This post is for Students who attend the M20347 or other Office 365 courses and anyone else who is interested
General / Misc stuff:
Myth busting office 365 ebook. Download Here
http://o365info.com/disable-access-to-service/
http://o365datacentermap.azurewebsites.net/
Find out what’s coming to Office 365 soon (Roadmap):
https://fasttrack.microsoft.com/roadmap
DNS:
To test your records are correct remember to use: https://testconnectivity.microsoft.com/
Limitations of the platform:
https://technet.microsoft.com/en-GB/library/exchange-online-limits.aspx
Legal Sector:
https://www.microsoft.com/en-us/legal/productivity/mattercenter.aspx
Important note in regards to IP Based Filtering:
“Microsoft Office 365 relies on third-party content caching engines to achieve good performance and response times. The types of content cached with these third parties are non-SSL resources, such as the images downloaded to draw the Outlook Web App user interface. As stated above, it’s possible and supported to use IP-based filtering for the SSL content downloaded from Office 365 and for the Office 365 end-points that make in-bound calls to an on-premises environment. However, it isn’t possible or supported to use IP-based filtering for the non-SSL resources hosted on third-party content caching engines. To express filtering rules that allow those non-SSL resources to be downloaded to clients on your intranet, you need to use hostname-based filtering (as opposed to IP-based filtering). This is because the IPs used by the third-party content caching engines change frequently in a manner which makes it impractical to track each individual IP change. Allow the following hostnames for these non-SSL resources:
r3.res.outlook.com
r4.res.outlook.com
prod.msocdn.com”
For more reading and understanding here is the technet blog URL
What is Delve?
http://en.share-gate.com/blog/office-365-delve-blogs-explained
What are Microsoft Teams?
https://www.youtube.com/watch?v=tAqAtI6K7NY
Which Blogs should you use?:
- Steve Goodman’s Exchange & Office 365 Blog
- Office 365 Evangelist
- Office 365 Technical Support Blog
- Jesper Stahle’s Notes From the Field
- The Cloud Mouth
- Rene Modery
- Webster
- J-Solutions Blog
- CIAOPS
- Brendon Ford
- Office 365 Answers
- Mike Crowley’s Whiteboard
- Mike Pfeiffer
- Glen’s Exchange Development Blog
- Mary Jo Foley ZDnet
- Nuno Silva Office 365 Blog
- The UC Guy- Notes on Exchange, Office 365, and Lync
- Greg Plum – Office 365: Voice Options/Channel Choices
Random:
- Lync Quick Reference Guide
- SharePoint Quick Reference Guide
- Office 365 Quick Start Guide
- Office 365 Quick Reference Guide
- Office 365 On Apple Devices Quick Reference Guide
- Why Microsoft
- Office 365 Deployment Guide
- Office 365 ROI Tool
- Office 365 System Requirements
- Office 365 for Business FAQ
- Using PowerShell to Manage Office 365
- Office 365 Marketplace
- Office 365 for Business Roadmap
- Office 365 Service Descriptions
- Office 365 Customer Success Center
- Office 365 Groups
- Office 365 Wiki
- Office 365 URLs and IP Address Ranges
- Microsoft Exchange Server Made Easy
- Microsoft Planner
Service Descriptions:
https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx
https://technet.microsoft.com/en-GB/library/office-365-plan-options.aspx
Check out the Service Comparisons too:
Office 365 Service Comparison Spreadsheet
PowerShell:
https://www.groupware-migration.com/en/knowledge-base/connect-to-office-365-with-powershell.html
Setting up PowerShell:
Install required software
These steps are required once on your computer, not every time you connect. However, you’ll likely need to install newer versions of the software periodically.
- Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.
- Install the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell: Windows Azure Active Directory Module for Windows PowerShell (64-bit version).
Awesome site for command:
Useful Commands:
Capture administrative credential for future connections.
$credential = get-credential
Imports the installed Azure Active Directory module.
Import-Module MSOnline
Establishes Online Services connection to Azure Active Directory.
Connect-MsolService -Credential $credential
Imports the installed Skype for Business Online services module.
Import-Module LyncOnlineConnector
Create a Skype for Business PowerShell session using defined credential.
$lyncSession = New-CsOnlineSession -Credential $credential
Imports Skype for Business session commands into your local Windows PowerShell session.
Import-PSSession $lyncSession
Imports SharePoint Online session commands into your local Windows PowerShell session.
Import-Module Microsoft.Online.Sharepoint.PowerShell
This connects you to your SharePoint Online services. Replace ‘tennantid’ in the URL with the name of your SharePoint Online tenant.
Connect-SPOService -url https://tennantid-admin.sharepoint.com -Credential $credential
Creates an Exchange Online session using defined credential.
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
This imports the Office 365 session into your active Shell.
Import-PSSession $ExchangeSession
Adding and Managing Users in PowerShell:
Use the Get-MsolUser command to get an overview of all users in Azure Active Directory:
And use the Get-MsolAccountSku command to see what license is available:
When creating a new user in Azure Active Directory you can use the New-MsolUser command, combined with the results of the Get-MsolAccountSku command for the license information. You can use the –LicenseAssignment and –UsageLocation options to assign a proper license.
New-MsolUser -UserPrincipalName bob@gk365.co.uk -FirstName Bob -LastName Builder -DisplayName 'Bob Builder' -Password 'Pa$$w0rd' -ForceChangePassword:$TRUE -LicenseAssignment "gk365london:ENTERPRISEPACK" -UsageLocation GB
The –ForceChangePassword option ensures the user changes his password the first time he logs on, either to the Online Portal or to OWA. The -BlockCredential $true option is optional and creates a disabled or blocked account in Azure Active Directory.
It is also possible to create multiple users in Azure Active Directory from a CSV file. For example when using the following CSV file:
You can use a PowerShell command similar to this:
# Create one account per CSV row (columns: UserName, FirstName, LastName, DisplayName)
$Users = Import-Csv e:\users.csv
ForEach ($User in $Users) {
    New-MsolUser -UserPrincipalName $User.UserName -FirstName $User.FirstName -LastName $User.LastName -DisplayName $User.DisplayName -Password 'Pa$$w0rd' -ForceChangePassword:$TRUE -LicenseAssignment "gk365london:ENTERPRISEPACK" -UsageLocation GB
}
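As an added example (not part of the original post), the same bulk import with a separate random initial password per account instead of one shared literal. The CSV rows, the helper names `New-InitialPassword` and `New-UsersFromCsv`, the 16-character length and the `-Commit` switch are assumptions made for illustration.

```powershell
# Added example. Column names follow the loop above; the rows are constructed samples.
$Rows = @'
UserName,FirstName,LastName,DisplayName
alice@gk365.co.uk,Alice,Example,Alice Example
,Broken,Row,Broken Row
carol@gk365.co.uk,Carol,Example,Carol Example
'@ | ConvertFrom-Csv

function New-InitialPassword {
    # Hypothetical helper: password drawn from a cryptographic RNG with at least
    # one lower-case, upper-case, digit and symbol character.
    param([int] $Length = 16)
    $classes = 'abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%*+=?@'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $next = {
        param([int] $Max)   # random index in 0..Max-1
        $bytes = New-Object byte[] 4
        $rng.GetBytes($bytes)
        [int]([System.BitConverter]::ToUInt32($bytes, 0) % $Max)
    }
    $all = -join $classes
    $chars = @($classes | ForEach-Object { $_[(& $next $_.Length)] })
    $chars += 1..($Length - $classes.Count) | ForEach-Object { $all[(& $next $all.Length)] }
    # Shuffle so the guaranteed characters are not always in the first four positions.
    -join ($chars | Sort-Object { & $next 1000000 })
}

function New-UsersFromCsv {
    # -Commit is a hypothetical safety switch: without it nothing is sent to the tenant.
    param([object[]] $Rows, [string] $Sku, [string] $UsageLocation, [switch] $Commit)
    foreach ($row in $Rows) {
        if ([string]::IsNullOrWhiteSpace($row.UserName)) {
            Write-Warning "Skipping row without UserName ($($row.DisplayName))"
            continue
        }
        $password = New-InitialPassword
        if ($Commit) {
            $params = @{
                UserPrincipalName   = $row.UserName
                FirstName           = $row.FirstName
                LastName            = $row.LastName
                DisplayName         = $row.DisplayName
                Password            = $password
                ForceChangePassword = $true
                LicenseAssignment   = $Sku
                UsageLocation       = $UsageLocation
            }
            New-MsolUser @params | Out-Null
        }
        # Return the one-time password to the caller; hand it over out of band.
        [pscustomobject]@{
            UserPrincipalName = $row.UserName
            InitialPassword   = $password
            Created           = $Commit.IsPresent
        }
    }
}

# Dry run on the sample rows; add -Commit after Connect-MsolService to create the accounts.
New-UsersFromCsv -Rows $Rows -Sku 'gk365london:ENTERPRISEPACK' -UsageLocation GB
```

The returned objects contain plaintext one-time passwords, so keep them in memory or a protected store rather than writing them next to the CSV.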
Change licenses using PowerShell
To add, remove or change a license for a specific user you can use the Set-MsolUserLicense command which accepts the –AddLicenses and –RemoveLicenses options. For example, to add a license to a user named Paul@office365labs.nl you can use a command like this:
Set-MsolUserLicense -UserPrincipalName joe@gk365.co.uk -AddLicenses "gk365london:ENTERPRISEPACK"
Or remove a license from a user:
Set-MsolUserLicense -UserPrincipalName joe@gk365.co.uk -RemoveLicenses "gk365london:ENTERPRISEPACK"
You can also combine the –AddLicenses and –RemoveLicenses options to replace a license, for example:
Set-MsolUserLicense -UserPrincipalName joe@gk365.co.uk -RemoveLicenses "gk365london:ENTERPRISEPACK" -AddLicenses <other license>
It is also possible to use only specific Service Plans in a subscription. For example, you can use the Get-MsolAccountSku command to retrieve the individual service plans:
Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "ENTERPRISEPACK"} | ForEach {$_.ServiceStatus}
If you want to disable Yammer, Rights Management Server, Office Web Apps and SharePoint Enterprise you can use the following commands:
# Build a license option set with the unwanted service plans disabled, then apply it to the user
$Options = New-MsolLicenseOptions -AccountSkuId gk365london:ENTERPRISEPACK -DisabledPlans YAMMER_ENTERPRISE,RMS_S_ENTERPRISE,SHAREPOINTWAC,SHAREPOINTENTERPRISE
Set-MsolUserLicense -UserPrincipalName joe@gk365.co.uk -LicenseOptions $Options
Be careful with removing licenses. When you do, the data stored in the accompanying application will be deleted as well!
Block Users using PowerShell
When a user leaves the organization it is not uncommon to block his user account. You can use the Set-MsolUser command with the –BlockCredential option, like this:
Set-MsolUser -UserPrincipalName joe@gk365.co.uk -BlockCredential $true
To enable the account again, just change the –BlockCredential option to $false, like this:
Set-MsolUser -UserPrincipalName joe@gk365.co.uk -BlockCredential $false
Remove Users using PowerShell
Removing users from Azure Active Directory is just a matter of using the Remove-MsolUser command with the –UserPrincipalName option. The –Force option suppresses the confirmation that normally follows a Remove PowerShell command, for example:
Remove-MsolUser -UserPrincipalName joe@gk365.co.uk -Force
Clearly visible in the following figure is the confirmation message when the –Force option is omitted:
When users are deleted, they are not permanently deleted but they are stored in the Azure Active Directory recycle bin where they stay for another 30 days. Only then they are (automatically) permanently deleted. You can use the –RemoveFromRecycleBin option with the Remove-MsolUser command to remove the user account permanently, without temporarily storing them in the recycle bin.
Please be aware that when you remove a user account the user’s data is also deleted!
- Disabling an account does not necessarily remove access to the mailbox immediately
- Deleting an account will mark the mailbox for deletion unless other action is taken!
Restore Users from Recycle Bin
As explained above users are stored in the recycle bin when they are deleted using the Remove-MsolUser command. To get a list of all users that are located in the recycle bin you can use the Get-MsolUser command with the –ReturnDeletedUsers option, like this:
Get-MsolUser -ReturnDeletedUsers
As shown in the following figure:
To restore a user joe@gk365.co.uk from the recycle bin, you can use the Restore-MsolUser command with the –UserPrincipalName, like this:
Restore-MsolUser -UserPrincipalName joe@gk365.co.uk
Managing Passwords and Password Policy using PowerShell
It is not uncommon for an administrator to change a user’s password, and in an Office 365 environment this is no different. To reset a user’s password using PowerShell you can use the Set-MsolUserPassword command with the –UserPrincipalName and –NewPassword options, for example:
Set-MsolUserPassword -UserPrincipalName joe@gk365.co.uk -NewPassword 'Pa$$w0rd' -ForceChangePassword $TRUE
The –ForceChangePassword will make sure the user changes his password after the first logon to Office 365.
By default a user’s password in Azure Active Directory expires every 90 days with a 14 days notification interval. To change the password policy you can use the Set-MsolPasswordPolicy with the –DomainName, -ValidityPeriod and the –NotificationDays options, like this:
Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14 -DomainName gk365.co.uk
The ValidityPeriod determines the time the password can be used and this can range from 14 days to 730 days (2 years). The NotificationDays is the number of days a user gets a notification before the password expires. This can range from 1 day to 30 days.
To set a user’s password to never expire (which is not a best practice, but can be very useful for Service Account passwords, for example when setting up Directory Synchronization) you can use the Set-MsolUser command, for example:
Set-MsolUser -UserPrincipalName ADConnect@gk365.co.uk -PasswordNeverExpires $true
For more information you can check the Manage Azure AD users on TechNet: https://msdn.microsoft.com/en-us/library/azure/dn919674.aspx
Set password to never expire for an Office 365 user:
Set-MsolUser -UserPrincipalName <UserPrincipalName> -PasswordNeverExpires $True
Disable the password-never-expires option for an Office 365 user:
Set-MsolUser -UserPrincipalName <UserPrincipalName> -PasswordNeverExpires $False
Set password to never expire for ALL Office 365 users (Bulk Mode):
Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $True
Display password settings for all Office 365 users:
Get-MsolUser -All | Select UserPrincipalName,PasswordNeverExpires
Display information about the Office 365 password policy:
Get-MsolPasswordPolicy -DomainName <Domain Name>
Managing Administrative Roles using PowerShell
| Office 365 admin center role name | Windows PowerShell role name | Role tasks |
| --- | --- | --- |
| Global administrator | Company administrator | Perform all administrative tasks |
| Billing administrator | Billing administrator | Make purchases, manage subscriptions, manage support tickets, and monitor service health |
| Password administrator | Helpdesk administrator | Change and reset passwords, manage service requests, and monitor service health |
| Service administrator | Service support administrator | Manage service requests and monitor service health |
| User management administrator | User account administrator | Create and delete users and groups, reset passwords, manage service requests, and monitor service health |
To assign a role in PowerShell use the following command:
Add-MsolRoleMember -RoleMemberEmailAddress <UPN Address> -RoleName <FromListAbove>
To view who is a member of a role:
# Resolve the role by name first, then list its members by ObjectId
$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId
The role has to be looked up by its RoleName because the ObjectID for “Company Administrator” is unique to every Office 365 tenant.
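As an added example (not part of the original post), a review script that walks every role with the commands above and flags the account settings this page warns about: a password set to never expire, and a blocked account that still holds a role. The function names, the `-MaxGlobalAdmins` threshold and the sample records are assumptions made for illustration.

```powershell
# Added example. Get-AdminRoleMember needs a Connect-MsolService session;
# Find-AdminRisk only inspects the objects it is given.
function Get-AdminRoleMember {
    foreach ($role in (Get-MsolRole)) {
        # Role ObjectIds differ per tenant, so resolve each one at run time.
        foreach ($member in (Get-MsolRoleMember -RoleObjectId $role.ObjectId -All)) {
            # Members that are not users return nothing here and are skipped.
            $user = Get-MsolUser -ObjectId $member.ObjectId -ErrorAction SilentlyContinue
            if (-not $user) { continue }
            [pscustomobject]@{
                Role                 = $role.Name
                UserPrincipalName    = $user.UserPrincipalName
                PasswordNeverExpires = [bool] $user.PasswordNeverExpires
                BlockCredential      = [bool] $user.BlockCredential
            }
        }
    }
}

function Find-AdminRisk {
    param(
        [Parameter(ValueFromPipeline)] $Member,
        [int] $MaxGlobalAdmins = 4   # assumed review threshold, not a platform limit
    )
    begin { $seen = @() }
    process {
        $seen += $Member
        if ($Member.PasswordNeverExpires) {
            [pscustomobject]@{ Subject = $Member.UserPrincipalName; Role = $Member.Role
                               Finding = 'Admin password never expires' }
        }
        if ($Member.BlockCredential) {
            [pscustomobject]@{ Subject = $Member.UserPrincipalName; Role = $Member.Role
                               Finding = 'Blocked account still holds an admin role' }
        }
    }
    end {
        $admins = @($seen | Where-Object { $_.Role -eq 'Company Administrator' } |
                    Select-Object -ExpandProperty UserPrincipalName -Unique)
        if ($admins.Count -gt $MaxGlobalAdmins) {
            [pscustomobject]@{ Subject = "$($admins.Count) accounts"; Role = 'Company Administrator'
                               Finding = "More than $MaxGlobalAdmins global administrators" }
        }
    }
}

# Constructed sample records in the shape Get-AdminRoleMember returns.
$sample = @(
    [pscustomobject]@{ Role = 'Company Administrator'; UserPrincipalName = 'admin@gk365.co.uk'
                       PasswordNeverExpires = $false; BlockCredential = $false }
    [pscustomobject]@{ Role = 'Company Administrator'; UserPrincipalName = 'ADConnect@gk365.co.uk'
                       PasswordNeverExpires = $true; BlockCredential = $false }
    [pscustomobject]@{ Role = 'Helpdesk Administrator'; UserPrincipalName = 'joe@gk365.co.uk'
                       PasswordNeverExpires = $false; BlockCredential = $true }
)
$sample | Find-AdminRisk -MaxGlobalAdmins 1 | Format-Table -AutoSize

# Against a live tenant: Get-AdminRoleMember | Find-AdminRisk
```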
Outline of Commands:
User:
| Command | Description |
| --- | --- |
| Convert-MsolFederatedUser | The Convert-MsolFederatedUser cmdlet is used to update a user in a domain that was recently converted from single sign-on (also known as identity federation) to standard authentication type. A new password must be provided for the user. |
| Get-MsolUser | The Get-MsolUser cmdlet can be used to retrieve an individual user, or list of users. An individual user will be retrieved if the ObjectId or UserPrincipalName parameter is used. |
| New-MsolUser | The New-MsolUser cmdlet is used to create a new user in Windows Azure AD. In order to give the user access to services, they must also be assigned a license (using the LicenseAssignment parameter). |
| Remove-MsolUser | The Remove-MsolUser cmdlet is used to remove a user from Windows Azure AD. This cmdlet will delete the user, their licenses, and any other associated data. |
| Restore-MsolUser | The Restore-MsolUser cmdlet restores a user that is in the Deleted users view to their original state. Users will remain in the Deleted users view for 30 days. |
| Set-MsolUser | The Set-MsolUser cmdlet is used to update a user object. Note that this cmdlet should be used for basic properties only. The licenses, password, and User Principal Name for a user can be updated through Set-MsolUserLicense, Set-MsolUserPassword and Set-MsolUserPrincipalName cmdlets respectively. |
| Set-MsolUserPassword | The Set-MsolUserPassword cmdlet is used to change the password of a user. This cmdlet can only be used for users with standard identities. |
| Set-MsolUserPrincipalName | The Set-MsolUserPrincipalName cmdlet is used to change the User Principal Name of a user. This cmdlet can be used to move a user between a federated and standard domain, which will result in their authentication type changing to that of the target domain. |
| Redo-MsolProvisionUser | The Redo-MsolProvisionUser cmdlet can be used to retry the provisioning of a user object in Windows Azure Active Directory when a previous attempt to create the user object resulted in a validation error. |
Group:
| Command | Description |
| --- | --- |
| Add-MsolGroupMember | The Add-MsolGroupMember cmdlet is used to add members to a security group. The new members can be either users or other security groups. |
| Get-MsolGroup | The Get-MsolGroup cmdlet is used to retrieve groups from Windows Azure AD. This cmdlet can be used to return a single group (if ObjectId is passed in), or to search within all groups. |
| Get-MsolGroupMember | The Get-MsolGroupMember cmdlet is used to retrieve members of the specified group. The members can be either users or groups. |
| New-MsolGroup | The New-MsolGroup cmdlet is used to add a new security group to Windows Azure AD. |
| Remove-MsolGroup | The Remove-MsolGroup cmdlet is used to delete a group from Windows Azure AD. |
| Remove-MsolGroupMember | The Remove-MsolGroupMember cmdlet is used to remove a member from a security group. This member can be either a user or a group. |
| Set-MsolGroup | The Set-MsolGroup cmdlet is used to update the properties of a security group. |
| Add-MsolRoleMember | The Add-MsolRoleMember cmdlet is used to add a member to a role. Currently, only users can be added to a role (adding a security group is not supported). |
| Get-MsolRole | The Get-MsolRole cmdlet can be used to retrieve a list of administrator roles. |
| Get-MsolUserRole | The Get-MsolUserRole cmdlet is used to retrieve all of the administrator roles that the specified user belongs to. This cmdlet will also return roles that the user is a member of through security group membership. |
| Get-MsolRoleMember | The Get-MsolRoleMember cmdlet is used to retrieve all members of the specified role. |
| Remove-MsolRoleMember | The Remove-MsolRoleMember cmdlet is used to remove a user from an administrator role. |
| Redo-MsolProvisionGroup | The Redo-MsolProvisionGroup cmdlet can be used to retry the provisioning of a group object in Windows Azure Active Directory when a previous attempt to create the group object resulted in a validation |
Exchange:
Free Product key for Exchange Hybrid:
http://www.garethjones294.com/exchange-hybrid-product-key-distribution-now-free/
Office 365 Data Import Service
IMAP / Staged / Cutover / Hybrid? Which one should I choose?
http://o365info.com/mail-migration-office-365-mail-migration-methods-part-14/
Hybrid & Migration Links:
https://jaapwesselius.com/2015/11/02/moving-mailboxes-in-a-hybrid-configuration-part-i/
http://www.peters.com/migrating-mailboxes-to-office-365/
Cross Premise Mailbox Permissions (Send As / On Behalf Of)
Office 365 Groups
http://www.alexpearce.tech/microsoft/office-365/prevent-users-from-creating-groups-in-office-365/
Misc Stuff:
http://o365info.com/manage-email-address-using-powershell/
http://blogs.technet.com/b/exchange/archive/2015/01/13/a-better-way-to-recover-a-mailbox.aspx
Skype for Business:
Broadcast:
https://skype4b.uk/2015/11/11/configuring-and-controlling-skype-broadcast-meetings-using-powershell/
PBX:
https://technet.microsoft.com/en-us/library/mt631190.aspx
https://technet.microsoft.com/en-gb/library/mt612869.aspx
PSTN Conferencing:
SharePoint:
Using Powershell to manage SharePoint Online:
http://www.garethjones294.com/using-powershell-to-manage-sharepoint-2013-online/
Important changes to the Storage for SharePoint:
Migrations:
OneDrive for Business:
https://support.cloudhq.net/migration-of-dropbox-for-business-accounts-to-office365/
Migrations
Managing access & other settings:
https://blogs.office.com/2015/07/16/new-it-management-controls-added-to-onedrive-for-business/
What to do when a user leaves the organisation:
RMS / IRM:
http://www.concurrency.com/blog/w/office-365-%E2%80%93-rms-irm-external-sharing
https://blogs.office.com/2015/05/21/analyze-office-365-data-with-equivio-zoom/
DirSync / AD Connect / ADFS:
AD Connect Articles:
Force replication with Azure Active Directory Connect (AAD Connect) (old Dirsync Start-OnlineCoe
Force AD Connect Synchronization – v1.1.105.0 onwards
Azure AD Connect Health Monitoring and Insights – Step by Step
Enabling and Disabling the AAD Connect Automatic Update / Upgrade Feature
ADFS Articles:
http://thinketg.com/adfs-3-0-logon-page-customization/
http://eimagine.com/adfs-3-0-logon-page-customization/
Deploy ADFS in Azure rather than on prem: https://technet.microsoft.com/library/dn509539.aspx
To change the UPN for ALL users in an OU or Domain:
Import-Module ActiveDirectory
# Select every user in the OU whose UPN uses the old suffix and swap the suffix
Get-ADUser -Filter {UserPrincipalName -like "*@corp.msft"} -SearchBase "OU=Test,DC=ad,DC=corp,DC=msft" |
ForEach-Object {
    $UPN = $_.UserPrincipalName.Replace("corp.msft","azurenutters.co.uk")
    Set-ADUser $_ -UserPrincipalName $UPN
}
Workflow on what to do when a user leaves the organisation:
Office 365 Pro Plus / Client:
Office 365 Configuration XML Editor (MUST USE!)
https://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html
Office 365 ProPlus and the Office Deployment Tool
https://www.petri.com/using-office-365-proplus-with-office-deployment-tool
Getting started guide for deploying Office 365 ProPlus
https://technet.microsoft.com/en-us/library/jj839718.aspx
Deploying Office 365 – Essential Info for every admin (note a couple of things are out of date, you do not need to use VL for Office on an RDS Server any longer!):
http://www.itninja.com/blog/view/deploying-office-365-essential-info-for-every-admin
Standard Info for deploying Office 365 Pro Plus:
https://technet.microsoft.com/en-us/library/jj219422(v=office.15).aspx
https://technet.microsoft.com/en-us/library/jj219426(v=office.15).aspx
Channels and Name Changes:
https://technet.microsoft.com/en-gb/library/mt455210.aspx
- New: Current Channel = Old: Current Branch
- New: First Release for Current Channel = Old: First Release for Current Branch
- New: Deferred Channel = Old: Current Branch for Business
- New: First Release for Deferred Channel = Old: First Release for Current Branch for Business
A collection of useful PowerShell scripts to make deploying Office 2016 and Office 365 ProPlus easier:
https://github.com/OfficeDev/Office-IT-Pro-Deployment-Scripts/wiki/Office-ProPlus-Deployment
Deploy via Group Policy:
http://c7solutions.com/2015/10/installing-office-2016-click-to-run-via-group-policy
Deploy Via Intune:
https://www.intunewithit.com/2016/04/27/deploy-office-365-proplus-via-intune/
Installing Office365 ProPlus on a RDS Server (Terminal Server) using Shared Computer Activation
Deploy via SCCM:
Telemetry:
https://technet.microsoft.com/en-us/library/jj219431.aspx