O365 PowerBI

April 17, 2018

Hello,

Today I would like to demonstrate a real-life example of how to use Microsoft Power BI.

Setting the scene :

We are currently deploying the Windows 10 platform in a large environment. We have already performed a swap of approx 6000 devices and are now starting the refresh on existing devices that are capable of running Windows 10.

In order to do so we rely on our network of Champions. These are skilled, ICT-minded colleagues who each have a group of end users under their “care”. They can assist their group of users and have specific tools and communication channels available with the ICT service.

Now the customer has approximately 350 different locations in Belgium and we have created a “self-service” system where the end user drives the upgrade by contacting his favorite champion. He/she can start the refresh operation after performing some manual and some semi-automated actions, and after a few hours the laptop is completely up and running with Microsoft’s latest operating system.

However there are approx 12k devices that will need to be upgraded so this will be an ongoing operation for quite some time. So we needed a way to visualise and to stimulate progress. In comes Power BI !

In short, Power BI is the Business Intelligence part of Office 365, allowing you to create valuable insight into data. We are not going to discuss the details; we are just going to perform a quick overview and show the result.

Additional info and a step-by-step guide can be found here:

https://docs.microsoft.com/en-us/power-bi/guided-learning/

Step 1 : get the data

Easy: we export the data from an SCCM query to Excel. We get raw data like PC name, AD site and client OS name.

We already modify the data by creating a pivot table that shows totals for location, OS version and devices.

Now we can import this file into our Power BI environment.

Step 2 : manipulate the data

Well, our SCCM report has the following parameters: PC name, operating system version and AD site name. The AD site name has a syntax that contains postal code, city and address information.

Because we want to visualise per province we needed to do the following:

=> Split the column with the AD site information based on “,”

=> Create an additional column that displays province information based on the postal code. Use a formula.

Then combine the information for maximum accuracy on geo location. Also rename to English.

Good! Now we want to display something that shows the number of devices with Windows 10 versus the total number of devices. We use a new measure.

Tip! Rename your headers so you know which data you are using.
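
The Step 2 transformations carried through offline in Python, as an added example (not the author's Power BI formula, which the post does not show). The semicolon-separated sample rows, the column names and the "postal code, city, address" order of the AD site name are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the "postal code, city, address" site order is assumed.
SAMPLE_EXPORT = """\
pc_name;ad_site;os_name
PC0001;1000, Brussel, Teststraat 1;Microsoft Windows 10 Enterprise
PC0002;1000, Brussel, Teststraat 1;Microsoft Windows 7 Enterprise
PC0003;2000, Antwerpen, Teststraat 2;Microsoft Windows 10 Enterprise
PC0004;9000, Gent, Teststraat 3;Microsoft Windows 7 Enterprise
PC0005;3500, Hasselt, Teststraat 4;Microsoft Windows 10 Enterprise
PC0007;UNKNOWN-SITE;Microsoft Windows 7 Enterprise
"""

# Belgian postal code ranges per province (Brussels listed as its own region).
PROVINCE_RANGES = [
    (1000, 1299, "Brussels"), (1300, 1499, "Walloon Brabant"),
    (1500, 1999, "Flemish Brabant"), (2000, 2999, "Antwerp"),
    (3000, 3499, "Flemish Brabant"), (3500, 3999, "Limburg"),
    (4000, 4999, "Liège"), (5000, 5999, "Namur"),
    (6000, 6599, "Hainaut"), (6600, 6999, "Luxembourg"),
    (7000, 7999, "Hainaut"), (8000, 8999, "West Flanders"),
    (9000, 9999, "East Flanders"),
]

def province_for(postal_code):
    """Map a Belgian postal code to its province; ValueError if out of range."""
    for low, high, name in PROVINCE_RANGES:
        if low <= postal_code <= high:
            return name
    raise ValueError(f"no province for postal code {postal_code}")

def rollout_by_province(export_text):
    """Return {province: (win10_devices, total_devices, win10_percent)}."""
    counts = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        postal = row["ad_site"].split(",")[0].strip()  # split the site on ","
        try:
            province = province_for(int(postal))       # the province column
        except ValueError:
            province = "Unknown"                       # keep unparsable sites visible
        counts[province][1] += 1
        counts[province][0] += "Windows 10" in row["os_name"]  # True counts as 1
    return {p: (w, t, round(100 * w / t, 1)) for p, (w, t) in counts.items()}

if __name__ == "__main__":
    for province, stats in sorted(rollout_by_province(SAMPLE_EXPORT).items()):
        print(province, stats)
```

Sites that do not parse land in an "Unknown" bucket instead of being dropped, so naming errors in the AD sites show up in the totals.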

Now we define the location field and select the visualisation.

Stunning ! We quickly get an interactive overview of how the rollout is progressing.

And we can even create a location based visualisation.

The sky is the limit … Enjoy.

Gino D

Quid Pro Quo EMS

September 14, 2016

Hello,

Quid Pro Quo … or in the words of Austin Powers: Squid Pro Quo, meaning “a favour for a favour”. From the corporate ICT’s perspective this translates to: we provide additional services that you can use whenever, wherever, but … we need to have some information about the location and device before we do that.

Sounds good … Let’s take a popular cloud service like mail/calendar or cloud storage as an example.

What might be a good compromise :

We’ll provide you access to OneDrive for Business but … we’d like to make sure the device is locally encrypted, has a minimum of security applied to it and is not jailbroken.

And we provide you with a single sign-on experience on your corporate machines but require some kind of multi-factor authentication on BYOD.

Let’s see how we could do this. You’ll need Active Directory Premium to start with this.

First we open our admin center -> Azure AD -> Domain -> and use the applications tab.

Now we’ll continue with the SharePoint Online service and configure it.

Now we’ll activate MFA for a specific Office 365 security group of users and request MFA only when the user is not in a “work” location.

You’ll need to define what work locations are by clicking the link. So first we’ll go for the scenario where we require MFA when the user is not @ Work.

Additional info can be found here : https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/?rnd=1

So we’ll define the work locations in this case based on IP/subnet combination.

Now if I log on to OneDrive from my machine in that IP subnet -> we expect no MFA.

Unfortunately I kept on receiving the Additional verification box …

BTW : the Microsoft Authenticator App is simply a great tool !

No more hassles with copy/paste of codes through sms or applications. The app simply allows you to approve or deny the authentication request.

Install the app -> link your account by scanning a QR code (use myapps.microsoft.com)

And approve or deny.

Great functionality there … But back to the subject … Why do I require MFA now? …

Now if I modify the trusted IP range with my external IP address received from my ISP (as my Wi-Fi router is of course using NAT):

Bingo! No MFA request …

While if I do this from another machine -> I receive the request for MFA.

Okay, now let’s go one step further and deny access if not @ work.

Now let’s see the result if we try to connect from a machine that is not at a Work location.

Yes! No access …

So overall this is some great functionality: MFA is not an on/off scenario and we can have a granular implementation per service and define different settings per location.

We can select to force MFA when not on a work location or simply block access completely. It’s clear that cloud first, mobile first is really on track.
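
A simplified model of the location rule tested above, added here as an example and not Azure AD's own logic or API: it shows why a trusted range holding the internal subnet never matches a sign-in that arrives from behind NAT. Function names, action names and all IP addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: addresses that exist only behind NAT and are never the
# source address a cloud service sees.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def unmatched_trusted_ranges(trusted_ranges):
    """Return the trusted ranges that can never match an internet sign-in."""
    flagged = []
    for text in trusted_ranges:
        net = ipaddress.ip_network(text, strict=False)
        if net.version == 4 and any(net.overlaps(r) for r in RFC1918):
            flagged.append(text)
    return flagged

def evaluate_sign_in(source_ip, trusted_ranges, off_site_action):
    """Model the per-location decision: allow at work, else apply the action.

    source_ip is the address as seen by the service (after NAT).
    off_site_action is "require_mfa" or "block" (hypothetical names).
    """
    if off_site_action not in ("require_mfa", "block"):
        raise ValueError(f"unknown action: {off_site_action}")
    ip = ipaddress.ip_address(source_ip)
    at_work = any(ip in ipaddress.ip_network(r, strict=False)
                  for r in trusted_ranges)
    return "allow" if at_work else off_site_action

# Constructed addresses: the laptop is 192.168.1.23 internally, the router
# NATs it to 203.0.113.10; 198.51.100.7 is some other machine elsewhere.
OFFICE_EGRESS = "203.0.113.10"
OTHER_MACHINE = "198.51.100.7"

if __name__ == "__main__":
    internal_only = ["192.168.1.0/24"]    # first attempt: internal subnet
    public_egress = ["203.0.113.10/32"]   # corrected: ISP-assigned address
    print(unmatched_trusted_ranges(internal_only))
    print(evaluate_sign_in(OFFICE_EGRESS, internal_only, "require_mfa"))
    print(evaluate_sign_in(OFFICE_EGRESS, public_egress, "require_mfa"))
    print(evaluate_sign_in(OTHER_MACHINE, public_egress, "require_mfa"))
    print(evaluate_sign_in(OTHER_MACHINE, public_egress, "block"))
```

Running `unmatched_trusted_ranges` over a policy's trusted list before rollout catches the internal-subnet entry that otherwise only shows up as an unexpected MFA prompt.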

Next up : device based access rules.

Enjoy.

Gino D


EMS

August 15, 2016

Hello,

Empowerment of users is always great, we all want to be able to do some required actions when we want to, instead of logging requests and waiting for the actions to occur.

The Microsoft EMS is a combined set of cloud services wrapped up in one license formula. More info can be found here: https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility. But today we focus on the Olympic Games in Rio 2016 self-service group management and password reset.

First we need to enable the required features in Azure AD.

Now add the test user to the required Azure groups and open https://myapps.microsoft.com

Now this user can create new security or Office 365 groups (depending on the group membership above).

Now what’s really great is that we can delegate the group membership (adding or removing users to the group) to the group owners. We could also do this using AD and supply a Users and Computers MMC internally or use FIM, but this is straight out of the box.

Let’s see how it looks.

Now we can create a new group (we’ll use an O365 group).

Now we have set up this group to require owner approval, so in this case we can decide who can be a member.

So if we log on with another user (with an EMS license) and look for the group, we can request access!

Let’s join.

And the owner can approve / deny.

And the requesting user can verify the status of his request using the same interface, under my requests.

That’s it: great functionality for delegating the creation and the ownership of security or Office 365 groups. Power to the users!

Enjoy.

Gino D.