Microsoft Authenticator to support account backup & recovery

Good news for everyone who, like me, uses the Microsoft Authenticator app for all their multifactor authentication needs: a much-requested feature will soon be available!

Microsoft announced that they will soon start rolling out account backup and recovery functionality for their authenticator app. This way, when you switch devices, you won’t need to reconfigure all your account credentials on the new device.

The Microsoft Authenticator app beta for iOS already supports this feature, so I went ahead and configured the backup functionality.


The backup is encrypted with your personal Microsoft account and then stored in iCloud. Because building the foundations using iCloud storage simplified the development process, Microsoft is starting the roll-out on iOS devices in the next few weeks. After that, the function will become available in the Android app too.

More information, and a form to sign up for the beta-release of the Authenticator app for iOS, can be found here.

New in OneDrive: File Restore

A few days ago, Microsoft announced a new feature for the Office 365 Suite, specifically within OneDrive: the ability to restore files as a user.

When you navigate to your OneDrive page and click the settings-icon, you can select ‘Restore OneDrive’.

After that, it’s pretty straightforward. There are great instructions on the OneDrive blog, so I won’t be going into detail here 🙂

The feature is currently rolling out across all tenants and should be globally available by mid-February.

OneDrive Files on Demand: the new OneDrive experience

One of the things I’m looking forward to in the new Windows 10 Creators Fall update is the new OneDrive sync client, which enables the files on demand functionality. In fact, I’m looking forward to it so much that I decided to enroll my device in the Windows 10 Insiders Fast Ring, so I could take the new client for a test drive right now.

So, here it is! Right after finishing the upgrade and logging in, I’m greeted by the welcome screen of the new sync client.

The three icons in the welcome screen explain nicely how files on demand works: you can choose to have the file in the cloud only (without syncing it to the device), to have the file available in the cloud and on the device, where the client decides which files are actually synced, or to have the file always synced to the device, whether or not it is being used.

So, how does this work out in practice?

This is the view of my OneDrive folder. Please note I did some editing to protect the privacy of some of my clients 😉 The view in Windows Explorer for the OneDrive folder is the same as I’m used to. The only thing that changed, is the icon next to the folder, indicating the status of the folder.

Navigating into the folder, we see the same icons. In this case, some files have been marked to use only in the cloud, or to always keep on the device. This can be done by right-clicking the file and selecting the appropriate option in the context menu.

So, where is the use in this? For starters, it allows you to sync only specific files to your device, which makes sure you don’t run into problems with the capacity of your disks. In my case, the Surface Pro 4 I ran this test on has a 256GB SSD in it, where Office 365 gives me 1TB of personal storage in OneDrive. That won’t fit 😉 Second of all, when you choose to keep a file only in the cloud, the file is still visible in your normal explorer view. You can select it, upload it from a browser context menu, do everything you would normally do with it. When you actually ‘open’ the file, it’s pulled in from the cloud to be used. This greatly enhances the user experience!

So, can you see how much space this saves you? Of course you can 😉 At first, I checked it with just one file. Note the difference between the ‘size’ and ‘size on disk’ info.

After some manual checking on which files I don’t need to be available offline, I managed to really save some space on my device.

Of course, your mileage may vary depending on what sort of files you store in your OneDrive and what you need to be available offline, but the OneDrive team managed to greatly enhance the experience! Coming soon to Windows 10 computers near you 😉

Checking out StaffHub in Office 365

Mid-January, Microsoft announced the general availability of a new member of the Office 365 family: Microsoft StaffHub.

StaffHub is aimed primarily at deskless workers, like those in retail stores, hotels, restaurants, or service-related industries. These people typically don’t have their own desk or office, or even a computer, which makes it hard to keep up with information that might be important for their day-to-day work. Just think about printed work schedules, cluttered bulletin boards with information or the many phone calls or text messages to cover or trade a work shift. Enter StaffHub!

The primary function for StaffHub is to provide managers with an easy way to update, create and manage shift schedules for their team. What used to be a pretty labor-intensive process has become a pretty streamlined one. For employees, all they need is the StaffHub mobile app to access their shift information, including the possibility to easily swap shifts with their co-workers.

As you can see, the interface for the manager is quite simple. It’s an easy way to create, update and manage shifts.

From the mobile app, available on both Android and iOS (yeah, where’s the UWP app Microsoft?), the team can easily view their shifts and request to swap a shift with a colleague.

The app’s home screen provides a summary of upcoming shifts, as well as any important notes for the workday. Employees can also see who else is scheduled for the day, which is useful if they want to know who they’ll be working with or if they want to swap shifts.

When schedule conflicts come up, Microsoft StaffHub makes it easy to swap a shift or offer a shift to someone else. Requests are always routed to the manager for approval, and updates and notifications are automatically sent to the team.

Apart from creating and viewing work shifts, sharing information is another important part of StaffHub. Managers can quickly provide their team with important information, such as policy documents, news bulletins or videos.

For the team, this information is available directly from the mobile app.

Managers also have a fast and reliable way to send quick messages to team members. For example, to let an employee know “there is a spill on the floor” or “the VIP guest is arriving in 20 minutes,” simply tap the employee’s name and type a message. Employees can also send messages directly to each other or to the entire workgroup.

With all this functionality, StaffHub can be a great way to keep your deskless team up to date with current work schedules and information, from their own smartphone. No need for duct tape to hang your announcements on the canteen wall!

On introduction, Microsoft announced that StaffHub can be integrated with existing systems. To start off with, you can connect StaffHub with Kronos, a leading provider of workforce management and human capital management cloud solutions. Initially, this integration will enable managers to import individual and team schedule information from Kronos’s Workforce Central platform directly into Microsoft StaffHub. This functionality will initially be in private preview to a small group of Office 365 and Kronos customers. Other connections are expected to arrive in the future.

Want to try it out? StaffHub is enabled directly for Office 365 customers with a K1, E1, E3 or E5 plan.

Team managers can sign in at, and employees can download the app on iOS or Android.

Want more info? Check out the introduction video from Microsoft Mechanics on YouTube.

Pass-through authentication and SSO

In an earlier blogpost I wrote about the new ‘pass-through authentication’ feature that is in public preview in the new Azure AD Sync client.

One of the most common reasons to use ADFS in an Office 365 setup, is that it allows you to do Single Sign-On. You only have to authenticate once, when you log on to your domain joined device, and your Kerberos ticket is used to authenticate you against Azure AD and therefore Office 365.

With the pass-through authentication feature, you get the same benefits. Because the PTA agent authenticates you against your on-premises Active Directory, you can use PTA to do single sign-on as well. So let’s take this setup for a test drive!

The basis of this test is the setup from my previous blog: an on-premises AD with PTA enabled in Azure AD Connect combined with the 365Dude Office 365 tenant. I added a Windows 10 machine to the mix, and domain-joined it to the on-premises AD. I use the Mr. Dude account to log on to this machine.

There are a few prerequisites to take into account when doing SSO. Mainly, they concern the OS and browser used. A Windows machine is required, as SSO uses Kerberos for the underlying authentication. When using Windows 10, 8.1 or 8 clients, Internet Explorer, Chrome and Firefox are supported, whereas Edge isn’t. Lower Windows versions aren’t supported. When installing Azure AD Connect with the PTA / SSO option, a computer account is created in AD to handle your authentication requests.

First, we need to make sure that the Office 365 tenant is configured to allow OAuth. We do this with one single line of PowerShell:

Furthermore, we need to add the Microsoft authentication servers to the Intranet zone of the browser’s security settings. They need to be explicitly added to the machine’s Intranet zone, so that the browser will automatically send the currently logged in user’s credentials in the form of a Kerberos ticket to Azure AD. The easiest way to add the required URLs to the Intranet zone is to simply create a group policy in Active Directory.

There are two URLs that need to be configured here:

When done, the GPO should look as follows:

That’s it! After configuring our tenant and setting up the URLs to be in the Intranet zone, you can ‘single sign-on’ to your Office 365 service.
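Because every site in the Intranet zone is automatically sent the logged-in user's Kerberos ticket, it is worth checking that the zone holds the SSO URLs and nothing broader. The PowerShell below is an added example, not code from the original post: it assumes the GPO uses the 'Site to Zone Assignment List' setting, the function names are hypothetical, and the two URLs are placeholders because they are not reproduced on this page.

```powershell
# Added example (not from the original post). Assumes the GPO uses the
# "Site to Zone Assignment List" setting; placeholders stand in for the two URLs.
$ExpectedSites = @(
    'https://<first-sso-url>',     # placeholder: first URL from your GPO design
    'https://<second-sso-url>'     # placeholder: second URL from your GPO design
)

function Get-PolicyZoneMap {
    # Reads the policy values: value name = site pattern, value data = zone number.
    # Use the HKLM: equivalent if the setting is applied as a computer policy.
    param([string]$Path = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey')
    $map = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $map[$name] = $key.GetValue($name) }
    }
    return $map
}

function Test-IntranetZoneMap {
    # Compares the sites mapped to zone 1 (Local intranet) with the expected list.
    param([hashtable]$ZoneMap, [string[]]$Expected)
    $intranet = @($ZoneMap.Keys | Where-Object { [int]$ZoneMap[$_] -eq 1 })
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $_ -notin $intranet })   # SSO will not work
        Unexpected = @($intranet | Where-Object { $_ -notin $Expected })   # review these
        Wildcards  = @($intranet | Where-Object { $_.Contains('*') })      # broad patterns
    }
}

# Constructed sample data, shaped like the registry values the policy writes.
$sample = @{
    'https://<first-sso-url>'      = '1'
    '*.example.test'               = '1'
    'https://partner.example.test' = '2'
}
Test-IntranetZoneMap -ZoneMap $sample -Expected $ExpectedSites | Format-List

# On a domain-joined client, check the live policy instead of the sample:
# Test-IntranetZoneMap -ZoneMap (Get-PolicyZoneMap) -Expected $ExpectedSites | Format-List
```

An entry under Missing means SSO will fall back to a password prompt; entries under Unexpected or Wildcards are sites that would also receive tickets automatically and should be justified or removed.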

So, what’s the user experience here? Let’s check it out.

After logging on the machine, we open IE and navigate to the URL.

We are prompted to enter username and password. After we enter the username part, and navigate to the password field, the computer checks for a Kerberos ticket for this username. When it exists, the client is automatically logged on without the need of entering the password.

Well, it’s a bit hard to capture that on a screenshot. But you catch my drift, right? 😉 When the login completes, we just find our Outlook for the Web logged on and ready to use.

So that’s the webmail part. Most of my clients however, prefer to use Outlook as part of the Office suite for their e-mail work. How does SSO work there? Well, almost in the same way.

Prerequisite for SSO to work with client apps, is that the apps support modern authentication. So for our Windows-based clients, that will be Office 2013 and 2016. For this test, I used Office 2016.

When first starting Outlook, we are prompted to connect to Office 365.

So let’s do just that. When we click the ‘connect’ button, we get a login screen equal to the one used in the Outlook for the Web interface.

And there we are. After checking the username and navigating to the ‘password’ field, the dialog box checks to see if a Kerberos ticket exists for this account and when it does, it uses that to log on to the Office 365 service. No further user interaction is required, It Just Works.

So, it’s a wrap. This single sign-on functionality provides you with all the ease of use you have with ADFS, without the need for a complete ADFS infrastructure. Of course, when you plan on (or need to be) running ADFS in your environment for single sign-on with other applications, such as CRM or ERP software, there is no use in using PTA with SSO for Office 365; you just take the ADFS route. If, however, you want to provide your users with the same experience without the need for the infrastructure, PTA with SSO can be a great alternative!


Finally: SharePoint Online storage increase

Extra storage for SharePoint Online

The future is here! It was announced several times, but Microsoft finally upgraded the default available SharePoint Online storage for an Office 365 tenant to 1TB.

This means that every tenant will get 1TB of pooled storage for SharePoint Online, increased with 500MB for each licensed user. That’s a big upgrade from the previous 10GB + 500MB.

And the best part is that the increased storage is available directly!

I think this is a huge improvement: it makes the Team Sites in SharePoint Online a better candidate to store your shared documents, instead of placing them on OneDrive for Business. And a team site is where those files belong, as OneDrive for Business is designed to be used just for personal files. The increase to 1TB means that most businesses can start using SharePoint Online without the need to purchase extra storage.

Talking about OneDrive for Business: there is an update there too. Where the current storage limit for OneDrive for Business is 1TB per user, Microsoft is offering unlimited OneDrive for Business storage for premium plans. Other Office 365 plans will get 5TB for each user. The first phase of rolling out these upgrades has finished recently.

More information on these changes can be found in this announcement by Microsoft.

Tagging someone in your email

One of the previously announced features just showed up in our Office 365 tenant: tagging someone in an email.

It’s fairly simple: by adding someone in the body of your email using the @-sign, you automatically add them to the recipients list of the mail. Check it out:

I start off by creating a new email. I address it to my manager and start typing.


Somewhere along the line, I decide I want to include my colleague Robert in the conversation. I add him inline using the @-sign. Outlook for the Web picks this up, and displays some possible people I want to include. I click to select the right one.


After I select Robert, he gets added in the to-field of the message.

As you can see, the name becomes a clickable link to his email address.

And that’s it! I really like this feature; it makes sure that when you add someone in an email with a ‘call to action’, they get added to the recipient list and you are sure they receive this email, even if they weren’t in the conversation before!


Redesigning your meeting room? Think Vytru.

One of the highest scoring devices when it comes to coolness, at least in my humble opinion, are Lync Room Systems.

These are ready-to-go devices to bring the Lync, or should I say Skype for Business, meeting experience to your meeting room or boardroom. The big downside of these, however, is the price. Especially if you invested in, for example, a big TV screen for your meeting room before, you might want to look into something that allows you to build on those previous investments.

Vytru jumps into this gap with their Lync Room Video System, RVC for short.

The heart of the system is the ‘codec’. This is basically a NUC-based PC loaded with the Vytru software. You can attach all your existing devices to this base, be it TV-screens, USB webcams, audio devices, etcetera. This way, you can reuse your existing equipment in your new meeting room setup. The software can be used with a touchscreen device, but if you don’t have one of those you can control it using any keyboard and mouse.

You can attach any camera you want, as long as it is connected through USB. This way, you can adjust the set, and with that the price, according to your needs. Setting up a simple system for a small huddle room? Connect any HD monitor-mounted webcam and use a relatively small screen. Going all the way? Use 80″ screens and a full HD PTZ-camera like the Logitech CC3000e.

Vytru can be used with a single screen, or in a dual screen setup. When using the dual screen setup, one screen will be used for displaying the video streams, while the other will show the meeting content such as a PowerPoint presentation.

And for the good news: while Vytru used to charge an extra licensing fee when using dual screen, they recently dropped that. Dual screens for everyone!

Vytru Lync Room Video System with dual screen setup

If you want to know more about these systems or want to figure out if it fills your meeting room needs and you live in the Netherlands, feel free to drop me an email and have a chat.

Surface hub now available for purchase

For a while, Microsoft pushed the Lync Room System as the go-to product when designing your meeting room to use with Lync / Skype for Business. Those systems created an integrated experience to bring Lync or Skype for Business to the meeting room. Those room systems are not an actual Microsoft product, but were 3rd-party solutions based on the guidelines provided by Microsoft.

With the announcement of Windows 10, Microsoft announced a new product to be used on the work floor or in the meeting room: the Surface Hub.

The Surface Hub is more than a huge Surface tablet: it’s a computer fit into a large touchscreen. There are two different sizes: a 55-inch display housing an Intel Core i5 and an 84-inch one built around an Intel Core i7 and a special nVidia graphics chip.

The big screens enable users to collaborate more efficiently on projects or have a remote meeting with colleagues or external participants.

The Surface Hub will play nice with your meeting room. Once you enter the room, all you have to do is activate the device and all participants can connect. In a session, you can simply set up a Skype for Business meeting, collaborate on Office documents or share images or 3D models. All files shared during a session using Office, OneNote or other Windows Universal apps are combined and sent to the participants after the meeting if you choose to do so.

The price for the Surface Hub is fairly high, but does beat most Lync Room Systems. The ‘small’ 55-inch version is sold for around 7869 euros, the large 84-inch one goes for 22.449. The Surface Hub has been available since July 1st.

You can check out YouTube if you want to see the Surface Hub in action: