10 Mistakes that a Microsoft 365 Admin Must NEVER Make!

  • Published on 18 Dec 2024

Comments • 77

  • @Jeffero28 10 months ago +7

    Good video, thanks for the tips.
    As someone who is fairly new to 365 administration, I find it a bit discouraging that so many important security features are hidden in obscure areas, or paywalled behind licenses.
    Security defaults are great, but once you enable them you can't go in and customize things. For example when security defaults are enabled there is no option to turn off the "first contact safety tip" for emails, even if the setting is disabled in the spam policy.

    • @AndyMaloneMVP 10 months ago

      Well said👍

    • @Don-Carillo 4 months ago +1

      welcome to the world of Microsoft

  • @adrianclarke9651 10 months ago +3

    One of the best videos you've ever done, Andy. Superb presentation !!! Loved it !!! Thank you.

  • @bingbonus9636 10 months ago +12

    On the "Using RBAC wisely", I prefer to assign permissions to a user via PIM & JIT, then when the role is activated have a CA rule that allows admins access only after MFA (number matching) and with no persistent browsing and session life of max 4 hours (or the max hours a role can be activated). Then to top it off only from an Intune managed marked as compliant device and/or hybrid domain joined device. No use of safe zones allowed, zero trust. And if you really want to kill it, plug it in with the Defender suite (identity/endpoint)

    • @AndyMaloneMVP 10 months ago +3

      I completely agree with you, and if I had more time, I would’ve done more on that. I wanted to keep it simple, but thanks for your comments and a great contribution 👍

    • @moepskie 9 months ago +1

      We even have a policy on top of it which requires global admins to use physical keys

    • @jerseypaul6983 9 months ago

      100% agree with this. The separate admin account is very much a necessity in an on-prem environment and sound advice, as the traditional tech was never designed with today's security considerations in mind. However in a modern cloud environment it takes a different approach, as the market is constantly evolving towards one identity = one account, even across tenants and providers, with JIT & PIM being part of the package to control the what, why and when an account is elevated. As the Authentication element of the AAA model continues to evolve, you’ll increasingly struggle with managing multiple accounts.

  • @standardnerd9840 3 months ago

    Thanks as always Andy! And thank you so much for putting that banner in at 5:13 telling people which license they need! That's very helpful indeed!

    • @AndyMaloneMVP 3 months ago

      You’re very welcome and thanks for the kind comment. 👍

  • @aaron328 10 months ago +3

    Hi Andy, I really enjoy your content, it's clear and always well presented.
    It's something I can't really say about Microsoft. I find Azure and a lot of Microsoft products/services (with the exception perhaps of 365 as I spend so much time in it), so poorly laid out, difficult to navigate around and also confusing - especially their licensing models - I don't think many Microsoft employees know themselves when it comes to licensing! Part of it, is of course the sheer complexity and breadth of what is on offer.
    As an MSP based in the UK, and, dealing with a lot of SMBs, the IASME cyber security certification is gathering a lot of traction, (it's now often a requirement in order for a business to be eligible for a tender etc.).
    I know there are lots of elements (Intune, Entra ID - conditional access etc.) that are relevant to this, but I really wanted to ask you if there is a specific format or logical order in which to learn and deploy Azure services - i.e. the full understanding of one element of Azure builds the foundations necessary to understand and deploy another, or is it more of a cherry picking exercise?
    For example, I am personally interested at this very moment in Intune, for mobile device management, and, it's something I am currently playing with / reading up on (I have watched your video on this also). Before we would ever offer a service to customers, I always want to be sure that we are best placed to get the best out of it and to be able to use all of the particular services' features to its maximum potential. I tend to stumble across another feature on top of another when really delving into it to the point of "brain freeze".
    Dealing with I.T. firms (large and small and a couple of well known names), I don't think I've come across any one person in particular that has a full grasp of Azure and the majority of its abilities leading me to believe there must be lots of wrongly configured or not very efficient deployments.

    • @AndyMaloneMVP 9 months ago +1

      Hello Aaron, thanks for reaching out. I totally agree with you and understand your frustrations when it comes to Microsoft 365 Admin. There are a number of inconsistencies between the various portals, which I can imagine many will find frustrating. In terms of licensing, I totally get you, it’s an absolute minefield and this is something that Microsoft definitely need to get a grip on; the various plans, with all the individual add-ons, are very confusing. That, alongside Microsoft's recent decision to stop individuals and companies taking out trial P2 licenses. If you want this, you now have to put a credit card in, which is going to be a nightmare for training. In terms of logical order, the best advice that I could give is that I teach a course called SC 100, which is the Microsoft cyber security architect course. It’s very good and for planning purposes, it can help you structure things in terms of security and compliance. Beyond that it just comes down to experience, I’m afraid. Know the difference between plan one and plan two services, alongside the various SKUs. A great learning resource is learn.microsoft.com; this is pretty much where you’ll find all the Microsoft documentation and learning materials. If you are additional materials, check them out. So that you have it. I’m afraid, I suspect not the answer you were looking for, but it’s the best I can give at the moment. I wish you all the best and good luck with your journey, Andy

    • @aaron328 9 months ago

      @@AndyMaloneMVP thanks for the reply, and I would absolutely love to take your course you had mentioned. I will get myself enrolled for it.

  • @harryanderson9775 10 months ago +2

    Great video. I have learnt a lot from you since subscribing. From this tutorial, I realized I was making 5 mistakes. I have changed those settings. Thank you.

    • @AndyMaloneMVP 10 months ago

      Awesome thanks so much👍

  • @secondlast322 6 months ago +1

    Thanks Andy, I'm about to start my work role.
    I'll be hear more of you in your videos on YT to get some ideas and basic.

  • @Alphazero77 9 months ago +1

    Hey Andy, I love your Videos. Thank you for sharing so easy to learn stuff, keep up the good work. I have a question. I am studying for the AZ-500. I keep coming to questions that are sign-in risk Level related, but I can't find a List with recommended risk Levels (already in Azure as standard). I know that you choose them for every policy. My question is: are the Questions just old, or does Azure have the recommended risk Levels already in Azure as standard that I need to learn? Thanks!

  • @ggoben 10 months ago +2

    Interesting at the 9min mark. So, are you saying you highly recommend SSPR be switched to Off for the entire tenant if you are hybrid (running Azure AD connect for example)? In a hybrid scenario, with an on-prem AD, what do you recommend for users to reset their passwords?

    • @AndyMaloneMVP 10 months ago +5

      Please note, these comments are my own personal thoughts. Personally, I believe that any system that continues to use passwords is vulnerable. Recent hacking attacks have shown that password writeback is a potential flaw. Yes, tools like Defender for Identity can play an important role in protecting a hybrid infrastructure. But the very thought of writing passwords back to Active Directory seems risky in my opinion. Best to look forward not backward. As I said this is just my personal opinion though🙂👍

  • @Avraum months ago

    Great video as always!!

  • @BillCooperOK 10 months ago +1

    Thank you for this!

  • @mshamatuli 10 months ago

    Great stuff Andy. Worth watching over and over.

    • @AndyMaloneMVP 10 months ago

      Thanks so much👍

  • @undixgalore 9 months ago +3

    I'm considering setting "Allow external users to remove themselves from your organization" to No instead of the recommended Yes. If a guest user has unintended or unwarranted access to the tenant and exfiltrates data or whatever, and then the guest user removes itself, unless one has a routine for going through access and security logs, then the data exfiltration may well go under the radar and remain undiscovered. Checking the user list and discovering a guest user that should not be there is more of a low hanging fruit than perusing logs.

  • @mrnonsensetalktv 3 months ago

    Great lesson. Thanks.

  • @EllyOguttu 5 months ago

    SOLID best practices, I will surely practice these tips

  • @unificomp 8 months ago

    Fantastic video! Lots of useful info here. Question, what if you are using Per-User MFA and enable Security Defaults, do users have to do anything like re-register MFA or is it transparent to them?

    • @AndyMaloneMVP 8 months ago

      No, it will work fine, you don’t need to re-register

  • @vegasjosejavier 5 months ago +1

    Hey Andy, I wonder how can password writeback be used as a backdoor.

    • @AndyMaloneMVP 4 months ago +2

      Social engineering

  • @driver288 10 months ago +1

    Well in some cases admins DO need a license. For administering and checking some aspects of Teams for instance a mailbox teams and SharePoint license is needed. Mostly for administering org wide teams. but for most tasks a license isn’t needed. We do separate admin accounts of course but in some instances they do have a license. Business basic for instance.

    • @AndyMaloneMVP 10 months ago

      Great Point I forgot to mention that :-)

    • @PrinceJohn84 9 months ago +1

      Universal Print is another example where a license is required to manage the service 👍

  • @denisgitonga6797 10 months ago

    Very informative content as usual

    • @AndyMaloneMVP 10 months ago

      Much appreciated

  • @newtonapplemusic 10 months ago

    Hi Andy, I'm a regular viewer of your YouTube videos and have just subscribed. On your Patreon site, you have a course that has MS-900 (MS 365 Fundamentals) in the artwork, but SC-900 (security, compliance and identity...) in the description. I'm confused as to what the course actually is. Please can you confirm? Thanks. Kevin.

    • @AndyMaloneMVP 10 months ago +1

      Oops I'll correct it.

  • @drewcross9927 9 months ago

    For SP permissions, is there a way to prevent items from being shared at all? Even internally?

    • @AndyMaloneMVP 9 months ago

      Yes, you can do this from within classic SharePoint permissions. It’s a bit of work but it can be done.

  • @aldoferretti4869 5 months ago +1

    nn from mr andy a clear idea what to do re reduction of passwords!!!!

  • @serdartokgoz9380 10 months ago

    A question for P2 or other licenses. As a Global admin, if I buy only for myself and configure it, is that possible? Or does the whole organization need these licenses for the configurations?

    • @AndyMaloneMVP 10 months ago

      Licenses are a fickle thing. Some features you can get away with this, but most will require a full license for every user. Unfortunately 👍

  • @CapitainHook 10 months ago

    It would be great to have an how admin can fix worst end users mistakes:
    Example: level 1 deleted sites (because the button is sooo close to site information..), level 2 deleted massive data (because the recycle bin on OneDrive sync doesn't only delete the link sometimes...), level 3 deleted massive access that wasn't granted by a group (because they share with external by links, etc. and sometimes they change their mind after restoring the access from the parent site...) any other?

    • @AndyMaloneMVP 10 months ago

      Great suggestion, and thanks for your input. 😊

  • @lifeslooker 10 months ago

    Why is it that when using authenticator, more than one number comes up and confuses users with more than one pop-up? Is that due to apps being auto configured to open at startup, e.g. Teams when opening OneDrive to sign in?

    • @AndyMaloneMVP 10 months ago

      The numbers have a finite life and will time out after a short time.

  • @lifeslooker 10 months ago

    why is it when you change passwords in the cloud using Azure it fails, even when you have all the roles you need enabled, eg Helpdesk admin, reports admin, entra, teams etc?

    • @AndyMaloneMVP 10 months ago

      User Interface changes can take a few moments to update.

  • @zubaircrude 9 months ago

    Could you please help me in creating an IRM policy to disable reply all option in outlook

    • @AndyMaloneMVP 9 months ago +1

      Session for the future perhaps

    • @zubaircrude 9 months ago

      @@AndyMaloneMVP do you have any playlist for azure 900 ? I am in a dire need of that

  • @driodsworld 9 months ago

    What would be a good way for high school students to authenticate as they are not allowed to have mobile phones in class for MFA?

    • @AndyMaloneMVP 9 months ago

      FIDO 2.0 or Passkey.

  • @MegaSlowmoman 9 months ago +2

    Great tips, unfortunately Microsoft dangle the carrot of features that should be standard. Why have a product that has security flaws built in that you have to pay to guard against?

    • @AndyMaloneMVP 9 months ago +2

      I totally agree, 👍

  • @andrewjutub 10 months ago

    Greetings from Poland

    • @AndyMaloneMVP 10 months ago

      Greetings from Scotland 🙂

  • @mrnonsensetalktv 3 months ago

    Sir, a year ago, I came across a video that I can use office 365 for free if I create a Microsoft administrative account. I created the account and started using office 365 for free but now I have been asked to buy office 365 or put a serial key before I can use it.
    Can you please help me fix it please.
    Thank you..

    • @AndyMaloneMVP 3 months ago

      This is incorrect. Although it’s true you don’t technically need a license to be an administrator, it does not give you access to use the applications unless you do have a license.

  • @willrun4fun 10 months ago +1

    I’ve never liked how Microsoft locks security behind add on licenses

    • @AndyMaloneMVP 10 months ago

      Totally agree👍

  • @DeanEllerbyMVP 6 months ago +1

    If you create a Global Admin account without a license, they won't be protected by most of the security features that require a license.

    • @AndyMaloneMVP 6 months ago

      Licensing is a fickle thing. Make yourself a security and compliance admin as well as a global admin

  • @ThomasAeschbacher-s8h 4 months ago

    It is a shame that user risk and sign in risk require an Entra ID P2 License

  • @Hans_Magnusson 9 months ago

    Installing the software from the beginning 😂😂😂

  • @mdekleijn 4 months ago

    Great video, however, I would not name my recovery account "recovery" or "breakglass". Better to give it an inconspicuous name.

  • @pdjhh 6 months ago

    Ms admin. Using edge. On a Mac? What the?!

  • @12Burton24 9 months ago

    I wish some people could stop using some short cut letters for everything...just write the full word please, every industry has its own meaning for the letters you write and not all are that much in IT (Information Technology) to know everything, thank you.

    • @AndyMaloneMVP 9 months ago +1

      Hear you brother 🙏😀

  • @chrundlethegreat2251 10 months ago +6

    Dude...stop calling your viewers 'fellow youtubers'. YOU are a youtuber. A youtuber is a content creator for the YT platform. We're just viewers.

    • @AndyMaloneMVP 10 months ago +18

      A bit tetchy aren’t you🥺

    • @AlexiYoung 10 months ago +6

      Don’t mind the haters, Andy!
      We appreciate you.

    • @schylerjones5722 10 months ago +3

      You’re fine Andy, don’t change a thing. 😊

    • @Mpiechow93 9 months ago

      @@AndyMaloneMVP I mean in Internet world YouTuber is content creator, that’s how it's used :)