Identity
21 Topics

Azure AD Join (Entra Join) vs Hybrid Azure AD Join vs Azure AD Registration (Workplace Join)
I still find it hard to understand the differences between Azure AD Join (Entra Join) vs Hybrid Azure AD Join vs Azure AD Registration (Workplace Join). I know Azure AD Registration (Workplace Join) is supposed to be best for Personal devices (BYOD) but if you have security as an important part of your business why would you want to allow this? You could end up with a billion random machines in your Entra. What's the benefit of this? Also, if I have a Hybrid environment and I have both cloud and on prem apps that do auth via both on prem (for on prem apps linked to AD) and Entra for cloud, do I need to be Hybrid Azure AD Joined to support on prem and cloud? Or will a person working from an Azure AD Joined machine still be able to access on prem resources like file servers and any app that uses AD groups for auth, access provisioning etc?
51 Views, 0 likes, 2 Comments

Microsoft 365 Subscriptions
In the fourth quarter of 2024, I decided to upgrade my machine and tried out a web only version (freeware) of Microsoft 365. After some time, I found out that I was not getting the qualities I needed for documentation to be presentable as Microsoft Word and Excel were not usable for print formats. I decided to buy a Microsoft 365 Business subscription (bought through my domain provider) which allowed me to use my email address attached to me and my website domain. This allowed me to also download desktop copies of Word and Excel. However, I ran into problems with old accounts colliding with my new ones... for example, Skype for Business, Microsoft Store, and Microsoft Live would constantly appear in my installation admins. If I attempted to install them, the installation would fail and get stuck, i.e., I could not remove them. Microsoft message pop-ups would state, "You cannot install this on a 'work' account." I thought to myself, "Okay, I installed my Windows OS as a 'Work Account' on my new machine." This made sense, because I could go to my browser on my new machine and I could go to my old laptop that had absolutely no Microsoft 365 on it and access my Office from my browser profile. My old laptop is the only machine that accepts the Windows Live email address, i.e., it acts as a Windows Live access service via the 'free' Outlook account to which it is attached. However, now that all these items are separated by Work or Home classification, I keep getting messages that state, "We cannot renew your Microsoft 365 account." But my Work account should not be attached to Microsoft Live accounts... should it? After all, it uses Entra ID for access and the subscription is bought through my domain vendor. Why is Microsoft Support sending me these emails? My original setup accessed Microsoft Live accounts via the web through my old laptop using my free Outlook email and looked something like the graphic below:
64 Views, 0 likes, 1 Comment

Force users to "entra register" their devices
Hi, is it possible to force users to register their devices when they log in with their company account to any other device than company owned? I tested on my private smartphone. Logged in as normal user with company account and my device did not show up in Entra as "Microsoft Entra registered". Any ideas? Thanks
Solved, 458 Views, 0 likes, 4 Comments

Compliance licenses at tenant level
Hi, We are a small organization of about 200 employees, and we have the following requirements.
- DLP policies configuration at Exchange, OneDrive, SharePoint
- BYOD security
- Users should not be able to send files outside the org
- And so on as we evaluate
We already have M365 Business Premium. However, after researching we figured out that M365 Business Premium alone will not solve our requirements. Maybe a compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses as this will be expensive for us and there is no requirement at all for our users. The question is: is there a way to solve the above scenario?
159 Views, 0 likes, 2 Comments

Hidden Group and Hidden Group Membership
Hi everyone! I have come across a requirement where the client would like to use an Excel spreadsheet, a service account and application registration to manage group membership for a confidential group. They would like to create a group from which the members cannot leave, see other team members and cannot see the group itself. Now, I have the concept of the flow with me but for the life of me, I cannot get around to finding/configuring a group that meets the requirement. Have you guys come across this sort of scenario?
Group Configuration:
- Users should not be able to view the group
- Users should not be able to view members of the group
- Users should not be able to leave the group
Thanks in advance.
474 Views, 1 like, 2 Comments

Microsoft 365 Windows 11 external user or guest user sign in
Consider the following situation: CompanyA has a Microsoft 365 tenant with licensed users. CompanyA has a business relationship with CompanyB which also has a Microsoft 365 tenant. All of CompanyB's Windows 11 Pro computers are Entra ID joined and Intune enrolled. All of CompanyB's users have Microsoft 365 Business Premium licenses. An employee of CompanyA is stationed at CompanyB's office and needs to use one of CompanyB's computers as his primary computer. How would a technician have to configure things so that CompanyA user can sign into CompanyB's Windows 11 Pro computer and work like normal? I've done some reading online but most of the articles focus on access to cloud resources, whether that be Microsoft Teams or Entra Enterprise Apps or similar resources. I haven't found an article touching on Windows 11 sign in.
Matthew
372 Views, 0 likes, 1 Comment

Add EXTERNAL Teams account details to a contact in the GAL
We collaborate a lot with another company who have their own tenant. When we want to message an “external” user in Teams we have not messaged before, we must first search and type in the full email address, then select "(External)" to message them. We also have these same users as contacts in our GAL for email. The problem we have is that when you start searching for the user, the GAL contact comes up first, and users think that this is the correct Teams user account so they select this instead of typing further to bring up the real external account. If they do make it as far as to type out the full email address, then two users show up, one from the GAL and one with "(external)" in it. This is not a great user experience. We'd like to know if there is a way in which we can import the external user to our GAL, or if we can populate the GAL contact with the Teams attributes of the external user. The end goal is to have a GAL contact which the user can click to message in Teams. Has anyone come across this before and has a solution?
109 Views, 1 like, 2 Comments

Add EXTERNAL Teams user to GAL
We collaborate a lot with another company who have their own tenant. When we want to message an “external” user in Teams we have not messaged before, we must first search and type in the full email address, then select "(External)" to message them. We also have these same users as contacts in our GAL for email. The problem we have is that when you start searching for the user, the GAL contact comes up first, and users think that this is the correct Teams user account so they select this instead of typing further to bring up the real external account. If they do make it as far as to type out the full email address, then two users show up, one from the GAL and one with "(external)" in it. This is not a great user experience. We'd like to know if there is a way in which we can import the external user to our GAL, or if we can populate the GAL contact with the Teams attributes of the external user. The end goal is to have a GAL contact which the user can click to message in Teams. Has anyone come across this before and has a solution?
90 Views, 0 likes, 1 Comment

Moving Exchange Account Source Account
I have a very complex environment, and I'm hoping someone might jump-start my search. We have two domains syncing to Entra ID. One domain is a resource forest where our Exchange environment sits. That domain contains disabled stub accounts synced to our primary domain where the actual user accounts sit. The source for all EXO mailboxes is the stubs in the resource forest. Those accounts are kept in sync using FIM 2008. We're wanting to decom that entire resource environment and move all of the attributes to the primary domain. The resource domain schema is the last version of Ex 2016. The primary domain schema is Ex 2010 SP1. I know my first step is to update the primary schema, however, has anyone encountered a situation like this? Any help would be greatly appreciated.
24 Views, 0 likes, 0 Comments