Turning Office 365 Off at the Weekend

Posted on April 20, 2017 by Tony Redmond in Office, Office 365 with

France Weekend

France Says No to Weekend Working

The French El Khomri law that allows “the full exercise by the employee of his right to disconnect and implementation by the company of devices to regulate the use of digital tools” came into effect on January 1, 2017. The law gives employees the right to avoid the use of IT systems, including Office 365, at weekend and holiday periods. The exact details of how employees can disconnect are subject to discussions within individual companies and agreement between management and bodies such as workers’ councils.

 

 

The logic behind the new law is that everyone deserves the right not to be disturbed by work interruptions when they are at home or on vacation and should be spending time with their families. It is hard to argue against the intent of the law. It seems like everyone is interrupt-driven today and our lives are governed by the squeaks, beeps, and other noises emitted by PCs and other devices. Tools like MyAnalytics allow people to measure how much time they spend on activities outside normal working hours, but it is unclear how effective this data is in persuading corporate employees to ease back.

Hence the new requirement on companies operating in France to come to some arrangement to protect employees against overwork caused by “digital tools”. It is easy to imagine how to cut off IT for on-premises servers. After all, the easiest thing in the world is to power down all systems over the weekend and during public holidays. Or simply disconnect the external network.

But Office 365 isn’t Designed for France

Things are more complex with Office 365. First, Office 365 is a massive multi-tenant environment where work from different tenants is intermingled on servers. For instance, mailboxes from one tenant can exist in the same database as those from other tenants. Second, although Office 365 operates in different datacenter regions, most of those regions span multiple countries and therefore multiple legislative environments.

Last, it is up to individual companies to discuss and determine arrangements with their staff Every company is different. Some will only have French employees, others will operate inside and outside France. Some will operate on a classic 9-to-5 basis, others must maintain business operations on a 24×7 basis. Some employees will need access at the weekend because of their jobs while others will cheerfully never want to see an IT system on a weekend. And anyway, the lines of what a weekend is have blurred as different cultures combine in heterogeneous societies. All of this proves that it would be terrifically difficult for Office 365 to provide a single out-of-the-box answer for French companies.

PowerShell to the Rescue

Which leaves us with PowerShell. Again!

Conceptually, it is easy to list the steps necessary to block user access for specific periods.

  • Identify the users to block.
  • Identify the times for a block to be active.
  • Block the users’ credentials during the designated periods.

Setting a flag can identify the users to block. For instance, if you use Exchange Online, you could use one of the custom attributes. In this example, we populate the CustomAttribute12 property for a mailbox with “Weekend”.

If you do not use Exchange Online, you must pick an attribute that exists for the user’s Azure Active Directory account and use that. However, most of those attributes are used to hold information like the user’s address and phone numbers that are visible to users, so there is no obvious good answer. In either case, once you have marked the users to block, you then need to have some method to prevent access to Office 365, Fortunately, this is easily done by blocking user credentials. Two steps are required. First, we assemble the set of mailboxes to process. We then block their account credentials. Here is some simple code that does the job.

This code relies on the value of the WindowsEmailAddress property for the mailbox being the same as the User Principal Name for the account. This is the desired state, but the two values might not match.

Assuming everything works, Office 365 blocks the user’s credentials. Any attempt to connect results in an “account locked” error (Figure 1).

Office 365 blocks a user account

Figure 1: Office 365 blocks a user account (image credit: Tony Redmond)

To unlock the account, we reverse the process and run the Set-MsolUser cmdlet to set the BlockCredential switch for each account to False. For example:

More Work to Do

Of course, this is only an outline of the work that’s needed to block users. You’d also have to set the dates to block and schedule scripts to block access. For instance, you might disable access at 6PM on Friday and allow access again at 8AM on Monday. Some error handling and logging would be nice and you’d have to accommodate exceptions and so on. In other words, a few lines of PowerShell are not a complete solution.

Sponsored

Other solutions are suggested elsewhere (here’s one example), some of which are pretty inventive. If you’re in the position where management asks you to implement a block, it is worthwhile checking out what others have done or investigated before making up your mind. Bear in mind that Office 365 now covers a host of different applications and clients, so your solution needs to be workload-independent. That’s why blocking credentials is such a good approach.

One thing’s for sure. Don’t expect Microsoft to offer a solution. They want you to use Office 365 all the time. Even at weekends.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.

Tagged with , , , , ,

Register for this upcoming webinar on Petri.com
Webinar: Accelerate Smart Factory ROI with Deloitte and HPE’s Digital IoT

Join HPE and Deloitte for a discussion on how to take advantage of IT and OT convergence to deliver the Factory of the Future

Tuesday, October 24, 2017
at 2 p.m. EST

Register for this upcoming webinar on Petri.com
Webinar: Accelerate Smart Factory ROI with Deloitte and HPE’s Digital IoT

Join HPE and Deloitte for a discussion on how to take advantage of IT and OT convergence to deliver the Factory of the Future

Tuesday, October 24, 2017
at 2 p.m. EST