Purchasing a new service to your Office 365 tenant:

1

This is going to be a very simple article where I’ll be describing about how to add a new service to your Office 365 tenant. Let’s say there comes a scenario where your organization has been using Office 365 for quite some time and all of a sudden, the business shows interest on a new Office 365 service then you need to follow the steps mentioned in this article below to purchase that new service for your existing Office 365 tenant. Alright, let’s get started….

Note: Please ensure that you have global admin access in your tenant to perform these steps.

  1. Sign into the Office 365 admin center and navigate to the “Billing “section as shown in the image below.

2.png

2. Under the billing section, please click on the “Purchase services” option as shown in the image below.

3.png

3. Once you click on the “Purchase service “option it will take you to a page where you can see the list of services that’s available for you to purchase as shown in the image below.

4.png

4. Choose the one that you’re looking for, you can either go for a trial subscription or purchase it completely. In my case I’ve chosen the “Enterprise Mobility + Security E5 “service as shown in the image below.

5.png

5. Once done it will take you to the screen where it says “Try now “, please click on it as shown in the image below.

6

6. After that you would be taken to the Order receipt page where you can see your confirmation number as well as your Order details. Please review it and click on Continue as shown in the image below.

7.png

7. So, this concludes the process of purchasing a new service, you can validate this by going to the “Subscriptions “section under the “Billing “category in the Office 365 admin center as shown in the image below. You should be able to see the service that already existed and the one you purchased now.

8.png

8. In addition to that you can also run the “Get-MsolAccountSku “command to verify it.

9

 

 

Thanks for reading this post …..Good luck with Office 365 !!!

Advertisements

User guide to enroll your iOS Device with Microsoft Intune and to configure your Outlook mobile app

31.png

If your company or school uses Microsoft Intune for Mobile Device Management and Mobile application management, you can enroll your iOS device to get access to company email, files, and other resources. When you enroll your devices, your IT department can manage the resources, keep them secure, and give you the freedom to use your preferred device to get your work done.

The steps mentioned below should be followed by all users who hold an Apple device to enroll their iPhone/iPad with Microsoft Intune so that your device can be managed by Microsoft Intune.

Note:

  • Please make sure that your device has a good Wi-Fi connectivity or a good 3G/4G connection before doing the below mentioned steps.
  • Please ensure that your iOS version is not less than 8.0

Detailed steps:

  1. Open the App Store and search for Microsoft Intune company portal app as shown in the image below.

1

  1. Download and install the Microsoft Intune Company Portal app. Once done you should be able to see it in your Apple device home screen as shown in the image below.

2.jpg

3. Open the Intune company portal app and sign in with your Office 365 UPN address as shown in the image below.

3

  1. Enter your Office 365 UPN password as well as shown in the image below.

4

5. Once done you would be redirected to the Company Access setup page as shown in the image below.

5

6. Click on Begin on the top right corner of the screen and this will start preparing your portal as shown in the image below.

6

7. You would be taken to a screen which describes why you need to enroll your device , you can go through the guidelines if required and click on continue as shown in the image below.

7

8.The next screen will tell you what can be viewed by your IT Admin once the device has been enrolled with Intune and what cannot be viewed by the IT Admin. You can go through all the details if you’re concerned about your privacy and click on continue.

8

9. Now the next screen will ask you to click on “Enroll” to enroll your device with Intune, please go ahead and click on Enroll.

9.jpg

  1. Once done the next screen will prompt your for Multi-Factor Authentication which is nothing but an extra layer of security just to ensure that your connection is legitimate.

10.jpg

11. Based on which option you chose above you would either get a text message or a phone call with a passcode, please go ahead and enter the code correctly and click on next as shown in the image below.

11.jpg

12. Once done the device enrollment process will start and you would see the below mentioned screen.

12.jpg

13. After that would get the below mentioned screen asking you to install the profile for Mobile Device management, please go ahead and click on install as shown in the image below .

13.jpg

14. You would also get the installation prompt in the next few screens, please go ahead and click on install on the next screens. Once done if you already have a passcode for your device it would prompt for that, please key-in that passcode as shown in the image below .

30.jpg

15. On the next screen you would be asked if you trust this profile for Mobile device management, please go ahead and click on Trust as shown in the image below.

14

16. You would be taken to the certificate enrollment process in the next screen as shown in the image below.

15.jpg

17. Once done you would be taken to the below mentioned screen asking you to open the Company portal app as shown in the image below. Please go ahead and click on open.

16

18. After that’s completed you would get the below screen where you can notice that the portal is getting prepared.

17

19. You would get the below mentioned screen post that, please go ahead and click on install as shown in the image below.

18.jpg

20. The next screen will ask you to choose your device category, please go ahead and choose the correct option. In my case I’ve chosen “personal-owned device “ as I’m enrolling my personal iPhone with Intune .

19

21. Once done you would be prompted to change your passcode as shown in the image below, please go ahead and change it and confirm it once again as shown in the image below.

 

Note: Please make sure that you don’t forgot your passcode

20.jpg

22. After confirming the passcode, you would be taken to the below mentioned screen which confirms that your device has been successfully enrolled with Intune.

21.jpg

22.jpg

23.  Now go back to home screen in your iPhone and open the Intune company portal app .You can check the list of apps which are available for download from company portal app as shown in the image below.

23

24. Now you can search for the “Outlook” mobile app in the portal and install it as shown in the image below.

Note: If you’re IT admin has configured a policy in Intune such that you should only be using the Outlook mobile app that’s available in the Intune Company portal to configure your emails, then you won’t be able to download and use the Outlook mobile app that’s available in the App store. This is part of Mobile application management in Intune. In addition to that you won’t be able to do the below mentioned things based on the policies which your IT admin has enforced.

  1. A user tries to copy the content from his Office 365 mailbox and tries to paste it in his personal email account (i.e. Gmail, Hotmail etc..) and Intune restricts it.
  2. ii) A user tries to download an attachment from his Office 365 mailbox and tries to save it to his Drop box or personal OneDrive and Intune restricts it.

Please go through the link below to know more about the MAM policies in Intune :_ https://docs.microsoft.com/en-us/intune-classic/deploy-use/configure-and-deploy-mobile-application-management-policies-in-the-microsoft-intune-console

24.jpg

25. Once you’re done installing the “Outlook” mobile app from the Intune company portal, please go back to the home screen and open the “Outlook” app as shown in the image below.

25.jpg

26. Open the Outlook mobile app, you would be prompted to choose the email account which you want to setup. In my case it prompts to either add both my Office 365 email account as well as my Hotmail account. I’ve chosen to configure Office 365 email account only as shown in the image below. In your case you might only see your Office 365 email account.

Note: Even if you have added your Hotmail account , Intune will take care of only your Office 365 mail address and not your Hotmail account .

26.jpg

  1. Once you’ve chosen your Office 365 email account, please give it some time and your mailbox will start downloading all the emails, contacts and meetings etc. as shown in the image below.

28.jpg

28. You can also use some cool features like @mentions and focused inbox in Office 365 as shown in the image below.

29.jpg

29. In addition to this you can also remotely manage your mobile device from your laptop or PC once it’s enrolled with Intune by accessing the Intune Company portal site. In order to do that, please login to the below mentioned URL using your Office 365 UPN address and password.

https://portal.manage.microsoft.com/

30 .Once done you should be able to see your Apple device which has been enrolled with Intune as shown in the image below.

30.png

31. You can rename, remove, reset the passcode as well as remotely lock your device from your laptop/PC from here. So if you ever encounter a scenario where your device has been lost/stolen you can remotely wipe if from here.

Thanks for reading this post!!!  Good luck with Intune.

 

Recording of my Webinar on SharePoint Online Communication Sites:

Webinar logo

Webinar Recording :_ https://youtu.be/rmpdFA0XiAg

Link to the PPT Slides :_ https://www.slideshare.net/VigneshGanesanMCPMCI/overview-of-communication-sites-in-sharepoint-online

Please keep checking my blog site for more webinars and useful articles .

Webinar on SharePoint Online Communication Sites

Hi All,

Please join us for a webinar on August 12th,2017 at 6:00 pm IST on ” Overview of Communication Sites in SharePoint Online” .

WEBINAR

Agenda:

  1. Introduction to Communication sites in SharePoint Online​

2. Different designs and what’s inside a communication site?​

3. Demo on creating Communication sites​

4. Demo on Customizing Communication sites​

5. Benefits of using Communication sites​

6. What’s lacking in Communication sites?

We’ll be discussing in detail about SharePoint Online Communication Sites and all it’s new features and functionalities.

Webinar details : http://www.c-sharpcorner.com/events/overview-of-communication-sites-in-sharepoint-online

Get to know Microsoft 365:

e1.pngYep you read it correctly, it’s not Microsoft Office 365 and its Microsoft 365. Well by saying so I didn’t mean that Microsoft Office 365 is going away or it’s getting renamed as Microsoft 365. This is a new service which was introduced by Satya Nadella 2 days back on Microsoft Inspire which brings together Office 365, Windows 10 and Enterprise Mobility + Security, delivering a complete, intelligent and secure solution to empower employees. I’m sure most of you would have already read about this today and if not please take a moment in reading this article where I’ve explained in detail about Microsoft 365 and what are the services it delivers and how it can enhance your business.

  1. What is Microsoft 365?

Well as I already mentioned above this is a new service which was introduced by Microsoft two days back which brings together Office 365, Windows 10 and Enterprise Mobility + Security.

  1. Is this something new or was this service already present?

To be very precise, this isn’t something new and in fact this is the successor of the most successful service , “Secure Productive Enterprise” which was introduced by Microsoft on October 2016 .

e2.png

  1. What happens to Secure Productive Service now?

Moving further, Secure Productive Service would be replaced by Microsoft 365.

  1. Do we have different flavors in Microsoft 365 as well like Secure Productive Enterprise?

Yes, we have two flavors in Microsoft 365, 1. Microsoft 365 Business which is meant for small organizations and 2. Microsoft 365 Enterprise which is meant for large organizations

  1. What are these two flavors meant for and how can they enhance my business?

Microsoft 365 Enterprise:

  1. Unlocks creativity by enabling people to work naturally with ink, voice and touch, all backed by tools that utilize AI and machine learning.
  2. Provides the broadest and deepest set of apps and services with a universal toolkit for teamwork, giving people flexibility and choice in how they connect, share and communicate.
  3. Simplifies IT by unifying management across users, devices, apps and services.
  4. Helps safeguard customer data, company data and intellectual property with built-in, intelligent security.

Microsoft 365 Business:

  1. Helps companies achieve more together by better connecting employees, customers and suppliers.
  2. Empowers employees to get work done from anywhere, on any device.
  3. Protects company data across devices with always-on security.
  4. Simplifies the set-up and management of employee devices and services with a single IT console.
  5. How about the plans for Microsoft 365?

Microsoft 365 Enterprise is available in two plans, E3 and E5

  1. When would Microsoft 365 be made available for the public?

Microsoft 365 Enterprise will be available for purchase from August 1st, 2017 onwards. You get to purchase both the plans (E3 & E5)

Microsoft 365 Business will be available in public preview on August 2nd, 2017. It will become generally available on a worldwide basis in the fall of 2017, priced at US $20 per user, per month.

  1. How do I get to know more about the services and features available in both the flavors of Microsoft 365 ?

        Please go through the links below to know more about the features and services available in both the flavors.

For Business: _ https://www.microsoft.com/en-us/microsoft-365/business

For Enterprise: _ https://www.microsoft.com/en-us/microsoft-365/enterprise

Thanks for reading the post. Good luck with Microsoft 365.

 

PowerShell to on-board list of users to Office 365 and assign them Office 365 licenses:

1.jpgOffice 365 is a SaaS platform which is  being used by many organizations these days and it becomes quite hard for IT administrators to on-board their users to Office 365 manually .Of course , this may not be the case when your user identities gets synced to Azure AD from on-premises AD using AAD connect tool .However, if you’re one of the organizations who totally buried all your IT infrastructure implementation and decided to go with a Cloud implementation completely then possibilities are such that you as an IT administrator should take care of on-boarding your users to Azure AD .As we all know , this is indeed quite a time consuming task if we have to do it manually and then assign the appropriate licenses to all the users . So, to surpass all those manual effort, I’ve put together this PowerShell script which will do the magic for you. Alright, let’s get into the details ….

1.Sign-in to your Office 365 admin center using your global admin account and navigate to the “Active users” section as shown in the image below.

2.png

2.At this moment, you might see only the user account which was used to set-up the Office 365 tenant.

Note: In my case, you might see 3 users as I manually created them using the “Add a user “option.

3.Create a CSV file which has the details of all your users by following the guidelines mentioned in this article. The below mentioned screenshot depicts the CSV file which I’ve prepared which has the list of all my users.

3.png

4. Once done, please login to the PowerShell window and type the below mentioned command as shown in the image below. This will tell you the type of license that your tenant is using and how many licenses have been utilized till now.

4

Note : In my case you can notice that my tenant is on  Office 365 E5 Enterprise E5 plan +EMS  (Enterprise Mobility ) and it also displays how many licenses have been consumed till now .

5. Prior to running the above command, please ensure that you’re connected to your Office 365 tenant via PowerShell, if not please follow the below article to do that first.

https://technet.microsoft.com/library/dn975125.aspx

6. Now, let’s specify the required variables for the PowerShell script.

$UsersToAdd = Import-Csv C:\Users\Vignesh\Documents\Import_User_Sample_en.csv

$LicenseToAdd = “sptech80:ENTERPRISEPREMIUM” à This information can be grabbed from the Get-MsolAccountSKU command which we ran in the above step.

$UsageLocation = “US”

$LicenseOptions = New-MsolLicenseOptions -AccountSkuId $LicenseToAdd

5

7.Once you’re done specifying the required variables, please go ahead and run the below mentioned PowerShell command as shown in the image.

$UsersToAdd | ForEach-Object {

New-MsolUser –UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName

Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation

Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $LicenseToAdd -LicenseOptions $LicenseOptions

}

6.png

8.You may notice that your users are getting created after running the script as shown in the image above and the licensing tab might display the status as “False”. That’s due to the time taken for the script to reflect the licensing details as it first creates the user and then assigns the license to the user’s account. This is quite normal and hence you don’t need to panic about the “isLicensed” column

9. You can verify the status of the users as well as the licenses assigned to them by running the “Get-MsolUser” command. This time it should display the licensing details correctly.

10. Additionally, you can also navigate to the “Active users” section to verify the same.

8.png

Thanks for reading this post ….Good luck with Office 365 !!!

When to perform a Search full crawl in SharePoint 2013?

Search is indeed a mission critical component in SharePoint 2013 and it’s very important that it functions properly so that you get the desired results. As we all know, the search results and their relevancy is directly proportional to how often your content sources are crawled and what sort of crawling you’re running in your SharePoint farm (i.e. full crawl, incremental crawl and continuous crawl). So, in this post I’m not going to discuss about the different type of search crawls or the SharePoint 2013 search architecture, perhaps I would be discussing on when and under what circumstances should a SharePoint administrator perform a full search crawl. The reason for me picking up this topic is because I see a lot of misconception among SharePoint administrators in understanding when the Search full crawl has to be performed. For the most part, I’ve seen many folks turning on full crawl when it’s not required at all and before doing so we need to understand that turning on Search full crawl is going to consume a lot of your server’s resource and at worst case it could even make your SharePoint farm go to an unresponsive state and hence it’s very important that we do this only when it’s required.

1

Alright, let’s get into the details ….

Listed below are the reasons why and under what circumstances should a SharePoint farm Administrator perform a full search crawl:

1.You just created a new Search Service application and the default content source (i.e. Local SharePoint sites) that gets created along with the newly created Search service application hasn’t been crawled yet.

22. You recently added a new content source and it hasn’t been crawled yet (Note: This is applicable for all the types of content sources (i.e. Local SharePoint sites, File shares, Exchange public folders and External line of business data)

3.png

3.When there has been, a change made to the existing content source (meaning, when you’re trying to edit the existing content source for making some changes)

4.png

4.When you’re patching your SharePoint 2013 farm by installing a Cumulative update, Service packs and hot-fixes etc. For some reason I see a lot dilemma on this specific point because it brings up a question on why should a full crawl be performed post the patching .The reason for this is really simple ,  if you read my article on patching a SharePoint farm you would notice that I’ve mentioned a step where you need to suspend the search crawl before patching your farm and the reason for mentioning that is because it’s quite possible that when you check the crawling schedule  before patching you farm there may not be any instance of crawl running. However, if a crawl is triggered by schedule which occurs during the installation, the search application may crash or lead to inadvertent results. In worst case, you might end up rebuilding the entire search application. Hence, as a best practice it’s very important that you suspend the search service application before patching your farm and once you’re done with patching your farm please go ahead and resume it and run a full crawl.

5

6

7

5.When changes have been made to managed properties in search. A full crawl of all affected content sources is required for the new or changed managed property to take effect.

8.png

6.If you want to detect security changes that were made to local groups on a file share after the last full crawl of the file share

9.png

7.When the incremental crawl keeps failing continuously. If an incremental crawl fails many consecutive times for any content, the system removes the affected content from the search index. In such case, please look into the search crawl logs and try to identify the issue and fix it after which you need to run a search full crawl so that the failed content gets updated in the search index.

8.If you have made some changes to the search Crawl rules such as adding, deleting or modifying the crawl rule.

10.png

9.When your search index gets corrupted you need to perform a search index reset after which you need to run a full search crawl. Please check my article on search index reset to understand how to perform an index reset and under what circumstances should you be performing a search index reset.

11.png

10.The permissions given to the default content access account has been changed.

11. Apart from the above mentioned one’s the system by itself would be performing a search full crawl even when an incremental or continuous crawl is scheduled under the following circumstances:

   a)The SharePoint administrator stopped the previous crawl.

    b)A content database was restored, or a farm administrator has detached and reattached a content database.

    c) A full crawl of the content source has never been done from this Search service application.

     d)The crawl database does not contain entries for the addresses that are being crawled. Without entries in the crawl database for the items being crawled, incremental crawls cannot occur.

Thanks for reading this post. Happy SharePointing!!!

Demystifying MinRole in SharePoint Server 2016:

MinRole – I hope everyone would agree with me when I say that “MinRole” has become a buzz word among many SharePoint folks ever since Microsoft released SharePoint Server 2016. I myself have personally read many articles/blogs and viewed some videos on it to understand in detail about MinRole and how to make use of it. However, there has been times where I couldn’t really understand it completely and I had to work with many SharePoint experts in the industry to understand in detail about what MinRole is and how it works. But still I can sense a lot of uncertainty among few SharePoint folks in understanding MinRole and how to make use of it. Hence, in this article I’ll be explaining in detail about the below mentioned points….

  1. What is MinRole?
  2. How to deploy a SharePoint 2016 farm using MinRole topology?
  3. Different server roles in MinRole
  4. Different type of MinRole topologies
  5. MinRole -Before and after Feature Pack 1
  6. The benefits of using MinRole
  7. MinRole Administration
  8. MinRole compliancy
  9. Opting out of MinRole
  10. How/where to deploy 3rd party apps while using MinRole?

160121MinRole_lg.JPG

Alright, so let’s get started …

  1. What is MinRole?

To put it in very simple words, MinRole is a new farm topology based on a set of predefined server roles which got introduced in SharePoint Server 2016. Unlike the old traditional SharePoint farm topologies where you add a server to a farm and then configure it, here you can select the role of a server when you create a new farm or join a server to an existing farm and SharePoint will automatically configure the services on each server based on the server’s role. SharePoint Server 2016 by default has been optimized for the MinRole farm topology.

So, the point here to understand is, with MinRole you don’t need to add servers to a SharePoint farm and then configure each server in the farm as WFE, APP, Search etc.… MinRole will do that magic for you. Once you add a new SharePoint 2016 server to a farm and run the configuration wizard you would get a screen as shown below which asks you to choose the appropriate role .Once you select the appropriate role ,SharePoint will automatically turn on and configure the necessary services based on the server’s role.

2.png

Now that we have understood about MinRole, let’s understand how to deploy a SharePoint 2016 farm using MinRole topology.

2.How to deploy a SharePoint 2016 farm using MinRole topology?

Before I go ahead and discuss about how to deploy a SharePoint 2016 farm using MinRole topology, let’s refresh ourselves by taking a glance at the default SharePoint 2013 streamlined topology which we’re already used to. Let’s look at the image below to understand about the default SharePoint 2013 streamlined topology…

18.png

So as shown in the image above, in SharePoint 2013 when you create or add a new server to the farm you have to manually go to the “Manage services on server “section on Central administration site and turn on the required services after which you would be configuring the required service application (Ex: Search Service Application, Managed metadata service application, User Profile service application & Distributed Cache service application etc.…)

services-on-server.jpg

However, the good news with SharePoint 2016 you don’t need to spend time on turning on the required services under “Manage services on Server “. You just need to focus on choosing the required role on the “Specify server role “window which I just described above and SharePoint  will take care of the rest for you. Hang on, let’s be clear here …. SharePoint will only take care of automatically turning on the required services but the service application has to be configured by you as an admin. I guess while reading this, you must have this question in mind … “Well this is cool, but how does SharePoint manages to do this by itself? “…The answer to this follows, when you create a new farm or join a machine to an existing farm, SharePoint starts the base set of service instances that are required for the server’s role. It also detects which additional services have been enabled in the farm and starts the matching service instances as appropriate for the server’s role. Finally, it detects which service applications have been created in the farm and which services are necessary to support those service applications. Those service instances will be started as appropriate for the server’s role, as well.

MinRole management of service instances doesn’t happen only when you join a server to a farm. As you enable or disable services in the farm, or as you create and delete service applications in the farm, MinRole starts and stops service instances on the existing servers in the farm. This ensures that each server in your SharePoint farm is running exactly the services it needs.

So, the end result is, you as a SharePoint farm administrator can only focus on what services you want to run in your farm and not worry about where they’re running. The MinRole topology in SharePoint will take care of the rest.

Also, let’s take a look at the image below which illustrates how the SharePoint services are scattered between these different server roles while using MinRole topology.

1.PNG

All the user interactive scenarios would be running on the WFE role, all the background tasks such as Search, UPS etc. would be running on the APP role and finally the caching services would be running on the DC role .

Well, hang on …. I still didn’t tell you how to deploy a SharePoint 2016 farm using MinRole. There’s two variants to do this … 1. Using the SharePoint product configuration wizard 2. Using PowerShell.

  1. Using the SharePoint Configuration Wizard:

So, you can choose the role of a server while adding it to the farm using the below mentioned screen which you get while running the product configuration wizard.

2.png

  1. Using PowerShell:

POWERSHELL.png

Now that we have understood how to deploy a SharePoint 2016 server /farm using MinRole, let’s try to understand the different roles available in MinRole topology.

  1. Different server roles in MinRole:

The below mentioned image from one of my presentations on SharePoint 2016 clearly illustrates the different roles that are available in MinRole.

3.PNG

4.PNG

So, based on your need/architecture planning you can choose the appropriate role. However, this architecture might sound quite costly because with MinRole you can’t add two application roles together like how we used to do in SharePoint 2013 for small farms with 4 to 6 servers, meaning you don’t get to enjoy the privilege of having Search and Managed metadata or may be Search and User Profile service running on the same server. In MinRole if you do so then that particular server would be marked as non-compliant. But Microsoft has listened to its customers about this and has made some changes to the MinRole feature in Feature Pack 1 release for SharePoint 2016 and I’ll be talking in detail about that later on  this article.

Note: The concept of Service packs is gone in SharePoint 2016 and is now replaced with Feature packs. You don’t get to see Service packs anymore at least on SharePoint 2016. Also, the Feature packs won’t be as separate packages like your service packs which gets released separately( i.e. once in 12 months as a separate package ). A particular month’s CU/PU would be called as a feature pack where Microsoft would ship all the fixes/new features and that month’s CU would be called as Feature Pack. Till now Microsoft has release Feature Pack 1 (i.e. Nov 2016 CU) and you can find the details about that in this link below . So, a specific month’s CU would be released as a FP hereafter .

https://support.microsoft.com/en-us/help/3127940/november-8,-2016,-update-for-sharepoint-server-2016-kb3127940

Microsoft was quite ahead of their schedule while they released FP1 as the original release date was planned on 2017 .However they managed to release that on Q4 of 2016 itself .

This image below depicts the roadmap for SharePoint Server 2016 :

Roadmap.png

Alright , let’s jump into the different type of topologies in MinRole .

  1. Different type of MinRole topologies :

Now that we have seen a lot about MinRole , I guess it really begs the question of how to choose the appropriate SharePoint topology while using MinRole . Well , let’s go and take a look at it . Shall we ?

A typical SharePoint 2013 Topology :

This is how a typical SharePoint 2013 Topology would look like . Please check the image below .

9.png

In this case the SharePoint Administrators manually configure services on each server to fit these roles and in addition that as features and services are added, administrators have to determine where these components should run based on best practices, current server load, etc.

But this is not the case with SharePoint 2016 MinRole Topology , since this is a role based architecture you can directly choose the role you want to deploy and MinRole will take care of the rest . Please check the image below which depicts a SharePoint 2016 MinRole topology architecture .

SharePoint 2016 MinRole Topology :

MinRole topology.PNG

As shown in the image above, you need not less than 4 servers to deploy a SharePoint 2016 farm.  If you’re including SQL then in that case you need at least 5 servers for MinRole. Also , Minimum configuration does not have any resiliency.

Let’s see how this works when you want to plan a SharePoint 2016 HA farm with MinRole topology .

6.PNG

8.png

So, as you can see in the image above , two servers are required for each role . When it comes to  Distributed  cache three servers are required in a cluster quorum . We also need SQL availability groups to achieve HA in the SQL layer. So, in total you might require 13 servers altogether if you’re also adding Office Online server in HA .

However , this count may vary based on your architecture and planning . Please check the image below where I’ve designed a HA SharePoint 2016 farm with proper planning .In this case the total number of servers required is 18 .So the point to note here , based on your business needs you can scale out the total number of servers for HA .

10.PNG

Custom 3 Tier MinRole Topology:

This is how a custom 3 tier MinRole topology looks like. The front-end servers are benefited from MinRole. The custom server role is used to configure custom servers to run majority of SharePoint service applications and reduce the number of servers.  Unlike MinRole, the services have to be manually configured on the custom server role. It’s the job of the SharePoint Administrators to configure the required services on the custom server.

custome 3 tier.PNG

Custom HA Topology with Search:

custom HA with search

This is how this architecture has been planned,

  • Two load balanced servers with Front-end role.
  • Two custom servers running distributed cache, User Profile Sync, Secure Store.
  • Two servers with Search server role.
  • SQL servers configured with always on availability groups.

5.MinRole -Before and after Feature Pack 1:

Now, if you see the complete overview of MinRole you might understand that you need high budget to implement this due to the total number of servers required. Unlike SharePoint 2013, you don’t get to add the roles together in a single server (i.e. Custom Role) while using MinRole topology and this might increase the budget and many customers have reported the same concern to Microsoft. As always, Microsoft listened to their customer’s feedback and they’ve made some changes to this in Feature pack 1. Let’s look at that in the image below.

11.PNG

I guess the image above gives a detailed explanation about the changes to MinRole topology post FP1 . So, post FP1 you can add two roles together which will reduce the total number of servers required to build a SharePoint 2016 farm using MinRole.

post FP1.png

If you’re interested in knowing more about the new features that was introduced in Feature Pack 1, please take a look at the link below.

https://blogs.office.com/2016/09/26/announcing-feature-pack-1-for-sharepoint-server-2016-cloud-born-and-future-proof/

  1. The benefits of using MinRole:

Listed below are the benefits of using MinRole.

  1. Simpler Deployments
  2. Improved Performance and Reliability
  3. Simpler Capacity Planning and Farm Scalability.

Simpler Deployments:

  • SharePoint Administrators no longer need to worry about which services have been enabled on which servers.
  • Administrators can reduce the risk of slight misconfigurations during installation by leveraging a template-type deployment.
  • Administrators can focus on what functionality to enable in the farm and let SharePoint take care of the rest.

Improved Performance and Reliability:

  • Microsoft has been operating SharePoint online since 2011 and has analyzed key performance characteristics of operating SharePoint at an internet scale such as CPU, Memory, disk I/O and network latency.
  • SharePoint has been optimized for MinRole topology based on all that analysis /learning which Microsoft learned from operating SharePoint Online in their own datacenters for years.
  • Improved service application load balancer services requests from local service instances instead of going across the farm to another server.

Simpler Capacity Planning and Farm Scalability:

  • In SharePoint 2016, Microsoft bases capacity planning on the MinRole topology.
  • Leverage predictable and perspective capacity-planning guidance by deploying a farm based on the MinRole topology.
  • As SharePoint needs grow, easily add more servers to the farm and SharePoint will automatically configure the additional servers.
  1. MinRole Administration:

You can administer MinRole from the Central administration site and also via PowerShell

Using Central Administration site:

13.PNG

You can change the role of a server after it’s deployed and also check whether the server is complaint from the central administration site itself.  The same can be achieved using PowerShell as well. A server in the farm which was acting as WFE today can be made as a APP tomorrow and once you change the role SharePoint will automatically turn on and off the required services .

Using PowerShell:

POWERSHELL.png

Note: There’s some bugs that has already been identified and reported to MS while toggling the role of server from the Central Administration site and hence it’s better to use PowerShell to change the role of a server

8.MinRole compliancy:

  • Once a Server’s role is configured, only those services appropriate for that role can run on that server.
  • SharePoint 2016 has a new set of Health Analyzer rules and timer jobs to identify when a server isn’t MinRole complaint.
  • If a service is accidently turned on and shouldn’t be running on that server, SharePoint will automatically turn it off.

compliancy.PNG

 14.png

9.Opting out of MinRole:

As a SharePoint administrator, you can always say no to MinRole if you’re not planning to use it. This can be achieved by assigning some/all the servers in the farm to the custom role and then manually manage service instances on these servers. Also, you need to consider using “ServerRoleOptional” parameter when creating a new SharePoint farm if existing deployments script needs to remain intact.

10.How/where to deploy 3rd party apps while using MinRole?

Well, the answer to this simple. Yes, you guessed it correctly, so it’s the “Custom Role” that you need to choose while deploying any third-party applications such as (Ninetex Workflows, AvePoint etc.). In addition to that, services like PerformancePoint, PowerPivot etc. would best fit in the custom role.

MinRole is truly phenomenal and would definitely reduce the risk and the time taken by a SharePoint administrator to deploy a SharePoint 2016 farm. Microsoft has done an awesome job in introducing MinRole on SharePoint 2016 which would definitely reduce all our burdens as SharePoint administrators. Thanks for reading this post …. Happy SharePointing!!!

What is Secure Score in Office 365?

Secure-Keyboard-Hero

This post is on a new service which was introduced by Microsoft couple of months back called as “Office 365 Secure Score “. If you’ve ever wondered how secure your Office 365 tenant really is, then it’s time about time now to stop wondering because we have “Secure Score “now to take care of that. So, what’s this new service called as Office 365 secure score? What does it do? How do I make use of it? …. Well, I’m going to answer all those questions that you have in your mind about Office 365 secure score in this article and you will also learn about how to make use of this service to enhance your business with Office 365. Alright, let’s get started …. Shall we?

What is Office 365 secure score?

This is how Microsoft defines Office 365 secure score … “The Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data in Office 365, and show you what you can do to further reduce that risk “. To put it in very simple words, it’s a tool that runs on the background and checks the security standards of all the service used by you as an organization (i.e. SharePoint Online, Exchange Online, Skype for Business Online, Azure AD etc. …) and assigns a credit score.

What’ the idea behind Office 365 secure score?

The approach by Microsoft to this experience was very simple. First, they created a full inventory of all the security configurations and behaviors that customers can do to mitigate risks to their data in Office 365 (there are about 77 such things in total). Then, they evaluated the extent to which each of those controls mitigated a specific set of risks and awarded the control some points. More points means a more effective control for that risk. Lastly, they measured the extent to which the service has adopted the recommended controls, add up the points, and present it as a single score.

How to use Office 365 secure score?  

  1. The first thing you would notice once you login to the secure score portal is the welcome screen (check the screenshot below) which gives you a small definition about Office 365 secure score. In the below mentioned screenshot I’ve logged into the secure score portal of my Office 365 tenant by accessing this URL (i.e. https://securescore.office.com/ ) and I get this screen which gives me a welcome message about Office 365 secure score.

1.PNG

Note: If you already logged into your tenant you can directly access the Secure Score URL which I mentioned above and it will allow you inside the portal without prompting for your credentials once again.

2. Once you read all the welcome messages about Secure score you will get two different tabs as shown in the image below.

                    i)Dashboard.

                   ii )Score Analyzer.

2

3. The first tab which says “Dashboard” is where you get to see the secure score summary. This panel gives you your current Secure Score, and the total number of points that are available to you, given your subscription level, the date that your score was measured, as well as a simple pie chart of your score. The denominator of your score is not intended to be a goal number to achieve. The full set of controls includes several that are very aggressive and will potentially have an adverse impact on your users’ productivity. Your goal should be to optimize your action to take every possible risk mitigating action while preserving your users’ productivity. The below mentioned screenshot depicts the secure score summary of my Office 365 tenant where I’ve scored 61 out of 344 as on May 27, 2017.

14.PNG

4. The next section on the “Dashboard” tab after the “Secure score summary” section would be the section which tells how to improve your score. It gives you the targeted score that you can achieve for your tenant and lists out the action items to improve your score. You can make use of the slider to preview your improved score as shown in the image below.

15.PNG

5. The next section will list out all the pending action items that I’m supposed to complete to achieve the maximum score.

4

6. Now, let’s look at few pending action items to see what it means and how it would impact my Secure score in Office 365.

i) Designate less than 5 global admins:

16.PNG

This one says that I should designate less than 5 global administrators for Office 365 tenant and in my case, I’ve breached it by making it as 6. Hence, it’ asking me to correct it and it also gives me an overview about the score I would get by doing so.

ii) Enable MFA for all global admins:

17.PNG

This one says that I have to enable Multi factor authentication for all my 6 global admin accounts as none of accounts have that enabled and this is considered to be a security breach. It also tells me that I can achieve a score of 50 by doing so.

7) The next section under the “Dashboard” tab is the “Risk Assessment “section which gives me an overview about the top threats in my tenant. It is very important that Office 365 global administrators should read this and understand the risks they are mitigating every time they take an action.

18.PNG

Let’s look at the “Account breach” scenario here and see the details about the risk.

19Compare your score:

The Office 365 Average Secure Score is calculated from every Office 365 customer’s Secure Score. You can use this section to understand how your score stacks up against the average score.

Note: The Average Secure Score only includes the numerator of the score, not the denominator. So, the average points may be higher than you can achieve because there are points in controls associated with services that you have not purchased (meaning , you might be using a different plan such as E3 whereas other customers might be using E5 or other plans) .

5

 

Alright, now let’s look at the “Score Analyzer” tab in the Secure Score portal.

Score Analyzer:

As of now, it’s only the global administrators who have access to the “Secure Score “portal and in the future, it would be made available to other administrators as well such as SharePoint Online administrator, Exchange Online administrator & Skype for Business administrator. However, in the interim you can use the “Score Analyzer “tab to export the secure score results and share it with your executives or stakeholders or other administrators (i.e. SharePoint Online, Exchange Online etc.)  so that they’re aware of the progress that’s made on risk mitigation in Office 365. The Score Analyzer experience allows you to review a line graph of your score over time, to export the audit of your control measurements for the selected day to either a PDF or a CSV, and to review what controls you have earned points for, and which ones you could act on.

  1. The below mentioned image depicts the “Score Analyzer” tab of my secure score portal.

6.PNG

2. I can make use of the “Export “button on the top right corner to export these results in PDF & CSV format.

7.PNG

3. It also gives you an overview of all the “Complete “and “Incomplete” actions and the scores associated to those action items as shown in the image below.

10.PNG

4 .The “Complete “and “Incomplete” actions are classified based on three different categories as you see below (i.e. Account, Data & Device)

20.PNG

5. Finally, I can make use of the “Export “button which I mentioned above to export the results to a PDF/CSV Please check the image below to see a sample report.

8.PNG

So finally, to conclude, the Secure Score is indeed a great tool to keep your Office 365 tenant as secure as possible and at the same time you need to be aware that the Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.

Resources to know in detail about Secure Score in Office 365:

Microsoft Mechanics video on Office 365 Secure Score: https://youtu.be/h__nxWlm5Nc

Office 365 Secure Score API:  https://blogs.technet.microsoft.com/office365security/using-the-office-365-secure-score-api/

You can also check my Webinar recording on Office 365 where I’ve shown a small demo on Office 365 secure score. Here’s the link to that: https://youtu.be/HYcfXWN30O0

Thanks for reading this post …. Good luck with Secure Score in Office 365!!!

 

Webcast of SharePoint Virtual Summit:

sharepoint-virtual-summit-2017.jpg

For those who missed to attend the SharePoint Virtual Summit session which was held on May 16th , please make use of the link below to watch the webcast on demand

https://event.microsoft.com/events/2017/1705/SharepointSummit/

Watch the webcast to learn how to create a connected workplace in Office 365 with OneDrive and SharePoint, integrated with Yammer, Microsoft Teams, Windows, PowerApps and Microsoft Flow.

In this webcast , Microsoft has unveiled the latest innovations and roadmap, and you’ll learn how industry-leading customers are leveraging these technologies as part of their digital transformation. Discover how Office 365, connected with Windows and Azure, is reinventing productivity for you, your teams and your organization.

Happy SharePointing !!!