Bulk Assigning Customized licenses in Office 365 using Powershell

Introduction

Bulk assigning customized licenses in Office 365 using PowerShell is one of those rare asks that a customer can make based on their business and technical requirements. I have been working with many enterprise customers, and many of them come up with the same request: to assign licenses only for specific workloads in Office 365, as they prefer not to license any workload for which they haven’t done the planning and implementation according to their business and security requirements. I do support and highly recommend this approach, and it’s a best practice to make your services highly secure and controlled. If you have a customer with a few thousand licenses, then it’s not feasible to assign licenses via the Office 365 GUI, and bulk assigning customized licenses in Office 365 using PowerShell is the optimal method to achieve your goal.

This blog post is focused on customizing the E3 license to assign only the Exchange Online, Skype for Business, Azure Rights Management and Office ProPlus licenses to the user population.

Bulk Assigning Customized licenses in Office 365 using PowerShell

Bulk assigning customized licenses in Office 365 using PowerShell requires you to perform the following steps in PowerShell.

  • Log in to a machine that has the Windows Azure PowerShell module installed and launch the PowerShell console
  • Run the following cmdlet and enter your Office 365 Global Admin credentials in the prompt

$creds = Get-Credential

  • Enter the following cmdlet to connect to Office 365 PowerShell

Connect-MsolService -Credential $creds

  • Once you are connected with Microsoft Online Services, run the following cmdlet to get the AccountSkuId and SkuPartNumber

Get-MsolAccountSku |ft AccountSkuId,SkuPartNumber

  • Make a note of AccountSkuId and SkuPartNumber as we need these for our next step
  • Run the following cmdlet to get the status of your services provisioned. Use the SkuPartNumber that you received in previous cmdlet. As we are only working on E3 license, our SkuPartNumber is “EnterprisePack”

$ServicePlan = Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "EnterprisePack"}

  • Run the following cmdlet to check the status of service provisioning

$ServicePlan.ServiceStatus

Ignore the status of PendingActivation for Intune_O365 as we are not leveraging Intune in our infrastructure.

All service plans that come with the E3 license (EnterprisePack) are returned. As you can see, we have received the following services as part of our E3 license:

  • FLOW_O365_P2
  • POWERAPPS_O365_P2
  • TEAMS1
  • PROJECTWORKMANAGEMENT
  • SWAY
  • INTUNE_O365
  • YAMMER_ENTERPRISE
  • RMS_S_ENTERPRISE
  • OFFICESUBSCRIPTION
  • MCOSTANDARD
  • SHAREPOINTWAC
  • SHAREPOINTENTERPRISE
  • EXCHANGE_S_ENTERPRISE
  • Now that we have all the service plans available as part of our E3 license, the next step is to create a custom license SKU based on your requirements. In our current scenario, I was required to only allow Exchange, Azure Rights Management, Skype and Office ProPlus to end users. This is done by disabling the plans that we do not want to make available to end users. Run the following cmdlet to disable the undesired plans

$LicOptions = New-MsolLicenseOptions -AccountSkuId "365talk:ENTERPRISEPACK" -DisabledPlans FLOW_O365_P2,POWERAPPS_O365_P2,TEAMS1,PROJECTWORKMANAGEMENT,SWAY,YAMMER_ENTERPRISE,SHAREPOINTWAC,SHAREPOINTENTERPRISE

  • Once the license options are customized, you can proceed to apply the licenses to users

$AccountSkuId = "365talk:ENTERPRISEPACK"

$UsageLocation = "PK"

# The CSV file needs a UserPrincipalName column
$Users = Import-Csv "C:\Temp\users.csv"
$Users | ForEach-Object {
# A usage location must be set before a license can be assigned
Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation
Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId -LicenseOptions $LicOptions
}

  • Once the license is assigned, log in to Office 365, navigate to Users > Active users and search for the user account to which you have assigned a custom license. You will see that a customized E3 license with the desired workloads is assigned to the user, with the usage location set to Pakistan

This script and the sample CSV file are being uploaded to TechNet Gallery. You can download the script and modify the workloads based on your needs to bulk assign licenses to users leveraging PowerShell.
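
Any plan that is not named in -DisabledPlans is enabled, so a plan missing from the hard-coded list above ends up licensed. The following added example (not the author's TechNet Gallery script) derives the disabled list from an allow-list of the four approved workloads instead and records a per-user result; the function name Get-DisabledPlanList and the results file path are assumptions, and unlike the post's list this also disables INTUNE_O365.

```powershell
# Added example: build -DisabledPlans from an allow-list (deny by default).
# Assumes Connect-MsolService has already been run (MSOnline module).
$AccountSkuId  = "365talk:ENTERPRISEPACK"   # tenant SKU used in the post
$UsageLocation = "PK"
$CsvPath       = "C:\Temp\users.csv"        # needs a UserPrincipalName column
# Approved workloads from the post: Exchange Online, Skype for Business,
# Azure Rights Management, Office ProPlus.
$AllowedPlans  = "EXCHANGE_S_ENTERPRISE","MCOSTANDARD","RMS_S_ENTERPRISE","OFFICESUBSCRIPTION"

function Get-DisabledPlanList {
    # Hypothetical helper: returns every plan in the SKU that is not allow-listed.
    param([string[]]$SkuPlans, [string[]]$Allowed)
    $missing = @($Allowed | Where-Object { $SkuPlans -notcontains $_ })
    if ($missing.Count -gt 0) {
        # A typo in the allow-list would silently disable a wanted workload.
        throw "Allow-listed plans not present in SKU: $($missing -join ', ')"
    }
    @($SkuPlans | Where-Object { $Allowed -notcontains $_ })
}

$Sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
if (-not $Sku) { throw "SKU $AccountSkuId not found in this tenant." }

$SkuPlans   = @($Sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName })
$Disabled   = Get-DisabledPlanList -SkuPlans $SkuPlans -Allowed $AllowedPlans
$LicOptions = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $Disabled

$Results = foreach ($Row in Import-Csv $CsvPath) {
    $Upn = $Row.UserPrincipalName
    try {
        $User = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
        Set-MsolUser -UserPrincipalName $Upn -UsageLocation $UsageLocation -ErrorAction Stop
        if ($User.Licenses.AccountSkuId -contains $AccountSkuId) {
            # Already licensed: change only the plan options.
            Set-MsolUserLicense -UserPrincipalName $Upn -LicenseOptions $LicOptions -ErrorAction Stop
            $Status = "Updated"
        } else {
            Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $AccountSkuId `
                -LicenseOptions $LicOptions -ErrorAction Stop
            $Status = "Assigned"
        }
    } catch {
        $Status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ UserPrincipalName = $Upn; Status = $Status }
}
# Keep a record of what was changed for later review (assumed output path).
$Results | Export-Csv "C:\Temp\license-results.csv" -NoTypeInformation
```

Re-running the script after the SKU gains a new service plan disables that plan for every user in the CSV, because the list is recomputed from the tenant each time.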

 

Configuring Office 365 Preferred Language Settings

Introduction

Office 365 empowers organizations to use cloud-based services for their business to ensure anytime, anywhere access to corporate information. When you set up an Office 365 tenant for an organization with offices in different regions, you’re also required to empower your end users to set up their own preferred language settings in Office 365. For example, if you have a user in Japan, then his preference will be to use the Japanese language for his Office 365 portal instead of English. You can easily update language settings for users using PowerShell. How you do so depends on how the user identity is provisioned. If you have cloud-based identities, then you need to use Azure AD to modify the user account properties in Office 365. If you are using Azure AD Connect to sync on-premises Active Directory accounts with Office 365, then you have to update the settings in the local Active Directory.

Configuring Office 365 Preferred Language Settings for Cloud Identities

Configuring Office 365 language settings for cloud-based identities requires you to connect to Azure AD PowerShell. Perform the following steps to configure these settings.

  • Connect to Azure AD PowerShell using global admin credentials

PS C:\> Connect-MsolService

  • Run the following cmdlet to configure the preferred language settings for user pgarcia@msexperttalk.com to Urdu

PS C:\> Set-MsolUser -UserPrincipalName pgarcia@msexperttalk.com -PreferredLanguage "ur-PK"

  • To verify the language settings for the user account, run the following PS cmdlet

PS C:\> Get-MsolUser -UserPrincipalName pgarcia@msexperttalk.com | fl PreferredLanguage

Configuring Office 365 Preferred Language Settings for Synced Identities

When you are using synced identities with Office 365, you need to modify the on-premises user attribute in Active Directory to set up the preferred language in Office 365. To change the preferred language in Office 365 to Urdu for a user Phil, you need to set the “PreferredLanguage” attribute in the user account properties in Active Directory. By default, this attribute does not contain any value, and English is used as the default language.

  • To modify the individual user account properties, you can run the following PowerShell cmdlet.

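# Set-ADUser -Identity does not accept a UPN, so look the user up by UserPrincipalName first
Get-ADUser -Filter "UserPrincipalName -eq 'pgarcia@msexperttalk.com'" | Set-ADUser -Replace @{PreferredLanguage="ur-PK"}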

  • To update the preferred language attribute in a specific OU, run the following cmdlet.

Get-ADUser -SearchBase "OU=Test,OU=IT,DC=msexperttalk,DC=com" -Filter * -Properties PreferredLanguage | ForEach-Object {Set-ADUser $_.SAMAccountName -Replace @{PreferredLanguage="ur-PK"}}

  • To update the preferred language attribute of users in a specific domain, run the following cmdlet. It sets the attribute only for those users who do not have this attribute set.

#Set-AdServerSettings is an Exchange Management Shell cmdlet; it scopes Exchange cmdlets and does not affect Get-ADUser
Set-AdServerSettings -RecipientViewRoot "msexperttalk.com"
#Change language to ur-PK for all users with a setting of NULL in the MSExpertTalk.com domain
Get-ADUser -SearchBase "DC=msexperttalk,DC=com" -Filter * -Properties PreferredLanguage | where {$_.PreferredLanguage -eq $null} | Select SAMAccountName | ForEach-Object {Set-ADUser $_.SAMAccountName -Replace @{PreferredLanguage="ur-PK"}}

Preferred Language attribute settings will update the language for the following in Office 365.

  • Office 365 Default Landing page
  • General settings and menu
  • Office 365 Management portal
  • Video
  • Groups
  • OneDrive for Business
  • Delve
  • Office Online
  • Planner

To review a complete list of available language codes, please visit the Microsoft TechNet site.

Configuring Office 365 Modern Authentication

Introduction

Modern authentication in Office 365 leverages Active Directory Authentication Library (ADAL)-based sign-in to Office client apps. Modern Authentication allows administrators to enable features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.

Why do we need Modern Authentication?

Office 365 Multi-Factor Authentication (MFA) enables you to configure an additional layer of security for the user sign-in process to ensure data protection and minimize security risk. Users who are enabled for multi-factor authentication are required to configure an App Password in order to use Office desktop applications, including Outlook, Skype for Business, Word, Excel, PowerPoint and OneDrive for Business. An App Password is a 16-character randomly generated password that can be used with an Office client application as a way of increasing security in lieu of the second authentication factor. App passwords are randomly generated, and it's hard for end users to memorize them. Modern Authentication in Office 365 helps desktop applications use ADAL-based authentication and eliminates the need to memorize app passwords.

Modern Authentication requires a minimum of the Office 2013 client (15.0.4753.1001) installed on workstations.

By default, Office 2016 client apps are enabled for modern authentication and do not require any additional configuration on the client side. For Office 2013 client apps, registry keys need to be set on the end user's operating system to enable support for modern authentication. To enable modern authentication support on a Windows workstation running Office 2013 client apps, the following registry keys are required.

Configuring Modern Authentication for Office Apps

Modern authentication in Office 365 is enabled on a per-user basis for workloads in Office 365. By default, modern authentication is enabled for SharePoint Online, and you do not have to configure anything in SharePoint Online to enable it.

Configuring Exchange Online for Modern Authentication

Follow these steps to configure Exchange Online for Modern Authentication in Office 365.

Get-OrganizationConfig | ft OAuth*

  • To enable the modern authentication for Exchange online, run the following cmdlet

Set-OrganizationConfig -OAuth2ClientProfileEnabled $True

  • To verify that Modern Authentication is enabled for Exchange Online, re-run the Get-OrganizationConfig cmdlet

Configuring Skype for Business Online for Modern Authentication

Follow the steps to configure Modern Authentication for Skype for Business online in Office 365.

Get-CsOAuthConfiguration

  • To enable modern authentication for Skype for Business online, run the following cmdlet

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Once modern authentication is enabled for the Office 365 workloads and the client side is updated with the registry key for Office 2013 clients, the app password requirement is eliminated. MFA-enabled users will get the same experience during the authentication process as users who do not have MFA enabled on their account.

 

Disable Skype for Business IM History

What is Skype for Business IM?

Skype for Business IM is an efficient way to connect with your coworkers in real time. Instant messaging is much faster than a formal email or a phone call. You can send and receive IMs from anywhere in Skype for Business, based on your company federation policies, and improve employee productivity.

Skype for Business stores the IM history in the Outlook client (Exchange mailbox) under the Conversation History folder, which you can use to search for previous conversations when and if required. Recently I came across a scenario where I was asked to disable the Skype for Business IM history in Office 365. This was the first time I had heard such a request from a customer. I thought to share the steps with the community for their reference if they come across such a scenario.

Note: I do not recommend disabling Skype for Business IM history. You can use IM history for future reference or for compliance reasons if required.

Disable Skype for Business IM History

To disable Skype for Business IM History, follow the instructions mentioned below.

  • Run Windows Azure PowerShell as Administrator
  • Import LyncOnlineConnector Module

You need to download and install the Skype for Business Online module before you run the Import cmdlet. The module can be downloaded from Microsoft.

  • Connect with Skype for Business online. When prompted enter the global admin credentials of Office 365

  • Run the following cmdlet

$CSSession = New-CsOnlineSession -Credential $cred

  • Run the following cmdlet to import the Skype for Business Online session

Import-PSSession $CSSession -AllowClobber

  • Review the CsClientPolicy that has IMAutoArchiving and CallLogArchiving enabled
    • Get-CsClientPolicy | Where-Object {$_.EnableIMAutoArchiving -eq $False -and $_.EnableCallLogArchiving -eq $false}
  • Modify the CsClientPolicy to disable Skype for Business IM History
    • Grant-CsClientPolicy -PolicyName tag:ClientPolicyNoSaveIMNoArchivingNoIMURL -Tenant "TenantGUID"
  • Once you run the command, it takes about 4-6 hours to apply the policy. The last command will disable IM Archiving history for your tenant, so all the domains in the tenant and all users under all domains would get this policy applied.

Conclusion

Disabling Office 365 Skype for Business IM history is not recommended, as this can cause compliance issues for the organization. The Office 365 Security and Compliance Center provides you with the capabilities to search the IM history for compliance reasons as well. If your organization performs frequent eDiscovery and has compliance requirements, then it’s not advisable to disable Skype for Business IM history. I have seen this as a rare case where I was asked to disable Skype for Business IM history.

Configure Exchange 2013 Virtual Directories

When you’re working with more than one Exchange server, configuring Exchange virtual directories is always a concern. You can either manually configure each virtual directory on each server or use PowerShell cmdlets to configure the virtual directories. To ease your deployment, I’ve created a PowerShell script which will help you configure virtual directory URLs on all your Exchange 2013 servers within minutes. You only have to provide 3 inputs, the Internal URL, External URL and AutodiscoverServiceInternalURI, and the script will do the rest for you.

#       Author: Riaz Javed Butt
#       Date: 03-June-2015
#       Description: This script will help you configure your Exchange 2013 organization URLs

#Get all Exchange 2013 CAS servers
$Exchange2013Servers = Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer

#Get Internal & External URL

$CASInternalURL = Read-Host "Please enter your internal URL e.g. https://mail.contoso.com"
$CASExternalURL = Read-Host "Please enter your external URL e.g. https://mail.contoso.com"

#Get autodiscoverServiceURI

$AutoDServiceInternalURI = Read-Host "Please enter your autodiscoverserviceinternalURI e.g. https://autodiscover.contoso.com"
Write-Host "Thank you for providing Required URLs"

#Setting up AutodiscoverInternalServiceURI
Write-Host "Setting up Exchange AutodiscoverServiceInternalURI"
$Exchange2013Servers | Set-ClientAccessServer -AutodiscoverServiceInternalUri "$AutoDServiceInternalURI/autodiscover/autodiscover.xml"

#Setting up virtual Directories URLs
Write-Host "Setting up Virtual Directory Internal and External URLs"
$Exchange2013Servers | Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InternalUrl "$CASInternalURL/OWA" -ExternalUrl "$CASExternalURL/OWA"
$Exchange2013Servers | Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -InternalUrl "$CASInternalURL/ECP" -ExternalUrl "$CASExternalURL/ECP"
$Exchange2013Servers | Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "$CASInternalURL/ews/exchange.asmx" -ExternalUrl "$CASExternalURL/ews/exchange.asmx"
$Exchange2013Servers | Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalUrl "$CASInternalURL/oab" -ExternalUrl "$CASExternalURL/oab"
$Exchange2013Servers | Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -InternalUrl "$CASInternalURL/Microsoft-Server-ActiveSync" -ExternalUrl "$CASExternalURL/Microsoft-Server-ActiveSync"

#Verify URLs Configuration

#Re-query the servers: the objects in $Exchange2013Servers were read before the change and still hold the old URI
$Exchange2013Servers | Get-ClientAccessServer | fl Identity,AutodiscoverServiceInternal*
$Exchange2013Servers | Get-OwaVirtualDirectory | fl Identity,ExternalUrl,InternalUrl
$Exchange2013Servers | Get-EcpVirtualDirectory | fl Identity,ExternalUrl,InternalUrl
$Exchange2013Servers | Get-WebServicesVirtualDirectory | fl Identity,ExternalUrl,InternalUrl
$Exchange2013Servers | Get-OabVirtualDirectory | fl Identity,ExternalUrl,InternalUrl
$Exchange2013Servers | Get-ActiveSyncVirtualDirectory | fl Identity,ExternalUrl,InternalUrl

#######You can also run Michael Van Horenbeeck Exchange MVP PowerShell Script to generate a HTML based report of your URLs configuration.
####### Please go to http://www.vanhybrid.com and download the script get-virdirinfo.ps1 v1.6 and run as instructed

To run this script, open the Exchange Management Shell and run the script as shown below.

Once you run the script and provide the following 3 inputs, the script will configure everything for you on all Exchange 2013 servers.

  • First input is InternalURL: In my case it was https://mail.mstechtalk.com
  • Second input is ExternalURL: In my case it’s the same as the internal URL
  • Third input is AutodiscoverServiceInternalURI: I’ve configured that as https://autodiscover.mstechtalk.com

Once the configuration is completed, this script will give you the output of all configured virtual directories along with the new URLs, as shown below.

 

You can download this script from TechNet Gallery.

To generate an HTML-based report of Exchange 2013 virtual directory URLs, please run the PowerShell script by Michael Van Horenbeeck, which can be downloaded from http://www.vanhybrid.com.
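
The script above passes whatever is typed at the three Read-Host prompts straight into the Set-*VirtualDirectory cmdlets, so an http:// URL, a trailing slash or a pasted path ends up in the URLs published on every server. The following added example (not part of the author's script) validates and normalises a base URL before it is used; the function names Test-ExchangeBaseUrl and Read-ExchangeBaseUrl are hypothetical and the sample inputs are constructed.

```powershell
# Added example: validate a base URL before building virtual directory URLs from it.
function Test-ExchangeBaseUrl {
    # Returns the normalised URL (no trailing slash) or throws with the reason.
    param([Parameter(Mandatory)][string]$Url)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url.Trim(), [System.UriKind]::Absolute, [ref]$uri)) {
        throw "'$Url' is not an absolute URL."
    }
    if ($uri.Scheme -ne 'https') { throw "'$Url' must use https." }
    if ($uri.UserInfo)           { throw "'$Url' must not contain credentials." }
    if ($uri.AbsolutePath -ne '/' -or $uri.Query -or $uri.Fragment) {
        throw "'$Url' must be a bare host URL; the script appends /OWA, /ECP and so on."
    }
    # Rebuild from parsed parts so "$base/OWA" always has exactly one slash.
    if ($uri.IsDefaultPort) { "https://$($uri.Host)" } else { "https://$($uri.Host):$($uri.Port)" }
}

function Read-ExchangeBaseUrl {
    # Prompts until the operator enters a URL that passes validation.
    param([string]$Prompt)
    while ($true) {
        try   { return Test-ExchangeBaseUrl -Url (Read-Host $Prompt) }
        catch { Write-Warning $_.Exception.Message }
    }
}

# Constructed sample inputs showing what is accepted and what is rejected.
$samples = 'https://mail.contoso.com/', 'http://mail.contoso.com',
           'https://mail.contoso.com/owa', 'mail.contoso.com'
foreach ($s in $samples) {
    try   { "{0,-32} -> {1}" -f $s, (Test-ExchangeBaseUrl -Url $s) }
    catch { "{0,-32} -> rejected: {1}" -f $s, $_.Exception.Message }
}
```

In the script, each Read-Host call for $CASInternalURL, $CASExternalURL and $AutoDServiceInternalURI can be replaced with Read-ExchangeBaseUrl using the same prompt text.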
