Free Third Tier Azure webinar tomorrow

I have been fortunate enough to be invited to participate in a free webinar hosted by Third Tier titled:

Getting Started with Azure and Making Money Doing It

Amy and Susan welcome Robert Crane to the webinar series. Robert has been a long-time SMB IT professional, well known for his SharePoint, Office 365 and now his Azure expertise. If you think that Azure is just another hosting platform you are so wrong. Azure is your future with Microsoft and it’s a whole new world. Robert will share with us his tips and a path to success with Azure.

More importantly, the webinar is being hosted by two rockstars in the community, Amy Babinchak and Susan Bradley.

Amy Babinchak is the owner of Third Tier and Harbor Computer Services (an MSP). She is also a Microsoft MVP in Small and Medium Business Server. Susan Bradley is a Microsoft Enterprise Security MVP and forensic accountant. Both Amy and Susan have a passion for excellence in small business IT. These webinars will be chatty with each bringing their experience and technical expertise to the table.

The best thing is that the webinar is scheduled in the daylight! At least for me. Here in Sydney Australia the webinar runs from 10am – 11am on Thursday 23rd of July.

So if you are interested in learning about how you can make Azure your business and learn from the likes of Amy and Susan, with some occasional input from me, then check out the webinar. Remember, it is free to attend!

I hope to see you there tomorrow.

Creating Custom App tiles in Office 365

image

If you select the ‘waffle’ in the top left corner of Office 365 (the 9 dots), you’ll see a list of your applications as shown above. This menu is known as the App launcher. Most users will simply see their Office 365 apps. What you might not appreciate is that you can add your own apps to this list a number of different ways.

image

The easiest way is to login to the Office 365 console as an administrator. In the top right you’ll find a link for the business name (here Contoso). Select this.

image

On the screen that appears select Custom Tiles from the menu on the left hand side.

image

Then select the + icon to add a new entry.

image

Enter the details for the new tile and select Submit.

image

You should then see your new listing (here, CIAOPS).

image

The new app is available for all users to add to their own App launcher. To do this, select ‘waffle’ in the top left (the 9 dots). When the App launcher appears select the My apps link at the bottom of the page as shown above.

image

They will now see a list of all the apps available to be ‘pinned’ to their App launcher. The ones at the top are those already on the launcher and the ones at the bottom are those that can be added.

image

To add a new app to the launcher simply mouse over it and select the ellipse (3 dots) in the top right corner. Then from the menu that appears select Pin to app launcher.

image

Now when the ‘waffle’ is selected you’ll see the app displayed on the launcher as shown above. When you select the new app it will open in a new browser tab.

The other way is via the Azure Single Sign On Web portal. I covered how to set that up in a previous post that you need to review:

Configuring an Azure SSO Portal

image

When the portal is complete it should look something like that shown above for users.

image

Now when that same user goes to modify their own App launcher via the previously detailed method they will see the custom app just added above via the admin portal (the CIAOPS App) but also all the others already configured in the Azure SSO portal.

image

They can then add any of these Azure SSO apps to their App launcher using the previously detailed method (in this case Linkedin).

When they select this new app, added from Azure AD SSO portal, it will function the same as it does inside the actual Azure AD SSO portal. It will log them into that web based app automatically without the need for entry of a login and password.

You can now customise the Office 365 App launcher to include any web based app, and if you also enable the Azure AD SSO portal you can take advantage of automated login for these apps. That makes life a lot easier and more productive for users.

Need to Know podcast–Episode 85

I’m joined once again by Tas Gray as well as Long Tran from AxiomIT to talk Office 365. In this episode we talk about using Azure AD that is part of all Office 365 subscriptions to manage identity for third party applications. We also talk about using Azure Active Directory Single Sign on portal as a better way to manage web application access in a business.

You can listen to this episode at:

http://ciaops.podbean.com/e/episode-85-tas-gray-and-long-tran/

or subscribe to this and all episodes in iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show. I’m also on the hunt for some co-presenters, so if you are interested in being a regular part of the show please contact me.

Resources

Skype for Business preview

PowerShell for Office 365

Changing Office 365 plans

Azure AD Connect gets released

Office 2016 for Mac is here

Skype for Business Windows Phone app

Cloud Business Blueprint

Azure AD Connect tool – the basics

Azure AD Connect tool–the basics

Microsoft recently announced that Azure AD Connect has come out of preview and is now generally available. This now means that Azure AD Connect is the preferred tool for synchronizing on premises AD to Office 365 replacing DIRSYNC and Azure AD Sync Services.

I detailed how to install the preview of Azure AD Connect here:

https://blog.ciaops.com/2015/06/azure-ad-connect-previewinstall.html

and the process is pretty much identical for the released version so I’ll only detail the express install here. Refer to my previous post if you need more details of all the options available but not really required for Office 365.

image

The first thing you’ll need to do to configure synchronisation between your on premises AD and Office 365 is to log in to the Office 365 portal as an administrator. You’ll then need to select the Users area and then Active Users.

At the top of the page you’ll find an option Active Directory synchronization as shown above. Here you select the Set up hyperlink.

image

On the page that is displayed you need to select the option to Activate synchronization as shown above.

image

You’ll be prompted to confirm that you wish to Activate.

image

After which you should now see that synchronization is activated.

image

Next, you’ll need to download the released version of Azure AD Connect, which you can do from here:

http://www.microsoft.com/en-us/download/details.aspx?id=47594

image

After you have downloaded the software you can install it. It is best practice to install Azure AD Connect onto a member server in your domain but installation on the domain controller is supported.

image

At the Welcome screen select Continue in the lower right.

image

In this case we simply want to configure synchronisation with Office 365, so select Use express settings. If you want to learn about the other options available to you with Azure AD Connect check out the following documentation:

https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnect/

The express options will automatically:

– Configure synchronization of identities in the current AD forest

– Configure password synchronization from on premise AD to Azure AD

– Start an initial synchronization

– Synchronize all attributes

image

The installation will now commence.

image

You’ll be prompted for your Azure AD credentials; these are the credentials for the Office 365 global administrator account that will be used to connect to Office 365. Remember, Office 365 allows you to have accounts that are global administrators without them having to have a license for the Office 365 services.

image

The account details you provided will now be verified.

image

You’ll now be prompted for credentials for a local on premise administrator for your AD.

image

These credentials will be verified and you’ll now see a summary of the actions that will take place.

image

You’ll then see SQL Express being installed as part of Azure AD Connect.

image

You’ll then see the Synchronization Service being configured.

image

Then the Directory connector.

image

You should then see it connecting to your Office 365 tenant.

image

Then your local AD (here kumoalliance.org).

image

image

Finally, you should see the Microsoft Online Services Sign-in Assistant restarting.

image

You should then receive a message that the process is complete.

image

After a short while, if you compare your local on premises AD users

image

to those in Office 365 you should find the local users have synchronised to Office 365 as expected. You will see their status as Synced with Active Directory as shown above.

image

As usual, the synced users won’t have been assigned an Office 365 license. You’ll need to do this via the browser or PowerShell to allow users access to Office 365 services.

image

If you look at the machine you just installed Azure AD Connect onto you’ll see the new program group shown above.

image

If you select Synchronization Service from this list you’ll be taken to the sync troubleshooting tool, which helps you see what is happening underneath the covers and perform diagnostics.

image

If you need to force a synchronisation at any stage navigate to:

\program files\microsoft azure ad sync\bin

image

and run the file

directorysyncclientcmd.exe

So there you have it. No more DIRSYNC. No more Azure AD Sync Services. Azure AD Connect is your preferred option when it comes to syncing an on premises AD to Office 365.

Getting Started with Azure updated

Just wanted to let everyone know that I have updated both my Introduction to Azure course as well as my Office 365 bootcamp offering. You can find both of these products on my publications page at:

http://www.ciaops.com/publications

Because both of these products are changing so rapidly I am trying to keep them as current as possible. Once you purchase the products you will continue to be eligible for updates for the life of that product.

So what is typically updated? For the Azure course I’ve added another video plus access to my Azure OneNote notebook that is full of tutorials, information, links and more. For the Office 365 bootcamp I’ve updated the training OneNote files, the notes for the 70-347 and 70-346 certification exams.

The benefit of OneNote notebooks is that you can use them on any device. If you save them to OneDrive or SharePoint they can also automatically sync across all the devices. You can also use them offline and most importantly they are fully searchable. It is for this reason that I use these notebooks every day in my business to keep track of everything.

By purchasing these, or any of my publications, you are helping me stay in business and allowing me to focus on providing more information on these products. Of course all these products are free to subscribers of my Cloud Business Blueprint community, which also provides a heap more for your investment. I encourage you to also check that out if you are keen on taking your cloud business further.

Save time, save effort and help me create the best information sources for products like Office 365 and Azure by supporting my publications. For those people that have already done so, I thank you for your support.

Controlling Office 365 integrated applications

Unfortunately, average users tend to click ‘Yes’ a lot more than they really should. If they could but restrain themselves somewhat the world would have far fewer viruses. BUT, we know they just can’t help themselves sometimes, and administrators and IT Pros are left to clean up the damage.

In the world of security, prevention is far easier and cheaper than the cure, so taking proactive steps to control when users allow third party applications access to their data can be handy. Office 365 provides the administrator the ability to do just this via Azure Active Directory, which is included free with all Office 365 subscriptions. Here’s how.

image

Firstly, login to your Office 365 admin center.

image

In the bottom left select Azure AD.

If you haven’t already enabled Azure AD as part of your Office 365 tenant (which is free), see my previous post:

Enabling your Office 365 Azure AD

image

Select the Active Directory option on the left and then select the name of your directory (there should only be one).

image

Select the configure tab from the options across the top.

image

Scroll down until you locate the integrated applications area towards the bottom. Here you can disable (by changing to No) all users’ ability to add integrated applications and have those applications access the users’ data.

image

If you make a change you’ll need to select the Save button at the bottom of the page that appears to update the directory with the new configuration.
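The same setting can be read and changed from PowerShell, which is handy for auditing several tenants or for confirming the browser change actually took effect. This is an added example, not code from the original post; it uses the Azure Active Directory (MSOnline) module cmdlets Get-MsolCompanyInformation, Set-MsolCompanySettings and Get-MsolServicePrincipal, and shows the weak setting (users may consent) beside the corrected one:

```powershell
# Added example (not from the original post): audit and disable users'
# ability to add integrated applications using the MSOnline module.
# Run as an Office 365 global administrator.

Import-Module MSOnline
Connect-MsolService   # prompts for global administrator credentials

# Weak setting: True means any user can grant a third party app access to tenant data.
$before = Get-MsolCompanyInformation
Write-Host "Users may consent to integrated apps: $($before.UsersPermissionToUserConsentToAppEnabled)"

if ($before.UsersPermissionToUserConsentToAppEnabled) {
    # Corrected setting: only an administrator can add integrated applications.
    Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
}

# Read the value back rather than assuming the change was applied.
$after = Get-MsolCompanyInformation
if ($after.UsersPermissionToUserConsentToAppEnabled) {
    throw "Setting did not change; confirm the account holds the Global Administrator role"
}
Write-Host "User consent to integrated applications is now disabled"

# Turning the setting off does not revoke access that users granted earlier.
# List the service principals already in the directory so any unwanted
# third party applications can be reviewed (Microsoft's own apps appear here too).
Get-MsolServicePrincipal -All |
    Sort-Object DisplayName |
    Select-Object DisplayName, AppPrincipalId, AccountEnabled |
    Format-Table -AutoSize
```

The read-back after Set-MsolCompanySettings is the important part: the cmdlet does not return the new state, so checking Get-MsolCompanyInformation again is the only way to know the tenant is now configured as intended.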

With these options configured administrators can have peace of mind that none of their users can add applications from places like the SharePoint Store that could access Office 365 data and potentially cause information leakage or worse.

Azure VM backups

I’ve previously detailed how you can use Azure Backup to backup desktops as well as servers here:

Azure desktop backup

That service basically does files and folders, but in such a way that only the differential changes are sent each time. The question for many IT Pros is: how do I recover a complete Azure VM like I can on premises using my traditional disk imaging tools?

The good news is that Azure now has such a service, called Azure VM Backup, and here’s how to use it.

image

Best practice is probably to go in and create a new Backup Vault in Azure to ensure you know what storage ‘bucket’ these backups are in. This is because you can back up a lot of different things using Azure services.

image

It will take a few moments for the new Backup Vault to spin up once you have selected a region for it. Which region you select is important because you can, by default at the moment, only backup VMs from the same region.

image

Once the new Backup Vault is ready select it, then select Registered Items from the menu across the top. Ensure that the type is set to Azure Virtual Machines and then select the Register link at the bottom of the page.

image

Place a check in the VM(s) you wish to backup. Then select the check icon in the lower right to save the configuration.

image

The machine you selected will then be ‘registered’. This means it will have the appropriate configurations made to allow it to be backed up. The VM will need to be running during this process or the registration will fail.

image

If you now select the Jobs option from the menu you should see the registration process proceeding. The registration should take around 5 minutes but may vary depending on what type of VM you are backing up.

image

If you now return to the Registered Items menu option you should see your machine listed as shown above.

image

With that machine still selected, you will see a number of buttons at the bottom of the page. Select the Protect button to commence a backup of this VM.

image

Select the items to protect and press the continue arrow in the bottom right of the window.

image

You’ll then be prompted to create a protection policy. Best practice is to create a new policy, give it a meaningful name and then select the backup frequency.

At this point in time the most frequently you can back up a VM using this process is once a day.

After you have selected an appropriate Retention Range, select the check to save the settings.

image

If you wish to do an immediate backup at any time outside the configured schedule, select the Protected Items from the menu at the top of the page.

image

Ensuring that the desired VM is selected, press the Backup Now button at the bottom of the page.

image

If you return to the Jobs menu you should see a new job that is “InProgress” as shown above and the Operation is “Backup”.

The VM being backed up of course needs to remain up and accessible during this process.

Even though you can’t schedule backups more frequently than once a day via the browser I’m betting you can via PowerShell and perhaps even use the automated Run Book features of Azure to do this.

The VM you are backing up continues to run as normal and I saw no performance impact occur in this test environment during the process. That may of course vary depending on load and the amount of data to be backed up.

From – https://azure.microsoft.com/en-us/documentation/articles/backup-azure-vms-introduction/

How does Azure virtual machine backup work?

To back up a virtual machine, first a point-in-time snapshot of the data is needed. The Azure Backup service initiates the backup job at the scheduled time, and triggers the backup extension to take a snapshot. The backup extension coordinates with the in-guest VSS service to achieve consistency, and invokes the blob snapshot API of the Azure Storage service once consistency has been reached. This is done to get a consistent snapshot of the disks of the virtual machine, without having to shut it down.

After the snapshot has been taken, the data is transferred by the Azure Backup service to the backup vault. The service takes care of identifying and transferring only the blocks that have changed from the last backup – making the backups storage efficient. When the data transfer is completed, the snapshot is removed and a recovery point is created. This recovery point can be seen in the Azure management portal.

Azure virtual machine backup architecture

So as a test I used Azure VM Backup to initially back up a Windows 10 machine with Office 2016 installed. That took 37 minutes. Immediately after that backup completed I ran another and it took 23 minutes. The Windows 10 system reported about 25 GB of total used space.

Now, what happens when you want to restore? Basically you’ll be restoring the whole machine to a new VM. The current preview of Azure VM Backup doesn’t permit restoring to the original VM, however I’m sure down the track that will become available.

image

To restore your VM go to the Protected Items options from the menu and ensure the machine you wish to restore is selected.

image

From the button at the bottom of the page select Restore.

image

Select a recovery point from the list (this is basically all the backups you have performed). Press the continue arrow in the lower right to continue.

image

You now need to give the restored VM a name (it can’t be the same as an existing machine, so if the original still exists you’ll need to delete it first, as overwriting the source is not yet available).

You’ll also need to select a storage account, virtual network and subnet.

Once you have done that select the check icon in the lower right to commence the restore process.

image

If you go and check the Jobs option again you should see a restore job in progress as shown above.

image

For me, after only 8 minutes the restore job completed (that is for 25GB of data), and if you now look in your Azure Virtual Machines you will see the item you restored, just as it was when you backed it up.

Azure VM Backups are still in preview and there are some limits on what features are available as yet. You’ll find the details in this blog post:

http://azure.microsoft.com/blog/2015/03/26/azure-backup-announcing-support-for-backup-of-azure-iaas-vms/

Most of the limitations I would expect to disappear in a very short space of time. That is going to make Azure VM Backup a pretty powerful option for your Azure IaaS solutions.

Here are some additional articles with more details about:

Introduction to Azure VM Backups

Backing up with Azure VM Backup

Restoring with Azure VM Backup

So now you can use Azure to back up your Azure VMs as you would typically have done on premises using imaging software. Using Azure VM Backup is however going to provide improved ease of use and scalability, as well as the ability to improve more rapidly than existing on premises options.

Azure VM Backup is yet another example of the power the cloud is bringing to traditional infrastructure by making it easier and better.

Azure AD Sync Services tool–the basics

The most popular post on my blog is currently:

Windows Azure Active Directory Sync tool (DIRSYNC) – the basics

The currently recommended tool for syncing your on premises AD to Office 365 is now not DIRSYNC but:

Azure AD Sync Services

There is a further updated version that is currently in preview called:

Azure AD Connect

and you can read more about that preview here:

Azure AD Connect Preview 2 is available

I’ll do a blog post on that very soon, but for now let’s concentrate on what is generally available.

You can read more about Azure Active Directory Sync here:

https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx

image

Firstly, download the tool from the link above. In this case I am installing on a clean AD and I’m also going to install the tool onto a domain controller, which is supported but not best practice. I am also using a new, empty demo Office 365 E3 tenant.

After you have made sure your on premises AD is in good health, and before installing the sync tool on your network, you should login to your Office 365 tenant as a global administrator and navigate to the Admin portal.

image

You then need to select the Active Users option from beneath the Users menu item in the options on the left of the Office 365 Admin portal.

image

Note that I have no users apart from the Global Administrator in my new Office 365 tenant initially.

image

At the top of the Active Users dashboard you will see an option called Active Directory synchronization as shown above. Select the Set up hyperlink to the right.

image

This will then present you with a number of steps. You should complete Steps 1 and 2, which I have already completed.

Then select the Activate button under option 3.

image

You’ll then be prompted to confirm you do want to proceed with synchronization. Note the warnings and select the Activate button to proceed.

image

You should now see that option 3 displays Active Directory synchronization is activated as shown above.

image

Return to your on premises sync server and double click on the package you downloaded. It will be extracted.

image

Double click the icon it places on the desktop to commence the configuration process.

image

You are prompted for the location to install the software. The default location is:

c:\program files\microsoft azure ad sync

You can however change this if desired.

image

When you have entered in the appropriate installation directory and checked the I agree to the license terms box, you can select the Install button in the lower right hand corner.

image

You will now see the program install the files to the installation directory as shown above.

image

You will then see Microsoft SQL Express being installed. Having SQL on a domain controller is generally not best practice but is supported now. However, beware that the sync tool will install and use SQL Express by default.

image

You will then see it installing the actual Sync Service on your machine.

image

Amongst a few other Azure services installed on your machine you’ll now find the Microsoft Azure AD Sync service as shown above.

image

You’ll then be prompted to enter your details for Azure AD as shown above.

image

Remember, Office 365 is built on Azure AD and uses it to manage identity. Thus, here you now enter your Office 365 global administrator credentials.

Best practice is to use a dedicated global administration account that has not been assigned any licenses. That is, create a new user and make them a global administrator but don’t assign them a license in your Office 365. Then only use this user to synchronise your local AD to Office 365.

Here, I am just going to use the default tenant administrator to keep it simple, but importantly, the user you enter here MUST have the Office 365 Global Administration role.

When you have completed the required details here press the Next button to proceed.

image

The provided login will then be authenticated.

image

If you have not as yet enabled directory synchronization in your Office 365 tenant, as detailed previously, you will see the above error message.

image

You will be prompted to enable this before you can proceed further.

image

You’ll then be prompted for a local forest (domain) and domain administrator as shown above.

image

If you look at your local Active Directory Users and Computers you will normally find the forest name at the top of the tree. In this case it is kumoalliance.org.

Note that your users need to have a routable domain assigned locally as their primary UPN, not something like .local or .lan. If they do, then you will need to change this prior to synchronisation or otherwise users won’t end up correctly in Office 365.

Take a look at this article:

How to synchronize a .local domain

on how to update your users if you only have a .local domain.

Also note here that I have four users in my local domain also shown above.

image

When the correct local domain administration credentials have been entered select the Add Forest button.

image

If that is successful you should see your domain listed below the entry fields as shown above.

Select the Next button to proceed.

image

You should now see the connector from your local AD to Azure being created and configured as shown above.

image

You are now given the options to match local users to Azure AD users if they exist. This will basically match on premises AD objects to those already in Azure AD.

Because there are currently no users in my Office 365 tenant there are none that require matching so best practice is to leave the default options configured and select the Next button to continue but as you can see, you can match users between your local AD and the cloud via a variety of options.

image

Remember again, that my Office 365 tenant is empty except for the default admin account as shown above.

image

You are now presented with the Optional features page. You can learn more about the options here at:

https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx#BKMK_ConfigureSynchronizationOptions

Where many get confused is the difference between Password write-back and Password synchronization. Password write-back is an Azure Active Directory Premium feature. For more information on how to configure this, see:

Password writeback: how to configure Azure AD to manage on-premises passwords

and 

http://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx

image

Office 365 currently doesn’t include Azure AD Premium so the only option available is Password synchronization which you should select. More information on password synchronization can be found here:

https://msdn.microsoft.com/en-us/library/azure/dn835016.aspx

Remember, Azure AD sync allows the connection of more than just Office 365 to your local AD, that’s why there are more options here.

The new sync tool, Azure AD Connect, that is in preview, will support password writeback as the above blog post highlights towards the end of the post. As I said, I will also do a post on this soon.

So, in summary here, select Password synchronization and then the Next button to continue.

image

You can now review the information and when ready select the Configure button to continue.

image

The tool will now complete the configuration and enable the options you selected. You can see it connecting as shown above.

image

You will then see it enable the options you selected with any issues or errors highlighted.

image

When the process is complete you’ll have the option to Synchronize now, which you can uncheck if desired. Remember, this first sync may be quite large and take some time depending on how many objects are being copied to Office 365.

However, in most cases, you’ll leave this option checked and select the Finish button.

image

In a very short period of time you should see your users appear in the Office 365 console as shown above.

image

However, importantly, they will not have a license assigned to them so they won’t have things like a mailbox yet.

Why is that? Remember you can have many different types of licenses in Office 365 and you can allocate them to different users as you please. The sync client doesn’t know which licenses you want applied to which user so they need to be applied manually.

image

If all the users are going to get the same license simply select all the users in bulk as shown above, then select the Activate synced users hyperlink in the lower right hand side.

image

Then assign the location and license you want to apply to these users and select the Activate button at the bottom of the screen.
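The Azure AD Connect post above notes that synced users have to be licensed via the browser or PowerShell, and the steps just described do it in bulk through the browser. The following is an added example, not code from the original post, that does the same bulk activation from PowerShell with the Azure Active Directory (MSOnline) module: it finds directory-synced users that have no license, sets their usage location and assigns one SKU. The usage location “AU” and the SKU part number “ENTERPRISEPACK” (E3) are assumptions; change them for your tenant.

```powershell
# Added example (not from the original post): license every directory-synced
# user that has no license yet, using the MSOnline module.
# Assumptions: usage location 'AU' and SKU part number 'ENTERPRISEPACK' (E3).

Import-Module MSOnline
Connect-MsolService   # prompts for global administrator credentials

$usageLocation = 'AU'
$skuPart       = 'ENTERPRISEPACK'

# Resolve the tenant-qualified SKU id, which looks like contoso:ENTERPRISEPACK
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like "*:$skuPart" }
if ($null -eq $sku) { throw "SKU $skuPart not found in this tenant" }

$available = $sku.ActiveUnits - $sku.ConsumedUnits
Write-Host "$($sku.AccountSkuId): $available license(s) available"

# Synced users carry a LastDirSyncTime; cloud-only users do not.
$targets = @(Get-MsolUser -All -UnlicensedUsersOnly |
             Where-Object { $null -ne $_.LastDirSyncTime })
Write-Host "$($targets.Count) unlicensed synced user(s) found"

if ($targets.Count -gt $available) {
    Write-Warning "Only $available license(s) for $($targets.Count) user(s); the rest will be skipped"
}

foreach ($user in $targets) {
    if ($available -le 0) { break }
    # A usage location must be set before a license can be assigned.
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -UsageLocation $usageLocation
    Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $sku.AccountSkuId
    $available--
    Write-Host "Licensed $($user.UserPrincipalName)"
}
```

Filtering on LastDirSyncTime keeps cloud-only accounts (such as the unlicensed global administrator used for the sync itself) out of the loop, and checking the available unit count first avoids a run that fails part-way through when the tenant runs out of licenses.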

image

The process is now complete. Your local AD users are now synced to Office 365 using Azure AD Sync Services. If they change their password on premises it is also synced, using password hashing, to Office 365.

Points to remember with Azure AD Sync (and DIRSYNC for that matter):

– By default, passwords changed in the cloud are overwritten when the next sync from on premises AD occurs.

– Information is copied from local AD to Office 365, not back. That is, the way it was installed above, it is a one way sync from on premises to Office 365.

– Owners of an on-premises distribution group that’s synced to Office 365 can’t manage the distribution group in Exchange Online.

– Azure AD Sync Services allow the configuration of object filtering.

– Changes are synchronized based on a three-hour interval (this is the same interval that is also used by DirSync). There is a scheduled task running as the service account which will run the cycle. If you unselected “synchronize changes now” during installation then the task is installed as “disabled”. You can force synchronization using a PowerShell command if required, as well as by running the following file:

C:\Program Files\Microsoft Azure AD Sync\Bin\directorysyncclientcmd.exe

– You can upgrade from DIRSYNC to Azure AD Sync Services.

– The new Azure AD Connect tool is due soon with more features (blog post on that coming soon).
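Both this post and the Azure AD Connect post above point at directorysyncclientcmd.exe as the way to force a sync. The following added example (not code from the original posts) wraps that in a script that checks the scheduled task is not sitting disabled, runs a delta sync, and then confirms from the tenant side that LastDirSyncTime actually advanced. The default install path is taken from the posts; the task name “Azure AD Sync Scheduler” is an assumption, so check Task Scheduler on your own sync server. The MSOnline module is used for the tenant-side check.

```powershell
# Added example (not from the original posts): force a delta sync and verify it ran.
# Assumptions: default install path; scheduled task name 'Azure AD Sync Scheduler';
# Get-ScheduledTask needs Windows Server 2012 / Windows 8 or later.

$syncExe  = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'
$taskName = 'Azure AD Sync Scheduler'   # assumed name of the three-hourly task

if (-not (Test-Path $syncExe)) { throw "Sync client not found at $syncExe" }

# 1. The task is installed disabled if "synchronize now" was unchecked at install,
#    in which case scheduled syncs never run and only manual ones happen.
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($null -eq $task) {
    Write-Warning "Task '$taskName' not found; check Task Scheduler for the sync task name"
} elseif ($task.State -eq 'Disabled') {
    Write-Warning "Task '$taskName' is disabled; run Enable-ScheduledTask -TaskName '$taskName' to restore scheduled syncs"
}

# 2. Record the tenant's last sync time before forcing a new cycle.
Import-Module MSOnline
Connect-MsolService   # prompts for global administrator credentials
$before = (Get-MsolCompanyInformation).LastDirSyncTime
Write-Host "Last directory sync reported by the tenant: $before"

# 3. Run a delta sync (changes since the last cycle); 'initial' would do a full sync.
& $syncExe delta
if ($LASTEXITCODE -ne 0) {
    Write-Warning "DirectorySyncClientCmd.exe exited with code $LASTEXITCODE; check the Synchronization Service Manager"
}

# 4. Poll the tenant (up to 10 minutes) until LastDirSyncTime moves past the old value.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $after = (Get-MsolCompanyInformation).LastDirSyncTime
} until (($null -ne $after -and $after -gt $before) -or (Get-Date) -gt $deadline)

if ($null -ne $after -and $after -gt $before) {
    Write-Host "Sync completed; tenant last sync time is now $after"
} else {
    Write-Warning "LastDirSyncTime did not advance within 10 minutes; inspect the run history in the Synchronization Service Manager"
}
```

Comparing LastDirSyncTime before and after is a cheap way to tell a sync that genuinely exported to Office 365 from one that ran locally but failed on the Azure AD side, which the exit code alone does not always reveal.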

image

You’ll also find some tools installed on your sync machine to help manage and troubleshoot the sync process.

image

Like the Synchronization Service Manager shown above, which gives you low level insight into what the sync is actually doing. More on that again in an upcoming post.