Writing PowerShell scripts over the last couple of weeks has been a steep curve. I’ve watched PowerShell from afar over the years but don’t really use it enough to say I know it. Luckily, many others do, and they’ve posted their knowledge on the ‘net. This is what I drew upon:
Office 365 and proxy servers don’t mix very well. Well, to be more accurate, thousands of Outlook, Skype for Business and OneDrive for Business clients, each with multiple connections to online services can quickly build up to a lot of (persistent) connections. If you haven’t already, it’s well worth reading Paul Collinge’s blog post on ensuring your proxy server can scale to handle Office 365 traffic.
Microsoft recommends that the network is configured to allow unauthenticated direct outbound access to a published list of URLs and IP ranges (there’s also an RSS feed) – although I’ve had customers who take issue with this and don’t think it’s a reasonable expectation in the enterprise. My view? You’re adopting cloud services; your network boundary has moved (disappeared?) and the approach you take to managing the connectivity between services needs to change.
Perhaps as more people take advantage of services like ExpressRoute for Office 365, things will change but, for now, every Office 365 implementation I work on seems to involve a degree of proxy bypassing…
Some of the issues I experienced in a recent implementation included:
- OneDrive for Business unable to perform an initial synchronisation, but fine on subsequent syncs. It seems that the OneDrive client downloads http://clientconfig.microsoftonline-p.net/fplist.xml when it first syncs. We could get it to work when going through a different proxy server, or direct to the Internet; but the main proxy server had to have a list of trusted sites added. The managed services provider had previously allowed access to some known IP addresses (a risky strategy as they change so frequently and the use of content delivery networks means they are not always under Microsoft’s control), but the proxy server had the capability to trust a list of target URLs too.
- Outlook unable to reliably redirect after Exchange mailboxes were migrated to Exchange Online. In this case, we found that, even with the trusted URLs in place on the proxy, as part of the Outlook Autodiscover process, Outlook was trying to contact autodiscover-s.outlook.com. The proxy wasn’t allowing unauthenticated access and Outlook didn’t know how to cope with the authentication request. Once autodiscover-s.outlook.com had been added to the proxy server’s unauthenticated access list, Outlook Autodiscover began to work as intended.
- Lync/Skype for Business Online calls working internally, but not with external parties. Users dropping off the call after a few seconds. We still haven’t got to the bottom of this, but strongly suspect the network configuration…
- Exchange Hybrid free/busy information not available cross-premises. Again, this seems to be related to the Exchange servers’ ability to see the Internet (free/busy lookups are performed by the server, not the client).
This time last year, Office 365 gained an App Launcher as part of a new navigation experience for Office 365 on the web. Users can add and remove tiles from this launcher – and administrators can provide new tiles to point to corporate resources – for example a CRM platform or the company intranet.
Unfortunately, not all customers want their users to use all of the features and functionality in Office 365 and the administrative controls to manage the App Launcher for all users are limited. I’d argue that part of consuming a cloud service is adapting to new features and functionality as they are released but that doesn’t go down well with everyone, often leaving me trying to find ways to disable or hide parts of the service. The following settings may help to selectively remove tiles from the Office 365 App Launcher but it’s not always straightforward – and it’s also subject to change (with a new admin center on the way):
- Admin: revoke a user’s administrative rights.
- Instant messaging and web conferencing: remove the Skype for Business Online licence and this functionality will disappear (there is no associated tile).
- Mail, Calendar, People, Tasks: remove the Exchange Online licence and these tiles will go too.
- OneDrive for Business, Sites, Office Web Apps: remove the SharePoint Online licence (which also requires that you remove the Office Online licence).
- Office 365 Store: a switch was recently added to disable this tile, under Service Settings, User Purchasing, Display Office 365 App Store Tile.
- OneDrive for Business: hide in the SharePoint Admin Center settings, under show or hide options.
- Office 365 groups: using PowerShell against Exchange Online, edit the Outlook Web Access policy with Set-OwaMailboxPolicy -GroupCreationEnabled $False -Identity PolicyName. If you only want to apply the change to a subset of users, create a new policy and apply it accordingly.
- Sites: hide in the SharePoint Admin Center settings, under show or hide options.
- Delve: turn off the Office Graph in the SharePoint Admin Center settings. Delve will still be there in parts though: for example when users access their profile.
- Sway: turn off under Service Settings, Sway, Let people in your organization use Sway. Unfortunately it won’t remove the tile.
- Video: in the SharePoint Admin Center settings, under Streaming Video Service, disable streaming video through Azure Media Services and disable the Video Portal.
- Yammer: for this one you’re between a rock and a hard place: Yammer Basic is anarchic; convert to Yammer Enterprise and the tile will be visible to users – you cannot turn it off.
Some of these options merely hide capabilities – they may not be entirely disabled – and my recommendation would always be to leave settings enabled and teach users how to make use of the platform. In particular, turning off the Office Graph may have wider reaching implications.
Meet the Office 365 App Launcher
For the last few months, I’ve been getting more and more infuriated with my PowerShell sessions opening in a tiny raster font (4×6). On a high resolution display like the one on the Surface Pro 3, that’s a complete pain and, whilst I could change the font in the properties for that session, it wasn’t “sticky”, with an error that said:
Error Updating Shortcut
Unable to modify the shortcut: Check to make sure it has not been deleted or renamed.
For reference, I’m experiencing this on Windows 8.1, 64-bit and it only applies to the Windows PowerShell shortcut and the Microsoft Azure PowerShell shortcut – not to the PowerShell ISE, nor to the various shortcuts created by modules like the SharePoint Online Management Shell, Lync Server Management Shell or the Windows Azure Active Directory Module for Windows PowerShell.
Solving the “stickiness” of my changes was simple enough – I asked our support team to change the permissions on the shortcut to allow Users to Modify it – but I still couldn’t get it to stay on my preferred setting: Lucida Console 20.
I could set it to Consolas, or raster fonts (urgh), but Lucida Console just wouldn’t stick. It’s been recorded as a bug in Microsoft Connect for a couple of years but there’s no sign of a fix yet (not even in Windows 10).
Being unable to set the default PowerShell font to Lucida Console seems to be a widely recognised problem. Various options are discussed on this SuperUser post including that it may be a language issue. Others have suggested the issue is the space in the font name, with a workaround that involves installing a new font and editing the registry (not an option for me without administrator permissions). I also looked at using the SetConsoleFont module to change the font within my PowerShell profile but struggled to work out the settings I would require.
In the end, I gave up and accepted that Consolas 24 is vastly preferable to a 4×6 raster font!
For a long time now, the default behaviour in OneDrive for Business has been to provide a folder (called “Shared with Everyone”) which is an easy way to share files with everyone in the organisation. By default, the permissions on this allow editing of files in the folder by “Everyone except external users” (and guest links can be provided for others – either on a view-only or an edit basis).
From 1 August 2015, Microsoft changed the default setting for OneDrive for Business so that the Shared with Everyone folder is no longer provisioned. It can be created manually by a user, or the tenant settings for the entire organisation can be set to provision the folder by default:
Set-SPOTenant -SharingCapability Disabled -ProvisionSharedWithEveryoneFolder $true
It’s also possible to remove users’ ability to use the “Everyone,” “All Users” and “Everyone except external users” groups from the people picker in OneDrive for Business and SharePoint Online with the following commands:
Set-SPOTenant -ShowEveryoneClaim $false
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false
Set-SPOTenant -ShowAllUsersClaim $false
Enabling them is achieved with the equivalent commands but set to
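An added example, not from the original post or the author's scripts: a read-only check of the four Set-SPOTenant settings named above, reporting which ones still expose organisation-wide groups or the Shared with Everyone folder. The function name Get-BroadSharingFinding is hypothetical, and treating $false as the restrictive value for every setting is this example's assumption.

```powershell
function Get-BroadSharingFinding {
    # Hypothetical helper: accepts the object returned by Get-SPOTenant
    # (or any object carrying the same property names) and changes nothing.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Tenant
    )
    begin {
        # The settings discussed in the post; $true leaves broad sharing available.
        $settings = 'ShowEveryoneClaim',
                    'ShowEveryoneExceptExternalUsersClaim',
                    'ShowAllUsersClaim',
                    'ProvisionSharedWithEveryoneFolder'
    }
    process {
        foreach ($name in $settings) {
            $property = $Tenant.PSObject.Properties[$name]
            if ($null -eq $property -or $null -eq $property.Value) {
                # A missing property is reported, not assumed to be safe.
                $state = 'Unknown'
            } elseif ([bool]$property.Value) {
                $state = 'Broad'
            } else {
                $state = 'Restricted'
            }
            [pscustomobject]@{
                Setting = $name
                Value   = if ($property) { $property.Value } else { $null }
                State   = $state
                # Suggested command only; the function never runs it.
                Change  = if ($state -eq 'Broad') { "Set-SPOTenant -$name `$false" } else { $null }
            }
        }
    }
}

# Constructed sample standing in for Get-SPOTenant output, so this runs offline.
# ProvisionSharedWithEveryoneFolder is left out on purpose to show the Unknown state.
$sampleTenant = [pscustomobject]@{
    ShowEveryoneClaim                    = $true
    ShowEveryoneExceptExternalUsersClaim = $true
    ShowAllUsersClaim                    = $false
}
$sampleTenant | Get-BroadSharingFinding | Format-Table -AutoSize

# In a connected SharePoint Online Management Shell session:
#   Get-SPOTenant | Get-BroadSharingFinding | Where-Object State -ne 'Restricted'
```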
One of the side effects of no longer having a company car is that I’m having to take direct responsibility for maintenance again. It’s a world away from my days of learning how to maintain my Mum’s 1980 Ford Fiesta! For example, I recently learned how the wiring in modern cars is totally changed so that it uses a controller area network (CAN) and a serial bus to integrate the various electronic components and to reduce the amount of physical wiring in use. This CANbus system uses common wiring (CAN high and CAN low) and each device communicates using its own frequency… or at least that’s how it was explained to me.
Last month, I had a new car stereo fitted in my family’s 2008 Golf. The Pioneer DEH-4700BT was a bargain at just under £79 (from Halfords) including Bluetooth connectivity to multiple phones for calls and media playback but, by the time fitting and the various cables/adapters/fascia components had been added, the cost had gone up by another £100!
I’m amazed what a difference the new head unit makes on the existing speakers (apparently manufacturers tend to over-specify the speaker to avoid warranty claims if they are “blown” early in the vehicle’s life) but I also learned a little about the car electrics whilst it was being fitted for me.
Initially, the unit was wired in with a live feed taken from the cigarette lighter socket; however that wasn’t needed once all of the necessary parts arrived – the final piece being a stalk control adapter for integration with the steering wheel controls (I can re-use the permanent live if I buy a dash cam in future). Unfortunately, the use of these third party interfaces to the Volkswagen CAN has an interesting side-effect as it seems it listens for control on a range of frequencies, rather than a specific signal. This means that, when I use the steering wheel controls to adjust the car’s multi-function computer (e.g. to switch from fuel economy to distance driven), it skips forward/back a track on the stereo! One workaround is to switch the stereo to Aux input before changing the computer settings, then switching back again – but it is a bit clunky really!
I’ve since found a Mk5 Golf GTI forum post that suggests using Volkswagen’s own single-DIN facia unit and a Connects2 steering wheel interface. It certainly looks like a better finish but having already shelled out over £100, our car (which is certainly no GTI) will keep the AutoLeads version for now (I have an AutoLeads PC99-505 with PC99-SON, which I’m told is the same as the PC99-PIO Pioneer version, a PC2-75-4 harness adapter and an FP-17-03 fascia adapter with removable pocket).
I’ve been trying to write a weekly Windows 10 blog post but this week has been incredibly hectic and the planned post on Windows Hello isn’t complete yet. Hopefully that will come next week…
In the meantime, I’ve been looking at updating Office on some of my PCs. Regular readers may recall that I wrote about Office 365 Home last month. I’ve been waiting for the Windows Update process to tell me that Office 2013 was ready to be updated to 2016 but it seems that’s not how it works. Instead, log into your Office account and click install. This will then download an installer that does the rest of the work for you and a few minutes later you’ll have the latest Office apps (replacing the existing 2013 versions).
Some more mini-snippets, this week with a focus on Windows 10 and Office/Office 365.
Windows 10 shortcuts and other productivity guides
A few days ago, I added a link to my delicious account with a useful list of shortcut keys for Windows 10. Quite why it’s a Word document downloaded from the Microsoft Download Center is anyone’s guess but I did find it’s one of many potentially useful productivity guides at the Microsoft IT Showcase.
Office and Office 365 training
Another resource for IT training materials, particularly around Office (and Office 365) is the Office Training Center. I’m a little embarrassed that it was one of my customers who alerted me to this… but it’s worth knowing about, with some useful guides for users – for example this quick reference card for OneDrive for Business.
In common with most platforms, Office 365 has a mechanism of password policies to set intervals after which a password must be changed; however there are cases where it may not be desirable to force password changes. In those cases, it’s possible to disable password expiry.
I came across an issue recently though where, once the password expiry notification was displayed in the Office 365 portal, even changing the account to disable password expiry wouldn’t dismiss the notification. I think this only occurs if the password expiry has been disabled after the initial notification has triggered. I’m not sure what would have happened if I had left it to run through to expiry (I didn’t, because that would have clashed with a major milestone on our project) but it seems I’m not alone in experiencing this.
In the end, the only way I could get the notification to disappear was to change the password (after which I changed it back again…).
I have a growing collection of PowerShell scripts for Office 365 management and, whilst I may not be the best scripter/coder out there (I’m pretty sure there are many people who could look at my scripts and say “there’s a better way to do that”), I’m open-sourcing them in the hope that others will contribute.
The current scripts are:
- Connect-O365.ps1 – connect to multiple Office 365 sessions in a single PowerShell window.
- Check-ODBQuotas.ps1 – checking a list of UPNs to see if their OneDrive for Business folders have been created and, if so, if their quotas need to be set.
- Set-O365Licences.ps1 – setting usage locations and applying/removing licences for Office 365 users.
- Set-ODBQuota.ps1 – setting a quota for a user’s OneDrive for Business folder.
More details on the use of these scripts can be found in the readme file for the project.
Other scripts are in development for:
- Setting restrictions on audio/video settings in Skype for Business Online.
This collection is up on GitHub under the name of posh-o365 and I’d be interested to hear what people think of these, and what other scripts might be useful for performing Office 365 management tasks at scale in an enterprise context.