
Disable Self Service Purchase for Microsoft Power Platform (PowerBI, PowerAutomate, PowerApps)

Microsoft requires you to be a Global Administrator or a Billing Administrator if you want to purchase any subscription within Office 365. This holds true no more!

Starting 14 January 2020, Microsoft is giving this control to end-users for its Microsoft Power Platform, which currently has three apps - PowerBI, PowerAutomate (Flow) and PowerApps. With this change, end-users can really 'Self-Purchase' subscriptions for these three apps, as well as for any new apps launched under Power Platform in future.

For now, this change only applies to the Power platform and not to other traditional plans like E1/E3/E5.

While this change can make it easier and faster for your users to access and consume Power platform apps like PowerBI Pro, it can significantly swell your bills, as users may start purchasing services they don't necessarily need, or that the business won't approve for everyone.



Don't worry, it's not too late. You CAN turn this OFF so things go back to normal once again. You'd need to run the following PowerShell Cmdlets -

Step 1. Install the PowerShell module "MSCommerce" and connect

# Install the module once (elevated PowerShell session), then load it and sign in
Install-Module -Name MSCommerce
Import-Module -Name MSCommerce
Connect-MSCommerce

Step 2. Check how your tenant is currently set for these new controls


Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase



As of today, you see three products - Power Apps, Power BI Pro and Power Automate - depending on the subscriptions your tenant has.

Step 3. Disable the Self-Service Purchase option for your subscriptions

Import-Module -Name MSCommerce
Connect-MSCommerce
# Find every product whose policy is still Enabled and turn it off
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | Where-Object { $_.PolicyValue -eq "Enabled" } | ForEach-Object { Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -Enabled $false }

The code above disables ALL products at the same time. If you prefer disabling only one product at a time, you can use a line similar to the one below for 'Power Automate':


Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Enabled $False 




Once this cmdlet has run, you can see the change by running the cmdlet from step 2 again -
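As an added example (not code from the original post), the following script combines step 3 and the verification from step 2 in one run and reports anything still Enabled. It assumes the MSCommerce policy objects expose ProductName alongside the ProductId and PolicyValue properties used above.

```powershell
# Added example, not from the original post: disable self-service purchase for every
# Power Platform product, then re-query so the change is verified in the same run.
Import-Module -Name MSCommerce
Connect-MSCommerce   # prompts for a Global Administrator / Billing Administrator sign-in

$policyId = 'AllowSelfServicePurchase'

# Snapshot before the change, so the report shows exactly what was flipped
$before = Get-MSCommerceProductPolicies -PolicyId $policyId

$before | Where-Object { $_.PolicyValue -eq 'Enabled' } | ForEach-Object {
    # ProductName is assumed to be on the returned object; ProductId/PolicyValue are used in the post
    Write-Host "Disabling self-service purchase for $($_.ProductName) ($($_.ProductId))"
    Update-MSCommerceProductPolicy -PolicyId $policyId -ProductId $_.ProductId -Enabled $false | Out-Null
}

# Verify: any product still Enabled after the update needs a second look
$after        = Get-MSCommerceProductPolicies -PolicyId $policyId
$stillEnabled = @($after | Where-Object { $_.PolicyValue -eq 'Enabled' })

if ($stillEnabled.Count -gt 0) {
    Write-Warning "Self-service purchase is still enabled for: $(($stillEnabled.ProductName) -join ', ')"
} else {
    Write-Host "Self-service purchase is disabled for all $(@($after).Count) product(s)."
}

# Final state, one row per product
$after | Select-Object ProductName, ProductId, PolicyValue | Format-Table -AutoSize
```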



Important information about your Office 365 single sign-on deployment

“Dear Administrator,

In order to provide your organization with uninterrupted access to Office 365 and Microsoft Azure Active Directory (Azure AD), you need to ensure your certificate for the domain(s) mydomain.com is renewed and updated in Azure AD right away.”


This alert may raise a few hair strands if you are new to ADFS, or are just seeing the alert for the first time. You are receiving this alert because Microsoft was not able to automatically check your ADFS token signing certificates for updates, and hence could not update them in Azure AD. There are other possible reasons, such as the AD FS server's federation metadata not being published externally, or simply that you are using a 3rd-party STS. I'll focus this article only on ADFS scenarios.


If you've received such an alert from MSFT about a possible incorrect configuration of your ADFS for one or more federated domains, check the following from your primary ADFS server to ensure your users keep enjoying the Office 365 services uninterruptedly.


1. ADFS Certificates

ADFS certificates can be checked from the ADFS Management snap-in, or from PowerShell (Get-AdfsCertificate). Check the following to confirm that the certificates are valid and can be automatically updated before expiry. All ADFS certificates should be currently valid, i.e. not expired.

Service Communication certificates:

Service Communication certificates need to be replaced manually. I'll write another article for the steps.
Token signing and decrypting certificates

For these certificates, the AD FS property AutoCertificateRollover should be set to True. This makes AD FS generate new token signing and token decrypting certificates before the old ones expire (both types are self-signed). Newly generated certificates are first added as secondary certificates and are then automatically promoted to primary, 5 days before the old certificates expire.

Get-AdfsProperties | select *Cert*

[Screenshot of the Get-AdfsProperties | select *Cert* output, listing AutoCertificateRollover, CertificateDuration, CertificateGenerationThreshold, CertificatePromotionThreshold and CertificateRolloverInterval; in the capture AutoCertificateRollover is True and CertificateDuration is 365.]


To save yourself from dealing with a possible ADFS certificate-related alert in the M365 admin centre, set "CertificateGenerationThreshold" to more than 30, for example 35.

Set-AdfsProperties -CertificateGenerationThreshold 35


2. ADFS Federation Metadata

The AD FS federation metadata should be publicly accessible. That is how Microsoft reads your current token signing and decrypting certificates, so it can alert you when they are due to expire (and avoid raising a false alarm once they have rolled over). Check that your federation metadata is publicly accessible by navigating to the following URL from a computer on the public internet (off the corporate network):
https://(your_FS_name)/federationmetadata/2007-06/federationmetadata.xml where (your_FS_name) is replaced with the federation service hostname your organization uses.
If the metadata is publicly accessible, for example from a home office or a 3G/4G hotspot, the page will look like the one below. If the page does not load, check whether the connection is being blocked on your firewall.
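The two checks from this article, as an added example script rather than the author's own code: it lists expiry for every AD FS certificate, checks the rollover properties discussed above, and fetches the federation metadata to confirm it is reachable. $fsName is a placeholder hostname; run it on the primary AD FS server, and run the metadata part from a machine off the corporate network.

```powershell
# Added example (not from the original article). $fsName is a placeholder to replace.
$fsName = 'sts.example.com'   # placeholder: your federation service hostname

# 1. Certificates: expiry for every AD FS certificate; flag anything expired or within 30 days
$now = Get-Date
Get-AdfsCertificate | ForEach-Object {
    $daysLeft = [int]($_.Certificate.NotAfter - $now).TotalDays
    [pscustomobject]@{
        Type       = $_.CertificateType
        IsPrimary  = $_.IsPrimary
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        DaysLeft   = $daysLeft
        Status     = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le 30) { 'EXPIRING' } else { 'OK' }
    }
} | Format-Table -AutoSize

# Rollover settings: token signing/decrypting certs only renew themselves when rollover is on,
# and the generation threshold should be above 30 days so the M365 alert is not raised
$props = Get-AdfsProperties
if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is False; token signing/decrypting certificates will not renew automatically.'
}
if ($props.CertificateGenerationThreshold -le 30) {
    Write-Warning "CertificateGenerationThreshold is $($props.CertificateGenerationThreshold); raise it above 30 (for example 35)."
}

# 2. Federation metadata: fetch it and count the signing certificates it publishes.
# Run this part from outside the corporate network to prove public reachability.
$metadataUrl = "https://$fsName/federationmetadata/2007-06/federationmetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
    [xml]$md = $resp.Content
    $signing = @($md.EntityDescriptor.RoleDescriptor.KeyDescriptor | Where-Object { $_.use -eq 'signing' })
    Write-Host "Metadata reachable; $($signing.Count) signing certificate(s) published."
} catch {
    Write-Warning "Could not fetch $metadataUrl ($($_.Exception.Message)); check firewall or proxy publishing."
}
```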




Unfederating a domain in Office 365 | Domain un-federation

Usually, un-federating a domain is straightforward: you run the Convert-MsolDomainToStandard cmdlet from a PowerShell console on the ADFS server. However, there may be situations when you can't access the ADFS server, and you get an error similar to this -

Connect-MsolDomaintoStandard : Failed to connect to Active Directory Federation Services 2.0 on the local machine. Please try running set-msolADFSContext before running this command again. 


Convert-MsolDomainToStandard -DomainName vermasandeep.in -PasswordFile C:\Temp_Password_File.CSV -SkipUserConversion $False 


What to do now? How to un-federate the domain without fixing the ADFS issue first?

If you know the ADFS server is completely down or inaccessible for any reason, you can still convert the domain to 'standard' using the steps below -

You can use the following cmdlet to convert the domain to 'managed'. This can come handy when you want to remove a domain from Microsoft 365 (formerly Office 365) tenant as soon as possible.

Set-MsolDomainAuthentication -DomainName <Domain Name> -Authentication Managed


Step 1: Connect to Microsoft 365 / MSOL Service using PowerShell

connect-msolservice



Step 2: Verify the domain's current authentication method

get-msoldomain -DomainName vermasandeep.in


Step 3: Convert the Domain's method to 'Managed'

Set-MsolDomainAuthentication -DomainName vermasandeep.in -Authentication Managed


Step 4: Verify the domain's new authentication method. Managed means standard.

get-msoldomain -DomainName vermasandeep.in



Simple!
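The steps above as one script, added here as an example and not the post's own code. It goes one step further than the post: because Set-MsolDomainAuthentication skips the user conversion that Convert-MsolDomainToStandard does with its -PasswordFile, the script also gives each user of the domain a temporary cloud password and records it. $domain and $passwordFile are placeholders.

```powershell
# Added example (not from the original post): convert a federated domain to Managed when the
# AD FS server is unreachable, verify, then give the domain's users a temporary cloud password.
$domain       = 'example.com'                 # placeholder: the federated domain
$passwordFile = 'C:\Temp\TempPasswords.csv'   # placeholder: where temp passwords are written

function New-TempPassword {
    # 4 upper + 6 lower + 4 digits + 2 symbols, shuffled: meets the default Azure AD complexity rule
    $pool = (65..90 | Get-Random -Count 4) + (97..122 | Get-Random -Count 6) +
            (48..57 | Get-Random -Count 4) + ((33,35,36,37,38,42) | Get-Random -Count 2)
    -join ($pool | Get-Random -Count $pool.Count | ForEach-Object { [char]$_ })
}

Connect-MsolService

$before = Get-MsolDomain -DomainName $domain
if ($before.Authentication -ne 'Federated') {
    Write-Host "$domain is already '$($before.Authentication)'; nothing to do."
    return
}

Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed

$after = Get-MsolDomain -DomainName $domain
if ($after.Authentication -ne 'Managed') {
    throw "Conversion failed: $domain is still '$($after.Authentication)'."
}
Write-Host "$domain is now Managed."

# Users of this domain have no usable cloud password unless password hash sync was already on.
# Set a random temporary password per user, force a change at next sign-in, and record it in a
# CSV (that file is a secret: hand it over securely and delete it afterwards).
$results = foreach ($user in Get-MsolUser -DomainName $domain -All) {
    $temp = New-TempPassword
    Set-MsolUserPassword -UserPrincipalName $user.UserPrincipalName -NewPassword $temp -ForceChangePassword $true | Out-Null
    [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; TemporaryPassword = $temp }
}
$results | Export-Csv -Path $passwordFile -NoTypeInformation
Write-Host "$(@($results).Count) user(s) reset; temporary passwords written to $passwordFile"
```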


Azure AD Connect On-Demand Sync


If you've just installed Azure AD Connect or upgraded from a different directory sync engine like FIM, MIM or even the ancient DirSync, one of the first things you realize as an admin is that the sync engine is MUCH faster and more consistent than the previous versions. Changes sync automatically every 30 minutes without any manual override on your part. However, there may still be cases when you'd like to force a directory synchronization cycle IMMEDIATELY. How do you do that in Azure AD Connect? The PowerShell cmdlets you used earlier have changed. Welcome to the new world.
If you use an AAD Connect server, here's how to force a synchronization -

To initiate a Delta Sync, open Windows PowerShell and run:
Start-ADSyncSyncCycle -PolicyType Delta

To initiate a Full Sync, open Windows PowerShell and run:
Start-ADSyncSyncCycle -PolicyType Initial

If the commands are not available, try to load up the below PowerShell module:
Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"
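An added example, not the post's own code, that wraps the cmdlets above in a script: it loads the module only when the cmdlet is missing, waits if a cycle is already running (Start-ADSyncSyncCycle fails while one is in progress), starts the requested cycle and polls the scheduler until it finishes. It relies on Get-ADSyncScheduler's SyncCycleInProgress, StagingModeEnabled and NextSyncCycleStartTimeInUTC properties.

```powershell
# Added example (not from the original post): force a sync cycle and wait for it to finish.
# Save as Force-ADSync.ps1 and run it on the AAD Connect server; -PolicyType Delta is the default.
param([ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta')

# Load the module only if the cmdlets are not already available
if (-not (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue)) {
    Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'
}

$scheduler = Get-ADSyncScheduler
if ($scheduler.StagingModeEnabled) {
    Write-Warning 'This server is in staging mode: the cycle imports and syncs, but exports nothing to Azure AD.'
}

# Starting a cycle while another is running fails, so wait for the current one to end
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'A sync cycle is already in progress; waiting 15 s...'
    Start-Sleep -Seconds 15
}

Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null
Write-Host "$PolicyType sync started at $(Get-Date -Format 'HH:mm:ss')"

# Poll until the scheduler reports the cycle has finished
do {
    Start-Sleep -Seconds 10
} while ((Get-ADSyncScheduler).SyncCycleInProgress)

$next = (Get-ADSyncScheduler).NextSyncCycleStartTimeInUTC
Write-Host "$PolicyType sync finished at $(Get-Date -Format 'HH:mm:ss'); next scheduled cycle: $next UTC"
```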

Get Computer name using PowerShell

How do you find your computer's hostname? Which user are you logged in as? Sometimes this is exactly the information you need when you are invited to troubleshoot an issue. How do you find basic information about your computer in a handy way? Use PowerShell!

How to find your computer's hostname in 3 easy ways:

# Checking current computer name using PowerShell
Hostname

OR

$env:computername

OR

gwmi win32_computersystem


Bonus! 
How to change a computer name using PowerShell?

# Rename a computer -
$(gwmi win32_computersystem).Rename("NewCompName")

This one would need:
1) Local Admin Credential
2) Domain controllers must be available

Some more tips available here -  like Adding a computer to the domain using PowerShell.
Powershell is cool, huh!



Export a list of all users in Office 365

Some time ago, someone asked me how to export user information from Office 365. My answer was simple: he could export the user details (technically, mailbox details) from the Exchange Admin Center (that ellipsis icon on the toolbar), or use PowerShell.

While the GUI method is all easy and fine, it is quite limited in functionality. The GUI will not let you export all the information you may want, for example proxy addresses or the guest accounts. In these scenarios, you'll need to use Windows PowerShell. The command you can use looks something like this -

# Export Office 365 user data (MSOLUSER)

# Connect to the MSOL service. You will be prompted for an Office 365 admin username and password.
Connect-MsolService
# Get a list of ALL users. Get-MsolUser has no "Password" property, so none is selected;
# the calculated ProxyAddresses column flattens the address list into one semicolon-separated field.
$MSOL_users = Get-MsolUser -All | Select-Object DisplayName,FirstName,LastName,PreferredLanguage,UsageLocation,UserPrincipalName,UserType, @{L = "ProxyAddresses"; E = { $_.ProxyAddresses -join ";"}}
# Export the results to a CSV file!
$MSOL_users | Export-Csv -Path C:\Temp\MSOL_Users.csv -NoTypeInformation

Bingo! Yes, it is that simple.

If you have never used PowerShell to connect to Office 365,  you'll need to do a one-time setup of configuring PowerShell to work with office 365. You can see the instructions here.
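An added example (not the post's own code) that covers the two cases the GUI cannot handle, proxy addresses and guest accounts, and writes members and guests to separate CSVs with their licence SKUs. $outDir is a placeholder; the properties used (UserType, IsLicensed, BlockCredential, LastPasswordChangeTimestamp, Licenses) are standard Get-MsolUser output.

```powershell
# Added example, not from the original post: export members and guests separately,
# with proxy addresses and licence SKUs flattened into single CSV columns.
$outDir = 'C:\Temp'   # placeholder output folder

Connect-MsolService   # prompts for an Office 365 admin account

$users = Get-MsolUser -All | Select-Object DisplayName, UserPrincipalName, UserType, UsageLocation,
    IsLicensed, BlockCredential, LastPasswordChangeTimestamp,
    @{ L = 'ProxyAddresses'; E = { $_.ProxyAddresses -join ';' } },
    @{ L = 'Licenses';       E = { ($_.Licenses | ForEach-Object { $_.AccountSkuId }) -join ';' } }

# Members and guests are different audiences for a reviewer, so write them to separate files
$members = @($users | Where-Object { $_.UserType -eq 'Member' })
$guests  = @($users | Where-Object { $_.UserType -eq 'Guest' })

$members | Export-Csv -Path (Join-Path $outDir 'MSOL_Members.csv') -NoTypeInformation
$guests  | Export-Csv -Path (Join-Path $outDir 'MSOL_Guests.csv')  -NoTypeInformation

# Review hints: guests holding a licence, and members holding none, are worth a closer look
$licensedGuests = @($guests  | Where-Object { $_.IsLicensed })
$unlicensed     = @($members | Where-Object { -not $_.IsLicensed })
Write-Host "$($members.Count) member(s) and $($guests.Count) guest(s) exported to $outDir"
Write-Host "$($licensedGuests.Count) guest(s) hold a licence; $($unlicensed.Count) member(s) have none"
```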

Compare office 365 plans - Office 365 E1 Vs E3

You'd think Microsoft must already have published the differences between all their subscriptions clearly, but at the time of writing this article, it hasn't. Period. At least there aren't many resources which clearly tell you what the difference is!
So, as simple as it may sound, it's not that easy to find a reliable comparison of the Office 365 E1 plan vs Office 365 E3. A lot of people want to save on licensing cost by replacing some E3 licenses with E1, but they do not know which features they will miss by doing that. So, I decided to write this article. Hopefully, you will find it helpful.

E3 gives you a bigger mailbox, unlimited archive, litigation hold, unlimited OneDrive etc. It has other features too which are not available in E1, listed below. For E3 users using Office ProPlus today, you can apply S1 (i.e. E3 + ProPlus). This will put some limits on the mailbox, OneDrive etc. based on the E1 plan and remove access to E3-only features which are not available in E1.

Feature                                                      E1       E3
Flow for Office 365                                          Yes      Yes
Microsoft Planner                                            Yes      Yes
Microsoft StaffHub                                           Yes      Yes
Microsoft Teams                                              Yes      Yes
Office Mobile Apps for Office 365                            Yes      Yes
Office Online                                                Yes      Yes
PowerApps for Office 365                                     Yes      Yes
Skype for Business Online (Plan 2)                           Yes      Yes
Stream for Office 365                                        Yes      Yes
Sway                                                         Yes      Yes
Yammer Enterprise                                            Yes      Yes
Exchange Online                                              Plan 1   Plan 2
  (Plan 1: 100 GB mailbox + Archive combined;
   Plan 2: 100 GB mailbox + Unlimited Archive)
Microsoft Forms                                              Plan 1   Plan 3
SharePoint Online                                            Plan 1   Plan 2
  (Plan 1: 1TB OneDrive Storage;
   Plan 2: Unlimited OneDrive Storage, DLP, In-place Hold)
To-Do                                                        Plan 1   Plan 2
Azure Rights Management                                      -        Yes
Office 365 ProPlus                                           -        Yes
Data Loss Prevention                                         -        Yes
Litigation Hold                                              -        Yes
eDiscovery, Content Search                                   -        Yes


So, that's it. Now go ahead, swap those licenses. If you need some automation on it, I will soon post a script. Keep checking this space. :)