Self-Service Purchasing II

In October 2019, by means of Message Center bulletin MC163609, Microsoft announced that end users would receive the self-service purchasing option for Power Platform licenses (PowerBI, PowerApps and Flow). The announcement received quite some negative feedback, mostly because of the absence of administrative controls, with the risk of bypassing corporate purchasing as well as potential legal implications. Microsoft delayed the introduction, to launch it a few months later in January this year, including the much-requested controls.

Now MC220282 has appeared in the Office 365 Message Center, which announces the same self-service purchasing options for Microsoft Visio Plan 1 & 2 and Microsoft Project Plan 1 & 3. These purchasing options become available as of September 15th.

The Message Center bulletin reads, “This change will not impact any existing settings you may have in place to manage self-service purchasing”. While true, administrators might still be faced with unexpected self-service capabilities for these new licenses. In this blog, I’ll quickly walk you through how to start managing these self-service capabilities, and how to modify these new ones.

Connecting and Managing

To start managing self-service capabilities, you need to install the MSCommerce PowerShell module, which Microsoft published on the PowerShell Gallery:

Install-Module MSCommerce

If you previously installed MSCommerce, update your module using:

Update-Module MSCommerce -Force

The current version of the module at the time of writing is 1.6. Now, to start using the cmdlets provided in the module, you first need to connect to your Office 365 tenant:

Connect-MSCommerce

After logging in and successfully completing any multi-factor authentication challenge, you can inspect the current self-service capabilities policy. First, there is a global policy named AllowSelfServicePurchase, which can be inspected using:

Get-MSCommercePolicies | Select PolicyId
Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase | fl

As you can see, the default option for purchasing options is set to Enabled. This value can’t be modified, which means every new product added to self-service purchasing will be enabled by default. This also means admins may need to monitor the message center for self-service purchasing changes, and when required proactively monitor and disable this capability for new products. To inspect the current setting for every current product, use:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase

As you can see, self-service purchasing for the Power Platform products has been disabled. However, because the DefaultValue is Enabled, the purchase capabilities for these new products have been set to Enabled. If we want to disable this capability for these products, use the following cmdlet:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | % { Update-MSCommerceProductPolicy -PolicyId $_.PolicyId -ProductId $_.ProductId -Enabled $false }

Note that self-service purchase capabilities are not available for Office 365 Government, Nonprofit, and Education tenants.
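
The monitor-and-disable routine described above, as an added example that is not part of the original post or of the MSCommerce module: it flags products that were not present at the previous run and disables only those still set to Enabled. The function name, its parameters and the baseline file path are assumptions; it expects an existing Connect-MSCommerce session.

```powershell
# Added example. Function name, parameters and baseline path are assumptions.
# Requires the MSCommerce module and an active Connect-MSCommerce session.
function Invoke-SelfServicePurchaseAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$PolicyId     = 'AllowSelfServicePurchase',
        [string]$BaselinePath = '.\SelfServicePurchase-Baseline.csv',
        [switch]$Disable
    )

    # Current per-product state as reported by the tenant.
    $current = @(Get-MSCommerceProductPolicies -PolicyId $PolicyId)

    # Product ids seen at the previous run; without a baseline nothing is flagged as new.
    $hasBaseline = Test-Path -LiteralPath $BaselinePath
    $knownIds = @()
    if ($hasBaseline) {
        $knownIds = @(Import-Csv -LiteralPath $BaselinePath |
            Select-Object -ExpandProperty ProductId)
    }

    $report = foreach ($product in $current) {
        $state = [string]$product.PolicyValue
        if ($Disable -and $state -eq 'Enabled' -and
            $PSCmdlet.ShouldProcess($product.ProductName, 'Disable self-service purchase')) {
            # Stop on failure so the report never claims a change that did not happen.
            Update-MSCommerceProductPolicy -PolicyId $PolicyId -ProductId $product.ProductId `
                -Enabled $false -ErrorAction Stop | Out-Null
            $state = 'Disabled'
        }
        [pscustomobject]@{
            ProductId   = $product.ProductId
            ProductName = $product.ProductName
            PolicyValue = $state
            IsNew       = $hasBaseline -and ($knownIds -notcontains $product.ProductId)
        }
    }

    # Save the product list for the next comparison (skipped when -WhatIf is used).
    $report | Select-Object ProductId, ProductName, PolicyValue |
        Export-Csv -LiteralPath $BaselinePath -NoTypeInformation -Encoding UTF8
    $report
}

# Report only:             Invoke-SelfServicePurchaseAudit | Where-Object IsNew
# Preview the changes:     Invoke-SelfServicePurchaseAudit -Disable -WhatIf
# Disable what is enabled: Invoke-SelfServicePurchaseAudit -Disable
```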

Approval Flow

In another bulletin (MC213897), Microsoft announced the roll-out of a feature for end users to request licenses through a customizable message or workflow. This option should become available when self-service purchasing has been disabled. It allows admins to assign requested licenses from the pool or make required purchases, and also report on these requests to track interest. The bulletin has been updated recently to mark completion of roll-out of the message part of this feature; the request part is scheduled for completion in September. Unfortunately, I haven’t been able to locate settings related to these features yet, but these might appear any time soon. The screenshot from the bulletin gives an indication of what to expect:

For more information on self-service purchasing capabilities, see the Self-Service Purchase FAQ.

Blocking Self-Service Purchases

On October 23rd, Microsoft announced – a little out of the blue – they were going to introduce self-service purchase options for users on November 19th. The details of this change were put forward in a post in the message center, article MC193609 to be exact. In short, this option would introduce the following changes for commercial tenants:

  • Allow end users to purchase Power Platform related subscriptions using their own payment method, e.g. Power Apps, Automate (formerly Flow) or PowerBI Pro.
  • These subscriptions could be made in their employer’s tenant, with the exception of government, non-profit and education.
  • It would not end with Power Platform subscriptions.
  • To make purchases, end users would be able to open a restricted view of the Microsoft 365 Admin Center.

While a handful of individuals cheered ‘Power to the end user’, the vast majority of organizations were very unhappy with this development, to say the least. This adoption booster would not only oppose the ‘Cloud on your terms’ and ‘Your tenant, your data’ principles Microsoft has been telling customers for years, it could also severely impact enterprise security and governance policies (or absence thereof), let alone lead to discussions when people expense their PowerBI Pro purchase. And I’m not even talking about the absence of admin controls.

So, swiftly after the massive backlash on social media, UserVoice as well as other channels, the announcement was altered, and a FAQ was published, which you can read here. The change itself was postponed until January 14th, 2020, and organizations would be handed controls to turn self-service purchases off before roll out.

Rather quietly, details on how to disable self-service purchase have been added to the FAQ. To read on how to accomplish this, continue reading my original blog post over at ENow by clicking here.

Multi-Tenant Administration

Note: When writing this blog, the Azure portal received an update which allows for switching directories. Unfortunately, this feature hasn’t been ported to the other Office 365 admin UIs at this moment.

Being a consultant, you often find yourself having to switch tenants, or having to keep multiple admin portals open to different Office 365 tenants. This may become a nuisance, as you can use only a single set of credentials per browser instance. In other words, if you connect to the Office 365 admin portal using credentials A, opening up the Azure portal will be in the same context.

A typical workaround for this situation would be to open up a new private browser session. From that private browser session, you need to provide credentials B. Any new tabs in that private window will also be in the same context. The whole private session is hosted in a new window.

A neater solution for this scenario is to use browser containers, such as:

Notes:

  • This blog is written based on Firefox Multi-Account Containers, so your mileage may vary if you’re using Chrome or a 3rd party add-on.
  • Firefox also supports a basic version of context switching natively via about:config, setting privacy.userContext.enabled.
  • I’m not aware of similar features or 3rd party add-ons for other browsers.

Unlike the Chrome extension, Firefox’s Multi-Account Containers allows you to have multiple sessions from within the same browser. For this purpose, tabs are used to arrange sessions in what’s called containers. Each container shares the same set of site preferences, sessions, cookies etc. To identify containers, they can be assigned a (new) name, color and symbol.

After installing the add-in, you will get a button that will open the container selection window. In this example, I have set up 4 containers besides the default ones: one for every customer and one for my lab. Selecting Contoso will open a new blank tab. The right side of the address bar contains a visual reference to the active container, showing label and symbol in the configured color.

Now, when you go to portal.office365.com, the Office 365 account picker may show up when connected before using this container. Pick one, or enter a new set of credentials. This account will be stored in this container. The question of wanting to stay signed in makes more sense now, as the token will be stored within the container, happily coexisting with other Keep-Me-Signed-In settings and sessions from other containers.

Now, when you open a different admin app in that tab, it will be in the same container and thus user context. You can also select to open a blank tab in that container, and navigate to portal.azure.com. You will notice it picks up the Contoso credentials provided earlier. This is because the session information is stored within the Contoso container.

Now click the container icon again, and select a different container, e.g. Fabrikam. Navigate to portal.office365.com, and you will notice you can provide new (or re-use) credentials which have a different context than Contoso. Also, opening the Azure portal after that in this container will be in the Fabrikam context.

Having set this up properly, you can easily switch between all admin portals from different tenants by selecting the different container tabs: no need to switch accounts or fire up separate private browser windows. This is a more elegant solution compared to private browsing sessions.

A final note: the above can be used not only to access the Office 365 admin portals of multiple tenants, but also web-based applications such as Teams, Outlook Web Access or SharePoint.

Hybrid Configuration Wizard & F12

A small tip for those running the Exchange Hybrid Configuration Wizard. As announced at Ignite yesterday, a convenient feature was added to the HCW and is available now. Pressing F12 in the HCW will now open up a panel with shortcuts to the following tools and locations:

  • Exchange Management Shell
  • Exchange Online PowerShell
  • (current) Hybrid Configuration Wizard Log File
  • Create Support Package (to zip HCW logs for support)
  • Open Logging folder (of HCW)
  • Open Process Folder (of the HCW app)

Here is how it looks:

This might save you an occasional click or two.

Support Lifecycle changes for Office ProPlus & 2016 (a.o.)

In a surprise – but welcomed – move, Microsoft announced yesterday that the Office support lifecycle for Office 365 ProPlus on Windows 8.1 and Windows Server 2016 is extended to January 2023 (EOL of Windows 8.1) and October 2025 respectively. In addition, Office 2016 connectivity support for Office 365 services will be extended to October 2023 (was 2020).

Other announced changes in product support lifecycles were extending Windows 10 Enterprise & Education support from 18 to 30 months. Also, for Windows 7 Professional & Enterprise, paid security updates (Extended Security Updates) will be offered, and those Windows 7 ESU devices will be supported through January 2023 – parallel to Windows 8.1 – with Office 365 ProPlus.

The intention of these changes is to provide customers more flexibility in adopting modern desktops on the client end (i.e. Windows 10) and upgrade their Office suite, preferably to the subscription-based ProPlus. The release cadence of the cloud has significant impact on organizations, which were told in February to keep in line with product releases as a lot of product support lifecycles were going to end in 2020.

Extending those dates not only gives them more flexibility to plan and upgrade, but also might prevent organizations from doing only the minimum, which is likely the reason many organizations are still on Windows 7 and why it took many organizations a long time to get rid of Windows XP.

Exchange Mailboxes and Signatures

One of the longest standing requests of the community regarding Exchange features is the request to have the ability to share e-mail signatures between Outlook for desktop, Outlook Web Access (OWA) and mobile clients like Outlook for iOS. Several 3rd party vendors have been filling this gap with solutions with the possibility of adding standardized signatures on the transport layer or through application add-ins for the WYSIWYG approach.

The Outlook products don’t share signatures; Outlook Web Access does store the signature in a so-called Folder Associated Item (FAI) in the mailbox, making the signature persist when moving the mailbox around. But that unfortunately is only for Outlook Web Access; Outlook for desktop signatures are stored in files in one’s user profile, and Outlook for iOS only allows you to configure a single line, which often is used to apologize for any typos in the message, more common when using mobile devices, by setting it to ‘Mail sent using mobile’ or text of similar nature.

However, after a recent discussion with the relevant product groups by Jeff Guillet, the product groups challenged MVPs to show that there is indeed a significant demand for this feature by getting people to vote on UserVoice. Jeff, together with the MVPs, designed a functional specification for this feature, which will be shared with the product groups at a later date. There is no reason why we can’t expect this feature to work for both Exchange Online as well as Exchange on-premises. Part of the request will also be to be able to manage the signature through PowerShell, similar to how the Outlook Web Access signature can now be managed using Set-MailboxMessageConfiguration.

So, power to the community and get your voice heard if you want this feature. You can vote on UserVoice here. Thank you.

Comparing Sets of Cmdlets

With the speed of development in Office 365, it is sometimes hard to track which changes have been made to your tenant. Of course, there is the roadmap and message board which you can use to keep up to date, but those are in general high level descriptions. Sometimes you may want to see what the changes are at the cmdlet level in your tenant, between tenants, or in the Azure Active Directory module. And there is also the occasional gem in the form of a yet undocumented cmdlet or parameter which could hint at upcoming features.

For this purpose I have created a simple script which has two purposes:

  1. Export information on the current cmdlets available through Exchange Online or Azure Active Directory.
  2. Compare two sets of exported information, and display changes in a readable way.

The script is in PowerShell (of course), and is called Compare-Cmdlets.ps1. To export information, you need to be already connected to either Exchange Online or Azure Active Directory (or both).

To export cmdlet information, use:

.\Compare-Cmdlets.ps1 -Export

For Exchange Online and Azure Active Directory, separate export files are created. The files are prefixed with a timestamp and postfixed with the Exchange Online build or Azure Active Directory module version, e.g. 201803121814-ExchangeOnline-15.20.548.21.xml or 201803121815-AzureAD-2.0.0.137.xml.

After a few days/week, or when connected to another tenant or using a new Azure Active Directory PowerShell module, run the export again. You will now have 2 sets of Exchange Online or Azure Active Directory cmdlets, which you can compare using the following sample syntax:

.\Compare-Cmdlets.ps1 -ReferenceCmds .\201801222108-ExchangeOnline-15.20.428.21.xml -DifferenceCmds .\201803120926-ExchangeOnline-15.20.548.21.xml

A progress bar is shown as comparison might take a minute. When the script has finished checking the two sets, you will see output indicating changes in cmdlets, parameters or switches, e.g.

Download
You can find the script on the TechNet Gallery or GitHub.

The UC Architects Podcast Ep64

Episode 64 and last episode of The UC Architects podcast is now available. Contrary to the belief of some, people’s agendas rather than lack of content made it more and more difficult to get sufficient people together for recording. Thanks for the great 5 year ride, people!

This episode is hosted by Pat Richard, who is joined by Tom Arbuthnot, Stale Hansen and John Cook. Editing was done by Andrew Price.

Topics discussed in this episode are:

  • 5 years of The UC Architects podcast.
  • What made it fun, the friendships, the guests, the topics, and how social media has changed how info gets disseminated about Skype for Business, Exchange, Office 365, Teams, and more.
  • We talk about what the crew are up to these days, and their involvement/sessions at Ignite.
  • Skype for Business v.Next and Teams.
  • Some of the issues that arise when deploying Skype for Business when there is no Exchange in the org.
  • The upcoming Ignite and UCDay events.

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Skype for Business or related subjects.

Office 365 Engage 2017 Wrap-up

Last week the inaugural Office 365 Engage conference took place in the small but charming city of Haarlem, The Netherlands. With hotels for speakers and attendees close by, the event took place in the Philharmonie, a venue normally used for concerts and theater performances. This led to some amazing shots on social media of sessions being held in “Room A” (the theater), “Room B” (with bar) and “Room E” (the concert hall).


“Room A”

With Tony Redmond being the chair for this non-Microsoft event, one of the few big Microsoft-technology related events remaining in Europe, organizer BWW Media Group managed to attract an amazing line-up of speakers. Amongst them were quite a number of Microsoft MVPs, some like Paul Robichaux or Chris Goosen even flying in from overseas. Being sort of a home game to me, it was the other speakers’ turn to cope with jetlag.

Sessions presented were on all things Office 365 related, such as Azure AD, Exchange Online, SharePoint Online, Groups and Teams, and also more dev-oriented sessions on things like the Graph API. More generic topics were also put on the table, like the roadmap and coping with continuous development, GDPR or hybrid strategies.


“Room B”

On Monday, Jaap Wesselius and I held a full-day workshop on PowerShell for Office 365. The attendees were coming from all over Europe, which shows that there is a demand for a European event of this size on this topic. On Tuesday, I presented a session on Managing Exchange Online using PowerShell, Tips & Tricks. Pending feedback from evaluations, the workshop and session went very well. For those that attended our workshop on Monday, PowerShell for Office 365, or my session on Tuesday on Exchange Online and PowerShell Tips & Tricks, the slide decks will be made available later through the organizer. Sample code from the session is available from the TechNet Gallery here.

“Room E”

Finally, a big thank you to BWW’s Megan Keller, their CEO George Coll, and all the other staff as well, who made speakers and attendees feel welcome at this event, which was small and intimate, a different experience from more massive events like Microsoft Ignite. Also a big thank you to the folks of Quadro-Tech for sponsoring the post-conference drinks.

With everything being within walking distance, and with pleasant summer weather, the after-conference hours for catching up with peers and attendees were very enjoyable. BWW was also so kind as to offer us speakers a boat trip, where we could experience Haarlem from the waterside, including the obligatory snapshots of windmills, fields and cows.

Note that the organizer is still looking for feedback on the event. Share with them what you like or didn’t like, so they can improve next year’s conference. I am really looking forward to next year’s event, to be held in June 2018, and would highly recommend it to anyone. Hope to see you there next year!

The UC Architects Podcast Ep63

Episode 63 of The UC Architects podcast is now available. This episode is hosted by Pat Richard, who is joined by Steve Goodman and John Cook. Editing was done by Andrew Price.

Topics discussed in this episode are:

Exchange

  • Exchange 2007 was end of life on April 11th

Office 365

  • Microsoft Teams is GA
  • Microsoft Teams Bandwidth Calculator
  • Microsoft Advanced Threat Protection
  • Google Suite vs Office 365

Lync/Skype for Business

  • Skype for Business updates for Mac
  • Skype for Business Online Trusted Application API
  • Consult Transfer option
  • Lync 2013 CUs for March 2017
  • Skype for Business 2015 CUs
  • RUCT updated
  • Convert-SonusSBCConfigToWord

Events

  • MS Cloud UG
  • UC and Cloud Day UK
  • Office 365 Engage

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.