Teams Cautionary Tale

This is a reminder that personal chats within Microsoft Teams should NEVER be used to store essential business data.

This follows a report in The Register that, due to a policy being mis-applied globally instead of individually, KPMG staff mistakenly had their personal chat histories irrevocably erased.
Only personal chats were lost according to the article, not chats conducted as part of a Teams meeting or Teams channel, and not any files uploaded to personal chat threads. Although the circumstances that caused this issue are highly specific, and our processes make it unlikely that it would be repeated at the University, unfortunate accidents and mis-clicks can happen to anyone in any organisation at any time. It is never wise to be complacent.

For this reason it is important to set user expectations that personal chat data should be treated as ephemeral, rather than permanent: there are limited options to recover it.

Posted in Uncategorized | Comments Off on Teams Cautionary Tale

Teams and sidebar pinning

Microsoft have reported an issue which is affecting a number of their education tenancies, including ours. The issue is that when a user pins an app to their sidebar in Teams it may be removed automatically. Affected users sees a message like the one below:


However the management setting in our administrative console is set to ‘Allow User Pinning’ – this is not happening because of an administrative decision taken by the Nexus Team, and has not been set in any of our App-related policies. Other Universities have reported the same issue and are working with Microsoft to resolve this.  Microsoft support staff have said:

“I have reached out to the engineering team regarding the case and have found that this has been already noted and the team is actively working on the issue. This behaviour is found with most of the EDU tenants. I’m glad to tell you that a fix for this is already being developed and would be in future releases for teams.”



Posted in Uncategorized | Comments Off on Teams and sidebar pinning

Covid19: VPN optimisation for Nexus365

If you’re not using the central University VPN for your Nexus365 users you may be concerned about the load on your VPN from self-isolating remote workers.

VPN server load can be drastically reduced by ensuring that Nexus365 traffic is NOT routed over your VPN connection and is instead sent directly to the cloud service. To do this requires global routing to be disabled in the VPN’s configuration, limiting the traffic routed through the VPN’s tunnel to internal-only content. In Cisco’s VPN client this may be as simple as ticking a box.

To allow VPN-server-side direct internet routing for Nexus365 only, Microsoft provide a Powershell script which can be used to identify the current IP ranges used by their services and another for URL/IP/Port information. Microsoft’s suggestion is that you use their API which queries Microsoft Service Endpoints, which can also be queried via script.

By making this configuration change you can ensure that even with a significantly higher number of remote workers, the amount of traffic using your connection is limited to essential-only.

Posted in Uncategorized | Comments Off on Covid19: VPN optimisation for Nexus365

Nexus365 and Covid-19 Coronavirus

Microsoft have made plans to ensure service continuity should their staff be affected.  There are currently no known impacts to Microsoft 365 services
Heightened awareness is in place for the following areas:

Service scale and operations – One of the benefits of a cloud service is the ability to scale dynamically, including utilisation of supply chain, reallocation of resources between services, and redistribution of load.Microsoft have already seen an increase in the use of Teams to which they have responded.

Supporting systems – A general principle of cloud service operations is remote management and administration.  Microsoft anticipate no effect to their ability to manage the systems used to support Microsoft 365, and have confirmed adequate capacity for staff to work remotely at scale.

External systems – Microsoft are working across industry with a focus on networking infrastructure. They are seeing some utilisation issues with public ingress / egress to China, but otherwise there are no issues identified.

Impact to location –Microsoft’s services are designed for remote administration; however, with the recent news that the Seattle area represents a higher incidence of COVID-19 they have provided specific details around support of the service should Microsoft engineers be constrained to work from home. Microsoft employs a security first approach to administering Microsoft 365 service.  Each engineering resource that is accountable for managing the service has the ability to securely administer the service without direct access to the corporate location. Microsoft maintains multiple geographic locations outside the Seattle area with individuals who are capable of maintaining and managing the service.

People – As the largest provider of commercial services Microsoft have the capability of ensuring continued operations with multiple subject matter experts in each discipline, with geographic diversity being a consideration. Employees responsible for managing the service all have access to needed resources to take action from home or the office. An on-call rotation allows for sustained support should issues arise and ensures that resources are available should individuals fall ill.

While Microsoft puts the safety and well-being of its employees at the forefront, their “defence-in-depth” approach is expected to allow for uninterrupted service operation should the virus spread significantly.

Microsoft will make updates on the Message Centre should the situation change.

Posted in Uncategorized | Comments Off on Nexus365 and Covid-19 Coronavirus

Chrome search – why is it suddenly using Bing?

EDIT: Microsoft have backtracked on this policy. Now Bing will only be forced as the default search engine in Chrome/Firefox if the admins enforce that. We will not be enforcing this. 🙂


Microsoft have snuck a little ‘treat’ into version 2002 of Office 365 Pro Plus which, fortunately, does not yet affect educational institutions on our licencing model. From version 2002 – which starts being deployed in mid February 2020 – Microsoft are installing an add-in into the Chrome browser, if present, that makes Bing the default search engine. This will happen with new Office installations and when existing ones are updated. A further update due later will do the same for Firefox. The deployment is currently location-based, depending on IP address, so the add-in might appear suddenly on a laptop used at a new location. Currently deployment is limited to Australia, Canada, France, Germany, India, the UK, and the USA.

This isn’t just a shot at Google’s market share, however.  The logic is that if Bing is your search engine, you can query for your corporate Office365 content, whether it’s  in SharePoint Online, OneDrive, or  Teams, directly from your browser’s own search bar. If you use Google as your search engine, you can’t do that. Microsoft’s angle is therefore that this is a reasonable, sensible, and proportionate way for centrally-controlled business computers to operate. However comments on the proposal have not gone down well…


If you want to avoid this extension from being deployed to your users you may want to exclude it via the Office Deployment Tool, or via Group Policy. It can also be excluded via EndPoint Configuration Manager or InTune. A particularly nasty feature of the add-in is:

Once this feature has rolled out, your end users can change their search engine preferences only via the toggle in the extension; they cannot modify the default search engine in browser preferences.

Belatedly applying the exclusion will NOT uninstall this add-on: you must set your exclusions up before it is deployed to your users’ computers, if you wish to avoid it.
Microsoft’s admin guide on this whole can-of-worms can be found here:

Currently the University is on an A1 educational licencing model which exempts us from this feature but we will be moving to E3 soon which, alas, is one which applies this approach.

Posted in Uncategorized | Comments Off on Chrome search – why is it suddenly using Bing?

Teams & Private Channels

Microsoft have finally started to deploy support for Private Channels within the Teams application, allowing you to share content with a subset of a Team’s members. This is described as ‘rolling out’ in their roadmap here.

The functionality has started to appear to Teams users within the Nexus365 tenancy already, although you may need to quit and re-launch the Teams application to gain the functionality.

Posted in Uncategorized | Comments Off on Teams & Private Channels

Nexus365: An end to Basic Authentication support.

Executive Summary

From 13th October 2020 Microsoft will discontinue support for Basic Authentication for EWS, EAS, IMAP, POP and RPS. This does not (currently) impact SMTP AUTH. Only applications which use secure authentication technologies, such as OAuth 2.0, will continue to work.


In just over one year’s time Microsoft will end support for Basic Authentication. This method of logging in is very simple, and widely supported, but makes it far too simple for someone malicious to intercept your credentials. Quite simply it’s no longer good enough. Microsoft want all users of their service – which includes all Oxford University staff and students – to switch to ‘Modern Authentication’ technologies before October 2020. These use OAuth 2.0 token-based authentication which are more secure because they are application-specific and time-limited, and can’t therefore be re-used.
For message sending you can continue to use Basic Authentication in SMTP AUTH, for the foreseeable future, but we would urge you to seek a more secure alternative if possible.


It is likely that many POP/IMAP clients will be affected. Microsoft will be adding support for OAth to both POP3 and IMAP4 services over the next few months so you should update to a client that supports Modern Authentication as soon as possible.
Most mobile devices will be connecting via the ActiveSync protocol. Microsoft’s advice is to switch to Outlook Mobile, although there are other applications which also support Modern Authentication if you prefer a non-Microsoft client.
Mobile devices can also access Nexus365 via, which will detect a mobile device and reformat the screen appropriately to enable small-screen viewing.
Posted in Uncategorized | Comments Off on Nexus365: An end to Basic Authentication support.

Nexus365 Teams: now with guest access

We are pleased to announce that it is now possible to add almost anyone to a Nexus365 team. All that is required is for the individual you wish to add to your team to have a valid email address and a Microsoft account. If they don’t yet have a Microsoft account they will be prompted to create one (free). This Microsoft account will always remain separate from and unrelated to the Nexus service.

How to add a guest to a Team

These are the steps a team owner needs to follow in order to add a guest to their Nexus365 team:

  1. From within the Teams app, the owner needs to select ‘Add member’ as shown below.







2. In the ‘add members’ dialogue box you can now enter any valid email address – you are no longer limited just to Nexus365 user accounts:





3. Once you’ve added the email address an email is sent immediately to that address to notify the person that they’ve been added to the team. The link will open the Teams web app by default but will also provide a download link to the full Teams client software, if it’s available for their operating system:





4. If they already have an account with Microsoft associated with their email address, they’ll be prompted to log in. If not they will be asked to create an account with Microsoft:








5. The final step before they are granted access to the team is for them to review and accept the access permissions that Nexus will request in order to give them access to the team’s content.









Team owners can review the status of prospective members by checking the ‘source’ column when looking at their team’s members.

  • ‘Azure Active Directory’ is a Nexus365 user.
  • ‘External Azure Active Directory’ is someone from another organisation who also uses Office 365, which includes the Said Business School members.
  • ‘Invited user’ is an external email address for whom access has not yet been given, but they have been sent the team membership email.
  • ‘Microsoft account’ is an external email address to which access to the team has been granted.

Notes and queries

  1. It is not possible to remove a team, or the last owner of one, while guest accounts are still members of one. This is to ensure that there are no teams to which only external people have access.
  2. Guests can view the team’s membership but not amend it.
  3. Removing a guest from a team revokes their access instantaneously. If logged in at the time, their window will go blank.
  4. Reinstating a guest’s access is also instantaneous.
  5. Guests are unable to send email to the team’s email address.
  6. The maximum ratio is five guests per full team member.


Posted in Uncategorized | Comments Off on Nexus365 Teams: now with guest access

Teams toolbar transition

Microsoft are redesigning the Teams interface to introduce a single toolbar for the controls used in meetings and when calling. The rollout will begin in early June and will continue until the end of August 2019.

The intention is to improve discoverability and reduce clutter for users in meetings and calls by unifying session controls to a single toolbar at the bottom of the screen. This change will affect Windows, Mac, and web clients. There will be no impact for mobile or Microsoft Teams Rooms (MTR) devices.

Posted in Uncategorized | Comments Off on Teams toolbar transition

Nexus365 Teams on Linux

Nexus365’s TEAMS application has, to date, been predominantly targeted at the Windows desktop. Other operating systems have had access to limited functionality via a web browser but the inability to video-conference, share desktops or applications, or to give presentations has limited the usefullness of the feature for Linux users.

Forcing users to boot a Windows VM simply for a meeting, to send emails, or to collaborate with colleague is far from an ideal solution. Things are, thankfully, improving. There is yet to be an official Teams client for Linux but in the interim additional functionality is now available, albeit with some preparatory effort.

By using a Chromium -based browser, tweaking a few settings , and installing a single browser extension, you can achieve near-parity with the full Windows Teams client. This will allow in-private video calls, presentations, and other functions not previously possible for Linux users.

This should be considered as a beta, or a work-in-progress, rather than a permanent well-tested solution. Microsoft are asking the Linux community to feed back and are promising to make further updates based on those responses.

What do I have to do?

  1. Ensure you have either Chrome for Linux, or a Chromium for Linux browser.
  2. Install the following extension from the Google Webstore: User Agent Switcher for Chrome.
  3. Add one or both of the following user agent strings to the “User Agent Switcher for Chrome”. This will allow you to switch to the desired one that works for your system:
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393X
  4. Click the User Agent Switcher and choose your Edge browser string. This should remain selected until you change it to something else or back to the browser default.
  5. Open the Chrome browser, in the address bar type Chrome://flags and hit the Enter key. In the search box provided, search for each of the settings below. Set each one to ENABLED:
    Hardware Acceleration
    – Override software rendering list: ENABLED
    – Enable PWA full code cache: ENABLED
    – Desktop PWAs: ENABLED
    – Desktop PWAs Link Capturing: ENABLED
    – Negotiation with GCM cipher suites for SRTP in WebRTC: ENABLED
    – Negotiation with encrypted header extensions for SRTP in WebRTC: ENABLED
    – WebRTC Stun origin header: ENABLED
    – WebRTC Echo Canceller 3: ENABLED
    – WebRTC new encode cpu load estimator: ENABLED
    – WebRTC H.264 software video encoder/decoder: ENABLED
    – Parallel downloading: ENABLED
  6. Verify that those settings work:
    – Open Microsoft Teams in your browser.
    – Start a private chat with someone and verify that the video chat icon switches from grey to purple and white. If so, you can start making video calls and you should also be able to make a presentation.

These same settings should also enable the same functionality on other operating systems, although naturally those cannot be assumed to have received any testing.

Known issues

While you can use the EDGE UA to participate in Conference calls it may cause issues with not displaying the most current posts in a TEAMS channel. So you may have to switch between the EDGE UA and the browser default UA.

Posted in Uncategorized | Comments Off on Nexus365 Teams on Linux