Built-in MDM for Office 365 is launched!


Fantastic news, fellow nerds... one of my must-have features for 2015 has been launched! I am super excited about this one and I believe that it will help give many new customers the peace of mind and confidence to start moving to Office 365 in earnest.

One of the great things about Office 365 is that you can get to your corporate data from anywhere, on any device. This is what users expect in today's modern world, and Office 365 lets us give our users the functionality they expect. However, the service's greatest benefit was also its greatest drawback: how can we make sure that data is secure if users can access it from anywhere? Before today, the answer was to either:

a. Use Microsoft Intune to control access to specific, enrolled devices. This came at additional cost and was a hard sell if a company had already got in bed with a different MDM provider.

b. Use ADFS and Conditional Access Policies to control access. This functionality was limited in scope and took away an awful lot of the benefits of Office 365 from a portability perspective.

c. Use the only control method available to try to limit data leakage: Exchange ActiveSync Quarantine. The problem with this is that it only applies to ActiveSync connections, and cannot control OneDrive for Business use. It also lacks granularity with regards to compliance.

Yesterday, the Office team announced that built-in MDM will be rolled out to all Office 365 commercial plans over the next 4-6 weeks. I am on the First Release program (http://doubledit.co.uk/2015/01/08/office-365-first-release-program/) and have not got the feature yet, but as soon as I do I will be playing around and reporting back!

The main features are as follows:

Conditional Access – this ensures that only managed, compliant devices can connect to your corporate data. This is the biggie and helps us control which mobile devices can access data stored in Office 365, not just Exchange Online.

Device Management – Jailbreak detection, PIN lock controls and rich reporting.

Selective Wipe – Remove corporate data from a managed device while leaving personal data in place.

For those wanting more advanced capabilities such as VPN/Wi-Fi profile management, PC management and mobile app management, Intune is still the go-to Microsoft product.

You can find out more about the MDM capabilities being rolled out to Office 365 customers at the official blog here: http://blogs.office.com/2015/03/30/announcing-general-availability-of-built-in-mobile-device-management-for-office-365/

Modify AADSync Default Schedule

When using the AADSync tool to synchronise your Active Directory environment with Azure Active Directory (AAD), the default schedule for an incremental sync is 3 hours. This is done using a Scheduled Task. There are many reasons why you may want to change this schedule; maybe you have a high rate of change in your AD environment and you need a 1 hour sync to keep Office 365 up to date, or it might be that you have such a slow rate of change in your AD environment that you only want to sync your identities once every few days. It is worth mentioning that Password Synchronisation does not follow this schedule and is done immediately following a change of password, so this shouldn’t play a part in your decision to modify any scheduling of sync tasks.

Whatever your reasons, you are likely to become a little befuddled when trying to modify the regularity of your scheduled task. If you go into Task Scheduler, find the Azure AD Sync task and go into Properties, you can change the frequency of the task to make it run more or less often. However when you try to save the task it will ask you for the password of the account under which the task runs, the name of which looks something like ‘AAD_a6a4cefedc741’. It uses a random hex code at the end of the name so this could be slightly different to the example I’m using.

Modify AADSync Schedule

This account is used to run the AADSync service, is the account used to access the MIIS client database, and also to run the Scheduled Task. It is a local account which is created during the initial installation of AADSync, and the password is randomly generated. It may be tempting to change the password of this account, but please don’t. I have only come across this happening twice but both times have involved the internal database becoming completely inaccessible, meaning that the service simply won’t start, even with correct credentials.

If you really must change the frequency of your sync, create a new Scheduled Task and configure it to run the following application:

"C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCMD.exe"

Ensure the task is set to run with the highest privileges and configure it to use a user account which is a member of the following local groups:

  • ADSyncAdmins
  • ADSyncBrowse
  • ADSyncOperators
  • ADSyncPasswordSet

This new task will run under whatever schedule you fancy, and for good measure you can disable the original task if you’d like. When dealing with default configuration items in any piece of software, I would always recommend creating cloned configurations rather than modifying the default, as it gives you a way to back out of changes and allows you to compare old with new.
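As an added example (not from the original post), the cloning approach described above in PowerShell: it checks the run-as account's group membership, registers a new task that runs DirectorySyncClientCMD.exe on a custom interval with the highest run level, and disables rather than deletes the default task. The run-as account, the interval and the default task name 'Azure AD Sync' are assumptions for your environment.

```powershell
# Added example (not from the original post): clone the AADSync schedule into a
# new Scheduled Task with a custom interval, leaving the default task in place
# but disabled. Assumptions: the run-as account, the interval and the default
# task name 'Azure AD Sync' are placeholders for your environment.
$exePath     = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCMD.exe'
$newTaskName = 'Azure AD Sync - Custom Schedule'   # the cloned task
$defaultTask = 'Azure AD Sync'                     # assumed name of the installer's task
$runAsUser   = 'CONTOSO\svc-aadsync'               # placeholder; NOT the AAD_xxxx service account
$everyHours  = 1                                   # new incremental sync interval

if (-not (Test-Path $exePath)) { throw "AADSync client not found at $exePath" }

# 1. The run-as account must be in all four local ADSync groups, or the sync
#    cannot open the MIIS database. Check this before registering anything.
$requiredGroups = 'ADSyncAdmins', 'ADSyncBrowse', 'ADSyncOperators', 'ADSyncPasswordSet'
$shortName = $runAsUser.Split('\')[-1]
$missing = foreach ($group in $requiredGroups) {
    $members = (net localgroup $group 2>$null) | ForEach-Object { $_.Trim() }
    if ($members -notcontains $runAsUser -and $members -notcontains $shortName) { $group }
}
if ($missing) { throw "Add $runAsUser to local group(s): $($missing -join ', ')" }

# 2. Build the task: repeat every N hours, highest run level, and never start
#    a second instance while a sync is still running.
$action   = New-ScheduledTaskAction -Execute $exePath
$trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
                -RepetitionInterval (New-TimeSpan -Hours $everyHours) `
                -RepetitionDuration (New-TimeSpan -Days 3650)   # long fixed duration works on 2012 R2 and later
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
                -ExecutionTimeLimit (New-TimeSpan -Hours 2)

# 3. Prompt for the run-as password instead of embedding it in the script.
$cred = Get-Credential -UserName $runAsUser -Message 'Run-as account for the cloned AADSync task'
Register-ScheduledTask -TaskName $newTaskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null

# 4. Disable (do not delete) the default task so only one schedule fires,
#    then list both so the old and new schedules can be compared.
Get-ScheduledTask -TaskName $defaultTask -ErrorAction SilentlyContinue | Disable-ScheduledTask | Out-Null
Get-ScheduledTask -TaskName $defaultTask, $newTaskName -ErrorAction SilentlyContinue |
    Select-Object TaskName, State, @{ n = 'Interval'; e = { $_.Triggers[0].Repetition.Interval } }
```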

Office 2016 Preview & Skype for Business

Big news today from the Office team!

The Office 2016 IT Pro and Developer Preview is now available! This is a very early build; however, those who choose to use the preview will receive updates and new functionality along the way, much like the Windows 10 Technical Preview. From an Office 365 point of view there are some lovely new features, such as MAPI/HTTP built into Outlook and much better deployment and update management options for Click-to-Run deployments. If you want to grab the Preview, you can log in or sign up for a Microsoft Connect account and get your grubby mitts on it!

More information can be found here: http://blogs.office.com/2015/03/16/announcing-the-office-2016-it-pro-and-developer-preview/

In other news, the Skype for Business Preview has also been announced. This is the replacement for the Lync client and has been forthcoming for some time now. The concept is to bring the Skype experience to Office 365 customers whilst retaining the enterprise features which make Lync such a popular product, much like OneDrive and OneDrive for Business. Just like the Lync client, this will be built into Office 2016; however, this product is much further down the development timeline and will be rolling out to Office 365 Lync Online customers starting next month!

The announcement can be found here with further information: http://blogs.office.com/2015/03/16/get-ready-for-skype-for-business/

Office 365 MSOnline PowerShell and Proxy Servers

If you administer Office 365 regularly, especially from different locations, you may well have seen this error:

There was no endpoint listening at https://provisioningapi.microsoftonline.com/provisioningwebservice.svc

The number one cause of this error is a proxy server. The likely cause is that your Internet Explorer browser has a proxy server configured. If this is in the format of a .pac file, you will need to go into IE > Internet Options > Connections > LAN Settings and remove the proxy entry. Your connection will now be successful.

However if you have a proxy server manually set to a specific server, you need to tell PowerShell to go via the proxy. First though, check your winhttp configuration by running CMD as Administrator and running the following command:

netsh winhttp show proxy

This will probably show the following result:

Current WinHTTP proxy settings:

    Direct access (no proxy server).

Now run the following command:

netsh winhttp import proxy ie

This will import your proxy settings into your winhttp configuration and PowerShell should now navigate through the proxy and (hopefully) get to Office 365. Remember to restart PowerShell before attempting this! If this still doesn’t work, try removing the proxy settings in IE completely and retrying. If even this doesn’t do it, then you likely have a web filter blocking your traffic, in which case you will need to make sure the Office 365 IP addresses and/or URLs are allowed through your filter.

A lot of the above information depends on your network configuration and whether you are using transparent proxies or not, so information may not be 100% accurate to your specific setup. If you end up with incorrect winhttp settings and need to reset to defaults, run:

netsh winhttp reset proxy

from an Administrative CMD prompt and you will be back to square one.
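As an added example (not from the original post), a PowerShell check that shows the per-user IE proxy and the system WinHTTP proxy side by side and tests the endpoint named in the error through the system proxy, so you can tell a proxy problem from a web filter before running netsh. It assumes the registry locations IE uses for its proxy settings and passes the logged-on user's credentials to the proxy in case it authenticates.

```powershell
# Added example (not from the original post): compare IE (per-user) and WinHTTP
# (system) proxy settings and test the MSOnline endpoint through the system proxy.
# The endpoint URL is the one from the error message in the post.
$endpoint = 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc'

function Get-IEProxyConfig {
    # IE keeps its proxy in the user hive; WinHTTP, which the MSOnline cmdlets use, does not read it.
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnabled  = [bool]$ie.ProxyEnable
        ProxyServer   = $ie.ProxyServer      # manual proxy, e.g. proxy.corp.local:8080 (importable)
        AutoConfigUrl = $ie.AutoConfigURL    # .pac file: WinHTTP static settings cannot use this
    }
}

function Get-WinHttpProxyConfig {
    # Same information as 'netsh winhttp show proxy', collapsed to one line.
    (netsh winhttp show proxy | Where-Object { $_.Trim() }) -join ' | '
}

function Test-MsolEndpoint {
    param([string]$Url = $endpoint)
    # Go through the system proxy with the logged-on user's credentials, so an
    # authenticating proxy does not answer 407 and mask the real result.
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Proxy   = $proxy
    $request.Method  = 'HEAD'
    $request.Timeout = 10000
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        [pscustomobject]@{ Reachable = $true; HttpStatus = $status; Failure = $null }
    } catch [System.Net.WebException] {
        # Any HTTP answer (even 405 for HEAD) proves the proxy path works; no
        # response at all is the "no endpoint listening" symptom from the post.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        [pscustomobject]@{ Reachable = ($status -gt 0); HttpStatus = $status; Failure = $_.Exception.Status }
    }
}

$ie = Get-IEProxyConfig
if ($ie.AutoConfigUrl) {
    Write-Warning "IE uses a .pac file ($($ie.AutoConfigUrl)); WinHTTP cannot import it, so remove the proxy entry as described."
} elseif ($ie.ProxyEnabled) {
    Write-Host "IE manual proxy: $($ie.ProxyServer). If WinHTTP shows direct access, run 'netsh winhttp import proxy ie' elevated."
}
Write-Host "WinHTTP: $(Get-WinHttpProxyConfig)"
Test-MsolEndpoint | Format-List

# For the MSOnline cmdlets in this session, let the default proxy send the
# current user's credentials before running Connect-MsolService.
if ([System.Net.WebRequest]::DefaultWebProxy) {
    [System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
}
```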

Hopefully this helps some of you suffering from issues when trying to connect to Office 365 PowerShell.

Office 365 in 2015 – What I’m Looking Forward to!

Office 365 Roadmap

As an evergreen service, Office 365 is always expanding and updating its service, providing users with new features and admins with more granular controls and functionality. Here is a list of updates I am particularly looking forward to this year.

  • MDM for Office 365 – at the moment this is a weak spot in the security of Office 365. Using ActiveSync Quarantine, you can control which devices are able to connect to corporate email, however you currently have no controls over which devices can connect to OneDrive for Business, SharePoint and Office apps. This is still in development but should be rolled out in the first half of 2015. http://blogs.office.com/2014/10/28/introducing-built-mobile-device-management-office-365/
  • Drive Shipping and Network Based Data Import for Office 365 – this will allow for large scale import of PST data into Exchange Online Archive mailboxes using centralised technologies such as drive shipping or network imports. This is a big feature request for customers, as the current method is to either import PSTs into Outlook and let the client sync (not ideal), or to use third party tools. This feature has no rollout date yet.
  • Compliance Center for Office 365 – this will provide a single pane of glass (SPOG) approach to managing compliance across all Office 365 services. You will be able to configure central policies that will apply across Exchange and SharePoint data and control data retention. This is available in preview as of Jan 2015.
  • MAPI over HTTP for Exchange Online – this is the long term replacement for RPC over HTTP (aka Outlook Anywhere) and simplifies and improves Outlook connectivity. This is being rolled out at the moment and will be complete at the end of Q1 2015.
  • Yammer integration with Office 365 – admittedly the rollout of this service is almost complete (due to be completed by the end of March) but if you don’t have it yet, then you can look forward to being able to seamlessly login to your existing or new Yammer network with your Office 365 credentials.

These are just a handful of the updates coming this year. As you can see, Microsoft are working hard to make this a service which provides real benefit and control to its customers. This is the benefit of using an evergreen service; it can constantly evolve and respond to customer feedback quickly and easily.

Remember to check the roadmap at http://roadmap.office.com to find out about features being worked on and rolled out!

Let me know in the comments which features you are looking forward to most 🙂

Office 365 Hybrid Mailbox Move stuck in ‘Removing’ state

This is an issue I’ve come across more than once now. An attempted mailbox move from Exchange 2010/2013 to Office 365 has failed and you want to remove the migration batch and try again. You try to remove the batch, but it just gets stuck in the ‘Removing’ state for an extended period of time. We need to give this request the finger and start from scratch, but how?

First things first, let's check the status of the move using PowerShell, as PowerShell will never lie! Log in to Exchange Online PowerShell, and run:

Get-MigrationBatch -Identity <nameofbatch> | fl

If the status does read as ‘Removing’ and it’s been a long time since you started the removal, then you likely have a corrupted batch. Let’s forcefully remove it. To remove the batch, run:

Remove-MigrationBatch -Identity <nameofbatch> -Force

If you now run the get-migrationbatch command above, you should get an error which states that the batch does not exist. Good news! We now just need to clear out the migration user requests which will still be lingering. To see which user requests exist, run:

Get-MigrationUser

If the only users in here are the users which were associated with your migration batch, then you can run:

Get-MigrationUser | Remove-MigrationUser -Force

to remove all of the migration user requests. However if there are other user requests in here which you do not want to remove, then remove the users individually by running:

Remove-MigrationUser <Identity> -Force

Now if you run the Get-MigrationUser command, you should see that the users who were in the corrupted batch are no longer listed. You can start a new batch once you’ve resolved whatever issue caused the mailbox move to fail and all should be tickety-boo 🙂
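As an added example (not from the original post), the clean-up above as one function: it confirms the batch really is in 'Removing', records which MigrationUser requests belong to that batch before the batch is force-removed, removes only those, and verifies the result. It assumes an open Exchange Online PowerShell session; <nameofbatch> is the placeholder from the post.

```powershell
# Added example (not from the original post): force-remove a batch stuck in
# 'Removing' and only the MigrationUser requests that belonged to it, leaving
# other batches' users alone. Assumes an Exchange Online PowerShell session.
function Remove-StuckMigrationBatch {
    param(
        [Parameter(Mandatory)][string]$BatchName,
        [switch]$Force   # without -Force the function only reports what it would remove
    )
    $batch = Get-MigrationBatch -Identity $BatchName -ErrorAction SilentlyContinue
    if (-not $batch) {
        Write-Host "Batch '$BatchName' no longer exists; checking for lingering users only."
    } elseif ($batch.Status -ne 'Removing') {
        # Not the stuck case described in the post; refuse to force anything.
        throw "Batch '$BatchName' is '$($batch.Status)', not 'Removing'. Inspect it before forcing removal."
    }

    # Capture the batch's users BEFORE the batch goes, so only they are removed
    # rather than every MigrationUser in the tenant.
    $users = @(Get-MigrationUser -BatchId $BatchName -ErrorAction SilentlyContinue)
    Write-Host ("Batch '{0}' has {1} migration user request(s): {2}" -f $BatchName, $users.Count, ($users.Identity -join ', '))

    if (-not $Force) {
        Write-Host 'Dry run only. Re-run with -Force to remove them.'
        return $users
    }

    if ($batch) { Remove-MigrationBatch -Identity $BatchName -Force -Confirm:$false }
    foreach ($u in $users) {
        Remove-MigrationUser -Identity $u.Identity -Force -Confirm:$false
    }

    # Verify: the batch must be gone and none of its users may still be listed.
    if (Get-MigrationBatch -Identity $BatchName -ErrorAction SilentlyContinue) {
        throw "Batch '$BatchName' still exists after Remove-MigrationBatch -Force."
    }
    $left = @(Get-MigrationUser -ErrorAction SilentlyContinue | Where-Object { $users.Identity -contains $_.Identity })
    if ($left.Count) { Write-Warning "Still present: $($left.Identity -join ', ')" }
    else { Write-Host 'Clean: batch and its migration users are gone; a new batch can be created.' }
}

# Remove-StuckMigrationBatch -BatchName '<nameofbatch>'          # report only
# Remove-StuckMigrationBatch -BatchName '<nameofbatch>' -Force   # remove batch and its users
```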

In our case we were running mailbox export commands at the same time as mailbox migrations, and we had some timeout issues with the Mailbox Replication Service. The error we received in the migration report was “Relinquishing job because of large delays due to unfavorable server health or budget limitations”. Simple fix: just remove the migration batch once the exports were complete, and start again. What we didn’t bank on was that the migration batch would become corrupted. To resolve this, we allowed our mailbox exports to complete, and then restarted the Microsoft Exchange Replication Service. We then cleared the corrupted batch using the commands shown above, and started again. It completed successfully this time.

Office Online overhaul!

Office Online Recent Files list

I am excited to see that Office Online (formerly known as Office Web Apps) is having a major overhaul at the moment, with new functionality coming out of its ears! This is good news for all Office 365 users, making what was a strong but basic editing suite into something which is much more akin to the traditional desktop Office suite experience.

The main new features which the Office team are enjoying bragging rights over are:

  • Enhanced Reading View experience – Edit, Print, Share and Comment functions are now right at your fingertips.
  • Saving and Managing your files – My favourites here are the Save As button, and the Download as PDF options.
  • Add to OneDrive – This is like Save As, but puts an editable copy of a read only file in your OneDrive. Awesome!
  • Recently Used Files list and template availability – Just like in desktop Office 🙂
  • Integrated Help – Shame Clippy hasn’t returned though! I did love having Clippy's company.

You can find out more by hitting the Office Blog post on Office Online below:

http://blogs.office.com/2015/02/11/office-online-gets-even-better-2015/

Blocking Outlook App for iOS & Android

I just wanted to share this great article from EighTwOne on how to block the new Outlook app for iOS & Android. I don’t usually share other people’s posts but I thought this was particularly useful as there is quite a storm brewing in the proverbial teacup over this app. If you have concerns about the privacy and security of this app, use the commands listed in the linked article to create a device block or quarantine policy for the app.
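As an added example (not from the original post or the linked article), a defensive way to build such a policy: read the DeviceModel strings that mobile clients actually report to your tenant, then quarantine or block one of them with an ActiveSync device access rule. The model string is read from live data rather than assumed; it runs in Exchange Online or Exchange 2013 management shell, where Get-MobileDevice exists.

```powershell
# Added example (not from the original post or the linked article): list the
# DeviceModel/DeviceType strings mobile clients report, then quarantine or block
# a model with an ActiveSync device access rule. Run in Exchange Online or 2013 EMS.
function Get-ReportedDeviceModels {
    # One row per distinct model/type so the rule targets the exact string the app sends.
    Get-MobileDevice -ResultSize Unlimited |
        Group-Object DeviceModel, DeviceType |
        Select-Object Count,
            @{ n = 'DeviceModel'; e = { $_.Group[0].DeviceModel } },
            @{ n = 'DeviceType';  e = { $_.Group[0].DeviceType } } |
        Sort-Object Count -Descending
}

function Set-AppAccessRule {
    param(
        [Parameter(Mandatory)][string]$DeviceModel,   # exact value from Get-ReportedDeviceModels
        [ValidateSet('Quarantine', 'Block')][string]$AccessLevel = 'Quarantine'
    )
    # Exchange allows one rule per QueryString/Characteristic pair; update it if it exists.
    $rule = Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.QueryString -eq $DeviceModel -and $_.Characteristic -eq 'DeviceModel' }
    if ($rule) {
        Set-ActiveSyncDeviceAccessRule -Identity $rule.Identity -AccessLevel $AccessLevel
    } else {
        New-ActiveSyncDeviceAccessRule -QueryString $DeviceModel -Characteristic DeviceModel -AccessLevel $AccessLevel
    }
    # Quarantine is only useful if an admin hears about it: check notification recipients are set.
    $org = Get-ActiveSyncOrganizationSettings
    if ($AccessLevel -eq 'Quarantine' -and -not $org.AdminMailRecipients) {
        Write-Warning 'No AdminMailRecipients configured; set them with Set-ActiveSyncOrganizationSettings -AdminMailRecipients.'
    }
}

Get-ReportedDeviceModels | Format-Table -AutoSize
# Set-AppAccessRule -DeviceModel '<model string from the table above>' -AccessLevel Quarantine
```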

EighTwOne (821)

Yesterday, Microsoft announced the immediate availability of the Outlook for iOS and Outlook for Android preview. These apps are the former app named Acompli, which was acquired by Microsoft in December last year. It is unlikely that Microsoft will develop and support two similar apps, so one can assume the new Outlook app will replace the current OWA for iOS and OWA for Android (or just OWA for Devices) apps.

The app isn’t without a little controversy:

  • The app stores credentials in a cloud environment from Amazon Web Services for e-mail accounts that don’t support OAuth authorization.
  • The app makes use of a service sitting between the app and your mailbox. This service acts as a sort of proxy (hence it requires those credentials), fetching, (pre)processing and sending e-mail. In some way this is smart, as it makes the app less dependent on back-end peculiarities, using a uniform protocol to communicate…


Remote Mailboxes in Exchange Hybrid configuration

I’ve been asked a few questions recently about Remote Mailboxes in Office 365 hybrid configurations. The Remote Mailbox exists on the On Premise Exchange server and is the link between the Office 365 mailbox and the On Prem Exchange Organisation. Without one of these for each Office 365 mailbox, you can’t effectively manage certain Office 365 mailbox properties, you can’t offboard it back to the On Prem Exchange Server, and most importantly, not having a Remote Mailbox breaks mail flow between users On Prem and users in Office 365.

Quite often, when administrators first start using Office 365 in Hybrid mode, they will create a new user simply by creating the AD account, synchronising it using DirSync/AADSync, and then licensing the user. This will give you a mailbox in Office 365, but will also cause the problems listed above. The correct way to provision new users in Office 365 is to create new Remote Mailboxes. If a Remote Mailbox isn’t present or has been accidentally deleted, you can create one and link it up to the Office 365 mailbox.

To do this:

From Exchange Management Shell (On Premise):

Enable-RemoteMailbox username -RemoteRoutingAddress alias@domain.mail.onmicrosoft.com

The RemoteRoutingAddress is always in the format of alias@domain.mail.onmicrosoft.com, for example:

Enable-RemoteMailbox joeb -RemoteRoutingAddress joeb@doubledit.mail.onmicrosoft.com

You then need to get the Mailbox GUID of the Office 365 mailbox. To do this, go into Office 365 PowerShell and run:

Get-Mailbox -Identity emailaddress | fl Identity,ExchangeGUID

Copy the Mailbox GUID into your clipboard and go back to the Exchange Management Shell (On Premise):

Set-RemoteMailbox username -ExchangeGUID 8e992097-24c1-432c-8a89-98e3c7a7d283

The username, email address, alias, tenant domain and GUID above are examples and need to be changed to the values relevant to your environment. Once you’ve completed this, perform a delta/incremental sync and the two shall become one (so to speak!)
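As an added example (not from the original post), the three steps wrapped into one on-premises Exchange Management Shell function: it creates the Remote Mailbox if it is missing, stamps the cloud ExchangeGuid onto it, and verifies that the two GUIDs now match. It assumes you have already read the GUID from Office 365 PowerShell as described; 'doubledit' is the tenant prefix from the post's example and stands in for yours.

```powershell
# Added example (not from the original post): repair or create the on-prem
# Remote Mailbox for an Office 365 mailbox and verify the ExchangeGuid link.
# Run in the on-premises EMS. Assumes the cloud GUID was copied from
# Get-Mailbox in Office 365 PowerShell; the tenant prefix is a placeholder.
function Repair-RemoteMailboxLink {
    param(
        [Parameter(Mandatory)][string]$Identity,          # on-prem AD user, e.g. joeb
        [Parameter(Mandatory)][guid]$CloudExchangeGuid,   # ExchangeGUID from Office 365 PowerShell
        [Parameter(Mandatory)][string]$TenantPrefix       # 'doubledit' for doubledit.mail.onmicrosoft.com
    )
    if ($CloudExchangeGuid -eq [guid]::Empty) {
        throw 'Cloud ExchangeGUID is empty; copy it from Get-Mailbox in Office 365 PowerShell first.'
    }

    $remote = Get-RemoteMailbox -Identity $Identity -ErrorAction SilentlyContinue
    if (-not $remote) {
        # No Remote Mailbox: create it with the mandatory coexistence routing address.
        $alias   = (Get-User -Identity $Identity).SamAccountName
        $routing = "$alias@$TenantPrefix.mail.onmicrosoft.com"
        $remote  = Enable-RemoteMailbox -Identity $Identity -Alias $alias -RemoteRoutingAddress $routing
        Write-Host "Created Remote Mailbox for $Identity with routing address $routing"
    }

    # The on-prem object must carry the same ExchangeGuid as the cloud mailbox,
    # otherwise offboarding and hybrid mail flow break.
    if ($remote.ExchangeGuid -ne $CloudExchangeGuid) {
        Set-RemoteMailbox -Identity $Identity -ExchangeGuid $CloudExchangeGuid
        Write-Host "Set ExchangeGuid on $Identity from $($remote.ExchangeGuid) to $CloudExchangeGuid"
    }

    # Re-read and report; GuidMatchesCloud must be True before the next delta sync.
    $remote = Get-RemoteMailbox -Identity $Identity
    [pscustomobject]@{
        Identity             = $remote.Identity
        RemoteRoutingAddress = $remote.RemoteRoutingAddress
        ExchangeGuid         = $remote.ExchangeGuid
        GuidMatchesCloud     = ($remote.ExchangeGuid -eq $CloudExchangeGuid)
    }
}

# Repair-RemoteMailboxLink -Identity joeb -CloudExchangeGuid '8e992097-24c1-432c-8a89-98e3c7a7d283' -TenantPrefix doubledit
```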

There is a KB article from Microsoft on a similar issue (trying to Offboard a mailbox where the Remote Mailbox GUID is not the same as the 365 GUID) here: http://support.microsoft.com/kb/2956029/en-us

Thanks for reading 🙂

Office 365 – Outlook Profiles in a Cutover Migration

One of the drawbacks of performing a cutover migration from an On Premise Exchange environment to Office 365 is that Outlook profiles must be recreated to connect to the Office 365 servers. If done manually on every single workstation in your company, this could be a very time consuming process as you would have to create a new profile, set it as the default and configure it for the user.

One way of automating some of this process is to use Group Policy to run a script to create a new, blank Outlook profile and set it as the default profile. The user will then be presented with the first time profile setup screen when opening Outlook and should be able to use Autodiscover to automagically find their new Office 365 profile settings:

[Screenshots: Outlook New Profile Setup, Outlook Configure Profile, Outlook Profile Complete]

To create the batch file required to do this, copy and paste the following text into a file and save it as a .bat file:

For Office 2010:

REM Outlook 2010: create the empty O365 profile key, make it the default profile
REM and stop Outlook prompting for a profile at start-up
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\O365" /f
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" /v DefaultProfile /t REG_SZ /d "O365" /f
reg add "HKCU\Software\Microsoft\Exchange\Client\Options" /v PickLogonProfile /t REG_DWORD /d 0 /f

For Office 2013:

REM Outlook 2013: profiles moved under the Office 15.0 hive; DefaultProfile sits on the Outlook key
reg add "HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\O365" /f
reg add "HKCU\Software\Microsoft\Office\15.0\Outlook" /v DefaultProfile /t REG_SZ /d "O365" /f

The script will create a new profile called O365 and set it as the default profile. Create a new Group Policy object to run the .bat file in Group Policy Preferences. You can safely leave the GPO in place for a few days to allow for people who may not be in the office for your go live day as it will not overwrite or remove existing profiles.
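As an added example (not from the original post), a PowerShell version of the two .bat files that detects whether Outlook 2010 or 2013 is installed and writes to the matching keys, and goes a step further than the batch files: it only creates the O365 profile and makes it the default when the profile does not already exist, so a GPO that keeps running for a few days will not reset a user who has since switched default profile. Detecting the version via the Outlook.Application CurVer COM key is an assumption of this example.

```powershell
# Added example (not from the original post): PowerShell equivalent of the .bat
# files that picks the Outlook 2010 or 2013 registry locations automatically and
# is idempotent (no changes if the O365 profile already exists).
$profileName = 'O365'

function Get-OutlookProfileLocations {
    # Detect Outlook via its COM version key (assumption: present for MSI and Click-to-Run),
    # then return the keys the post uses for that version.
    $curVer = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\Outlook.Application\CurVer' -ErrorAction SilentlyContinue).'(default)'
    switch -Regex ($curVer) {
        '\.15$' {   # Outlook 2013: profiles under the Office hive, DefaultProfile on the Outlook key
            return [pscustomobject]@{
                Version     = '2013'
                ProfilesKey = 'HKCU:\Software\Microsoft\Office\15.0\Outlook\Profiles'
                DefaultKey  = 'HKCU:\Software\Microsoft\Office\15.0\Outlook'
            }
        }
        '\.14$' {   # Outlook 2010: profiles and DefaultProfile both on the Profiles key
            return [pscustomobject]@{
                Version     = '2010'
                ProfilesKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
                DefaultKey  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
            }
        }
        default { throw "Unsupported or missing Outlook version '$curVer'; expected Outlook 2010 or 2013." }
    }
}

function Set-BlankDefaultProfile {
    param([string]$Name = $profileName)
    $loc        = Get-OutlookProfileLocations
    $profileKey = Join-Path $loc.ProfilesKey $Name

    if (Test-Path $profileKey) {
        # Already provisioned on an earlier run: leave the user's current default alone.
        return [pscustomobject]@{ OutlookVersion = $loc.Version; ProfileKey = $profileKey; Changed = $false }
    }

    # Existing profiles are never touched; only the empty O365 key is added (-Force creates parents).
    New-Item -Path $profileKey -Force | Out-Null
    Set-ItemProperty -Path $loc.DefaultKey -Name DefaultProfile -Value $Name -Type String

    if ($loc.Version -eq '2010') {
        # Outlook 2010 only: PickLogonProfile=0 suppresses the "choose profile" prompt.
        $opts = 'HKCU:\Software\Microsoft\Exchange\Client\Options'
        if (-not (Test-Path $opts)) { New-Item -Path $opts -Force | Out-Null }
        Set-ItemProperty -Path $opts -Name PickLogonProfile -Value 0 -Type DWord
    }
    [pscustomobject]@{ OutlookVersion = $loc.Version; ProfileKey = $profileKey; Changed = $true }
}

Set-BlankDefaultProfile
```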

When this process is used in conjunction with the Group Policy for controlling Autodiscover (http://doubledit.co.uk/2014/10/21/controlling-autodiscovery-using-group-policy/) you can have an 80% automated cutover migration which should be smooth sailing for yourself and your users!

Thanks to my colleague Kevin for sharing his experiences and allowing me to blog about this.