Upgrade the Surface Hub 2s from Windows 10 Team OS version RS2 (build 1703) to Windows 10 Team OS version 20H (build 2020) and Enable them for Microsoft Teams

Microsoft Teams Room devices are a great way to hold virtual meetings and provide a great meeting experience. They help a lot with sharing content and collaborating easily, and they increase work efficiency by making effective use of Microsoft Teams meetings. The Surface Hub 2s is a fully integrated Windows device capable of hosting remote meetings, with enhanced collaboration through the whiteboard and great video quality from its 4K camera.

As per this article, Surface Hubs that are running Windows 10 Team OS version RS2 (build 1703) might reach end of support by March 16th 2021. Here we will go through the steps to update Surface Hub 2s devices that are currently running Windows 10 Team OS version RS2 to Windows 10 Team OS 20H.

As per this article there are 3 options to achieve this: Windows Update, Windows Update for Business and Bare Metal Recovery.

The first 2 options were not successful for us, so we decided to move to the last option, Bare Metal Recovery. The devices were on Exchange Online with Skype accounts. Our next plan is to move them to Teams once the upgrade is completed.

To sum up, this was the scenario in our deployment:
1) Exchange Online Accounts to fetch the calendar and show the availability.
2) Skype accounts to host the meetings.
3) Local AD joined.

Once it is downloaded, all we need to do is unzip the downloaded package and copy the files to a USB drive formatted as FAT32 with the default allocation unit size. Plug the drive into a USB port of the Surface Hub, then press the Power button and the Volume Down key at the same time.

Performing the upgrade (Bare Metal Recovery)

To start the Bare Metal Recovery, navigate to the URL below, choose Windows 10 Team Update, enter the serial number of the Surface Hub, choose the Windows 10 Team version and download the image: https://support.microsoft.com/en-us/surfacerecoveryimage

After a few minutes we will see the language selection menu. Tap on the preferred language setting to make a choice.

On the next screen we get the keyboard selection menu. Tap on the preferred keyboard setting to make a choice.

Now we have to choose the Bare Metal Recovery method. Tap on ‘Recover from a drive’.

Choose the option ‘Fully clean the drive’.

And start the recovery by selecting the ‘Recovery’ button.

The Surface Hub will restart 3 times. The first restart will show the progress of the recovery process.

The second restart will show the progress of device driver setup.

The 3rd restart will show us the ‘Out-of-the-Box’ setup screen for a Surface-Hub.

Setup the Surface-Hub

Now that we have successfully upgraded the Surface Hub to Windows 10 Team OS 20H, we can proceed with the initial setup of the Surface Hub. In the language select menu, select the language of choice and press ‘Yes’.

Now we have to wait until Cortana has ended the introduction before we can continue with the Region Select menu.

Select the region of choice and select ‘Yes’.

Select the keyboard of choice.

And skip (for now) a second keyboard layout.

Now we have to wait for the EULA message

Accept the EULA to continue the setup.

Now we have to set up the device account. Since we are behind a proxy, we have to authenticate to the local AD. For this we use the following naming convention: <FQDN Domain Name\SamAccountName> Example: x.y.z\samaccountname

An important point to note here is that Surface Hubs required a Mobile Device Mailbox Policy in the past, for the old version.

The good news is that if the mailbox is hosted on Exchange Online, it works with EWS.

On the next screen we can accept the settings and continue.

When there are no issues during this part of the setup, we are notified of a successful setup.

Next we have to give the device a name. In the first field we enter user-friendly information. The second field is used for the device name, which will be used to join the Surface Hub to the local Active Directory.

Next we choose ADDS.

Here we have to use a username with Domain Admin access.

Before the device can be managed, we have to add the security group in which the users are placed for administering the Surface Hubs.

In the upcoming 8 steps you will see options to send diagnostic data, enable device location, improve typing, etc. It is totally up to us whether to select them. Personally I feel it is not that beneficial for any meeting room device to send this type of data. Customers from Europe especially have to decide on their own based on the GDPR regulations.

Meanwhile we have to wait for the setup to be finished.

Configuring the Surface Hub for first use

Before we can use the Surface Hub for Teams Meetings we have to configure the Surface Hub using the Settings Menu. To open the Surface Hub Settings menu we have to press the Windows button, select ‘All apps’, and in the list we have to scroll down and select the ‘Settings’ option.

Enter your credentials. This username has to be in the security group we set up earlier in this blog.

Choose the Surface Hub menu.

And notice that the sync-state of the account is showing ‘Account is up to date’.

In the sidebar menu select the option ‘Device Management’. Add the device account using the UPN and select ‘Continue’.

Again we have to use the SamAccountName information using the naming convention x.y.x\samaccountname

And when everything goes well, we have a successful setup.

In the sidebar menu we then choose Calling & Audio.

In this field we have to set the online domain suffix information

Before we can continue we have to restart the Surface Hub. In the bottom right corner we now touch the UP arrow. Choose Restart and Restart now to

When the Surface Hub is back again we have to update all applications using the MS Store. So we again enter Settings > Surface Hub > Apps & features and select ‘Open Store’.

In the top right corner select the hamburger menu (3 dots) and choose the option ‘Downloads and updates’.

Now in the second screen select the option ‘Get Updates’. When all the updates are installed restart the Surface Hub again.

Now we create a Teams meeting to see if the calendar update will show the upcoming meetings.

Finally, Teams meetings are successful on the Surface Hub running Windows 10 Teams OS version 20H.

We could see the gallery view, large gallery view and the Together mode.

We attempted the same approach a couple of months back. However, the upgrade was not successful. With the new version build available now, the Bare Metal Recovery process is successful.

Just feel free to share your thoughts on this topic.

Regards,

Ewald Hollestelle

Script to move bulk users to Teams Only mode from On Premise Skype for Business Servers

When we enable Teams for Skype for Business hybrid users, the final stage is to move the actual on-premises Skype for Business account to Office 365 to put it in Teams Only mode. As more organizations are adopting Microsoft Teams in a fast-track approach, the last stage of the migration is to move all the local accounts to Teams Only mode.

This script helps in moving the users in batches to Teams Only mode from an input CSV file. It also shows on screen the time taken to complete the batch once the migration is completed.

Example below:



Measure-Command {
[CmdletBinding()]
param( [string] $UsersList = $(Read-Host -Prompt "Input the CSV File with Location") )

# The input is a semicolon-delimited CSV with a SipAddress column.
# @() keeps .Count correct when the file holds a single user.
$Users = @(Import-Csv $UsersList -Delimiter ";")

# Connect to Teams and the Skype Online session and import them. Make sure you have the new Teams module installed.
Import-Module MicrosoftTeams
$mycred = Get-Credential
Connect-MicrosoftTeams -Credential $mycred
$sfbsession = New-CsOnlineSession
Import-PSSession $sfbsession

# Initialize parameters and variables.
$sip = $Users.SipAddress
$count = $Users.Count

Write-Host "We have found" $count "Users to Migrate" -ForegroundColor Yellow -BackgroundColor Black
$pauseSeconds = 10
$Sleep = 20

Write-Host "Pausing for " $pauseSeconds " seconds to verify your count..." -ForegroundColor Yellow
Start-Sleep -s $pauseSeconds

# Enable logging so failed migrations and any errors are recorded.
$transcriptname = "MoveCSUserStatus" + (Get-Date -Format s).Replace(":", "-") + ".txt"
Start-Transcript $transcriptname

# Take an export of the SFB enabled users before the move (Export-Csv writes real CSV rows).
$Users | ForEach-Object { Get-CsUser -Identity $_.SipAddress } |
    Where-Object { $_.Enabled -eq $True } |
    Select-Object SamAccountName, SipAddress, Enabled, EnterpriseVoiceEnabled |
    Export-Csv SFBUsersBeforeMove.csv -NoTypeInformation -Append

# Hosted migration URL of the tenant. This value differs per tenant, so replace it with your own.
$URL = "https://adminof.online.lync.com/HostedMigration/hostedmigrationService.svc"

# Initiate the Move-CsUser operation.
$NewSession = 0
$x = 0
foreach ($user in $Users) {
    $x++
    Move-CsUser -Identity $user.SipAddress -Target sipfed.online.lync.com -HostedMigrationOverrideUrl $URL -UseOAuth -MoveToTeams -BypassAudioConferencingCheck -BypassEnterpriseVoiceCheck -Verbose -Confirm:$False

    # Refresh the online sessions after every 250 moved users.
    $NewSession = $x / 250
    if ($NewSession -eq 1) {
        Get-PSSession | Remove-PSSession
        Disconnect-MicrosoftTeams
        Connect-MicrosoftTeams -Credential $mycred
        $sfbsession = New-CsOnlineSession
        Import-PSSession $sfbsession
        $NewSession = 0
        $x = 0
        Write-Host "Refreshing the Skype online Session" -ForegroundColor Green
    }
}

# Pause for 20 seconds.
Start-Sleep -s $Sleep

# Validate the move and record successfully moved and failed users.
$loop = foreach ($user in $Users) {
    Get-CsOnlineUser -Identity $user.SipAddress |
        Select-Object SipAddress, HostingProvider, TeamsUpgradeEffectiveMode, RegistrarPool
}
$loop | Export-Csv TeamsOnlyMigrationStatus.csv -NoTypeInformation -Append

# Validate the meeting migration status.
$loop = foreach ($user in $Users) {
    Get-CsMeetingMigrationStatus -Identity $user.SipAddress |
        Select-Object UserPrincipalName, State, MigrationType, LastMessage, FailedMeetings
}
$loop | Export-Csv MeetingMigrationStatus.csv -NoTypeInformation -Append

Stop-Transcript
Write-Host "Migration Script Completed Please Refer Transcript File for any Errors" -ForegroundColor Green

# Close the sessions.
Get-PSSession | Remove-PSSession

# Send an email report to notify that the migration has completed - mention your SMTP server.
#Send-MailMessage -From "username@domain.com" -To "admin@domain.com" -Subject "TeamsOnlyMigrationTaskCompleted: No File" -Body "Teams Only Migration Batch have been completed.Please refer log file Location for further information" -SmtpServer "Mention your SMTP Server"
}

Notes:

  1. Make sure that you whitelist the traffic to Office 365 services to establish a successful connection to the SFBO session.
  2. If there is a large number of users, it is recommended to split them into batches and execute them from 2 servers.
  3. Ensure that SSL traffic inspection and IP connection limits are excluded on the firewall/proxy from the network side.
  4. Moving users over shared bandwidth might be a bit slower; moving them from a temporary dedicated IP address might provide better performance.
  5. This script uses the -UseOAuth switch. Make sure the on-premises SFB servers are patched to the required version; otherwise use the legacy option by removing this switch. It is recommended to run this first with a list of a few users to verify it in your environment, and then run it for bulk users.
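
A pre-flight check for the input file, as an added example that is not part of the original script: it validates the semicolon-delimited CSV the script reads (the SipAddress column), rejects empty, malformed and duplicate entries before any account is touched, and splits the rest into batches. The function name Test-MigrationInput, the sample addresses and the demo batch size of 2 are assumptions; a batch size of 250 would line up with the session refresh in the script.

```powershell
# Constructed sample in the shape the migration script reads:
# semicolon-delimited with a SipAddress column. All addresses are made up.
$sampleCsv = @'
SipAddress;DisplayName
sip:user1@contoso.example;User One
user2@contoso.example;User Two
SIP:User1@contoso.example;User One again
;No address
sip:not an address;Broken entry
user3@contoso.example;User Three
'@

# Hypothetical helper: returns the accepted addresses, the rejected rows with a reason,
# and the accepted addresses grouped into batches of $BatchSize.
function Test-MigrationInput {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [ValidateRange(1, 2147483647)] [int] $BatchSize = 250
    )

    # A wrong delimiter yields one fused column, so check the header first.
    if ($Rows[0].PSObject.Properties.Name -notcontains 'SipAddress') {
        throw "No SipAddress column found. Check the delimiter (the script expects ';')."
    }

    $seen     = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $valid    = [System.Collections.Generic.List[string]]::new()
    $rejected = [System.Collections.Generic.List[object]]::new()
    $line     = 1   # the header is line 1 of the file

    foreach ($row in $Rows) {
        $line++
        $raw     = "$($row.SipAddress)".Trim()
        $address = $raw -replace '^sip:', ''   # compare with and without the sip: prefix alike
        $reason  = $null

        if (-not $raw) {
            $reason = 'empty SipAddress'
        } elseif ($address -notmatch '^[^@\s:;,]+@[^@\s:;,]+\.[^@\s:;,]+$') {
            $reason = 'not a user@domain address'
        } elseif (-not $seen.Add($address)) {
            $reason = 'duplicate of an earlier row'
        }

        if ($reason) {
            $rejected.Add([pscustomobject]@{ Line = $line; Value = $raw; Reason = $reason })
        } else {
            $valid.Add($address)
        }
    }

    # Group the accepted addresses so each batch can run in its own session or on its own server.
    $batches = @(
        for ($i = 0; $i -lt $valid.Count; $i += $BatchSize) {
            $size = [Math]::Min($BatchSize, $valid.Count - $i)
            [pscustomobject]@{
                Batch = [int]($i / $BatchSize) + 1
                Users = $valid.GetRange($i, $size).ToArray()
            }
        }
    )

    [pscustomobject]@{ Valid = $valid.ToArray(); Rejected = $rejected.ToArray(); Batches = $batches }
}

# Demo on the constructed sample, using a batch size of 2 to keep the output short.
$rows   = $sampleCsv | ConvertFrom-Csv -Delimiter ';'
$result = Test-MigrationInput -Rows $rows -BatchSize 2

Write-Host "Accepted: $($result.Valid.Count)  Rejected: $($result.Rejected.Count)"
$result.Rejected | Format-Table -AutoSize
$result.Batches  | ForEach-Object { "Batch $($_.Batch): $($_.Users -join ', ')" }
```

Reviewing the rejected rows before the run keeps typos and duplicates out of the Move-CsUser loop, where they would otherwise surface only in the transcript.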

Regards

Sathish Veerapandian

Part 2 – Configure AudioCodes SBC for Microsoft Teams Direct Routing

Continuing from the previous article, there are a few more steps to complete the configuration of Direct Routing with the Office 365 tenant, and in this article we will run through those steps.

Currently the SBC is up and running, configured with the certificates and the required SBC DNS records. The next step is to enable Direct Routing. There are two options to enable Direct Routing: via a Skype Online PowerShell session or via the Microsoft Teams admin center. In our example we will enable it via the Teams admin center.

Before doing this, make sure to meet the network prerequisites required for Direct Routing; I wrote an article about them almost a year ago.

Login to the admin portal with the appropriate credentials.

Enter the DNS name of the SBC that was configured; in our case it is sbc.nl.exchangequery.com

Next we must add all the required information here. One important point to note is that the SIP signaling port present by default is port 5067. The Direct Routing SIP trunk can be configured only by using a TLS connection. We can choose any SIP port of our choice, but if we try to configure port 5060 it will not work, since plain TCP connectivity is not supported for security reasons.

The SIP options setting defines whether an SBC will or won’t send SIP OPTIONS messages and be included in the monitoring. The rest of the information has to be enabled as per the requirement. Also look into location-based routing and media optimization based on the requirement. Once done, click on Save and the configuration is complete.

However, we could see that the SBC status showed an error message and the configuration appeared to be unsuccessful. Even after the configuration was completed and the named, intermediate and root certificates were loaded on the AudioCodes SBC, the TLS connectivity status still showed as inactive. In addition, the SIP options status showed a warning message as well.

Drilling further into the logs gives us more information about the reason why it is failing. We do have the correct certificates uploaded, but the connection is not completed.

The initial thought was an issue with the firewall; however, the firewall connectivity was already in place and we could ping the SBC on port 5061.

Looking into the AudioCodes documentation, we came to know that in addition to the normal named certificate for the DNS name it is mandatory to upload the Baltimore Trusted Root Certificate. This is required for establishing a mutual TLS connection with the Microsoft Teams network.

The Microsoft Teams DNS name pstnhub.microsoft.com uses a certificate provided by Baltimore, hence this import is required for establishing the mutual TLS connection.

We can download the certificate from https://cacert.omniroot.com/bc2025.pem and follow the same procedure described in Part 1 of this series to import it on the AudioCodes SBC, making sure it is present in the Trusted Root Certificates.

The first part that we need to complete before the certificate validation is to ensure that the NTP server is set up correctly. This is a mandatory requirement for the two remote parties validating each other's certificates when setting up the mutual TLS connection, because certificate validity periods are checked against the device clock.

You can go to setup – Administration – Time & Date and configure your NTP server.
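
Why both the trusted root and the clock matter for the mutual TLS handshake, shown as an added example (not AudioCodes or Microsoft code): it builds a constructed root CA and leaf certificate in memory and validates the leaf with no trusted root, with the root trusted, and with the clock set five years ahead. It assumes PowerShell 7.1 or later; the certificate names and the function names New-ConstructedChain and Test-PeerCertificate are hypothetical.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Build a constructed root CA and a leaf certificate signed by it, entirely in memory.
# They stand in for the public root and the certificate the remote side presents.
function New-ConstructedChain {
    $now = [DateTimeOffset]::UtcNow
    $sha = [HashAlgorithmName]::SHA256
    $pad = [RSASignaturePadding]::Pkcs1

    $rootReq = [CertificateRequest]::new('CN=Constructed Root CA', [RSA]::Create(2048), $sha, $pad)
    # Mark the root as a CA so it is allowed to sign other certificates.
    $caExt = [X509BasicConstraintsExtension]::new($true, $false, 0, $true)
    $rootReq.CertificateExtensions.Add($caExt)
    $root = $rootReq.CreateSelfSigned($now.AddDays(-2), $now.AddYears(2))

    $leafReq = [CertificateRequest]::new('CN=sip.constructed.example', [RSA]::Create(2048), $sha, $pad)
    $leaf = $leafReq.Create($root, $now.AddDays(-1), $now.AddYears(1), [byte[]](1, 2, 3, 4))

    [pscustomobject]@{ Root = $root; Leaf = $leaf }
}

# Validate a peer certificate the way a TLS endpoint does: only the roots passed in
# are trusted (like the SBC's Trusted Root Certificates list), and validity dates
# are compared with $ClockTime (like the device clock that NTP keeps correct).
function Test-PeerCertificate {
    param(
        [string] $Case,
        [X509Certificate2] $Certificate,
        [X509Certificate2[]] $TrustedRoots = @(),
        [datetime] $ClockTime = (Get-Date)
    )

    $chain = [X509Chain]::new()
    try {
        $policy = $chain.ChainPolicy
        $policy.TrustMode        = [X509ChainTrustMode]::CustomRootTrust   # ignore the OS trust store
        $policy.RevocationMode   = [X509RevocationMode]::NoCheck           # constructed certs have no CRL
        $policy.VerificationTime = $ClockTime
        foreach ($rootCert in $TrustedRoots) { [void] $policy.CustomTrustStore.Add($rootCert) }

        $accepted = $chain.Build($Certificate)
        $status   = ($chain.ChainStatus | ForEach-Object { $_.Status } | Sort-Object -Unique) -join ', '
        if (-not $status) { $status = 'NoError' }

        [pscustomobject]@{ Case = $Case; Accepted = $accepted; ChainStatus = $status }
    } finally {
        $chain.Dispose()
    }
}

$c = New-ConstructedChain
$results = @(
    Test-PeerCertificate -Case 'root not imported' -Certificate $c.Leaf
    Test-PeerCertificate -Case 'root imported, clock correct' -Certificate $c.Leaf -TrustedRoots $c.Root
    Test-PeerCertificate -Case 'root imported, clock 5 years ahead' -Certificate $c.Leaf -TrustedRoots $c.Root -ClockTime (Get-Date).AddYears(5)
)
$results | Format-Table -AutoSize
```

Only the second case is accepted, which mirrors the behaviour described above: the handshake needs the issuing root in the trusted list and a clock that falls inside the certificates' validity period.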

Further to the NTP server there are few more configurations that need to be performed on the AudioCodes SBC which we will see below.

Configure the Proxy Sets: Add Microsoft SIP PSTN FQDNs

We have 3 Microsoft FQDNs as of now. All of them need to be added here, with the transport type set to TLS.

Navigate to SetUp – Signaling & Media – Proxy Sets and add the 3 FQDNs here.

SIP Interfaces:

We need to configure SIP interfaces for Teams Direct Routing as well. Configure as below. Keep the Enable TCP Keepalive option. SetUp- Signaling & Media – Core Entities – SIP Interfaces

Media Realms:

We need to configure Media Realms for Teams Direct Routing. Configure the settings as below. Select the default media realm as No. SetUp – Signaling & Media – Core Entities – Media Realms

Configure IP Groups:

Configure IP Groups as below. Make sure the Topology Location is set to Up.

In the Advanced section make sure to enter the SBC's published external FQDN. Keep Classify By Proxy Set as Disable and keep the Client Forking Mode as Sequential.

Configure Coder Groups:
We need to add the supported coder groups for the SBC leg and the Direct Routing configuration.
Teams supports OPUS and SILK coders.

In order to configure the coder groups, navigate to SetUp – Signaling & Media – Coders & Profiles – Coder Groups and enter the below values for the Teams Direct Routing leg. Later you might need to configure one for the SIP trunk based on the coders it supports.

It is mandatory to enable the SIP options for the SBC to be monitored, and for that we need to enable some configuration on the session border controller. In order to do that, go to Setup – Signaling & Media – SBC – Routing – IP-to-IP Routing and configure all the required routing as per your requirement.

We need to make sure the other options are configured as per the AudioCodes documentation. Finally, after all the steps are done, we can see that the Teams Direct Routing configuration shows as successful in the Teams admin center.

In our example we have 1 SBC, 1 voice route and 0 SBCs with issues, which is a good sign. Since we didn’t initiate any real traffic, we see the message "no data".

We have a very good option to validate the pairing between the AudioCodes SBC and our tenant's Direct Routing. We can see that the connectivity is successfully established and that the status shows online without any issues.

Now that we have completed Direct Routing and established the connectivity between the SBC and the Teams tenant, there are many more configurations that need to be performed on the SBC to complete the entire enterprise voice configuration. We will look into those in the upcoming articles.

Regards

Sathish Veerapandian

Part 1 – Configure AudioCodes SBC for Microsoft Teams Direct Routing

Microsoft provides the option to bring your own SIP trunk for enabling the enterprise voice functionality. With Microsoft Teams Direct Routing we can provide the phone system to Teams users, connect the SIP trunks and use the local telecommunications provider. This option gives most customers an easy transition to Microsoft Teams, utilizing the existing infrastructure in parallel while moving the users to the new system.

In order to leverage this functionality we need to set up certified session border controllers. A previously written article can be referred to for checking the readiness and the steps required to configure Direct Routing in Microsoft Teams.

In this article series we will look at setting up an AudioCodes session border controller that will help in configuring Direct Routing.

There are multiple ways to achieve this, and one option is to configure it from the Azure Marketplace. That is the option we will look at here.

The first prerequisite is a valid Azure subscription. Log in to Azure and search the Azure Marketplace for AudioCodes.

Below are the results that we receive, and there are a few options to select from. For instance, there is a SaaS offering that is fully managed in Azure. For a full setup we have the Mediant Virtual Edition Session Border Controller and the Cloud Edition Session Border Controller. The Mediant CE edition is more robust, utilizes the full cloud elasticity and can scale up and down based on demand. The VE is more of a virtual edition that can be built easily on orchestration solutions and is available in the Azure Marketplace for easier deployments. More information on the description can be found here

In this example we choose the Virtual Edition Session Border Controller. There are a few important takeaways to note here. During creation it does not allow us to use an existing resource group; it requires us to create a new resource group or to use an existing resource group that is empty. One more important thing is that the virtual machine name must be all lower case, because the network settings do not allow creating the DNS name with upper-case characters.

Next, in the virtual machine settings, we have the option to choose the computing size and the OS version. Here we have chosen the latest OS version. The cloud-init file is an optional file that can be supplied for automatic provisioning.

Next are the network settings, which give us the option to set up the NIC interfaces based on our requirement. Since this case is a demo, we are going with a single network interface. One more important thing here is that the public IP address has to be static. The template picks the static setting, but it is better to verify it in the NIC settings once the VM has been deployed.

Finally it comes to the validation screen where we can check all the required settings and click on create.

Once it has been created we see all the required resources have been populated.

You can also see the DNS name that has been created with the static IP

Now when we login to the SBC DNS name we get the Audiocodes console that is ready for configuration.

Now that this is running, the next important thing is to create an A record in the public DNS and point it to this public IP address. One more important tip: the domain of the name that has been selected has to be registered in the Office 365 portal.

The next important thing is the certificate configuration on the Mediant SBC. Create a certificate from the public CA and upload it from IP Network – Security and TLS Contexts.

In my case I'm using a certificate that has been provided by DigiCert for the domain that we are testing. Make sure the file is password protected and in PFX format.

Click on Change Certificate. There are multiple options to upload the certificate. Here we choose the last option, uploading the certificate from your computer in PFX format with a password, and select Load File.

After a successful load we see a message stating that the upload is successful, and we see the red Save alert that prompts us to save the modified configuration.

We can also see that the associated DigiCert root and intermediate certificates have been populated in the Trusted Root Certificates section.

Finally we have to upload the same certificate in PEM format for the SBC.

We get the below message after a successful upload of the PEM file.

Now we have completed half of the initial readiness for the Direct Routing configuration, and in the next blog we will go through the next steps of the configuration.

Thanks & Regards

Sathish Veerapandian

Move users to Teams only mode from on premise Skype for business environment

This article outlines the technical steps required to move an on-premises Skype for Business account to Teams Only mode. There are a lot of other factors that need to be considered before making this change, and this step can only be the final stage in almost any environment.

If there is any PSTN integration with the Skype for Business on-premises environment, these factors need to be planned and executed in stages before phasing out Skype for Business on-premises and moving users to Teams Only mode. These features and functionalities need to be transferred completely to Microsoft Teams.

If you are moving from a Skype for Business 2015 environment, ensure that the admin tools are at the supported CU version, Skype for Business Server 2015 with CU8.

In this example I have built a lab in my environment, which has the local directory identities below (test accounts) synced to Azure AD.

And I have a standard Skype for Business 2015 environment running in the local active directory environment.

The next step is to configure Skype for Business hybrid with the Office 365 tenant where we are going to perform the move operation.

There are three simple steps involved in this procedure. The first is to configure federation with the below command from the Skype for Business Server Management Shell.

Set-CSAccessEdgeConfiguration -AllowOutsideUsers $True -AllowFederatedUsers $True -EnablePartnerDiscovery $True -UseDnsSrvRouting

The next step is to configure the shared SIP address space with the Office 365 tenant. To do that, first check whether a hosting provider is already enabled; if one is present, we must remove it with the below command.

Get-CsHostingProvider | ?{ $_.ProxyFqdn -eq "sipfed.online.lync.com" } | Remove-CsHostingProvider

The next step is to enable the hosting provider with the below command.

New-CsHostingProvider -Identity Office365 -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root

As we can see executing both the commands were successful in my case.

Now that we’ve made the required change in the on-premises Skype for Business environment, we need to make the same change on the Office 365 tenant by enabling the shared SIP address space with the below command.

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

In the below example I have connected to Teams powershell session and have performed this task.

Once we have performed the server and tenant configuration, it is very important to allow the required URLs that will be resolved from the management server where we are performing the operation.

The tenant URL for your subscription needs to be identified as per this article, and this URL needs to be whitelisted for outbound connections.

Get-CsTenant|ft identity

So in my tenant as per the article the hostedmigrationoverrideurl is adminof.online.lync.com

Permission:

Now we need the required permissions to perform this operation. The Skype on-premises admin account requires a minimum of the CsServerAdministrator role. For online permissions we must have the Skype for Business Admin and User Administrator roles. In my case I attempted this with Global Admin credentials, so I am not exactly sure about the behavior when we move directly to Teams Only mode with granular permissions. It works with split permission accounts (OnPrem\Cloud) with sessions established to the SFBOnPrem and SFBO modules from the same PowerShell.

One more important thing to note here is that the user being moved must have the appropriate license in Office 365 so that the account gets enrolled in the Teams service.

Establishing the session:

Launch PowerShell on the management server where you have the SFB admin tools installed and have connectivity to the SFB on-premises FE and the required tenant, to establish the PowerShell session with the new Teams module. Make sure you install the Teams module on the management server as per this information.

Online:

OnPrem

Import the SFB powershell module on the same session. Since I have opened this session from a local SFB admin account I did not store the on prem credentials in this session.

Performing the move

We can perform the move with the below command. One important point to note here is that post CU8 the move operation succeeds only with modern authentication, by using the switch -UseOAuth.

$url = "https://adminof.online.lync.com/HostedMigration/hostedmigrationService.svc"

Move-CsUser -Identity Lionel.Augnel@nl.exchangequery.com -MoveToTeams -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url -UseOAuth -BypassAudioConferencingCheck

In the below case we can see that the move operation is successful.

The move results log also gives us some useful information, such as the time taken for move user preparation, the start time and a few more details that might be helpful.

On validation we can see that the moved users show as homed in Office 365 and are no longer present in the SFB on-premises environment.

In Teams we can see that the user has been migrated successfully to Teams mode directly.

Now that the initial setup is completed, a script can be created to move the accounts in batches.

Schedule Microsoft Teams Live Events from an external app OBS Studio

With Microsoft Teams Live Events, we have the alternative of streaming from external encoding sources. There are a few advantages to running the event from an external application. We can customize the presentation deck by including various sources, and there is an option to include multiple cameras and combine them on the same deck.

This subject caught my eye, so I investigated this alternative with a free open source tool, OBS Studio. The installer can be downloaded and installed on the PC from which we are going to stream the live event. OBS Studio is present in the list of supported encoders provided by Microsoft.

Before we set up OBS Studio, we must schedule a live event to generate the URL used to build up the connection between them.

So we created a live event with the org-wide option.

On the next screen choose the option external app or device.

The moment the live event is created, we can see that the server ingest URL has been generated. Now that the URL required to establish the connection from OBS has been generated, we need to populate this value in the OBS Studio app.

From the OBS Studio app navigate to Settings.

Navigate to Stream, select Custom as the service and populate the server URL that was copied from the generated live event. It is mandatory to paste a stream key here. You can paste some random numbers and that will become your stream key. Once this part is completed you can click on Apply.

Customization of the presentation Deck

Now we need to go to Scenes and create a new scene.

Once that is done we have the option to add a source. There are ample options available here to modify our presentation deck.

Furthermore, when we select the video capture device, we have the opportunity to add multiple cameras with our own customization.

Drilling further into the Configure Video option, we can see more options. I was able to change zoom, focus and exposure; these might differ based on the camera that is connected.

We have options to add images, media and browsers, which might be beneficial during the live event from the same deck. For instance, below is an example of adding a media video. The tool really seems to be powerful in providing additional options for customizing the deck.

Once the customization is done we are good to go to start the setup.

After that we click on Start Streaming in OBS Studio. Once the session is started we can see the frames per second, and the stream is ready for Teams Live Events.

Then from the Teams live event you can click on Start event.

Finally we can see the live event streaming from the external encoder app. Below is a sample where the state says encoder preview and shows the customized deck with images and a browser page.

Regards

Sathish Veerapandian

PowerBI – Microsoft Intune Data WareHouse Beta connector

Now we can use PowerBI and use the Microsoft intune data warehouse to build reports for the entire organization to foresee the intune analytics and the status. PowerBI being a very potential platform for data gathering and analysis this intune data warehouse can help in terms of analyzing the Microsoft intune statistics and provide us the overall metrics.

When we look into the get data from the PowerBI desktop version, we do see the option Intune Data WareHouse Beta Preview connector. Once authenticated with the account we can select this connector

At this point of writing this blog , we could see that this connector is integrated with a 3rd party service as of now and it in the progress of full mature version and can expect more improvements in the future.

On further progress we have an option to pull data up to 60 days as of now.

Once connected we can see there are 48 datasets that can be helpful in building the required reports and the dashboard for Microsoft Intune.

Here, just as an example, I have loaded a few datasets that might be helpful for us in creating a report for the Intune statistics.

For instance, we could measure how many users are Intune licensed, jailbroken devices, Azure AD registered devices, trends of OS versions getting enrolled in Intune, and even see the amount of MAM getting enforced on devices.

Once the data is segregated and the report is created, we can go ahead and publish it to the Workspace.

On a successful operation we get the message below. There is an option to create a portrait view of the report which is compatible with mobile phones.

We could publish this report to a dashboard and share it with users, which can provide insights into the enterprise mobile environment.

Finally, below is a sample overview of the shared dashboard view.

There are a lot of benefits in using the Data Warehouse when compared to the Azure Portal. The Data WareHouse is like accessing the raw data from the backend, where the delta is refreshed daily and we have the option to pull the historical Intune data.

One important point to note here is that the Intune Data Warehouse only contains Intune data. If co-management is utilized, additional steps are required to retrieve the data from Configuration Manager.

PowerBI Desktop is used to create the reports and this can be done with the free version of PowerBI. A PowerBI Pro license is required for publishing the reports and sharing them for collaboration.

Regards

Sathish Veerapandian

Microsoft Teams – script to generate teams owners ,visibility type, owners count, members count and archive status

Microsoft Teams utilization has phenomenally increased with the current COVID situation, where almost every one of us is working from home. Microsoft Teams, being one of the top collaboration tools, is helping all of us to stay better connected during this time.

Most organizations don’t restrict Team creation in Microsoft Teams because this factor heavily influences the adoption rate of the Teams communication platform. The below script can be run in Task Scheduler or in an Azure Function on a monthly basis for reviewing the Teams created in the last 30 days, especially to see the Teams that have been archived and to see whether the Teams created by the users are private or public.

Below is the sample output of the script which will provide us the below details.

############################################################################################################################################
# Description   :- Powershell Script To extract Teams Name,Owner,backup owner,owner count,member count,Group Type and Archive Status.
# Created Date  :- 10-Oct-2020
# Created By    :- Sathish Veerapandian
# Version       :- 0.2
# Imp Notes     :- Please ensure you have folder C:\Scripts and clear the output files generated every time when you run the script again.
# Info          :- If you want to send reports as email please uncomment the last line and use the from/to address with SMTP Server
############################################################################################################################################
Connect-MicrosoftTeams

$Path="C:\scripts\TeamsReport.csv"

$Header = @"
<style>
TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}
TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #48D1CC;}
TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black;background-color: #F0FFFF}
</style>
"@

$Count = 0
Get-Team | foreach {
$TeamName = $null ; $TeamName = $_.DisplayName
$GroupId = $null ; $GroupId = $_.GroupId
$Visibility = $null ; $Visibility = $_.Visibility
$EmailAlias = $null; $EmailAlias = $_.MailNickName
$Archived = $null; $Archived = $_.Archived

$Count++
Write-Progress -Activity "Processed Teams count: $Count" -Status "Currently Processing: $TeamName"

# @() keeps .Count and [0] indexing reliable whether zero, one or many users come back
$TeamMembersCount = $null ; $TeamMembersCount = @(Get-TeamUser -GroupId $GroupId).Count
$TeamOwners = $null ; $TeamOwners = @(Get-TeamUser -GroupId $GroupId -Role Owner)
$TeamOwnersCount = $null ; $TeamOwnersCount = $TeamOwners.Count
$Owner1 = ""
$Owner2 = ""

If ($TeamOwnersCount -eq 1) { $Owner1 = $TeamOwners[0].User}
Elseif ($TeamOwnersCount -ge 2) { $Owner1 = $TeamOwners[0].User; $Owner2 = $TeamOwners[1].User}

$Output = [PSCustomObject]@{
    TeamName = $Teamname
    Owner1 = $Owner1
    Owner2 = $Owner2
    TeamOwnersCount = $TeamOwnersCount
    TeamMembersCount = $TeamMembersCount
    TeamEmailAlias = $EmailAlias
    TeamVisibility = $Visibility
    TeamArchiveStatus = $Archived
}
$Output | Export-Csv $Path -NoTypeInformation -Append
}

# Build the HTML report once, after every team has been written to the CSV
Import-Csv $Path | ConvertTo-Html -Head $Header | Out-File -FilePath C:\Scripts\TeamsReport.html
# Send the exported html as email for evaluation
#Send-MailMessage -From senderemailID -To recipientemailid -Attachments "C:\Scripts\TeamsReport.html" -BodyAsHtml -SmtpServer mentionsmtpserver -Subject TeamsGroupReport

Thanks & Regards

Sathish Veerapandian

Microsoft Teams – Utilize the Azure Sentinel to facilitate SOC and Monitor Teams critical events

A few days ago Microsoft announced a new release which gives us the opportunity to integrate MS Teams related activities that are recorded in the audit logs into Azure Sentinel. Enabling this feature benefits organizations where there is a separate SOC team monitoring and analyzing the security posture as an ongoing operational procedure.

We still have the Microsoft native Cloud App Security, which helps in creating the alerting mechanism for MS Teams related activities. But with Log Analytics and Azure Sentinel we can do a lot more than can be done from Cloud App Security. We can further fine-tune the alerting, and create workbooks and dashboards for Microsoft Teams related activities which will be useful for Teams monitoring.

To start with this new feature, we need to enable the new option to ingest Teams data into Azure Sentinel workspaces. This article can be followed to start with connecting Office 365 to the Microsoft cloud-native SIEM, Azure Sentinel.

Navigate to Azure Sentinel Work Spaces – Select Data Connectors – Choose Office 365

Here we can see the new option for sending Teams Audit Logs to Azure Sentinel WorkSpace.

Once it is done, after a while we could see that the workspace has received the data type Office Activity (Teams).

Live Query Teams Monitoring :

When we navigate into the workspace we have the opportunity to fine tune and see the events that are written on the Audit Logs for Teams in a more refined way.

For instance, filtering for only Team creation can be done from the workspace. This can even be used for filtering on a specific person and creating an alert for them.

This helps the SOC team with live reactive analysis when any security incidents are reported for Teams related activities.

OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| where Operation has "TeamCreated"
| where UserId has "sathish@exchangequery.com"
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload
| sort by TimeGenerated

Create Alerting Mechanism : Azure Monitor or Azure Sentinel

In a real example we can create alerts and notify the SOC Team when a bot has been added to the Team.

OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| where Operation has "BotAddedToTeam"
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload
| sort by TimeGenerated

To create the alert after writing the query, we have the New alert rule option, where the alerting mechanism can be created in two ways: Create Azure Monitor alert or Create Azure Sentinel alert.

To experience the behavior, I selected the option Create Azure Monitor alert and used the same query. The alert logic and the time period are set for demo and can be defined based on the period and frequency that suit the monitoring best.

The action group can be selected to send this notification alert to email addresses.

Other notification types can be selected as well; for example, ITSM can be chosen to trigger an incident for the same events.

In our case email was selected; after a few minutes we tested by adding a bot and got the alert notification at the email address.

Further information about the bots that have been added can also be seen.
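An alert-ready variant of the BotAddedToTeam query above, as an added example that is not part of the original post: it groups bot installs per user and hour so a rule fires once per burst rather than once per event, and it runs against an inline `datatable` so it can be tried in any Log Analytics workspace. The sample users, bot names, the `approvedBots` allowlist and the one-hour window are assumptions made for illustration.

```kql
// Constructed sample rows, shaped like the OfficeActivity columns used in the queries above.
// To run against real data, replace SampleActivity with OfficeActivity in the last statement.
let SampleActivity = datatable(TimeGenerated:datetime, OfficeWorkload:string,
                               Operation:string, UserId:string, AddonName:string)
[
    datetime(2020-10-12 09:01:00), "MicrosoftTeams", "BotAddedToTeam", "alice@contoso.example", "Polly",
    datetime(2020-10-12 09:05:00), "MicrosoftTeams", "BotAddedToTeam", "bob@contoso.example",   "UnknownHelperBot",
    datetime(2020-10-12 09:20:00), "MicrosoftTeams", "BotAddedToTeam", "bob@contoso.example",   "FileFetchBot",
    datetime(2020-10-12 09:40:00), "MicrosoftTeams", "BotAddedToTeam", "bob@contoso.example",   "UnknownHelperBot",
    datetime(2020-10-12 11:15:00), "MicrosoftTeams", "TeamCreated",    "carol@contoso.example", "",
    datetime(2020-10-12 14:02:00), "MicrosoftTeams", "BotAddedToTeam", "carol@contoso.example", "SurveyBot",
    datetime(2020-10-12 14:30:00), "Exchange",       "MailItemsAccessed", "bob@contoso.example", ""
];
// Hypothetical allowlist: bots the organization has already reviewed and approved.
let approvedBots = dynamic(["Polly"]);
SampleActivity
| where OfficeWorkload == "MicrosoftTeams"
| where Operation == "BotAddedToTeam"
// Drop installs of approved bots so the SOC only sees unreviewed ones.
| where AddonName !in (approvedBots)
// One row per user per hour: how many unreviewed bots, which ones, and when.
| summarize BotInstalls = count(),
            Bots        = make_set(AddonName),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
    by UserId, bin(TimeGenerated, 1h)
| sort by LastSeen desc
```

With the alert logic set to fire when the number of results is greater than 0, each notification then carries the user, the set of bots and the time window in one row.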

Create WorkBooks and Dashboards:

Here we have the possibility to create workbooks and dashboards for MS Teams related activities. There is one template present by default for Office 365, and there is an item Teams Workload present here which will help in creating a workbook for Teams.

The default workbook provides decent information on monitoring the Teams related activity.

This will be a good start for creating one dedicated workbook for Microsoft Teams and pinning it as a separate dashboard for Microsoft Teams related activities. I have also written a post on creating Azure Monitoring Workbooks which can be referred to for creating dashboards for Teams activities.

Microsoft Teams logs in Azure Sentinel is a really welcome native cloud integration feature set, from which a lot of organizations can definitely benefit in actively monitoring the Teams activities with no additional cost of investing in 3rd party SIEM integrations.

Regards

Sathish Veerapandian

Synology DiskStation Active Backup for Office365

Recently I was requested to review the Synology DiskStation Active Backup for Office 365. Though Microsoft 365 provides unlimited retention period and litigation hold for Office 365 applications, I always had one topic on my hit list: to read up on why there might be a reason to have a local backup instance for Office 365 applications. This made me do a little research on the topic, and I could see there might be a few business cases and compliance/legal requirements which demand maintaining backup copies of electronic data.

Moreover, the litigation hold and retention period are not applicable to all Office 365 plans. I have seen organizations consuming a wide variety of Office 365 plans based on their business models.

On the other hand, I see that most Office 365 backup solutions let users restore content on their own more quickly, mostly from a user management portal. In an ideal scenario, Office 365 user data recovery can be executed with the native tool set, using the native content search or an eDiscovery case from the admin portal. In a real scenario, if we don’t have an SLA for the data restore requests that come in every day for resigned or existing employees, there might be some delay where only a few admins are responsible for handling the operational tasks. With these third-party packages we can optimize the data restore processes.

In this article we will have a look at Active Backup for Office365 from Synology. A little while back I set up a DS920+ DiskStation with Seagate IronWolf HDDs. Seagate IronWolf is built for NAS: designed for 24×7 NAS workloads with better performance, spacious capacity and blazing-fast speeds, and it provides 2 applications, SeaTools and DiscWizard, for monitoring the drives.

In order to set up Active Backup for Office 365 we have to log in to DiskStation Manager. Keep in mind that Active Backup for Office 365 is supported only on 64-bit NAS devices, and they must be running DSM 6.1 or later with at least 2GB of RAM.

After logging in to DiskStation Manager, in the Package Center we can see that Active Backup for Office365 is present as an add-on. Once it is installed we can open it.

In the setup screen it provides us an option to choose in which office 365 data center our tenant resides.

After logging in with the admin credentials, we can see it requests OAuth permissions so that it can get read and write access to all users’ data to perform the backup and restore operations.

Then it takes us to the redirect page, where we must confirm that we are OK with sending the Office 365 data to the local DS domain.

Once it is completed Active Backup for Office 365 is opened. Navigate to Task Creation Wizard.

Here we have 2 highlight features:

Account Discovery – When this option is turned on, every new account in Office 365 gets the backup enabled automatically, which is a really good feature.

Enable the Active Backup Portal for end users – The user logs in with his own credentials and can see his own data and perform a restore.

Here we have options to select the users for whom we need to take a backup. From a business standpoint we can think of 2 cases: the first being users who do not have the appropriate license for litigation hold and retention policies, and the second being VIP users or critical financial mailbox data that might require a local copy as per the business model concerning the audit and compliance requirements.

We selected a few users for our testing, and we also have the option to choose which services need to be backed up.

We have the site list where there is an option to choose the sites.

We have the backup and retention policy here to choose based on our requirement. We do have the file version retention policy as well.

Finally we choose the destination folder location in the NAS drive and the backup task creation is successful.

We can see the overall status and the backup summary in the Active Backup for Office 365 Dashboard once a few backup schedules have been successful.

Restore Operation:

There is an option to choose which service we need to restore for the user. Here it can be OneDrive, Mail, Site, Calendar or Contacts. At the moment of writing this blog I do not see a separate option to restore Teams data.

Option 1 : Admin Restore

When the admin logs in he has the full privilege to navigate to all employees and their data and restore them.

Option 2 : User Restore

The user logs in with his own credentials in the Office 365 Active Backup Portal and can see his own data.

Email Restore:

Logged in to the Admin console, we have the option to choose the users.

Here we can see the option to select our restore point date and choose the required emails individually. In the restore we have two options: the first restores them directly to the user’s mailbox, and the second exports them as individual email messages.

We have the option to search for individual files by keywords, subject and date, including attachments, which looks like a promising feature. The ability to perform a granular brick-level backup will minimize most of the native recovery operations tasks.

In the final screen we have the option to change the user destination. In a real scenario this can be useful where a current employee might require data from a resigned employee after getting prior approval for a valid business reason.

Once the restore operation is successful, we can see in the user mailbox that the emails have been stored in a separate destination folder and only the selected emails are restored.

On an export operation the selected files are exported individually as emails.

File Restore:

File restore is also very promising. It makes it easy to restore the file directly to the destination or take an export, which downloads the requested file in the same format.

On doing a direct restore we can see that there is an option to restore the file sharing permission which looks great.

Below were the highlights identified from the evaluation:

1) License-free for unlimited Office 365 backups.
2) Option to monitor and manage backups, even from multiple tenants, from the same single dashboard.
3) There is account discovery – when this option is turned on every new account in Office 365 gets the backup enabled automatically.
4) There is an advanced search engine which allows us to find any files containing the keyword, including mail attachments.
5) Option to preview the content of each file before we restore it.

Of course Microsoft does provide enough ways to protect data against corruption, deletion, ransomware and disaster scenarios with security, retention policies and litigation hold. If that convinces us, then we are OK with the native backup mechanism. As an alternative we can choose these packages, which can hold data locally, mostly for compliance/legal purposes, for a volume of users not covered by the licensing requirements to retain their data, and for an enhanced recovery mechanism based on the business requirements.

I find this software to be beneficial for organizations that might be required to back up Office 365 data as a part of their legal and compliance regulatory requirements.

Thanks & Regards

Sathish Veerapandian
