MS 365 Admin Console Explained: Features, Tips, and Tricks

Table of Contents

Introduction

Managing Microsoft 365 services effectively is crucial for any organization leveraging the platform. From purchasing new products and managing users to configuring security policies, the MS 365 Admin Center offers a wealth of features designed to simplify administration. This guide walks you through the essential tasks and functions in the Admin Center, empowering you to maximize productivity while ensuring robust security and collaboration. Whether you’re setting up domains, creating groups, or implementing conditional access policies, this comprehensive overview will help you navigate the Microsoft 365 ecosystem like a pro.

How to purchase new products and services from Microsoft Admin Center:

From the left side bar, go to Billing >> Purchase Services

MS 365_Purchase_TechTales

In the Search box, enter the product you want

MS_365_TechTales

Choose the product >> Click on Details

MS_365_TechTales

You can either buy or start trial of the new product from here.

Users

Different types of users

In Microsoft 365 Admin, Active Users, Guest Users, and Contacts are distinct types of user entities, each serving different purposes within the organization. Here’s an overview:

1. Active Users

Who they are: Individuals with an account in your Microsoft 365 tenant who can sign in and access services like Outlook, Teams, SharePoint, etc.
Characteristics:
- They have a username and password.
- They are assigned licenses (e.g., Microsoft 365 Business Standard, E5).
- They are typically employees or full-time users within the organization.
Usage:
- Access organizational resources.
- Participate in Teams meetings, collaborate on documents, etc.

2. Guest Users

Who they are: External users who are invited to access specific resources, such as files, folders, or Teams, without having a full account in the tenant.
Characteristics:
- Often have an email address from a different domain (e.g., a partner company or personal email).
- They don’t consume a license unless specifically assigned.
- They can log in using their current credentials (Microsoft account, Google account, or another federated identity).
Usage:
- Collaborate on projects.
- Access shared documents, Teams, or SharePoint sites.

3. Contacts

Who they are: External entities (individuals or groups) added to the organization’s address book for communication purposes.
Characteristics:
- Cannot sign in to your tenant.
- Represent external users, such as vendors, clients, or partner organizations.
- Used for routing emails and communication purposes.
Usage:
- Appear in the organization’s Global Address List (GAL).
- Serve as a reference for external communication.

Comparison Table

MS_365_TechTales

These categories allow for better management of different types of users and relationships within and outside the organization.

Groups

1. Microsoft 365 Groups

Purpose: Designed for collaboration among team members.
Key Features:
- Provides shared resources like email, calendar, SharePoint site, OneNote notebook, and Planner.
- Ideal for Teams, projects, or departments requiring collaboration.
- Integrated with tools like Microsoft Teams and Outlook.
Membership:
- Can include internal and external users.
- Members have access to all shared resources.
Dynamic Membership: Can be set up with rules to automatically add or remove members based on criteria (requires Azure AD Premium).

In Microsoft 365 Admin, Microsoft 365 Groups, Distribution Lists, and Security Groups each have distinct roles in managing access, communication, and collaboration. Here’s a clear breakdown of each:

2. Distribution Lists (Distribution Groups)

Purpose: Primarily used for sending emails to multiple recipients simultaneously.
Key Features:
- Primarily for communication via email.
- Does not provide shared collaboration resources like a SharePoint site or Teams.
- Members only receive emails sent to the group; they don’t collaborate on shared files.
Membership:
- Can include internal and external email addresses.
- No access permissions or security roles involved.
Limitations:
- Not as feature-rich as Microsoft 365 Groups.
- Cannot be used for managing permissions.

3. Security Groups

Purpose: Manage access to resources (e.g., files, applications, or SharePoint sites).
Key Features:
- Used to assign permissions to resources securely.
- Members inherit the permissions assigned to the group.
- Does not include email or collaboration features.
Membership:
- Typically includes internal users.
- Can have dynamic membership rules with Azure AD Premium.
Usage Example:
- Granting specific users access to sensitive files or folders.

Comparison Table

MS_365_TechTales

How to create groups

Go to Groups >> select the type of group >> select New

MS_365_TechTales

Give the Group a name and description

Add an Owner
Add the members. You can add more members whenever required
Add additional details

MS_365_TechTales

Review and finish adding group and click Create Group

How to add a domain to MS 365 Admin Center

Adding a domain to Microsoft 365 allows you to use your custom domain (e.g., yourcompany.com) for email addresses and other Microsoft services. This can be found under settings.

Go to Settings >> Domains >> Add Domain and follow the steps on the screen

MS_365_TechTales

- Microsoft will need to confirm that you own the domain. You’ll see options to verify via:
  - TXT record: In the DNS configuration of your domain, add a TXT record.
  - MX record: Insert an MX record into your domain’s DNS.
- Choose the TXT record method (recommended) and copy the provided value.
Update DNS Settings:
- Log in to your domain registrar (e.g., GoDaddy, Namecheap, or any other provider).
- Access your domain’s DNS management page.
- Create a new TXT record with the provided values.
  - Host/Name: @
  - Type: TXT
  - Value: The string provided by Microsoft (e.g., MS=ms12345678).
  - TTL: 3600 (or use the registrar’s default).
- Save the changes.
Confirm Verification:
- Back in the Microsoft 365 Admin Center, click Verify.
- Microsoft will check the DNS record, which might take a few minutes to propagate.

Set Up DNS Records for Microsoft 365:
- After verification, you’ll need to configure DNS records to enable Microsoft 365 services:
  - MX records: For email routing.
  - CNAME records: For auto-discovery and Teams.
  - TXT records: For SPF (Sender Policy Framework).
  - SRV records: For Skype for Business and Teams.
- Microsoft will provide the exact records to add. Update your domain registrar’s DNS settings with the required records.
Finalize the Setup:
- Once all records are added, return to the Microsoft 365 Admin Center.
- Click Verify to ensure the setup is complete.
Set as Default Domain (Optional):
- If you want this new domain to be the default for new users, go to Settings > Domains.
- Select the new domain and set it as the default.

Notes:

DNS Propagation: DNS changes might take up to 48 hours to propagate fully, though it’s usually much faster.
Domain Registrar Help: If you’re unsure how to add DNS records, check your domain registrar’s documentation or support.

By following these steps, your domain will be successfully added and integrated with Microsoft 365 services.

Where can you check the data storage location for each Microsoft service you use?

It can be seen under Settings >> Organization settings >> Organization Profile >> Data Location

MS 365_TechTales

Where to update your organization’s contact info, such as your address, phone number, and technical contact.

It can be found under Settings >> Organization settings >> Organization Profile >> Organization Information

MS 365_TechTales

How to block/Unblock an IP Address in MS 365 Admin Center

Blocking an IP address in the Microsoft 365 Admin Center is typically done to prevent unwanted or malicious access to your email system or other services. This is achieved by creating a transport rule in Exchange Online Protection (EOP) or using the Microsoft Defender for Office 365 tools. Here’s how:

Method 01: By creating a transport rule in Exchange Admin Center

Open the Exchange Admin Center (EAC)

>> In the Admin Center, navigate to Admin Centers > Exchange.

>> Alternatively, go directly to the Exchange Admin Center.

Navigate to Mail Flow Rules

>> In the Exchange Admin Center, go to Mail Flow > Rules.

Create a New Rule

>> Click the + Add a rule button and select Create a new rule.

Configure the Rule

>> Name the Rule: Enter a descriptive name like “Block Specific IP Address.”

>> Set Conditions: Under Apply this rule if, select The sender > IP address is in any of these ranges or exactly matches.

Add the IP address or IP range you want to block (e.g., 192.168.1.1 or 192.168.1.0/24).

>> Set the Action:

Under Do the following, select Reject the message with the explanation.

Optionally, enter a custom rejection message (e.g., “Your IP address is blocked.”).

>> Optional Exceptions: If needed, add exceptions (e.g., internal or trusted IPs).

>> Enable the Rule: Ensure the rule is active by toggling it On.

>> Save the Rule: Click Save to apply the changes.

>> Test the Rule: Send a test email from the blocked IP address to confirm the rule is working.

Method 02: Using Connection Filtering

If you want to block an IP directly at the connection level:

Open the Security & Compliance Center:

>> Go to Microsoft 365 Defender Portal.

Navigate to Policies:

>> Go to Threat Management > Policy > Anti-spam.

Edit the Connection Filter Policy:

>> Under Connection Filter Policy, edit the default policy.

>> Add the IP address or range to the Blocked/Unblocked IP addresses list.

Save Changes:

>> Click Save to apply the changes.

Notes:

Testing: Test the changes thoroughly to ensure legitimate users are not impacted.

Whitelist Trusted IPs: Always whitelist your organization’s trusted IPs to prevent accidental blocking.

Monitoring: Use logs and reports in the Microsoft 365 Defender Portal to monitor blocked traffic.

By following these steps, you can effectively block unwanted IPs and secure your organization against potential threats.

How to Block/Unblock an email address or domain

Blocking or unblocking a domain or email address in Microsoft 365 can help you manage unwanted or suspicious emails. You can achieve this through the Microsoft 365 Defender portal by creating anti-spam policies. Here’s how:

How to Block/Allow a Domain or Email Address

Method 1: Using Anti-Spam Policies

Go to Microsoft 365 Defender Portal and log in with your global admin or security admin credentials.
Navigate to Anti-Spam Policies:

>> In the left menu, select Email & Collaboration > Policies & Rules > Threat policies.

>> Under Policies, select Anti-spam.

Edit or Create a Custom Spam Filter Policy:

>> Either edit the Default policy or create a new custom policy by clicking Create policy > Inbound.

Block a Domain or Email Address:

>> Under the Allow/Block List, find the Blocked Senders and Domains section.

>> Add the domain (e.g., example.com) or email address (e.g., spammer@example.com) to the Blocked Senders and Domains list.

Save and Apply:

>> Click Save to implement the changes.

Method 2: Using the Blocked/Allowed Senders List in Microsoft Outlook

For individual users, they can block or unblock domains or email addresses via Outlook:

Blocking an Email Address in Outlook:

Open Outlook (web or desktop).
Select the email message you wish to block.
Click Junk > Block in the toolbar (or right-click the email and select Junk > Block Sender).
Confirm the action to block the sender.

Unblocking an Email Address in Outlook:

Open Outlook (web or desktop).
Go to Settings (gear icon) > View all Outlook settings.
Navigate to Mail > Junk email.
Remove the email address or domain from the Blocked senders and domains list.
Save changes.

Notes:

Blocked Emails Behavior: Emails from blocked domains or addresses are sent to the Junk Email folder or rejected outright.

Scope:

Changes made in anti-spam policies affect the organization.

Changes in Outlook settings affect only the individual user.

Monitoring: Use the Microsoft 365 Defender portal for email tracing and monitoring to ensure legitimate emails are not incorrectly blocked.

These steps allow you to effectively manage email filtering for both individual users and your organization as a whole.

Conditional Access Policies in MS 365

In Microsoft 365, Conditional Access Policies let you control access to your organization’s resources based on specific conditions.. They enable administrators to enforce security requirements while providing flexibility for users.

Key Features of Conditional Access Policies

Access Control:

- Enforce access requirements such as multi-factor authentication (MFA) or device compliance.
- Block or allow access based on conditions like user location, device type, or application.
Conditions:

- User or Group: Apply policies to specific users, groups, or roles.
- Applications: Restrict access to specific apps like Exchange Online, SharePoint, or Teams.
- Location: Allow or block access based on IP or geographical location.
- Device Compliance: Require that devices meet compliance standards before granting access.
- Risk Levels: Use Azure AD Identity Protection to base conditions on user or sign-in risk.
Actions:
- Grant access under specific conditions (e.g., require MFA).
- Block access entirely.

How to Use Conditional Access Policies

Prerequisites

>> Ensure you have an Azure Active Directory Premium P1 or P2 license, as Conditional Access is part of Azure AD.

>> You need global admin or security admin permissions to configure policies.

Access the Azure Active Directory Admin Center

>> Go to Azure Portal.

>> Go to Azure Active Directory > Security > Conditional Access.

Create a New Policy

>> Select New Policy: Give the policy a meaningful name (e.g., “Require MFA for External Users”).

Assign Users and Groups:

>> Under Assignments > Users and groups, specify who the policy applies to (e.g., all users or a specific group).

>> Optionally, exclude certain users (e.g., administrators).

Select Cloud Apps or Actions:

>> Under Cloud apps or actions, specify the apps to which the policy applies (e.g., Microsoft Teams, SharePoint, or “All apps”).

Define Conditions:

>> Under Conditions, set criteria for applying the policy:

- Sign-in risk: Low, medium, or high risk (requires Identity Protection).
- Device platforms: Windows, macOS, iOS, Android.
- Locations: Apply the policy based on trusted or untrusted locations.
- Client apps: Control access based on app types (e.g., mobile apps, web browsers).
Set Access Controls:

>> Under Access controls > Grant, define requirements such as:

- - - Require MFA.
    - Require compliant or hybrid Azure AD-joined devices.
    - Require terms of use acceptance.

>> Alternatively, under Block access, prevent access entirely.

Enable the Policy:

>> Toggle the Enable policy switch to On.

>> Save the policy.

Test the Policy

>> Always test new policies with a small group of users to avoid locking out legitimate users.

Monitor the Policy

>> Go to Azure AD Sign-ins to monitor how the policy affects user sign-ins and adjust as needed.

Examples of Conditional Access Policies in Microsoft 365

1. Require Multi-Factor Authentication (MFA) for All Users

Scenario: Increase security for all users by requiring MFA during sign-in.
Conditions:
- Users: All users.
- Applications: All cloud apps.
- Locations: Exclude trusted IP ranges (e.g., your corporate network).
Access Control:
- Grant access but require MFA.
Use Case:
- Prevent unauthorized access by adding an additional layer of authentication.

2. Block Access from Risky Locations

Scenario: When access should be blocked from countries or regions where your organization isn’t active.
Conditions:
- Users: All users or a specific group (e.g., contractors).
- Locations: Untrusted or high-risk locations (e.g., geo-blocking countries).
Access Control:
- Block access entirely.
Use Case:
- Mitigate the risk of unauthorized access or attacks originating from specific regions.

3. Restrict Access to Managed Devices

Scenario: Ensure only devices compliant with your organization’s policies can access sensitive data.
Conditions:
- Users: All users or specific groups (e.g., finance team).
- Device Compliance: Require devices to be compliant with Intune policies.
Access Control:
- Grant access but require device compliance.
Use Case:
- Protect sensitive files and applications by restricting access to managed and secure devices.

4. Enforce MFA for High-Risk Sign-Ins

Scenario: Apply stricter security measures for sign-ins detected as risky by Azure AD Identity Protection.
Conditions:
- Sign-in Risk: Medium or high risk.
- Users: All users.
Access Control:
- Grant access but require MFA.
Use Case:
- Enhance security for accounts at risk of being compromised.

5. Block Legacy Authentication

Scenario: Prevent the use of outdated authentication protocols (e.g., IMAP, POP) that do not support MFA.
Conditions:
- Users: All users or specific groups.
- Client Apps: Select “Other clients” to target legacy protocols.
Access Control:
- Block access.
Use Case:
- Reduce vulnerabilities by eliminating access via insecure protocols.

6. Require MFA for Administrators

Scenario: Secure privileged accounts by enforcing MFA.
Conditions:
- Users: Directory roles (e.g., Global Administrators, Exchange Admins).
- Applications: All cloud apps.
- Locations: Exclude trusted IPs if necessary.
Access Control:
- Grant access but require MFA.
Use Case:
- Protect sensitive admin accounts from unauthorized access.

7. Limit Access to Specific Applications

Scenario: Restrict access to critical applications (e.g., Salesforce, HR systems) to specific users.
Conditions:
- Users: HR or finance team members.
- Applications: Select specific apps (e.g., Workday, Salesforce).
Access Control:
- Grant access but require MFA.
Use Case:
- Ensure only authorized users access sensitive applications.

8. Allow Access Only During Working Hours

Scenario: Restrict access to corporate resources outside business hours.
Conditions:
- Users: All users or specific groups.
- Sign-in Risk: Low risk.
- Locations: Trusted locations only.
Access Control:
- Grant access only within specified hours.
Use Case:
- Minimize security risks from off-hours access attempts.

9. Enforce Terms of Use for External Users

Scenario: Require external users to accept a Terms of Use agreement before accessing shared resources.
Conditions:
- Users: Guest or external users.
- Applications: SharePoint Online, Teams.
Access Control:
- Grant access but require Terms of Use acceptance.
Use Case:
- Ensure external collaborators acknowledge compliance requirements.

10. Block Access to Corporate Apps from Untrusted Networks

Scenario: Allow access only from trusted corporate networks.
Conditions:
- Users: All users.
- Locations: Trusted IP addresses only.
Access Control:
- Block access for untrusted locations.
Use Case:
- Prevent unauthorized access from unapproved networks.

11. Require Compliance for BYOD (Bring Your Own Device)

Scenario: Allow users to access corporate apps from personal devices only if they meet security requirements.
Conditions:
- Users: All users or specific groups.
- Device Compliance: Require Intune compliance.
Access Control:
- Grant access but require compliant devices.
Use Case:
- Ensure personal devices used for work comply with company security standards.

These examples show how Conditional Access can help secure your Microsoft 365 environment while maintaining user productivity and flexibility.

Best Practices for Conditional Access

Start with report-only mode to evaluate the impact of policies before enforcing them.
Use named locations to define trusted IP ranges or geographic regions.
Combine Conditional Access with Identity Protection for risk-based access decisions.
Regularly review and update policies based on evolving threats and organizational needs.

Conditional Access is a powerful tool for balancing security and user productivity in Microsoft 365.

Conclusion

The MS 365 Admin Center is a powerful hub for managing your organization’s resources, users, and security configurations. By understanding its various features and functionalities—such as purchasing services, creating groups, and enforcing security policies—you can streamline operations and enhance collaboration. With this guide as your reference, you can confidently manage your Microsoft 365 environment, ensuring it meets your organization’s dynamic needs while staying secure and efficient.