Nov 18
Intune – Conditional Access is moving to be only on Azure AD

On January 2018, conditional access policies for Intune will be moved for good to Azure AD.

Until now (and January 2018), conditional access configuration is/was available through the ‘classic’ Silverlight Intune portal, Intune App Protection (MAM) blade and classic Azure AD portal.

If you have policies configured on any of these previous access point, you need to review them and start configuring these policies using the new Azure AD portal.

Enjoy the new experience

Nov 17
Teams – Planner and Who integrated to Teams

Planner (the Office 365 solution to help you manage project plan and tasks) and Who (a Teams app to help you search people within your organization) have been integrated to Microsoft Teams.

When I say integrated this does not mean you have to search and add these apps, there are inside the Teams client; just check the 3 dots () just below the Files option


Then when you launch them, these applications will be displayed directly within the Teams client

NOTE you may be requested to authenticate again



Nov 17
Office 365 – New Compliance Center is now in preview

As announced few weeks ago at the Ignite Conference, a new compliance center is now live in preview.

You can access the preview from


From there you will be to access all relevant information for your compliance – from the trust documentation to compliance and audit reports


If you need to grant/manage access you can use the Settings option to select the user role and then grant permissions


While the new compliance center is in preview, you can still continue to access the ‘old’ portal.

NOTE to access the preview you must use either Edge, Chrome, FireFox or Safari. You can not use Internet Explorer. One would say this is to force you using Edge


Nov 13
Intune – Enrollment status screen

With Windows 10 build 1709 (Fall Creators Update) and Intune, you can now provide details to the end-user while enrolling the device.

This can be quite helpful to let them know what is going on as well as for troubleshooting purpose.

To enable and configure it, you need to logon to your Azure ARM portal and go to Intune


Then you need to go to the Device enrollment\Windows enrollment section


Next open the Enrollment Status Screen blade


And from there you can configure a welcome message, including a title and support desk details


Once saved, this will be applied to all new device being enrolled with your Azure AD; showing your greeting (title – here in the screenshot ‘Your device is being enrolled”), your message (here ‘Please wait while your device is being enrolled with Azure AD) and the current progress of policy(ies) installation


During this period, your end-user can still click the Got it button and start working using their session.

Once the process is completed they will got a notification to inform them the device is ready.


Nov 13
Azure – New major version for Azure PowerShell

Azure PowerShell has reached a new major milestone with the release of the latest major version (5.0.0).
As for any new version there is a lot of improvements and new cmdlets but also few breaking changes.
To get the MSI package go there
To know all the breaking changes and update accordingly your scripts, go there

Nov 10
SharePoint Online – Configure Idle session timeout

A new SharePoint Online settings is being rolled out to let you configure the idle session timeout.

The idle session timeout setting will let you configure how long the system is waiting before notifying and then logging out an inactive user.

This setting applies only on web browser session and should not impact OneDrive for Business client.

To configure it – including enabling the setting which is disabled by default – you need to use the latest version of the SharePoint Online PowerShell module available at (at the time of writing this post the latest version is 16.0.7018.1200)

Once you have the latest SPO PowerShell module installed execute the following commands

  • Connect to your SharePoint Online tenant using Connect-SPOService –Url <your SPO tenant admin URL – like>


  • Then run the command Get-SPOBrowserIdleSignOut to check the current state; if this is the first you configure it you should have as a result the following

Enabled WarnAfter SignOutAfter
------- --------- ------------
  False 00:00:00  00:00:00


  • If you want to enable it then run the command Set-SPOBrowserIdleSignOut -Enabled $true –WarnAfter (New-TimeSpan –Seconds <seconds before notifying user>) –SignOutAfter (New-TimeSpan –Seconds <seconds before signing out>)

For the purpose of this post I set a very low timespan (respectively 10 and 15 seconds of inactivity)


  • One applied, the setting will take place for new sessions only; currently opened session will not get the setting applied.
  • After the timespan for the notification is reached, the user will be notified he is going to be logged out because of long inactivity period


  • Then once the timespan for log out is reached the user is automatically logged out and user will have to sign in again



You can change the timespans by re running the command Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan –Seconds <new value>) -SignOutAfter (New-TimeSpan –Seconds <new value>). If you do not include the –Enabled parameter you will be asked for the value ($true – or $false but as you want to change the timespan it must be true


or disable it with Set-SPOBrowserIdleSignOut -Enabled $false


Nov 10
Azure – Get your ExpressRoute monitored with this preview feature

A new feature is coming on Azure to help you gaining insight on your ExpressRoute.

With this new ExpressRoute monitoring solution you will be able to gain a comprehensive network monitoring between your branch offices, VNet and now ExpressRoute, including lost packets, bandwidth usage and network route analysis.

This monitoring feature is using the Network Performance Monitor on Azure introduced earlier this year (see

To enroll to the preview go to

Nov 06
Azure AD – Allow end-users to reset password or PIN from the login screen

With Windows 10 Fall Creators Update (build 1709) you can allow your end-user to self reset their password (or PIN) directly from the login screen.

To do so you need to have enable the self service password reset on Azure AD, use Intune as MDM and must be using Windows 10 1709 in Azure AD Joined configuration.

Intune Configuration

Logon to your Intune portal from the Azure ARM (


Then you need to create a custom profile from Device configuration\Profiles


The profile need to be configured as follow

  • Name: name the profile as you wish – I always recommend to use an understandable name like ‘Windows 10 Reset Password/PIN from Login Screen’
  • Platform: Windows 10 and later
  • Profile type: custom
  • Setting: add the following OMA-URI settings
    • For Password reset
      • Name: name the profile as you wish – I always recommend to use an understandable name like ‘Service Password Reset from Login Screen’
      • OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
      • Data type: Integer
      • Value: 1


    • For PIN reset
      • Name: name the profile as you wish – I always recommend to use an understandable name like ‘Service Password Reset from Login Screen’
      • OMA-URI: ./Device/Vendor/MSFT/PassportForWork/c56dd45b-1da6-4bd0-a53b-1466782d6ee5/Policies/EnablePinRecovery
      • Data type: Integer
      • Value: 1


Once the profile has been saved, you can assign it (deploy) to your users


Once the configuration for the self service reset password/PIN from the login screen, the users will have the ability to reset their password or PIN directly from the login screen without having to use a colleague device to access the self service password reset portal.

The following screenshots are taken for a password reset but the result is similar with a PIN reset.


When the end-user use the reset password option, the Windows GINA (in charge of the authentication) redirects the user to the reset password page


At this time they need to enter their user logon – for the system to look for their account


Then they have to choose which verification method to use – i


Once they have chosen the verification method and have been successfully verified, they will be able to change the password


And if you have enable the password reset notification, your end user will also receive a notification to confirm the password has been reset to their main mailbox and recovery mailbox


Nov 04
Teams – PowerShell module is now available for Microsoft Teams

As for all other Microsoft cloud services (Azure, Office 365…) Microsoft Teams now has his own PowerShell module.

You can get it by opening a PowerShell prompt (as usual always runas Administrator) and run the command

Install-Module -Name MicrosoftTeams


If required you will need to install NuGet and trust the repository


The current version (0.9.0) allows you to perform “basic” management operations like create/remove Team or Channels, set Guest access settings or off course add/remove user to a Team.


Nov 03
Exchange Online – New Client Access Rules for Exchange Online

An update is currently under way (scheduled to be completed by end of December) to help you better manage client access to Exchange Online.

Client Access Rule for Exchange Online can only be managed by PowerShell.

With this new capability, you can define access rules to authorize/block access based on client IP addresses, clients used, protocol or even group membership.

The client access rule is composed by 4 components:

  • the condition(s) to be matched to apply the rule (see for conditional details)
  • the exception(s) (if any) to not apply the rule if the condition(s) is/are matched
  • the actions which authorize (AllowAccess) or deny (DenyAccess) the access
  • and finally the priority which defines the order of application; the lower value, the higher priority. This means the processing stops when the client match the first access rule condition

When implementing client access rules you need to keep in mind that your corporate network is not automatically set to grant access.

Complete details for implementing, managing and testing client access rule are available at

For example, thanks to the new access rule capability you will be able to “disable” POP and/or IMAP protocol by blocking the access instead of having to disable the protocols at the mailbox level.

1 - 10Next

 ‭(Hidden)‬ Blog Tools


Benoit is specialized on Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint, Lync/Skype for Business) technologies.

He has been awarded as Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. He has been recoginzed as Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.

He has been involved in early stage of testing phase for many Microsoft products - from Windows to Office 365, including Exchange, SharePoint or Office client and WindowsUpdate.

He has participated as speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participed in writing several books on SharePoint (2003 to 2010).

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and his competitors.


​Privacy Information

This blog is using tracking code for analytics purpose.

No personal data are stored and maintained.

 Follow me on

 Share This

 Office365 Undercover by Arnaud ALCABEZ

Retrieving Data


Microsoft Certified Systems Administrator 
Microsoft Certified Systems Administrator - Messaging
Microsoft Certified Systems Engineer 
Microsoft Technology Specialist 
 Microsoft Certified IT Professional

 Translation Tool

Translate this page

 FaceBook Fan's Page

 Books I wrote

Le portail Microsoft SharePoint 
Microsoft Office SharePoint Portal Server 2003 et WSS au quotidien 
Microsoft Office SharePoint Server (MOSS) et Office 2007  
Microsoft Sharepoint 2010