markwilson.it

Creating an Office 365 profanity filter (works for Exchange too)

Posted on Tuesday 18 August 2015Wednesday 19 August 2015 By Mark Wilson

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

As part of recreating the rules that my customer currently has set up with a popular cloud-based message hygiene platform, I needed to create an Office 365 profanity filter for Exchange Online. Believe it or not, there isn’t one built into the product (it disappeared with BPOS) but you can do some interesting things with DLP classification rules and policies.

I’d like to publish the exact steps here but I can’t, for commercial reasons. What I can do though is signpost some useful resources:

Jedi Hammond has a useful post on Creating Custom DLP Classification Rules and Policy.
The XML you need for the Custom DLP policy template can be found in the Microsoft TechNet advice for developing sensitive information rule packages. It’s a bit difficult to follow in places and a couple more posts that might help include this blog post from Jorge R Diaz and this forum question from John Mello.
You’ll need to generate some GUIDs.
Jamie Wilkinson has dug out a list of bad words that Google uses.

Once you’ve created a policy you can apply it in PowerShell with:

New-ClassificationRuleCollection –FileData ([Byte[]]$(Get-Content -path ProfanityPolicy.xml -Encoding byte -ReadCount 0))

If you need to update it then the cmdlet is Set-ClassificationRuleCollection and if you want to take it out again, Remove-ClassificationRuleCollection will do the trick.

With the classification in place, you can create rules that use the policy. In my case, one to block emails containing sensitive content (i.e. a list of pre-defined words) and send an incident report to a defined mailbox.

Even though I was working with Exchange Online (v15), the same process will work for Exchange Server 2013 and, presumably 2016 when it comes…

Finally, one gotcha I found (well, it was a user error really):

I thought my rule wasn’t working. When I later logged into the shared mailbox that blocked messages were copied to, I found copies of the messages I’d been sending for quite a while. My confusion was because I’d been testing with Policy Tips (which seemed a bit hit and miss in OWA) and that doesn’t actually block the message (doh!). As soon as I enforced the rule, my rude messages started bouncing back as expected…

NDR from message blocked by Office 365 profanity filter

Short takes: Excel tips to display the worksheet name and validate data; editing Microsoft Project files stored on SharePoint; and an XPS to PDF conversion service

Posted on Monday 17 August 2015Monday 17 August 2015 By Mark Wilson

Another collection of mini-posts based on recent IT trials and tribulations…

Excel tips to display the worksheet name in a cell and to validate data

Last week, I was working on an Excel spreadsheet that acts as a plan for a series of tests. Each sheet has the same format, with some conditional formatting and associated logic to total up passes/fails and give a RAG score for the sheet. Those RAG scores are presented in an overview page – and data is copied between cells so that information is only populated once but appears on every sheet. I’m quite pleased with the result but I did need to work a little on some of the tricks.

Firstly, data validation in lists (for the pass/fail). This is fairly straightforward but I usually forget how to do it so it’s worth reading the TechNet Productivity Hub post on restricting data entry in Excel with lists.

The second trick was to read the name of each worksheet and use that information in a cell (so I could name a worksheet after a set of tests, and see that name displayed as a header on the page too). Here, the SuperUser site came to the rescue and the code I needed in the cell was:

=RIGHT(CELL("filename",A1),LEN(CELL("filename",A1))-FIND("]",CELL("filename",A1),1))

Incidentally, I also needed to look something up that I’ve blogged about previously: if a cell shows the formula rather than the result, check the formatting is General and not Text.

Editing Microsoft Project files stored on SharePoint

Much as I try, it seems I can’t avoid working with Microsoft Project. Unfortunately, when working directly from SharePoint the files are opened read-only. The answer, it seems, is to work on a synchronised local copy – as described by Victor Butuza on his Microsoft Office SharePoint blog.

XPS to PDF conversion web service

Every now and again, I find myself wanting to create a PDF from an email, just to upload a receipt to Xero (the expenses system I use at work). Unfortunately Xero isn’t happy with XPS files – and Windows 8.1/Outlook don’t create PDFs, but a quick Internet search turned up XPS2PDF, a simple, fast and apparently secure way to convert my files. There’s an API for those who want to make the conversion programmatically too.

One man’s battle with unlocking his Skype account…

Posted on Friday 7 August 2015Monday 3 August 2015 By Mark Wilson

I’ve blogged and tweeted many times about identity in the Microsoft cloud (“Microsoft accounts” vs. “work or school accounts”, formerly known as “organizational accounts”) but I completely forgot another set of credentials – Skype accounts, an anomaly from before Skype was bought by Microsoft but which should have been killed off by now… Then, a few weeks ago, I got an email from Skype (noreply@notifications.skype.com) to say that

“At Skype, we take customer safety and security very seriously. We have identified a potential compromise with your Skype account: […] and we have temporarily suspended access until you reset the account’s password.”

A day later (possibly after I followed the advice in the first email, I can’t remember now), I got another email

“The password for the Skype account: […] was recently changed. If you requested this change then you can ignore this email. If this wasn’t you, your account may have been compromised. Please follow these steps to reset your password.”

Never mind, I thought, I’ll just click the link (after checking it’s genuine) and reset my password then.

No. It’s not that simple.

I then entered a bizarre process of answering questions and then going into a hold loop for about 24 hours before someone checks your responses and effectively says “you’re in”, or “no, try again”. There’s no number to call, no person to speak to, but there appears to be a human element to the process. The official response from Skype Customer Support is: “Unfortunately I am not able to check on the details on your account because you did not pass the verification”. I can get access to my bank account with the right combination of mother’s maiden name, place of birth etc. but to unlock my Skype account I need:

Country
Language
First name
Last name
Email address
Email address provided when registered
Date when I created my Skype account (mm/yy)
Five names from my Contacts list
Name (first and last) provided when registering for my account
Country selected when registered

And optionally:

If you used a credit card, please provide any two of the first six digits of the credit card number and any two of the last four digits of the credit card number.
If you used PayPal or Skrill, please provide the email address that is associated with your PayPal or Skrill account.
If you used another payment method, please specify which one you used.
What is your date of birth (dd/mm/yy)?
What is the total cost of a recent order that you have made?
On what date did you place the recent order (dd/mm/yy)?
Please provide two phone numbers that you have recently called or contacted using Skype.
What is your full billing address?

I’ve had my Skype account for so long now that Microsoft possibly don’t have a record of when it was created. I certainly don’t know exactly when I did it (I probably used an old work email address and I don’t have any of the associated emails) but I can be sure it was more than 10 years ago. I’ve never topped up my Skype account with credit (I don’t use it to make paid calls). And I’ve repeatedly failed the verification checks to unlock my account. My last-ditch attempt was to answer just the mandatory questions and hope I get the month/year right. I may need a few more attempts yet for a brute force attack… Security is great, but when the service provider locks the account for you, and then won’t let you back in, it’s not so good. Skype’s official advice is to open a new account. With a name like Mark Wilson it’s pretty hard to get a decent username. I have a really good Skype username (my name) and I still live in hope of one day being able to answer the questions I need to get it back. In the meantime, thankfully, my Microsoft account credentials still work with Skype…

Purple spot next to Skype for Business presence information

Posted on Thursday 6 August 2015Friday 7 August 2015 By Mark Wilson

I noticed a couple of days ago that my Skype for Business presence information was accompanied by a purple dot/spot. I hadn’t seen this before and I wondered what it meant. Unfortunately, I couldn’t find anything on the ‘net.

Purple spot next to Skype for Business presence information

My colleague Brian Cain (@BrianCainUC) clearly has better googling (ahem, Binging) skills than I, because he found Microsoft knowledge base article 3072756, describing a change that explains the phenomenon.

It seems that, since the 14 July 2015 update for the Microsoft (Lync 2013) Skype for Business client, when a calendar shows a user as Out of Office (i.e. the appointment status, not to be confused with an Automatic reply message from Exchange), the purple spot appears next to the Skype for Business presence information when they are online anyway…

I regularly add time into my Calendar for when I’m travelling (and mark it as Out of Office) but if my travel plans change (or I’m running late) I might still be online in Skype for Business and that’s what causes the purple spot to be displayed.

The article also describes some other changes in behaviour that might lead to a purple arrow being shown where the presence indicator normally is.

Incidentally, whilst researching this, I also found a useful FAQ about presence and pictures in Lync (Skype for Business) that may be worth a read.

Using the Microsoft Project calendar to block out time when people are not available

Posted on Wednesday 5 August 2015Thursday 6 August 2015 By Mark Wilson

I hate Microsoft Project.

I mean, as a tool it’s OK, but it’s idiosyncratic and time-consuming to use; and even copying/pasting information is not as straightforward as it should be. Besides which, far too many people confuse a Gantt Chart with a project plan… and I blame Microsoft Project for that…

When I was at Fujitsu, I avoided having Project on my PC. If I didn’t have a license, I couldn’t edit plans… I could only view them. Unfortunately I can’t get away with that any more and, tonight, I lost most of the evening to some edits that went wrong with tasks getting split across days (I think I changed the working hours to reflect the hours we really work… but that messed something else up).

Anyway, I digress. Something I did find this evening was a really useful article describing how to change the working days for a Microsoft Project calendar. Using this I could not only add bank holidays that were missing in the standard calendar, but add the days that I’m not available to work on the project – for example because of annual leave, or other client commitments – so that the plan couldn’t allocate tasks to me on days I’m not booked to that customer. You can also edit dates that people are available to work on a project directly (I don’t like referring to people as “resources”) but that doesn’t take into account odd days here and there of non-available time.

Next time though, I’ll leave editing the plan to the Engagement Managers…

Unable to boot from USB flash drive on a Lenovo PC (to install Windows 10)

Posted on Monday 3 August 2015Thursday 6 August 2015 By Mark Wilson

Yesterday, I wrote about not having to wait for Windows 10 to be advertised to my PCs and downloading the software directly instead. Unfortunately, things didn’t turn out to be quite that simple.

Overnight, both the Windows 8.1 PCs in our house decided that Windows 10 was ready (I clearly need to be more patient) but my 10 year-old son wanted to perform the upgrade (he’s a trainee geek) so, I waited for him to come home tonight before we tried it out. Because I’d already downloaded the media I thought I could skip bringing almost 3GB down over my ADSL line and boot from USB but we had a little trouble along the way…

I’d prepared a USB flash drive from the Windows 10 .ISO file using Rufus but our family PC (a Lenovo IdeaPad Flex 15) didn’t want to boot from it.

First of all, I had to work out the boot menu key combination (F12) but, even then, the boot menu only wanted to boot from the network, or from the local hard drive. I checked the BIOS (F1 at boot) and USB boot was enabled. Following Lenovo support article HT076906 (How to enter Setup Utility (F1) or Boot Menu (F12) on a Microsoft Windows 8/8.1 preloaded PC), I tried various combinations to reboot the machine (including Shift+Shutdown for a full shutdown and Shift+Restart for Windows boot options) but nothing was helping to boot from USB.

I tried recreating my media using different partition schemes for UEFI but that didn’t work either. So I followed Lenovo support article HT078684 (Cannot Boot From a USB Key – Idea Notebooks/Desktops) to:

Run cmd.exe with Administrator privileges.
Insert the target USB boot media device into an available USB port.
Type:
diskpart
list disk (and make note of the disk number of the target USB drive)
select disk n (where n is the target USB drive noted earlier)
clean
create partition primary
format fs=fat32 quick
active
assign
list volume
exit
Copy the entire contents of the Windows ISO onto the newly created UEFI boot media.

After this, I successfully restarted the PC, using F12 to access the boot menu and could boot from USB (i.e. the flash drive was available in the menu).

Unfortunately, after all that effort, Windows 10 wanted a product key to install (which I didn’t think I had on a PC that came with Windows pre-installed), so I went back to an in-place upgrade using Windows Update.

Installing Windows 10 via Windows Update

It’s been a few years since I regularly built PCs and it seems my desktop skills are a little rusty… since then, I’ve discovered a number of utilities for reading the product key of my Windows installation (which is also stored in the BIOS) – the tool I used is Windows Product Key Finder, available for download from CodePlex.

Short takes: Windows 10 download location; btvstack.exe and Skype

Posted on Monday 3 August 2015Monday 3 August 2015 By Mark Wilson

Some more mini-posts glued together as a “short take”…

Windows 10 download location – no need to wait for a notification

As a “Windows Insider” (yeah, right, me and several million others…) I’ve been patiently waiting for the notification icon on my Family PC to tell me that Windows 10 is ready for me to download and install. I didn’t expect it immediately on July 29th – anyway, I was on holiday last week so I could wait a few days – but I did hope I’d get it over the weekend (especially as I had a new PC to set up for my wife… more on that in a future post).

Well, after tweeting my frustration, I received multiple replies asking me why I didn’t download it directly. It seems you don’t need to wait for a notification icon, just download from the Microsoft website (either for a direct update, or to create media for other PCs). Just take note that this will not work for enterprise editions.

Incidentally (and thanks to Garry Martin for this tip), Rufus is a handy app for creating USB media from an .ISO image.

btvstack.exe wants to use Skype

When I launched Skype yesterday, it told me that btvstack.exe wants to use Skype and presented two options – allow or deny access. How do I know which to chose? What is btvstack.exe? Is it a piece of malware that will start running up huge Skype bills for me? Should I allow it.

Well, Rob Schmuecker (@robschmuecker) has already done the legwork and written a post that tells us “What is BtvStack.exe and why is Skype asking me to allow it?“. If the Skype developers were being a little less cryptic they might have said “Skype wants to use your computer’s Bluetooth radio to connect to a device – is that OK?”. You probably don’t need to allow access but if you use a Bluetooth headset, then maybe you will…

Short takes: refreshing all the fields in a Word document; fixing the spacing after a table in Word

Posted on Friday 31 July 2015Wednesday 22 July 2015 By Mark Wilson

More snippets of info from the last few weeks… this time with a focus on Word…

Refreshing all the fields in a Word 2013 document

I was writing a pretty sizable document recently, with many tens of tables, a few figures and lots of cross references so I wanted to be able to easily update all the fields in one fell swoop. Well, it turns out to be remarkable easy to do, if not immediately obvious, in Word 2013 (and it seems it works for older versions too). Just go to Print Preview and the fields will be updated! You’ll still need to manually update tables of contents, etc. if you’ve added/removed sections, but all the other fields in the document will be taken care of.

Fixing the spacing after a table in Word

Another challenge I had with my document was that it included a lot of tables, and after each table the following line was too close. If I included a blank line, it was too big (and anyway, that’s not the right answer); and if I edited the Normal style then it would affect the rest of the document.

I found some suggestions in a post from Allen Wyatt. The first was to amend the table positioning and set top and bottom spacing but that involves letting text flow around the table (and potentially tables floating off around the document in the same way as so many pictures do…). The simpler approach was to create a new style, based on Normal, called After Table, which has the appropriate paragraph spacing set. No more ghastly gaps and dodgy new lines – instead I just use the After Table style on the paragraph immediately after each table.

An approach to enabling Office 365 features and functionality using group membership

Posted on Monday 27 July 2015Sunday 19 July 2015 By Mark Wilson

For large enterprises with a mature approach to IT services, the idea of managing access to features and functionality in Office 365 via a web portal is a step backwards. Service desk teams may be given specific instructions and limited access in order to carry out just the tasks that they need to. Arguably that’s not “may be given” but “should only be given”…

One of my customers uses Active Directory groups to assign access to software – for example Project, or Visio – applications that are not universally available. We were talking about doing something similar for Office 365 features and functionality – i.e. adding a user to an Active Directory group to enable an element of their Office 365 subscription (the users are synchronised from the on premises AD to Azure AD).

I suggested writing a PowerShell script to run as a scheduled task, querying the membership of a particular group, and then making the changes in Office 365 to enable particular features. We could use it, for example, to enable a feature like OneDrive for Business to just a sub-set of users; or to assign Project Online or Visio Online licenses.

Well, it turns out I’m no innovator here and it’s already being done elsewhere – Office 365 MVP Johan Dahlbom has published his script at the 365 lab. I haven’t run the script yet… but it certainly proves the concept and gives us a starting point…

In which geographical region is my Office 365 tenant hosted?

Posted on Thursday 23 July 2015Monday 10 August 2015 By Mark Wilson

Yesterday, I wrote about some considerations for naming an Office 365 tenant and I mentioned that the name was the second of two important things to think about.

For many customers in Europe, the question of where in the world their Office 365 tenant is homed is crucial. Without going into the whys and wherefores (which are too big a can of worms for this blog post) us Europeans generally need our data to be in European datacentres (by law).

The region in which the tenant is created is set when you sign up for Office 365, by picking the country associated with your account. At sign-up it says that the country is locked to determine:

The services you can use.
The billing currency.
The closest datacentre.

Actually, that’s not quite the whole story: the services available can be set at user level (according to their location); and the closest datacentre is actually based on DNS, routing to the closest datacentre, and then across Microsoft’s network to the final destination (at least for Exchange Online).

There are also some services (notably Yammer) for which there is no hosting outside the United States.

But what if you didn’t create the tenant? In many large organisations someone may already have created a companyname.onmicrosoft.com (where companyname is the tenant name) and, as the tenant name can’t be changed either, you need to be sure that it is suitable for use rather than just starting over again.

Checking where your tenant is hosted

I spent some time looking at ways to see where a given tenant is hosted and here are a few methods I found.

In PowerShell (after remoting to Exchange Online) and using Get-OrganizationalUnit and Get-OrganizationConfig I found:

The OrganizationalUnit was listed as eurpr02a001.prod.outlook.com/Microsoft Exchange Hosted Organizations/markwilson.onmicrosoft.com
The OrganizationId was EURPR02A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/markwilson.onmicrosoft.com – EURPR02A001.prod.outlook.com/ConfigurationUnits/markwilson.onmicrosoft.com/Configuration
The DistinguishedName was CN=Configuration,CN=markwilson.onmicrosoft.com,CN=ConfigurationUnits,DC=EURPR02A001,DC=prod,DC=outlook,DC=com
The ObjectCategory was EURPR02A001.prod.outlook.com/Configuration/Schema/ms-Exch-Configuration-Unit-Container
The OriginatingServer was AMSPR02A001DC01.EURPR02A001.prod.outlook.com

I don’t know Microsoft’s naming standards but I’d be willing to place a small bet that EUR is Europe and AMS is Amsterdam.

Looking at the message headers on an email received I saw it passed through various servers until ultimately it got to AMSPR02MB246.eurprd02.prod.outlook.com and DB3PR02MB252.eurprd02.prod.outlook.com (mail servers in Amsterdam and Dublin? Certainly in Europe?

Also, Get-MsolCompanyInformation tells me that the CountryLetterCode is GB (Great Britain):

This is also visible in the Office 365 Admin Center under the company profile (where GB has been translated to United Kingdom… which is not the same as Great Britain but is close enough in this case).

With a combination of the above, I think I can be pretty sure that my tenant is in Europe!

Further information

There’s some interesting reading on the Microsoft Online Services: Where is my data? page, including links to data maps (like this one for Europe).