r/microsoft365

We currently have about 70 odd users with Business Premium, however as most of our users prefer to use the google suite i'd like to try and cut down on license fees a little.

We currently rely on MS for

• IDP, for sign in to slack
• intune, to join and manage windows mac and mobile devices using the microsoft accounts.
• office suite on pcs, like outlook, word, excel, etc.

I would like to give everyone just an "apps for business" license, but my concern is this will break intune management. (and, possibly, IDP, or does only the global admin need an azure AD license?)
Thus, in order for intune to function

Can the global admin have 1 standalone intune license, and all other users just have apps for business? OR must everyone additionally have a standalone intune license for that to work?

is there a version of apps for business that includes intune as an addon?

Was not able to find a clear answer on this elsewhere unfortunately

It’s the weekend, which finally gives me time to finish things I’ve been building for way too long.
I’ve been working on this Azure Automation Runbook on and off for quite a while, and today I finally wrapped it up. Of course, I wanted to share it with you all.

In short:
The Runbook automatically identifies inactive Enterprise Apps (Service Principals) in your Entra tenant.
It checks the Microsoft Graph Beta sign‑in logs to see which tenant‑created apps had zero sign‑in activity in the last 30 days.
If inactive apps are found, it generates a clean HTML report and sends it via email.
If everything is healthy and no unused apps exist, it stays quiet, no unnecessary notifications 😉

As always, the full code is available in my GitHub repository, which I’ve linked below.

https://github.com/Mau2rice0/World-of-M365/tree/main/Entra/Reporting/UnusedEnterpriseAppsReport

If you have ideas, feedback, or want to see additional features, let me know, maybe that’ll be my next weekend project.

#Azure #M365 #Entra

I've tested across 4 different devices (all on different networks/domains/personal) and the behavior is the same across all of them. When you click the Install Office button, or the same button for any other app that is licensed to you, the button just disappears and nothing is downloaded. Tried Incognito, different browsers, and different accounts.

I really need help from an actual human because the automated Microsoft recovery system is completely unusable now.

Today I received an official Microsoft security email saying that a “Passkey / Hauptschlüssel” was removed from my account.

I clicked “review recent activity” and saw that the recovery email had been changed to:

virginiazahri1976@horseshitmail.net

which obviously is NOT mine.

At the same time:

- my password no longer works

- my recovery methods are gone

- and now the craziest part:

My Microsoft account under my original email address (julian0804h@gmail.com) apparently no longer exists anymore.

Even the Microsoft Account Recovery page says:

“There is no account with this email.”

So I cannot:

- reset the password

- use account recovery

- contact support properly through the normal flow

I have now recreated a Microsoft account using the same email address, which made everything even more confusing.

In the OneDrive app on one of my devices, where I am still logged into what seems to be my original/lost account, I can still see all my original files and OneDrive still shows my correct email address there too.

However, when I log into the newly created account with the same email, it behaves like a completely fresh account with no files or history at all.

So it seems like my original account still exists internally somehow, but the login/alias may have been changed or detached.

It honestly looks like the attacker changed the primary alias/login of the Microsoft account so the original email is no longer recognized.

Has anyone experienced this before?

Is there ANY way to reach a real Microsoft human support agent for account takeover cases like this?

I still have:

- the original security email from Microsoft

- screenshots

- old passwords

- device info

- proof that the account belonged to me

Any help would seriously be appreciated.

We were trying to transfer authenticator access from old device to a new one. But when i tried to login to the new device it still requires to send code/number to the old one and we already deleted the account in that device.

Now when we login again to the old device it is now asking for the code/number but it is not showing. Any solution for this one?

I am trying to sign into my company's onedrive from my ipad. In order to login, it asks me to punch in the code that I should receive on my authenticator app. The authenticator app has not received any codes in a year. So I try to re-add the account to the authenticator app. Here's the catch 22. On the app itself it wants me to type the code I receive on the very same app in order to add the account.

In other words, Authenticator app wants me to type a code I received on the authenticator app in order to add an account that is not receiving codes on the authenticator app.

The case has already been opened with the Microsoft Data Protection Team, there is an active case ID, and an engineer has been assigned.

The problem is that for almost two weeks now, communication has essentially been stuck in a loop of automated or repetitive responses. I send an email, and the engineer replies with the same information that was already sent two weeks ago. Then there are callback attempts, but either there is silence on the other end, the connection quality is too poor to communicate, or the call suddenly disconnects with no follow-up afterwards.

Meanwhile, we are still completely locked out of the tenant due to MFA failure on the only Global Admin account.

Has anyone successfully resolved a sole Global Admin MFA lockout or managed to reach the correct escalation path?

Hey everyone,

We have run into a bit of an administrative nightmare. Most of our clients are strictly geo-blocked to our home country via Conditional Access.

Lately, we have been getting a surge of "I'm going abroad for a week" tickets. Our current process is manually creating/editing Named Locations and CA policies for each user/trip. It’s becoming impossible to track, and we’re constantly finding "stale" policies for trips that ended months ago.
How are you scaling this?

Would love to hear how you guys keep your CA policies clean without spending 5 hours a week on travel tickets.

Hey folks,

long-time lurker, first time posting something this specific. We’re not new to M365 migrations, but this split has a few constraints that make me want a sanity check from people who’ve actually done it recently.

The setup:

• Company splits into two. We’re taking 23 users to a brand new tenant with a new domain

• Old tenant = M365 Business Standard, licenses expire in ∼2 months but tenant will stay up for 3-4 months (old MSP keeps it alive).

• New tenant = M365 Business Premium, fresh.

• Goal: move mailboxes, OneDrives, SharePoint team sites (4-5, nothing huge), and Teams. Client would really like to avoid third-party tools this time.

Budget = strict,they’ll accept losing Teams channel history if needed.

We’ve done plenty of tenant-to-tenant with BitTitan/MigrationWiz before, so I know the “easy” way. This time I’m trying to stay 100% native.

What I’m planning:

1. Mailboxes (23)

Native cross-tenant mailbox move. I know the drill: buy the one-time Cross-Tenant User Data Migration license (can be on target only), create the multi-tenant Entra app with Mailbox.Migration, grant admin consent on both sides, set up the Org Relationship inbound/outbound, mail-enabled security group for scoping, then New-MigrationBatch -ExchangeRemoteMove.

My question: anyone done this recently on small Business tenants (not EA)? Docs say it works, but in real life, how’s the reliability? Any gotchas with delegates, shared calendars, or recurring meetings blowing up? Throttling is my biggest fear for a 23-user cut.

Plan B if we skip the license: convert everything to Shared Mailboxes before the Standards expire (50GB each), PST export via Compliance Search, then Network Upload PST import into the new tenant. It’s ugly but doable for 23. Would you just pay for the 23 migration licenses and be done with it?

2. Mail flow / coexistence

Client suggested "just put a transport rule on old Exchange to redirect to @newdomain.com". Yeah, that works on shared mailboxes even unlicensed, but if we do the native move, Exchange automatically converts the source mailbox to a MailUser with targetAddress, so the rule is redundant.

Real-world experience: do you trust the automatic MailUser forwarding, or do you keep an explicit rule for the first couple months? Worried about the old MSP pulling the plug early and us getting NDR loops.

3. SharePoint

This is where Microsoft annoys me. The official Cross-tenant SharePoint Migration is EA-only and billed per 100GB. We’re Business Premium, so no dice.

SPMT doesn’t do tenant-to-tenant directly. So my native options are:

a) PnP.PowerShell copy (loses versions, have to rebuild perms)

b) Leave old sites read-only and give users B2B guest access for 3 months, then archive

Anyone managed to get the cross-tenant SharePoint tool enabled without EA (via CSP maybe)? Or do you have a PnP script that doesn’t make you want to quit IT? I’m fine losing version history, I’m not fine rebuilding 200 unique permissions by hand.

4. Teams

I know UDM (the new Orchestrated User Data Migration, still in preview last I checked) moves mailboxes, OneDrive, 1:1 chats, group chats, and meetings. It explicitly does NOT move channel messages. Microsoft’s own doc: “This feature doesn't include migration of Teams content, channels or associated structure.”

So what do you actually do for channel history in a split? Tell the client “it’s gone, start fresh”? Or dump it with Graph (Get-MgTeamChannelMessage) and stick the JSON/HTML into a SharePoint library as a read-only archive? I don’t need the threads to be live, I just need them searchable for “what did we decide in February”.

If you’ve scripted this, was it worth the effort or just pain?

TL;DR:

23 users, company divestiture, old tenant dies in 3 months. Trying to go full-native: pay for cross-tenant mailbox licenses, PnP SharePoint manually, accept loss of Teams channel posts. Am I saving the client $1k in tools just to create 40 hours of manual work for myself?

Not looking for vendor pitches or links to MS Learn (I’ve read it, twice). Looking for “yeah we did this last quarter and here’s where it bit us.”

Appreciate any war stories.

Pz

Apologies in advance, I bet this question has now been asked a thousand times.

I have a Dell XPS 13 that is now five years old but chugs along quite well.

I recently had to have the battery replaced: it was overheating and had swelled.

The technician who did this for me expressed horror at my having McAfee on the laptop and said that it hogged my memory and reduced performance. He said that Windows Defender was just as good and used up less memory. So, with my approval, he disabled McAfee.

Was this a good decision? Am I at risk of anything?

Is there any way of using the Microsoft suite for free on IPad other than the website? I am no longer a student and it is kind of driving me insane.
Edit: what I needed is a free version that I can use. I have The app, but I cannot edit because I am a free user. I guess I will just stick to Google Docs.

I’m trying to figure out if it’s possible to control access to a specific file in Microsoft 365 (SharePoint / OneDrive) based on the user’s IP address.

What I’m looking for is something like:

• Only allow a file to be opened if the user is coming from a specific IP address or range
• Block access to that same file if accessed from outside that IP range

I’ve looked into Sensitivity Labels in Purview and Conditional Access in Entra, but I’m not seeing a clear way to tie IP restrictions directly to an individual file.

Is this something that’s actually supported at the file level, or is IP restriction only possible at the SharePoint site level?

Would appreciate any clarification from folks who’ve implemented something similar. This is driving me nuts!

TIA

This started with our receptionist's phone (Yealink MP58) needing to be restarted after an update. She can't sign back in even after a full reset and Broker authentication, she get's the message "Sorry, but we're having trouble signing you in, please try again". I tried wth a different phone (MP54), same issue. Any phone that get's signed out of or restarted, now can't be signed back into.

I even reflashed one of the MP54s with Yealinks package, no change. As soon as you attempt to Broker auth and sign in, the phone displays the message.

As a paying customer for since 2009, why are customers being ignored when their accounts are stolen. I just realized, I have an account with PROOF of my identity... right down to an authenticator. Paypal receipts and all.. WHY cant CDOC or whatever their abbreviation is accept this? Even the department that manages that account identified me as me? Right down to the authenticator serial number. I provided PUID, CID, etc.. all confirmed.. even by the xbox team.

Hello,

 

We believe that our previous mails have adequately addressed your inquiry, and this will be our final correspondence on this matter.

This ticket will now be closed and will no longer be monitored. If you have a question on a new matter, please contact the privacy team: https://go.microsoft.com/fwlink/?LinkId=521839#mainhowtocontactusmodule . New tickets regarding the same matter will not be responded to.

You can learn more about Microsoft and your privacy at Privacy at Microsoft . Your privacy is important to us; our Privacy Statement  explains the personal data Microsoft collects, how Microsoft processes it, and for what purposes.

Please note that content like emails, contacts, and chats are accessible through in-product experiences. You can find more information about data you are able to control within Microsoft products by visiting our Privacy Frequently Asked Questions (FAQs) .

 

Best Regards,
Fryx
Microsoft Privacy