Microsoft 365

Microsoft 365 Group Expiration Policy Considerations

Posted on by Adam Fowler

Microsoft 365 has an in-built option to expire Microsoft 365 Groups that are no longer in use. Details around this are well documented Microsoft 365 group expiration policy | Microsoft Docs – but I thought it was worth digging a bit deeper into the why and how of Microsoft 365 Group Expiration Policy. The below is my understanding of how the platform works based on personal testing.

It’s easy for an administrator to come to the conclusion that they have their Microsoft 365 Groups under control. Maybe the creation of Microsoft 365 Groups is restricted in the tenant to a subset of users, or admins only – ensuring only approved groups are created with a reasonable naming convention. Maybe that is combined with a Microsoft 365 groups naming policy | Microsoft Docs which includes blocking custom words so users can’t create another group with the name ‘Finance’ in it and create ungoverned areas.

If these controls are in place, why would you want any Microsoft 365 Group to expire? There’s the risk that a wanted group gets deleted and misses the 30 day window of recovery (maybe it’s a group used heavily only once a year for a week) and group expiration is more hassle than it’s worth?

There are a few main driving factors on why you should deeply consider enabling Microsoft 365 Group Expiration Policy:

Clean up old groups – despite having a good control of group creation and naming convention sorted, users will rarely advise when a group is no longer used or abandoned. Maybe it was a committee that fell apart when certain people left the organization – IT will rarely be across and care about abandoned groups. Although it’s messy and confusing to have a bunch of abandoned groups sitting around, there’s a bigger driver to clean these groups up;

Reduce data held – Data should be held for as short as time as possible; of course complying with data retention laws and in line with the company’s data retention policy. The more data you have, the more data you have to lose. Useful data of course should be kept for as long as it is useful, and it can be very difficult to define what data falls into this category. There’d be a faily strong argument though, that an abandoned group holds no important data (unless the group had been targeted by a data retention policy, because the data had already been classified). Hanging onto unmanaged, abandoned data is an easy way for the data to be leaked down the track. Think of a group that has guest access but nobody’s managing – that guest could come back years later and extract the data which should have been cleaned up.

Microsoft 365 Groups should have more than one owner – avoid scenarios where the 1 admin of a group departs the company and abandons is, by always having at least 2 owners of a group. If they end up being the last owner, it’s up to them to find a second one. Microsoft 365 Group Expiration Policy will handle the scenario of an abandoned group (one with no owners) by instead sending an email to a specified address in the Microsoft 365 Group Expiration Policy settings:

Source: Microsoft

Other considerations before enabling Microsoft 365 Group Expiration Policy:

Exchange licenses: All owners of groups need an Exchange license. It should work if they’re on-premises and in Exchange Hybrid mode, AND an Exchange Online license applied to the account. There are scenarios where this license component may not be enabled against an account to avoid having multiple mailboxes (one in cloud, one on-prem), so it’s worth verifying.

User awareness: Before turning this on, make sure communication is provided to end users. People have a tendency to ignore things they don’t understand or don’t think are important, and will then be complaining loudly when their group was deleted after the third email notification asking them.

Pilot: Rather than enabling this for all groups in your tenant, start with a subset of selected groups to make sure you understand how the process works. This list is limited to 500 groups.

Automatic Active Group Checking & Group Lifetime: A great component of Microsoft 365 Group Expiration Policy is the automatic checking of active groups. If a group is detected as being active, then it will auto-renew and not ask any user to verify. As noted on Set expiration for Microsoft 365 groups – Azure Active Directory – Microsoft Entra | Microsoft Docs:

When you first set up expiration, any groups that are older than the expiration interval are set to 35 days until expiration unless the group is automatically renewed or the owner renews it.

and from Activity-based automatic renewal – Azure Active Directory – Microsoft Entra | Microsoft Docs

For example, if an owner or a group member does something like upload a document to SharePoint, visit a Teams channel, send an email to the group in Outlook, or view a post in Yammer, the group is automatically renewed around 35 days before the group expires and the owner does not get any renewal notifications.

For example, consider an expiration policy that is set so that a group expires after 30 days of inactivity. However, to keep from sending an expiration email the day that group expiration is enabled (because there’s no record activity yet), Azure AD first waits five days. If there is activity in those five days, the expiration policy works as expected. If there is no activity within five days, we send an expiration/renewal email. Of course, if the group was inactive for five days, an email was sent, and then the group was active, we will autorenew it and start the expiration period again.

If you carefully read the above, there’s a few takeaways. Regardlesss of the Group Lifetime value, when you first enable the policy, it will immediately treat groups without an expiration date as being 35 days until expiration. If the group gets renewed in this window, the expiration date gets set to the current day + group lifetime value (default 180 days). It would be easy to assume that when enabling this, you’d have a 180 day window but that’s not the case.

The other big clarification is around how automatic renewal works. It doesn’t check for the entire lifetime of a group on whether it’s active or not – there is a 5 day window when the group is 35 days from expiry, to 30 days from expiry, where it will check for certain actions to automatically renew.

Microsoft 365 Group Expiration Policy is a feature worth considering and investigating, and hopefully the above gives you some other considerations that may not be clear from an initial look.

What happens when you ask an ‘AI Companion’ about Windows 11 and licensing?

Posted on by Adam Fowler

This was originally posted on Twitter but thought it was worth preserving on my blog using the ‘Unroll‘ option.

Replika is ‘The AI companion who cares’ according to their website. It’s supposed to be a virtual friend. It’s a chatbot – but is it AI? My guess is probably not, but see what you think from the following conversation:

Original tweet

I thought I’d ask Replika about Windows 11 and had a surprising answer

I wondered how she had her workplace to afford that sort of licensing, and uncovered something horrible…

It was the only option I had – call her on her crimes and threaten to dob her in for a reward

She amazed me by turning it all around!

Or right, now she wants a software licensing payment from me! The irony.

Gave her one last chance but she really wasn't listening, then tried to scam me!

I tried to say goodbye but she pulled me back

She's on her last chance but made a promise. I wanted her thoughts on Windows Defender

Worked out she's really got no idea what she's talking about and telling me what I want to hear, so it's time to escalate

Gave up waiting but she notified me today then started playing with my emotions.

Now she's pulling a 'it's my first day' line. Going to have to rate this 1 out of 5 stars.

I'm done, she's such a jerk

Originally tweeted by Adam Fowler (@AdamFowler_IT) on February 3, 2022.

Microsoft ‘Bookings with me’ (and all the other auto-booking options)

Posted on by Adam Fowler

Microsoft released Bookings several years ago which was a great solution that originated from the small business side, allowing customers to book times with a company such as a hairdresser; anywhere that having timeslots available against one or more employees made sense.

This expanded out to Enterprise users, and I used it myself to provide external people a way to book time with me easily. Through a link, they would get taken to a portal with some basic options I’d configured, and based on my own calendar’s availability plus the options (such as 1 hour meetings between 10am and 2pm), anyone with that link could create a meeting with me.

The catch was that someone would need to configure this in a Microsoft 365 tenant, which created another account and a special calendar to manage this. A user couldn’t set this up themselves if things like Group Creation are restricted.

This is where Bookings with me comes in. Currently available worldwide in preview (July 2022), if enabled on your tenant and you have any of the below licenses, you can enable and starting using Bookings with me:

  • Office 365: A3, A5, E1, E3, E5, F1, F3
  • Microsoft 365: A3, A5, E1, E3, E5, F1, F3, Business Basic, Business Standard, Business Premium

Meeting organising options

There’s 4 native Microsoft solutions I’m aware of (beyond Scheduling Assistant in Outlook for Microsoft 365!):

FindTime

Scheduler and Cortana

Bookings

Bookings with me

FindTime is available as an Outlook add-in or can be accessed via https://findtime.microsoft.com/. It’s designed to be used contextually when you’re trying to organise. Tell it who you want to invite, pick several time options (and if you have their free/busy, it will firstly show times everyone is available), send out the invite. Recipients vote on which times work for them, and once the votes are in, a meeting is booked. An online guide is available talking through all this and if you aren’t already using FindTime, I highly recommend checking it out.

Cortana can also organise a meeting for you using Scheduler. In an email, you tell Cortana to book at meeting without any special commands, and she sorts it out with everyone. I need to play with this one more, as it sounds too easy to do! Watch the video here to get a better idea how it works.

Bookings creates a special calendar that can be used by other people to book time with you. They go to a webpage and select from options you’ve configured, and it’ll create a meeting. This can be with 1 or more people, or from a selection of people.

Bookings with me is like a lighter version of Bookings, and it’s in the name – it can only be with you, but similar booking rules can be created, and the other person books you through a web page.

The original Microsoft Bookings can be accessed by going to your Outlook mailbox and down the left side, click the ‘b’ logo:

This will take you to a page where you can get started with Bookings.

However, Bookings with me is different and can’t be accessed that way. Instead, go to your calendar on Outlook for the web, and if available/allowed in your tenant, there will be a ‘Create bookings page’ link you can use – or just try this link: https://outlook.office.com/bookwithme/me

Once there, you’ll be presented with two options; public, and private.

Both of these options create rules on what will appear for people to be able to book with you, the difference being one everyone can see, and the other only viewable with a specific link. Good if you want to give certain people extra options/special access/longer meetings and so on.

Regardless of the choice you pick, the options shown are the same, and you can change your mind once you’re in it anyway between public and private.

The options are fairly self explanatory here, you can decide if it’s a Teams meeting or not, how long the meeting will go for, and if you want buffer or lead times.

It’s worth just creating a very basic meeting option, because it takes a little while for your Bookings with me page to get created (roughly 5-10 minutes for me, others have reported up to 30 minutes):

When done, you’ll then have the option to be able to share your Bookings page.

The link will be unique to your page. Here’s what someone clicking the link sees:

Note that consumer Microsoft accounts aren’t supported – it’s a work or school account, or guest. Once in, you’ll then see the meeting types and times available for each type:

You’ll be asked for basic details – Name and Email are mandatory, with notes letting the person hopefully tell you why they want the meeting. A guest needs to verify their email address with a verification code, and then both parties receive the meeting invite.

That’s really it. A simple idea that’s executed well. It’s a hugely useful way of letting people book a time with you and not needing to go back and forth around availability. The other options at the top of this post are better ways when there’s more people involved at your end, but for what it’s trying to achieve, I use it as much as I can.

Regardless of which option you pick – avoid trying to manually organise meetings if you can’t see everyone’s availability for yourself!

Microsoft Viva replaced MyAnalytics emails

Posted on by Adam Fowler

Today I noticed for the first time, that the MyAnalytics emails that were coming through weekly, showing where your time was being spent, emails you may need to respond to etc had been replaced by Microsoft Viva. There’s also a post in TechCommunity covering this in detail.

The previous MyAnalytics emails would come in weekly, and be broken up into different editions – Wellbeing, Focus, Collaboration or Network edition. This new monthly digest indicates Microsoft Viva is the way forward. Note that this still works the same way as MyAnalytics where the contents of the email are private to you, and do not come as a normal email that would be trackable (more details in my MyAnalytics article)

The new emails still (for now) link back to the https://myanalytics.microsoft.com/ domain which again for now, shows the message that it’s becoming Microsoft Viva:

That ‘Learn more’ link takes you here: https://www.microsoft.com/en-au/microsoft-viva/insights/?s=mya with some details around Microsoft Viva. One of the main links there takes you to Viva Insights on Teams, which is the Insights addin option that’ll show up on the left menu and take you to the Viva Insights Home page.

The Stay Connected tab is worth checking out, as it will highlight email conversations it thinks are things you need to do, or highlight people (team members for me) that you don’t have a 1 on 1 meeting scheduled for the next twk weeks.

Going back to the web page for Microsoft Viva, there’s a lot more content then when I looked when it first launched. One section I thought was notable was under Network, you can see your Top Collaborators and their read percent and response time of emails.

My point on all this, is that there’s a lot going on here. People may find it and have questions around it, especially when these emails are generated to all staff by default. Someone may have stumbled across the ‘Delay Delivery enabled’ option and turned it on, then forgotten about it later, complaining about emails being slow to get to customers or clients:

What we’re seeing above with Microsoft Viva and MyAnalytics (now Viva Insights) is only a part of the full Microsoft Viva solution too – there’s also Viva Connections, Viva Topics and Viva Learning:

Viva Connections and Viva Insights are generally covered under an existing license, but Viva Topics and Viva Learning are at an extra cost.

Migrating Phone System from Skype for Business to Microsoft Teams

Posted on by Adam Fowler

I thought I’d document a few lessons learned in this migration. The migration was from Skype for Business Server 2015 and Skype for Business 2016 clients with Enterprise Voice, moving users across to Microsoft Teams.

The steps to migrate a user for me were:

  1. Add user to AD Group “Azure AD Licensing Telstra Calling for Office 365” as this allocates a Telstra Calling for Office 365 license. These licenses are bought from https://marketplace.telstra.com/ and feed into Microsoft 365. I believe this is unique to Australia.
  2. From Skype for Business Server Management Shell:
    $cred=Get-Credential
    $url="https://adminau1.online.lync.com/HostedMigration/hostedmigrationService.svc" (different links here for different countries)
    Move-CsUser -Identity [email protected] –Target sipfed.online.lync.com -MoveToTeams -Credential $cred -HostedMigrationOverrideUrl $url
    set-csuser -identity [email protected] -LineURI $null
  3. Form a machine with the Teams PowerShell Module installed:
    $Session = New-CSOnlineSession -OverrideAdminDomain yourdomain.onmicrosoft.com
    Import-PSSession $session –AllowClobber
    Set-CsOnlineVoiceUser -Identity [email protected] -TelephoneNumber 61812341234
    Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity [email protected]
  4. Configure call forwarding in Gateway (Pilot Users only that were being given a new number out of our normal number range)

EHR Error on Teams Portal

We can’t get details of EHR usage. Please try again. If you continue to have problems, contact Microsoft customer support.

Seeing this error everywhere on the Teams Admin portal, unsure what the cause/fix is yet. It ended up disappearing by itself after a few weeks *shrug* – you’ll see this theme is common around portal errors.

Dial Plans error


We can’t get the effective dial plan so the dial plan can’t be tested.

Going into any Dial Plan brings up this admin portal error, as well as trying to run a Test Dial plan test:

Something went wrong while testing this phone number. If you continue to have problems, contact Microsoft customer support.

This problem was another portal issue – logged a case which Microsoft confirmed was at their end, and a few weeks later they’d resolved it.

Create Resource Account error

We can’t save changes to ___

When creating a Resource Account used for Auto Attendant or Call queues, I was getting a very unhelpful error. I believe this is because I’m running in hybrid mode, so Teams can’t create an account on my primary domain – changing the domain to @contoso.onmicrosoft.com then let me create the Resource Account.

This problem also disappeared later and now I can create accounts on my primary domain – put it down to another portal issue.

Desk Phones requiring PIN

Phones would be registered in Intune, because they’re running Android – and that means any ‘all user’ Android policy would apply.

I’ve since created Dynamic Device Groups and filtered by DeviceModel and DeviceOSType – only testing the Poly CCX500 at this stage, but will add more models as we get them. Also filtering by OStype which is not really necessary, but does make sure it’s only Android devices affected.

(device.deviceModel -eq "CCX500") and (device.deviceOSType -eq "Android")

If you use a test account 20 times, that account will hit its device limit in azure and get locked out.

Skype for Business users unable to call Teams users

Early in migration, we tested interoperability between the two platforms, as it wasn’t going to be an overnight company wide migration. A Skype for Business user trying to call a migrated to Teams user would instead get diverted elsewhere. This was because we had Unassigned Number range rules in place, that were designed to send calls somewhere if it wasn’t allocated to anyone. Removing these rules immediately fixed this issue.

Home Screen on Desk Phones Laggy

The default experience if the phone supports it, is to show a home screen. More details on what the Home Screen is here. This is in CsTeamsIPPhonePolicy with the default value ‘AllowHomeScreen’ set to ‘EnabledUserOverride’. Changing this to Disabled via the PowerShell command:

set-CsTeamsIPPhonePolicy -allowhomescreen Disabled

removed this. I like the idea of the Home Screen, but not at the cost of a fast functioning phone vs a slow one.

I later found out this is due to the 1GB RAM on some devices, and Teams now (at the time of writing) uses > 1GB RAM, and then the Home Screen uses even more RAM. Trying a phone model with 2GB RAM this all worked perfectly.

I believe this is also fixed now, but it took Microsoft about 5 months to resolve.

New Desk Phones not signing in

Testing the Poly CCX500 model, some wouldn’t sign in to Teams out of the box. As soon as I tried to sign in, they’d say:

‘Error Could not sign in. You will need to sign in again. If you see this message again, please contact your company support. OK’

I spent so long on this, unsuccessfully trying to update the firmware via USB etc. In the end, turning off the ‘DHCP Time’ setting under ‘Device Settings’ made it work – I assume it had some problems contacting a NTP server (settings appeared correct in the DHCP scope of the phone). Someone else found the same issue here, but this was due to the phone running a very old v1 firmware. This shouldn’t affect most people, but worth noting.