Getting started with MS Teams guest access

Finally guest access for Teams is RTM as you can read here and here.

I know pretty much every user in MS Teams has been dying to start using this feature, but before you start inviting your external contacts en masse for all your teams and projects, there are a few things you should know.

  1. Read up on the feature with its capabilities and restrictions! No, really! Do it first! It’s the top sentence in this blog post for a reason.
  2. The guest user must reside in Azure AD; Microsoft accounts (MSA) are not supported yet.
  3. Before you invite, you must at a minimum be a Limited admin in your Azure AD with the “Guest inviter” role. Normal users can’t invite guests by default. Also, the Team admin must allow you to invite guests.
  4. You need to enable guest access in your tenant.
  5. The guest account can’t browse your Azure AD.
  6. In the Teams client you must manually select which tenant you want to access. Teams in other tenants won’t show up side by side with yours.


That’s it, a nice and quick blog post this time. See you in a Team I hope 😉


Setting up Office 365 using Azure DNS

Do you use Azure DNS? Azure DNS provides hosting of your DNS zones in the Azure infrastructure, meaning that not only do you get fault tolerance, audit logging and an SLA (99.99%), but you can also manage your DNS zones using PowerShell. I recommend you read about it on https://docs.microsoft.com/en-us/azure/dns/dns-overview including the FAQ and pricing information.

Implementing Office 365 requires a few DNS changes, and using PowerShell this is very, very easy in Azure DNS. You need an account in Azure with admin rights for Azure DNS, the name of the zone and the resource group it belongs to.

Change the input values to match your environment and run this script from an editor (PowerShell ISE or Visual Studio Code).

# This script automatically configures Azure DNS for O365
# Written by Per-Torben Sørensen (per-torben.sorensen@advania.no)
#
# Version: 1.0
#*********************************************************************************************
#
# Input values below
$azureadmin = "me@example.onmicrosoft.com" # admin user in azure portal with DNS rights
$ttl = "600" # TTL for all records (in seconds)
$zonename = "azure.contoso.com"
$rgname = "testazuredns" # Use Get-AzureRmDnsZone after login to find this
$proofvalue = "MS=ms12345678" # Proof of ownership from the Office 365 portal
#
#*********************************************************************************************
#
# Variables below
$cred = Get-Credential -Message "Log on" -UserName $azureadmin
$runscript = $false # Failsafe for accidental running
#*********************************************************************************************
if ($runscript -eq $false)
{
    Write-Host -ForegroundColor Red "Do NOT run this script non-interactively! Run from editor"
    return
}
# Log on Azure RM and set DNS variable
Login-AzureRmAccount -Credential $cred
$dnszone = Get-AzureRmDnsZone -Name $zonename -ResourceGroupName $rgname
#
# Creating first TXT record (Proof of domain ownership)
New-AzureRmDnsRecordSet -Zone $dnszone -Name "@" -RecordType TXT -Ttl $ttl -DnsRecords (New-AzureRmDnsRecordConfig -Value $proofvalue)
#
# Create CNAME records
New-AzureRmDnsRecordSet -Zone $dnszone -Name "autodiscover" -RecordType CNAME -Ttl $ttl -DnsRecords (New-AzureRmDnsRecordConfig -Cname "autodiscover.outlook.com")
New-AzureRmDnsRecordSet -Zone $dnszone -Name "sip" -RecordType CNAME -Ttl $ttl -DnsRecords (New-AzureRmDnsRecordConfig -Cname "sipdir.online.lync.com")
New-AzureRmDnsRecordSet -Zone $dnszone -Name "lyncdiscover" -RecordType CNAME -Ttl $ttl -DnsRecords (New-AzureRmDnsRecordConfig -Cname "webdir.online.lync.com")
New-AzureRmDnsRecordSet -Zone $dnszone -Name "msoid" -RecordType CNAME -Ttl $ttl -DnsRecords (New-AzureRmDnsRecordConfig -Cname "clientconfig.microsoftonline-p.net")
New-AzureRmDnsRecordSet -Zone $dnszone -Name "enterpriseregistration" -RecordType CNAME -Ttl $ttl -DnsRecords (New-AzureRmDnsRecordConfig -Cname "enterpriseregistration.windows.net")
New-AzureRmDnsRecordSet -Zone $dnszone -Name "enterpriseenrollment" -RecordType CNAME -Ttl $ttl -DnsRecords (New-AzureRmDnsRecordConfig -Cname "enterpriseenrollment.manage.microsoft.com")
#
# Modifies the existing TXT record (adds the SPF record next to the proof-of-ownership value)
$txtrecord = Get-AzureRmDnsRecordSet -Zone $dnszone -Name "@" -RecordType TXT
Add-AzureRmDnsRecordConfig -RecordSet $txtrecord -Value "v=spf1 include:spf.protection.outlook.com -all"
Set-AzureRmDnsRecordSet -RecordSet $txtrecord
#
# Create SRV records
New-AzureRmDnsRecordSet -Zone $dnszone -Name "_sip._tls" -RecordType SRV -Ttl $ttl -DnsRecords (New-AzureRmDnsRecordConfig -Priority 100 -Weight 1 -Port 443 -Target "sipdir.online.lync.com")
New-AzureRmDnsRecordSet -Zone $dnszone -Name "_sipfederationtls._tcp" -RecordType SRV -Ttl $ttl -DnsRecords (New-AzureRmDnsRecordConfig -Priority 100 -Weight 1 -Port 5061 -Target "sipfed.online.lync.com")
#
# Set MX record - THIS CHANGES THE MAIL FLOW!
#
# Office 365 expects the MX host as the zone name with dots replaced by dashes, e.g. azure-contoso-com.mail.protection.outlook.com
$exchadr = ($zonename -replace "\.", "-")
$exchadr += ".mail.protection.outlook.com"
$mxrecords = New-AzureRmDnsRecordConfig -Exchange $exchadr -Preference 0
New-AzureRmDnsRecordSet -Zone $dnszone -Name "@" -RecordType MX -Ttl $ttl -DnsRecords $mxrecords
#
# This line allows you to select one or several DNS records in a grid view and delete them from the zone
Get-AzureRmDnsRecordSet -Zone $dnszone | Out-GridView -Title "Select record to delete" -OutputMode Multiple | Remove-AzureRmDnsRecordSet
#
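Before the MX change is allowed to take effect for users, it is worth checking that every record the script above created is actually served by the zone. The following is an added example, not part of the original post: it queries one of the zone's own name servers (so cached answers from the local resolver are not mistaken for propagated changes) and compares each answer with what Office 365 expects. Test-O365DnsRecords is a name chosen here; $zonename is assumed to hold the same value as in the script, and Resolve-DnsName comes from the Windows DnsClient module.

```powershell
$zonename = "azure.contoso.com"
$expectedmx  = ($zonename -replace "\.", "-") + ".mail.protection.outlook.com"
$expectedspf = "v=spf1 include:spf.protection.outlook.com -all"
$expectedcnames = @{
    "autodiscover.$zonename"           = "autodiscover.outlook.com"
    "sip.$zonename"                    = "sipdir.online.lync.com"
    "lyncdiscover.$zonename"           = "webdir.online.lync.com"
    "msoid.$zonename"                  = "clientconfig.microsoftonline-p.net"
    "enterpriseregistration.$zonename" = "enterpriseregistration.windows.net"
    "enterpriseenrollment.$zonename"   = "enterpriseenrollment.manage.microsoft.com"
}

function Test-O365DnsRecords
{
    param([string]$Zone)
    # Ask an authoritative server for the zone directly instead of the local (caching) resolver
    $ns = (Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop | Where-Object { $_.NameHost })[0].NameHost
    $results = @()
    $mx = Resolve-DnsName -Name $Zone -Type MX -Server $ns -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Record = "MX"; Expected = $expectedmx; Actual = ($mx.NameExchange -join ", "); Ok = ($mx.NameExchange -contains $expectedmx) }
    $txt = Resolve-DnsName -Name $Zone -Type TXT -Server $ns -ErrorAction SilentlyContinue
    $spf = @($txt.Strings | Where-Object { $_ -like "v=spf1*" })
    # Exactly one SPF record is allowed; a second one makes receivers treat SPF as a permanent error
    $results += [pscustomobject]@{ Record = "SPF"; Expected = $expectedspf; Actual = ($spf -join " | "); Ok = ($spf.Count -eq 1 -and $spf[0] -eq $expectedspf) }
    foreach ($name in $expectedcnames.Keys)
    {
        $c = Resolve-DnsName -Name $name -Type CNAME -Server $ns -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{ Record = "CNAME $name"; Expected = $expectedcnames[$name]; Actual = ($c.NameHost -join ", "); Ok = ($c.NameHost -contains $expectedcnames[$name]) }
    }
    $results
}

$report = Test-O365DnsRecords -Zone $zonename
$report | Format-Table Record, Ok, Expected, Actual -AutoSize
if ($report.Ok -contains $false) { Write-Warning "One or more Office 365 records are missing or wrong - do not move mailboxes yet" }
```

The SRV records are left out of the check because the script creates them with fixed values; add a Resolve-DnsName -Type SRV lookup in the same pattern if Skype for Business federation matters to you.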

Automatically assign or revoke Office 365 licenses through AD group membership

Disclaimer: Your use of the script contained in this post is at your sole risk. All information is provided “as-is”, without any warranty, whether express or implied.

Recently a customer asked for a way to automatically assign and revoke licenses in Office 365 based on membership in a group in their local AD. It was a fun challenge, so I wanted to share my solution with you. It mainly consists of a PowerShell script which runs as a scheduled task. The script compares the group membership with the users that hold the corresponding license, removes the license from users who are not group members, and adds it to members who don’t already have it. The user account which runs the script must be able to query AD, assign licenses in the tenant and log on as a scheduled task on the server.

The first challenge was the non-interactive logon to the tenant, where I also didn’t want to write the password in plain text. PowerShell can store the password as an encrypted string in a text file and read it back when logging in. Without an explicit key, ConvertFrom-SecureString protects the string with the Windows Data Protection API (DPAPI), so it can only be decrypted by the same user account on the same machine; the password is unavailable to other users. This also means the script has to be run interactively once, as that account, to create the encrypted password string. Just how secure this solution is, is a matter of discussion, but in my opinion it’s better than writing the password in plain text inside the script.

The second part is just to map the group names to the corresponding license types (SKUs) in the tenant, in this case the Azure AD Premium license and the O365 E5 license. Then it’s basically a few IF statements to remove or add licenses for users. Remember that the UPN suffix of the on-prem user must match the tenant’s.

Last thing: this script includes no error handling, so if you’re going to put it to use you should add some sort of error handling with an alert (send e-mail, create an event in the event log or similar). I’m also sure it can be streamlined further, but it gets the job done and can easily be expanded to include several groups with individual license types assigned. Feel free to use this script as a starting point if you want, but at your own risk.


# Get user and UPN from selected group with subgroups
# Assigns location and license in Microsoft cloud
#
# Written by Per-Torben Sørensen
#
# Version: 1.0
#*********************************************************************************************
#
# Change the settings below
#
# Maps each AD group that controls license assignment to the tenant SKU it grants.
# Use Get-MsolAccountSku after logging on to find your SKU names.
$licensegroups = @{
    "Cloud_License_AADPremium" = "starwarsm16:AAD_PREMIUM"
    "Cloud_License_E5"         = "starwarsm16:ENTERPRISEPREMIUM"
}
$onlineusername = "cloud_lic_svc@starwarsm16.onmicrosoft.com" # Account which connects to Microsoft cloud and can run this script as a scheduled task
$securefile = "C:\scripts\cloud_lic_svc_securecred.txt" # Encrypted password file for the user (DPAPI-protected: readable only by the account that created it, on this machine)
$usagelocation = "NO" # Usage location must be set before a license can be assigned ("NO" = Norway)
#*********************************************************************************************
#
# Variables below
#
IF ((Test-Path $securefile) -eq $false)
{
    # Set securestring with password - only needs to run interactively once, as the scheduled-task account
    Read-Host -Prompt "Password for $onlineusername" -AsSecureString | ConvertFrom-SecureString | Out-File $securefile
}
$pass = Get-Content $securefile | ConvertTo-SecureString # Building credential
$mycred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $onlineusername,$pass # Building credential
#*********************************************************************************************
#
# Logging on to Microsoft Online services
#
Connect-MsolService -Credential $mycred
#
foreach ($sourcegroup in $licensegroups.Keys)
{
    $sku = $licensegroups[$sourcegroup]
    $groupname = Get-ADGroup $sourcegroup
    # Recursive membership so nested groups count; the same member list is used for both removal and assignment,
    # otherwise a user in a nested group would be removed (not a direct member) and re-added on every run
    $users = Get-ADGroupMember $groupname -Recursive | Where-Object {$_.objectClass -like "user"} | Get-ADUser
    $memberupns = @($users | ForEach-Object { $_.UserPrincipalName })
    #
    # Check membership and remove license for non-members
    #
    # -All is required, otherwise Get-MsolUser returns at most 500 users
    $msolusers = Get-MsolUser -All | Where-Object {$_.Licenses.AccountSkuId -contains $sku}
    foreach ($msoluser in $msolusers)
    {
        IF ($null -ne $msoluser.LastDirSyncTime) # Checks if the user is cloud-only, if so skip to next user
        {
            IF ($memberupns -notcontains $msoluser.UserPrincipalName) # Remove license if the synced user is not a (nested) group member
            {
                Set-MsolUserLicense -UserPrincipalName $msoluser.UserPrincipalName -RemoveLicenses $sku
            }
        }
    }
    #
    # Check group membership and assign location and license
    #
    foreach ($user in $users)
    {
        $msoluser = Get-MsolUser -UserPrincipalName $user.UserPrincipalName -ErrorAction SilentlyContinue
        IF ($null -ne $msoluser)
        {
            IF ($msoluser.UsageLocation -ne $usagelocation) # Check and set location
            {
                Set-MsolUser -UserPrincipalName $msoluser.UserPrincipalName -UsageLocation $usagelocation
            }
            IF ($msoluser.Licenses.AccountSkuId -notcontains $sku) # Check and assign license
            {
                Set-MsolUserLicense -UserPrincipalName $msoluser.UserPrincipalName -AddLicenses $sku
            }
        }
    }
}
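A scheduled task that removes licenses on its own deserves a dry run: a wrongly named group, or a sync problem that empties it, would otherwise strip licenses from every member in one pass. The following is an added example (not from the original post) that computes what the task would change, prints the plan, and only applies it when -Apply is given, with the try/catch the post says is missing. Get-LicenseDrift is a name chosen here and the sample objects are constructed; on a live system the inputs come from Get-ADGroupMember -Recursive and Get-MsolUser -All as in the script above.

```powershell
param([switch]$Apply)

function Get-LicenseDrift
{
    param(
        [string[]]$GroupMemberUpns, # UPNs of the (recursive) members of the license group
        [object[]]$LicensedUsers,   # users currently holding the SKU (UserPrincipalName, LastDirSyncTime)
        [string]$Sku
    )
    $licensedupns = @($LicensedUsers | ForEach-Object { $_.UserPrincipalName })
    # Synced users that left the group lose the license; cloud-only accounts (no LastDirSyncTime) are never touched
    $remove = @($LicensedUsers | Where-Object {
        $null -ne $_.LastDirSyncTime -and $GroupMemberUpns -notcontains $_.UserPrincipalName
    } | ForEach-Object { $_.UserPrincipalName })
    $add = @($GroupMemberUpns | Where-Object { $licensedupns -notcontains $_ })
    [pscustomobject]@{ Sku = $Sku; Add = $add; Remove = $remove }
}

# Constructed sample data standing in for the directory and tenant queries
$members = "anna@contoso.com", "bob@contoso.com"
$licensed = @(
    [pscustomobject]@{ UserPrincipalName = "bob@contoso.com";   LastDirSyncTime = (Get-Date) }
    [pscustomobject]@{ UserPrincipalName = "carl@contoso.com";  LastDirSyncTime = (Get-Date) }
    [pscustomobject]@{ UserPrincipalName = "admin@contoso.com"; LastDirSyncTime = $null } # cloud-only admin, must be left alone
)
$plan = Get-LicenseDrift -GroupMemberUpns $members -LicensedUsers $licensed -Sku "contoso:ENTERPRISEPREMIUM"
Write-Host "Plan for $($plan.Sku): add [$($plan.Add -join ', ')] remove [$($plan.Remove -join ', ')]"

if (-not $Apply) { return } # dry run by default; the scheduled task passes -Apply

# -ErrorAction Stop turns the cmdlets' non-terminating errors into exceptions the catch blocks can see
foreach ($upn in $plan.Remove)
{
    try { Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $plan.Sku -ErrorAction Stop }
    catch { Write-Warning "Failed to remove $($plan.Sku) from ${upn}: $_" } # hook your alert (mail, event log) in here
}
foreach ($upn in $plan.Add)
{
    try { Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $plan.Sku -ErrorAction Stop }
    catch { Write-Warning "Failed to add $($plan.Sku) to ${upn}: $_" }
}
```

With the sample data the plan adds anna and removes carl, while the cloud-only admin account is ignored even though it holds the SKU.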