Skip to main content

M365 Roundup, December 2021: GDAP Reaches Technical Preview

Nick Ross4 min read

TL;DR

  • As of December 2021, Partner Center reports on existing DAP connections under Settings > Account Settings > Security Center > Administrative Relationships, with self-service removal.
  • Microsoft launches the GDAP technical preview in January 2022, letting partners test granular, time-bound access to workloads in production and sandbox environments.
  • Exchange Online begins rolling out outbound SMTP DANE with DNSSEC in mid-January 2022, enabled by default at the system level and finishing by late May 2022.
  • SharePoint Online audience targeting officially supports Azure AD Dynamic Groups, alongside the previously supported AD security groups and Microsoft 365 groups.
  • Teams users gain control over activity feed noise in mid-January 2022, turning off reactions and per-app notifications directly from the feed item.

December 2021 closes the year with the partner security story accelerating: the DAP monitoring tools announced earlier are live in Partner Center, and GDAP moves from announcement to technical preview in January 2022. Beyond Partner Center, Exchange Online picks up state-of-the-art mail transport security, and Teams and SharePoint ship a batch of quality-of-life features. Partner items first.

Microsoft 365 admin logo

Partner Center: DAP gets watched, GDAP gets real

DAP monitoring and self-service removal (new feature)

Partners use delegated administrative privileges (DAP) to manage and support their customers' services. To improve security across the partner and customer ecosystem, Microsoft recommends turning off DAP when it is not in use.

Microsoft has launched new reporting tools so partners' administration agents can audit existing DAP connections with their customers. The reporting captures how partner agents are accessing customer tenants across all tenants through DAP, so you can review and remove DAP connections that are not in active use.

In Partner Center, navigate to Settings > Account Settings > Security Center > Administrative Relationships.

Administrative Relationships DAP reporting in Partner Center

GDAP technical preview opens (security enhancement)

Microsoft is launching a technical preview for GDAP so partners can test granular and time-bound access to workloads in production and sandbox environments.

We covered GDAP in depth when it was announced in November 2021: https://tminus365.com/granular-delegated-admin-privileges/

GDAP technical preview announcement details
GDAP granular role and duration capabilities

Rollout: January 2022.

Exchange Online: SMTP DANE and DNSSEC arrive (security enhancement)

Microsoft is adding support for SMTP DANE and DNSSEC to Exchange Online (EXO). DANE combined with DNSSEC is the state of the art for securing email, and to maximize effectiveness both standards will be enabled by default at the system level for all EXO customers.

When your users send email to business partners and customers outside Exchange Online, and the receiving side has correctly configured DANE and DNSSEC, you get the enhanced security automatically. The flip side is deliberate: if the recipient's admin has misconfigured DANE or DNSSEC, or configured them correctly but had their system compromised, mail flow to those recipients is blocked. A failed DANE or DNSSEC validation signals to EXO that the receiving system cannot be trusted and your email should not be sent. Microsoft's analysis shows only 0.00023% of all EXO domains send to recipients in either category.

When a DANE or DNSSEC failure blocks a message, the sender receives a bounce (NDR) describing the problem. Email admins can also diagnose recipient-side issues with:

  • Message Trace Details for pending and failed blocked messages
  • The Microsoft Remote Connectivity Analyzer (RCA) tool, to run validation tests against recipient domains
  • Note: the RCA tool is being updated to support DNSSEC and DANE validation tests, with the new functionality estimated for Q1 2022

Rollout: the first phase, DANE and DNSSEC for outbound email, rolls out slowly beginning mid-January 2022 and finishes by late May 2022.

Microsoft Teams logo

Teams: three features, all about signal versus noise

Activity feed notifications become configurable (new feature)

Users will be able to control which notification types appear in their activity feed: right-click the feed item to turn off all reactions or stop a specific app's notifications from surfacing.

The pain point is real: important information gets buried in the activity feed, and reaction and app activities are the top culprits. The controls have always existed in Global Notification Settings, but discovery was so low that users kept asking for them, making this a top-three user request. The first release lets users:

  • Turn reactions on or off directly from the activity feed
  • Turn notifications for a specific app on or off directly from the activity feed

Rollout: mid-January 2022 (in public preview as of December 2021).

Pin your own video on the meeting stage (new feature)

Users can already pin other participants' video feeds to enlarge them. This update extends pinning to your own video, putting it on the stage at increased size. What it fixes:

  • No more overlap between your own video box and other participants' video
  • Your own video at a larger scale, with adjustable framing
  • A better view of yourself when presenting an object or using sign language
  • A balanced view where your video no longer reads as "less important" than everyone else's
Pinning your own video feed in a Teams meeting
Enlarged self-video on the Teams meeting stage

Rollout: early January 2022, expected complete early February 2022.

Music detection stops suppressing the wrong audio (new feature)

To avoid suppressing music when music is the point, Microsoft built an ML-based music detector that notifies the user whenever music is present. The end user then chooses: is the music unwanted background noise, like calling into a meeting from a coffee shop, or the desired signal, like a music lesson? The notification also offers the new high-fidelity music mode.

Teams music detection notification offering high-fidelity music mode

Rollout: early January 2022, expected complete mid-February 2022.

Microsoft SharePoint logo

SharePoint: admin center catches up with Teams

Teams-connected sites become manageable in the SharePoint admin center (new feature)

Microsoft is enhancing the Active sites experience in the SharePoint admin center to include channel sites, the sites provisioned when a private or shared channel is added to a Team. This release includes:

  • A new Teams view that filters the sites list to only Teams-connected sites
  • A new column identifying that a site is connected to Teams
  • A new column identifying whether a Teams-connected site has associated private or shared channel sites
  • Additional entry points from the Teams-connected site info panel
  • A new Active sites pivot showing the channel sites associated with the Teams-connected site; the list includes private sites for now and will expand to other special sites later. Channel sites are view-only and inherit properties from Teams, managed in the Teams admin center.
  • A new Type column accessible from the new Active sites pivot
  • The ability to manage channel site storage limits
Managing Teams-connected channel sites in the SharePoint admin center

Rollout: early December 2021, expected complete by late January 2022.

Azure AD Dynamic Groups now work for audience targeting (new feature)

SharePoint Online's audience targeting system now officially supports Azure Active Directory Dynamic Groups as audiences. Previously, Active Directory security groups and Microsoft 365 groups were supported; dynamic group support expands the kinds of groups you can target with.

Rollout: generally available.

Frequently asked questions

What should MSPs do with the new DAP reporting?

Audit which partner agents are accessing customer tenants through DAP across all tenants, then review and remove DAP connections that are not in active use. Microsoft recommends turning off DAP when it is not in use.

Can SMTP DANE failures block legitimate mail from Exchange Online?

Yes, by design. If the recipient domain's DANE or DNSSEC validation fails, whether from misconfiguration or compromise, the message is blocked and the sender receives an NDR. Microsoft's analysis put only 0.00023% of EXO domains in that situation.

What tools diagnose a DANE or DNSSEC mail block?

Message Trace Details for pending and failed blocked messages, plus the Microsoft Remote Connectivity Analyzer, which was being updated to support DNSSEC and DANE validation tests, estimated for Q1 2022.

Reading the roundup is the easy half

Every month ships new controls, and last month's settings quietly drift. CloudCapsule checks 250+ controls per tenant in about 60 seconds so the changes that matter actually land.

Run a free assessment
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading