Wednesday, November 05, 2014

Managing Office 365 Cloud changes

With some of the recent releases of new functionality in the cloud, many customers are finding themselves scrambling to document the new functionality for their end users, or find ways of disabling it until they can communicate, train, and document the new features.

In the past few months, Office 365 Groups was deployed for all Office 365 tenants, and the new Delve feature is available in preview as well.

First, I want to cover the Service Settings -> Updates section.  This allows you to enable or disable previewing new features.  This impacts all users in your tenant!  This allows you to control if your users will see new features first, or when they come out of preview mode.

One nice thing about First Release is that you do get to see and work with the newest features, but it also means your users will see new features "light up" immediately, meaning you won't have much time to document and instruct them on using it.

Of course, with First Release off, you won't prevent the new features from coming, but you will have more opportunity to read up on the feature and gain some intelligence on how other organizations are using them effectively.  The BEST place to read for this is the Office team blog at

UPDATE (5/21/2015) As of May 2015, there is now an option that allows administrators to select first release not only for the entire organization, but for select users as well.

Another question I am constantly helping customers with is "what kind of data goes in an Office 365 group versus a distribution group versus a Lync persistent chat versus an Exchange Public Folder" - the answers here depend greatly on what licensing and resources you have and what kind of business process you already have developed, but I have found this link on Office 365 Collaboration to be very helpful for customers trying to find the right place for their data.

Recently released features and how to control them:


Microsoft Delve has a TechNet article on administering it - Delve is based on Office Graph, a new SharePoint function that collects data from Exchange, SharePoint and OneDrive to display data that is most relevant to your users in one place.  It uses machine learning to build and learn what content your users share and who they share it with to display documents, files, posts and content relevant to your users' workflows.

Instantly turn off Delve and the Office graph
You can instantly turn off access to the Office graph and remove Delve from the Office 365 global navigation.
  1. Sign in to Office 365 with a global admin account.
  2. Choose Admin > SharePoint. You’re now in the SharePoint admin center.
  3. Choose Settings.
  4. Under Office graph, select Don’t allow access to the Office graph.

Office 365 Groups  (updated 4/14/2015)

Currently there is not a way to completely remove Office 365 Groups, but you can prevent usage and creation of them until your organization is ready to deploy them and has had time to communicate and train business units on what content belongs in a group.

Tony Redmond has a great article covering Office 365 groups here, and so far it has the most detail of any article I have read. Blocking Office 365 groups is done using an OWA mailbox policy with the -GroupCreationEnabled parameter set to $false. I would recommend setting your default OWA policy to $false, and then testing and training with a pilot group of users who are assigned a separate OWA policy with this setting set to $true. However, keep in mind that we are only blocking group CREATION. Once a pilot user creates a group, all users with permissions in that group can participate in using it.
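The default-off, pilot-on layout described above can be scripted as follows. This is an added example, not code from the original post or from Tony Redmond's article; it assumes an Exchange Online PowerShell session is already connected, and the policy name GroupsPilot and the pilot addresses are hypothetical placeholders.

```powershell
# Added example. 'GroupsPilot' and the pilot addresses are hypothetical placeholders.
$pilotPolicy = 'GroupsPilot'
$pilotUsers  = @('pilot1@contoso.com', 'pilot2@contoso.com')

# 1. Block group creation in the default OWA mailbox policy.
Get-OwaMailboxPolicy | Where-Object { $_.IsDefault } | ForEach-Object {
    Set-OwaMailboxPolicy -Identity $_.Identity -GroupCreationEnabled $false
}

# 2. Create the pilot policy once, then allow group creation only there.
if (-not (Get-OwaMailboxPolicy | Where-Object { $_.Name -eq $pilotPolicy })) {
    New-OwaMailboxPolicy -Name $pilotPolicy | Out-Null
}
Set-OwaMailboxPolicy -Identity $pilotPolicy -GroupCreationEnabled $true

# 3. Assign the pilot policy to the pilot users.
foreach ($user in $pilotUsers) {
    Set-CasMailbox -Identity $user -OwaMailboxPolicy $pilotPolicy
}

# 4. Review every policy: other custom policies keep whatever value they
#    already had, so check that none of them still allows creation by accident.
Get-OwaMailboxPolicy | Sort-Object Name |
    Format-Table Name, IsDefault, GroupCreationEnabled -AutoSize

# 5. List the mailboxes whose assigned policy still allows group creation.
$allowing = @(Get-OwaMailboxPolicy |
    Where-Object { $_.GroupCreationEnabled } |
    ForEach-Object { $_.Name })
Get-CasMailbox -ResultSize Unlimited |
    Where-Object { $allowing -contains "$($_.OwaMailboxPolicy)" } |
    Select-Object Name, OwaMailboxPolicy
```

The output of step 5 should contain only the pilot users; anyone else on that list is assigned a policy that still permits group creation.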

In February 2015, Microsoft released the White Paper "An End-to-end Experience with Groups" - recommended read before deploying groups so you understand how the program expects people to utilize them!

Exchange Online Inbox Clutter  (updated 11/19/2014)

Microsoft unveiled Clutter this week to first release customers as an additional way for Outlook Web Access (OWA) users to help control their inboxes better. There is not currently any way to control this administratively; it is a per-user mailbox view setting. Microsoft is also in the process of updating the "options" dialogs, but the below screenshot shows how a user may enable or disable this feature today. By default, Clutter is disabled. Tony Redmond has a great Clutter FAQ.

Office 365 Video (Added on 11/20/2014)

Office 365 Video was introduced on 11/20/2014 on the Office Blog.  They had this administrative guide published on day one, and from it, we learn how to disable this feature as well.  For now, Office 365 video is only available if you have First Release enabled in your tenant.

To disable Office 365 Video
  1. Sign in to Office 365 with your SharePoint Online admin account.
  2. Go to the SharePoint admin center.
  3. In the left navigation pane, select settings.
  4. In the Streaming Video Service section, select Disable streaming video through Azure Media Services and disable the Video Portal.
    Note: While this change is propagated through the system, the Video link on the Office 365 top navigation bar or the Video icon in the Office 365 app launcher might still be visible. Even while the link or icon is still visible, no one in your organization will be able to use Office 365 Video.

Outlook App for iOS and Android (Added on 2/4/2015)

Microsoft announced on 1/29/2015 that the Outlook application was coming to Apple iOS and Android devices as the rebranded Acompli application from their acquisition late last year. The application is very slick and well done, but was immediately met with some resistance from infosec bloggers.

Thankfully, there are ways to prevent this client from being used - much thanks to Paul Cunningham for his post on this.

To block the Outlook for iOS and Android app in Office 365, Exchange Server 2010 or 2013:
[PS] C:\>New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block
To quarantine instead:
[PS] C:\>New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Quarantine
Devices should now appear as blocked or quarantined with the reason of “DeviceRule”.
[PS] C:\>Get-MobileDevice -Mailbox alex.heyne | fl FriendlyName,Device*,Client*,Is*

DeviceId                : 94B42B2A37D109AE
DeviceImei              :
DeviceMobileOperator    :
DeviceOS                : Outlook for iOS and Android 1.0
DeviceOSLanguage        :
DeviceTelephoneNumber   :
DeviceType              : Outlook
DeviceUserAgent         : Outlook-iOS-Android/1.0
DeviceModel             : Outlook for iOS and Android
DeviceAccessState       : Blocked
DeviceAccessStateReason : DeviceRule
DeviceAccessControlRule : Outlook for iOS and Android (DeviceModel)
ClientVersion           : 14.1
ClientType              : EAS
IsManaged               : False
IsCompliant             : False
IsDisabled              : False
And, if you already had users get their app installed and configured, the easy way to remove them all would be:
Get-MobileDevice | where { $_.deviceos -match "outlook for ios" } | remove-MobileDevice 
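Before running a bulk removal like the one above, it helps to confirm the access rule is in place, record which devices it covers, and preview the deletion. The following is an added example, not part of the original post or of Paul Cunningham's; it assumes a connected Exchange or Exchange Online PowerShell session, and the CSV file name is a placeholder.

```powershell
# Added example. The CSV path is a placeholder.
$model = 'Outlook for iOS and Android'

# 1. Confirm the device access rule exists and which access level it applies.
Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $model } |
    Format-Table Name, AccessLevel -AutoSize

# 2. Inventory every partnership for this device model and keep a record of it.
$devices = @(Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $model })
$devices |
    Select-Object UserDisplayName, DeviceId, DeviceOS, DeviceAccessState,
                  DeviceAccessStateReason, FirstSyncTime |
    Export-Csv -Path .\outlook-mobile-devices.csv -NoTypeInformation

# 3. Flag devices whose state was NOT set by the rule (for example a per-user
#    allow, reported as reason 'Individual'); these still need a decision.
$devices |
    Where-Object { $_.DeviceAccessStateReason -ne 'DeviceRule' } |
    Format-Table UserDisplayName, DeviceId, DeviceAccessState, DeviceAccessStateReason -AutoSize

# 4. Preview the removal. -WhatIf reports what would be deleted and changes nothing.
$devices | ForEach-Object { Remove-MobileDevice -Identity $_.Identity -WhatIf }
```

Drop -WhatIf only after the CSV and the step 3 output match what you expect to remove.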

Skype for Business (Added on 4/21/2015)

Lync 2013 was renamed to Skype for Business and deployed as a Windows Update. Both Lync Server Administrators and Lync Online Administrators have a way to control this using Client Policy as documented by the team blog here.
Since this is an Office 365 only article, I will focus on the Lync Online options.

Once you’re logged into the online service via PowerShell, you can use Grant-CsClientPolicy Cmdlet as shown below, to control the experience:
Disable Skype user interface (UI) for all users:
Grant-CsClientPolicy -PolicyName ClientPolicyDisableSkypeUI
Enable Skype UI for all users:
Grant-CsClientPolicy -PolicyName ClientPolicyEnableSkypeUI
These Cmdlets will control the UI presented to all users in your Office 365 or Lync Online tenant. There are more options for controlling the experience at an individual user or group level on TechNet.

Microsoft Garage Applications

#Send Application for iOS (Added on 7/23/2015)
Microsoft announced a new email-integrated application for iOS (in case the native app, Outlook and OWA apps were not enough). The app resembles SMS messaging but is email based, without subject lines. It uses Exchange Web Services (EWS) for connectivity and it DOES NOT obey ActiveSync policies, so security administrators may want to lock it down or prevent its use. Thanks to Paul Cunningham, here's how to block #Send in your Office 365 organization (or on premises, I suppose):

At an organization level:
PS C:\> Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList

PS C:\> Set-OrganizationConfig -EwsBlockList @{add="MicrosoftSend/*"}
At a user level:
PS C:\> Set-CasMailbox Alan.Reid -EwsApplicationAccessPolicy EnforceBlockList

PS C:\> Set-CasMailbox Alan.Reid -EwsBlockList @{add="MicrosoftSend/*"} 

Groups Application for iOS (Added on 9/24/2015)
This application to connect to and participate with Office 365 groups was announced and can be blocked similarly to the Send application using EWSBlockLists.  The User Agent for Groups is:

Groupies/1.5 (iPhone; iOS 9.0; Scale/2.00)

So same as above, but "Groupies/*"   

Invite Application for iOS (added on 9/24/2015)
The Invite application was announced on 9/24 and allows users to schedule and manage meetings within the application.   I am hoping this is EWS based as well, but it doesn't work when I use a proxy.  

The user agent appears to be:
Invite/44 CFNetwork/758.0.2 Darwin/15.0.0 

So same as above but "Invite/*"

It also has an ominous security warning that it needs additional permissions (more than other Garage apps that you could argue access the same data)
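The organization-level EWS block list from the #Send section, extended to the Groups and Invite user agents given above, can be applied and verified in one pass. This is an added example, not code from the original post or from Paul Cunningham; it assumes a connected Exchange Online PowerShell session, and the Invite/* entry is included even though the post does not confirm that Invite uses EWS.

```powershell
# Added example. User-agent patterns are the ones quoted in the post;
# whether Invite actually connects through EWS is not confirmed there.
$agents = @('MicrosoftSend/*', 'Groupies/*', 'Invite/*')

$org = Get-OrganizationConfig
if ("$($org.EwsApplicationAccessPolicy)" -eq 'EnforceAllowList') {
    # An allow list already denies every agent that is not listed.
    # Switching to a block list would loosen that, so leave it alone.
    Write-Warning 'Organization enforces an EWS allow list; policy left unchanged.'
}
else {
    Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList
    # Add only the patterns that are not on the block list yet.
    $missing = @($agents | Where-Object { $org.EwsBlockList -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-OrganizationConfig -EwsBlockList @{add = $missing}
    }
}

# Verify the resulting organization-level settings.
Get-OrganizationConfig |
    Format-List EwsEnabled, EwsApplicationAccessPolicy, EwsBlockList, EwsAllowList

# List mailboxes that carry their own EWS access policy (set with Set-CasMailbox)
# so they can be reviewed alongside the organization setting.
Get-CasMailbox -ResultSize Unlimited |
    Where-Object { $_.EwsApplicationAccessPolicy } |
    Select-Object Name, EwsApplicationAccessPolicy, EwsBlockList, EwsAllowList
```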
