Tuesday, June 15, 2021

20 Amazing IT Admin Updates for Back to School!!

Education IT admins around the world are already planning for the next Back-to-School (BTS) season. If your organization is returning to in person learning, fully remote, or somewhere in between, Microsoft has you covered. Here are the latest Microsoft 365 product updates and roadmap items you need to know!!

School Data Sync (SDS)

SDS is releasing 11 amazing updates for the upcoming BTS season, including a new enhanced v2.1 CSV data schema for Education Insights Premium, group provisioning support in v2.1 sync profiles, and a several updates to MS Graph APIs for SDS remote management and partner integration scenarios!!

  1. v2.1 CSV Schema Update: SDS is evolving the v2 CSV file schema to include a variety of new data elements like demographics, flags, sessions, parents and guardians, and courses. These new data elements will be used for both SDS provisioning scenarios and Education Insights Premium enhancements, as described later in this post. Of course, the 2.1 schema still contains all of the same Higher Education and K12 data elements we introduced with the initial v2 release last summer. The new data schema is available now within SDS under the v2.1 CSV Sync Profile setup. Learn More

    Item 1 - CSV Schema.png


    Release Planned: Available Now

  2. SDS for Insights: Microsoft recently announced Education Insights Premium, which provides an enriched set of analytics capabilities and reports for organizational leaders within the tenant. To power the experience, SDS is introducing SDS for Insights which merges the data ingested by SDS with the M365 activity data captured and utilized by the Insights App in Teams. The result is enhanced Insights with rich educational context. SDS also ingests organizational data like school memberships, which can be leveraged by Education Insight Premium to school leaders access to Insights for just their school, instead of viewing Insights for the entire organization. Deploying SDS for Insights not only provides more data for Insights, but it also sets and provides the organizational boundaries for delegated access to a subset of Insights reports.

    Item 2 - Insights Premium.png


    Release Planned: Available Now (public preview)

  3. v2.1 Security Group Sync: SDS is adding the ability to create the dynamic Security Groups (SGs) when using the v2.1 CSV format. On the SDS settings page, an IT admin can easily enable the creation of Security Groups like All Teachers, All Students, and School based SGs. Security Groups are broadly useful across M365, and can help IT Admin manage users, devices, and applications across the platform. Find the settings below on the SDS settings page!

    Item 3 - Security Groups.png

    Release Planned: Available Now

  4. v2.1 Administrative Unit (AU) Sync: SDS is adding the ability to create dynamic School based AUs when using the v2.1 CSV format. New v2.1 sync profiles will create and manage these AUs by default, and the AUs will contain every student, teacher, and class within each school. AUs help IT admins enable delegated administrators with AU scoped roles, allowing them to manage subsets of the broader directory and tenant. See the collection of updates related to delegated administration in the M365 Admin Center, which SDS will help you deploy and utilize.

    Release Planned: Available Now

  5. v2.1 Parents & Guardians: SDS is adding the ability to create the Parent and Guardian Contacts when using the v2.1 CSV format. With the introduction of the new relationships.csv, IT admins can now optionally ingest Parent and Guardian data to provision each one as contacts within substrate. These contacts are then used within Teams for Education to send the Weekly Parent Email Digest. Also, stay tuned for new Parent and Guardian use cases coming soon to M365!!

    Item 5 - P and G s.png

    Release Planned: Available Now

  6. v2.1 writing more data to Azure AD: SDS is adding the ability to write more attributes onto synced users and groups in Azure AD. The new optional user extension attributes include grade and school associations which can be utilized by Azure AD Dynamic Groups provisioning engine and are also made available on MS Graph to complement app integration scenarios. New optional Groups attributes will include course title, grade, subject, and term/session details, which also may be used to enrich app integration scenarios and assist with group cleanup processes.

    Release Planned: Available Now

  7. New OneRoster API Providers: SDS has just introduced a collection of new OneRoster API partners and providers for simplified setup and configuration of SDS sync profiles which do not require CSV export and import management. The newly released SDS OneRoster API providers include Arbor Education, Edge Learning, eSchooling, iSAMS, Rediker Software, and Skyward!!

    Item 7 - OneRoster API providers.png


    Release Planned: Available Now

  8. App-Only Sync Profile Management APIs: SDS provides a collection of Remote Management APIs on MS Graph within the broader Education API set. The APIs allow customers and partners to remotely manage and monitor their sync profiles. For Managed Service Providers, this required a persistent Global Admin account within the tenant to facilitate remote monitoring and management of their customers. We are excited to announce support for app-only context within most remote management APIs, to remotely manage and monitor SDS sync profiles across multiple tenants from a single application or system, without requiring a persistent Global Admin account in the tenant.

    Item 8 - Education Graph.png


    Release Planned: Available Now

  9. Sync Status API Update: SDS provides an Get Sync Status API on MS Graph to remotely monitor Sync Profile Status. This API is critical for remote SDS management. The SDS team is introducing several enhancements to the Sync Status API, to ensure alignment and consistency with Sync status reporting through the SDS application’s user interface, for deeper insights into the current state of sync.

    Release Planned: Mid-July 2021

  10. Sync Performance Boost: When you configure SDS to start syncing data, each sync profile runs through a pre-sync validation process. During this process, SDS calls into Azure AD to check for valid/matching users before attempting to sync user data forward. This process can be time intensive and add several hours to first-time sync in large tenants. SDS will now pre-load Azure AD data into the SDS service, allowing pre-sync validation to run locally. The change will exponentially decrease sync times, reducing the validation checks from hours to just a few minutes, allowing the real sync to start and complete much faster.

    Release Planned: Mid-July 2021

  11. Grade Sync adding new providers: Educators shouldn‘t have to copy and paste grades - ever. Grade Sync is the time-saving solution within Teams Assignments that automatically sends grades you enter to your Student Information System (SIS) gradebook. Grade Sync now supports syncing to OneRoster v1.1 compliant providers including verified providers: Aequitas, eSchoolData, Infinite Campus, PowerSchool, and Skyward. Learn More about getting started syncing grades.

    Release Planned: Summer 2021 (private preview)

M365 Admin Center and School Level IT Administration

The Microsoft 365 Admin Center is releasing a brand-new experience for Education IT Admins for BTS! The new experience provides a single and centralized place for delegated School level IT admins to perform and manage the most common administrative tasks across M365 workloads like Azure AD, Teams, Exchange, and SharePoint. This will help central IT teams and Global Administrators focus on higher privileged tasks within M365 while delegating the operational tasks down to others within the organization as appropriate. Using Administrative Unit (AU) scoping and RBAC role assignments, delegates will be empowered to manage the subset of users, groups, teams, and group connected sites associated with their specific school, college, or subset of the broader tenant and directory!!

 

  1. M365 Admin Center UX for School IT: The M365 Admin Center will provide a new streamlined experience for School level IT admins, which allows central IT teams and Global Administrators to delegate many common and repeatable administrative tasks to school level delegates. The solution ensures that school delegates can only manage the subset of users, groups, teams, sites, and objects associated with their school(s). The tasks and permissions within the solution span Azure AD, Teams, Exchange, and SharePoint:
    • Manage Users, Attributes, Reset Passwords, and Assign Licenses
    • Manage Groups, Teams, and Group Connected Sites
    • Manage Email, Chat, External Sharing, and Privacy
    • Manage Memberships and Access
    • (Coming soon) Manage Teams channels, Security Groups, and add Groups and Teams to an AU


    Item 2-1 - MAC Portal.png

    Release Planned: Mid-July (public preview)

  2. Administrative Unit support across Teams, SharePoint, and Exchange: Administrative units provide a way to define the structure of an organization to assist with delegated management. For example, one administrative unit for each school in a district. However, these have solely supported management across users and Azure AD groups. To ensure delegated admins can manage across more Microsoft services, Microsoft extended administrative unit support to Teams, Microsoft Groups, and SharePoint sites. There are also three new scoped administration roles that can be assigned: Teams Admin, SharePoint Admin, and Exchange Recipient Admin. These roles can be assigned to an admin over a particular AU, which grants them rights to manage only the objects within that AU from the Microsoft 365 Admin Center. The AU scoped roles will only provide a targeted subset of the role’s broader functionality, while the un-scoped version of these RBAC roles will continue to allow IT admins to do much more within each service specific admin portal.

    Release Planned: Mid-July (public preview)

  3. Structure your tenant and delegate admin tasks across your organization: Administrative units let you subdivide your organization into a logical structure that meets your needs, and then assign specific administrators that can manage only the members of that unit. For example, you can use administrative units to delegate permissions to administrators so they can control access, manage users, and set policies only in the “School of Engineering,” instead of the entire university.

    Global admins and privileged role admins can create and manage the membership of administrative units in the Microsoft 365 admin center today. We’ve also added 3 new scoped roles, increasing the total number of scoped role assignments a delegated admin can have to 9. We are going to continue adding functionality to the delegated admin experience, including support for bulk user membership assignments and dynamic user membership.

    Item 2-2 MAC with AU Management.png

    Release Planned: Mid-July (public preview)

  4. Delegated Password Reset with Password Writeback Support: One of the most common challenges for EDU IT Admins is the endless student password reset requests. The M365 Admin Center recently released a new streamlined experience for Educators and School Leaders, allowing them to easily perform password resets for their students. To complete the story, M365 Admin Center is adding support for delegated password reset on hybrid Identities with password writeback enabled via AAD Connect Sync!! Now every EDU organization can delegate password reset permissions to Educators and School leaders!!
  5.  

    Release Planned: Mid-July (public preview)

Duty of Care and Student Protection

Many EDU organizations deploy M365 tenants containing multiple schools, sometimes spanning hundreds or even thousands of schools within a single tenant. To protect the students within the tenant for bullying or unintended communications and content sharing, IT admins need a way to set boundaries within the tenant. M365 offers Information Barriers (IB) to provide boundaries for directory visibility, communication, and collaboration. We are pleased to announce a collection of new Information Barrier enhancements planned to release this August tailored for Education.

 

  1. Users in Multiple IB Segments: Many EDU institutions have educators that teach across multiple schools, and to support school segmentation educators must be allowed to exist in multiple segments. In addition, Microsoft recommends IT create an All Staff IB segment and policy to facilitate broad communication and collaboration amongst all educators and staff within the tenant, while keeping students segmented to just the school(s) which they attend. To support these scenarios and provide EDU adequate flexibility in design and implementation, Information Barriers will support assigning users into multiple IB segments.

    Release Planned: August 2021

  2. Support scale of 5K+ IB Segments per Tenant: Microsoft recommends deploying into a single tenant when user populations are 1M users or less for a single organization. To support 1M user tenants with school per school segmentation, Microsoft will begin supporting 5K segments per tenant. This scale increase should empower any 1M user or less organization to deploy M365 in a single tenant model while also protecting the students and their data contained within the tenant.

    Release Planned: August 2021

  3. Support for 4 IB Modes on Groups: User segments and IB policies will restrict people’s ability to see and find other users in a variety of people picker experiences like adding users to a chat and communicating via Teams. In addition, we are introducing IB modes on Microsoft 365 Groups to further strengthen IB compliance. The IB modes will evaluate group membership, access, and sharing controls.

    • Open mode - no restrictions on the group or its content, anyone can be a member of the group.
    • ownerModerated mode - the group membership is restricted to users from within the owner’s IB segments, and allows the owners to share content with other users within their segments.
    • Implicit mode - the group membership is restricted to users within group members IB segments, and content is restricted to the group members.
    • Explicit mode - the group membership is restricted to the users within the segments explicitly stamped on the group by IT admins. Content is restricted to users within the segments on the group and site access permissions.

     

    Release Planned: August 2021

  4. Support IBs based on AU membership: For organizations that have deployed School Data Sync, they are creating an AU per school by default. To help schools onboard and adopt information barriers with ease, Microsoft will support creating IB segments based on the membership of an Administrative Unit. So, once you have setup SDS and have created your school AUs, you can configure an IB policy per school and mirror your School AU memberships with a corresponding School IB segment with ease.

    Release Planned: August 2021

  5. SDS provisioning of groups with IB Mode ownerModerated: School Data Sync will begin creating all Class Groups with IB mode ownerModerated, to prepare organizations for Information Barriers adoption. This setting will allow the educator (owner) to add and invite any other users from the segments which they are a member of, and share content with their segment members, putting them in control of their classes.

    Release Planned: August 2021

  6. IBs + Address Book Policy in the same tenant: Information Barriers will be fully supported by Teams and SharePoint, but Outlook and OWA do not yet support IBs. To mitigate directory exposure and the ability to easily find and communication with others outside of the intended segment(s), Microsoft will support configuring and running both Information Barriers and Address Book Policy within the same tenant, at the same time. This will allow IT to apply segmentation that spans all 3 core workloads - Teams, SharePoint, and Exchange.

    Release Planned: August 2021

Posted at https://sl.advdat.com/3iQ1BIZ