Retrieve and export Office 365 Group Members (Part02)

This is the second part of the article series “Retrieve and export Office 365 Group Members”; this post covers the second scenario below.


  1. Retrieve and export members of an specific Office 365 group (Part01)
  2. Retrieve and export members of all Office 365 groups (Part 02)

The best tool to run this kind of script is the PowerShell ISE. Copy the following code, paste it into the PowerShell ISE, and make sure you are running it as Administrator.


### All users of all groups
$CSVPath = "C:\Exports\AllGroupMembersList.csv"

### Get Credentials
$Credential = Get-Credential

### Create Session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

### Import Session
Import-PSSession $Session -DisableNameChecking

### Remove the CSV file if it already exists
If (Test-Path $CSVPath) { Remove-Item $CSVPath }

### Retrieve all Office 365 Groups (the default result size is 1000, so ask for all of them)
$O365Groups = Get-UnifiedGroup -ResultSize Unlimited
ForEach ($Group in $O365Groups)
{
    Write-Host "Group Name:" $Group.DisplayName -ForegroundColor Green

    ### Get the members once, then show them on screen and append them to the CSV
    $Members = Get-UnifiedGroupLinks -Identity $Group.Id -LinkType Members
    $Members | Select-Object DisplayName, PrimarySmtpAddress

    ### Export to CSV with the group name on every row
    $Members | Select-Object @{Name="Group Name";Expression={$Group.DisplayName}},`
         @{Name="User Name";Expression={$_.DisplayName}}, PrimarySmtpAddress | Export-CSV $CSVPath -NoTypeInformation -Append
}

### Remove the session
Remove-PSSession $Session
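Since the point of the export above is auditing, the useful follow-up is to compare two exports and list who was added to or removed from any group between runs. The block below is an added example, not code from the original post; the two CSV contents are constructed sample data standing in for two dated copies of AllGroupMembersList.csv, and Compare-GroupMembership is a name chosen here.

```powershell
# Added example: diff two group-membership exports produced by the script above.
# Both inputs are constructed inline so the block runs offline; in practice read
# two dated copies of AllGroupMembersList.csv with Import-Csv instead.

$PreviousCsv = @'
"Group Name","User Name","PrimarySmtpAddress"
"Internal IT","Manoj","manoj@mantoso.onmicrosoft.com"
"Internal IT","Linda","linda@mantoso.onmicrosoft.com"
"Finance","Alex","alex@mantoso.onmicrosoft.com"
'@

$CurrentCsv = @'
"Group Name","User Name","PrimarySmtpAddress"
"Internal IT","Manoj","manoj@mantoso.onmicrosoft.com"
"Finance","Alex","alex@mantoso.onmicrosoft.com"
"Finance","Sam","sam@mantoso.onmicrosoft.com"
'@

function Compare-GroupMembership {
    param(
        [Parameter(Mandatory)] [object[]] $Previous,
        [Parameter(Mandatory)] [object[]] $Current
    )
    # One comparable key per row: group name plus address (addresses compared case-insensitively)
    $key = { "{0}|{1}" -f $_.'Group Name', $_.PrimarySmtpAddress.ToLowerInvariant() }
    $prevKeys = @($Previous | ForEach-Object -Process $key)
    $currKeys = @($Current  | ForEach-Object -Process $key)

    # Compare-Object returns only the keys present on one side; '=>' means only in the current export
    Compare-Object -ReferenceObject $prevKeys -DifferenceObject $currKeys |
        ForEach-Object {
            $group, $address = $_.InputObject -split '\|', 2
            [pscustomobject]@{
                Group  = $group
                Member = $address
                Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            }
        }
}

$changes = Compare-GroupMembership -Previous (ConvertFrom-Csv $PreviousCsv) -Current (ConvertFrom-Csv $CurrentCsv)

# Review the changes on screen and keep them as the audit record for this run
$changes | Sort-Object Group, Change | Format-Table -AutoSize
$changes | Export-Csv -Path "C:\Exports\GroupMembershipChanges.csv" -NoTypeInformation
```

With the sample data, the report shows one removal from Internal IT and one addition to Finance; unchanged rows are not listed.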

Once pasted, it should look like this. Make sure to replace the $CSVPath value before you run it.


Just hit the play button to run the whole thing, or highlight a specific line to run only that line.


If all went well, you should see no prompts or errors other than the credentials prompt.

The group members, with their respective group names, will be listed in the PowerShell result pane, just like below.


And if you go back to your export folder, the CSV will be sitting there for you to open and inspect.


DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor. Please do not copy/duplicate the content of the post unless you are authorized by me to do so.


Retrieve and export Office 365 Group Members (Part01)

Members of an Office 365 group can be retrieved and exported into a CSV file using Office 365's command-line (PowerShell) capabilities.


I recently had a requirement in a large enterprise setup to retrieve the member lists of a specific set of top-level groups and export them into a CSV file for auditing purposes. This could be a common requirement, so here it is as a quick blog.

We will cover two scenarios here.

  1. Retrieve and export members of an specific Office 365 group (Part01)
  2. Retrieve and export members of all Office 365 groups (Part 02)

Let’s cover the first scenario. Log in to the Office 365 portal, head to the Admin Center page –> Groups –> click on the respective group and copy the group mail address.


Now let’s run PowerShell as an Administrator and make sure the execution policy is set to RemoteSigned (if you haven’t yet, run this on the device you are going to do this task from: Set-ExecutionPolicy RemoteSigned).

Here are the commands, piece by piece. The full script is given at the end.

$Credential = Get-Credential


Enter the Admin credentials for your tenant here.


$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection


Import-PSSession $Session -DisableNameChecking

The import might take a few seconds to load the modules, as shown below.


Now, replace the “Identity” parameter value with the group mail address you copied and run this line.

Get-UnifiedGroup -Identity "InternalIT@mantoso.onmicrosoft.com" | Get-UnifiedGroupLinks -LinkType Member


And here’s the command to export what we retrieved. Again, replace the Identity value and the output path before running it.

Get-UnifiedGroup -Identity "InternalIT@mantoso.onmicrosoft.com" | Get-UnifiedGroupLinks -LinkType Member | Select DisplayName,PrimarySmtpAddress | Export-CSV "C:\Exports\MembersList.csv" -NoTypeInformation


After running the last line, you should see the CSV file created under the given path.


Open it and it should contain all the entries, as in my example below.


Here’s the full script of the same thing. You can run it all at once as well.

### Get O365 Credentials
$Credential = Get-Credential

### Provision the session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

### Import session
Import-PSSession $Session -DisableNameChecking

### Retrieve Members of Office 365 Group
Get-UnifiedGroup -Identity "InternalIT@mantoso.onmicrosoft.com" | Get-UnifiedGroupLinks -LinkType Member

### Export (must run while the session is still open)
Get-UnifiedGroup -Identity "InternalIT@mantoso.onmicrosoft.com" | Get-UnifiedGroupLinks -LinkType Member | Select DisplayName,PrimarySmtpAddress | Export-CSV "C:\Exports\MembersList.csv" -NoTypeInformation

### Remove the session last, after the export has used it
Remove-PSSession $Session
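The session above authenticates with Basic authentication, which Microsoft has since retired for Exchange Online remote PowerShell. The block below is an added example, not code from the original post, showing the same single-group export through the ExchangeOnlineManagement module's Connect-ExchangeOnline (assumed installed via Install-Module ExchangeOnlineManagement), with the group lookup failing early instead of silently producing an empty file. Export-GroupMembers is a name chosen here; the admin account, group address and path are placeholders.

```powershell
# Added example: single-group export using Connect-ExchangeOnline instead of the
# Basic-auth New-PSSession connection. Assumes the ExchangeOnlineManagement module
# is installed; all addresses and paths below are placeholders to replace.

function Export-GroupMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        [Parameter(Mandatory)] [string] $CsvPath
    )
    # A mistyped group address should stop the run, not produce an empty CSV
    $group = Get-UnifiedGroup -Identity $GroupIdentity -ErrorAction Stop
    $members = @(Get-UnifiedGroupLinks -Identity $group.Id -LinkType Members -ResultSize Unlimited)
    if ($members.Count -eq 0) {
        Write-Warning "Group '$($group.DisplayName)' has no members; nothing exported."
        return 0
    }
    $members |
        Select-Object @{Name = 'Group Name'; Expression = { $group.DisplayName }},
                      @{Name = 'User Name';  Expression = { $_.DisplayName }},
                      PrimarySmtpAddress |
        Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    return $members.Count
}

# Interactive sign-in (works with MFA); -UserPrincipalName only pre-fills the account name
Connect-ExchangeOnline -UserPrincipalName admin@mantoso.onmicrosoft.com -ShowBanner:$false
try {
    $count = Export-GroupMembers -GroupIdentity 'InternalIT@mantoso.onmicrosoft.com' -CsvPath 'C:\Exports\MembersList.csv'
    Write-Host "Exported $count member(s)." -ForegroundColor Green
}
finally {
    # Tear the session down even if the export threw
    Disconnect-ExchangeOnline -Confirm:$false
}
```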


Turn an existing folder in to a Teams Channel

This is a small real-world case that I resolved a few days back. Some may not understand the difference between folders and channels, so they sometimes create folders inside SharePoint libraries to achieve what they need.


If you ever wondered whether these folders can be turned into channels, worry no more! Here’s the quickest way to do it.

Head to your Teams site and find the folder name which you want to turn into a channel. In my case it’s the “Linda Scope” and “Northwind Scope” folders.


Now go to your respective Team from the Teams app and click on “Create more channels” to create a channel under the relevant Team.

Name it identically to the folder and hit “Add”.

That’s it! Now if you upload a file into your original location (the SharePoint folder) and check back in the Teams channel, it should be right there.


This simply means that our goal is achieved.

Stay tuned for more interesting articles.

Calling all SharePoint Admins: Have you patched your servers?

A critical vulnerability in SharePoint Server has been identified which could allow remote code execution.

Many enterprises use Microsoft SharePoint as their primary collaboration and content management platform, and there is still a significant number of SharePoint on-premises deployments across the world. This alert is for the admins who manage on-premises deployments: take it seriously and act fast.

The critical security vulnerability is identified as CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability, and Microsoft describes it as follows.

  • A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
  • Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.
  • The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.

Critical: It is highly important that you follow the table below and update your servers accordingly. As of now, Microsoft has not identified any mitigating factors or workarounds for this issue; however, the listed security updates will keep your servers clear of the vulnerability.

CVE-2019-0604 (Critical): SharePoint Updates (the update table was an image in the original post and is not reproduced here).

The following links should help you patch your servers.

2016: https://docs.microsoft.com/en-us/SharePoint/upgrade-and-update/install-a-software-update
2013: https://docs.microsoft.com/en-us/SharePoint/upgrade-and-update/software-updates-overview-for-sharepoint-server-2013

Stay ahead on Hybrid Identities–Microsoft’s Azure AD Connect v1.3.20.0 has a lot to offer

Microsoft released the latest version of Azure AD Connect last week, which was long awaited!

Azure AD Connect is the bridge that many organizations use to synchronize identities (objects and their attributes) between on-premises and cloud environments. However, not every feature bundled in this release targets every audience. You can choose the ones that are most applicable to your organization’s environment.

Download the latest version of AADConnect

Fixes in this version:

  1. Fix the SQL reconnect logic for ADSync service
  2. Fix to allow clean Install using an empty SQL AOA DB
  3. Fix PS Permissions script to refine GWB permissions
  4. Fix VSS Errors with LocalDB
  5. Fix misleading error message when object type is not in scope
  6. Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect.
  7. Fixed PHS bug on Staging Server when Connector Credentials are updated in the old UI.
  8. Fixed some memory leaks
  9. Miscellaneous Auto upgrade fixes
  10. Miscellaneous fixes to Export and Unconfirmed Import Processing
  11. Fixed a bug with handling a backslash in Domain and OU filtering
  12. Fixed an issue where ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.

New features and advancements (19 new things in one go!)

  1. Add support for Domain Refresh
  2. Exchange Mail Public Folders feature goes GA
  3. Improve wizard error handling for service failures
  4. Added warning link for old UI on connector properties page.
  5. The Unified Groups Writeback feature is now GA
  6. Improved SSPR error message when the DC is missing an LDAP control
  7. Added diagnostics for DCOM registry errors during install
  8. Improved tracing of PHS RPC errors
  9. Allow EA creds from a child domain
  10. Allow database name to be entered during install (default name ADSync)
  11. Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances
  12. Modify Group Sync Rules to flow samAccountName, DomainNetbios and domainFQDN to cloud – needed for claims
  13. Modified Default Sync Rule Handling – read more here.
  14. Added a new agent running as a windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent see What is the Azure AD Connect Admin Agent?.
    Updated the End User License Agreement (EULA)
  15. Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
  16. Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
  17. Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
  18. Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate.
  19. Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation.

If you plan to upgrade, the following resources should be your first reads.

Office 365 Multi-Geo Part03 (Configuring)

This is part 03 of this article series, where we go through the technical part of enabling Multi-Geo in Office 365.

Part 1: Get Started

Part 2: Planning and recommendation

Part 3: Configuration

Let’s ensure that we have the following in place before getting started.

  1. Office 365 Multi-geo capability is added to the tenant. As the introductory article stated, this capability is a user-level service plan that is optional for you to add. If you have worked closely with your account team this might be all set to go by now.
  2. Test users created and are ready to use.

If you have enabled Multi-Geo, a new tab called “Geo Location” should now appear under the settings in the SharePoint and OneDrive admin panels.

To add new geo locations:

  1. Open the SharePoint admin center and navigate to the Geo locations tab.
  2. Click Add location, select the location that you want to add, and then click Next.
  3. Type the domain that you want to use with the geo location, and then click Add.
  4. Click Close.

Every new location that you add here is called a “satellite location”.


If everything went well, you will receive an email notification a few hours after provisioning. It could take up to 72 hours, depending on the size of your tenant.

Once the new geo location appears in blue on the map on the Geo locations tab in the OneDrive admin center, you can proceed to set users’ preferred data location to that geo location. A new satellite location comes with the default settings, which gives you the freedom to localize it as per your compliance needs.

After enabling the satellite locations, it is recommended to set the Preferred Data Location (PDL) for every user in the directory. In Azure AD there are two types of identities, Cloud and Synchronized, and you have to follow the right instructions for each of them when it comes to setting the PDL.

Setting PDL for cloud only users (Azure Users)

User objects that are not synchronized from a local AD are the cloud ones. You have to use Microsoft Azure AD PowerShell to set this configuration for such users. This procedure needs the Azure AD Module for Windows PowerShell.

  1. Launch the Microsoft Azure Active Directory Module for Windows PowerShell, run the following line and enter the Admin credentials for your Office 365 tenant.

Connect-MsolService

  2. Now let’s run the next line to set the PDL for a specific user.

Set-MsolUser -UserPrincipalName manoj@mantoso.onmicrosoft.com -PreferredDataLocation AUS

  3. To find out if this has executed properly, you can use the following command. It should return the new PDL value.

(Get-MsolUser -UserPrincipalName manoj@mantoso.onmicrosoft.com).PreferredDataLocation

Notes: During the new user creation process, it is recommended that you include the Set PDL command at the end of the workflow, so that you do not have to do it as a separate task.

For users with no OneDrive provisioned yet, it is better to wait at least 24 hours to allow the change to propagate in the backend. This ensures that OneDrive sites are provisioned in the correct PDL for such users.
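Part 02 of this series recommends preparing a list of users with their UPNs and working through it in batches; the block below is an added example, not code from the original post, that applies the three steps above to such a list and reads each PDL back to confirm it. It uses the same MSOnline cmdlets as the post (Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell); the user batch, the allowed geo codes and the function name Set-UserPdlBatch are constructed here.

```powershell
# Added example: set the Preferred Data Location for a batch of users and verify
# each change, using the same MSOnline cmdlets as the post. The batch CSV and the
# list of enabled geo codes are constructed sample data; replace them with your own.

# Geo codes that have actually been added as satellite locations in this tenant (assumed)
$AllowedGeoCodes = @('AUS', 'CAN')

$BatchCsv = @'
UserPrincipalName,PreferredDataLocation
manoj@mantoso.onmicrosoft.com,AUS
linda@mantoso.onmicrosoft.com,CAN
northwind@mantoso.onmicrosoft.com,BRA
'@

function Set-UserPdlBatch {
    param(
        [Parameter(Mandatory)] [object[]] $Batch,
        [Parameter(Mandatory)] [string[]] $AllowedGeoCodes
    )
    foreach ($row in $Batch) {
        $upn = $row.UserPrincipalName.Trim()
        $pdl = $row.PreferredDataLocation.Trim().ToUpperInvariant()

        # Refuse geo codes that are not configured satellite locations before calling the service,
        # so a typo in the batch file cannot send a user to an unintended geo
        if ($pdl -notin $AllowedGeoCodes) {
            [pscustomobject]@{ UserPrincipalName = $upn; Requested = $pdl; Actual = $null; Status = 'Skipped: geo code not enabled' }
            continue
        }
        try {
            Set-MsolUser -UserPrincipalName $upn -PreferredDataLocation $pdl -ErrorAction Stop
            # Read the value back (step 3 of the post) instead of trusting that the call succeeded
            $actual = (Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop).PreferredDataLocation
            $status = if ($actual -eq $pdl) { 'OK' } else { 'Mismatch after set' }
        }
        catch {
            $actual = $null
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ UserPrincipalName = $upn; Requested = $pdl; Actual = $actual; Status = $status }
    }
}

Connect-MsolService
$results = Set-UserPdlBatch -Batch (ConvertFrom-Csv $BatchCsv) -AllowedGeoCodes $AllowedGeoCodes
$results | Format-Table -AutoSize

# Keep the per-user outcome next to the batch file as the audit trail for the rollout
$results | Export-Csv -Path 'C:\Exports\PdlRollout.csv' -NoTypeInformation
```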

Setting PDL for Synchronized users (Hybrid Users)

Setting the preferred data location for Hybrid users is a bit lengthy process and is well explained in this post.

Search Experience in a Multi-Geo Setup

Every geo location acts as a search index (you will be familiar with this term if you are a SharePoint person) in a Multi-Geo setup. When there is a search query, the results are returned as a merged result out of all indexes, which means all the satellite locations we added work together behind the scenes towards one goal.

The following search clients are supported in Multi-Geo:

  • OneDrive for Business
  • Delve
  • The SharePoint home page
  • The Search Center
  • Custom search applications that use the SharePoint Search API

Consult this detailed article to understand and configure the search experience in a Multi-Geo setup.

End user experience validation

Validation is of utmost importance before you roll out the change widely across the organization. The following are some key scenarios for you to try out with test users before making it available to everyone.

OneDrive Portal

Click OneDrive from the Office 365 App Launcher. You should be directed to the defined geo location automatically, and provisioning of the service in that PDL will begin. After provisioning, try to upload and download some files and ensure everything works as expected.

OneDrive App

Use a mobile device to log in to the OneDrive app with the test account that you used to upload the files, and verify that the files are available on the mobile device and that you have control to perform actions on those files.

OneDrive Client

Use a laptop or a desktop to verify that the OneDrive sync client works as expected. You can download the latest client by heading to the OneDrive library and clicking “Sync”; this will prompt you to download the client automatically if it doesn’t exist on the particular device.

Office Integration

Open up Word or Excel and check if your OneDrive location appears there. Try to save a file to OneDrive from there and ensure they are synchronized across your devices.

Sharing Experience

Regardless of the changes we made, you should be able to share a OneDrive file seamlessly (subject to your compliance settings). To verify, try to share a file from OneDrive and confirm that the people picker allows you to add any user within the organization regardless of their location.

Office 365 Multi-Geo Part02 (Planning and recommendations)

Multi-Geo capability is a slightly complex topic to cover in a single article, as Office 365 is a diverse platform with multiple sets of business tool offerings, and a Multi-Geo configuration can affect most of these workloads. That’s why the whole article was split into 4 stages, to give you a better and more comfortable reading experience with the necessary breaks.

Part 1: Get Started

Part 2: Planning and recommendation

Part 3: Configuration

Part 4: Managing and Maintaining

I went through the introductory and concept briefing in part 01 of this article series. Now let’s continue with this second stage, which describes planning and recommendations for Office 365 Multi-Geo.

Test run – Highly Critical

Try it out with a test user (or a few) first. Consider having some test users for each use case as shown below, and try out the changes with these users before you roll out to production.

  • Have an existing test user who has an active Office365 account with Exchange, SharePoint, OneDrive being used (with available content)
  • Try to add the capability for this user only
  • Move the user to new PDL
  • Move OneDrive content accordingly
  • Test the functionality for Exchange, OneDrive and SharePoint


Initial rollout (pilot run, targeted run) – Critical

After you have tested with the single user above, use a small group of people (5 would be ideal) as the pilot run. In most cases this group would be from IT staff, as they are technically well aware of the approach and the changes.

Every user should have a preferred data location (PDL) defined, so that when new workloads are created (for example, for users who do not use OneDrive right now but will later) they are provisioned in the new PDL. Office 365 will use the central location for users with no PDL defined. The recommendation is to set the PDL for all users.

Prepare a list of users with their User Principal Name (UPN) and include your test users, pilot users and the other group batches in order. This will help you in the configuration stage and make the procedure easy to follow and well tracked.

Considerations for Hybrid Scenarios

Azure AD Connect supports Multi-Geo by allowing synchronization of the PreferredDataLocation attribute for user objects from AADC version 1.1.524.0 onwards. However, this may vary for each organization; if you are fully cloud with no on-premises dependency, you can ignore this section.

The schema of the object type User in the Azure AD Connector is extended to include the PreferredDataLocation attribute. The attribute is of the type, single-valued string.
The schema of the object type Person in the metaverse is extended to include the PreferredDataLocation attribute. The attribute is of the type, single-valued string.

The PreferredDataLocation attribute is not synchronized by default. This functionality is currently intended for larger organizations (at the moment it is the organization size, rather than the scenario, that determines eligibility). You have to plan for a local (on-premises) AD attribute which will hold the “Office 365 Geo Location” for your hybrid users, as there is no PreferredDataLocation attribute by default in on-premises Active Directory. Further, the PreferredDataLocation attribute can be managed with PowerShell for Azure cloud user objects but not for synchronized objects. For synchronized (hybrid) objects, you must use the AD Connect application.

Before you start on the technical configuration, I would highly recommend that you digest these articles and be aware of the outcomes:

Stay tuned for part 03 (technical steps).


Office 365 Multi-Geo Part01 (Get Started)

Brief of the concept – The name of the feature says it all. Multi-Geo capability of Microsoft Office 365 allows you to have multiple geographical locations (based on Microsoft Data centers) for your Office 365 data other than having everything in one place for everyone in the company.


With this latest capability, your organization will now be able to expand the Office 365 presence to various countries/geographical locations using the existing tenant/subscription and as a result, you can give your users the ability to store their OneDrive, SharePoint and Outlook data in their preferred location.

Technically, this means your Office 365 tenant consists of a main central location and multiple other satellite locations across the globe. This is centrally managed via Azure Active Directory, because your tenant information such as geographical locations, groups and user information is mastered in Azure Active Directory (AAD).

So, why should (or shouldn’t) you go Multi-Geo?

You don’t have to enable it just because it’s a buzzword or others are using it. Multi-Geo is not designed to meet performance optimization requirements but primarily to comply with industry compliance requirements (such as GDPR). Therefore, you have to set and understand the business objective clearly before you start doing it. You may really need it, or you may not.

Technical Eligibility

Doubtless, any Office 365 customer who operates across multiple countries/regions would like to have this functionality for compliance reasons (such as GDPR). However, there is currently an arbitrary limit on this feature: small organizations with fewer than 2500 seats can’t use it. So yes, you need more than 2500 Office 365 licenses to have this enabled.

It surely doesn’t make sense to decide the enablement based on the number of users. What matters is whether you have the need or not. Small organizations, even though they are small in number, can be multi-national. This is a serious point where Microsoft needs to act promptly. Small companies with a global presence should not be limited in their GDPR compliance (e.g. European multinational companies). The community is already raising its voice requesting Microsoft to bring this to everyone, and here’s the UserVoice item if you would like to vote. When there is a strong number of votes, Microsoft is well known for taking it into consideration, so go ahead and vote/comment if you are in need of this function.

Available Locations

This is the list of all locations available as of now for you to add as a satellite location when you configure Multi-Geo.

Important: Not all locations are supported as Multi-Geo locations (e.g. South America), and not all Office 365 workloads support a Multi-Geo setting at the user level.

Key terms of Multi-Geo

Tenant – or Subscription in business terms, is the top level. A tenant represents an organization uniquely within Office 365 umbrella usually attached to one or more domain name/s (e.g. mantoso.com)

Geo Locations – Geographical locations (Microsoft Data center locations) available to host an Office 365 tenant’s data.

Satellite Locations – Other locations (e.g. North America, Australia) that you have added to the tenant apart from the Initial (Central) location (India)

Central Location – Where your tenant was originally provisioned

PDL (Preferred Data Location) – Location where a user prefers to store his data. Admins can set this to any location within the configured geos. Important: if you change the PDL for a user who utilizes OneDrive, his OneDrive content will not be automatically moved to the new Preferred Location (PDL). Yes it means you have to manually move them using this method. Exchange mailbox of the same user however, will be automatically moved to the new PDL.

Geo Admin – An administrator who can manage one or more of the defined geo locations in your tenant

Geo Code – A 3-letter code that identifies a particular geo location (e.g. AUS, CAN)

Initial Steps (Fundamental) to get started

There are a few things that need to be in place before you get started with Multi-Geo. First and foremost, this is a major organizational-level change. Therefore you can only go ahead if your senior leadership has advised you to carry out the change, so ensure that it comes from the correct authorities.

  1. You need to work with the accounts team to add Office 365 Multi-Geo to your service plan. This is something you have to do offline, as only the account team can guide you when it comes to licenses and commercials. So meet the right person who handles your Microsoft contract internally.
  2. Then, discuss and finalize the satellite locations with the respective authorities of your organization and add them to your tenant.
  3. Set the Preferred Data Location (PDL) for every user in the organization. When a OneDrive or Exchange mailbox is created, it resides in their PDL.
  4. Migrate the OneDrive content of the users you have moved to the new PDL manually using these steps. Nothing to worry about for Exchange mailboxes here, as they will be moved automatically.

Detailed technical steps are demonstrated in the part 02 of this series
