Category: Office 365

How to create custom Address Lists in Exchange Online

Introduction

A lot of people use the Address Book in Outlook or their web mail to find people, but filtering on company or department can be difficult.
Therefore we will go through how to create custom Address Lists; in this case only users with a mailbox that have something typed into the Office attribute will appear in these lists.
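As an added example of the filter described above (these are not the post's own commands), the following Exchange Online PowerShell creates one address list of all user mailboxes whose Office attribute is populated, plus one list per distinct Office value. It assumes a Connect-ExchangeOnline session whose admin has been assigned the "Address Lists" role; the list names and prefix are my choice.

```powershell
# Added example, not the post's commands. Assumes an Exchange Online PowerShell session
# (Connect-ExchangeOnline) and that the admin holds the "Address Lists" role, which is not
# part of the default role groups in Exchange Online.

function New-OfficeAddressLists {
    param(
        # Prefix for the per-office lists (my naming choice)
        [string]$Prefix = 'All Users - '
    )
    # The recipient filter is OPATH: user mailboxes only, and Office must be set.
    $anyOfficeFilter = "((RecipientTypeDetails -eq 'UserMailbox') -and (Office -ne `$null))"

    if (-not (Get-AddressList -Identity 'All Users with an Office' -ErrorAction SilentlyContinue)) {
        New-AddressList -Name 'All Users with an Office' -RecipientFilter $anyOfficeFilter | Out-Null
    }

    # One list per distinct Office value currently in use
    $offices = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.Office) } |
        Select-Object -ExpandProperty Office -Unique

    foreach ($office in $offices) {
        $name = "$Prefix$office"
        # Escape single quotes so an Office value such as "O'Hare" cannot break the filter
        $escaped = $office.Replace("'", "''")
        if (-not (Get-AddressList -Identity $name -ErrorAction SilentlyContinue)) {
            New-AddressList -Name $name `
                -RecipientFilter "((RecipientTypeDetails -eq 'UserMailbox') -and (Office -eq '$escaped'))" | Out-Null
        }
    }
    return $offices
}

# Preview who the filter matches before users go looking in the Outlook address book
function Test-AddressListMembers {
    param([Parameter(Mandatory)][string]$ListName)
    $list = Get-AddressList -Identity $ListName
    Get-Recipient -RecipientPreviewFilter $list.RecipientFilter -ResultSize Unlimited |
        Select-Object DisplayName, Office
}

New-OfficeAddressLists
Test-AddressListMembers -ListName 'All Users with an Office'
```

Two things worth checking after running this: Exchange Online has no Update-AddressList, so mailboxes that already existed before the list was created only show up once one of their attributes changes and membership is re-evaluated, and the preview filter output is the quickest way to confirm the OPATH filter matches who you expect.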



Microsoft Teams devices

So maybe you’ve read my article on Microsoft Teams Rooms? These solutions are just a part of Teams devices which offer smarter ways to connect and work together in the ever-changing workplace.

First of all, Teams devices are certified to work with Teams (and Skype for Business, for that matter). The certification also requires best-in-class performance and crisp sound and picture, so that is what they deliver.

Room Systems – check this article out.

Room phones – These are for smaller rooms which don’t need a complete Room System. These devices actually run Android and have the Teams client installed, so essentially the device itself is signed in as the room account. This way you can quickly book the room and join the meeting from the room phone. You don’t have to sign in with your personal credentials; it can also be a shared room device that is always signed in. Here’s a sneak peek at how it looks:

Personal devices – these devices are your personal ones. For example, the Jabra 710 has a Teams button/LED which flashes if you have a missed call, and when you press it, it takes you to the missed calls list in the Teams client.

Desk phones are still used by many. For example, the left one below is the Plantronics Elara 60, which is a mobile dock. Just put your mobile phone in the dock for wireless charging and it will pair itself with the dock. You get hard buttons for calling and also a Teams button which will flash if you have missed calls in Teams, bring you to the missed calls list on your mobile phone and remind you when you have meetings.

The right one is a Yealink phone with a large touchscreen, running Android and the Teams app. This means you can easily make and receive Teams calls directly on the phone. You can have it as a companion to your computer, with your daily meeting schedule open on the device at all times. For the IT pro, this also means you will be able to manage these phones from the Teams admin center, since the device itself is enrolled into Azure AD as Azure AD registered.

And of course, the headsets, which come in various models and sizes. At Xenit, we use Jabra, which has a large portfolio of different models.

But seriously, what’s wrong with any high-quality Bluetooth headset out there, won’t it work? Well, to be honest – it might. My personal experience is that you can definitely pair your headset to your phone and Windows 10 client. You might miss out on some special functionality like busy light and call control, and you might also not get the crisp sound quality you otherwise get because, to be honest, the built-in Bluetooth in some laptops is simply not manufactured with sound quality in mind. When I tried to use a high-quality Jabra Bluetooth headset with the built-in Bluetooth in my laptop, it did not work well. It worked 9 out of 10 times, but I experienced some unplanned disconnections during some meetings which I didn’t with the Jabra dongle. That’s sad, since the USB dongle really annoys me.

So before you go shopping, make sure you check out the list of certified devices at http://office.com/teamsdevices.



Microsoft Teams Rooms for modern meetings

How easy is it at your company to start a Teams or Skype meeting online in your conference room without technical difficulties? Maybe you have a very large (and expensive) video conference system in your board room, but you wish you could also equip the smaller huddle rooms with such systems? Then you should look into Microsoft Teams Rooms, which is the new name for Skype Room Systems.

You can’t argue with the trend of moving to a more modern and mobile workplace. In a few years, more and more employees will probably not be stationed at a certain office or desk. This requires better tools and services, and a big part of this is digital meetings. During the last 3 years we have seen massive growth, installing more video conference rooms than in the last 30 years, and we have seen a switch from proprietary (and expensive) solutions to standardized and more affordable systems, so even the smallest huddle room can get one…

In its simplest form, you book the room in Outlook as you have done for years and you choose whether it should be a Teams or a Skype meeting:

When you enter the conference room, the control unit on the table lights up and shows you the upcoming meetings:

All you have to do is click Join on your meeting and within a few seconds the meeting is started and all participants are joined, no matter if it’s via the Teams/Skype client, the web client, the app on their phone or by dialing in to the number in the invitation. You see the participants on the control unit and on the big screen in front of the room, and of course their video if they share it. From the control unit you can mute/unmute and instantly add participants to the meeting from the directory or call them.

Want to share your screen? Simple, just plug the HDMI cable into your laptop and it will output to the big screen but also share it in the meeting with remote participants. Of course, remote participants can also share their screen in the meeting.

It’s the simplicity – one-click-join and the meeting is started. You no longer need to be a technician to get a meeting started, choosing the correct input on the big screen or choosing the right speaker and mic.

Microsoft Teams Rooms come from different partners (Logitech, HP, Lenovo, Crestron, Polycom, Yealink) which have certified systems in different sizes – from the smallest 4-person huddle room to the largest boardroom. A few examples:

Xenit has used Skype Room Systems for a long time and is extremely happy with how it works.

So what about the tech and for IT?

Compared to other proprietary systems, Microsoft Teams Rooms run on Windows 10 with a Windows app. This means you can use your current tools for deploying and managing it as you would for any other Windows client, except that you need to make sure not all policies apply to the system. On-premises AD join, Azure AD join and Workgroup are all supported. The app itself, which only installs on certified devices so you can’t do this DIY, is automatically updated through the Windows Store. So for us at Xenit, there has been almost no support needed for this system since it was first set up – except for some occasional hardware issues where someone was “smart” enough to disconnect the HDMI cabling to connect it directly to their laptop.

Of course, Microsoft has done some work to cloud enable these devices if you want.

For example, you can use Azure OMS (Operations Management Suite) to monitor these devices, since they log a lot of information to the event log. Among other things, you can get information regarding:

  • Active / Inactive Devices
  • Devices which experienced hardware / applications issues (disconnected cables anyone?)
  • Application versions installed
  • Devices where the application had to be restarted

All of this can be alerted on, so you can hopefully solve problems before someone calls them in.

In a few months, Microsoft Teams Rooms will light up in the Teams Admin Center for additional functionality. For example, if you enroll many of these devices, the admin center will let you enroll them more quickly with a profile containing the settings you want. It will also make inventory management, updates, monitoring and reporting easier.

Here’s a short demo:

Let us know if you want to discuss or even get a personal demo at our office.



Querying Microsoft Graph with PowerShell, the easy way

Microsoft Graph is a very powerful tool for querying organization data, and it’s also really easy to do using Graph Explorer, but that isn’t built for automation.
While the concept I’m presenting in this blog post isn’t something entirely new, I believe my take on it is more elegant and efficient than what I’ve seen other people use.

So, what am I bringing to the table?

  • Zero dependencies on Azure modules, .NET Core and Linux compatibility!
  • Recursive/paging processing of Graph data (without the need for FollowRelLink, currently only available in PowerShell 6.0)
  • Authenticates using an Azure AD Application/service principal
  • REST compatible (GET/PUT/POST/PATCH/DELETE)
  • Supports JSON batch jobs
  • Supports automatic token refresh, used for extremely long paging jobs
  • Accepts Application ID and Secret as a PSCredential object, which allows the use of credential stores in Azure Automation or Get-Credential instead of writing credentials in plaintext

Sounds great, but what do I need to do in order to query the Graph API?

First things first, create an Azure AD application, register a service principal and delegate Microsoft Graph/Graph API permissions.
Plenty of people have done this, so I won’t provide an in-depth guide. Instead we’re going to walk through how to use the functions line by line.

Once we have an Azure AD Application, we need to build a credential object using the service principal app ID and secret.

Then we acquire a token; here we require a tenant ID in order to let Azure know the context of the authorization token request.

Once a token is acquired, we are ready to call the Graph API. So let’s list all users in the organization.

In the response, we see a value property which contains the first 100 users in the organization.
At this point some of you might ask, why only 100? Well, that’s the default page size on Graph queries, but it can be expanded by adding a $top parameter to the URI, which allows you to query up to 999 users at a time.

The cool thing with my function is that it detects if your query doesn’t return all the data (has a follow link) and gives a warning in the console.

So, we just add $top=999 and use the Recursive parameter to get them all!

What if I want to get $top=1 (wat?) users, but recursive? Surely my token will expire after 15 minutes of querying?

Well, yes. That’s why we can pass a token refresh and credentials right into the function and never worry about tokens expiring!

What if I want to delete a user?

That works as well. Simply change the method (default = GET) to DELETE and go!

Deleting users is fun and all, but how do we create a user?

Define the user details in the body and use the POST method.

What about json-batching, and why is that important?

JSON batching is basically up to 20 unique queries in a single call. Many organizations have thousands, if not hundreds of thousands, of users, and that adds up since many of the queries need to be run against individual users. And that takes time. Jobs executed with JSON batching that used to take 1 hour now take about 3 minutes to run. 8-hour jobs now take about 24 minutes. If you’re not already sold on JSON batching then I have no idea why you’re still reading this post.

This can be used statically by creating a body with embedded queries, or, as in the example below, dynamically. We have all users flat in a $users variable. Then we determine how many times we need to run the loop and build a $body JSON object with 20 requests in a single query, run the query using the $batch operation and POST method, put the results into a $responses array and tada! We’ve made the querying of Graph 20x more efficient.
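The walkthrough above (credential object, token, paged GET with $top, recursion, token refresh, other HTTP methods and $batch) as one added example. This is my own code, not the post’s functions: it uses the OAuth 2.0 client credentials flow against the v2.0 token endpoint, follows @odata.nextLink when -Recursive is set, refreshes the token shortly before it expires, and chunks relative URLs into $batch requests of 20. Tenant ID, app ID and secret are placeholders supplied by the caller.

```powershell
# Added example (not the blog's own functions): client-credentials auth to Microsoft Graph,
# paged GET with @odata.nextLink following, token refresh, and a $batch builder.
# Assumes an Azure AD app registration with application permissions (e.g. User.Read.All)
# and admin consent already granted. Tenant ID, app ID and secret are placeholders.

function Get-GraphToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        # UserName = application (client) ID, Password = client secret
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $Credential.UserName
        client_secret = $Credential.GetNetworkCredential().Password
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    # Return the token with its expiry and the inputs needed to refresh it later
    [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresAt   = (Get-Date).AddSeconds($resp.expires_in)
        TenantId    = $TenantId
        Credential  = $Credential
    }
}

function Invoke-GraphRequest {
    param(
        [Parameter(Mandatory)][pscustomobject]$Token,
        [Parameter(Mandatory)][string]$Uri,     # relative to v1.0, e.g. 'users?$top=999'
        [ValidateSet('GET','POST','PUT','PATCH','DELETE')][string]$Method = 'GET',
        [object]$Body,
        [switch]$Recursive
    )
    $results = @()
    $next = "https://graph.microsoft.com/v1.0/$Uri"
    while ($next) {
        # Refresh the token when it is within 5 minutes of expiry (long paging jobs)
        if ((Get-Date) -gt $Token.ExpiresAt.AddMinutes(-5)) {
            $fresh = Get-GraphToken -TenantId $Token.TenantId -Credential $Token.Credential
            $Token.AccessToken = $fresh.AccessToken
            $Token.ExpiresAt   = $fresh.ExpiresAt
        }
        $params = @{
            Method      = $Method
            Uri         = $next
            Headers     = @{ Authorization = "Bearer $($Token.AccessToken)" }
            ContentType = 'application/json'
        }
        if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 10) }
        $resp = Invoke-RestMethod @params
        if ($null -ne $resp.value) { $results += $resp.value } else { $results += $resp }
        $next = $resp.'@odata.nextLink'
        if ($next -and -not $Recursive) {
            Write-Warning 'Query returned a follow link; use -Recursive to fetch all pages.'
            break
        }
    }
    return $results
}

function Invoke-GraphBatch {
    param(
        [Parameter(Mandatory)][pscustomobject]$Token,
        [Parameter(Mandatory)][string[]]$RelativeUrls   # e.g. 'users/<id>/memberOf'
    )
    $responses = @()
    # Graph accepts at most 20 requests per $batch call
    for ($i = 0; $i -lt $RelativeUrls.Count; $i += 20) {
        $chunk = @($RelativeUrls[$i..([Math]::Min($i + 19, $RelativeUrls.Count - 1))])
        $requests = for ($j = 0; $j -lt $chunk.Count; $j++) {
            @{ id = "$($i + $j)"; method = 'GET'; url = "/$($chunk[$j])" }
        }
        $body = @{ requests = @($requests) }
        $responses += (Invoke-GraphRequest -Token $Token -Uri '$batch' -Method POST -Body $body).responses
    }
    return $responses
}

# Usage (placeholders): user name = application ID, password = client secret
# $cred   = Get-Credential
# $token  = Get-GraphToken -TenantId '<tenant-id-placeholder>' -Credential $cred
# $users  = Invoke-GraphRequest -Token $token -Uri 'users?$top=999' -Recursive
# $groups = Invoke-GraphBatch -Token $token -RelativeUrls ($users | ForEach-Object { "users/$($_.id)/memberOf" })
```

The credential object keeps the secret out of the script text, and the token object carries what it needs to re-authenticate, so a long recursive run never has to stop for an expired token. Keep application permissions to the minimum the job needs; a service principal with User.Read.All cannot delete anything even if someone later changes the -Method on a call.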

Sounds cool, what more can I do?

Almost anything related to the Office 365 suite. Check out the technical resources and documentation for more information. Microsoft is constantly updating and expanding the API functionality. Scroll down for the functions; they should work on PowerShell 4 and up!

Technical resources:

Creating an Azure AD application
https://www.google.com/search?q=create+azure+ad+application

Graph API
https://docs.microsoft.com/en-gb/graph/use-the-api

About batch requests
https://docs.microsoft.com/en-gb/graph/json-batching

Known issues with Graph API
https://docs.microsoft.com/en-gb/graph/known-issues

Thanks to:
https://blogs.technet.microsoft.com/cloudlojik/2018/06/29/connecting-to-microsoft-graph-with-a-native-app-using-powershell/
https://medium.com/@mauridb/calling-azure-rest-api-via-curl-eb10a06127

Functions



Enable Exchange Mailbox Auditing for all users

Enabling Mailbox Auditing as an Exchange Administrator has for a long time been something you have needed to do manually.

Yesterday, Microsoft announced that they will be enabling mailbox auditing by default for all user mailboxes in Office 365 and Exchange Online. This is a welcome change, so you no longer need to manually enable mailbox auditing on new users or use a script that enables it for all users in Office 365 and Exchange Online.

For on-premises Exchange environments, there is no such feature (hopefully it will come with a future Cumulative Update), so you still need to change it manually. Either you add this as a step in the process of creating a new mailbox, or you can use a PowerShell script as a Scheduled Task on your Exchange Server that will automatically enable auditing.

Here’s an example of what such a script can look like, and you can find it as a download here.
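The downloadable script is not reproduced on this page, so the following is an added example of my own (not the post’s script) for the on-premises case described above: it finds user mailboxes without auditing, turns it on with a retention period and a set of owner actions, and writes a log line per mailbox so a Scheduled Task run can be reviewed afterwards. It assumes Exchange 2013 or later (for the snap-in name); the retention length, audited actions and log path are my choices.

```powershell
# Added example, not the post's downloadable script. Intended to run as a Scheduled Task
# on an on-premises Exchange 2013+ server. Retention, audited owner actions and the log
# path below are assumptions; adjust them to your own policy.

# Load the Exchange cmdlets when the task runs outside the Exchange Management Shell
if (-not (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
}

function Enable-MissingMailboxAuditing {
    param(
        [int]$AuditLogAgeDays = 180,   # how long audit entries are kept in the mailbox
        [string]$LogPath = "$env:ProgramData\MailboxAudit\enable-$(Get-Date -Format yyyyMMdd).log"
    )
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

    # Only user mailboxes that do not have auditing enabled yet
    $targets = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { -not $_.AuditEnabled })

    foreach ($mbx in $targets) {
        try {
            Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
                -AuditLogAgeLimit "$AuditLogAgeDays.00:00:00" `
                -AuditOwner @('MailboxLogin','HardDelete','SoftDelete','Update','MoveToDeletedItems') `
                -ErrorAction Stop
            "$(Get-Date -Format s) ENABLED $($mbx.PrimarySmtpAddress)" | Add-Content -Path $LogPath
        } catch {
            "$(Get-Date -Format s) FAILED  $($mbx.PrimarySmtpAddress): $($_.Exception.Message)" | Add-Content -Path $LogPath
        }
    }
    # Number of mailboxes that needed a change on this run
    return $targets.Count
}

$changed = Enable-MissingMailboxAuditing
"$(Get-Date -Format s) RUN COMPLETE, $changed mailbox(es) updated" | Add-Content -Path "$env:ProgramData\MailboxAudit\summary.log"
```

Because the script only touches mailboxes where AuditEnabled is false, it is safe to schedule daily; a steady non-zero count in the summary log tells you new mailboxes are being created without auditing, which is exactly the gap the task is meant to close.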



Device cleanup rules for Microsoft Intune

As an IT administrator you want to keep your IT environment clean and tidy, and the same goes for Microsoft Intune.

By default, all devices that have been inactive or stale and haven’t checked in for over 270 days are automatically removed from the console.

In the latest update for Microsoft Intune, dated July 2, Microsoft included a new feature, Device cleanup rules:

New rules are available that let you automatically remove devices that haven’t checked in for a number of days that you set.


You will find it in the Intune pane: select Devices, then select Device Cleanup Rules:

By default, this is not enabled, so you need to change it to Yes and specify the number of days, between 90 and 270, that suits your company’s policy and requirements.

If nothing is changed, or you leave it set to No, it will use the default of 270 days:



App Protection Policies for managed and unmanaged devices in Intune

In the latest update of Microsoft Intune, you now have the option to target App protection policies for mobile apps depending on whether the device is Intune managed or unmanaged.

The two options currently available, if you choose not to target all app types, are:

  • Apps on unmanaged devices
    Unmanaged devices are devices where Intune MDM management has not been detected.
  • Apps on Intune managed devices
    Managed devices are managed by Intune MDM and have the IntuneMAMUPN app configuration settings deployed to the app.

With this new update, you are now able to create required settings for devices that are fully managed by Intune and a separate policy for devices not managed by Intune.
For example, you could allow saving files locally on devices managed by Intune, and only allow saving to OneDrive or SharePoint (which are protected by App protection policies) on devices not managed by Intune.

If you are interested in learning more about App Protection Policies, you can read more on docs.microsoft.com or drop a comment below!



Block external access for Service Accounts using Conditional Access in Azure AD

Conditional Access in Azure Active Directory is normally used for users and administrators to secure and control company data in Office 365 and Azure, but what about Service Accounts? Aren’t they a potential security risk?

Using service accounts for scripts and other tasks related to Office 365, Azure and Azure AD is normal practice among companies. Sometimes the accounts have full administrative permissions (Global Admin for Office 365, Owner of a subscription/resource group in Azure) and sometimes the accounts have delegated privileges, but they all have more permissions than a regular user.

In this post we will cover how you can use Conditional Access to block sign-ins from service accounts outside the company’s main datacenter, to make sure they are only used on servers located on networks that the company has control over.

  1. Open portal.azure.com and go to Azure Active Directory and Conditional Access under Security
  2. Go to Named locations and add the external IP address of the datacenter(s) that the service accounts should be allowed to sign in from.
  3. Create a new policy and name it “Block external access for service accounts”
  4. Select the service accounts or an Azure AD group; in our case we use a group that will contain all the service accounts
  5. In Cloud apps, select All cloud apps
  6. For Conditions, select Locations and Configure. Select Any location in the Include tab
  7. Also in Conditions and Locations, select the Exclude tab and select the datacenter location added in step 2.
  8. For Access, go to Grant and select Block access
  9. Select On for Enable policy, and verify all settings before creating it.
  10. The policy should now look like the following:
    Conditional Access policy - Block external access for service accounts
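The same policy expressed as code, as an added example that goes a step beyond the portal steps above (this is my own example, not part of the post): the named location from step 2 and the policy from steps 3 to 9 are built as the Microsoft Graph conditionalAccess objects and posted with Invoke-RestMethod. It assumes an access token in $token that holds Policy.ReadWrite.ConditionalAccess; the group ID and the CIDR range are placeholders, and the policy is created in report-only mode by default so sign-in logs can be reviewed before it is enforced.

```powershell
# Added example, not part of the blog post: the portal steps above as Graph API objects.
# Assumes $token already holds an access token with Policy.ReadWrite.ConditionalAccess.
# Group ID and IP range are placeholders (203.0.113.0/24 is a documentation range).

function New-DatacenterNamedLocationBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$CidrRanges   # step 2: external ranges of the datacenter(s)
    )
    @{
        '@odata.type' = '#microsoft.graph.ipNamedLocation'
        displayName   = $DisplayName
        isTrusted     = $true
        ipRanges      = @($CidrRanges | ForEach-Object {
            @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
        })
    }
}

function New-ServiceAccountBlockPolicyBody {
    param(
        [Parameter(Mandatory)][string]$ServiceAccountGroupId,   # step 4: group with the service accounts
        [Parameter(Mandatory)][string]$DatacenterLocationId,    # id of the named location created above
        [ValidateSet('enabled','disabled','enabledForReportingButNotEnforced')]
        [string]$State = 'enabledForReportingButNotEnforced'    # review sign-in logs first, then enable
    )
    @{
        displayName = 'Block external access for service accounts'              # step 3
        state       = $State                                                    # step 9
        conditions  = @{
            users        = @{ includeGroups = @($ServiceAccountGroupId) }
            applications = @{ includeApplications = @('All') }                  # step 5
            locations    = @{
                includeLocations = @('All')                                     # step 6
                excludeLocations = @($DatacenterLocationId)                     # step 7
            }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }      # step 8
    }
}

$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

$location = Invoke-RestMethod -Method Post -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations' `
    -Body (New-DatacenterNamedLocationBody -DisplayName 'Main datacenter' -CidrRanges '203.0.113.0/24' |
           ConvertTo-Json -Depth 5)

$policy = New-ServiceAccountBlockPolicyBody -ServiceAccountGroupId '<group-id-placeholder>' `
    -DatacenterLocationId $location.id

Invoke-RestMethod -Method Post -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 5)
```

Two checks before switching State to enabled: confirm the group contains only the service accounts (an emergency access account in that group would be locked out from everywhere except the datacenter), and confirm in the Azure AD sign-in logs that the report-only evaluation shows the expected "would block" results only for sign-ins from outside the excluded location.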

You can find out more about Conditional Access on docs.microsoft.com:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal 



Sending CSS formatted tables in Outlook

If you’ve ever used PowerShell to send HTML tables containing CSS in Outlook, you’ve probably been disappointed by the outcome.
There is some archived documentation for Outlook 2007 that is still valid for Outlook 365 (https://msdn.microsoft.com/en-us/library/aa338201(v=office.12).aspx).

Basically, the function accepts a CSV and a CSS file, hardcodes the CSS into the table and outputs a formatted HTML table that is compatible with Outlook.

Example table sent using the function and Send-MailMessage.
The CSS has odd/even row styling for readability, bold text in columns 1 and 4, and red text in column 3.
This is by default impossible to achieve using just CSS in Outlook.

Commandline

HTML output

CSS

Since the CSS does not work perfectly, the imported style.css file needs some specific configuration.

  • Classes have a specific name structure:
    • Columns are named .coln
      • n is the number of the column, starting with 1 and going up: .col1, .col2 and so on
    • One whitespace is required between the class name and the curly brackets.
      • The opening curly bracket must be on the same row as the class name
      • The closing curly bracket must be on a separate line
    • Data must be on separate rows
  • Odd/even CSS is the only tr code handled.
    • Must be named exactly
      • tbody tr:nth-child(odd) {
      • tbody tr:nth-child(even) {

Example style.CSS

Function
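The function from the post is not reproduced on this page; what follows is an added example of my own that implements the rules listed above: it parses the restricted CSS dialect (selector and opening bracket on one line, one declaration per line, closing bracket alone) into a lookup of selector to inline style, then renders CSV rows as a table with the odd/even row style on each tr and the .coln style on each td, because Outlook keeps inline style attributes where it drops most stylesheet rules. The sample CSS and CSV are constructed here; for real use, read them with Get-Content and Import-Csv.

```powershell
# Added example, not the blog's function. Inlines styles from the simple CSS dialect
# described above into every <tr> and <td>, which is what survives in Outlook.

function ConvertFrom-SimpleCss {
    param([Parameter(Mandatory)][string[]]$CssLines)
    # Rules: "selector {" on its own line (one space before the bracket),
    # one "property: value;" per line, closing "}" alone on a line.
    $rules = @{}
    $selector = $null
    foreach ($line in $CssLines) {
        $t = $line.Trim()
        if ($t -match '^(.+?)\s+\{$') { $selector = $matches[1]; $rules[$selector] = '' }
        elseif ($t -eq '}')           { $selector = $null }
        elseif ($selector -and $t)    { $rules[$selector] += $t.TrimEnd(';') + ';' }
    }
    return $rules
}

function ConvertTo-OutlookHtmlTable {
    param(
        [Parameter(Mandatory)][object[]]$Rows,     # e.g. output of Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)][hashtable]$Rules    # output of ConvertFrom-SimpleCss
    )
    $enc = { param($s) [System.Net.WebUtility]::HtmlEncode([string]$s) }   # never trust cell text
    $headers = $Rows[0].PSObject.Properties.Name
    $html = New-Object System.Text.StringBuilder
    [void]$html.Append('<table cellpadding="4" cellspacing="0" border="1"><thead><tr>')
    foreach ($h in $headers) { [void]$html.Append("<th>$(& $enc $h)</th>") }
    [void]$html.Append('</tr></thead><tbody>')
    for ($r = 0; $r -lt $Rows.Count; $r++) {
        # nth-child is 1-based, so the first data row is "odd"
        $parity   = if (($r + 1) % 2 -eq 1) { 'odd' } else { 'even' }
        $rowStyle = $Rules["tbody tr:nth-child($parity)"]
        [void]$html.Append("<tr style=`"$rowStyle`">")
        for ($c = 0; $c -lt $headers.Count; $c++) {
            $cellStyle = $Rules[".col$($c + 1)"]
            $value     = & $enc $Rows[$r].($headers[$c])
            [void]$html.Append("<td style=`"$cellStyle`">$value</td>")
        }
        [void]$html.Append('</tr>')
    }
    [void]$html.Append('</tbody></table>')
    return $html.ToString()
}

# Constructed sample input (not from the blog); real use: Get-Content style.css / Import-Csv data.csv
$css = @'
.col1 {
  font-weight: bold;
}
.col3 {
  color: red;
}
tbody tr:nth-child(odd) {
  background-color: #f2f2f2;
}
tbody tr:nth-child(even) {
  background-color: #ffffff;
}
'@ -split "`r?`n"

$csv = @'
Name,Department,Status,Office
Alice,Finance,Failed,Stockholm
Bob,IT,OK,Gothenburg
'@ | ConvertFrom-Csv

$table = ConvertTo-OutlookHtmlTable -Rows $csv -Rules (ConvertFrom-SimpleCss -CssLines $css)
# Send-MailMessage -BodyAsHtml -Body $table -Subject 'Report' ... (SMTP details omitted)
```

Cell values are HTML-encoded before they are placed in the table, so a value taken from a CSV export (a display name containing < or &, for instance) cannot inject markup into the message body.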




Azure AD Conditional Access – securing access to Azure and Office 365

Azure and Office 365 offer what Microsoft calls mobile-first, cloud-first, which means that users can be productive wherever they are, with whatever device they want and whenever they want. However, that runs counter to many security aspects of protecting the company’s resources.

By default in Office 365 a user can sign in from anywhere with a user name and password, but in many organizations that is not secure enough. Azure AD Conditional Access tries to remedy this by securing access to Azure and Office 365 through conditions and a policy for how access is allowed. One example is to require MFA (Multi Factor Authentication) under certain conditions, or to require that the device the user signs in from is AD joined, or even approved in the MDM solution, or all of these.
Som standard i Office 365 kan en användare logga in varsomhelst ifrån med namn och lösenord men i många organisationer är det inte säkert nog. Azure AD Conditional Access försöker råda bot på det genom att säkra upp accessen till Azure och Office 365 genom att sätta ett villkor och en policy på hur access tillåts. Ett exempel är att man vid vissa villkor ställa krav på MFA (Multi Factor Authentication) eller att den enhet användaren loggar in i från är AD joinad eller till och med godkänd i MDM-lösningen eller alla dessa.