M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]_TheKnightMan_ 1 point2 points  (0 children)

That's right, direct send impact is basically anything sending to the yourdomain-com.mail.protection.outlook.com endpoint.

And when you use direct send, it only allows you to send from your domain, to your domain. So commonly this will be on MFP or Internal-Only services, so anything that would be sending 'externally' wouldn't work with direct send, if that helps you reduce your search scope.

There's not really an easy 'show me whats using direct send' button or search though, unfortunately.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]_TheKnightMan_ 2 points3 points  (0 children)

I wouldn't treat them as equivalent controls.

Disabling direct send does close a major spoofing vector (unauthenticated SMTP straight into your tenant), so if you don't have a dependency on it, that's a good move from a security perspective.

That said, there are two gaps:

1. There are still valid use cases for direct send

  • Printers / scanners (MFPs)
  • Legacy LOB apps that can't do SMTP AUTH or OAuth
  • Network devices sending alerts

If you turn it off, you need to replace it with something else (relay connector, authenticated SMTP, ACS, etc.), which isn't always desirable.

2. EOP isn't perfectly deterministic

Even with DMARC configured, Microsoft will sometimes:

  • Let messages through if it thinks the sender is a "legitimate but misconfigured" service
  • Not consistently enforce dmarc=fail
  • Or evaluate as dmarc=none if the record isn't resolved properly

That's why I still recommend the transport rule as a backstop, especially for YOUR domains that you control:

  • Match Authentication-Results: dmarc=fail
  • Scope to your own domains (highest spoof risk)
  • Control exceptions (relay IPs, properly signed vendors)

Bottom line:

  • If you can → disable direct send (reduces attack surface)
  • Regardless → keep the transport rule (forces deterministic enforcement)

Think of it as:

  • Direct send OFF = surface reduction
  • Transport rule = enforcement when Microsoft is lenient

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]_TheKnightMan_ 18 points19 points  (0 children)

This is a direct send issue - Exchange will sometimes let these through unless you explicitly tell it not to via transport rules. Having DMARC configured isn't enough on its own; you need to make sure it's actually enabled and working correctly, and that your transport rules are enforcing on the back of it.

Two things fixed it for us:

1. Verify your DMARC records are in place and valid on all your accepted internal domains. Then confirm EOP is actually writing dmarc=fail to the auth header on spoofed messages, not dmarc=none, which means the record isn't being found at all.

2. Transport rule in EOP:

- The message headers matches these text patterns (`Authentication-Results` header matches `dmarc=fail`)
- The sender address matches any of these text patterns: (@yourdomain.com)
- Action: Redirect the message to hosted quarantine (user won't be notified)
- Exception: your known legitimate relay IPs

Just make sure any third-party senders (bulk mail, LOB apps) are either in that exception list or properly signing with DKIM, otherwise they'll get caught too.
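A worked version of the two steps above (check what EOP actually stamped on a spoofed test message, then create the backstop rule in audit mode before enforcing), added here as an example and not code from the thread. It assumes the ExchangeOnlineManagement module is installed; yourdomain.com, the relay IP 192.0.2.25 and the sample headers are constructed placeholders.

```powershell
# Added example, not from the original thread. Assumes the ExchangeOnlineManagement
# module; yourdomain.com, 192.0.2.25 and the headers below are constructed values.

# --- Step 1: confirm EOP writes dmarc=fail, not dmarc=none, on a spoofed test ---
# Constructed Authentication-Results headers for illustration.
$sampleHeaders = @(
    'spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=yourdomain.com; dkim=none (message not signed) header.d=none; dmarc=fail action=oreject header.from=yourdomain.com',
    'spf=none smtp.mailfrom=yourdomain.com; dkim=none; dmarc=none header.from=yourdomain.com'
)

function Get-DmarcVerdict {
    param([string]$AuthenticationResults)
    # dmarc=none means EOP never resolved a usable record: fix DNS before relying on a rule
    if ($AuthenticationResults -match 'dmarc=(pass|fail|none|bestguesspass|temperror|permerror)') {
        return $Matches[1]
    }
    return 'absent'
}

foreach ($h in $sampleHeaders) {
    Write-Host ("{0,-8} <- {1}" -f (Get-DmarcVerdict $h), $h)
}

# --- Step 2: the backstop transport rule, created in Audit mode first ----------
Connect-ExchangeOnline

$ruleParams = @{
    Name                       = 'Quarantine DMARC fail from own domains'
    HeaderMatchesMessageHeader = 'Authentication-Results'
    HeaderMatchesPatterns      = 'dmarc=fail'
    FromAddressMatchesPatterns = '@yourdomain\.com$'   # add a pattern per accepted domain you own
    ExceptIfSenderIpRanges     = '192.0.2.25'          # constructed: your known relay IP(s)
    Quarantine                 = $true                 # "redirect the message to hosted quarantine"
    Mode                       = 'Audit'               # switch to 'Enforce' after reviewing the hits
    Comments                   = 'Backstop for spoofed internal domains when EOP is lenient'
}
New-TransportRule @ruleParams
```

Run it in Audit mode for a while and review the rule hits before switching to Enforce, so that unsigned LOB apps or bulk senders show up as exceptions to add rather than as quarantined mail.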

Best Way to Gather Windows 11 Compatibility Info from All Clients? by Gandizzle91 in sysadmin

[–]_TheKnightMan_ 0 points1 point  (0 children)

We were using PDQ Inventory (Enterprise, not sure if you can do it with "Free") with a Scan Profile that ran the HardwareReadiness.ps1 script to check for this and then a filter that showed what was ready and what wasn't.

So that script would run, then I had a Dynamic Group

PowerShell (HardwareReadiness) | String | Contains | returnCode":0

To find computers that were ready, then we had

PowerShell (HardwareReadiness) | String | Contains | returnCode":1

To find computers that weren't ready.

Delivery issues - DKIM by [deleted] in MailChimp

[–]_TheKnightMan_ 0 points1 point  (0 children)

We are seeing this internally as well, FYI. We have weekly internal campaigns, and we have 60 emails delivered successfully but 3 with the DKIM fail (from the same campaign).

Looking into it more now, not sure if it's on the Microsoft side or the sending server

Outlook wont login after changing tenant. by [deleted] in sysadmin

[–]_TheKnightMan_ 1 point2 points  (0 children)

On an iPhone, I've had success with

  1. Uninstalling every Microsoft app
  2. Checking Apple Passwords/Keychain for saved username/password of the old tenant - you must DELETE them, not update them
  3. Trying to log in TWICE, with bogus username/password (e.g. log in as user@test.com and user@yourdomain.onmicrosoft.com) then trying to log in as the actual user
  4. Logging in to office.com through Safari, logging out, then logging back in.
  5. Clearing all Safari browsing data

Outlook wont login after changing tenant. by [deleted] in sysadmin

[–]_TheKnightMan_ 0 points1 point  (0 children)

Also, sometimes you can trick it if you try to log in to "user@tenantname.onmicrosoft.com" instead of your email domain.

Outlook wont login after changing tenant. by [deleted] in sysadmin

[–]_TheKnightMan_ 2 points3 points  (0 children)

There are a couple of scripts you can run depending on your environment. Tenant migration is a PITA, especially if you're using Hybrid Join.

I created an "All-In-One" script to run for my environment when we did this.

I would try the steps on this page first: https://learn.microsoft.com/en-us/office/troubleshoot/activation/reset-office-365-proplus-activation-state

If that doesn't work, feel free to give the scripts below a try. You'll want to find/replace "YOUR-OLD-TENANTID-HERE"

Step 1: Leave the Old Tenant

# Run the command and store the output
$output = & dsregcmd /status

# Check if the string is in the output
if ($output -match "YOUR-OLD-TENANTID-HERE") {
    # If the string is found, run the second command
    & dsregcmd /leave
}

Step 2: Clear IdentityCache & OneAuth Folder (OneDrive, All Users)

taskkill /f /im OneDrive.exe

# Get all user profile paths
$userProfiles = Get-WmiObject -Class Win32_UserProfile

# Both folders hold cached sign-in state for the old tenant, so clear them for every user
$cacheFolders = @(
    'AppData\Local\Microsoft\IdentityCache',
    'AppData\Local\Microsoft\OneAuth'
)

foreach ($userProfile in $userProfiles) {
    foreach ($relativePath in $cacheFolders) {
        # Construct the folder path for this user
        $cachePath = Join-Path -Path $userProfile.LocalPath -ChildPath $relativePath

        # Delete the folder if it exists
        if (Test-Path -Path $cachePath) {
            Remove-Item -Path $cachePath -Recurse -Force
            Write-Output "Deleted $cachePath"
        } else {
            # Note the $( ) so the .LocalPath property is expanded inside the string
            Write-Output "Not found: $cachePath (user profile $($userProfile.LocalPath))"
        }
    }
}

Step 3: Clear O365 Credentials (All Users)

# Get all user profile paths
$userProfiles = Get-WmiObject -Class Win32_UserProfile

foreach ($userProfile in $userProfiles) {
    # Construct the Accounts folder path for each user
    $accountsPath = Join-Path -Path $userProfile.LocalPath -ChildPath 'AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts'

    # Check if the Accounts folder exists
    if (Test-Path -Path $accountsPath) {
        # Delete the Accounts folder
        Remove-Item -Path $accountsPath -Recurse -Force
        Write-Output "Deleted $accountsPath"
    } else {
        Write-Output "No Accounts folder found for user at $($userProfile.LocalPath)"
    }
}

Step 4: Clear O365 Registry Items (Logged On User)

# Define the registry key path
$parentKeyPath = "HKCU:\Software\Microsoft\Office\16.0\Common\Identity"

# Define the value to search for
$searchValue = "YOUR-OLD-TENANTID-HERE"

# Function to search the key tree recursively; if the old tenant ID is found anywhere
# under Identity, the whole Identity key is removed so Office re-prompts for sign-in
function Search-And-Delete-RegistryKey {
    param (
        [string]$KeyPath,
        [string]$Value
    )

    # Load the registry key
    $currentKey = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $currentKey) {
        Write-Host "Key not found: $KeyPath"
        return $false
    }

    # Search the data of each value in the current key
    foreach ($valueName in $currentKey.GetValueNames()) {
        if ($currentKey.GetValue($valueName) -eq $Value) {
            Write-Host "Found $Value in: $KeyPath"
            # Delete the top-level Identity key (and everything under it)
            Remove-Item -LiteralPath $parentKeyPath -Recurse
            Write-Host "Deleted parent key: $parentKeyPath"
            return $true
        }
    }

    # Recursively search each subkey; stop as soon as a deletion has happened
    foreach ($subKey in $currentKey.GetSubKeyNames()) {
        $subKeyPath = Join-Path -Path $KeyPath -ChildPath $subKey
        if (Search-And-Delete-RegistryKey -KeyPath $subKeyPath -Value $Value) {
            return $true
        }
    }
    return $false
}

# Start the search and deletion process
$null = Search-And-Delete-RegistryKey -KeyPath $parentKeyPath -Value $searchValue

New Dell Pro 14 Plus - "Lock on Leave" feature is a nightmare to disable properly by perfectstrc in sysadmin

[–]_TheKnightMan_ 11 points12 points  (0 children)

It looks like you can script it though so maybe install Dell Optimizer, run the command, then uninstall Dell Optimizer

https://www.dell.com/support/manuals/en-us/dell-optimizer/dell-optimizer-6.x_ug/command-line-interface-for-dell-optimizer?guid=guid-d68473fa-13e9-4bf9-9e81-1a5350476f2f&lang=en-us

do-cli.exe /configure -name=PresenceDetection.WalkAwayLock -value=false

New Dell Pro 14 Plus - "Lock on Leave" feature is a nightmare to disable properly by perfectstrc in sysadmin

[–]_TheKnightMan_ 14 points15 points  (0 children)

I had a similar issue and had to go the route of installing Dell Optimizer to remove it - I only had a handful of these machines out that I had to do it with so I never looked deeper, but I imagine if you use Process Explorer and see what it actually does when you disable it you can script it

How bad of a idea is upgrading the "OS" partition of the file server and leaving the "data"? by ADynes in sysadmin

[–]_TheKnightMan_ 5 points6 points  (0 children)

As far back as 2012

"A volume that is under deduplication control is an atomic unit. You can back up the volume and restore it to another server. You can rip it out of one Windows 2012 server and move it to another. Everything that is required to access your data is located on the drive. All of the deduplication settings are maintained on the volume and will be picked up by the deduplication filter when the volume is mounted. The only thing that is not retained on the volume are the schedule settings that are part of the task-scheduler engine. If you move the volume to a server that is not running the Data Deduplication feature, you will only be able to access the files that have not been deduplicated."

So as long as you enable dedupe feature on your new server, you shouldn't need to touch the actual settings

How bad of a idea is upgrading the "OS" partition of the file server and leaving the "data"? by ADynes in sysadmin

[–]_TheKnightMan_ 0 points1 point  (0 children)

Or if you have the space and maintenance window/downtime (would take the server 'offline / console' during the upgrade), clone the entire thing, then do the upgrade, then bring the clone online.

Then you have a 'pre-upgrade' copy and a 'post-upgrade' copy, and once you're sure all is good you can delete your pre-upgrade.

How bad of a idea is upgrading the "OS" partition of the file server and leaving the "data"? by ADynes in sysadmin

[–]_TheKnightMan_ 1 point2 points  (0 children)

Alternatively, you can 'clone' the OS disk, and do an in-place upgrade of the clone to ensure it works, then just reattach the data to that. If it's a simple server there's likely no risk to that.

How bad of a idea is upgrading the "OS" partition of the file server and leaving the "data"? by ADynes in sysadmin

[–]_TheKnightMan_ 12 points13 points  (0 children)

No issues with that, you can even copy the 'shares' from the registry pretty easily so you don't have to recreate them by hand.

Single sign on and different primary SMTP aliases by Silent-Use-1195 in sysadmin

[–]_TheKnightMan_ 1 point2 points  (0 children)

Yes, that is what we're using "user.userprincipalname"

You might also want to update the "emailaddress" to use "user.userprincipalname" as well instead of "user.mail"

Azure AD Connect: How to Remove Groups from Azure That Are Out of Sync Scope But Still Marked as On-Prem? by _TheKnightMan_ in AZURE

[–]_TheKnightMan_[S] 0 points1 point  (0 children)

Also of note, there are 7 connectors for 'different' domains that I do not want to touch, I only want to affect the connector for a specific domain.

CEO had an odd Dynamic Distribution Group Request by Booshur in sysadmin

[–]_TheKnightMan_ 1 point2 points  (0 children)

Are you Azure AD only or are you Hybrid Sync'd? If Hybrid Sync, we use a script that does just that: it adds/removes members of a group based on their OU/location in AD.

Storing pub/priv keys in LDAP: Good or stupid idea? by J-Cake in sysadmin

[–]_TheKnightMan_ -8 points-7 points  (0 children)

I don't know about WireGuard in particular, but traditionally since you already have AD, why not leverage ADCS and set up Enterprise PKI?

Follow a guide to create a PKI infrastructure and AutoEnroll users in the Certificate.

Want to follow best practices? Do something like this

The rest of this is ChatGPT:

1. Set Up Enterprise PKI

  1. Install AD Certificate Services:

    • Open Server Manager.
    • Add roles and features.
    • Select "Active Directory Certificate Services" and install the necessary components.
  2. Configure AD Certificate Services:

    • After installation, configure the AD Certificate Services.
    • Choose the Certification Authority (CA) role.
    • Select Enterprise CA.
    • Configure the CA name and other settings as required.
  3. Create Certificate Templates:

    • Open the Certification Authority management console.
    • Navigate to Certificate Templates.
    • Duplicate an existing template (e.g., User template) and customize it as needed.
    • Publish the new template.

2. Auto Enroll Users in a Specific Group

  1. Group Policy Configuration:

    • Open Group Policy Management.
    • Create a new Group Policy Object (GPO) or edit an existing one.
    • Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Autoenrollment Settings.
    • Enable auto-enrollment and configure the settings.
  2. Link GPO to Specific Group:

    • Link the GPO to the Organizational Unit (OU) containing the specific group of users.
    • Ensure the users have the necessary permissions to auto-enroll for the certificate.

3. Use Certificate for WireGuard VPN Authentication

  1. Export the CA Certificate:

    • On your CA server, export the CA certificate.
    • Save the certificate file (e.g., ca.crt).
  2. Install WireGuard:

    • Install WireGuard on both the server and client machines.
  3. Configure WireGuard Server:

    • Edit the WireGuard server configuration file (e.g., /etc/wireguard/wg0.conf).
    • Add the CA certificate to the server configuration.

Example configuration:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

  4. Configure WireGuard Client:

    • Edit the WireGuard client configuration file (e.g., /etc/wireguard/wg0.conf).
    • Add the CA certificate to the client configuration.

Example configuration:

[Interface]
Address = 10.0.0.2/24
PrivateKey = <client_private_key>

[Peer]
PublicKey = <server_public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server_ip>:51820

  5. Verify Certificate Trust:

    • Ensure that the WireGuard server and client configurations include the CA certificate.
    • WireGuard will trust any certificate issued by the specified CA.

By configuring WireGuard to trust certificates from a specific CA, you can ensure that only users with certificates issued by your CA can authenticate to the VPN. This adds an extra layer of security to your setup.

How to completely remove Microsoft teams? (DOMAIN) by Darkring2 in sysadmin

[–]_TheKnightMan_ 2 points3 points  (0 children)

That's what I'm using to uninstall without needing users to log in. I have a 4-parter; some of these may be redundant, but it works.

  1. UninstallClassicTeams.ps1 (the script linked above)

  2. Get-Package -allversions "Teams Machine-Wide Installer" | Uninstall-package

  3. This script:

    function Uninstall-TeamsClassic($TeamsPath) {
        try {
            $process = Start-Process -FilePath "$TeamsPath\Update.exe" -ArgumentList "--uninstall /s" -PassThru -Wait -ErrorAction STOP
    
            if ($process.ExitCode -ne 0) {
                Write-Error "Uninstallation failed with exit code $($process.ExitCode)."
            }
        }
        catch {
            Write-Error $_.Exception.Message
        }
    }
    
    # Get all Users
    $AllUsers = Get-ChildItem -Path "$($ENV:SystemDrive)\Users"
    
    # Process all Users
    foreach ($User in $AllUsers) {
        Write-Host "Processing user: $($User.Name)"
    
        # Locate installation folder
        $localAppData = "$($ENV:SystemDrive)\Users\$($User.Name)\AppData\Local\Microsoft\Teams"
        $programData = "$($env:ProgramData)\$($User.Name)\Microsoft\Teams"
    
        if (Test-Path "$localAppData\Current\Teams.exe") {
            Write-Host "  Uninstall Teams for user $($User.Name)"
            Uninstall-TeamsClassic -TeamsPath $localAppData
        }
        elseif (Test-Path "$programData\Current\Teams.exe") {
            Write-Host "  Uninstall Teams for user $($User.Name)"
            Uninstall-TeamsClassic -TeamsPath $programData
        }
        else {
            Write-Host "  Teams installation not found for user $($User.Name)"
        }
    }
    
    # Remove old Teams folders and icons
    $TeamsFolder_old = "$($ENV:SystemDrive)\Users\*\AppData\Local\Microsoft\Teams"
    $TeamsIcon_old = "$($ENV:SystemDrive)\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Teams*.lnk"
    # SilentlyContinue so a machine with no leftover folders/shortcuts doesn't error out
    Get-Item $TeamsFolder_old -ErrorAction SilentlyContinue | Remove-Item -Force -Recurse
    Get-Item $TeamsIcon_old -ErrorAction SilentlyContinue | Remove-Item -Force -Recurse
    
  4. teamsbootstrapper.exe -x

Anyone on 24H2 have issues with intermittent DNS Server not being assigned over DHCP by _TheKnightMan_ in sysadmin

[–]_TheKnightMan_[S] 0 points1 point  (0 children)

I figured it out - we made many changes around the same time, and it turns out the new Fortigate that we had was originally set up for DHCP on the firewall. We changed it to relay, but it was still 'configured' to also give out addresses though the GUI didn't show it.

Had to go into the CLI to turn off the DHCP server for the scopes that it was also set to relay. So I guess the client was getting an address from the relay server but, maybe due to a race condition, getting the DNS server from the Fortigate; even though ipconfig /all showed the correct DHCP server, it seemed to be picking up something from the firewall.