Printer email services using Office 365

The simplest way to set up a network multifunction printer to send captured scans by email is SMTP client submission. The printer logs in to an Office 365 mailbox and sends mail just as Outlook Desktop does, and the messages are then delivered to your hosted mailboxes or to external recipients. This approach avoids some of the problems associated with the other configuration options, which are covered in the configuration document referenced below.

Print services: SMTP submission


If your printer has settings for an email address/username and password for the send to email feature, then there is a good chance that it can send using SMTP client submission. The settings needed for SMTP client submission to connect to Office 365 are:

Office 365 Printer Settings

Printer setting                                  Value
Server / Smart host                              smtp.office365.com
Port                                             587
TLS / StartTLS / Authentication                  Enabled / On / StartTLS
Username / Email address                         Login credentials of the hosted mailbox being used to send from, e.g. printer@contoso.com
Password                                         Password for the mailbox entered above
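As an added example (not part of the original page), the following PowerShell proves that the mailbox can actually authenticate and send through smtp.office365.com on port 587 before the password is typed into the device, so that a failure can be pinned on the mailbox rather than the printer. The sender and recipient addresses are assumptions to replace with your own.

```powershell
# Added example, not from the original page: prove that the mailbox the
# printer will use can authenticate and send through SMTP client submission
# before its password is typed into the device. Sender and recipient are
# assumptions; replace them with your own.
function Test-PrinterSmtpSubmission {
    param(
        [Parameter(Mandatory)] [string] $From,              # e.g. printer@contoso.com
        [Parameter(Mandatory)] [string] $To,                # a mailbox you can check
        [string] $SmtpServer = 'smtp.office365.com',
        [int]    $Port       = 587
    )

    # Ask for the mailbox password interactively; it must not live in the script.
    $cred = Get-Credential -UserName $From -Message "Password for $From"

    $mail = @{
        From       = $From
        To         = $To
        Subject    = "SMTP client submission test from $env:COMPUTERNAME"
        Body       = "If you can read this, $From can send via ${SmtpServer}:${Port} with STARTTLS."
        SmtpServer = $SmtpServer
        Port       = $Port
        UseSsl     = $true        # negotiates STARTTLS on 587; Office 365 refuses plaintext logins
        Credential = $cred
    }

    try {
        Send-MailMessage @mail -ErrorAction Stop
        Write-Host "Sent. The printer can use the same server, port, TLS setting and credentials."
        return $true
    }
    catch {
        # A 535 reply means the login was rejected: wrong password, SMTP AUTH disabled
        # for the mailbox or tenant, or a policy blocking basic authentication.
        Write-Warning "Send failed: $($_.Exception.Message)"
        return $false
    }
}

Test-PrinterSmtpSubmission -From 'printer@contoso.com' -To 'helpdesk@contoso.com'
```

If the test message arrives, the four settings in the table above are known good and any remaining problem lies in the printer's own configuration; if it fails with a 535 reply, check the mailbox password and whether SMTP AUTH is enabled for that mailbox before touching the device.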

Limitations

Unless your printer is advanced enough to store login credentials for several mailboxes, this option can only send from one mailbox. Office 365 also limits SMTP client submission to 30 messages sent per minute for each mailbox. Bear in mind that the printer keeps that mailbox's password in its own configuration, so treat it as a shared secret: give the device a dedicated mailbox with its own password rather than a member of staff's account, and change the password if the device is disposed of or its administration page is exposed.

Other configuration options

We have recently updated the comprehensive configuration document that details the three configuration options for setting up your printer. If the settings above do not work, consult that article for its more detailed explanations covering Microsoft's three recommended processes for printers, scanners and multifunction devices.

About Powershell Scripts

Powershell provides highly scalable management utilities for managing bulk data and code deployment in single and simultaneous multiple server sessions.

To access the principal PowerShell portal, see http://powershell.office.com/

To access the library, see https://gallery.technet.microsoft.com/office365

Windows PowerShell's execution policy governs which scripts may run. The common RemoteSigned policy allows scripts created locally to run, but refuses scripts downloaded from the internet (which Windows marks with a Zone.Identifier stream) unless they carry a valid Authenticode signature from a trusted publisher. That is why a downloaded script can be opened and read in Notepad but not executed: the point is to stop untrusted code from running by accident. Once you have reviewed the script, the Unblock-File cmdlet (PowerShell 3.0 and later) removes the download mark, for example:

Unblock-File -Path .\EXO-Connect.ps1 -Verbose

Always read the code before adopting it.
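As an added example (not part of the original page), this function inspects a downloaded script before it is unblocked: whether it carries the Internet-zone mark, whether it is signed and by whom, and its SHA-256 hash so that a copy you have reviewed can be recognised again later. The script path is an assumption.

```powershell
# Added example, not from the original page: inspect a downloaded script
# before unblocking it. The path is an assumption.
function Test-DownloadedScript {
    param([Parameter(Mandatory)] [string] $Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Files saved from a browser carry a Zone.Identifier alternate data stream;
    # ZoneId=3 marks the Internet zone, which RemoteSigned refuses to run unsigned.
    $zone    = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $blocked = [bool]($zone -match 'ZoneId=3')

    # Authenticode status: Valid, NotSigned, HashMismatch (edited after signing), ...
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        File      = $file.Name
        Blocked   = $blocked
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$scriptPath = 'C:\script\EXO-Connect.ps1'     # assumption
$report = Test-DownloadedScript -Path $scriptPath
$report | Format-List

# Only clear the mark-of-the-web once the content has been read and the hash
# recorded. Unblock-File removes the Zone.Identifier stream and nothing else;
# a signed file whose hash no longer matches has been altered and should not be run.
if ($report.Blocked -and $report.Signature -ne 'HashMismatch') {
    Unblock-File -LiteralPath $scriptPath -Verbose
}
```

Keep the recorded hash with your notes: if a later copy of the same script produces a different hash, it has changed and needs reviewing again.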

For help with scripting problems, visit the Powershell Community at:

http://powershell.org

Managing tenants using Powershell

PowerShell's default security settings make the first connection to remote services a little more work than opening a console, but once authenticated it gives network administrators capabilities that reach well beyond GUI-driven interfaces such as the Exchange Admin Center (EAC). This article explains how to open and close remote sessions to customer tenants.

With PowerShell properly configured, an administrator needs three commands to open a session and one to close it. Once connected, the customer's tenant ID is stored in a variable and passed to each subsequent command so that it acts on that customer's tenant rather than on the partner's own.

Opening a Powershell Session

Import-Module MSOnline
Connect-MsolService
$tenID = (Get-MsolPartnerContract -DomainName domainname.com).TenantId.Guid

To terminate a session ($Session is the Exchange Online remote session created by the connection script below; the MSOnline connection has no sign-out cmdlet and ends when the console is closed):

Remove-PSSession $Session

Connection script

An unsigned script which automates the commands above and additionally calls the snap-in module for Exchange is available at ComStat’s Script page. If loaded to local drive c:\script, the Powershell command looks like:

c:\script\EXO-Connect.ps1

To test the snap-ins are loaded on sign in, run this command:

get-mailbox

Remember to sign out of sessions using

Remove-PSSession $Session
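An added example of what such a connection script can look like; this is not ComStat's EXO-Connect.ps1, which the page does not reproduce. It performs the three commands above and then opens the Exchange Online remote session that Get-Mailbox depends on. The customer domain is an assumption, and the script uses the basic-authentication remote PowerShell endpoint of the page's era, which Microsoft has since retired in favour of Connect-ExchangeOnline from the ExchangeOnlineManagement module.

```powershell
# Added example of a connection script, not ComStat's EXO-Connect.ps1:
# signs in to MSOnline as the partner, resolves the customer's tenant ID
# and opens an Exchange Online remote session for that customer.
# Dot-source it (. c:\script\EXO-Connect.ps1 -CustomerDomain domainname.com)
# so that $tenID and $Session remain available in the console afterwards.
param(
    [Parameter(Mandatory)] [string] $CustomerDomain   # assumption: any verified domain of the customer
)

Import-Module MSOnline -ErrorAction Stop

# Partner (delegated admin) credentials, prompted once and reused for Exchange.
$partnerCred = Get-Credential -Message 'Office 365 partner administrator'
Connect-MsolService -Credential $partnerCred

# Resolve the tenant ID from the partner contract for this domain.
$contract = Get-MsolPartnerContract -DomainName $CustomerDomain
if (-not $contract) { throw "No delegated-administration contract found for $CustomerDomain" }
$tenID = $contract.TenantId.Guid

# Exchange Online remote PowerShell for a delegated tenant: the DelegatedOrg query
# string selects the customer's organisation rather than the partner's own.
# This basic-auth endpoint is the one the page's method relied on; Microsoft has
# since retired it in favour of Connect-ExchangeOnline.
$uri = "https://outlook.office365.com/powershell-liveid?DelegatedOrg=$CustomerDomain"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
    -Credential $partnerCred -Authentication Basic -AllowRedirection

# Bring the Exchange cmdlets (Get-Mailbox and friends) into this console.
Import-PSSession $Session -DisableNameChecking | Out-Null

# Quick proof that both halves work: one MSOnline call scoped by -TenantId,
# one Exchange call through the imported session.
Get-MsolUser -TenantId $tenID -MaxResults 5 | Select-Object UserPrincipalName, IsLicensed
Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress

Write-Host "Connected to $CustomerDomain (tenant $tenID). Sign out with: Remove-PSSession `$Session"
```

Exchange Online allows only a few concurrent remote sessions per account, so always finish with Remove-PSSession $Session; sessions left open until they time out will eventually block new connections.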

Explanation & Concepts

Administrators can handle common management tasks with the Office 365 and Exchange admin portals. Occasionally, delegated network administrators need to configure settings on the customer side that the Office 365 portal and EAC do not expose. PowerShell can also run one command across several tenants at once.

For Microsoft's current guidance on advanced management of customer tenancies, see Microsoft's partner documentation on delegated administration.

Windows PowerShell cmdlets for Office 365

Before PowerShell can be used with Office 365 for the first time, it needs some additional components. Install the “Microsoft Online Services Sign-in Assistant for IT Professionals”, then the “Azure Active Directory Module for Windows PowerShell”, which contains the MSOnline cmdlets that Office 365 management relies on. Microsoft's Office 365 PowerShell setup guidance covers both installers. Another useful download is the “Windows PowerShell Module for Lync Online”.

These cmdlets do not become part of PowerShell itself. Each module sits in its own directory and is loaded into a session with Import-Module when it is needed, which lets Microsoft update a module independently of PowerShell. PowerShell's help content for cmdlets is updated separately and frequently; refresh it from an elevated prompt with:

Update-Help -Force

Using Powershell as a tenant’s global administrator

Delegated administrators can log in to a customer's tenant with that tenant's global administrator credentials if they are available. From a security standpoint this is not good practice: it shares the customer's highest-privilege account and leaves no record of which engineer actually acted. However, to test that PowerShell is properly equipped and that the execution policy (more about this below) is set correctly, it is worth running a simple script. For instance, the following script shows basic tenant information for either caistar.com or comstation.co.uk. The script, together with the other scripts listed in this article, is available on ComStat's SharePoint script site.

c:\script\MSOLTenantDetails.ps1

More information about this script is available on the same site. At time of writing the script is unsigned, so depending on your PowerShell environment you may need to allow it to run.

PowerShell's execution policy requires scripts to be trusted: by default Windows PowerShell will not execute unsigned scripts that were downloaded from the internet, and on client editions the default policy runs no scripts at all. Scripts can be signed from within PowerShell, and a signature exposes later tampering, for example extra commands slipped into a script by someone malicious. Since the scripts used here are short and can be reviewed quickly, the other approach is to relax the policy when opening PowerShell. The quickest setting is:

Set-ExecutionPolicy Unrestricted

Unrestricted is broader than needed, though: RemoteSigned is sufficient once a reviewed script has been unblocked with Unblock-File, and adding the -Scope Process parameter confines the change to the current window instead of the whole machine.
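As an added example (not code from the page), the following shows the two alternatives to Unrestricted mentioned above: a process-scoped policy change, and signing the script with a code-signing certificate so that any later modification is detected. The certificate subject, script path and timestamp server are assumptions; New-SelfSignedCertificate needs the PKI module shipped with Windows 10 / Server 2016 or later, and importing into the current user's Root store prompts for confirmation.

```powershell
# Added example, not the page's own code: instead of Set-ExecutionPolicy
# Unrestricted, relax the policy for this process only and sign the scripts
# you rely on. Certificate subject, script path and timestamp server are assumptions.

# 1. Loosen the policy for this console only; it reverts when the window closes.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# 2. Find or create a code-signing certificate for this workstation.
#    For a team, use a certificate issued by your own CA instead of a self-signed one.
$subject = 'CN=ComStat Script Signing'
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Subject -eq $subject | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
        -CertStoreLocation Cert:\CurrentUser\My

    # A self-signed certificate is only trusted once it is in the Root and
    # Trusted Publishers stores; skip this step for a CA-issued certificate.
    $cer = Export-Certificate -Cert $cert -FilePath "$env:TEMP\script-signing.cer"
    Import-Certificate -FilePath $cer.FullName -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
    Import-Certificate -FilePath $cer.FullName -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null
}

# 3. Sign the script. The timestamp keeps the signature verifiable after the
#    certificate itself expires.
$script = 'C:\script\MSOLTenantDetails.ps1'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com' | Select-Object Status, StatusMessage

# 4. Verify. Any later edit to the file changes its hash and the status becomes
#    HashMismatch, which is exactly the tampering a signature is meant to catch.
(Get-AuthenticodeSignature -FilePath $script).Status
```

With the scripts signed this way, the machine can stay on RemoteSigned (or even AllSigned) and still run them, and a script that has been edited since signing refuses to run until it is reviewed and signed again.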

For access to a client’s tenant, follow the guidance below.

Establishing a remote Session

Open Powershell and run the following commands:

Import-Module MSOnline
Connect-MsolService

When prompted, enter the credentials that you use to log into Office 365 portal (MOP) and that allow you to manage Office 365 on behalf of your customers.

Once logged in to Caistar or Comstation, the session provides access to every customer tenant for which delegated administration has been granted. Commands run in the partner's own session; each cmdlet is given a parameter that points it at the target tenant.

$tenID = (Get-MsolPartnerContract -DomainName domainname.com).TenantId.Guid

Here we create a variable called $tenID. The expression after the = sign looks up the customer's partner contract by one of its domain names and extracts the tenant ID as a string. Office 365 tenant IDs are 36-character GUIDs, longer than a credit card number, so resolving the ID from the domain name once and reusing the variable saves a lot of keystrokes and typing mistakes. Here is an example using hafodrenewables.co.uk (tenant ID = acc617f5-9d4a-4ea9-8823-2385e7d5271a):

$tenID = (Get-MsolPartnerContract -DomainName hafodrenewables.co.uk).TenantId.Guid

Successful execution returns silently to the prompt. From now on, commands run with -TenantId $tenID act on the customer's tenant. To test connectivity, list the users in that tenant:

Get-MsolUser -TenantId $tenID

The important point is that PowerShell addresses a tenant by its ID, not by a domain name. The variable holding the customer's tenant ID must be passed to every command; a command without -TenantId silently runs against the partner's own tenant instead. Lastly, by collecting several tenant IDs in one array and looping over it, administrators can run one command across many tenants and compile the output as a formatted table or even as HTML. Tasks that might take hours or days by hand run in seconds.

MSOnline commands

List Office 365 users:

Get-MsolUser -TenantId $tenID

Set a user's password to never expire (this exempts the account from the tenant's password policy, so reserve it for service accounts such as a printer mailbox):

Set-MsolUser -UserPrincipalName alias@domainname.com -PasswordNeverExpires $true -TenantId $tenID

Check that the change took effect:

Get-MsolUser -UserPrincipalName alias@domainname.com -TenantId $tenID | Select-Object UserPrincipalName, PasswordNeverExpires
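As an added example that is not from the page, the following combines the two points made above, running one command across every customer tenant and checking the PasswordNeverExpires setting, by looping over all partner contracts and compiling a single report as a table and as HTML. It assumes an open Connect-MsolService session; the output path and the 180-day threshold are assumptions. Because PasswordNeverExpires exempts an account from the tenant's password policy, the report lists where it has been set and which other accounts have gone unchanged for a long time.

```powershell
# Added example, not from the page: one check run across every customer tenant
# the partner manages, compiled into a single report. Assumes Connect-MsolService
# has already been run; the output path and the 180-day threshold are assumptions.
function Get-PartnerPasswordAudit {
    param([int] $StaleDays = 180)   # flag passwords unchanged for longer than this
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Get-MsolPartnerContract -All returns one contract per customer tenant,
    # each carrying the TenantId that every other cmdlet needs.
    foreach ($contract in Get-MsolPartnerContract -All) {
        $tenID = $contract.TenantId.Guid
        # Without -TenantId the cmdlet would silently query the partner's own tenant.
        # Accounts with no recorded password change are flagged as well.
        Get-MsolUser -All -TenantId $tenID |
            Where-Object { $_.PasswordNeverExpires -or $_.LastPasswordChangeTimestamp -lt $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Tenant               = $contract.DefaultDomainName
                    User                 = $_.UserPrincipalName
                    Licensed             = $_.IsLicensed
                    PasswordNeverExpires = $_.PasswordNeverExpires
                    LastPasswordChange   = $_.LastPasswordChangeTimestamp
                }
            }
    }
}

$rows = Get-PartnerPasswordAudit -StaleDays 180

# Console view: one row per flagged account, grouped by tenant.
$rows | Sort-Object Tenant, User | Format-Table -AutoSize

# The same rows as a self-contained HTML report for the customer file.
$rows | Sort-Object Tenant, User |
    ConvertTo-Html -Title 'Password audit' -PreContent "<h1>Password audit, $(Get-Date -Format 'yyyy-MM-dd')</h1>" |
    Out-File -FilePath 'C:\script\password-audit.html' -Encoding UTF8
```

The same loop shape works for any MSOnline cmdlet that accepts -TenantId: swap the Where-Object filter for the condition you care about and the report covers every customer in one run.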
Onboarding, and the case for supported services

“There is an awkward inverse in the relationship between technology, cost, and risk. While ever more sophisticated services come to market at ever lower costs, the inherent risks associated with these software solutions increase while user awareness remains behind the curve”.

Steve Galloway discusses the evolving nature of professional IT network support/administration and the changing risks that small businesses face.

Where “fast” broadband and “cloud” were once the buzz words of marketing types in search of fertile sales pastures, today “onboarding” is the fashionably coined phrase describing the process by which businesses migrate their data and other IT resources to mature cloud solutions like Office 365. Two years ago onboarding was a leading-edge concept in commercial terms. The principle was not in fact a new concept to IT; the only changes were in the bandwidth and computing availability that made such services possible.

Today, onboarding’s trickle has turned into a tidal swell. The economies of scale that cloud services bring to businesses large and small are compelling, yet organisations struggle to keep up with toxic hazards lurking in data protection laws and proliferating accessibility.

This is not just a problem for big business. It is worth sitting up for: apart from legal liabilities which small businesses face for negligent treatment of customers’ personal data, the financial and reputational consequences following “leakage” of a firm’s own sensitive data can be ruinous, and the source could be as seemingly innocuous as your own mobile phone.

Historically, the network engineer’s bête noire was the office printer, and email. Even in the era of “cloud”, when the paperless office’s Promised Land has finally dawned, printers are still the benchmark that bookkeepers and office managers use to gauge network performance. Still, office printers vex users and support teams alike: printers jam when you need them most and, for all the remote tools in the world, you still have to hear them and see the printer output to know that they are fixed.

Yet, printers stand a distant second to email. There are two ends of this spectrum for engineers. The first is the impossible support request along the lines of “somebody (read: unknown person) sent me an email and I didn’t get it” (potentially a year or more ago). The second is the ominous portent that heralds a black day for server room teams: “an email I just sent to (an important trading partner) has just bounced with the message ‘return to sender, IP address blacklisted’”. Somewhere in between lies the web site contact form that quietly ceases to work, and everything else falls somewhere in between.

Workgroup printers were designed with critical performance in mind, but machines are just that, and it is perhaps easier for users to live with frustrating printer failures. After all, like cats and dogs, mechanical failure is a human condition. Ditto, snail mail: if the postman was late, the staff I remember employing in the 1980s went to the pastry shop and fired up the percolator for a morning of “R and R”, and if I was brave I would admit a few transgressions of my own. After all, how could anyone work without the morning post?

That culture changed forever with email. Email is not really more important than snail mail. However, something does appear to award them a significantly higher value. Perhaps it is a sense of entitlement. Perhaps its ethereal or “virtual” state leading us to imagine that it is not “machinery” that is capable of failing.

The problem with email really goes back to its genesis: email was not designed to be a critical business tool. It just happened to become the most transformative business tool of the “Knowledge Revolution”. Email is fundamentally flawed for the business purposes we use it for today because by definition it is an unreliable service. Its design is founded in the quantum proposition that in chaos all paths between two points are possible. “Quantum” is an interesting term. It is a scientific proposition, but some scientists fall out with it because conventional science likes the idea that predictable things happen in predictable circumstances and if they could order the world there would be answers for all circumstances. Since quantum theory says there is no order in the first place, it understandably nags at the realm of science which requires order. The world is not very predictable though, and when one stops to imagine how many thousands or millions of random routes the fragments which comprise one email take to reconstitute at the other end, it is amazing that email works at all. Sometimes things do break down, and when it comes to email the user reaction is more often than not disproportionately robust.

So, email is a broken wheel in many respects, but by the time anyone realised how important email was, and despite other technologies like social networking, the world was stuck with something we love to hate, unless that hate is directed at a network engineer by proxy. Instead, computer science has tried to construct orderly solutions to encapsulate a chaotic process at incredible cost. Ultimately, and in the debate over the virtues of science versus philosophy, chaos prevails and the “quantumistas” and philosophers have devised some clarification: it is possible for the same thing to materialise elsewhere almost instantly, but not always. Is that not email?

Whatever, the reality is that in answering an email user’s deceptively simple demand (“I just want my email to work”), an industry as ubiquitous as the energy industry itself has evolved in a fraction of the time to try to make it possible, and email is not the only issue in the context of this article. The problem for small business is that the tools big business has used in the past to make email viable are only now becoming available to small businesses thanks to the economies of scale that come with cloud computing, and with them some serious headaches.

Which brings us to the point. In bringing big business “reliability” to email and other chaotic Internet services for the small business market, the solutions themselves pose evolving threats to small businesses which only big businesses have typically feared, namely the risk of loss or leakage of an organisation’s sensitive data and its customers’ personal data.

Businesses face any number of risks, from malicious hacking to internal espionage, and even more worldly risks like flooding and storms. We live in a chaotic world. In terms of IT, though, there is a more pervasive problem for organisations which comes from an unexpected corner: mobile devices like tablets and mobile phones. By connecting users with laptops, tablets, and mobile phones to organisational email and electronic document libraries, small businesses unwittingly double and triple the size of their IT networks at a stroke, incrementally increasing the risk of data protection breaches. Arguably, even a doubling of a conventional network would once have prompted a planned development. Instead, individuals now own enough devices to constitute a small business network of their own:

Giving email and document access to employees 24/7 is a compelling proposition whichever way one considers it. So, let’s consider what happens when a boss asks his IT engineer to connect his manager’s personally owned mobile phone to company email services. Despite the fact that the company may have good control of its IT policies to comply with its obligations under data protection laws, by connecting third-party assets to the company network the company is now at risk of compromise: the mobile phone may have been left at a restaurant, or perhaps the manager has installed an app on his mobile phone which at face value has nothing to do with business processes, but which subsequently trawls the business information on the employee’s phone, which could lead to data protection breaches and, in turn, catastrophic consequences. These things can happen in unpredictable ways. The fate of US retailer Target’s headline-busting customer credit card theft in 2013 is well documented. The loss happened not by hacking the company’s “conventional” and well-ordered IT network, but by compromising its cash tills.

Another pertinent example is the enormous institutional damage caused with the systemic “hacking” of mobile phones by journalists over several years in Britain. So simple was the technique that real hackers are (probably) offended at the thought that the technique could even be called hacking in the first place. The point is just that – overwhelmingly, personal and business information is wide open to abuse via employee-connected devices, whether by the family computer at home, a portable tablet, or simplistically, a mobile phone. As businesses use new technologies such as voice services, the nature of risk changes again and extends beyond just email and contact lists.

Small business users often tell me, “but those cases are examples of big businesses getting what they deserve, won’t happen to me”. This may be seen as a feasible argument, but the victim is the public in both cases, and unfortunately the risk to small businesses ceding data through compromise to malicious parties is no less. While big business devotes resources to governance policies and managing peripheral equipment, small business usually makes no effort at all while regularly getting caught out in the process.

Small business users will alternately say that responsibility lies with the cloud providers to which they migrate services. They even cite this as a reason for onboarding. In the UK, there is already a track record of legal precedent to say that that does not wash either. Legal responsibility for customer data remains absolutely with the business which takes custody of it in the first place: the data controller in UK parlance, the “responsible party” elsewhere.

What should small businesses do? What about professional services like Office 365? At the point of sale customers are told that there are tools for managing conventional and portable devices – indeed, a major selling point of these kinds of services is the ability to connect users with as many as 5 devices to their centralised service. How does a network newcomer sort that out, though? When it is all businesses can do to get email off the flight deck in the first place, who spends time on academic issues like lost phones?

Moreover, in buying mature and proven services like Office 365, how many organisations have asked staff to modify mobile phone voicemail PIN numbers following the historic phone hacking scandal mentioned above? How many power users have developed a tested policy for dealing with broader issues concerning their organisation’s lost laptops and mobile devices?

The answer to all this and more is the old-fashioned concept of the network admin who has been around the block a couple of times. The likelier truth is that by the time a power user understands how to remotely lock someone’s iPad or mobile phone after it is lost (a telco SIM block does not stop a wifi-connected device from continuing to collect business emails and sync documents), the damage has long been done, and the user’s business ends up underwriting reputational damage, statutory censure, and legal liability. Worse than that is the enemy within. Handsets, tablets, and any other connected device that is not subject to governance leave your business open to an ongoing risk with every app a user runs without the organisation’s knowledge. In Hollywood terms, the threat is present and real.

There is a beguiling appeal to the unbelievably low price points for sophisticated business services. It can appear to be that such low price points can somehow circumvent risks we face in the real world, as if the risks are not really there any more. For example, Microsoft’s Hosted Exchange email service offers email tools that only big businesses with immense IT departments could have afforded to fund as far back as 5 years ago. The application costs as little as £2.50 per month for one user at time of writing. Importantly, although it introduces a Pandora’s box, the expertise to operate Exchange safely is still commensurate with the engineering skill crucially required for efficient management of  sizeable IT departments.

Today, there is an awkward inverse in the relationship between technology, cost, and risk. It is a difficult reality that is standing the world on its head far beyond the IT world itself. Increasingly sophisticated services come to market at ever lower costs, providing services which drive labour costs down. Although these technologies reduce a lot of operational costs too, other risks persist and broader exposure increases yet more risks. The inherent risks associated with evolving technologies like “onboarding” increase while user awareness remains behind the curve, and so the case for professionally consolidating and supporting devices within an organisation’s conventional and extended IT network remains stronger than ever.

Decreasing software costs do not diminish risks, which increase with the proliferation of mobile devices in business networks.

ComStat is a certified Microsoft partner and accredited network administrator, capable of coping with organisations small and large. For advice about establishing and managing a “compliant” network policy, please call Steve Galloway on 07834 461 266.

Office 365 delegated network administration

Delegated network administrators are certified Microsoft Cloud Partners who meet Microsoft standards for planning, deployment, and ongoing support of Microsoft Exchange, Office 365, and other Microsoft Cloud product lines. Delegated administrators are experienced engineers and consultants who are capable of managing large and small installations according to Microsoft’s benchmarks. ComStat is a Microsoft Cloud Partner and certified delegated administrator.

Delegated administrators perform tasks like liaising with Microsoft Support, setting up mailboxes, adding or removing users and groups, data migration, managing domain names and zone records, managing security policies, managing Exchange-connected mobile devices, managing transport, DLP, and other Exchange services, etc. Whereas small businesses are often faced with steep learning curves and under-utilised software, delegated administrators provide a reliable point of contact to advise business owners and implement application features that are beyond the scope of limited in-house resources.

Delegated administrators allow users to get the maximum resources from Microsoft applications.

A delegated administrator assumes the same rights as a global administrator, who is typically the owner of the subscribed services. However, the owner/global administrator has the right to withdraw or reassign delegated administrator rights at any time, and should review who holds them periodically. Office 365 administrator rights extend to include the following privileges:

  • global administration
  • delegated administration
  • billing administration
  • password administration
  • services administration
  • user management administration