Teams – now in Lock-down – Limit creations

So, in these times, Teams is becoming extremely popular and valuable for companies with everybody working from home, and with Microsoft giving away 6 months of free Teams licenses for new tenants, it’s growing crazy fast. It’s easy to get started, and users can create teams out-of-the-box🙈.

But for a few administrators it can (in my own humble opinion, anyways) turn into a Wild West without any form of control, with users creating new teams as they like. (Why this isn’t a built-in feature, enabled by default, I don’t understand🙄)

It might be an “old school” kind of thinking, but I would like some control over who does what in “my environment”.

I figured that others would be in the same situation, so I started my little adventure into figuring out how to “lock down” Teams, so that normal users won’t be able to create whatever they want. You can do this in various ways, but the one I liked the most is where you control access to Teams creation through group membership. Fortunately for us, Microsoft has released an article on how to do it. You can read the original MS article HERE.

Let’s get into it 🤞

First off, you need to log in to your Office 365 tenant with your Global Admin and create the security group. In my example I created the group “Office 365 group limitation”. Copy the below PowerShell script to your favorite editor, like Notepad, PowerShell ISE or Visual Studio Code. Name the script how you like; I kept it like MS suggested, GroupCreators.ps1

$GroupName = "Office 365 group limitation"
$AllowGroupCreation = "False"

# Prompts for your Global Admin credentials
Connect-AzureAD

# Get the Group.Unified settings object, creating it from the template if the tenant does not have one yet
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

# Only members of $GroupName may create groups (and therefore Teams).
# Note: -SearchString is a prefix match, so make sure only one group starts with this name.
if($GroupName)
{
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}
else {
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Print the resulting settings so you can verify them
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

Change the group name in the script to the group name you created in the beginning. You will need your O365 Global Admin to run the script. Also, if you haven’t already, you need to install the Azure AD module for PowerShell.

Install-Module AzureADPreview

If you have used the module before, or maybe have the general availability version (2.0), make sure you either remove and reinstall or update it before continuing.

And you’re ready 👍 If you have a handful of users that you trust, you add them to the group, or maybe your Helpdesk workers, so that they can create Teams for the users.
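As an added check (my own script, not part of the MS article or GroupCreators.ps1 above), you can confirm the setting actually took and see who is in the allowed group. It uses the same AzureAD cmdlets and assumes you have already run Connect-AzureAD with your Global Admin:

```powershell
# Added example: audit the Group.Unified setting after GroupCreators.ps1 has run.
# Assumes the AzureADPreview module is loaded and Connect-AzureAD has been run.
function Test-GroupCreationLockdown {
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        Write-Warning "No Group.Unified setting exists: tenant is on defaults, everyone can create groups/Teams."
        return $false
    }
    # .Values holds Name/Value pairs, the same list the script prints at the end
    $values = @{}
    foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }
    $enabled = $values["EnableGroupCreation"]
    $groupId = $values["GroupCreationAllowedGroupId"]
    Write-Host "EnableGroupCreation         : $enabled"
    Write-Host "GroupCreationAllowedGroupId : $groupId"

    if ($enabled -ne "False") {
        Write-Warning "Group creation is still open to all users."
        return $false
    }
    if ([string]::IsNullOrEmpty($groupId)) {
        Write-Warning "No allowed group is set: only admins can create groups/Teams."
        return $true
    }
    # Resolve the id back to a name and list the people who may create Teams
    $group = Get-AzureADGroup -ObjectId $groupId
    Write-Host "Only members of '$($group.DisplayName)' may create groups/Teams:"
    Get-AzureADGroupMember -ObjectId $groupId -All $true |
        Select-Object DisplayName, UserPrincipalName |
        Format-Table -AutoSize
    return $true
}

Test-GroupCreationLockdown
```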

This is what it looks like now for the users!

Without group membership…


With group membership…


From now on, when users go to Teams and click “Join or create a team”, the only options are to join a team with a code, or to search for the team if they know the name. Here are a few options:

  1. You as an admin, add them.
  2. You tell the newly appointed owner to add users themselves 👍
  3. The users search for the Team and join 👍
  4. Or you send them a Code, that they can use to join the Team with (Team owner can do this) 👍

That’s it, you’re done and have just a little more control with what’s going on again 😊

Launch Teams app when clicking “Join Microsoft Teams Meeting” link in Meeting invite

I’ll start off by saying that I really love Teams, I do, BUT there is definitely room for improvement!

One of the things that really annoyed me lately is when joining an online meeting, the default web browser opens up and you need to click the “Open” button in the popup…. Why Microsoft….. Just Why??

Luckily (for you😁) it annoyed me enough to do some research and figure out how to get around it. Unfortunately I can’t suppress the opening of the web browser, but I can get it to open the Teams app automatically 👍

So here we go. Oh, and by the way, this guide will work with Google Chrome and Edge Chromium.

So you get an invite to a Teams meeting, and when you want to join, you click the “Join Microsoft Teams Meeting”


It opens your web browser, and that box, where you have to press “Open” (If you have the desktop app installed),


it launches your Teams app, and you’re ready to go. But why? Why not just open your Teams app right away?

Here is how in Edge Chromium

Open your registry and navigate to HKCU\Software\Policies\Microsoft

Now, most likely you don’t have much in there, so you need to add the keys Edge and URLAllowlist, so that you end up with HKCU\Software\Policies\Microsoft\Edge\URLAllowlist

Now add a new STRING value, name it 1, open it up and add the value msteams://*



and that’s it😳, from now on when you click the “Join Microsoft Teams Meeting”, it opens your default browser and then the Teams meeting👍

If you want to do it with a Commandline, this should do it (Remember to run CMD as Administrator 😉)

REG ADD HKCU\Software\Policies\Microsoft\Edge\URLAllowlist /v "1" /d "msteams://*" /t REG_SZ

Here is how in Google Chrome

Same thing, but this time the key is HKCU\Software\Policies\Google\Chrome\URLWhitelist

Now add a new STRING value, name it 1, open it up and add the value msteams://*



Again, if you want to do it with a Commandline, this should do it (Remember to run CMD as Administrator 😉)

REG ADD HKCU\Software\Policies\Google\Chrome\URLWhitelist /v "1" /d "msteams://*" /t REG_SZ

You can double check that the policy works correctly if you open Google Chrome and go to chrome://policy

Or for Edge, edge://policy
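Here is an added PowerShell version (not from the original post) that writes the same policy for both browsers, picks the next free value name instead of always “1” so it does not overwrite an entry another policy already put there, and reads the value back to verify. The two key paths are the ones from the REG ADD commands above:

```powershell
# Added example: set the msteams:// allowlist entry for Edge and Chrome under HKCU.
function Add-UrlAllowlistEntry {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,   # registry key holding the numbered entries
        [Parameter(Mandatory)] [string] $Pattern    # URL pattern to allow, e.g. msteams://*
    )
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $key   = Get-Item -Path $KeyPath
    $names = @($key.GetValueNames())
    # Skip if the pattern is already allowed under any value name
    foreach ($n in $names) {
        if ($key.GetValue($n) -eq $Pattern) {
            Write-Host "$KeyPath already contains $Pattern (value '$n')"
            return $n
        }
    }
    # The entries are numbered string values: use the highest existing number + 1
    $used = @($names | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
    $next = if ($used.Count -gt 0) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $KeyPath -Name "$next" -Value $Pattern -PropertyType String | Out-Null
    # Read it back so the change is verified, not assumed
    $readback = Get-ItemPropertyValue -Path $KeyPath -Name "$next"
    Write-Host "$KeyPath\$next = $readback"
    return "$next"
}

Add-UrlAllowlistEntry -KeyPath 'HKCU:\Software\Policies\Microsoft\Edge\URLAllowlist' -Pattern 'msteams://*'
Add-UrlAllowlistEntry -KeyPath 'HKCU:\Software\Policies\Google\Chrome\URLWhitelist'  -Pattern 'msteams://*'
```

Restart the browser afterwards; chrome://policy or edge://policy should then list the new entry.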



Happy Teaming 😊

Oops, I deleted AZUREADSSOACC – What now – How to fix

Accidents happen, we are only human and sometimes we accidentally delete something that we shouldn’t have. In most cases it’s no big deal, we can restore 👍. When it comes to Active Directory, it actually can be an issue. AD restores can be a nightmare (in my humble opinion, anyways).

On a quick sidenote, enable the AD Recycle Bin, it can really save you some time.

Open Active Directory Administrative Center, select your domain and click “Enable Recycle Bin…” in the Tasks pane.

After enabling it, you can’t disable it (but why would you?)

BUT, in this case we “act” like we haven’t enabled it 😊

So somebody accidentally deleted the AZUREADSSOACC computer account. This is the “virtual” computer account used by Azure AD Connect when you enable SSO. (You can read more about it in a previous article HERE.)

Normally it’s placed in the Computers container

But, in this case we deleted it (and just to prove to you that I’m not cheating 😞)


It’s gone 😴


First you need to log on the computer on which you have AADConnect running.

Right click the “Azure AD Connect” icon, most likely placed on your desktop (that’s the default), and choose “Run as administrator” (if you have UAC enabled, click Yes 😊).



Click “Configure”


Choose “Change user sign-in”, and click next. Logon with your Office 365 Global Admin account


Remove the option for “Enable single sign-on” and click next


And then, Configure


Now, if the next screenshot is what you get, you are good to go 👍. If it comes with a warning saying something like “Single sign-on could not be disabled”, have no fear, it did for me when I did some tests the first time. Run the wizard to the end, wait 5-10 min. and try again. You should end up with it being successfully disabled.


Status: For now, we have disabled SSO. Now we need to enable it again, because it’s an awesome feature and we really want it……

Run the wizard again (as an admin), and make sure you set the tick (or whatever you call it) in “Enable single sign-on”


Click next – In the “Enter credentials” box, you need to provide your local Domain Admin


Click OK, and next


Click “Configure” and let the wizard do its magic 😕


Don’t be alarmed if it throws an error, it did for me a couple of times, just hit retry.


Yay…success… and look, AZUREADSSOACC is back where it belongs in AD 😃

Give it time to run a sync (or force one with PowerShell Start-ADSyncSyncCycle -PolicyType Delta ), but eventually it will sync back up, and work like it did before.

Happy Clouding wlEmoticon-smile.png

AADConnect password sync error

So, long time since the last post. It’s been a long and very hot summer, and things are starting to turn back to business as usual 😕.

I started up my lab environment after a good long vacation, and lo and behold…. AADConnect errors 😴 I needed the lab for some testing…. Oh well, time for an article then.

After booting up, and some time to sync, these messages appeared in the O365 portal



😞….. Didn’t make much sense to me… “Last synced 31 minutes ago”, but “warning no recent synchronization” ???

Didn’t spend too much time investigating; I figured it had something to do with the whole environment being shut down for a month, so I went straight to trying to fix it… My thoughts were that trying to disable, do a sync and then re-enable password sync would be a good place to start.

Here we go 😃

Started the AADConnect wizard


Choose “Configure”, and then “Change user sign-in”


So, log on with your tenant Global Admin creds


Set the option to “Do not configure”




And then “Configure”. Just to make sure it actually was synchronizing, I ran the PowerShell sync cmdlet

Start-ADSyncSyncCycle -PolicyType delta

After it was successful (Had to run it a couple of times, since the reconfiguration of AADConnect, initiates a Complete sync, which takes some time) I reconfigured AADConnect to again allow password hash sync.


Enter your O365 tenant credentials if prompted!



After it was done, I waited a good 5 minutes for the initial sync, and then ran the PowerShell cmdlet again

And the waiting game started. It can take some time for O365 to realize that you actually did something, so after about 15 minutes everything looked fine again.



Pretty easy fix 😊
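The same disable / sync / re-enable idea can be done with the ADSync module’s documented cmdlets instead of clicking through the wizard. This is an added example (not from the original post); the two connector names are placeholders you get from Get-ADSyncConnector, and it assumes that toggling password hash sync with Set-ADSyncAADPasswordSyncConfiguration is equivalent to the wizard steps above:

```powershell
# Added example: disable, sync, then re-enable password hash sync from PowerShell.
# Run as an admin on the AADConnect server.
Import-Module ADSync

# Placeholders: Get-ADSyncConnector | Select-Object Name  shows the real (case sensitive) names
$adConnector  = 'contoso.local'
$aadConnector = 'contoso.onmicrosoft.com - AAD'

function Wait-ADSyncIdle {
    # Block until no connector is running, so the next step does not collide with a sync
    while (Get-ADSyncConnectorRunStatus) {
        Write-Host "Sync still running, waiting..."
        Start-Sleep -Seconds 30
    }
}

function Reset-PasswordHashSync {
    Write-Host "Password hash sync before:"
    Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector

    Wait-ADSyncIdle
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Wait-ADSyncIdle

    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Wait-ADSyncIdle

    Write-Host "Password hash sync after:"
    Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
    # The scheduler tells you whether automatic cycles are on and when the next one runs
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
}

Reset-PasswordHashSync
```

As with the wizard, give the O365 portal a good while after this before you expect the warning to clear.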

Skype for Business online – Hide some users from the adressebook – Notes from the field

It’s been a while since my last post, but I’ve been busy at customers…. I know, booooring, but unfortunately I’m not filthy rich 😕.

At one of my recent jobs, I came across a “weird” question from a customer. They have A LOT (+200,000 objects) of non-licensed users in their tenant, and they were all visible in their SfB (Skype for Business). Meaning, when you searched for, let’s say, Thomas….. they would get way more than they asked for. So what to do?

All the non-licensed users were synchronized from a different tenant (a customer tenant), and needed to be there.

Exchange Online wasn’t a problem. Since they don’t have a license, they don’t get to go in the GAL. SfB, a whole other thing.

So after doing a whole lot of research we came up with this solution, which worked, and that I would like to share with you guys. I will be using my test tenant for this show and tell 😊.

Find the user in your local AD (And quickly set the “Advanced view”, so you can see “Attribute editor”, within the user.)

Find the attribute MailNickName, and set it to the users account name


Next, find msExchHideFromAddressLists and set it to true


Sit back and let nature, or in this case AADConnect and the Managed Folder Assistant, take action. Seriously, have a little patience; in this particular tenant, it took about 48 hours for the changes to take effect.

So knowing this, you should be able to do a short script to add this information to the users attributes.
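Here is such a script as an added example (mine, not from the post or the customer): it applies the two attribute changes above to every enabled user in an OU, only fills mailNickName where it is empty so an existing alias is not clobbered, and supports -WhatIf. The OU path is a placeholder, and the assumption is that the unlicensed users live in their own OU in local AD:

```powershell
# Added example: bulk version of the two attribute edits. Needs the ActiveDirectory (RSAT)
# module and an AD schema extended by Exchange (msExchHideFromAddressLists must exist).
Import-Module ActiveDirectory

function Hide-UnlicensedUsersFromSfB {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase   # OU holding the non-licensed users (placeholder below)
    )
    $users = @(Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties mailNickname, msExchHideFromAddressLists)
    $changed = 0; $skipped = 0
    foreach ($u in $users) {
        if ($u.msExchHideFromAddressLists -eq $true -and $u.mailNickname) {
            $skipped++; continue          # already done, leave it alone
        }
        $attrs = @{ msExchHideFromAddressLists = $true }
        # Only fill mailNickname when it is empty: an existing alias must not be overwritten
        if (-not $u.mailNickname) { $attrs['mailNickname'] = $u.SamAccountName }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set $($attrs.Keys -join ', ')")) {
            Set-ADUser -Identity $u -Replace $attrs
            $changed++
        }
    }
    # Summary so you can see what the run did before waiting for AADConnect to pick it up
    [pscustomobject]@{ Changed = $changed; Skipped = $skipped; Total = $users.Count }
}

# Placeholder OU: dry run first, then drop -WhatIf
Hide-UnlicensedUsersFromSfB -SearchBase 'OU=External,DC=contoso,DC=local' -WhatIf
```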

Good luck 😊

Seamless Sign On, Kerberos roll over–Wait what??

UPDATE: So happy to see that Microsoft has heard our prayers. They are working on a solution to automate the rollover in Azure. Read more about it HERE.


So, you’ve installed Seamless Sign On, and it’s been running awesome; by chance you log on to your Azure tenant, just nosy browsing around, improving your Azure skills, and suddenly you find this……. Kerberos Roll Over, wait what? erhm… What?….. 😕


First of, when I saw this, I thought it was a joke, but after thinking it over, it made sense….in a weird kind of way.

First off, when you install AADConnect and enable Seamless Sign On and Single Sign On, you get an extra auto-generated computer object in your AD called AZUREADSSOACC.


This is the object in charge of handling / generating the shared Kerberos key needed between local AD and Azure AD. (Best leave that one alone 😛)

Since this is a “dead, virtual” object, it is not able to create new keys automatically, so as a best practice, MS recommends doing a manual “roll-over” every 30 days. I will explain how to do this in a short while; first off, cast your vote HERE for the feature of AADConnect doing automatic roll-overs….Awesome, thanks.

First off, connect your PowerShell ISE to your tenant.

(You got to know that one by now 😊)

Next you run these simple cmdlets. (NOTE: These cmdlets and the text are copied from the official MS documentation. The explanations were great, so no need to rewrite them.)

(I’m really sorry, but for some reason I didn’t get the step in where you have to import the PowerShell module AzureADSSO.psd1. This module has the cmdlets you need.)

You have to run this from the server, where you run AADConnect. So, dive down to the install dir, and import this

cd "C:\Program Files\Microsoft Azure Active Directory Connect"

Import-Module .\AzureADSSO.psd1

# Step 1. Get the list of AD forests on which Seamless SSO has been enabled

New-AzureADSSOAuthenticationContext
#This command should give you a popup to enter your tenant’s Global Administrator credentials.

Get-AzureADSSOStatus | fl
#This command provides you the list of AD forests (look at the “Domains” list) on which this feature has been enabled.

#Step 2. Update the Kerberos decryption key on each AD forest that it was set up on

$O365Cred = Get-Credential
# When prompted, enter the Domain Administrator credentials for the intended AD forest

Update-AzureADSSOForest -OnPremCredentials $O365Cred
#This command updates the Kerberos decryption key for the AZUREADSSOACC computer account in this specific AD forest and updates it in Azure AD.

#Repeat the preceding steps for each AD forest that you’ve set up the feature on

And you’re done…. AADConnect welcomes you back in 30 days 😊. Seriously, save it in a .ps1 file for easy running next time.

THAT’S why I use PowerShell ISE for everything (and the fact that my memory is really bad 😃)

I’ve seen some bloggers doing articles where they save Global Admin accounts and corresponding passwords in text files, encrypted, not encrypted and so on, in an attempt to automate this. Needless to say, this is a MAJOR SECURITY RISK, and cannot be recommended. Better yet, go cast your vote, so that MS puts this feature inside AADConnect.
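As an added example (not from the post or the MS documentation) that serves both this post and the “Oops, I deleted AZUREADSSOACC” post above: a PowerShell check that tells you whether AZUREADSSOACC exists, where it sits, how old its Kerberos key is and whether the AD Recycle Bin is on. It assumes Update-AzureADSSOForest resets the account password, so PasswordLastSet is the key age the portal’s roll-over warning tracks, and it needs no stored credentials at all:

```powershell
# Added example: AZUREADSSOACC health check. Run on a domain-joined machine with the
# ActiveDirectory (RSAT) module, as a user who can read computer objects.
Import-Module ActiveDirectory

function Test-AzureADSSOAccount {
    param([int] $MaxKeyAgeDays = 30)   # MS recommends rolling the key every 30 days
    $acc = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' -Properties PasswordLastSet
    if (-not $acc) {
        Write-Warning "AZUREADSSOACC is missing: re-run the Azure AD Connect wizard and re-enable single sign-on to recreate it."
        return [pscustomobject]@{ Exists = $false; KeyAgeDays = $null; RolloverDue = $true }
    }
    # Assumption: Update-AzureADSSOForest resets the account password, so PasswordLastSet is the key's age
    $age = [int]((Get-Date) - $acc.PasswordLastSet).TotalDays
    $due = $age -ge $MaxKeyAgeDays
    Write-Host "Location     : $($acc.DistinguishedName)"
    Write-Host "Key last set : $($acc.PasswordLastSet) ($age days ago)"
    if ($due) { Write-Warning "Roll-over due: run Update-AzureADSSOForest on the AADConnect server." }
    # The sidenote from the deletion post: is the AD Recycle Bin enabled?
    $rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    $rbState = if ($rb.EnabledScopes.Count -gt 0) { 'enabled' } else { 'NOT enabled' }
    Write-Host "AD Recycle Bin: $rbState"
    return [pscustomobject]@{ Exists = $true; KeyAgeDays = $age; RolloverDue = $due }
}

Test-AzureADSSOAccount
```

Schedule it to run monthly and you get a reminder a few days before the portal starts nagging, without putting any tenant credentials on disk.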

Until next time, happy cloud computing 😊

Office 365 update – apps seeking pension

Just a quickie 😕

A few well-used apps are on the path to retirement.

SfB (Skype for Business) for the Windows Phone is retiring May 20th 2018. Microsoft has decided not to develop the Skype app for windows phones anymore.

OWA app for iOS and Android: the much used, and loved, mail app is also retiring, on May 15th 2018. More info HERE.

The alternative for the OWA app is of course Outlook, for either iOS or Android.

I’ve been using Outlook on both platforms for some time now. I must admit, it’s getting really good. For the first couple of years it was terrible, but they are definitely getting there.

If you haven’t, you should try it out

Outlook for Android

Outlook for IOS