AdminDroid – very powerfull reporting on your M365/O365 tenant

Disclaimer: This review was done based on license provided from vendor to MVPs. Purpose of this review is to provide an overview of the software functionality, with no intention to provide free marketing or sales initiatives. Author was not compensated for this review in any way.

Each organization that uses Office 365 needs reporting from time to time. For bigger organizations, this need is even more frequent. And while you can get some basic GUI based reporting in Office 365 admin center, for more detailed reporting you would probably need to dig in to PowerShell. If you are not an expert (or fan) of the PowerShell or you simply like GUI based reporting with a lot of details, you might want to look at some third-party solutions. One of them, which does a very nice job in this field is AdminDroid.

AdminDroid is a GUI based console, that runs as a web service on your local host and connects to your Office365 tenant to pull various kinds of reports for you. In general, you can pull all these reports by yourself, by using PowerShell, but you will need a lot of knowledge and a lot of time to do it. Also, you might need A LOT more time to pack all these reports in graphic format and that’s the real magic that AdminDroid does. It “listens” to your tenant activities and provide you with almost real time info about various things. For this purpose, you will be to provide a service account on your tenant with Global reader permissions.

When you configure AdminDroid for your Office365 tenant, you will need to leave for some time to gather data. Some data will be available very fast, but for some data you will need to wait for a few hours.
AdminDroid console is divided in two parts – Dashboards and Reports/Audit Reports. While on Dashboard you can see some most important data about your tenant and objects in your tenant, in Reports section you can generate various reports using several filters and download them in appropriate format.

For example, home (Overall) dashboard shows you current state of objects in your AzureAD, Security features such as MFA, state of mailboxes on Exchange Online, as well as data about SharePoint online. See example below:


If you need to see more detailed data, each of the key Office 365 services has its own Dashboard. If you click on Azure AD you can see details about your license usage, users and groups and their activities and many other details. On Exchange dashboard you can see details about mailboxes in your organization, but also charts on most active or inactive users, mailbox usage, mailbox traffic and mailbox delegation.


Dashboard called Usage and Adoption is especially interesting. Here you can see details about activities per job title, city, state, country and company. So, if your users are in multiple cities/states and you want to see frequency of their activities – this is the place to look for. If you want to see how your Project Managers perform and how they use Office 365 services you should also look here.

However, while looking at the Dashboards might be very interesting, even funny, the real power of AdminDroid is in its reporting capabilities. For each of the key Office365 services you can run dozens of various reports. For each report you can set a view and configure filters to narrow your results. Reports can be downloaded in HTML, PDF, CSV, XLS, XLSX and RAW formats. Reports can be very detailed, as well as large, so it is highly recommended to use filters before running a report. Especially if you have a lot of users.

Audit reports are even more interesting. For example, you can pull a report about all performed SendAs activities in your organization. You can also get a report on each mailbox activity performed on a single mailbox or multiple mailboxes. For AzureAD, you can track login activities, password change/reset activities, admin role management, audit policy management and many more. AdminDroid can even connect to your Intune and pull reports from there. However, if you explore SecureScore reports you can find a lot more than Intune reports – in general, complete Secure Score of your company is available there.

Tracking file and folder-based activities on SharePoint and OneDrive can be very useful for troubleshooting purposes. You can audit and pull in report, every single file/folder activity performed on your tenant, with a bunch of additional details.


Security based reports also provides data that might be very useful. I’ve found few reports very useful there. For example, you can quickly get a list of users that failed to pass MFA challenge. Or users that are trying to sign in with expired passwords. There is also a special report on Admin Login failures as well as report on history of admin role assignments activities.

All reports can be pulled on demand or scheduled to perform. You can choose between 796 preconfigured reports to schedule, which is really an impressive number.

So, if you are looking for a good, GUI based, reporting solution for your Microsoft 365 / Office 365 tenant, AdminDroid is definitely worth to try. Pricing is pretty decent, and you can even get a free version – if you are satisfied with Azure AD Reports and Dashboards only. MVPs (Office Apps & Services) can get a free license, while edu and non-profits are having quite a big discounts. Take a look here.

Enable Teams attendance report

If you are a teacher, and doing your teaching over Teams, you probably need some kind of record about participants on your classes. In the recent Teams update, Microsoft added this functionality to Teams, but it is disabled by default, and you will not be able to use it out-of-the-box even if your tenant and Teams app are updated. To enable this functionality, you need to use PowerShell as well as credentials for tenant admin.
Currently, Teams is being managed by by cmdlets from both Teams module for PowerShell and Skype for Business module, so it is recommended to install both. Teams PowerShell module is installed pretty easy, by typing:
install-module -Name MicrosoftTeams in your PowerShell console. You just need to run it as Administrator.
To install Skype for Business module for PowerShell, you need to go here, download the module and install it. After installation is completed, type following in PowerShell console:
Import-Module SkypeOnlineConnector
Once you have these module installed, you will be able to manage Teams on your tenant.
To get attendance report functionality, you need to use Set-CSTeamsMeetingPolicy cmdlet on your Global policy. First, type:
$Session = New-CsOnlineSession, to open a session. You will need to enter your admin tenant credentials after running this command. Once you are authenticated, import the session, by typing:
Import-PSSession $Session
After this, you need to run following command to enable attendance report functionality:
Set-CSTeamsMeetingPolicy – Identity Global – AllowEngagementReport “Enabled”
To ensure that functionality is enabled, run following command:
Get-CsTeamsMeetingPolicy -Identity Global
You will get the result as on following picture:


Ensure that AllowEngagementReport variable has the value Enabled.
Now, you run Teams app, start your meeting, and in the participants list, you will have new option, to download participants report in CSV format.


However, there is one important limitation to this – you’ll only be able to download the attendance report while the meeting is in progress and participants are still present. There is no ability to download the report once the meeting has ended.

Restoring Teams meeting add-in in Outlook

I had kind of weird situation few days ago, when Teams meeting add-in in Outlook just disappeared for no visible reason. Not having that add-in in Outlook actually prevents you from scheduling Teams meeting from Outlook, which not a nice situation. You surely can do it directly from Teams calendar, but that might not be so convenient for several reasons. I first tried some common and known troubleshooting steps. I restarted Teams app, as well as Outlook, tried to reinstall Teams, but nothing helped. The only option was to reinstall Office apps, but I was not in the mood for that for several reasons, so I decided to dig deeper into this issue. On another computer, where Teams meeting add-in was present and working, I opened Outlook, switch to Options and opened Add-ins console. There, I was able to locate Teams meeting files location, like you can see on the following screenshot:


As you can see, it is located in within AppData folder in your user profile. AppData folder is hidden by deafult, so you need to set folder options to actually see it.

When you browse to the folder where Teams meeting add-in is located you can find install log file. It is called meeting-addin-install-logs. When you open it, you can see what was going on with this add-in. However, you can also find a command that is being executed for Teams add-in installation.

This command is:

regsvr32.exe /s /n /i:user "C:\Users\userprofilename\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20077.4\x64\Microsoft.Teams.AddinLoader.dll"

So, I closed the Outlook and I ran command prompt with elevated privileges, and executed this command. After I got command prompt back again, I restarted the Outlook and – Teams add-in was there again Smile.

Take care!

Kako da koristite Teams u školama i vrtićima

Kako je prethodni post sa uputstvima za kreiranje i korištenje besplatnog personalnog Teams tenanta imao jako veliku posjećenost, preko svih mojih očekivanja, nastavljamo u sličnom tonu, za opšte dobro Smile.

Kako sam primijetio da se obrazovne institucije na vrlo različite načine snalaze sa online nastavom, neke sa Teams-om, neke bez Teams-a, odlučio sam da se još malo pozabavim kreiranjem uputstava. Inicijalno, na to me je potakla želja da jednom vrtiću pomognem da se preko Teams-a djeca druže sa učiteljicama. Nakon kreiranja i konfiguracije EDU O365 A1 tenanta, te podešavanja Teams platforme, shvatio sam da korištenje ove platforme treba nekako približiti i učiteljicama a i roditeljima djece, kako bi se online druženja uspješno odvijala. Očekivano, vrlo malo njih je imalo raniji kontakt sa ovom platformom. To je rezultiralo sa uputstvima koja postavljam u ovom postu i na osnovu kojih je pomenuti vrtić uspješno uspostavio online druženja. Jedno je namijenjeno organizatorima sastanaka na Teams-u, a drugo onima koji se na Teams spajaju kao korisnici. Uputstva su pravljena za vrtić, ali sam ih naknadno malo generalizirao, kako bi se mogla lako koristiti i za škole.

Pošto me je dosta ljudi pitalo za ovo, postavljam ih ovdje i iskreno se nadam da će nekome pomoći u ovoj, za sve nas neočekivanoj situaciji. Uputstva ne sadrže dio koji se odnosi na kreiranje Teams-a tenanta na Office 365 A1 paketu – to je dio koji će svakako odraditi neko u IT-u. Srećom, i ta procedura nije teška i dosta lako se završi. Ako imate problema sa ovim, slobodno se javite, pokušat ću pomoći.

Uputstvo za organizatore Teams sastanaka

Uputstvo za učesnike Teams sastanaka

Link za besplatan trial Office 365 A1

Kako da aktivirate besplatan Teams u vrijeme Corone / How to enable free Teams in Corona times

(This post is only in Bosnian/Serbian/Croatian)

Da bih pomogao onima koji danas, vjerovatno više nego ikad, trebaju neku online komunikaciju iz bilo kojih razloga, a ne raspolažu potrebnim vještinama da to omoguće sami, napisao sam ovo uputstvo.

Pomoću koraka opisanih u ovom dokumentu, možete iskoristiti Microsoft inicijativu za besplatno korištenje Teams softvera u svrhu online komunikacije. Na ovaj način se možete brzo i lako povezati sa svima koji imaju Internet konekciju.

Teams aplikaciju za PC računar, Mac ili mobilni telefon možete besplatno skinuti sa Microsoft Teams stranice ili sa iOS/Android app store-a.

Uputstvo koje je tema ovog posta, možete skinuti ovdje.

Passwords, attributes and more in Azure AD and AD DS

Having an Azure AD as your additional or main directory is a good thing. Unlike AD DS, which is built having primarily on-premises environments in mind, Azure AD is much more flexible and more adoptable to today’s hybrid environments. As most of us probably know, Azure AD serves as a directory and as authentication/authorization mechanism for most of services running on Azure. Most commonly, it is used by Office 365. However, it is even more interesting when you use it together with your local AD DS environment. Synchronization between AD DS and Azure AD is very easy to setup – if you don’t need much customization, you can do it in literally few clicks. On the other hand, if you want to customize it or do some fine tuning – you have plenty of options for that.

In this post, I want to emphasize some less known things and facts regarding passwords and attributes of user accounts when using Azure AD in hybrid environment, with locally deployed AD DS.
One of the things that are so desperately missing from AD DS is self-service password reset. Sure, you can implement it on the AD DS if you deploy Microsoft Identity Manager, but usually it’s not worth so much. Azure AD provides you with this functionality out-of-the-box. However, in hybrid, if you use Azure AD Premium P1 or P2, you can use this functionality even for your local AD DS. All you have to do is to configure self-service password reset in Azure AD admin portal, while having password-write back enabled by Azure AD Connect (followed by few PS commands executed locally to set appropriate permissions to write passwords).


Self-service password reset functionality gives users the option to reset their own password without requiring intervention by an administrator. To reset a password, users must do additional authentication of their identity. The following alternative authentication methods are available – Email, Mobile phone, Office phone, Security questions. These alternative authentication methods must be setup by user before actually using this functionality. You can find very good resources on SSPR here: and for password write back, see here:


Users can change their passwords via the login page or user settings in Office 365, and have them written back to on-premises AD DS, when you deploy Office 365 in hybrid scenario.

Let’s see few more useful things about user accounts when used in hybrid environment:

  • If you accidentally delete a user account and a directory synchronization cycle runs, this action will delete the user in Office 365. However, if you have the recycle bin feature enabled in AD DS, you can recover the account from the recycle bin, and the link between accounts is re-established. If you do not have the recycle bin enabled, you might need to create another account with a new GUID.
  • Synchronized user accounts that you delete from your local AD DS will also appear in Deleted users section in Office 365 admin center. However, if you restore this type of deleted user account, it will reappear as account created in cloud and will not be synchronized with local AD DS anymore.
  • Password policy that you configure in the Office 365 applies to user accounts created in Office 365. However, if you synchronize user accounts from your local AD DS, these accounts will be affected by password policy that you configure by using Group Policy in your local domain. Password settings from your local AD DS override password settings in Office 365, for synchronized accounts.
  • You should be aware that for synchronized user accounts with password hash sync, their corresponding cloud account password is set to Never Expire. This means that a user can continue to sign in to Office 365 by using a synchronized password that is expired in your on-premises AD DS. Cloud password for such user is updated when a user changes the password in the on-premises environment.
  • If you have user accounts in your local AD DS that are set to expire at some time, as part of user account management, you should know that accountExpires attribute is not synchronized to Office 365. Because of this, an expired account in your local AD DS, configured for password hash synchronization will still be active in Office 365. It is recommended in this scenario that you have a workflow action that runs a PowerShell script that disables the user’s account in the Office 365.

Office client apps in Office 365 plans – are they all the same?


During discussions with our clients regarding Office 365 plans, I realized that most of the people are not aware of differences in Office client apps that comes with different Office 365 plans. Instead, most people think that all Office 365 plans, that include Office client apps, actually contain same Office client applications (Word, Excel, Outlook,…). For example, Office 365 E3 contains Office client apps as well as Office 365 Business Premium. However, these are not the same (although very similar) Office client apps. This misunderstanding can sometimes lead to wrong licensing decisions and/or missing functionalities. And that’s the reason I’m writing this post.

So, if you decided to license your Office client applications through Office 365 (instead of buying standalone Office package), you should know that we are basically talking about two, very similar but still different, licensing options – Office 365 ProPlus and Office 365 Business. Both can be purchased separately, or as a part of some Office 365 plans.

Office 365 Business is also integrated in Office 365 Business Premium. Similarly, Office 365 ProPlus is integrated in Office 365 Enterprise E3 and E5 license plans.

Although Office 365 ProPlus and Office 365 Business provide very similar functionalities and features, they are not the same product. Users tend to think that Office applications provided in the Office 365 ProPlus package are exactly the same, as the Office applications in Office 365 Business; this is because both versions are installed in a same way and provide almost the same user experience.

Both Office 365 ProPlus and Office 365 Business provide Office client apps such as Word, Excel, PowerPoint, Outlook, Publisher, and Skype for Business. Also, in both versions, you can use these apps on up to five devices per user, and in both versions you have the ability to get Office updates as long as you have valid license.

However, there are number of differences between Office 365 ProPlus and Office 365 Business.

The most important differences are:

• Office 365 Business can be deployed on up to 300 users per organization, while Office 365 ProPlus does not have such a limitation.

• Office 365 ProPlus provides Microsoft Skype for Business application while Office 365 Business does not.

• Office 365 ProPlus allows you to run Office client apps in virtual desktop scenario, while Office 365 Business does not allow this.

• Office 365 ProPlus supports features for archiving and compliance such as Exchange Online and SharePoint Online Archiving and Compliance, while Office 365 Business does not. Besides, you can integrate Office client apps from Office 365 ProPlus with Azure Information Protection. Client applications from Office 365 Business does not fully support integration with Azure Information Protection.

• Office 365 ProPlus supports Group Policy–based deployment configuration. This is not possible with Office 365 Business.

• Office 365 ProPlus provides InfoPath Designer application while Office 365 Business does not. Also, Power Query, Power Pivot and Power View are not supported in Office 365 Business.

As you can see, most of differences are not visible to the end user, but admins should be aware of these differences – especially in medium sized companies that usually go with Office 365 Business Premium as their choice. And yes, this is usually good choice for small and mid-sized companies unless you need some functionality that is available only in Office 365 ProPlus and not in Office 365 Business. For example, if you are running a 100 users company and plan to go with Office 365, you’ll probably think about Office 365 Business Premium. However, if you go this way, and later decide that you want to deploy Azure Information Protection to your clients and have it integrated in Office apps – you will not be able to do that. If you run into this scenario (or already have it) you will need to buy your users Office 365 ProPlus or E3 license.

Out of office – does it make sense anymore?


out_of_office_messageOne of the most common things that almost everyone does is to set out of office (aka. OOF – if you want to know why it is not OOO, see here) message to his/her mailbox account, when leaving the office or workplace for some time.
Some people do it when they plan to be absent for few days or more, some do it even when they are not there for a half of day. And while some try to provide genuine messages with more or less sense of humor (yes, I mean these 404-like messages), most of these messages are typical in a way that 90% of them contain a phrase “limited email or Internet access”. This is mostly used as an excuse for not replying as fast as usual. These days, while I’m on a mini vacation (and out of office), I’m thinking about does this really make sense anymore. Are we really having limited Internet access while we are out of office? Or we have even more Internet access than we usually consume, while on regular activities in the office? It is enough to look people around you, and the answer is pretty clear – being out office, on a vacation or a business trip, actually does not limit our Internet or email access. On the contrary, we mostly doing everything we can to have the Internet access most of the time. Today, it is almost impossible to find a café, restaurant or hotel without Internet access for guests. Some of these facilities care more about their WiFi quality than about their toilets. If you are attending a conference or some business event – free Internet access is mandatory. Yes, sometimes it does not work so fast, and you might not be able to watch HD Youtube videos, but we are talking about email here. You’re not taking your laptop with you? Even if that’s true (which I doubt) how many emails you actually read on your laptop today, not to mention old fashioned desktops? Speaking for myself, I read at least half of my emails on my phone. I also respond to many of them from my phone – when I realized that, I decided that I need a phone with bigger screen.

So, it’s not about being limited with Internet access (and you know it J). Is it about time that we have to answer emails while out of office? Not for me. If I’m on a business trip, I usually have more time for emails than when I’m at my office. My usual working day is full of meetings, and very often, I don’t even open my laptop before afternoon, not mention evenings when I spend time with my family. Actually, when I’m out of office for some business trip, I have more time to read and respond to emails (and I do get a lot of them). I know quite a few people that are faster to respond on email while they are out of office than when they are in the office (whatever that means). Because of this, I’m seriously thinking to start using In-the-office automatic reply for myself. I just need some time to figure out some genuine message that will not make people think I’m crazy.

On vacation, I read emails at least once a day. It is my choice, not saying it’s a right thing to do. It is just that I’ve realized that this is less stressful thing to do, than to have 1000+ unread emails when I’m back. I fully respect those who like to disconnect from email, it just does not work for me.

If it is not about time, and definitely not about having limited Internet access, is it about our willingness to respond to email while out of office? I think it is. Having OOF message on your mailbox is actually a nice way to say “Yes, I’ve probably red your email in about 15 minutes after you sent it, but will not respond for some time because I’m out of office”. If it is an email that requires some action from you, this kind of excuse worth even more J. And because you’re out of office, most people will restrain from calling you on the phone (personally, I dislike phone calls most of the time).
Let me know what you think, in your comments.


These days I’m using Office365 Delve more and more. What really looks very interesting there is My Analytics part. If you didn’t try it so far, and you’re using Office365, I strongly recommend that you do. Among other things, Delve will actually tell you how do you manage your time and especially how you manage your emails. You might be surprised when you look at it. And maybe you realize that you need in-the-office automatic replies more than you think.

Mailbox migration between Exchange organizations–content index issue


When you move mailboxes from one Exchange organization to another, you need to perform several preparation steps, as I wrote before on my blog. However, you can still face several strange issues. One of the issues I have found few days ago was quite strange. When creating migration batch, user object was left in Syncing state for a long time and eventually end up in Failed state. Exploring the migration log discovered this message “Relinquishing job because of large delays due to unfavorable server health or budget limitations”. Not descriptive at all. After some time, I realized that ContentIndexState of the database where source mailbox resides is in Failed state. From that point, things were quite easy to resolve. Run the EMS and execute following cmdlets:

Stop-Service MSExchangeFastSearch
Stop-Service HostControllerService

to stop these two services. After the services are stopped, go to the folder where your mailbox database is stored and delete the Exchange content index catalog for the database (it is in the same folders as database, named as database GUID). After you do it, start the

MSExchangeFastSearch and HostControllerService services by using Start-Service cmdlets. When they are up and running, create and start migration batch again. It will work without issues.

Load Balancing in Exchange Server 2016

Similar as when TMG was EOL, and people were asking how should they publish Exchange services now, now we have a similar question with load balancing of Exchange Server, since support for Windows Network Load Balancing is no more. Architectural changes in Exchange Server 2016 which resulted in having only one server role now (now even Client Access Server is integrated with Mailbox Server) makes impossible WNLB for usage. Reason is simple – you can’t use WNLB and Failover Clustering (required by DAG) on the same pair of machines. However, to be honest, even if this is not the case, WNLB is not a solution that I’d recommend for Exchange load balancing to anyone. It’s too old with too many issues for a critical service like Exchange.
So, obviously, we need an external solution for load balancing client access traffic. In most cases, we are actually talking about HTTPS based traffic, as most Exchange traffic (except for SMTP) is using this protocol.
With Exchange 2013 Microsoft announced that it is not required anymore to go with expensive Layer 7 load balancers for Exchange – you can also use cheaper and simpler Layer 4 balancer for client requests. What’s even better, there’s no need for session affinity anymore. This is because client access services now proxy the connection to any Mailbox Server, and it doesn’t really matter where client actually establish the session. This simplifies the requirements for Exchange load balancers even more.
Let’s see what is the real difference actually, and why should you care about this anyway. You might be surprised that main issue here is actually node health check. Luckily, Microsoft provided a very intelligent way to handle this even with cheap (or free) load balancers. As I’m currently writing a course on Exchange 2016, I’ll use some of my draft materials to clarify this.

Load balancers that work on Layer 4 are not aware of the actual traffic content being load balanced. The load balancer forwards the connection based on the IP address and port on which it received the client’s request and it has no knowledge of the target URL or request content. For example, load balancer on the Layer 4 does not recognize if a client is connecting with Outlook on the Web or with Exchange Active Sync as both connections are using the same port (443). Also, load balancers on the Layer 4 are not able to detect the actual functionality of the server node that is included in load balancing pool. For example, Layer 4 load balancer can detect if one of the servers from the pool is completely down, because it does not responds to PING, but it can’t detect if IIS service on that server is working or not. From the client access perspective, if IIS is not working on the server, it is almost the same as the server is done. However, it will not be marked down by Layer 4 load balancer in this case. Some Layer 4 load balancers can provide simple health check by testing availability of a specific virtual directory, such as /owa, but functionality of one virtual directory does not guarantee that others are also working fine.

Load balancers that work on the Layer 7 of OSI model are much more intelligent. Layer 7 load balancer is aware of the type of traffic passing through it. This type of load balancer can inspect the content of the traffic between the clients and the Exchange server. From this inspection, it gets that results and uses this information to make its forwarding decisions. For example, it can route traffic based on the virtual directory to which a client is trying to connect, such as /owa, /ecp or /mapi and it can use a different routing logic, depending on the URL the client is connecting to. When using a Layer 7 load balancer, you can also leverage the capabilities of Exchange Server 2016 Managed Availability feature. This built-in feature of Exchange monitors the critical components and services of Exchange server and based on results it can take actions.

Managed Availability uses Probes, Monitors and Responders as components that work together. These components test, detect, and try to resolve possible problems. Probe component is used first. It tries to gather information or execute a diagnostic tests for a specific Exchange component. After that a Monitor component is used to evaluate the results that Probe provides. Monitor uses the results information to make the decision whether the component is healthy or unhealthy. If a component is unhealthy, a Responder component can take measures to bring that failed component back to a healthy state. This can include service restart, database failover or, in some cases, server reboot.

If a critical server component is healthy, Managed Availability generates a web page named healthcheck.htm. You can find this web page under each virtual directory, for example, /owa/healthcheck.htm or /ecp/healthcheck.htm. If Managed Availability detects that server component is unhealthy, the health check web page is not available and a 403 error is returned. You can use this to point your load balancer to the health check web page for each critical service.

Layer 7 load balancer can use this to detect functionality of critical services, and based on that information decide if it will forward client connections to that node. If the load balancer health check receives a 200 status response from health check web page, then the service or protocol is up and running. If the load balancer receives a 403 status code, then it means that Managed Availability has marked that protocol instance down on the Mailbox server.

Although it might look that load balancer actually performs a simple health check against the server nodes in the pool, health check web page provides an information about workload’s health by taking into account multiple internal health check probes performed by Managed Availability.

It is highly recommended that you configure your load balancer to perform the node health check based on information provided by Managed Availability feature. If you don’t do this, then the load balancer could direct client access requests to a server that Managed Availability has marked unhealthy. At the end, this results in inconsistent management and negative user experience.