Great video! These 'gotchas' are so very useful! Couple of comments: 13:23 AFAIK, deleting the user account will always delete the mailbox (not potentially). Also, you can't have a Shared Mailbox without an associated user account. The Shared Mailbox user account is created with a system generated password (i.e. unknowable), but it is best practice to also disable sign-in. 14:15 AFAIK, you cannot 'detach' a mailbox from a user account, nor can you 'attach' an existing mailbox to a different user account. You can, however, change the name and username of an existing user account and mailbox, which, I guess, would achieve the same result. Any legal holds would, however, remain in place i.e. same directory object.

Regarding Global Admin... another reason you wouldn't just want to assign that role to an Administrator user account, is that just having the Global Admin role is often not enough to do the things you need to do in Microsoft 365. If you are global admin, and just global admin, you won't be able to view certain reports in the security portal; to see that info you have to have the specific role assigned on top of GA. That goes for Exchange Online as well. Now, having the GA role will allow you to add those additional roles you need as well, but it won't work out of the box without additional configuration.

Can you explain further how leaving a "TXT ms=" record in DNS in any way increases DNS security as it is easily copied by anyone trying to clone a DNS zone? I cannot see anywhere Microsoft claims that this record is needed after the domain has been verified, and for the love of the FSM I cannot see any way this is needed to be kept.

BROTHER, YOU ARE THE BEST!!! You oooh really helped me!! THANK YOU VERY MUCH!

Thank you! 🙏🙏🙏🙏

Loved it, especially the TXT record.

Really nice and helpful... Thanks!

Please explain why removing the TXT record in DNS is a risk. Thanks in advance!

"External user leave" really caused me a lot of headache, preventing me from leaving organizations I've been invited to as a guest. Very strange setting and ever more strange to turn it to "No".

Top class as always 👍👌

@AndyMalone Thanks for the video, and all the others I've watched. Reffering to your "Break Glass" account. I created a user with MFA disabled, but logging into that account, I'm still being prompted for MFA. Any hints?

Great video! Keep up the good work.

Why’d you not remove the license from Lee’s account after converting it to a shared mailbox, all shared mailboxes have a user account associated with it, they are just unlicensed. 🤔

Andy do you have a vid on how break glass account with SSPR Excluding. You mention several itmes in videos you should never have it linked to a phone or MFa but I can't find a way to disable the combined Registration prompt for our Break glass accounts when Password Reset is enable for All Users in Azure AD. thanks for you great vids.

Hi Andy. This is another great video with a wealth of information. Thank you for doing the work that you do. I do have a question. When adding users to a shared mailbox, it should add it to the user's Outlook without doing anything else, correct? I have one domain environment that does not work that way. I have had Microsoft support connect and look at this issue several times but haven't been able to get it resolved. I have tried several things to see if they will show up for the users but haven't had success. I'm not sure what the issue is. Do you have any ideas on what might be causing this?

For ex-employees, what I do is block the sign in, configure an out of office response that they have left and should instead e-mail whoever their replacement or another member of staff. I then convert their mailbox to a shared mailbox and give the relevant permissions to whichever staff may need it, maybe their line manager. Rename their first name to start with Z, also in their surname include a date of when the conversion took place, hide them from the global address list too. Remove the licence if no longer needed to avoid the cost of course. The shared mailbox should then be deleted when confirmed if no longer required, even though it doesn't cost you anything, if it's a large company with a high turnover, that list is going to get long! Microsoft might then impose some restrictions on shared mailboxes because of a lack of house keeping, you know they will. You used to be able to logon as a shared mailbox from the web, now that has been restricted because no doubt some were abusing it, one licence for 20 employees perhaps, but 20 "shared" mailboxes with people's names on them.

In MS360 I locked 1 of my laptops and got it back but now cannot remove the lock. What should I do?

Thanks for recommending the No MFA for Global Administrator. Asusal you are awesome...... However I have an issue with MFA enabled to External client users. When we add the External client ids for collaboration/share the data links of SharePoint site or OneDrive links to access the data and uploading the data to our site or Onedrive. If they already having MFA enabled in their company, how the user can enable MFA with our company MFA When the External user id/client ID added.??

Thank Andy. How do you disable MFA for one user. Our tenant requires MFA to be setup at first login. ??? 😣🤔

Why do so many people mess up when a user's name changes?

Nice job boss! Thank you!

In External Identities, what is the specific difference between the "Guest user access restrictions" options? I've watched a couple of your videos (which are great by the way) that just say that the "same access" and "limited access" options just give some more or less permissions. What are the specific differences between the options?

Hmmm, curious about the "Shared Mailbox" conversion. So, I've got an employee that's left. If I convert the mailbox to a shared mailbox, can I remove the Microsoft 365 Business subscription from the original user? I understand that you said that I can't delete it, but can I remove the $150 subscription license?

I have my old 2003, 2007 and 2010 and a lots of templates. It's enough and good for me; and my customers. 🤠

With all the settings in Azure, how does a small IT staff keep up with all of this? Yes, it requires taking courses and becoming certified but not every IT person will have the necessary training to handle all of this. Not every company has the means to staff the needed IT team like Microsoft does. I'm not sure why it still surprises me why Microsoft leaves settings off when they should be on or the other way around. Some of these settings shouldn't be available. For example, if a guest user wants to leave an organization, let them leave. There has been an absolute flood of settings offered that aren't necessary. Not only that, some settings are chained to other settings and unless you are aware of it, you will miss them.

Thank you Andy, love from Sri Lanka

Thank you! This is really useful stuff. I have one question: is there a way to create multiple accounts, with different roles and privileges, for a single user? The reason I'm asking is because I recently started a subscription for Microsoft 365 Business Premium, mostly to have a 'playground' to learn the functionality in my own time and for my own interest and educations sake. Now, paying for one user isn't that bad of a monthly cost... but if I would have to have multiple users just to 'set it up right' it will quite quickly become unfeasible.

I’m pretty sure I mentioned point 2 in your shared mailbox video about needing to keep the user as it’s an anchor for the shared mailbox… interesting 🤔 I know because I had to answer a question for one of your other users on shared mailboxes…

If MS would struggle so hard to restore control over an accidentally orphaned tenant, could they offer something like a managed Break Glass Account? Ie requiring that 3-5 admins/executives in an org upload various IDs and recent headshots, record voice samples, register phone numbers, non-org mail addresses, public digital mailboxes (Digipost in Norway), and maybe implement/subscribe to public/standardized digital IDs (BankID and Buypass in Norway). A meeting between 3+ MS managers and 3+ of the org registered restorers would be required to break the glass. I'm thinking it wouldn't be that expensive to sign up for, but there'd be a significant fee if utilized because of coordinated human involvement. A vital insurance tool for any org, and one less thing to worry about?

Thank you

Thanks Always

Great video

You from Oslo?🤓

Is it just me or does anybody else find it? Hilarious that he is an MVP that uses an Apple computer?

365 is awful. It’s clunky. Everything is unnecessarily convoluted. Desktop versions out perform and are much easier. Does anybody really find trying to save a document easy anymore? Why is it so complicated? no Microsoft I don’t want different versions of the document all linked together especially from external clients. You’re fixed something that wasn’t broken and made it much worse.

Great video