Configuring information barriers in Teams

Prerequisites:

  1. First make sure scoped directory search is turned on:

In the Teams admin center, select Org-wide settings –> Teams settings.

Under Search, next to "Scope directory search in Teams using an Exchange address book policy (ABP)", turn the toggle on.

Please note this can take up to 24 hours to replicate. https://docs.microsoft.com/en-us/MicrosoftTeams/teams-scoped-directory-search

  2. Licensing and permissions. One of the following licenses:

  • Microsoft 365 E5
  • Office 365 E5
  • Office 365 Advanced Compliance
  • Microsoft 365 E5 Information Protection and Compliance

  3. To define or edit information barrier policies, you must be assigned one of the following roles:

  • Microsoft 365 global administrator
  • Office 365 global administrator
  • Compliance administrator
  • IB Compliance Management (this is a new role!)

  4. Turn on audit logging:

  • O365 admin –> Compliance –> Search –> Audit log search
  • Click "Turn on auditing"

The banner is then updated:

You can also do this via Exchange Online PowerShell:

Turn on audit log search:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Turn off audit logs search:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

To verify whether audit logging is on or off via PowerShell:

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

Or via the Admin Center.

  5. Make sure no Exchange address book policies are in place:

https://docs.microsoft.com/en-us/exchange/address-books/address-book-policies/remove-an-address-book-policy

  6. Provide admin consent for Microsoft Teams:

For this step, first make sure you have the required permissions in the O365 Security & Compliance Center:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide#permissions-needed-to-use-features-in-the-security–compliance-center

# Sign in with the AzureRM module, then make sure a service principal exists for the Teams app ID
Login-AzureRmAccount
$appId = "bcf62038-e005-436d-b970-2a472f8c1982"
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
if ($sp -eq $null) { New-AzureRmADServicePrincipal -ApplicationId $appId }
# Open the admin consent page for that app in the browser
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"

Step 2: Segment users

  1. Before we proceed to this section, make sure your directory data has values that you can use to define segments. The list of attributes you can use with information barriers can be found here:

https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers-attributes?view=o365-worldwide#reference

  2. Create the segments:

New-OrganizationSegment -Name "Sales" -UserGroupFilter "Department -eq 'Sales'"

New-OrganizationSegment -Name "Research" -UserGroupFilter "Department -eq 'Research'"

Now we set it so Sales and Research are not able to communicate:

New-InformationBarrierPolicy -Name "Sales-Research" -AssignedSegment "Sales" -SegmentsBlocked "Research" -State Inactive

Since the above cmdlet is not symmetrical, we also need to block Research from talking with Sales:

New-InformationBarrierPolicy -Name "Research-Sales" -AssignedSegment "Research" -SegmentsBlocked "Sales" -State Inactive

Apply the information barrier policy:

  1. First run Get-InformationBarrierPolicy to see the list of policies we defined:

In this example the GUID from running the above cmdlet is 15912fe7-0dd5-4b90-b3e0-4b94168cb63e, so we will run:

Set-InformationBarrierPolicy -Identity 15912fe7-0dd5-4b90-b3e0-4b94168cb63e -State Active

Then run the same cmdlet for the other policy we created (Research-Sales), using its GUID.

Now that our two segments and their policies are defined and active, run the following cmdlet to "start" the policies:

Start-InformationBarrierPoliciesApplication

At this point you should be all set up. After approximately half an hour, policies are applied, user by user, across your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. (As a general guideline, it takes about an hour to process 5,000 user accounts.)
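The segment and policy steps above as one re-runnable script, added here as an example and not taken from the post. It assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession) with one of the roles listed in the prerequisites, uses the post's segment names with constructed Department values, and adds a mirror check so a one-way block that was never paired is flagged before policies are applied.

```powershell
# Added example (not from the original post). Assumes Connect-IPPSSession has already been run.
# Segment names come from the post; the Department values are constructed sample data.
$segments = 'Sales', 'Research'
$policies = @(
    @{ Name = 'Sales-Research'; Assigned = 'Sales';    Blocked = 'Research' },
    @{ Name = 'Research-Sales'; Assigned = 'Research'; Blocked = 'Sales' }
)

# 1. Create each segment only if it does not already exist, so the script can be re-run safely
foreach ($seg in $segments) {
    if (-not (Get-OrganizationSegment | Where-Object { $_.Name -eq $seg })) {
        New-OrganizationSegment -Name $seg -UserGroupFilter "Department -eq '$seg'" | Out-Null
    }
}

# 2. Create each one-way block as Inactive, then activate it by GUID, exactly as in the manual steps
foreach ($p in $policies) {
    $existing = Get-InformationBarrierPolicy | Where-Object { $_.Name -eq $p.Name }
    if (-not $existing) {
        $existing = New-InformationBarrierPolicy -Name $p.Name -AssignedSegment $p.Assigned `
            -SegmentsBlocked $p.Blocked -State Inactive
    }
    Set-InformationBarrierPolicy -Identity $existing.Guid -State Active
}

# 3. Mirror check: a block only holds in both directions if the reverse policy exists and is Active;
#    otherwise one direction of the Sales/Research pair is still open
$all = Get-InformationBarrierPolicy
foreach ($pol in $all) {
    foreach ($blocked in $pol.SegmentsBlocked) {
        $mirror = $all | Where-Object {
            $_.AssignedSegment -eq $blocked -and
            $_.SegmentsBlocked -contains $pol.AssignedSegment -and
            $_.State -eq 'Active'
        }
        if (-not $mirror) {
            Write-Warning "'$($pol.Name)' blocks $blocked, but no active policy blocks $($pol.AssignedSegment) from $blocked"
        }
    }
}

# 4. Start applying the policies, then check progress (this can take hours on a large tenant)
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus
```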

How to give a Teams channel a new owner

At times, users who created channels leave the org and we end up with a rogue channel. When this happens we need to assign ownership to a new user. This post will quickly touch on that and hopefully give some guidance on how to do so.

We will go through creating a private room, then disabling the creator in AD.

First, we log in and build a team from scratch.

Once the channel has been created, we add a few users to the room.

After this, we disable the owner in AD.

Wait for AD replication, then try to sign in as the current owner.

As you can see, this user is no longer valid in AD, but they are still considered the owner of the channel.

To fix this, simply go into your Teams admin center, select Teams –> Manage Teams –> select the Team you want to edit –> then select the user that will be the new owner. This should take care of a rogue user being an owner of the channel in question.

Comments and feedback are welcome.

How to stop Microsoft Teams from starting at startup

Method 1: Disable from Task Manager

You can disable Microsoft Teams from Task Manager so that it does not start automatically:

  1. Press Ctrl + Shift + Esc to open Task Manager.
  2. Go to Startup tab.
  3. Click on Microsoft Teams, and click on Disable.

Method 2: Change settings

You can change the settings in Microsoft Teams and see if that helps:

  1. Launch Microsoft Teams.
  2. Click on the Profile icon on the top right corner and click on Settings.
  3. Scroll down and clear the checkbox for Auto Start Application.

Method 3: Modifying Registry

You can delete the entry for Microsoft Teams from the Registry:

Note: Important: this section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

After backing up the registry, follow these steps:

  1. Press Windows key + R, to open Run dialog box.
  2. Type regedit and click on OK.
  3. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  4. On the right pane, right click on the registry entry for Microsoft Teams and select Delete.

If you want to uninstall Microsoft Teams from the computer, refer to the steps in the article Uninstall Microsoft Teams.

Meeting delegation Microsoft Teams

A super quick post on how to set up delegation for meetings with Microsoft Teams.

The easiest way is to let Outlook configure delegation.

File –> Account Settings –> Delegate Access

Add your delegate. In this case we will be using guy1.

Once delegation is set in Outlook, have your delegate open your calendar and simply create a Teams meeting.

The recipient, in this case test 4, gets a meeting invite "on behalf of" guy2 from guy1.

Unable to create Skype meeting from Outlook on a Mac

Are you a Mac user? Do you also happen to use Skype for communication? Are you trying to create a Skype meeting from Outlook and getting an error? Is the message "To create the online meeting, sign in to Skype for Business (Lync) and try again"?

Well, there is a simple fix for this:

On the Mac, go to Security & Privacy –> Privacy –> Automation. The Automation box should list some apps. If you scroll down to the SfB app, it should have Outlook underneath it. Make sure that box is checked. You may also want to log out of Skype and Outlook, log back in, and test. This should now be resolved.

Skype for Business / WAP 2019

Recently I assisted a customer that had removed TMG from their environment and installed WAP 2019 as the reverse proxy. As we all know, mobile devices are being used more and more in corporations, and with security being a big concern it's time to get some of the older technologies updated.

The issue was not with the installation of the WAP server. This issue in particular had to do with the Android devices. When logging into Skype the first time, everything went as planned. However, when logging out and back in, we would see errors stating "trying to connect to server" and presence stuck at "updating".

Reviewing the Skype for Business server-side logs and the client logs, we get different errors. The server-side logs show a 401, and for whatever reason the Android client was getting a 500. iOS worked just fine.

After some research I found there is a known issue with the WAP 2019 server. Server 2019 has HTTP/2 enabled by default, and this does not support Windows Auth.

To fix this, simply set the EnableDefaultHttp2 value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp to 0 on all the 2019 servers, then reboot and test.

More information can be found here
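A way to apply and verify that registry change across all the WAP 2019 servers at once, added here as an example and not part of the original post. It assumes PowerShell remoting to the servers and local admin rights on them; the server names are placeholders, and the registry path and value are the ones named above.

```powershell
# Added example (not from the original post). Assumes WinRM/PowerShell remoting and admin rights
# on the WAP servers; the names below are placeholders for your own servers.
$wapServers = 'wap01.corp.example', 'wap02.corp.example'
$keyPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$valueName  = 'EnableDefaultHttp2'

$report = Invoke-Command -ComputerName $wapServers -ArgumentList $keyPath, $valueName -ScriptBlock {
    param($keyPath, $valueName)
    # Record the value before the change; a missing value means HTTP/2 is on (the 2019 default)
    $item   = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $before = if ($null -eq $item) { 'not set (HTTP/2 on by default)' } else { $item.$valueName }
    # 0 turns HTTP/2 off in WinHTTP so Windows Auth through WAP works for the mobile clients again
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord
    $after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    [pscustomobject]@{ Server = $env:COMPUTERNAME; Before = $before; After = $after }
}

# Before/after view per server, so a server that still shows 1 (or 'not set') is obvious
$report | Format-Table Server, Before, After -AutoSize
# Reboot the servers and re-test the Android sign-out/sign-in, as described above
```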

DEBUGGING TOOLS INSTALL ERROR (VISUAL C++ 2015 X64 MINIMUM RUNTIME – 14.0.23026)

Are you trying to install the Skype for Business debugging tools or the Reskit? Are you getting the below error message?

To fix this simply run the following cmdlet:

msiexec /a c:\software\SkypeForBusinessDebugTools.msi /qb TARGETDIR=C:\yourpathhere

You will have to change the above cmdlet to match what you are trying to do and where you are trying to extract it to. Once this is done you should now be able to run the debugging tools or the Reskit.   

Office Web Apps Server

Recently I worked an issue with Office Web Apps Server, aka OWA or even WAC server. The issue, simply, was that it would not work.

There is not too much to these things. A couple of configuration settings and you are pretty much good to go.

So I checked the basics:

  • Verify you can reach the discovery URL from the browser
  • Collect client logs and server logs

The server-side logging components are as follows:

Component: DataMCU
=> Level: Verbose
=> Flags: All
Component: DataMCURunTime
=> Level: Verbose
=> Flags: TF_COMPONENT,TF_PROTOCOL,TF_NETWORK
Component: DataProxy
=> Level: Verbose
=> Flags: All
Component: GraphListener
=> Level: Verbose
=> Flags: All
Component: GraphService
=> Level: Verbose
=> Flags: All
Component: Infrastructure
=> Level: Verbose
=> Flags: All
Component: InternalCommon
=> Level: Verbose
=> Flags: All
Component: LDM
=> Level: Verbose
=> Flags: All
Component: WebInfrastructure
=> Level: Verbose
=> Flags: All

Also have Fiddler running while reproducing the issue.

So, once I had collected all the logs, it's obviously time to review. The client logs were showing the following:

<diagHeader>54031;reason="The WAC presentation failed with a server error."; There are a few other lines, like the URL for the OWA server, etc.

Fiddler captures the error, and we look at the URL it's trying to use. There I noticed that the URL being created was pointing outside my network. I then checked my topology for the Office Web Apps server and where it thinks the server location is:

Well, this is not correct. My WAC server is internal. I then proceeded to change the topology, set my Office Web Apps server's location to internal, and published the topology. Once this was done, testing proved that it is now working.

Hopefully this will help anyone that is having that "odd" issue.