Killing Sessions to a Compromised Office 365 Account

David Branscome
Partner Technical Architect

We live in a world full of nasty threats to our online environments. One of your end users might click on a link that they shouldn’t and get sent to a location where a piece of malware is installed on their machine and captures their user credentials. In many cases, the goal of the attacker is to compromise a user account – ANY user account – and then move forward from there. Maybe their goal is to use that email account to send spam email or access organizational data for exfiltration. Or maybe the bad guy wants to have access to the environment so that he can gather confidential information and misuse it.

If an account in your Office 365 environment is compromised in this way, what can you do?

We have to recognize that there are two basic approaches to the problem:

Watch what the bad guy does so that you can take legal action against them

In this case, the actions we take will be done on the advice of the customer’s legal team and will be designed to establish a legal framework for prosecution. For example, there may be a scenario where an employee has been fired, but he knows the CEO’s password – maybe because the CEO left it on a sticky note on his monitor? Nah. That NEVER happens. The fired employee then decides to access the CEO’s mailbox for some nefarious purpose.

What can we do in this situation? Again, on the advice of the customer’s legal team, you may want to take steps such as the following:

  1. Put the CEO’s mailbox on Litigation Hold so that the data in the mailbox is preserved in its entirety. https://technet.microsoft.com/en-us/library/dn743673(v=exchg.150).aspx
  2. Configure Exchange Transport Rules so that all incoming as well as outgoing email is also forwarded to a second mailbox for preservation. https://technet.microsoft.com/en-us/library/jj919238(v=exchg.150).aspx
  3. If the compromise is severe enough, it may be advisable to set up a new, temporary Office 365 tenant so that communications related to the legal case are handled out-of-band and cannot be seen by the bad actor. This tenant would be where the legal team, IT and the users whose accounts have been compromised can communicate without the risk of their email being read by the bad guy.

Kill the session to block access to all Office 365 resources

The thing to remember about this effort is that we have to do more than simply block access to the mailbox. The user’s identity can be leveraged across multiple Office 365 services, so we have to block access to all those additional services as well. The challenge is that, in order to improve performance, the services often will cache the credentials of the user for a period of time, which means that EVEN IF you change the user’s password, there will be a period of time when the bad actor can remain authenticated and do damage.

That means that we have to break the sessions that allow them to connect to any of the services. There are three ways we can accomplish this:

For the first method, we need to sign in to the Office 365 Admin portal. Then go to Users –> Active Users, and then select the account of the compromised user. Expand OneDrive Settings, go to the Sign-out area, and click on the Initiate link. Notice that this will sign out users from all Office 365 sessions across all devices, but it will still allow the user to sign in. That means the bad actor can immediately sign back in and go about his day. We’ll address password change in a moment.

When you click Initiate, the service begins killing the sessions for the user on all their devices.

At this point, it’s a good idea to also block further sign-ins for the user. Granted, it’s impactful, but so is having a compromised account.

To block sign in, from the properties of the compromised user account, go up to Sign-in status and edit the status.

Change the status of the account to “Sign In Blocked”.

With the sign-in blocked, nobody (good or bad) can re-authenticate using that account until an administrator unblocks the account. When you click Save, notice the recommendation given.

This reminds us that another good idea is to change the user’s password.

The second method is specific to SharePoint and uses the SharePoint Online PowerShell Module, which can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=35588 . Once you have it installed and have connected to your tenant (steps are here: https://technet.microsoft.com/en-us/library/fp161372.aspx), run the Revoke-SPOUserSession cmdlet, as shown below.

The third method actually goes beyond just the Office 365 services and kills all active user sessions in any Azure AD application. To use this method, download the Azure AD PowerShell Module here (https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0).

Once installed, connect to your Azure AD tenant and kill all sessions by using the Revoke-AzureADUserAllRefreshToken cmdlet, as shown below.
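The second and third methods can be run together as one containment step. The script below is an added example, not code from the original post: the function name Revoke-CompromisedUserSession, the UPN and the tenant admin URL are placeholders, and blocking sign-in with Set-AzureADUser is used here as the PowerShell counterpart of the portal step described earlier.

```powershell
# Added example: block sign-in and revoke a compromised user's sessions.
# Needs the SharePoint Online and Azure AD PowerShell modules linked above.
Import-Module AzureAD -ErrorAction Stop
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking -ErrorAction Stop

function Revoke-CompromisedUserSession {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # UPN of the compromised account.
        [Parameter(Mandatory = $true)] [string] $UserPrincipalName,
        # SharePoint Online admin URL of the tenant.
        [Parameter(Mandatory = $true)] [string] $SpoAdminUrl,
        # Also block new sign-ins until an administrator re-enables the account.
        [switch] $BlockSignIn
    )

    # Interactive admin sign-in to both services.
    Connect-AzureAD | Out-Null
    Connect-SPOService -Url $SpoAdminUrl

    $user   = Get-AzureADUser -ObjectId $UserPrincipalName
    $before = $user.RefreshTokensValidFromDateTime

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke all sessions')) {
        if ($BlockSignIn) {
            # Block first, so the account cannot simply sign in again
            # right after its sessions are revoked.
            Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
        }

        # Method 2: sign the user out of SharePoint Online sessions.
        Revoke-SPOUserSession -User $UserPrincipalName -Confirm:$false

        # Method 3: invalidate refresh tokens for every Azure AD application.
        Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    }

    # Re-read the account: the revocation moves RefreshTokensValidFromDateTime
    # forward, which gives a simple check that it was recorded.
    $after = Get-AzureADUser -ObjectId $user.ObjectId
    [pscustomobject]@{
        UserPrincipalName  = $after.UserPrincipalName
        AccountEnabled     = $after.AccountEnabled
        TokensValidFrom    = $after.RefreshTokensValidFromDateTime
        RevocationRecorded = ($after.RefreshTokensValidFromDateTime -gt $before)
    }
}

# Usage (constructed values):
# Revoke-CompromisedUserSession -UserPrincipalName 'compromisedUser@contoso.com' `
#     -SpoAdminUrl 'https://contoso-admin.sharepoint.com' -BlockSignIn
```

Access tokens that were already issued stay valid until they expire, so a service can remain reachable for a short time after the revocation is recorded.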

Changing the Password

All of this is great, but as we mentioned earlier, if we don’t change the user password, then all we’ve done is make the bad guy sign in again. This is where it can get kind of tricky, especially in a scenario where we have directory synchronization taking place between an on-premises environment and Azure AD.

Remember, it doesn’t do any good to just configure the user properties to have the user change their password at the next logon. The bad guy can try to log in, get the prompt to change the password, and change it to whatever he or she wants to use!

If the password is being synchronized to Azure AD, you’ll need to use the Get-MSOLUser cmdlet to identify the LastDirSyncTime and LastPasswordChangeTimestamp values to ensure that the password change has also been synchronized to Azure AD. Make sure that, if the user changed their password in the on-premises directory, the password synchronization has taken place.
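One way to run that check, as an added example that is not part of the original post: the function name Wait-PasswordChangeSynced and its parameters are hypothetical, and it assumes an MSOnline session is already open (Connect-MsolService) and that the two timestamps are reported in UTC.

```powershell
# Added example: wait until an on-premises password reset is visible in Azure AD.
# Run Connect-MsolService first.
function Wait-PasswordChangeSynced {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string]   $UserPrincipalName,
        # Local time at which the password was reset in the on-premises directory.
        [Parameter(Mandatory = $true)] [datetime] $ResetTime,
        [int] $TimeoutMinutes = 30,
        [int] $PollSeconds    = 60
    )

    # Assumption: MSOnline reports both timestamps in UTC, so compare in UTC.
    $resetUtc = $ResetTime.ToUniversalTime()
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)

    while ($true) {
        $u = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

        $status = [pscustomobject]@{
            UserPrincipalName           = $u.UserPrincipalName
            # Empty for cloud-only accounts that are not synchronized.
            LastDirSyncTime             = $u.LastDirSyncTime
            LastPasswordChangeTimestamp = $u.LastPasswordChangeTimestamp
            # True only when Azure AD has a password change at or after the reset.
            PasswordChangeSynced        = ($null -ne $u.LastPasswordChangeTimestamp) -and
                                          ($u.LastPasswordChangeTimestamp -ge $resetUtc)
        }

        # Stop on success, or return the last observed state at the deadline
        # so the caller can see that the old password is still in effect.
        if ($status.PasswordChangeSynced -or ((Get-Date) -ge $deadline)) {
            return $status
        }

        Write-Verbose ("Not synchronized yet; Azure AD last password change: {0}" -f
                       $u.LastPasswordChangeTimestamp)
        Start-Sleep -Seconds $PollSeconds
    }
}

# Usage (constructed values):
# Wait-PasswordChangeSynced -UserPrincipalName 'compromisedUser@contoso.com' `
#     -ResetTime '2017-10-02 14:05' -Verbose
```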


What Else Can I Do?

If none of these seem to have blocked access to the mailbox of the compromised user by the bad actor, one more thing you can do is perform a mailbox move. This would effectively break any current sessions the bad actor had open. If the password was changed and synchronized correctly, then the bad actor should not be able to log in again with the old credentials.

To move a mailbox in Office 365, use PowerShell to connect to Exchange Online using these steps: https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx

Once you are connected, just run New-MoveRequest compromisedUser@contoso.com -PrimaryOnly.

Depending on the size of the mailbox, this could be fairly quick, but for very large mailboxes, it could take a couple hours to move.

One more thing! Don’t forget about mailbox delegates. If a bad actor granted Full Mailbox delegate access to another user, and the delegate user account was also compromised, then the bad actor would retain access to the original mailbox anyway! Therefore, make sure you check the mailboxes and accounts of any delegates of the compromised user so that you are removing all unwanted access to the original mailbox.
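The delegate check can be scripted once you are connected to Exchange Online. This is an added example, not code from the original post: Get-MailboxDelegateAccess is a hypothetical function name, and it goes slightly beyond the Full Access case described above by also listing Send As and Send on Behalf grants.

```powershell
# Added example: list who else can open or send from the compromised mailbox.
# Requires an Exchange Online PowerShell session (connection steps are linked above).
function Get-MailboxDelegateAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox
    )

    # Full Access: explicit allow entries only. Inherited entries and the
    # owner's own NT AUTHORITY\SELF entry are not delegates.
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object {
            ($_.AccessRights -match 'FullAccess') -and
            (-not $_.IsInherited) -and
            (-not $_.Deny) -and
            ($_.User -notlike 'NT AUTHORITY\*')
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Mailbox; Delegate = "$($_.User)"; Right = 'FullAccess' }
        }

    # Send As: the delegate can send mail that appears to come from the owner.
    Get-RecipientPermission -Identity $Mailbox |
        Where-Object {
            ($_.AccessRights -match 'SendAs') -and
            ($_.Trustee -notlike 'NT AUTHORITY\*')
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Mailbox; Delegate = "$($_.Trustee)"; Right = 'SendAs' }
        }

    # Send on Behalf: stored on the mailbox object itself.
    (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo |
        Where-Object { $_ } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Mailbox; Delegate = "$_"; Right = 'SendOnBehalf' }
        }
}

# Usage (constructed value): review every delegate returned, and check that
# each delegate account has not been compromised as well.
# Get-MailboxDelegateAccess -Mailbox 'compromisedUser@contoso.com' | Format-Table -AutoSize
```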

Conclusion

There aren’t many things as unnerving and disheartening to an IT admin as finding compromised accounts in your environment. When you find them, don’t panic!

Following a logical set of steps can help you clean up your environment and get things back to their natural order, where you sit back and collect accolades for a job well done, all day long!

“NOW it makes sense!” – Microsoft’s Collaboration Story in a Single Slide

By David Branscome

Partner Technical Architect

Who knew PowerPoint would make my day today?

One simple, elegant, PowerPoint slide.

And just like that, the picture of Microsoft’s collaboration strategy became clear and explainable.

This is the slide I’m talking about.

The slide was part of the presentation given by Microsoft’s Office 365 Marketing Chief, Ron Markezich, at Ignite this week, and it answered visually what has often been a very challenging question to answer from partners and customers – namely, “What Microsoft collaboration tool should I use for scenario X?”

The reason for the question is obvious. There’s an abundance of tools available for communicating with people inside and outside your organization – Yammer, Teams, Skype for Business, Outlook, Office365 Groups, SharePoint – never mind all the other options like public folders, email distribution lists, OneDrive, and so on. The problem has never been “Is there a tool that will allow me to share this content with somebody?”. Rather, the problem has been “How do I explain to my end users or my customers which tool is best suited for a particular task?”

There is a very well written, detailed whitepaper named “‘When To Use What’ in Office 365” that you can download here (http://www.2tolead.com/whitepaper-when-to-use-what-in-office-365/). It does a great job of laying out the many options and the specific scenarios where a given tool would be the optimal solution. But here’s the problem: it’s more than 60 pages long.

Anybody in IT knows that you will never be able to get an end user to read a 60-page whitepaper – no matter how well written – and synthesize the information from it. It just won’t happen. To be honest, most of us would be lucky to get the end users to read the email pointing them to the whitepaper.

But Ron Markezich’s slide is digestible. It’s something you could show to an end user and they would “get it”. They would understand when to use a given tool and know how to use it.

Breaking Down the Slide

The principles are simple:

Microsoft Teams is best suited for scenarios where you are working with a group of people on a given project. These are the people in your “Inner Loop” (or “Circle of Trust” as I prefer to call them). Because Microsoft Teams is built on Office 365 Groups, this group of people will have access to the SharePoint site created by default for each Team. That’s where I can share documents and files with the Team. If you’re a member of that Team – you have access. Since an Office 365 Group is also mail-enabled, I can send email to the Team channel so that everyone has access to the information in the email. Teams also incorporates all the features you love from Skype for Business – Instant Messaging, Presence, Conferencing, calling capabilities, etc… Teams keeps the conversations in a persistent, threaded format, so we can always go back and review questions that came up or decisions that were made. And with the recently announced Guest Access capabilities for Teams, you can extend the reach of your Team outside your organization. In effect, Microsoft Teams is a portal into Office 365.

Yammer expands the scope of who has access to a given set of content and the conversations. The people in your Yammer group are the “Outer Loop”. Sure, you still like and trust the people in your Outer Loop, but it’s a different type of interaction. Information and conversations flow much more organically and are likely not going to be project-specific. At Microsoft, our Yammer groups are more likely to be centered around certain technologies (such as Skype for Business Voice) or areas of expertise (“Security” or “Education”) than to be focused on a project (“Contoso Azure Deployment”). This allows for people to jump into Yammer groups at any time and still benefit from the historical knowledge of the Yammer group. And just like with Teams, new Yammer groups are built on Office 365 Groups, so the Yammer group has access to OneNote, a Planner for managing tasks, a SharePoint team site and document library.

And then there’s Outlook. Good old, reliable, “I know how to use this”, Outlook. We all know that Outlook is often the easiest tool for sharing a file….one time. But things start to get sticky when you have to ask multiple people to edit the document or comment on it. Then we run into versioning issues, and you have to find the right copy of the file in your email thread…it’s just not the best tool for really collaborative work on a large team. Rather, Outlook is good for targeted communications – confirming an appointment with a customer, verifying information in a proposal, asking your boss for days off (which is personally my favorite email to write). Now the neat thing is that Outlook also allows you to connect to the mailboxes for Office 365 Groups. This allows you to view and reply to email messages that land in the mailbox of the Office365 Groups you are a member of directly from your Outlook client.

Back to Reality

Now let’s be honest for a moment, shall we?

Even with a single PowerPoint slide, some of your end users are going to get confused about when to use which tool. There will be questions that still come up:

  • How many users can be in a Team vs a Yammer group?
  • Can I restrict channels within a Team to only certain members of the Team?
  • What’s the right way to remove someone from a Team or a Yammer group?
  • How do I manage compliance concerns with Yammer or Teams?
  • How do I manage communications over SO MANY individual Teams and Yammer feeds?

…and the list goes on.

Those are all valid questions and they’ll require some end user training and guidance. But the basic framework of how to select the right tool for the job is still the same. My suggestion would be to take that one slide and use it when training your end users. It gives them something that is simple enough to understand in just a few moments and points them in the right direction. They will always have questions – and that’s why a great adoption planning and training program is so important for any rollout of new technology. But with the right planning and the right tools at your disposal, you’ll be successful.

Who would have thought one PowerPoint slide could help you do all that?

Leveraging the Office 365 Service Assurance Portal in Customer Scenarios

August 23, 2017
By David Branscome

In the partner organization at Microsoft, we get lots of requests from partners that are in the process of responding to an RFP for Office 365 or Azure deployments. Maybe the partner has described the Microsoft datacenters to their customers as being ISO 27001 or FedRAMP compliant. But now the customer has stated that they need to know how certain controls are implemented in Microsoft’s datacenters. In many cases, the customer is audited regularly, and they have to be able to provide evidence that their data is stored in a specific manner or that access is controlled in a specific way.

The problem is, getting access into the Microsoft datacenters is REALLY difficult. Most Microsoft employees haven’t even been in one of the cloud datacenters – including myself. (There’s a decent virtual tour here, but I’d sure like to see all the blinky lights someday.)

In any case, partners don’t have to get a datacenter tour to respond to these types of information requests from customers. The information is literally at their fingertips in the Office 365 portal – just go to the Security & Compliance section and on the left side, find the Service Assurance section.

Wait…I Don’t See it!

But wait a second.

This data isn’t available to everyone. So, a compliance officer with no special permissions in Office 365 would see something like this:

They don’t even see the Admin or Security & Compliance application icons – let alone the Service Assurance menu. Now what?

As you’d expect, not everyone with an account in Office 365 needs to see that organization’s security configuration. If there are some users who need to be able to access the Service Assurance Center, here’s how to grant those permissions:

Log in to the Office 365 portal with Global Admin credentials.

Go to the Security and Compliance app and select Permissions.

In Permissions, check the box for Service Assurance User.

Select Edit role group and in the Members area, click on Edit.

Select Choose members to add the people who should have these permissions.

Click Add and then find the user.

Finish the wizard and you’ll see the user as a member of the Service Assurance User permissions group.

When the user logs in again, they will be able to go to https://protection.office.com and see the Service Assurance center:

Okay…Now What?

Now that you have the necessary permissions, you can start digging into the content in the Service Assurance center. You could start off by looking at all the controls and audited elements, but maybe you want to be more specific in your approach.

Let’s say you want to see how Office 365 meets ISO 27001 standards.

The first thing I’d recommend is to go to the Settings area and define the region whose controls are relevant – in this case, Europe. You’ll also need to select at least one of the industries whose regulations would be relevant to your search, then click Save.

As the green box indicates, you can now go into the Compliance Reports, Trust Documents and Audited Controls and review the content for the relevant region and industry. So, let’s take a look at what’s there.
If you look in the Compliance Reports area, you’ll see the listing of the certificates that Microsoft cloud datacenters have achieved, and you can click on and download the certificate itself.

For example, if I expand the ISO reports section and scroll down, I see a report named “Office 365 Germany ISO 27001 ISO 27017 and ISO 27018 Audit Assessment Report”. If I click on it, I can open the PDF file itself, which provides me with the final report stating that Office 365 meets the expectations for compliance.

But this only tells me if Microsoft complied with the controls or not. It doesn’t tell me what was actually tested as part of the process.

For that, I can go to the Audited Controls section, where I see the ISO 27018-2014 audit report and I can download it for review.

In this case, the report is an Excel spreadsheet which details things like the title of the control, the implementation and testing details, when it was tested and who performed the testing. This kind of information is generally enough for a customer’s audit team to be reassured of Microsoft’s compliance with the standard.
Don’t forget – if you want to change the scope of the controls (the region/country where the controls are relevant, which industry regulations apply, etc.) you can change the parameters in the Settings tab.

The Trusted Cloud

Microsoft is constantly working to achieve, maintain and even exceed compliance standards in order to secure customer data and make our cloud the most trusted one on the planet. The Service Assurance section of Office 365 is one piece of evidence of that effort. Make sure to take advantage of it!

Additionally, check out the resources in the Microsoft Trust Center for information about GDPR, security, protection of users’ personally identifiable information and Microsoft’s commitment to providing customers with the controls necessary to secure their environment and user identities.

https://www.microsoft.com/en-us/trustcenter

Microsoft Teams: Beyond the Basics

In a previous blog post, I talked through the basics of setting up a Microsoft Team and showed you how Teams are related to Office365 Groups, SharePoint Online and Skype for Business Online.
Now I’d like to walk through some of the nitty-gritty details related to your Microsoft Teams deployment. A much more comprehensive set of information can be found in the “Practical Guidance for Microsoft Teams.docx” found at http://www.successwithteams.com, but this article will give you an overview of what you should have in mind as you start talking with your customers.

A Peek Under the Covers

Now, we’ve discussed some of the basics of Microsoft Teams, but it’s important to have a “big picture view” of the other components that will factor into your planning process.
First of all, as we noted previously, a Microsoft Team creates an Office365 Group. If you are the owner of an existing Office365 Group, you also have the ability to convert it over to a Microsoft Team. When the Group becomes a Team, the existing SharePoint and OneNote are automatically ported over to Teams. Keep in mind, though, that Groups must be private and they cannot have more than 600 members.

[Update: As of 8/17/2017 you can have up to 999 members in a Group. Thanks for the note, Kyle!]

[Update: As of 10/18/2017 you can have up to 2,500 members in a team. See release notes here: https://support.office.com/en-us/article/Release-notes-for-Microsoft-Teams-d7092a6d-c896-424c-b362-a472d5f105de#PickTab=Mobile_devices]

You can see where your Office365 Group is created in the Office365 Admin Portal, as seen below:

Office365 Groups uses identities that are stored in Azure Active Directory. This means that all authentication and authorization capabilities are managed by Azure AD. This makes it possible for you to use things like Multi-Factor Authentication (MFA) in Microsoft Teams, as well. That means that an organization can use any identity model supported by Office365, including the following:

  • Cloud Identity: In this model, a user is created and managed in Office 365 and stored in Azure Active Directory, and the password is verified by Azure Active Directory.
  • Synchronized Identity: In this model, the user identity is managed in an on-premises server, and the accounts and password hashes are synchronized to the cloud. The user enters the same password on-premises as they do in the cloud, and at sign-in the password is verified by Azure Active Directory. This model uses the Microsoft Azure Active Directory Connect Tool.
  • Federated Identity: This model requires a synchronized identity, with the user password verified by the on-premises identity provider. With this model, the password hash does not need to be synchronized to Azure AD, and Active Directory Federation Services (ADFS) or a third-party identity provider is used to authenticate users against the on-premises Active Directory.

Now let’s dig into the components of the Microsoft Team itself: each Team that you create contains multiple elements, including a SharePoint Online (SPO) site. Each channel that you create in Teams gets its own folder on this SPO site, and the permissions and file security options that are set in SPO are automatically reflected in Teams. This is the data that is shared across the members of the Team. To be clear, for this functionality to be available, you must be using SharePoint Online.

However, you can also have 1:1 conversations using private chat in Microsoft Teams. What if you share a file with someone in one of those chat sessions? Where is that data stored? The files associated with those private chat sessions are hosted in your OneDrive for Business, and the permissions are automatically granted to all participants in that specific private chat. The OneDrive for Business license is tied to the SharePoint Online license, so again, we have to have SharePoint Online enabled for this to work. In the screenshot below, you can see where OneDrive for Business files are made available in Teams.

When we create an Office365 Group, we also get an associated OneNote notebook for the Team, and sections are created in the notebook for each channel in that Team. Any security settings applied within OneNote automatically apply to Notes within Teams. So, as you see below, there is a notebook for the Graphic Design Institute, and then a section would be created in OneNote for the channels – Art and Media Festival, Content Staging, Future Ideas, and so on.

What may not be quite so obvious is that each Team also has an associated Exchange Online (EXO) mailbox. This mailbox is used to store information including the group mailbox and a common calendar for the Team. When a meeting is created in Teams, the invite is pushed to your Exchange Online mailbox, and the meetings created in EXO are synced to the Meetings tab in Microsoft Teams. The meetings that show up here in the “Meetings” area are the same ones that show up in your Outlook mailbox.

What’s interesting is that Microsoft Teams does not strictly REQUIRE users to have an Exchange Online mailbox. Unlike the SharePoint and OneDrive for Business components, which MUST be hosted online, you are able to deploy Teams with mailboxes hosted on-premises. There will, however, be a few caveats for users with on-premises mailboxes. This table, taken from the Planning Workshop for Microsoft Teams.pptx document highlights the restrictions.

When it comes to Microsoft Teams and Skype for Business, there is an important fact to consider during your planning and deployment. At this time, interoperability between Microsoft Teams and Skype for Business is available only for peer-to-peer (P2P) instant messaging. In other words, you cannot have a conference where some users are on Skype for Business and other users are leveraging Microsoft Teams in the same conference. Additionally, in order for a Microsoft Teams user to send an IM to a SfB user, the Microsoft Teams user must be homed in Skype for Business Online.

The Dreaded Licensing Discussion

Yes, I know. I hate talking about licensing, too. But as we’ve seen above, there are a lot of online components that provide the core functionality to Microsoft Teams, so there may be some confusion around which SKU’s are required to get the needed functionality.

As of this writing (May 2017) the Microsoft Teams Licensing Requirements are actually quite straightforward. They are as follows:

With these licenses, the core functionalities (chat-based workspace, and meetings with audio, video, and content group calling) of Microsoft Teams are available to all supported subscription plans. All the supported subscription plans are eligible for access to Microsoft Teams’ Web client, desktop clients, and mobile apps.
However, if the organization where you are deploying Microsoft Teams has specific information protection (security and compliance) requirements, these may dictate the use of a specific subscription plan in order to get the functionality needed – not just for Microsoft Teams – but for the overall Office 365 solution for the organization. For example, if a customer requires the ability to perform eDiscovery against SharePoint data or Exchange mailboxes, they may require an Enterprise SKU, rather than a Business SKU.

More bandwidth, more bandwidth….

With all these capabilities being hosted in Office365, you may be wondering about bandwidth requirements.
The group that has developed Microsoft Teams leverages a planning methodology that closely mirrors the Skype Operations Framework (SOF) planning process, which encompasses the Plan, Deliver and Operate phases. So, if you’re familiar with SOF, you’ll understand the process for a successful Teams rollout.
Part of that successful planning involves determining bandwidth requirements. Since we know that there is a Skype component to Teams, a logical question comes up: “How do I plan for Teams from a network capacity standpoint? Can I just use the Skype for Business Bandwidth Calculator and be good to go?”
Well, probably. But if your deployment of Teams is not very large or complicated, you can use the Microsoft Teams bandwidth calculator located here for network planning: http://aka.ms/bwcalc/

However, keep in mind that, in order to get an optimal experience with real time media within Microsoft Teams, you have to meet the typical networking requirements for running Skype for Business in Office 365, which may require more than just meeting bandwidth requirements. In other words, your planning is going to include things like ensuring the quality of your WiFi connections, allowing access to the necessary Office365 URLs and IP address ranges, bypassing proxies, and enabling split-tunnel VPN. So there may be circumstances where

It also means you need to meet the following requirements on the two critical network segments: Client to Microsoft Edge and Customer Edge to Microsoft Edge:

To test these values, we recommend that you leverage the Network Assessment Tool located here: https://www.microsoft.com/en-us/download/details.aspx?id=53885. This tool can be deployed on both the client PC directly, as well as a PC/laptop connected at the Customer Network Edge. Documentation for how to use the tool can be found here: Network Readiness Assessment. By running this Network Readiness Assessment tool, you can validate your network’s readiness to run real-time media applications, such as Microsoft Teams. If the tool indicates that there may be network issues that would impact the quality of the audio/video experience for your end users, you should recommend that the customer have an Advanced Network Readiness assessment performed by a partner with qualifications in that area.

Conclusion

Now we’ve taken a little bit of a deeper look into Microsoft Teams. It’s a great tool for group collaboration, and it’s really very easy to set up and deploy in an organization. Make sure to read all the planning documentation on the http://www.successwithteams.com website – and Happy Teaming!

Why I Love Microsoft Teams

One of the great (and most challenging) things about working at Microsoft is the fact that we get to work on the latest, bleeding-edge stuff the company makes. In fact, we are encouraged to put each piece of software through its paces, using it in our daily life in what everyone at Microsoft refers to as “eating our own dogfood”. It’s fun to see the newest stuff first, but it can also be challenging to work with software that you have to “figure out” – products that seem to duplicate the capabilities of other products or overlap with other feature sets.

It was through that set of glasses that I started working with Microsoft Teams in my Office 365 test tenant. (For a brief overview of Microsoft Teams, check out the blog posts by Michael Panciroli or Mike Bosse.)

To begin with, Teams is activated at the tenant level of Office 365. The tenant admin just goes to the Office 365 Admin center, selects Settings –> Services & add-ins, and then clicks on Microsoft Teams in the main window.

Figure 1: Adding Microsoft Teams in Office365

From there, toggle the slider to On, and your users are ready to go.

Figure 2: Turning on Microsoft Teams

At this point, you can go to the web application at http://teams.microsoft.com and you’ll be prompted to create a new Team. Let’s walk through that process together:
First, I’ll give a name (Gizmo Gadgets Team) and a description to my Team and click “Create a team”.

Figure 3: Name your Team

Next, I can add people to my team. Note that I can add people individually, or I can add them as part of security groups or distribution lists.

Figure 4: Add Team members

Here’s where it started to get really cool for me….
Remember how I said there are sometimes areas where one piece of software overlaps another and you have to dig around and figure that out? Well, I just created a Microsoft Team named “Gizmo Gadgets Team”. Let’s now take a look at the Groups page in the Office 365 admin portal. What do we see?

Figure 5: Groups page

Okay, that’s nice. By creating a Microsoft Team, I’ve also created an Office 365 Group…
But now I’m left wondering “is this just a security group, a distribution group, or what?” I decided to check the admin mailbox and see if there is an actual Office 365 Group available. And there it is!

Figure 6: Gizmo Gadgets Office365 Group

Just like that, an Office365 Group named Gizmo Gadget Teams is created and available for me to use.
(It’s worth noting here that if I already had an Office365 Group of the same name, it would have offered to create a Team based on that existing group. That helps avoid duplication of names and creating confusion about where the team’s data is being stored.)

What does this mean for me?
Well, I know Office365 Groups have several capabilities associated with them – chat conversations, a shared calendar, file storage location, One Note and some other capabilities, as you can see from the Gizmo Gadgets Office365 Group page below.

Figure 7: Gizmo Gadgets Groups page

Okay, interesting enough…. but all the pieces still feel somewhat disconnected.
How is this Office365 Group linked back to my Microsoft Team of the same name?

In the same browser session, I go to http://teams.microsoft.com. I’m automatically logged in with my current browser credentials, and there I see my Gizmo Gadgets Team location as well. (I can also download the Microsoft Teams app from this location if I don’t want to use the web application.)

Figure 8: Gizmo Gadgets Microsoft Team

I’ll upload a couple documents to the Team site:

Figure 9: Upload Documents to Teams

Now, if I flip back over to the Office365 Gizmo Gadgets Group location, what do I see? Yep, the same documents are visible in my Office365 group location.
The Team and the Group are using the same back-end SharePoint location for document storage.

Figure 10: Documents Uploaded to Groups Location

Okay, so now I’m able to access the same set of documents from (1.) an Office365 Group named “Gizmo Gadgets Team”, (2.) the Microsoft Team named “Gizmo Gadgets Team” or (3.) directly from the common SharePoint location.

So now we have a common location for document storage. What else can we do?

Well, in Office365 Groups, you can create a Planner that can be used for managing resources, assigning tasks, tracking progress and so forth on a project.

Let’s connect the Gizmo Gadgets Planner in Office365 to the Gizmo Gadgets Team location.

In the Gizmo Gadgets Teams location, click on the “+” sign.

Figure 11: Adding Planner to Team

Now, select the Planner icon to add it as a tab in Teams. Notice I could also connect to my Office365 Group’s shared OneNote or an external website from here. I could also create an entire tab with just an Excel spreadsheet or a Word document, or maybe a really nice PowerBI dashboard.

Figure 12: Connecting the Planner to Teams

And just like that – I’ve added a tab for the Gizmo Gadgets Planner in Microsoft Teams – the same one that I can see in the Office365 Group!

Figure 13: Planner in Office365 Groups

Figure 14: Planner in Microsoft Teams

Now let’s look at the shared calendar in the Office365 Group. I created a Team Meeting in the Calendar tab.

Figure 15: Shared Calendar item in Office365 Groups

As you’d expect, it shows up in the Conversations tab of the Office365 Group so that all members of the Group are aware of the meeting. But it’s also showing up in Teams in the Meetings tab.

Figure 16: Office 365 Groups view

Figure 17: Microsoft Teams Meetings tab view

Let’s have some more fun. Let’s have some conversations.
In Teams, right click on the Chat icon and select “New Chat”. Choose the person you want to chat with, and you’re all set.

Figure 18: New Chat

But wait…. what’s this?

Figure 19: Video and phone call icons

I can do a video call or regular phone call from inside Microsoft Teams? This feels a lot like……Skype for Business!! This is getting fun!
To be fair, you can’t do a video or PSTN call from inside the web app yet. You’ll have to download the Teams app to place calls, but that feature is coming. For now, I’ll download the app and try out the video call capability.

If someone initiates a phone call to me from within the Microsoft Teams app, this is what I see. (Obviously, I’m using the pre-built personas in my Office365 tenant.😊 )

Figure 20: Meeting phone call

If we do a video call, I can share my desktop from within Microsoft Teams, just like in a regular Skype for Business meeting!

Figure 21: Share desktop from Teams

This is interesting to me for a couple of reasons:

  1. Most of my meetings and 1:1 interactions during the day are via Skype for Business, which means that most of my daily team collaboration can get done here within Teams.
  2. Most of the stuff I produce (documents, presentations, etc…) is stored in either OneDrive or SharePoint, so I can easily access it all from within Teams, and I don’t have to save URLs all over the place. In fact, I don’t even have to KNOW the URLs.
  3. I can save my favorite websites in a Team and avoid having to bookmark them in a browser.

So really, the only time I actually need to leave the Teams application is to check my email. But let’s think about this for a moment: if I could get all my coworkers to chat, conduct meetings and share documents with me via Teams…the only reason I would need to check email is for external communications.
Now, there are studies that indicate that you may actually get LESS done if you’re checking email continually throughout the day. So if I work within Teams most of the day, and check my email once in the morning and once at the end of the day, it’s possible I could actually be more productive using Teams!
Give Microsoft Teams a try. I’m sure you’ll love it.
Watch for another blog post where I’ll discuss the integration with Yammer, Twitter and other forms of social media, as well as how you can use Bots in Teams to automate some tasks in Teams.
Microsoft Teams is going to be awesome!

When You Just Gotta Have a Lab

I spend a lot of time working with partners and customers setting up and performing demos of new products.

In many cases, we are looking at features that are purely cloud-based – such as Skype for Business Cloud PBX or PSTN Conferencing. When that’s the case, I just go to the Office365 tenant that I have set up for my own testing and show everyone where things are configured or what features are available.

Every so often, though, I get asked to set up a demo using a somewhat more complex type of environment involving a set of virtual machines or some other cloud product like EMS.

I used to manually set up the lab virtual machines on my laptop, but I found a great new resource that lets me build the environment in Azure using a documented and scripted process.

It’s called the Cloud Adoption Test Lab Guides, and you can find them here: https://technet.microsoft.com/library/dn635308.aspx#O365

For example, if I needed to demonstrate how a highly-available SharePoint 2016 farm would be configured, I could use the guide found here, and it would walk me through building an Azure environment that looks like this:

There are a couple advantages to this approach:

  1. It frees up my laptop resources (VMs tend to be storage hogs and I have a limited amount of CPU and RAM available for building out scenarios),
  2. I can access it from anywhere since the machines are in the Azure Cloud, and
  3. It gives me the chance to get more hands-on experience with Azure.

It’s a great option for those scenarios where you need to build a testing environment or as a way of demonstrating a product for customers.

The great thing is, you can build it in your own Azure environment so you always have a demo environment ready to go, or you can choose to build it in your customer’s Azure environment as a leave-behind for them to play with at their leisure. That also gives you the opportunity to talk to them about moving their existing on-premises workloads to Azure, or using Azure as a backup/recovery location, setting up test/dev environments in Azure and lots of other stuff.

The team that’s responsible for creating the Cloud Adoption Test Lab Guides is constantly creating new scenarios, so check back frequently to see which new scenarios they’ve created!

 

Skype for Business Client for Mac Goodness

I love updates.

I actually get geekily excited when I get prompted to shut down Office while Click-to-Run updates my Office install. When it’s done, I can’t wait to see “what’s different”.

On Sunday, my TV prompted me to apply a software update, and I had to force myself to not run the update in the middle of the football game.

Heck, I even like seeing that I have updated antivirus definitions.

I know…I need to get out more.

So you can imagine my excitement when I saw the announcement about a new Skype for Business client for Mac. Working with partners and customers over the last year has been a rising crescendo of “When is the new Skype for Business Mac client going to be released?” – frequently followed by “I thought you said it was coming in <insert month here>”.

Well, it’s here now, and it’s beautiful!

https://www.microsoft.com/en-us/download/details.aspx?id=54108

Edge-to-edge video and fully immersive content sharing and viewing means that Mac users truly get a first class experience!

If you rushed out to order yourself a new MacBook Pro this week – first of all, you should have bought a SurfaceBook. But I’ll assume you need the new MacBook “for testing purposes”. The new MacBook runs the Sierra OS, which is supported with the new SfB Mac client, so – you’re good! (It’s also supported on El Capitan if you aren’t an “update-aholic”.) To get Outlook integration, you’ll need to have Outlook for Mac build 15.27.

But wait…there’s MORE!

What makes it doubly exciting is that the Skype Operations Framework (SOF) got an update to go along with the Mac client update! If you haven’t yet familiarized yourself with the Skype Operations Framework, you should stop reading this right now and go check it out here: http://www.skypeoperationsframework.com

It’s a fantastic set of documentation and guides that help ensure that your Skype for Business deployments are successful. And it now includes guidance for planning and deploying the Skype for Business client to end users who prefer to use a Mac! There’s even a video training module that shows you the differences between the Mac and other clients and gives some troubleshooting guidance.

Yes, I love updates. And I love it when the updates allow me to pass along good news to our partners and customers – and this news is certainly welcome.

Enjoy the new Skype for Business client on your Mac!