Dank je wel, Haarlem!

Last week, I was fortunate enough to speak at the inaugural Office 365 Engage conference in Haarlem, Netherlands. I had been looking forward to it for months, not only because it was my first time visiting the Netherlands, but I had heard about how picturesque the city was and had been told that the conference venue, the Philharmonie, was something quite special. I can honestly say that no description could do it justice, it really is the nicest conference venue I’ve ever seen.

The conference itself was extremely well organized and I definitely have to compliment the organizers for the level of thought that went into every detail. There were more than 40 speakers, 31 of which were Microsoft MVPs. We were encouraged to call on our real world experience and be independent voices so this was a true technical conference and not just another marketing junket. There were 6 tracks with plenty of great content to go around:

  • Azure Infrastructure
  • Exchange Online
  • Office 365 Administration
  • Office 365 Applications
  • Office 365 Development
  • SharePoint Online

My sessions on Office 365 management and mobile device management were well received and I even managed to pull off an elaborate demo using a couple of devices. A special thanks to MVH for helping me get around the need for multiple HDMI inputs, it definitely made the demo flow more smoothly.

After a few great days, I can only imagine that Office 365 Engage 2018 will be even better. If you are looking to build your skills and network with some of the best in the business, I’d definitely encourage you to check out Office 365 Engage in 2018 – I hope to see you there!

I am speaking at Office 365 Engage!

I’m really excited to announce that I’ll be speaking at Office 365 Engage in Haarlem, Netherlands 19-22 June 2017.

Office 365 Engage is Europe’s foremost conference on Office 365 and will be hosted at the Philharmonie Theatre in the energetic picturesque city of Haarlem.

I am thrilled to be one of more than 30 Microsoft MVPs speaking at the event, so if you are interested in learning all about Microsoft Office 365, it isn’t too late to register today!

Use discount code ‘SPRCG378’ to receive a 20% discount when registering.

Script: Connect-365.ps1 - Connect to Office 365 services using remote PowerShell

I'm excited to announce the release of Connect-365! Back in 2012, I put together a basic script with a GUI to simplify connecting to Exchange Online via remote PowerShell. I had never intended to make the script publicly available and it was just something I used myself. After a couple of years I realized that it had been shared with so many colleagues and clients that I decided to clean it up and publish it on the TechNet gallery. Connect-EXO was born! Here's a screenshot of the original first version:

Over time the script matured into what Connect-EXO is today. One of the challenges in the early version was that I used WPF for the GUI, which was problematic for older versions of PowerShell, so I made the decision to port it to Windows Forms for backward compatibility. Forms is old and added a lot of bloat, and since backward compatibility is no longer a concern, I decided to move back to WPF. Connect-365 is essentially the next version of Connect-EXO. I renamed it so that the name more accurately reflects its purpose, and this will allow me to continue to maintain Connect-EXO.

Connect-365 features a GUI that will prompt for your tenant credentials and then connect to various Office 365 services using remote PowerShell. The built-in prerequisite checker will check to ensure that the correct modules are installed and provide a download link for those that are not.

The current version of the script allows connectivity to:

  • Exchange Online
  • Azure Active Directory (using v2 module)
  • Office 365 Security & Compliance Center
  • Skype for Business Online
  • SharePoint Online
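As an added illustration of the kind of prerequisite check described above (this is example code written for this page, not Connect-365's own code), the snippet below looks for the modules each service needs and reports a download link for any that are missing. The module names and the PowerShell Gallery link are real, but which modules Connect-365 actually checks and the download links it uses are assumptions; the two non-Gallery links are placeholders.

```powershell
# Added example, not code from Connect-365. Module names are assumed to be the ones
# each service needs; download links other than the PowerShell Gallery are placeholders.
# Basic Exchange Online remoting needs no module, so it is not listed here.
$Prerequisites = @(
    @{ Service = 'Azure Active Directory (v2)'; Module = 'AzureAD'
       Url = 'https://www.powershellgallery.com/packages/AzureAD' }
    @{ Service = 'Skype for Business Online';   Module = 'SkypeOnlineConnector'
       Url = '<download link placeholder>' }
    @{ Service = 'SharePoint Online';           Module = 'Microsoft.Online.SharePoint.PowerShell'
       Url = '<download link placeholder>' }
)

function Test-ConnectPrerequisites {
    [CmdletBinding()]
    param([hashtable[]]$Required = $Prerequisites)

    foreach ($item in $Required) {
        # Newest installed copy of the module, or $null when it is not installed at all.
        $installed = Get-Module -ListAvailable -Name $item.Module |
                     Sort-Object Version -Descending | Select-Object -First 1

        [pscustomobject]@{
            Service   = $item.Service
            Module    = $item.Module
            Installed = [bool]$installed
            Version   = if ($installed) { $installed.Version } else { $null }
            Download  = if ($installed) { $null } else { $item.Url }
        }
    }
}

$results = Test-ConnectPrerequisites
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning "Missing modules: $($missing.Module -join ', '). See the Download column."
}
```

Running it before attempting any connection gives a clear list of what is installed and what still needs to be fetched, which is the same decision Connect-365 makes before showing its connection options.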

Requirements:
This script will work natively in PowerShell 4.0+

Usage:
There are no parameters or switches, simply execute the script: .\Connect-365.ps1

Execution Policy:
This script has been digitally signed and will run just fine under a "RemoteSigned" execution policy

Screenshots:

Roadmap:

  • Support Azure AD v1 and v2 - Removed as v1 is deprecated
  • Support for Exchange Online MFA (via module) - Done!
  • Derive SPO Admin URL
  • Auto-install prerequisites
  • Much more..

Download:
I have published it to the TechNet Gallery, it can be downloaded by clicking here…

Connecting to Exchange Online with remote PowerShell from a Mac

Yes! It is finally possible to connect to Exchange Online from PowerShell installed on macOS. I noticed some tweets about this being possible on Linux earlier in the week so I thought I’d re-visit testing it on macOS. PowerShell remoting has been available in the macOS version since powershell-6.0.0-alpha.15, but it didn’t include the ability to specify a “ConnectionUri” as the endpoint – it only worked with server names and IP addresses. powershell-6.0.0-alpha.17, which was recently released, now includes this functionality.

The first thing you need to do is download and install the latest release from here; you’ll want to download at least powershell-6.0.0-alpha.17.

Next launch PowerShell and confirm the version:

  $PSVersionTable

We are now ready to establish our remote session. First let’s define our credentials:

  $UserCredential = Get-Credential

Then create the session:

  $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection

And finally, import that session:

  Import-PSSession $Session
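The four steps above, combined into one script as an added example (this is not code from the post): it checks that the PowerShell build is new enough to accept a ConnectionUri, opens and imports the session, runs a quick query, and always removes the session afterwards so that a failed or abandoned script does not leave a remote session behind. The helper name Connect-ExchangeOnlineSession is mine, not an Exchange cmdlet.

```powershell
# Added example, not from the post. Connect-ExchangeOnlineSession is a hypothetical helper name.
function Connect-ExchangeOnlineSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential]$Credential,
        [string]$ConnectionUri = 'https://outlook.office365.com/powershell-liveid'
    )
    # The macOS build described in the post needs PowerShell 6.0.0-alpha.17 or later for
    # -ConnectionUri. (Windows PowerShell 5.1 also works, but this check targets the macOS case.)
    if ($PSVersionTable.PSVersion.Major -lt 6) {
        throw "PowerShell 6.0 or later is required on macOS (found $($PSVersionTable.PSVersion))."
    }
    New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri `
        -Credential $Credential -Authentication Basic -AllowRedirection
}

$UserCredential = Get-Credential
$Session = $null
try {
    $Session = Connect-ExchangeOnlineSession -Credential $UserCredential
    # -DisableNameChecking silences the warning about non-standard verbs in the imported cmdlets.
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # Any Exchange Online cmdlet is now available locally; a small read-only query as a smoke test.
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Always tear the remote session down, even when something above fails.
    if ($Session) { Remove-PSSession $Session }
}
```

Basic authentication here is sent inside the HTTPS connection to the ConnectionUri, so the credential is never sent in the clear, but the session itself is what carries your admin rights; the finally block makes sure it is closed when you are done.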

Once connected you have all the Exchange Online cmdlets available to you:

I haven’t thoroughly tested it yet, but I look forward to spending some time using it soon!

Changes to RSS feeds

Since starting this blog in 2008, I have been using Google Feedburner to publish my RSS feeds and enable 'subscribe by email' functionality. At the time it was a great platform and it provided many benefits, but after nearly 9 years that is no longer the case.

Feedburner has been pretty stagnant since 2012 and I have recently started to notice RSS validation errors in my feed which in turn cause issues with some of the current and planned integrations I have running on the blog. Over the next month, I will be making some changes to the way RSS feeds work on the blog. I will not remove RSS feeds entirely but will be transitioning them from Feedburner.

My analytics data shows that I do have a bunch of subscribers using RSS and email and I do expect the transition to be fairly smooth. Unfortunately, those subscribing via email will need to resubscribe once the transition is done - I figure that an 'opt-in' strategy would be best in this instance. All in all, I'm hoping for minimal disruption.

TLDR; I will continue to offer RSS feeds, but some upcoming changes may mean that you need to resubscribe.

Single Sign On with Azure AD Connect

Ever since the launch of Office 365 (and BPOS before that) there has been a desire to make accessing these services as seamless as possible. Single Sign On (SSO) has long been high on the requirements list for many organizations, and while it has been possible for some time now to provide a near seamless login experience, it has historically come at a cost in the form of additional infrastructure - usually deployed on-premises and at the very least carrying some sort of administrative burden. I’m not against identity federation; I think it definitely has its place, and most of the customers I work with already have some federation solution deployed, so it makes a lot of sense to leverage it for Office 365 as well. But there are always those organizations who don’t already have a solution in place, or those smaller environments where it doesn’t make a whole lot of sense to implement a highly-available AD FS deployment.

Password Sync has long been the best compromise, offering a “Same Sign On” experience where users are able to use their existing AD credentials to access Office 365 services. The recent announcement of Pass-Through Authentication and Single Sign-on means that things are about to get a whole lot better!

I wanted to put together a quick post and run through how easy it is to set up Single Sign On and review the user experience when it is used with Password Sync. Single Sign On can also be enabled with the new Pass-through authentication option, but that’s a story for another post!

Before getting started, it is important to understand the client requirements. The client should:

  • be using a domain-joined machine
  • be using Windows and a supported browser (Edge is not supported)
  • have direct access to a domain controller
  • have the Kerberos end-points defined in the browser’s Intranet zone (AD Group Policy is the easiest way to do this)
    • https://autologon.microsoftazuread-sso.com
    • https://aadg.windows.net.nsatc.net
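As an added check for the last client requirement (example code written for this page, not from the post or from Microsoft), the script below reports, for the current user, whether each of the two endpoints is mapped to the Local Intranet zone (zone id 1), either through the "Site to Zone Assignment List" Group Policy or through a manual per-user zone entry. The two registry locations are my assumptions about where Windows stores zone mappings; the post itself only names the endpoints.

```powershell
# Added example, not from the post. Registry locations are assumptions about where
# Windows keeps zone mappings (policy-delivered and per-user), not taken from the post.
$SsoEndpoints = @('autologon.microsoftazuread-sso.com', 'aadg.windows.net.nsatc.net')

function Test-IntranetZoneMapping {
    [CmdletBinding()]
    param([string[]]$HostName = $SsoEndpoints)

    $policyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

    foreach ($h in $HostName) {
        # Group Policy mapping: one value per URL pattern, holding the zone id as a string.
        $viaPolicy = $false
        if (Test-Path $policyKey) {
            $matches = @((Get-ItemProperty -Path $policyKey).PSObject.Properties |
                Where-Object { $_.Name -like "*$h*" -and "$($_.Value)" -eq '1' })
            $viaPolicy = $matches.Count -gt 0
        }

        # Manual mapping: Domains\<registrable domain>\<remaining labels>, DWORD "https" = zone id.
        $labels = $h.Split('.')
        $key = Join-Path $domainsKey ($labels[-2..-1] -join '.')
        if ($labels.Count -gt 2) {
            $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
        }
        $viaUser = $false
        if (Test-Path $key) {
            $entry = Get-ItemProperty -Path $key -Name https -ErrorAction SilentlyContinue
            $viaUser = ($null -ne $entry) -and ($entry.https -eq 1)
        }

        [pscustomobject]@{
            Endpoint          = $h
            IntranetViaPolicy = $viaPolicy
            IntranetViaUser   = $viaUser
            Ok                = $viaPolicy -or $viaUser
        }
    }
}

Test-IntranetZoneMapping | Format-Table -AutoSize
```

If either endpoint shows Ok = False on a domain-joined client, the browser will not send the Kerberos ticket and the user will be prompted for a password, which is exactly the symptom to look for when SSO appears not to work.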

Once the client requirements have been taken care of, we need to update AAD Connect. At the time of writing, version 1.1.380.0 is the latest version. It looks like these new features were introduced in version 1.1.370.0. If we compare the “User sign-in” page to that of an older build you’ll notice the addition of a few more features:


To upgrade AAD Connect, follow your regular upgrade procedure. If you don’t have any customizations or special considerations, you can just let the wizard perform the upgrade for you:

Once upgraded, you’ll want to run the configuration wizard again and tick the “Enable single sign on” checkbox on the “User sign-in” page (shown above) and that is all there is to it!

Let’s compare the user experience before and after enabling Single Sign On. Here is the user experience before:

and here is the user experience after implementing Single Sign On with AAD Connect (you’ll notice that I do not have to re-enter my password this time):

Note: In the demo videos, I have my home page set in a way that forces my custom branding before any user credentials are entered. You can do this by either creating a web redirect or setting your home page to: https://login.microsoftonline.com/login.srf?whr=your_domain.com (replace your_domain.com with your actual domain name!)

There is a lot of great documentation available about Single Sign On on the Microsoft website, I highly recommend that you check it out as well:

Configuring session timeouts for Outlook on the Web (OWA) in Exchange Online

In today’s browser-first, cloud-first world, many organizations look at reducing risk by imposing strict session timeout settings on their productivity tools and applications. The idea generally is that if a user is not actively using an application for 10-15 minutes, they have completed the task they were working on and have forgotten to log off correctly. This can be especially dangerous when these applications are accessed on shared terminals or public computers. Given that email remains a vitally important business tool for many organizations, reducing the session timeout on Exchange Online (and Exchange 2016) is a fairly common request and it is really simple to do.

By default, session timeout is enabled for OWA (let’s just call it that, shall we?) and is set to 6 hours. You can confirm this configuration via PowerShell using the Get-OrganizationConfig cmdlet:

  Get-OrganizationConfig | FL ActivityBasedAuthenticationTimeout*

There are two parameters in particular worth paying attention to:

  • ActivityBasedAuthenticationTimeoutEnabled
  • ActivityBasedAuthenticationTimeoutInterval

ActivityBasedAuthenticationTimeoutEnabled is pretty self-explanatory; you will want to keep it enabled if you intend to set the timeout interval. The ActivityBasedAuthenticationTimeoutInterval parameter controls the actual timeout interval in hh:mm:ss format, where hh = hours, mm = minutes and ss = seconds. Note that this parameter has a range of 5 minutes to 8 hours. Changes can be made using the Set-OrganizationConfig cmdlet; for example, to set the timeout interval to 15 minutes we'd issue the following command:

  Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutInterval 00:15:00

During my testing, it took a really long time (12+ hrs) for this to take effect so don't be alarmed if it doesn't work right away.
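An added example that wraps the change described above in a small function (example code for this page, not from the post): it rejects intervals outside the 5 minute to 8 hour range before touching the tenant, warns when the timeout is disabled so the interval would have no effect, supports -WhatIf, and returns the before and after values so the change is recorded. Set-OwaSessionTimeout is my helper name, not an Exchange cmdlet; it assumes an Exchange Online remote session is already imported.

```powershell
# Added example, not from the post. Set-OwaSessionTimeout is a hypothetical helper name
# and assumes an Exchange Online remote PowerShell session has already been imported.
function Set-OwaSessionTimeout {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [timespan]$Interval)

    # Supported range for ActivityBasedAuthenticationTimeoutInterval: 5 minutes to 8 hours.
    $min = [timespan]'00:05:00'
    $max = [timespan]'08:00:00'
    if ($Interval -lt $min -or $Interval -gt $max) {
        throw "Interval $Interval is outside the supported range of $min to $max."
    }

    $before = Get-OrganizationConfig | Select-Object ActivityBasedAuthenticationTimeout*
    if (-not $before.ActivityBasedAuthenticationTimeoutEnabled) {
        Write-Warning 'ActivityBasedAuthenticationTimeoutEnabled is $false; the interval will have no effect until it is enabled.'
    }

    if ($PSCmdlet.ShouldProcess('OrganizationConfig', "Set OWA timeout interval to $Interval")) {
        # TimeSpan.ToString() yields the hh:mm:ss form the parameter expects, e.g. 00:15:00.
        Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutInterval $Interval.ToString()
    }

    $after = Get-OrganizationConfig | Select-Object ActivityBasedAuthenticationTimeout*
    [pscustomobject]@{
        Enabled        = $after.ActivityBasedAuthenticationTimeoutEnabled
        IntervalBefore = $before.ActivityBasedAuthenticationTimeoutInterval
        IntervalAfter  = $after.ActivityBasedAuthenticationTimeoutInterval
    }
}

# Preview first, then apply a 15 minute timeout.
Set-OwaSessionTimeout -Interval ([timespan]'00:15:00') -WhatIf
Set-OwaSessionTimeout -Interval ([timespan]'00:15:00')
```

Keep the returned object with your change record; as the post notes, the new value can take many hours to take effect, so the "after" reading confirms the setting was accepted even though the user-facing behaviour may not change immediately.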

For more information on the Set-OrganizationConfig parameters, see TechNet.

Getting started with AAD conditional access - Location based access rules

Azure Active Directory (AAD) conditional access is something I’ve been wanting to post about for a while now. A scenario I come across fairly often is the desire to prevent access or add an additional layer of security to certain Office 365 workloads when the user is connecting from a remote, non-corporate location. In the past, this could be achieved by making use of claims rules and Active Directory Federation Services (AD FS) which meant that it wasn’t possible for those organizations not making use of federated identities with Office 365.

AAD conditional access solves this problem and makes it really simple to apply access policies to AAD connected applications. Conditional access does require an AAD premium license (P1). In this post we’ll cover a simple location based scenario where we prevent users from accessing Outlook on the web (OWA) from outside of the organization’s network. In order to configure conditional access you will require:

    • Azure Active Directory premium licensing
    • Access to the Azure management portal (classic portal)

Conditional access policies are configured via the classic Azure management portal (http://manage.windowsazure.com). Locate “Active Directory” on the left-hand side, select your Office 365 directory and click the “Applications” option.

Next, select the “Office 365 Exchange Online” application and turn access rules “On” under the “Multi-factor authentication and location based access rules” section. You have the option of applying your rules to all users or to selected groups. You then select the “Block access when not at work” option. You also have the option to enforce MFA for an application, which is useful if you would like to enable MFA only for specific applications, or you could require MFA only when users are accessing the application from outside the corporate network.

It is important to ensure that you define your corporate network ranges by clicking the link. All connections from locations outside the defined network ranges will be treated as remote.

Once configured, you will notice that users are still able to access the Office 365 portal; however, once they click the mail option in the app launcher they will no longer be able to access Outlook on the web unless they are connecting from an approved location.

This is a very simple example of how to use location based access rules. It is also possible to configure device based access policies which provide an incredible amount of control over which devices can access your applications. I’ll cover device based access policies in a future post.


Welcome to Ignite 2016!

It’s here! We’ve all had to wait a little longer than usual for our yearly conference fix since Ignite in May last year, but the wait is finally over and here I am on the eve of Ignite 2016 in my hotel room in Atlanta. There are so many great speakers this year so I wanted to put together a short post listing some of them and highlighting some of the great Office 365 and Exchange sessions that I am personally looking forward to attending.

Monday:

  • Take control of your security and compliance with Office 365 (THR1003) - Caroline Shin: 12:30pm - 12:50pm, Microsoft Theater 4
  • Design global voice deployments with Skype for Business (THR3057) - Ståle Hansen: 1:30pm - 1:50pm, MVP Hub Talk 1
  • Learn how Microsoft IT governs SharePoint Online and Office 365 Groups (THR2031) - David Johnson: 5:40pm - 6:00pm, Microsoft Theater 4

Tuesday:

  • Debate the top 10 reasons not to move your Exchange on-premises mailboxes to Exchange Online (BRK2215) - Greg Taylor, Tony Redmond, Steve Conn: 9:00am - 10:15am, B401 – B402
  • Experience Scott Schnoll's Exchange tips and tricks (BRK3253) - Scott Schnoll: 10:45am - 12:00pm, B401 – B402
  • Meet twin sons of different mothers - Exchange Engineers and Exchange MVPs (BRK2219) - Tony Redmond, Jeff Mealiffe, Andrew Higginbotham, Jeff Guillet, Karim Batthish: 12:30pm - 1:45pm, C112
  • Unplug with the experts on Exchange Server and Exchange Online (BRK2216) - Wendy Wilkes, Greg Taylor, Ross Smith IV, Jeff Mealiffe, Timothy Heeney: 2:15pm - 3:30pm, B401 – B402
  • Access intelligence in the Microsoft Graph and API (BRK3199) - Jon Meling, Andreas Eide: 4:00pm - 5:15pm, A311 – A312

Wednesday:

  • Run Microsoft Exchange Hybrid for the long haul (BRK3217) - Timothy Heeney, Nicolas Blank: 9:00am - 10:15am, Georgia Ballroom
  • Prepare for the future with Windows 10 & Office 365 - better together (THR3061) - Raphael Köllner: 10:20am - 10:40am, Expo Theater 2
  • Explore the ultimate field guide to Microsoft Office 365 Groups (BRK3001) - Tony Redmond, Benjamin Niaulin, Amit Gupta: 10:45am - 12:00pm, Georgia Ballroom
  • Understand the Microsoft Exchange Server 2016 Architecture (BRK3221) - Ross Smith IV, Mike Cooper: 12:30pm - 1:45pm, Georgia Ballroom
  • Migrate to Exchange Online via Exchange Hybrid (BRK3219) - Michael Van Horenbeeck, Timothy Heeney: 2:15pm - 3:30pm, Thomas Murphy Ballroom 2&3
  • Design your Exchange infrastructure right (or consider moving to Office 365) (BRK2093) - Adrian Moore, Boris Lokhvitsky, Robert Gillies: 4:00pm - 5:15pm, B312 – B314

Thursday:

  • Deploy Microsoft Exchange Server 2016 (BRK3220) - Jeff Guillet: 9:00am - 10:15am, Sidney Marcus Auditorium
  • Unplug with the experts on Microsoft Exchange Top Issues (BRK3000) - Nino Bilic, Nasir Ali, Amir Haque, Shawn McGrath, Timothy Heeney, Scott Landry, Gabe Bratton, Angela Taylor: 10:45am - 12:00pm, B401 – B402
  • Investigate tools and techniques for Exchange Performance Troubleshooting (BRK3007) - Jeff Mealiffe, Nasir Ali: 12:30pm - 1:45pm, Georgia Ballroom
  • Automate Exchange deployment with Powershell Desired State Configuration (THR3040) - Ingo Gegenwarth: 2:10pm - 2:30pm, Expo Theater 2
  • Deploy Microsoft Office 365 Client using Configuration Manager (BRK3002) - Amesh Mansukhani, Doug Davis: 4:30pm - 5:15pm, B211 – B212

There is so much great content this year that conflicts are inevitable. Many sessions are repeated throughout the conference, especially on Friday so be sure to look at the alternate times if you are torn between two sessions that are scheduled at the same time.

Outside of the content, there are a bunch of activities taking place this year. ENow Software will once again host one of their legendary “Scheduled Maintenance” parties; these are usually one of the must-attend events of any conference but are for registered guests only, so hopefully you have already registered. QUADROtech has put an interesting spin on the Pokemon Go craze with their “QTmon” competition where contestants have the chance to win $2,220 in cash. Tony Redmond has a great post about this on his blog here, and you can also visit this QUADROtech page for more info.

Enjoy the week!

Disabling Modern Attachments in Outlook 2016

The modern attachments (aka cloudy attachments) feature in Outlook 2016 makes it simple for users to share documents stored in OneDrive for Business or SharePoint with each other as links instead of actually attaching the file and emailing it around. This is a great way to reduce the number of different document versions floating around the organization and helps promote collaboration and co-authoring. Once a cloudy attachment is attached to an email, the user can grant view only or edit permissions to the recipient and Exchange will automatically take care of applying the appropriate permission to the document.

This feature is available out of the box for Exchange Online users using Outlook 2016 and can be enabled for on-premises users with mailboxes on Exchange 2016, provided OAuth between Exchange 2016 and Office 365 has been configured properly and the appropriate prerequisites are in place. But what happens to on-premises customers who do not have Exchange 2016 deployed? The scenario is really interesting in that Outlook will still allow users to send cloudy attachments, but because the backend Exchange environment isn’t able to apply the appropriate permission to the document, the recipient will be unable to view the attachment:

This behavior may confuse users and may not be desirable in some environments. While there is no way to specifically disable modern attachments, there is a workaround that may help achieve similar results. There are two options in Outlook that enable modern attachments:

  • The “Browse Web Locations” option allows users to select files from OneDrive for Business, SharePoint sites or Groups.
  • The “Recent items” list provides a list of recently saved documents and when these documents are saved to OneDrive for Business or SharePoint it will automatically provide the option to attach a cloudy attachment version of the document.

Disabling these two options in Outlook will effectively prevent users from being able to send cloudy attachments and change the user experience from this:

To this:

In order to do this, the following registry keys need to be added to the client machine for each user:

To simplify this, you can download the registry keys here