoft Account may have access to. You can imagine a user not realising they’ve been saving their last year of work to their personal, unprotected OneDrive, or doing so deliberately because it made it easier to keep working on documents from their home computer. There should be no legitimate business need for personal accounts in a managed Office install, so change it.

In Intune, it’s under the ‘Block signing into Office’ setting; the Group Policy setting has the same name (see admx.help).

#2 – 2.3.38.1.1 Ensure ‘Improve Proofing Tools’ is set to ‘Disabled’

This setting controls whether data learnt from the Office Proofing Tools (such as spell check) is sent back to Microsoft. It is enabled by default. The data includes additions to the custom dictionary; that could be harmless (maybe you keep writing Project Phoenixx, and that really is the ‘correct’ spelling) or it could be a driver’s licence number or a credit card number that someone added to stop the red underline. Here’s the actual description of the setting:

This policy setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft. The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user’s computer.
If you enable this policy setting, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies.
If you disable this policy setting, the Help Improve Proofing Tools feature does not collect proofing tool usage information and transmit it to Microsoft.
If you do not configure this policy setting, the behavior is the equivalent of setting the policy to “Enabled”.

Beyond the data going back to Microsoft, it’s also being saved on your computer in a secondary data collection file. Quite simply, it introduces extra risk, both a second copy of the data on disk and a transfer to Microsoft, with no direct, immediate user benefit and no obvious way to see what is being transmitted, so it should be disabled. This isn’t about how much you trust Microsoft: you’re probably already using their operating system, software, cloud storage, search results and AI. Risk is risk, and you reduce it wherever it makes sense to, and this is one of those scenarios.

This setting can be found under ‘Improve Proofing Tools’ in Intune, or via Group Policy/registry.

#3. Modern Office File Formats:
2.11.8.6.1 Ensure ‘Default file format’ is set to ‘Enabled: Word Document (.docx)’
2.2.4.6.1 Ensure ‘Default file format’ is set to ‘Enabled: Excel Workbook (*.xlsx)’
2.6.6.5.1 Ensure ‘Default file format’ is set to ‘Enabled: PowerPoint Presentation (*.pptx)’

These are all the same setting, but each application needs its own copy enabled. The same setting also exists for Access; ideally you don’t have Access anywhere, but if you do, change that one too. It’s actually two parts: enabling the policy, then setting ‘Save x files as’ to the option listed above, e.g. PowerPoint Presentation (*.pptx).

Although this setting doesn’t block the older Office document types (.doc, .xls, .ppt), it makes sure the default format for saving is the newer .docx, .xlsx and .pptx. The older binary formats were the default up to Office 2003; Office 2007 introduced the ‘x’ versions, which are Office Open XML: a ZIP container of XML parts (rename any of these documents to .zip and you can check out what’s inside!). Although I can’t find much officially around the differences, the general takes are that the newer format is less prone to corruption, more secure, better organised internally, and more open for other programs to read. The clearest security difference is that a .docx, .xlsx or .pptx cannot carry VBA macros at all; macros need the separate macro-enabled .docm/.xlsm/.pptm types, which makes them easy to spot and block, whereas the legacy binary formats can hold macros in any file.

Most companies will have the older file formats floating around still, but this setting works towards encouraging the new (and 16 years since release, it’s hard to still call it ‘new’!) file format.

Setting description from Word:
This policy setting determines the default file format for saving files in Word.

If you enable this policy setting, you can set the default file format from among the following options:

– Word Document (*.docx): This option is the default configuration in Word.
– Single Files Web Page (*.mht)
– Web Page (*.htm; *.html)
– Web Page, Filtered (*.htm, *.html)
– Rich Text Format (*.rtf)
– Plain Text (*.txt)
– Word 6.0/95 (*.doc)
– Word 6.0/95 – Chinese (Simplified) (*.doc)
– Word 6.0/95 – Chinese (Traditional) (*.doc)
– Word 6.0/95 – Japanese (*.doc)
– Word 6.0/95 – Korean (*.doc)
– Word 97-2002 and 6.0/95 – RTF
– Word 5.1 for Macintosh (*.mcw)
– Word 5.0 for Macintosh (*.mcw)
– Word 2.x for Windows (*.doc)
– Works 4.0 for Windows (*.wps)
– WordPerfect 5.x for Windows (*.doc)
– WordPerfect 5.1 for DOS (*.doc)
– Word Macro-Enabled Document (*.docm)
– Word Template (*.dotx)
– Word Macro-Enabled Template (*.dotm)
– Word 97 – 2003 Document (*.doc)
– Word 97 – 2003 Template (*.dot)
– Word XML Document (*.xml)
– Strict Open XML Document (*.docx)
– OpenDocument Text (*.odt)

Users can choose to save presentations or documents in a different file format than the default.

If you disable or do not configure this policy setting, Word saves new files in the Office Open XML format: Word files have a .docx extension. For users who run recent versions of Word, Microsoft offers the Microsoft Office Compatibility Pack, which enables them to open and save Office Open XML files. If some users in your organization cannot install the Compatibility Pack, or are running versions of Word older than Microsoft Office 2000 with Service Pack 3, they might not be able to access Office Open XML files.

This policy setting is often set in combination with the “Save As Open XML in Compatibility Mode” policy setting.

The four settings (Word, Access, Excel, PowerPoint) are in Intune under each application, and the matching Group Policy/registry settings sit under each application’s Options key.

#4. 2.3.23.3 Ensure ‘Control Blogging’ is set to ‘Enabled: All Blogging Disabled’

I partly like this one because not many people know this is even a thing. Description:

This policy setting controls whether users can compose and post blog entries from Word.

If you enable this policy setting, you can choose from three options for controlling blogging:

* Enabled – Users may compose and post blog entries from Word to any available blog provider. This is the default configuration in Word.

* Only SharePoint blogs allowed – Users can only post blog entries to SharePoint sites.

* Disabled – The blogging feature in Word is disabled entirely.

If you disable or do not configure this policy setting, the behavior is the equivalent of setting the policy to Enabled-Enabled.

Word can send the contents of a document to certain blogging platforms via a direct connection from inside the application, and this is enabled by default. Although the proportion of your user base that would even consider this is quite low, all it takes is one person deciding to do it and publishing the wrong document to a public site.

As usual, there’s no great reason to allow this at all, so disable it. Even restricting it to SharePoint blogs doesn’t mean it’s restricted to the SharePoint sites you control; any SharePoint site would do.

The Intune setting is Control Blogging, which you need to Enable and then set to All blogging disabled; the Group Policy/registry setting has the same name.

#5. 2.5.14.3.4 Ensure ‘Outlook Security Mode’ is set to ‘Enabled’

There’s an Outlook Security Mode? Sounds like something that should be enabled! Description:
This policy setting controls which set of security settings are enforced in Outlook.

If you enable this policy setting, you can choose from four options for enforcing Outlook security settings:

* Outlook Default Security – This option is the default configuration in Outlook. Users can configure security themselves, and Outlook ignores any security-related settings configured in Group Policy.

* Use Security Form from ‘Outlook Security Settings’ Public Folder – Outlook uses the settings from the security form published in the designated public folder.

* Use Security Form from ‘Outlook 10 Security Settings’ Public Folder – Outlook uses the settings from the security form published in the designated public folder.

* Use Outlook Security Group Policy – Outlook uses security settings from Group Policy.

Important – You must enable this policy setting if you want to apply the other Outlook security policy settings mentioned in this guide.

If you disable or do not configure this policy setting, Outlook users can configure security for themselves, and Outlook ignores any security-related settings that are configured in Group Policy.

Note – In previous versions of Outlook, when security settings were published in a form in Exchange Server public folders, users who needed these settings required the HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings registry key to be set on their computers for the settings to apply. In Outlook, the CheckAdminSettings registry key is no longer used to determine users’ security settings. Instead, the Outlook Security Mode setting can be used to determine whether Outlook security should be controlled directly by Group Policy, by the security form from the Outlook Security Settings Public Folder, or by the settings on users’ own computers.

Intune has the option ‘Microsoft recommended baseline’ under ‘Outlook Security Mode’ in Intune, which is documented here on all the settings it controls: https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-v2-office-settings?pivots=v2306#microsoft-outlook-2016

If you need to change any of those related settings from the default, you instead need to change this from ‘Microsoft recommended baseline’ to Manually configured, and ‘Use Outlook Security Group Policy’ – and then ensure all related policies are configured the way you want.

The CIS benchmark documentation also mentions:
Note: This setting is essential for ensuring that the other Outlook security settings mentioned in this baseline are applied as suggested.

So the CIS benchmark has different configuration recommendations from the Microsoft recommended baseline; if you go with the baseline option in Intune, it’s worth assessing every setting that baseline would apply rather than just this one.

The Intune setting is ‘Outlook Security Mode’; the Group Policy setting has the same name.
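All five picks end up as per-user policy values in the registry, so the quickest way to check a fleet is to read those values back rather than trust the portal. The script below is an added example, not code from the article or from CIS: it audits the five picks on the local user profile and exits non-zero on any gap so it can double as an Intune detection script. The value names and compliant values are taken from the Office ADMX templates as documented on admx.help, and the second registry root is the one I understand Intune’s ‘Policies for Office apps’ (Office Cloud Policy) writes to; both are assumptions you should verify against your own tenant before relying on the output.

```powershell
# Added example, not from the original article: audit the five CIS picks by
# reading the per-user policy values Group Policy and Intune write under the
# 16.0 hive (Office 2016/2019/Microsoft 365 Apps).
# ASSUMPTIONS: value names and compliant values come from the Office ADMX
# templates (admx.help); the Cloud Policy root is where I understand Intune's
# "Policies for Office apps" lands. Verify both before trusting the result.

# Cloud Policy is documented as winning over Group Policy when both are set,
# so it is checked first.
$Roots = [ordered]@{
    CloudPolicy = 'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'
    GroupPolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
}

# One entry per CIS pick. Expected is a scriptblock so each check can accept
# whatever shape the value takes (Word stores .docx as an empty REG_SZ).
$Checks = @(
    @{ Pick = '#1 Block signing into Office = Org ID only'
       Key = 'Common\SignIn';      Name = 'SignInOptions';     Expected = { $args[0] -eq 2 } }
    @{ Pick = '#2 Improve Proofing Tools = Disabled'
       Key = 'Common\PTWatson';    Name = 'PTWOptIn';          Expected = { $args[0] -eq 0 } }
    @{ Pick = '#3 Word default file format = .docx'
       Key = 'Word\Options';       Name = 'DefaultFormat';     Expected = { $args[0] -eq '' } }
    @{ Pick = '#3 Excel default file format = .xlsx'
       Key = 'Excel\Options';      Name = 'DefaultFormat';     Expected = { $args[0] -eq 51 } }
    @{ Pick = '#3 PowerPoint default file format = .pptx'
       Key = 'PowerPoint\Options'; Name = 'DefaultFormat';     Expected = { $args[0] -eq 27 } }
    @{ Pick = '#4 Control Blogging = All blogging disabled'
       Key = 'Common\Blog';        Name = 'DisableBlog';       Expected = { $args[0] -eq 2 } }
    @{ Pick = '#5 Outlook Security Mode = Use Outlook Security Group Policy'
       Key = 'Outlook\Security';   Name = 'AdminSecurityMode'; Expected = { $args[0] -eq 3 } }
)

function Get-OfficePolicyValue {
    param([string]$Key, [string]$Name)
    # Return the first root that defines the value, or $null when none does.
    # "Not configured" is the insecure default for every setting checked here.
    foreach ($root in $Roots.Keys) {
        $path = Join-Path $Roots[$root] $Key
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $root; Value = $item.$Name }
        }
    }
    return $null
}

function Test-OfficePolicyBaseline {
    foreach ($c in $Checks) {
        $found = Get-OfficePolicyValue -Key $c.Key -Name $c.Name
        $ok = ($null -ne $found) -and (& $c.Expected $found.Value)
        [pscustomobject]@{
            Pick   = $c.Pick
            Source = if ($found) { $found.Source } else { '-' }
            Value  = if ($found) { $found.Value }  else { '<not configured>' }
            Status = if ($ok) { 'Compliant' } else { 'NON-COMPLIANT' }
        }
    }
}

$results = Test-OfficePolicyBaseline
$results | Format-Table -AutoSize

# A non-zero exit lets this double as an Intune detection script.
if ($results | Where-Object Status -ne 'Compliant') { exit 1 }
exit 0
```

Run it as the user being checked (the values live under HKCU), for example as an Intune platform script deployed in user context. The Source column tells you which mechanism set the value, which is handy when Group Policy and Cloud Policy disagree and you need to know which one actually won.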

I hope you found the above options interesting, and as always this is designed to grow awareness of what you need to consider in managing an environment, and always have that security mindset. These options are not set and forget either – you need frequent checks to make sure no gaps have been created either by reconfiguration or new settings coming in.

Microsoft Viva replaced MyAnalytics emails

Today I noticed for the first time, that the MyAnalytics emails that were coming through weekly, showing where your time was being spent, emails you may need to respond to etc had been replaced by Microsoft Viva. There’s also a post in TechCommunity covering this in detail.

The previous MyAnalytics emails would come in weekly, and be broken up into different editions – Wellbeing, Focus, Collaboration or Network edition. This new monthly digest indicates Microsoft Viva is the way forward. Note that this still works the same way as MyAnalytics where the contents of the email are private to you, and do not come as a normal email that would be trackable (more details in my MyAnalytics article)

The new emails still (for now) link back to the https://myanalytics.microsoft.com/ domain which, again for now, shows a message that it’s becoming Microsoft Viva.

That ‘Learn more’ link takes you here: https://www.microsoft.com/en-au/microsoft-viva/insights/?s=mya with some details around Microsoft Viva. One of the main links there takes you to Viva Insights on Teams, which is the Insights addin option that’ll show up on the left menu and take you to the Viva Insights Home page.

The Stay Connected tab is worth checking out, as it will highlight email conversations it thinks are things you need to do, or highlight people (team members for me) that you don’t have a 1 on 1 meeting scheduled with for the next two weeks.

Going back to the web page for Microsoft Viva, there’s a lot more content than when I looked when it first launched. One section I thought was notable was under Network, where you can see your Top Collaborators and their read percentage and response time for emails.

My point in all this is that there’s a lot going on here. People may find it and have questions about it, especially when these emails are generated for all staff by default. Someone may have stumbled across the ‘Delay Delivery enabled’ option and turned it on, then forgotten about it later and complained about emails being slow to reach customers or clients.

What we’re seeing above with Microsoft Viva and MyAnalytics (now Viva Insights) is only part of the full Microsoft Viva solution; there’s also Viva Connections, Viva Topics and Viva Learning.

Viva Connections and Viva Insights are generally covered under an existing license, but Viva Topics and Viva Learning are at an extra cost.

Cloud Voicemail and Out of Office Greetings

Earlier this year, Microsoft changed how voicemail worked for Skype for Business on-premises customers. There was little difference to end users when Unified Messaging changed to Cloud Voicemail, but it did break a few Auto Attendant options for those not in the cloud.

At the time I remember it being rather difficult to find out information on, and the good contacts I had at vendors also struggled to gather intel on how the change would go.

In the end, the migration happened and it was thankfully a non-event. What I didn’t realise at the time, was that it introduced a new portal for Voicemail settings at https://admin1.online.lync.com/lscp/usp/voicemail (which has slight variations where you are in the world, for Australia it’s https://admin1au.online.lync.com/lscp/usp/voicemail – but the links seem to redirect to where they need to go) and there’s a few interesting settings:

The Call Answer Rules section (Choose how you want your calls to be handled when they reach the voicemail service) lets you pick what happens when someone reaches your voicemail, including the last option ‘Play greeting, then allow the caller to record a message or transfer to the target user’. If you set this, you can then enter the number you want calls to go to if someone does press ‘0’, such as Reception, or your mobile phone. The default setting is ‘Play greeting, then allow the caller to record a message’.

The Prompt Language section (Changing this setting will change the greeting prompt language) will change the language and accent of the greeting – so if you’d like them to sound Australian, you can choose that.

The Configure Out of Office greeting section (Customize an Out of Office greeting message, and choose to play it to callers all the time, based on your Outlook auto-reply status, or calendar OOF status) was the one I liked the most. It can sync with your mailbox to know when you’re Out of Office via your current Outlook status (either with an autoreply, or just in a meeting with the status ‘Out of Office’), and when true, give a different message to the caller saying you’re out of the office.

There’s also another option Text-to-Speech Customized Greeting Option (Customize your Text-to-speech greeting message) that lets you customise the generic Out of Office greeting to whatever you like. Although you can only type your greeting message, the text-to-speech works really well and sounds natural.

To me, this is great. I can set a generic ‘I’m out of the office, please call X on this number’ which only plays when I’m actually out of the office. If I’m not, then a caller will hear my standard greeting and can leave a message, instead of hassling co-workers. I don’t have to remember to set it or change it, it just applies if I do the right thing in my Outlook calendar.

If you’ve got Cloud Voicemail, which you should if you’re on Skype for Business, Skype for Business Online, or Microsoft Teams as your phone system, check it out and save yourself some time from changing your voicemail when you go on leave, or just have a meeting when you’re not around.

Outlook Search Results Won’t Delete

I ran into this issue when migrating users to Exchange Online, while running Outlook 2016 MSI 32 bit.

Once a user is on Exchange Online, Outlook starts leveraging the power of FAST search. This search occurs on the Exchange Online end, rather than the device end, and is designed to give quicker results while being more reliable than Windows Desktop Search. There’s a great write-up on this on Microsoft’s TechCommunity that goes into much more detail.

Which of the two is used depends on the sort of search you do, but the most basic searches will use FAST. There are also timeouts and speed checks that can force it to fall back to Windows Desktop Search.

However, there are some catches with this search from my testing. If you do an email search and decide to delete one of the emails in the results, it appears that nothing has happened. You can delete and delete, right click, press the delete key, click the X to delete and it all appears to do the same – nothing. In the background though, it has actually deleted your email, it just doesn’t display this in any way. It’s like the search results are a static result and won’t update on an action like this.

This behavior can be confusing for a user, especially when they’re used to seeing emails disappear and react when something’s done to them.

There’s another catch that depending on your environment, might be more of a deal breaker. If you use the category field, flag, or extra fields, for example when filing a document into a DMS system, those aren’t displayed or updated in a FAST search. If your users need this to effectively manage their emails, then it’s worth looking at just disabling FAST search via Outlook altogether.

As mentioned in the above post and this Technet article, there’s a single registry setting that can disable FAST search:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Search

Value name: DisableServerAssistedSearch

Value type: REG_DWORD

Value: 1

A restart of Outlook is needed after this change, and users won’t be alerted of anything different. Search will just start using Windows Desktop Search (which was always running anyway) and not know any better.
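Because the value only takes effect at the next Outlook start, it is worth applying it in a way that reads it back and tells you whether Outlook still needs restarting. The function below is an added example, not part of the original post; it uses the registry path and value exactly as listed above and assumes the 16.0 hive (Outlook 2016/2019/Microsoft 365 Apps).

```powershell
# Added example, not from the original post: write DisableServerAssistedSearch,
# confirm it stuck, and warn if Outlook is running (it reads the value at
# start-up). 16.0 is assumed; change it for other Outlook builds.
function Set-OutlookServerAssistedSearch {
    param([Parameter(Mandatory)][bool]$Enabled)   # $false = force Windows Desktop Search

    $Path = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Search'
    $Name = 'DisableServerAssistedSearch'
    $desired = if ($Enabled) { 0 } else { 1 }      # the value is "Disable...", so invert

    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $desired -Force | Out-Null

    # Read it back rather than trusting the write.
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($actual -ne $desired) { throw "$Name is $actual, expected $desired" }

    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        Write-Warning 'Outlook is running; the change takes effect after it is restarted.'
    }
    return $actual
}

Set-OutlookServerAssistedSearch -Enabled $false   # turn FAST off for this user
```

Passing `-Enabled $true` writes 0, which puts server-assisted search back; the key is a user preference, not a policy, so a logon script or Intune script running in user context is the natural way to roll it out.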

Access An Exchange Online Mailbox Without a License

This is just a quick one. Most Office 365 admins will hopefully have a separate admin account to perform higher level tasks, compared to their normal user account.

Because of this, the admin accounts shouldn’t need any licensing, because they’re not being used like a normal user. One person shouldn’t need to have two sets of licenses – but there are some problems that can come up because of this.

For example, if you want to use your admin account to access someone’s mailbox, that can be difficult when you don’t have a mailbox yourself to log onto, to then open another user’s mailbox. Outlook can be used to work around this, where you set up a profile for the email address of the user you want to access, but enter your admin credentials when prompted:

Your Name is just a display name field, email address needs to be the user’s email. Don’t enter a password here and click ‘Next’
This login page will start by showing the user’s email address, use the option ‘Sign in with another account’ and use your admin account.

The above works OK, but is a little time consuming if you’re accessing a mailbox for a quick check.

If you try to go to Outlook Online, you’ll get a message saying your admin account doesn’t have a license or a mailbox. To get around this, you’ll need to use a URL like:

https://outlook.office.com/owa/<user’s email address>/?offline=disabled

or

https://outlook.office.com/mail/<user’s email address>/?offline=disabled

if you want the ‘new’ Outlook.

It will then jump straight to that user’s mailbox, assuming you have access rights to it, and have waited a few minutes for the rights to apply.

Using the URL method is a really quick way of accessing another user’s mailbox without needing a license yourself.
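The ‘assuming you have access rights’ part is the step people forget, so here is the whole procedure in Exchange Online PowerShell: grant the admin account Full Access, read the grant back, and build the two URLs above. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) and an Exchange admin role, and the contoso.com addresses are placeholders. The grant is recorded in the Exchange admin audit log, which is exactly what you want for an admin reading someone else’s mail, so remove it again with Remove-MailboxPermission when you are done.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an Exchange admin role; addresses below are placeholders.
function Get-OwaMailboxUrl {
    param([Parameter(Mandatory)][string]$Mailbox, [switch]$NewOutlook)
    # Classic OWA uses /owa/, the "new" Outlook uses /mail/; the offline=disabled
    # query string is carried over from the URLs in the post.
    $segment = if ($NewOutlook) { 'mail' } else { 'owa' }
    return "https://outlook.office.com/$segment/$Mailbox/?offline=disabled"
}

function Grant-AdminMailboxAccess {
    param([Parameter(Mandatory)][string]$Mailbox,
          [Parameter(Mandatory)][string]$Admin)
    # Full Access is what the URL trick needs. AutoMapping is switched off: the
    # admin account has no mailbox of its own for Outlook to map the grant into,
    # and it stops the mailbox silently appearing if that ever changes.
    Add-MailboxPermission -Identity $Mailbox -User $Admin -AccessRights FullAccess -AutoMapping:$false | Out-Null

    # Read the grant back. It is visible immediately, but OWA can take a few
    # minutes to honour it, which is the wait the post mentions.
    Get-MailboxPermission -Identity $Mailbox -User $Admin |
        Select-Object Identity, User, AccessRights
}

# Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
# Grant-AdminMailboxAccess -Mailbox 'user@contoso.com' -Admin 'admin@contoso.com'
# ...do the check, then:
# Remove-MailboxPermission -Identity 'user@contoso.com' -User 'admin@contoso.com' -AccessRights FullAccess -Confirm:$false

Get-OwaMailboxUrl -Mailbox 'user@contoso.com'
Get-OwaMailboxUrl -Mailbox 'user@contoso.com' -NewOutlook
```

The two URL calls run without a tenant connection; uncomment the Connect/Grant/Remove lines to do the real thing. Keep the admin account behind MFA and Conditional Access, since Full Access on a mailbox is as sensitive as the mailbox owner’s own password.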