Scripts and functions for M365 with dynamic parameters: Impossible? No!

Recently I wanted to update an old function that I use in my daily work for Privileged Identity Management. Initially I just wanted to move over from using AzureADPreview to the Microsoft Graph PowerShell SDK, but sometimes you just do more.

However, this was a good learning curve for me and I thought sharing would be helpful.


MS servicePrincipals and verified publisher

When you are using publisher verification, you might know the challenges I’m writing about today, especially with 3rd-party vendors. However, I never expected it to be like that, even though the functionality has been GA for quite a while.

What I mean by that is the fact that Microsoft introduced this feature, recommends it as best practice and, starting September 30, 2022, makes it a default setting, but doesn’t get its own apps verified:

One example, while Christie tries connecting to MS Graph using PowerShell SDK

Format MessageTraceDetail in Exchange Online

Over the last weeks, I had to perform more message traces than usual in Exchange Online. For more details on how to run such traces, Tony recently updated his article:

Exchange Online Message Traces are Different to On-Premises Searches (

However, the details you want to look at are not really presented in a readable format.


Check for ApplicationAccessPolicy

Maybe you are aware that you can scope applications registered in Azure AD and configured with OAuth 2.0 application permissions. It is well documented here: Limiting application permissions to specific Exchange Online mailboxes – Microsoft Graph | Microsoft Docs, and finally Exchange Web Services (EWS) is also supported.

However, I think it is important to perform regular checks in your tenant whether policies exist or not.


Maintain MAPI permissions recursive

I strongly believe that many of you have already run into this scenario:

“Hey, can you help me and grant access to all my folders in my mailbox to this one person?”

When it starts like this, in most cases the total number of this user’s folders is for sure more than 2 digits.


When “block” doesn’t mean necessarily “block”

I just came across this and I was really puzzled as I never thought something like this would happen:

What do you expect, if you use a feature, which states that you could block specific senders?

Right, you feed the system and messages from these senders will never make it to the protected recipient.

Well, let me tell you that the feature Tenant Allow/Block List (TABL) of Microsoft Defender for Office 365 (MDO) is doing exactly this:

Promising that you can block senders, but actually delivering messages to mailboxes depending on your anti-spam policy settings.


When OOF makes you hit EXO limits and you’re blocked from receiving emails

I recently came across something you might also run into at this time of the year or when a company-wide announcement needs to be made via e-mail and the sender is in Exchange Online:

A person sent some season’s greetings, which resulted in being blocked by EXO as a limit was reached (you can find more about these limits here). My first thought was something like sending e.g. 10.000 messages per day or too many recipients, but it turned out to be something different.


When AAD, EXO and MS Teams creating a mess

I’ve been dealing with these issues for a long time already. But meanwhile, after a couple of support cases, the fog seems to be lifting.

If you don’t have the following setup, you can stop reading:

  • create accounts for partners in your on-premises Active Directory (AD)
  • sync these accounts to Azure Active Directory (AAD)
  • Exchange RecipientType is MailUser
  • you assign one of the following licenses:
    • Customer Lockbox (in combination with SPO)
    • Microsoft 365 Advanced Auditing

For the others, feel free to continue reading. It might open your eyes to some issues you’re facing.
