Microsoft 365 on justinverstijnen.nl

Encrypt your Microsoft 365 emails with S/MIME

Sun, 05 Apr 2026 00:00:00 +0000

A great way to encrypt your Microsoft 365 outbound emails using a similar technique as SSL is to use S/MIME. In this guide I will show you how to get certificates and configure S/MIME for your users.

Requirements

Around 30 minutes of your time
Exchange Online Powershell module installed
S/MIME certificate for your mailbox
Microsoft 365 tenant/mailbox to configure S/MIME

S/MIME explained

S/MIME means Secure / Multipurpose Internet Mail Extensions. It’s an email security standard defined by the Internet Engineering Task Force which allows you to encrypt your email messages and attachments sent. In simple terms:

Getting started with Microsoft 365 Backup

Fri, 03 Apr 2026 00:00:00 +0000

Requirements

A Microsoft 365 environment with Global Administrator permissions
An Azure Subscription with PAYG capabilities
Around 30 minutes of your time
Basic knowledge of Microsoft 365

What is Microsoft 365 Backup?

Microsoft 365 Backup is an integrated solution of Microsoft to backup Microsoft 365 items. This applies to these items:

Exchange Mailboxes
OneDrive accounts
SharePoint sites/Teams

Microsoft 365 Backup can be used to extend the retention period of certain data. By default, spaces like SharePoint sites have a retention of 93 days if you count the recycle bin and versioning. But this is not really a backup, only some techniques to quicky restore a single file or folder. This doesn’t include things like permissions, which Microsoft 365 Backup does.

What is MTA-STS and how to use it to protect your email flow

Thu, 08 Jan 2026 00:00:00 +0000

Requirements

Around 30 minutes of your time
Access to your domains’ DNS hosting to create DNS records
An Azure Subscription if you want to publish your policy with a Static Web App
- A Github account if you use this option
An Azure Subscription if you want to publish your policy with a Function App
Basic knowledge of DNS records
Basic knowledge of Email security

MTA-STS versus SMTP DANE

MTA-STS overlaps with the newer SMTP DANE option, and they both help securing your email flow but each in its own manner. Some differences:

Disable users' self service license trials

Thu, 04 Dec 2025 00:00:00 +0000

Why should you disable trial licenses?

You can disable self service trial licenses if you want to avoid users to use un-accepted apps. This could result in shadow-it happening in your environment.

Let’s say, your company uses Zoom to call with each other, and users are starting to use Microsoft Teams. Teams then is an application not accepted by your organization and users then should not be able to use it. If you give them the possibility, they will. This all of course assuming you don’t have paid licenses for Microsoft Teams.

Enhance email security with SPF/DKIM/DMARC

Mon, 16 Jun 2025 00:00:00 +0000

Microsoft announced that starting from May 5, 2025: SPF, DKIM and DMARC will become mandatory for inbound email delivery. Not configuring all three can result in your emails not being delivered correctly.

These 3 techniques are:

SPF: Sender Policy Framework
DKIM: Domain Keys Identified Mail
DMARC: Domain-based Message Authentication Reporting and Conformance

When using Microsoft 365 as your messaging service, I also highly recommend to configure SMTP DANE. A detailed guide of configuring this can be found here: https://justinverstijnen.nl/configure-dnssec-and-smtp-dane-with-exchange-online-microsoft-365/

Disable DirectSend in Exchange Online

Sun, 04 May 2025 00:00:00 +0000

What is DirectSend?

DirectSend (Microsoft 365) lets devices or applications (like printers, scanners, or internal apps) send email directly to users inside your organization without authentication. Instead of using authentication, it uses your MX record directly with port 25.

Some details about DirectSend:

Only works for internal recipients (same tenant)
No mailbox or license required for the sending device/app
Uses SMTP to your tenant’s MX endpoint
Commonly used for scanners, alerts, and legacy systems
Does not support sending to external email addresses
Possibly exposing public IP addresses in your DNS records

We can see it like a internal relay, possible to send email to all users in your tenant, which is actively used to distribute malicious activity. This consists of sending mailware or credential harvesting, bypassing different security controls active on normal email.

Set a domain alias for every user in Microsoft 365

Fri, 13 Dec 2024 00:00:00 +0000

Logging in Exchange Online Powershell

To configure a alias for every user, we need to login into Exchange Online Powershell:

POWERSHELL

Connect-ExchangeOnline

If you don’t have the module already installed on your computer, run the following command on an elevated window:

POWERSHELL

Install-Module ExchangeOnlineManagement

Source: https://www.powershellgallery.com/packages/ExchangeOnlineManagement/3.7.2

Adding the 365 domain alias to every user

After succesfully logged in, run the following command:

Configure DNSSEC and SMTP DANE Microsoft 365

Thu, 31 Oct 2024 00:00:00 +0000

Domain Name System Security Extensions (DNSSEC)

DNSSEC is a feature where a client can validate the DNS records received by a DNS server to ensure a record is originated from the DNS server and not manipulated by a Man in the Middle attack.

DNSSEC is developed to prevent attacks like in the topology below:

Here a attacker injects a fake DNS record and sends the user to a different IP-address, not the actual IP-address of the real website but a fake, mostly spoofed website. This way, a user sees for example https://portal.azure.com in his address bar but is actually on a malicious webserver. This makes the user far more vulnerable to credential harvesting or phising attacks.

Solved - Microsoft 365 tenant dehydrated

Fri, 20 Sep 2024 00:00:00 +0000

What is “Tenant dehydrated”?

Microsoft sometimes will dehydrate Microsoft 365 tenants where things will not often change to the tenant. This closes some parts of the tenant for changing, even if you have Global Administrator permissions.

The cause of this is for Microsoft to save on infrastructure cost. They will set the tenant in this sort of “sleep mode” where everything works properly but some configuration changes cannot be done. You can get this error with all sorts of changes:

Create a Catch all mailbox in Exchange Online

Thu, 11 Jul 2024 00:00:00 +0000

I also created a full customizable PowerShell script for this task which you can find here:

Download script from GitHub

This way you can skip the guide for a faster solution. Otherwise, follow the steps below to do everything by hand and get a better understanding of the relevant steps needed.

Requirements

Around 20 minutes of your time
A Microsoft 365 environment
Basic knowledge of Exchange Online
Basic knowledge of PowerShell

How does this solution work?

The solution described in this guide works with 3 components:

Microsoft 365 create a shared mailbox with same alias

Thu, 06 Jun 2024 00:00:00 +0000

The problem of multiple shared mailboxes with same alias

Let’s say, we have a Microsoft 365 tenant with 3 domains;

domain1.com
domain2.com
domain3.com

When you already have a mailbox called “info@domain1.com” you are unable to create a “info@domain2.com” in the portal. The cause of this problem is that every mailbox has a underlying “alias” and that this alias is the same when created in the portal. I have tried this in the Microsoft 365 admin center, Exchange Online admin center and Powershell. I get the following error:

Migrate data to SharePoint/OneDrive with SPMT

Mon, 20 May 2024 00:00:00 +0000

At the moment, SharePoint is a better option to store your files because it has the following benefits over a traditional SMB share:

Single permissions system (No SMB/NTFS permissions)
High available by default
No server infrastructure needed
Users can work at the same file simultaneously
Integration with Microsoft Teams

The Microsoft SharePoint Migration Tool

Microsoft has a tool available which is free and which can migrate your local data to SharePoint. The targets you can specify are:

Dynamic Distribution Groups in Microsoft 365

Sat, 21 Oct 2023 00:00:00 +0000

Sometimes you want to have a distribution group with all your known mailboxes in it. For example an employees@justinverstijnen.nl or all@justinverstijnen.nl address to send a mail company wide. A normal distribution group is possible, but requires a lot of manual maintenance, like adding and removing users.

To apply a little more automation you can use the Dynamic Distribution Group feature of Exchange Online. This is a feature like the Dynamic groups feature of Microsoft Entra which automatically adds new user mailboxes after they are created to make sure every new employee is added automatically.