
Deploying Zoom Add-In To All Outlook Users

With the sudden change in working practices, a (large) number of companies have started to use Zoom as their video conferencing software. Though this software is not from Microsoft, that does not stop an Office 365 or Exchange Server administrator helping their users schedule Zoom meetings via an add-in in Outlook.

On the Zoom website the user can download and install their own add-in and the Zoom application, but the steps below will push the Outlook add-in to all users (or all Zoom users if you have a group containing just these users).

These steps are run from the Office 365 Admin Center and not from Zoom, and they push the add-in to Outlook without end-user interaction.

To deploy an add-in, and in this case the Zoom Outlook add-in, first go to the Microsoft 365 Admin Center at https://admin.microsoft.com/.

Click Show All on the left and then select Settings > Add-ins from the expanded menu.

In the Add-In main page click + Deploy Add-In.

Deploy Add-In Screen

This screen outlines the Centralized Deployment service for Office Web add-ins. These add-ins work across the web version of the application, the desktop versions (PC and Mac) and in some cases the mobile version as well. The important thing to learn here is that they are not just for the web version, so not just for OWA. In the context of the Zoom add-in, the Zoom website says the add-in only works in Outlook for the Web (OWA), and this is not correct.

Click Next and click Choose from the Store as shown:

Choose from the Store
Deploy A New Add-In Screen

You will now see a list of all the add-ins in the Microsoft Store (once you have logged into the Store if you needed to do this).

Add-In Store
Select Add-In From Store

As we are discussing the Zoom for Outlook add-in at this point, type Zoom in the Search box.

Zoom for Outlook Add-in In the Add-In Store

Click Add next to the Zoom for Outlook add-in. Then accept the licence terms and privacy policy as shown below. If you click on the title of the add-in then you see a description of the add-in and can complete deployment from that screen.

Zoom Add-In Terms and Conditions
Zoom for Outlook License Terms and Privacy Policy
Zoom for Outlook Details

If, after clicking Add and accepting the licence, you get a correlation error similar to that shown, it means the add-in was already deployed. There is a bug in the new Admin Center that does not show existing deployed add-ins, and you need to go to the old Office 365 admin center (switch the slider top right) and search for the add-in:

Configure Add-In Error
Add-In Shown in Old Admin Center
Zoom for Outlook Add-In Shown in Old Admin Center

If you had no error on deploying the add-in, then you will be asked who to deploy the add-in to. Under Assign Users you choose all or some of the organization, and under Deployment Method you choose Fixed, Available or Optional. This last option controls whether the add-in is deployed to the ribbon in the Office application and the user cannot remove it (Fixed), whether the user can choose to add the add-in to the Office app (Available), or whether the add-in appears on the application ribbon but the user can remove it (Optional). This is shown below:

Configure Zoom for Outlook Add-In

Select your user and deployment options. For users, any group cannot be a nested group, and the requirements for groups are covered in the documentation. For this blog post I selected Everyone and Fixed. Click Deploy to start the deployment to the users.

Deploy Zoom for Outlook

The listed time is dependent upon the number of users in your deployment scope or your Office 365 tenant. You will get an email upon completion.

Once completed the add-in appears in the Office application. In this particular case, Zoom for Outlook appears in the New Appointment window in Outlook.

If you deployed the add-in as Available then the user needs to click the Get Add-In button in Outlook to install Zoom as shown:

Admin Add-Ins

Once the add-in is deployed, it will appear in the New Appointment screen as shown (on the right):

Zoom for Outlook New Appointment
Zoom for Outlook Add-In in New Appointment

Clicking the Add a Zoom Meeting button will present a dialog box where you can log in with your Zoom account or, if you have set up Zoom as an Enterprise Application, click the Sign in with SSO button.

Zoom for Outlook Add-In Login

In the below screenshot, the Outlook appointment shows the Zoom meeting details automatically added. The HTML view for the meeting details is an option available in your Zoom account settings, as is the location for your audio dial-in settings (here shown as UK), as you don’t get to choose these options per meeting as you can when meetings are made via the web browser on the Zoom site.

Zoom Meeting Created

The Settings button on the tool bar allows you to control other meeting settings such as Meeting ID (personal or auto-generated), password or not!, and video and audio settings for the meeting.

Zoom for Outlook Settings

To edit the add-in deployment you need to visit the old Microsoft 365 Admin Center (switch off “Try new admin center” at the top right of the admin center). From here you can adjust the status of the add-in and who it is deployed to, as well as remove the add-in.

Zoom for Outlook Add-In Settings
Zoom for Outlook Add-In Settings (old Office 365 Admin Center)

Finally, for info, the Teams Add-in to do the same thing in Teams is automatically added to Outlook if you have the Teams client installed and your deployment option is not Skype for meetings – for example if you are in Islands Mode you will be able to see both Skype and Teams buttons in Outlook!


Read Only And Document Download Restrictions in SharePoint Online


Installing and Updating Microsoft AntiMalware in Azure

The Microsoft AntiMalware agent is a virtual machine extension in Azure that adds support for built-in antimalware management within your virtual machines hosted in Azure. The agent can be added easily when you are creating a new VM, which we will show first below using the resource manager model, but it can also be added after the virtual machine is created and updated with changes as you need. We will show how to do that in the second part of this article.

Adding AV protection to new VM

The addition of malware protection to your new virtual machine happens during the VM creation process. To add it, create a new VM in the Azure portal and from the Settings blade choose Extensions.

Click Add extension and then choose Microsoft Antimalware.

From the Install Extension blade enter your exclusions, scan times etc. as required.

To enable antimalware with the default configuration, click Create on the Add Extension blade without inputting any configuration setting values. To enable antimalware with a custom configuration, input the supported values for the configuration settings provided on the Install Extension blade and click OK. Monitoring the antimalware is done via Windows Event Logs and is enabled automatically to your selected storage account.

Before you click OK, click Automation Options and grab the scripts needed to modify this extension later. Copy the Template text into Wordpad (not Notepad) and then copy and paste again into Notepad if you want to just quickly edit it. Or use an editor of your choice, but make sure the line breaks etc. remain the same, as pasting directly into Notepad breaks the line breaks!

Click the PowerShell tab (shown) and copy the code from here. This code is used to upload the template that you just downloaded, with changes, so that you can adjust the Microsoft Antimalware settings on your virtual machine later. See more on that below.


Once you have downloaded or copied the code close the Template blade and click OK on the Install extension blade.

Click OK on the Extensions blade. Click OK to create your virtual machine.

Adding Microsoft Antimalware To existing virtual machines

You may want to customise the Microsoft Antimalware extension on an existing virtual machine, or to install it on a virtual machine where it does not exist because it was not added when the server was initially provisioned. Both of these scenarios, updating settings and adding new, are covered in this section.

Both of these scenarios require scripting and cannot be configured in the portal, unlike the install during virtual machine provisioning.

Adding Microsoft Antimalware to an existing virtual machine

The first thing that you need in order to add Microsoft Antimalware is the template. If you ran through the above steps you would have downloaded the template as an additional step in the creation process. If you did not grab a copy of the template then it looks similar to this. The template provided by Microsoft takes input from the PowerShell that you also downloaded. In its simplest form it can be reduced to the following:

{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": "true",
  "ScheduledScanSettings": {
    "isEnabled": "false",
    "day": "7",
    "time": "120",
    "scanType": "Quick"
  },
  "Exclusions": {
    "Extensions": "",
    "Paths": "",
    "Processes": ""
  }
}

To customise this template, just edit each of the values and save the file to the filesystem. If you use the above template without change then you get the default settings for the extension, so the “blank” template is actually functional. In the template, Paths is a semicolon-delimited list of file paths or locations to exclude from scanning, where each path is escaped, so for example c:\\temp\\blog would be the value if you wanted to exclude c:\temp\blog and all subdirectories from being scanned. Extensions is again a semicolon-separated list, each entry starting with the dot, so “.ci;.edb;.log;” would be a valid string. Processes is again a semicolon-separated list of processes. RealtimeProtectionEnabled and isEnabled are true or false, and day is 1=Sunday and 7=Saturday etc. Time is the number of minutes past midnight, so 180 is 3am.
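
Generating the file from PowerShell values avoids hand-escaping mistakes in Paths and the time arithmetic. This is an added example, not part of the original post or of Microsoft's template; the function name New-AntimalwareSettingsJson and its parameters are hypothetical, and it assumes the time value counts minutes past midnight (180 is 3am).

```powershell
# Added example: builds the IaaSAntimalware settings JSON described above.
# New-AntimalwareSettingsJson and its parameter names are hypothetical.
function New-AntimalwareSettingsJson {
    param(
        [bool]$RealtimeProtection = $true,
        [bool]$ScheduledScan = $false,
        [ValidateRange(1, 7)][int]$Day = 7,             # 1 = Sunday ... 7 = Saturday
        [ValidatePattern('^([01]\d|2[0-3]):[0-5]\d$')]
        [string]$TimeOfDay = '02:00',                   # 24-hour HH:mm
        [ValidateSet('Quick', 'Full')][string]$ScanType = 'Quick',
        [string[]]$ExcludeExtensions = @(),
        [string[]]$ExcludePaths = @(),
        [string[]]$ExcludeProcesses = @()
    )

    # Every extension entry must start with a dot, e.g. ".log"
    $ext = foreach ($e in $ExcludeExtensions) {
        if ($e.StartsWith('.')) { $e } else { ".$e" }
    }

    # Convert HH:mm to minutes past midnight (03:00 -> 180)
    $h, $m = $TimeOfDay.Split(':')
    $minutes = ([int]$h * 60) + [int]$m

    $settings = [ordered]@{
        AntimalwareEnabled        = $true
        RealtimeProtectionEnabled = "$RealtimeProtection".ToLower()
        ScheduledScanSettings     = [ordered]@{
            isEnabled = "$ScheduledScan".ToLower()
            day       = "$Day"
            time      = "$minutes"
            scanType  = $ScanType
        }
        Exclusions                = [ordered]@{
            Extensions = $ext -join ';'
            Paths      = $ExcludePaths -join ';'
            Processes  = $ExcludeProcesses -join ';'
        }
    }
    # ConvertTo-Json escapes each backslash, so c:\temp\blog becomes c:\\temp\\blog
    $settings | ConvertTo-Json -Depth 3
}

# Constructed sample values
New-AntimalwareSettingsJson -ScheduledScan $true -TimeOfDay '03:00' `
    -ExcludeExtensions 'log', '.edb' -ExcludePaths 'c:\temp\blog'
```

The returned string can be saved to a file or passed directly as the -SettingString value. Review every exclusion before deploying, since each one is a location the scanner will not inspect.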

We will take the default template and use it to add the extension to an existing virtual machine that does not have the extension.

To add the extension to an existing virtual machine we need to log in to Azure using PowerShell. This starts with the Login-AzureRmAccount cmdlet. Once you are logged in, if you have more than one subscription, use Select-AzureRmSubscription to select the subscription that contains your virtual machine.

To check if Microsoft Antimalware is already enabled on a virtual machine run the following PowerShell:

$resourceGroupName = "<name of resource group>"
$VMName = "<name of vm>"
Get-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $VMName -Name "IaaSAntimalware"

If some JSON is returned, then the Microsoft Antimalware extension (IaaSAntimalware) is enabled on this virtual machine. Note that PublicSettings “AntimalwareEnabled:” shows if the extension is actually running on the virtual machine, and not just that the extension exists on the virtual machine. If an error is returned then the extension is not enabled on the virtual machine.

To add the extension to an existing virtual machine you either need the full template JSON file above, if you want lots of customization, or if you want to do it simply then you can use a very small bit of JSON:

'{ "AntimalwareEnabled": true,"RealtimeProtectionEnabled": true}';

The above JSON enables the AV software and turns on real time protection. If you want more control, use the full JSON file above, with your customizations, saved to the filesystem.

The code to use the above JSON or the JSON file is:

# Use this "-SettingString $SettingsString" value for simple setup
$SettingsString = '{ "AntimalwareEnabled": true,"RealtimeProtectionEnabled": true}';
# Use this "-SettingString $MSAVConfigfile" to configure from JSON file
$MSAVConfigfile = Get-Content "C:\Scripts\IaaSAntimalware.json" -Raw

The code to add the extension is as follows. To run the below you need to set the $location variable to the same location string as the virtual machine. To get this you can run:

$location = (Get-AzureRmVM -VMName $VMName -resourceGroupName $resourceGroupName).location

You also need the available version numbers for the extension, and to use the latest version of the extension. To work this out you need the following script snippet:

# @() keeps the result an array even when only one version is returned
$allVersions = @((Get-AzureRmVMExtensionImage -Location $location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version)
# Take the last version listed and keep only its major.minor part
$typeHandlerVer = $allVersions[($allVersions.Count) - 1]
$typeHandlerVerMjandMn = $typeHandlerVer.Split(".")
$typeHandlerVerMjandMn = $typeHandlerVerMjandMn[0] + "." + $typeHandlerVerMjandMn[1]

So to actually set the extension on the virtual machine, run the following:

Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $VMName -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" -TypeHandlerVersion $typeHandlerVerMjandMn -SettingString $SettingsString -Location $location

Customizing Microsoft Antimalware deployments in Azure

Once the extension is enabled you can customize the settings by uploading a config file or settings string with adjusted settings. For example, if I took a copy of my above config file and changed time so the value was now 180 (instead of 120 as shown) and I set an Extensions and Paths value in the file, then I would update my virtual machine using the following:

$MSAVConfigfile = Get-Content "C:\temp\blog\Antimalware Azure\antimalware-edit.json" -Raw
Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $VMName -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" -TypeHandlerVersion $typeHandlerVerMjandMn -SettingString $MSAVConfigfile -Location $location

The other values have not changed from the above, so you still need to work out $typeHandlerVerMjandMn, $location etc.

Once you have applied the settings then you can use Get-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $VMName -Name "IaaSAntimalware" to check the settings have applied; it usually takes a minute or two for the correct data to be returned to show the change in place.


DLP Templates

At the Microsoft Exchange Conference 2014 in Austin, Texas I ran a session on DLP templates. This blog post was linked from the slides and contains the examples I used in the session. To download any of the samples click the links below:

  • ContosoPharma.xml – the DLP data classification file to add the ability to detect new data patterns from the below sample documents
  • DLP Pharmaceutical Product Sheets.zip – these are pretend pharmaceutical product documents, some of which contain “company sensitive information” and so DLP can be configured to block this type of document.
  • DLPPolicyTemplate.xml – this XML file contains the settings to create a DLP policy, upload the above data classification and create some DLP rules.

The documents above contain the product code for products currently in development at Contoso Pharmaceuticals. The format of the product code is as follows:

  • Three letters (but never IJLOQUV)/Year of development/The letter D/Five digits/Letter(EGKP only)
    • e.g. AAA2013D2958K
    • Documents that contain product codes that match this rule must be blocked from sending to external recipients.
    • If product code ends in P then email containing code or documents containing code must be Private when sent to internal staff (never goes outside anyway) i.e. RMS must be applied to message.
    • If the code does not meet the above classification then it is not to be blocked, as it is a released product and so can be emailed freely.

To that end, the above DLP classification describes two document sets as follows:

  • Restricted: [A-HKM-NPR-TW-Z]{3}(19|20|21)\d{2}D\d{4}[EGK]
  • Private: [A-HKM-NPR-TW-Z]{3}(19|20|21)\d{2}D\d{4}[P]
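
The rules and the two patterns above can be checked against sample text before the classification is uploaded. This is an added example, not part of the session material or the downloadable XML; Get-ProductCodeAction and the action names are hypothetical, and the patterns are used exactly as listed, so they match four digits after the D, as in the sample code AAA2013D2958K.

```powershell
# Added example: applies the two product-code patterns listed above.
# Get-ProductCodeAction and the action names are hypothetical.
$RestrictedPattern = '[A-HKM-NPR-TW-Z]{3}(19|20|21)\d{2}D\d{4}[EGK]'
$PrivatePattern    = '[A-HKM-NPR-TW-Z]{3}(19|20|21)\d{2}D\d{4}[P]'

function Get-ProductCodeAction {
    param(
        [string]$Text,
        [ValidateSet('Internal', 'External')][string]$Recipient
    )
    # [regex]::IsMatch is case-sensitive, unlike the -match operator.
    # \b stops a code from matching inside a longer run of letters or digits.
    $isPrivate    = [regex]::IsMatch($Text, "\b$PrivatePattern\b")
    $isRestricted = [regex]::IsMatch($Text, "\b$RestrictedPattern\b")

    if (-not ($isPrivate -or $isRestricted)) { return 'Allow' }     # released product
    if ($Recipient -eq 'External')           { return 'Block' }     # never leaves the company
    if ($isPrivate)                          { return 'ApplyRMS' }  # internal, code ends in P
    return 'Allow'
}

# Constructed sample messages
$samples = @(
    'Trial notes for AAA2013D2958K attached',   # in development
    'Pricing for AAA2013D2958P',                # in development, private
    'Leaflet for IAA2013D2958K',                # I is not a permitted letter
    'Datasheet for AAA2013D2958Z'               # suffix is not one of EGKP
)
foreach ($s in $samples) {
    foreach ($r in 'Internal', 'External') {
        [pscustomobject]@{ Text = $s; Recipient = $r; Action = Get-ProductCodeAction $s $r }
    }
}
```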

Outlook Profile Wizard

Fill in the information in the form here to create a valid profile for configuring Outlook 2003 to allow the client to connect to the Exchange Server from the internet without the need for a VPN (known as RPC over HTTP).

This will create a .PRF file that you can offer for download to users. Users will need to log in twice for this to work though (or rather, be prompted twice for username and password, after which it will work).