Skype Meeting Broadcast is GA!

The preview period has ended, and Skype Meeting Broadcast is now generally available!

I blogged about Skype Meeting Broadcast before and spoke at Experts Live 2015 about the features and functionality, and it’s nice to see that now all Office 365 customers can start using this feature.

There are some steps you need to perform to get Skype Meeting Broadcast running for your organization. As always, Microsoft has documented this well. You can find all relevant documentation here.

Have a good meeting!

Fingerprint readers and corporate email

Fingerprint readers are hot. Many phones now sport this nifty feature, helping you to unlock your phone even faster. Despite the fact that this is pretty cool, it does bring some challenges to the admin. Ever since Exchange 2003, and all the way up to Office 365, Exchange has had the option to define a policy to secure the devices connecting through ActiveSync. You can disable cameras or Bluetooth to protect against data leakage from your organization, or define a policy that requires the user to set up a PIN on his device when connecting to his (or her) corporate email account.

There are a few options that can be set here: simply requiring a PIN, defining the minimum length of the PIN, the time-out before a PIN is required again, and more. What you can’t define is whether to allow or disallow certain security options, like fingerprint readers.
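To make the policy options concrete, here is an added example (not code from the original post) that builds a mobile device mailbox policy with the PIN settings the post mentions and assigns it to a mailbox. It assumes an open Exchange Online (or Exchange 2013) PowerShell session; the policy name and the user address are placeholders. Note that there is no parameter for biometric unlock: whether a fingerprint counts as the PIN is decided entirely on the device side.

```powershell
# Added example, not part of the original post. Assumes an Exchange Online /
# Exchange 2013 PowerShell session is already open. "Corp-Mobile" and the
# mailbox address below are placeholders.
$policyName = 'Corp-Mobile'

# Create the policy if it does not exist yet
if (-not (Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-MobileDeviceMailboxPolicy -Name $policyName | Out-Null
}

# The PIN-related settings the post talks about: require a PIN, set its minimum
# length, lock the device after inactivity and limit failed attempts. The camera
# and Bluetooth switches are the data-leakage controls mentioned as well.
# There is no switch for fingerprint readers; the device maps those onto the PIN
# (iPhone) or treats them as something separate (Samsung Galaxy).
Set-MobileDeviceMailboxPolicy -Identity $policyName `
    -PasswordEnabled $true `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock 00:15:00 `
    -AlphanumericPasswordRequired $false `
    -MaxPasswordFailedAttempts 8 `
    -AllowCamera $false `
    -AllowBluetooth Disable

# Review what was actually stored
Get-MobileDeviceMailboxPolicy -Identity $policyName |
    Select-Object Name, PasswordEnabled, MinPasswordLength, MaxInactivityTimeLock, AllowCamera, AllowBluetooth

# Assign the policy to one mailbox (placeholder address)
Set-CASMailbox -Identity 'user@example.com' -ActiveSyncMailboxPolicy $policyName
```

Running the `Get-MobileDeviceMailboxPolicy` line afterwards is the quickest way to confirm that a PIN is really being enforced before users start reporting that their fingerprint-unlocked phones keep asking for one.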

Whether your fingerprint-enabled device plays nice with these settings varies per device. It turns out that Apple implemented the fingerprint reader on their iPhones as a substitute for the PIN: when you use the fingerprint reader, the chipset just uses the PIN in the background to unlock the device.

Android phones, or at least the Samsung Galaxy ones, work differently. The fingerprint reader here is just that: a fingerprint reader. The system sees this as a different authentication option and doesn’t use the PIN function as underlying technology. When connecting to Exchange, a PIN will be enforced despite the fact that the fingerprint technology is used, because the Exchange server enforcing this policy isn’t aware of the fact that this reader is there.

Currently, the only way to work around this issue is to not require a password in the mobile device policy, which is a security risk, or to use 3rd party applications to sync your mail, which is of course an even bigger security risk.

Going to Experts Live 2015?

As Experts Live is a Dutch event, this post is in Dutch. 🙂

On 19 November, Experts Live returns to Cinemec in Ede. It is the largest Microsoft-related community event in the Netherlands and, with 49 breakout sessions, offers a wealth of information on O365, Azure, OMS, EMS, Hyper-V, Azure Stack and Windows.

In the O365 track I get to share my own experiences with Skype Meeting Broadcast in the morning. I’ll show how the different roles are implemented technically, what the possibilities (and limitations) are, and in a number of demos I’ll show how a Skype Meeting Broadcast is organised and produced and what the experience is like for the viewers.

Want to go to Experts Live but don’t have tickets yet? I have a number of tickets to give away! Send me an email with your contact information and perhaps I can make your day!

stopped-extension-dll-exception when running DirSync

Today I ran into a problem at a customer. They are running an Exchange 2013 server in a hybrid configuration with O365. Some of the users are on the local Exchange server, but most of the users use O365 for their mailbox needs.

Some new mailboxes were needed, so I created the users in Active Directory and ran the enable-remotemailbox cmdlet to provision their mailboxes. The next step is to assign a license in O365, so I kicked off DirSync with the start-onlinecoexistencesync cmdlet and went to the O365 portal to license my new users… But they didn’t show up.

I checked the MIIS client to see that the export to Azure AD failed with the ‘stopped-extension-dll-exception’ error.

After some research, I found that this can be related to the execution policy in PowerShell. For DirSync to run successfully, it turns out the PoSH execution policy should be set to ‘unrestricted’. Earlier this week, a GPO was activated at this customer to enable PowerShell remoting, including the option to set the execution policy to ‘remote signed’. After creating a deny for this policy for the server running DirSync and manually setting the execution policy back to ‘unrestricted’, DirSync worked again and my newly created users started showing up in the O365 portal.

Wise lesson: for DirSync to run successfully, the execution policy for PowerShell on the server running DirSync needs to be set to ‘unrestricted’. Pretty weird, as IMHO ‘remote signed’ is the preferred and most secure setting. It is strange, at least, that Microsoft’s own products don’t work in this scenario. I haven’t tried this with the newer AADSync yet, so maybe this flaw was fixed in the newer releases.

There are a few issues on the O365 support pages regarding this issue, some of which state that even if the execution policy is set to ‘unrestricted’ via GPO, DirSync won’t work; the GPO must set the execution policy to undefined and the execution policy on the server needs to be set manually. However, only some of the people responding could confirm this, so your mileage may vary…
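The reason a manual change can seem to do nothing is that a GPO-delivered execution policy lives in its own scope, which takes precedence over the value set with Set-ExecutionPolicy. The following added example (not from the original post) shows how to inspect every scope on the DirSync server so you can tell whether the GPO or the local setting is the effective one before changing anything; it assumes you run it in an elevated PowerShell session on that server.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the server that runs DirSync.

# List the execution policy per scope. Scopes are shown in precedence order:
# MachinePolicy and UserPolicy come from Group Policy and override everything
# below them, which is why Set-ExecutionPolicy appears to have no effect while
# a GPO is in force.
Get-ExecutionPolicy -List

# The effective policy is the first scope from the top that is not Undefined
Get-ExecutionPolicy

# Only once MachinePolicy and UserPolicy read Undefined (the GPO is removed or
# denied for this server) does the LocalMachine value become the effective one.
# This is the manual step the post describes; it leaves the server more open
# than RemoteSigned, so keep it limited to the DirSync host.
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Unrestricted -Force

# Confirm the change, then re-run the sync and check the MIIS client again
Get-ExecutionPolicy -List
Start-OnlineCoexistenceSync
```

If `MachinePolicy` still shows `RemoteSigned` after the GPO deny has been applied, run `gpupdate /force` and check again; the LocalMachine value will not be used until the policy scopes above it are `Undefined`.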

Managing O365 groups with PowerShell

One of the much appreciated features in Office 365 is the new Office 365 Groups.

An Office 365 group provides a way to collaborate on a project with co-workers. When created, the Office 365 system creates a shared mailbox, shared calendar, a SharePoint team site and a OneNote notebook for the team to use. When allowed by their tenant administrator, users can create a new Office 365 group themselves, without the need to contact their IT department.

When looking at these functionalities for our internal network, we decided they might come in handy for certain projects. To keep things as standard as possible, we needed a way to automate the creation of these groups as much as possible. And when you talk automation, you talk PowerShell.

It turns out you can manage new Office 365 groups through PowerShell without hassle. In PowerShell, these groups are referred to as ‘unified groups’. As you know, you only need to know three commands to learn PowerShell: get-command, get-help and get-member. Let’s use these commands to check out what we can do with these groups in PowerShell.

Of course, we need to log on to our O365 tenant with PowerShell first. After that, we’ll need to find out which commands are available.

As you can see, there are multiple cmdlets to add, remove and manage new Office 365 groups. I would like to start out with creating a new group, so I’ll need some info on that.

To get some pointers on the use of this cmdlet, we can ask for some examples.

So, let’s create a new group! Because I don’t want my colleagues to be able to see this group, I’ll set the AccessType to Private.

Office 365 will now create the new group. It takes some time to complete the command, because the system will provision all parts of the group: a shared mailbox, shared calendar, OneNote notebook and SharePoint team site.

When the group is live, we can see what is stored about the group.

After creating the group, we might want to add some members to it. The new-unifiedgrouplinks cmdlet does just that.

Of course, you can use the get-unifiedgrouplinks cmdlet to retrieve the members or owners of a group. A unifiedgrouplink can be of different types: owner, member or subscriber.

By using these cmdlets, you can automate the creation, management and deletion of Office 365 groups. That way, you can set up all the groups you deploy in exactly the same way and perform these tasks automatically on certain triggers!
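The screenshots of the individual commands are not reproduced here, so the following added example (my own code, not from the original post) strings the whole procedure together: discover the cmdlets, create a private group, wait for provisioning, add links and read them back. It assumes an open Exchange Online PowerShell session; the group name, alias and addresses are placeholders. For adding links it uses Add-UnifiedGroupLinks, which is the cmdlet name I know for the operation the post calls new-unifiedgrouplinks.

```powershell
# Added example, not part of the original post. Assumes an Exchange Online
# PowerShell session. Group name, alias and e-mail addresses are placeholders.
$displayName = 'Project Phoenix'
$alias       = 'projectphoenix'

# Discover the available cmdlets and examples, as the post describes
Get-Command -Noun UnifiedGroup*
Get-Help New-UnifiedGroup -Examples

# Create the group as Private so only members can see its content
$group = New-UnifiedGroup -DisplayName $displayName -Alias $alias -AccessType Private

# Provisioning of mailbox, calendar, notebook and site takes a while; wait until
# the group can be read back before linking members to it
do {
    Start-Sleep -Seconds 10
    $group = Get-UnifiedGroup -Identity $alias -ErrorAction SilentlyContinue
} until ($group)

# Show what is stored about the group
$group | Select-Object DisplayName, Alias, AccessType, PrimarySmtpAddress, SharePointSiteUrl

# Link types are Members, Owners and Subscribers. An owner must also be a member,
# so members are added first. Cmdlet name as I know it: Add-UnifiedGroupLinks.
Add-UnifiedGroupLinks -Identity $alias -LinkType Members -Links 'alice@example.com', 'bob@example.com'
Add-UnifiedGroupLinks -Identity $alias -LinkType Owners  -Links 'alice@example.com'

# Read the membership back
Get-UnifiedGroupLinks -Identity $alias -LinkType Members | Select-Object Name, PrimarySmtpAddress
Get-UnifiedGroupLinks -Identity $alias -LinkType Owners  | Select-Object Name, PrimarySmtpAddress

# Clean-up once the project has ended (commented out on purpose)
# Remove-UnifiedGroup -Identity $alias -Confirm:$false
```

Keeping the owner list explicit in the script is worth the extra line: a group that was created by a script and never given a human owner has nobody to approve or remove members later, which is exactly the kind of standard you want enforced when users cannot create groups themselves.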

Message trace retention in O365

There seems to be some misunderstanding about the retention of message trace data in Office 365. To be clear: this data is stored for 90 days. You can find this info on TechNet.

I can see where the confusion comes in, though. When you run the get-messagetrace cmdlet from PowerShell, you only get the information for messages from the last 7 days. If you wish to retrieve data for older messages, you should start a new historical search.

This PowerShell command starts the search job with the specified criteria. For information on the parameters you can use with the cmdlet, check the documentation. When searching over a large timeframe or in heavily used mailboxes, it can take up to a few hours to collect all the data. If you specify the NotifyAddress parameter in your cmdlet, you will be notified when the report is ready. Results will be sent to the specified address. If you don’t specify an address for the notification, you can go to the Exchange Online admin portal to retrieve the data. You can find your historical searches in the mail flow -> message trace section of the Exchange Online portal.
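The command itself was shown as a screenshot, so here is an added example (not from the original post) that puts the two retrieval methods side by side: Get-MessageTrace for the last 7 days and Start-HistoricalSearch for anything older, up to the 90-day retention. It assumes an open Exchange Online PowerShell session; the sender, notification address and report title are placeholders.

```powershell
# Added example, not part of the original post. Assumes an Exchange Online
# PowerShell session. Addresses and the report title are placeholders.

# 1) Get-MessageTrace only reaches back 7 days. Results are paged, so ask for
#    the maximum page size when you expect many hits.
$end   = Get-Date
$start = $end.AddDays(-7)
Get-MessageTrace -StartDate $start -EndDate $end `
    -SenderAddress 'alice@example.com' -PageSize 5000 |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status

# 2) Anything older than 7 days (up to the 90-day retention) needs a historical
#    search job. NotifyAddress makes Office 365 mail the report when it is done;
#    without it you collect the results from the mail flow -> message trace
#    section of the Exchange Online admin portal.
$job = Start-HistoricalSearch -ReportTitle 'Alice outbound, last 90 days' `
    -ReportType MessageTrace `
    -StartDate (Get-Date).AddDays(-90) `
    -EndDate   (Get-Date) `
    -SenderAddress 'alice@example.com' `
    -NotifyAddress 'admin@example.com'

# The job runs asynchronously and can take hours; check on it by its JobId
Get-HistoricalSearch -JobId $job.JobId | Select-Object ReportTitle, Status, SubmitDate
```

A StartDate more than 90 days in the past is rejected by the service, which is the practical side of the retention limit the post mentions: if an investigation needs older data, it has to come from a 3rd party archive rather than from Office 365.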

It can be wise to discuss the 90-day retention period of Office 365 with your customer. If the organization requires a longer retention, for example because of legal reasons, you may need to implement 3rd party products to achieve this.

365 Dude at Experts Live 2015

On November 19th I’ll be at Experts Live 2015 in Ede. This year I will not only be there listening to the cool sessions on all new Microsoft technology and absorbing all the knowledge, but I’ll also present a session myself.

Early in the morning, at 07:45, I’ll be talking about Skype Meeting Broadcast. We’ll cover the technological architecture, when to use a broadcast instead of a regular Skype for Business meeting and of course do some live demos on setting up and producing a broadcast, as well as the view you’ll have when attending such a broadcast.

If you’re at Experts Live this year, be sure to check this out! Want more information about the event or want to buy tickets? Check out the Experts Live website or watch the video in which some of the speakers are presented. See you there!

New in Outlook Web App: email reminders for meetings

One of the features that was recently released in Outlook Web App is the email reminder for meetings in your calendar.

If you’re on the ‘first release’ ring in Office 365, you should have this function already. If you’re not, you will get the feature sometime soon.

Adding an email reminder is quite straightforward: simply open the meeting and click the ‘add an email reminder’ link. In the screen that opens up, you can set just a few things.

First of all, you can set when the reminder will be sent.

Next, we set the recipients for the reminder. We can send the reminder to only the organizer, or to all attendees.

And last but not least, we set the message we would like to send.

As you can see, this is a very nice way of reminding attendees of a meeting, especially if you want everyone to come prepared!

Redesigning your meeting room? Think Vytru.

One of the highest scoring devices when it comes to coolness, at least in my humble opinion, are Lync Room Systems.

These are ready-to-go devices to bring the Lync, or should I say Skype for Business, meeting experience to your meeting room or board room. The big downside of these, however, is the price. Especially if you invested in, for example, a big TV screen for your meeting room before, you might want to look into something that allows you to build on those previous investments.

Vytru jumps into this gap with their Lync Room Video System, RVC for short.

The heart of the system is the ‘codec’. This is basically a NUC-based PC loaded with the Vytru software. You can attach all your existing devices to this base, be it TV screens, USB webcams, audio devices, et cetera. This way, you can reuse your existing equipment in your new meeting room setup. The software can be used with a touchscreen device, but if you don’t have one of those you can control it using any keyboard and mouse.

You can attach any camera you want, as long as it is connected through USB. This way, you can adjust the setup, and with that the price, according to your needs. Setting up a simple system for a small huddle room? Connect any HD monitor-mounted webcam and use a relatively small screen. Going all the way? Use 80″ screens and a full HD PTZ camera like the Logitech CC3000e.

Vytru can be used with a single screen, or in a dual screen setup. When using the dual screen setup, one screen will be used for displaying the video streams, while the other will show the meeting content such as a PowerPoint presentation.

And for the good news: while Vytru used to charge an extra licensing fee when using dual screen, they recently dropped that. Dual screens for everyone!

Vytru Lync Room Video System with dual screen setup

If you want to know more about these systems or want to figure out if it fills your meeting room needs and you live in the Netherlands, feel free to drop me an email and have a chat.

Enable single sign on when joining Azure AD

One of the perks of Windows 10 in combination with Office 365 and Azure AD is the new ‘join Azure AD’ function.

This enables a few things. One of them is the automatic enrollment in MDM or Intune, which I’ll cover in an upcoming blog post. Another cool thing I’ll demonstrate here: it enables single sign-on to Azure-based services such as the various Office 365 services.

We’ll start with a sparkling new Windows 10 system. It’s the Pro version on x64, but your experience will be the same on other versions.

After the basic installation, the system will be set up. One of the first things it’ll ask is who actually owns this device. In this case, of course, we’ll specify that it’s a company-owned device.

The next question is whether we’ll connect to Azure AD, or to a legacy on-prem domain. Of course, we’ll connect to Azure AD for this demonstration.

The wizard will ask for credentials. I’ll specify my work account, the same credentials that I use to sign in to Office 365.

Because my company uses a customized sign-in page, after specifying the username I’ll be redirected to this custom page to enter my password.

After signing in, the system will be enrolled and the company policy is applied.

After a few moments, the lockscreen appears and I can log on using my Azure AD / O365 account.

Because it’s the first time I log on using that account on this machine, my profile will be set up.

Luckily, this won’t take long 😉

Once enrolled, certain policies will be enforced on the PC to comply with the company requirements.

I need to set up a PIN to unlock the PC, because that’s part of the policy.

So I will. For setting up a PIN I must use two-factor authentication, because company policy requires that. A push message is sent to my smartphone so I can authenticate.

After the second factor of the authentication is completed, I can actually set up the PIN.

Of course, the company has some requirements for this PIN.

And after that I’m signed in! First thing I do is to check the Outlook mail app. Being signed in with my Office 365 account, I’d expect the app to be preconfigured with my Office 365 mail account.

It is!

Next up, I’ll fire up a web browser to navigate to https://outlook.office365.com. Because I’m logged on with my Office 365 account, I don’t need to log on in the browser and I’m logged on to my mailbox automatically.

Note that this doesn’t only work for Outlook Web App, but for all Office 365 and Azure apps, including for example SharePoint Online and Delve.

If you don’t use a company-owned device but log on to Windows using your private Live ID, you can still Azure AD join the machine. To do this, go to the Settings app and open the ‘Accounts’ settings. On the ‘Work access’ tab, you can click the ‘Join or leave Azure AD’ link to connect using your Azure AD account.

Next, click the ‘Join Azure AD’ button.

You will be taken through the wizard to join the Azure AD, with the same experience as the ‘out of box’ setup demonstrated above.

When joining devices to Azure AD, you can also automatically enroll the device in Intune. That in itself brings a lot of possibilities for managing the device, enforcing policies and pushing software and apps. I’ll cover that in one of my next blog posts!