Facebook at Work provisioning using "built-in" Azure SCIM

Facebook at Work (https://work.fb.com/) is the business variant of Facebook. It gives enterprises the possibility to own, manage and use Facebook in an enterprise context. As Facebook at Work was born in the cloud it comes with modern APIs for user management, and it is also listed in the Microsoft Azure Marketplace (link).

When integrating Facebook at Work into Azure you get two pre-built options from Microsoft:

  • Single Sign On (using Azure AD)
  • User Provisioning (using a pre-built Azure AD SCIM connector to Facebook at Work)

Configure Single Sign On

Below is a short guide for setting up Single Sign On between Facebook at Work and Azure AD:

  1. Create an Azure AD user (with email) facebook@yourdomain.com
  2. Create a Facebook user with username facebook@yourdomain.com
    (make this user a global admin)
  3. Log on to Facebook at Work and Azure with your newly created users
    (there will be a match check when setting up
  4. Log on to your Facebook at Work instance
    1. Community Center > Settings
    2. Note down information under SAML configuration
      • Audience URL
      • Recipient URL
      • ACS URL
  5. Open Azure AD
    1. Add Azure application: Facebook at Work
    2. Assign the Azure facebook@yourdomain.com as a user to Facebook at Work app
    3. Setup SSO
      1. Sign on URL = Tenant URL for Facebook (https://yourcompany.facebook.com)
      2. Identifier = Audience URL (from above)
      3. Reply URL = ACS URL (from above)
      4. Certificate; create a new 3 year certificate
      5. Store information from Azure
        • Download the certificate file
        • Note down the SAML SSO URL
        • Note down the SAML Issuer URI
  6. Back to the Facebook at Work
    1. Community > Settings
    2. SSO settings
      1. Change to SSO logon: SSO Only
      2. Expire setting: 3 weeks
      3. Certificate = Open the cert-file downloaded and paste the text
      4. SAML URL = SAML SSO URL from Azure
      5. SAML Issuer URI = SAML Issuer URI from Azure
      6. Click "TEST SSO"
        SSO should now work and be successful. Save the settings. Remember that all authentication must now go through Azure AD (Facebook at Work does not support multiple authentication providers at the moment).
  7. Back to Azure AD (finish the settings)
    1. Add a notification email (for errors on certificate)

SCIM provisioning

It's also easy to set up SCIM provisioning to Facebook at Work.
  1. Logon to Facebook at Work
    1. Community > Settings
      1. Note down Access token
      2. Note down SCIM URL
      3. Note down Community ID
  2. Azure AD > Applications > Facebook at Work > Configure
    1. Setup provisioning
      1. User Security Token = Facebook Access token
      2. Facebook at Work Tenant URL = SCIM URL
    2. Test the connection
    3. Setup notification email (for errors on provisioning)

Username vs. E-mail address

Facebook, as a cloud service provider, expects the user's logon name and e-mail address to be the same (at the moment). In a standard configuration Azure will create users with [UserPrincipalName] and expect these to work. You can set suppressEmail (not recommended, however, as the service uses e-mail to drive engagement and to remind users to check posts in Facebook at Work).

E-mail invitation 

When new users are provisioned by Azure (using the SCIM integration) the service sends an invitation e-mail to the newly provisioned user. This is to get the user onboarded and active on the Facebook at Work social platform quickly.

Prevent e-mail invitations (and e-mail communication): Facebook at Work has a property suppressEmail that stops Facebook from sending e-mails to the user.

SuppressEmail

This is possible to configure using the Azure provisioning engine. The settings are changed under Azure > Applications > Facebook at Work > Attributes > Provisioning:

To add suppressEmail, click "add attribute mapping", choose "suppressEmail" (in the Facebook at Work attribute) and then you have two options.

  • Suppress all email communication for all users (using Constant = true)
  • Suppress email communication for users without an e-mail address (no mail attribute in Azure AD) and allow it for users with mail
    This will check the mail attribute on the users in Azure AD: if present, set suppressEmail to "false"; if blank, set it to "true". My little piece of magic!

Office 365 Clutter stuff

What is Clutter ?
Clutter is an email filtering option available to Office 365 customers.  It is similar to an anti-spam filter as it moves less important email (based on your reading habits) into a 'Clutter' folder where they can be ignored or reviewed later.  Most of the mail going into the folder should be bulk mail (advertisements) and messages from mailing lists.  However, you will want to periodically check the Clutter folder as it may move legitimate email into this folder.

When is Clutter applied ? 
Messages are handled in the following way in Exchange online:

  1. Messages are scanned by Exchange Online Protection (EOP)
  2. Message (transport) rules in the tenant/Exchange Online
  3. If the mail reaches the user's mailbox
    1. Junk e-mail filtering
    2. Mailbox rules (if a message is handled by a rule, Clutter processing will not happen)
    3. Clutter processing


Disable Clutter (as a user)
It's possible to disable Clutter per user. Just follow the guide below:

  1. Log into OWA
  2. Click on the Gear > Options > Automatic Processing > Clutter
  3. Select Don't separate items identified as Clutter 
  4. Click Save.

Disable Clutter for the company (using a transport rule)
Create a new transport rule and use the following header/value to bypass Clutter for that e-mail:

  • HeaderName X-MS-Exchange-Organization-BypassClutter
  • Value true
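The same two switches, as an added PowerShell example (not from the original post): the tenant-wide transport rule that stamps the bypass header above, plus the per-user equivalent of the OWA option via Set-Clutter. It assumes an existing Exchange Online PowerShell session; the rule name and the user address are placeholders.

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# PowerShell session; $ruleName and user@domain.com are placeholders.

# 1) Tenant-wide: stamp X-MS-Exchange-Organization-BypassClutter: true on every
#    message. A rule without conditions applies to all messages.
$ruleName = "Bypass Clutter for all messages"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -SetHeaderName  "X-MS-Exchange-Organization-BypassClutter" `
        -SetHeaderValue "true" `
        -Comments "Bypasses Clutter processing for all mail"
}

# Verify the rule is enabled and carries the expected header/value pair
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, SetHeaderName, SetHeaderValue

# 2) Per user: same effect as "Don't separate items identified as Clutter" in
#    OWA, without logging in as the user.
Set-Clutter -Identity "user@domain.com" -Enable $false
Get-Clutter -Identity "user@domain.com"
```

Note that the transport rule only affects mail that passes through transport after the rule exists; it does not move items already sorted into users' Clutter folders.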

Remove "orphaned" meetings in RoomMailboxes

When users leave the company there should be a "phase out" routine with the different IT tasks to be performed (below is just an example):
  • Log and revoke system access and permissions
  • Hand over data to manager and/or other owners
  • Delete all other data (mail, home folders, etc.)
  • Cancel meetings (and/or transfer them to other responsible organizers)
However, sometimes users that have left the company haven't cancelled their meetings, and you need to remove the bookings from the RoomMailboxes (or EquipmentMailboxes) in Exchange.
PowerShell to the rescue:
# Requirements
# - Connection to Exchange (Online) using PowerShell
# - Administrator account with the "Mailbox Import Export" role in Exchange (Online)

# Task flow
# 1. Look up the primary email address of the user
# 2. Search the meeting rooms for meetings (if needed)
# 3. Delete the meetings from the meeting rooms (back up first if needed)

# Define the (former) organizer's email address to search for
$mail  = "user@domain.com"
$query = "From:$mail AND kind:meetings"

# Search in PowerShell (estimate only, output in console)
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery $query -EstimateResultOnly -Verbose | Format-Table Identity, Success, ResultItemsCount

# Search in PowerShell (log the hits to a target mailbox, nothing is deleted)
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | ForEach-Object { Search-Mailbox $_.Alias -SearchQuery $query -Verbose -TargetMailbox Administrator -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full }

# Delete
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery $query -DeleteContent -Force -Verbose

# Delete (and copy the deleted items to a backup folder) - enter the correct target mailbox and folder
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | ForEach-Object { Search-Mailbox $_.Alias -SearchQuery $query -DeleteContent -Force -Verbose -TargetMailbox Administrator -TargetFolder "BackupFolder" -LogLevel Full }
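The three steps of the task flow (look up address, estimate, delete with backup) combined into one function, as an added example that is not part of the original post. It assumes an Exchange Online session with the "Mailbox Import Export" role; user@domain.com and the backup mailbox name are placeholders. It also covers equipment mailboxes and organizers whose mailbox is already soft-deleted, which the snippets above do not.

```powershell
# Added example, not from the original post. Assumes an Exchange Online session
# with the "Mailbox Import Export" role; the user and backup mailbox are placeholders.
function Remove-OrphanedRoomMeetings {
    param(
        [Parameter(Mandatory)] [string] $User,      # UPN or alias of the departed organizer
        [string] $BackupMailbox = "Administrator",  # deleted items are copied here
        [switch] $Delete                            # without this switch nothing is removed
    )

    # 1. Resolve the primary SMTP address. A departed user may only exist as a
    #    soft-deleted mailbox, so fall back to that before giving up.
    $mbx = Get-Mailbox -Identity $User -ErrorAction SilentlyContinue
    if (-not $mbx) {
        $mbx = Get-Mailbox -SoftDeletedMailbox -Identity $User -ErrorAction SilentlyContinue
    }
    if (-not $mbx) { throw "No mailbox (active or soft-deleted) found for $User" }
    $query = "From:$($mbx.PrimarySmtpAddress) AND kind:meetings"

    # 2. Estimate per room/equipment mailbox so the hit counts can be reviewed
    #    before anything is deleted.
    $rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox -ResultSize Unlimited
    $hits  = $rooms | Search-Mailbox -SearchQuery $query -EstimateResultOnly |
             Where-Object { $_.ResultItemsCount -gt 0 }
    $hits | Format-Table Identity, ResultItemsCount

    if (-not $Delete) { return $hits }   # dry run: report only

    # 3. Delete, copying each removed item to a per-user folder in the backup mailbox
    foreach ($hit in $hits) {
        Search-Mailbox -Identity $hit.Identity -SearchQuery $query -DeleteContent -Force `
            -TargetMailbox $BackupMailbox -TargetFolder "OrphanedMeetings-$($mbx.Alias)" -LogLevel Full
    }
    return $hits
}

# Dry run first; add -Delete once the counts look right
Remove-OrphanedRoomMeetings -User "user@domain.com"
Remove-OrphanedRoomMeetings -User "user@domain.com" -Delete
```

Run without -Delete first: the function then only returns the rooms with hits and their item counts, which is the check you want before a -Force deletion across every room in the tenant.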

Find erroneous AD Connect sync object (cannot sync object)

Today I was faced with an error in AD Connect. It couldn't sync one of the contact objects from the on-premises AD to Azure AD (Office 365). The error in the AADConnect log was:

  • Error in Connector operations
    • Status:completed-export-error
  • In error log (on the object)
    • Error:
      Object TypeMismatch
    • Connected data source error code:
      0x8023134a
    • Detailed data source error:
      A object with same proxyaddress does already exist in Azure Active Directory, but have a objecttype that is not compatible (objectclasses: contact, group or user). Solve this issie in the local catalog services or in Azure Active Directory, and try again. 
After a lot of trouble shooting I found that it was a guest account in Azure AD that caused the error. A guest account is normally created when a user is inviting/sharing a Sharepoint site or document with a external user. These users show up as email_domain.com#EXT#yourdomain.com.

To actually find objects with a specific email address in Azure AD and/or Exchange Online you can do the following with PowerShell:
  1. Start PowerShell
  2. Connect to Azure AD with Connect-MsolService
  3. Connect to Exchange Online
  4. Run the script below (change the mail address)
Script
# Define email to search for
$mail = "rikard.strand@external.elkjop.no"
# -match is a regex test, so escape the dots; a substring match is still wanted
# because proxy addresses carry an "SMTP:"/"smtp:" prefix
$pattern = [regex]::Escape($mail)

# Do the different searches (requires Connect-MsolService)
Get-MsolGroup -All | Where-Object { $_.ProxyAddresses -match $pattern }
Get-MsolUser -All | Where-Object { $_.ProxyAddresses -match $pattern }
Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.ProxyAddresses -match $pattern }
Get-MsolContact -All | Where-Object { $_.EmailAddress -match $pattern }

# Do the different searches (requires a connection to Exchange Online)
Get-Group -ResultSize Unlimited | Where-Object { $_.WindowsEmailAddress -match $pattern }
Get-DistributionGroup -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-Mailbox -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-Mailbox -SoftDeletedMailbox | Where-Object { $_.EmailAddresses -match $pattern }
Get-MailUser -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-User -ResultSize Unlimited | Where-Object { $_.UserPrincipalName -match $pattern }
Get-User -ResultSize Unlimited | Where-Object { $_.WindowsEmailAddress -match $pattern }
Get-MailContact -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-Recipient -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
Get-MailPublicFolder -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $pattern }
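The same searches wrapped in a function that tags every hit with the directory and object type it came from, as an added example (not from the original post), so a proxyAddress collision between two object classes, which is what the AD Connect error above reports, can be read straight off the output. It assumes Connect-MsolService and an Exchange Online session are already established; the address is a placeholder.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService and an
# Exchange Online session; the address passed in is a placeholder.
function Find-RecipientByAddress {
    param([Parameter(Mandatory)] [string] $Mail)

    $p = [regex]::Escape($Mail)   # -match is a regex test; escape the dots

    # Each entry: where the object lives, what it is, and how to find it
    $checks = @(
        @{ Source = "AzureAD";  Type = "Group";      Cmd = { Get-MsolGroup -All | Where-Object { $_.ProxyAddresses -match $p } } }
        @{ Source = "AzureAD";  Type = "User";       Cmd = { Get-MsolUser -All | Where-Object { $_.ProxyAddresses -match $p } } }
        @{ Source = "AzureAD";  Type = "DeletedUser";Cmd = { Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.ProxyAddresses -match $p } } }
        @{ Source = "AzureAD";  Type = "Contact";    Cmd = { Get-MsolContact -All | Where-Object { $_.EmailAddress -match $p } } }
        @{ Source = "Exchange"; Type = "Mailbox";    Cmd = { Get-Mailbox -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $p } } }
        @{ Source = "Exchange"; Type = "SoftDeleted";Cmd = { Get-Mailbox -SoftDeletedMailbox | Where-Object { $_.EmailAddresses -match $p } } }
        @{ Source = "Exchange"; Type = "MailUser";   Cmd = { Get-MailUser -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $p } } }
        @{ Source = "Exchange"; Type = "MailContact";Cmd = { Get-MailContact -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $p } } }
        @{ Source = "Exchange"; Type = "DistGroup";  Cmd = { Get-DistributionGroup -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match $p } } }
    )

    foreach ($c in $checks) {
        foreach ($obj in (& $c.Cmd)) {
            [pscustomobject]@{
                Source   = $c.Source
                Type     = $c.Type
                Name     = $obj.DisplayName
                # MSOL objects expose ObjectId, Exchange objects expose Identity
                Id       = if ($obj.ObjectId) { $obj.ObjectId } else { $obj.Identity }
                # Only MSOL users carry UserType; "Guest" is the #EXT# case above
                UserType = $obj.UserType
            }
        }
    }
}

$hits = Find-RecipientByAddress -Mail "user@external.domain.com"
$hits | Format-Table -AutoSize

# More than one object type on the same address is exactly the conflict
# AD Connect reports as "Object TypeMismatch"
$types = $hits | Select-Object -ExpandProperty Type -Unique
if (@($types).Count -gt 1) {
    Write-Warning "Address is claimed by several object types: $($types -join ', ')"
}
```

The scriptblocks in $checks are invoked inside the function, so they see $p through normal PowerShell scoping; keep the function and the table together if you move it into a module.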

Office 365 - convert a deleted mailbox to a inactive mailbox

In Office 365 you can convert mailboxes of old employees to inactive mailboxes. This preserves the mailbox in Office 365 (it can later be connected and/or searched with eDiscovery).
  • Put an active mailbox on LitigationHold
    Set-Mailbox rikardst -LitigationHoldEnabled $true
  • Remove LitigationHold
    Set-Mailbox rikardst -LitigationHoldEnabled $false
  • Convert a deleted mailbox to inactive (put it on LitigationHold)
    • First assign a license to the user
    • Then put it on LitigationHold
      Set-Mailbox rikardst -LitigationHoldEnabled $true
    • Wait 60 minutes
    • Remove license
You cannot place a LitigationHold on a deleted object (that's why you need to assign a license first).
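The license, hold and un-license sequence above as one script, added here as an example that is not part of the original post. Instead of a fixed 60-minute wait it polls the mailbox until the hold is actually visible before the license is removed. It assumes Connect-MsolService and an Exchange Online session, and that the user object exists (or has been restored); the UPN and the license SKU are placeholders (list your tenant's SKUs with Get-MsolAccountSku).

```powershell
# Added example, not from the original post. Assumes Connect-MsolService and an
# Exchange Online session; $upn and $sku are placeholders.
$upn = "user@domain.com"
$sku = "tenant:ENTERPRISEPACK"   # placeholder AccountSkuId, see Get-MsolAccountSku

# A deleted mailbox cannot be placed on hold, so license the user first
Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku

# Wait for the mailbox to be (re)created before trying to set the hold
$mbx = $null
for ($i = 0; $i -lt 30 -and -not $mbx; $i++) {
    Start-Sleep -Seconds 60
    $mbx = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
}
if (-not $mbx) { throw "Mailbox for $upn did not appear within 30 minutes" }

Set-Mailbox -Identity $upn -LitigationHoldEnabled $true

# Confirm the hold is in place before the license goes away; this replaces the
# fixed "wait 60 minutes" step with an actual check (up to 60 minutes)
$held = $false
for ($i = 0; $i -lt 12 -and -not $held; $i++) {
    Start-Sleep -Seconds 300
    $held = (Get-Mailbox -Identity $upn).LitigationHoldEnabled
}
if (-not $held) { throw "Litigation hold on $upn not confirmed; license not removed" }

Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $sku

# Show the hold state; -IncludeInactiveMailbox keeps the mailbox visible once it
# has become inactive
Get-Mailbox -Identity $upn -IncludeInactiveMailbox |
    Format-List DisplayName, LitigationHoldEnabled, LitigationHoldDate
```

The important guard is the second loop: removing the license while the hold is still pending would let the mailbox be deleted like any unlicensed one.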




OneDrive for Business (web interface)

Just a quick reminder of the old and new interface URLs:

  • OLD interface
    • https://domain-my.sharepoint.com/personal/user/_layouts/15/start.aspx
  • NEW interface
    • https://domain-my.sharepoint.com/personal/user/_layouts/15/onedrive.aspx

Remember that the new OneDrive for Business sync client will soon be available. Get in line for the preview: https://preview.onedrive.com/sync

Microsoft Edge browsers crashes directly after start [FIX]

Today I had problems with my Microsoft Edge browser (the new and cool browser in Windows 10). Directly after launch the application crashed with the following event:
Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: The remote procedure call failed. See the Microsoft-Windows-TWinUI/Operational log for additional information.
Steps to solve:

  1. Open a powershell with admin permissions (run as administrator)
  2. Find the installation folder
    Get-AppxPackage *edge* | fl name,*location*
  3. Navigate to the installation folder (see location from command above)
    set-location C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
  4. Repair the Edge browser
    Add-AppxPackage -DisableDevelopmentMode -Register ".\appxmanifest.xml"
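Steps 2 to 4 as one command, added as an example that is not from the original post: it reads the package's InstallLocation instead of hard-coding the path, so it works even if the folder differs from the one shown above. Run it from an elevated PowerShell.

```powershell
# Added example, not from the original post. Run as administrator.
# Re-registers Edge from the manifest in its own install location.
Get-AppxPackage -Name Microsoft.MicrosoftEdge | ForEach-Object {
    $manifest = Join-Path $_.InstallLocation "AppxManifest.xml"
    if (Test-Path $manifest) {
        Add-AppxPackage -DisableDevelopmentMode -Register $manifest
    } else {
        Write-Warning "No AppxManifest.xml found under $($_.InstallLocation)"
    }
}
```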



Remove a Office 365 User/Mailbox from all distribution lists

Remove all groups from a user with PowerShell:
# Get the correct mailbox (replace UserPrincipalName with the user's UPN)
$mbx = Get-Mailbox -Identity UserPrincipalName

# Process all distribution groups and, if the mailbox is a member, remove it (with simple console output).
# -ResultSize Unlimited on both cmdlets: the default caps results at 1000, which silently skips large groups.
foreach ($group in Get-DistributionGroup -ResultSize Unlimited) {
  $members = Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited | Select-Object -ExpandProperty DistinguishedName
  if ($members -contains $mbx.DistinguishedName) {
    Write-Host "Removing user from" $group.Name
    Remove-DistributionGroupMember -Identity $group.Identity -Member $mbx.DistinguishedName -BypassSecurityGroupManagerCheck -Confirm:$false
  }
}
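The same clean-up with a server-side filter on the group's Members property, as an added example (not from the original post): only the groups that actually contain the mailbox are returned, instead of pulling every group's membership to the client. It assumes an Exchange Online session and that Members is accepted by the -Filter parameter of Get-DistributionGroup; user@domain.com is a placeholder.

```powershell
# Added example, not from the original post. Assumes an Exchange Online session;
# the identity passed in is a placeholder.
function Remove-MailboxFromAllDistributionGroups {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [switch] $ReportOnly     # list the groups without changing anything
    )

    $mbx = Get-Mailbox -Identity $Identity

    # Single quotes inside an OPATH filter string must be doubled
    $dn = $mbx.DistinguishedName -replace "'", "''"

    # Server-side: only groups whose Members contain this DN come back
    $groups = Get-DistributionGroup -ResultSize Unlimited -Filter "Members -eq '$dn'"

    foreach ($group in $groups) {
        if ($ReportOnly) {
            Write-Host "Would remove $($mbx.PrimarySmtpAddress) from $($group.Name)"
            continue
        }
        Write-Host "Removing $($mbx.PrimarySmtpAddress) from $($group.Name)"
        Remove-DistributionGroupMember -Identity $group.Identity -Member $mbx.DistinguishedName `
            -BypassSecurityGroupManagerCheck -Confirm:$false
    }
    return $groups
}

# Review first, then remove
Remove-MailboxFromAllDistributionGroups -Identity "user@domain.com" -ReportOnly
Remove-MailboxFromAllDistributionGroups -Identity "user@domain.com"
```

Dynamic distribution groups are not covered by either approach: their membership is a recipient filter, so the user drops out of them once the attributes the filter matches on change.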