


[{"content":" 🏷️ Tags\nconditional access (1) copilot (1) entra id (2) exchange online (1) hybrid identity (1) intune (4) microsoft 365 (1) microsoft bookings (1) teams (2) ","date":"June 1, 2026","externalUrl":null,"permalink":"/en/blog/","section":"Blog","summary":"","title":"Blog","type":"blog"},{"content":"","date":"June 1, 2026","externalUrl":null,"permalink":"/en/","section":"DaKo365 Tech Blog","summary":"","title":"DaKo365 Tech Blog","type":"page"},{"content":"This article was translated from German with the help of Claude.\nIn the April 2026 Entra update, Microsoft announced the transition from Entra Connect Sync (formerly Azure AD Connect) to Entra Cloud Sync. Both tools synchronize users, groups, and contacts from on-premises Active Directory to Entra ID. According to Microsoft, Cloud Sync is the strategic direction for hybrid identity synchronization and the recommended path for most organizations. This article breaks down what was announced and what it means for everyday admin work.\nWhat Microsoft Announced\nThe key points of the announcement:\nMicrosoft is beginning the transition from Entra Connect Sync to Entra Cloud Sync. As reasons, Microsoft cites lower on-premises complexity, higher security and reliability, and simpler management. The change happens in phases, depending on the features an organization uses. Starting in July 2026, Microsoft will inform affected organizations about their individual transition window. Notifications go through the M365 Message Center, Entra Connect Health, and targeted emails. The first to go are tenants whose current Connect Sync use cases are already fully covered by Cloud Sync. Later waves follow as soon as Cloud Sync supports the functions they require. Microsoft frames it so that later groups are only notified once the corresponding support is available in Cloud Sync. A hard, global shutdown date for Connect Sync was not named in this context. 
According to the official migration FAQ, you don’t have to migrate as long as the functions you need are not yet supported in Cloud Sync. Until then, you can keep running Connect Sync and migrate once those functions become available.\nKeep Two Separate Dates Clearly Apart\nIn Microsoft’s communication, two different processes run side by side. They do not belong together and have different consequences.\nMandatory Connect Sync upgrade (hard deadline). Connect Sync versions older than 2.5.79.0 will stop syncing on September 30, 2026. The reason is a backend security change. Anyone below this version who does not update will have their synchronization stop. The installer is only available through the Entra Admin Center (the “Microsoft Entra Connect” blade), no longer through the Microsoft Download Center. The corresponding Message Center entries are MC1262584 and MC1263280. Microsoft staggers enforcement per tenant, so the dates that apply to you are in your Message Center notifications. This step affects you even if you stay on Connect Sync, because it is maintenance, not a migration step.\nMigration to Cloud Sync (phased, notified from July). This is the actual move to the new tool with individual windows and notifications. As of today, there is no hard shutdown date here.\nSo the practical order is: first the mandatory upgrade by September 30, 2026, then, if your tenant and environment are ready for it, the migration to Cloud Sync.\nIn parallel, starting June 1, 2026, hard-match hardening also takes effect, where Entra blocks certain hard-match takeovers on role-bearing cloud objects. That is a separate topic, but worth keeping in mind, since several sync changes coincide in the same period.\nHow Cloud Sync Is Built\nCloud Sync moves the configuration into the cloud. Instead of a dedicated Connect server, you install a lightweight provisioning agent on a domain-joined server. 
The sync engine runs at Microsoft, and the entire configuration lives in the Entra Admin Center. According to Microsoft, this results in the following characteristics:\nCloud-managed configuration. Configuration, status checks, and troubleshooting are done through the Entra Admin Center, without direct server access or VPN. Configuration changes are automatically distributed to the agents.\nMultiple active agents. Cloud Sync supports multiple active provisioning agents with automatic failover. If one agent fails, the others take over. Connect Sync, by contrast, is a single point of failure.\nAutomatic agent updates. The agents receive updates and security patches automatically from Microsoft.\nNative support for disconnected forests. Disconnected forests, typical with mergers and acquisitions, are supported without forest consolidation.\nPlatform for new features. Microsoft develops new synchronization and provisioning functions primarily on Cloud Sync. Examples include group provisioning to Active Directory and extended source-of-authority management.\nOn the agent requirements: Windows Server 2016, 2019, or 2022, at least 4 GB RAM, .NET 4.7.1 or higher, no Server Core. The agent must be able to reach the domain controllers via LDAP (TCP 389) and Global Catalog (TCP 3268).\nCloud-First: Entra ID as the Leading Directory\nCloud Sync is not limited to the classic direction from Active Directory to Entra ID. It is also the foundation for a cloud-first model in which Entra ID becomes the source of authority (SOA). In practice, this means an existing object synchronized from AD is switched to cloud-managed. After that, it is no longer overwritten from AD but behaves as if it had originally been created in the cloud.\nThere are two related building blocks for this:\nSource-of-authority switch. For users and contacts, Microsoft provides a documented way to switch the SOA to Entra ID, allowing individual synchronized AD objects to be converted into cloud-managed identities. 
For these objects, the dependency on AD synchronization is removed. The SOA switch for synchronized groups is in public preview at the time of the announcement. Because the feature state differs per object type, it’s worth checking the docs before you start to see whether your specific scenario is already generally available (GA) or still in preview.\nGroup provision to AD DS. Cloud Sync can provision cloud-managed security groups back to Active Directory (in the Cloud Sync setup, this is the “Microsoft Entra ID to AD sync” configuration). This lets you manage AD- and Kerberos-based applications from the cloud via Entra ID Governance. This direction is available exclusively in Cloud Sync; Connect Sync cannot do it.\nTwo points are important here. First, this is not dual-write: once an object’s SOA is in the cloud, direct changes to the on-premises object are overwritten again on the next provisioning cycle. The cloud is the leading source. Second, this is about groups and shifting authority for existing users, not about creating new users in AD from the cloud. Cloud-to-AD user provisioning is currently supported by neither Connect Sync nor Cloud Sync.\nRequirements for the SOA scenarios include, among other things, a current provisioning agent, the AD schema attribute msDS-ExternalDirectoryObjectId (included from Windows Server 2016 onward), and the appropriate Microsoft Graph permission to change the SOA.\nFeature Scope: What Cloud Sync Can and Cannot Do\nCloud Sync does not yet have the full feature set of Connect Sync. That is precisely the reason for the phased migration. 
The following overview is based on the official comparison table in the Decision Guide.\nFull parity exists for: synchronization of users, groups, and contacts, single and multiple connected forests, Password Hash Synchronization, password writeback (SSPR), directory extensions (1 to 15), basic attribute customization via the Expression Builder, OU-based filtering, and Seamless Single Sign-On.\nNot available (or only limited) in Cloud Sync:\nFeature | Status in Cloud Sync\nDevice synchronization (Hybrid Entra Join) | not supported\nDevice writeback | discontinued in favor of Cloud Kerberos Trust\nScale per domain | max. 150,000 objects (Connect Sync unlimited)\nGroup size | max. 50,000 members (Connect Sync up to 250,000)\nPass-Through Authentication | config managed separately from sync\nAD FS integration | separate tools required\nAdvanced sync rules | Expression Builder only\nAttribute-based filtering | limited\nCross-forest references | not supported\nAttribute merge across multiple domains | not supported\nReconciliation (out-of-band correction) | not supported\nUser provisioning to AD | not supported in either\nOn authentication, Microsoft notes: PHS, PTA, and Seamless SSO continue to work after a migration. The PTA and AD FS configuration is simply managed separately from the sync in Cloud Sync.\nMigration Readiness: Who Can, Who Waits\nIn the Decision Guide, Microsoft divides organizations into three groups.\nReady to migrate immediately if all criteria are met: fewer than 150,000 objects per domain, groups with fewer than 50,000 members, no Hybrid Entra Join (or willingness to switch to Cloud Kerberos Trust), authentication via PHS or separately managed AD FS/PTA, OU-based filtering instead of complex attribute rules, single forest or connected forests.\nPlan migration for the near future if you currently need Hybrid Join device synchronization, complex attribute filtering, or user provisioning to AD. 
These points may be supported in the future, so keep an eye on feature announcements.\nEvaluate migration for later if your environment is beyond the scale limits, maintains extensive custom sync rules, has cross-forest dependencies, or strictly depends on reconciliation. For large environments, Microsoft recommends segmenting the migration by domain or OU.\nWhat You Should Check Now\nDetermine your Connect Sync version. Use the Synchronization Service Manager console to check whether the version is at least 2.5.79.0. If it’s below that, update. The deadline is September 30, 2026, and the installer is in the Entra Admin Center.\nCheck feature dependencies against the feature overview. Even a single unsupported feature means staying on Connect Sync for now.\nWatch the Message Center. The individual transition windows will be announced there starting in July 2026.\nPlan a step-by-step migration and testing. Running both tools in parallel for the same objects is not supported. Instead, you migrate OU by OU, so each OU is managed by only one tool at a time. During the migration, Connect Sync is put into staging mode, and a rollback is possible. Back up your Connect configuration via import/export beforehand. For piloting, a test forest and on-demand provisioning are suitable, with which you can check configuration changes on a single user.\nConclusion\nMicrosoft has officially started the move from Entra Connect Sync to Cloud Sync. The migration runs in phases, begins with the tenants whose requirements Cloud Sync already covers, and will be notified individually starting in July 2026. There is currently no hard shutdown date for Connect Sync.\nTwo points are decisive in practice. First, the mandatory upgrade to version 2.5.79.0 by September 30, 2026 must be separated from the migration. It affects all Connect Sync installations. Second, Cloud Sync is not yet at feature parity with Connect Sync. 
Environments with Hybrid Join, device writeback, complex sync rules, or cross-forest dependencies stay on Connect Sync for now. For everyone else, the switch is already possible today.\nSources\nMicrosoft Learn: Migrate from Microsoft Entra Connect to Cloud Sync (Decision Guide)\nMicrosoft Learn: Migrate from Microsoft Entra Connect Sync to Cloud Sync FAQ\nMicrosoft Learn: Migrating from Microsoft Entra Connect to Microsoft Entra Cloud Sync\nMicrosoft Learn: Microsoft Entra releases and announcements (What’s new)\nWhat’s New in Microsoft Entra: May 2026 (Tech Community)\nMicrosoft Learn: What is Microsoft Entra Cloud Sync? (Source of Authority management)\nMicrosoft Learn: Configure user Source of Authority (SOA)\nMicrosoft Learn: Provision groups to AD DS using Microsoft Entra Cloud Sync ","date":"June 1, 2026","externalUrl":null,"permalink":"/en/blog/entra-connect-sync-cloud-sync-umzug/","section":"Blog","summary":"","title":"Entra Connect Sync Moves to Cloud Sync: What Microsoft Announced","type":"blog"},{"content":"","date":"June 1, 2026","externalUrl":null,"permalink":"/en/tags/entra-id/","section":"Tags","summary":"","title":"Entra ID","type":"tags"},{"content":"","date":"June 1, 2026","externalUrl":null,"permalink":"/en/tags/hybrid-identity/","section":"Tags","summary":"","title":"Hybrid Identity","type":"tags"},{"content":"","date":"June 1, 2026","externalUrl":null,"permalink":"/en/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":" Episode 108 - Teams Tips \u0026 Tricks - Volume 3\nAs the saying goes: all good things come in threes! And so: welcome to the third episode of MS Teams Tips \u0026 Tricks. 
Plenty of exciting tips await you that will make working with Teams easier\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #teams #tipps #tricks\n","date":"15. May 2026","externalUrl":null,"permalink":"/videos/folge-108-teams-tipps-tricks-volume-3/","section":"Videos","summary":"Episode 108 - Teams Tips \u0026 Tricks - Volume 3 As the saying goes: all good things come in threes! And so: welcome to the third episode of MS Teams Tips \u0026 Tricks. Plenty of exciting tips await you,","title":"Episode 108 - Teams Tips \u0026 Tricks - Volume 3","type":"videos"},{"content":" Episode 107 - Teams Admin Hack: Hiding Apps You Never Approved\nCan I actually hide apps in Teams again by now once I have blocked them? Yes, you can. Take a look … ;-)\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Blog: https://learn.microsoft.com/en-us/graph/api/resources/teamsappsettings?view=graph-rest-1.0\u0026WT.mc_id=MVP_405640\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.cloud ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #teams #apps\n","date":"1. May 2026","externalUrl":null,"permalink":"/videos/folge-107-teams-admin-hack-apps-ausblenden-die-du-nie-genehmigt-hast/","section":"Videos","summary":"Episode 107 - Teams Admin Hack: Hiding Apps You Never Approved Can I actually hide apps in Teams again by now once I have blocked them? Yes, you can. 
Take a look","title":"Episode 107 - Teams Admin Hack: Hiding Apps You Never Approved","type":"videos"},{"content":" Episode 106 - Entra ID Backup \u0026 Recovery in Preview: Finally Here, but What Can It Really Do?\nAnyone who follows the Entra Admin Center closely will see that new features have been in preview for some time. One of them is Entra ID Backup \u0026 Recovery. With it, Microsoft wants to offer a way to back up directory objects from Entra ID and restore them when needed. Today we look at what already works and where there is still room for improvement.\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Learn: https://learn.microsoft.com/en-us/entra/backup/?WT.mc_id=MVP_405640\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #copilot #Alltag #Techies #Geeks #entraid #backup #recovery\n","date":"17. April 2026","externalUrl":null,"permalink":"/videos/folge-106-entra-id-backup-recovery-in-preview-endlich-da-aber-was-kann-es-wirkli/","section":"Videos","summary":"Episode 106 - Entra ID Backup \u0026 Recovery in Preview: Finally Here, but What Can It Really Do? 
Anyone who follows the Entra Admin Center closely will see that for some time there have been new features in preview","title":"Episode 106 - Entra ID Backup \u0026 Recovery in Preview: Finally Here, but What Can It Really Do?","type":"videos"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/en/tags/conditional-access/","section":"Tags","summary":"","title":"Conditional Access","type":"tags"},{"content":"This article was translated from German with the help of Claude.\nIf you work with external users (guests) in Microsoft Entra ID, you probably know this problem: A guest tries to access a resource in your tenant, gets prompted for MFA, and fails. The error message is cryptic, the user is frustrated. What’s going on?\nIn this article, I explain why external users are often treated as Microsoft Accounts (MSA), why Inbound Trust Settings don’t work in that case, and what additional trap Authentication Strengths in Conditional Access Policies set.\nThe Problem: External Accounts Are Treated as Microsoft Accounts\nWhen you invite an external user via B2B Collaboration into your tenant, they redeem the invitation (“Redemption”). Entra ID uses a Redemption Order to decide which identity provider is used. The default order is:\nMicrosoft Entra ID (if the guest has an Entra ID account in their home tenant)\nExternal Federation (SAML/WS-Fed)\nMicrosoft Account (MSA) as fallback\nThe problem: If Entra ID cannot associate the guest with an Entra ID tenant, e.g. because the email domain is not linked to any Entra ID tenant, the guest is treated as an MSA account (Microsoft Account). 
And that’s where the trouble starts:\nInbound Trust Settings only apply to Microsoft Entra Tenants, not to MSA accounts\nYour tenant cannot trust the MFA of an MSA account, even if you enabled “Trust multifactor authentication from Microsoft Entra tenants”\nThe guest is prompted to register for MFA in your resource tenant, or access fails entirely\nSolution Part 1: Disable MSA as Fallback\nThe first step is to ensure that external users don’t redeem their invitation as an MSA account. To do this, disable Microsoft Accounts as a fallback identity provider in the Cross-Tenant Access Settings.\nHow to do it\nSign in to the Microsoft Entra Admin Center (at least as Security Administrator)\nNavigate to Entra ID → External Identities → Cross-tenant access settings\nSelect the Default settings tab and click Edit inbound defaults\nSwitch to the B2B collaboration → Redemption order tab\nUnder Fallback identity providers: Disable Microsoft service account (MSA)\nClick Save\nNote: Email One-Time Passcode (OTP) is enabled by default in all tenants and automatically takes over as fallback when MSA is disabled. Only if someone has explicitly disabled Email OTP does it need to be re-enabled under External Identities → All identity providers.\nImportant: Existing guest users who have already signed in with an MSA will continue to use it. You need to reset their redemption status for the new setting to take effect.\nWith this configuration, guests that cannot be associated with an Entra ID tenant will be authenticated via Email One-Time Passcode (OTP) instead of being treated as MSA.\nWhy Disable MSA?\nDisabling MSA in the default settings is not just a workaround, but generally recommended for enterprise scenarios:\nMFA Trust does not apply to MSA: “Trust MFA from Microsoft Entra tenants” only applies to Entra ID tenants. As long as MSA is active as a fallback, some guests will fall into this gap. 
No organizational control: MSA are personal accounts (@outlook.com, @hotmail.com etc.). No admin manages them. You don’t know whether MFA is enabled, what password policies apply, or whether the account is compromised.\nConditional Access works better: For MSA guests, CA Policies work differently than for Entra ID guests. You cannot trust Device Compliance or Hybrid Join claims, for example.\nEmail OTP is the better fallback: A time-limited one-time code via email is more secure and predictable than an uncontrolled MSA login.\nWith MSA disabled, you have two clean paths: Entra ID (with trust) or Email OTP (no trust, but controlled). No uncontrolled third path.\nNote: For guests with personal Microsoft Accounts (@outlook.com etc.), the sign-in experience changes: They will receive an Email OTP code instead. In typical B2B partner scenarios with corporate accounts, this has no impact.\nReference: Prevent your B2B users from redeeming an invite using Microsoft accounts\nSolution Part 2: Configure Inbound Trust Settings\nFor guests that actually come from a Microsoft Entra Tenant, you also need the Inbound Trust Settings. This tells your tenant to trust MFA claims from other Entra ID tenants.\nIn the Microsoft Entra Admin Center → External Identities → Cross-tenant access settings\nDefault settings → Edit inbound defaults → Trust settings tab\nEnable Trust multifactor authentication from Microsoft Entra tenants\nSave\nTip: You can also configure this setting per organization if you don’t want to trust all external tenants by default. Create a specific configuration for the partner tenant under Organizational settings.\nSo far, so good. For many scenarios, these two steps are sufficient. But not for all.\nThe Trap: Authentication Strength and External Users\nIf you have configured your Conditional Access Policies with Authentication Strengths, as recommended by Microsoft, guest users can still fail despite enabled Inbound Trust Settings. 
The reason is more nuanced than it appears at first glance.\nWhat Works and What Doesn’t\nAuthentication Strength and Inbound Trust are not fundamentally incompatible. What matters is which Authentication Strength you require and which MFA method the guest used in their home tenant:\nBuilt-in “Multifactor authentication” Strength (the weakest of the three): Works with Inbound Trust as long as the guest used one of the methods accepted by Microsoft for cross-tenant scenarios in their home tenant (e.g. Microsoft Authenticator Push, FIDO2, Software OATH Token).\n“Passwordless MFA” or “Phishing-resistant MFA” Strength: This is where it gets tight. Your resource tenant cannot reliably validate which specific method the guest used in their home tenant. If you require Phishing-Resistant but the guest authenticated via Authenticator Push (not Passwordless) in their home tenant, validation fails.\nCustom Authentication Strengths: Same problem. The more specific the requirement, the more likely external users will fail.\nThe Additional Trap: External Authentication Methods\nIf the guest’s home tenant uses a third-party MFA provider via the External Authentication Methods (EAM) integration, things get definitively problematic. Microsoft explicitly warns about this in the documentation:\n⚠️ Warning: External authentication methods are currently incompatible with authentication strength. You should use the Require multifactor authentication grant control.\n— Microsoft Learn: Require multifactor authentication for all users\nThis warning primarily refers to External Authentication Methods (EAM), meaning scenarios where the home tenant has integrated a third-party provider (e.g. Duo, RSA SecurID) as MFA provider via the EAM interface. 
In this case, your resource tenant cannot validate the guest’s MFA method via Authentication Strength, regardless of which strength level you have configured.\nWhy This Affects Almost Everyone in Practice\nA typical baseline policy looks like this:\nUsers: All users (incl. Guests)\nTarget resources: All resources\nGrant: Require authentication strength → Multifactor authentication\nThis is the Microsoft recommended baseline policy. Even with the weakest Built-in Strength, guests frequently fail in practice because:\nAs the resource tenant, you don’t know which MFA provider the home tenant uses (native Entra MFA or EAM third-party)\nYou cannot control which MFA method the guest actually uses\nThe error message does not clearly point to Authentication Strength as the cause\nEverything works perfectly for internal users\nThis makes the safe fallback to the classic “Require multifactor authentication” grant control for guests the more pragmatic choice in most environments.\nTrade-off: With the classic MFA grant control, you lose the ability to enforce Phishing-Resistant MFA for guests. If this is relevant for your security concept (e.g. for access to sensitive resources), you can configure tighter settings for specific partner tenants via Organizational Settings and keep Authentication Strength there. 
Prerequisite: You have confirmed with the partner that they use native Entra MFA with appropriate methods.\nSolution Part 3: Separate CA Policy for Guests\nThe most pragmatic solution: A dedicated Conditional Access Policy for external users with the classic grant control instead of Authentication Strength.\nCreate a CA Policy for Guests\nCreate a new Conditional Access Policy for external users:\nUsers: Select users and groups → Guest or external users → B2B collaboration guest users\nTarget resources: All resources (or the relevant apps)\nGrant: Require multifactor authentication (not “Require authentication strength”!)\nExclude Guests from the Existing Policy\nIn your existing policy for all users (that uses Authentication Strength), exclude guest users:\nUnder Exclude → Select Guest or external users\nThis way, you keep Authentication Strength for internal users (e.g. phishing-resistant methods) while guests are covered by the separate policy with the classic MFA grant control.\nFor regulated environments: If you need to enforce Phishing-Resistant MFA for specific partner tenants, you can additionally create a third CA Policy scoped to a specific group of known partner guests that uses Authentication Strength. 
Prerequisite: You have verified with the partner that they use native Entra MFA with compatible methods (FIDO2, Windows Hello for Business, Certificate-Based Auth), so no third-party providers via EAM.\nSummary\nFor MFA to work with external users / guests in your Entra ID tenant, you need three things:\nStep | What | Where\n1 | Disable MSA as fallback | Cross-tenant access settings → Redemption order → Fallback identity providers → Disable MSA, enable Email OTP\n2 | Enable Inbound Trust Settings | Cross-tenant access settings → Trust settings → “Trust multifactor authentication from Microsoft Entra tenants”\n3 | Separate CA Policy for guests | Dedicated policy with “Require multifactor authentication” instead of “Require authentication strength” (see Solution Part 3)\nSources:\nPrevent your B2B users from redeeming an invite using Microsoft accounts\nCross-tenant access settings: Inbound Trust Settings for MFA\nRequire multifactor authentication for all users: Conditional Access Policy\nRequire authentication strength for external users\nAuthentication and Conditional Access for External ID: MFA method comparison\nExternal authentication method provider reference ","date":"April 13, 2026","externalUrl":null,"permalink":"/en/blog/mfa-externe-gaeste-entra-id/","section":"Blog","summary":"","title":"MFA with External Users in Entra ID: Why Inbound Trust Alone Is Not Enough","type":"blog"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/en/tags/copilot/","section":"Tags","summary":"","title":"Copilot","type":"tags"},{"content":"This article was translated from German with the help of Claude.\nFor years, Microsoft has been courting European businesses with the so-called “EU Data Boundary”. The promise: all data is stored and processed within the EU. However, a new exception for the Microsoft 365 Copilot has now been announced. 
And it is significant.\nWhat is Flex Routing?\nWith “Flex Routing”, Microsoft allows the AI processing (LLM inferencing) of Microsoft 365 Copilot to take place outside the EU Data Boundary during peak demand. In practice, this means your Copilot requests can be processed in data centers in the US, Canada, or Australia when EU capacity is insufficient.\nThis applies to the processing step where the AI model executes your input, for example summarizing documents or answering questions. The exact moment when your company data runs through the language model.\nWhat does Microsoft promise?\nMicrosoft emphasizes that data remains encrypted in transit and at rest, even with Flex Routing. Permanent storage is supposed to continue within the EU. The exception is pseudonymized data, which may be stored outside the EU for security and operational purposes. At first glance, that does not sound too dramatic.\nHowever, the wording in the official documentation is rather vague. It is not clearly defined which data leaves the EU for which purpose.\nWhat should be viewed critically?\nOpt-Out instead of Opt-In\nThe biggest criticism: Flex Routing is enabled by default. For tenants created after March 25, 2026, it is active right away. Existing customers should check the Message Center (ID MC1269223). It informs that Flex Routing will be enabled as well. The lead time? Just 14 days.\nThis is particularly problematic for organizations that have deliberately chosen the EU Data Boundary, whether due to internal compliance requirements, regulatory obligations, or simply on principle.\nThe EU Data Boundary is being weakened\nAnyone who has previously assured their customers or management that all Microsoft 365 data stays within the EU now has to qualify that statement. 
Flex Routing is a clear breach of the EU Data Boundary promise, even if Microsoft frames it as temporary load balancing.\nHow to disable Flex Routing\nYou can disable Flex Routing at any time in the Microsoft 365 Admin Center:\nSign in to the Microsoft 365 Admin Center with the AI Administrator role.\nNavigate to Copilot → Settings → Flexible inferencing during peak load periods.\nSelect “Do not allow flex routing”.\nIf you disable Flex Routing in the M365 Admin Center, the setting is also applied in the Power Platform Admin Center. LLM inferencing will then take place exclusively within the EU Data Boundary, even during peak demand.\nMy conclusion\nI understand that Microsoft has not yet sufficiently expanded its AI capacity in Europe and wants to handle peak loads globally. Nevertheless, the way Flex Routing is being introduced is problematic: enabled by default, short lead time, and vague documentation.\nIf you are an admin responsible for data privacy and compliance, you should act now:\nCheck your Flex Routing setting in the M365 Admin Center.\nEvaluate together with your Data Protection Officer whether Flex Routing is acceptable for your organization.\nDisable Flex Routing if your compliance requirements do not allow data processing outside the EU.\nDocument your decision, regardless of which direction you choose.\nThis topic is only going to grow, as the demand for AI computing power is increasing rapidly. 
Stay on top of it and keep an eye on your settings.\nSources\nMicrosoft Learn: Flex routing (EU and EFTA)\nMicrosoft Learn: EU Data Boundary – Ongoing partial transfers ","date":"April 7, 2026","externalUrl":null,"permalink":"/en/blog/flex-routing-m365-copilot-eu-datengrenze/","section":"Blog","summary":"","title":"Flex Routing in Microsoft 365: What EU Admins Need to Know Now","type":"blog"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/en/tags/microsoft-365/","section":"Tags","summary":"","title":"Microsoft 365","type":"tags"},{"content":" Episode 105 - QuickSteps in SharePoint - Fewer Clicks to Your Goal\nMicrosoft Lists is getting its next game-changing feature! We have known QuickSteps (or in German: SchnelleSchritte :-D) from Outlook for a few months now. We now have this feature in SharePoint as well. And in Lists in particular, they are extremely useful. That is what we show you today!\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Learn: https://support.microsoft.com/en-us/office/create-a-quick-step-for-your-list-or-library-b37c2c7f-2ae1-49f9-b4b0-a8d501f5f99e\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #sharepoint #lists #quicksteps\n","date":"3. April 2026","externalUrl":null,"permalink":"/videos/folge-105-quicksteps-in-sharepoint-mit-weniger-klicks-zum-ziel/","section":"Videos","summary":"Episode 105 - QuickSteps in SharePoint - Fewer Clicks to Your Goal Microsoft Lists is getting its next game-changing feature! 
We have known QuickSteps (or in German: SchnelleSchritte :-D) for","title":"Episode 105 - QuickSteps in SharePoint - Fewer Clicks to Your Goal","type":"videos"},{"content":" Episode 104 - Microsoft 365 E7 - The Frontier Suite!\nWe joked about it for a long time: \u0026ldquo;You need the E9 license for that!\u0026rdquo; It did not turn out to be E9, but Microsoft 365 E7 is now a reality. And when you look more closely, the whole thing actually makes sense. That is what we want to do with you today: take a closer look.\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Blog: https://blogs.microsoft.com/blog/2026/03/09/introducing-the-first-frontier-suite-built-on-intelligence-trust/\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.cloud ✘ https://wasel365.de/\n#m365 #microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #e7 #frontier #suite\n","date":"20. March 2026","externalUrl":null,"permalink":"/videos/folge-104-microsoft-365-e7-the-frontier-suite/","section":"Videos","summary":"Episode 104 - Microsoft 365 E7 - The Frontier Suite! We joked about it for a long time: “You need the E9 license for that!” It did not turn out to be E9, but Microsoft 365 E7 is now a reality. And when you","title":"Episode 104 - Microsoft 365 E7 - The Frontier Suite!","type":"videos"},{"content":" Episode 103 - Microsoft 365 Local: What You Need to Know!\nThe topic of sovereign cloud, or sovereignty in general, is currently getting just as much attention as AI. Microsoft also presented an approach to this last year. With Azure and M365 local, they have brought services to market that can be used here. Brand new and now GA: Azure and M365 local disconnected. 
We take a look at what that means.\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Learn: https://learn.microsoft.com/en-us/azure/azure-local/concepts/microsoft-365-local-overview?view=azloc-2602\u0026WT.mc_id=MVP_405640\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #copilot #Alltag #Techies #Geeks #M365local #azurelocal #souvereignitycloud\n","date":"6. March 2026","externalUrl":null,"permalink":"/videos/folge-103-microsoft-365-local-das-musst-du-wissen/","section":"Videos","summary":"Episode 103 - Microsoft 365 Local: What You Need to Know! The topic of sovereign cloud, or sovereignty in general, is currently getting just as much attention as AI. Microsoft also presented an approach","title":"Episode 103 - Microsoft 365 Local: What You Need to Know!","type":"videos"},{"content":" Episode 102 - Cloud PC in Under 5 Minutes? Windows 365 Business Is That Easy\nThere are many reasons why you might need a virtual Windows 11 PC at short notice. With Windows 365 Business, we have a great option for doing this. Today we show you how to set up your personal Cloud PC in very little time. Windows 365 Enterprise will follow! 
Promise!\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Learn: https://learn.microsoft.com/en-us/windows-365/business/get-started-windows-365-business?WT.mc_id=MVP_405640 ✘ Windows 365 Link: https://www.microsoft.com/en-us/windows-365/link?msockid=354916548ee9688514d600788f1769cb ✘ Graph Call: GET https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #copilot #Alltag #Techies #Geeks #windows365 #cloudpc\n","date":"20. February 2026","externalUrl":null,"permalink":"/videos/folge-102-cloudpc-in-unter-5-minuten-so-einfach-ist-windows-365-business/","section":"Videos","summary":"Episode 102 - Cloud PC in Under 5 Minutes? Windows 365 Business Is That Easy There are many reasons why you might need a virtual Windows 11 PC at short notice. With Windows 365 Business, we have a","title":"Episode 102 - Cloud PC in Under 5 Minutes? Windows 365 Business Is That Easy","type":"videos"},{"content":" Episode 101 - Microsoft Places Now for (Almost) Everyone!\nA lot has happened with Microsoft Places over the past year. 
In this video, we talk with you about what is new in the Summer release 2025 and the brand-new announcements about the licensing change.\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Learn: https://learn.microsoft.com/en-us/microsoft-365/places/places-overview?WT.mc_id=%3Fwt.mc_id%3DMVP_405640 ✘ Microsoft Places Website: https://www.microsoft.com/en-us/microsoft-places?msockid=063da0fd8320632f18c7b1cf824362fa ✘ Office Hours: https://aka.ms/PlacesOfficeHours\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #copilot #Alltag #Techies #Geeks #places #teams\n","date":"6. February 2026","externalUrl":null,"permalink":"/videos/folge-101-microsoft-places-jetzt-fr-fast-alle/","section":"Videos","summary":"A lot has happened with Microsoft Places over the past year. In this video, we talk about what is new and the brand-new announcements about the licensing change.","title":"Episode 101 - Microsoft Places Now for (Almost) Everyone!","type":"videos"},{"content":" Episode 100 - Microsoft Teams Update: Notes Directly in the Chat\nThe special edition for our 100th episode! Back to the roots - back to the Teams!\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #copilot #Alltag #Techies #Geeks #places #teams\n","date":"23. January 2026","externalUrl":null,"permalink":"/videos/folge-100-microsoft-teams-update-notizen-direkt-im-chat/","section":"Videos","summary":"The special edition for our 100th episode! 
Back to the roots - back to the Teams!","title":"Episode 100 - Microsoft Teams Update: Notes Directly in the Chat","type":"videos"},{"content":" Episode 99 - Microsoft Introduces Baseline Security Mode – What Does That Mean?\nMicrosoft 365 has grown over the years and by now has not only a wealth of admin centers but has always had a multitude of configuration options. For many, it is a big challenge to find all the settings and then also set the right configuration. At Ignite 2025, Microsoft introduced a new feature that is meant to help here: Baseline Security Mode. What that is in detail and what it can already do today is what we look at in the first video of 2026! We hope you all had a good start and wish you a great 2026!\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Learn: https://learn.microsoft.com/en-us/microsoft-365/baseline-security-mode/baseline-security-mode-settings?view=o365-worldwide\u0026WT.mc_id=MVP_405640\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #copilot #Alltag #Techies #Geeks #AdminCenter #BaselineSecurityMode #BSM\n","date":"9. January 2026","externalUrl":null,"permalink":"/videos/folge-99-microsoft-fhrt-baseline-security-mode-ein-was-bedeutet-das/","section":"Videos","summary":"Microsoft 365 now has a multitude of configuration options. At Ignite 2025, Microsoft introduced Baseline Security Mode – we take a look at what that is in detail!","title":"Episode 99 - Microsoft Introduces Baseline Security Mode – What Does That Mean?","type":"videos"},{"content":" Episode 98 - Microsoft Gets Serious: Intune Suite Soon in Every E3/E5 License\nLast episode for this year! 
And Microsoft has indeed placed a little gift under the Christmas tree.\nSee you again next year. Have a good start to the new year!\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Intune Blog announcement: https://techcommunity.microsoft.com/blog/microsoftintuneblog/microsoft-365-adds-advanced-microsoft-intune-solutions-at-scale/4474272 ✘ Price adjustment: https://news.microsoft.com/source/2025/12/11/local-currency-price-adjustments-for-microsofts-commercial-cloud-2/ ✘ Episode 57 - Using Endpoint Privilege Management with Microsoft Intune: https://youtu.be/Mh9iZOX36iY\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#m365 #microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #intune #intunesuite\n","date":"26. December 2025","externalUrl":null,"permalink":"/videos/folge-98-microsoft-macht-ernst-intune-suite-bald-in-jeder-e3e5lizenz/","section":"Videos","summary":"Last episode for this year! And Microsoft has indeed placed a little gift under the Christmas tree.","title":"Episode 98 - Microsoft Gets Serious: Intune Suite Soon in Every E3/E5 License","type":"videos"},{"content":" Episode 97 - Experience the New Microsoft Library Forms\nFresh on the market and already presented here: Forms in SharePoint libraries. We already know the feature from Lists. Now the feature is also available in libraries to simplify collecting documents. 
Today we show you how it works.\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Roadmap: https://www.microsoft.com/de-ch/microsoft-365/roadmap?id=489834 ✘ Episode 52 - Experience the New Microsoft Lists Forms: https://youtu.be/EdvYSERvOwA\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #sharepoint #bibliotheken #forms\n","date":"12. December 2025","externalUrl":null,"permalink":"/videos/folge-97-die-neuen-microsoft-bibliothek-formulare-erleben/","section":"Videos","summary":"Fresh on the market and already presented here: Forms in SharePoint libraries. Now the feature is also available in libraries to simplify collecting documents.","title":"Episode 97 - Experience the New Microsoft Library Forms","type":"videos"},{"content":" Episode 96 - Microsoft Ignite 2025\nWelcome to our 4th Ignite recap. As is tradition, Microsoft held its biggest conference in November - Microsoft Ignite! This year on site at the Moscone Center in San Francisco, but also with many live and on-demand sessions online. The clear focus this year became apparent very quickly: Agents, Agents, Agents. 
As in previous years, Daniel and René talk about their personal highlights and, above all, shed light on the announcements behind the hype topics.\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode: ✘ Book of News: https://news.microsoft.com/ignite-2025-book-of-news/ ✘ What\u0026rsquo;s new in Microsoft Intune at Ignite: https://techcommunity.microsoft.com/blog/microsoftintuneblog/whats-new-in-microsoft-intune-at-ignite/4471043?WT.mc_id=MVP_405640 ✘ Announcing Microsoft Baseline security mode: https://techcommunity.microsoft.com/blog/microsoft_365blog/ignite%E2%80%9925-spotlight-announcing-microsoft-baseline-security-mode/4469709?WT.mc_id=MVP_405640 ✘ What’s New in Microsoft Teams | Microsoft Ignite 2025: https://techcommunity.microsoft.com/blog/MicrosoftTeamsBlog/what%E2%80%99s-new-in-microsoft-teams--microsoft-ignite-2025/4470387?WT.mc_id=MVP_405640 ✘ Edge for Business presents: the world’s first secure enterprise AI browser: https://blogs.windows.com/msedgedev/2025/11/18/edge-for-business-presents-the-worlds-first-secure-enterprise-ai-browser/\n✘ Azure Meetup Bonn Ignite Recap: https://www.meetup.com/azure-bonn-meetup/events/311306764/?eventOrigin=group_upcoming_events\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #AI #Copilot #microsoft #ignite #agent\n","date":"28. November 2025","externalUrl":null,"permalink":"/videos/folge-96-microsoft-ignite-2025/","section":"Videos","summary":"Welcome to our 4th Ignite recap. 
The clear focus this year became apparent very quickly: Agents, Agents, Agents.","title":"Episode 96 - Microsoft Ignite 2025","type":"videos"},{"content":" Episode 95 - From Basic to High Security: Using Authentication Strengths Correctly\nConditional Access is a central security feature in every company – or at least it should be. In the past, you could only specify: MFA yes or no. Which type of MFA was used had to be regulated separately. Now Microsoft has an exciting new feature: “Authentication Strengths”. With it, we can define for ourselves which factors count as a second factor, save them as profiles, and use them selectively in Conditional Access policies. This feature makes Conditional Access even more flexible and more precisely configurable. But see for yourselves!\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Learn: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths?WT.mc_id=MVP_405640 ✘ Episode 3 - Rules for Access to M365 Services: https://youtu.be/mFB4mqgT3uI\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #copilot #Alltag #Techies #Geeks #entraid #conditionalaccess #authenticationstrengths\n","date":"14. November 2025","externalUrl":null,"permalink":"/videos/folge-95-von-basis-bis-hochsicher-authentication-strengths-richtig-nutzen/","section":"Videos","summary":"Conditional Access is a central security feature in every company. 
Now Microsoft has an exciting new feature: Authentication Strengths.","title":"Episode 95 - From Basic to High Security: Using Authentication Strengths Correctly","type":"videos"},{"content":" Episode 94 - Copilot Without Risk: Data Classification with Purview as the Key (Guest: Julian)\nMost companies are dealing with the use of Copilot, or AI in general. Secure use and the protection of data are not always the top priority. Yet Microsoft offers services that achieve a big impact here very easily. Julian Kusenberg, MVP for Purview, shows us today everything that needs to be done to use Copilot securely. Dear Julian: Thank you very much for the cool insights.\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Learn: https://learn.microsoft.com/en-us/purview/sensitivity-labels?WT.mc_id=MVP_405640 ✘ Julian\u0026rsquo;s LinkedIn: https://www.linkedin.com/in/juliankusenberg/\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #copilot #Alltag #Techies #Geeks #purview #insiderrisk\n","date":"31. October 2025","externalUrl":null,"permalink":"/videos/folge-94-copilot-ohne-risiko-datenklassifizierung-mit-purview-als-schlssel-gast-/","section":"Videos","summary":"Most companies are dealing with the use of Copilot, or AI in general. Julian Kusenberg, MVP for Purview, shows us everything that needs to be done to use Copilot securely.","title":"Episode 94 - Copilot Without Risk: Data Classification with Purview as the Key (Guest: Julian)","type":"videos"},{"content":" Episode 93 - More Productivity, Fewer Clicks – An Overview of the New M365 Companion Apps\nAt the end of October, Microsoft is rolling out 3 new apps via the Office updates. The so-called Companion Apps consist of People, Files, and Calendar. 
They are meant to help us find the important things for our work even faster in everyday life. In this video, we give you an overview of the apps, discuss the pros and cons, and give admins valuable tips for the rollout.\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Learn: https://learn.microsoft.com/en-us/microsoft-365-apps/companions/overview?WT.mc_id=MVP_405640\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #apps #companion #office365\n","date":"17. October 2025","externalUrl":null,"permalink":"/videos/folge-93-mehr-produktivitt-weniger-klicks-die-neuen-m365-companion-apps-im-berbl/","section":"Videos","summary":"At the end of October, Microsoft is rolling out 3 new apps via the Office updates. The so-called Companion Apps consist of People, Files, and Calendar.","title":"Episode 93 - More Productivity, Fewer Clicks – An Overview of the New M365 Companion Apps","type":"videos"},{"content":"","date":"October 5, 2025","externalUrl":null,"permalink":"/en/tags/intune/","section":"Tags","summary":"","title":"Intune","type":"tags"},{"content":"–\u0026gt; Also available in German!\nThis article was translated from German with the help of Claude.\nWelcome to my next blog article.\nYou have successfully deployed LAPS (Local Administrator Password Solution) in your environment – an important step towards better security and compliance. But what comes next? Many organizations want to take the next comfort step: integrating password retrieval into their self-service.\nIn this article, I\u0026rsquo;ll show you exactly how to do that – using the Microsoft Graph API in combination with a Logic App. 
This allows you to automate the process and provide your users with a simple, secure way to retrieve the administrator passwords they need on their own.\nAll you need for this scenario is a Microsoft Forms form and a Logic App.\nStep 1 – Trigger # Every Logic App needs a trigger. In my scenario, I use a Microsoft Forms form where the requesting user enters the required information. The most important piece of information is the name of the device for which the LAPS password is needed.\nAdditionally, other helpful details can be collected – for example, information relevant to creating a ticket in the IT system. It can also be useful to capture a justification that is subsequently stored in the ticket.\nAfter creating the form, we now integrate it into our Logic App. The first step is to configure the trigger to respond to new form submissions. As soon as a user fills out the form, the Logic App is automatically started.\nIn the next step, we retrieve the submitted response data. This data forms the basis for all subsequent actions in our workflow. Typically, this includes the device name for which the LAPS password is needed, as well as additional details like a ticket number or justification.\nWe can then flexibly process this information in the following steps.\nStep 2 – Authorize the Managed Identity # Before we integrate the Graph API calls into our Logic App, we need to ensure that the necessary permissions are in place. For authentication, we use the Logic App\u0026rsquo;s Managed Identity.\nHow to set up a Managed Identity and assign the appropriate permissions can be found in the official Microsoft documentation. 
It is important that the Logic App\u0026rsquo;s identity receives the following Microsoft Graph permissions:\nDevice.Read.All – to retrieve device information such as the Device ID\nDeviceLocalCredential.Read.All – to read the LAPS passwords\nThese permissions must be configured as Application Permissions in the app registration and approved by an administrator. Only then can the Logic App successfully access the required data.\nThe following PowerShell script helps you with this:\n# Connect to AzureAD with an appropriate admin account\nConnect-AzureAD\n# New Service Principal Permissions using Azure AD module\n# Placeholder: replace with the ID of your managed identity before running\n$ServicePrincipalId = \u0026#39;\u0026lt;ID of your managed identity\u0026gt;\u0026#39;\n# App ID of the required Graph API\n$GraphResource = Get-AzureADServicePrincipal -Filter \u0026#34;AppId eq \u0026#39;00000003-0000-0000-c000-000000000000\u0026#39;\u0026#34;\n# Set role DeviceLocalCredential.Read.All\n$Permission = $GraphResource.AppRoles | Where-Object {$_.value -eq \u0026#39;DeviceLocalCredential.Read.All\u0026#39;}\nNew-AzureADServiceAppRoleAssignment -ObjectId $ServicePrincipalId -PrincipalId $ServicePrincipalId -Id $Permission.Id -ResourceId $GraphResource.ObjectId\n# Set role Device.Read.All\n$Permission = $GraphResource.AppRoles | Where-Object {$_.value -eq \u0026#39;Device.Read.All\u0026#39;}\nNew-AzureADServiceAppRoleAssignment -ObjectId $ServicePrincipalId -PrincipalId $ServicePrincipalId -Id $Permission.Id -ResourceId $GraphResource.ObjectId\nBefore executing the calls in the Logic App, it may be wise to wait a few minutes or hours until the permissions are fully effective.\nStep 3 – Determine the Device ID # To retrieve the LAPS password for a specific device via the Microsoft Graph API, we first need the Device ID. This ID is the unique key that the API expects for accessing the local administrator credentials.\nSince we currently only have the device name, we first need to resolve it to the corresponding Device ID. 
To do this, we execute a GET request to the Graph endpoint, passing the dynamic value from Forms:\nhttps://graph.microsoft.com/v1.0/devices?$filter=displayName+eq+\u0026#39;\u0026lt;dynamic_content_forms_Device Name\u0026gt;\u0026#39;\nMake sure you use both the correct URI and the right HTTP method. To insert the dynamic value from the Microsoft Forms form, you can use the \u0026ldquo;/\u0026rdquo; shortcut. This opens a selection menu showing all available dynamic content.\nFinally, it is crucial to configure the correct authentication. For this, we use the Managed Identity created at the beginning.\nIn the HTTP action, select Managed Identity as the authentication type. The Audience field must be set to:\n00000003-0000-0000-c000-000000000000\nThis value represents Microsoft Graph and is required for the Logic App to successfully execute the API calls.\nThe API call returns a JSON response that we need to prepare for further processing. For this, we use the \u0026ldquo;Parse JSON\u0026rdquo; action in the Logic App.\nIn the Content field, we specify the dynamic value Body from the previous HTTP call. Then we provide the matching schema so that the Logic App knows the structure of the response, allowing us to easily reference individual values (e.g., the password) in the next steps. We have now determined the required Device ID from the specified device name.\nStep 4 – Retrieve the LAPS password # With the determined Device ID, we can now retrieve the LAPS password. To do this, we execute another Graph API call that uses the Device ID as a parameter.\nThe corresponding endpoint is:\nhttps://graph.microsoft.com/beta/directory/deviceLocalCredentials/\u0026lt;dynamic Device ID\u0026gt;?$select=credentials\nAdditionally, in this step we need to include certain header information for the API call to be processed correctly. 
These include:\nUser-Agent = Dsreg/10.0 (Windows 10.0.19043.1466)\nocp-client-name = My Friendly Client\nocp-client-version = 1.2\nDon\u0026rsquo;t forget to configure the correct authentication again at the end – as described above, via the Managed Identity with the corresponding Audience value for Microsoft Graph.\nDepending on the LAPS configuration and the set password validity period, the API call may return multiple valid passwords. For this reason, the Logic App automatically creates a \u0026ldquo;For Each\u0026rdquo; loop at this point to process all returned entries.\nNote: To ensure you use the most current password, check the backupDateTime field in the JSON response. Sort the entries by this value and select the password with the most recent timestamp. In the Logic App, you can implement this using a \u0026ldquo;Select\u0026rdquo; action followed by a \u0026ldquo;Sort\u0026rdquo; function before processing the first element.\nStep 5 – Deliver the password to the user # Now that we have successfully retrieved the password, we of course need to deliver it to the user. In my example, I use Microsoft Teams and send a chat message to the user who submitted the form via the Flow Bot. This requires an additional account to establish a Teams connection. Alternatively, a ticketing system or other tool can be used for this purpose.\nThe name of the local admin can again be obtained via a dynamic query from the Graph call.\nThe password returned by the Graph API is Base64-encoded. Before we display it in the message, we need to decode it. In the Logic App, this is easily done using the decodeBase64() function:\ndecodeBase64(item()?[\u0026#39;passwordBase64\u0026#39;])\nThis ensures that the user receives the password in plain text without needing to perform any additional steps.\nConclusion # The combination of Microsoft Forms, Logic Apps, and the Microsoft Graph API allows for efficient and secure automation of LAPS password retrieval. 
The process not only offers convenience for users but also ensures traceability and reduces manual intervention. Through the use of Managed Identities, clearly defined permissions, and best practices like logging and justification, the solution remains secure and compliant. The process can be further customized and extended, for example with an approval workflow.\n","date":"October 5, 2025","externalUrl":null,"permalink":"/en/blog/laps-prozessautomatisierung/","section":"Blog","summary":"","title":"LAPS Process Automation","type":"blog"},{"content":" Episode 92 - New Thread View in Microsoft Teams Channels: More Chat, Less Structure? (with: Nicole)\nMicrosoft is gradually changing the way we communicate in MS Teams. They started at the beginning of the year with the new chat and teams view. A change that caused a lot of uproar at first. Now comes another step: a new view directly in the channels. With threads, Microsoft is now also aligning channels with chats. Or is it? We take a look at that today and have once again brought in reinforcements. Nicole Wiske, MVP for Copilot and Teams, shows us what threads can do and how to set up the new view. Many thanks, Nicole, for being here and for the exciting insights.\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ MS Blog: https://techcommunity.microsoft.com/blog/microsoftteamsblog/from-threads-to-workflows-microsoft-teams-features-that-boost-everyone%E2%80%99s-product/4430879 ✘ LinkedIn Nicole: https://www.linkedin.com/in/nicolewiske/\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #teams #threads #channel\n","date":"3. 
October 2025","externalUrl":null,"permalink":"/videos/folge-92-neue-threadansicht-in-microsoft-teams-kanaelen-mehr-chat-weniger-strukt/","section":"Videos","summary":"Microsoft is gradually changing the way we communicate in MS Teams. Now comes another step: a new view directly in the channels with threads.","title":"Episode 92 - New Thread View in Microsoft Teams Channels: More Chat, Less Structure? (with: Nicole)","type":"videos"},{"content":" Episode 91 - Microsoft 365 Copilot + PowerPoint: Brilliant Presentations in Your Corporate Look! (Guest: Fabio)\nMicrosoft 365 Copilot already supports us in so many tasks every day, but it would be really cool if it could also quickly create presentations in the corporate style for me. Unfortunately, that does not really work. Or does it? With the right configuration and a little preparation, you can now achieve remarkable results here too. Our guest Fabio Bonolo shows us today what it takes. As an MVP for Microsoft 365 Copilot, he is a true expert when it comes to using Copilot. Thank you very much, dear Fabio, for the insights.\nWhat do you think of this feature? Does it add value for you?\nLinks for this episode ✘ Setup Asset Library: https://learn.microsoft.com/en-us/sharepoint/organization-assets-library?WT.mc_id=MVP_405640 ✘ Fabio\u0026rsquo;s Socials: https://www.fabiobonolo.com, https://www.youtube.com/@UCy7K3OSAgZneEIbPsU7wo0A\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #azure #Alltag #Techies #Geeks #copilot #powerpoint\n","date":"19. September 2025","externalUrl":null,"permalink":"/videos/folge-91-microsoft-365-copilot-powerpoint-geniale-praesentationen-im-unternehmen/","section":"Videos","summary":"Microsoft 365 Copilot supports us in many tasks every day. 
With the right configuration, you can also create remarkable presentations in the corporate style in PowerPoint.","title":"Episode 91 - Microsoft 365 Copilot + PowerPoint: Brilliant Presentations in Your Corporate Look!","type":"videos"},{"content":" Episode 90 - Microsoft Teams Pro Tip: Adding Meeting Backgrounds via Explorer\nCustom backgrounds in Teams meetings are an essential feature. In the new Teams client, they can be added in various ways. For administrators in particular, however, quite a bit has changed – especially when it comes to central distribution without Teams Premium.\nIn this video, we show you how you can still set your backgrounds via Windows Explorer – without any additional license.\nLinks for this episode ✘ Link in Explorer: %LOCALAPPDATA%\\Packages\\MSTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\Backgrounds\\Uploads ✘ René\u0026rsquo;s blog: https://wasel365.de/2025/09/05/microsoft-teams-meeting-hintergrunde-per-explorer-hinzufugen/\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #teams #hintergründe #meeting\n","date":"5. September 2025","externalUrl":null,"permalink":"/videos/folge-90-microsoft-teams-profi-tipp-meeting-hintergruende-per-explorer-hinzufueg/","section":"Videos","summary":"Custom backgrounds in Teams meetings are an essential feature. In this video, we show you how you can set your backgrounds via Windows Explorer – without any additional license.","title":"Episode 90 - Microsoft Teams Pro Tip: Adding Meeting Backgrounds via Explorer","type":"videos"},{"content":" Episode 89 - From Mess to Maester: How to Make M365 Watertight (Guest: Fabian)\nSecurity and governance are central components of the secure use of IT resources. 
In M365, too, we have to make sure that our tenant is configured securely and according to best practice. But what actually are best practices, and how can I quickly and easily determine the state of my tenant? This is where the community tool Maester comes into play. Fabian Bader himself played a major part in developing this tool and shows us today everything you can track with it. For more information on cloud security, follow Fabian on his socials. And now, enjoy episode 89!\n🔔 Subscribe to our channel for more everyday tips on Microsoft 365!\nLinks for this episode ✘ Maester: https://maester.dev/ ✘ Cloud Identity Summit: https://www.identitysummit.cloud/\nFollow us on Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nOur blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#m365 #microsoft365 #Microsoft #cloud #Alltag #Techies #Geeks #maester #security #governance\n","date":"22. August 2025","externalUrl":null,"permalink":"/videos/folge-89-from-mess-to-maester-so-machst-du-m365-wasserdicht-gast-fabian/","section":"Videos","summary":"Security and governance are central components of the secure use of IT resources. Fabian Bader shows us everything you can track with the community tool Maester.","title":"Episode 89 - From Mess to Maester: How to Make M365 Watertight (Guest: Fabian)","type":"videos"},{"content":" Episode 88 - Pimp my list - Your Lists Can Do More Than You Think\nWe have already talked a lot about Lists. As an alternative to Planner, or the ever-popular Lists Forms. Today we want to look at how you can customize MS Lists so that they can fit any use case. And we promise: you can take it so far that nobody would ever suspect a list behind it. 
Viel Spass!\n🔔 Abonniert unseren Kanal für weitere Alltagstipps rund um Microsoft 365!\nLinks zur Folge ✘ MS Learn: https://learn.microsoft.com/en-us/sharepoint/dev/declarative-customization/column-formatting?WT.mc_id=MVP_405640 ✘ GitHub Community Repo: https://github.com/pnp/List-Formatting/tree/master ✘ Folge 68 - Microsoft Lists - der bessere Planner? (Gast: Adrian): https://youtu.be/Vk_ZnZeWdaM\nFolge uns auf Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nUnsere Blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#M365 #Microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #sharepoint #lists #forms\n","date":"8. August 2025","externalUrl":null,"permalink":"/videos/folge-88-pimp-my-list-deine-listen-koennen-mehr-als-du-denkst/","section":"Videos","summary":"Heute wollen wir mal ansehen, wie man MS Lists so anpassen kann, dass sie jedem UseCase entsprechen können. Man kann es soweit auf die Spitze treiben, dass man niemals mehr eine Liste dahinter vermutet.","title":"Folge 88 - Pimp my list - Deine Listen können mehr als du denkst","type":"videos"},{"content":" Folge 86 - Nie wieder Patch-Stress: Windows Autopatch im Check!\nUnser Kanal erscheint im neuen Gewand. Nach über 85 Folgen ist es nun mal Zeit das Design zu ändern. Wir starten mit den Thumbnails und mehr wird folgen. In der heutigen Folge sprechen wir über Windows Autopatch. Eine hervorragende Möglichkeit eure Windows Devices immer up to date zu halten. Und das jetzt auch in M365 Business Premium integriert. 
Nutzt ihr es schon?\nWas sagt ihr zum neuen Thumbnail?\n🔔 Abonniert unseren Kanal für weitere Alltagstipps rund um Microsoft 365!\nLinks zur Folge ✘ MS Learn: https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/overview/windows-autopatch-overview?WT.mc_id=MVP_405640\nFolge uns auf Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nUnsere Blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#m365 #microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #windowsupdate #windowsautopatch #intune #windows11\n","date":"25. July 2025","externalUrl":null,"permalink":"/videos/folge-86-nie-wieder-patch-stress-windows-autopatch-im-check/","section":"Videos","summary":"Unser Kanal erscheint im neuen Gewand. In der heutigen Folge sprechen wir über Windows Autopatch – eine hervorragende Möglichkeit eure Windows Devices immer up to date zu halten.","title":"Folge 86 - Nie wieder Patch-Stress: Windows Autopatch im Check!","type":"videos"},{"content":" Folge 87 - Robopack: Intune Pakete einfach \u0026amp; schnell erstellen\nM365 im Alltag bedeutet für uns auch, dass wir an manchen Stellen mal links und rechts schauen, welche Tools es gibt, die uns die Verwaltung von M365 Services vereinfacht oder automatisiert. Hier ist Daniel vor ein paar Wochen das Tool Robopack vor die Füße gefallen. Mit Robopack habt ihr das perfekte Add-On, um Applikationsverwaltung und Updateprozesse in Intune zu vereinfachen. Und das Beste: Für SMBs und NGOs ist es kostenlos. Es werden auch noch weitere Videos zu diesem Tool kommen, da wir nicht alle Features verpacken konnten. 
Viel Spass!\n🔔 Abonniert unseren Kanal für weitere Alltagstipps rund um Microsoft 365!\nLinks zur Folge ✘ Robopack: https://robopack.com/\nFolge uns auf Bluesky ✘ @DuRM365.bsky.social ✘ @renewasel.bsky.social ✘ @dako365.bsky.social\nUnsere Blogs ✘ https://dako365.com/ ✘ https://wasel365.de/\n#m365 #microsoft365 #Microsoft #Office365 #Alltag #Techies #Geeks #appdeployment #intune #robopack\n","date":"25. July 2025","externalUrl":null,"permalink":"/videos/folge-87-robopack-intune-pakete-einfach-schnell-erstellen/","section":"Videos","summary":"M365 im Alltag bedeutet für uns auch, dass wir an manchen Stellen mal links und rechts schauen, welche Tools es gibt. Hier ist Daniel das Tool Robopack vor die Füße gefallen – das perfekte Add-On für Applikationsverwaltung in Intune.","title":"Folge 87 - Robopack: Intune Pakete einfach \u0026 schnell erstellen","type":"videos"},{"content":"–\u0026gt; Also available in German!\nThis article was translated from German with the help of Claude.\nWhat is LAPS? # \u0026ldquo;LAPS\u0026rdquo; stands for \u0026ldquo;Local Administrator Password Solution\u0026rdquo;. It is a tool developed by Microsoft to manage local administrator passwords on Windows computers. The idea behind LAPS is to ensure that a unique, randomly generated administrator password is used on every Windows computer in a network. This reduces the risk of attackers gaining access to the entire network if they obtain a single administrator password.\nLAPS works by randomly generating and storing the local administrator password on each computer. The stored passwords are saved in an Active Directory attribute field that only authorized users or groups can access. Since October, LAPS has also been available in Intune (GA). Here, the generated passwords are stored in the properties of the device object and can be viewed by various roles, such as helpdesk. 
The password changes after a defined period following usage.\nBy using LAPS, organizations can improve their network security by ensuring that local administrator passwords are regularly changed and securely stored.\nWhy LAPS? # Let\u0026rsquo;s configure LAPS # Enable LAPS in Entra # First, we need to enable LAPS in our tenant. To do this, navigate to Entra and go to Devices settings. Here, set the \u0026ldquo;Enable Microsoft Entra Local Administrator Password Solution (LAPS)\u0026rdquo; option to \u0026ldquo;Yes\u0026rdquo;. After a short time, LAPS will be available in Intune.\nConfigure the LAPS policy # As already mentioned, LAPS is a configuration in Intune. You can find it under Intune admin center → Endpoint security → Account protection.\nHere we create a new LAPS policy. First, we need to give our policy a name and ideally a description.\nNow we get to the actual configuration. At first glance, we see six items to configure:\nBackup Directory # First, we need to define where the local admin password should be stored. In addition to Entra, we also have the option of the local Active Directory or not storing it at all. Since I want to demonstrate LAPS in Intune in this post, we configure the option \u0026ldquo;Backup the password to Azure AD only\u0026rdquo;.\nAdditionally, under this item we can set \u0026ldquo;Password Age Days\u0026rdquo;. This setting has a minimum allowed value of 7 days and a maximum allowed value of 365 days. If not configured, the default is 30 days.\nAdministrator Account Name # This setting is used to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account is found by its well-known SID (even if it has been renamed). If specified, the password of the specified account will be managed. (Create a local admin account → here) In my case, it is \u0026ldquo;LocAdmin\u0026rdquo;.\nAttention: This setting does not create a new local admin account on the client. 
We need to create this via Intune first. If the account specified here is not available on the client, LAPS cannot be applied.\nPassword Complexity # The complexity of the generated password can be configured as follows. In my example, I chose uppercase and lowercase letters and numbers. You need to decide for yourself what makes sense for your environment.\nPassword Length # As the name suggests, we can configure the length of the managed local administrator account password here. If not specified, this setting defaults to 14 characters. This setting has a minimum allowed value of 8 characters and a maximum allowed value of 64 characters.\nNote: The user must manually enter the password on their client in the User Account Control (UAC) prompt. Copy \u0026amp; paste is not possible there. For usability reasons, it should therefore not be too long or too complex.\nPost Authentication Actions # This is where the real magic of LAPS happens. We configure what should happen after the password has been used and the grace period has expired.\nThe following options are available:\nValue | Description\n1 | Reset password: After the grace period expires, the managed account password is reset.\n2 | Reset password and log off the managed account: After the grace period expires, the managed account password is reset and all interactive logon sessions with the managed account are terminated.\n3 (Default) | Reset password and restart: After the grace period expires, the managed account password is reset and the managed device is immediately restarted.\nIn my example, I use option 2.\nPost Authentication Reset Delays # Here we can specify the grace period, i.e., how long (in hours) to wait after an authentication before the password is reset. If not specified, this setting defaults to 24 hours. This setting has a minimum allowed value of 0 hours and a maximum allowed value of 24 hours.\nFinally, you need to assign your configuration to the appropriate groups. 
The LAPS policies are now applied and the password is made available in the device profile.\nRetrieve the LAPS password # You can now retrieve the LAPS password from the properties of your device. There are several ways to do this: either via Entra in the Device Overview, in the Entra Device Object, or of course in Intune.\nYou\u0026rsquo;ll find it under the \u0026ldquo;Local Admin Password\u0026rdquo; entry. First, you\u0026rsquo;ll see when the last password rotation occurred and when the next one is scheduled. Clicking the link will display the local admin account along with its password.\nManual password rotation # The password is rotated in the cycle you defined in the policy. In the Intune Admin Center, we can also trigger the rotation manually. You can initiate this in the device object from the action bar.\nPlease note that the password is generated locally on the client and therefore takes some time.\nRequired admin roles # To view or change the password for a device\u0026rsquo;s local administrator account using the Intune admin center, your account must have the following Intune permissions assigned:\nManaged devices: Read\nOrganization: Read\nRemote tasks: Rotate Local Admin Password\nTo view password details, your account must have one of the following Microsoft Entra permissions:\nmicrosoft.directory/deviceLocalCredentials/password/read to read LAPS metadata and passwords.\nmicrosoft.directory/deviceLocalCredentials/standard/read to read LAPS metadata excluding passwords.\nRetrieve LAPS password with PowerShell and Graph # To reduce manual effort, you should automate the LAPS password process. I will demonstrate one approach here on my blog. If you have already automated existing processes, here is the corresponding cmdlet. 
You first need to authenticate with PowerShell to Microsoft Graph.\n#Define your device name here\nParam (\n    [string]$DeviceID\n)\n#Connect to Microsoft Graph\nConnect-MgGraph -Scopes DeviceLocalCredential.Read.All, Device.Read.All\n# Get the LAPS password\nGet-LapsAADPassword -DeviceIds $DeviceID -IncludePasswords -AsPlainText\nThe user\u0026rsquo;s perspective and discussion # Check out our video on #DuRM365 for more details!\n","date":"December 15, 2023","externalUrl":null,"permalink":"/en/blog/intune-local-admin-password-solution-laps/","section":"Blog","summary":"","title":"Intune: Local Admin Password Solution (LAPS)","type":"blog"},{"content":"–\u0026gt; Also available in German!\nThis article was translated from German with the help of Claude.\nCreating local accounts, including admin accounts, can be useful not only for LAPS. In this short blog article, I\u0026rsquo;ll show you how to create the account and move it to the appropriate permissions group.\nCreate a device configuration # First, we need to create a new \u0026ldquo;Configuration profile\u0026rdquo; for Windows devices in the Intune Admin Center. The configuration we need is unfortunately not available in the catalog and must be configured manually via OMA-URI entries. Therefore, we select \u0026ldquo;Templates\u0026rdquo; as the \u0026ldquo;Profile type\u0026rdquo; and choose the \u0026ldquo;Custom\u0026rdquo; template.\nThen name your policy accordingly and you can start adding manual settings.\nCreate a local account # To create a user account with a corresponding password, we need to add the following entry:\nOMA-URI ./Device/Vendor/MSFT/Accounts/Users/$DisplayNameOfTheAccount$/Password\nIt is important that you replace the second-to-last value in the string with your desired name.\nIf you use LAPS, the password assigned here will be overwritten by the LAPS policy.\nAdd the account to the local administrators group # With this, we have only created a local user. 
For this user to also become a local admin, we need to add them to the local administrators group. This is also done via an OMA-URI entry in the same profile. We add another entry with the following values:\nOMA-URI ./Device/Vendor/MSFT/Accounts/Users/$DisplayNameOfTheAccount$/LocalUserGroup\nAgain, please make sure that the second-to-last value is identical to the account you created before.\nAfterwards, assign the profile to the desired groups.\nConfiguration shows as failed # After the profile has been distributed to the devices, Intune shows errors in the overview.\nLooking at it in detail, we see that the error code \u0026ldquo;-2016281112\u0026rdquo; is returned.\nThe fact is, however, that the configuration works and the local admin is created. In my research so far, I could not find any answers to this error. Various forums suggest that it is simply a bug. Regardless: the main thing is that it works.\n","date":"December 15, 2023","externalUrl":null,"permalink":"/en/blog/lokales-admin-konto-mit-intune-erstellen/","section":"Blog","summary":"","title":"Create a local admin account with Intune","type":"blog"},{"content":"","date":"July 14, 2023","externalUrl":null,"permalink":"/en/tags/exchange-online/","section":"Tags","summary":"","title":"Exchange Online","type":"tags"},{"content":"–\u0026gt; Also available in German!\nPhishing emails are still one of the most popular methods of cyber attack. Additionally, these attacks are becoming more and more sophisticated and authentic. Of course, there are security mechanisms, such as DKIM, DMARC or SPF. The use of these is also strongly recommended. However, even with these, we cannot guarantee one hundred percent protection. It is therefore all the more important to train our users in the use of IT and to make them aware of security risks. 
Exchange Online offers a few features to make it easier for users to recognize dangers:\nExternal E-Mail Tags\nManipulation of the subject of the e-mail\nColor warning in the body of the email\nAdditionally, in this blog post I would like to show you a MailTip in Outlook that is not enabled by default, but gives the user a hint when sending an email to a person outside the organization. This tip can help prevent internal or trusted documents from leaking.\nExternal E-Mail Tags # Let\u0026rsquo;s start with a relatively new feature. We now have the ability to tag external emails in Outlook clients with an \u0026ldquo;External\u0026rdquo; tag.\nYou must enable this feature once tenant-wide for all mailboxes:\nSet-ExternalInOutlook -Enabled $true\nPlease note that it can take up to 48 hours until the setting takes effect. If you want to exclude email addresses or domains of partner organizations, for example, you can put these domains on an \u0026ldquo;AllowList\u0026rdquo;:\nSet-ExternalInOutlook -AllowList @{Add=\u0026#34;daniel@dako365.de\u0026#34;, \u0026#34;dako365.com\u0026#34;}\nAnd that\u0026rsquo;s it! In my opinion, you should simply enable it, because it does not get in the way at all. Now, of course, one can discuss how well this rather small hint works. Especially since this, as already briefly mentioned, is only visible in Outlook (whether web, client or app). Furthermore, the setting options are very limited. Actually, only on or off is possible. Sure, you can maintain an allow list via PowerShell, but this also directly undermines the basic idea. If not all external emails are tagged, how should a user then interpret whether this email is good or bad?\nIf you\u0026rsquo;re looking for a different way that offers more configuration options, check out the next chapter.\nManipulation of the subject of the e-mail # This is probably the classic way it has been done in Exchange on-premises. 
Using one (or more) transport rules, we manipulate the subject of each external email as it arrives. A common approach here is to give the subject a prefix, such as \u0026ldquo;*EXTERNAL*\u0026rdquo;.\nI would like to show you how to configure this in Exchange Online.\nFirst of all we have to go to the Exchange Online Admin Center. Here you click under \u0026ldquo;Mail flow\u0026rdquo; on the \u0026ldquo;Rules\u0026rdquo;.\nHere we create a new rule under the tab \u0026ldquo;Add a new rule\u0026rdquo; with \u0026ldquo;Create a new rule\u0026rdquo;.\nThen we give the rule an appropriate name and choose the settings below. You can see that the transport rules give us much more room for customization. For example, we can exclude users or entire groups from the rule (Except if) and assign them other rules with a different prefix. This way it is much easier to do justice to one\u0026rsquo;s own ideas.\nFinally, you can set a test mode if you want to test your rules first. The severity of the rule should be set according to your other rules. We can set the priority of the rule afterwards.\nBecause it is important that you still activate the rule after creating it. Otherwise nothing will happen 😉\nFor all those who simply need more design freedom when marking emails, the transport rules are still the tool of choice. But it has another advantage: by manipulating the subject, we always have a warning regardless of the client we use. So if you use other clients than Outlook (for example the native mail app on your smartphone), you won\u0026rsquo;t have any losses here, as for example with variant 1.\nEven S/MIME-encrypted e-mails can be manipulated in this way, even if decryption only takes place in the Outlook client. The subject is in the header and is therefore not encrypted.\nColor warning in the body of the email # You have accounts that require special protection and you still don\u0026rsquo;t have enough information? 
Then you can use transport rules to insert colored hints into the body of the email. This way you also have a colored trigger. However, I often refrain from doing this, because it can be annoying for the user, since these hints are in the body as text and are therefore also sent with the reply (as with the subject).\nIf you still want to test it, create a transport rule again, as shown above. In the \u0026ldquo;Do the following\u0026rdquo; area you can now use HTML to enter a warning with text and color as you like. I chose the following one, because it has the \u0026ldquo;Microsoft Style\u0026rdquo;:\nCaution: This email was sent from an external address. If you do not know the sender, do not click on any links or open any attachments. If you are unsure, always contact the Service Desk.\n\u0026lt;!-- Yellow caution banner --\u0026gt; \u0026lt;table border=0 cellspacing=0 cellpadding=0 align=\u0026#34;left\u0026#34; width=\u0026#34;100%\u0026#34;\u0026gt; \u0026lt;tr\u0026gt; \u0026lt;!-- Dark yellow border --\u0026gt; \u0026lt;td style=\u0026#34;background:#ffb900;padding:5pt 2pt 5pt 2pt\u0026#34;\u0026gt;\u0026lt;/td\u0026gt; \u0026lt;!-- Textbox --\u0026gt; \u0026lt;td width=\u0026#34;100%\u0026#34; cellpadding=\u0026#34;7px 6px 7px 15px\u0026#34; style=\u0026#34;background:#fff8e5;padding:5pt 4pt 5pt 12pt;word-wrap:break-word\u0026#34;\u0026gt; \u0026lt;div style=\u0026#34;color:#222222;\u0026#34;\u0026gt; \u0026lt;span style=\u0026#34;color:#222; font-weight:bold;\u0026#34;\u0026gt;Caution:\u0026lt;/span\u0026gt; This email was sent from an external address. If you do not know the sender, do not click on any links or open any attachments. If you are unsure, always contact the Service Desk. 
\u0026lt;/div\u0026gt; \u0026lt;/td\u0026gt; \u0026lt;/tr\u0026gt; \u0026lt;/table\u0026gt; \u0026lt;br /\u0026gt;\nWhen you create such a rule, it is important to include a fallback option in case the rule cannot be applied, in order not to produce errors.\nUnlike subject manipulation, mails that are encrypted cannot be edited this way. Changing the body is not possible due to encryption.\nMailTips in Outlook # You have surely all seen the MailTips in Outlook. Most of you will have noticed that you get hints when you write an e-mail to a person with an out-of-office message or when the recipient group is larger than 25 people.\nBut did you know that there is exactly one MailTip that is turned off by default?\nAs mentioned in the introduction, we can enable a MailTip that warns us when a recipient\u0026rsquo;s address is outside the organization. This is again a simple hint for your users to be attentive when sending information. Especially when using mailing lists, this feature can be very useful.\nBut how do you activate it? Via PowerShell, of course:\nSet-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true\nAnd with this command you can display all MailTips settings:\nGet-OrganizationConfig | select *Mailtips*\nMy clear recommendation is to enable it: this feature is more useful than it is detrimental to anyone.\nLinks and Facts # MailTips in Exchange Online | Microsoft Learn\nNative external sender callouts on email in Outlook – Microsoft Community Hub\nSet-ExternalInOutlook (ExchangePowerShell) | Microsoft Learn ","date":"July 14, 2023","externalUrl":null,"permalink":"/en/blog/external-email-warning-in-office-365-und-outlook/","section":"Blog","summary":"","title":"External email alert in Office 365 and Outlook","type":"blog"},{"content":"–\u0026gt; Also available in German!\nIn today\u0026rsquo;s digitized world, many work processes have changed. Team communication in particular has undergone an enormous transformation. 
The introduction of Microsoft Teams revolutionized the way companies, organizations and teams work together. This revolution is still in full swing. With Mesh, Microsoft has already announced a virtual space where we can move freely and hold meetings in a whole new style. An exciting new feature takes us in this direction and takes team communication to a new level: the Microsoft Teams Avatars.\nWhat are Microsoft Teams avatars? # Microsoft Teams avatars are personalized digital images of you, as they are already known from many other tools. Snapchat, Apple or even Nintendo have been working with this concept for many years. We can now use our Teams avatar in the virtual environment of Microsoft Teams Meetings. As a replacement for a live webcam, avatars allow users to visually represent their identity and presence and provide a unique way to express themselves in virtual meetings and chats. To make sure your avatar looks as much like you as possible, it can be customized to reflect your personal style, preferences, and personality. Different clothes for different occasions are of course also available.\nConnect the Avatar App # To create avatars, you first need to add the Avatar app to your Teams client. The best way to do this is to search for \u0026ldquo;Avatar\u0026rdquo; under the Apps tab. If you can\u0026rsquo;t find the app, it\u0026rsquo;s probably because your administrator hasn\u0026rsquo;t unlocked it. In this case, talk to your administrator.\nOnce you have added the app, you will automatically enter the Avatar Builder, where you can create up to 3 different avatars.\nCreate your own avatar # In the Avatar Builder you can now design your avatar as you wish. You can choose from the 5 main categories:\nBody\nFace\nHair\nAppearance\nWardrobe\nTo list every single subitem here would be too much. Just click through and design your own avatar.\nAvatars in Teams Meeting # You have created one or more avatars? 
Then of course you want to use them in the meeting. When you attend a meeting, you now have the option to use your avatar instead of the camera. The only important thing is that you turn off your camera beforehand. Choose your avatar and if you want you can use a default background. Custom backgrounds are currently still in preview and therefore still have their pitfalls.\nOnce you have joined the meeting, you can access the avatar menu to perform various actions with your avatar. In the avatar menu you have an overview of various settings options:\nYour Avatars – Here you can quickly switch between your created avatars.\nAvatar reactions – So that your avatar doesn\u0026rsquo;t just stand around motionless in the meeting, you can choose between various reactions. Even the classic reactions are transferred to your avatar. A really cool feature is that your avatar\u0026rsquo;s lips move when you speak.\nAvatar backgrounds – Use different default backgrounds.\nAvatar mood – Here you can set the mood of your avatar. From a grumpy, disinterested avatar to a joyfully smiling avatar, everything is possible.\nAvatar camera – As with a real webcam, your avatar can face the camera head-on or be shown offset to the left or right.\nExperimental Settings – Custom backgrounds are still in preview. But you can check out how it works here.\nRequirements and Limits # Licenses # Teams users can access the Avatar feature if they have one of the following licenses: Teams Essentials, Microsoft 365 Business Basic, Microsoft 365 Business Standard, Microsoft 365 Business Premium, Microsoft 365 E3/E5 and Office 365 E1/E3/E5.\nHardware # Component | Required | Suggested\nComputer and processor | Two core | Four core or better\nMemory | 4 GB RAM | 8 GB or better\nIn my tests on virtual machines with 4 GB RAM, I noticed that avatars did not run smoothly or even aborted. With 8 GB, these problems no longer occurred.\nClient # Currently, avatars only work in the client for Windows and Mac. 
They are not available in the browser and on mobile devices.\nConclusion # The introduction of Microsoft Teams avatars is the next step to Mesh and the virtual space. Avatars allow users to express their personality and connect with their team members regardless of their location, especially when using the webcam is simply not possible. In my opinion, however, there is still a lot of room for improvement here as well. Creating the avatar is very cumbersome. Other tools, such as Snapchat, already offer the option to automatically generate avatars from pictures and videos, which you only have to customize slightly. Furthermore, stability in meetings is not yet fully there. In many tests, the meeting participants either did not see my avatar at all or did not see the actions. Now and then even my entire client crashed.\nBut still: With the increasing importance of remote work and virtual collaboration, avatars will make a significant contribution to improving team communication and will shape the future of the working world. I\u0026rsquo;m curious to see where the development will go.\nYouTube video # On our YouTube channel you can also find a video (in German) about it.\nLinks and Facts # Join a meeting as an avatar in Microsoft Teams – Microsoft Support\nSet up avatars for Microsoft Teams – Microsoft Teams | Microsoft Learn ","date":"June 30, 2023","externalUrl":null,"permalink":"/en/blog/avatare-in-ms-teams-meetings/","section":"Blog","summary":"","title":"Avatars in MS Teams Meetings","type":"blog"},{"content":"","date":"June 30, 2023","externalUrl":null,"permalink":"/en/tags/teams/","section":"Tags","summary":"","title":"Teams","type":"tags"},{"content":"–\u0026gt; Also available in German!\nIn this article, we will explore the process of installing printer drivers using Microsoft Endpoint Manager (MEM) and pnputil.exe. 
Printer driver installation is an essential step in configuring printers on Windows devices, and MEM provides a convenient way to streamline the deployment process. We will also discuss the usage of pnputil.exe, a command-line tool that allows for the management of device drivers on Windows.\nOn clients without local admin rights, it is not possible to download and install drivers, for example, from a print server. To address this issue, I have developed a procedure for installing drivers on clients using pnputil.exe.\nPrerequisites # To perform the driver installation using pnputil.exe, you will need the following:\nDriver files from the manufacturer: You need the driver files provided by the manufacturer, specifically the .INF and .CAT files.\nPowerShell environment: You can use tools like Visual Studio Code, PowerShell ISE, or any other PowerShell-compatible environment.\nMicrosoft Win32 Content Prep Tool\nMake sure you have the necessary permissions and access to Microsoft Intune.\nUnpack the drivers # We download the drivers from the printer manufacturer and unpack them in the desired path. In the folder where the installation file is located (*.INF) we create 3 PowerShell scripts:\nInstall-Driver.ps1\nRemove-Driver.ps1\nDetectionscript.ps1\nInstall-Driver.ps1 # To install the driver on the client, we use the pnputil.exe tool. We invoke it using the \u0026ldquo;Start-Process\u0026rdquo; command in PowerShell and provide the necessary arguments along with the installation file. Once the driver is loaded with pnputil, the desired driver can be added using the \u0026ldquo;Add-PrinterDriver\u0026rdquo; command. If a driver package contains multiple printer drivers, all desired drivers can be added, of course.\nSince we package the script into a WIN32 app, Intune defaults to launching a 32-bit PowerShell during distribution. However, this version cannot execute pnputil.exe. 
Therefore, at the beginning of the script, we need to specify that the script should be run in 64-bit PowerShell.\nIn my example, I am using drivers from the THERMOMARK printer series by Phoenix.\n#starts script in 64bit powershell\nIf ($ENV:PROCESSOR_ARCHITEW6432 -eq \u0026#34;AMD64\u0026#34;) {\n    Try {\n        \u0026amp;\u0026#34;$ENV:WINDIR\\SysNative\\WindowsPowershell\\v1.0\\PowerShell.exe\u0026#34; -File $PSCOMMANDPATH\n    }\n    Catch {\n        Throw \u0026#34;Failed to start $PSCOMMANDPATH\u0026#34;\n    }\n    Exit\n}\n#install driver\n#pnputil arguments\n$INFARGS = @(\n    \u0026#34;/add-driver\u0026#34;\n    \u0026#34;PHOENIX.inf\u0026#34;\n)\nStart-Process pnputil.exe -ArgumentList $INFARGS -wait -passthru\nAdd-PrinterDriver -Name \u0026#34;THERMOMARK ROLL 2.0\u0026#34;\nAdd-PrinterDriver -Name \u0026#34;THERMOMARK CARD 2.0\u0026#34;\nPrinter driver without trusted certificates # There are printer drivers that are not classified as trusted by Windows by default. This must first be confirmed during installation.\nIn an Intune installation this user interaction is not desired and also not possible, because local admin rights are necessary. 
However, we can solve this by exporting the certificate from the *.CAT file in the PowerShell script beforehand and saving it in the certificate store under \u0026ldquo;Trusted Publisher\u0026rdquo;.\nSo we now have a script that installs printer drivers using pnputil.exe.\n#starts script in 64bit powershell\nIf ($ENV:PROCESSOR_ARCHITEW6432 -eq \u0026#34;AMD64\u0026#34;) {\n    Try {\n        \u0026amp;\u0026#34;$ENV:WINDIR\\SysNative\\WindowsPowershell\\v1.0\\PowerShell.exe\u0026#34; -File $PSCOMMANDPATH\n    }\n    Catch {\n        Throw \u0026#34;Failed to start $PSCOMMANDPATH\u0026#34;\n    }\n    Exit\n}\n#transfer driver certificate to local trusted cert store\n$signature = Get-AuthenticodeSignature PHOENIX.cat\n$store = Get-Item -Path Cert:\\LocalMachine\\TrustedPublisher\n$store.Open(\u0026#34;ReadWrite\u0026#34;)\n$store.Add($signature.SignerCertificate)\n$store.Close()\n#install driver\n$INFARGS = @(\n    \u0026#34;/add-driver\u0026#34;\n    \u0026#34;PHOENIX.inf\u0026#34;\n)\nStart-Process pnputil.exe -ArgumentList $INFARGS -wait -passthru\nAdd-PrinterDriver -Name \u0026#34;THERMOMARK ROLL 2.0\u0026#34;\nAdd-PrinterDriver -Name \u0026#34;THERMOMARK CARD 2.0\u0026#34;\nRemove-Printer.ps1 # Uninstalling program packages is also important for smooth operation via Intune. Thus, the uninstallation of old printer drivers that are no longer needed can also be realized. 
For this purpose, we again use pnputil.exe and the same approach as for the installation.\nIf ($ENV:PROCESSOR_ARCHITEW6432 -eq \u0026#34;AMD64\u0026#34;) {\n    Try {\n        \u0026amp;\u0026#34;$ENV:WINDIR\\SysNative\\WindowsPowershell\\v1.0\\PowerShell.exe\u0026#34; -File $PSCOMMANDPATH\n    }\n    Catch {\n        Throw \u0026#34;Failed to start $PSCOMMANDPATH\u0026#34;\n    }\n    Exit\n}\n#delete driver\n#pnputil expects the INF name directly after /delete-driver, options such as /force follow it\n$INFARGS = @(\n    \u0026#34;/delete-driver\u0026#34;\n    \u0026#34;oemsetup.inf\u0026#34;\n    \u0026#34;/force\u0026#34;\n)\nStart-Process pnputil.exe -ArgumentList $INFARGS -wait\nRemove-PrinterDriver -Name \u0026#34;THERMOMARK ROLL 2.0\u0026#34;\nRemove-PrinterDriver -Name \u0026#34;THERMOMARK CARD 2.0\u0026#34;\nDetectionscript.ps1 # In order for Intune to recognize that the operation was successful after installation, we need to upload a detection script to Intune during deployment. This script checks if the printer drivers are found via PowerShell. If you install multiple drivers, all drivers must also be included in the detection.\nThis could then look like this, for example.\nIF ( (Get-PrinterDriver| Where-Object {($_.Name -Match \u0026#34;THERMOMARK ROLL 2.0\u0026#34;)})`\n -and (Get-PrinterDriver| Where-Object {($_.Name -Match \u0026#34;THERMOMARK CARD 2.0\u0026#34;)})){\n    $True\n}\nPackaging # Now we have all the necessary files and scripts and can build the Intune package. For packaging, all scripts must be in the same folder as the *.INF and *.CAT files. 
The detection script does not need to be packed as it is uploaded to Intune separately.\nOnce the folder is complete, we launch the Microsoft Win32 Content Prep Tool and enter all the relevant information.\nThe tool now produces an Install-Driver.intunewin file that we can upload to Intune.\nMicrosoft Endpoint Manager settings # We now upload our INTUNEWIN file as Win32 App in Endpoint Manager and give the package the desired name.\nUnder the item \u0026ldquo;Program\u0026rdquo; we enter the installation command\npowershell.exe -executionpolicy bypass \u0026#34;.\\Install-Driver.ps1\u0026#34;\nas well as the uninstall command.\npowershell.exe -executionpolicy bypass \u0026#34;.\\Remove-Printer.ps1\u0026#34;\nUnder the prerequisites, Windows must be entered as 64-bit architecture. The operating system version should always be in the supported range.\nIn the next step we upload our Detectionscript.ps1.\nNow you just need to assign the package to the appropriate users, devices or groups. Of course, as always, before you roll it out, test it extensively on a few machines.\nHave fun building it!\nIf you have any questions, feel free to contact me.\n","date":"February 22, 2022","externalUrl":null,"permalink":"/en/blog/druckertreiber-installation-mit-mem-und-pnputil/","section":"Blog","summary":"","title":"Printer Driver Installation using MEM and pnputil.exe","type":"blog"},{"content":"–\u0026gt; Also available in German!\nThis article was translated from German with the help of Claude.\nAt the TeamsCommunityDay 2021, René and I presented four Teams App Templates in our session that can help strengthen company culture in the home office. I would like to present these apps and their use cases here once again. Additionally, you\u0026rsquo;ll find our slides from the session here.\n1. Icebreaker # First, we introduced the Icebreaker. This app randomly pairs members of a team so they can get to know each other and have personal conversations. 
The bot works on a configurable schedule and offers two buttons that allow partners to either chat with each other immediately or schedule a meeting.\nThis app essentially brings the conversation at the coffee machine or the chance encounter in the hallway to Teams. Furthermore, it can also bring together people who don\u0026rsquo;t know each other because they work in completely different teams or even locations.\nBest practices:\nDedicated team for Icebreaker Announce Icebreaker in the team Promote through key users Regularly bring in \u0026ldquo;fresh\u0026rdquo; participants Need a break? Every user can pause the bot Leave the team Microsoft Teams app templates – Teams | Microsoft Docs\n2. Company Communicator # Internal communication is fundamentally an important tool in any organization. For employees in the home office, it is even more important to remain part of the company through transparency and information flow.\nThe \u0026ldquo;Company Communicator\u0026rdquo; app can help shift corporate communications from email to Microsoft Teams. With the author mode, cards can be created in no time and sent to Teams channels or directly to employees\u0026rsquo; chats.\nPractical: Authors can be designated independently of their position in the company through a dedicated permission parameter.\nBest practices:\nDedicated team for Company Communicator authors Add Company Communicator recipient to the global app setup policy Either Company Communicator or email Don\u0026rsquo;t spam! 3. Reflect # After bringing employees together and improving communication in the company, we also want a way to capture the mood and personal well-being of employees. With \u0026ldquo;Reflect\u0026rdquo;, we implement a Microsoft Teams messaging extension app that allows collecting feedback on questions through a simple form. These questions can be customized. 
The response options are smileys on a scale from \u0026ldquo;laughing\u0026rdquo; to \u0026ldquo;angry\u0026rdquo;.\nThis extension is available in any type of chat and is inclusive and secure through various privacy settings.\nBest practices:\nCreate a public team so employees can join voluntarily Respond openly to feedback Microsoft Teams app templates – Teams | Microsoft Docs\n4. New Employee Onboarding # When many or even all employees are in the home office, onboarding and training new employees is very challenging. Making connections and understanding company processes is particularly difficult for new colleagues due to the distance.\nThe \u0026ldquo;New Employee Onboarding\u0026rdquo; app integrates a SharePoint Lookbook solution into Teams. Through a SharePoint list, all onboarding stations can be captured and handed over to the new employee via Teams. This provides a consistent and high-quality onboarding experience for all employees.\nThe SharePoint list additionally offers HR and managers constant monitoring of the process.\nBest practices:\nAdapt and evolve to your own processes Involve all relevant departments Collect feedback Microsoft Teams app templates – Teams | Microsoft Docs\n","date":"January 31, 2021","externalUrl":null,"permalink":"/en/blog/teamscommunityday-2021/","section":"Blog","summary":"","title":"TEAMSCommunityDay 2021 – Strengthening company culture in the home office with Teams App Templates","type":"blog"},{"content":"–\u0026gt; Also available in German!\nThis article was translated from German with the help of Claude.\nWith Bookings, Microsoft offers a simple and clear tool for publishing a booking calendar for services. Setting it up is quick and straightforward, and the configuration options are well-organized. However, some administrative settings are missing.\nUsers of hybrid environments should note that Bookings is a purely online service and can only be used with Exchange Online mailboxes. 
When creating a Bookings calendar, a mailbox is created in Exchange Online. However, this cannot be found in the Exchange Online Admin Center and can only be queried via PowerShell. (Important: install the PowerShell module and connect to Exchange Online first)\nGet-Mailbox -RecipientTypeDetails SchedulingMailbox\nAdditionally, I noticed after creating several Bookings calendars that the user who creates the calendar is added to the forwarding list. This means they receive an email for every booking or change to the calendar. To change this, the \u0026ldquo;ForwardingSMTPAddress\u0026rdquo; attribute needs to be modified. The attribute can be set to another mailbox or left empty.\nGet-Mailbox -Identity $Name | Set-Mailbox -ForwardingSmtpAddress $null\nDeleting a Bookings calendar is also easiest to accomplish via PowerShell.\nGet-Mailbox -Identity $Name | Remove-Mailbox\nThe \u0026ldquo;Get-Mailbox\u0026rdquo; and \u0026ldquo;Set-Mailbox\u0026rdquo; cmdlets allow us to make all the same adjustments we can make to user mailboxes. This means PowerShell extends the administrative settings of a Bookings calendar and additionally offers automation capabilities.\n","date":"January 8, 2021","externalUrl":null,"permalink":"/en/blog/microsoft-bookings-mit-powershell-anpassen/","section":"Blog","summary":"","title":"Customize Microsoft Bookings with PowerShell","type":"blog"},{"content":"","date":"January 8, 2021","externalUrl":null,"permalink":"/en/tags/microsoft-bookings/","section":"Tags","summary":"","title":"Microsoft Bookings","type":"tags"},{"content":" Hi, I\u0026rsquo;m Daniel! 👋 # My name is Daniel Kordes, born in 1991 and based in Kilchberg near Zurich, Switzerland. I work as a Senior Expert at Cyberfy.\nSince 2017 I have been deeply involved with Microsoft Cloud technologies. 
Through many projects in mid-market and enterprise environments, I gained deep insights into setups ranging from 100 to 32,000 users.\nI\u0026rsquo;m a Microsoft MVP and regularly share my knowledge at conferences, community events, and here on my blog.\nWhat I do # 🔧 Microsoft 365 consulting and implementation 🎤 Speaker at community events and conferences 📝 Tech blogger covering M365, Intune and Azure 🎬 YouTube content creator at Daniel und René - M365 im Alltag Speaker Profile # I regularly speak at conferences and community events about Microsoft 365 topics. You can find my current and past sessions here:\nSessionize run.events Certifications \u0026amp; Awards # Microsoft MVP Various Microsoft certifications Contact # Have questions about me or my work? Send me an email at kontakt@dako365.de or follow me on social media:\nLinkedIn GitHub YouTube I\u0026rsquo;m always happy to connect.\nTogether we are all smarter. #communityrocks\n","externalUrl":null,"permalink":"/en/about/","section":"About","summary":"","title":"About","type":"about"},{"content":" Information pursuant to Art. 3 UWG (Swiss Unfair Competition Act) # Daniel Kordes Mönchhofstrasse 22 8802 Kilchberg ZH Switzerland\nContact # Email: kontakt@dako365.de\nDisclaimer # The author assumes no liability for the correctness, accuracy, timeliness, reliability, or completeness of the information provided on this website.\nLiability claims against the author for damages of a material or immaterial nature arising from access to, use of, or non-use of the published information are excluded.\nAll offers are non-binding. The author expressly reserves the right to change, supplement, or delete parts of the pages or the entire content without prior notice, or to cease publication temporarily or permanently.\nLiability for Links # References and links to third-party websites are outside our area of responsibility. Any responsibility for such websites is declined. 
Access to and use of such websites is at the user\u0026rsquo;s own risk.\nCopyright # The copyrights and all other rights to content, images, photos, or other files on this website belong exclusively to Daniel Kordes or the specifically named rights holders. The written consent of the copyright holder must be obtained in advance for the reproduction of any elements.\n","externalUrl":null,"permalink":"/en/impressum/","section":"Legal Notice","summary":"","title":"Legal Notice","type":"impressum"},{"content":" 1. Responsible Party # Daniel Kordes Mönchhofstrasse 22 8802 Kilchberg ZH Switzerland\nEmail: kontakt@dako365.de\n2. General Information # Based on Article 13 of the Swiss Federal Constitution and the data protection provisions of the Swiss Confederation (Data Protection Act, DSG), every person is entitled to protection of their privacy and protection against misuse of their personal data.\nThe operator of this website takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.\nThis website can generally be visited without registration. No personal data is transmitted to us unless you voluntarily provide it.\n3. Hosting # This website is hosted by Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). When you visit this website, Cloudflare automatically stores information in so-called server log files that your browser automatically transmits. These are:\nBrowser type and version Operating system used Referrer URL IP address of the accessing computer Time of the server request This data cannot be assigned to specific persons. This data is not merged with other data sources.\nCloudflare is certified under the EU-US Data Privacy Framework. For more information, see Cloudflare\u0026rsquo;s Privacy Policy.\n4. 
Embedded YouTube Videos # Videos from the YouTube platform (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) are embedded on this website.\nWhen you visit a page with an embedded YouTube video, a connection to YouTube\u0026rsquo;s servers is established. YouTube is informed which page you visit. If you are logged into your YouTube account, you enable YouTube to associate your browsing behavior directly with your personal profile.\nYouTube uses cookies and similar recognition technologies. Data processing may also take place in the USA.\nFor more information, see Google\u0026rsquo;s Privacy Policy.\n5. Links to Third Parties # This website contains links to external websites (e.g., social media platforms). We have no influence on their content or privacy practices. Please refer to the respective websites for their privacy policies.\n6. Your Rights # Under the Swiss Data Protection Act (DSG), you have the following rights:\nRight of access: You may request information about your personal data stored by us. Right to rectification: You may request the correction of inaccurate data. Right to deletion: You may request the deletion of your data. Right to data portability: You may request the release of your data in a commonly used format. To exercise these rights, please contact: kontakt@dako365.de\n7. Changes # We reserve the right to amend this privacy policy at any time. 
The current version is published on this website.\nLast updated: March 2026\n","externalUrl":null,"permalink":"/en/datenschutz/","section":"Privacy Policy","summary":"","title":"Privacy Policy","type":"datenschutz"},{"content":"","externalUrl":null,"permalink":"/en/series/","section":"Series","summary":"","title":"Series","type":"series"},{"content":"I regularly speak at conferences and community events about Microsoft 365, Intune and cloud technologies.\nSessionize | run.events\nUpcoming Events DateEventLocationTopicSlides 30.09.2026 Cloud \u0026amp; Datacenter Conference Germany 2026 Hanau Lokale Adminrechte unter Kontrolle: Intune Suite, E3/E5 und die neue Security-Strategie – 31.07.2026 SysAdminDay 2026 Leipzig Lokale Adminrechte unter Kontrolle: Intune Suite, E3/E5 und die neue Security-Strategie – 2026 DateEventLocationTopicSlides 29.04.2026 M365 Summit Online Forms, List Forms \u0026amp; SharePoint Forms – Welche Formulare gehören wohin? 📥 Slides 28.04.2026 M365 Summit Online Automatisiere deine Microsoft 365 Governance – Best Practices um Compliance zu garantieren 📥 Slides 16.03.2026 Easy Way 365 - LearningDays Online Forms, List Forms \u0026amp; SharePoint Forms – Welche Formulare gehören wohin? 
📥 Slides 03.03.2026 Experts Live Germany 2026 Leipzig Lokale Adminrechte mit Intune smart verwalten 📥 Slides 23.01.2026 CollabDays Bremen 2026 Bremen Von KI bis Kollaboration: Wie Copilot und Microsoft Places die Arbeitswelt transformieren 📥 Slides 2025 DateEventLocationTopicSlides 28.08.2025 EMPOWER 2025 Zurich Automating M365 Governance: Ensuring Enterprise Compliance with Best Practices – 21.02.2025 CollabDays Bremen 2025 Bremen Eine Reise durch Microsoft Places – ","externalUrl":null,"permalink":"/en/speaking/","section":"Speaking","summary":"","title":"Speaking","type":"speaking"},{"content":"Here you\u0026rsquo;ll find my videos from the YouTube channel Daniel \u0026amp; René - M365 im Alltag.\nGo to YouTube Channel\n","externalUrl":null,"permalink":"/en/videos/","section":"Videos","summary":"","title":"Videos","type":"videos"}]