Channel: Administration – Office 365 for IT Pros

Keeping Up With Office 365 IP Ranges



Cloud Services Like Good Networks

As a cloud service, Office 365 depends on good internet access between client and service. The last mile of customer networks is usually where most problems occur. Once network traffic enters Microsoft’s network, packets travel quickly to their destination over dark fiber connections.

As I say in this article, “if you use the principles of yesterday to protect the services of today, your network is likely to deliver degraded connectivity to users.” Unfortunately, too many Office 365 tenants have poor and outdated local networks.

In any case, keeping track of the IP addresses and ranges used by Office 365 is an important part of maintaining network connectivity. Microsoft makes that endpoint data available for anyone to consume, and from August 21, 2018, they are using a new publishing platform. Old links continue to work but it is still wise to acquaint yourself with what Microsoft is doing in this space to ensure that your network uses the latest and most accurate information.

Here’s a nice example of a script that might help you automate some endpoint housekeeping for Office 365. And here’s another idea based on Flow to help with much the same thing.
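As an added example (not the script linked above, nor Microsoft’s own code), here is one way to automate the endpoint housekeeping the post describes: check the published version of the endpoint data, and only when it changes, download the current set and write the IP ranges to a CSV for firewall review. It assumes Microsoft’s endpoints web service at endpoints.office.com and its JSON fields (serviceArea, ips, category, required, tcpPorts); the file paths are assumptions.

```powershell
# Added example: track the Office 365 endpoint data published by Microsoft's web service.
# Assumes the endpoints.office.com service and its documented JSON fields; file paths are assumptions.
$ClientRequestId = [guid]::NewGuid().Guid          # the service requires a caller-supplied GUID
$Instance    = "Worldwide"                           # other instances exist (e.g. Germany, USGovGCCHigh)
$VersionFile = "$env:TEMP\O365EndpointVersion.txt"   # where the last-seen version is remembered (assumed)

# Step 1: has the published data changed since the last run?
$Latest   = Invoke-RestMethod -Uri "https://endpoints.office.com/version/$Instance?clientrequestid=$ClientRequestId"
$LastSeen = if (Test-Path $VersionFile) { (Get-Content $VersionFile).Trim() } else { "0000000000" }
if ($Latest.latest -eq $LastSeen) {
    Write-Host "Endpoint data version $LastSeen is still current; nothing to do."
    return
}
Write-Host "Endpoint data changed: $LastSeen -> $($Latest.latest)"

# Step 2: download the full endpoint set and flatten every entry that carries IP ranges
$Endpoints = Invoke-RestMethod -Uri "https://endpoints.office.com/endpoints/$Instance?clientrequestid=$ClientRequestId"
$Report = foreach ($E in ($Endpoints | Where-Object { $_.ips })) {
    foreach ($Ip in $E.ips) {
        [PSCustomObject]@{
            Id          = $E.id
            ServiceArea = $E.serviceArea
            Category    = $E.category        # Optimize, Allow or Default
            Required    = $E.required
            IpRange     = $Ip
            TcpPorts    = $E.tcpPorts
        }
    }
}

# Step 3: keep a dated copy for change review, and show the ranges that matter most to a firewall
$Report | Sort-Object ServiceArea, Id |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\O365Endpoints_$($Latest.latest).csv"
$Report | Where-Object { $_.Required -and $_.Category -in "Optimize", "Allow" } |
    Format-Table ServiceArea, Category, IpRange, TcpPorts -AutoSize
Set-Content -Path $VersionFile -Value $Latest.latest
```

Comparing two dated CSV files with Compare-Object shows exactly which ranges were added or retired between versions.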

We cover this topic in Chapter 2 of Office 365 for IT Pros. Read more about the network principles to use with Office 365 there.

The post Keeping Up With Office 365 IP Ranges appeared first on Office 365 for IT Pros.


New German Office 365 Datacenter Region to Replace Black Forest



Microsoft’s announcement that they will open new datacenters in Germany to deliver Azure in late 2019 and Office 365 in 2020 marks the beginning of the end for the Black Forest datacenter region deployed in 2015 to satisfy the strict needs for data residency in the German market.

The new datacenters in Berlin and Frankfurt will be “consistent” with Microsoft’s other Office 365 operations. In other words, they will run like other country-level Office 365 datacenter regions like those in the U.K. and France.

The Need for Black Forest

Black Forest, aka Microsoft Cloud Germany, was deployed at a time when Office 365 was both simpler and less sophisticated. By handing over responsibility for operations to T-Systems International as the data trustee, Microsoft avoided any problems associated with a U.S. company having oversight over German customer data.

The solution worked, but immediately ran into the conundrum that while Black Forest ran Office 365, it was a special version of Office 365 that offers different features to German tenants. One notable example is the lack of support for Azure Information Protection, meaning that German tenants can’t protect email and documents with rights management.

The Lack of Functionality for German Tenants

Black Forest can certainly deliver the basic Office 365 workloads of Exchange Online and SharePoint Online, but the new applications delivered since 2015 are notable for their absence in the feature menu. No Teams, no Planner, no Flow, no MyAnalytics, no Delve, no Sway, no StaffHub, no Video, and no PowerApps… It’s a pretty compelling list of functionality that’s unavailable to German tenants.

In most cases, the reason why Black Forest cannot offer new apps to German customers is that the necessary services are not deployed into the datacenter. It’s only relatively recently that Microsoft has begun to deploy more than base workloads into country-level datacenters, but the recent expansion of Teams into Australia and Japan is an example of how that kind of deployment is now commonplace.

The Difference from 2015

Adding features like multi-geo capabilities has made Office 365 operations more sophisticated now than when Black Forest started. In addition, Microsoft has poured enormous effort into making Office 365 a good platform for companies that need to comply with GDPR and other regulations. It seems reasonable to now draw a line under Black Forest and offer a more comprehensive service to German tenants.

Microsoft says that they are no longer accepting new customers for deployment within Black Forest. Instead, new customers can use one of the other European regions (EMEA, UK, or France) or the new German datacenter region when it begins operations. Existing Black Forest tenants will be offered migration options to move to another region. The migration is less complex than in other regions because Black Forest only supports a subset of Office 365 applications. We expect to hear more about these options in due course.

Learn more about Office 365 datacenter regions in Chapter 1 of Office 365 for IT Pros.


Verifying Office 365 Administrator Access to User Data



The Golden Keys to User Data

Administrators have always had the ability to access user data, and Office 365 is no different. This Petri.com article explains the situation and looks at two methods administrators can use to retrieve content. One is the famous (or infamous) Search-Mailbox cmdlet and the other is Office 365 content searches.

Both actions are captured in the Office 365 Audit log, but how many people actually check that log regularly to pick up odd administrator activity? Of course, because it’s usually the administrators who look at the audit log, they already know what they’ve done.

But the advent of regulations like GDPR means that Office 365 tenants need to pay a lot more attention to the protection of personal data, so isn’t it time that your company had a policy to cover how and when administrators are allowed to retrieve user data?

See Chapter 6 of Office 365 for IT Pros for more information about the Search-Mailbox cmdlet and Chapter 20 for information about using content searches. And then follow up by reviewing Chapter 21 to learn about the Office 365 audit log and how to analyze its contents.


What that BOXServiceAccount Does in Office 365


[Figure: What is the BOXServiceAccount and what is it doing?]

Office 365 Audit Records Reveal Interesting Events

Over the last few days, I’ve noticed records being generated in the Office 365 audit log for an account called BOXServiceAccount. You can see an example above. The audit records are matched by alert policies (managed through the Security and Compliance Center) that cause email to be sent to my account when events that might need investigation occur. In this case, a use of Exchange Online administrative permission by an account.

[Figure: An activity alert flagged by Office 365]

A quick internet search turned up this Microsoft support article, which throws some light on the subject. Although the wording is odd (for example, “BOXServiceAccount is added to a role” is more likely “BOXServiceAccount is used to add an account to a role.”), the intent is clear. BOXServiceAccount is a system account used behind the scenes to carry out tasks within Office 365. A discussion in the Microsoft Technical Community from April 2018 and another in the Microsoft Answers forum from June 2017 provided some extra insight. Clearly, I haven’t been paying attention.

In this case, it seems like BOXServiceAccount comes into play when an administrator assigns another user one of the custom administrative roles through the Office 365 Admin Center. I assume the reason why a system account is used in this manner is that the administrator who assigns someone a role might not have the permission to add that account to the Azure Active Directory role groups which underpin the administrative roles.

Azure Active Directory Role Groups

To see the role groups defined in your tenant, run the Get-AzureADDirectoryRole cmdlet (from the Azure AD PowerShell V2 module).

Get-AzureADDirectoryRole

ObjectId                             DisplayName                      Description
--------                             -----------                      -----------
07308ce7-381b-4fb1-b31e-398b8a66c946 Billing Administrator            Can perform common billing related tasks like updating payme...
0f3a91cd-4fdd-436e-97ed-f2a01b19bfe2 User Account Administrator       Can manage all aspects of users and groups, including resett...
1402c923-f478-4a9c-82b1-0511726c43bd Customer LockBox Access Approver Can approve Microsoft support requests to access customer or...
268030c9-556f-47a6-a167-5970cb734558 Device Administrators            Device Administrators
36333bfe-4ff2-452a-a4a0-d11a668b44c7 Company Administrator            Can manage all aspects of Azure AD and Microsoft services th...
387f95ae-e47f-4156-b5d3-2d9150fdea7e Directory Readers                Can read basic directory information. For granting access to...
432e4ce3-ed50-4406-aeb6-1794283ad211 Lync Service Administrator       Can manage all aspects of the Skype for Business product.
4e0cabe2-fe25-49e1-8538-61a8b8422517 Reports Reader                   Can read sign-in and audit reports.
53add08e-5b0c-4276-a582-9ce02fb6c947 Exchange Service Administrator   Can manage all aspects of the Exchange product.
57122a2b-cd95-4370-a84b-4e90ec8e722a Service Support Administrator    Can read service health information and manage support tickets.
64503181-13d0-4ef6-8ee2-a08a7b690168 Power BI Service Administrator   Can manage all aspects of the Power BI product.
7ae4b349-1f17-429c-8795-dcc56096c0c7 Helpdesk Administrator           Can reset passwords for non-administrators and Helpdesk Admi...
88b6939a-ef4b-4e8e-9aba-00f4f8447e66 Compliance Administrator         Can read and manage compliance configuration and reports in ...
c7ba418f-9d1e-4bd2-b770-dba1cbc2c336 Directory Writers                Can read and write basic directory information. For granting...
f35c2f36-b60d-4b17-b261-0de8af7da552 SharePoint Service Administrator Can manage all aspects of the SharePoint service

The Lync Service Administrator listed is just an old display name. It equates to what you see as the Skype for Business Online Administrator when viewed through the Office 365 Admin Center. To see the current accounts assigned a role, run the Get-AzureADDirectoryRoleMember cmdlet and pass the object identifier of the role you want to examine.

Get-AzureADDirectoryRoleMember -ObjectId "f35c2f36-b60d-4b17-b261-0de8af7da552"

ObjectId                             DisplayName                            UserPrincipalName                  UserType
--------                             -----------                            -----------------                  --------
d44088a5-a5ea-47af-b724-cffb12c6ed3e Paul Smith                             Paul.Smith@office365itpros.com Member
d446f6d7-5728-44f8-9eac-71adb354fc89 James Abrahams                         James.Abrahams@office365itpros.com Member
67105a51-e817-493e-8094-f600babf5f62 Marc Vigneau                           Marc.Vigneau@office365itpros.com   Member
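The two cmdlets above list one role at a time. As an added example (not code from the post or the eBook), the script below walks every activated directory role, records its members, and diffs the result against the previous run so that role-membership changes, including those made on an administrator’s behalf by BOXServiceAccount, stand out. It assumes the Azure AD PowerShell V2 module, an existing Connect-AzureAD session, and the snapshot file paths are assumptions.

```powershell
# Added example: snapshot Azure AD directory role membership and report changes since the last run.
# Assumes the AzureAD V2 module and an existing Connect-AzureAD session; file paths are assumptions.
$Report = [System.Collections.Generic.List[object]]::new()
foreach ($Role in Get-AzureADDirectoryRole) {
    # Get-AzureADDirectoryRoleMember needs the role's ObjectId, as shown in the post
    foreach ($M in Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId) {
        $Report.Add([PSCustomObject]@{
            Role       = $Role.DisplayName
            RoleId     = $Role.ObjectId
            Member     = $M.DisplayName
            Upn        = $M.UserPrincipalName     # empty for service principals
            ObjectId   = $M.ObjectId
            ObjectType = $M.ObjectType            # User or ServicePrincipal
        })
    }
}

# Persist today's snapshot (assumed location) and compare with the most recent earlier snapshot
$Today = "$env:TEMP\RoleMembers_$(Get-Date -Format yyyyMMdd).csv"
$Report | Export-Csv -NoTypeInformation -Path $Today
$Previous = Get-ChildItem "$env:TEMP\RoleMembers_*.csv" |
    Where-Object FullName -ne $Today | Sort-Object Name | Select-Object -Last 1
if ($Previous) {
    $Old = Import-Csv $Previous.FullName
    # A member is identified by role plus object id, so renames do not show as changes
    Compare-Object -ReferenceObject $Old -DifferenceObject @($Report) -Property Role, ObjectId |
        Select-Object @{n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } }},
                      Role, ObjectId |
        Format-Table -AutoSize
} else {
    Write-Host "No earlier snapshot found; $Today is the baseline."
}

# The tenant-wide admin role deserves a look every time, regardless of whether anything changed
$Report | Where-Object Role -eq "Company Administrator" | Format-Table Member, Upn, ObjectType -AutoSize
```

Any "Added" line for a high-privilege role is the cue to find the matching role-change record in the Office 365 audit log and confirm who requested it.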

No Mystery – Move Along Please

So, apart from its odd name, there’s no mystery about BOXServiceAccount. It’s just one of the system accounts used by Office 365 to get work done. There’s nothing wrong with using accounts like this because system accounts have been used for years for different purposes, such as updating your Exchange Online configuration to match standards set by Office 365.

But what’s wrong is that Microsoft has never communicated the reason why BOXServiceAccount exists and how it is used. A note in the Message Center in the Office 365 Admin Center wouldn’t have gone amiss, well before administrators began to see the interesting audit events turn up in their Office 365 audit log. Maybe I missed that too.

For more information about custom Administrative roles, see Chapter 4 of the Office 365 for IT Pros eBook. And of course, you can have a great time reviewing the many interesting facts to be found in the Office 365 audit log in Chapter 21. And activity alerts and alert policies are covered in Chapter 21 too, just in case you don’t feel like browsing the audit log daily.


Office 365 Audit Records Truncated for Azure Active Directory Events


A Live Demo Fails

The shifting sands of cloud services caught me out on Monday when I spoke at the UK Evolve conference. My topic was how to use PowerShell to manage Office 365 Groups and Teams (aka “Hacking your way to Happiness” – you can download a PDF of the deck here). During the session, I use several demos to show people how easy PowerShell really is and how quickly it lets you get real work done. All went well and then I came to an example where I look for records in the Office 365 audit log for “add group” events.

[Photo: Presenting at Evolve – before the code problem struck (photo: Matt Ellis via Twitter)]

To make sure that demos run smoothly I use a cheat sheet of PowerShell code snippets in a Word document. Cutting and pasting known good code is faster and saves the embarrassment of getting code wrong in front of large audiences. I was therefore nonplussed to see an error from code that “used” to work perfectly well and is from an example in Chapter 21 of the Office 365 for IT Pros eBook.

Cannot index into a null array.
At line:1 char:7
+ $ReportLine = [PSCustomObject][Ordered]@{
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray

Add Group is Truncated

Looking at the code, I found that the problem happened after I used the Search-UnifiedAuditLog cmdlet to search for audit records for the “add group” event. The idea is that you can extract these audit records from the log and then analyze them to figure out who’s creating new Office 365 Groups and Teams. Audit records hold a lot of interesting information in the JSON content held in the AuditData field, so we need to unpack the content to extract information about the name of the newly created groups. The resulting $AuditData variable for an unpacked record contains the data shown below:

ObjectId       : Not Available
UserId         : Tony.Redmond@office365itpros.com
ClientIP       : 
Id             : a6ddc5dc-bfce-4d7c-b39b-775cba7b48ae
RecordType     : 8
CreationTime   : 2018-07-11T14:36:54
Operation      : Add group.
OrganizationId : b662313f-14fc-43a2-9a7a-d2e27f4f3478
UserType       : 0
UserKey        : 1003BFFD805C87B0@office365itpros.com
Workload       : AzureActiveDirectory
ResultStatus   : Success : Record Truncated
Version        : 1

Seeing “Record Truncated” in a status field doesn’t create a feeling of confidence that the audit records are complete. In fact, the data is missing two fields that used to be available called Actor and Target, the latter being the field that the group identifier and group name were available in. When my code tried to access the information in $AuditData with references to $AuditData.Target[0].Id and $AuditData.Target[1].Id, the null array error happened because that array was never populated by the JSON extract.

Something Changed

Something had clearly changed in the audit records generated for “add group” events since I used the same demo code at the European Collaboration Summit in late May. I looked at all the audit events I could find for “add group” using the Audit log viewer in the Security and Compliance Center and found that every one of the events lacks the data.

Office 365 only keeps audit log records for 90 days, so I could only go back to early July. I found good records on July 5 and bad records after July 11. It therefore seems likely that the format of the audit records captured for Azure Active Directory events ingested into the Office 365 audit log changed sometime between July 5 and 11. I can’t be more definite than that.
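As an added example (not the eBook’s Chapter 21 code), the script below runs the same “add group” search but unpacks the AuditData JSON defensively: it reports a record as truncated when the Target array is absent or the ResultStatus carries “Record Truncated”, instead of failing with the null-array error. It assumes an Exchange Online PowerShell session that exposes Search-UnifiedAuditLog, and that the Target array, when present, holds the group identifier at index 0 and the group name at index 1, as the post describes.

```powershell
# Added example: find "Add group." audit records and cope with truncated Azure AD records.
# Assumes an Exchange Online PowerShell session (Search-UnifiedAuditLog) and the Target layout
# described in the post: Target[0].Id = group identifier, Target[1].Id = group display name.
$StartDate = (Get-Date).AddDays(-90)   # the log only holds 90 days anyway
$EndDate   = Get-Date
$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
    -Operations "Add group." -ResultSize 5000
if (-not $Records) { Write-Host "No Add group audit records found"; return }

$Report = foreach ($Rec in $Records) {
    $AuditData = $Rec.AuditData | ConvertFrom-Json
    # Either symptom marks a record we cannot fully trust
    $Truncated = ($AuditData.ResultStatus -like "*Record Truncated*") -or (-not $AuditData.Target)
    $GroupId = $GroupName = "Not available"
    # Only index into Target when it exists and holds both expected entries
    if ($AuditData.Target -and @($AuditData.Target).Count -ge 2) {
        $GroupId   = $AuditData.Target[0].Id
        $GroupName = $AuditData.Target[1].Id
    }
    [PSCustomObject][Ordered]@{
        TimeStamp = $Rec.CreationDate
        User      = $AuditData.UserId
        Operation = $AuditData.Operation
        GroupId   = $GroupId
        GroupName = $GroupName
        Truncated = $Truncated
    }
}

$Report | Sort-Object TimeStamp | Format-Table -AutoSize
$Bad = @($Report | Where-Object { $_.Truncated }).Count
Write-Host "$(@($Report).Count) records, $Bad truncated (group name not available)"
```

Running this across the retention window also dates the change: the first day on which every record is flagged as truncated is the day the ingestion format changed.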

Changing Audit Records is a Bad Thing

As it transpires, the problem of truncated information in Office 365 audit records exists for other Azure Active Directory group operations like add and remove user (see below) and group removal and updates. This is a real problem. Customers depend on this information to understand what happens with groups inside their tenant.

[Figure: Office 365 audit record is truncated for remove member operation]

Looking at the Azure audit log, the details of the group (name and identifier) are present, so it seems likely that the problem occurs when Office 365 extracts information from Azure Active Directory and normalizes the data before ingestion into the audit log.

Activity
  Date          : 9/9/2018, 4:45:32 PM
  Name          : Remove member from group
  CorrelationId : 3669b365-5346-4fb7-aeb5-0260a1e64305
  Source        : AzureAD
  Category      : Core Directory
Activity Status
  Status : Success
  Reason :
Initiated By (Actor)
  Type      : User
  Name      : Microsoft Teams Services
  ObjectId  : eff4cd58-1bb8-4899-94de-795f656b4a18
  Upn       : Tony.Redmond@office365itpros.com
  IpAddress :
Target(s)
  Target
    Type     : User
    ObjectId : bd8ad08e-c964-41e0-b5e9-456ab487a0c1
    Upn      : O365-ExchangeConnections2015@office365itpros.onmicrosoft.com
    Modified Properties
      Name      : Group.ObjectID
      New Value : "37991751-f6dd-48e5-bc86-1967181a7e53"
      Name      : Group.DisplayName
      New Value : "All R &A Users"
      Name      : Group.WellKnownObjectName
  Target
    Type     : Group
    ObjectId : 37991751-f6dd-48e5-bc86-1967181a7e53
Additional Details

Not a Good Situation

I don’t know why Microsoft decided to change the format of the Azure Active Directory audit records as they were ingested into the Office 365 audit log. I do know that they messed up by removing essential data from the records. Where once it was possible to easily determine the name of a newly created group, now it is not. The same is true when trying to find out who was added or removed from groups, or accounts that are added or removed from the tenant. Losing this information is not good and it doesn’t give you confidence in the testing regime used to validate code changes.

I also don’t like when changes happen to data that might be used for compliance purposes without any warning or documentation. It doesn’t help people who roll their own analysis with PowerShell and it doesn’t help the ISVs who extract audit data on behalf of Office 365 tenants and store that data for longer than the 90-day default retention period.

All the Office 365 for IT Pros writing team can do is to keep checking to make sure that the code examples we include in the book continue to work over time. I’m happy that I found this problem and have been able to report it to Microsoft; it just wasn’t so good to run smack into the issue when doing a live demo.


Microsoft Releases Teams Administrative Roles


RBAC for Teams Management

In my latest Petri.com article, I cover the release of four new administrative roles for Teams. The basic idea is that an Office 365 tenant administrator can delegate responsibility for looking after Teams to other people, especially in the more complicated areas of video and audio and telephony where specialized knowledge is often needed to sort out problems, especially when multiple countries, calling plans, and networks are involved.

For now, you must assign the new roles through the Azure Active Directory portal (or with PowerShell) and cannot assign them as custom roles through the Office 365 Admin Center yet, but I expect that change to come soon.

RBAC Common Across Office 365

Limiting administrative access via role-based access control (RBAC) isn’t new inside Office 365. Microsoft introduced RBAC in Exchange 2010 with management role groups, role assignments, and scopes. The Exchange Control Panel (ECP) was the first web-based administrative console to hide options from users based on the RBAC role groups to which they belonged, something that was extended into the Exchange Administration Center (EAC) in Exchange 2013. The technique is used today in Office 365 to control access to options in the Exchange Online EAC, the Office 365 Admin Center, the Security and Compliance Center, and now the Teams and Skype for Business Admin Center (TSBAC).

Suppressing TSBAC Options

Figure 1 illustrates the point. In this case, the user who accesses TSBAC is assigned the Teams Communications Administrator role. TSBAC detects that their account holds the role and limits the options available to the dashboard, user management, and some of the options to manage meetings. Live events policies are missing, but this might be an omission.

Figure 1: Viewing TSBAC options for the Teams Communications Administrator role

The user can’t see the options to manage messaging policies, org-wide settings, or other settings available in TSBAC.

Not every Office 365 tenant will use all the roles now available for TSBAC, but it’s good to see that they exist. It’s a sign of increased maturity in the Teams platform and that Microsoft is thinking about how to make the transition from Skype for Business Online easier for enterprise tenants.


We were able to include details of the new roles in chapters 13 and 16 of the September 20 update of Office 365 for IT Pros. It was kind of a last-minute thing, but it’s the type of late-breaking news that ePublishing accommodates so well and traditional publishing models can’t handle.

The unified Microsoft 365 Roadmap is here


As expected, Microsoft has announced the unified Microsoft 365 Roadmap that includes all the technologies that are part of Microsoft 365: Office 365, Enterprise Mobility + Security and Windows 10. The new roadmap also comes with a new web site and a new URL (Note: the old Office 365 Roadmap URL is still live, but as soon as you browse to it, you are redirected to the new URL).

The new Microsoft 365 Roadmap site supports:

  • Search filters such as product (Enterprise Mobility + Security, Office 365, Windows 10), platform (Online, Desktop, Android, iOS, Mac) and/or cloud instance (Education, GCC, GCC High, GCC High/DoD, Germany, Worldwide, All environments).

  • For a Roadmap item, you can view additional information such as a short description of the roadmap item and when it’s going to be released to Targeted Release or to production.

  • Subscribe to the Roadmap by means of an RSS feed so you can get the Microsoft Roadmap in your favorite RSS reader tool such as Outlook or my personal recommendation: Feedly.

In summary, the new Microsoft 365 Roadmap is the central point where we can search for updates about new features coming to Office 365, EM+S and Windows 10.


Managing Teams Through the Teams and Skype for Business Online Admin Center


TSBAC and Team Management

Yesterday, I published an article on Petri.com covering the introduction of team management in the Teams and Skype for Business Online Admin Center (TSBAC). The new functionality is in private preview, but tenant administrators should see it sometime in October (depending on how the preview goes).

As I note in the article, the implementation is a first version and there’s lots to be done to build and deliver a truly comprehensive management UI for Teams. The good news is that the general availability of the new functionality should be accompanied by an upgraded PowerShell module for Teams. I don’t know for certain that this will happen, but it’s logical to assume that the combination of the new TSBAC functionality and the new Teams administration roles is likely to be backed up by improvements in the module.

The Microsoft View

In any case, if you’re at the Ignite conference this week in Orlando, you can get more information about team management in session BRK3113 “Deep Dive into the Modern Administration Portal for Microsoft Teams and Skype for Business” (a truly horrible name) featuring Isabella Lubin and Jamie Stark. The session takes place today, Thursday, at 16:00 in the Tangerine Ballroom in the OCC West.

And if you’re not in Orlando, you can live stream the session when it’s on or look at it later by accessing the recording through the Microsoft Technical Community. I do hope that they don’t contradict anything I said in my article!

We’ll include details of the new administration UI in the next update for the Office 365 for IT Pros eBook, expected around October 19. As you might imagine, we have a ton of work to do following all the announcements and news Microsoft delivered at Ignite, but the joy of an eBook is that we can release a fully-updated book soon after an event.



Tip: Export Microsoft 365 Roadmap for Analysis



Slice and Dice the Roadmap

As reported earlier this week, Microsoft has merged the Office 365 Roadmap into a new Microsoft 365 Roadmap. The ability to filter roadmap items by feature (like Outlook) or service (like SharePoint Online) has always been in the roadmap, but it’s even more useful to use the Download button to write the filtered items (or the entire roadmap) to a CSV file that can be analyzed using Excel or imported into Power BI. This was supported for Office 365 in the past; now you can include Windows 10 and Enterprise Mobility & Security roadmap items.

The downloaded file is named Microsoft365RoadMap_Features_date.csv.

Each line in the file holds the information about a single roadmap item. The following fields are included:

  • Id: A five-digit identifier for the roadmap item.
  • Title: Headline descriptor for the item. For example, “SharePoint mobile: organizational news support.”
  • Description: Notes about what the roadmap item involves. For example, “As you tap into the SharePoint mobile app News tab, you’ll now see support for organizational news – which brings more greater control, process and reach to how news can be published throughout your organization.”
  • Status: The current deployment status for the roadmap item. This will be “Launched” or “In development” or “Rolling out.”
  • MoreInfoLink: If available, the URL to a page containing extra information about the roadmap item.
  • Tags: One or more tags to identify the parts of Microsoft 365 that the roadmap item belongs to. For example, “O365, SharePoint” or “Exchange.”
  • Added Date: The date that Microsoft originally added the item to the roadmap. The date is in U.S. format, so 8/29/2018 is 29 August 2018.
  • Last Modified: The date that Microsoft last updated the item.
  • PublicDisclosureAvailabilityDate: The time frame that Microsoft expects the roadmap item to be available to customers. This might be as specific as a month or use a longer period, such as Q4 CY2018 (fourth quarter of calendar year 2018).

Microsoft intends that customers can use the information in the download file to help plan for the introduction of Microsoft 365 features into their tenant. Given the number of changes that happen within Office 365 and the other Microsoft 365 components, it’s worthwhile advice.

Head over to the Microsoft 365 roadmap, download items, and start analyzing…


We cover the topic of keeping up to date with Microsoft 365 in Chapter 1 of the Office 365 for IT Pros eBook. But keeping up to date is what we’re all about, so the entire book reflects our best effort at documenting what’s current inside Office 365. We hope that you like that.


How Microsoft IT Manages Office 365 Groups


Figure 12-99

The Lessons of Experience

Those given the job of planning the deployment of a new technology usually like to know how other companies approach the same task. After all, no one likes to make the same mistake as other companies have, so it’s always good to find out about successful techniques for the deployment and management of technology.

At the Ignite 2018 conference, Microsoft IT described the way they manage Office 365 Groups (here’s a recording of the session). Microsoft is different from most companies: they don’t have to worry about the cost of licensing advanced features (like those which need Azure Active Directory P1 licenses) and their user community is more technically-savvy than the norm. However, there’s still value in understanding their perspective towards groups.

First, Microsoft uses a dynamic group for all full-time employees (“blue badges”) and allows members of this group to create new groups. While allowing all full-time employees to create new groups (and teams) might lead to a lot of groups that don’t get much usage, Microsoft uses an aggressive 180-day expiration policy to age out groups that no one needs.

Microsoft doesn’t use a naming policy, possibly because they never used a naming policy for distribution lists. They have custom jobs to scan for groups with no owner (important when you have an aggressive expiration policy), to ensure that groups have at least two owners, and to make sure that groups that have certain classifications are disabled for guest membership. They also use Azure Active Directory group reviews to make sure that guest members only keep access to groups for as long as they need to.

Multi-Geo Too

Microsoft also uses the Office 365 multi-geo capabilities for SharePoint Online and Office 365 Groups (in preview and expected to be generally available in Q1 2019) to provision the team sites according to users’ preferred data locations (the Office 365 datacenter region they are deployed in).

Documenting a management framework for Office 365 Groups within an organization is a good idea because it brings clarity to the deployment and lays out how the groups policy and other associated policies (like the Azure B2B collaboration policy and expiration policy) fit into the framework.


For more information about how to use the Azure Active Directory policy for Groups to control Office 365 Groups (and Teams) and associated policies like the Azure B2B Collaboration policy or the Groups expiration policy, read Chapter 12 of the Office 365 for IT Pros eBook. We have lots to say on this subject!


Org-Wide Teams Now Available


A Team for Everyone

In the latest update distributed to Office 365 tenants, Microsoft includes the ability to create an org-wide team, but only if your tenant has fewer than 1,000 accounts. The new feature turned up in my tenant on 9 October and is visible in Teams desktop build 1.1.00.26355.

Editor’s Note: From May 2019, the limit for an org-wide team is 5,000 accounts.

Company-wide Communications

An org-wide team is designed to facilitate tenant-wide communications for small to medium companies without the need for an administrator or team owner to manually add all the employees to the team membership, including the need to check for new employees and add them periodically. As we explain in Chapter 14 of the Office 365 for IT Pros eBook, the process of creating a team and populating its membership with PowerShell is not difficult, but some work needs to be done to maintain the membership afterwards.

To create an org-wide team, choose Join or create a team as usual, and then select Org-wide from the Privacy drop-down list (see below). The choice only appears to global admins (for the Office 365 tenant).

[Figure: Creating an org-wide team]

Automatically-Generated Membership

When you create an org-wide team, Teams adds all the global admins as team owners. It then adds all “active users” as members. The theory is that accounts that don’t have Office 365 or Teams licenses are excluded, as are guest users. However, sometimes accounts that have no place in an org-wide team turn up in the automatically-generated membership. Among these are:

  • Shared mailboxes.
  • Room and resource mailboxes.
  • Service accounts (if they have an Office 365 license).
  • Mailboxes used for purposes such as DLP incident reports. These accounts might be licensed, but they shouldn’t really feature in a team.
  • Accounts that have an Office 365 license but the Teams option is disabled.

Because some odd results can turn up in the automatically-generated membership, it is good practice to check the membership after the team is created and remove any account that doesn’t belong. Likewise, if you find that an account that should be in the membership has been omitted for some reason, you can add them manually. And like for any team with a large membership, consider updating team settings to stop members posting in the General channel, adding channels, or even using @team mentions (because they generate notifications for everyone in the team).

On an ongoing basis, employees leave and join the company and people lose or gain Teams licenses. When someone leaves the company and their Office 365 account is removed, their membership of the team is also removed. To handle new joiners and people who gain or lose Teams licenses, a background process scans the accounts in the tenant periodically (expect weekly) and adds or removes the user as required. Unlike normal teams, members can’t choose to leave an org-wide team.
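Because the generated membership can contain shared and resource mailboxes, guests, or accounts whose Teams service plan is switched off, a post-creation check is worth scripting. The following is an added example, not code from the original post: it walks the members of an org-wide team, flags the categories listed above, and can remove them when run with -Remove. It assumes Connect-MicrosoftTeams and an Exchange Online PowerShell session are already connected, uses the AzureAD module (Get-AzureADUserLicenseDetail, where a Teams service plan is assumed to have a ServicePlanName starting with TEAMS) for the license check, and the team name and exclusion list are hypothetical.

```powershell
# Added example, not part of the original post. Assumes Connect-MicrosoftTeams,
# an Exchange Online session and Connect-AzureAD have all been run.
function Get-OrgWideTeamOddMembers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TeamDisplayName,
        # Recipient types that have no business in an org-wide team
        [string[]] $ExcludedTypes = @('SharedMailbox', 'RoomMailbox', 'EquipmentMailbox', 'SchedulingMailbox'),
        # Extra addresses to flag, e.g. a DLP incident report mailbox (constructed example)
        [string[]] $ExcludedUpns = @('dlp-reports@office365itpros.com'),
        [switch] $Remove
    )

    $Team = @(Get-Team -DisplayName $TeamDisplayName)
    if ($Team.Count -ne 1) { throw "Expected exactly one team named '$TeamDisplayName', found $($Team.Count)" }
    $Team = $Team[0]

    $Findings = [System.Collections.Generic.List[object]]::new()
    foreach ($Member in (Get-TeamUser -GroupId $Team.GroupId -Role Member)) {
        $Upn    = $Member.User
        $Reason = $null

        if ($Upn -like '*#EXT#*') {
            # B2B guest accounts carry #EXT# in their UPN
            $Reason = 'Guest account'
        } elseif ($Upn -in $ExcludedUpns) {
            $Reason = 'On exclusion list'
        } else {
            $Recipient = Get-Recipient -Identity $Upn -ErrorAction SilentlyContinue
            if (-not $Recipient) {
                $Reason = 'No Exchange recipient'
            } elseif ($Recipient.RecipientTypeDetails -in $ExcludedTypes) {
                $Reason = "Recipient type $($Recipient.RecipientTypeDetails)"
            } else {
                # Licensed account: is the Teams service plan actually enabled?
                # (assumption: Teams plans are named TEAMS*, status 'Success' when enabled)
                $TeamsPlans = Get-AzureADUserLicenseDetail -ObjectId $Upn |
                    ForEach-Object { $_.ServicePlans } |
                    Where-Object { $_.ServicePlanName -like 'TEAMS*' }
                if ($TeamsPlans -and -not ($TeamsPlans.ProvisioningStatus -contains 'Success')) {
                    $Reason = 'Teams service plan disabled'
                }
            }
        }

        if ($Reason) {
            $Findings.Add([PSCustomObject]@{ Team = $Team.DisplayName; User = $Upn; Reason = $Reason })
            if ($Remove) { Remove-TeamUser -GroupId $Team.GroupId -User $Upn }
        }
    }
    return $Findings
}

# Report first; run again with -Remove once the list looks right (hypothetical team name)
Get-OrgWideTeamOddMembers -TeamDisplayName 'All Company' | Format-Table -AutoSize
```

Run it without -Remove first and review the output: the background refresh that Teams runs for org-wide teams may add some of these accounts back, so the check is worth scheduling rather than running once.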

An Oddity

One odd thing I noticed about the people added to the org-wide team membership is that if an account does not have its Office 365 license listed first in the set of product licenses, that account is ignored. Take the example of the Kim Akers account shown below where the first license is for EM&S. This account is not added to the org-wide team.

Figure: An account to be ignored

But I Already Have an Org-Wide Team

If you already created and use an all-employees team without benefit of Microsoft’s new feature, a tenant administrator can convert the team into an org-wide team and gain benefit of the automatic membership management. To do this, select the team you want to convert and then use the Edit team feature to change the privacy setting to org-wide. When you save the setting, Teams updates the membership with all valid accounts. Any users not included in the automatic membership remain in place, including guest users. You can also change an org-wide team to be a private or public team using the same approach, and in this case, the existing membership stays in place but the automatic background refresh of membership is disabled.

Alternatives

Larger tenants who have more accounts than the 1,000 limit can consider:

  • Using dynamic Teams to support discussions for different parts of the organization. For example, you might have a team for each department or each country.
  • Using Yammer for company-wide communications and collaboration. Yammer can easily scale up to handle very large organizations with hundreds of thousands of users.

Remember, a team can support up to 2,500 members, so you can always use PowerShell to generate and manage an org-wide team if your tenant falls between 1,000 and 2,500 accounts.

P.S. The formal documentation for org-wide teams is online. But the book tells you what really happens…


We have over 80 pages of content about Teams in Chapter 13 of the Office 365 for IT Pros ebook. And then even more when we discuss using PowerShell to manage Teams and Office 365 Groups in Chapter 14… and more about Teams Meetings and telephony in Chapter 16. In short, we have lots of Teams content for you to read.

The post Org-Wide Teams Now Available appeared first on Office 365 for IT Pros.

Tip: Getting Information About Click to Run Configuration from the System Registry


Behind the Scenes with Click to Run

When you install the click to run version of Office on a PC, the installation updates several settings in the system registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration. Among the settings are:

  • O365ProPlusRetail.EmailAddress: The User Principal Name of the account used to install the software.
  • TenantId: The GUID for the tenant.
  • VersionToReport: The version of the software installed on the PC. For example, 16.0.10827.20138.

Using PowerShell to Read the System Registry

Some administrators use PowerShell to read these values from the system registry and send the data to a central location for reporting purposes. For example, to see the complete set of values for the click-to-run configuration, use the command:

Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

VersionToReport                   : 16.0.10827.20138
ClientFolder                      : C:\Program Files\Common Files\Microsoft Shared\ClickToRun
ClientVersionToReport             : 16.0.10827.20138
WatcherInterval                   : 3600000
PipelineServerName                : ClickToRun_Pipeline16
PackageLockerPath                 : C:\ProgramData\Microsoft\Office
ScenarioCulture                   :
InstallID                         : C5FCDC94-269E-4D32-8A2B-19665F51837A
Platform                          : x86
InstallationPath                  : C:\Program Files (x86)\Microsoft Office
ClientCulture                     : en-us
CDNBaseUrl                        : http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-88
                                    40a6a4f5be
AudienceId                        : 64256afe-f5d9-4f86-8936-8840a6a4f5be
AudienceData                      : Insiders::CC
O365ProPlusRetail.MediaType       : CDN
UpdatesEnabled                    : True
O365ProPlusRetail.ExcludedApps    : groove
StreamingFinished                 : True
ProductReleaseIds                 : O365ProPlusRetail
RSODReset                         : False
O365ProPlusRetail.OSPPReady       : 1
UpdateChannel                     : http://officecdn.microsoft.com/PR/64256afe-f5d9-4f86-8936-88
                                    40a6a4f5be
UpdateChannelChanged              : False
O365ProPlusRetail.TenantId        : 4,b662313f-14fc-43a2-9a7a-d2e27f4f3478
O365ProPlusRetail.EmailAddress    : Tony.Redmond@redmondassociates.org
BackgroundTransportMethodDefault  : cachedhttp
BackgroundTransportMethodFailures : 0
OneDriveClientAddon               : INSTALLED
PSPath                            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTW
                                    ARE\Microsoft\Office\ClickToRun\Configuration
PSParentPath                      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTW
                                    ARE\Microsoft\Office\ClickToRun
PSChildName                       : Configuration
PSDrive                           : HKLM
PSProvider                        : Microsoft.PowerShell.Core\Registry

To retrieve the value of an individual key, use:

(Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration -Name "VersionToReport").VersionToReport

16.0.10827.20138

Or (as noted by Pat Richard):

Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -Name "VersionToReport"

What you do with the value is entirely up to you!
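If the goal is central reporting, it helps to turn the raw registry values into one tidy object per PC. The function below is an added example and not code from the original post. It handles machines with no Click-to-Run key, strips the "4," prefix that the TenantId value carries in the output above, maps the channel GUID at the end of UpdateChannel to a channel name (the GUID-to-name table is an assumed mapping using the 2018 channel names), and returns a PSCustomObject you can export. The computer names at the end are hypothetical.

```powershell
# Added example, not part of the original post.
function Get-ClickToRunInfo {
    [CmdletBinding()]
    param(
        [string] $RegistryPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    )

    # No key means no Click-to-Run Office on this machine (MSI install, or none at all)
    if (-not (Test-Path -Path $RegistryPath)) { return $null }
    $Config = Get-ItemProperty -Path $RegistryPath

    # Update channel GUIDs as they appear at the end of UpdateChannel / CDNBaseUrl
    # (assumed mapping to 2018 channel names)
    $ChannelNames = @{
        '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Monthly Channel'
        '64256afe-f5d9-4f86-8936-8840a6a4f5be' = 'Monthly Channel (Targeted)'
        '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Channel'
        'b8f9b850-328d-4355-9145-c59439a0c4cf' = 'Semi-Annual Channel (Targeted)'
        '5440fd1f-7ecb-4221-8110-145efaa6372f' = 'Insider'
    }
    $ChannelId = ([string]$Config.UpdateChannel).TrimEnd('/').Split('/')[-1].ToLower()
    $Channel   = if ($ChannelNames.ContainsKey($ChannelId)) { $ChannelNames[$ChannelId] } else { "Unknown ($ChannelId)" }

    # Per-product values are prefixed with the product ID (O365ProPlusRetail.TenantId etc.).
    # ProductReleaseIds can list several products; the first one is used here.
    $Product  = ([string]$Config.ProductReleaseIds).Split(',')[0]
    # TenantId is stored as "<number>,<guid>"; keep only the GUID
    $TenantId = ([string]$Config."$Product.TenantId").Split(',')[-1]

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        Version        = $Config.VersionToReport
        Platform       = $Config.Platform
        Channel        = $Channel
        # REG_SZ "False" is a non-empty string, so [bool] would give $true; compare the text instead
        UpdatesEnabled = ($Config.UpdatesEnabled -eq 'True')
        Products       = $Config.ProductReleaseIds
        ExcludedApps   = $Config."$Product.ExcludedApps"
        InstalledBy    = $Config."$Product.EmailAddress"
        TenantId       = $TenantId
    }
}

# Local machine
Get-ClickToRunInfo

# Fleet report: run the same function remotely and collect to CSV (hypothetical computer names)
$Computers = 'PC01', 'PC02'
Invoke-Command -ComputerName $Computers -ScriptBlock ${function:Get-ClickToRunInfo} |
    Export-Csv -Path .\ClickToRunReport.csv -NoTypeInformation
```

The remote call works because ${function:Get-ClickToRunInfo} hands the whole function body, including its channel table, to Invoke-Command, so nothing else needs to be staged on the target PCs.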


This information comes from Chapter 10 of the Office 365 for IT Pros eBook. It’s the kind of tip that we find interesting. We hope that you do too.

The post Tip: Getting Information About Click to Run Configuration from the System Registry appeared first on Office 365 for IT Pros.

Managing Office 365 Guest Users


Proliferating Guests

Today’s Petri.com article covers the topic of how to manage guest users in an Office 365 tenant. Guest accounts are created by several Office 365 applications, notably Teams, SharePoint Online, and Office 365 Groups. If you leave the guest accounts alone, they accumulate in your Azure Active Directory. Some are used all the time but some gather dust after a one-time use.

The article outlines some basic techniques (including some PowerShell snippets) to review and manage guest user accounts. Given that Office 365 Groups are the cornerstone for membership management for these applications, a lot of the work that’s done is with the Groups cmdlets to find, report, and remove unwanted guests. In my small tenant, I have 82 guest accounts – and I know that only 45 or so are used on a weekly basis. I guess I have some clean-up to do.


The Office 365 for IT Pros eBook contains tons of examples for how to manage different aspects of guest user accounts from the invitation process to removing them from your tenant. Look in Chapters 12 and 13!

The post Managing Office 365 Guest Users appeared first on Office 365 for IT Pros.

Can Teams Replace Email



Talking about Email and Teams

On October 17, I had the opportunity to speak at the Modern Workplace Conference at the Microsoft conference center in Paris. My topic was a discussion about whether Teams can replace email. I’m pretty definite that Teams can’t, but it certainly can replace some of the email traffic that circulates within Office 365 tenants today. The percentage of traffic that moves to Teams will be higher in some organizations than others, as it all depends on culture, training, and the flows of communication. For instance, a company that has a high percentage of its traffic going to external parties won’t see that traffic drop through Teams.

As always, it’s best to try and extract most value from all the technologies at your disposal. That means good preparation, intelligent choices of tools, user education, and ongoing management. Given that these factors are in place, I think Teams and email can live together well and complement each other in most organizations. But if Teams is launched within a company with poor preparation and no user training, it’s unlikely to be successful. At least, not as successful as it can be.

A Sketch Note

I am indebted to Luise Freese for coming to the session in Paris to generate a “sketch note” from my comments.

Figure: Sketch note of “Can Teams Replace Email?” by Luise Freese

And the Presentation

For those wanting my slides, here’s a copy of the deck Can Teams Replace Email for your downloading pleasure.

Figure: Presenting in Wiesbaden

Editor’s note: the deck is updated to reflect the content presented at the European Collaboration Summit in Wiesbaden, Germany on May 28, 2019.


For more information about Teams, head to Chapter 13 of the Office 365 for IT Pros eBook, where you’ll find 80+ pages of practical and insightful information to help plan your deployment.

The post Can Teams Replace Email appeared first on Office 365 for IT Pros.

Disabling Basic Authentication for Exchange Online (Preview)


Suppressing Password Spray Attacks

Microsoft’s October 17 announcement of a new method (in preview) to disable basic authentication for connections to Exchange Online is very welcome. Why? Basic authentication means what it says – a basic mechanism to authenticate a connection to a service with a username and password and nothing else. Basic authentication is simple to use and simple to abuse, which is why attackers target it with techniques like password spraying, where a small set of common passwords is tried against many accounts.

Exchange Online supports many different connection protocols from ActiveSync to POP3 to IMAP4 to MAPI. This is a good thing because it allows people to use their client of choice to connect to their mailbox. Unfortunately, the profusion of connection protocols creates a difficulty too because each must be secured to stop penetration by attackers.

Protocol Authentication Policies

The preview method now available introduces a new cmdlet set to create and manage protocol authentication policies. Running the New-AuthenticationPolicy cmdlet creates an authentication policy that disables basic authentication for all the protocols supported by Exchange Online. For example:

New-AuthenticationPolicy -Name "No Basic Auth"

RunspaceId : fd030e40-053a-404c-90f9-3cf9f2c2dcef
AllowBasicAuthActiveSync : False
AllowBasicAuthAutodiscover : False
AllowBasicAuthImap : False
AllowBasicAuthLogExport : True
AllowBasicAuthMapi : False
AllowBasicAuthOfflineAddressBook : False
AllowBasicAuthOutlookService : False
AllowBasicAuthPop : False
AllowBasicAuthReportingWebServices : False
AllowBasicAuthRest : False
AllowBasicAuthRpc : False
AllowBasicAuthSmtp : False
AllowBasicAuthWebServices : False
AllowBasicAuthPowershell : False
AdminDisplayName :
ExchangeVersion : 0.20 (15.0.0.0)

The only protocol enabled here is Log Export, which is probably not going to be used by an attacker.

Modern Authentication Needed

Before you block basic authentication, you must enable modern authentication for your tenant and be sure that users have clients that support modern authentication, like Outlook 2016. A block on basic authentication takes effect immediately for clients that can only use basic authentication, so find out what is connecting to mailboxes before you apply it. See this support article for more details.

Changing Protocol Authentication Settings

If you want to change a setting to allow basic authentication for a protocol, run the Set-AuthenticationPolicy cmdlet. For example:

Set-AuthenticationPolicy -Identity "No Basic Auth" -AllowBasicAuthPop:$True

You can have multiple authentication policies in a tenant, each of which allows basic authentication for different protocols.

Assigning Policies to Users

After you’ve created the authentication policies you need, you assign them to user accounts to tell Exchange Online whether users can connect using basic authentication.

In my tenant, I decided to have a single policy applied to all user accounts and implement the policy immediately, which means resetting the baseline for user refresh tokens at the same time. This has to be done with PowerShell, so I used a command to find all user mailboxes and pipe them to the Set-User cmdlet to assign the authentication policy and reset the refresh token baseline for each account to the current date and time. Resetting the baseline forces clients to reauthenticate, so a client that has been connecting with basic authentication must reconnect with modern authentication or be refused.

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Set-User -AuthenticationPolicy "No Basic Auth" -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

Checking Policies Are Applied to Accounts

To check that policies are in place as you intend, check the accounts by running the Get-User cmdlet. As shown below, you should see that each account is assigned the desired authentication policy and the refresh token is reset to the time when the Set-User command executed.

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-User | Format-Table DisplayName, AuthenticationPolicy, Sts*

DisplayName   AuthenticationPolicy StsRefreshTokensValidFrom
-----------   -------------------- -------------------------
Deirdre Smith No Basic Auth        18 Oct 2018 14:30:42
Tony Redmond  No Basic Auth        18 Oct 2018 14:31:06
TempAdminAC   No Basic Auth        18 Oct 2018 14:31:11

Defining a Default Protocol Authentication Policy

New user accounts are assigned the default protocol authentication policy for the tenant. Unless you define a default protocol authentication policy in the organization configuration, the value assigned to new accounts is $Null, meaning that no policy is assigned. To change this, run the Set-OrganizationConfig cmdlet and define a new default:

Set-OrganizationConfig -DefaultAuthenticationPolicy "No Basic Auth"

You can check the value with the Get-OrganizationConfig cmdlet:

Get-OrganizationConfig | fl DefaultAuthenticationPolicy

DefaultAuthenticationPolicy : No Basic Auth
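Putting the steps above together, the script below is an added example and not code from the original post. It creates the policies if they do not already exist (so it can be rerun safely), keeps a short list of service accounts on a second policy that still allows basic authentication for SMTP (the protocol most likely to be used by scanners and scripts that cannot do modern authentication), assigns everyone else to “No Basic Auth” with a single token baseline timestamp, sets the tenant default, and finally reports any mailbox left without a policy. It assumes an Exchange Online PowerShell session; the policy names and service account addresses are constructed examples.

```powershell
# Added example, not part of the original post. Assumes an Exchange Online session.
function Get-OrCreateAuthenticationPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Protocol switches to turn back on, e.g. @{ AllowBasicAuthSmtp = $true }
        [hashtable] $Allow = @{}
    )
    $Policy = Get-AuthenticationPolicy -Identity $Name -ErrorAction SilentlyContinue
    if (-not $Policy) {
        # A new policy starts with basic authentication blocked for every protocol except LogExport
        $Policy = New-AuthenticationPolicy -Name $Name
    }
    if ($Allow.Count -gt 0) { Set-AuthenticationPolicy -Identity $Name @Allow }
    return (Get-AuthenticationPolicy -Identity $Name)
}

function Set-TenantBasicAuthBlock {
    param(
        [string[]] $SmtpOnlyAccounts = @(),
        [string] $BlockPolicy = 'No Basic Auth',
        [string] $SmtpPolicy  = 'SMTP AUTH Only'
    )
    $null = Get-OrCreateAuthenticationPolicy -Name $BlockPolicy
    $null = Get-OrCreateAuthenticationPolicy -Name $SmtpPolicy -Allow @{ AllowBasicAuthSmtp = $true }

    # One timestamp for the whole run so every account's token baseline matches
    $Now = [System.DateTime]::UtcNow
    foreach ($Mbx in (Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited)) {
        $Address = $Mbx.PrimarySmtpAddress.ToString()
        $Policy  = if ($SmtpOnlyAccounts -contains $Address) { $SmtpPolicy } else { $BlockPolicy }
        Set-User -Identity $Address -AuthenticationPolicy $Policy -STSRefreshTokensValidFrom $Now
    }

    # New mailboxes pick up the block policy without any further action
    Set-OrganizationConfig -DefaultAuthenticationPolicy $BlockPolicy
}

function Get-AuthenticationPolicyGaps {
    # Accounts with no explicit policy fall back to the tenant default; if no default
    # is set they can still use basic authentication, so list them
    $Default = (Get-OrganizationConfig).DefaultAuthenticationPolicy
    Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
        Where-Object { -not $_.AuthenticationPolicy } |
        Select-Object DisplayName, UserPrincipalName,
            @{ n = 'EffectivePolicy'; e = { if ($Default) { "$Default (tenant default)" } else { 'NONE' } } }
}

# Constructed service account addresses
Set-TenantBasicAuthBlock -SmtpOnlyAccounts 'scanner@office365itpros.com', 'alerts@office365itpros.com'
Get-AuthenticationPolicyGaps | Format-Table -AutoSize
```

The SMTP-only policy is deliberately the exception list, not the rule: every account on it remains exposed to password spraying over SMTP, so keep the list short, give those accounts long random passwords, and revisit it once the devices behind them can use modern authentication.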


All Good So Far

The block on basic authentication has been in place in my tenant for a few days now and no problems have been seen so far. Apart from finding out whether people use obsolete clients to connect to mailboxes, the biggest issue you might face is that disabling basic authentication for PowerShell forces accounts to use multi-factor authentication when they connect to Exchange Online.

If a problem was encountered, it’s easily fixed by reversing course and either removing the authentication policy from the affected user accounts or allowing basic authentication for a specific protocol. To remove a policy, run Set-User again:

Set-User -Identity "John Smith" -AuthenticationPolicy $Null

No events are recorded in the Office 365 Audit Log to show that someone’s account was blocked for basic authentication. But this is a preview that’s designed to show customers what’s coming down the tracks and it’s likely that Microsoft will improve this aspect of the implementation when protocol authentication policies are generally available.

Limiting basic authentication for connections using a protocol policy only affects Exchange Online and has no influence over any other Office 365 workload.


Exchange Online is covered in Chapter 5 of the Office 365 for IT Pros eBook. Then again, Exchange is used by many Office 365 applications, so it turns up throughout the book.

The post Disabling Basic Authentication for Exchange Online (Preview) appeared first on Office 365 for IT Pros.


Existing Guest Accounts and the Azure B2B Collaboration Policy


What Takes Priority?

As you might know, the Azure B2B Collaboration policy for a tenant can hold a deny (block) or an allow list. The list is used to stop owners of Office 365 groups adding guest users from specific domains or to restrict them to adding guest users from specific domains. Tenants use these lists to make sure that group owners don’t add guests from competitors, consumer email domains, and other domains that are deemed objectionable for one reason or another.

Steve Crowe sent me a note to say that he had run into a problem using the B2B collaboration policy with Teams. He had blocked some domains but group owners were still able to add users from those domains as guests.

As it turned out, the reason was that guest accounts for the users being added already existed in Azure Active Directory. Teams doesn’t apply restrictions on guest accounts that are already present in your directory because an assumption is made that an administrator added the guest account, so it’s OK and can be added to other groups.

Guests in Place

The offending guest account was added before the block list was enforced, so that’s why it exists in the directory and why Teams assumes it’s OK to add the account to other groups. Guest accounts are now added by multiple applications, including SharePoint, Planner, and Office 365 Groups, so it’s hard to know where the account might have originated. In this instance, the guest account was added when someone shared a document in a SharePoint library.

You can argue that respecting existing guest accounts is the right approach. Administrators can add guest accounts from any domain they choose through the Azure portal, and if they do, shouldn’t team owners be allowed to include these guests in their teams? On the other hand, administrators might assume that when they impose a block, they want applications like Teams to respect that block.

The “gap” in the block proves that you should use the Azure B2B collaboration policy to control domains for guest users AND check the guest user membership of groups on a regular basis, just to be sure that unwanted guests don’t slip through.
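The regular membership check recommended here, and the clean-up of unused guest accounts discussed in the “Managing Office 365 Guest Users” post above, can be done with the same script. The following is an added example and not code from the original posts. It does two things: it finds guests from blocked domains who are members of Office 365 groups (and therefore teams) anyway, optionally removing them, and it lists guest accounts that are members of no group at all, which are the ones most likely to be gathering dust. It assumes an Exchange Online PowerShell session and that a guest’s PrimarySmtpAddress reflects their external address; the blocked domain list is a constructed example, and in practice you would take it from the Azure B2B collaboration policy.

```powershell
# Added example, not part of the original posts. Assumes an Exchange Online session.
function Get-GuestDomain {
    param([Parameter(Mandatory)] [string] $Address)
    # Guest UPNs look like john_contoso.com#EXT#@tenant.onmicrosoft.com; SMTP
    # addresses look like john@contoso.com. Return the external domain for either.
    if ($Address -match '^(.+)_([^_#]+)#EXT#@') { return $Matches[2].ToLower() }
    if ($Address -match '@([^@]+)$')            { return $Matches[1].ToLower() }
    return $null
}

function Get-GuestAudit {
    param(
        [Parameter(Mandatory)] [string[]] $BlockedDomains,
        [switch] $RemoveBlocked
    )
    $BlockedDomains = @($BlockedDomains | ForEach-Object { $_.ToLower() })
    $Blocked  = [System.Collections.Generic.List[object]]::new()
    $InGroups = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

    # Only groups that report external members need to be examined
    $Groups = Get-UnifiedGroup -ResultSize Unlimited | Where-Object { $_.GroupExternalMemberCount -gt 0 }
    foreach ($Group in $Groups) {
        $Guests = Get-UnifiedGroupLinks -Identity $Group.DistinguishedName -LinkType Members |
            Where-Object { $_.RecipientTypeDetails -eq 'GuestMailUser' }
        foreach ($Guest in $Guests) {
            $Address = $Guest.PrimarySmtpAddress.ToString()
            $null = $InGroups.Add($Address)
            $Domain = Get-GuestDomain -Address $Address
            if ($Domain -and ($BlockedDomains -contains $Domain)) {
                $Blocked.Add([PSCustomObject]@{
                    Group  = $Group.DisplayName
                    Guest  = $Address
                    Domain = $Domain
                })
                if ($RemoveBlocked) {
                    Remove-UnifiedGroupLinks -Identity $Group.DistinguishedName -LinkType Members -Links $Address -Confirm:$false
                }
            }
        }
    }

    # Guest accounts that belong to no group: candidates for removal from the directory
    $Orphans = Get-Recipient -RecipientTypeDetails GuestMailUser -ResultSize Unlimited |
        Where-Object { -not $InGroups.Contains($_.PrimarySmtpAddress.ToString()) } |
        Select-Object DisplayName, PrimarySmtpAddress

    [PSCustomObject]@{ BlockedMembers = $Blocked; OrphanedGuests = $Orphans }
}

# Constructed block list; replace with the domains in your B2B collaboration policy
$Audit = Get-GuestAudit -BlockedDomains 'gmail.com', 'outlook.com', 'competitor.com'
$Audit.BlockedMembers | Format-Table -AutoSize
$Audit.OrphanedGuests | Format-Table -AutoSize
```

Removing a guest from a group does not remove the guest account from Azure Active Directory, and the account can be added to another group again for exactly the reason described above, so a guest you never want in the tenant should also be removed from the directory once the group clean-up is done.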

Keep Your Secrets

And if you have very confidential teams, consider blocking guest user access for the underlying Office 365 Groups. That way you’ll know that your organization’s most confidential discussions will never be shared with guests.


All of this is explained in Chapters 13 and 14 of the Office 365 for IT Pros eBook. It’s the kind of practical straightforward advice we offer to readers…

The post Existing Guest Accounts and the Azure B2B Collaboration Policy appeared first on Office 365 for IT Pros.

Purging Bad Stuff from Teams


Learning from the Past

One of the reasons why the venerable Search-Mailbox cmdlet is so popular is that it can permanently remove items from user mailboxes. Administrators use this capability to delete offensive material, spam, malware, and other “interesting” messages that get into mailboxes.

If Teams is ever to replace email, then administrators must be able to do the same. Of course, Teams is very different because what gets posted in channels and private chats is largely generated by internal users instead of coming from external sources, so you don’t have to deal with threats like malware and spam. However, it is entirely possible that someone will post an offensive note (with or without thinking) that needs to be removed.

Hopefully the poster will realize the error of their ways and remove their message. Sometimes the team owner will need to prompt them and sometimes the team owner will have to take action to remove the content without the author’s buy in. This Petri.com article discusses the issue and reviews the tools that administrators have, including running an Office 365 content search to track down posts across multiple teams.


For more information about managing Teams, see Chapter 13 of the Office 365 for IT Pros eBook. Content searches are covered in Chapter 20. Search-Mailbox is covered in Chapter 6.

The post Purging Bad Stuff from Teams appeared first on Office 365 for IT Pros.

The Question of Office 365 Backups


To Backup Or Not To Backup

In today’s Petri.com article, I venture once again into the choppy waters of asking if backups are necessary for Office 365 data.

In the old days when Office 365 was still new, it was possible to see how on-premises techniques and standards could be taken forward into the cloud. After all, in 2011 Office 365 ran barely-cloudified versions of Exchange 2010 and SharePoint 2010. Mailboxes were small, and the SharePoint migration hadn’t really started because of a lack of tools.

Roll on seven years and we have a completely different situation. First, the variants of Exchange and SharePoint running inside Office 365 are very different and have a different mission. Exchange Online is now a mailbox service for the rest of Office 365 (for example, Teams uses mailboxes to store compliance records). SharePoint Online is a document management service used by Teams and Planner. Everything is much more tightly interconnected. Mailboxes have a basic 100 GB quota but can store much more through expanding archives and the volume of SharePoint documents now stored in the cloud is growing at an enormous rate.

But what hasn’t changed is the notion of streaming mailbox and document data out to a backup location. This is all fine, providing that your network supports the transmission and that the backup vendor can deal with data sovereignty and handle regulations like GDPR.

Can Backup Solutions Cope with Office 365?

However, the problem is that most Office 365 backup solutions can’t handle Teams or Planner because the necessary APIs are not available to stream the data out to the backup datacenters and then restore teams and plans back to a point in time. Without the APIs, backup solutions have to resort to processing Teams compliance records held in Exchange mailboxes (but they don’t get a true copy because not all metadata is copied).

I also ask if tenants are making use of the Office 365 features available to them to avoid the need for backups. Some features are only recently available (protocol authentication policies), others have been around for a while (retention policies for Teams, SharePoint, and Exchange). Given the rate of change in the cloud, it might be the case that tenants are unaware of the features that they are paying for that could be deployed to avoid the expense and complexity of taking partial Office 365 backups. Read on!


We know it’s difficult for companies to keep track of Office 365 features and functionality. That’s why we write the Office 365 for IT Pros eBook and keep it updated with new information and insights as we learn more about the technology. Every Office 365 administrator needs a copy.

The post The Question of Office 365 Backups appeared first on Office 365 for IT Pros.

Using the Office 365 Audit Log to Find SendAs Events


Searching for Mailbox Audit Records

The Office 365 audit log ingests mailbox audit records from Exchange Online. In the past, you might have used the Search-MailboxAuditLog cmdlet to look for audit records for a specific mailbox. For instance, here’s a command that looks for SendAs events, which are recorded when a delegate (to a shared mailbox or user mailbox) sends a message as the mailbox rather than on its behalf:

Search-MailboxAuditLog -Identity "Customer Complaints" -LogonTypes Delegate -StartDate "1-Oct-2018 12:00" -EndDate "3-Nov-2018 17:00" -ShowDetails | ? {$_.Operation -eq "SendAs"} | Select LogonUserDisplayName, LastAccessed

LogonUserDisplayName LastAccessed
-------------------- ------------
James Ryan           2 Nov 2018 12:13:35
James Ryan           2 Nov 2018 11:57:33

You can still use the Search-MailboxAuditLog cmdlet, but it might be more convenient to use the Office 365 audit log, if only because the audit log is a common place to go looking for events ingested from all the Office 365 workloads, which means that the same technique works for all workloads. The audit records are available for up to 90 days for E1/E3 users and 365 days for E5 users.

Searching the Office 365 Audit Log

Here’s how to use PowerShell to search the Office 365 audit log for information about delegates sending messages for another user with the SendAs permission. The audit data property of each event is formatted in JSON, so we unpack it to find the values that we want to report. Each workload generates its own audit data payload, so some effort is necessary to figure out what the audit data contains for different events.

$Records = (Search-UnifiedAuditLog -StartDate 1-Nov-2018 -EndDate 2-Nov-2018 -Operations "SendAs" -ResultSize 1000)
If ($Records.Count -eq 0) {
    Write-Host "No Send As records found."
}
Else {
    Write-Host "Processing" $Records.Count "audit records..."
    $Report = @()
    ForEach ($Rec in $Records) {
        # AuditData is a JSON payload; unpack it to reach the SendAs details
        $AuditData = ConvertFrom-Json $Rec.AuditData
        $ReportLine = [PSCustomObject][Ordered]@{
            TimeStamp = $AuditData.CreationTime
            User      = $AuditData.UserId
            Action    = $AuditData.Operation
            Status    = $AuditData.ResultStatus
            SentBy    = $AuditData.MailboxOwnerUPN
            SendAs    = $AuditData.SendAsUserSmtp
            Item      = $AuditData.Item.Subject
        }
        $Report += $ReportLine
    }
}
$Report | Select Timestamp, Action, User, SendAs

TimeStamp           Action User                           SendAs
---------           ------ ----                           ------
2018-11-02T12:13:28 SendAs James.Ryan@office365itpros.com Customer.Complaints@office365itpros.com
2018-11-02T11:57:29 SendAs James.Ryan@office365itpros.com Customer.Complaints@office365itpros.com

Mailbox events are available in the Office 365 audit log between 15 and 30 minutes after they occur. The delay is due to the need for the ingestion process to run, find events in Exchange, and process them into Office 365 audit events before including them in the log, so a search run immediately after a SendAs operation may return nothing.


Chapter 21 in the Office 365 for IT Pros eBook is the place to go to learn much more about using the Office 365 audit log. We have many more examples there.

The post Using the Office 365 Audit Log to Find SendAs Events appeared first on Office 365 for IT Pros.

Office 365 Privileged Access Management: Too Flawed and Too Exchange?


Poor Fit and Finish Within Office 365 at Times

Yesterday, we discussed Microsoft’s decision to withdraw their plan to send email to Office 365 end users after receiving strong feedback from customers. Today’s Petri.com article discusses the introduction of Privileged Access Management (PAM) for Office 365. In writing the article, I wondered if some of the effort expended by Microsoft on plans that customers have never asked for might not be better used to refine some of the obvious flaws in important systems like PAM.

It’s at times like this that I wonder just how well the fabled DevOps model really operates when it comes to creating solid software. Almost every day, I seem to run into something inside an Office 365 application that doesn’t work as well or as smoothly as it should. The fit and finish of Office 365 can be pretty bad at times – the infamous tendency of the Office 365 Admin Center to barf because of cookie problems is just one example of what I mean. It seems like the rush to deliver features is all-encompassing and the need to deliver quality is of secondary consideration.

Although Microsoft must take the majority of the blame when the standard of their software slips, customers are also at fault because we accept the problems. Or at least we don’t protest as much or as often as we should.

The Future of PAM

Getting back to PAM, I like the idea of controlling elevated access very much and think it’s good that Microsoft is introducing some of the experience gained from their internal Office 365 operations into the product. What’s not so good are some of the flaws that are obvious, most of which I am sure Microsoft will move to eliminate now that they’ve been highlighted. More strategically, I wonder how the current Exchange-centric model can be brought forward to cover the rest of Office 365 when applications don’t have the rich RBAC control system that’s been developed for Exchange for nearly a decade.

I’m sure the developers have plans for progression and it will be interesting to see how PAM expands to deal with SharePoint Online, OneDrive for Business, Teams, Planner, Yammer, and anything else that comes along. We’ll see in time.

The post Office 365 Privileged Access Management: Too Flawed and Too Exchange? appeared first on Office 365 for IT Pros.
