Disable the lobby in a Teams meeting

In larger Teams meetings, the constant ding-ding sound when people join the lobby can be distracting:


If you are the organizer of a meeting, you can choose to skip the Lobby feature.

In an active meeting

In the Teams meeting window, click on the three dots.

Click on Meeting Options.


In the Meeting options, at the option Who can bypass the lobby?, select Everyone (or another scope you prefer), then click on Save.


Before the meeting

Open the Calendar in Microsoft Teams.

Find the future meeting that you want to disable the Lobby for, click on it, and choose Edit.


In the meeting details, click on Meeting options.


In the Meeting options, at the option Who can bypass the lobby?, select Everyone (or another scope you prefer), then click on Save.



Teams couldn’t unmute (SOLVED)

During Teams meetings, I am sometimes unable to unmute my microphone:

It usually occurs when I use the Teams Web app (https://teams.microsoft.com) and Bluetooth headsets that mute when I raise the microphone arm.

If I am on my Lenovo laptop, I can usually solve it by using the function key for microphone mute/unmute:

But on my desktop computer’s keyboard, I do not have that key.

To solve it, I right-click the volume icon in the system tray and select Sounds:

Click on the Recording tab, select the microphone you want to unmute and click Properties:

Click on the Levels tab. Here I can see that my microphone is muted in my computer’s sound settings (just as Teams said):

Click on that icon to unmute:
Remember to lower the microphone arm on your headset if you have automatic mute when it is raised.

The mute symbol is gone, and I am automatically unmuted in the Teams meeting, yay!

You can go directly to the Recording tab in Sound settings using this command:

control.exe mmsys.cpl,,1

I have created a shortcut on my desktop for this for quick access:

Please comment and let me know if this solved it for you or not. I can update this post with other solutions you may have.

Also, let me know if you have more information about why the microphone is muted in Windows in a way so that Teams or my headset cannot unmute it.

Update 2022-02-16!

The free tool SoundVolumeView from NirSoft solves this in a fantastic way! You can download it here:

https://www.nirsoft.net/utils/sound_volume_view.html

It does not require any installation: just download it, extract the zip file, and run the app called SoundVolumeView.exe. Select the microphone you are using and press F8 (or right-click) to unmute:

Even better, you can easily create a Desktop Shortcut to specific actions. Here I chose to create a shortcut to toggle the mute status on my headset’s microphone:

Now I can just double-click this icon on my Desktop to unmute:

Also, there is a global microphone mute/unmute button coming to the taskbar in Windows 11, which may solve this issue without third-party apps. Here is a 7-second video of how it will look:


Prevent clickable links with a fake dot

If you want to share a URL without it being clickable (for visual reasons or to avoid accidental clicks), you can use the so-called fake dot.

The fake dot looks like a regular dot but will usually not be recognized as a link and therefore not be converted to a clickable link.

I haven’t found a way to easily type it on the keyboard, so you can copy the fake dot from here -> ․

The fake dot is technically the Unicode character called ONE DOT LEADER (U+2024). The regular period is FULL STOP (U+002E) {period, dot, decimal point}.

So, how does it look? Here are two versions of the same URL, the last one is using the fake dots:

https://www.test.com  https://www․test․com

Interestingly enough, WordPress seems to display both as clickable links once the post is published, but in the WordPress editor view, the fake dots work as expected:

When you click the “link” with the fake dots, however, it will not take you to the shown URL; in Edge I only get to the page about:blank#blocked.

Right-clicking on them also indicates that the last one is not seen as a link:

The link might be shown differently in different browsers, in Firefox for instance, the link points to https://xn--wwwtestcom-7k10dea/.
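The behaviour above comes down to one fact: DNS only splits labels on U+002E, so a host written with ONE DOT LEADER is a single, unresolvable label, unless a client normalizes the text first. The following Python is an added example (not from this post) that flags such period lookalikes in a URL and reports how the host would be interpreted; the sample URLs are constructed from the post, and `defang` is a helper name I chose.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed samples mirroring the post: the second URL uses U+2024 ONE DOT
# LEADER where the first uses U+002E FULL STOP.
REAL_URL = "https://www.test.com"
FAKE_URL = "https://www\u2024test\u2024com"

# Characters that render like a period. Only U+002E separates DNS labels.
DOT_LOOKALIKES = {
    "\u2024": "ONE DOT LEADER",
    "\u3002": "IDEOGRAPHIC FULL STOP",
    "\uff0e": "FULLWIDTH FULL STOP",
    "\uff61": "HALFWIDTH IDEOGRAPHIC FULL STOP",
}


def dns_labels(host):
    """Split a host name the way DNS does: only U+002E is a label separator."""
    return host.split(".")


def find_dot_lookalikes(text):
    """Return (offset, 'U+XXXX', Unicode name) for every period lookalike."""
    return [
        (i, f"U+{ord(ch):04X}", DOT_LOOKALIKES[ch])
        for i, ch in enumerate(text)
        if ch in DOT_LOOKALIKES
    ]


def nfkc_folds_to_period(ch):
    """True when compatibility normalization (NFKC) maps ch to a plain '.'.

    A client that normalizes before parsing turns the "non-clickable" host
    back into the real one, which is why different programs treat the
    fake-dot URL differently.
    """
    return unicodedata.normalize("NFKC", ch) == "."


def describe_host(url):
    """Summarize how the host part of url would be interpreted on the wire."""
    host = urlsplit(url).hostname or ""
    labels = dns_labels(host)
    hits = find_dot_lookalikes(host)
    return {
        "host": host,
        "labels": labels,
        # One label with no real dot is not a resolvable public name.
        "single_label": len(labels) == 1,
        "lookalikes": hits,
        "normalizes_to_real_dot": bool(hits)
        and all(nfkc_folds_to_period(host[i]) for i, _, _ in hits),
    }


def defang(text):
    """Replace every period lookalike with a visible marker so it cannot be
    mistaken for a real dot when the text is pasted into a report."""
    return "".join("[?.]" if ch in DOT_LOOKALIKES else ch for ch in text)
```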

Note that some programs may show the fake dot differently:

You can also use fake dots to prevent unwanted link shortening, such as on Twitter. The link will not be clickable, but it will not be shortened by Twitter either.

Here is what I entered:

Here is what is shown in the Twitter mobile app:

And here on Twitter’s website:

The regular link looks like a direct link, both in the link text and in the mouse-over info text, but as you can see at the bottom left, it is actually shortened by Twitter with the t.co domain.

The fake-dot link, however, is untouched.

As always, I hope this helps someone out. Feel free to comment 😊


How to receive files using OneDrive for Business

If you want to receive files without using email, you can use the Request files feature in OneDrive for Business.

Locate the folder you want the incoming files to end up in, click on the three dots next to it, and select Request files:


Enter a descriptive text. This will be shown to the users sending you the files (as you will see in screenshots later):


You are now presented with two options:

1. A link that you can copy and share with people that are going to send you files

2. Add email addresses to send a file request email to


The link looks something like this:
https://onevinnab-my.sharepoint.com/:f:/g/personal/tom_aafloen_onevinn_se/EmRFfuOt2aFMsheK8XsVz4Qroqv-J7MhU2-cahd-x2b65Q
Note that the link exposes your tenant and UPN (thanks to my colleague Daniel Bugday for clarifying it wasn’t your email address).
If you lose the link, it can be retrieved again, see Managing Access below.

Here I added two email recipients and added a message. Notice the warning that one of them is outside of my organization:


After sending the request, I am shown this message:


The recipients will get an email that looks like this:


You will see the request name and custom message. Notice that I cannot see the other recipients of the file request here.

When you click on the link in the email (or the copied link, if you chose not to send emails), you will end up here:


Clicking on Select files opens a local Open dialog, where you can locate the file you want to send:


You can add more files here, but you can also upload more files later by returning to the same link (as long as the Request file access has not been removed).
When you are done adding files, click on Upload:


In the example above I was already logged in to OneDrive, so you can see that my name was prepopulated (and not editable).

You do not have to be signed in to OneDrive, or even have a OneDrive account, to upload files. In those cases, you must add a name yourself:


Upload progress will be shown:


Then you will see this message:


As the receiver, I will receive a notification email about uploaded files:


Clicking the link takes me to the folder in my OneDrive for Business and I can see the files that have been uploaded. Every file will have a prefix to help you identify who uploaded it:


If two files with the same name are uploaded, OneDrive will automatically add a number to the second file’s name.

To stop further uploads, click on the three dots next to the folder and select Manage access:


On the Manage Access pane, click on the three dots next to the sharing link:


Click on the X to remove the sharing link.
Notice that the sharing description says Anyone with the file request link can upload only, so you are technically not sharing anything.


Approve the warning about link deletion to complete the removal.


The next time someone uses the link they will see this message:


A message more specific to file requests would have been better (it is not access to a document that has been removed), but the link stopped working, and that is what is important.

Some important notes:

· Your admin must have enabled Anyone links in OneDrive

· Uploaders cannot see the content of the folder, edit, delete, or download files, or even see who else has uploaded files

· This feature is not available for Office 365 Government, Office 365 operated by 21Vianet, OneDrive for home, or Office 365 Germany

· The maximum file size is 100 GB

If you try to upload a larger file you will get this message:


Files prefixed with ~tmp are still uploading or failed attempts. You can see that the file size is not displayed for these:


I hope this was helpful!


Manage External Identities with Azure AD B2B/B2C

Last week I hosted a webinar together with our partner Condatis, where we talked about how to manage External Identities with Azure AD B2B/B2C.

Thanks to all who attended it live!

You can now watch it anytime on YouTube:

Stay safe!


Using FIDO2 security keys with PowerShell

If you are using a FIDO2 Security Key, such as a YubiKey, you may have run into the issue that you cannot use it to authenticate with your Azure AD account using PowerShell:


As you can see, the needed Sign in with a security key option is missing here.

This is because PowerShell still uses the older Active Directory Authentication Library (ADAL) when prompting for Azure AD credentials. That login prompt is actually rendered using Internet Explorer, and IE will likely never have support for WebAuthn, the protocol that FIDO2 logon requires.

So we have four options:

  • Wait until PowerShell moves from ADAL to MSAL, and sign-in prompts are rendered by a modern browser that supports WebAuthn.
  • Wait until each PowerShell module you need starts supporting its own implementation of modern authentication to Azure AD.
  • Use Cloud Shell, where you can run PowerShell directly in your browser: http://shell.azure.com/powershell. This option works with FIDO2, but a web-based shell has its limitations.
  • Use the Device Authorization Grant Flow to log in.

This post explains the last option.

What is Device Authorization Grant Flow

The device authorization grant flow is normally used to sign in on “input-constrained devices”, such as IoT devices and printers. In this case, we can view PowerShell as the “device”. The sign-in flow is initiated on the device, but the user completes the sign-in on a web page (on any device with a browser, hopefully one that supports WebAuthn). Once the user has signed in, the device (or PowerShell window) can obtain the needed access and refresh tokens.

Initiate the Device Authorization Grant Flow

Run this code in the PowerShell window you want to sign in to Azure AD:

Note: You do not need to register any new app in Azure AD for this to work since we are using the well-known ClientID for Azure AD PowerShell. You do not have to add any custom values for your tenant either, since we use the Common endpoint. This means that you will automatically be redirected to the tenant the user belongs to when signing in.

$ClientID = '1b730954-1685-4b74-9bfd-dac224a7b894'
$TenantID = 'common'
$Resource = 'https://graph.windows.net/' #Service Endpoint for Azure AD Graph

$DeviceCodeParameters = @{
    Method = 'POST'
    Uri    = "https://login.microsoftonline.com/$TenantID/oauth2/devicecode"
    Body   = @{
        client_id = $ClientId
        resource  = $Resource
    }
}

$DeviceCodeRequest = Invoke-RestMethod @DeviceCodeParameters
Write-Host $DeviceCodeRequest.message -ForegroundColor Green

A code will be shown that you need to enter at the following web page to continue the sign in:


Besides https://microsoft.com/devicelogin, you can also use http://aka.ms/devicelogin. Both will redirect you to https://login.microsoftonline.com/common/oauth2/deviceauth.

Enter the code in the prompt:


As you can see, we are now signing in on a remote device or service.

Be aware that this sign in method can be misused in phishing attempts. Only enter codes you generated yourself!

You can sign in using your regular account name and password, but to sign in using a FIDO2 key, click on Sign-in options:


Now we can use our FIDO2 key to authenticate:


Once authentication is successful, you can close the page in the web browser. The next step (obtaining tokens) will happen in the PowerShell window:


Obtain the tokens

Again, no customization is needed for this script block. We are re-using the device_code from the DeviceCodeRequest we made earlier.

$TokenParameters = @{
    Method = 'POST'
    Uri    = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    Body   = @{
        grant_type = "urn:ietf:params:oauth:grant-type:device_code"
        code       = $DeviceCodeRequest.device_code
        client_id  = $ClientId
    }
}

$TokenRequest = Invoke-RestMethod @TokenParameters
$Token = $TokenRequest.access_token

You now have a valid access token in the variable $Token that can be used to authenticate when using Connect-AzureAD. Note that the variable $TokenRequest also contains refresh_token and id_token, if you want to use them.
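The token request above is sent once and assumes the browser sign-in has already finished; if it runs too early, the endpoint answers HTTP 400 with error authorization_pending (Invoke-RestMethod throws on that status, so the error body has to be read from the exception). The Python below is an added example, not the post’s own script, of the polling loop RFC 8628 prescribes for this step, run against a constructed stand-in for the token endpoint; the class and function names are mine, and the token values are constructed.

```python
import time

# Error codes from RFC 8628 section 3.5, plus the Azure AD-specific ones
# Microsoft documents for its device code endpoint.
PENDING = "authorization_pending"
SLOW_DOWN = "slow_down"
FATAL = {"expired_token", "access_denied",
         "authorization_declined", "bad_verification_code"}


class FakeTokenEndpoint:
    """Constructed stand-in for POST .../oauth2/token (not a real client).

    Returns the scripted JSON bodies in order, whether the real endpoint
    would have answered with HTTP 200 or 400. A real `post` callable must
    do the same: pull the error body out of the exception on a 400 so the
    loop below can inspect the `error` field.
    """

    def __init__(self, script):
        self.script = list(script)
        self.requests = []

    def __call__(self, body):
        self.requests.append(dict(body))
        return self.script.pop(0)


def poll_for_token(post, device_code, interval=5, expires_in=900,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll the token endpoint until the user finishes the browser sign-in.

    `interval` and `expires_in` are the values the devicecode response
    returned in step 1. `sleep` and `clock` are injectable for testing.
    """
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
        "code": device_code,
        "client_id": "1b730954-1685-4b74-9bfd-dac224a7b894",  # as in the post
    }
    deadline = clock() + expires_in
    while True:
        if clock() >= deadline:
            raise TimeoutError("device code expired before sign-in completed")
        resp = post(body)
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == PENDING:
            sleep(interval)           # user has not approved yet; keep waiting
        elif err == SLOW_DOWN:
            interval += 5             # RFC 8628: add 5 s and keep polling
            sleep(interval)
        elif err in FATAL:
            raise PermissionError(f"device code flow failed: {err}")
        else:
            raise RuntimeError(f"unexpected token response: {resp}")


def demo():
    """Run the loop against a scripted endpoint: two pending answers, one
    slow_down, then a constructed token. Returns (token, sleeps, requests)."""
    endpoint = FakeTokenEndpoint([
        {"error": PENDING},
        {"error": SLOW_DOWN},
        {"error": PENDING},
        {"token_type": "Bearer", "access_token": "eyJ0eXAi.constructed.token",
         "refresh_token": "constructed-refresh-token"},
    ])
    sleeps = []
    token = poll_for_token(endpoint, "constructed-device-code",
                           sleep=sleeps.append)
    return token, sleeps, len(endpoint.requests)
```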

Connect to Azure AD

When using the Connect-AzureAD cmdlet with an access token, you also need to specify the username you used to authenticate and the TenantId. You can find your TenantID using PowerShell:

$TenantDomain = "tomdemo.se"
(Invoke-WebRequest https://login.windows.net/$TenantDomain/.well-known/openid-configuration|ConvertFrom-Json).token_endpoint.Split('/')[3]

or by going to:

https://www.whatismytenantid.com/

Now we are ready to connect to Azure AD:

Connect-AzureAD -AadAccessToken $Token -AccountId admin@tomdemo.se -TenantId <insert-tenant-id-here>

Now you should be able to run commands from that module, like this one to get the first group:

Get-AzureADGroup -Top 1

What if I need to use the Microsoft Graph?

That will also work, but you need to change the $Resource variable in the first script block to the service endpoint of Microsoft Graph, https://graph.microsoft.com/, and repeat the process.

Then you should be able to run queries against the Microsoft Graph, like this one to get the first group:

$GroupsParameters = @{
    Method  = 'GET'
    Uri     = 'https://graph.microsoft.com/v1.0/groups?$top=1'
    Headers = @{
        'Authorization' = "Bearer $Token" 
    }
}

$GroupRequest = Invoke-RestMethod @GroupsParameters
$GroupRequest.value

How about Exchange Online?

For this to work, you need to change both the $Resource and the $ClientID variables in the first script block to:

$ClientID = 'a0c73c16-a7e3-4564-9a95-2bdf47383716' # Exchange Online PowerShell Azure Active Directory
$TenantID = 'common'
$Resource = 'https://outlook.office365.com/' # Service Endpoint for Exchange Online

When you sign in, you will see that you are signing in to Microsoft Exchange Online Remote PowerShell:


After you obtain the token you need to create a new credential object based on your username and the token:

$upn = 'admin@tomdemo.se'
$TokenAsSecString = ConvertTo-SecureString "Bearer $($Token)" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($upn, $TokenAsSecString)

Now you can connect to Exchange Online using these commands:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid?BasicAuthToOAuthConversion=true" -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $session

Thanks!


Highlight custom text on any Microsoft Docs page

Sometimes I want to highlight specific text when I’m sharing a Microsoft Docs page with someone, like in this example:


You can do this yourself by appending the following text after the Docs-link:

?view=o365-worldwide#:~:text=Text To highlight

Unfortunately, this only works in Edge and Chrome, not in Firefox or IE.

Here’s an example:

Original Docs-link:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis

Appended text:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis?view=o365-worldwide#:~:text=cloud-based identity

Result:


The yellow highlighting goes away when you click anywhere on the page or reload it.

If you want to highlight more text, you can add start text and end text. Everything in-between will be highlighted:

?view=o365-worldwide#:~:text=Start of highlight,End of Highlight

Example:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis?view=o365-worldwide#:~:text=Azure Active Directory (,Microsoft 365.

Result:


I needed to add the “(” there since the text Azure Active Directory occurs many times on the page. Without it, it looked like this:


In other words, you will have to test your link to make sure it looks as expected.

Note that any spaces need to be converted to %20 for the entire link to be clickable:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis?view=o365-worldwide#:~:text=Azure Active Directory (,Microsoft 365.  <- spaces not encoded

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis?view=o365-worldwide#:~:text=Azure%20Active%20Directory%20(,Microsoft%20365.

You don’t have to add them all manually. If you copy/paste the entire link into a web browser, it will convert spaces to %20 (and other special characters according to standard URL encoding) wherever needed.
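The procedure above (append ?view=..., then #:~:text=start,end and percent-encode spaces) is easy to get wrong when the quoted text itself contains a comma, dash or ampersand, since those have structural meaning in the text directive. This Python is an added example, not from the post, that builds such links; the function names are mine and the base URL is the post’s own example.

```python
from urllib.parse import quote

BASE = ("https://docs.microsoft.com/en-us/azure/active-directory/"
        "fundamentals/active-directory-whatis")


def encode_fragment_term(term):
    """Percent-encode one term (start or end text) of a text directive.

    quote(safe="") turns spaces into %20 and also encodes ',' and '&', which
    would otherwise be read as the start/end separator or as the start of a
    second directive. A '-' survives quote() but marks prefix/suffix terms
    in the directive syntax, so it is encoded as well.
    """
    return quote(term, safe="").replace("-", "%2D")


def text_fragment_url(base, start, end=None, view="o365-worldwide"):
    """Build a Docs link that highlights `start`, or the span from `start`
    to `end`, in the form the examples in the post use."""
    directive = encode_fragment_term(start)
    if end is not None:
        directive += "," + encode_fragment_term(end)
    return f"{base}?view={view}#:~:text={directive}"
```

The browser also accepts the unencoded forms shown in the post; this produces a link that stays clickable when pasted into chat or email as-is.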

I hope this was a helpful tip!


The consequence of not renewing ATA certificate in time

A customer who uses Microsoft Advanced Threat Analytics (ATA) recently had severe issues with their ATA implementation. At first, the portal started to behave strangely, not showing all information in alerts and some configuration settings were missing. After a restart of the ATA servers, the services failed to start at all.

The Microsoft.Tri.Center-Errors.log file contained many errors like this:

2020-01-09 12:34:27.9920 1140 98 Error [CertificateExtension] Microsoft.Tri.Infrastructure.Utils.ExtendedException: There are no matching certificates [StoreLocation=LocalMachine StoreName=My thumbprint=89E1C9790B175D2E6B716CFDDABA3D9F444829F6]

It turned out that their internal PKI had automatically renewed the certificate that ATA was configured to use. In general, this is what you want from a PKI (auto-renewed certificates), but unfortunately, ATA does not support renewing an existing certificate.

The reason is that some ATA data is encrypted using the configured certificate, and during certificate renewal, the old certificate is removed, so you lose the ability to decrypt that data.

So you need to create a new certificate before the old one expires and manually configure ATA to use the new certificate.

This requirement is clearly stated in the Microsoft ATA-documentation:


Source: https://docs.microsoft.com/en-us/advanced-threat-analytics/modifying-ata-center-configuration#the-ata-center-certificate

You will even get alerts in ATA Health Center about upcoming certificate expiration:


Source: https://docs.microsoft.com/en-us/advanced-threat-analytics/monitoring-alerts

Replacing the certificate is not really that difficult or time-consuming. But if you do not replace the certificate before it expires you will get this alert:


Source: https://docs.microsoft.com/en-us/advanced-threat-analytics/monitoring-alerts

You can see that when this happens, the only resolution is to redeploy ATA, and you will lose all your configuration, alerts, and behavior analysis history.

Other services that use certificates can usually be recovered easily from issues caused by expired certificates, simply by getting a new certificate and pointing the service to it. But since the “certificate pointing” in ATA is done in the ATA Configuration, which is encrypted by the previous certificate, you end up in a catch-22.

Some people have tried to manually add the thumbprint of a new certificate in the SystemProfile_date.json configuration file, and they have gotten the ATA up and running again. However, they could not edit all ATA settings after that, so they eventually ended up redeploying from scratch.

Restoring from backup after redeployment will not work either, since the backup still points to the old, removed certificate. You can still use that backup configuration file as a manual reference for how to configure ATA again, since it is in cleartext.

So go ahead and make sure that your ATA implementation does not use a certificate that will be automatically renewed, and/or put a reminder in your calendar to renew it before it expires. And monitor those health alerts!

Update 2020-09-14

In the newly released ATA version 1.9.3, Microsoft has updated the functionality around certificate renewal notifications:

Increased advance notice for Center certificate expiration to three months prior to expiration (previously three weeks). Additionally, the notice now provides a clearer description of the severity of failing to renew the certificate.

You can get the new version by using Windows Update or downloading it here:
https://www.microsoft.com/download/details.aspx?id=56725


Teams on iOS now supports Sensitivity Labels

In the newly released version 1.0.91 of Teams for iOS, it was announced that Teams now supports Sensitivity Labels for your Teams:

(Sorry that the screenshots are in Swedish, you’ll have to trust me or translate it 😀)

I first tried to create a Team before I upgraded the Teams app, and I did not see any option to select Sensitivity Labels:

I then updated Teams to the new version, and sure enough, I could now select the Sensitivity of my new Team:

Always great to see Microsoft Information Protection getting adopted in more and more places.


Copy your AIP Policies to the Security & Compliance Center

You have for a while been able to copy your AIP Labels to the Security & Compliance Center from the Azure Information Protection Portal.

But you can now also copy your AIP Policies (in Preview)!


You get a warning that any existing policies with the same name will be overwritten.
Click Yes to proceed:


It just takes a moment until you see the completion notification:


You will see a summary of the policies that were copied:

(I only had one policy in this tenant)

And sure enough, the new policy appeared right away in the Security & Compliance Center:


The policy settings I had configured were also copied:


Remember that this feature is still in Preview, so use with caution in production. And as always: test first!

/Tom
