In this week’s episode of the Practical 365 Podcast, Paul Robichaux and I discuss Exchange Online’s increasingly strict rules and the ever-growing mountain of Message Center updates. Bastiaan Verdonk and I are then joined by Microsoft MVP Louis Mastelinck to discuss how to actually secure your environment with Conditional Access.

The Experts Conference (TEC) Events

We kicked off the show with news about upcoming The Experts Conference (TEC) events across Europe, with stops in London, Paris, and Dusseldorf. These events will focus on Microsoft security and AI, with our own Tony Redmond featured as a speaker.

Drowning in Notifications: A Million Message Center Alerts

First, a milestone that’s both impressive and slightly terrifying: the Microsoft 365 Message Center has officially crossed the one million message mark. That’s a million announcements, updates, and changes. It’s a testament to the rapid pace of development in the cloud, but it also means staying informed is a constant battle. Are you really reading all of those? We certainly hope not.

Exchange Online: New Limits You Need to Know About

Microsoft isn’t messing around with Exchange Online. They’re implementing some significant changes, clearly focused on security and preventing abuse. Here’s what you need to know:

1. Dynamic Distribution Group Limits (MC1024399):

If you’re a heavy user of Dynamic Distribution Groups (DDGs), brace yourselves. Microsoft is putting a hard cap of 3,000 DDGs per tenant, starting in April 2025. This is a clear signal to start cleaning house. If you’ve got DDGs sprawling all over your tenant, it’s time for an audit.

  • Action Item: Audit your DDG usage now. Consolidate, delete, or consider alternatives like Microsoft 365 Groups or mail-enabled security groups.

2. Tenant-wide External Recipient Rate Limit (TERRL):

This is the big one, and it’s already rolling out. TERRL is a tenant-level restriction on outbound email, aimed at preventing spammers from abusing newly created tenants. It limits the number of unique external recipients your tenant can send to in a rolling 24-hour period.

Important Exceptions:

  • Properly configured Multi-Tenant Organization (MTO) mail flow is excluded.
  • Mail sent from Exchange Online to on-premises Exchange servers in a hybrid configuration (using accepted domains) is also excluded.

Monitoring:

  • Use the “Tenant Outbound External Recipients Report” in the Exchange Admin Center (EAC).
  • Use the Get-LimitsEnforcementStatus PowerShell cmdlet (requires Exchange Online Management module v3 or later).

These limits are a good thing for overall security, but they require proactive management. Don’t wait until you hit a limit and your mail flow grinds to a halt. Start monitoring now. And if you’re sending large volumes of legitimate external email (marketing, etc.), seriously consider using a dedicated service like Azure Email Communications Service (ECS) or Exchange Online High-Volume Email (HVE).

Read more in Tony’s article here on Practical 365

Conditional Access: Getting it Right with Louis Mastelinck

We were lucky to have Microsoft MVP Louis Mastelinck, a true Identity and Access Management expert, join us to discuss Conditional Access. Louis didn’t mince words – he gave us the practical, real-world advice that many organizations need to hear.

We discussed:

  • Admin Accounts First: Secure your administrator accounts! Dedicated accounts, mandatory MFA for all admin access (no matter the role), and short sign-in frequencies. This is non-negotiable.
  • Break-Glass Accounts: Always exclude designated break-glass accounts from every Conditional Access policy. Don’t lock yourself out.
  • Context Matters: Go beyond basic MFA. Use Conditional Access to control access based on device compliance, location, client application, and sign-in risk.
  • Don’t Just Use Templates: Microsoft’s templates are a starting point, not a final solution. Customize them!
  • Get Executives On Board: Find those executives who are willing to be early adopters of better security (like passkeys).
  • Be Transparent About Risk: If someone wants an exception, document the risks clearly.
  • Constant Vigilance: Monitor your Entra ID sign-in logs, use Log Analytics and KQL queries, and look for anything suspicious.
  • Start Small, Then Scale: Don’t try to implement everything at once. Start with the basics (like MFA for everyone) and build from there.
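
One way to check the first two points above across a tenant (break-glass exclusions on every policy; MFA and a short sign-in frequency on admin-scoped policies), as an added example that is not from the podcast or from Microsoft. Property names follow the objects returned by `Get-MgIdentityConditionalAccessPolicy` in the Microsoft Graph PowerShell SDK; the function name, the 8-hour threshold, and the sample policies with their placeholder IDs are assumptions made for illustration.

```powershell
function Test-CaPolicyHygiene {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [string[]] $BreakGlassIds,  # object IDs (users or a group) every policy must exclude
        [int] $MaxAdminSignInHours = 8                     # assumed threshold; the page only says "short"
    )
    foreach ($p in $Policies) {
        if ($p.State -eq 'disabled') { continue }
        $users  = $p.Conditions.Users
        $issues = @()
        # Break-glass accounts must be excluded from every policy.
        $excluded = @($users.ExcludeUsers) + @($users.ExcludeGroups)
        $missing  = @($BreakGlassIds | Where-Object { $excluded -notcontains $_ })
        if ($missing.Count -gt 0) { $issues += "break-glass not excluded: $($missing -join ', ')" }
        # Policies scoped to directory roles are treated as admin policies.
        # Block policies are skipped: MFA and session controls do not apply to them.
        $roles    = @($users.IncludeRoles | Where-Object { $_ })
        $controls = @($p.GrantControls.BuiltInControls)
        if ($roles.Count -gt 0 -and $controls -notcontains 'block') {
            if ($controls -notcontains 'mfa' -and -not $p.GrantControls.AuthenticationStrength.Id) {
                $issues += 'admin policy does not require MFA'
            }
            $sif   = $p.SessionControls.SignInFrequency
            $hours = if ($sif.Type -eq 'days') { $sif.Value * 24 } else { $sif.Value }
            if (-not $sif.IsEnabled -or $hours -gt $MaxAdminSignInHours) {
                $issues += "sign-in frequency missing or longer than $MaxAdminSignInHours hours"
            }
        }
        if ($issues.Count -gt 0) { [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Issues = $issues -join '; ' } }
    }
}
# Constructed sample input with placeholder IDs. For live data, run
# Connect-MgGraph -Scopes 'Policy.Read.All' and pass (Get-MgIdentityConditionalAccessPolicy -All).
$bg = 'break-glass-group-id'
$sample = @(
    @{ DisplayName = 'Admins: MFA, 4h sign-in'; State = 'enabled'
       Conditions = @{ Users = @{ IncludeRoles = @('role-id'); ExcludeGroups = @($bg) } }
       GrantControls = @{ BuiltInControls = @('mfa') }
       SessionControls = @{ SignInFrequency = @{ IsEnabled = $true; Type = 'hours'; Value = 4 } } },
    @{ DisplayName = 'Admins: compliant device only'; State = 'enabled'
       Conditions = @{ Users = @{ IncludeRoles = @('role-id'); ExcludeGroups = @() } }
       GrantControls = @{ BuiltInControls = @('compliantDevice') } },
    @{ DisplayName = 'All users: MFA'; State = 'enabledForReportingButNotEnforced'
       Conditions = @{ Users = @{ IncludeUsers = @('All'); ExcludeUsers = @($bg) } }
       GrantControls = @{ BuiltInControls = @('mfa') } }
)
Test-CaPolicyHygiene -Policies $sample -BreakGlassIds $bg | Format-Table -AutoSize -Wrap
```

With the sample input only the second policy is reported, with all three findings; report-only policies are checked as well so gaps surface before enforcement.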

Teams Facilitator Agent: We’re Not Sold (Yet).

Microsoft’s adding a “Facilitator agent” to Teams meetings (MC1023294). It’s supposed to take notes, generate action items, and maybe even “facilitate” the meeting. It uses Copilot Pages, and (of course) it requires a Copilot license.

Honestly, we’re skeptical. It sounds like a lot of overlap with existing Copilot features and intelligent meeting recap. And, in a significant oversight, meeting sensitivity labels are not automatically applied to the notes.

Read more in the Message Center

On the Next Show

Join us in two weeks as we continue to explore the practical side of Microsoft 365, and another TEC speaker joins us live. Don’t forget to subscribe on iTunes or Spotify. Got thoughts on this episode or suggestions for future topics? Let us know in the comments!

About the Author

Steve Goodman

Technology Writer, Podcast Host and Chief Editor for AV Content at Practical 365, focused on Microsoft 365. A 13-time Microsoft MVP, author of several technology books and regular Microsoft conference speaker. Steve works at RootUK as Chief Technology Officer, advising business and IT on the best way to get the most from AI & Microsoft Cloud technology.
