Getting ready for the Great Information Barrier in Microsoft Teams

Information Barriers is now in Preview in Microsoft Teams, but what does this mean? Information Barriers enables organizations to prevent segments of users from communicating with each other, or to allow only defined groups of users to communicate with certain business units. This helps organizations maintain compliance with all relevant industry standards and regulations and protects users against conflicts of interest. The main driver for delivering this functionality came from the Financial Services industry (FINRA 2241, Debt Research Regulatory Notice 15-31).

Information Barriers are configured using policies within the Office 365 Security & Compliance Centre via PowerShell, and like all Microsoft products there are several prerequisites before implementing.

Important Note:

Information barrier groups cannot be created across tenants.

Using bots to add users is not supported in version 1.

Information barriers version 1 doesn’t include support for SharePoint and OneDrive for Business. We are working on enabling the feature in SharePoint and will communicate once it’s available.

Prerequisites

License(s)

You will need to have the listed Microsoft subscriptions in order to use Information Barriers.

  • Microsoft 365 E5
  • Office 365 E5
  • Office 365 Advanced Compliance
  • Microsoft 365 Information Protection and Compliance

Permissions

You will need to have the following Admin roles to configure Information Barriers.

  • Microsoft 365 Global Administrator
  • Office 365 Global Administrator
  • Compliance Administrator
  • IB Compliance Management (This is a new role)

Directory Data

You need to ensure that account attributes like group membership, department name, etc. are populated correctly in Azure Active Directory or Exchange Online, as this information will be used later in this post.

Scoped Directory Search

Please Note:

Before you set up or define policies, you must enable scoped directory search in Microsoft Teams. Wait at least 24 hours after enabling scoped directory search before you set up or define policies for information barriers.

Auditing

Audit logging must be enabled within your Security & Compliance Centre. The simplest way of switching on auditing is using Exchange Online PowerShell with the following command:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Exchange Address Book Policies

You need to ensure that your organisation doesn't have any Exchange Address Book Policies. If you are unsure how to check this, follow this URL: https://docs.microsoft.com/en-us/exchange/address-books/address-book-policies/remove-an-address-book-policy

PowerShell

You will need to ensure that the AzureRM module is installed on your client machine; this can be done by running the following command:

Install-Module AzureRM

Admin Consent for Information Barriers

When your policies are in place, information barriers can remove people from chat sessions they are not supposed to be in. This helps ensure your organization remains compliant with policies and regulations. Use the following procedure to enable information barrier policies to work as expected in Microsoft Teams.

# Sign in to Azure with an account that can create service principals
Login-AzureRmAccount
# Application ID of the Information Barriers app
$appId="bcf62038-e005-436d-b970-2a472f8c1982"
# Create the service principal only if it does not already exist in the tenant
$sp=Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
if ($null -eq $sp) { New-AzureRmADServicePrincipal -ApplicationId $appId }
# Open the admin consent page for the app in the default browser
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"

When prompted, sign in using your work or school account for Office 365.

In the Permissions requested dialog box, review the information, and then choose Accept.
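As an added example (not part of the original post), the following script checks the prerequisites listed above in one pass: audit logging, the absence of Address Book Policies, the AzureRM module, the Information Barriers service principal and a sample of directory data. It assumes an Exchange Online PowerShell session, that Login-AzureRmAccount has already been run, and that Department is the attribute your segments will be built on.

```powershell
# Added example: pre-flight check of the Information Barrier prerequisites
# described in this post. Assumes an Exchange Online PowerShell session and
# an existing Login-AzureRmAccount session; $AppId is the app id quoted above.
function Test-InformationBarrierPrereqs {
    param([string]$AppId = "bcf62038-e005-436d-b970-2a472f8c1982")

    $results = [ordered]@{}

    # 1. Unified audit log ingestion must be switched on (Exchange Online cmdlet)
    $audit = Get-AdminAuditLogConfig
    $results['AuditLogEnabled'] = [bool]$audit.UnifiedAuditLogIngestionEnabled

    # 2. No Exchange Address Book Policies may exist in the organisation
    $abp = @(Get-AddressBookPolicy -ErrorAction SilentlyContinue)
    $results['NoAddressBookPolicies'] = ($abp.Count -eq 0)
    if ($abp.Count -gt 0) { $results['AddressBookPolicies'] = ($abp.Name -join ', ') }

    # 3. The AzureRM module must be available on the client machine
    $results['AzureRMInstalled'] = [bool](Get-Module -Name AzureRM -ListAvailable)

    # 4. The service principal for the Information Barriers app must exist
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $AppId -ErrorAction SilentlyContinue
    $results['IBServicePrincipalExists'] = [bool]$sp

    # 5. Directory data: count mailboxes that still have no Department value,
    #    since segments are usually defined on attributes like this one
    $missing = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { [string]::IsNullOrWhiteSpace($_.Department) }
    $results['UsersMissingDepartment'] = @($missing).Count

    [pscustomobject]$results
}

$report = Test-InformationBarrierPrereqs
$report | Format-List

$ready = $report.AuditLogEnabled -and $report.NoAddressBookPolicies -and
         $report.AzureRMInstalled -and $report.IBServicePrincipalExists
if (-not $ready) {
    Write-Warning "One or more Information Barrier prerequisites are not met; see the list above."
}
```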

Regards,
The Author – Blogabout.Cloud

Watching the Office 365 Roadmap with Microsoft Team Channel Messages

Do you find it hard to keep up to date with all the latest Office 365 Roadmap news?
Would you like an easier way to keep you and maybe your colleagues informed?

Then look no further: with the power of Microsoft Teams you can now post the Roadmap updates directly into a Microsoft Teams channel. By using the super powers of Microsoft Flow we can publish the Office 365 Roadmap cleanly into a Microsoft Teams channel, and here's how we do it.

Launch http://flow.microsoft.com

Creating the Microsoft Flow for RSS to Microsoft Teams Channel

Select My Flows
Create New
Automated – from Blank

Give your Microsoft Flow a name, choose the RSS trigger “When a feed item is published”, then click Create 🙂

Provide the following URL http://feeds.feedburner.com/Office365RoadmapWatcher and select New Step, as we will now be defining the Microsoft Teams element of this flow.

Please Note:

You must be signed into Flow with an account that has Microsoft Teams access.

Browse for Microsoft Teams and select Post a message (V3) (preview). The Microsoft Teams elements in Flow are relatively new and all in public preview.

You will now need to specify your Team, Channel, Message and Subject. As you can see below, I am using Feed summary as the message and Feed title as the subject.

At the next trigger you will receive a message like the one below in your specified Microsoft Teams channel.

Regards
The Author – Blogabout.Cloud

And you bring me Flow in Microsoft Teams, well preview at least!!

Microsoft Teams and Microsoft Flow are now a match made in the cloud. These features are only in preview currently, but no doubt we can expect more and more as the Microsoft Teams wagon rolls on.

So what's in preview today!!

  • Get Messages
  • Post a choice of option as the Flow bot to a user
  • Post a message (v2)
  • Post a reply to a message
  • Create a channel
  • List channels
  • List Teams
  • Post a message as the Flow bot to a channel
  • Post a message as the Flow bot to a user
  • Post your own adaptive card as the Flow bot to a channel
  • Post your own adaptive card as the Flow bot to a user

I am currently playing with these options and will blog about the usage as soon as possible.

Regards
The Author – Blogabout.Cloud

Microsoft Teams arrives to Office ProPlus, so what do I need to know

As a big advocate for Office ProPlus, I am delighted to see that Microsoft Teams is now a part of the ProPlus delivery mechanism. However, just like any Microsoft product, it does have its caveats.

Microsoft Teams will only be included with NEW installations of Office 365 ProPlus, dependent on the channel you are using. The table below shows the schedule of the introduction, but this is subject to change.

| Update channel                  | Version      | Date           |
|---------------------------------|--------------|----------------|
| Monthly Channel                 | Version 1902 | March 4, 2019  |
| Semi-Annual Channel (Targeted)  | Version 1902 | March 12, 2019 |
| Semi-Annual Channel             | Version 1902 | July 9, 2019   |

Important Note:

Teams is also included with the following new installations:
Office 365 Business, starting with Version 1901, which was released on January 31, 2019. Office 365 Business is the version of Office that is included with certain business plans, such as the Microsoft 365 Business plan and the Office 365 Business Premium plan.

Office for Mac, starting with Version 16.21, which was released on January 16, 2019. Office for Mac comes with any plan that includes Office 365 Business or Office 365 ProPlus. For more information, see Microsoft Teams installations on a Mac.

Now that Microsoft Teams is part of the Office Deployment Tool, it is subject to all the controls we are used to, so we can exclude Teams if we really want to 🙂 but why would we do that?

What about existing deployments of Office 365 ProPlus?

At the time of this post, it is not possible to get Microsoft Teams if you have an existing deployment of Office 365 ProPlus. Microsoft has announced that in Version 1906 Microsoft Teams will be shipped to existing deployments running this version. The table below gives an indication of when we can expect the rollout of Teams, but if you are using Monthly Channel (Targeted) you should see Microsoft Teams appearing on approximately 25th June 2019.

| Update channel                  | Version          | Date               |
|---------------------------------|------------------|--------------------|
| Monthly Channel                 | Version 1906     | July 9, 2019       |
| Semi-Annual Channel (Targeted)  | To be determined | September 10, 2019 |
| Semi-Annual Channel             | To be determined | January 2020       |

If you don’t want Teams to be added to existing installations of Office 365 ProPlus when you update to a new version, you can use Group Policy or the Office Deployment Tool to exclude the installation.
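As an added example (not from the post or from Microsoft's documentation), this script writes an Office Deployment Tool configuration that excludes Teams and applies it with setup.exe. It assumes the ODT setup.exe lives in C:\ODT, the Monthly channel and the en-us language; adjust these to match your deployment.

```powershell
# Added example: generate an ODT configuration that excludes Teams, verify it,
# and apply it. $odtPath is an assumed location for the ODT setup.exe.
$odtPath = 'C:\ODT'

# The ExcludeApp element is what keeps Teams out of the installation
$configXml = @"
<Configuration>
  <Add OfficeClientEdition="64" Channel="Monthly">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Teams" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@

$configFile = Join-Path $odtPath 'configuration-no-teams.xml'
Set-Content -Path $configFile -Value $configXml -Encoding UTF8

# Sanity check: parse the file back and confirm the Teams exclusion survived
[xml]$parsed = Get-Content -Path $configFile -Raw
$excluded = @($parsed.Configuration.Add.Product.ExcludeApp.ID)
if ($excluded -notcontains 'Teams') {
    throw "Teams exclusion missing from $configFile"
}

# /configure applies the XML; run from an elevated prompt
& (Join-Path $odtPath 'setup.exe') /configure $configFile
```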

Always keep up to date.

Make sure you’re using the most current version of the Office Deployment tool available on the Microsoft Download Center.

Be sure you’re using at least version 4867.1000 of the Administrative Template files (ADMX/ADML), which were released on June 7, 2019.

Temporarily, the name and help text for this policy setting is available only in English. The name and help text will be available in the usual set of languages by June 14, 2019.

Updating Microsoft Teams!! It doesn't follow the normal ProPlus cycles.

Once Microsoft Teams is installed, it automatically updates approximately every two weeks with new features and quality updates. This doesn't follow the normal update cycle for Office 365 ProPlus, where the other applications receive updates depending on which channel they're on.

Regards
The Author – Blogabout.Cloud

ForEach Installed PowerShell Module Thanos Wipe.

In recent times I have been playing with a number of PowerShell modules and have now decided to have a bit of a clean up, or in the world of PowerShell and Marvel, Install-Thanos.

This process couldn't be any easier if I tried:

# Snapshot the list of modules installed through PowerShellGet
$Array = @(Get-InstalledModule)

foreach ($Module in $Array)
{
    # Confirm the module is still registered with PowerShellGet before acting on it
    $ModuleCheck = Get-InstalledModule -Name $Module.Name -ErrorAction SilentlyContinue

    if ($ModuleCheck) {
        Write-Host 'Info: Detected an installation of the', $Module.Name, 'Module' -ForegroundColor Green

        # Remove every installed version of the module, not just the latest one
        Write-Host 'Info: Removing', $Module.Name, 'Module' -ForegroundColor Yellow
        Uninstall-Module -Name $Module.Name -AllVersions -Force
    }
}

And just like magic, all your PowerShell modules should disappear like Spiderman.

Regards
The Author – Blogabout.Cloud

Microsoft 365 Device Management Part 1 – Device Enrollment

Microsoft 365 Device Management, otherwise known as Intune, is a very popular and common device management solution you will see in most organizations. The evolution of Intune has moved very quickly with the times, and you probably already have the correct licenses within your organization but are currently using something like AirWatch. This post is going to dive into my personal tenant, where I have configured 365 Device Management for my Android phone. In this post I am going to run through the basics of getting Microsoft 365 Device Management up and running for mobile devices like phones and tablets. All configuration is based on what is currently set within my own environment and may not apply to your organisation.

The Dashboard

Microsoft 365 Device Management Dashboard

The Microsoft 365 Device Management dashboard is configurable to your requirements. If there is something on the dashboard you would or would not like to see, you can easily edit the page and add additional tiles as shown below.

Editing the Dashboard

You can also create your own Dashboard leaving the defaults as they are;

Customized Dashboard

All Services

This section contains all the services available within the M365 Device Management portal; as you can see, some of the options don't contain a gold star. All this means is that the option is not displayed on your left-hand panel, which is customizable to the options you want to see.

All M365 Device Management Services

Device Enrollment

Apple enrollment

In order to support iOS devices, Microsoft Intune requires an Apple MDM Push Certificate to manage and support multiple enrollment methods.

Android enrollment

Microsoft Intune by default supports all Android devices. Managed Google Play enables management of Work Profile and other Android Enterprise functionality.

Android Enterprise provides three additional functions within this selection once Managed Google Play is configured.

Personal devices with work profiles

This option allows your corporation to manage corporate data and apps on user-owned Android devices. You are able to approve applications within the Google Play Store which your organization would like to manage, for example Outlook. Once the applications are approved, Enrollment Restrictions allows you to configure, with greater control, which groups of users should be managed using Work Profiles.

Corporate-owned dedicated devices

This option allows your corporation to manage device owner enrollments for kiosk and task devices using QR codes or tokens.

Corporate-owned, fully managed users devices (Preview)

This option is only in Preview currently and more developments are expected. In its current state, end users are able to enroll their corporate-owned devices using a company token. You can also use the Zero Touch Portal for auto-provisioning deployment; this feature is part of the Intune portal but is coming soon.

Windows enrollment

In this section we can configure Microsoft Intune enrollment for Windows devices.

Automatic Enrollment

This option allows your corporation to configure automatic enrollment when Windows devices join or register with Azure Active Directory. You can configure user scopes for MDM and MAM.

Unsure of the difference between the two?

MDM: addresses lack of control over corporate and personal devices, and lost device security

  • Ensures device compliance through user and device registration, configuration on-premises and passcode management
  • Secures devices on the network so you can monitor, report, track and update devices – and even locate, lock and wipe devices, if lost or stolen

MAM: addresses lack of compliance with data and privacy requirements, and lost data retrieval

  • User identity policy, single sign-on and conditional access tailored by role and device (with Intune or Active Directory on premises or in the cloud)
  • Monitors and pushes app updates, including mobile document management for online or cloud-provisioned apps like SharePoint and OneDrive

Windows Hello for Business

This option allows your corporation to replace passwords with strong two-factor authentication. Please note: this is a default Windows Hello for Business configuration applied with the lowest priority to all users regardless of group membership. Devices must be Windows 10, Windows 10 Mobile or later to be supported.

CNAME Validation

This option is a must for all organizations as it removes the need for end users to provide the MDM server address when enrolling their devices.
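As an added example (not from the post), the following function checks that the two CNAME records behind this option resolve to the Microsoft enrollment endpoints, which is the same check the portal's validation performs; contoso.com is a placeholder for your own verified domain.

```powershell
# Added example: verify the CNAME records that let Windows devices find the
# MDM enrollment and device registration endpoints without the user typing
# a server address. Expected targets are Microsoft's published values.
function Test-IntuneEnrollmentCnames {
    param([Parameter(Mandatory)][string]$Domain)

    $expected = @{
        "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
        "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
    }

    foreach ($name in $expected.Keys) {
        $target = $null
        try {
            # Resolve-DnsName comes with the DnsClient module on Windows 8 / 2012 and later
            $record = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                      Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            $target = $record.NameHost
        } catch {
            # NXDOMAIN or no CNAME: leave $target empty so the output shows the gap
        }

        [pscustomobject]@{
            Record   = $name
            Expected = $expected[$name]
            Actual   = $target
            # -eq is case-insensitive in PowerShell, which is what DNS names need
            Valid    = ($null -ne $target) -and ($target -eq $expected[$name])
        }
    }
}

Test-IntuneEnrollmentCnames -Domain 'contoso.com' | Format-Table -AutoSize
```

Any row with Valid = False means the record is missing or points at the wrong target, and users on that domain will be prompted for the server address during enrollment.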

Enrollment Status Page

This option allows your end users to see the status of the enrollment process. You can also block devices until all apps and profiles are installed.

Deployment Profiles

Windows Autopilot deployment profiles let you customize the out-of-box experience for your devices.

Devices

Windows Autopilot lets you customize the out-of-box experience (OOBE) for your users.

Intune connector for Active Directory

This option requires your organisation to download the Intune connector for Active Directory to support the Hybrid connection for Azure AD.

Terms and conditions

This option can be configured with Intune but the look and feel is quite basic as shown below;

Intune T&Cs

However, if you configure Azure AD T&Cs, it gives a slicker output within your Company Portal.

Enrollment restrictions

A device must comply with the highest priority enrollment restrictions assigned to its user. You can drag a device restriction to change its priority. Default restrictions are lowest priority for all users and govern userless enrollments. Default restrictions may be edited, but not deleted.

Device categories

Create device categories from which users must choose during device enrollment. You can filter reports and create Azure Active Directory device groups based on device categories.

Corporate device identifiers

This option lets you add devices based on their IMEI or serial number; this can be done manually or via CSV upload.

Device enrollment managers

This option allows certain users to enroll larger quantities of devices. More details can be obtained from https://docs.microsoft.com/en-us/intune/device-enrollment-manager-enroll

Monitor

This section allows you to monitor device enrollment failures, incomplete user enrollments and audit logs.

This completes Part 1, in Part 2 I will be looking at Device Compliance.

Regards
The Author – Blogabout.Cloud

Selectively wipe data using app protection policy access actions in Intune

Just a bit like Thanos, you can selectively wipe your corporate data if you have implemented an app protection policy. This provides extra flexibility for managing your corporate data across company- and non-company-owned devices. I am currently working with an organisation where users are nervous about enrolling their personal devices via the Company Portal. An administrator has the ability to completely factory reset their devices, but selectively wiping only the corporate data held by a particular app (like Outlook) has calmed their woes.

Don’t get me wrong, everyone is human and mistakes can be made, but educating your Service Desk, or whoever is responsible for Intune, in using selective wipe reduces the risk of the Thanos Factory Reset Button.

Captain America “No you won’t Factory Reset my device”

Create an app protection policy using access actions

Launch https://devicemanagement.microsoft.com
Click Client Apps –> Click App Protection Policies

Create Policy

Create Policy

Provide Information for Name, Description and Platform Fields
Select Apps

Select all the applications you would like to manage with selective wipe
Press Select

Under Settings you can either leave the defaults or modify to your requirements.
Press Create to finish the creation of the Application Protection Policy. You can repeat this process for other platforms if you require.

Wiping Applications

Under App selective wipe
Click Create wipe request

Under Users
Find and select the users who you would like to wipe
Under Device
Select the device you would like to wipe

Important Notice

Please note: It can take anywhere up to 30 minutes for this process to complete, I have seen it take up to nearly 45 minutes within my own testing.

Once the wipe requests are listed as completed, all corporate data will be removed safely from the selected device without affecting the user's normal mail accounts or applications.

Regards
The Author – Blogabout.Cloud

Changing Window Updates setting using PowerShell

In this post, I will look at how to modify the required registry keys for Windows Server 2012 R2 / 2016 Update settings using PowerShell. PowerShell is one of the gems within Microsoft and enables us to work with systems without the help of a GUI.

Windows always looks at registry keys located in the following hive:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Typically there is a key named ‘NoAutoUpdate’ with a value in the range 2-5, with the following meanings:

– 1 = Disable Updates – Only supported on Windows 2012 R2.
– 2 = Notify before download.
– 3 = Automatically download and notify of installation.
– 4 = Automatically download and schedule installation. Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime.
– 5 = Automatic Updates is required and users can configure it.

But if there is a ‘NoAutoUpdate’ key with the value of ‘1’, no updates will be processed by Windows.

You can change the registry key directly with the help of PowerShell:

Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name NoAutoUpdate -Value 3
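As an added example (not from the post), this function wraps the one-liner above so it also works on a server where the policy key has never been created, which makes a bare Set-ItemProperty fail, and reads the value back to confirm the change. The value name and meanings are taken from this post; the function name is my own.

```powershell
# Added example: set a Windows Update policy value safely. The AU policy key
# often does not exist on a fresh server, so it is created first; the value is
# written as REG_DWORD and read back so a silent failure cannot go unnoticed.
function Set-WindowsUpdatePolicyValue {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 5)][int]$Value,
        [string]$Name = 'NoAutoUpdate',
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    )

    # Meanings as listed in the post
    $meaning = @{
        1 = 'Disable Updates (Windows 2012 R2 only)'
        2 = 'Notify before download'
        3 = 'Automatically download and notify of installation'
        4 = 'Automatically download and schedule installation'
        5 = 'Automatic Updates is required and users can configure it'
    }

    # Create the policy key (and any missing parents); -Force is idempotent
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Record the previous setting so the change can be reverted if needed
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord

    # Read back and verify
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($after -ne $Value) {
        throw "Failed to set $Name under $Path (read back '$after')"
    }

    [pscustomobject]@{ Name = $Name; Before = $before; After = $after; Meaning = $meaning[$after] }
}

# Requires an elevated session: HKLM policy keys are writable only by administrators
Set-WindowsUpdatePolicyValue -Value 3
```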

Regards
The Author – Blogabout.Cloud

Say goodbye to your legacy PSGallery modules with Get-InstalledModuleUpdate.ps1

Working as a Microsoft Cloud Consultant, it's sometimes hard to keep up to date with all the latest releases of the required PowerShell modules installed on your client machine. Wouldn't it be nice if there was a script that took all that pain away?

Say hello to the Get-InstalledModulesUpdate.ps1 script

This script is based on my Microsoft Teams Detection script, but instead of looking at just that module, I am grabbing all your installed PowerShell modules and checking each one against the PSGallery.

Module checking

As you can see from my screenshot, the script has looked at each module installed on my client machine and compared it to the online version. If a legacy module was detected, the update process would remove the old version and install the latest from the gallery.
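The logic described above, written out as an added example that is not the post's own script: it fetches the gallery version of every installed module in a single query, updates the ones that are behind, and removes the superseded version. It assumes the default PSGallery repository is registered and reachable; the function name is my own, and -WhatIf shows the plan without changing anything.

```powershell
# Added example: compare installed modules with the PSGallery version and
# update the outdated ones, removing the old version afterwards.
function Update-OutdatedModule {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Repository = 'PSGallery')

    $installed = @(Get-InstalledModule)

    # One gallery query for all names is far faster than one Find-Module per module;
    # modules that are not in the gallery simply do not appear in $latest
    $latest = @{}
    Find-Module -Name $installed.Name -Repository $Repository -ErrorAction SilentlyContinue |
        ForEach-Object { $latest[$_.Name] = [version]$_.Version }

    foreach ($m in $installed) {
        if (-not $latest.ContainsKey($m.Name)) {
            Write-Verbose "$($m.Name): not found in $Repository, skipping"
            continue
        }

        $current = [version]$m.Version
        $status  = if ($current -lt $latest[$m.Name]) { 'Outdated' } else { 'Current' }

        if ($status -eq 'Outdated' -and
            $PSCmdlet.ShouldProcess($m.Name, "Update $current -> $($latest[$m.Name])")) {
            # Update-Module installs the newer version side by side; remove the old one
            Update-Module -Name $m.Name -Force
            Uninstall-Module -Name $m.Name -RequiredVersion $m.Version -Force -ErrorAction SilentlyContinue
            $status = 'Updated'
        }

        [pscustomobject]@{
            Module    = $m.Name
            Installed = $current
            Gallery   = $latest[$m.Name]
            Status    = $status
        }
    }
}

Update-OutdatedModule -Verbose | Format-Table -AutoSize
```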

This script is available via my Github or via this site.

Download

Get-InstalledModulesUpdates.ps1

Change Log

Version 1.0 – Features

  • Initial release

Version 1.1 – Features

  • Minor updates to code structure

Version 1.2

  • Minor updates to code structure

Version 1.3

  • Minor updates to code structure
  • Transcript of the changes made and dumped to Desktop.

Regards

The Author – Blogabout.Cloud

New functionality now in preview for Conditional Access

So I was happily minding my own business, looking at the configuration of my Conditional Access, and noticed three new options have appeared:

  • Baseline policy: End user protection (Preview)
  • Baseline policy: Block legacy authentication (Preview)
  • Baseline policy: Require MFA for Service Management (Preview)

Baseline policy: End user protection (Preview)

This policy protects users by requiring multi-factor authentication (MFA) during risky sign-in attempts to all applications. Users with leaked credentials are blocked from signing in until a password reset.

Once the policy is enabled, users are required to register for MFA within 14 days of their first login attempt. The default method of MFA registration is the Microsoft Authenticator App.

This policy is either On or Off and you can also exclude users from receiving this policy.

Baseline policy: Block legacy authentication (Preview)

This policy blocks all sign-ins using legacy authentication protocols that don’t support multi-factor authentication (such as IMAP, POP, SMTP). The policy does not block Exchange ActiveSync.

  • Office 2013 (without registry keys)
  • Office 2010
  • Thunderbird client
  • Legacy Skype for Business
  • Native Android mail client

This policy is either On or Off and you can also exclude users from receiving this policy. This policy is great, as I have configured a custom-built policy for just this, but my policy also includes Exchange ActiveSync.

Baseline policy: Require MFA for Service Management (Preview)

This policy requires users logging into services that rely on the Azure Resource Manager API to perform multi-factor authentication (MFA).

Services requiring MFA include:

  • Azure Portal
  • Azure Command Line Interface (CLI)
  • Azure PowerShell Module

This policy is either On or Off and you can also exclude users from receiving this policy.

It's great to see some more brilliant developments in Conditional Access, and I am really excited to see these go live with customers.

Regards
The Author – Blogabout.Cloud