Changelog


Delegate365 changelog version 7.0-Office 365 Groups, Alias addresses, Logging and more

Wednesday, October 11, 2017

We have been busy during summer time and we have been developing and testing our new Delegate365 version 7. We added new features like the support for Office 365 Groups and further useful extensions and made a technical refresh behind the scenes. So, the latest version of Delegate365 is available now and ready for updates. See the details described here.

Delegate v7 is the successor of version 6.6. Besides new features, this is a major update since this version takes advantage of using new Microsoft APIs. So, here’s the news:

  • User Mobile Phone number fix: When a user’s Mobile phone number was modified or deleted in the additional details of a user, the changes were not visible instantly. The cause was in the Microsoft interface: the mobile phone number is an Exchange property that needs to be synced in the background. So, changes to that specific property sometimes took minutes or were lost. This has been fixed in the latest Delegate365 version by using a new Microsoft interface.
    Now, any modifications of the user’s Mobile phone number property are visible instantly.
  • Office 365 Groups: Delegate365 now can manage Office 365 groups (historically also named Unified groups sometimes) as well. You can find the Office 365 groups management in the groups menu. The module works exactly as the other group types, each Office 365 group is assigned to one OU in Delegate365. Hint: Office 365 Groups fully exist only in Office 365 and are shown as distribution groups in Exchange on premises.
    If one Office 365 group is selected, Admins can modify the members and owners, as in the existing group types modules. This allows Delegate365 Administrators to create and manage the new Office 365 Groups easily.
    The general box allows setting the Display name, the group Alias email address (with the assigned domains), the description, the Privacy level (Public or Private), whether copies of group conversations shall be sent and whether sender authentication is required.
    For modifying, click Save changes.
    If a new Office 365 group is created, the Alias is automatically prefilled in an email-safe way (as used in Delegate365).
    If the email Alias is not available in the Office 365 tenant, the Admin gets a warning…
    …and the Alias must be modified to a unique email address as here (project-a2).
    The creation of an Office 365 group takes just a few seconds. The new Office 365 group is created in Azure Active Directory, provisioning of a SharePoint site is triggered, the email address is created in Exchange Online and members and permissions are added. So, a lot is happening in the background, but Admins can continue to work with Delegate365 right after the process.
    Info for Portal Admins: Of course, Office 365 Groups can be (un)assigned manually in administration / organizational units as the other group types…
    …and there are rules for automatic OU-assignments in administration / sync / sync rules as well.
  • Users E-Mail address options: Administrators can manage and add Alias addresses for their users (if permitted). After a user is selected, the EMail address menu opens the email management pane.
    In here, the addresses can be modified, added or deleted. There’s a new switch for SMTP addresses: Set as primary defines if the current email shall be the primary one or not.
    When the changes are saved, the primary email address is bold and SMTP is in upper case (otherwise in lower case).
    Modifications are done in Exchange Online. So, it can take some minutes, till they are active in Exchange.
  • Daily notifications for Admins: Admins in Delegate365 can now get daily notifications about their managed users and groups. When clicking the user menu in the top right corner and then Properties, the user properties open. In the new Notifications box, each Admin can switch Daily Notifications to Yes or No and set the desired email address for the notifications.
    This means that Admins receive a daily email with the numbers of objects managed in Delegate365 and a notice if less than 10% of Office 365 licenses are available (or the license limit is exceeded). The email delivers an overview of all managed OU’s and looks as follows: Text in orange means warning, Text in red means limit reached or exceeded.
    Each user can define if he wants to get the notification or not. By default this switch is set to No.
    Info for Portal Admins: These settings are the same as in the manage administrators admin properties, so they could be set not just by the Admin himself, but also by Portal Admins for their Admins if needed.
    Warning notifications are sent if Office 365 licenses are ordered within Delegate365, or if license limits are exceeded or Delegate365 licenses are exceeded.
  • Logging extended: As described in Delegate365-Working with Audit Logs, Delegate365 stores logs on a daily and monthly basis. With version 7, there is now additional logging to a summarized log with the name AuditLogSearch. Storage in the cloud is expandable as needed, so we thought it is easier to work with one single log table instead of working with monthly logs. To simplify reporting in external tools, the Power-BI file works with this single table log.
    So, we recommend using the AuditLogSearch table (red box) for dashboards and reports (as the Power-BI file does), the monthly logs logYYYYMM (blue box) to search for specific actions that happened in that month, and the daily logs of the last 7 days, logYYYYMMDD (green box), for actions by day (these are deleted automatically if older than 7 days). The following picture shows Microsoft Azure Storage Explorer connected to a Delegate365 log.
    See Delegate365-Working with Audit Logs for more info.
    Also, the logging itself has been extended to log all user Exchange properties modifications.
  • Upgrade from version 6.4 (if necessary): If your existing Delegate365 version is less than 6.5, it is necessary to re-run the Delegate365 setup once because of required app permissions to read the Office 365 service status shown on the Delegate365 dashboard. We will inform you about the planned update date and the steps to update your Delegate365 app as described in Delegate365 changelog version 6.5 and in Delegate365-(Re)run the setup.

All existing productive Delegate365 tenants will be updated starting in mid-October. New Delegate365 trials will automatically be available in the latest version.

We hope you enjoy the new features of Delegate365! More features are about to come this year!



Delegate365 changelog version 6.6-Mailbox features and logging

Tuesday, September 12, 2017

During summer time the next Delegate365 version was born that brings more mailbox and distribution group features, more sync rule options and some minor changes in logging and some fixes. See the details here.

Delegate365 version 6.6 brings some improvements on the basis of version 6.5.

  • New sync rules: The menu administration / sync / "sync options" has been renamed to "sync rules" in Version 6.5. Now, the "user license assignments" have been extended with additional options. A sync rule can now be switched on or off with the "Active" switch to simplify testing ("On" is the default setting for existing rules). The new "order" setting allows reordering the rules. "Action" now allows not only adding Office 365 licenses, but also removing the selected licenses, which was an often requested feature. "Apply to" allows executing the rule against "all users", "sign-in allowed" or "sign-in blocked" users. The new options deliver much more granular control of license settings.
    The active sync rules are considered at each sync operation in Delegate365. Don’t forget to save any changes at the page bottom "Save" button!
    Remember, the more rules are enabled, the longer the sync operation will run. In large Office 365 tenants this might take hours, since every object must be checked and the operations must be executed.
  • New Mailbox features: In the users list, admins can modify the mailbox settings of a user (if the admin owns permissions).
    The “general” box came with version 6.5 to enable admins to hide the user from address lists.
    Below that, there is now a new box titled "mailbox features" with a bunch of switches.
    In here, admins can restrict the user’s access to specific features, such as enabling or disabling Outlook (on the web), IMAP, POP3 or MAPI access, Litigation hold and Archiving. So, there are many more settings to define the behavior of Exchange Online for a user’s mailbox.
    Below that, further mailbox features are available as before.
  • Distribution group new features: There have been new settings added in the distribution groups.
    The new “email addresses” section allows to manage multiple email addresses for one distribution group as follows.
    When saving, the new email alias is added to the group.
    Info: In this version, this works for mail enabled security groups and distribution groups only. With the next version, support for Office 365 groups will be available as well.
  • Auditing history (reminder): We found that the auditing log can become really large and that admins usually don’t need to go back a long time when searching for operations. To reduce the storage and to speed up operations within Delegate365, the audit log now goes back for the last 7 days. Usually, going back a week is sufficient for a quick find of logs.
    Also, the Audit logging was changed from a single table to monthly tables. Both features were already introduced with Version 6.5 (please see Audit logging per day, Audit logging per month and Direct access to audit logs); this is just a reminder.
    Due to technical reasons, search works with the "startswith" operation. So, if we search for "kelly" in this scenario (the name property is "bob kelly (tailspin)"), the entry will not be found. If we search for "bob" or "seattle", the entry will be found (lower and upper case are ignored, leading or trailing spaces are trimmed). Therefore, we recommend using the auditing module in Delegate365 just for quick lookups. If you need a more detailed search, we recommend using the "reporting" module where you can get direct access to all logging data and use tools such as Microsoft Excel, Power-BI or similar.
  • New Dashboard element Service health (reminder): If your tenant has not been on version 6.5 before, you need to re-run the Delegate365 setup once to enable the service health dashboard. Please look up Delegate365 changelog version 6.5-Service health, logging and more and how to Delegate365-(Re)run the setup.
  • Fixes: The Sync operation was optimized again to reduce the runtime and some minor fixes have been made in the UI.

All existing productive Delegate365 tenants will be updated starting in mid-September. New Delegate365 trials will automatically be available in the latest version.

We hope you enjoy the new features of Delegate365!



Delegate365 and the Exchange issue update

Wednesday, August 30, 2017

In the last days, some customers of Delegate365 experienced a warning in the Delegate365 portal that informed about the failing communication to Exchange Online. This issue was caused by the Microsoft Exchange Online PowerShell endpoint. We are glad to announce that this issue should be fixed soon.

Delegate365 informed users about the reduced functionality with a message “Access denied – please check the credentials of your Office 365 account…” when opening the yellow warning icon in the portal.

This message pops up when the Delegate365 services cannot communicate with the customer’s Office 365 tenant and the Microsoft endpoint delivers an error. The detailed error message generated by Microsoft was “…Processing data from remote server ps.outlook.com failed with the following error message: The EndpointConfiguration with the http://schemas.microsoft.com/powershell/Microsoft.Exchange identifier is not in a valid initial session state on the remote computer. Contact your Windows PowerShell administrator, or the owner or creator of the endpoint configuration. For more information, see the about_Remote_Troubleshooting Help topic.”

At atwork we were concerned about this issue since we were using exactly this service, which had been working properly for years, and there had been no change on our side. We started doing research, checked our code, ran tests in various regions and Office 365 tenants and tried to figure out if there is any solution for the problem, with various results. In the end, we found out that the results were absolutely unpredictable and more or less random. There’s one related thread on social.technet.microsoft.com, Exchange Online error: Identifier is not in a valid session state on the remote computer, where we saw that more users were affected by this issue. We contacted Microsoft and continued to look for a solution.

Today, Microsoft announced a new status message in the service health in the Office 365 portal in many tenants:

EX116717 - PowerShell issue: User Impact: Users may be unable to perform administrative actions when using Remote PowerShell commands.

The PowerShell issue started by Friday, 25th August 2017. The status says “Restoring service” and Microsoft expects this to be completely resolved within the next 24 hours.

The PowerShell connection issue was caused by an update that was deployed in Microsoft Office 365 Exchange systems.

So, we hope that the Exchange PowerShell service will be working properly in all tenants again soon (in the next hours).

On the Delegate365 side, there will be no changes. Once the service is completely available again, the next Delegate365 sync operation will update all deltas again and the warning message will be removed in the Delegate365 portal.

Thanks to all customers for your understanding. The good news is that the services will be fixed soon and Delegate365 will work properly again!




Delegate365-Working with License Assignments

Thursday, June 29, 2017

Delegate365 provides various automation tasks. One of these is the new License Assignment rule to automatically assign Office 365 licenses to users based on their user properties or on their group membership. See how this works in real world with a demo scenario here.

The License Assignment is available since version 6.4. For details, please see the description here. This new feature allows assigning Office 365 licenses to users in a very custom way and runs at each Delegate365 synchronization operation. So, whenever a SyncOp runs, Delegate365 checks the sync rules and assigns licenses as specified. Let’s see how this works step by step.

Security Groups

Many organizations work with security groups to simplify their user management. In my scenario, I created some security groups within Delegate365 and added some users as members. Security group Finance has Alan and Christa as members.

Security group IT has Dan as member, to keep that sample very simple.

Just to mention: In this demo, I created OU’s with the same name (Finance, IT, …) to keep the management simple. To clarify, there is no correspondence between OU’s in Delegate365 and any security groups. You can organize your tenant and your Delegate365 environment as needed.

Existing licenses

License tasks in Delegate365 always add licenses. This means, if a user already has a license set, this will stay untouched and new licenses will be added.

So, here we have a specific set of licenses just for user Christa: MDM, Yammer and Exchange in E3 are activated, all other license plans are disabled.

The other two users Eric and Dan do not have any licenses set.

Sync rules

A Portal Admin can define the sync rules in administration / sync / sync rules. Here, the User sync options are disabled, but the User license assignment will be enabled. We create a new rule where Security group contains Finance. This means, all current members of the security group Finance shall get a specific set of licenses. In our sample that’s Office Web Apps, SharePoint and Exchange in SKU E3 and additionally AAD_PREMIUM_P2.

Ok. Now we add another rule for members of the security group IT. The IT personnel shall get the Skype and Teams license within the E3 SKU.

Ok. Don’t forget to Save the sync rules at the bottom of the page.

We’re done here. Since you can add many rules with various conditions, many custom scenarios can be defined.

Optional: Don’t forget the UsageLocation

Office 365 requires to have a UsageLocation set for each user who shall get any license. As administrator you need to take care of that fact. It can be the case, that some users have a UsageLocation set and others not. With Delegate365 this can be set in the OU Auto License Assignments if needed, in module administration / organizational units / manage ou’s (see Delegate365 changelog version 6.5-Service health, logging and more “Assign OU Licenses and UsageLocation”).

Select the OU and click Edit licenses. In here, enable Use license auto assignment and select a country to set for UsageLocation. Usually, it’s a good idea to enable Check existing OU assignments as well to ensure that all users that are already assigned to that OU are checked for UsageLocation. No licenses are selected in here, we just want to set the UsageLocation.

The UsageLocation defined in here will only be set, if a user has NO UsageLocation set. If that user property is already set, this will be ignored (we do have the UsageLocation then already and do not need to re-assign one).

To ensure we will also have a UsageLocation for all members of OU IT, we do the same for that OU.

Remember, this step is optional. If you are sure all users have a UsageLocation set, you can skip this step.

Run a sync

Now let’s try it. We could wait for the next automatic SyncOp (which usually runs every 4 hours), or, to see the result instantly, run the SyncOp manually. This can be done in administration / sync / sync operations. Click the Sync button.

The progress box below shows the details. Depending on the size of your Office 365 tenant and your settings, this can take some minutes or even hours. In my demo tenant with just about 250 users and few groups, this takes about 3 minutes. The page does not need to stay open; you can continue to work in other Delegate365 pages.

After the SyncOp has finished, you can check the result in the same page in the Sync history box. Here we see the manual triggered SyncOp.

Check the result

Now let’s see the result in the user licenses. First, we check the licenses of Christa. We should see that she now has additional licenses in E3 (Office Web Apps and SharePoint) and AAD_Premium_P2. The existing licenses for MDM, Yammer and Exchange are set as before. So, the new licenses have been added.

The result for Eric now shows just the new licenses (MDM has been added automatically through AAD Premium by a role, this was not manually defined by us). So, we see the licenses for MDM, Office Web Apps, SharePoint and Exchange, and for AAD_Premium_P2. These licenses have been assigned since Eric is a member of the security group Finance.

Let’s check user Dan who is member of IT. He got Teams and Skype as defined (plus MDM as above).

Well perfect, or?

Stumbling stones

As we have seen, the License Assignment is basically easy to use. But of course, it can happen that you don’t get the desired result. If licenses are not added after a sync, one of the following issues may have occurred:

  1. In Delegate365, there is a license quota defined for an OU and the limit is exceeded.
  2. You are out of Office 365 licenses in your tenant. Licenses could not be assigned since there are no licenses left.
  3. Licenses could not be set because of license conflicts. For example, you tried to assign the license EOP_ENTERPRISE that cannot be assigned to a user. Delegate365 tries to set the defined licenses, but if Office 365 restricts specific licenses, this license cannot be set and an error is logged (see below).

Recommendations

So, if something goes wrong, we recommend:

  • Check the result after a sync with some single users.
  • Check the Delegate365 error messages that are collected in the notification center in the top menu bar (the message icon). Click Read all messages and see any error that may have occurred.

ad 1) If a license quota is exceeded

So, what does it look like if there is a license quota defined? I created another new user: Molly (without any Office 365 license in OU Finance) and added her to the Finance security group.

Then, a license quota is defined for the OU Finance with an enforced maximum of 2 licenses for SKU E3 as shown here.

After Save, we see the quota of 2 licenses for OU Finance.

Remember, we had already two users, Christa and Eric in that OU, with two E3 licenses. So the License Assignment for Molly should not work. We are set now, and can re-run the SyncOp (as above).

After the SyncOp, let’s check Molly’s licenses. This looks as follows: The E3 licenses have NOT been set. You see the information “Microsoft Office 365 Plans E3 (2 of 2 used)”.

If we check the notifications, we see the reason: “No more licenses available for OU: Finance and Licenses: Microsoft Office 365 Plans E3”. The license could not be assigned because of the license quota of 2.

So, the notifications are important to check.

If we now change the quota to, let’s say, 3 licenses and re-run the SyncOp, Molly will get the E3 license automatically. I did this and checked the result here. Molly got the E3 licenses now.

ad 2) If no more 365 licenses are available in the Office 365 tenant

The same as described above happens when exceeding the available Office 365 licenses of the tenant. You see the warning in the notification center.

ad 3) If a license cannot be assigned

Some license sets are not possible since they are not permitted by Office 365. For example, the message “User Licence(318) ericg@d365v6.onmicrosoft.com: License EOP_ENTERPRISE cannot be assigned to a user.” informs that this license could not be assigned. Microsoft is continuously adding licenses, plans and combinations, so such messages (for example, for double license plans in different SKU’s) are possible. The notification center informs about such issues.
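
The behaviour walked through above (rules that only add licenses, the OU default UsageLocation that is set only when missing, and the enforced OU license quota) as a small Python model. This is an added example, not Delegate365 code; the class names, `run_sync`, the country code "AT" and the UsageLocation message text are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

E3 = "Microsoft Office 365 Plans E3"  # display name as quoted in the page's notification
AAD_P2 = "AAD_PREMIUM_P2"


@dataclass
class User:
    name: str
    ou: str
    groups: set
    usage_location: Optional[str] = None
    licenses: dict = field(default_factory=dict)  # SKU -> set of enabled plans


@dataclass
class Rule:
    group: str    # "Security group contains ..."
    grants: dict  # SKU -> set of plans to enable


def run_sync(users, rules, ou_usage_location, ou_quota):
    """One SyncOp pass over the model; returns the notification-center messages."""
    notes = []
    for user in users:
        # The OU's UsageLocation is applied only when the user has none,
        # and before any license rule is evaluated.
        if user.usage_location is None:
            user.usage_location = ou_usage_location.get(user.ou)
        for rule in rules:
            if rule.group not in user.groups:
                continue
            if user.usage_location is None:
                # Message text constructed for this model, not taken from the product.
                notes.append(f"{user.name}: no UsageLocation set, licenses skipped")
                break
            for sku, plans in rule.grants.items():
                if sku not in user.licenses:
                    # A new seat in this SKU counts against the OU quota, if one is set.
                    limit = ou_quota.get((user.ou, sku))
                    used = sum(1 for u in users if u.ou == user.ou and sku in u.licenses)
                    if limit is not None and used >= limit:
                        notes.append(
                            f"No more licenses available for OU: {user.ou} and Licenses: {sku}")
                        continue
                    user.licenses[sku] = set()
                # Add-only: existing plans stay untouched, the rule's plans are merged in.
                user.licenses[sku] |= set(plans)
    return notes


# Constructed data mirroring the walkthrough.
RULES = [
    Rule("Finance", {E3: {"Office Web Apps", "SharePoint", "Exchange"}, AAD_P2: {AAD_P2}}),
    Rule("IT", {E3: {"Skype", "Teams"}}),
]
OU_USAGE_LOCATION = {"Finance": "AT", "IT": "AT"}


def demo_users():
    return [
        User("Christa", "Finance", {"Finance"}, "AT", {E3: {"MDM", "Yammer", "Exchange"}}),
        User("Eric", "Finance", {"Finance"}),
        User("Dan", "IT", {"IT"}),
        User("Molly", "Finance", {"Finance"}),
    ]


def walkthrough():
    """Sync with a Finance quota of 2 for E3, then raise it to 3 and sync again."""
    users = demo_users()
    quota = {("Finance", E3): 2}
    first_notes = run_sync(users, RULES, OU_USAGE_LOCATION, quota)
    molly = next(u for u in users if u.name == "Molly")
    molly_e3_after_first = E3 in molly.licenses
    quota[("Finance", E3)] = 3
    second_notes = run_sync(users, RULES, OU_USAGE_LOCATION, quota)
    return {
        "first_notes": first_notes,
        "molly_e3_after_first": molly_e3_after_first,
        "second_notes": second_notes,
        "licenses": {u.name: u.licenses for u in users},
    }


if __name__ == "__main__":
    result = walkthrough()
    print(result["first_notes"])
    for name, lic in result["licenses"].items():
        print(name, {sku: sorted(plans) for sku, plans in lic.items()})
```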

Summary

I hope this sample demonstrates the License Assignment functionality and allows you to automate your Office 365 user and license management. Check automatic license assignments after the SyncOp and see the notification center for any issues. With that toolset, it’s easy to automate license assignments. Benefit from working with Delegate365!




Delegate365 changelog version 6.5-Service health, logging and more

Wednesday, June 28, 2017

Delegate365 version 6.5 is here soon. With that update, there comes new functionality and some further improvements. Read the details here.

  • Notification center: Now, the notification center shows just the last 100 messages (instead of all unread messages) to reduce the loading time for all unread messages that can be produced in a large number by the synchronization process. Anyway, you can access all messages as before by clicking the “Read all messages” link. “Clear all messages” sets all messages to “read”, so that they no longer show up in the notification center.
    This step improves the dashboard’s loading time.
  • New: Hide from address lists: In the mailbox settings of a user, administrators now can hide the user’s email address from address lists by setting the Hide from address lists switch to Yes. By default, this switch is set to No. Click Save to persist that mailbox setting for the user. [Updated 29th June]
  • New Dashboard element Service health: To inform Delegate365 administrators about any issues with the Office 365 services, the Delegate365 dashboard now shows the service health (and in a new menu on the left). Since this requires new permissions for accessing that data, it’s necessary to re-run the Delegate365 setup once. If the message in the new “Service health” box shows "You must run a new Setup to enable reporting. Click here to go to setup.", then click that link.
    The link opens the /setup URL. You need to have the Delegate365 configuration password (you get that from atwork) and a Global Admin user of your Office 365 tenant. Fill out the three fields and click “Complete”. See Delegate365-(Re)run the setup for a step-by-step guide and more information about re-running the setup.
    After the setup, which takes about 1 minute to run, log in again with the Global Admin you used in setup step 1 and confirm the Delegate365 consent with “Accept”.
    As you can see, the Delegate365 app now asks for permissions to read activity, usage data and service health from your Office 365 tenant. This permission set also includes permissions for reports that will be available in the next versions of Delegate365. Then, it will not be necessary to re-run the setup since these permissions are already included. The consent is valid for all Delegate365 users in your tenant - it’s important to accept this here once. You’re done with the setup.
    Now, when entering the Delegate365 dashboard, you should see the status of the Office 365 services for your tenant. If you do not see the service status but the message “Cannot load service health.”, it can take some minutes or hours, until the new app permissions are effective in your tenant. In that case retry later by refreshing the browser window.
    The service health box on the dashboard shows the current and previous status in an overview.
    The items have an icon with traffic light colors representing the functionality. In the example shown, there’s a warning for Exchange Online, the rest is green. You can click the details of each service to open the service health page. The service health is also available for all admins in the left menu. In that list, click the desired service to see the service messages. The text will be loaded and shows all messages for the last 30 days.
    If there are no current messages, you can look for older messages with the “View history” link. Again, this loads the requested messages.
    “Hide history” collapses the messages.
    The new service health module is available for all Administrators in Delegate365 and informs about possible issues with Office 365.
  • Renamed: Sync options to Sync rules: The sync options provide a bunch of automation. Now there can be rules defined to assign Office 365 licenses (which will be extended in near future as well). So, we decided to rename the “sync options” to “sync rules” to better describe the adapted module. The module itself got no changes in this version.
  • Audit logging per day: The Delegate365 audit logging has been changed in the past, see Delegate365 changelog version 6-Logging. Since the amount of actions can become very large, the new audit log is available per day to reduce data and improve the loading time. Before, in administration / audit / auditing, the time filter went back for 1 or more days up to 6 months. In the real world, Admins usually search for specific events in the last days, so this filter now shows the last 7 days. Select the desired log (per day) first, then search or browse the audit data.
    All logs older than 7 days are automatically deleted. The purpose of the daily logs is to have them accessible within Delegate365 in a quick way as shown above.
  • Audit logging per month: Following the same principle to reduce data, there is now a log table for each month. When working with data exports or Power-BI, the data size is now much smaller and comes per month. The monthly logs are never deleted and are stored forever.
  • Direct access to audit logs: The internal table names now are “log201706” (for June 2017) for the monthly table and “log20170626” (for 26th June 2017) for the daily log in the Delegate365 storage and so on. See details on exporting and reporting of audit data at Delegate365-Working with Audit Logs. The “old” single table “AuditLogSearch” (which is used until the update to version 6.5) will be untouched and stays forever.
    The old log files stored in the Blob containers are automatically deleted, since they were written just as backup and had no usage (cleanup). This will be discontinued in version 6.5 and there are no more Blob-files used.
  • Assign OU Licenses and UsageLocation: The automatic license assignment in the OU’s (in administration / organizational units / manage ou’s) has been slightly changed. Now the usage location can be set without the need of assigning any Office 365 license below. So, this module can now set the usage location only. In former versions, this has been ignored if no license was selected.
    To clarify: the usage location is set only if the user does not already have a usage location. In that case, the selected usage location is assigned (before the license assignment rules are executed in the SyncOp, so that they are valid for setting any Office 365 licenses).
  • Design of scripts has been optimized: The page design of the administration / sync / scripts page has been optimized to work on small screen sizes as well.
    This module is currently in Beta and designed to save and execute recurring PowerShell tasks.
  • Optimizing SyncOp (License Assignments): Since there can be a bunch of different sync rules active, Delegate365 needs to check the existing user assignments and needs to execute each rule. With a large number of users and licenses, this can be time consuming and a lot of operations need to run. Delegate365 tries to reduce all read and write operations with the optimized SyncOp. The user object is read only if needed and the operations are summarized to see if an update is necessary. All in all, the optimized sync should save time (and operations against the Microsoft Graph) and run faster than before, especially in large Office 365 tenants with ten-thousands of users.
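
The table scheme from the audit logging notes (daily logYYYYMMDD tables kept for 7 days, monthly logYYYYMM tables kept forever, the single AuditLogSearch table) together with the "startswith" lookup of the auditing module, as added Python example code that is not Delegate365's own. It picks the tables that still hold a given date range and shows why a prefix lookup misses "kelly"; the function names, the property names in the sample entry and the inclusive 7-day cut-off are assumptions.

```python
import re
from datetime import date, timedelta

DAILY_RETENTION_DAYS = 7  # daily logs older than 7 days are deleted automatically
_LOG_TABLE = re.compile(r"log(\d{4})(\d{2})(\d{2})?")


def classify_table(name):
    """Map a storage table name to (kind, date) following the naming scheme."""
    if name == "AuditLogSearch":
        return ("summary", None)
    m = _LOG_TABLE.fullmatch(name)
    if not m:
        return ("other", None)
    year, month, day = m.groups()
    try:
        if day is None:
            return ("monthly", date(int(year), int(month), 1))
        return ("daily", date(int(year), int(month), int(day)))
    except ValueError:  # digits that are not a calendar date, e.g. log20171345
        return ("other", None)


def daily_is_retained(day, today):
    """Assumption: a daily table exists while its age is 0..7 days inclusive."""
    return 0 <= (today - day).days <= DAILY_RETENTION_DAYS


def tables_for_range(start, end, today):
    """Tables to query for an inclusive date range: the daily table while it
    still exists, otherwise the monthly table covering that day."""
    tables = []
    day = start
    while day <= min(end, today):
        name = f"log{day:%Y%m%d}" if daily_is_retained(day, today) else f"log{day:%Y%m}"
        if name not in tables:
            tables.append(name)
        day += timedelta(days=1)
    return tables


def expired_daily_tables(names, today):
    """Daily tables past retention that are still listed (cleanup lag or a stale copy)."""
    expired = []
    for name in names:
        kind, day = classify_table(name)
        if kind == "daily" and (today - day).days > DAILY_RETENTION_DAYS:
            expired.append(name)
    return expired


def _norm(value):
    return str(value).strip().lower()


def startswith_hit(entry, term):
    """Auditing-module lookup as described: trimmed, case-insensitive prefix match."""
    needle = _norm(term)
    return bool(needle) and any(_norm(v).startswith(needle) for v in entry.values())


def contains_hit(entry, term):
    """Substring match, as one would run it on exported log data in an external tool."""
    needle = _norm(term)
    return bool(needle) and any(needle in _norm(v) for v in entry.values())


# Constructed log entry; the property names "name" and "city" are assumptions.
SAMPLE_ENTRY = {"name": "bob kelly (tailspin)", "city": "Seattle"}

if __name__ == "__main__":
    today = date(2017, 6, 28)
    print(tables_for_range(date(2017, 6, 20), date(2017, 6, 28), today))
    print(expired_daily_tables(["log20170601", "log20170626", "log201706"], today))
    for term in ("kelly", " Bob ", "SEATTLE"):
        print(repr(term), startswith_hit(SAMPLE_ENTRY, term), contains_hit(SAMPLE_ENTRY, term))
```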

All existing productive Delegate365 tenants will be updated starting at the beginning of July and in the following weeks. New Delegate365 trials will automatically be available in the latest version.

We hope you enjoy the new features of Delegate365!




Delegate365-(Re)run the setup

Tuesday, June 27, 2017

Delegate365 runs as an app in Microsoft Azure on top of Office 365. You can connect to any Office 365 tenant with your Delegate365 portal. You just need a configuration password and a Global Admin user of your Office 365 tenant. The Setup must be executed once, as initial setup or during operation to renew the permissions of the Delegate365 app. See how the new and simplified setup process works here.

Delegate365 can be bound to any Office 365 tenant with the setup process. This must be done once before the first use of Delegate365. Then, when Delegate365 is already operating, you can re-run the setup anytime. A reason to re-run the Delegate365 setup is if permissions for Delegate365 must be renewed. Usually, a setup renewal is necessary every 2 years, or if Delegate365 gets new functions and needs additional permissions (for example, for accessing reports from Office 365). The setup process now consists of just two simple steps. It’s easy to accomplish and takes one to two minutes.

Important: If you are already working with Delegate365, ensure that during setup, you are entering the same tenant as originally in the first setup, so that Delegate365 keeps all your settings for your tenant.
To clarify: if you have run the setup with a Global Admin "admin@mytenant1.onmicrosoft.com", use the same tenant (but any Global Admin) for each additional setup, such as "myadmin@mytenant1.onmicrosoft.com" (or the same Global Admin "admin@mytenant1.onmicrosoft.com"). The setup checks if mytenant1.onmicrosoft.com equals mytenant1.onmicrosoft.com. If yes, all Delegate365 settings stay as before. If no, all Delegate365 settings will be reset and you start with the new Office 365 tenant from scratch. This is helpful for demo scenarios, but not for production ones.

No MFA: There is one restriction for the setup: The Global Admin used must have Multi Factor Authentication (MFA) disabled. If MFA is enabled, please create another Global Admin account with MFA disabled and use that account for the Delegate365 setup process. This will change in the future, but currently this scenario is not supported. The Global Admin does not need to have any Office 365 licenses assigned; the role alone is sufficient to create the Delegate365 service account.

So, here’s the step-by-step guide for running the Delegate365 setup.

  • When you receive the Delegate365 provisioning email, there is a Delegate365 password included. This is issued by atwork (the manufacturer) and cannot be changed. You get an email with the setup URL, the Delegate365 configuration password and the final URL of your Delegate365 portal after the setup has been accomplished. Please save that configuration password and keep it safe. You will need this for each setup. The Welcome-email looks as follows:
    The configuration password is your secret to use Delegate365 with any Office 365 tenant. As mentioned above, keep it safe!
  • Open the setup address <Your Delegate365 tenant URL>/setup. You can do this anytime in an operating Delegate365 as well.
    Here, you need to have the Delegate365 configuration password (you get that from atwork) and a Global Admin user of your Office 365 tenant. Fill out the three fields and click “Complete”. It’s important that you enter the same tenant as originally in the first setup, so that Delegate365 keeps all your settings for your tenant.
  • After about a minute, the setup should be completed. Click “Login”.
  • Now log in again with the Global Admin you used in step 1 (above) and confirm the Delegate365 consent with “Accept”.
    As you can see, the Delegate365 app now asks for the necessary permissions for your Office 365 tenant. This consent is valid for all Delegate365 users in your tenant (it’s important to accept this here once). Then, you’re done with the setup.
  • After signing in to Delegate365, the dashboard follows.
  • From now on, all users can reach your Delegate365 portal with the <Your Delegate365 tenant URL>.

Issues? If any errors happen during or after the two-step setup, please check the following:

  • Ensure that the Global Admin is valid. You can test that by opening the Office 365 portal https://portal.office.com and signing in with that account (without MFA).
  • Also ensure that you are working in a browser in Private mode (usually CTRL+SHIFT+N), so that you are not already logged in by cookies with another Microsoft Office 365 account.
  • If the steps above work, please re-run the Delegate365 setup.

The process for production environments is exactly the same, just the URLs are named https://<customername>.delegate365.com. Add /setup to the URL for running the setup as described above.

So, running the Delegate365 setup can be accomplished anytime and is an easy task that runs for one or two minutes. After the setup, you can instantly use your Delegate365 environment with your Office 365 tenant.




Delegate365-Working with Audit Logs

Monday, June 26, 2017

Delegate365 logs all modifications of users, licenses and groups within the solution. This is essential for tracing actions performed by Delegate365 administrators or by automated tasks. See how to work with that audited data here.

So, all actions are logged to the Delegate365 Audit Log. In the current versions, the audit logs are saved to an Azure Storage Account. There are three ways of working with the audit data:

  1. See audit data within Delegate365
  2. Access the data directly with Microsoft Storage Explorer
  3. Connect to the data with tools such as Microsoft Excel or Power BI

All methods are available for Portal Admins in the administration / audit menu and are described here.

Important: The audit logs can grow very fast since all actions of all administrators and of the sync operations are logged. Depending on the number of objects that were changed, there can be a log of tens of thousands of lines at each sync. Delegate365 provides various methods for accessing that data and for handling large amounts of data.

[Update 29th June: The following screenshots will open in full size for better readability when clicked.]

1. Seeing audit data within Delegate365

The auditing menu shows the latest audit data for quick lookups. This list can be filtered by Date range and by a simple search expression, such as a value from the AdminName or OU column. Depending on the change being made, the Details column shows all changed properties or assignments. Auditing currently shows data for up to the last 6 months (depending on the size of the log and the Office 365 tenant, so this can vary in your environment).

Since the data is logged in a variable data format, the admin can navigate through the details by opening the tree objects as shown here. For example, this user has been changed by the SyncOp automatically and some licenses have been added, so that there are now 27 active plans assigned.

This list can be browsed with the Previous and Next buttons at the end of each page.

Important: If the auditing log gets too extensive, no data will be shown (the auditing list then stays empty). This happened at some Delegate365 tenants in the past. We are currently developing a workaround for that scenario. With the next update, the log will be divided into smaller parts per day to enable access in the Auditing module in all scenarios. This will be described here soon. If this happens in your tenant now, please follow the alternative steps as described below.

2. Working with the Microsoft Storage Explorer

The second method to work with audit data is to access it directly from the Delegate365 storage. Here, the amount of data is easier to handle and the audit data can be exported for further use, for example for custom reporting.

  • Open the administration / audit / reporting menu and follow the steps below.
  • Now it depends on how you want to use the Delegate365 audit logs: You can download the data with a tool like Microsoft Storage Explorer, or you can access the data directly with Excel, Power BI or other tools.
  • If you want to access the data directly on your computer, you need to install the free tool Microsoft Storage Explorer from storageexplorer.com once. This allows you to connect to the Delegate365 storage in a similar way to Windows Explorer.
  • Download and install StorageExplorer.exe on your computer.
  • After starting, select “Use a storage account name and key” to connect and click Next.
  • Now we need to enter the Account name and Account key. Leave the other settings as defaults (and as shown here).
  • Switch to Delegate365 and get the access keys from there by clicking the Get account button.
  • Copy both keys (Account name and Account key) into the Microsoft Storage Explorer form and click Next.
  • Confirm by clicking Connect.
  • Now you should be connected to the Delegate365 storage account. Navigate to your storage account name (d365demo5 in this sample) / Tables / AuditLogSearch. In here you can access all the log data.
  • Info: Edit shows one row in a more readable format.
    The changes themselves are stored in JSON format in the Value column, which can look like the sample below. To split these values, we recommend using Microsoft Excel or Power BI (see below).
    Sample data:
    {
      "Fields": [
        { "FieldName": "Id", "CurrentValue": "0", "OldValueIfAny": "" },
        { "FieldName": "Identity", "CurrentValue": "projecta", "OldValueIfAny": "" },
        { "FieldName": "Name", "CurrentValue": "projecta", "OldValueIfAny": "" },
        { "FieldName": "DisplayName", "CurrentValue": "Project A", "OldValueIfAny": "" },
        { "FieldName": "Alias", "CurrentValue": "projecta", "OldValueIfAny": "" },
        { "FieldName": "Guid", "CurrentValue": "4c317d67-fac5-4896-b4a0-fc005be01fb9", "OldValueIfAny": "" },
        { "FieldName": "Synced", "CurrentValue": "4/20/2017 5:19:52 PM", "OldValueIfAny": "" },
        { "FieldName": "PrimarySmtpAddress", "CurrentValue": "projecta@CIE4851707.onmicrosoft.com", "OldValueIfAny": "" },
        { "FieldName": "DirSyncEnabled", "CurrentValue": "False", "OldValueIfAny": "" },
        { "FieldName": "ExternalDirectoryObjectId", "CurrentValue": "0e4fb799-c968-4561-b92d-1637692bcb43", "OldValueIfAny": "" }
      ],
      "UserMembershipChanges": {
        "DistributionGroupAdded": "", "DistributionGroupRemoved": "",
        "SecurityGroupsAdded": [], "SecurityGroupsRemoved": [],
        "SharedMailboxAdded": "", "SharedMailboxRemoved": ""
      },
      "Licenses": [],
      "MembersAdded": [],
      "MembersRemoved": []
    }
  • You can query the table to filter the results, for example to see all objects that the user admin@….onmicrosoft.com has changed, combined with further filter expressions. If you need recurring queries, a query can be saved as a .stgquery file and reused later. The Storage Explorer is a powerful tool.
  • The (filtered) data can be exported easily and reopened, for example with Microsoft Excel for further usage.
  • Storage Explorer can manage multiple connections. You can also add another connection anytime with the Connect icon. Then, simply follow the wizard as shown above to connect to other data sources within the Azure Storage.

Microsoft Storage Explorer is a powerful tool for exporting or querying Delegate365 audit data.
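
The Value column described above can also be flattened with a few lines of script instead of Excel or Power BI. The following Python code is an added example, not Delegate365 code: it parses Value cells shaped like the sample, normalises the mixed "" and [] encodings for "nothing", and lists the rows that add security groups, members or licenses. The row layout (AdminName, OU and Value as dictionary keys), all sample values and the REVIEW_KEYS selection are assumptions.

```python
import json

# Constructed sample rows. Column names AdminName/OU/Value and the JSON keys
# follow the page; every value is invented for this example.
SAMPLE_ROWS = [
    {"AdminName": "admin@example.onmicrosoft.com", "OU": "Sales", "Value": json.dumps({
        "Fields": [
            {"FieldName": "DisplayName", "CurrentValue": "Project A", "OldValueIfAny": ""},
            {"FieldName": "DirSyncEnabled", "CurrentValue": "False", "OldValueIfAny": "False"},
        ],
        "UserMembershipChanges": {
            "DistributionGroupAdded": "", "DistributionGroupRemoved": "",
            "SecurityGroupsAdded": ["Finance-Approvers"], "SecurityGroupsRemoved": [],
            "SharedMailboxAdded": "", "SharedMailboxRemoved": ""},
        "Licenses": [], "MembersAdded": [], "MembersRemoved": []})},
    {"AdminName": "SyncOp", "OU": "IT", "Value": json.dumps({
        "Fields": [],
        "UserMembershipChanges": {"SharedMailboxAdded": "support"},
        "Licenses": ["constructed-plan"], "MembersAdded": [], "MembersRemoved": []})},
    {"AdminName": "admin@example.onmicrosoft.com", "OU": "IT", "Value": "{truncated"},
]

# Change lists a reviewer wants surfaced; this selection is an assumption.
REVIEW_KEYS = ("SecurityGroupsAdded", "MembersAdded", "Licenses")


def as_list(value):
    """The page's sample uses both "" and [] for 'nothing'; normalise to a list."""
    if isinstance(value, list):
        return [v for v in value if v not in ("", None)]
    return [] if value in ("", None) else [value]


def summarize_value(value_json):
    """Flatten one Value cell into changed fields and non-empty change lists."""
    try:
        doc = json.loads(value_json)
    except (TypeError, ValueError):
        doc = None
    if not isinstance(doc, dict):
        return {"parse_error": True, "changed_fields": {}, "changes": {}}

    changed = {}
    for field in as_list(doc.get("Fields")):
        if not isinstance(field, dict):
            continue
        old, new = field.get("OldValueIfAny", ""), field.get("CurrentValue", "")
        if old != new:  # keep only properties whose value differs
            changed[field.get("FieldName", "?")] = (old, new)

    changes = {}
    membership = doc.get("UserMembershipChanges")
    sources = dict(membership) if isinstance(membership, dict) else {}
    for key in ("Licenses", "MembersAdded", "MembersRemoved"):
        sources[key] = doc.get(key)
    for key, raw in sources.items():
        items = as_list(raw)
        if items:
            changes[key] = items
    return {"parse_error": False, "changed_fields": changed, "changes": changes}


def rows_to_review(rows):
    """Return (AdminName, OU, reason) for rows that touch REVIEW_KEYS.

    Rows whose Value cannot be parsed are reported rather than dropped, so a
    damaged export never hides a change.
    """
    findings = []
    for row in rows:
        summary = summarize_value(row.get("Value"))
        if summary["parse_error"]:
            findings.append((row.get("AdminName"), row.get("OU"), "unparseable Value"))
            continue
        for key in REVIEW_KEYS:
            if key in summary["changes"]:
                findings.append((row.get("AdminName"), row.get("OU"),
                                 f"{key}: {summary['changes'][key]}"))
    return findings


if __name__ == "__main__":
    for finding in rows_to_review(SAMPLE_ROWS):
        print(finding)
```

To use it on real data, load the rows exported from the AuditLogSearch table and pass them in place of SAMPLE_ROWS.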

3. Using Power-BI

The third approach is to use Delegate365 audit logs directly from the storage with Microsoft Power BI.

  • Open powerbi.microsoft.com/desktop/ and install the Desktop client PBIDesktop_x64.msi on your computer.
    (It is not necessary to use the client version. You can also access and work with the data in the online client directly in a browser at https://app.powerbi.com/, but the desktop client usually provides more features and more convenience.)
  • Start Power BI Desktop and sign in (you need to have an Office 365 Power BI license).
  • In Delegate365, open the administration / audit / reporting menu and follow the steps below.
  • Download the Delegate365 Power-BI file by clicking the “Get Power-BI file” button.
  • Unzip Delegate365-Dashboard.zip. That extracts Delegate365-Dashboard.pbix.
  • Change to Power BI Desktop and open Delegate365-Dashboard.pbix. This should look as follows:
  • In the ribbon, click Edit Queries and Data source settings.
  • In the data source settings, click the “Change source” button.
  • You need to get the Delegate365 storage account access settings as described in (2). Now copy the Azure account name (in our sample “d365demo5”) into the Account name or URL field. Confirm with “Ok”.
  • If asked, confirm the message “There are pending changes in your queries that haven’t been applied.”. Click the “Apply changes” button.
  • Then, Power BI Desktop will ask you for the Account key. Paste the account key (in our sample “bO/GmPYD00ci+….”) from the Delegate365 settings into that field and click “Connect”.
  • Now data should be transferred from the Delegate365 storage to the Power BI client. Depending on the log size, this can take some seconds or longer…
  • That’s it. The dashboard will be populated with the (Pivot) queries of the AuditLogSearch table.
  • In the Delegate365 Power BI data source, all (possible) data is already transformed from JSON to extra data fields. This makes it easy to access all kinds of data in the dashboard editor. The following screenshot shows the applied steps for the data source to extract all data from JSON format to fields.
  • To refresh the dashboard, click the Refresh button in the ribbon any time (and wait for the latest data, which is then visualized instantly).
  • Feel free to modify your dashboards with the data provided by Delegate365 Audit Logs (and don’t forget to save your dashboard with the current data).
  • Power BI provides a quick and cool toolset to get the data you are interested in.

Summary

All actions executed in Delegate365 are logged, whether it’s a manual action or an automated process. Portal Administrators get access to all the audit data of Delegate365. There are several ways to get all audit data easily for further usage in other tools. Opening the Delegate365 data storage is based on Microsoft standards and supports further scenarios and custom development.

We hope you like the (new) way of working with data out of Delegate365 and we appreciate your feedback.




Delegate365 changelog version 6.4-automate additional licenses assignments

Monday, May 8, 2017

In the Delegate365 version 6.2 update, we added an important feature to save Delegate365 licenses. This Delegate365 version brings a new, powerful feature for more Office 365 automation.

The new version number is 6.4. No worries, you have not missed version 6.3, since this was an internal version for adding the new user license assignment feature, testing and fixes. Delegate365 version 6.4 will be rolled out in the next two weeks. So, what does this update do?

  • Why additional license assignments: In Delegate365, all manageable objects such as users and groups are assigned to an Organizational Unit (OU). This can be combined with automatic license assignments, which have been available for about two years (see the basic functionality here). Recently, we got requests from some of our customers to add additional features for automatic Office 365 license assignments.
    Most of the Delegate365 customers are adding the desired OU name to a specific user attribute to ensure that new users or user changes are automatically assigned to the corresponding OU in Delegate365 through the SyncOp. As mentioned above, this can be combined with assigning an additional Office 365 license coming with the OU assignment, which is a very common scenario. Sometimes, additional Office 365 licenses shall be added automatically. Now there is an additional feature in the Sync options to add Office 365 licenses to users based on custom values as follows.
  • How to set additional license assignments automatically: In administration / sync / sync options there’s a new region named User license assignment. This works as the other available options and can be set to Yes or No with the Use license sync options switch. Below that, multiple conditions can be added as follows.
    By default, the Use license sync options are set to No.
    If switched to Yes, the region below becomes active and can be configured. Portal admins can add multiple lines, each defining a specific condition, which could be as follows:
    If “Department” contains the value “E3”, then assign specific plans of the E3 license (or similar).
    As a first step, the user property selection is made and the string to compare is added (here: “E3”).
    Then, a click on the Licenses icon opens the license panel on the right. Here, a custom set of licenses can be selected.
    In this sample, the user shall get “Skype” and “SharePoint” plans, if the condition is met.
    The license set must be stored by clicking “Save”. Now the condition (that line) is defined.
    Click the Save button at the bottom to save all Sync options on that page. The configuration is persisted and will be used by the following Sync operations.
  • Matching rules: The Sync options can be used for comparing user properties (such as Department, CustomAttributes, etc.) or for checking if the user is a member of a security group as well, the same as the user sync options for assigning to an OU. The value must be part of the selected property (upper and lowercase and spaces at the start or end are ignored), so the condition always says “contains”. So in this example, the condition works and will be executed if the user property in department is set to “E1, E3, E5”, or “set license to e3 and e5” or simply “e3”. With that mechanism, administrators can create powerful automations for assigning any license set, defined by any custom value.
  • License selection: The Licenses icon visualizes if there are licenses selected or not. This helps to see at a glance if licenses will be added or not.
  • Remove a license condition: To remove a condition, click the Remove icon “x”. There is no confirmation needed. The new configuration is saved by clicking the Save button at the bottom of the page and is valid immediately for the next SyncOps.
  • All sync options are used when the next sync operation runs (automatically or manually). This means, you will see a result – the users matching the defined condition will receive the Office 365 licenses - after the next SyncOp.
  • Additional licenses: Keep in mind: As in all automatic license assignments in Delegate365, Office 365 licenses are always added additionally. So, licenses are never removed from a user with any automatic task.
  • To make it short: The new User license assignment options help to automatically add Office 365 licenses independently of OU-assignments in Delegate365. This only affects users that are assigned to an OU in Delegate365, that is, users that are visible in Delegate365.
  • Manage administrators fix: If the display name of an administrator contained round brackets (as “John Doe (Scope administrator)”), the text within the brackets was not saved. This has been fixed.
  • Login process fix: In some rare cases and specific tenant configurations, an error could occur after the login process denying access to Delegate365. We identified that issue, which seemed to be a misconfiguration of the Microsoft AAD login methods, and worked around that scenario. So the login process will now react to that situation and deliver a meaningful error message that a false identity is used for that Office 365 tenant.

Delegate365 version 6.4 allows you to automate custom license requirements. This is a powerful addition for auto license assignments within Delegate365. Now Office 365 licenses can be set by simply setting a user property to any custom value and by defining one or more conditions in the Sync options.
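
Because the matching rule described above is always “contains”, a short compare value can also match inside a longer word. The following Python dry run is an added example, not Delegate365 code: it applies the described matching (case and surrounding spaces ignored, licenses only added) to a user list and marks matches that are not a separate word. It covers property conditions only; the rule and user structures, all sample values and the handling of a blank compare value are assumptions.

```python
import re

# Constructed rules and users; names, properties and plans are illustrative.
RULES = [
    {"property": "Department", "contains": "E3", "plans": {"Skype", "SharePoint"}},
    {"property": "Department", "contains": "  ", "plans": {"Exchange"}},  # blank value
]
USERS = [
    {"upn": "a@example.com", "Department": "E1, E3, E5", "plans": {"Exchange"}},
    {"upn": "b@example.com", "Department": " set license to e3 and e5 ", "plans": set()},
    {"upn": "c@example.com", "Department": "Plant E35 logistics", "plans": set()},
    {"upn": "d@example.com", "Department": "Finance", "plans": {"Skype"}},
]


def normalize(text):
    """Case and leading/trailing spaces are ignored, as the page describes."""
    return str(text or "").strip().casefold()


def rule_matches(rule, user):
    """'Contains' match of the rule value against the selected user property."""
    needle = normalize(rule["contains"])
    # Assumption: a blank compare value matches nobody. Plain substring logic
    # would match every user, so the dry run refuses it.
    return bool(needle) and needle in normalize(user.get(rule["property"]))


def is_whole_token(rule, user):
    """True when a single-word value appears as a separate word in the property."""
    tokens = re.split(r"[^0-9a-z]+", normalize(user.get(rule["property"])))
    return normalize(rule["contains"]) in tokens


def dry_run(rules, users):
    """Return {upn: {"plans": resulting set, "added": set, "review": [reasons]}}."""
    report = {}
    for user in users:
        added, review = set(), []
        for rule in rules:
            if not rule_matches(rule, user):
                continue
            added |= rule["plans"] - user["plans"]
            if not is_whole_token(rule, user):
                review.append(f"{rule['contains']!r} only matches inside a longer "
                              f"word in {rule['property']}")
        # Additive only: existing plans are never removed.
        report[user["upn"]] = {"plans": user["plans"] | added,
                               "added": added, "review": review}
    return report


if __name__ == "__main__":
    for upn, result in dry_run(RULES, USERS).items():
        print(upn, sorted(result["added"]), result["review"])
```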

The deployment of the update will start on May 8th and continue during the following two weeks. Enjoy automating with the new user license assignment feature!




Delegate365 changelog version 6.2-license and further improvements

Friday, April 7, 2017

Delegate365 version 6.2 comes with some updates and improvements. See the new features described here.

  • License counting update: Delegate365 is licensed per user that shall be managed. There is just one peculiarity with that: shared mailboxes and resources are delivered from the Office 365 interface as users. As a result, D365 counts such users (but only if they are assigned to an OU as well), although they do not need to have an Office 365 license. This can lead to uncertainty about why licensing in D365 can be different from Office 365. Again, this is only the case if the user objects are assigned to an OU in D365. For more information about that topic, please see Delegate365 license information (Q&A 4 to 6). With the new feature, this behavior can be compensated for and is obsolete.
    The following graphic shows such a scenario where a shared mailbox “support” is assigned to an OU in D365 (and counts as a D365 user license).
    We wanted to simplify that licensing in D365 to make it equal to Office 365 licensing in that specific case. With this D365 update, there are two new switches “Ignore shared mailbox users” and “Ignore resource users” in the administration / sync / sync options user region.
    By default, these two switches are set to “No”. This means, existing users for shared mailboxes and resources stay in the users list, as it was before.
    If set to “Yes”, shared mailboxes and resources are ignored as “user” in D365. Such user objects that existed in the users list will be removed from the users list. (No worries, nothing bad happens, they just no longer show up – and are not counted for D365 user licenses.)
    After the next SyncOp (of course, with the “Use user sync options” switch set to “Yes”), these user objects will no longer be shown in the users list.
    The shared mailbox “support” is gone from the users list.
    Of course, the object is still manageable in the more / shared mailboxes list and can be managed there. The same goes for the resources.
    Our recommendation: Set both new switches to “Yes”. Usually there is no need to manage a shared mailbox or a resource in the same way as a user.
    With “Ignore shared mailbox users” and “Ignore resource users” activated, this saves D365 licenses.
  • D365 license check: See the D365 license status in the menu bar by opening the information (bell) icon.
  • Create new users: The creation of a new user in D365 has been updated. The editing works as before…
    After clicking “Save”, the provisioning starts. Now you can watch the various processes in real time. Now, D365 first checks if the UPN is available in the Office 365 tenant (and various other options) and only completes if all prerequisites are met.
    This new behavior allows admins to immediately see if any issues occur during the user creation process. For example if the UPN was already used somewhere in the Office 365 tenant (as contact, alias or similar), the user creation could not be finished but the admin did not know what caused the problem. This now is transparent to the admin.
  • Resources OU assignment fixed: There was an issue in version 6.1 if resources were automatically assigned to an OU by a property during the SyncOp. The automatic OU assignment of resources did not work. This has been fixed with this version.
  • Automatic service communication check: D365 runs with service accounts that need to be valid for communicating with Azure Active Directory and Exchange Online. If, for any reason, these accounts are no longer valid (for example if the user object has been deleted or a password has been changed or similar), D365 now checks if it can communicate with the Microsoft interfaces. If not, alerts are shown in the menu bar. When opening the alert (triangle) icon, you see the details.
    The same goes for the D365 AAD Service Account that is usually valid for two years. If the validity does not extend more than one month into the future, you get an alert as well. The Service account’s expiration date will be shown in that case.
    If you get such a warning and any of these two accounts is expired, D365 will no longer work (for any user).
    Please renew the Office 365 account or rerun the setup as stated in the warning; simply follow the links.
  • Manual service communication check: Additionally, you can test the connectivity anytime in administration / configuration / office 365 account settings with “Test credentials”. In case of failure, alerts are shown:
    Again, please renew the Exchange account in that case and re-test.

Delegate365 version 6.2 brings improvements and will be deployed to all existing production tenants starting on 10th April and during the following two weeks.




Components of Delegate365

Monday, February 27, 2017

Since the beginning, Delegate365 has developed into an extensive cloud solution for Microsoft Office 365. This article delivers a short overview of the components of Delegate365 in the Microsoft Cloud.

The following graphic shows the involved Azure services that are used in D365.

Delegate365 is using Platform-as-a-Service components that are maintenance-free. In detail, Delegate365 consists of the following Azure services.

  • Web App – this hosts the Delegate365 portal website.
  • Jobs – these are tasks that run automatically in the background, currently these are the Synchronization Job, the License Aggregator Job, the Log Sink Job and the Sync Notifications.
  • Cloud Service – handles operations against AAD and Exchange Online.
  • Database – is used for caching objects to deliver a good user experience and for storing OU assignments.
  • Storage – Audit Logs are stored in Azure Table Storage. In former versions the logs were stored as log files. With version 6 this has been changed to Azure Table Storage. This storage can be accessed directly if needed, for example for further use of the logs with Excel or Power BI.
  • Monitoring – anonymized usage data is sent to a central App data pool to get metrics about the usage of pages and functions and monitoring.
  • AAD – this is your Office 365 tenant which is bound to the D365 tenant.

When provisioned, every customer gets their own environment, which looks as described above. The provisioning process is done with a management tool called “D365 Worker”. This tool runs completely in Azure as well and takes care of automated provisioning of all necessary components and the upgrade process.

Since Delegate365 is provided as Software-as-a-Service, there is no need for customers to install any software or to take care of the update process. See the latest Delegate365 features here.

Happy Delegate-ing!



