This site deserves a special mention: it is a quick and easy way to keep up with and learn about the Azure offerings.
Restrict Users From Creating New Teams in Microsoft Teams
If you have recently adopted Microsoft Teams, managing teams within Teams becomes a tongue twister in itself. If you are concerned about users creating teams or groups that do not comply with your business standards, you may want to delegate team creation to a small group of mindful power users.
- Create a group. This can be an Active Directory synced group or an M365 group.
- Install the AzureAD Public Preview PowerShell module.
- Run the script below, replacing the value of "<GroupName>" with the name of the group you created, and enter administrator credentials when prompted.
```powershell
$GroupName = "<GroupName>"        # group whose members may still create groups
$AllowGroupCreation = $False      # everyone else is blocked

Connect-AzureAD

# Look up the tenant-wide "Group.Unified" setting; create it from the template if it does not exist yet
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
if (!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if ($GroupName)
{
    # Only members of this group are exempt from the restriction
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).ObjectId
} else {
    # An empty group name clears any previously configured exemption
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Print the resulting values to confirm the change
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
```
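After applying the setting it is worth confirming who can actually create groups now. The following audit function is an added example, not part of the original post; it assumes the AzureAD module is loaded and Connect-AzureAD has already been run, and the function name is my own.

```powershell
# Added example (not from the original post): report the effective group-creation policy
# and resolve the exempt group to its display name and user members.
function Get-GroupCreationPolicy {
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        return [pscustomobject]@{
            Restricted   = $false
            AllowedGroup = $null
            Creators     = @()
            Note         = "No Group.Unified setting exists; tenant default applies (all users may create groups)"
        }
    }

    # .Values is a list of Name/Value pairs and both sides arrive as strings
    $enableAll = ($setting.Values | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value
    $allowedId = ($setting.Values | Where-Object { $_.Name -eq "GroupCreationAllowedGroupId" }).Value
    $restricted = ($enableAll -eq "false")   # -eq is case-insensitive, so "False" matches too

    $groupName = $null
    $creators  = @()
    $note      = ""
    if ($restricted -and $allowedId) {
        $groupName = (Get-AzureADGroup -ObjectId $allowedId).DisplayName
        # -All $true avoids the default page size; nested groups have no UPN, so keep users only
        $creators = Get-AzureADGroupMember -ObjectId $allowedId -All $true |
            Where-Object { $_.ObjectType -eq "User" } |
            Select-Object -ExpandProperty UserPrincipalName
    } elseif ($restricted) {
        $note = "Group creation blocked for all non-admin users; no exempt group configured"
    }

    [pscustomobject]@{
        Restricted   = $restricted
        AllowedGroup = $groupName
        Creators     = $creators
        Note         = $note
    }
}

Get-GroupCreationPolicy
```

Re-run it after membership changes to the exempt group: the policy itself only references the group ID, so anyone added to that group gains creation rights without the directory setting changing.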
Microsoft Admin Portals
Microsoft 365 Admin Portals
Azure IT Admin Portals
Portal Name | URL |
---|---|
Microsoft Azure Portal | https://portal.azure.com/ |
Microsoft Azure (Release Candidate) | https://rc.portal.azure.com/ |
Microsoft Azure (Preview) | https://preview.portal.azure.com/ |
Azure Resource Explorer | https://resources.azure.com/ |
Azure Cloud Shell | https://shell.azure.com/ |
Azure Active Directory admin center | https://aad.portal.azure.com/ |
Azure Cosmos DB | https://cosmos.azure.com/ |
Azure Data Factory | https://adf.azure.com/ |
Azure Cognitive Services Custom Translator | https://portal.customtranslator.azure.ai/ |
Azure Non-profit Portal | https://nonprofit.microsoft.com/#/ngoportal |
Azure IT Admin Portals – Sub Portal Links
Portal Name | URL |
---|---|
Azure Security Center | https://portal.azure.com… |
Microsoft Licensing/Support Portals
Portal Name | URL |
---|---|
Volume Licensing Service Center | https://www.microsoft.com/Licensing/servicecenter/ |
Next Generation Volume Licensing | https://businessaccount.microsoft.com/ |
Microsoft Azure Enterprise Portal | https://ea.azure.com/ |
Microsoft Services Hub | https://serviceshub.microsoft.com/ |
Microsoft License Advisor | https://mla.microsoft.com/ |
Microsoft Partner Center | https://partner.microsoft.com/ |
Azure Subscriptions | https://account.azure.com/Subscriptions |
Security / Defender IT Admin Portals
Portal Name | URL |
---|---|
Microsoft Cloud App Security | https://portal.cloudappsecurity.com/ |
Microsoft Defender for Endpoints (Previously Defender ATP) | https://securitycenter.windows.com/ |
Microsoft 365 Defender | https://security.microsoft.com/ |
Office 365 Security & Compliance | https://protection.office.com/ |
Microsoft Defender for Identity (Previously Azure ATP) | https://portal.atp.azure.com/ |
Multi-factor authentication | https://account.activedirectory.windowsazure.com… |
Developer Portals
Portal Name | URL |
---|---|
Graph Explorer | https://developer.microsoft.com/en-us/graph/graph-explorer |
Azure DevOps | https://dev.azure.com/ |
Visual Studio Subscriptions | https://my.visualstudio.com/ |
Visual Studio Subscriptions Management | https://manage.visualstudio.com/ |
Adaptive Cards | https://adaptivecards.io/ |
Other Useful Microsoft Portals
Portal Name | URL |
---|---|
Office 365 Anti-Spam IP Delist Portal | https://sender.office.com/ |
Azure Status | https://status.azure.com/ |
Azure DevOps Status | https://status.dev.azure.com/ |
Windows Virtual Desktop Consent Page | https://rdweb.wvd.microsoft.com/ |
Customer Digital Experiences | http://demos.microsoft.com/ |
Group Policy Search | https://gpsearch.azurewebsites.net/ |
Microsoft Startups | https://portal.startups.microsoft.com/ |
Office UI Fabric Icons | https://uifabricicons.azurewebsites.net/ |
Become Microsoft Certified | https://query.prod.cms.rt.microsoft.com… |
Tech Community Video Hub | https://techcommunity.microsoft.com/t5/video-hub/ct-p/VideoHub |
Microsoft Azure Sponsorships | https://www.microsoftazuresponsorships.com/ |
Microsoft Dynamics Lifecycle Services | https://lcs.dynamics.com/ |
Microsoft MVP | https://mvp.microsoft.com/ |
Third Party Useful Portals – Microsoft Related and Free
Portal Name | URL |
---|---|
What is my Microsoft Azure and Office 365 tenant ID? | https://www.whatismytenantid.com/ |
Office 365 ATP Safe Links Decoder | https://o365atp.com/ |
Message Header Analyzer | https://mha.azurewebsites.net/ |
Tenant Availability Check | https://o365.rocks/ |
Reference: https://msportals.xyz/
Block File Sharing in Teams
COVID-19 has left many IT departments scrambling to roll out some form of conferencing or collaboration tool, as many people had to work remotely. This has hit hardest the organizations that were not agile or cloud-agnostic and had not adopted the modern workplace earlier on.
Microsoft Teams runs on SharePoint Online and OneDrive at its core. Organizations running on-premises compliance/DLP solutions will find it hard to put controls around data in the cloud; not being an early adopter and having to enable a collaboration tool such as Microsoft Teams is a daunting task when you want to stop organizational data from going walkabout. If your organization is one of those sitting on the fence, how do you do it?
Block file sharing in Teams by:
1. Not assigning a SharePoint Online license to end users.
2. Not creating Teams or channels; if you do….
3. Creating Teams for your organization but removing the EDIT permission from Team members on the Team's SharePoint site.
4. Additionally, if the tenant has Microsoft Cloud App Security enabled, creating a session-based Conditional Access policy that blocks upload and download of files in Teams and SharePoint Online.
SharePoint Online license: by not assigning it you deprive end users of access to OneDrive for Business, which is the primary storage for file sharing in 1-1 and group chats.
Creating a Team: when a team is created with members, this creates a SharePoint Online site, which by default gives members Edit permission on the site. Removing the EDIT permission from the Team site leaves members with read-only access, and only the owner of the Team/SharePoint site retains full permission, so do not assign or delegate the owner role to a regular user.
Microsoft Cloud App Security (MCAS) is Microsoft's CASB (Cloud Access Security Broker) solution and acts as a reverse proxy. A session-based Conditional Access policy can be configured to prevent file uploads/downloads in Teams/SharePoint sites. The caveat is that this only works when they are accessed via the web, not through the desktop client, hence the point above about removing EDIT permission for Team members. MCAS also gives you insight and alerting: when someone does try to upload a file, it blocks the attempt and alerts the admin.
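One way to carry out step 3 from PowerShell rather than the site settings page, as an added example that is not from the original post: it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, and the tenant admin URL and team name are placeholders.

```powershell
# Added example (not from the original post): demote a Team's default members group
# from Edit to Read on the Team's SharePoint site.
$AdminUrl = "https://<tenant>-admin.sharepoint.com"   # placeholder: your SPO admin URL
$TeamName = "<TeamDisplayName>"                        # placeholder: the Team to lock down

Connect-ExchangeOnline
Connect-SPOService -Url $AdminUrl

# Every Team is backed by a Microsoft 365 group, and the group object carries its site URL
$group   = Get-UnifiedGroup -Identity $TeamName
$siteUrl = $group.SharePointSiteUrl
if (-not $siteUrl) { throw "No SharePoint site found for team '$TeamName'" }

# The default members group is titled "<Site title> Members" and holds the Edit level
$membersGroups = Get-SPOSiteGroup -Site $siteUrl |
    Where-Object { $_.Title -like "* Members" -and $_.Roles -contains "Edit" }

foreach ($g in $membersGroups) {
    # Swap Edit for Read; owners keep Full Control through their own site group
    Set-SPOSiteGroup -Site $siteUrl -Identity $g.Title `
        -PermissionLevelsToRemove "Edit" -PermissionLevelsToAdd "Read"
}

# Verify: every site group and the permission levels it now holds
Get-SPOSiteGroup -Site $siteUrl | Select-Object Title, Roles
```

This changes only the site's permission level; files already shared from OneDrive in chats are governed by the license decision in step 1, not by this setting.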
Now that you have control over file sharing and have enabled Microsoft Teams, start a strategic rollout of cloud solutions for DLP, information protection, governance and classification. All of this is available via Microsoft 365 through Azure Information Protection, DLP, Azure ATP and Defender ATP, which can scan and classify your organization's data automatically based on sensitivity rules you control.
Licenses could not be assigned or removed due to an error -Azure AD group based licenses
Scenario: group-based licensing is enabled in Azure AD, but Exchange Online is not assigned through the group-based license. Users newly added to the group fail to get licenses assigned via the group, and reprocessing the group-based license throws the error:
Licenses could not be assigned or removed due to an error
Solution: a service plan recently backfilled by the O365 Commerce Team into the Office and Microsoft SKUs, Microsoft Bookings, has been added as Enabled on all the licenses. This service plan has a dependency on Exchange Online (Plan 1) or Exchange Online (Plan 2).
Disabling the Microsoft Bookings service plan in the affected groups should resolve the licensing error.
Kill all active user sessions in any Azure AD/ Office 365 application
If you are ever in a situation where you have to deal with a compromised O365 account, or a situation like mine where users were assigned a OneDrive/SPO license that you want to revoke while stopping them from using it immediately, the cmdlet below is very helpful.
If you are dealing with a large group of users, you may tire your fingers clicking "initiate sign-out"; better to get all members of the group and use the cmdlet Revoke-AzureADUserAllRefreshToken, which invalidates the refresh tokens issued to applications for a user. The cmdlet also invalidates tokens issued to session cookies in a browser for the user. It operates by resetting the refreshTokensValidFromDateTime user property to the current date and time.
Get the group ObjectId:
```powershell
Get-MsolGroup -SearchString "<groupname>" | fl ObjectId
```
Next, export the users of the group to a CSV:
```powershell
Get-MsolGroupMember -GroupObjectId xxxxx-xxxxx-xxxxx-xxxxx | Select-Object EmailAddress | Export-Csv -Path c:\temp\users.csv
```
Import the CSV and revoke the refresh tokens for these users:
```powershell
Import-Csv "c:\temp\users.csv" | % {Get-AzureADUser -SearchString $_.EmailAddress | Revoke-AzureADUserAllRefreshToken}
```
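The same procedure in one function, as an added example that is not from the original post: it stays in the AzureAD module instead of hopping between MSOL and AzureAD, handles large groups, and writes a CSV record of what was revoked, which is the evidence you want when working a compromised account. It assumes Connect-AzureAD has already been run; the function name, group name and log path are my own placeholders.

```powershell
# Added example (not from the original post): revoke refresh tokens for every user in a
# group and keep an audit record of the result per user.
function Revoke-GroupSessions {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$LogPath = "C:\temp\revoked.csv"     # placeholder output path
    )
    $group = Get-AzureADGroup -SearchString $GroupName | Select-Object -First 1
    if (-not $group) { throw "Group '$GroupName' not found" }

    # -All $true avoids the default page size so large groups are processed in full;
    # nested groups are skipped because refresh tokens belong to users
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq "User" }

    $results = foreach ($u in $members) {
        try {
            Revoke-AzureADUserAllRefreshToken -ObjectId $u.ObjectId
            $status = "Revoked"
        } catch {
            # Keep going: one failure must not leave the rest of the group signed in
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            ObjectId          = $u.ObjectId
            Status            = $status
            Timestamp         = (Get-Date).ToString("o")
        }
    }

    $results | Export-Csv -Path $LogPath -NoTypeInformation
    return $results
}

Revoke-GroupSessions -GroupName "<GroupName>"
```

Revocation only stops new tokens from being issued; access tokens already in hand stay valid until they expire, so for a genuinely compromised account also disable sign-in and reset the password.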
Add Fullmailbox Permission in PowerShell using a CSV file
Create a CSV with the following fields and save it in a temp folder:
UserMailbox and User
Copy the script below and save it as a .ps1 file in the same temp folder, e.g. C:\temp:
```powershell
# Each CSV row names the mailbox to grant access to (UserMailbox) and the account receiving it (User)
$csv = Import-Csv -Path "C:\temp\fullaccess.csv"
foreach ($User in $csv)
{
    Add-MailboxPermission -Identity $User.UserMailbox -User $User.User -AccessRights FullAccess -InheritanceType All
}
```
Run the script to apply the permissions.
Force a sync from Azure AD Connect to Office 365
AAD Connect sync runs every 30 minutes. There are several situations where you can't wait 30 minutes for a change to sync across and want to force a sync. To do so, open PowerShell on the server that has AAD Connect installed and type the following to import the AAD Connect PowerShell module:
```powershell
Import-Module ADSync
```
To check the current settings of the sync scheduler:
```powershell
Get-ADSyncScheduler
```
To force a delta sync, use the following PowerShell command:
```powershell
Start-ADSyncSyncCycle -PolicyType Delta
```
If you want to force an initial (full) sync, use this command:
```powershell
Start-ADSyncSyncCycle -PolicyType Initial
```
Export Calendar permissions for specific OU
The script below has been tested on Exchange 2010 to export calendar permissions for mailboxes in a specific OU.
```powershell
# Get the mailboxes
$Mailboxes = Get-Mailbox -OrganizationalUnit "OU=Users,DC=Contoso,DC=local" -Filter {RecipientTypeDetails -eq "UserMailbox"} -ResultSize Unlimited
# An array for the output
$Output = @()
# Loop through the mailboxes
ForEach ($Mailbox in $Mailboxes) {
    # Build the folder identity "<smtp address>:\<calendar folder name>"; the folder name is localized, so look it up
    $Calendar = (($Mailbox.PrimarySmtpAddress.ToString()) + ":\" + (Get-MailboxFolderStatistics -Identity $Mailbox.DistinguishedName -FolderScope Calendar | Select-Object -First 1).Name)
    # Get the permissions on the folder
    $Permissions = Get-MailboxFolderPermission -Identity $Calendar
    # Loop through the permissions, populating the output array
    ForEach ($Permission in $Permissions) {
        $Permission | Add-Member -MemberType NoteProperty -Name "Mailbox" -Value $Mailbox.DisplayName
        $Output += $Permission
    }
}
# Write the output to a CSV file
$Output | Select-Object Mailbox, User, {$_.AccessRights}, IsValid | Export-Csv -Path C:\temp\Calendarpermissions.csv -NoTypeInformation
```
Filtering to a specific OU is very useful if you are managing a multi-tenant Exchange environment. Modify the above script as per your needs and save it as a .ps1 file to run in PowerShell.
Get-MailboxStatistics to export Mailbox size in Exchange Powershell
Use the commands below to export mailbox statistics from Exchange PowerShell. Different commands help you filter and manipulate the exported data.
The exported information is always useful during an Office 365 migration to assess mailbox sizes and item counts, last logon time and required bandwidth.
Export Mailbox size and statistics of all users
```powershell
# Select-Object rather than Format-Table: Export-Csv needs real objects, not formatting output
Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics | Select-Object DisplayName, TotalItemSize, ItemCount | Export-Csv C:\temp\mailboxstatistics.csv
```
Export Mailbox statistics for a specific OU (organizational unit)
```powershell
Get-Mailbox -OrganizationalUnit "OU=Sales,OU=London Staff,DC=contoso,DC=local" -ResultSize Unlimited | Get-MailboxStatistics | Select-Object DisplayName, TotalItemSize, ItemCount | Export-Csv C:\temp\salesstaffmbstats.csv
```
Export Mailbox statistics based on domain address
In this example we use the Where-Object cmdlet to specify the search filter. In the example below I am searching for users with a specific email address suffix, which is useful in a multi-tenant environment.
Here I am exporting mailbox statistics for the specific set of users who have exchangekb as their email address suffix.
```powershell
Get-Mailbox | Where-Object {$_.EmailAddresses -like "*exchangekb*"} | Get-MailboxStatistics | Select-Object DisplayName, TotalItemSize, ItemCount, LastLogonTime, ExchangeGuid | Export-Csv C:\temp\exchangekbstats.csv
```