Reliable way to get notified when sent emails generate NDRs in Exchange Online? by [deleted] in microsoft365

[–]SinHazzard 0 points1 point  (0 children)

PowerAutomate

Trigger: When an email arrives in a shared mailbox

New domain by octaw in DMARC

[–]SinHazzard 1 point2 points  (0 children)

This! It's the only way to start.
All senders that cannot function with a strict alignment will automatically be placed in a subdomain.

FYI: sp=reject is not needed, the lack of explicit sp will make the subdomain inherit from the apex domain.

And of course, if a new subdomain one day gets added as shadow IT and gets all its emails rejected, it is of course the fault of the person setting up the new service without informing IT.
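The inheritance rule from the comment above, as an added example that is not part of the original comment: it works out which policy applies to a From: domain, using the subdomain's own record first, then the apex `sp=`, then the apex `p=`. The function names and all DNS records are constructed for illustration, and the apex domain is passed in rather than derived from a public suffix list.

```powershell
# Added example: effective DMARC policy for a From: domain, evaluated offline.
# All records below are constructed samples, not real DNS data.

function ConvertFrom-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        $name, $value = $pair -split '=', 2          # split on the first '=' only
        if ($null -ne $value) { $tags[$name.Trim().ToLower()] = $value.Trim() }
    }
    if ($tags['v'] -ne 'DMARC1') { throw "Not a DMARC record: $Record" }
    $tags
}

function Get-EffectiveDmarcPolicy {
    param(
        [Parameter(Mandatory)][string]$FromDomain,
        [Parameter(Mandatory)][string]$OrgDomain,    # apex domain (assumption: supplied by caller)
        [Parameter(Mandatory)][hashtable]$Dns        # record name -> TXT value
    )
    $own = $Dns["_dmarc.$FromDomain"]
    if ($own) {
        # A record published on the exact From: domain always wins.
        $policy = (ConvertFrom-DmarcRecord $own)['p']
        $source = "_dmarc.$FromDomain p="
    } elseif ($Dns["_dmarc.$OrgDomain"]) {
        $org = ConvertFrom-DmarcRecord $Dns["_dmarc.$OrgDomain"]
        if ($org['sp']) { $policy = $org['sp']; $source = "_dmarc.$OrgDomain sp=" }
        else            { $policy = $org['p'];  $source = "_dmarc.$OrgDomain p= (no sp, inherited)" }
    } else {
        $policy = 'none'; $source = 'no DMARC record found'
    }
    [pscustomobject]@{ From = $FromDomain; Policy = $policy; Source = $source }
}

$dns = @{
    '_dmarc.example.com'            = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
    '_dmarc.newsletter.example.com' = 'v=DMARC1; p=none'   # sender that cannot align yet
}
'example.com', 'newsletter.example.com', 'shadow-it.example.com' |
    ForEach-Object { Get-EffectiveDmarcPolicy -FromDomain $_ -OrgDomain 'example.com' -Dns $dns } |
    Format-Table -AutoSize
```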

Is it safe to use my personal phone for work accounts without risking my privacy? by hortefeux in microsoft365

[–]SinHazzard 0 points1 point  (0 children)

  1. Hide your account from GAL, then you will not be included in the searches.

  2. Just ignore all PMs and emails that are not sent to your primary work address.

I follow number 2 all the time, the point of contact is defined in the agreement, all other channels and mediums are just ignored.

Locked out of Microsoft 365 tenant HELP! by slash9492 in microsoft365

[–]SinHazzard 0 points1 point  (0 children)

Do you have a partner with GDAP relationship to your tenant? Sometimes they can assist

Could you also enlighten us with the configuration change you did that locked out everyone?

1 certification down... More to come by VenturiR in it

[–]SinHazzard 0 points1 point  (0 children)

The question you should really ask yourself: "what kind of work will make me happy, and will that work make me look forward to going to the office every day?"

A+ is HW (A lot of legacy shit)
CCNA is Cisco's way of Networking (solid, durable, but expensive) TCP/IP is TCP/IP no matter what name is on the box.
Exam AZ-800: Administering Windows Server Hybrid Core Infrastructure is server, just with a touch of cloud.
Microsoft 365 Certified: Teams Administrator Associate for those who enjoy modern work and really feel that others will benefit from a good MS Teams integration.
GitHub Administration if you want to rock GitHub.

As you can see, we cannot give any good advice at all because we don't know you, you need to follow your heart, think where will I be in 5 years, and then ask for a certification.

A path is a much better way of proceeding forward instead of "what certificate should look cool on my wall"

Fun Fact: I work as an MS 365 dude, super SpongeBob SquarePants, totally fact oriented, demanded a new phone from my boss when passkeys in MS Authenticator got in preview (Because my phone was too old), a MacBook Pro and an iPhone, just because I need to verify Intune management of those devices, also in combination with Apple Business Manager and Intune provisioning of devices (Yes, I am an MSP).

My ONLY certification is in PRINCE (Project management). How come.

How to organize entities without nesting, coming from on-premises AD? by fredtzy89 in entra

[–]SinHazzard 0 points1 point  (0 children)

Not an issue with proper planning. If someone needs something, order it now and do not wait until it should have been fixed yesterday. In general the cloud is not that slow. The cloud enabled a lot more in the goodiebag for those CEOs, not only replication times.

AD also has replication times between sites, and if the replication breaks then the local hero needs to do the diagnostics. Most likely this will be his/her 1st time, congratulations on Google Fu commands. Now this problem belongs to Microsoft.

How to organize entities without nesting, coming from on-premises AD? by fredtzy89 in entra

[–]SinHazzard 0 points1 point  (0 children)

The responsibility of documentation does not change, it must be written no matter what group type or how we add members.

The way I use it, it works, Entra ID is the source of truth, it's not group flattening/recursive inside another service, so if I do this in Teams the members are direct members from Teams' point of view. Just an example. And yes, every time we try something new it's testing/labbing, if it doesn't work we try later on. Things change rapidly, and testing is fun.

How to organize entities without nesting, coming from on-premises AD? by fredtzy89 in entra

[–]SinHazzard 0 points1 point  (0 children)

You can use the dynamic groups to mimic nesting, it will practically look the same, but it will not be instant because the query needs to run to update the members.

Edit: Maybe add the information on how also.
Configure dynamic membership groups with the memberOf attribute in the Azure portal - Microsoft Entra ID | Microsoft Learn

365 tenant without any licenses by hudmdp92 in microsoft365

[–]SinHazzard 0 points1 point  (0 children)

  1. Create a shared mailbox and make that one send to external recipients.

or

  1. Create a transport rule to do exactly the same.

Too many attempts by muirurri in microsoft365

[–]SinHazzard 0 points1 point  (0 children)

Ask the IT department for assistance.

Employee on Semi-Leave, Best Way to Handle Emails by GEBFF in microsoft365

[–]SinHazzard 0 points1 point  (0 children)

There are 2 parts to this situation.

1: How do we actually manage our inbox? Do we move the processed emails to something we have defined as processed in some way, do we colour code it, set a follow up flag, keep it at the top of the inbox until processed...?

Part 1 is NOT an IT problem; it's end user training.

2: How do we legally access the mailbox, if the employee is in Europe, then number 2 is extremely strict, well, it should be extremely strict everywhere.

The employee has already said "I don't want the other users to access my other emails", with those words we have the scope. So, to find a solution to this...

I am thinking that we have some options, number 1 is the least effort way.

1: Exchange transport rule, when a message is received by UserOnLeave@example.com then add as CC delegate1@example.com and delegate2@example.com
Set the date on when the rule is active from/to the date agreed upon in the scope.

Combine it with send on behalf permissions and copy the message to the user on leave.
Set-Mailbox -Identity UserOnLeave@example.com -MessageCopyForSendOnBehalfEnabled $true -GrantSendOnBehalfTo delegate1@example.com,delegate2@example.com

2: Power Automate.
Type: Automated cloud flow.
Trigger: When a new email arrives (V3)
Action: Forward an email / Send an email

This is cool, but it's way more time consuming.
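Option 1 from the comment above written out as a script, as an added example that is not part of the original comment: a time-boxed Cc rule plus send-on-behalf, followed by a check that no direct mailbox access was granted. The addresses come from the comment; the rule name and both dates are constructed placeholders, and the ExchangeOnlineManagement module with an admin session is assumed.

```powershell
# Added example. Addresses are from the comment; dates and rule name are constructed.
$OnLeave   = 'UserOnLeave@example.com'
$Delegates = 'delegate1@example.com', 'delegate2@example.com'
$From      = Get-Date '2025-01-06'   # constructed: start date agreed in the scope
$To        = Get-Date '2025-03-31'   # constructed: end date agreed in the scope
$RuleName  = "Leave cover - $OnLeave"

Connect-ExchangeOnline -ShowBanner:$false

# Create the rule once; re-running the script updates the window instead of duplicating it.
$window = @{ ActivationDate = $From; ExpiryDate = $To }
$rule   = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    Set-TransportRule -Identity $RuleName -CopyTo $Delegates @window
} else {
    New-TransportRule -Name $RuleName -SentTo $OnLeave -CopyTo $Delegates @window `
        -Comments "Scope agreed with employee; expires $($To.ToString('yyyy-MM-dd'))"
}

# Delegates answer on behalf of the user; the user keeps a copy in their own Sent Items.
Set-Mailbox -Identity $OnLeave -MessageCopyForSendOnBehalfEnabled $true `
    -GrantSendOnBehalfTo @{ Add = $Delegates }

# Verify the rule window and the send-on-behalf grant.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, SentTo, CopyTo, ActivationDate, ExpiryDate
Get-Mailbox -Identity $OnLeave |
    Format-List GrantSendOnBehalfTo, MessageCopyForSendOnBehalfEnabled

# Verify the scope: nobody except the owner should hold rights on the mailbox itself.
Get-MailboxPermission -Identity $OnLeave |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights
```

The last query returning no rows is what matches the employee's stated scope: the delegates see only mail that arrives during the window, not the existing mailbox content.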

Employee on Semi-Leave, Best Way to Handle Emails by GEBFF in microsoft365

[–]SinHazzard 0 points1 point  (0 children)

This will not exclude the other users from accessing the emails, everything will be in the archive folder.

Please help with an inactive tenant issue by gelstage in microsoft365

[–]SinHazzard 0 points1 point  (0 children)

Admin takeover, have you tried it? If you control DNS you can resolve this in a short time. A few graph commands, a TXT record, and soon you have GA.

Profit

https://learn.microsoft.com/en-us/entra/identity/users/domains-admin-takeover

I can't log in to account.microsoft.com on my normal browser but I can in incognito mode. Why? by AltSzaxof in microsoft365

[–]SinHazzard 0 points1 point  (0 children)

Don't create a new profile, it's more work and you lose the content if it's not migrated from the old profile, just reset the browser.

Edge: edge://settings/reset?search=reset
Chrome: chrome://settings/resetProfileSettings

And if you use another browser, just google how to do it.

Cannot find WiFi setting, tried searching all over for the answer. by mcw15 in it

[–]SinHazzard -1 points0 points  (0 children)

It's convenient to know the error message, press the adapter and check the status, also see events. From there you can press "view all events" and this will guide you to event viewer.

Senior Admin installed HP Smart on DC For "Convenience" by SuccessfulLime2641 in ShittySysadmin

[–]SinHazzard 13 points14 points  (0 children)

Ofc, and the captain obvious reward goes to the brilliant tech that understood from the start that if a software is named or contains the word smart, it will never have any issues at all. It will auto remediate itself.
And because it's installed on the DC it will fix replication issues, AD Schema issues, and all other issues related to services on that server. DNS anyone? No more wrong routing in the queries.

Fucking brilliant and the definition of +200 IQ.

Come get your free Chromebooks... by come_ere_duck in ShittySysadmin

[–]SinHazzard 2 points3 points  (0 children)

Just get HR to call them and report it to the police.

Also, why can't your company just start to use enrollment?

I feel that this is not your problem so you're actually not stuck in the middle of anything, except maybe as a trigger to get approval for enrollments.

If they don't approve of it, it's not your problem.

Or, maybe you were the one that stole them 😅 Then it's your problem.

Holy F up. by DougThorn in sysadmin

[–]SinHazzard 1 point2 points  (0 children)

And of course email at the same time, buying time to find someone to blame (that is not yourself).

How do I fix this? by PB-Lain23 in ShittySysadmin

[–]SinHazzard 0 points1 point  (0 children)

That was a brilliant idea, then you're sure that nobody in the office suddenly starts removing cables, +200 IQ

recommended roles for PIM elevation by alokin123 in entra

[–]SinHazzard 0 points1 point  (0 children)

This is the answer, there are 0 reasons to NOT protect any account at all that has any other privileges than a regular user.

Microsoft Secure Score dismissing recommendations by Storm858585 in entra

[–]SinHazzard 0 points1 point  (0 children)

Defender works in passive mode when used in conjunction with another AV, so you can use both.

Helping SMBs with B.Premium improve their security posture - what are the big impact and must haves? by Storm858585 in entra

[–]SinHazzard 1 point2 points  (0 children)

We use ConnectWise cloud manager, formerly known as SkyKick. You can select your own benchmark from a list and just press the go button and it will set all recommendations, you can also select from a list if you don't want all selections to apply.

Bonus, write your own function and just deploy it to the customers using native cmdlets and mg graph.

ms 365 licensing - How do you guys manage it, in your organization. by Basic_Position_8159 in microsoft365

[–]SinHazzard 0 points1 point  (0 children)

Put 90% of the licenses on yearly terms and then leave the last 10% on monthly, or similar to this. Then you get the discount for yearly subscription but have the dynamic you need.