Onboarding Windows 10 Devices to the Microsoft 365 Compliance Portal

The Microsoft 365 Compliance Portal offers a large set of useful features that work across the cloud services. I’ve previously posted about the new Compliance Manager tool and how it can help to assess the controls in place in the tenancy while also recommending improvements. There are also tools such as DLP, Unified Labelling and Trainable Classifiers which provide some really flexible ways of protecting data.

These features so far relate to how a user operates within the Microsoft 365 service, but we also have some functionality available to us which we can extend to the end user’s device. We can leverage tools like Insider Risk Management and Endpoint DLP to extend our protection even further.

Prerequisites

To enable the device functionality, we first need to ensure we meet the prerequisites. Microsoft have published the below list for us to verify on our devices:

  1. Must be running Windows 10 x64 build 1809 or later.
  2. Antimalware Client Version is 4.18.2009.7 or newer. Check your current version by opening the Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623. Note: None of the Windows Security components need to be active; you can run Endpoint DLP independent of Windows Security status.
  3. The following Windows Updates are installed. Note: These updates are not a pre-requisite to onboard a device to Endpoint DLP, but contain fixes for important issues thus must be installed before using the product.
    • For Windows 10 1809 – KB4559003, KB4577069, KB4580390
    • For Windows 10 1903 or 1909 – KB4559004, KB4577062, KB4580386
    • For Windows 10 2004 – KB4568831, KB4577063
    • For devices running Office 2016 (and not any other Office version) – KB4577063
  4. All devices must be Azure Active Directory (Azure AD) joined, or Hybrid Azure AD joined.
  5. Install the Microsoft Chromium Edge browser on the endpoint device to enforce policy actions for the upload to cloud activity. See Download the new Microsoft Edge based on Chromium.
  6. If you are on Monthly Enterprise Channel of Microsoft 365 Apps versions 2004-2008, there is a known issue with Endpoint DLP classifying Office content and you need to update to version 2009 or later. See Update history for Microsoft 365 Apps (listed by date) for current versions. To learn more about this issue, see the Office Suite section of Release notes for Current Channel releases in 2020.
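The prerequisites above can be checked on a device with the script below (an added example, not from the original post or from Microsoft). It assumes an elevated PowerShell session on the Windows 10 device and the built-in Defender module for Get-MpComputerStatus; the build-to-KB mapping is taken from the list above.

```powershell
# Endpoint DLP onboarding prerequisite check (added example, not from the original post).
# Assumed: run in an elevated PowerShell on the Windows 10 device being assessed.
# Build numbers: 1809 = 17763, 1903 = 18362, 1909 = 18363, 2004 = 19041.
$MinimumBuild    = 17763
$MinimumAmClient = [version]'4.18.2009.7'
$RequiredKbs = @{
    17763 = @('KB4559003', 'KB4577069', 'KB4580390')
    18362 = @('KB4559004', 'KB4577062', 'KB4580386')
    18363 = @('KB4559004', 'KB4577062', 'KB4580386')
    19041 = @('KB4568831', 'KB4577063')
}

function Test-EndpointDlpPrerequisites {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result ($Check, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" })
    }

    # 1. Windows 10 x64, build 1809 (17763) or later.
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    Add-Result 'OS build >= 1809 (17763)' ($build -ge $MinimumBuild) "Build $build"
    Add-Result 'OS is 64-bit' ($os.OSArchitecture -like '64*') $os.OSArchitecture

    # 2. Antimalware Client Version 4.18.2009.7 or newer (AMProductVersion is the same value
    #    the Windows Security "About" page shows). If the platform cannot be queried, flag it
    #    so the version is checked manually as described above.
    try {
        $amVersion = [version](Get-MpComputerStatus -ErrorAction Stop).AMProductVersion
        Add-Result 'Antimalware client >= 4.18.2009.7' ($amVersion -ge $MinimumAmClient) $amVersion
    } catch {
        Add-Result 'Antimalware client >= 4.18.2009.7' $false 'Could not query the antimalware platform'
    }

    # 3. Build-specific fix KBs (not required to onboard, but required before using the product).
    if ($RequiredKbs.ContainsKey($build)) {
        $installed = (Get-HotFix).HotFixID
        foreach ($kb in $RequiredKbs[$build]) {
            Add-Result "Update $kb installed" ($installed -contains $kb) ''
        }
    } else {
        Add-Result 'Known build for KB list' $false "No KB list on this page for build $build"
    }

    # 4. Azure AD joined or Hybrid Azure AD joined, read from dsregcmd /status.
    $dsreg     = dsregcmd /status
    $aadJoined = [bool]($dsreg | Select-String '^\s*AzureAdJoined\s*:\s*YES')
    $domJoined = [bool]($dsreg | Select-String '^\s*DomainJoined\s*:\s*YES')
    $joinType  = if ($aadJoined -and $domJoined) { 'Hybrid Azure AD joined' }
                 elseif ($aadJoined) { 'Azure AD joined' } else { 'Not Azure AD joined' }
    Add-Result 'Azure AD joined or Hybrid joined' $aadJoined $joinType

    # 5. Chromium-based Edge present (needed to enforce the upload-to-cloud policy actions).
    $edgePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe'
    $edge = Get-ItemProperty -Path $edgePath -ErrorAction SilentlyContinue
    Add-Result 'Microsoft Edge (Chromium) installed' ($null -ne $edge) $edge.'(default)'

    return $results
}

$report = Test-EndpointDlpPrerequisites
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) { Write-Warning 'One or more Endpoint DLP prerequisites are not met.' }
```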

Enable Device Onboarding

When we have met the prerequisites in our environment, we can now enable Device Onboarding from the Compliance Portal. Navigate to https://compliance.microsoft.com and open up “Settings” then “Device Onboarding”.

From here, we turn on device onboarding and we’ll see that any of our devices already onboarded to Microsoft Defender for Endpoint will already be included… more on this in a bit. For now, click OK to enable Onboarding.

We might need to wait a few minutes for the change to take effect, but once it has we are ready to onboard machines.

In the onboarding section, we can see the list of onboarding options available to us; you might notice that the list looks familiar. For now we’ll select Local Script as we are testing on a small scale, but there is a lot of flexibility in how we can deploy.

Select Local Script and download the package. Once it’s downloaded let’s open it up and see what it’s doing.

Opening up the downloaded script confirms the feeling of déjà vu we might have been having. The onboarding process isn’t unique to the Compliance Portal: we are enrolling the device in Windows Defender for Endpoint, which we may have already done in our tenancy, so the enrollment is the same thing. This makes sense, as Windows Defender is the agent on the machine which actually enforces our controls.

Onboard a Device

Ok, now that we have our onboarding script (or whatever method we chose earlier) we just need to run it on the device. For the Script, we just copy to the machine and run as an admin.

We get the standard warning which we accept and the script will continue and onboard the machine for us.

On a larger scale I recommend using Microsoft Endpoint Manager / Intune for onboarding but for this demo the script has worked fine.

Verify The Machine Has Been Onboarded

After a minute or two we can hop back over to the Compliance portal and see our machine has been onboarded.

If we have the licensing, we will also see the device in the Windows Defender for Endpoint page.
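The onboarded state can also be confirmed on the device itself before the portal catches up. The check below is an added example (not from the original post or from Microsoft’s onboarding package) and assumes an elevated session on the device; it reads the status key the onboarding script writes and the state of the Sense service that reports to the cloud.

```powershell
# Confirm a device has onboarded after running the local script (added example, not from the post).
# Assumed: elevated PowerShell on the onboarded Windows 10 device.

function Get-DeviceOnboardingState {
    # The onboarding package records its result here; OnboardingState = 1 means onboarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # "Sense" is the Windows Defender Advanced Threat Protection service started by the package;
    # it must be running for the device to report in to the portal.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Recent SENSE operational events help when the state is not 1 (log may be absent pre-onboarding).
    $recent = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OnboardingState = if ($status) { $status.OnboardingState } else { $null }
        SenseStatus     = if ($sense) { $sense.Status.ToString() } else { 'Not installed' }
        SenseStartType  = if ($sense) { $sense.StartType.ToString() } else { $null }
        RecentSenseIds  = @($recent | ForEach-Object Id)
        IsOnboarded     = ($status.OnboardingState -eq 1) -and ($sense.Status -eq 'Running')
    }
}

$state = Get-DeviceOnboardingState
$state | Format-List
if (-not $state.IsOnboarded) {
    Write-Warning 'Device is not reporting as onboarded; re-run the onboarding script as an administrator and check the Sense service.'
}
```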

Now that the device is onboarded, we can use some of the device based features of the Compliance center. I’ll be going through some of these in subsequent posts!

Exchange Online Native Tenant to Tenant Migrations (Preview)

With the proliferation of Microsoft 365 as the collaboration platform of choice in the enterprise space, it’s rare to find a large organization that hasn’t undergone some form of tenant to tenant migration. This can be a result of mergers, acquisitions or divestitures. Microsoft have not previously had any native tooling to facilitate this and third parties such as BitTitan and Quest have built up some really slick products to help organizations manage this technical transition.

This has slowly begun to change with the Microsoft acquisition of Mover in 2019 to help facilitate file migrations to Office 365. Microsoft seem to be making more native migration functionality available as part of the service. The most mature of the migration tools is also the oldest, the native Exchange on-premises migration tools using Exchange MRS functionality. This has also been improved recently with the availability of the Exchange modern hybrid configuration, removing the need to open up on-premises endpoints to the cloud by leveraging application proxy technology.

This Exchange functionality has now been extended to cross-tenant migrations allowing the migration of mailboxes from one tenancy to another using the familiar Exchange migration tools.

Prepare for Migration

First we need to set up our environments for the tenant to tenant migration. To understand the configuration, Microsoft have published the below diagram which explains the process in detail:

So from this diagram, we can see the high level components of the migration infrastructure are:

  • A Tenant relationship application registration in the destination tenancy with the below API permissions
    • Exchange: Mailbox.Migration
    • Graph: Directory.ReadWrite.All
  • Azure KeyVault stores the app secret details for this app
  • The Source Tenant grants consent to the tenant relationship app created in the destination tenant
  • A two way Organization Relationship
  • A mail enabled security group in the source tenant to scope mailboxes for migration

Luckily, Microsoft have automated a lot of this setup with PowerShell scripts located on GitHub:

Source – SetupCrossTenantRelationshipForResourceTenant.ps1

Target – SetupCrossTenantRelationshipForTargetTenant.ps1

Prepare the Target Tenant

To prepare the target tenant, download the SetupCrossTenantRelationshipForTargetTenant.ps1 script.

To run the setup script, ensure you have the ExchangeOnlineManagement, AzureAD (the Preview Module doesn’t seem to work) and AzureRM PowerShell modules installed. If you don’t, you can install them with the below commands:

Install-Module ExchangeOnlineManagement
Install-Module AzureRM
Install-Module AzureAD

Once the modules are installed, connect to Exchange Online with:

Connect-ExchangeOnline

Now we can finally run the first script. The following parameters are required to run:

  • -ResourceTenantDomain The mail domain of the source tenant
  • -ResourceTenantAdminEmail The email address for the admin account in the source tenant. Ensure this account has a valid mailbox.
  • -TargetTenantDomain the mail domain of the target tenant
  • -ResourceTenantId The source tenant Azure AD Directory ID
  • -SubscriptionId The Subscription ID to create the KeyVault in
  • -ResourceGroup A name for the KeyVault Resource Group
  • -KeyVaultName A name for the KeyVault
  • -CertificateName A name for the certificate
  • -CertificateSubject A certificate subject name: “CN=admin_seanmc”
  • -AzureAppPermissions The permissions to grant: Exchange, MSGraph
  • -UseAppAndCertGeneratedForSendingInvitation

.\SetupCrossTenantRelationshipForTargetTenant.ps1 -ResourceTenantDomain <Source Tenant mail domain> -ResourceTenantAdminEmail <Source Tenant Admin Account Email> -TargetTenantDomain <Target tenant domain> -ResourceTenantId <Source Tenant Directory ID> -SubscriptionId <Azure Subscription ID> -ResourceGroup "CrossTenantMoveRG" -KeyVaultName "adminseanmc-Cross-TenantMovesVault" -CertificateName "adminseanmc-cert" -CertificateSubject "CN=admin_seanmc" -AzureAppPermissions Exchange, MSGraph -UseAppAndCertGeneratedForSendingInvitation

This script will prompt for destination tenant credentials twice during its run and then will pause, asking for you to grant consent to the new app registration. In Azure AD App Registrations, open the new app and grant consent to the API permissions.

When consent is granted, hit enter on the script to continue and set up the Organization relationship.

Finally, note down the Application ID that is saved to the $AppID variable in the PowerShell session. If you miss this you can get it from the Azure AD app registrations page also.

Prepare the Source Tenant

Now that the destination tenant is configured, we can move on to the source tenant. When running the previous script, we were asked for an admin email address in the source tenant. When we log into this account we will find a B2B invitation from the destination tenant admin. Open this mail and accept the invitation.

Next, accept the permission request from the application to allow it to pull mailbox data.

With the permissions in place, we now create a mail-enabled security group to manage our migration scope. All mailboxes to be migrated will be part of this group. To create a group you can run the below Exchange Online PowerShell Command in the source tenant.

New-DistributionGroup t2tmigrationscope -Type security

Then add any in-scope mailboxes to the group with the below command.

Add-DistributionGroupMember -Identity t2tmigrationscope -Member <Mailbox to add>

With our scope in place, we can now prepare and run the source tenant preparation script. To run the script, we need the following parameters:

  • SourceMailboxMovePublishedScopes – This is our mail enabled security group created previously
  • ResourceTenantDomain – This is our source tenant mail domain
  • TargetTenantDomain – This is our target tenant mail domain
  • ApplicationId – This is the Application ID we noted during the target configuration
  • TargetTenantId – Azure AD Directory ID of the target tenant

With all of this information to hand, run the script SetupCrossTenantRelationshipForResourceTenant.ps1 as below:

.\SetupCrossTenantRelationshipForResourceTenant.ps1 -SourceMailboxMovePublishedScopes <security group identity> -ResourceTenantDomain <source tenant mail domain> -TargetTenantDomain <target tenant domain> -ApplicationId <AppID> -TargetTenantId <target tenant directory ID>

When this is complete we have all permissions in place and our Organization Relationship is in place so we can move on to preparing our users.

Prepare Destination User Accounts

To migrate a mailbox cross-tenant, we need to have a valid mail user in the destination tenant. There are several attributes we need to ensure align between the two to make sure the migration is successful. To gather the required data, run the below command against the mailbox(s) you wish to move in the source tenant.

Get-Mailbox <mailbox> | Select-Object ExchangeGuid, ArchiveGuid, LegacyExchangeDN, UserPrincipalName, PrimarySmtpAddress

This will give an output similar to the below.

Use this output to create a new mail user in the destination tenant. This setup can vary depending on if your destination environment is synchronized with Active Directory but for a non-synchronized environment, the below commands in Exchange Online PowerShell should create the user with the appropriate attributes.

New-MailUser -Name <alias> -ExternalEmailAddress <source tenant email> -PrimarySmtpAddress <destination tenant email> -MicrosoftOnlineServicesID <destination tenant username> -Password (Read-Host -AsSecureString "Initial password")

Set-MailUser debrab -ExchangeGuid <exchangeGUID from source> -ArchiveGuid <archiveGUID from source> -EmailAddresses @{Add="x500:<LegacyExchangeDN from Source>"}

Finally, once these attributes are present, give the new user(s) a valid Exchange Online license. If everything was done correctly, no Exchange Online mailbox will be provisioned when the user is licensed.

With the account(s) created, all the prep work is done and we can move on to testing migrations.

Start Cross-Tenant Migration Batch

Before starting the migration, we can create a comma delimited CSV file so we can import our batch. The CSV only needs a single column named ‘EmailAddress’ and should specify each target tenant email address for our user batch.
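Bulk version of the user preparation steps above together with the batch CSV: an added example, not from the original post or from Microsoft’s scripts. It assumes the ExchangeOnlineManagement module, the scope group name ‘t2tmigrationscope’ from above, a non-synchronized target tenant, target addresses of the form alias@target-domain, and placeholder file paths and domains.

```powershell
# Cross-tenant mailbox preparation helpers (added example, not from the original post).
# Assumed: ExchangeOnlineManagement module; placeholder paths/domains below are constructed.
$SourceExportCsv = 'C:\t2t\source-mailboxes.csv'   # placeholder path
$BatchCsv        = 'C:\t2t\migration-batch.csv'    # placeholder path
$TargetDomain    = 'target.example.com'            # placeholder target mail domain

function Export-SourceMailboxAttributes {
    # Run while connected to the SOURCE tenant: exports the attributes listed above for every
    # mailbox in the scope group.
    param([string]$ScopeGroup = 't2tmigrationscope', [string]$Path = $SourceExportCsv)
    Get-DistributionGroupMember -Identity $ScopeGroup -ResultSize Unlimited |
        Where-Object { $_.RecipientTypeDetails -like '*Mailbox' } |
        ForEach-Object { Get-Mailbox -Identity $_.PrimarySmtpAddress } |
        Select-Object Alias, ExchangeGuid, ArchiveGuid, LegacyExchangeDN, UserPrincipalName, PrimarySmtpAddress |
        Export-Csv -Path $Path -NoTypeInformation
}

function New-TargetMailUsers {
    # Run while connected to the TARGET tenant: creates a mail user per exported row and stamps
    # the source GUIDs plus the X500 of the source LegacyExchangeDN so the move matches the mailbox.
    param([string]$Path = $SourceExportCsv, [string]$Domain = $TargetDomain,
          [Parameter(Mandatory)][securestring]$InitialPassword)
    foreach ($m in Import-Csv -Path $Path) {
        $targetAddress = "$($m.Alias)@$Domain"
        $mu = New-MailUser -Name $m.Alias -ExternalEmailAddress $m.PrimarySmtpAddress `
            -PrimarySmtpAddress $targetAddress -MicrosoftOnlineServicesID $targetAddress -Password $InitialPassword
        $set = @{
            Identity       = $mu.Identity
            ExchangeGuid   = $m.ExchangeGuid
            EmailAddresses = @{ Add = "x500:$($m.LegacyExchangeDN)" }
        }
        # An all-zero ArchiveGuid means the source has no archive; do not stamp it in that case.
        if ($m.ArchiveGuid -and $m.ArchiveGuid -ne '00000000-0000-0000-0000-000000000000') {
            $set.ArchiveGuid = $m.ArchiveGuid
        }
        Set-MailUser @set
    }
}

function Test-TargetMailUsers {
    # Run in the TARGET tenant after licensing: checks the GUID and X500 are present and that
    # licensing did not provision a mailbox (the recipient must still be a MailUser).
    param([string]$Path = $SourceExportCsv, [string]$Domain = $TargetDomain)
    foreach ($m in Import-Csv -Path $Path) {
        $targetAddress = "$($m.Alias)@$Domain"
        $r  = Get-Recipient -Identity $targetAddress -ErrorAction SilentlyContinue
        $mu = Get-MailUser  -Identity $targetAddress -ErrorAction SilentlyContinue
        $guidOk = [bool]($mu -and ("$($mu.ExchangeGuid)" -eq $m.ExchangeGuid))
        $x500Ok = [bool]($mu.EmailAddresses | Where-Object { "$_" -ieq "x500:$($m.LegacyExchangeDN)" })
        [pscustomobject]@{
            Target        = $targetAddress
            RecipientType = if ($r) { $r.RecipientTypeDetails.ToString() } else { 'Missing' }
            GuidMatches   = $guidOk
            X500Present   = $x500Ok
            Ready         = ($r.RecipientTypeDetails -eq 'MailUser') -and $guidOk -and $x500Ok
        }
    }
}

function New-MigrationBatchCsv {
    # Builds the single-column 'EmailAddress' CSV of target addresses for the migration batch.
    param([string]$Path = $SourceExportCsv, [string]$Domain = $TargetDomain, [string]$OutPath = $BatchCsv)
    Import-Csv -Path $Path |
        ForEach-Object { [pscustomobject]@{ EmailAddress = "$($_.Alias)@$Domain" } } |
        Export-Csv -Path $OutPath -NoTypeInformation
}

# Typical order: Export-SourceMailboxAttributes (source tenant), then in the target tenant
# New-TargetMailUsers -InitialPassword (Read-Host -AsSecureString 'Initial password'),
# license the users, Test-TargetMailUsers, and finally New-MigrationBatchCsv.
```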

To create a new cross tenant migration request, we navigate to the new Exchange Admin Center at https://admin.exchange.microsoft.com from the destination tenant and open up the “Migration” section. From here we create a new migration batch and select “Migration to exchange Online”.

Next we select the migration type “Cross tenant migration”.

We can see the prerequisites we’ve worked through listed on the next page. Since we’ve done all the work already, we can hit next.

On the next page, we select the migration endpoint our script configured and hit next.

Next, upload the CSV file we prepared earlier.

Finalize the standard move configuration settings.

Configure any scheduling we need to perform and finally hit “save” to kick off the migration batch.

When the batch is created, we’ll see the success page below and then we can check the status throughout via the migration batches or by PowerShell.

After a little while the migration is synced. We can complete it as we would with any other migration batch.

We have now successfully migrated from one Exchange Online Tenant to another with native tools. When this functionality goes GA, it could really change the way a lot of Organizations approach multi-tenant configurations and migrations. For more information on Tenant to Tenant migrations, see the official Microsoft documentation here: Cross-tenant mailbox migration – Microsoft 365 Enterprise | Microsoft Docs

Using Delegated Access Permissions in PowerShell to Manage all Microsoft 365 Services

I recently posted about how we can use Delegated Access Permissions via a partner relationship to connect to an Exchange Online organization through PowerShell. This is a fantastic piece of functionality for MSPs and CSPs to manage multiple tenancies securely without having to manage a set of admin identities for all of their customers.

To expand on the previous post, I thought I would put together each of the PowerShell modules that support delegated admin permissions in one place and also highlight any that I feel are missing.

In this post I will go through the connection methods (where available) using DAP for each of the below modules:

  • ExchangeOnline
  • MSOnline
  • Azure AD
  • MicrosoftTeams
  • Skype for Business
  • SharePoint Online
  • Security & Compliance Center

Exchange Online Module (v2)

I’ve gone through this one recently in another post so full information is available there. In short, we can connect to Exchange Online PowerShell using the Exchange Online (v2) PowerShell Module by specifying the tenant domain in our connection command.

First, install the module as normal:

Install-Module ExchangeOnlineManagement

Once installed, restart PowerShell and connect using the customer tenancy domain:

Connect-ExchangeOnline -DelegatedOrganization <customerdomain.onmicrosoft.com>

MS Online Module

The MS Online Module works a little differently in that we don’t connect directly to our customer tenancy, we specify the tenancy in our commands.

We install the module with:

Install-Module MSOnline

Then we connect to our own service as normal:

Connect-MsolService

Once we are connected, we need to locate the Tenant ID of our target organization. If we don’t have it to hand we can find it using the tenant domain in the below command:

Get-MsolPartnerContract -DomainName <customerdomain.onmicrosoft.com> | Select-Object TenantID

Once we have the TenantID output (which will be a GUID), we can run commands against the tenant as below, using the -TenantID flag:

Get-MsolUser -All -TenantId <TenantID>

Azure AD Module

To connect to Azure AD, we need the Tenant ID from above to use in our connection. We can install the AzureADPreview Module:

Install-Module AzureADPreview

We then connect using our Tenant ID with the below command:

Connect-AzureAD -TenantId <TenantID>

Microsoft Teams Module

For Microsoft Teams we use the Tenant ID again. Install with:

Install-Module MicrosoftTeams

And then we connect with the Tenant ID as below:

Connect-MicrosoftTeams -TenantId <TenantID>

Skype for Business Module

The Skype for Business Module is interesting in that a lot of organizations have moved off Skype to use Microsoft Teams. The Skype module is still required to manage certain aspects of Teams though. Connecting to the module is equally unusual. Once we have connected to Teams as above, we then need to create our connection to Skype using the below commands to create the session and then import it:

$session = New-CsOnlineSession
Import-PSSession $session

This will connect our existing Teams session to the Skype for Business module!

SharePoint Online Module

Unfortunately the SharePoint Online Module does not support DAP at the moment. I will update this post when/if it becomes available.

Security & Compliance Center Module

The Security and Compliance Center Module is installed as part of the Exchange Online (v2) module and allows connection to services such as DLP and Information Protection.

To connect to the Security & Compliance Center we can install the Exchange Online (v2) module as above and use the -DelegatedOrganization flag to specify our customer domain:

Connect-IPPSSession -DelegatedOrganization <CustomerDomain>

And that’s it; that’s pretty much all the modules I use on a daily basis. I will update this post as/when more updates or modules are available.
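The connection steps above, collected into one function that takes a customer domain and resolves the Tenant ID from the partner contract. This is an added example (not from the original post) and assumes the ExchangeOnlineManagement, MSOnline, AzureADPreview and MicrosoftTeams modules are installed and that the partner account signs in interactively.

```powershell
# Connect to every DAP-capable module for one customer in a single step (added example, not from
# the original post). Assumed: modules installed; interactive sign-in with the partner account.

function Connect-CustomerTenant {
    param(
        [Parameter(Mandatory)][string]$CustomerDomain,   # e.g. customer.onmicrosoft.com (placeholder)
        [switch]$IncludeSkype                            # only needed for the Teams settings that still live in Skype cmdlets
    )

    # Exchange Online and the Security & Compliance Center take the customer domain directly.
    Connect-ExchangeOnline -DelegatedOrganization $CustomerDomain -ShowBanner:$false
    Connect-IPPSSession    -DelegatedOrganization $CustomerDomain

    # MSOnline connects to the partner tenant; the customer's TenantId comes from the partner contract.
    Connect-MsolService
    $contract = Get-MsolPartnerContract -DomainName $CustomerDomain
    if (-not $contract) { throw "No partner contract found for $CustomerDomain" }
    $tenantId = $contract.TenantId

    # Azure AD and Teams are scoped by the resolved Tenant ID rather than by domain.
    Connect-AzureAD -TenantId $tenantId | Out-Null
    Connect-MicrosoftTeams -TenantId $tenantId | Out-Null

    if ($IncludeSkype) {
        # Matches the module versions described above; newer MicrosoftTeams releases ship the
        # Skype cmdlets directly and no longer provide New-CsOnlineSession.
        $session = New-CsOnlineSession
        Import-PSSession $session | Out-Null
    }

    [pscustomobject]@{ CustomerDomain = $CustomerDomain; TenantId = $tenantId }
}

function Disconnect-CustomerTenant {
    # Tear every session down before switching customers so nothing runs against the wrong tenant.
    Disconnect-ExchangeOnline -Confirm:$false
    Disconnect-AzureAD
    Disconnect-MicrosoftTeams
    Get-PSSession | Remove-PSSession
}

# Usage (placeholder domain): MSOnline commands still need -TenantId, the others are already scoped.
$ctx = Connect-CustomerTenant -CustomerDomain 'customer.onmicrosoft.com'
Get-MsolUser -All -TenantId $ctx.TenantId | Select-Object UserPrincipalName, IsLicensed
Get-AcceptedDomain | Select-Object DomainName, DomainType
Disconnect-CustomerTenant
```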

Managing Office 365 Integrated Apps From The Admin Center

For all the cool features of Office 365 and the Office suite, there are always use cases for third party integrations. These apps provide an extension to the Office platform and add some specific functionality that might not be something that Microsoft can, or want to, deliver to the entire platform.

These apps are hosted on the AppSource catalog where they can be searched and deployed to users by an admin. Now, this functionality has been given a new home directly on the Admin Center in the Settings section.

Deploy An Integrated App

In this section we will deploy the Outlook “Report Message” add-on from Microsoft. I tend to deploy this for almost all modern Office 365 builds as it allows users to directly report spam and phishing attempts to Microsoft, helping to improve the overall message filtering backend while also cutting down on support tickets by giving the power directly to end users.

To deploy our first app, click the “Get apps” option to open the AppSource menu.

From here we can search for the app we want and get ready to deploy by clicking “Get it now”.

Now we can configure our deployment scope, for the Report Message Add-On, I’ll deploy to all users by selecting “Entire organization”.

Finally, we verify the permissions we will be giving the app and deploy it when we are happy.

Now with the app deployed, we can return to modify it any time from the integrated apps section.

Protect Corporate Data Within Windows 10 Apps With Windows Information Protection

With the massive shift towards user mobility and BYOD devices, it’s important to consider how we can help users be at their most productive while maintaining control over data. For mobile devices (Android, iOS) we have Microsoft Endpoint Manager (Intune) Mobile Application Management (MAM) Policies. MAM Policies work extremely effectively for BYOD devices and help provide the security needed by sandboxing the mobile applications used to connect to our corporate data.

For Windows devices, there are session control policies which can allow limited, read only access via a web browser from any device and even put some complex rules in place to define what exactly can happen within that session. This is great for web access but when users need some more flexibility around client applications, or when a web application just doesn’t meet the requirements, we need to add some control to how the application works in the context of the users device.

To meet this use case, we have Microsoft Windows Information Protection (WIP). WIP allows us to control how data moves throughout the end user device by designating data as either corporate or personal. Through the use of WIP Enlightened Apps, we can add controls around locations whose data will be protected, such as SharePoint Online or specific network shares, decide whether non-enlightened apps can access data marked as corporate, control copy/paste functionality and also add Microsoft Information Protection / Sensitivity Labels to data extracted from corporate locations.

NOTE: It’s important to understand the limitations of WIP. It is not a rock solid DLP solution, but rather another layer in the stack of protections available.

Creating a WIP Policy

To test out WIP, first ensure that the MAM scope and URLs are up to date in Azure AD by navigating to ‘Azure AD’ -> ‘MDM & MAM’ -> ‘Microsoft Intune’. Verify the MAM user scope contains your target users and hit ‘Restore default MAM URLs’ if you have changed them previously.

Now we can create an App Protection Policy in the Microsoft Endpoint Manager Admin Portal. Navigate to ‘Apps’ -> ‘App Protection Policies’ and create a new Windows 10 Policy.

We create a new policy and choose if it applies to enrolled (MDM) or unenrolled devices (MAM). There are a few important differences to consider when deciding this, as outlined in the Microsoft Documentation:

  • MAM has additional Access settings for Windows Hello for Business.
  • MAM can selectively wipe company data from a user’s personal device.
  • MAM requires an Azure Active Directory (Azure AD) Premium license.
  • An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
  • MAM supports only one user per device.
  • MAM can only manage enlightened apps.
  • Only MDM can use BitLocker CSP policies.
  • If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using Settings > Email & accounts > Add a work or school account), the MAM-only policy will be preferred but it’s possible to upgrade the device management to MDM in Settings. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.

Next we choose the targeted and excluded apps. Targeted apps will be the “enlightened” apps that we protect. Excluded apps will be able to access corporate data without restrictions applied.

We can then choose the mode our policy operates in. We can straight away block moving data out of corporate locations, we can allow a user to override the corporate classification or we can run in a silent “monitoring” mode where we can view reporting and assess the impact of enabling WIP. This is recommended before enabling to ensure the impact is understood.

Next we configure the settings of our policy. We can configure for our Proxy server also to ensure endpoints that use a proxy are still protected. We can also assign an RMS template ID to corporate data to add an extra layer of security.

For now, we will just specify our cloud resources to protect as our SharePoint and OneDrive locations. We can add the following list of locations to our scope:

We add SharePoint and OneDrive as Cloud resources, specifying the URLs <contoso.sharepoint.com> and <contoso-my.sharepoint.com>.

Now when we assign our policy to a user we can see the added functionality to help protect corporate data.
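The same policy expressed as a Graph request body, so the mode, protected apps, cloud resources and icon setting chosen above can be reviewed and versioned rather than clicked through. This is an added example, not from the original post or from Microsoft; it assumes the Intune beta Graph endpoint for MAM (unenrolled) WIP policies and the property names used below, a constructed tenant domain, and an access token obtained separately.

```powershell
# Build (and optionally publish) a WIP policy body for the Graph API. Added example, not from the post.
# Assumed: beta endpoint /deviceAppManagement/windowsInformationProtectionPolicies (MAM policies)
# and the windowsInformationProtection property names below; $TenantDomain is a placeholder.
$TenantDomain = 'contoso.com'

# The three modes described above mapped to Graph enforcement levels.
$EnforcementLevels = @{
    Block          = 'encryptAuditAndBlock'   # block moving data out of corporate locations
    AllowOverrides = 'encryptAuditAndPrompt'  # user may override the corporate classification
    Silent         = 'encryptAndAuditOnly'    # monitoring mode, recommended before enforcing
}

function New-WipPolicyBody {
    param(
        [ValidateSet('Block', 'AllowOverrides', 'Silent')][string]$Mode = 'Silent',
        [string]$RmsTemplateId   # optional RMS template from the settings step; placeholder if used
    )
    $tenant = ($TenantDomain -split '\.')[0]   # contoso -> contoso.sharepoint.com / contoso-my.sharepoint.com
    $body = @{
        displayName                    = "WIP - $Mode"
        enforcementLevel               = $EnforcementLevels[$Mode]
        enterpriseDomain               = $TenantDomain
        enterpriseProtectedDomainNames = @(@{ displayName = 'Corporate identities'; resources = @($TenantDomain) })
        enterpriseCloudResources       = @(@{
            displayName = 'SharePoint and OneDrive'
            resources   = @("$tenant.sharepoint.com", "$tenant-my.sharepoint.com")
        })
        # Targeted ("enlightened") app; Notepad as used in the walkthrough above. Constructed sample entry.
        protectedApps = @(@{
            '@odata.type' = '#microsoft.graph.windowsInformationProtectionDesktopApp'
            displayName   = 'Notepad'
            publisherName = 'O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
            productName   = '*'
            binaryName    = 'notepad.exe'
            denied        = $false
        })
        exemptApps               = @()      # apps allowed to touch corporate data unrestricted
        iconsVisible             = $true    # "Show the enterprise data protection icon", off by default
        revokeOnUnenrollDisabled = $false   # keep selective wipe on unenrollment
    }
    if ($RmsTemplateId) {
        $body.azureRightsManagementServicesAllowed = $true
        $body.rightsManagementServicesTemplateId   = $RmsTemplateId
    }
    return $body
}

function Publish-WipPolicy {
    # POSTs the body to Intune; $AccessToken must carry a scope able to write app protection policies.
    param([Parameter(Mandatory)][hashtable]$Body, [Parameter(Mandatory)][string]$AccessToken)
    $uri = 'https://graph.microsoft.com/beta/deviceAppManagement/windowsInformationProtectionPolicies'
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -Body ($Body | ConvertTo-Json -Depth 10)
}

# Review the JSON first (runs offline); publish with Publish-WipPolicy -Body $policy -AccessToken $Token.
$policy = New-WipPolicyBody -Mode Silent
$policy | ConvertTo-Json -Depth 10
```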

User Experience

When our user now connects to corporate data using the apps specified, we can see WIP in action. The first thing to note is that in the policy we enabled the “Show the enterprise data protection icon” which is off by default. This essentially tells the user that the app is working in a “corporate” context.

Clicking on the icon informs the user that they are working in a managed app.

When our user tries to download a file from our corporate location, they will see a briefcase icon indicating that the document came from the corporate environment. We also see the “File ownership” column in File Explorer which tells us if the file is corporate data or personal.

If we allowed overrides in our policy the user can right click to change the file ownership. We didn’t in our policy so this is greyed out.

The user can however, classify personal documents as corporate.

Once this txt file is classified, we can see the WIP icon appear in Notepad.

Extracting Corporate Data

With all this protection in place, let’s look at what happens when a user drops a corporate document into their personal OneDrive folder. As OneDrive personal is not listed as a corporate location, the user gets a message telling them that this action isn’t allowed.

We can see similar behavior when the user tries to copy to a removable drive or an unprotected network share.

Summary

WIP does not meet every use case and is not a complete protection solution. There are ways around the controls here for savvy users who really want to do it. It is however a great addition to help protect users from making mistakes and make it a little bit harder for someone to carelessly extract corporate data without thinking.

Overall a great technology and another layer of protection that is (relatively) seamless to end users. For more information on configuring WIP, check out the Microsoft Documentation for an in depth guide.

How To Use Microsoft 365 Productivity Score To Drive Digital Transformation

With the recent public release of the Microsoft 365 Productivity Score, it has never been easier to assess your organization’s adoption of Microsoft collaboration tools, identify areas for improvement and plan to help users get the most out of the tools available.

The Productivity Score is a great baselining tool in the same vein as the Secure Score and Compliance Score, giving a numerical value based on a wide set of statistics, along with suggestions for improvement.

Enable the Productivity Score

The first step to understand how Microsoft 365 tools are used in your organization is to enable the tool. This can be done from the Microsoft 365 Admin Center by navigating to ‘Reports’ -> ‘Productivity Score’. From here, we can enable the tool, this might take up to 24 hours to finish, then we can start using it.

Once the Productivity Score dashboard is enabled, it will show up in this section of the Admin Center.

Score Breakdown

The overall Productivity Score is broken down into two overall ‘buckets’. The total score is the sum of the ‘People’ score and the ‘Technology’ score. You can track your score against the benchmark set by similar organizations.

This provides an ‘at a glance’ metric of how the Microsoft 365 toolset is being used in our organization. Along with the current score, we also see how our score has changed over time, which gives us insight into the usage trend in the organization.

People Score

The ‘People’ Score helps us track how our users are leveraging the tools available to them across the various classifications (‘Communication’, ‘Meetings’, ‘Content Collaboration’, ‘Teamwork’ and ‘Mobility’).

We can dive into one of these classifications to see the metrics that make up our score in a particular area. In ‘Communication’ for example, we can see the different methods our users are using to communicate.

For each metric, we can view content such as videos and articles to help promote the particular method of communication. This gives us access to some prepackaged user training and communications which can help maximize utilization.

We can also see a per-user breakdown of active communication methods, allowing us to identify areas of the business that need the most help.

Using the resources in the ‘People’ score, we can easily get a view of how the tools are being used, and by who, and guide our adoption and change management efforts efficiently. In the above examples we can see that our efforts should focus on promoting and providing materials around Yammer much more than Teams chat. We can also see a subset of our users are actively using ‘@ mentions’ however some users aren’t, despite active Teams chat usage.

Technology Score

In our ‘Technology’ score, we can see how the technical aspects may be affecting our user productivity. In Technology, we see Endpoint Analytics from Microsoft Endpoint Manager (this needs to be enabled), the impact of Network Connectivity and the health of our Microsoft 365 Apps.

In the Microsoft 365 Apps health section for example, we can see the versions of the Office apps our users are connecting with and the associated update channels.

In this example, we can see quite a number of our users have unsupported versions of the Microsoft 365 Apps suite and the update channel is configured to ‘Semi-Annual’. This will

As with the ‘User’ score, we can dive into some useful resources around how to manage and improve this baseline, which will in turn increase our total score.

Summary

As with the Secure Score and Compliance Score, I do recommend that these metrics are taken with a pinch of salt and context is considered before circulating the score. For instance, if corporate structure or policy blocks a large group of our users from using Teams, our score there will always be lower. If licensing models or technical restrictions dictate we are using Office 2019 in our organization, that will obviously affect our score.

The Productivity Score is a great addition to the toolset, providing some quick insights and prepackaged metrics that are easily consumed at C-Level in our organization. Overall it is nice to have this information readily available but please don’t rely on any of the Microsoft ‘Scores’ to accurately depict the nuances of your organization.

Keeping Up With Change: Planning For Microsoft Teams Public Preview

With the ‘evergreen’ nature of Microsoft Cloud services, we get a constant stream of new features and fixes that could never be matched in an on premises environment. The technical change itself would take up way too much time to plan, implement and support. Many organizations are still running legacy, out of support versions of Microsoft apps for example (Office 2010 is still hanging around in a lot of environments).

No service has seen as much innovation at such a rapid pace as Microsoft Teams. It has gone from a new concept in the Microsoft ecosystem to being the fastest growing product Microsoft have ever seen, reaching 115 daily active users in October 2020, just three years after launch. The support and development of Teams has scaled to match this, with new major features being released at a monthly, if not weekly, pace.

Adoption and Change Management

For large organizations, the key to keeping up with the pace of technical change in the cloud is a proper Adoption and Change Management plan. If we’re not training our users on how to use all these new tools correctly, we are not seeing the full productivity benefit or return on investment from our licensing costs.

This doesn’t just go for Teams; all cloud services are subject to constant updates and feature releases. Recently I’ve posted about ‘Project Moca’ and the ‘Pin Email feature in Outlook’, just two recent updates that I now can’t see myself going without!

Managing change for Microsoft 365 is different from a lot of on premises applications as it’s not just a single push for training and adoption, but a mindset and ongoing process to keep our users up to date on the tools available to them. True, the initial gap needs to be filled to get users up to date on the service as it is, that is generally a larger program which may include classroom based training, webinars, training material etc. But after this initial upskilling, there should also be a constant stream of much smaller communications to ensure our users stay up to date with what new features are available to them and benefit from them.

Assess the Features Early

With Microsoft Apps for Business and Windows 10 Enterprise, there have always been ‘update channels’ to allow us to deploy the newest features early to a set of users. This is critical to assessing and embracing what’s coming as we can test with a real world group of users, build any comms or training packages we need to and discover/mitigate any potential issues the new features could have in our environment.

These early adopters are generally key members of the business who can help by being ‘Change Champions’ and essentially singing the change management song to the rest of the organization while also assessing and giving feedback on any new features not yet deployed to the rest of our users.

Teams Public Preview Option

Along with the Microsoft Apps for Business and Windows 10 update channels, in November 2020 Microsoft Teams is getting its own public preview policy. Admins will be able to specify the group of users who will receive updates early and get to assess them.

A new section of the Teams Admin Center will be made available called ‘Update Policies’ where, similar to Apps and Windows, an admin can determine who has preview features available to them by creating and deploying update policies.

Select the Update policies option

Once this feature rolls out to your tenant you will be able to onboard your targeted users and enable all the cool new features for them to test (and possibly break) before finalizing any comms or training material.

Teams update policies are set to roll out in Mid-November 2020. For more information check out the Microsoft Article here.

Microsoft Defender for Office 365 Configuration Analyzer

Microsoft Defender for Office 365 (or Office 365 Advanced Threat Protection if you’re old fashioned) is an amazing toolset for securing your Office 365 environment with some extremely powerful features. Previously, I have written about the built in Preset Security Policies that Microsoft have recently made available. These policies help to provide a baseline for your Defender for Office 365 configuration. While not every setting will meet requirements for every environment, they are a great start towards a best practice configuration.

To make assessing and remediating your policies even easier, Microsoft have made available the Microsoft Defender for Office 365 Configuration Analyzer which is an evolution of the Office 365 Recommended Configuration Analyzer tool. The Configuration Analyzer takes these baseline policies and essentially runs a gap analysis for your existing policies. The analyzer then allows for simple, one click remediation of policies to bring them back to baseline and also monitors and logs changes to policies to capture configuration drift.

Using the Configuration Analyzer

To use the Configuration Analyzer, we simply navigate to the Policies section of the Office 365 Security & Compliance Portal and choose the Configuration Analyzer option.

There are two sections to the Analyzer. The ‘Settings and Recommendations’ page provides a list of all current settings which differ from the baseline best practices. Not all of these settings will suit your environment, so it’s important to consider the specific needs of your organization before accepting any baselines.

To implement the recommended setting, we simply click “Adopt” on the right column to change our current value, very easy!

The other section of the Configuration Analyzer presents us with “Configuration Drift Analysis and History”. This page gives us the drift from baseline in our tenant along with details of when the option was changed and even if the change increased or decreased the security posture of the environment. We can see who made the change, to what policy it was made and when. Great for enforcing desired state.

The Configuration Analyzer doesn’t bring a whole lot that wasn’t available in the ORCA tool previously, but having it integrated and showing drift and history is a fantastic addition. Keep the specific needs of your organization in mind when implementing the recommendations; not all default policies will apply to all organizations.

End of Support for Teams Web App on IE11

As Microsoft work to finish the move to Microsoft Edge, the new version of Edge that is, more and more services are becoming unsupported on Internet Explorer. Internet Explorer 11 is now considered by Microsoft to be a legacy browser and all efforts for functionality and supportability are going into Microsoft Edge (Edge Chromium) going forward.

A big step in this process is the end of support for Microsoft 365’s golden child at the moment – Microsoft Teams. As of the 30th of November 2020, the Microsoft Teams web app will no longer be supported on Internet Explorer 11. This is the first step towards removing support for Microsoft 365 apps and by August 2021, all Microsoft 365 apps will cease to support Internet Explorer.

What do I need to do?

The good news is that it’s very easy to upgrade to the new Microsoft Edge browser! There are GPOs and deployment methods available to you. It is also available as part of a standard Windows update to all Windows 10 (1803 and higher) devices. For downlevel devices, new Edge can be downloaded here.

If you haven’t already deployed new Edge, then now is the time to do it. The browser performs brilliantly and is leaps and bounds ahead of the classic Microsoft Edge and Internet Explorer. Personally I’ve switched from a longtime Google Chrome user fully to Microsoft Edge this year and haven’t looked back.

Any required version of IE can be kept on the machine for legacy web apps or line of business apps that don’t support Edge or Chrome but for the Microsoft 365 web apps, it’s important to plan this upgrade now if you haven’t already!

For more information on the roadmap for support of IE11 in Microsoft 365, check out this Microsoft article.

Project Moca – Organize Your Content in Outlook on the Web

With so many different productivity tools at our disposal today it can be hard to stay organized. We have apps like Planner and To-Do (which now roll up into Tasks in Teams) that can help track progress on work and remind us of our task list. We also have OneNote which is great for personal or shared note taking. We can flag or pin mails in outlook, pin channels in Teams and create collections in Edge. All of these tools help us work towards being organized and efficient but at times can feel disjointed, particularly when we are looking for flexibility for personal organization.

An underutilized tool that a lot of users swear by is the Notes in Outlook functionality, which essentially brings the Windows 10 Sticky Notes function into the Outlook client. This functionality has been around for a long time but never really became a key feature as it was quite limited.

Microsoft’s new “Project Moca” tool aims to provide users with a flexible, user driven organizational space which can be used for a large array of use cases. Project Moca which is currently in preview, is based in Outlook on the Web and provides users with the ability to create a ‘space’ dedicated to a particular area such as projects, daily tasks, personal plans etc.

Enabling Project Moca in your Organization

To enable Project Moca for all users or a subset of users in your Organization, we need to set it as enabled in the OWA Mailbox Policy that applies to those users. If there are no custom policies then we can set it in the default policy to enable it for all users. Run the below command in Exchange Online Management Shell, entering the name of your desired policy:

Set-OwaMailboxPolicy <PolicyName> -ProjectMocaEnabled $true 

Once enabled it can take a little while to apply to all users.
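As an added example (not from the original post), the same setting applied to a pilot group through a dedicated OWA mailbox policy rather than the default one, so the feature can be assessed with a small set of users first, in the early-adopter style described earlier. The policy name, the pilot group name and the use of the ExchangeOnlineManagement module are assumptions; the cmdlets themselves are standard Exchange Online cmdlets.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds Exchange admin rights.
# $policyName and $pilotGroup are placeholder names.

Connect-ExchangeOnline

$policyName = 'OWA-ProjectMoca-Pilot'   # placeholder policy name
$pilotGroup = 'ProjectMocaPilot'         # placeholder distribution group

# Create the pilot policy only if it does not already exist.
# A new OWA mailbox policy starts from default settings, so the default
# policy applied to everyone else is left untouched.
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# Turn Project Moca on for the pilot policy only
Set-OwaMailboxPolicy -Identity $policyName -ProjectMocaEnabled $true

# Assign the pilot policy to each member of the pilot group and show the result
Get-DistributionGroupMember -Identity $pilotGroup -ResultSize Unlimited |
    ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress -OwaMailboxPolicy $policyName
        Get-CASMailbox -Identity $_.PrimarySmtpAddress |
            Select-Object DisplayName, OwaMailboxPolicy
    }

# Overview of every OWA mailbox policy and whether Project Moca is enabled on it
Get-OwaMailboxPolicy | Select-Object Name, ProjectMocaEnabled
```

Because a newly created OWA mailbox policy carries default values for every other OWA setting, review it against your existing policy before assigning it, otherwise pilot users may gain or lose OWA features unrelated to Project Moca. As the post notes, the change can take a little while to apply once the policy is assigned.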

Using Project Moca

Once it is enabled, you will find Project Moca in Outlook on the Web from the Outlook module switcher at the bottom left:

When we first navigate to Project Moca, we are given a list of templates to start from, or we can start a new space from scratch. Here I’ve selected a new Project Plan space where we can collect details about a new customer project:

We give the space a name and add some keywords and people to help identify the content relating to this project:

Now that our space is set up, we can begin adding content. We can add new buckets and post tasks, notes, documents, locations, weather, mails, URLs and events to our space and organize them into the buckets we create. We are also presented with a list of dynamically detected content based on the users and keywords we entered when we set up the space:

We can customize the space to look however we want

We can add touches like color and icons to each bucket to help keep things organized and easy to understand.

While Project Moca won’t suit everyone, there is a lot of flexibility here to help the people who buy into it to stay organized and capture a lot of information in one place. No doubt there will be improvements and additions over time but as a new addition, there are a lot of use cases for Project Moca, even if it won’t suit every user.