Thursday, 21 June 2018

Azure Active Directory Seamless Single Sign-On


This article explains how Seamless Single Sign-On works. It is a relatively new sign-on process available for hybrid scenarios.

Get the full article here


Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually don't even need to type in their usernames. This feature gives your users easy access to your cloud-based applications without needing any additional on-premises components.

Wednesday, 20 June 2018


Taken from Tom Arbuthnot's post

Options and Considerations for Testing your Network for Skype for Business and Microsoft Teams

Published 18/06/2018
Ideally, and strongly recommended by Microsoft, before deploying Microsoft Teams or Skype for Business, you should test your network to ensure it can cope with real-time media and give users a good experience.
Microsoft refers to this as a “Network Readiness Assessment”, and some kind of assessment is a requirement of what was previously called the Skype Operations Framework, now called Practical Guidance for Cloud Voice, a series of best practices for rolling out and maintaining Skype for Business.
When testing networks, you are looking to test/understand some or all of the following:
  • Does the network allow good connectivity between all users/services (i.e. ports/protocols are not blocked)
  • Does the network allow adequate throughput to support the level of traffic (i.e. plan your expected load and test the network can transfer that load in a performant way)
  • Testing if QoS markings are kept intact/respected
When we say “the network”, you should be thinking about:
  • Site to Site. Wi-Fi and Wired (P2P sessions)
  • Site to SfB Servers and or SFB Online (PSTN, Conferences)
  • From the managed network to the internet, considering working from home and federated calls
Usually, network readiness will fall into two parts; a paper-based understanding of network topology and projected bandwidth use and a test where real or simulated traffic is sent over the network and actual performance measured.

“Paper Based” Exercises

For doing the “paper-based” exercise, Microsoft provides an older Excel calculator (covering on-premises and online) and a newer, easier to use Network Planner (online only).
As well as some great document resources.

Testing the network with real traffic

When it comes to actually testing the network, Microsoft kindly provide a free test tool and there are third party options, so what are the differences/use cases?
Microsoft’s free Network Test Tool is a great way to do a basic connectivity and performance test. It’s free, so it’s a quick, easy place to start. It will test:
  • From a PC to the nearest Azure edge for a single SfB Audio stream (i.e. Cloud PSTN Calling plan call or Conference scenario)
  • By default it runs a single 17-second test, but it can be configured to iterate; each call takes 17 seconds (non-configurable) plus the wait interval (5 seconds by default)
  • Reports on:
    • Packet loss
    • Jitter
    • Round-trip latency
    • Reorder packet percentage
  • Network connectivity – Verify network IP addresses and ports needed for Microsoft Teams calls can be connected to
  • Outputs results to a Results.tsv file (Tab-separated)
  • ‘ResultsAnalyzer.exe’ to read results.tsv and give a basic text report of network performance
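As an added example that is not part of Tom's post and is not Microsoft's ResultsAnalyzer.exe, this PowerShell scores each call in a Results.tsv-style file against media quality targets; the column names and rows are constructed for the sample, and the thresholds are assumed from Microsoft's published media quality guidance, so verify them against the current documentation.

```powershell
# Added example, not Microsoft's ResultsAnalyzer.exe: score each test call in a
# Results.tsv-style file against media quality targets. The column names and rows
# below are constructed for the sample; map them to the header the tool writes.
$sampleTsv = @"
CallStart`tPacketLossRate`tJitterMs`tRoundTripMs`tReorderRate
2018-06-18T09:00:00`t0.002`t12`t45`t0.0001
2018-06-18T09:00:22`t0.015`t28`t90`t0.0003
2018-06-18T09:00:44`t0.004`t41`t130`t0.0000
"@

# Assumed targets (per 15 s window) from Microsoft's media quality guidance:
# loss < 1 %, jitter < 30 ms, RTT < 100 ms, out-of-order packets < 0.05 %.
# Verify them against the current documentation before reporting on them.
$targets = @{ PacketLossRate = 0.01; JitterMs = 30; RoundTripMs = 100; ReorderRate = 0.0005 }

function Test-MediaTargets {
    param([Parameter(Mandatory)][object[]]$Rows, [hashtable]$Targets = $targets)
    foreach ($row in $Rows) {
        # Collect every metric that is at or above its threshold.
        $failures = foreach ($metric in $Targets.Keys) {
            if ([double]$row.$metric -ge $Targets[$metric]) { "$metric=$($row.$metric)" }
        }
        [pscustomobject]@{
            CallStart = $row.CallStart
            Pass      = (@($failures).Count -eq 0)
            Failures  = (@($failures) -join ', ')
        }
    }
}

# For a real run: $rows = Import-Csv -Delimiter "`t" -Path .\Results.tsv
$rows   = $sampleTsv | ConvertFrom-Csv -Delimiter "`t"
$report = Test-MediaTargets -Rows $rows
$report | Format-Table -AutoSize
# One number for the assessment: the share of test calls that met every target.
$passRate = @($report | Where-Object Pass).Count / @($report).Count
'{0:P1} of {1} test calls met all targets' -f $passRate, @($report).Count
```

With the constructed rows, only the first call passes (the second fails on packet loss, the third on jitter and RTT), so the report shows a 33.3% pass rate.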
What a third party can add:
  • Test from PC to PC/site to site within your network, not just from site to Office 365. A common issue we see is not just bandwidth between sites and Office 365, but internal WAN links affecting user-to-user P2P sessions on the enterprise network
  • Load test – Microsoft’s test tool only tests one media stream, which can tell you if one media stream meets the SLAs, but how will your network perform with 10, 100 or hundreds of sessions?
  • Stack multiple real SfB calls. Some network tests throw one stream of UDP from point A to point B, the logic being that 64 Kbps x 10 is the load, but can your network deal with the setup/teardown and signalling of 10, 100 or hundreds of real SfB calls – we often see firewalls and proxies struggle at load, dropping packets or issuing TCP resets on signalling
  • Continuous testing for a period of time, centralised data and reporting
  • Services to help design, deploy and interpret the results of a network assessment
  • Fuller visual reports and recommended actions
Modality Systems have such an offering, Impact Assessment; by all means, consider me biased and do your own research into the options. There are other third parties like Nectar, IR Prognosis and Ixia that offer different network test solutions.
Microsoft provides a partner certification program for SfB network assessment tools. Unfortunately for Modality, part of the spec to be certified is checking that packets can get from one location to another with the QoS markings intact. As our test SfB bots run on Windows, there is no way for Windows applications to query the Windows network stack programmatically to know if packets are marked. Just like SfB, we can QoS mark our test calls, and can manually check that they arrive marked with Wireshark where required. Other network test providers can do this via dedicated Linux machines, where that level of the networking stack is more accessible to applications.
In a Modality Systems Impact Assessment, we have two models, a basic connectivity test and a load test. Both use a real Skype endpoint (virtual static user) built on UCMA making real Skype calls.
A connectivity test places our Windows-based SfB “virtual users” in your sites and does a 2 concurrent call mesh, site to site and each site to an Azure VM. The Azure VM represents the connectivity route to Office 365. This ensures everything can route directly and is not relayed in and out of your network.
Taking it up a gear, our load test has SfB virtual users actually make multiple concurrent real SfB calls between each other, with the ability to scale to hundreds of calls (an i5, 4GB PC can do about 25 concurrent audio calls; more hardware is needed for larger call volumes). We often find a network will “pass” under a Microsoft basic test or our network connectivity test, but show issues under load. This could be due to raw bandwidth availability at certain times or the throughput capacity of network equipment under load.
Critically, both types of test are performed over time, typically 30 days, to give a true appreciation of the continuous performance around other network traffic and business processes.
Azure PowerShell Scripts

Create a VPN Gateway with PowerShell


Script is here


# Create a resource group
New-AzureRmResourceGroup -Name TestRG1 -Location EastUS
# Create a virtual network
$virtualNetwork = New-AzureRmVirtualNetwork `
  -ResourceGroupName TestRG1 `
  -Location EastUS `
  -Name VNet1 `
  -AddressPrefix 10.1.0.0/16
# Create a subnet configuration
$subnetConfig = Add-AzureRmVirtualNetworkSubnetConfig `
  -Name Frontend `
  -AddressPrefix 10.1.0.0/24 `
  -VirtualNetwork $virtualNetwork
# Set the subnet configuration for the virtual network
$virtualNetwork | Set-AzureRmVirtualNetwork
# Add a gateway subnet
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName TestRG1 -Name VNet1
Add-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27 -VirtualNetwork $vnet
# Set the subnet configuration for the virtual network
$vnet | Set-AzureRmVirtualNetwork
# Request a public IP address
$gwpip= New-AzureRmPublicIpAddress -Name VNet1GWIP -ResourceGroupName TestRG1 -Location 'East US' -AllocationMethod Dynamic
# Create the gateway IP address configuration
$vnet = Get-AzureRmVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
# Create the VPN gateway
New-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
-Location 'East US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased -GatewaySku VpnGw1
The Evolution of Skype Operations Framework (SOF) into Practical Guidance for Cloud Voice

The Skype Operations Framework (SOF) has proven to be a very successful resource to help customers and partners roll out and operate Cloud Voice capabilities. 

Skype Operations Framework (SOF) has evolved into our Practical Guidance for Cloud Voice services.

Get it here

What are some of the new Practical Guidance for Cloud Voice tools and assets?

Introducing MyAdvisor
We are proud to introduce MyAdvisor, a new platform to provide targeted practical guidance tailored for your Skype for Business or Microsoft Teams deployment. MyAdvisor has the capability to provide feature-based practical guidance to help you extend your current deployment at your own pace.


We are including new operational tools, such as the Network Planner in this tool and will continue to innovate and provide additional contextual guidance over time.
You can access MyAdvisor here.

Introducing Network Planner
The Network Planner is your centralized networking administration hub. With the Network Planner, you can model your environment and get an estimated required bandwidth for your Skype for Business or Microsoft Teams deployment. You can also identify sites and network links where additional attention may be required to deliver an excellent end user experience. With both logical and graphical representations of your sites, as well as the ability to import and export your site data to CQD, organizing and reporting of your network requirements is made easy.

You can access Network Planner here via MyAdvisor.

Quality Champion
We are introducing the Quality Champion role as part of our Practical Guidance for Cloud Voice to highlight the importance of a continued focus on quality during deployments. The Quality Champion is a customer role that is passionate about their users' experience; this role has the skills to identify trends in their environment, as well as the sponsorship to work with other teams to effect remediation.
The Quality Champion leverages existing tools and processes, such as CQD and the monitoring playbook, to monitor user experience, identify trends, and drive remediation where needed. This new role doesn't necessarily implement new tasks, but instead drives accountability for the user experience.
Customers currently implementing the Quality Champion role have very effectively improved the quality and reliability of their deployments, resulting in better user experience.

The Quality Champion role is woven into the Practical Guidance for Voice available in MyAdvisor.

New Microsoft Teams Guidance
We have added practical guidance for the Preview of Microsoft Teams Audio Conferencing to help you prepare to deploy this exciting new capability in Teams. We will be adding to this guidance over time. You can access this guidance via MyAdvisor.

New practical guidance assets from Sonus and Plantronics
We are pleased to announce two new assets created by our hardware partners Sonus and Plantronics as an extension of our Practical Guidance for Cloud Voice. These assets will help you to integrate their products as part of your project.

Sonus Networks, a global leader in secure and intelligent cloud communications is helping the world embrace the next generation of cloud-based SIP solutions by enabling and securing latency-sensitive, mission critical traffic for VoIP, video, instant messaging, and online collaboration with Practical Guidance for Cloud Voice collateral to plan, deliver and operate Sonus solutions. Sonus offers a complete portfolio of hardware-based and virtualized session border controllers (SBCs), diameter signaling controllers (DSCs), policy/routing servers, network intelligence applications, media and signaling gateways and network analytics tools to drive Unified Communications for Microsoft deployments.

Plantronics is an audio pioneer and a global leader in the communications industry. Plantronics creates intelligent and adaptive solutions that support your customers' most important needs: experiencing and facilitating simple and clear communications while enjoying distraction-free environments. You work from everywhere, and need to make everywhere work. Together Microsoft and Plantronics understand today's communication challenges and provide the tools you need to work effectively, wherever you need to focus. Our partnership provides simple, highly integrated audio solutions to bring technology and people together. As a key to a successful Skype for Business deployment, this practical guidance will help take you there. Please visit the Partner Asset page on the MyAdvisor site to download these great new assets.

How can I find partners?
Microsoft has invested in our partners to deliver customer success via the practical guidance previously delivered as part of SOF and now delivered via MyAdvisor. These partners have implemented our practical guidance in their delivery and managed services practices, and have validated their product and process knowledge via an assessment. To date we have over 160 partners worldwide ready to assist you in your journey to success.

We encourage customers to engage with our partner ecosystem for deployment and ongoing management of Skype for Business. It is important to note that now all SOF and Microsoft Gold Certified Communication partners can be found at: https://partnersolutions.skypeforbusiness.com/partners.

How you can get started on our new assets
The guidance, tools, assets, and training we provided via SOF continue to be available through our Practical Guidance for Cloud Voice. As we build and evolve our self-service assets and toolsets, such as MyAdvisor and Network Planner, we hope to continue providing you with a unified framework which is easy-to-use, and easy-to-consume.

To get started, please head on over to the FastTrack Cloud Voice page and click the MyAdvisor link to get started, you will find helpful resources right on the main page, including an FAQ. Have your Office 365 login ready to sign up!

We look forward to hearing your feedback on our Practical Guidance for Cloud Voice evolution, including your thoughts on MyAdvisor and the Network Planner. To provide your feedback, please contact us at myadvisor@microsoft.com.

Wednesday, 13 June 2018

Can you dial premium rate or shared cost numbers with Microsoft PSTN Calling Plans? It depends....


Have a look at Tom Arbuthnot's post here



This one took a while to get to the bottom of, but fortunately, the online documentation has been updated now to make it easier. My question was can users with Microsoft PSTN Calling plans, in either Skype for Business Online or Microsoft Teams, ring premium rate or shared cost numbers?
The term “premium number” is a broad term; there are a variety of “premium number” types. In the UK premium rate numbers begin 09. Call costs can be up to £3.60 and your phone company’s access charge, plus 5p to £6 per call.
“Shared cost” or “Business rate” numbers generally cost less per minute than premium rate numbers; in the UK these are 0843, 0844 and 0845. Call costs can be up to 7p and your phone company’s access charge. Reference: https://www.gov.uk/call-charges
Each calling plan now has this detail listed on docs.microsoft.com:

France supports full premium dialling

The UK supports shared cost but not premium rate


At this time all other countries don’t support shared cost or premium rate dialling.


Rates

From this site, you can download the rates for calling plans for each country: https://products.office.com/en-us/microsoft-teams/voice-calling
If you select the UK you can see the rates for the shared cost numbers on the outbound dialling costs tab.
Other countries also have shared cost prefixes.
I couldn’t find any specific listing for the premium rate numbers allowed in France or the costs.
As always, I’m sure Microsoft is open to feedback on this if you have specific business requirements, be sure to let them know.


Tuesday, 12 June 2018

Verify Computer Name against Active Directory in SCCM task sequence

by Idan Vexler

Blog post is here

Recently, I was asked by one of my customers for a computer name check against Active Directory before setting the name in an SCCM task sequence for new computer deployment.
Searching the web didn't come up with any results, and since the request sounded really reasonable to me, I decided to take the challenge.

My solution had to be secure, meaning the password cannot be written in clear text or stored by any other insecure method.

After a lot of research I came up with the following steps to complete this request:

  1. Enable PowerShell in boot images.
  2. Create a package that copies the Active Directory module files to the boot image, and run it in the task sequence.
  3. Create a PowerShell script that does the following:
    • Interact with the task sequence.
    • Load a PowerShell form to prompt for the computer name.
    • Import the Active Directory module, securely connect to Active Directory and check the name against it.
    • Set the computer name as the OSDComputerName TS variable (assuming the name does not already exist).

Enable PowerShell in boot images

In order to run the PowerShell form within WinPE environment, PowerShell needs to be enabled in the boot image first.
To do that, right click the relevant boot image and go to properties.
Go to Optional Components tab and add Windows PowerShell component and additional components as well. (don't forget to update your distribution point):


Create Active Directory module files package

In order to connect to Active Directory and check if the computer name exists, the Active Directory module needs to be imported within PowerShell.
My solution is copying the Active Directory module files to the boot image, with a regular package, before running the PowerShell script step in the task sequence.
  • From any computer with RSAT, copy the following folders:
%windir%\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory 
%windir%\SysWOW64\WindowsPowerShell\v1.0\Modules\ActiveDirectory (x64-image only) 
%windir%\Microsoft.NET\assembly\GAC_32\Microsoft.ActiveDirectory.Management
%windir%\Microsoft.NET\assembly\GAC_32\Microsoft.ActiveDirectory.Management.Resources
%windir%\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management (x64-image Only)
%windir%\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management.Resources (x64-image Only)
%windir%\WinSxS\amd64_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.3.9431.0_en-us_fb186ae865900ae8 (x64-image Only)
%windir%\WinSxS\x86_microsoft.activedirectory.management_31bf3856ad364e35_6.3.9431.0_none_b85eb2e785c286ef
%windir%\WinSxS\msil_microsoft-windows-d..ivecenter.resources_31bf3856ad364e35_6.3.9431.0_en-us_38f21d039944539f

  • Create a simple batch script that creates the relevant folders in the boot image and copy the files to it:

rem X: is the WinPE RAM drive. Run this from the package source folder (x86 boot image shown).
rem PowerShell module files
md x:\windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory
xcopy ActiveDirectory\* x:\windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory /e /y

rem GAC assemblies the module loads
md x:\windows\Microsoft.NET\assembly\GAC_32\Microsoft.ActiveDirectory.Management
xcopy Microsoft.ActiveDirectory.Management x:\windows\Microsoft.NET\assembly\GAC_32\Microsoft.ActiveDirectory.Management /e /y

md x:\windows\Microsoft.NET\assembly\GAC_32\Microsoft.ActiveDirectory.Management.Resources
xcopy Microsoft.ActiveDirectory.Management.Resources x:\windows\Microsoft.NET\assembly\GAC_32\Microsoft.ActiveDirectory.Management.Resources /e /y

rem WinSxS components (folder names as they appear on the source machine)
md x:\windows\WinSxS\x86_microsoft.activedirectory.management_31bf3856ad364e35_6.3.9431.0_none_b85eb2e785c286ef
xcopy x86_microsoft.activedirectory.management_31bf3856ad364e35_6.3.9431.0_none_b85eb2e785c286ef x:\windows\WinSxS\x86_microsoft.activedirectory.management_31bf3856ad364e35_6.3.9431.0_none_b85eb2e785c286ef /e /y

md x:\windows\WinSxS\msil_microsoft-windows-d..ivecenter.resources_31bf3856ad364e35_6.3.9431.0_en-us_38f21d039944539f
xcopy msil_microsoft-windows-d..ivecenter.resources_31bf3856ad364e35_6.3.9431.0_en-us_38f21d039944539f x:\windows\WinSxS\msil_microsoft-windows-d..ivecenter.resources_31bf3856ad364e35_6.3.9431.0_en-us_38f21d039944539f /e /y


I have uploaded the files with the script for x86 and x64 boot images: AD PS files 
Just extract the files as is and set it as a source for the following SCCM package.

Create a regular package in SCCM without any program, and set the source files to the files you just downloaded and extracted (or created manually).



PowerShell form script

The script will do the following:
  • Close the task sequence progress dialog so the form is visible.
  • Load the computer name form.
  • Prompt for credentials (with the Get-Credential command).
  • Import the Active Directory module.
  • Check the computer name against Active Directory and loop until a name is entered that cannot be found.
  • Set the computer name as the OSDComputerName task sequence variable.
######## Close the TS progress UI temporarily so the form is visible
$TSProgressUI = New-Object -COMObject Microsoft.SMS.TSProgressUI
$TSProgressUI.CloseProgressDialog()

function button ($title, $labelText) {
    ######## Load the assembly needed to build the form and button
    Add-Type -AssemblyName System.Windows.Forms

    ######## Define the form size and placement
    $form = New-Object System.Windows.Forms.Form
    $form.Width = 500
    $form.Height = 150
    $form.Text = $title
    $form.StartPosition = [System.Windows.Forms.FormStartPosition]::CenterScreen
    $form.TopMost = $true

    ######## Label that tells the user what to enter
    $textLabel1 = New-Object System.Windows.Forms.Label
    $textLabel1.Left = 25
    $textLabel1.Top = 15
    $textLabel1.Text = $labelText

    ######## Text box for the computer name (empty by default)
    $textBox1 = New-Object System.Windows.Forms.TextBox
    $textBox1.Left = 150
    $textBox1.Top = 10
    $textBox1.Width = 200
    $textBox1.Text = ''

    ######## OK button; clicking it closes the form and returns the value
    $button = New-Object System.Windows.Forms.Button
    $button.Left = 360
    $button.Top = 85
    $button.Width = 100
    $button.Text = 'Ok'
    $button.Add_Click({ $form.Close() })

    ######## Add the controls and show the form modally
    $form.Controls.Add($button)
    $form.Controls.Add($textLabel1)
    $form.Controls.Add($textBox1)
    [void]$form.ShowDialog()

    ######## Return what the user typed, without surrounding whitespace
    return $textBox1.Text.Trim()
}

$return = button 'Enter Computer Name' 'Computer Name'

#######################
# Import AD module    #
#######################
# Credentials are prompted for at run time; nothing is stored in the script or the package.
$C = Get-Credential
Import-Module ActiveDirectory -Force

# Fail closed: if the directory cannot be queried, the script stops and the TS step fails
# rather than accepting an unverified name.
$ErrorActionPreference = 'Stop'

######## Ask again while the name is empty or already exists in Active Directory.
######## Change YOUR-DC-NAME to a domain controller reachable from WinPE.
while ([string]::IsNullOrWhiteSpace($return) -or
       (Get-ADComputer -Filter { Name -eq $return } -Credential $C -Server 'YOUR-DC-NAME')) {
    $return = button 'Enter Computer Name' 'Name empty or already exists'
}

########## Enter OSDComputerName value into the TS
$TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$TSEnv.Value('OSDComputerName') = $return
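As an added example (not from Idan's post or his downloadable script), the following PowerShell shows a stricter version of the name check: it validates the proposed name against an allow-list before it is placed in an LDAP filter, and it fails closed if the directory cannot be queried. It assumes the ActiveDirectory module is present in the boot image as described above, and 'YOUR-DC-NAME' is a placeholder for a domain controller reachable from WinPE.

```powershell
# Added example, not the post's own script: validate the name first, query AD for
# that one object only, and stop the task sequence step if the lookup itself fails.
function Test-ComputerNameFormat {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Name)
    # Allow-list: 1-15 characters, letters, digits and hyphens only, no leading or
    # trailing hyphen, and not all digits. Anything else is rejected before it reaches
    # AD, which also keeps quote characters out of the -Filter string built below.
    if ($Name -notmatch '^[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?$') { return $false }
    if ($Name -match '^\d+$') { return $false }
    return $true
}

function Get-ComputerNameStatus {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Name,
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    if (-not (Test-ComputerNameFormat -Name $Name)) { return 'InvalidFormat' }
    try {
        # Targeted query for one object instead of enumerating every computer in the domain.
        $existing = Get-ADComputer -Filter "Name -eq '$Name'" -Server $Server `
                                   -Credential $Credential -ErrorAction Stop
    } catch {
        # Fail closed: a lookup error must never be treated as "the name is free".
        throw "Could not verify '$Name' against $Server : $($_.Exception.Message)"
    }
    if ($existing) { 'Exists' } else { 'Available' }
}

# Usage inside the task sequence script: keep prompting until a valid, unused name is given.
# Read-Host stands in for the WinForms prompt from the post; the credential is requested at
# run time, so nothing secret is stored in the package. Use a read-only account for this.
$cred = Get-Credential -Message 'Account with read access to computer objects'
do {
    $candidate = Read-Host 'Enter computer name'
    $status = Get-ComputerNameStatus -Name $candidate -Server 'YOUR-DC-NAME' -Credential $cred
    if ($status -ne 'Available') { Write-Warning "'$candidate': $status, try again" }
} until ($status -eq 'Available')

$TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$TSEnv.Value('OSDComputerName') = $candidate
```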

In order to interact with the PowerShell form from within the task sequence, you need to run it with a file called ServiceUI.exe from MDT.
The file is located in the following path:
C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\X-Your Architecture (be sure to run it with the correct Boot Image architecture).

Create another package (no program needed) with the following files in it:
  • ServiceUI.exe
  • The PowerShell script (can be downloaded from here - change the DC name on line 77)


Task Sequence

In your task sequence add two steps:
Place those steps right after the Partition Disk step. This is very important, otherwise your task will fail.
  • Copy AD Module Files step:
    This would be a "Run Command Line" step and will be using the first package that was created.

  • Choose Computer Name step:
    This would be a "Run Command Line" step again.
    This time, we'll use the second package created to run the PowerShell Script with ServiceUI.exe.
    Command:
    serviceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File OSDComp.ps1
For an x64 boot image, use the ServiceUIx64.exe file instead.

Task Sequence appearance

Running the task sequence with these changes will prompt for the computer name.
It then asks for credentials.
It prompts again while the name exists, until a name that cannot be found in Active Directory is entered.