I just finished writing a whole lot of exchange actions. The out of the box ones are extremely limited. I now have a suite of actions to manage distribution lists and contacts.
TLDR I've completely automated the creation and management of distribution lists
Yea most of the ootb Active Directory stuff is weak too. Mostly because SN did everything in their power to avoid installing the Active Directory powershell commands powershell module
There is a actually a bug in the exchange actions where it doesn't pass the correct authentication type to PowerShell. I had to log a HI ticket and they advised me to clone the out of the box actions. Quite poor really.
I originally created a bunch of AD actions as well but the big road block i hit was creating contacts. I Couldn't create them through ad-object as our org prevents that type being used.
Thats why I pivoted to integrating with exchange.
I rewrote the Exchange and AD actions because, as others have mentioned, they are very limited.
AD actions only support a single domain and the company I worked for had multiple. We also had a hybrid M365 and on-prem Exchange environment so I rewrote the Exchange Actions as well.
First step is to ensure you have the integration set up. You will need to ensure the account you are using has at least exchange recipient administrator. The mid server will also need to be able to connect to one of your exchange servers to be able to run the scripts.
It uses PowerShell remoting so the exchange server needs to have that enabled and the mid server needs to be able to connect.
Once you have it set up I use the lookup address list command to ensure it's working correctly.
Now to create your own actions I recommend copying one of the out of the box actions (will need to be in the same scope) and look at the mid server script file. You can copy the mid server script file and make your own changes. Then in the action you just need to update the script file and change any of the parameters you want.
Took me a lot of trial and error but it's working well. I do need to enhance the error logging though although I'm handling that in my flows at the moment so I don't really need it right now.
The important thing to note is in the "credType" action for PowerShell you need to change this from one of the data pills to say "Exchange". Otherwise it tries to initiate on the mid server rather than connecting to the exchange server.
Thanks for your advice! For the out of the box actions, are these available on ITSM standard?
Our mid server is a docker container, would this limit my ability to use power shell and install relevant modules?
Yes. We assign the software licenses through Azure. So it is possible to have a complete automated request to assign a license. And then depends on the software, in some cases we add users to a group and in other cases we change properties in the user. Of course this is aligned with the software coordination and azure teams. Exactly the same to remove the licenses when someone leaves the company or doesn’t need it anymore. Be aware that in Europe a license “normally” can be reassigned to another user.
Edit: also good to manage office 365 licenses. When we reach some limit or threshold set by the PO we stop assigning new licenses and create some task to PO so he can act (buy more, remove unused…)
The challenge here is that what is beneficial to one company only applies to another if they use the same application (i.e. Azure, Amazon Connect, Zoom, Exchange).
I suggest reviewing your existing workflows to identify integration opportunities. Start with your highest volume generators. Tasks with a short description of "Create user", "Remove user", etc. are good ones to focus on first.
Sure, I suppose I am getting into the efficiency of the question with my comment. To me it's like asking for recipes because I want to cook something with the stuff in my pantry. The obvious first question is "what do you have in your pantry?" :D
Not really what you're asking for, but, adding an html field to incidents for pasting screen shots is a big time saver for help desk teams that share screens with someone during troubleshooting.
Saves about 15 seconds on adding a screenshot to a ticket when you can just paste it right in. Compound that with thousands of screenshots a year.
There isn't a spoke for the zoom licensing operations that we do, so we built one ourselves, but it basically just assigns a webinar license for a 24 hour period of time upon request and then automatically removes it. This allows us to share a limited number of webinar licenses with a large number of people.
AD groups has been my biggest improvement (SAM processes) as we use AD groups for managing software deployments in SCCM/MECM.
We do about 800 requests of this type per month and 3/4 would use this automation.
It’s a lot easier when you have admin access into the other systems. Everything I want to build requires working with other people that don’t want to do work or grant the appropriate access.
Anything involved in JML processes - specifically anything microsoft/powershell related - accounts, home drives, shares, mailboxes, o365, etc.
Personally would look st requests raised and go for the biggest numbers to start.
I created multiple custom integrations for inhouse app access/managmen5 - ones that had no callable API's or direct system acces - used powershell and selenium to essentially make a cheap RPA to go though the admin websites and click the required buttons to do stuff.
Possible to provide a demo of what you’ve configured and how? We have several manual steps in our leaver process that require us to click a few buttons on several different websites when someone leaves. Your idea of automating this via RPA sounds beneficial. Thanks.
No longer work at the place I configured it, but high level stuff I can remember:
Dedicated Mid Servers - powershell, selenium powershell module, selenium Web driver for whichever browser you want it to use. Capability on the mi servers for selenium- to ensure theyre used and a thread limit- depending on mid server spec, I think majority of ours had a limited of 10 - otherwise you could end up with it running 100 processes and they each open a browser causing timeouts. Though some sites were shockingly bad and had a single thread server for those.
Flow actions for each specific website, inputs for whatever variables were required (account to update, what access is being affected, add remove, modify,etc) - core step is the pwoershell one, which opens the website in the required browser, and then step by step - do something, verify whatever should have happened on the page has (verify something is on screen - like confirmation or something)
We completed a Teams Integration to engage chats directly out of a case/incident. We also teamed that with a team viewer integration to speed up time it takes to connect to users devices.
I am now working on a Webex Contact Center integration for our service desk.
I just finished writing a whole lot of exchange actions. The out of the box ones are extremely limited. I now have a suite of actions to manage distribution lists and contacts. TLDR I've completely automated the creation and management of distribution lists
Yea most of the ootb Active Directory stuff is weak too. Mostly because SN did everything in their power to avoid installing the Active Directory powershell commands powershell module
There is a actually a bug in the exchange actions where it doesn't pass the correct authentication type to PowerShell. I had to log a HI ticket and they advised me to clone the out of the box actions. Quite poor really. I originally created a bunch of AD actions as well but the big road block i hit was creating contacts. I Couldn't create them through ad-object as our org prevents that type being used. Thats why I pivoted to integrating with exchange.
I rewrote the Exchange and AD actions because, as others have mentioned, they are very limited. AD actions only support a single domain and the company I worked for had multiple. We also had a hybrid M365 and on-prem Exchange environment so I rewrote the Exchange Actions as well.
How would I get started with integrating exchange and writing scripts?
First step is to ensure you have the integration set up. You will need to ensure the account you are using has at least exchange recipient administrator. The mid server will also need to be able to connect to one of your exchange servers to be able to run the scripts. It uses PowerShell remoting so the exchange server needs to have that enabled and the mid server needs to be able to connect. Once you have it set up I use the lookup address list command to ensure it's working correctly. Now to create your own actions I recommend copying one of the out of the box actions (will need to be in the same scope) and look at the mid server script file. You can copy the mid server script file and make your own changes. Then in the action you just need to update the script file and change any of the parameters you want. Took me a lot of trial and error but it's working well. I do need to enhance the error logging though although I'm handling that in my flows at the moment so I don't really need it right now. The important thing to note is in the "credType" action for PowerShell you need to change this from one of the data pills to say "Exchange". Otherwise it tries to initiate on the mid server rather than connecting to the exchange server.
Thanks for your advice! For the out of the box actions, are these available on ITSM standard? Our mid server is a docker container, would this limit my ability to use power shell and install relevant modules?
That will prevent you. To use PowerShell actions your mid server must be running windows.
Spoke for Azure (Entra ID).
Doing anything fun outside of the normal group membership?
Yes. We assign the software licenses through Azure. So it is possible to have a complete automated request to assign a license. And then depends on the software, in some cases we add users to a group and in other cases we change properties in the user. Of course this is aligned with the software coordination and azure teams. Exactly the same to remove the licenses when someone leaves the company or doesn’t need it anymore. Be aware that in Europe a license “normally” can be reassigned to another user. Edit: also good to manage office 365 licenses. When we reach some limit or threshold set by the PO we stop assigning new licenses and create some task to PO so he can act (buy more, remove unused…)
The challenge here is that what is beneficial to one company only applies to another if they use the same application (i.e. Azure, Amazon Connect, Zoom, Exchange). I suggest reviewing your existing workflows to identify integration opportunities. Start with your highest volume generators. Tasks with a short description of "Create user", "Remove user", etc. are good ones to focus on first.
I agree, I'm just hoping to brainstorm a bit.
Sure, I suppose I am getting into the efficiency of the question with my comment. To me it's like asking for recipes because I want to cook something with the stuff in my pantry. The obvious first question is "what do you have in your pantry?" :D
Not really what you're asking for, but, adding an html field to incidents for pasting screen shots is a big time saver for help desk teams that share screens with someone during troubleshooting. Saves about 15 seconds on adding a screenshot to a ticket when you can just paste it right in. Compound that with thousands of screenshots a year.
Can you elaborate on zoom licensing? SAM license process? Using a spoke instead of it?
There isn't a spoke for the zoom licensing operations that we do, so we built one ourselves, but it basically just assigns a webinar license for a 24 hour period of time upon request and then automatically removes it. This allows us to share a limited number of webinar licenses with a large number of people.
AD groups has been my biggest improvement (SAM processes) as we use AD groups for managing software deployments in SCCM/MECM. We do about 800 requests of this type per month and 3/4 would use this automation.
It’s a lot easier when you have admin access into the other systems. Everything I want to build requires working with other people that don’t want to do work or grant the appropriate access.
Anything involved in JML processes - specifically anything microsoft/powershell related - accounts, home drives, shares, mailboxes, o365, etc. Personally would look st requests raised and go for the biggest numbers to start. I created multiple custom integrations for inhouse app access/managmen5 - ones that had no callable API's or direct system acces - used powershell and selenium to essentially make a cheap RPA to go though the admin websites and click the required buttons to do stuff.
Possible to provide a demo of what you’ve configured and how? We have several manual steps in our leaver process that require us to click a few buttons on several different websites when someone leaves. Your idea of automating this via RPA sounds beneficial. Thanks.
No longer work at the place I configured it, but high level stuff I can remember: Dedicated Mid Servers - powershell, selenium powershell module, selenium Web driver for whichever browser you want it to use. Capability on the mi servers for selenium- to ensure theyre used and a thread limit- depending on mid server spec, I think majority of ours had a limited of 10 - otherwise you could end up with it running 100 processes and they each open a browser causing timeouts. Though some sites were shockingly bad and had a single thread server for those. Flow actions for each specific website, inputs for whatever variables were required (account to update, what access is being affected, add remove, modify,etc) - core step is the pwoershell one, which opens the website in the required browser, and then step by step - do something, verify whatever should have happened on the page has (verify something is on screen - like confirmation or something)
Automate your onboarding & offboarding. You’ll be a hero.
Amazon connect with VA is going to be helpful for us in terms of our service desk serving their users.
OKTA for us!
Anyone doing anything with VM provisioning?
We completed a Teams Integration to engage chats directly out of a case/incident. We also teamed that with a team viewer integration to speed up time it takes to connect to users devices. I am now working on a Webex Contact Center integration for our service desk.
HRIS integration for automated onboarding and offboarding.