Channel: Practical 365

Restricting OneDrive Sync to Domain Joined PCs


For some organizations there is a concern when deploying OneDrive for Business that users will access corporate data from their personal computers. If the personal computers are not well secured, such as having encrypted drives and good antivirus software, or if the personal computers are shared with unauthorized people, then the corporate data could be exposed.

To address those concerns it’s possible to restrict OneDrive so that it only synchronizes files to domain-joined computers. The general idea is that a domain-joined computer that is within the control of corporate IT will be more secure than the average personal computer that staff own. OneDrive sync restrictions can be configured using the OneDrive admin portal, or the SharePoint Online PowerShell module.

Before you can restrict OneDrive to domain joined computers, you first need to know the GUID of the Active Directory domains that will be allowed to sync. To retrieve the domain GUID, run the following command from a computer or server that has the Active Directory PowerShell module available.

[PS] C:\>(Get-ADForest).domains | foreach {Get-ADDomain $_ | Select Name,ObjectGuid}
Name                                  ObjectGuid
----                                  ----------
exchangeserverpro                     4764a27a-1465-445b-8697-ce1086805439

Next, connect to SharePoint Online and view the current sync restrictions. By default there are no sync restrictions configured.

PS C:\> Get-SPOTenantSyncClientRestriction
TenantRestrictionEnabled   : False
AllowedDomainList          : {}
BlockMacSync               : False
ExcludedFileExtensions     : {}
OptOutOfGrooveBlock        : False
OptOutOfGrooveSoftBlock    : False
DisableReportProblemDialog : False

To enable sync restrictions and add the domain GUID to the allow domain list, run the following command.

PS C:\> Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "4764a27a-1465-445b-8697-ce1086805439"
TenantRestrictionEnabled   : True
AllowedDomainList          : {4764a27a-1465-445b-8697-ce1086805439}
BlockMacSync               : False
ExcludedFileExtensions     : {}
OptOutOfGrooveBlock        : False
OptOutOfGrooveSoftBlock    : False
DisableReportProblemDialog : False

The sync policy change takes around an hour before it is effective. After the new configuration is in place, a user trying to add a OneDrive account to a computer that is not domain joined will receive an error message after they sign in and choose a location to sync to.

Sorry, OneDrive can’t add your folder at this time. Please contact support.

Any existing sync relationships for computers that are not domain joined will begin showing a “sync blocked” message in the system tray, and when OneDrive is opened from the system tray will display a more detailed error message.

Your IT Department requires that you use a computer that is joined to an approved domain to sync this folder. For assistance, contact your IT Department.

When you restrict OneDrive sync to specific domains you should be aware of the following caveats:

  • Computers that already have files synced to their local hard drive will not have the files removed.
  • The domain join requirement does not apply to Macs; however, you can enable or disable Mac sync as a separate restriction in the OneDrive admin portal (or via PowerShell).
  • The policy will not restrict sync to mobile devices. For that you should use a device access policy, or use Intune.
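
The steps above combined into one script, as an added example that is not part of the original article: it collects the GUID of every domain in the forest, compares that set with the tenant's current allow list, and changes the tenant only when `-Apply` is given and the two differ. The function names and the `-AdditionalGuid` parameter are hypothetical; it assumes the ActiveDirectory and SharePoint Online modules are installed and that `Connect-SPOService` has already been run.

```powershell
# Added example, not from the original article.
# Assumptions: ActiveDirectory and SharePoint Online management modules are
# installed, and Connect-SPOService has already been run against the tenant.

function Get-ForestDomainGuid {
    # One lower-case GUID string per domain in the current AD forest.
    (Get-ADForest).Domains | ForEach-Object {
        (Get-ADDomain -Identity $_).ObjectGUID.ToString().ToLower()
    }
}

function Sync-OneDriveAllowedDomain {
    # Hypothetical helper. Reports drift between the forest and the tenant
    # allow list; only modifies the tenant when -Apply is specified.
    param(
        # GUIDs of trusted domains outside this forest (for example a second
        # forest) that must stay on the allow list.
        [string[]]$AdditionalGuid = @(),
        [switch]$Apply
    )

    $wanted = @(
        @(Get-ForestDomainGuid) + @($AdditionalGuid | ForEach-Object { $_.ToLower() }) |
            Sort-Object -Unique
    )
    if ($wanted.Count -eq 0) {
        # Enabling the restriction with an empty list would block every PC.
        throw 'No domain GUIDs found; refusing to change the tenant policy.'
    }

    $policy  = Get-SPOTenantSyncClientRestriction
    $current = @($policy.AllowedDomainList | ForEach-Object { $_.ToString().ToLower() })

    # GUIDs we expect but the tenant lacks, and GUIDs the tenant allows that we
    # cannot account for (review these before applying).
    $missing = @($wanted  | Where-Object { $current -notcontains $_ })
    $extra   = @($current | Where-Object { $wanted  -notcontains $_ })

    $inSync = ($policy.TenantRestrictionEnabled) -and
              ($missing.Count -eq 0) -and ($extra.Count -eq 0)

    $changed = $false
    if ($Apply -and -not $inSync) {
        # Multiple GUIDs are passed as a single semicolon-separated string.
        Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($wanted -join ';') |
            Out-Null
        $changed = $true
    }

    [pscustomobject]@{
        RestrictionEnabled = $policy.TenantRestrictionEnabled
        InSync             = $inSync
        MissingFromTenant  = $missing
        UnexpectedInTenant = $extra
        Changed            = $changed
    }
}

# Report only (no change):
#   Sync-OneDriveAllowedDomain
# Apply after reviewing the report:
#   Sync-OneDriveAllowedDomain -Apply
```

Run it without `-Apply` first: an entry under `UnexpectedInTenant` is a domain someone added to the allow list that this forest does not account for, and applying will drop it unless it is passed in `-AdditionalGuid`.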

The post Restricting OneDrive Sync to Domain Joined PCs appeared first on Practical 365.

       


The Debate Over Enabling New Office 365 Features by Default


The recently announced Office 365 feature that will automatically create Groups based on manager/reports relationships in Active Directory reignited the debate about new features being enabled by default. The discussion in the Microsoft Tech Community was robust, and outlined many flaws in the proposed feature. But regardless of the merits of that particular feature, the discussion brought up the point that defaulting new features to “enabled” (or opt-out) is the wrong approach for many customers.

The issue is a big enough concern that a Uservoice item has been opened to collect votes from the community.

Tenant administrators should have the ability to specify whether or not new features such as Teams, Sway, etc. are enabled by default within their tenants. Just like there’s the ability to set a tenant to receive First Release, Admins should be able to specify how changes are introduced to their environment. It’s great that there are PowerShell commands to turn features on/off but it would be much easier to either set these new features to be off by default, or enable Admins to enable when organizations are ready to absorb those changes. Functionality like Teams is absolutely fantastic, but without the right change management planning it becomes confusing for users. For Tenant Admins that either ignore announcements of new features, or are unavailable to turn them off when they become available – this is an appropriate solution to enable organizations to effectively manage how they are consuming Office 365.

As I wrote in my article on managing change in Office 365, changes can create a burden for support staff, especially front line staff who will be hit with a wave of new questions when something changes. For organizations that have strict controls around change management, being able to control the deployment of new features is essential. I’ve heard from customers who use the ITIL framework, and they say that Office 365 has increased their costs because every single change needs to be managed in that framework. For them, being able to disable new features like Teams, or Focused Inbox, or Groups is essential. And while most new features can be disabled on a per-tenant or per-user basis so that the roll out can be managed through their change control processes, others such as the change in email sending behavior for Groups have no opt-out mechanism and are basically enforced on all customers. The ITIL organization has no choice but to adapt to those enforced changes.

The burden on IT departments is one side of the issue. There is also the impact that adding more complexity and variance to Office 365 will create. Taking the example of the email sending behavior for Groups, if that was presented as an option, that means more code is required to deal with Groups that have the option set one way or the other. The more code and complexity involved, the more development, testing and support costs are incurred, and the more risks there are of bugs surfacing. A service as large and complex as Office 365 is only possible when things are consistent and predictable across the entire environment.

We also need to consider whether innovation in Office 365 would slow down if adoption rates plummeted due to features being disabled by default. It should come as no surprise that one of the reasons new features are enabled by default is so that they are adopted faster by customers. For customers with minimal IT support, being able to use Teams, or StaffHub, or Bookings without needing an IT person to switch it on for you first is a positive thing. If features were always opt-in, those customers would simply miss out. And it’s entirely feasible that some IT consultants doing one-off projects to migrate customers to Office 365 would flip the switch to disable new features, with the justification that it’s for the good of the customer, and then walk away. I have no special knowledge of Microsoft’s internal decision making process around development of new features, but I assume that it would be difficult to justify investment in features if adoption is going to be limited.

This is an issue with no clear answer. If the option to disable all new features by default were made available, where do you draw the line on what constitutes a feature vs a change? If you call Teams a feature, and the Groups sending behavior a change, customers will still be caught out by unexpected changes if they’re not paying attention. That brings us back to what is perhaps the core of the issue – tenant admins who “either ignore announcements of new features, or are unavailable to turn them off when they become available.” Should we be advocating a change that caters to admins who are ignoring announcements? Or should the onus be on them to get with the program and deal with the reality of cloud services?

Clearly some folks are unhappy with the current situation, hence the Uservoice suggestion above. What do you think? Should there be an option to opt-out of all new features by default? Would you use that option for your own Office 365 deployments?


Restoring Deleted Office 365 Groups


Microsoft is rolling out the long-awaited capability to restore a deleted Office 365 Group. When Groups are deleted they are now retained for 30 days by default in a “soft deleted” state, and administrators can restore the group within that period if desired. All of the Group data, including associated applications such as Teams and Planner, is included in this restore capability, but as I discovered in my testing, Teams still has a few issues that need working out.

To give this new capability a test I created three new Groups using Outlook, Teams, and Planner (actually four, because of an error in Planner). The new Groups appeared in my Office 365 Groups report output as new Groups.

Next, I deleted each Group through the same application that was used to create it. Another run of the report script shows the Groups as deleted.

To view a list of soft deleted Groups we can use the Get-AzureADMSDeletedGroup cmdlet in PowerShell. This cmdlet is available today in the AzureADPreview PowerShell module, and we can expect it to be added to the AzureAD module in the near future.

PS C:\> Get-AzureADMSDeletedGroup
Id                                      DisplayName                             Description
--                                      -----------                             -----------
7c3d972b-0e25-49ab-baaa-4dcb3a0c39dc    GRP-CreatedViaPlanner                   GRP-CreatedViaPlanner
d1ddaca7-22e6-4267-9795-d208592f2ef1    GRP-CreatedViaOutlook                   GRP-CreatedViaOutlook
fcb8e99e-ca17-441f-8ba0-66bb8c435b12    GRP-CreatedViaTeams                     GRP-CreatedViaTeams

Once you know the Id of the Group you want to restore, the Restore-AzureADMSDeletedDirectoryObject cmdlet is used to restore it.

PS C:\> Restore-AzureADMSDeletedDirectoryObject -Id d1ddaca7-22e6-4267-9795-d208592f2ef1
Id                                      DisplayName                             Description
--                                      -----------                             -----------
d1ddaca7-22e6-4267-9795-d208592f2ef1    GRP-CreatedViaOutlook                   GRP-CreatedViaOutlook

Microsoft warns that this process should take only a few minutes, but can take up to 24 hours in some cases. When the restore is complete, the Group will be available using Get-AzureADMSGroup.

PS C:\> Get-AzureADMSGroup -Id d1ddaca7-22e6-4267-9795-d208592f2ef1
Id                                      DisplayName                             Description
--                                      -----------                             -----------
d1ddaca7-22e6-4267-9795-d208592f2ef1    GRP-CreatedViaOutlook                   GRP-CreatedViaOutlook

The restored Group now appears as a new Group in my report.

One thing I noticed in my testing is that the Group members are restored along with the Group, except for the Group admin. In my case, all three Groups that I deleted using Jane Tulley’s account, did not restore her membership of those Groups. For the Outlook and Planner-created Groups, Jane was able to simply rejoin them, because they were public Groups (which is the default).

For the Teams-created Group, the Group type defaulted to private. When Jane attempts to rejoin, an approval request is sent to the Group admin, which is herself in this case. Clicking the link to “go to Group members” and add herself didn’t work.

The dialog for adding members shows that she is the admin, but won’t let her add herself as a member.

If she uses the Approve button in the email instead, then her membership is approved successfully.

However, although the rejoined Group appears in Jane’s Outlook, it does not appear in her Teams desktop client or web client. As a private Group, the Team also can’t be seen in the list of available public teams to join. However, after changing the Group from private to public, and then waiting a short time, the Team appeared as a public Team for other users who were not already members, but not for Jane Tulley who is a member and admin for the Group. Presumably the Team doesn’t appear in the list of Teams to join for Jane because she’s already a member. Eventually, a few hours later, the Team appeared in Jane’s Teams client.

This seems to be a wider issue with Teams when Groups are restored. I ran the test again, this time with a public Team that had multiple members. Again, the restored Team did not appear in any Teams desktop or web clients until the member was removed from the Group, then they could see the Team in the list. However, attempting to join a restored Team fails.

I ran through a variety of test scenarios, creating and deleting Teams. As a side note, here’s a simple one-liner for restoring all soft deleted Groups.

PS C:\> Get-AzureADMSDeletedGroup | foreach {Restore-AzureADMSDeletedDirectoryObject -Id $_.Id}

In some cases, public Teams that had been restored appeared almost immediately for other users to join, however could be joined by new members. The same error shown above was occurring.

 

After a few hours of testing, eventually all of the restored Teams were able to be accessed again, and the public Teams could be joined by new members. This may have all been just a symptom of the delays during restoration that Microsoft indicated could take up to 24 hours.

It’s good to see recovery of Office 365 Groups is now available, but it looks like there’s still a few wrinkles to iron out for Teams to smooth out the user experience.


What’s New in Office 365 for March 2017


March has been a huge month for Office 365 Groups. We kicked things off with a change to the email sending behavior for Groups, which immediately confused people who were used to seeing their own Group emails arrive in their own inbox.

After that relatively minor change, a robust debate erupted around the surprise announcement that Microsoft will be automatically creating Office 365 Groups based on manager/reports relationships in Active Directory. The change appeared on the Office 365 road map with an immediate status of “Rolling out”, but was met by almost unanimous disapproval by the customers and IT pros who jumped into the conversation. Microsoft has since backed down and will roll the change out to a select group of customers first to give it a proper smoke test. They haven’t withdrawn the change entirely though, so you should still plan accordingly.

Microsoft’s newest Groups-based service, Teams, became generally available for business and enterprise customers, and then a few days later also became available for education customers. Teams improved quite a lot between preview and general availability, and is an immediately useful collaboration tool with a lot of integration options for third party services. Key features such as external guest access are also coming to Teams over the next few months, so this is definitely an application to pay close attention to and get it out to your users as soon as possible.

Rounding things out for Groups developments in March, we finally have the ability to restore deleted Groups. Deleted Groups now sit in a soft-delete state for up to 30 days, during which time an administrator can restore the Group along with all associated application data such as Teams, Planner, and SharePoint. The inability to recover deleted Groups has been a big reason that many customers have held off on adopting them. So this change should see an upswing in Groups usage among customers. This is the right way to increase Groups adoption, by shipping features that customers want. Not by automatically creating them 😉

As you start to use Groups in your organization, make sure you run the Office 365 Groups report script to keep an eye on what is being created, changed, or deleted.

In Exchange Online, the Focused Inbox roll out continues, and has actually appeared in one of my tenants now. An important note for Focused Inbox is that it is only available in supported versions of Outlook. Today that includes Outlook for iOS and Android, Outlook for Mac, Outlook on the web, and Outlook 2016 (but only the Office 365 subscription version, not the standalone MSI version). Focused Inbox will not be available in any other versions of Outlook.

Exchange Online has also rolled out a change that allows the sent items behavior to be configured for user mailboxes, so that when delegates use send as or send on behalf the sent message is copied to the owner’s mailbox. Previously this functionality was only configurable on shared mailboxes, but now user mailboxes can be configured as well.

In other news this month:

  • Skype for Business Online voicemail transcription is rolling out on March 31st to all customers. Users will receive a transcription of their voicemail messages in the email body.
  • Flow integration with SharePoint Online lists and libraries has been added, including the ability to launch Flows on demand from lists and libraries. This feature is rolling out between now and the end of April.
  • Yammer Analytics are moving to the Office 365 admin portal, starting with overview and access information.

As a heads up for next month, DirSync and AADSync support ends on April 13th, 2017. They won’t immediately stop working, but you won’t be able to get support from Microsoft if you have directory synchronization problems. Time to upgrade to Azure AD Connect.


DirSync and AADSync Support is Ending, Time to Upgrade to Azure AD Connect


Microsoft has provided a variety of directory synchronization tools to customers over the years, most recently Azure AD Connect (AADConnect). Previously, customers could choose from DirSync or Azure AD Sync (AADSync) as well.

Development of DirSync and AADSync ended long ago, with the announcement in April 2016 that both tools were now deprecated. One year of further support was provided, and that ends on April 13th, 2017. Although the tools won’t stop working (at least not yet, but it will happen one day), you will no longer be able to get support from Microsoft if you are having directory synchronization issues.

As a side note, customers using AADConnect who have not enabled automatic upgrade, and have not been manually upgrading, will also become unsupported if their AADConnect build number is earlier than 1.1.

For more information about your upgrade options, refer to these articles that Microsoft has published:


New Pluralsight Course – Managing Exchange Mailboxes and Distribution Groups in PowerShell


I’m pleased to announce that my latest Pluralsight course, Managing Exchange Mailboxes and Distribution Groups in PowerShell, has emerged from the production cycle and is now available to watch.

I enjoyed creating this course because it brings together the two technologies that have had the most impact on my career to date – Exchange Server, and PowerShell. In some respects, Exchange admins had a head start on the rest of the IT pro community because of Exchange Server 2007, a product that coincidentally is reaching end of life in just a few days time. As I explained in my blog post, Why PowerShell, it was working with Exchange that pushed me into learning how to use PowerShell.

I was supporting far more users and servers than I ever had before, and I realized there was no way I could keep up without the help of scripting and automation. And that meant a lot of time writing PowerShell. Automation became critical to our team’s ability to perform our duties, as our head count shrank but our responsibilities grew. Doing “more with less” was the reality we were dealing with.

Not much has changed today. PowerShell is a critical skill for IT pros who work with Microsoft technologies. We see it in job ads, and there are strong communities built around sharing of PowerShell scripts and code. And quite a lot of the most popular blog posts here either relate to using PowerShell for an administration task, or have a PowerShell solution for a problem.

Which brings us to my new course with Pluralsight. When I created this course I had two types of people in mind:

  • An IT pro who has Exchange admin responsibilities, but is inexperienced with PowerShell. Exchange Server is a great way to learn about PowerShell, and this course is suitable for beginners (I make a few recommendations in the first module for some introductory content to go watch first, if you need it).
  • An IT pro comfortable with PowerShell, but new to Exchange administration. If that is you, then you can either watch the course from start to finish, or you can dip into specific lessons to learn the tasks you need.

In either case, if you also need a test lab environment to learn in, you can build one on two VMs following the lab setup guide that’s included with the course, or just grab a free copy of my Exchange Server 2016 Quick Start Guide.

The complete list of modules, which total just over 3 hours of content, are:

  • Module 1 – Course introduction
  • Module 2 – Managing user mailboxes
  • Module 3 – Managing shared mailboxes and delegate scenarios
  • Module 4 – Managing resource mailboxes
  • Module 5 – Managing archive mailboxes
  • Module 6 – Other mailbox management scenarios
  • Module 7 – Managing distribution groups
  • Module 8 – Reporting and automation

If you’re a Pluralsight subscriber you can find the course here. If you’re not already a Pluralsight subscriber, you can sign up for a free trial to watch this course and others for 30 days.


First Steps: Configure Office 365 First Release Settings


Signing up to a cloud service like Office 365 means you’re on board for whatever changes the vendor deploys to customers. That is one benefit of cloud services, but some customers see it as a risk and prefer to at least make sure they are not the first customers to receive new features. Other customers prefer to be slower to receive new features to allow time for following appropriate change management processes and preparing end user communication. Microsoft accommodates these needs with the concept of First Release for Office 365 tenants.

When a new feature or change is developed for Office 365, Microsoft first releases it to their own internal development team, and then rolls it out to their corporate user base. For some developments there may also be a preview program that customers or third party vendors can take part in to see the early versions of the feature and provide testing feedback.

When the time comes to release a feature to the general customer base, it first goes to tenants who have opted in for First Release. The First Release customers will receive the new feature anywhere from a few weeks to a few months ahead of the general customer base.

Gaining access to new features first is appealing to some customers, such as those who provide consulting or training to other customers. In return, First Release customers must accept the risk (albeit a low risk) that some bugs or problems might appear in the feature as it is rolling out. You should not be taking part in First Release if you’re not willing to accept that risk.

To view your First Release configuration, log in to the Office 365 admin portal and navigate to Settings, and then Organization profile. Then, click on the Edit button next to Release preferences.

The options you can choose from are:

  • Standard release – your tenant receives updates as they roll out to the general Office 365 customer base. You might still receive updates before or after other tenants because features roll out in stages instead of to all customers at once.
  • First release – your tenant will be among the first to receive updates.
  • First release for selected users – individual users you select in your tenant will receive updates before the rest of your organization’s users.

By default, an Office 365 tenant is configured for Standard release.

You can check the release configuration for a tenant by connecting to Exchange Online and running the Get-OrganizationConfig cmdlet.

PS C:\> Get-OrganizationConfig | Select ReleaseTrack
ReleaseTrack
------------
StagedRollout

Note that in the example above, StagedRollout shows that “First release for selected users” is configured. If you’ve configured your tenant for staged rollout, you can check the list of individual users who are enabled for First Release by connecting to Office 365/Azure AD and running Get-MsolUser.

PS C:\> Get-MsolUser | Where {$_.ReleaseTrack}
UserPrincipalName                    DisplayName    isLicensed
-----------------                    -----------    ----------
adam.wally@exchangeserverpro.net     Adam Wally     False
aaron.gardiner@exchangeserverpro.net Aaron Gardiner True
john.dorey@exchangeserverpro.net     John Dorey     True
jane.tulley@exchangeserverpro.net    Jane Tulley    True
Alan.Reid@exchangeserverpro.net      Alan Reid      False
dave.bedrat@exchangeserverpro.net    Dave Bedrat    True

For a quick count, run the following command instead.

PS C:\> Get-MsolUser | Group-Object -Property:ReleaseTrack | Select Name,Count | ft -auto
Name             Count
----             -----
                   431
StagedRolloutOne     6

You can’t use PowerShell to configure First Release for your tenant or for individual users yet. This capability will hopefully be added to a future release of the Azure AD PowerShell module.

If your organization is not willing to have full or partial First Release for your production tenant, but still wants early access to features for testing and training purposes, then you should create an Office 365 test tenant and configure it for First Release.


Removing an Auto-Mapped Mailbox from Outlook


A customer asked about a situation in which they’re unable to remove mailboxes from users’ Outlook profiles. In this case they were shared mailboxes and appeared in the left pane of Outlook. Although this case was for shared mailboxes, the cause and solution apply equally to user mailboxes. This can occur for on-premises Exchange Server and cloud-hosted mailboxes in Exchange Online.

In the Outlook account settings for the user, the shared mailbox does not appear as an additional mailbox.

The reason that the shared mailbox appears in Outlook, but does not appear in the Outlook account settings, is that auto-mapping is enabled by default when a user is granted access to a shared mailbox or to another user’s mailbox. When auto-mapping is enabled, Outlook receives extra information in the Autodiscover response that tells it to open the additional mailbox.

The auto-mapping option can only be configured at the time the permissions are granted. If you want to remove auto-mapping for a user’s access to a shared mailbox, then you must remove their mailbox permissions and then re-add the permissions again. Also, this will need to be performed using PowerShell, because the Exchange Admin Center doesn’t expose the option to enable or disable auto-mapping when configuring mailbox permissions.

To remove and re-add a user’s mailbox permissions using PowerShell, we can use the following steps. First, for an on-premises mailbox open the Exchange Management Shell, or for a cloud mailbox connect to Exchange Online.

Using the example from the screenshot above, the user in question is Adam Wally, and the shared mailbox is named SharedOnPremMailbox. Use Get-MailboxPermission to check that the permissions have been granted as mailbox permissions.

[PS] C:\>Get-MailboxPermission -Identity SharedOnPremMailbox -User Adam.Wally | fl
RunspaceId      : 1af8b9f0-d64e-4cb8-b8e1-e905c6923ed5
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : ESPNET\adam.wally
Identity        : exchangeserverpro.net/Company/Head Office/Shared/SharedOnPremMailbox
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

Next, use Remove-MailboxPermission to remove the mailbox permission for the user.

[PS] C:\>Remove-MailboxPermission -Identity SharedOnPremMailbox -User Adam.Wally -AccessRights FullAccess
Confirm
Are you sure you want to perform this action?
Removing mailbox permission "SharedOnPremMailbox" for user "Adam.Wally" with access rights "'FullAccess'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Finally, re-add the mailbox permission by running Add-MailboxPermission, this time using the -AutoMapping parameter to disable auto-mapping.

[PS] C:\>Add-MailboxPermission -Identity SharedOnPremMailbox -User Adam.Wally -AccessRights FullAccess -AutoMapping:$false

The change will not immediately be obvious to the end user, because there is a delay before their Outlook client picks up the change via Autodiscover. When Outlook receives the updated Autodiscover response, it will remove the auto-mapped mailbox from the user’s Outlook profile. If the user needs to access the mailbox for anything, they must add it to their profile, or open it via the Outlook File menu.

As a side note, there’s nothing in the Get-MailboxPermission output that will tell you whether a user who has access to a mailbox will be auto-mapped. However, for on-premises mailboxes you can query the Active Directory user object properties to determine who will be auto-mapped to a mailbox. The property that stores this information is named msExchDelegateListLink, and it can be queried using Get-ADUser. For example, to view the list of auto-mapped users for a mailbox named Payroll, we can run the following command.

[PS] C:\>Get-ADUser -Filter {Name -eq "payroll"} -Properties msExchDelegateListLink | Select -ExpandProperty msExchDelegateListLink
CN=Bruce.Thillainayagam,OU=Users,OU=Head Office,OU=Company,DC=exchangeserverpro,DC=net
CN=Alex.Heyne,OU=Users,OU=Branch Office,OU=Company,DC=exchangeserverpro,DC=net
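
The remove and re-add procedure above, driven by the msExchDelegateListLink lookup, as an added example that is not part of the original article: for one on-premises mailbox it finds every auto-mapped delegate and re-grants their FullAccess with auto-mapping disabled. The function name is hypothetical; it assumes the Exchange Management Shell with the ActiveDirectory module loaded, and delegates in the same domain as the session.

```powershell
# Added example, not from the original article.
# Assumptions: on-premises Exchange Management Shell, ActiveDirectory module
# loaded, delegates resolvable with Get-ADUser in the current domain.

function Disable-MailboxAutoMapping {
    # Hypothetical helper name. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Mailbox
    )

    $mbx    = Get-Mailbox -Identity $Mailbox -ErrorAction Stop
    $target = Get-ADUser -Identity $mbx.DistinguishedName -Properties msExchDelegateListLink

    foreach ($dn in @($target.msExchDelegateListLink)) {
        $result = [pscustomobject]@{ Mailbox = $mbx.Name; Delegate = $dn; Status = '' }

        try {
            $delegate = Get-ADUser -Identity $dn -ErrorAction Stop
        } catch {
            $result.Status = 'Skipped: delegate is not a resolvable user object'
            $result; continue
        }

        # Only touch an explicit (non-inherited, non-deny) FullAccess entry.
        # Access granted through a group has no per-user entry to re-add.
        $perm = Get-MailboxPermission -Identity $mbx.DistinguishedName -User $delegate.SamAccountName |
            Where-Object {
                (-not $_.IsInherited) -and (-not $_.Deny) -and
                ("$($_.AccessRights)" -match 'FullAccess')
            }
        if (-not $perm) {
            $result.Status = 'Skipped: no explicit FullAccess entry'
            $result; continue
        }

        if (-not $PSCmdlet.ShouldProcess($delegate.SamAccountName, "Re-grant FullAccess on $($mbx.Name) without auto-mapping")) {
            $result.Status = 'WhatIf: would be re-granted'
            $result; continue
        }

        try {
            Remove-MailboxPermission -Identity $mbx.DistinguishedName -User $delegate.SamAccountName `
                -AccessRights FullAccess -Confirm:$false -ErrorAction Stop
            Add-MailboxPermission -Identity $mbx.DistinguishedName -User $delegate.SamAccountName `
                -AccessRights FullAccess -AutoMapping:$false -ErrorAction Stop | Out-Null
            $result.Status = 'Re-granted with AutoMapping disabled'
        } catch {
            # If the removal succeeded but the re-add failed, the delegate
            # currently has no access; surface that clearly.
            $result.Status = "FAILED, verify access manually: $($_.Exception.Message)"
        }
        $result
    }
}

# Dry run, then apply:
#   Disable-MailboxAutoMapping -Mailbox SharedOnPremMailbox -WhatIf
#   Disable-MailboxAutoMapping -Mailbox SharedOnPremMailbox
```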


Test-ExchangeServerHealth.ps1 Has Been Updated to V1.16


A new version of Test-ExchangeServerHealth.ps1 is now available for download. This update contains the following fixes and improvements:

  • Shadow redundancy queues are no longer included in the transport queue size
  • Recovery DBs are now excluded from all Get-MailboxDatabase commands, to avoid issues running tests against them
  • Content index state of “Autosuspended” (introduced in recent CUs) is now catered for as a healthy state
  • Incorrect reporting of Test-ReplicationHealth results for different versions has been fixed
  • Various formatting, readability and other minor issues fixed

You can download the script from the TechNet Script Gallery. For more information on how to use Test-ExchangeServerHealth.ps1, please refer to this blog post.

The post Test-ExchangeServerHealth.ps1 Has Been Updated to V1.16 appeared first on Practical 365.

Reporting Office 365 Admin Role Group Members


Office 365 allows organizations to delegate administrative privileges in a granular fashion. There is an over-arching “Global Administrator” role, as well as a series of lower privilege roles for specific administrative tasks. A partial list of the admin roles is visible in the user management area of the Office 365 admin portal.

That’s not the complete list though. There are several other administrative and non-administrative roles in Office 365. While looking for a complete list, I happened to stumble across some differences between how the old MSOnline PowerShell module reports the list of roles, compared to the new AzureAD PowerShell module. Get-MsolRole returns 30 groups, while Get-AzureADDirectoryRoleTemplate returns 34 groups. I’ve highlighted the differences in the table below.

It’s good practice to review the membership of admin groups on a regular basis, to make sure that only those users who require admin privileges in your tenant actually have them, and nobody else has sneaked in there and been forgotten.

If you’re familiar with the Exchange RBAC permissions model you will notice that none of the Exchange RBAC roles are included in that list above. If you want to report on those you can use my RBAC role group membership report script.

You should also be aware that if you’re using Get-AzureADDirectoryRole as the equivalent cmdlet to Get-MsolRole, the Get-AzureADDirectoryRole cmdlet only returns roles that have been enabled. It seems that a role becomes enabled when you first add a user to the role, or when an admin enables the role using the Enable-AzureADDirectoryRoleTemplate cmdlet. Since the point of this exercise is to report on membership of Office 365 roles, I’m going to use Get-AzureADDirectoryRole as the basis of a PowerShell script, which will effectively ignore roles that have not been enabled yet.

If you just want to download the reporting script, go to the end of this blog post.

To begin with, let’s look at the output of Get-AzureADDirectoryRole for one of my tenants.

PS C:\> Get-AzureADDirectoryRole
ObjectId                             DisplayName
--------                             -----------
1e5b0ce4-381f-4554-93fc-1fdea462c7eb Billing Administrator
32554153-2f11-43f0-aadc-0c3c0e9540c6 CRM Service Administrator
4d7ba3db-b65c-46f8-8fc5-8f5803e7809c Company Administrator
5a12811f-e5d4-4794-b9e7-a604b3881a26 Lync Service Administrator
67780c9d-4aa7-4ff5-986f-c04b07b70546 Power BI Service Administrator
7cbef213-fcb9-43b5-8b65-eee6dd79e2f4 Service Support Administrator
83c85103-dd8e-4d24-bd17-922fc40dd7d4 Directory Readers
a75585d4-38b8-4e14-9a40-8f694cb4164f User Account Administrator
ad9c6fdb-d8c9-4c57-9b2d-070f75bc30db Helpdesk Administrator
daaca1b7-f6f2-4cbb-82e4-f8adcfcdd02e Exchange Service Administrator
e58f4d04-b5fc-406b-a2bd-cc114499ac53 SharePoint Service Administrator
e7b328f2-2839-400c-ac6a-299c2487aa16 Directory Writers
f603a44f-df89-4a46-89b1-aedfe5f52ce8 Directory Synchronization Accounts
fde1b62b-4d9d-4a1b-96ca-381266264055 Device Administrators

To see the membership of a role, such as Company Administrator (which is the same as Global Administrator when you’re editing a user’s roles in the Office 365 admin portal), we need to run Get-AzureADDirectoryRoleMember and supply the ObjectId.

PS C:\> Get-AzureADDirectoryRoleMember -ObjectId 4d7ba3db-b65c-46f8-8fc5-8f5803e7809c
ObjectId                             DisplayName     UserPrincipalName
--------                             -----------     -----------------
8db8b044-b825-4456-b6f7-3994f9296872 Paul Cunningham admin@exchangeserverpro.onmicrosoft.com
b2149a88-327c-4f61-afb5-f8a7374f6d28 Paul Cunningham paul_domain#EXT#@exchangeserverpro.onmicrosoft.com

The standard output looks different depending on the role that you’re querying. For example, Directory Readers looks like this.

PS C:\Scripts> Get-AzureADDirectoryRoleMember -ObjectId 83c85103-dd8e-4d24-bd17-922fc40dd7d4
ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
a6bb4c6f-657c-439f-8b52-9ca3dee1b5fd 00000009-0000-0000-c000-000000000000 Microsoft.Azure.AnalysisServices
fc7627c0-4b51-4bfc-8ea1-0a9dd14644d2 00000005-0000-0ff1-ce00-000000000000 Microsoft.YammerEnterprise
1b6f4fb3-25c5-43c6-b414-77da6ec221a1 0711fa10-367d-4adb-93fd-123456789000 O365SecureScore
c462bdd3-b0e3-4737-9b5a-6939e31dd4e2 2dd1318c-77a5-44df-9bd8-123456788999 CiraSync Contact Management
e365650e-697d-498e-bdc9-046e81fe9103 0000001a-0000-0000-c000-000000000000 MicrosoftAzureActiveAuthn

The properties that are returned are also different, depending on the type of object that is a member of the group. Users have properties such as JobTitle, Mail, and PasswordPolicies. Service principals (such as the Office 365 Secure Score service) have properties such as AppId, Homepage, and Oauth2Permissions. Both types of objects have common properties such as ObjectType and DisplayName though, so reporting on both types of objects together is not too difficult.

For this script I’m going to report on:

  • DisplayName
  • ObjectType
  • AccountEnabled
  • UserPrincipalName (for users)
  • Homepage (for service principals)
  • PasswordPolicies (for users)

PS C:\> Get-AzureADDirectoryRoleMember -ObjectId 4d7ba3db-b65c-46f8-8fc5-8f5803e7809c | Select DisplayName,ObjectType,AccountEnabled,UserPrincipalName,HomePage,PasswordPolicies
DisplayName       : Paul Cunningham
ObjectType        : User
AccountEnabled    : True
UserPrincipalName : admin@exchangeserverpro.onmicrosoft.com
HomePage          :
PasswordPolicies  : DisablePasswordExpiration
DisplayName       : Paul Cunningham
ObjectType        : User
AccountEnabled    : True
UserPrincipalName : paul_domain#EXT#@exchangeserverpro.onmicrosoft.com
HomePage          :
PasswordPolicies  : None

Retrieving that information for the members of an admin group/role is not difficult, as you can see above. To generate a full report it’s really just a matter of looping through the roles, collecting the desired info, and presenting it in a readable format for the report. I’ve chosen to use CSV as the file format. You can then load the CSV into Excel to filter and sort the data as required.

This script, Get-O365AdminGroupsReport.ps1, relies on the AzureAD PowerShell module. If you do not have the module installed the script will throw an error. You can install the AzureAD module from the PowerShell Gallery.

To use the script, simply run the following command and you’ll be prompted to authenticate to Azure AD.

PS C:\Scripts> .\Get-O365AdminGroupsReport.ps1

To see script progress, use the -Verbose switch.

PS C:\Scripts> .\Get-O365AdminGroupsReport.ps1 -Verbose

The script will output a CSV file named Office365AdminGroupMembers-ddMMyyyy.csv, where “ddMMyyyy” is the current date (e.g. 17042017). If the file already exists, a unique string of characters is added to the filename.

There are two optional parameters that you can use to change the output behavior:

  • ReportFile – You can provide a custom output file name. The file name you specify will be modified with the current date, for example MyReportFileName.csv will become MyReportFileName-ddMMyyyy.csv. If a file of the same name exists, a unique character string will also be appended to the file name.
  • Overwrite – Overwrites an existing report file of the same name, instead of appending a unique character string.

You can download Get-O365AdminGroupsReport.ps1 from the TechNet Script Gallery.
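The loop described above can be sketched as follows. This is an added example, not the Get-O365AdminGroupsReport.ps1 script itself; the output file name and the ReviewNotes column are assumptions made for this illustration, and it expects Connect-AzureAD to have been run already.

```powershell
# Added example: not the author's Get-O365AdminGroupsReport.ps1.
# Assumes the AzureAD module is installed and Connect-AzureAD has already been run.
[CmdletBinding()]
param(
    # Hypothetical default file name, chosen for this example only
    [string]$ReportFile = ".\AdminRoleReview-$(Get-Date -Format 'ddMMyyyy').csv"
)

# Get-AzureADDirectoryRole only returns roles that have been enabled in the tenant
$roles = Get-AzureADDirectoryRole | Sort-Object DisplayName

$report = foreach ($role in $roles) {
    Write-Verbose "Processing role: $($role.DisplayName)"

    # @() keeps the loop safe when a role has zero or one member
    foreach ($member in @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)) {

        # Review notes are an addition for this example, to make the CSV easier to triage
        $notes = @()
        if ($member.ObjectType -eq 'User') {
            if ($member.AccountEnabled -eq $false) {
                $notes += 'Disabled account still holds role'
            }
            if ($member.UserPrincipalName -like '*#EXT#*') {
                $notes += 'External (guest) account'
            }
            if ($member.PasswordPolicies -match 'DisablePasswordExpiration') {
                $notes += 'Password never expires'
            }
        }
        elseif ($member.ObjectType -eq 'ServicePrincipal') {
            $notes += 'Service principal: confirm the application is still in use'
        }

        # Users and service principals share DisplayName, ObjectType and AccountEnabled;
        # properties that do not exist on an object type simply come back empty
        [pscustomobject]@{
            Role              = $role.DisplayName
            DisplayName       = $member.DisplayName
            ObjectType        = $member.ObjectType
            AccountEnabled    = $member.AccountEnabled
            UserPrincipalName = $member.UserPrincipalName
            Homepage          = $member.Homepage
            PasswordPolicies  = $member.PasswordPolicies
            ReviewNotes       = $notes -join '; '
        }
    }
}

if (@($report).Count -gt 0) {
    $report | Export-Csv -Path $ReportFile -NoTypeInformation -Encoding UTF8
    Write-Verbose "Wrote $(@($report).Count) rows to $ReportFile"

    # Quick on-screen summary: how many members each role has
    $report | Group-Object Role | Sort-Object Count -Descending |
        Select-Object Count, Name
}
else {
    Write-Warning 'No role members were returned; nothing written.'
}
```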

The post Reporting Office 365 Admin Role Group Members appeared first on Practical 365.

        

Mailbox Permissions vs Mailbox Folder Permissions


When you are granting access for one user to access another mailbox, whether that be another user’s mailbox or a shared mailbox, you can configure the access using either mailbox permissions or mailbox folder permissions. The two approaches are suitable for different scenarios.

Mailbox Permissions

Mailbox permissions are used to grant access to an entire mailbox. Every folder within the mailbox, whether it be the Inbox, Calendar, or Contacts, allows the same level of access, when mailbox permissions are used.

The access granted through mailbox permissions is “Full Access”, meaning that the user can read, write, edit, create, delete, and so on.

When you assign mailbox permissions, you have the option to enable or disable auto-mapping. Auto-mapping will automatically connect Outlook users to mailboxes that they have been granted mailbox permissions to. This happens through Autodiscover, and Auto-mapping is enabled by default. When you grant a user mailbox permission to another mailbox you can optionally disable auto-mapping, in which case the user needs to manually open or add the mailbox to their Outlook profile.

However, Auto-mapping only works if you grant mailbox permissions to a user directly. If you grant mailbox permissions to a security group that the user is a member of, they’ll get access to the mailbox but auto-mapping won’t work at all.

More info:

Mailbox Folder Permissions

Mailbox Folder Permissions grant access to specific mailbox folders only. So if you grant a user permissions to the Inbox, they won’t get access to the Calendar as well.

Mailbox Folder Permissions can actually be configured by the mailbox owner themselves using Outlook. But administrators can do it as well, and are usually asked to handle it for the users anyway, especially for shared mailboxes.

When you use mailbox folder permissions, there’s a lot more control over the level of access granted. You can grant full access, or editor access, or reviewer access (which is like Read Only access). It’s not an all or nothing approach.

As a potential downside though, when you configure mailbox folder permissions, auto-mapping is not used at all. Users will always need to manually add mailboxes to their Outlook profile, if their access has been granted using mailbox folder permissions.

A common usage of mailbox folder permissions is granting read-only access to a specific mailbox folder. This can be achieved by granting a user the Reviewer role for the folder. Reviewer allows read access to the mailbox folder items, but no other access (e.g. the user can’t create items or delete existing items).
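To see which of the two approaches has been used on a given mailbox, both permission types can be listed side by side. This is an added example, not from the original article; it assumes an Exchange Management Shell or Exchange Online PowerShell session, uses the Payroll mailbox name that appears elsewhere on this page, and assumes English folder names.

```powershell
# Added example: not from the original article.
# Assumes an Exchange Management Shell or Exchange Online PowerShell session.
$mailbox = 'Payroll'                          # example mailbox name used elsewhere on this page
$folders = 'Inbox', 'Calendar', 'Contacts'    # folder names assumed to be English defaults

# 1. Mailbox permissions: explicit grants that apply to the entire mailbox.
#    Inherited entries and the mailbox's own NT AUTHORITY entries are skipped.
$mailboxLevel = Get-MailboxPermission -Identity $mailbox |
    Where-Object { -not $_.IsInherited -and "$($_.User)" -notlike 'NT AUTHORITY\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Scope        = 'Mailbox'
            Folder       = '(entire mailbox)'
            User         = "$($_.User)"
            AccessRights = $_.AccessRights -join ','
        }
    }

# 2. Mailbox folder permissions: per-folder grants such as Reviewer or Editor.
$folderLevel = foreach ($folder in $folders) {
    Get-MailboxFolderPermission -Identity "${mailbox}:\$folder" -ErrorAction SilentlyContinue |
        # Drop entries that grant nothing (typically Default/Anonymous set to None)
        Where-Object { ($_.AccessRights -join ',') -ne 'None' } |
        ForEach-Object {
            [pscustomobject]@{
                Scope        = 'Folder'
                Folder       = $folder
                User         = "$($_.User)"
                AccessRights = $_.AccessRights -join ','
            }
        }
}

# Combined view: FullAccess rows are all-or-nothing grants, Folder rows are scoped grants
@($mailboxLevel) + @($folderLevel) |
    Sort-Object Scope, Folder, User |
    Format-Table -AutoSize
```

A user who only needs to read one folder and appears in a Mailbox row with FullAccess is a candidate for replacing that grant with a Reviewer entry on the folder.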

More info:

The post Mailbox Permissions vs Mailbox Folder Permissions appeared first on Practical 365.

First Steps: Configuring Office 365 Groups Settings


Groups are a collaboration feature of Office 365 that allow teams to work together using a shared mailbox, calendar, SharePoint file repository, and OneNote notebook. Office 365 Groups are also a membership service for other applications such as Planner, Teams, and StaffHub. Groups should not be confused with security groups (which control access/permissions to resources) or distribution groups (which are used to distribute email to multiple recipients, although Groups can also do this).

Groups are enabled by default for Office 365 tenants, and Group creation is also enabled for any user in the organization. This allows users to create a Group for their team to collaborate, or create a team in Teams, or start using Planner, without any interaction from the IT department. It’s the type of freedom that many modern workplaces thrive on.

However, there are also environments where complete openness and free rein on Groups usage is a problem. Shortly after Groups first appeared in Office 365 a systems engineer at a large university commented to me that their students started creating hundreds of Groups with no real purpose. Some of the Groups were named specifically to make a joke or insult another person, knowing that the Group would appear in the Outlook address book and be visible to everyone.

There is also the recent controversy over Microsoft’s plans to implement automatic Group creation in Office 365 based on manager/reports relationships in Active Directory. The roll out of that change has slowed down so that more testing can be performed, and more feedback can be gathered, but at this stage it is still intended for the change to go ahead in the near future.

With those issues in mind, there are two configurations to look at:

  • The settings that control Group creation by users.
  • The setting that controls automatic Group creation based on manager/reports relationships.

Managing Office 365 Groups Settings

In the past the Groups controls have been applied using OWA mailbox policies to allow or disallow the creation of Groups. This approach was fine when Groups were primarily created and used via Outlook. But Groups is a feature that spans many Office 365 services (e.g. as mentioned earlier, Teams and Planner use Groups). So the OWA mailbox policy approach was only effective in preventing creation of Groups via Outlook, and would not prevent Groups from being created via other workloads (e.g. when a new Planner plan is created).

Eventually a tenant-wide control was added, and could be managed using PowerShell. However, this required a specific preview build of the MS Online PowerShell module (also known as Azure Active Directory Module V1). Getting the right build installed just to perform one configuration task was a bit frustrating, but fortunately only necessary as a one-time change (unless you wanted to modify the config again later on).

Fortunately, the controls are now coming to the Azure Active Directory Module V2, which I’ll just refer to here as the AzureAD module. As I’m writing this the necessary cmdlets are available in the AzureADPreview module, which can happily coexist with the AzureAD module on the same computer if necessary. You can check the PowerShell Gallery page for the AzureAD module to find out if the cmdlets used in the demos below (Get-AzureADDirectorySetting, Get-AzureADDirectorySettingTemplate, etc) are included yet. If not, use the AzureADPreview module.

To get started, install the AzureAD or AzureADPreview module on your management workstation.

PS C:\> Install-Module AzureAD

Next, connect to Azure AD for your tenant, and then run Get-AzureADDirectorySetting to check for existing settings.

PS C:\> Connect-AzureAD
PS C:\> Get-AzureADDirectorySetting

Note, if you have both PowerShell modules installed and want to explicitly use the AzureADPreview module, run the following command to connect.

PS C:\> AzureADPreview\Connect-AzureAD

If you see no output from Get-AzureADDirectorySetting then there are no settings currently in place. However, if you see an entry that uses the TemplateId of 62375ab9-6b52-47ed-826b-58e47e0e304b with a DisplayName of Group.Unified, then you have an existing Groups settings configuration in place.

PS C:\> Get-AzureADDirectorySetting
Id                                   DisplayName   TemplateId                           Values
--                                   -----------   ----------                           ------
d9ac5e4f-f76e-4b0d-838e-d40aa97741fd Group.Unified 62375ab9-6b52-47ed-826b-58e47e0e304b {class SettingValue {...

To view the settings, run Get-AzureADDirectorySetting for the Id of your settings object, which in my example is d9ac5e4f-f76e-4b0d-838e-d40aa97741fd.

PS C:\> (Get-AzureADDirectorySetting -id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd).Values
Name                          Value
----                          -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId   489c22bb-beba-4915-80b0-85c85f4c64e8
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           False

In the example above, Group creation is disabled except for members of the Group with Id 489c22bb-beba-4915-80b0-85c85f4c64e8, which is a group named Groups Admins in my tenant.

PS C:\> Get-AzureADGroup -ObjectId 489c22bb-beba-4915-80b0-85c85f4c64e8
ObjectId                             DisplayName   Description
--------                             -----------   -----------
489c22bb-beba-4915-80b0-85c85f4c64e8 Groups Admins

From here there are a few different ways to go, depending on the outcome that you want to achieve. For this article I’ll demonstrate:

  • How to update an existing Groups settings configuration
  • How to remove an existing Groups settings configuration
  • How to configure Groups settings if no settings are already in place

How to Update an Existing Groups Settings Configuration

In the example shown above there is already a Groups settings configuration in place. For this demonstration I’ll modify the configuration so that Groups creation is available for all users, instead of being restricted to the members of one security group. The steps are:

  1. Retrieve the existing directory settings into an object
  2. Update the properties of the object
  3. Set the directory settings with the new object properties

PS C:\> $GroupsConfig = Get-AzureADDirectorySetting -Id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd
PS C:\> $GroupsConfig["GroupCreationAllowedGroupId"] = $null
PS C:\> $GroupsConfig["EnableGroupCreation"] = $true
PS C:\> Set-AzureADDirectorySetting -Id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd -DirectorySetting $GroupsConfig
PS C:\> (Get-AzureADDirectorySetting -id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd).Values
Name                          Value
----                          -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           True

Remove an Existing Groups Settings Configuration

If you’d prefer to just remove the settings entirely and let Office 365 apply the default Groups settings to your tenant, then you can do that by running the following command.

PS C:\> Remove-AzureADDirectorySetting -Id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd

Configure Groups Settings for Office 365

If you have no Groups settings configuration already in place, you can create a new one with the controls that you want for your organization. The controls that are available include:

  • EnableGroupCreation – this can be configured to True or False, and controls whether users who do not have admin rights can create Groups.
  • GroupCreationAllowedGroupId – this can be configured with the Guid of a security group that will be allowed to create Groups when EnableGroupCreation is set to False.
  • UsageGuidelinesUrl – a link to Groups usage guidelines for your organization. This could be the URL of an intranet page that informs users about how to effectively use Groups for collaboration.
  • ClassificationList – a comma-delimited list of classifications that can be applied to Groups, such as Internal Only, Confidential, Public, or any other classifications that are part of your information architecture. These classifications are a visual cue for your users to understand the nature of the information in the Group, but are not actually enforced by Office 365.
  • DefaultClassification – the default classification that will be applied if the Group owner or an administrator has not applied a classification yet.
  • AllowGuestsToAccessGroups – controls whether external users will be allowed to have access to Groups content. Note that external access to all Groups-based applications is not currently available (e.g. Teams does not support external/guest access at this time).
  • AllowGuestsToBeGroupOwner – controls whether an external user can be made the owner of a Group.
  • GuestUsageGuidelinesUrl – same as the UsageGuidelinesUrl but applies to guest users. Logically this would be an externally-accessible URL.
  • AllowToAddGuests – controls whether guests can be added at all.

Other settings for DefaultClassification, ClassificationDescriptions, and PrefixSuffixNamingRequirement are all slated for future releases.

For this example we’ll apply a Groups settings configuration that:

  • Enables Group creation for end users
  • Makes classifications of Internal Only, Confidential, and Public available
  • Disallows guest access
  • Links to an intranet page for Group usage guidelines

The steps are:

  1. Create a new settings object based on the available Group.Unified template
  2. Configure the desired settings in the settings object
  3. Set the Azure AD directory settings using the settings object

PS C:\> $GroupsConfig = (Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b).CreateDirectorySetting()
PS C:\> $GroupsConfig["AllowToAddGuests"] = $false
PS C:\> $GroupsConfig["AllowGuestsToAccessGroups"] = $false
PS C:\> $GroupsConfig["ClassificationList"] = "Internal Only,Confidential,Public"
PS C:\> $GroupsConfig["UsageGuidelinesUrl"] = "https://intranet/help-desk/groups-guidelines"
PS C:\> New-AzureADDirectorySetting -DirectorySetting $GroupsConfig

Note that there was no need to set EnableGroupCreation to True in the above commands because that is already the default value.
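The update and create procedures above can be combined so that the same commands work whether or not a Groups settings object already exists. The following is an added example, not from the original article: it restricts Group creation to one security group, looks the settings object up by the Group.Unified TemplateId instead of a hard-coded Id, and assumes an existing Connect-AzureAD session with a module version that includes the directory setting cmdlets. The group name is the one from the author's tenant and should be replaced with your own.

```powershell
# Added example: not from the original article.
# Assumes Connect-AzureAD has been run with AzureADPreview (or an AzureAD build
# that includes the *-AzureADDirectorySetting cmdlets).
$templateId       = '62375ab9-6b52-47ed-826b-58e47e0e304b'   # Group.Unified template Id shown above
$allowedGroupName = 'Groups Admins'                          # group name from the article's tenant; use your own

# -SearchString matches on the start of the name, so filter to an exact match
$allowedGroup = @(Get-AzureADGroup -SearchString $allowedGroupName |
    Where-Object { $_.DisplayName -eq $allowedGroupName })
if ($allowedGroup.Count -ne 1) {
    throw "Expected exactly one group named '$allowedGroupName', found $($allowedGroup.Count)."
}

# Look for an existing Groups settings object; build one from the template if none exists
$setting = Get-AzureADDirectorySetting | Where-Object { $_.TemplateId -eq $templateId }
$isNew   = -not $setting
if ($isNew) {
    $setting = (Get-AzureADDirectorySettingTemplate -Id $templateId).CreateDirectorySetting()
}

# Only members of the allowed group can create Groups; other values are left as they were
$setting["EnableGroupCreation"]         = $false
$setting["GroupCreationAllowedGroupId"] = $allowedGroup[0].ObjectId

if ($isNew) {
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
}
else {
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Read the values back from the tenant to confirm what is actually in effect
$current = Get-AzureADDirectorySetting | Where-Object { $_.TemplateId -eq $templateId }
$current.Values |
    Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId',
                               'AllowToAddGuests', 'AllowGuestsToAccessGroups' } |
    Format-Table Name, Value -AutoSize
```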

Configuring Automatic Group Creation Settings

In March 2017 Microsoft announced a change to Office 365 that will automatically create Groups based on manager/reports relationships in Active Directory. There are some conditions that Microsoft will be applying to determine whether a Group should be created for a manager and their team of direct reports, which you can read more about here.

If your organization wants to prevent the automatic Group creation from occurring, you can disable it by connecting to Exchange Online using PowerShell, and then running the following command.

PS C:\> Set-OrganizationConfig -DirectReportsGroupAutoCreationEnabled:$false

Summary

Office 365 Groups are a useful feature that customers can use for team collaboration. However, some organizations will need to control how Groups are created, or prevent them from being created at all, in order to comply with their own internal IT requirements. Every organization should at least check the Groups settings for their tenant to ensure they meet their expectations.

The post First Steps: Configuring Office 365 Groups Settings appeared first on Practical 365.

What’s New in Office 365 for April 2017


Office 365 for IT Pros, 3rd Edition is continually updated with new information, changes and corrections. Customers who bought the book from this website can download the updated files from their purchase history. Updates applied to the Amazon Kindle version are available through your Kindle library after they are approved by Amazon.

During April Microsoft has launched quite a few new apps and features in Office 365. The new To-Do app is available in Preview, and is built by the same team that created Wunderlist (acquired by Microsoft in 2015). Wunderlist lives on while features are added to To-Do, but will eventually be shut down. As a preview release To-Do is a basic personal task list app with a few nice features such as the “My day” list of tasks. To-Do integrates with Outlook tasks but doesn’t integrate with tasks from other services like Planner or SharePoint.

Outlook Customer Manager, which is a lightweight CRM for Outlook users released last November, is now rolling out to Office 365 Business Premium customers around the world, and is also now being added to Outlook for iOS for mobile access. Interestingly it also adds the ability to delegate the scheduling of customer meetings to Cortana. It will be interesting to see the results of that. AI-driven scheduling could be very efficient, but on the other hand there’s bound to be someone who gets offended at the lack of personal interaction.

In Security and Compliance Land the new Office 365 Threat Intelligence features have just arrived in my tenant. Threat Intelligence, available for Enterprise E5 tenants or as a separate add-on license, combines threat information gleaned from industry reports, telemetry from Microsoft’s cloud services, and analytics from within your own tenant to provide you with what Microsoft refers to as “actionable intelligence”. I’m still exploring this in my own tenant, but the idea is that you can look at reports such as malware detection, identify users in your organization who are being targeted, or create alerts when a user has been targeted by malware.

Custom sensitive information types have also been added to the Security and Compliance Center. If you’ve worked with Exchange Data Loss Prevention (DLP) in the past then you might already be familiar with the process of creating definitions based on regex or keywords to meet specific DLP requirements that aren’t covered by the built-in functionality. Creating a sensitive information type involves authoring a specially formatted XML file that is imported using PowerShell, so it’s not a simple task. But the good news is if you’ve already invested the time to define sensitive information types in your Exchange Online DLP configuration, they’ll be ported automatically to the Security and Compliance Center for use across all workloads.

A new enhanced reporting dashboard has also been added to the Security and Compliance Center. Everybody loves a good dashboard.

Office 365 Groups receives another big round of updates and improvements, including:

  • The addition of guest management controls in the Office 365 admin portal and Exchange Admin Center. You can add existing guest users to Groups, or remove them. But at this stage you can’t invite new guests to your organization.
  • In a big step forward for compliance, Groups can now have retention policies applied to them. Tony Redmond walks through the new capabilities, including a few gotchas to be aware of, in his article on Petri.
  • The ability to upgrade Exchange distribution lists to Office 365 Groups has been added as a one-click option for distribution list owners. PowerShell scripts have also been provided for bulk conversions. Only cloud-managed, non-nested distribution lists that have no moderation or send-on-behalf settings, aren’t hidden from address lists, and only contain user mailboxes, team mailboxes, shared mailboxes, or mail users can be upgraded. That narrows the use case quite a bit, but should result in more adoption of Groups by customers.
  • Groups access has also been added to the latest Outlook for iOS and Android apps, as well as Outlook for Mac. The standalone Groups mobile apps will remain available as well until Outlook has full support for Group files, calendars, and notebooks.
  • The New-UnifiedGroup cmdlet has been modified to remove the SuppressWarmupMessage when creating new Groups, apparently due to confusion over its purpose.

Office 365 ProPlus received big news in April:

  • Advanced Threat Protection (ATP) Safe Links has been added to Office applications. Now when users in ATP-enabled tenants click on hyperlinks in documents, the links will receive the same checking that Safe Links performs on links in emails. However, unlike emails, the links themselves are not rewritten in the documents. The experience so far has been a little rough for me, with multiple timeouts on the link checks, but it seems to be improving.
  • The update model for Office 365 ProPlus is changing to align with Windows 10 updates. There will now be two updates to Office 365 ProPlus per year instead of three, with the updates targeted for March and September. Support for each release is being extended from 12 months to 18 months as well. These changes should take some of the pressure off support staff who are trying to manage deployment and updates across large fleets of desktops. As part of the change, the update channels for Office 365 ProPlus are being renamed, again. For example, from September 2017 the Current Channel will now be called the Monthly Channel, and the Deferred Channel will be called the Semi-annual Channel (Broad). I don’t think the names are an improvement but I guess they were deemed necessary.

In other Office 365 news:

The post What’s New in Office 365 for April 2017 appeared first on Practical 365.

        

Managing Office 365 Licenses with the Azure AD V2 PowerShell Module


In Office 365 we have three methods of managing license assignments for individual or multiple user accounts.

The Office 365 admin portal provides a simple web interface for managing license assignments. It’s easy to add a license for a user, or for multiple users, enable or disable sub-SKU features (the individual services that are included in a license), or remove a license. Licenses for multiple users can be managed at the same time. This method is useful for ad-hoc license management, or for bulk assigning licenses when you first provision an Office 365 tenant. The web interface is friendly for even a non-technical user, so license management tasks can be delegated to people outside of IT support if necessary.

Azure Active Directory group-based licensing, which I wrote about here, simplifies license management by mapping license assignments to groups. License management for end users is then a simple task of adding or removing users in groups, and doesn’t require the ongoing use of Office 365 management tools.

In this article I’m going to demonstrate how to manage Office 365 licenses using PowerShell. This is more complex than either of the previous methods, but is useful for automating license assignments as part of a user provisioning process. PowerShell is also a good method for querying license usage and generating your own custom reports for license consumption, which can help you to manage your costs over time.

We’ll look at:

The Azure AD V2 PowerShell Module

License management in Office 365 is performed using the Azure Active Directory PowerShell module. The first version of this PowerShell module is also known as the MS Online module, and uses cmdlets with “Msol” in the name, for example Connect-MsolService and Get-MsolUser.

While the MS Online module is still available today, it will be deprecated in the near future. A new Azure Active Directory PowerShell V2 module has been developed to replace it. This module is also known as the Azure AD module. The Azure AD module uses the Office 365 Graph API to interact with Office 365. Microsoft aims to migrate the functionality of the MS Online module to the Azure AD module, and recommends that you use Azure AD for any script development. In this blog post I will demonstrate license management using the Azure AD module.

The Azure AD module is installed using PowerShellGet, which is included with Windows Management Framework (WMF) 5.0 (PowerShell 5.0). Windows 10 and Windows Server 2012 R2 or later ship with PowerShell 5.0 installed by default, which means that PowerShellGet is already available. For earlier operating systems, you’ll either need to upgrade to WMF 5.0, or install PowerShellGet for PowerShell 3.0 or 4.0. Some applications such as Exchange Server are sensitive to changes in the version of WMF that is installed on the system, so you should not upgrade WMF until you’ve verified that all your installed software will continue to work.

PS C:\> Install-Module AzureAD

After the Azure AD module is installed you can connect to your Office 365 tenant by running the Connect-AzureAD cmdlet, and then entering your admin credentials when prompted. The Azure AD module supports the use of multi-factor authentication (MFA).

PS C:\> Connect-AzureAD

To explore the available cmdlets in the Azure AD module, run the following command.

PS C:\> Get-Command -Module AzureAD

As a side note, Connect-AzureAD will work with a stored credentials function as long as your account does not require MFA or you’re connecting from a network that allows MFA to be bypassed.

PS C:\> Connect-AzureAD -Credential (Get-StoredCredential -UserName admin@exchangeserverpro.onmicrosoft.com)

Listing Available Licenses

The Get-AzureADSubscribedSku cmdlet is used to query the licenses that your organization has subscribed to in Office 365.

PS C:\> Get-AzureADSubscribedSku | Select Sku*,*Units
SkuId                                SkuPartNumber  ConsumedUnits PrepaidUnits
-----                                -------------  ------------- ------------
6fd2c87f-b296-42f0-b197-1e91e994b900 ENTERPRISEPACK            14 class LicenseUnitsDetail {...
efccb6f7-5641-4e0e-bd10-b4976e1bf68e EMS                        2 class LicenseUnitsDetail {...

A more detailed view of the licenses that are enabled and consumed is available by expanding the PrepaidUnits property.

PS C:\> Get-AzureADSubscribedSku | Select -Property Sku*,ConsumedUnits -ExpandProperty PrepaidUnits
SkuId         : 6fd2c87f-b296-42f0-b197-1e91e994b900
SkuPartNumber : ENTERPRISEPACK
ConsumedUnits : 17
Enabled       : 25
Suspended     : 0
Warning       : 0
SkuId         : efccb6f7-5641-4e0e-bd10-b4976e1bf68e
SkuPartNumber : EMS
ConsumedUnits : 2
Enabled       : 5
Suspended     : 0
Warning       : 0

In the output above we can see that my tenant has 25 “ENTERPRISEPACK” licenses, and 5 “EMS” licenses. The SkuPartNumber for each does not precisely match the name of the license that you’ll see in Office 365 documentation or in the license management sections of the Office 365 admin portal. For example, ENTERPRISEPACK is the SkuPartNumber for the Enterprise E3 license, while EMS is the SkuPartNumber for the Enterprise Mobility and Security E3 license. A complete list of part numbers and friendly names isn’t available on Microsoft online documentation sites, although with a little searching and common sense you can usually work out what they mean. If there’s any confusion, opening a support ticket with Microsoft will get you the answers you need.

The individual license features and services, also referred to as sub-SKU features, can also be inspected. As with the SkuPartNumber values, the ServicePlanName values are not a match for the friendly names that you see in the Office 365 or Azure admin portals, but names like SWAY, POWERAPPS_O365_P2, and EXCHANGE_S_ENTERPRISE are obvious. Others are not so obvious, such as MCOSTANDARD (Skype for Business Online), but again some searching online will usually clear up any confusion.

PS C:\> $licenses = Get-AzureADSubscribedSku
PS C:\> $licenses[0].SkuPartNumber
ENTERPRISEPACK
PS C:\> $licenses[0].ServicePlans
AppliesTo ProvisioningStatus ServicePlanId                        ServicePlanName
--------- ------------------ -------------                        ---------------
User      Success            8c7d2df8-86f0-4902-b2ed-a0458298f3b3 Deskless
User      Success            76846ad7-7776-4c40-a281-a386362dd1b9 FLOW_O365_P2
User      Success            c68f8d98-5534-41c8-bf36-22fa496fa792 POWERAPPS_O365_P2
User      Success            57ff2da0-773e-42df-b2af-ffb7a2317929 TEAMS1
User      Success            b737dad2-2f6c-4c65-90e3-ca563267e8b9 PROJECTWORKMANAGEMENT
User      Success            a23b959c-7ce8-4e57-9140-b90eb88a9e97 SWAY
Company   Success            882e1d05-acd1-4ccb-8708-6ee03664b117 INTUNE_O365
User      Success            7547a3fe-08ee-4ccb-b430-5077c5041653 YAMMER_ENTERPRISE
User      Success            bea4c11e-220a-4e6d-8eb8-8ea15d019f90 RMS_S_ENTERPRISE
User      Success            43de0ff5-c92c-492b-9116-175376d08c38 OFFICESUBSCRIPTION
User      Success            0feaeb32-d00e-4d66-bd5a-43b5b83db82c MCOSTANDARD
User      Success            e95bec33-7c88-4a70-8e19-b10bd9d0c014 SHAREPOINTWAC
User      Success            5dbe027f-2339-4123-9542-606e4d348a72 SHAREPOINTENTERPRISE
User      Success            efb87545-963c-4e0d-99df-69c6916d9eb0 EXCHANGE_S_ENTERPRISE
PS C:\> $licenses[1].SkuPartNumber
EMS
PS C:\> $licenses[1].ServicePlans
AppliesTo ProvisioningStatus ServicePlanId                        ServicePlanName
--------- ------------------ -------------                        ---------------
User      Success            6c57d4b6-3b23-47a5-9bc9-69f17b4947b3 RMS_S_PREMIUM
User      Success            c1ec4a95-1f05-45b3-a911-aa3fa01094f5 INTUNE_A
User      Success            bea4c11e-220a-4e6d-8eb8-8ea15d019f90 RMS_S_ENTERPRISE
User      Success            41781fb2-bc02-4b7c-bd55-b576c07bb09d AAD_PREMIUM
User      Success            8a256a2b-b617-496d-b51b-e76466e88db0 MFA_PREMIUM

Querying License Assignments for User Accounts

There are two user properties that reveal the license assignments for a user. The first is the AssignedLicenses property, which can be retrieved using Get-AzureADUser.

PS C:\> Get-AzureADUser -SearchString jane.tulley@exchangeserverpro.net | Select -ExpandProperty AssignedLicenses
DisabledPlans                          SkuId
-------------                          -----
{7547a3fe-08ee-4ccb-b430-5077c5041653} 6fd2c87f-b296-42f0-b197-1e91e994b900

In the output above we can see the SkuId of the license that is assigned to the user. The matching license can be found by running Get-AzureADSubscribedSku, which in the output below we can see is the ENTERPRISEPACK license (Enterprise E3).

PS C:\> Get-AzureADSubscribedSku | Where {$_.SkuId -eq "6fd2c87f-b296-42f0-b197-1e91e994b900"}
ObjectId                                                                  SkuPartNumber
--------                                                                  -------------
2b9bca49-687e-4e5f-8a52-21350b719b06_6fd2c87f-b296-42f0-b197-1e91e994b900 ENTERPRISEPACK

The Get-AzureADUser output shown above also reveals the DisabledPlans property. This property contains the ServicePlanId values of the sub-SKU features that have been disabled for the user. There are two ways to match those ServicePlanId values to the actual names of the sub-SKU features. The first is to use the output of Get-AzureADSubscribedSku to view the ServicePlanId values for the individual services, as demonstrated earlier. For the example of Jane Tulley, the ID of the disabled plan is “7547a3fe-08ee-4ccb-b430-5077c5041653”, which is YAMMER_ENTERPRISE in the list of service plans for the ENTERPRISEPACK license.

The other approach is to look at the AssignedPlans property of the user.

PS C:\> Get-AzureADUser -SearchString jane.tulley@exchangeserverpro.net | Select -ExpandProperty AssignedPlans
AssignedTimestamp     CapabilityStatus Service                       ServicePlanId
-----------------     ---------------- -------                       -------------
1/05/2017 11:01:50 AM Enabled          PowerAppsService              c68f8d98-5534-41c8-bf36-22fa496fa792
1/05/2017 11:01:50 AM Enabled          ProcessSimple                 76846ad7-7776-4c40-a281-a386362dd1b9
1/05/2017 11:01:50 AM Enabled          RMSOnline                     bea4c11e-220a-4e6d-8eb8-8ea15d019f90
1/05/2017 11:01:50 AM Enabled          Deskless                      8c7d2df8-86f0-4902-b2ed-a0458298f3b3
1/05/2017 11:01:50 AM Enabled          Sway                          a23b959c-7ce8-4e57-9140-b90eb88a9e97
27/02/2017 5:43:09 AM Enabled          TeamspaceAPI                  57ff2da0-773e-42df-b2af-ffb7a2317929
27/02/2017 5:40:56 AM Suspended        YammerEnterprise              7547a3fe-08ee-4ccb-b430-5077c5041653
19/01/2017 6:24:33 AM Enabled          exchange                      efb87545-963c-4e0d-99df-69c6916d9eb0
19/01/2017 6:24:33 AM Enabled          SharePoint                    5dbe027f-2339-4123-9542-606e4d348a72
19/01/2017 6:24:33 AM Enabled          SharePoint                    e95bec33-7c88-4a70-8e19-b10bd9d0c014
19/01/2017 6:24:33 AM Enabled          MicrosoftCommunicationsOnline 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
19/01/2017 6:24:33 AM Enabled          MicrosoftOffice               43de0ff5-c92c-492b-9116-175376d08c38
19/01/2017 6:24:33 AM Enabled          ProjectWorkManagement         b737dad2-2f6c-4c65-90e3-ca563267e8b9

In the output above we can see that the “YammerEnterprise” service is suspended, and has a ServicePlanId matching the ID in the list of DisabledPlans we saw earlier.

You will also notice that the service names returned in the Get-AzureADUser output do not always match the service plan names returned in the Get-AzureADSubscribedSku output. For example, Get-AzureADUser shows a service name of “TeamspaceAPI” whereas Get-AzureADSubscribedSku shows the same service as “TEAMS1”. These differences are mildly irritating but do reinforce the idea that you should match two different pieces of data by the ServicePlanId, not by the friendly name, whenever you are running PowerShell cmdlets or writing scripts to manage your licenses.

For administrators who are familiar with using the MS Online PowerShell module to manage licenses, there is one minor difference to be aware of. The Get-AzureADUser and Get-MsolUser cmdlets return slightly different information for the same user object. Get-AzureADUser will only return sub-SKU features that are Enabled, Deleted or Suspended, whereas Get-MsolUser will return the status of all sub-SKU features. Here’s an example, using an account where I’ve disabled several sub-SKU features to demonstrate the differences in cmdlet output.

PS C:\> Get-AzureADUser -SearchString aisha.bhari@exchangeserverpro.net | Select -ExpandProperty AssignedPlans
AssignedTimestamp     CapabilityStatus Service               ServicePlanId
-----------------     ---------------- -------               -------------
1/05/2017 11:12:19 AM Enabled          SharePoint            5dbe027f-2339-4123-9542-606e4d348a72
1/05/2017 11:12:19 AM Enabled          SharePoint            e95bec33-7c88-4a70-8e19-b10bd9d0c014
1/05/2017 11:12:19 AM Enabled          MicrosoftOffice       43de0ff5-c92c-492b-9116-175376d08c38
1/05/2017 11:12:19 AM Enabled          ProjectWorkManagement b737dad2-2f6c-4c65-90e3-ca563267e8b9
1/05/2017 11:12:19 AM Enabled          TeamspaceAPI          57ff2da0-773e-42df-b2af-ffb7a2317929
1/05/2017 11:12:19 AM Enabled          PowerAppsService      c68f8d98-5534-41c8-bf36-22fa496fa792
1/05/2017 11:12:19 AM Enabled          ProcessSimple         76846ad7-7776-4c40-a281-a386362dd1b9
PS C:\> (Get-MsolUser -UserPrincipalName aisha.bhari@exchangeserverpro.net).Licenses[0].ServiceStatus
ServicePlan           ProvisioningStatus
-----------           ------------------
Deskless              Disabled
FLOW_O365_P2          Success
POWERAPPS_O365_P2     Success
TEAMS1                Success
PROJECTWORKMANAGEMENT Success
SWAY                  Disabled
INTUNE_O365           Success
YAMMER_ENTERPRISE     Disabled
RMS_S_ENTERPRISE      Disabled
OFFICESUBSCRIPTION    Success
MCOSTANDARD           Disabled
SHAREPOINTWAC         Success
SHAREPOINTENTERPRISE  Success
EXCHANGE_S_ENTERPRISE Disabled
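
The advice above to match on ServicePlanId, and the caveat that Get-AzureADUser omits plans that are not Enabled, Suspended or Deleted, can be combined into one per-user report. This is an added example, not code from the original post: the function name Get-UserPlanReport is hypothetical, and the sample objects are constructed from the IDs shown in the output above so that it runs without a tenant connection.

```powershell
# Added example: join license data on ServicePlanId, never on the display name.
function Get-UserPlanReport {
    [CmdletBinding()]
    param(
        # Output of Get-AzureADSubscribedSku
        [Parameter(Mandatory)] [object[]] $SubscribedSku,
        # AssignedLicenses property of a Get-AzureADUser object
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $AssignedLicense,
        # AssignedPlans property of the same user object
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $AssignedPlan
    )

    # Index what Get-AzureADUser reports for the user, keyed by ServicePlanId.
    $reported = @{}
    foreach ($plan in $AssignedPlan) {
        $reported[[string]$plan.ServicePlanId] = $plan
    }

    foreach ($license in $AssignedLicense) {
        $sku = $SubscribedSku |
            Where-Object { [string]$_.SkuId -eq [string]$license.SkuId } |
            Select-Object -First 1
        if (-not $sku) {
            Write-Warning "SkuId $($license.SkuId) is assigned but is not a subscribed SKU."
            continue
        }
        $disabled = @(foreach ($d in $license.DisabledPlans) { [string]$d })

        foreach ($servicePlan in $sku.ServicePlans) {
            $id = [string]$servicePlan.ServicePlanId
            # Plans in any other state are simply absent from AssignedPlans.
            if ($reported.ContainsKey($id)) {
                $userService = $reported[$id].Service
                $status      = $reported[$id].CapabilityStatus
            } else {
                $userService = $null
                $status      = 'NotReported'
            }
            [pscustomobject]@{
                SkuPartNumber     = $sku.SkuPartNumber
                ServicePlanName   = $servicePlan.ServicePlanName
                UserServiceName   = $userService
                DisabledOnLicense = ($disabled -contains $id)
                CapabilityStatus  = $status
                ServicePlanId     = $id
            }
        }
    }
}

# Constructed sample input, shaped like the cmdlet output shown in this post
# (a four-plan subset of ENTERPRISEPACK), so the function can be tried offline.
$sampleSku = [pscustomobject]@{
    SkuId         = '6fd2c87f-b296-42f0-b197-1e91e994b900'
    SkuPartNumber = 'ENTERPRISEPACK'
    ServicePlans  = @(
        [pscustomobject]@{ ServicePlanId = '57ff2da0-773e-42df-b2af-ffb7a2317929'; ServicePlanName = 'TEAMS1' }
        [pscustomobject]@{ ServicePlanId = '7547a3fe-08ee-4ccb-b430-5077c5041653'; ServicePlanName = 'YAMMER_ENTERPRISE' }
        [pscustomobject]@{ ServicePlanId = '0feaeb32-d00e-4d66-bd5a-43b5b83db82c'; ServicePlanName = 'MCOSTANDARD' }
        [pscustomobject]@{ ServicePlanId = 'efb87545-963c-4e0d-99df-69c6916d9eb0'; ServicePlanName = 'EXCHANGE_S_ENTERPRISE' }
    )
}
$sampleLicense = [pscustomobject]@{
    SkuId         = '6fd2c87f-b296-42f0-b197-1e91e994b900'
    DisabledPlans = @('7547a3fe-08ee-4ccb-b430-5077c5041653',
                      '0feaeb32-d00e-4d66-bd5a-43b5b83db82c')
}
$samplePlans = @(
    [pscustomobject]@{ Service = 'TeamspaceAPI';     CapabilityStatus = 'Enabled';   ServicePlanId = '57ff2da0-773e-42df-b2af-ffb7a2317929' }
    [pscustomobject]@{ Service = 'YammerEnterprise'; CapabilityStatus = 'Suspended'; ServicePlanId = '7547a3fe-08ee-4ccb-b430-5077c5041653' }
    [pscustomobject]@{ Service = 'exchange';         CapabilityStatus = 'Enabled';   ServicePlanId = 'efb87545-963c-4e0d-99df-69c6916d9eb0' }
)

Get-UserPlanReport -SubscribedSku $sampleSku -AssignedLicense $sampleLicense -AssignedPlan $samplePlans |
    Format-Table -AutoSize

# Against a live tenant (after Connect-AzureAD):
#   $u = Get-AzureADUser -SearchString jane.tulley@exchangeserverpro.net
#   Get-UserPlanReport -SubscribedSku (Get-AzureADSubscribedSku) `
#       -AssignedLicense $u.AssignedLicenses -AssignedPlan $u.AssignedPlans
```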

Assigning a Single License Using PowerShell

The Set-AzureADUserLicense cmdlet assigns Office 365 licenses to user accounts and removes them. A simple example is assigning a license to a new user account. Before assigning the license, the usage location of the account also needs to be configured. The license assignment process involves a series of steps to:

  1. Create an assigned license (singular) object
  2. Add the assigned license object to another object representing the assigned licenses (plural)
  3. Run Set-AzureADUserLicense and provide the value for the assigned licenses (plural)

To perform those steps we need to know the ObjectId of the user account, and the SkuId of the license.

PS C:\> Get-AzureADSubscribedSku | Select Sku*
SkuId                                SkuPartNumber
-----                                -------------
6fd2c87f-b296-42f0-b197-1e91e994b900 ENTERPRISEPACK
efccb6f7-5641-4e0e-bd10-b4976e1bf68e EMS
PS C:\> $User = Get-AzureADUser -SearchString sharon.butler@exchangeserverpro.net
PS C:\> $user
ObjectId                             DisplayName   UserPrincipalName                   UserType
--------                             -----------   -----------------                   --------
9930a287-640e-4670-a2ae-2ba3eb5fca33 Sharon Butler Sharon.Butler@exchangeserverpro.net Member

Now we can go ahead and create the license assignment.

PS C:\> Set-AzureADUser -ObjectId $User.ObjectId -UsageLocation AU
PS C:\> $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
PS C:\> $License.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"
PS C:\> $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
PS C:\> $LicensesToAssign.AddLicenses = $License
PS C:\> Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $LicensesToAssign

The user now has a single license SKU assigned, and the plans for that license are enabled.

PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedLicenses
DisabledPlans SkuId
------------- -----
{}            6fd2c87f-b296-42f0-b197-1e91e994b900
PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedPlans
AssignedTimestamp    CapabilityStatus Service                       ServicePlanId
-----------------    ---------------- -------                       -------------
2/05/2017 2:41:26 AM Enabled          TeamspaceAPI                  57ff2da0-773e-42df-b2af-ffb7a2317929
2/05/2017 2:41:26 AM Enabled          MicrosoftCommunicationsOnline 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
2/05/2017 2:41:26 AM Enabled          PowerAppsService              c68f8d98-5534-41c8-bf36-22fa496fa792
2/05/2017 2:41:26 AM Enabled          ProcessSimple                 76846ad7-7776-4c40-a281-a386362dd1b9
2/05/2017 2:41:26 AM Enabled          SharePoint                    e95bec33-7c88-4a70-8e19-b10bd9d0c014
2/05/2017 2:41:26 AM Enabled          ProjectWorkManagement         b737dad2-2f6c-4c65-90e3-ca563267e8b9
2/05/2017 2:41:26 AM Enabled          RMSOnline                     bea4c11e-220a-4e6d-8eb8-8ea15d019f90
2/05/2017 2:41:26 AM Enabled          SharePoint                    5dbe027f-2339-4123-9542-606e4d348a72
2/05/2017 2:41:26 AM Enabled          YammerEnterprise              7547a3fe-08ee-4ccb-b430-5077c5041653
2/05/2017 2:41:26 AM Enabled          Deskless                      8c7d2df8-86f0-4902-b2ed-a0458298f3b3
2/05/2017 2:41:26 AM Enabled          MicrosoftOffice               43de0ff5-c92c-492b-9116-175376d08c38
2/05/2017 2:41:26 AM Enabled          Sway                          a23b959c-7ce8-4e57-9140-b90eb88a9e97
2/05/2017 2:41:26 AM Enabled          exchange                      efb87545-963c-4e0d-99df-69c6916d9eb0

Assigning Multiple Licenses Using PowerShell

Using the same steps as above you can assign an additional license to a user. For example, if we wanted to add the EMS license to the user who is already licensed for Enterprise E3, we could simply re-run the steps above using the SkuId for the EMS license.

If you would like to assign multiple licenses at the same time you can do so with just a small modification to the process. Remember, we’re creating an assigned license (singular) object, and adding it to an assigned licenses (plural) object. We can add multiple assigned license (singular) objects by repeating those commands. Here’s an example of licensing a user for Enterprise E3 and EMS at the same time.

PS C:\> $User = Get-AzureAdUser -SearchString vik.kirby@exchangeserverpro.net
PS C:\> Set-AzureADUser -ObjectId $User.ObjectId -UsageLocation AU
PS C:\> $E3License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
PS C:\> $EMSLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
PS C:\> $E3License.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"
PS C:\> $EMSLicense.SkuId = "efccb6f7-5641-4e0e-bd10-b4976e1bf68e"
PS C:\> $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
PS C:\> $LicensesToAssign.AddLicenses = $E3License,$EMSLicense
PS C:\> Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $LicensesToAssign
PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedPlans

The user now has multiple license SKUs assigned, and the services for both of those SKUs are enabled.

PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedLicenses
DisabledPlans SkuId
------------- -----
{}            efccb6f7-5641-4e0e-bd10-b4976e1bf68e
{}            6fd2c87f-b296-42f0-b197-1e91e994b900
PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedPlans
AssignedTimestamp    CapabilityStatus Service                       ServicePlanId
-----------------    ---------------- -------                       -------------
2/05/2017 2:39:08 AM Enabled          TeamspaceAPI                  57ff2da0-773e-42df-b2af-ffb7a2317929
2/05/2017 2:39:08 AM Enabled          MicrosoftCommunicationsOnline 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
2/05/2017 2:39:08 AM Enabled          PowerAppsService              c68f8d98-5534-41c8-bf36-22fa496fa792
2/05/2017 2:39:08 AM Enabled          AADPremiumService             41781fb2-bc02-4b7c-bd55-b576c07bb09d
2/05/2017 2:39:08 AM Enabled          ProcessSimple                 76846ad7-7776-4c40-a281-a386362dd1b9
2/05/2017 2:39:08 AM Enabled          SharePoint                    e95bec33-7c88-4a70-8e19-b10bd9d0c014
2/05/2017 2:39:08 AM Enabled          ProjectWorkManagement         b737dad2-2f6c-4c65-90e3-ca563267e8b9
2/05/2017 2:39:08 AM Enabled          RMSOnline                     bea4c11e-220a-4e6d-8eb8-8ea15d019f90
2/05/2017 2:39:08 AM Enabled          RMSOnline                     6c57d4b6-3b23-47a5-9bc9-69f17b4947b3
2/05/2017 2:39:08 AM Enabled          SharePoint                    5dbe027f-2339-4123-9542-606e4d348a72
2/05/2017 2:39:08 AM Enabled          YammerEnterprise              7547a3fe-08ee-4ccb-b430-5077c5041653
2/05/2017 2:39:08 AM Enabled          Deskless                      8c7d2df8-86f0-4902-b2ed-a0458298f3b3
2/05/2017 2:39:08 AM Enabled          MultiFactorService            8a256a2b-b617-496d-b51b-e76466e88db0
2/05/2017 2:39:08 AM Enabled          MicrosoftOffice               43de0ff5-c92c-492b-9116-175376d08c38
2/05/2017 2:39:08 AM Enabled          Sway                          a23b959c-7ce8-4e57-9140-b90eb88a9e97
2/05/2017 2:39:08 AM Enabled          SCO                           c1ec4a95-1f05-45b3-a911-aa3fa01094f5
2/05/2017 2:39:08 AM Enabled          exchange                      efb87545-963c-4e0d-99df-69c6916d9eb0

In the output above you might notice that Intune, which is included with the EMS license, is not listed as a service. This is another example of how Get-AzureADUser doesn’t show services that are not in an enabled, suspended, or deleted state. Intune requires activation for the user, and is in a “PendingInput” state when the license is initially assigned to the user as you can see in the Get-MsolUser output below.

PS C:\> Get-MsolUser -UserPrincipalName vik.kirby@exchangeserverpro.net | Select -ExpandProperty Licenses | Select -ExpandProperty ServiceStatus
ServicePlan           ProvisioningStatus
-----------           ------------------
RMS_S_PREMIUM         Success
INTUNE_A              PendingInput
RMS_S_ENTERPRISE      Success
AAD_PREMIUM           Success
MFA_PREMIUM           Success
...

Assigning Licenses with Sub-SKU Features Disabled

Office 365 licenses such as Enterprise E3 and E5 allow access to multiple services and applications. For some organizations it is required to disable some of the features of a license, either because the feature should not be used in that environment, or simply to manage a staged roll out and adoption of Office 365 features.

To assign a license with sub-SKU features disabled we use the same process demonstrated earlier, but this time we need to configure the license object with enabled and disabled plans before applying the license to the user. For this example I’ll assign an E3 license but only enable the Exchange Online mailbox and the Office 365 ProPlus applications.

PS C:\> $User = Get-AzureADUser -SearchString blake.johnson@exchangeserverpro.net
PS C:\> Set-AzureADUser -ObjectId $User.ObjectId -UsageLocation AU
PS C:\> $SkuFeaturesToEnable = @("EXCHANGE_S_ENTERPRISE","OFFICESUBSCRIPTION")
PS C:\> $StandardLicense = Get-AzureADSubscribedSku | Where {$_.SkuId -eq "6fd2c87f-b296-42f0-b197-1e91e994b900"}
PS C:\> $SkuFeaturesToDisable = $StandardLicense.ServicePlans | ForEach-Object { $_ | Where {$_.ServicePlanName -notin $SkuFeaturesToEnable }}
PS C:\> $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
PS C:\> $License.SkuId = $StandardLicense.SkuId
PS C:\> $License.DisabledPlans = $SkuFeaturesToDisable.ServicePlanId
PS C:\> $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
PS C:\> $LicensesToAssign.AddLicenses = $License
PS C:\> Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $LicensesToAssign

The user now has the license SKU assigned, but with multiple disabled plans. Only the two enabled features are showing as enabled services for the user as well.

PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedLicenses | fl
DisabledPlans : {8c7d2df8-86f0-4902-b2ed-a0458298f3b3, 76846ad7-7776-4c40-a281-a386362dd1b9,
                c68f8d98-5534-41c8-bf36-22fa496fa792, 57ff2da0-773e-42df-b2af-ffb7a2317929...}
SkuId         : 6fd2c87f-b296-42f0-b197-1e91e994b900
PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedPlans
AssignedTimestamp    CapabilityStatus Service         ServicePlanId
-----------------    ---------------- -------         -------------
2/05/2017 2:58:15 AM Enabled          MicrosoftOffice 43de0ff5-c92c-492b-9116-175376d08c38
2/05/2017 2:58:15 AM Enabled          exchange        efb87545-963c-4e0d-99df-69c6916d9eb0

Removing Licenses Using PowerShell

For the final demonstration in this article let’s look at how to remove an assigned license using PowerShell. The Set-AzureADUserLicense cmdlet is used for this task, and the process is similar to adding a license. The difference is that when creating the assigned licenses (plural) object we use RemoveLicenses instead of AddLicenses, and provide only the SkuId instead of the full license object.

PS C:\> $User = Get-AzureAdUser -SearchString sue.cooper@exchangeserverpro.net 
PS C:\> $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
PS C:\> $License.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"
PS C:\> $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
PS C:\> $LicensesToAssign.AddLicenses = @()
PS C:\> $LicensesToAssign.RemoveLicenses = $License.SkuId
PS C:\> Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $LicensesToAssign

The user has now had each of the previously licensed features marked as deleted due to the license being removed.

PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedPlans
AssignedTimestamp    CapabilityStatus Service                       ServicePlanId
-----------------    ---------------- -------                       -------------
2/05/2017 3:08:16 AM Deleted          TeamspaceAPI                  57ff2da0-773e-42df-b2af-ffb7a2317929
2/05/2017 3:08:16 AM Deleted          MicrosoftCommunicationsOnline 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
2/05/2017 3:08:16 AM Deleted          PowerAppsService              c68f8d98-5534-41c8-bf36-22fa496fa792
2/05/2017 3:08:16 AM Deleted          ProcessSimple                 76846ad7-7776-4c40-a281-a386362dd1b9
2/05/2017 3:08:16 AM Deleted          SharePoint                    e95bec33-7c88-4a70-8e19-b10bd9d0c014
2/05/2017 3:08:16 AM Deleted          ProjectWorkManagement         b737dad2-2f6c-4c65-90e3-ca563267e8b9
2/05/2017 3:08:16 AM Deleted          RMSOnline                     bea4c11e-220a-4e6d-8eb8-8ea15d019f90
2/05/2017 3:08:16 AM Deleted          SharePoint                    5dbe027f-2339-4123-9542-606e4d348a72
2/05/2017 3:08:16 AM Deleted          YammerEnterprise              7547a3fe-08ee-4ccb-b430-5077c5041653
2/05/2017 3:08:16 AM Deleted          Deskless                      8c7d2df8-86f0-4902-b2ed-a0458298f3b3
2/05/2017 3:08:16 AM Deleted          MicrosoftOffice               43de0ff5-c92c-492b-9116-175376d08c38
2/05/2017 3:08:16 AM Deleted          Sway                          a23b959c-7ce8-4e57-9140-b90eb88a9e97
2/05/2017 3:08:16 AM Deleted          exchange                      efb87545-963c-4e0d-99df-69c6916d9eb0

Summary

As you can see, managing Office 365 licenses with the Azure AD V2 PowerShell module is a complex task at first, but once you’ve performed the steps a few times it should become much more comfortable. Azure AD group-based license management is simpler, but won’t fit everyone’s needs. Using PowerShell to manage licenses like this will suit organizations who want to automate license assignments as part of other processes. The use of the Graph API also means you can ignore the Azure AD module itself and write custom code to interact with the REST API to perform the same tasks. That is out of scope of this blog post, but it’s something you can explore if custom development and integration into third party systems is a requirement for you.

The post Managing Office 365 Licenses with the Azure AD V2 PowerShell Module appeared first on Practical 365.

Controlling Exchange Online Mailbox Features with Mailbox Plans

When an Exchange Online mailbox is created in Office 365 it has all of the mailbox features and protocols enabled by default. This makes sense for the average Office 365 customer who doesn’t want to fiddle with settings to get basic functionality like email on mobile devices to work. But it is less suited for enterprises that have specific requirements for mailbox features that their users should have access to. For example, a business might decide that POP and IMAP access to mailboxes should be disabled by default, and only enabled for specific cases.

For some time we’ve had access to configure mailbox plans for Exchange Online mailboxes. Each tenant has a pre-configured set of mailbox plans that you can see by connecting to Exchange Online with PowerShell and running the Get-MailboxPlan cmdlet.

PS C:\> Get-MailboxPlan | Select Name,IsDefault
Name                                                          IsDefault
----                                                          ---------
ExchangeOnline-095c913d-92fa-42bf-8943-48439432cd00               False
ExchangeOnlineDeskless-bbae14c5-e979-420b-988b-7105d6efa9f3       False
ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97      True
ExchangeOnlineEssentials-a5e5ae5a-e03e-400b-8f1d-aa723a5902ff     False

There have been cases in the past where modifying mailbox plans was necessary to take advantage of new Office 365 capabilities. For example, two years ago Microsoft increased the maximum email message size for Exchange Online to 150MB, but kept the default maximum message size set to 35MB. To increase the maximum message size for your existing mailboxes you needed to run a Set-Mailbox command. To increase the maximum message size for newly created mailboxes you needed to modify the mailbox plan.

Now Microsoft is rolling out further enhancements to mailbox plans, per the Office 365 road map.

A limited set of configuration options are available for modifying mailbox plans, which we can see by looking at the parameters for the Set-MailboxPlan cmdlet.

PS C:\> (get-command set-mailboxplan).Parameters
Key                      Value
---                      -----
ErrorAction              System.Management.Automation.ParameterMetadata
IssueWarningQuota        System.Management.Automation.ParameterMetadata
Force                    System.Management.Automation.ParameterMetadata
MaxSendSize              System.Management.Automation.ParameterMetadata
RoleAssignmentPolicy     System.Management.Automation.ParameterMetadata
OutVariable              System.Management.Automation.ParameterMetadata
WhatIf                   System.Management.Automation.ParameterMetadata
Verbose                  System.Management.Automation.ParameterMetadata
RetentionPolicy          System.Management.Automation.ParameterMetadata
WarningVariable          System.Management.Automation.ParameterMetadata
Debug                    System.Management.Automation.ParameterMetadata
Confirm                  System.Management.Automation.ParameterMetadata
ProhibitSendQuota        System.Management.Automation.ParameterMetadata
OutBuffer                System.Management.Automation.ParameterMetadata
ErrorVariable            System.Management.Automation.ParameterMetadata
Identity                 System.Management.Automation.ParameterMetadata
RetainDeletedItemsFor    System.Management.Automation.ParameterMetadata
ProhibitSendReceiveQuota System.Management.Automation.ParameterMetadata
WarningAction            System.Management.Automation.ParameterMetadata
MaxReceiveSize           System.Management.Automation.ParameterMetadata
IsDefault                System.Management.Automation.ParameterMetadata
AsJob                    System.Management.Automation.ParameterMetadata

Stripping out the generic PowerShell parameters from the output above, we see that Set-MailboxPlan can be used to configure these settings for newly created mailboxes:

  • IssueWarningQuota
  • ProhibitSendReceiveQuota
  • ProhibitSendQuota
  • MaxSendSize
  • MaxReceiveSize
  • RoleAssignmentPolicy
  • RetentionPolicy
  • RetainDeletedItemsFor

There are quite a few more parameters listed on the Set-MailboxPlan documentation on TechNet, but most of them are reserved for internal Microsoft use. Whether more of them become available to customers in future is unknown.

Another cmdlet, Set-CASMailboxPlan, can also be used to pre-configure mailbox properties. While Set-MailboxPlan manages settings that are otherwise configured by the Set-Mailbox cmdlet, the Set-CASMailboxPlan cmdlet manages settings that are otherwise configured by Set-CASMailbox. This basically includes mailbox access options, such as whether specific mailbox protocols are enabled or not.

The parameters that are currently available for Set-CASMailboxPlan are:

PS C:\> (get-command set-casmailboxplan).Parameters
Key               Value
---               -----
ErrorAction       System.Management.Automation.ParameterMetadata
ImapEnabled       System.Management.Automation.ParameterMetadata
Verbose           System.Management.Automation.ParameterMetadata
OwaMailboxPolicy  System.Management.Automation.ParameterMetadata
OutVariable       System.Management.Automation.ParameterMetadata
WarningVariable   System.Management.Automation.ParameterMetadata
Debug             System.Management.Automation.ParameterMetadata
Confirm           System.Management.Automation.ParameterMetadata
ErrorVariable     System.Management.Automation.ParameterMetadata
Identity          System.Management.Automation.ParameterMetadata
OutBuffer         System.Management.Automation.ParameterMetadata
WarningAction     System.Management.Automation.ParameterMetadata
PopEnabled        System.Management.Automation.ParameterMetadata
ActiveSyncEnabled System.Management.Automation.ParameterMetadata
WhatIf            System.Management.Automation.ParameterMetadata
AsJob             System.Management.Automation.ParameterMetadata

Again, stripping out the generic PowerShell parameters leaves us with these options:

  • IMAPEnabled
  • OWAMailboxPolicy
  • POPEnabled
  • ActiveSyncEnabled

Many more parameters of Set-CASMailboxPlan are reserved for internal Microsoft use, including useful parameters like setting EWS block lists.

As with mailbox plans, each tenant is pre-configured with a set of CAS mailbox plans that you can view by running Get-CASMailboxPlan.

PS C:\> Get-CASMailboxPlan | Select Name,IsDefault
Name                                                          IsDefault
----                                                          ---------
ExchangeOnline-095c913d-92fa-42bf-8943-48439432cd00
ExchangeOnlineDeskless-bbae14c5-e979-420b-988b-7105d6efa9f3
ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97
ExchangeOnlineEssentials-a5e5ae5a-e03e-400b-8f1d-aa723a5902ff

There is no IsDefault property for CAS mailbox plans, unlike mailbox plans. However, the names and GUIDs match, and I assume that when a mailbox plan is assigned to a mailbox, the matching CAS mailbox plan is also applied. There is little sense in de-coupling the two.

As with mailbox plans, CAS mailbox plans take effect for newly created mailboxes, not for existing mailboxes. For example, let’s take a look at the IMAP protocol status for the existing mailbox user Jane Tulley.

PS C:\> Get-CASMailbox Jane.Tulley | Select Imap*
ImapEnabled                             : True
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False

The IMAP protocol is enabled for Jane’s mailbox. If we then set the CAS mailbox plan to disable IMAP, it has no effect on Jane as an existing mailbox user.

PS C:\> set-CASMailboxPlan ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97 -ImapEnabled:$false
PS C:\> Get-CASMailbox Jane.Tulley | Select Imap*
ImapEnabled                             : True
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False

For a mailbox created after the CAS mailbox plan was modified, the IMAP protocol is disabled.

PS C:\> Get-CASMailbox TestUser10 | Select Imap*
ImapEnabled                             : False
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False

What this means is that you can use mailbox plans and CAS mailbox plans to control how your newly created mailboxes are configured, at least for a limited set of options. However you can’t use mailbox plans to roll out broad changes to mailbox configurations. For that you will need to write your own PowerShell commands or scripts to make the changes to existing mailboxes. Also, mailbox plans can’t be relied upon to re-enforce mailbox configurations to ensure they remain compliant with your organization’s policies. For that you will need to write your own scripts to scan and remediate any mailbox configurations that drift away from your desired settings.
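A scan-and-remediate script of the kind described above could look like the following. This is an added example, not code from the original article; the function names Get-CasDrift and Repair-CasDrift, the desired values, and the sample objects are assumptions made for illustration.

```powershell
# Desired protocol state for every mailbox (assumed policy: IMAP and POP off).
$Desired = [ordered]@{ ImapEnabled = $false; PopEnabled = $false }

# Hypothetical helper: emits one row per setting that differs from the desired state.
function Get-CasDrift {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Desired
    )
    process {
        foreach ($name in $Desired.Keys) {
            $actual = $Mailbox.$name
            if ($actual -ne $Desired[$name]) {
                [pscustomobject]@{
                    Identity = $Mailbox.PrimarySmtpAddress
                    Setting  = $name
                    Actual   = $actual
                    Desired  = $Desired[$name]
                }
            }
        }
    }
}

# Hypothetical helper: applies the desired value with Set-CASMailbox.
# Supports -WhatIf so the change list can be reviewed before anything is written.
function Repair-CasDrift {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Drift)
    process {
        $params = @{ Identity = $Drift.Identity }
        $params[$Drift.Setting] = $Drift.Desired
        $action = "Set $($Drift.Setting) to $($Drift.Desired)"
        if ($PSCmdlet.ShouldProcess($Drift.Identity, $action)) {
            Set-CASMailbox @params
        }
    }
}

# Constructed sample objects shaped like Get-CASMailbox output, so the scan runs offline.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'jane.tulley@example.com'; ImapEnabled = $true;  PopEnabled = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'testuser10@example.com';  ImapEnabled = $false; PopEnabled = $true }
)
$sample | Get-CasDrift -Desired $Desired | Format-Table -AutoSize

# Against a live tenant (requires an Exchange Online PowerShell session):
# Get-CASMailbox -ResultSize Unlimited | Get-CasDrift -Desired $Desired | Repair-CasDrift -WhatIf
```

Running the scan on a schedule and reviewing the `-WhatIf` output before removing that switch gives a record of which mailboxes drifted and when.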

The post Controlling Exchange Online Mailbox Features with Mailbox Plans appeared first on Practical 365.


Help Test the .NET Framework Checks for Exchange Analyzer

One of the tests that was developed earlier in the life of Exchange Analyzer looked at the version of .NET Framework installed on the server to determine if it was supported with the version of Exchange running on the server. After that test was originally written the support matrix for Exchange and .NET Framework became more complex. The test was not providing accurate guidance and was removed from Exchange Analyzer.

The version of .NET Framework running on your Exchange server is very important for performance and stability reasons, so adding the test back to Exchange Analyzer has been on my to-do list since it was removed. This week I’ve rewritten the test so that it should be accurate today, and maintainable in future as the support matrix changes.

However, it’s difficult to test this one thoroughly because there are so many possible combinations of Exchange Server and .NET Framework that are supported, not to mention all the unsupported ones. So I need some help, and that’s where you come in. I would appreciate some testers to give this new version a try before it is released publicly.

If you’re willing to test this new Exchange Analyzer version, please download a Zip file of the branch here.

The normal instructions for running Exchange Analyzer apply, which you can find here. But you should make sure you update your copy of the ExchangeAnalyzer module on your PC or server where you are running this updated version from. You’ll see new sections in the report for the .NET Framework support status, highlighted in the screenshot below.

After running your test please leave a comment below if the report was accurate. If you think that there was a problem with the results please email your report and script output to feedback@exchangeanalyzer.com.

The post Help Test the .NET Framework Checks for Exchange Analyzer appeared first on Practical 365.

Exchange Analyzer v0.2.5 Released

A new build of Exchange Analyzer is available, which includes the following fixes and improvements:

  • Rewritten .NET Framework test added back
  • Fix for bug in number formatting when reporting number of hours since last DB backup
  • Update to Wiki base URL for “More Info” links in report
  • Rewrite of POP3 and IMAP4 service status tests to use helper function, now reports startup modes of services
  • Other general code cleanups

Download the latest build here.

The next development milestone is targeting a v1.0.0 release.

The post Exchange Analyzer v0.2.5 Released appeared first on Practical 365.

Comparing Solutions for Mobile Device and Application Management in Office 365

As our business workforce becomes more mobile every year, and security risks for corporate data increase, it’s important to consider how you will manage mobility for your organization. Office 365 customers have a choice of solutions that can be used for mobile device management (MDM) and mobile application management (MAM). Each has different features available, with different strengths and weaknesses.

Some of the considerations that come into play include which devices and operating systems will need to be managed, and who will own those devices (BYOD vs corporate). We also need to consider whether non-Microsoft applications such as SaaS apps or custom business apps need to be managed. Diversity in the user population is also an important consideration. For some organizations a single approach to mobility is required, whereas others need to apply different policies and configurations to different groups of users. Specific compliance requirements are also important, as some organizations fall under strict government or industry regulations.

The solutions that we can choose from are:

  • Exchange ActiveSync
  • Office 365 MDM
  • Microsoft Intune

In addition to those Microsoft solutions there’s an extensive range of third party mobility solutions provided by other vendors. For this article I’m going to focus solely on the Microsoft solutions, but as part of your own assessment you should certainly evaluate third party options as well.

Exchange ActiveSync

Exchange ActiveSync has been available for mobile device management since the very early days of on-premises Exchange Server, and it is also available in Exchange Online. ActiveSync provides a basic MDM solution that allows you to configure policies that devices should comply with before they are allowed to connect to Exchange mailboxes. The policies cover basic device security options such as PIN/passcode strength, encrypted storage, and some features such as cameras. However, ActiveSync relies on the device honestly reporting its own compliance with the policy, so it’s not a guarantee that the policy requirements will actually be met.

There are also ActiveSync controls for either allowing, blocking, or quarantining (ABQ) a device or application based on characteristics such as the device family, operating system, or specific device IDs. You can read more about the ABQ process here.

For Office 365 customers ActiveSync is a quick and easy way to access email on mobile devices. As long as you have configured the Autodiscover records in DNS when you set up your Office 365 tenant (Microsoft provides the exact DNS records to use), mobile devices will be able to connect to Exchange Online mailboxes.

In fact, even devices that are not secured with a PIN or passcode will be able to connect, because the default mobile device policy in Office 365 is quite weak. If you plan to use ActiveSync for mobility you should review those policy settings and consider strengthening the policy requirements for devices.

One of the long-standing weaknesses of ActiveSync has been the inability to perform selective wipes. If a remote wipe was issued to an ActiveSync device, the entire device would be wiped and the user could potentially lose personal data. This became less of a problem once applications such as Touchdown or Outlook for iOS and Android became available, because the application itself became the “device” as far as Exchange Online is concerned. Any remote wipe issued to the application would only erase application data, not the entire mobile device. Microsoft made further investments in the development of the ActiveSync protocol and released EAS 16.1 which includes the ability to perform selective wipes (or “account-only wipes“) for compatible devices. Apple added support for EAS 16.1 in iOS 10.

ActiveSync works for connectivity to Exchange Online mailboxes for email, calendar, contacts, notes and tasks. ActiveSync is not used for other Office 365 workloads such as SharePoint, OneDrive, Planner, Teams, and so on. If your users are licensed only for an Exchange Online mailbox then you might consider ActiveSync to be a suitable solution. If you are using more features of Office 365 than just Exchange Online, then you should consider securing mobile access using Office 365 MDM or Microsoft Intune.

Office 365 MDM

Office 365 includes a mobile device management capability that extends beyond what ActiveSync can provide. Office 365 MDM is included free with Office 365 business and enterprise subscriptions. While ActiveSync takes a device-centric approach to mobile device management, and only works for Exchange Online, Office 365 MDM is able to enforce management and security policies on devices and applications that access other Office 365 workloads as well, for example OneDrive for Business. MDM policies can also be targeted at groups for ease of management.

The security settings that can be applied include the same PIN/passcode and device encryption options as ActiveSync provides, with additional detection of “jail broken” or “rooted” mobile devices. Office 365 MDM is also capable of managing the email profile on iOS devices and blocking users from creating their own profiles.

Selective wipes are also available in Office 365 MDM. Even though ActiveSync can perform account-only wipes for devices that are compatible with EAS 16.1, that still leaves a large number of older devices and applications among the user population that are not compatible. Office 365 MDM can perform selective wipes without the requirement of EAS 16.1 compatibility. However, very old devices are not compatible with Office 365 MDM at all. The current supported devices include:

  • iOS 7.1 or later
  • Android 4 or later
  • Windows Phone 8.1 or later
  • Windows 8.1 and 8.1 RT (limited to ActiveSync connections only)
  • Windows 10 and 10 Mobile (for Azure AD joined devices that have enrolled in Office 365 MDM)

Compared to ActiveSync, Office 365 MDM requires more initial setup and configuration. MDM is not activated by default, and an APNs certificate needs to be acquired from Apple for supporting iOS devices. The APNs certificate must also be renewed each year to prevent MDM-enrolled devices from losing access. I’ve written about the Office 365 MDM process in this series of articles:

Microsoft Intune

Microsoft Intune is a paid product that provides cloud-based mobile device and application management. Intune is available as a standalone license, and is also included in the Enterprise Mobility + Security (EMS) license. Intune has all of the capabilities of ActiveSync or Office 365 MDM but also offers a range of other features. Intune can be used to deploy business applications and application store apps to devices, as well as deploy configuration items such as certificates, VPN profiles and wifi network details. Web browsing from mobile devices can also be secured using the Intune Managed Browser app.

Intune also offers mobile application management (MAM) capabilities for preventing data being copied or saved from applications such as Word or OneDrive for business into other apps on managed devices. For example, you can allow users to download business documents using OneDrive, and edit them in the Word app on their device, but still prevent them from saving the file to their personal Dropbox app on the device.

Intune is not just for mobile devices, it can also be used to manage Windows PCs. Intune is also capable of operating in a hybrid mode with System Center Configuration Manager (SCCM) to unify the management of corporate on-premises and mobile/BYOD devices.

In an upcoming series of articles we’ll look closer at the capabilities of Intune and how to use it for specific scenarios.

The post Comparing Solutions for Mobile Device and Application Management in Office 365 appeared first on Practical 365.

The Fourth Edition of Office 365 for IT Pros is Nearly Here

I’m excited to announce that Office 365 for IT Pros, 4th Edition is nearly ready to be released. Assuming there are no last minute problems we’re expecting to release the new book later this week.

I wanted to give you this heads up because I know from feedback after previous releases that some of you need a few extra days to get approval for business purchases. If that is you, then here’s some information to help you with that process. For everyone else, this info should also answer the most frequently asked questions we get about buying or upgrading Office 365 for IT Pros.

Q: When will Office 365 for IT Pros, 4th Edition be available?

We’re expecting to have it available later this week. If you’re an email subscriber you will receive an email to let you know. The release will also be announced here on the blog, Twitter, and Facebook.

Q: What’s in the new edition?

Office 365 is a continually evolving and growing cloud service. The third edition of Office 365 for IT Pros has been updated regularly to adjust to those changes (full change log here), but structurally the book was losing alignment with the changes to Office 365’s services in a few key areas. A good example is the Office 365 Governance framework which has unified multiple, separate tools and capabilities into the Security and Compliance Center.

The new edition of the book has provided the opportunity to overhaul how those capabilities are covered, and better position the book for what will no doubt be a wave of further changes announced later this year at Microsoft Ignite.

In addition to the security and compliance changes, coverage has been expanded for important areas like Office 365 Groups, and the growing number of services that leverage Groups, such as Teams and Planner. There is also new content for Intune and Skype for Business Online, which have been among the most requested topics when we surveyed readers.

The cleanup has also allowed us to remove some obsolete material. Even so, the book has now grown to over 1000 pages, not including the separate bonus material that we also offer.

Essentially what you can expect to receive is the most up to date and comprehensive guide to Office 365 that is available anywhere.

Q: What is the price?

Office 365 for IT Pros, 4th Edition, will have the same pricing as the previous edition when purchased directly from Practical 365.

  • Standard Package – eBook (PDF + EPUB) + bonus PDFs, $39.95 (USD)
  • Premium Package – all of the above plus additional audio and video material, $49.95 (USD)

For a limited time we will be offering the above packages with a 20% discount.

For existing customers of Office 365 for IT Pros, 3rd Edition, you will receive an email with details of a discount upgrade offer. The emails will be sent when the new edition is ready for release. By upgrading you will receive the new edition plus ongoing updates to that edition. Updates to the 3rd edition will be ending after the 4th edition has been released.

Q: Will there be a Kindle version?

Yes. The Kindle version will appear in the Amazon Kindle Store in a few weeks. There’s some extra work involved, plus any delay in approval by Amazon.

The pricing for the Kindle version will remain the same. We are not able to offer a discount or upgrade to previous Kindle buyers due to the limitations of the Kindle store. If receiving upgrade offers in future is important to you then we recommend you purchase the PDF/EPUB version directly from Practical 365. The files are suitable for reading on a computer or tablet (I simply use iBooks on my iPad, it works great).

We’re really looking forward to getting Office 365 for IT Pros, 4th Edition, out the door and continuing the work of maintaining and updating it in future. If you have any other questions that haven’t been answered here please feel free to ask in the comments below.

The post The Fourth Edition of Office 365 for IT Pros is Nearly Here appeared first on Practical 365.

Office 365 for IT Pros, 4th Edition is Now Available

I’m pleased to announce the release of Office 365 for IT Pros, 4th Edition. This new edition of the industry’s leading Office 365 book has been updated with the very latest changes and new features in Microsoft’s Office 365 cloud services.

For this new edition we had four primary goals:

  • Restructure the book to better align with the way that Office 365 services co-exist today
  • Add new material, including Skype for Business Online coverage by MVP Ståle Hansen
  • Improve the coverage in other areas such as Office 365 Groups, Teams, and Intune
  • Remove obsolete material such as deprecated features

With 26 chapters spanning more than 1000 pages, Office 365 for IT Pros is the perfect eBook for:

  • Consultants and sysadmins tasked with migrating an organization to Office 365
  • IT professionals expected to manage or support Office 365 services
  • Experienced IT professionals who may be tasked with supporting services in Office 365 that they previously did not support on-premises
  • Help desk staff required to support Office 365 services and clients
  • IT pros looking for practical, real-world material to complement their training

To celebrate this release we’ve got a special offer for you. For a limited time you can get 20% off the regular price of Office 365 for IT Pros, 4th Edition. You can find out more details here.

The post Office 365 for IT Pros, 4th Edition is Now Available appeared first on Practical 365.
