Teaching productivity soft skills at MVP Connection in Madrid June 1st

MVPCommunityConnectionI am super excited to be picked out to teach productivity soft skills to the MVP’s and Regional Directors attending MVP Community Connection in Madrid June 1st. For the past year I have developed my OneNote productivity framework that I still use and succeed with. By borrowing and combining known productivity methodology such as take back your life, Getting Things Done and the Pomodoro Technique, I will talk about stuff you already know, but still need to be reminded of.

Why OneNote? There are three factors that works well for me with OneNote

  1. Flexible notetaking tool, you can paste anything anywhere and it works great with touch and pen.
  2. Syncs across devices through OneDrive with great apps for all operating systems including mobile.
  3. OneNote tasks are key and works the same on all devices so I easily can complete a task on my mobile.

It is all about getting a finite list of all your activities and thoughts so that you can prioritize and execute on the most important task at any given time. And the result? A happy life, and a productive life :) People who have tested the framework report back that a burden has been taken off their shoulders. Turns out that your mind is for having ideas, not holding them as David Allen says. By dumping everything in your head, you free up space to relax, enjoy the moment and focus on your current task at hand.

Learn how in my LifeHack OneNote session at MVP Community Connection

LifeHackOneNote2

 

Proud to be contributing on the Fourth Edition of Office 365 for IT Pros book

I think that search engines are loosing their powers in an evergreen and ever changing Cloud World. When searching failed me for learning what I needed about Office 365 Groups I found that the Office 365 for IT Pros book had the angle and up to date answers I needed. It is kept up to date by MVPs who work with and understand the technology for what it is and what it’s not, so you know you get an up to date and thoughtful answer. It covers all of Office 365 with practical examples to get you started. I strongly believe in this format moving forward since it is difficult to search for Groups or Teams online, and when you find articles they are half a year old and may or may not be outdated. To make sure I stay up to date on my core knowledge, I offered my services to write about Skype for Business Online and hybrid. I am happy to be accepted in to the team with Tony Redmond, Michael Van Horenbeeck and Paul Cunningham. I look forward to contribute to a great collection of knowledge. The fourth edition is planned for a June 1st release, read more about it here

Totally recommend Office 365 for IT Pros if you are an Office 365 admin or consultant. Get it here

 

Microsoft Teams Preview and Office 365 Groups member mismatch and how to fix it

Office 365 Groups are at the core for next generation Office 365 services such as Planner, Microsoft Teams and Modern SharePoint Teamsites. At the time of writing (Teams preview before March 2017) I have discovered the following regarding Office 365 Groups and membership especially in an active Microsoft Teams environment, where you are adding new members directly in the Teams client.

The Short story

Microsoft Teams in preview (before march 2017) did not add new members to the Office 365 Groups in Exchange, only to the corresponding  Azure AD Group. The Azure AD Group is used to give access to SharePoint documents and adding a new Teams member gives access to the SharePoint Site. This would result in mismatch in member-count in these two groups that can be confusing for users when navigating around the different Office 365 Groups interfaces

The Long story, understanding the different groups

Creating Office 365 Groups

  • When creating an Office 365 Group a corresponding Azure AD Group also gets created
    • The Azure AD Group is used for Group write back with Azure AD Connect and permissions in SharePoint Teamsites
      • The Group write back option is only necessary if you have a hybrid Exchange environment and users hosted on-premises that needs to be able to resolve the distribution email address and its members
      • It may also be necessary for Skype for Business hybrid environments in order to be able to add the Office 365 Groups as group in the Skype contactlist
    • If you crate the Office 365 Group in GUI from Outlook, members gets added to that Azure AD Group
    • If you create the Office 365 Group using PowerShell with New-UnifiedGroup (this still applies post March 2017) and and use the -members option, members will not get added to the Azure AD Group and you get a mismatch in member count
      • New-UnifiedGroup -Members
      • Only the Office 365 Group Owner will get added to the Azure AD Group as member and this is an issue for the Group Write Back with AADC
      • A corresponding SharePoint TeamSite gets created with a member of the group with a SharePoint license logs on to either Office 365 Groups or creates a Microsoft Teams team
    • If you create the group in PowerShell and with New-UnifiedGroup without adding members and add the members using Add-UnifiedGroupLinks, then members will get added to the corresponding Azure AD Group
Recommended method to create Office 365 Groups via PowerShell

Make sure you are logged in to Exchange Online PowerShell before you start creating the group

$Owner = "stale@msunified.net"
$Users = "julia@msunified.net","Skype.buddy@msunified.net"
$alias = "MyNewOffice365Group"
New-UnifiedGroup –DisplayName $alias –Alias $alias –EmailAddresses "$alias@msunified.net" -owner $Owner -Verbose
#This is optional, but may be a good practice initally since Office 365 Groups may clutter your Global Addressbook
Set-UnifiedGroup –Identity $alias –HiddenFromAddressListsEnabled $true
#Add the member to the group
Add-UnifiedGroupLinks $alias -LinkType member -Links $users
#Validate that the members where added ok
Get-UnifiedGroupLinks $alias -LinkType member
#If you want to validate that the AD group is updated ok, run the script below without $alias=$null

Adding members to existing Office 365 Groups

  • Adding members using the Exchange Online cmdlet Add-UnifiedGroupLinks results in users getting added to both the Office 365 Group and Azure AD Group, all is good
    • If this is also a Microsoft Teams enabled group then the members will get added to the team as well within 24 hours (or so)
  • Adding members using the web UI as a user results in users getting added to both the Office 365 Group and Azure AD Group, all is good
  • Adding members from the SharePoint Teamsite UI resulted (before March 2017) in users only getting added to the Azure AD Group and you have a mismatch of user count between Azure AD and Office 365
  • Adding users from the Microsoft Teams client (before March 2017) would result in users only getting added to the Azure AD Group that gives full write access to all the corresponding SharePont Teamsite documents
    • This resulted in a mismatch between Azure AD Group and Office 365 Group and if users are expect to see the group under Groups in Outlook they will not
    • You would also get a mismatch in the memberlist in Microsoft Teams and Office 365 Groups on the web
      • if the user tried to access the Exchange components of the group they will get added to the memberlist, but not until they actively add the group or go via SharePoint Teamsite to the groupconversation button on the top right corner

Consequences

  • If you are not a member of the Office 365 Group, you are not a part of the distribution group and you will not get see the Group in either Outlook or Outlook Web App
  • If you are not added to the Azure AD Group you will not be part of the group that gets synced back to Active Directory and part of the on-premises distribution group for users hosted on Exchange Server
  • If you are not part of the Azure AD Group you will not be visible in the Graph API as there is not way to resolve member from an Office 365 Group via the API, only members from the corresponding Azure AD Group (at the time of writing, may change in the future)

Workarounds

  • Add the member in the web UI for Groups then it will get added to the Exchange part and Azure AD part of the Office 365 Group
  • Detect and remedy the different user memberships using PowerShell by detecting and adding the missing users to either Office 365 Groups or Azure AD Group

How to detect mismatch in member-count in Office 365 Groups and Azure AD Group

Below is a simple example on how to list all the groups that have a member-count mismatch between Office 365 Groups and Azure AD Groups. It is always the Azure AD group that has the most and correct set of members so that is why we add those members to the Exchange part of the Office 365 Group.

Before you run the example you need to install the latest MSOnline PowerShell V1 module and be logged in to Exchange Online PowerShell module

Find all groups with mismatch in member-count
$alias=$null
#find groups that have mismatching member-count in Office 365 groups and Azure AD groups
$Groups = @()
#Get all Office 365 Groups
$UnifiedGroup = get-unifiedgroup $alias
    ForEach ($Group in $UnifiedGroup){
        #Get the members of the group
        $UnifiedGroupLink=Get-UnifiedGroupLinks -Identity $Group.name -LinkType member | Select-Object -ExpandProperty PrimarySmtpAddress
        #If there are members in the group, check the corresponding Azure AD Group and find the members. Add the result in custom Powershell object
        if (($UnifiedGroupLink).count -ne 0){
            $AADGroup= Get-MsolGroup -GroupType DistributionList -All | Where-Object {$_.Emailaddress -eq $Group.PrimarySmtpAddress}
            $TempGroups = @()
            $TempGroups = New-Object PSObject -Property @{
                Emailaddress=$Group.PrimarySmtpAddress
                O365Members= $UnifiedGroupLink
                O365membercount= ($UnifiedGroupLink).count
                AADGUID=($AADGroup).ObjectId
                AADmembers=Get-MsolGroupMember -GroupObjectId ($AADGroup).ObjectId | Select-Object -ExpandProperty EmailAddress
                AADmembercount=(Get-MsolGroupMember -GroupObjectId ($AADGroup).ObjectId | Select-Object -ExpandProperty EmailAddress).count
            }
            #If there is a mismatch in the membercount, add the group to the final output variable and write the group to the console
            if($TempGroups.O365membercount -ne $TempGroups.AADmembercount){$Groups += $TempGroups; $TempGroups}
            $TempGroups
        }
}
#list all groups with mismatch
$Groups
#count the number of groups with a mismatch
Write-Host "Number of groups mismatching groups"($Groups).count
List all the members not present in the Office 365 Group
#Find all members that are present i the Azure AD group and needs to be added to the Office 365 Group
foreach ($CurrentGroup in $Groups){
    write-host
    write-host "Checking Group"$CurrentGroup.Emailaddress
    $NewMembers = $CurrentGroup.AADmembers | Where {$CurrentGroup.O365Members -NotContains $_} # Shows what items in $CurrentGroup.O365Members are missing in $CurrentGroup.AADmembers
    $NewMembers

}
Add the missing members to the Office 365 Group
#Add the users from the Azure AD group to the Office 365 group, the users added will not get a welcome mail.
foreach ($CurrentGroup in $Groups){
    write-host
    write-host "Checking Group"$CurrentGroup.Emailaddress
    $NewMembers = $CurrentGroup.AADmembers | Where {$CurrentGroup.O365Members -NotContains $_} # Shows what items in $CurrentGroup.O365Members are missing in $CurrentGroup.AADmembers
    Add-UnifiedGroupLinks $CurrentGroup.emailaddress -LinkType member -Links $NewMembers -Verbose
    Get-UnifiedGroupLinks $CurrentGroup.emailaddress -LinkType member

}

Office 365 Multi-Factor Authentication requirements explained

Short version

mf_authMulti-Factor Authentication (MFA) in Office 365 is dependent on Modern Authentication which is oAuth 2.0 via ADAL that authenticates the user in Azure AD

Longer version with links to deep dives

  • What is MFA?
    • Multi-Factor Authentication (MFA) in Office 365 requires Modern Authentication (oAuth2.0 + ADAL) to be enabled for the clients and services that are going to use MFA
    • MFA, Two-step verification, is a method of authentication that requires more than one verification method combined with the Azure Authenticator App, SMS or phone call verification
    • Read more here
  • What is Modern Authentication?
    • Modern Authentication is oAuth 2.0 used via ADAL to enable newer applications (Outlook, Word, OneNote, Skype for Business and other Office applications) to authenticate to services such as Skype for Business, Exchange and SharePoint
    • In Office 2013 march 2015 update and later Modern Authentication is supported and in Office 2016it is enabled by default and will use an in-application browser control to render the Azure AD sign-in experience
    • Read more here
  • What is oAuth?
    • Open Authentication 2.0 (oAuth 2.0) is used as a component via ADAL as the web-based authorization flow between servers or clients and servers
    • Read more here
  • What is ADAL?
    • Microsoft Azure Active Directory Authentication Library (ADAL) is a tool in the .NET framework that lets client applications authenticate users to Office 365 and Azure AD
    • Read more here
  • Two options are available for SSO with on-premises AD that requires Modern Authentication
    • Pass Through Authentication (PTA)
      • Works with Office 365 only
      • Enabled on latest AADC with outbound connection only, no DMZ server
      • Just set up several AADC and it is automatically loadbalanced resulting in low operational cost
      • Does not store password in Azure AD, authenticates user in on-premises AD first and presents MFA after that if enabled
      • In combination with password sync you are not dependent on AADC uptime
      • Read more here and here
    • ADFS 3.0
      • Used for hybrid Skype for Business and Exchange environments
        • Skype for Business server Hybrid supports Modern Authentication, but will do NTLM authentication to on-premises AD and give MFA pop-up when authenticating to Exchange Online, read more here 
        • I recommend Pointsharp MFA for on-premises and hybrid Skype for Business deployments
        • Exchange Server hybrid requires MFA Server, read more here
        • For best Azure MFA result an Online only deployment is recommended
      • ADFS is best for larger organizations
      • More complex and requires proxy servers in DMZ with public IP and Certificate
      • Requires loadbalancer for high-availability
      • Is required when doing MFA with Smart Card, 3rd party tokens and certificate based authentication
      • Read more here
  • You can now use Microsoft Intune to control MFA options and turn of MFA for certain subnets and conditions, read more here
  • Read about conditional access, MFA with Intune Hybrid and SCCM
  • Use Azure AD Premium with automated password roll-over for business social media profiles protected by a MFA enabled identity with centrally controlled delegation, read more here

mfastalehansen

Using Lync Mobile with Office 365 and Lync Online

Now that the Lync Mobile Client is released it is important to enable your Office 365 Lync Online domain to support these clients. This blog post will specify what you need to do

Lync Mobile features

Lync mobile client is released for Windows Phone 7, iPhone, iPad, Android and later on Nokia (Symbian). The feature set is about the same accross the platforms. There is no ability to view meeting content, video or do voice over IP. The main features is therefore

  • IM and presence
  • One Click join meetings (Requires audio conferencing provider)
  • View contacts

For a detailed feature list see the TechNet article: http://technet.microsoft.com/en-us/library/hh691004.aspx

Enable your domain for Lync Mobile automatic discovery

When using Lync Mobile over WiFi make sure you check the following

  • Open outbound port in firewall to TCP 5223 for Apple push notification
  • If you firewall proxy settings blocks SRV queries add
  • CNAME with your domain called lyncdiscover.yourdomain.com and point it to webdir.online.lync.com to your internal DNS

Thats is. Should be a simple process. In order for this to work you need to have published the Lync Online service as depicted in this kb article: http://support.microsoft.com/kb/2566790

References

Set up Lync mobile devices: http://community.office365.com/en-us/w/lync/1040.aspx
Deploying Lync Mobile Clients: http://technet.microsoft.com/en-us/library/hh691005.aspx
Ensuring Your Network Works With Lync Online: http://community.office365.com/en-us/w/lync/ensuring-your-network-works-with-lync-online.aspx

Slides and interview from TechDays Norway 2011 is now available online

September 7 2011 I had the honour to attend and speak at TechDays Norway 2011. My sessions where about Office 365 and more specific Exchange Online and Lync Online. The slides and interview is in Norwegian. Continue reading

Change the default Calendar AccessRight on all mailboxes to Reviewer

Back in july 2010 I created a script to set the default AccessRight to Reviewer for Exchange 2010. This was a new feature for Exchange 2010 that we could use the command Set-MailboxFoldersPermission to change AccessRights on specific folders on the server level. As the calendar is a folder we now could do this organization wide using PowerShell.

The reason for creating this script is when migrating customers in Norway most of them want to allow everyone to use side by side calendaring in Outlook and Oulook Web App. In Exchange 2003/2007 we needed to instruct users how to set Default to Reviewer. This script sets it for all users. The script works for both Exchange Online and Exchange Server 2010. For Exchange 2007 check out this post on how to do it: http://exchangeshare.wordpress.com/2008/05/27/faq-give-calendar-read-permission-on-all-mailboxes-pfdavadmin/

Get the script here: https://msunified.net/exchange-downloads/script-set-calendarpermissions-ps1/

What the script does

As the picture shows you get three menu items.

  1. Will set the permission on all users and resources
  2. Will set the permission on all users and reources created the last 30 days
  3. Will give a user you specify Editor access to a mailbox you specify
    • This is good for switchboard or secretary functions

How to run the script against an Exchange Online environment

  • Connect to Exchange Online through PowerShell Remoting
$cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
  • Set Execution Policy to unrestricted
Set-ExecutionPolicy Unrestricted
  • Run the script by copying the script, saving it as a ps1 file, navigate to it in PowerShell and start typing set-Cal and hit TAB to use TAB completion
.\Set-CalendarPremissions.ps1

Resources

Administering Microsoft Office 365 using Windows PowerShell: http://blog.powershell.no/2011/05/09/administering-microsoft-office-365-using-windows-powershell/

Office 365 Features and how to configure them

There is a lot of great resources about how to deploy and configure Office 365. I will in this article try to collect those blog posts and articles I find helpful. Please notify me if I am missing out on any good resources.

Last Updated 06.09.2011

Hybrid Solutions

Administration

Exchange Online