Transfer Exchange Source of Authority to Exchange Online!!!

Managing remote Exchange Online hosted mailboxes post migration has been a pain for some time. Some attributes are managed in the cloud, others on premises, and to do it right you needed to keep an Exchange Server around… Well Microsoft has a new feature which allows admins to manage the Exchange properties of directory-synchronized users with remote mailboxes directly from the cloud and THIS jaw dropper is today’s #MicrosoftCloudQuickFix !!!

A new capability in preview for Exchange Online allows administrators to manage Exchange attributes for directory-synchronized users with mailboxes hosted in Exchange Online. With the update, the Source of Authority (SOA) for Exchange-specific attributes can be transferred to the cloud, while the SOA for identity-related attributes remains under the control of Windows Active Directory.

After moving the SOA for Exchange-specific attributes to Exchange Online / Entra ID, these attributes can be managed using EXO PowerShell, the Microsoft 365 Admin Centre, or the Exchange Admin Centre, with future write-back support for designated attributes via Entra Cloud Sync.

Microsoft is providing this feature in two phases:

Phase 1 (Preview): allows admins to enable cloud management of Exchange attributes per mailbox by setting IsExchangeCloudManaged to true. Mailboxes can be reverted to on-premises management by resetting IsExchangeCloudManaged to false.

Phase 2: will include write-back support for specified attributes and Entra Cloud Sync integration. During this phase, updates to key Exchange properties made in Entra ID will be automatically synchronized with the on-premises Windows Active Directory. This process keeps the on-premises AD current; for example, changes to a proxy address in Exchange Online will be updated in Active Directory. To access write-back functionality, customers must implement Entra Cloud Sync.

The new cloud-managed mailbox capability allows organizations that use on-premises Windows Active Directory for identity to manage their Exchange Online mailbox attributes in the cloud. As a result, it is no longer necessary to maintain an Exchange server or management tools on-premises for routine Exchange administration tasks!

For more information see:

#MicrosoftCloudQuickFix #Microsoft365 #MicrosoftCloudSecurity #MicrosoftEntra #MicrosoftEntraID #WindowsActiveDirectory #ActiveDirectory #SecurityGroups #IdentityAccessManagement #IdentityGovernance #ExchangeOnline #ExchangeServer

Transfer an AD Group Source of Authority to Entra ID!!!

Still using on-premises Security Groups to manage access to apps? Do you have old Distribution Lists from a legacy Exchange environment and cringe at recreating them in Exchange Online? Or worse, do you still have the dreaded Mail-enabled Security Groups kicking around? Well, Microsoft has finally come up with a solution to transfer these to Entra ID and THIS game changer is today’s ‘Bonus Edition’ #MicrosoftCloudQuickFix !!!

Bonus Edition

Contained within the July 31, 2025 Microsoft Entra Connect Update 2.5.76.0 is the listing for the added Group Source of Authority conversion feature (Public Preview), which allows an administrator to transfer the Group Source of Authority from Windows Active Directory to Microsoft Entra ID on a per Active Directory group basis. The per-group basis allows for a nicely phased approach to the transfer!

You will need to make sure you upgrade your production and staging Microsoft Entra Connect servers in order to utilize this new capability, which was also announced this week during the Microsoft Entra Suite Summer Camp.

Screenshot from Entra ID Connect

Note: For Entra ID Cloud Sync you must be at minimum version 1.1.1370.0

Once you move the Active Directory Group Source of Authority to Entra ID you gain the ability to use the advanced modern identity governance capabilities such as Access Reviews, Entitlement Management, Group Expiration and Naming Policies, and Dynamic Group membership assignment, all in that single Entra ID pane. You can then use Group Writeback if the group is needed to govern any on-premises applications / resources. If need be, you can roll back the Group Source of Authority from Entra ID to Active Directory!

See what I mean about THIS is a game changer!

You can watch the demo from #Microsoft here:

This new capability is in Public Preview, rolling out worldwide in August 2025, and is included in Entra ID Free and Basic (and above) licensing; however, to take advantage of Access Reviews and Entitlement Management capabilities an Entra ID P2 license is needed.

I am certain I will have more to discuss about this new capability so stay tuned!

For more information see:

#MicrosoftCloudQuickFix #Microsoft365 #MicrosoftCloudSecurity #MicrosoftEntra #MicrosoftEntraID #WindowsActiveDirectory #ActiveDirectory #SecurityGroups #IdentityAccessManagement #IdentityGovernance #ExchangeOnline #ExchangeServer #DistributionList #MailEnabledSecurityGroup

Change to Microsoft user sign-in background

Microsoft is releasing a new default background image for the Microsoft Entra Personal and Work/School sign-in experience. This is today’s #MicrosoftCloudQuickFix !

Microsoft is changing the sign-in experience to align with its new modern design principles; the modernized end-user UX aims to provide a cleaner experience across all authentication flows.

This update is visual only, no user or admin action is required, and it will not affect sign-in functionality nor will it supersede any corporate company branding configured in a Work or School Microsoft Entra ID tenant. This update will only affect screens where Company Branding doesn’t apply.

Screenshot of new signin background

This update is already in General Availability and rolling out worldwide in August 2025 for personal Microsoft accounts, in late September 2025 for Microsoft Work and School accounts, with an expected completion by mid-October 2025.

Although no administrator action is needed to prepare for this change it is recommended to notify users of the change and update training documentation.

For more information see:

#MicrosoftCloudQuickFix #Microsoft365 #MicrosoftCloudSecurity #MicrosoftEntraID

Change to user sign-in experience with Microsoft Authenticator

Ever had connectivity issues that delayed your MFA authentication? Left your phone by the coffee pot but have your cup ready for the meeting? One-time code expired before you could use it? Microsoft is changing the user sign-in experience to help reduce duplicate request errors and allow the user to refresh their notifications in the Microsoft Authenticator app. This is today’s #MicrosoftCloudQuickFix !

With the rollout of this change the user sign-in experience will include the message, “Didn’t receive a sign-in request? Swipe down to refresh the content in your app.” advising the user that they can refresh notifications in the Microsoft Authenticator app (or Microsoft Authenticator Lite for Outlook mobile) if they have not received the sign-in notification. Once refreshed the user can complete the sign-in.

Screenshot of new user sign-in experience

This is already in General Availability and began rollout worldwide in late March 2025 with an expected completion by mid-April 2025.

Although no administrator action is needed to prepare for this change it is recommended to notify users of the change and update training documentation.

For more information see:

#MicrosoftCloudQuickFix #Microsoft365 #MicrosoftCloudSecurity #MicrosoftEntraID #MicrosoftAuthenticatorApp

Malicious Intra-Organizational Emails are now protected by default

Today’s #MicrosoftQuickFix is that Microsoft has enabled in Microsoft Defender for Office 365 intra-organizational email protection by default for high-confidence phishing messages containing malicious or spam-based URLs!

This new feature in the Microsoft Defender for Office 365 Anti-spam policy controls whether spam filtering and the corresponding selected action for the spam verdict are applied to internal messages (email sent between users in your Exchange Online organization).

Screen shot of Anti-spam policy settings

The deployment of this feature is complete for intra-organizational messages with the default value of High confidence phishing messages selected which will quarantine the message. This feature is available in all Microsoft Tenants worldwide!

If you don’t want to utilize this feature on intra-organizational messages, it can be disabled by changing the Anti-spam Policy setting ‘Intra-Organizational messages to take action on’ to none.

You can also modify the Anti-spam Policy setting to apply to other spam filter verdicts.

For more information about this see:

#Microsoft #Microsoft365 #MicrosoftDefender #ExchangeOnline #MicrosoftCloudSecurity #MicrosoftCloudQuickFix

Microsoft to begin sending DMARC Reports

Today’s #MicrosoftQuickFix is that #Microsoft will soon begin sending DMARC Aggregate Reports as part of the #DMARC standard, and as the owner of a domain you can request that reports be sent to wherever the RUA setting in your DMARC DNS record points. Is it time to revisit your #Microsoft365 domains’ DMARC, DKIM and SPF security settings?

Phishing attacks are getting more sophisticated and most organizations have implemented email security measures like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to help mitigate these risks.

Unfortunately, SPF and DKIM alone do not provide 100% protection against email attacks or nefarious hackers spoofing a company’s domain, regardless of SPF and DKIM implementation.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) works with SPF and DKIM to authenticate your mail senders. With a DMARC record configured you’ll get reports that provide the status of your email authentication so you can improve it if needed. This helps you detect malicious emails that claim to be from your domain.

Note: DMARC reports are in XML format and contain a lot of technical data. There are several DMARC report analyzer tools available as well as third-party vendors offering DMARC reporting capabilities.

Using DMARC with SPF and DKIM gives organizations more protection against spoofing and phishing of email. DMARC also helps receiving mail systems decide what to do with messages from your domain that fail SPF or DKIM checks, through the actionable DMARC policy you specify.

DMARC Aggregate Reports will be available for all Exchange Online Protection customers beginning in late February 2023 with expected rollout to complete in late March 2023.

For more information about DMARC in Microsoft 365 see:

#Microsoft #Microsoft365 #MicrosoftDefender #ExchangeOnline #DMARC #DKIM #SPF #MicrosoftCloudSecurity #MicrosoftCloudQuickFix

Microsoft Authenticator Number Matching enabled by default at the end of February 2023

Upgrades to how your Microsoft Authenticator works to include number matching by default are coming at the end of February 2023. That is today’s #MicrosoftCloudQuickFix !

With so many alerts on our phones these days from text messages, email messages, stock price alerts, Amazon reorder messages, new Spotify release notifications, Elon’s Tweets, and LinkedIn post alerts from me, it’s easy to get fatigued and just hit whatever to dismiss the alert (except this one of course 😎) and move on.

The increasing adoption of strong authentication and use of multi-factor authentication on corporate and personal accounts has added to this fatigue and spawned a technique called ‘MFA spamming’. These attacks rely simply on the user’s alert fatigue to approve a notification without any context to gain access.

To combat this for users using Microsoft Authenticator, #Microsoft365 administrators can require users to enter a number displayed on the sign-in screen when approving an MFA request in the #Microsoft Authenticator app. This feature is critical to protecting against MFA spamming attacks.

Note: If you are using ADFS/NPS there may be some additional steps, so please consult the full documentation below.

Microsoft will begin enabling this security feature for all users of the #MicrosoftAuthenticator App starting at the end of February 2023. Feature rollout controls will also be removed and as such it is recommended to begin testing and create training / change management documentation now.

For guidance on how to enable this security feature now and target users for testing and documentation see this link on Microsoft Docs – Enable number matching in the portal – Microsoft Entra

For more information please see:

#Microsoft #Microsoft365 #AzureAD #MultifactorAuthentication #MicrosoftAuthenticator #NumberMatching #MicrosoftCloudSecurity #MicrosoftCloudQuickFix

Exchange Server 2013 End of Support April 11, 2023

Yesterday was Groundhog Day and in honor of the great movie with the same name today’s #MicrosoftQuickFix is once again (get the reference now 😉) that Exchange Server 2013 is reaching end of support in 67 days from today on April 11, 2023!

After April 11, 2023, #Microsoft will no longer provide technical support for problems that may occur, bug fixes for newly discovered issues, security fixes for vulnerabilities that are discovered, and time zone updates.

Now look, this doesn’t mean that because the Exchange Server software is out-of-date and no longer supported that it is going to stop working. Email will still flow, databases will still store data, mailboxes will still be accessible, but nefarious hackers will breathe a sigh of relief as the code now remains stagnant and despite “network magic” mitigation attempts all it takes is one zero-day vulnerability making its way in…

So your options are to Upgrade to Exchange Server 2019 – See the following pages on Microsoft Docs to begin: Exchange Server 2019 system requirements, Exchange 2019 Requirements, Exchange 2019 Memory Requirements, Exchange 2019 Client Compatibility.

Note: It is a supported coexistence scenario for Exchange 2019 and Exchange 2013 provided all your Exchange 2013 servers in your organization are patched to Exchange Server Cumulative Update 21 or higher.

and/or

Migrate to Exchange Online – See Decide on a migration path in Exchange Online on Microsoft Docs – Anyone still need a business case for migrating to #ExchangeOnline ?

In either case we recommend seeking assistance and using the Exchange Deployment Assistant which is a web-based tool that asks you about your current Exchange environment and generates a custom step-by-step checklist that will help you.

For more information about Exchange Server see:

#Microsoft #Microsoft365 #MicrosoftExchange #ExchangeOnline #MicrosoftCloudSecurity #MicrosoftCloudQuickFix

Sept 23, 2022 – New Podcast Available

In this episode Ryan McKay is joined by Andrew Lowes and they discuss the deprecation of Basic Authentication in Microsoft 365 on October 1, 2022 and its impact on user experience, along with the upcoming #MicrosoftIgnite2022.

URLs shown in today’s video podcast include:
Deprecation of Basic authentication in Exchange Online
One Last Chance to Pause the Great Exchange Online Basic Authentication Shutoff
Microsoft Ignite Home

#Microsoft #Microsoft365 #BasicAuthentication #ModernAuthentication #MicrosoftCloudSecurity #MSIgnite #MicrosoftCloudQuickFix

Exchange Online – Basic Authentication Disabled Oct 1, 2022 – Part Deux

So you have done your due diligence and are sure you’re in the clear. You would like to manage this change by turning off Basic Authentication and testing it yourself beforehand rather than waiting for Microsoft. That is today’s #MicrosoftCloudQuickFix !

As outlined in my previous blog post, to prepare for the change check the Azure Active Directory Sign-In logs per New tools to block legacy authentication in your organization – Microsoft Tech Community, which will help track down any clients still using Basic Authentication.

If you don’t have any Basic Authentication sign-ins then you can move on to block Basic Authentication for protocols on your tenant.
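As an added example (not from the original post), this sketch shows the sign-in log check described above: it takes exported sign-in records and separates legacy-protocol sign-ins that succeeded from those that only failed. The records are constructed and assume the Microsoft Graph signIn field names `userPrincipalName`, `clientAppUsed` and `status.errorCode`; the function name is hypothetical.

```python
from collections import Counter

# Client app values that the Entra sign-in log reports for legacy-authentication protocols.
LEGACY_CLIENT_APPS = {
    "authenticated smtp", "autodiscover", "exchange activesync",
    "exchange online powershell", "exchange web services", "imap4",
    "mapi over http", "offline address book", "outlook anywhere (rpc over http)",
    "pop3", "reporting web services", "other clients",
}

# Constructed sample records; field names follow the Microsoft Graph signIn resource
# (assumed shape of an exported sign-in log). errorCode 0 means the sign-in succeeded.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "Alice@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scan@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
]


def legacy_auth_usage(signins):
    """Return (succeeded, failed) Counters keyed by (user, client app) for legacy protocols."""
    succeeded, failed = Counter(), Counter()
    for record in signins:
        app = (record.get("clientAppUsed") or "").strip()
        if app.lower() not in LEGACY_CLIENT_APPS:
            continue  # modern-auth clients such as "Browser" are out of scope
        user = (record.get("userPrincipalName") or "unknown").lower()
        error = (record.get("status") or {}).get("errorCode", 0)
        (succeeded if error == 0 else failed)[(user, app)] += 1
    return succeeded, failed


if __name__ == "__main__":
    ok, bad = legacy_auth_usage(SAMPLE_SIGNINS)
    for (user, app), n in ok.most_common():
        print(f"still in use: {user} via {app} ({n} sign-ins)")
    for (user, app), n in bad.most_common():
        print(f"failed only:  {user} via {app} ({n} attempts)")
```

Entries in the succeeded counter are working clients that will break when the protocol is unchecked, so they are the ones to migrate first.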

In your Microsoft 365 Admin Portal, navigate to Settings > Org Settings > under Services > Modern Authentication and ensure that “Turn on modern authentication for Outlook 2013 for Windows and later” is enabled, and then under “Allow access to basic authentication protocols” uncheck any protocols for which you no longer wish to use Basic Authentication. Click “Save” and test.

For more information check out Disable Basic authentication in Exchange Online | Microsoft Docs.

#Microsoft365 #ExchangeOnline #BasicAuthentication #ModernAuthentication #MicrosoftCloudSecurity #MicrosoftCloudQuickFix