Wednesday, 13 June 2018

The curious case of changing background colour for Office 365 Message Encryption

An interesting issue cropped up earlier this week when working with a customer to brand their OMEv2 experience to their corporate website and utilise the same colours and logo where appropriate. We had already branded Office 365 and we were to utilise an HTML colour code from their website into Office 365 Message Encryption.

Now Microsoft are usually very good with their documentation, but this did initially bring around some frustration as changing background colour simply didn't work.

The article explaining the Set-OMEConfiguration cmdlet is here, and states the following:

The BackgroundColor parameter specifies the background color. Valid values are:

  • An HTML hexadecimal (hex triplet) color code value (for example, #FFFFFF is white).
  • $null (blank). This is the default value.

However it doesn't work with an HTML colour code as you can see below.

Interestingly, utilising Get-Help Set-OMEConfiguration -full didn't shed any more information on the matter than what I was reading on, even after using Update-Help.

Utilising Get-Command Set-OMEConfiguration -Args -backgroundcolor didn't really give me any insights and nor did expanding the parameter set using

$a = Get-Command Set-OMEConfiguration
$a.ParameterSets[0] | select -ExpandProperty Parameters

 However this did give me information on what values it was expecting, which could be anything.

In a moment of frustration I just typed a colour in, for example Black, and the change was honoured.

Which frankly is hilarious. As my client wanted a certain blue, whilst I was not able to give him the exact blue they wanted, I found I could support light blue - although it had to be added as lightblue; 'light blue' was not accepted.

 This made me think how many blue options were available to me. It's safe to say you can't have navy blue but royal blue is fully supported.

I've raised this to Microsoft to hopefully get the cmdlet to match what's on and give us our HTML colour codes. I am pleased to confirm however $null does indeed work and removes any background colour change you have made :)

Update! 15/06/18 - 48 hours after raising this to Microsoft they have acknowledged the issue and created this article for the list of 140 available colours, as well as updating the original article.

Take care!

Wednesday, 30 May 2018

Convert an RMS template to an AIP label

So you can convert an Azure Rights Management template into an Azure Information Protection label in less than 30 seconds, but delving a little deeper, does it keep the settings? Let's take a look.

Select 'Protection'

Let's look at the settings of the label

The original test RMS template allowed me to share contact with an external user - something that had to be managed using a custom template in Azure Rights Management unless you used the Azure RMS Sharing App. Anyhow - looking at the configuration of the label you can see it's successfully converted my RMS template and carried over the settings I originally configured. I would of course advise you to check every single RMS template you convert to an AIP label and of course it needs user education on the productivity change.

Have fun!


Thursday, 10 May 2018

An Introduction to Microsoft Teams

Just a heads up to join me on 11/05/2018 as I am hosting a webinar on Microsoft Teams: The New Way of Working.

See you there!


Friday, 4 May 2018

Secure your Twitter account with Multi Factor Authentication and the Microsoft Authenticator App

Yesterday, Twitter notified its followers and the press that a bug had potentially allowed some 330 million user accounts to have their passwords stored without encryption. They have advised users to change their passwords even though they believe no compromise of this data has occurred. You can read the whole story via Twitter here and the BBC News story here.

I have indeed changed my Twitter password this morning - and I also went one step further, by securing my Twitter account with Multi Factor Authentication.

Now there are primarily two ways you could do this.

You could have the app integrated with Office 365 by assigning it to users through the Azure Marketplace, but assigning multi factor authentication to gallery applications this way requires Azure AD Premium P1 or better licensing whether it is deployed by Administrators or available for users via self service. Plus it would also utilise your Azure AD identity for authentication and verification to Twitter.

The other way is to natively integrate it directly through Twitter. Microsoft has made great gains in ensuring the Authenticator app in the relevant app stores can provide both corporate, personal and third party app support through a single application pane.

So, now that you've woken up and changed your Twitter password this morning, here's how you protect your account with Multi Factor Authentication and the Microsoft Authenticator app.

Login to Twitter and go to 'Settings and privacy'

Select 'Set up login verification'

You will go through a process to get a verification code to your registered mobile device

Once you have entered the verification code and completed this process you'll be able to review your login verification methods for Twitter

From here you'll be able to select a 'Mobile security app' to protect your Twitter account

Select it and start the process

Twitter will provide a QR code which you can use with the Microsoft Authenticator app to add your Twitter account

Open the Microsoft Authenticator app on your mobile device and select 'Add account'

Select 'Other account (Google, Facebook, etc.)'

Once you have scanned the QR code in, Twitter will be added to your Microsoft Authenticator app

Back at Twitter, you can now add the code for Twitter from the Microsoft Authenticator app to complete the process

And that's it. You're all set up!

You can now use the Microsoft Authenticator app for your Azure Active Directory MFA requests, and your personal accounts and personal apps like Twitter.

Have fun!


Thursday, 3 May 2018

Help! Where's my Office 365 Message Encryption Encrypt Button in Outlook

Office 365 Message Encryption v2 based on AIP offers improved capability over the v1 release, including automatic protection for documents and also encryption functionality.

However there are some user experience differences based on what client you are using if you are specifically looking to deploy the encrypt functionality OMEv2 provides.

If we take a look in Outlook Web App / Outlook on the Web for an Office 365 tenant with AIP and OMEv2 capabilities we will see that Encrypt is available in the Protect function

But the confusion lies in where that functionality is for Outlook. First of all you won't have any AIP functionality inside Office or integrated into your Windows experience unless you deploy Azure Information Protection.

        Outlook 2016 without Azure Information Protection

         Outlook 2016 with Azure Information Protection

 You can grab the installer here. There's both the executable and an MSI if you're looking to auto-deploy with Intune or another MSI deployment tool.

However, even with AIP installed, the encrypt functionality that is available in OWA/OotW is not there.

I've seen some instances where users find the security properties for the message and try to utilise encryption this way.

But of course that's for certificate-signed email (S/MIME).

So is there an OME configuration setting to expose it to Outlook clients? Well the answer is no. There's a universal setting in Get-OMEConfiguration that exposes the message encryption capability to clients, but by default this is set to $True

So where is the Outlook client encrypt button? Well the answer is it isn't available yet. Expect an update to the AIP installer with integrated functionality into the Office suite coming at a later date - a bit like Rights Management already has been doing for some years - to come pretty quick too.

So how can we help Outlook clients utilise this feature? Well the answer at this time is to create an OMEv2 capable Transport Rule in the Office 365 Exchange Admin Centre. We can create self service capability to any destination recipient, for example setting it up to auto-encrypt by putting the word encrypt into the subject line, or we could utilise domain enforcement to encrypt messages going to certain domains and/or email addresses.
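The two kinds of rule described above (self service on a subject keyword, and enforcement for a recipient domain), as an added PowerShell example that is not part of the original post. It assumes a connected Exchange Online session and that the OMEv2 template is named 'Encrypt' in the tenant; the rule names and the domain partner.example are placeholders.

```powershell
# Added example, not from the original post. Assumes a connected Exchange Online
# PowerShell session. Rule names and 'partner.example' are placeholders; 'Encrypt'
# is assumed to be the OMEv2 template name available in the tenant.

# OMEv2 relies on Azure RMS licensing being enabled for Exchange Online.
if (-not (Get-IRMConfiguration).AzureRMSLicensingEnabled) {
    throw 'AzureRMSLicensingEnabled is False; enable it before relying on OMEv2 rules.'
}

$rules = @(
    @{  # Self service: the sender puts the word "encrypt" in the subject line.
        Name                 = 'OME - encrypt on subject keyword'
        SubjectContainsWords = 'encrypt'
    },
    @{  # Domain enforcement: everything sent to a given recipient domain.
        Name              = 'OME - encrypt to partner domain'
        RecipientDomainIs = 'partner.example'
    }
)

$existing = Get-TransportRule | Select-Object -ExpandProperty Name

foreach ($rule in $rules) {
    if ($existing -contains $rule.Name) {
        Write-Warning "Rule '$($rule.Name)' already exists; skipping."
        continue
    }
    # Create in Audit mode first so the match can be checked in message trace
    # before any mail is actually encrypted.
    New-TransportRule @rule -ApplyRightsProtectionTemplate 'Encrypt' -Mode Audit
}

# Review what was created, then switch a rule to Enforce once it matches as intended:
#   Set-TransportRule -Identity 'OME - encrypt on subject keyword' -Mode Enforce
Get-TransportRule |
    Where-Object { $_.Name -like 'OME - *' } |
    Format-Table Name, State, Mode, Priority, ApplyRightsProtectionTemplate
```

Keep the subject keyword rule scoped to a word users will not type by accident, and check the rule priority so an earlier rule with "stop processing" does not bypass the encryption rule.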

Have fun!


Friday, 20 April 2018

Utilising App ID to find apps in the Intune Portal faster

Just a quick one this Friday afternoon from me. Ever been in the Intune portal and got frustrated at finding the correct App from the returned results? Well just use the App ID instead.

Find the app in the actual app store.

Take note of the App ID

Use the App ID to search within Intune

Et voila! You'll find that not so well known app much faster.

Have fun,


Branding Azure Information Protection OME with your Company Logo

Microsoft recently released Office 365 Message Encryption v2, overhauled on Azure Information Protection rather than Azure Rights Management.

The solution, like its predecessor, allows you to encrypt messages and have them encapsulated in the browser when being sent to recipients. The likely scenario for this is external recipients, and you can enforce encryption on specific domains, to specific people, or allow users to specify when to encrypt a message by, as an example, putting the word 'encrypt' into the subject line.

Exchange Online through the browser using Outlook on the Web/Outlook Web App and an updated version of Outlook 2016 allow recipients to decrypt these messages on the fly, as does the web browser experience (note Outlook version support requires 2016 as is being rolled out).

However the majority of users on other services will receive the following.

The user will then have to authenticate with their username and password if they're on a supported platform such as gmail (where Microsoft is using gmail as an authentication provider), or the user will have to opt for a One Time Code (OTP). This is basically the same experience as Office 365 Message Encryption v1 offered. All well and good so far.

I was keen to see if you could still brand the OME experience, and I am pleased to say you can.

First, fire up a session to Exchange Online in PowerShell, then let's view the OME configuration using Get-OMEConfiguration

Next, let's upload a logo and see if OME continues to honour it even though we're utilising AIP.

Set-OMEConfiguration -Identity "OME Configuration" -Image (Get-Content c:\yourimage.png -encoding byte)

Finally let's check the image has been uploaded with Get-OMEConfiguration

You can see the image is uploaded to blob storage in Azure - but specifically mentions OMEv2 branding with the url

So to users that cannot auto decrypt OME encrypted emails, is the OME experience now branded? It is!

On another note, it's nice to point out you can also add disclaimer and additional text using these commands.

Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "Your Text Here"

Set-OMEConfiguration -Identity "OME configuration" -PortalText "Your Text Here"

And don't forget, with AIP integrated you can use 'encrypt' via the 'Protect' button to auto encrypt emails rather than creating an OMEv2 Transport Rule for encryption self service or recipient or domain enforcement processes

Have fun!


Tuesday, 20 March 2018

Help! My imported Visio stencils are blue!

Just a quick one. But I know this annoys everyone that it happens to!

You download some Visio stencils to 'My shapes', go to use them, and then they are blue. Very frustrating.

To resolve the issue, go to Design | Themes and specify the 'no theme' setting. And voila.

This post will no doubt be archived by the internet search engines soon so it will hopefully make everyone's life a lot easier.

Take care,


Monday, 12 March 2018

Changing phones when using the Microsoft Authenticator app for Azure MFA in Office 365

Hi all,

I've had a busy start to 2018 moving customers to Office 365 and have had a few blog posts and blog post ideas queueing up on me for a while now. So, here's the first post for March.

How does one change their Azure MFA settings once an administrator has forced you to enroll and you're now a year in and you're changing your mobile phone?

Good question! It's not discussed on any KB article or Microsoft blog post. So if you need to change your device or even your 2nd factor type, for example from text or phone to the App, then follow this process.

1. Login to Office 365 and go to 'My Account'

2. Go to 'Security and Privacy'

3. Select 'Update your phone numbers used for account security'. Now it will ask you to go through multi factor authentication at this stage. So if you have lost your device then contact IT support to help resolve your issue (their solution will be that they will make you re-enroll).

4. Select 'Configure' and set up the Microsoft Authenticator app on your new phone by either using the QR code or the manual URL.

5. You can of course change your 2nd factor type by changing your preferred option. Note that you will only be able to select what your IT Administration team has made available to you.

And that's it. If you don't want the cumbersome process of going all the way through to the 'My Accounts' page you can also use this link:

Take care,


Monday, 4 December 2017

Microsoft Teams gets Usage Reports

Just a quick update from me as we start this week. Microsoft has added two usage reports for Microsoft Teams: User Activity and Device Usage reporting.

Log into the Admin Portal and select Reports | Usage | Microsoft Teams

We can expect to see more in the coming days and weeks as the transition from Skype for Business to Microsoft Teams continues.

Have fun

Oliver Moazzezi