MSB365

How to lock down Exchange Online so EOP refuses direct external mail

drago — Mon, 27 Apr 2026 14:36:48 +0000

Microsoft 365 · Email Security

A practical, step-by-step guide for tenants running a centralized mail flow with a third-party
Secure Email Gateway (SEG) — and discovering that mail and spoofing attempts still slip in
directly through Exchange Online Protection.

Security-relevant
Exchange Online
EOP / Defender
Production-ready

The problem in a nutshell

In a centralized mail flow setup, every inbound message is supposed to travel a single,
well-defined path: the public MX record points at a third-party Secure Email Gateway
(Mimecast, Proofpoint, Cisco IronPort, Barracuda, an on-premises Exchange edge — pick your
flavor), the gateway scans and filters the message, and only then is it handed off to
Exchange Online Protection through an authenticated connector.

In the real world, things are messier. Many organizations notice — sometimes only after
a successful phishing attempt — that mail is reaching mailboxes directly through
EOP, completely bypassing the gateway that was supposed to be the first line of
defense. Often these messages are spoofed, claiming to come from internal addresses such
as ceo@yourcompany.com.

The desired state

Allowed mail flow

Internet

→

SEG / Gateway

→

EOP (via connector)

→

Mailbox ✓

Mail flow to be blocked

Attacker

⨯

tenant.mail.protection.outlook.com

⨯

EOP direct

Gateway bypass via direct SMTP connect to the EOP MX endpoint

What we want to achieve:

Block Direct Send — anonymous mail using your own domains, sent straight to EOP, must be rejected.
Restrict the inbound connector — only the SEG’s IPs or TLS certificate may deliver mail.
Stop spoofing — strict SPF, DKIM and DMARC, plus EOP anti-spoofing in enforcement mode.
Stay auditable — message trace and Defender reports must show every bypass attempt.

Why does EOP accept mail directly in the first place?

Every Microsoft 365 tenant has a publicly resolvable MX endpoint of the form
.mail.protection.outlook.com. Regardless of where your MX record
actually points, that endpoint is reachable from the internet and — by default —
accepts anonymous SMTP connections for any of your accepted domains.
Microsoft calls this mechanism Direct Send.

Direct Send is officially intended for printers, scanners, and legacy line-of-business
apps that need to drop mail into internal mailboxes without authenticating. Convenient —
but it’s also exactly the mechanism attackers exploit to bypass your gateway and impersonate
internal senders.

Important to understand

A centralized mail flow or an MX record pointing somewhere else does not
protect you against Direct Send. The MX record is just a DNS hint. Attackers can connect
to the EOP endpoint directly at any time — unless you’ve explicitly hardened the tenant.

The fix is multi-layered: the tenant-wide RejectDirectSend flag, a tightly
restricted inbound connector, a transport rule as a safety net, and proper anti-spoofing
configuration. We’ll walk through each of them.

Prerequisites

Permissions

Organization Configuration (for Set-OrganizationConfig)
Exchange Administrator or Global Administrator (connectors and rules)
Security Administrator (Defender policies and anti-phishing)

Tooling

# Install the Exchange Online module if you haven't already
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser

# Connect
Connect-ExchangeOnline -UserPrincipalName admin@yourcompany.com

Information to gather upfront

The full list of public IP addresses or ranges used by your SEG, including DR/secondary regions.
Optionally, the TLS certificate subject / SAN the SEG presents when delivering to EOP — preferred over IP binding.
All accepted domains of the tenant: Get-AcceptedDomain.
Document existing inbound connectors: Get-InboundConnector | Format-List.
Current SPF, DKIM, and DMARC records for each sending domain.

Recommendation

Before changing anything, take a JSON or XML snapshot of the current state via
Get-OrganizationConfig, Get-InboundConnector, and
Get-TransportRule. It makes rollback trivial if something breaks.

Step 1 — Enable Reject Direct Send

The simplest and most powerful single switch is the tenant-wide
RejectDirectSend flag. When it is enabled, EOP rejects any anonymous
message whose P1 Mail-From address matches one of your accepted domains, unless
it arrived authenticated through an inbound connector. The sender receives the NDR
550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources.

Check the current state.
```
Get-OrganizationConfig | Select-Object Identity, RejectDirectSend
```
On existing tenants the default is False. Microsoft has announced that new tenants will get True by default starting in 2026.
Enable Reject Direct Send.
```
Set-OrganizationConfig -RejectDirectSend $true
```
Propagation across all EOP servers takes up to 30 minutes.

Verify.

Get-OrganizationConfig | Format-List RejectDirectSend
# Expected: True

Watch out — possible side effects

Before flipping the switch, identify any legitimate Direct Send sources in your environment:
multifunction printers, ERP systems, monitoring tools, marketing platforms — anything that
sends as one of your domains directly to EOP. Each of those needs a partner inbound connector
beforehand, otherwise their delivery breaks the moment the flag is enabled.

A useful starting point: review your domain’s SPF record. Every entry there is a candidate
for a dedicated connector.

Step 2 — Restrict the inbound connector to SEG IPs or certificate

RejectDirectSend only covers messages whose sender domain is one of your own
accepted domains. Spoofed mail from foreign domains delivered straight to
EOP would still be accepted. To close that gap, configure your Partner inbound
connector so that EOP only accepts inbound mail from the SEG’s IPs or matching TLS
certificate.

Option A — Configuration in the Exchange Admin Center

Open EAC at https://admin.exchange.microsoft.com →
Mail flow → Connectors → Add a connector.
Define the connection:
- Connection from: Partner organization
- Connection to: Office 365
Authenticate the partner: prefer
“By verifying that the subject name on the certificate that the sending server uses to
authenticate with Office 365 matches this domain name” and enter the certificate the
SEG actually presents. As a fallback — when no TLS certificate is available —
“By verifying that the IP address of the sending server matches one of the following
IP addresses” with all of the SEG’s outbound IPs.
Enforce delivery rules:
- Reject email messages if they aren’t sent over TLS
- Reject email messages if they aren’t sent from within this IP address range (with the SEG IPs)
Save and enable the connector.

Option B — PowerShell (idempotent and auditable)

# Example: SEG identifies itself via certificate (recommended)
New-InboundConnector -Name "From Secure Email Gateway" `
    -ConnectorType Partner `
    -SenderDomains "*" `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName "*.mail-gateway.example.com" `
    -RequireTls $true `
    -Enabled $true

# Alternative: SEG identifies itself by IP range
New-InboundConnector -Name "From SEG (IP-bound)" `
    -ConnectorType Partner `
    -SenderDomains "*" `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses "203.0.113.10","203.0.113.11","198.51.100.0/28" `
    -RequireTls $true `
    -Enabled $true

What RestrictDomainsTo* actually does

With these flags set to $true EOP effectively tells the world:
“Mail addressed to my domains is only accepted when it arrives via IP X or certificate Y.”
Any other source receives 550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message’s recipient domain and is rejected.

Method	Pros	Cons
TLS certificate	Robust against IP changes, cryptographically verifiable	Requires a valid third-party certificate at the SEG
IP range	Simple to set up	Maintenance burden when IPs change, slightly weaker

Step 3 — Add a transport rule as a safety net

Beyond the connector, it’s smart to add a transport rule as a second layer that rejects
any external mail not arriving from your allowed IP range. It protects you
against connector misconfiguration and produces a very clean audit trail in message trace.

Configuration in the EAC

EAC → Mail flow → Rules → Add a rule → Create a new rule.
Name: BLOCK – Direct internet ingress without SEG
Apply this rule if…
- The sender → is external/internal → Outside the organization
Do the following: Block the message →
Reject the message and include an explanation →
Reason: “Mail to this organization must be delivered via the official Secure Email Gateway.
Direct delivery to EOP is not permitted.”
Except if:
- The sender → IP address is in any of these ranges → your SEG IPs
- or The message headers → includes any of these words → header
  X-MS-Exchange-Organization-AuthAs with value Internal
  (prevents breaking internal hybrid mail flow)
Rule mode: start in Test with policy tips, then switch to Enforce after validation.

PowerShell variant

New-TransportRule -Name "BLOCK - Direct EOP Ingress (Bypass SEG)" `
    -FromScope NotInOrganization `
    -ExceptIfSenderIPRanges "203.0.113.10","203.0.113.11","198.51.100.0/28" `
    -ExceptIfHeaderMatchesMessageHeader "X-MS-Exchange-Organization-AuthAs" `
    -ExceptIfHeaderMatchesPatterns "Internal" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Mail not delivered via SEG." `
    -Mode AuditAndNotify `
    -Enabled $true

Mind the rule order

Place this rule before any bypass or allow-list rules (lower priority value).
Otherwise an upstream rule may silently override your block. Starting in
AuditAndNotify mode gives you a safe pilot phase before flipping to
Enforce.

Step 4 — Anti-spoofing and DMARC

The previous steps lock down the transport path. Spoofing attempts that travel correctly
through the SEG (because an attacker hijacked some other domain or abused an open relay)
still need to be caught by authentication checks.

4.1 SPF, DKIM and DMARC for your domains

SPF: hard fail (-all), only your SEG egress IPs and legitimate cloud senders (e.g. spf.protection.outlook.com).
DKIM: enable signing for every sending domain in the Defender portal under
Email & collaboration → Policies → Email authentication settings → DKIM.
DMARC: at minimum p=quarantine, target p=reject with
rua=mailto:dmarc-reports@yourcompany.com. Use a DMARC reporting service
(dmarcian, Valimail, Postmark, etc.) to make the RUA/RUF data actionable.

# SPF record
yourcompany.com.   IN TXT "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 include:spf.protection.outlook.com -all"

# DMARC record
_dmarc.yourcompany.com.  IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com; ruf=mailto:dmarc@yourcompany.com; fo=1; adkim=s; aspf=s"

4.2 Anti-phishing policy (Defender for Office 365)

In the Defender portal under Email & collaboration → Policies & rules
→ Threat policies → Anti-phishing, harden the default policy or create a
dedicated one for high-value recipients:

Spoof intelligence: Enabled
Honor DMARC policy: Enabled (so messages with p=reject are actually rejected)
Action for unauthenticated senders: Quarantine
Impersonation protection: explicitly cover sensitive mailboxes (CEO, finance, HR)
Mailbox intelligence: Enabled

4.3 Anti-spam policy

Bulk Complaint Level (BCL) threshold: 6 or lower
Spam action: Quarantine
High-confidence phish action: Quarantine
Avoid allow lists — they’re a frequent root cause of spoofing slip-throughs.

Step 5 — Enhanced Filtering for Connectors

Because the SEG overwrites the original sender IP, EOP would normally evaluate SPF against
the SEG’s IP rather than the actual sender — meaning every phishing attempt passes SPF
effortlessly. Enhanced Filtering for Connectors (also known as skip listing)
fixes this by telling EOP to look further back in the Received header chain to find the real
sender IP.

Open the Defender portal at https://security.microsoft.com/skiplisting
(or Email & collaboration → Policies & rules → Enhanced filtering).
Select the inbound connector you created in Step 2.
Choose Skip these IP addresses that are associated with the connector
and add all public IPs of the SEG (including any intermediate hops).
Apply to entire organization after a small pilot phase with a few mailboxes.

Don’t do this

Do not add on-premises hybrid server IPs to the skip list when your MX points to EOP.
Microsoft does not support this in a centralized mail flow scenario; it can lead to
false positives in spam scoring.

Verification & testing

Test 1 — Direct Send from an external host

From an external system, attempt a direct SMTP delivery to the EOP endpoint:

Send-MailMessage `
    -From "ceo@yourcompany.com" `
    -To "recipient@yourcompany.com" `
    -Subject "Direct Send Test" `
    -Body "Testing the Reject Direct Send flag" `
    -SmtpServer "yourcompany-com.mail.protection.outlook.com" `
    -Port 25

Expected result:

550 5.7.68 TenantInboundAttribution;
Direct Send not allowed for this organization from unauthorized sources

Test 2 — Spoof from a foreign domain bypassing the SEG

External test using a foreign sender domain (e.g. fake@gmail.com) directly to the EOP endpoint:

Expected result:

550 5.7.51 TenantInboundAttribution;
There is a partner connector configured that matched the message's recipient domain

Test 3 — Legitimate mail through the SEG

Send an external test message from Gmail or Outlook.com to an internal recipient. In message
trace, verify that the mail arrived from the SEG IP, was accepted by the inbound connector,
and delivered correctly.

Get-MessageTrace -RecipientAddress "recipient@yourcompany.com" -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, FromIP, Status, Subject

Test 4 — Header analysis

Inspect a delivered message via File → Properties in Outlook or paste the headers
into the Message Header Analyzer.
The following headers confirm a healthy configuration:

Authentication-Results-Original shows SPF pass against the real sender IP — not the SEG IP.
The Received chain shows the SEG as the last hop before EOP.
X-MS-Exchange-SkipListedInternetSender is set, indicating Enhanced Filtering is working.

Monitoring & reporting

Daily / weekly

Message trace: filter on status Failed with reason 5.7.68 or 5.7.51 — every hit is a blocked bypass attempt.
Defender → Reports → Mailflow: Threat protection status and Spoof detections.
Transport rule reports: Mail flow → Reports → Mail flow rule matches — your safety-net rule from Step 3.
DMARC aggregate reports: review RUA reports — every unknown source is a signal worth investigating.

Useful KQL queries (Defender for Office 365 hunting)

// Direct Send attempts in the last 7 days
EmailEvents
| where Timestamp > ago(7d)
| where DeliveryAction == "Blocked"
| where DeliveryLocation == "Failed"
| where AdditionalFields has "5.7.68"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, SenderIPv4, Subject

// Mail that did NOT arrive from your SEG IPs
EmailEvents
| where Timestamp > ago(1d)
| where SenderIPv4 !in ("203.0.113.10","203.0.113.11")
| where EmailDirection == "Inbound"
| summarize count() by SenderIPv4, SenderFromDomain

Alerting

Defender alert policy on Mail flow rule match for the safety-net rule.
SIEM forwarding (Sentinel, Splunk, etc.) of the EmailEvents table.
A weekly review report sent to the security team.

Rollback plan

If business-critical mail flows break after activation, the commands below let you revert
quickly. The rollback order is the reverse of the activation order.

# 1. Disable the transport rule
Disable-TransportRule -Identity "BLOCK - Direct EOP Ingress (Bypass SEG)"

# 2. Loosen the inbound connector (drop IP binding)
Set-InboundConnector -Identity "From Secure Email Gateway" `
    -RestrictDomainsToIPAddresses $false

# 3. Disable Reject Direct Send
Set-OrganizationConfig -RejectDirectSend $false

# Confirm
Get-OrganizationConfig | Format-List RejectDirectSend

Recommended rollout phases

1) Enable the transport rule in audit mode (one week of observation) →
2) Harden the inbound connector (one to two days of observation) →
3) Enable RejectDirectSend →
4) Switch the transport rule to Enforce. Each step is small and quickly reversible.

Final checklist

Direct Send sources inventoriedSPF analyzed, every printer / app / cloud service sending as your domain documented
Configuration backup takenGet-OrganizationConfig, Get-InboundConnector, Get-TransportRule exported
Inbound connector with IP/cert binding activeRestrictDomainsToIPAddresses or RestrictDomainsToCertificate set to $true
Reject Direct Send enabledSet-OrganizationConfig -RejectDirectSend $true applied and propagated
Transport rule (safety net) activeReject rule for non-SEG IPs in enforce mode, correctly prioritized
SPF / DKIM / DMARC enforcedSPF -all, DKIM signing for all sending domains, DMARC at least p=quarantine
Anti-phishing policy hardenedSpoof intelligence + Honor DMARC + quarantine for unauthenticated senders
Enhanced filtering configuredSkip listing of SEG IPs at the inbound connector enabled
Tests performedDirect Send blocked (550 5.7.68), legitimate mail via SEG delivered, headers correct
Monitoring in placeMessage trace reviews, KQL hunting, DMARC reporting, alerting

References & further reading

Microsoft Learn — Email routing in Exchange hybrid deployments
Microsoft Learn — Enhanced Filtering for Connectors
Microsoft Learn — Configure the default connection filter policy
Microsoft Tech Community — Introducing more control over Direct Send
Microsoft Learn — Mail flow rules in Exchange Online
Defender portal — https://security.microsoft.com/skiplisting
Exchange Admin Center — https://admin.exchange.microsoft.com

Mass Email with Exchange Online: Pros, Cons, Limits & Better Alternatives

drago — Tue, 17 Mar 2026 09:36:22 +0000

Email Strategy

Exchange Online excels at business email but was never built to be a bulk marketing engine.
This article provides a complete technical overview of limits, risks, best‑practice architecture and alternatives for high‑volume or marketing email delivery.

Per‑mailbox limit (24h)

~10,000

Send rate

~30/min

Tenant external cap

License‑based TERRL

When Exchange Online can work

Exchange Online works fine when message volume stays low and recipients are primarily internal.

Small internal communications.
Department updates, announcements, emergencies.
Internal distribution lists count as 1 recipient.
No additional systems or APIs required.

Technical and deliverability limitations

Exchange Online includes strict policies to protect the service from abuse, spam and compromised accounts.

Not designed for marketing or bulk sending.
High risk of throttling (per‑minute and per‑day limits).
Risk of IP warm‑up issues and reputation drops.
No proper bounce handling or suppression lists.
Limited analytics (opens, complaints, deliverability).
CAN‑SPAM / GDPR compliance must be handled manually.

Key technical limits

Mailbox-level limits

~10,000 recipients per 24h per mailbox.
~30 messages per minute.
Dynamic throttling when patterns look like bulk sending.
Automated lockout if Exchange detects spam‑like patterns.

Tenant-wide TERRL (Tenant External Recipient Rate Limit)

TERRL depends on your M365 license count. Higher license volume → more outbound capacity.

Licenses	Recipients / 24h
1	10,000
25	≈14,000+
100	≈28,000+
1,000	≈72,000+

TERRL is not officially published in detail. Microsoft adjusts thresholds dynamically to protect global capacity.
As a rule: **Exchange Online is not a bulk sender and scales poorly for newsletters**.

Deliverability challenges

Shared Microsoft IP pools → reputation varies.
No ability to warm up IPs for new volumes.
No feedback loops with major ISPs (Outlook.com, Gmail, Yahoo).
Risk of domain reputation damage if recipients mark mails as spam.
Lack of automated bounce categorization (hard/soft/subscription).

Domain strategy: Use a dedicated subdomain

Separating marketing email protects your primary business domain.

Use e.g. news.yourdomain.tld, mail.yourdomain.tld or updates.yourdomain.tld.
Independent SPF, DKIM, DMARC policies.
Protects your main domain from reputation damage.
Allows independent DNS routing (e.g., towards ACS or Mailchimp).

Recommended DNS setup

SPF: include only required platforms.
DKIM: sign from dedicated selector.
DMARC: use p=none for warm‑up → later quarantine → reject.
Optional: BIMI increases trust at Gmail/Yahoo.

Better platforms for newsletters

For real newsletters or any type of marketing automation:

Professional templates & responsive layouts.
List management (subscriptions, bounce lists, suppression lists).
A/B testing, analytics, link tracking.
Compliance (opt‑in, double opt‑in, unsubscribe pages).
High deliverability via dedicated warm IP pools.

Examples

Mailchimp
Brevo (Sendinblue)
HubSpot
Klaviyo
CleverReach

Azure Communication Services (ACS)

For automated or transactional email

ACS is excellent for application‑driven email delivery:

API-first, scalable email service.
Supports templating & dynamic content.
Custom domain support with DKIM/DMARC.
High throughput and queue-based delivery.
Ideal for apps: invoices, password resets, confirmations.

When ACS is better than Exchange Online

You send >5,000 external transactional emails/day.
You need automated retries, bounce classification, webhooks.
You require custom integration via Node.js, .NET, Python.
You want to avoid throttling and protect your business domain.

Best practices and recommendations

If you must use Exchange Online

Send slowly (intervals between batches).
Use dynamic distribution lists to reduce message count.
Do not send marketing mail from shared mailboxes.
Limit daily volume to 2,000–3,000 recipients to avoid throttling.
Implement SPF, DKIM, DMARC correctly.
Monitor message trace for throttling patterns.

If you want zero risk

Use a marketing platform for newsletters.
Use ACS for system-generated mail.
Separate domains and DNS policies per use case.

Conclusion

Exchange Online is a world-class business email platform but fundamentally not designed for
marketing, bulk or high-volume transactional email.
For newsletters use a dedicated marketing platform;
for scalable transactional email use ACS.
This protects your domain reputation, increases deliverability and ensures full compliance.

Cleaning Meetings in M365

drago — Mon, 09 Mar 2026 10:25:09 +0000

This documentation describes how to properly cancel and remove meetings and recurring meetings organized by a departed employee from the calendars of all attendees and resource calendars (e.g., conference rooms) in Microsoft 365.

Important Prerequisite: The departed employee’s mailbox must not be permanently deleted yet. Execute these steps as part of the offboarding process, before the account is completely removed from Microsoft 365.

Method 1: The Best Practice Approach (PowerShell)

This is the official and most efficient method. It automatically sends cancellations to all attendees and frees up previously booked rooms.

Step 1: Check Prerequisites & Install Module

Launch PowerShell as an Administrator. If you haven’t already, you need to install the Exchange Online module:

Install-Module -Name ExchangeOnlineManagement -Force

Step 2: Connect to Exchange Online

Connect-ExchangeOnline -UserPrincipalName [email protected]

Step 3: Delete Meetings (Remove-CalendarEvents)

Use the Remove-CalendarEvents cmdlet to cancel the meetings. Here are two typical use cases:

Use Case A: Standard Cleanup (1 Year)

Employee John Doe is leaving the company. All of his future meetings for the upcoming year should be canceled.

Remove-CalendarEvents -Identity "[email protected]" -CancelOrganizedMeetings -QueryWindowInDays 365

Use Case B: Preview Affected Meetings (WhatIf)

If you are unsure and want to see which meetings would be deleted without actually executing the command, use the -WhatIf switch:

Remove-CalendarEvents -Identity "[email protected]" -CancelOrganizedMeetings -QueryWindowInDays 120 -WhatIf

Step 4: Disconnect Session

For security reasons, always disconnect your session after successfully completing your tasks:

Disconnect-ExchangeOnline -Confirm:$false

Method 2: The Manual Workaround (Web Interface / GUI)

Use this method only if you lack PowerShell permissions or if you need to manually manage a specific, single recurring meeting.

Step 1: Convert to a Shared Mailbox

Open the Microsoft 365 admin center.
Go to Users > Active users.
Click on the departed employee’s name.
Select the Mail tab and click on Convert to shared mailbox.

Step 2: Grant Full Access Permissions

Scroll down in the user’s Mail settings to Mailbox permissions.
Click on Manage mailbox permissions.
Add your own Admin account under Read and manage (Full Access).

Note: It can take up to 60 minutes for the permissions to fully synchronize across the cloud.

Step 3: Open Mailbox and Cancel the Series

Open Outlook on the web (OWA) with your Admin account.
Click on your profile picture in the top right corner and select Open another mailbox…
Enter the email address of the departed employee and open it.
Switch to the Calendar view.
Locate the recurring meeting in question.
Right-click it and select Cancel -> Cancel series.
Send the cancellation. The meeting will now be removed from all attendees’ calendars.

How to Configure a PIN-Protected PSTN Call Flow in Microsoft Teams (Calling Plans)

drago — Fri, 27 Feb 2026 07:01:57 +0000

Securing a specific phone number so that only authorized callers can reach the destination is a common request in modern telecommunications. But how do you achieve this in Microsoft Teams Phone when you are using Microsoft Calling Plans and don’t have a Session Border Controller (SBC) to handle complex pre-routing logic?

In this guide, we will walk you through a highly effective configuration workaround that uses native Teams features to create a PIN-protected entry point.

[Insert your flowchart diagram here showing PSTN call routing with PIN authentication]

The Use Case: Why Are We Doing This?

Imagine you have a dedicated VIP support hotline, an emergency IT-escalation number, or an exclusive dial-in for remote field workers. You publish a standard PSTN number, but you only want the call to ring the target team if the caller knows a specific secret code (PIN).

The Desired Flow:

Caller dials the PSTN number.
Caller hears an announcement: “Please enter your access code.”
If correct: The call is routed to the target user or Call Queue.
If incorrect / no input: The caller is told the code is invalid, and the call drops.

The Challenge: Microsoft Teams Calling Plans Limitations

If you use Direct Routing, an SBC (like AudioCodes or Ribbon) would intercept the call, ask for the PIN, verify it, and then forward the call to Teams. However, with Microsoft Calling Plans, the call goes straight into the Microsoft cloud. Microsoft Teams does not have a native “Require PIN” toggle for Auto Attendants.

The Solution: The “Dial by Extension” Hack. We will configure an Auto Attendant to ask for the PIN, but technically, Teams will be using its Dial by extension feature. The “PIN” will actually be the target user’s configured extension.

Pros and Cons of This Configuration

Advantages (Why we do it this way)	Disadvantages (What you need to know)
No Extra Costs: Uses existing Teams Phone licenses and Auto Attendants. Fully Cloud-Native: No SBC, on-prem hardware, or Azure Communication Services development required. Simple to Maintain: PINs can be updated by changing a user’s extension in Entra ID.	Not Enterprise-Grade Security: This is a routing trick, not cryptographic multi-factor authentication. Static System Prompts: If the user enters a wrong PIN, Teams plays a default system message (e.g., “We didn’t find a match”) before dropping the call. You cannot fully customize the “Wrong PIN” audio prompt. Directory Search Limits: The PIN (extension) must be uniquely assigned to a user in your directory.

Advantages (Why we do it this way)

Disadvantages (What you need to know)

No Extra Costs: Uses existing Teams Phone licenses and Auto Attendants.
Fully Cloud-Native: No SBC, on-prem hardware, or Azure Communication Services development required.
Simple to Maintain: PINs can be updated by changing a user’s extension in Entra ID.

Not Enterprise-Grade Security: This is a routing trick, not cryptographic multi-factor authentication.
Static System Prompts: If the user enters a wrong PIN, Teams plays a default system message (e.g., “We didn’t find a match”) before dropping the call. You cannot fully customize the “Wrong PIN” audio prompt.
Directory Search Limits: The PIN (extension) must be uniquely assigned to a user in your directory.

Step-by-Step Configuration Guide

Follow these steps to set up the PIN-protected routing in your Microsoft 365 environment.

1 Prepare the Target User (Assigning the “PIN”)

First, we need to assign the secret PIN as an extension to the user who should receive the calls.

Go to the Microsoft 365 Admin Center > Users > Active users.
Select the target user (this user must have a Teams Phone license).
Go to Manage contact information.
In the Office phone field, enter a dummy number with the desired PIN as the extension. Format it strictly like this: +10000000000;ext=8524 (Assuming 8524 is your desired PIN).
Save the changes. Note: It can take up to 24 hours for the Teams directory sync to recognize the new extension, though it often takes only a few hours.

Pro Tip: If you want the call to go to a Call Queue instead of a single person, assign this extension to a “dummy” licensed user account, and set that user’s Teams client to immediately forward all calls to the desired Call Queue.

2 Create the “PIN Gateway” Auto Attendant

Now, we create the Auto Attendant that will act as the gatekeeper.

Open the Teams Admin Center.
Navigate to Voice > Auto attendants and click Add.
Name it something like AA – PIN Gateway.
Set the Operator to “Disconnect” (since we don’t want callers bypassing the PIN).
Set the Time Zone and Language. (The language determines the voice of the default system error messages).

3 Configure Call Flow & Menu Options

This is where the magic happens. We will use the Menu Options to force the caller to interact, allowing the Directory Search to capture their DTMF (keypad) input.

Under Call flow, choose Play menu options.
For the audio, choose Play an audio file. Upload a professionally recorded MP3 or WAV file that says: “Welcome. Please enter your 4-digit access code to proceed. If you do not have a code, please hang up.”
Crucial Step: Do NOT assign any keys (0-9) to routing options. Leave the dial pad assignments empty.
Under Directory search, select Dial by extension.

What happens here? The Auto Attendant plays your custom audio. Because “Dial by extension” is enabled, it listens for keypad inputs. If the caller types 8524, the system searches the directory, finds the user from Step 1, and routes the call to them.

4 Configure Default Routing (For incorrect / no PIN)

We must define what happens if the caller just waits and presses nothing.

Still in the Call flow section, look for the setting regarding what happens when callers don’t make a choice (Timeout).
Set the default action to Disconnect.

What about wrong PINs? If a caller enters 1111, Teams will look for extension 1111. When it doesn’t find it, the Microsoft default voice will say “We couldn’t find a match.” After a few failed attempts, the system automatically drops the call. This fulfills the requirement that invalid codes cannot proceed.

5 Assign the PSTN Number via Resource Account

Finally, we need to make this Auto Attendant reachable from the outside world.

Create a new Resource Account in the Teams Admin Center.
Assign a Microsoft Teams Phone Resource Account license to it.
Acquire a PSTN number from your Microsoft Calling Plans inventory and assign it to this Resource Account.
Assign this Resource Account to your newly created Auto Attendant.

Conclusion

While Microsoft Teams doesn’t offer a simple “PIN toggle,” utilizing the Dial by extension feature provides a robust, zero-cost workaround for Microsoft Calling Plan users. It successfully gates a phone line behind a numeric code, ensuring only authorized callers reach your internal teams, all while keeping your infrastructure 100% in the cloud.

Bridging the Gap: Mastering M365 Cross-Tenant Calendar Sharing

drago — Mon, 23 Feb 2026 07:27:10 +0000

In today’s interconnected business world, organizations rarely operate in isolation. Whether it’s a merger, a holding structure with multiple subsidiaries, or a long-term joint venture, the need to see “when” a colleague from another organization is available is critical.

Scheduling meetings via email ping-pong (“Are you free Tuesday at 2?” – “No, how about Wednesday?”) is inefficient. The solution lies within Exchange Online Organization Relationships. This guide walks you through the “Why”, the “How”, and the “What to Expect”.

Real-World Use Cases

Before we dive into the configuration, let’s look at where this setup delivers the most value:

Mergers & Acquisitions

Scenario: Company A buys Company B. Migration takes months, but management needs to schedule meetings today.

Benefit: Instant visibility of Free/Busy times across both tenants without waiting for full IT integration.

Holding Structures

Scenario: A parent company has 5 subsidiaries, each with its own M365 tenant.

Benefit: Seamless scheduling across the entire group while keeping data and administration strictly separated.

Joint Ventures

Scenario: Two independent companies work on a major project for 12 months.

Benefit: Teams can collaborate as if they were in the same office, without needing Guest Accounts for every single user.

Technical Guide: Setting Up Organization Relationships

This configuration establishes a trust relationship specifically for calendar data. It does not give access to emails or files.

Admin Requirement: This configuration must be performed mirrored on both tenants (Tenant A -> Tenant B, and Tenant B -> Tenant A) for the access to work bi-directionally.

Step-by-Step Configuration

Step 1: Access the Exchange Admin Center
Navigate to admin.exchange.microsoft.com with Global Admin or Exchange Admin credentials.

Step 2: Locate Sharing Settings
In the left-hand menu, go to Organization > Sharing.

Step 3: Add Relationship
Find the Organization Sharing section and click on Add organization relationship.

Step 4: Configure Domain & Permissions

Relationship Name: E.g., “To Partner Company”.
Domains to share with: Enter the partner’s domain (e.g., partner-company.com).
Sharing Level: Enable “Calendar free/busy information sharing”.

Decision Point: Choose your level of transparency:

Time only: Users see “Busy” blocks. Good for loose partnerships.
Time, subject, and location: Users see “Meeting with Client X in Room 202”. Recommended for M&A and internal holdings.

Propagation Time: Once both sides have configured this, it can take up to 24 hours for Microsoft’s backend to replicate the settings. Patience is key!

User Experience: How to View the Calendar

Unlike internal colleagues, external calendars don’t just “appear.” Users need to add them once.

In Outlook (New / Web / Classic)

Go to the Calendar View.
Select Add Calendar > From Directory (or use the search bar).
Type the full email address of the external colleague (e.g., john.doe@partner-company.com).
Click Open/Add.

Outlook will now query the external tenant and display the availability side-by-side with your own calendar.

The Capabilities Matrix: Managing Expectations

It is crucial to understand that an Organization Relationship is a “Look but don’t touch” scenario. Here is a breakdown of what is technically possible:

Feature	Status	Details
View Free/Busy Status	Yes	You can see when they are available for a meeting.
View Subject & Location	Yes	Only if enabled by Admins in Step 4.
Edit/Delete Appointments	No	Read-Only access. You cannot modify their calendar.
Create Items in their Calendar	No	You cannot place an appointment directly into their calendar; you must send a meeting invite.
View Private Items	No	Private appointments remain private (shown only as “Private” or “Busy”).
Open Attachments	No	You cannot see meeting agendas, files, or body text inside the appointment.
Mobile App Sync	Partial	External calendars often require adding via Desktop first to appear in the Outlook Mobile App.

Conclusion

Setting up an Organization Relationship is a quick, high-impact win for IT departments managing split environments. It solves the number one scheduling headache without the security complexity of full Guest Access or Trust setups.

Need to go a step further and allow users to act as delegates or sync users as contacts? Contact us to discuss Cross-Tenant Synchronization.

Microsoft Teams Shared Locations

drago — Mon, 26 Jan 2026 07:42:35 +0000

Technical Deep Dive 2026

A comprehensive guide to mobile sharing, AI-driven Wi-Fi detection, and enterprise privacy.

In the modern era of hybrid work, the question “Where are you?” has replaced “How are you?” as the most common workplace icebreaker. As of 2026, Microsoft has significantly expanded how Teams handles physical presence—moving from simple manual pin-drops to AI-driven, network-aware location intelligence.

1. The Three Faces of Location in Teams

To understand the functionality, we must distinguish between three different features that often get confused in the Microsoft 365 ecosystem:

Feature	Primary Use Case	Device	Data Type
Shared Location (Chat)	Real-time GPS sharing with a specific contact.	Mobile (iOS/Android)	Precise GPS Coordinates
Work Location (Status)	Indicating “In the Office” or “Remote”.	Desktop & Mobile	Building name or generic status
Smart Detection (2026)	Auto-updating office location via Wi-Fi.	Desktop & Mobile	Network-based (BSSID)

2. Deep Dive: Shared Location in Mobile Chat

This remains the most “active” form of sharing. It is a mobile-centric feature that allows users to share their physical coordinates via a Teams chat or group channel.

Static vs. Live Location

Static Location: A snapshot of your current position. Once sent, the pin stays where you were at that moment.
Live Location (Real-Time): A continuous stream. As of the latest updates, users can share this for 30 minutes, 1 hour, or 8 hours.

How to trigger it:
Tap the “+” (Plus) icon in a mobile chat > Select Location.

Note: Since 2025, a mandatory App-level Consent Popup appears, ensuring users are aware of the tracking duration.

3. The 2026 Game Changer: Automatic Wi-Fi Detection

Following the roadmap milestones of late 2025, Microsoft has finalized the rollout of Smart Work Location Tracking (Roadmap ID: 409534).

Teams now recognizes your organization’s Wi-Fi access points (BSSIDs). When your laptop connects to a registered corporate network, Teams automatically updates your status to “Working from Building A, Floor 3”.

Privacy Guardrail

This feature only triggers during your defined “Working Hours” in Outlook. It stays dormant during personal time.

Opt-in Culture

It is Off by default. Both Admin policies and User consent must be granted simultaneously to activate tracking.

4. Administrative Configuration & Compliance

For IT Admins, the control center has evolved. Location-Based Services (LBS) are now managed under a unified privacy framework.

The Messaging Policy

In the Teams Admin Center (TAC), the toggle “Send location in messages” controls whether the mobile sharing icon is visible to your users. If disabled, the entire Location sub-menu disappears from the mobile app.

Data Residency

A critical point for compliance officers: Microsoft Teams does not store a historical movement log. The data is transient. Once a live session ends, the real-time coordinates are purged from the active session, though the chat message itself follows your organization’s standard retention policy.

5. Frequently Asked Questions

Can my manager see a map of my movements all day?

Absolutely not. Microsoft Teams does not provide a “surveillance dashboard.” Location data is only used to update your status or shared manually in a chat. There is no admin command to “ping” an employee’s location without their knowledge.

Why can’t I see the “Location” button on my Desktop app?

Precise GPS sharing is a mobile-only feature because desktops generally lack GPS hardware. Desktop users can only set their “Work Location” (status) or use the Smart Wi-Fi detection if enabled.

Official Sources & Technical Documentation

The Deep-Dive Guide: Microsoft Graph API for PowerShell

drago — Mon, 12 Jan 2026 07:20:15 +0000

In the modern Microsoft 365 landscape, the “Portal-Clicker” is being replaced by the “Automation Architect.” Microsoft Graph is the engine behind this transformation. While legacy modules like AzureAD or MSOnline were siloed, Graph provides a single endpoint, a single authentication model, and a single data schema.

The Architect’s Logic: Every PowerShell command in the Microsoft Graph SDK is a wrapper for a REST API URL.
Get-MgUser -UserId "bob@contoso.com" is actually a GET request to https://graph.microsoft.com/v1.0/users/bob@contoso.com.

1. Professional Setup & API Profiles

Before scripting, you must decide which API version to target. The SDK supports v1.0 (Production-ready) and Beta (latest preview features like Sign-in logs or specialized Teams settings).

# Switch to Beta for advanced features
Select-MgProfile -Name "beta"

# Connect with specific permissions (Scopes)
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Mail.Read", "Sites.Read.All"

2. Unattended Automation (App-Only Auth)

For background tasks (Azure Automation, Task Scheduler), interactive logins are impossible. You must use an App Registration with a certificate for maximum security.

$params = @{
    ClientId              = "YOUR_APP_ID_GUID"
    TenantId              = "YOUR_TENANT_ID"
    CertificateThumbprint = "A1B2C3D4E5F6G7H8I9J0"
}
Connect-MgGraph @params

3. Service Deep-Dives: Read & Write

A. Entra ID: OData Filtering Mastery

A true deep dive requires moving beyond Where-Object. Filter at the source to prevent script lag and memory exhaustion.

# Efficient: Server-side filtering for active Finance users
$Filter = "Department eq 'Finance' and AccountEnabled eq true"
$Users = Get-MgUser -Filter $Filter -All -Property "Id", "DisplayName", "JobTitle"

B. Microsoft Teams: Resource Provisioning

Creating a Team is a multi-step process. In Graph, you often create a Group first and then “Team-enable” it.

$teamBody = @{
    DisplayName = "New Project Team"
    "template@odata.bind" = "https://graph.microsoft.com/v1.0/teamsTemplates('standard')"
}
New-MgTeam -BodyParameter $teamBody

C. SharePoint & OneDrive: The “Drive” Logic

SharePoint Sites contain Drives (Document Libraries), which contain DriveItems (Files/Folders).

# Search for a site and list its library root
$Site = Get-MgSite -Search "Marketing"
Get-MgSiteDriveItem -SiteId $Site.Id -DriveId (Get-MgSiteDrive -SiteId $Site.Id).Id

4. Advanced Query Parameters

To optimize performance, use -ExpandProperty to join related data into a single request, avoiding multiple round-trips.

# Fetch user AND their manager in one call
$User = Get-MgUser -UserId "admin@domain.com" -ExpandProperty "manager"
$ManagerMail = $User.Manager.AdditionalProperties["mail"]

5. JSON Batching: Combining 20 Requests

Batching allows you to group up to 20 individual API calls into a single HTTP POST. This is essential for high-speed synchronization tools.

$batchRequest = @{
    requests = @(
        @{ id = "1"; method = "GET"; url = "/users/user1@domain.com" },
        @{ id = "2"; method = "GET"; url = "/users/user2@domain.com" }
    )
}
$BatchResult = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/`$batch" -Body $batchRequest

6. Delta Queries: Tracking Changes

Instead of scanning 50,000 users every hour, use **Delta Queries** to only pull objects that were created, updated, or deleted since your last sync.

# Initial sync gets the deltaLink
$Delta = Get-MgUserDelta
$SyncToken = $Delta.AdditionalProperties["@odata.deltaLink"]

# Future runs use the $SyncToken to fetch ONLY changes
$Changes = Invoke-MgGraphRequest -Method GET -Uri $SyncToken

7. Expert Error Handling

Graph errors are JSON objects. A professional script parses these to understand if a failure was due to a missing resource (404) or throttling (429).

try {
    Update-MgUser -UserId "ghost-id" -Department "IT"
} catch {
    $Err = $_.Exception.Message | ConvertFrom-Json -ErrorAction SilentlyContinue
    Write-Error "Code: $($Err.error.code) - Message: $($Err.error.message)"
}

Summary Checklist

Scenario	Best Practice
Large Data Sets	Use `-All` and `-Filter`. Avoid `Where-Object`.
Security	Use Certificates for Auth; use Least Privilege Scopes.
Speed	Use `-ExpandProperty` and `$batch`.
Troubleshooting	Append `-Debug` to see raw HTTP traffic.

Next Steps: Start by experimenting in the Graph Explorer to visualize the JSON responses before writing your PowerShell logic.

Strategic Implementation Concept: Microsoft Teams Walkie-Talkie for Airport Operations

drago — Tue, 06 Jan 2026 07:10:55 +0000

Aviation Digital Operation Blueprint

Executive Summary

Modernizing airport communication is a critical safety and efficiency factor. This document outlines the transition from traditional LMR/TETRA radio systems to an integrated Microsoft Teams Walkie-Talkie solution. By merging voice communication, digital identity, and compliance archiving, we achieve seamless coverage (WLAN/5G/LTE) while reducing hardware costs and infrastructure complexity.

1. Operational Use Cases (Deep Dive)

Airport Security

Instant PTT group communication for terminal incidents. Integration of location data for rapid responder positioning. Military-grade encryption for sensitive security channels.

Baggage Handling

Direct coordination between check-in and loading bays. Use of high-performance noise-canceling headsets to ensure clear communication despite heavy machinery noise.

Airside & Ground Ops

Marshaling instructions and FOD (Foreign Object Debris) checks on the apron. Utilization of ruggedized devices (e.g., Samsung XCover) built for extreme weather.

2. PowerShell Configuration (Admin Guide)

Automated deployment via PowerShell ensures that all frontline workers have the Walkie-Talkie app pinned to their mobile navigation bar.

# Connect to Microsoft Teams
Connect-MicrosoftTeams

# Define Policy Parameters
$policyName = “Aviation_Frontline_WT”
$appId = “0048126e-44b2-4404-8740-1f951e707a0c”

# Create Policy and Pin App
New-CsTeamsAppSetupPolicy -Identity $policyName -Description “Airport Ops PTT Policy”
Set-CsTeamsAppSetupPolicy -Identity $policyName -PinnedApps @{Add=$appId}

# Batch Assignment to Entra ID Group
$groupId = “YOUR-GROUP-ID-HERE”
New-CsGroupPolicyAssignment -GroupId $groupId -PolicyType TeamsAppSetupPolicy -PolicyName $policyName -Rank 1

3. Security: Conditional Access & Geofencing

Geographical Access Control

To ensure security, Walkie-Talkie access is restricted to the airport perimeter. Communication is blocked once a user leaves the trusted network zone.

# Define Trusted Airport Location (IP-Range)
New-MgNamedLocation -DisplayName “Airport-Fence-Zone” `
    -IsTrusted $true `
    -OdataType “#microsoft.graph.ipNamedLocation” `
    -IpRanges @{ “cidrAddress” = “192.168.1.0/24” }

4. Compliance & Recording

Audit-Ready Communication

Legal requirements (e.g., ICAO/FAA) often mandate the archiving of operational radio traffic. Teams uses the Compliance Recording Framework for this purpose.

# Create Compliance Recording Policy
New-CsTeamsComplianceRecordingPolicy -Identity “Airport_Safety_Archive” `
-Enabled $true -Description “Audit-Log for Runway Ops”

# Assign to Safety Personnel
Grant-CsTeamsComplianceRecordingPolicy -Identity “ops-team@airport.com” `
-PolicyName “Airport_Safety_Archive”

5. Hardware Integration & Button Mapping

Device Type	Configuration Tool	Intent Action
Zebra TC-Series	StageNow / KeyMappingMgr	`com.microsoft.office.outlook.ptt.PUSH_TO_TALK`
Samsung XCover	Knox / Android Settings	Direct App Link: Teams Walkie-Talkie
Jabra Headsets	BlueParrott App/SDK	Trigger via BLE (Bluetooth Low Energy)

6. Implementation Roadmap

Phase 1: Pilot (Weeks 1-2): Testing in Terminal 1 with Security Key Users. Focus on Wi-Fi roaming stability.

Phase 2: Transition (Weeks 3-6): Expansion to Ground Handling. Parallel operation with legacy radio for risk mitigation.

Phase 3: Full Go-Live: Complete decommissioning of analog frequencies and activation of all recording bots.

7. Training & Radio Etiquette

Discipline: Keep messages short. Wait for the “Beep” before speaking.
Hardware: Use the physical side-button (no need to unlock the screen).
Channels: Ensure you are connected to the correct operational channel (e.g., ‘Ramp-Ops’).

Mastering Exchange Online Security: Automating Send-As & Impersonation Audits

drago — Wed, 24 Dec 2025 09:17:08 +0000

PowerShell • Exchange Online • Security • Auditing

As Exchange Online administrators, visibility is our most valuable asset. One of the most common security “blind spots” in growing organizations involves mailbox delegation. Specifically: Who has the right to send emails as someone else?

While the Microsoft 365 Admin Center allows you to check permissions one mailbox at a time, auditing an entire tenant for Send As permissions and global ApplicationImpersonation roles can be a nightmare. Today, I’m sharing a PowerShell solution that automates this process and generates a beautiful, searchable HTML report.

            Why is this important?

            “Send As” allows a user (or hacker) to send an email that appears to come directly from the mailbox owner, with no “on behalf of” tag. “ApplicationImpersonation” is even more powerful, allowing applications to act as the user completely.

The Solution: A Custom PowerShell Auditor

I wrote a PowerShell script that bridges the gap between raw data and actionable insights. Instead of staring at a CSV file, this script generates a modern, interactive HTML dashboard.

Key Features

Full Tenant Scan: Iterates through all User and Shared Mailboxes.
Send-As Detection: Identifies explicit AD permissions (Active Directory Rights).
Impersonation Checks: Scans RBAC (Role Based Access Control) for the high-privilege ApplicationImpersonation role.
Visual Reporting: Produces a user-friendly HTML file with directional arrows indicating flow (Who → Can Access → Whom).
Searchable: Includes an embedded JavaScript search engine to filter results instantly.

How It Works

The script operates in three distinct phases:

1. Data Collection (Send As)

First, it connects to Exchange Online. It then loops through every mailbox using Get-Mailbox. For each mailbox, it runs Get-RecipientPermission to find any security identifier (SID) that has “SendAs” rights, filtering out the owner themselves (Self).

2. RBAC Analysis (Impersonation)

Unlike standard folder permissions, ApplicationImpersonation is an administrative role. The script uses Get-ManagementRoleAssignment to find service accounts or users who have been granted this role, and importantly, checks the Scope (whether it applies to the whole organization or just specific users).

3. Report Generation

Finally, it constructs an HTML file. It embeds CSS for styling and a small JavaScript snippet to handle the search bar logic, ensuring the report is a single, portable file you can share with auditors or management.

The Script

Here is the complete PowerShell code. Save this as Audit-ExchangePermissions.ps1 and run it in a PowerShell terminal with Exchange Online Administrator rights.

<#
.SYNOPSIS
    Generates an HTML Report for "Send As" and "ApplicationImpersonation" permissions.
.DESCRIPTION
    Scans all User and Shared mailboxes for 'SendAs' rights.
    Checks RBAC assignments for 'ApplicationImpersonation'.
    Outputs a searchable HTML file.
#>

# --- Configuration ---
$ReportPath = "$env:USERPROFILE\Desktop\Exchange_SendAs_Impersonation_Report.html"
$LogoUrl = "https://img.icons8.com/color/48/000000/microsoft-exchange.png"

# --- Connection Check ---
try {
    Get-Mailbox -ResultSize 1 -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null
    Write-Host "Connection to Exchange Online verified." -ForegroundColor Green
}
catch {
    Write-Host "Connecting to Exchange Online..." -ForegroundColor Yellow
    try {
        Connect-ExchangeOnline -ErrorAction Stop
    }
    catch {
        Write-Error "Could not connect. Please check internet and permissions."
        exit
    }
}

# --- Data Collection ---
$ReportData = @()

# 1. Mailbox SendAs Checks
Write-Host "Scanning Mailboxes for 'Send As' rights..." -ForegroundColor Cyan
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

$Counter = 0
$Total = $Mailboxes.Count

foreach ($Mailbox in $Mailboxes) {
    $Counter++
    Write-Progress -Activity "Auditing Permissions" -Status "Processing: $($Mailbox.DisplayName)" -PercentComplete (($Counter / $Total) * 100)
    
    # Filter 'SendAs' rights, excluding the user themselves (Self)
    $Permissions = Get-RecipientPermission -Identity $Mailbox.Id -ResultSize Unlimited -Trustee $null | Where-Object { 
        ($_.AccessRights -like "*SendAs*") -and 
        ($_.Trustee -ne "NT AUTHORITY\SELF") -and 
        ($_.Trustee -ne $Mailbox.UserPrincipalName)
    }

    foreach ($Perm in $Permissions) {
        $ReportData += [PSCustomObject]@{
            OwnerName    = $Mailbox.DisplayName
            OwnerUPN     = $Mailbox.UserPrincipalName
            Type         = if ($Mailbox.RecipientTypeDetails -eq "UserMailbox") { "User Mailbox" } else { "Shared Mailbox" }
            Direction    = "Sent By"
            Actor        = $Perm.Trustee
            AccessRights = "Send As"
        }
    }
}

# 2. ApplicationImpersonation Checks (RBAC)
Write-Host "Checking for 'ApplicationImpersonation' roles..." -ForegroundColor Cyan
$ImpersonationRoles = Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -ResultSize Unlimited -ErrorAction SilentlyContinue

foreach ($RoleAssignment in $ImpersonationRoles) {
    $ScopeName = "Entire Organization"
    if ($RoleAssignment.CustomRecipientWriteScope) {
        $ScopeName = "Scope: " + $RoleAssignment.CustomRecipientWriteScope
    } elseif ($RoleAssignment.RecipientReadScope -ne "Organization") {
        $ScopeName = "Scope: " + $RoleAssignment.RecipientReadScope
    }

    $ReportData += [PSCustomObject]@{
        OwnerName    = $ScopeName
        OwnerUPN     = "RBAC Scope"
        Type         = "App Impersonation" 
        Direction    = "Impersonated By"
        Actor        = $RoleAssignment.RoleAssigneeName
        AccessRights = "ApplicationImpersonation"
    }
}

Write-Progress -Activity "Auditing Permissions" -Completed

# --- HTML Generation ---
Write-Host "Generating HTML Report..." -ForegroundColor Cyan

$CSS = @"

"@

$ScriptJS = @"

"@

$HTMLHeader = @"


Exchange Permissions Report$CSS $ScriptJS

    
         Exchange Permissions Audit
        
            Audit Summary:

            Found $($ReportData.Count) permission entries.
        
        
        
"@

$HTMLRows = ""
foreach ($Row in $ReportData) {
    $BadgeClass = switch ($Row.Type) {
        "Shared Mailbox" { "badge-shared" }
        "App Impersonation" { "badge-imper" }
        Default { "badge-user" }
    }
    
    $HTMLRows += @"
                
"@
}

$HTMLFooter = @"
            
            
                
                    Type Target (Owner/Scope) Access Actor (Delegate)
                
            
            
                    $($Row.Type)
                    $($Row.OwnerName)
$($Row.OwnerUPN)
                    ← $($Row.AccessRights) ←
                    $($Row.Actor)
                
        
        Generated on $(Get-Date -Format "yyyy-MM-dd")
    


"@

$FinalHTML = $HTMLHeader + $HTMLRows + $HTMLFooter
$FinalHTML | Out-File -FilePath $ReportPath -Encoding UTF8
Invoke-Item $ReportPath

Type	Target (Owner/Scope)	Access	Actor (Delegate)
$($Row.Type)	$($Row.OwnerName) $($Row.OwnerUPN)	← $($Row.AccessRights) ←	$($Row.Actor)

Conclusion

Regular auditing of Exchange permissions is critical for maintaining a “Zero Trust” environment. By automating the discovery of Send As and Impersonation rights, you ensure that no unauthorized account holds keys to your organization’s communication channels.

Feel free to customize the script to add more checks (like “Full Access” permissions) or change the branding to match your company colors!

Setting Up Calendar Sharing Between Microsoft 365 Tenants

drago — Thu, 04 Dec 2025 13:08:42 +0000

Introduction

In today’s interconnected business world, collaboration across organizations is essential. Microsoft 365 offers robust tools for cross-tenant calendar sharing, allowing users from different tenants to view availability (free/busy) or even full calendar entries. This guide walks you through the setup process, drawing from official Microsoft documentation and practical examples. We’ll cover free/busy sharing via organization relationships and full calendar access, which requires enabling external sharing and per-user configurations.

Possible Scenarios for Cross-Tenant Calendar Sharing

Cross-tenant sharing is useful in various contexts. Here are some common scenarios:

Business Partnerships: Two companies collaborating on a project need to schedule meetings without conflicts. Free/busy sharing ensures visibility into availability, while full sharing allows detailed event insights for closer coordination.
Mergers and Acquisitions: During integration, teams from acquired and parent companies can share calendars to align on timelines, reducing miscommunication.
Supply Chain Management: Vendors and clients can view each other’s schedules for deliveries or reviews, enhancing efficiency.
Hybrid Work Environments: Freelancers or consultants from external tenants can integrate calendars for seamless booking.
Multi-Tenant Organizations (MTO): In advanced setups like MTO, sharing extends to groups, but starts with basic free/busy for all users.
Challenges in Regulated Industries: Sectors like finance or healthcare may limit to free/busy only for compliance, avoiding full entry details.

Note: Full sharing beyond free/busy isn’t automated tenant-wide; it’s user-initiated. For large-scale needs, consider automation scripts or policies.

Prerequisites

Global or Exchange Admin permissions in both tenants.
Access to Microsoft 365 Admin Center and Exchange Admin Center.
Exchange Online PowerShell module for advanced setups.
Domain names of both tenants (e.g., contoso.com and fabrikam.com).
Changes may take up to 24 hours to propagate.

Step-by-Step Setup

Step 1: Enable External Calendar Sharing (Required for Full Access)

This allows users to share calendars externally.

Log into the Microsoft 365 Admin Center (admin.microsoft.com).
Go to Settings > Org settings > Services > Calendar.
Enable Let your users share their calendars with people outside of your organization who have Office 365 or Exchange.
Select access levels (e.g., full details).
Save and repeat in the other tenant.

Step 2: Set Up Organization Relationship (for Free/Busy Sharing)

This enables tenant-wide visibility of availability. Perform in both tenants for bidirectional access.

Using Exchange Admin Center

Log into Exchange Admin Center (admin.exchange.microsoft.com).
Navigate to Organization > Sharing > Organization sharing tab.
Click + Add organization relationship.
Enter a name (e.g., “Contoso-Fabrikam”).
Add the other tenant’s domain.
Enable Calendar free/busy information sharing.
Choose level: Time only or Time, subject, location.
Select scope: Everyone or a security group.
Create and repeat in the other tenant.

Using PowerShell

Connect:

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

Create:

New-OrganizationRelationship -Name "Contoso-Fabrikam" -DomainNames "fabrikam.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

Verify:

Get-OrganizationRelationship | Format-List

Step 3: Perform Full Calendar Sharing (Per-User)

Once external sharing is enabled:

In Outlook, right-click your calendar and select Share > Permissions.
Add the external user’s email.
Set permissions (e.g., Can view all details).
Send invitation; recipient accepts in Outlook.
To view: Add the shared calendar via link or invitation.

Verification and Troubleshooting

Test by inviting cross-tenant users to meetings. If issues arise, check domains, wait for propagation, or use PowerShell diagnostics. For advanced scenarios like MTO, refer to Microsoft docs.

Conclusion

Cross-tenant calendar sharing boosts productivity but requires careful setup for security. Start with free/busy for broad access, then enable full sharing as needed. Stay updated with Microsoft changes!