Did you create a meeting either through Outlook 365 or directly in Microsoft Teams and can’t join teams meeting online? You used the Teams Meeting Button in Outlook, or you checked the “Online Meeting” Check box in Teams, but you still can’t join?

If you already tried signing in and signing out or deleting your Teams’ cache, here is a hack to get it back.

When you create a meeting in Teams directly it is supposed to automatically have the online option. The join button in the meeting should show up when it gets close to the meeting time. In fact, the only way at this point where it won’t be online is if you use a version of Outlook that doesn’t support the Microsoft Teams Meeting.

You Invite the others in the meeting, and they get the meeting info like this:

But the meeting you created in your calendar does not have the Join Button like what you see below:

If this happens to you there are two ways to Join Online.

Right Click on the Meeting

You can right click on the meeting and choose the “Join Online” option:

Still Can’t Join Teams Meeting Online? Refresh.

It is a hack, but it works.

1. Open the meeting in Teams.
2. Invite someone to the meeting.
3. Remove them from the meeting.

Now, when you right click on the meeting. The “Join Online” Option is there. This refreshed the meeting details and brought the Join Online back!

The good news is at least you can fix the meeting and do not have to call the HelpDesk!

Happy IT’ing,

Dan

So your organization has decided to do away with their phone system an go directly to Microsoft Teams Voice. Now all that is left to do is Adding a Number to a Teams User. The only prerequisite is that you have a block of DID assigned to you by your Telco.

If you don’t have many users to add telephone numbers to, you can manually enter them using some PowerShell commands. However, if you have a lot to do I can show you a way to automate them. Let’s add some numbers!!

You Only Have a Few Users To Do

This is also a good way for adding the odd number after the migration.

Connecting to the Teams Module

Connect-MicrosoftTeams

Add User Number

Set-CsPhoneNumberAssignment -Identity userid@company.com -PhoneNumber ‘+1XXXXXXX’ -PhoneNumberType DirectRouting

Grant-CsOnlineVoiceRoutingPolicy -Identity userid@company.com -PolicyName “Policy set up by you or Telco”

Set-CsOnlineVoiceMailUserSettings -Identity userid@company.com -VoicemailEnabled $true

If you make a mistake you can easily remove the number and start again:

Remove User Number

Grant-CsOnlineVoiceRoutingPolicy -Identity userid@company.com -PolicyName $null

Remove-CsPhoneNumberAssignment -Identity userid@company.com -RemoveAll

But what if you have a lot of users to to???

You Have a Many Users To Do

You can run these commands in a batch but I would recommend testing it with a small block of users before you go ahead with the whole group. You could run a batch delete and start from scratch but that sounds like a headache….

You can use a for each loop going through each user in an import CSV you created. Create a CSV file with two field names: UPName and PNumber. Populate it with your users and then create this PowerShelScript:

$CSVPath = “<Path To File Goes Here>”

Connect-MicrosoftTeams

#MAIN

#Try import CSV file

try {
$Users = import-csv $CSVPath -ErrorAction stop
}
catch {
throw “Error importing CSV: $($_.Exception.Message)”
break
}

#Add Numbers

foreach ($User in $Users) {

Set-CsPhoneNumberAssignment -Identity $User.UPName -PhoneNumber $User.PNmuber -PhoneNumberType DirectRouting

Grant-CsOnlineVoiceRoutingPolicy -Identity $User.UPName -PolicyName “PolicyNameGoesHere”
Set-CsOnlineVoiceMailUserSettings -Identity $User.UPName -VoicemailEnabled $true

}

Write-Host User Numbers Added!

This should help you get your phone numbers added quickly.

Happy IT’ing

Dan

Don’t you wish you could Delete Tap Scheduler Reservations when a user makes them by mistake or realizes they don’t need the reservation anymore? It is fairly straight forward.

Making a Reservation Using The Logitech Tap Scheduler

The Logitech Tap Scheduler is a useful display board device that shows the status of a resource room in your organization. It has the ability to work with several calendaring systems (Teams, Zoom, Meetio and Robin). You can set up a system where a user can easily reserve a meeting room through a shared resource calendar or ad hoc right at the device. But what if you reserve a the room on the fly and realize you don’t need it?

How to Delete Tap Scheduler Reservations

Unfortunately there is no way to delete on the device itself. I researched high and low and even reached out to Logitech support. They agreed that the way I chose was the best way. For the future, they put a feature request with Microsoft Teams since that is the Calendar provider I use.

The best way is to make a member(s) of your support staff have at least Editor rights to the resource calendar that is connected to the Tap Scheduler. Have you users put in a request to delete it. Then your HelpDesk Staff can go to the calendar in question and delete the reservation and it frees up the room.

You can use PowerShell to quickly execute this task but it is just as easy to open the shared calendar and delete the reservation!

Happy IT’ing

Dan

O365 admin is funny. There a lot of things that you do a certain way if you came from an on premise environment. You don’t think about it (Like disabling a user). Well you have now moved into a hybrid environment and hopefully soon and all cloud environment. You need to Reclaim O365 Licenses.

Why do you need to start thinking about licensing when you disable / delete a user. If you don’t, you will need to reclaim O365 Licenses From Deleted Users. After awhile it might get expensive. Recycle the licenses as much as you can! Here I will show you how to quickly do this in a cloud environment and what steps you need to do differently in a Hybrid environment.

How to Reclaim O365 Licenses From Deleted Users in a Cloud Environment

This can be done very easily using power shell. A disabled used in strictly the cloud is deleted. You can go into the admin panel of O365 (now it’s called Entra??) and go into “Delete Users”. Pick the user with the license you want to recover and click “Restore User”. From there you can uncheck the license and then delete the user again….or…you can use PowerShell for if you need to reclaim more licenses.

Using PowerShell

Here is a great script that will help you with what I mentioned above especially if you have several users to go through (This is similar to the one I wrote on MFA):

#Connects to your Office365 tenant

#Connect-MsolService

#MAIN

$delUsers = Get-MsolUser -ReturnDeletedUsers | select UserPrincipalName,IsLicensed | Where-Object {$_.IsLicensed -eq $true} | export-csv c:\Temp\IsLisc.csv

$delUsers| foreach{
$UPN = $_.UserPrincipalName
Restore-MsolUser -UserPrincipalName $UPN
(get-MsolUser -UserPrincipalName $UPN).licenses.AccountSkuId |
foreach{
$License = $_
echo “Removing license: $License”
Set-MsolUserLicense -UserPrincipalName $UPN -RemoveLicenses $License -ErrorAction SilentlyContinue
}
Remove-MsolUser -UserPrincipalName $UPN -Force
}

#showing list again for verification

Write-Host Show list of deleted users so you can verify that there are no outstanding licenses. List should all be false

$delUsers = Get-MsolUser -ReturnDeletedUsers | select UserPrincipalName,IsLicensed | Where-Object {$_.IsLicensed -eq $false}

Return $delUsers

In a nutshell, this script connect to the MSOLservice, writes all delete users who are still licensed to a CSV file (located in C:\Temp – you can change this to whatever folder you want). Restores the user in the list, removes all the the licenses attributed to it and then deletes it again.

It is a little different in a hybrid situation.

How to Reclaim O365 Licenses From Deleted Users in a Hybrid Environment

You will need to go into AD and find all the disabled users and re-enabled them. Then either wait for an AD sync or perform a sync with a Start-ADSyncSyncCycle -PolicyType Delta on a domain controller. Then rerun the script minus the lines about deleting the users:

#Connects to your Office365 tenant

#Connect-MsolService

#MAIN

$delUsers = Get-MsolUser -ReturnDeletedUsers | select UserPrincipalName,IsLicensed | Where-Object {$_.IsLicensed -eq $true} | export-csv c:\Temp\IsLisc.csv

$delUsers| foreach{
$UPN = $_.UserPrincipalName
Restore-MsolUser -UserPrincipalName $UPN
(get-MsolUser -UserPrincipalName $UPN).licenses.AccountSkuId |
}

Go back to AD and disable the users again. That should do it.

Happy IT’ing

Dan

I am sure your organization has a lot of automated process in place for its workflow. Most organizations have this set up to get things done more efficiently. However, some parts of this flow are still somewhat manual. For example, remembering to send an email after a process is completed. If it is not built in to the process, why not Automatically Carbon Copy in EAC?

A good option for an individual is to use Microsoft Flow for automation. But what if this process needs to be done by a department or the entire organization? If it is simple enough, it can be set at the server level using Exchange Online Mail Flow Rules. I will show you how…..

What Mail Flow Do You Need To Automate?

What process are you trying to automate? I will give an example. You have a department that either manually or through a system sends an email notification to email@companyA.com. They have been instructed to CC (Carbon Copy) email@companyB.com every time they do so. That’s fine but what if they forget? What if the system cannot accommodate this request. You can set up a Mail Flow Rule.

How to Set Up Automatically Carbon Copy in EAC

1. First, go to your EAC (https://admin.exchange.microsoft.com/#/transportrules) and click add a rule / create a new rule.
2. The Rule should look like the following:

When this rule is Saved and then Enabled (Don’t forget to enabled the rule after you have created it). Any email send to Company A will have Company B CC’ed on it. This is great for email addresses that serve one purpose like receiving reports. Maybe another company you work with closely with needs these reports too and you do not have to remember to CC them anymore. It is all done automatically!

Happy IT’ing

Dan

I was tasked with automating how Outlook contacts are written to a users profile using Microsoft Graph. I wrote about how to do it in my situation here. However, my last task was to accomplish this but with a much larger contact list. This required trapping errors in MS Graph. I will show you the behavior of the MS Graph Rest API when it writes many records.

Possible Errors You Will Get

Microsoft clearly outlines what errors you could get while writing / reading data. In my case the ones I came across were the following: 400, 401,503 and 429

400 – Bad Request – This will happen when the command your are sending or the data you are trying to write are malformed.

A “reading “example is when you have constructed a command in PowerShell that using the $ and ? characters together. It works find in Graph explorer but errors in PowerShell. Using an escape character between the two symbols remedies this ($`?).

A “writing example” is when you have data in a format (a cell in a CSV) that can not be read by the command so it errors out with a 400. When you are writing thousands of records it might be hard to check for format beforehand.

401 – Unauthorized – You would think a token for a session would last for the entire time your are issueing commands in a PowerShell session but it doesn’t. I have learned it lasts about 1 hour.

429 – Too Many Requests – if you issue too many reads or writes in an allotted period of time, Microsoft will throttle you. It is best to wait before you write again. If you keep trying , you will keep getting throttled. Even though I was issuing several writes in a 10 minute period, it wasn’t enough to trigger this error but it is still a consideration.

503 – Service Unavailable – This is mostly to do with network traffic. I am sure the service actually is not down. MS has built enough redundancy in their infrastructure to take care of this. It is like being in a very bad rain storm. Just pull over and wait a few minutes. Then you can start up again.

Trapping these errors will allow you to start up again. I will show you how.

Trapping the Errors

For this section it is good to download the sample script I provided in a previous article and tweak it as necessary.

How to you trap the errors? The part of your script that writes the records needs two things. One, a while loop that counts the records that goes through each record and knows exactly what record number it is (sorry, a for each x in x’s loop won’t do the trick here) and a try / catch block to handle the error.

$Results = “”
$Script:StatusCode = “”

While ($script:x-lt $tot) {

try {

$NewContact = ImportContact -Mailbox $mailbox -token $token -contact $contacts

$Script:StatusCode = $Results.StatusCode

} catch {

$Script:StatusCode = $_.Exception.Response.StatusCode.value__
$script:x = $script:x – 1
Write-Host Error processing contact. Backing up and trying again in 30 seconds…
Start-Sleep -seconds 30

#Login again

#Get Graph Token

Try {
$Token = GetGraphToken -ClientSecret $ClientSecret -ClientID $ClientID -TenantID $TenantID
}
catch {
throw “Error obtaining Token”
break

}

}

$script:x++

}

You can get a little more granular by specifying what to do with each exact error I mentioned about with an if statement inside the catch block but since I know exactly what errors I am going to get I left it general.

What this code accomplishes is it goes through each record and writes it to the users contact folder. If it encounters an error a long the way, it waits 30 seconds, tries the record that failed again and if successful, keeps writing records until it encounters an error again (hopefully not) and starts the process over again.

I have tested this several times with a contact list of thousands of records. and it works like a charm. One test showed three errors but every single record was written.

Happy IT’ing

Dan

Why Revoke a Sign-in?

Need to revoke a M365 Users Sign-in? Maybe it is for one one user or many users. A good example is for a security breach. Another example is when a user leaves the company and you want to make sure their are no cached logins for any device they might be signed into as you disable their account. Maybe you are changing something on the network and maybe you want to get a baseline of the change. There could be a lot of reasons.

Another good reason is to re-enforce MFA on your users when they sign-in. Either way, I can show you two very good ways how to make sure your users can have their M365 sign in revoked. It will log them out every single service they have a connection to.

It can be a lot more than you think. For example, when I tested it on myself, it took a good two days for me to get through all the devices I was signed into to get re-signed in! There was Outlook, Teams, the admin portal, and a reMarkable tablet I was testing, to name a few.

I will show you two ways on how to do this. The first way will be through the admin portal and the second way will be using PowerShell. Using PowerShell is a great way to revoke a M365 Users Sign-in for many users through the use of a script.

Revoke a M365 Users Sign-in Using the M365 Admin Portal

In this case all you have to do is login to you Microsoft admin portal and go to active Users in the left hand pane of the page. Click on the user you want to revoke all sign-ins for other right side and click on “Sign-Out of all sessions”.

If you need to do this for only a few users, this is a good way to go. If you have many more to sign out, this is not a very efficient way. Thank goodness there is PowerShell…..

Revoke a M365 Users Sign-in Using PowerShell

The best feature of using PowerShell is its ability to automate pretty much any task you need to accomplish in M365. I have written several articles about it. In this case, you would need to run the Get-AzureADUser command with the revoke-azureaduserallrefreshtoken. As mentioned in the previous section if you need to do this for a few users you can also use this PowerShell command. However, if you need to run it for many users or your whole organization, you would need a CSV list of your users and a script that can loop through the list running the Get-AzureADUser command.

An example of the command is as follows:

Make sure you are connected to the Azure AD module the run the command

Get-AzureADUser -SearchString <M365username or email> | revoke-azureaduserallrefreshtoken

If you need to run this command for many users, this example script will help:

#Declare Variables

$CSVPathUPN = “C:\Files\Users.csv”

Connect-AzureAD

#Run Script

Write-Host Signing out all users….

#Try import UPN CSV file

try {
$UPNUsers = import-csv $CSVPathUPN -ErrorAction stop
}
catch {
throw “Error importing CSV: $($_.Exception.Message)”
break
}

foreach ($UPNUser in $UPNUsers) {

$Uname = $UPNUser.UPName
$Dname = $UPNUser.displayName

Get-AzureADUser -SearchString $Uname | revoke-azureaduserallrefreshtoken

Write-Host Signing Out $Dname ….

}

Write-Host Done Signing Out All Users…

The above script takes a CSV file with field headings UPName and displayName, loads them into variables $Uname and $Dname and runs the the “for each” loop and runs the revoke command for each user in the list.

Easy Peesie.

So now you have 2 ways to revoke a M365 users sign-in depending on your situation.

Happy IT’ing

Dan

This is how you can be enrolling an android device in Endpoint with corporate-owned, fully managed user device. These are the following steps to get an Android device enrolled with screenshots. If you need a refresher on how do enroll a device with a personal device with a work profile, please check out Part 1.

Prerequisites to Enrolling an Android Device in Endpoint

Like mentioned above, the proper profile must be set-up.

Getting the QR code

A profile has been set up to enroll devices (Android only now) with a QR code. The code is located here:

Since this profile is different then the others it shows up different. One the setting is toggled on you will see a QR code similar to what you see above.

Here is the QR Code:

You can print this code out and have it ready when you need to enroll a mobile device.

Enrolling a Mobile Device

The mobile device you are enrolling must be set to factory defaults. If it is a brand-new phone this has been done already. If it is a phone that has never been enrolled in Endpoint Manager, it needs to be factory reset. If the phone is already enrolled in Endpoint Manager and you need to redeploy it to another user, also need to wipe the phone and re-enroll. The Device Name and Management Name field in the portal need to be changed to reflect the new user (See Renaming the Device and Description in Endpoint Manager)

1. To begin enrolling, at the first screen you see when the phone is turned on, tap continuously in the center of the screen until you see the QR code scanner. Samsung S10 and above the QR code scanner is built in. If the phone is lower than an S10 you will have to install QR Code scanning software first. Scan the QR code mentioned above. The process will begin.

• Next you will be asked to connect to Wi-Fi. Connect

• Tap Next

• Tap agree,

• Uncheck the check box and Tap “Agree and Continue”.

• Sign the user in.

• Once you have signed in the user, tap “Install Apps”

• The following Apps are installed. Outlook for mobile and Teams will be installed after due to a configured and applied App Configuration Policy. Tap done.

• Tap “setup” to register the device.

1. Tap “sign in” to for Intune.

1. Sign in with the users’ credentials again.

1. Tap “Register”.

1. Tap “Next”

1. Tap “Done”.

1. Tap “Next”.

1. If you want to add the users Google Account, you can do it here. If not, Tap “Skip”.

• Swipe up and tap “Accept”.

• Give the phone a passcode. I would use password as it is more secure.

• Check the first two radio buttons and tap “Agree”.

The phone is now set up in endpoint manager.

Renaming the Device and Description in Endpoint Manager

The device is now in endpoint manager.  To view the Android devices that are enrolled go here in Endpoint Manager:

It looks like this:

The two fields you need to change are the Device name and Management name. When the device is first registered the fields are auto generated. Change them so it is easier to read and distinguish who the device belongs to. I changed the  Device Name to <userId>_model_number (i.e., abc123_S22). Change the Management Name to <User_Full_Name> <Model Number> (i.e., John Doe S22)

Common Tasks Performed in Endpoint Manager

With the Corporate Owner with Work profile enable you can perform the following tasks:

Retire – Good for when person leaves company but wants to take the phone. It removes all company data and email profiles assigned through Intune but leaves personal data.

Wipe – For Mobile devices it resets the phone back to factory defaults. Good for a lost or stolen devices

Delete – Removes the device from Endpoint but does not remove company data

Remote Lock – Locks the phone. Good for when phone is lost but the user may know where it is.

Reset Work Profile Passcode – Locks the Work Profile on the phone. A temp password is generated in Endpoint manager that allows for the workspace to be unlocked. DOES NOT reset the passcode of the device. You still need to let the user know to NOT change the assigned device passcode.

Play Lost Device Sound – Good for when user misplaces phone but is sure it is nearby. The lost alert sound can be played from one to 5 minutes on the phone while the user looks for it.

I will be writing an article on how to deploy apps to the device very soon. Stay tuned for that!!

Happy IT’ing

Dan