M365 Administration Articles - Altaro DOJO | Microsoft 365 (https://www.altaro.com/microsoft-365)
Microsoft 365 and Office 365 guides, how-tos, tips, and expert advice for system admins and IT professionals

How to Boss Device Management with Endpoint Manager (aka Intune)
https://www.altaro.com/microsoft-365/device-management-intune/
Fri, 03 Jun 2022 12:50:33 +0000

Learn how Microsoft Endpoint Manager enables organizations to solve modern device management challenges

The post How to Boss Device Management with Endpoint Manager (aka Intune) appeared first on Altaro DOJO | Microsoft 365.


Changed forever by the global pandemic beginning in 2020, organizations have shifted to a very hybrid, disaggregated workforce. In addition, remote workers may now reside anywhere globally. As a result, managing endpoints is a big challenge facing organizations.

Microsoft’s Endpoint Manager, formerly Intune, is a modern, cloud-based solution that allows businesses to manage devices anywhere, no matter where they may be located and from any network, without traditional management constraints. So what is Microsoft Endpoint Manager? How is it used, and what capabilities does it provide modern enterprise organizations? That’s what we’re talking about here. Let’s get started.

Modern Challenges Facing Organizations Today

One of the challenges for organizations has been rethinking traditional IT tasks such as end-user support and endpoint management. No longer are all employees located directly on the corporate LAN to connect to conventional solutions for endpoint management. With the shift to cloud technologies for communication, collaboration, and business productivity, organizations must adopt cloud technologies to successfully manage endpoints from any network or location.

Traditional endpoint management and monitoring solutions require direct connectivity to the corporate LAN because of the network architecture they were built around. As you can see below, they were architected either to sit on the same corporate network as the endpoints they manage or to reach remote clients over VPN connections.

Traditional endpoint management solutions require conventional network architecture

As we look at the architecture of corporate environments since the shift to a hybrid workforce, environments more closely resemble the following. As shown, the endpoints are no longer directly connected to the corporate LAN. These exist out on the Internet, relative to the enterprise datacenter.

Modern hybrid work connectivity

As you can see, traditional solutions no longer provide the robust tooling, flexibility, and connectivity diversity for managing endpoints that may exist in remote sites and home networks of remote employees.

What is Microsoft Endpoint Manager (aka Intune)?

Microsoft Intune is part of the overall Microsoft Endpoint Manager solution. What’s more, it’s cloud-based, meaning as long as an endpoint has connectivity to the Internet, the Intune solution can manage it. It provides several different components that allow organizations to carry out effective management, including:

    • Cloud infrastructure
    • Cloud-based mobile device management (MDM)
    • Cloud-based mobile application management (MAM)
    • Cloud-based PC management

Focusing on the mobile device management (MDM) functionality, Microsoft’s Intune platform allows businesses to manage many types of devices. These include desktops, laptops, tablets, and phones. In addition, the devices can be corporate-owned or “bring your own device” (BYOD) devices.

Corporate-owned devices receive the complete set of MDM policies and controls, including controls over settings, features, and security. Administrators configure the settings and security policies needed to meet compliance and governance policies decided upon for their organization. Users enrol their devices in Intune and receive the policies as assigned, based on identity and other factors. Examples of the controls and security protocols that can be enforced include:

    • Password
    • PIN
    • VPN connections
    • Threat protection

When fully managed, administrators can also:

    • Inventory devices accessing organization resources
    • Block jailbroken devices
    • Enforce security and health standards for enrolled devices
    • Push and enrol certificates on devices
    • Pull reports of user and device compliance
    • Wipe the device if it is lost or stolen

When BYOD devices are used to access corporate resources, Microsoft Intune allows organizations to protect the business data accessed from the BYOD device while not infringing on the personal data and activities carried out on the user's device. This management capability allows organizations to use a multitude of different devices without the need to use corporate devices in every situation. BYOD may also be required when contractors or other third parties are involved in projects that require interacting with sanctioned business data while at the same time using their own devices for other clients and activities.

With BYOD Intune policies, administrators can let users retain control of their devices while applying Intune app protection policies that require multi-factor authentication (MFA) to access business data housed in email or Microsoft Teams.

Microsoft Intune architecture overview

Endpoint Manager Licensing

Most licenses that include Microsoft Intune also grant the rights to use Microsoft Endpoint Configuration Manager as long as the subscription remains active. Intune is included in the following licenses:

    • Microsoft 365 E5
    • Microsoft 365 E3
    • Enterprise Mobility + Security E5
    • Enterprise Mobility + Security E3
    • Microsoft 365 Business Premium
    • Microsoft 365 F1
    • Microsoft 365 F3
    • Microsoft 365 Government G5
    • Microsoft 365 Government G3
    • Intune for Education

Intune for Education is included in the following licenses:

    • Microsoft 365 Education A5
    • Microsoft 365 Education A3

Which Operating Systems are Supported by Microsoft Endpoint Manager?

While Microsoft Endpoint Manager supports a wide range of devices and operating systems, it is good to understand the operating system requirements with the solution. Microsoft Endpoint Manager supports the following operating systems for management with MDM:

Microsoft:

    • Windows 11 (Home, S, Pro, Education, and Enterprise editions). Note: there are a few known issues with Windows 11 and Microsoft Intune at the moment. Currently, multi-app kiosk mode isn’t supported, and there are limitations with customized start and taskbar experiences.
    • Surface Hub
    • Windows 10 (Home, S, Pro, Education, and Enterprise versions)
    • Windows 10 and Windows 11 Cloud PCs on Windows 365
    • Windows 10 Enterprise 2019 LTSC
    • Windows 10 IoT Enterprise (x86, x64)
    • Windows Holographic for Business
    • Windows 10 Teams (Surface Hub)
    • Windows 10 version 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows 8.1 (Sustaining mode)

Apple

    • Apple iOS 13.0 and later
    • Apple iPadOS 13.0 and later
    • macOS 10.15 and later

Google

    • Android 6.0 and later (including Samsung KNOX Standard 2.4 and higher)
    • Android Enterprise

You can read further details on specific operating system support for Microsoft Endpoint Manager here: Operating systems and browsers supported by Microsoft Intune | Microsoft Docs

Windows 10 Microsoft Intune enrollment walkthrough

Let’s look at how to enrol Windows 10 in Microsoft Intune using the Company Portal app found in the Microsoft Store. For most Windows devices, organizations will use a combination of Autopilot and the Company Portal. With Windows Autopilot, device provisioning is simplified. It offers the ability to give new devices to end-users without building and maintaining custom operating system images that have traditionally been required.

Windows Autopilot provisions the devices, and then Microsoft Intune manages policies, profiles, security settings, applications, and other tasks. Autopilot is a collection of technologies used to set up and pre-configure new devices and get them ready for production use.

Autopilot can also be used to reset, repurpose, and recover devices, enabling IT to manage and provision end-user devices without any on-premises infrastructure. Once a machine is deployed with Autopilot, devices can be managed with:

    • Microsoft Intune
    • Windows Update for Business
    • Microsoft Endpoint Configuration Manager
    • Other similar tools

It provides a workflow similar to the following:

Workflow of device provisioning with Windows Autopilot

What is the purpose of the Microsoft Intune Company Portal?

The Company Portal apps for Windows, iOS, and Android allow users to access company data and do common tasks. These tasks include:

    • Enrolling devices
    • Installing apps
    • Locating information

You can also customize the available self-service actions shown to the end-users in the Company Portal. Admins can prevent unintended device actions. You can configure these settings in the Administration > Customization section.

    • Hide Remove button on corporate Windows devices
    • Hide Reset button on corporate Windows devices
    • Hide Remove button on corporate iOS/iPadOS devices
    • Hide Reset button on corporate iOS/iPadOS devices

Users also have access to self-service device actions from the Company Portal application. Available self-service device actions include:

    • Retire – Removes the device from Intune Management
      • In the company portal app and website, this shows as Remove.
    • Wipe – This action initiates a device reset
      • On the Company Portal website, this is shown as Reset; in the iOS/iPadOS Company Portal app, it is shown as Factory Reset.
    • Rename – This action changes the device name that the user can see in the Company Portal
      • It does not change the local device name, only the listing in the Company Portal.
    • Sync – This action initiates a device check-in with the Intune service.
      • This shows as Check Status in the Company Portal.
    • Remote Lock – This locks the device, requiring a PIN to unlock it
    • Reset Passcode – This action is used to reset the device passcode
      • On iOS/iPadOS devices, the passcode will be removed and the end-user will be required to enter a new code in settings. On supported Android devices, a new passcode is generated by Intune and temporarily displayed in the Company Portal.
    • Key Recovery – This action is used to recover a personal recovery key for encrypted macOS devices from the Company Portal website.

Company Portal app configuration

In the Microsoft Store, you will want to download and install the Company Portal app.

Download the Company Portal app

Once the Company Portal app is installed, log in with your Microsoft 365 credentials to enrol the device for management.

Sign in with your Microsoft 365 credentials to login to your account

Select the checkbox to Allow my organization to manage my device.

Choose to allow my organization to manage my device

The login to the Microsoft 365 account is complete. Click Done.

The account is added successfully to the application

You will see a message that the device is not set up for corporate use. Click the message to begin the configuration of the device for corporate use.

Choose to set up the device for corporate use

You will want to connect the device to work. Click Next.

Choose to connect this device to work

This begins the process of connecting this device to your work environment. Click the Connect button.

Click the connect button to add the device

The login field will be prepopulated with the user you logged in with earlier.

Set up a work or school account

After logging in, you will see the process for setting up the device begin.

Device is setting up for management in Intune

After a few moments, the device will be connected to “work.”

The device is now connected to your work account

The device is now set up for management and is ready to receive policies, applications, and other resources defined by the Intune administrator.

The device is now configured for management

Grouping Users and Devices in Microsoft Endpoint Manager

With Microsoft Endpoint Manager, devices enrolled into Intune are added as objects inside Microsoft Azure Active Directory. Enrolled devices can be managed and grouped using Azure Active Directory constructs, including Azure Active Directory groups.

Intune-enrolled devices are created as objects inside Azure Active Directory

The “win10intune” machine enrolled above using the Company Portal app is displayed in the Devices blade for Azure Active Directory.

Enrolled Windows 10 machine listed in Azure Active Directory devices

The device objects can be added to group objects. Below, I am creating a new group and adding members. The screen below shows a new group creation process with the member selector. As shown, you can easily add devices to groups. Dynamic device groups also can perform automatic group membership-based

Adding a Windows 10 workstation that is Azure AD-joined to an Azure AD group

User objects work the same way. Native Azure Active Directory users, as well as users synchronized from on-premises directories using Azure AD Connect, can be added to Azure AD groups. Below, testuser1 and testuser2 are users synchronized with Azure AD Connect.

Users listed in Azure Active Directory

Creating Endpoint Manager Configuration Profiles

Now that we have a device enrolled in Microsoft Endpoint Manager and have created a group object containing that device, we can move forward with creating policies. The policies will then be assigned to the group housing the devices. Next, navigate to Devices > Configuration profiles.

Configuration profiles allow configuring system settings, security configurations, and other settings. It is important to note that if there is a conflict between configuration profiles and compliance policies, compliance policies take precedence over configuration profiles.

On the Devices > Configuration profiles screen, click to Create a profile to begin the process of creating a new configuration profile for Windows 10 devices. Under the platform, select Windows 10 and later. On the profile type, choose Templates. The templates option contains groups of settings organized by functionality. It makes it easy to have a “cookie-cutter” approach to predefined policies to keep from building these out manually.

Beginning to create the configuration profile in Microsoft Endpoint Manager

This starts the Create profile wizard, which steps you through the process of creating the configuration profile for the device. First, name the new configuration profile and click Next.

Configuring a name for your configuration profile

Next, you will have the opportunity to specify Configuration settings for your configuration profile. For those who have managed group policy, the configuration settings are eerily similar to what you would find with group policy settings templates.

Updating the configuration settings for a configuration profile

You can define scope tags for your configuration profile.

Define scope tags for your configuration profile

Next, on the Assignments screen, you assign the configuration profile to the specific group of devices that should receive its settings. Earlier, we created a group called Grp-Windows10Devices. This group will be the group targeted for the configuration profile.

Assign the configuration profile to the Azure Active Directory group containing devices you want to target

Review and create the configuration profile.

Finalizing the creation of a new configuration profile

Compliance policies

Compliance policies can be used in combination with conditional access to check to see if a device is compliant with certain policies or not. It is also a great way to report if certain settings are configured on end-user devices. An example would be to know which devices are encrypted using BitLocker.

When configuring a compliance policy, you get the same wizard-driven experience to create and configure the policy.

Configuring compliance settings in a new compliance policy

Scrolling further down the compliance settings screen reveals very useful settings for controlling device security. These include configuring:

    • Firewall
    • Trusted Platform Module (TPM)
    • Antivirus
    • Antispyware
    • Defender
    • Microsoft Defender Antimalware
    • Microsoft Defender Antimalware minimum version
    • Microsoft Defender Antimalware security intelligence up-to-date
    • Real-time protection

Configure device security settings using Endpoint Manager Compliance Policies
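
To see how an endpoint would fare against the settings in this list before a compliance policy is assigned, the following added example (not from the original article or from Microsoft) reads the same settings locally with built-in Windows cmdlets. The function names and the three-day signature-age threshold are assumptions for illustration; Intune's own evaluation may differ.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): read-only local check of the device
# security settings listed above, using built-in Windows cmdlets.

# Hypothetical helper: one result row per setting.
function New-CheckResult {
    param([string]$Setting, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Setting = $Setting; Pass = $Pass; Detail = $Detail }
}

# Hypothetical function name; emits one row per compliance-relevant setting.
function Test-LocalComplianceReadiness {
    [CmdletBinding()]
    param(
        # Assumed threshold for this example, not an Intune default.
        [int]$MaxSignatureAgeDays = 3
    )

    # Firewall: every profile (Domain, Private, Public) should be enabled.
    try {
        $off = @(Get-NetFirewallProfile -ErrorAction Stop |
                 Where-Object { $_.Enabled -ne 'True' })
        $detail = if ($off) { 'Disabled profiles: ' + ($off.Name -join ', ') }
                  else { 'All profiles enabled' }
        New-CheckResult 'Firewall' ($off.Count -eq 0) $detail
    } catch {
        New-CheckResult 'Firewall' $false "Query failed: $($_.Exception.Message)"
    }

    # Trusted Platform Module: present and ready for use.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        New-CheckResult 'TPM' ($tpm.TpmPresent -and $tpm.TpmReady) `
            "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    } catch {
        New-CheckResult 'TPM' $false "Query failed: $($_.Exception.Message)"
    }

    # BitLocker on the OS drive (the reporting example mentioned in the text).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        New-CheckResult 'BitLocker (OS drive)' ($vol.ProtectionStatus -eq 'On') `
            "ProtectionStatus=$($vol.ProtectionStatus)"
    } catch {
        New-CheckResult 'BitLocker (OS drive)' $false "Query failed: $($_.Exception.Message)"
    }

    # Microsoft Defender state. On machines protected by a third-party
    # product these values can legitimately report as disabled.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        New-CheckResult 'Antivirus' $mp.AntivirusEnabled `
            "Antimalware client version $($mp.AMProductVersion)"
        New-CheckResult 'Antispyware' $mp.AntispywareEnabled ''
        New-CheckResult 'Real-time protection' $mp.RealTimeProtectionEnabled ''
        New-CheckResult 'Security intelligence up-to-date' `
            ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
            "Signature age: $($mp.AntivirusSignatureAge) day(s)"
    } catch {
        New-CheckResult 'Microsoft Defender' $false "Query failed: $($_.Exception.Message)"
    }
}

# Failing checks sort first.
Test-LocalComplianceReadiness | Sort-Object Pass | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; every cmdlet used only reads state and changes nothing on the device.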

Endpoint security with Endpoint Manager

Another really nice feature with Endpoint Manager is the Endpoint Security node. Admins can use the Endpoint Security blade to specifically configure device security and manage security tasks for devices when those devices are at risk. Think of the Endpoint Security node as specialized configuration policies focused on security and mitigating risk.

With Endpoint Security, you can:

    • Review security status of all managed devices – With the All devices view you can view device compliance from a high level. Also, you can view specific devices to understand which compliance policies aren’t met so you can resolve them.
    • Deploy security baselines that establish best practice security configurations for devices – Intune includes security baselines for Windows devices and a wide range of applications, like Microsoft Defender for Endpoint and Microsoft Edge. These are pre-configured groups of Windows settings that help apply configurations recommended by the relevant security teams.
    • Manage security configurations on devices through tightly focused policies – Each Endpoint security policy focuses on aspects of device security like antivirus, disk encryption, firewalls, and several areas made available through integration with Microsoft Defender for Endpoint.
    • Establish device and user requirements through compliance policy – With compliance policies, you set the rules that devices and users must meet to be considered compliant. Rules can include OS versions, password requirements, device threat levels, and more.
    • Gate access to corporate resources for both managed and unmanaged devices – When you integrate with Azure Active Directory (Azure AD) conditional access policies to enforce compliance policies, you can.
    • Integrate Intune with your Microsoft Defender for Endpoint team – By integrating with Microsoft Defender for Endpoint you gain access to security tasks. These integrate Microsoft Defender for Endpoint and Intune together. This integration helps SecOps identify devices at risk and hand off detailed remediation steps to Intune admins.
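
The "review security status of all managed devices" task in this list can also be scripted. The following added example (not from the original article or from Microsoft) filters managed-device records down to the ones that need attention: non-compliant, unencrypted, or no longer checking in. The function name, the 14-day staleness threshold, and the sample records are constructed for illustration; the property names match those returned by `Get-MgDeviceManagementManagedDevice` in the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not from the article): flag managed devices that are
# non-compliant, unencrypted, or have stopped checking in.

# Hypothetical function name; accepts managed-device objects from the pipeline.
function Get-DeviceComplianceGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Device,

        # Assumed threshold for this example: flag devices silent for longer.
        [int]$StaleAfterDays = 14,

        # Reference time; overridable so a report can be reproduced.
        [datetime]$Now = (Get-Date)
    )
    process {
        $reasons = @()

        if ($Device.ComplianceState -ne 'compliant') {
            $reasons += "compliance state: $($Device.ComplianceState)"
        }
        if (-not $Device.IsEncrypted) {
            $reasons += 'storage not encrypted'
        }

        # A device that no longer syncs cannot receive policy or be wiped.
        $silentDays = [int][math]::Floor(($Now - [datetime]$Device.LastSyncDateTime).TotalDays)
        if ($silentDays -gt $StaleAfterDays) {
            $reasons += "no check-in for $silentDays days"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                DeviceName = $Device.DeviceName
                User       = $Device.UserPrincipalName
                OS         = $Device.OperatingSystem
                Reasons    = $reasons -join '; '
            }
        }
    }
}

# Constructed sample records (not real tenant data).
$sample = @(
    [pscustomobject]@{ DeviceName = 'win10intune'; UserPrincipalName = 'testuser1@contoso.example'
                       OperatingSystem = 'Windows'; ComplianceState = 'compliant'
                       IsEncrypted = $true;  LastSyncDateTime = [datetime]'2022-06-03T08:00:00' }
    [pscustomobject]@{ DeviceName = 'laptop-02'; UserPrincipalName = 'testuser2@contoso.example'
                       OperatingSystem = 'Windows'; ComplianceState = 'noncompliant'
                       IsEncrypted = $false; LastSyncDateTime = [datetime]'2022-06-02T17:30:00' }
    [pscustomobject]@{ DeviceName = 'phone-07'; UserPrincipalName = 'testuser2@contoso.example'
                       OperatingSystem = 'iOS'; ComplianceState = 'compliant'
                       IsEncrypted = $true;  LastSyncDateTime = [datetime]'2022-04-20T09:15:00' }
)

$asOf = [datetime]'2022-06-03T12:00:00'
$sample | Get-DeviceComplianceGap -Now $asOf | Format-Table -AutoSize

# Against a real tenant (requires the Microsoft.Graph.DeviceManagement module
# and a read-only scope):
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
#   Get-MgDeviceManagementManagedDevice -All | Get-DeviceComplianceGap
```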

What is the Difference Between Mobile Application Management and Mobile Device Management?

Microsoft Endpoint Manager allows organizations to protect business-critical data accessed by end-user devices using:

    • Mobile Application Management (MAM)
    • Mobile Device Management (MDM)

Mobile Application Management (MAM)

Mobile application management (MAM) is the component of Microsoft Endpoint Manager that allows controlling how all business-related data is accessed from end-user devices, such as Windows 10 & 11 PCs, and mobile devices like iPhones and Androids. In addition, MAM allows creating policies that help prevent data leakage and misuse of data to keep client devices aligned with compliance regulations and other governance initiatives. For example, you can prevent users from copying data between Office apps and personal applications. Finally, using MAM, organizations can also remove data from Office applications on personal devices used by end-user clients.

Mobile device management (MDM)

Using Microsoft Endpoint Manager Mobile Device Management (MDM), businesses can configure policies that allow controlling various aspects of the configuration and security of end-user devices, such as Windows 10 & 11 PCs. For example, the control given by Endpoint Manager MDM allows completely controlling the device and allows wiping data and resetting it to factory defaults if needed.

How Does Configuration Manager Work with Endpoint Manager?

An announcement at Microsoft Ignite 2019 brought together the Configuration Manager and Intune solutions as part of the Microsoft Endpoint Manager. Microsoft now refers to all of the configuration products under the single name of Endpoint Manager.

It includes:

    • Config Manager
    • Intune
    • Co-management
    • Desktop Analytics
    • Device Management Admin Console

Since all of the aforementioned solutions are now part of the Endpoint Manager solution, any Configuration Manager customer can now automatically use Intune to co-manage Windows devices with no license changes or additional costs. While they have changed the branding, the changes will help customers use the full capabilities of Endpoint Manager without traditional challenges.

Microsoft has purposely engineered the components of their Endpoint Manager solutions to work together seamlessly. Current Config Manager tasks and data are presented in the unified console of Endpoint Manager Devices. How should the different solutions be used together?

Customers have asked questions about which solution is the ultimate destination they should reach in their device management solution between Configuration Manager, Intune, and co-management. Is co-management a bridge or destination? Microsoft desires co-management to be the destination for customers.

Microsoft ideally wants customers to attach their Endpoint Manager Intune environment with their existing Configuration Manager deployments. Therefore, co-management allows attaching Microsoft 365 cloud intelligence to existing configuration solutions.

With the unified solution, customers can completely automate compatibility testing when upgrading to a new release of Windows. In addition, customers can test and deploy update patching much faster to bolster compliance much more quickly. Immediate actions can be taken on all devices using the Endpoint Manager solution.

Configuration Manager continues to function the same way it has functioned for customers. When referring to the on-premises component, Microsoft is calling the traditional Config Manager product: Microsoft Endpoint Configuration Manager. If you are licensed for Microsoft Config Manager, you are automatically licensed to use Microsoft Intune to co-manage your end-user devices.

What are the Native Google Options Available for Managing Android Devices?

While Microsoft Endpoint Manager can manage Google devices and Microsoft endpoints, Google has its own native endpoint management solution called Google Endpoint Management. The solution provides both basic and advanced mobile security and app management as well as device management that can do the following:

    • Set password requirements for mobile devices
    • Wipe a user’s account from a device
    • Manage apps for Android devices
    • Require admin approval for mobile devices
    • Recommend and manage iOS apps
    • Standard and strong passcode enforcement
    • Network management
    • Android work profiles
    • Approve devices
    • Device audit log
    • Report inactive company-owned devices
    • Private Android web apps
    • Computer security – manage all company-owned devices, including mobile devices, laptops, and desktops, from your Google Workspace Admin console

Google Endpoint Management can manage macOS devices, whereas Intune is not compatible with macOS. One thing to note with Google Endpoint Management is that it is not available for Business Plus or G Suite Business customers. It is only found in the Enterprise offering.

Intune provides more robust features as expected for managing Windows devices and health compliance features that are not listed with Google Endpoint Management.

What are the Native Apple Options Available for Managing iOS and iPadOS Devices?

Apple has something called the Apple Platform Deployment. It is a native solution provided by Apple to deploy and manage Apple hardware, software, and services in your organization. With Apple Platform Deployment, businesses can:

    • Lock and locate devices
    • Wipe devices remotely
    • Activation lock
    • Enforce device policies
    • Use persistent tokens
    • Use built-in network security features
    • Manage certificates
    • Perform user enrollment MDM information
    • Put restrictions in place for iPhone, iPad, Mac, Apple TV, and other supervised devices

Like much of the Apple ecosystem, Apple Platform Deployment only caters to Apple devices. As a result, it isn’t an MDM and MAM solution that organizations can use for multiple platforms and devices. Instead, it is specific to the Apple ecosystem. Here, Intune is a superior all-inclusive tool that can manage most devices used in the enterprise.

Apple’s Platform Deployment is the better choice for the most robust features and capabilities for managing Apple hardware, software, applications, and services.

My Thoughts on Endpoint Manager

The modern distributed hybrid workforce has presented challenges for organizations with remote employees on different continents worldwide. Legacy solutions that depend on endpoints being directly connected to corporate networks are cumbersome and don’t scale well.

Cloud-based mobile device management and mobile application management platforms answer many of the challenges organizations face today. Microsoft’s Endpoint Manager is a robust platform for managing and controlling end-user devices, applications, and data.

Using Endpoint Manager configuration profiles, compliance policies, and endpoint security, businesses have cloud-based tools that effectively manage corporate-owned devices and BYOD. Additionally, as the modern workforce is more disaggregated and remote than ever before, cloud-centric solutions provide the flexibility and toolsets needed for modern device management.

What are the Frontline Worker SKUs in M365 and Who are they for?
https://www.altaro.com/microsoft-365/frontline-worker-skus-m365/
Fri, 08 Apr 2022 12:52:05 +0000

Understand the difference between the various Frontline Workers licenses to help you choose which suits your business best

The post What are the Frontline Worker SKUs in M365 and Who are they for? appeared first on Altaro DOJO | Microsoft 365.


Much like learning the difference between Formula 1 and Formula 3 cars by reading the proverbial “high-speed racing weekly” to help choose which car or racing format is for you, read on to understand the difference between the various Frontline Workers licenses to help you choose which suits your business.

Let’s ensure we have the definition right of Frontline workers.

From Microsoft:
“Frontline workers are employees whose primary function is to work directly with customers or the general public providing services, support, and selling products, or employees directly involved in the manufacturing and distribution of products or services.”

You can also think of these as people who are NOT in front of a keyboard all day.

What are the F1, F3 and F5 SKUs in M365

The world of Formula racing is complex. Similarly, the world of Microsoft licensing, although entirely different, is too. As of December 2021, there were 1858 different SKUs available. Today we will cover just 5, those designed for Frontline Workers: F1, F3 and the F5 add-ons.

So, let’s get into it.

For the most part, Frontline workers won’t have the need to use many of the applications used by their desk-bound counterparts. They need tools to do their job and do it securely and, in some circumstances, be compliant with relevant standards in that industry.

Microsoft appears to have considered the essential applications and services they need and offer plans to cover all your needs when it comes to Frontline Workers.

In the Frontline range of licenses, there are only 5 licenses:

    • F1
    • F3
    • F5 Security
    • F5 Compliance
    • F5 Security and Compliance

As you would expect, F1 is the simplest of the lot. It gets your worker online with the bare apps needed to do their jobs securely. Or as Microsoft refers to it: “Lay the foundation for secure communication.”

These are key apps like Office suite on the web (but not the desktop apps), Outlook, Teams, SharePoint, and OneDrive.

F3 builds on this “foundation” and adds a swag of other applications like Full Outlook and Office Desktop, Sway and Power Automate, amongst others.

Then there is F5 which is an add-on. It might come as a surprise, but F5 does not actually offer the same as F3 and then some. It isn’t a standalone license. F5 is all about Security and Compliance. All F5 add-ons require Microsoft F1, F3 (or Office 365 F3 Enterprise Mobility + Security E3).

The base F5 add-on comes in 2 flavors: “F5 Security” or “F5 Compliance.” Depending on the security requirements of the Frontline worker role or environment, a third SKU is available with security and compliance.

Have a look here to download the full breakdown and comparison for these licenses.
See here for an online comparison in a simpler tabular format.

Limitations of the different Frontline SKUs

Formula 3 racing is considered as the entry point for rookies getting into the racing game. The engines are limited to top out at only 270 kmph. You know where this is going. The Frontline Worker F1 license is like Formula 3 racing in this instance, it’s the starting point.

It can be tricky choosing the right license to ensure your Frontline Worker has access to the tools they need while, so here’s a summary with key services and what you get for each one.

Email

    • F1 does not give the user an actual mailbox. Access only to Teams Calendar.
    • F3 comes with a license for Outlook and a 2GB mailbox, available as an app or online.

Office

    • F1 and F3: PowerPoint, Word, Excel and OneNote

Device and app management

    • F1: Microsoft 365 admin center, Intune, Endpoint Configuration Manager
    • F3: All of the above plus Windows 11 Enterprise and Autopilot

Social

    • All plans include SharePoint, Yammer and Viva Connections

Files and Content

    • F1: OneDrive (2GB) and Stream
    • F3: All of the above plus Sway

Work Management

    • F1: Microsoft Planner
    • F3: Microsoft Planner plus the Power suite, Forms and To Do

Meetings and Voice

    • F1 and F3: Teams

Automation

    • Available on F3 only

The summary above is intended to help in the decision-making process, comparing what you do or don’t get with each license. Read on for some examples of specific use-cases, followed by how it’s going to affect your bottom line!

Use cases for the different Frontline licenses

Frontline worker Productivity Tools | Microsoft 365 (courtesy of Microsoft)

Not all racing cars in Formula 1, Formula 2 and Formula 3 are created equal. In fact, F1 cars are uniquely designed, whereas F2 and F3 are all designed by an Italian firm called Dallara. Bet you didn’t know all that?

Circling back to who Frontline Workers are and typically where you’ll find them. Some of these Frontline Workers might be in a niche service or industry and need their own “unique” choice of which license combination suits them (see what I did there?).

The four photos above – taken from Microsoft’s 365 Enterprise page – capture places where you’ll find Frontline Workers, and help to cement who they are and what they really do. They drive home the wide spectrum of how Frontline Workers are classed or considered.

My thoughts on the above and what to choose?

Starting top-left. Honestly, I’m just not sure what role or job this person is performing. Based on clothing, I’m picking a medical supply service. Drive-through-drugstore anyone?

Moving on to the first responders at top-right. I suspect high-end security and compliance probably won’t be necessary for them. They need the basics, so F1 for you. Thank you very much.

The healthcare professional at bottom-left, on the other hand, will have access to patient data, and don’t forget about HIPAA in the US and similar regulations in other countries. That extra $13/month for the Security + Compliance add-on is worth the spend to remain secure and compliant.

What’s it going to cost me?

The price of a Formula 1 car is around $20m. For a Formula 2 car, you’re looking at parting with only around $670,000 and a Formula 3 dropping to just $120,000.

Pricing for Frontline Worker licensing is a tad less, but still requires due consideration when choosing.

Here’s the skinny on pricing for each of the Frontline Worker licenses.

| SKU | F1 | F3 | F5 Security | F5 Compliance | F5 Security + Compliance |
|---|---|---|---|---|---|
| User/month | $2.25 | $8 | $8 | $8 | $13 |

(All prices are based on an annual commitment)

At the top end of the scale, purchasing for Frontline Workers in a high-profile or sensitive industry (e.g. pharmaceutical or banking), where security and compliance are common, you’ll probably opt for F3 + the F5 Security + Compliance add-on, which will set you back $21 per user/month.

On the other hand, for Frontline Workers in a tin-can factory, or the first responders mentioned in the previous paragraph, the F1 license will be your likely choice.

Note that these are simply suggestions and my starting approach. Each business needs to do their own due diligence to decide what is right for the person and the business, and ultimately the budget!

Conclusion

Microsoft’s catchy terms like “Connect your workforce,” “Protect your organization” and “Empower with devices” to describe this class of license can’t be faulted. Collectively they explain the benefit you get from the Frontline Worker license and why you should hand over your shiny dollars.

Recall at the start of this article I stated the number of Microsoft license SKUs available: 1858. By offering such a variety of licenses, including those for Frontline Workers, there’s something to suit virtually any business, in almost any environment and in all industries.

I hope you enjoyed learning a bit about the world of Formula racing as much as I did and, more importantly, about Frontline Worker licenses, and that you are now better informed when choosing.

The views expressed in this article are my own and are unrelated to my employer’s views.

The Real Cost of Microsoft 365 Revealed https://www.altaro.com/microsoft-365/real-cost-m365/ https://www.altaro.com/microsoft-365/real-cost-m365/#respond Mon, 31 Jan 2022 16:57:48 +0000 https://www.altaro.com/hyper-v/?p=18688 A full breakdown of Microsoft 365's complicated pricing structure and how you can help your business maximize your M365 investment


Estimating the real cost of a technology solution for a business can be challenging. There are obvious costs as well as many intangible costs that should be taken into account.

For on-premises solutions, people tend to include licensing and support maintenance contract costs, plus server hardware and virtualization licensing costs. For Software as a Service (SaaS) cloud solutions, it seems like it should be easier since there’s no hardware component, just the monthly cost per licensed user but this simplification can be misleading.

In this article we’re going to look at the complete picture of the cost of Microsoft 365 (formerly Office 365), how choices you as an administrator make can directly influence costs, and how you can help your business maximize the investment in OneDrive, SharePoint, Exchange Online and other services.

The Differences Between Office 365 & Microsoft 365

As covered in our article about the death of Office 2019, there are naming changes afoot in the Office ecosystem. The personal Office 365 subscriptions have changed and are now called Microsoft 365 Family (up to six people) and Personal, and the Office 365 Business SKUs, which top out at 300 users, have also been renamed. The new SKUs are Microsoft 365 Business Basic, Apps, Standard, and Premium.

There’s no reason to believe that this name change won’t eventually extend to the Enterprise SKUs, but until it does, from a licensing cost perspective it’s important to separate the two. Office 365 E1, E3 and E5 give you the well-known “Office” applications, either web-based or on your device, along with SharePoint Online, Exchange Online and OneDrive for Business in the cloud backend.

Microsoft 365 F3, E3 and E5, on the other hand, include everything from Microsoft 365 plus Azure Active Directory Premium features (identity security), Enterprise Mobility & Security (EMS) / Intune for Mobile Device Management (MDM) and Mobile Application Management (MAM), along with Windows 10 Enterprise.

Comparing M365 plans

So, a decision that needs to be looked at early when you’re looking to optimize your cloud spend is whether your business is under 300 users and likely to stay that way for the next few years. If that’s the case you should definitely look at the M365 Business SKUs as they may fulfil your business needs, especially as Microsoft recently added several security features from AAD Premium P1 to M365 Business.

If you’re close to 300, expecting to grow or already larger, you’re going to have to pick from the Enterprise offerings. The next question is then, what’s the business need – do you just need to replace your on-premises Exchange and SharePoint servers with the equivalent cloud-based offerings? Or is your business looking to manage corporate-issued mobile devices (smartphones and tablets) with MDM or protect data on employee-owned devices? The latter is known as Bring Your Own Device (BYOD), sometimes called Bring Your Own Disaster. If you have those needs (and no other MDM in place today), the inclusion of Intune in M365 might be the clincher. If on the other hand, you need to protect your on-premises Active Directory (AD) against attacks using Azure Advanced Threat Protection (AATP) or inspect, understand and manage your users’ cloud usage through Microsoft Cloud App Security (MCAS) you’ll also need M365 E5, rather than just O365.

Cloud app security dashboard

The difference is substantial: outfitting 1000 users with O365 E3 will cost you $240,000 per year, whereas moving up to M365 E3 will cost you $384,000. And springing for the whole enchilada with every security feature available in M365 E5 will cost you $684,000, nearly 3X the cost of O365 E3. Thus, you need to know what your business needs and tailor the subscriptions accordingly (see below for picking individual services to match business requirements).

Note that if you’re in the education sector you have different options (O365 A1, A3, and A5 along with M365 A1, A3, and A5) that are roughly equivalent to the corresponding Enterprise offerings but less costly. Charities and not-for-profits have options as well for both O365 and M365. M365 Business Premium is free for up to 10 users for charities and $5 per month for additional users.

A la carte Instead of Bundles

There are two ways to optimize your subscription spend in O365 / M365. Firstly, you can mix licenses to suit the different roles of workers in your business. For instance, the sales staff in your retail chain stores are assigned O365 E1 licenses ($8 / month) because they only need web access to email and documents, the administrative staff in head office use O365 E3 ($20 / month) and the executive suite and other high-value personnel use the full security features in E5 ($35 / month). Substitute M365 F3, E3, and E5 in that example if you need the additional features in M365.

Secondly, you don’t have to use the bundles that are encapsulated in the E3, E5, etc. SKUs, and you can instead pick exactly the standalone services you need to meet your business needs. Maybe some users only need Exchange Online whereas other users only need Project Online. The breakdown of exactly what features are available across all the different plans and standalone services is beyond the scope of this article but the O365 and M365 service descriptions are the best places to start investigating.

Excerpt from the O365 Service Description

And if you’re a larger business (500 users+) you’re not going to pay list prices and instead these licenses will probably be part of a larger, multi-year, enterprise agreement with substantial discounts.

If You Hate Change

If you want to stay on-premises, Exchange Server 2019 is available (it only runs on Windows Server 2019), as is SharePoint Server 2019, and you can even buy the “boxed” version of Office 2019 with Word, Excel, etc. with no links to the cloud whatsoever. This is an option that moves away from the monthly subscription cost of M365 (there’s no way to “buy” M365 outright) and back to the traditional way of buying software packages every 2-5 years. Be aware that these on-premises products do NOT offer the same rich features that O365 / M365 provides, whether it’s the super-tight integration between Exchange Online and SharePoint Online, cloud-only services like Microsoft Teams that build on top of the overall O365 fabric or AI-powered design suggestions in the O365 versions of Word or PowerPoint. There’s no doubt that Microsoft’s focus is on cloud services; these are updated with new features on a daily basis, instead of every few years. If your business is looking to digitally transform, towards tech intensity (two recent buzzwords in IT with a kernel of truth in them), using on-premises servers and boxed software licensing is NOT going to get you there. But if you want to keep going like you always have, it’s an option.

And if you’re looking at this from a personal point of view, a free Microsoft account through Outlook.com does give you access to Office Online: Word, Excel, and PowerPoint in a browser. There’s even a free version of Microsoft Teams available.

Transforming your Business

There’s a joke going around at the moment about the Covid-19 pandemic bringing digital transformation to many businesses in weeks that would have taken years to achieve without it. There’s no doubt that adopting the power of cloud services has the power to truly change how you run your business for the better. A good example is moving internal communication from email to Teams, including voice and video calls and perhaps even replacing a phone system with cloud-based phone plans.

But these business improvements depend on the actual adoption of these new tools. And that requires a mindset shift for everyone. Start with your IT department: if they still see M365 as just cloud-hosted versions of their old on-premises servers, they’re missing the much bigger picture of the integrated platform that O365 has become. Examples include services such as Data Loss Prevention (DLP), unified labeling and automatic encryption/protection of documents and data, and unified audit logging that spans ALL the workloads. So, make sure you get them on board with seeing O365 as a technology tool to transform the business, not just a place to store emails and documents in OneDrive. And adding M365 unlocks massive security benefits, enabling zero-trust (incredibly important as everyone is working from home), identity-based perimeters, and cloud usage controls. But if your IT or security folks aren’t on board with truly adopting these tools, they’re not going to make you any more secure. Here’s free IT administrator training for them.

Finally, you’re going to have to bring all the end-users on board with a good Adoption and Change Management (ACM) program, helping everyone understand these new services and what they can do to make their working lives better. This includes training but make sure you look to short, interactive, video-based modules that can be applied just when the user needs coaching on a particular tool, not long classroom-based sessions.

And all of that, for all the different departments, isn’t a once-off when you migrate to O365, it’s an ongoing process because the other superpower of the cloud is that it changes and improves ALL the time. This means you’ll need to assign someone to track the changes that are coming/in preview and ensure that the ones that really matter to your business are understood and adopted. The first place to look is the Microsoft 365 Message Center in the portal where you can also sign up for regular emails with summaries of what’s coming. Another good source is the Office 365 Weekly Blog.

M365 portal Message Center

To help you track your usage and adoption of the different services in O365 there is a usage analytics integration with PowerBI. Use this information to firstly see where adoption can be improved and take steps to help users with those services and secondly to identify services and tools that your business isn’t using and perhaps don’t need, giving you options for changing license levels to optimize your subscription spend.

PowerBI O365 Usage Analytics (courtesy of Microsoft)

Closing Notes

There’s another factor to consider as you’re moving from on-premises servers to Microsoft 365 and that’s the changing tasks of your IT staff. Instead of swapping broken hard drives in servers these people now need to be able to manage cloud services and automation with PowerShell and most importantly, see how these cloud services can be adopted to improve business outcomes.

A further potential cost to take into account is backup. Microsoft keeps four copies of your data, in at least two datacentres so they’re not going to lose it but if you need the ability to “go back in time” and see what a mailbox or SharePoint library looked like nine months ago, for instance, you’ll need a third-party backup service, further adding to your monthly cost.

And that’s part of the overall cost of using O365 or M365: training staff, adopting new features, different tasks for administrators and managing change all require people and resources, in other words, money. That has to be factored into the overall cost of using Microsoft 365; it’s not just the monthly license cost.

The final question is of course – is it worth it? Speaking as an IT consultant with clients (including a K-12 school with 100 students) who recently moved EVERYONE to work and study from home, supported by O365, Teams, and other cloud services, the answer is a resounding yes! There’s no way we could have managed that transition with only on-premises infrastructure to fall back on.

Office 365 vs Office 2019: Pros and Cons for IT Admins https://www.altaro.com/microsoft-365/office-365-vs-office-2019/ https://www.altaro.com/microsoft-365/office-365-vs-office-2019/#respond Tue, 25 Jan 2022 14:41:52 +0000 https://www.altaro.com/hyper-v/?p=18976 The differences between the standalone version of Office 2019 and Office bundled with Office 365, and how to decide which is best for you


In this post, we will look at the differences between the standalone version of Office 2019 and Office bundled with Office 365, what the main differences are, and how to choose between these versions.

Microsoft Office is a bundle of products that include the very familiar Outlook, Word, Excel and PowerPoint. However, the edition of Office and the available features within those apps can change dramatically based on its origin and the installer used. For the sake of clarity, I’ll be writing about these as either the Office 365 edition recently renamed – more on this below – or the Office 2019 edition.

Office 365 Pro Plus Renamed

On April 21, 2020, Microsoft renamed Office 365 for SMB to Microsoft 365. Microsoft also renamed the online version of Office which is bundled with certain SKUs of this service from Office 365 Pro Plus to Microsoft 365 Apps. Office 365 Pro Plus is now known as Microsoft 365 Apps for enterprise or Microsoft 365 Apps for business.

For the sake of this article, I want to point out that irrespective of the Microsoft 365 Apps edition, i.e. “for enterprise” or “for business”, this version of Office is also known as the “click to run” version of Office containing the Office applications Outlook, Word, Excel, PowerPoint and others. For the rest of this article, I’ll be referring to it as Microsoft 365 Apps while reminding you of the old name to keep confusion to a minimum.

What’s in a Name?

Office 365 Pro Plus and Office 2019 sound similar, which means it’s quite easy to confuse the two. Microsoft 365 Apps and Office 2019 sound less similar and allow us to differentiate easily between the two editions of Office. Both can be downloaded and installed on a user’s PC or Mac; however, the installer which is bundled with each of these versions is massively different. Microsoft 365 Apps is installed using Click-to-Run technology, while Office 2019 is installed using Windows Installer technology (MSI).

Each installer has a different way of handling versions of Office. MSI versions of Office have major versions such as Office 2013, Office 2016 and Office 2019 and are licensed using Volume Licensing and are perpetual licenses. Perpetual licensing means that once you’ve licensed, for example, Office 2013, you own it forever and you receive security patches and updates for that version of Office, specifically Office 2013 until its support lifecycle ends. That also means that you do not automatically qualify for a newer version of Office when it releases. Office 2016 and the current version of Office 2019 need to be bought as new versions.

You may decide that since the installers are different, you install both types of Office on the same machine. Assuming you still own and have Office 2013 installed and try to install the Click-to-Run version of Office on the same machine, you will encounter the following error and will have to uninstall the MSI version of Office first before continuing.

Microsoft Office Installer Problem

When installing the MSI version of Office, currently versioned as Office 2019, you will need to wait for the installer to finish before accessing one of the bundled applications like Word.

Click-to-Run, which delivers the Microsoft 365 Apps versions of Word, Excel, PowerPoint and others, is dramatically different, as it utilises both streaming and virtualisation technology that is built into modern versions of Windows. Streaming implies that as Microsoft 365 Apps is being downloaded, a component like Word may be used before the entire Microsoft 365 Apps bundle has finished downloading. This way of delivering Office was first introduced in 2010 with the version of Office bundled with Office 365 and allows users to start using Office components from the time the installer launches. The implication is that users are able to work within Office applications before they are finished downloading, as soon as the installer starts executing, compared to the MSI version of Office, which needs to finish downloading and installing before any of the Office apps are available.

Are Microsoft Office 2019 and Microsoft 365 Apps the Same?

Earlier we noted that Office 2019 and previous versions are perpetually licenced, which means we have to buy the newer versions of Office as they appear if we want the new features which are bundled with those versions of Office.

The Click-to-Run version of Office, i.e. Microsoft 365 Apps, is completely different. Microsoft 365 Apps and its predecessor Office 365 Pro Plus are subscription versions of Office, which means that you pay for it monthly. Since its installer method is so dramatically different, it’s able to continually update from an online or administrator-provided source. While there are “version numbers” aligned with release years, the new version of Office stays the same. It identifies as Microsoft 365 Apps, which is visible in the Product Information section similar to the below image.

Microsoft 365 Product Information

This means that Office 2019 is “locked” in terms of available features while Microsoft 365 Apps updates regularly, and new features appear.

What is the Support Lifecycle for Office 2019?

Office 2019 is the current on-premises version of Office. You may be wondering what operating systems are supported, since Microsoft over the years has been relatively generous by supporting a range of versions of Windows. The Office 2019 Home & Student as well as Office 2019 Home & Business editions very specifically require Windows 10 if you wish to run them on a PC. If you’re looking for macOS support, you’ll find it, since macOS is explicitly supported, however only on the two most recent versions of macOS.

Furthermore, Windows 10 support is restricted to any supported Windows 10 Semi-Annual Channel or Windows 10 Enterprise Long-Term Servicing Channel (LTSC).

If you require virtual desktop support to serve your users via Remote Desktop Services, then you require a Windows Server operating system. In this case, only Windows Server 2019 is explicitly supported.

The support lifecycles for the Windows and Mac versions are slightly different. Both Windows and Mac editions start on the 24th of September 2018 as illustrated below; however, note that Windows support ends on the 14th of October 2025, while Mac support ends two years beforehand in 2023.

Support lifecycle for Office 2019

What is the Support Lifecycle for Microsoft 365 Apps?

Remember that Microsoft 365 Apps is the Office 365 edition of Office and is the cloud-enabled version of Office. The support statement for this version of Office is completely different to the on-premises version of Office, i.e. Office 2019. Microsoft defines the support statement for Microsoft 365 Apps in a document called a Modern Lifecycle Policy, which basically requires customers to stay up to date all the time in order to be supported. However, in this case, Windows support extends all the way back to Windows 7 ending in January 2020, while Windows Server support extends to Windows Server 2008 R2, also ending in January 2020.

We can see that the different versions of Office Pro Plus including 2010, 2013, 2016, 2019 and the newly branded Microsoft 365 Apps are all explicitly called out and have a much wider-ranging support position than the on-premises version of Office 2019.

lifecycle for Microsoft 365 Apps

Are Microsoft Office and Office 365 (Microsoft 365 Apps) the same?

Assuming that we would only want to license Office with no other bundling, we notice that licensing and costs are different between the perpetual version, Office 2019, and the online version Microsoft.

Remember that Office 2019 is licensed perpetually, i.e. we purchase it at a single point in time and own it from that point onwards. An online purchase of Office will cost us a one-time amount of $249.99 US.

Microsoft Office Home and Business 2019 pricing

Let’s browse to Microsoft.com > Office > Buy now, and note the two options, for Home and For business. Notice that in this yearly model we get a ton of value from a yearly subscription, and much less value from a one-time purchase. The subscription models automatically bundle both OneDrive storage as well as Skype calling credit.

Microsoft 365 Product Comparison

Moving onto the For business tab shows a radically different value proposition based on pure subscription options only. Note that it’s very difficult to compare the value gained from the subscription options to the one time purchase of Office 2019 since so many of the bundles implicitly include cloud services that are integrated into the Office proposition.

How Much Does Office 2019 Cost?

The cost of Office 2019 then is pretty simple to predict: either $249.99 for Home and Business as a once-off purchase, or $149.99 for the Office Home & Student edition. Note that both of these are perpetual licenses that may be installed on a single Windows PC or Apple Mac. You’ll also notice that no cloud services are bundled with Office 2019, as illustrated in the screenshot below.

Office 2019 Cost

It’s easy to notice the stark contrast of what is and is not included in the bundle and how often you’re able to install it compared to the generous installation options presented by Microsoft 365 Apps.

Microsoft 365 Apps

Lastly, Microsoft is very explicit about the differences between Microsoft 365 and Office 2019. It’s worth calling out the bundled cloud and support options for Microsoft 365, and the reminder that Office 2019 cannot be upgraded to the next major release.

Difference Between Microsoft 365 and Office 2019

Which Version of Office is Better?

Due to the installation methods, it’s easy to think of the MSI versions of Office as the on-premises version of Office and the Click-to-Run version of Office as the online version of Office. However, beyond installation methods, the online version of Office is able to perform functions using Microsoft AI and other technologies which the MSI version of Office simply isn’t enabled to do. This is by design, as customers who are using on-premises versions of Microsoft Exchange 2019 and Microsoft SharePoint 2019 would use Microsoft Office 2019, i.e. the MSI version. Those customers are primarily concerned with stability as opposed to features and often don’t allow many online services to be consumed due to security or regulatory restrictions.

Microsoft 365 Apps, or the Click-to-Run version of Office, bundles other applications like Microsoft Teams, Stream, and Planner as part of its bundle. These applications, along with the core set of Office applications such as Word, Excel and PowerPoint, have features which are literally enabled by Microsoft cloud services as well as Microsoft AI services and do not function without connectivity. Some Office applications such as Stream do not install anything on your users’ machines, while other applications like Microsoft To-Do offer an application but do not store data on your users’ machines.

Does Office 365 Automatically include Microsoft 365 Apps?

Office 365 is available in several editions, including Home, SMB, Enterprise, Government and Education. Each of these editions is broken up into further SKUs. For now, I’ll discuss Enterprise, Education and Government.

Office 365 for SMB

  • Microsoft 365 Business Basic
  • Microsoft 365 Business Standard – Included

Office 365 for Enterprise

  • Office 365 E1
  • Office 365 E3 – Included
  • Office 365 E5 – Included

Office 365 for Education

  • Office 365 A1
  • Office 365 A3 – Included
  • Office 365 A5 – Included

Office 365 for Government

  • Office 365 G1
  • Office 365 G3 – Included
  • Office 365 G5 – Included

The E1, A1 and G1 SKUs offer online-only versions of Microsoft 365 Apps; however, all other versions include the downloadable version of Microsoft 365 Apps. The licensing of these apps is very different compared to the on-premises versions of Office, as it allows Office desktop apps (Word, Excel, PowerPoint, OneNote, Access) to be installed on up to 5 PCs or Macs, as well as 5 tablets, as well as 5 smartphones per user. Note that the licensing is linked to the user so that each user is able to install Office applications on multiple devices linked to that user’s licensing.

How do I Choose Between Office 2019 and Microsoft 365 Apps?

It’s fair to say that Office 2019 and Microsoft 365 Apps (previously Office 365 Pro Plus) are both versions of Office, however, we need to remember the distinction between the two.

Office 2019

Office 2019 is the on-premises version of Office with a very defined support model, which will end as documented earlier in this article. The features of Office 2019 are set – you get what’s in the package and nothing else. The upside is that you pay for it once and you own it; however, if a new version of Office releases you need to pay for the new version. Also note that Office 365 platform features like Microsoft Teams calling are not included and require you to change the edition of Office to take advantage of them, depending on how your Office 365 is licensed or purchased.

Microsoft 365 Apps

Microsoft 365 Apps (previously Office Pro Plus) is the cloud-enabled version of Office. This edition has no end to its support date as long as you’re on a supported version of Windows 10 or macOS. The feature-set and application list are impressive compared to the on-premises version, as many online-enabled applications like Teams, Stream, Forms, as well as cloud-enabled features like AI proposing PowerPoint slide layouts, or automatic language translation during presentations are added as the Office 365 platform matures. The Office 365 roadmap documents what features are in development and when they are expected to be released so that customers are able to stay informed on what they can expect and when.

The cost of Microsoft 365 Apps ranges from a standalone monthly cost for the applications themselves to being part of a larger bundle for business, enterprise, education or government. For most businesses, these will simply be bundled in as part of the cost of the overall productivity solution.

How do I Choose?

If you are staying on-premises for a few more years and looking for a predictable one-off CapEx cost (pay once) for Office, or are not invested in the Microsoft online ecosystem, then Office 2019 as a standalone purchase may make sense for you. However, if you are looking for a current feature set within Office that is constantly updated and enabled by cloud services, then an OpEx cost (pay monthly or yearly) for Microsoft 365 Apps may make complete sense.

R.I.P. Office 365, Long Live Microsoft 365 https://www.altaro.com/microsoft-365/office-365-death/ https://www.altaro.com/microsoft-365/office-365-death/#respond Mon, 24 Jan 2022 16:55:13 +0000 https://www.altaro.com/hyper-v/?p=18580 Microsoft has finally pulled the plug on the Office brand (kinda) - but what does this mean for its current users?


Microsoft just made sweeping changes to the Office 365 ecosystem, both for personal subscriptions (Office 365 Personal and Home) and Office 365 for Business, sunsetting the Office 365 brand and replacing it with Microsoft 365. This was put in place as of April 21, 2020.

This article will look at what these changes mean, explore the differences between Office 365, Microsoft 365 and Office 2019 and the subscription model underlying these offerings as well as make some predictions for the enterprise services that are still under the Office 365 name.

Office 365 Home and Personal

Let’s start with the home and family subscriptions. Over 500 million people use the free, web-based versions of Word, Excel etc. along with Skype and OneDrive to collaborate and connect. Then there are 38 million people who have subscribed to Office 365 Home or Office 365 Personal. Both provide the desktop Office suite (Word, Excel etc.) for Windows and Mac, along with matching applications for iOS and Android and 1 TB of OneDrive space. These two plans are changing name to Microsoft 365 Personal ($6.99 per month) and Microsoft 365 Family ($9.99 per month) respectively. Personal is for a single user whereas Family works with up to six people (and yes, they each get 1 TB of OneDrive storage for a maximum of 6TB). Otherwise, they’re identical and provide advanced spelling, grammar and style assistance in Microsoft Editor (see below), AI-powered suggestions for design in PowerPoint, coaching when you rehearse a PowerPoint presentation and the new Money in Excel (see below). Each user also gets 50 GB of email storage in Outlook, the ability to add a custom email domain and 60 minutes worth of Skype calls to mobiles and landlines.

Office 365 Microsoft 365 Plan Choices

Picking a plan for home use is easy

Microsoft Editor is Microsoft’s answer to Grammarly and is available in Word on the web, and the desktop Word version, along with Outlook.com as well as an Edge or Chrome extension. It supports more than 20 languages and uses AI to help you with the spelling, grammar, and style of your writing. The basic version is available to anyone, but the advanced features are unlocked with a Personal or Family subscription. These include suggestions for how to write something more clearly (just highlight your original sentence), plagiarism checking and the ability to easily insert citations and suggestions for improving conciseness and inclusiveness.

Settings for the Microsoft Editor browser extension


Money in Excel connects Excel to your bank and credit card accounts so you can import balances and transactions automatically and provides personalized insights on your spending habits. Money isn’t available yet and will be US only in the first phase when it rolls out over the next couple of months.

Outlook on the web will let you add personal calendars, not only marrying your work and home life but also providing clarity for others seeking to find appointment times with you – of course, they won’t see what’s penned in your calendars, only when you’re not available. Play My Emails is coming to Android (already available on iOS), letting Cortana read your emails to you while you’re on the go. The Teams mobile app is being beefed up for use in your personal life as well. Finally, Microsoft Family Safety is coming to Android and iOS devices, helping parents protect their children when they explore and play games on their devices.

You’ll have noticed that nearly all of these new features and services are on the horizon but not here yet. If you’re already an Office 365 Home or Personal subscriber, your subscription just changed its name to Microsoft 365 Family or Personal, and until these new goodies are available nothing else has changed, including the price of your subscription. Note that none of these changes apply to the perpetually licensed Office 2019, which is the Word, Excel etc. that you can purchase (not subscribe to), and that Office 2019 doesn’t provide any cloud-powered, AI-based features, nor does it get the monthly feature updates that its Office 365 based cousin enjoys.

Microsoft 365 Business Basic, Apps, Standard and Premium

Of more interest to readers of Altaro’s blogs are probably the changes to the Office 365 SMB plans (that top out at 300 users). For a more in-depth look at Office & Microsoft 365, here’s a free eBook from Altaro. As a quick summary, Microsoft 365 Business Basic (formerly known as Office 365 Business Essentials, at $5 per user per month) gives each user an Exchange mailbox, Teams and SharePoint access, the web browser versions of Word, Excel etc. and 1TB of OneDrive storage.

Microsoft 365 Apps for Business (old name Office 365 Business, $8.25 per user per month) provides the desktop version of Office for Windows, Mac, Android, and iOS devices and 1TB of OneDrive storage.

Microsoft 365 Business Standard (prior name Office 365 Business Premium, which is a name change that won’t confuse anyone; it weighs in at $12.50 per user per month) gives you both the desktop and web versions of Office.

Finally, Microsoft 365 Business Premium (formerly known as Microsoft 365 Business, again not confusing at all, at $20 per user per month) gives you everything in Standard, plus Office 365 Advanced Threat Protection, Intune based Mobile Device Management (MDM) features, Online Archiving in Exchange and much more.

Microsoft 365 Management Portal


In a separate announcement, Microsoft is bringing the full power of AAD Premium P1 for free to Microsoft 365 Business Premium. This will give SMBs cost-effective access to Cloud App Discovery, which provides insight and protection for users in the modern world of cloud services, including discovering which applications your staff are using. It’ll also bring Application Proxy, to publish on-premises applications to remote workers easily and securely; dynamic groups, which make it easier to make sure staff are in the right groups for their role; and password-less authentication using Windows Hello for Business, FIDO 2 security keys and Microsoft’s free authenticator app.

Note that none of the Enterprise flavors of Office 365, E1, E3 and E5, F1 for first-line workers, the A1, A3 and A5 for education, nor the G1, G3 and G5 varieties for government organizations are changing at this time. My prediction is that this will change and before long, all of these will be moved to the unifying Microsoft brand.

Philosophically there are a few things going on here. As a consultant who both sells and supports Office / Microsoft 365 to businesses, as well as a trainer who teaches people about the services, there’s always been a pretty clear line between the two. Office 365 gives you the Office applications, email and document storage. If you wanted mobile device management (Intune), advanced security features (Azure Active Directory, AAD), Windows 10 Enterprise and Information Protection you went for Microsoft 365. These features are all available under the moniker Enterprise Mobility + Security (EMS) so essentially Microsoft 365 was Office 365 + EMS.

Adding Microsoft 365 Licenses


This line is now being blurred for the small business plans which can make it even more difficult to make sure that small and medium businesses pick the right plans for their needs. Remember though that you can mix and match the different flavors in business, just because some users need Microsoft 365 Business Premium doesn’t mean that other roles in your business can’t work well with just Microsoft 365 Business Basic.

And this isn’t a surprise move, even Office 365 administrators have been using the Microsoft 365 management portal for quite some time, here’s a screenshot of the old, retired Office 365 portal.

Office 365 Admin Center


More broadly though I think the brand changes are signalling that Office 365 is “growing up” and using the same name across the home user stack as well as the SMB stack (with the Enterprise SKUs to follow) provides a more homogenous offering.

Just as with the name changes to the personal plans there’s nothing for IT administrators to do at this stage, the plans will seamlessly change names but all functionality remains the same (including the lack of long term Office 365 backup, something that Altaro has a remedy for).

How to Use Microsoft Bookings to Streamline Admin Operations https://www.altaro.com/microsoft-365/microsoft-bookings/ https://www.altaro.com/microsoft-365/microsoft-bookings/#respond Thu, 28 Oct 2021 05:52:07 +0000 https://www.altaro.com/hyper-v/?p=23565 This article explains how Microsoft Office 365 Bookings can help you with meeting scheduling and customer contact.


If you work as a consultant, engineer or have another role that requires a lot of customer contact and scheduling of meetings you know the struggle of managing it all.

    • You spend a lot of time finding slots in your calendar to send time options to your customers.
    • Then you spend more time managing blocked out times or chasing clients to accept one of them.
    • Then you spend even more time on emails with “can we change the blocked time or can you invite more people”.
    • Rinse and repeat, giving you very little time for actual work.

If this sounds familiar, read on. This article will explain how Microsoft Bookings addresses all these concerns and more.

As part of my job, I needed to arrange calls with customers and I ended up spending up to 90 minutes per day just managing appointments. In addition to my always busy schedule, that was very inefficient. 

Thanks to a Microsoft Partner, I learned about the new Microsoft Office 365 Bookings and I thought, can’t I use Bookings to help me out with that? I decided to give it a try but I asked myself some questions first as I didn’t want to lose control of my calendar. Let’s look at those questions first.

    1. What are the meeting scenarios I need to cover?

        • Regular customer calls, where I speak with customers on project topics with no urgency and where customers can wait for one to two weeks for a call.
        • Emergency customer calls, where they’re blocked and need to talk to me to proceed forward with their project.
        • Special scoped sessions with a clear guideline, which can be delivered by myself or my team.
        • Microsoft Internal Calls with peers.
        • For these different types of calls, I prefer different days and timeslots. For example, I don’t like regular customer calls on Friday because they involve a lot of process work afterwards. I prefer Friday for emergencies or Microsoft Internal Calls.

    2. How much time for learning and free time do I need to keep?

        • My schedule during the day is pretty tight with family responsibilities, customer and Microsoft calls, as well as other types of meetings. Learning and work/life balance is important at Microsoft, I need to take some time out of my busy schedule to spend time on learning and recharging. To be honest, I like to spend my Thursday and Friday afternoons on those topics.

    3. When do I want to have different types of meetings and personal time?

        • Because of family commitments, I can only have calls between 9.30 am and 3 pm. Outside of those times I have to bring or pick up kids from Kindergarten or cannot have a meeting for other reasons. Then there are days where I want to avoid intense customer calls, like on Friday where I’m pretty much exhausted from the week. On Friday I prefer to learn new things, write blogs, sit a Microsoft exam or do internal Microsoft calls.

After this process, I went through the Bookings structure and checked if it can fulfil these requirements. The answer was YES, it can. Let me show you how I managed it.

How did I solve my meeting scenarios?

To cover my different meeting Scenarios, I created four different Booking Calendars, one for each scenario. So, I ended up with the following structure:

    • Regular Customer Meetings
    • Emergency Customer Meetings
    • Microsoft Internal
    • Special Scoped Sessions

That gave me the opportunity to individualize the Time Slots, Staff and Sessions I want to offer. To create Bookings calendars, simply follow the guide here: Get Access to Microsoft Bookings | Microsoft Docs

How I created the meeting times for every scenario and prevented meetings from booking into the wrong timeslots

For the next step, I needed to create the timeslots where I allow the different bookings. I had two options.

Organizational Setup: With the organizational Setup, you configure the meeting hours as business hours as shown in the screenshot below.

Configuring Business hours in Bookings


Personal Setup: Here you set the configuration per Staff Member. That’s the configuration I prefer for my bookings. With personal bookings, there is one very important setting: you need to check the option “Events on Office calendar affect availability”. That setting will prevent Bookings from booking into slots where manual appointments were created, so you will still be able to block time for private appointments or manually created meetings.

Defining staff settings in Bookings


I made such a personal configuration for my scenarios like in the screenshot below.

Define availability for a staff member


Those settings are enough to make this solution work but I wanted to add some more improvements to make it even better.

Optional: Allow only coworkers to request a call and block search engines from discovering your calendar

There are two options I wanted to enable. First, I do not want the calendars to be searchable via search engines. No one should be able to find the links if I’m not sending them. The second option I wanted to enable was to ensure that Bookings for the Microsoft Internal and the Special Scoped Session calendar could only be made by other Microsoft peers and not by external customers.

To configure these options, you need to change the default Booking Page options for Booking Page Access Control.

To ensure that only coworkers can book a session, you need to enable Require a Microsoft 365 or Office 365 account from my organization to book. To disable the direct search, you need to enable the Disable direct search engine indexing of the booking page option.

That’s basically all you need to do.

Optional: Add topics to your calls and set time limits for a call

To make it a bit easier to identify topics for a call, I pre-created a few I normally talk about with my customers and coworkers. That helps me to prepare and organize myself. To do so, just create a list of services.

Define topics - services for meetings


I also predefined some options for the session like:

    • Length.
    • Online meeting which means it will automatically send a Teams invite to the person booking the meeting.
    • In the future, I will add some buffer times too and maybe add some more notes and custom fields.
    • If you scroll down, you can set reminders to be sent to the attendees, which is pretty nice.

If you now book a session, it looks like in the screenshot below.

Bookings interface for the person booking a meeting


I personally really like this structured approach as it helps me stay organized.

Optional: Create a landing page

I ended up with one issue: every Booking Calendar has its own link. That means for my calendar structure I now have four links, but I don’t want to send single links or several links to a customer. That is why I came up with the idea to create a landing page for Bookings.

I wanted to keep it as simple as possible and as cost-effective as possible. I decided to take two simple static HTML pages hosted on Azure Blob storage, one for Customers and one for Microsoft internal bookings.

To create the static pages, I used the following tutorial. Tutorial: Host a static website on Blob Storage.

Afterwards, I used a link shortener to add a bit of statistics and monitoring and to make the link look a bit nicer. You can use a shortener like bitly or you can also create a CNAME in your own DNS Domain.

In the end, this solution works very well for me.

Conclusion

As you may have noticed, I focused more on the why and not on the how in this article. If you want to learn more about how to set up Bookings, I would suggest you read the documentation below.

Microsoft Bookings | Microsoft Docs

Maybe you’ll find your own way to use it to add value to your daily business or event calendar coordination.

If you have any questions or other ideas on how to use it, please leave a comment.

The Most Powerful Uses of PowerShell in M365 https://www.altaro.com/microsoft-365/powershell-for-m365/ https://www.altaro.com/microsoft-365/powershell-for-m365/#respond Thu, 28 Oct 2021 04:38:20 +0000 https://www.altaro.com/hyper-v/?p=23532 A PowerShell for M365 Deep Dive. Covers connecting and managing M365 services such as Azure AD, Exchange Online, SharePoint Online, & Teams


Modern IT departments have to move quickly with operations, provisioning, and configuration tasks. As organizations move to cloud Software-as-a-Service (SaaS) environments, like Microsoft 365 (M365), they are looking at ways to automate these tasks for efficiency, expediency, and consistency.

PowerShell for Microsoft 365 is an excellent way for organizations to automate and streamline daily tasks in the Microsoft 365 SaaS environment. Let’s show you how, but first let’s cover some basics.

Office 365 or Microsoft 365?

You may quickly note that many references to the PowerShell modules refer to Office 365 PowerShell commands. Microsoft is still using both terms in various locations, with Microsoft 365 being the newest branding of Microsoft’s Software-as-a-Service (SaaS) platform. However, for most purposes, using Office 365 PowerShell commands is synonymous with PowerShell for Microsoft 365. Therefore, throughout this post, we will use the terms interchangeably.

Why use PowerShell for Microsoft 365?

Most Microsoft 365 or Office 365 administrators and helpdesk staff become proficient in using the Microsoft 365 admin center for managing and administering their Microsoft 365 environment. Utilizing the M365 admin center, you can take care of daily tasks that need to be accomplished. These tasks may include creating new M365 user accounts, troubleshooting passwords, managing licensing for users, and other user-specific administration.

It may also include administering services such as Exchange Online, Teams, SharePoint Online, and other Microsoft Office 365 solutions found in the Microsoft 365 cloud SaaS solution. While you can manage your Microsoft 365 effectively using the Microsoft 365 admin center, it may not be the most efficient way to administer, especially when it comes to managing your Microsoft 365 environment at scale.

Many administrators and junior administrators are familiar with GUI dashboards and “point and click” management interfaces. It is a great way to “get to know” a system and understand the management fundamentals. However, as you begin managing organizations at scale with hundreds or even thousands of users, the GUI-driven approach becomes very labor-intensive, slow, and inconsistent.

Organizations today are shifting to automated DevOps processes across the board, from provisioning workstations, cloud resources, and even cloud SaaS environment management. The heart of DevOps automation is scripting languages. There are many automation frameworks and scripting languages that businesses today can choose from for automation. However, PowerShell stands out as a frontrunner in many areas.

PowerShell has been around for quite some time, and many organizations have been heavily using PowerShell automation for years now in on-premises environments. In addition, PowerShell is a relatively straightforward scripting language to learn as it is very human-readable and consists of an intuitive verb-noun pairing for cmdlets used for scripting tasks.

Starting with PowerShell 2.0 integrated into Windows 7 and Windows Server 2008 R2, PowerShell has been integrated with each subsequent Windows release. In the newest releases of Windows 10, PowerShell is now the default command-line environment. So, it is a highly mature platform that most administrators are very familiar with at this point. Additionally, there are many PowerShell learning and other community-supported resources available.

Windows PowerShell environment in Windows 10

One of the things that makes PowerShell robust is its modularized framework. You don’t have to wait for a new version of PowerShell to be compiled and released to include the capabilities you need. Instead, the PowerShell scripting environment allows the installation of modules. Modules are self-contained packages you install in PowerShell. These include the cmdlets, providers, functions, workflows, variables, and aliases for connecting to various technologies.

For example, many PowerShell modules provide the ability to interact with Microsoft and other technologies, such as Hyper-V. After installing the Hyper-V PowerShell module, you can configure, manage, and interact with Hyper-V installations.

PowerShell for Microsoft 365 or Office 365 PowerShell is not a separate PowerShell environment or tool. Instead, it is a set of specialized modules for Windows PowerShell that easily connects to your Microsoft 365 subscription and quickly runs commands from a management workstation located anywhere. The workstation only needs access to the Microsoft 365 environment and the PowerShell for Microsoft 365 modules installed and loaded.

Being the creator and curator of PowerShell, Microsoft has ensured PowerShell has robust and seamless functionality integrated with their cloud Software-as-a-Service (SaaS) environment, Microsoft 365. Long story short, it works very well with Microsoft 365 and provides many powerful automation capabilities.

There are some things you can only do with PowerShell for M365

Microsoft is quick to mention that PowerShell for Microsoft 365 does not replace the admin center, the default management tool for Microsoft 365. Instead, in most cases, PowerShell for Microsoft 365 is a complementary administrative tool used to perform bulk operations, run consistent processes, and efficiently view/export information.

However, there is a critical reason admins need to use PowerShell for Microsoft 365. Admins can only perform some configuration tasks using PowerShell for Microsoft 365. What are some of these unique capabilities of PowerShell for Microsoft 365?

    • PowerShell for Microsoft 365 can reveal information that you can’t see with the Microsoft 365 admin center
      • PowerShell allows seeing low-level configurations and other data that you can’t see using the admin center
      • Microsoft provides the example of Microsoft 365 licensing (and the Microsoft 365 features available to a user) depending on the user’s geographic location. With PowerShell for Microsoft 365, you can display this information for all of your users by using the command: Get-AzureADUser | Select DisplayName, UsageLocation
    • It has features that you can only configure with PowerShell for Microsoft 365
      • As with many technologies, the deeper-level configurations are only exposed using the command-line
      • As an example, in Skype for Business Online you can control whether the following are allowed with PowerShell for Microsoft 365, but not from the admin center:
        • Anonymous users to gain automatic entrance to each meeting
        • Attendees to record the meeting
        • All users from your organization to be designated as presenters when they join the meeting
      • The following command turns all three off: Set-CsMeetingConfiguration -AdmitAnonymousUsersByDefault $False -AllowConferenceRecording $False -DesignateAsPresenter "None"

There are a couple of other strengths of PowerShell for Microsoft 365 that we have touched on but not detailed. What are these?

    • PowerShell for Microsoft 365 is an excellent tool for bulk operations
    • It allows easy data filtering

PowerShell for Microsoft 365 is an excellent tool for bulk operations

We touched on this earlier. However, PowerShell is great for bulk and automated operations. For example, when you have one task that needs to be performed on a Microsoft 365 object or service, logging into the admin center and completing the task manually through the GUI works well. A case in point would be changing the password for a single user in Microsoft 365.

However, what if hundreds or thousands of users need to have an attribute updated on their account? It might take hours, if not days, to go through the accounts manually and set the attribute. These types of tasks are well-suited for PowerShell for Microsoft 365 and may only take minutes to complete with a PowerShell script.

Additionally, once a PowerShell script is written, it can be reused repeatedly for the same types of processes in the future, saving even more time and administrative effort. Bulk operations may also involve many separate processes and tasks that need to be performed in a certain order or in a certain way. PowerShell allows capturing these processes in code to be repeated exactly the same way in the future.

Using PowerShell scripting in Microsoft 365 and Office 365 workflows facilitates a DevOps operational model. Code can be versioned, and changes documented as these are checked into the version control system. All the DevOps advantages come into play in this model, such as peer code reviews, change control, and other necessary requirements.
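The bulk attribute update described above, as an added example that is not from the original article: it sets UsageLocation for the users listed in a CSV file, validates each row, supports -WhatIf as a dry run, and records every decision in an audit log. The function name, file names and CSV columns are hypothetical, the sample rows are constructed, and an existing Connect-AzureAD session is assumed.

```powershell
#Requires -Modules AzureAD
# Added example, not the article's code. Assumes Connect-AzureAD has already been run.
# Function name, file names and CSV column names are hypothetical.

function Set-BulkUsageLocation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$LogPath = '.\usage-location-changes.csv'
    )

    $results = foreach ($row in Import-Csv -Path $CsvPath) {
        # Normalise input before it reaches the directory.
        $upn    = "$($row.UserPrincipalName)".Trim()
        $loc    = "$($row.UsageLocation)".Trim().ToUpperInvariant()
        $old    = $null
        $status = 'Skipped'

        # Reject rows that are not a plausible UPN or a two-letter country code.
        if ($upn -notmatch '^[^@\s]+@[^@\s]+$' -or $loc -notmatch '^[A-Z]{2}$') {
            $status = 'InvalidInput'
        }
        else {
            try {
                $user = Get-AzureADUser -ObjectId $upn -ErrorAction Stop
                $old  = $user.UsageLocation

                if ($old -eq $loc) {
                    $status = 'Unchanged'
                }
                elseif ($PSCmdlet.ShouldProcess($upn, "Set UsageLocation '$old' -> '$loc'")) {
                    Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation $loc -ErrorAction Stop
                    $status = 'Updated'
                }
                else {
                    # -WhatIf was given, or the operator answered "No" to -Confirm.
                    $status = 'NotApplied'
                }
            }
            catch {
                $status = "Error: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Time              = (Get-Date -Format o)
            UserPrincipalName = $upn
            OldValue          = $old
            NewValue          = $loc
            Status            = $status
        }
    }

    # -WhatIf:$false so the audit log is written even during a dry run;
    # otherwise Export-Csv would inherit -WhatIf from this function and write nothing.
    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append -WhatIf:$false
    $results
}

# Constructed sample input: two plausible rows and one that fails validation.
@'
UserPrincipalName,UsageLocation
alice@contoso.example,US
bob@contoso.example,de
not-a-upn,USA
'@ | Set-Content -Path .\users.csv

# Dry run first; review the output and the log, then run again without -WhatIf.
Set-BulkUsageLocation -CsvPath .\users.csv -WhatIf | Format-Table -AutoSize
```

Keeping the script and its input file in version control gives the peer review and change record that the DevOps model above relies on.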

Data filtering with PowerShell with Microsoft 365

GUI management tools are usually not the best at filtering data. Filtering means you are searching on a subset of data based on the criteria specified. If the GUI tool is not explicitly written to display the data how you want to see it, you are out of luck. However, this is where the robust power of PowerShell for Microsoft 365 comes into play. With the filtering capabilities of PowerShell for Microsoft 365, IT admins can pull various data from the Microsoft 365 environment as they need to see it.

For example, note the following PowerShell for Microsoft 365 script that pulls Exchange Online users living in specific cities.

    • Get-User | Where {$_.RecipientTypeDetails -eq "UserMailbox" -and ($_.City -eq "New York" -or $_.City -eq "San Francisco")} | Select DisplayName, City

This one snippet of PowerShell code shows PowerShell’s robust capabilities when filtering objects for management and reporting purposes. It works hand-in-hand with the point described earlier – it allows revealing things not shown or that can’t be changed in the admin center.

It bolsters data filtering in the same way since you have access to all the object’s attributes exposed via PowerShell, whereas these may not be visible in the admin center GUI.

How to connect to PowerShell for Microsoft 365

Now that we have explored the benefits and reasons for using PowerShell for Microsoft 365, let’s get down to how we use it. To begin using PowerShell for Microsoft 365, you have to do two things:

    • Install the required PowerShell for Microsoft 365 modules – these provide the cmdlets, providers, functions, etc. needed to communicate with the cloud SaaS technologies
    • Connect your PowerShell installation to Microsoft 365 – After installing the modules, you need to connect to the cloud SaaS environment and authenticate accordingly.

Install the required PowerShell for Microsoft 365 modules

As mentioned earlier, PowerShell for Microsoft 365 is a collection of PowerShell modules that allow interacting with the various cloud services found in Microsoft 365. For this, you need to install the required modules. First, let’s look at installing the following primary modules that allow administering and managing your Microsoft 365 environment.

The primary modules required for interacting with the core Microsoft 365 services include:

    • Exchange Online
    • SharePoint Online
    • Skype for Business Online
    • Teams

***Note*** there are other services and features in Microsoft Office 365. However, these are the core solutions used by most businesses today.

AzureAD PowerShell module

To install the AzureAD PowerShell module, run the following cmdlet:

    • Install-Module -Name AzureAD

Installing the AzureAD PowerShell module

Accept the warning message displayed regarding the untrusted repository. You can check out a detailed AzureAD PowerShell module cmdlet reference here: AzureAD Module | Microsoft Docs.

Installing Exchange Online PowerShell Module

To install the Exchange Online PowerShell module, run the following cmdlet:

    • Install-Module -Name ExchangeOnlineManagement

Installing the ExchangeOnlineManagement PowerShell module

Accept the warning message displayed regarding the untrusted repository. For a detailed Exchange Online Management PowerShell reference, look at Microsoft’s Exchange Online PowerShell documentation here: Exchange Online PowerShell | Microsoft Docs.

Installing SharePoint Online PowerShell Module

To install the SharePoint Online PowerShell module, run the following cmdlet:

    • Install-Module Microsoft.Online.SharePoint.PowerShell

Installing the SharePoint Online PowerShell module

Accept the warning message displayed regarding the untrusted repository. You can find detailed information on the SharePointOnlinePowerShell documentation here: SharePointOnlinePowerShell Module | Microsoft Docs.

Installing Skype for Business and Teams PowerShell Module

The Skype for Business and Teams PowerShell module is a single module installed using:

    • Install-Module -Name MicrosoftTeams

Installing the Microsoft Teams PowerShell module

Again, accept the warning message displayed regarding the untrusted repository. Note the detailed Teams PowerShell cmdlet reference here: office-docs-powershell/teams/teams-ps/teams at master · MicrosoftDocs/office-docs-powershell · GitHub.
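Before accepting the untrusted-repository prompt for the four modules above, you can download each one to a staging folder and inspect its gallery metadata and Authenticode signatures. This is an added example, not part of the original article; the staging folder name is an assumption.

```powershell
# Added example: review gallery modules before installing them.
# The module names come from the article; the staging path is an assumption.
$modules = 'AzureAD', 'ExchangeOnlineManagement',
           'Microsoft.Online.SharePoint.PowerShell', 'MicrosoftTeams'
$staging = Join-Path $env:TEMP 'm365-module-review'
New-Item -ItemType Directory -Path $staging -Force | Out-Null

$report = foreach ($name in $modules) {
    # Metadata as published in the PowerShell Gallery
    $found = Find-Module -Name $name -Repository PSGallery

    # Download without installing, so nothing lands on the module path yet
    Save-Module -Name $name -Repository PSGallery -Path $staging -RequiredVersion $found.Version

    # Check the Authenticode signature of every script and binary in the package
    $sigs = Get-ChildItem -Path (Join-Path $staging $name) -Recurse -File -Include *.psd1, *.psm1, *.ps1, *.dll |
        Get-AuthenticodeSignature

    [pscustomobject]@{
        Module   = $name
        Version  = $found.Version
        Author   = $found.Author
        Files    = @($sigs).Count
        NotValid = @($sigs | Where-Object Status -ne 'Valid').Count
        Signers  = ($sigs.SignerCertificate.Subject | Where-Object { $_ } | Sort-Object -Unique) -join '; '
    }
}
$report | Format-List

# Install only the modules in which every inspected file has a valid signature;
# anything else stays in the staging folder for manual review.
$report | Where-Object NotValid -eq 0 | ForEach-Object {
    Install-Module -Name $_.Module -RequiredVersion $_.Version -Scope CurrentUser
}
```

A module that bundles unsigned third-party libraries will show a non-zero NotValid count and is skipped by the last step, so review the Signers and file list before deciding whether to install it by hand.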

Connect your PowerShell installation to Microsoft 365

Once you have installed the AzureAD PowerShell module, you need to import it into your PowerShell environment and then connect your PowerShell session to Microsoft 365 using your Microsoft 365 account.

Use the following commands to import the module and begin connecting to your Microsoft 365 environment. The cmdlets include:

    • Import-Module AzureAD
    • Connect-AzureAD

Import the AzureAD PowerShell module

Once you import the Azure AD module and connect to your AzureAD environment, you will be prompted to enter your Microsoft 365 credentials in the popup box displayed afterward.

Enter your Microsoft 365 credentials

After successfully logging in, you should be taken back to your PowerShell prompt displaying the connected Azure AD environment.

Successfully connected to the Azure AD environment

A note about Windows PowerShell vs. PowerShell Core

If you are not aware, Microsoft has produced and currently supports two PowerShell versions – Windows PowerShell and PowerShell Core. Windows PowerShell is the version of PowerShell that has been around for years now and is embedded in the Windows operating system.

PowerShell Core is the new version of PowerShell based on .NET Core and is a standalone PowerShell install that is installed using an installation package. Even Windows 11 or Windows Server 2022 do not have PowerShell Core installed by default.

It is worth noting the difference, because using the wrong modules for your PowerShell environment can lead to unnecessary troubleshooting when connecting to Microsoft 365. As an example, the AzureAD module is not supported in PowerShell Core. Instead, the Az module is the supported module for interacting with your Azure AD environment in PowerShell Core.

Below is the PowerShell one-liner to install the Az module in PowerShell Core. As you can see, it is different from using the Windows PowerShell install-module process.

Installing the Az Module in PowerShell Core

It is essential to keep the different PowerShell environments in mind when installing modules and working with PowerShell for Microsoft 365.

Connecting multiple PowerShell for Microsoft 365 services in a single window

As mentioned earlier, many organizations will be managing and administering multiple services with Microsoft 365, including:

    • Azure Active Directory (Azure AD)
    • Exchange Online
    • SharePoint Online
    • Skype for Business Online
    • Teams

How can you manage all services in one PowerShell session, instead of launching multiple windows connected to the various services? You can use the following example code block as a template for connecting to the various services across Microsoft 365 in a single session. The comment lines mark the different services.

    # Tenant name only (the part before .onmicrosoft.com); it is used to build the SharePoint admin URL
    $orgName = "mybusiness"
    $acctName = "admin@mybusiness.onmicrosoft.com"
    $credential = Get-Credential -UserName $acctName -Message "Type the account's password."

    # Azure Active Directory
    Connect-AzureAD -Credential $credential

    # SharePoint Online
    Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
    Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $credential

    # Exchange Online
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -ShowProgress $true

    # Security & Compliance Center
    Connect-IPPSSession -UserPrincipalName $acctName

    # Teams and Skype for Business Online
    Import-Module MicrosoftTeams
    Connect-MicrosoftTeams -Credential $credential

As you can see, using the example code block above, you can store your credentials securely in the $credential variable, connect to the Azure AD service and import the relevant modules. It includes the modules to administer Azure AD, SharePoint Online, Exchange Online, Security & Compliance Center, Teams, and Skype for Business Online.

Connecting multiple PowerShell for Microsoft 365 services with MFA enabled

If you have multi-factor authentication (MFA) enabled on your Microsoft 365 accounts (and you should!), the code block is slightly different for combining all services in a single Microsoft 365 window. As you notice below, we aren’t storing the credential in a variable.

    # Tenant name only (the part before .onmicrosoft.com); it is used to build the SharePoint admin URL
    $orgName = "mybusiness"
    $acctName = "admin@mybusiness.onmicrosoft.com"

    # Azure Active Directory
    Connect-AzureAD

    # SharePoint Online
    Connect-SPOService -Url https://$orgName-admin.sharepoint.com

    # Exchange Online
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -UserPrincipalName $acctName -ShowProgress $true

    # Security & Compliance Center
    Connect-IPPSSession -UserPrincipalName $acctName

    # Teams and Skype for Business Online
    Import-Module MicrosoftTeams
    Connect-MicrosoftTeams

When you connect using this code block, you will see the popup asking you to sign in, and then it will push the one-time password to your mobile device. After receiving the one-time passcode, you will enter the code to finish authenticating.

MFA-enabled PowerShell for Microsoft 365

Is Azure Cloud Shell an option for Office 365 PowerShell?

Microsoft is constantly working on improving the management tools available to admins managing Microsoft 365. Now, Microsoft 365 has a built-in way to access PowerShell “in the cloud,” right from your Microsoft 365 admin center. Admins can access the cloud version of PowerShell for Microsoft by logging into the admin center and clicking the terminal icon in the upper right-hand corner of the screen.

Accessing cloud shell from your Microsoft 365 environment

It will allow you to choose between Bash and PowerShell.

Select PowerShell in the Azure Cloud Shell prompt

From Azure Cloud Shell, you can now use PowerShell to directly interface with your Microsoft 365 environment without the need for a management workstation with the PowerShell modules loaded.

What are common tasks well-suited for PowerShell for Microsoft 365?

PowerShell has been described as a “swiss army knife” tool that can do many different things. The same is true in the realm of Microsoft 365. PowerShell for Microsoft 365 is a robust and powerful scripting language that allows administrators to streamline bulk processes, filter data, and automate workflows. Let’s look at the following PowerShell for Microsoft 365 cmdlets and see how they allow completing common tasks. These are just a few of the common tasks among many others that can be accomplished with PowerShell for Microsoft Office 365.

    1. Get a list of Microsoft 365 AzureAD module commands
    2. List Microsoft Azure AD users
    3. List Microsoft Azure AD groups
    4. List Exchange Online Mailboxes
    5. Change a user password in Microsoft 365
    6. Add a new Azure AD user
    7. Add a new Azure AD group
    8. Get subscription details

1. Get a list of Microsoft 365 AzureAD module commands

With the above walkthrough, we have the AzureAD module installed. However, how do we know what commands are possible with the Azure AD module? Use the following:

    • Get-Command -module AzureAD

This command shows all the commands possible as part of the module.

Listing out commands included with the AzureAD module

2. List Microsoft 365 Azure AD users

What if you want to list out your Azure AD users? You can do that easily with the following one-liner:

    • Get-AzureADUser | Select DisplayName, City, Department, ObjectID

Listing Azure AD users

3. List Microsoft Azure AD groups

Use the following command to list out the Azure AD groups:

    • Get-AzureADGroup

Listing out Azure AD groups

4. List Exchange Online Mailboxes

What if you want to know the users with Exchange Mailboxes configured? Using the Exchange Online Management PowerShell module, we can query specific mailbox information.

    • Get-EXOMailbox | select UserPrincipalName, DisplayName

Viewing Exchange Online Mailboxes

5. Change a Microsoft 365 user password

Changing a password is one of the most basic tasks of an administrator. Using PowerShell for Microsoft 365, you can easily change a user’s password from the command line.

    • Set-AzureADUserPassword -objectID <object ID>

Change a Microsoft 365 user password

6. Add a new Azure AD user

Below is a PowerShell template for adding a new Azure AD user. You can fill the template with data from other sources and loop through it to create new users, using variables in the appropriate placeholders.

    # Password profile object that carries the new user's initial password
    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $PasswordProfile.Password = "<Password>"

    New-AzureADUser -DisplayName "New User" -PasswordProfile $PasswordProfile -UserPrincipalName "NewUser@contoso.com" -AccountEnabled $true -MailNickName "Newuser"
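One way to loop the template above over data from another source, as an added example that is not from the original article. The CSV columns, the New-InitialPassword helper and the $DryRun switch are assumptions, and the sample rows are constructed.

```powershell
# Added example: bulk-create Azure AD users from CSV data with a dry-run switch.
# Requires an existing Connect-AzureAD session when $DryRun is $false.
$DryRun = $true   # hypothetical safety switch: review the plan before creating anything

# Constructed sample data; in practice, use Import-Csv on a file from your HR system
$rows = @'
DisplayName,UserPrincipalName,MailNickName
Ana Example,ana.example@contoso.com,ana.example
Ben Sample,ben.sample@contoso.com,ben.sample
'@ | ConvertFrom-Csv

function New-InitialPassword {
    # Hypothetical helper: 20 random characters from a 64-symbol alphabet.
    # 256 is a multiple of 64, so "byte % 64" introduces no modulo bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz23456789!#%+'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] 20
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
            # Retry until upper case, lower case and a digit are all present
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
        $pw
    } finally { $rng.Dispose() }
}

foreach ($row in $rows) {
    if ($DryRun) {
        Write-Output "Would create $($row.UserPrincipalName) ($($row.DisplayName))"
        continue
    }
    $pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $pwProfile.Password = New-InitialPassword
    $pwProfile.ForceChangePasswordNextLogin = $true   # user must replace it at first sign-in

    $user = New-AzureADUser -DisplayName $row.DisplayName -PasswordProfile $pwProfile `
        -UserPrincipalName $row.UserPrincipalName -AccountEnabled $true `
        -MailNickName $row.MailNickName

    # Capture this output in a variable for hand-over; do not write it to a transcript or log
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        ObjectId          = $user.ObjectId
        InitialPassword   = $pwProfile.Password
    }
}
```

Run it once with $DryRun set to $true and review the planned accounts, then set it to $false to create them.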

7. Add a new Azure AD Group

Adding groups in Azure AD using PowerShell is equally easy. For example, you can use the below as a template for creating a new Azure AD group.

    • New-AzureADGroup -DisplayName "My new group" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"

8. Get subscription details

Having visibility into the subscription details for your Microsoft 365 environment is extremely important. PowerShell for Microsoft 365 allows seeing this type of information quickly and easily. For a summary of the information about your current licensing plans and available licenses, use the following:

    • Get-AzureADSubscribedSku | Select -Property Sku*,ConsumedUnits -ExpandProperty PrepaidUnits

Summary of licensing information

For details about the Microsoft 365 services that are available in all of your license plans, use the cmdlet:

    • Get-AzureADSubscribedSku | Select SkuPartNumber

View Microsoft 365 services details for license plans

Debugging PowerShell code

Many may wonder how you get started debugging PowerShell code, especially if you are new to working with PowerShell with Microsoft 365. One of the best ways to get started debugging PowerShell code is using a good Integrated Development Environment (IDE). Arguably one of the best IDEs out there for PowerShell is free – Visual Studio Code.

Visual Studio Code (VS Code) is one of the easiest to use and most fully featured IDEs available, providing robust features for PowerShell coding and many other languages. VS Code relies on installed plugins to “understand” the language in which you are coding.

It features IntelliSense, tab completion, syntax highlighting, and many other powerful features when you are writing your PowerShell code for scripting or other purposes. It also features seamless integration with Git workflows which allows easy integration with your existing version control system, a great feature (some would argue a requirement) for modern DevOps practices.

Using VS Code for PowerShell debugging

In addition to the official PowerShell plugin available for download in VS Code, there are dozens of third-party plugins that enhance VS Code’s coding and debugging experience. These plugins help extend the features natively found in VS Code and help those writing PowerShell scripts write more effectively and with fewer errors in their syntax.

Tab completion and intellisense in VS Code

What are some tasks where PowerShell isn’t the best tool?

PowerShell for Microsoft 365 is a great tool that can do some fantastic things for administrative tasks. However, when is it perhaps not the best tool for carrying out a task? While we have touched on this a bit, let’s think of when PowerShell might not be the best option for carrying out a task.

PowerShell is great for bulk operations and is well-suited for jobs that require many changes to be made or to make consistent changes for a large number of objects in the environment. However, PowerShell is generally not the best tool if a single change needs to be made as an ad-hoc operation. For example, an admin’s time would be better spent opening the admin center console and making the ad-hoc change there instead of formulating a one-off PowerShell script.

If there is no change control process in place, PowerShell may not be the best tool to introduce in the environment. Scripting languages are powerful and can perform many operations in very little time. However, they can be extremely dangerous if wielded without change control and a review of the changes made by the automated process. A single PowerShell script with incorrect logic could accidentally introduce devastating changes.

Following this same line of thinking, PowerShell is not the best tool when training new employees for management tasks. It is always better to understand management workflows from GUI tools as these are generally more intuitive for learning admin tasks.

Where can you find good PowerShell scripts for managing Microsoft 365?

There are many great resources on the web for PowerShell in general and Microsoft 365-specific PowerShell. Take note of the following resources, which are a great place to start:

The Future is Automated

Today’s challenging and fast-paced on-premises and cloud SaaS environments require organizations to be agile and move quickly to complete business-critical tasks. Microsoft 365 and Office 365 administration generally begins with IT admins performing tasks from the admin center. However, automation is a great way to complete very laborious tasks in bulk. Moreover, it allows doing these in a streamlined and consistent manner.

PowerShell is a robust scripting language that can easily form the basis of your organization’s automation platform. As we have discussed, PowerShell for Microsoft 365 is a collection of modules that allow easy interaction with the services contained in Microsoft 365, such as Azure Active Directory, Exchange Online, SharePoint Online, and Microsoft Teams.

Using PowerShell with Microsoft 365 provides tools to complete tasks that can only be achieved using the command-line and provides filtering capabilities for robust data queries. By using PowerShell for Microsoft 365, organizations can provision or change users in bulk. It can also programmatically create users and groups, configure user mailboxes, easily see licensing information, and create new SharePoint Online sites from the command line.

PowerShell’s automated and programmatic workflows bolster the DevOps processes adopted by businesses worldwide to ensure efficiency, consistency, change control, versioning, and many other benefits in the enterprise.

The post The Most Powerful Uses of PowerShell in M365 appeared first on Altaro DOJO | Microsoft 365.
