Author Archives: Joe Stocker

Azure AD Connect Password Sync fails for multiple forests

In two different environments I have reproduced behavior where Azure AD Connect does not synchronize passwords when it is configured for multiple source AD forests.

The fix has been to change the ‘Configure Directory Partitions’ credential setting from ‘Use default forest credentials’ to ‘Alternate credentials for this directory partition’

No service restart or reboot required. The way to test it is to reset a password and then monitor the Application event log on the Azure AD Connect Server. Within 2 to 3 minutes you should see an event log entry that the password has been successfully set.

How to see console output from a VM in Azure IaaS

Earlier this month (Sep ‘15) Microsoft announced a new diagnostic capability for VMs running in IaaS – the ability to see serial and console output from a running Virtual Machine. We take this capability for granted when we host our own data center, but having this capability for VM’s running in the public cloud is useful when troubleshooting boot failures.

This capability is available for new and existing version 2.0 virtual machines (aka Azure Resource Manager (ARM) created in the preview portal.

stackSelector

Then toggle the monitoring option

enableMonitoring

Note, screenshots and output can take up to 10 minutes to appear in your storage account.

Troubleshooting OneDrive for Business Synchronization Problems

The current ODFB synchronization engine is based on groove.exe and msosync.exe. If you see OneDrive.exe in your task manager, that is the consumer edition synchronization engine for Onedrive.

When OneDrive for Business is healthy, the icon in the task tray will not display a useful troubleshooting option “View synchronization problems”

However, as soon as you have a file that will not synchronize, this icon will indicate a yellow exclamation point.

The first troubleshooting step is to right-click this icon and select ‘View sync problems…’

This will usually tell you why the file will not synchronize. In this case, it was because the file name contained an unsupported character “#”. As of 9/15/2015, here is the list of unsupported characters: \ , / , : , * , ? , ” , < , > , | , # , % (Reference MS KB 2933738). Also, files cannot begin with a period “.” or a “tilde “~”. Note: In the MS KB article linked above, there is a “Fix it tool” that can rename invalid filenames automatically.
Note: Microsoft’s roadmap site, roadmap.office.com, lists that the # and % characters will eventually be supported.

Another reason why a file may not migrate is if it exceeds 2GB, which is the current maximum file size. This is also on the roadmap to eventually increase to 10GB per file.

Other limitations:

File names must be less than 256 characters
Folder names must be less than 250 characters
The combination of the Folder + Filename must be less than 250 characters
The total number of files synchronized must be less than 20,000. Note: Microsoft has publically stated that they are working on increasing this in the next generation synchronization engine (currently in beta as of 9/15/2015).

Outlook PST files

Whereas PST files aren’t actively blocked by OneDrive for Business, syncing PST files that are in an open state isn’t supported. If you decide to sync PST files (for example, an archive PST file that you don’t load or view in Outlook), they can’t be in an open state at any time by any application while they’re in the OneDrive for Business sync folder. A PST file that’s connected to Outlook will be updated regularly and therefore if synchronized, can result in too much network traffic and growth of the Office File Cache on your local drive.

OneNote notebooks

Because OneNote notebooks have their own sync mechanism, they aren’t synced by the OneDrive for Business sync client. You can upload OneNote notebooks to a SharePoint Online page. However, they won’t sync with through the OneDrive for Business sync client application. Additionally, if you add a OneNote notebook to a local folder that syncs with SharePoint Online, the notebook won’t sync with the SharePoint site and may cause other sync errors within the local folder.

Open Files

This is a big one. If you create a file in your OneDrive synchronization library, and attempt to open that file before it finishes synchronizing, you will get an error message within the application.

Other Gotchas

If you plan on migrating user file shares to OneDrive for Business (using 3rd party software) then keep in mind that the total file share size for each individual user should be less than the available hard disk space on the end-user’s computer. Otherwise, when they attempt to synchronize it, then they will fail. For example, the user may have a 32GB SSD drive on their Surface Pro tablet, and they may have 100GB of files on their file share. If that file share is migrated to ODFB, and the user clicks the Sync button in their ODFB folder, they will fill up their hard disk and synchronization will fail. It gets worse – I have observed behavior where you attempt to remove these files from the local hard drive, only to replicate that as a deletion task in ODFB. Fortunately, the files should be able to be recovered in the ODFB recycle bin. For now, just be aware of this issue and wait for the next generation synchronization engine, which may have the ‘selective sync’ option where the end-user can select which folders to synchronize.

Troubleshooting Methodology

1. Check the ‘View synchronization errors’ first to see if the problem is simple to resolve

2. Self-help articles that solve common problems like those explained above are found (here) and (here). If it is not simple, then the next step is to clean the cache with this command:

“Groove.exe /clean ”

Note: DO NOT use the /ALL command as described in this article (here). This is pretty destructive as described in this article here:
https://support.microsoft.com/en-us/kb/982279

3. Navigate to the hidden cache folder and shift-delete all the files inside this folder (delete the files inside this folder but leave the OfficeFileCache folder intact)

C:\Users\%username%\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\

Follow this forum post: https://community.office365.com/en-us/f/154/t/281017

as it lists which processes to stop and then delete the contents of this folder:

C:\Users\%username%\AppData\Local\Microsoft\Office\Spw

Last resort method

If the above does not fix it, here is the last resort method of fixing synchronization problems:

1. Remove Office 2013 completely from the computer by using the fix it tool in the article: http://support.microsoft.com/kb/2739501. Then, the cache data and registry information can be removed automatically.

2. Clear all related windows credentials by running the following command in Command Prompt:

rundll32.exe keymgr.dll, KRShowKeyMgr

3. Reinstall the latest version of Office.

Disclaimer

I’m optimistic that many synchronization problems will be alleviated in the next generation synchronization engine due out in Q4 2015. Until then, hopefully the steps above will be helpful. Please note: this post is provided without warranty, and is for educational purposes only (use at your own risk –> always backup your files before performing any of these steps).

Pre-Sales Script to identify Microsoft Technology

Before speaking to a customer, it is often helpful to understand what technology they may have deployed.

By checking for the existence of DNS records in Public DNS, you can get a good idea on the email system and whether they have an Office 365 tenant established, whether they use ADFS and whether Lync or Skype have been deployed.

Peter Schmidt (MVP) authored a script on the Technet script gallery called Get-Office365DNSRecords.ps1. I enhanced the script to include more error checking and to check for common ADFS records.

For example, when checking Microsoft.com you find lots of Microsoft technology deployed.

However, when checking Google.com, you can see they have not been an adopter of Microsoft technology. Hmm… wonder why.

Reports

In addition to the on-screen information, this script also outputs two files: results.txt and report.csv. The text file contains the DNS records that were found and the CSV file contains a formatted report of each service that was found for each domain name checked.

Download

Download from the Script Center on TechNet here
Tips:

– Remember to set the execution policy to allow unsigned PowerShell scripts, and that has to be done in an elevated PowerShell session.

– You may need to unblock the script (see this article for more information on how to unblock)

Limiting access to Executive Mailboxes in Exchange Online

In my last blog post, I wrote about how the new workload specific role feature in Office 365 grants too much administrative ability when you simply want to restrict access to VIP mailboxes.

In this blog post, I will describe how you can create management “Scopes” to define boundaries so that external helpdesk organizations will not have the ability to manage your executives.

“Exclusive scopes are a special type of explicit management scope that can be associated with management role assignments. Exclusive scopes are designed to enable situations where you have a group of highly valuable objects, such as a CEO mailbox, and you want to tightly control who has access to manage those objects…
This behavior is similar to how a deny access control entry (ACE) on an Active Directory access control list (ACL) functions.”

This example creates an exclusive recipient filter-based scope that matches any user with “Executives” in the AD department field (this has to be run in a remote powershell session against Exchange Online):

New-ManagementScope “Executive Users Exclusive Scope” -RecipientRestrictionFilter { Department -Eq “Executives” } –Exclusive

or based on Job Tile

New-ManagementScope “Executive Users Exclusive Scope” -RecipientRestrictionFilter { Title –like “*Executive*” } –Exclusive

Or based on a custom attribute (you get the idea…

New-ManagementScope “Executive Users Exclusive Scope” -RecipientRestrictionFilter { CustomAttribute5 –eq “VIP” } –Exclusive

The next step is to assign the exclusive management to a group of highly trusted administrators. Anyone not on the list cannot manage the VIP mailboxes.

New-RoleGroup -Name “VIP Mailbox Administrators” -Roles “Mail Recipients”

At this point you can add add users or security groups into the VIP Mailbox Administrators role group.

Finally, this next command glues the RoleGroup to the Exclusive scope filter:

New-ManagementRoleAssignment -Name “VIP Mailbox Administrators” -SecurityGroup “VIP Mailbox Administrators” -Role “Mail Recipients” –ExclusiveRecipientWriteScope “Executive Users Exclusive Scope”

Going a step further…

The above commands lock out an external helpdesk from being able to manage your executives. But what if you want to restrict your external helpdesk even further, so that the actions they take on the rest of your users are limited as well?

You can create a custom role assignment for your external helpdesk that enables them to manage certain things but not others. For example, if you want to give them the ability to manage Archive rules, you would grant them the “Retention Management” role.

If you want your external helpdesk to manage ActiveSync policies on mailboxes and remotely wipe lost devices, see this article for more information.

In addition to “Retention Management” and the custom ActiveSync role described above, the other fine-grained roles to consider granting to your external helpdesk would be:

– UM Mailboxes (allows external helpdesk to enable voicemail on new mailboxes)

– View-only Recipients

– View-only configuration (this allows the external helpdesk to view non-recipient configuration such as transport config)

– Distribution Groups (this allows the external helpdesk to create distribution groups)

– Legal Hold (this allows the external helpdesk to place a mailbox on Legal Hold)

– Retention Management (this enables the external helpdesk to setup and manage Archives roles)

Note: If you stop here, the external helpdesk does not have enough permission to grant themselves the “full mailbox” permission to read the inbox contents of the VIP mailboxes, or any mailbox for that matter. By default, there is an implicit deny ACL that prevents an Exchange Admin from having full-mailbox access to read the contents of a mailbox. If you want the external access to be able to read the inbox of any end-user, then a nightly scheduled task can explicitly grant full-mailbox permission to all mailboxes except for the 5 VIP users, because there is already an implicit deny for all admins on the 5 VIP mailboxes. I would not recommend doing this as it should be exceptionally rare when a helpdesk user needs to read the contents of someone’s mailbox. You can consider having them escalate to the internal helpdesk when this need occurs and then it can be controlled.

The external helpdesk would manage Exchange by logging in directly to the ECP here:
https://outlook.office365.com/ecp

This is great – but what if you need your external helpdesk to add or remove O365 licenses? No problem – you can grant them the “User Management Role” in the O365 Admin Portal. This is a great role because it does not have any corresponding role mapping in Exchange Online. So you won’t be giving them any additional privs on mailboxes with this role.

The “User Management Role” in the O365 Admin portal is also how you would allow your external helpdesk to create a mailbox. This is because by simply assigning an Exchange Online license to a user – this is the actual step that does the mailbox creation.

One of my colleagues recommends this SaaS provider “delegate365.com” that can also create exclusive management scopes for you without you having to be an Exchange expert to set this all up. For example, you would just have your external helpdesk logon to delegate365.com to access some but not all of your users. They offer a 30 day free trial that you can use to evaluate whether it would meet your specific needs.

How to use the Workload-specific roles for delegated administration of Office 365

Many customers would like to reduce the number of Office 365 Global Admins to a small handful, while granting service specific admin roles to designated administrators.

Workload-specific admin roles began rolling out on June 11th, 2015 and provide more flexibility to organizations that want to structure admin access to Exchange Admin Center, SharePoint Admin Center, and Skype for Business Admin Center. For example, an Exchange admin will no longer require Office 365 global admin rights to manage Exchange Online. You can now give your SharePoint admin the ability to manage SharePoint site collections without giving them rights over your Exchange environment.

I’m going to grant John Doe the Limited Admin role of Exchange Administrator.

In addition to being an Exchange Administrator, John will also have the ability to perform six tasks in the Office 365 Admin portal:

View organization and user information
Manage support tickets
View users and roles
View user licenses
View service health and message center posts
Manage reporting

Limiting Access to Executive Mailboxes

Now, let’s assume a company wants to grant Exchange Administrators access to all mailboxes except a group of VIP users. In this case, you should not grant the user the limited role of Exchange Administrator, because that would give them too much access (Organizational Administration – the highest rights within Exchange). Instead of granting them rights within the Office 365 Admin Portal, you should instead create a role in the Exchange Admin center such as “View-Only Organization Management” and then grant them full mailbox access on all users except for the VIP users. This script could be scheduled to run as a scheduled task so that these limited admins would be granted access to new employees (or you would update the new employee onboarding account creation process to grant these admins full mailbox access to the new employees).

For these limited admins, they will not logon to the Office 365 Admin center (portal.office.com) but instead they will logon directly to the Exchange Online Control Panel at https://outlook.office365.com/ecp

June 2015 Office 2016 Update Breaks OneNote

After applying the June update to Office 2016 (Preview) 16.0.4201.1002, my OneNote notebooks would not open. The error message was that there were no accounts associated with an active Office 365 subscription. This was a bogus error because all my other Office Applications worked fine, and it only affected OneNote. I deactivated Office from the Portal, and then re-activated it – with no improvement.

The fix was to go into Control Panel and launch an Office Repair (The Online Option, not the Quick Repair).

ADFS behind Websense or Bluecoat causes CRL check to fail

Scenario: You configure a relying party trust in ADFS for SSO. ADFS event logs show this error: “The encryption certificate of the relying part trust … is not valid. It might indicate that the certificate has been revoked, expired, or that the certificate chain is not trusted.”

After verifying that the certificate chain is valid the next thing to check is whether the ADFS server can make an outbound port 80 call to the HTTP path defined in the relying part trust’s SSL certificate for the Certificate Revocation List (CRL).

The easiest thing to do is browse to the internet from the ADFS server to make sure outbound port 80 is open.

But if the ADFS server sits behind a proxy server, then the winhttp service will not automatically inherit the proxy server settings from Internet Explorer.

You can configure the winhttp service to use the proxy server. Run this on the ADFS server in an elevated CMD session:

netsh winhttp import proxy source=ie

https://social.technet.microsoft.com/Forums/windowsserver/en-US/47345c69-7b68-4f09-907e-43ed2805cac0/adfs-30-signing-certificate-crl-check-with-http-proxy-to-the-internet?forum=Geneva

The above article also says you can disable ADFS from performing a CRL check, but this should only be used for troubleshooting, because CRL checking is a good idea for security (what if the certificate was compromised?).
Set-AdfsClaimsProviderTrust -TargetName “<IDP name>” -SigningCertificateRevocationCheck None

What I learned at the Microsoft Ignite Conference (Chicago 2015)

The 2015 Microsoft Ignite Conference (May 4 – 8) was held in Chicago and included over 1,000 sessions on a range of Microsoft technologies. The conference sessions and focused intent seemed to me to be predominately focused on the new “Cloud First” and “Mobile First” mission statement for Microsoft.

Historically, Microsoft uses events like Ignite to announce new products and features, so it is always an exciting time for IT Pro’s and customers alike.

I was fortunate enough to attend several of the sessions on Azure and Office 365, and I’m eager to share some of the highlights here. This is not intended to be an exhaustive or comprehensive list of what was unveiled, but rather, just my own individual experience and take-aways. I plan on watching several sessions that I missed – and you can too (see ‘Catching Up’ at the bottom of this blog post).

For Julia White’s (General Manager of O365 Marketing) overview of Ignite, I recommend reading her blog post (here). Jennifer Marsman also wrote a great recap of the Build conference (here).

Azure Stack

Azure Stack is the private cloud version of what is known as Azure today. There was some initial confusion at the conference on whether this was a replacement for Azure Pack. When I spoke to the product managers at Microsoft, they said if customers are happy with their existing Azure Pack, that’s great, keep using it. But for those customers who want the same exact code as what is running in the Public Cloud, then Azure Stack is for them. Azure Pack relied upon System Center whereas Azure Stack will not. I would not be too shocked if Azure Pack is shelved because there appears to be clear overlap between these two private cloud offerings.

Azure Stack is scheduled for GA in H2 2015. When Azure Stack is released, it will not have all 48+ of the features in the public version of Azure, but it will have Compute and a few others.

Azure

Azure now has datacenters in more locations than Google and AWS combined
Venkat Gattamneni posted that Azure shines bright at Ignite! that “…in the last 12 months, we’re proud to have added over 500 features and services to the platform.”
Azure Resource Manager will allow you to deploy Gallery templates to both Azure Stack and Azure IaaS Public Cloud.
In his blog post, Corey Sanders goes into lots of detail about ARM, templates etc. He says “This new template language will enable you to easily stitch together VMs, Virtual Networks, Storage Accounts, NICs, Load-balancers, and other PaaS services, like App Service and SQL Databases, in a single coherent application model.”
The construction of a .JSON file is all that is required. Azure Resource Manager enables you to build and manage large scale applications in an agile and repeatable manner. Complex networking infrastructures can now be composed using simple JSON templates. Azure Resource Manager enables additional capabilities such as Role Based Access Control (RBAC), tagging of resources, and advanced auditing for resource usage. The significant change that ARM introduces is that when creating a VM in ARM mode, there is no dependency upon a cloud service. This enables ARM to spin up thousands of VM’s without the previous limitation that a cloud service imposed on a VM. For example, previously you could only deploy 50 virtual machines in a cloud service. So now, with a .JSON file, you can spin up 100 VM’s without the limitation of a cloud service holding you back.
DNS as a Service. Think GTM (Global Traffic Management) in the Cloud. Azure DNS uses anycast networking, so that each DNS query is answered by the closest available DNS server. The only drawback is there is no GUI interface (yet) – just PowerShell management for now. 50 cents per DNS zone and 20 cents per million DNS queries.
Azure Cloud Service now supports multiple VIP’s
Several security enhancements: Host Guardian Service, Virtual Secure Mode, and Shielded VM: This is a virtualized vTPM module to support the encryption of guest virtual machines. Requires TPM 2.0.
Several network enhancements, ex: User defined routes, IP Forwarding, Floating Nics, ExpressRoute Premium Add-on. This add-on enables up to 10,000 BGP routes. Once your traffic enters an ExpressRoute meet-me site, you can reach ANY Azure region across the globe. Reserved IP addresses can now be moved between services. This supports scenarios where you want to quickly move an external IP between VMs.
Azure VPN gateway now supports Site-to-Site VPN and ExpressRoute coexistence.
For additional details: http://azure.microsoft.com/blog/2015/05/05/new-networking-capabilities-for-a-consistent-connected-and-hybrid-cloud/
I learned that the Azure AD Proxy connector supports multiple connectors for automatic load balancing. On the roadmap is the ability to pin a particular app to a connector.
Azure Data Lake is “A hyper scale repository for big data analytic workloads.” See “What’s a Data Lake?” And check out Introducing Azure Data Lake for more info and to sign up to get notified when a preview is available. You might also watch this 3 minute video.
The public preview of client-side encryption in the Azure Storage client library for .NET. You can use client-side encryption to encrypt blob data, table data (you select the properties to encrypt), and queue messages. Client-side encryption also integrates with Azure Key Vault and allows for integrating with other key management systems if you prefer. client-side encryption blog post
Import/Export now also supports up to 6 TB hard drives. Click (here) for more information.
Azure Site Recovery enables customers to deploy application-aware availability on demand solutions. Azure Site Recovery solutions have been tested and are now supported for SharePoint, Dynamics AX, Exchange 2013, Remote Desktop Services, SQL Server, IIS applications and System Center family like Operations Manager. Read all the details in Abhishek Agrawal’s blog post
The Cloud Application Discovery feature is now Generally Available and integrated into the Azure preview portal. This tool can help identify ‘shadow IT’ where users are using 3rd party SaaS apps like DropBox without letting IT know about it. You get started by adding “Azure AD Cloud App Discovery” in the new Azure portal. You must first have an Azure AD Premium license assigned before you can use this tool. Cloud App Discovery enables you to:
- Discover cloud applications in use within your organization
- Identify which users in your organization are using an application
- Export data so you can analyze it offline in other tools
- Prioritize applications to bring under IT control, with single sign-on and user management.

Office 365

Equinix, AT&T, and BT will be the first MPLS carriers to enable connectivity between Office 365 and on-premises network (coming) Q3 2015. This enables end-to-end QoS which is particularly helpful when considering the Skype for Business Online (Formerly Lync Online) capabilities coming in September that will enable PSTN (dial tone) for outbound and inbound enterprise voice phone calls in the Cloud.
Sway is now part of Office 365. See this blog post for more information.
Office Delve organizational analytics. Provides an interactive dashboard for teams and individuals to identify key trends across employee engagement, team connections and even views like work life balance
Significant improvements in Office 365 Video management are coming. Admins will have the ability to remove or manage posted videos. Ability to share externally is coming too.
Significant improvements in Office 365 Groups management are coming (naming conventions, etc). A mobile app for Groups is coming.
Riverbed WAN optimization appliances can de-dupe Exchange Online traffic and SharePoint Online traffic by having your internal CA issue a certificate to masquerade as Outlook.com or Sharepoint.com. 90% traffic reduction in Exchange Online traffic! Downloading a 20 megabyte file from SharePoint Online would normally take ~60 seconds whereas with Riverbed it is 33x faster.
There is a new compliance center for Office 365 coming that will allow you to create one DLP policy that will then apply to SharePoint Online, OneDrive, Exchange and also the Office 2016 clients. For example, you can be in an Excel worksheet and type in a credit card number and you will get a policy tip notification that it is a violation of policy to have credit card data in Excel. Interesting!
There is a new Knowledge Management Portal for Office 365. Delve Boards are the building blocks. “Add to board” button will be added everywhere throughout Office 365.
This doesn’t belong in this category, but SharePoint 2010 farms will not have a direct upgrade path to SharePoint 2016. They will have to be upgraded to 2013 first (double-hop migration).
Modern Authentication for Office 2013 clients. http://channel9.msdn.com/Events/Ignite/2015/BRK3136

Exchange 2016

Architecture. CAS Role goes away. http://blogs.technet.com/b/exchange/archive/2015/05/05/exchange-server-2016-architecture.aspx
Deploying 2016
Exchange Server is now supported in Azure IaaS on Azure premium storage. Why anyone would do this… is for another blog post.
OAUTH now has a wizard in Exchange 2013 and 2016. This enables cross-premises Discovery and MRM. Also, cross-premises free/busy will attempt to use OAUTH first before the MSFT Federation Gateway, so it is a good idea to use OAUTH when possible. Why not?

Skype for Business

Broadcast Meetings up to 10,000 participants (up from 250 in Lync Online)
IIS ARR servers can be configured for Edge Caching – this enables users to view the skype broadcast meeting from the local cache rather than hammering the internet egress.
Call Quality Dashboard is available for download. Offers aggregated call quality information for on-premise deployments. In addition to a set of system reports that will be created as part of the install to help you view and diagnose network infrastructure issues affecting call quality, you will also be able to quickly and easily create additional reports tailored to your needs.
http://www.microsoft.com/en-us/download/details.aspx?id=46916
To get the new Skype directory to appear, you need to remove the previously configured Skype Public Provider.
See this article for more information: Enabling Skype Federation with Skype for Business Server or Skype for Business Online

Microsoft Operations Management Suite (OMS)

Click (here) for more details.
Includes Security Threat Analysis

Windows 10

Cortana is connected to PowerBI in the Windows 10 start menu
Device Guard in Windows 10
Windows Update for Business

Devops

Docker. Microsoft’s New Windows Server Containers (New Product)

In this session, we cover what containers are, what makes them such an exciting technology, how they will work in Windows Server, and how Docker will integrate with them.
Windows Nano Server

Nano Server: The Future of Windows Server Starts Now (New Product)

Nano server is a tiny version of Windows Server. Remember Windows Server Core? It’s like that but is 20x times smaller, hence the name “Nano.” In the demo I saw, the whole server consumed only 128 MB of Ram, and only 500 MB of hard disk space. Wow! From what I can tell, it is only managed externally through WMI or PowerShell, so there is no GUI or security logon inside of it.

Windows Nano Server was previously announced in April, but there were several more sessions on it at Ignite. Nano Server is best understood in the context of DevOps and the containerization of Docker. From what I can tell, Nano has little use outside of a development strategy that includes containerization (aka Docker).

Catching Up

All the ignite sessions and PPT presentations are available at Channel9 and here.

Vlad Catrinescu (MVP) posted a powershell script on Technet that allows you to download all the Ignite Videos and presentations. Or if you don’t have 300GB of disk space, you can also create a filter to just download the content you want, ex:

.\downloadignitevideosandslidesv4.ps1 -keyword “SharePoint,Azure,System Center
https://gallery.technet.microsoft.com/all-the-Ignite-Videos-and-b952f5ac

Read my LinkedIN post “Suggestions for staying on top of technology trends”

Random Insights

There are lots of changes coming to SCOM, SCCM and Intune but I didn’t get a chance to watch those sessions yet.
A SQL 2016 table can stretch between the cloud and on-premises. Interesting! This is called Azure SQL Elastic Database. http://azure.microsoft.com/en-us/documentation/articles/sql-database-elastic-pool/
Microsoft Data Management Gateway enables cloud access for on-premises data sources within your organization. Enables PowerBI to be able to query on-prem data sources.
http://www.microsoft.com/en-us/download/details.aspx?id=39717

Reviewing Office 365’s MDM Capabilities

Exchange and Exchange Online have had decent mobile management capabilities through ActiveSync policies prior to the March 30th 2015 announcement of new MDM capabilities for Office 365. For example, using Activesync you could require a pin to unlock a smartphone after a period of inactivity, wipe a device, and a few other options. You could automatically quarantine new devices that attempted to connect to ActiveSync.

This blog post is a review of the newly announced MDM capabilities in O365.

Conditional Access—You can set up security policies on devices that connect to Office 365 to ensure that Office 365 corporate email and documents can be accessed only on phones and tablets that are managed by your company and are compliant. Behind the scenes, Office 365 leverages Microsoft Intune and the Microsoft Azure Active Directory to deliver this capability. The Conditional Access policies apply to Office applications such as Word, Excel, PowerPoint and other business applications—making management easier for admins while ensuring users can securely work with their preferred productivity applications.
Device management—You can set and manage security policies such as device-level pin lock and jailbreak detection to help prevent unauthorized users from accessing corporate email and data on a device when it is lost or stolen. Additional settings and rich reporting are also available within the Office 365 admin center so you can gain critical insights about devices accessing your corporate data.
Selective wipe—You can easily remove Office 365 company data from an employee’s device while leaving their personal data in place. This is an increasingly important requirement as more businesses adopt a “bring your own device” (BYOD) approach to phones and tablets.

Requirements

You can use MDM for Office 365 to manage many types of mobile devices like Windows Phone 8.1, Android version 4+, iOS devices running version 6+. Management of BlackBerry devices isn’t supported by Mobile Device Management for Office 365, but you can still use the free BlackBerry Business Cloud Services (BBCS) from BlackBerry to manage BlackBerry devices.

To manage mobile devices used by people in your organization, each person must have an applicable Office 365 license and their device must be enrolled in MDM for Office 365.

How it works

The following diagram shows what happens when a user with a new device signs in to an app that supports access control with MDM for Office 365. The user is blocked from accessing Office 365 resources in the app until they enroll their device.

Policies and access rules created in MDM for Office 365 will override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center.

Getting Started

You first need to Activate MDM for your Office 365 Tenant. As of 4/17/2015 – this has not been rolled out to all tenants. You’ll know when your tenant has this capability when you are able to go to Office 365 admin center > Mobile Devices, and then select Get started to kick off the activation process. It may take some time before the service is ready. When it’s done, you’ll see the new Mobile Device Management for Office 365 page.

Update: As of 5/20/15, MDM is starting to appear in Office 365 tenants. Check out Sean McNeil’s blog posts on this topic for a walkthrough:

office365evangelist.com/?p=2487 and office365evangelist.com/?p=2502

Want More?

Microsoft Intune, part of the Microsoft Enterprise Mobility Suite, provides additional capabilities including the ability to restrict the cut, copy, paste and save as functions in the Office Mobile and OneDrive for Business applications.

Intune also provides the ability to provision and manage certificates, Wi-Fi, VPN (device and app-specific), and email profiles automatically for devices that enroll, enabling users to access corporate resources with the appropriate security configurations.

Management Capabilities

The Office 365 MDM management capabilities include the following:

Wipe an entire device or Selectively wipe Corporate Data while leaving personal data intact
Block unsupported devices from accessing Exchange email using Exchange ActiveSync
Configure device policies like mobile device password requirements and security settingsView list of blocked devices
View what policies have been applied to a device
Unblock noncompliant or unsupported device for a user or group of users
Generate detailed report to see devices that are not compliant

Summary

The new Office 365 MDM capabilities allow you to manage the “Office Mobile”, “OneDrive for Business” and Exchange Activesync features by requiring a device to be enrolled and compliant with policies.

References:
Overview built-in Mobile Device Management for Office 365

Choose between Microsoft Intune and Built-in MDM for Office 365

The Cloud Technologist

Joe Stocker is the CEO of Patriot Consulting, a Microsoft Partner specializing in Microsoft Cybersecurity