The rule of assigning permissions in SharePoint

  1. Assign permissions to groups—never to users directly.
  2. Whenever you change the membership of a SharePoint group, the next incremental search crawl launches a full crawl to recalculate the entire access control list. So give permissions only to SharePoint groups, and make the members of those SharePoint groups Active Directory groups, not individual users. This is best practice. When you assign permissions, follow these steps:
  • Give permissions to SharePoint groups, so that your library grants rights to SharePoint groups.
  • Inside of your SharePoint groups, add Active Directory groups.
  • Then, add your users to an Active Directory group.

  3. The best thing to do, as long as you can and for as far as you can, is to leave permission inheritance intact. If you have to break it, try to do so at the site level, if possible. If you’re going to break permission inheritance, try to do it at the document library or folder level.

  4. There are a number of important differences between managing NTFS permissions on your file server and managing SharePoint permissions, including the different permission levels and the fact that SharePoint automatically deactivates inheritance when you set custom permissions.

How to Remove Windows Device from Azure AD

Note 1: Please save your data before removing the AAD computer from Azure AD. Otherwise, you may lose the data.

Note 2: Please remember your local administrator credentials or create a new local administrator account. Otherwise, you may have a problem logging in.

Note 3: After you unregister the Windows 10/11 device, you will lose device access to school or work resources.

A. Remove Windows Device from Azure AD

  • Login to Windows with your organizational account.
  • Go to Start -> Settings.
  • Select Accounts > Access work or school.
  • Select the connected Azure AD domain account that you want to remove, and click Disconnect.

  • Click Yes to confirm the removal of the account. This will remove your access to resources like email, apps, networks, and all content associated with it. Your organization might also remove some data stored on this device.
  • Click Disconnect. After disconnecting, you won’t be able to sign in to this PC with your organization’s account.

Note: If this PC has BitLocker installed and running, make sure you save a copy of the BitLocker recovery key somewhere other than this PC.

  • Enter the sign-in info for a local administrator account. This can be a Microsoft account or a local account. Enter the username and password for an existing account (if you don’t have one, you will need to create a new account), then click OK.

  • Click Restart now or Restart later to remove the Windows device from Azure AD join. After restarting, your PC won’t be joined to Azure AD. You will need to sign in with another user account.

  • Restart the computer and log in. To validate the join status, run this command: dsregcmd /status

B. Remove Windows Device from Azure AD using Azure Intune

  • Sign in to the Azure Portal at https://portal.azure.com/.
  • Navigate to Azure AD and select the device you want to remove from the list.
  • Click the Delete icon at the top to remove it.

C. Remove Windows Device from Azure AD using Command Line

  • Repeat the steps in B and click on the device to copy the device’s Object ID.

  • You can use the Azure Active Directory PowerShell module. To install the Azure AD module, type the following command in PowerShell:
Install-Module AzureAD
  • You will be prompted to confirm the installation and import of the NuGet provider. Enter Y in all confirmation dialogs. The package installation will take a few minutes. Wait for the installation to finish, then close the PowerShell window.
  • Type the Connect-AzureAD cmdlet to connect an authenticated account to use for Azure Active Directory cmdlet requests. You can use this authenticated account only with Azure Active Directory cmdlets.
  • Once you are connected, type the Remove-AzureADDevice cmdlet to remove a device from Azure Active Directory (AD). This command removes the specified Windows device from Azure AD join.

Remove-AzureADDevice -ObjectId "1c913ae1-ea7f-4589-8b42-b2140a13c304"

-ObjectId
Specifies the object ID of a device in Azure AD.
Remove-AzureADDevice
Removes the Windows device from Azure AD join.
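
Because a pasted Object ID is easy to get wrong and the deletion applies to whatever device it matches, the following added example (not from the original page) looks the device up and compares its name before removing it. The function name, the -ExpectedName parameter and the name LAPTOP-EXAMPLE are assumptions made for illustration; the cmdlets are those of the AzureAD module installed above.

```powershell
# Added example: confirm which device an Object ID refers to before deleting it.
# Assumes the AzureAD module is installed and the signed-in account can manage devices.
Import-Module AzureAD

function Remove-VerifiedAzureADDevice {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][guid]   $ObjectId,
        # Hypothetical parameter: the computer name you expect this Object ID to belong to.
        [Parameter(Mandatory = $true)][string] $ExpectedName
    )

    # Look the device up first; a mistyped or stale ID fails here, before any deletion.
    $device = Get-AzureADDevice -ObjectId $ObjectId.ToString() -ErrorAction Stop

    # String comparison with -ne is case-insensitive in PowerShell.
    if ($device.DisplayName -ne $ExpectedName) {
        throw "Object ID $ObjectId is '$($device.DisplayName)', not '$ExpectedName'. Nothing removed."
    }

    # Show the record that is about to be deleted.
    $device |
        Select-Object DisplayName, ObjectId, DeviceId, DeviceOSType, AccountEnabled, ApproximateLastLogonTimeStamp |
        Format-List | Out-Host

    # Honors -WhatIf and -Confirm, so a dry run is possible.
    if ($PSCmdlet.ShouldProcess($device.DisplayName, 'Remove device from Azure AD')) {
        Remove-AzureADDevice -ObjectId $device.ObjectId
    }
}

Connect-AzureAD | Out-Null

# The Object ID is the sample value from the command above; LAPTOP-EXAMPLE is a placeholder name.
# Remove -WhatIf to perform the deletion after reviewing the output.
Remove-VerifiedAzureADDevice -ObjectId '1c913ae1-ea7f-4589-8b42-b2140a13c304' -ExpectedName 'LAPTOP-EXAMPLE' -WhatIf
```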

How To Remove Windows 11 From Azure AD

1. Right-click the Start button or press the Windows + X keys and select Settings.

2. In the Settings app, navigate to Accounts > Access work or school.

3. In the right pane corresponding to Access work or school, click the account currently connected to Azure AD and then click Disconnect.

4. Now click Yes when the confirmation prompt appears.

5. Then you’ll see the Disconnect from the organization box. After reviewing the information provided, click Disconnect.

6. Next, you need to enter the existing local or Microsoft account information. Here you can simply type your local user account name and its password, like we did.

7. If the account info you provided is correct, you’re asked to make a final restart to disconnect from Azure AD. Simply click Restart now to finish the process.

8. After reboot, your system will no longer be connected to your Azure AD account.

How to change the account email address in Windows 11

To change the account email address in Windows 11, you can follow these steps:

  1. Open the Start menu by clicking on the Windows icon in the taskbar or pressing the Windows key on your keyboard.
  2. Click on your user profile picture or account name located at the top right corner of the Start menu.
  3. In the drop-down menu, select “Settings” to open the Windows Settings app.
  4. In the Settings app, click on the “Accounts” category.
  5. In the left sidebar, select “Your info.”
  6. On the right side, under the “Account info” section, you will see your current email address listed. Click on the “Manage my Microsoft account” link below it.
  7. This will open a browser window and take you to the Microsoft account website. You may be prompted to sign in again for security purposes.
  8. Once you’re signed in, navigate to the “Your info” section of your Microsoft account.
  9. Look for the “Manage how you sign in to Microsoft” option or a similar setting related to account email addresses.
  10. From there, you should have the option to add or change your email address associated with your Microsoft account. Follow the on-screen instructions to complete the process.

Note: The steps above assume you already have a Microsoft account linked to your Windows 11 user account. If you don’t have a Microsoft account yet or want to create a new one, you can do so from the Microsoft account website or during the initial setup of Windows 11.

What Is Authenticating an IMAP, POP or SMTP Connection Using OAuth?

Authenticating an IMAP (Internet Message Access Protocol), POP (Post Office Protocol), or SMTP (Simple Mail Transfer Protocol) connection using OAuth involves using OAuth tokens to verify the identity and authorization of the client accessing the email server. OAuth is an open standard protocol that allows users to grant limited access to their resources (such as email) to third-party applications without sharing their passwords.

Here’s a general overview of the process for authenticating an IMAP, POP, or SMTP connection using OAuth:

  1. Register the application: The first step is to register your application with the email service provider (e.g., Gmail, Microsoft Outlook) to obtain the necessary credentials (client ID and client secret) for OAuth authentication.
  2. Obtain authorization: When a user wants to grant access to their email account, your application initiates the OAuth authorization flow. This typically involves redirecting the user to the email service provider’s authorization endpoint with the necessary parameters, including the requested scope (e.g., read, write, send email).
  3. User consent: The email service provider presents the user with a consent screen, explaining the permissions your application is requesting. The user can review the permissions and decide whether to grant access to your application or not.
  4. Token exchange: If the user grants access, the email service provider generates an authorization code and redirects the user back to your application’s specified redirect URL. Your application then exchanges this authorization code for an access token and a refresh token by making a request to the email service provider’s token endpoint, along with the client credentials (client ID and client secret).
  5. Store tokens securely: Once your application receives the access token and refresh token, it should securely store them for future use. The access token is used to authenticate the client during each API request, while the refresh token can be used to obtain a new access token when the current one expires.
  6. Authenticating the connection: To authenticate the IMAP, POP, or SMTP connection, you need to include the access token in the respective protocol’s authentication mechanism. Typically, this involves adding the access token as part of the authentication headers or passing it as a parameter during the connection establishment.
  7. Token expiration and refreshing: Access tokens have an expiration time, after which they become invalid. To ensure continuous access, your application needs to handle token expiration and use the refresh token to obtain a new access token when needed. This can be done by making a request to the email service provider’s token endpoint with the refresh token to obtain a fresh access token.

By following this process, your application can securely authenticate IMAP, POP, or SMTP connections using OAuth, allowing users to authorize access to their email accounts without exposing their passwords to third-party applications.
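
Steps 6 and 7 in practice, as an added example that is not part of the original page: Gmail and Microsoft both accept the access token through the SASL XOAUTH2 mechanism, and this PowerShell function builds that response and refuses a token that has expired. The function name, the IMAP tag A1 and the sample user and token are assumptions.

```powershell
# Added example: build the SASL XOAUTH2 initial client response for IMAP, POP or SMTP.
function New-XOAuth2Response {
    param(
        [Parameter(Mandatory = $true)][string]   $User,          # mailbox address
        [Parameter(Mandatory = $true)][string]   $AccessToken,   # from the token endpoint (step 4)
        [Parameter(Mandatory = $true)][datetime] $ExpiresOnUtc,  # expiry stored with the token (step 5)
        [int] $SkewSeconds = 60                                  # safety margin for clock drift
    )

    # Step 7: never send a token that is expired or about to expire.
    if ([datetime]::UtcNow.AddSeconds($SkewSeconds) -ge $ExpiresOnUtc) {
        throw 'Access token expired or expiring; obtain a new one with the refresh token.'
    }

    # Fields are separated by Ctrl-A (0x01), so a control character inside
    # either value would corrupt the message. Reject it.
    foreach ($value in @($User, $AccessToken)) {
        if ($value -match '[\x00-\x1F\x7F]') { throw 'Control character in user or token.' }
    }

    # Format: user=<address>^Aauth=Bearer <token>^A^A, then base64-encoded.
    $soh = [string][char]1
    $raw = 'user={0}{2}auth=Bearer {1}{2}{2}' -f $User, $AccessToken, $soh
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($raw))

    # Base64 is encoding, not encryption: handle these strings like the token itself,
    # keep them out of logs, and send them only over a TLS connection.
    [pscustomobject]@{
        Imap = "A1 AUTHENTICATE XOAUTH2 $b64"
        Smtp = "AUTH XOAUTH2 $b64"
        Pop  = @('AUTH XOAUTH2', $b64)   # second line goes after the server's "+" continuation
    }
}

# Constructed sample values, not real credentials.
$cmd = New-XOAuth2Response -User 'user@example.com' -AccessToken 'EXAMPLE-ACCESS-TOKEN' `
    -ExpiresOnUtc ([datetime]::UtcNow.AddMinutes(30))
$cmd.Imap
$cmd.Smtp
$cmd.Pop
```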

How to use Kaseya to push an Application

  1. Access the Kaseya Console: Log in to the Kaseya Console using your administrator credentials. This is the web-based interface where you can manage your endpoints and perform various tasks.
  2. Create an Application Package: In Kaseya, you need to create an application package before you can push it to your endpoints. To do this, navigate to the Agent Procedure>Installer Wizards>Application Deploy.

You have two options for a silent push: Send the installer from the KServer to the remote machine and execute it locally, or Execute the installer from a file share on the same LAN as the remote machine.

In our example, we send the installer from the KServer to the remote machine and execute it locally by adding the installer file.

Click on Private files.

Click on Upload a file.

Close the Upload file page and click Next.

Select the install package to send to the remote machine and installer type.

Name the agent procedure to deploy this application and then click Create.

3. Customize Deployment Options: Configure additional deployment options, such as scheduling the deployment for a specific time, specifying the target endpoints or groups, and determining the deployment method (e.g., push installation or self-service portal). Navigate to Agent Procedures>Manage Procedures>Schedule / Create>Private>myProcesdure and click on the application package you just created.

Under Schedule, select the computers on which you want to install the application.

You have options to Schedule Agent Procedure or Run Now.

If you choose Schedule Agent Procedure, select the run date and time, then click Submit.

Click Yes to confirm it.

4. Review and Test: Review all the settings and configurations for the application package. It’s advisable to test the deployment on a small group of test endpoints before rolling it out to a larger number of devices.

5. Deploy the Application: Once you are satisfied with the configuration, initiate the deployment of the application package. Kaseya will push the application to the specified endpoints based on your defined settings.

6. Monitor and Troubleshoot: Monitor the deployment progress within Kaseya to ensure the application is being installed successfully on the target endpoints. If any issues arise, use the built-in troubleshooting features of Kaseya or consult the application’s documentation for guidance.

How to export Excel to SharePoint

You may be able to copy the Excel table to SharePoint. However, the best way is to export the Excel table to SharePoint. Here is how.

  1. With Excel spreadsheet open, select the data range and Format it as a Table

2. Click on Table Design and then click on Export

3. Select Export Table to SharePoint list.

4. Enter the Address and Name.

5. Sign in to Office 365.

6. It may take a few seconds.

7. Click Done when You’re all set!

8. If it is successful, click OK.

9. Go to the address to check the Excel data on SharePoint.

10. With the imported Excel data, you can filter to see what you want to see.

Can we add multiple phones in Azure MFA?

In the old version, we could not have multiple phone numbers in MFA. Some people say we can do it now. However, I can’t make it work. Instead, I added the second phone as the alternative phone number. Perhaps we can also add it as the office phone number.

What are the differences between Shared Mailboxes and Office 365 Groups?

Q: What are the differences between Shared Mailboxes and Office 365 Groups?

A: Quoted from online:

Groups in Office 365 have many of the features that Exchange Online shared mailboxes do.

  • Multiple users can access a Group mailbox, just as they would a shared mailbox.
  • A Group mailbox can be used as a single point of email contact for a team or group of users, just as a shared mailbox can be.
  • Users can send-as or send-on-behalf of a Group mailbox, just as they would a shared mailbox.
  • Emails sent to Groups and shared mailboxes are preserved for historical reference, unless deleted by a user.

Office 365 Groups have additional features that shared mailboxes do not.

  • Users (members) can subscribe to receive a copy in their own mailbox of the emails sent to the Group mailbox, which makes Groups work in a similar manner to distribution lists.
  • Groups include additional collaboration apps and resources such as a SharePoint team site, OneNote notebook, Planner, and Teams.
  • Groups have a guest access model for external collaboration that shared mailboxes do not.
  • Groups have connectors for integrating other applications.

However, shared mailboxes have some capabilities that may make them more suitable to teams than Groups.

  • Shared mailboxes can have sub-folders in the mailbox, whereas Group mailboxes can’t.
  • Shared mailboxes have more granular permissions available than Groups do.

There is some demand for Group mailboxes to have sub-folders, as shown in the comments on this Uservoice suggestion. It’s quite common for teams that use a shared mailbox as an inbound communication channel to use sub-folders to sort or file away items that have been actioned. Although I prefer to recommend a proper ticketing/job management system instead, I understand that simpler scenarios don’t warrant setting up a whole separate system and that a shared mailbox with some sub-folders is quite sufficient.

The sub-folders capability is also a problem for anyone considering migrating public folders to Groups. If the public folders have a complex folder hierarchy that needs to be preserved, then you will basically lose that hierarchy due to the lack of sub-folders in Groups.

As it stands right now, the decision to go with Groups or shared mailboxes is a case of “it depends”. Work out which limitations are a showstopper for you, and which capabilities you need the most, and then make your decision based on that. Given the interest that Microsoft has in Groups adoption, perhaps we’ll see the sub-folders capabilities show up in the future.