Wednesday, May 9, 2018

Automate OneDrive for Business Hold with Azure Automation

I was recently working on a project for a customer who wanted to automate placing OneDrive for Business (ODFB) sites on hold, in the same way that placing all Exchange Online mailboxes on hold can be automated.

So I created a script and uploaded it to the TechNet Gallery.
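The shape of that automation, as an added example that is not the TechNet Gallery script from the post: an Azure Automation runbook that enumerates every OneDrive for Business site and adds the ones not yet covered to an existing eDiscovery case hold. It assumes the SharePoint Online and ExchangeOnlineManagement modules are imported into the Automation account, a credential asset named ComplianceAdmin holding an account with SharePoint admin and eDiscovery Manager rights, a tenant admin URL of contoso-admin.sharepoint.com and a case hold policy named ODFB-Hold; all of those names are placeholders.

```powershell
# Added example (not the TechNet Gallery script from the post): an Azure Automation
# runbook that keeps every OneDrive for Business site inside an existing eDiscovery
# case hold. Assumptions: the SharePoint Online and ExchangeOnlineManagement modules
# are imported into the Automation account, a credential asset 'ComplianceAdmin'
# holds an account with SharePoint admin and eDiscovery Manager rights, and the
# case hold policy 'ODFB-Hold' already exists.
param(
    [string]$AdminUrl       = 'https://contoso-admin.sharepoint.com',  # assumed tenant
    [string]$HoldPolicy     = 'ODFB-Hold',                             # assumed policy name
    [string]$CredentialName = 'ComplianceAdmin',                       # assumed asset name
    [int]$BatchSize         = 50
)
$cred = Get-AutomationPSCredential -Name $CredentialName

# 1. Enumerate OneDrive sites. -IncludePersonalSite is required or they are skipped;
#    the URL filter is the one Microsoft documents for Get-SPOSite.
Connect-SPOService -Url $AdminUrl -Credential $cred
$odfbSites = @(Get-SPOSite -IncludePersonalSite -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Select-Object -ExpandProperty Url)

# 2. Security & Compliance PowerShell: the case hold cmdlets live here, not in EXO.
Connect-IPPSSession -Credential $cred

# 3. Diff against what the policy already covers so the job is idempotent and can run
#    on a daily schedule. SharePointLocation entries expose the site URL as .Name (assumed).
$policy   = Get-CaseHoldPolicy -Identity $HoldPolicy -DistributionDetail
$existing = @($policy.SharePointLocation | ForEach-Object { $_.Name })
$missing  = @($odfbSites | Where-Object { $existing -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Output "All $($odfbSites.Count) OneDrive sites are already on hold."
} else {
    # Add in batches: one call carrying thousands of URLs is slow and hard to retry.
    for ($i = 0; $i -lt $missing.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize - 1, $missing.Count - 1)
        $batch = $missing[$i..$last]
        Set-CaseHoldPolicy -Identity $HoldPolicy -AddSharePointLocation $batch -ErrorAction Stop
        Write-Output ("Added {0} site(s) ({1}/{2})" -f $batch.Count, ($last + 1), $missing.Count)
    }
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-SPOService
```

For unattended use prefer an app-only (certificate) connection over a stored password, and remember that a single hold policy has a per-policy site limit; a large tenant either needs several policies or a retention policy that targets the OneDrive location as a whole (Set-RetentionCompliancePolicy -AddOneDriveLocation).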

Readiness Toolkit to assess application compatibility for Office 365 ProPlus


Microsoft recently released a new Readiness Toolkit to assess application compatibility for Office. The toolkit can be downloaded from Microsoft.

This blog post describes how I used this toolkit to gather analysis for approximately 1,500 machines.

  1. Install the toolkit on a Windows client.
  2. Create a network share, grant each client machine and user sufficient permissions, and copy all of the files from the local installation to the share.
  3. Create a new folder in the share called readiness.
  4. Add the scanner executable, ReadinessReportCreator.exe, as an exclusion in your endpoint protection product.
  5. Create a .bat file containing: '\\fileshare\ReadinessReportCreator.exe -mru -addinscan -output \\fileshare\readiness\ -silent'
  6. Add the .bat file to a Group Policy startup script.
  7. After a number of days of client machines logging on, there will be a sufficient number of .json files in the readiness folder.
  8. Launch the Readiness Toolkit and choose the option
    'Previous readiness results saved together in a local folder or network share'
  9. This will then produce the report.
This toolkit is very useful for providing a detailed report on add-ins and macros. The Office applications that most commonly use specific add-ins are Word and Excel. A use case where this type of report becomes critical is legal organisations that use case management or document management systems.
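Two helpers for the procedure above, as an added example that is not part of the original post. The first prepares the collection share so that clients can drop their .json results without being able to read each other's (the reports list every add-in and recently used document per machine, which is an inventory you do not want every workstation to browse). The second is the client-side wrapper that replaces the .bat file; it is written for a Group Policy logon script rather than a startup script, because a startup script runs as SYSTEM before anyone logs on and the -mru scan then finds no recently used documents for the user. Server, share and group names are assumptions.

```powershell
# Added example (not from the original post): two helpers for the procedure above.
# New-ReadinessDropFolder prepares the collection share so clients can write .json
# results without being able to read each other's; Invoke-ReadinessScan is the
# client-side wrapper that replaces the .bat file. Server, share and group names
# are assumptions for illustration.
function New-ReadinessDropFolder {
    param(
        [string]$Path       = 'D:\Shares\Readiness',
        [string]$ShareName  = 'Readiness',
        [string]$AdminGroup = 'CONTOSO\Office-Readiness-Admins'   # assumed group
    )
    $drop = Join-Path $Path 'readiness'
    New-Item -ItemType Directory -Path $drop -Force | Out-Null

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = { param($id, $rights, $flags)
        New-Object System.Security.AccessControl.FileSystemAccessRule($id, $rights, $flags, 'None', 'Allow') }

    # Root: admins get full control, clients may only read and run the tool files.
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting from the parent
    $acl.AddAccessRule((& $rule $AdminGroup 'FullControl' $inherit))
    $acl.AddAccessRule((& $rule 'Authenticated Users' 'ReadAndExecute' $inherit))
    Set-Acl -Path $Path -AclObject $acl

    # Drop folder: write-only for clients (create files, no list/read), so one machine
    # cannot browse the add-in and document inventory reported by the others.
    $dropAcl = Get-Acl $drop
    $dropAcl.SetAccessRuleProtection($true, $false)
    $dropAcl.AddAccessRule((& $rule $AdminGroup 'FullControl' $inherit))
    $dropAcl.AddAccessRule((& $rule 'Authenticated Users' 'CreateFiles, AppendData, ReadAttributes, Synchronize' 'None'))
    Set-Acl -Path $drop -AclObject $dropAcl

    # Share-level permissions are deliberately loose; the NTFS ACLs above are the effective limit.
    New-SmbShare -Name $ShareName -Path $Path -FullAccess $AdminGroup -ChangeAccess 'Authenticated Users' | Out-Null
}

function Invoke-ReadinessScan {
    # Deploy as a Group Policy *logon* script: a startup script runs as SYSTEM before
    # anyone logs on, so the -mru scan would find no recently used documents.
    param(
        [string]$ToolPath  = '\\fileserver\Readiness\ReadinessReportCreator.exe',   # assumed server
        [string]$OutputDir = '\\fileserver\Readiness\readiness\',
        [string]$LogFile   = "$env:LOCALAPPDATA\ReadinessScan.log"
    )
    # Same switches as the .bat in the post: MRU documents, add-in scan, JSON to the share, no UI.
    $p = Start-Process -FilePath $ToolPath -WindowStyle Hidden -Wait -PassThru `
        -ArgumentList '-mru', '-addinscan', '-output', $OutputDir, '-silent'
    "{0:u} {1} {2} exit={3}" -f (Get-Date), $env:COMPUTERNAME, $env:USERNAME, $p.ExitCode |
        Add-Content -Path $LogFile
    return $p.ExitCode
}
```

If the scanner reports access denied when writing to the drop folder, it is enumerating the folder before creating its file; add ListDirectory to the client rule rather than falling back to Modify. The endpoint-protection exclusion from step 4 should be scoped to that one executable path, not the whole share.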

Friday, March 30, 2018

Block native mail app on Apple iOS using Azure conditional access policies


I recently set up EMS for a customer who wanted all iOS native mail apps blocked, all client phones to use the Microsoft Outlook app, and devices enrolled before they can access corporate email.

Azure conditional access policies make this really simple, and the following screenshots show how to create the policy.

Browse to the Azure Active Directory admin center / Azure Active Directory / Conditional access

   Firstly, create the policy

    Next, assign the users the policy will be applied to

   Select the cloud app: Exchange Online

    Select the client app: Exchange ActiveSync


    Select the controls to enforce (require an approved client app and a compliant device, which is what forces Outlook and enrolment)

Finally, save and enable the policy


Now when a user attempts to set up and use the native Apple iOS Mail app, a message appears in the user's mailbox and the native app is unusable for sending and receiving messages. The user can then proceed with the device enrolment process.
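The same policy built with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It targets the Exchange ActiveSync client app type (the protocol native mail apps use; the Outlook app does not use EAS, which is why it is unaffected), starts in report-only mode so the sign-in logs can be reviewed before enforcement, and excludes a break-glass account so an administrator can never be locked out of Exchange Online. The group and user object IDs are placeholders.

```powershell
# Added example (not from the original post): the conditional access policy above
# created through Microsoft Graph PowerShell. Group and user object IDs are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known Office 365 Exchange Online app ID
$mobileMailGroupId   = '11111111-1111-1111-1111-111111111111'   # assumed: group of mobile mail users
$breakGlassUserId    = '22222222-2222-2222-2222-222222222222'   # assumed: emergency access account

$policy = @{
    displayName = 'Block native iOS Mail - require Outlook on a compliant device'
    # Report-only first: review Sign-in logs > Conditional Access for unexpected hits,
    # then switch to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($mobileMailGroupId)
            excludeUsers  = @($breakGlassUserId)   # never lock the break-glass account out of mail
        }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        clientAppTypes = @('exchangeActiveSync')   # native mail apps; Outlook mobile does not use EAS
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('approvedApplication', 'compliantDevice')   # Outlook + Intune-enrolled device
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once report-only shows only the expected blocks, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Because the policy is keyed on the client app type rather than a device platform, it blocks every EAS client, not just iOS Mail; scope the user assignment accordingly if some population still legitimately depends on ActiveSync.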
Wednesday, September 27, 2017

Clear down Exchange 2016 Transaction Logs


During enterprise migrations to Exchange 2016, transaction log files can grow very large, and the Exchange-aware backup becomes critical for clearing down log files so the log volumes do not run out of space.

Businesses often ask for bulk mailbox migrations to be performed outside business hours. The problem is that backups run at the same time as the bulk moves, and the moves prevent the backup program from truncating the log files.

Circular logging is not an option when the databases are part of a DAG.

These simple commands make Exchange believe a full backup has been performed; Exchange then takes care of truncating the logs itself without corrupting any database.

  1. Log on to the Exchange server that hosts the volume running low on space.
  2. Launch a command prompt with elevated privileges.
  3. Type diskshadow and press Enter.
  4. Add the volume to the shadow copy set; NTFS mount points are fine. The following command adds DBVolume1: add volume C:\-Exchange-Disks\DBVolume1
  5. Type begin backup and press Enter.
  6. Type create and press Enter.
  7. Type end backup and press Enter.
Exchange will then truncate the logs.
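The same sequence scripted, as an added example that is not part of the original post, with the check a practitioner wants before signalling a backup that never happened: Exchange only truncates logs that every database copy has replayed, so if a passive copy is Failed, Suspended or far behind, the fake backup frees nothing and the real problem is replication. The script also reports log volume before and after so the effect is measurable. Run it from the Exchange Management Shell on the server holding the volume; the volume path and thresholds are assumptions.

```powershell
# Added example (not from the original post): scripts the diskshadow steps above and
# checks DAG copy health first. Volume path and queue thresholds are assumptions.
function Test-DagCopiesHealthy {
    param([string]$Server = $env:COMPUTERNAME)
    # Exchange only truncates logs every copy has replayed, so a Failed/Suspended copy
    # or a large replay queue means the fake backup will not free any space.
    $copies = Get-MailboxDatabaseCopyStatus -Server $Server
    $bad = @($copies | Where-Object {
        $_.Status -notin @('Healthy', 'Mounted') -or $_.CopyQueueLength -gt 10 -or $_.ReplayQueueLength -gt 10
    })
    foreach ($c in $bad) {
        Write-Warning ("{0}: status={1} copyQ={2} replayQ={3}" -f $c.Name, $c.Status, $c.CopyQueueLength, $c.ReplayQueueLength)
    }
    return ($bad.Count -eq 0)
}

function Get-LogBytes {
    param([string]$VolumePath)
    (Get-ChildItem -Path $VolumePath -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        Measure-Object -Property Length -Sum).Sum
}

function Invoke-FakeFullBackup {
    param(
        [Parameter(Mandatory)][string]$VolumePath,   # e.g. 'C:\Exchange-Disks\DBVolume1'; a mount point is fine
        [string]$ScriptPath = "$env:TEMP\exchange-fakebackup.dsh"
    )
    if (-not (Test-DagCopiesHealthy)) {
        throw 'Database copies are not healthy; fix replication before signalling a backup.'
    }
    $before = Get-LogBytes -VolumePath $VolumePath

    # Same sequence as the interactive steps. The shadow copy is non-persistent, so
    # diskshadow deletes it on exit and no extra space is consumed afterwards.
    @(
        'set verbose on'
        "add volume $VolumePath"
        'begin backup'
        'create'
        'end backup'
        'exit'
    ) | Set-Content -Path $ScriptPath -Encoding ASCII

    diskshadow.exe /s $ScriptPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "diskshadow exited with $LASTEXITCODE; logs were not truncated." }

    # Truncation follows shortly after the Exchange writer receives the backup-complete event.
    Start-Sleep -Seconds 60
    [pscustomobject]@{
        VolumePath     = $VolumePath
        LogBytesBefore = $before
        LogBytesAfter  = Get-LogBytes -VolumePath $VolumePath
    }
}

# Invoke-FakeFullBackup -VolumePath 'C:\Exchange-Disks\DBVolume1'
```

Two caveats the steps do not mention: the Exchange VSS writer now records that a full backup completed, so the backup product's next incremental or differential is based on a backup that does not exist; take a genuine full backup as soon as the window allows. And the only protection for the discarded logs is DAG replication, which is why the health check comes first.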

Thursday, June 15, 2017

Skype for Business - Network password required to connect



Most enterprises use a corporate proxy to control Internet access for the organisation. Skype for Business connects to the Internet at start-up to display tips, and when the proxy demands credentials this causes the dreaded 'Network password required' error message shown above and a lot of help desk calls.

This is how to stop it from happening.

Whitelist the following URLs for unauthenticated access:


Then add the following registry keys via Group Policy or RES Workspace Manager, depending on the environment.

Open Regedit and go to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Create a new DWORD named "IsBasicTutorialSeenByUser" with value 1
Create a new DWORD named "TutorialFeatureEnabled" with value 0

###############################################################
 HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry
Name: DisableTelemetry
Type: DWORD
Value: 160000 (Decimal)
######################################################################
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\User Settings\ClientTelemetry]
"Count"=dword:00000001
###############################################################
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\User Settings\ClientTelemetry\Create\Software\Microsoft\Office\Common\ClientTelemetry]
"DisableTelemetry"=dword:29810
###############################################################
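A script that applies the same settings, as an added example that is not part of the original post. The HKCU keys only affect the user running the script, which is why the post also lists HKLM entries under Office's User Settings hive: at start-up Office copies everything under User Settings\<profile>\Create\ into the current user's HKCU whenever that profile's Count is higher than the value it last processed for that user, so bumping Count re-applies the settings to every user on the machine. Note that in .reg syntax dword values are hexadecimal (dword:29810 is 170000 decimal, which is not the same as the 160000 decimal in the Name/Type/Value block above); keep whichever value your environment has verified. The profile name LyncNoTutorial is an assumption.

```powershell
# Added example (not from the original post): applies the per-user keys above and,
# for machine-wide rollout, seeds the Office "User Settings" propagation keys so
# each user's HKCU is populated on the next Office start. The profile name
# 'LyncNoTutorial' is an assumption; any unique name works.
function Set-LyncStartupSuppression {
    param(
        [switch]$MachineWide,
        [int]$DisableTelemetryValue = 160000   # decimal, as listed in the post's first block
    )
    $lyncKey      = 'HKCU:\Software\Microsoft\Office\16.0\Lync'
    $telemetryKey = 'HKCU:\Software\Microsoft\Office\Common\ClientTelemetry'
    $perUser = @{
        "$lyncKey|IsBasicTutorialSeenByUser" = 1
        "$lyncKey|TutorialFeatureEnabled"    = 0
        "$telemetryKey|DisableTelemetry"     = $DisableTelemetryValue
    }
    foreach ($entry in $perUser.GetEnumerator()) {
        $path, $name = $entry.Key -split '\|'
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $entry.Value -Force | Out-Null
    }

    if ($MachineWide) {
        # Office copies ...\User Settings\<profile>\Create\* into HKCU at start-up
        # whenever Count is higher than the value it last processed for that user.
        $settingsProfile = 'HKLM:\Software\Microsoft\Office\16.0\User Settings\LyncNoTutorial'
        $createLync      = Join-Path $settingsProfile 'Create\Software\Microsoft\Office\16.0\Lync'
        $createTelemetry = Join-Path $settingsProfile 'Create\Software\Microsoft\Office\Common\ClientTelemetry'
        New-Item -Path $createLync -Force | Out-Null
        New-Item -Path $createTelemetry -Force | Out-Null
        New-ItemProperty -Path $createLync -Name 'IsBasicTutorialSeenByUser' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $createLync -Name 'TutorialFeatureEnabled'    -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $createTelemetry -Name 'DisableTelemetry' -PropertyType DWord -Value $DisableTelemetryValue -Force | Out-Null
        # Increment Count (not reset it) so users who already received an older version get the update.
        $current = (Get-ItemProperty -Path $settingsProfile -Name Count -ErrorAction SilentlyContinue).Count
        New-ItemProperty -Path $settingsProfile -Name 'Count' -PropertyType DWord -Value ([int]$current + 1) -Force | Out-Null
    }
}

function Test-LyncStartupSuppression {
    # Read back what the client will see; $true only if both Lync values are as intended.
    $v = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\16.0\Lync' -ErrorAction SilentlyContinue
    return ($v.IsBasicTutorialSeenByUser -eq 1 -and $v.TutorialFeatureEnabled -eq 0)
}
```

The HKLM branch needs an elevated session; the HKCU branch does not, which makes it suitable for a per-user logon script where Group Policy Preferences are not available.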

Thursday, March 30, 2017

How to lock down Office 365 Global Admin access with management scopes


I have not posted a blog entry in quite some time; I have been crazy busy working for my new employer Evros and busy with my kids. I hope this blog will prove useful to anyone out there who follows my blog, and I promise a lot of blog posts to follow focusing on data protection, Advanced Threat Analytics and Azure.

To help describe why an enterprise would want to lock down global admin access, I will describe a typical enterprise organisation and scenario.

Contoso.com is an enterprise organisation that consists of 15 companies.
Contoso.com is the root AD forest of the organisation, and all other companies have their own child domains.
Contoso.com is the head office of the organisation and is responsible for data protection and governance within the organisation.
AD Connect synchronises the root forest and the child domains.

Contoso would like to remove global admin privileges from the ICT admin staff of one of the organisation's companies, Fabrikam, and grant them custom Exchange Online administration privileges instead. The Fabrikam ICT admin staff must also be able to log Office 365 service requests.

The following steps are required to lock down the Fabrikam ICT staff's access to Office 365 as per the new security and data protection policies of Fabrikam's parent company, Contoso.

#####################Exchange Management Shell############################
####Create Management Scope
New-ManagementScope -Name "EO-FABRIKAM" -RecipientRestrictionFilter {CustomAttribute10 -eq "FABRIKAM"}
####All mail-enabled objects in the Fabrikam child domain have the value 'FABRIKAM' set in the Active Directory attribute extensionAttribute10 (exposed in Exchange as CustomAttribute10)
####Create a Role Group; the custom recipient write scope limits every role in the group to recipients matching the scope filter
New-RoleGroup -Name "EO-FABRIKAM" -Roles "User Options", "Address Lists", "Distribution Groups", "Team Mailboxes", "Mail Recipients", "Reset Password", "Mail Recipient Creation", "Message Tracking", "Move Mailboxes", "Migration", "Retention Management", "UM Mailboxes", "UM Prompts", "Unified Messaging" -Members "EO Fabrikam Admins" -CustomRecipientWriteScope "EO-FABRIKAM" -ManagedBy "Organization Management"

####Note: When assigning a security group as a member, the security group must be a mail-enabled security group.

####################Windows Azure Active Directory###########################

Function      Cmdlet
Import CSV    $Users = Import-Csv "CSV PATH"
Assign Role   $Users | ForEach-Object {Add-MsolRoleMember -RoleMemberEmailAddress $_.UserPrincipalName -RoleName "Service Support Administrator"}

####Note: It is not possible to assign service administrator roles to a security group.
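A verification step for the two sections above, as an added example that is not part of the original post: scoped role groups are only as good as their scope filter, so after creating them ask Exchange which effective users can write a given recipient, once for a Fabrikam mailbox and once for a mailbox in another company, and confirm the Fabrikam admins appear only in the first list. The third function does the bulk MSOL role assignment with per-user error reporting instead of a silent pipeline. Mailbox addresses and the CSV path are placeholders.

```powershell
# Added example (not from the original post): verifies the management scope from the
# Exchange section and wraps the MSOL role assignment with error reporting.
# Mailbox addresses and the CSV path are assumptions for illustration.
function Get-EffectiveRecipientWriters {
    param([Parameter(Mandatory)][string]$Recipient)
    # Every role assignment that permits writing this recipient, expanded from role
    # groups down to the individual users behind them.
    Get-ManagementRoleAssignment -WritableRecipient $Recipient -GetEffectiveUsers |
        Select-Object EffectiveUserName, Role, RoleAssigneeName, CustomRecipientWriteScope
}

function Test-ScopeIsolation {
    param(
        [string]$RoleGroup         = 'EO-FABRIKAM',
        [string]$InScopeMailbox    = 'user1@fabrikam.com',   # assumed: CustomAttribute10 = FABRIKAM
        [string]$OutOfScopeMailbox = 'ceo@contoso.com'       # assumed: any other company
    )
    # Role group members are matched on their Name, which is what EffectiveUserName reports (assumed).
    $members = @(Get-RoleGroupMember -Identity $RoleGroup | Select-Object -ExpandProperty Name)
    $in  = @(Get-EffectiveRecipientWriters -Recipient $InScopeMailbox    | Where-Object { $members -contains $_.EffectiveUserName })
    $out = @(Get-EffectiveRecipientWriters -Recipient $OutOfScopeMailbox | Where-Object { $members -contains $_.EffectiveUserName })
    [pscustomobject]@{
        RoleGroup          = $RoleGroup
        CanWriteInScope    = ($in.Count -gt 0)     # expected $true
        CanWriteOutOfScope = ($out.Count -gt 0)    # must be $false, or the scope filter is wrong
        RolesInScope       = ($in.Role | Sort-Object -Unique) -join ', '
    }
}

function Grant-ServiceSupportRole {
    # Bulk version of the Add-MsolRoleMember line above, with one result object per user.
    param([Parameter(Mandatory)][string]$CsvPath)   # CSV with a UserPrincipalName column
    foreach ($u in Import-Csv $CsvPath) {
        try {
            Add-MsolRoleMember -RoleName 'Service Support Administrator' `
                -RoleMemberEmailAddress $u.UserPrincipalName -ErrorAction Stop
            [pscustomobject]@{ User = $u.UserPrincipalName; Result = 'Added' }
        } catch {
            [pscustomobject]@{ User = $u.UserPrincipalName; Result = $_.Exception.Message }
        }
    }
}

# Test-ScopeIsolation
# Grant-ServiceSupportRole -CsvPath 'C:\Temp\fabrikam-admins.csv'
```

Repeat Test-ScopeIsolation whenever a role is added to the group: a role assigned later without -CustomRecipientWriteScope silently gets the organisation-wide default scope.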


############################Summary####################################

Fabrikam ICT admins can access the Exchange admin center via this URL: https://outlook.office365.com/ecp
Fabrikam ICT admins can log Office 365 service requests via this URL:

#############################Next Steps##################################
The next step is to create similar management scopes and role groups for SharePoint Online and Skype for Business (new blog post to follow).
Once Contoso has locked down access for all the companies within the organisation, the next step will be developing compliance and governance policies in the Office 365 Security and Compliance Center.




Tuesday, April 19, 2016

OneDrive for Business next gen client


Finally, OneDrive really is OneDrive: the next gen client uses the same engine for OneDrive personal and OneDrive for Business. I have always found the OneDrive personal client better than the OneDrive for Business client.

The next gen client uses the same engine and it just works, with no more sync issues. To ensure you are using the correct client, browse to https://onedrive.live.com/about/en-us/download/ , click the download link and update your client.

After your client is updated you should have version 17.3.6381.0405 as per the image below.

After the client has been updated, sync your personal OneDrive and select only the folders required. Then right-click the OneDrive icon in the system tray and select Settings. You can now add a business account as per the image below and select only the folders required for syncing.

If you have Office installed, the next thing is to disable the OneDrive for Business client start-up entry that is part of the Office suite, as per the image below.

So now, finally, OneDrive simply works, and a lot of the old limitations like the 20,000 item sync limit have been removed.