hybrid
Force users to "entra register" their devices

Hi, is it possible to force users to register their devices when they log in with their company account on any device other than a company-owned one? I tested on my private smartphone. Logged in as a normal user with a company account, and my device did not show up in Entra as "Microsoft Entra registered". Any ideas? Thanks

MTO and access to on premises file system
Let me preface this by saying I'm still fairly new to 365 Admin (it's been a steep learning curve) and haven't even got my feet wet with on-premises stuff as yet. Also, I think some of the admin decisions made previously by others may have been based on just repeating what was found to work the first time rather than necessarily a deep understanding of the best solution.

The situation when I arrived on the scene was this (actually it was a bit more complex and messy than this, but this simplified description covers the salient points at this stage):

One tenant, with two domains, call them old-domain and new-domain.

Two types of user, whom I will refer to as operations and corporate.

An on-premises Active Directory system running a file server. Well, to be more precise, three premises with mirroring of data and a DFS, but from the user perspective when you're in one of the office locations and connect to the network the same folders are available to you. Everyone was using Azure-joined company laptops to do this, so their laptop logins were also their network logins. Outside of the offices people connected to the DFS using a VPN (with three gateways in different countries).

Operations Users had one account, @old-domain; this was licensed for 365 and had a mailbox associated with it. It was also synced to their on-premises AD account.

Corporate Users had two accounts, one @old-domain with no license, synced to an on-premises AD account. The second was new-domain with a 365 license and mailbox. If you're scratching your head wondering why two accounts rather than assigning the new-domain email address to the same account, I can't give you a definitive answer as I've never been given one, but for whatever reason when new domains were brought into play on corporate name changes the admins gave them new mailboxes rather than simply aliasing email addresses to the same mailbox (some people had three accounts as a result).

What I did note was that when a new Corporate user was added the admins gave them both of the above accounts; I was told that the unlicensed old-domain one was required for access to the DFS.

Now, for reasons not worth getting into here, a decision was made to move the Corporate users to a new tenant, along with new-domain, and then to link the two tenants in a multi-tenant organization. It was also decided to leverage BYOD for Corporate users, so their devices will only be Azure registered. This has been done; there was some pain thanks to the reluctance of Microsoft applications to switch to the new account locations rather than redirecting back to the old tenant, but that's been sorted.

So right now Corporate users still have two accounts, but on two tenants.

On the Old Tenant they have their @old-domain account: no license, no mailbox, synced to the on-premises AD (as before).

On the New Tenant they have their new-domain account. This is where they actually do their work, and is the only account anyone should be communicating with internally or externally.

Access to the DFS is being done using the VPN with the on-premises credentials associated with the old-domain account.

In terms of functionality, this works perfectly well: people across the two tenants appear in each other's address lists, they can chat and share information, etc. Everybody also has access to the folders they should have access to on the DFS. However, there are two issues.

The first, and most detrimental in terms of just getting work done, is that users in one of the overseas offices have found their access to the DFS has slowed considerably, despite being in physically the same location as the data. I believe the problem is that although the data is on-premises, the VPN gateway is not, therefore data does a round trip from the server, through that gateway IP address at the ISP and back to the user. Since they are in a remote location with poor internet this slows things considerably.

So the first question is, how do we take that loop out of the equation so that when they are in the office they connect more directly to the servers on site? Ideally without having to revert to needing an Azure AD joined device.

The second issue is that those remaining old-domain accounts (the ones for the Corporate users who are now working on the new tenant) on the old tenant are messy, in two ways:

1) From an admin perspective, because every one of those corporate users still has two accounts: their local one that is synced to on-premises AD, and the external account shared from the new tenant as part of the MTO.

2) From a user's perspective. For reasons that I cannot fathom (but this is coming direct from Microsoft after many attempts on my part to find a way) it seems that while you can control which licensed accounts appear in Teams search by controlling whether they are in the GAL and setting the appropriate switch in Teams Admin, all the unlicensed users appear whether you like it or not. The net result is that when someone on the old tenant starts typing in the name of someone in Corporate, they get two suggestions coming up.

So the second question is, are those accounts actually necessary?

Adding Proxy Addresses in AD Before Tenant-to-Tenant Migration Cutover
We're in the process of migrating users from another M365 tenant into our own, which is synced with on-prem AD. Before the cutover, we'd like to add the proxy addresses from the source tenant to our AD and have them sync to the cloud once the domain is added to our M365 tenant. Would this work as expected, or are there any potential issues to be aware of?

Exchange Online - Seeing all aliases of dist list
Hello all,

We are preparing to sync our on-prem AD distro groups and mail-enabled security groups to O365, with a migration of email to EO to follow. (We already have user accounts synced via Azure AD Connect.)

One gotcha is that we have old email addresses (with unused domains) on these groups, and I'm not sure if that's going to be a problem if I sync them before stripping those out. I was able to script removing those from the user accounts before we synced those, though doing it for the groups hasn't been successful so far.

I went ahead and synced a couple of DGs to O365 just as a trial run, and when I view the groups in Exchange Admin Center / Groups / Dist List, it shows the primary email address and two of the alias addresses. Then it shows '+3 more'. I can't figure out how to view those '3 more' aliases. I'm wanting to see if those additional addresses are good addresses (with our domains that do exist in O365). If so, then it would seem that the sync leaves out the 'bad' addresses, if that makes sense.

Thanks for any pointers!

User able to send mail with account locked
Hello and Happy New Year!

I tried to go through the official M365 support channels on this issue, but they were unable to help me.

Environment: Local Active Directory synced to Azure/M365 via Azure AD Connect. All user mailboxes reside on Exchange Online.

We found out, via an external security audit, that we had a user account, which was both locked and had an expired password, that was still able to send email out via the iOS Outlook app. We were under the impression that if an account was locked they could still receive email, but not send. The account was for an employee that is no longer active and thus has been archived and deleted. We are just hoping for an explanation/root cause of this and how we can hopefully prevent it from happening in the future.

Thank you,
Tony Martinac
AMIC

Remove On Premises exchange Hybrid and go fully Online
Hello,

I currently have a scenario where there is a Hybrid Exchange environment with 1 server. All my mailboxes have been migrated online. I would like to completely remove dependency on local AD and I do not care about AD synchronization. How do I "tell" the O365 tenant not function on its own so that I can manage 100% from 365 Administration? I do understand that my MX and other DNS records will need to be changed. Are there any solid guides out there on decommissioning the on-premises Exchange server? I want to do this with the least impact on users.

Thanks,
Keith

Address rewrite not working for Calendar items
Hi,

We are running a hybrid environment with 3 Active Directory domains, 3 on-prem Exchange clusters and the majority of our mailboxes in O365. We have set up a default address rewrite so that emails from everyone across the 3 different legacy domain names appear to come from the new domain name. Emails are sent from O365 back to the on-prem clusters for rewriting.

Let's use an example:

john@oldcompany1.com
john@oldcompany2.com
john@oldcompany3.com

Address rewrite is set up so all emails from the above addresses are displayed to external recipients as: john@newcompanyname.com

This works perfectly for all outbound emails; however, it does not work with meeting/calendar invites. For example, my own mailbox has the default alias of @oldcompany1.com, and when I send an email to a recipient outside of our organisation, it shows as coming from @newcompanyname.com, but when I send a meeting/appointment to an external recipient, it shows as coming from @oldcompany1.com.

Has anyone seen this before? If so, do you have any tips on where to start the troubleshooting process?

Additional Microsoft 365 users not showing as registered users on an Entra ID joined device
Most of our clients are on M365 these days, and they consist of the following variations in how they integrate:

1. On-prem AD with no Entra ID sync to M365.
2. On-prem AD with Entra ID sync to M365 but no hybrid connection for devices.
3. On-prem AD with Entra ID sync and hybrid connection for devices with Intune.
4. No on-prem AD with all devices connected directly to Entra ID and Intune.

For clients using integration methods 1 and 2, we always see multiple device registrations in Entra ID, and for clients using integration method 3, we see a primary user that was used to hybrid join the device, along with additional users showing up as registered in Entra ID. However, we have just recently discovered that for clients that use method 4, i.e. they are 100% Entra ID with no on-prem AD, the only user that shows in Entra ID is the user that joined the device. Any other user that logs in and creates a profile on one of these machines is not recorded as a registered user in Entra ID for that device.

So, for clients that use integration methods 1-3, if we want to remotely block access on a particular device for a specific user, we just need to delete their Entra ID registration for that device. However, for clients using method 4, we have no visibility of the additional user, nor can we remotely block a user in this scenario.

Is this behaviour a current bug in the Entra ID join/register process? Or is this the expected behaviour? If the latter, then this seems to be a flaw in the join/register process.

M365 License Expiration - Enterprise Agreement
Scenario: I have 3050 M365 E1 plan licenses that are going to expire soon. My org has planned to renew 1250 M365 E1 plan licenses. As I have an Exchange Hybrid environment, we plan to migrate 1800 user mailboxes to Exchange servers. As time is limited, we may not complete all migrations, so what will happen after the license expiration date? Will in-progress migrations stop, or run until the process completes? Will the licenses be promptly removed from the license portal, or will they stay for a grace period? And if the licenses are not removed from the portal, can users log in and use Exchange Online services? Please suggest.

O365 Online Archiving Not Working
We migrated users to O365 last week, and for the most part everything is good. All using E3 licenses. But one user's mailbox is not archiving.

I've confirmed that in OWA for the user:
Right-clicked on the user name and Assigned Policy is what we configured.
Right-clicked on folders and they are set to use parent.
Can see the in-place archive folder but nothing is in it.

From PowerShell: Get-Mailbox user | RetentionPolicy set, ArchiveDatabase set, ArchiveGuid set.
Run Start-ManagedFolderAssistant a few times.

From Security and Compliance: Archive enabled.

But still nothing is moving to the archive.