Install AAD Connect if you installed version

Thursday, April 1, 2021

Microsoft released AAD Connect as a download-only version. Although it includes significant changes, including updating the software to use the new AAD V2 endpoint, it was not offered as an automatic update. Turns out that was a wise decision since it breaks the Azure AD Connect Health feature.

Release status

3/31/2021: Released for download only, not available for auto upgrade

Bug fixes

  • This release fixes a bug in version where, after upgrade to that release, the Azure AD Connect Health feature was not registered correctly and did not work. Customers who have deployed build are requested to update their Azure AD Connect server with this build, which will correctly register the Health feature.

If you installed build (either first-time install or as a manual update), please update ASAP to the newest build. Get it here: Download Microsoft Azure Active Directory Connect from Official Microsoft Download Center

You cannot migrate mailbox off of Office365 while the mailbox has a connected account enabled

Thursday, March 25, 2021

Exchange hybrid is the only Microsoft migration method that allows you to move mailboxes in both directions between Exchange and Office 365.

I'm working with a customer who is offboarding their mailboxes from Exchange Online back to Exchange Server 2016. Several mailboxes cannot be migrated back to on-premises due to the following error:

You cannot migrate mailbox '2f15ec3c-b024-4a25-2fdf-bfda9fd806ba' off of Office365 while the mailbox has a connected account enabled. To successfully remove the connected accounts, run the following command: 'Get-Subscription -Mailbox MailboxID -Aggregati

Note the truncated command, which isn't very useful. 

The Get-Subscription cmdlet lets you view the properties of an existing subscription configured in a user's cloud-based mailbox. This cmdlet is used by Outlook on the web Options to display the list of email subscriptions that the end user has, such as POP, IMAP, Facebook, and LinkedIn.

The exact issue with the mailbox can be determined by running the following in Exchange Online PowerShell:

Get-Subscription -Mailbox user -AggregationType all | select DisplayName, Name, AggregationType, UserId, LastModifiedTime, LastSuccessfulSync, CreationType, Status, StatusDescription, DetailedStatus

We can see that the user has configured a subscription to LinkedIn so that Outlook can do a PeopleConnection lookup. This service was closed down by Microsoft over 3 years ago, but the subscription on the mailbox remains.

Run the following cmdlet in EXOPS to remove the subscription from the mailbox:

Get-Subscription -Mailbox UserId -AggregationType All | Remove-Subscription

Now you can resume the mailbox migration to complete the offboard.
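The same fix, applied in bulk, as an added example that is not part of the original post: sweep the failed offboarding move requests whose failure message contains the "connected account enabled" error, list the stale subscriptions, remove them and resume the move. It assumes Exchange Online PowerShell and that the error text is exposed through the Message property of Get-MoveRequestStatistics; the function name is made up for this example.

```powershell
# Added example (not from the original post). Assumes Exchange Online PowerShell and that
# Get-MoveRequestStatistics exposes the "connected account enabled" error in its Message property.
function Repair-ConnectedAccountMoveFailure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($move in Get-MoveRequest -MoveStatus Failed) {
        $stats = Get-MoveRequestStatistics -Identity $move.Identity
        if ($stats.Message -notlike '*connected account enabled*') { continue }

        # Same query the post uses, kept as objects so the subscriptions can be reported before removal
        $subs = @(Get-Subscription -Mailbox $move.Identity -AggregationType All)
        foreach ($sub in $subs) {
            $msg = '{0}: {1} [{2}] status={3} last sync={4}' -f $move.Identity, $sub.Name, $sub.AggregationType, $sub.Status, $sub.LastSuccessfulSync
            Write-Verbose $msg
        }

        $removed = $false
        if ($subs.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($move.Identity, "Remove $($subs.Count) subscription(s) and resume move")) {
            $subs | Remove-Subscription -Confirm:$false
            Resume-MoveRequest -Identity $move.Identity
            $removed = $true
        }

        # One summary row per affected mailbox
        [pscustomobject]@{
            Mailbox           = $move.Identity
            Subscriptions     = $subs.Count
            AggregationTypes  = ($subs.AggregationType | Sort-Object -Unique) -join ','
            RemovedAndResumed = $removed
        }
    }
}

# Preview first (nothing is removed), then run for real:
Repair-ConnectedAccountMoveFailure -WhatIf -Verbose
# Repair-ConnectedAccountMoveFailure | Format-Table -AutoSize
```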

Please join me for "HAFNIUM Exchange Server Hack: Why Patching Isn't Enough & Where to Start Hunting" webinar

Thursday, March 11, 2021

Please join me, Michael Van Horenbeeck, and Paul Robichaux for a spirited discussion of the HAFNIUM Exchange Server Hack: Why Patching Isn't Enough & Where to Start Hunting. This free live webinar will be held Friday, March 12, 2021 at 11:00AM EST.

We'll be discussing:

  • How and where to spot key indicators of compromise
  • Practical guidance on next steps to take if you’ve been compromised
  • Ways to proactively start protecting yourself against future attacks

I hope you can join us!

New Article: How to Decide Between Azure AD Connect and Azure AD Connect Cloud Sync

Thursday, March 11, 2021

I just published an article describing the differences between using Azure AD Connect and Microsoft's new Azure AD Connect Cloud Sync service. In it, I give the information you need to decide if the new Cloud Sync service is right for you. (Spoiler alert: If you run Exchange hybrid, it isn't.)

Please read How to Decide Between Azure AD Connect and Azure AD Connect Cloud Sync on the Practical 365 website.

URGENT: Patch your Exchange Servers NOW!

Wednesday, March 3, 2021

UPDATE: Microsoft updated its Microsoft Safety Scanner Tool (MSERT) to scan for malicious files that may be dropped on your Exchange Servers by the latest CVE vulnerabilities.
You can run this on any Windows server. Run a Full Scan, which will scan all files and folders, even those excluded by antivirus. The tool will automatically remove malicious files and, if any were found, prompt for a restart to finish up.

Yesterday Microsoft posted a blog article, Released: March 2021 Exchange Server Security Updates, for a serious zero-day vulnerability in Exchange Server.

The security update addresses a vulnerability that was released publicly on the web and every script kiddy is playing around with it.

Important Things to Know

  • The vulnerability affects ALL versions and update levels of Exchange.
  • The attack starts with an unauthenticated request to an Exchange server, so if your Exchange Server is not publicly accessible, less risk can be assumed. You're still open to internal attacks, though. PATCH YOUR SERVERS.
  • Security updates have been released for the following Exchange versions and Cumulative Update levels:
    • Exchange 2010 SP3
    • Exchange 2013 CU23
    • Exchange 2016 CU18
    • Exchange 2016 CU19
    • Exchange 2019 CU7
    • Exchange 2019 CU8
  • If your Exchange Servers are not at these CU levels, you need to get on the latest CU for your version before you can install the security update.
    • Be aware the .NET Framework and Visual Studio C++ runtime prerequisites may be required to update your server to the latest CU. The Exchange CU setup will block installation until the prerequisites are satisfied.
    • .NET Framework installations and updates can peg your CPU for a while after restarting. Plan accordingly.
  • You MUST run the security update from an ELEVATED CMD prompt. Admins who ignore this have reported that it breaks ECP.
  • Hybrid customers are affected, as well. Apply these updates to your hybrid management servers.

Best Practices

  • Apply the patches ASAP.
  • Always restart the Exchange server BEFORE you install the security updates or upgrade the CU. That way you know that the server reboots properly before you install the updates. It also releases any locked files.
  • The update normally takes 15-20 minutes to install. Always restart the Exchange Server AFTER installing the security updates or upgrading the CU (whether it prompts you to, or not). I find that it doesn't warn you to restart about 50% of the time on the dozen or so servers I've upgraded.
  • Do not "batch" updates. For example, don't upgrade Exchange 2016 CU17 to CU19 and immediately install the security patch without rebooting. Restart Exchange Server after every update.
  • Always keep your Exchange Server up to date with the latest (or second to latest) CU so you can more easily install urgent updates like these.

Helpful Tips

Run the following from an elevated PowerShell or EMS console so you can right-click an MSI or MSP file and "Run as Administrator":

New-ItemProperty registry::HKEY_CLASSES_ROOT\Msi.Patch\shell\runas\command -Name "(Default)" -Value '"%SystemRoot%\System32\msiexec.exe" /p "%1" %*' -PropertyType ExpandString -Force

New-ItemProperty registry::HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command -Name "(Default)" -Value '"%SystemRoot%\System32\msiexec.exe" /i "%1" %*' -PropertyType ExpandString -Force

Use the following PowerShell script to check for compromise. Run elevated. This script does not work on Exchange 2010.

Start-Transcript -Path "Check-Compromise-$env:COMPUTERNAME.log" -Force

Write-Host "Checking for CVE-2021-26858 exploitation..."
# PowerShell does not expand %PROGRAMFILES%, so the path uses $env:PROGRAMFILES
findstr /snip /c:"Download failed and temporary file" "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

Write-Host "Checking for CVE-2021-26857 exploitation..."
Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

Write-Host "Checking for CVE-2021-27065 exploitation..."
Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'

Write-Host "Checking for CVE-2021-26855 exploitation..."
$logs = (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log' -ErrorAction SilentlyContinue).FullName | Sort-Object -Descending
$logCount = $logs.Count
$i = 0
foreach ($log in $logs) {
    $i++
    $percentage = $i / $logCount * 100
    $perc = $percentage.ToString("#")
    Write-Progress "Search in progress" -Status "$perc% Complete:" -PercentComplete $percentage
    # Flag requests with no authenticated user whose AnchorMailbox names a server (ServerInfo~host/...) instead of a mailbox
    Import-Csv -Path $log -ErrorAction SilentlyContinue | Where-Object { $_.AuthenticatedUser -eq "" -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox
}

Stop-Transcript

Review the Check-Compromise-<computername>.log file for results. You can ignore any errors that say something like, "The member '40' is already present." See HAFNIUM targeting Exchange Servers with 0-day exploits for more details.
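The CVE-2021-26855 check from the script above can also be run over HttpProxy logs that were copied off a server, which is how you usually work them during an investigation. This added example (not from the original post or from Microsoft's guidance) applies the same indicator, an empty AuthenticatedUser with an AnchorMailbox of ServerInfo~host/..., and summarizes hits per source IP; the sample log is constructed and uses an abridged set of the real CSV columns, and the function names are made up here.

```powershell
# Added example, not from the original post: offline triage of copied HttpProxy logs.
# Uses the same indicator as the post's script; the sample log below is constructed.
function Find-SuspiciousHttpProxyRequests {
    param([Parameter(Mandatory)][string]$LogFolder)

    foreach ($file in Get-ChildItem -Path $LogFolder -Recurse -Filter '*.log') {
        Import-Csv -Path $file.FullName -ErrorAction SilentlyContinue |
            Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
            Select-Object @{ Name = 'LogFile'; Expression = { $file.Name } },
                          DateTime, ClientIpAddress, UrlStem, AnchorMailbox, UserAgent
    }
}

# One row per source IP with hit count and first/last seen, for prioritizing follow-up
function Get-SuspiciousSourceSummary {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Hits)
    $Hits | Group-Object ClientIpAddress | Sort-Object Count -Descending |
        Select-Object @{ Name = 'ClientIpAddress'; Expression = { $_.Name } }, Count,
                      @{ Name = 'FirstSeen'; Expression = { @($_.Group.DateTime | Sort-Object)[0] } },
                      @{ Name = 'LastSeen';  Expression = { @($_.Group.DateTime | Sort-Object)[-1] } }
}

# --- constructed sample: one authenticated request, two unauthenticated ServerInfo~ anchors ---
$sample = Join-Path $env:TEMP 'HttpProxySample\Ecp'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@'
DateTime,RequestId,Protocol,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
2021-03-03T01:10:05.101Z,r1,Ecp,mail.example.com,/ecp/,,false,,ServerInfo~EXCH01.example.com/ecp/default.aspx,Mozilla/5.0,203.0.113.10,200
2021-03-03T01:12:44.733Z,r2,Ecp,mail.example.com,/ecp/,Negotiate,true,EXAMPLE\jsmith,Sid~S-1-5-21-1111-2222-3333-1105,Mozilla/5.0,10.0.0.25,200
2021-03-03T01:15:02.009Z,r3,Ecp,mail.example.com,/ecp/,,false,,ServerInfo~EXCH01.example.com/ecp/default.aspx,Mozilla/5.0,203.0.113.10,200
'@ | Set-Content -Path (Join-Path $sample 'HttpProxy_2021030301-1.LOG')

$hits = @(Find-SuspiciousHttpProxyRequests -LogFolder (Split-Path $sample -Parent))
"{0} suspicious request(s) found" -f $hits.Count
$hits | Format-Table -AutoSize
Get-SuspiciousSourceSummary -Hits $hits | Format-Table -AutoSize
```

Point -LogFolder at the copied Logging\HttpProxy tree to run it against real data; only the two unauthenticated rows of the constructed sample are reported.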

If your update fails for some reason, you may find that all the Exchange services are stopped and disabled. If you try to rerun the update it will fail again for this reason. Run the following to return the Exchange services to automatic, then reboot and try again ELEVATED.

Get-Service -Name MSExchangeDelivery, MSExchangeRepl,MSExchangeRPC,MSExchangeFastSearch, MSExchangeThrottling, wsbexchange,MSExchangeSubmission, MSExchangeMailboxReplication, MSExchangeMailboxAssistants, MSExchangeIMAP4BE, MSExchangeImap4, MSExchangeIS, MSExchangeDagMgmt, MSExchangeDiagnostics, MSExchangeFrontEndTransport, MSExchangeADTopology, MSExchangeAntispamUpdate, MSExchangeUM, MSExchangeEdgeSync, MSExchangeHM, MSExchangeHMRecovery, MSExchangeServiceHost, MSExchangeTransport, MSExchangeTransportLogSearch, FMS, HostControllerService, winmgmt, remoteregistry, w3svc, iisadmin | Set-Service -StartupType automatic

Whenever a new version of .NET Framework is installed or a .NET Framework update is applied, the server CPU will peg at 90-100% utilization after reboot for up to 40 minutes while it recompiles MOFs. This process is also called NGEN. You will see mscorsvw.exe processes chewing up CPU. The same happens after you install an Exchange update, since Exchange Server is written in .NET.

Use the 7318.DrainNGenQueue.wsf script to speed up .NET Framework recompiling performance by allowing it to use multiple threads and up to 6 cores. Run it after any .NET Framework installation or update.

How to remove Assignments from Microsoft Teams EDU

Friday, December 18, 2020

Microsoft Teams EDU tenants include an Assignments app in Teams. The Assignments and Grades features in Teams for Education allow educators to assign tasks, work, or quizzes to their students. Educators can manage assignment timelines, instructions, add resources to turn in, grade with rubrics, and more. They can also track class and individual student progress in the Grades tab.

You can learn more about Assignments and Grades in Teams for Education here.

Higher ed customers may want to disable the Assignments app because they already use other ways of assigning and tracking assignments. For them, it can be confusing to students and faculty when the Assignments app is pinned to the left rail of Teams.

Pinned apps in Teams are normally assigned using a Setup Policy in the Teams Admin Center at (Teams apps > Setup policies). Here, you can configure which apps are pinned to the Teams app navigation bar and the order in which they are displayed.

Notice that the disappearing banner at the top of the policy says, "Because you have at least one Office 365 Education license, the Assignments app will be automatically included in each app setup policy." You will also notice that the Assignments app is not listed as a pinned app, so you cannot remove it.

In order to remove Assignments from pinned apps, configure a Permission Policy (Teams apps > Permission policies). Customers who want to remove this would normally edit the Global (Org-wide default) policy, but you can also create a new policy for this and assign it to specific users.

Edit the policy thusly:

  • Under Microsoft apps, select "Block specific apps and allow all others" in the dropdown list.
  • Click the Block apps button.
  • Search for "Assignments", then click Add, and Block.
  • Click the Save button.

It may take up to an hour before the Assignments app is removed from pinned apps for the users the permission policy applies to.

Important Outlook Connectivity Update for Microsoft 365

Friday, December 11, 2020

Here we go again.

It appears that Microsoft is going to actively block connectivity for older versions of Outlook on November 1, 2021 -- less than 11 months from now.

Previously, Outlook connectivity has always been best effort for older versions, meaning that if you can connect to Microsoft 365 with an older non-supported version, then great. If you can't connect, you are required to install a supported version.

The reasoning for this is noble - Microsoft doesn't want older less secure versions of Outlook to connect to the service. Most Office 365/Microsoft 365 customers are already running Microsoft 365 Apps for enterprise (aka Office ProPlus) which is always up-to-date, so no problem.

But future Microsoft 365 and hybrid customers will need to upgrade all their clients prior to migration, and a lot of enterprises won’t be able to update in that time.

The bottom line is, if your clients are not already running Microsoft 365 Apps for enterprise and you plan to migrate to Microsoft 365, you need to start upgrading your Office apps now.

Here is the notification from Microsoft:

Update to Microsoft 365 and Outlook for Windows connectivity

Major update: Announcement started

Applied To: All

To ensure that we meet performance expectations, we are updating the supported versions of Outlook for Windows that can connect to Microsoft 365 services.

Effective November 1, 2021, the following versions of Outlook for Windows, as part of Office and Microsoft 365 Apps, will not be able to connect with Office 365 and Microsoft 365 services. 

Office and Microsoft 365 Apps                                    Outlook for Windows Version
Office 2013                                                      15.0.4970.9999 and older
Office 2016                                                      16.0.4599.9999 and older
Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus)  1705 and older
Microsoft 365 Apps for business (formerly Office 365 Business)   1705 and older

Key Points:

  • Major: Retirement
  • Timing: November 1, 2021
  • Action: Ensure Outlook for Windows clients are updated accordingly

How this will affect your organization:

Versions that are newer than minimum version requirements listed above, but are not the currently supported version, may experience connectivity issues.

To see a list of the currently supported versions, visit Update history for Microsoft 365 Apps (listed by date) (for Microsoft 365 Apps) or Latest updates for versions of Office that use Windows Installer (MSI) (see "Latest Public Update" for Office 2013 and 2016).

Supported versions of Outlook for Windows in Office and Microsoft 365 will continue to connect to Microsoft 365 services as expected.

What you need to do to prepare:

We recommend that all users upgrade to the supported versions of Office and Microsoft 365 Apps.
