Office 365

OneDrive for Business Auto Sign In – Windows 10

If you’re looking at starting to use OneDrive for Business and you’re working with a PCs joined to a local domain, you can now have a seamless sign in experience for end users (Note that the Group Policy setting for this is in preview according to the documentation).

OneDrive for Business from the client’s perspective has been dropped. It’s just OneDrive now, even though the backend is OneDrive for Business as part of an Office 365 subscription.

You’ll need Windows 10 1709+ for this, as that’s the first version of Windows 10 that has OneDrive baked in. There’s no deployment of the app required then, so you won’t need to use or modify OneDrive for Business. The newer client has much less syncing issues too – if you’re not sure what one you’re using, check what executable is running. OneDrive.exe is the new client, where Groove.exe is the older.

Since OneDrive is part of Windows 10 now, if you aren’t ready for this or don’t want it yet, you’ll need to use the Group Policy setting ‘Prevent the usage of OneDrive for file storage’ which is found in Computer Settings > Policies > Administrative Tempates > Windows Components > OneDrive (note that this is different to the location of where the above new policies sit for OneDrive, which is one level down straight under Administrative Templates).

If you’re migrating from an existing install, then you’ll need to follow this process. Otherwise if you’re starting fresh, there’s a great guide here to go through.

The short version of these steps is:

  1. Windows 10 1709 already has OneDrive, so no deployment required.
  2. Get the ADML and ADMX Group Policy files and deploy them in your environment. Make sure they’re the latest ones too, which you should be able to get from any Windows 10 1709 PC in the path %localappdata%\Microsoft\OneDrive\BuildNumber\adm\
  3. Configure your Group Policies to the settings you want, but the one you’ll need for auto sign in is “Silently configure OneDrive using Windows 10 or domain credentials“. This setting should set the regsitry key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive] “SilentAccountConfig”=dword:00000001. With this setting, there’s an extra registry settings to configure:[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive] “EnableADAL”=dword:00000001 – This setting enables Modern Authentication for OneDrive.

That’s it!

After this is configured and you log on, the OneDrive client will automatically sign in as the logged on user – assuming you’re properly set up on the Azure AD and Office 365 side of things. There’s no prompt, no notification and users can start using it straight away at their convenience.

Note that if you disabled OneDrive from running at first user login (usually via the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with something like “C:\Windows\SysWOW64\OneDriveSetup.exe /silent”, you’ll need to retrigger the install. That /silent switch will make OneDrive install and sign in automatically with the above settings.

If you’re planning on moving user’s home drives to OneDrive, you’ll need to manually move the files or run a script like this to migrate the data – or find a paid solution.

Update 26th April 2019:
I had this broken for a while, and found many others that also had it broken. For me, after spending months with OneDrive for Business support, I ended up working out the Group Policy was corrupt in some way. Completely disabling the policy and creating a new one with the identical settings worked.

For context, I had one Group Policy object that disabled OneDrive. A second one with a higher link order, was targeted at certain users and groups to enable OneDrive. That second one was somehow the problem – maybe an update to ADMX files broke it?

Anyway, re-doing that, and using the reg key to deploy OneDriveSetup.exe to run at login with the switch ‘/thfirstsetup’ was all that was needed, and it worked again.

If you’re having problems yourself with this, put a user and computer in an OU that has all policy inheritance disabled, create new GPOs and try to get it to work that way.

Exchange Online and Exchange On-Premises Security Groups

I had a requirement come up where I needed a list of Exchange Online users as well as Exchange On-Premises users. If you’re hybrid or going through a long migration, there’s many scenarios where you want certain products or settings applied against the users and accounts based on where their mailbox is.

You could maintain that manually, but why do that when you can automate it!

Thankfully there’s two easy commands that will return accounts based on where they are – get-mailbox and get-remotemailbox. As long as you’re in Exchange Hybrid mode, you can run both of these commands against your local Exchange server.

Here’s the quick script I wrote up:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange server name/Powershell -Authentication Kerberos
Import-PSSession $session
$remoteusers = Get-RemoteMailbox -resultsize unlimited
$onpremusers = Get-mailbox -resultsize unlimited
$remotegroup = "Exchange Online Users"
$onpremgroup = "Exchange OnPrem Users"

Get-ADGroup $remotegroup | Set-ADObject -clear member
Get-ADGroup $onpremgroup | Set-ADObject -clear member

foreach ($user in $remoteusers){
Add-ADGroupMember -Identity $remotegroup -Members $user.SamAccountName
}

foreach ($user in $onpremusers){
Add-ADGroupMember -Identity $onpremgroup -Members $user.SamAccountName
}

Remove-PSSession $Session

All I’m doing here is getting the two user types and putting them into variables – $remoteusers and $onpremusers. I’ve also used the group names as variables, so you can create whatever AD groups you like and put them into the $remotegroup and $onpremgroup variables.

Also I’m clearing out all members of the group before adding users, which means if someone gets migrated or leaves, they’ll be cleaned up from the old group properly.

Finally I’m going through the two users lists and using ‘foreach’ to add each user to the relevant group, using the SamAccountName value of each result to identify them.

It’s only a basic script, but you can easily add extra filters to the Get-Mailbox and Get-RemoteMailbox commands to do things such as only getting users from certain OUs.

This was tested on Exchange 2010, so if you get different results on Exchange 2013 or 2016 please let me know.

Microsoft Bookings for E3 and E5 Customers

There’s a few Office 365 features that were released only for Business customers; there’s a nice list of all the Office 365 Features and what subscription they sit under on Technet. The good news is that they’re coming to Enterprise customers too!

The first service to be available is called Bookings which lets you build a booking system for your customers to use. There’s actually a lot to it – you can set rates, who’s available, what times to book, what sort of appointments customers can choose.. I can see it being a big benefit to a small business to have a very easy to configure and professional booking system.

I can see why Microsoft originally didn’t let Enterprise customers have this product – it’s not going to work well if you have 1000 staff that can be booked using it, and have more complex requirements.

Regardless, I’m sure many Enterprise customers want to at least have a look at a new free addon that’s part of their subscription.

There’s a few steps to getting access to Bookings, and it’s different to other products such as Teams. Again, Microsoft have a Technet Guide on getting Bookings but here’s the abbreviated version;

In Office 365 Admin, go to Billing > Purchase Services. Find Business Apps (it’s near the bottom), and follow the bouncing ball from the ‘Buy Now’ button which shows up when you hover over or click the Business Apps tile. It’s a bit strange to go through a purchase process for an E3/E5 subscription.

Although there’s an option to “Automatically assign to all of your users with no licenses” I found that at the end of the process, nobody actually had the license applied. You’ll need to follow your normal license allocation procedure (which at the basic level, can be choosing a user from the admin console, going to Product Licenses, finding ‘Business Apps’ and changing the switch to ‘on’).

I also hit an issue when going through the purchase process when choosing to pay. I had the message ‘Sign-in required For security reasons, please try signing in again. If you receive this notification again, a specific browser setting is preventing you from utilizing this page. Please follow this support article to fix the issue.’ Trying again ended up going in a loop to see that message. Google Chrome I couldn’t resolve this; Internet Explorer however, set your browser settings as per the support article but then completely close all IE windows, or it doesn’t seem to work.

Once you’ve purchased, it only takes a minute or less for the licenses to appear. As above, make sure you’ve then checked and applied the license to an account you plan to test on. The app itself may take longer to show up in the dots menu, but you can go direct to bookings.office.com and you will hopefully see a page like this:

From there, you can start to check out settings and configure it up!

Removing Unwanted SMTP Records From Exchange Hybrid

I’m still new to Exchange Online and Office 365 mailbox management, but got stuck on this scenario for a bit.

After testing an E-mail Address Policy, I wanted to remove what the policy had done. I’d already discovered that taking an address off a policy itself doesn’t remove it from the accounts, and run this simple script to remove the unwanted SMTP record off each account. However, accounts that had been migrated to Office 365 didn’t change and still had the unwanted SMTP record.

I checked on Exchange Online itself, and the address I’d added hadn’t flowed through. I believe this was because it was using a domain that Office 365 didn’t know about – but that also meant that I had no records to change at that end. I could however go into the mailbox itself via the Exchange console and remove the unwanted record.

It turns out, that I had to use the ‘Get-RemoteMailbox’ and ‘Set-RemoteMailbox’ command in place of the ‘Get-Mailbox’ command. Although I was working with Exchange PowerShell on-premises, the mailbox type is “RemoteUserMailbox’. ‘Get-Mailbox’ against any migrated item will not find those objects that live in the cloud.

 

If you want to see which Exchange objects have a particular SMTP record in Exchange 2010, regardless of what mailbox type they are or where it lives, there’s an easy way.

Make sure the ‘Recipient Configuration’ tree option in the Exchange Console is selected, and filter with E-Mail Addresses > Contains > your unwanted SMTP record:

This will make sure all object types (including groups, contacts etc) don’t have the unwanted SMTP record.

Office 365 Extra Features Overview

In September 2017, I presented at the user group I co-own with Brett Moffett on the topic of Office 365 Extra Feature Overview. I wanted to show some of the key parts of Office 365 beyond Exchange, SharePoint and Skype for Business. Here’s a recording of that presentation:

 

Forms is still my favorite ‘quick win’ feature, which I previously covered along with a sample form and results.

If you’re ever in Adelaide and want to come along to our monthly catchups, here’s our Meetup page: https://www.meetup.com/preview/Adelaide-Microsoft-ITPro-Community