Use a Verified Domain to Send Microsoft 365 Service Messages

Announced as Microsoft 365 message center notification MC531211 (21 March 2023, Microsoft 365 roadmap item 103628) and now rolling out to tenants, organizations can choose one of the verified domains available for their tenant as the domain used for product advisory emails (Microsoft 365 service messages).

Microsoft 365 apps that support the feature include:

• SharePoint Online
• OneDrive for Business
• Office
• Stream
• Planner
• Project
• Viva Connections
• Viva Topics
• Viva Amplify

Microsoft 365 apps use email addresses like no-reply@sharepointonline.com and no-reply@planner.com when they generate informational messages to communicate alerts, events, or digest information to users. For instance, when someone stores a document with a higher-level sensitivity label in a SharePoint Online site, SharePoint generates an email to tell them about the potential problem caused by the label mismatch. Figure 1 shows an example of such a message after selecting the office365itpros.com domain to send service messages.

The messages don’t cover service alerts (when a service has an outage), nor do they cover One Time Passcodes (OTP) generated by sharing actions from OneDrive and SharePoint Online. Sharing notifications continue to use no-reply@notify.microsoft.com to ensure delivery of these emails.

Using a Verified Domain

The steps to select a verified domain for service messages are laid out in the Microsoft documentation. In essence, tenant administrators use the Send email notifications from your domain option in the Organization profile section of Org Settings in the Microsoft 365 admin center to select a username and domain (Figure 2).

The domain must be one of the verified domains for the tenant. After saving the new configuration, the Microsoft 365 apps switch to use the selected username and domain instead of their default domains when they send email. Messages are now routed by Exchange Online on behalf of the organization. Just like any of the verified domains used for mail routing, the DNS records for the chosen domain should be configured for SPF, DKIM, and DMARC. This is especially important if email is relayed to Exchange on-premises or an external email service.

The Username for Service Messages

By default, the username is set to no-reply. The intention of a no-reply address is that users know that replying to the address will result in an undeliverable message. However, it’s possible to change the username to one for a routable address such as a shared mailbox so that users can get a response to questions about why they received a service message. Be careful if you do this because service emails then appear to be like any other email sent by the chosen address. Figure 3 shows an example of a message sent by SharePoint Online to report updates to documents in a site. The message appears to come from a shared mailbox because that’s what matches the configured address for service messages.

Not External Messages

Because the tenant’s instance of Exchange Online routes the service messages, they are now internal rather than external and therefore will not be tagged with the external indicator. In some respects, this is a major advantage of choosing to use a verified domain as users might better accept the content of the messages if they don’t come from an external source. The downside is that users might need to adjust inbox rules to process service messages correctly.

If you use a mail flow rule to protect administrator accounts from external email, remember to update the rule to deal with messages from your chosen domain.

Not a Change to Worry Too Much About

After using this option for a couple of weeks, I don’t see any great downside to using a verified domain to send Microsoft 365 service messages. Something might have slipped my attention (and if so, I’d like to know), but overall I think this is a good change that all tenants should consider.

---

Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

SharePoint Block Download Policy Licensed by Syntex-SharePoint Advanced Management and Managed with PowerShell

One of the features covered by the new Syntex-SharePoint Advanced Management license blocks users from being able to download files from a SharePoint Online site or OneDrive for Business account. The idea is to protect sites that store very confidential material by forcing users to work with the files stored in the site using browsers. Users can’t even use the Office desktop apps because those apps download a temporary copy of files to work on them locally.

The block files from download feature is currently in preview. To enable a block download policy for a site, you’ll need to use the Set-SPOSite cmdlet from the latest version of the SharePoint Online management PowerShell module.

Restricting Download Access

I tested the feature by creating a new team called Project Aurora. I then configured the SharePoint Online site belonging to the team by running these commands to find all sites, select the URL for the Project Aurora site, and use it to configure a block download policy with an exclusion for site owners. In other words, site members can’t download files from its document libraries, but site owners can.

[array]$Sites = Get-SPOSite -Limit All
$Site = ($Sites | Where-Object {$_.Title -eq "Project Aurora"}) | Select-Object -ExpandProperty Url
Set-SPOSite -Identity $Site -BlockDownloadPolicy $True -ExcludeBlockDownloadPolicySiteOwners $True

The preview documentation says that site owners can grant exclusions to groups by passing the group identifiers in the ExcludedBlockDownloadGroupIds parameter. I see some issues here because Microsoft has long coached customers not to update membership of group-connected sites through SharePoint Online. In addition, adding a Microsoft 365 group to site membership creates an unsupported condition of nested Microsoft 365 groups. For now, I would avoid using group-based exclusions and concentrate solely on site owner exclusions.

After populating the default document library with some documents, I signed into the site with a member account. The site flagged the restrictions in place and removed the options to download files (Figure 1).

The Teams Files channel tab also removes the download option but doesn’t display a banner to inform the user about the restrictions. The Files channel tab does remove the option to use an Office desktop app to open a document. Before restricting downloads by policy, Microsoft recommends that you check any potential effect that the block might have on other applications, including Power Apps and Power Automate.

The file download restrictions are the same as when using a conditional access policy to limit access when users attempt to access SharePoint content from an unmanaged device. That’s the point of this feature: you don’t need to deploy conditional access policies to get equivalent protection. Although conditional access policies are a good way to control what people can do after they connect to a Microsoft 365 tenant, there’s no doubt that organizations can end up with many different policies to manage. Replacing a conditional access policy with a relatively simple download block applied at the site level might be a good thing to do, especially if you want to have finer-grained control over what sites block file downloads.

Applying the SharePoint Block Download Policy to Multiple Sites

As a practical example of how you might deploy block download policies, let’s assume that you want to stop downloads for all sites assigned the most stringent sensitivity label. In my tenant, that’s a label called “Confidential Access.” The important thing is to know the label identifier (GUID) because that’s how Microsoft 365 workloads connect to sensitivity labels. In this case, the GUID is c99e52c6-f5ff-4050-9313-ca6a3a35710f.

This script applies the SharePoint block download policy to all sites assigned the Confidential Access sensitivity label. First, we find the set of sites associated with Microsoft 365 groups. Because the Get-SPOSite cmdlet does not return all site properties when it processes multiple sites, we need to loop through the site of sites to check the sensitivity label for each site and apply the policy after detecting a matching label:

# Process sites and set the SharePoint block download policy
[array]$Sites = Get-SPOSite -Template "GROUP#0" -IncludePersonalSite:$False -Limit All
Write-Host ("Scanning {0} sites to find those with the Confidential Access label" -f $Sites.count)
[int]$i = 0
ForEach ($Site in $Sites) {
   $SiteData = Get-SPOSite -Identity $Site.Url
   If ($SiteData.SensitivityLabel -eq "c99e52c6-f5ff-4050-9313-ca6a3a35710f" -and $SiteData.BlockdownloadPolicy -eq $False ) {
      Write-Host ("Applying site download block policy to {0}" -f $SiteData.Title)
      Set-SPOSite -Identity $Site.Url -BlockDownloadPolicy $True -ExcludeBlockDownloadPolicySiteOwners $True; $i++
   }
}
Write-Host ("Finished processing. {0} sites updated with a block download policy" -f $i)

Remember Your Syntex Licenses

Remember that every member of a site that uses a block download policy to restrict downloads to site owners or groups must have a Syntex Advanced Management license. Given that you’ll probably only apply this kind of restriction to a limited number of sites, that shouldn’t be a big issue.

---

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Syntex-SharePoint Advanced Management Covers Secure Collaboration for SharePoint Online

Updated 2 March 2022

I know that many Microsoft 365 organizations don’t use sensitivity labels, even if they have the necessary licenses to use labels to protect content. All Office 365 licenses allow users to read protected content, but you need Office 365 E3 or above to apply labels to files, and Office 365 E5 or Microsoft 365 Compliance E5 for auto-label processing. At least, that’s been the case up to now.

Applying a default sensitivity label for a SharePoint Online document library (Figure 1) counts as automatic processing. Apparently, Microsoft considers the fact that new and modified documents in the library pick up the sensitivity label (unless previously labeled) as reason enough. In late January 2023, Microsoft revealed that this feature was one of the set to be licensed through a new Microsoft Syntex-SharePoint Advanced Management license.

Features Enabled by the Microsoft Syntex-SharePoint Advanced Management License

The new license is in preview and includes other elements to improve secure collaboration based on SharePoint Online and OneDrive for Business, including:

• Using sensitivity labels with Azure AD authentication contexts to limit access to SharePoint Online sites. This feature has been in preview since 2021.
• Restricting access to a SharePoint Online site to members of a Microsoft 365 group. This restriction blocks users who have received access to a file in the site.
• Blocking the download of files from SharePoint Online sites or OneDrive for Business accounts without the need to use Azure AD conditional access policies. In other words, users are forced to use a browser to access the site or account and cannot download, print, or synchronize files. The restriction also blocks access to the Office desktop apps because these apps need to download files to work on them locally.

In addition, Syntex-SharePoint Advanced Management includes some management and governance features. The three examples cited appear to be instances where it’s possible for administrators to do the same thing with some effort. Microsoft is making it easier. For example, the ability to limit access to OneDrive for Business to those who are members of a specific security group stops people licensed to use OneDrive but who aren’t members of the security group from using the app. The same effect is possible by simply removing the OneDrive service plan from their assigned licenses.

I haven’t seen what actions are included in the feature to export recent SharePoint site actions, but it might be possible to replicate the functionality by fetching SharePoint management events from the unified audit log.

My assumption is that any user who takes advantage of a feature licensed by Syntex advanced management requires a license. For instance, site members of a site where a document library uses a default sensitivity label all require Syntex-SharePoint Advanced Management licenses.

I can’t find a public announcement by Microsoft about the Syntex-SharePoint Advanced Management license. Cynics will say that this is another example of how Microsoft creates licenses for new functionality to generate additional revenue from its installed base. A more benign view is that the new license allows people with Office 365 E3 licenses to use the security and governance features enabled by Syntex Advanced Management. When I find out more details about licensing, including if some features covered by Syntex Advanced Management are also available through other licenses, I shall share the information.

Viewing Metadata for Protected Files

On an associated topic, I was asked why the metadata of documents protected by sensitivity labels remains visible to people who have no right to access these files. It’s a good question because some get confused when they notice an interesting document in a library but can’t open it because they’re blocked by the rights assigned in the label. For instance, who wouldn’t want to open a document with a title like “Proposed Pay Rises for Staff”?

When you enable SharePoint Online and OneDrive for Business to support sensitivity labels, it allows the workloads to deal with protected (encrypted) content. SharePoint Online stores protected files in an unencrypted format to allow functions like indexing and data loss prevention policies to work. Any access to a document, such as a user opening or downloading a file, causes SharePoint Online to encrypt the document so that the application used to open the file (like Word) can apply the rights assigned to the user. Everything works very nicely and those who have access to files can work with that content and those who don’t cannot.

When browsing items in a document library, site members can see metadata like the titles and authors of protected documents. Attempts to open these documents fail if the user doesn’t have the necessary rights. Because SharePoint Online doesn’t encrypt or obscure the metadata, those users know that documents with potentially very interesting content are available.

How SharePoint Online Stores Documents

The reason why document metadata is visible to all site members is rooted in how SharePoint Online stores documents. SharePoint Online uses Azure SQL as its storage platform. Blob storage holds documents and other files while metadata is in a separate table (list). The Azure SQL data is heavily protected against illegal access. Once a user has access to a document library, the assumption is that SharePoint can show them all the items, which is what they see in the list shown in a browser or the Teams files channel tab. It’s only when a user attempts to access a protected document that SharePoint Online validates their right to open that content.

You can argue that SharePoint Online and OneDrive for Business should hide the existence of protected documents that the user can’t open, but this would require SharePoint Online to check that access before displaying documents in a library. Such a check would incur a huge performance penalty because SharePoint Online cannot assume that the rights assigned in a sensitivity label are the same as the last time it checked.

New Functionality, New Costs

Although the news about the Syntex-SharePoint Advanced Management license will disappoint some, it’s reasonable that Microsoft should charge extra for security and management features that not every Microsoft 365 tenant will want or need. Those that need the functionality will simply have to pay the $3/user monthly cost. Hasn’t that always been the way?

---

Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.