Controlling External Collaboration in Microsoft Teams

Most organizations are required these days to enable collaboration solutions and services with external parties. these may include b2b scenarios or b2c in some cases.

In this blog I’ll be specific to Office 365 Group resources, with Microsoft Teams as an example, you should be aware that each Team in Microsoft Teams corresponds to an Office 365 group.

A common ask is “We wish to enable only named people to join as a guest to our Teams, we don’t want anyone from the organization to invite anyone they like – we need to control this with an internal workflow.”  to satisfy this request, we will use native capabilities within Azure Active Directory and Office 365 to enable group owners to add existing external guests to their team/office 365 group. In addition, we will enable only specific people in the organization with the permission to create and add new guests accounts to the directory.

Note: This is the basic example, this can be adapted to more complex workflows of approval/automation to make this more customized to a specific requirement.

      1. In Office 365 Admin Center, navigate to “Services & add-ins”, select “Office 365 Groups” and enable “Let group owners add people outside the organization to groups”

         enable-office-365-group-guest
        Enabling the capability to add external guest accounts to Office 365 groups.
      2. To make sure your guests will also have access to the SharePoint files, enable external sharing using the SharePoint Admin Center. with alignment to our blog theme, we will enable access to Existing accounts only.

        enable-external-sharing-in-sharepoint
        Enabling external content sharing within SharePoint to allow guests to access the files within Microsoft Teams.
      3. We are now ready to limit who can invite external guests. we will configure this using the Azure Active Directory blade in the Azure portal.
        Azure-AD-manage-external-collaboration

        Azure-AD-only-admins-can-invite
        Disabling the capability for non-admin or users with the guest inviter role to add new external guest accounts to the directory

        Disabling “Members can invite” and “Guests can invite” will effectively achieve our goal – “Admins and users in the guest inviter role can invite”

      4. Finally add assign the “Guest inviter” role to whom ever you need

        Azure-AD-assigning-guest-inviter-role
        Assigning the “Guest inviter” role to a specific user account.

The configuration is now complete, a Guest Inviter or an Admin can now add new guests to the directory, and follow whatever internal due diligence or workflow prior to that. Using the (new) AzureAD PowerShell module is my personal recommendation, this way the guest user could be silently added to the directory – and an email will not be sent to him. later on an owner of an Office 365 Group or a Microsoft Teams group could add him easily like any other member – and that will trigger the email invite to the external user.

New-AzureADMSInvitation -InvitedUserDisplayName "John Doe (External)" -InvitedUserEmailAddress "john.doe@contoso.com" -SendInvitationMessage:$false -InviteRedirectUrl "http://just.a.placeholder.local"

Using the Azure AD portal is also available to the guest inviter role if PowerShell is out of the question

Adding a new external guest account to the directory.

And if you’ve wondered, this is the error if someone would try to add a new guest account and they don’t have the proper permissions in Microsoft Teams.

Enjoy!

EMS license assignment to all users made easy

So you’ve purchased Microsoft’s Enterprise Mobility Suite (EMS) licenses, now you need to assign them to users within your organization. A typical situation will be that you already have Office 365 licensed users, and it make sense that all of them will get EMS licenses too.

To achieve this, I would suggest using an Azure AD group with Dynamic Group membership. in this example, the group will include accounts that match ALL these conditions:

  • Enabled users accounts
  • Users with an email address
  • Users with a-non empty Usage Location
  • Synchronized user accounts

Within the Azure AD management portal (http://manage.windowsazure.com) navigate to your Active Directory tenant, and perform the following:

  1. Create a group in Azure AD
  2. Enable it for Dynamic Membership
  3. Enter the advanced rule: (user.accountEnabled -eq “true”) AND (user.mail -ne $null) AND (user.usageLocation -ne $null) AND (user.dirSyncEnabled -eq true)
  4. Assign EMS licenses to the Group

You can read more about Dynamic Group Membership here:

http://blogs.technet.com/b/ad/archive/2015/03/09/attribute-based-dynamic-group-membership-for-azure-ad-premium-is-now-in-preview.aspx

https://azure.microsoft.com/en-us/documentation/articles/active-directory-accessmanagement-groups-with-advanced-rules/

You can also assign licenses with the following methods:

  1. Using the Office 365 Portal – like you would add Office 365 licenses.  This was made available late 2015 – http://blogs.technet.com/b/microsoftintune/archive/2015/09/01/intune-and-ems-subscriptions-now-available-in-the-office-365-portal.aspx
  2. Using Azure AD PowerShell – http://blogs.technet.com/b/treycarlee/archive/2013/11/01/list-of-powershell-licensing-sku-s-for-office-365.aspx ,you can use the following example to assign EMS licenses (with all options) only to users with an Office 365 E3 license:
    $EMSSKU = (Get-MsolAccountSku | ? { $_.AccountSkuID -like "*:EMS"})[0].accountSkuId
    Get-MsolUser -All | ? { $_.licenses.accountsku.SkuPartNumber -eq "ENTERPRISEPACK"} | Set-MsolUserLicense -AddLicenses $EMSSKU
  3. Azure AD Graph API – https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations#FunctionsandactionsonusersAssignalicensetoauser

Enjoy

ilantz

High Resolution User Photo Synchronization to Office 365

There are some known limitation and inconsistency with user photos synchronization from Active Directory (using the thumbnailPhoto attribute) to Azure AD and Office 365 apps: Exchange, SharePoint and Skype for Business (aka Lync), specifically if you want to upload high resolution photos of your users that will span across all of Office 365 services.

After spending some research time around this issue, here are my findings:

So to summarize at this point, we want to import high resolution photos to our users. If we rely on the thumbnailPhoto attribute value from Active Directory, we will end up with low resolution images (needs more JPEG effect) or inconsistent results if we look on the SharePoint case.

To upload high resolution photos to Office 365, you should use Set-UserPhoto. This approach works great for Exchange Online, Skype for Business and Azure AD. Although promising, my testing (and others..) showed that if your users’ photos were previously synced to SharePoint Online – they will not necessarily be updated using this method.

Here is my take on solving this, in a somewhat chronological order:

  1. If you need your on-premises thumbnailPhoto attribute populated, keep your current practice of maintaining them.
    1. To avoid future inconsistencies – use “Azure AD app and attribute filtering” to filter out thumbnailPhoto using Azure AD Connect – Custom installation of Azure AD Connect
  2. Utilize the Set-UserPhoto cmdlet in Exchange Online PowerShell to upload your users high resolutions (648×648 px) photos
    1. Note Uploading High Resolution Photos using PowerShell for Office 365 to workaround – “The remote server returned an error: (413) Request Entity Too Large” error if you get this.
  3. To upload your users high resolution photos to SharePoint online use the Core.ProfilePictureUploader sample app from the OfficeDev PnP GitHub repo.
    1. To make this easier to non coders 🙂 I’ve complied the code sample for your usage – http://ilantz.com/files/Core.ProfilePictureUploader.zip
      1. Get the source code here and also make sure to read the FAQhttps://github.com/OfficeDev/PnP/tree/master/Samples/Core.ProfilePictureUploader
      2. Follow the explanations in the GitHub page link above around how to run the utility (configuration.xml , the CSV input file and the command syntax).
      3. Make sure your pictures are JPEG files…
    2. This sample app is also documented here, with some additional explanations – Upload user profile pictures sample app for SharePoint

That’s it !

Hope this helps anyone, please comment if it did.

ilantz

How to reset OneDrive for Business when it’s crashing constantly

Recently I’ve messed with my Windows 8.1 profile account, and shortly after my OneDrive for business client started crashing in a loop… it just went crazy, filling my notification area with icons failing to stop. I had no way to reach any menu or remove the folders I’m syncing.

I’ve tried the easy (lazy) way of repairing / uninstalling / removing Office 365 ProPlus (in my case) which turned out useless.. did some manual clean up of registry entries, removed caching files and obviously looked-up forum threads and KB’s which also turned out as you’ve guessed it – useless…

Almost desperate, I’ve turned to the all mighty Process Monitor and started debugging the errors.

Thru closely examining the endless output of entries, I’ve spotted an undocumented registry entry that was being checked by the Groove.exe (which is your OneDrive sync process) upon start-up.

So there I was, crossing fingers,  editing the registry hoping… and BINGO! I have performed a reset to the OneDrive for Business client, and it behaved like the first time I’ve opened it up.

Here it is, Add/Modify these two DWORD values:

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Groove]
"FirstSyncComplete"=dword:00000000


[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Groove\Development]
"IsResyncEnabled"=dword:00000001

Hope this post will help more good folks out there.

ilantz

The Windows PowerShell snap-in Coexistence-Configuration is not installed on this machine

Update 2 – February 24th 2016 – The new February AD Connect release has no schedule task anymore. So we now have a new command in the ADSync module – Start-ADSyncSyncCycle.

To initiate a synchronization locally or remotely (if enabled) , you could run the following command for example:

Invoke-Command -ComputerName DirSync-Server.domain.com -ScriptBlock {& Import-Module ADSync;Start-ADSyncSyncCycle}

Update – July 7th 2015 – For those who have installed the latest AADSync – Azure Active Directory Sync or AD Connect – Azure Active Directory Connect

There has been another change to the module name, it is now ADSync. and the great news is that forcing replication will no longer be a PowerShell cmdlet.

To initiate a synchronization locally or remotely (if enabled) , you could run the following command for example:

Invoke-Command -ComputerName DirSync-Server.domain.com -ScriptBlock {& "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"}

If you’re looking also to force a full password sync to Azure AD , visit this page – How to Use PowerShell to Trigger a Full Password Sync in Azure AD Sync


Just noticed now that the new build of Windows Azure Directory Synchronization Tool, is missing the DirSyncConfigShell.psc1 file.
Moreover, the Coexistence-Configuration PSSnapin is also gone. Trying to add the pssnapin would generate the error – The Windows PowerShell snap-in Coexistence-Configuration is not installed on this machine.

So if you’ve trying to use the known way to force a synchronization with DirSync, use these PowerShell commands to achieve what you were used to.

Import-Module DirSync
Start-OnlineCoexistenceSync

import-module-dirsync

enjoy !

This message could not be sent – Error 0x80070005 – Office 365 | Report non-inherited Send-As permissions script

After a few incidents from Office 365 deployments, I’d like to share this issue to help anyone facing it.

If you or anyone of your users tried to send an email and use the “From” option to send as another recipient you might face NDR’s (non delivery reports) which will include these errors:

  • Delivery has failed to these recipients or groups
  • This message could not be sent. Try sending the message again later, or contact your network administrator.  Error is [0x80070005-00000000-00000000]

Using Exchange Server Error Code Look-up (Download Err.exe), 0x80070005 resolves back to MAPI_E_NO_ACCESS or E_ACCESSDENIED which bring us to the actual cause of the issue.

SendAs / Send-as permissions are not retained in migrations to Office 365 just because it is based on an ACL set in Active Directory and ACLs are not synced to Office 365.

To add a SendAs permission use the Add-RecipientPermission cmdlet with Exchange Online Remote PowerShell or use the Exchange Admin Control Panel and add the Send As permission from the “Mailbox Delegation” menu.

Add-RecipientPermission "Help Desk" -AccessRights SendAs -Trustee "Ayla Kol"

See the full reference about the command here – http://technet.microsoft.com/en-us/library/ff935839(v=exchg.150).aspx

As a result of this issue, I’ve created a small script to report which recipients (of any type) have non inherited SendAs permissions ACL’s.  You can later use the report to re-create the permission in 365.

Download the script here: http://gallery.technet.microsoft.com/Report-non-inherited-Send-86ab658b

 

Setting Office 365 UsageLocation value using the Country attribute value

Hi,

Since Office 365 projects started, setting users` licenses with scripts has been somewhat of an issue.

There are great scripts out there to automate assigning licenses to users, but the prerequisite of assigning an Office 365 license to a user is to choose the Usage Location for that user. When dealing with several dozens or hundreds of users that might be fine, but for large scaled deployments this becomes also an issue. and I’ve decided to script it and share this in case anyone will need this as much as I did.

This script is has a really simple logic, trace down the Country attribute value for each user, match that with the two letter country code (required for the PowerShell Set-MsolUser command) and set that value for the user.

I’ve worked up to match the list from https://www.iso.org/obp/ui to the countries available for selection within the Office 365 portal.

Keep in mind that the script will not handle any spelling errors, so be sure to maintain the country value BEFORE you run this script. If you are using Directory Synchronization this should be more productive as your Active Directory will also benefit from this move…

The script will try to find an exact match of the country value, although – case Insensitive.

grab it here: http://gallery.technet.microsoft.com/office/Setting-Office-365-Usage-4d685175

Please share your comments if you have any, I would love hearing this script is being used.

ilantz

Exchange Hybrid Configuration failed with error Subtask Configure execution failed

Hi Again,

While setting up the Hybrid Configuration Wizard on an Exchange 2010 server for Office 365, I’ve encountered this error:

[2/4/2014 13:36:8] INFO:Running command: Get-FederationInformation -DomainName 'contoso.mail.onmicrosoft.com' -BypassAdditionalDomainValidation 'True'
[2/4/2014 13:36:8] INFO:Cmdlet: Get-FederationInformation --Start Time: 2/4/2014 3:36:08 PM.
[2/4/2014 13:36:16] INFO:Cmdlet: Get-FederationInformation --End Time: 2/4/2014 3:36:16 PM.
[2/4/2014 13:36:16] INFO:Cmdlet: Get-FederationInformation --Processing Time: 7690.8.
[2/4/2014 13:36:16] INFO:Disconnected from On-Premises session
[2/4/2014 13:36:17] INFO:Disconnected from Tenant session
[2/4/2014 13:36:17] ERROR:Updating hybrid configuration failed with error 'Subtask Configure execution failed: Creating Organization Relationships.


Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.


Operation is not valid due to the current state of the object.
at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke()
at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)
'.


Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration\HybridConfiguration_2_4_2014_13_35_39_635271177398297855.log.

Looking at the application log in the Exchange server showed an Event ID 403 with source MSExchange Common:
The Certificate named xxxxxxx in the Federation Trust 'Microsoft Federation Gateway' is expired. Please review the Federation Trust properties and the certificates installed in the certificate store of the server.

The Certificate named xxxxxxx in the Federation Trust 'Microsoft Federation Gateway' is expired. Please review the Federation Trust properties and the certificates installed in the certificate store of the server.

After checking of course, the Federation certificate was just created… and is indeed valid…..

All that was required was a quick “restart” to the application pools on the server, I usually just restart the MSExchangeServiceHost and MSExchangeProtectedServiceHost services. after that the wizard completed successfully 🙂

Hope this helped anyone,

ilantz

Manually adding a secondary SMTP proxy address for hybrid Exchange Online and Office 365

Update – 05-02-2015 – Thanks for the feedback about this post, some more work has been done, please download the new version…

Update – 07-30-2014 – Thanks for the feedback about this post, I’ve republished the code. it is now wrapped as a script and also logs results to a log file. download the new version…

I’ve been busy with more Office 365 and Hybrid Exchange Online deployments and came up with a script I hope will help some of you out there.

While deploying an Hybrid Exchange Online setup, one of the steps the Hybrid Configuration Wizard is doing is modifying the email address policy and adding “alias@tenant.mail.onmicrosoft.com” to the relevant EAP policies. This is great although there’s a good chance you have some mailboxes that are set with EmailAddressPolicyEnabled:$false

I’ve written a function script that will help you add the additional secondary SMTP proxy address to those mailboxes easily 🙂

Here’s an example on how to use the script:

.\Add-OnMicrosoftSMTP.ps1 -Tenant:ilantz

The script will require your “Tenant” name, for example – if your Office 365 tenant is ilantz.onmicrosoft.com, enter ilantz as the tenant name. Once entered it will find all mailboxes with the property EmailAddressPolicyEnabled:$false and have no routing SMTP address like *@tenant.mail.onmicrosoft.com (following the default Exchange Hybrid Configuration Wizard settings).
Then the script will add the required SMTP proxy address following the PrimarySmtpAdress prefix, if that SMTP proxy address is already taken, the function will add a random 5 digit number to the prefix – John.Doe12345@tenant.mail.onmicrosoft.com.

The script will catch and display any exceptions that may occur during the process. and will automatically log the results to a log file.

Get the script here – http://gallery.technet.microsoft.com/Office-365-Add-Exchange-14c7f0c3
Revision History
——————————————————————————–

1.0 – Initial release

1.1 – Updated and rewritten as a script instead of a function which caused confusion

1.2 – Added Logging of successful addresses being added and failures

1.3 – Updated with server-side filtering to get all relevant users for better efficiency,
an updated logging mechanism and using now the PrimarySmtpAddress prefix value for the routing address.

Enjoy !

ilantz