With the recent improvements in Microsoft Teams, we have more options to customize the end-user client from the application side, so that users can reach the applications they use most often directly from Teams.
Custom in-house applications can be side-loaded into Microsoft Teams, which lets end users work with them without leaving the client.
To start using these options, log in to the Office 365 admin portal and check whether the Teams side-loading settings have already been migrated to the Teams admin center.
Once logged in, navigate to Settings – Services & add-ins – search for Microsoft Teams – and check whether external apps are turned on.
In the tenant below these settings have been migrated to the Microsoft Teams admin center and are therefore greyed out. This is now the case for almost every Office 365 tenant.
Now we have app permission policies in Microsoft Teams.
App permission policies control which applications are available to Teams clients in our organization. We can either customize the default (global) policy or create a custom policy and assign it only to targeted users. The better option is to create a custom policy and assign it to targeted users, so the global policy stays untouched.
Log in to the Microsoft Teams admin center – select Teams apps – Permission policies – click Add.
Here we control three categories separately: Microsoft apps, third-party apps, and custom tenant apps that were developed in-house and published to Microsoft Teams as an app package.
Once the required applications are selected, the policy is ready to be assigned to individual users.
We can also create app setup policies, which decide how pre-pinned apps are displayed in the Teams app bar.
To create a custom one, navigate to Setup policies and click Add.
We can further customize the default pinned apps, remove them, or add more custom applications.
Because this is a separate policy, the default setup policy is not affected and the pinned apps apply only to the targeted users.
Assigning the app permission and app setup policies to end users:
Having created the policies, it is now easy to assign the custom policies to targeted users.
Navigate to Users – select the user – Policies tab – here we have the option to assign the custom app permission policy and app setup policy.
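Assigning the policies one user at a time in the portal does not scale to a department. The block below is an added example, not code from the original post, that assigns a custom app permission policy and app setup policy to a list of targeted users in bulk and then verifies the result. It assumes the MicrosoftTeams PowerShell module with the Teams policy cmdlets; the policy names and the CSV file are hypothetical.

```powershell
# Added example, not code from the original post: bulk-assign a custom Teams app
# permission policy and app setup policy to targeted users, then verify.
# Assumes the MicrosoftTeams module (or the Skype for Business Online connector)
# exposes the Cs* Teams policy cmdlets. Policy names and CSV are hypothetical.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$permissionPolicy = 'LOB-Apps-Permission'
$setupPolicy      = 'LOB-Apps-Pinned'

# Fail early if either policy name does not exist, instead of finding out halfway
# through the user list. Custom policies are listed with a 'Tag:' prefix (assumption).
$havePerm  = Get-CsTeamsAppPermissionPolicy | Where-Object { $_.Identity -eq "Tag:$permissionPolicy" }
$haveSetup = Get-CsTeamsAppSetupPolicy      | Where-Object { $_.Identity -eq "Tag:$setupPolicy" }
if (-not $havePerm)  { throw "App permission policy '$permissionPolicy' does not exist" }
if (-not $haveSetup) { throw "App setup policy '$setupPolicy' does not exist" }

# Constructed input for this example: one column, UserPrincipalName
$targets = Import-Csv .\targeted-users.csv

foreach ($t in $targets) {
    $upn = $t.UserPrincipalName
    Grant-CsTeamsAppPermissionPolicy -Identity $upn -PolicyName $permissionPolicy
    Grant-CsTeamsAppSetupPolicy      -Identity $upn -PolicyName $setupPolicy
}

# Verify: only these users carry the custom policies; the global policy stays untouched
$targets | ForEach-Object {
    Get-CsOnlineUser -Identity $_.UserPrincipalName |
        Select-Object UserPrincipalName, TeamsAppPermissionPolicy, TeamsAppSetupPolicy
}
```

Run the verification loop again after a few minutes if the portal still shows the global policy; policy assignment propagates asynchronously.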
End user experience:
Once the policy is assigned, the custom apps appear side-loaded in Microsoft Teams.
With the options above, the app layout in Teams can be tailored to business requirements, integrated with Microsoft Teams and rolled out to end users.
For almost every business it is essential to let external partners and vendors collaborate on day-to-day operations. There are also cases where only business-to-business collaboration, such as sharing between two organizations, is required, and it remains a vital part of the business.
Building a classic external collaboration site from SharePoint on-premises workloads was always a bit challenging for administrators. It required extensive planning: provisioning hardware or VM resources, security hardening, opening access on the firewalls and so on.
With Office 365 B2B there is a much easier way to roll out this capability, with no additional server provisioning, no certificate requirement and simple administration. This greatly reduces the traditional deployment cost. By default we get secure sharing, seamless collaboration, and detailed governance and audit reporting.
This article outlines the steps involved in planning for external business sharing in SharePoint Online.
Configure external authentication for guest users:
As an initial prerequisite we need to plan for authentication and management of all guest users through Azure AD.
At the moment, guests without a Microsoft account can authenticate with a one-time passcode sent to their email address. The one-time passcode is used when files, folders, document libraries and sites are shared externally. It is currently in preview and will eventually replace ad-hoc sharing from OneDrive and SharePoint in Office 365.
Key points of enabling Azure B2B:
MFA can be enforced for invited B2B guest users.
If Google federation is configured in the Azure AD tenant, federated Google users can consume the SharePoint and OneDrive resources shared with them.
Much more granular sharing options are available, subject to the organization settings.
Follow the steps below to enable passcode authentication:
Log in to the Azure portal – navigate to Azure Active Directory – Organizational relationships – Settings – enable the option "Enable Email One-Time Passcode for guests".
There are a few other options for controlling guest user permissions that can be set based on requirements.
Now that the one-time passcode is enabled, we need to turn on the SharePoint and OneDrive integration with Azure AD B2B so that these workloads use it, with the two commands below (SharePoint Online Management Shell):
Set-SPOTenant -EnableAzureADB2BIntegration $true
Set-SPOTenant -SyncAadB2BManagementPolicy $true
Ensure that the configuration below is set.
With authentication configured, we can now create an extranet site in a few clicks.
1) Create an external business-sharing site in SharePoint Online (this site can be used for sharing between the tenants).
On the Active sites page of the new SharePoint admin center, select Create – Other options –
Select More templates.
Choose Team site (classic experience).
Provide a title and a URL name for the site we are creating.
A few other options such as time zone, administrator, storage quota and server resource quota can be set based on requirements.
Next, sharing needs to be enabled. It is controlled at two places: the organization level and the site level.
The first step is to enable it at the organization level:
Log in to the Office 365 portal – search for "external".
Choose the option "New and existing guests".
A few other options can be controlled from the SharePoint admin center.
We can further restrict site collaboration to a few selected domains.
The guest permissions must also be chosen based on business requirements.
Choose the first option, which applies to invited guest users. There are further options to limit sharing to the least set of users by targeting a security group.
Finally navigate to Sites; here we have the option to further control sharing at the site level.
Set the site to share with new and existing guests.
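The portal steps above (B2B integration, site creation, tenant-level and site-level sharing) can be done and, more importantly, verified from the SharePoint Online Management Shell. The block below is an added example, not code from the original post; the tenant name, site URL, owner, time zone and partner domain are hypothetical.

```powershell
# Added example, not code from the original post: enable Azure AD B2B integration
# for SharePoint Online and OneDrive, verify it, create the classic extranet site,
# and set sharing at tenant and site level. Tenant, site, owner and partner domain
# are hypothetical.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://exchangequery-admin.sharepoint.com

# 1. B2B integration: guests are created and managed in Azure AD
Set-SPOTenant -EnableAzureADB2BIntegration $true
Set-SPOTenant -SyncAadB2BManagementPolicy $true

$tenant = Get-SPOTenant
if (-not ($tenant.EnableAzureADB2BIntegration -and $tenant.SyncAadB2BManagementPolicy)) {
    throw 'Azure AD B2B integration is not enabled on the tenant'
}

# 2. Classic team site (STS#0) used as the extranet; TimeZoneId 13 = Pacific, adjust as needed
$siteUrl = 'https://exchangequery.sharepoint.com/sites/partner-extranet'
New-SPOSite -Url $siteUrl -Owner 'admin@exchangequery.com' -Title 'Partner Extranet' `
            -Template 'STS#0' -StorageQuota 1024 -TimeZoneId 13

# 3. Organization level: new and existing guests, restricted to an allow-listed partner
#    domain, direct links by default, and the accepting account must match the invitee
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example' `
              -DefaultSharingLinkType Direct `
              -RequireAcceptingAccountMatchInvitedAccount $true

# 4. Site level can never be more permissive than the tenant; open only the extranet site
Set-SPOSite -Identity $siteUrl -SharingCapability ExternalUserSharingOnly

# Check: list every site that allows any external sharing, so nothing else is open by accident
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability
```

The final listing is the check worth keeping in a scheduled job: the tenant setting is the ceiling, but individual sites can still be opened by site admins up to that ceiling, and the report shows exactly which ones are.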
With the org-level settings configured, we can test the behavior from the site admin side.
Navigate to the site with site admin privileges, create a folder and share it with the partner.
While sharing a document with the external partner we are notified with the message shown below.
The guest user receives the invitation email with a link to access the folder.
They need to enter the credentials of the account that the invitation was sent to, and the user is then challenged for a verification code sent to their email account.
This feature lets the admin meet the business requirement with ease of operation, no additional resource cost, much tighter control, and tracking of external users through auditing and reporting.
It is always better to configure retention for Office 365 workloads to ensure that data stays available as long as the company's legal requirements demand. Usually we pay more attention to email data and apply retention policies to all mailboxes, but we might miss configuring retention on other workloads.
In this article we focus on the options available to retain the OneDrive for Business personal files of an Office 365 user.
Essentially there are two levels of retention available for OneDrive for Business. We will look at how to configure them and how to grant a delegated assignee access to the retained data of a terminated employee when required.
User-level retention:
To illustrate: when a user resigns we remove the license and delete the synchronized AD account. If we need the deleted user's OneDrive personal site to stay around for 5 years, we can configure the retention setting in the OneDrive admin center.
The maximum retention value is 10 years; in the example below we set it to 2 years from the OneDrive admin center.
There is a caveat to relying on this retention setting alone: it applies only when the synchronized user is deleted and the license removed. A resigning employee could well delete confidential data from the original location and from both stages of the recycle bin before leaving the organization.
File-level retention:
To mitigate the above behavior we can create a new retention policy from the Security & Compliance Center for OneDrive for Business files only. At the moment we can create a retention policy based on either the creation date or the last-modified date of files.
Navigate to Security & Compliance -> Data governance -> Retention -> Create new policy ->
Create a retention policy based on "when it was created".
With this setting we retain all newly created files for 5 years; the value can be raised up to 10 years.
For the location, choose only OneDrive, because in our case we are targeting OneDrive file-level retention only.
Review and create the policy.
In the same way, create a file-level retention policy based on the modification date.
Once both policies are created, files are retained for 5 years from their creation date or from their last modification date.
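Both retention levels can be scripted, which is useful when the same configuration has to be reproduced in another tenant or reviewed later. The block below is an added example, not code from the original post: it creates the two file-level policies (by creation date and by modification date) from Security & Compliance Center PowerShell and sets the user-level retention period for deleted users' OneDrives with the SharePoint Online Management Shell. Policy names and the tenant name are hypothetical.

```powershell
# Added example, not code from the original post: OneDrive file-level retention
# (two policies, creation date and modification date) via Security & Compliance
# Center PowerShell, plus the user-level retention period for deleted users'
# OneDrives via the SharePoint Online Management Shell. Names are hypothetical.
$cred = Get-Credential
$scc = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ `
        -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $scc -DisableNameChecking

$fiveYears = 5 * 365   # retention cmdlets take days

# File-level, by creation date: keep every file for 5 years after it was created
New-RetentionCompliancePolicy -Name 'OneDrive-Keep-5y-Created' -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule   -Name 'OneDrive-Keep-5y-Created-Rule' -Policy 'OneDrive-Keep-5y-Created' `
    -RetentionDuration $fiveYears -RetentionComplianceAction Keep -ExpirationDateOption CreationAgeInDays

# File-level, by last-modified date
New-RetentionCompliancePolicy -Name 'OneDrive-Keep-5y-Modified' -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule   -Name 'OneDrive-Keep-5y-Modified-Rule' -Policy 'OneDrive-Keep-5y-Modified' `
    -RetentionDuration $fiveYears -RetentionComplianceAction Keep -ExpirationDateOption ModificationAgeInDays

# Verify the policies exist, are enabled, and have finished distributing
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object Name -like 'OneDrive-Keep-5y-*' |
    Select-Object Name, Enabled, DistributionStatus

Remove-PSSession $scc

# User-level: days a deleted user's OneDrive is kept before purge (30 to 3650).
# 730 = the 2 years used in the post's screenshot.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://exchangequery-admin.sharepoint.com
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 730
(Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
```

The action is Keep rather than KeepAndDelete on purpose: the post's goal is to stop a departing employee from destroying evidence, and automatic deletion at the end of the period is a separate decision that legal should sign off on.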
Where do these files get stored?
Based on the above configuration, files that are newly created or modified are preserved for 5 years. During this interval, if a file in scope is deleted, the deletion goes through for the user, but a copy of the file is kept in the Preservation Hold Library, which only the owner of the OneDrive and admins can access. After 5 years these copies are permanently purged.
The Preservation Hold Library can be accessed by navigating to the URL below.
Once the library is opened, the options below are available for recovering a selected file.
If an admin tries to delete these files from the Preservation Hold Library, the deletion fails with the error below.
Note that all deleted files retained in the Preservation Hold Library count against the end user's OneDrive quota, which matters mainly for E1-licensed users who have already maxed out their quota.
Transferring ownership of a long-resigned employee's OneDrive:
If we need to transfer access to another user for an employee who resigned long ago and whose files are retained by the retention policy, there are multiple ways of doing this; the example below shows only how to perform it via PowerShell.
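The block below is an added example, not the post's own script: it derives the former employee's personal site URL, checks that the site still exists, grants a delegate site collection admin rights so they can open the OneDrive (including the Preservation Hold Library), lists who now holds admin rights, and shows how to revoke them afterwards. User names and the tenant are hypothetical.

```powershell
# Added example, not code from the original post: give a delegate access to a
# resigned employee's retained OneDrive via the SharePoint Online Management Shell.
# Tenant, user names and URLs are hypothetical.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://exchangequery-admin.sharepoint.com

$formerUser = 'jdoe@exchangequery.com'
$delegate   = 'manager@exchangequery.com'

# Personal site URLs are derived from the UPN: '.' and '@' become '_'
$oneDriveUrl = 'https://exchangequery-my.sharepoint.com/personal/' + ($formerUser -replace '[.@]', '_')

# Confirm the personal site exists (retention keeps it after the account is deleted)
$site = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -eq '$oneDriveUrl'"
if (-not $site) { throw "No OneDrive found for $formerUser at $oneDriveUrl" }

# Grant the delegate site collection admin on the personal site
Set-SPOUser -Site $oneDriveUrl -LoginName $delegate -IsSiteCollectionAdmin $true

# The delegate can now open $oneDriveUrl/Documents and the library holding retained copies,
# $oneDriveUrl/PreservationHoldLibrary (path assumed for this example)
Get-SPOUser -Site $oneDriveUrl | Where-Object IsSiteAdmin | Select-Object LoginName, IsSiteAdmin

# Least privilege: remove the right once the handover is done
# Set-SPOUser -Site $oneDriveUrl -LoginName $delegate -IsSiteCollectionAdmin $false
```

Because this grant is invisible to the former employee and broad in scope, record who was granted access and why; the Get-SPOUser listing is the evidence to keep with the ticket.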
Microsoft is investing in and focusing on Teams as the collaboration platform, and Skype for Business is being phased out. Every day new features and enhancements arrive in Microsoft Teams. Moreover, Microsoft has provided all the requirements and materials needed for the transition from Skype for Business to Microsoft Teams, which makes it much simpler for any customer to move completely to Teams Only mode.
Looking at the roadmap, the Teams feature set keeps being enhanced and new functionality is added very often. Currently the default configuration of all tenants is Islands mode, which lets users communicate in both Microsoft Teams and Skype for Business. This can create confusion for end users about which platform to use for their daily activities, since they are given two options.
This article focuses on environment readiness before we move completely to Teams Only mode.
Skype for Business interop mode removed:
About 6 months ago we had the Skype for Business interop mode, which let Teams users communicate with Skype for Business users: Teams chats were shown in Skype for Business to users who did not have Teams. This option has been removed and Teams Only mode has been added.
As of now there are 3 options available for all Office 365 tenants.
When we run Get-CsTeamsUpgradePolicy we see additional policies listed.
For the transition, however, only the 3 modes below are feasible for most organizations.
Islands mode:
As the name indicates, this is a warning sign. An island is a temporary place where we can stay for a while, not somewhere to settle for a long period. In this mode the user experience is completely different: there is no interconnection between Skype for Business and Microsoft Teams, and both work as independent systems.
Only the workflow below applies in Islands mode:
Teams communication – Teams communication
Skype communication – Skype communication
Teams Only mode:
In this mode we enforce that all users use only Microsoft Teams. No user will be able to log in to Skype for Business even if the client is installed on their PC from the Office 365 ProPlus package. However, users in Skype for Business Only mode can still reach Teams Only users, and Teams Only users can reply to Skype users. Note that a new chat cannot be initiated from a Teams Only user to an Islands or Skype for Business Only user.
Only the workflow below applies in Teams Only mode:
SfB user sends to Teams user – the message is received in Teams.
Teams user responds to SfB user – the SfB user receives the reply in Skype for Business.
Teams user tries to start a new chat with an SfB user – this will not succeed.
Also note that only limited functionality works between a Teams user and an SfB user in this mode. For instance, an SfB user cannot share their desktop with a user who is on Teams.
Skype for Business Only mode:
Only the Skype for Business client is used, no matter where the IM is initiated.
Note: in all modes, as of now, meetings remain accessible across both platforms.
Be ready for this change, target pilot users first:
Before making this transition it is very important to understand how end users currently use the collaboration platform. For instance, a marketing head might be more comfortable with Skype for Business and never have had a chance to explore Microsoft Teams. There might be a heavy dependency on Enterprise Voice integration with Skype for Business that needs to be considered before making this change. It is always better to choose a few pilot users.
If we are planning the Teams transition, it is better to move users to Teams Only mode gradually, based on their current dependency on Skype for Business: identify a few pilot users in each department and slowly transition them to Teams Only mode.
After identifying capable team leaders in every department, switch them to Teams Only mode first.
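The pilot switch is one Grant-CsTeamsUpgradePolicy call per user, but the two things worth checking around it are the ones the text warns about: skip users who still depend on Enterprise Voice, and confirm the effective mode afterwards. The block below is an added example, not code from the original post, using the Skype for Business Online connector; the CSV file is hypothetical.

```powershell
# Added example, not code from the original post: move a pilot group to Teams Only
# mode and verify the effective mode, using the Skype for Business Online connector.
# Users with Enterprise Voice are skipped because PSTN needs planning first.
# The CSV file is hypothetical.
Import-Module SkypeOnlineConnector
$session = New-CsOnlineSession -Credential (Get-Credential)
Import-PSSession $session -AllowClobber

# The tenant default plus the three modes discussed above
Get-CsTeamsUpgradePolicy |
    Where-Object { $_.Identity -in 'Global', 'Tag:Islands', 'Tag:UpgradeToTeams', 'Tag:SfBOnly' } |
    Select-Object Identity, Mode, NotifySfbUsers

$pilot = Import-Csv .\teams-pilot.csv   # constructed input: one column, UserPrincipalName

foreach ($p in $pilot) {
    $user = Get-CsOnlineUser -Identity $p.UserPrincipalName
    if ($user.EnterpriseVoiceEnabled) {
        Write-Warning "$($user.UserPrincipalName) has Enterprise Voice; plan PSTN before upgrading"
        continue
    }
    # UpgradeToTeams = Teams Only; MigrateMeetingsToTeams converts existing SfB meetings
    Grant-CsTeamsUpgradePolicy -Identity $user.UserPrincipalName -PolicyName UpgradeToTeams `
                               -MigrateMeetingsToTeams $true
}

# Verify: TeamsUpgradeEffectiveMode should read TeamsOnly for every pilot user
$pilot | ForEach-Object {
    Get-CsOnlineUser -Identity $_.UserPrincipalName |
        Select-Object UserPrincipalName, TeamsUpgradePolicy, TeamsUpgradeEffectiveMode
}

Remove-PSSession $session
```

Rolling a user back is the same call with -PolicyName Islands, which is why the effective-mode check belongs in the same script: it tells you what the user actually gets, not just what was granted.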
The actions below need to be verified:
1. Verify that the Skype for Business Online connector module is installed.
7. Push and install the Teams desktop client for the targeted users.
By default Teams is not included in the ProPlus package as of now. Microsoft has recently announced that Teams will be added to the ProPlus package in the future roadmap, as per this article.
Until we get it as a bundle we have the option "Download the Teams app in the background".
This option only downloads the Teams app in the background for users in Teams Only mode.
It does not install the app, so we still need to install it on all user PCs via Group Policy or SCCM. There is an excellent article by Paul Cunningham on pushing it via GPO.
Before making these changes, educate the L1 support team so they can address end-user queries.
We can make use of the Microsoft Teams Customer
If there is any PSTN integration with Skype for Business Online, these factors need to be planned before phasing out Skype for Business Online, until they are transferred completely to Microsoft Teams.
When a user with MFA enabled loses their mobile phone, they cannot log in on new devices, or on old devices where the token lifetime has expired.
Currently the user has to report this to the help desk. Unfortunately only Global Admins can force-reset the user's MFA registration, that is, set the StrongAuthenticationMethods value to null so the lost device is cleared.
There is a workaround that can be used until we get a delegated RBAC role for this action. With an Azure Automation account, a runbook, and a Flow that triggers it, this action can be delegated to help-desk admins, which reduces the load on the Global Admins.
Create a new Automation account from the Azure portal. An Azure subscription is required; 500 minutes of job run time are free every month.
Create the new Flow from the Global Admin account. This step must be performed from the Global Admin account.
Enter the Global Admin credentials in the created Automation account. It is very important that the account used to execute the runbook does not have MFA enabled. That makes it a high-value credential: use a dedicated account for this runbook only and keep the password in the Automation credential asset, never in the script.
Choose Flow button for mobile – Manually trigger a flow – and type UserEmail as the flow input.
Navigate to Triggers – select "Manually trigger a flow".
Type UserEmail as the input – click New step – Add an action.
Click "Choose an action" – select Azure Automation – Create job – provide the required credentials and subscription details.
This part is very important: we need to select UserEmail as the input, as below. This parameter is required for the runbook to execute the operation. After that we can see that the runbook parameter is UserEmail.
Now we can see that the flow is connected to the Azure Automation account.
Navigate to My flows – select the new flow – click Run now.
The flow starts successfully and executes the requested operation of resetting the user's MFA methods to null.
We can also check the job in the Automation account for verification; it shows as successful.
From the Global Admin's Flow login, share this flow with the help-desk admins as run-only users.
The actual operation is executed by the Global Admin account, while the help-desk team only triggers it through the run-only permission assigned to them on the flow.
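The runbook that the Flow's "Create job" action calls is the part that actually holds Global Admin rights, so it deserves more care than a one-liner. The block below is an added example, not the post's own runbook: it takes the UserEmail parameter the Flow passes, reads the stored credential from the Automation account's credential asset, refuses to act on anything other than a plain user in the expected domain or on a member of an admin role, and then clears the registered MFA methods with the MSOnline module. The credential asset name and the domain are hypothetical.

```powershell
# Added example, not code from the original post: Azure Automation runbook invoked
# by the Flow with the UserEmail parameter. Reads the Global Admin credential from
# the Automation credential asset ('O365-GlobalAdmin', hypothetical) and clears the
# user's registered MFA methods. Domain check is hypothetical too.
param(
    [Parameter(Mandatory = $true)]
    [string] $UserEmail
)

# Input guard: the job runs as Global Admin, so accept only a plain UPN in our domain
if ($UserEmail -notmatch '^[^@\s]+@exchangequery\.com$') {
    throw "Refusing to act on '$UserEmail': not a user principal name in the expected domain"
}

$cred = Get-AutomationPSCredential -Name 'O365-GlobalAdmin'
Import-Module MSOnline
Connect-MsolService -Credential $cred

$user = Get-MsolUser -UserPrincipalName $UserEmail -ErrorAction Stop

# Do not let the help desk strip MFA from privileged accounts through this path
$adminRoles = Get-MsolRole | Where-Object { $_.Name -match 'Administrator' }
foreach ($role in $adminRoles) {
    $member = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
              Where-Object { $_.EmailAddress -eq $UserEmail }
    if ($member) { throw "Refusing to reset MFA for $UserEmail: member of role '$($role.Name)'" }
}

$before = ($user.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
Write-Output "Before: $UserEmail methods = [$before]"

# An empty methods collection clears the lost device and forces re-registration at next sign-in
Set-MsolUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @()

$after = (Get-MsolUser -UserPrincipalName $UserEmail).StrongAuthenticationMethods.Count
Write-Output "After: $UserEmail has $after registered methods"
```

The two refusals matter because the Flow is shared run-only with the help desk: without them, anyone who can press the button can reset MFA on a Global Admin, which would turn a convenience into a privilege-escalation path.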
We can enable self-service application access for end users. If an organization uses Office 365 applications and the user is licensed for them, those applications appear on the user's Access Panel. Microsoft and third-party applications configured with federation-based SSO can also be added to the access panel.
We can create multiple groups, for example HR and Marketing, and publish the required apps to them, both internal corporate apps and social media apps.
To log on to the access panel we must be authenticated with an organizational account in Azure AD, either directly against Azure AD or via federated authentication.
For organizations that have deployed Office 365, applications assigned to users through Azure AD also appear in the Office 365 portal.
The Azure access panel is a web-based portal that provides users with the following features:
1) View and launch cloud apps. 2) Configure self-service password reset. 3) Self-manage groups. 4) See account details. 5) Modify MFA settings.
IT admins benefit and reduce first-level calls by enabling the following: 1) A simple portal for users. 2) Launch cloud-based and federated on-premises apps. 3) Links to URLs. 4) Control access to corporate applications. 5) Restrict access by user group, device and location.
Navigate to the Azure portal – Azure AD – Enterprise applications – All applications.
Select the application to add, in this case LinkedIn, and click Self-service.
The options available at the moment are:
"Allow users to request access to this application" – when enabled, end users can view and request access to this application.
"To which group should assigned users be added?"
"Require approval before granting access to this application"
"Who is allowed to approve access to this application?"
"To which role should users be assigned to this application?"
We have these options to add an app:
Application you're developing – register an app you are working on to integrate it with Azure AD.
On-premises application (App Proxy) – configure Azure AD Application Proxy to enable secure remote access.
Non-gallery application – integrate any other application that is not in the gallery.
Add from the gallery – close to 3000 apps in the gallery can be added.
Example: when adding an application we have the following options.
In the case below we add Twitter from the gallery; a custom name can be provided for the application.
Single sign-on mode has 2 options:
Federated SSO – lets users access apps with their organizational accounts. This applies mostly to on-premises apps published here, applications you are developing, and any application integrated with an on-premises IdP. Only one sign-in is required; after signing in, the user can launch applications from the Office 365 portal or the Azure AD MyApps access panel.
Password-based sign-on – Azure AD stores the application-specific credentials and the access panel browser extension fills them in at sign-in, so users do not have to remember a separate password for each application.
Hide application from end user:
This option can be used if we would like to hide an application from end users.
There is also an option to hide Office 365 apps from the access panel; end users then see Office 365 apps only in the Office 365 portal.
Further end-user settings for the access panel can be managed here.
For on-premises applications we need to configure federated single sign-on and then add them to the access panel.
Navigate to Azure AD – Enterprise applications – All applications – select the application that needs single sign-on configured.
We have the options below: SAML – use SAML whenever possible; it works when the app is configured to use one of the SAML protocols. For SAML we need to provide the sign-on URL, user attributes and claims, and the signing certificate.
Then we provide the Azure AD URLs to the application to link it with Azure AD. Here we are creating a relying-party trust between the application and Azure AD so that the SAML configuration works.
Linked – can be used for cloud and on-premises apps when the application already has single sign-on implemented through another service, such as Active Directory Federation Services or another IdP.
Disabled – use this option if the application is not ready or not integrated for SSO. Users must enter their username and password every time the application is launched.
The default Office 365 apps are shown unless they are hidden.
After clicking Add app, users can explore the apps the admin added from the admin portal. In our case it shows only LinkedIn, since that is all we added.
If approval is required per the admin configuration, the request goes for approval, and after approval the application becomes available to the requesting user.
As per the recent update, Microsoft recommends the Intune Managed Browser MyApps integration for mobile scenarios. It supports additional features such as home-screen bookmarks and Azure AD App Proxy integration.
The access panel helps end users reach all Office and corporate applications in one place without confusion, and reduces the burden of first-level access requests on the front line.
The following features can be enabled:
We have 4 options at this moment:
Now we select this option for Microsoft Intune device enrollment.
After this is enabled we can run the What If tool to check whether the policy applies to the targeted user. In our case we can see the policy we enforced being applied below.
Client user behavior: Android device enrollment through the conditional access policy.
On expanding, we can see the terms detail as per the company policy.
It is always better to roll out this policy to pilot users first, verify the behavior, and then plan the rollout in phases for the remaining users.
The IT policy terms can be added in different languages for different geographic locations.
We have an option to review which users have accepted or declined the terms from the policy tab.
End-user accounts consuming this service require an Azure AD Premium P1, P2, EMS E3 or EMS E5 subscription.
After July 2018, mailbox auditing is enabled by default for all mailboxes in the cloud.
In a hybrid setup, once mailboxes are moved to the cloud, mailbox auditing is enabled after they are converted from mail-enabled users to mailboxes.
Earlier we had to run Set-Mailbox -AuditEnabled $true every time a new mailbox was added or migrated to the cloud so that mailbox auditing was turned on.
Once mailbox audit logging is enabled for owner actions we may see a lot of items accumulating for user actions in the audit folder. These audit logs are stored in each user's own mailbox, in a hidden Audits folder.
This folder does not count against the user's mailbox quota; it consumes the Recoverable Items quota of each mailbox. To overcome this quota limit, the Recoverable Items folder quota is automatically increased from 30 GB to 100 GB when a hold is placed on a mailbox in Exchange Online.
Without a hold the default value is 30 GB.
We can also see that auditing is enabled by default in the organization config.
To enable auditing at org level: Set-OrganizationConfig -AuditDisabled $false. To disable auditing at org level: Set-OrganizationConfig -AuditDisabled $true.
The MailboxLogin action records client logins for owner actions, including the POP and IMAP protocols. Apart from this we have inbox rule and calendar delegation actions, which are definitely useful when troubleshooting or investigating a compromised account.
When your tenant begins auditing all mailboxes by default, the per-mailbox AuditEnabled setting is overridden. However, you may still disable auditing for a subset of users if there is a business need, by configuring audit bypass associations on those identities with the Set-MailboxAuditBypassAssociation cmdlet. We can also customize which owner actions are logged using Set-Mailbox with the -AuditOwner parameter.
The command below bypasses auditing for the specified mailbox.
We can run an audit log search from the Security & Compliance Center to generate an audit report during an investigation; an export operation is available as well.
More filter options are available.
Based on the monitored mailbox audit actions, we can also create an alert that notifies the information security team mailbox or group when actions occur that do not meet the organization's compliance requirements.
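The cmdlets named above fit together into one short investigation script. The block below is an added example, not code from the original post: it checks the org-level switch, enables auditing on any mailbox not yet covered, bypasses a noisy service account (and lists every bypass so the exceptions stay reviewable), extends the owner actions logged on a VIP mailbox, and pulls that mailbox's owner logins and inbox-rule changes grouped by client IP, which is the quickest way to spot an unfamiliar address during a compromise investigation. Mailbox names are hypothetical.

```powershell
# Added example, not code from the original post: Exchange Online mailbox auditing
# from check to investigation. Mailbox names are hypothetical.
$cred = Get-Credential
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
        -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $exo -DisableNameChecking

# Org-level switch: AuditDisabled = $false means default auditing is on
Get-OrganizationConfig | Select-Object AuditDisabled

# Before the default-on rollout reaches a tenant, some mailboxes may still be off
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true

# Bypass a noisy service account, then list all bypasses so the exceptions are visible
Set-MailboxAuditBypassAssociation -Identity 'svc-scanner@exchangequery.com' -AuditBypassEnabled $true
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# Log more owner actions on a VIP mailbox: logins, rule changes, delegation, hard deletes
Set-Mailbox -Identity 'ceo@exchangequery.com' `
    -AuditOwner @{Add = 'MailboxLogin', 'UpdateInboxRules', 'UpdateCalendarDelegation', 'HardDelete'}
(Get-Mailbox -Identity 'ceo@exchangequery.com').AuditOwner

# Investigation: owner logins and inbox-rule changes in the last 7 days, grouped by client IP
Search-MailboxAuditLog -Identity 'ceo@exchangequery.com' -LogonTypes Owner -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { $_.Operation -in 'MailboxLogin', 'UpdateInboxRules' } |
    Group-Object ClientIPAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name

Remove-PSSession $exo
```

An UpdateInboxRules event from an IP address that never appears in MailboxLogin history is the classic signature of a phished account being set up to hide replies, and it is the row this grouping is designed to surface.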
Over the next several months Microsoft will enable the default auditing configuration on all tenants, ramping up steadily so that all commercial customers are covered by the end of the calendar year.
Mailbox audit records will be stored for all user mailboxes in the commercial service by default.
The default audit configuration will also change to include more audit events.
In Office 365, search can be used to find in-place items in email, documents, Skype for Business and Microsoft Teams. In this article we look at the steps to search emails in mailboxes in Office 365.
A search-and-delete operation is needed when a confidential message is sent by mistake to unintended recipients, when a suspicious message has been circulated to a few users, or when a phishing email arrives. An admin can run into any of these scenarios and be asked to perform this action.
In Office 365 we can use the native Search-Mailbox cmdlet, Compliance Search, or Content Search in the Office 365 Security & Compliance Center.
Search-Mailbox works exactly as it does on-premises. We must be a member of the Mailbox Search and Mailbox Import Export role groups to execute the search-and-delete operation.
We need to establish a PSSession to Office 365 as below:
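The block below is an added example, not the post's own script, showing the complete Search-Mailbox workflow for pulling a phishing message from all user mailboxes: connect, run an estimate-only pass first so the scope is known before anything is touched, copy the matches into the discovery mailbox for the record, and only then delete. The Compliance Search alternative mentioned above is shown at the end. The subject, sender and dates are constructed for the example.

```powershell
# Added example, not code from the original post: search-and-delete of a phishing
# message with Search-Mailbox, with a dry run and a kept copy. Query values are
# constructed for the example.
$cred = Get-Credential
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
        -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $exo -DisableNameChecking

# KQL: quote the subject so it matches as a phrase, pin the sender, bound by date
$query = 'Subject:"Urgent: password expiry" AND From:"billing@phish.example" AND Received>=2019-01-01'
$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

# 1. Dry run: count matches per mailbox, copy nothing, delete nothing
$mailboxes | Search-Mailbox -SearchQuery $query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 } |
    Select-Object Identity, ResultItemsCount

# 2. Keep a copy in the discovery mailbox, then delete from the users' mailboxes
$discovery = (Get-Mailbox -RecipientTypeDetails DiscoveryMailbox)[0]
$folder    = 'Phish-Purge-' + (Get-Date -Format 'yyyyMMdd')
$mailboxes | Search-Mailbox -SearchQuery $query -TargetMailbox $discovery.Identity `
    -TargetFolder $folder -LogLevel Full -DeleteContent -Force

Remove-PSSession $exo

# Alternative: Compliance Search from Security & Compliance Center PowerShell (soft delete,
# recoverable by the user; use HardDelete only when that is the intended outcome)
$scc = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ `
        -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $scc -DisableNameChecking

$name = 'Phish-' + (Get-Date -Format 'yyyyMMdd')
New-ComplianceSearch -Name $name -ExchangeLocation All -ContentMatchQuery $query
Start-ComplianceSearch -Identity $name
do { Start-Sleep -Seconds 15 } until ((Get-ComplianceSearch -Identity $name).Status -eq 'Completed')
Get-ComplianceSearch -Identity $name | Select-Object Items, Status
New-ComplianceSearchAction -SearchName $name -Purge -PurgeType SoftDelete

Remove-PSSession $scc
```

The estimate pass is the step people skip and regret: a query that is one quote short of a phrase match can scope to every message from the sender rather than the one campaign, and with -DeleteContent there is no undo outside the target mailbox copy.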
In this article we go through the steps to enable DKIM in a pure Office 365 cloud environment.
For DKIM concepts and enabling DKIM in an on-premises environment, you can follow my previous blog.
The main difference between enabling DKIM on-premises and in Office 365 is this:
On-premises we keep the private key on our outbound anti-spam gateway or DKIM agent, which signs every outbound email with a DKIM signature, and we publish the public key as a DNS record.
Office 365 instead asks customers to publish CNAME records that point to the public keys it hosts in DNS, delegating the selector names to Office 365.
With the CNAME approach the keys can be rotated whenever required, because the private key is owned by Microsoft and the public key is maintained in Office 365's own DNS records. We create the CNAMEs in our DNS console only once; afterwards we only need to create CNAMEs for new domains we add to Office 365.
First we enable DKIM from the Exchange admin center in the Office 365 portal – navigate to Protection – click the DKIM tab.
We can enable it for the routable domains registered with Office 365. But if we enable it before publishing the DKIM DNS records, we get the error below.
We have to publish the DKIM DNS records as follows:
Create 2 CNAME records, one for each of the 2 selectors used to sign outgoing email with DKIM.
In our case we need to create the records below from the DNS hosting provider console.
Host name: selector1._domainkey.exchangequery.com
Points to: selector1-exchangequery-com._domainkey.exchangequery.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey.exchangequery.com
Points to: selector2-exchangequery-com._domainkey.exchangequery.onmicrosoft.com
TTL: 3600
Once these 2 CNAME records are created, Office 365 signs all outgoing email with DKIM using its own signing agents.
Now if we go to the Office 365 portal and enable DKIM, it succeeds. Looking closer, there is an option to rotate the DKIM keys with a single button, which is a great option. Ideally we do not need to do this ourselves, since Office 365 rotates its keys periodically as part of its security checks.
To verify that mail is signed with DKIM, send a test email to Gmail; if it shows "signed by" your domain name, the outbound email is DKIM signed.
In the message headers we see the DKIM status as pass.
Further into the message headers we see:
Authenticated Received Chain (ARC) – a newer email security standard that Office 365 now uses. DomainKeys Identified Mail (DKIM) – if DKIM is enabled we see dkim=pass. Sender Policy Framework (SPF) – the SPF verification result.
In the DKIM-Signature header we can also see the selector (s=) and the domain name (d=), as below.
Further, we can look at the DKIM public keys by running the command below.
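The "enable before DNS is ready" error above is avoidable with a check that runs before the switch is flipped. The block below is an added example, not code from the original post: from Exchange Online PowerShell it reads the two CNAME targets Office 365 expects for the domain, resolves each selector to confirm the CNAME is in place and that a DKIM public key is published behind it, enables signing only if both pass, and shows where the public keys and rotation state can be read. The domain is the post's own; the session details and the lookup function are assumptions.

```powershell
# Added example, not code from the original post: enable DKIM for a domain from
# Exchange Online PowerShell only after DNS checks pass, then read keys and
# rotation state. Session details and Test-DkimSelector are assumptions.
$cred = Get-Credential
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
        -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $exo -DisableNameChecking

$domain = 'exchangequery.com'

# Create the signing config if it does not exist yet, still disabled
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false
}
$cfg = Get-DkimSigningConfig -Identity $domain

# These are the CNAME targets to publish as selector1._domainkey.<domain> and selector2._domainkey.<domain>
$cfg | Select-Object Domain, Selector1CNAME, Selector2CNAME, Enabled

# Each selector must resolve through the CNAME to a TXT record carrying the public key (v=DKIM1).
# A missing or wrong record here is exactly why the portal refuses to enable DKIM.
function Test-DkimSelector {
    param([string]$Domain, [string]$Selector, [string]$ExpectedCname)
    $name  = "$Selector._domainkey.$Domain"
    $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) { Write-Warning "$name has no CNAME record"; return $false }
    if ($cname.NameHost -ne $ExpectedCname) {
        Write-Warning "$name points to $($cname.NameHost), expected $ExpectedCname"; return $false
    }
    $txt = Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { ($_.Strings -join '') -match 'v=DKIM1' }
    if (-not $txt) { Write-Warning "$name resolves but no DKIM1 TXT record is behind it"; return $false }
    return $true
}

$ok = (Test-DkimSelector -Domain $domain -Selector 'selector1' -ExpectedCname $cfg.Selector1CNAME) -and
      (Test-DkimSelector -Domain $domain -Selector 'selector2' -ExpectedCname $cfg.Selector2CNAME)

if ($ok) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    # Which selector signs now, when it rotates, and the public keys Office 365 publishes
    Get-DkimSigningConfig -Identity $domain |
        Select-Object Enabled, SelectorBeforeRotateOnDate, SelectorAfterRotateOnDate, RotateOnDate,
                      Selector1PublicKey, Selector2PublicKey
    # Manual rotation is normally unnecessary; Office 365 rotates on its own:
    # Rotate-DkimSigningConfig -Identity $domain
} else {
    Write-Warning "DKIM left disabled for $domain until both selector records are correct"
}

Remove-PSSession $exo
```

Keeping both selectors published is what makes rotation seamless: Office 365 signs with one while the other is pre-published, so a check that only validates the selector currently in use would miss the record that the next rotation depends on.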