Microsoft

Cloud.Microsoft is coming (and already here a bit)!

Microsoft has been planning to migrate Microsoft 365 services to a new domain – cloud.microsoft – for over a year.

Back in April 2023, Microsoft announced the upcoming change with a starting sentence: “…today we’re excited to announce that Microsoft is beginning to reduce this fragmentation by bringing authenticated, user-facing Microsoft 365 apps and services onto a single, consistent and cohesive domain: cloud.microsoft.”

As pointed out to me by Microsoft MVP Karl Wester-Ebbinghaus, who in turn was reading this post from Dr Windows aka Martin Geuß, there is now an update on the Microsoft 365 Message Center called “Product transitions to the cloud.microsoft domain – February 2024” Message ID MC724837 (published on March 5th which is still almost February). It calls out that the new domains are starting to go live, in parallel with existing domains – meaning you won’t get redirected to the new ones yet.

A list of services that are already running on a cloud.microsoft domain is documented here: https://learn.microsoft.com/microsoft-365/enterprise/cloud-microsoft-domain which at the time of writing looks like this:

List of live cloud.microsoft subdomains as of 12/03/2024

As Microsoft has exclusive rights to the .microsoft top-level domain, any content on here can be held at a pretty high standard. Make your own decisions around what you may allow from the single .microsoft domain, or the initial sub-domain of cloud.microsoft. You may need to add the domain/subdomain to allow lists.

What the above changes also mean for me personally, is a lot of ongoing work on MSPortals.io to keep it up to date, as well as keep the old links on there while they still function:

I’ll do my best to keep MSPortals.io as updated as possible, but if you notice anything that needs an update, please contact me or use the GitHub option on the site to submit an update.

Other notes and takeaways from the message center post:

It appears the planned end-dates of non cloud.microsoft URLs for Microsoft 365 services are somewhere between June 2024 and September 2024.

Follow the guidance on Microsoft 365 URLs and IP address ranges and there should be no network administrative impact to these changes.

Update documentation and communicate the change to end users – this can be a good chance to train or rehash what domains are, which helps in user understanding of phishing attempts (both web based and email).

If you have any tools built that connect to Microsoft 365 services (3rd party, or internally developed) make sure they’re aware of the upcoming changes and have a plan to update.
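The allow-list and phishing-awareness points above both come down to matching a hostname on a label boundary rather than by substring. The following is an added example, not code from this post or from Microsoft; the sample URLs are constructed, and requiring https is an assumption of the example.

```python
"""Allow-list check for cloud.microsoft hosts (added example)."""
from urllib.parse import urlsplit

# The two policy choices the post mentions: only cloud.microsoft,
# or the whole .microsoft top-level domain.
ALLOW_CLOUD_ONLY = ("cloud.microsoft",)
ALLOW_WHOLE_TLD = ("microsoft",)


def normalise_host(url):
    """Return the lower-case ASCII hostname of an https URL, or None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops userinfo ("user@") and any port
    except ValueError:
        return None
    # Assumption of this example: only https URLs are ever allowed.
    if parts.scheme != "https" or not host:
        return None
    host = host.rstrip(".").lower()  # "cloud.microsoft." is the same host
    try:
        # IDNA-encode so Unicode lookalike letters become xn-- labels
        # that can never equal the plain ASCII name.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_allowed(url, suffixes=ALLOW_CLOUD_ONLY):
    """True if the host equals an allowed suffix or is a subdomain of one."""
    host = normalise_host(url)
    if host is None:
        return False
    # Match on a label boundary: "x.cloud.microsoft" passes,
    # "notcloud.microsoft" and "cloud.microsoft.example.com" do not.
    return any(host == s or host.endswith("." + s) for s in suffixes)


# Constructed sample URLs (not taken from the post or from Microsoft's list).
SAMPLES = [
    "https://app.cloud.microsoft/home",           # subdomain: allow
    "https://cloud.microsoft/",                   # the domain itself: allow
    "https://APP.Cloud.Microsoft./home",          # case and trailing dot: allow
    "https://notcloud.microsoft/",                # different name in the TLD
    "https://cloud.microsoft.example.com/login",  # name used as a prefix
    "https://cloud.microsoft@example.net/",       # name in the userinfo part
    "https://cloud-microsoft.example.org/",       # hyphenated lookalike
    "http://app.cloud.microsoft/",                # not https
    "https://\u0441loud.microsoft/",              # Cyrillic first letter
]


def classify(urls, suffixes=ALLOW_CLOUD_ONLY):
    """Map each URL to True (allow) or False (block)."""
    return {u: is_allowed(u, suffixes) for u in urls}


if __name__ == "__main__":
    for url, ok in classify(SAMPLES).items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {url}")
```

Passing ALLOW_WHOLE_TLD as the second argument applies the broader policy, under which any host ending in .microsoft is accepted.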

Microsoft Learn GitHub and Feedback Updates

Microsoft is changing the way feedback will be provided for Microsoft Learn content.

Microsoft Learn is an impressive resource for IT staff interacting with Microsoft technologies. It was first launched as docs.microsoft.com which came out all the way back in 2016. Before that, TechNet and MSDN were the sources of official Microsoft documentation, but they were incredibly lacking in both quality and quantity of information. It’s why most people relied on third party websites to find out how to ‘really’ do something in the Microsoft space – which is why it was great to see Microsoft spend time and money in something that gave them no immediate return on investment.

Microsoft Learn was built on customised GitHub architecture, allowing huge transparency on when documentation gets updated, what changed, and a way for customers to question and/or correct what they’re reading. It was also a pseudo feedback method where you could see what others may be complaining (providing constructive criticism) about when looking at a product yourself – similar to what Feedback Portal does for each product (which is still in beta, and replaced the decent third party UserVoice service) – but when you’re looking at feedback on a particular documentation page on a specific thing, the feedback you’re seeing is particularly relevant, rather than searching through an entire product’s history of feedback.

History lessons aside, Microsoft is now rolling out a change on how feedback works. It’s a bit of a mixed bag from what I can tell, so here’s the breakdown:

From the updated information on Provide feedback for Microsoft Learn content, there will be a few different options on what’s possible around providing feedback based on what page it is.

All pages will have the new feedback experience where you click the thumbs up Feedback button:

This will let you anonymously provide feedback. A single text box that you can write your thoughts on and submit into a black box:

I don’t like this because there’s no visibility, accountability, or any way I can actually engage with Microsoft. I can see why Microsoft wants this, but the old GitHub feedback method meant you could get a response, converse, clarify etc. That is completely gone with this method and personally I doubt I’d bother using it beyond a Yes/No response and maybe a 1 line. It doesn’t provide the customer with any real incentive to bother.

There is some good news however. Some pages will be configured to take you to the relevant Product Feedback page, and some will take you to a Q&A page for the product or community site. If these were widely implemented, it would go a long way to fill the above feedback gap.

Also, you can still use the pencil icon to submit changes and view page history… “for any repository that already had this capability enabled.“.

That implies any new repository (likely for any new product that doesn’t have its own content on Microsoft Learn yet) will not have this capability. Except, I can already see a repository that doesn’t have this capability – Purview related content. Check out any Purview page on Microsoft Learn such as Learn about data loss prevention | Microsoft Learn and you’ll notice there is no edit pencil, and feedback at the bottom of the page only has the new experience:

Compared to other pages such as this Publish on-premises apps with Microsoft Entra application proxy – Microsoft Entra ID | Microsoft Learn where the callout of the deprecation of GitHub Issues is.

It is also worth noting that open source products will have a more open feedback experience using GitHub. A list of products that support this is available here and appears to be the same as the way we’ve been using feedback across the entire Microsoft Learn platform for a while.

Overall, I’d be guessing that the existing solution creates a lot of noise for Microsoft to manage based on the amount of feedback they’d get, and this is a way to stop it. If we see improvements in the other two-way feedback mechanisms, including Microsoft staff engaging more on these platforms, I can see it working well enough. Let’s hope that happens!

AI Powered Microsoft Q&A vs Bing Chat vs Bing Chat for Enterprise (Copilot)

Update 20th November 2023
Bing Chat for Enterprise has been renamed to ‘Copilot with commercial data protection‘ – General Availability 1st December 2023.

Original Post
Q&A Assist is a new feature Microsoft have launched on the Q&A ‘Ask a question‘ page, where you would normally pose a question to post in the forums and have another human answer for you. Now, backed by the Azure OpenAI Service, you can get AI based answers using data that Microsoft curates.

This is a bit different to Bing Chat (or Bing Chat for Enterprise) where it’s using knowledge from all over the internet, and as per any OpenAI setup, should be tailored a bit more to the sort of questions it expects.

Q&A Assist at the time of posting is in ‘Public Preview’:

I thought it would be worth comparing the two to see how they fare, but it took me down a bit of a different path than I expected.

The Example

Q&A Assist gave a fairly reasonable broad response and expected you to dig more into it only via official learn.microsoft.com content.

Bing Chat however, took me down a bit of an interesting path. It gave a step by step:

But that didn’t scale or have the automation of the above answer, so I tried to clarify:

Not too bad, but not the same answer as Q&A Answers – both valid depending how you buy your Windows 11 Enterprise licenses though. What if I limit Bing Chat to only use learn.microsoft.com content?

Proof that AI doesn’t do everything for you – OK I ask the same question piecing all the bits together:

The same answer as before but only from learn.microsoft.com? This gets stranger when I check reference 1, which is actually a Q&A page with the question “Which Windows 11 version allows multiple remote desktop sessions” and doesn’t have anything about VAMT at all. Reference 2 which strangely tells me to do what I’ve already done on this query, links to another Q&A page which is on topic, but has no content that would have been helpful for this answer. Something wacky going on with those reference links, but I suspect it actually used the information in the same session and then limited the claims on where it could verify those answers to learn.microsoft.com only, which if you only saw this single answer wouldn’t be right.

Is Bing Chat for Enterprise Different?

I pumped the same final all-encompassing question in, and received probably the best answer out of everything, great sources and almost only limited to learn.microsoft.com – a Youtube link turned up, but that was from one of the Q&A pages.

Giving Bing Chat another chance, I started a new session and asked the same question again:

Different again, but you can see Bing Chat gives more ‘consumery’ answers while Bing Chat for Enterprise didn’t – I was surprised by this but it does make contextual sense. The references also make sense this time, so this leans towards my theory on using previous answer information in the same question thread – something to be aware of.

Coming back from that tangent, what does this all mean for Q&A Assist? It’s good that it helps define a question and ask in both summary and detailed, needing a category and limiting answers only to trusted sources. You can see the design of it is to hopefully provide a quick answer before someone posts the forum question, or at least supplement their question with extra details on what they might be trying to ask.

Moreso, it’s a good example of what is fairly easy to achieve with Azure OpenAI pointed at a set of data – which could purely be a website. It takes a chatbot to the next level by not needing anyone to give it a set of questions and answers, it’ll work all that out itself. It’s also worth noting that even in the Microsoft ecosystem there are multiple AI chatbot solutions, such as Power Pages also being able to point a chatbot to a page to do Q&A type work.

The hard habit to break for many people will be years of using a search engine to look up an answer and doing your own work going through it – any AI driven chat system should make this easier and more efficient to look up detailed questions and follow the sources to get your truth, but it’s something that we’ll all need to get used to while becoming more ingrained with everything we do online.

MSPortals.io Analytics

I thought it might be interesting to share some stats/trends around https://msportals.io which currently uses Google Analytics. Most sites have a commercial aspect and don’t like to share this data, but as it’s purely community and no financial gain, let’s check out some stats:

Last 7 days from 31st May (Monday):

Last 28 days from 10th May:

Last 12 months:

All time – from October 2021 to June 2023.

Unsurprisingly, there is a constant peak/trough for weekdays and weekends. I’m not sure why it’s more evident over the ‘all time’ stats vs ‘last 12 months’, but ’28 days’ and ‘7 days’ show a good reflection of this. Those giant peaks on the ‘all time’ are from either a news article posting about the site, or someone having a very successful social media post bringing attention to msportals.io.

There is also a pretty steady user count between 1500 and 2000 a day, excluding weekends.

Where are users coming from? (last 90 days)

Another unsurprising statistic is that most users are coming from the US – UK is next, and probably more surprising is Australia being third – maybe because I have a wider audience and more connections here?

US is the first most common US city in 7th place, while London is 1st, which I’m sure matches the expected stats due to population distribution.

Which pages are most hit? (last 90 days)

Still more unsurprising stats, the main page accounts for the most hits, which contains the standard Microsoft Admin portals. Next up is the Government portals, which is only US Gov – so there is obviously fairly high usage of those; double the stats of the user page which I did think would be a bit more widespread – but I expect the waffle from office.com serves most users quite well.

How do users get to msportals.io? (last 90 days)

Most have the site bookmarked, or are typing the URL directly into their browser. The next most common is via search engine – testing via private browser mode, searching for ‘Microsoft Portals’ brings up msportals.io as the first result on both Bing and Google, but I can’t see any stats on what search terms refer people to my site the most.

Average Engagement Time (last 90 days)

If someone visits the main msportals.io site, the average engagement time is 36 seconds (based on the last 90 days). Most sites will want higher engagement times, but the point of this site is to get people to where they want to get to as quickly as possible, so I’m pretty happy with 36 seconds as an average. Other pages have similar times, although I have no idea how language conversion is happening, or why what I assume is the French language ‘Portails adminitraeur | Portails Microsoft’ has more than 2 minutes engagement time despite France not being in the top 7 countries (I’ll blame Canada – sorry).

Tech – Device, Platform (last 90 days)

These stats I find quite interesting. No surprise that Windows is vastly the main OS used to access msportals.io, with similar numbers of Macs vs iOS users, and slightly behind that, Android. There’s 90% desktop users vs 10% mobile users – rounding to nearest number and ignoring the 0.3% of tablet users.

Very similar browser stats on Edge vs Chrome (which compared to the stats for the site’s entire life, Chrome has been used slightly over 2x as much as Edge, which shows Edge’s usage drastically increasing for at least my site’s user base), and fair way behind are similar usage stats for Safari vs Firefox (and again comparing since the site launched, that’s been similar the whole way along with a tiny bit more Safari).

Screen resolutions I am happy to see the standard 1920 x 1080 being far ahead. Quad HD is second, with a bit of ultrawide 5th on the list. Again, historically 1920 x 1080 has always been far ahead, but 1366 x 768 makes up second place with half the amount of 1920 x 1080 hits – yet in the last 90 days, it’s not even top 7 so there must be a lot of monitor or laptop upgrades recently :)

I hope those stats gave you some insights into both what msportals.io sees, and also very easily what any site can learn about its visitors – this is using Google Analytics, without any costs involved.

Azure AD Cross-Tenant Synchronization is now in Public Preview

For a long time, the methods of having two Azure AD tenants aware of each other’s users needed to be managed in either a manual, or scripted way; accessing the data of another tenant or using their configured Apps would require each user to enrol to the other tenant and be given default guest permissions; or an admin at the destination tenant would need to set things up, send invites out, or do something else creative to make the user experience better.

I was on board Azure AD B2B in the early days; as a Microsoft MVP I had the privilege of speaking to a product manager for it that one time I went to Redmond, talking about my use case and seeing if I was ‘doing it right’. A combination of Azure AD B2B and Azure App Proxy I’d set up for guest accounts to get into an internally hosted web based application, and it worked quite well. I had my own script going through a many step process to send out an invite to the user, add the user to multiple groups and whatever other trickery I needed at the time.

Cross-tenant synchronization however, takes a lot of that pain away. You can set up a trust between two Azure AD tenants (which can be a one way sync) to allow users in Tenant A to be automatically created and managed in Tenant B as a guest user. This is great for organisations who have to frequently work with another org – and even though it’s early days for cross-tenant sync, there’s some rather good controls already. You aren’t limited to a single relationship either; I can’t see any documented limits.

Attribute Mapping allows you to configure extra rules around the attributes that get passed on, allowing you to manipulate, add or remove certain attributes (you might want to remove an employee number from employeeid, or add an extra attribute to define what tenant they were synced from; or do something that will in turn match a dynamic security group rule to automatically add your synced users to be allowed to access an application).

I’d often step through how to set this up in one of these articles, but the documentation is already detailed with step-by-step screenshots and clear instructions. It worked exactly as described when I set this up between two test tenants I have, and took about 15 minutes beginning to end, which included reading the documentation a few times to make sure I was following it correctly. It’s also possible to do via Graph API, but I did not try this method.

There are even detailed sync logs, troubleshooting tips, and detailed reporting.

One question I’ve seen multiple people already ask is how does this relate to the Global Address List (GAL) and People Search – which the documentation claims this isn’t on by default, but easy to enable. In my testing however, the accounts showed up in the GAL with the little ‘blue person in front of world’ symbol with no extra configuration. They didn’t turn up instantly and I waited overnight, then they were there. People Search was the same. If you want to investigate this for yourself, check out the showInAddressList attribute. Other documentation also says guest objects aren’t in the GAL by default too:

and here’s the instructions on how to “Add guests to the global address list“.

As always, be aware that this is Public Preview so has fewer guarantees than a fully launched feature. If you have any feedback or want to see what others might be saying/asking, check out the official feedback for Azure Active Directory.

Edit 10/02/2023

Worth mentioning licensing.

As per What is a cross-tenant synchronization in Azure Active Directory? (preview) – Microsoft Entra | Microsoft Learn:

In the source tenant: Using this feature requires Azure AD Premium P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant. To find the right license for your requirements, see Compare generally available features of Azure AD.

In the target tenant: Cross-tenant sync relies on the Azure AD External Identities billing model. To understand the external identities licensing model, see MAU billing model for Azure AD External Identities

The MAU billing section:

In your Azure AD tenant, guest user collaboration usage is billed based on the count of unique guest users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant. When your tenant is linked to a subscription and you use External Identities features to collaborate with guest users, you’ll be automatically billed using the MAU-based billing model.

Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.

The pricing tier that applies to your guest users is based on the highest pricing tier assigned to your Azure AD tenant. For more information, see Azure Active Directory External Identities Pricing.

Then from Pricing – Active Directory External Identities | Microsoft Azure:

Each synced user needs an Azure AD Premium P1 or P2 license in their home tenant.

Each tenant receiving synced users has the Azure AD External Identities billing model which used to be a 1:5 model, but is now 50k users free, the rest a small charge per active user.

Does a synced account count as an active user? Unsure, I would guess it’s a ‘probably not’ since there’s no active login for just existing as a guest in another tenant, but verify that for yourself with your licensing reseller.