May 31, 2026

August 4, 2023 | Dan

Scanning With Microsoft Lens The Right Way


Scanning with Microsoft Lens is a great way to get documents that are not on your phone scanned and sent to various outlets. Good examples are PDF, OneNote, PowerPoint, Word or Saved to OneDrive. You can later take the scans and share them using your normal methods on your phone (Email, Text, Teams, etc.). It definitely can be used as part of the apps you deploy when you enroll devices like smartphones.

How To Scan With Microsoft Lens

This assumes you have already downloaded and installed the app from your normal app store (Google Play, Apple, Samsung Galaxy, etc.).

Once installed, do the following:

  • Tap the Lens icon on your phone.
  • It will open to a scan window with the setting on Document.
  • Tap the shutter button and then tap Confirm on the focused document.
  • Then tap Done.
  • Here you will have the options to save as. Once you choose your method, tap Save.
  • The scan is saved to My Scans.
  • Tap on the scan you just created and tap the share button.
  • Your default PDF reader will open the document. In this example I am using Adobe. I do not have a cloud account with Adobe, so I tap “SEND A COPY”.
  • Your default email app will open and you will be able to send the document as an attachment.

As an aside, above I mentioned that there are several places you can choose to put your scan (PDF, Word, PowerPoint, OneDrive). If the device you are using is for personal use, it really does not matter what you choose. However, if it is a business device, your O365 Administrator may disable some of those options even though they show as available.

I will give you an example. You have Microsoft Lens on a company-enrolled device, but the device is a general-purpose one used by many users. I explained in an earlier post how to deal with devices when MFA is not possible. You will want to disable options like OneDrive if you do not want items saved in the cloud.

This is just the start of what Microsoft Lens can do. If you want more info, go here.

July 12, 2023 | Dan

One Way to Enhance Conditional Access


I wrote an article a while ago about how to use Conditional Access when MFA is not possible. In some cases you need to enhance Conditional Access.

What is Conditional Access?


As a refresher, Conditional Access is a part of Azure AD that helps organizations improve security and compliance. By creating Conditional Access policies, you can tweak your authentication process.

Think about the old way of authentication: you require a user to supply a username and password. Most of the time, it’s the legitimate account owner typing them in, and the user can go on to access all the data, applications and other resources they’ve been granted permissions for. But consider this: an attacker has stolen or guessed a user’s credentials. Now they are accessing your network, and you could have a breach on your hands.

You can use Azure AD Conditional Access to strengthen the authentication process. For example, you can create a policy to require users in a certain group to only log in on devices that are recognized by the organization (at least Azure AD registered) and block all others. This will also help you pinpoint a breach a lot quicker. I will show you how in the next section.

Limit a User’s Login With Conditional Access

Log in to your Azure Active Directory (AD) portal, go to Conditional Access and add a new policy.

Give your policy a name and then add the users or groups that you want to include in this policy (in my example I added a group).

Next, you can move to the next step, which is what applications you want to restrict login to. In this example, I have chosen Office 365.

Enhancing Conditional Access

The next part enhances the access by making sure all types of apps are blocked. This means no browser access and no desktop or mobile app access. Click on Conditions and then Client apps.

Check “Other clients” if you still use POP, IMAP and SMTP, but I hope you don’t. Those are legacy protocols.

This is the most important part of the Conditional Access policy.

In the Filter for Devices section, you exclude devices from the policy by “Trust type”. If a user account from the group specified above signs in from a device that is NOT one or more of the trust types you specify, they ARE included. I kept it simple and chose Azure AD registered. I am in a Hybrid environment and our devices are not joined to the cloud, only registered.

The last section is to block all access to the aforementioned apps.

You could save the policy and start using it right away, but that would not be a good idea. Save it as “Report-Only” and then check your Azure AD sign-in logs to make sure it is working. Look at the logs by going to Azure AD / Users / Sign-in Logs. You will see a list of your users’ sign-ins. Filter for a time period where you have the Report-Only Conditional Access Policy in place.

Pick a user account that you know is included in the policy. If you see this, then the policy would not block them if it were on:

If you see the following, the device would be blocked from signing in if the policy were on:

Users can expect to get this screen when they try to log in:

You can investigate the sign-in to make sure it is not a false positive. Let the policy run in “Report-Only” mode for a while until you are sure it is running as it should and then turn it on. You have now enhanced your Conditional Access policy.
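The same policy and the Report-Only review can be scripted with Microsoft Graph PowerShell. This is an added example, not the author's own script; it assumes the Microsoft.Graph module is installed, and the policy name and group ID are placeholders.

```powershell
# Added example. Placeholders: $PolicyName and $GroupId are not from the post.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All'

$PolicyName = 'Block O365 on unregistered devices (example)'
$GroupId    = '00000000-0000-0000-0000-000000000000'   # object ID of the targeted group

function New-ReportOnlyDevicePolicy {
    # Mirrors the portal walkthrough: one group, Office 365, all client app
    # types, devices excluded by trust type, and "block" as the grant control.
    $body = @{
        displayName = $PolicyName
        state       = 'enabledForReportingButNotEnforced'   # Report-Only
        conditions  = @{
            users          = @{ includeGroups = @($GroupId) }
            applications   = @{ includeApplications = @('Office365') }
            clientAppTypes = @('all')
            devices        = @{
                deviceFilter = @{
                    mode = 'exclude'
                    # "Workplace" is the trustType value for Azure AD registered devices
                    rule = 'device.trustType -eq "Workplace"'
                }
            }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Get-ReportOnlyResult {
    # Returns one row per sign-in that this policy evaluated in the last $Days days.
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('s') + 'Z'
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | ForEach-Object {
        $signIn = $_
        $signIn.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $PolicyName } |
            ForEach-Object {
                [pscustomobject]@{
                    User      = $signIn.UserPrincipalName
                    App       = $signIn.AppDisplayName
                    Device    = $signIn.DeviceDetail.DisplayName
                    TrustType = $signIn.DeviceDetail.TrustType
                    Result    = $_.Result
                }
            }
    }
}

# Create the policy once, let it collect sign-ins, then review:
# New-ReportOnlyDevicePolicy
# Get-ReportOnlyResult -Days 7 | Group-Object Result | Select-Object Name, Count
# Get-ReportOnlyResult -Days 7 | Where-Object Result -eq 'reportOnlyFailure' | Format-Table
```

A `reportOnlyFailure` result marks a sign-in the block would have stopped, and `reportOnlyNotApplied` marks one the policy would have left alone, for example because the device matched the excluded trust type.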

Happy IT’ing

Dan

June 15, 2023 | Dan

Add External Email to a Distribution List in Exchange Online


You may find a need to send an external email to a distribution list in Exchange. We always think of DLs in Exchange as primarily internal, but technically you can set up a list that only goes to external recipients.

A good example is sending a notification to a group of external recipients on a regular basis and you don’t want your users to address them individually each time.

This is similar to creating a list for a resource, but externally.

How do you create a DL for external recipients? It is quite easy. You create Mail Contacts and add them into an internal DL.

Here’s how:

Create an External Email to a Distribution List in Exchange

  1. Open the Microsoft 365 Admin Center.
  2. From the Users pane, select Contacts.
  3. Click Add Contacts.
  4. Enter the details of the external contact. If you want the contact(s) to be used only in the DL, check “Hide from my organization’s global address list”.
  5. Once you have the external contacts you want to use for the DL, go to the Active Teams and Groups pane, click the Distribution list tab and click Add a Group.
  6. Follow the wizard:

Choose Distribution.

Assign an owner to the DL.

Add the contacts you created in Step #4.

Give the DL a name. Decide whether or not you want people to send email to this DL.

When you are done, click Create Group.

Voila. You have created a DL that your company can use that sends to external recipients. You can also do this using Exchange Online, but it is easy to set this up using the Microsoft Admin Center too.

The good thing about M365 is that there is a lot of functionality in it. If you look in the right places you will find out how to do most tasks well enough to administer your tenant effectively.

Happy IT’ing

Dan

May 30, 2023 | Dan

Only Specific Users Can Reserve a Resource in Exchange Online


As an administrator of M365 you may be required to make sure that only specific users can reserve a resource in Exchange. Normally a room or resource would be for the entire organization to reserve and the only thing stopping them from booking it would be its availability. Other things like room capacity, equipment resources in the room, working hours, etc., can also be a factor.

However, sometimes the room might be an office used by one person but they need the ability for a group of users (maybe members in the department) to be able to book it like a resource. I will show you how to enable this through PowerShell.

You thought you only had to worry about a calendar’s working hours…

How Only Specific Users Can Reserve a Resource in Exchange

When you initially set up a resource mailbox, it processes meeting requests from all users. What if you need to restrict it to specific users?

We can use PowerShell for this:

Log on to Exchange Online (Connect-ExchangeOnline), then issue the command below.

Set-Mailbox -Identity "resourcemailbox@domain.com" -AcceptMessagesOnlyFrom "username1@domain.com","username2@domain.com","username3@domain.com"

AcceptMessagesOnlyFrom is used for specifying which users can send to email addresses and distribution groups. However, a resource has a mailbox, so why not use it to specify who can book meetings? You can’t hide the resource and notify only the users who you want to use it, so this is the next best thing!

The requirement that only specific users can book the resource by sending meeting requests is satisfied. The resource mailbox automatically processes the meeting requests, accepting or rejecting them depending upon availability.

A pretty neat hack if I do say so myself. Sometimes it takes a little digging, but once you find the different ways to use what M365 already has available, you can accomplish pretty much anything you need to properly administer your M365 tenant.

Happy IT’ing

Dan

May 10, 2023 | Dan

Try Windows 11 in 5 Steps


So you would like to try Windows 11? Well, it is pretty easy. We are starting to see more of these installations, and it is important that your currently running software works with it. It is better to test before upgrading so you know what works and what doesn’t before a full-scale upgrade. I strongly suggest rolling it out in phases and per Microsoft’s recommendations. All you have to do is follow these five steps.

  1. Have at least Windows 10 Professional
  2. Install Microsoft Hypervisor Manager
  3. Download the Windows 11 ISO
  4. Create Your Virtual Machine
  5. Configure Your Newly Installed Virtual Machine

I will show you how to do this in the next sections:

Have at least Windows 10 Professional

Unfortunately, you can’t just have “Windows 10”; you also need to meet the following requirements:

  • Windows 10 Enterprise, Pro, or Education
  • 64-bit Processor with Second Level Address Translation (SLAT).
  • CPU support for VM Monitor Mode Extension (VT-c on Intel CPUs).
  • Minimum of 4 GB memory. You will need at least 8 GB if you are going to use Microsoft Hypervisor Manager.

The Hyper-V role cannot be installed on Windows 10 Home.

Install Microsoft Hypervisor Manager

To install the Hypervisor Manager, you need to go into Settings or the Control Panel and add it through Windows Features.

All that is left is a reboot and then you can proceed to the next step.

Download the Windows 11 ISO

Please go to Microsoft’s Windows 11 site and download the ISO file for your region. I would recommend the Multi-Edition ISO so you can decide what version is best for you. You can leave it in the download folder of your favorite browser or you can move it to a location you would like. Just remember where you saved it. You will need it for the next step.

Create Your Virtual Machine

First, verify that your computer can support virtualization in the BIOS / UEFI. Start the Microsoft Hypervisor Manager and click New / Virtual Machine.

This will start the Virtual Machine Wizard.

Click Next.

Name Your Machine and Click Next.

You need to choose Generation 2 as Windows 11 uses these features in order to run. You will have to come back after configuration to set the number of processors you want your virtual machine to use.

Assign at least 4 GB of memory. This is a minimum requirement for Windows 11. Having said that you will need at least 8GB of RAM on your host machine to be able to run the virtual machine. I have 16 GB of RAM on my machine. It was really helpful.

For the Networking section, choose “not connected” for now. We will set it up after the Virtual Machine is created. For now, just click Next.

For the Virtual Hard Disk, just accept the defaults and Click Next.

In this section, please choose “Install an operating system from a bootable image file” and browse to where you saved the Windows 11 installation ISO. Click Next.

Click Finish and your Virtual Machine has been created. Now let’s configure it.

Configure Your Newly Installed Virtual Machine

Go to the main window of the hypervisor manager and right click on the virtual machine you just created and choose “Settings”. We need to configure the processors so Windows 11 can run and the networking so it can access the internet / intranet through the host machine.

Adjust the processors by clicking the item on the left pane. On the right choose 2 processors to start. That should be enough for testing purposes.

Go back to the Main window and in the right pane you will see the Virtual Switch Manager. Double click that and you will be able to create a virtual switch so the VM can get networking:

Select External and Click Create Switch:

Name the Switch and click OK.

Go back to the settings of your VM and choose Network Adapter from the left pane. In the right pane choose the virtual switch you created from the drop down and click OK.

Conclusion

You are now ready to try Windows 11. Just double-click the machine you created in the main window of the Hypervisor Manager and it will begin the installation process of Windows 11 as if you were running it on bare-metal hardware. It’s like hardware troubleshooting: you need to make sure your systems will work reliably and predictably with the new OS.

Happy IT’ing

Dan

April 18, 2023 | Dan

Set up Working Hours in O365 Calendar (Two Ways)


You might think your working hours in O365 Calendar are set up properly, but something is not right. Users are noticing that when they book appointments in a shared calendar or their own, the working hours for the organization do not match what is in the calendar. There are two places to check for this depending on which type of calendar you are booking in. Let’s go through the ways.

Set Working Hours in Your Own Calendar

This is set locally in your Outlook client and can be accessed by going to File / Options / Calendar and changing the Working Hours to your organization’s start and end time.

It is a good idea to make sure you have the proper time zone chosen as well.

If you are using the webmail version of Outlook, go to Settings (gear icon), then “View all settings” at the bottom, and change the working hours and time zone there.

Set Working Hours in a Shared Calendar

To accomplish this, you need to be an admin in O365. It requires some PowerShell commands. If you have a lot of shared calendars you need to change, you will want to use a foreach loop to cycle through them all.

Use this command to ensure your calendars have the right working hours and are operating in the correct time zone:

Example:

Set-MailboxCalendarConfiguration -Identity <UPN> -WorkingHoursTimeZone "Eastern Standard Time" -WorkingHoursStartTime 08:00:00 -WorkingHoursEndTime 17:00:00

If you need to configure many calendars, use a PowerShell script:

## Declare variables
$CSVPath = "FilePathHere\SharedCal.csv"

## Try to import the CSV file; it needs a "calname" column identifying each shared calendar
try {
    $SharedCals = Import-Csv $CSVPath -ErrorAction Stop
}
catch {
    # throw stops the script here, so nothing is changed if the import fails
    throw "Error importing CSV: $($_.Exception.Message)"
}

## Apply the same time zone and working hours to every calendar listed in the CSV
foreach ($SharedCal in $SharedCals) {
    Set-MailboxCalendarConfiguration -Identity $SharedCal.calname -WorkingHoursTimeZone "Eastern Standard Time" -WorkingHoursStartTime 08:00:00 -WorkingHoursEndTime 17:00:00
}

In this case, when a user wants to book into a shared calendar, they will only see the work hours as free (white space). They can book outside of the available working hours; they just can’t see it until after they book.

If you follow these two ways to adjust Working Hours in O365 calendar, you will have absolutely no problem scheduling meetings!

Happy IT’ing

Dan

April 13, 2023 | Dan

Allow Specific Users to Auto-Forward


You would like to allow auto-forwarding to specific domains. Great! What if you want to allow specific users to Auto-Forward? Back in the day you could probably only allow / disable domains from auto-forwarding. However, with the ever changing landscape that is M365 you now can get more granular with the process. Now you can specify exactly what users are allowed to do this.

It is a bit of a trick. If you know a bit about Exchange Online Admin and the Security Portal, you will have no problem, especially if your users aren’t using Microsoft Flow. I can show you in two steps.

Allow Specific Domains to Auto-Forward in Exchange Online Admin

It is extremely important that you set this up correctly or the next step won’t work. Basically, you need to disable all domains (* – default domain) from auto-forwarding and then specify exceptions. When done like this, the exceptions are processed first. Go to Remote Domains in Exchange Admin:

These are the settings you need to have for the default domain:

Next, the remote domains you want to allow forwarding for should be set up like this:

Allow Specific Users to Auto-Forward in Exchange Online Admin

Now that you are done with step one, navigate to the Microsoft Security Portal, under Email and Collaboration / Policies and Rules / Anti-Spam. Here you will see your Anti-Spam policies.

The Anti-Spam Outbound Policy (Default) should already be there. You just need to add your own Custom Outbound Anti-Spam Policy. Below is what the Default Anti-Spam policy should look like:

Unfortunately specifying groups does not work. I have tried several ways and even reached out to Microsoft about this. They tried their best to help but, in the end, I was told it is a limitation of the software. They encouraged me to go to Microsoft’s Feedback Portal and put a request in. If it gets enough votes, it might make it into a future release.
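The two steps above, expressed as Exchange Online PowerShell. This is an added example, not the author's commands: the partner domain, sender addresses and policy name are constructed placeholders, and the default outbound policy is left untouched because its intended settings are only shown in the post's screenshots.

```powershell
# Added example. Run after Connect-ExchangeOnline.
# Constructed placeholders: partner.example, the contoso.example senders, the policy name.
$PartnerDomain  = 'partner.example'
$AllowedSenders = 'user1@contoso.example', 'user2@contoso.example'
$PolicyName     = 'Allow auto-forward for named users (example)'

# Step 1: the default remote domain (*) blocks automatic forwarding...
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# ...and each destination domain you allow is an explicit exception.
if (-not (Get-RemoteDomain | Where-Object DomainName -eq $PartnerDomain)) {
    New-RemoteDomain -Name $PartnerDomain -DomainName $PartnerDomain | Out-Null
}
Set-RemoteDomain -Identity $PartnerDomain -AutoForwardEnabled $true

# Step 2: a custom outbound anti-spam policy that permits forwarding,
# scoped to individual senders (groups are avoided, as the post reports
# that group scoping did not work).
New-HostedOutboundSpamFilterPolicy -Name $PolicyName -AutoForwardingMode On | Out-Null
New-HostedOutboundSpamFilterRule -Name $PolicyName `
    -HostedOutboundSpamFilterPolicy $PolicyName `
    -From $AllowedSenders | Out-Null

# Review what is now in effect.
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-HostedOutboundSpamFilterRule | Select-Object Name, State, Priority, From

# Audit: mailboxes that currently have mailbox-level forwarding configured,
# to compare against the list of senders you meant to allow.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward
```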

Happy IT’ing

Dan

April 11, 2023 | Dan

Use Power Automate (Microsoft Flow) to Send Emails


Your organization has turned off automatic forwards for security reasons. It helps protect emails from being forwarded to a hacker’s email address if your account becomes compromised. It also stops a disgruntled employee from sending information to the wrong place. If you use Power Automate (Microsoft Flow) it is more secure.

So, what if you have an email that you always like to send to a coworker(s) and you do not want to use a DL? You can use Power Automate (which is included in Office 365) to do this for you.

Power Automate is different than using Inbox rules to forward email. It executes actions as you do instead of completing the action without a record (like auto-forwarding did). You can see what you have done, and it satisfies basic security that blocks forwarding of messages to external recipients.

If you use MFA to log in to Office 365, it is pretty much a bulletproof way of forwarding mail. If an Admin has disabled auto-forwarding across the organization, it is practically impossible to be compromised.


Steps To Use Power Automate (Microsoft Flow)

To set up an email re-direct to an external user, follow the steps below.

Step 1: Go to flow.microsoft.com and sign-in with your Office 365 account. Then click “Create”. We are going to create one from scratch.

Step 2: Name your flow and choose the trigger. The trigger you want is “When an email arrives.” Power Automate maintains its own API-level access, like Microsoft Graph, to connect to services, so no password is needed.

Step 3: Edit your email “rule”. We want to use the subject filter, so we choose “Show advanced options” and then type what we want in the Subject Filter. You will see there are many options, and other advanced conditions to filter email.

Step 4: Now tell Power Automate “What to do next”. In this example, Power Automate is looking for emails with what you are looking for in the subject line, but you need to tell it what to do next. You want to choose “New Step” and then choose “Forward an Email” for Office 365 Outlook.

Step 5: Program your forward rule. This is imperative. You must ensure that you choose the “Message ID” of your email from step 1. Use the search in the “Message ID” box and you will get a list of options; choose Message ID.

Step 6: Program your rule, continued. Finally, enter the email address you want to send the email to and then hit Save. If you followed all the steps above, you should get a “Saved Successfully” message. If you get an error, you can use the flow checker to see what is broken.

Step 7: Run the rule. You may need to modify the rule. In the example, any email that is received with the subject line you specify will be forwarded externally. Test the flow prior to running the rule. Give it a few minutes so the cloud can do its thing and sync, but you should be good to go!

Happy IT’ing

Dan
