User Profile
Newlife
Brass Contributor
Joined 7 years ago
Recent Discussions
Questions on Office 365 Tenants integration
Hi Community,

One of our customers has the below environment:

Forest A AD
Citrix thin clients are installed.
Office 365 enabled with Teams licenses (Tenant A)

Forest B AD
ADFS installed. SSO is enabled.
Laptops are provided by vendor and those accounts are hosted in this AD.
Office 365 enabled for Exchange mailboxes. (Tenant B)

The fact is that the end-users would be using the Citrix Virtual Desktop environment in a full-screen mode. So while Forest B / Tenant B does provide workplace services (like a mailbox) the end-users would not access those directly from their desktop session.

Requirement:
As a Forest B user, the user should be able to log on to their laptop using Forest B’s AD credentials. (As they’ve SSO enabled they can access Tenant B mailboxes without entering the credentials again)
Then the user would be able to log on to the Citrix session using Forest A credentials.
User would be able to use Teams with Forest A / Tenant A credentials.
Then the user would be able to run an Outlook fat client logging in using Forest B / Tenant B credentials.

Question:
Teams and Outlook clients from different O365 tenants will create some issues and wanted to find out if such a scenario was supported?

Any pointers would be of great help.

950 Views, 0 likes, 0 Comments

Office 365 global admin question change
Hi Community,

One of our customers raised the below query:

There is a single Global Admin for their tenant that the organisation wants to remove, and there are no other Global Admin accounts in this Office 365 tenant. They are unable to use Delegated Admin at this stage as they do not want to inform the existing global admin account that they are planning to remove this account.

What does the customer need to do to reclaim the tenant immediately once the existing global admin user account has been removed without informing that account user?

Any help would be much appreciated. Thanks!!

1.8K Views, 0 likes, 1 Comment

Security of SPO
Hi Experts,

One of our customers operates in the finance industry and they are looking to migrate all data into SharePoint Online. They have specific regulatory requirements surrounding their data and one of these is BS 10008. The concern is with using SharePoint in relation to documentation that can be used for legal service and whether the Microsoft 365 platform has any certifications to negate this or not.

Please advise. Any pointers would be of great help. Many thanks!!

4.6K Views, 0 likes, 4 Comments

Questions on RDS license
Hi Community,

One of our customers raised the below query regarding RDS usage rights of Office 365 desktop applications when using the Office 365 Nonprofit E3 plan.

They’re aware that the Office 365 Enterprise E3 plan allows for Office 365 desktop applications to be installed and run from a Remote Desktop Services machine and have previously proposed this for customer environments that require an RDS or Citrix hosted desktop environment. However – the customer is a registered charity and can therefore take advantage of the lower pricing available as part of the Office 365 Nonprofit E3 (They believe they’re currently utilizing a Business Premium plan – presumably the Office 365 Nonprofit Business Premium Plan).

Our query is – does the Office 365 Nonprofit E3 plan include usage rights on a Remote Desktop Services machine similar to the Office 365 Enterprise E3 plan?

When they checked the service description for ‘Desktop virtualization’ (which they believe is the required feature that allows for RDS usage rights) they couldn’t see the Office 365 Nonprofit E3 plan listed amongst the plans. They noticed there are some subtle differences between the Office 365 Nonprofit E3 and Enterprise E3 plans (such as different mailbox sizes as well as Yammer and Stream not listed as available services in the Nonprofit E3 plan), therefore they didn’t want to assume the Nonprofit E3 plan included RDS usage rights.

Any pointers would be of great help. Many thanks in advance.

Solved, 5K Views, 1 like, 2 Comments

Questions on Permissions management
Hi Community,

One of our customers wants to use Teams/SharePoint/Exchange, but they want to manage it from 1 single point. For example, they have 3 groups.

- Management
- Team Lead
- Sales

So when they make 1 new user a member of Management, it should also get the rights from Team Lead and Sales. And when we make 1 new user a member of Team Lead, it should also get the rights of Sales. Similarly there’ll be ‘n’ number of groups to be managed.

Currently, they’re using Office 365 Security Groups to achieve the same, but it limits the control only to SharePoint resources and not for Teams and Exchange.

Questions:
Can we leverage Dynamic group membership type + Conditional Access to achieve this requirement?
Any other best practices would you recommend?

1.9K Views, 0 likes, 5 Comments

Questions on Office 365 - Nonprofit E3 plan - RDS support
Hi Community,

One of our customers raised the below query regarding RDS usage rights of Office 365 desktop applications when using the Office 365 Nonprofit E3 plan.

They’re aware that the Office 365 Enterprise E3 plan allows for Office 365 desktop applications to be installed and run from a Remote Desktop Services machine and have previously proposed this for customer environments that require an RDS or Citrix hosted desktop environment. However – the customer is a registered charity and can therefore take advantage of the lower pricing available as part of the Office 365 Nonprofit E3 (They believe they’re currently utilizing a Business Premium plan – presumably the Office 365 Nonprofit Business Premium Plan).

Our query is – does the Office 365 Nonprofit E3 plan include usage rights on a Remote Desktop Services machine similar to the Office 365 Enterprise E3 plan?

When they checked the service description for ‘Desktop virtualization’ (which they believe is the required feature that allows for RDS usage rights) they couldn’t see the Office 365 Nonprofit E3 plan listed amongst the plans. They noticed there are some subtle differences between the Office 365 Nonprofit E3 and Enterprise E3 plans (such as different mailbox sizes as well as Yammer and Stream not listed as available services in the Nonprofit E3 plan), therefore they didn’t want to assume the Nonprofit E3 plan included RDS usage rights.

Any pointers would be of great help. Many thanks in advance.

863 Views, 0 likes, 0 Comments

Office 365 questions
Hi Community,

One of our customers raised the below query:

We have only 2 single domain forests. So only ‘forest A’ and ‘forest B’. The users in both are to be moved to ‘forest NEW’. Customer is looking to use sid history hoping it may make things easier. Customer wants to gradually move the mailboxes of these users to Exchange online, in parallel to their move to Forest NEW.

What are the (im)possibilities that result from the desire to perform the user and exchange online migration at the same time?

Any inputs would be of great help. Many thanks in advance!!

623 Views, 0 likes, 0 Comments

Exchange Hybrid is required for Teams integration
Hi Community,

Do we need Exchange Hybrid to experience full Teams integrated experience with Exchange on-prem 2016 environment? (or) Is that okay if we just enable OAuthentication between Exchange on-prem and Online?

Please advise. Many thanks.

1.5K Views, 0 likes, 1 Comment

Lower office version with Office 365
Hi Experts,

One of our customers has the below requirement:

Our customer has 600 users to move from on premise to Office 365 including email. They're struggling with Office applications as the customer has an LOB application that only works with Office 2016, but as they're new to Office 365, they will get 2019 which is not going to work.

Is there anything we can do here to allow them to get 2016 for 12 months or so before they're ready to upgrade? It seems that there is an option for volume licensing but this is a huge investment on the client side. So, they don't want to go for it.

Any pointers would be of great help. Many thanks!!

Questions on SQL Server hybrid solution authentication with 2 domains via Azure Application Proxy /
Hi Community,

One of our customers raised the below query:

They've got Azure VM (running SQL 2019 Analysis Services) connected to Azure AD via Azure Domain Services. It is on DomainX.com domain. For guest users it works well when using B2B collaboration scenario in Azure service like PowerBI.com; they can share on-premise datasets with guest users and grant different level access as well in my local VM.

https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpower-bi%2Fadmin%2Fservice-admin-azure-ad-b2b&data=02%7C01%7Cbalgan%40microsoft.com%7C374c797132974915f6e008d839b880e0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637322812258394604&sdata=ReEYoJ4tggRvw8lP63sJcB6b1Jb4KnKR08dXbZtyrts%3D&reserved=0

Question:
They need those same guest users to work with on-premise programs as well. For example quest.user@DomainY.com is defined in DomainX.com Azure AD and they've set permissions in SQL Server Analysis Services (in local VM) for that user. Now this same person quest.user@DomainY.com is logged in on his/her personal computer in DomainY.com domain/network environment. They want local programs like Excel etc. to be able to connect to their VM and authenticate using the same guest accounts. Basically they need help setting up this.

https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fb2b%2Fhybrid-cloud-to-on-premises&data=02%7C01%7Cbalgan%40microsoft.com%7C374c797132974915f6e008d839b880e0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637322812258404598&sdata=BCdtuiqyxfODNLi22uzP6RTty%2FBDAb2xKKRqP9tBz44%3D&reserved=0

Any pointers would be of great help! Many thanks!

1.1K Views, 0 likes, 0 Comments

Question on SAML authentication
Hi Community,

One of our customers raised the below environment and raised a couple of queries.

Current environment
>> AAD sync that syncs Office 365 proplus + AD attributes to Office 365
>> MX is pointing to MIMEcast.
>> Mailboxes are currently hosted with Exchange on-prem 2013
>> Citrix NetScaler in place.

Plan
>> Plans to deploy Exchange Hybrid.
>> Then move the mailboxes to EXO
>> Then completely decommission Hybrid and keep an on-prem Exchange for administrative tasks
>> MX is still going to MIMECast

Questions:
1) How will the SAML authentication be handled from an Outlook client on BYOD devices (phones, tablets) and home PCs? Both internal and external.
2) If they have a shared RDS server with Outlook installed will they still be able to access and use the service with same security?
3) If they were to use MFA - they will be required to use the application password - Can we have application password per online service or is it one password per user for all online services? Meaning that there are scenarios wherein SAML may not work on Outlook, or RDS servers and it might require application password. In those scenarios, if we are forced to application password, is this same for one user? (For all the applications such as Outlook client, RDS server etc.)

Any pointers would be of great help. Many thanks in advance.

843 Views, 0 likes, 0 Comments

Permission management in SharePoint online
Hi Community,

One of the customers is currently trying to create a SharePoint site and would like to know how to assign permissions to the different types of SharePoint sites.

Let’s say for example, in SharePoint Admin when they select the option to create a new site the listed options are Team site or Communication site. If they select Team site it will create a new MS Team with a default document folder. If they use the sync tool to sync folders here and use the option to retain file and folder security in the migration tool it will migrate to the Documents folder as required with their AD security group assigned, but any user who happens to be made an owner of the Team site by default will have access to all the folders and files migrated when in reality there may be files they are not to have access to. More worrying is the fact Team owners can delete a Team and with it all the files and folders uploaded to it.

They’re aware that there is a third option for a SharePoint site which is more of a custom site and there is a template to create a Document Centre but they’re looking for advice on best practice. If they are going to migrate their data to SharePoint what is the best way (option) for creating the initial SharePoint site to host the data?

Any guidance would be of great help!

844 Views, 0 likes, 0 Comments

TMO for on-premise windows client.
Hi Community,

One of the customers has a query: Microsoft recently announced the https://docs.microsoft.com/en-us/azure/virtual-desktop/teams-on-wvd solution (Teams media optimization) for using Microsoft Teams on Windows Virtual Desktop (WVD). This solution is comprised of the below installation/configuration on the RD Session Host:

Teams WebSocket Service
Teams version 1.3.00.21759 or higher
The “IsWVDEnvironment” registry key

Customer currently can validate if above works, by starting Teams, going to your icon -> About -> Version. It should show something like “WVD Media….. ”

However, on the client-side the “Windows Desktop client” (WDC) is required. According to this https://docs.microsoft.com/en-us/azure/virtual-desktop/connect-windows-7-10 this client is different from the Remote Desktop Connection client (mstsc). The WDC will ask you to connect to a Workspace URL; or login/subscribe through your e-mail address. It uses a URL like:

https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Frdweb.wvd.microsoft.com%2Fapi%2Farm%2Ffeeddiscovery&data=02%7C01%7Cbalgan%40microsoft.com%7Ce2ba76f4eddd4f8c966e08d85f9fca6c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637364487201212903&sdata=IJ%2Bi8p7HM91KGBZ%2BeBqwYx%2FZKhkNUO%2B%2BTttNV6bDYj4%3D&reserved=0

Personal experience of the customer / understanding on how it works:

What customer has noticed is that – since Windows 10 1809 and Server 2016 – it’s possible to redirect the local video capture device to the Remote Desktop session (basically redirected the encoded video stream directly to the server, so it could forward the stream where needed). This solution – in contrast to the older USB RemoteFX – allows for the local video to be directly streamed to Teams (or “proxied” through the RD SH), with low latency. Other participants will see this video stream without latency on their local device (assuming they run Teams locally); since the ‘Upstream Video’.

The video stream will show up at other participants that also use RD Session Host with a delay, because the stream is basically displayed ‘at the RD Session Host’ and then captured and sent to the RD client (the ‘downstream video’). So it’s not the original stream that is directly transported back to the RD Client.

Questions:

From this experience, customer has a query that, What new redirect ‘video capture devices’ feature in the RD Client does with the upstream video; is what the Teams Media Optimization would do with the downstream video?

In their case they have a client with an On-Prem Remote Desktop environment (comprising of a few RD Session Host, an RD Broker Server, RD Web and RD Gateway server). All based on Windows Server 2019 (but they could test this on Server 2016 as well). This is basically a very similar setup as the WVD solution.

Is it also possible to use Teams Media Optimization in an On-Prem environment? Either using the RDC in combination with the webfeed from RD Web; or future MSTSC software?
Is it on the roadmap?
Will the functionality only be available for WVD (and never become available for an On-Prem environment)?

Any guidance would be of great help.

2K Views, 1 like, 2 Comments

ER provider migration
Hi Community,

One of the customers has a setup in which they’re using MPLS SD1 provider who is providing ER services to handle the workload. Goal is to migrate Express route provider from MPLS SD1 to some other provider and decommission the current one. Looking for the best way to keep a co-existence wherein we can have two ERs on the same Virtual Network Gateway during the migration.

Questions:
1. Is it possible to easily keep and manage the routing between the two ERs? If not any other best practices?
2. Will there be any impacts/implications etc?

Any guidance would be of great help. Many thanks in advance.

720 Views, 0 likes, 0 Comments

Questions on availing db encryption key and licence limitation.
Hi Community,

One of our customers has the below queries.

Customer is active in the Financial industry, very sensitive to data protection and access. Customer does have already D365 Marketing installed and would like to extend its usage but needs to fulfill certain compliance requirements. BYOK is a good, valid technical option but unfortunately they seem to be “too small” to be able to use it:

https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpower-platform%2Fadmin%2Fmanage-encryption-key&data=02%7C01%7Cbalgan%40microsoft.com%7C4da7e97e49b44411cc8108d854c883e5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637352567487573717&sdata=jiExC5ewzUYvzcfqcgWjyKpZxy8Y82UpWnnIaqMKUNc%3D&reserved=0

They have users /potential licenses is more ~ the 100 than the 1’000. For this market, besides the big 2 major banks they would probably won’t be much opportunity for D365 Marketing with environment with more than 1’000 licenses. Customer would be a great reference to penetrate the Financial market with D365 Marketing.

Requirements:
They’re looking for an alternative technical solution to BYOK one as self-managed database encryption keys are only available for customers who have more than 1000 Power Apps plan or D365 plan.

Question:
Is there a way to consider the license level requirement for smaller markets?

Any guidance would be of great help!

508 Views, 0 likes, 0 Comments

SRV record conflict between on-prem SfB server and Teams
Hi Community,

One of our customers currently has Teams tenant and the required DNS records in Public DNS. But there are some higher officials' accounts that require on-prem SfB server for security reasons. Customer would like to enable SRV records in on-prem for automatic sign in, external sign in etc. They don't want to create hybrid deployment.

The reason is we need to create the SRV record, _sipfederationtls_tcp.contoso.com pointing to on-prem Access edge for external signin. Similarly we need to create the SRV record for online Teams signin pointing to sipfed.lync.online.com

Questions:
1. Is there any conflict on SRV records required for on-prem external, automatic sign in and Teams users sign in? (Because we don't have hybrid deployment but the domain is same for on-prem and online, but there is no hybrid, split domain, for example Contoso.com)
2. Will public DNS accept two similar entries (_sipfederationtls) one for on-prem and another one for Teams tenant?

Any guidance would be of help. Many thanks!

Single on-prem AD forest Exchange migration to Multiple Office 365 tenants
Hi Community,

One of our customers has about 12 Exchange servers in single AD forest with 10,000 mailboxes. They've multiple organizations segregated by Organization Units (OUs). Let's say they've the below forest:

On-prem AD
Exchange 2016 server
Organizations are segregated by OU1, OU2, OU3 etc.

They'd like to migrate OU1 to M365 tenant 1 and OU2 to M365 tenant 2 and OU3 to M365 Tenant 3.

Question:
1. What is the best approach for this type of migration, having single AD forest and migrate the mailboxes from different OUs to different tenants?
2. Can we get this done with Hybrid or 3rd party migration?

Any guidance would be of great help! Many thanks!

Teams Desktop, mobile clients Vs Teams meeting room
Hi Community,

Are there any specific differences between Teams desktop/mobile clients and Teams meeting rooms? Our customer wants to invest in camera and other peripherals to leverage the Teams desktop/mobile clients rather than Teams meeting room. Again it is for just a 50-user organization. Is it required to purchase Teams meeting room or can we manage it with Teams desktop/mobile clients?

Any guidance would be of great help!

Solved