Security

Microsoft 365 DNS Cleanup after SfBO retirement

What You No Longer Need After Skype for Business Online’s Retirement

Many tenants still carry Skype for Business (SfBO) and Lync-era DNS baggage years after moving to Microsoft Teams. This post explains which legacy DNS records you can safely remove, when to keep the SIP federation record, and how to audit and clean up across all your verified domains.

Why these records existed

Historically, Skype for Business Online and Lync used several DNS records to enable client sign‑in, service discovery, and SIP routing:

Boost Your Email Security: How SMTP DANE Complements SPF, DKIM, and DMARC

Why SMTP DANE Is a Powerful Addition to Email Security

Email remains one of the most critical communication tools for businesses, but it’s also a frequent target for cyberattacks. To combat spoofing, phishing, and impersonation, many organizations already rely on SPF, DKIM, and DMARC. These protocols help verify the sender’s identity and ensure message integrity. However, they don’t fully protect the transport layer—the actual path your email takes across the internet.

Domain Safety: DMARC Monitoring with ValiMail

Introduction

Email Security Challenges: A Brief Overview

In today’s digital age, email remains a fundamental communication tool for individuals and businesses alike. However, its widespread use also makes it a prime target for cyber threats. Email security challenges are diverse and evolving, ranging from spam and malware distribution to more sophisticated threats like phishing and spoofing attacks. These attacks not only compromise sensitive information but also damage the trust and integrity of communication channels.

Getting started with FIDO2 authentication in Office 365

With this post, I will take you on the journey to enable FIDO authentication for Office 365 as an alternative to the Authenticator app or as an addition to the Authenticator app.

What is FIDO

FIDO stands for “Fast IDentity Online” and provides a passwordless authentication method with a passkey like the YubiKey 5. FIDO allows you to log into many websites and devices without entering a password. In-depth information about FIDO can be found on the FIDO Alliance website.

Enable PIM role thru Microsoft Graph PowerShell

Five years ago, I wrote an article about enabling PIM roles with PowerShell, and last week I took it upon myself to convert it using the Microsoft Graph PowerShell modules.

Why would you move?

The primary reason to start moving to the Graph modules is that the AzureAD and other modules were declared deprecated last year; see this post for all the details: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-change-management-simplified/ba-p/2967456. The modules still work but will not get any more updates. Microsoft is putting all of its effort into Microsoft Graph and the Microsoft Graph modules.

Three easy tips on reducing SPAM in Office 365

I wanted to do a write-up of the tips I found in Office 365 to reduce the number of unwanted messages in Office 365. I will skip the most basic ones, like adding the SPF record, since the domain configuration already tells you that you need it.

The more advanced settings, which are usually not configured, can bring you more.

Let us start with the anti-spam policy. It is configured with the basic settings, but these are very loose. By altering this policy you will remove some of the spam that is hitting your mailbox and dump it in the SPAM folder or, even better, the quarantine. The latter is not in your personal mailbox but stays on the server. So my recommendation is to go to the following URL https://protection.office.com/antispam and alter the default SPAM filter policy with the following settings

Access reviews

So, what is Access Review? It is an Azure solution that can assist in the reduction of access to guests in your tenant and access to applications for your users. This tool can help you run automated reviews of access to certain Enterprise applications or to AD groups in your tenant. See this YouTube video for a detailed explanation:

https://youtu.be/kDRjQQ22Wkk

The downside of this tool is that it is only available when you have an Azure AD P2 or EMS E5 license. You can use this link to activate an Azure AD P2 trial or EMS E5 trial

How to set up a break glass account and why in Office 365

Let’s kick this post off with what I mean by a break glass account.

What is a break glass account?

A break glass account is a non-personal, in-case-of-emergency account that is never used and is stored in a vault to which only a few people have access. This account is a global admin on your tenant and, in some sense, is the top-level account of your environment.

How to use Azure AD Terms of use

What is Azure AD Terms of use?

Within Azure AD Conditional Access there is an option called Terms of use. As Microsoft explains it:

“Azure AD Terms of use provides a simple method that organizations can use to present information to end users. This presentation ensures users see relevant disclaimers for legal or compliance requirements.”

So basically, you will show the end users a popup or screen with a disclaimer for legal or compliance reasons when they log in. It is similar to when you start working at your company and have to sign a document about using the network and internet, or when you click Next after reading the terms of use while installing a piece of software.