As announced some time ago, the Office 365 Admin mobile application has been updated with a brand new interface and features that provide more administration capabilities than the previous version, which mostly offered service health information (see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=667)
Even if almost everyone was happy to get this new version, there were still some missing points, such as the ability to assign licenses to federated users.
Good news: as of today, this is now possible.
As announced some time ago, Microsoft has now delivered a first release of mobile device management (MDM) for Office 365.
You can now define complete access rules for mobile devices accessing your Office 365 resources.
This feature is currently being rolled out to all Office 365 commercial plans (Business, Enterprise, EDU and government).
If you are interested in cloud mobile device management, the first thing to do is choose between Intune and Office 365 MDM; see https://technet.microsoft.com/library/dn957912.aspx for the comparison.
Then, if you want to use Office 365 MDM, you have to activate the service from the Mobile Devices menu of the Office 365 admin portal; please note it may take some time for the activation to complete.
Then you will have to complete the configuration by:
Please note that the last entry may already exist and point to your ADFS endpoint or your Azure device registration endpoint, as this entry is used for the Join Workspace feature.
Once this has been done, you can additionally configure multi-factor authentication requirements and set up the access rules.
Access rules are managed from the Compliance Center, which has been available for a few days now.
NOTE these access rules override the Exchange mobile device access rules you may have already set up
To set up an access rule, just hit the + sign and follow the wizard
As part of the settings available you can:
Then you can choose whether or not to apply the rule after its creation; this may take a few minutes to apply to devices
NOTE if you want to apply the new access rule right away, you have to select an existing security group, and you have to search for the DL: the interface does not automatically list existing DLs, for performance reasons
From the Office 365 admin portal you can get compliance reports for registered devices
NOTE there is currently a defect: the user list returned contains sample Contoso data
From the Office 365 admin portal you can also have a quick look at these devices and perform a wipe operation: either a FULL wipe, which completely resets the device, or a SELECTIVE wipe, which removes ONLY your corporate data (OneDrive for Business, Mail…)
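The same full versus selective distinction exists on the Exchange Online side for ActiveSync devices, which is where the wipe actually lands for mail. The following is an added example, not code from the original post: it assumes an Exchange Online remote PowerShell session is already imported, and the mailbox, device ID and notification address are placeholders.

```powershell
# Added example (not from the original post). Assumes an Exchange Online remote
# PowerShell session is already imported into the current shell. Mailbox, device
# ID and notification address are constructed placeholders.

function Get-DevicesToReview {
    param([Parameter(Mandatory)][string]$Mailbox)
    # Join each device with its sync statistics so the wipe decision is based on
    # access state and last sync time, not only on the device name.
    Get-MobileDevice -Mailbox $Mailbox | ForEach-Object {
        $stats = Get-MobileDeviceStatistics -Identity $_.Identity
        [pscustomobject]@{
            DeviceId      = $_.DeviceId
            Type          = $_.DeviceType
            AccessState   = $_.DeviceAccessState
            LastSync      = $stats.LastSuccessSync
            WipeRequested = $stats.DeviceWipeRequestTime
        }
    }
}

function Invoke-CorporateDataWipe {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$DeviceId,
        [switch]$Full,                                   # opt in explicitly to a full reset
        [string]$NotifyAdmin = 'admin@contoso.example'   # constructed placeholder
    )
    $device = Get-MobileDevice -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $device) { throw "Device $DeviceId is not registered for $Mailbox" }
    if ($Full) {
        # FULL wipe: factory-resets the device, personal data included.
        Clear-MobileDevice -Identity $device.Identity -NotificationEmailAddresses $NotifyAdmin -Confirm:$true
    } else {
        # SELECTIVE wipe: -AccountOnly removes only the corporate account data
        # and leaves the user's personal content on the device.
        Clear-MobileDevice -Identity $device.Identity -AccountOnly -NotificationEmailAddresses $NotifyAdmin -Confirm:$true
    }
}

# Usage: review first, then wipe; the selective wipe is the default.
Get-DevicesToReview -Mailbox 'user@contoso.example' | Format-Table -AutoSize
Invoke-CorporateDataWipe -Mailbox 'user@contoso.example' -DeviceId 'PLACEHOLDER-DEVICE-ID'
```

The wipe request is queued and only executes when the device next syncs, which is why DeviceWipeRequestTime is worth checking afterwards.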
To enroll a device for Office 365 MDM, you must use either:
UPDATE 30/03/2015 - After disabling BitLocker to solve the issue, you can re-enable it
Today, I installed the latest updates available through Windows Update on my Surface Pro 3 running Windows 10 Technical Preview build 10041: KB 3050653 and the System Firmware Update.
My Surface has BitLocker enabled.
Unfortunately, after the usual system restart and after the Surface firmware had been updated, I ran into the issue that Windows does not start anymore.
After entering the BitLocker PIN, the system immediately went into “Preparing BitLocker Recovery” mode and failed to load Windows with error 8007139f.
I have been able to start Windows correctly if I choose to run the Recovery mode when BitLocker asks for the PIN and then enter the long recovery code. Then I uninstalled the KB potentially involved and restarted, but still had the issue.
So, this means the firmware is the cause, and the only solution once it has been installed is to disable BitLocker if you are running Windows 10 build 10041.
I don’t know if this also happens for users running Windows 8.1 on their Surface Pro 3 with BitLocker, as I only have one Surface
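For future firmware updates, the preventive alternative to fully disabling BitLocker is to suspend protection for a single reboot, which keeps the volume encrypted. This is an added example, not part of the original post; it assumes an elevated PowerShell on Windows 8.1/10 with the BitLocker module and that C: is the protected OS volume.

```powershell
# Added example (not from the original post). Run elevated on Windows 8.1/10.
# A firmware update changes the TPM measurements (PCRs) the volume key is sealed
# to, so the next boot drops into recovery unless protection is suspended first.

function Assert-RecoveryPasswordPresent {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        throw "No recovery password protector on $MountPoint; add one before updating firmware."
    }
    # Make sure this ID's recovery password is stored off the device (AD, Azure AD,
    # printout...). Only the protector ID is returned here, never the password itself.
    return $rp.KeyProtectorId
}

function Suspend-ProtectionForFirmwareUpdate {
    param([string]$MountPoint = 'C:')
    # Suspend, do not disable: data stays encrypted, the key is just left unsealed
    # for the next boot. RebootCount 1 resumes protection automatically afterwards.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    return (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # 'Off' until reboot
}

function Test-ProtectionResumed {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        # Auto-resume did not happen (e.g. more reboots than expected): resume explicitly.
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    return ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -eq 'On')
}

# Before installing the firmware update:
Assert-RecoveryPasswordPresent
Suspend-ProtectionForFirmwareUpdate
# ... install the update and reboot; after logon, confirm protection is back on:
# Test-ProtectionResumed
```

If the firmware has already been applied and the device is in recovery, this does not help; the recovery password is still needed for that boot.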
Since last November and the introduction of the Clutter feature (see http://blogs.office.com/2014/11/11/de-clutter-inbox-office-365/ for more details), Microsoft has updated Clutter to allow better management of the feature by administrators.
Now, administrators can define retention policies, define rules to bypass Clutter, or personalize the message received by end users.
See http://blogs.office.com/2015/03/03/making-clutter-office-365-even-better/ to learn more
Starting March 24th, SharePoint Online has been updated to enable document versioning by default on document libraries.
This impacts all new document libraries created since then, as well as new sites. The versioning setting enabled is Create major versions.
So be aware that this change has some impact on storage consumption as well as on the user experience, as draft versions may not be viewable
More details: https://support.microsoft.com/en-us/kb/3050531
Following my previous post announcing the new Office 365 Compliance Center (http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=666), here is a quick post on how to get started with it.
Access to the Compliance Center is granted to global administrators and is based on the RBAC (Role Based Access Control) permission model, the same one used by Exchange (either online or on premises). That said, Exchange role groups and Compliance Center role groups do not share membership or permissions, so if you have already set up some compliance role groups in Exchange, they will NOT be reused by the Compliance Center
Ok, so let’s discover the Compliance Center.
You can access the Compliance Center from the administration portal through the Compliance Center entry in the left menu (the option is located at the end, below the Admin section)
This opens a new tab connecting you to the Compliance Center
For this first version, the compliance center is now the central place to manage compliance policies for both Exchange Online and SharePoint Online.
You can create and manage eDiscovery cases for SharePoint Online, enable/disable Exchange Online Archive for cloud-hosted mailboxes (this first version does not allow managing on-premises mailboxes in a hybrid scenario), or define retention policies for Exchange Online and SharePoint Online
When you hit the Archiving option, you will be able to enable/disable the online archive feature for Exchange Online mailboxes only. For mailboxes that already have the archive enabled, you get some usage statistics
The eDiscovery section allows you to create and manage eDiscovery cases
The first time you log on and reach this section, AND if you don’t have any eDiscovery site created on SharePoint Online, the system automatically creates a new eDiscovery site for you
Then you will be able to create/manage cases
NOTE if you want to delegate access to this section (see later for permissions management for the Compliance Center), you have to manage the permissions of the eDiscovery site from the site itself; delegation from the Compliance Center does not grant access to the eDiscovery site
This section allows you to manage retention policies for SharePoint Online and Exchange Online. Until now, it was relatively simple for Exchange Online (as soon as you had been granted the permission) to manage retention policies, but not for SharePoint Online
Each link will open a new window
If this is the first time you reach this section and want to manage SharePoint retention policies, the system will automatically create a new Document Deletion Policy Center (which uses the Compliance Policy Center template)
NOTE for some reason the automatic provisioning may fail, so just go to the SharePoint admin portal and manually provision the required site using the Compliance Policy Center template AND with the URL CompliancePolicyCenter (if you use another URL, it will continue to fail); once the site has been provisioned, everything will work fine
Then you will be able to manage the retention policies from this central point
Once again, delegation from the Compliance Center does not grant access to the compliance policy SharePoint site
The last option allows you to delegate access to the Compliance Center.
You have default delegation permissions set, but you can create your own to delegate specific tasks
As a reminder, global administrators have been automatically granted access to the Compliance Center
Once a user has been delegated access to the Compliance Center, he will be able to access the site
The following screenshots show the delegated views for an eDiscovery Manager (as a sample)
First, as the user is only delegated for the Compliance Center, there is no link available from anywhere (i.e. like the Office 365 portal); he has to log on using the URL https://compliance.protection.outlook.com/Ucc
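The delegation described above can also be scripted, which makes the separation between Exchange and Compliance Center role groups explicit. This is an added example, not from the original post: it uses the Compliance Center remote PowerShell endpoint that was in use at the time (current tenants use Connect-IPPSSession from the ExchangeOnlineManagement module), and the user address is a placeholder.

```powershell
# Added example (not from the original post). Connects to the Compliance Center
# remote PowerShell endpoint of the time; newer tenants use Connect-IPPSSession.
# The user address below is a constructed placeholder.

function Connect-ComplianceCenter {
    param([Parameter(Mandatory)][pscredential]$Credential)
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://ps.compliance.protection.outlook.com/powershell-liveid/' `
        -Credential $Credential -Authentication Basic -AllowRedirection
    Import-PSSession $session -DisableNameChecking | Out-Null
    return $session
}

function Show-ComplianceRoleGroups {
    # Compliance Center role groups live here, not in Exchange Online RBAC:
    # a user who is in the Exchange "Compliance Management" role group still
    # has no access to the Compliance Center until added to one of these.
    Get-RoleGroup | Select-Object Name, @{n='Members'; e={ $_.Members -join '; ' }}
}

function Grant-eDiscoveryManager {
    param([Parameter(Mandatory)][string]$User)
    Add-RoleGroupMember -Identity 'eDiscovery Manager' -Member $User
    # Verify the grant landed before telling the user to log on at /Ucc.
    $members = Get-RoleGroupMember -Identity 'eDiscovery Manager'
    $found = $members | Where-Object {
        $_.Name -eq $User -or ("$($_.PrimarySmtpAddress)" -eq $User)
    }
    # Remaining step, done on the SharePoint site itself: grant the same user
    # permission on the eDiscovery site, which this role group does not cover.
    return [bool]$found
}

$cred    = Get-Credential   # global administrator of the tenant
$session = Connect-ComplianceCenter -Credential $cred
Show-ComplianceRoleGroups | Format-Table -AutoSize
Grant-eDiscoveryManager -User 'ediscovery.user@contoso.example'
Remove-PSSession $session
```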
So, it’s quite difficult to say what will come and when for the Compliance Center in the future (also because I’m not allowed to do so), but there is one thing I can say: there will be a mobile device management feature coming which will allow you to define access policies for your Office 365 resources.
Following the announcement of the availability of a new AAD Connect preview build (March 2015 build), here are some details regarding the installation and configuration steps for this build. I may not have covered everything here yet but will write a new post if needed.
As a quick reminder, if you already had the previous build installed, you have to uninstall it and restart your server, as there is NO upgrade path to the new build. There is a migration path from DirSync, with one limitation: attribute filtering you have configured will NOT be migrated. That said, I would not recommend performing such an upgrade, especially as this build is still a beta version.
If you have to uninstall the previous build, please follow these steps:
Quite a few improvements since the previous beta build; you can now:
Let’s look at these new configuration settings.
If you check this box, you will be asked to define the SQL server\instance to use to host the database used by the synchronization tool. This provides the same installation option as DirSync with the /fullsql switch (see https://msdn.microsoft.com/en-us/library/azure/dn441161.aspx)
This option allows you to define the service account used to run the synchronization tool.
This service account no longer needs any specific permission at the AD level (as was the case with DirSync) BUT needs the following permissions on the local server where the tool is being installed
This setting allows you to define your own group names for the synchronization tool. As a reminder, this tool (as well as the “old” DirSync) is based on ForeFront Identity Manager, which uses its own local groups to grant access to some of its configuration. If you leave this option unchecked (and so the name fields blank), the tool will use the default names (FIMAdministrator….)
This last option allows you to import connection settings from a previous installation. This is very helpful when you have a bunch of filtering settings defined (such as attribute-based or OU-based filtering); you will not have to reconfigure them each time you install a new instance
Once you have defined the installation/configuration options, the next steps are the same as for the previous build:
Usually the express configuration just sets up password synchronization and a single AD forest. If you want to set up federation and/or multi-AD-forest synchronization, you have to choose the customized configuration.
As for the previous synchronization tool (DirSync) or the previous build, the Office 365 credentials must be those of a Global administrator, and if directory synchronization has not been enabled, the tool will enable it for you.
This build has been improved at this step, as you can now choose to set up just password synchronization, federation, or not to configure the single sign-on experience at all.
The do not configure option allows you to keep your existing federation in place (meaning you don’t have to deploy a new federation server in your existing ADFS environment, as was the case with the previous build if you wanted to use federated authentication)
You can then choose to synchronize all users and devices or just a subset of them using a group; this can be helpful for a pilot implementation
As almost all the configuration steps are the same as for the previous build, I’m going directly to the last step, which has a lot of new features; you can now enable the following features:
NOTE1 if you plan to implement Device Writeback, ensure you have done the following:
NOTE2 the writeback feature for users and groups requires administrators to define the OU where the Azure users/groups are written back to AD. I recommend you use a dedicated OU for cloud users and groups synched back from Office 365
NOTE3 cloud users provisioned back to AD thanks to the writeback feature are still shown as Cloud after synchronization, and resetting the password on the AD “cloud” account does not reset the password for the account on Office 365, even if you have enabled password sync of course
For each of the optional features enabled, additional configuration steps may be required, as for Azure AD Apps or Azure AD attributes
With the release of CU 8 for Exchange 2013 and RU 9 for Exchange 2010, ActiveSync devices will be automatically reconfigured when the mailbox is moved from on premises to Office 365.
Previously, the device had to be reconfigured (either by deleting the EAS connection or by manually setting the URL to outlook.office365.com).
To learn more about this, go to http://community.office365.com/en-us/b/office_365_buzz/archive/2015/03/23/exchange-activesync-on-boarding-to-office-365.aspx
As you may already know, Azure Active Directory Connect (AAD Connect) will be the only tool to synchronize on-premises Active Directory with Azure Active Directory (replacing DirSync for Office 365), while providing more features.
So, a new preview build has been delivered for testing today. There is no upgrade path from the previous build.
Go to http://connect.microsoft.com/site1164/program8612 to get the new build
After being announced some months ago and an internal/private beta program, support for Multi Factor Authentication for Office clients is now available in public preview.
MFA support for Office clients means that if you are using the MFA feature available through Office 365 to secure access to your Office 365 tenant (or Azure MFA to secure access to both online and on-premises applications; see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=618 and http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=556 to learn more), you will no longer need to set up an app password to connect when using your Office client
To learn more about this public preview, go to http://aka.ms/blogadalpreview
I recommend you read the following pages, as there are some limitations to getting MFA for Office clients working.
Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.
He has been awarded Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. He has been recognized as a Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.
He has been involved in the early testing phases of many Microsoft products - from Windows to Office 365, including Exchange, SharePoint, the Office client and Windows Update.
He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).
With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.