AuthorJulian Rasmussen

AIP is deprecated, move to Unified labels now!

At 06.01.2020 Microsoft released the deprication notice for Azure Information Protection client and Label management in the Azure portal. The service is deprecated as of March 31, 2021.

The notice is telling us that within 15 months you all need to migrate all your labels from AIP in the Azure portal over to the new Unified label experience within Office 365 portals.

You find the new label management in several places;

So heres a easy pointer on how to migrate you labels from Azure Information Protection to Unified labels within Office 365.

Navigate to portal.azure.com and head into the Azure Information Protection pane.

From there click on “Unified Labeling” in the left menu and acitvate it.

When this is done you can start using the Unified labeling clients and stop rolling out the classic Azure Information Protection client.

Please keep in mind that you need to have a specific version of Office applications installed on your machine or phone.

  • Windows Desktop – 1910 or higher
  • Mac Desktop – 16.21 or higher
  • iOS mobile – 2.21 or higher
  • Android mobile – 16.0.11231 or higher

For the licensing part here is the license requirement to use Sensitivity labels.

  • Microsoft 365 E3 or above
  • Office 365 E3 or above
  • Azure Information Protection P1

For more advanced use like Automated labeling with sensitivity labels you need to go to E5

  • Microsoft 365 E5
  • Office 365 E5
  • Azure Information Protection P2

Azure AD Connect sync issues

Now and then we get errors in our Azure AD Connect syncronization, or that said – my customers get errors.

And every now and then there is a error wich are not easy to spot what can be wrong.

In this case the sollution was not that easy – but when you think of it, it makes kind of sense sort of.

So this is the Error i got.

Other Error 
onmicrosoft.com 
Description 
Error Details 
pro perty 
Error Type 
Last Attem pted At 
Related Articles: 
Attribute 
o 
x 
The object failed synchronization. For more information, please see the error details. If the problem continues and 
cannot be fixed, please contact Microsoft Support. 
Value 
WorkflowException 
12/17/2019, PM 
1. Azure AD Connect: Troubleshooting Synchronization Errors 
user Principal Name 
Object GUID 
Synchronization Status 
Details 
Attribute Value 
0625<71 
On premises AD only 
52fde7d7eab1

Looking into Azure AD Connect it throwed a error on syncronization.

After some investigation back and forth i with the GUID who did not match the Azure AD Sync error – i found out that a deleted group was configured as a licensing group within Azure AD. Therefor when it was deleted from On-prem AD it could not be deleted in Azure AD since it still was in use.

By removing it from the license sku it removed it self on next sync.

Using the new Sensitivity labels in Teams and SharePoint

These days the preview of Sensitivity labels in Microsoft Teams and SharePoint is rolling out, and I got the new feature up and running in my tenant allready!

If you have been waiting on this feature you may have noticed that the rollout came in stages and is taking some time to be rolled out.

After opt-in to the preview feature by following the guide lines from docs.microsoft.com. You can start creating your new Sensitivity labels tailord for Office 365 groups, SharePoint sites and Microsoft Teams.

Head into Compliance center and create a new label and set the settings you want to test! In my case i created two new labels (naming is for test and to make it easy for me to divided these two :))

Basicly now you finally can block untrusted devices to gain access to higly confidential information stored within SharePoint or Teams – AND also prevent guests to be invited into the site.

For this to be working you need to be using Intune aswell so that company devices such as computers, laptops and mobile devices can be marked as compliant devices.

A usefull scenario also for this is when you only allow Limited, web only access to site or team then you block downloads from untrusted devices such as kiosk, home computers etc.

What do you think of this new feature?

I can`t wait to be going production with this!

How do I know all my users are enabled for and using MFA?

More and more organizations is taking advantage of using MFA for their users and there is no reason for them not to since it`s free for all Office 365 users and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?

You may have seen at the Secure Score that not all users are registred for MFA, and if you do so you have users with no MFA! So these users may be victims for bruteforce attacks so it`s super important to remediate all users to see how everything is configured! Some of the users with no MFA maybe legit and should not have it.

So let`s dig into the materials for a second or two.

First thing is that there is a “Secure Score” check for MFA registered users that will show you how many of your users which are not registered (if any)

If you have any users in that list it would not show who the users are so we need to go deeper in the material to retreive this status.

So to get the list of users who don`t have setup MFA you need to run this PowerShell command with the AzureAD PowerShell module loaded.

Connect-MsolService

Get-MSOLUser -all | where {$_.StrongAuthenticationMethods.methodtype -eq $null} | Select Displayname,UserPrincipalName,BlockCredential,LastPasswordChangeTimestamp,UserType |Out-GridView

And now that we have found all users we can check them out why they don`t use MFA and make sure that they use it 🙂

Further on we can check what method users are using when authenticating with MFA. For this I use this script located in Technet PowerShell archives HERE

If you have deployed MFA the Conditional Access way (recommended) you will see that the MFA status on all user are set to “Disabled” but the method is set to what the user are using.

Have checking status on your users! 🙂

SharePoint Online PowerShell module

To install, update og uninstall the SharePoint Online PowerShell module there are some few simple PowerShell commands you can use.

First of all, set your Execution policy to restricted

Get-ExecutionPolicy #for checking the current ExecutionPolicy setting
Set-ExecutionPolicy -ExecutionPolicy  Unrestricted

Install

 Install-Module -Name Microsoft.Online.SharePoint.PowerShell

Check current version

Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version

Update

Update-Module -Name Microsoft.Online.SharePoint.PowerShell

Uninstall

Uninstall-Module -Name Microsoft.Online.SharePoint.PowerShell

Ignite – some of the news I got first day

So! Day one at Ignite is over and what a day! A lot of new features, services and everything.

But Imust say, arriving from Norway – EVERYTHING IS SO BIG here in USA!

Anyhow – Here is a short summary from me of some (few) new features and services that where unvailed at the keynotes and some sessions

There are much more also that I did not cover in this post!

Azure Arc

Azure Synapse Analytics

Power Automate (Flow)

  • MS Flow is getting new name
  • Gives you ability to create autmations against applications which are missing API`s

Power Virtual Agents

  • Bot or “Chat” agent on websites
  • Together with Power Automate you can fill contacts schemes from a chat on a website directly into your on-prem crm system (which are missing API)

Microsoft 365

  • Project Cortex
    • Based on AI
    • Creates a Enterprise wiki automatically with the use of AI
    • Creates a “Knowledege” card on word shortnings and links you to the “Knowledge Center”
    • Greate for new employees or just as a company wiki
  • MS Stream uses AI to remove background noice on videos
  • MS Teams uses AI to remove backgrouds or bluring them
  • Fluid Framework
    • Collaboration between Outlook, MS Teams chat, PowerPoint ++
  • Office.com is more important for end-users than ever – a onestop for all services
  • Office.com gets ability to be customized with themes, company branding etc.
  • OneDrive gets filesize increased to 100GB pr. file
  • All files in OneDrive now has Delta-sync

SharePoint

  • In Search you now can edit resultspage and configure how the result is presented
  • SharePoint Homesites is in GA
  • Content Auditing
    • Highligt of changes in versions
    • Scheduled publishing of pages
    • Multi-lingual support
  • SharePoint Spaces goes Public preview arround q1 2020 (somehow togheter with Edge Chromium)
  • Modern term-store

Security & Compliance

  • Unified labes is even more unified
    • Labeled Teamsites, MS Teams and files are now the same
    • Auto labeling si based on content on a complete site
  • Information barrier
    • Based on classifications (labels) you can block out a whole department or group of people from certain areas
    • That said, Finance investors can get blocked out from the auditors filespaces for exapmle.

Edge Chromium

  • Browser in GA Q1 2020
  • Will get a Fast Track “track” to help companies embrace it

Managed Meeting Rooms

  • Monitoring of equipment in the rooms like monitors, cameras, microphones etc.
  • In Private preview right now!

On my way to Ignite!

Enroute! I`m on my way to Orlando as we speak (write). I`m so exited to meet the HUGE community which are present at Microsoft Ignite and can`t wait to meet friends and new people in the community. That said there are mucho to-do this week!

I`m arriving my hotel late Sunday and preparing to head into OCCC EARLY to try to get a space for Sataya`s keynote in The Hub at OCCC.

Game plan!

  • Get my luggage
  • Check in at MS Ignite at Orlando airport (rumors says there is almost no queue there)
  • Grab an Uber straight to the hotel
  • Go to sleep fast
  • Get up early and head directly over to OCCC
  • Enjoy Ignite! 🙂

That said – i have thought about how to store, use and structure all the information and knowledge i get this week.

My plan is to use One Note for taking notes on stuff from sessions and all over – Use Microsoft To-Do to add task that i need to follow up on and LinkedIn for connecting with all the great community people and ofcourse use Twitter to follow the great speakers and people i meet at the conference.

Ignite is 7 days away – it’s a problem!!

Well.. it’s not that big of a problem, or yes it is! There is to many sessions I want to be at at the same time. As a first timer at Ignite this will be alot of fun and i’m looking forward to meet alot of people and learn much new stuff!

So over to the problem, I have added all the sessions i want to experience and i now have up to 8 sessions at the same time at almost all hours theough out the week. So now the work of fixing my schedule for the week. Good thing is that we can watch almost all content on video on demand after the conference 🙂

Even tho its my frist time to ignite, i have some tips!

  1. Arrive early to your sessions
  2. Have some break time between your sessions.
  3. Wear good and comfy shoes
  4. Keep hydrated
  5. Meet people and have fun!

Hope to you at ignite this year!

Block AdHoc subscriptions in Office 365

To block users from creating trial and adhoc subscriptions for Office 365 services or even PowerPlatform services you can turn a switch and block it.

Set-MsolCompanySettings -AllowAdhocSubscriptions $false

To check if this is set to “False” for your tenant you can run this

Get-MsolCompanyInformation |fl AllowAdhocSubscriptions 

Sensitivity labels available in Outlook Web

The first step into enabling the use of Unified labels in Office Web apps is here! Today i got the “Sensitivity” bar enabled in my tenants.

Sorry for the Norwegian text in the picture, as “Følsomhet” is the Norwegian word for “Sensitivity”

To get started with Sensitivity labels – head over to Microsoft 365 Security portal and open the “classification” menu.

From there head in to “Sensitivity” and create a label.

Next – choose the tab for Label Policies and publish the label you created.

When testing the feature, remember to only publish the label to your self so that you not enable all users in your company to use and test it. 🙂

© 2020 IdefixWiki

Theme by Anders NorénUp ↑