
Server Guy UK Lives!


Server Guy is a new initiative by Microsoft UK to build and maintain an audience of IT professionals with an interest in Windows Server 2016.

Server Guy will be blogging, tweeting, holding hangouts / meetups and producing newsletters to help you buy, sell, use and enjoy Windows Server 2016.

In addition, Server Guy will be providing a 5-hour SLA on email enquiries (Mon-Fri 0900-1700 UK time).

Got a question on Core licensing, Storage spaces direct, how to perform a rolling cluster upgrade?

Send it to Server Guy at ServerGuy@microsoft.com or send him a tweet at https://twitter.com/ServerGuyUK

Coming soon - Who is Server Guy? What will Server Guy do and when?

 

 

 


Office 365 Weekly Digest | July 30 – August 5, 2017


Welcome to the July 30 - August 5, 2017 edition of the Office 365 Weekly Digest. Please see this page for details on a change regarding the inclusion of Message Center notification details in these weekly posts.

The Online Immersion events have returned with three options - productivity hacks (Office 365, Windows 10 and Dynamics 365), business analytics (Power BI), and teamwork (Office 365, Microsoft Teams and Windows 10). Seating in these sessions is limited, so be sure to reserve your seat as soon as possible.

A summary of new features and updates for July 2017 kicks off last week's blog posts, followed by a couple of announcements for Microsoft Teams including new admin controls for third-party apps, as well as an Outlook add-in for scheduling meetings in Microsoft Teams. Details on policy recommendations in Office 365 data loss prevention, access to Communication Sites in the SharePoint mobile apps, and improvements to SharePoint links and announcement lists are also provided.

The noteworthy items have a little of everything from Microsoft Planner enhancements and allow/block guest access based on domain in Office 365 Groups, to an update on the deprecation of SharePoint Online Site Mailboxes, and the announcement of new auto attendant and call queue features in Skype for Business. Also highlighted are pertinent posts from the Azure Active Directory Team regarding upcoming changes to the sign-in experience and conditional access for Office.com.

 


UPCOMING EVENTS

 

Free Microsoft Innovative Educator (MIE) Teacher Academy

When: August 8, 2017 through September 29, 2017 at various US locations | Microsoft Innovative Educator (MIE) Trainers are leading fun, professional development sessions this summer and they’re coming to a city near you. Join us for these BYOD workshops showcasing Microsoft’s hottest tools and resources for K-12 teachers, built to empower students to achieve more. Attendees will get to explore tools such as Microsoft Teams, Office Online, OneNote Class Notebooks, Microsoft Forms and Sway, and learn how technology can provide their students with learning experiences beyond the four walls of their classroom, thanks to Skype in the Classroom and the Microsoft Educator Community. Register today and join us at an upcoming Teacher Academy near you!

 

Azure Active Directory Webinars for August

When: Multiple sessions currently scheduled from August 8 - August 17, 2017 | New for August - Azure AD Identity Protection and Privileged Access Management! Sessions include Azure AD Connect Health, Getting Ready for Azure AD, Securing Your Identities with Multi-Factor Authentication (MFA), Accessing Your Organization’s Internal Applications via Azure AD App Proxy and more. Each 1-hour or 75-minute webinar is designed to support IT Pros in quickly rolling out Azure Active Directory features to their organization. All webinars are free of cost and will include an anonymous Q&A session with our Engineering Team. So, come with your questions!  Capacity is limited. Sign up for one or all of the sessions today!  Note: There are also some sessions available on-demand.

 

Productivity Hacks to Save Time & Simplify Workflows

When: Wednesday, August 23, 2017 and Wednesday, August 30, 2017 at 1pm ET | This 90-minute hands-on experience will give you the opportunity to test drive Windows 10, Office 365 and Dynamics 365. A trained facilitator will guide you as you apply these tools to your own business scenarios and see how they work for you. During this interactive session, you will: (1) Discover how you can keep your information more secure without inhibiting your workflow, (2) Learn how to visualize and analyze complex data, quickly zeroing in on the insights you need, (3) See how multiple team members can access, edit and review documents simultaneously, and (4) Gain skills that will save you time and simplify your workflow immediately. Each session is limited to 12 participants, reserve your seat now.

 

Visualizing, Analyzing & Sharing Your Data Without Having to be a BI Expert

When: Thursday, August 24, 2017 at 1pm ET | This 90-minute hands-on experience will give you the opportunity to test drive the latest business analytics tools. A trained facilitator will guide you as you apply these tools to your own business scenarios and see how they can work throughout your organization. During this interactive session, you will explore how to: (1) Locate and organize large amounts of data from multiple sources, (2) Visualize complex data and identify trends quickly without having to be a BI expert, (3) Find and collaborate with company experts on the fly, even if they work in another part of the country, and (4) Gather colleague’s opinions easily and eliminate communication and process bottlenecks. Each session is limited to 12 participants, reserve your seat now.

 

Connecting, Organizing & Collaborating with Your Team

When: Wednesday, August 31, 2017 at 1pm ET | During this session, you will have the opportunity to experience Windows 10, Office 365 and Microsoft’s newest collaboration tool: Microsoft Teams. A trained facilitator will guide you as you apply these tools to your own business scenarios and see how they work for you. During this interactive session, you will explore how to use Microsoft Teams and Office 365 to: (1) Create a hub for team work that works together with your other Office 365 apps, (2) Build customized options for each team, (3) Keep everyone on your team engaged, (4) Coauthor and share content quickly, and (5) Gain skills that will save you time and simplify your workflow immediately. Each session is limited to 12 participants, reserve your seat now.

 


BLOG ROUNDUP

 

New to Office 365 in July—Microsoft 365, business apps and more

In July, we hosted more than 17,000 attendees at Microsoft Inspire, our annual conference for partners, where we announced Microsoft 365, which brings together Office 365, Windows 10 and Enterprise Mobility + Security to deliver a complete, intelligent and secure solution to empower employees. We also debuted three new business apps to help companies of all sizes empower their employees and unlock growth and innovation. This month's Office 365 updates to Office apps make it easier to create professional-looking presentations and to identify and correct errors while editing documents. There were also additional updates for Office 365 commercial customers, with updates to Outlook on the web and Windows desktop, the Outlook app for iOS and enhancements to Microsoft StaffHub. Learn more about what’s new for Office 365 subscribers this month at: Office on Windows desktop | Office for Mac | Office Mobile for Windows | Office for iPhone and iPad | Office on Android Phones and Tablets.

 

New admin controls for apps in Teams

Earlier this year, we introduced a rich platform for Microsoft Teams including bots, tabs, and connectors. We are now introducing a way for admins to control which third parties can integrate with Microsoft Teams. Third party services are building rich and super powerful experiences by extending Microsoft Teams in multiple ways. We're calling these experiences apps. For example, developers can implement an app with a bot and a tab, or an app with a tab and a connector, or an app with all three capabilities at once! And now as an IT admin you can have complete control over which apps are available to your end users. There will be three new controls that will allow you to manage in detail which third party apps can be used in Microsoft Teams. As an admin, you can: (1) Choose to allow or block all third-party apps, (2) Individually choose which apps to allow or block, or (3) Choose what happens as new apps get submitted into the Microsoft Teams app catalog.

 

Now available: Outlook add-in to schedule meetings in Microsoft Teams

We are pleased to announce that we’ve released an add-in for Outlook that allows you to schedule Microsoft Teams meetings from Outlook. In your calendar view in Outlook, you will now see a new button called “New Teams Meeting.” Clicking this button opens a new Outlook invite that includes the coordinates for your Microsoft Teams meeting, which you can customize with your meeting details. Once saved, this meeting will show up in both the meeting list within your Microsoft Teams client and in your Outlook calendar. Invited participants will also have this invite on their calendar and will be able to join the meeting from either Teams or the Outlook calendar invite – all they have to do is simply click the link from within the invite or switch to the Teams client and click on the meeting link there. The add-in will be automatically installed for users who have Microsoft Teams and either Office 2013 or Office 2016 installed on their Windows PC. If you do not want the add-in to appear, you can learn how to manage Outlook add-ins here. Note: The Teams Outlook Add-in requires users to sign-in to Teams using Modern Authentication. If a user does not use this method to sign-in, they’ll still be able to use the Teams client but will be unable to schedule Teams online meetings using the Outlook add-in.

 

New policy recommendations in Office 365 data loss prevention

We’re excited to announce the release of new DLP recommendations for unprotected sensitive information in Office 365. This insight-driven recommendation helps you keep your sensitive content secure when it’s stored and shared in Office 365 by informing you when there’s a possible gap in your DLP policy coverage – we even provide an “easy button” to turn on a customized DLP policy to keep that content protected. To see the recommendation, visit the Office 365 Security and Compliance Center homepage and look for the “Recommended for you” section on the right side. (If you don’t see it yet, click “+More”.) If you have content that isn’t protected by one of our top 5 sensitive information types, you’ll see a breakdown of what kind of content was detected, and an option to “Get started” for more details.

 

Announcing Communication Sites on the SharePoint Mobile Apps

We are excited to announce support for your communication sites this week on the SharePoint mobile apps for iOS (version 3.0, released to the store) and Android (version 2.0, released to public beta, general availability in August)! The broad-reach communication sites that you can create in seconds on the Web, are mobile-friendly out of the box.  When you publish a site, page or news post, you can be confident that your content reaches your audience wherever they are, no matter what device they are on. Your communication site looks great on the web, on PC and Mac, on mobile browsers, and in your SharePoint mobile apps. Tap on links within your site to seamlessly enjoy native experiences, where available. The result is a vibrant, interactive, dynamic experience for your site visitors. We are eager for you to give it a try and do let us know how it works for you. Tell us how we can make this feature better and more useful moving forward. Note: Communication sites are rolling out gradually to all organizations. If you can’t create one yet, the update hasn't rolled out to your organization yet. As of August 2, 2017, the team was close to 50% rollout worldwide.

 

Improving SharePoint Links and Announcement Lists

As we continue to improve SharePoint, we're updating two more list types. Links and Announcement lists now have improved page performance, responsiveness and accessibility, just like your other lists. Last year, we introduced two new web parts -- Quick Links and News. These provide even more capabilities to share dynamic information about related sites and team updates on any page to any device on a SharePoint site. For most scenarios, we recommend the use of Quick Links and News. This announcement is not intended to replace Quick Links or News but rather to give users of those lists a more consistent experience with the rest of SharePoint. Links and Announcement lists are not supported by the Lists web part. If you need to add links or updates in a web part on a modern SharePoint page, we recommend the Quick Links and News web parts. Currently, these lists automatically fallback to classic mode.  This update will eliminate the need for auto-fallback. Administrators can choose the classic experience for Announcement and Links lists in advance of the rollout by implementing the steps in this support article, Switch the default experience for lists or document libraries from new or classic. We expect to start the rollout of this feature around August 8, 2017.

 


NOTEWORTHY

 

Microsoft Mechanics: Microsoft Planner Updates

Format: Video (10 minutes) | This episode of Microsoft Mechanics takes a look at the recent updates to Microsoft Planner, including the updated look and feel, as well as faster web interface, deeper integration with Office 365 app experiences such as Microsoft Teams, assigning multiple users to a task, new ways to access your plans on the go via mobile and how you can automate your plans with Microsoft Flow.

 

New Office 365 Groups Feature Announcement: PowerShell support of Allow/Block guest access based on Domain list

We are happy to announce the world-wide roll-out of Allow/Block list support for guest access in O365 Groups. With this feature, IT Admins can set up a list of domains to (a) allow guest users of specific domains to be invited to Groups, or (b) block guest users of specific domains from being invited to Groups. This policy can currently be set up through PowerShell, with UI support coming soon. We have provided a user-friendly script to set up the allow/block list for your tenant. This policy works for all workloads with Guest access through O365 Groups such as Outlook, Teams & Planner in future. This works independently of SPO settings, but we have provided support to migrate the SPO allow/block list to O365 Groups. We will be supporting this functionality in OAC (Office Admin Portal) through the user interface soon. Complete documentation, and the script referenced above, are available in the Allow/Block guest access to Office 365 groups article.

 

Deprecation of SharePoint Online Site Mailboxes

In March 2017, we took the first step towards deprecating site mailboxes by announcing that we will stop the creation of new ones. Today you can no longer create site mailboxes and over time we will stop support for the product completely. We understand that this decision will be disappointing for a few of you. But after a lot of internal deliberation, we have decided to deprecate site mailboxes and invest in Office 365 groups. In its short duration of existence, Office 365 Groups have already seen a much larger adoption than site mailboxes. This, coupled with the ability to associate a group with a SharePoint team site, makes Office 365 Groups the ideal replacement for site mailboxes. We understand that we have a lot of customers still actively using site mailboxes and that this deprecation will affect their day to day operations. We assure such customers that we are working on providing a solution for the transition process. By the end of 2017 we will have a process in place which will let you connect your classic experience SharePoint team site to an Office 365 group.

 

What's new for Auto Attendants and Call Queues in July 2017

We are always working to improve Auto Attendants and Call Queues in Skype for Business, and we are excited to tell you about the July 2017 features and updates, as summarized below:

  • Users can now receive Auto Attendants and Call Queues calls on Mac, iPhone, iPad and Android Skype for Business clients
  • Admins can now use O365 Groups (both public and private) to limit the scope of users reachable with Dial by Name feature in Auto Attendants
  • The maximum size of the name list supported for name recognition with Speech has been increased from 50,000 to 80,000 users in Auto Attendants
  • Improved accuracy of recognition for similar-sounding names for name recognition with Speech in Dial by Name feature of Auto Attendant
  • To protect user anonymity, admins can now use PowerShell to enable users to make outbound calls on behalf of an Auto Attendant or Call Queue using a policy called CallingLineIdentity
  • Auto Attendant has been updated with an enhanced English (US) Text to Speech voice

 

An update to Azure AD Conditional Access for Office.com

On August 24th, a change will roll out that requires users to satisfy any policies set on Exchange Online and SharePoint Online when accessing Office.com. For example, if a policy requiring multi-factor authentication (MFA) or a compliant device has been applied to SharePoint or Exchange, this policy will also apply to users signing into Office.com. The main impact will be to users who use Office.com but have not already satisfied SharePoint and Exchange policies. In these cases, they can take the steps to satisfy policy or, in cases in which this is not an option, where users are attempting to access Office.com to install Office applications, they can do so from https://aka.ms/office-install.

 

The new Azure AD Sign-in Experience is now in Public Preview

We’re continuing to make progress on converging the Azure AD and Microsoft account identity systems. One of the big steps on this journey is to redesign the sign-in UI so both systems look consistent. We're happy to announce that this updated design is in public preview! Azure AD & Microsoft account sign-in pages will both change to have a consistent look and feel, so you won’t experience any more jarring transitions when you move between the two. The new design prompts you to enter your username on the first screen followed by a credential (typically a password) on a second screen. We’ve done a lot of testing of this design and our telemetry shows that people are able to sign in with a notably higher success rate using this approach. It also sets us up to be able to easily introduce new forms of authentication like phone sign-in and certificate-based authentication. As of August 2nd, you’ll see a banner on the Azure AD sign-in page giving users the option to opt in to see the new experience. We know that this will be a disruptive change for some of you, but we believe that this sets us up for an exciting future of innovation in the sign-in space. To give you time to prepare for the change, we’ll leave the new experience as an opt-in public preview for the next few weeks. We plan to switch over to the new UI by default during the last week of September.

 

Office 365 Planned Service Changes for 2018


The goal of this post is to compile all announced Office 365 service changes for 2018, especially those that may require admin action, into a single reference. These changes are listed below in chronological order, based on the "Action Required" date. Additional information and resources related to these changes are provided where applicable. Updates will be made to this post as new service changes are announced, or updates to announced changes are provided.

Note: All changes may not have been communicated to your tenant / environment.


Update Log:

2017-08-07

  • Added Discontinuation of support for Session Border Controllers in Exchange Online Unified Messaging


Discontinuation of support for Session Border Controllers in Exchange Online Unified Messaging

Status: Active

Action Required by: July 2018

Details: In July 2018, we will no longer support the use of Session Border Controllers (SBC) to connect 3rd Party PBX systems to Exchange Online Unified Messaging (UM). We’re making this change to provide a higher quality of service for voicemail, using standard Exchange and Skype for Business protocols. Customers considering a new deployment of this scenario should be aware that they will have a little less than a year to complete one of the migrations below. Customers with existing deployments remain fully supported until July 2018, including moving voicemail-enabled mailboxes from Exchange on-premises and voicemail-enabling new mailboxes.

The following configurations are not affected by this change:

  • Skype for Business Server (on-premises) connected to Exchange Online UM
  • 3rd party voicemail solutions that deposit voicemail messages into Exchange Online mailboxes through APIs, rather than an SBC connection
  • All forms of Exchange Server UM (on-premises)

There are several alternative solutions for impacted customers, all listed in the Exchange Team blog post announcing this change.

Additional Information: Microsoft Tech Community Discussion


Office 365 Planned Service Changes for 2020


The goal of this post is to compile all announced Office 365 service changes for 2020, especially those that may require admin action, into a single reference. These changes are listed below in chronological order, based on the "Action Required" date. Additional information and resources related to these changes are provided where applicable. Updates will be made to this post as new service changes are announced, or updates to announced changes are provided.

Note: All changes may not have been communicated to your tenant / environment.

 


Update Log:

2017-08-07

  • Added Office 365 system requirements changes for Office client connectivity

 


Office 365 system requirements changes for Office client connectivity

Status: Active

Action Required by: October 13, 2020

Details: When customers connect to Office 365 with a legacy version of Office, they’re not enjoying all that the service has to offer. The IT benefits—particularly security—are cut short. And the end user experience in the apps is limited to the features shipped at a point in time. To ensure that customers are getting the most out of their Office 365 subscription, we are updating our system requirements.

  • Office 365 ProPlus or Office perpetual in mainstream support required to connect to Office 365 services: Starting October 13, 2020, Office 365 ProPlus or Office perpetual in mainstream support will be required to connect to Office 365 services.
  • Applies to Office 365 commercial services only: This update does not change our system requirements or support policies for the Office perpetual clients, Office perpetual clients connecting to on-premises servers, or any consumer services.
  • More than three years' notice: We're providing more than three years' notice to give IT time to plan and budget for this change. Until this new requirement goes into effect in 2020, Office 2013 and Office 2016 perpetual clients will still be able to connect to Office 365 services.

Additional Information:

 


Office 365 Planned Service Changes – August 2017 Updates


A quick post announcing the recent updates to the Office 365 Planned Service Changes posts:

Hopefully this information is helpful in keeping pace and managing change in Office 365.

Please post in the comments if there is information you would like to see included in these posts, or if you have additional feedback.

Thank you,

Thomas

 

 

 

ISV partnership: How to get Financial Services to count on you for digital transformation

Financial Services is an ambitious industry when it comes to digital transformation. As they lead the charge on IT spending, they have higher expectations from 'third platform' technology than any other sector. Indeed, 93 percent of organisations plan to invest in their IT over the next five years.

 

The industry is fast learning the importance of technology. Competition is on the rise as traditional banks struggle to keep up with agile FinTech start-ups. These newcomers are fast overtaking the outdated systems, processes and bureaucracy of incumbent banks, which restrict employees and irritate customers.

 

The need for IT to enable innovation, rapid catch-up and business growth in Financial Services represents an opportunity for partners. Whether you're an existing finance partner or looking to expand into new sectors, ISV partnership can help you expand your services. If you do, not only will you empower the industry's digital transformation, your revenue will rise too.

 

Firms need IT investments to help them stay agile and competitive

Nowadays, people want more from financial services. They demand the best and they want it now. To respond to this increased demand, the industry is taking a lead in global IT investments. They realise the need to utilize technology to empower customers and employees, as well as attract Millennials. Without this, they won't stay relevant for long.

 

Financial organisations are looking to attract customers by focusing on:

Using data to understand customers better. 25 percent of customers are likely to switch banks in 2017. Customers feel that banks don't communicate well or show they care about their experience. To thrive, banks need to start putting their customers first.

 

Mobile banking. One of the reasons smaller, FinTech firms are starting to become successful is their use of mobile apps. In 2017, this is what customers expect. They want quick, easy 24/7 banking that isn't riddled with extra charges.

 

Compliance and security. GDPR and security concerns are two of the biggest hurdles for Financial Services today. The industry as a whole needs to address these issues immediately.

 

Automation and collaboration tools. Banks need to update their back-office processes and internal communications. In doing so, they can reduce bureaucracy while increasing engagement and efficiency.

 

ISV partnership is a great way to offer unique solutions to these problems, while getting a slice of the IT spending cake.

 

ISV partnerships: Expand your services faster and smarter

Partners can benefit from opportunities within financial services by expanding their services through ISV partnership. This applies whether your company currently provides services to financial firms or is targeting new verticals. Either way, this is a market which can increase your margins, fuelling business growth.

 

Usually, developing a vertical focus takes a lot of time to build up - especially if you're new to a sector. But, it doesn't have to be this way. ISV partnership puts you in the fast lane as you can utilize each other's strengths and create unique offerings quickly.

 

Here are some examples of ISVs you could work with:

VeriPark

VeriPark allows banks to keep up with and exceed the pace of digital transformation, without the need for expensive infrastructure.

One of the biggest obstacles to digital transformation in financial services is knowing what the customer wants. VeriPark's product, Next Best Action, provides actionable data analysis allowing banks to improve engagement and the customer experience.

Watch Mark Foyster, VP of Worldwide Sales at VeriPark, explain how they help banks get to know their customers.

 

BioCatch

BioCatch provides cyber security for banks using biometrics, while maintaining a seamless digital experience for customers. Their product helps banks protect data and identities through web and mobile apps, without lengthy authentication processes.

Watch Richard Perry, VP of Sales at BioCatch explain how the technology works for banks and their customers.

 

ISV partnership boosts business growth and profitability

 

By 2018, banks in Scandinavia, the UK and Western Europe are set to have more than half of new revenue coming in from digital channels. Software providers, in partnership with ISVs, can provide financial services firms the digital transformation which keeps them competitive. Why? Because partnership is profitable. According to a 2013 study by IDC, businesses earning 30 percent or more of their revenue through partnership see faster growth than those who don't.

 

Financial services organisations are craving innovation. They are asking themselves what the next big thing will be in their sector. It's up to you to show them. Invest in your business by bringing banks into the 21st century.

 

Signing in to Azure Resource Manager with a certificate


In the old Azure portal you could download a management certificate and use it for logins, for example in PowerShell (.publishsettings was the magic word). With Azure Resource Manager and the new Azure portal this is no longer possible. Instead there is an alternative sign-in method using a so-called "ServicePrincipal", and that is what we will create here so that in future we can also sign in from PowerShell with a certificate.

With Azure Resource Manager we can assign rights on resources to users or groups, and also to applications or scripts. To do that we have to create an identity and make sure that the app authenticates with the credentials of that identity. In our case the app is effectively PowerShell, and the identity is the ServicePrincipal just mentioned.

The good thing about this approach is that we can assign this "ServicePrincipal" (that is, the script or the shell) exactly the rights it needs on subscriptions, resource groups or resources, based on RBAC, and we will look at that as well.

We need 3 ingredients for this:

  • a certificate
  • an ApplicationID for the ServicePrincipal, and
  • the necessary permissions.

Let's start with a few prerequisites…

Prerequisites

Depending on the configuration, app registrations may only be created by the tenant admin. In the portal you find this setting as follows:

  • Select Azure Active Directory
  • User Settings
  • App Registrations

If this setting is "No", only an admin can register an application, and if we are not one, we have to go begging (I mean, of course, submit a change request and justify it). Let's assume we are allowed to, or are even an admin; then we can carry on.

Ingredient 1: The certificate

We need a certificate. A self-signed one is the simplest, but official ones work too. Again for simplicity (we don't want to turn this into a PKI tutorial) we create a self-signed certificate. As pros, we do that directly in PowerShell:

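[code gutter="false"]
# Create a self-signed certificate (including its private key) in the current user's "My" store
$cert = New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" -Subject "CN=myServicePrincipalCert" -KeySpec KeyExchange
# Base64-encode the public part of the certificate for the service principal registration
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
[/code]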

We have just created a certificate, including its key, in the local certificate store "My" (or "Personal"). We can also take a look at it, either with the certificate manager (certmgr.msc) or again with PowerShell:

[code gutter="false"]
# List the certificates in the current user's "My" store
Get-ChildItem -Path "Cert:\CurrentUser\My"
[/code]

That takes care of our first ingredient. On we go:

Ingredient 2: An ApplicationID

As we have learned, we need an app registration. We can do that either in the portal or again in PowerShell:

[code gutter="false"]
$sp = New-AzureRMADServicePrincipal -DisplayName "myServicePrincipal" -CertValue $keyValue -EndDate $cert.NotAfter -StartDate $cert.NotBefore
[/code]

This uses variables that we set when creating the certificate. If an existing certificate is to be used, the values have to be read from it accordingly. Please choose a more meaningful DisplayName than I did here; over time there may be quite a few more ServicePrincipals, and then you can find them again with, for example:

[code gutter="false"]
Get-AzureADServicePrincipal -SearchString "myServicePrin"
[/code]

To assign rights we will need the ApplicationID later. We get it with:

[code gutter="false"]
$appID=$sp.ApplicationID
[/code]

Ingredient 3: Permissions

At first the application, or rather the ServicePrincipal, has no rights. But we can change that, always provided, of course, that we ourselves have the necessary rights… We don't need to look at RBAC (Role-Based Access Control) in much detail here; there is excellent documentation for that. We simply take the current SubscriptionID (and we can note the tenant ID at the same time; we need it further down for the login).

[code gutter="false"]
Get-AzureRmContext
[/code]

One small note: a few seconds can pass between creating the ServicePrincipal and its becoming visible in AAD, so better wait a minute or so. But then off we go:

[code gutter="false"]
New-AzureRmRoleAssignment -Scope "/subscriptions/<sub-id>" -RoleDefinitionName Contributor -ServicePrincipalName $appID
[/code]

There. Now the application, or rather the ServicePrincipal, has "Contributor" rights on the subscription. If a different scope is wanted, simply use the corresponding ResourceID, for example for a resource group:

[code gutter="false"]
Get-AzureRmResourceGroup
[/code]

Login with a certificate

All ingredients have been stirred well and baked at 42 degrees. Now we can have a taste. We need the following details:

  • The thumbprint of the certificate
  • The ApplicationID
  • The TenantID

OK, instead of one password we now need 3 pieces of information, and rather complicated ones at that. Where was the advantage again? Well, these values always stay the same, so it is no problem to use them in a script. Nobody who does not also have access to the certificate (more precisely, the private key) can log in with them. Conversely, this also means that, for now, the login only works on the computer on which the certificate was created. After an export (with the private key) and an import on another computer, it would work there too.

Getting the thumbprint is easy:

[code gutter="false"]
$Thumbprint = (Get-ChildItem cert:\CurrentUser\My | Where-Object {$_.Subject -match "myServicePrincipalCert" }).Thumbprint
[/code]

As the subject we use the value given at creation, see Ingredient 1 above.

The login then looks like this:

[code gutter="false"]
Login-AzureRmAccount -ServicePrincipal -CertificateThumbprint <thumbprint> -ApplicationId <appID> -TenantId <TenantID>
[/code]

Or with a real example:

[code gutter="false"]
Login-AzureRmAccount -ServicePrincipal -CertificateThumbprint B007B51B911914E6CA5630137374A08648D02C8F -ApplicationId 919e6448-9c30-4481-ab5f-be29aa9021e4 -TenantId afa16547-9d30-4591-ac6f-be29aa9031e3
[/code]

In future we could simply run this line when starting PowerShell, and we would be logged in. No password at all, because the certificate sits in our certificate store, and access to it is only released with the Windows logon. But that also means that anyone who gets hold of the certificate (with the private key) and obtains the remaining details can log in until we delete the application registration (or the certificate has expired). So take care if you copy the certificate to other computers!
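The three ingredients combined with a smaller blast radius, as an added example that is not part of the original post: the private key is marked non-exportable (so it cannot be copied to another computer), the certificate lifetime is explicit, and the role is assigned on one resource group with a retry for the propagation delay mentioned above. The function names, the `Reader` default and the sample names are assumptions, and an existing AzureRM session is assumed.

```powershell
# Added example, not from the original post. Assumes the AzureRM module is
# loaded and Login-AzureRmAccount was already run by someone who is allowed
# to register applications. Function and parameter names are hypothetical.
function New-ScopedCertServicePrincipal {
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [Parameter(Mandatory = $true)][string]$ResourceGroupName,
        [string]$RoleDefinitionName = 'Reader',   # assumption: least privilege by default
        [int]$ValidMonths = 6,
        [int]$MaxAttempts = 6
    )

    # Resolve the scope first, so a typo fails before anything is created.
    $rg = Get-AzureRmResourceGroup -Name $ResourceGroupName -ErrorAction Stop

    # Ingredient 1: a key pair whose private key cannot be exported from this
    # user's store, with an explicit lifetime.
    $certArgs = @{
        CertStoreLocation = 'Cert:\CurrentUser\My'
        Subject           = "CN=$DisplayName"
        KeySpec           = 'KeyExchange'
        KeyExportPolicy   = 'NonExportable'
        NotAfter          = (Get-Date).AddMonths($ValidMonths)
    }
    $cert = New-SelfSignedCertificate @certArgs
    $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

    # Ingredient 2: register the service principal; only the public
    # certificate is uploaded.
    $sp = New-AzureRmADServicePrincipal -DisplayName $DisplayName -CertValue $keyValue `
        -StartDate $cert.NotBefore -EndDate $cert.NotAfter

    # Ingredient 3: assign the role on the resource group only. The new
    # principal may not be visible in AAD yet, so retry a few times.
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            New-AzureRmRoleAssignment -Scope $rg.ResourceId `
                -RoleDefinitionName $RoleDefinitionName `
                -ServicePrincipalName $sp.ApplicationId -ErrorAction Stop | Out-Null
            break
        }
        catch {
            if ($attempt -eq $MaxAttempts) { throw }
            Start-Sleep -Seconds 10
        }
    }

    # Everything the certificate login needs except the tenant ID.
    [pscustomobject]@{
        DisplayName   = $DisplayName
        ApplicationId = $sp.ApplicationId
        Thumbprint    = $cert.Thumbprint
        Scope         = $rg.ResourceId
        Role          = $RoleDefinitionName
        NotAfter      = $cert.NotAfter
    }
}

# Review helper: list role assignments of a service principal that apply to
# a whole subscription (or the root scope) instead of a single resource group.
function Get-BroadRoleAssignment {
    param([Parameter(Mandatory = $true)][string]$ApplicationId)

    Get-AzureRmRoleAssignment -ServicePrincipalName $ApplicationId |
        Where-Object { $_.Scope -eq '/' -or $_.Scope -match '^/subscriptions/[^/]+/?$' } |
        Select-Object RoleDefinitionName, Scope
}

# Constructed sample values:
# $result = New-ScopedCertServicePrincipal -DisplayName 'nightly-report-script' -ResourceGroupName 'rg-reports'
# Get-BroadRoleAssignment -ApplicationId $result.ApplicationId   # should return nothing
```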

Microsoft Azure Germany

For Azure Germany the old portal is no longer available, so the way described here is the only (and also the generally recommended) way to log in with a certificate. However, the login additionally requires the environment to be specified. In full it looks like this:

[code gutter="false"]
Login-AzureRmAccount -EnvironmentName "AzureGermanCloud" -ServicePrincipal -CertificateThumbprint <thumbprint> -ApplicationId <appID> -TenantId <TenantID>
[/code]

By the way, there is a free test account for Azure Germany here…

A more detailed description of the options can be found at AzureDocs.

Using the New Role Based Access Controls in Intune


By Dave Randall | Sr. PM

I’m Dave, a Program Manager in the Intune team. Many of you – our customers and partners – are now using the Azure Portal to manage Intune. One new area of functionality is role based access control (RBAC). This feature offers much greater flexibility and control to ensure your IT administrators have the right permissions to perform their job, and no more. I want to walk you through some of the features of RBAC, plus help you understand how Azure Active Directory (Azure AD) Directory Roles are supported by Intune. They are an important part of the overall permissions management story for Intune. This post will help you get started by explaining the Intune on Azure role experience and show you just how granular you can get in your role based access!

Starting at the top


Azure AD provides four Directory Roles which are used in conjunction with Intune.

  • Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD. Users with this role can manage all of Intune. Also provides management of Azure AD’s Conditional Access.
  • User Administrator: Users with this role can manage users and groups, but cannot manage all of Intune.
  • Intune Service Administrator: Users with this role can manage all of Intune. Additionally, this role can manage users and devices as well as create and manage groups. This role cannot manage Azure AD’s Conditional Access settings.
  • Conditional Access Administrator: Users with this role can manage Azure AD’s Conditional Access policies, but not all of Intune.

You can assign one or more Limited Administrator directory roles to an administrative user. For example, you might want to select both the Intune Service Administrator and the Conditional Access Administrator. The full description of these roles and their uses is documented here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles.

 

Azure AD Directory Roles provide full access to one or more services (Exchange, Intune, SharePoint, etc.). If you want finer-grained control rather than full access to the service, each service offers its own roles with more fine-grained permissions specific to the service’s features.

 

Intune Roles

Intune Roles are designed to mirror your IT department employees’ job functions. There are four built-in roles. See Table 1 for a full list of permissions by role.

  • Policy and Profile Manager – manages the configuration and compliance policies.
  • Application Manager – manages mobile and managed applications.
  • Helpdesk Operator – enables tasks appropriate for end-user service desk support personnel.
  • Read Only Operator – allows viewing of Intune information without the ability to change Intune.

You cannot change the permissions for a built-in role. If you need to customize the permissions, you can simply create a custom role that includes any permissions required for a job function. For example, if an IT department group manages applications, policies and configuration profiles, you can add all those permissions together in one custom role.

NOTE: When your company is migrated from the classic Intune experience to Intune on Azure, your Service Administrators with “Read Only” or “Helpdesk” console access are not migrated to the new Azure Portal. However, “Full” Service Administrators in the classic Intune console still have full permission to perform all activities in Intune, both in the classic Intune (Silverlight) Console and the Intune Azure Portal. To transition those users, you should re-assign your service administrators to new Intune roles and remove them from the old portal, unless they still need access to manage PCs using the classic PC agent. Or, you can assign them to one of the Azure AD directory roles as appropriate.

Licensing: Administrators with an Intune Role require an Intune license.

Automation: You can automate any RBAC task such as creating custom roles, or adding/modifying role assignments using the Microsoft Graph API. We have a set of PowerShell scripts that can help you get started.

Role Assignments

A role assignment ties together the permissions with your IT staff and end users. This is a key concept to understand – it’s how permissions are enforced.

You can create one or more assignments for a role.


Example – Contoso Helpdesk

At Contoso, we have a distributed helpdesk staff. There are three helpdesk groups, one that supports the Engineering Department, another for the shipping department and a third for the cooking department. We want to set up three separate role assignments to ensure each group of helpdesk operators can only manage their respective departments.


Let’s add an assignment for one of those departments – Engineering. Start by clicking “+ Assign” in the Assignments for the Helpdesk Operator role.


Then, we’ll give it a name (1), click Members (2), Add (3) and pick the Contoso Helpdesk for Engineers user group.

Save the members with OK. Remember, the members represent your IT staff who have the helpdesk permissions.

NOTE: you can add the same Azure AD Security Group to multiple role assignments as necessary. For example you may have a small team of IT administrators that provide backup support for several roles. That Azure AD security group for the small team of IT Administrators can be added to each role for which they provide support.


Next, we’ll add the scope group – by picking Scope Groups (1), then Add (2), then selecting the user group (3) – Engineering Department Employees.


Choose OK to save the assignment.

Remember – scope groups limit the users who can have remote tasks or assignments performed to only the members in this role assignment.

I’ve made assignments for my other groups – Shipping and Cooks – they have the matched set of IT Admins (Helpdesk Operators for Cooks/Shipping) and Users (Cooks Department/Shipping Department).


Now that I have the assignments, “Helpdesk for Shipping” administrators can’t assign apps or perform remote tasks for Engineering users, or Cooks. And, the “Helpdesk for Engineers” can’t assign apps or policy or perform remote tasks for Shipping or Cooks, etc.

To demonstrate how this works, if Emma wants to assign an app to the Engineering Department, she can. But, if she tries to assign an app to the Shipping Department, she’ll see the following error message:

[Screenshot: error message]

But, if she tries to add a deployment to Engineering, that will work.


One last topic…

Although not permissions related, sometimes you’ll see messages such as “We’re not quite ready for you yet…” Or “Coming Soon”

These are simply placeholders that indicate we’re making some service updates and we haven’t finalized the update quite yet. There isn’t anything you need to do on your side. Of course, you can always check the What’s New Page to see what’s changed recently.

Table 1 – Intune Role Permissions

 

Columns: AAD Global Administrator | AAD Intune Service Administrator | "Full" Service Administrator (Silverlight Console only) | Policy and Profile Manager | Application Manager | Helpdesk Operator | Read Only Operator | Role Administrator

AAD Users Manage x x
AAD Groups Manage x x
Apple Enrollment Create Serial Number x x x x
Delete Serial Number x x x x
Read Serial Number x x x x x x
Update Serial Number x x x x
Create Profile x x x x
Delete Profile x x x x
Read Profile x x x x x x
Update Profile x x x x
Create Token x x x x
Delete Token x x x x
Read Token x x x x x x
Update Token x x x x
Corporate Device Identifiers Create x x x x
Read x x x x x x
Update x x x x
Delete x x x x
Device Compliance Policies Assign x x x x
Create x x x x
Delete x x x x
Read x x x x x x
Update x x x x
Device Configurations Assign x x x x
Create x x x x
Delete x x x x
Read x x x x x
Update x x x x
Device Enrollment Managers Read x x x x x
Update x x x
Endpoint Protection Reports Read x x x x x
Managed Apps Assign x x x x x x
Create x x x x x
Delete x x x x x
Read x x x x x x x
Update x x x x x
Wipe x x x x x
Managed Devices Delete x x x
Read x x x x x x
Update x x x
Mobile Apps Assign x x x x x
Create x x x x
Delete x x x x
Read x x x x x x
Update x x x x
Organization Create x x x
Delete x x x
Read x x x x x x
Update x x x
Remote Assistance Read x x x x x
Update x x x
Remote Tasks Bypass Activation Lock x x x
Clean PC x x x x
Disable Lost Mode x x x x
Enable Lost Mode x x x x
Enable Windows Intune Agent x x x x
Locate Device x x x x
Reboot Now x x x x
Remote Lock x x x x
Request Remote Assistance x x x x
Reset Passcode x x x x
Retire x x x x
Wipe x x x x
Reports Read x x x x
Roles Assign x x x x
Create x x x x
Delete x x x x
Read x x x x x x
Update x x x x
Telecom Expenses Read x x x x x
Update x x x
Terms and Conditions Assign x x x
Create x x x
Delete x x x
Read x x x x x
Update x x x

Empty/clean up a group mailbox with EWS Managed API 2.2


There is not much to say here. Hope you'll find it useful! Feel free to share your opinions. 🙂

 

Prerequisites:

-Create a new RBAC group or use an existing one from Exchange Admin Center – Permissions – Admin Roles. Add the ‘ApplicationImpersonation’ role to the group and add as member the service account that will impersonate the mailbox that is a member/owner of the declared group mailbox (it can be your Global Admin account).

DISCLAIMER: This application is a sample application. The sample is provided "as is" without warranty of any kind. Microsoft further disclaims all implied warranties including without limitation any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the samples remains with you. in no event shall Microsoft or its suppliers be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss arising out of the use of or inability to use the samples, even if Microsoft has been advised of the possibility of such damages. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

# The script requires EWS Managed API 2.2, which can be downloaded here: https://www.microsoft.com/en-gb/download/details.aspx?id=42951
# Make sure the Import-Module command matches the Microsoft.Exchange.WebServices.dll location of EWS Managed API, chosen during the installation

$a = Read-Host -Prompt "Mailbox name"
$b = Read-Host -Prompt "Group mailbox"

Import-Module -Name "C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll"

$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService -ArgumentList Exchange2013_SP1

#Provide the credentials of the O365 account that has impersonation rights on the mailbox that you declare
#(prompted for at run time, so that no password is stored in the script file)
$cred = Get-Credential -Message "O365 account with impersonation rights (serviceaccount@domain.onmicrosoft.com)"
$service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials($cred.UserName, $cred.GetNetworkCredential().Password)
#Exchange Online URL
$service.Url = New-Object Uri("https://outlook.office365.com/EWS/Exchange.asmx")

#User to impersonate
$service.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress,$a)

$InboxFolderid = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox,$b)
$CalendarFolderid = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar,$b)
$DumpsterFolderid = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::RecoverableItemsDeletions,$b)

$ItemView = New-Object Microsoft.Exchange.WebServices.Data.ItemView(1000)

#Empty the Inbox folder
$FindItemResults = $service.FindItems($InboxFolderid,$ItemView)

if($FindItemResults.TotalCount)
{
    Write-Host "$($FindItemResults.TotalCount) item(s) have been found in the Inbox folder. Select 'Yes' if you want to remove it/them or 'No' to cancel." -ForegroundColor White

    $op1 = "Yes", "No" | Out-GridView -Title "Empty your Group mailbox" -PassThru

    if($op1 -eq 'Yes') {
        $Inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,$InboxFolderid)
        $Inbox.Empty([Microsoft.Exchange.WebServices.Data.DeleteMode]::SoftDelete,$null)
    }
}
else {
    Write-Host "No items were found in the Inbox folder" -ForegroundColor Yellow
}

#Move the calendar events in the dumpster  (The .Empty method is not supported for the Calendar folder)
do
{
    $op2 = $null
    $FindItemResults2 = $service.FindItems($CalendarFolderid,$ItemView)

    if($FindItemResults2.TotalCount)
    {
        Write-Host "$($FindItemResults2.TotalCount) item(s) have been found in the Calendar folder. Select 'Yes' if you want to remove it/them or 'No' to cancel." -ForegroundColor White

        $op2 = "Yes", "No" | Out-GridView -Title "Empty your Group mailbox" -PassThru

        if($op2 -eq 'Yes') {
            foreach ($Item in $FindItemResults2.Items)
            {
                $Calendar = [Microsoft.Exchange.WebServices.Data.Appointment]::Bind($service,$Item.Id)
                $Calendar.Move($DumpsterFolderid)
            }
        }
    }
    else {
        Write-Host "No items were found in the Calendar folder" -ForegroundColor Yellow
    }

    #Moved items leave the Calendar folder, so the next page is read from the same offset.
    #The loop tests the Calendar results ($FindItemResults2), not the Inbox results.
}while($op2 -eq 'Yes' -and $FindItemResults2.MoreAvailable -eq $true)

 

Note: In order to run the script above, you have to copy paste it into a Notepad file and save it with the extension ".ps1". Then, you have to connect to Exchange Online with PowerShell and run it: https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx.

Recover deleted items from a group mailbox with EWS Managed API 2.2


In case you're interested in recovering the deleted items from a group mailbox...

 

Prerequisites:

-Create a new RBAC group or use an existing one from Exchange Admin Center – Permissions – Admin Roles. Add the ‘ApplicationImpersonation’ role to the group and add as member the service account that will impersonate the mailbox that is a member/owner of the declared group mailbox (it can be your Global Admin account).

DISCLAIMER: This application is a sample application. The sample is provided "as is" without warranty of any kind. Microsoft further disclaims all implied warranties including without limitation any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the samples remains with you. in no event shall Microsoft or its suppliers be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss arising out of the use of or inability to use the samples, even if Microsoft has been advised of the possibility of such damages. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

# The script requires EWS Managed API 2.2, which can be downloaded here: https://www.microsoft.com/en-gb/download/details.aspx?id=42951
# Make sure the Import-Module command matches the Microsoft.Exchange.WebServices.dll location of EWS Managed API, chosen during the installation

$i=$j=0;
$a = Read-Host -Prompt "Mailbox name"
$b = Read-Host -Prompt "Group mailbox"
Import-Module -Name "C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll"

$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService -ArgumentList Exchange2013_SP1

#Provide the credentials of the O365 account that has impersonation rights on the mailbox that you declare
#(prompted for at run time, so that no password is stored in the script file)
$cred = Get-Credential -Message "O365 account with impersonation rights (serviceaccount@domain.onmicrosoft.com)"
$service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials($cred.UserName, $cred.GetNetworkCredential().Password)
#Exchange Online URL
$service.Url = New-Object Uri("https://outlook.office365.com/EWS/Exchange.asmx")

#User to impersonate
$service.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress,$a)

$DeletionsFolderid = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::RecoverableItemsDeletions,$b)
$InboxFolderid = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox,$b)
$CalendarFolderid = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar,$b)

$ItemView = New-Object Microsoft.Exchange.WebServices.Data.ItemView(1000)

do
{
    $FindItemResults = $service.FindItems($DeletionsFolderid,$ItemView)

    Write-Host "$($FindItemResults.TotalCount) item(s) have been found in the Recoverable items folder" -ForegroundColor White

    #Items on this page that stay in the folder (neither email nor appointment)
    $skipped = 0

    foreach ($Item in $FindItemResults.Items)
    {
        #Restore the emails
        if ($Item.ItemClass -match "IPM.Note")
        {
            $Message = [Microsoft.Exchange.WebServices.Data.EmailMessage]::Bind($service,$Item.Id)
            $Message.Move($InboxFolderid)
            $i++;
        }
        #Restore the calendar events
        elseif ($Item.ItemClass -match "IPM.Appointment")
        {
            $Message = [Microsoft.Exchange.WebServices.Data.Appointment]::Bind($service,$Item.Id)
            $Message.Move($CalendarFolderid)
            $j++;
        }
        #Report every item that is not recovered (decided per item, not from the running counters)
        else
        {
            Write-Host "The Item with the Subject:'$($Item.Subject)' has the ItemClass '$($Item.ItemClass)' and will not be recovered" -ForegroundColor Yellow
            $skipped++
        }
    }

    #Recovered items leave the folder, so only step past the items that stayed behind
    $ItemView.Offset += $skipped

}while($FindItemResults.MoreAvailable -eq $true)

Write-Host "$($i) Email(s) were recovered and moved to the Inbox folder" -ForegroundColor White
Write-Host "$($j) Appointment(s) were recovered and moved to the Calendar folder" -ForegroundColor White

 

Note: In order to run the script above, you have to copy paste it into a Notepad file and save it with the extension ".ps1". Then, you have to connect to Exchange Online with PowerShell and run it: https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx.

 

The MSRC 2017 list of “Top 100” security researchers


Security researchers play an essential role in Microsoft’s security strategy and are key to community-based defense. To show our appreciation for their hard work and partnership, each year at BlackHat North America, the Microsoft Security Response Center highlights contributions of these researchers through the list of “Top 100” security researchers reporting to Microsoft.

This list ranks security researchers reporting directly to Microsoft according to the quantity and quality of all reports for which we’ve issued fixes. While one criterion for the ranking is the volume of reports a researcher has made, the severity and impact of the reports are very important to the ranking. Higher-impact issues carry more weight than lower-impact ones. While this list does not include security researchers who report to our partners ZDI and iDefense as we do not always have full information to recognize their efforts, we very much appreciate the partnership with ZDI and iDefense as they ensure that we know about any reports affecting Microsoft products.

Given the number of individuals reporting to Microsoft, anyone ranked among the Top 100 is among some of the top talent in the industry. Regardless of where security researchers are ranked in this list, we appreciate their active and ongoing participation with the Microsoft Security Response Center, and encourage new researchers to report potential vulnerabilities to us at secure@microsoft.com.  We’re excited to see who’s going to be on the list next year.

MSRC team

Find SharePoint Online Site Owner


If you need to find out who a site owner is in SharePoint Online you can do this leveraging the SharePoint Online Management Shell. You must first have the SharePoint Online Management Shell installed on your computer. You need to be a Global Administrator or have a role that allows you to have access to the Tenant Admin site to perform the below steps.

  1. Download the SharePoint Online Management Shell from https://www.microsoft.com/en-us/download/details.aspx?id=35588
  2. Install the SharePoint Management Shell by launching the MSI installation package
  3. Once installed open the SharePoint Online Management Shell
  4. Use Connect-SPOService to connect to your tenant admin site. Below is an example to find the site owner:
Connect-SPOService -Url https://contoso-admin.sharepoint.com -Credential jason@contoso.onmicrosoft.com

$site = Get-SPOSite -Identity https://contoso.sharepoint.com

$site | select Url,Owner

Url Owner
--- -----
https://contoso.sharepoint.com/ jason@contoso.onmicrosoft.com

 

Use Hash Tables To Go Faster Than PowerShell Compare-Object


Compare-Object gotcha down? Slower than my old 300 baud modem? Have no fear. Today we go faster using hash tables.

Let me state first that I love the cmdlet Compare-Object, and I have used it many times with great results. But at scale my customer had some serious performance issues.

The Problem - “I feel the need. The need for speed.”

So my customer has employed all the tricks from the last blog post on making your scripts go faster. But still the script takes hours to run. Between each command he dropped a timestamp into a log file. The culprit… Compare-Object. That single command was taking hours.

But let’s be fair. He’s comparing about 800,000 email addresses between two lists. It would take me weeks to do that by hand with a pencil and paper. Compare-Object is pretty quick at 13 hours. But let’s get this down to seconds.

The Research

First things first. What exactly is Compare-Object doing? To find out, view the source code over at the PowerShell open source GitHub location. So I did that. But I’m not a .NET developer. However, I did notice the comments starting on line 120 helped me understand what it does. That is very similar to my idea.

All I know is that when I want list processing to go faster in PowerShell I use hash tables. I’ll write my own version in native PowerShell and see if it is faster.

The Approach

We have two lists, and we need to know what is different. We want to make the most efficient use of both memory and computation.

If I compare every item in List1 against every item in List2, well, that’s going to take a while (n*m).

Each list comes in as an array. I need to look up all the items in List1 against List2. The fastest way to do lookups is with a hash table.

To find the differences, I will delete the matching entries from both List1 and List2. Arrays are slow at removing a single item, so again I will use hash tables.

After deleting all of the equal values, the only things left in each list are the unique values.

If you want to see what is equal, then I will stuff that into a third list (hash table) containing only the equal values.

The Code

I have placed the hash table comparison into a function called Compare-Object2.

<#
.SYNOPSIS
Faster version of Compare-Object for large data sets with a single value.
.DESCRIPTION
Uses hash tables to improve comparison performance for large data sets.
.PARAMETER ReferenceObject
Specifies an array of objects used as a reference for comparison.
.PARAMETER DifferenceObject
Specifies the objects that are compared to the reference objects.
.PARAMETER IncludeEqual
Indicates that this cmdlet displays characteristics of compared objects that
are equal. By default, only characteristics that differ between the reference
and difference objects are displayed.
.PARAMETER ExcludeDifferent
Indicates that this cmdlet displays only the characteristics of compared
objects that are equal.
.EXAMPLE
Compare-Object2 -ReferenceObject 'a','b','c' -DifferenceObject 'c','d','e' `
    -IncludeEqual -ExcludeDifferent
.EXAMPLE
Compare-Object2 -ReferenceObject (Get-Content .\file1.txt) `
    -DifferenceObject (Get-Content .\file2.txt)
.EXAMPLE
$p1 = Get-Process
notepad
$p2 = Get-Process
Compare-Object2 -ReferenceObject $p1.Id -DifferenceObject $p2.Id
.NOTES
Does not support objects with properties. Expand the single property you want
to compare before passing it in.
Includes optimization to run even faster when -IncludeEqual is omitted.
#>
function Compare-Object2 {
param(
    [psobject[]]
    $ReferenceObject,
    [psobject[]]
    $DifferenceObject,
    [switch]
    $IncludeEqual,
    [switch]
    $ExcludeDifferent
)

    # Put the difference array into a hash table,
    # then destroy the original array variable for memory efficiency.
    $DifHash = @{}
    $DifferenceObject | ForEach-Object {$DifHash.Add($_,$null)}
    Remove-Variable -Name DifferenceObject

    # Put the reference array into a hash table.
    # Keep the original array for enumeration use.
    $RefHash = @{}
    for ($i=0;$i -lt $ReferenceObject.Count;$i++) {
        $RefHash.Add($ReferenceObject[$i],$null)
    }

    # This code is ugly but faster.
    # Do the IF only once per run instead of every iteration of the ForEach.
    If ($IncludeEqual) {
        $EqualHash = @{}
        # You cannot enumerate with ForEach over a hash table while you remove
        # items from it.
        # Must use the static array of reference to enumerate the items.
        ForEach ($Item in $ReferenceObject) {
            If ($DifHash.ContainsKey($Item)) {
                $DifHash.Remove($Item)
                $RefHash.Remove($Item)
                $EqualHash.Add($Item,$null)
            }
        }
    } Else {
        ForEach ($Item in $ReferenceObject) {
            If ($DifHash.ContainsKey($Item)) {
                $DifHash.Remove($Item)
                $RefHash.Remove($Item)
            }
        }
    }

    If ($IncludeEqual) {
        $EqualHash.Keys | Select-Object @{Name='InputObject';Expression={$_}},`
            @{Name='SideIndicator';Expression={'=='}}
    }

    If (-not $ExcludeDifferent) {
        $RefHash.Keys | Select-Object @{Name='InputObject';Expression={$_}},`
            @{Name='SideIndicator';Expression={'<='}}
        $DifHash.Keys | Select-Object @{Name='InputObject';Expression={$_}},`
            @{Name='SideIndicator';Expression={'=>'}}
    }
}

Note that for my purposes I did not need to compare multiple properties, so this approach does not entirely duplicate functionality of the native Compare-Object. You could probably adapt this code for that purpose. I would drop each list object into a hash table value, while making the key a string representation of the one or more properties to be compared. I’ll leave that bit up to you.

Also note that, yes, I used ForEach. General consensus is that ForEach is slower than For. Feel free to adjust and see if that makes a difference in execution time for you.
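The multi-property variant suggested above, as an added example that is not the author's code: each object is stored as the hash table value, and the key is a string built from the properties to compare. The function name `Compare-ObjectByProperty`, its parameters and the sample objects are constructed for illustration.

```powershell
# Added example, not from the original post. Function name, parameters and
# sample data are hypothetical.
function Compare-ObjectByProperty {
    param(
        [Parameter(Mandatory = $true)][psobject[]]$ReferenceObject,
        [Parameter(Mandatory = $true)][psobject[]]$DifferenceObject,
        [Parameter(Mandatory = $true)][string[]]$Property,
        [switch]$IncludeEqual
    )

    # Unit separator (0x1F) between the values, so that ('ab','c') and
    # ('a','bc') do not collapse into the same key.
    $sep = [string][char]0x1F

    # Key = joined property values, value = the original object.
    # @{} compares string keys case-insensitively, which suits mail addresses.
    # Index assignment (instead of .Add) tolerates repeated keys in the input.
    $difHash = @{}
    foreach ($obj in $DifferenceObject) {
        $key = @(foreach ($name in $Property) { [string]$obj.$name }) -join $sep
        $difHash[$key] = $obj
    }

    # Reference keys already reported, so a repeated reference object is
    # emitted once and is not misreported after its partner was removed.
    $seen = @{}
    foreach ($obj in $ReferenceObject) {
        $key = @(foreach ($name in $Property) { [string]$obj.$name }) -join $sep
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $null

        if ($difHash.ContainsKey($key)) {
            $difHash.Remove($key)
            if ($IncludeEqual) {
                [pscustomobject]@{ InputObject = $obj; SideIndicator = '==' }
            }
        }
        else {
            [pscustomobject]@{ InputObject = $obj; SideIndicator = '<=' }
        }
    }

    # Whatever is left in the difference table had no partner in the reference list.
    foreach ($obj in $difHash.Values) {
        [pscustomobject]@{ InputObject = $obj; SideIndicator = '=>' }
    }
}

# Constructed sample data: two exports of the same directory.
$ref = @(
    [pscustomobject]@{ Mail = 'anna@contoso.com';  Department = 'Engineering' }
    [pscustomobject]@{ Mail = 'ben@contoso.com';   Department = 'Shipping' }
    [pscustomobject]@{ Mail = 'carla@contoso.com'; Department = 'Cooks' }
)
$dif = @(
    [pscustomobject]@{ Mail = 'ANNA@contoso.com';  Department = 'Engineering' }  # same key, different case
    [pscustomobject]@{ Mail = 'ben@contoso.com';   Department = 'Engineering' }  # department changed
    [pscustomobject]@{ Mail = 'dora@contoso.com';  Department = 'Cooks' }        # only in the second export
)

Compare-ObjectByProperty -ReferenceObject $ref -DifferenceObject $dif `
    -Property Mail, Department -IncludeEqual
```

A changed property value shows up as one `<=` row and one `=>` row for the same mail address, because the key covers every property listed in `-Property`.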

The Results

# Native Compare-Object
Measure-Command -Expression {
    Compare-Object -ReferenceObject (Get-Content .\file1.txt) `
        -DifferenceObject (Get-Content .\file2.txt) -IncludeEqual
} | Select-Object TotalMilliseconds

# Hash table comparison
Measure-Command -Expression {
    Compare-Object2 -ReferenceObject (Get-Content .\file1.txt) `
        -DifferenceObject (Get-Content .\file2.txt) -IncludeEqual
} | Select-Object TotalMilliseconds

When racing the native Compare-Object against my hash table implementation here are the results:

  • For test lists of 1,000 items, Compare-Object finishes in five seconds while the hash table version finishes in <1 second.
  • For test lists of 100,000 items, the hash table finishes in five seconds while Compare-Object had not finished after multiple minutes (so I just killed the task).
  • For the customer’s 800,000 items, the hash table finished in 30 minutes, as opposed to 13 hours for Compare-Object. To be fair, the script does other tasks besides this Compare-Object. Regardless, that is a 25x performance improvement!

How is that for efficiency gain?!

The Moral of the Story

Learn hash tables today! They are the single most versatile, powerful, and fun data structure in all of PowerShell. Let me know your results in the comments area below.

“Goose, it’s time to buzz the tower.”

Assigning Office 365 Licenses Automatically

Hello World, Daniel Lucas and Eroilton Borges here, with special thanks to Rodrigo Fonseca for helping with Hybrid Identity and for reviewing and contributing to this post. We will talk about how to automatically assign Office 365 licenses in Azure AD, without needing to run PowerShell commands.

Today, when a new user needs an Office 365 license, it is necessary to run a PowerShell command to set a location and assign a license. (Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator should specify the Usage location property on the user.)

But now it is possible to assign licenses in Azure AD based on groups, which is extremely helpful because you don't need to run a script for every new user in your organization.

To complete this task, two steps are necessary:

1 – Add an AAD Connect synchronization rule to populate the attribute UsageLocation in Azure AD.

2 – Select the Office 365 products to license based on groups.

AAD Connect Sync Rules:

We'll create two rules in AAD Connect:

1 – If the attribute "UsageLocation" is null or empty, we'll populate it with a unique country code (in my example, "US").

2 – Populate the ADDS Attribute with the Country Code

1st rule:

  1. Launch the Synchronization Rules Editor.
  2. Under Rule Types, click Inbound, and create a new rule.
  3. Set the precedence to 108.


  4. In the Transformations tab, Add Transformation "Expression" target: Usage Location – Source: IIF(IsNullOrEmpty([c]),"US",[c]), Merge Type: Update.


  5. Click Save.

2nd rule:

  1. Launch the Synchronization Rules Editor.
  2. Under Rule Types, click Outbound, and create a new rule.
  3. Set the precedence to 110.
  4. In the Transformations tab, Add Transformation "Direct" target: C – Source: UsageLocation, Merge Type: Update.


  5. Run the Sync Cycle and check if the Attribute is Populated.

    Start-ADSyncSyncCycle -PolicyType Delta

  6. Open the Windows Azure Active Directory Module for Windows PowerShell.
  7. Run the command: Connect-MsolService
  8. Check the user: Get-MsolUser -UserPrincipalName user@domain.com | fl UserPrincipalName, UsageLocation


Assign Office 365 License based on Groups:

First, in this example, I created 3 security groups in my on-premises Active Directory to select different Office 365 products:

1 – Outlook_License

2 – Skype_License

3 – Sharepoint_License

After the groups are created, force a new Sync Cycle, and check in the Azure Portal that the groups are populated.

In the Azure Portal (portal.azure.com), select Azure Active Directory, then select "Licenses".

Under All Products, select Office 365 Enterprise E3.

Under Licensed Groups, select the group that you want to assign.

Under Assignment Option, select which products will be available for the group.

Now, you just need to populate your groups and wait for Azure AD to assign the licenses.

Note: When a user is a part of two or more groups, the user will inherit the licenses combined and all products will be available for the user.

If you want to know the correct country code for your user, here is the information:

https://en.wikipedia.org/wiki/ISO_3166-2

For more examples of how to assign group licenses using PowerShell: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-ps-examples

Hope that this article helps you.

Daniel Lucas.

Upcoming Azure Training Events In Australia

Over on the Australian Partner Network blog they have released the latest training schedule for the next few months, and for OEM and System Builder partners there are several options I recommend checking out. I'll focus on courses for the server partners looking at hybrid cloud integration, but check out the link in case there are other options suitable for your business.

ARCHITECTING AZURE IAAS AND HYBRID SOLUTIONS

Training Event Code: AUWW208

Type: Technical (L300)

Audience: IT Professional / Architects

Cost: $699

Product: Microsoft Azure

Date & Locations: Sydney (August 28 – 30); Brisbane (November 6-8); Melbourne (November 20 – 22)

The Azure IaaS and Hybrid Architect workshop is designed to prepare the architect to design solutions with Microsoft Azure. This workshop is focused on designing solutions using Infrastructure as a Service (IaaS) and other technologies to enable hybrid solutions such as data centre connectivity, hybrid applications, and other hybrid use cases such as business continuity with backup and high availability. Individual case studies will focus on specific real-world problems that represent common IaaS and Hybrid scenarios and practices. Students will also experience several hands-on labs to introduce them to some of the key services available.

IMPLEMENTING MICROSOFT AZURE INFRASTRUCTURE

Training Event Code: AUWW207

Type: Technical (L300)

Audience: IT Professional / Developers

Cost: $899

Product: Microsoft Azure

Duration: 5 days

Location: Canberra (August 28 – September 1); Brisbane (September 4-8); Sydney (September 4-8); Perth (September 11-15); Melbourne (September 18-22)

This training explores Microsoft Azure Infrastructure Services (IaaS) and several PaaS technologies such as Azure Web Apps and Cloud Services from the perspective of an IT Professional. This training provides an in-depth examination of Microsoft Azure Infrastructure Services (IaaS); covering Virtual Machines and Virtual Networks starting from introductory concepts through advanced capabilities of the platform. The student will learn best practices for configuring virtual machines for performance, durability, and availability using features built into the platform. Throughout the course the student will be introduced to tasks that can be accomplished through the Microsoft Azure Management Portal and with PowerShell automation to help build a core competency around critical automation skills.


SharePoint 2016: Import profile pictures with MIM 2016 – walkthrough

After completing the basic SharePoint 2016/ Microsoft Identity Manager (MIM) 2016 setup, as described here
https://thesharepointfarm.com/2016/03/basic-mim-configuration-support-sharepoint-2016/ 
I found that the proper attribute mappings are already there when the Management Agents are configured
AD Management Agent:
SharePoint Management Agent:
-- From there this appears to work exactly the same way it did in 2010 / 2013 with FIM Sync.
-- Add some pictures to my AD accounts:
Import-Module ActiveDirectory
$photo=[byte[]](Get-Content C:\pics\karl.jpg -Encoding byte)
Set-ADUser "karl" -Replace @{thumbnailPhoto=$photo}
-- I did this for the following 5 users:
Karl
Vern
EVedder
MJagger
JLennon
-- I can see that worked in AD because thumbnailPhoto is now populated:
-- Run a MIM Sync.
-- The AD Import step shows I have a thumbnailPhoto in the AD Connector space
And SharePoint Export shows it as well:
IMPORTANT:  Just because MIM doesn't throw an error on export, does not mean that the picture was successfully saved in SharePoint during the Export step.  You'd have to look at SharePoint ULS logs from the Central Admin server (or whichever server MIM is pointed to) that cover the duration of the SharePoint EXPORT step.  It helps to have a specific user you're looking for to find the applicable entries in the logs.
For an example of a problem you may run into on this step, see my other blog post here: https://blogs.technet.microsoft.com/spjr/2017/06/20/sharepoint-2016-some-profile-pictures-are-not-imported-from-mim-2016/
-- Now the User Photos library at the root of the Mysite Host site collection shows I have 5 GUID-named pictures:
The number after the underscore is the RecordID for the profile that the picture belongs to.
For example:
0c37852b-34d0-418e-91c6-2ac25af4be5b_22.jpg
So I have pictures for RecordIDs 22, 36, 37, 38, and 39 in the UserProfile_Full table in the Profile database:

However, I still have zero profiles that are showing pictures:
-- Now I need to run the following PowerShell to change the GUID-named pictures into the three thumbnails and link them to their profiles:

Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos $true -MySiteHostLocation http://j16mysite
Note: If you aren't running PowerShell as a user that has Full Control permission to the UPA (like the farm admin), it will fail with Access Denied:
Update-SPProfilePhotoStore : UserProfileDBCache_WCFLogging ::
ProfileDBCacheServiceClient.GetUserData threw exception: Access is denied.
At line:1 char:1
+ Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos $true
All you need to do is give the user running the PowerShell permission to the User Profile Service Application (UPA) in Central Admin.
-- Now that I ran Update-SPProfilePhotoStore, I have 3 thumbnails for each user instead of the GUID-named pictures:
-- And they are linked to their respective profiles:
-- I can see it in Central Admin as well:
Closing Thoughts:
  • Just like in 2010 and 2013, you need to run the "Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos" command after every Sync (full and incremental). It's the only way to create the thumbnails and set the new picture for the user. I recommend creating a scheduled task or custom timer job to automate this.
  • SharePoint logging (ULS) is only useful for troubleshooting the Sync steps for the SharePoint Management Agent (SPMA).
  • If you see errors during any Sync step in the MIM client, check the Application event log on the MIM server for details.

Microsoft Intune Data Warehouse

When demonstrating Microsoft Intune I’m often asked about reporting and historical data. Microsoft Intune now offers the ability to connect to Intune data and create reports either in Power BI or in your own reporting service or tool. There’s even an Intune Data Warehouse API.

More details here: https://docs.microsoft.com/en-us/intune/reports-nav-create-intune-reports

Fortunately there are not a whole lot of details to dive into here, as connecting to the Intune DW is straightforward. Below I walk through connecting to the Intune DW via Power BI.

Let’s get started

To connect to the Intune Data Warehouse navigate to portal.azure.com and locate the Intune admin portal. From there select Overview and at the right of the page select the Intune Data Warehouse icon:

Once the Intune Data Warehouse blade opens you’ll see something similar to the image below. Either select the custom feed URL to use with a 3rd party reporting service or tool, or simply download Power BI desktop and the report content file. Once Power BI desktop is installed you’ll be asked to sign in to the Intune service.

The Power BI file contains a few canned reports, and after the data is processed, data will populate in each report tab. For example, a device summary is shown for the selected user below:

Or we can see device enrollment trends:


Or the status of app protection policies (aka MAM policies) and so on:


Don’t like the canned reports?  Feel free to create your own either by using a 3rd party tool, Power BI, or access the Data Warehouse APIs.

As you can see connecting to the Intune Data Warehouse consists of just a few steps and you’re off to viewing and creating reports.

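[Partner Case Study] Solving the challenges facing regional bus companies with cutting-edge technology: the vision and efforts of Artisan, which provides "バス予報" (Bus Forecast) on Azure [Updated 8/8]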

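With passengers drifting away from buses, business conditions in the bus industry are growing harsher and more routes in depopulated areas are being discontinued. To solve this problem, Artisan Co., Ltd. (アーティサン株式会社, hereafter Artisan) provides "バス予報" (Bus Forecast), a bus location system built with the latest technology, on Microsoft Azure.

So what is Artisan doing to spread "バス予報"? And why did it choose Azure as the delivery platform? We spoke with its Representative Director, 小山 才喜.

小山 才喜, Representative Director, Artisan Co., Ltd.
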

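Company overview and business

―― First, please tell us about your company.

小山: Our company is an IT firm established in July 2014. The name Artisan comes from the French word "Artisan," which carries meanings such as "skilled craftsman" and "artist-craftsman." Our main business includes support for system requirements definition, system design and construction, development consulting, and technical and design support for Microsoft products for enterprises. We have also published books through Shoeisha and Jorudan Books.

―― So it is still a young company. What are your particular areas of strength?

小山: CRM solutions based on Microsoft Dynamics CRM, support for making use of Microsoft SharePoint and Microsoft Office 365, and geolocation systems. In the CRM area, for example, we have commercialized products such as "EMOROCO," which incorporates sentiment analysis, robot and artificial intelligence functions, as well as an integrated school information solution and an integrated hospital information solution. In the geolocation area, we provide the bus arrival prediction service "バス予報".

―― In February 2017 you announced the start of a field trial of "バス予報" with Towada Kanko Electric Railway Co., Ltd. of the Kokusai Tohoku Group.

小山: Yes. This field trial was carried out from February to May 2017 on the route linking Towada City and Misawa City. It was originally scheduled to end in April, but it was extended to May, in part because customers rated it highly.

―― What led to starting this field trial?

小山: Before this we had actually run a field trial with Miyazaki Kotsu, which the Miyazaki Nichinichi Shimbun reported in October 2016. President Honda, the owner of the Kokusai Tohoku Group, learned of this and contacted me; that was the initial trigger.

―― When did he contact you?

小山: It was in December 2016. We held a meeting with the owner right away, and by the following month the start of the field trial had been decided.
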
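Features of "バス予報" and the background to its development

―― That was a very quick decision. What circumstances lay behind it?

小山: Systems like "バス予報" are generally called "bus location systems," and many bus companies, mainly in large cities, use them. However, conventional bus location systems are expensive, with deployment costs in the hundreds of millions of yen, so it is not easy for regional bus companies with tight revenues to adopt them. Yet in truth it is precisely the regional bus companies, which run few services, that ought to adopt such a system. "バス予報" lowers the barrier to adoption by basically charging a monthly fee per bus equipped.

―― So monthly billing keeps the initial investment down.

小山: It is not only the pricing; the mechanism is also very different from conventional systems. In conventional systems, the equipment installed on the bus is tied into the bus's own systems, so it inevitably becomes expensive. They also use bus radio or PHS for communication, so they have the problem that communication drops out in some areas. In contrast, "バス予報" adopts the same technology as smartphones and is independent of the bus's systems. This keeps equipment costs down and makes the device compact. For communication it uses LTE, which has wide coverage.

―― What services do you provide to passengers?

小山: By accessing the "バス予報" site on a smartphone and selecting a nearby bus stop, you can see in how many minutes the next bus will arrive and how late it is running against the timetable. You can also check which bus stops the bus is currently travelling between. If you search for a nearby bus stop and tap the "Map" button, you can also look up the location of the stop.

▲ Example smartphone screens: from left, top menu, bus stop display, current bus position, timetable

―― Why did you decide to develop "バス予報"?

小山: Because we wanted to solve the various problems facing regional public transport. In regional areas, bus delays caused by traffic congestion, worsening revenues for bus operators as passengers drift away, and depopulation of communities as bus routes are discontinued are all occurring. In Miyazaki City, for example, morning and evening traffic congestion has become a social problem, and many bus users are anxious because they do not know when the bus will arrive at the stop. If a bus location system can be introduced at low cost, solving these problems should help prevent the loss of passengers and make it easier to avoid route closures caused by worsening revenues.
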
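Why Azure was chosen as the service platform

―― You have adopted Azure as the platform for "バス予報". Why is that?

小山: The biggest reason is that Azure is inexpensive to use. That lets us keep the monthly fee for "バス予報" down as well. In addition, because it is a service offered worldwide, costs are reduced, and there are various programs to support startups like ours. Its PaaS capabilities are also rich, not just IaaS, so operations such as running and scaling applications are easy. Another major attraction is that its sense of speed is overwhelmingly higher than that of other companies' cloud services. On top of that, we ourselves are a group of engineers specialized in Microsoft technologies. Application development is also easy, so we can quickly refine how information is displayed to make it easier to use and improve the algorithms to raise the accuracy of bus position information.

―― Specifically, which Azure features do you use?

小山: For PaaS, we mainly use Web Apps and Mobile Apps in Azure App Service, chiefly to run and operate the system. We also use API Apps and the API Management feature to publish and manage APIs for other systems.

―― You say that Azure speeds up development and system launch. How long was the preparation period for the field trials?

小山: The Miyazaki Kotsu field trial doubled as development, so we spent about 4 months preparing. In the case of Towada Kanko Electric Railway, we completed preparation in a month and a half. Most of that time was spent collecting and registering information on bus routes and timetables.

―― How satisfied are passengers?

小山: We are in the middle of tallying the survey for the Towada Kanko Electric Railway field trial, and almost all the responses are favourable. The opinion "I would like it to be fully introduced in future" accounts for 70 to 80 percent, and there were also many comments such as "This is convenient" and "Please add it to other routes."
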
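Future outlook

―― What is the future outlook for "バス予報"?

小山: Besides Towada Kanko Electric Railway, the Kokusai Tohoku Group has two other bus companies, Shuhoku Bus and Iwate Kenkotsu, and from June 2017 a field trial is to be carried out at Iwate Kenkotsu as well. This trial covers 3 bus routes in Kamaishi City, and because the routes branch, it is more complex than the previous ones. We believe that building up a track record here will make the system easier to use on large-scale routes too.

―― Are you considering any functional extensions?

小山: The "バス予報" system adopts an API model and can deliver information to external systems via the API. Making use of this feature, we are thinking of uses such as displaying bus operation status on digital signage installed at bus stops. The issue there is securing a power supply, but we are also developing a device that combines a solar panel with electronic paper, and it has been selected, as a "regional information delivery system using low-power IoT devices and location information," for the "Subsidy for Supporting Innovative Manufacturing, Commerce and Service Development" under the FY2016 (Heisei 28) supplementary budget.

―― If an API is available, many other uses come to mind.

小山: We are also considering integration with other companies' route search systems and delivery of tourist information for the area around bus stops. A route search service is already planned for Iwate Kenkotsu's portal site, and there is talk of linking from there to "バス予報". In addition, we are developing a bus operation management system based on "バス予報". It tracks the positions of buses in service, displays them on a map, and raises an alert if any unusual movement is seen. If this kind of mechanism spreads, I think it will make possible not only greater convenience for bus users but also more efficient operation management.

▲ Example screen of the bus operation management system: bus operators can check the operating status of their buses on this screen

―― That opens up all sorts of possibilities. Thank you very much for your time today.

Artisan Co., Ltd.

Established in July 2014. The company provides support for system requirements definition, system design and construction, development support consulting, and technical support for Microsoft products for enterprises. It also pursues development of its own products, such as the "バス予報" introduced here. By actively using cutting-edge technology, it helps solve the challenges facing companies and society.
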
The first keystroke is cancelled when entering Japanese text into a cell in Excel Online using Chrome

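Hello, this is the Office Support Team.
In this post we explain an issue in which the first key entered is cancelled when entering Japanese text into a cell in Excel Online using Chrome.

Symptom

When you enter Japanese text into a cell in Excel Online using Chrome, the first key you entered is cancelled.

For example, to enter マイクロソフト in a cell, you type maikurosofuto with romaji input, or まいくろそふと with kana input.
In this case, what is actually displayed in the cell is as follows.

Romaji input:

At the point where ma is typed, the initial m is cancelled, and the displayed result is あいくろそふと.

Kana input:

At the point where まい is typed, the initial ま is cancelled, and the displayed result is いくろそふと.

Workaround

Please consider working around the issue with one of the following methods.

Method 1.

Double-click the cell in which you want to enter text.

Once the cursor appears in the cell and the cell is in edit mode (the cursor blinks), enter the text.

Method 2.

Select the cell in which you want to enter text and press the F2 key.

Once the cell is in edit mode (the cursor blinks), enter the text.

Method 3.

If the first character has been cancelled, delete all the text once and then enter it again.

Status

This issue is currently under investigation.

That is all for this post.

The information here (including attachments and linked content) is current as of the date of writing and is subject to change without notice.
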
Azure Security Resources | aka.ms/Azure/Security

I am often looking for or need to refer others to the best security guidance around Azure and Azure Active Directory, so this will be my new landing spot for such resources.  Recently, we had an internal convention before the more public MS Ignite coming soon. From the resources presented at those internal sessions, I've grabbed their shortcuts to include below.  Additionally, I'll do my due diligence and scour the places I know best.

Just a quick start...more to come!
