With Microsoft Teams Live Events ,we have an alternative to stream them from outside encoding sources. There are few advantages of playing out this activity from an external application. We can customize the presentation deck by including various sources and there is an option to include multiple cameras and cumulate them on the same deck.
So here I caught some eye over this subject to investigate this alternative from an open source free tool OBS Studio . The installer can be downloaded and installed on the PC from where we are going to stream the live event from this app OBS Studio. And they are present in the list of Supported Encoders provided by Microsoft.
Well before we setup the OBS studio the mandatory part is we need to schedule a live event to generate the URL to build up the connection between them.
So created live event with org wide option.
In the next screen choose the option external app or device.
The moment when the live event is created we could see the server ingest url is been generated. So now the required url to establish the connection from OBS has been generated here we need to populate this value on the OBS studio app.
From the OBS Studio app navigate to settings
Navigate to stream – in the service select Custom and populate the server URL that was copied from the generated live event. Its mandatory to paste the stream key over here. You can paste some random numbers and that will become your stream key. This part is completed and you can click on apply.
Customization of the presentation Deck
Now we need to go to scene and create a new scene.
Once that is done we have option to add the source. We could see over here that there are ample of options available over here to modify our presentation deck.
Furthermore when selected the video capture device , we do have the opportunity to add multiple cameras over here with our own customization.
When further drilled down into the configure video option we can see options. I was able to change zoom, focus and exposure and might change here based on the camera that is connected.
We have options to add images, media and browsers which might be beneficial during the live event from the same deck. For instance below is an example to add the media video. The tool really seems to be powerful in providing additional options on customization of the deck.
Once the customization is done we are good to go to start the setup.
After that we click on start streaming from the OBS Studio. Once the session is started we can see the frames per second ratio which is ready to stream on Teams Live events.
Then from Teams live event you can click on start event.
Finally we can see the live events streaming from external encoder app. Below is a sample where we can see the state it says encoder preview and the customized deck with images and browser page.
Now we can use PowerBI and use the Microsoft intune data warehouse to build reports for the entire organization to foresee the intune analytics and the status. PowerBI being a very potential platform for data gathering and analysis this intune data warehouse can help in terms of analyzing the Microsoft intune statistics and provide us the overall metrics.
When we look into the get data from the PowerBI desktop version, we do see the option Intune Data WareHouse Beta Preview connector. Once authenticated with the account we can select this connector
At this point of writing this blog , we could see that this connector is integrated with a 3rd party service as of now and it in the progress of full mature version and can expect more improvements in the future.
On further progress we have an option to pull data up to 60 days as of now.
Once connected we can see there are 48 datasets that can be helpful in building the required reports and the dashboard for Microsoft Intune.
Here just for an example have loaded few datasets that might be helpful for us in creating a reporting for the intune statistics.
For instance we could measure how many users have intune licensed , jailbroken devices , azure ad registered devices , trends of OS versions getting enrolled in intune and even see the amount if MAM getting enforced on devices.
Once the data is segregated and creating the report we can go ahead and publish them to the Workspace.
On a successful operation we get this below message. There is an option to create a portrait view of the report which is compatible for mobile phones.
We could publish this report to dashboard and share them to users which can provide insights to enterprise mobile environment.
Finally below is an sample overview of the shared dashboard view.
There are lot of benefits in using the Data Warehouse when compared to the Azure Portal. The Data WareHouse is like accessing the raw data from the backend where the delta is refreshed in the daily fashion and we have option to pull the historical intune data.
One important point to note here is that the Intune Data Warehouse only contains Intune data. Just in case if co-management is utilized then additional steps to retrieve the data from configuration manager is required.
Power Bi desktop is used to create the reports and this can be done with the free version of the PowerBI. PowerBI Pro license is required for publishing the reports and share them for collaboration.
Microsoft Teams utilization have phenomenally increased with the current COVID situation where almost everyone of us are working from the home. Microsoft Teams being one of the top collaboration software helping all of us to stay better connected during this time.
Most of the organizations doesn’t restrict the Team creation from Microsoft Teams because this factor is heavily influenced on better adoption rate of the Teams communication platform. The below script can be used to run in task scheduler or in Azure Function on a monthly basis for reviewing the Teams Created in last 30 days especially to see the Teams that have been archived and to see the fashion of teams created private or public by the users.
Below is the sample output of the script which will provide us the below details.
############################################################################################################################################
# Description :- Powershell Script To extract Teams Name,Owner,backup owner,owner count,member count,Group Type and Archive Status.
# Created Date :- 10-Oct-2020
# Created By :- Sathish Veerapandian
# Version :- 0.2
# Imp Notes :- Please ensure you have folder C:\Scripts and clear the output files generated every time when you run the script again.
# Info :- If you want to send reports as email please uncommentlast line and use the from/to address with SMTP Server
############################################################################################################################################
Connect-MicrosoftTeams
$Path="C:\scripts\TeamsReport.csv"
$Header = @"
TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}<br />
TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #48D1CC;}<br />
TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black;background-color: #F0FFFF}<br />
"@
$Count = 0
Get-Team | foreach {
$TeamName = $null ; $TeamName = $_.DisplayName
$GroupId = $null ; $GroupId = $_.GroupId
$Visibility = $null ; $Visibility = $_.Visibility
$EmailAlias = $null; $EmailAlias = $_.MailNickName
$Archived = $null; $Archived = $_.Archived
$Count++
Write-Progress -Activity "`n Processed Teams count: $Count "`n" Currently Processing: $TeamName"
$TeamMembersCount = $null ; $TeamMembersCount = (Get-TeamUser -GroupId $GroupId).count
$TeamOwners = $null ; $TeamOwners = Get-TeamUser -GroupId $GroupId -role Owner
$TeamOwnersCount = $null ; $TeamOwnersCount = ($TeamOwners).count
$Owner1 = ""
$Owner2 = ""
If ($TeamOwnersCount -eq 1) { $Owner1 = $TeamOwners[0].User}
Elseif ($TeamOwnersCount -ge 2) { $Owner1 = $TeamOwners[0].User; $Owner2 = $TeamOwners[1].User}
$Output = [PSCustomObject]@{
TeamName = $Teamname
Owner1 = $Owner1
Owner2 = $Owner2
TeamOwnersCount = $TeamOwnersCount
TeamMembersCount = $TeamMembersCount
TeamEmailAlias = $EmailAlias
TeamVisibility = $Visibility
TeamArchiveStatus = $Archived
}
$Output | select * | Export-Csv $Path -NoTypeInformation -Append
$Data = Import-CSV "C:\scripts\TeamsReport.csv"
$data | ConvertTo-Html -Head $Header | Out-File -FilePath C:\Scripts\TeamsReport.html
# Send the exported html as email for evaluation
#Send-MailMessage -From senderemailID -To recipientemailid -Attachments "C:\Scripts\TeamsReport.html" -BodyAsHtml -SmtpServer mentionsmtpserver -Subject TeamsGroupReport
}
Few days ago Microsoft has announced the new release which provides us the opportunity to integrate MS Teams related activities that are recorded in the audit logs to Azure Sentinel. Enabling this feature benefits organization where there is a separate SOC team monitoring and analyzing the security posture as an ongoing operational procedure.
We still have the Microsoft native cloud app security which benefits in creating the alerting mechanism for MS-Teams related activities.But with the Log Analytics and Azure Sentinel we can do a lot more than it can be done from the Cloud App Security. We can further fine tune the alerting, create workbooks and dashboards for Microsoft Teams related activities which will be useful for Teams Monitoring.
To start with this new feature ,we need to enable this new option to ingest Teams Data into Azure Sentinel Work Spaces. This article can be followed to start with connecting office 365 with the Microsoft Cloud native SIEM Azure Sentinel.
Navigate to Azure Sentinel Work Spaces – Select Data Connectors – Choose Office 365
Here we can see the new option for sending Teams Audit Logs to Azure Sentinel WorkSpace.
Once it is done after a while, we could see that the workspace have received the data types Office Activity (Teams)
Live Query Teams Monitoring :
When we navigate into the workspace we have the opportunity to fine tune and see the events that are written on the Audit Logs for Teams in a more refined way.
For instance to filter only Team creation can be checked from the workspace. This can be used for filtering even specific person and creating alert for them.
This helps the SOC Team for a live reactive analysis when any security incidents are reported for Teams related activities.
OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| sort by TimeGenerated
| where Operation has "TeamCreated"
| where UserId has "sathish@exchangequery.com"
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload
Create Alerting Mechanism : Azure Monitor or Azure Sentinel
In a real example we can create alerts and notify the SOC Team when a bot has been added to the Team.
OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| sort by TimeGenerated
| where Operation has "BotAddedToTeam"
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload
To create the alert once after writing the query we have the new alert rule where there is an opportunity to create alerting mechanism in two methods. Create Azure Monitor Alert or Create Azure Sentinel Alert.
To experience the behavior selected the option Create Azure Monitor alert. Used the same Query. Alert logic and the time period is set for demo and can be defined based on the period and frequency that suits best for the monitoring.
The action group can be selected to send this notification alert to a email addresses.
The notification type can be selected for other options like where ITSM can be chosen to trigger an incident for the same events.
In our case email was selected and after few minutes tested by adding a bot and got the alert notified on email address.
Further information about the bots that have been added can also been seen.
Create WorkBooks and Dashboards:
Here we do have the possibility to create workbooks and dashboards for Ms Teams related activities. There is one template present by default for Office 365 and there is a item Teams Workload present over here which will help in creating a workbook for Teams.
The default workbook provides decent information on monitoring the Teams related activity.
This will be a good start to create one dedicated work book for Microsoft Teams and pin them as a separate dashboards for Microsoft Teams related activities. I have also written post on creating Azure Monitoring Workbooks which can be referred for creating dashboards for Teams Activities.
Microsoft Teams logs in Azure Sentinel is really a welcoming native cloud integration feature set where lot of organizations can be definitely beneficial in terms of actively monitoring the Teams Activities with no additional cost of investing on 3rd party SIEM integrations.
Recently i was requested to review the synology diskstation ActiveBackup for Office 365 . Though Microsoft 365 provides unlimited retention period and litigation hold for office 365 applications i always had one topic in my hit list to read on why there might be a reason to have a local backup instance for Office 365 applications.This made me to do some little bit research on this topic and could see there might be few business cases ,compliance/legal requirements which demands to maintain backup copies of electronic data.
Moreover the litigation hold and retention period is not applicable for all office 365 plans. I have seen organizations consuming wide variety of Office 365 plans based on their business models.
On the other hand i see most of the office 365 backup solutions provides faster efficiency of users able to restore the content on their own mostly from the user management portal. In an ideal scenario office 365 user data recovery can be executed from a native tool set where we use the native content search or an e-discovery case from the admin portal. In a real case scenario if we don’t have an SLA for restore of data that comes in everyday for a resigned employee or an existing employee there might be some delay where only few admins are responsible in handling the operations tasks. With these third party packages we can optimize the processes for data restore.
In this article we will have a look at Active Backup for Office365 from Synology. A little while back i setup DS920 + Diskstation with Sea Gate Iron Wolf HDD . SeaGate IronWolf is always BUILT FOR NAS Designed for 24×7 NAS workloads with better performance, spacious capacity, blazing-fast speeds and provides 2 applications sea tools and disk wizard for monitoring the drives.
In order to setup Active Backup for Office 365 we have to login to the Disk Station Manger.Keep this in mind the Active Backup for Office 365 supports only in 64 bit NAS and they must be running DSM 6.1 or later with atleast 2GB of ram.
After logged in to disk station manager in the package center , we can see the Active Backup for Office365 is present as an addon. Once its installed we can open them.
In the setup screen it provides us an option to choose in which office 365 data center our tenant resides.
Subsequent log in with the admin credentials we can see it requests for oauth permissions so that it can get the read and write access on all users data to perform the backup and restore operations.
Then it takes to the redirect page that we must confirm that we are ok with sending the office 365 data to the local DS domain.
Once it is completed Active Backup for Office 365 is opened. Navigate to Task Creation Wizard.
Here we have 2 highlighting features :
Account Discovery – When this option is turned on every new account in Office 365 gets the backup enabled automatically which is really a good features.
Enable the Active Backup Portal for end users – User logins with his own credentials and can see his own data and perform restore.
Here we have options to select the users where we need to take a backup for them. On a business standpoint we can think of 2 cases first one being the users not having the appropriate license for Litigation hold and retention policies and the latter one being VIP users or critical Financial Mailbox data that might require a local copy as per the business model concerning the audit and compliance requirements.
Selected few users for our testing and we also have the option to choose what service that needs to be backed up.
We have the site list where there is an option to choose the sites.
We have the backup and retention policy here to choose based on our requirement. We do have the file version retention policy as well.
Finally we choose the destination folder location in the NAS drive and the backup task creation is successful.
We can see the overall status and the backup summary in the Active Backup for Office 365 Dashboard once after few backup schedules have been successful.
Restore Operation:
There is an option to choose which service that we need to restore for the user. Here it can be one drive, Mail , Site , Calendar or Contacts. At the moment of writing this blog I do not see a separate option to restore for Teams Data.
Option 1 : Admin Restore
When admin logins he has the full privilege to navigate to all employees ,their data and restore them.
Option 2 : User Restore
User logins with his own credentials in the Office 365 Active Backup Portal and can see his own data.
Email Restore:
From the Admin console logged in – have the option to choose the users.
Here we can see the option to select our restore point date and choose the required emails individually. In the restore we have two options first one to restore them directly to users mailbox and the second one where we can export them as individual email messages.
We have the option to search for the individual files with keywords, subject ,date and including with attachments which looks like a promising feature.The ability to perform a granular brick level backup will minimize most of the native recovery operations task.
In the final screen we have the option to change the user destination. In a real case scenario this can be useful where a current employee might require a data from a resigned employee after getting prior approval for a valid business reason.
Once the restore operation is successful we can see in the user mailbox it has been stored them on a separate destination folder and only the selected emails are restored.
On a export operation we the selected files are exported individually as emails.
File Restore:
File restore is also very promising. It makes an easy task to restore the file directly to the destination or take an export which downloads the requested file in the same format.
On doing a direct restore we can see that there is an option to restore the file sharing permission which looks great.
Below were the highlights identified from the evaluation:
1) License-free for unlimited Office 365 backups. 2) Option Monitor and manage your backup even from multiple tenants from same single dashboard. 3) There is account discovery – when this option is turned on every new account in Office 365 gets the backup enabled automatically. 4) There is an advanced search engine which allows to find any files containing the keyword including mail attachments 5) Option to preview the content of each file before we could restore them
Of course Microsoft does provide enough ways to protect data against corruption, deletion , ransomware and disaster scenarios with security, retention policies and litigation hold. If that convinces then we are ok with the native backup mechanism.As an alternative we can choose these packages that can hold data locally mostly for compliance/legal purposes , Volume of users not covering the licensing requirements to retain their data and enhanced recovery mechanism based on the business requirements.
I find this software to be beneficial for organizations that might require to backup Office 365 data as a part of their legal and compliance regulatory requirements.
Microsoft Teams Graph API have been there for a quite a long time and it can be beneficial in various ways to perform Teams related tasks in API operations. In this article we will go through the Teams Graph API overview and API calls available as of now.
Using Graph API developers have a unified Rest API to access Teams underpinned components. For instance, using Graph API we can post a survey notification to a channel with option to vote for the survey. With this we can create a Team, add members and owners ,configure team settings and even archive a Team.
The overview of Graph API can be explored by navigating to the below URL.
Before consuming the Graph API we need the required permissions on the Graph API to run the query. So we need to consent the required permission based on the action that will be performed from the Graph API. In below example have granted the below permissions to execute the Graph API operations for Teams.
Once logged in initially we can check for the basic me option which returns the user information as below.
As of now while writing the blog post the Teams has below graph options 9 general and 4 beta versions. So if any issues identified on beta while pulling from the applications, powerapps , logic apps or other APIs it will be fixed sooner.
Now moving to the Teams part below query shows the teams where im member of
So now trying with the post request to create a channel on a Team called Test Team.The prerequisite of creating a channel is to mention the Teams ID under which the channel needs to be created.
Upon a successful post we can see that the new channel called architecture discussion have been created.
Interestingly we have an option to send a channel message. Example below message.
The test post message we set have been received in Team Channel.
When attempted the get message present in a channel we get the actual messages present in them.
Now we have tested the API operations from the Graph explorer there are multiple ways to access them from different programs. In our example we will try to access them from the powershell and create a Team. The first prerequisite for Creating the Teams from Graph API is they need to be as an Office365 Group. The Office365 group is created as a Post Operation
Once the Office365 Team is created we can use the Put operation to enable Teams in them. While there are lots of samples available on the internet to create the teams i found this video which is very helpful start the graph API operations for Microsoft Teams via Powershell.
As a initial prerequisite we need o install the SharepointPNPPowershell online and connect to them.
Below is a sample script that can be used to create a Team from the Graph API via Powershell.
Upon a successful execution of the above script we will get the below message on the powershell session.
On verification could see the associated office 365 group and the Team have been created.
Also the team is automatically created and visible from the Teams client
With the Microsoft Graph APIs it becomes a unified REST API experience and it helps us to perform multiple Teams operations and automate the Team management life cycle.
Microsoft Teams have been the highly adopted collaborative platform in few months time.It has been helping a ton worldwide and the new features that is been released every now and then makes us stay connected and expands the efficiency in every organization who have been using them.
By default Microsoft Certified Room systems are forward compatible with the new Skype for Business or Teams services while maintaining the same client user experience.Usually when any organization has only Skype then these meeting rooms will have the options only Skype enabled on them.
In this article we will be looking at how to enable the existing Skype room systems to have the capacity to host Teams Meetings in them.
Example screen of a Skype room system panel where we have the below options on the supported meeting mode while configuring them at the initial stage .
These devices are basically on KIOSK mode running on recommended versions of Windows 10 currently supported one being 1909 at the time of writing this blog.
Ideally when a Skype room system account have been migrated to Teams with all the prerequisites this mode on the meeting room devices needs to be changed to support Skype for Business and Microsoft Teams.
This can be done by using the local admin credentials of this Skype room system , logging into the system context and change the mode to support both Teams and Skype. In a real scenario for a small scale deployment for lesser than 10 rooms changing them manually from the local IT support is possible. But in a huge deployments where there are 100 plus systems deployed across the globe and making them change manually will be a uncomfortable experience.
This supported meeting mode on the Skype room systems is controlled via an XML file present on below location. This location is standard for all the meeting rooms running on KIOSK mode and have a file named skypesettings.xml
At startup these devices looks up for this XML file named SkypeSettings.xml on the above location. If it finds them it applies the configuration settings indicated by the XML file then deletes the XML file. The best thing is that we can mention only the changes that we require on the system on the XML file and it will update the delta changes and keep the other settings as same.
In order to enable Teams, Skype and have Teams as default client we can use the below XML
Now this XML can be easily pushed to all the Skype Room Systems via Intune Scripting Profile.
Below are the prerequisites before performing this action:
The Skype Room Systems accounts must have thee Teams license assigned to them. This offers an easy migration path from Skype for Business to Teams by just enabling Teams on the device.
The Skype Room Systems must have been registered on Microsoft Intune to target this intune scripting profile to them.
Login to Microsoft Intune- Navigate to Device Configuration – Create the Scripts as below. Ensure the script settings have all the default settings. Target them to the meeting room devices which requires this change.
Copy save them as ps1 and Use the below script on the script settings page.
After the next azure AD sync is completed on the targeted devices we can see the XML file to be successfully deployed on the below location.
Also we can see the overview of assigned and failed devices on the intune script profile. In our case it was successful since it deployed to targeted system without any issue.
Once the Skype room systems gets this XML and usually these systems reboots every night to check for the system updates install them as a maintenance window. During that time this XML will be updated since the device will be rebooted. Once this change has been applied to all the systems the Intune Script profile can be removed since it is a one time configuration change on the systems after the user accounts have the teams enabled.
Option2:
Create storage container in Azure , store the XML file and make intune to pull the xml file from there. Keeping this option is beneficial just in case if we need to modify the XML file frequently for device settings.
With Microsoft PowerBI we can gather more details from the call quality dashboards. As of now Microsoft have released 7 power BI desktop templates to accumulate more details on the Microsoft teams call quality dashboard.
PowerBI being a very potential platform for data gathering and analysis these new templates for Microsoft Teams have been more outstanding in terms of analyzing the Microsoft Teams data.
We will go through the overview of the reports and the configuration on this post.
These are customizable templates which can be used to analyze data. These above are PBIT file formats which can be used from PowerBI desktop which has the data source configured. If we need to open them directly from the powerbi portal they need to be renamed as pbix. If we are importing them from the powerbi desktop the following file MicrosoftCallQuality.pqx needs to be imported to the location [Documents]\Power BI Desktop\Custom Connectors folder.
From Desktop:
The initial requirement is that the PowerBI Desktop version must be installed and the data gateway already configured. The steps from Microsoft can be followed from here
Place the pqx file in below location. The below location will be automatically created once the desktop version is installed.
Set the data source:
Option 1:Use the Microsoft Call Quality (Beta)
In-order to set the data source open Power Bi desktop – Select get data – choose Microsoft Call Quality (Beta)
Once it has been connected we could see the below message as disclaimer since it is on beta roll-out at the time of writing this blog.
Next we will be having the below option which has all the details to build the query.
The moment when we click on load we will be presented with the below screen. Here we need to select the option direct query since we are getting the data directly from the Microsoft call quality dashboards.
Once connected we will have all the options to build our own custom reports by selecting all the required fields from the right , visualizations and filter. This option is very beneficial where we have our office network details uploaded on the call quality dashboard for detailed analysis and building our own custom dashboards. Here we have selected few fields for example and could see they are populated on the dashboard.
Option 2: Import the Teams PowerBI Templates report and publish them from the desktop.
The second option is to import the PowerBI Templates and publish them on the desktop. Inorder to import them navigate to file- import – select power bi template and import all the pbit format files. These templates have to be imported one by one.
Once imported we get all the details as per the template imported. We do further have an option to customize the reports. Click on publish to publish the reports directly to the workspace.
Choose destination the workspace to be published. In our case we have selected Microsoft Teams – CQD and thats the workspace created in PowerBI for Teams CQD.
Once its published we have the dashboards published in the workspace and ready to share.
When clicked on share we have the below options while sharing the report. Users will need powerbi pro license and CQD access role to access this report.
Importing from the PowerBI Web Portal:
Importing them from the web portal is very much easier. We need to click on the datasets – files and select get option since we need to import the downloaded files here to create the new content.
Select files and click on local file and choose the powerbi templates. Here we need to rename all the file formats to pbix since the portal will not recognize the pbit format version.
Once uploaded we can see the dashboards. The template dashboards have lot of information especially with user details breakdown which is very nice. The below example is from CQD Helpdesk Report. Here we have an option to search by users, conference or by date which is very convinient.
Further from the user activities tab it gives us more report as example below. The good thing is that we could see the device information on the end point.
Below example comes from CQD Teams Utilization Report. This gives more info on how the Teams is utilized by users in our organization.Few samples from the templates. The call count summary gives all the information in one view.
We get the location details as well in the over all call quality and gives the data for past 180 days.
User details are very impressive where we can see the app version, drivers and further we have filters on the right to customize the view.
Below example shows day details breakdown with further customization filters and fields to get data based on our requirement. The default report itself has lots of required data which is very great.
The mobile devices all quality also have lot of useful information with overall summary.
We get the mobile devices call quality with rendered devices, call quality trend and number of conference attended from the mobile.
The desktop version is very much convenient to create customization dashboards.Well there are more reports which are handy and available from these default templates which will be definitely useful and in the above examples we have gone through few of them. These reports can be customized easily and shared with less efforts and it gives a very good view with rich data experience.
In the previous post we had a look at how to group multiple azure log analytics queries ,group them and display them in one screen. There are few real challenges in displaying the queries directly from the workbook. Firstly they are not having the capability to auto refresh the live data until we reload the workbook. There is no option to fit the dashboard and customize them as per our requirement. Finally there is no option to set the refresh rate, setting up the local time zone and sharing them to the required persons to view them with read access.
Creating the dashboards is much easier and there are multiple ways to do them. In this post we will have a look at creating one from the workbook.
Inorder to create a workbook navigate to Azure Log Analytics Workspace – Click on WorkBooks – Select the workbook that needs to be created in dashboard.
In below example just for demonstration the default health agent work book is selected. Once selected choose edit and go to pin options
We have the below pinning options
Pin Blade to Dashboard – Pins the entire workbook.
Show pin options has below ranges to choose
Pin Workbook – It again pins the entire workbook as a workbook template
Pin All – Pins all the created queries as dashboard. This is best recommended option
Individual Pin – Individual pin option can be used to choose only selected queries and pin them on the dashboard.
Once its pinned – We can navigate to Azure Dashboards – Navigate to azure portal – Click on Azure Dashboard we can see all the selected queries.
Now we need to align them by just clicking on edit on the dashboard. Here we get lot of options like add, pin , move and resizing the tiles. We have few metrics in the tiles gallery which can be added.
We have options in tile settings.There is option to configure the timespan and choose the time granularity as per our requirement.
Even we have an option to choose the time as per our requirement.
There option to name the dashboard as requested.
Once customized when navigated to full screen it shows the below option in the dashboard. Below is just a sample of dashboard created from the log analytics workspace.
Furthermore we have options to choose the refresh interval rate which refreshes the data from the logs present in the log analytics which is inturn collected from the agents installed in the active systems.
There are also other options like to download the created dashboard in json format. Even upload option is present which accepts json format file.
Sharing option is present where we can share this dashboard to a group of people by targeting them to a read only group. When clicked on share it is private.
After it has been shared we will get the access control options.
Once clicked on managed access we have option to add users in role assignments. There is an option to unpublish the dashboard as well and when done it is made again as private dashboard.
Clone option is also present where we can just clone one existing dashboard and modify the queries on the background.
Creating azure dashboards made admins life simpler in lot many ways in deployment of monitoring solutions for newly installed windows , linux , network devices and even databased through azure log analytics.
Currently there is no option as per this uservoice to delegate the MFA reset action to help desk team via an admin role. As of now only the global admin have the required privileges to perform this action from the azure portal. In this article we had a look into how to reset this option by creating an automation account and integrating with Microsoft Flow. Though this is a good option there is another way where this action can be delegated via ManageEngine AD manager plus.
Most of the organizations have AD Manager plus and its features integrated on their on premise tenant. This can be used to execute office 365 and Azure AD operations in a hybrid environment. In this article we will have a look at the steps to integrate AD manager plus with Azure AD to delegate this action to the help desk team.
Below are the prerequisites :
AD manager plus server must be present in the hybrid domain. Not necessarily a hybrid domain it works well for cloud only accounts as well.
The connectivity to the Azure IPs and URLs are required to connect azure module connect-msolservice
Azure AD modules must be downloaded on the AD manager plus server.
AD delegation must be already assigned to the help desk team with AD management role.
Global admin account is required to specify them as encrypted credentials with key on the AD manager plus server. This global admin account will only be used by the manage engine AD manager server in the backend and not exposed to the helpdesk team.
Implementation Steps:
First we need to create the encrypted credentials and key . Below command can be used.Kindly note that if we try to execute with plain text password it will not work, Since in our case we are doing an invoke session from AD manager plus and hence it works only with key file.
A very important note here is if there is a password policy for the global admin accounts, ensure to regenerate this key by re-running this script once after the new password is changed on the Global admin account.
The above script will also generate MFAActions.log file in the bin folder which will help us to track the MFA actions performed via AD manager by the help desk admins. Even this script must be placed in the bin folder in the AD manager plus server.
Now having done the Azure AD part we need to access Manage Engine AD Manager Plus admin portal and perform the below action:
Go to AD Mgmt – User Modification Templates – Click Create New Template.
Leave all the fields on all the tabs as default – Navigate to Custom Attributes – Select Run Custom Script on successful user modification script command: add the below format to call our script via AD manager plus – PowerShell -File mfa.ps1 %userprincipalname%
Once done click on save template.
Assign this template to the helpdesk team.
Once this above action is completed help desk can reset via below method –
AD mgmt – Modify Single user – Search for affected user – Modify user – Change template – Choose MFA reset template – then click on update user.
Now the MFA value will be cleared for the requested user.
We can also check the status from Azure AD connected Powershell
The value should return null for a user where the MFA reset is successful.
This action will help in achieving the delegation of MFA reset via manage engine. Helpdesk admins can for perform the MFA reset through the manage engine delegated help desk portal by selecting the assigned template and can perform this action.
