Office 365

CIAOPS Academy

Today I’m sharing Robert Crane‘s CIAOPS Academy service. He’s an Australian based Microsoft Office Servers and Services MVP, and seems to be rather busy with all his different projects, including the CIAOPS Need To Know podcast.

That podcast I highly recommend as an easy way to keep on on the latest Office 365 and Azure news. Even though I try to keep on top of it myself, they often raise other new features or changes that I hadn’t come across yet.

Beyond that though, the CIAOPS Academy is a service I personally pay for that Robert provides. I am on the lowest tier, but the private Facebook group that Robert runs is an invaluable source of fellow professionals who ask and help all things in the Microsoft tech space.

It’s different to other communities with it’s paywall, as everyone is invested and cares about the topics raised.

There’s also a referral program for signups – sure you can use my affiliate link to CIAOPS Academy or use one that doesn’t help me pay for my own access here. I’m not one to suggest services or products I don’t believe in myself, but I’ve had several questions raised already which has more than paid for the service in my mind.

The bronze level (which is what I use) is enough for me right now, but higher levels give you access to videos and other training materials.

The bonus news I can share here is that there is now a 7 day trial available, which is mentioned at the bottom of the patron page above. If you want to see what it’s about and check it’s worthwhile, you can now do it for free!

In summary, if you’re someone who is either new to, or currently managing Office 365 and Azure, this is a great group of people to be a part of. I’m not the only other Microsoft MVP there, which I think shows the value of this service.

Microsoft Forms Preview

Microsoft Forms has been around for a while. A year ago, it was released only to Office 365 Education customers as a nice, simple way to make surveys and quizzes. There’s a bunch of content out there about it already, for those who want to learn more.

More recently, it’s been released to the wider population with a bunch of improvements, albeit still in ‘Preview’. As I can now access it from one of my Office 365 tenants, I thought it was worth having a play with.

Forms is a lightweight, easy way of creating questionnaires and gathering the responses. Having no experience with it previously, I made up this survey within a minute (half the time was picking a theme!).

Have a look and feel free to enter data, and try to break it:

Test Quiz

Right now, there’s two options on the main Forms page: Create a form, or create a quiz. Creating a quiz looks pretty blank from the beginning, with a title and the option to add a question. It’s worth mentioning that I couldn’t tell what the difference between the form or quiz option was!

Using the ‘Add question’ button gives you the options on what sort of question it is; Choice, Text, Rating or Date. From that, you’ll see a very easy to configure form, where you can configure the question to your liking. Points are possible if it’s checking someone’s knowledge and you want an end score. You can choose if a question is mandatory with the ‘Required’ toggle, or if multiple answers are allowed.

The elypsis hides a few more options depending on the question type – maths, if you need to use an equation (you can see the education influence here). but also if your question needs a subtitle, or if you want the answers shuffled to reduce bias (there’s that type of person that always picks ‘C’ when they don’t know).

There’s also a ‘Branching’ option which lets you configure what path the quiz will take, depending on which answer is given. How long until someone creates a ‘Choose your own adventure’ with this :) ?

I posted this on Twitter not too long ago, and at the time of writing this, there was 26 responses. I haven’t done anything beyond clicking the ‘Responses’ tab to see this data:

To me, this looks incredibly useful. So little effort required to start getting feedback, and the data displayed easily. There’s also the option to open the data in Excel, which shows the raw data and lets you manipulate the views.

The survey by default requires access in your organisation to respond. With that, you can choose if names are recorded, and if only one response is allowed per person.

It’s possible and easy to change this restriction to ‘Anyone with the link can respond’, but it does mean all entries will be marked as ‘anonymous’ and you’ll have no guaranteed tracking of who entered the data.

Another note is that forms is fully supported on mobile browsers. A few people tried this quiz and reported a great experience.

As pointed out on Practical 365, Microsoft Forms is turning up and on by default on Office 365 tenants, if you don’t want this on please read that post.

This is a free component of Office 365, and worth investigating even in it’s preview state for internal surveys – maybe it will replace Survey Monkey (which I’m a fan of)?

Zero-click Single Sign-On Without ADFS

Login prompts to websites are a pain. Enterprise employees these days expect to have a single sign-on experience (meaning the same username/password everywhere) and a minimal amount of logging in to systems each day.

It’s a very different from years ago where every system had it’s own unique login, and users got into the habit of synchronizing password changes when the regular password expiries hit (and I’m sure some companies still run this way), but it’s a problem IT as a whole has worked on for many years.

Microsoft has had a big focus in identity management for many years, with products such as FIM/MIM and ADFS along with the old faithful Active Directory, controlling and giving framework for authentication. The on-premises approach didn’t work for cloud based technologies though. Going to a site such as Office365.com will show an area to sign in:

 

Going back to the requirements of getting logged out of sites, or needing to log into each different Microsoft service is a pain and time sink for users. The original answer to this problem was ADFS. This works well, but requires the ADFS infrastructure to be set up, and needs to be highly available. If ADFS goes down, your users can no longer authenticate to Azure AD, which is what powers the identity management and authentication orchestration for Microsoft enterprise users (this includes Office 365).

More recently, another native solution was released – Pass Through Authentication for Azure AD Connect (Azure AD Connect being the service that syncs your on premises AD to Azure AD). This removes the requirement for entering a password to these Microsoft services which is great for users, but still requires the entry of the username (which in Azure AD, is the User Principal Name, and looks the same as an email address to confuse things more for users). It’s a good start, but still not the seamless authentication many users expect.

There is another way of providing zero-touch logins to Microsoft services without ADFS, which is Azure AD Domain Join. Windows 10 is a requirement here, but beyond that, the setup is quite easy if you’re already configured for Azure AD. Maurice Daly has written a great guide on this, which outlines all the requirements and steps to follow to be up and running. (Thanks Maurice for your help on this!)

Gotcha for myself: I found that I had an old version of the Microsoft Azure Active Directory Module for Windows PowerShell which didn’t have the get-msoldevice cmdlet at all, and had to download an updated version. I also updated the AzureRM module for good measure since it was also out of date, but shouldn’t have been a requirement.

This is a rather complex topic, so I’ve tried to give a fly-over view of the native options available. There’s also Smart Links which can speed up and improve the user experience.

If you’re on Azure AD and Windows 10, give Azure AD Domain Join a try. It may save you the hassle of building and maintaining an ADFS server, and give your users a better experience overall.

Azure AD Group-Based License Management For Office 365

It’s finally here! At least in public preview…

The ability to allocate Office 365 licenses via groups is now available for everyone to use. This has been a long-awaited feature, up until now licenses have either been applied manually via the portal, or via scripts/3rd party software with logic applied for automation.

Now, you can automatically apply and manage license allocation using whatever logic you like. You can create on-premise AD groups, apply a license set to the groups, and members will be allocated the relevant licensing. If that doesn’t work for you, there’s also cloud based Dynamic Groups which let you use whatever logic you can come up with to add members to the group. You could do it on something like a department name, or use an extension attribute and populate that based on what license you want to allocate.

The above link covers a lot of information about how to deploy this. At the time of writing, I couldn’t get to the Azure Licensing page by searching for the word ‘Licensing’, and instead had to use a direct link: https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products

I’ve already deployed it, it seems to work quickly and without issue.

 

Once you’re done, you’ll need to remove the Office 365 licenses applied manually. This TechNet article shows the commands to use for removal. I used this:

$Users = Get-MsolUser -All | where {$_.isLicensed -eq $true}; $Users | foreach {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses "litwareinc:ENTERPRISEPACK"}

This removes licenses from all your users, to be more specific add extra criteria to the first ‘Get-MsolUser’ command. Also note you need to swap ‘litwareinc’ with your tenant ID, and ENTERPRISEPACK with whichever license you’re removing. I’d recommend testing on one account first!

To see what your tenant’s license options are just use:

Get-MsolAccountSku

And you’ll see a list of the license options along with existing allocations.

If you have any questions please comment below.

Microsoft StaffHub General Availability

Microsoft StaffHub has now globally been released (General Availability). StaffHub is a very simple web and smartphone app based scheduling system, primarily designed for shifts.

It lets admins set and modify member’s shifts, and gives simple day/week/month overviews. I quite like this simplistic approach, sometimes these solutions can be a bit overwhelming when it’s linked to several other Office 365 features that you haven’t used yet.

Microsoft StaffHub

I was honestly up and running with this in 5 minutes, including the tutorial. I’ve invited other staff members as part of adding them, and both web and smartphone views are clean and easy to read. The product itself doesn’t really do anything else – there’s chat options for the app, and file sharing, but it’s perfect for staff that don’t do much (or any) of their work on computers; or just staff that want to be able to see what shift they’re on quickly.

One point of confusion I noticed, was the invite it sends out to staff you invite only wants them to use the smartphone app, and that link won’t work from a browser. They’ll need to manually go to https://staffhub.office.com for the browser experience.

Microsoft have a great starter page along with video showing how it works. There doesn’t seem to be any integration with other systems – It’d be nice to be able to send shifts as calendar appointments and maybe we’ll see that in the future.

It’s part of the Office 365 suite, so if you already have a license you should be able to go to http://staffhub.ms/ and start playing.

Softerra Adaxes – Several Months In

logo-1

Softerra Adaxes is an Active Directory management & automation tool which I’ve grown very fond of.

First I reviewed Softerra Adaxes, then I actually bought Softera Adaxes and even did a brief case study for them. I thought it would now be good to share how far we’ve come through using this tool, and what the experience is like for those considering this option of automation. Here’s my thought process and how I personally approached the rollout, along with my experiences along the way:

Initially to me, the idea of having an ‘Outlook rules’ style approach to building a system that automated user management was enough to me. We’d been creating accounts manually for a long time, and the process was documented but took 20 minutes or so to perform. There was also a lot of room for human error, especially when someone was interrupted while creating an account.

There was of course the ‘selfish’ reason of not wanting to do these user management tasks myself, but it’s hard to pass those tasks off with the inherit risks or lack of knowledge of the tools being used to ease the process. This is what had held me off writing my own giant PowerShell script to automate all the steps.

After mucking around with the Adaxes basics, I started to realise that this software solution seemed to actually deliver on what I was personally looking for – something that wasn’t complex, but also let me define whatever criteria, business rules and caveats to the user creation process that I wanted. On top of that, there was inbuilt webpages where I could deliver these options to other staff requiring no software installs, and the ability to show or lock down whatever I chose, to both control and protect the Active Directory environment.

It did take a few weeks to set up properly, but I wouldn’t have really spent more than an actual day’s worth of work in those few weeks doing it. That was just to create a new user in all the various systems I wanted, with our unique user setting requirements. I wouldn’t say the entire system is so simple and easy to navigate that you can get cracking, but it’s also not complex. Once you find the setting or understand how Adaxes achieves a solution, it’s not difficult to set things up.

The inbuilt functionality of website templates – where you can create multiple sites displaying whichever fields you like to whichever users you like – is a good way to deliver the solution to end users. You can have a page for IT and another page for Finance with completely separate functions to best fit each use case.

For me, it was great that I could create websites with zero programming requirements. It’s all driven by a GUI, and somehow it’s still very flexible in what it can do. It might be frustrating to someone who actually writes code, but that’s not who would normally be using this solution. I really feel it’s aimed at someone like me, the IT Pro/Sys Admin who wants to automate and allow others to use the tools, without needing to code or expect others to run PowerShell commands themselves.

adaxes1Basic site with one option – menu and right side options can even be hidden if required.

Once I’d finished the user creation process and published the method of doing so to a website, I had internal staff muck around with it and use it, purely for new user creations. The feedback I received was immediately positive – that 20 minute or so process had been reduced to a few minutes, and even generated out an email saying the account creation was done. This in itself to me was the tick of a successful project, and I knew I could do a lot more around automation and empowering others to do repeatable tasks.

Some of the problems I hit on the user creation automation were:

  • After upgrading from Lync 2010 to Skype for Business 2015, there were intermittent errors popping up for creating a SfB user. This was a known problem to Softerra, and took several months to resolve with a new version of Adaxes. I did have a workaround luckily, so it only took some rule modifying to work around it until a proper solution was found.
  • ‘User unknown’ – I ran into some problems where I’d create the user or enable them for Exchange, but then the next command wouldn’t find the account. Adaxes was faster than what other systems could replicate changes, so some tactful ‘start-sleep’ PowerShell command steps during the workflows to allow replication to occur before the next step triggered. This does mean that the overall process can take a minute or two, and the person who triggered the user creation has to wait for it to finish.
  • Not all functionality was available that I needed in the GUI. For example, creating a Skype for Business user is easy, but you can’t assign a policy. Instead you need to use PowerShell commands to do what you want. That took a bit longer and needed more testing, but wasn’t much of an issue once I found that out.
  • When a new user was created that already existed (e.g. another John Smith – john.smith) I hadn’t considered that scenario. I asked in the Adaxes forums and was told how to run some pre-checks to make sure the username and phone number were unique and bomb out if they weren’t, rather than half creating an account and having to clean it up afterwards.
  • The upgrade process isn’t painful when a new version of Adaxes comes out (which came out while I was doing the user creation and I wanted to try upgrading early on), but there’s a few more steps than next, next finish. An uninstall is required with backing up a few files, then a fresh install and importing what you backed up. I’m hoping that will be streamlined a bit in the future.

After the user creation process was settled, I started to create more automation tasks. Deprovisioning was an obvious one, and was a lot easier than user creation as well as taking a lot less time to set up. This command would clean up all the bits and pieces from an account, including home drives and Exchange settings (along with moving the mailbox to a different database). This was rolled out relatively quickly.

I should also note, the logging is very helpful. If someone triggers a command from the website, they can see if it was successful or not, or where it failed. It made testing easy to do, but I was also able to read through logs via the GUI on the server to find out more about what failed and why.

adaxes2Updating options on one of the web interfaces – no coding required.

I then decided to wait for common scenarios to come up and build them as needed. We often had ‘returning staff’ which if their Active Directory account still existed, I couldn’t use my user creation method when the account already exists. This took a rethink of how I’d designed my rules so far, and decided to re-do a lot of it in a more modular fashion. Because there’s the ability to copy and paste rules, this was a lot easier than I expected. The end result was that I’d have a list of modules to run against a task – e.,g. a new user would call commands such as ‘enable email’ and ‘enable Skype for Business’ which my new ‘returning staff’ would call ‘re-enable email’ but the same ‘enable Skype for Business’ command as a new user. This now meant I could move a mailbox from one database to another and unhide the user from the Global Address Book when they returned, but because all users have their Skype for Business disabled, that step was the same in either scenario.

Another valuable idea I had was to let users control the membership of Active Directory groups that they were the owner of. After some mucking around, I created a website solely for that purpose. The great part about it was that whomever logged onto the site (with passthrough authentication so no extra typing required) could only see groups they were an owner of, based on the Manager field in Active Directory. This gives anyone in the company who is in control of a group, the ability to add or remove members without any IT assistance required. Perfect for application owners who control who can get to their application or not via a security group.

My next task will be the automation of a user name change. With the updated modular design, I can copy out the steps that I need and modify them to my new requirements; of course finding the hour or two to build and test this is the hardest part. (Note: Between the week of writing this and publishing, I’ve now done it.

I’ll give praise to both the Adaxes forums and their helpdesk support via email- almost always, within 24 hours max (and usually 4-5 hours) I’d get a specific and clear answer on how to do something I couldn’t work out personally, and it was from someone who knew the product rather than a basic 1st level helpdesk type response.

I hope this gives a real impression of my experience and opinion of Softera Adaxes at a high level, after using it for an extended time. There’s no real gaps to the product that I’ve found. and you can pick and choose as to how much customisation you want to do through PowerShell scripting. I’m still happy with the product, and it will continue to evolve with us.

Intune – Couldn’t Enroll your Device

We started having issues with new enrolments to Intune. Nothing had changed that we were aware of, but registering a new device brought up the error “Couldn’t enroll your device. You can try again or send the error information to your IT admin in an email.” iOS or Android, didn’t matter:

screenshot_20160922-180510Intune Enrollment Error

After testing multiple accounts and multiple devices, I logged a call with Office 365 support, and eventually we worked out that for my account, I didn’t have a license applied. Intune sits under our Enterprise Mobility Suite package:

licenseIntune License is “Off”?

After checking other users, I found that everyone was in this ‘Off’ state. Weird, because we hadn’t done this, and Intune licensing was being managed by a group via Azure AD as per these instructions. That configuration was still in place too when I checked. I decided to do the logical thing and ‘turn it off and back on again’ – so I disabled the assignment on that page, then re-enabled the same group with the Intune license.

After then going back to the Office 365 User search, I found that all the users had now changed to ‘on’ again. The only recent event in the last few weeks was a renewal of our licenses, so I wonder if something happened in the back end as a part of that?

Anyway, if you see the ‘Couldn’t enroll your device’ message when using the Intune Company Portal app, make sure the user has their Intune license enabled!