Category: Skype for Business

September 24th, 2021 by Rudy Mens

Keeping track of your Office 365 Mailbox sizes is important. You don’t want the mailboxes of your users to reach their send and receive quota, to prevent errors like “Mailbox size limit Exceeded”. With the help of PowerShell, we can create an Office 365 Mailbox ...

The post Office 365 Mailbox Size Report with PowerShell appeared first on LazyAdmin.

Posted in Skype for Business

September 24th, 2021 by Christian Buckley
Are you curious about the latest updates to Microsoft 365 analytics and how they've changed over the years? Click here to learn more.


September 24th, 2021 by johnacook

https://blog.chiffers.com/2021/09/24/configuring-teams-handsets/


September 24th, 2021 by Craig Chiffers

 

Teams handsets are a great way of bringing Teams telephony in physical form to your users who prefer a traditional telephone over a headset, or to provide telephone services in common areas, meeting rooms or to guests.

Let’s take a look at how to get them set up in your organisation and how to manage them with your existing tooling.


Choosing Teams Handsets

There’s a whole range of Teams handsets available from well-known vendors like Poly, Yealink, Crestron, AudioCodes and Lenovo. You can review the full list here: Business Desk Phones with Displays | Teams devices (microsoft.com)


Configuring the user account

Teams handsets require a standard Office 365 user account – the same as what you’d assign a normal Teams user.

It’s advisable to set the password for your phone account to never expire – particularly if you’re setting the phone up as a meeting room or common area phone.

This is easily achieved in PowerShell:

  1. Connect to Office 365:

    Connect-MsolService
  2. Set the password for the phone account to never expire:

    Set-MsolUser -UserPrincipalName handset01@chiffers.com -PasswordNeverExpires $true


Licensing

If you’re assigning a handset to an end user that already uses Teams, they can use the same account and licensing to login to their Teams phone.

If you’re setting up a handset for a common area, or meeting room you can license the account with any of the following Office/Microsoft 365 licensing:

  • E1, E3 or E5 licensing
  • Common Area Phone
  • Meeting Room

If you’re using E1 or E3 licensing, you’ll need to add a separate Phone System license if you want to make PSTN calls.

If you’re using Common Area Phone licensing and wish to enroll the phone in Intune, you’ll need to assign a separate Intune license.

Of course, to actually make calls to/from the PSTN you’ll need either a Microsoft Calling Plan license (if you’re in one of the countries supported by Microsoft Calling Plans) or a Direct Routing or Operator Connect solution. If you’re in Australia, you can also use Telstra Calling.


Intune Enrollment

You can enroll Teams handsets in Intune and apply conditional access policies to them (e.g. ensuring they are compliant and have MFA enforced).

If your Enrollment Restrictions policy blocks personal device enrollment for Android devices, be sure to add the serial number of your Teams handsets under Devices > Enroll Devices > Corporate Device Identifiers to allow the phone to enroll.

If you’re having issues enrolling Teams Phones, check out my guide here: Teams Phone – Intune Enrollment Issues – Blog – Chiffers.com


Enforcing Multi-factor Authentication

Teams handsets do support multi-factor authentication, and will support sign on either directly from the phone screen itself, or via https://microsoft.com/devicelogin

Keep in mind that if the phone is a common area phone or meeting room phone, enforcing MFA could become problematic if the phone needs to be signed back in and the administrator whose device is registered to receive the MFA prompt/authenticator code isn’t around. Because of this, I’d recommend not enforcing MFA for common area or meeting room phones if you can get away with it in your environment.


Changing The Look And Feel Of The Phone

Teams phones support three different operating modes:

  • Normal “User sign in” mode
  • Common Area Phone mode
  • Meeting Room mode

The sign in mode affects how the interface looks on the phone handset, and what features and functions are available to the end user. You set the sign in mode via a Teams IP Phone Policy.

To create a new Teams IP Phone Policy:

  1. Connect to Microsoft Teams in PowerShell:

    Connect-MicrosoftTeams
  2. Run the following command to create a new Teams IP Phone Policy:

    New-CsTeamsIPPhonePolicy -Identity 'CAP' -Description 'Common Area Phone Policy' -SignInMode CommonAreaPhoneSignIn

    SignInMode can be: CommonAreaPhoneSignIn, UserSignIn, MeetingSignIn

Let’s take a look at what each sign-in mode looks like to the end user when the policy is assigned to the user’s account that’s used to sign in to the phone:


User “UserSignIn” Mode

UserSignIn mode is the typical desk phone experience. The handset displays Calls, People, Calendar, and Voicemail. You’d typically assign this policy to an end user who’d have the phone sat on their desk to make/receive calls.

In this mode, you can choose to enable Hot Desking (sign in and sign out) and set a HotDesking Timeout value that automatically signs the phone out after a set timeout period.

Enable hot desking:

    Set-CsTeamsIPPhonePolicy -Identity 'DeskPhone' -AllowHotDesking $true

Set the hot desking timeout value (minutes):

    Set-CsTeamsIPPhonePolicy -Identity 'DeskPhone' -HotDeskingIdleTimeoutInMinutes 480


Common Area “CommonAreaPhoneSignIn” Mode

In Common Area Phone mode, the phone displays a dial pad on screen (if using a touch screen device), and provides no access to calendaring or voicemail. As the name suggests, this mode is suitable for phones that are placed in common areas like hallways, or publicly accessible areas.

You can choose to enable or disable directory search when in this mode. If the phone is in a publicly accessible area, I’d recommend disabling directory search to stop someone searching your internal directory for contact information.

Disable search:

    Set-CsTeamsIPPhonePolicy -Identity 'CAP' -SearchOnCommonAreaPhoneMode Disabled
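
The common area phone steps above combined into one re-runnable script, followed by a check that lists any common area policy in the tenant that still allows directory search. This is an added example, not code from the original post; the policy name `CAP-Public` is a hypothetical placeholder, and `Grant-CsTeamsIPPhonePolicy`, `Get-CsTeamsIPPhonePolicy` and `Get-CsOnlineUser` are MicrosoftTeams module cmdlets the post itself does not show.

```powershell
# Added example (not from the original post).
# Assumes the MicrosoftTeams module is installed and you sign in as a Teams administrator.
Connect-MicrosoftTeams

$policyName = 'CAP-Public'               # hypothetical policy name
$handsetUpn = 'handset01@chiffers.com'   # phone account used earlier on the page

# Settings for a phone in a publicly accessible area:
# dial pad only, no directory search.
$settings = @{
    Identity                    = $policyName
    SignInMode                  = 'CommonAreaPhoneSignIn'
    SearchOnCommonAreaPhoneMode = 'Disabled'
}

# Per-user policies are returned with a "Tag:" prefix on Identity,
# so match both forms when checking whether the policy already exists.
$existing = Get-CsTeamsIPPhonePolicy |
    Where-Object { $_.Identity -in @($policyName, "Tag:$policyName") }

if ($existing) {
    # Re-apply the settings so drift on an existing policy is corrected.
    Set-CsTeamsIPPhonePolicy @settings
}
else {
    New-CsTeamsIPPhonePolicy @settings -Description 'Common area phone, directory search off'
}

# Assign the policy to the account that signs in to the handset.
Grant-CsTeamsIPPhonePolicy -Identity $handsetUpn -PolicyName $policyName

# Confirm the assignment (it can take a while to show after the grant).
Get-CsOnlineUser -Identity $handsetUpn |
    Select-Object UserPrincipalName, TeamsIPPhonePolicy

# Audit: every common area policy that still exposes the internal directory.
# An empty result means no common area phone policy allows search.
$exposed = Get-CsTeamsIPPhonePolicy | Where-Object {
    $_.SignInMode -eq 'CommonAreaPhoneSignIn' -and
    $_.SearchOnCommonAreaPhoneMode -eq 'Enabled'
}
$exposed | Select-Object Identity, SignInMode, SearchOnCommonAreaPhoneMode
```

Include the Global policy in your review of the audit output: accounts with no explicitly granted policy fall back to it.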

 

Meeting Room “MeetingSignIn” Mode

In Meeting Room mode, the phone displays any upcoming meetings the account has been included in. This makes joining these Teams meetings audio only from the phone super simple – you simply tap the meeting and tap join.

 

Configuration Profiles

In addition to the TeamsIPPhonePolicy settings that you can set in PowerShell, there are also a number of settings available to you within the Teams Admin Centre for Teams Phones.

General Settings

You can configure a number of different settings, including a device lock, which will ask the user for a PIN after the set timeout value to unlock the phone.

Here is also where you set the correct time zone for the phone, so that it displays the right date / time information.

 

Device Settings

Device settings let you set display settings like setting a screensaver, backlight brightness and backlight timeout, as well as accessibility features like enabling high contrast mode.

Silent mode mutes the phone so that it doesn’t ring when called.

 

Network Settings

Network settings let you set IP, hostname and DNS information, as well as the device’s local admin password and whether the PC port on the back of the phone is enabled (useful if you want to daisy chain the user’s PC to the phone to share a single Ethernet port at their desk).

Note: You cannot set Proxy information here.

 

Accessing the phone via HTTP/HTTPS

If you’re used to being able to view the phone’s settings via a web browser, you’ll be happy to hear that this is still possible on Teams handsets too, but you’ll first need to enable “Web Server” mode on certain handsets to be able to connect.

On a Poly handset, this is found under Settings > Device Settings > Admin Only (enter admin password) > Network Configuration > Web User Interface (switch ON).

You can then browse to https://ip-of-phone and log in as the admin.

Note: when running in Teams mode, a number of options are unavailable (greyed out) under settings.

 

Final Thoughts

Are you considering deploying Teams handsets in your organisation?


September 23rd, 2021 by Alex Simons (AZURE)

Howdy folks, 

 

I’m excited to share our recent improvements in risk evaluation and reporting visibility for Identity Protection. These changes are a step forward in our ability to detect emerging attack vectors and help you focus on the most critical alerts. We improved signal quality and reduced alert volume for low-risk sign-ins by more than 60%, introduced unfamiliar sign-in properties for refresh tokens and session cookies, and added visibility into non-interactive risky sign-ins. 

 

Sarah Handler, Senior Program Manager, and Feifan Jian, Data Scientist, both from our Identity Security team, will take you through these improvements and the data science behind the scenes.

 

Best Regards, 

Alex Simons (@Alex_A_Simons) 

Corporate Vice President Program Management 

Microsoft Identity Division 

 

------------------------------------------------------

 

Hi everyone – 

 

We’re excited to share with you how these changes can better protect your organization’s identities and improve your investigative experience! Identity-based attacks have evolved and expanded over the last year. In response, our team has expanded our detection surface area and improved our systems to ensure that we’re surfacing high fidelity alerts, so that you can focus on what matters most.

 

First, we expanded where we detect unfamiliar sign-in properties to include non-interactive sign-ins. Unfamiliar sign-in properties evaluates in real-time the amount a user’s current sign-in deviates from the user’s past sign-in behavior. This detection was previously available for interactive sign-ins, but now we also evaluate session cookies and refresh tokens. For most tenants, this will not lead to a significant increase in unfamiliar sign-in properties detections; but non-interactive sign-ins that do get flagged for unfamiliar sign-in properties deserve increased scrutiny due to the possibility of a token replay attack.

 

You can see these non-interactive unfamiliar sign-in properties detections in the Risk detections report and in the Risky sign-ins report, which were updated to support non-interactive sign-ins. The Risky sign-ins report now defaults to showing you both interactive and non-interactive risky sign-ins. You can toggle this using the “sign-in type” filter.  

 


 

Additionally, we have significantly improved the signal-to-noise ratio for low-risk risky sign-ins. We heard your feedback that for many organizations there were simply too many low-risk sign-ins to investigate. We want your admins and security professionals to focus on the most important detections and to trust the fidelity of our signal, so we tuned our detections and have reduced the number of low-risk Risky sign-ins by more than 60% while also significantly improving precision!

 

Let’s hear from Feifan Jian, the data scientist behind these changes, on how we did it.

 

Under the hood: the data science behind our changes 

Identity Protection’s detection systems run both in real-time (during authentication) and offline (post authentication) to understand whether sign-ins and users are compromised. Our offline machine learning model, which runs post authentication, scores sign-ins with different features and algorithms to determine whether a sign-in was compromised. The output of the model is the aggregate sign-in risk level, which represents our most recent evaluation of whether that sign-in was compromised.  

 

We made a change to our offline machine learning model to improve its accuracy, allowing us to reduce the noise for low-risk risky sign-ins. Since this change, the volume of sign-ins with low aggregate risk dropped by more than 60%, and the precision, which means the quality of alerts, improved by 100%. This means you will get fewer, but higher quality, low-risk risky sign-ins in your environment!

 

Use these improved features today! 

These improvements have automatically rolled out in Identity Protection, and you can start using these improved features today! To best protect your environment and benefit from our risk evaluation, make sure you also set up conditional access policies to automatically mitigate risky sign-ins and risky users in your organization. To learn more, read how to configure risk policies. 

 

Stay secure! 

 

Sarah Handler (@sarahhandler) 

Senior Program Manager  

Microsoft Identity Security and Protection Team  

 

Feifan Jian 

Data Scientist II 

Microsoft Identity Security and Protection Team  

 

 


September 23rd, 2021 by Pieter Veenstra
Very often I hear flow people telling others that we should use Compose actions instead of variables. But when you reference a compose action it just shows “Outputs”. The Compose …


September 23rd, 2021 by Author

Additions : 5
Updates : 2

New Features | Current Status
MyAnalytics: Delay delivery inline suggestion feature available to New SKUs | In Development
Microsoft 365 compliance center: OneDrive data in Content Explorer | In Development
SharePoint and OneDrive: New capabilities in Microsoft 365 Information barriers for SharePoint, OneDrive, and M365 Groups | In Development
Microsoft Teams: Global sign in and sign out | In Development
Microsoft Teams: Dynamic Emergency Calling for Work From Home for VDI – Citrix | In Development

Updated Features | Current Status | Update Type
Outlook for iOS: Sync contact subfolders as category labels | Launched | Status
SharePoint: SharePoint News Boost | Launched | Status

Regards
The Author – Blogabout.Cloud


September 23rd, 2021 by Author

Additions : 4
Updates : 2

New Features | Current Status
Microsoft Stream: Add or Edit captions and transcript for a video in SharePoint or OneDrive | In Development
OneDrive: Image Utility Edit Control | In Development
Microsoft Teams: Career Coach – Improved IT onboarding | In Development
Microsoft Teams: 1:1 Calling in Safari Web Browser | In Development

Updated Features | Current Status | Update Type
PowerPoint: PowerPoint modern comments for enterprise | Rolling Out | Status
Microsoft Teams: Presenter Mode in desktop or window sharing for GCC-High | In Development | Title, Description

Regards
The Author – Blogabout.Cloud


September 23rd, 2021 by SharePoint Maven

I blogged extensively in the past about how security and permissions work on SharePoint sites. The topic of security is always on the mind of the users and never gets boring. However, if you are into Managed Metadata (also known as metadata within the Term Store), you might want to familiarize yourself with the concept of security/permissions in the Term Store. Security roles inside the Term Store have a life of their own, independent of the security one has on a given SharePoint site. In this article, I would like to explain to you, my loyal followers, the different levels of security roles of a SharePoint Term Store.

Term Store Administrator

To do anything within the Term Store, you need to be a Term Store Administrator. It does not matter whether or not you are a SharePoint Administrator or a Global Microsoft 365 Admin with access to anything in your organization. Term Store Admin Access is granted separately.

Here is how to grant someone (or yourself) Term Store Admin Access:

  1. Navigate to the Microsoft 365 Admin Center, App Launcher > Admin
  2. Navigate to the SharePoint Admin Center
  3. Once inside of the SharePoint Admin Center, navigate to the Term Store (under Content Services)
  4. Click on the Edit button next to Admins
  5. Type in the names of the users you want to add
  6. Click Save

What Term Store Admin Access allows a user to do

  • Add/edit/delete any Term Groups, Term Sets, Terms located inside the Term Store
  • Add/edit/delete other Term Store Administrators
  • Assign Term Store Group Managers and Terms Store Group Contributors to a given Term Group (more on this below)
  • Adjust settings for the Term Store, any Term Group, any Term Sets, and any individual terms

Term Group Manager

Term Store Administrator is a pretty serious role within the organization. These people have the power to delete any existing term sets within the Term Store, and this specific action is irreversible. So you had better not go overboard with the number of Term Store Admins – the users have to know what they are doing to become one.

With that said, sometimes you might want to assign some department user the ability to manage terms within that department’s Term Group. In other words, you might have global metadata used by the whole organization, and that will be off-limits to others in terms of the ability to modify. Still, if a given department is using the Term Store to organize their own metadata, you might want to give that department a Term Group and assign the users to that group to edit metadata exclusively within that Term Group without the risk of messing the whole Term Store. Here is how to grant someone Term Group Manager Access:

  1. Click on a Term Group you want to assign Term Group Manager to, then click Edit on the right side
  2. Type in the name of a user and then choose Manager from the drop-down. Click Save.

What Term Group Manager Access allows a user to do

  • Add/edit/delete any Term Sets and Terms located inside the given Term Group
  • Assign other Term Store Group Managers and Contributors (more on this below)
  • Adjust settings for the Term Group assigned, as well as any Term Sets inside this group, and any individual terms inside those term sets

Term Group Contributor

When you assign someone the role of a Term Group Manager as described above, those users can add/edit/delete metadata, as well as add and remove other managers and contributors. Sometimes though, you might want users to add/edit/delete metadata within a given Term Store Group, without the ability to alter permissions for the Term Group. This is where the role of Term Group Contributor comes in. It is essentially the same as Term Group Manager described above without the benefits of assigning others to the Group.

To assign a user the role of Term Group Contributor, follow the steps above, but choose Contributor from the drop-down instead.

What Term Group Contributor Access allows a user to do

  • Add/edit/delete any Term Sets and Terms located inside the given Term Group
  • Adjust settings for the Term Group assigned, as well as any Term Sets inside this group, and any individual terms inside those term sets

How to access the Term Store for users without the SharePoint Admin Role?

You might be wondering how Term Store Admins, and especially Term Group Managers and Contributors, will access/manage the Term Store if they have no access to the SharePoint Admin Center. Good question! They will not be able to navigate to it using the instructions above (via Admin Centers). Instead, they will need to access and maintain it via a SharePoint site (any SharePoint site they are an Owner of).

  1. For the example below, I am accessing the Term Store as Mary, who owns a SharePoint site and who was made a Term Group Manager of HR Term Group within the Term Store
  2. From any SharePoint Site you own, click on Gear Icon > Site Information
  3. Click on View all site settings
  4. Click on Term Store Management
  5. Mary now has access to her HR Term Group in the Term Store and can manage it from here. All the other Term Groups are grayed out because Mary is not a Term Group Manager or Contributor for those.

Term Set Owners, Stakeholders, and Contacts

If you click on any given Term Set inside of the Term Group I described above, you will notice 3 additional “roles” listed:

  • Term Set Owners
  • Stakeholders
  • Contacts

At first, it seems like you can set security on the Term Sets as well, but these ARE NOT security roles and have nothing to do with the security roles of a SharePoint Term Store. These are just fields for the Term Store Admins and Term Group Managers and Contributors to keep track of the business owners/stakeholders of a given Term Set. So think of these as just names/contacts responsible for the Term Set (in case you are doing the cleanup in the Term Store in 5 years and wondering who the hell requested a certain set of terms).


The post 3 security roles of a SharePoint Term Store appeared first on SharePoint Maven.
