Author: Ståle Hansen
Teams Phone Number Management with Get-TeamsNumbers.ps1
I believe assigning phone numbers in Microsoft Teams can waste hours for an organization with multiple ranges and locations. What if you could run a PowerShell routine to find the next available number in a number range and at the same time know how many numbers you have left?😱 Now you can, with Get-TeamsNumbers.ps1. Watch …
Goodbye Skype for Business Online, you won't be missed
July 31st 2021 is the date when Skype for Business Online (SfBO) was decommissioned. It was a good run, but we won't be missing the service. Why? Because Microsoft Teams is a more modern, cloud native service which has proven itself during difficult times with over 250 Million Monthly active users. I wrote an article …
Soo, you got access to Copilot, now what? Here are some best practices
Since Copilot got announced, I have been investigating what it means to be Copilot ready. There are three main topics when working towards Copilot ready, and we address all of them in our upcoming conference, https://m365revival.com/ February 15th in Oslo. Today, my team and I got access to Copilot in our production tenant. What I …
13 years of blogging and 2 000 000 views
Today, January 26th 2023, I hit a huge milestone. 2 000 000 views since I started blogging in 2009. msunified.net has been the home for me to share technical nuggets about Exchange, OCS, Lync, Skype for Business, Teams and Microsoft 365 for over 13 years. I have even shared productivity tips which has culminated in …
Digital Wellbeing and working smart in Microsoft 365
Digital Wellbeing in Microsoft 365 is about working smart with the tools you have at your disposal. There is a difference between having access to the tools and using them as intended. With the introduction of Microsoft Viva and specifically Viva Insights, we now see where Microsoft is headed. They are now all about using …
Why Entra ID can Restore Some Types of Deleted Groups and Not Others
Ability to Restore Deleted Groups Depends on Graph APIs
Yesterday, I covered a gap that exists between the Purview development group and the Exchange Online development group when it comes to applying scoped roles to audit log searches. Today, a blog post by ex-MVP Tony Murray-Smith reminds me about another functionality gap that exists in the area of groups. The problem described occurred when a user deleted a security group by mistake only to discover that the Entra admin center doesn’t support a method to restore deleted groups of this type.
In fact, Microsoft 365 groups are the only type of group that Entra supports for restoration via its admin center. There’s no way to restore a deleted distribution list, dynamic distribution list, security group, or mail-enabled security group. Apart from dynamic distribution lists, these objects are recognized by Entra ID and accessible through the Groups API. However, the only group objects supported by the List Deleted Items and Restore Deleted Items (directory objects) APIs remain Microsoft 365 groups. And if a Graph API isn’t available to support restoration, the administrative portals cannot create functionality from thin air.
This situation has persisted since the introduction of cmdlets to restore deleted Microsoft 365 groups in 2017 followed by a GUI option in the Exchange admin center, Microsoft 365 admin center, and Entra admin center. Microsoft subsequently removed the option to restore deleted groups from the new EAC, so the current GUI-based options to restore deleted Microsoft 365 groups are in the Entra admin center and Microsoft 365 admin center. And if you want to use PowerShell, there’s the Restore-MgDirectoryDeletedItem cmdlet.
The Gap Between the Exchange DS and Entra ID
The question is why Entra ID only supports the restoration of Microsoft 365 groups. I think the answer lies in two parts. First, the desire within Microsoft to make its brand-new cloud-only Office 365 groups (now Microsoft 365 groups) the “best group for everything” following their launch at the Ignite conference in May 2015.
The infrastructure to fully support Microsoft 365 groups took time to develop, and building the capability to reconnect all the different resources that a group might use made the process more complicated for Microsoft 365 groups. Being able to restore SharePoint Online, Teams, the group mailbox, and so on was a big undertaking that Microsoft quickly discovered needed to be tackled after the launch of Office 365 groups, especially after some early customers discovered that they couldn’t be restored. The functionality duly arrived in 2017. The campaign to make Microsoft 365 groups do everything is far less intense now than it was some years ago, but its legacy is evident sometimes.
The EXODS Objects
The second issue is heritage. Distribution lists and mail-enabled security groups originated in Exchange Server. Exchange Online still has its own directory (EXODS) to store details for mail-enabled objects. Synchronization and dual-write update operations keep Entra ID and EXODS aligned so that updates performed in one directory synchronize immediately to the other. The Graph APIs support distribution lists and security groups, including mail-enabled security groups, but Entra ID and the Graph APIs ignore dynamic distribution lists and can’t update settings for distribution lists and mail-enabled security groups because these objects are homed within Exchange Online.
Good reasons exist for why the differentiation exists. Dynamic distribution lists require Exchange Online to resolve their membership because the membership supports objects like mail-enabled public folders that don’t exist in Entra ID. Dynamic distribution lists also support nested lists. Regular distribution lists and their mail-enabled security group variants have many settings that aren’t supported in Entra ID, like message approval.
As far as I can remember, it has never been possible to restore deleted distribution lists (and some of the online answers are very misleading, like this example). Once an administrator removes a distribution list, it’s gone. The only thing that can be done is to recreate the distribution list from scratch. That might be possible if someone knows the membership and the list settings, but that might not be the case.
Some Work Necessary in This Area
Microsoft should do some work to make it possible to restore all forms of deleted groups. That work will need contributions from teams responsible for Entra ID, the Graph API, and Exchange Online. Mistakes do happen and administrators remove important distribution lists or mail-enabled security groups when they shouldn’t. Being told that it’s necessary to recreate an object from scratch is a royal pain, and it’s something that shouldn’t still be a problem in 2024. Customers assume that if they can restore one type of deleted group, they should be able to restore any type of deleted group.
Then again, other pains exist around distribution list management, like Microsoft’s failure to produce a utility to move distribution lists from on-premises servers to the cloud. Tim McMichael’s DLConversionV2 solution is the best available. He’ll be discussing distribution list management at TEC 2024 in Dallas in October. Maybe I should ask Tim about restoring groups that aren’t Microsoft 365 groups.
The Problem with Scoped Audit Log Searches
Purview and Exchange Online Disagree about Scoped Audit Log Searches
Like many Purview solutions, audit log searches support scoping using Entra administrative units. In other words, an account holding the Audit Manager Purview role scoped for a specific administrative unit is only able to find audit records linked to the administrative unit. An account can be scoped to manage a single or multiple administrative units. Alternatively, the scope assigned to an account can be “Organization,” meaning that the role applies to all audit events created in the tenant. Figure 1 shows that two accounts hold organization scopes for the Audit Manager role while another is scoped for a single administrative unit.
Administrative unit support for Purview scoped audit log searches has been available since November 2023.
Audit Records and Administrative Units
Each audit record is tagged with the user account or service principal responsible for the logged action. If a user account belongs to an administrative unit, the audit event captures the identifier of the administrative unit in an array called AssociatedAdminUnits in the audit payload. If the account belongs to multiple administrative units, the audit record captures the identifiers of all the administrative units. Capturing administrative unit details in audit records is what makes scoping possible.
For example, this code fetches the audit payload from an audit record and converts it from JSON before looping through the administrative unit identifiers to return the display name for each administrative unit:
    # $Records is assumed to hold the results of an earlier audit log search
    $AuditData = $Records[0].AuditData | ConvertFrom-Json
    ForEach ($AU in $AuditData.AssociatedAdminUnits) {
        # Resolve each administrative unit identifier to its display name
        $AUName = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $AU.ToString() | Select-Object -ExpandProperty DisplayName
        Write-Host ("Found administrative unit {0} ({1})" -f $AUName, $AU)
    }

    Found administrative unit Ireland (112f5e71-b430-4c83-945b-8b665c14ff25)
Limiting Audit Log Searches with Administrative Units
When a user with a scoped Audit Manager role signs into the Purview Compliance portal to run an audit log search, they can select one or multiple of the administrative units they are scoped to manage for the search (Figure 2).
Purview audit log searches only return audit records matching the selected administrative units. It’s easy to validate that this is so by checking that audit records returned by the search have the identifiers for the selected administrative unit(s) in their properties (Figure 3).
Inconsistent Scoping
Administrative unit scoping works for audit log searches performed through the Purview compliance portal and with the AuditLog Query Graph API. However, despite almost a year lapsing since the introduction of scoping for audit log searches, the Purview scopes don’t work for searches performed using the Search-UnifiedAuditLog cmdlet.
This is an odd situation. Despite Microsoft’s sometimes unexplained messing with the Search-UnifiedAuditLog cmdlet, it remains a very significant and popular way to run audit log searches. However, the Search-UnifiedAuditLog cmdlet is part of the Exchange Online Management PowerShell module. The Exchange Online cmdlets use Exchange Role Based Access Control (RBAC) to limit their functionality and apply scoping, and non-administrator accounts must be enabled to use the Exchange Online Management PowerShell module.
The requirements to use the Search-UnifiedAuditLog cmdlet are obviously very different to those needed to run Purview audit log searches. The mechanisms used also differ. Search-UnifiedAuditLog searches are synchronous, and the results are usually available much more quickly than those of Purview searches (unless you use the high completeness option). Both Purview searches and those run using the Graph AuditLog Query API submit background jobs to find audit records. Depending on the number of records found by a search, audit results aren’t usually available for at least 10 minutes and can take far longer.
It’s odd that Microsoft allows a situation to persist where the scoping mechanisms used by Exchange Online and Purview are unsynchronized. The likely explanation is that two different engineering teams are involved who haven’t yet figured out how to implement common scoping behavior. It seems like this is a problem that should be well within the capability of the world’s largest software company, but logic doesn’t always hold true when different teams have different priorities in large organizations.
The net outcome is that inconsistent scoping for audit log searches creates the potential for inadvertent PII disclosure in customer tenants. It also means that managing scoped access to data is more difficult than it should be. Both are unacceptable when it comes to access to audit data. Let’s hope that Microsoft fixes this issue soon.
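The validation described earlier (checking that returned records carry the selected administrative unit identifiers) can also be applied to Search-UnifiedAuditLog output, which ignores Purview scopes. The following is an added example, not code from the original article: the function name Select-AuditRecordByAdminUnit, the sample records, and the all-zero GUID are constructed for illustration. The filter only trims results for reporting; it does not restrict what the cmdlet returns to the account that runs it.

```powershell
# Added example: post-filter audit records by administrative unit.
# Select-AuditRecordByAdminUnit is a hypothetical helper, not a Microsoft cmdlet.
function Select-AuditRecordByAdminUnit {
    [CmdletBinding()]
    param(
        # Record shaped like Search-UnifiedAuditLog output (AuditData is a JSON string)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Record,

        # Administrative unit identifiers the report is allowed to include
        [Parameter(Mandatory)]
        [string[]]$AdminUnitId
    )
    begin {
        # GUID comparison should not depend on letter case
        $Allowed = [System.Collections.Generic.HashSet[string]]::new(
            [string[]]$AdminUnitId, [System.StringComparer]::OrdinalIgnoreCase)
    }
    process {
        try {
            $Data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop
        } catch {
            Write-Warning "Skipping record with unparsable AuditData"
            return
        }
        # Accounts outside every administrative unit produce no AssociatedAdminUnits
        $Units = @($Data.AssociatedAdminUnits | Where-Object { $_ })
        $Match = @($Units | Where-Object { $Allowed.Contains([string]$_) })
        if ($Match.Count -gt 0) {
            [pscustomobject]@{
                CreationDate = $Record.CreationDate
                UserIds      = $Record.UserIds
                Operations   = $Record.Operations
                MatchedUnits = $Match -join ','
            }
        }
    }
}

# Constructed sample records. The first GUID is the "Ireland" unit shown earlier
# in the article; the all-zero GUID is a placeholder for some other unit.
$Ireland = '112f5e71-b430-4c83-945b-8b665c14ff25'
$Other   = '00000000-0000-0000-0000-000000000001'
$SampleRecords = @(
    [pscustomobject]@{ CreationDate = '2024-08-20T09:15:00'; UserIds = 'user.a@contoso.example'
        Operations = 'FileAccessed'; AuditData = "{`"AssociatedAdminUnits`":[`"$Ireland`"]}" }
    [pscustomobject]@{ CreationDate = '2024-08-20T09:20:00'; UserIds = 'user.b@contoso.example'
        Operations = 'FileDeleted'; AuditData = "{`"AssociatedAdminUnits`":[`"$Other`"]}" }
    [pscustomobject]@{ CreationDate = '2024-08-20T09:25:00'; UserIds = 'user.c@contoso.example'
        Operations = 'UserLoggedIn'; AuditData = '{"Operation":"UserLoggedIn"}' }
    [pscustomobject]@{ CreationDate = '2024-08-20T09:30:00'; UserIds = 'user.d@contoso.example'
        Operations = 'MailItemsAccessed'
        AuditData = "{`"AssociatedAdminUnits`":[`"$Other`",`"$($Ireland.ToUpper())`"]}" }
)

# Only user.a and user.d are returned: their records reference the Ireland unit.
$SampleRecords | Select-AuditRecordByAdminUnit -AdminUnitId $Ireland

# Against a tenant, the same filter is applied to live results, for example:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5000 |
#     Select-AuditRecordByAdminUnit -AdminUnitId $Ireland
```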
The Benefits of Rationalizing License Management in the Microsoft 365 Admin Center
Decision to Rationalize License Management Not Popular
I think it’s fair to say that Microsoft’s decision to rationalize license management in the Microsoft 365 admin center has not met with universal approval. Among the complaints made are that license management in the Microsoft 365 admin center is slow, unwieldy, and lacks functionality when compared to the Entra admin center.
Some of the reaction is due to change. People don’t like change when they perceive it to be for no good reason. The argument advanced by Microsoft is that it makes more sense to collect all license management into a single console. Given that the majority of license management involves Microsoft 365 solutions, the Microsoft 365 admin center seems like the best place. What’s unsaid is that rationalization delivers reduced engineering, documentation, and support costs for Microsoft, none of which benefits the consumer. There’s no prospect of a reduction in Microsoft 365 license monthly fees due to a fall in Microsoft development costs.
Potential for Benefit
Even though I sympathize with those who dislike the change, the potential for benefit exists if Microsoft exploits the new focus on license management through the Microsoft 365 admin center to drive feature improvements. Hopefully, performance improves too. There’s nothing more annoying than waiting several seconds for a screen to display data when you know that better response is possible. The Entra admin center proves that greater alacrity can be achieved, and anyone who has worked with the Graph APIs for license management knows that the APIs are not slow.
The nature of cloud services is that customers don’t get to vote about the details of service delivery. Microsoft provides license management functionality. How they deliver that functionality and how quickly the UI responds is entirely up to the service provider.
Change in User and License Management Roles
Which brings me to message center notification MC810926 (last updated 15 August 2024) covering the enablement of the user administrator and license administrator roles to be able to process self-service license requests through the Microsoft 365 admin center. Previously, only those holding the global administrator role could process self-service license requests but the deployment of the change to enable the other roles should be complete worldwide by the end of August.
Microsoft says that the change brings consistency with the Azure portals (Azure, Entra, and Intune) where user and license administrators can already approve (or deny) requests. Of course, the fact that license management is rationalizing in the Microsoft 365 admin center has nothing to do with the change.
Of course, before anyone can process requests, administrators must enable products like Visio and Power BI Premium for self-service. As discussed in this article, many tenants use the infamous MsCommerce PowerShell module to manage the set of products permitted for self-purchase (or to disable all products). Microsoft 365 Copilot is the latest product (id CCFQ7TTC0MM8RS) to join the set.
According to message center notification MC853238 (6 August 2024), Microsoft plans to introduce a GUI (Figure 1) to allow tenant administrators to control self-service purchases and trials for individual products. Not having to use the dreaded MsCommerce module is good enough reason to welcome this capability.
Figure 1: GUI controls for self-service purchases in the Microsoft 365 admin center
Some Signs that Change Will Deliver for Administrators
As noted earlier, some don’t like to embrace change. It’s up to Microsoft to demonstrate that the rationalization of license management into the Microsoft 365 admin center is a good idea. Making sure that the Microsoft 365 admin center offers the same capabilities as the Entra admin center is mandatory. Introducing new functionality like the GUI to manage self-service license purchases and informing administrators when users make self-service purchases are two examples of how rationalizing around a single admin center makes the change better for all.
80 Vocational High School (SMK) Teacher Trainers from SMKs in NTT Ready to Improve Teaching Quality with Generative AI
Kupang, 18 July 2024 – Advances in artificial intelligence (AI) technology must benefit the people of Indonesia, including educators at vocational high schools (Sekolah Menengah Kejuruan, SMK) in the East Nusa Tenggara (NTT) region. In particular, the aim is for SMK teachers and students in this region to be able to make use of generative AI and compete better when entering the job market, amid competition with the other 149.38 million members of the national labor force (BPS, 2024).
Yayasan Plan International Indonesia (Plan Indonesia) held a Training of Trainers (ToT) attended by 80 SMK teachers from Kupang City, Lembata Regency, Timor Tengah Selatan Regency, Nagekeo Regency, and Manggarai Regency, both online and in person, on Thursday (18/07/2024). The activity is part of Plan Indonesia's employment and entrepreneurship program, AI TEACH, which is fully supported by Microsoft.
Dini Arifah, AI TEACH Project Manager at Plan Indonesia, explained that this ToT continues Plan Indonesia's ongoing efforts to improve NTT residents' access to digital jobs. “As an organization that has worked for more than 50 years in NTT, which is our main working area, Plan Indonesia hopes to use this opportunity to improve the capabilities of teachers and the job readiness of SMK students in NTT. The goal is for them to be able to compete in the era of digital industry 4.0,” said Dini at the opening of the ToT event in Kupang on Thursday (18/07/2024).
The AI TEACH ToT is organized through cooperation between Plan Indonesia and the NTT Education and Culture Office. The two institutions aim to reach 1,000 SMK teachers through cascading training and to reach around 60,000 SMK students in NTT by the end of 2024.
Ambrosius Kodo, Head of the NTT Education and Culture Office, welcomed Plan Indonesia's initiative to advance the quality of education in NTT, especially to reduce NTT's open unemployment rate, which reached 3.17 percent in 2024.
“We have of course been given intelligence and the room to make good use of technology, especially for the advancement of the education sector in NTT. With AI, everything will actually become easier. Educators and students alike must truly understand how to use AI for knowledge and career advancement, rather than seeing it as a threat,” said Ambrosius.
Meanwhile, Microsoft ASEAN Philanthropies Lead Supahrat Juramongkol said, “In line with Microsoft's mission to empower every person and every organization on the planet to achieve more, we are pleased to be able to accelerate the implementation of the AI TEACH program together with Plan Indonesia. Through the AI Generative Toolkit we have prepared, we hope not only to improve participants' career and educational opportunities, but also to help equalize access to digital education and encourage inclusive digital economic growth in NTT.”
The learning topics delivered through AI TEACH are generative AI skills in education, soft skills (job readiness), basic digital skills, Gender Equality and Social Inclusion (GESI), and awareness of risky behavior. All of this training is accessed through the AI Generative Toolkit module available on Plan Indonesia's kitakerja.id learning platform, complemented by additional material on the LinkedIn Learning platform.
In addition to providing initial training to the 80 teachers who will become trainers in NTT, the AI TEACH program by Plan Indonesia and Microsoft also aims to reach 5,000 SMK educators who will train 300,000 SMK students from across the country. The educators will also support at least 60,000 students in obtaining completion certificates from Microsoft and LinkedIn by the end of December 2024.