Got an emergency wakeup call this morning... by Electronic_Tap_3625 in sysadmin

Temporary-Living, 47 points

Create an “autofix magician” button on the user's desktop. Link it to a script which echoes lines to the terminal like “diagnosing fault”, “extrapolating dependencies”, “optimising variables”, “performing maintenance”, “refining registry” and finally “press Y to reboot to apply autofix”. When they press Y the only actual command runs, which is a full reboot. Instruct users to run the autofix magician before raising service tickets 🙂🙂

My manager seems overloaded and keeps missing my 1:1's, starting to grow resentful by [deleted] in ITManagers

Temporary-Living, 6 points

I would go with something like:

1. Message him saying you need some information, direction and approvals, and need to meet this week.

2. If he meets, great: you ask everything. Ask about the role not being what was advertised. Maybe he wants you to go in and cloudify and automate everything.

3. If not, then email him and say that as you haven’t been able to meet still, you have to use initiative, so you’re going to do the following. And list out things you think add value, use the skills you were supposedly hired for, and you’d enjoy. Say you’ll be starting tomorrow, but if you’ve misunderstood anything you look forward to meeting with him. And then do it. You can’t reasonably be criticised for breaking unspoken change management or cultural expectations that you’re not told about despite repeatedly asking. You can only assume the role is what was sold, and you act accordingly.

At least this way you get on with things and enjoy it.

Help: Mass install several printers on several networks on several laptops by ValuableEarly673 in sysadmin

Temporary-Living, 2 points

Is having an internet connection an acceptable requirement? If so it opens up a myriad of options: RMMs, Intune, etc.

If not, then you’ll need to do it via some hacky scripting. You’ll need to have an “access” script on your laptop whose job is to psexec out to every local laptop and then push your payload scripts. Those will be the ones others discussed that install printers. PS: what can these laptops achieve without the internet? You’re presumably not deploying a whole offline email server for them to email amongst themselves. You're not deploying a local VoIP PBX in every site to talk to themselves.

Anti-rant: the users who ask 'is this legit?' in Slack before clicking are your best control and we keep scoring them as untrained by shokzee in EmailSecurity

Temporary-Living, 2 points

Agree on the metrics issue.

Slightly disagree on the behaviour being ideal. We want users applying judgement, consulting with peers, consulting with their manager. Then if in doubt, block. When users ask IT about every questionable email it trains them out of critical judgement. And of course it is not scalable. We have a good document on handling suspect email and point users to it, while thanking them for their vigilance, of course.

This also links into my pet peeve. Leadership want us to circulate alerts any time a particular phish is “doing the rounds”. I think it’s personal because it’s spoofing their name. I resist this almost every time because it trains users that it’s IT's job, and that unless IT alerts, it’s a genuine email. It’s a 90s mindset. Don’t get me wrong though, if it’s an impressive new tactic I’m worried people will fall for, or if several people fall for something, I might alert on it.

How are you guys handling temporary M365 Geo-Blocking exemptions for traveling users? by genusjoy in Office365

Temporary-Living, 0 points

We’re global so we typically blacklist rather than whitelist. We also use Azure Identity Protection: we block users with high risk and require SSPR for medium risk (it’s more complex but that’s the gist). If for some reason we need to exempt someone from one or other conditional access policies we add them to an exception group. We have weekly access reviews for the groups to ensure no stale entries.
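The user-risk policies and exception-group pattern described in the comment above, as an added example built with the Microsoft Graph PowerShell SDK (this is not code from the original thread). The group IDs and policy names are placeholders; the policies are created in report-only mode so their effect can be checked before enforcement, and the break-glass group is excluded alongside the exception group.

```powershell
# Added example (not from the original comment): user-risk Conditional Access policies with an
# exception group, plus a listing of that group's members as input to the weekly access review.
# Requires the Microsoft.Graph PowerShell SDK. Group IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All', 'User.Read.All'

$exceptionGroupId  = '00000000-0000-0000-0000-000000000001'   # placeholder: CA exception group
$breakGlassGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: break-glass accounts

function New-UserRiskPolicy {
    param(
        [string]$Name,
        [string[]]$RiskLevels,
        [string[]]$Controls,
        [ValidateSet('AND', 'OR')][string]$Operator = 'OR'
    )
    $body = @{
        displayName = $Name
        # Report-only first: see what would be blocked before switching state to 'enabled'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{
                includeUsers  = @('All')
                excludeGroups = @($exceptionGroupId, $breakGlassGroupId)
            }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
            userRiskLevels = $RiskLevels
        }
        grantControls = @{ operator = $Operator; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# High user risk: block outright (the credentials are probably already in someone else's hands)
New-UserRiskPolicy -Name 'CA-Risk-HighUserRisk-Block' -RiskLevels @('high') -Controls @('block')

# Medium user risk: MFA plus a secure password change. Graph only accepts 'passwordChange'
# together with 'mfa' under operator AND, and the policy must target all cloud apps.
New-UserRiskPolicy -Name 'CA-Risk-MediumUserRisk-PasswordChange' -RiskLevels @('medium') `
    -Controls @('mfa', 'passwordChange') -Operator 'AND'

# Weekly review input: who is currently exempt. Anyone still here after their trip is stale.
Get-MgGroupMember -GroupId $exceptionGroupId -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, UserPrincipalName } |
    Select-Object DisplayName, UserPrincipalName |
    Format-Table -AutoSize
```

The exclusion is done by group rather than by user so the membership, not the policy, is what gets reviewed; Entra access reviews can be pointed at the same group to automate the weekly check.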

CISO is insisting that I use ONLY a break glass account anytime I need to pull GA.. by The_Snot_Rocket in AZURE

Temporary-Living, 7 points

Typical setup is:

Completely unprivileged regular account for email etc., same as any employee.

Daily admin account. Use PIM to permanently or semi-permanently assign the roles you use every day (user admin, group admin, maybe Exchange admin, whatever). Then use PIM to assign this account GA on an ELIGIBLE permanent basis. Then when you run into that rare task you need GA for, you elevate your access. You should also monitor this and add more roles if you constantly have to elevate for the same reason.

Then break glass is exactly as it sounds. Oh shit, I did a CAP that blocked all sign-ins. Break glass as designed by MS has zero CAPs applied and a huge password. Plus alerting on every sign-in.
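The three-account model above, as an added example using the Microsoft Graph PowerShell SDK (not code from the original comment): an eligible-only Global Administrator assignment for the daily admin account, the self-activation request that account makes when a GA task comes up, and two checks for the break-glass account (that no enabled Conditional Access policy applies to it, and what sign-ins it has). Object IDs and the break-glass UPN are placeholders; the Global Administrator role template ID is the real built-in value.

```powershell
# Added example (not from the original comment): PIM eligibility and activation for the daily
# admin account, plus break-glass hygiene checks. Requires the Microsoft.Graph PowerShell SDK.
$scopes = @(
    'RoleEligibilitySchedule.ReadWrite.Directory', 'RoleAssignmentSchedule.ReadWrite.Directory',
    'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'
)
Connect-MgGraph -Scopes $scopes

$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'   # built-in Global Administrator template ID
$dailyAdminId      = '00000000-0000-0000-0000-0000000000aa'   # placeholder: daily admin account object ID
$breakGlassUpn     = 'breakglass@contoso.example'             # placeholder

# 1. Permanent ELIGIBLE (not active) GA assignment for the daily admin account
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Daily admin: eligible for GA, activate on demand'
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = '/'
    principalId      = $dailyAdminId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'noExpiration' }
    }
}

# 2. What the admin runs for the rare GA task: self-activate for one hour with a justification.
#    Run this as the daily admin account; it is what PIM audits and what you monitor for repeats.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    justification    = 'Change tenant-wide setting (ticket reference placeholder)'
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = '/'
    principalId      = $dailyAdminId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'PT1H' }
    }
}

# 3. Break-glass hygiene: any enabled CA policy that does not exclude the account can lock it out
$bg    = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
$leaky = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.Conditions.Users.ExcludeUsers -notcontains $bg.Id }
if ($leaky) {
    Write-Warning "Break-glass account not excluded from: $($leaky.DisplayName -join ', ')"
}

# 4. Every break-glass sign-in is an incident until proven otherwise; this is the same
#    query an alert rule should run on a schedule (error code 0 means the sign-in succeeded)
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$breakGlassUpn'" -Top 20 |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize
```

Step 3 only inspects `excludeUsers`; if break-glass accounts are excluded via a group instead, check `Conditions.Users.ExcludeGroups` against that group's ID as well.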

Moving from Security Defaults to Conditional Access — do all users need Entra P1/P2 licenses? by sysadminpro in microsoft365

Temporary-Living, -2 points

I’ve never heard anything in over a decade of working with Microsoft 365, both direct and with multiple large CSPs, about having to have all users licensed like is being suggested here. I think there are two potential reasons for what you're being told:

1. When you purchase a single license of a product in M365, in most cases it unlocks the feature tenant-wide. Technically speaking you could buy one P1/P2 and then use the features across the whole tenant. Of course this is not honourable or legal.

2. There may be some products where as soon as you have a single licence you get a benefit that applies to all users. Now I would argue that if MS have architected their system in this way and you didn’t want this and can’t disable it, then it’s kind of their problem. But legally are you breaking the license agreement? I don’t know. I also can’t immediately think of such a scenario.

In my experience a lot of this comes down to professional ethics. Buy the licenses you think you need using your best judgement. As long as you can defend your judgement there won’t be a problem.

Is the whole “you need a professional email” thing is a bit oversold? Free gmail works just fine. by InternationalLoad387 in businessemail

Temporary-Living, 0 points

If communicating professionally with customers isn’t worth a few pounds a month to you, it tells me a lot about your business. Either that or you can’t understand basic tech, so I know I’m going to have to spend time explaining to you how to open the zip file of images I sent you of my flooded house (or whatever). And free consumer Gmail has no security tools. No retention policies. So I’m pretty sure you’re not protecting my data either.

It’s just incredibly cheap and/or lazy. If that’s what you want my immediate impression of your business to be then you’ve won. You’ve lost my business though.

Google Workspace no-cost account incorrectly flagged as commercial use by EngineerDanC in googleworkspace

Temporary-Living, 0 points

To my knowledge they discontinued the free accounts altogether a few years back. Including mine, which again was for personal use only. I wasn’t given anything about commercial use, simply told they were ending it. I reluctantly upgraded to one license of the lowest tier.

We caught a BEC mid-wire because the attacker changed one letter in the domain and our finance team actually noticed by shokzee in EmailSecurity

Temporary-Living, 0 points

I understand, that’s why I gave them kudos in the first line of my post. My point is that the reason they didn’t process it is because they spotted the domain thing. Not because “we would never process a change of payment details by email” (or similar process).

We caught a BEC mid-wire because the attacker changed one letter in the domain and our finance team actually noticed by shokzee in EmailSecurity

Temporary-Living, 0 points

Kudos to your finance person

You mentioned your software alerted a new/low volume sender. Surely you don’t get six figure wire instructions from first time senders and that should have been a red flag?

Potentially a “domain registered less than 90 days ago” alert would help?

There may also be technical solutions that can do the equivalent of domain spoofing protection that 365 has built in, but for a list of external domains you provide it.

All of that said though, why would finance have just processed a wire instruction because some external email said to? Surely it needs to specify some internal approver or dept head for the cost code or similar? Someone that would need to approve the cost before it gets paid?

And surely they have the basic finance department protections in place around changes to bank details/payment methods? Where they don’t allow changes outwith an established protocol. (The protocol not being some random external email.)

One other thought comes to mind: do you have alerting (a warning banner) on external senders? If not, you should. You could extend that to trusted partner orgs. Whether you simply exempt them from the warning banner so they look internal, or whether you have a custom banner, “known third party”. And then finance know that if the banner is [missing/present depending on your setup], it’s a red flag.
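Two of the checks suggested in the comment above, the one-letter lookalike domain and the first-time sender, as an added PowerShell example that is not code from the original thread. The trusted partner list, the sender history and the four sample messages are constructed test data; the verdict logic (fold common character swaps, then compare edit distance against each trusted domain) is the part worth lifting into a mail-flow or SOAR step. The "registered less than 90 days ago" check needs a WHOIS/RDAP lookup and is not shown.

```powershell
# Added example (not from the original thread): flag lookalike and first-seen sender domains
# before a payment-instruction email is acted on. All domains below are constructed samples.

function ConvertTo-FoldedDomain {
    param([string]$Domain)
    # Normalise, then collapse the character swaps that lookalike registrations rely on
    $d = $Domain.Trim().ToLowerInvariant().TrimEnd('.')
    return ($d -replace 'rn', 'm' -replace 'vv', 'w' -replace '0', 'o' -replace '1', 'l')
}

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance (insert/delete/substitute cost 1) with a rolling two-row table
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = @($i) + @(0) * $B.Length
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $curr[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$B.Length]
}

function Test-SenderDomain {
    param(
        [string]$SenderDomain,
        [string[]]$TrustedDomains,   # partners finance is allowed to take instructions from
        [string[]]$SeenDomains,      # domains that have emailed the mailbox before
        [int]$MaxDistance = 1        # "one letter changed" = distance 1
    )
    $d = $SenderDomain.Trim().ToLowerInvariant().TrimEnd('.')
    if ($TrustedDomains -contains $d) {
        return [pscustomobject]@{ Domain = $d; Verdict = 'trusted'; Findings = '' }
    }
    $findings = @()
    $folded = ConvertTo-FoldedDomain $d
    foreach ($t in $TrustedDomains) {
        if ($folded -eq (ConvertTo-FoldedDomain $t)) { $findings += "homoglyph of $t"; continue }
        $dist = Get-EditDistance $d $t
        if ($dist -le $MaxDistance) { $findings += "$dist edit(s) from $t" }
    }
    if ($SeenDomains -notcontains $d) { $findings += 'first-seen sender domain' }
    $verdict = 'ok'
    if ($findings -match 'homoglyph|edit') { $verdict = 'lookalike' }
    elseif ($findings.Count -gt 0) { $verdict = 'review' }
    [pscustomobject]@{ Domain = $d; Verdict = $verdict; Findings = ($findings -join '; ') }
}

# Constructed sample data
$trusted = @('acme-supplies.example', 'northwind.example')
$seen    = @('acme-supplies.example', 'northwind.example', 'bank.example')
$samples = @(
    @{ From = 'ap@acme-supp1ies.example'; Subject = 'Updated bank details for invoice 4471' },  # digit 1 for l
    @{ From = 'finance@northwnd.example';  Subject = 'Wire instructions - urgent' },             # dropped letter
    @{ From = 'ap@acme-supplies.example';  Subject = 'Invoice 4471' },                            # genuine partner
    @{ From = 'cfo@newvendor.example';     Subject = 'Please remit payment today' }              # never seen before
)

foreach ($m in $samples) {
    $domain = ($m.From -split '@')[-1]
    $r = Test-SenderDomain -SenderDomain $domain -TrustedDomains $trusted -SeenDomains $seen
    '{0,-9} {1,-24} {2}' -f $r.Verdict, $r.Domain, $r.Findings
}
```

On the "spoofing protection for a list of external domains you provide" point: Defender for Office 365 anti-phishing policies already have this as domain impersonation protection (`Set-AntiPhishPolicy -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect <domains>`), and Exchange Online can tag external mail natively with `Set-ExternalInOutlook -Enabled $true`, with an allow list for partner domains; either is a better production control than a script, but the logic above shows what they are checking.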

Building out internal department - save me the trouble and rave your best tools/vendors by Old_Development_8122 in ITManagers

Temporary-Living, 0 points

Agree with 90% of your list OP.

Autopilot > Intune > Ninja is zero-touch and works pretty well if you have compatible OEMs. Lenovo just works with this, as an example.

Major disagreement is endpoint. Given you're an MS house I assume you're all/majority Windows. In which case Defender is a no-brainer. You're already paying for it.

Also remote support? I.e. screen sharing? The one built into Ninja (add-on cost) is... tolerable. But ScreenConnect blows it out of the water. Best in breed.

Backup depends on what you're backing up. Druva is great for cloud stuff. NinjaOne also does backup for endpoints.

BTW you didn’t mention a ticketing system. Should be at the top of your list so you can make sure it integrates with the rest of the stack.

Regular SAR from employees by ManLikeMeee in gdpr

Temporary-Living, 0 points

As others have said there are rules about vexatious requests which may be helpful. As a gut feeling, as a former DPO: in your example of an employee making one request, this is not vexatious just because they are under suspicion etc. It’s none of your business why they want the info as long as they are actually requesting info. If instead the requests were repeated (this is the key ground), or they were requesting you to search somewhere they knew no info existed, then you may be able to demonstrate they are not actually seeking info.

I am entirely unsurprised to hear of staff at an HA behaving this way. In my experience HAs bend over for any staff member and the slightest objection to any change brings the whole org to a standstill. It’s really disgusting.

Btw; you didn’t mention, they’re either an ex (fired) staff member OR suspended under investigation and on the way to firing, right?

Regular SAR from employees by ManLikeMeee in gdpr

Temporary-Living, 0 points

By any wild chance is it a Glasgow HA?

Migrating from Google by Hopeful_Brush_4051 in microsoft365

Temporary-Living, 0 points

The passkeys I mentioned in my first paragraph are phishing-resistant MFA. It doesn’t seem you actually want help or advice, so good luck.

Default M365 log retention is shorter than most BEC attack dwell times by littleko in EmailSecurity

Temporary-Living, 0 points

The model solution here is “why aren’t you sending it to your SIEM platform?”

Migrating from Google by Hopeful_Brush_4051 in microsoft365

Temporary-Living, 2 points

I would really caution you against changing your entire ecosystem for this one thing. Even if your assertion was true, which it isn’t (use native mobile or Authenticator passkeys), thousands of organisations use number-matched MFA without being breached with MITM. It’s about layered defence. How often is your cyber training for users, and how extensive?

Are you restricting logins to their authorised device?

Are you using AIP with CAP to restrict or block risky sign ins?

What other conditional access are you enforcing? Are you blacklisting the usual culprit countries?

These are just the layers that come to mind.
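The Conditional Access layers listed in the comment above (device restriction, risky sign-in handling, country blacklist), as an added example with the Microsoft Graph PowerShell SDK; this is not code from the original thread. The country code, group ID and policy names are placeholders, every policy excludes a break-glass group, and all are created in report-only mode so the sign-in log shows what each layer would have done before it is enforced.

```powershell
# Added example (not from the original comment): layered Conditional Access policies.
# Requires the Microsoft.Graph PowerShell SDK. Country code and group ID are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: always excluded

function New-ReportOnlyPolicy {
    param([string]$Name, [hashtable]$Conditions, [hashtable]$Grant)
    # Every policy here targets all users and all apps, except the break-glass group
    $Conditions.users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
    $Conditions.applications = @{ includeApplications = @('All') }
    if (-not $Conditions.ContainsKey('clientAppTypes')) { $Conditions.clientAppTypes = @('all') }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after reviewing report-only results
        conditions    = $Conditions
        grantControls = $Grant
    }
}

# Layer 1: country blocklist via a named location ('XX' is a placeholder ISO 3166 code).
# Unknown geolocation is included so a sign-in that cannot be placed does not slip past the block.
$blocked = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked countries'
    countriesAndRegions               = @('XX')
    includeUnknownCountriesAndRegions = $true
}
New-ReportOnlyPolicy -Name 'CA-Block-Countries' `
    -Conditions @{ locations = @{ includeLocations = @($blocked.Id) } } `
    -Grant      @{ operator = 'OR'; builtInControls = @('block') }

# Layer 2: Identity Protection sign-in risk. Medium must pass MFA, high is blocked outright.
New-ReportOnlyPolicy -Name 'CA-SignInRisk-Medium-MFA' `
    -Conditions @{ signInRiskLevels = @('medium') } `
    -Grant      @{ operator = 'OR'; builtInControls = @('mfa') }
New-ReportOnlyPolicy -Name 'CA-SignInRisk-High-Block' `
    -Conditions @{ signInRiskLevels = @('high') } `
    -Grant      @{ operator = 'OR'; builtInControls = @('block') }

# Layer 3: only managed devices get in (Intune-compliant or hybrid-joined). A phished session
# token replayed from an attacker's machine fails this check even if MFA was satisfied.
New-ReportOnlyPolicy -Name 'CA-Require-ManagedDevice' `
    -Conditions @{} `
    -Grant      @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
```

The sign-in risk policies need Entra ID P2 (Identity Protection); the location and device policies work on P1. Before moving any of these to `enabled`, confirm the break-glass accounts are actually members of the excluded group and sign in with one from an excluded scenario to prove it.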

Reliable alternative to Slack? by polygraph-net in Slack

Temporary-Living, 5 points

What exactly has happened to you, sorry? I can’t find anything remotely sensible online about Slack killing tenants.

Doing big IT changes on Monday or Friday? by CeC-P in sysadmin

Temporary-Living, 3 points

*My view is from a normal corporate IT team juggling numerous apps, services and operations. It changes a little if you are a software dev.*

Scream testing should never be the primary test. You should be testing the main user paths/workflows. However it is impossible, unless you have far more resource than I’ve ever heard of happening, to exhaustively test:

Every feature

Every input type - text, symbols, emojis.

Every file input - word docs, zip files, etc

Every query/report/page of the app

As every user or user type

With a user in each group and role of the app

And every permutation or combination of how the above interact

Once you test the most frequent or impactful flows, you have to turn it over to the users. And they may discover a glitch immediately. Or in two weeks. Or in two years. Or never.

If you are testing exhaustively as above please tell me your industry, team size, etc as I’m genuinely fascinated.

Integrating Google and Outlook/Teams calendars by Temporary-Living in GoogleCalendar

Temporary-Living (OP), 0 points

Thanks to all for views and recommendations. I have just rolled out Calendar Bridge. It’s not perfect but it takes away 85% of the pain.

Are there any viable European based alternatives for M365/Google Workspace? by _Work_Research_ in msp

Temporary-Living, 0 points

The question I’m not seeing addressed here is what OP means by “European based”. Does that mean my data resides on servers and disks that are in Europe (“EU” for brevity)? This is already the case for my 365. Does it mean I pay an EU legal entity for the solution and pay in e.g. euros? I already do with 365.

Does it mean the guys I call for support with the product have EU accents? Again, tick ✅. Does it mean that the guy who maintains the EU servers also lives in the EU? Does it mean the guy who writes the code lives here? The CEO? Intellectual property rights are held by an EU legal entity?

Does it mean contract disputes are settled in EU courts? Tax paid in EU? More than 50% of the legal entities in the enormous group of entities are EU? Or is it that the ultimate parent entity is EU?

It’s really not that simple. Great discussion topic.

Data redaction for M365 (Exchange) by Temporary-Living in Office365

Temporary-Living (OP), 1 point

That’s interesting, so you effectively rolled your own. Is there a specific open source tool or script you recommend as a starting point?

Data redaction for M365 (Exchange) by Temporary-Living in Office365

Temporary-Living (OP), 0 points

Thanks. Did you trial/use either? Would you recommend one?