Channel: Practical 365

What’s New in Office 365 for May 2017


I’m a few days behind on this roundup because we’ve been busy getting the new fourth edition of Office 365 for IT Pros out the door. Here’s what’s new and changed in Office 365 for May.

Microsoft Teams, the Slack-like persistent chat service for Office 365 which became generally available in March, has switched to a default of “On” for the organization-wide setting in the admin portal. Microsoft recommends the use of per-user licensing for Teams, and is planning to remove the org-wide control from the portal in the near future. You can manage licensing for your Office 365 users with groups-based licensing or by using PowerShell.

The Advanced Threat Protection (ATP) roll out for Office 365 ProPlus applications began for customers that are ATP licensed (E5 or standalone licensing). ATP Safe Links policies can now be applied to links in Word, Excel, and PowerPoint documents. When an end user clicks a link in a document, ATP checks whether the link points to a known malicious website, and if it does the user is blocked and warned of the threat. My Word docs started exhibiting this behavior back in April with a few initial hiccups, but it seems to have improved now. The Safe Links policies in the Security and Compliance Center (or via the Exchange Admin Center) now have additional organization-wide settings, which include the option to turn on Safe Links for Office 2016 on Windows.

More changes were rolled out for Office 365 Groups. Mail Contacts can now be added as members of Groups, simplifying the process of adding external guests to Groups. Tony Redmond has a write-up of how this works, as well as a few quirks to be aware of. One of the caveats, at least for now, is that this doesn’t remove the requirement for distribution groups to have no mail contacts in them before they can be converted to Groups. DL conversion to Groups is now available for admins and DL owners, but has a long list of eligibility requirements before a DL can actually be converted (e.g. it must be a cloud-only group that isn’t a security group, with no nesting, no forwarding, not dynamic, and more).

Groups are also getting a digest email for Group members to catch them up on communications they may have missed. The details on this are a bit vague so I’ll be interested to see it in action. From the info available it seems that you must be subscribed to the Group to receive the digest, which to me seems to be needless duplication (I’ll get the Group messages plus a digest of the Group messages?). If it is available as a separate option (e.g. I don’t want every message but I do want the digest) then that would make more sense to me, as would options to control the day/time the digest arrives.

SharePoint (and OneDrive for Business) are getting per-group sharing controls. First release tenants will start to see the new options in June, with other tenants to follow later. Currently we can control external sharing for the entire organization and at the site collection level. The new controls allow you to specify security groups that are allowed to share with external users, so you can lock down the organization-wide settings and then use the per-group settings to create exemptions.

SharePoint Online is also changing the email sending behavior for sharing emails. Previously all sharing emails were sent from no-reply@sharepointonline.com. This will change so that sharing emails for any user who has an Exchange Online mailbox will be sent using the user’s email address instead. The sharing email will also be saved in the user’s sent items folder. For users without Exchange Online mailboxes the no-reply@ behavior will continue.

For SharePoint and OneDrive mobile users, a quality-of-life improvement is being implemented to increase the token lifetime from 14 days to 90 days. The longer session timeout is a welcome change for anyone who is getting tired of repeatedly logging in to mobile apps.

To improve the end user experience for OneDrive, which will probably increase adoption as well, Microsoft also announced OneDrive Files On-Demand which is coming for Windows 10 computers that have the “Fall Creators Update”, as well as mobile applications. Files On-Demand allows users who are connected online to see all of the files in their OneDrive, not just the files that have been synced locally. This is somewhat similar to the user experience when placeholders existed in OneDrive, and reduces local storage usage by allowing users to only sync their most important and frequently accessed files locally. When an online file is accessed it will be automatically downloaded to the local computer for access.

In Compliance Land, Office 365 eDiscovery is receiving several improvements. RMS decryption is now supported for eDiscovery results that are exported to MSG files. For customers licensed for Advanced eDiscovery, unified case management has removed the need to create separate cases in Advanced eDiscovery by allowing eDiscovery case information to carry over to Advanced eDiscovery. Advanced eDiscovery is also getting support for optical character recognition (OCR) to be able to recognize text in image files.

Microsoft announced plans for general availability of Microsoft Stream, the replacement for Office 365 Video. When Stream arrives in tenants Microsoft will begin a phased migration of existing Office 365 Video content into Stream. Existing links and embedded content will continue to work, so there is no action required. If you’re planning to begin using Office 365 for video content today, start with Microsoft Stream. Stream is enabled by default and can be managed with per-user licensing.

Exchange Online received an enhancement to mail flow rules that allows you to create rules for Direct to Calendar meetings, which bypass the invitee needing to accept (or reject) the message and instead will add it directly to their calendar. I can think of a few customer cases where all meeting requests originating from a particular user or application were deemed mandatory, or were always sent as tentative/info-only meeting requests, so this capability would be useful for those customers.

Microsoft Planner users have finally got a mobile app to use. The initial version of the app allows you to view and update plans on your mobile device, but not create new plans. That feature, as well as Intune support, are coming in the near future. Since Planner tasks don’t integrate with Outlook tasks, Microsoft now has two separate task management apps for mobile (Planner and To-Do).

The public preview of the Power BI Office 365 adoption content pack has arrived. We’re well past the stage of initial onboarding being the big hurdle for Office 365, and now it’s adoption of features that many organizations are focusing on to get value from their investment in Office 365. The Power BI reports let you see how your organization is using services like Exchange Online, Skype, Yammer, OneDrive, and SharePoint, as well as report on activations of licensed Office applications.

Image via blogs.office.com

Finally, usage reporting for Office 365 has been added to the Graph API as a preview. The individual usage reports that the Office 365 admin portal presents are useful enough, but many organizations want to pull that data into their own reporting or consolidate it into a single report. Now that the Graph API provides usage reporting data Microsoft has also announced that many of the PowerShell cmdlets currently used for that purpose have been deprecated, and will be retired in October this year. If you depend on those cmdlets for your custom reporting then it’s time you got into the Graph API instead.

The post What’s New in Office 365 for May 2017 appeared first on Practical 365.


Managing Projects with Office 365 Groups, Planner, and Teams


With Office 365, Microsoft is on a mission to provide productivity applications that empower their customers to achieve more. One feature in particular, Office 365 Groups, goes a long way to achieving that goal.

Groups began as an Outlook collaboration feature that brought email communication together with file and note sharing. Over time, Groups has also played the role of membership service to new applications such as Planner and Teams. As the integration between different applications has been established, the usefulness of Groups has grown.

Managing projects is one of the areas where Groups stands out. Project management in the Microsoft ecosystem has previously required the use of Microsoft Project or Project Server (or Project Online in the cloud services world). The Project suite of products has always come at an additional cost, and for smaller projects the cost isn’t always able to be justified. I’ve personally been involved in many internal and customer projects where the capabilities of Project would have been useful, but no budget was provided to pay for them.

With Office 365 Groups, Planner, and Teams, small to medium-sized projects get access to useful applications that help to manage the project without the additional cost. Here’s an overview of how Office 365 Groups can be used to manage projects.

Licensing for Office 365 Groups, Planner, and Teams

Office 365 Groups, Planner, and Teams are all included with Office 365 licenses that include Exchange Online and SharePoint Online. Today that means Business Essentials and Premium, and Enterprise E1, E3 and E5.

Let’s say for example that the following user accounts are already licensed for Office 365, and have Exchange Online mailboxes:

  • Jane Tulley, IT Operations Team Leader
  • Dave Bedrat, Senior Systems Engineer
  • John Dorey, Systems Engineer

The following user accounts are not already licensed for Office 365, and have Exchange on-premises mailboxes:

  • Alan Reid, IT Manager
  • Aaron Gardiner, Help Desk

To get the appropriate licenses assigned, the organization needs to assign Alan and Aaron an Office 365 license. This can be achieved using group-based license management, or you can also manage licenses with PowerShell, or you can do manual license assignment through the Office 365 portal.

Choosing a New vs Existing Office 365 Group

Both Planner and Teams can be used with an existing Group, or a new Group can be created for a new Plan or Team. When considering whether to use existing Groups or create new Groups, you should take into consideration:

  • Whether the people involved in the project align with an existing Group membership.
  • Whether the Group already has a Plan and Team attached that is used for other purposes (today Planner and Teams both have a 1:1 relationship with Groups, i.e. there can only be one Plan and Team per Group).
  • Whether the project has a life cycle that doesn’t align with the existing Group’s purpose.
  • Whether the project’s communications in email and Teams chat will clash with the existing communication running through that Group.

For most projects, it will make sense to create a new Group. A team that already has a Group might use that for micro-projects and general communication within their own team, but other projects with people from other areas of the company deserve their own Group.

When you create a Group you can invite all the project members, or add them later. The Group membership can change as the project moves through its different phases, and new members will gain access to all the previous conversations and information that the Group contains.

A Team is not automatically created for a Group, but you can attach a new Team to an existing Group.

However, a Plan is automatically created when the Group is created.

Using Planner for Project Tasks

Planner is a collaborative task management app, or as I like to think of it, a micro-project management app. When you create a Planner plan and add members to participate in that plan, each member can add their own tasks. However, only the managers of the Office 365 Group can edit the plan settings, or delete the plan entirely.

By adding tasks to Planner, the project team can see which tasks have been assigned to them, and when they are due to be completed. The project manager and other interested stakeholders can see project progress as well as conversations around individual tasks. It’s the type of dashboard view that managers love to look at, and with Planner they can check it any time they like without burdening the project team with requests for status updates.

With the Planner mobile app that is now also available, project team members can update their tasks from their mobile devices as well.

Using Teams for Communications

When you bring Teams into the picture the question needs to be asked, should you use Teams or Outlook for conversations during a project? The answer depends on the type of conversations that are taking place.

Broadcast communications to the entire project team, such as the summary of decisions made during a meeting, are well suited to email and are stored in the Group mailbox where they can be referenced later.

Real-time conversations are better suited to the chat environment of Teams. The conversations are still preserved for historical reference, but are a little easier to read in their chronological order in Teams instead of needing to piece together email reply chains that can easily become fragmented as different people respond. Teams is also good for those members of the project team who don’t want to see email chains in their own inbox, but want to dip in and out of Teams to keep up to date on recent conversations.

Teams can also be used to host audio and video meetings, which is very useful for distributed teams. The Teams mobile clients also make it a useful real-time communication method for workers who aren’t at their desk. For example, a Help Desk officer providing post-migration desk-side support to end users can chat with the rest of the team. Or a team member can provide remote support to others via Teams chat, instead of the comparatively slower conversations that occur over email.

Summary

Office 365 Groups, along with Planner and Teams, allows the users in an organization to spin up their own instances of collaboration, project management, and communications apps quickly and easily. Although Planner lacks some of the in-depth project management capabilities of Project, it is more than capable of providing task management for the type of small, simple projects that many organizations are constantly running.

There are still some rough edges that need polishing, however none of these are serious blockers at this stage. At least not for most organizations that I have dealt with.

There are some file storage inconsistencies between Groups, Planner, and Teams. In the Group view in Outlook, the files for individual Teams channels can’t be seen, but files attached to Planner tasks can be seen. The Teams client can see channel files, but not the files in the root of the document library that are visible in Outlook. However, all the files for the Group, Planner, and Teams can be viewed by opening the document library in SharePoint Online. Ideally that wouldn’t be necessary, but at least the workaround exists.

Planner integration with Teams is minimal. When you add a Planner tab to a Teams channel, it lets you view the tasks in the plan, but not anything else from Planner such as reporting views. Completing tasks in Planner doesn’t notify the channel, nor does it notify the Group manager. Ideally the option would exist for Planner activities to generate Teams notifications.

Adding a OneNote tab to Teams adds a section to the Group’s OneNote notebook, which is then visible when the notebook is accessed via Outlook. But you can’t add an existing OneNote section to Teams, you can only create a new one. Synchronization of content between Outlook and Teams is a little slow, but you’d probably only notice it if you quickly switched between the two. The OneNote tabs in Teams have no visual clues to differentiate them from other tabs. The same criticism exists for Planner tabs, but you can rename tabs to a more descriptive name after adding them.

Managing meetings in Teams is a little buggy. For meetings created in Teams you can’t invite the entire group as a single entry, which you can do in Outlook. Instead you need to invite each individual user. Selecting a meeting room is also buggy, with room lists not working correctly. On the plus side, you can choose a Teams channel as the meeting location for IM or remote meetings.

The Office 365 road map has items in development to fix many of those issues as well as add more improvements such as guest access to Planner and Teams to allow collaboration with external users. But other than those few issues, the combination of Groups, Planner, and Teams is ready to provide good project management capabilities to many organizations today.

The post Managing Projects with Office 365 Groups, Planner, and Teams appeared first on Practical 365.

Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync


When an Exchange Online mailbox has the ActiveSync protocol disabled, you may find that the Outlook app for iOS and Android mobile devices is still able to connect to the mailbox to send and receive emails.

PS C:\> Set-CasMailbox dave.bedrat -ActiveSyncEnabled $false

The reason for this is the architecture of the Outlook app and the infrastructure it connects to. From TechNet:

Outlook for iOS and Android uses a stateless protocol translator component that is built and run in Azure. This component routes data and translates commands, but it doesn’t cache user data. The app is coded with the Outlook device API, a proprietary API that syncs commands and data to and from the app. Exchange Online data is accessed via the publicly available REST APIs. The protocol translator enables communication between Outlook and Exchange Online.

Image via TechNet

Even when ActiveSync is disabled the REST API is still accessible by Outlook. To block access to the REST API we need to use a different method. There are a few approaches that we can use:

  • A device access rule to block Outlook for iOS and Android. This is an organization-wide block and requires you to manually approve Outlook app usage on a per-user basis for anyone who still needs to use it, so it may not be a practical approach if you’re just trying to block one user from having any mobile email access.
  • A client access rule to block REST API access. Client access rules can be targeted at specific users but managing the target list over time could be cumbersome. This approach also blocks all REST API access for the targeted users, not just the Outlook app.
  • Block the Outlook app using an EWS block list. This is the approach I’ll demonstrate here.

As I’ve previously written here, EWS policies can be used to block or allow specific applications on a per-user or per-organization basis. If you want to block Outlook app usage for the entire organization then you would use an organization-level EWS block list. Since this example scenario is for a user who has had the ActiveSync protocol disabled I will stick to the per-user option. As a side note, if your Office 365 tenant has any “K” (kiosk) licenses then the organization-level EWS controls will not work, and you’ll need to use per-user EWS controls.

First, let’s take a look at the mobile device association that shows Outlook connecting to the REST API.

PS C:\> Get-MobileDevice -Mailbox "Dave Bedrat" | Where {$_.FriendlyName -like "Outlook*"} | Select DeviceModel,DeviceUserAgent,DeviceAccessState,ClientType
DeviceModel        : Outlook for iOS and Android
DeviceUserAgent    : Outlook-iOS/2.0
DeviceAccessState  : Allowed
ClientType         : REST

Next, let’s look at the EWS configuration for the mailbox.

PS C:\> Get-CASMailbox "Dave Bedrat" | Select *EWS*
EwsEnabled                 : True
EwsAllowOutlook            :
EwsAllowMacOutlook         :
EwsAllowEntourage          :
EwsApplicationAccessPolicy :
EwsAllowList               :
EwsBlockList               :

To block EWS access for the Outlook app we need to block the user agent. The iOS version of Outlook currently has a user agent of “Outlook-iOS/2.0” (shown above), and the Android version uses “Outlook-Android/2.0”. Earlier versions had a user agent of “Outlook-iOS-Android/1.0” for both platforms, so we can expect the user agent to change in future as the version number increments. As such, it’s best to use a wildcard in the EWS block list. The example below will block the original user agent, the current user agents for both platforms, and any future user agent strings that follow the same pattern.

PS C:\> Set-CASMailbox "Dave Bedrat" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}

Another look at the EWS configuration for the mailbox shows the two user agents have been added to the block list, and the EwsApplicationAccessPolicy option is now set to EnforceBlockList.

PS C:\> Get-CASMailbox "Dave Bedrat" | Select *EWS*
EwsEnabled                 : True
EwsAllowOutlook            :
EwsAllowMacOutlook         :
EwsAllowEntourage          :
EwsApplicationAccessPolicy : EnforceBlockList
EwsAllowList               :
EwsBlockList               : {Outlook-Android/*, Outlook-iOS/*}

This change doesn’t take effect immediately. In my demo environment it took about 30 minutes before the Outlook app on my iPad stopped retrieving new emails. The access token life is 1 hour by default though, so you should expect it to take at least that long.

To reverse the block, remove the two user agents from the block list, and if there are no more block list entries you can also null the EwsApplicationAccessPolicy.

PS C:\> Set-CASMailbox "Dave Bedrat" -EwsBlockList @{Remove="Outlook-iOS/*","Outlook-Android/*"}
PS C:\> Set-CASMailbox "Dave Bedrat" -EwsApplicationAccessPolicy $null

As one last point to keep in mind, the DeviceAccessState for the mobile device association won’t change from Allowed to Blocked when you use an EWS block list.
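The gap described in this post (ActiveSync disabled, but the Outlook app still connecting over REST) is easy to miss across a whole tenant. The following script is an added example, not code from the original post: it audits every mailbox with ActiveSync disabled, reports whether the Outlook app user agents are covered by an enforced EWS block list, and offers an opt-in remediation that applies the same Set-CASMailbox change shown above. It assumes an existing Exchange Online PowerShell session, and that EWS block list entries are matched as wildcard patterns in the way the post shows.

```powershell
# Added example (not from the original post). Requires an Exchange Online
# PowerShell session with Get-CASMailbox, Get-MobileDevice and Set-CASMailbox.

# User agent patterns from the post. The wildcard covers future version numbers.
$OutlookAppBlockPatterns = @("Outlook-iOS/*", "Outlook-Android/*")

function Test-UserAgentBlocked {
    # Returns $true when at least one block list entry wildcard-matches the agent
    # (assumption: EWS block list entries behave like PowerShell -like patterns).
    param ([string[]]$BlockList, [string]$UserAgent)
    foreach ($pattern in $BlockList) {
        if ($UserAgent -like $pattern) { return $true }
    }
    return $false
}

function Get-OutlookAppGapReport {
    <#
    .SYNOPSIS
    Lists mailboxes where ActiveSync is disabled but an Outlook app partnership
    (ClientType REST) is still allowed because the EWS block list does not
    cover its user agent, or because no block list is being enforced.
    #>
    [CmdletBinding()]
    param ([int]$ResultSize = 1000)

    $casMailboxes = Get-CASMailbox -ResultSize $ResultSize |
        Where-Object { $_.ActiveSyncEnabled -eq $false }

    foreach ($cas in $casMailboxes) {
        # The block list only counts when the policy actually enforces it.
        $enforced  = ($cas.EwsApplicationAccessPolicy -eq "EnforceBlockList")
        $blockList = @($cas.EwsBlockList)

        # Outlook for iOS/Android shows up as a REST device, not an EAS device,
        # so disabling ActiveSync does not touch this partnership.
        $restDevices = @(Get-MobileDevice -Mailbox $cas.Identity -ErrorAction SilentlyContinue |
            Where-Object { $_.ClientType -eq "REST" -and $_.DeviceUserAgent -like "Outlook-*" })

        $unblockedAgents = @()
        foreach ($device in $restDevices) {
            if (-not $enforced -or -not (Test-UserAgentBlocked -BlockList $blockList -UserAgent $device.DeviceUserAgent)) {
                $unblockedAgents += $device.DeviceUserAgent
            }
        }

        [PSCustomObject]@{
            Mailbox           = $cas.PrimarySmtpAddress
            ActiveSyncEnabled = $cas.ActiveSyncEnabled
            EwsEnabled        = $cas.EwsEnabled
            EwsPolicy         = $cas.EwsApplicationAccessPolicy
            EwsBlockList      = ($blockList -join ", ")
            OutlookRestDevices = $restDevices.Count
            UnblockedAgents   = ($unblockedAgents -join ", ")
            Gap               = ($unblockedAgents.Count -gt 0)
        }
    }
}

function Block-OutlookAppForMailbox {
    <#
    .SYNOPSIS
    Applies the per-mailbox EWS block list from the post. Supports -WhatIf so the
    change can be reviewed before it is made.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param ([Parameter(Mandatory = $true)][string]$Identity)

    if ($PSCmdlet.ShouldProcess($Identity, "Add Outlook app user agents to EwsBlockList")) {
        # Adding to EwsBlockList also sets EwsApplicationAccessPolicy to EnforceBlockList.
        Set-CASMailbox $Identity -EwsBlockList @{Add = $OutlookAppBlockPatterns}
    }
}

# Usage: report only, then remediate the mailboxes that show a gap.
$report = Get-OutlookAppGapReport
$report | Format-Table Mailbox, EwsPolicy, OutlookRestDevices, UnblockedAgents, Gap -AutoSize
$report | Where-Object { $_.Gap } | ForEach-Object { Block-OutlookAppForMailbox -Identity $_.Mailbox -WhatIf }
```

Drop the -WhatIf from the last line once the report looks right; as the post notes, expect up to an hour for the change to take effect and the DeviceAccessState to remain Allowed afterwards.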

The post Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync appeared first on Practical 365.

Help Test V1.02 of the Office 365 Groups Report Script


The Office 365 Groups report script helps you track new, modified, and deleted Groups in your Office 365 tenant. When the script was first developed there was no method for recovering deleted Groups. That has since been added, along with the Azure AD PowerShell cmdlets to support it.

Right now the PowerShell cmdlet Get-AzureADMSDeletedGroup, which lists soft-deleted Groups that are recoverable for 30 days, is available in the AzureADPreview module. I’ve taken the opportunity to start updating the Office 365 Groups report script to include information about deleted Groups that are still recoverable.

The new script adds two pieces of information:

  • Newly deleted Groups are now listed with the time stamp for when they were deleted. Previously the script could only detect that the Group had been deleted since the last time you ran the script, but not provide a specific time.
  • Recoverable Groups are now listed in a section of the report, including the number of days until they can no longer be recovered.

I’m releasing V1.02 of the script as a beta for now, until the PowerShell cmdlets are released in the Azure AD module, and so that any bugs that come up in the real world can be fixed before then. If you are willing to test it for me and provide feedback, please download this zip file. You’ll also need to install or update the Azure AD Preview module on your computer so that you have at least V2.0.0.127. All other dependencies and usage instructions listed here still apply.

Any feedback from your testing is appreciated, and can be provided in the comments below or by raising an issue on GitHub.

The post Help Test V1.02 of the Office 365 Groups Report Script appeared first on Practical 365.

Microsoft Forms Arrives for Commercial Office 365 Tenants


Microsoft Forms is an Office 365 app that allows users to build surveys, questionnaires, quizzes, and other data collection forms. Until now Forms has been focused on the education market, and as such has only been available to Education customers in Office 365.

A recent addition to the Office 365 road map indicates that Forms is on its way to commercial tenants as well, noted as a Preview.

Today as I poke around the admin portal I’ve discovered that Forms has arrived for all of my tenants. My Message Center has no notices about it, nor does the official Office 365 blog. Perhaps the roll out has just begun and the announcements are forthcoming. Update: a Message Center notice has now appeared in my tenant, and refers to this Forms release as a Preview.

There’s nothing in my admin portal or in the Forms app itself to suggest this is a Preview, it actually looks like a GA release to me.

As with all new Office 365 features, Forms is enabled by default. It’s a useful app, but an immediate concern for some organizations may be the external collaboration feature, which is also enabled by default. You can find this setting in the Office 365 admin portal under Settings -> Services & Add-ins.

Obviously Forms is well suited to external data collection, such as running marketing surveys or collecting registration information for events. That’s where the trouble begins for some organizations though, with concerns over the type of data collection that their users might try to use it for, and where that data is subsequently stored. It would be bad if a user unwittingly designed an event registration form that collected credit card details or other sensitive information. The control above only limits external collaboration though, not external responses, so if you’d like to be absolutely sure that none of your users start collecting external data you’ll need to disable Forms entirely for them.

As an on-by-default feature, you need to disable Forms by managing licensing. Forms now appears in the per-user licensing options in the Office 365 admin portal.

Forms is also available as an option in Azure AD group-based licensing, if that is how you’re managing your licenses.

It’s good to see Forms finally show up in commercial tenants. I run a lot of surveys myself, so I’ll be exploring it with interest. It just would have been nice to get notified of its arrival. Update: My Message Center has been updated with a notice about the Forms Preview release.

The post Microsoft Forms Arrives for Commercial Office 365 Tenants appeared first on Practical 365.

Controlling Third Party Cloud Storage Access for Microsoft Teams


Microsoft Teams now has the ability to connect to external cloud storage providers such as Dropbox and Google Drive. This change is rolling out to Office 365 customers now, and is enabled by default.

Microsoft takes a reasonably open approach to third party integration with their apps these days, especially cloud storage apps. The reality of course is that Microsoft’s own file storage solution, OneDrive for Business, has a patchy reputation for reliability and functionality, which means a lot of Office 365 customers ended up using third party services for file storage. Naturally Microsoft would like those customers to make use of Teams and other Office 365 apps, so integration is necessary. OneDrive for Business also has different use cases than other services, for example Dropbox works well for small teams as a file server replacement without a lot of complexity involved in setting it up, whereas OneDrive is a sync client that works with SharePoint-based stores which require more expertise to set up. Simply put, there’s a lot of non-Microsoft cloud storage usage out there, and integration with Teams helps it compete with other team chat apps.

For the end user, the option to add cloud storage is available in the Files tab of a Teams channel.

The user is prompted to authenticate to their cloud storage provider, such as Dropbox.

After adding a folder from cloud storage, the files will be accessible in Teams for any user who can authenticate to the same storage server and who has access to those files. For example, if Dave Bedrat adds a Dropbox folder to the IT Operations team, other team members such as Jane Tulley can’t access the files with their own Dropbox credentials if Dave has not shared the folder with them.

After the files have been shared and accepted in Dropbox they will be accessible by Jane in Microsoft Teams.

For organizations that do not want to allow access to cloud storage services there are controls available in the Office 365 admin portal. Navigate to Settings, Services & add-ins, and open the Microsoft Teams settings. You can disable some or all of the storage services here. It’s possible that in future other storage services will be added to Teams, so keep an eye on your Message Center notifications so that you can revisit these settings again in future when necessary.

In my testing the change took about 30 minutes before the Teams clients lost access to the options to add third party cloud storage to their channels. The Dropbox folder remained visible in Teams, but could not be opened. The only option available was to delete it.

The “Delete” button should probably be renamed to “Remove” since that is what it really does. The folder contents themselves are not deleted, and the dialog that pops up to confirm uses the word “Remove” which is a better description of what is happening. The user is also told they can add it back any time, even if all of the cloud storage options are disabled by an administrator, which is a bit misleading but probably won’t cause many issues.

If you decide to turn off cloud storage for Teams, and there’s a chance that your users are already making use of the feature, then you’ll need to plan how to communicate the change. Teams itself doesn’t surface any reports to indicate who is using what, so there’s no easy way to find out who is already using cloud storage. If your organization is already using Cloud App Security to discover app usage then that might give you some clues. Otherwise, you’ll just need to come up with the best communication plan that suits your organization.

The post Controlling Third Party Cloud Storage Access for Microsoft Teams appeared first on Practical 365.

June 2017 Updates Released for Exchange Server


Microsoft has announced the latest quarterly updates for Exchange Server 2016 and 2013.

For Exchange Server 2016 this release includes the following improvements for on-premises customers:

Those changes do not apply to Exchange Server 2013. From Microsoft’s blog post:

These features are targeted to Exchange Server 2016 only and will not be included in Exchange Server 2013. Exchange Server 2013 already has its own implementation of Sent Items Behavior Control which is different than the version we are releasing today. The Cumulative Update 6 behavior is more closely aligned with how this worked in Exchange Server 2010. Due to architectural differences, the configuration of this feature is not retained if mailboxes are moved between Exchange Server 2010 and Exchange Server 2016 or between Exchange Server 2013 and Exchange Server 2016.

Microsoft also shared progress on two other matters:

  • Support for TLS 1.2 is described as “improved”, but Microsoft is not ready to recommend deprecating TLS 1.0 and 1.1 yet.
  • .NET 4.7 compatibility testing is progressing well with no issues found so far, but they are not ready yet to declare .NET 4.7 supported for Exchange servers.


The post June 2017 Updates Released for Exchange Server appeared first on Practical 365.


Securing Mobile Access with Intune MAM Conditional Access Policies


Embracing a BYOD strategy is usually a good thing for your users and your company, but it also creates some concerns about the devices and applications that are being used to access corporate data.

To demonstrate the type of issues that arise I’ve connected an iPad to a user’s Exchange Online mailbox by setting up an account using the native email app on iOS. The user is able to make an ActiveSync connection to their mailbox, download email messages, and save any attachments to their personal Dropbox account that is also set up on the device.

Dropbox itself is not necessarily a problem. The concern for the organization is that users will save corporate data to untrusted or insecure external services that are owned by the individual user. There are multiple strategies that can be implemented to mitigate this risk, one of which is Intune conditional access policies in combination with Intune mobile application management (MAM) policies.

To begin, let’s set up conditional access in Intune for Exchange Online and SharePoint Online. In the Azure portal navigate to Intune mobile application management, and then go to the two conditional access settings. For each of Exchange Online and SharePoint Online, configure the Allowed apps to “Allow apps that support Intune app policies.”

After saving the change, go to Restricted user groups and add the groups that contain the users you want the conditional access policies to apply to. For this example I’m using the same Azure AD group that is used to assign the EMS licenses to users, rather than create a separate group. For your own deployment you might choose to target MAM conditional access policies at a separate group that represents approved BYOD users.

Make sure you repeat the same steps for SharePoint Online.

After creating the conditional access policies it will take a short time before they take effect for users. When the policies take effect the users who are targeted by the policies will no longer be able to connect to Exchange Online and SharePoint Online with apps that don’t support Intune policies. That will prevent the native mail app on iOS or Android from connecting, as well as a wide range of third party mail apps. An email notification is sent to the user to let them know that they need to use Outlook. This email notification will appear on the mobile device, but no other new emails will arrive on the device.

The user in this example will need to install the Outlook app for iOS. They’ll also need to install the Microsoft Authenticator app to act as an authentication broker for the managed Outlook app (Android devices need the Company Portal app instead). However, the user does not need to enrol their device in Intune, which is ideal for employee owned devices (BYOD).

When I was working through this demonstration I ran into what seems to be a bug with Outlook for iOS at the moment. When the user sets up Outlook to connect to the Exchange Online mailbox, they are prompted to authenticate via the Microsoft Authenticator app.

This is the normal process, but right now instead of a successful authentication the Outlook app returns an “Oops, something went wrong” message.

When I repeat the login process with another app on the device, the Microsoft Teams app, the authentication process takes me to the correct step to register the device. Registering a device for MAM conditional access is not the same as full enrolment in Intune, but is required for the MAM policies to be able to be enforced.

Registration takes just a few seconds, after which the user can access Exchange Online and SharePoint Online with managed apps (e.g. Outlook starts working after the device is registered successfully via Teams).

At this stage we’ve solved part of the original problem. Users are prevented from accessing Exchange Online or SharePoint Online using unmanaged apps such as the native mail app on iOS, and instead are required to use managed apps like Outlook, OneDrive, Teams and so on. However, the user can still access Dropbox from within the Outlook app.

The solution to that problem is to configure an App policy in Intune App Protection. App policies are quite comprehensive and flexible. Among other things, you can use an app policy to restrict the transfer of data in or out of policy managed apps, including copy and paste of data. For this example I’ve configured:

  • Policy managed apps to transfer data only to other policy managed apps. So the user can transfer data from Outlook to OneDrive or Excel, but not Outlook to Dropbox.
  • Policy managed apps can receive data from all apps. So the user can copy data from Dropbox to Outlook if they need to.
  • Cut, copy and paste can only be performed between policy managed apps, or from other apps to policy managed apps. But the user will not be able to copy and paste from a policy managed app like Outlook to an unmanaged app like Dropbox or Safari.
  • For good measure I have also required a PIN for access to the policy managed apps. The user has not enrolled the device in Intune for MDM, so a device-level PIN isn’t enforced. The app policy will enforce the PIN at the app level instead.

After creating the policy we then need to go into the policy settings and configure an assignment to target the policy to a security group. Again I am using the same security group that is used to assign my Intune licenses.
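The same app protection policy can be created without clicking through the portal. The block below is an added example, not code from the original post or from Microsoft: it creates an iOS app protection policy with the four settings listed above (outbound transfer to managed apps only, inbound from any app, clipboard between managed apps with paste-in allowed, and an app PIN), targets it at Outlook for iOS, and assigns it to a group, all through the Microsoft Graph API. It assumes $accessToken already holds a Graph bearer token granted the DeviceManagementApps.ReadWrite.All permission, and the policy name and group ID are placeholders.

```powershell
# Added example: Intune iOS app protection (MAM) policy via Microsoft Graph.
# Assumes $accessToken is a valid Graph bearer token with DeviceManagementApps.ReadWrite.All.
$graph   = 'https://graph.microsoft.com/v1.0'
$headers = @{ Authorization = "Bearer $accessToken"; 'Content-Type' = 'application/json' }

$policy = @{
    '@odata.type' = '#microsoft.graph.iosManagedAppProtection'
    displayName   = 'BYOD - Outlook data protection (example)'       # placeholder name
    # Managed apps may send data only to other managed apps: Outlook -> OneDrive works, Outlook -> Dropbox is blocked
    allowedOutboundDataTransferDestinations = 'managedApps'
    # Managed apps may receive data from any app: Dropbox -> Outlook still works
    allowedInboundDataTransferSources       = 'allApps'
    # Cut/copy/paste between managed apps, plus paste *into* managed apps from unmanaged ones;
    # copying out of Outlook into Dropbox or Safari is blocked
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    # The device is not MDM-enrolled, so no device PIN is enforced; require one at the app level instead
    pinRequired      = $true
    minimumPinLength = 6
}

# 1. Create the policy
$created = Invoke-RestMethod -Method Post -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Headers $headers -Body ($policy | ConvertTo-Json -Depth 5)

# 2. Make Outlook for iOS a targeted (policy managed) app
$apps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                                    bundleId      = 'com.microsoft.Office.Outlook' } }
    )
}
Invoke-RestMethod -Method Post -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Headers $headers -Body ($apps | ConvertTo-Json -Depth 5)

# 3. Assign the policy to the group of approved BYOD users (placeholder object ID)
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = '00000000-0000-0000-0000-000000000000' } }
    )
}
Invoke-RestMethod -Method Post -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" `
    -Headers $headers -Body ($assignment | ConvertTo-Json -Depth 5)

# 4. Read the policy back and confirm the effective data-transfer settings
Invoke-RestMethod -Method Get -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)" -Headers $headers |
    Select-Object displayName, allowedOutboundDataTransferDestinations, allowedInboundDataTransferSources,
                  allowedOutboundClipboardSharingLevel, pinRequired
```

Keeping the policy in a script like this also gives you something to diff when someone later loosens the clipboard or transfer settings in the portal, which is the kind of change that quietly reopens the Dropbox leak path.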

The policy assignment doesn’t take effect until the device or application checks in. You can see the status of the app policy for a user in the App protection user report that is available in the Intune App Protection area of the Azure portal. In the example below, the user’s Word app has picked up the app policy, but the other apps haven’t yet applied it.

Word will now enforce the configured policy by preventing the user from saving corporate data to unmanaged apps. For example, a Word document opened from OneDrive for Business can’t be saved to Dropbox.

As you can see it is possible to use Intune mobile application management to prevent corporate data from leaking when it is accessed by users on personal devices. These features do require an Intune license for the user, but do not require the user to enrol their personal device for full MDM, which is often more appealing to them as they don’t need to allow total control over the device by corporate IT.

The post Securing Mobile Access with Intune MAM Conditional Access Policies appeared first on Practical 365.


What’s New in Office 365 for June 2017


Office 365 for IT Pros, 4th Edition is continually updated with new information, changes and corrections. Customers who bought the book from this website can download the updated files from their purchase history. Updates applied to the Amazon Kindle version are available through your Kindle library after they are approved by Amazon.

During June Microsoft released Forms in public preview for Office 365 commercial customers. Previously available only for education customers, Forms allows you to create surveys, quizzes, and polls to collect information, and then analyse the results using Excel services. Forms is enabled by default and includes external collaboration features, which you can disable if necessary.


Outlook for Mac, which has lagged behind in the past, is catching up to the Windows version with new features. Much like Office for Windows, the Mac version of Office has different update channels such as Insider Fast and Insider Slow where new features are released first before they are shipped to the general public. Send later, read and delivery receipts, email templates, creating calendar events and tasks from emails, and an improved account setup experience were all announced for Insider Fast, although some of those features actually arrived during May. Other quality of life features such as Outlook favorites are also making their way through the Insider channels. This may not seem like a big deal for Windows users, but it speaks volumes for how seriously Microsoft is looking at creating the best productivity experiences for Office users on Mac, which is a market segment that they can’t afford to ignore.

The Outlook app for iOS and Android also received an update in June to enable the ability to add and edit contacts directly within the app. This is one of the most requested features on the Outlook UserVoice site.


Microsoft Teams gained new integrations with cloud storage providers. Teams users can now connect to Google Drive, Dropbox, Box, and ShareFile from within Teams. These integrations are enabled by default, but you can turn them off in the Teams settings for your organization.

Teams has also been added to the list of approved apps for Intune conditional access. Previously, if you configured conditional access for Exchange Online and SharePoint Online, the Teams clients could no longer connect unless you exempted the user from conditional access. Teams was in public preview back in November 2016, and went GA in March of this year, so only adding conditional access support now seems quite slow to me. Perhaps the Intune team was busy completing the migration of customers from the classic Intune portal to the new Azure portal. My own tenants have finally been fully migrated after a weird period where the Azure portal worked, then only partially worked, and then fully worked again a week later.

Intune has also rolled out a new capability to manage Windows 10 BitLocker settings by using an Intune device profile. Intune is clearly positioning itself as the ideal device management platform for cloud-based customers. I’m finding it useful, but complex as well. As a former SCCM specialist it’s been interesting getting drawn back into this type of device management system. Much like SCCM I am no fan of the Intune console (even the new one, sorry Microsoft), but the capabilities are quite powerful.

Microsoft Stream, the replacement for Office 365 Video, went GA in June. Enterprise and education customers can begin using Stream today, but existing Office 365 Video customers have a more complicated transition path to go through, as explained by Microsoft here and expanded on further by Tony Redmond here.

In Security and Compliance there were more improvements rolled out in June. EOP Advanced Threat Protection has some improved status reporting, and enhanced quarantine capabilities that allow admins to review and release or delete emails that were classified as malware. Often a “malware is malware” approach is taken by security products when it comes to malicious emails, but that stance doesn’t take into consideration file types that are blocked due to their potential to be harmful, but that might still have a legitimate use. ATP Safe Links has also been improved with a per-tenant block list, support for wildcards in domain names, customization of policies for different user lists, and support for longer URLs in policies.


Exchange Online is getting a new PowerShell cmdlet to allow the removal of calendar items from the mailboxes of departed users. This cmdlet, named Remove-CalendarEvents, is intended to solve the problem of users leaving the organization without cancelling their future meetings, which clogs up user calendars as well as consuming bookable resources such as meeting rooms. The Remove-CalendarEvents cmdlet is designed to be used before the departed user’s mailbox is decommissioned, so it could form part of your normal user de-provisioning process. I’ve tried it, but it either doesn’t work in my tenants yet or it’s still buggy, as I wasn’t able to get it working.

SharePoint Online customers can get excited about the roll out of new communication sites, beginning with First Release customers. Communication sites “are perfect for internal cross-company campaigns, weekly and monthly reports or status updates, product launches, events and more,” and “allow people to create and share recurring updates beyond email.”

Yammer fans can also rejoice at the news of Skype for Business integration being added to the Yammer web interface. Similar to Outlook on the web (OWA), the Yammer UI will now include a Skype icon in the nav bar.

On the topic of Skype for Business, Microsoft also announced that Pulse, a voting app for online events, will no longer be a free public service and instead will be an exclusive feature of Skype Meeting Broadcast.

Finally, if you’re running Azure AD Connect (AAD Connect) and you have password writeback enabled, then this security bulletin describes a critical security vulnerability that you should be aware of. The solution is to upgrade to AAD Connect 1.1.553.0 or later. However, when planning your upgrade you should also be aware of this known issue of OU-based filtering not carrying forward in the upgrade.

The post What’s New in Office 365 for June 2017 appeared first on Practical 365.

        

PowerShell One-Liner: Summary of Mailbox Move Request Status


When you’ve got a lot of mailbox move requests running during an Exchange migration, it’s useful to be able to pull a quick summary of how they’re all going. You can achieve this by piping the Get-MoveRequest cmdlet to the Group-Object cmdlet. Include -ResultSize Unlimited, otherwise Get-MoveRequest returns only the first 1000 requests and the summary will under-count a large batch.

[PS] C:\>Get-MoveRequest -ResultSize Unlimited | Group-Object -Property:Status | Select-Object Name,Count | Format-Table -Auto
Name                 Count
----                 -----
Queued                  36
InProgress               2
Completed              158
CompletedWithWarning     1
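The summary tells you how many moves are in each state, but not how far along the running ones are or why the others need attention. The following is an added example, not part of the original post, that extends the one-liner with Get-MoveRequestStatistics to show progress for in-flight moves and the last failure message for anything that completed with warnings, failed, or is suspended. It assumes an Exchange Management Shell or Exchange Online PowerShell session is already open.

```powershell
# Added example: move request summary plus progress and problem details.
# Assumes an existing Exchange Management Shell / Exchange Online session.

# -ResultSize Unlimited matters: the default caps the result at 1000 requests.
$moves = Get-MoveRequest -ResultSize Unlimited

# Status summary, as in the one-liner
$moves | Group-Object -Property Status | Select-Object Name, Count | Sort-Object Name | Format-Table -AutoSize

# Progress of the moves still running: percent complete and bytes moved so far
$moves | Where-Object { $_.Status -eq 'InProgress' } |
    Get-MoveRequestStatistics |
    Select-Object DisplayName, StatusDetail, PercentComplete, BytesTransferred, TotalMailboxSize |
    Sort-Object PercentComplete -Descending |
    Format-Table -AutoSize

# Requests that need a decision (resume, suspend, or remove), with bad/large item counts
# and the last message the Mailbox Replication Service recorded for them
$moves | Where-Object { $_.Status -in 'CompletedWithWarning', 'Failed', 'Suspended' } |
    Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, BadItemsEncountered, LargeItemsEncountered,
                  @{ Name = 'LastMessage'; Expression = { $_.Message } } |
    Format-Table -AutoSize -Wrap
```

Run it periodically during a migration window; the third table is the one to review before you remove completed requests, because a CompletedWithWarning move usually means items were skipped under the bad item limit.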

The post PowerShell One-Liner: Summary of Mailbox Move Request Status appeared first on Practical 365.

       


How to Use Azure Active Directory Conditional Access to Enforce Multi-Factor Authentication for Unmanaged Devices


Microsoft provides several options for securing Office 365 and Azure applications with multi-factor authentication (MFA). For your end users you can choose from:

  • MFA for Office 365, which provides basic MFA functionality for Office 365 applications only.
  • Azure MFA, which provides more advanced functionality, including the option to configure trusted IPs.

The trusted IP feature is attractive because it allows you to define IP address ranges, such as those of your corporate network, from which you will “trust” the logins and not prompt for MFA codes. This is useful for decreasing the annoyance factor of MFA for your end users, but doesn’t solve the problem for all types of organizations. For example, a staff of roaming sales people will frequently be accessing their applications from outside the corporate network, which will cause them to be repeatedly prompted for MFA codes. Yes there are some apps where you can “remember” the device and avoid repeated prompts, but not all apps provide that. App passwords, which are separate passwords for a user that bypass MFA, are also not practical in all cases as they become difficult to manage over time.

For some customers it’s not just a subset of their users, such as the sales staff, that access apps from “outside” the corporate network. It’s becoming more common for the concept of a corporate network to not exist at all for a company. And even for those that can define a network boundary that traditionally would separate “inside” from “outside”, it’s somewhat of a dated concept. Google’s “BeyondCorp” whitepaper explores this in more detail.

The goal of Google’s BeyondCorp initiative is to improve our security with regard to how employees and devices access internal applications. Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both internal networks and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or “tiers,” of access.

Looking at securing Office 365 access in that context, we can shift our thinking from using trusted IPs to avoid MFA prompts, and use signals about the devices and users. For this article I’m going to focus on the device aspect of the picture.

The devices that users connect from are either managed or unmanaged. A managed device is secured by way of being domain joined, or by being enrolled in Intune, which provides the organization with visibility of what is running on the machine, whether it complies with our security requirements, and so on. Put simply, you can tell whether the user is connecting from a rooted Android phone that is riddled with pirated apps containing malicious code, or from a Windows 10 laptop with appropriate security settings applied.

Unmanaged devices are those such as home computers where the user might use their web browser to check email, or a mobile device that is not enrolled in Intune.

For this example scenario we’re going to achieve the following outcomes:

  • Users of managed devices of any platform are not required to use MFA, on the basis that they are secured and managed by way of being either domain joined or Intune enrolled. This effectively means that corporate owned devices, and BYOD devices that have been Intune enrolled, will not require MFA when the user logs on to Office 365 applications.
  • Users of unmanaged devices of any platform will be prompted for MFA when the user logs on to Office 365 applications. We can further secure access from unmanaged devices by using Intune MAM policies, which I demonstrated here so I will not cover that again in this article.

Both of those outcomes can be achieved with a single Azure Active Directory conditional access policy. Only one policy is required because there is no difference in how trusted and untrusted IP addresses are being treated. That said, you could define multiple policies if you needed to break them up for separate device platforms, different sets of users, or different Office 365 applications. For this demonstration a single policy is used.

To create the policy go to the Azure portal and navigate to Azure Active Directory, then choose Conditional Access.

Create a new policy and give it a meaningful name. Configure the assignments for the policy. I’m targeting this policy at the users in my tenant who are licensed for Azure AD Premium, which is required for conditional access. Azure AD Premium is available as a standalone license add-on, or it’s included in the Enterprise Mobility + Security (EMS) bundles. As a side note, if you’re testing any policy that might restrict access to Office 365 or Azure services, exclude at least one admin account as a precaution against locking yourself out of all applications and portals by accident. Also, keep in mind that if you do not target this policy at a user, they’ll be able to log in without MFA from any device. Targeting “All users” may be the right approach for your organization.

Next, select the cloud apps that the policy will apply to. Again as a precaution, Microsoft recommends in their best practices doc that you avoid policies that apply to all users and all apps and require specific conditions, as that combination can completely lock you out of Office 365 and Azure.

For the conditions, I’ve chosen all platforms, all locations (no exception for trusted IP addresses), and all client apps.

Finally, set the access controls. This policy will grant access if any of the following conditions are met:

  • The user successfully provides an MFA code (the user must be enabled for MFA, and if they haven’t set up their code yet will be prompted to do so)
  • The user is logging in from a device that is marked as compliant (which means it must be enrolled in Intune first and meet the requirements of the compliance policy)
  • The user is logging in from a domain joined device

Enable the policy and save it. Conditional access policies usually apply quickly but in some of my testing I’ve had to wait more than an hour to see the results.
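For tenants that manage conditional access as code, the same policy can be expressed as a Microsoft Graph conditional access policy object. The block below is an added example, not the original article’s procedure or Microsoft’s code: it builds the policy described above (targeted group, Exchange Online and SharePoint Online, all platforms, all locations, all client apps, grant if MFA or compliant device or domain-joined device) and creates it in report-only mode before enforcing it. It assumes $accessToken holds a Graph bearer token with the Policy.ReadWrite.ConditionalAccess permission; the group ID and excluded admin account ID are placeholders.

```powershell
# Added example: the article's conditional access policy as a Graph API object.
# Assumes $accessToken is a valid Graph bearer token with Policy.ReadWrite.ConditionalAccess.
$graph   = 'https://graph.microsoft.com/v1.0'
$headers = @{ Authorization = "Bearer $accessToken"; 'Content-Type' = 'application/json' }

$policy = @{
    displayName = 'Require MFA from unmanaged devices (example)'    # placeholder name
    # Start in report-only so the sign-in log shows what *would* happen before anyone is blocked
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @('00000000-0000-0000-0000-000000000000')  # placeholder: targeted / licensed users group
            excludeUsers  = @('11111111-1111-1111-1111-111111111111')  # placeholder: break-glass admin, to avoid lock-out
        }
        applications = @{
            # Well-known first-party application IDs for Exchange Online and SharePoint Online
            includeApplications = @(
                '00000002-0000-0ff1-ce00-000000000000',
                '00000003-0000-0ff1-ce00-000000000000'
            )
        }
        platforms      = @{ includePlatforms = @('all') }
        locations      = @{ includeLocations = @('All') }   # no trusted-IP exception, as in the article
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR: satisfying any one of these controls grants access
        operator        = 'OR'
        builtInControls = @('mfa', 'compliantDevice', 'domainJoinedDevice')
    }
}

$created = Invoke-RestMethod -Method Post -Uri "$graph/identity/conditionalAccess/policies" `
    -Headers $headers -Body ($policy | ConvertTo-Json -Depth 6)

# After reviewing the report-only results in the sign-in logs, switch the policy to enforced
Invoke-RestMethod -Method Patch -Uri "$graph/identity/conditionalAccess/policies/$($created.id)" `
    -Headers $headers -Body (@{ state = 'enabled' } | ConvertTo-Json)
```

The excluded break-glass account is the important line: a policy that grants only on MFA, compliance or domain join, with no exclusions, can lock out the very admin who needs to fix it if MFA registration or the device signal fails.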

A simple way to test the policy is to log in to the Office 365 portal, which will not prompt for MFA even if the user is logging in from an unmanaged device, and then try to access one of the applications that the policy applies to (such as opening their Exchange Online mailbox in OWA). If the user is on a domain joined device, or an Intune enrolled and compliant device, they’ll be able to access the application successfully. Intune enrollment requires an Intune license for the user, which is available as a standalone license add-on or as part of the EMS bundle. If they are on an unmanaged device, the MFA prompt will be displayed instead.

This provides the user with a choice. They can live with the MFA prompts when logging in from their BYOD or personal devices, or they can enrol the devices for management by Intune. It’s up to the user to decide which option strikes a balance between convenience (fewer MFA prompts) and privacy (some users don’t like their employer having “control” of their personal devices).

For this managed vs unmanaged device scenario you can also further secure the unmanaged device access by configuring Intune MAM policies to control such things as copying of corporate data to unmanaged apps (e.g. from a user’s corporate OneDrive to their personal Dropbox). You can also look at Azure AD Identity Protection to detect and block high risk logins (e.g. suspicious IP addresses), which I’ll cover in a future article.

The post How to Use Azure Active Directory Conditional Access to Enforce Multi-Factor Authentication for Unmanaged Devices appeared first on Practical 365.

Microsoft Announces Discontinuation of Support for Session Border Controllers in Exchange Online Unified Messaging


Microsoft has released a new announcement regarding the discontinuation of support for Session Border Controllers (SBC) in Exchange Online Unified Messaging. You can find the announcement on the Exchange team blog (comments closed) and the Microsoft Tech Community (discussion open).

In July 2018, we will no longer support the use of Session Border Controllers (SBC) to connect 3rd Party PBX systems to Exchange Online Unified Messaging (UM). We’re making this change to provide a higher quality of service for voicemail, using standard Exchange and Skype for Business protocols.

That’s only a year from now, which is a long time in the cloud but not very long at all for on-premises environments, particularly for large, complex on-premises environments which are the most likely to be impacted. As fellow MVP Jeff Guillet says:

While this affects “only a small number of customers”, those customers tend to be really, REALLY, big. We’re talking some Fortune 100 companies here. Transitioning completely to SfB or SfBO in a year’s time is no trivial task.

The transitions to SfB (Skype for Business) or SfBO (Skype for Business Online) that Jeff mentions above are two of the options that Microsoft suggests for customers who are impacted by this change.

  • Option 1: Complete migration from 3rd party on-premises PBX to Office 365 Cloud PBX.
  • Option 2: Complete migration from 3rd party on-premises PBX to Skype for Business Server Enterprise Voice on-premises.
  • Option 3: For customers with a mixed deployment of 3rd party PBX and Skype for Business, connect the PBX to Skype for Business Server using a connector from a Microsoft partner, and continue using Exchange Online UM through that connector. For example, TE-SYSTEMS’ anynode UM connector can be used for that purpose.
  • Option 4: For customers with no Skype for Business Server deployment or for whom the solutions above are not appropriate, implement a 3rd party voicemail system.

Aside from the time pressure, all of those options involve a cost to the customer. Migrating to Office 365 Cloud PBX may be the least expensive option for customers who are already paying for Enterprise E5 licenses. But none of the options is likely to be cheap or simple. Either way, I see this simply as part of Microsoft’s grand strategy to jettison legacy platforms and solutions that are complex and not highly profitable, and focus on services like Cloud PBX that they can deliver more efficiently.

If you’re looking for some more technical detail I suggest reading Jeff’s blog post here that breaks down the situation and explains how customers are impacted by this change, and also expands on Option 3’s suggestion of using a third party connector.

I assume Microsoft’s version of “only a small number of customers” is the same as mine and this change doesn’t have widespread implications, so I don’t actually expect to see this news cause a big stir in the community. Such is life in the cloud. The energy is probably better spent on planning a migration before July next year.

The post Microsoft Announces Discontinuation of Support for Session Border Controllers in Exchange Online Unified Messaging appeared first on Practical 365.

PowerShell One-Liner: Get a Count of Exchange Server Mailboxes Per Database


When I’m planning Exchange Server migrations or just generally reporting on mailbox stats I use my Get-MailboxReport.ps1 script. But sometimes I just want a quick look at how many mailboxes are hosted on each database in the organization. To achieve this we can simply pipe the Get-Mailbox cmdlet into Group-Object. Add -ResultSize Unlimited, otherwise Get-Mailbox returns only the first 1000 mailboxes and the per-database counts will be wrong in larger organizations.

[PS] C:\>Get-Mailbox -ResultSize Unlimited | Group-Object -Property:Database | Select-Object Name,Count | Sort-Object Name | Format-Table -Auto
Name Count
---- -----
DB02   212
DB05    59
DB06    47
DB07    60
DB08    58

The post PowerShell One-Liner: Get a Count of Exchange Server Mailboxes Per Database appeared first on Practical 365.

PowerShell Script for TroubleShooting Exchange ActiveSync Devices


On a recent case I was investigating a mobile device that couldn’t connect to a mailbox over ActiveSync. After spending a few minutes collecting information about the mailbox and its associated devices I realized that this task could be performed a lot faster by using a PowerShell script.

Most mobile device troubleshooting cases boil down to one of a few common issues:

  • AD accounts with permission inheritance disabled
  • Mailboxes with disabled protocols
  • Devices blocked by personal block lists, device access rules, or organization policies
  • EWS block lists (as is the case with Outlook for iOS when it connects using the REST API)

Even though Office 365 MDM and Intune are available, there’s still a lot of usage of ActiveSync out there in the world, especially for on-premises customers. So I am sharing the PowerShell script that I wrote for ActiveSync troubleshooting.

EAS Troubleshooter helps you to troubleshoot Exchange ActiveSync device problems by collecting relevant information about a mailbox’s configuration and device associations. When you run EAS Troubleshooter against a mailbox you’ll see information about the mailbox protocol configuration, associated devices, device status, and more. This information will give you a fast look at the state of ActiveSync for the mailbox, helping you to narrow in on any problems quickly.

Usage

You can download EAS Troubleshooter from the TechNet Gallery. Run the script from an Exchange Management Shell or Exchange Online remote PowerShell session.

[PS] C:\Scripts\EASTroubleshooter>.\Start-EASTroubleshooter.ps1 -Mailbox alan.reid

EAS Troubleshooter uses simple console output with color-coding to draw your attention to potential issues. The goal is to highlight factors that may be contributing to mobile device connectivity problems so that you know where to focus your investigation.

Frequently Asked Questions

Here are some answers and tips that will help you interpret the output of EAS Troubleshooter. If your question is not answered here please leave a comment below.

Q: What is the AD Perms Inheritance item?

For ActiveSync to work the Exchange servers need access to read information from the Active Directory user object of the mailbox user. If permissions inheritance is disabled on the user object then the correct ACLs may not be in place. You can enable permissions inheritance on the object by opening Active Directory Users and Computers, selecting View -> Advanced Features, then in the properties of the user object choosing the Security tab, selecting Advanced, and enabling inheritance.

Note that permissions inheritance is disabled automatically (by the AdminSDHolder/SDProp process) if the user is in a protected security group such as Domain Admins, Account Operators, or any other “admin” group. Re-enabling inheritance on such an account is only a temporary fix, because SDProp will disable it again on its next run (hourly by default). Remove the user from the protected group first, or give administrators a separate, unprivileged account for their mailbox.

This AD permissions check is not applicable to Exchange Online mailboxes.

Q: What do I do if the ActiveSync protocol is disabled?

You can re-enable the ActiveSync protocol for the mailbox using the Exchange Admin Center or the Set-CASMailbox cmdlet in the Exchange Management Shell.

Q: What do the EWS Protocol and EWS Access Policy items mean?

The EWS settings are applicable to Outlook for iOS and Android when connecting to Exchange Online mailboxes using the REST API. See this blog post for more details.

Q: What are the allow/block device ID lists?

Each mailbox can have specific device IDs blocked or allowed. These personal exemptions will override other controls such as device access rules or the organization-level ActiveSync settings. You can add or remove device IDs from these lists using Set-CASMailbox.

Q: What does the ActiveSync Access State mean?

Refer to this article about the allow/block/quarantine process and how ActiveSync device state is determined.

Q: What does the ActiveSync Access State Reason mean?

This property explains how the ActiveSync access state has been determined. Possible values include:

  • Global – access has been determined by the organization-level ActiveSync settings
  • Individual – access has been determined by a personal allow/block list (refer to earlier info in this FAQ)
  • DeviceRule – access has been determined by a device access rule (examples here, here and here)
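The EAS Troubleshooter script itself is on the TechNet Gallery, but the checks the FAQ describes can be reproduced in a few lines. The function below is an added example, not the script or its output format: for one mailbox it reports the AD permissions inheritance state (on-premises only, skipped with -ExchangeOnline), the ActiveSync and EWS protocol settings, the EWS access policy and block list, the personal device allow/block lists, and each device partnership with its access state and the reason behind it. It assumes an Exchange Management Shell session (or Exchange Online PowerShell with the switch) and, for the AD check, the ActiveDirectory module; the mailbox name in the usage line is a placeholder.

```powershell
# Added example: collect the ActiveSync troubleshooting signals described in the FAQ.
# Assumes an Exchange Management Shell session; for Exchange Online use -ExchangeOnline
# so the on-premises AD inheritance check is skipped.
function Get-EasMailboxState {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [switch]$ExchangeOnline
    )

    $mbx = Get-Mailbox    -Identity $Mailbox
    $cas = Get-CASMailbox -Identity $Mailbox

    # 1. AD permissions inheritance (not applicable to Exchange Online mailboxes).
    #    adminCount=1 marks an AdminSDHolder-protected account, where SDProp will keep
    #    removing inheritance no matter how often you re-enable it.
    $inheritance = 'n/a'
    if (-not $ExchangeOnline -and (Get-Command Get-ADUser -ErrorAction SilentlyContinue)) {
        $ad = Get-ADUser -Identity $mbx.SamAccountName -Properties nTSecurityDescriptor, adminCount
        $inheritance = if ($ad.nTSecurityDescriptor.AreAccessRulesProtected) { 'DISABLED' } else { 'Enabled' }
        if ($ad.adminCount -eq 1) {
            Write-Warning "$($mbx.PrimarySmtpAddress) has adminCount=1: SDProp will re-disable inheritance"
        }
    }

    # 2. Protocol state, EWS access policy, and the per-mailbox device allow/block lists
    [pscustomobject]@{
        Mailbox            = $mbx.PrimarySmtpAddress
        ADPermsInheritance = $inheritance
        ActiveSyncEnabled  = $cas.ActiveSyncEnabled
        ActiveSyncPolicy   = $cas.ActiveSyncMailboxPolicy
        EwsEnabled         = $cas.EwsEnabled
        EwsAccessPolicy    = $cas.EwsApplicationAccessPolicy
        EwsAllowList       = ($cas.EwsAllowList -join ', ')
        EwsBlockList       = ($cas.EwsBlockList -join ', ')
        AllowedDeviceIDs   = ($cas.ActiveSyncAllowedDeviceIDs -join ', ')
        BlockedDeviceIDs   = ($cas.ActiveSyncBlockedDeviceIDs -join ', ')
    } | Format-List

    # 3. Device partnerships: access state plus the reason (Global, Individual, DeviceRule, ...)
    #    and, where a device access rule decided it, which rule
    Get-MobileDevice -Mailbox $Mailbox |
        Select-Object DeviceModel, DeviceType, DeviceId, DeviceAccessState,
                      DeviceAccessStateReason, DeviceAccessControlRule, FirstSyncTime |
        Format-Table -AutoSize

    # Last successful sync per device, to tell a blocked device from one that just stopped syncing
    Get-MobileDeviceStatistics -Mailbox $Mailbox |
        Select-Object DeviceModel, DeviceId, LastSuccessSync, LastSyncAttemptTime, Status |
        Format-Table -AutoSize
}

# Usage (placeholder mailbox):
Get-EasMailboxState -Mailbox alan.reid
```

Read the output top-down in the same order as the FAQ: a disabled inheritance flag or a disabled protocol explains a failure for every device, whereas a DeviceRule or Individual access state reason points at a specific rule or personal block list for one device.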

Q: EAS Troubleshooter says a device is blocked/allowed but that doesn’t seem correct?

EAS Troubleshooter is just giving you information to help with your investigation. It can’t accurately diagnose every possible cause or account for every scenario. Use the information provided to lead you to a solution that takes into account your own environment and the specifics of your support case.

Q: What about Intune/MDM?

EAS Troubleshooter looks at configurations that impact ActiveSync devices/apps as well as the EWS configuration that impacts Outlook for iOS/Android REST API connectivity. If your devices are controlled by Intune, Office 365 MDM, or a third party MDM, then there may be other configurations in those systems that you need to look into.

Q: What else can I use to troubleshoot ActiveSync connections?

The Remote Connectivity Analyzer can be used to perform external ActiveSync connectivity tests. You can also use Exchange Analyzer to look for problems with your on-premises server configuration. For on-premises troubleshooting there is also the Exchange Server Troubleshooting Companion, and for Exchange Online there is Office 365 for IT Pros.

The post PowerShell Script for TroubleShooting Exchange ActiveSync Devices appeared first on Practical 365.

Azure Active Directory Conditional Access Policies and the Office 365 Portal


Microsoft is rolling out a change from August 9th 2017 for Azure Active Directory conditional access policies. Before this change rolls out, user logins to the Office 365 portal are not subject to conditional access requirements (e.g. enforcing multi-factor authentication or other conditions). It is only after the user clicks on a tile to access an application such as Outlook on the web, OneDrive, or Planner that they will be prompted to meet the requirements of your conditional access policies.

From August 9th this behavior will change, and conditional access policies that you apply to Exchange Online and SharePoint Online will also apply to the Office 365 portal. This is a positive change in that it levels the field for securing access to online portals, however it does introduce one potential issue. If a user wants to install the Office 365 ProPlus applications on a computer, they would normally log in to the portal to download the installer. If your conditional access policies require domain-joined or Intune-compliant devices, the user may not be able to login at all (e.g. from an unmanaged home PC).

To get around this, Microsoft advises that the user can still download the Office 365 ProPlus installer from this URL.

Surprise! New Office 365 Sign-In Experience for End Users

Microsoft is releasing a new Office 365 sign-in experience to end users, a change that has not been communicated on the roadmap, Office Blog, or in Message Center. Upon visiting the login page for Office 365, users are shown a popup that will take them to the new sign-in experience.

Update: Microsoft has posted an announcement to the EMS blog, which is the wrong place to announce this kind of change, and has been posted after the change rolled out to customers.

The new sign-in page is functionally the same as the old one but uses a different layout. On some of my visits a background image has been displayed, but on most visits so far the background has been blank. It's unknown whether the background will be a single image, or a Bing-style rotating gallery of images.

The new Office 365 sign-in experience

The new layout will play havoc with any custom branding that has been specifically designed for the placement of page elements in the old sign-in experience. If you use custom branding for your login pages I would recommend you start working on the necessary adjustments now, and try for a design that works in both layouts.

The popup suggesting to try the new sign-in experience may or may not be related to First Release tenants. The popup appears pre-login and also appears for me in private mode browser sessions, although it is not appearing for me when tested with the Tor Browser. Perhaps the rollout is limited to certain geographic regions. There's no administrative control I can see for disabling the popup.

The new sign-in experience in a private mode browser session

A fresh new look is all well and good. The old sign-in page has some annoying UX quirks when I visit it in a Chrome browser. The new one seems to behave much better, at least for now. After you try it the first time you will continue to be taken to the new sign-in experience on subsequent visits, presumably due to a cookie being set in your browser. You can switch back at any time and that change will stick as well.

As an unannounced change this has naturally caused some concern among customers, which is not surprising. A similar change back in April caused quite a stir, with one Microsoft representative pledging to do better in future.

The concerns are valid. When users are surprised it usually ends up creating a spike in support calls. Customers also put considerable effort into training their users to treat such changes as potential phishing attacks. Being able to tell users about a change beforehand helps to smooth the transition. At the very least, anyone who invests in internal training materials for their users would appreciate some warning so they can update their documents accordingly.

Communication is key.

Update: see the comments below for reports of what the new sign-in experience breaks.


What’s New in Office 365 for July 2017

Office 365 for IT Pros, 4th Edition is continually updated with new information, changes and corrections. Customers who bought the book from this website can download the updated files from their purchase history. Updates applied to the Amazon Kindle version are available through your Kindle library after they are approved by Amazon.

Microsoft held their Inspire partner conference during July and announced Microsoft 365, a new product suite that bundles Office 365, Windows 10, and Enterprise Mobility + Security. There are no new features in Microsoft 365 that don't already exist in those products. Instead, Microsoft 365 is a licensing bundle available in two packages – Enterprise and Business. Microsoft 365 Enterprise has two plans for E3 and E5 which align with the Office 365 and EM+S licensing (i.e. Microsoft 365 Enterprise E3 will get you Office 365 Enterprise E3 and EM+S E3, along with Windows 10). I haven't seen pricing yet; I imagine this will be sold through sales and partner channels only.

For customers who have a licensing mess right now from buying different products at different times this is no doubt great news and will simplify their purchasing. For the technical audience, it might mean a stronger uptake in the higher tier features (e.g. EM+S features like Intune, Azure AD Premium, ATP, ATA, ASM, and many other acronyms). Microsoft's focus in those areas is clear. Not only is it a way to achieve their revenue targets for cloud services, but it's also where the cloud really starts to differentiate itself from just being a way to use basic services like Exchange and SharePoint without running your own servers. Most of the higher tier features, such as Azure AD Identity Protection, are near impossible to replicate in on-premises environments.

Microsoft also used Inspire to announce new applications for Business Premium customers. They are:

  • Microsoft Connections – An email marketing service with the features you'd expect like newsletter templates, open and click tracking, and campaign analytics. This is an interesting feature considering Microsoft has previously used rate limits to discourage the use of Office 365 as a bulk email marketing service. Even though Connections is only available for Business Premium customers, that doesn't mean that the customers won't have large email marketing lists. So perhaps the rate limits won't apply to emails from Connections. They also use high risk pools for outbound traffic that looks spammy so as to protect the IP reputation of Exchange Online. Presumably Microsoft Connections will use dedicated pools to segregate email marketing traffic from regular email.
  • Microsoft Listings – A tool for managing business listings on websites such as Facebook, Google (which I assume to mean Maps, Places, and Local), Bing, and Yelp. For bricks-and-mortar businesses that are doing their own in-house marketing and social media management this is a much needed tool, providing a dashboard for monitoring performance and dealing with things like online reviews.
  • Microsoft Invoicing – A system for sending and tracking professional-looking sales quotes and invoices. Invoicing integrates with PayPal for processing payments, and QuickBooks for accounting. Ideally they will add more integrations with other payment providers like Stripe and Pin Payments, and more accounting applications like Xero and MYOB as well.
  • MileIQ – A vehicle miles tracking application that automatically detects vehicle trips and allows the user to quickly swipe to classify a trip as personal or business, saving time on tracking and lodging reimbursement requests for business travel.

Microsoft Connections – Image via blogs.office.com

Connections and Invoicing are both web and mobile applications (iOS and Android only), and join Bookings and Outlook Customer Manager in the suite of small business applications that Microsoft is releasing to their Business Premium customers. The apps are also manageable through the Office 365 Business Center to give users a unified web console for running their businesses. My only complaint is that none of these applications has arrived here in Australia yet.

Office 365 Secure Score received an update to address two issues that customers were experiencing. When Secure Score rates your tenant's compliance with certain recommendations, such as use of multi-factor authentication, it would not give you points for mitigating the risk with a third party control. Similarly, recommendations that do not apply to your organization at all were counting against your target score. The update to Secure Score addresses both of those issues by allowing you to tag a control as being met by a third party solution, and by giving you the ability to ignore a control.

The SharePoint Online user interface for tenants that have opted in to the new user experience has been improved with the addition of an “Exit classic experience” link. This resolves the issue of users clicking on the “Return to classic experience” link to work around any issues they're having with the new experience, but then being unable to get back to the new experience reliably. SharePoint Online is also receiving new column types for modern lists and libraries. Among the new column types are Number, Yes/No, Person, Choice, Hyperlink, Picture, and two types of text fields.

Microsoft has also been busy releasing the Visio Online public preview to more tenants. If your SharePoint Online preview features settings are enabled, then you might have access to it already. Visio Online will be a paid service eventually, but you can try the public preview for free. The functionality is about as basic as you would expect for an early public preview. You can view Visio diagrams using the Visio Online viewer, or you can create new Visio diagrams directly in Visio Online from the new document menu in OneDrive or SharePoint. Only a basic set of shapes is available. Custom stencils for more advanced diagramming are not available, and if you try to open a Visio file in Visio Online that contains unsupported shapes you'll be prompted to open it in Visio desktop instead. Still, this is a promising start and a much needed move of Visio into more cross-platform compatibility to compete with Visio alternatives like LucidChart and Omnigraffle.

OneDrive for Business (are we just calling it OneDrive now?) is getting improved search and auto-detection of images. It seems that people love drawing on whiteboards during meetings, then taking photos of the whiteboard and storing them in OneDrive. Now OneDrive can recognize whiteboards in photos, as well as other common image types such as photos of receipts, screenshots, envelopes, and even x-rays. You can now search for terms such as “whiteboard” in OneDrive to narrow your results to those specific types of images. Microsoft is also keen to add the capability to extract text out of images, which means we'll potentially be able to search for the actual words written on the whiteboard in the photo. Interesting times.

If you're lagging behind on your OneDrive client upgrades to the Next Gen Sync Client (in other words, stop using the old Groove.exe-based OneDrive client), you'd better get a move on. SharePoint Online and OneDrive will both start linking to the new sync client from the Sync button in the web interface. OneDrive's file version history has also been improved by expanding support to all file types, not just Office files.

Azure Active Directory is expanding the coverage of conditional access to include macOS as a platform. If you have conditional access policies defined with “All platforms” then they will begin taking effect for macOS. The macOS clients will be considered compliant if you haven't configured any macOS compliance policies in your Intune configuration. Microsoft is recommending that you create a compliance policy for macOS clients to meet your organization's security requirements.

Conditional access will also begin applying to the Office 365 home page (portal.office.com and office.com). Currently these pages are not protected by conditional access policies, so a user is able to log in to them without meeting any of the requirements of a conditional access policy for either Exchange Online or SharePoint Online. After this change rolls out, clients will need to meet the requirements of your EXO or SPO conditional access policies to reach the Office 365 home page (e.g. provide an MFA code, use a compliant device, use a domain-joined device). The rollout of this change may vary from tenant to tenant, but is expected to happen in August (I've seen Message Center notices for August 9th and August 24th).

In Security & Compliance land, Office 365 data loss prevention (DLP) is receiving improvements to matching capabilities. This includes support for large dictionaries of up to 100000 terms per dictionary, and grouping sensitive types and operators for a much richer and more specific set of matching requirements in policies. Also included are policy matches for uniques (Microsoft's example scenario is the same social security number being found on multiple pages of a single document now counting as a single match instead of multiple matches). The accuracy of detection of HIPAA-related content has also been improved.

A few more quick items for July:

  • The Microsoft Forms Preview, which began appearing in First Release Office 365 commercial tenants during June, has begun rolling out to all commercial tenants. Microsoft expects to complete the rollout during September.
  • Call Analytics for Skype for Business is in open preview. Call Analytics is a voice quality reporting system that allows Skype admins to troubleshoot call data in real time.
  • Office 365 Groups can now have up to 100 owners (increased from a limit of 10 previously). Distribution groups that were previously ineligible for upgrade to Office 365 Groups due to the number of owners they had are now eligible if they have 100 or fewer owners and meet all of the other upgrade requirements (note this documentation hasn't been updated yet).

Using Exchange Shared Mailboxes for Help Desk and Customer Service Scenarios

Shared mailboxes in Exchange Server and Exchange Online are a great way for a team of your users to share the workload of reading and responding to emails. Shared mailboxes are often used in customer service scenarios, whether that be internal customer service (such as Payroll or Human Resources matters), or external customer service (such as providing service and support to buyers of your products).

Although shared mailboxes provide a basic, single point of contact for customer service, they're not well suited to any situation that requires one or more of the following:

  • tracking of individual cases (e.g. by assigning ticket numbers)
  • tracking against SLAs or response targets (e.g. time to answer, time to close)
  • task assignments (e.g. to avoid duplicating effort, or to assign to specialists)
  • easy access to historical correspondence (e.g. looking up previous support requests from a customer)
  • communications between support team members (e.g. adding notes for others to understand the context of a ticket)
  • integration with knowledge bases (e.g. keywords in customer requests surfacing existing KB information)
  • workflows and business rules (e.g. routing requests through multi-stage processes for resolution)
  • any type of reporting (e.g. number of tickets received vs closed per day/week/month)
  • mobile access (a long-standing pain point for Exchange shared mailboxes)

Those features, and many others that are common to support scenarios, are not natively available in Exchange mailboxes. While it's quite normal for an organization to initiate a basic customer support model using a shared mailbox, it's also quite normal to quickly outgrow the limitations of shared mailboxes. Even a small organization with a single IT support person can struggle with managing cases through a basic helpdesk@company.com shared mailbox.

I see a lot of questions in forums, especially from IT pros, and also field a lot of questions from customers about how they can achieve any of the above features for their shared support mailboxes. And while it's true that almost anything is possible in the world of technology, I generally advise using a service like Zendesk, Help Scout, or SupportBee instead of trying to DIY a solution with custom scripts or other bits and pieces. Pretty much any of those three services, or one of the many others that are available on the market today, will do the job better than any custom script you throw at the problem. You'll be happier using a service that is designed to provide those required features, and your customers will get better support as well. It's win-win.

But there are a few things to consider. Integration with third party SaaS is a common approach these days, but not all SaaS is equal. At the most basic level you should consider how your support users will be logging in to the system. The Azure marketplace helps you to identify SaaS applications that support Azure AD identities for SSO. Your sales team might also like to ensure that your support application integrates with their CRM, so that they can check a customer's latest support interactions before they call them to avoid surprises. Similarly, it's helpful for support agents to understand who a customer is when they're handling a ticket (all customers are treated equally, but some are treated more equally than others).

There are also general cloud service considerations, the same ones you've likely applied to your decisions about utilizing Office 365 services. For example, data sovereignty, compliance with industry regulations for privacy and personal data, encryption and general security of your customer data, auditing, retention/preservation, and so on. Those are all issues that will be specific to your organization, which is why I am only making general recommendations in this article.

For integration, you should look at whether the SaaS application needs access to an Exchange mailbox to ingest customer support emails, e.g. via EWS, IMAP, or POP. Some systems work by utilizing a forwarding email address instead, removing the need for access to your Exchange servers. The SaaS application also needs to be able to send email back to customers (e.g. to let them know their ticket number, and update them on the status of their request). If it will be sending email using your domain name, then SPF configuration needs to be taken into consideration as well. Alternatively, running the SaaS application on a separate email domain (e.g. @support.company.com) can simplify the SPF configuration by separating it from your primary email domain.

But the main point that I'm making here is that shared mailboxes are not a good solution for anything but the most basic support scenarios. Hopefully you're able to use the guidance in this article to convince your organization to invest in proper support tools that will benefit both you and the customers that you serve.


Does OneDrive for Business Prevent Ransomware Attacks?

I delivered a talk about ransomware risks for businesses at an industry event last year. Since then, awareness of ransomware has grown due to a number of high profile outbreaks around the world. This has led to the same types of questions from customers that I got at the end of my talk last year. One of the questions is whether cloud storage services like OneDrive for Business can prevent ransomware attacks.

As with many security-related questions, the answer is not a simple one. As consultants are fond of saying, “it depends”. Mitigating the risk of ransomware is not as simple as just using OneDrive for Business to store files. However, the capabilities of OneDrive for Business might help you in a recovery scenario. As Microsoft themselves wrote in a blog post on dealing with ransomware:

OneDrive for Business can be used as a protection mechanism against ransomware. If your organization utilizes OneDrive for Business, OneDrive will allow you to recover files stored in it.

So OneDrive doesn't prevent ransomware attacks, but in the event of an attack you can use OneDrive to restore previous versions of files. The version history feature of OneDrive only supported Office file types until recently. Microsoft announced last month that version history has been extended to all file types.

So as I advise customers, simply deploying OneDrive isn't the solution. For starters, OneDrive is not a good replacement for traditional file servers. It provides a good replacement for user home drives, but it's SharePoint Online that is a more suitable replacement for file servers when using Office 365. OneDrive does allow users to sync document libraries to their computer for local and offline editing of files. But that's the problem. The locally stored files are exposed to ransomware attacks, and will sync to SharePoint Online. And anyone who uses one of those third party tools to mount SharePoint libraries as a drive letter to emulate old school file shares runs into the same problem. Any file the user can access via network shares is also exposed to ransomware.

Yes, you will probably be able to restore your files after an attack, but you did nothing to reduce the likelihood of the attack in the first place and will still suffer the downtime while you go through the recovery process.

So what can you do with Office 365 and other Microsoft services to reduce the likelihood of a ransomware attack?

  1. Email protection – Exchange Online Protection has basic mail flow rules for blocking executable content in file attachments, but a more effective option is to enable Advanced Threat Protection (ATP). ATP provides additional protection from email-borne attacks, both in attachments (Safe Attachments) and in links (Safe Links) within emails. The Safe Attachments feature checks for malicious behaviours, allowing it to potentially block a zero day attack. The Safe Links feature also extends to Office applications like Word, to protect users from clicking malicious links within documents.
  2. Web protection – obviously using secure and up to date web browsers is important, as is running good anti-malware on your desktops and laptops. You can also use “next generation” firewalls such as Palo Alto and Barracuda to perform similar behaviour-based analysis of file downloads to reduce the risk of a zero day attack from a drive-by download or malicious link. For bonus points, if you choose a firewall that integrates with Cloud App Security you can feed that to Microsoft for analysis so that abnormal and malicious behaviours can be detected and responded to.
  3. Device compliance – use Intune to manage user devices to ensure they meet your security standards.
  4. Backups – SharePoint Online has options for restoring files in the event of a ransomware outbreak, but if you're unsatisfied with the speed of those restore scenarios then you can look into third party backup solutions. Office 365 backups are typically limited to Exchange Online and SharePoint Online and don't cover other applications like Teams and Planner. But if your primary concern is restoration of files in SharePoint Online and OneDrive libraries then that may be enough for you. One of the most important considerations with backups is ensuring they are not accessible by users (and therefore the ransomware itself), which would only result in your backups being ransomed as well.
  5. Intelligent detection – Microsoft has a good write up here on using Advanced Threat Analytics and Cloud App Security to proactively detect abnormal behaviour such as file types that indicate a ransomware attack, in order to alert administrators and suspend the infected user to prevent further spread of the ransomware. Note that, in the comments at the end of that blog post, Advanced Security Management (ASM) is said to provide similar detection and prevention, but only for Office 365 apps.
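
As an added example (not code from the original post), here is what item 1 above looks like when expressed as Exchange Online PowerShell: a mail flow rule that rejects executable attachments, a second extension-based rule as a further layer, and ATP Safe Attachments and Safe Links policies with the org-wide setting that extends Safe Links into Office documents. It assumes an existing remote PowerShell session to Exchange Online, ATP licensing for the Safe Attachments and Safe Links parts, and the placeholder domain contoso.example and mailbox secops@contoso.example; the policy names and extension list are illustrative choices, not Microsoft defaults.

```powershell
# Added example (not from the original post). Assumes an existing remote PowerShell
# session to Exchange Online and an ATP licence for the Safe Attachments / Safe Links
# sections. contoso.example and secops@contoso.example are placeholders.

# --- Exchange Online Protection: basic mail flow rules (no ATP licence required) ---

# Reject any message whose attachment contains executable content, whatever its extension.
New-TransportRule -Name 'Block executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted. Contact the service desk if you need to send this file.' `
    -Priority 0

# Script and installer files are not always classified as executable content, so add an
# extension-based rule as a second layer. The extension list is an illustrative assumption.
New-TransportRule -Name 'Block script attachments' `
    -AttachmentExtensionMatchesWords 'js','jse','vbs','vbe','wsf','hta','scr','ps1','bat','cmd' `
    -RejectMessageReasonText 'Script attachments are not accepted.' `
    -Priority 1

# --- Advanced Threat Protection: behaviour-based detonation and link checking ---

# Safe Attachments: block messages whose attachments misbehave during detonation, send a
# copy to the security team mailbox for analysis, and also block if the scan itself errors.
New-SafeAttachmentPolicy -Name 'Safe Attachments - Block' -Enable $true -Action Block `
    -Redirect $true -RedirectAddress 'secops@contoso.example' -ActionOnError $true
New-SafeAttachmentRule -Name 'Safe Attachments - All recipients' `
    -SafeAttachmentPolicy 'Safe Attachments - Block' -RecipientDomainIs 'contoso.example'

# Safe Links: rewrite URLs in mail, re-check them at click time, record clicks, and do not
# let users click through to a site that has been flagged as malicious.
New-SafeLinksPolicy -Name 'Safe Links - Users' -IsEnabled $true -ScanUrls $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'Safe Links - All recipients' `
    -SafeLinksPolicy 'Safe Links - Users' -RecipientDomainIs 'contoso.example'

# Org-wide setting: apply Safe Links to links inside Word, Excel and PowerPoint documents.
# Parameter name as documented at the time of writing; confirm with Get-Help Set-AtpPolicyForO365.
Set-AtpPolicyForO365 -EnableSafeLinksForClients $true

# --- Verify what is now in force ---
Get-TransportRule | Where-Object { $_.Name -like 'Block *' } | Format-Table Name, State, Priority
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action, Redirect, RedirectAddress
Get-SafeLinksPolicy | Format-Table Name, IsEnabled, ScanUrls, TrackClicks, AllowClickThrough
```

The two transport rules reject the message outright and tell the sender why; if you would rather quarantine or redirect for review, swap the RejectMessageReasonText parameter for the rule's quarantine or redirect actions. Scope the Safe Attachments and Safe Links rules to a pilot group before widening RecipientDomainIs to the whole domain, because Safe Attachments adds delivery latency while detonation runs.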

Obviously all of those things involve costs that need to be weighed up in a cost vs risk analysis for the business in question. Hopefully you have found the information useful when considering the use of OneDrive for Business as part of your ransomware mitigation approach, and are willing to look into a more comprehensive and multi-layered solution to protect your business.
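
Item 5 above describes detection of file activity that indicates a ransomware attack. The script below is an added example, not code from the original post or from the Microsoft blog it cites, of the simplest form of that logic: one user renaming many files to an extension that encrypting malware typically appends, inside a short time window. The audit records are constructed and carry the field names used by SharePoint audit events (UserId, Operation, SourceFileName, DestinationFileName); the extension list, window and threshold are assumptions to tune for your environment, and in production the records would come from Search-UnifiedAuditLog rather than being built inline.

```powershell
# Added example (not from the original post). Detects a burst of renames to a suspicious
# extension by a single user. All records below are constructed sample data; the extension
# list, window size and threshold are assumptions, not Microsoft's values.

$windowMinutes        = 10
$threshold            = 20   # suspicious file changes by one user within the window
$suspiciousExtensions = @('.locked', '.encrypted', '.crypt')   # illustrative list

# Constructed sample records shaped like SharePoint/OneDrive audit events.
$events = @()
$start  = Get-Date '2017-07-20T09:00:00'

# alice: 25 renames in just over two minutes, every file gaining a .locked extension
foreach ($i in 1..25) {
    $events += [PSCustomObject]@{
        CreationTime        = $start.AddSeconds($i * 5)
        UserId              = 'alice@contoso.example'
        Operation           = 'FileRenamed'
        SourceFileName      = "report$i.docx"
        DestinationFileName = "report$i.docx.locked"
    }
}
# bob: ordinary edits spread across the day, no suspicious extensions
foreach ($i in 1..5) {
    $events += [PSCustomObject]@{
        CreationTime        = $start.AddMinutes($i * 30)
        UserId              = 'bob@contoso.example'
        Operation           = 'FileModified'
        SourceFileName      = "budget$i.xlsx"
        DestinationFileName = $null
    }
}

function Find-RansomwareBursts {
    param(
        [object[]]$Events,
        [int]$WindowMinutes,
        [int]$Threshold,
        [string[]]$Extensions
    )
    # Keep only events whose resulting file name carries a suspicious extension.
    $hits = $Events | Where-Object {
        $name = if ($_.DestinationFileName) { $_.DestinationFileName } else { $_.SourceFileName }
        $ext  = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
        $Extensions -contains $ext
    }
    foreach ($group in ($hits | Group-Object UserId)) {
        $sorted = @($group.Group | Sort-Object CreationTime)
        # Sliding window: from each event, count suspicious events in the following window.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowStart = $sorted[$i].CreationTime
            $windowEnd   = $windowStart.AddMinutes($WindowMinutes)
            $inWindow    = @($sorted | Where-Object { $_.CreationTime -ge $windowStart -and $_.CreationTime -le $windowEnd })
            if ($inWindow.Count -ge $Threshold) {
                [PSCustomObject]@{
                    UserId      = $group.Name
                    WindowStart = $windowStart
                    Count       = $inWindow.Count
                    Sample      = ($inWindow | Select-Object -First 3 -ExpandProperty DestinationFileName) -join ', '
                }
                break   # one alert per user is enough to start a response
            }
        }
    }
}

# With the constructed data this reports alice (25 events in the window) and nothing for bob.
Find-RansomwareBursts -Events $events -WindowMinutes $windowMinutes -Threshold $threshold -Extensions $suspiciousExtensions |
    Format-List
```

The response that follows an alert is what the blog post Microsoft cites describes: notify administrators and suspend the affected account so the sync client stops pushing encrypted files into the library. Matching on a fixed extension list is deliberately simple; a count of renames per user per window regardless of extension, compared against that user's normal rate, catches variants that do not append a known extension.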


Removing On-Premises Exchange Servers after Migrating to Office 365

For some customers after a migration from on-premises Exchange Server to Exchange Online there is a desire to completely decommission the on-premises Exchange servers. Whether it can actually be done will depend on a few different things.

At the beginning of an Office 365 project I like to discuss with the customer what they need for their long term identity model. I start with identity, even though some customers want to jump straight to how mailboxes and other data will be migrated, because the identity model is a big factor in determining the best migration method. The discussion usually comes down to one of two scenarios:

  • The customer plans to retain the on-premises Active Directory for other requirements, and wants directory synchronization and password hash sync so that users have a single set of credentials to remember for authenticating to Office 365 cloud services
  • The customer has no intention of retaining the on-premises Active Directory and doesn't need directory synchronization

The key here is the use of directory synchronization. Microsoft has published guidance on TechNet for decommissioning on-premises Exchange in a hybrid deployment. The title is a bit misleading because it's not the hybrid configuration that ultimately determines whether you can decommission on-premises Exchange or not.

When directory synchronization is enabled for a tenant and a user is synchronized from on-premises, most of the attributes cannot be managed from Exchange Online and must be managed from on-premises. This is not due to the hybrid configuration, but it occurs because of directory synchronization. In addition, even if you have directory synchronization in place without running the Hybrid Configuration Wizard, you still cannot manage most of the recipient tasks from the cloud.

The article links to an older blog post that was written in the Exchange 2010 era, but still applies to later versions of Exchange.

For organizations intending on keeping DirSync in place and continuing to manage user accounts from the on-premises organization, we recommend not removing the last Exchange 2010 server from the on-premises organization. If the last Exchange server is removed, you cannot make changes to the mailbox object in Exchange Online because the source of authority is defined as on-premises. The source of authority refers to the location where Active Directory directory service objects, such as users and groups, are mastered (an original source that defines copies of an object) in a hybrid deployment. If you needed to edit most mailbox settings, you would have to be sure the Active Directory schema was extended on-premises and use unsupported tools such as Active Directory Service Interfaces Editor (ADSI Edit) for common administrative tasks.

To summarize the two quotes above, if you have directory synchronization in place, then you need to manage the mail attributes of users, groups, and contacts in the on-premises Active Directory, and then allow those changes to synchronize to Azure Active Directory. And the only supported way to manage the mail attributes on-premises is using the Exchange management tools, which requires at least one Exchange server to be running.
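
A practical check before any decommissioning discussion is to see how many recipients in the tenant are actually mastered on-premises. The script below is an added example (not code from the original post or from the Microsoft documentation it quotes) that tallies mailboxes, mail users, distribution groups and mail contacts by their IsDirSynced property in Exchange Online. It assumes an existing remote PowerShell session to Exchange Online; while the count of directory-synchronized objects is greater than zero, those objects fall under the management constraint described above.

```powershell
# Added example (not from the original post). Assumes an existing remote PowerShell
# session to Exchange Online. Recipients with IsDirSynced = $true have their source of
# authority in on-premises Active Directory, so their mail attributes must be edited
# there with the Exchange management tools rather than in Exchange Online.

$recipientQueries = [ordered]@{
    Mailbox           = { Get-Mailbox -ResultSize Unlimited }
    MailUser          = { Get-MailUser -ResultSize Unlimited }
    DistributionGroup = { Get-DistributionGroup -ResultSize Unlimited }
    MailContact       = { Get-MailContact -ResultSize Unlimited }
}

$syncedObjects = New-Object System.Collections.Generic.List[object]

# One summary row per recipient type: total, on-premises mastered, cloud-only.
$summary = foreach ($type in $recipientQueries.Keys) {
    $objects = @(& $recipientQueries[$type])
    $synced  = @($objects | Where-Object { $_.IsDirSynced -eq $true })
    foreach ($object in $synced) { $syncedObjects.Add($object) }
    [PSCustomObject]@{
        RecipientType = $type
        Total         = $objects.Count
        DirSynced     = $synced.Count
        CloudOnly     = $objects.Count - $synced.Count
    }
}

$summary | Format-Table -AutoSize

if ($syncedObjects.Count -gt 0) {
    $message = '{0} recipient(s) are mastered in on-premises Active Directory. Retain at least one on-premises Exchange server for supported management of their mail attributes.' -f $syncedObjects.Count
    Write-Warning $message
    # A short sample of the affected objects to review with their business owners.
    $syncedObjects |
        Select-Object -First 10 DisplayName, PrimarySmtpAddress, RecipientTypeDetails |
        Format-Table -AutoSize
} else {
    Write-Output 'No directory-synchronized recipients found.'
}
```

Run this with an account holding the View-Only Recipients role or higher; nothing in it changes any object. In a large tenant the four queries with -ResultSize Unlimited can take a while, so run it outside business hours or scope the queries with -Filter if you only need one part of the directory.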

So where does that leave customers? Here are a few scenarios to consider:

  • If you need directory synchronization, a cutover migration is not a good choice. I am no fan of cutover migrations in general, but in particular for directory sync scenarios it is very difficult to retrofit directory synchronization after completing a cutover migration. Better to choose a migration method that utilizes directory sync up front.
  • If you need directory synchronization, strongly consider using a hybrid configuration to facilitate the migration to Exchange Online and the ongoing management. Hybrid requires a little more work to set up at the beginning, but offers a far better admin and end user experience during the migration of mailboxes to the cloud. Yes, you will retain the on-premises Exchange server, but you can downsize it to the minimum hardware spec or run it as a small VM.
  • If you need password synchronization for ease of user login, but don't need sync of other Active Directory attributes, then consider using the Windows Server Essentials role. Essentials supports up to 100 users and allows you to link on-premises users with Office 365 users so that on-premises password changes are automatically synced with Azure Active Directory. An on-premises Exchange server is not required for Essentials-based integration with Office 365. This solution is ideal for customers who need to retain Active Directory on-premises, perhaps for just a few requirements like a legacy app that won't run in the cloud. I've migrated former SBS customers to Essentials-based solutions and it works fine.

What if you absolutely insist on removing Exchange but keeping directory synchronization running? For those scenarios you've probably found some third party tools, or someone who tells you that it works just fine and all you need to do is write some scripts or use ADSIEdit. Yes, from a technical perspective it's possible. But using anything other than Exchange to manage mail attributes in Active Directory is not supported by Microsoft, and I'm not in the habit of promoting unsupported solutions.

In all of the above I haven't gone into complex scenarios, nor have I mentioned AD FS. For customers with a lot of complexity or who have federation requirements I generally find that they have already learned and accepted the requirements for on-premises Exchange Server in certain scenarios. The advice above is mostly for the small to mid-size customer who feels the need to remove all on-premises Exchange servers to reduce their management overhead.

Maybe one day it will be possible, but not for now.
