
With Cloud on the ‘loose’, Microsoft has offered a very flexible platform which allows organizations to easily subscribe for trials or even register for a tenant on the fly. However, without proper clean-up this creates additional hassles and steps, especially if the Global Admin is no longer around or the login credentials have been misplaced – and this is what happened to me in a recent Office 365 engagement.

In this implementation, we were supposed to activate the actual domain (example: mydomain.com) on a new Office 365 tenant. However, when attempting to associate the corporate domain with the Office 365 tenant, the portal detected that our domain had already been used and activated with another tenant for Microsoft Power BI purposes. To make things complicated, nobody knew who owned the other domain.

To ‘regain control’ of the corporate domain, we had to create an automatically generated TXT record to prove that we were the actual owners and would be the Global Admin taking over the Power BI tenant. After that we had to remove the corporate domain that had been configured with the Power BI tenant, but were met with an error message:

Dependencies on domain. To remove this domain, you’ll have to remove the following dependencies first.

When expanded, the alias and Skype addresses indicate the users that have been assigned within the tenant, although no Exchange Online or Skype for Business Online licenses were available. In the end, we had to use PowerShell to remove the corporate domain:

  • Connect-MsolService
  • Remove-MsolDomain -DomainName mydomain.com -Force

Refresh the Admin portal. We managed to remove the corporate domain that was initially assigned to the Power BI tenant and ‘migrated’ it to the actual Office 365 domain.

This is a continuation of my previous post on sharing my experience in dealing with Web Proxy and Office 365. You may browse through or select the following topics:
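
Before forcing a domain out of a tenant, it is worth keeping a record of which objects still reference it. The following is an added example, not part of the original post: it assumes Connect-MsolService has already been run against the tenant that currently holds the domain, uses the post's example name mydomain.com, and the output file names are hypothetical.

```powershell
# Added example: snapshot the objects that depend on a domain before removing it.
# Assumes an existing Connect-MsolService session in the tenant holding the domain.
$domain = 'mydomain.com'   # example name used in the post

# Current state of the domain in this tenant
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication

# Users with a primary or secondary address on the domain (mail aliases, SIP addresses)
$users = Get-MsolUser -DomainName $domain -All |
    Select-Object UserPrincipalName, DisplayName, IsLicensed,
        @{ Name = 'AddressesOnDomain'; Expression = {
            ($_.ProxyAddresses | Where-Object { $_ -like "*@$domain" }) -join ';' } }

# Groups whose mail address or proxy addresses sit on the domain
$groups = Get-MsolGroup -All |
    Where-Object { $_.EmailAddress -like "*@$domain" -or
                   ($_.ProxyAddresses | Where-Object { $_ -like "*@$domain" }) } |
    Select-Object DisplayName, EmailAddress, GroupType

# Keep the evidence (hypothetical file names), then review it before removal
$users  | Export-Csv -Path ".\$domain-users.csv"  -NoTypeInformation
$groups | Export-Csv -Path ".\$domain-groups.csv" -NoTypeInformation
"{0} user(s) and {1} group(s) reference {2}" -f @($users).Count, @($groups).Count, $domain
```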

  • Office 365 & Web Proxy Part 1 – Conceptual Design & Preparation
  • Office 365 & Web Proxy Part 2 – Prepare Symantec .Cloud Web Gateway for Office 365
  • Office 365 & Web Proxy Part 3 – Setting up the Symantec Client Side Proxy & Cloud Web Gateway
  • Office 365 & Web Proxy Part 4 – Setting up Firewall for Office 365
  • Office 365 & Web Proxy Part 5 – Troubleshoot Skype for Business Online with Cloud Web Proxy

In this chapter, these are the components that make the solution work:

  1. Active Directory Users & Security Groups
  2. Symantec Directory Synchronization Tool (SCHEMUS)
  3. Active Directory Group Policy Object (GPO)

The key to this deployment is identifying the types of URLs or Web Categories that users will be allowed or prohibited to access. So before we begin building the web policies, it is crucial to identify the groups of users and the types of material (URLs) that they need to access, to ensure both productivity and restrictions are applied according to the corporate policies.

To start off, I’ve created the security groups using this format: Web-XYZ, where Web stands for Web Proxy while XYZ stands for the type of access. For example: Web-YouTube, where users in this group are allowed to access YouTube. Place all of these groups into a dedicated OU, which the Symantec Synchronization Tool (SCHEMUS) will synchronize to Symantec .Cloud. As a general guideline, you may structure / plan the Security Groups in this manner:

  • Web-YouTube
  • Web-SocialMedia
  • Web-PublicWebMail
  • Web-BasicWeb

Once the security groups have been created, install SCHEMUS onto a designated system. SCHEMUS doesn’t require many resources, so you may co-locate it with Azure AD Connect, which performs the same kind of synchronization activity to the cloud.

Configuring SCHEMUS is very similar to Azure AD Connect – select the OU container (best practice) which holds all of your users and security groups:

1. Give the synchronization a name (e.g. Sync Web) and select Users in the synchronization type column

2. Select Microsoft Active Directory as the Source Type

3. Fill in the hostname of your Domain Controller along with your Domain Admin’s username & password

4. Select the OU in which you’ve stored all of your corporate users

5. At the next screen, SCHEMUS will attempt to query a list of sample users from the last selection that you’ve made. Once you’ve confirmed that the queried objects are correct, move on to the next screen

6. Select Symantec .Cloud as the Repository Type

7. During the initial launch after installing SCHEMUS, you’ll be prompted for Symantec .Cloud user credentials to activate the application, so you can continue with the wizard by leaving this option at its default configuration

8. If you need to omit any objects from this synchronization, key in the filters, or leave the values blank (default)

9. Leave the limits at their defaults unless you have a good reason to limit the number of users that need to be synchronized

10. I would highly recommend that you configure notifications for any synchronization failures, as the synchronization tasks will be performed on a schedule – which is similar to Azure AD Connect. Key in your SMTP relay server (I’m assuming that no active mail servers are still available as we’re moving to Office 365 – duh!)

11. On the final configuration screen of SCHEMUS, click on Verify to make sure all of the configuration is working as expected

If everything is successful, you should get a screen similar to mine

12. Schedule the synchronization tasks for your desired time

13. Click on Save to complete the synchronization for Users. Repeat Step 1 – 13 for Groups and Mail (if any)

14. Click on Update at the left of the SCHEMUS window and you should be able to see the list of users and groups being synchronized to Symantec .Cloud

Next, we move on to configuring the Symantec .Cloud Root CA certificate, which allows HTTPS inspection when users browse to any HTTPS site. Grab the file from your ClientNet portal > Tools > Downloads

Symantec Web Security Cloud Root CA

After downloading it, publish it to all domain member workstations, desktops and / or laptops via the Active Directory GPO:

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

Import the downloaded Symantec Web Security .Cloud Root CA and all domain member machines will automatically download it to the local certificate store. This allows all major browsers – Internet Explorer, Google Chrome & Microsoft Edge (except Firefox) – to automatically recognize and accept the certificate when HTTPS inspection triggers at the Cloud level. I would recommend linking the policy at the designated OU in which you’ve stored all your client machines; if you’ve been leaving the machines in the default container (Computers), update the configuration using the Default Domain Policy GPO.

Now that the core elements are in place, we’ll proceed to the next topic on configuring the Client Side Proxy (CSP) and setting up rules and policies at Symantec .Cloud Services.
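
A root CA pushed through this GPO is trusted by every domain member for any site, so the file is worth validating before it goes into the policy. The following is an added example, not part of the original post or any Symantec tooling: the function name Test-RootCaFile, the file path and the expected fingerprint are assumptions, and the fingerprint must come from the vendor through a separate channel.

```powershell
# Added example: validate a downloaded root CA file before importing it into a GPO.
function Test-RootCaFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Fingerprint obtained out-of-band from the vendor (placeholder in the call below)
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # SHA-256 over the DER-encoded certificate, independent of the file's PEM/DER wrapping
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { $actual = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', '' }
    finally { $sha.Dispose() }
    $expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A trust anchor should be flagged as a CA in its Basic Constraints extension
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $now = Get-Date

    [pscustomobject]@{
        Subject          = $cert.Subject
        Sha256           = $actual
        Sha1Thumbprint   = $cert.Thumbprint
        FingerprintMatch = ($actual -eq $expected)
        IsSelfSigned     = ($cert.Subject -eq $cert.Issuer)
        IsCA             = [bool]($bc -and $bc.CertificateAuthority)
        InValidityPeriod = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
    }
}

# Hypothetical path and placeholder fingerprint
$result = Test-RootCaFile -Path 'C:\Temp\SymantecWebSecurityRootCA.cer' `
                          -ExpectedSha256 '<SHA-256 fingerprint from the vendor>'
if (-not ($result.FingerprintMatch -and $result.IsCA -and $result.InValidityPeriod)) {
    throw 'Root CA file failed validation; do not import it into the GPO.'
}

# On a domain member, after gpupdate: confirm the same certificate reached the machine store
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $result.Sha1Thumbprint
```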

As Office 365 (Cloud) solutions & services are becoming very common in most organizations, restricting and controlling bandwidth is needed to ensure users’ experience is not impacted – as compared to the traditional model where internal communications are deemed to be seamless, with connectivity between 100 Mbps and 1 Gbps.

This time around, I’ll be sharing a recent implementation that involves Office 365 and Symantec Cloud Web Proxy:

In this engagement, the client has subscribed to a mixture of Office 365 Business Essential, Exchange Online Plan 1 and Exchange Online Kiosk, with a total of 600 users within the organization. The plan was to migrate the existing on-premise Exchange Server 2007 to Exchange Online, activate all workloads and subsequently enforce web browsing usage – this is to ensure the users’ experience while using the Cloud is not impacted by non-productive web browsing during office hours (e.g. audio & video streaming). Hence, two (2) elements are involved – the firewall and the cloud-based web proxy.

To get things started, the following components have been deployed in the infrastructure:

  1. Active Directory – GPOs are highly used for this deployment
  2. WPAD script which has been customized and published onto a Windows Server 2012 R2 Internet Information Services (IIS)
  3. DHCP with option 252 enabled and mapped to the Web Server
  4. Symantec .Cloud Web Gateway subscription
  5. Symantec Directory Synchronization Tool (SCHEMUS)
  6. Symantec Client Side Proxy with a customized configuration containing the bypass URLs. The Symantec CSP core runs on SQUID services, where most of the configuration is highly customizable
  7. Fortinet Firewall

Working mechanism:

  1. The DHCP servers distribute the WPAD script location (DHCP option 252) as part of leasing IP addresses to the endpoints (during boot-up). The browsers will then make HTTP / HTTPS requests either directly to the Server Farm (internal web servers) or through the Symantec Client Side Proxy (CSP).
  2. Based on the configuration and policies (ACL) within the Symantec CSP, the browsers either bypass entirely without any authentication OR pass through the Symantec .Cloud Web Gateway for web filtering.
  3. In this scenario, we’ve set ALL Office 365 URLs and a set of the organization’s permitted web sites (e.g. banking sites) so that their web traffic bypasses the Symantec .Cloud Web Gateway filtering policies, while the rest is tunneled to the Cloud Gateway before reaching the Internet

Before starting Part 2, it is important to identify the list of frequently used URLs with their associated user groups, the types of non-browser-based applications and services, the IP subnets and the web browsers used within the organization. So far, Internet Explorer, Microsoft Edge, Google Chrome & Safari don’t pose any compatibility issues with the above infrastructure; however, Mozilla Firefox requires attention and additional steps in order to get the browser working with the Cloud Proxy.

Finally, a lighter version of Persistent Chat (within Skype for Business Server / Lync Server) has launched, and it can be easily activated with a simple flip of a switch. Microsoft Teams was launched earlier this month as part of the Office 365 subscription – it is available on Business Essentials, Business Premium, Enterprise E1, E3 and E5. (Reference: Introducing Microsoft Teams)

If you happen to be on any of the subscription plans mentioned earlier, log in to your Office 365 Admin Center and follow the step-by-step guide:

  1. At the Admin Center, select Apps > Microsoft Teams
  2. “Flip” the switch at the top right to ON and click Save

Once that’s done, download the Microsoft Teams client app here and you can start creating your own Virtual Groups / Teams and start collaborating!

I’ve just noticed that in my past articles on Skype4B / Lync Room Systems, I missed out a guide on how to provision the Room System via Office 365. To perform this task, it is assumed that your tenant has Exchange Online Plan 1 with Skype for Business Online Plan 1 (Office 365 Business Essentials / Premium / E1 / E3 / E4) in place.

  1. First, log on to your Office 365 Admin Portal and launch the Exchange Admin Center page
  2. Create / provision a Resource (Room) Mailbox. Give the ‘Room’ a name (example: MY-KUA-Meeting Room) and an email address (mandatory). The rest of the fields are optional
  3. Once complete, launch the Windows Azure Active Directory Module for PowerShell as Administrator (Run As Administrator)
  4. Key in the following commands:

    # Allow the scripts from the imported remote session to run
    Set-ExecutionPolicy Unrestricted
    $org = 'yourdomain.com'
    $cred = Get-Credential "admin@$org"
    # Open a remote PowerShell session to Exchange Online and import its cmdlets
    $sess = New-PSSession -ConfigurationName microsoft.exchange -Credential $cred -AllowRedirection -Authentication basic -ConnectionUri https://ps.outlook.com/powershell
    Import-PSSession $sess
    # Double quotes so that $org is expanded into the room mailbox address
    $rm = "MY-KUA-MR@$org"
    $password = Read-Host "Enter password" -AsSecureString
    # Enable the room mailbox account and set its sign-in password
    Set-Mailbox -Identity $rm -Type Room -EnableRoomMailboxAccount $true -RoomMailboxPassword $password
    # Auto-accept meeting invites and keep the organizer's subject line as sent
    Set-CalendarProcessing -Identity $rm -AutomateProcessing AutoAccept
    Set-CalendarProcessing -Identity $rm -AddOrganizerToSubject $false -DeleteSubject $false

Close the PowerShell window and log in to the Room System using the account that was provisioned earlier.

 

My colleague and I were running an Office 365 project with a THIN timeframe. We did some research looking for scripts to enable the Office 365 users with the appropriate license and customized them to fit ours, and I would like to take this opportunity to share this with those who need help with it as well.

With the given scenario & environment:

  • Running on Azure ADSync & ADFS 3.0
  • All User Objects have been synchronized to Office 365
  • You have exported all of the synced users into CSV format

To do this, launch the Azure Active Directory module for PowerShell:

  1. Connect to the Microsoft Online Services (Connect-MsolService)
  2. Find out which SKUs or plans you’re entitled or subscribed to using Get-MsolAccountSku. The PowerShell cmdlet should return the following format: Tenant:ENTERPRISEPACK
  3. Next, declare the variables for the path where the CSV is stored and the type of license queried earlier at Step 2
    $path = "<Drive Letter>:\Filename.csv"   (for example: "D:\MSOLE3.csv")
    $lic = "Tenant:ENTERPRISEPACK"
  4. Now, you’re ready to assign the licenses with this cmdlet
    Import-Csv $path | foreach {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses "$lic"} -Verbose
  5. Once it is done, verify the licenses are correctly assigned:
    Import-Csv $path | Get-MsolUser | Out-GridView
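
A bulk run like this fails part-way when a user has no UsageLocation set or the SKU runs out of units, so a pre-checked variant that records the outcome per user is useful. The following is an added example, not the script from the original post: it assumes Connect-MsolService has been run and that the CSV has a UserPrincipalName column, and the result file name is hypothetical.

```powershell
# Added example: bulk license assignment with pre-checks and a per-user result log.
$path = 'D:\MSOLE3.csv'            # example path from the post
$lic  = 'Tenant:ENTERPRISEPACK'    # AccountSkuId as returned by Get-MsolAccountSku

$sku = Get-MsolAccountSku | Where-Object AccountSkuId -eq $lic
if (-not $sku) { throw "SKU $lic not found in this tenant." }
$free = $sku.ActiveUnits - $sku.ConsumedUnits   # licenses still available

$results = foreach ($row in Import-Csv $path) {
    $upn = $row.UserPrincipalName
    $status = try {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        if ($user.Licenses.AccountSkuId -contains $lic) { 'AlreadyLicensed' }
        elseif (-not $user.UsageLocation)               { 'Skipped: no UsageLocation' }
        elseif ($free -le 0)                            { 'Skipped: no free units' }
        else {
            Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $lic -ErrorAction Stop
            $free--
            'Assigned'
        }
    } catch { "Failed: $($_.Exception.Message)" }
    [pscustomobject]@{ UserPrincipalName = $upn; Status = $status }
}

# Summary on screen, full detail on disk (hypothetical file name)
$results | Group-Object Status | Select-Object Name, Count
$results | Export-Csv -Path 'D:\MSOLE3-result.csv' -NoTypeInformation
```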

I had a deployment recently where the customer wanted to seek feedback from the employees en masse while leveraging their Office 365 E3 Plan, for which Yammer Enterprise was the perfect answer.

This was a greenfield deployment as no users were on the platform yet, and we decided to use Azure ADSync to synchronize all User Objects to the Office 365 Cloud. The synchronization was smooth sailing, and we activated Yammer based on this guide – Yammer Activation Guide and this guide – Changing SharePoint Online Newsfeed to Yammer Enterprise.

Upon logging on to the Microsoft Office 365 main page (https://portal.microsoftonline.com) and selecting the Yammer tile, the Yammer page couldn’t be loaded and we were redirected to this page with an error message:

Sorry, but we’re having trouble signing you in. We received a bad request


When attempting to log in directly via Yammer, the page was not redirected to the Office 365 Portal login page and we kept receiving a message that the username & password were incorrect. As the usage of the platform was top priority, we had to raise a support service request with the Microsoft Office 365 Support Team – luckily the issue was easily resolved by performing the following:

  1. Log in to the Office 365 Admin Portal, go to Admin > SharePoint
  2. Click on Settings
  3. Under the Enterprise Social Collaboration option, switch back to Use SharePoint Newsfeed (default), click OK and wait for an hour (personal recommendation)
  4. After an hour, switch back to Use Yammer Service and click OK

Once that is done, the Single Sign-On issue is resolved and users can now log in using the same credentials as Office 365 / on-premise Active Directory.

Take-away lessons: During the troubleshooting process, the Yammer team sent a separate activation email to the Portal Admin, which doesn’t fix the Single Sign-On issue but further complicates the situation: all users are able to log in to Yammer, but the password will be different from the Office 365 Portal password. Use the steps above and see whether this works. If all else fails, you can use the Yammer Directory Sync tool to synchronize both user accounts and passwords before escalating back to Office 365 Technical Support.

This is somewhat a “throwback” article (sigh, time to look for a new ISP Provider) as the post was stuck at my draft till it was “officially” published 😦

Although there are various materials available on the Internet on how to join a Lync Online Meeting – either through Lync On-Premise or Office 365 – I came up with a short guide to help some customers/readers, especially users who are part of the organization but still wish to use Lync Online Meeting to join meetings.

  1. Usually you’ll receive an Online Meeting calendar invite from the sender; within the content there is a hyperlink/URL with the words Join Online Meeting
  2. Upon clicking the Lync Meeting URL, the web page brings you to the Online Meeting page, which starts detecting whether you have a native Lync Client installed. If not, you have the option to use Lync Web App
  3. Usually you’ll join as a Participant (Guest). Upon loading the page, type in your preferred display name to join the meeting. If this is the first time joining such a meeting and no Lync Web App plug-in is detected, you’ll be offered the option to install it
  4. Select Install Lync Web App plug-in and click on Join the Meeting
  5. Select RUN when prompted
  6. The Lync Web App plug-in will then start the installation
  7. Once the installation completes, the web page will automatically refresh. Type in an appropriate name and select Join the Meeting
  8. You’ll be placed in the Lync Virtual Lobby until the presenter verifies your identity and admits you into the meeting session
  9. If you receive a warning message, select Allow to grant the plug-in permission to interact with your machine. I would recommend selecting Always allow the plug-in for this domain to ease future access
  10. If your Windows Firewall is enabled, select Allow access to grant access for the plug-in. If this is not available, you may need to grant it manually from the Windows Firewall options. If you do not allow the plug-in through the Windows Firewall, you’ll experience difficulties such as no audio and/or video output during the meeting session
  11. Once you’re done, enjoy the meeting!

Many thanks to @KatherineChen as the meeting organizer and initiator for this guide to help out the SEA MVPs in joining our monthly MVP Meetings!

Recently I carried out a Proof-of-Concept (PoC) for a customer on a SMART Lync Room System (LRS) to replace their existing Video Conferencing solution – which isn’t too “Unified”, has several limitations when it comes to Group Meetings and, worse, the user experience was horrible (and that’s why I had the opportunity to go in).

The PoC was straightforward: the LRS would be connected to a Microsoft Office 365 account where it can be easily configured and demonstrated; simply an account for the LRS with Exchange & Lync licenses assigned would get the entire LRS up and running. However, it wasn’t as smooth as it seemed, as the Exchange Calendar didn’t appear and the “Round Loading Screen” kept rotating.

Thanks to a good friend from the Lync/Skype for Business MVPs, @OliverMoazzezi, who pointed out that there was a bug within LRS and that a temporary workaround can easily solve this issue:

  1. Reboot the System into Admin Mode
  2. Select the Network Connection Configuration. In the Network Connections window, activate the Address Bar and type Regedit, which opens the Registry Editor
  3. Navigate to HKLM\Software\Microsoft\Office\15.0\Lync > Right Click on the Key (icon shows as folder) > Permissions.. > Click on Add > type in Everyone > Grant Full Control
  4. Reboot the System and the Exchange Calendar will appear

For On-Premise LRS users, you may refer to www.Exchange2010.com for additional steps to resolve a similar issue.

Once again, I had the privilege of trying out the technology that was introduced during Lync Conference 2014, where SMART Technologies demonstrated how Lync and the interactive panel are able to bring people to collaborate further and be more productive. On top of the native Lync Online Meeting, it was extended to other file types such as AutoCAD – SMART Technologies: Taking the SMART Room System to the Next Level

To enable these features on top of the native Lync Online Meeting interactive collaboration, SMART Technologies has introduced an add-on known as the USB Bridge. This add-on allows machines such as laptops or workstations to be connected to the Lync Room System without needing to “switch channels” from the panel. This also enables direct interaction with the machine via the SMART interactive panel. For a better understanding of how the USB Bridge works with the SMART Lync Room System, here’s a YouTube video: Interactive Sharing with the SMART Room System™ for Microsoft® Lync® (Wise Man says: Videos are worth a Million Words) 😀

To configure the USB Bridge, there are only two (2) cables involved – the HDMI & USB Bridge cables. These two (2) cables are to be connected to the Lync Appliance (known as the AM70 Lync Appliance) and NOT the Interactive Panel. The USB Bridge connector can be connected to any of the available USB 2.0 ports EXCEPT the USB 3.0 port, while the HDMI cable is to be connected to the HDMI Capture Port.

Once the cable connectivity is completed, you should expect this behavior – USB Bridge with SMART Lync Room System

Another area to take note of is that the SMART Lync Room System must be running 15.10.1 or higher (currently 15.10.2) – you need to check the version through Admin Mode. If the LRS isn’t running the specified version, just run a Web Update in the same mode (Admin) and allow the system to reboot a couple of times, and it’ll complete the update easily.

Frankly, I had trouble with the cable connectivity during my initial attempt, as you may not find such a document on the Internet – I hope those who will be implementing the SMART Lync Room System will find this article helpful.
