Unable To Install or Launch Exchange HCW

Unable To Launch Exchange Hybrid Configuration Wizard

You want to run the Exchange Hybrid Configuration Wizard (HCW) and after clicking the link to the HCW in the admin portal or manually browsing to the shortcut URL you are unable to either launch or install the HCW.  Despite using Edge, the HCW application just does not install and/or launch.  All you get is the initial prompt to open the file and nothing else.

For example, if we go to the shortcut … Read the rest “Unable To Install or Launch Exchange HCW”


Enable DMARC For OnMicrosoft.com Domains

DMARC Record For onmicrosoft.com Domain

It is possible to add a Domain Based Message Authentication Reporting and Conformance (DMARC) record for your onmicrosoft.com domain in M365.  Is that a good thing?

Well, your viewpoint may depend on your experiences with this domain.  If you actually use the onmicrosoft.com domain to send email, then yes!  Adding the DMARC record enables the DMARC alignment check to pass and the mail to be success… Read the rest “Enable DMARC For OnMicrosoft.com Domains”


Configure On-Premises Exchange For EOP Spam Thresholds

Exchange Online Anti Spam Threshold

A common issue when deploying Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) with on-premises Exchange is making Exchange aware of the EOP spam filtering.  This is because EOP uses slightly different logic to stamp the spam results etc. into the message.  Exchange Server needs to be aware of this so that it can take action upon those settings.

On-Premises Spam Confiden

Read the rest “Configure On-Premises Exchange For EOP Spam Thresholds”

Check If AD FS WSTrust Endpoint Enabled

Check WSTrust Endpoint Configuration

Active Directory Federation Services (AD FS) uses endpoints to provide access to features.  There are a series of different endpoints which each serve a different purpose from password reset, publishing federation metadata or multiple web services protocols.  It is important to ensure that only the required features are actually enabled, and also if those features are to be made available internal… Read the rest “Check If AD FS WSTrust Endpoint Enabled”


How to Use NsLookup To Check DKIM Record

Check DMARC DNS Record Using NSLookUP

There are a multitude of online tools that help diagnose issues with various mail services, but understanding what these tools actually check is valuable.  One example is around manually checking published DomainKeys Identified Mail (DKIM) records.  DKIM is described in RFC 4871.  As an interesting piece of history DKIM went through a previous iteration "Domain-Based Email Authentication Using Pub… Read the rest “How to Use NsLookup To Check DKIM Record”


Migrate Safe Links Block Settings to TABL

Migration of MDO Global Block List to TABL

Note that there have been changes to Safe Links policy for Microsoft Defender for Office 365 (MDO).

Previously you could add URLs to the Safe Links policy to control how MDO would process the URLs.  As part of this change the URL blocking is moving to the Tenant Allow Block List (TABL).

Below is a screenshot showing that a previously entered URL needs to be migrated to TABL.



… Read the rest “Migrate Safe Links Block Settings to TABL”


Upgrade to Azure AD Connect 2.0

Azure AD Connect Upgrade to 2.X

When delivering Office 365 Security Optimisation Assessments (SOA) to customers, one of the control items is the version of Azure AD Connect deployed along with some related configuration elements.  In many cases, Azure AD Connect is not updated to a build that resolves both security and feature issues.  Why is Azure AD Connect not current?  Good question.

There are two main scenarios that I see rig… Read the rest “Upgrade to Azure AD Connect 2.0”


SSL Labs Scan Outlook.Office365.com–June 2022

SSLLabs Scan Outlook.Office365.com June 2022

This post is a scan of Outlook.office365.com taken with the SSLLabs.com scan tool which analyses the TLS configuration of the server.



Deprecating support for 3DES

Since October 31, 2018, Office 365 no longer supports the use of 3DES cipher suites for communication to Office 365. More specifically, Office 365 no longer supports the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Since Februar… Read the rest “SSL Labs Scan Outlook.Office365.com–June 2022”


Defender Portal Enable Audit – Is That The Unified Audit Log?

Defender Portal Enable Audit - Unified Audit Log

This was a question from a recent customer engagement:  Why is the Microsoft Defender portal asking me to turn on the Unified Audit Log when I already have that enabled?

In the Defender portal https://security.microsoft.com this banner message was present: "To use this feature, turn on auditing so we can start recording user and admin activity in your organisation"

You can see that in the example scr… Read the rest “Defender Portal Enable Audit – Is That The Unified Audit Log?”


How To Use Nslookup To Check DMARC Record

Check DMARC Using NSLookup

One of my customers wanted to verify their Domain Based Message Authentication Reporting and Conformance (DMARC) record, and followed the post How To Use Nslookup To Check DNS TXT Record but ran into issues. They were not seeing any results.  Hmm strange; the DMARC record had been created and was visible in online diagnostic tools.  Why was it not showing up for them in a manual check?

The below is an example of what… Read the rest “How To Use Nslookup To Check DMARC Record”