Practical 365

A new notification appeared in my Message Center email digest to let me know that Microsoft is rolling out a change to the behavior of Office 365 Groups.

We have recently fixed the email sending behavior to a group, where senders had complained about receiving the emails they send to a group, back in their personal inbox. With this fix, senders will no longer receive the emails they send to a group in their personal inbox.

The primary complaints we heard were about reading the same message users sent to a group multiple times – in their sent messages and their inbox. This fix makes it convenient for those users who have a habit of adding themselves to CC to keep track of their sent messages in inbox.

We are rolling out this fix now, and it will be completed by the end of February.

A few days ago, a Reddit user posted the following:

I have had an influx of people complaining that when they send a message to a 365 group, they no longer get a copy of their own message. Does anyone know what is causing this and how to make it go back to it’s original behavior?

Office 365 Groups provide the option for users to subscribe to receive a copy of emails that are sent to the group. The option is available in Outlook and OWA.

Before this change was rolled out, if you emailed a Group that you were also subscribed to, you received a copy of your own email message just like everyone else who is subscribed to the group. As Microsoft points out, this is inconvenient for people who are in the habit of CCing themselves on their own emails, a habit which I find strange given that your email will be easily found in your Sent Items, and any replies will still reach you whether you CC yourself or not.

Apparently the complaints (none of which I could find on Uservoice) were loud enough to prompt Microsoft to roll out a change for all customers. The fresh complaints about the changed behavior only go to show how difficult it is to please everyone when you are delivering a cloud service to millions of customers. The obvious middle ground would have been to modify the subscription options to allow users to choose whether they wanted to receive copies of their own messages or not. Perhaps the engineering to make that possible was too challenging or risky.

In any case, if you’re curious why your users are seeing different behavior, now you know the reason.

The post Microsoft is Changing the Groups Behavior to Stop Senders Receiving a Copy of Their Own Message appeared first on Practical 365.

Getting Started with Azure AD Group-Based License Management

Microsoft has made group-based license management available through the Azure portal. Choose Azure Active Directory from the list of services in the portal, and then select Licenses.

The groups that you can assign licenses to can be created in Azure AD, or synchronized from on-premises Active Directory. The license assignments can be static (i.e. to the members of a group) or dynamic (e.g. based on user attributes such as ExtensionAttribute1). For this demonstration I’m using groups synchronized from on-premises Active Directory with static membership.

The groups I have created will allow me to demonstrate basic license assignment, as well as a more granular approach, and how license assignment is cumulative for users who are members of multiple groups. I’ve created groups named:

Licensing_Office365_E3_Base
Licensing_Office365_E3_Teams
Licensing_Office365_EMS_E3

My goals are:

To assign Office 365 E3 licenses with what my organization considers “base” functionality, which is all E3 features except for Yammer, Sway, StaffHub, and Teams
To assign Teams access only to specific users in the organization, due to Teams currently being in Preview
To assign EMS (Enterprise Mobility + Security) E3 licenses to specific users only

My tenant currently has licenses assigned to users, so I will need to transition users from direct license assignment to groups-based licensing without disrupting their existing services (e.g. Exchange Online mailboxes).

Assigning Licenses to Groups

After navigating to the Licenses section of Azure Active Directory in the Azure portal, you can view the list of products that your organization currently has licenses for.

Select a product license and click on the Assign button. From the Users and Groups selection, choose the group that you want to assign licenses to, and then click on Select. You can select multiple groups at this stage, for example if you were using department-based groups to assign product licenses to users. I am using product-based groups instead. Either approach will work, it really just depends on how your organization views license management.

In the Assignment options you can select the sub-features for the license that you’ve chosen to assign to the group. I’ve turned off StaffHub, Teams, Sway, and Yammer for this demonstration.

Click OK when you’re happy with your selections, and then click Assign to create the license assignment. If there’s any errors at this stage you’ll receive a notification in your Azure portal. On my first run through this feature I was getting a notification that “Licenses could not be assigned or removed due to an error”, which I was unable to work out a solution for.

It appears that the problem was that I was using a Microsoft Account associated with my Azure subscription, and even though the account has access to the Office 365 tenant’s Azure AD (and is a Global Admin) it is not able to be used for administering groups-based license management. Logging on to the Azure portal with the Office 365 tenant admin account allowed me to continue without errors. A strange issue that might impact partner or delegated permissions scenarios, but nonetheless I was able to proceed with the correct account.

After completing the steps above I went back through the same steps to create a license assignment for Teams only, and another for EMS E3. For Teams, I created a license assignment that only enables Teams, which will allow me to fully demonstrate the cumulative nature of groups-based license management.

Transitioning from Direct to Groups-Based License Management

A few minutes after setting up my group license assignments the Azure portal showed my users’ license status as below. Notice how most of the users have both direct and inherited assignment paths. The names of the groups that licenses are being inherited from, such as Licensing_Office365_E3_Base, are also displayed. Notice also that most users have the fully 13/13 services included in an E3 license showing as enabled.

To transition from direct to groups-based licensing, all we need to do is remove the direct license assignment. This is as simple as selecting one or multiple users who are assigned a specific type of license, and then clicking the Remove button. In the example below, the list of E3 license holders is shown, and I’m removing the direct assignment from the users who also have an inherited assignment via a Group.

After clicking Remove you’ll get one final prompt before the change is made.

This transition is best performed in stages so that you can be confident that you’re not disrupting your users’ access to services. If you’re transitioning a full E3 direct license to a full E3 group-based assignment, then the risk is fairly small. However in cases where you’re adjusting the number of services that the user has access to, you should be more cautious.

Cumulative License Assignments

As I mentioned already, I am using multiple groups to assign licenses. Most of the users in my organization will have a subset of the E3 license features, and a select few will also get access to Teams. After removing the direct license assignments, the groups-base licensing is in full effect. You can see below that:

Users who are only members of the Licensing_O365_E3_Base group get 9/13 services, for example Alannah Shaw
Users who are members of both Licensing_O365_E3_Base and Licensing_O365_E3_Teams get 10/13 services, for example Dave Bedrat
Users who are only members of the Licensing_O365_E3_Teams group get 1/13 services, for example David Abbott

This is the level of control that customers have been asking for, so it’s great to see Microsoft delivering on it.

The license assignments are also visible in the Office 365 admin portal, and reflect the same sub-feature license assignment that you can see in Azure. For example, Alannah Shaw has access to most E3 features except for Teams, Sway, StaffHub, and Yammer.

FAQs, Limitations and Caveats

Group-based license management is currently in Preview, and as I’m writing this article the following limitations and caveats apply:

The features, behaviors, or availability of group-based license management may change between now and when it becomes generally available.
If a user is assigned a license directly as well as via group membership, they only consume a single license.
An Azure subscription (trial or paid) is currently required to use group-based license management.
Although new and modified license assignments take effect within minutes (e.g. enabling Sway in an existing license assignment), there are situations where a license will not assign automatically, for example if you have more members of a group than available licenses, or when license assignments conflict. Notifications in the portal will advise you of how to remediate the issues, and there’s a Reprocess button available as well to reapply assignments after fixing issues.
Membership changes to groups synchronized from on-premises Active Directory will not take effect until after the next sync cycle.
Users can have a mix of direct and group-based licenses assigned, for example an E3 license that is group-based, and an EMS license that is directly assigned. Group-based license assignments can only be managed via the Azure portal, and will cause an error if you attempt to modify them via the Office 365 admin portal (at least for now).
When new sub-features (or sub-SKU features) are released, Microsoft may enable them automatically by default, requiring you to revisit your group-based license assignments to disable new features from time to time. This should encourage you to keep your group-based license assignments as simple as possible.
Nested groups are not currently supported.
Removing a user from a license group will result in services being set to a “suspended” stage instead of disabled. Microsoft is using this approach to avoid data loss issues due to accidental removal of group members. You can expect in future that suspended services will eventually age out to a disabled state and data will eventually purge as it does today for de-licensed users.

The post Simplifying Office 365 License Control with Azure AD Group-Based License Management appeared first on Practical 365.

Comments

You should ask F5, I'm sure they'll have documentation to guide ... by Paul Cunningham
Hi, We want to set up F5 Load balancer for the office 365 ... by SANKARASUBRAMAN PARAMESWARAN

Comments

Thats awesome – thanks for collating the info. by Matt Seeds
Very Neat. Thanks for putting this together Paul. by vinod

In January of this year Microsoft added two new features to Advanced Threat Protection for Exchange Online. One of the new features, called Dynamic Delivery, provides an additional option that administrators can configure for the delivery of emails while ATP scanning of attachments is occurring.

To set the scene for those who might be unfamiliar with ATP, when ATP’s Safe Attachments feature scans email attachments for signs of malicious behavior, it causes a short delay before the email is delivered to the destination mailbox. This is not simple signature-based scanning, this is a behavioral analysis that opens the email attachment in a sandbox environment, so naturally it will take some time. I’ve seen delays of 1-2 minutes, all the way up to 10-12 minutes. But that’s only noticeable when I’m actually expecting an email with an attachment, such as when I’m in a discussion with someone and they send me a document to look at while we are talking.

Of course, that delay is not always acceptable for some customers. Perhaps the file attachment is less important than the contents of the email itself, and they’d prefer to receive the email promptly and wait for the attachment. That’s where Dynamic Delivery comes in. With Dynamic Delivery enabled, the recipient of the email receives the message in their inbox, but with the original attachments replaced by a message explaining that ATP is still scanning the files.

When the ATP scan has completed, assuming the file is safe, the message is replaced in the mailbox with the real attachments.

You can see a more detailed look at the Dynamic Delivery behavior in Tony Redmond’s article on Petri. What I want to cover here is something that a customer raised to me as a concern when they were considering turning on Dynamic Delivery.

This customer uses journaling as part of their overall compliance and archiving strategy. As you’re probably already aware, Exchange Online mailboxes can’t be used as journaling targets. The reasons are fairly obvious to anyone who has ever managed a journal mailbox. They grow very big, very fast. The economics and support implications just make it unreasonable to expect Microsoft to deal with thousands of exploding journal mailboxes for customers. At least not for the price we’re currently paying for Exchange Online.

So this means that the customer needs to use an externally hosted email address as the journaling target, provided by a third party cloud-based journaling service, or hosted on their own on-premises server. Since the journal mailbox is not hosted in Exchange Online, Dynamic Delivery can’t make changes to a delivered message (i.e. to redeliver or re-inject the attachment) the same way it can for an EXO mailbox. Meanwhile, the expectation of the customer is that their journaled copy of emails will match what was delivered to the recipient. The concern from the customer is that the journaled item will be a copy of the message at one point in time, but the message is then modified by Dynamic Delivery.

I did a little testing to see what would happen with Dynamic Delivery and external journal targets, and here’s what I found.

First, when ATP is not enabled for Dynamic Delivery, the external journal target sees the same delay for delivery of a message as the recipient themselves. In other words, ATP delivers to the recipient and to the journal address after completing its behavioral analysis (that 2-12 minute delay I mentioned earlier).

When Dynamic Delivery is enabled, the behavior changes. Both the recipient and the journal target receive the email almost immediately. The recipient’s copy is missing the attachments while ATP continues its analysis, but the journal target receives the attachments intact. Several minutes later, when the ATP scan is complete and Dynamic Delivery updates the message in the Exchange Online mailbox, no changes are sent to the journal target. In other words, the journal target receives only one copy of the email message, with attachments included, regardless of the ATP scan results or subsequent Dynamic Delivery behavior (which could include removing the email messages from the recipient’s mailbox).

A look at a message trace in Exchange Online shows the sequence of events.

As you can see above, the journal events occur before the dynamic email delivery event. So the email I sent during my test was journaled, and then delivered to the recipient without the attachments, and then only after ATP completed its scans did Dynamic Delivery update the delivered message several minutes later.

For your own assessment of the suitability of Dynamic Delivery, you should consider the behavior above and whether it impacts your compliance and archiving strategy. I would assume that for most organizations it will not be an issue, since Exchange Online still journals the complete message to the external journaling service. Any subsequent actions taken by ATP can be found in the message trace results for up to 90 days. If there’s concerns about cases older than 90 days not being available in message tracing, you may need to review your use of preservation policies, litigation hold or in-place hold and how you utilize Office 365’s eDiscovery tools for such matters.

The post Exchange Online Advanced Threat Protection Dynamic Delivery Behavior with Journaling appeared first on Practical 365.

Reviewing Home Drive Data

OneDrive for Business has some limitations for synchronizing files, which includes things like:

Invalid characters in file names (e.g. #, %, ?)
Specific strings of characters in file names (e.g. COM1)
Specific strings in folder names
Maximum of 30 million documents per library
10GB file size limit
Files names or paths with more than 256 characters

Those limitations may change over time, so you should always review the latest information on Microsoft’s support site. There’s a variety of other limits and user experience caveats to be aware of as well.

But for the file limitations, an analysis of the data your planning to migrate would be advisable. This could be as simple as a PowerShell script that recursively scans the file server to look for the issues above. If you qualify for FastTrack support from Microsoft, that service includes analysis and remediation as part of the process (and you can use them for the entire migration, so you don’t need to read this article at all if you don’t want to).

Reviewing OneDrive for Business Admin Settings

The OneDrive for Business Admin portal allows you to control a variety of settings for OneDrive users, such as whether they are able to share content external to the organization, sync with non-domain joined computers, how files can be used from mobile devices, DLP policies, and more. Before you proceed with your OneDrive migration, it’s worth reviewing the settings to make sure they align with your expectations and security policies.

For example, you might consider it necessary to disable sharing of SharePoint and OneDrive content with external users, or limit syncing of files to domain-joined computers only.

Configuring a Group Policy

OneDrive has a Group Policy template available from Microsoft. The OneDrive GPO can be used to set the default location for the OneDrive folder, among other useful settings. That particular setting, in combination with a standard folder redirection policy, is how I’ll be handling the migration in this environment.

The objective of the Group Policy is to:

Create an environment variable representing the OneDrive sync location, so that the variable can be used in the Group Policy folder redirection settings. I’ve used Microsoft’s guidance here. The variable in this example is set to “%userprofile%\OneDrive – Exchange Server Pro”.
Create a new folder in the %OneDriveSync% location. This can be achieved with a Group Policy preference.
Preventing users from choosing a different OneDrive location on the user’s computer. Note that this requires editing the Group Policy template (ADMX file) in the Central Store with your tenant ID. This ensures that the default path of “%userprofile\OneDrive – Tenant Name” is used. Although the GPO template can also be edited to specify a different sync folder, it doesn’t seem to work with variables at all. In my experience it’s easiest to just accept the default path and then restrict users from changing it.
Apply a new folder redirection policy that directs Documents and other folders to the %OneDriveSync% location instead of the home drive on the file server (the policy will move existing files as well).

For this environment I’ve placed the OneDrive GPO as a higher priority than the existing folder redirection GPO. I’ve also scoped the OneDrive GPO only to members of the “OneDrive for Business Users” security group, and denied the “Apply” permission for the previous folder redirection GPO for the “OneDrive for Business Users” group. Note that after removing Authenticated Users from the scope of the new policy, you then need to go to the Delegation tab and delegate the “Read” permission for the GPO, or you may find it does not process at all.

So in effect this all means I can roll out OneDrive to users by adding them to that security group. There is also some end user communication involved in the whole process. You’ll want to make sure your users are expecting the change so there’s no surprises or confusion.

Something to be aware of is that the folder redirection will overwrite any existing data in the destination location that has the same file name and path. If any of your users have already begun using OneDrive and storing files, you should manually deal with those to avoid conflicts. You can find active OneDrive users in the usage reports in the Office 365 admin portal.

Configuring the OneDrive for Business Sync Client

After the GPO has applied, when the user signs in to OneDrive, it will begin syncing that existing data in the local path to the cloud. For environments without any SCCM or other systems in place to initiate a program running in the context of the user, a workaround is to email the user a link to odopen://, which will trigger the OneDrive client to launch. Since you likely want to send them some login instructions and other general adoption advice for OneDrive, you can simply bundle all that up into a single email.

When the user opens OneDrive they’ll be able to walk through the setup process. You should ensure that the instructions you provide are clear about what they should do at each step of the initial configuration wizard.

Monitoring the Deployment

The initial synchronization of files to OneDrive may have a detrimental impact on your network performance. Monitor your network utilization so that you don’t roll out too many users simultaneously.

You can continue to use the OneDrive usage reports in the Office 365 admin portal to track the adoption of OneDrive by your users.

It’s also possible to quickly pull a report of OneDrive usage by using PowerShell.

PS C:\> Connect-SPOService -Url https://exchangeserverpro-admin.sharepoint.com
PS C:\> Connect-MsolService
PS C:\> $urlbase = "https://exchangeserverpro-my.sharepoint.com/personal/"
PS C:\> $users = Get-MsolUser -All | Where {$_.IsLicensed -eq $true}
PS C:\> $odusage = $users | Foreach-Object {Get-SPOSite ($($urlbase)+$($_.UserPrincipalName.Replace(".","_"))).Replace("@","_") | Select Owner,StorageUsageCurrent}
PS C:\> $odusage
Owner                                   StorageUsageCurrent
-----                                   -------------------
tom.jarvis@exchangeserverpro.net                          1
alannah.shaw@exchangeserverpro.net                        1
john.dorey@exchangeserverpro.net                          1
admin@exchangeserverpro.onmicrosoft.com                   1
jane.tulley@exchangeserverpro.net                       278
mike.ryan@exchangeserverpro.net                         130
dave.bedrat@exchangeserverpro.net                         1

Completing the Migration

Once you’re satisfied that user home drives have been migrated to OneDrive for Business, you can do a scan of your file server to confirm that the home drives for users are empty, and then start decommissioning those shares so that the storage can be reclaimed. For any users who have not logged on and completed their migration you can manually assist them, or back up their home drive files elsewhere, or even upload the files to their OneDrive in the cloud yourself so that they’re waiting for initial sync to the client.

The post Migrate Home Drives to OneDrive for Business appeared first on Practical 365.

Comments

One thing we have noticed preservation policy will occupy the ... by SANKARASUBRAMAN PARAMESWARAN

Microsoft Teams is now generally available for Office 365 customers, and for those of you who are planning to use it you may be looking for a way to deploy the Teams client to your user’s computers.

The Microsoft Teams desktop client installer is available from Microsoft here. It’s a .exe package, with basic command-line switches for silent install and uninstall. For example, to silently install Microsoft Teams, the following command line can be used:

C:\temp\> Teams_windows_x64.exe -s

To silently uninstall Teams, the following command line can be used:

C:\temp> %userprofile%\AppData\Local\Microsoft\Teams\Update.exe" --uninstall -s

The Teams installer runs in the context of the logged on user and installs to the %userprofile%\AppData\Local\Microsoft\Teams folder, so any deployment script needs to run in the context of the user. A logon script assigned by Group Policy meets that requirement.

Teams is a self-updating application. It will check for, and download, any available updates each time the user runs the program. That makes it simple to maintain (as long as you allow it to self-update), and means that deploying Teams is basically a task of running the installer once, and then not running it again. So with a little scripting logic you can check for the existence of the Teams application in the user’s AppData folder, and run or not run the installer depending on the results.

As a side note, when Teams is uninstalled it leaves the Update.exe file in place. So checking for Update.exe in your script logic will give misleading results. Instead, you can check for the existence of a folder named “.dead”, which is placed in the application folder when Teams is uninstalled. For my deployment script which I’m sharing here, I’ve checked for “.dead”, and if found, will run the Teams installer again.

Preparing to Deploy Microsoft Teams

Before you deploy the Teams client you should verify that Teams in your Office 365 tenant is configured the way you want it. Teams configuration is demonstrated in my Getting Started with Microsoft Teams article.

Although Teams is included with eligible Office 365 plans, it can be enabled and disabled on a per-user basis. If you have had Teams disabled during the preview phase, now is the time to turn it back on. For my demonstration environment I’m using Azure AD group-based license management, and have an Active Directory group that is configured to enable the Teams option for users’ licenses. Helpfully, that also means I have a security group already in place that I can target my Group Policy to.

Download the Microsoft Teams installer and place the file on a network share that can be accessed by your users when the logon script runs. For this demonstration, the installer will be running from the path \\mgmt\installs\MicrosoftTeams.

Using Group Policy to Deploy Microsoft Teams

Download the Install-MicrosoftTeams.ps1 PowerShell script from the TechNet Script Gallery.

Create a Group Policy that assigns a logon script to run the Install-MicrosoftTeams.ps1 PowerShell script, and provide the -SourcePath as a script parameter.

If you are filtering the GPO to a specific security group, remember to also add Authenticated Users to the Delegation tab of the Group Policy and grant them Read (but not Apply) permissions.

At next Group Policy refresh and logon the Teams client will silently install for the user, and place a Microsoft Teams icon on their desktop.

The post Deploying the Microsoft Teams Desktop Client appeared first on Practical 365.

Comments

I installed the March 2017 Windows Updates yesterday and it ... by Bob
CU15 is currently supported, therefore if it was vulnerable ... by Paul Cunningham
Thanks for the article. Still I have the following question ... by Benediktd Jameson

What Will Automatic Group Creation Do?

The roll out of automatic Group creation for Office 365 tenants will result in an auto-created Office 365 Group (that’s big G) for anyone who has between 2 and 20 direct reports.

An Office 365 Group includes a mailbox that acts in a similar manner to a shared mailbox and distribution group combined (members can subscribe to emails sent to the Group, and the mailbox preserves a history of all messages). The Group also has a shared file storage area hosted in SharePoint Online, shared OneNote notebook, and can act as the underlying membership service for Planner and Teams.

The Group will be named “Manager Name’s Direct Reports”, and have an email address of “Manager Alias-dr@yourdomain.com”. The direct reports will be added as members. The manager will be granted ownership of the Group so that they can perform ongoing management of the Group membership.

The benefit to the team is that they can begin to leverage the features of Office 365 Groups for collaboration. As a simple replacement for a traditional Exchange distribution group, the Office 365 Group has the benefit of keeping a history of all communications sent to the Group. However, Groups do not behave the same as Exchange distribution groups, because the sender does not receive a copy of their own message. For some people that is not the desired behavior.

The manager/reports relationships are based on the fields in Active Directory. If those relationships are not defined, no Groups will be created.

So in the above example, a Group named “Jane Tulley’s direct reports” with an email address of “jane.tulley-dr@exchangeserverpro.net” will be created. Jane Tulley will be the Group owner/manager, and the four direct reports will be added as members.

When the Group is created, the Group manager and their direct reports will be emailed automatically to let them know that the new Group is ready for them.

Will Groups be Automatically Created in Tenants That Have Disabled Groups?

No. If your Office 365 tenant has disabled the Groups feature entirely, then no Groups will be automatically created.

How Can We Prepare for Automatic Group Creation?

If you want the Groups to be automatically created, then you should review your manager/reports relationships in Active Directory to make sure they are populated and accurate before the April roll out of this feature.

If you do not want automatically created Groups, or you want to delay the feature from creating any Groups while you clean up your manager/reports relationships, then you can disable automatic Group creation by connecting to Exchange Online using PowerShell, and then running the following command.

PS C:\> Set-OrganizationConfig -DirectReportsGroupAutoCreationEnabled:$false

You can revert that setting to $true later when you’re ready for auto-creation of Groups.

We Already Use Groups for Each of Our Teams, Will New Groups Be Created?

Microsoft says that their algorithm will check whether an Office 365 Group containing the same manager and direct reports already exists. In the example above, if Jane Tulley already has a Group for her team, then a new Group will not be created.

However, if Jane Tulley already has a Group with her direct reports as members, but it also has additional members that fall outside of the manager/reports relationship, then a new Group will be created for “Jane Tulley’s Direct Reports”.

Note that the algorithm checks for Groups with matching membership, not Exchange distribution groups. Even if the team already has a distribution group, they’ll get a new Office 365 Group created as well.

Where this creates duplication, the unneeded Groups can be deleted.

How Can We Remove Automatically Created Groups?

Group owners can delete Groups that they do not want. Microsoft says that if an auto-created Group is deleted, another Group will not be created automatically for that manager in future.

If you want to remove all of the auto-created Groups from your Office 365 tenant, you can identify them all by a special property called “Groupsona:AutoDirectReports”. To find all of the automatically created Groups, connect to Exchange Online using Powershell, and then run the following command.

PS C:\> Get-UnifiedGroup -ResultSize Unlimited | Where-Object {$_.GroupPersonification -eq 'Groupsona:AutoDirectReports'}

Is the Group Membership Automatically Updated?

No. When the Group is created, the membership is populated once and then not automatically updated later when manager/reports relationships change. The Group owner/manager can add and remove Group members to keep the Group membership aligned with their manager/reports relationships, or to add other interested parties to the Group.

What Happens if a Manager or Group Member Changes Teams?

This is where things get a bit messy, so I’ll do my best to accurately communicate what has been shared by Microsoft so far.

If a Group member changes teams (e.g. no longer works for Jane Tulley, and reports to someone else instead), it is up to Jane and the new manager to adjust their Group memberships accordingly.

If a manager changes roles, the ownership of the Group will not be automatically updated. One of two approaches can be used from here:

If all of the Group content needs to stay with the new manager, Jane will need to manually grant the new manager of her previous direct reports ownership of the Group, and then the new manager can rename the Group accordingly. However, renaming the Group does not change other values such as the email address and Group URL, which will retain the old manager’s name. The Group ownership should be changed *before* the manager/reports relationships are updated to avoid the possibility of a new Group being auto-created for the new manager.
If all of the Group content needs to move with Jane, she will need to remove all of the existing Group members, and then manually add her new direct reports to the existing Group.

If a team is completely disbanded, as often happens, the Group should be decommissioned. There is no archive process for Groups at this time, but you can use Tony Redmond’s guidance here for removing obsolete Groups.

Any content migration between Groups will require manual effort. Some workloads such as Planner and Teams do not have a method to copy or move content though.

Where Can I Learn More?

Microsoft is updating documentation for this feature as more questions and scenarios are put to them by admins and customers.

Manage automatic creation of direct reports groups – Admin help (use the Yes/No feedback buttons at the bottom of the article to leave direct feedback)
Automatic creation of Direct Reports groups in Outlook (this is user-centric documentation you can use to help build your internal awareness and education)
Microsoft Tech Community discussion thread (join the discussion with fellow IT pros and the Microsoft product team responsible for the change)

The post Making Sense of Automatic Group Creation in Office 365 appeared first on Practical 365.

Changes to .NET Framework Support

Microsoft has previously announced that the support requirements for .NET Framework versions would be changing with the March 2017 releases. The current state of .NET Framework support is documented in the Exchange Supportability Matrix. Microsoft recommends that you install .NET Framework 4.6.2 on Exchange servers that are running the currently supported CU builds (Exchange 2016 CU4/5, and Exchange 2013 CU15/16).

If you’re running earlier Exchange server builds with older .NET Framework versions, use the supportability matrix to determine an upgrade order that will keep you within the bounds of supported versions. For example, if you’re running Exchange 2013 CU14 today, and want to upgrade to CU16, you should upgrade to CU15 first, deploy .NET Framework 4.6.2, then upgrade to CU16.

ADDITIONAL INFORMATION

The post March 2017 Updates Released for Exchange Server appeared first on Practical 365.

As announced earlier this month, work has begun on the fourth edition of Office 365 for IT Pros. For those of you who are not familiar with the history of this book, here’s a quick summary.

The first edition, titled Office 365 for Exchange Professionals, was released in May 2015 during Microsoft’s Ignite conference. At 623 pages long it was the culmination of months of writing (and rewriting, as Office 365 kept changing) by the author team, and focused primarily on transitioning to Office 365 from an Exchange Server admin’s perspective. As a side note, we used a different document layout in that edition. In today’s format, it would come in at about 580 pages.
The second edition, titled Office 365 for Exchange Professionals, September 2015 edition, grew to 750 pages, by expanding coverage of existing topics, updating everything that had changed or been made obsolete, and adding coverage of new topics.
The current edition, titled Office 365 for IT Pros, 3rd Edition, was released in June 2016. At around 800 pages, plus hundreds of pages more in supplemental material, coverage was expanded even further to address the needs of the wider IT pro community when it comes to Office 365. Hundreds of changes and new features released by Microsoft needed to be included, and ongoing weekly updates have grown the book to more than 900 pages today.

Now it’s time to bring the fourth edition to life. Microsoft has shipped entirely new features and services that deserve inclusion in the book, as well as making changes such as introducing an entirely new Azure Active Directory PowerShell module (necessitating the testing and and replacement of nearly 200 PowerShell samples in the book). We also need to go through the entire book, end to end, and make sure that it remains clear and technically accurate.

Most importantly, we want to make sure that the fourth edition continues to address your needs as an IT pro in a cloud-first world. For that, we’re asking for your help in shaping the content that will be included in the new edition. We’ve created a short survey to collect your thoughts and feedback. It should take only 5-10 minutes to complete.

Click here to answer the survey

The goal is to have the fourth edition available in May, depending on the release of some features on Microsoft’s road map.

We understand that news of a new edition of Office 365 for IT Pros will raise some questions, so here are some answers to the questions we hear the most:

Q: Will the fourth edition be free for people who already own a copy of the book?

A: We provide free updates for the edition of the book that you purchase (here’s the list of updates that have been shipped for the 3rd edition so far). New editions are sold separately, which is necessary to justify the huge investment of time required to update and maintain the book. We will, as always, provide a discounted upgrade to existing Office 365 for IT Pros, 3rd Edition customers for a limited time when the new edition is released.

Q: What happens to the third edition?

A: Updates will continue for the third edition until the fourth edition is released. After that, no further content updates are planned for the 3rd edition, however we may still make updates to fix significant errors (as we did for previous editions after they were superseded).

Q: How long before the fourth edition gets replaced?

A: By the time the fourth edition is released, the third edition will be 11 months old. We expect the fourth edition will remain current for at least 9 months as well. With the number of changes and new features in Office 365 every year, a 9-12 month publishing cycle seems to be the best way to stay current.

Q: What formats will the eBook be available in?

A: We plan to continue with the PDF/EPUB format, and also make available a Kindle format via the Amazon store. If you have other preferences, please take the survey and let us know. If there is enough demand for another eBook format we will look into it.

Q: Will there be a print edition?

A: We don’t plan to provide a print edition. The rate of change in the book would render any print book almost immediately out of date.

If you have any other questions, please feel free to leave a comment below.

The post Help Shape the Fourth Edition of Office 365 for IT Pros appeared first on Practical 365.

Comments

when the delegate user sent mail from the owner mail box, due ... by sankara

Microsoft has provided a variety of directory synchronization tools to customers over the years, most recently Azure AD Connect (AADConnect). Previously, customers could choose from DirSync or Azure AD Sync (AADSync) as well.

Development of DirSync and AADSync ended long ago, with the announcement in April 2016 that both tools were now deprecated. One year of further support was provided, and that ends on April 13th, 2017. Although the tools won’t stop working (at least not yet, but it will happen one day), you will no longer be able to get support from Microsoft if you are having directory synchronization issues.

As a side note, customers using AADConnect who have not enabled automatic upgrade, and have not been manually upgrading, will also become unsupported if their AADConnect build number is earlier than 1.1.

For more information about your upgrade options, refer to these articles that Microsoft has published:

The post DirSync and AADSync Support is Ending, Time to Upgrade to Azure AD Connect appeared first on Practical 365.

I’m pleased to announce that my latest Pluralsight course, Managing Exchange Mailboxes and Distribution Groups in PowerShell, has emerged from the production cycle and is now available to watch.

I enjoyed creating this course because it brings together the two technologies that have had the most impact on my career to date – Exchange Server, and PowerShell. In some respects, Exchange admins had a head start on the rest of the IT pro community because of Exchange Server 2007, a product that coincidentally is reaching end of life in just a few days time. As I explained in my blog post, Why PowerShell, it was working with Exchange that pushed me into learning how to use PowerShell.

I was supporting far more users and servers than I ever had before, and I realized there was no way I could keep up without the help of scripting and automation. And that meant a lot of time writing PowerShell. Automation became critical to our team’s ability to perform our duties, as our head count shrank but our responsibilities grew. Doing “more with less” was the reality we were dealing with.

Not much has changed today. PowerShell is a critical skill for IT pros who work with Microsoft technologies. We see it in job ads, and there are strong communities built around sharing of PowerShell scripts and code. And quite a lot of the most popular blog posts here either relate to using PowerShell for an administration task, or have a PowerShell solution for a problem.

Which brings us to my new course with Pluralsight. When I created this course I had two types of people in mind:

An IT pro who has Exchange admin responsibilities, but is inexperienced with PowerShell. Exchange Server is a great way to learn about PowerShell, and this course is suitable for beginners (I make a few recommendations in the first module for some introductory content to go watch first, if you need it).
An IT pro comfortable with PowerShell, but new to Exchange administration. If that is you, then you can either watch the course from start to finish, or you can dip into specific lessons to learn the tasks you need.

In either case, if you also need a test lab environment to learn in, you can build one on two VMs following the lab setup guide that’s included with the course, or just grab a free copy of my Exchange Server 2016 Quick Start Guide.

The complete list of modules, which total just over 3 hours of content, are:

Module 1 – Course introduction
Module 2 – Managing user mailboxes
Module 3 – Managing shared mailboxes and delegate scenarios
Module 4 – Managing resource mailboxes
Module 5 – Managing archive mailboxes
Module 6 – Other mailbox management scenarios
Module 7 – Managing distribution groups
Module 8 – Reporting and automation

If you’re a Pluralsight subscriber you can find the course here. If you’re not already a Pluralsight subscriber, you can sign up for a free trial to watch this course and others for 30 days.

The post New Pluralsight Course – Managing Exchange Mailboxes and Distribution Groups in PowerShell appeared first on Practical 365.