Change Teams Guest Profile Picture

In tenants with lots of Guests, the massive display of user initials – the default profile picture – isn’t very pleasing to the eye. Now while regular user can change their profile picture, Guest users cannot. Therefor, a long standing and popular request on UserVoice has been the ability to change profile pictures for Guest users. End of 2020, this request was updated, indicating a change was planned to incorporate the ability to change this profile picture. No signs on the roadmap yet, so what options – if any – does one currently have?

Last week, Teams MVP Yannick Reekmans posted a blog containing instructions on how to change your profile picture for tenants in which you are a Guest. It requires quite some steps and fiddling to accomplish this. One might also wonder, isn’t this possible “the programmatic way”? Well, yes, and here are the steps:

First, open up PowerShell, install the AzureAD PowerShell module it is not yet installed using Install-Module AzureAD, and connect to Azure Active Directory, specifying the tenant where you are a guest:

Connect-AzureAD -TenantDomain contoso.onmicrosoft.com

When the authentication challenge pops up, specify the credentials of the Guest account and approve the Multi-Factor Authentication challenge when required.

Next, use Set-AzureADUserThumbnailPhoto to set the profile picture for your Guest account, specifying your User Principal Name as ObjectId, as well as the picture you want to use, e.g.

Set-AzureADUserThumbnailPhoto -ObjectId 'michel_fabrikam.com#EXT#contoso.onmicrosoft.com' -FilePath 'c:\pic.jpg'

Regarding the User Principal Name, you can use Yannick’s method of determining your Guest’s ID. You can also try to guesstimate it by taking the e-mail address of your original account, replacing ‘@’ with ‘_’, adding a trailing #EXT# followed by ‘@’ and the default domain of the hosting tenant. The picture can be JPEG or PNG format, size 100kb at most, and square dimensions work best.

To verify the image has been set successfully, use Get-AzureADUserThumbnailPhoto -ObjectId <ID>. Then, have some patience for the change to propagate throughout the directories and caching mechanisms. To verify your update was successful and your picture looks properly, you can close the Teams client, clear the locally cached Teams data by removing everything under %AppData%\Microsoft\Teams (Windows), and start Teams again.

To easily spot tenants where you are a guest user and not a regular user, you might want to alter your standard issue profile picture a bit. For example, I have added a text label ‘Guest’ to mine. It doesn’t look as good as the high resolution photos that you can store in Exchange Online, but it certainly looks less boring than a set of intilials.

Note that all of the above is not an officially supported way to manage this picture. So, until there is one, these steps might help you out.

Outlook Connectivity changes per Nov2021

In the past, using outdated clients with Microsoft 365 services was a matter of being in an unsupported state with all the risks that go with it. This meant, that things might not work or you could experience reduced functionality. Overall, things usually kept working with a few consequences or glitches here and there.

A change in this stance was announced today per Message Center bulletin MC229143:

To ensure that we meet performance expectations, we are updating the supported versions of Outlook for Windows that can connect to Microsoft 365 services. Effective November 1, 2021, the following versions of Outlook for Windows, as part of Office and Microsoft 365 Apps, will not be able to connect with Office 365 and Microsoft 365 services.

This means, running old unsupported Outlook versions will go from “possible performance and reliability issues” to becoming actively blocked. This block will apply to these versions in the table below; as indicated, these builds were surpassed somewhere in 2017:

ApplicationAffected BuildsBuild Superseded
Office 201315.0.4970.9999
and older
October 2017
Office 201616.0.4599.9999
and older
October 2015
Microsoft 365 Apps for Enterprise
(formerly Office 365 ProPlus)

Microsoft 365 Apps for Business
(formerly Office 365 Business

1705 and olderJune 2017

While it is true that many customers are stretching the lifetime of their on-premises products beyond their support dates, I’m sure – apart from functionality and management options – performance and reliability is becoming more and more of an issue.

Finally, when this notice concerns you, it means you have not been updating your clients for at least 3 years. So, get planning, as you have around 11 months to update your clients. It also may affect any existing plans of moving to Exchange Online in the future, as getting your client-base in a supported state will become a requirement, and will no longer be a serious recommendation.

Self-Service Purchasing II

20Jul2021: Added Windows 365 SKUs.

It was in October 2019, that by means of Message Center bulletin MC163609 Microsoft announced that end users would receive the self-service purchasing option for Power Platform licenses (PowerBI, PowerApps and Flow). The announcement received quite some negative feedback, mostly because of the absence of administrative controls, with the risk of bypassing corporate purchasing as well as potential legal implications. Microsoft delayed the introduction, to launch it few months later in January this year, including the much requested controls.

Now MC220282 has appeared in the Office 365 Message Center, which announces the same self-service purchasing options for Microsoft Visio Plan 1 & 2 and Microsoft Project Plan 1 & 3. These purchasing options becomes available per September 15th.

The Message Center bulletin reads, “This change will not impact any existing settings you may have in place to manage self-service purchasing”. While true, administrators still might be faced with unexpected self-service capabilities for these new licenses. In this blog, I’ll talk you quickly through how to start managing these self-service capabilities, and how to modify these new ones.

Connecting and Managing

To start managing self-service capibilities, you need to install the MSCommerce PowerShell module, which Microsoft published at the PowerShell Gallery:

Install-Module MSCommerce

If you previously installed MSCommerce, update your module using:

Update-Module MSCommerce -Force

The current version of the module at the time of writing is 1.6. Now, to starting using the cmdlets provided in the module, you need to first connect to your Office 365 tenant:

Connect-MSCommerce

After completing login and succesfully completing any multi-factor authentication challenge, you can inspect the current self-service capabilities policy. First, there is a global policy named AllowSelfServicePurchase, which can be inspected using:

Get-MSCommercePolicies | Select PolicyId
Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase | fl

As you can see, the default option for purchasing options is set to Enabled. This value can’t be modified, which means every new product added to self-service purchasing will be enabled by default. This also means admins may need to monitor the message center for self-service purchasing changes, and when required proactively monitor and disable this capability for new products. To inspect the current setting for every current product, use:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase

As you can see, the self-service purchasing for the Power Platform products have been disabled. However, because the DefaultValue is Enabled, the purchase capabilities for these new products have been set to Enabled. If we want to disable this capability for these products, use the following cmdlet:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | % { Update-MSCommerceProductPolicy -PolicyId $_.PolicyId -ProductId $_.ProductId -Enabled $false }

Note that self-service purchase capabilities are not available for Office 365 Government, Nonprofit, and Education tenants.

Approval Flow

In another bulletin (MC213897), Microsoft announced the roll-out of an feature for end users to request licenses trough a customizable message or workflow. This option should become available when self-service purchasing has been disabled. It allows admins assign requested licenses from the pool or make required purchases, and also report on these requests to track interest. The bulletin has been updated recently to mark completion of roll-out of the message part of this feature; the request part is scheduled for completion in September. Unfortunately, I haven’t been able to locate settings related to these features yet, but these might appear any time soon. The screenshot from the bulletin gives an indication of what to expect:

To read more information on Self-Service Purchasing capabilities in the Self-Service Purchase FAQ.

Windows 365
Per MC271483, Microsoft informed Office 365 customers in July 2021 end users are going to be able to buy Windows 365 (announcement) licenses through the self-purchase license mechanism as well. Windows 365 will come in 2 flavors: Windows 365 Enterprise and Windows 365 Business; the latter is aimed at smaller organizations, while the Enterprise edition will offer Cloud PCs with Endpoint Manager and Defender integration a.o.

The currently announced SKUs are:

  • CFQ7TTC0HHS9 for Windows 365 Enterprise
  • CFQ7TTC0HX99 for Windows 365 Business with Hybrid benefit
  • CFQ7TTC0J203 for Windows 365 Business

If you did not configure the option as disabled by default, you can disable new Enabled options using the code example above, or if you need to block these individual Windows 365 options upfront, use the following processing the Windows 365 SKU’s:

$W365Options= 'CFQ7TTC0HHS9', 'CFQ7TTC0HX99', 'CFQ7TTC0J203'
$W365Options | % { Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_ -Enabled $False }

Blocking Self-Service Purchases

o365logo

On October 23rd, Microsoft announced – a little out of the blue – they were going to introduce self-service purchase options for users on November 19th. The details of this change were put forward in a post in the message center, article MC193609 to be exact. In short, this option would introduce the following changes for commercial tenants:

  • Allow end users to purchase Power Platform related subscriptions using their own payment method, e.g. Power Apps, Automate (formerly Flow) or PowerBI Pro.
  • These subscriptions could be made in their employee’s tenant, with the exception of government, non-profit and education.
  • It would not end with Power Platform subscriptions.
  • To make purchases, end users would be able to open a restricted view of the Microsoft 365 Admin Center.

While a handful individuals cheered ‘Power to the end user’, the vast majority of organizations were very unhappy with this development to say the least. This adoption booster would not only be opposing Microsoft’s own ‘Cloud on your terms’ and ‘Your tenant, your data’ principles they have been telling customers for years, it could also severely impact enterprise security and governance policies (or absence thereof), let alone lead to discussions when people expense their PowerBI Pro purchase. And I’m not even talking about the absence of admin controls.

So, swiftly after the massive backlash on social media, UserVoice as well as other channels, the announcement was altered, and a FAQ was published, which you can read here. The change itself was postponed until January 14th, 2020, and organizations would be handed controls to turn self-service purchases off before roll out.

Rather quietly, details on how to disable self-service purchase have been added to the FAQ. To read on how to accomplish this, continue reading my original blog post over at ENow by clicking here.

Multi-Tenant Administration

imageNote: When writing this blog, the Azure portal received an update which allows for switching directories. Unfortunately, this feature hasn’t been ported to the other Office 365 admin UI’s at this moment.

Being a consultant, you often find yourself having to switch tenants, or having to keep multiple admin portals open to different Office 365 tenants. This may become a nuisance, as you can use only a single set of credentials per browser instance. In other words, if you connect to the Office 365 admin portal using credentials A, opening up the Azure portal will be in the same context.

A typical workaround for this situation would be to open up a new private browser session. From that private browser session, you need to provide credentials B. Any new tabs in that private window will also be in the same context. The whole private session is hosted in a new window.

A more neat solution for this scenario is leveraging browser containers, such as:

Notes:

  • This blog is written based on Firefox Multi-Account Containers, so your mileage may vary if you’re using Chrome or a 3rd party add-on.
  • Firefox also supports a basic version of context switching natively via about:config, setting privacy.userContext.enabled.
  • I’m not aware of similar features or 3rd party add-ons for other browsers.

imageUnlike the Chrome extension, FireFox’ Multi-Account Containers allows you to have multiple sessions from within the same browser. For this purpose, tabs are used to arrange sessions in what’s called containers. Each container shares the same set of site preferences, sessions, cookies etc. To identify containers, they can be assigned a (new) name, color and symbol.

After installing the add-in, you will get a button that will open the container selection window. In this example, I have set up 4 containers besides the default ones: one for every customer and one for my lab. Selecting Contoso will open a new blank tab. The right side of the address bar contains a visual reference to the active container, showing label and symbol in the configured color.

Keep Me Signed InNow, when you go to portal.office365.com, the Office 365 account picker may show up when connected before using this container. Pick one, or enter a new set of credentials. This account will be stored in this container. The question of wanting to stay signed in makes more sense now, as the token will be stored within the container, happily coexisting with other Keep-Me-Signed-In settings and sessions from other containers.

Now, when you open a different admin app in that tab, it will be in the same container and thus user context. You can also select to open a blank tab in that container, and navigate to portal.azure.com. You will notice it picks up the Contoso credentials provided earlier. This is because the session information is stored within the Contoso container.

image

Now click the container icon again, and select a different container, e.g. Fabrikam. Navigate to portal.office365.com, and you will notice you can provide new (or re-use) credentials which have a different context than Contoso. Also, opening the Azure portal after that in this container will be in the Fabrikam context.

Having set this up properly, you can easily switch between all admin portals from different tenants by selecting the different container tabs: no need to switch accounts or firing up separate private browser windows. This is a more elegant solution compared to private browsing sessions.

A final note that the above not only can be used to access the Office 365 admin portals of multiple tenants, but web-based applications such as Teams, Outlook Web Access or SharePoint as well.

 

Hybrid Configuration Wizard & F12

A small tip for those running the Exchange Hybrid Configuration Wizard. As announced at Ignite yesterday, a convenient feature was added to the HCW and is available now. Pressing F12 in the HCW will now open up a panel with shortcuts to the following tools and locations:

  • Exchange Management Shell
  • Exchange Online PowerShell
  • (current) Hybrid Configuration Wizard Log File
  • Create Support Package (to zip HCW logs for support)
  • Open Logging folder (of HCW)
  • Open Process Folder (of the HCW app)

Here is how it looks:

image

This might save you an occasional click or two.

Support Lifecycle changes for Office ProPlus & 2016 (a.o.)

Outlook 2013 IconIn a surprise – but welcomed – move, Microsoft announced yesterday that the office support lifecycle for Office 365 ProPlus on Windows 8.1 and Windows Server 2016 are extended to January 2023 (EOL of Windows 8.1) and October 2025 respectively. In addition, Office 2016 connectivity support for Office 365 services will be extended to October 2023 (was 2020).

Other announced changes in product support lifecycles were extending Windows 10 Enterprise & Education support from 18 to 30 months. Also, for Windows 7 Professional & Enterprise, paid security updates (Extended Security Updates) will be offered, and those Windows 7 ESU devices will be supported through January 2023 – parallel to Windows 8.1 – with Office 365 ProPlus.

The intention of these changes is to provide customers more flexibility in adopting modern desktops on the client end (i.e. Windows 10) and upgrade their Office suite, preferably to the susbscription-based ProPlus. The release cadence of the cloud has significant impact on organizations, which were told in February to keep in line with product releases as a lot of product support lifecycles were going to end in 2020.

Extending those dates not only gives them more flexibility to plan and upgrade, but also might prevent organizations to do only to the minimum, which is likely the reason many organizations are still on Windows 7 and why it took many organizations a long time to get rid of Windows XP.

 

Exchange Mailboxes and Signatures

vote!One of the longest standing requests of the community regarding Exchange features is the request to have the ability to share e-mail signatures between Outlook for desktop, Outlook Web Access (OWA) and mobile clients like Outlook for iOS. Several 3rd party vendors have been filling this gap with solutions with the possibility of adding standardized signatures on the transport layer or through application add-ins for the WYSIWYG approach.

The Outlook products don’t share signatures; Outlook Web Access does store the signature in a so-called Folder Associated Item (FAI) in the mailbox, making the signature persist when moving the mailbox around. But that unfortunately is only for Outlook Web Access; Outlook for desktop signatures are stored in files in one’s user profile, and Outlook for iOS only allows you to configure a single line, which often is used to apologize for any typos in the message, more common when using mobile devices, by setting it to ‘Mail sent using mobile’ or text of similar nature.

However, after a recent discussion with the relevant product groups by Jeff Guillet, the product groups challenged MVPs that there is indeed a significant demand for this feature by getting people to vote on UserVoice. Jeff with the MVPs designed a functional specification for this feature, which will be shared with the product groups at a later date. There is no reason why we can’t expect this feature to work for both Exchange Online as well as Exchange on-premises. Part of the request will also be to be able to manage the signature through PowerShell, similar to how the Outlook Web Access signature can now be managed using Set-MailboxMessageConfiguration.

So, power to the community and get your voice heard if you want this feature. You can vote on UserVoice here. Thank you.

Comparing Sets of Cmdlets

powershellWith the speed of development in Office 365, it is sometimes hard to track which changes have been made to your tenant. Of course, there is the roadmap and message board which you can use to keep up to date, but those are in general high level descriptions. Sometimes you may want to see what are the changes at the cmdlet level in your tenant, between tenants, or Azure Active Directory module. And there is also the occasional gem in the form of a yet undocumented cmdlet or parameter which could hint at upcoming features.

For this purpose I have created a simple script which has two purposes:

  1. Export information on the current cmdlets available through Exchange Online or Azure Active Directory.
  2. Compare two sets of exported information, and display changes in a readable way.

The script is in PowerShell (of course), and is called Compare-Cmdlets.ps1. To export information, you need to be already connected to either Exchange Online or Azure Active Directory (or both).

To export cmdlet information, use:

.\Compare-Cmdlets.ps1 –Export

For Exchange Online and Azure Active Directory, separate export files are created. The files are prefixed with a timestamp and postfixed with the Exchange Online build or Azure Active Directory module version, e.g. 201803121814-ExchangeOnline-15.20.548.21.xml or 201803121815-AzureAD-2.0.0.137.xml.

After a few days/week, or when connected to another tenant or using a new Azure Active Directory PowerShell module, run the export again. You will now have 2 sets of Exchange Online or Azure Active Directory cmdlets, which you can compare using the following sample syntax:

Compare-Cmdlets.ps1 -ReferenceCmds .\201801222108-ExchangeOnline-15.20.428.21.xml -DifferenceCmds .\201803120926-ExchangeOnline-15.20.548.21.xml

image

A progress bar is shown as comparison might take a minute. When the script has finished checking the two sets, you will see output indicating changes in cmdlets, parameters or switches, e.g.

image

Download
You can find the script on the TechNet Gallery or GitHub.

The UC Architects Podcast Ep64

iTunes-Podcast-logo[1]Episode 64 and last episode of The UC Architects podcast is now available. Contrary to the belief of some, people’s agendas rather than lack of contents made it more and more difficult to get sufficient people together for recording. Thanks for the great 5 year ride, people!

This episode is hosted by Pat Richard, who is joined by Tom Arbuthnot, Stale Hansen and John Cook. Editing was done by Andrew Price.

Topics discussed in this episode are:

  • 5 years of The UC Architects podcast.
  • What made it fun, the friendships, the guests, the topics, and how social media has changed how info gets disseminated about Skype for Business, Exchange, Office 365, Teams, and more.
  • We talk about what the crew are up to these days, and their involvement/sessions at Ignite.
  • Skype for Business v.Next and Teams.
  • Some of the issues that arise when deploying Skype for Business when there is no Exchange in the org.
  • The upcoming Ignite and UCDay events.

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Skype for Business or related subjects.