Delegate365 changelog 9.2.4-Service health, guests, and teams templates

Wednesday, January 19, 2022

Delegate365 v9.2.4 is the latest update that brings new service health, guest user information, teams templates and other improvements. See the details here.

• Important: To upgrade to this version, Delegate365 setup must be run. We will inform all customers to make an appointment for the setup. This is required because the Delegate365 app needs additional permissions to read the service health (see below). Follow the steps at Delegate365-(Re)run the setup.
• The dashboard service health: As described at Delegate365 changelog 9.3-Service health, the old Microsoft Service Communications API has been retired by Microsoft. Therefore, the service health components in Delegate365 had to be changed. After the setup, the dashboard shows the service health properly again. The new service health shows more detailed information. Each service can be opened by clicking on it.
  
• New Health menu: The Health menu now includes the Service health (as in the dashboard) with status, overview and history, and the new Message center. The Service health is specific to your own Microsoft 365 tenant and provides up-to-date data on each cloud service for up to 60 days.
  
• New message center: Another new module is the Microsoft 365 message center that provides an overview of planned changes and how it may affect your tenant and services for up to 200 days.
  
  The list can be filtered by Service, by Tag, and with a Search text.
  
  Also, the messages can be opened by clicking on the item. Click outside of the panel to close the message.
  
• The user list explicitly shows guest users: The users list now shows a new column with the "User type". Internal users in your tenant have Member status, while external users have Guest status. The column "Type" has been renamed to "Mailbox type" (which can have User, Shared, Resource, and Equipment as value).
  
  The export also includes this new column so it can be easily filtered.
• Guest user status: When a user is opened with Edit, the title now shows the Guest status as well. Guests who have been invited are given a status of PendingAcceptance,
  
  Guests who have already accepted the invitation to the organization's tenant are given a status of Accepted.
  
  Also, the date of the last status change is shown. This helps to identify inactive users.
• OU Assign/Unassign new filter: To filter users more easily, a filter for the user type was added in the OU / Assign and OU / Unassign module. This allows you to filter by members, guests, and all user types. The default is set to Members.
  
• Sync rules with comma as separator: All sync rules available for DisplayName now include a comma as a new separator. The OU name can also be extracted if the DisplayName of an object contains a "," between the OU name and the group name, like "New York,Human Resources".
  
  

• Create a new team with a teams template: Delegate365 allows to add teams templates that can be used for creating a new team and for converting a Microsoft 365 group to a team. See a description at Teams templates.
  
• Clone a team: This feature allows to duplicate an existing team with selected properties. See a description at Teams templates.
  
• Fix Add user to group: Previously, admins could add a user to a group that was assigned as Group OU only. The feature was recently added to users, but in this case this was incorrect as the intent for Group OU´s is to be read-only. This has been fixed, so that Group OU objects are no longer be available in that function.
• Fixes: Various minor fixes are included in this release.

This version will be updated in all Delegate365 tenants over the next month. New Delegate365 tenants will automatically get the latest version.

Delegate365 changelog 9.2.4-Teams templates

Tuesday, January 18, 2022

In Delegate365, a new Microsoft Team can be deployed using a teams template. Teams can also be cloned. Details can be found here.

• Menu Teams: A Microsoft Team is built on a Microsoft 365 Group. The Teams module can be found in the Groups / Teams menu. The following screenshot shows the new and adjusted functions.
  
• Create a new team with a teams template: As usual, click on the plus icon in the top left of the list. In the groups pane, enter the new team name and properties. By default, the Create a Team switch is set to Yes. Below that, there is a new dropdown control Template that allows to specify which teams template shall be applied to the new team.
  
  When done, click Save at the bottom of the panel. Usually the new team is ready after a few seconds to a minute.
• Available templates: By default, one template is available, which is also the default choice: the Standard template. To make more templates available, an admin needs to create team templates that need to be added to the Delegate365 administration, as described here.
• Create a new teams template: The quickest way to create a teams template is to customize an existing team. For example, new channels are created here in a team and a tab with an app or a link (here it is the tab Website) is added.
  
  When finished, the team can be used for the template creation. As a Microsoft 365 Global Administrator, open https://admin.teams.microsoft.com/teams/templates. Click Add.
  
  The wizard allows to create a new template, use an existing team as a template, and to start with an existing template. Here, we select the second option and click Next.
  
  Now we select the Project Tango team and click Next.
  
  In the next step, the template description must be added. It is absolutely necessary to set the LOCALE to ENGLISH (UNITED STATES)!
  
  Currently, the provisioning process only works when the locale is set to "en-US". This is a known issue at Microsoft and will hopefully be fixed at some point. Therefore, please make sure that the locale is correctly set to "English (United States)". Click Next.
  In the last step, modify the Channels or Apps, if needed. Click Submit when done.
  
  The template is created and will be shown in the list of the Team templates.
  
  Now, click on the template. We need to copy the Template ID (here it´s 02b3…) to insert it into Delegate365.
  
  We´re done in the Teams Admin Center. See more about this process at Create a custom team template in Microsoft Teams.
• Add a teams template to Delegate365: In Delegate365, open Administration / Teams Templates. This new module allows to manage these templates.
  
  Click on the plus icon to add the new template. In the panel, add the name and paste the Template ID that we remembered earlier (here 02b3…). The Active switch allows the template to be made available to the users.
  
  Click Save when done. The teams template is now available. Only templates that are active are available in the selection.
  
• Apply a teams template: As described above, select the new template when a new team is created, as here.
  
• Check the new team: In the Teams app, find the provisioned team and see the predefined channels and apps. Here, "Project Victor" looks the same as the underlying template "New project".
  
• Teamify with a template: An existing Microsoft 365 Group can be converted to a team with a template as well. Select the group and open Convert to team.
  
  Select the template to use. By default, Standard is selected.
  
  After the conversion, the team will be available based on the selected template. It might take some time until the team shows up in the Teams app.
• Clone a team: This new option allows to duplicate an existing team with selected properties. Select the group and open Clone team.
  
  The panel looks very similar to the "Create Team" panel, but allows you to choose which data to clone. By default, all options are selected. Note that some parts are dependent on others.
  
  Click Clone when done and check the new team once it shows up in the Teams app.
  
  The cloned team is a copy of the source team, depending on the parts selected.

The new Teams capabilities provide more options for managing Microsoft Teams for your OUs and for the organization. More new features in this update are available at Delegate365 changelog 9.2.4-Service health, guests, and teams templates.

Delegate365 changelog 9.3-Service health

Wednesday, December 8, 2021

Microsoft announced the retirement of the Microsoft Service Communications API (Msg MC299902). Therefore, we changed the service health components in Delegate365 to use the successor API functions with immediate effect and to get more data. A new setup of Delegate365 is required. See the details here.

The Service health module in Delegate365 shows, what´s happening in a specific Microsoft 365 tenant at a glance to all authorized users. Contrary to the required authorizations in M365, this is not necessary in Delegate365. All admins can view the service health and the message center posts.

With this update, this module changed.

• The old Service Health module showed a list of M365 services, and messages from the last 14 days, as here.
  
• When the user opens a message, all notifications for that topic are shown.
  
• The new Health module consists of two features: Service Health and the (new) Message center.
• Service Health now shows shows only the latest news (and no longer all messages from the past two weeks). Closed messages are not displayed by default. These messages can be shown in the View history panel. The icons are now the same as in the M365 admin center, and the status is the current status, delivered from the health service of the tenant.
  
• The details are now shown more clearly:
  
• The View history panel shows messages, that are already closed. These are messages are no longer valid:
  
• The new Message center shows tenant-information to keep track of upcoming changes, including new and changed features, planned maintenance, or other important announcements. The list shows any messages from the last 200 days.
  
• Here, each message informs, how the topic may affect your users, and links out to more detailed information to help you prepare.
  
  Close the message panel, or simply click outside of the panel to close it.

Since the old Service health API will be deactivated on December 17th, 2021, it is required for a Delegate365 Admin to renew the Delegate365 app and to consent to the new required permissions as a global administrator. Pls. see the article Run the Delegate365 setup and follow the steps.

All Delegate365 tenants will be upgraded to the new version this December.

Delegate365-Empty Reports

Wednesday, September 8, 2021

In some tenants, sometimes reports appear blank. This can happen when reports are obfuscated in the Microsoft 365 admin center. See more here.

Reports can be scheduled and downloaded in the Reports menu. When the report generation is completed, they show up in the list, as here.

When the report is open and "no data available" is displayed (although you see users and groups in the Delegate365 pages)…

…the reason will likely be that Microsoft 365 obfuscates user, group and site data in the report settings. In this case, as administrator, check as Admin Center / Settings / Org Settings / Reports settings (Microsoft 365 admin center), as here. Note that in new tenants this feature can be set to On by default.

While it may be understandable to activate this "report obfuscation" feature for reasons of security and compliance, it results in Delegate365 receiving no data and displaying empty reports when users, groups or SharePoint sites are included. M365 then only delivers Id´s that cannot be mapped to a user that is assigned to an OU in Delegate365.

If your organization's compliance guidelines allow, disable this report setting in your M365 tenant to view report data.

As a result, data will appear again in Delegeate365 in newly created reports. You can find a list and samples of all available reports in Delegate365 here.

Delegate365 changelog 9.2.3-Add users to groups

Monday, July 26, 2021

Delegate365 v9.2.3 brings a fix for the Message Trace function and offers a mechanism to add multiple users to one or more groups directly from the user list. See it here.

• Bulk add users to groups: In the users list, select more than one user. The menu on the right then shows the new option "Add users to group". In this sample, 3 users are selected: Debra, Pradeep and Lee.
  
  The panel "Add users to group" opens and allows to select multiple groups of all types: Security groups, Distribution Groups, and Microsoft 365 Groups. The admin can search for the groups and add them to the Groups picker. By clicking on the Save button, a confirmation popup appears. When clicking Ok, the selected users will be added as members to these groups.
  
  A quick toast message shows the result in the bottom right corner.
  
  If the user already was a member of a group, this is ignored.
• Check group assignments: As before, admins can check existing group assignments anytime in the Users list as well by opening the "Member of" function.
  
  A panel then shows all groups where Debrah is member of.
  
• Trace Messages Shared/Resource Mailbox Fix: If a message trace was executed, and the traced mailbox was a Shared Mailbox, or a Resource Mailbox, in some scenarios the output did not show all results. Also, SM and RM OU assignments are now fully considered. Both issues that could happen in some scenarios have been fixed.

This version has already been updated in all Delegate365 tenants and is available as of today.

Message Trace in Delegate365

Friday, July 9, 2021

When you run a message trace operation to get status information about specific emails, the result can vary, depending on time zone settings. See a sample here.

Show messages in the mail client

In this sample, we work with an email sent from azure-noreply@microsoft.com. In Outlook we see the timestamp at Mon 7/5/2021 7:08 PM (2021-07-05 19:08).

Message Trace in Delegate365

In Delegate365, admins can run a message trace to get information about the delivery status. When we run the message trace with the filter Startdate 2021-07-05 to Enddate 2021-07-05 - just this one day - and that user as recipient…

…we do not get a result. The Message trace result shows an empty list.

Why is that? Let´s check.

Message Trace with PowerShell

When we check with Remote Exchange PowerShell (you can also preferably use the EXO V2 module) and the Get-MessageTrace cmdlet, and an extended time frame from one day before (2021-07-04) to to one day after  (2021-07-06) as here…

$session = New-PSSession -ConfigurationName Microsoft.Exchange `
  -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
  -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -AllowClobber

Get-MessageTrace -StartDate '07/04/2021 0:00AM' -EndDate '07/06/2021 11:59PM' `
  -RecipientAddress 'admin@tenant.onmicrosoft.com'

…we get two results. The second result from azure-noreply@microsoft.com is the one message we are interested in.

Received            Sender Address                           Recipient Address                 Subject                                    Status
--------            --------------                           -----------------                 -------                                    ------
06.07.2021 20:33:18 ProjectAlpha@M365x398760.onmicrosoft.com admin@tenant.onmicrosoft.com You've joined the Project Alpha group      Delivered
06.07.2021 02:08:34 azure-noreply@microsoft.com              admin@tenant.onmicrosoft.com Azure AD Identity Protection Weekly Digest Delivered

We see, that the one message is not from 2021-07-05 19:08 as shown in Outlook, but from 2021-07-06 02:08. The time difference between the two dates is 7 hours. Let´s search for the reason.

Get the tenant information

As a Global Admin, we can check the location of the Exchange Online servers in the Microsoft 365 admin center - Org settings.

So, the Exchange Server is located in the European Union, which means Central European Time (CET) which is UTC/GMT+1.

Check the mailbox time zone

The Delegate365 message trace did not return the same result. When we check the user´s mailbox with Get-Mailboxregionalconfiguration, we see that the mailbox settings are in a different time zone (in Pacific Standard Time, which means UTC−08:00) than the Exchange server (in Central Europe Time):

Get-Mailboxregionalconfiguration -Identity 'admin@tenant.onmicrosoft.com'

Identity             Language        DateFormat TimeFormat TimeZone
--------             --------        ---------- ---------- --------
admin                en-US           M/d/yyyy   h:mm tt    Pacific Standard Time

# To get all available time zones, we can run
Get-TimeZone -ListAvailable

The mail was delivered at 06.07.2021 02:08:34 CET, but the mailbox shows one day earlier, 2021-07-05 19:08 PST, which results in a time difference of -7 hours on the previous another day.

This is the reason, why different dates are shown, and why the message trace with the filter for one full day (2021-07-05) did not deliver that email(s).

Solution: Extend the date range in Delegate365 Message Trace

So, we add one day to the message trace filter in Delegate365. The Startdate goes from 2021-07-05 to Enddate 2021-07-06. Delegate365 always is using the full day, so in this sample, this covers 2 days.

We now get the two messages, including our sample email.

The time here differs because of the time zones of the mailbox, the Exchange server and the client. Between the local client time (CET: UTC+1) and the mailbox time zone (PST: UTC-8), there are 9 hours difference. The email that was delivered for the user on 2021-07-05 19:08 plus 9 hours makes 2021-07-06 04:08. This is the result that is shown in Delegate365.

Summary

To ensure, to get all messages of a specific time range with message trace, add or substract one day, depending on varying time zones of the Exchange server location and the user´s mailbox, as in this sample. Check the configuration to know about such possible settings.

Also, admins can set the Exchange server time zone as described at Configure the time zone in Exchange Online, and modify the mailbox time zone with Set-MailboxRegionalConfiguration.

I hope this sample helps to clarify and to avoid unexpected results in the message trace functions.

Delegate365 changelog 9.2.2-Manage group owners

Wednesday, June 16, 2021

Delegate365 v9.2.2 allows to manage group owners. The permission policies have been extended and the current admin can add him- or herself or additional group owners for Security Groups and Microsoft 365 Groups. See a description of the latest features here.

• Enable (or disable) the manage owner feature: To enable the "manage owner" feature, you have to set the corresponding permission policies in the Groups - Security Groups - Manage owner from No to Yes, as here. Then, click on the Save button at the page end of the permission panel.
  
  By default, this new setting is disabled. So, don´t forget to switch it on, if your admins shall be able to set the group owner for security groups (in the same way as for Microsoft 365 Groups). Once the setting is set, it will be effective for all admins that have that permission policy assigned. To learn more about setting permission policies, see here.
• Check the Manager owner permission: To modify owners of a group, the "Manage owner" and "Ownership" settings in the policy should look as here:
  
• Test it with Logout and Login: Note that the policies are applied, when a users signs in. If you modified a policy, the users must sign-out and sign-on again that changes take effect. Close the browser and open Delegate365 again.
  Alternatively, the user can click on the Log Out menu in the user account menu, as here.
  
  The user will be signed-out. After that process, the Delegate365 portal shows an info page. The user can click on the Delegate365 name in the top left corner to sign-in again.
  
  After the successful sign.in, any modified policies are effective.
• Create a new Security Group and add users as owner: When creating a new security group with the "+" icon, the panel now shows the owner selection- The set owner section  is only visible, if the permissions are set as above. The admin can add him- or herself with the "Add me as the owner of the security group" switch set to Yes. Additionally, the admin can select users from his or her OU´s as security group owner, as here.
  
• Modify the owners of a Security Group: When a group is selected, the menu on the right shows the Manage owner feature.
  
  This opens the owners list, where new group owners can be added, or existing users can be removed.
  
  Use the people picker to select new users.
  
  A toast message shows the success of the operation.
  
  Please note that the people picker follows the Delegate365 concept and shows only users that are assigned to an OU the admin is allowed to see. Admins cannot assign a user as an owner, that they are not allowed to manage (OU) or to see (Group OU).
• Microsoft 365 Groups: Microsoft renamed the "Office 365 Groups" to "Microsoft 365 Groups". We did the same in Delegate365. The menus and text now is named Microsoft 365 Groups.
  
• Create a new Microsoft 365 Group and add users as owner: The behavior for adding the current admin or additional users as owners of a new Microsoft 365 Group or Microsoft Team is now the same as for the Security Group.
  
• General note for adding owners: For Security groups and Microsoft 365 Groups, it is not required to set an owner. If you create a Microsoft Team (as in the screenshot), it is mandatory to assign at least one owner. As a result, Delegate 365 adds the current administrator as the team owner, even if the "Add me as the owner of Microsoft 365 Group" switch is set to No, but the "Team" switch is set to Yes. In addition, the owner must be assigned a Teams license, otherwise Microsoft 365 delivers an error that is also displayed in Delegate365.
  To make it short, we recommend to add the current user as an owner of a group, or to add another owner in all cases.
• Message Trace modifications: The Mailboxes / Message trace function got updated and now shows a StartDate and an EndDate dropdown instead of the Date range dropdown that showed Past 24 hours, Past 48 hours and Past 7 Days. The new StartDate and EndDate Pickers allow to select a date between today and the last 7 days (from midnight to 11:59 PM). The default setting is to go back from today and display the last 3 days. This should make it easier to use. Also, the admin can now select the operator OR (only that was available before) and AND (that is new) to specify, if both conditions (sender an recipient), or just one condition must be met by the messages to be shown.
  
• Small fixes: This version also includes some minor improvements from the previous Delegate365 version 9.2.1, such as exporting users fix, improved performance for the users list and the latest PowerShell module update.

Delegate365 version 9.2.2 will be available for all tenants next Monday, June 21st. Happy Delegating!

Delegate365 changelog 9.2-PowerShell module update

Friday, June 11, 2021

The Delegate365 PowerShell module got a small update to expand a user´s assigned licenses, license plans and proxy addresses. See the following description.

See the description at https://github.com/delegate365/PowerShell how to use the Delegate365 PowerShell module-

Check the Delegate365 PowerShell module version

First, ensure you have the latest version of the Delegate365 PowerShell module installed. Check with Get-Module as here. The version must be 1.0.0.10 (or in future a higher version).

If you don´t have v1.0.0.10 installed, update your Delegate365 PowerShell module, as follows.

Update the Delegate365 PowerShell module

Run Install-Module Delegate365 (if not already installed), or Update-Module Delegate365 as here.

Afterwards, check the version as above.

Test the Get-DAADUser expandable feature

Connect to your Delegate365 tenant as described here. Then, to get the advanced user properties, run the Get-DAADUser cmdlet with a user as here.

Get-DAADUser -Identity AdeleV@<tenant>.OnMicrosoft.com

The output shows the AssignedPlans, AssignedLicenses and ProxyAddresses properties of that user as list objects.

We can now expand these properties as in the following code samples:

Get-DAADUser -Identity AdeleV@<tenant>.OnMicrosoft.com | Select-Object -ExpandProperty AssignedLicenses

As result, the SkuId and the DisabledPlans are shown.

To see the assigned plans, we can expand the AssignedPlans property.

Get-DAADUser -Identity AdeleV@<tenant>.OnMicrosoft.com | Select-Object -ExpandProperty AssignedPlans

This shows a list of the assigned plans.

Note: Unfortunately, the Microsoft Graph delivers just the ServicePlanId and in the best case an "internal" (not-pretty) license name and there is no "publicly official Microsoft table" with all possible license names. For example, the first ServicePlanId "efb0351d-3b08-4503-993d-383af8de41e3" is the license "Information Protection for Office 365 - Premium". You can check some of the license Ids in the list at Product names and service plan identifiers for licensing. Delegate365 has an internal list for showing "better" license names. We are planning to improve the output by using the Delegate365 license mapping list in near future.

The ProxyAddresses show all assigned email addresses, such as alias addresses) of the given user, as here.

Get-DAADUser -Identity AdeleV@<tenant>.OnMicrosoft.com | Select-Object -ExpandProperty ProxyAddresses

Happy administrating with Delegate365 PowerShell!

Work with the Delegate365 PowerShell in the Azure Cloud Shell

Friday, May 21, 2021

Delegate365 provides a PowerShell module to access data in Delegate365 in scripts. You can import the Delegate365 module locally, or use it in the Azure Cloud Shell as well. See here, how to use the module in Azure Cloud Shell.

Here, you can find a description of the Delegate365 PowerShell module. It is hosted in the PowerShell Gallery and can be easily installed. So, here´s a step-by-step guide how to use the Delegate365 PS module.

Use the Azure cloud shell

See more about the cloud shell at Overview of Azure Cloud Shell. Users who have access to _any_ Azure subscription can use the cloud shell. A user only needs a Reader permissions to a resource, but a write permission to one specific Azure Storage account for storing the user´s profile is required (see below). So, every user who has access to Azure can use the Azure Cloud Shell.

Open the Azure cloud shell here: https://shell.azure.com/

Setup your cloud shell environment (once)

At the very first call, the cloud shell opens a wizard as here. Select "PowerShell" as environment.

To store the user´s profile, an Azure storage is required. The wizard asks to create a new storage at the first time the user opens the cloud shell.

Done.

Import the Delegate365 PowerShell module

When the storage has been created, the cloud shell opens with the PowerShell environment. Now, we can import and install the Delegate365 module from the PowerShell Gallery.

Install-Module Delegate365

Import-Module Delegate365

The next step is to connect to the Delegate365 API. Just to mention, all operations a user is doing in Delegate365 PowerShell are protocolled.

Let´s connect to Delegate365 with your API key.

You need the Delegate365 URL and an API key. You get a user´s API key in Delegate365 as shown here. Use the Connect-Delegate365 cmdlet to connect with your data as here:

$baseUrl = https://<your-company>.delegate365.com
$apiKey = "<your-api-key>"

Connect-Delegate365 -WebApiSasKey $apiKey -WebApiBaseUrl $baseUrl

Use the Delegate365 cmdlets

Now we can use the Delegate365 cmdlets as here:

Get-DOU
Get-DUser -OU 'Seattle'

See the cmdlets at https://github.com/delegate365/PowerShell.

Use VS Code in Cloud Shell

To run scripts, use the integrated VS Code editor, as in this sample here.

Happy scripting with the Delegate365 PowerShell module in Azure Cloud Shell!

Delegate365 changelog 9.2-More improvements

Monday, March 8, 2021

Delegate365 v9.2 will be extended with some new features this March. See the latest features here.

• See the latest features of Delegate365 v9.2 such as extended reports retention dates, new message tracing options, a new license order process, some fixes and more at Delegate365 changelog 9.2-improvements
• Schema Extensions: Another new feature is described at Introducing user schema extensions in Delegate365. This allows to add custom user data to Azure AD. The custom data can be used with PowerShell for own business processes. See more at how to use Azure AD schema extensions in Graph PowerShell.
  
• Invite guests: When inviting guest users to the M365 tenant, the admin has to fill out a form with the Display name and the email address of the external user. The panel was extended with First Name and Last Name.
  
  The invited user will show up in Delegate365 in the Users list automatically and can be administrated in the same way as internal users. The new fields are stored in the user object, as shown in the Azure Portal.
  
  By default, the guest user gets an invitation to join the M365 tenant. See a detailed description at Delegate365-Working with guest users

The update will be rolled out in March for all Delegate365 tenants. Also, we are working on the next version Delegate365 v9.3 that will come in spring with some more improvements. Stay tuned!

If you want to see the full changelog, please visit our blog.