O365 PowerBI

April 17, 2018


Today I would like to demonstrate a real-life example of how to use Microsoft Power BI.

Setting the scene :

We are currently deploying the Windows 10 platform in a large environment. We have already performed a swap of approx 6000 devices and are now starting the refresh on existing devices that are capable of running Windows 10.

In order to do so we rely on our network of Champions. These are skilled, ICT-minded colleagues who each have a group of end users under their “care”. They can assist their group of users and have specific tools and communication channels available with the ICT service.

Now the customer has approximately 350 different locations in Belgium and we have created a “self-service” system where the end user drives the upgrade by contacting his favorite champion. He/she can start the refresh operation after performing some manual and some semi-automated actions, and after a few hours the laptop is completely up and running with Microsoft's latest operating system.

However there are approx 12k devices that will need to be upgraded so this will be an ongoing operation for quite some time. So we needed a way to visualise and to stimulate progress. In comes Power BI !

In short, Power BI is the Business Intelligence part of Office 365, allowing you to create valuable insight into data. We are not going to discuss the details; we are just going to perform a quick overview and show the result.

Additional info and step by step can be found here :


Step 1 : get the data

Easy, we export the data from an SCCM query to Excel. We get raw data like PC name, AD site and client OS name.


We already modify the data by creating a pivot table that shows totals for location, OS version and devices.


Now we can import this file in our Power BI environment.


Step 2 : manipulate the data

Well, our SCCM report has the following parameters: PC name, operating system version and AD site name. The AD site name has a syntax that contains postal code, city and address information.

Because we want to visualise per province we needed to do the following :

=> Split the column with the ad site information based on “,”


=> Create an additional column that displays province information based on the postal code. Use a formula.


Then combine the information for maximum accuracy on geo location. Also rename to English language.


Good! Now we want to display something that shows the number of devices with Windows 10 versus the total number of devices. We use a new measure.


Tip! Rename your headers so you know which data you are using.

Now we define the location field and select the visualisation.


Stunning ! We quickly get an interactive overview of how the rollout is progressing.
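The same transformation outside Power BI, as an added example that is not part of the original post: it splits the AD site value on ",", derives the province from the Belgian postal code and computes the Windows 10 share per province. The field order inside the AD site name (postal code first) and all sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Belgian postal-code ranges per province (Brussels is a region, listed for completeness).
PROVINCES = [
    (1000, 1299, "Brussels"), (1300, 1499, "Walloon Brabant"),
    (1500, 1999, "Flemish Brabant"), (2000, 2999, "Antwerp"),
    (3000, 3499, "Flemish Brabant"), (3500, 3999, "Limburg"),
    (4000, 4999, "Liege"), (5000, 5999, "Namur"),
    (6000, 6599, "Hainaut"), (6600, 6999, "Luxembourg"),
    (7000, 7999, "Hainaut"), (8000, 8999, "West Flanders"),
    (9000, 9999, "East Flanders"),
]


def province_for(postal_code):
    """Map a postal code string to a province; malformed input becomes 'Unknown'."""
    try:
        code = int(postal_code)
    except ValueError:
        return "Unknown"
    for low, high, name in PROVINCES:
        if low <= code <= high:
            return name
    return "Unknown"


def windows10_share(rows):
    """rows: (pc_name, os_name, ad_site) -> {province: (win10, total, percent)}."""
    counts = defaultdict(lambda: [0, 0])
    for _pc, os_name, ad_site in rows:
        postal = ad_site.split(",")[0].strip()  # assumed order: postal code first
        bucket = counts[province_for(postal)]
        bucket[1] += 1
        if "Windows 10" in os_name:
            bucket[0] += 1
    return {p: (w, t, round(100 * w / t, 1)) for p, (w, t) in counts.items()}


# Constructed sample rows in the shape of the SCCM export described above.
SAMPLE = [
    ("PC001", "Microsoft Windows 10 Enterprise", "9000, Gent, Example Street 1"),
    ("PC002", "Microsoft Windows 7 Enterprise", "9000, Gent, Example Street 1"),
    ("PC003", "Microsoft Windows 10 Enterprise", "2000, Antwerpen, Example Street 2"),
    ("PC004", "Microsoft Windows 7 Enterprise", "n/a"),  # site value that does not parse
]

if __name__ == "__main__":
    for province, stats in sorted(windows10_share(SAMPLE).items()):
        print(province, stats)
```

Devices whose site name does not parse land in an "Unknown" bucket instead of being dropped, so gaps in the inventory stay visible in the totals.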


And we can even create a location based visualisation.


The sky is the limit … Enjoy.

Gino D


Quid Pro Quo EMS

September 14, 2016


Quid Pro Quo … or in the words of Austin Powers: Squid Pro Quo, meaning “a favour for a favour”. From the corporate ICT’s perspective this translates to: we provide additional services that you can use whenever, wherever, but … we need to have some information about the location and device before we do that.

Sounds good … Let’s take a popular cloud service like mail/calendar or cloud storage as an example.

What might be a good compromise :

We’ll provide you access to OneDrive for Business but … we like to make sure the device is locally encrypted, has a minimum of security applied to it and is not jailbroken.

And we provide you with a single sign on experience on your corporate machines but require some kind of multi factor authentication on BYOD.

Let’s see how we could do this. You’ll need Active Directory Premium to start with this.

First we open our admin center -> Azure AD -> Domain -> and use the applications tab


Now we’ll continue with the SharePoint Online service and configure it.


Now we’ll activate MFA for a specific Office 365 security group of users and request MFA only when the user is not in a “work” location.


You’ll need to define what work locations are by clicking the link. So first we’ll go for the scenario where we require MFA when the user is not @ Work.

Additional info can be found here : https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/?rnd=1

So we’ll define the work locations in this case based on IP / subnet combination.

Now if I log on to OneDrive from my machine in that IP subnet -> we expect no MFA

Unfortunately I kept on receiving the Additional verification box …

BTW : the Microsoft Authenticator App is simply a great tool !

No more hassles with copy/paste of codes through sms or applications. The app simply allows you to approve or deny the authentication request.

Install the app -> link your account by scanning a QR code ( use myapps.microsoft.com )


And approve or deny


Great functionality there … But back to the subject … Why do I require MFA now ? …


Now if I modified the trusted IP range with my external IP address received from my ISP ( as my Wifi router is of course using NATting )


Bingo ! No MFA request …


While if I do this from another machine -> I receive the request for MFA.



Okay now let’s go one step further and deny access if not @ work.



Now let’s see the result if we try to connect on a not @ Work location machine.




Yes ! No access …

So overall this is some great functionality: MFA is not an on/off scenario and we can have a granular implementation per service and define different settings per location.

We can select to force MFA when not on work location or simply block access completely. It’s clear that cloud first mobile first is really on track.
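A minimal model of the location rule tested above, as an added example (not from the original post and not Microsoft's implementation): it shows why a trusted range holding the internal LAN subnet never matches, because the service only sees the post-NAT public address, and it flags such ranges before they are rolled out. All addresses are constructed documentation-range values, and the internal subnet used for the first attempt is an assumption.

```python
import ipaddress

# RFC 1918 space is rewritten by NAT, so a cloud service never sees it.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _parse(trusted):
    return [ipaddress.ip_network(t, strict=False) for t in trusted]


def unreachable_ranges(trusted):
    """Trusted ranges inside private space: they can never match a sign-in."""
    return [str(n) for n in _parse(trusted)
            if any(n.overlaps(p) for p in RFC1918)]


def evaluate(source_ip, trusted, off_work_action="require_mfa"):
    """Outcome for the address the service sees.

    off_work_action is "require_mfa" or "block", the two settings in the post.
    """
    if off_work_action not in ("require_mfa", "block"):
        raise ValueError("unknown action: " + off_work_action)
    ip = ipaddress.ip_address(source_ip)
    at_work = any(ip in n for n in _parse(trusted))
    return "allow" if at_work else off_work_action


# Constructed sample values (documentation ranges), not taken from the post.
PUBLIC_EGRESS = "203.0.113.25"     # hypothetical address assigned by the ISP
ELSEWHERE = "198.51.100.7"         # hypothetical machine on another network
FIRST_TRY = ["192.168.1.0/24"]     # assumed internal LAN subnet
SECOND_TRY = ["203.0.113.25/32"]   # external address, as in the post

if __name__ == "__main__":
    print("never matches:", unreachable_ranges(FIRST_TRY))
    print("first try :", evaluate(PUBLIC_EGRESS, FIRST_TRY))
    print("second try:", evaluate(PUBLIC_EGRESS, SECOND_TRY))
    print("elsewhere :", evaluate(ELSEWHERE, SECOND_TRY))
    print("block mode:", evaluate(ELSEWHERE, SECOND_TRY, "block"))
```

Keep the trusted entry as narrow as the egress really is: everyone behind a listed public address skips MFA, so a shared or dynamic ISP address widens the exemption beyond the intended users.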

Next up : device based access rules.


Gino D


August 15, 2016


Empowerment of users is always great, we all want to be able to do some required actions when we want to, instead of logging requests and waiting for the actions to occur.

The Microsoft EMS is a combined set of cloud services wrapped up in one license formula. More info can be found here : https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility. But today we focus on the olympic games in Rio 2016 self service group management and password reset.

First we need to enable the required features in Azure AD.


Now add the test user to the required Azure groups and open https://myapps.microsoft.com

Now this user can create new security or Office 365 groups ( depending on the group membership above )

Now what’s really great is that we can delegate the group membership ( adding or removing users to the group ) to the group owners. We could also do this using AD and supply a users and computers mmc internally or use FIM but this is straight out of the box.

Let’s see how it looks.


Now we can create a new group ( we’ll use an O365 group )


Now we have set up this group to require owner approval, so in this case we can decide who can be a member.

So if we log on with another user ( with an EMS license ) , look for the group we can request access !


Let’s join.


And the owner can approve / deny.


And the requested user can verify the status of his request using the same interface, under my requests.


That’s it , great functionality for delegating the creation and the ownership of security or office 365 groups. Power to the users !


Gino D.