Wednesday, September 4, 2013

New OWA Delegation Features for Exchange Online

There was a huge announcement today by the Exchange Online team for expanded support of delegation inside of OWA - http://blogs.office.com/b/office365tech/archive/2013/09/04/configuring-delegate-access-in-outlook-web-app.aspx.

I am asked about this a lot, as organizations have user bases that do not require the full Outlook experience to do email; they only need OWA. Plus OWA has been closing the gaps with Outlook. Traditionally, if you wanted to do granular delegation, a user was required to use Outlook to do it.

When the new Exchange Online was released in the cloud (Exchange 2013), it included the ability to delegate your calendar through the browser. This has been expanded to support delegation of email folders, like your Inbox. Plus this delegation feature is being supported in the new Outlook Web Apps for iPhone and iPad, which is great for people who need to work with Exchange Online across devices and platforms. Please read the post for details - http://blogs.office.com/b/office365tech/archive/2013/09/04/configuring-delegate-access-in-outlook-web-app.aspx.

Now if you still need to delegate more than just email and calendar, Exchange Online admins can delegate a user’s entire mailbox to another user. That user can then use the “Open Another Mailbox…” feature in OWA to completely manage the mailbox and do “Send As”. Please review my blog posting in July 2013 on this topic - http://www.astaticstate.com/2013/07/delegating-mailbox-through-browser.html.

Exchange Online Troubleshooting Tool

The Exchange Product team posted a new useful tool that I started playing around with called the Mail Flow Guided Walkthrough (GWT) - http://blogs.technet.com/b/exchange/archive/2013/09/03/office-365-mail-flow-troubleshooter-now-available.aspx.

You can access the tool here - http://support.microsoft.com/common/survey.aspx?scid=sw;en;3568&showpage=1.

What it will do is ask you basic questions about challenges you may have and help you debug them. There are several scenarios for Office 365, Exchange Online and hybrid. I see this as a very useful tool to help with debugging initial deployments as well.

For instance I followed the path for checking to see if an Exchange Online mailbox is having issues sending an email. First you need to check if DNS is configured. Second check your NDRs. Third check the health of the service. Fourth run a message trace report. Fifth check the user's Outbox, connectivity, third party add-ins, OST files, etc. Really found this to be a great tool.

Tuesday, September 3, 2013

7 Year Blog Birthday

I figured I'd take a second to reflect on my 7 years of running this blog. First I cannot believe it has been 7 years. Keeping this blog going has been extremely important to me professionally. It allows me to refine my thoughts and communicate to others the solutions I am working through. I work very hard to ensure that I post at least one new item a month. Sometimes I crank out a lot of stuff and in only one instance did I miss a month (still annoys me).

This blog got its start on a long Labor Day weekend when I had some time available and wrote my first blog (http://www.astaticstate.com/2007/09/automation-testing-or-simulation-with.html). No kids jumping on me either <g>.

My series that I wrote on Silverlight MVVM Patterns (http://www.astaticstate.com/2010/04/silverlight-4-using-mvvm-patter-ria.html) is still the most popular series I have written. My series on SharePoint 2010 Architecture is in second (http://www.astaticstate.com/2010/01/sharepoint-2010-service-architecture.html) and third my series on SharePoint Branding (http://www.astaticstate.com/2011/05/branding-master-page.html). Along the way I have written a lot about SharePoint App Dev, Enterprise Search, etc.

Most of my days for the past two years have been totally focused on Office 365. Given the role I am in now, I do not do application development anymore. I am really excited to be working with Office 365 and you may have seen my work expand to Exchange Online, Lync Online and Office.

SkyDrive Pro Sync Considerations

Initial Thoughts

I was recently asked whether it is possible to turn off the sync capability of SkyDrive Pro.

Before we go down the path of showing you how, let’s put this into perspective.

From a historical perspective, Microsoft acquired a technology several years ago called Groove which could sync documents offline. In the SharePoint 2010 timeframe, a solution called the SharePoint Workspace 2010 was created to sync documents and data offline (http://technet.microsoft.com/en-us/library/ee649102(v=office.14).aspx). The SharePoint Workspace 2010 client is a good solution and can still be used with SharePoint 2013 – I wrote a blog about this a few months ago - http://www.astaticstate.com/2013/04/skydrive-pro-sync-and-sharepoint-2010.html.

With SharePoint 2013 (and available in SharePoint Online) there is the new SkyDrive Pro Sync Client. When it was first released there was some confusion. Here are some important points:

So what is the concern, given that the Sync capability is a great solution to allow end users to work on documents centrally in a corporate resource that is managed and discoverable? Well, some may have concerns about providing a capability that easily allows users to download large amounts of documents. Let’s address that from multiple different angles as this can be mitigated.

  • Information Architecture – An organization must make a determination of how to manage the content and who will have access to it. SharePoint Online can be configured so that content that is of high business impact is accessible to smaller amounts of people using granular access controls. Additionally there is audit reporting available to track access to content and how it is being utilized.
  • Device Connectivity – I think this is overlooked the most. Remember your organization will have IT policies that dictate who can connect to your SharePoint Online and SkyDrive Pro. For instance, if you want to lock access to content by devices, use ADFS Client Access policies to control where devices can connect from to access your cloud content. A common scenario is to allow only specific IP ranges, so that only devices connecting from the corporate network or VPN are allowed. As well, your IT staff should already have policies around what devices are allowed on the network. They probably have MDM Wipe Solutions or encryption solutions (like BitLocker) to ensure the content is protected on those devices. You can even incorporate solutions such as Forefront Unified Access Gateway (UAG) to do endpoint protection for remote devices connecting. With this, you know that if content is being Sync’ed it is protected by your corporate policies.
  • Authentication - Additionally utilization of ADFS also ensures that a corporate username and password are used to access the content; even two-factor authentication can be required. These policies are under your organization’s control and are not managed by Office 365 or SharePoint Online.
  • Data Loss Protection (DLP) – AD RMS can be incorporated into document libraries which store high impact documents – read up on it here - http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/set-up-information-rights-management-irm-in-sharepoint-online-HA102895193.aspx.
  • Etc.

Ultimately it is a question of how you want your end users to access your content management services and you have control over your data. Blindly turning off Sync is not really the total answer because remember all Enterprise Content Management systems need to allow their users to download documents.

Configuration

At this point you have still identified scenarios where you need to limit the ability for end users to do Sync of content. There can be numerous reasons why. Let’s talk through how you would do it for SharePoint Online.

Specifically there is a property on a SharePoint List called ExcludeFromOfflineClient. This was originally introduced in SharePoint 2010 to block people using the SharePoint 2010 Workspace. This same property is also used to block SharePoint 2013 Sync capability.

Option - PowerShell

If you are an on-premise SharePoint 2013 customer, no problem: PowerShell can easily be written to remove the ability to Sync. Please review this reference - http://technet.microsoft.com/en-us/library/dn169080.aspx

However if you are a SharePoint Online organization, the SharePoint Online PowerShell for SPOSite does not support ExcludeFromOfflineClient - http://technet.microsoft.com/en-us/library/fp161397.aspx.

Option – Turn Off via UI

As many of you know the Sync button is available in the top right hand corner. To get rid of it is pretty simple.

Go to Site Settings >> Search >> Search and Offline Availability >> and turn the Offline Client Accessibility to No.

The result is that the Sync button is removed. The only consideration for this option is that it removes the Sync capability from the entire site and all the document libraries in that site. It will not remove the Sync button from each sub site.

Option – Using the Sandbox Solution

I did some digging and saw that the ExcludeFromOfflineClient property was available in the SharePoint Sandbox API and is supported in SharePoint Online - http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.splist.excludefromofflineclient(v=office.14).aspx.

I then looked at the SharePoint 2013 listing of that API to see if it was supported for Sandbox or SharePoint Online but there was no mention - http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.splist.excludefromofflineclient(v=office.15).aspx.

My goal was to create a solution for SharePoint Online administrators that will allow them to disable Sync on a large number of sites without having to manually disable the Sync capability on each and every site. My idea was that you could create a Feature that uses the FeatureActivated event handler to flip the ExcludeFromOfflineClient property to true. I was able to confirm that yes, it does work.

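    public override void FeatureActivated(SPFeatureReceiverProperties properties) {
        // The cast assumes the feature is scoped to a web, so its parent is an SPWeb.
        SPWeb web = properties.Feature.Parent as SPWeb;
        // Look up the "Documents" library.
        SPList list = web.GetList("Documents");
        // true excludes the library from offline clients, which removes the Sync capability.
        list.ExcludeFromOfflineClient = true;
        list.Update();
        web.Update();
    }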

Ultimately you will need to write some code to recursively loop over all the sites and libraries to remove the Sync capability. The only limitation of this solution is that a Site Administrator has the ability to go back and turn Sync back on. That issue can be dealt with by rerunning the feature or training your Site Administrators.
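One way to write the recursive loop described above, as an added example rather than code from this post or from Ed Hild. It assumes a feature scoped to the site collection (so Feature.Parent is an SPSite); the class name DisableSyncFeatureReceiver and the helper DisableSync are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example: hypothetical receiver, assumed to be attached to a Site-scoped feature.
public class DisableSyncFeatureReceiver : SPFeatureReceiver
{
    public override void FeatureActivated(SPFeatureReceiverProperties properties)
    {
        SPSite site = properties.Feature.Parent as SPSite;
        if (site == null)
        {
            return; // activated at a scope this example does not handle
        }
        // RootWeb is owned by the SPSite object, so it is not disposed here.
        DisableSync(site.RootWeb);
    }

    // Sets ExcludeFromOfflineClient on every visible document library in
    // this web, then repeats the same work for each sub site.
    private static void DisableSync(SPWeb web)
    {
        // Collect IDs first: calling Update() while enumerating web.Lists
        // can invalidate the enumerator.
        List<Guid> libraryIds = new List<Guid>();
        foreach (SPList list in web.Lists)
        {
            if (list.BaseType == SPBaseType.DocumentLibrary
                && !list.Hidden
                && !list.ExcludeFromOfflineClient)
            {
                libraryIds.Add(list.ID);
            }
        }

        foreach (Guid id in libraryIds)
        {
            SPList library = web.Lists[id];
            library.ExcludeFromOfflineClient = true; // removes the Sync capability
            library.Update();
        }

        // Sub webs returned by web.Webs must be disposed by the caller.
        foreach (SPWeb child in web.Webs)
        {
            try { DisableSync(child); }
            finally { child.Dispose(); }
        }
    }
}
```

Libraries that already have the property set are skipped, so reactivating the feature only touches libraries where a Site Administrator has turned Sync back on.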

Since this is a Feature, you can get a lot more creative too. For instance you could build an entire UI to manage the Sync capability on a per-library basis, make a library template, make a ribbon button, etc.

My colleague Ed Hild created the code snippet for me as I had not installed Visual Studio on my new machine – scary – thanks Ed.

Non-Option – Client Side Object Model

This is something I at least investigated but is not possible. If you look at the CSOM API for List you will see that ExcludeFromOfflineClient is not available - http://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.client.list.aspx.

Non-Option – Disable the Sync client

This is something I at least explored but determined it was not the best approach.

As I mentioned earlier, the Sync client is part of Office 2013 and is available as a standalone install for Office 2010, 2007, etc. Yes, it is possible to create group policies to not allow the standalone Sync client to be installed. However if you are using Office 2013 I did not find a quick solution to block it.

Plus it is just not a realistic option. From a management perspective you should create policies based on your information architecture that drive security which is implemented by your SharePoint Online configuration. You will identify types of content where you may not want to allow syncing and therefore you will turn it off using the options I discussed above.

SkyDrive Pro “Shared with Me” View

Sometimes, it is the little things that count. Well there is a new feature being added to SkyDrive Pro in SharePoint Online called “Shared with Me”. It is awesome!

This provides an end user with a single place to go to review and edit documents / folders that have been directly shared with them. Now you no longer have to bookmark or dig through old emails trying to find a link to a specific document that was shared with you.

Additionally adding this feature really helps people share files with each other using SkyDrive Pro. I am a heavy user of SkyDrive Pro. I commonly create presentations for customers or write-ups that I only want to share with specific individuals. I always put them in SkyDrive Pro and then just share it with those specific people. Now all they need to do is just go to the “Shared with Me” view in SkyDrive Pro to find the documents I gave them permissions to.

And remember, sharing documents with SkyDrive Pro and with SharePoint 2013 sites in general is really simple! No more digging through complex permissions screens. It is so easy for end users.

Note the new “Shared with Me” feature does not show you documents / folders that have been shared with you because you are associated to a group. It only retrieves items that are directly shared with you. This makes a lot of sense because you could have permissions to a Document Center that may have thousands of documents. You do not want to see all those documents clutter up this list. Remember you can always click the Follow button to follow large repositories or sites that you are most interested in.

Resource - http://blogs.office.com/b/office365tech/archive/2013/08/27/skydrive-pro-increases-storage-and-ease-of-sharing.aspx

New EOP Spam Notification Email

EOP Spam Notification Email

The Exchange Online Protection (EOP) service description has been updated - http://technet.microsoft.com/en-us/library/anti-spam-and-anti-malware-protection-in-eop.aspx.

One feature in particular I am excited to write about is the new Quarantine End User Self-Management feature. Some of you may know that the previous FOPE solution allowed end users to be given direct access to the quarantine management in FOPE administration. This is no longer allowed in the new EOP solution with Exchange Online.

Now end users can receive a spam notification email which contains a list of spam-quarantined messages received in the last three days. End users can release the quarantined email to their inbox and report the email as Not Junk through the email.

Turning It On

For instructions, go here - http://technet.microsoft.com/en-us/library/dn296367(v=exchg.150).aspx

As you can see here, I just went to my Content Filter policy and simply clicked the link to turn on End-user spam notifications.

From a Policy Perspective

EOP has some really flexible configurations that will allow you to create a policy that meets the needs of your end users. Really your end users do not need direct access to the quarantine management area; the Junk Mail folder is recommended. Think about these points:

  • Content Filter Policies – For each content filter policy you create, you have the ability to send email to either the quarantine or the junk mail folder (there are actually several other options but let’s just keep with this line of thought). In a content filter policy you can create rules that send some spam to the quarantine and other spam to the junk folder. A common configuration would be to send High Spam Confidence Level (SCL) to the quarantine, while sending Low SCL email to the junk mail folder. This is good because it allows end users to have direct access to low SCL email. If email has a high SCL (it was tagged that for a reason), there is a strong chance the end user really does not need to have immediate access to it.
  • Multiple Filter Policies – Remember you can create multiple content filter policies in EOP that can be assigned to users, groups and even email domains. So it is possible to only turn on end user spam notifications for a subset of end users.
  • Transport Rules – Remember you have transport rules at your disposal that can analyze the email. You can create your own rules that change SCL of a message.
  • Outlook / OWA Safe Senders – Remember end users’ safe and block lists (set in Outlook or OWA) are taken into consideration as the email is being filtered. Why is that important? Remember one end user may regard an email as spam while another user may believe the email is completely legitimate (let’s take phishing out of the picture for a second <g>; and yes EOP has solutions for that too).
  • Retention on Junk Mail Folder – I have also had people say to me, well if the email is going to be in the Junk Mail folder is that going to take up space in their mailbox? Well yes, but that is what retention rules are for. By default the Junk Mail folder retention period is set to 15 days. You can make that shorter or longer.

The point that I want to make is that organizations have choice in their configurations. You can use quarantine, junk mail folder, transport rules, safe sender lists, etc. to come up with a great solution.