Category Archives: Office 365

Script to generate office 365 groups created on last 30 days

By default it is enabled for users to create the office365 groups. There are few organizations where they do not need to restrict this group creation because these groups are heavily influenced on utilizing the office365 services Sharepoint,Yammer, Microsoft Teams, PowerBI , Outlook, Planner and Road Map which in turn might decline the office 365 user adoption rate.

The below script can be used to run in task scheduler on a monthly basis for reviewing the Office 365 groups which have been created in last 30 days and will email us the report.

Below is the sample output of the script which will provide us the below details.


########################################################################################################################
# Description   :- Powershell Script To extract office365 groups created less than 30 days time and send them in email
# Author        :- Sathish Veerapandian
# Created       :- 15-Jul-2019
# Updated       :- 15-Oct-2019
# Version       :- 0.2
# Notes         :- 
#########################################################################################################################

$Header = @"

TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}
TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #6495ED;}
TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black;}

"@

# Load MFA Module
$MFAExchangeModule = ((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse).FullName | Select-Object -Last 1)
. "$MFAExchangeModule"

# Initiate Session
Connect-EXOPSSession -UserPrincipalname mentionadminid@domain.com

# Get Office365 Groups
Get-UnifiedGroup -ResultSize unlimited | select DisplayName,PrimarySMtpAddress,WhenCreated,ManagedBy,RecipientTypeDetails,AccessType | Export-Csv C:\Scripts\365groups.csv -NoTypeInformation

# Define the date variable for Cutoffdate less than 31 days
$CutoffDate = get-date -date $(get-date).adddays(-31) -format "M/dd/yyyy h:mm:ss tt"

# Get the office365 groups created lesser than 31 days
$Data = Import-CSV "C:\Workspace\Messaging\Output\365groups.csv" | Where-Object {$_.WhenCreated -as [datetime] -gt $CutoffDate}


# Export the office365 groups  created lesser than 31 days in csv file
$data | ConvertTo-Html -Head $Header | Out-File -FilePath C:\Scripts\365.html


# Send the exported csv email to the helpdesk team for evaluation
Send-MailMessage -From senderemailID -To recipientemailid -Attachments "C:\Scripts\365.html" -BodyAsHtml -SmtpServer mentionsmtpserver -Subject Office365GroupStatus 

Thanks

Sathish Veerapandian

Configure Exchange Online to reject emails that fail DMARC validation with organizations having policy of reject

By default Office 365 DMARC validation for internet emails that fails for policy P=Reject will make the email to land in junk folder of the recipient mailbox.Microsoft 365 will treat DMARC policies of quarantine and reject in the same way, which means that if the sender’s DMARC policy is set to reject or quarantine, the emails that fail DMARC will be sent to the junk folder of the recipient mailbox.

Microsoft believes that the main agenda of doing this is to ensure that any legitimate emails which misses in DMARC alignment shouldn’t be lost and its better to get them delivered to recipient junk mail folder. There are few cases wherein few organizations would still need the DMARC policy to be stringent due to their security regulations.

Microsoft validates DMARC and overrides the failure with a header value for a domain whose DMARC TXT record has a policy of p=reject oreject. Instead of deleting or rejecting the message, Office 365 marks the message as spam.

To test it further we are publishing SPF, DKIM and DMARC record for the domain ezcloudinfo.com as below:

SPF record: Adding only Exchange online as authorized sender.

DKIM Record: Having the Signing key only for office 365

DMARC Record: Having strict policy of P=reject

For a successful email from a legitimate sender where it has passed spf, dkim & dmarc we see the below value for DMARC.

dmarc=pass action=none

Now we are triggering an email from a registered mailchimp account for ezcloudinfo.com where we do not have the SPF and DKIM records added in our DNS records.

The email from mailchimp from sender address sathish@ezcloudinfo.com gets landed in junk email.

We can see the header value of above email and the DMARC validation is failed.

WorkAround:

We received a workaround which can be accomplished to reject the emails that fails with DMARC validation from redsift cyber security analysis .

Create a Transport Rule:

Include the below value oreject or action=oreject or dmarc=fail in the message header include option.

Reject the message with the custom status code.

Now if we send a test email after this transport rule from an unauthorized sender the email will be rejected and could see the below NDR message.

So after this transport rule any spoof emails that are coming from a domain that is DMARC protected will not be delivered to the spam folder. They will all be rejected and never reach the recipient.

Thanks & Regards

Sathish Veerapandian

Readiness and steps to Configure Direct Routing in Microsoft Teams

Earlier to enable enterprise voice with calling plan on skype for business online we would need to install cloud connector locally on a virtual machines as a separate appliance which requires complex configuration for integrating with the certified session border controllers.

Now Microsoft have made it easier to configure them with direct routing where we do not need to deploy the cloud connector agent locally in the on-premise systems.

When paired with Microsoft Calling plans or direct routing with local ISP calling plan, they provide a full enterprise experience for office 365 users in Teams on a global scale. With Direct Routing we can Connect Existing Telephony Infrastructure to MS teams with the help of  local session border controllers. A SIP connection is created between the cloud call controllers and our local session border controllers.

In this article we will look at the options , readiness and steps  to Enable users for Direct Routing from the Microsoft office 365 perspective.

Readiness for Direct Routing:

Decide on Session Border Controller (Self or hosted SBC):

Session border controller connects Teams call to PSTN next hop or to the configured sip trunk with the local ISP. Here we have two options either to have own session border controllers on premise or to have this functionality hosted to a managed service provider who will host the session border controller for your organization to perform the SIP proxy and the PSTN routing for Microsoft Teams.

Make sure to select the supported session border controllers by Microsoft to configure direct routing in Microsoft Teams.

Figure out licenses based on deployment: Decide on media bypass Configuration

We need to figure out licenses on Microsoft office 365 to utilize the full enterprise functionality of Microsoft Teams.

Option1: Full Microsoft License

In this case no direct routing is required unless there is coexistence required with existing telephony system because we will be having the full calling plan with Microsoft and will utilize the Microsoft call controller, PSTN, Media controllers and Media processor.

Below Licenses are required:

  1. Enable Microsoft Teams.
  2. Office 365 Phone System License
  3. Skype for business online plan2  License
  4. Audio Conferencing
  5. Microsoft Calling plan (Available in selected regions as of now)

The first 4 licenses are available by default in office365 E5 License. For other license types separate SKus needs to be procured along with the calling plan available in the region

Below is the call flow for all in the cloud for Teams:

Option 2 : Full Teams feature plus Local Telcom Calling plan

This option requires to perform direct routing with Microsoft Teams SIP proxy  services to create the SIP trunk between Microsoft Teams in the cloud and local session border controllers to utilize the calling plan from local PSTN provider.

Below Licenses are required:

  1. Microsoft Teams
  2. Phone System
  3. Skype for business online plan2 
  4. Audio Conferencing
  5. Local SIP calling plan with your telecom provider

Phone System with own carrier via Direct Routing:

SBC readiness:

Decide on SBC Host Name:

Microsoft communicates to session border controllers only via FQDN. We need to decide on a hostname for Session border controller which will be public available to configure direct routing. In our case we will be having voicegw.ezcloudinfo.com

Configure the certificate:

The SBC must be configured with a certificate from public certificate authority with the decided host name. We could also use wild card and SAN certs but the CSR needs to be generated from the certified SBC.

Firewall:

Below source and destination ports needs to be opened for communication between Microsoft PSTN hub FQDNs and the session border controllers.

Above Necessary source and destination ports needs to be opened in Firewall for the SIP Signaling, SIP Proxy ,Media Processing and Media Bypass to happen for the STUN, TURN , ICE connectivity and for successful Teams audio/video call .

Direct Routing configuration in Microsoft Teams:

Ensure that the users are fully transformed to Teams Only Mode.

Pair the SBC to the Direct Routing Service of Phone System:

Connect to Skype for Business Online admin center using PowerShell

Verify the online PSTN gateways.

Get-Command *onlinePSTNGateway*

Now add the new online PSTN gateway to add our SBC in the list.

New-CsOnlinePSTNGateway -Fqdn voicegw.ezcloudinfo.com -SipSignallingPort 5067 -MaxConcurrentSessions 50 -Enabled $true

Check the added SBC configuration.

Get-CsOnlinePSTNGateway -Identity sbc.contoso.com

Configure the phone number and enable enterprise voice.

Set-CsUser -Identity “Will Smith” -OnPremLineURI tel:+97155368846 -EnterpriseVoiceEnabled $true -HostedVoiceMail $False

Create the Voice Route to go via SBC.

New-CsOnlineVoiceRoute -Identity “UAE” -NumberPattern “^\+9(71|206)(\d{7})$” -OnlinePstnGatewayList voicegw.ezcloudinfo.com -Priority 1 -OnlinePstnUsages “UAE and India”

IMP Notes:

  1. Flow differs for external and internal media bypass.
  2. Internal media bypass – Flows within the network teams and SBC and traffic is routed to local PSTN provider.
  3. External Media bypass – Flows users will try to connect via certified SBC if now will take the SIP Proxy Route.
  4. Office 365 network is enhanced for teams traffic.
  5. Call Queues and Auto attendant configuration needs to be verified and configured according to the current setup.

Thanks & Regards

Sathish Veerapandian

Script to offboard resigned employee in a hybrid environment

The below script can be used in off-boarding below tasks for a resigned employees as a bulk operation.

This script will help in below actions for Exchange online and AD tasks to be removed in a Exchange hybrid environment:

  1. Convert exchange online mailbox to shared Mailbox.
  2. Disable the Mailbox protocols – OWA,ActiveSync, POP, IMAP, MAPI & OWA for devices.
  3. Hide the user from GAL.
  4. Remove the user from respective licenses E3,E5,EMS E3 & EMS E5 Licenses.
  5. Cancel all the calendar future meetings.
  6. Remove the user account from all groups.
  7. Set the account expiry of the AD account.
  8. Remove the IP Phone Attribute.
  9. Remove the manager field.
  10. Set out of office.

Prerequisites:

1.Run this from a management server where it has Exchange, Active Directory, MSonline and exchange online MFA PowerShell modules installed on it.

2.This will run from MFA enabled Admin accounts from windows powershell,connect to exchange online and msonline. Make sure to run this script from an elevated windows powershell mode.

3.Change the csv file location to your location
Connect-EXOPSSession -UserPrincipalname adminid@domain.com – Change the admin userprincipalname to your admin id.
Export-csv “c:\ops\Output\disabledusers.csv” – mention the location of the csv file

4. Create a CSV file which has only the userprincipalname of the resigned employees.

5. Change the OOF message details with the required information.


$MFAExchangeModule = ((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse).FullName | Select-Object -Last 1)
. "$MFAExchangeModule"
$cred= Get-Credential
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
Import-Module activedirectory
Connect-MsolService -Credential $cred
Connect-EXOPSSession -UserPrincipalname adminid@domain.com
$E3 = "tenantname:ENTERPRISEPREMIUM"
$E5 = "tenantname:ENTERPRISEPACK"
$EMSE3 = "tenantname:EMSPREMIUM"
$EMSE5= "tenantname:EMS"
Import-csv  "mention the CSV path location" | foreach {
$UPN = $_.userPrincipalName
#Convert to shared mailbox
Set-Mailbox $UPN -Type “Shared” 
#Disable the Mailbox protocols
Set-CASMailbox  -identity $upn -OWAEnabled:$false -ImapEnabled:$false -MAPIEnabled:$false -PopEnabled:$false -ActiveSyncEnabled:$false -OWAforDevicesEnabled:$false -Confirm:$false -verbose
#Cancel all the future meetings
Remove-Calendarevents -identity $UPN.userprincipalname -CancelOrganizedMeetings -Confirm:$False 
#Remove the license
$msolupn= Get-Msoluser -Userprincipalname $UPN | select Objectid,Userprincipalname,Licenses 
Set-MsolUserLicense -UserPrincipalName $UPN.UserPrincipalName -RemoveLicenses $E3 -ErrorAction SilentlyContinue
Set-MsolUserLicense -UserPrincipalName $UPN.UserPrincipalName -RemoveLicenses $E5 -ErrorAction SilentlyContinue
Set-MsolUserLicense -UserPrincipalName $UPN.UserPrincipalName -RemoveLicenses $EMSE3 -ErrorAction SilentlyContinue
Set-MsolUserLicense -UserPrincipalName $UPN.UserPrincipalName -RemoveLicenses $EMSE5 -ErrorAction SilentlyContinue
#Hide from GAL
Set-RemoteMailbox  -identity $upn -HiddenFromAddressListsEnabled:$True
#Set the OOF
Set-MailboxAutoReplyConfiguration -Identity $UPN -AutoReplyState Enabled -ExternalMessage "“Please note that i no longer work for ezcloudinfo anymore.Kindly contact HR department via hr@ezcloudinfo.com for further communication.“"    
#Remove from Distribution Lists
Get-ADUser -Identity $UPN -Properties MemberOf | ForEach-Object {
  $_.MemberOf | Remove-ADGroupMember -Members $_.DistinguishedName -Confirm:$false
#Remove the manager field
Set-Aduser -Identity $UPN -Manager $null
#Remove IP Phone attribute
Set-ADuser -Identity $UPN -Clear ipPhone
#Set the Account Expiry
Set-ADAccountExpiration -Identity $UPN -TimeSpan 0.0:30
Write-Host The Users have been offboarded successfully -ForegroundColor Green
Get-Mailbox $UPN | select-Object name,recipienttypedetails | Export-csv "c:\ops\Output\disabledusers.csv"  -NoTypeInformation -Force -Append
}
}

Thanks & Regards

Sathish Veerapandian

Microsoft Teams – Side load 3rd party & custom built apps in Microsoft Teams pane

With all the more new improvements in Microsoft Teams,we have more alternatives to modify the end user client choices from the application perspective to get access to the most frequently used applications from Microsoft Teams.

The Custom built in-house applications can be effectively side-stacked in Microsoft Teams which makes the end users to adequately use these applications.

To start utilizing these options login to Office 365 admin portal and verify if the teams side loading options are migrated to Teams admin portal.

Once logged in navigate to settings – services & addins – search for Microsoft Teams – And see if external apps in turned on.

In below case in this tenant these configurations have been migrated to Microsoft Teams admin portal and hence these settings are greyed out. This will be the case for almost every office 365 tenants.

Now we have got app permission policies in Microsoft Teams.

App permissions policies control what applications we need to make accessible to Teams clients in our organization. Now we have got the better flexibility to customize the default policy or create custom policy and assign to only targeted users. The better option is to create a custom policy and assign them to targeted users.

Login to Microsoft Teams Admin portal – Select Teams Apps – and choose permission polices – Click Permission policies – Click Add

Here we have the flexibility to control Microsoft Apps, Third party Apps and Self developed custom inbuilt tenant apps which are published in Microsoft Teams as an App Package.

Once the required applications are selected the created application is ready to be assigned to individual users.

We can create app setup policies which decides the way we want to display the prepinned apps in Microsoft Teams pane.

To create custom one navigate to setup policies and click on Add

We do have further customization of the default apps or remove them and add more custom applications.

In the policy there is option to select the appropriate app permission policies which makes the default policy not affected and apply only for targeted users.

Assigning the App Permission policies and Setup Policies to end users.

Having the policy created now it is easier to assign the custom policy to targeted users.

Navigate to users tab – select policies tab – Now we have option to assign custom app permission and app setup policy.

End user Experience –

Once the policy is assigned we have the custom apps side-loaded in Microsoft Teams.

With these above options Application arrangement strategies can be improved and modified dependent on the business prerequisites, integrated with Microsoft Teams and rolled out to the end users.

Thanks & Regards

Sathish Veerapandian

SharePoint Online – Enable External collaboration through B2B extranet Sites

On every business operations its crucial to sanction external partners,vendors to collaborate on their quotidian operations. Withal there are cases wherein only business to business collaboration like sharing between two organization is required and remains a vital factor to their business.

To felicitate a classical external collaboration site it was always bit challenging for administrators from SharePoint on premise workloads. Extensive orchestrating is required in terms of provisioning hardware or VM resource, security hardening and getting the access on the firewalls etc..,

With Office 365 B2B there are much more easier ways to roll out this feature to business with no additional server provisioning, no certificate requirement and simple administration. This magnificently reduces the traditional deployment costs. By default we get secure sharing, seamless collaboration and we have much detailed governance and audit reporting.

This article contours the steps involved in planning for an external business sharing in SharePoint online.

Configure External Authentication for Guest Users:

As an initial prerequisite we need to plan for the authentication and management through Azure AD for all the guest users.

At this moment we have the authentication via one-time pass code which will be sent to their email address for the non Microsoft accounts.Enabling one-time passcode feature can be used when external sharing of files,folders,document libraries and sites is done. Currently the one-time passcode is under preview and subsequently will replace the AD-Hoc sharing from onedrive and sharepoint in office 365.

Below are the major key points of enabling the azure B2B:

  1. MFA can be enabled for the B2B Invited Guest Users.
  2. If we have configured Google federation in our Azure AD tenant then the federated users can consume the permissible SharePoint and one drive resources shared with them.
  3. Much granular level of sharing options are present and subject to organization settings.

Follow the below steps to enable the pass code authentication:

login to azure portal – navigate to azure active directory – choose organizational relationship settings – Enable the option Enable Email one-Time Pass code for guests.

There are few other options on controlling the guest users permissions and can be added based on the requirement.

Now we have the one time pass code enabled we would need to enable the integration for SharePoint and one-drive with azure AD to enable this service on these workloads with the below two commands.

Set-SPOTenant -EnableAzureADB2BIntegration $true

Set-SPOTenant -SyncAadB2BManagementPolicy $true

Ensure that the below configuration is set

Having the authentication part configured now we would need to create an extranet site in few clicks.

1) Create an external business-sharing site in SharePoint Online (This site can be used for sharing between the Tenants)

On the Active sites page of the new SharePoint admin center, select Create – – select Other options —

Select More templates

Choose Team site (classic experience).

Here we need to provide a title and name for the site that we are creating.

There are few other options like timezone, admin, storage quota and server resource quota which can be configured based on our requirement.

Now the sharing capability needs to be enabled and there are 2 places where it can be controlled organizational level and site level.

The first step is to enable them at the organizational level

Login to office 365 portal – search for external

Choose the option new and existing guests

There are few other options which can be controlled from the SharePoint admin center

We can further restrict the site collaboration only to few selected domains.

The guest permissions must also be selected based on our business requirement .

Choose the first option which is applicable for the invited guest users. There are other options to limit the sharing option to least permissible users via targeting them to a security group.

Finally navigate to the sites and here we have option to further control the site permissions.

Here we have the option to share new and existing guests.

Now we have configured the org level settings we can test this behavior from site admin side

Navigate to the site with site admin privilege and create a folder with sharing partner.

While sharing a document to the external partner we will be notified with the message info as we see below.

The guest user will receive the invitation email with a link to access the folder.

They need to Enter their Microsoft credentials (the credentials for the account that the invitation was sent to). And User will be challenged for Verification code which will be sent to their email account.

This cool feature helps the admin to accomplish the business requirement with ease of operation , no additional resource cost and providing them with much controlled and tracking them through auditing and reporting of external users.

Office 365- Configure one drive for business file retention policy

Its always better to configure retention for office 365 work loads in order to ensure that the data is available as per the company legal requirements. Usually we pay more attention to Email data and retention policies are applied to all mailboxes, however we might miss out to configure the retention on other work loads.

In this article we will be focusing on the options available to retain the data in one drive for business personal files of an office 365 users.

Essentially we see there are 2 level retention policies available for one drive for business. We will be looking at how to configure them and grant the permission for a delegated assignee when required to access the retained data for a terminated employee.

User Level Retention:

To illustrate if a user resigns ,we remove the license and delete synchronized AD account.If we need to keep the deleted users one drive personal site to stay around for 5 years then we can configure the retention setting on the one drive admin center.

The maximum retention value is 10 years and in below example we are setting them to 2 years from the one drive admin center.

There is a small admonition on applying only this retention policy to the users because this policy is applicable only when the synchronized users are deleted and licenses removed. There could be more odds that a resigned employee can delete the required confidential data before leaving the organization from original location and 2 stages recycle bin.

File Level Retention:

To alleviate the above demeanor we can configure a new retention policy from the security and compliance center only for one drive for business files. As of now we have option to create retention policy based on newly created files and last modified date and time.

Navigate to –
security and compliance -> data governance -> retention ->create new policy -> 

Create retention policy by selecting – When it was created.

When selected we are deciding on a course of action to retain all the newly created files for 5 years. Upon this setting the new files can be preserved up to 10 years.

In the location we choose only one drive because in our case we are targeting only one drive file level retention.

Review and create the policy.

Same as above create a file level retention based on file modification date.

Once the above policy is created files based on created date and modified date will be retained for 5 years.

Where do these files gets stored ?

Based on the above configuration the files that have been modified/newly created will be preserved for 5 years.
During this interval if any attempt of file deletion that comes on above scope will be deleted however a copy of these files will be stored in the preservation hold library which only the admin of the folders and admins can access. After 5 years these files will be permanently purged.

The preservation hold library can be accessed by navigating to the below URL

https://domainname-my.sharepoint.com/personal/username_domain_com/_layouts/15/viewlsts.aspx

Once accessed above url we will get access to preservation hold library

Below options we have for recovery on choosing a required file

By merest chance if the admin tries to delete these files from the Preservation Hold Library it wouldn’t be successful and will throw the below error.

We also need to make a note that all the files which are deleted and getting retained in Preservation hold library will consume the end user one drive quota which we need to think of only for E1 licensed users who have maxed out of their quota.

Transferring ownership of a old resigned employee:

If we need to Transfer access to different user who resigned long back and his files are retained as per retention policy.
There are multiple ways of doing this, however on the below example shows only how to perform this via power-shell.

Connect to SPO

Connect-SPOService -Url https://tenantname.sharepoint.com


Restore Deleted Personal Site of the Resigned user

 Restore-SPODeletedSite -Identity https://tenantname-my.sharepoint.com/personal/username_domain_com 

Restore Site to requested user by mentioning his login name

 Set-SPOUser -Site https://tenantname my.sharepoint.com/personal/username_domain_com  -LoginName username@domain.com -IsSiteCollectionAdmin $True 

Thanks & Regards

Sathish Veerapandian

%d bloggers like this: