Jared Matfess's Blog

Having fun with SharePoint, Office 365, and Microsoft Azure

How to remove a user’s access to their Exchange Online while allowing them access to other Office 365 Services — January 3, 2018

Acquisitions and divestitures can create some very interesting requirements from organizations’ Legal Departments. I am currently working at a client who is in the process of divesting part of their business and they posed a rather interesting challenge to help facilitate the transition period for departing employees. They requested the following:

  1. Maintain all ~100 Exchange Online mailboxes intact
  2. Provide “Auto-Replies” in order to alert mail senders that their e-mail address has changed
  3. Prohibit the users from accessing their old e-mail box including reading old e-mail or sending new e-mail
  4. Still allow the users access to other Office 365 services including OneDrive, OneNote, the Office client applications, & SharePoint Online.

When presented with this list I was doing rather well until I hit condition #4, which put a wrinkle in my plans. Traditionally when performing a divestiture, I would usually follow a process of generating PSTs, providing them to the new company, putting the mailbox on Legal Hold, converting the mailbox to a Shared Mailbox, removing the O365 license, etc. However, the additional requirement to maintain their access to other O365 services made this quite challenging.

At first I tried going down the path of trying to change permissions on the user mailbox, which proved to be useless. There was no way of removing the user’s access to their own mailbox. Next, I started thinking about some sort of a leapfrog-type approach of creating a shared mailbox, backing up / restoring the user mailbox into it, auto-forwarding all new e-mails from the user mailbox to the shared mailbox without keeping a copy, etc. As you might imagine this became overly complicated rather quickly.

I then shifted my focus to some of Office 365’s security tools and mainly Intune Conditional Access Security Policies. Since my client is currently licensed for E3 with Enterprise Mobility + Security, they have access to both Intune & Conditional Access Policies.

This all came together really nicely as I was able to create a Conditional Access Policy that would block Exchange Online. I could then select users or ideally a group that would receive that automatic block (across OWA, Client, and Mobile).

[Screenshot: Block-Exchange-Online.JPG]

When testing this out via OWA with the disabled user, I was greeted by this awesome error message:

[Screenshot: Account-Disabled.png]

And yet when I accessed OneDrive it loaded just fine:

[Screenshot: OneDrive-Works.jpg]

One interesting thing I did notice was that when I applied that policy, the user’s mailbox disappeared from the Exchange Online admin console. Yet, I was still able to make changes to the mailbox using PowerShell (for example setting the AutoReply).

Here’s the order of operations for the actual cut over:

  1. We put all the mailboxes on litigation hold
  2. Ran a PowerShell script to set the Auto-Reply
  3. Create an O365 Group (either Mail-enabled Security or Distribution List)
  4. Create the Conditional Access Policy and include that Group in the policy blocking access to Exchange Online
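
The first three steps of this cutover can be scripted and then checked before the policy is switched on. The following is an added example, not the script used on the engagement; it assumes an already-connected Exchange Online PowerShell session, and the mailbox addresses, group name and reply text are constructed placeholders. The Conditional Access policy itself (step 4) is still created in the portal as described above.

```powershell
# Added example, not the author's script. Run in a connected Exchange Online
# PowerShell session. Addresses, group name and reply text are constructed placeholders.
$ErrorActionPreference = 'Stop'

$departing = @(
    [pscustomobject]@{ Mailbox = 'alice@contoso.example'; NewAddress = 'alice@newco.example' }
    [pscustomobject]@{ Mailbox = 'bob@contoso.example';   NewAddress = 'bob@newco.example' }
)
$groupName = 'Divested-Block-ExchangeOnline'        # hypothetical group name
$groupSmtp = 'divested-block-exo@contoso.example'   # hypothetical address

foreach ($u in $departing) {
    # Step 1: litigation hold preserves the mailbox content.
    Set-Mailbox -Identity $u.Mailbox -LitigationHoldEnabled $true

    # Step 2: auto-reply for both internal and external senders.
    $reply = "This address is no longer in use. Please send mail to $($u.NewAddress)."
    Set-MailboxAutoReplyConfiguration -Identity $u.Mailbox -AutoReplyState Enabled `
        -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All
}

# Step 3: mail-enabled security group that the Conditional Access policy will include.
if (-not (Get-DistributionGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $groupName -Type Security `
        -PrimarySmtpAddress $groupSmtp -Members $departing.Mailbox | Out-Null
}
else {
    # Group already exists: add only the users who are missing.
    $current = @(Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
        ForEach-Object { [string]$_.PrimarySmtpAddress })
    foreach ($u in $departing) {
        if ($current -notcontains $u.Mailbox) {
            Add-DistributionGroupMember -Identity $groupName -Member $u.Mailbox
        }
    }
}

# Readiness report: a user who is missing from the group keeps full mailbox
# access once the policy is live, so check membership together with hold and reply.
function Get-CutoverReadiness {
    param([object[]]$Users, [string]$Group)

    $members = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited `
            -ErrorAction SilentlyContinue |
        ForEach-Object { [string]$_.PrimarySmtpAddress })

    foreach ($u in $Users) {
        $mbx = Get-Mailbox -Identity $u.Mailbox
        $oof = Get-MailboxAutoReplyConfiguration -Identity $u.Mailbox
        [pscustomobject]@{
            Mailbox        = $u.Mailbox
            LitigationHold = [bool]$mbx.LitigationHoldEnabled
            AutoReply      = [string]$oof.AutoReplyState
            InBlockGroup   = $members -contains $u.Mailbox
        }
    }
}

$report   = Get-CutoverReadiness -Users $departing -Group $groupName
$notReady = $report | Where-Object {
    -not $_.LitigationHold -or $_.AutoReply -ne 'Enabled' -or -not $_.InBlockGroup
}
$report | Format-Table -AutoSize
if ($notReady) {
    Write-Warning "Not ready for the block policy: $($notReady.Mailbox -join ', ')"
}
```

If the group was only just created, run `Get-CutoverReadiness` again after a few minutes before relying on the membership column.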

This was so much simpler than the other convoluted process we were pursuing to try and auto-forward messages between mailboxes, etc. Azure Conditional Policies were the absolute key to making this happen and I was very fortunate that my client was already properly licensed.

More info on Enterprise Mobility Suite Licensing can be found here:
https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing

Creating Restricted Booking Conference Rooms in Exchange Online — December 26, 2017

I have recently been working with a client to migrate rooms & resources from Lotus Notes to Exchange Online and the topic of “restricted conference rooms” has come up quite a bit. Basically these are conference rooms that a select group of individuals have the ability to reserve – examples being an Executive Conference Room, or a conference room that a particular department owns. The main challenge with Exchange Online vs Lotus Notes is that all resources & equipment show up in the Global Address List.

Through the GUI in Exchange Online you can set up “Delegated Booking”, which is essentially a workflow for reservation requests that will be routed to users you specify as part of the delegated booking process. However, you will find that in large organizations there are some executive admins that would prefer to not receive those reservation requests and would rather the room just be locked down for only them to reserve.

There’s no easy way to do this through the user interface; however, there is some clever PowerShell to accomplish this. The experience will be that the users you designate as having booking ability will receive an accept/decline based on the room availability. Anyone else submitting a reservation request will receive an automated decline message from the room.

Let’s take an example: Conference Room: CTBerlinMainWestCRW001@matfessconsulting.com 

You’ll connect to Exchange Online from your PowerShell window and run a command called Set-CalendarProcessing against that room mailbox.

There are 3 parameters you’ll want to include:
AutomateProcessing – basically this is saying to have the room either accept/decline the reservation if it meets other requirements. If you don’t set this to AutoAccept, the room won’t do anything when you send it a reservation request
AllBookInPolicy – this is either enabling/disabling all users to submit reservation requests to this room. For the purposes of a restricted conference room we will set this to false.
BookInPolicy – this is where you would submit a list of comma separated users that have the ability to reserve this room. This can also be a Distribution List or Mail-Enabled Security Group (recommended)

When you tie it all together, here’s the full command to make a conference room restricted:

Set-CalendarProcessing -Identity "CTBerlinMainWestCRW001" -AutomateProcessing AutoAccept -AllBookInPolicy $false -BookInPolicy "jared@matfessconsulting.com"

So there you have it – a restricted conference room! A small recommendation to improve the user experience would be to update the display name to include (RESTRICTED) so that other users know it’s restricted. Alternatively, you can always set a MailTip which would be displayed similarly to an Out of Office message prior to the user submitting the reservation request. This appears in both OWA as well as the Outlook client.

Example:

[Screenshot: MailTip.JPG]

See TechNet article for additional Set-CalendarProcessing parameters:
https://technet.microsoft.com/en-us/library/dd335046(v=exchg.160).aspx
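
The command above, the group recommendation, and the display name and MailTip suggestions can be applied together and then audited across all rooms. This is an added example, not code from the original post, and it goes beyond the single command by also closing the request-based booking paths and checking other rooms for drift; it assumes a connected Exchange Online PowerShell session and an existing mail-enabled security group, whose address and the MailTip text are hypothetical.

```powershell
# Added example, not from the original post. Run in a connected Exchange Online
# PowerShell session. $bookers and the MailTip text are hypothetical placeholders.
$room    = 'CTBerlinMainWestCRW001'                    # room mailbox from the post
$bookers = 'cr-berlin-bookers@matfessconsulting.com'   # hypothetical group, assumed to exist

# Only members of $bookers are auto-accepted; nobody else may book or
# submit a request for approval.
$lockdown = @{
    Identity              = $room
    AutomateProcessing    = 'AutoAccept'
    AllBookInPolicy       = $false
    AllRequestInPolicy    = $false
    AllRequestOutOfPolicy = $false
    BookInPolicy          = $bookers
}
Set-CalendarProcessing @lockdown

# Tell users up front: tag the display name and set a MailTip.
$mbx = Get-Mailbox -Identity $room
if ($mbx.DisplayName -notlike '*(RESTRICTED)*') {
    Set-Mailbox -Identity $room -DisplayName "$($mbx.DisplayName) (RESTRICTED)"
}
Set-Mailbox -Identity $room -MailTip 'Restricted room: requests from non-authorized users are declined automatically.'

# Audit: list every room tagged (RESTRICTED) whose calendar processing
# no longer matches the locked-down settings.
function Get-RestrictedRoomDrift {
    Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited |
        Where-Object { $_.DisplayName -like '*(RESTRICTED)*' } |
        ForEach-Object {
            $cp = Get-CalendarProcessing -Identity ([string]$_.PrimarySmtpAddress)
            $open = $cp.AllBookInPolicy -or $cp.AllRequestInPolicy -or $cp.AllRequestOutOfPolicy
            if ($open -or $cp.AutomateProcessing -ne 'AutoAccept' -or -not $cp.BookInPolicy) {
                [pscustomobject]@{
                    Room                  = $_.DisplayName
                    AutomateProcessing    = [string]$cp.AutomateProcessing
                    AllBookInPolicy       = $cp.AllBookInPolicy
                    AllRequestInPolicy    = $cp.AllRequestInPolicy
                    AllRequestOutOfPolicy = $cp.AllRequestOutOfPolicy
                    BookInPolicyCount     = @($cp.BookInPolicy).Count
                }
            }
        }
}

Get-RestrictedRoomDrift | Format-Table -AutoSize
```

Setting `-BookInPolicy` replaces the existing list, so booking rights are then managed through group membership alone.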

Improving your Work/Life Balance with MyAnalytics — September 26, 2017
Accelerating your O365 Adoption with SharePoint Communications Sites & Chatbots! — July 23, 2017

My two big passions right now are SharePoint Communications Sites & the Microsoft Bot Framework. So it made a whole lot of sense for me to try and find a way to combine those two. I recorded a quick video (see below) walking through the idea of embedding a QnA Bot within your Office 365 Adoption site to help drive the frequently asked questions your users might have. In the good ol’ days of IT we would normally just create an FAQs page that nobody would bother reading. These days though, with the rise of chatbots in our personal lives such as Siri, Alexa, etc., I believe it is vital for IT to consider offering this technology within Enterprise services.

There are a lot of other videos & posts that talk about how to build a simple chatbot using the Microsoft QnA Maker service along with the Bot Framework, so I didn’t go into much detail with that. So instead I give a quick video preview of what my sample O365 Adoption site looks like, and then demonstrate asking my adoption chatbot a question about Microsoft Teams.

Hope it’s worth your time to give a watch:

In case you want to try out my chatbot – you can access it here:

Enjoy!

SharePoint Communications Sites for your Office 365 Adoption Site — July 16, 2017

For those of you who have been following my blog you will have noticed that the new SharePoint Communications Sites have been my new fixation. It seems that the rest of the SharePoint Community has certainly taken notice as well, with webinars popping up comparing Communications Sites to Intranet in a Box solutions and some nice deep dive articles around the different webparts that come with these new sites.

I have been working on a new talk that helps navigate the challenge of when to use each of the O365 Services and in doing so I started to brainstorm what the “low hanging fruit” opportunity would be for the new SharePoint Communications Sites. Before I could take my first sip of coffee I had it – why not your Office 365 Adoption Portal! How simple right?

Excitedly I started pulling together what a nice Adoption Portal might look like.

First off – huge shout out to the WOCinTech site for providing access to beautiful stock photography.

Here’s what my portal started to look like:

[Screenshot: O365-Adoption-Site.jpg]

Notice that not every tile needs to have an image – kudos to Susan Hanley for her great article on getting started with Communications Site.

You’ll notice a few things ->

  1. I added a “Group Spotlight” story as the main tile in the Hero Webpart. Whenever I have been involved in building out an Adoption type portal I love to try and feature real stories of people making use of the technology. Nothing helps to build up confidence more than hearing how your co-workers are streamlining process, eliminating waste, and ultimately being more productive.

  2. Next to that tile, I went with a very simple “Request a collaboration solution.” I know the folks at Microsoft might shudder a bit, but a lot of enterprises still make users go through a request process to match them up with the right solution for their business need. So I had envisioned this either being a request form, or maybe an infographic if your organization allows you to provision sites/groups/teams/etc.

  3. Rounding out the top row is a “Collaboration Champions Network” which could of course link you anywhere, but I thought of a page which would have both an embedded Yammer feed for an “Adoption Group” in addition to highlighting some of the “Collaboration Champions” you might be able to reach out to with a specific question. I definitely understand some companies might not want to name people, but it’s a great way in the beginning to start onboarding people to Office 365.
     [Screenshot: Collaboration Champions]

  4. The last tile I marked as self-service training & resources. Again lots of options here, but if an organization is mature enough this could go to an O365 Stream Group where you can let users choose from pre-recorded videos. Alternatively, if you have created lots of handouts, PPTs, etc. you could always have them navigate to a page with a listview webpart of a document library and then links to any additional resources.

  5. Below the fold I added the News Webpart featuring a few stories of how different Office 365 services are being consumed by colleagues. Always look for those engaging photos that will get people excited about reading your article!
     [Screenshot: Adoption News]
     Example article: [Screenshot: Article.jpg]

  6. Rounding out the site, I included some events in, you guessed it, the Events webpart! Again, when Office 365 starts to roll out it’s a great practice to have your Training Group host “Brown Bag” events where employees can attend remotely. Even better, you can record those videos and host them in the new O365 Stream Groups in an Adoption Channel!
     [Screenshot: Events-Webpart]

When pulling together this demo site I noticed just how easy it was to build a really nice looking site. The beautiful part of SharePoint Communications Sites is by simplifying the development/configuration experience you are able to focus more of your time on building the relevant content that you wish to communicate to your users vs worrying about going through lots of effort to design & develop the styling to make your site look different than the out of the box clunkiness of SharePoint Team & Publishing Sites.

Happy SharePointing!

Opting out of Microsoft Office 365 changes aka off by default — March 21, 2017

I love Office 365. I want to put that right out there, because I mean it. The innovation that Microsoft keeps on pumping into the service continues to raise the bar for enabling collaboration. At my last company we were years away from moving to Office 365 and now that I’m at Slalom, we’re all in! It’s fantastic!

However, I do not like how new features & functions are being introduced to organizations – and by that I mean “on by default”. Case in point, there’s been a bit of noise on Twitter for the past two days about a change rolling in that will automatically provision an O365 Group for a manager and their direct reports: https://support.office.com/en-us/article/Automatic-creation-of-Direct-Reports-groups-in-Outlook-f43455ed-81a6-4588-8299-08caa62abedd?ui=en-US&rs=en-US&ad=US

Example of Twitter madness: (I blame Joanne Klein! LOL!)

On the surface that might sound like a decent idea for some organizations – take my own team for instance. When my role changed and I became a supervisor I created a private Office 365 group for my team to collaborate. However, it was a conscious decision to meet a need that I had to collaborate with my team. I’m the only supervisor in our office that has their own Office 365 Group as the others aren’t quite ready to move there yet. I am picking on groups but there have been a lot of new features that are automatically added to tenants. I will concede that there certainly is the ability with a PowerShell command to disable that feature, but is that really the best user experience?

I’m a firm believer that the real value of Office 365 is realized with planning, communications, a bit of hand holding, and then some more communications. The “on by default” certainly presents opportunities where one could get “slipped by the goalie” and then there’s the apologizing as you have to back out that change and communicate to your customers that it’s just Microsoft being Microsoft and rolling stuff out. It’s not a good user experience, it’s uncomfortable to roll back changes that organizations are not prepared to support, and it leaves a bad impression of how Microsoft is managing the service. The reality too is what’s a good idea and right timing for an organization might not be applicable to another.

I think the counter-argument to rolling in new features as off by default is that there are some corporations that will “never” turn on the new stuff. The reality is, those could very well be the same organizations that immediately turn off the new functionality already. I would also say that shame on the admin that doesn’t enable Teams in their tenant, or whatever new service gets developed over the next 6 months.

My compromise would be this – why not set your preference at the tenant level?

I did a nice little mock-up to help show where that setting might go.

[Mock-up: features]

Again, I’m not knocking this particular change but I do believe it’s not a one size fits all.

I think enabling administrators to set their environment in a way that best meets the needs of their organization is the best approach for introducing new change. Happy collaborating!

UPDATE:

I submitted a user voice based on this blog post to help get the right attention:

https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/18730039-allow-tenant-admins-to-control-new-features-being

Is Microsoft Flow the replacement for SharePoint Workflows? — February 12, 2017

I recently had the privilege to co-present a session on Microsoft Flow & PowerApps at the Microsoft Beyond US Roadshow in Hartford. I am a huge fan of Microsoft Flow and have done several sessions on showing how you can orchestrate data across Dropbox, OneDrive, SharePoint & Salesforce with clicks & not code. One of the attendees in my session asked a very common question that I thought would make a good short blog post: “Is Flow the replacement for SharePoint Workflows?”.

Over the past few years I have built dozens of business applications leveraging the SharePoint platform to route requests through approval processes, provide metrics for turnaround time on requests, and automate non-value added steps. These solutions undoubtedly would leverage the SharePoint workflow engine for sending e-mails, assigning tasks, etc. Since Microsoft introduced the Workflow Manager in SharePoint 2013, there have not been any additional enhancements to their workflow engine. Compounded with the fact that SharePoint 2016 did not include an updated version of SharePoint 2016 it would make sense to assume that Flow is the replacement for SharePoint Workflows.

However, I would argue that Microsoft Flow is really positioned as the next generation of business process management applications vs an outright replacement to SharePoint Workflows. From a feature parity perspective not all of the SharePoint Workflow actions are available in Flow (yet they seem to be added all the time). At the time of this blog there aren’t the basic string manipulation actions, or copy items (also not available in 2013 but are in 2010), content approval/publishing, check-in/check-out, and wait for field changes in list items. There is also the caveat that in order to access on-premises data you would need to set up a Gateway in order to make it accessible to Microsoft’s cloud.

Microsoft Flow provides much more capability than SharePoint does, which might initially frighten some Enterprise customers. While there is a lot of value in being able to orchestrate data across both line of business & public clouds, there definitely needs to be some up front planning to ensure that you do not jeopardize the integrity of your company’s data. For example it is absolutely possible to develop a Flow to copy files from your OneDrive for Business to your personal Dropbox.

Finally, from a licensing perspective Microsoft Flow is a pay by the drink kind of service (technically pay by the Flow run). There’s a bit of math but essentially you are allocated an allotment of Flow runs per user in your Office 365 tenant based on your plan. Be sure to check out Microsoft’s Flow Pricing page for up to the minute guidance. Whereas with SharePoint Workflows it’s essentially as many workflow runs as what your infrastructure can support.

So getting back to the original question – is Microsoft Flow the direct replacement for SharePoint Workflows? In my opinion – No. Microsoft Flow is the evolution of business process management allowing you to build elegant solutions which have the ability to orchestrate data across various line of business applications leveraging “clicks” and not code. Combined with PowerApps as your mobile/responsive front-end the barrier to creating enterprise applications has absolutely been lowered to where you no longer need a team of developers to create basic applications.

Hope this helps & happy Flow-ing.

Microsoft Flow & Salesforce.com Integration — August 4, 2016

This afternoon I had a quick call with a fellow community leader Adam Levitan who works for Metalogix. We were recording a podcast which will hopefully air later this fall during the Collab365 Conference. We got onto the topic of the future of collaboration and I said that Microsoft is absolutely hitting a home run with their Flow service. For those of you who aren’t familiar with it, Microsoft Flow is a workflow automation solution which allows you to tie systems together through activities. While SharePoint does an amazing job of allowing users to automate business processes, Flow takes it a giant step forward.

One of the use cases that I’m very interested in is the ability to integrate the Office 365 Platform with Salesforce.com. Although I’m a big supporter of Microsoft technologies, many of my clients have decided to go with Salesforce.com instead of Dynamics or the new Dynamics 365 for their CRM platforms. One of the challenges with Salesforce is that the recurring subscription costs are expensive when you start trying to license all the users that may play some role within the sales cycle. The purpose of this post definitely isn’t to cover all the features of Salesforce or the many different clouds they have (Sales, Service, Health, etc.) but rather to focus on the future where you can tie cloud services together and build some really powerful solutions.

To illustrate what I mean, I’m going to walk through building a very simple “Flow” which mirrors a business scenario I’ve personally encountered. So I work for Slalom Consulting and we sponsor many community events like SharePoint & SQL Saturdays, various tech conferences, etc. Typically these sponsorships include a booth where we send a recruiter, sometimes a sales executive, but most of the time just members of that particular Practice / Vertical, etc. During these conferences there often times are potential leads generated based on discussions that happen at the booths, and usually our folks capture a business card or just take down the person’s information. At the end of the event the team goes back to the office the next week and either sends the spreadsheet, or transposes that information from Excel into the CRM system for the sales team to go work. You might be saying to yourself “there has to be a better way” – and indeed there is!

What if you could generate those Leads from an Excel table and have it imported directly into CRM? Wouldn’t that be cool? Well guess what, that’s exactly what we are going to do.

First, let’s login to our Office 365 tenant which has Microsoft Flow enabled (as of this blog post it is still considered to be a Preview service). And we’re going to search up at the top for available templates to create our Flow from:

Let’s pick the Create Salesforce Leads from a Excel table template:

From here a new page will be displayed giving an overview of the template we selected:

Click the big “Use this template” button to bring up the connection configuration screen. We’re going to need to create connections for both the Excel file which will have the table of sales leads, and the connection to our Salesforce.com instance.

First click on the “Create” button for the connection to the Excel file, which will bring up a list of choices for where the Excel file can sit. Notice there are also non-Microsoft services such as Dropbox, Box, and even SFTP! For the purposes of this walk-through we are going to pick OneDrive for Business, but feel free to select the data source that best meets your requirements.

It will prompt you for credentials for your OneDrive For Business account after clicking the Sign In button:

So in truthful blogging, I’m going to tell you that it threw an error:

[Screenshot: AzureResourceManagerErrors]

I waited a bit, cleared out some of my old connections under my profile and then tried again and this time it made the connection.

Next, I created my connection to my Developer Salesforce instance: I logged into Salesforce.com:

Next, I allowed PowerApps access to my Salesforce tenant:

Of course I clicked Allow and then continue on the main page to bring up the workflow canvas:

So working from the top, the very first thing you can do is set up recurrence for how often the flow will run. As of this time, this is still just a Preview service and there hasn’t been any real discussion on licensing or pricing. Like any service there are most certainly going to be service levels – i.e., being able to guarantee computing power to run the job, amount of data perhaps to be processed, and likely some other elements that I haven’t even dreamed up yet – but you can rest assured that there’s a team at Microsoft figuring out how to price this service.

For demo purposes, I am just going to have it recur every 15 minutes. So clicking the little ellipses in the corner of the recurrence box brings up the advanced options where I can set that information:

Before proceeding to the next step I’m going to create a sample Excel file with the following column headers:

First Name
Last Name
Company
Phone
Email

Click OK and the following Table will be generated:

Last, I’m going to save my file as SPSLeads.xlsx and drop it on my OneDrive for Business. Back to the flow I go to the Get rows section of my flow and click the folder expand button on the right, and find my SPSLeads.xlsx file:

Next, I select the table which I left as the Excel default of Table1:

Next we dig into the Create Object section of the flow, which is really the “Create Lead” functionality in Salesforce. This is where you can map the different columns to the fields in a Salesforce Lead Object. I went with the bare minimum of what is required to generate the lead, but there are other fields such as Street and Zipcode that can also be captured and added to the record.

Some of the fields can also be defaulted which is what I am going to do for the Lead Source since these leads are being captured at my fictional SharePoint Saturday Connecticut event:

Last, I’m going to have it Delete the row after creating the lead in Salesforce, essentially following the same path of picking the Excel file on my OneDrive and Table1 as my table name:

Finally I’m going to give this Flow a name and then click the Create Flow button and let Microsoft Flow work its magic!

I’ll click the Done button and then see that I’m all set:

When I go to the My Flows, I’ll now see that there’s the Flow I just created:

Next, I’ll click on the little information icon to see that my flow is actually running:

In reality though – it takes a bit for my Flow to run. I suspect it’s because I both didn’t set a start time and that I also put a recurrence of every 15 minutes. This is definitely still a Preview service so there will probably be a bit more polishing up of the user interface before it goes live.

Then I looked at my Flow to find out that it had errors:

[Screenshot: Flow-Error2]

Then when I went to edit the Flow I found myself in the spinning page of doom:

So then I decided to back it all out and pop my file up on my Dropbox. I created the service exactly the same way and it picked up the file no problems at all!

After allowing the Flow to run, I logged into Salesforce.com and noticed that the following leads were generated:

I then popped open Spoopy Matfess (my amazing dog) and lo and behold all the lead data came over:

Then I logged into my Dropbox account and opened my file and noticed that it had been touched by PowerApps:

I’m a little curious as to why it would leave that last record with the _PowerAppsId_ at the end, but maybe that is just part of the beta. I would expect that it would leave the table cleared out and then allow for users to continue adding new leads as they come in throughout the day.

So the big question is why did my original attempts using OneDrive for Business fail? I could be wrong but there might be something with my profile since I’ve got multiple profiles, multiple O365 accounts, etc. Now, I did create the connection to OneDrive and authenticated successfully to Azure AD and it was also able to find the Excel workbook and the table. However, when it came time for the job to actually run, it threw some connectivity errors. I also could have possibly hit some ironically timed Azure issue.

Regardless though, flipping over to Dropbox and seeing it run successfully should hopefully give you some ideas as to what’s possible with Microsoft Flow. You can have users working in systems that they are familiar with such as OneDrive, SharePoint, etc. – and then have the output of their work feed into downstream systems.