This post is for students who attend the M20347 or other Office 365 courses, and anyone else who is interested.

General / Misc stuff:

Myth busting office 365 ebook.  Download Here

http://o365info.com/disable-access-to-service/

http://o365datacentermap.azurewebsites.net/

Find out what’s coming to Office 365 soon (Roadmap):

https://fasttrack.microsoft.com/roadmap

DNS:

https://support.office.com/en-gb/article/Create-DNS-records-for-Office-365-at-any-DNS-hosting-provider-7b7b075d-79f9-4e37-8a9e-fb60c1d95166

https://support.office.com/en-gb/article/External-Domain-Name-System-records-for-Office-365-c0531a6f-9e25-4f2d-ad0e-a70bfef09ac0?ui=en-US&rs=en-GB&ad=GB

To test that your records are correct, remember to use: https://testconnectivity.microsoft.com/

Limitations of the platform:

https://technet.microsoft.com/en-GB/library/exchange-online-limits.aspx 

https://support.office.com/en-gb/article/SharePoint-Online-software-boundaries-and-limits-8f34ff47-b749-408b-abc0-b605e1f6d498

Legal Sector:

https://www.microsoft.com/en-us/legal/productivity/mattercenter.aspx 

Important note in regards to IP Based Filtering:

“Microsoft Office 365 relies on third-party content caching engines to achieve good performance and response times. The types of content cached with these third parties are non-SSL resources, such as the images downloaded to draw the Outlook Web App user interface. As stated above, it’s possible and supported to use IP-based filtering for the SSL content downloaded from Office 365 and for the Office 365 end-points that make in-bound calls to an on-premises environment. However, it isn’t possible or supported to use IP-based filtering for the non-SSL resources hosted on third-party content caching engines. To express filtering rules that allow those non-SSL resources to be downloaded to clients on your intranet, you need to use hostname-based filtering (as opposed to IP-based filtering). This is because the IPs used by the third-party content caching engines change frequently in a manner which makes it impractical to track each individual IP change. Allow the following hostnames for these non-SSL resources:

r3.res.outlook.com
r4.res.outlook.com
prod.msocdn.com”

For further reading, here is the TechNet blog post:

http://blogs.technet.com/b/exchange/archive/2013/12/02/office-365-url-based-filtering-is-just-better-and-easier-to-sustain.aspx

What is Delve?

http://en.share-gate.com/blog/office-365-delve-blogs-explained

What are Microsoft Teams?

https://www.youtube.com/watch?v=tAqAtI6K7NY

Which Blogs should you use?:

Random:

 

Service Descriptions:

https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx

https://technet.microsoft.com/en-GB/library/office-365-plan-options.aspx

Check out the Service Comparisons too:

Office 365 Service Comparison Spreadsheet

 

PowerShell:

https://www.groupware-migration.com/en/knowledge-base/connect-to-office-365-with-powershell.html

https://blogs.technet.microsoft.com/exchange/2016/10/06/tip-a-few-useful-powershell-scripts-for-exchange-and-office-365-admins/ 

https://support.office.com/en-gb/article/Managing-Office-365-and-Exchange-Online-with-Windows-PowerShell-06a743bb-ceb6-49a9-a61d-db4ffdf54fa6

Setting up PowerShell:

Install required software

These steps are required once on your computer, not every time you connect. However, you’ll likely need to install newer versions of the software periodically.

  1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.

  2. Install the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell: Windows Azure Active Directory Module for Windows PowerShell (64-bit version).

Awesome site for commands:

http://powershell.office.com/

Useful Commands:

Capture administrative credential for future connections.

$credential = get-credential

Imports the installed Azure Active Directory module.

Import-Module MSOnline

Establishes Online Services connection to Azure Active Directory.

Connect-MsolService -Credential $credential

Imports the installed Skype for Business Online services module.

Import-Module LyncOnlineConnector

Create a Skype for Business Powershell session using defined credential.

$lyncSession = New-CsOnlineSession -Credential $credential

Imports Skype for Business session commands into your local Windows PowerShell session.

Import-PSSession $lyncSession

Imports SharePoint Online session commands into your local Windows PowerShell session.

Import-Module Microsoft.Online.Sharepoint.PowerShell

This connects you to your SharePoint Online services. Substitute ‘tenantid’ in the URL with the name of your SharePoint Online tenant.

Connect-SPOService -Url https://tenantid-admin.sharepoint.com -Credential $credential

Creates an Exchange Online session using defined credential.

$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection

This imports the Office 365 session into your active Shell.

Import-PSSession $ExchangeSession

Adding and Managing Users in PowerShell:

Use the Get-MsolUser command to get an overview of all users in Azure Active Directory.

Use the Get-MsolAccountSku command to see which licenses are available.

When creating a new user in Azure Active Directory you can use the New-MsolUser command, combined with the results of the Get-MsolAccountSku command for the license information. You can use the –LicenseAssignment and –UsageLocation options to assign a proper license.

New-MsolUser -UserPrincipalName bob@gk365.co.uk -FirstName Bob -LastName Builder -DisplayName 'Bob Builder' -Password 'Pa$$w0rd' -ForceChangePassword:$TRUE -LicenseAssignment "gk365london:ENTERPRISEPACK" -UsageLocation GB

The -ForceChangePassword option ensures the user changes his password the first time he logs on, either to the Online Portal or to OWA. The -BlockCredential $true option is optional; it creates a disabled or blocked account in Azure Active Directory.

It is also possible to create multiple users in Azure Active Directory from a CSV file. For example, with a CSV file that has UserName, FirstName, LastName and DisplayName columns:

You can use a PowerShell command similar to this:

$Users = import-csv e:\users.csv

ForEach ($User in $Users) {New-MsolUser -UserPrincipalName $User.UserName -FirstName $User.FirstName -LastName $User.LastName -DisplayName $User.DisplayName -Password 'Pa$$w0rd' -ForceChangePassword:$TRUE -LicenseAssignment "gk365london:ENTERPRISEPACK" -UsageLocation GB}
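
The bulk command above gives every imported account the same known initial password. As an added example (not part of the original post), the loop below sets a separate random initial password per user instead; it assumes an existing Connect-MsolService session and the same CSV columns, and the helper names and the output path e:\initial-passwords.csv are made up for illustration.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService has already
# been run and that e:\users.csv has the UserName, FirstName, LastName and DisplayName
# columns used above. Get-RandomIndex, New-InitialPassword and the output path are
# hypothetical names chosen for this sketch.

$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

# Uniform random integer in 0..($Max - 1) from the OS CSPRNG. Rejection sampling
# avoids the modulo bias of a plain "$byte % $Max". $Max must be between 1 and 256.
function Get-RandomIndex {
    param([int]$Max)
    $limit = 256 - (256 % $Max)
    $buffer = New-Object byte[] 1
    do { $rng.GetBytes($buffer) } while ($buffer[0] -ge $limit)
    return $buffer[0] % $Max
}

# 16-character password with at least one character from each class.
# Look-alike characters (0/O, 1/l/I) are left out to reduce read-back errors.
function New-InitialPassword {
    param([int]$Length = 16)
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%*+-=?'
    $all = -join $classes
    $chars = New-Object 'System.Collections.Generic.List[char]'
    foreach ($set in $classes) { $chars.Add($set[(Get-RandomIndex $set.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-RandomIndex $all.Length)]) }
    # Fisher-Yates shuffle so the guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return (-join $chars.ToArray())
}

$Users = Import-Csv e:\users.csv

$created = foreach ($User in $Users) {
    $password = New-InitialPassword
    try {
        New-MsolUser -UserPrincipalName $User.UserName -FirstName $User.FirstName `
            -LastName $User.LastName -DisplayName $User.DisplayName `
            -Password $password -ForceChangePassword $true `
            -LicenseAssignment 'gk365london:ENTERPRISEPACK' -UsageLocation GB `
            -ErrorAction Stop | Out-Null
        # Only accounts that were really created end up in the hand-over list.
        [pscustomobject]@{ UserPrincipalName = $User.UserName; InitialPassword = $password }
    }
    catch {
        Write-Warning "Could not create $($User.UserName): $($_.Exception.Message)"
    }
}

# The file holds live credentials: hand each password over out of band, then delete it.
$created | Export-Csv e:\initial-passwords.csv -NoTypeInformation
```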



Change licenses using PowerShell

To add, remove or change a license for a specific user you can use the Set-MsolUserLicense command which accepts the –AddLicenses and –RemoveLicenses options. For example, to add a license to a user named Paul@office365labs.nl you can use a command like this:

Set-MsolUserLicense -UserPrincipalName joe@gk365.co.uk -AddLicenses "gk365london:ENTERPRISEPACK"

Or remove a license from a user:

Set-MsolUserLicense -UserPrincipalName joe@gk365.co.uk -RemoveLicenses "gk365london:ENTERPRISEPACK"

You can also combine the -AddLicenses and -RemoveLicenses options to replace a license, for example:

Set-MsolUserLicense -UserPrincipalName joe@gk365.co.uk -RemoveLicenses "gk365london:ENTERPRISEPACK" -AddLicenses <other license>

It is also possible to use only specific Service Plans in a subscription. For example, you can use the Get-MsolAccountSku command to retrieve the individual service plans:

Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "ENTERPRISEPACK"} | ForEach {$_.ServiceStatus}

If you want to disable Yammer, Rights Management Server, Office Web Apps and SharePoint Enterprise you can use the following commands:

$Options = New-MsolLicenseOptions -AccountSkuId gk365london:ENTERPRISEPACK -DisabledPlans YAMMER_ENTERPRISE,RMS_S_ENTERPRISE,SHAREPOINTWAC,SHAREPOINTENTERPRISE

Set-MsolUserLicense -UserPrincipalName joe@gk365.co.uk -LicenseOptions $Options

Be careful when removing licenses. When you do, the data stored in the accompanying application will be deleted as well!

Block Users using PowerShell

When a user leaves the organization it is not uncommon to block his user account. You can use the Set-MsolUser command with the –BlockCredential option, like this:

Set-MsolUser -UserPrincipalName joe@gk365.co.uk -BlockCredential $true

To enable the account again, just change the -BlockCredential option to $false, like this:

Set-MsolUser -UserPrincipalName joe@gk365.co.uk -BlockCredential $false

Remove Users using PowerShell

Removing users from Azure Active Directory is just a matter of using the Remove-MsolUser command with the -UserPrincipalName option. The -Force option suppresses the confirmation that normally follows a Remove PowerShell command, for example:

Remove-MsolUser -UserPrincipalName joe@gk365.co.uk -Force

When the -Force option is omitted, a confirmation message is shown.

When users are deleted, they are not permanently deleted straight away; they are stored in the Azure Active Directory recycle bin, where they stay for another 30 days. Only then are they (automatically) permanently deleted. You can use the -RemoveFromRecycleBin option with the Remove-MsolUser command to remove the user account permanently, without temporarily storing it in the recycle bin.

Please be aware that when you remove a user account the user’s data is also deleted!

  • Disabling an account does not necessarily remove access to the mailbox immediately
  • Deleting an account will mark the mailbox for deletion unless other action is taken!

Restore Users from Recycle Bin

As explained above users are stored in the recycle bin when they are deleted using the Remove-MsolUser command. To get a list of all users that are located in the recycle bin you can use the Get-MsolUser command with the –ReturnDeletedUsers option, like this:

Get-MsolUser -ReturnDeletedUsers

To restore the user joe@gk365.co.uk from the recycle bin, you can use the Restore-MsolUser command with the -UserPrincipalName option, like this:

Restore-MsolUser -UserPrincipalName joe@gk365.co.uk

Managing Passwords and Password Policy using PowerShell

It is not uncommon for an administrator to change a user’s password, and in an Office 365 environment this is no different. To reset a user’s password using PowerShell you can use the Set-MsolUserPassword command with the -UserPrincipalName and -NewPassword options, for example:

Set-MsolUserPassword -UserPrincipalName joe@gk365.co.uk -NewPassword 'Pa$$w0rd' -ForceChangePassword $TRUE

The -ForceChangePassword option makes sure the user changes his password after the first logon to Office 365.

By default a user’s password in Azure Active Directory expires every 90 days with a 14-day notification interval. To change the password policy you can use the Set-MsolPasswordPolicy command with the -DomainName, -ValidityPeriod and -NotificationDays options, like this:

Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14 -DomainName gk365.co.uk

The ValidityPeriod determines how long the password can be used, and this can range from 14 days to 730 days (2 years). The NotificationDays is the number of days before the password expires that the user starts getting a notification. This can range from 1 day to 30 days.

To set a user’s password to never expire (which is not a best practice, but can be very useful for service account passwords, for example when setting up Directory Synchronization) you can use the Set-MsolUser command, for example:

Set-MsolUser -UserPrincipalName ADConnect@gk365.co.uk -PasswordNeverExpires $true

For more information you can check the Manage Azure AD users on TechNet: https://msdn.microsoft.com/en-us/library/azure/dn919674.aspx

Set the password to never expire for an Office 365 user:

Set-MsolUser -UserPrincipalName <UserPrincipalName> -PasswordNeverExpires $True

Disable the password-never-expires option for an Office 365 user:

Set-MsolUser -UserPrincipalName <UserPrincipalName> -PasswordNeverExpires $False

Set the password to never expire for ALL Office 365 users (bulk mode):

Get-MsolUser | Set-MsolUser -PasswordNeverExpires $True

Display the password settings for all Office 365 users:

Get-MsolUser | Select UserPrincipalName,PasswordNeverExpires

Display information about the Office 365 password policy:

Get-MsolPasswordPolicy -DomainName <Domain Name>


Managing Administrative Roles using PowerShell

| Office 365 admin center role name | Windows PowerShell role name | Role tasks |
| --- | --- | --- |
| Global administrator | Company administrator | Perform all administrative tasks |
| Billing administrator | Billing administrator | Make purchases, manage subscriptions, manage support tickets, and monitor service health |
| Password administrator | Helpdesk administrator | Change and reset passwords, manage service requests, and monitor service health |
| Service administrator | Service support administrator | Manage service requests and monitor service health |
| User management administrator | User account administrator | Create and delete users and groups, reset passwords, manage service requests, and monitor service health |

To assign a role in PowerShell use the following command:

Add-MsolRoleMember -RoleMemberEmailAddress <UPN Address> -RoleName <FromListAbove>

To view who is a member of a role:

$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId

The role has to be looked up by its RoleName first because the ObjectId for “Company Administrator” is unique to every Office 365 tenant.
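
The role lookup above and the password settings from the previous section can be combined into a periodic review of privileged and non-expiring accounts. The script below is an added example, not part of the original post; it assumes an existing Connect-MsolService session, and the variable names and finding texts are chosen for illustration.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService has already
# been run; variable names and the wording of the findings are chosen for this sketch.

# Map each directory ObjectId to the names of the admin roles it holds.
$rolesByUser = @{}
foreach ($role in (Get-MsolRole)) {
    foreach ($member in (Get-MsolRoleMember -RoleObjectId $role.ObjectId)) {
        $key = $member.ObjectId.ToString()
        if (-not $rolesByUser.ContainsKey($key)) { $rolesByUser[$key] = @() }
        $rolesByUser[$key] += $role.Name
    }
}

# Walk all users and keep only those that hold a role or have a non-expiring password.
$report = foreach ($user in (Get-MsolUser -All)) {
    $roles        = $rolesByUser[$user.ObjectId.ToString()]
    $neverExpires = ($user.PasswordNeverExpires -eq $true)
    if (-not $roles -and -not $neverExpires) { continue }

    $findings = @()
    if ($roles -and $neverExpires) {
        $findings += 'admin role with non-expiring password'
    }
    if ($roles -and $user.BlockCredential) {
        # A blocked leaver account that was never removed from its role.
        $findings += 'blocked account still holds an admin role'
    }
    if (-not $roles -and $neverExpires) {
        $findings += 'non-expiring password (check it is a service account)'
    }

    [pscustomobject]@{
        UserPrincipalName    = $user.UserPrincipalName
        Roles                = ($roles -join '; ')
        PasswordNeverExpires = $neverExpires
        BlockCredential      = $user.BlockCredential
        LastPasswordChange   = $user.LastPasswordChangeTimestamp
        Findings             = ($findings -join '; ')
    }
}

# Accounts with findings first, then the remaining role holders.
$report |
    Sort-Object @{ Expression = { [string]::IsNullOrEmpty($_.Findings) } }, UserPrincipalName |
    Format-Table -AutoSize -Wrap
```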

Outline of Commands:

User:

| Command | Description |
| --- | --- |
| Convert-MsolFederatedUser | The Convert-MsolFederatedUser cmdlet is used to update a user in a domain that was recently converted from single sign-on (also known as identity federation) to standard authentication type. A new password must be provided for the user. |
| Get-MsolUser | The Get-MsolUser cmdlet can be used to retrieve an individual user, or list of users. An individual user will be retrieved if the ObjectId or UserPrincipalName parameter is used. |
| New-MsolUser | The New-MsolUser cmdlet is used to create a new user in Windows Azure AD. In order to give the user access to services, they must also be assigned a license (using the LicenseAssignment parameter). |
| Remove-MsolUser | The Remove-MsolUser cmdlet is used to remove a user from Windows Azure AD. This cmdlet will delete the user, their licenses, and any other associated data. |
| Restore-MsolUser | The Restore-MsolUser cmdlet restores a user that is in the Deleted users view to their original state. Users will remain in the Deleted users view for 30 days. |
| Set-MsolUser | The Set-MsolUser cmdlet is used to update a user object. Note that this cmdlet should be used for basic properties only. The licenses, password, and User Principal Name for a user can be updated through Set-MsolUserLicense, Set-MsolUserPassword and Set-MsolUserPrincipalName cmdlets respectively. |
| Set-MsolUserPassword | The Set-MsolUserPassword cmdlet is used to change the password of a user. This cmdlet can only be used for users with standard identities. |
| Set-MsolUserPrincipalName | The Set-MsolUserPrincipalName cmdlet is used to change the User Principal Name of a user. This cmdlet can be used to move a user between a federated and standard domain, which will result in their authentication type changing to that of the target domain. |
| Redo-MsolProvisionUser | The Redo-MsolProvisionUser cmdlet can be used to retry the provisioning of a user object in Windows Azure Active Directory when a previous attempt to create the user object resulted in a validation error. |

Group:

| Command | Description |
| --- | --- |
| Add-MsolGroupMember | The Add-MsolGroupMember cmdlet is used to add members to a security group. The new members can be either users or other security groups. |
| Get-MsolGroup | The Get-MsolGroup cmdlet is used to retrieve groups from Windows Azure AD. This cmdlet can be used to return a single group (if ObjectId is passed in), or to search within all groups. |
| Get-MsolGroupMember | The Get-MsolGroupMember cmdlet is used to retrieve members of the specified group. The members can be either users or groups. |
| New-MsolGroup | The New-MsolGroup cmdlet is used to add a new security group to Windows Azure AD. |
| Remove-MsolGroup | The Remove-MsolGroup cmdlet is used to delete a group from Windows Azure AD. |
| Remove-MsolGroupMember | The Remove-MsolGroupMember cmdlet is used to remove a member from a security group. This member can be either a user or a group. |
| Set-MsolGroup | The Set-MsolGroup cmdlet is used to update the properties of a security group. |
| Add-MsolRoleMember | The Add-MsolRoleMember cmdlet is used to add a member to a role. Currently, only users can be added to a role (adding a security group is not supported). |
| Get-MsolRole | The Get-MsolRole cmdlet can be used to retrieve a list of administrator roles. |
| Get-MsolUserRole | The Get-MsolUserRole cmdlet is used to retrieve all of the administrator roles that the specified user belongs to. This cmdlet will also return roles that the user is a member of through security group membership. |
| Get-MsolRoleMember | The Get-MsolRoleMember cmdlet is used to retrieve all members of the specified role. |
| Remove-MsolRoleMember | The Remove-MsolRoleMember cmdlet is used to remove a user from an administrator role. |
| Redo-MsolProvisionGroup | The Redo-MsolProvisionGroup cmdlet can be used to retry the provisioning of a group object in Windows Azure Active Directory when a previous attempt to create the group object resulted in a validation |

 

Exchange:

Free Product key for Exchange Hybrid:

http://www.garethjones294.com/exchange-hybrid-product-key-distribution-now-free/

Office 365 Data Import Service

https://support.office.com/en-gb/article/Use-network-upload-to-import-PST-files-to-Office-365-103f940c-0468-4e1a-b527-cc8ad13a5ea6.

https://support.office.com/en-gb/article/Overview-of-importing-PST-files-and-SharePoint-data-to-Office-365-ba688e0a-0fcb-4bd7-8e57-2b669564ea84

https://blogs.office.com/2015/09/16/office-365-import-service-migration-to-sharepoint-online-and-onedrive-for-business-just-became-easier/

IMAP / Staged / Cutover / Hybrid?  Which one should I choose?

http://o365info.com/mail-migration-office-365-mail-migration-methods-part-14/

https://support.office.com/en-gb/article/Ways-to-migrate-multiple-email-accounts-to-Office-365-0a4913fe-60fb-498f-9155-a86516418842?ui=en-US&rs=en-GB&ad=GB&fromAR=1

Hybrid & Migration Links:

http://aka.ms/stagedguidance

https://jaapwesselius.com/2015/11/02/moving-mailboxes-in-a-hybrid-configuration-part-i/

https://jaapwesselius.com/2015/06/23/the-operation-on-mailbox-failed-because-its-out-of-the-current-users-write-scope/

http://www.peters.com/migrating-mailboxes-to-office-365/

Cross Premise Mailbox Permissions (Send As / On Behalf Of)

http://www.msexchange.org/articles-tutorials/office-365/exchange-online/exchange-hybrid-cross-premises-mailbox-permissions-demystified-part1.html 

Office 365 Groups

http://www.alexpearce.tech/microsoft/office-365/prevent-users-from-creating-groups-in-office-365/

https://support.office.com/en-gb/article/Use-PowerShell-to-manage-Office-365-Groups-Admin-help-aeb669aa-1770-4537-9de2-a82ac11b0540

Misc Stuff:

http://o365info.com/manage-email-address-using-powershell/

https://www.cogmotive.com/blog/office-365-tips/access-denied-when-connecting-to-exchange-online-using-powershell

http://blogs.technet.com/b/exchange/archive/2015/01/13/a-better-way-to-recover-a-mailbox.aspx

 

Skype for Business:

Broadcast:

https://skype4b.uk/2015/11/11/configuring-and-controlling-skype-broadcast-meetings-using-powershell/

https://support.office.com/en-gb/article/Enable-Skype-Meeting-Broadcast-5299cce0-850e-42dc-b6ae-2d0ee775c4a9?ui=en-US&rs=en-GB&ad=GB

PBX:

https://technet.microsoft.com/en-us/library/mt631190.aspx

https://technet.microsoft.com/en-gb/library/mt612869.aspx

https://blogs.technet.microsoft.com/skypehybridguy/2016/02/15/cloud-pbx-modern-voice-pstn-calling-in-office365/

PSTN Conferencing:

https://support.office.com/en-gb/article/Set-up-dial-in-or-PSTN-conferencing-for-Skype-for-Business-d01954f1-4f37-4cf5-a636-20039e5c59e9

https://support.office.com/en-gb/article/Phone-numbers-for-dial-in-conferencing-95a08f84-04e5-4f72-88a8-d6472a7c89d7?ui=en-US&rs=en-GB&ad=GB

https://technet.microsoft.com/en-us/library/skype-for-business-online-limits.aspx#bkmk_Meeting_LyncOnlineLimits

https://support.office.com/en-gb/article/Dialing-out-from-a-meeting-so-other-people-can-join-it-3c2db9a5-3a19-4e19-b59e-8e5587f25d31

SharePoint:

Using Powershell to manage SharePoint Online:

http://www.garethjones294.com/using-powershell-to-manage-sharepoint-2013-online/

Important changes to the Storage for SharePoint:

http://www.microsofttrends.com/2016/02/18/major-increases-to-available-storage-for-office-365-sharepoint-and-onedrive-users/

Migrations:

https://blogs.office.com/2015/09/16/office-365-import-service-migration-to-sharepoint-online-and-onedrive-for-business-just-became-easier/

https://support.office.com/en-gb/article/Use-network-upload-to-import-SharePoint-data-to-Office-365-ed4a43b7-c4e3-45c8-94c8-998153407b8a

OneDrive for Business:

http://www.microsofttrends.com/2016/02/18/major-increases-to-available-storage-for-office-365-sharepoint-and-onedrive-users/

https://support.cloudhq.net/migration-of-dropbox-for-business-accounts-to-office365/

Migrations

https://blogs.office.com/2015/09/16/office-365-import-service-migration-to-sharepoint-online-and-onedrive-for-business-just-became-easier/

Managing access & other settings:

https://blogs.office.com/2015/07/16/new-it-management-controls-added-to-onedrive-for-business/

What to do when a user leaves the organisation:

RMS / IRM:

http://www.concurrency.com/blog/w/office-365-%E2%80%93-rms-irm-external-sharing

https://blogs.office.com/2015/05/21/analyze-office-365-data-with-equivio-zoom/

DirSync / AD Connect / ADFS:

AD Connect Articles:

Force replication with Azure Active Directory Connect (AAD Connect) (old Dirsync Start-OnlineCoe

Force AD Connect Synchronization – v1.1.105.0 onwards

Azure AD Connect Health Monitoring and Insights – Step by Step

Enabling and Disabling the AAD Connect Automatic Update / Upgrade Feature

ADFS Articles:

http://thinketg.com/adfs-3-0-logon-page-customization/

http://eimagine.com/adfs-3-0-logon-page-customization/

Deploy ADFS in Azure rather than on prem: https://technet.microsoft.com/library/dn509539.aspx

To change the UPN for ALL users in an OU or Domain:

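Import-Module ActiveDirectory

# Select every user under the OU whose UPN ends in the old suffix.
Get-ADUser -Filter {UserPrincipalName -like "*@corp.msft"} -SearchBase "OU=Test,DC=ad,DC=corp,DC=msft" |
ForEach-Object {
    # Include the "@" so only the suffix is swapped, never text in the name part.
    $UPN = $_.UserPrincipalName.Replace("@corp.msft","@azurenutters.co.uk")
    Set-ADUser $_ -UserPrincipalName $UPN
}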

Workflow on what to do when a user leaves the organisation:

Office 365 Pro Plus / Client:

Office 365 Configuration XML Editor (MUST USE!)

https://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html

Office 365 ProPlus and the Office Deployment Tool

https://www.petri.com/using-office-365-proplus-with-office-deployment-tool

Getting started guide for deploying Office 365 ProPlus

https://technet.microsoft.com/en-us/library/jj839718.aspx

Deploying Office 365 – Essential Info for every admin (note a couple of things are out of date, you do not need to use VL for Office on an RDS Server any longer!):

http://www.itninja.com/blog/view/deploying-office-365-essential-info-for-every-admin

Standard Info for deploying Office 365 Pro Plus:

https://technet.microsoft.com/en-us/library/jj219422(v=office.15).aspx

https://technet.microsoft.com/en-us/library/jj219426(v=office.15).aspx

Channels and Name Changes:

https://technet.microsoft.com/en-gb/library/mt455210.aspx

  • New: Current Channel = Old: Current Branch
  • New: First Release for Current Channel = Old: First Release for Current Branch
  • New: Deferred Channel = Old: Current Branch for Business
  • New: First Release for Deferred Channel = Old: First Release for Current Branch for Business

A collection of useful PowerShell scripts to make deploying Office 2016 and Office 365 ProPlus easier:

https://github.com/OfficeDev/Office-IT-Pro-Deployment-Scripts/wiki/Office-ProPlus-Deployment 

Deploy via Group Policy:

http://c7solutions.com/2015/10/installing-office-2016-click-to-run-via-group-policy

Deploy Via Intune:

https://www.intunewithit.com/2016/04/27/deploy-office-365-proplus-via-intune/

Installing Office365 ProPlus on a RDS Server (Terminal Server) using Shared Computer Activation

http://blog.powerbiz.net.au/office-365/installing-office365-proplus-on-a-rds-server-terminal-server-using-shared-computer-activation/

Deploy via SCCM:

http://blogs.technet.com/b/pauljones/archive/2013/08/28/office-2013-click-to-run-with-configuration-manager-2012.aspx

Telemetry:

https://technet.microsoft.com/en-us/library/jj219431.aspx