Azure Blob and Azure Lifecycle Management

· 7 min read

Azure Blob storage, a Platform-as-a-Service (PaaS) offering, is used for streaming and storing documents, videos, pictures, backups, and other unstructured text or binary data. However, the functionality extends beyond just a place to “store stuff”: it can save you money and time by automating the lifecycle of your data using Azure Blob Lifecycle Management and access tiers.

As of January 2021, Blob storage now supports the Network File System (NFS) 3.0 protocol. This support provides Linux file system compatibility at object storage scale and prices and enables Linux clients to mount a container in Blob storage from an Azure Virtual Machine (VM) or a computer on-premises.

Blobs - “Highly scalable, REST-based cloud object store”

  • Data sharing, Big Data, Backups
  • Block Blobs: Read and write data in blocks. Optimized for sequential IO. Most cost-effective Storage. Ideal for files, documents & media.
  • Page Blobs: Optimized for random access and can be up to 8 TB in size. IaaS VM OS & data disks and backups are of this type.
  • Append Blobs: Like block blobs and optimized for append operations. Ideal for logging scenarios and total size can be up to 195 GB.

Aren’t there only 2 access tiers?

When you create an Azure Storage account, you get presented with 2 options for the Access Tier:

  • Hot
  • Cool

Hot access tier

The hot access tier has higher storage costs than cool and archive tiers, but the lowest access costs. Example usage scenarios for the hot access tier include:

  • Data that is in active use or is expected to be read from and written to frequently.
  • Data that is staged for processing and eventual migration to the cool access tier

Cool access tier

The cool access tier has lower storage costs and higher access costs compared to hot storage. This tier is intended for data that will remain in the cool tier for at least 30 days. Example usage scenarios for the cool access tier include:

  • Short-term backup and disaster recovery
  • Older data not used frequently but expected to be available immediately when accessed.
  • Large data sets need to be stored cost-effectively, while more data is being gathered for future processing.

These options are set globally for the blobs in your Azure Storage account. However, there is a third tier, the Archive access tier:

Archive access tier

The Archive access tier has the lowest storage cost, but higher data retrieval costs compared to hot and cool tiers.

Data must remain in the archive tier for at least 180 days or be subject to an early deletion charge. Data in the archive tier can take several hours to retrieve depending on the specified rehydration priority.

While a blob is in archive storage, the blob data is offline and cannot be read or modified. To read or download a blob in the archive, you must first rehydrate it to an online tier.

How is this charged?

The cost depends on which tier your data is in. Azure Blob Storage is charged on read/write and list operations and other factors, for example:

  • Hot Tier: Lower access prices for frequent use
  • Cool Tier: Lower storage prices for high volume
  • The volume of data stored per month.
  • Quantity and types of operations performed, along with any data transfer costs.
  • Data redundancy option selected.

More information here: https://azure.microsoft.com/en-us/pricing/details/storage/blobs/

What is data lifecycle management?

There are many versions of it, but at its core, there are 5 stages to simple data lifecycle management:

  • Creation – When the data is first created.
  • Storage – Where the data is stored.
  • Usage – When the data is useful and relevant and used.
  • Archival – When the data is not as useful, but still helpful to have around due to knowledge or legal requirements.
  • Destruction – When the data is completely irrelevant and there is no need to store or use it anymore.

Right... so, tell me more about the Azure Blob Lifecycle Management?

Azure Blob Storage has a lifecycle management feature built-in. Azure Blob Storage lifecycle management offers a rich, rule-based policy for General Purpose v2 and blob (and Premium Block blob) storage accounts.

  • Imagine you are working on a project, such as purchasing a new company. You not only want somewhere to store that data, but you also want to make sure it is accessible quickly, so you put it in an Azure Blob Storage account under the Hot tier.
  • You’ve then spent some time working on new documents using the data you acquired when you purchased the ‘new’ company, but you don’t touch them anymore. You don’t want them sitting on fast storage costing you additional money, so they get migrated to the ‘Cool’ access tier.
  • A few months later, you realize that you need some of the original data from the company acquisition. You find the files and use them; they take a bit longer to open as the data needs to be migrated to the ‘Hot’ tier, but you are happy because the data that you want is there.
  • A year later, you are onto acquiring another company, and the data from the earlier acquisition, which seems a lifetime ago, is forgotten about. However, you know you might need it for legal or finance auditing purposes, so the data goes into the Archive tier, costing you less than the Cool tier, but it can be reacquired at a later date if needed (for an extra charge).
  • 7 years down the track, you’re now a multi-million-dollar firm and have completely forgotten about, or no longer need, the data from your original acquisition. The data then gets deleted, saving you money and data management costs.

Microsoft Azure and Lifecycle Management for Blob Storage automate the entire lifecycle for you.

How do I enable or configure Azure Blob Lifecycle Management?

  1. Log in to the Azure Portal
  2. Find the Azure storage account you want to configure Lifecycle Management on
  3. On the Storage account left-hand side Blade, under Blob Service click on Lifecycle Management
  4. Click on Add a rule
  5. Enter a Rule name that suits your naming standards, for example, AzureBlobLifecyclePolicy. Note: Make sure Append Blobs is unselected; moving append blobs between access tiers is unsupported (however, deleting them after x amount of days is supported).
  6. Click Next
  7. This is where the magic happens. We are going to go with the following:
  8. Base Blobs that were last modified 90 days ago will be moved to Cool storage.
  9. Click on + Add if-then block and select the Archive Storage option. In this example we archive data that has been in Cool storage for 90 days, so we enter: 180 days. Note: Migrating data between access tiers does not change the last modified date of the file, so it's 90 days for migrating to Cool, then another 90 days to move to Archive.
  10. Click on + Add if-then block and select Delete the blob. Data that has been in Archive storage for 90 days will now be deleted, so we enter: 270 days.
  11. Click Next and do the same for Snapshots and versions and click Save.
  12. Congratulations, you have now created an Azure Blob Lifecycle policy!

Once the Policy has been saved, it is Enabled by default. You can disable it by selecting the Policy and then selecting Disable on the top banner.
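The same rule can be built with the Az.Storage lifecycle cmdlets. This is an added example, not code from the original post: the resource group and storage account names are placeholders, and Test-LifecycleThresholds is a hypothetical helper that refuses to apply stages that are out of order, since every threshold counts from the last modified date.

```powershell
#Requires -Modules Az.Accounts, Az.Storage

# Placeholders (assumptions, not from the original post): replace with your own names.
$ResourceGroupName  = '<resource-group>'
$StorageAccountName = '<storage-account>'

# Thresholds from the walkthrough. All three count days since the blob was last
# modified, because moving a blob between tiers does not reset that date.
$Thresholds = [ordered]@{
    TierToCool    = 90
    TierToArchive = 180
    Delete        = 270
}

function Test-LifecycleThresholds {
    # Hypothetical helper: throws if a later stage would fire on or before an earlier
    # one, for example a Delete threshold that is lower than the Archive threshold.
    param([Parameter(Mandatory)] [System.Collections.IDictionary] $Thresholds)

    $previous = 0
    foreach ($stage in 'TierToCool', 'TierToArchive', 'Delete') {
        $days = [int]$Thresholds[$stage]
        if ($days -le $previous) {
            throw "Stage '$stage' ($days days) must be later than the previous stage ($previous days)."
        }
        $previous = $days
    }
    $true
}

Test-LifecycleThresholds -Thresholds $Thresholds | Out-Null

Connect-AzAccount

# Build the three if-then blocks on a single action object.
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool `
    -DaysAfterModificationGreaterThan $Thresholds.TierToCool
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction TierToArchive `
    -DaysAfterModificationGreaterThan $Thresholds.TierToArchive
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction Delete `
    -DaysAfterModificationGreaterThan $Thresholds.Delete

# Block blobs only: append blobs cannot be moved between access tiers (step 5).
$filter = New-AzStorageAccountManagementPolicyFilter -BlobType blockBlob

$rule = New-AzStorageAccountManagementPolicyRule -Name 'AzureBlobLifecyclePolicy' `
    -Action $action -Filter $filter

# Set-AzStorageAccountManagementPolicy writes the complete rule set for the account,
# so rules that already exist are read first and kept alongside the new one.
$existing = Get-AzStorageAccountManagementPolicy -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName -ErrorAction SilentlyContinue
$otherRules = @($existing.Rules | Where-Object { $_ -and $_.Name -ne $rule.Name })

Set-AzStorageAccountManagementPolicy -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName -Rule ($otherRules + $rule)

# Read the policy back to confirm what was saved.
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName).Rules | ConvertTo-Json -Depth 10
```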

#ProTip - You can also view the policy as Code in Code View, which is a simple and quick way of documenting and modifying your lifecycle policy.

#ProTip - You can have multiple Lifecycle Policies on a single storage account.

#ProTip - You can learn more about Lifecycle policies by going to the Microsoft documentation here: Optimize costs by automating Azure Blob Storage access tiers.

#ProTip - If you are looking for integration with Azure AD or Active Directory NTFS permissions, replicating data from fileservers, you are better off looking at Azure File Shares and not blob storage.

Azure DevOps and creating your Cloud Adoption Framework

· 5 min read

Do you want to make a start on Azure Adoption and Governance, Server Migration or Azure Virtual Desktop and do not know where to start, or whether you are asking the right questions?

If you want to create a framework for your cloud adoption or migration plans, you can look at using the Azure DevOps Demo Generator.

Azure DevOps is not only a continuous integration and deployment tool. Along with Repos, Pipelines, Test Plans and Artifacts, there is Azure Boards. With Boards you can plan and track your work items, and use the Kanban board functionality to easily update or track your work-in-progress items and add to the backlog. Although Azure Boards is primarily used by Agile squads and sprint-planning organizations, it does not have to be.

Azure Boards comes with your MSDN license, or free under the Basic plan for the first 5 users.

The Azure DevOps Demo Generator can create projects in your Azure DevOps organization, already prepopulated with relevant Epics, Features and Tasks that can help you on your cloud journey!

Azure DevOps Demo Generator

There are many prepopulated projects in the Demo Generator, from Security to Learning; you can even import prepopulated templates from other people.

The ones we are going to concentrate on are the Cloud Adoption Framework projects.

Azure DevOps Generator - Choose a template

The following projects are available under the Cloud Adoption Framework heading to help you on your journey (as of the date this article was published):

| Project | Description |
| --- | --- |
| Cloud Adoption Plan | The Cloud Adoption Plan template creates a backlog for managing cloud adoption efforts based on the guidance in the Microsoft Cloud Adoption Framework. |
| CAF Strategy-Plan-Ready-Gov | In this checklist we share all the decision points needed to successfully build a Cloud Adoption Plan as well as the Landing Zone with Governance |
| ServerMigration_CAF_DevOps_ProjectTaskList | Server migration has many different activities. In the Azure DevOps Project we will provide the steps necessary to go from zero to a complete Server migration and management. |
| AKS_CAF_DevOps_Project_TaskList | AKS deployment has many different activities. In the Azure DevOps Project we will provide the steps necessary to go from zero to a complete AKS deployment and management. |
| SQL Migration | SQL migration has many different activities. In the Azure DevOps Project we will provide the steps necessary to go from zero to a complete SQL migration and management. |
| Windows Virtual Desktop | Project work plan templates in Azure DevOps that provide the steps necessary to go from zero to a complete WVD deployment with ongoing management |
| Knowledge Mining | Knowledge project simplifies the process of accessing the latent insights contained within structured and unstructured data. Use this project to help you address all the steps. |
| Azure Governance Readiness | The standalone Azure governance project provides guidance and tools on how to ensure that your Azure environment is governed in the correct way. |
| Modern Data Warehouse | Build your modern data warehouse using this ADO checklist of items, in this checklist we have links to assets, code and learning material. |
| Retail Recommender with Azure Synapse | This Solution Accelerator is an end-to-end example on how to enable personalized customer experiences for retail scenarios by leveraging Azure Synapse Analytics, Azure Machine Learning Services, and other Azure Big Data services. |
| Modern IOT | Connected sensors, devices, and intelligent operations can transform businesses and enable new growth opportunities. In this project you will get the work items needed to plan and implement your IOT solution using the Azure IoT Platform. |

Once the project has been created, you can go into Azure Boards and click on: Work Items.

If we take a look at the CAF Strategy-Plan-Ready-Gov Team one, we can see the Epics, Features and Tasks associated with Cloud Adoption:

Azure DevOps - Cloud Adoption Strategy

If we click Boards, we can see the Kanban board, the state of the Epics, features etc. and where they are.

Azure DevOps - Kanban

Depending on the Tasks, it may have a description of the task with links to the relevant documentation, such as this SQL Deployment and Migration testing:

Azure DevOps - Kanban

As you can see, the Azure DevOps Generator offers not only a place to track your progress but relevant data to help you put a framework around your cloud journey, and these projects work well with the Microsoft Cloud Adoption and Azure Well Architected Framework!

These are guidelines, and they do not need to be followed to the letter; however, in my opinion, they offer an excellent base to build your cloud adoption and implementations upon.

I have extracted the following work items from the projects as CSV, in case you prefer to start with Excel or want to take a look at the epics, features and tasks that come with these projects:

Azure Resource Graph Explorer and the PowerShell Azure Resource Graph

· 6 min read

Every now and again you come across something that you pay little attention to until you actually spend the time to sit down, work through and try to break stuff! The Azure Resource Graph was that for me!

The idea was to create an export of Azure recommendations directly from Azure Advisor into PowerShell. Microsoft Azure has this functionality out of the box with a few tools:

Azure Graph Resource Explorer

The Azure Graph Resource Explorer is built into the Azure Portal. It can be found by going to https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade, or by logging into the Azure Portal, typing in 'Resource Graph' and selecting Explorer.

The Azure Resource Graph Explorer allows you to explore the Microsoft Azure Resource Graph, using inbuilt Sample Queries and the Kusto Query Language.

The PowerShell queries mentioned in the section below started by clicking on the 'microsoft.advisor/recommendations' field and selecting Run Query.

advisorresources
| where type == "microsoft.advisor/recommendations"

I then clicked on the 'See Details' on the right-hand side to see all the details that were being brought in, in each object or row. Example below:

{
  "recommendationTypeId": "7262dc51-c168-41b5-b99b-b5b98f8fe50a",
  "extendedProperties": {
    "assessmentKey": "7262dc51-c168-41b5-b99b-b5b98f8fe50a",
    "score": "0"
  },
  "resourceMetadata": {
    "resourceId": "/subscriptions/0673a0bd-0c9b-483f-9aee-c44795ae739f",
    "singular": null,
    "plural": null,
    "action": null,
    "source": "/subscriptions/0673a0bd-0c9b-483f-9aee-c44795ae739f/providers/Microsoft.Security/assessments/7262dc51-c168-41b5-b99b-b5b98f8fe50a"
  },
  "shortDescription": {
    "solution": "Subscriptions should have a contact email address for security issues",
    "problem": "Subscriptions should have a contact email address for security issues"
  },
  "suppressionIds": null,
  "impactedField": "Microsoft.Subscriptions/subscriptions",
  "impactedValue": "0673a0bd-0c9b-483f-9aee-c44795ae739f",
  "lastUpdated": "2021-04-08T13:15:54.2870000Z",
  "category": "Security",
  "metadata": null,
  "impact": "Low"
}

And no, that isn't my real Subscription ID etc, I've replaced the field with randomly generated GUIDs.

We can see that there is a good amount of actionable data here such as:

  • This is a Security Category recommendation
  • It is Low Impact
  • The problem is that the Azure subscription should have a contact email address to be used for Security alerts and it does not have one set up (Oops!)

So we need to turn it into something a bit more usable. I know that the Azure Advisor has the following categories:

  • Cost
  • HighAvailability
  • OperationalExcellence
  • Performance
  • Security

The same syntax can be used for any of these categories; for my example, we will continue with Security. Looking at the Details (or the example above), we can see that category is simply listed on its own at the top level, inside the 'microsoft.advisor/recommendations' object, so we now need to add another pipe to the query:

| where properties['category'] == 'Security'

This will now only select the 'Security' category. However, as you can see below, it's hardly something you can act on or read.

Azure Resource Graph - Category 'Security'

The next step is to make it a bit more readable. Because we know this is the Kusto language, it's time to hit the Microsoft Docs page and read up about the 'Project Operator' - https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/projectoperator. Project = "Select the columns to include, rename or drop, and insert new computed columns." That sounds like what we want.

If we take a gander back at the 'Full Details' (or Example above) there are 3 fields I am looking at that would add the most value to a report or digest for the security posture of my Azure ecosystem:

  • Solution
  • impactedField
  • impactedValue

We now need to add our final pipe to remove everything we don't want and add the properties that make the most sense to use. Because we are using multiple properties, we separate them with commas. It's worth noting that, unlike the category property above (and impactedField and impactedValue), which are top-level properties, the solution property is a sub-property of 'shortDescription', so we have to select the shortDescription property and then expand out to the solution property, like below:

| project properties.shortDescription.solution

That now gives us a list of the security alerts on the subscription, but without a heading that makes sense:

Azure Resource Graph

To add a header called Recommendation, we need to do the following:

| project Recommendation=tostring(properties.shortDescription.solution)

Now we are ready to add the impactedField and impactedValue.

The final query should look like this:

advisorresources
| where type == 'microsoft.advisor/recommendations'
| where properties['category'] == 'Security'
| project Recommendation=tostring(properties.shortDescription.solution), ImpactedType=tostring(properties.impactedField), ImpactedResources=tostring(properties.impactedValue )

and the Azure Resource Graph Explorer should display something like this:

Azure Resource Graph

Protip, on the Azure Resource Graph Explorer page, click on 'Get Started', underneath the Query window to view Example Queries, such as Listing all Public IP addresses or even getting the Security Center Recommendations. They are really good to use as a base and see how they work.

Azure Graph PowerShell

Using the Azure Resource Graph Explorer is a good way to create the Kusto queries you want. You can then run those queries in PowerShell and turn the results into PowerShell objects, which opens up a few possibilities for things like:

  • Automated Reporting on Cost, Security etc
  • Proactive remediation actions.

First things first you need to install the Az.ResourceGraph module, then you can use the Search-AzGraph to run the queries that you created above. I am going to rely on the gist below to give you a few examples.

AzGraph.ps1

<#
.SYNOPSIS
Installs the Az.ResourceGraph Module and has example queries
.NOTES
Version: 1.0
Author: Luke Murray (Luke.Geek.NZ)
Website: https://luke.geek.nz/azure-resource-graph-explorer-and-the-powershell-azure-resource-graph
Creation Date: 09.04.21
Change History:
09.04.21 - Initial script development

#>

# Install the Resource Graph module from PowerShell Gallery
Install-Module -Name Az.ResourceGraph -Scope CurrentUser

# Imports the Resource Graph module into the PowerShell session
Import-Module -Name Az.ResourceGraph

#Connects to Microsoft Azure
Connect-AzAccount

#Grabs the count of all recommendations under each Category that the Azure Advisor has

Search-AzGraph -Query "advisorresources | summarize Count=count() by Category=tostring(properties.category) | where Category!='' | sort by Category asc"

#Following on from the Blog post, this is the query we created to list all Security recommendations, their resource type and what resources were impacted

Search-AzGraph -Query "advisorresources
| where type == 'microsoft.advisor/recommendations'
| where properties['category'] == 'Security'
| project Recommendation=tostring(properties.shortDescription.solution), ImpactedType=tostring(properties.impactedField), ImpactedResources=tostring(properties.impactedValue )"

#List of Performance recommendations

Search-AzGraph -Query "advisorresources | where type == 'microsoft.advisor/recommendations' and properties.category == 'Performance' | project Solution=tostring(properties.shortDescription.solution) | summarize Count=count() by Solution | sort by Count"

#List of Cost recommendations

Search-AzGraph -Query "advisorresources | where type == 'microsoft.advisor/recommendations' and properties.category == 'Cost' | summarize Resources = dcount(tostring(properties.resourceMetadata.resourceId)), Savings = sum(todouble(properties.extendedProperties.savingsAmount)) by Solution = tostring(properties.shortDescription.solution), Currency = tostring(properties.extendedProperties.savingsCurrency) | project Solution, Resources, Savings = bin(Savings, 0.01), Currency | order by Savings desc"
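
Taking the Security query one step further towards the automated reporting mentioned above, this added example (not part of the original gist) pages through every result and writes a summary per recommendation to CSV. Search-AzGraph returns only the first 100 rows unless told otherwise. Assumptions: an Az.ResourceGraph version whose response exposes Data and SkipToken, a hypothetical function name, and an illustrative output file name.

```powershell
#Requires -Modules Az.Accounts, Az.ResourceGraph

# The post's Security query, with two changes: 'id' stays in the projection, because
# Resource Graph only hands back a SkipToken for the next page when the result set
# contains the id column, and the top-level 'impact' property is added for sorting.
$Query = @'
advisorresources
| where type == 'microsoft.advisor/recommendations'
| where properties['category'] == 'Security'
| project id, Recommendation=tostring(properties.shortDescription.solution), ImpactedType=tostring(properties.impactedField), ImpactedResources=tostring(properties.impactedValue), Impact=tostring(properties.impact)
| order by id asc
'@

function Get-AdvisorRecommendationPaged {
    # Hypothetical helper: follows SkipToken until Resource Graph reports no more pages.
    param(
        [Parameter(Mandatory)] [string] $Query,
        [ValidateRange(1, 1000)] [int] $PageSize = 1000   # 1000 is the per-call maximum
    )

    $rows = [System.Collections.Generic.List[object]]::new()
    $skipToken = $null
    do {
        $params = @{ Query = $Query; First = $PageSize }
        if ($skipToken) { $params.SkipToken = $skipToken }

        $page = Search-AzGraph @params
        foreach ($row in $page.Data) { $rows.Add($row) }
        $skipToken = $page.SkipToken
    } while ($skipToken)

    $rows
}

Connect-AzAccount
$recommendations = Get-AdvisorRecommendationPaged -Query $Query

# One line per recommendation: how many resources it affects and of which types,
# with High impact first and the most widespread findings at the top of each band.
$impactOrder = @{ High = 0; Medium = 1; Low = 2 }
$summary = $recommendations |
    Group-Object -Property Recommendation, Impact |
    ForEach-Object {
        [pscustomobject]@{
            Recommendation    = $_.Group[0].Recommendation
            Impact            = $_.Group[0].Impact
            AffectedResources = $_.Count
            ImpactedTypes     = ($_.Group.ImpactedType | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object -Property @{
        Expression = {
            $impact = [string]$_.Impact
            if ($impactOrder.ContainsKey($impact)) { $impactOrder[$impact] } else { 3 }
        }
    }, @{ Expression = 'AffectedResources'; Descending = $true }

$summary | Format-Table -AutoSize

# Illustrative output path (assumption).
$summary | Export-Csv -Path .\AdvisorSecurityRecommendations.csv -NoTypeInformation
```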

Keep up to date with Azure changes using PowerShell

· 3 min read

Keeping up with changes and previews in Microsoft Azure is difficult. Change happens all the time, and being able to stay informed on what is happening with the Azure ecosystem is half the battle, whether it is a new feature or a security fix.

Microsoft publishes the latest updates on Azure Products and features to their Azure Updates blog: https://azure.microsoft.com/en-us/updates/

So you can browse the website each week, or... monitor the RSS feeds. Sometimes this isn't enough; you may want to do something with this information, such as:

  • Create Alerts or Notifications to specific teams who may work with Azure SQL, or Azure Automation and not care about any other product.
  • Not have to go to the website to keep up-to-date with what is happening; maybe you're happy with it popping up in your PowerShell session each time you open it.
  • Publish the information to Microsoft Teams channels to keep people informed.

I have created a basic PowerShell function, that will retrieve the latest updates from the Microsoft Azure Updates RSS Feed and turn it into a PowerShell object you can actually use to keep informed.

The Script - Get-AzureBlogUpdates

The script is hosted on my Github repository. Feel free to clone/recommend improvements or fork, I can add parameter sets instead of relying on the PowerShell methods listed in the examples section - if you find this script useful:

Get-AzureBlogUpdates.ps1

function Get-AzureBlogUpdates {
    <#
    .SYNOPSIS
    Retrieves the latest Updates of Azure, from the Azure Blog RSS feed.
    .DESCRIPTION
    Retrieves the latest Updates of Azure, from the Azure Blog RSS feed.
    .NOTES
    Version: 1.0
    Author: Luke Murray (Luke.Geek.NZ)
    Website: https://luke.geek.nz/keep-up-to-date-with-latest-changes-on-azure-using-powershell
    Creation Date: 03.04.21
    Purpose/Change:
    03.04.21 - Initial script development
    .EXAMPLE
    Get-AzureBlogUpdates
    #>

    # Retrieve the RSS feed content as XML, then convert each item into a PSObject
    $xml = [xml](Invoke-WebRequest -Uri 'https://azurecomcdn.azureedge.net/en-us/updates/feed/').Content
    $Array = @()
    foreach ($y in $xml.rss.channel.SelectNodes('//item')) {
        $PSObject = New-Object -TypeName PSObject
        $Date = [datetime]$y.pubdate
        $PSObject | Add-Member NoteProperty 'Title' $y.title
        $PSObject | Add-Member NoteProperty 'Date' $Date
        $PSObject | Add-Member NoteProperty 'Category' $y.category
        $PSObject | Add-Member NoteProperty 'Description' $y.content.InnerText
        $PSObject | Add-Member NoteProperty 'Link' $y.link

        $Array += $PSObject
    }

    # Some articles have multiple categories. To make reporting easier, remove the
    # duplicate categories first and then join the rest into one comma-separated string.
    $results = @()
    foreach ($item in $Array) {
        $results += [pscustomobject]@{
            'Title'          = $item.Title
            'Category'       = ($item.Category | Select-Object -Unique) -join ','
            'Published Date' = $item.Date
            'Description'    = $item.Description
            'Link'           = $item.Link
        }
    }
    $results
}

Examples

#Runs the actual Function:
Get-AzureBlogUpdates

#EXAMPLE - Gets Azure Blog Updates, that have been published in the last 7 days.
$PublishedIntheLastDays = (Get-Date).AddDays(-7)
Get-AzureBlogUpdates | Where-Object 'Published Date' -GT $PublishedIntheLastDays

#EXAMPLE - Gets all Azure Blog Updates, and displays it as a Table, organised by Category
Get-AzureBlogUpdates | Sort-Object Category -Descending | Format-Table

#EXAMPLE - Gets the latest 10 Azure Blog Articles
Get-AzureBlogUpdates | Select -Last 10

#EXAMPLE - Gets the Azure Blog Update articles, where the title has Automation in it.
Get-AzureBlogUpdates | Where-Object Title -match 'Automation'

Microsoft Teams Recommendations

· 13 min read

In the age of remote working and collaboration, Microsoft Teams is one of the most popular tools being used to increase communication and productivity.

Especially for those undergoing implementations and migrations from Skype for Business to Microsoft Teams, it is a good opportunity to take a step back and evaluate and clarify your implementation. The recommendations below are as good a place to start as any.

Please keep in mind that, like any recommendations, you should not blindly follow them. Make sure to determine the impact on your users of enabling some of this functionality. There may also be recommendations that you will not be able to apply, due to business constraints.

RecommendationDescription
Add the Microsoft Teams SMTP domain as an allowed list in Microsoft Exchange Online Spam filter protectionWhether you create an Office 365 Group in the admin console or by using Outlook, Exchange Online is used to send notifications of a team member being added to a Group. These messages are generated from your tenant as they represent your default domain SMTP FQDN.Teams uses Microsoft Exchange Online as well to send notifications to team members when they’ve been added. The difference being the domain FQDN of the SMTP message is “@email.teams.microsoft.com” and could be caught by spam filtering. Outlook considers message from Teams as an external sender which is subject to standard security features such as blocking images and certain content.
Allow the following User Agent Strings for Microsoft Teams within the EWS configurationTeams users may not be able to access Teams meetings/connectors though their mailboxes are in Exchange Online.
Assign a valid security group that can be used for controlling who can create Office 365 groups as well as Office 365 services that depends on groups such as Teams, Planner, etcA security group is configured to restrict which users are allowed to create groups. However this security group does not exist anymore which prevents the creation of new groups.
Assign Teams Meeting Room license to your Teams meeting room accountWithout the proper license, you may have some Teams Meeting room features that are not working properly or not available such as the ability to dial-out attendees into your meeting.
Associate registered SBC with Office domainCheck as part of the Direct Routing configuration is missing the domain name associated with one of your SBCs.
Check Skype for Business to Microsoft Teams meeting migration failuresSome of your user’s meeting may not have been successfully migrated from Skype for Business to Teams. Users might be unable to join the affected meetings.
Check Microsoft Stream license is assigned to users if cloud recording is allowedYour users who can do Teams meeting and recordings may not have the necessary Microsoft Stream license to store /upload meeting recordings / playback to Microsoft Stream.
Check the SBC gateway(s) associated with voice routesMakse sure that none or more of your SBC gateway(s) defined in Voice Routes are in disabled state. This could cause unexpected call failures.
Configure your Meeting Room accounts with the recommended setting of AddAdditionalResponseMicrosoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide optimal meeting experience, you should configure your meeting room accounts meeting the recommendations.
Configure your Meeting Room accounts with the recommended setting of AddOrganizerToSubjectMicrosoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide optimal meeting experience, you should configure your meeting room accounts meeting the recommendations.
Configure your Meeting Room accounts with the recommended setting of DeleteCommentsMicrosoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide optimal meeting experience, you should configure your meeting room accounts meeting the recommendations.
Configure your Meeting Room accounts with the recommended setting of RemovePrivatePropertyMicrosoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide optimal meeting experience, you should configure your meeting room accounts meeting the recommendations.
Create meeting room lists for room mailboxes to allow for searching and booking rooms with Microsoft TeamsYou need to create room list distribution group to be able to specify a meeting room when you schedule a Teams meeting.
Create multiple Microsoft Teams IP Phone Policies to cater for the different phones and meeting rooms devices that you have in the organizationTo provide more tailored user interfaces to different phones and meeting room devices that you've, it is recommended to create different IP Phone policies to them.
Create Office 365 Groups ClassificationYou can create classifications that the users in your organization can set when they create an Office 365 group. For example, you can allow users to set "Standard", "Secret", and "Top Secret" on groups they create. Group classifications aren't set by default and you need to create it in order for your users to set it. Use Microsoft Entra ID PowerShell to point your users to your organization's usage guidelines for Office 365 groups.
Define Office 365 Group naming policyTo enforce consistent naming conventions for Office 365 groups created or edited by your users, set up a group naming policy for your tenants in Microsoft Entra ID (Azure AD). For example, you could use the naming policy to communicate the function of a group, membership, geographic region, or who created the group. You could also use the naming policy to help categorize groups in the address book. You can use the policy to block specific words from being used in group names and aliases.
Enable Advance Threat Protection for TeamsPeople regularly share files and collaborate using SharePoint, OneDrive, and Microsoft Teams. With Office 365 Advanced Threat Protection (ATP), your organization can collaborate in a safer manner. ATP helps detect and block files that are identified as malicious in team sites and document libraries.
Enable connectors in your Exchange Online environmentWhen connectors are disabled in Exchange Online environment this is impacting connectors in Microsoft Teams. Users who are trying to add a connector in both Teams desktop client and a web app version will get the error: “Connectors have been turned off for this mailbox by the admin. Contact your admin if you want to have connectors turned on: Access to Connectors is disabled.”
Enable Teams license for some Office 365 Users: At the user level, access to Microsoft Teams can be enabled or disabled on a per-user basis by assigning or removing the Microsoft Teams product license. Once the license is disabled, the user's access to Microsoft Teams will be prevented and the user will no longer be able to see Teams in the Office 365 app launcher and homepage.
Enable users for SharePoint Online, OneDrive for Business and Exchange Online: For the full Microsoft Teams experience, every user should be enabled for Exchange Online, SharePoint Online, and Office 365 Group creation. SharePoint Online is required to share and store files in team conversations. OneDrive for Business is required to share and store files in private chats. If users aren't assigned and enabled with SharePoint Online licenses, they don't have OneDrive for Business storage in Office 365. File sharing will continue to work in Channels, but users are unable to share files in Chats without OneDrive for Business storage in Office 365. In Microsoft Teams, security and compliance features like eDiscovery, Content Search, archiving, and legal hold work best in Exchange Online and SharePoint Online environments. For channel conversations, messages are journaled to the group mailbox in Exchange Online, where they're available for eDiscovery. If SharePoint Online and OneDrive for Business (using work or school account) are enabled across the organization and for users, these compliance features are available for all files within Teams as well.
Ensure a public IP is associated with the FQDN of the SBCs: The SBC needs to have a valid public IP address to make it accessible from the Internet by Teams Direct Routing components.
Ensure that the right ports and protocols are open across your network for optimum call experience: Skype for Business Online audio/video calls over TCP traffic do not perform as well as calls over UDP traffic.
Grant Teams Direct Routing users an appropriate Voice Routing Policy: List of users who are enabled for Teams DR/Hybrid Voice but not assigned any OnlineVoiceRoutingPolicy.
Implement Office 365 Groups governance: Office 365 Groups has a rich set of tools to implement any governance capabilities your organization might require.
Improve Network Performance for Skype for Business Online/Microsoft Teams: The quality of real-time media (audio, video, and application sharing) over IP is greatly impacted by the quality of end-to-end network connectivity. For optimal Skype for Business Online media quality, it is important for you to make sure there is a high-quality connection between your company network and Skype for Business Online. The best way to accomplish this is to set up your internal network and cloud connectivity based on the capacity of your network to accommodate peak traffic volume for Skype for Business Online across all connections.
Info: Teams which have external/guest users: You should review external users who have been invited to Teams in your environment.
Leverage the Teams RBAC to specify different levels of Teams administrative access: Using Microsoft Entra ID (Azure AD), you can designate administrators who need different levels of access for managing Microsoft Teams. Administrators can manage the entire Teams workload, or they can have delegated permissions for troubleshooting call quality problems or managing your organization's telephony needs.
Limit the number of Office 365 Global Administrators: Having too many Office 365 Global Administrators might indicate that you’ve not assigned the right individuals to manage your overall Office 365 environment. This could result in unwanted configuration changes to Office 365 if some of these individuals do not have the right skills or capabilities.
Multi Factor Authentication (MFA) is not enabled for Skype for Business Administrators and/or Office 365 Global Administrators: Make sure that no account in the Global Administrators or Skype for Business Online Administrators group is left without Multi Factor Authentication (MFA). It is recommended to enable MFA for these accounts to add an additional layer of security during the authentication process.
Office 365 Groups usage guidelines have not been put in place: When users create or edit a group, you can show them a link to your organization's usage guidelines, for example if you require a specific prefix or suffix to be added to a group name.
Old version of Skype for Business Network Assessment Tool detected: Using an older version of the Skype for Business Network Assessment Tool will impact the data collection. It is recommended to update to the latest version of the tool and run another data collection.
Review Teams meeting policy assigned to your users: Meeting policies are used to control the features that are available to meeting participants for meetings that are scheduled by users in your organization. Different users across your organization might need different meeting features based on what they do and other things. By providing them with the right meeting policy, you not only help them accomplish their jobs but also help optimize the Teams environment and organization resources.
Review the ability for Team owners to invite external users to teams: Allowing Team owners to invite external users to teams could improve work productivity and drive collaboration with external users.
Review the Direct Routing Users whose Skype for Business accounts are hosted in on-premises Skype for Business Server: Microsoft Teams Direct Routing works only if SfB user accounts are hosted in Skype for Business Online.
Review the Teams user accounts which had some provisioning problems: Users may experience issues when using Skype for Business Online or Microsoft Teams when they’re not properly provisioned.
Review the Teams users’ calling policy: All users are configured with the default Teams calling policy.
Review your Teams Co-existence mode and upgrade settings: Your current Teams and Skype for Business Global co-existence mode may be set to Island mode which might not be the best co-existence mode for the organization and could be limiting features.
Set AllowGuestsToAccessGroups on unified group setting to True: This setting indicates whether or not a guest user can have access to Files or OneNote content in your Teams. This setting does not require a Microsoft Entra ID Premium P1 license.
Set the UsersPermissionToReadOtherUsersEnabled to true in your Azure AD configuration: When this value is set to false in AAD, a Teams owner is unable to add external/internal members in Microsoft Teams, and the following error message is displayed: "We couldn't add member. We ran into an issue. Please try again later." However, members can be added directly to Office 365 groups.
Specify a security group who can create Office 365 groups and its related services: Because it's so easy for users to create Office 365 Groups, you aren't inundated with requests to create them on behalf of other people. Depending on your business, however, you might want to control who has the ability to create groups.
Teams Upgrade Status: Candidate - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus: Microsoft initiates and performs automatic upgrades to Teams for organizations that meet certain requirements. You need to understand what a Teams upgrade means and the impact it would have on your organization.
Teams Upgrade Status: Deferred - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus: Microsoft initiates and performs automatic upgrades to Teams for organizations that meet certain requirements. You need to understand what a Teams upgrade means and the impact it would have on your organization.
Teams Upgrade Status: Downgraded - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus: Microsoft initiates and performs automatic upgrades to Teams for organizations that meet certain requirements. You need to understand what a Teams upgrade means and the impact it would have on your organization.
Teams Upgrade Status: Paused - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus: Microsoft initiates and performs automatic upgrades to Teams for organizations that meet certain requirements. You need to understand what a Teams upgrade means and the impact it would have on your organization.
Teams Upgrade Status: ScheduledForUpgrade - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus: Microsoft initiates and performs automatic upgrades to Teams for organizations that meet certain requirements. You need to understand what a Teams upgrade means and the impact it would have on your organization.
Teams Upgrade Status: Upgraded - Check the Teams Upgrade Status using Get-CsTeamsUpgradeStatus: Microsoft initiates and performs automatic upgrades to Teams for organizations that meet certain requirements. You need to understand what a Teams upgrade means and the impact it would have on your organization.
Validate licenses assigned to Teams Room System: Without the proper license, some Teams Meeting room features may not work properly or may not be available, such as the ability to dial out to attendees from your meeting.