Hardening update to Microsoft Entra Connect Sync AD FS and PingFederate configuration

Microsoft released new versions (2.4.xx.0) of Microsoft Entra Connect Sync last month – October 2024 – and is advising that all customers are required to upgrade to the minimum versions by April 7, 2025.

The expected impacts from not upgrading are as follows:

  • Configuration of AD FS scenarios through the Connect Sync wizard may not work
  • Configuration of PingFederate scenarios through the Connect Sync wizard may not work

So if you are configuring AD FS or using PingFederate – this looks like something to look into.

Upgrading Entra Connect (won’t auto upgrade!)

The minimum versions required to avoid the impact are as follows:

  • Customers in commercial clouds: 2.4.18.0 or higher.
  • Customers in non-commercial clouds: 2.4.21.0 or higher.

If you are a customer in non-commercial clouds, 2.4.18.0 won’t do as it looks like 2.4.21.0 contains a bug fix specifically for non-commercial clouds.

The documentation mentions the below on the automatic upgrade; however, I do not find this to be accurate for these two specific versions.

When you check the ‘Release status’ of versions 2.4.21.0 and 2.4.18.0 on Microsoft Entra Connect version history, you will find that these two versions have been ‘Released for download’, rather than ‘Released for download and autoupgrade’.

Hence I believe a manual download and upgrade will need to be performed, and prior to upgrading, you will also need to ensure you meet the below minimum requirements for the versions:

  • .NET 4.7.2
  • TLS 1.2
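As an added example (not from the original post or from Microsoft), the following PowerShell script checks a Connect Sync server against the three items above: the installed version versus the 2.4.18.0 / 2.4.21.0 minimum, the .NET Framework 4.7.2 requirement and whether TLS 1.2 is explicitly enforced. It assumes the product registers in Add/Remove Programs with a DisplayName beginning "Microsoft Azure AD Connect" or "Microsoft Entra Connect", that the NDP Release value 461808 corresponds to .NET 4.7.2, and that the SCHANNEL and .NETFramework registry values shown are the ones to verify.

```powershell
# Pre-upgrade readiness check for the Entra Connect Sync hardening update.
# Run in an elevated PowerShell session on the Connect Sync server.
# Assumptions: see lead-in (DisplayName match, .NET Release 461808, registry paths).
param([switch]$NonCommercialCloud)

# Minimum versions from the announcement: commercial vs non-commercial clouds
$minVersion = if ($NonCommercialCloud) { [version]'2.4.21.0' } else { [version]'2.4.18.0' }

# Locate the installed product via the Uninstall registry keys (32- and 64-bit views)
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$connect = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' -or
                   $_.DisplayName -like 'Microsoft Entra Connect*' } |
    Select-Object -First 1
if (-not $connect) {
    Write-Warning 'Entra Connect Sync does not appear to be installed on this host.'
    return
}
$installed = [version]$connect.DisplayVersion
$versionOk = $installed -ge $minVersion
"Installed: $installed  Required: $minVersion  OK: $versionOk"

# .NET Framework 4.7.2 or later is reported as Release >= 461808
$release  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
$dotnetOk = ($release -ge 461808)
".NET Release: $release  OK: $dotnetOk"

# TLS 1.2: SCHANNEL client/server enabled and .NET told to use strong crypto / OS defaults.
# Missing keys mean the OS default applies, so they are reported as 'not explicitly enforced'.
$tlsOk = $true
$tls   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($side in 'Client', 'Server') {
    $p = Get-ItemProperty "$tls\$side" -ErrorAction SilentlyContinue
    if (-not $p -or $p.Enabled -ne 1 -or $p.DisabledByDefault -ne 0) { $tlsOk = $false }
}
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $p = Get-ItemProperty $fw -ErrorAction SilentlyContinue
    if (-not $p -or $p.SchUseStrongCrypto -ne 1 -or $p.SystemDefaultTlsVersions -ne 1) { $tlsOk = $false }
}
"TLS 1.2 explicitly enforced: $tlsOk"

if ($versionOk -and $dotnetOk -and $tlsOk) { 'Ready: minimum version and prerequisites met.' }
else { 'Action required before the April 7, 2025 deadline.' }
```

Pass -NonCommercialCloud when the tenant is in a non-commercial cloud so the 2.4.21.0 minimum is applied.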

Conclusion

I’ve since then committed a change to the documentation page ‘Hardening update to Microsoft Entra Connect Sync AD FS and PingFederate configuration’.

You can also consider moving to Microsoft Entra Cloud Sync instead of Entra Connect Sync, as mentioned in the documentation. A good comparison between Entra Connect and cloud sync is available on ‘What is Microsoft Entra Cloud Sync?’.

If your organisation configures AD FS or PingFederate via Entra Connect – why not act now?

Less than 100 days left! – Changes to storage policies for unlicensed OneDrive accounts

Back in July 2024, Microsoft announced via Message Centre (Message ID: MC836942) the changes to storage policies of unlicensed OneDrive accounts for business and enterprise customers.

The message states that they will begin rolling out late 2025 and expect to complete by late March 2025. (You can see the full message at https://mc.merill.net/message/MC836942.)

On Microsoft Learn – https://learn.microsoft.com/en-us/SharePoint/unlicensed-onedrive-accounts – you can also find the below ‘Important’ note.

I’ve seen multiple blog posts about this back in July/August – but now that there’s less than 100 days left till the 27th Jan 2025, I thought it’d be nice to bring it back to people’s attention.

Potential financial impact?

Admins can view a list of all the unlicensed OneDrive accounts and the storage used via the SharePoint admin centre > Reports > OneDrive accounts.

As stated in MC836942, there is a fee of $0.05/GB/month to store unlicensed accounts in the Microsoft 365 Archive, so you can easily calculate the potential financial impact by looking at the ‘Storage used’ above.

One of the tenants I’ve seen had over 60TB under unlicensed accounts. So that’s over $3K per month or $36K per annum, or over $100K over 3 years…!

But you won’t start getting charged immediately from the 27th of January. (see below from the FAQ on Learn)

One might say – “Okay so I’ll never reactivate any OneDrive accounts!”.

But there’s always a returning employee, and unless you delete terminated user accounts (I’ve seen a lot of organisations that don’t) – it looks like a returning employee can be a trigger.

Even if you do delete the terminated user accounts – there’s always an ask to restore what they had from previous employment.

So what do I do?

Microsoft recommends that you take the following actions before January 27, 2025.

  1. Delete unlicensed accounts that you no longer wish to retain.
  2. Set up billing for accounts that you wish to retain.
  3. You may want to notify your users about this change and update any relevant documentation.

But I believe it is way more than just the above:

  • Some organisations might want to prepare new processes/policies around the reactivation of returning employees’ accounts.
  • There may be organisations wanting to look into a ‘charge-back’ model to the respective business units/departments.
  • Some may want to redefine their user offboarding process to ensure the user accounts are deleted upon termination – to prevent the impact from ‘automatic reactivation’ of the OneDrive accounts.
  • There may be organisations that applied x-year retention policies on all OneDrive accounts, and need to revisit their strategy around it, starting with asking the question of ‘What do we really need to retain?’.

For an immediate action – I think it’s time to review and start doing a clean-up, unless your organisation has some legal/regulatory requirements preventing you from doing so.