[Archived] Teams Real Simple with Pictures: Removing and Modifying users appearing in the Org Chart

This week I am off to Ireland in person for the first time since the pandemic. Exciting. But I have a ton to get through. My own conference Metaverse One is on Wednesday (please feel free to register; it's 100% free to attend), speaking at Microsoft Ireland is on Wednesday, and to top things off I have Bizz Summit on Saturday. So yeah. Full on. This week is going to be something short, and it's another enquiry I got from the Microsoft Tech Community a few weeks back. It was as follows: I can't remove a person I want to from the org chart in Microsoft Teams. So how do we do it? Seemed a pretty fair question: people move in organisations all the time, and it's unlikely Microsoft would ship functionality of this nature which couldn't be modified. But the thing was, I knew how to do it and was pretty familiar with it, having deployed Azure AD hundreds of times in the past, in addition to reviewing Profile+ some time back, which is also dependent on this functionality. So how do we do it?

[Archived] Teams Real Simple with Pictures: Nested Dynamic Groups via Azure AD in Entra

So imagine this scenario. Say we have two teams in our organisation. One team is the Sales Team. The other is the Marketing Team. I need to ensure specific users are part of the Sales Team dependent upon their role. I then need to make sure that specific users are part of the Marketing Team dependent upon their role. For this? We can use Dynamic Groups. But now we need to ensure that everyone in the Sales and Marketing Teams is also in a third team - the Commercial Team - and this also needs to be done automatically without manual adds. For this we are going to use a new functionality called Nested Dynamic Groups. The members of Dynamic Group A are the users dynamically added to and removed from Dynamic Group B and Dynamic Group C. Sounds pretty nuts. But it's straightforward, as I'll show you. Nested Dynamic Groups support Security Groups and Microsoft 365 groups - so we can use them for Teams. As a public preview feature there are some caveats, such as them not being supported in the rule builder. The full list is in the footnotes; I'm sure they'll knock them out soon.

[Archived] Teams Real Simple with Pictures: Setting up a Multi-Stage Access Review for Inactive Users in a Team

So Build is in the books. And it was awesome. And I got to catch up with friends such as Vesa Nopanen, Chirag Patel, Sharon Sumner, Al Eardley, Kevin McDonnell, Chris Huntingford and Claire Smyth. I got to speak a bit on Metaverse and delivering next-gen experiences at scale with Microsoft 365. I got to start an Anti-Sticker and Pro-Golf (the car) movement with Garry Trinder. And then there was great food - and I am going to call out the wall full of doughnuts up on the first floor where I was speaking in particular. But all good things must come to an end. And by end I mean an opportunity to do other good things, such as getting back to the blog. Now, I was torn between doing something quick and dirty this week and doing something a bit more intricate. This is because Stranger Things Season 4 came out a few days ago. But however interesting the Mind-Flayer, the Demogorgon, or whoever they've got running around going off their nut in Hawkins this time may be, Azure AD has a few new pieces currently in Preview regarding the old Identity Governance. So this is going to show off both multi-stage access reviews, as well as the ability to now remove Azure AD inactive users within the context of Teams. This will be another tool in the toolkit for dealing with Stale Users and Stale Guests: either of which could be used as a way through to your users or your data.

[Archived] Teams Real Simple with Pictures: Adding Number Matching and Context to Authenticator Notifications via Azure Active Directory

It's Sunday night. 9pm. I am teaching Microsoft 365 Fundamentals the next few days. I am speaking at Build the week after. So you know the score. Yes - that's right, it's Jack Bauer time all over again. And so this week I'm gonna change tack (yet again) and return to talking about Azure AD: this time about authenticator notifications and lighting up two preview functionalities. The first is Number Matching, which requires users to enter the number displayed on the sign-in screen, and the second is Additional Context, which adds the app the user is signing into as well as their IP location. Why are these important? Well, imagine a user who simply - without thought - approves an authenticator request when it pops up on their device. What if that approval isn't actually legit at all? What if it's a malicious actor who has phished the user's credentials and knows that if they periodically enter the username and password, there is a high probability the user will approve the request? By default authenticator doesn't ask you to take any further action apart from approval or denial, nor does it make you second-guess that. It doesn't give you any information to say what app is being accessed or where the sign-in is coming from. If I put my security hat on, that's problematic, especially when accessing apps such as Teams which could contain a lot of sensitive information. So two nice adds to the authentication experience. They make the user more mindful, and this should - in theory at least - harden the security posture.

[Archived] Teams Real Simple with Pictures: You want to block your own users being guests in other tenants? Well, now, you can with Cross Tenant Access Settings

This series on Teams has been running for a while now - about two and a half years. And during that time I've returned periodically to the subject of guests. Enabling/Disabling Guest Access in the TAC, purging from Azure AD, Self Service Removal, Sensitivity Labels, Entitlement Management. In the last few months I have covered Terms of Use, B2B Management Policy to block guest invitations, and regulating guests with PIM and RBAC. But the perennial question - the elephant in the room, as it were - has always been this: "I have the tools now to control adding guests to my tenant, but how can I - as an administrator - prevent my own users from joining other tenants as guests?" How can I control that? Block that? Up until this point we would typically say one of two things. One - it's the responsibility of the destination to control guest invitations, even though typically we know from our own field experience that many orgs are always very active when it comes to guest management. Number two. It's by design - and if we simply turn off Guest access lock, stock and barrel, then we shoot ourselves in the foot collaboratively. But reaching for that security and compliance hat, as I have so often done of late, there are legitimate reasons that we may want to stop our own users being guests in other tenants. What if a competitor invites one of our users into their tenant to collaborate on something they aren't supposed to? What if our users were spending most of their time as a guest in tenants that have nothing to do with our business? What if I as an admin want to limit certain users who are prone to accidental data leakage, or what if we just wanted to limit overall sprawl? So it should please administrators that we now have Cross Tenant Access Settings (CTAS) in preview, which can do what we need.
CTAS is defined as giving granular control over how external Azure AD organizations collaborate with you (inbound access) and how your users collaborate with external Azure AD organizations (outbound access). We'll focus on outbound access in this one. To note right off the bat, this is designed to work with other Azure AD organizations - if, for example, you are working with other organisations which are non-AAD or have personal domains, you'll need to use Azure B2B Management. You'll need Global Admin or Security Admin roles to configure it - and AAD P1 licencing if you want to go granular with users or groups.