User Profile
VasilMichev
MVP
Joined 10 years ago
Recent Discussions
Re: Alert on DLP Policy Change
Purview does not natively offer such functionality, so you have to either integrate with Sentinel or similar solutions, or create your own based on the Graph API/PowerShell. Here's a sample article from Tony that explores a similar scenario: https://office365itpros.com/2025/01/28/azure-automation-for-audit-searches/

Re: Restrict access to Microsoft Entra admin center
View only access to basic directory data is impossible to restrict, so blocking access to the admin tools is your best option if that's your goal. For Groups they own, users can use the MyGroups portal and/or OWA. For app-related operations, it depends on which operations you want to allow for them, but in general there is no way to prevent them from seeing additional data if you allow them to manage apps via the portal.

Re: Exchange RBAC Challenge: Restricting Admin Level Access to Selected Mailboxes
Exclusive scopes is what you need: https://learn.microsoft.com/en-us/exchange/understanding-exclusive-scopes-exchange-2013-help Keep in mind that anyone with sufficient permissions to manage scopes/role assignments can grant himself access. For even better protection, you can configure PAM too... but a GA can override that as well.
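The exclusive-scope setup the reply points to, as an added example (not code from the reply or from Microsoft's documentation). The attribute value, scope name and role group name are assumptions; the cmdlets and parameters are the standard Exchange RBAC ones.

```powershell
# Added example: restrict write access to a set of mailboxes with an exclusive scope.
# Assumed names: CustomAttribute15 = "Restricted" as the marker, the scope
# "Restricted Mailboxes" and the role group "Restricted Mailbox Admins".

# Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# 1. Mark the mailboxes to protect. Any filterable recipient property works;
#    a custom attribute keeps the filter simple and explicit.
Set-Mailbox -Identity "ceo@contoso.com" -CustomAttribute15 "Restricted"

# 2. Create an EXCLUSIVE recipient scope over those mailboxes. Once it exists,
#    regular (non-exclusive) scopes no longer cover the recipients it matches,
#    so admins without an assignment to this scope lose write access to them.
New-ManagementScope -Name "Restricted Mailboxes" `
    -RecipientRestrictionFilter "CustomAttribute15 -eq 'Restricted'" `
    -Exclusive

# 3. Assign the role(s) the chosen admins need, written against that scope.
New-ManagementRoleAssignment -Name "Mail Recipients - Restricted" `
    -Role "Mail Recipients" `
    -SecurityGroup "Restricted Mailbox Admins" `
    -CustomRecipientWriteScope "Restricted Mailboxes"

# 4. Verify: who can actually write to a protected mailbox now?
Get-ManagementRoleAssignment -WritableRecipient "ceo@contoso.com" -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName, EffectiveUserName, CustomRecipientWriteScope

# 5. The caveat from the reply: anyone who can manage scopes and role
#    assignments can re-scope themselves. Review who effectively holds the
#    "Role Management" role and keep that set as small as possible.
Get-ManagementRoleAssignment -Role "Role Management" -GetEffectiveUsers |
    Select-Object RoleAssigneeName, EffectiveUserName
```

Step 4 is the check worth repeating after any RBAC change: if a user you did not expect shows up as an effective user, some other assignment (or a later non-exclusive scope) is still reaching the protected mailboxes.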
Re: Accessing Content explorer data via SPN
IIRC application permissions are not supported for the cmdlet, but you can assign role groups to a service principal via PowerShell: Add-RoleGroupMember -Identity "ContentExplorerContentViewer" -Member xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Make sure to provision the SP first via New-ServicePrincipal. But again, afaik even if you grant the permissions, it is not currently supported.

Re: On-prem shared mailbox access in hybrid Environment
There is, but it depends on the permissions. Full access is supported cross-premises; delegate/folder-level permissions require additional steps. Automapping is not supported, which is why the mailbox was removed from Outlook. It's usually best to move them (together with the corresponding user mailboxes) to ExO. See for example: https://learn.microsoft.com/en-us/exchange/permissions#mailbox-permissions-and-capabilities-not-supported-in-hybrid-environments

Re: Exchange Hybrid Configuration HCW8001 Unable to determine the Tenant Routing Domain
The cmdlets listed in the article are from the Entra module; it also tells you how to install it (first cmdlet). Alternatively, you can use the Graph API/SDK cmdlets to the same effect: Update-MgOrganization -OrganizationId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -OnPremisesSyncEnabled:$true

Re: Retention Compliance Policy exemption group honoring
The group itself will not be reflected, neither in the UI nor via PowerShell. Its members will, so the question here is whether the membership was populated at the time you configured the policy. Keep in mind that this is a one time operation: the current membership of the group will be stamped under ExchangeLocationException and no future changes will be reflected.

Re: Retention Compliance Policy exemption group honoring
Not sure I understand the above, are you saying that the UI/PowerShell does not reflect the exclusions you've configured? You should be able to see the (expanded) group reflected under exclusions in the UI, but IIRC, if the policy is disabled, you cannot even launch the wizard to get to that page. If you are looking at the right nav pane, it does not show exclusions. If using PowerShell, look under ExchangeLocationException (you must use the -DistributionDetail switch though).

Re: Blocking Downloads in Purview
Is the label applied on individual items or on the site/library level? For the former, use a DLP policy that checks for the presence of the label and blocks (external) access: https://learn.microsoft.com/en-us/purview/dlp-sensitivity-label-as-condition While technically not the same thing as "block download", it is the best you can do for per-item labels. For the latter, you can configure this restriction on the label itself. See for example: https://office365itpros.com/2024/12/12/block-download-policy-labels/

Re: Full Mailbox Access & opening another user's Mailbox
It should still work fine in classic Outlook, but if you have some form of SSO configured, it might be preventing you from getting to the "correct" login screen. The steps involved require you to go back one screen and change the UPN, but if you are getting auto-logged in, this will be a problem. If you are using the new Outlook client, support for this method is still not rolled out. I'd also advise you to add the Full Access permissions via PowerShell instead of the EAC, as with PowerShell you can specify the -Automapping:$false switch.

Re: How to Send-As a Distribution Group (via SSIS ScriptTask) via Exchange Online using Modern Auth?
You can use application permissions. As you still need to use the /users/{id}/sendMail endpoint, a valid mailbox must exist, but other than that, no dependence on user credentials or anything.

Re: delete Teams Members from Azure Admin not sync on Teams App
It might take a while to reflect the changes in the Teams client. Here's a quote from the documentation: Note: The command will return immediately, but the Teams application will not reflect the update immediately. The Teams application may need to be open for up to an hour before changes are reflected.

Re: Enabling per-group MFA
There is no such functionality, you have to create your own solution that fetches the group's membership, then toggles per-user MFA. The issue with that approach is that the endpoint used for that is not an officially supported one (i.e. not part of the Graph API), so the method is a bit more involved. I wrote about the process here, if you decide to give this method a shot: https://www.michev.info/blog/post/6215/legacy-mfa-settings-in-the-entra-portal-and-how-to-control-them-programmatically

Re: Microsoft Teams Devices Report
If you are referring to the Teams device usage report in the M365 admin center, you can get the data via Get-MgReportTeamDeviceUsageUserDetail. If you are referring to the reports available in the Teams admin center, there is no supported method to fetch those programmatically. Doesn't mean it's not possible, but it's a bit more involved than running a single cmdlet: https://www.michev.info/blog/post/6103/how-to-fetch-data-for-reports-microsoft-is-yet-to-provide-graph-api-endpoints-for