Tuesday 16 April 2019

I have AADConnect Directory Synchronisation and users do not provision for Skype for Business Online

Just a quick one this morning. I recently I had an issue where a customer did not have users being provisioned for Skype for Business Online. The customer had remnants of a legacy Lync 2013 on-premises deployment and they were using AADConnect for directory synchronisation.

Digging in the tenant I could see that even with the Skype for Business Online license enabled, even after waiting several hours if I used Get-CsOnlineUser in the Skype for Business Online Management Shell, no users were there.

This led me to my good friend Jaap Wesselius Blog Post here - Aha, a possible eureka moment! This must be the issue. Unfortunately it wasn't, however it was this attribute that ultimately resolved the issue and led me to the resolution.

It appears since Jaap's post further logic and evolution has occured in the service, and these previous on-premises Lync enabled users could not be enabled for Skype for Business Online anymore using the above solution.

What I had to do was actually set the msRTCSIP-DeploymentLocator attribute to 'sipfed.online.lync.com' - once this was done the user would provision. Interesting as no previous Lync Hybrid deployment was in-place or had been attempted. It appears to be logic in the service for users that were previously enabled for Lync or Skype for Business on-premises.

Anyhow to cut a long story short, I wrote a little script to do this. I utilised a CSV file to import my users, as I didn't want to perform this operation across all user objects in the Active Directory. Similarly if you are planning to perform a cutover from on-premises Lync or Skype for Business rather than a Hybrid deployment and migration - again this will come in handy before you deprovision the users in the on-premises service. Just make sure you export the list of users via Get-CsUser first. Of course if you do plan on wanting to write across all user objects then substitute the first line "$users =" with Get-AdUser or similar rather than Import-CSV.

It's fairly self explanatory - And remember, even if you don't plan on using Skype for Business - be aware that Microsoft Teams still has some reliance on the service for services such as voice. So you will want to ensure there's no issues to provide your tenant and users a smooth Teams experience.

$users = Import-CSV -Path C:\yourfilehere.CSV
ForEach ($user in $users){
$u = $User.samaccountname -replace '"',''
Set-ADuser -Identity $u -Replace @{'msRTCSIP-DeploymentLocator' =  "sipfed.online.lync.com"}}

Thursday 11 April 2019

Enabling Azure Information Protection Unified Labelling Preview

Microsoft currently have Unified Labelling in preview, but if you are looking at migrating your Azure Information Protection labels over to the Compliance Center what do you need to do?
First and foremost I would advise against do this in a real in-life tenant right now unless you are well prepared and ready for users to utilise it in Office.

Migrating the labels and having a Unified Labelling experience is one thing, but currently not all settings are migrated and you have to check each migrated label with care and attention - and reconfiguring the labels as and where necessary.

If you have a test Office 365 tenant however, this is a great place to test the unified experience to help plan for when the service becomes generally available, and will also allow you to test out the experience in Microsoft Office clients with the Unified Label plug-in.

So - how do we unify the label experience to help us plan for the change as a administrator for when Microsoft push this change to the service later in the year?

First things first, let's take a look at what's in the Compliance Center | Classifications | Labels. You will see these have now been split into 'Sensitivity' and 'Retention'.

In my test tenant, any previous labels I had created before this change would have been for Retention only, as Sensitivity was not an option. So you can see I have zero Sensitivity labels available.

So how do we migrate labels from the Azure Portal to Compliance Center? If we login to the Azure Portal and select Azure Information Protection, you'll see 'Unified labeling (Preview)' at the bottom of the blade. You'll see that it is a one way process and cannot be undone was activated, you'll see any labels with duplicate names across the service will be renamed (so best to check this, or test it out like I did). The one thing it doesn't state is not all your settings are migrated over! Which is pretty poor to be honest and something it should absolutely state You can read up about this further at this docs.microsoft.com AIP documentation.

Let's take a look and then activate.

Once activated you will see your AIP labels appear in Compliance Center under 'Sensitivity'.

So comparing the migrated labels you'll see some settings are migrated, and others are not. So make sure you verify each and every migrated label. However it is generally pretty good at carrying most things over. Confirm all protection settings and headers and footers to re-affirm your configuration settings.

You can see for example the encryption settings and users specified for a label have been carried over succesfully in this example label.

So once you have tested the experience, you now need to ensure you have downloaded and installed the unified label plug-in for Microsoft Office. It requires a specific version of .Net and there's a specific KB to install to allow it to work on Windows 7 machines. It also supports Office 2010 which is a surprise too - you'll find all the caveats to these here.

Have fun!