Richard works as a Cloud Consultant for Fordway Solution where his primary focus is to help customers understand, adopt and develop with Microsoft Azure, Office 365 and System Center.

Richard Green is an IT Pro with over 15 years of experience in all things Microsoft, including System Center and Office 365. He has previously worked as a System Center consultant and as an internal solutions architect across many verticals.

Outside of work, he loves motorbikes and is part of the orange army, marshaling for NGRRC, British Superbikes and MotoGP. He is also an Assistant Cub Scout Leader.

Xbox One Streaming with Windows 10

This week, I decided to give Xbox One Streaming for Windows 10 a try and thought I would just briefly post up my experiences.

First off, I cannot speak highly enough of how well it works. Due to not getting around to installing extra Ethernet ports in my living room, I have only one port which gets used by the Plex Home Theatre PC so the Xbox One right now is wireless on my 802.11n network. I tested the streaming in a number of different scenarios including laptop and Xbox One both wireless connected to the same access point, laptop and Xbox One both wireless but with the laptop in a different part of the house on a different access point and also the Xbox One wireless with the laptop connected to a switch port.

In all scenarios it worked flawlessly, and using the little menu button in the toolbar of the app you can bring up a bandwidth meter which appears in the bottom left corner of the stream. Over wireless I’ve seen it streaming at up to about 6Mbps, although I haven’t been watching this extensively so it could be going even higher. Right now I’m playing Assassin’s Creed IV Black Flag, which was free on Games with Gold this month (July), and even in a fast-paced, high-motion game like Assassin’s Creed I’m not seeing any negative effects on input control compared to playing locally on the console.

Streaming Assassin’s Creed IV Black Flag

Currently, the only way to use the Xbox One controller is via a Micro USB cable. Microsoft do have an adapter in the works but there is no news right now on when it is going to ship. When the adapter does ship, you will be able to connect your controller wirelessly to your Windows 10 PC. Personally, though, I don’t like the physical look of the adapter based on the images released so far: it looks pretty darn big, and I would have much preferred something a bit more sleek and minimalist like the nano receivers we see for mice and keyboards.

The problem with both the current scenario and the future one is that it all hinges on having a USB port available. One of the great potentials of Xbox One streaming in Windows 10 was the ability to use a low-end, cheap and cheerful Windows 10 tablet like an HP Stream (for example) and play your Xbox anywhere in the house. The requirement for a USB port, however, rules out a lot of tablets because they are too thin to incorporate a USB port into their design. I’m really hoping that Microsoft come up with a solution to this – perhaps a Bluetooth to Xbox One controller bridge, as most of these small tablets have Bluetooth, so it’s an ideal protocol to use and places no physical port requirements on the tablet.

I have found one flaw with the experience that I should point out. It’s only a minor thing and, truth be told, I’m not even sure this is a console-related issue (which is why I didn’t mention it above) rather than a game-specific one. If I play the game on the console locally and later come back to it streaming with my USB-connected controller, the controller operates the console, the start screen and the menus with no problems, but the game, Assassin’s Creed IV Black Flag, doesn’t acknowledge that a controller is connected and sticks at the reconnect-a-controller page. This is obviously something to do with switching between a local controller and a streaming-attached controller mid-session.

To work around the problem, hit the Xbox button on the controller to return to the home screen. With the large game tile selected, press the menu button on the controller, the button with the hamburger menu three lines just above the right thumb stick and select the Quit option from the menu. This completely closes the game or app that is active. After doing this, I can re-launch the game and the controller is detected no problems.


Managing Offline Sync in OneDrive for Business

Yesterday, I released a post explaining how we can control and manage some of the sharing capabilities of SharePoint Online. Those changes applied not only to SharePoint Online but also to OneDrive for Business such as whether or not a user can share a file publicly with an anonymous link.

In this post, I am going to focus on the offline sync capability of OneDrive for Business. This feature allows a user to have access to their OneDrive for Business files on their PC or Mac, work on them offline and, when they come back online, have the changes synchronised back up to OneDrive for Business. The OneDrive for Business client allows syncing for offline access not only of a user’s personal site folders but also of team site folders and data. In some cases, people are even using this feature to replace their Folder Redirection shares on a local file server and have users’ work go up to OneDrive for Business by default, making the most of that 1TB per user allowance and reducing on-premise storage management and purchasing costs. In other cases, you could use this to allow employees working remotely to have access to a central team site that contains all of your document templates or marketing collateral.

While this offline sync capability is very useful, it also comes with a price. Imagine a scenario with a disgruntled employee: using their home PC, they log in to OneDrive for Business and configure their client to sync their folders and files at home. Now this user has copies of all of their corporate work product at home, free to take it or sell it to a competitor. Another scenario is that somebody gains access to your SharePoint Online environment, takes a copy of a sensitive folder of documents and then publishes them online, exposing your company.

Luckily, after all this scaremongering, we can control it, although this is a new feature, so it’s not something we could have done before.

Turn Off Offline Sync for a Library

The easiest way to protect sensitive content is to prevent it from being synchronised for offline access, so that OneDrive for Business clients cannot take copies of it with them offline. Granted, neither this method nor the one that follows stops someone downloading a copy of a file by hand, but it does stop them doing it en masse using the OneDrive for Business client as a bulk collection tool.

Within SharePoint Online, access the Library Settings for your particular library type and then head into the Advanced Settings section.

SharePoint Online Disable Offline Sync

As you can see, in the Advanced Settings, we have the option to disable offline sync. As I said before, this is a great option for really sensitive areas that you just flat-out do not want kept offline but it’s not ideal for your honest corporate employee nor is it very scalable as this is a per library setting so unless you want to iterate all your libraries with PowerShell or some automation tool, this will get old and very time consuming fast.

Limiting Offline Sync to Domain Clients

With this new feature for OneDrive for Business, we can now control whether or not a client is able to sync offline content based on whether their computer is a member of a given number of Active Directory domains. With this feature, we can allow our employees to sync files offline but we can limit the scope of it to our domain managed client PCs.

There are two caveats that come with this new capability. First, this is a tenant-wide setting so once you apply this, you will not be able to perform offline sync with OneDrive for Business for any library in your tenant outside of one of the configured domains. The second is in the detail in the previous paragraph – PCs. Because a domain joined Mac client is not really a fully-fledged domain member like a Windows Client OS, changing this setting disables offline sync for Mac devices regardless of whether they are joined to your domain or not. We can hope this is something that might get fixed in the future as this is the first release of this feature but we just don’t know right now.

As an FYI, right now this change does not affect or limit the mobile OneDrive for Business apps in any way; that is where Office 365 MDM comes into play, which I will hopefully get a chance to cover in a future post.

So to get started implementing this, we first need to get the GUIDs for our domains. These are hexadecimal strings that uniquely identify each domain. To get the GUIDs for all of the domains in our forest, we can use the following PowerShell Cmdlets from a PC with the Active Directory PowerShell Module installed from the RSAT Tools.

Import-Module ActiveDirectory
$Domains = (Get-ADForest).Domains; ForEach($D in $Domains) {Get-ADDomain -Identity $D | Select Name, ObjectGuid}

This Cmdlet comes from the Microsoft TechNet page at https://technet.microsoft.com/en-us/library/dn938435.aspx on how to get domain GUIDs but I have added the Name column to the output. I know that it is likely in the real world that we may have resource or selected domains that we don’t want to allow sync to occur in so this way, we can see which domains relate to which GUID and we can filter them out as needed.

With the domain GUIDs in hand, we can now configure SharePoint Online. Using a PC with the SharePoint Online PowerShell Module installed, enter the following Cmdlets:

Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential admin@domain.com
Set-SPOTenantSyncClientRestriction  -Enable -DomainGuids "786548DD-877B-4760-A749-6B1EFBC1190A; 877564FF-877B-4760-A749-6B1EFBC1190A"

As you can see in the example above, you first need to change the Url parameter to match your Tenant Admin URL, and you also need to enter your Global Administrator or SharePoint Online Administrator credentials. On the second line, I’ve entered the domain GUIDs for two domains, separated by a semicolon. If you have just one domain, omit the semicolon.

Once the change is applied, users will no longer be able to sync content for offline access with OneDrive for Business unless they are using a corporate managed, domain joined machine in one of the domains you have specified, and, as noted above, Mac clients are blocked regardless. Any users who configured offline sync with OneDrive for Business on non-domain joined machines prior to the change will stop syncing any new changes, but the existing content will not be deleted from the client, so it is important to implement this change early if you are starting out in Office 365 today.
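The whole procedure above, from collecting the domain GUIDs to applying and verifying the restriction, as one added script. This is example code written for this page, not code from the original post; it assumes the RSAT ActiveDirectory module and the SharePoint Online Management Shell are installed, and the excluded domain name, tenant URL and admin account are placeholders. The property names read back from Get-SPOTenantSyncClientRestriction (TenantRestrictionEnabled and AllowedDomainList) are the ones I expect that cmdlet to return.

```powershell
# Added example: build the allowed-domain list from the forest, drop domains that
# must not be allowed to sync (e.g. a resource domain), apply the tenant-wide
# restriction and read it back. Placeholders are marked below.

Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

# Constructed value: domains in the forest that should NOT be allowed to sync.
$ExcludedDomains = @('resources.corp.example')

# Name, DNS root and GUID for every domain in the forest (same query as the post,
# with DNSRoot added so the exclusion list can match on the DNS name).
$AllDomains = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomain -Identity $_ | Select-Object Name, DNSRoot, ObjectGuid
}

$Allowed = $AllDomains | Where-Object { $ExcludedDomains -notcontains $_.DNSRoot }

# Refuse to apply an empty list: that would block sync for every domain.
if (-not $Allowed) {
    throw 'No domains left to allow; refusing to apply an empty restriction.'
}

# Set-SPOTenantSyncClientRestriction takes one semicolon-separated string of GUIDs.
$GuidList = ($Allowed | ForEach-Object { $_.ObjectGuid.ToString().ToUpper() }) -join '; '
Write-Host "Allowing OneDrive for Business sync from: $GuidList"

# Placeholders: replace with your tenant admin URL and admin account.
Connect-SPOService -Url 'https://tenantname-admin.sharepoint.com' -Credential 'admin@domain.com'
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $GuidList

# Read the setting back so the change can be checked and recorded.
Get-SPOTenantSyncClientRestriction | Format-List TenantRestrictionEnabled, AllowedDomainList
```

Run it once without the Set line first if you want to see which GUIDs would be allowed before committing to a tenant-wide change; because the restriction applies to every library in the tenant, the empty-list guard is the one check worth keeping even in a quick script.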


Managing Sharing and Access in SharePoint Online

For many organisations using SharePoint on-premise, SharePoint Online is a very appealing proposition. For administrators, it’s easy to deploy as you no longer have to worry about farm topology design and sizing your SQL Server disks to meet your capacity and performance objectives nor do you have to open firewall holes left, right and centre to give your users the collaboration tools they require when they are on the move as access to your corporate SharePoint sites and OneDrive for Business is all done in the cloud.

For some organisations, SharePoint Online and its broad sharing capabilities will present a headache at the same time, because managing the risk that comes with this open accessibility of information can add up and, depending on your particular circumstances, you may want to restrict certain aspects of it to ensure that your corporate data stays safe. In this post, I’m going to address some of the things we can do to configure SharePoint Online to manage those risks using both some existing features and some newly added features.

Default Sharing Settings

By default, SharePoint is actually a pretty open book allowing your end-users to share anything with potentially anyone. We can share files with selected users within our organisation, all users within our organisation or external parties. The default configuration allows us to generate a sharing link that we can send out to third-parties and they will be able to view the file without needing to authenticate or prove who they are.

Get the SharePoint Online PowerShell Module

For this post, we are going to be working with the SharePoint Online PowerShell Module and you will need to have the latest version which includes all of the new Cmdlet parameters. To download this, you can get it from http://www.microsoft.com/en-gb/download/details.aspx?id=35588.

Connect to Your SharePoint Online Tenant

In order to use the SharePoint Online PowerShell Cmdlets, you need to be either a SharePoint Administrator or a Global Administrator in your Office 365 tenant. Once you have the relevant permissions, open PowerShell and enter Connect-SPOService to authenticate as follows:

Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential admin@domain.com

You will be prompted to enter your password for the credential provided and once entered you will be connected to your SharePoint Online tenant. We can view the current configuration of the tenant sharing configuration using the Cmdlet Get-SPOTenant.

Restricting External User and Guest Sharing Setting

By default, SharePoint Online allows us to share with both registered external users and guest users with a link. We can control this setting with the SharingCapability parameter with the following examples:

Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
Set-SPOTenant -SharingCapability Disabled

The top setting, ExternalUserAndGuestSharing is the default and allows sharing links to be sent to both authenticated users who sign in to access content with a Microsoft Account and guest users. The risk with this is that the links sent to guest users could be forwarded to other people once sent out or even shared publicly online exposing your content.

The second setting, ExternalUserSharingOnly allows sharing to take place but limits it to users who sign in with a Microsoft Account to access the content. Additionally, these links are one-time use which means once a user has accessed the link they will continue to be able to view that content but forwarding or outwardly sharing the link will not allow anyone else access to it without the original Microsoft Account credentials.

When applied using the above Cmdlets, this is set at the tenant level. Administrators of Site Collections within the tenant can change this setting on a per Site Collection basis; however, they cannot make the setting less secure than the tenant level setting. If, for example, you set the tenant level setting to only allow authenticated users to access shared content, a Site Collection administrator would only be able to select between externally authenticated sharing or no sharing at all, and the guest sharing option would be disabled.

We can couple the above setting for only allowing external users who are authenticated with another PowerShell Cmdlet.

Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $True

This setting, which is disabled by default but can be enabled, ensures that only the person who is sent an authenticated user sharing link can use the link. In its default state, a sharing link can be sent out to a third-party user for them to authenticate with using a Microsoft Account; however, if they do not click the link to perform the initial binding to their Microsoft Account and instead forward it to somebody else, that person can sign in with their own Microsoft Account and gain access to the document. Although this is quite a rare scenario to consider, it is still possible nonetheless.

For example, you send a link to dave@richardjgreen.net but Dave forwards the link to bill@richardjgreen.net and Bill opens the link and binds it to his Microsoft Account allowing Bill access to the document rather than Dave as you had intended.

This setting when enabled records the email address that the sharing link was sent to and will only allow the Microsoft Account named in the original invitation to use it and bind to it. My personal take on this is that if you are changing the default sharing behaviour to only allow authenticated user sharing then this setting is a must have.

Hiding Wide-Scoped Sharing Options

In SharePoint Online, not only can we share content externally but we can share content internally. Sometimes, especially in large organisations, this over-sharing can lead to people seeing things they perhaps shouldn’t. Microsoft have very recently added new Cmdlets to the PowerShell library for SharePoint Online to allow us to control this as shown below:

Set-SPOTenant -ShowAllUsersClaim $False
Set-SPOTenant -ShowEveryoneClaim $False
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $False

These settings when configured as False using these Cmdlets remove certain groups from the people pickers in SharePoint Online when we invoke a sharing request.

The first setting, ShowAllUsersClaim, controls whether users have the ability to share something with everyone within your Azure Active Directory tenant. This object includes both users who are internal to your organisation and users who have previously accepted sharing invitations. When this is disabled, users will not see the All Users object listed in the people picker, so they will not be able to broadly share anything to the entire organisation.

The second setting, ShowEveryoneClaim, controls whether to show or hide the Everyone object. The Everyone object includes both internal users and external users, and the external users it includes are of both the authenticated and unauthenticated varieties, so this object is the most damaging in terms of scope. You could argue this is less of an issue if you have already disabled the ability to share with unauthenticated users using the Cmdlets in the previous section, but if that is the case, why confuse your end-users with two different entities?

The final setting option is ShowEveryoneExceptExternalUsersClaim. This last option controls the Everyone Except External Users object. This object controls whether or not you are able to share something to your entire organisation but not to individuals outside it whether they are authenticated or not.

My personal feeling on this is that All Users and Everyone should be hidden for most people and that you could leave the final option for Everyone Except External Users enabled if you want to give your users the ability to broadly share within the organisation.
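The tenant-level settings from this section and the previous two (SharingCapability, RequireAcceptingAccountMatchInvitedAccount and the three claim switches) as one added audit-and-apply script. This is example code written for this page, not code from the original post; the baseline values are this example's reading of the recommendations above, and the tenant URL and account are placeholders. It reports which settings drift from the baseline and only changes them when -Apply is given.

```powershell
# Added example: compare the tenant's sharing settings with a hardened baseline
# and optionally apply only the settings that differ. Run without -Apply first.
param(
    [string]$AdminUrl = 'https://tenantname-admin.sharepoint.com',  # placeholder
    [string]$Admin    = 'admin@domain.com',                          # placeholder
    [switch]$Apply
)

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url $AdminUrl -Credential $Admin

# Desired state (this example's choice, following the post): authenticated
# external sharing only, invitation bound to the invited account, the broad
# All Users and Everyone pickers hidden, Everyone Except External Users kept.
$Baseline = [ordered]@{
    SharingCapability                          = 'ExternalUserSharingOnly'
    RequireAcceptingAccountMatchInvitedAccount = $true
    ShowAllUsersClaim                          = $false
    ShowEveryoneClaim                          = $false
    ShowEveryoneExceptExternalUsersClaim       = $true
}

$Tenant = Get-SPOTenant
$Drift  = @()
foreach ($Setting in $Baseline.Keys) {
    $Current = $Tenant.$Setting
    # Compare as strings so the SharingCapability enum and the booleans both work.
    if ("$Current" -ne "$($Baseline[$Setting])") {
        $Drift += [pscustomobject]@{
            Setting = $Setting
            Current = $Current
            Desired = $Baseline[$Setting]
        }
    }
}

if (-not $Drift) {
    Write-Host 'Tenant sharing settings match the baseline.'
    return
}

Write-Host 'Settings that differ from the baseline:'
$Drift | Format-Table -AutoSize

if ($Apply) {
    # Splat only the drifted settings so the change is minimal and easy to record.
    $Changes = @{}
    foreach ($D in $Drift) { $Changes[$D.Setting] = $D.Desired }
    Set-SPOTenant @Changes
    Write-Host "Applied: $($Changes.Keys -join ', ')"
}
```

Keeping the baseline in one place and applying only the drift makes it easy to re-run after a tenant change and to see, from the output, exactly which of the sharing controls someone relaxed.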

Limiting OneDrive for Business Sync Capabilities

UPDATE: In a partner post, which I released the day after this was published, I have covered how we can manage and limit the OneDrive for Business client and its offline synchronisation capabilities to managed devices. You can see that post at http://richardjgreen.net/managing-offline-sync-onedrive-for-business/.

Configuring Global Service Monitor for SCOM

As System Center people, we all know that SCOM is very powerful and capable at monitoring but unless you deploy Management Servers or Gateway Servers into a public cloud environment like Azure, all of your monitoring comes with the perspective of inside your environment. If you are hosting web services that are externally accessible, one important aspect to consider is outside-in monitoring, otherwise known as monitoring your externally facing services from outside of your organisation.

Licensing and Registering

Global Service Monitor (GSM) for SCOM has been around for quite some time now, since 2013, and I still see people running SCOM who are entitled to GSM not using it. To be eligible for GSM you most importantly need to be running System Center Operations Manager 2012 SP1 or higher, you need a properly licensed SCOM deployment, and you need Software Assurance for your System Center licenses, as GSM is an SA benefit if you want to use the service permanently. Alternatively, if you don’t have SA on your licenses, you can sign up for a free 90 day trial of GSM to try the service out, as I did.

To activate your SA benefit for GSM or to register for a 90 day trial, you first need to visit the Microsoft Commerce Portal at http://go.microsoft.com/fwlink/?LinkId=275502. You need an Organisational Account to sign in here which means in a sly way, you need to be using Office 365, Azure or Intune as well or at least have a working Azure Active Directory deployment ready for you to consume one of these services in the future.

Preparing the Management Servers

Once you get yourself either signed up or activated according to whether you are going trial or permanent, we need to download the GSM Management Pack. You can obtain this from the Microsoft Download Center at http://www.microsoft.com/en-us/download/details.aspx?id=36422. The download is a .msi file which you need to install to extract the Management Pack Bundle files.

With the files extracted, but before we can install the Management Packs, you need to check that you have the relevant Windows Features installed. GSM requires the Windows Identity Foundation 3.5 feature to be enabled on the Management Servers which will participate in the monitoring, so make sure you install this on all the relevant Management Servers and not just the one you perform the installation on.

To avoid posting a screenshot of clicking through Server Manager and the Add Roles and Features Wizard, the PowerShell Cmdlets for installing this feature are below.

Import-Module ServerManager
Install-WindowsFeature Windows-Identity-Foundation
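Because the feature has to be present on every Management Server in the pool that will talk to GSM and not just the one you run the import from, here is an added script that checks and installs it across the pool in one pass. This is example code written for this page, not code from the original post; it assumes the OperationsManager module is available, that you have administrative rights and PowerShell remoting to each server, and that the resource pool is reachable under the placeholder name below (the Members property on the pool object is assumed).

```powershell
# Added example: ensure Windows Identity Foundation 3.5 is installed on every
# management server that is a member of the GSM resource pool.
Import-Module OperationsManager

$PoolName = 'GSM Resource Pool'   # placeholder: the pool you created for GSM

$Pool = Get-SCOMResourcePool -DisplayName $PoolName
if (-not $Pool) { throw "Resource pool '$PoolName' not found" }

# Assumed: the pool object's Members collection holds the member management servers.
$Servers = $Pool.Members | ForEach-Object { $_.DisplayName }
if (-not $Servers) { throw "Resource pool '$PoolName' has no members" }

$Results = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Import-Module ServerManager
    $Feature = Get-WindowsFeature -Name Windows-Identity-Foundation
    if ($Feature.Installed) {
        # Already present: nothing to do on this server.
        [pscustomobject]@{ Server = $env:COMPUTERNAME; Installed = $true; RestartNeeded = 'No' }
    } else {
        $Install = Install-WindowsFeature -Name Windows-Identity-Foundation
        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            Installed     = $Install.Success
            RestartNeeded = $Install.RestartNeeded
        }
    }
}

# One row per server so a missing or failed install stands out before you import the packs.
$Results | Sort-Object Server | Format-Table Server, Installed, RestartNeeded -AutoSize
```

Check the RestartNeeded column before importing the Management Packs; a server that still needs a reboot will not be ready to participate in GSM monitoring until it has had one.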

Once that is out of the way, you can import the Management Packs into SCOM.

Import GSM Management Packs

Configuring Global Service Monitor Settings

Once you have the Management Packs imported, a new view will be added to the Administration pane of the Operations Manager console for Global Service Monitor and you can start the configuration wizard. You will be asked to sign-in using your Organisational Account as part of the process and from this, your GSM Subscription ID will be discovered.

Configure GSM Resource Pool

GSM uses Resource Pools to determine which Management Servers will communicate with the service. You can use the All Management Servers Resource Pool, however this is not recommended, so I have created a new resource pool for GSM as recommended. Here you also have the option to configure a proxy server for access to the GSM service.

Creating Web Application Availability Monitors

Once you have completed the wizard above and GSM is configured, you can start to configure monitors using the service. I already had an existing Web Application Availability Monitor configured for my blog so I have modified this to use GSM. It is important to note that GSM only works with Web Application Availability Monitors and not with Web Application Transaction Monitors so you will need to make sure that you are using the appropriate type. There is a good article on System Center Central that compares the two types of monitor and what each can do at http://www.systemcentercentral.com/which-is-the-best-synthetic-web-transaction-to-use-in-operations-manager-for-my-requirements-scom-sysctr/ if you need to understand the difference.

Web Application Availability Monitor Locations

As you can see above, I have my existing Web Application Availability Monitor with one internal location configured (my resource pool); however, the External Locations field above it is empty. Select the Add button to add a new external location.

Web Application Availability Monitor Set External Locations

Selecting this option now presents us with a list of the available GSM monitoring locations. Those familiar with the Azure datacentre locations will note that they are the same as the GSM locations. I selected a few choice locations but which ones you use or how many is entirely up to you. If your service that you are trying to outside-in monitor is truly global, you may want to use them all but if you are only interested in the availability of your service within a particular geographic region then just use those relevant to you.

Once you apply the changes it takes a little while for the request to be sent up to Global Service Monitor and for the monitoring data to start coming back down but after a short wait, about fifteen minutes in my case, I started to see the health state for the various monitoring sites in the Monitoring view.

Web Application Availability Monitor Health

In my lab, I am using SquaredUp to provide rich HTML5 visualizations of my SCOM environment so I decided to take this a step further and I am using the Azure SQL Database Management Pack to monitor my Azure SQL databases that host my WordPress database and I built a Distributed Application for it and presented it via SquaredUp as shown below.

Web Application Distributed Application

Web Application Monitor via SquaredUp

And there we have it: a set up and working outside-in monitoring solution for web services using SCOM and taking advantage of SA licensing benefits. One of the best things about this is that each monitored location retrieves the counters you specify whilst configuring your Web Application Availability Monitor, so you get the response time, DNS resolution time and other counters for each region and can see really clearly how latency plays a part in your application’s performance.

I hope you found this useful and it helps you to monitor your own solutions with GSM.



Office 365 Limited Administration Roles

In the past, when managing Office 365 permissions, we had several options for granting ‘super user’ rights to users; however, these stopped somewhat short of allowing us to be selective over which parts of our Office 365 deployment an administrator could control. You could either make somebody a Global Admin, which essentially gave them the keys to the kingdom, or you could assign them one of the reduced administration roles such as Password Admin or User Management Admin.

Fortunately, Microsoft listened to the vast feedback they must have received about this, and in Office 365 we now have three new limited administration roles, Exchange Online Admin, SharePoint Online Admin and Skype for Business Admin, alongside the existing roles including Global Admin. These new roles allow us to assign users permissions more appropriately scoped to their role in the organisation. If an admin is only responsible for SharePoint, for example, we no longer need to give them unnecessary rights to manage Exchange so that they can perform Site Collection administration in SharePoint.

To take advantage of these new roles, you need to ensure that you are using the Office 365 Admin site to manage the permissions and not the Azure Active Directory settings in the Azure Management Portal (you knew that you could manage users there too, right?).

Azure Active Directory Organisational Roles

The image above shows the roles that are available if you are managing a user through the Azure Management Portal and as you can see, the same old options limiting you to using a Global Admin role are present. If you use the Office 365 Admin site however as shown below, you can see the new roles.

Office 365 User Roles

When changing permissions of your users, be careful that you don’t take away permissions from users that they actually need. As always, an element of caution should be applied.

If you want to see what permissions map to each role and how they differ, you can view the full table at https://support.office.com/en-us/article/Assigning-admin-roles-d58b8089-cbfd-41ec-b64c-9cfcbef495ac#__choose_an_admin



Microsoft Announce E5 Plan for Office 365

Currently in Office 365 when selecting Enterprise plans, we have the choice of four ranging from E1 up to E4.

At the Worldwide Partner Conference this week, a new SKU was announced called E5 which will be replacing the current E4 SKU. This new E5 SKU takes everything that was offered in E4 (namely E3 plus Enterprise Voice for Skype for Business) and adds even more features to help you adopt Office 365. Although this is not an available SKU right now, it looks set for the features to include the new Skype for Business services that are currently being trialled along with Power BI for Office 365 and potentially more stuff that we just don’t know about right now. Skype for Business currently has three new services in trial although these are limited to customers in the US at the moment.

The Cloud PBX feature will allow you to use Skype for Business Online without the need for a hybrid deployment with a Skype for Business Mediation Server hosted on-premises connected to SIP Trunks or ISDN circuits for

PSTN Conferencing allows you to host normal Lync meetings with the added capability of allowing parties to join the call from a telephone using Dial-In Conferencing. This can already be achieved using either a hybrid solution where PSTN callers join the call via a mediation server hosted on-premise or using a cloud based service such as those from InterCall or BT but the Skype for Business native offering brings it all under one roof with a single vendor to manage your billing and support.

The Meeting Broadcast feature allows you to broadcast your Skype for Business meetings online in instances where you need to have thousands of attendees joining such as a company-wide update meeting or a webinar. Although I confess to not having looked into this in-depth, there is no doubt this is being powered by Azure Media Services behind the scenes.

There are going to be questions that need to be answered for all of these new services, such as how the billing model works, what countries it will be available in and whether there will be limited features in others. There is also the question (for existing Lync on-premise customers) of how the Cloud PBX solution will work with the likes of PSTN devices such as fax machines, and whether or not Ethernet based Lync clients (Tanjay devices) will work with the new Skype for Business, but the promise of being able to have a fully cloud based PBX solution all under one umbrella of Skype for Business is very appealing.

Skype for Desktop Installation Switches

Some time ago, I was working to perform a silent installation of Skype for Desktop via a task sequence with Configuration Manager. Skype for Desktop is provided as an executable and the installation switches are pretty hidden for the most part which makes using SCCM to install it difficult.

A post on the Skype Blog at http://community.skype.com/t5/Windows-archive/Unattended-install/td-p/184628 details all of the installation switches that we can use to help with installing the client in a managed environment where we don’t want the user to be prompted to interact with the installer or we want to configure certain options such as to disable one of the browser plugins for example.

I hope this helps someone out there trying to deploy Skype for Desktop.

Azure Updates Arrive En Masse

It seems that the folks in the various Azure teams at Microsoft have been really busy since the Build conference earlier this year getting products to various states of ship and it appears that this month is the mountain when it comes to releases and announcements. I got my usual Microsoft Azure new features and pricing announcements email last night and the number of new features here and features entering GA this month is astonishing.

Azure AD Connect

First and foremost, we have Azure AD Connect entering general availability. This is the replacement to all existing versions of DirSync and the Azure AD Sync tools. Whilst the directory synchronisation feature in itself isn’t anything special to talk about, for anyone still using DirSync, this is certainly a lot nicer to interact with and operate. Additionally, we have a number of the optional features available (a number of which are still classed as preview) to make synchronising your users between on-premise and Azure Active Directory that bit more rich. Sadly, there is still no Yammer integration with this version of Azure AD Connect so you still need to run the Yammer Directory Sync tool.

Azure Key Vault

This is a new service for Azure as opposed to an update to an existing service. Key Vault provides FIPS 140-2 certified HSMs in the cloud. An HSM is a Hardware Security Module, a device used to manage and protect encryption keys, and it is commonly found in Certificate Authorities and SQL Servers. I’ve worked with a number of PKI and SQL projects and none of them have ever had technical requirements for HSMs to be in place. I suspect this has been added to Azure as a service at the request of one or more major companies sitting on the fence over public cloud right now because they need HSMs in order to meet some kind of regulatory or certification requirement.

Azure Application Gateway

This is another new service and one which is really quite amazing in both its simplicity and the features that it brings. Azure Application Gateway is essentially an application request routing engine or reverse proxy as an Azure service. It allows you to publish Azure hosted, non-Azure publicly hosted or even on-premise applications to the world. It supports SSL offload to take the key processing workload away from your servers and it can be integrated with Azure Traffic Manager to provide geographic awareness for your applications.

Where I see this being especially useful is for companies currently hosting applications on-premise that are either publicly accessible or published to allow employees or partners access to a service. By publishing applications via Azure Application Gateway instead, companies can have their applications published but without the need to break holes in their own firewalls for those incoming connections.

The pricing on Azure Application Gateway seems very reasonable to me also which is going to make it extremely popular I think.

Azure SQL Data Warehouse

While all the previous service offerings have been general availability, this one is just a limited public preview however Azure SQL Data Warehouse was one of the brand new services announced earlier this year at Build so it’s great to see it moving along. I tend not to get involved so much with large SQL data warehousing work being more of an infrastructure specialist than a data specialist however I can see how if priced suitably, this is going to be a major service of interest for some businesses who want to leverage the cost benefits of the public cloud due to the fact that Data Warehousing can be extremely expensive to properly implement on-premise. This coupled with the fact that Azure SQL Data Warehouse is going to be tightly integrated with Power BI from Office 365 as well as Azure services like Machine Learning is going to make it very easy for customers to do more with their data.

Automatically Label the OS Drive on New VMs

In my quest for private cloud (and public) nirvana, I’m always looking for ways to automate parts of the first run user experience so that as IT Pros, we can build and deliver services to users which fit the bill right out of the gate. In a previous post from earlier this year, in a post entitled Automatically Assign DVD Drive Letter VMM Private Cloud, I walked you through the process of using a PowerShell script that would run as a GUI Run Once script as part of a VMM initiated virtual machine deployment to set the DVD Drive letter.

Since I posted this article, I’ve made a couple of improvements to the environment that I wanted to share with you all and in this first post, I will cover off how to automatically label and name the OS drive on our newly deployed virtual machines. This process involves applying registry keys. As with my first post, you could achieve the same results with Group Policy, however I like all of my modifications to be applied to the local machine so that if the machine is deployed as a non-domain joined server into a DMZ or if there is an issue the first time Group Policy gets processed, these settings still get applied, but I will cover both methods here. This would also work in a multi-tenant or hosting environment where VMs may not be landing in your own domain or environment.

Add the Script to the VM Template

If you followed my previous post, you will be familiar with mounting the .vhd file for the VM Template on another server to modify the local file system. If you are unsure of this, please refer back to my original article Automatically Assign DVD Drive Letter VMM Private Cloud for guidance.

With the .vhd file mounted, we are going to add a new PowerShell script to the FirstRun folder named Set-OSDriveLabel.ps1 and it will contain the following.

# Set-OSDriveLabel.ps1
# v1.0 2nd June 2015 by Richard J Green

# Sets the OS Install Volume Label to the Value in the DriveLabel Variable
$DriveLabel = "OS"
$OSDrive = $env:SystemDrive
$OSDrive = $OSDrive.Substring(0,$OSDrive.Length-1)

New-Item -Path HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons -Name $OSDrive -Force
New-Item -Path HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\$OSDrive -Name DefaultLabel -Force
Set-Item -Path HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\$OSDrive\DefaultLabel -Value $DriveLabel -Force

Short and sweet, this script will detect the Windows installation drive from the PowerShell SystemDrive environment variable and set this drive letter to use the label OS as defined in the DriveLabel variable.

One important note here is that this setting is applied to the Wow6432Node on a 64-bit server. If you were applying this to a client OS that was 32-bit then you would need to remove the Wow6432Node portion of the registry key location. I find this a peculiar one given that this change affects Windows Explorer which is a 64-bit process.

With the PowerShell script saved in the FirstRun folder, we need to update the FirstRun.cmd wrapper script that invokes the containerised PowerShell scripts in the appropriate escalated manner. Simply add the following lines to the script before the clean-up section at the end.

:: Launch PowerShell and Label the OS Drive to OS
echo Set OS Drive Label to OS
PowerShell.exe -NoLogo -Sta -NoProfile -ExecutionPolicy Unrestricted -File %SystemDrive%\FirstRun\Set-OSDriveLabel.ps1
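As an added example (my own, not the script from the original post), here is a variant of Set-OSDriveLabel.ps1 that goes a little further than the one above: it picks the native key on a 32-bit OS and the Wow6432Node key on 64-bit, only writes when the value is missing or different, and reads the value back so a failure surfaces in the FirstRun.cmd output rather than passing silently. It assumes it runs elevated on the freshly deployed VM, as the FirstRun wrapper arranges.

```powershell
# Set-OSDriveLabel.ps1 (added example variant, not the original post's script)
# Assumes: run elevated during FirstRun; $env:SystemDrive looks like "C:".
param(
    [string]$DriveLabel = "OS"
)

# "C:" -> "C"; the DriveIcons subkey is named by the bare letter.
$letter = $env:SystemDrive.TrimEnd(':')

# Choose the registry view: the original script targets Wow6432Node on a
# 64-bit server, but a 32-bit OS has no Wow6432Node, so use the native path.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons'
if ([Environment]::Is64BitOperatingSystem) {
    $base = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons'
}
$driveKey = Join-Path $base $letter
$labelKey = Join-Path $driveKey 'DefaultLabel'

# Idempotent: skip the write if the (Default) value already matches, so the
# FirstRun output only reports a change when one actually happened.
$current = $null
if (Test-Path $labelKey) {
    $current = (Get-Item $labelKey).GetValue('')   # '' addresses the (Default) value
}
if ($current -eq $DriveLabel) {
    Write-Output "Drive $letter already labelled '$DriveLabel'; nothing to do."
    return
}

# Create the key chain the same way the original script does, then set (Default).
New-Item -Path $base -Name $letter -Force | Out-Null
New-Item -Path $driveKey -Name 'DefaultLabel' -Force | Out-Null
Set-Item -Path $labelKey -Value $DriveLabel -Force

# Read back and fail loudly; a thrown error is visible in the wrapper's console.
$readBack = (Get-Item $labelKey).GetValue('')
if ($readBack -ne $DriveLabel) {
    throw "Failed to set DefaultLabel for drive $letter (read back '$readBack')."
}
Write-Output "Drive $letter labelled '$DriveLabel' via $labelKey"
```

Because the script uses the same FirstRun.cmd invocation line shown above, no change to the wrapper is needed beyond the file name.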

I hope this takes away another manual step from your VM build processes and brings you one step closer to nirvana. In another post coming soon, I will have instructions on how to hide some of the folders from the This PC or “My Computer” folder which don’t really belong on a server and another post to clarify the steps on creating Network Locations for the This PC folder.

Yammer Enterprise for Office 365

If you have an Office 365 subscription on any plan Small Business Essentials or above, you will be entitled to Yammer Enterprise. Yammer, if you are unaware, is an enterprise social networking product that Microsoft acquired a while back and is billed to replace the social features in SharePoint Online over time. Enterprise social networking I think is like marmite: some companies promote the idea whilst others shy away from it, which I think has held back adoption and therefore Yammer isn’t as widely used as you would think, especially for a free service that is part of your existing Office 365 license.

Regardless of this, in this post, I will walk you through the very simple steps to activate your Yammer Enterprise network for your Office 365 Tenant and explain some of the next steps you can take to make Yammer more integrated into your business functions and make it more functional for end-users.

Activate Your Yammer Enterprise Network

Activating the Yammer Enterprise Network is actually very simple. First, login to your Office 365 Admin Center as a Global Admin.

Office 365 Dashboard Activate Yammer

From the Dashboard presented when you login, you will have an option for Activate Yammer Enterprise under the Manage Your Organisation heading. Once you have selected this, you will be taken to the domain selection page.

Yammer Enterprise Domain Selection

On this page, you must select which of your verified Office 365 domains you want to activate Yammer for.

Yammer is designed primarily for single domain use, so if you work at an organisation which has multiple domain names such as regional domains for each country or territory that you operate in, then you will need to activate your Yammer Enterprise network for one domain initially. Once you have your network set up with a single domain, you can follow the instructions in the TechNet article Combine Multiple Yammer Networks (https://technet.microsoft.com/en-us/library/dn804812(v=office.15).aspx) to contact Yammer Technical Support to add the secondary domains.

Once you have selected your domain and you select the Activate Yammer Enterprise button, after a few minutes your new Yammer network will be created.

By design, Office 365 Global Admins will automatically be provisioned as Network Admins in Yammer to administer your network however I found this didn’t work as it should and I had to follow a fix I found on the Office 365 Community by adding a new Global Admin after the network creation which did get added to Yammer and then I logged in as that user and re-added my other Global Admins manually.

Syncing Domain Users to Yammer with DSync

Whilst Yammer Enterprise is made available via your Office 365 Tenant and allows your users to use their Office 365 credentials for logging in to Yammer Enterprise (be it as a cloud user, an on-premise AD user via DirSync or AADSync or whether you have ADFS setup and configured), the user on-boarding and off-boarding processes for Yammer are distinct. What this means for your end-users is that whilst they can visit yammer.com and try and login using their Office 365 credentials, they actually need to be registered in your network first.

Microsoft provides a tool called Yammer Directory Sync or DSync which functions in a similar fashion to the DirSync or AADSync tools for Azure Active Directory. The DSync tool doesn’t sync any passwords because those are provided via Office 365 and Azure Active Directory however DSync will sync the Name, Job Title, Office, Telephone and Mobile fields of an AD object to Yammer and will provision an account for the user. Setting up Yammer DSync is outside of the scope of this post but you can find out more from the TechNet article Install Yammer Directory Sync (https://technet.microsoft.com/en-gb/library/dn799032).

Yammer Directory Sync will automatically create Yammer users in your network as new AD users are created and it will also remove users when they are deleted from AD covering off the provision and deprovision processes. As you would expect, the tool updates user attributes as they are changed in AD.

If you don’t set up Yammer Directory Sync then each of your users will need to manually register for Yammer the first time they visit the site and accounts will not be automatically deprovisioned when you remove an AD user account.

Replacing the SharePoint Newsfeed with Yammer

SharePoint Online, as with all versions of SharePoint 2010 and 2013, provides the Newsfeed functionality which is designed to be your timeline of information for your company’s collaboration world. The Newsfeed in SharePoint is part of a user’s My Site area, however Yammer, being an enterprise social network, provides a better newsfeed capability and maintaining two systems for one function is redundant. Luckily, there is an option we can change that will replace the native SharePoint Newsfeed with the Yammer service.

As a Global Admin, login to the Office 365 Admin Center and browse to your SharePoint Admin Center. From the SharePoint Admin Center, among the options, you will find a setting titled Enterprise Social Collaboration. Under this heading, change the setting from Use SharePoint Newsfeed (Default) to Use Yammer.com Service. As per the description for this setting, it can take up to 30 minutes for the setting to propagate to all of the Office 365 servers, so for a short period of time some users may still be directed to their Newsfeed after this is changed.

Embedding Yammer Feeds into SharePoint

SharePoint is where your company stores its documents and data so it makes sense to have related comments and social interaction from staff in the same place. On the Yammer site, you can find out how to use Yammer Embed to incorporate Yammer Feeds and Pages into your SharePoint sites or even any HTML web site your company may have. You can find out more about Yammer Embed at https://developer.yammer.com/v1.0/docs/embed.

It’s worth noting here that there is currently a Yammer Web App for SharePoint, however this is being discontinued later this year, therefore there is no point building a system using the Web App now as you will have to re-create it before too long and it makes better sense to develop using the long-term solution now.

I hope this post sheds a bit more light on what Yammer is, how to get it and how to start using it.