Get to know Microsoft 365:

Yep, you read it correctly: it is not Microsoft Office 365, it is Microsoft 365. By saying so I don't mean that Office 365 is going away or getting renamed to Microsoft 365. Microsoft 365 is a new offering which Satya Nadella introduced two days back at Microsoft Inspire; it brings together Office 365, Windows 10 and Enterprise Mobility + Security (EMS) to deliver a complete, intelligent and secure solution for employees. Most of you would already have read about it today; if not, please take a moment to read this article, where I explain what Microsoft 365 is, what services it delivers and how it can help your business.

  1. What is Microsoft 365?

As mentioned above, Microsoft 365 is a new offering, introduced by Microsoft two days back, which brings together Office 365, Windows 10 and Enterprise Mobility + Security.

  2. Is this something new or was this service already present?

To be precise, this isn't entirely new: it is the successor of Secure Productive Enterprise (SPE), which Microsoft introduced in October 2016.


  3. What happens to Secure Productive Enterprise now?

Going forward, Secure Productive Enterprise is replaced by Microsoft 365.

  4. Do we have different flavors in Microsoft 365 as well, like Secure Productive Enterprise?

Yes, Microsoft 365 comes in two flavors: 1. Microsoft 365 Business, meant for small and medium-sized organizations, and 2. Microsoft 365 Enterprise, meant for large organizations.

  5. What are these two flavors meant for and how can they enhance my business?

Microsoft 365 Enterprise:

  1. Unlocks creativity by enabling people to work naturally with ink, voice and touch, all backed by tools that utilize AI and machine learning.
  2. Provides the broadest and deepest set of apps and services with a universal toolkit for teamwork, giving people flexibility and choice in how they connect, share and communicate.
  3. Simplifies IT by unifying management across users, devices, apps and services.
  4. Helps safeguard customer data, company data and intellectual property with built-in, intelligent security.

Microsoft 365 Business:

  1. Helps companies achieve more together by better connecting employees, customers and suppliers.
  2. Empowers employees to get work done from anywhere, on any device.
  3. Protects company data across devices with always-on security.
  4. Simplifies the set-up and management of employee devices and services with a single IT console.

  6. How about the plans for Microsoft 365?

Microsoft 365 Enterprise is available in two plans, Microsoft 365 E3 and Microsoft 365 E5.

  7. When would Microsoft 365 be made available to the public?

Microsoft 365 Enterprise will be available for purchase from August 1st, 2017 onwards, in both plans (E3 and E5).

Microsoft 365 Business will be available in public preview on August 2nd, 2017. It will become generally available on a worldwide basis in the fall of 2017, priced at US $20 per user, per month.

  8. How do I get to know more about the services and features available in both flavors of Microsoft 365?

Please go through the links below to know more about the features and services available in both flavors.

For Business: https://www.microsoft.com/en-us/microsoft-365/business

For Enterprise: https://www.microsoft.com/en-us/microsoft-365/enterprise

Thanks for reading the post. Good luck with Microsoft 365.

 

PowerShell to on-board a list of users to Office 365 and assign them Office 365 licenses:

Office 365 is a SaaS platform used by many organizations these days, and on-boarding users to it manually is tedious for IT administrators. Of course, this is not a concern when your user identities are synced to Azure AD from on-premises AD using the Azure AD Connect tool. However, if your organization has retired its on-premises infrastructure and gone entirely to the cloud, then you as an IT administrator have to create your users directly in Azure AD. Doing that by hand, and then assigning the appropriate licenses to each user, is time consuming, so to avoid that manual effort I've put together the PowerShell script below. Alright, let's get into the details.

1. Sign in to your Office 365 admin center and navigate to the "Active users" section as shown in the image below. I used a global admin account here; for routine on-boarding, an account holding a scoped role such as User Administrator, which can create users and assign licenses, is the better choice under least privilege.


2.At this moment, you might see only the user account which was used to set-up the Office 365 tenant.

Note: In my case you see 3 users because I created them manually using the "Add a user" option.

3. Create a CSV file with the details of all your users by following the guidelines in this article. The screenshot below shows the CSV file I prepared with the list of my users; note that the column headers must match the property names the script reads ($_.UserPrincipalName and $_.DisplayName).


4. Once done, open a PowerShell window and run Get-MsolAccountSku as shown in the image below. It lists the license SKUs in your tenant (AccountSkuId) and how many seats of each are active and already consumed.


Note: In my case you can see that my tenant is on the Office 365 Enterprise E5 plan plus EMS (Enterprise Mobility + Security), and the output also shows how many licenses have been consumed so far.

5. Prior to running the above command, please ensure that you're connected to your Office 365 tenant via PowerShell (Connect-MsolService). If not, follow the article below first.

https://technet.microsoft.com/library/dn975125.aspx

6. Now, let’s specify the required variables for the PowerShell script.

```powershell
# Users to create, read from the CSV prepared in step 3
$UsersToAdd = Import-Csv C:\Users\Vignesh\Documents\Import_User_Sample_en.csv

# License SKU to assign; take the AccountSkuId value from the Get-MsolAccountSku output in step 4
$LicenseToAdd = "sptech80:ENTERPRISEPREMIUM"

# A usage location is mandatory before a license can be assigned
$UsageLocation = "US"

# License options object for the chosen SKU (all service plans enabled)
$LicenseOptions = New-MsolLicenseOptions -AccountSkuId $LicenseToAdd
```


7. Once you're done specifying the required variables, run the PowerShell loop below as shown in the image.

```powershell
$UsersToAdd | ForEach-Object {
    # Create the account (New-MsolUser generates a temporary password when none is supplied)
    New-MsolUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName

    # Set the usage location, which is required before a license can be assigned
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation

    # Assign the license
    Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $LicenseToAdd -LicenseOptions $LicenseOptions
}
```


8. As shown in the image above, the users get created as the script runs, and the isLicensed column in the output shows "False". That is expected: the object New-MsolUser prints is captured before Set-MsolUserLicense runs, so it does not yet reflect the license. There's no need to worry about the isLicensed column at this point. Also note that the same output includes the auto-generated temporary password for each account, so treat the console output (and any transcript of it) as sensitive.

9. Verify the users and the licenses assigned to them by running Get-MsolUser; this time IsLicensed should be True.

10. Additionally, you can also navigate to the “Active users” section to verify the same.
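Here is a hardened version of the same on-boarding routine, added as an example for this post; it is not the script above or anything from Microsoft's documentation. It assumes the MSOnline module is installed and Connect-MsolService has already been run, a CSV with UserPrincipalName, DisplayName, FirstName and LastName columns at a hypothetical path, and a hypothetical SKU name. Before creating anything it checks that the SKU exists and has enough free seats, skips accounts that already exist, forces a password change at first sign-in, and writes the generated temporary passwords to a file instead of echoing them to the console. Note that Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell; the checks carry over, the cmdlet names do not.

```powershell
# Added example (not the original post's script): bulk on-boarding with the
# checks a practitioner wants before touching a production tenant.
# Assumes: MSOnline module installed, Connect-MsolService already run, and a CSV
# with UserPrincipalName, DisplayName, FirstName, LastName columns.
$CsvPath       = 'C:\Onboarding\NewUsers.csv'           # hypothetical path
$ResultPath    = 'C:\Onboarding\Onboarding-Result.csv'  # hypothetical path
$AccountSkuId  = 'contoso:ENTERPRISEPREMIUM'             # hypothetical SKU; copy yours from Get-MsolAccountSku
$UsageLocation = 'US'
$DisabledPlans = @('YAMMER_ENTERPRISE')                  # service plans to leave off (example)

# 1. Fail early if the SKU does not exist or there are too few free seats.
$users = @(Import-Csv -Path $CsvPath)
$sku   = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
if (-not $sku) { throw "SKU '$AccountSkuId' not found in this tenant." }
$free = $sku.ActiveUnits - $sku.ConsumedUnits
if ($free -lt $users.Count) {
    throw "Only $free free seat(s) on $AccountSkuId but $($users.Count) users to license."
}
$licenseOptions = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $DisabledPlans

# 2. Create and license each user, recording the outcome per account.
$results = foreach ($u in $users) {
    $upn = $u.UserPrincipalName.Trim()
    try {
        # Skip accounts that already exist instead of failing half-way through the CSV.
        $existing = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if ($existing) {
            [pscustomobject]@{ UPN = $upn; Status = 'AlreadyExists'; IsLicensed = $existing.IsLicensed; TempPassword = '' }
            continue
        }
        # New-MsolUser generates the initial password when -Password is omitted and
        # returns it on the output object; keep the object, do not print it.
        $created = New-MsolUser -UserPrincipalName $upn `
                                -DisplayName $u.DisplayName `
                                -FirstName $u.FirstName -LastName $u.LastName `
                                -UsageLocation $UsageLocation `
                                -ForceChangePassword $true
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $AccountSkuId -LicenseOptions $licenseOptions

        # Re-read the account: the object returned by New-MsolUser predates the license assignment.
        $after = Get-MsolUser -UserPrincipalName $upn
        [pscustomobject]@{ UPN = $upn; Status = 'Created'; IsLicensed = $after.IsLicensed; TempPassword = $created.Password }
    }
    catch {
        [pscustomobject]@{ UPN = $upn; Status = "Failed: $($_.Exception.Message)"; IsLicensed = $false; TempPassword = '' }
    }
}

# 3. Temporary passwords go to a protected file for out-of-band hand-over; delete it after use.
$results | Export-Csv -Path $ResultPath -NoTypeInformation
$results | Select-Object UPN, Status, IsLicensed | Format-Table -AutoSize
```

The result file is the only place the temporary passwords land; the console shows status and licensing only, so a transcript or screenshot of the session does not leak credentials.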


Thanks for reading this post ….Good luck with Office 365 !!!

When to perform a Search full crawl in SharePoint 2013?

Search is a mission-critical component in SharePoint 2013, and it is important that it functions properly so that users get the results they expect. As we all know, the freshness and relevance of search results depend directly on how often your content sources are crawled and what kind of crawl you run in your farm (full, incremental or continuous). In this post I'm not going to discuss the different crawl types or the SharePoint 2013 search architecture; instead I'll cover when, and under what circumstances, a SharePoint administrator should run a full crawl. I picked this topic because I see a lot of misconception among SharePoint administrators about when a full crawl is required. I've seen many folks start a full crawl when it isn't needed at all. Before doing so, understand that a full crawl consumes a lot of server resources and, in the worst case, can leave your SharePoint farm unresponsive, so it should be run only when it's required.


Alright, let’s get into the details ….

Listed below are the reasons why, and the circumstances under which, a SharePoint farm administrator should perform a full crawl:

1. You just created a new Search service application and the default content source (Local SharePoint sites), which is created along with it, hasn't been crawled yet.

2. You recently added a new content source and it hasn't been crawled yet. (Note: this applies to all content source types: Local SharePoint sites, file shares, Exchange public folders and external line-of-business data.)


3. A change has been made to an existing content source (for example, you edited its start addresses).


4. When you patch your SharePoint 2013 farm by installing a cumulative update, service pack or hotfix. I see a lot of confusion on this point, because it raises the question of why a full crawl should be performed after patching. The reason is simple. If you read my article on patching a SharePoint farm you'll notice a step where you suspend the search crawl before patching. When you check the crawl schedule before patching there may be no crawl running, but if a scheduled crawl is triggered during the installation the search application may crash or produce inconsistent results; in the worst case you might end up rebuilding the entire search application. Hence, as a best practice, suspend the Search service application before patching your farm, resume it once patching is done, and then run a full crawl.


5.When changes have been made to managed properties in search. A full crawl of all affected content sources is required for the new or changed managed property to take effect.


6. You want to detect security changes made to local groups on a file share after the last full crawl of that file share.


7. The incremental crawl keeps failing. If an incremental crawl fails many consecutive times for an item, the system removes the affected content from the search index. In that case, look at the crawl log, identify and fix the issue, and then run a full crawl so that the failed content is added back to the index.

8. You have changed the crawl rules (added, deleted or modified a crawl rule).


9. Your search index is corrupted. You need to reset the search index and then run a full crawl. Please check my article on search index reset to understand how to perform one and under what circumstances you should.


10. The permissions given to the default content access account have been changed.

11. Apart from the above, the system itself performs a full crawl, even when an incremental or continuous crawl is scheduled, under the following circumstances:

   a) The SharePoint administrator stopped the previous crawl.

   b) A content database was restored, or a farm administrator detached and reattached a content database.

   c) A full crawl of the content source has never been done from this Search service application.

   d) The crawl database does not contain entries for the addresses being crawled. Without entries in the crawl database for the items being crawled, incremental crawls cannot occur.
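The following PowerShell, added here as an example and not part of the original post, turns the list above into something you can run in the SharePoint 2013 Management Shell: it reports, per content source, whether a crawl has ever completed and whether one is running right now, starts a full crawl only on idle content sources you name, and wraps a patch step in the suspend/resume sequence from point 4. It assumes a single Search service application in the farm, and it treats a CrawlCompleted value of DateTime.MinValue as "never crawled", which is an assumption about the API that you should verify in your own farm before relying on it.

```powershell
# Added example (not from the original post): decide whether a full crawl is
# actually needed and handle search correctly around a patch window.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa = Get-SPEnterpriseSearchServiceApplication   # assumes exactly one SSA in the farm

# Per content source: has it ever completed a crawl, what is running now, how many high-level errors.
function Get-CrawlReport {
    param($SearchApp)
    Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $SearchApp | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            Type          = $_.Type
            CrawlStatus   = $_.CrawlStatus      # Idle, CrawlingFull, CrawlingIncremental, ...
            # Assumption: CrawlCompleted stays at DateTime.MinValue until a crawl has completed.
            NeverCrawled  = ($_.CrawlCompleted -eq [datetime]::MinValue)
            LastCompleted = $_.CrawlCompleted
            HighErrors    = $_.LevelHighErrorCount
        }
    }
}

# Start a full crawl only on the named content sources, and only if nothing is already running there.
function Start-FullCrawlIfIdle {
    param($SearchApp, [string[]]$ContentSourceNames)
    foreach ($name in $ContentSourceNames) {
        $cs = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $SearchApp -Identity $name
        if ($cs.CrawlStatus -ne 'Idle') {
            Write-Warning "'$name' is already crawling ($($cs.CrawlStatus)); not starting a full crawl."
            continue
        }
        $cs.StartFullCrawl()
        "Full crawl started on '$name'."
    }
}

# Patch-window sequence from point 4: suspend search, patch, resume, then full crawl.
# The finally block makes sure search is resumed even if the patch step throws.
function Invoke-PatchWindowSearchSequence {
    param($SearchApp, [scriptblock]$PatchStep, [string[]]$ContentSourceNames = @('Local SharePoint sites'))
    Suspend-SPEnterpriseSearchServiceApplication -Identity $SearchApp
    try     { & $PatchStep }          # install the CU and run PSConfig here
    finally { Resume-SPEnterpriseSearchServiceApplication -Identity $SearchApp }
    Start-FullCrawlIfIdle -SearchApp $SearchApp -ContentSourceNames $ContentSourceNames
}

Get-CrawlReport -SearchApp $ssa | Format-Table -AutoSize
# During maintenance, for example:
# Invoke-PatchWindowSearchSequence -SearchApp $ssa -PatchStep { Write-Host 'install CU and run PSConfig here' }
```

Run Get-CrawlReport first and start a full crawl only where one of the eleven reasons above applies; a content source that is mid-crawl is skipped rather than interrupted, because stopping a crawl is itself one of the triggers for the next crawl to become a full one.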

Thanks for reading this post. Happy SharePointing!!!

Demystifying MinRole in SharePoint Server 2016:

MinRole: I hope everyone would agree with me when I say that "MinRole" has become a buzzword among SharePoint folks ever since Microsoft released SharePoint Server 2016. I have personally read many articles and blogs and watched videos to understand MinRole in detail and how to use it. Still, there were times when I couldn't fully understand it, and I had to work with several SharePoint experts in the industry to learn what MinRole is and how it works. I can still sense uncertainty among some SharePoint folks about MinRole and how to use it. Hence, in this article I'll explain the following points in detail:

  1. What is MinRole?
  2. How to deploy a SharePoint 2016 farm using MinRole topology?
  3. Different server roles in MinRole
  4. Different type of MinRole topologies
  5. MinRole -Before and after Feature Pack 1
  6. The benefits of using MinRole
  7. MinRole Administration
  8. MinRole compliancy
  9. Opting out of MinRole
  10. How/where to deploy 3rd party apps while using MinRole?


Alright, so let’s get started …

  1. What is MinRole?

To put it in very simple words, MinRole is a new farm topology based on a set of predefined server roles which got introduced in SharePoint Server 2016. Unlike the old traditional SharePoint farm topologies where you add a server to a farm and then configure it, here you can select the role of a server when you create a new farm or join a server to an existing farm and SharePoint will automatically configure the services on each server based on the server’s role. SharePoint Server 2016 by default has been optimized for the MinRole farm topology.

So, the point to understand is that with MinRole you don't add servers to a SharePoint farm and then configure each one as WFE, APP, Search and so on; MinRole does that for you. Once you add a new SharePoint 2016 server to a farm and run the configuration wizard you get a screen, shown below, that asks you to choose the server's role. Once you select it, SharePoint automatically turns on and configures the necessary services for that role.


Now that we have understood about MinRole, let’s understand how to deploy a SharePoint 2016 farm using MinRole topology.

  2. How to deploy a SharePoint 2016 farm using MinRole topology?

Before I go ahead and discuss about how to deploy a SharePoint 2016 farm using MinRole topology, let’s refresh ourselves by taking a glance at the default SharePoint 2013 streamlined topology which we’re already used to. Let’s look at the image below to understand about the default SharePoint 2013 streamlined topology…


So as shown in the image above, in SharePoint 2013, when you create a farm or add a new server to it, you have to go manually to "Manage services on server" in Central Administration and start the required services, after which you configure the required service applications (for example Search, Managed Metadata, User Profile and Distributed Cache).


The good news with SharePoint 2016 is that you don't need to spend time starting the required services under "Manage services on server". You just choose the required role in the "Specify server role" window described above and SharePoint takes care of the rest. Hang on, let's be clear here: SharePoint only takes care of automatically starting the required service instances; the service applications still have to be configured by you as an admin. You may be wondering how SharePoint manages this by itself. When you create a new farm or join a machine to an existing farm, SharePoint starts the base set of service instances required for the server's role. It also detects which additional services have been enabled in the farm and starts the matching service instances as appropriate for the role. Finally, it detects which service applications have been created in the farm and which services are needed to support them, and starts those service instances as appropriate for the role as well.

MinRole management of service instances doesn’t happen only when you join a server to a farm. As you enable or disable services in the farm, or as you create and delete service applications in the farm, MinRole starts and stops service instances on the existing servers in the farm. This ensures that each server in your SharePoint farm is running exactly the services it needs.

So, the end result is, you as a SharePoint farm administrator can only focus on what services you want to run in your farm and not worry about where they’re running. The MinRole topology in SharePoint will take care of the rest.

Also, let's take a look at the image below, which illustrates how the SharePoint services are distributed between the different server roles in a MinRole topology.


All the user-interactive scenarios run on the Front-end (WFE) role, background tasks such as the User Profile Service (UPS) and timer jobs run on the Application (APP) role, the search components run on the Search role, and caching runs on the Distributed Cache (DC) role.

Hang on, I still haven't told you how to deploy a SharePoint 2016 farm using MinRole. There are two ways to do this: 1. using the SharePoint Products Configuration Wizard, 2. using PowerShell.

  1. Using the SharePoint Products Configuration Wizard:

You choose the role of a server while adding it to the farm on the screen below, which the Products Configuration Wizard shows.


  2. Using PowerShell:

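As an added example (not the screenshot from the original post), this is the PowerShell equivalent of the wizard: in SharePoint 2016, New-SPConfigurationDatabase and Connect-SPConfigurationDatabase take a -LocalServerRole parameter that does what the "Specify server role" page does. Database names, the SQL alias and the chosen roles are placeholders; the farm account and passphrase are prompted for rather than stored in the script, and the first block runs on the first server only, the second on every server you join afterwards.

```powershell
# Added example (not from the original post): creating a MinRole farm and joining
# servers to it from PowerShell. Run in the SharePoint 2016 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$dbServer   = 'SPSQL'                                  # SQL alias (placeholder)
$farmCreds  = Get-Credential -Message 'Farm account'   # prompted, never hard-coded
$passphrase = Read-Host -AsSecureString -Prompt 'Farm passphrase'

# --- On the FIRST server: create the farm; this server gets the Application role. ---
New-SPConfigurationDatabase -DatabaseName 'SP2016_Config' `
                            -DatabaseServer $dbServer `
                            -AdministrationContentDatabaseName 'SP2016_AdminContent' `
                            -FarmCredentials $farmCreds `
                            -Passphrase $passphrase `
                            -LocalServerRole Application
Initialize-SPResourceSecurity
Install-SPService
Install-SPFeature -AllExistingFeatures
Install-SPHelpCollection -All
New-SPCentralAdministration -Port 2016 -WindowsAuthProvider NTLM
Install-SPApplicationContent

# --- On each ADDITIONAL server: join the farm with the role it should play. ---
# Valid roles: WebFrontEnd, Application, DistributedCache, Search, Custom,
# SingleServerFarm and, from Feature Pack 1, WebFrontEndWithDistributedCache
# and ApplicationWithSearch. Use -ServerRoleOptional instead of -LocalServerRole
# when you are opting out of MinRole and keeping the old manual service setup.
Connect-SPConfigurationDatabase -DatabaseName 'SP2016_Config' `
                                -DatabaseServer $dbServer `
                                -Passphrase $passphrase `
                                -LocalServerRole WebFrontEnd
Initialize-SPResourceSecurity
Install-SPService
Install-SPFeature -AllExistingFeatures
Install-SPHelpCollection -All
Install-SPApplicationContent

# Confirm what MinRole did with the server you just joined.
Get-SPServer | Select-Object Address, Role, CompliantWithMinRole | Format-Table -AutoSize
```

The last line is the check to keep: immediately after joining, the new server should show the role you asked for and CompliantWithMinRole set to True; anything else means a service instance is running that the role does not expect.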

Now that we have seen how to deploy a SharePoint 2016 server or farm using MinRole, let's look at the different roles available in the MinRole topology.

  3. Different server roles in MinRole:

The image below, from one of my presentations on SharePoint 2016, illustrates the different roles available in MinRole. In the RTM release these are Front-end, Application, Distributed Cache, Search, Custom and Single-Server Farm.


So, based on your needs and architecture planning, you choose the appropriate role. However, this architecture can turn out costly, because with MinRole you can't combine roles on one server the way we used to in SharePoint 2013 for small farms of 4 to 6 servers; you don't get to run, say, Search and Managed Metadata, or Search and User Profile, on the same server. If you do so in MinRole, that server is marked as non-compliant. Microsoft listened to customers on this and changed MinRole in Feature Pack 1 for SharePoint 2016; I'll cover that in detail later in this article.

Note: Service packs are gone in SharePoint 2016, replaced by feature packs. Unlike service packs, feature packs are not shipped as separate packages (once every 12 months or so); instead a particular month's CU/PU carries the new features and that month's CU is designated a feature pack. So far Microsoft has released Feature Pack 1 (the November 2016 PU); see the link below.

https://support.microsoft.com/en-us/help/3127940/november-8,-2016,-update-for-sharepoint-server-2016-kb3127940

Microsoft was ahead of schedule with FP1: the original plan was a 2017 release, but they shipped it in Q4 2016.

This image below depicts the roadmap for SharePoint Server 2016 :


Alright, let's jump into the different types of topologies in MinRole.

  4. Different types of MinRole topologies:

Now that we have seen a lot about MinRole, the question is how to choose the appropriate SharePoint topology when using it. Let's take a look.

A typical SharePoint 2013 topology:

This is how a typical SharePoint 2013 topology looks. Please check the image below.


In this case SharePoint administrators manually configure services on each server to fit these roles, and as features and services are added they have to decide where those components should run based on best practices, current server load and so on.

That's not the case with the SharePoint 2016 MinRole topology: since it's a role-based architecture, you directly choose the role you want to deploy and MinRole takes care of the rest. The image below depicts a SharePoint 2016 MinRole topology.

SharePoint 2016 MinRole Topology :


As shown in the image above, you need at least four SharePoint servers (one each for the Front-end, Application, Distributed Cache and Search roles) to deploy a SharePoint 2016 MinRole farm; including SQL Server, that's at least five servers. Also, this minimum configuration has no resiliency.

Let's see how this works when you want to plan a highly available (HA) SharePoint 2016 farm with MinRole.


So, as you can see in the image above, two servers are required for each role; for Distributed Cache, three servers are required so that the cache cluster has a quorum. We also need a SQL Server Always On availability group to achieve HA at the SQL layer. In total you might need 13 servers if you're also deploying Office Online Server in HA.

However, this count may vary based on your architecture and planning. The image below shows an HA SharePoint 2016 farm I designed with proper planning; there the total is 18 servers. The point to note is that you scale out the number of servers for HA based on your business needs.


Custom 3-tier MinRole topology:

This is how a custom 3-tier MinRole topology looks. The front-end servers benefit from MinRole. The Custom role is used to run the majority of the service applications on a reduced number of servers. Unlike the MinRole-managed roles, services on a Custom-role server have to be configured manually; it's the SharePoint administrator's job to start the required services there.


Custom HA Topology with Search:


This is how this architecture has been planned,

  • Two load balanced servers with Front-end role.
  • Two custom servers running distributed cache, User Profile Sync, Secure Store.
  • Two servers with Search server role.
  • SQL servers configured with always on availability groups.

  5. MinRole - before and after Feature Pack 1:

Now, looking at the complete overview of MinRole, you might conclude that it needs a big budget because of the number of servers required. Unlike SharePoint 2013, you can't combine roles on a single server (short of the Custom role) when using MinRole, and many customers raised that concern with Microsoft. As always, Microsoft listened and changed this in Feature Pack 1. Let's look at the image below.


The image above explains the changes to the MinRole topology after FP1. Post FP1 you can combine two roles on one server: Feature Pack 1 adds two shared roles, "Front-end with Distributed Cache" and "Application with Search", which reduces the total number of servers required to build a SharePoint 2016 MinRole farm and lets you build a highly available farm with as few as four SharePoint servers.


If you’re interested in knowing more about the new features that was introduced in Feature Pack 1, please take a look at the link below.

https://blogs.office.com/2016/09/26/announcing-feature-pack-1-for-sharepoint-server-2016-cloud-born-and-future-proof/

  6. The benefits of using MinRole:

Listed below are the benefits of using MinRole.

  1. Simpler Deployments
  2. Improved Performance and Reliability
  3. Simpler Capacity Planning and Farm Scalability.

Simpler Deployments:

  • SharePoint administrators no longer need to worry about which services are enabled on which servers.
  • Administrators reduce the risk of subtle misconfigurations during installation by using a template-style deployment.
  • Administrators can focus on what functionality to enable in the farm and let SharePoint take care of the rest.

Improved Performance and Reliability:

  • Microsoft has been operating SharePoint Online since 2011 and has analyzed key performance characteristics of running SharePoint at internet scale, such as CPU, memory, disk I/O and network latency.
  • SharePoint Server 2016 has been optimized for the MinRole topology based on what Microsoft learned from running SharePoint Online in its own datacenters for years.
  • The improved service application load balancer serves requests from local service instances instead of going across the farm to another server.

Simpler Capacity Planning and Farm Scalability:

  • In SharePoint 2016, Microsoft bases its capacity-planning guidance on the MinRole topology.
  • You get predictable, prescriptive capacity-planning guidance by deploying a farm based on the MinRole topology.
  • As your SharePoint needs grow, you add more servers to the farm and SharePoint configures them automatically.

  7. MinRole Administration:

You can administer MinRole from the Central Administration site and also via PowerShell.

Using Central Administration site:


You can change the role of a server after it's deployed, and check whether a server is compliant, from the Central Administration site itself. The same can be done with PowerShell. A server that acts as a WFE today can be made an APP server tomorrow; once you change the role, SharePoint automatically turns the required services on and off.

Using PowerShell:


Note: Some bugs have been identified and reported to Microsoft when toggling a server's role from the Central Administration site, so it's better to use PowerShell (Set-SPServer -Role) to change the role of a server.

  8. MinRole compliance:

  • Once a server's role is configured, only the services appropriate for that role can run on that server.
  • SharePoint 2016 has a new set of Health Analyzer rules and timer jobs to identify when a server isn't MinRole compliant.
  • If a service is accidentally turned on that shouldn't be running on that server, SharePoint automatically turns it off.

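The following is an added example, not from the original post, of the PowerShell side of MinRole administration and compliance described above: it reports every server's role, whether it is compliant with that role, and which service instances are online there, and it changes a server's role with Set-SPServer, the route recommended over Central Administration. Server names are placeholders; the Role and CompliantWithMinRole properties of Get-SPServer are the ones the compliance report relies on.

```powershell
# Added example (not from the original post): MinRole compliance report and
# role change from PowerShell. Run in the SharePoint 2016 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Role, compliance flag and online service instances for every SharePoint server.
# Database servers show up with Role = Invalid and are skipped.
function Get-MinRoleComplianceReport {
    Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | ForEach-Object {
        $server = $_
        $online = $server.ServiceInstances |
                  Where-Object { $_.Status -eq 'Online' } |
                  ForEach-Object { $_.TypeName }
        [pscustomobject]@{
            Server         = $server.Address
            Role           = $server.Role
            Compliant      = $server.CompliantWithMinRole
            OnlineServices = ($online -join '; ')
        }
    }
}

# Change a server's role; MinRole then starts and stops service instances to match it.
function Set-ServerMinRole {
    param([string]$ServerName, [string]$Role)   # Role: WebFrontEnd, Application, Search, DistributedCache, Custom, ...
    Set-SPServer -Identity $ServerName -Role $Role
    $server = Get-SPServer -Identity $ServerName
    [pscustomobject]@{ Server = $server.Address; Role = $server.Role; Compliant = $server.CompliantWithMinRole }
}

# List non-compliant servers first so they stand out in a large farm.
Get-MinRoleComplianceReport | Sort-Object Compliant, Server | Format-Table -AutoSize

# Example role change (placeholder server name):
# Set-ServerMinRole -ServerName 'SP16-WFE01' -Role 'Application'
```

A server that reports Compliant = False has a service instance online that its role does not expect; the OnlineServices column shows which, and the MinRole Health Analyzer rule will eventually correct it, but seeing it here first tells you whether someone started a service by hand on the wrong box.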

  9. Opting out of MinRole:

As a SharePoint administrator you can always say no to MinRole. You do that by assigning some or all servers in the farm to the Custom role and then managing service instances on those servers manually. Also, use the -ServerRoleOptional parameter when creating a new farm (New-SPConfigurationDatabase) if your existing deployment scripts need to remain intact.

  10. How/where to deploy 3rd-party apps while using MinRole?

Well, the answer is simple, and you probably guessed it: choose the Custom role for any server that hosts third-party applications such as Nintex Workflow or AvePoint. In addition, services like PerformancePoint and PowerPivot best fit the Custom role.

MinRole is truly phenomenal and will definitely reduce the risk and the time it takes a SharePoint administrator to deploy a SharePoint 2016 farm. Microsoft has done an awesome job introducing MinRole in SharePoint 2016, and it will definitely reduce our burden as SharePoint administrators. Thanks for reading this post. Happy SharePointing!!!

What is Secure Score in Office 365?


This post is about a service Microsoft introduced a couple of months back called Office 365 Secure Score. If you've ever wondered how secure your Office 365 tenant really is, it's time to stop wondering, because Secure Score now takes care of that. So, what is this new service? What does it do? How do I make use of it? I'll answer those questions in this article, and you'll also learn how to use Secure Score to improve the security of your Office 365 tenant. Alright, let's get started.

What is Office 365 secure score?

This is how Microsoft defines Office 365 Secure Score: "The Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data in Office 365, and show you what you can do to further reduce that risk." To put it simply, it's a tool that runs in the background, checks the security configuration of the services your organization uses (SharePoint Online, Exchange Online, Skype for Business Online, Azure AD and so on) and assigns a score.

What's the idea behind Office 365 Secure Score?

Microsoft's approach was simple. First, they created a full inventory of the security configurations and behaviors customers can adopt to mitigate risks to their data in Office 365 (about 77 controls in total). Then they evaluated how far each control mitigates a specific set of risks and awarded it points; more points means a more effective control for that risk. Lastly, they measure the extent to which your tenant has adopted the recommended controls, add up the points, and present the total as a single score.

How to use Office 365 Secure Score?

1. The first thing you notice once you log in to the Secure Score portal is the welcome screen (see the screenshot below), which gives a short definition of Secure Score. In the screenshot below I've logged in to the Secure Score portal for my Office 365 tenant at https://securescore.office.com/ and get this welcome message.


Note: If you're already signed in to your tenant you can open the Secure Score URL above directly and it will let you into the portal without prompting for your credentials again.

2. Once you've read the welcome messages you get two tabs, as shown in the image below:

   i) Dashboard

   ii) Score Analyzer


3. The first tab, "Dashboard", shows the Secure Score summary. This panel gives your current Secure Score, the total number of points available to you given your subscription level, the date your score was measured, and a simple pie chart of your score. The denominator of your score is not meant to be a goal to reach: the full set of controls includes several that are very aggressive and could have an adverse impact on your users' productivity. Your goal should be to take every risk-mitigating action that still preserves your users' productivity. The screenshot below shows the summary for my Office 365 tenant, where I scored 61 out of 344 as of May 27, 2017.


4. The next section on the “Dashboard” tab after the “Secure score summary” section would be the section which tells how to improve your score. It gives you the targeted score that you can achieve for your tenant and lists out the action items to improve your score. You can make use of the slider to preview your improved score as shown in the image below.


5. The next section will list out all the pending action items that I’m supposed to complete to achieve the maximum score.


6. Now, let’s look at a few pending action items to see what they mean and how they would impact my Secure Score in Office 365.

i) Designate less than 5 global admins:


This one says that I should designate fewer than 5 global administrators for my Office 365 tenant; in my case I have breached it by having 6. Hence it asks me to correct this, and it also gives an overview of the score I would get by doing so.

ii) Enable MFA for all global admins:


This one says that I have to enable multi-factor authentication for all 6 of my global admin accounts, as none of them has it enabled, and this is flagged as a security risk. It also tells me that I can achieve a score of 50 by doing so.
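As an added example (not from the original post), the following PowerShell script checks the two action items above with the MSOnline module: it counts the global admins and reports the per-user MFA state of each. It assumes the MSOnline module is installed and that the account you connect with can read directory roles and users.

```powershell
# Added example: check the two Secure Score action items discussed above.
# Assumes the MSOnline module is installed (Install-Module MSOnline) and the
# connecting account can read directory roles and users.
Import-Module MSOnline
Connect-MsolService   # prompts for credentials

# 1. "Designate less than 5 global admins"
#    The Global Administrator role is named "Company Administrator" in MSOnline.
$globalAdminRole = Get-MsolRole -RoleName "Company Administrator"
$globalAdmins = Get-MsolRoleMember -RoleObjectId $globalAdminRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" }

$adminCount = @($globalAdmins).Count
if ($adminCount -ge 5) {
    Write-Warning "$adminCount global admins found; Secure Score expects fewer than 5."
} else {
    Write-Host "Global admin count OK: $adminCount"
}

# 2. "Enable MFA for all global admins"
#    StrongAuthenticationRequirements is empty unless per-user MFA is
#    Enabled or Enforced for that account.
$mfaReport = foreach ($admin in $globalAdmins) {
    $user = Get-MsolUser -UserPrincipalName $admin.EmailAddress
    $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State   # "Enabled" or "Enforced"
    } else {
        "Disabled"
    }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        MfaState          = $state
    }
}

$mfaReport | Format-Table -AutoSize

$withoutMfa = $mfaReport | Where-Object { $_.MfaState -eq "Disabled" }
if ($withoutMfa) {
    Write-Warning ("MFA not enabled for: " + ($withoutMfa.UserPrincipalName -join ", "))
} else {
    Write-Host "All global admins have per-user MFA enabled or enforced."
}
```

StrongAuthenticationRequirements reflects per-user MFA only; MFA applied through Conditional Access policies does not show up here, so treat a “Disabled” result as something to verify rather than a final verdict.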

7. The next section under the “Dashboard” tab is the “Risk Assessment” section, which gives me an overview of the top threats to my tenant. It is very important that Office 365 global administrators read this and understand the risks they are mitigating every time they take an action.


Let’s look at the “Account breach” scenario here and see the details about the risk.

Compare your score:

The Office 365 Average Secure Score is calculated from every Office 365 customer’s Secure Score. You can use this section to understand how your score stacks up against the average score.

Note: The Average Secure Score only includes the numerator of the score, not the denominator. So the average points may be higher than you can achieve, because there are points in controls associated with services that you have not purchased (meaning you might be using a different plan such as E3 whereas other customers might be using E5 or other plans).


Alright, now let’s look at the “Score Analyzer” tab in the Secure Score portal.

Score Analyzer:

As of now, only global administrators have access to the “Secure Score” portal; in the future it will be made available to other administrators as well, such as the SharePoint Online, Exchange Online and Skype for Business administrators. However, in the interim you can use the “Score Analyzer” tab to export the Secure Score results and share them with your executives, stakeholders or other administrators (i.e. SharePoint Online, Exchange Online etc.) so that they are aware of the progress made on risk mitigation in Office 365. The Score Analyzer experience allows you to review a line graph of your score over time, to export the audit of your control measurements for the selected day to either a PDF or a CSV, and to review which controls you have earned points for and which ones you could act on.

  1. The below mentioned image depicts the “Score Analyzer” tab of my secure score portal.


2. I can use the “Export” button in the top right corner to export these results in PDF or CSV format.


3. It also gives you an overview of all the “Complete” and “Incomplete” actions and the scores associated with those action items, as shown in the image below.


4. The “Complete” and “Incomplete” actions are classified into three different categories, as you see below (i.e. Account, Data & Device).


5. Finally, I can use the “Export” button mentioned above to export the results to a PDF/CSV. Please check the image below to see a sample report.


To conclude, Secure Score is indeed a great tool to keep your Office 365 tenant as secure as possible; at the same time you need to be aware that the Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.

Resources to know in detail about Secure Score in Office 365:

Microsoft Mechanics video on Office 365 Secure Score: https://youtu.be/h__nxWlm5Nc

Office 365 Secure Score API:  https://blogs.technet.microsoft.com/office365security/using-the-office-365-secure-score-api/

You can also check my Webinar recording on Office 365 where I’ve shown a small demo on Office 365 secure score. Here’s the link to that: https://youtu.be/HYcfXWN30O0

Thanks for reading this post. Good luck with Secure Score in Office 365!

Webcast of SharePoint Virtual Summit:


For those who missed the SharePoint Virtual Summit session held on May 16th, please use the link below to watch the webcast on demand:

https://event.microsoft.com/events/2017/1705/SharepointSummit/

Watch the webcast to learn how to create a connected workplace in Office 365 with OneDrive and SharePoint, integrated with Yammer, Microsoft Teams, Windows, PowerApps and Microsoft Flow.

In this webcast, Microsoft unveiled the latest innovations and roadmap, and you’ll learn how industry-leading customers are leveraging these technologies as part of their digital transformation. Discover how Office 365, connected with Windows and Azure, is reinventing productivity for you, your teams and your organization.

Happy SharePointing !!!

Recording of my Webinar on Getting started with Microsoft Office 365:

Webinar Recording: https://youtu.be/HYcfXWN30O0

Link to the PPT Slides: https://www.slideshare.net/VigneshGanesanMCPMCI/getting-started-with-microsoft-office-365-by-vignesh-ganesan

Please keep checking my blog site for more webinars and useful articles.

What is Customer Lockbox in Office 365?

“Customer Lockbox” was a new term to me until I heard it at Microsoft Tech Summit this year. I was attending one of the sessions on Office 365 and the speaker was talking about this feature. Sadly only a few folks in the room were aware of it, and I was one of those who hadn’t heard the term before.

Anyway, now that I’m aware of it I decided to write an article on it so that my readers get to understand this cool feature in Office 365 and can start using it in their Office 365 tenants.

So what is Customer Lockbox? To put it simply, it’s a feature available in Office 365 that ensures Microsoft engineers cannot touch the content you have saved in Office 365 (i.e. SharePoint Online, Exchange Online, Skype for Business Online etc.) without your explicit approval.

Roughly a couple of years ago Microsoft introduced this feature to maximize data security and privacy for Office 365 customers by ensuring that Microsoft engineers have zero unapproved interaction with customer content.

Almost all service operations performed by Microsoft are either fully automated, so there is no human interaction, or the human involvement is abstracted away from the customer’s content stored in Office 365.

Only in certain circumstances, where something is broken in your tenant and you have raised a support case for it, will Microsoft engineers access your content to fix it. With this feature Microsoft enforces access control through multiple levels of approval, providing just-in-time access with limited and time-bound authorization. In addition, all access control activities performed by the Microsoft engineer are logged and audited.

The below mentioned image depicts the complete approval process:


With this feature Microsoft assures its customers that their content will not be accessed by Microsoft employees without explicit approval. It brings customers into the access approval process, requiring the customer to explicitly approve access to their content by a Microsoft employee for service operations.

Now that we understand the feature, let’s take a look at how the complete process works.

Let’s consider a scenario where something is broken in SharePoint Online or Exchange Online and you have raised a support case for it. The engineer, upon reviewing your request, feels that he/she might need access to your Exchange/SharePoint Online content to fix it. This is how the process flows when you have Customer Lockbox turned on in your tenant.

  1. Administrators in the customer’s Office 365 environment are notified via email that there is a request for access as shown in the image below.


2. In addition to this the Office 365 Admin Center portal will also display requests that have been submitted to the customer for approval as shown in the image below.


3. As an Office 365 administrator you can approve or reject Customer Lockbox requests. Check the image below, where you get the option to approve or reject a request.


4. Microsoft can only proceed following approval of a Customer Lockbox request. See the image below, where the customer has approved a request by the engineer.


5. If a customer rejects a Customer Lockbox request, no access to customer content will occur.

Note: Customer Lockbox requests have a default lifetime of 12 hours, after which they expire. Expired requests do not result in access to customer content.

Enabling Customer Lockbox in the Office 365 admin center:

  1. Sign in to Office 365.
  2. Go to the Office 365 admin center.
  3. Navigate to Settings > Security & privacy and scroll down to locate Customer Lockbox.


4. Click Edit and move the toggle to turn Customer Lockbox requests on or off.

Approve or deny a Customer Lockbox request in the Office 365 admin center:

  1. Sign in to Office 365.
  2. Go to the Office 365 admin center.
  3. Navigate to Settings > Support > Service requests.


4. Select a Customer Lockbox request, and then select Approve or Reject.

5. This is how the view looks in the new Office 365 admin center. Check the images below.


How to get Customer Lockbox for Office 365?

Customer Lockbox for Office 365 will be available as part of a new premium Office 365 Enterprise suite called E5.

Thanks for reading this post. I hope you will enable this feature in your Office 365 admin center, as it gives an extra layer of security to your content in Office 365.

Webinar on Getting started with Office 365:

Hi All,

On behalf of the C# Corner Chennai chapter I’ll be delivering a session on “Getting started with Microsoft Office 365”. The details about the session as well as the registration link can be found below. Please make yourself available for the session and gain some insights on Office 365.

Registration link: http://www.c-sharpcorner.com/events/getting-started-with-microsoft-office-365

Agenda:
  • Introduction to Office 365
  • Understanding the Office 365 features and services
  • Touring the Office 365 admin center
  • What’s new in Office 365?
  • Recap
  • Conclusion

Workflow Manager configuration for SharePoint Server 2013:


This article will give you a detailed explanation of how to configure Workflow Manager for SharePoint Server 2013. Unlike SharePoint 2010, we don’t get SharePoint 2013 workflows with the SharePoint 2013 product itself. We need to install and configure “Workflow Manager”, a standalone product introduced along with SharePoint 2013, to get SharePoint 2013 workflows. However, you still get SharePoint 2010 workflows by default in SharePoint 2013. To use SharePoint 2013 workflows, you need to install Workflow Manager for SharePoint 2013 and configure a workflow farm together with a Service Bus farm.

Note: All your workflows that were built by using SharePoint Server 2010 will continue to work in SharePoint Server 2013.

The SharePoint 2013 Workflow platform uses the new Workflow Manager Service. Workflow Manager is built on top of Windows Workflow Foundation. Windows Workflow Foundation is part of the .NET Framework 4.5.

Architectural changes in SharePoint Workflow:


Installation and Configuration of Workflow Manager in SharePoint 2013:

Alright, now let’s look at how to install and configure Workflow Manager.

Once configured, we need to register our SharePoint web application with the workflow farm. Once the SharePoint farm is registered with the Workflow farm, SharePoint 2013 workflows become available and we can use them in SharePoint sites.

Note: You can install Workflow Manager on the SharePoint server itself, or you can have a separate environment for Workflow Manager and attach your SharePoint 2013 farm to the Workflow Manager farm.

Prerequisites for Workflow manager:

If you want to install Workflow Manager 1.0, here are the prerequisites:

  • .NET Framework 4 Platform Update 3 or .NET Framework 4.5
  • Service Bus 1.0
  • Workflow Client 1.0
  • PowerShell 3.0

The following are the prerequisites to configure Workflow Manager 1.0:

  • Instance of SQL Server 2008 R2 SP1, SQL Server Express 2008 R2 SP1, or SQL Server 2012.
  • TCP/IP connections or named pipes must be configured in SQL Server.
  • Windows Firewall must be enabled. [Windows Firewall is Off on target server]
  • Ports 12290 and 12291 must be available.

Installation steps:

To install Workflow Manager, we first need to install the Web Platform Installer 5.0 (x64).

  1. Download the Web Platform Installer x64 version 5.0 from the link.
  2. Run the Web Platform Installer.
  3. Select “I accept the terms in the License Agreement” and click OK.


4. It will take some time to install the Web Platform Installer.


5. Once the Web Platform Installer is installed, go to Start, search for “Web Platform Installer” and click on the “Web Platform Installer” icon.


6. The application will load all the required files.

7. Once done, you will see the screen shown in the image below.

8. In this screen, go to the “Products” tab.

9. Click the Add button for the following products:

  1. Workflow Manager 1.0
  2. Service Bus 1.0
  3. Workflow Client 1.0
  4. Workflow Manager 1.0 Refresh (CU2)

10. Now, click on Install.

11. Click on “I Accept”.

12. You may see a prompt as shown below; don’t worry, just click OK.

13. Now the Web Platform Installer will start the installation process, which may take some time for the selected products.

14. After the installation of the selected products the wizard will tell you that some of the products require additional configuration. Click on the “Continue” button as shown in the image below.

Alright, now that we’re done installing Workflow Manager, let’s look at how to configure it.

Configuring Workflow Manager:

  1. Open Workflow Manager and select the “Configure Workflow Manager Farm using Custom Settings” option as shown in the image below.


2. For the Farm Management Database, provide the SQL instance name and the database name, then click the “Test Connection” button. It will take some time to verify and will show a green tick mark once the connection is verified, as shown in the image below.


3. Follow the same steps for “Instance Management Database” and “Resource Management Database”.


4. Provide the service account and password which you want to use for the Workflow Manager configuration.

Note: Please bear in mind that you need to use a separate service account for the Workflow Manager configuration and not the farm account itself; otherwise you will get errors during the configuration.

5. Also, please note that this account should be part of the local Administrators group on the server(s) where you are going to configure Workflow Manager and should also have “sysadmin” permissions on the SQL instance.

6. Next, you need to provide the certificate generation key. This is similar to the “Passphrase” we create while configuring a SharePoint server farm. To add a new Workflow Host or Service Bus Host later, you will need to provide the same key.


7. After setting the certificate generation key, we need to configure the ports for communication between the workflow farm and the SharePoint farm. Below are the ports we need to configure:

a) Workflow Manager Management Port for HTTPS: the default port is 12290.

b) Workflow Manager Management Port for HTTP: the default port is 12291. If you want to use HTTP for the Workflow management service, you need to select the checkbox “Allow Workflow management over HTTP on this computer”.


To open the ports, we need to create appropriate inbound rules in firewall. This wizard provides an option to create the firewall rules automatically. Select the check box to create firewall rules.

8. At this point, specify the admin group for the Workflow Manager farm, i.e. the domain or local group whose members should be treated as administrators. By default, the “BUILTIN\Administrators” group is added as the administrator group for the Workflow farm.


9. Click next [right arrow] at bottom of the dialog box. It will take some time to validate the configuration settings and save the same.


10. Now, it’s time to provide required details such as database info, service account and certificate generation key for Service Bus Farm.


11. If you want to use the same service account which you provided for Workflow Manager Farm in the previous window, you can select the check box “Use the same service account credentials as provided for Workflow Manager”.

12. For certificate generation, select the check box “Auto generate”.

13. If you want to use the same certificate generation key which you provided for the Workflow Manager farm in the previous window, select the check box “Use the same certificate generation key as provided for Workflow Manager”.


14. Configure the required ports for communication.


15. Enable firewall rules and provide Admin group.


16. After providing all the information, click Next. The wizard will show you a summary of the configuration you have provided. At this point, review the settings; if you want to change something, go back, make the required changes and then return to the summary page.


17. Now start configuring the farm. It will take around 10 minutes to configure the Workflow Manager and Service Bus farm.

18. Once the processing completes, close the window.


19. Now, browse to https://workflowhostserver.domain.com:12290 or https://localhost:12290 (if you receive a certificate warning, click Continue). This should display an XML document describing the workflow farm.


20. Click on the certificate icon in the address bar, then click “View Certificate”.


21. Navigate to the Details tab and click the “Copy to File” option.


22. You will see the Certificate Export Wizard. Click Next.


23. Select the Base-64 encoded format.


24. Select the directory and give a file name. Click on Save button.


25. Click on Next button.


26. Finally, click on Finish.


27. Once the certificate is exported, you will get the message below. Click OK.


28. Now copy the certificate file to the SharePoint server. Once done, open the SharePoint Management Shell as the farm service account and run the commands below to add the certificate to the SharePoint trusted root authorities.

$cert = Get-PfxCertificate <path of the certificate file with extension>

New-SPTrustedRootAuthority -Name "Workflow Farm Certificate" -Certificate $cert

29. Next, register the web application to consume the workflow service. This uses the HTTP management port 12291 enabled in step 7, which is why -AllowOAuthHttp is required:

Register-SPWorkflowService -SPSite 'https://webapp.domain.com/managedpath/sitecollection' -WorkflowHostUri 'http://workflowhost.domain.com:12291' -AllowOAuthHttp

30. Finally, navigate to Central Administration > Manage Service Applications > Workflow Service Application Proxy and verify that it says “Workflow is connected”.


31. To verify that the SharePoint 2013 Workflow Template is now available, open SharePoint Designer 2013, open the SharePoint site, go to Workflows and click New. The drop-down should show “SharePoint 2013 Workflow Template”.
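As an added example (not part of the original walkthrough), the following script runs steps 28 to 31 from the SharePoint Management Shell in an idempotent way and registers over HTTPS on port 12290, which the trusted farm certificate makes possible, instead of the HTTP registration shown above. The certificate path, host name and site URL are assumptions.

```powershell
# Added example: trust the exported Workflow Manager certificate, register
# the site collection over HTTPS and verify the registration.
# Run in the SharePoint Management Shell as the farm service account.
# The values below are assumptions; replace them with your own.
$certPath  = "C:\Certs\WorkflowFarm.cer"                         # file exported in step 26
$wfHostUri = "https://workflowhost.domain.com:12290"             # HTTPS management port
$siteUrl   = "https://webapp.domain.com/managedpath/sitecollection"
$authority = "Workflow Farm Certificate"

# 1. Trust the certificate only once: New-SPTrustedRootAuthority fails if
#    an authority with the same name already exists.
$existing = Get-SPTrustedRootAuthority -Identity $authority -ErrorAction SilentlyContinue
if (-not $existing) {
    $cert = Get-PfxCertificate $certPath
    New-SPTrustedRootAuthority -Name $authority -Certificate $cert | Out-Null
    Write-Host "Created trusted root authority '$authority' (thumbprint $($cert.Thumbprint))."
} else {
    Write-Host "Trusted root authority '$authority' already present (thumbprint $($existing.Certificate.Thumbprint))."
}

# 2. Register over HTTPS. Because the farm certificate is trusted,
#    -AllowOAuthHttp is not needed. -Force re-registers an already
#    registered site instead of failing.
$site = Get-SPSite $siteUrl
Register-SPWorkflowService -SPSite $site -WorkflowHostUri $wfHostUri -Force

# 3. Verify: the proxy must resolve a workflow service address for the site,
#    which is what Central Administration reports as "Workflow is connected".
$proxy   = Get-SPWorkflowServiceApplicationProxy
$address = $proxy.GetWorkflowServiceAddress($site)
if ($address) {
    Write-Host "Workflow is connected for $siteUrl via $address"
} else {
    Write-Warning "No workflow service address resolved for $siteUrl; check the registration."
}
```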


Common Issues and Solutions that you might encounter while configuring workflow manager:

Issue #1:

System.Management.Automation.CmdletInvocationException: The remote server returned an error: (400) Bad Request. The api-version in the query string is not supported. Either remove it from the Uri or use one of '2012-03'..TrackingId:0aef4968-6974-41db-bf43-fecd4fda4a38_GDS-SP2013-VM,TimeStamp:5/15/2014 1:27:51 PM ---> System.ArgumentException: The remote server returned an error: (400) Bad Request. The api-version in the query string is not supported. Either remove it from the Uri or use one of '2012-03'..TrackingId:0aef4968-6974-41db-bf43-fecd4fda4a38_GDS-SP2013-VM,TimeStamp:5/15/2014 1:27:51 PM ---> System.Net.WebException: The remote server returned an error: (400) Bad Request.

Cause: Service Bus version is not appropriately installed.

Solution:

  1. Remove the server from the SB farm and the WF farm.
  2. Delete the SB and WF databases from the SQL instance.
  3. Uninstall the Workflow Manager and Service Bus applications.
  4. Install the appropriate versions using the Web Platform Installer: Workflow Manager 1.0 Refresh and Service Bus 1.0 CU.

Issue #2:

System.Management.Automation.CmdletInvocationException: The token provider was unable to provide a security token while accessing 'https://sharepoint0120.secam.sa.net:9355/WorkflowDefaultNamespace/$STS/Windows/'. Token provider returned message: '<Error><Code>400</Code>

Solution:

Make sure CU2 for Workflow Manager is installed and that the Workflow service account has dbo permission on the SB and WF databases.

Issue #3:

Add-WFHost : The remote server returned an error: (401) Unauthorized. Manage claim is required for this operation.

Cause: The Workflow service account is not part of the ManageUsers group for WorkflowDefaultNamespace.

Solution:

To find out whether the service account is part of the ManageUsers group, run the command below:

PS > Get-SBNamespace -Name WorkflowDefaultNamespace

SubscriptionId        : 00000000000000000000000000000000
State                 : Active
Name                  : WorkflowDefaultNamespace
AddressingScheme      : Path
CreatedTime           : 17-02-2015 14:31:09
IssuerName            : WorkflowDefaultNamespace
IssuerUri             : WorkflowDefaultNamespace
ManageUsers           : {srv_sp_test_admin@domain.com}
DnsEntry              :
PrimarySymmetricKey   : ******************************
SecondarySymmetricKey :

Since the workflow account “srv_sp_workflow” is not listed here, we need to add it. For that, run the command below:

Set-SBNamespace -Name WorkflowDefaultNamespace -ManageUsers @('srv_sp_workflow@domain.com', 'srv_sp_test_admin@domain.com')

Now you can try to add the server using “Join the existing Workflow Farm” option. Or you may run Add-WFHost command.
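As an added example (not from the original post), the script below makes the same ManageUsers fix without hard-coding the list: Set-SBNamespace -ManageUsers replaces the whole set, which is why the one-liner above has to name both accounts, so the script reads the current managers first, appends the workflow account only if it is missing, and re-reads the namespace to confirm. The account names are assumptions taken from the sample output above.

```powershell
# Added example: ensure the Workflow Manager service account manages
# WorkflowDefaultNamespace without dropping the accounts already listed.
# Run on a Service Bus farm host with the Service Bus PowerShell cmdlets.
# Account names are assumptions matching the sample output above.
$namespaceName   = "WorkflowDefaultNamespace"
$workflowAccount = "srv_sp_workflow@domain.com"

$ns      = Get-SBNamespace -Name $namespaceName
$current = @($ns.ManageUsers)          # e.g. {srv_sp_test_admin@domain.com}

if ($current -contains $workflowAccount) {
    Write-Host "$workflowAccount already manages $namespaceName."
} else {
    # -ManageUsers overwrites the list, so pass the existing managers plus
    # the new account rather than the new account alone.
    $updated = $current + $workflowAccount
    Set-SBNamespace -Name $namespaceName -ManageUsers $updated

    # Re-read the namespace to confirm the change was persisted.
    $verify = @((Get-SBNamespace -Name $namespaceName).ManageUsers)
    if ($verify -contains $workflowAccount) {
        Write-Host "Added $workflowAccount. Managers now: $($verify -join ', ')"
    } else {
        Write-Warning "Set-SBNamespace did not persist $workflowAccount for $namespaceName."
    }
}
```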

Happy SharePointing!!!  Thanks for reading this post.