Azure AD – Self-Service Sign-up for Guest Users

A self-service user flow defines the steps a user follows when signing up for an application in your tenant. These applications can be custom-built or SaaS applications. The flow lets users sign up for an app and creates a guest account for them in the Azure AD tenant.

These user flows cannot be used for MS apps like Teams or SharePoint.

Enable self-service sign-up

Before creating a self-service sign-up user flow and adding it to your applications, the feature has to be enabled. Once enabled, the necessary options become available.

  1. Log in to the Azure AD admin portal (https://aad.portal.azure.com/)
  2. In the left menu, click External Identities and then External collaboration settings
External collaboration settings
  3. Toggle Yes for Enable guest self-service sign up via user flows
  4. Click Save

Create user flow for self-service sign-up

Now we’re ready to create a user flow for self-service sign-up and add it to an application.

  1. Under the same External identities section in the above steps, click User flows in the left menu
  2. Select New user flow
  3. Enter a Name for the user flow. The name is automatically prefixed with B2X_1_
  4. Select the Identity providers
    • Azure AD is the default identity provider, which means that users are able to sign up by default with an Azure AD account
    • Google and Facebook, Microsoft Account, and Email OTP are also options
  5. Under User attributes, choose the attributes you want to collect from the user
    • For additional attributes, click on Show more
  6. Click Create
New user flow

Select the Page Layout

We can customize the order in which the attributes are displayed on the sign-up page.

  1. Click on the user flow created
  2. Click on Page Layouts under Customize in the left menu
  3. For my scenario, I’ve reordered the fields and selected optional as No for the fields I consider mandatory
  4. Click Save
Page Layout

Add Application(s) to the user flow

Now, we are ready to associate an application with the user flow:

  1. In the left menu, under Use, select Applications
  2. Select Add application
    • For my scenario, I’m adding the Salesforce application to enable users to do a self-signup
  3. Search for the application and click Select
Add application

This concludes the steps in the Azure AD admin portal

Guest User experience

We can simply provide the application URL to the guest user for them to sign-up.

In my scenario, I’m using the Salesforce application in my environment.

Salesforce login page

When a user tries to log in with their own credentials, they will get the error ‘This account does not exist in this organization’. This means that the user, who belongs to a different Azure AD tenant, doesn’t exist in the home tenant that the Salesforce application is part of.

Login error

The user clicks Create a new one (or Create one!)

Select Sign up with email, then enter an email address and password

Review and click Accept in the Permissions requested by: screen

Note: See in screenshot below, Permissions requested by: is the tenant where the application lives

Fill the necessary information and click Continue

Note: This next screen is a result of how we configured the page layout earlier.

The user is then redirected to the Salesforce landing page. I don’t have anything configured within Salesforce for this specific user.

Salesforce landing page

So, there are a few things to note here:

  • When the user goes through the self-signup process, a guest account is automatically created for the user in the home tenant
  • As in my example, since I don’t have user provisioning enabled with Salesforce, the user still has to be created within Salesforce
    • I only know the basics of Salesforce’s inner workings, but I do have the authentication part configured with Azure AD
    • If you are following this guide and also allowing guest users to log in to Salesforce, have your Salesforce administrator set up this guest user with the user’s home tenant email account
Guest user’s profile
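Because the sign-up flow creates guest accounts without any administrator involvement, it is worth reviewing them periodically. The following script is an added example (not part of the original post) that lists guests created through a self-service sign-up flow; it assumes the AzureAD module with an active Connect-AzureAD session, and the CreationType value 'SelfServiceSignUp' and the 'createdDateTime' key in ExtensionProperty are assumptions about the directory user object that you should confirm against a known self-signed-up guest in your tenant.

```powershell
# Added example, not from the original post. Assumes the AzureAD module and an
# existing Connect-AzureAD session. The CreationType value 'SelfServiceSignUp' and
# the 'createdDateTime' key in ExtensionProperty are assumptions; verify them against
# a guest you know signed up through a user flow before relying on the output.
function Get-SelfServiceSignUpGuest {
    param(
        # Only return guests created within the last N days (0 = no date filter)
        [int]$CreatedWithinDays = 0,
        # Optional CSV path for a review export
        [string]$ExportPath
    )

    $cutoff = if ($CreatedWithinDays -gt 0) { (Get-Date).AddDays(-$CreatedWithinDays) } else { $null }

    $guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
        Where-Object { $_.CreationType -eq 'SelfServiceSignUp' } |
        ForEach-Object {
            $created = $null
            if ($_.ExtensionProperty -and $_.ExtensionProperty.ContainsKey('createdDateTime')) {
                $created = [datetime]$_.ExtensionProperty['createdDateTime']
            }
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                DisplayName       = $_.DisplayName
                Mail              = $_.Mail
                AccountEnabled    = $_.AccountEnabled
                CreatedDateTime   = $created
            }
        }

    if ($cutoff) {
        # Keep only accounts whose creation date is known and falls after the cutoff
        $guests = $guests | Where-Object { $_.CreatedDateTime -and $_.CreatedDateTime -ge $cutoff }
    }

    if ($ExportPath) {
        $guests | Export-Csv -Path $ExportPath -NoTypeInformation
    }
    $guests
}

# Usage: guests that signed themselves up in the last 30 days, exported for review
# (the path is a placeholder)
Get-SelfServiceSignUpGuest -CreatedWithinDays 30 -ExportPath 'C:\tmp\selfservice-guests.csv'
```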

Hope this post helped you in setting up the Azure AD self-service sign-up user flow to an app.

Thank you for stopping by.✌

Teams – Outbound Calling policies for Audio conferencing and user PSTN calls

This one took me a while to understand what was happening and how to resolve it. The Teams audio and calling functions are not something I deal with on a daily basis, but it was a good learning experience.

One of the Teams tenants I manage kept running out of pooled minutes really quickly. I wasn’t actively monitoring the usage, but I did notice the emails from Microsoft warning us that the minutes were almost used up and that users wouldn’t be able to use the PSTN conferencing services for the rest of the calendar month unless more communication credits were added.

What is the deal here exactly?

Each user assigned an ‘Audio Conferencing’ license, which provides a dial-in phone number when they schedule a meeting, contributes 60 minutes per month to a pool of minutes that can be used for inbound or outbound PSTN dialing for meetings. This ‘Audio Conferencing’ license is only needed for users scheduling the meetings. Meeting attendees who dial in don’t need this license. Whether you have deployed Teams in your organization as a full-blown phone system or specifically for meetings, these pooled minutes are only for meetings and are separate from other dial plans (domestic or international) that you may have.

Users with ‘Audio Conferencing’ license are given a default invite number in the same country as what their O365 account’s usage location is set to.

In an example scenario where an organization has 100 users with the ‘Audio Conferencing’ license, 100 x 60 minutes gives you 6000 pooled minutes for your tenant to dial in and dial out of meetings over PSTN. Once the 6000 minutes are consumed, users will no longer be able to dial in or dial out of meetings using the number provided in the meeting invites.

Note: Users can still participate using the Teams meeting clients (desktop or phone app).

Latest Update: Microsoft is extending the audio conferencing capabilities by removing the cost involved to the SKU.

Why users use the PSTN dial-in numbers for Teams online meetings

Personally I love the Teams app, both on the desktop and the phone. And I can tell Microsoft is adding new functionalities over time. I also like it how I can use the phone app for voice and also launch Teams on my desktop and I get an option to ‘add the device’ to the ongoing call on the phone. This way, I can present using the desktop.

Using these VoIP features via the Teams app (phone or desktop) doesn’t incur additional cost to the organization, but there are some scenarios where including a dial-in number in meetings makes sense:

  • Poor or limited internet connectivity
  • Users moving in and out of limited data coverage where voice quality may be better
  • Users having issues with VOIP on their PC and phone app
  • Users are used to the old ways
    • Users lack training in the Teams clients (desktop or phone app)

Determine pooled minutes and usage

To check your PSTN pooled minutes, you can run usage reports in the Teams admin center:

Teams Admin Center –> Analytics & reports –> Usage reports

  • PSTN minute and SMS(preview) pools
  • PSTN and SMS(preview) usage

What is burning precious PSTN minutes

Based on the reports and further reading, I realized the ‘Call me’ feature in Teams is apparently a well-known, heavily used and user-loved feature, a habit that followed users from other conferencing tools.

Users can join a meeting and have the meeting call them, or dial in to the meeting manually.

Screen shot of the Phone audio option.
Screen shot of the Call me option on the Use phone for audio screen.

As I mentioned earlier, the users using this feature didn’t realize they could use their computer audio or the Teams app on their phone. Others thought this was a handy and more convenient feature. What they didn’t know, or didn’t care about, is that the outbound calls were eating those pooled PSTN minutes and affecting the entire organization, including the users who really needed them.

What is the fix?

This can be fixed by educating the users about the VoIP options, using the computer or phone Teams app. And yes, obviously, by putting policies in place in the tenant.

In the Teams admin center, dial-out from meetings can be controlled on a per-user basis:

  1. In the left navigation, select Users, and then select the display name of the user from the list of available users
  2. Under Audio Conferencing, select Edit
  3. Under Dial-out from meetings, select the dial-out restriction option you desire
  4. Select Save

This may resolve the issue by assigning the ‘Don’t allow’ policy to the heaviest users of the ‘Call me’ feature, but more users might start using the feature and you’ll have to monitor the usage constantly.

To prevent this, you can set a tenant level policy based on your requirements and organizational needs. Once the global policy is in place, you can assign a policy on a per-user level.

The following table provides an overview of each policy.

Policy name (value for -PolicyName) and description:

DialoutCPCandPSTNInternational: User in the conference can dial out to international and domestic numbers, and this user can also make outbound calls to international and domestic numbers.
DialoutCPCDomesticPSTNInternational: User in the conference can only dial out to domestic numbers, and this user can make outbound calls to international and domestic numbers.
DialoutCPCDisabledPSTNInternational: User in the conference can’t dial out. This user can make outbound calls to international and domestic numbers.
DialoutCPCInternationalPSTNDomestic: User in the conference can dial out to international and domestic numbers, and this user can only make outbound calls to domestic PSTN numbers.
DialoutCPCInternationalPSTNDisabled: User in the conference can dial out to international and domestic numbers, and this user cannot make any outbound calls to PSTN numbers besides emergency numbers.
DialoutCPCandPSTNDomestic: User in the conference can only dial out to domestic numbers, and this user can only make outbound calls to domestic PSTN numbers.
DialoutCPCDomesticPSTNDisabled: User in the conference can only dial out to domestic numbers, and this user cannot make any outbound calls to PSTN numbers besides emergency numbers.
DialoutCPCDisabledPSTNDomestic: User in the conference can’t dial out, and this user can only make outbound calls to domestic PSTN numbers.
DialoutCPCandPSTNDisabled: User in the conference can’t dial out, and this user can’t make any outbound calls to PSTN numbers besides emergency numbers.
DialoutCPCZoneAPSTNInternational: User in the conference can only dial out to Zone A countries and regions, and this user can make outbound calls to international and domestic numbers.
DialoutCPCZoneAPSTNDomestic: User in the conference can only dial out to Zone A countries and regions, and this user can only make outbound calls to domestic PSTN numbers.
DialoutCPCZoneAPSTNDisabled: User in the conference can only dial out to Zone A countries and regions, and this user can’t make any outbound calls to PSTN numbers besides emergency numbers.

To set the policy at the tenant level, use the following cmdlet, with one of the pre-defined policies from the table above as the ‘policy name’:

Grant-CsDialoutPolicy -PolicyName <policy name> -Global

To check the current policy at the tenant level:

Get-CsOnlineDialOutPolicy -Identity Global

In my scenario, my plan is to set the global dial-out from meetings policy to DialoutCPCandPSTNDisabled and then assign per-user policies based on their needs.

Tenant-level policy

Note: All users of the tenant who don’t have any dial-out policy assigned will get the global policy.

To set the policy at the per-user level:

Grant-CsDialoutPolicy -Identity <username> -PolicyName <policy name>

You can set what is allowed per user using the Teams admin center as covered earlier, or you can use PowerShell to assign a policy to a list of users with the script below. The CSV is expected to have a UserId column holding each user’s sign-in address.

#Connect-MicrosoftTeams
$list = Import-Csv "c:\tmp\user.csv"

foreach ($user in $list) {
    # Assign the 'DialoutCPCandPSTNDomestic' policy to each user listed in the CSV
    Grant-CsDialoutPolicy -Identity $user.UserId -PolicyName "DialoutCPCandPSTNDomestic"
}

You can also export a report of users and the dial-out policy assigned to them:

Get-CsOnlineUser | Select-Object UserPrincipalName,OnlineDialOutPolicy | Export-CSV "C:\tmp\userCallingPolicyReport.csv" -NoTypeInformation
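As an added example (not the post’s own script), the following wraps the per-user assignment and the report above into two functions: the first validates the policy name against the table and confirms each CSV user exists before granting, and the second lists each user’s effective policy, treating an empty assignment as inherited from Global, and flags the accounts whose policy name still permits international outbound PSTN calls. It assumes the MicrosoftTeams module with an active Connect-MicrosoftTeams session and a CSV with a UserId column as in the post; the file paths are placeholders.

```powershell
# Added example, not the post's own script. Assumes the MicrosoftTeams module and
# an existing Connect-MicrosoftTeams session. The CSV layout (a 'UserId' column)
# follows the post; file paths are placeholders.

# The twelve pre-defined dial-out policies from the table above
$ValidDialoutPolicies = @(
    'DialoutCPCandPSTNInternational',     'DialoutCPCDomesticPSTNInternational',
    'DialoutCPCDisabledPSTNInternational', 'DialoutCPCInternationalPSTNDomestic',
    'DialoutCPCInternationalPSTNDisabled', 'DialoutCPCandPSTNDomestic',
    'DialoutCPCDomesticPSTNDisabled',      'DialoutCPCDisabledPSTNDomestic',
    'DialoutCPCandPSTNDisabled',           'DialoutCPCZoneAPSTNInternational',
    'DialoutCPCZoneAPSTNDomestic',         'DialoutCPCZoneAPSTNDisabled'
)

function Grant-DialoutPolicyFromCsv {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$PolicyName
    )
    # Fail early on a mistyped policy name instead of failing once per user
    if ($PolicyName -notin $ValidDialoutPolicies) {
        throw "'$PolicyName' is not one of the pre-defined dial-out policies."
    }
    foreach ($row in Import-Csv -Path $CsvPath) {
        $upn = $row.UserId.Trim()
        # Confirm the account exists so a typo in the CSV is reported, not skipped silently
        $user = Get-CsOnlineUser -Identity $upn -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "User '$upn' not found, skipping"; continue }
        Grant-CsDialoutPolicy -Identity $upn -PolicyName $PolicyName
        Write-Verbose "Granted $PolicyName to $upn"
    }
}

function Get-DialoutPolicyReport {
    param([string]$ExportPath)
    $rows = Get-CsOnlineUser | ForEach-Object {
        # An empty OnlineDialOutPolicy means the user inherits the tenant's Global policy;
        # compare those users against the output of Get-CsOnlineDialOutPolicy -Identity Global
        $assigned = if ($_.OnlineDialOutPolicy) { "$($_.OnlineDialOutPolicy)" } else { 'Global (inherited)' }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            DialOutPolicy     = $assigned
            # Per the table, names ending in PSTNInternational allow international outbound PSTN calls
            AllowsIntlPstn    = $assigned -like '*PSTNInternational*'
        }
    }
    if ($ExportPath) { $rows | Export-Csv -Path $ExportPath -NoTypeInformation }
    $rows
}

# Usage (paths are placeholders)
Grant-DialoutPolicyFromCsv -CsvPath 'C:\tmp\user.csv' -PolicyName 'DialoutCPCandPSTNDomestic'
$report = Get-DialoutPolicyReport -ExportPath 'C:\tmp\dialoutPolicyReport.csv'
$report | Group-Object -Property DialOutPolicy | Select-Object Name, Count   # users per effective policy
$report | Where-Object AllowsIntlPstn                                       # who can still dial internationally
```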

Teams and its audio services are a much broader topic; I covered what applied to the issue I faced. Hope this helps if you encounter the same thing.

Thank you for stopping by.✌

Power BI – Analyze Azure Costs

Most organizations have Enterprise Agreement (EA) accounts for Azure billing. Microsoft offers the Cost Management App which can be used to view and analyze Azure costs using Power BI. The Cost Management App only works with EA accounts.

But you might have situations where you are managing Azure billing under a Customer Agreement. Microsoft has updated the Azure Cost Management connector in Power BI to support Customer Agreement accounts. The Azure Cost Management connector for Power BI Desktop can be used to build powerful, customized visualizations and reports to help us understand Azure spending.

Azure Cost Management allows 3 kinds of connections:

  • Customer Agreement: Common for small business or individual accounts
  • Enterprise Agreement: Accounts used by big organizations where payment goes through via purchase orders and such
  • Billing Profile: This is sort of like a subset of Customer Agreement. Allows us to organize via rules, like, cost-center, department, etc

To proceed further, make sure you have the Power BI desktop App downloaded and installed on your machine.

Determine Billing Information in Azure

To connect to a billing account, we need to retrieve the Billing account ID from the Azure portal:

  1. In the Azure portal, search for Cost Management + Billing
  2. Select Billing profile
  3. In the left navigation menu, under Settings, select Properties
    • Make sure you have at least the Billing account reader role assigned on this billing account
    • This can be determined by clicking on Billing scopes in the left navigation menu or in the Properties tab
  4. Under Billing profile, copy the ID
Billing Account ID

Connect using Azure Cost Management in Power BI

To use the Azure Cost Management connector in Power BI Desktop:

  1. Launch Power BI Desktop
  2. Click Get data from the splash page or from the Home ribbon
  3. Click Azure from the list of data categories
  4. Select Azure Cost Management
Connect Azure Cost Management
  5. Under Choose Scope,
    • To connect to a Billing Account
      • Select Manually Input Scope and input the connection string in the format below, using the {billingAccountId} determined in the earlier section
        • /providers/Microsoft.Billing/billingAccounts/{billingAccountId}
    • To connect to a Billing profile
      • Select Manually Input Scope and input the connection string in the format below; {billingAccountId} and {billingProfileId} can be found in the same Properties tab as in the earlier section
        • /providers/Microsoft.Billing/billingAccounts/{billingAccountId}/billingProfiles/{billingProfileId}
    • To connect to an EA account
      • Select Enrollment Number and type the account number
  6. Enter the number of months of data to load. I’m entering 12 months but this is up to you
    • The Advanced Options can be left blank
  7. Click OK
Azure Cost Management
  8. A Navigator window shows all the available data tables
    • Select a table to see a preview dialog
    • One or more tables can be selected by ticking the boxes beside their names and then clicking Load
      • For the report I have in mind, I only need the Usage details table and I’m selecting it to be loaded
Available Tables

Table and description:

Balance summary: Summary of the balance for the current billing month for EA
Billing events: Event log of new invoices, credit purchases, etc. Microsoft Customer Agreement only
Budgets: Budget details to view actual costs or usage against existing budget targets
Charges: A month-level summary of Azure usage, Marketplace charges, and charges billed separately. Microsoft Customer Agreement only
Credit lots: Azure credit lot purchase details for the provided billing profile. Microsoft Customer Agreement only
Pricesheets: Applicable meter rates for the provided billing profile or EA enrollment
RI charges: Charges associated with Reserved Instances over the last 24 months. This table is in the process of being deprecated; please use RI transactions
RI recommendations (shared): Reserved Instance purchase recommendations based on all subscription usage trends for the last 30 days
RI recommendations (single): Reserved Instance purchase recommendations based on single subscription usage trends for the last 30 days
RI transactions: List of transactions for reserved instances on billing account scope
RI usage details: Consumption details for existing Reserved Instances over the last month
RI usage summary: Daily Azure reservation usage percentage
Usage details: A breakdown of consumed quantities and estimated charges for the given billing profile or EA enrollment
Usage details amortized: A breakdown of consumed quantities and estimated amortized charges for the given billing profile or EA enrollment
Data available through the connector
  9. When we select Load, the data is loaded into Power BI Desktop
    • Depending on the tables you choose, you may be asked to authenticate
    • When the data we selected is loaded, the data tables and fields are shown in the Fields pane
Loaded fields

I built the visualization below using some of these fields.

Visualization showing Azure cost by ResourceGroup Name, Date, Meter and Meter sub-category

The data is there, and you are only limited by the amount of time you have to spend within Power BI and your imagination.😉

I’m a big fan of Tableau and I love creating visualizations. Now I’ve started using Power BI more and more with Azure related stuff. Plus Power BI Pro comes bundled with Office 365 E5.

Hope this post helped you in setting up your Azure cost reports with Power BI.

Thank you for stopping by. ✌

M365 – Manage Group Creation Permission

By default, all users can create M365 groups. Microsoft probably took this approach to make sure users can collaborate without any IT assistance.

This is good, but when it comes to managing Teams and the related resources that get created, it can easily become an IT data governance nightmare. If your organization is in the initial phases of a Teams rollout, IMO it is better to disable the group creation ability for the masses and preferably do a phased approach.

When we disable M365 group creation, it affects all services that rely on groups for access, including:

  • Outlook
  • SharePoint
  • Microsoft Teams
  • Microsoft Stream
  • Yammer
  • Planner
  • Power BI (classic)
  • Project for the web

For a best-of-both-worlds solution, we can designate an Azure AD group whose members are the only users permitted to create M365 groups.

Create an Azure AD Group

To create a new Azure AD group, the New-AzureADGroup cmdlet can be used, or the group can be created from the Azure AD admin portal. I’m naming the group ‘M365 – Group Creators’.

New-AzureADGroup -DisplayName "M365 - Group Creators" -Description "Group that allows users to create M365 groups" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New Azure AD group

Keep in mind this doesn’t prevent users holding Azure AD admin roles that have group creation capabilities from creating new groups.

Set Group Creators

The following needs to be run from PowerShell. Make sure AzureADPreview is installed and that you are connected to Azure AD.

Install-module AzureADPreview
Import-Module AzureADPreview
Connect-AzureAD

Run the following commands to create the Group.Unified directory setting from its template:

$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting
‘..already exists’ error

If you get an ‘..already exists’ error, your tenant already has this setting defined. Proceed with the next steps below:

# Load the existing Group.Unified setting, turn off creation for everyone and name the allowed group
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "<Name of your security group>").objectid
EnableGroupCreation and GroupCreationAllowedGroupId

Use Set-AzureADDirectorySetting as shown below to write back the $Setting variable, which now holds the object ID of the Azure AD group.

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

To determine if the group is now the one allowed to create groups:

(Get-AzureADDirectorySetting).Values
verify settings

Only one group can be used to control the ability to create Microsoft 365 Groups. But, other groups can be nested as members of this group.

In case your organization wants to revert this setting in the future, you can do so by changing EnableGroupCreation to $true and the group value to “”:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $true
$Setting["GroupCreationAllowedGroupId"] = ""
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
(Get-AzureADDirectorySetting).Values
Enable group creation

Usually the setting takes around 30 minutes to take effect. You can verify this by trying to create a group with a user who is not a member of the allowed Azure AD group.
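As an added, idempotent version of the steps above (not the post’s own code), the following function resolves the creator group by exact display name and refuses to continue if the name matches more than one group, creates the Group.Unified setting only when the tenant lacks it, applies the two values, and reads them back. It assumes the AzureADPreview module with an active Connect-AzureAD session; the group name defaults to the one used in the post.

```powershell
# Added example, not the post's own code. Assumes AzureADPreview and an existing
# Connect-AzureAD session. The default group name is the one used in the post.
function Set-M365GroupCreatorGroup {
    param(
        # Display name of the security group allowed to create M365 groups
        [string]$GroupDisplayName = 'M365 - Group Creators',
        # Set this switch to restore the default (everyone can create groups)
        [switch]$AllowEveryone
    )

    $groupId = ''
    if (-not $AllowEveryone) {
        # Exact match on displayName. -SearchString is a prefix match and may return
        # several groups, in which case the one-liner in the post would silently use the first.
        $escaped = $GroupDisplayName -replace "'", "''"
        $groups = @(Get-AzureADGroup -Filter "displayName eq '$escaped'")
        if ($groups.Count -ne 1) {
            throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)."
        }
        $groupId = $groups[0].ObjectId
    }

    # Create the Group.Unified directory setting only if the tenant does not have it yet
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
        New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
        $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    }

    $setting['EnableGroupCreation']        = if ($AllowEveryone) { $true } else { $false }
    $setting['GroupCreationAllowedGroupId'] = $groupId
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

    # Read the values back so the caller sees what the tenant now holds
    (Get-AzureADDirectorySetting -Id $setting.Id).Values |
        Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId' } |
        Select-Object Name, Value
}

# Restrict creation to the group from the post; revert later with -AllowEveryone
Set-M365GroupCreatorGroup -GroupDisplayName 'M365 - Group Creators'
```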

If a user who is a member of the group creators group still can’t create an M365 group, it’s worth checking the OWA mailbox policy. The Get-OwaMailboxPolicy cmdlet can be used to check this:

Get-OwaMailboxPolicy | Select GroupCreationEnabled

If the above output shows ‘False’, you can enable it using the Set-OwaMailboxPolicy cmdlet:

Set-OwaMailboxPolicy -Identity "Name of your OWA Policy" -GroupCreationEnabled $true

Hope this helped you in setting up the policies to disable M365 group creation.

Thank you for stopping by.✌

O365 – Create Distribution Groups using PowerShell

In this post, I’ll go through the steps to create distribution groups in O365 using PowerShell.

Before proceeding further, make sure you are connected to Exchange Online:

$o365cred = Get-Credential
Connect-ExchangeOnline -credential $o365cred

To create a mail-enabled security group (for example, Managers) without specifying any members:

$Name = Read-Host "Enter a name for the DistributionGroup"
New-DistributionGroup -Type "Security" -Name $Name -DisplayName $Name -Alias $Name

To create a mail-enabled security group (for example, Managers) with members:

Note: -Members is a ‘MultiValuedProperty’, and since we input the users comma-separated, we need to split the string on the commas to get an actual array.

$Name = Read-Host "Enter a name for the DistributionGroup"
$Members = Read-Host "Enter email addresses separated by comma"
# Split on commas, tolerating spaces around them, so each address becomes one array element
$Members = $Members -split ' *, *'
New-DistributionGroup -Type "Security" -Name $Name -DisplayName $Name -Alias $Name -Members $Members

To add multiple members to an existing Distribution Group:

$Name = Read-Host "Enter DistributionGroup name to add members"
$Members = "user01@domain.onmicrosoft.com","user02@domain.onmicrosoft.com"
$Members | ForEach-Object { Add-DistributionGroupMember -Identity $Name -Member $_ }

To import members from a csv and add to an existing Distribution Group:

$Name = Read-Host "Enter DistributionGroup name to add members"
# The CSV is expected to have a 'member' column with one address per row
Import-Csv "C:\tmp\members.csv" | ForEach-Object {
    Add-DistributionGroupMember -Identity $Name -Member $_.member
}

To determine existing distribution group members for a distribution group:

To set a distribution group to accept messages from both authenticated (internal) and unauthenticated (external) senders:

Note: If you don’t specify this parameter while creating the distribution group, the default value is ‘true’, meaning messages from unauthenticated (external) senders are rejected.

$Name = Read-Host "Enter DistributionGroup's name to allow external senders"
Set-DistributionGroup -Identity $Name -RequireSenderAuthenticationEnabled $false

To change an existing distribution group’s name:

$Name = Read-Host "Enter name of existing group to be renamed"
$NewName = Read-Host "Enter new name"
Set-DistributionGroup -Identity $Name -Name $NewName -DisplayName $NewName -Alias $NewName
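Putting the steps above together, here is an added example (not from the original post) that creates the mail-enabled security group if it does not exist yet, adds members from a CSV while skipping malformed addresses and members already present, optionally opens the group to external senders, and returns the resulting membership. It assumes an active Connect-ExchangeOnline session and a CSV with a member column as used earlier; the alias derivation, the address regex and the paths are assumptions.

```powershell
# Added example, not from the original post. Assumes an existing Connect-ExchangeOnline
# session and a CSV with a 'member' column. Alias derivation, the address regex and
# the file path are assumptions.
function Sync-DistributionGroupFromCsv {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$CsvPath,
        # RequireSenderAuthenticationEnabled defaults to $true (external senders rejected);
        # this switch turns it off, as in the Set-DistributionGroup step above
        [switch]$AllowExternalSenders
    )

    # Create the group only if it is missing. The earlier snippets reuse $Name as the alias,
    # which fails for names containing spaces, so strip non-alphanumerics for the alias.
    $group = Get-DistributionGroup -Identity $Name -ErrorAction SilentlyContinue
    if (-not $group) {
        $alias = $Name -replace '[^A-Za-z0-9]', ''
        $group = New-DistributionGroup -Type Security -Name $Name -DisplayName $Name -Alias $alias
    }

    # Current members, normalised to lower-case SMTP addresses, so re-running is a no-op
    $existing = @(Get-DistributionGroupMember -Identity $Name -ResultSize Unlimited |
        ForEach-Object { "$($_.PrimarySmtpAddress)".ToLower() })

    $addressPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    foreach ($row in Import-Csv -Path $CsvPath) {
        $addr = "$($row.member)".Trim().ToLower()
        if ($addr -notmatch $addressPattern) {
            Write-Warning "Skipping malformed address '$addr'"
            continue
        }
        if ($addr -in $existing) { continue }   # already a member
        Add-DistributionGroupMember -Identity $Name -Member $addr
    }

    if ($AllowExternalSenders) {
        Set-DistributionGroup -Identity $Name -RequireSenderAuthenticationEnabled $false
    }

    # Return the membership as it stands after the sync
    Get-DistributionGroupMember -Identity $Name -ResultSize Unlimited |
        Select-Object Name, PrimarySmtpAddress
}

# Usage (path is a placeholder)
Sync-DistributionGroupFromCsv -Name 'Managers' -CsvPath 'C:\tmp\members.csv'
```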

Thank you for stopping by. ✌