Latest Posts

Retaining leaver's data in Microsoft 365 - Onedrive for business



In most organisations, compliance with data retention policies is driven by statutory or legal requirements. By default, when a person leaves the company, their email and OneDrive for Business data is retained for 30 days after the account is deleted. To avoid permanent deletion of the data after the 30-day period, you can use the Inactive mailbox or Shared mailbox features to keep the mailbox contents within the service indefinitely (for FREE!), but OneDrive data needs to be handled manually (or automated by a separate process, which is beyond the scope of this article). OneDrive for Business data can be copied to SharePoint sites and kept for reference.

Microsoft 365 data retention policies can be customised to meet your specific business and legal requirements. The standard behaviour when a user is deleted from AD or unlicensed in O365 is that you have 30 days to recover the mailbox and OneDrive content. SharePoint and Yammer data is not lost when the user leaves.

If you are synchronising your Active Directory (AD) with Azure AD using Azure AD Connect, you should consider populating the manager attribute in local AD. If you use accounts created directly in the cloud, the manager can be set within the Office 365 Exchange Admin Center or Azure AD. With the manager attribute populated, the user's manager is automatically given access to their OneDrive site contents upon deletion of the account. They are also notified by automatic emails: one immediately upon deletion (i.e. 30 days before permanent deletion) and one a week before permanent deletion. They can decide whether the content is worth keeping. If they need the contents, files and folders can be moved or copied from within the OneDrive site to other SharePoint sites. Alternatively, they can 'sync' the location to a Windows machine using the OneDrive sync client.

Version control is enabled by default for OneDrive and SharePoint, so a user can go back as far as they want, assuming the version wasn't deleted manually.
OneDrive keeps deleted items in its recycle bin for a maximum of 30 days. To restore deleted files from OneDrive on Windows 10, follow the steps below.

STEP 1. Right-click OneDrive icon and select view online;
STEP 2. Sign in your OneDrive account on the OneDrive for business;
STEP 3. Click the Recycle Bin button on the left pane;


STEP 4. All the deleted files and folders will be displayed on the right pane. To restore specific files or folders, pick them by selecting their checkbox; to restore all items, tap or click Restore all items.

NOTE: When you delete files from OneDrive using File Explorer, they're moved to your computer's desktop Recycle Bin. You can simply restore them from there, unless you have emptied the Windows Recycle Bin or it has overflowed, in which case older items are removed automatically.

The rest of this page covers OneDrive for Business site retention and deletion, i.e. the process followed when a OneDrive site is deleted.

Note - 
Retention policies always take precedence over the standard OneDrive deletion process, so content included in a policy could be deleted before 30 days or retained for longer than the OneDrive retention period. For more info, see Overview of retention policies. Likewise, if a OneDrive is put on hold as part of an eDiscovery case, managers and secondary owners will be sent email about the pending deletion, but the OneDrive won't be deleted until the hold is removed.

The retention period for cleanup of OneDrive begins when a user account is deleted from Azure Active Directory. No other action will cause the cleanup process to occur, including blocking the user from signing in or removing the user's license. For info about removing a user's license, see Remove licenses from users in Office 365 for business.

Disable Self Service Purchase for Microsoft Power Platform (PowerBI, PowerAutomate, PowerApps)

Microsoft requires you to be a Global Administrator or a Billing Administrator if you want to purchase any subscription within Office 365. This holds true no more!

Starting 14 January 2020, Microsoft is giving this control to end-users for its Microsoft Power Platform which currently has three apps  - PowerBI, PowerAutomate (Flow) and PowerApps. With this change, the end-users can really 'Self-Purchase' the subscriptions for these three apps as well as the new apps which will get launched under Power Platform in future.

For now, this change only applies to the Power platform and not other traditional plans like E1/E3/E5. 

While this change can make it easier and faster for your users to access and consume Power Platform apps like Power BI Pro, it can significantly swell your bills, as users may start purchasing services they don't necessarily need, or that the business won't approve for everyone.



Don't worry, it's not too late. You CAN turn this OFF so things go back to normal once again. You'd need to run the following PowerShell Cmdlets -

Step 1. Install and load the PowerShell module "MSCommerce"


Install-Module -Name MSCommerce   # one-time install from the PowerShell Gallery
Import-Module -Name MSCommerce
Connect-MSCommerce


Step 2. Check how your tenant is currently set for these new controls


Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase



As of today, you see three products - Power Apps, Power BI Pro and Power Automate based on the subscriptions your tenant has.

Step 3. Disable the Self-Service Purchase Options for your subscriptions


Import-Module -Name MSCommerce
Connect-MSCommerce
# Find every product whose policy is still "Enabled" and disable self-service purchase for it
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | Where-Object { $_.PolicyValue -eq "Enabled" } | ForEach-Object { Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -Enabled $false }

Above code disables ALL services at the same time. If you prefer disabling only one service at a time, you can use a line similar to below for 'Power Automate'


Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Enabled $False 

Once this cmdlet has run, you can confirm the change by running the cmdlet from step 2 again -
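As an added example (not code from the original post), the steps above wrapped into a function that supports -WhatIf, targets either every enabled product or a chosen list of ProductIds, and re-reads the tenant state afterwards so a failed update or later drift back to "Enabled" is visible. It assumes the MSCommerce module is installed and that you sign in as a Global or Billing Administrator.

```powershell
function Get-SelfServicePurchaseStatus {
    # Returns ProductName / ProductId / PolicyValue for every product under the policy
    Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
        Select-Object ProductName, ProductId, PolicyValue
}

function Disable-SelfServicePurchase {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional list of ProductIds to restrict the change to; default is every enabled product
        [string[]]$ProductId
    )
    Import-Module -Name MSCommerce -ErrorAction Stop
    Connect-MSCommerce    # interactive sign-in as Global or Billing Admin

    $targets = Get-SelfServicePurchaseStatus | Where-Object { $_.PolicyValue -eq 'Enabled' }
    if ($ProductId) { $targets = $targets | Where-Object { $ProductId -contains $_.ProductId } }
    if (-not $targets) {
        Write-Host 'Nothing to do: self-service purchase is already disabled for all products.'
        return
    }
    foreach ($p in $targets) {
        # -WhatIf / -Confirm are honoured here via ShouldProcess
        if ($PSCmdlet.ShouldProcess($p.ProductName, 'Disable self-service purchase')) {
            Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase `
                -ProductId $p.ProductId -Enabled $false
        }
    }
    # Re-read the tenant state so a failed update (or later drift) is visible immediately
    $still = Get-SelfServicePurchaseStatus | Where-Object { $_.PolicyValue -eq 'Enabled' }
    foreach ($s in $still) { Write-Warning "Self-service purchase still enabled: $($s.ProductName)" }
    Get-SelfServicePurchaseStatus
}

# Preview:  Disable-SelfServicePurchase -WhatIf
# Apply:    Disable-SelfServicePurchase
```

Run the function on a schedule and alert on any warning it emits to catch a product that was re-enabled, or a new Power Platform product that arrived with self-service purchase switched on.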



Important information about your Office 365 single sign-on deployment

“Dear Administrator,

In order to provide your organization with uninterrupted access to Office 365 and Microsoft Azure Active Directory (Azure AD), you need to ensure your certificate for the domain(s) mydomain.com is renewed and updated in Azure AD right away.”


This alert may raise a few hairs if you are new to ADFS, or are just seeing the alert for the first time. You are receiving this alert because Microsoft was not able to automatically check your ADFS token signing certificates for updates, and hence was unable to update them in Azure AD. There are other possible reasons, such as the AD FS server's federation metadata not being published externally, or simply because you are using a 3rd-party STS. I'll focus this article only on ADFS scenarios.


If you've received such an alert from MSFT about a possible incorrect configuration of your ADFS for one or more federated domains, then to ensure your users keep enjoying Office 365 services uninterrupted, you should check the following on your primary ADFS server.


1. ADFS Certificates

ADFS certificates can be checked from the ADFS Management snap-in, or with PowerShell (Get-AdfsCertificate). Check the following to confirm that the certificates are valid and can be automatically updated before expiry. All ADFS certificates should be currently valid, i.e. not expired.

Service Communication certificates:

Service Communication certificates need to be replaced manually. I'll write another article for the steps.



Token signing and decrypting certificates

For these certificates, the AD FS property AutoCertificateRollover should be set to True. This ensures AD FS will automatically generate new token signing and token decrypting certificates before the old ones expire. Token decrypting and token signing certificates are self-signed. With AutoCertificateRollover set to True in your ADFS properties, new certificates are generated before the current ones expire. Newly generated certificates are first set as secondary and are then automatically promoted to primary 5 days before the expiry of the old certificates.

Get-AdfsProperties | select *Cert*

[Screenshot: output of Get-AdfsProperties | select *Cert* in an administrator PowerShell window on the ADFS server, listing AutoCertificateRollover (True), CertificateDuration (365), CertificateGenerationThreshold, CertificatePromotionThreshold and CertificateRolloverInterval]


To save yourself from dealing with a possible ADFS certificate-related alert in the M365 admin centre, you should set CertificateGenerationThreshold to more than 30 days, for example 35.

Set-AdfsProperties -CertificateGenerationThreshold 35


2. ADFS Federation Metadata

The AD FS federation metadata should be accessible publicly. This helps Microsoft alert (or not raise a false alarm) about token signing or decrypting certificates due for expiry. Check that your federation metadata is publicly accessible by navigating to the following URL from a computer on the public internet (off of the corporate network):
https://(your_FS_name)/federationmetadata/2007-06/federationmetadata.xml where (your_FS_name) is replaced with the federation service hostname your organization uses. 


If the metadata is publicly accessible (e.g. from a home office or a 3G/4G hotspot), the page will look like the one below. If the page does not load, check whether the connection is being blocked by your firewall.
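Added example (not code from the original post) covering both checks above in one function: certificate expiry for every ADFS certificate, the AutoCertificateRollover and CertificateGenerationThreshold settings, and whether the federation metadata URL loads and parses as XML. It assumes the ADFS PowerShell module (i.e. it runs on the primary ADFS server) and takes the federation service host name as a parameter; 'sts.contoso.com' is a placeholder.

```powershell
function Test-AdfsFederationHealth {
    param(
        [Parameter(Mandatory)] [string]$FederationServiceName,   # placeholder: sts.contoso.com
        [int]$WarnDays = 30   # flag certificates that expire within this window
    )
    $problems = @()
    $now = Get-Date

    # 1. Certificates: none expired, none expiring within $WarnDays
    foreach ($c in Get-AdfsCertificate) {
        $daysLeft = ($c.Certificate.NotAfter - $now).Days
        $role = if ($c.IsPrimary) { 'primary' } else { 'secondary' }
        if ($daysLeft -lt 0) {
            $problems += "$($c.CertificateType) ($role) EXPIRED on $($c.Certificate.NotAfter)"
        } elseif ($daysLeft -lt $WarnDays) {
            $problems += "$($c.CertificateType) ($role) expires in $daysLeft days"
        }
    }

    # 1b. Rollover settings for the self-signed token signing / decrypting certificates
    $props = Get-AdfsProperties
    if (-not $props.AutoCertificateRollover) {
        $problems += 'AutoCertificateRollover is False; token certificates will not renew themselves'
    }
    if ($props.CertificateGenerationThreshold -le 30) {
        $problems += "CertificateGenerationThreshold is $($props.CertificateGenerationThreshold) (set it above 30)"
    }

    # 2. Federation metadata must be reachable and be real federation metadata
    $url = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 20
        [xml]$meta = $resp.Content
        if (-not $meta.EntityDescriptor) { $problems += "Content at $url is not federation metadata" }
    } catch {
        $problems += "Metadata not reachable at $url : $($_.Exception.Message)"
    }

    [pscustomobject]@{ Healthy = ($problems.Count -eq 0); Problems = $problems }
}

# Test-AdfsFederationHealth -FederationServiceName 'sts.contoso.com'
```

The metadata check only proves public reachability when the request leaves the corporate network, so a passing result from the ADFS server itself still needs the off-network browser test described above.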




Un-Federating a domain in Office 365

Usually, un-federating a domain is pretty straightforward: you run the Convert-MsolDomainToStandard cmdlet from a PowerShell console on the ADFS server. However, there may be situations when you can't access the ADFS server, and you get an error similar to the one below -

Convert-MsolDomainToStandard -DomainName vermasandeep.in -PasswordFile C:\Temp_Password_File.CSV -SkipUserConversion $False 


What to do now? How to unfederate the domain without fixing the ADFS issue first?

If you know the ADFS server is completely down or inaccessible for any reason, you can still convert the domain to 'standard' using the steps below -

You can use the following cmdlet to convert the domain to 'managed'. This can come handy when you want to remove a domain from Microsoft 365 (formerly Office 365) tenant as soon as possible.

Set-MsolDomainAuthentication -DomainName <domain.com> -Authentication Managed


Step 1: Connect to Microsoft 365 / MSOL Service using PowerShell

connect-msolservice


Step 2: Verify the domain's current authentication method

get-msoldomain -DomainName vermasandeep.in


Step 3: Convert the Domain's method to 'Managed'

Set-MsolDomainAuthentication -DomainName vermasandeep.in -Authentication Managed


Step 4: Verify the domain's new authentication method

get-msoldomain -DomainName vermasandeep.in

Simple!


Azure AD Connect On-Demand Sync


If you've just installed Azure AD Connect or upgraded from a different directory sync engine like FIM, MIM or even the ancient DirSync, one of the first things you realise as an admin is that the sync engine is MUCH faster and more consistent than the previous versions. Most of the time, the changes sync automatically without you having to do any manual override. However, there may still be cases when you'd like to force a directory synchronization cycle IMMEDIATELY. How do you do it in Azure AD Connect? The PowerShell cmdlets you used earlier have changed. Welcome to the new world.
If you use an AAD Connect server, here's how you can force a synchronization -

To initiate a Delta Sync, open Windows PowerShell and run:
Start-ADSyncSyncCycle -PolicyType Delta

To initiate a Full Sync, open Windows PowerShell and run:
Start-ADSyncSyncCycle -PolicyType Initial

If the cmdlets are not available, import the ADSync module from its install path first:
Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"
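Added example (not code from the original post): Start-ADSyncSyncCycle errors out if a cycle is already in progress, so this wrapper waits for the scheduler to go idle before starting the requested cycle and warns if scheduled sync has been switched off. It assumes the ADSync module on the Azure AD Connect server and falls back to the module path shown above.

```powershell
function Start-ADSyncCycleIfIdle {
    param(
        [ValidateSet('Delta', 'Initial')] [string]$PolicyType = 'Delta',
        [int]$WaitSeconds = 120   # how long to wait for a running cycle to finish
    )
    # Load the module by name; fall back to the install path if it is not registered
    try { Import-Module ADSync -ErrorAction Stop }
    catch { Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1" -ErrorAction Stop }

    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle is still running after $WaitSeconds seconds; not starting another."
        }
        Start-Sleep -Seconds 10
    }

    $scheduler = Get-ADSyncScheduler
    if (-not $scheduler.SyncCycleEnabled) {
        # Manual cycles still work, but nothing will sync on its own until this is re-enabled
        Write-Warning 'Scheduled sync is disabled; re-enable with Set-ADSyncScheduler -SyncCycleEnabled $true'
    }
    Start-ADSyncSyncCycle -PolicyType $PolicyType
}

# Start-ADSyncCycleIfIdle                         # delta sync
# Start-ADSyncCycleIfIdle -PolicyType Initial     # full sync
```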

Get Computer name using PowerShell

How do you find your computer's hostname? Which user are you logged in as? Sometimes this is the information you need when you are invited to troubleshoot an issue. How do you find basic information about your computer in a handy way? Use PowerShell!

Three easy ways to find your computer's hostname:

# Checking current computer name using PowerShell
Hostname

OR

$env:computername

OR

gwmi win32_computersystem


Bonus! 
How to change a computer name using PowerShell?

# Rename a computer -
$(gwmi win32_computersystem).Rename("NewCompName")

This one would need:
1) Local Admin Credential
2) Domain controllers must be available

Some more tips available here -  like Adding a computer to the domain using PowerShell.
Powershell is cool, huh!



Export a list of all users in Office 365

Some time ago, someone asked me how to export user information from Office 365. My answer was simple: he could export the user details (technically, mailbox details) from the Exchange Admin Center (the ellipsis icon on the toolbar), or use PowerShell.



While the GUI method is easy and fine, it is quite limited in functionality. The GUI will not let you export all the information you may want, for example proxy addresses or guest accounts. In these scenarios, you'll need to use Windows PowerShell. The command you use can look something like this -

# Export Office 365 user data (MSOLUSER)

# Connect to the MSOL service. You will be prompted for an Office 365 admin username and password.
Connect-MsolService
# Get a list of ALL users, flattening the multi-valued ProxyAddresses into one ";"-separated column.
# (Get-MsolUser exposes no Password property, so none is selected.)
$MSOL_users = Get-MsolUser -All | Select-Object DisplayName,FirstName,LastName,PreferredLanguage,UsageLocation,UserPrincipalName,UserType, @{L = "ProxyAddresses"; E = { $_.ProxyAddresses -join ";"}}
# Export the results to a CSV file!
$MSOL_users | Export-Csv -Path C:\Temp\MSOL_Users.csv -NoTypeInformation

Bingo! Yes, it is that simple.

If you have never used PowerShell to connect to Office 365,  you'll need to do a one-time setup of configuring PowerShell to work with office 365. You can see the instructions here.
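Added example (not code from the original post) that extends the export above to the two cases the GUI cannot do: it filters by UserType so you can pull only guest accounts, and flattens both ProxyAddresses and the assigned license SKUs into single columns. It assumes the MSOnline module and an existing Connect-MsolService session; the output path is a placeholder.

```powershell
function Export-M365UserList {
    param(
        [Parameter(Mandatory)] [string]$Path,                               # e.g. C:\Temp\Users.csv
        [ValidateSet('All', 'Member', 'Guest')] [string]$UserType = 'All'   # Guest = external accounts
    )
    $users = Get-MsolUser -All
    if ($UserType -ne 'All') {
        $users = $users | Where-Object { $_.UserType -eq $UserType }
    }
    $rows = $users | Select-Object DisplayName, FirstName, LastName, UserPrincipalName, UserType,
        UsageLocation, PreferredLanguage, IsLicensed, BlockCredential, LastPasswordChangeTimestamp,
        # Multi-valued properties are joined so each user stays on one CSV row
        @{ L = 'ProxyAddresses'; E = { $_.ProxyAddresses -join ';' } },
        @{ L = 'Licenses';       E = { ($_.Licenses | ForEach-Object AccountSkuId) -join ';' } }

    # Create the target folder if needed; Export-Csv does not
    $dir = Split-Path -Parent $Path
    if ($dir -and -not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    @($rows).Count   # number of users written, handy for a quick sanity check
}

# Export-M365UserList -Path C:\Temp\MSOL_Guests.csv -UserType Guest
```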

Compare office 365 plans - Office 365 E1 Vs E3




You'd think Microsoft must already have published the differences between all their subscriptions clearly, but at the time of writing this article, it hasn't. Period. At least there aren't many resources which clearly tell you what the difference is!
So, as simple as it may sound, it's not that easy to find a reliable comparison of the Office 365 E1 plan vs Office 365 E3. A lot of people want to save on licensing cost by replacing some E3 licences with E1, but they do not know what features they will miss by doing that. So, I decided to write this article. Hopefully, you will find it helpful.

E3 gives you a bigger mailbox, unlimited archive, litigation hold, unlimited OneDrive etc. It has some other features too which are not available in E1, listed below. For E3 users using Office ProPlus today, you can apply S1 (i.e. E3 + ProPlus). This will put some limits on the mailbox, OneDrive etc. based on the E1 plan and remove access to E3-only features which are not available in E1.

Feature                            | E1                                          | E3
-----------------------------------|---------------------------------------------|---------------------------------------------------------
Flow for Office 365                | Yes                                         | Yes
Microsoft Planner                  | Yes                                         | Yes
Microsoft StaffHub                 | Yes                                         | Yes
Microsoft Teams                    | Yes                                         | Yes
Office Mobile Apps for Office 365  | Yes                                         | Yes
Office Online                      | Yes                                         | Yes
PowerApps for Office 365           | Yes                                         | Yes
Skype for Business Online (Plan 2) | Yes                                         | Yes
Stream for Office 365              | Yes                                         | Yes
Sway                               | Yes                                         | Yes
Yammer Enterprise                  | Yes                                         | Yes
Exchange Online                    | Plan 1 (100 GB mailbox + archive combined)  | Plan 2 (100 GB mailbox + unlimited archive)
Microsoft Forms                    | Plan 1                                      | Plan 3
SharePoint Online                  | Plan 1 (1 TB OneDrive storage)              | Plan 2 (unlimited OneDrive storage, DLP, in-place hold)
To-Do                              | Plan 1                                      | Plan 2
Azure Rights Management            | -                                           | Yes
Office 365 ProPlus                 | -                                           | Yes
Data Loss Prevention               | -                                           | Yes
Litigation Hold                    | -                                           | Yes
eDiscovery, Content Search         | -                                           | Yes


So, that's it. Now go ahead, swap those licenses. If you need some automation on it, I will soon post a script. Keep checking this space. :)

Federate a domain in Office 365 | Setting up Single Sign On


When you set up ADFS for your domain, you can use Single Sign-On (SSO) for user authentication. It lets your users access corporate applications and resources like Office 365 with their network credentials. If they are using a domain-joined computer, they sign in automatically without having to provide user credentials at all. This magic happens after you federate the domain with Azure AD or Office 365. To do so, follow the steps below.
Prerequisites - You'll need the Azure AD Module for PowerShell installed on your primary ADFS server. You will need to provide a Global Admin account's username and password when prompted for credentials.
Go to your Primary ADFS Server and connect to your Azure AD Tenant.
  1. On the Primary ADFS server, open an Administrator PowerShell window and import the MSOnline module
Import-Module MSOnline
  2. Connect to your Azure AD Tenant
Connect-MSOLService
Sign in with a Global Admin account in the credential pop-up

  3. Once you are connected to your Azure AD Tenant, let's make sure your domain is currently recognized as a "Managed" domain.
Get-MsolDomain -DomainName <domain.com>

  4. Run the command to convert your domain.
Convert-MsolDomainToFederated -DomainName <domain.com> -SupportMultipleDomain

  5. Run the following PowerShell cmdlet to confirm the domain is converted:
Get-MsolDomain -DomainName <domain.com>

If you see the Authentication is set to Federated, you should start observing Single Sign-On in a few minutes. When you sign in to Office 365, it'll start redirecting you to your ADFS sign-on page.
