Managing Teams in Multiple Tenants

So I work in multiple M365 tenants, and even after years of UserVoice feedback and more complaints, Teams is dead awful at working between two tenants. It only gets worse if you ever decide to try guest accounts in Azure, which really just add MORE accounts to switch between.

That said, I work primarily in two tenants and was recently going over with some of my team how I manage both. So here goes.

First, some short pointers.

  1. Choose your primary tenant. This is the one you sign into the desktop apps with.
  2. Chromium-based Edge with signed-in profiles can help this effort.
  3. Signing into the Azure tenant on your Windows machine via ADAL can also ease the pain.

Sidenote: using ADAL, where you sign into Azure via Windows, is probably not required. It can make things a bit easier by allowing Edge to leverage ADAL when you HAVE to switch between profiles, because you are already signed in.

With that said, I have seen issues with setting up a secondary synced profile in Edge that isn't first attached via ADAL IF your first profile IS synced via ADAL. So if you run into issues, setting up the "work account" in Windows settings can help.

Once you have a primary selected and signed in, you should also sign into Edge and sync the profile with your M365 account. It makes moving machines and upgrades easier as well, and since this is typically a work use case, privacy concerns here basically go out the window.

Once the initial setup is done, it's time to set up your secondary account. The basic steps are:

  1. Sign into a secondary profile in Edge and sync it with your other tenant.
  2. Enable automatic profile switching.
  3. Configure the default profile for external links to use your primary profile. This makes sure any links clicked in places like Outlook open in your primary profile.
  4. Go to profile preferences for sites and add overrides for your secondary tenant. Commonly used ones include shortname-my.sharepoint.com for OneDrive links etc. Anything that uses the secondary M365 tenant can go here.

So now any links going to your secondary tenant should open in a profile that is also using cached credentials and is signed into that tenant. This avoids the warning that is thrown in a browser session if you switch accounts in another tab. What's worse, if you hit "refresh" you pretty much just get dumped to a generic landing page in whatever tenant you are signed into.

Now for the Teams part. Edge can make any website an "app" in Windows. It's basically just Edge in a hybrid kiosk mode, but it makes the application launchable from the Start menu and lets you pin it to your taskbar.

So open your secondary profile in Edge, head to teams.microsoft.com and log in. Then hit your ... menu, go to Apps and choose "Install this site as an app."

Click through the confirmation, select whether you want this to auto-start, pin to the desktop etc., and hit Allow.

If you ever want to remove it, simply right-click the app in the Start menu and hit Uninstall.

The next change worth making is going back to the Edge browser version of Teams, clicking the security lock and setting the site permissions (microphone etc.) to Allow. This lets you join meetings and such without any prompts to allow the mic.

One last thing I do is modify my notification settings in any Teams tenant that isn't my primary and set the missed activity emails to ASAP. This ensures I don't miss any messages, within reason, as I should also see them in email.

And voilà, I now have two independent versions of Teams on my desktop that I can use from my taskbar.

Moving HTMLy to a new server

One of the reasons I host using HTMLy is that it is quite simple: no DBs to manage, just PHP and some .md files.

I have been upgrading many of my servers that run on 18.04, and sometimes PHP doesn't make this as easy as it should be. My old instance ran on Apache. Nothing against Apache; I am just increasingly more familiar with NGINX. A do-release-upgrade failed, and rather than take the time to properly fix the post-upgrade issues, I just rolled a new VPS (and saved some cash) and moved my files.

The process was fairly simple, though.

  1. Build the new server; install and configure SSH, firewall, user etc.
  2. Install php-fpm and nginx.
  3. Configure nginx.
  4. Copy the web root files from the old server to the new one.
  5. Set up my rsync accounts and re-configure my backups.

This is all pretty boilerplate stuff. I use UFW for the firewall and simply limit SSH connections to the known IPs I tend to work from. I configure SSH with the normal hardening, like limiting access to groups, only using key-based auth etc.

PHP-FPM needs nothing special, though NGINX did need some tweaking. The recommended config, at least for Debian/Ubuntu, works out of the box. I am not using php-cgi or TCP sockets but rather the default Unix socket.

Here is the sample config that works.

server {
    listen 80;
    listen [::]:80;

    server_name wallyswiki.com www.wallyswiki.com;
    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log error;

    location / {
            try_files $uri $uri/ /index.php?$args;
    }

    # Commented out as it broke the admin pages
    #location ~ /config/ {
    #    deny all;
    #}

    # pass PHP scripts to FastCGI server
    # (the dot is escaped so the regex matches a literal ".php" suffix,
    # not any single character followed by "php")
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
    #
    #       # With php-fpm (or other unix sockets):
            fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    #       # With php-cgi (or other tcp sockets):
    #       fastcgi_pass 127.0.0.1:9000;
    #       fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include        fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one (escaped dot: literal "/.ht" prefix)
    location ~ /\.ht {
            deny all;
    }
}

After this it's simply a matter of setting up certbot/Let's Encrypt.

Finally, since there is no DB or anything else to migrate, you can simply copy over your files and make sure the permissions (namely the www-data:www-data user and group) are set properly.

For me, I simply created a tar file, used SCP to copy it over and extracted it. You could easily do this with rsync as well, which would be especially useful if you are trying to keep multiple locations in sync.
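The tar-and-copy step above, as an added example that is not from the original post: it goes a little beyond the post by writing a SHA-256 manifest into the web root before packing, checking it after extraction on the new host, and normalising file modes. The directory layout and file contents are constructed for the demo, and the chown to www-data:www-data is left to the caller because it needs root.

```shell
#!/bin/sh
# Added example, not from the original post: pack the HTMLy web root with a
# SHA-256 manifest, unpack it on the new host, verify every file arrived intact
# and normalise permissions. Paths are constructed for the demo; the final
# chown to www-data:www-data is left to the caller because it needs root.
set -eu

# pack_webroot SRC_DIR TARBALL: write MANIFEST.sha256 inside SRC_DIR, then tar it.
pack_webroot() {
    src="$1"; tarball="$2"
    ( cd "$src" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$src/MANIFEST.sha256"
    tar -C "$src" -czf "$tarball" .
}

# unpack_and_verify TARBALL DEST_DIR: extract and check the manifest.
# Fails (non-zero) if any file is missing or differs from the source.
unpack_and_verify() {
    tarball="$1"; dest="$2"
    mkdir -p "$dest"
    tar -C "$dest" -xzf "$tarball"
    ( cd "$dest" && sha256sum -c --quiet MANIFEST.sha256 )
}

# fix_permissions DIR: directories 750, files 640, so the server's group can
# read the site but nothing is world-readable; run chown separately as root.
fix_permissions() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# demo: round-trip a constructed mini site through a temp dir, then show that
# a modified file is caught. Returns 0 when both checks behave as expected.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/old/system/config" "$work/old/content"
    printf '<?php echo "hi";\n' > "$work/old/index.php"
    printf 'site.url = "https://example.invalid"\n' > "$work/old/system/config/config.ini"
    printf '# First post\n' > "$work/old/content/post.md"
    pack_webroot "$work/old" "$work/site.tgz"
    unpack_and_verify "$work/site.tgz" "$work/new"
    fix_permissions "$work/new"
    [ "$(stat -c %a "$work/new/index.php")" = "640" ] || return 1
    printf 'tampered\n' >> "$work/new/index.php"
    if ( cd "$work/new" && sha256sum -c --quiet MANIFEST.sha256 ) >/dev/null 2>&1; then
        return 1  # tampering went unnoticed
    fi
    rm -rf "$work"
}
```

On a real migration, run pack_webroot on the old host, scp the tarball, then unpack_and_verify and fix_permissions on the new one before the chown.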

UPDATE

I noticed RSS wasn't working. Nginx was throwing the following in error.log:

2023/05/12 00:33:36 [error] 16320#16320: *1090 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Uncaught Error: Class "SimpleXMLElement" not found in /var/www/html/system/vendor/suin/php-rss-writer/src/Suin/RSSWriter/SimpleXMLElement.php:9

SimpleXMLElement comes from PHP's XML extension, so I simply installed php8.1-xml and the issue was fixed:

sudo apt install php8.1-xml
sudo service php8.1-fpm restart
sudo service nginx restart

Downgrading Unifi AP Firmware

So you might have tried upgrading your Unifi devices via the controller and for some reason it did not work. Usually this means that the download of the firmware file failed, and chances are high this happens for one of your switches. In my use case I am manually upgrading the US-8-60W.

First, download the latest .bin file from the Downloads page. Make sure to put it in the Downloads folder on your MacBook in order to follow the steps specified below; otherwise adjust accordingly.

Open the Terminal app and copy the firmware over:

scp ./US.bcm5334x_5.43.23+12533.201223.0319.bin ubnt@10.0.1.2:/tmp/fwupdate.bin

If this is the first time establishing an SSH connection to the device, it will ask whether you want to continue connecting. Type 'yes' and press Enter.

Enter the password.

If you don't remember the username/password to SSH into your devices, you can check them in your controller: Settings > System Settings > Controller Configuration > Device SSH Authentication. If you have not set it up yet, you can do so now.

The Terminal will show the progress of uploading the .bin file to /tmp/fwupdate.bin, which for me took about 20 seconds.

After the file is uploaded, SSH into the device and execute the upgrade command:

ssh ubnt@10.0.1.2

Enter the password (the same user/password you used to upload the file). Then:

syswrapper.sh upgrade2 &

You will see the progress again; in total just give it 5 minutes, then reload the controller to verify the upgraded firmware version.

That’s it.
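The manual scp/ssh procedure above wrapped with pre-flight checks, as an added example that is not from the original post: the image is checked for existence, extension and a SHA-256 hash before anything is pushed to the device, so a failed or truncated download (the very problem the post starts from) never gets flashed. The expected hash is a placeholder to take from the Downloads page; device address, user and upgrade command are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before pushing
# a firmware image to a UniFi device the way the post does by hand.
# EXPECTED_SHA256 is a placeholder; take the real value from the Downloads page.
# Device address and user are the ones used in the post.
set -eu

DEVICE_USER="ubnt"
DEVICE_IP="10.0.1.2"

# verify_firmware FILE EXPECTED_SHA256: the file must exist and be non-empty,
# carry a .bin extension, and hash to the published value. Returns non-zero
# on any failure so a truncated or wrong download never reaches the device.
verify_firmware() {
    file="$1"; expected="$2"
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    case "$file" in
        *.bin) ;;
        *) echo "not a .bin image: $file" >&2; return 1 ;;
    esac
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "sha256 mismatch for $file" >&2; return 1; }
}

# push_and_upgrade FILE EXPECTED_SHA256: verify, copy to /tmp/fwupdate.bin,
# then run the same upgrade command as the post. StrictHostKeyChecking=accept-new
# (OpenSSH 7.6+) records the device key on first contact and refuses a later
# changed key instead of prompting. The upgrade runs in the foreground here
# (the post backgrounds it in an interactive shell), so the session simply
# stays open until the device reboots.
push_and_upgrade() {
    verify_firmware "$1" "$2"
    scp -o StrictHostKeyChecking=accept-new "$1" "$DEVICE_USER@$DEVICE_IP:/tmp/fwupdate.bin"
    ssh -o StrictHostKeyChecking=accept-new "$DEVICE_USER@$DEVICE_IP" 'syswrapper.sh upgrade2'
}

# Usage (firmware name from the post; the hash is a placeholder to replace):
# push_and_upgrade ~/Downloads/US.bcm5334x_5.43.23+12533.201223.0319.bin "<sha256 from Downloads page>"
```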

Source: https://www.carlobloks.com/blog/manually-upgrading-unifi-firmware/