Allow all users to see everyone’s calendar in an Office 365 environment

Yes you are right!. Setting this access right organization-wide is surely raises a major privacy concern specially when it comes to personal details (such as HR and Operation related events) in employee’s calendars.

Information-sharing

However, there can be exceptional scenarios where business decides what they need, such as the pandemic situation the whole world face right now (COVID-19) as every organization prepares to work from home and allow people to interact online in more efficient and effective ways. In my case, one of our top level client badly needed to enable everyone’s calendar visible to everyone in the company to allow people to efficiently get in touch.

This is possible and exchange online has the capability to do it, but, make sure you do it for an absolute purpose. In Exchange online, you can set the default internal sharing policy for Office 365 user’s calendars using PowerShell. You may decide to set the default for all current users to Limited Details, then add exceptions for users whose calendar is to be kept to Availability (Free/Busy) only. There are various roles to define as per your need.

The AccessRights parameter in the PS command below specifies the permissions that you want to modify for the user on the mailbox folder. The values that you specify replace the existing permissions for the user on the folder.

You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.

I am emphasizing again, DO NOT DO THIS Unless there is an absolute necessity.

For None-MFA environment (even though MFA is a fundamental and very common security requirement, there can be exceptional cases) – Amend the AccessRights parameter accordingly

$credentials = Get-Credential -Credential elliot@gcits.com.au

Write-Output “Getting the Exchange Online cmdlets”

$Session = New-PSSession -ConnectionUri https://outlook.office365.com/powershell-liveid/ `

-ConfigurationName Microsoft.Exchange -Credential $credentials `

-Authentication Basic -AllowRedirection

Import-PSSession $Session

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {

$cal = $user.alias+”:\Calendar”

Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer

}

For MFA environments

Preparation:

Run this to get the current state of all user mailboxes as exported to a CSV file. This will help on the verification later in case if you need to reverse this (Pre)

Connect-EXOPSSession

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {

$cal = $user.alias+”:\Calendar”

Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer

}

$file=”C:\Temp\Calendar-Post.csv”
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach($user in $usermailboxes) {
$cal = $user.alias+":\Calendar"
$perms = get-MailboxFolderPermission -Identity $cal -User Default
$Perms | select identity, Foldername, AccessRights | export-csv $file -append
}

Applying Access Rights:

Now let’s change the access right for all user mailboxes. Amend the AccessRights parameter according to your requirement (applied to all user mailboxes)

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {
$cal = $user.alias+”:\Calendar”
Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights AvailabilityOnly
}

If you wish to avoid an selected user mailbox (May be CEO’s ?), you can use the following (with the “userprincipalname” “–ne” parameters to add an exception)

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox | where userprincipalname -ne “mark@mantoso.onmicrosoft.com”) {
$cal = $user.alias+”:\Calendar”
Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights AvailabilityOnly
}

Connect-EXOPSSession

foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {

$cal = $user.alias+”:\Calendar”

Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer

}

$file=”C:\Temp\Calendar-Post.csv”
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach($user in $usermailboxes) {
$cal = $user.alias+":\Calendar"
$perms = get-MailboxFolderPermission -Identity $cal -User Default
$Perms | select identity, Foldername, AccessRights | export-csv $file -append
}

Verification:

To verify the result against a single user mailbox, you can run this line

Get-MailboxFolderPermission neil@mantoso.onmicrosoft.com:\calendar

Or run the following to get the result of all user mailboxes exported as a CSV file so it can be compared with the CSV you got before applying the change (Post)

$file=”C:\Temp\Calendar-Post.csv”
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach($user in $usermailboxes) {
$cal = $user.alias+":\Calendar"
$perms = get-MailboxFolderPermission -Identity $cal -User Default
$Perms | select identity, Foldername, AccessRights | export-csv $file -append
}

clip_image001Testing:

Now let’s see how this works after changing the permissions. Details wise, this is how it shown now (looking at Chnau’s Calendar from Manoj’s Mailbox)

Private Events in Chanu’s Calendar (Only the date/time and Subject)

clip_image002

None Private Events in the Chanu’s Calendar (Shown Items in detail)

  1. Subject
  2. Location
  3. Organizer
  4. Attachments
  5. Attendees and response status
  6. Date/Time 
clip_image004

Item opened in full window

clip_image006

Here’s the full list of roles available to set. You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.

Individual permissions:

  • CreateItems: The user can create items in the specified folder.
  • CreateSubfolders: The user can create subfolders in the specified folder.
  • DeleteAllItems: The user can delete all items in the specified folder.
  • DeleteOwnedItems: The user can only delete items that they created from the specified folder.
  • EditAllItems: The user can edit all items in the specified folder.
  • EditOwnedItems: The user can only edit items that they created in the specified folder.
  • FolderContact: The user is the contact for the specified public folder.
  • FolderOwner: The user is the owner of the specified folder. The user can view the folder, move the folder, and create subfolders. The user can’t read items, edit items, delete items, or create items.
  • FolderVisible: The user can view the specified folder, but can’t read or edit items within the specified public folder.
  • ReadItems: The user can read items within the specified folder.

The roles that are available, along with the permissions that they assign, are described in the following list:

  • Author:CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
  • Contributor:CreateItems, FolderVisible
  • Editor:CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
  • None:FolderVisible
  • NonEditingAuthor:CreateItems, FolderVisible, ReadItems
  • Owner:CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
  • PublishingEditor:CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
  • PublishingAuthor:CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
  • Reviewer:FolderVisible, ReadItems

The following roles apply specifically to calendar folders:

  • AvailabilityOnly: View only availability data
  • LimitedDetails: View availability data with subject and location

Reference – Set Mailbox Folder Permissions (Microsoft Docs)

A temporary alternative for message forwarding in Teams: Share to Outlook

Microsoft Teams currently doesn’t have the Forward chat option which sometimes makes it a little harder when you have to share a chat with someone else in the organization. There are valid use cases where we need to refer to a particular conversation in Teams and forward chat option would definitely be a handy add-in there. However, the new feature called “Share to Outlook” can also be used as a temporary alternative in such scenarios (not in all cases obviously).

In Teams, you now can forward a message embedded to an email. Let’s say i want to forward the following message to few people in my organization.

Annotation 2020-03-29 162651

To do this, I can simply hover to your desired conversation and click on the three dots.

clip_image002

And, click on “Share to Outlook” option from the dropdown list.

clip_image003

The send email flyout will pop up. Simply add the recipients and customize the subject or body as required and send it out.

clip_image004

This may not be a replacement for message forwarding but at least an temporary alternative for situations where you need it the most.

Allow Microsoft Teams owners to delete chats in channels

This sounds like it comes under moderation feature of Teams, but it’s not. If you are trying to configure Teams owners to allow deleting chats sent by other members, you are on the right place. Microsoft Teams has moderation features but this doesn’t falls under that setting.

image

To configure moderation for Teams, you can refer to my previous article which will walk you through the moderation configuration.

Let’s have a look at this scenario. As you can see below, Neil is a member of the “Project Delivery” team and he sent a few messages in the Linda Scope channel. Let’s think about a situation where some users post inappropriately in a channel and the Team owner would like to take it out immediately (when there is no moderation enabled). At this point, its fair that an owner might need the control to manage this.

clip_image001

By default, owners won’t be able to delete these messages from the channel. As the following screenshot elaborates, Manoj is the Team owner and he has no ability to delete the message.

clip_image002

Here are the owners of this channel (obviously, Manoj is an owner here)

clip_image003

To empower owners of this Team with delete permission, we can simply turn it on from the Message Policy. Login to Office 365 an administrator and head on to “Teams Admin Centre”

clip_image004

Navigate to “Messaging Policies”

clip_image005

By default, there is only one Messaging Policy which is “Global ORG Wide” policy. You can use this policy if you want every Teams owner should be granted (applies to all existing and upcoming Teams) with this privilege.

Note: If you are editing the Default Global policy, it might take a few hours to apply the changes (right now, 24-48 hours)

clip_image006

Just leave it as it is and create a new custom policy if you are looking to grant this for certain owners only.

clip_image007

Give it a meaningful name and a small description to recognize. And ensure the first switch (Owners can delete sent messages) is turned “ON

clip_image008

Once done, you should be able to see both policies listed down.

clip_image006[1]

Now let’s navigate to “Users” blade and click on the target administrator who you want to grant this privilege and navigate to policies in that profile (remember, you need to repeat this for every owner individually)

clip_image009

Click on the “Edit” link on the right pane and assign the custom policy under ” Messaging Policy” dropdown as shown below.

clip_image010

Give it a few minutes and check the same scenario. Log in as a member and try to post a new message then try to delete that by logging from Owners account (for testing, it is ideal to have two browser profiles and both users logged in side by side so you could monitor the behavior in real time).

As you can see from the following screen shot, Manoj can now delete this Neil’s message as an owner. Which means, the policy has applied to Manoj Successfully.

clip_image011

And if I needed, I still could Undo it so the message will restore

clip_image012

If you are editing the Default Global policy, it might take a few hours to apply the changes (right now, 24-48 hours)

Error when trying to open a OneDrive uploaded file from Outlook client application: The page that you are trying to access cannot be loaded

From the first look this error definitely sounds like “Office 365 ATP Safe links or Safe attachments” policy components blocking the files behind the scenes, but it’s not !. Well, it could be the same error in such scenarios but in my case, Safe Link or Safe Attachment policies were not the issue.

clip_image001

Scenario: Users trying to share content within the organization by uploading them to a OneDrive/SharePoint location chosen from the dropdown as attached to the Outlook email on the go.

Attach a file to email and upload it to OneDrive/SharePoint

clip_image002

Attach a file from SharePoint/OneDrive

clip_image003

Once added the cloud based file to the mail, this is how it looks. Then send it out

clip_image004

Emails are smoothly delivered to the recipients however, when they try to open them (by simply clicking on the URL), recipients get the above error (The page that you are trying to access cannot be loaded)

This happens only when:

  • Users use desktop application of Outlook (not happening in OWA, files are accessed in OWA without an issue)
  • Or, Attached the file in to OneDrive or SharePoint as shown below (not happening when file URL is pasted to Outlook email)

The environment had Office 365 ATP safe link and Safe attachment policies implemented properly. And the exceptions are added to trusted partners across the globe for this company (as a multi-national)

clip_image005

clip_image006

clip_image007

clip_image008

Resolution: Due to the criticality of this organization-wide behavior, I worked with Microsoft Support team towards a fix and here’s what we did.

We ran a fiddler session while opening the file from both OWA and Client App and reviewed the recording – OWA is working fine while outlook not able to access the wrapped URL. It looked like outlook API used for calling ATP is not functioning well.

Microsoft further analyzed by collecting below information and then engaged the Product Group:

  • Collect fiddler trace for both OWA and Outlook to make comparison
  • Copy the Wrapped URL from OWA and Outlook
  • Collect the corresponding message sample

As of now, Microsoft Product Group for ATP have not identified if it is a misconfiguration or product related bug, however, I receive constant responses stating that they are actively working towards a resolution. I will update this space as soon as I hear anything applicable towards a resolution/ETA.

Workaround: The only workaround for this is to request users to make use of Outlook Web whenever a file needs to be opened that is received via an email.

Legitimate emails (Including Internal Emails) get constantly quarantined in Office 365 Exchange

Sometimes emails hit the Quarantine state because the message is spam-ish or potentially malicious to be delivered to the end user (Admin quarantined). Usually when end users notify you regarding the legitimate email being quarantined, review section in Office 365 (https://protection.office.com/threatreview ) protection blade will help you to retrieve, review and release those legitimate messages to intended users. However, I faced an abnormal situation of “Internally shared emails were frequently quarantined for no valid reason”. And, they had no suspicious behavior/trend.

clip_image001

Whenever there is a legitimate email being quarantined, we can fetch it from the review section. Simply by typing the sender address or subject line will sort the message and allow us to review it and then take the necessary action.

clip_image002

These messages below are obvious Malwares and Phish. So this is not my concern at all ! O365 security is doing a great job here catching hundreds of malicious items daily !!

clip_image003

But how about these two cases?

  • Legitimate/genuine mails are admin quarantined – from a trusted partners or external vendors/customers being regularly admin quarantined even without reaching to end user spam folder?
  • Even internal emails shared within the organization being admin quarantined?

Workarounds?

Whitelisting won’t fix this – Filling up your whitelist is not a good idea as “Whitelisting” and address or domain means, it will completely bypass the spam filter which is an obvious risk.

On the 1st case, the external domain is a very valid domain with a valid SPF and email content didn’t seem to match any suspicious trend policy. I can simply go ahead and release these messages if this happens occasionally but that’s not the best practice in this modern era. Adding these internal addresses is not recommended either (you should not add your own domain/emails to whitelist in Exchange online) .

Resolution?:

Bottom-line is, those emails are marked as Phishing meaning that there’s a link somewhere in that email that’s broken and doesn’t go where it states it should. However, as I submitted these emails to Microsoft and raised a support ticket, I was informed that this is an issue Microsoft Spam team/product group is currently working diligently to fix this issue soon. Hence at this point of time, it is a waiting game and just a matter of baring with them during the process.

ETA: None as of now

I will update this post as soon as I receive a progress update from Microsoft support.

Blocking spam senders and domains in Office 365

Security is a one of the most significantly improved areas of Microsoft Office 365. If you are using Exchange Online mailboxes under your Office 365 tenant or a consumer of standalone exchange online protection (EOP), your emails are protected either way.

How_to_Block_Spam_Emails

Exchange online protection (a.k.a EOP) Is part of the Microsoft’s email safety roadmap which constantly evolves in a unmatched cross-product approach. As email usage has rapidly grown, so has the email security concerns. The idea behind EOP is to provide a range of comprehensive abilities in order to protect millions of users from Junk, phishing (fraudulent mail threats) and malware attacks which are some of the well-known types of email related abuses.

Exchange Online however, has the built in ability to protect you from many threats. Nevertheless, there could be some scenarios that you need to manually handle as an Exchange/Office 365 Administrator. The following article will show you on how to prevent receiving spamming emails from a specific address, domain because, there can be rare cases that one or few emails able to get through EOP and hit the user mailbox (again, very rarely).

In my case, it was the following email which arrived in few user mailboxes (looked obviously spam and the user immediately reported to me). At this point, we can make use of “Blocked Sender List” in Exchange to prevent this happening again. And, as EOP spam filtering learns from known spam and phishing threats and user feedback, it’s a great idea to submit these kind of messages to Microsoft so that they will use it to train the AI based component behind the EOP.


From: Sonia Luton <staffprojectz@post.cz>

Subject: Project

[EXTERNAL EMAIL]

Hi Melina,

There is something i need you to do for me. Let me know if you are available. I am going into a meeting with a limited access to phone calls, just reply my email and i will get back to you.

Thanks,

Sonia


So the address is staffprojectz@post.cz and the domain is post.cz. From Office 365 Exchange Admin Centre, navigate to Exchange admin center and “Protection” –> “Spam Filter” . Click on the “default policy”

clip_image001

The following flyout will be opened. Navigate to “Blocked lists”

clip_image002

Click on the + icon to add a new blocked sender and insert the desired address.

clip_image003

Then let’s add the domain too for blocking.

clip_image004

Once added, the domain will be in the blocked list and Office 365 will entirely block any emails from this domain.

clip_image005

Save it and monitor your email traffic time to time to identify if it’s being blocked.

clip_image006

Microsoft Teams getting more features in early 2020 (cool stuff to be rolled-out)

Microsoft Teams has recently hit 20M users and now undoubtedly one of the highest used productivity apps in the market. Not only the enterprises but also government and education sectors rapidly adopting Teams for their daily communication and collaboration needs as this simple handy tool is very effective and efficient.

microsoft-teams-banner

Teams get even better this year with more new features planned to be rolled out. Let’s have a sneak peak at the highlighting ones.

1. Multi Window

A fantastic new feature which allows you to be more efficient specially during those meetings where you struggle to switch across. Multi-window experience is something critical for productivity apps such as Teams and its now scheduled to roll-out in early this year. Definitely the most awaited one for me personally as a heavy Teams user (in fact I never close Teams interface)

2. Private Channels

All teams are split up into channels, private channels allow you to have a private space within your team only visible to the people you gave permission to.

3. Message extensions

Another great addition to Teams. You can now easily start polls and surveys from the chat window and meetings, so you can have real-time feedback and answers from the audience just within Teams.

4. Pinned channels

With Pinned channels, you can pin your most-used or favorite channels and easily find them in the top left corner of the Teams interface.

5. Share to Teams – Outlook Integration

A Share to Teams button is now available on Outlook, you can also reply to Team conversations within Outlook.

6. Whiteboard Integrated

During a Teams meeting, with this new feature, you can open the Whiteboard and take notes as well as inviting people to the board after the meeting which would be a great addition for Teams rather than using other tools.

7. Live Captions

As participants are speaking in Teams meetings, their words will be captured in real time and appear underneath, so people can easily follow along by reading in a particular language.

8. Tasks Integrated

One of those many integrations coming in early 2020, Tasks will now be right within your Teams interface. You can access your Microsoft To Do, Outlook and Planner tasks all in one window from Teams and you can also choose the view that works for you among boards, lists, charts, and schedules.

Identifying the creator of an Microsoft Team (Who created this Team)

This really sounds like its available out of the box right there in the group’s metadata column, apparently its not. You can see who the current admin is, but not the original creator (although usually that is probably the same). In PowerShell there is a property for “Created On” but no “Created By“.

magnifying-find-agent-lw

In my case, I had to find out the creator of a specific Microsoft Team but Teams didn’t have the metadata of the Creator so the only way to find out seemed by tracing the Office 365 Audit Logs.

Office 365 Audit Logs can get you plenty of information which you can’t observe directly from the workload UI or PowerShell.

First and foremost, in order to extract the logging details, Audit Log capability must be running in your tenant.

audit

Use this command via PowerShell to enable it if you haven’t. And, after enabling you must wait for a while to allow the logs analytics component to record the logs (won’t be available immediately)

Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Detailed information of enabling/disabling Auditing in Office 365 is right here – https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide

Searching for activities (Teams Creation in this case)

Head on to protection.office.com and navigate Search –> Audit Log Search

log search

Created Team” log activity is available under Microsoft Teams category in the Audit Log. You can simply type “Teams” to get the category and choose the event type underneath it.

created

Define the time period, select the activity type and search –> And there is it ! I now have the details I was looking for.

Team0This simply allow us to see the creation details of any Team within this tenant.

Team1

Moving Microsoft Teams Data Location

If you are a existing Office 365 customer who have been waiting Microsoft to allow you to move your Teams data location, It’s now time to do it.

Multi-GEOwAREZAF

Office 365 now allows you to decide where your Teams data residency should be. We have noticed that most of our clients got their Data residency set to Australia as the data region.

Microsoft now offer existing O365 customers listed in the following table an option to request early migration of organization’s core customer data at rest to their new datacenter geo.

data able

Changing the geo location is completely taken care by Microsoft behind the scene. You as a customer, only have to opt-in to allow Microsoft to do this in the backend (despite your request, this will anyway happen eventually) and the change is seamless with no user interaction, interruption.

To see your current data location for each workload, go to Office 365 Admin center –> Settings –> Settings –> Organization Profile

image

image

Navigate to Data Location to see where your data currently resides

image

Switch to Data Residency and “check the tick box” below to opt-in. You will not see this option if:

  • Your tenant is not eligible for the Office 365 Move Program. Eligibility is determined by tenant signup country.
  • All of your core customer data at rest is already located in the new geo (see Data Location section of the page).

image

And wait for a few months as advised in the notification. Microsoft will notify you stage-wise in the Office 365 Message center when the activity is being actioned or completed.

image

Note: The information on this page only applies to customers who had existing Office 365 tenants before the new datacenters in their geo launched.

More details are here – https://docs.microsoft.com/en-us/Office365/Enterprise/request-your-data-move

Change default File Open Behavior of SharePoint Online

The default option in SharePoint online to open files stored in document libraries is “Open in Browser”. You can leave it like that as long as you don’t have an specific requirement to change this behavior.

In some cases, end users prefer to open file by client application due to many reasons and they are fair reasons, mostly.

  1. Client application offers rich capabilities which allows users to get things done effectively and efficiently
  2. Some organizations using SharePoint as the central document management platform across the entire company. At this point they might prefer to have the files opened by client application as default.

There are various ways to enable this functionality which impact different levels.

  1. Document library level
  2. Single site collection level
  3. Across the entire tenant

If you’d like to set a specific document library to open files in client application by default. Simply log in to your SharePoint online tenant, direct to the desired library and select the radio button under the Advance Settings as you wish (This overrides the setting applied at site collection level and open documents in client application instead of browser)

Navigate to the Document Library –> Click on Settings gear –> Library Settings from the menu.

Under General Settings –> Click on “Advanced Settings”

clip_image001

To enable this for a specific site collection (applies for the entire collection unless you have chosen from individual libraries manually as shown in the screenshot above to opt out)

To do this for an specific site collection, we have to activate a site collection level feature. Simply log in to your SharePoint online tenant, direct to the desired site.

Go to Site Settings –> Site Collection Features

Click on “Activate” button next to “Open Documents in Client Applications by Default” feature

clip_image002

You can use the following PowerShell script to do get the same thing done in a bulk mode across all site collections in the tenant (ORG WIDE).

This is a SharePoint PnP PowerShell script which uses an CSV file as the source for site names.

  1. First you have to get all the site URLs exported from the SharePoint Admin Centre in Office 365 Admin Portal
  2. Then save it as an CSV file and point this script to that file (Change the CSV path in the script)

Your CSV should look like this (Site URLs separated in to individual columns, not rows. If you are having hard time getting this format, it’s quite easy, use the Transpose feature under Paste special)

clip_image001[1]

Note: Obviously, this script will only cover the existing site collections of your tenant. For any upcoming new site collection created after running this has to enable it manually again.

clip_image003

$username = Read-Host "Provide the username"
$password = Read-Host -Prompt "Password for $username" -AsSecureString
$O365credential = New-Object PSCredential($userName,$passWord)

# Chnage CSV path here
$site = Import-csv C:\Official\Tools\remain.csv

Foreach ($URL in $site.URL)
{
try {
    Connect-PnPOnline -Url $URL -Credentials $O365credential

    Write-Host "Connected to " $URL 
    Write-Host "Enabling features on" $URL 

	# Enter Feature Id & scope

    Enable-PnPFeature -Identity 8a4b8de2-6fd8-41e9-923c-c7c3c00f8295 -Force -Scope Site

    Write-Host "Disconnecting from " $URL 
    Disconnect-PnPOnline    
    }
    Catch 
    {
    Write-Host "Got error" $error
    }
}
Write-Host "Completed"