Join the CIAOPS Office 365 Tech email newsletter

One of the greatest challenges faced by IT Professionals today is simply keeping up with the technology. The problem is there are so many different sources that it comes from as well as the volume that it flows at.

What makes it even more difficult for today's IT Professional is that they need to be able to administer the systems as well as assist end users to get the most from the same systems. This means understanding both the front and back end of systems. In effect that means keeping abreast of twice the amount of information.

I do my best to provide the best quality of technical information via a number of sources but not all information is relevant to all audiences. With that in mind I have created a new email list dedicated to IT professionals and administrators of products like Office 365. It is aimed at providing technical information about the products in more depth to help administer them better.

You can sign up for this new CIAOPS Tech email list directly at:

http://eepurl.com/bFYpEX

If you are also interested in end user information via email I’d encourage you to sign up to my free 23 part SharePoint Online training course at:

http://bit.ly/gs-spo

because after the end of the SharePoint course the information continues with detailed emails about getting the best from Office 365 products like OneDrive, Delve and more.

Why via email? Email provides the ability to automatically collect the information and store it for later review. I have found that many people still prefer to use email as their primary source of information for these reasons.

There’ll still be plenty of detailed information in this blog and via my other social media sources as usual but if you want to receive information from me about Office 365 and the Microsoft cloud then subscribe to one or both of the above email lists as suits your needs. Of course you should also feel free to send me any suggestions, at any time, about what topics you’d like to see covered on these lists as I want them to be as relevant as possible.

As always, I appreciate people consuming what I produce via various channels and I look to continue to improve what is offered.

Using Azure AD B2B Sharing with SharePoint Online

A common problem that many businesses have is securely sharing their Office 365 resources, like a SharePoint Team site, with users outside their organisation quickly and easily.

Microsoft have added a great new feature called Azure AD B2B sharing that greatly simplifies making Office 365 resources like a SharePoint Online Team Site available to users who are not part of the same Office 365 tenant.

There are typically two types of external users who reside outside an Office 365 tenant:

1. Those with an existing Azure AD account, thanks to being a user of a Microsoft commercial product such as Office 365, or

2. Those without an existing Azure AD account.

Here is the typical process for sharing an Office 365 Team Site with both an external Office 365 user (i.e. already has Azure AD) and an external user who just has an email address (i.e. doesn’t have Azure AD).

image

In this case I want to share the above Test site (https://tenantname.sharepoint.com/sites/test) with two external users. The Office 365 user will be admin@ciaops365.com and the standard user will be aston.martin@supercarhelp.com.

The Azure AD B2B process does not allow you to use consumer domains like @hotmail.com, @outlook.com, @gmail.com, etc. You can only use custom domains.

The first thing I need to do is ensure that the Team Site I want to share has been enabled for external sharing.

You do this by navigating to the SharePoint admin center after logging into the Office 365 portal as an administrator.

image

You select the site collection in question (here https://tenantname.sharepoint.com/sites/test/) and then select the Sharing button on the Ribbon Menu.

image

This will reveal a dialog box like the one shown above. Ensure either Allow external users who accept sharing invitations and sign in as authenticated users or Allow both external users who accept sharing invitations and anonymous guest links is selected and save any changes made.

image

You should then return to the Office 365 admin center and create a new security group for these external users to reside in. You do this via the Groups option on the left hand side of the Office admin center.

image

When you create a new Office 365 security group using the portal you must add at least one member to that group. In this case the group was created with a single member and then immediately afterwards the group was edited and that initial user was removed. The end result here is a new Office 365 security group called Externals that contains no members.

image

You now need to return to the SharePoint Online Team Site and assign the appropriate permissions to this new security group. In this case the whole Team Site will be shared with any member of the security group Externals and they will be permitted Edit rights as shown above (i.e. they will basically have ‘Member’ rights on that site).

image

You’ll then need to run PowerShell and connect to the Office 365 tenant you wish to share. I have detailed how to do that previously here:

Configuring PowerShell Access in Office 365

I also have an online course available that covers the material in more depth:

PowerShell for Office 365

Once you have connected to the tenant you'll need to run the command:

get-msolgroup | fl displayname, objectid

This will return a list of Office 365 security groups as shown above. You then need to record the ObjectId for the security group you just created that will contain the external users (here Externals).

You will then need to visit:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview/#csv-file-format

and obtain the format for the CSV import file that is required.

image

Into the CSV file you enter the following information into the columns:

Email = user's email address
Display Name = Firstname Lastname
InviteReplyURL = SharePoint Team Site being shared (here https://tenantname.sharepoint.com/sites/test/)
InviteAppresources = leave blank
InvitegroupResources = ObjectID obtained from PowerShell step
InviteContactUsURL = A contact URL. Here just my normal web site.

Once each user you desire to have access to the SharePoint site has been entered in its own row, save the CSV file.
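As an added example (not code from the original post), the PowerShell below performs the group lookup and builds the invitation CSV for the site above in one step, refusing the consumer domains the post says B2B does not accept. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the contact URL, display names and output path are placeholders, and the column headings should be compared with the header row of the sample file linked above before uploading.

```powershell
# Added example (not code from the original post): builds the B2B invitation
# CSV for the Team Site above. Assumes the MSOnline module is loaded and
# Connect-MsolService has already been run against the tenant.

$siteUrl    = 'https://tenantname.sharepoint.com/sites/test/'   # site being shared
$groupName  = 'Externals'                                        # security group from the post
$contactUrl = 'https://www.example.com/contact'                  # placeholder contact URL
$csvPath    = Join-Path $env:USERPROFILE 'Desktop\b2b-invites.csv'

# Look up the ObjectId of the security group that will hold the external
# users; this replaces reading it off 'get-msolgroup | fl displayname, objectid'.
$group = Get-MsolGroup -SearchString $groupName |
    Where-Object { $_.DisplayName -eq $groupName } | Select-Object -First 1
if (-not $group) { throw "Security group '$groupName' was not found in the tenant." }
$groupId = $group.ObjectId.ToString()

# Users to invite (the two sample addresses from the post; names are placeholders).
$invitees = @(
    @{ Email = 'admin@ciaops365.com';           DisplayName = 'Admin User' },
    @{ Email = 'aston.martin@supercarhelp.com'; DisplayName = 'Aston Martin' }
)

# Azure AD B2B only accepts custom domains, so refuse the consumer domains the
# post names up front rather than discover the failure in the import report.
$consumerDomains = @('hotmail.com', 'outlook.com', 'gmail.com')

$rows = foreach ($u in $invitees) {
    $domain = ($u.Email -split '@')[-1].ToLowerInvariant()
    if ($consumerDomains -contains $domain) {
        Write-Warning "Skipping $($u.Email): '$domain' is a consumer domain, which B2B does not support."
        continue
    }
    # Column names follow the post's description of the CSV; compare them with
    # the header row of the sample file linked above before uploading.
    [pscustomobject]@{
        'Email'                = $u.Email
        'Display Name'         = $u.DisplayName
        'InviteReplyURL'       = $siteUrl
        'InviteAppResources'   = ''          # left blank, as in the post
        'InviteGroupResources' = $groupId
        'InviteContactUsURL'   = $contactUrl
    }
}

if (-not $rows) { throw 'No valid invitees to write.' }
$rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($rows).Count) invitation row(s) for group $groupName ($groupId) to $csvPath"
```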

You’ll then need to access the Azure AD for the tenant. If you haven’t yet enabled this see my blog post:

Enabling your Office 365 Azure AD

or my online course:

Integrating Azure Active Directory Features with Office 365

image

You’ll then need to navigate to the users area of your Office 365 Azure AD as shown above.

image

image

You’ll then need to select the Add User button at the bottom of the page.

image

In the dialog window that appears you’ll need to select the Users in partner companies option in the Type of User field. You’ll also need to specify the location of the CSV file to upload with the users to be provisioned that you just created.

When this is complete, select the check mark button in the lower right.

image

The import process will now run. When complete you will receive a status message at the bottom of the Azure management console as shown above. You can select the option to view the report to verify there are no errors.

image

If you do view the report and everything has worked as expected the status should say Email generation started as shown above for the external user and

image

Directory invite operation finished for the Office 365 user, as shown above.

image

Each user should then receive an email like the one above with a link to access the shared application at any time.

image

The first time that the non-Office 365 user clicks on the link they will be taken to an Application Invite page as shown above.

(Side note – if you are wondering how the image on the left of the Application Invite page has been customised, see my online course:

Integrating Azure Active Directory Features with Office 365)

image

You should see that the email address has already been entered. All the user needs to do is select the Accept button.

image

Since this user doesn’t have an existing Azure AD account they need to create a new one. They will therefore be prompted to enter a password as well as confirm their name and country.

When this is complete select the Sign up button to continue.

image

It will take a few moments for the new Azure AD account to be created.

image

The user will then need to log in with their email address and the password just entered.

image

Then they will have access to the shared SharePoint site as shown above.

If they select the link in the email again, they will be taken to a standard Office 365 login page where they need to again use their email address and password to access the site.

image

Now if the Office 365 external user clicks on their received email link they will be taken to a similar Application Invite page as shown before. Simply select the Accept button to proceed.

image

Because the Office 365 external user already has an Azure AD account they do not need to establish a password; they are instead taken to their own tenant login page as shown above.

image

But once they log in they are automatically taken to the destination shared SharePoint Team Site just like the previous user.

image

If you return and view the permissions of the SharePoint Team Site as an administrator you should see the Office 365 security group created previously as shown above.

image

If you then view the Office 365 security group from the Office 365 admin center you should see the two users as shown above.

So now both users can simply select the link in their email to return to the shared Team Site at any point in the future.

image

If the non-Office 365 user attempts to access Office 365 via the standard URL (i.e. https://login.microsoftonline.com) they can log in, and when they do they see the above screen.

image

If they select the App Launcher in the top left they see the above tiles.

image

If they then select the Admin tile they are basically stepped through the process of verifying their own domain and creating a full Office 365 account. Some guerrilla marketing there maybe?

What I have shown here is only what is possible with SharePoint but as the recent video from Microsoft Mechanics highlights you can use a similar process to share apps from the Windows Azure Single Sign On Apps portal that is also part of Office 365.

If you want to know more about setting up the Azure AD portal included with Office 365, see my online course:

Integrating Azure Active Directory Features with Office 365

What’s coming soon will be the ability to use social media accounts like Twitter, Facebook and Google Plus to login to externally shared Office 365 resources. That is going to really make external sharing of Office 365 information easy. I can’t wait for when that is available and I’ll make sure I write an article on it.

In summary, using the built in B2B collaboration that comes with Office 365 you can now more easily share information with external parties that have their own domain.

What this stuff should also illustrate is how important Azure AD is to Office 365 and how you really need to enable it to get access to the additional options that are available with Office 365. In short, if you are not using Azure AD with Office 365 then you are driving around everywhere in first gear!

Also, please don’t forget to take a look at all my online courses at:

http://www.ciaopsacademy.com

You may even find a lesson about this very topic in there shortly.

Need to Know podcast–Episode 93

In this episode I’m joined by Amy Babinchak to chat about Azure for SMB. We talk about the opportunities Azure provides as well as how to get started using Azure. Amy shares her experience with converting Azure services into revenue opportunities you can utilise with your clients. There are the usual news updates to keep you current with everything that is happening in the cloud.

A big thank you to Marc Kean for all his work producing this episode.

You can listen to this episode at:

http://ciaops.podbean.com/e/episode-93-amy-babinchak/

or subscribe to this and all episodes in iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show. I’m also on the hunt for some co-presenters so if you are interested on being a regular part of the show please contact me.

Resources

New CIAOPS Academy

Skype for Business Basic

Skype for iOS

Office Lens

New OneDrive Sync client

Third Tier

Enterprise Mobility Suite

Azure AD Domain Services

Configuring the Azure SSO portal

Tips for maximum conference ROI

I have returned from presenting at another conference. You’ll find my presentations from the event embedded further down in this post or at my Docs.com.

I thought I’d also take a moment to share some techniques and tips I’d recommend you employ when attending a conference to ensure that you get the most from any conference.

1. Remember you are at the conference for business.

It is all well and good to take a step back and enjoy everything that a conference has to offer, the food, the drink, the location, the company, but remember it is all costing your business money. Thus, you should be constantly asking yourself whether you are getting a return on investment. This may mean learning something new, meeting a new contact who can help your business, etc. but you need to ensure you GET something in return.

Don’t get caught in the trap of treating the whole event as a party. Don’t get caught in the trap of getting wiped out on the first night and then being unable to attend any of the sessions. Have fun, yes but always ask yourself, what return am I getting for my investment in time and money at the conference.

2. Have plenty of business cards

Always ensure you have plenty of business cards before leaving for a conference. Every time you go anywhere near the conference venue ensure your pocket is full of business cards and you have an adequate supply elsewhere as a backup.

Don’t be shy handing out your business card as well as receiving cards from others. Every time you strike up a conversation with someone, make sure they leave that conversation with your card.

3. Carry a pen

As old fashioned as it seems, having a pen ready and available is still the quickest way of writing notes and capturing information. In my case, I always ensure there is space to write on the back of my business card so I can write a URL or a note and give that to someone. If you don’t have a business card that allows this, carry some blank cards just in case.

It is easy to say that you’ll send an email follow up, however jotting it down goes a long way to ensuring that you’ll follow through.

Also remember that battery power can be at a premium during conferences and you don’t want to be tethered to a wall and miss out on the hallway conversations. A pen is a great information recording device backup for your phone or tablet when it starts running low on juice.

4. Make yourself available for conversations

There is nothing wrong with waiting in a publicly visible but off to the side location. Try and find an area that will accommodate at least one other person and is quieter than the middle of the conference throng.

By doing this you make it more enticing for someone to come up and have a chat with you, especially if they have been looking for a chance to do just that. Being immersed in the conference ‘mosh-pit’ is great and there is always something interesting happening but remember, you are looking to generate the most return for your business not listen to others pontificate constantly.

5. Convert business cards into LinkedIn contacts asap

Whenever you get a chance, go through the business cards you have received so far in the day and connect with them on LinkedIn. This is firstly a good backup in case you misplace their business card but it also gives you deeper insight into that contact and their details thanks to LinkedIn. It does likewise for your new contact but also indicates how keen and on the ball you are by making contact electronically shortly after meeting them.

6. Wear the uniform

Many people think that it is extremely boring to wear the same outfit to a conference every day. I purposely ensure I wear that same thing throughout the conference. One of the main things I ensure I do is wear a branded shirt. Why? People respond to consistency, the more consistent you are, in every aspect, the more comfort people derive. Also, if you wear the same thing you make it easier for people to identify you in the crowd if they are looking to seek you out to make contact.

Wearing the ‘uniform’ also reduces the decisions you need to make about packing for the event and dressing on the day. Personally, I don’t want to waste my precious decision credits on working out what to wear each day, I simply don the uniform and get on with generating ROI for my business.

There are of course plenty more tips I could pass on but these hopefully should provide you some benefit next time you attend an event.

Let me know what you think works when you attend a conference. I’d love to hear.

Unleashing the Power of Azure

https://docs.com/d/embed/D25195773-6563-8190-0370-001714572934%7eMd4186d87-61d5-259a-4d26-00a8bd86cfff

Is Windows 10 the last version resellers will ever install?

https://docs.com/d/embed/D25195773-6441-7890-9780-002121714420%7eMd4186d87-61d5-259a-4d26-00a8bd86cfff

Azure AD Editions feature comparison

One of the key technologies I tell people, especially resellers and IT Pros, to be more aware of is Azure Active Directory. However, many ask where they should start with the product?

The first thing to understand is that there are different editions:

  • Free – The Free edition of Azure Active Directory is part of every Azure subscription. There is nothing to license and nothing to install. With it, you can manage user accounts, synchronize with on-premises directories, get single sign-on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, and more.
  • Basic – Azure Active Directory Basic edition provides application access and self-service identity management requirements for task workers with cloud-first needs. With the Basic edition of Azure Active Directory, you get all the capabilities that Azure Active Directory Free has to offer, plus group-based access management, self-service password reset for cloud applications, Azure Active Directory application proxy (to publish on-premises web applications using Azure Active Directory), customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime.
    An administrator with Azure Active Directory Basic edition can also activate an Azure Active Directory Premium trial.
  • Premium – With the Premium edition of Azure Active Directory, you get all of the capabilities that the Azure Active Directory Free and Basic editions have to offer, plus additional feature-rich enterprise-level identity management capabilities explained below.

image

Obviously the features differ between them, as the above table highlights. These links point you to the most salient information on Azure AD.

Azure Active Directory features and capabilities

Azure Active Directory editions

Azure Active Directory pricing

I have written lots of posts on Azure AD, especially how it integrates with Office 365, and you’ll find these at:

I finally get Azure – https://blog.ciaops.com/2014/04/i-finally-get-microsoft-azure.html

Great Azure demo [VIDEO] – https://blog.ciaops.com/2014/03/great-azure-intro-demo.html

Introduction to Azure [VIDEO] – https://blog.ciaops.com/2014/12/introduction-to-azure.html

Sign up for a free Azure demo account – https://blog.ciaops.com/2014/10/sign-up-for-free-azure-demo-account.html

Add a custom domain to Azure – https://blog.ciaops.com/2014/08/add-custom-domain-to-azure.html

Enabling your Office 365 Azure AD – https://blog.ciaops.com/2015/01/enabling-your-office-365-azure-ad.html

Azure AD Connect tools – the basics – https://blog.ciaops.com/2015/07/azure-ad-connect-toolthe-basics.html

Azure AD Sync Services tool – the basics – https://blog.ciaops.com/2015/06/azure-ad-sync-services-toolthe-basics.html

Configuring an Azure Single Sign On portal – https://blog.ciaops.com/2015/02/configuring-azure-sso-portal.html

Creating a single Sign on portal using Azure [VIDEO] – https://blog.ciaops.com/2015/03/creating-single-sign-on-portal-using.html

Enabling self-service password resets in Office 365 – https://blog.ciaops.com/2015/02/enabling-self-service-password-resets.html

Creating a Domain Controller in Azure – https://blog.ciaops.com/2015/07/creating-domain-controller-in-azure.html

Upgrading an Azure virtual machine – https://blog.ciaops.com/2014/09/upgrading-azure-virtual-machine.html

Restricting remote access to an Azure virtual machine – https://blog.ciaops.com/2014/08/restricting-remote-access-to-azure.html

Azure desktop backup – https://blog.ciaops.com/2014/12/azure-desktop-backup.html

Azure VM backups – https://blog.ciaops.com/2015/06/azure-vm-backups.html

Connect Windows 10 to Azure AD – https://blog.ciaops.com/2015/07/connect-windows-10-to-azure-ad.html

So hopefully that gives people enough information to at least get started on the journey of learning Azure AD.

I plan to of course write lots more about Azure AD so stay tuned.

Connect Windows 10 to Azure AD

image

One of the things that really excites me about Windows 10 is its ability to be directly joined to an Azure Active Directory. I think this ability is a major change in the way identity for desktops is going to be managed going forward.

To enable a Windows 10 machine to do just that, first go into your Azure AD and select the Configure option as shown above.

image

You then scroll down to the devices area and ensure that the Users may Azure AD join devices setting is set to either All or Selected, as shown above.

image

Then you go to the Windows 10 machine you wish to join to Azure AD and select Settings.

image

Then select About from the bottom of the menu options on the left.

image

Then on the right hand side select the link Connect to cloud as shown above.

image

From the window that appears select Continue.

image

Enter the credentials of a user permitted to connect to your Azure AD and select Sign In.

A few moments later the process is complete and the Windows 10 machine is joined to Azure AD.

image

If you then check back in your Azure AD, select the user who completed the join and then select the Devices option from the options across the top, you should see a list of the Windows 10 machines that are now connected, as shown above.

image

To remove the device from Azure AD simply visit the Settings | About page again and this time select the link Disconnect from the organisation. You’ll be prompted to Disconnect as shown above.

image

You’ll then need to enter the credentials for a local machine administrator (i.e. a user with admin privileges on the Windows 10 desktop).

Select OK to proceed.

image

The last step will then be to restart the machine to complete the separation process, much like you would when joining an on premises AD.

So there you have it, joining an Azure AD is very simple on a Windows 10 desktop. Look out for more articles on Windows 10 and Azure AD soon.

Creating a Domain Controller in Azure

Setting up a Domain Controller (DC) in Azure is a little different from on premises. This post is by no means an extensive guide or best practices document on doing that. It is however designed to give you the basics so you can get up and running quickly.

image

I am going to assume you are starting totally fresh here. The first task is to create a new Azure network in the location that you desire. For more details on doing this see:

Tutorial: Create a Cloud-Only Virtual network in Azure

image

The next step is to run an Azure virtual machine that will be your Domain Controller. The only step that is slightly different from the norm is that you need to select the virtual network you created previously in the Region/Affinity Group/Virtual network option as shown above.

You then continue on as normal and create the virtual machine and allow it to start up.

For more information on creating an Azure virtual machine see:

How to Create a Custom Virtual Machine

image

Before you connect to the new virtual machine that will be your domain controller you need to add an additional hard disk to it. From the list of virtual machines you have in Azure select your new machine. Then select the Add button at the bottom of the page. From the menu that appears select Attach empty disk.

image

Complete the details for the additional disk and save the configuration. For more information on adding an additional disk to a virtual machine see:

How to attach a data disk to a Windows virtual machine

image

When you log into the virtual machine you’ll see that it already has a dynamic IP address (here 10.0.0.4). This comes from the virtual network you created previously. It is important that you DON’T assign static IP addresses to Azure virtual machines, even in the case of a domain controller. All Azure virtual machines should ONLY have dynamically assigned IP addresses.

image

If you look at the storage layout of your new virtual machine you’ll see a C: and D:. Beware, D: drive is a temporary drive that gets erased and recreated on reboot. Thus, the only stuff you want on there is temporary stuff like the page file. Good practice is not to have the Active Directory databases on the boot partition, because if that becomes inaccessible then bye bye AD, unless you have a backup. This is the reason why we attached an additional disk to our new virtual machine.

image

Everything now is pretty much as it would be with on premises equipment. Go into the Windows Disk Management console and initialise the new disk.

image

Create a new volume on this additional disk and format it. At the end you should have a drive letter you can access. Here, F:.

image

If you again view the storage configuration of your virtual machine you should see a new disk (here F:) which will be the destination for the AD database.

image

Things remain the same when you configure your server to be a domain controller. Simply go in and add the role as you would normally.

image

Allow the configuration to complete.

image

Once the role has been enabled you now need to raise the server to being a domain controller exactly how you would on premises. The only difference is that you should re-locate the AD DS database, log files and SYSVOL to the disk you added (here F:).

image

Just before you complete the process of raising the server to be a domain controller, you’ll see the above warning about a domain controller requiring a static IP address. Again, in Azure this DOES NOT apply. In Azure we want all servers to have dynamic IP addresses.

image

Once your Domain Controller is running go into the DNS manager, right-click on the DNS server (here the domain controller) and select Properties. In the Forwarders tab remove any IP address listed.

image

The last step is to go back and edit the properties of your virtual network. In the Configure tab for the network you will find the option for DNS servers as shown above. Add the IP address and machine name here and save it. Although the IP address assigned is dynamic, it is on an extended lease so it should effectively ‘remain’ static. If you do power up and down your DC regularly for testing like I do, simply ensure that your DC is the first machine you fire up on that virtual network.

So now you have an Azure hosted Windows Domain Controller (DC) without too much additional fuss.
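As an added example (not code from the original post), the script below is the in-VM part of the procedure above, run inside the new Azure VM as a local administrator: it formats the attached data disk, checks the VM is still on a DHCP address, relocates the AD DS database, logs and SYSVOL to that disk during promotion, and clears the DNS forwarders afterwards. It assumes Windows Server 2012 R2 or later with the Storage, ServerManager, ADDSDeployment and DnsServer modules, that the empty disk has already been attached in the Azure portal, and the forest name and volume label are placeholders.

```powershell
# Added example (not code from the original post): the in-VM steps above as a
# script, run inside the new Azure VM as a local administrator on Windows
# Server 2012 R2 or later. Assumes the empty data disk has already been
# attached in the Azure portal. The forest name is a placeholder.

$domainName = 'corp.example.local'   # placeholder forest name
$dataDrive  = 'F'                    # data disk letter used in the post

# 1. Initialise and format the attached empty (RAW) data disk. C: is the
#    boot disk and D: the temporary disk, so neither of those is RAW.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter $dataDrive -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADData' -Confirm:$false |
    Out-Null

# 2. Sanity check: the VM must keep its DHCP-assigned address. Fail early
#    rather than promote a DC that someone has given a static IP.
$iface = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*' } |
    Select-Object -First 1
if ($iface.Dhcp -ne 'Enabled') {
    throw "Interface '$($iface.InterfaceAlias)' is not using DHCP; Azure VMs must keep dynamic addressing."
}

# 3. Add the AD DS role (the same as the Server Manager wizard in the post).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 4. Promote to a DC with the database, logs and SYSVOL on the data disk,
#    not on the boot partition. The static-IP warning this raises is the
#    one the post says does not apply in Azure. The VM reboots when done.
Install-ADDSForest -DomainName $domainName `
    -DatabasePath "$($dataDrive):\NTDS" `
    -LogPath      "$($dataDrive):\NTDS" `
    -SysvolPath   "$($dataDrive):\SYSVOL" `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -Prompt 'DSRM password' -AsSecureString) `
    -Force

# 5. Run this last block in a fresh session after the reboot: clear the DNS
#    forwarders the promotion picked up from the NIC, as the post does in
#    DNS Manager. Does nothing if the forwarder list is already empty.
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress |
    ForEach-Object { Remove-DnsServerForwarder -IPAddress $_ -Force }
```

The virtual network DNS setting from the final step above is an Azure portal change and is not covered by this script.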

image

So now, if I want to add another Azure virtual machine into this network and onto the domain, I simply run up an Azure virtual machine as normal. When you do you’ll see it get a different IP address (here 10.0.0.5, while the DC is 10.0.0.4).

image

Then, as you would anywhere else, simply add that machine to the domain. You’ll be prompted for administrator credentials to verify the domain join.

image

That is all; you now have a second machine on this domain.

So in summary, the key points with a Windows Domain Controller in Azure are:

– Add an extra disk and install the AD database, logs and SYSVOL here

– Don’t give the DC a static IP address

– Assign the DC IP address to the DNS setting in the virtual network configuration.

For more details on doing this see:

Install a new Active Directory forest on an Azure virtual network