Skype for Business Retention in Office 365

Much as I needed to configure a retention policy for Microsoft Teams, I also needed retention for Skype for Business conversations.  

The Data Governance area at https://protection.office.com has a Retention section, but a Skype for Business policy was giving me difficulty.  

When you build a retention policy, you specify the locations to apply it to, and Skype for Business is an option.  Other policies allow you to include all users or all areas by default.  SfB is not like that.

The added challenge was when I used the GUI to attempt to choose users, it shows 100 users.  My organization contains well over 100 users.  There were no ways to navigate between screens.  And there's no way I was checking hundreds of checkboxes to pick my users!

I wound up opening a support ticket to get some guidance.  

What we need can be accomplished by PowerShell.  Once I have established a retention policy that suits my needs, a single PowerShell command can add them to the existing policy:

Set-RetentionCompliancePolicy -Identity "MyPolicy" -AddSkypeLocation janedoe@mycompany.com

But what if I want everyone in my policy?  My basic strategy (and forgive me, as I am sure there are easier solutions, but my PowerShell skills are rudimentary at best) is as follows:

Get-MsolUser -All | where {$_.isLicensed -eq $true} | select userprincipalname | out-file AllLicensedO365Usersyyyymmdd.csv

I would then manipulate the list in a text editor (such as Notepad++).  I need to remove excess spaces.  The CSV needs to have a heading of User.  

Then:

Import-Csv AllLicensedO365Usersyyyymmdd.csv | ForEach {Set-RetentionCompliancePolicy -Identity "Keep Everything (Skype)" -AddSkypeLocation $_.User}

Voila, all my users have the policy of choice.

Teams Retention in Office 365

My organization is working on deploying Office 365.  It's been a slow process as our Exchange environment has lots of room for improvement.  Our users are drowning in PST files, so moving that data to Exchange Online is tedious.

We've recently enabled Teams for our organization and are currently piloting it, with possible plans for expansion.  Retention is a big deal for our organization, so configuring those settings quickly became important.  

I headed over to https://protection.office.com and went to Data Governance | Retention.  I edited our existing policy.  But, wait, there were no options for Teams.  The Teams retention settings are missing.  What was going on?

I ultimately found the answer... a Teams retention policy cannot contain any other products.  So, when you want to configure Teams retention, make a new policy that contains no other products.

Lots more helpful on retention for Office 365 here: https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies?redirectSourcePath=%252fen-us%252farticle%252fOverview-of-retention-policies-5e377752-700d-4870-9b6d-12bfc12d2423

Azure Active Directory Connect, High CPU Usage After June 2018 Patching

I did the latest Microsoft security updates for some servers, and was noticing my server running Azure Active Directory Connect for Office 365 was running at very high CPU.  I wasn't successful at restarting it from within the guest (or, wasn't patient enough, take your pick) and reset the VM.  The issue persisted.

My Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe was running at 99%.

Some research quickly tipped me off to the culprit.  (https://social.msdn.microsoft.com/Forums/azure/en-US/e9b621f6-f38c-488e-8fcb-ff85d406f256/azure-ad-connect-health-sync-monitor-high-cpu-usage?forum=WindowsAzureAD) .NET Framework 4.7.2 was the culprit.  Uninstalling the right KB depends on your OS.

• Server 2008 R2 - "Microsoft .NET Framework 4.7.2"
• Server 2012 - KB4054542
• Server 2012 R2 - KB4054566
• Server 2016 - KB4054590

I was dealing with Server 2016, so I uninstalled KB4054590, restarted, and the server seems fine.

My Azure Active Directory Connect is current at 1.1.819.0, released 5/14/2018.  (https://social.msdn.microsoft.com/Forums/azure/en-US/e9b621f6-f38c-488e-8fcb-ff85d406f256/azure-ad-connect-health-sync-monitor-high-cpu-usage?forum=WindowsAzureAD)

I'll be sure to monitor the version history to see if when I go to patch next month, if Azure Active Directory Connect has been updated to address this.

Resolving Crashing Skype for Business

Today, I found myself unable to open Skype for Business.  I would load the application and it would crash.

Examining my Event Viewer, I found the following:

Level: Error
Source: Application Error
Event ID: 1000
Faulting application name: lync.exe, version: 16.0.4690.1000, time stamp: 0x5acd052e
Faulting module name: KERNELBASE.dll, version: 10.0.15063.1029, time stamp: 0x99b50546
Exception code: 0xc06d007e
Fault offset: 0x000f0132
Faulting process id: 0x3364
Faulting application start time: 0x01d40178ed74b119
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office16\lync.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: fde33f51-913a-4302-9674-3a5370420999
Faulting package full name: 
Faulting package-relative application ID: 

I was a bit perplexed as I had run successfully last week after receiving updates.

I found the resolution here (thanks to Brian):
https://community.spiceworks.com/topic/2126287-skype-for-business-2016-problems-after-kb4018323

• Open your Playback devices menu by right-clicking on the volume icon on your taskbar (or your preferred method)
• Highlight your current playback device and select the Properties button.
• Select the Advanced tab on the resulting window.
• Under the heading ,"Exclusive Mode", ensure that both checkboxes are unchecked. Really, you can deselect the first checkbox and it will gray out the second for you.

Exchange Server 2010 to Exchange Online Message Tracking Does Not Work

My organization is currently working on moving from on premise Exchange to hosted Exchange from Microsoft via Office 365 and Exchange Online.

Prior to moving any mailboxes to our tenant, we have been testing from on premise mailboxes to test cloud mailboxes.  

We were tracking messages from Outlook Web Access.  Under Manage My Organization, Mail Control, we'd run Delivery Reports.

I would search from an on premise mailbox to a cloud mailbox for messages I had sent.  The search would work well and return results.






 













Once I double clicked one of the results to see detail, however, that wasn't successful.  It would not be successful and would fail after a timeout.

 








I opened a ticket with Microsoft Support.

It wound up being fairly involved and we did quite a bit for troubleshooting.  But the ultimate solution was to close the ticket as a known bug.

I consulted about the results of our last troubleshooting to get Message tracking report using EMS and we got the error related to “WARNING: The log search service was unavailable on server 'mwhpr09mb2047.namprd09.prod.outlook.com'.”

It’s a known issue on O365 which possibly might not be addressed any time soon, the alternate option would is to use the Messaging Tracing if they can in our  scenario. Message Tracing is available to admins only, can't directly search on Subject (but can search on recipient, sender, date/time then sort to locate specific subject).

As an administrator, you can find out what happened to an email message by running a message trace in the Exchange admin center (EAC). After running the message trace, you can view the results in a list, and then view the details about a specific message. Message trace data is available for the past 90 days. If a message is more than 7 days old, the results can only be viewed in a downloadable .CSV file.

Reference:

https://technet.microsoft.com/en-us/library/jj200712(v=exchg.150).aspx

Since this a known issue in product, you will not be charged for the incident. 

So, I can track messages from the Office 365 administrator center, and can do nothing to correct the issue impacting my on premise message tracking

How To Map A Network Drive to OneDrive for Business (or What To Do If You Don't Have Enough Free Space to Sync Your OneDrive for Business Data)

My organization is currently in the early stages of looking a migration to Office 365.  I welcome the possibility of getting out of the business of managing users' home folders by giving them 1TB of cloud space on OneDrive for Business and letting them use it as they see fit.

We are currently in the process of deploying SSD drives to some of our computers to help with performance issues.  As a cost savings measure, I know we are often deploying 120GB drives.  As we test and evaluate, several colleagues asked me what would happen if we had more data than we had hard drive space.  I would assume that a 120GB drive might have 80GB free after the installation of operating system and software. It's very possible that some of my users have more data than that.

I opened a support ticket with Microsoft and got a great option.  They confirmed that the OneDrive sync client might crash or slow the system down if it was trying to sync more data than space allowed.  There are options to not sync down the entire OneDrive contents, but I worried that might be cumbersome for users.  

The alternative is to skip the OneDrive sync client and map a network drive to the OneDrive for Business space.  This means you need Internet access to access your data, and there could be bandwith implications, but this sounds like a great option.

The steps to do this are as follows (as demonstrated on Windows 10):

• Open Internet Explorer
• Go to https://portal.microsoft.com. Keep me Signed In option box checked and Sign In 
• Depending on your version of Internet Explorer, take one of the following actions: 
• Click the Tools menu, and then click Internet options. 
• Click the gear icon, and then click Internet options.
• Click the Security tab, click Trusted sites, and then click Sites
• In the Add this website to the zone box https://*.sharepoint.com >add> ok 
• Click on Custom level> Scroll all the way down to select Automatic logon with Current username and Password.
• Browsed to   gear icon on IE >compatibility view settings > sharepoint.com> ok
• Start > Run > type Services.msc > Search Web Client >Change Startup to Automatic > Ok
• Browsed to the OneDrive Location which you want to map  > Click on return to Classic OneDrive >click on Gear icon >Ribbon On >click on Library >Open with Explorer>>and copy the  path 
• Open File Explorer>right click on This PC or My Computer> Map Network Drive> Select the drive and paste the URL> ok 

Unable to Sign In on Google Chrome to Office 365

My organization has been moving from hosting our own Exchange and Lync/Office Communications on premise to Microsoft hosted via Office 365.

I had implemented Active Directory Federation Services (ADFS) and Lync Online about 18 months ago.  ADFS had some challenges, but once I implemented it, it has been reliable.  During implementation, I got on-premise pass through Windows Authentication working and off-premise sign in working.  I had tested on versions of Internet Explorer, Mozilla Firefox, and Google Chrome successfully.

We're now readying to migrate to Exchange Online and away from our on-premise mail server.  During testing, several of us in IT began realizing that sign-ins from Google Chrome was not working.

On premise, you would be prompted with a Google Chrome pop up dialog.  You'd put in your credentials (email address and Active Directory password), and it'd take you right back to the logon prompt without error, and you'd never get in.

Off premise, you would be directed to our sign in page on our Federated Server Proxy server.  Same behavior, enter credentials, return right back to sign in page without error.

Googling this error tipped me off to the problem being that Google Chrome not supporting Extended Protection.  But I didn't know much about this, so I didn't know how to resolve the issue.

A case opened with Microsoft support got me directed to the fix, as documented here:
http://social.technet.microsoft.com/wiki/contents/articles/1426.ad-fs-2-0-continuously-prompted-for-credentials-while-using-fiddler-web-debugger.aspx
The article mentions problems when using Fiddler Web Debugger, but it's the fix for a Google Chrome issue as well.

It's a setting within IIS.  The above link documents where the setting is within IIS to change it manually on each affected server (typically you have multiple ADFS servers for fault tolerance), or PowerShell commands to set this universally across the farm.

Once I made this change, my users can leverage Office 365 from any of the major browsers.

Connecting with Lync on Mac via Office 365

My organization transitioned from running Office Communications Server 2007 to Lync via Office 365.  One of the benefits of the Office 365 implementation is that you can run applications like Lync while properly on the corporate network or while remote with Internet access.

Though our organization is strictly a Windows computing environment, there are a few people within the IT department that run Macs at home.  As I was one of them, I wanted to explore running Lync on Mac OSX 10.9 Mavericks.

I downloaded Lync for Mac 2011, but was having difficulty signing in.

Investigating online, I found this article:
http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh534388.aspx

But still, things weren't working:

A support call to Microsoft didn't yield the answer at all.  I assumed it was a very minor detail, and that was correct.  After days of nothing, I stumbled across the correct configuration.

Ensure you've got all the updates downloaded for Lync / Office 2011 for Mac.

Correct syntax for sign in is to use your email address in both the email address AND user ID fields.  I was trying username or domain\username and getting no results.

In the Advanced options, you want Use Kerberos authentication unchecked, and the radio button to use Automatic Configuration, as shown below:

 

At that point, you'll be able to sign in.