
Tag Archives: office 365

Prevent User Subscriptions to Office365 Services

Microsoft are releasing more and more application services as part of the Office365 platform. It’s getting harder and harder to keep pace with the development and release cycle, and new products seem to be launching month on month. Just recently we have seen the release of Microsoft Stream, Microsoft Forms, Staff Hub and Microsoft Flow, to name but a few. These services are part of almost every Enterprise plan with Office 365.

You may have assigned full E1, E3 or E5 licences to your users with a view of letting them become drunk on Office 365. However, most of you will undoubtedly have sub licenced your E plans so that users are only licenced for business approved Office 365 services. Even so, the default settings of Office 365 mean that a user can visit a service’s page, such as Power BI or Microsoft Stream, and use their corporate credentials to sign up to that service.

Unbeknownst to you and the business, users can be consuming features that have yet to be baked into your business process, which could cause issues. To prevent these ad-hoc sign ups there is a tenant setting, accessible by PowerShell, that disables this feature.

You will need the Azure AD PowerShell module installed, then log in via PS and execute this command:

Set-MsolCompanySettings -AllowAdHocSubscriptions $False


Now a user with selective licence assignments won’t be able to sign up for services that they have not been assigned to by an admin. Here we see a user that is only licenced for ProPlus


Now, when this user tries to sign up to Microsoft Stream for instance at https://stream.microsoft.com this is what happens


and when we try and complete the sign up the user is presented with a failure screen


This is a tenant setting that will affect all users. At the moment there appears to be no way to limit this to a user or sub group.
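The change above can be wrapped so that it reads the current value first, supports a dry run and confirms the result. This is an added example, not code from the original post; the function name `Disable-AdHocSubscription` is hypothetical, and it assumes the MSOnline module the post uses and an account allowed to change company settings.

```powershell
# Added example: audit, then enforce, the tenant-wide ad-hoc sign-up setting.
# Disable-AdHocSubscription is a hypothetical helper name, not a Microsoft cmdlet.
function Disable-AdHocSubscription {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Read the current tenant value before changing anything.
    $before = (Get-MsolCompanyInformation).AllowAdHocSubscriptions
    Write-Verbose "AllowAdHocSubscriptions is currently: $before"

    if ($before -eq $false) {
        Write-Output 'Ad-hoc subscriptions are already disabled; nothing to do.'
        return
    }

    # -WhatIf / -Confirm on this function are honoured here.
    if ($PSCmdlet.ShouldProcess('tenant company settings',
                                'Set AllowAdHocSubscriptions to False')) {
        Set-MsolCompanySettings -AllowAdHocSubscriptions $false

        # Re-read the setting to confirm the tenant accepted the change.
        $after = (Get-MsolCompanyInformation).AllowAdHocSubscriptions
        if ($after -ne $false) {
            throw "Setting did not apply; AllowAdHocSubscriptions is still $after."
        }
        Write-Output 'Ad-hoc subscriptions disabled for the whole tenant.'
    }
}

Connect-MsolService                   # prompts for admin credentials
Disable-AdHocSubscription -WhatIf     # preview only; drop -WhatIf to apply
```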

Blocking Office Store – Harder Than You May Think

Recently at a customer they were rolling out Office 2016 ProPlus to their early adopters. This was a significant change for the business and somewhat an experimental process. Their Information Security team had a problem with the Add-ins function within the Office applications and requested that we find a way to block Office from accessing the Office Store.

The Office Store isn’t curated solely by Microsoft, so their concerns about the potential risks to information that an unsolicited add-in could cause were valid.

Blocking the Office Store is harder than I first thought. There are blog posts out there that cover blocking, but I found that they cover single use cases, not a complete block. So this post will cover all 4 steps you need to take to successfully block the Office Store.

Step 1 – Remove Office Store link from the App Launcher

In the Office 365 Portal, expand the Settings menu and click on Services and Add-ins


Next, scroll down to find the Office Store Service


Change the default value from On to Off and press save


This now removes the Store from the App Launcher

Step 2 – Block Office 2016 ProPlus from Accessing the Office Store

You can do this by using the Office Customisation Tool (OCT) when creating your deployment package, or by using the Office 2016 ADMX Group Policy template. This is well documented here: https://technet.microsoft.com/en-us/library/cc178992.aspx

Implementing this will stop the Office package from browsing the Office Store.

Step 3 – Blocking Access to the Store from Office Online

This one is something that I spent quite a bit of time on. Even with the above steps completed, users who go to Word, Excel or PowerPoint Online are still able to browse the Office Store and add add-ins. I couldn’t find a way to block this initially within the tenant; I even checked Azure AD Applications for Office Store and there was nothing in there that suggested this could be turned off. However, I found that there is a setting in Office 365 that will prevent this.

As you would logically think (sarc), this setting is located in SharePoint Admin Portal, so open this then click on Apps, and then Configure Store Settings


Then select No for “Should Apps for Office from the store be able to start when documents are opened in the browser”, and press save


Now when Word, Excel, PowerPoint Online open and you try and browse the Office Store you get this


Step 4 – Block Access to https://store.office.com

So even with these settings applied, users can still go to store.office.com, browse the store, sign in and add an add-in to Office 2016 and Office Online… sigh. So you need to add this URL to your web blocking solution. But there is more: what if you have remote working and users are not connected to corpnet? The only dirty way I have found to prevent this is to edit the HOSTS file on the machine so that it sends requests to store.office.com to an IP address of or the IP of a web page that tells them access is blocked.

Office 2013 Click to Run Hot Desk Licencing

With the increasing popularity of Office 365, and with Office 2013 Pro Plus available with E3 licencing, the rule book on application licence activation has been rewritten. In the past Microsoft gave us two options of activation, KMS and MAK. KMS was a favourite amongst system administrators because of its ease of deployment and reliance on robust distribution and activation technologies such as DNS and Active Directory. MAK had its place in smaller networks of 20 machines or less.

Enter Office 365 licencing. Now system administrators have to get their head around another form of activation: user initiated activation. User initiated activation prompts the logged on user to enter their email address and password for activation. Office then interrogates the Office 365 tenant associated with the email address and activates that instance of Office for the user, if the user is suitably licenced in Office 365. Great for admins, who now do not need to worry about their KMS states or MAK activations.


ADFS Multifactor Authentication – Not Good for Office 365

Continuing down the road of implementing ADFS Multi-factor Authentication (MFA) using PKI, I have come across a few issues and a major show stopper when implementing this for Office 365 services. I wanted to share my experience so that you can avoid the same pain as I have been through.


Get List of Users and Associated Office 365 Licences

Just a quick memory dump for myself really.

To export a report of all users from Office 365 and their associated licences, run the following command in the Azure PowerShell module:

Get-MsolUser -All | Select UserPrincipalName, Licenses | fl | Out-File c:\office365users.txt

To only export licenced users:

Get-MsolUser -All | Where {$_.IsLicensed -eq $true} | Select UserPrincipalName, Licenses | fl | Out-File c:\office365users.txt
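For reviewing which services each user actually has enabled, the same data can be flattened to one row per user, licence and service plan. This is an added example, not code from the original post; `Get-LicenceServiceReport`, the sample user and the output path are hypothetical, and the property names are those of the objects returned by `Get-MsolUser`.

```powershell
# Added example: one row per user, licence SKU and service plan.
# Get-LicenceServiceReport is a hypothetical helper name.
function Get-LicenceServiceReport {
    param([Parameter(Mandatory)][object[]]$User)
    foreach ($u in $User) {
        foreach ($lic in $u.Licenses) {
            foreach ($svc in $lic.ServiceStatus) {
                [pscustomobject]@{
                    UserPrincipalName  = $u.UserPrincipalName
                    AccountSkuId       = $lic.AccountSkuId
                    ServicePlan        = $svc.ServicePlan.ServiceName
                    ProvisioningStatus = $svc.ProvisioningStatus
                }
            }
        }
    }
}

# Constructed sample shaped like a Get-MsolUser result, so the function
# can be tried offline. Names and values are made up for illustration.
$sample = [pscustomobject]@{
    UserPrincipalName = 'user@example.com'
    Licenses = @([pscustomobject]@{
        AccountSkuId  = 'example:ENTERPRISEPACK'
        ServiceStatus = @(
            [pscustomobject]@{
                ServicePlan        = [pscustomobject]@{ ServiceName = 'OFFICESUBSCRIPTION' }
                ProvisioningStatus = 'Success' },
            [pscustomobject]@{
                ServicePlan        = [pscustomobject]@{ ServiceName = 'EXAMPLE_PLAN' }
                ProvisioningStatus = 'Disabled' })
    })
}
Get-LicenceServiceReport -User $sample | Format-Table -AutoSize

# Against a real tenant (after Connect-MsolService):
# $licensed = Get-MsolUser -All | Where-Object { $_.IsLicensed }
# Get-LicenceServiceReport -User $licensed |
#     Where-Object { $_.ProvisioningStatus -ne 'Disabled' } |
#     Export-Csv -Path C:\office365-licence-services.csv -NoTypeInformation
```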


Multi Factor Authentication (MFA) Using ADFS 3.0 and Certificates

I had to implement MFA using ADFS 3.0 and internally signed certificates in order to authenticate external users against Office 365 services. There were a few niggles along the way but on the whole it was a relatively easy process to complete. The design brief stated that only domain joined devices from outside the corporate LAN can consume Office 365 services. In addition these users must perform multi-factor authentication when outside the corporate LAN only. I am pretty sure that the design could have been achieved using Azure MFA and a few claim rules in ADFS. However, the customer liked the idea of the relatively simple management and roll out that certificate based MFA provides.


Office 365 Single Sign On Gotchas (Green Field)

It is important to understand before reading this article that it is not a guide on how to install ADFS, WAP and AADSync. I hope to be able to do this sometime in the near future. This article bullet points some of the gotchas I have experienced whilst implementing this in a green field deployment.


Resetting Office 365 Password using Powershell

To reset an Office 365 user’s password you need the Windows Azure Active Directory Module installed: http://msdn.microsoft.com/en-us/library/azure/jj151815.aspx

Open the console and enter


Press Enter, enter your admin Office 365 account username and password in the logon box

Then issue this command

Set-MsolUserPassword -UserPrincipalName cphillip@domain.com -NewPassword London1234 -ForceChangePassword $false