Top 5 Azure Information Protection Limitations

Before I discuss the limitations of any product, I try my best to point out all of the things I appreciate about a product. In general, you will not hear Microsoft tell you about product limitations. I suspect it is a culture thing. But then again, do you expect a new car salesman to tell you about the limitations of the car they are trying to sell you?

So let me first point out that I have been a longtime fan of Microsoft’s Rights Management Services (RMS) which debuted in Windows Server 2003. As the product evolved over the years into what is now called Azure Information Protection, I became an even greater admirer of the product as well as the team within Microsoft responsible for its development.

A key milestone came when RMS was ported to Azure, because it became easy to enable (with one mouse click), eliminating the effort to configure servers on-premises, and especially the underlying Public Key Infrastructure (PKI) environment that RMS required.

With the rise in popularity of Office 365 (100 Million subscribers), many began to take advantage of RMS because it is included for free in the most popular business subscription (known as the “E3” license).

One of my favorite RMS features came in September of 2015, when Microsoft announced Document Tracking and Revocation capabilities (here). I’m still amazed by how cool this feature is, allowing you to see a map of the world and the location of where your documents have been opened!

Another key milestone in the evolution of RMS came when they acquired Secure Islands (announced by Takeshi Numoto on 11/9/2015). Six months later, Dan Plastina (@TheRMSGuy) first announced on 6/22/16 (here) that RMS would be rebranded as “Azure Information Protection” (AIP) and later reached general availability in October 2016 (here).

AIP is a truly jaw-dropping experience. As you author content, the document is automatically labeled and encrypted on the fly if sensitive information is found (ex: credit card numbers, social security numbers, or data you define as sensitive using regular expressions). The content itself is encrypted with an AES key, and that key is in turn protected by the tenant's 2048-bit RSA key.

As a consultant, my job is to listen to customer problems, and then recommend solutions. This leads me to the title of this post – AIP Limitations.

Azure Information Protection Limitations

1. External Sharing using AIP with business partners who are still running Office 2010 (or older) needs improvement

When you protect a document with AIP, and you want to send that document to an external user, things go smoothly if they are running Office 2013 or Office 2016.

However, a lot of companies still run Office 2010. This is what their experience would look like:

“Dear External User,

We would like to share sensitive documents with you. If you are running Office 2013 or 2016, and if you have an Office 365 subscription, then you should be able to open the attachments without a problem.

Otherwise, if you are using Office 2010, you will need the following before you can open the documents we send you:

      1. Local Administrator Rights are required to install the Azure Information Protection Client
      2. Download and install the Azure Information Protection Client
        1. If you are running Windows 7, you first need to install KB 2533623 (This will require a reboot)
        2. Note: Office 2010 requires Microsoft Online Services Sign-in Assistant version 7.250.4303.0. This version is included with the AIP client installation; however, if you have a later version of the Sign-in Assistant, uninstall it before you install the Azure Information Protection client.
        3. Note: The AIP Client will automatically install the .NET 4.6.2 Framework, so be sure not to deploy this on any machine that has known compatibility issues with the 4.6.2 framework.
      3. Be advised, that in some cases, even if you follow all of the steps above, you may still get an error message when attempting to open an RMS or AIP protected document in Office 2010. The work-around is to create a few registry entries for the service location as documented in the AIP Client Admin guide (here).

If you do not have an Office 365 Subscription, you will need to sign up for “RMS for Individuals” (this is a free identity platform that allows you to open the documents we send to you).”

2. Ad hoc external sharing using an AIP label is not possible

Let's say you get a call from a new customer or business partner who wants you to send them a Microsoft Word document. The document is too large to email, so you host it in online storage (ex: OneDrive, SharePoint, Dropbox, etc.). You might be tempted to click an AIP label that says "Business Partner" or "Client Confidential", but that would not work in the current implementation of AIP: labels must be associated with an RMS template, RMS templates grant rights to mail-enabled security groups, and those groups must contain a contact object for the external recipient. Since normal end users cannot create contact objects in Active Directory or Azure Active Directory, they must submit a helpdesk ticket for the external contact to be created and then added to the appropriate mail-enabled security group. You get the picture: this process just broke down fast. Essentially, there is no way with AIP today to associate a label with ad hoc external sharing. Labels can only be used for defined and known business partners who are pre-configured as contact objects in a group that is granted rights by an RMS template, which is in turn tied to a label. It would be just as exhausting to implement this as a process as it was to type it all out, I am sure!
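To make the dependency chain concrete, here is the same relationship expressed with the AADRM PowerShell module. This is an added example and not code from the original post; the partner group address, the Legal address, the template name and the license duration are placeholders, and it assumes Connect-AadrmService has already been run by a tenant administrator.

```powershell
# Added example (not from the original post): the dependency chain behind an AIP label,
# expressed with the AADRM module. Addresses, names and durations below are placeholders.

# 1. A template grants rights to an *address*, which must resolve to a mail-enabled
#    security group (or user) in the tenant directory. An external partner only becomes
#    addressable once a contact object exists and has been added to that group, which is
#    the helpdesk step that breaks ad hoc sharing.
$partnerRights = New-AadrmRightsDefinition -EmailAddress 'partners-acme@contoso.com' -Rights 'VIEW','EDIT','EXPORT'
$ownerRights   = New-AadrmRightsDefinition -EmailAddress 'legal@contoso.com' -Rights 'OWNER'

# 2. Publish the template. In the AIP portal a label is then bound to this template,
#    so the label can never name a recipient that is not already in the group above.
Add-AadrmTemplate -Names @{ 'en-us' = 'Client Confidential (Acme)' } `
    -Descriptions @{ 'en-us' = 'View/edit for the Acme partner group; Legal owns the content' } `
    -RightsDefinitions $partnerRights, $ownerRights `
    -LicenseValidityDuration 30 `
    -Status Published

# 3. Audit: dump the rights definitions of every published template so you can confirm
#    that each one resolves to a pre-provisioned group rather than an ad hoc recipient.
Get-AadrmTemplate | Where-Object { $_.Status -eq 'Published' } | ForEach-Object {
    "--- Template $($_.TemplateId)"
    Get-AadrmTemplateProperty -TemplateId $_.TemplateId -RightsDefinitions | Format-List
}
```

The audit step is the one worth running periodically: every address that shows up there is a group whose membership (including any contact objects for partners) now controls who can open documents carrying that label.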

3. There is no Mac OS X client for Azure Information Protection.
The workaround, as best as I can tell, is to have Mac users try the legacy "RMS sharing app" for Mac OS X, the application written before the AIP client was released.

4. In April 2016, a weakness was published in the RMS technology that allows someone with only View rights to escalate their privilege and change the document by stripping RMS protection from it (which could be undesirable if they then re-share the document with unauthorized parties, or if the document is exposed in the wild, ex: lost/stolen laptop, ransomware, etc.). This is documented on Wikipedia here, and proof-of-concept code is available for testing from GitHub (here). In my opinion this issue isn't too serious, because it requires one of the named users who is authorized to view the document to misuse that access. In other words, an unauthorized party cannot break the encryption. The caveat worth keeping in mind is that any client-enforced usage right (View without Edit, no Print, no Copy) ultimately depends on the viewer's software honoring it, because the viewer must hold the content key to render the document at all.

5. OneDrive
Protecting documents with AIP or RMS automatically when they are uploaded to OneDrive is currently not a great idea. First, Microsoft has removed the navigation button that exposes this setting, so you would have to find the direct hyperlink to the document library settings to enable IRM on your OneDrive document library. Even if you did, it would prevent you from sharing any of those documents with outside users, because there is no straightforward way to make a OneDrive library's IRM settings understand external users. It essentially ends the ad hoc sharing capabilities of OneDrive; perhaps that is why Microsoft removed the site settings navigation button in OneDrive.

Guidance

So given these limitations, what do I recommend?

  • I recommend you use AIP to protect sensitive information that should be accessible to internal employees, or to known/named individuals at business partners. When communicating with a business partner for the first time, try to find out if they use Office 2010, and if so, warn them that it will be a rocky road (see the sample email template above). Fortunately, Office 2013 and 2016 natively open AIP-encrypted documents.
  • If you need to share documents with encryption in transit, use Office 365 Message Encryption (OME). The limitation of OME (today) is that the recipient can save the attachment and do anything they want with it: the encryption does not follow the attachment once the recipient saves it to their computer. This will be resolved with the upcoming Secure Email feature announced at the 2016 Ignite conference.
  • If you need to securely share emails and documents with Gmail users, wait for the upcoming Secure Email solution announced at the 2016 Microsoft Ignite conference (watch the video here, starting around the 46-minute mark).

Roadmap

Will things get better? In many cases, yes; however, not for the external user who needs to edit an AIP/RMS-protected document using Office 2010.
The proposed Secure Email solution will make it seamless for any user to VIEW AIP/RMS-protected documents by providing a web-browser experience. But if the business process requires the external user to make changes and send them back, my understanding is that this capability will not be in Secure Email when it is released (from what I have heard, anyway). To be clear, if the external user is given edit rights and is still on Office 2010, they are going to have the same pain points described above.

AIP Licensing

AIP can be licensed in one of four methods:

  1. You can get AIP as a standalone license for $2/user/month.
  2. You can get AIP as part of the Azure Active Directory Premium P1 or P2 license families.
  3. You can get AIP in the Enterprise Mobility + Security E3 or E5 license families.
  4. Or you can get AIP as part of the Secure Productive Enterprise E3 or E5 license families.

If you just need the original RMS capabilities (encryption, access control and policy enforcement) then you can license that individually or as part of the Office 365 E3 license.

If you need the Document Tracking and Revocation Capabilities, you’ll find that in the Enterprise Mobility + Security E3 or Secure Productive Enterprise E3.

Note: AIP automatic labeling is an advanced feature that requires the AADP P2, or EMS E5, or SPE E5 license. Otherwise, the down-level version of AIP requires the user to manually label documents they create.

Moving from Azure Classic to Azure Resource Manager (ARM)

Microsoft has made great strides in making it easy to migrate from Azure Classic (aka IaaS 1.0) to Azure Resource Manager (aka ARM, or what I consider IaaS v2.0).

At a very high level, the process involves migrating the virtual network (vNet) first, which migrates the VMs in it along with it. The next step is to migrate the storage accounts.

The process is straightforward: follow the step-by-step PowerShell guidance (here), and there is a nice video walkthrough (here).

One interesting thing I observed is that the vNet, VM and Storage account will all have the “-Migrated” name appended to the end of the previously named object.

At this time it doesn’t appear possible to rename a resource group (feature request is marked as ‘pending’ on this website here).

The workaround is to create a new resource group and then move the migrated resources into it.
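The whole sequence, from validating the vNet through moving the "-Migrated" resources into a group with a sensible name, looks like this in PowerShell. This is an added example rather than code from the post or from Microsoft's guide; the subscription, vNet, storage account and resource group names are placeholders, and it assumes both the classic Azure module and the AzureRM module are installed.

```powershell
# Added example (not from the original post): Classic-to-ARM migration flow, then a
# move of the auto-named "-Migrated" resources into a new resource group, because
# resource groups cannot be renamed. All names below are placeholders.

Add-AzureAccount                                    # classic (ASM) session
Login-AzureRmAccount                                # ARM session
Select-AzureSubscription   -SubscriptionName 'Contoso Prod'
Select-AzureRmSubscription -SubscriptionName 'Contoso Prod'

# One-time: register the migration resource provider and wait until it is registered.
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.ClassicInfrastructureMigrate | Out-Null
do {
    Start-Sleep -Seconds 5
    $state = (Get-AzureRmResourceProvider -ProviderNamespace Microsoft.ClassicInfrastructureMigrate).RegistrationState
} until ($state -eq 'Registered')

# 1. Virtual network: Validate, Prepare, Commit. Prepare builds the ARM copies side by side
#    (the VMs in the vNet come along); Abort rolls everything back as long as you have not committed.
$vnet = 'ContosoVNet'
$validation = Move-AzureVirtualNetwork -Validate -VirtualNetworkName $vnet -Verbose
if ($validation.ValidationMessages) {
    $validation.ValidationMessages
    throw "Validation failed for vNet $vnet; fix the issues above before preparing."
}
Move-AzureVirtualNetwork -Prepare -VirtualNetworkName $vnet
# Inspect the prepared resources in the ARM portal at this point. To roll back instead:
#   Move-AzureVirtualNetwork -Abort -VirtualNetworkName $vnet
Move-AzureVirtualNetwork -Commit -VirtualNetworkName $vnet

# 2. Storage accounts, only after every VM whose disks live in them has been migrated.
$storage = 'contosostorage01'
Move-AzureStorageAccount -Validate -StorageAccountName $storage
Move-AzureStorageAccount -Prepare  -StorageAccountName $storage
Move-AzureStorageAccount -Commit   -StorageAccountName $storage

# 3. The migration drops the vNet (and its VMs) into "<vNet>-Migrated" and the storage account
#    into "<account>-Migrated". Create the group you actually want and move everything across.
#    Dependent resources (VM, NICs, vNet, storage) must be moved together.
$newGroup = 'rg-contoso-prod'
$location = (Get-AzureRmResourceGroup -Name "$vnet-Migrated").Location
New-AzureRmResourceGroup -Name $newGroup -Location $location | Out-Null

foreach ($oldGroup in "$vnet-Migrated", "$storage-Migrated") {
    # AzureRM < 6 lists by group with Find-AzureRmResource; newer builds use
    # Get-AzureRmResource -ResourceGroupName. Adjust to the module version you run.
    $ids = (Find-AzureRmResource -ResourceGroupNameEquals $oldGroup).ResourceId
    if ($ids) {
        Move-AzureRmResource -DestinationResourceGroupName $newGroup -ResourceId $ids -Force
    }
}
```

The Validate step is the one people skip; it is also the only step that is free to run repeatedly, so run it until ValidationMessages comes back empty before you Prepare anything.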

Avoid Cisco Meraki for S2S VPN with Azure

Just got off a phone call with some engineers at Microsoft who informed me that both Cisco and Microsoft have mutually agreed that using a Cisco Meraki firewall is not recommended for creating site to site (S2S) VPN tunnels to Microsoft Azure.

The issue is that the IKE Phase 1 lifetime (timeout) value the Meraki uses is not one that Azure supports.

This was rumored to be fixed in late 2016, and then in a firmware update in February 2017, but as of yet we have not seen it.

If anyone has updated information on this please post it in the comments as I have a few clients running the Meraki’s.

Thanks,

Joe

Error 1603 when Installing Skype for Business Server 2015

[Updated 3/25/2017]

During the installation of Skype for Business Server 2015 you may run into errors if you select 'Connect to the internet to check for updates' and you also change the default installation location to something other than the C:\ drive. There is a potential third variable that might be required to hit the problem as well: not initially deploying conferencing in the front end pool wizard in Topology Builder. (Additional testing would be needed to isolate it further.)

The error actually happens later, during the server component installation, and reads:

    Failure code 1603
    Error returned while installing OcsMcu.msi, code 1603. Error Message: "A fatal error occurred during installation"

The solution was to uninstall just the Skype components from Control Panel and then re-run Setup. It only took 10 minutes, so it wasn't too big of a deal. But now we must remember to manually apply the latest cumulative updates after the installation completes =)

The uninstall order (for what it is worth): first uninstall XMPP, then proceed with the remaining components, uninstalling the core components last. It is not necessary to remove all the language packs and local SQL instances (at least in my case it wasn't).

At this point you will be able to successfully complete the full installation of Skype for Business. But you are not out of the woods yet! Because when you attempt to apply the latest cumulative update (in my case it was February 2017) then you will have that same Error 1603 on the Conferencing Service (OCSMCU.msi). When digging into the log files it appears that it is trying to find some files on the C:\ drive despite that during the installation, we selected a custom install path to the E:\ drive. 

The solution for me was to uninstall again a 2nd time, and this time I updated the Topology builder to include all of the AV Conferencing Options.

So my recommendation is to deploy to the C:\ Drive (just make it a large drive like 250GB) and to initially deploy all of the conferencing features to avoid these issues.

Reference: https://social.technet.microsoft.com/Forums/ie/en-US/42e284fb-ae07-424c-9ed3-07b6a85748da/skype-for-business-server-components-install-fails-when-patching-ocsmcumsi?forum=sfbfr

Windows Information Protection

Windows Information Protection (WIP) is a feature of the Windows 10 Anniversary Update that helps protect corporate information by encrypting data using the Encrypting File System (EFS).

This is not to be confused with Azure Information Protection (which was rebranded from Azure Rights Management Services RMS).

How WIP works

Enterprise data is automatically encrypted after it’s downloaded to a device from SharePoint, a network share, or an enterprise web location, while using a WIP-protected device or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.

A WIP Policy includes a list of applications that are allowed to access corporate data. This list of apps is implemented through AppLocker functionality.

Requirements

Requires an Intune, SCCM, or supported 3rd-party MDM policy.

Devices require the Windows 10 Anniversary Update (version 1607) and must be managed by Intune, SCCM, or a supported 3rd-party MDM (I was unable to find a list of supported 3rd-party MDMs).

Limitations

  • Files encrypted with WIP cannot be shared externally. The user would need the ability to remove WIP protection from a particular file and then re-encrypt it with a separate technology such as Azure Information Protection.
  • All clients in your environment must be running the Windows 10 Anniversary Update, or be mobile devices managed by Intune or a supported 3rd-party MDM. For example, a Mac OS X machine that downloads data from SharePoint, a file share, or anywhere else is not protected by WIP, so that employee can bypass WIP and leak sensitive information. Think of WIP as a client-side control that is only truly effective when every client system fits the mold.
  • WIP is not compatible with DirectAccess. The workaround is to replace DirectAccess with Windows 10 Always On VPN for client access to the intranet.*
  • WIP is not compatible with Network Isolation (IPsec feature).
  • Cortana must be disabled, otherwise Cortana can leak encrypted information.*
  • WIP is not compatible with shared workstations: one user per device.*
  • Name changes (for example after marriage or separation) can disrupt WIP. Workaround: disable WIP before changing someone's first or last name.* This is time-intensive because it requires decrypting every file that WIP protected.
  • Internet Explorer 11 with web pages that use ActiveX controls can cause data leakage. The workaround is to use the Microsoft Edge browser, but not all websites are compatible with Edge.*
  • Only 11 applications are WIP "enlightened apps" (see the list below). Any other app the policy allows treats everything it saves as corporate data and encrypts it, and that data cannot be shared externally unless the user manually removes the encryption and re-encrypts with AIP.

*https://technet.microsoft.com/en-us/itpro/windows/keep-secure/limitations-with-wip
References

Original Announcement from 6/29/2016

https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/introducing-windows-information-protection/

Official Documentation for WIP

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip

WIP “Enlightened Apps”

  • Microsoft Edge
  • Internet Explorer 11
  • Microsoft People
  • Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
  • Microsoft Photos
  • Groove Music
  • Notepad
  • Microsoft Paint
  • Microsoft Movies & TV
  • Microsoft Messaging
  • Microsoft Remote Desktop

*These apps can tell corporate data from personal data and let the user save a file as personal (unencrypted). Any other application allowed by the policy encrypts everything it saves with EFS.

Patriot Guidance

Use Azure Information Protection and avoid WIP unless you have a regulatory reason that justifies the effort to deploy WIP, because of its restrictive encryption policy and because only 11 apps allow the user to save things without encryption. One look at the implementation page (here) shows how difficult an implementation would be, and more so to maintain.

Extension Dialing (aka) Tenant Dial Plans in Skype for Business Online

Microsoft has announced that “Tenant Dial plans” are now in Public Preview in Office 365 Cloud PBX. This is relevant for companies that migrate to Office 365 Cloud PBX (Skype for Business Online) and come from legacy PBX environments that include dial plans, such as a “4-digit” or “5-digit” dial-plan. For example, dial 1234 for Jim in California, or 51234 for Juan in Mexico.

Another scenario where this is useful is when users want to dial a shorter number for outside calls. For example, in the United States, you may want to dial a 7 digit number instead of the full 10 digits including your area code. Tenant Dial Plans allow you to do this.

For example, you can create a rule that matches exactly 7 digits, '^(\d{7})$', and prepends the E.164 '+', the country code and the area code: '+1425$1'.

So that if 5551234 is dialed by the end-user, the actual number sent out would be +14255551234.

TIP: A normalization rule like this would be considered a ‘tenant-user’ plan because it would need to be applied on a per-user basis, since you can’t assume that all users in that country dialing 7 digits will always want a Seattle area code.

Sign-up for Tenant Dial Plans at Skype Preview  http://skypepreview.com

To learn more, watch the Skype Academy training video (26 minutes) here:

https://www.youtube.com/watch?v=sA4p77Shmns&index=1&list=PLH5ElbTc1hWTsunfXvNVnDFCJCCzrL3R9

Lessons Learned from watching the video above:

  • Only supported for soft clients, because the firmware on existing handsets was written before this feature existed.
  • The administrative interface is PowerShell, but a GUI was promised "in a few months" according to the Skype Academy training.
  • Tenant dial plans are applied differently than dial plans in an on-premises Skype deployment. On-premises, dial plans are applied most-specific first (User, then Pool, then Site, then Global), and if a user dial plan is assigned, all other dial plans are ignored. With Cloud PBX tenant dial plans, the "service country" dial plan is always applied and is merged with one of two options: a tenant-user dial plan or a tenant-global dial plan.
  • Before you can use tenant dial plans in your Cloud PBX tenant, you must first configure hybrid users to consume the tenant dial plan instead of the on-premises one, for example:

        Set-CsTenantHybridConfiguration -UseOnPremDialPlan $false
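Putting the 7-digit rule above and the tenant-user versus tenant-global distinction together, here is the rule tested locally, published as a tenant-user plan, and a 4-digit extension rule added to the tenant-global plan. This is an added example, not code from the post or the Skype Academy video; it assumes an existing Skype for Business Online PowerShell session (New-CsOnlineSession / Import-PSSession), and the 425 area code, the 555 exchange, the extension range, user names and plan names are placeholders.

```powershell
# Added example (not from the original post): tenant dial plan rules in Skype for Business
# Online. Area code, exchange, extension range, user and plan names are placeholders.

$pattern     = '^(\d{7})$'
$translation = '+1425$1'

# Local dry run: -replace uses the same .NET regex and $1 back-reference semantics as a
# normalization rule, so the pattern can be exercised before touching the tenant.
'5551234'     -replace $pattern, $translation   # +14255551234
'14255551234' -replace $pattern, $translation   # unchanged: 11 digits never match ^\d{7}$
'911'         -replace $pattern, $translation   # unchanged: short emergency numbers are not rewritten

# Tenant-user plan: granted per user, since not everyone in the country wants a 425 prefix.
$local7 = New-CsVoiceNormalizationRule -Parent Global -Name 'Seattle7Digit' `
    -Description '7-digit local dialing for 425 users' `
    -Pattern $pattern -Translation $translation -InMemory
New-CsTenantDialPlan -Identity 'SeattleUsers' -Description 'Seattle office' `
    -NormalizationRules @{ Add = $local7 }
Grant-CsTenantDialPlan -Identity 'jim@contoso.com' -PolicyName 'SeattleUsers'

# Tenant-global plan: a 4-digit extension range that applies to every user and is merged with
# the service-country plan. Placeholder mapping: extensions 1000-1999 land on +1 425 555 1xxx.
$ext4 = New-CsVoiceNormalizationRule -Parent Global -Name 'Ext4Digit' `
    -Description '4-digit internal extensions' `
    -Pattern '^(1\d{3})$' -Translation '+1425555$1' -InMemory
Set-CsTenantDialPlan -Identity Global -NormalizationRules @{ Add = $ext4 }

# Verify the merged result, which is what the soft client will actually apply.
Get-CsEffectiveTenantDialPlan -Identity 'jim@contoso.com'
Test-CsEffectiveTenantDialPlan -Identity 'jim@contoso.com' -DialedNumber 5551234
```

Anchoring both patterns with ^ and $ is deliberate: without them '5551234' would also be matched inside an 11-digit number and the extension rule would fire on any number containing a 1xxx run.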

OneDrive NGSC for SharePoint Team sites is now GA

Yesterday 1/24/17, Microsoft announced (here) that the OneDrive Next Generation Sync Client (NGSC) which replaces the older Groove.exe sync client now supports syncing SharePoint Online document libraries (sorry, no NGSC for on-premises SharePoint).

First verify that the build number is 17.3.6743.1212 or later.

It is supposed to automatically update but you can also download it from: http://onedrive.com/download

If you were previously participating in the preview build so that you could test this feature, you had to deploy a registry value called "TeamSiteSyncPreview" to enable syncing SharePoint team sites.

Now, as long as you have the client build 17.3.6743.1212, then the registry key is no longer necessary.

However, if you don’t have the registry key then you will need to change a brand new setting that just appeared in the SharePoint Online Admin Center called Sync Client for SharePoint.
As you can see in the screen shot below, the setting for ‘Sync Client for SharePoint’ defaults to ‘start the old client’.

Important: This needs to be changed to ‘start the new client.’

So if you don’t have access to your SharePoint tenant to change the default sync client for SharePoint to use the new client, you can use the registry key to override it locally on your system.

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive]
    "TeamSiteSyncPreview"=dword:00000001

 

Tip: If you are in there modifying the tenant, you might as well make sure the "OneDrive Sync Button" setting is also set to "Start the new client."

These changes take several hours to propagate. To check that they’ve propagated, go to a SharePoint Online site and click Sync. In the browser dialog box that confirms the request to open a program, the “Program” should appear as “Microsoft OneDrive” and the “Address” should start with “odopen://”
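For the case where you cannot change the tenant setting and have to fall back to the local override, here is a small script that checks the installed sync client build before setting the value and then confirms which program owns the odopen: protocol that the Sync button launches. This is an added example, not code from the post; it assumes the standard per-user install path of OneDrive.exe and that the odopen: handler is visible under HKEY_CLASSES_ROOT.

```powershell
# Added example (not from the original post): gate the TeamSiteSyncPreview override on the
# required build and verify the odopen: protocol handler. Paths and registry locations are
# the standard per-user ones and are assumptions, not taken from the post.

$MinimumBuild = [version]'17.3.6743.1212'

function Get-OneDriveBuild {
    $exe = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'
    if (-not (Test-Path $exe)) { return $null }
    [version](Get-Item $exe).VersionInfo.FileVersion
}

function Enable-TeamSiteSyncOverride {
    $build = Get-OneDriveBuild
    if (-not $build) {
        throw 'OneDrive.exe not found; install the new sync client from onedrive.com/download first.'
    }
    if ($build -lt $MinimumBuild) {
        throw "Installed build $build is older than $MinimumBuild; let the client auto-update or reinstall."
    }
    $key = 'HKCU:\SOFTWARE\Microsoft\OneDrive'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'TeamSiteSyncPreview' -PropertyType DWord -Value 1 -Force | Out-Null
    "TeamSiteSyncPreview set for the current user; OneDrive build $build"
}

function Test-OdopenHandler {
    # The Sync button opens an odopen:// URL. If that protocol is not registered, the new
    # client has never signed in on this machine and the browser will fall back to the old one.
    $cmd = Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\odopen\shell\open\command' -ErrorAction SilentlyContinue
    if (-not $cmd) { return 'odopen: protocol is not registered; start the new client and sign in once.' }
    if ($cmd.'(default)' -match 'OneDrive\.exe') { "odopen: is handled by the new client: $($cmd.'(default)')" }
    else { "odopen: is handled by something else: $($cmd.'(default)')" }
}

Enable-TeamSiteSyncOverride
Test-OdopenHandler
```

Run it in the user's own session (the value lives under HKEY_CURRENT_USER), and remember that it only affects that one machine; the tenant-wide setting is still the right fix when you can get it changed.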

Troubleshooting

If you see either the OneDrive Setup Wizard or a dialog box asking “Which library do you want to sync?” after clicking “Allow” in Internet Explorer, then see Known issues for instructions on how to enable SharePoint site setup in Internet Explorer. There is a known issue that is actively being investigated by Microsoft: If you are using Windows 7 and your SharePoint Online site is still using the classic UI rather than the new modern UI, then you will need to use Edge, Chrome or Firefox until the integration issue with Internet Explorer is resolved.

 

On a Mac, you may find that you need to perform these additional steps:

  1. If you are currently using the OneDrive Mac App Store app, you must first uninstall it before installing the latest build of the new OneDrive sync client:
     1. Open Finder and search for "OneDrive.app" or "OneDriveDF.app" in "This Mac."
     2. Move all returned items to the trash.
     3. Once you've removed the App Store app, install the latest build of the new OneDrive sync client.
  2. Exit the new OneDrive sync client by clicking the OneDrive cloud icon in the menu bar and selecting Quit OneDrive.
  3. Open a Terminal window (press Cmd+Space and search for "Terminal").
  4. Run the following commands:

        defaults write com.microsoft.OneDrive TeamSiteSyncPreview -bool True
        defaults write com.microsoft.OneDriveUpdate Tier Team
        killall cfprefsd

  5. Restart the sync client and sign in again if prompted.

Reference: https://support.office.com/en-us/article/Enable-users-to-sync-SharePoint-files-with-the-new-OneDrive-sync-client-22e1f635-fb89-49e0-a176-edab26f69614?ui=en-US&rs=en-US&ad=US

How to restrict Office 365 Groups Creation to IT Department Only

Currently, an Office 365 Group can be created in OWA, the Outlook 2016 Client, Office 365 Planner, SharePoint, Microsoft Teams and PowerBI.

You may want to restrict Office 365 Group Creation to a group of authorized users (example: the IT Department): for testing, preparing support desk & training materials, etc. Then when ready, you can add additional authorized users to this group. Decide if you will use an existing Office 365 Group or Distribution Group, or create a new group, ex: “O365GroupCreators.” The catch is that the group cannot have other groups in it, group members must be users directly added.

Note: Users with higher tenant roles will always have the ability to create O365 Groups (ex: Global Admins).

Instructions:

Uninstall any preview versions of Azure Active Directory PowerShell.

Download and install Azure Active Directory PowerShell v1.1.130.0 Preview from Connect:

http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

Launch Azure Active Directory PowerShell, then run these commands:

  1. Connect-MsolService
  2. Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $True
     ^^ If this is set to $false, the settings below will not take effect.
  3. $template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
  4. $setting = $template.CreateSettingsObject()
  5. New-MsolSettings -SettingsObject $setting
     (skip this step if a Group.Unified settings object already exists in the tenant; New-MsolSettings errors out if there is one)
  6. $group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
  7. $settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
  8. $singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
  9. $value = $singlesettings.GetSettingsValue()
  10. $value["EnableGroupCreation"] = "false"
  11. $value["GroupCreationAllowedGroupId"] = $group.ObjectId
  12. Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value
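After applying the steps above, it is worth reading the setting back and checking the allowed-creators group for the nested-group catch mentioned earlier. The function below does that; it is an added example, not part of the post or of Drew Madelung's scripts, and it assumes Connect-MsolService has already been run and that the group display name you pass is unique in the tenant.

```powershell
# Added example (not from the original post): verify the Group.Unified restriction and flag
# nested groups inside the allowed group, which the procedure above warns are not honored.
# Assumes an existing Connect-MsolService session; the group name is a placeholder.

function Test-GroupCreationRestriction {
    param([Parameter(Mandatory)][string]$AllowedGroupDisplayName)

    $settings = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $settings) {
        return 'No Group.Unified settings object exists; Office 365 Group creation is unrestricted.'
    }
    $value = (Get-MsolSettings -SettingId $settings.ObjectId).GetSettingsValue()

    $group = Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $AllowedGroupDisplayName }
    if (-not $group) { return "Group '$AllowedGroupDisplayName' not found." }

    $problems = @()
    if ($value['EnableGroupCreation'] -ne 'false') {
        $problems += 'EnableGroupCreation is not "false"; everyone can still create groups.'
    }
    if ($value['GroupCreationAllowedGroupId'] -ne $group.ObjectId) {
        $problems += "GroupCreationAllowedGroupId does not point at '$AllowedGroupDisplayName'."
    }

    # Only directly added users count; a nested group's members are silently ignored.
    Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
        Where-Object { $_.GroupMemberType -eq 'Group' } |
        ForEach-Object { $problems += "Nested group '$($_.DisplayName)' will be ignored; add its users directly." }

    if ($problems.Count -eq 0) {
        "OK: only direct members of '$AllowedGroupDisplayName' (plus admin roles) can create Office 365 Groups."
    } else {
        $problems
    }
}

Test-GroupCreationRestriction -AllowedGroupDisplayName 'O365GroupCreators'
```

Keep in mind the note above: users holding elevated tenant roles such as Global Admin can still create groups whatever this check reports.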

References:

https://support.office.com/en-us/article/Manage-Office-365-Group-Creation-4c46c8cb-17d0-44b5-9776-005fced8e618?ui=en-US&rs=en-US&ad=US

http://drewmadelung.com/managing-office-365-group-creation-via-azure-ad/

Sample Office 365 Group Syntax:

https://github.com/dmadelung/O365GroupsScripts/blob/master/DrewsO365GroupsScripts.ps1

OneDrive Admin Center First Look

[Post Updated 12/19 to correct the statement on Device Access with MAM settings]

At the Ignite conference, Microsoft announced (Here) that a new OneDrive Admin Center was coming before the end of 2016. It’s here now!

 

Accessing the new Admin Center is available via the hyperlink below for Office 365 tenants configured for ‘First Release.’ It is currently in preview ‘aka Beta’ and will eventually get added into the Admin menu. Until then, you need to access it via direct URL:

https://admin.onedrive.com

 

Here are my first impressions of the new admin center.

  • Better visibility into some settings that were previously only available through PowerShell

 

  • Some new MDM capabilities that previously required an Intune license

 

  • Nicely summarized Compliance Page with links for Auditing, DLP, Retention, eDiscovery, and Alerting. (No new capabilities, but it’s informative, educational and convenient to have them all listed for OneDrive Admin)

 

  • Several new settings are available in the OneDrive Admin Center that were previously not exposed in the SharePoint Admin Center:
    • Default storage (ability to increase from 1 TB to 5 TB) (previously only available in PowerShell)
    • Days to retain files in OneDrive after a user account is marked for deletion (previously only available in PowerShell)
    • New features: Device Access
      • Control access based on network location (this was briefly available in the SharePoint Admin Center, was subsequently removed, but remained configurable in PowerShell)
      • Control access from apps that can't enforce device-based restrictions
      • Mobile Application Management (requires an Intune license, as this uses the Intune API to change the Intune MAM settings)
    • Allow syncing only on PCs joined to specific domains (previously only available in PowerShell); here is a TechNet article on how to enumerate domain GUIDs.
    • Block sync on Mac OS X (previously only available in PowerShell)
    • Block syncing of specific file types (previously only available in PowerShell)
  • The following OneDrive settings are not yet available in the OneDrive Admin Center (use the SharePoint Admin Center to manage them):
    • External users must accept sharing invites using the same account that the invites were sent to
    • custom link expiration dates
    • Configuring the OneDrive experience (New or Classic)
    • Controlling whether all users or only specific users will get OneDrive sites created when a SharePoint license is assigned
    • Notifications (external sharing, or mobile push)
    • Show/Hide OneDrive Button
    • Script Setting that controls whether or not the ‘Copy to SharePoint’ button will appear in OneDrive
    • Ability to enable/disable IRM for OneDrive Globally
    • Ability to enable/disable IRM for individual OneDrive Sites
    • My Site Cleanup Access Delegation
    • My Site Cleanup Secondary Owner
    • My Site Secondary Admin
  • The following OneDrive settings are still only available in PowerShell and have not yet been surfaced in the SharePoint or OneDrive web admin interfaces:
    • Get-SPOTenant | ft ProvisionSharedWithEveryoneFolder
    • Get-SPOTenant | ft ShowEveryoneExceptExternalUsersClaim
    • Get-SPOTenant | ft ShowEveryoneClaim
    • Get-SPOTenant | ft ShowAllUsersClaim
    • Get-SPOTenantSyncClientRestriction | ft OptOutOfGrooveBlock
    • Get-SPOTenantSyncClientRestriction | ft OptOutOfGrooveSoftBlock
    • Get-SPOExternalUser

 

 

Here is a side-by-side comparison with the settings available in the existing SharePoint Admin Center (that apply to OneDrive)

Setting | SharePoint Admin Center | OneDrive Admin Center
Sharing outside your organization | Available | Same capabilities
Anonymous links expiration setting | Available | Unable to specify a custom expiration date
Default link type | Available | Same capabilities
Limit external sharing using domains | Checkbox | Same capabilities
Prevent external users from sharing files they don't own | Checkbox | Same capabilities
External users must accept sharing invites using the same account that the invites were sent to | Checkbox | Not available
Notifications | Available | Not available
Show or hide options | Available | Not available
OneDrive for Business experience (new or classic) | Available | Not available
OneDrive Sync Button | Available | Same capabilities
Mobile push notifications (OneDrive for Business) | Available | Not available
Custom scripts (determines whether the 'Copy to SharePoint' feature is available in OneDrive) | Available | Not available
Enable/disable IRM for OneDrive | Available | Not available
My Site Cleanup Access Delegation | Available | Not available
My Site Cleanup Secondary Owner | Available | Not available
My Site Secondary Admin | Available | Not available
Controlling whether all users or only specific users get OneDrive sites created when a SharePoint license is assigned | Available | Not available
Delegating access to a OneDrive site | SharePoint Admin Center > User Profiles > User Profiles > find the profile > right-click > Manage site collection owners | Not available (it was recently added to the main 'Active Users' options instead)

SIP 500 Internal Server Error: "from or target user pool or deployment assignment is incompatible with split-domain traffic type"

Problem: A user could not transfer a phone call.

Symptom: A bogus error message about split-domain traffic, with almost no articles on the internet or forums to help. An equally bogus error message was "request target is not assigned to a pool or deployment and is not a server GRUU".

Solution: Disable SIP REFER support on the Skype for Business trunk configuration (the trunk's EnableReferSupport setting).

Explanation: Not all SBC gateways support SIP REFER, but REFER support is enabled by default when you create a trunk in Skype for Business. When the gateway cannot honor the REFER that Skype for Business sends for a call transfer, the transfer fails with these misleading errors; with REFER disabled, Skype for Business performs the transfer itself instead of handing it to the gateway.