Make sure students are attendees by default in Microsoft Teams meetings

Microsoft recently announced a change to meeting policies where a Teams Service admin can make sure users are attendees by default, rather than presenters.

This can be especially valuable in education, where students with the presenter role can misbehave by muting the teacher and removing others from the meeting entirely.

So let’s apply this change to an existing meeting policy using PowerShell.

First run the New-CsOnlineSession cmdlet and log in with your admin credentials.

# Connect to Skype PowerShell
$CSSession = New-CsOnlineSession
Import-PSSession $CSSession -AllowClobber

# choose teacher policy from grid view and store to variable
$Policy = Get-CsTeamsMeetingPolicy | select Identity, Description | Out-GridView -PassThru

Then choose the appropriate meeting policy from the grid view and click OK.

[Screenshot: selecting the teacher meeting policy in the grid view]

We then need to update the policy to change the DesignatedPresenterRoleMode attribute to OrganizerOnlyUserOverride.

# change policy
Set-CsTeamsMeetingPolicy -Identity $Policy.Identity -DesignatedPresenterRoleMode OrganizerOnlyUserOverride

# verify results
Get-CsTeamsMeetingPolicy -Identity $Policy.Identity | select Identity, DesignatedPresenterRoleMode

The end result should be something like this.

[Screenshot: the teacher policy with DesignatedPresenterRoleMode set to OrganizerOnlyUserOverride]

You now need to wait… and wait some more… and in about 24 hours you should see that students are attendees by default in any new meeting organized by a teacher with the policy applied.
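As an added example (not code from the original post), the function below audits every Teams meeting policy for its presenter default and, with -Fix, corrects the non-compliant ones. It assumes the Skype for Business Online session created earlier in the post (New-CsOnlineSession / Import-PSSession) is active; Get-PresenterRoleAudit, -IdentityPattern and -Fix are names chosen for this example.

```powershell
# Added example: audit Teams meeting policies for the presenter default.
# Assumes an active Skype for Business Online PowerShell session, as set up in the post.
function Get-PresenterRoleAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Only policies whose Identity matches this wildcard pattern are reported
        [string]$IdentityPattern = '*',
        # When set, non-compliant policies are changed to OrganizerOnlyUserOverride
        [switch]$Fix
    )

    # The value the post recommends for education tenants
    $desired = 'OrganizerOnlyUserOverride'

    foreach ($policy in Get-CsTeamsMeetingPolicy | Where-Object { $_.Identity -like $IdentityPattern }) {
        $before = $policy.DesignatedPresenterRoleMode
        $after  = $before

        if ($Fix -and $before -ne $desired -and $PSCmdlet.ShouldProcess($policy.Identity, "Set DesignatedPresenterRoleMode to $desired")) {
            Set-CsTeamsMeetingPolicy -Identity $policy.Identity -DesignatedPresenterRoleMode $desired
            # Re-read the policy so the report reflects what is actually stored, not what was sent
            $after = (Get-CsTeamsMeetingPolicy -Identity $policy.Identity).DesignatedPresenterRoleMode
        }

        [pscustomobject]@{
            Identity  = $policy.Identity
            Before    = $before
            After     = $after
            Compliant = ($after -eq $desired)
        }
    }
}

# Report only (no changes):
Get-PresenterRoleAudit | Format-Table -AutoSize
# Show what -Fix would change before actually changing it:
Get-PresenterRoleAudit -Fix -WhatIf
```

Running the audit periodically catches policies that were added or reset after the change, and the Before/After columns give you a record of what was altered when -Fix is used.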

Parent access in Microsoft Teams for Education

Parent access isn’t very prominent within Microsoft Teams for Education today, but there are ways to include them, one of which is parent and guardian links in OneNote Class Notebook. In this post I will show you how to enable parent and guardian links in a class notebook that is part of a class team in Microsoft Teams.

[Image: Parents]

Back in April 2017, the OneNote team announced read-only parent or guardian access in OneNote Class Notebook. Shortly after, Microsoft Teams for Education was announced, and while class teams do include a class notebook, it is stored in SharePoint, which requires us to make some preparations before we can start sharing.

Disclaimer: While the content of this blog post was accurate at the time of writing September 22nd 2018, things change fast in the world of Microsoft Teams, so things might be different by the time you read this.

Let’s dive right in by first opening the class notebook within the class team, then choose Open in OneNote followed by Open in OneNote Online.

[Screenshot: Open in OneNote Online]

The class notebook opens in the browser, we choose the Class Notebook tab followed by Manage Notebooks.

[Screenshot: Manage Notebooks]

Choose Parent and guardian links.

[Screenshot: Parent and guardian links]

Choose All students.

[Screenshot: Parent links for all students]

Ouch! That doesn’t look good…

[Screenshot: error generating Parent Notebook Links]

The reason Parent Notebook Links can’t be generated is that the SharePoint site hosting the notebook doesn’t allow for anonymous sharing.

By default the team’s underlying SharePoint site has SharingCapability set to ExternalUserSharingOnly. To be able to create Parent Notebook Links it needs to be set to ExternalUserAndGuestSharing.

Luckily that’s easy: just get the site URL…

[Screenshot: getting the SharePoint site URL]

and run the following PowerShell one-liner:

Set-SPOSite -Identity $Siteurl -SharingCapability ExternalUserAndGuestSharing

or follow my guide Anonymous guest sharing in Teams for a full tutorial.

If you would like to enable Parent Notebook Links for all class teams, and happen to use School Data Sync, you should instead see Anonymous guest sharing in Teams part two.

You can also modify the sharing settings from within the new SharePoint Admin Center:

[Screenshot: sharing settings in the SharePoint Admin Center]

Choose Anyone and hit save.

[Screenshot: external sharing set to Anyone]

Once that is done, and the SharingCapability is set to ExternalUserAndGuestSharing, it looks much better:

[Screenshot: Parent Notebook Links generated successfully]

Just send the individual links to parents and they’re good to go!

This is one way to involve parents when using Microsoft Teams for Education. Let’s hope that in the not so distant future we will also be able to give parents insight into Assignments, or better yet, get a complete parent portal with messages and week plans.

If you don’t want to wait, have a look at how you can supplement Microsoft Teams for Education with learning management tools from 3rd parties like Skooler. Check out my two part series Teams + Skooler, better together – part 1 and Teams + Skooler, better together – part 2.

 

Microsoft 365 automation using SDS attributes, Intune & Graph

June 19th I had the pleasure of talking about how to move your education environment to the cloud with Microsoft 365, at Experts Live Netherlands. In this post I will discuss some of the examples from that talk.

Disclaimer: While these SDS attribute examples worked at the time of writing, they are not supported by Microsoft moving forward. For anything other than testing, please consider building on top of the Education APIs in Microsoft Graph.

 

[Image: Experts Live speaker card]

Experts Live Netherlands is a conference held in Ede, Netherlands, with more than a thousand attendees. For me this was a first; I had never before spoken at such a large conference, nor outside Norway.

[Photo: on stage]

I obviously spoke about Teams, and how to automate using School Data Sync which I have blogged about before, but also on modern management with Autopilot and Intune, and how to utilize extension attributes from SDS to automate anything from application delivery to redeployment of Windows 10 devices.

 

School Data Sync

To recap, School Data Sync is a free service in Office 365 Education. It takes data about students, teachers, class rosters and more from the Student Information System, and uses that data to create and license users in Azure Active Directory and Microsoft 365, create classes in Microsoft Teams complete with teachers and students, and more.

[Screenshot: School Data Sync overview slide]

School Data Sync also lets you get grades and graduation year from the Student Information System, which you could then use to assign apps dynamically, automate archiving of classes End Of Year and to trigger Autopilot Reset.

[Screenshot: SDS user properties, including Grade and Graduation Year]

I won’t go through the details of setting up SDS, since I already covered that in a previous post, but you can see above what properties are available. In the upcoming examples we will need Grade and Graduation Year.

Autopilot

Autopilot is a set of technologies designed to get Windows 10 devices quickly into a secure and managed state, as well as reset, repurpose or recover them when needed.

Those who manage Apple iOS devices will notice there are many similarities to the Apple Device Enrollment Program (DEP).

[Image: Windows Autopilot deployment overview]

To get devices into Autopilot we need the hardware vendor or distributor to provide or upload the hardware IDs, and we need to assign a deployment profile.

Within the Device Management portal in Azure we go to Device Enrollment followed by Windows Enrollment and Deployment Profiles.

We click Create profile, give it a name and choose a deployment mode, User-Driven in this case, specify that it should be joined to Azure AD, hide the EULA and Privacy Settings to ease the setup process for the user, and set the User account type to Standard.

[Screenshot: Autopilot deployment profile settings]

 

We assign the profile to a group of users and we’re good to go.

The vendor or distributor ships the device directly to the school; the student unboxes the device and gets a customized Out Of Box Experience.

They need to choose a region and pick a keyboard layout, as well as choose the appropriate Wi-Fi network.

Windows will then fetch the latest updates for the OOBE experience, and query the Autopilot service to get the configuration we just created.

[Screenshot: Autopilot OOBE with company branding]

Company branding has been applied even before the student logs on, ensuring a sense of familiarity.

After logon the device starts configuring, and since we’re licensed and set up with Microsoft 365 A3 it will auto-enroll into Intune and get any configuration profiles, compliance policies and apps pushed down.

Auto-enrollment requires Azure AD Premium as well as a Mobile Device Management service like Intune (part of EMS and Microsoft 365 SKUs like A3, A5 etc.)

 

Dynamic application delivery

By now the device is enrolled and managed with Intune, and apps are installing, but students in the first grade most likely need different apps than students in the 7th grade.

So let’s find the extension attributes available from SDS, and create dynamic groups for app association. Relevant attributes have the format extension_<appId>_<attribute name>, and the appId for SDS is fe2174665583431c953114ff7268b7b3.

We need to connect to Azure AD using the preview module, then search for a user and have a look at the extension attributes.

Get-AzureADUser -SearchString student@teams.rocks | select -ExpandProperty ExtensionProperty

[Screenshot: ExtensionProperty output for a student]

You can see we have attributes like GraduationYear and Grade, as well as ObjectType to distinguish between students and teachers.

Let’s add all our users to a variable and then create a custom object to show only what is relevant.

# add users to variable
$users = Get-AzureADUser

# create a custom object and list users, grade and role
foreach ($user in $users) {
    $user | Select-Object -Property @{n = 'Name'; e = {$_.DisplayName}},
        @{n = 'Role'; e = {$_.ExtensionProperty.'extension_fe2174665583431c953114ff7268b7b3_Education_ObjectType'}},
        @{n = 'Grade'; e = {$_.ExtensionProperty.'extension_fe2174665583431c953114ff7268b7b3_Education_Grade'}},
        @{n = 'GraduationYear'; e = {$_.ExtensionProperty.'extension_fe2174665583431c953114ff7268b7b3_Education_GraduationYear'}}
}

 

[Screenshot: users with Role, Grade and GraduationYear]

We’ve got students from grade 7 and 8 as well as a teacher, synced using SDS. We also have the Graduation Year, which we will use later. First let’s create dynamic groups for app association.

# create dynamic group for Grade 7
New-AzureADMSGroup -DisplayName "Grade 7" -MailEnabled $false -MailNickname "Grade7" -SecurityEnabled $True -GroupTypes DynamicMembership -MembershipRule "(user.extension_fe2174665583431c953114ff7268b7b3_Education_Grade -eq ""7"")" -MembershipRuleProcessingState On

# create dynamic group for Grade 8
New-AzureADMSGroup -DisplayName "Grade 8" -MailEnabled $false -MailNickname "Grade8" -SecurityEnabled $True -GroupTypes DynamicMembership -MembershipRule "(user.extension_fe2174665583431c953114ff7268b7b3_Education_Grade -eq ""8"")" -MembershipRuleProcessingState On

# create dynamic group for Graduation Year
New-AzureADMSGroup -DisplayName "Graduates 2021" -Description "Students that graduate in year 2021" -MailEnabled $false -MailNickname "Graduates2021" -SecurityEnabled $True -GroupTypes DynamicMembership -MembershipRule "(user.extension_fe2174665583431c953114ff7268b7b3_Education_GraduationYear -eq ""2021"")" -MembershipRuleProcessingState On

We created two dynamic groups for grade 7 and 8, as well as one for Graduation Year 2021. Let’s also list the groups.

# list groups
Get-AzureADMSGroup | select DisplayName, GroupTypes

[Screenshot: group list showing DynamicMembership]

Use dynamic groups like Grade 7 and 8 to assign applications. Whenever there is a new school year in August, students from grade 7 will be moved into the group for grade 8, and Intune will remove apps assigned to grade 7 and add any apps, or profiles for that matter, assigned to grade 8.
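The three New-AzureADMSGroup calls above each hard-code one grade. As an added example (not code from the original post), the function below generalizes them to any list of grades and checks whether a group already exists before creating it, so it can be re-run every year without producing duplicates. It assumes Connect-AzureAD has run; $SdsAppId is the SDS application id quoted in the post, and New-GradeDynamicGroup is a name chosen here.

```powershell
# Added example: one dynamic group per grade, created idempotently.
# Assumes Connect-AzureAD has run. $SdsAppId is the SDS appId from the post.
$SdsAppId = 'fe2174665583431c953114ff7268b7b3'

function New-GradeDynamicGroup {
    param(
        [Parameter(Mandatory)][int[]]$Grades,
        [string]$Prefix = 'Grade'
    )
    foreach ($grade in $Grades) {
        $name = "$Prefix $grade"

        # Exact-match filter: -SearchString is a prefix match and would also hit "Grade 10" when asked for "Grade 1"
        $existing = Get-AzureADMSGroup -Filter "displayName eq '$name'"
        if ($existing) {
            [pscustomobject]@{ DisplayName = $name; Id = $existing.Id; Status = 'Exists' }
            continue
        }

        # Braces are required: $SdsAppId_Education would be parsed as a single variable name.
        # The doubled quotes produce the literal "7" that the membership rule syntax expects.
        $rule = "(user.extension_${SdsAppId}_Education_Grade -eq ""$grade"")"

        $group = New-AzureADMSGroup -DisplayName $name -Description "Students in grade $grade (from SDS)" `
            -MailEnabled $false -MailNickname "$Prefix$grade" -SecurityEnabled $true `
            -GroupTypes DynamicMembership -MembershipRule $rule -MembershipRuleProcessingState On

        [pscustomobject]@{ DisplayName = $name; Id = $group.Id; Status = 'Created' }
    }
}

# Create (or confirm) groups for grades 1 through 10
New-GradeDynamicGroup -Grades (1..10) | Format-Table -AutoSize
```

The Status column tells you at a glance which groups were new on this run, which is useful when the script is part of a start-of-year routine.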

 

Autopilot Reset

Windows Autopilot Reset removes personal files, apps, and settings, resetting Windows 10 while still maintaining Azure AD Join and MDM enrollment.

Microsoft first announced this with 1709 as automatic redeployment, and said remote triggering would be available in the spring. Then remote triggering was pulled from 1803, but reappeared in insider build 17672 and was announced June 7th as Autopilot Reset.

Devices will retain the region, language, and keyboard settings, and connect to Wi-Fi using the network credentials provisioned prior to the reset.

This means that we can use the group we created earlier, based on graduation year, to automatically reprovision a set of devices!

When new students arrive after the summer they can log on to a fresh device in a managed and secure state, and all Intune needs to do is push any apps or profiles unique to the user or grade.

This example utilizes the Microsoft Graph to instruct the Intune service to reset one or more devices in a certain way. I will not cover the authentication part of working with Graph, but you can find the functions used in this example in Microsoft’s GitHub repository for PowerShell Intune samples.

First we need to construct a payload with the wipe instructions.

# construct JSON object (body) for wipe instructions
$payload = @{
    keepEnrollmentData = $true
    keepUserData       = $false
}
$body = $payload | ConvertTo-Json

The object will look like this:

{
    "keepEnrollmentData": true,
    "keepUserData": false
}

 

We will then get the users from the dynamic group we created earlier, and the Device IDs of any devices they have enrolled in Intune. We use the Device ID to construct a URI, and trigger the wipe action using the Invoke-RestMethod cmdlet pointing to that URI together with the authToken as well as the JSON payload from the last step.

$users = Get-AzureADGroup -SearchString "Graduates 2021" | Get-AzureADGroupMember
foreach ($user in $users) {

    # get user id (Intune device ID is not the same as Azure AD device ID)
    $id = (Get-AADUser -userPrincipalName $user.UserPrincipalName).id
    # get id from device registered to user
    $DeviceID = (Get-AADUserDevices -UserID $id).id
    if ($DeviceID) {
        # construct uri
        $Resource = "deviceManagement/managedDevices/$DeviceID/wipe"
        $uri = "https://graph.microsoft.com/beta/$($Resource)"
        # reset device
        Write-Host "Performing reset on device $DeviceID" -ForegroundColor Yellow
        Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $body
    }
    else {
        Write-Host "User has no registered device" -ForegroundColor Cyan
    }
}

 

The URI should look like this: https://graph.microsoft.com/beta/deviceManagement/managedDevices/7345bdbf-1f17-4b59-85e7-ac2e545d776c/wipe
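The script above assumes each user has at most one device; if a user has several, $DeviceID holds a list and the constructed URI is wrong. As an added example (not the post’s script), the function below handles any number of devices per user, resolves the group by exact display name, and supports -WhatIf so you can list what would be reset before anything is touched. It assumes $authToken holds the Graph authorization header built with the Intune PowerShell samples (as in the post) and that Connect-AzureAD has run; the Graph calls used are GET users/{id}/managedDevices and POST deviceManagement/managedDevices/{id}/wipe. Invoke-GroupAutopilotReset is a name chosen here.

```powershell
# Added example: Autopilot Reset for every Intune device of every member of a group.
# Assumes $authToken (Graph auth header from the Intune PowerShell samples) and Connect-AzureAD.
function Invoke-GroupAutopilotReset {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$GroupDisplayName,
        [Parameter(Mandatory)][hashtable]$AuthHeader,
        [string]$GraphBase = 'https://graph.microsoft.com/beta'
    )
    # Same wipe instructions as the post: keep enrollment data, drop user data
    $body = @{ keepEnrollmentData = $true; keepUserData = $false } | ConvertTo-Json

    # Exact display-name match; refuse to continue on zero or several matches
    $groups = @(Get-AzureADGroup -Filter "displayName eq '$GroupDisplayName'")
    if ($groups.Count -ne 1) { throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)" }

    foreach ($member in Get-AzureADGroupMember -ObjectId $groups[0].ObjectId -All $true) {
        if ($member.ObjectType -ne 'User') { continue }   # nested groups, devices etc. are ignored

        # All Intune-managed devices for this user (may be zero, one or many)
        $devices = @((Invoke-RestMethod -Uri "$GraphBase/users/$($member.ObjectId)/managedDevices" -Headers $AuthHeader -Method Get).value)
        if ($devices.Count -eq 0) {
            [pscustomobject]@{ User = $member.UserPrincipalName; Device = $null; DeviceId = $null; Action = 'NoDevice' }
            continue
        }

        foreach ($device in $devices) {
            $target = "$($device.deviceName) ($($device.id)) for $($member.UserPrincipalName)"
            if ($PSCmdlet.ShouldProcess($target, 'Autopilot Reset (wipe, keep enrollment data)')) {
                Invoke-RestMethod -Uri "$GraphBase/deviceManagement/managedDevices/$($device.id)/wipe" -Headers $AuthHeader -Method Post -Body $body -ContentType 'application/json' | Out-Null
                $action = 'ResetRequested'
            } else {
                $action = 'Skipped'
            }
            [pscustomobject]@{ User = $member.UserPrincipalName; Device = $device.deviceName; DeviceId = $device.id; Action = $action }
        }
    }
}

# Dry run: lists every device that would be reset without touching any of them
Invoke-GroupAutopilotReset -GroupDisplayName 'Graduates 2021' -AuthHeader $authToken -WhatIf

# Real run; ConfirmImpact = High means each device is confirmed unless -Confirm:$false is passed.
# Keep the output as a record of which devices were reset and when.
Invoke-GroupAutopilotReset -GroupDisplayName 'Graduates 2021' -AuthHeader $authToken | Export-Csv .\reset-log.csv -NoTypeInformation
```

Because a wipe is irreversible, the dry run and the per-device confirmation are the two checks worth keeping even when the script is otherwise automated.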

And this is the result in our demo environment:

[Screenshot: script output in the demo environment]

We had two students fitting the description; you can see the first one didn’t have a registered device, but the second did.

We can see from the Intune console the action automaticRedeployment is now pending (status will change to completed when the device has registered back into the service).

[Screenshot: Intune console showing automaticRedeployment pending]

 

If a user is logged on they will first receive a toast message, informing them a restart is scheduled in 45 minutes for automatic redeployment.

[Screenshot: toast message announcing the scheduled restart]

35 minutes later they will get a popup message counting down, warning that Windows will shut down in 10 minutes.

[Screenshot: login screen message after the reset]

When the device is reset and ready for a new student they will see the message shown above on the login screen.

 

Needless to say, you can customize the above script to better suit your environment; maybe you need to reset all devices in a particular school, or you have some other criteria.

Microsoft Graph EDU

To sum up, when using School Data Sync, a set of extension attributes can be made available. Combine that with the power of the Microsoft Graph, and you can automate anything from application delivery to redeployment of Windows 10 devices, freeing up valuable time for IT and educators.

Anonymous guest sharing in Teams part two.

In this article I will show you how to allow anonymous sharing of folders and documents from Teams created by School Data Sync. This article will only cover the actual SharePoint permissions, for more information about sharing please read my initial post Anonymous guest sharing in Teams.

From the Docs we can learn that School Data Sync (SDS) is a free service in Office 365 for Education that reads the school and roster data from a school’s Student Information System (SIS). It creates Office 365 Groups for Exchange Online and SharePoint Online, class teams for Microsoft Teams and OneNote Class notebooks among other things.

Large schools and districts can save a lot of time using School Data Sync to automate the creation of teams, user accounts, team memberships, licensing etc. Just imagine creating class teams and adding memberships in a district with thousands of students and teachers, then imagine repeating that during every summer break… SDS can be a complex tool; luckily Microsoft also offers free one-to-one deployment support.

As I explained in the first part of this two-part series, the default SharingCapability of the underlying SharePoint site is ExternalUserSharingOnly, not ExternalUserAndGuestSharing, which is what is needed for anonymous sharing (sharing with users without an Azure AD account).

As previously shown we can easily change the SharingCapability of a single site, but to change in bulk all those created with School Data Sync, based on data from your Student Information System, we need to create a simple PowerShell script.

First up we need to save our admin credentials to a variable and connect to SharePoint Online PowerShell:

$Cred = Get-Credential
Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential $Cred

Now we need to find all the SharePoint sites belonging to teams created by School Data Sync. First let’s capture all sites in a variable:

$sites = Get-SPOSite -Limit All

School Data Sync will create teams based on what Microsoft refers to as Sections. A section could be a class, course or some other type of logical group in your SIS, and it will always have a unique identifier that will be part of the URL of the underlying SharePoint site. It would typically look like this:

https://tenantname.sharepoint.com/sites/Section_131408225065301513

At this point we have a variable containing all SharePoint sites; let’s separate out those belonging to a team created by School Data Sync by filtering on the URL with a pipe to Where-Object:

$SDSSites = $sites | Where-Object { $_.Url -like "https://tenantname.sharepoint.com/sites/Section_*" }

You can easily establish the total number of SharePoint sites created by School Data Sync using the Count property.

$SDSSites.Count

Now that we have a variable containing the relevant SharePoint site objects, let’s summarize this whole exercise into a script to allow anonymous sharing in bulk:

# store admin credentials in a variable
$Cred = Get-Credential

# connect to SharePoint Online PowerShell
Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential $Cred

# store all SharePoint sites in a variable
$sites = Get-SPOSite -Limit All

# extract SharePoint sites created by SDS
$SDSSites = $sites | Where-Object { $_.Url -like "https://tenantname.sharepoint.com/sites/Section_*" }

# set SharingCapability to ExternalUserAndGuestSharing
foreach ($site in $SDSSites) {
    Set-SPOSite -Identity $site.Url -SharingCapability ExternalUserAndGuestSharing
}

Set-SPOSite is quite slow; depending on how many teams were created by SDS, this script can take hours to finish. Consider adding a progress counter using Write-Progress if $SDSSites.Count returns more than 100 sites.

When the script is finished you should be able to share anonymously from all teams created by SDS. Remember to repeat the process whenever new teams are added via your SIS (typically during winter and/or summer break).
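As an added example (not the post’s script), the function below packages the bulk change with the Write-Progress counter suggested above, skips sites that are already set so repeat runs (after a new SIS import) only touch new sections, and supports -WhatIf so the list of affected sites can be reviewed first. It serves both this bulk procedure and the single-site Set-SPOSite / Get-SPOSite check from the first post. It assumes Connect-SPOService has already run; ‘tenantname’ is a placeholder and Set-SdsSiteSharing is a name chosen here.

```powershell
# Added example: bulk SharingCapability change on SDS section sites with progress and -WhatIf.
# Assumes Connect-SPOService has already run; 'tenantname' is a placeholder.
function Set-SdsSiteSharing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [string]$Capability = 'ExternalUserAndGuestSharing'
    )
    $prefix = "https://$Tenant.sharepoint.com/sites/Section_"
    $sites  = @(Get-SPOSite -Limit All | Where-Object { $_.Url -like "$prefix*" })
    $total  = $sites.Count
    if ($total -eq 0) { Write-Warning "No sites matching $prefix* found"; return }

    $i = 0
    foreach ($site in $sites) {
        $i++
        Write-Progress -Activity 'Updating SharingCapability' -Status "$i of $total : $($site.Url)" -PercentComplete ([int](100 * $i / $total))

        # Read the single site back so the decision is based on the stored value, as in the post's verify step
        $current = (Get-SPOSite -Identity $site.Url).SharingCapability
        if ($current -eq $Capability) {
            [pscustomobject]@{ Url = $site.Url; Before = $current; Action = 'AlreadySet' }
            continue
        }

        if ($PSCmdlet.ShouldProcess($site.Url, "Set SharingCapability to $Capability")) {
            Set-SPOSite -Identity $site.Url -SharingCapability $Capability
            [pscustomobject]@{ Url = $site.Url; Before = $current; Action = 'Changed' }
        } else {
            [pscustomobject]@{ Url = $site.Url; Before = $current; Action = 'Skipped' }
        }
    }
    Write-Progress -Activity 'Updating SharingCapability' -Completed
}

# Preview which sites would change, then run for real and keep a record
Set-SdsSiteSharing -Tenant 'tenantname' -WhatIf
Set-SdsSiteSharing -Tenant 'tenantname' | Export-Csv .\sds-sharing-changes.csv -NoTypeInformation
```

Skipping sites that are already set is what keeps the scheduled re-runs short: only the sections added since the last SIS import go through the slow Set-SPOSite call, and the CSV tells you exactly which sites now allow anonymous links.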

Manage Teams on the go (like a boss…)

As an Office 365 admin you might get a request while out of the office or otherwise not in front of a computer. Continuing on the example from the education sector, a teacher might be home sick and the substitute teacher needs access to the class team.

There are several ways to add an owner to a team as an Office 365 admin, like the Office 365 Admin center, the Azure AD Portal or as usual PowerShell.

While on the go some of these options are just as viable with an appropriate device, you also have the option of using the native Office 365 Admin app or the Azure Cloud Shell.

The easy way out would be to download the Office 365 Admin app.

Log on, choose Groups in the left side menu and search for the relevant group. Click the group in the list and choose Edit owners in the right column menu.

On iOS the box on the right will surface and when you click Add owners you will be able to search for a user to add.

The rest of the process is quite self explanatory so let’s move on to the fun part of this post…

Azure Cloud Shell

As mentioned before, you can accomplish the same using PowerShell in Azure Cloud Shell.

First up you need to download the Microsoft Azure app. Login with an appropriate admin account and launch the Cloud Shell.

The first time you use the Cloud Shell you need to let it provision a storage account. Choose a suitable Azure subscription and wait a few seconds until it is ready. Under resources you will see that both a resource group in your region and a storage account have been provisioned.

Unfortunately it seems you cannot use the Azure subscription provisioned with Office 365 for access to Azure AD; you will instead need to set up a regular subscription.

The Cloud Shell will launch Bash by default, so make sure you change it to PowerShell in the upper-left corner.

The Shell should connect to your tenant automatically and you will end up with a prompt like this:

[Screenshot: Cloud Shell PowerShell prompt]

While you could use the Azure AD PowerShell cmdlets, I prefer doing this the Microsoft Teams way.

When you add a user as a member or owner to a team using Microsoft Teams, it’s available to the user instantly. When you add a user to the associated group in the Office 365 Admin portal, Azure AD Portal or with the Azure AD cmdlets, it can take hours until the changes are synced. While this unfortunately is the case also using the new Microsoft Teams PowerShell module version 0.9.1 [… The Teams application may need to be open for up to an hour before changes are reflected…], I believe this will change in a future version, so we might as well get used to doing this the Microsoft Teams way.

The Microsoft Teams PowerShell module is not installed by default in the Cloud Shell.

To install it we can simply run:

Install-Module MicrosoftTeams -force
Import-Module MicrosoftTeams

Check that the cmdlets are loaded with:

Get-Command -Module MicrosoftTeams

 

After we log on to the Microsoft Teams service we should be all set to add our teacher to the class team. For that we need credentials, which we will save to a variable.

$creds = Get-Credential
Connect-MicrosoftTeams -Credential $creds

To add a user to a team we need the user’s UserPrincipalName, which most commonly is their email address. We also need the GroupId of the team, which is where these beta cmdlets show their weakness. As of version 0.9.1 the Get-Team cmdlet is user centric.

“Gets all the teams the user is part of. The user must be you – you can only get information on yourself.” MS Docs

To be honest this doesn’t make much sense to me, and you should expect it to change in a later update.

Lacking a way to get the appropriate GroupId we must turn to the AzureAD cmdlets after all. Let’s first connect to the service and then store the class team’s group object in a variable.

Connect-AzureAD -Credential $creds
$group = Get-AzureADGroup -SearchString "Math 101"

We are now ready to add the substitute teacher to the class team, and promote her to Owner (teacher):

Add-TeamUser -GroupId $group.ObjectId -User miss.teacher@domain.com
Add-TeamUser -GroupId $group.ObjectId -User miss.teacher@domain.com -Role Owner
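Get-AzureADGroup -SearchString is a prefix match, so "Math 101" can return several groups, and $group.ObjectId would then be a list. As an added example (not code from the original post), the function below resolves the team by exact display name, refuses to act unless exactly one group matches, adds the user and promotes them to Owner, and then reads the owner list back with Get-TeamUser to verify. It assumes Connect-MicrosoftTeams and Connect-AzureAD have both run, as in the post; Add-TeamOwnerSafely and the sample names are placeholders chosen here.

```powershell
# Added example: add a substitute teacher as team Owner with an exact-match check and verification.
# Assumes Connect-MicrosoftTeams and Connect-AzureAD have both run.
function Add-TeamOwnerSafely {
    param(
        [Parameter(Mandatory)][string]$TeamDisplayName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    # Exact filter instead of -SearchString, which would also match "Math 101 Advanced"
    $groups = @(Get-AzureADGroup -Filter "displayName eq '$TeamDisplayName'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$TeamDisplayName', found $($groups.Count); refusing to guess"
    }
    $groupId = $groups[0].ObjectId

    # Membership first, then the Owner role, in the same order as the post
    Add-TeamUser -GroupId $groupId -User $UserPrincipalName
    Add-TeamUser -GroupId $groupId -User $UserPrincipalName -Role Owner

    # Read the owner list back rather than trusting that the calls succeeded
    $isOwner = [bool](Get-TeamUser -GroupId $groupId -Role Owner | Where-Object { $_.User -eq $UserPrincipalName })

    [pscustomobject]@{
        Team    = $TeamDisplayName
        GroupId = $groupId
        User    = $UserPrincipalName
        IsOwner = $isOwner
    }
}

Add-TeamOwnerSafely -TeamDisplayName 'Math 101' -UserPrincipalName 'miss.teacher@domain.com'
```

Owner on a class team is the teacher role, so the exact-match check matters: adding the substitute to the wrong team hands them control of another class’s assignments and members.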

 

OK, I admit it’s neither the fastest nor the easiest way to add members to a team, but it opens up for scripting and automation which can reduce errors and ensure compliance. And it’s PowerShell, in the cloud, on a mobile device. Pretty cool right?

Anonymous guest sharing in Teams

To kick-start this blog I would like to show you how to share folders or documents, like the weekly schedule, homework etc., with anonymous guests like parents.

For the sake of clarity, these are not guests invited to the actual team, but rather anyone receiving or accessing the link, by email, a text message or from a webpage.

Unfortunately for our use case, when a team is created, the underlying SharePoint site has a default SharingCapability of ExternalUserSharingOnly. We can find the SharingCapability by logging on to SharePoint Online with PowerShell, as an admin user with the appropriate permissions:

Connect-SPOService
Get-SPOSite -Identity siteurl | select SharingCapability

SharingCapability : ExternalUserSharingOnly

We can see in the docs that ExternalUserSharingOnly allows external user sharing (share by email), but not guest link sharing.

[Screenshot: sharing dialog with Anyone disabled]

What we need is ExternalUserAndGuestSharing, where both external user sharing and guest link sharing are enabled. Let’s see how we can accomplish that using PowerShell.

First, we need to establish the site url. There are several ways to get the URL, but as an end user we can find it by navigating to the team’s general channel and the files tab, then choose open in SharePoint. A browser window will open with a long URL, where you will need to extract everything including what comes immediately after /sites/. The rest of the URL can safely be ignored.

The URL should look like this: https://tenantname.sharepoint.com/sites/teamname
(teamname at the end of the URL is not the displayname, but what is called mailnickname in Azure AD)

Let’s store the URL in a variable for later use:

$siteurl = "https://tenantname.sharepoint.com/sites/teamname"

The same information is accessible with Exchange Online PowerShell; while logged on you can easily get a list of groups and their SharePointSiteUrl with the following command:

Get-UnifiedGroup | select DisplayName, Alias, SharePointSiteURL

Then all we need to do is change the SharingCapability property:

Set-SPOSite -Identity $siteurl -SharingCapability ExternalUserAndGuestSharing

To be sure let’s check the SharingCapability one last time:

Get-SPOSite -identity $siteurl | select SharingCapability

SharingCapability : ExternalUserAndGuestSharing

Now you can choose a folder or document within the team’s SharePoint site and share with Anyone. In this setting you would most likely also want to disallow editing. Once you hit Apply you can copy the link and distribute it as you choose. Happy sharing!

[Screenshot: sharing dialog with Anyone enabled]

Stay tuned for more on this, in a later article I will show you how to do this in bulk for teams generated by School Data Sync, and maybe all SharePoint sites belonging to Class, PLC or Staff teams.