Office 365 Saturday–Sydney

O365 Saturday Australia

I have been lucky enough to be selected to speak at the Office 365 Saturday event in Sydney this weekend, the 13th June. My session is on the ‘Business of Yammer’ but I am also looking forward to a full day of Office 365 topics presented by some very knowledgeable people in the SharePoint and Office 365 space.

One of the sessions I am really keen to see is the one on PowerBI. So if you are interested in attending you can register at:

http://www.o365saturdayaustralia.com/Pages/Sydney.aspx

O365 Saturday Sydney kicks off registrations at 8:30am on 13th June at Cliftons – 13/60 Margaret Street, Sydney NSW, 2000.

The whole day is free and a great opportunity to do some networking and get those burning Office 365 questions answered. If you are planning on attending let me know and we can perhaps catch up.

I hope to see you there.

More granular admin roles now available in Office 365

image

You should now start seeing in your Office 365 tenants the ability to set more granular administration roles for your users in Office 365 as shown above.

You’ll see all the old favourites such as Billing administrator and User Management administrator, but you’ll also now see some new ones like SharePoint and Skype for Business administrator. This allows you to delegate administration for a particular service to a particular user.

Great, some more options when it comes to assigning rights with Office 365!

Azure AD Connect (Preview)–Install

In a recent post I detailed the current replacement product to DIRSYNC:

Azure AD Sync Services tool – the basics

In there I noted that this will soon be replaced with Azure AD Connect which is currently in preview:

Azure AD Connect Preview 2 is available

I thought I’d run through a short walk through experience of installing Azure AD Connect just so you can see. When the product comes out of preview I’ll do something in more detail.

image

You download and run the tool.

image

This will give you an icon on your desktop and launch the install wizard.

image

You need to agree to the license terms.

image

You select the Continue button.

image

You’ll be prompted to install any prerequisites. Press the Install button to continue.

image

You can select any custom configuration you desire. Press the Install button to continue.

image

You should now see the service commence installing by installing SQL Express as AD Sync Services did.

image

It will then start installing the Synchronization Service.

image

Next, you’ll need to enter your Office 365 credentials and select Next.

image

You should then see the connection to your tenant being made.

image

At this point you can elect to use the express settings or work through the customised options. The express options will automatically:

– Configure synchronization of identities in the current AD forest

– Configure password synchronization from on premise AD to Azure AD

– Start an initial synchronization

– Synchronize all attributes

For most standard configurations this is fine but we will select the Customize option rather than the Use express settings here to see all the options.

image

Select the Password Synchronization option and Next to continue.

image

Next, enter your on premises domain credentials and select Add Directory. If you have more local domains you can add these but normally all you need to do after adding the local domain is select Next.

image

The local AD information will be retrieved.

image

Here is where you can now elect to filter what is synchronised. Since we only have one domain we’ll elect to synchronise everything and press Next to continue.

image

Normally you select Users are represented once across all directories here and press Next.

image

This option allows you to match on premises users with those in the cloud via different attributes. Best practice is normally to leave the default options and select Next to continue.

image

There are lots of options here that are in preview. Select the Password writeback to sync information from your local AD to Office 365. Remember that at the moment two way sync will not occur unless you have an Azure AD Premium subscription, which is not part of Office 365. Office 365 only includes free Azure AD.

The hope however is that when Azure AD Connect comes out of preview the ability to sync passwords from local AD to Office 365 and back will be included with all Office 365 plans. However, right here, right now for two way syncing you need an Azure AD Premium subscription.

Select Next to continue.

image

Everything is now ready to configure so press the Install button to proceed.

image

The wizard will now do its thing.

image

Configuring your Office 365.

image

Updating rules

image

The on premises domain.

image

Then enables password sync.

image

In a few moments the process will be complete and you can press Exit to end.

image

As before, you’ll find a number of new applications installed.

image

The Synchronization Service will give you the ability to monitor the progress real time.

image

If a user tries to change a password in their web portal they will be greeted with the above message, basically informing them that it has to be changed on premises, NOT in the cloud.

image

An Office 365 administrator can reset the password via the admin portal for a user but after the next sync has run from the local AD that changed password will be overwritten with the one from on premises.

Thus, there is not a huge change between what we have now with Azure AD Sync Services and what is coming with Azure AD Connect. At this stage, you still need an Azure AD Premium subscription to do password write back to on premises as well as many of the advanced features. The hope is that this will change when Azure AD Connect comes out of preview. Fingers crossed.

SharePoint Online Backups

I get lots of questions about how/if data is backed up with SharePoint Online. Remember that SharePoint Online is composed of two items, Team Sites and OneDrive for Business. Both of these are SharePoint. OneDrive for Business is simply a very limited set of standard Team Site features, but it STILL IS SharePoint.

As I say over and over and over again, SharePoint is a collaboration system not just a file share. It is very different from a traditional network share. Thus, the way that data is stored is very different to start out with.

Firstly, all of SharePoint’s data is stored in a database. Calendars, contacts, lists AND files are all stored inside a database because they are objects. This means that when you upload a file to SharePoint Online it is wrapped inside an object that contains additional information, not just the file. This information could be metadata, workflows, previous versions and more.

When a user deletes something from SharePoint Online it will generally be sent to their recycle bin. They can recover it from here themselves currently for a period of 93 days.

If in that 93 days the file is deleted from the user’s recycle bin it is moved to an administrator recycle bin for the remainder of those 93 days.

Points to remember with the recycle bin:

– Deleted items can be recovered up to 93 days after deletion

– Items in the user’s recycle bin count against the storage quota for that site. Items in the administrator’s recycle bin don’t count against the storage quota for the site.

– The administrator recycle bin can only be accessed by a Site Collection Administrator.

For more information about various recycle bins and how to recover see:

Manage the Recycle Bin of a SharePoint Online site collection

Document Libraries, i.e. where files are stored in SharePoint, have version history enabled by default and set to save 500 versions of a file. Each time a file is changed and saved a new copy is retained. This versioning can be edited and disabled if required and also counts against your site storage quota.

For more on versioning see:

How does versioning work in a list or library?

Apart from that, SharePoint Online:

– Is backed up every 12 hours and kept for 14 days

– The only recovery option is a full site collection restore

– To perform a site collection restore you must contact technical support

– The restore location is the same as the source, so you will lose all data that is currently hosted there.

Further details are contained in this blog post:

Restore options in SharePoint Online

If none of these options are adequate then there are third party backup providers like:

Leaphq

and

CloudFinder

and others that can provide an alternate method of backing up SharePoint data.

With all SharePoint Online backup options, you need to understand that some allow recovery of any item (i.e. appointment, list item, contact, file etc.) while some just allow recovery of files.

In my experience, with document library versioning now enabled by default and the presence of a recycle bin, there is generally no need for a third party tool, however they are available if your needs are not adequately covered by the tools built into SharePoint.

Azure AD Sync Services tool–the basics

The most popular post on my blog is currently:

Windows Azure Active Directory Sync tool (DIRSYNC) – the basics

The currently recommended tool for syncing your on premises AD to Office 365 is now not DIRSYNC but:

Azure AD Sync Services

There is a further updated version that is currently in preview called:

Azure AD Connect

and you can read more about that preview here:

Azure AD Connect Preview 2 is available

I’ll do a blog post on that very soon, but for now let’s concentrate on what is generally available.

You can read more about Azure Active Directory Sync here:

https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx

image

Firstly, download the tool from the link above. In this case I am installing on a clean AD and I’m also going to install the tool onto a domain controller, which is supported but not best practice. I am also using a new, empty demo Office 365 E3 tenant.

After you have made sure your on premises AD is in good health, and before installing the sync tool on your network, you should login to your Office 365 tenant as a global administrator and navigate to the Admin portal.

image

You then need to select the Active Users option from beneath the Users menu item in the options on the left of the Office 365 Admin portal.

image

Note that I have no users apart from the Global Administrator in my new Office 365 tenant initially.

image

At the top of the Active Users dashboard you will see an option called Active Directory synchronization as shown above. Select the Set up hyperlink to the right.

image

This will then present you with a number of steps. You should complete Steps 1 and 2, which I have already completed.

Then select the Activate button under option 3.

image

You’ll then be prompted to confirm you do want to proceed with synchronization. Note the warnings and select the Activate button to proceed.

image

You should now see that option 3 displays Active Directory synchronization is activated as shown above.

image

Return to your on premises sync server and double click on the package you downloaded. It will be extracted.

image

Double click the icon it places on the desktop to commence the configuration process.

image

You are prompted for the location to install the software. The default location is:

c:\program files\microsoft azure ad sync

You can however change this if desired.

image

When you have entered in the appropriate installation directory and checked the I agree to the license terms box, you can select the Install button in the lower right hand corner.

image

You will now see the program install the files to the installation directory as shown above.

image

You will then see Microsoft SQL Express being installed. Having SQL on a domain controller is generally not best practice but is supported now. However, beware that the sync tool will install and use SQL Express by default.

image

You will then see it installing the actual Sync Service on your machine.

image

Amongst a few other Azure services installed on your machine you’ll now find the Microsoft Azure AD Sync service as shown above.

image

You’ll then be prompted to enter your details for Azure AD as shown above.

image

Remember, Office 365 is built on Azure AD and uses it to manage identity. Thus, here you now enter your Office 365 global administrator credentials.

Best practice is to use a dedicated global administration account that has not been assigned any licenses. That is, create a new user and make them a global administrator but don’t assign them a license in your Office 365. Then only use this user to synchronise your local AD to Office 365.

Here, I am just going to use the default tenant administrator to keep it simple but, importantly, the user you enter here MUST have the Office 365 Global Administration role.

When you have completed the required details here press the Next button to proceed.
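To check the dedicated sync account practice described above, the following added example (not from the original post) lists every user holding the Global Administrator role and whether they carry a license. It assumes the Microsoft Graph PowerShell SDK, which postdates this post, and the account name in $syncAccountUpn is a made-up placeholder.

```powershell
# Added example: review Global Administrator membership and licensing.
# Assumes the Microsoft Graph PowerShell SDK is installed.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

# Hypothetical placeholder: replace with the UPN of your dedicated sync account.
$syncAccountUpn = 'svc-dirsync@contoso.onmicrosoft.com'

# Find the Global Administrator directory role and its members.
$role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # Role members can also be service principals or groups; only users are reviewed here.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $u = Get-MgUser -UserId $m.Id -Property 'userPrincipalName,accountEnabled,assignedLicenses'
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.AccountEnabled
        Licensed          = (@($u.AssignedLicenses).Count -gt 0)
        IsSyncAccount     = ($u.UserPrincipalName -eq $syncAccountUpn)
    }
}

$report | Sort-Object UserPrincipalName | Format-Table -AutoSize

# The sync account should hold the role and carry no license.
$sync = $report | Where-Object IsSyncAccount
if (-not $sync) {
    Write-Warning "$syncAccountUpn is not a Global Administrator; the sync wizard will reject it."
} elseif ($sync.Licensed) {
    Write-Warning "$syncAccountUpn has a license assigned; best practice is to leave it unlicensed."
} else {
    Write-Host "$syncAccountUpn is an unlicensed Global Administrator, as recommended."
}
```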

image

The provided login will then be authenticated.

image

If you have not as yet enabled directory synchronization in your Office 365 tenant, as detailed previously, you will see the above error message.

image

You will be prompted to enable this before you can proceed further.

image

You’ll then be prompted for a local forest (domain) and domain administrator as shown above.

image

If you look at your local Active Directory Users and Computers you will normally find the forest name at the top of the tree. In this case it is kumoalliance.org.

Note that you need to have users assigned to a routable domain locally as their primary UPN, not something like .local or .lan. If they are on a non-routable domain, then you will need to change this prior to synchronisation, otherwise users won’t end up correctly in Office 365.

Take a look at this article:

How to synchronize a .local domain

on how to update your users if you only have a .local domain.
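One way to check for this before the first sync, as an added example that is not part of the original post: the script below lists the UPN suffixes defined in the forest and reports enabled accounts whose UPN is missing or ends in .local or .lan. It assumes the ActiveDirectory PowerShell module is available on the machine; the suffix pattern is an assumption you can extend.

```powershell
# Added example: pre-sync check for non-routable UPN suffixes.
# Requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Suffixes the post calls out as non-routable; extend as needed (assumption).
$nonRoutablePattern = '\.(local|lan)$'

# UPN suffixes available in the forest: the domain names plus any added alternatives.
$forest = Get-ADForest
$forestSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
Write-Host "UPN suffixes defined in forest '$($forest.Name)':"
$forestSuffixes | ForEach-Object {
    $state = if ($_ -match $nonRoutablePattern) { 'NON-ROUTABLE' } else { 'routable' }
    Write-Host ("  {0,-30} {1}" -f $_, $state)
}

# Enabled user accounts whose UPN is missing or ends in a non-routable suffix.
$problems = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    ForEach-Object {
        $upn = $_.UserPrincipalName
        $issue = $null
        if ([string]::IsNullOrWhiteSpace($upn)) {
            $issue = 'No UPN set'
        } elseif ($upn -notmatch '@') {
            $issue = 'UPN has no suffix'
        } elseif ($upn.Split('@')[-1] -match $nonRoutablePattern) {
            $issue = 'Non-routable suffix'
        }
        if ($issue) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $upn
                Issue             = $issue
            }
        }
    }

if ($problems) {
    Write-Warning "$(@($problems).Count) account(s) need a routable UPN before the first sync:"
    $problems | Sort-Object Issue, SamAccountName | Format-Table -AutoSize
} else {
    Write-Host 'All enabled accounts have a routable UPN suffix.'
}
```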

Also note here that I have four users in my local domain also shown above.

image

When the correct local domain administration credentials have been entered select the Add Forest button.

image

If that is successful you should see your domain listed below the entry fields now as shown above.

Select the Next button to proceed.

image

You should now see the connector from your local AD to Azure being created and configured as shown above.

image

You are now given the options to match local users to Azure AD users if they exist. This will basically match on premise AD objects to those already in Azure AD.

Because there are currently no users in my Office 365 tenant there are none that require matching, so best practice is to leave the default options configured and select the Next button to continue. As you can see, though, you can match users between your local AD and the cloud via a variety of options.

image

Remember again, that my Office 365 tenant is empty except for the default admin account as shown above.

image

You are now presented with the Optional features page. You can learn more about the options here at:

https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx#BKMK_ConfigureSynchronizationOptions

Where many get confused is the difference between Password write-back and Password synchronization. Password write-back is an Azure Active Directory Premium feature. For more information on how to configure this, see:

Password writeback: how to configure Azure AD to manage on-premises passwords

and 

http://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx

image

Office 365 currently doesn’t include Azure AD Premium so the only option available is Password synchronization which you should select. More information on password synchronization can be found here:

https://msdn.microsoft.com/en-us/library/azure/dn835016.aspx

Remember, Azure AD sync allows the connection of more than just Office 365 to your local AD, that’s why there are more options here.

The new sync tool, Azure AD Connect, that is in preview, will support password writeback as the above blog post highlights towards the end of the post. As I said, I will also do a post on this soon.

So, in summary here, select Password synchronization and then the Next button to continue.

image

You can now review the information and when ready select the Configure button to continue.

image

The tool will now complete the configuration and enable the options you select. You see it connecting as shown above.

image

You will then see it enable the options you selected with any issues or errors highlighted.

image

When the process is complete you’ll have the option to Synchronize now, which you can uncheck if desired. Remember, this first sync may be quite large and take some time depending on how many objects are being copied to Office 365.

However, in most cases, you’ll leave this option checked and select the Finish button.

image

In a very short period of time you should see your users appear in the Office 365 console as shown above.

image

However, importantly, they will not have a license assigned to them so they won’t have things like a mailbox yet.

Why is that? Remember you can have many different types of licenses in Office 365 and you can allocate them to different users as you please. The sync client doesn’t know which licenses you want applied to which user so they need to be applied manually.

image

If all the users are going to get the same license simply select all the users in bulk as shown above, then select the Activate synced users hyperlink in the lower right hand side.

image

Then assign the location and license you want to apply to these users and select the Activate button at the bottom of the screen.

image

The process is now complete. Your local AD users are now synced to Office 365 using Azure AD Sync Services. If they change their password on premises it is also synced using password hashing to Office 365.

Points to remember with Azure AD Sync (and DIRSYNC for that matter):

– By default, passwords changed in the cloud are overwritten when the next sync from on premises AD occurs.

– Information is copied from local AD to Office 365 not back. That is, the way it was installed above, it is a one way sync from on premises to Office 365.

– Owners of an on-premises distribution group that’s synced to Office 365 can’t manage the distribution group in Exchange Online.

– Azure AD Sync Services allows the configuration of object filtering.

– Changes are synchronized at a three hour interval (this is the same interval that is also used by DirSync). There is a scheduled task running as the service account which will run the cycle. If you unselected “synchronize changes now” during installation then the task is installed as “disabled”. You can force synchronization using a PowerShell command if required as well as running the following file:

C:\Program Files\Microsoft Azure AD Sync\Bin\directorysyncclientcmd.exe

– You can upgrade from DIRSYNC to Azure AD Sync Services.

– The new Azure AD Connect tool is due soon with more features (blog post on that coming soon).

image

You’ll also find some tools installed on your sync machine to help manage and troubleshoot the sync process.

image

One of these is the Synchronization Service Manager shown above, which gives you a low level insight into what the sync is actually doing. More on that again in an upcoming post.

Switching on to PowerBI

One of the most powerful applications just about every business has at their fingertips is Excel. What this product can do is truly amazing when you explore it fully. The downside is that most people use less than ten percent of the product’s capabilities.

Some of the more advanced features of Excel are Pivot tables. In essence, these allow you to create basic data cubes to easily slice and dice your raw data to create information that has value and provides insight. Sadly again, few people even know what Pivot tables are, let alone have used them.

The growing demand in our increasingly data-driven world is for a method of producing meaningful information from a vast array of raw data input sources. Microsoft is providing such a solution in the form of PowerBI.

The latest version of PowerBI from Microsoft is now available in preview for free. You can sign up at:

http://www.powerbi.com

When you do, you’ll be presented with some sample Retail Analysis data that looks like this:

image

As interesting as that is, it is a little abstract. Where you begin to appreciate the role that PowerBI can play for you is when you select the option to Get Data.

image

Here you’ll now see a variety of sources that PowerBI can report on. One of the options you’ll see from the above screenshot is Google Analytics web data.

image

When you connect up your Google Analytics you’ll get a new dashboard, as you see above, with all of the information about your web site. In this case, I’m looking at data from my www.anzacsinfrance.com web site.

image

At the top of the dashboard you’ll see a box into which you can type a free form query. So if I type “total hits” the dashboard automatically shows me the result as you see above.

image

If I now extend that query to “total hits last month” the result is immediately updated and displayed as shown above.

image

If I extend that further to “total hits last month in turkey” I see a result of 6 website views from Turkey in the last month.

image

If I extend that once more to “total hits last month in turkey compared to france” I now get a graph as shown above.

Hopefully, you can see the possibilities and the depth of reporting that is possible. And of course you can pin these queries to your dashboard so they display upon your return.

image

Apart from the adhoc dashboard you can create multi page reports. The above is an example from my web site data. Again, you can customise these easily in the web browser or download the PowerBI Designer for your desktop.

As you saw earlier, one of the data sources I can use is a plain old Excel file, uploaded from your desktop or saved in OneDrive consumer or OneDrive for Business.

image

Once the spreadsheet is available to PowerBI, you can start creating reports based on the Excel Pivot tables I alluded to earlier. You do this by simply dragging and dropping the desired column heading into the appropriate locations (axis, values, etc.). The difference here is that I am doing this in a browser in a way that I can pin the result to a dashboard and report.

image

I can also now quickly and easily change the style of graph that is displayed, change the data I report on, create more results on the page or create additional pages effortlessly.

image

I can also easily share my dashboards with others when they are complete.

Microsoft is announcing more and more options for data sources with PowerBI. One of the upcoming options will be analytics from Office 365 with the soon to be released Office 365 content pack for PowerBI.

Whats new in Office 365 Administration from Microsoft Ignite 2

This should allow you to produce reports from Office 365 like you see in the above screenshot taken from the announcement blog post.

At the core of PowerBI is the concept of data sets. Raw data sets are ordered by Excel style Pivot tables with the results being surfaced through PowerBI. Thus, to get meaningful results you need to understand Excel Pivot tables. If you don’t, now might be the time to fire up that version of Excel and start learning!

Hopefully, giving you this small inkling of what is possible with PowerBI will inspire you to dive into the product and learn what it can offer. I know I am and am amazed every day with what is possible and will be detailing more in upcoming posts. That it is also in preview and free to access is an even better reason not to hesitate but to dive in now and power up with PowerBI.

Troubleshooting OneDrive for Business links

Still working through all the recent Microsoft Ignite content but here are some handy links for troubleshooting OneDrive for Business that I’ll share.

Use the OneDrive for Business Sync Guide for initial setup – http://aka.ms/SetupOD4B

Make sure that the OneDrive for Business sync app is kept up-to-date – http://aka.ms/UpdateOD4B

Use valid file and folder names, and stay within file size, item count, and file path length limits – http://aka.ms/OD4BLimits

Resolve issues by following these best practices

First, try repairing the OneDrive for Business sync connection – http://aka.ms/RepairOD4B

Next, stop syncing and then restart syncing – http://aka.ms/StopOD4B and http://aka.ms/SyncOD4B

Next, try the OD4B Troubleshooter – http://aka.ms/TShootOD4B

Remember, the next gen sync client is due soon! See my previous post on the topic:

https://blog.ciaops.com/2015/05/more-onedrive-information-from-ignite.html

Office First Release filtering

image

A while back I posted how I had jumped the gun on wanting the First Release option of Office 365 being restricted to certain users inside an Office 365 tenant (mainly to restrict the potential use of Office 2016 Preview).

The good news is, as you can see from the above, it has arrived in my tenant. To access it you log in to Office 365 as an administrator and then select Service Settings, Updates from the admin portal. You will now see the option to be on the Standard release (slower) or First release (faster) when it comes to new Office 365 features. You’ll also see the option, if you select First release, to select those people in your organisation who will receive First release features, leaving the remainder on the standard release path.

This allows you to elect a subset of users within your Office 365 tenant who can access the new features without them becoming available to everyone immediately.

Office 365 release options