How to Block Self-Service Purchases in Microsoft 365

Thursday, November 21, 2019
On October 23, Microsoft announced that they were going to introduce self-service purchase options for Microsoft 365 users on November 19, 2019. Microsoft says this was "due to customer demand," but I don't know a single customer that has EVER asked for this. <snarkymode>It was likely cooked up by someone at Microsoft who thought this would be an excellent way to boost adoption and help make their revenue targets.</snarkymode>

After getting a ton of REAL feedback from customers, Microsoft decided to delay implementation of this change till January 2020 and, more importantly, give tenant administrators a way to turn it off ahead of time. While this opt-out model is welcome, I believe an opt-in model is more appropriate. Organizations should be in control of their corporate data by default.


Fellow MVP Michel de Rooij wrote an article for the Enow ESE Blog explaining how to block self-service purchases. It only takes a few minutes to read and implement. Do it now or spend a lot more time explaining why you didn't do it later.

Recap of Microsoft Ignite 2019

Friday, November 15, 2019
I had a GREAT time at Microsoft Ignite 2019 in Orlando! I hope you were able to attend or at least catch some of the online sessions that were streamed in real-time.

One of the big highlights for me this week was attending the ENow VIP dinner where I sat between Greg Taylor (Exchange Marketing Lead extraordinaire) and Jeffrey Snover (the father of PowerShell).


I was very pleased to see how many people made the trek to Theater 9 to see my two sessions, "Reading SMTP Headers Like a Boss" (please ignore the fact that they got the photo wrong - I have no idea who that is) and "Twenty minutes to a secure environment".

Please read my recap of Microsoft Ignite 2019 on the ENow ESE Blog and learn about some significant improvements coming to Exchange Online.




Come see me at @MSIgnite in Orlando!

Tuesday, October 29, 2019


I'm pleased to be speaking at Microsoft Ignite in Orlando next week. This will be a fabulous conference with lots of fantastic content!

BRK3145: IT burnout - the state of the industry panel (45 minute breakout)
Have you been working non-stop and never taking a break? Do you go on vacation, but still find yourself working? Does your leadership expect you to be available all the time even when you are not on-call? Do you go home, answering email in between all of the family things going on that evening? Are you truly present in all the things you do?
Recently, our team conducted a survey about IT burnout to get a real sense of how IT professionals are functioning and managing their personal well-being. We learned some interesting things that will surprise you, and have some statistics you won't want to miss. Join me and a panel of MVPs to have a discussion on this tough topic.
Session ID: 78641
When: Tuesday 10:15-11:00am
Where: OCCC W224 F-H

THR3033: Reading SMTP headers like a boss (20 minute theater session)
Learn how to read SMTP headers for fun and profit! In this demo-tastic session, learn how to read SMTP headers to troubleshoot mail flow, SPF, DKIM, and DMARC. Also, see some of the online tools available to analyze headers and turn you into an SMTP rock star.
Session ID: 78655
When: Thursday 11:30-11:50am
Where: The Hub - Theater 9

THR3034: Twenty minutes to a secure environment (20 minute theater session)
Legacy authentication is an attacker's best friend. Learn how to secure your environment using modern authentication in the cloud and hybrid modern authentication for on-premises. Then, learn how to turn off legacy authentication in your Microsoft 365 and Exchange 2019 environments to keep the bad guys out!
Session ID: 78663 
When: Friday 12:05-12:25pm
Where: The Hub - Theater 9

In addition to my sessions you'll find me at the Exchange booth on the expo floor and at various Exchange and identity sessions throughout the week. I hope you'll come to these great sessions and say hi!


Postpone upgrading AAD Connect if you deployed Hybrid Azure AD join

Tuesday, October 8, 2019
Microsoft has reported an issue with Azure AD Connect 1.4.18.0 and Hybrid Azure AD joined devices. They recommend not deploying this version if you have deployed Hybrid AAD join.

1.4.18.0: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#14180


Warning
We are investigating an incident where some customers are experiencing an issue with existing Hybrid Azure AD joined devices after upgrading to this version of Azure AD Connect. We advise customers who have deployed Hybrid Azure AD join to postpone upgrading to this version until the root cause of these issues is fully understood and mitigated. More information will be provided as soon as possible.

This version has been removed from manual download until their incident investigation is complete. The latest version available now on the website is AAD Connect 1.3.21.0.

Details of the incident are not available, but if you have deployed AADC 1.4.18.0 and are experiencing problems, I recommend completely uninstalling AAD Connect and installing version 1.3.21.0.


The Death of Basic Authentication in Office 365

Tuesday, September 24, 2019
Microsoft posted the article, "Improving Security - Together" where they explain that they will be turning off Basic Authentication in Exchange Online for EWS, Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell on October 13, 2020. That means that only apps that support modern authentication using OAUTH 2 will be able to connect to Exchange Online after that time. There are currently no plans to override this behavior.

I applaud this move, since it greatly improves the security posture for your tenant and Office 365 as a whole. The vast majority of bad actors use Basic authentication (username/password credentials) for their attacks. That said, there are caveats you should be aware of.

Exchange ActiveSync is probably the most heavily utilized protocol in this list. EAS has been shipping with every version of Exchange since Exchange Server 2003. Millions of users across the globe count on it to manage emails from their mobile phones and tablets. Many of these users have moved over to the Outlook mobile apps for iOS and Android, but a very significant number are still using the native email apps on their phones.

Apple started supporting modern auth in iOS 11, so any reasonably up-to-date iOS device should be unaffected by the removal of Basic auth for EAS. Android is a different story. There are so many older devices out there with different Android versions from different vendors, it's hard to say which devices will be affected. Some versions may have native support for OAUTH 2 using the AppAuth for Android library, while some mail apps in the Play Store may have built-in support in the app (Outlook for Android is one example). In the end, you really need to test your apps.

The best way to do that is to set up or reconfigure a mail account on your mobile devices. If you're prompted for modern auth when setting up your account, as shown below, you should be good to go.

OAUTH 2 (Modern Auth) prompt

If you get a Basic authentication prompt within the app, your app probably doesn't support OAUTH 2. Download the Outlook mobile app for iOS or Android, or another email app that supports it.

The POP and IMAP protocols are less often used, but when they are, it's typically for app integration with a line of business app. Examples include help desk ticketing systems, ERP solutions, life-cycle management systems, etc. These apps are usually critical to the business, so anything that affects email connectivity must be carefully planned. Microsoft is planning to add OAuth support to both POP and IMAP in the next few months, but the apps that use these protocols must also be updated to support it. That means software updates for these LOB apps (assuming they will support OAUTH 2), possible additional support costs, contracts, etc. Plan ahead and talk with these vendors now to see how they plan to support OAUTH 2. You may even need to go so far as to change LOB solution providers.


An Overview of Tenant to Tenant Migrations in Office 365

Wednesday, September 18, 2019

Recently I wrote a chapter for the eBook, "Everything you need to know about Tenant to Tenant Migrations" for Practical 365. You can download the eBook for free here.

You can read a quick teaser for that chapter here on the Practical 365 site.



Syncing Email Signatures Across Devices is soon to become a reality!!

Tuesday, September 10, 2019
Will wonders never cease. Just when I was convinced that Outlook UserVoice was the place where all good ideas go to die, I received the following update:

"Thank you to everyone who voted. We’re happy to report that we’re working on sync’ing signatures across devices. More details to come as we have them.

Sincerely,

Ricardo, Duncan, Sunder and David on behalf of the Outlook team"



After I posted the article, "Storing email signatures in the Exchange mailbox" on this blog, this UserVoice request became the top voted request on the Outlook UserVoice website by a wide margin, with over 7,915 votes. It has more than twice the number of votes than the #2 most voted item. Thank you to all of you who voted!

This new feature will undoubtedly come to Office 365 ProPlus customers first, so if you're hot on seeing it, make sure you're using the latest and greatest version of Outlook. I'll let you know when the new feature lands.


Video Tutorial on Hybrid Azure AD Join

Thursday, August 22, 2019

Microsoft produced this short (7:21) video which shows how to configure Hybrid Azure Active Directory Join in your on-premises environment. Hybrid AAD join is an important step in using Intune to manage your corporate devices and information. With device management in Azure Active Directory (Azure AD), you can ensure that users are accessing your resources from devices that meet your standards for security and compliance.

This video will be included in future hybrid AAD join documentation to be published in the next few days and weeks. You can view it at https://www.microsoft.com/en-us/videoplayer/embed/RE3C9hO.


Managing SSL certificates may be getting that much more difficult

Wednesday, August 14, 2019
Remember when you used to be able to get an SSL certificate that lasted 3-5 years? Now you can only get one that lasts 2 years, and a change proposed by Google would reduce the maximum validity period to just 13 months beginning March 2020. This would be a global change to the industry, impacting all certificate authorities.

Read this important update from Digicert:


IMPORTANT UPDATE
Dear Security Professional,

We are reaching out to you regarding an important proposal raised recently at the CA/Browser Forum that could impact the products you are using.

What’s happening?
Google proposed a change that, if the ballot passes, will reduce the validity period of certificates from the current maximum of two years to 13 months. The proposed ballot was endorsed by Apple and another CA, making the ballot eligible for voting. If the ballot passes at the CA/Browser Forum, the change in requirements will go into effect in March 2020. Any certificates issued after the effective date would need to comply with the shortened validity period requirements. Even if the ballot fails, the browsers sponsoring the ballot could unilaterally implement this requirement in their root program and make compliance required for certificates issued by trusted CAs in their root stores.

This change is a follow up on Google’s previous initiative to reduce lifetimes from three to two years (https://www.digicert.com/blog/3-year-certificates-eliminated-industry-wide-change/) in 2018.

Who is impacted?
The changes proposed by Google would impact all publicly trusted TLS certificate users, regardless of which certificate authority issues the certificate. If the ballot passes, all publicly trusted certificates issued or re-issued after March 2020 would have a maximum validity of 13 months. Customers using certificates with validity periods longer than 13 months are encouraged to review their systems and evaluate how the proposed changes might impact their deployment and use of certificates.

Please note that all TLS certificates issued prior to March 2020 with a validity period longer than 13 months will remain functional. This ballot does not affect non-TLS certificates, including code signing, private TLS, client certificates, etc. There will be no need to revoke any certificates as a result of this ballot.

This would be a global change to the industry, impacting all certificate authorities.

DigiCert’s position
DigiCert believes industry-wide changes should be made only after measuring whether the changes in security are sufficiently balanced with the impact on end users. In this case, we feel that further shortening certificate lifetimes, especially absent reasonable timelines for companies to prepare, would have the opposite effect in causing significant pain to customers and possibly leading to some human-caused errors as they scramble to adjust.

We believe the goal of improving certificate security is better served by allowing more time for companies to continue their growing use of automation and to prepare for these changes. DigiCert would like to continue the conversation and gather customer input before this issue is brought to a ballot. We think this discussion should include a timeline that allows for companies to properly plan for shorter lifetimes.

Regardless of the outcome of this ballot, we stand ready to help our customers. DigiCert’s focus and deployment of discovery and automation tools make sure our systems are fully capable of helping our customers meet changes that may arise in industry standards, including shortening lifecycles. In fact, DigiCert currently offers certificate lifetimes as short as eight hours for customers who want that option. Having said that, our ability to help our customers with these changes doesn’t mitigate all the potential impact that a rushed implementation would have on the industry.

What to do
The CA/Browser Forum makes changes to standards as security issues evolve. To remain compliant with these changes, organizations with large amounts of certificates should consider sophisticated automation tools to help manage certificate inventories and ease certificate deployment. At DigiCert, we are focused on simplifying the certificate management process and developing new tools for automating certificate use. Customers worldwide use DigiCert to automate their process using our Lemur plug-ins, REST APIs, SCEP and EST services, and ACME service. Combining ACME with the automated scanning service in CertCentral allows TLS customers to easily scan their entire environment, find certificates that require replacement, and deploy up-to-date technology.

DigiCert will continue to keep you apprised of CA/B Forum activities. Please read our position to the industry in this new blog: https://www.digicert.com/blog/how-reduced-tls-ssl-certificate-lifetimes-to-one-year-would-affect-you/

Be heard
The CA/Browser Forum accepts comments from outside participants; however, all discussions are public. You have two choices: you can submit your comments to DigiCert through this survey, which we plan to summarize and provide to the CA/B Forum or you can join the CA/B Forum as an Interested Party, which will allow posting of your comments directly to the Forum mailing list. See https://cabforum.org/working-groups/ (bottom of page).

We are eager to share information with the browsers about the impact these changes may have on customers. We look forward to providing this information and representing your interests in the Forum and security world.
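The notice asks customers to review which of their certificates exceed the proposed 13-month maximum. The script below is an added example (not from DigiCert or this blog) that inventories the server's own TLS certificates and flags any whose total validity period is longer than 13 months, plus any expiring within a 30-day window; the store path and the 30-day threshold are my assumptions.

```powershell
# Added example (not part of DigiCert's notice or the blog post): inventory the
# TLS server certificates in the local machine store and flag the ones whose
# validity period exceeds the proposed 13-month cap, so you know which ones
# would have to move to a shorter renewal cycle.
# Assumptions: the 13-month threshold comes from the notice; the store path and
# the "renew within 30 days" warning are mine.

function Get-CertValidityReport {
    param(
        [string]$StorePath      = 'Cert:\LocalMachine\My',
        [int]   $MaxMonths      = 13,
        [int]   $ExpiryWarnDays = 30
    )

    $now = Get-Date

    Get-ChildItem -Path $StorePath |
        # Keep certificates usable for TLS server auth (EKU 1.3.6.1.5.5.7.3.1);
        # a certificate with no EKU at all is valid for any purpose, so keep it too.
        Where-Object {
            -not $_.EnhancedKeyUsageList -or
            $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
        } |
        ForEach-Object {
            # A cert "complies" only if it expires no later than NotBefore + 13 months
            $limit = $_.NotBefore.AddMonths($MaxMonths)
            [pscustomobject]@{
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                ValidityDays  = [int]($_.NotAfter - $_.NotBefore).TotalDays
                DaysRemaining = [int]($_.NotAfter - $now).TotalDays
                Over13Months  = $_.NotAfter -gt $limit
                RenewSoon     = ($_.NotAfter - $now).TotalDays -le $ExpiryWarnDays
            }
        }
}

# Longest-lived and soonest-expiring certificates are the ones to plan around
Get-CertValidityReport |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, ValidityDays, Over13Months, RenewSoon -AutoSize
```

Run it on each server that terminates TLS (Exchange, ADFS, WAP, load balancers with a Windows store); anything reported Over13Months would need re-issuing on a 13-month or shorter schedule if the ballot passes.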


How to Create a Hub Transport Rule Based on Any Attachment

Tuesday, August 13, 2019
Transport rules are cool. Except when they don't work the way you expect.

I wanted to create a transport rule that blocks outgoing email to external recipients that contains an attachment, except for members of the "Allow Outbound Attachments" group. So, I created the following rule:


The trouble is that it blocks any email that is not sent as plain text, even when there is no attachment. Not good.

I examined the headers on emails with and without attachments and found the X-MS-Has-Attach X-header has a yes value when there's an attachment and is <blank> when there isn't.
...
Message-ID: <BL0PR01MB4243EF8B4D8DD1624C9C6E77D4D20@BL9PR01MB4243.prod.exchangelabs.com>
References: <1db58e8b507e4f7f81a892f1bb48654e@ex.contoso.com>
In-Reply-To: <1db58e8b507e4f7f81a892f1bb48654e@ex.contoso.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is )
...
I modified the rule as below and it now works perfectly.


It's worth noting that the header values are not cAsE sensitive.
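The same header-based rule can be created from PowerShell instead of the EAC. This is an added example, not the post's own rule definition: the group name "Allow Outbound Attachments" comes from the post, while the rule name, reject text and enhanced status code are my assumptions.

```powershell
# Added example (not from the original post): build the attachment-blocking
# transport rule from Exchange Management Shell or Exchange Online PowerShell.
# Assumptions: rule name, reject text and status code are mine; the exception
# group "Allow Outbound Attachments" is the one named in the post.

$ruleName  = 'Block outbound attachments'     # assumed name
$allowList = 'Allow Outbound Attachments'     # group from the post

# Exchange stamps "X-MS-Has-Attach: yes" when a message carries an attachment
# and leaves the header blank otherwise. Matching on that header avoids the
# false positives the "has an attachment" predicate produced for HTML/RTF mail.
# Header matching is not case sensitive, so 'yes' also matches 'Yes'.
$params = @{
    SentToScope                     = 'NotInOrganization'   # external recipients only
    HeaderContainsMessageHeader     = 'X-MS-Has-Attach'
    HeaderContainsWords             = 'yes'
    ExceptIfFromMemberOf            = $allowList
    RejectMessageReasonText         = 'Attachments to external recipients are not permitted.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    # Start in Audit mode to watch what the rule would catch; switch to Enforce
    # once the message trace shows only genuine attachment mail being matched.
    Mode                            = 'Audit'
    Comments                        = "Blocks outbound attachments; members of '$allowList' are exempt."
}

if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @params
} else {
    New-TransportRule -Name $ruleName @params
}

# Confirm the predicate Exchange actually stored
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentToScope, HeaderContainsMessageHeader,
                HeaderContainsWords, ExceptIfFromMemberOf
```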


Authoritative vs Internal Relay Domains in Exchange

Thursday, July 25, 2019
tl;dr: Ensure the accepted domain(s) in Exchange Online are configured as Authoritative, not Internal Relay, even if you're in hybrid, to take advantage of Directory Based Edge Blocking.
Those of you who have worked with Exchange Server for a long time and those familiar with cross forest migrations will probably know about Authoritative vs. Internal Relay domains. When a domain is set to Authoritative, email is delivered only to valid recipients in the Exchange organization. With Internal Relay domains, email is delivered to recipients that exist in the Exchange organization and other emails are relayed to another email server in a different location.


I've seen a number of customers (especially Exchange hybrid customers) configure their domains on-premises or in Exchange Online Protection as Internal Relay, thinking that this is required in order to relay emails on-premises or to their tenant. This isn't necessary because emails will still relay between on-prem and EXO using the targetAddress (aka external routing address) value, which always happens even if the domain is set to Authoritative.


Why is this a big deal? Well, Exchange Online has a feature called Directory Based Edge Blocking (DBEB), which rejects messages for invalid recipients at the service network perimeter. Exchange Edge Transport servers do the same thing on-prem. DBEB prevents Exchange from accepting invalid emails, scanning them for malware and spam, performing rules processing, etc. when they have no hope of being delivered because the email address is bad.

If a domain is set to Internal Relay, DBEB can't work, since it would block unknown recipients from being relayed to another server. With DBEB, Exchange performs a directory lookup before it even accepts the email. If the recipient address doesn't exist, Exchange rejects the email with a 550 5.4.1 Recipient address rejected: Access denied error. The RFC states that it's up to the sending server to generate the NDR back to the sender.


Keep your Exchange Federation Trust up-to-date

Monday, July 8, 2019
From time to time, Microsoft refreshes the certificate used by the Microsoft Federation Gateway service in Office 365. They just did this again on July 5, 2019. The MFG is the trust broker used by hybrid organizations and by other on-premises orgs that share free/busy information between them. Most Exchange configurations will update the federation trust metadata automatically, but if your on-premises org is running Exchange 2010 or Exchange 2013 on Windows Server 2008 you will need to update this manually.

Begin by testing to see if the metadata is up-to-date in your org by running the Test-FederationTrust cmdlet in EMS from one of your Exchange servers. The cmdlet normally does not require any switches to run.

Exchange will check AD to confirm that the Federation Trust configuration object exists and is valid, the Token Issuer certificate is valid, and then request a delegation token from the MFG. Here's what a good test looks like in Exchange 2010:

Test-FederationTrust from Exchange 2010
Exchange 2013+ performs a few more detailed tests using a built-in test account:

Test-FederationTrust from Exchange 2013
If you see any validation errors, such as the following error, you will need to update your MFG refresh token manually:
Id      : TokenValidation
Type    : Error
Message : Failed to validate delegation token.
You can update AD with the latest Microsoft Federation Gateway certificate one time by running the following cmdlet from EMS on any Exchange server in your org:
Get-FederationTrust | Set-FederationTrust -RefreshMetadata
Once updated, run the Test-FederationTrust cmdlet again to confirm the validation and delegation token is valid.

If you want to automate this process, you can create a scheduled task on one of your Exchange servers to update the federation trust once per day. Nothing will actually update in your environment unless Microsoft updates their MFG certificate. Run the following from an elevated CMD prompt or EMS window to create the scheduled task:
Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010;$fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata" /ru System
Remember, you will only need to do this if your organization runs Exchange 2010 or Exchange 2013 on Windows Server 2008. Later versions of Windows allow Exchange to update the federation trust certificate automatically.
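If you would rather refresh only when the test actually fails (and see the before/after results in one place), the function below wraps the test-refresh-retest sequence from this post. It is an added example, not the author's script; it assumes it runs from EMS on an Exchange server, and the -WhatIf/-Verbose handling is mine.

```powershell
# Added example (not the author's script): test the federation trust and refresh
# the Microsoft Federation Gateway metadata only when a check reports an error.
# Assumption: run from Exchange Management Shell on an Exchange server in the org.

function Update-FederationTrustIfStale {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Test-FederationTrust emits one object per check with Id, Type and Message;
    # a stale MFG certificate shows up as Type = Error on the TokenValidation check.
    $results = Test-FederationTrust
    $errors  = $results | Where-Object { $_.Type -eq 'Error' }

    if (-not $errors) {
        Write-Verbose 'Federation trust metadata is current; nothing to refresh.'
        return $results
    }

    $errors | ForEach-Object { Write-Warning ('{0}: {1}' -f $_.Id, $_.Message) }

    # Same cmdlet as the post: pull the current MFG certificate/metadata into AD
    foreach ($trust in Get-FederationTrust) {
        if ($PSCmdlet.ShouldProcess($trust.Name, 'Refresh federation trust metadata')) {
            Set-FederationTrust -Identity $trust.Name -RefreshMetadata
        }
    }

    # Re-test so the caller can confirm the delegation token now validates
    $after = Test-FederationTrust
    if ($after | Where-Object { $_.Type -eq 'Error' }) {
        Write-Warning 'Validation still fails after the refresh; check outbound connectivity to the MFG and the TokenIssuer certificate.'
    }
    return $after
}

Update-FederationTrustIfStale -Verbose | Format-Table Id, Type, Message -AutoSize
```

Because the refresh is a no-op when Microsoft has not changed the MFG certificate, this function is also safe to call from the daily scheduled task described above.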


Congratulations 2019-2020 Microsoft MVP!

Monday, July 1, 2019
Once again I am deeply honored to receive the Microsoft MVP Award in the Office Servers and Apps category for 2019-2020. This is my eleventh consecutive year for this award.

The MVP Award is an important recognition to me and I'm very pleased to receive it. It includes several benefits, but the most important one to me are all the interactions with the great product groups at Microsoft. These relationships allow me to reach out to specific product team members to provide feedback and get clarification on product features and behaviors.

It's a mutually beneficial partnership -- under NDA, Microsoft is able to talk with MVPs about product futures, provide access to technology adoption programs (TAPs) to try out new software, and solicit our feedback. As MVPs, we are able to provide important and honest feedback to the product teams about how new features and behaviors will affect our customers, beta test new software and file bug reports, and be advocates for you, the customer.

This also adds value to my IT consulting business, EXPTA Consulting. It's evidence that Microsoft values my technical leadership and real-world experience, which I bring to each and every engagement, and customers know that I provide the best results as their trusted advisor.


AAD Connect 1.3.21.0 fixes two vulnerabilities

Wednesday, May 15, 2019

AAD Connect version 1.3.21.0 was released today, which fixes an elevation of privilege vulnerability found in version 1.3.20.0. This latest build is a pure security release -- it does not include any new features.
Fixed an elevation of privilege vulnerability that exists in Microsoft Azure Active Directory Connect build 1.3.20.0. This vulnerability, under certain conditions, may allow an attacker to execute two PowerShell cmdlets in the context of a privileged account, and perform privileged actions. This security update addresses the issue by disabling these cmdlets. For more information see security update.
To exploit this vulnerability, an attacker would need to authenticate to the Azure AD Connect server. These cmdlets can be executed remotely only if remote access is enabled on the Azure AD Connect server. This security update addresses the issue by disabling these cmdlets.

It is recommended to download and install AAD Connect 1.3.21.0 ASAP, rather than wait for the auto upgrade process to run which can take several days or may be disabled in your environment.


Join us for a Free Webinar: Top 5 Hybrid Considerations, May 16 @ 10:00 AM PDT

Tuesday, May 14, 2019

Please join me and fellow MVP Jaap Wesselius for a free webinar where we discuss the Top 5 Exchange Hybrid Considerations. This webinar is hosted by my friends at Enow Software.

The challenge in managing an Exchange / Hybrid environment really lies in all the complexities. Jaap and I will cover the "Top 5 Exchange Hybrid" considerations, laying out all your options and the best plan given various organizational needs and goals.

Whether your organization is thinking about running an Exchange hybrid environment or already is, you don't want to miss the Top 5 considerations. We will touch on:

  • Identities  
  • Synchronization
  • Authentication
  • Can't give away everything, tune in for more!

Tune in on May 16 at 10:00 AM PDT for best practices from the experts. Doing so could help your organization avoid an overly complicated environment, costly outages, and/or a poor end user experience.

See you there!


HCW Organization Configuration Transfer breaks Outlook connectivity to Office 365

Thursday, May 2, 2019
5/16/2019 Update -- The latest version of the HCW (version 16.0.3054.9) no longer syncs the OAuth2ClientProfileEnabled property, which caused the issue. Thanks to the Exchange product group for fixing this so quickly.
Recent versions of the Office 365 Hybrid Configuration Wizard (HCW) offer a feature called Organization Configuration Transfer, which is documented here. Organization Configuration Transfer (OCT) copies the organization policy objects from on-premises to Exchange Online (EXO), and updates values in EXO with the values from on-premises.

OCT is an option when running the HCW, not a requirement. It is designed to reduce the number of policies and objects that need to be configured in EXO by copying them from on-prem. Admins can also occasionally re-transfer settings using OCT in order to update EXO with new or updated on-prem policies and configurations.

OCT was updated to OCT-V2 in November 2018 to include several additional objects that were not previously synced, including the Organization Config object. This poses a problem if your on-prem environment is not configured for hybrid modern authentication, because it will turn off access to EXO from Outlook and Skype for Business. This happens when the OCT overwrites the OAuth2ClientProfileEnabled property using Set-OrganizationConfig. On-prem environments without hybrid modern auth have this property set to false, whereas online it is always true (unless you want to deny modern auth).

Review the objects that OCT will transfer

The OCT will update the OAuth2ClientProfileEnabled property to FALSE

Turning the OAuth2ClientProfileEnabled property to false disables modern authentication for clients like Outlook and Skype for Business, and users will be continuously prompted for authentication and will be unable to connect to Exchange Online. Hilarity does not ensue.

This happened in my own environment. I discovered using Admin Audit Logging that the OAuth2ClientProfileEnabled property in the Organization Config was set to false the Friday before the problem started on Sunday morning. That date/time corresponded to the HCW logs. I had re-run the HCW and the Org Transfer Friday afternoon, which set the property to false.

Fiddler showed the same error described in the Auth_URI Failures section of the HMA article (https://blogs.technet.microsoft.com/exchange/2017/12/06/announcing-hybrid-modern-authentication-for-exchange-on-premises/):

HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/10.0
request-id: 3e5472dd-320e-4378-85e1-e22f00b53d38
X-CalculatedBETarget: dm6pr04mb6185.namprd04.prod.outlook.com
X-RUM-Validated: 1
X-UserType: Business
x-ms-diagnostics: 4000000;reason="Flighting is not enabled for domain 'cloud@expta.com'.";error_category="oauth_not_available"
X-DiagInfo: DM6PR04MB6185
X-BEServer: DM6PR04MB6185
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: BYAPR02CA0010
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm=""
Date: Mon, 29 Apr 2019 22:57:42 GMT
Content-Length: 0

To easily check if this is affecting your Exchange Online environment run the following cmdlet in EXO PowerShell:
(Get-OrganizationConfig).OAuth2ClientProfileEnabled
Tenants who have modern authentication enabled in EXO or any tenant created after August 2018 would normally have this value set to True. If it isn't, run the following cmdlet:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Note that it takes up to 30 minutes before the change becomes effective.

I've been working with the product team to remove this property transfer from OCT, since no one can think of a good reason for this property to sync in the first place. In the meantime, if you use OCT in the HCW you should clear the checkbox for Organization Config on the right-hand side.
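The check, the audit-log lookup I used to find the change, and the fix can be rolled into one function. This is an added example, not code from the post: it runs in an Exchange Online PowerShell session, and the 14-day lookback window is my assumption.

```powershell
# Added example (not from the post): detect whether OAuth2ClientProfileEnabled
# has been switched off in Exchange Online, find the Set-OrganizationConfig call
# that did it in the admin audit log, and turn modern auth back on.
# Assumption: run in an EXO PowerShell session; the lookback window is mine.

function Test-ExoModernAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$LookbackDays = 14)

    $enabled = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if ($enabled) {
        Write-Verbose 'OAuth2ClientProfileEnabled is True; modern auth is on.'
        return $true
    }

    Write-Warning 'OAuth2ClientProfileEnabled is False: Outlook and Skype for Business will loop on authentication prompts to EXO.'

    # Admin audit logging records every Set-OrganizationConfig call, so we can see
    # when, and under which account (the HCW runs as the admin who launched it),
    # the property was flipped. The RunDate lines up with the HCW log timestamps.
    $changes = Search-AdminAuditLog -Cmdlets Set-OrganizationConfig `
        -Parameters OAuth2ClientProfileEnabled `
        -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date)

    foreach ($c in $changes) {
        $value = ($c.CmdletParameters | Where-Object Name -eq 'OAuth2ClientProfileEnabled').Value
        Write-Warning ('{0:u} {1} set OAuth2ClientProfileEnabled to {2}' -f $c.RunDate, $c.Caller, $value)
    }

    # Same remediation as the post; -WhatIf lets you see the change before making it
    if ($PSCmdlet.ShouldProcess('Organization config', 'Set OAuth2ClientProfileEnabled to $true')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        Write-Verbose 'Re-enabled; allow up to 30 minutes for the change to take effect.'
    }
    return $false
}

Test-ExoModernAuth -Verbose
```

If the audit entries show a re-run of the HCW as the cause, uncheck Organization Config in OCT before the next run, or the next transfer will flip it off again.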


Don't miss Comms vNext 2019!

Friday, April 26, 2019
For those of you who were fortunate enough to attend the MEC conferences, you understand what it's like to be a part of a wonderful blend of community and awesome technical content.

If you work with Teams or Skype for Business, that experience is happening again at the Comms vNext conference in Denver, CO, June 5-6, 2019.


This two-day conference promises to be a spectacular event with 36 sessions devoted to Teams and Skype for Business. Sessions will cover voice and voicemail, end-user adoption, development and much more. And all sessions will be led by the superheroes of the industry including 9 Microsoft product group members, 18 MVPs and MCMs from around the world. The keynote will be held on Wednesday, June 5th, by Heidi Gloudemans.

In my view, the most valuable part of a conference like this is the opportunity to develop business relationships with the speakers and attendees. Folks who work with these technologies every day, just like you. With a limit of only 300 attendees, this conference promises to bring everyone together in a way that can't be matched in other huge conferences.

The cost of this two-day event is only $299 for both days and access to all sessions. Even better, you can get a hotel-included package for $525, which includes a two-night stay at the Denver Renaissance Stapleton where the conference will be held. Register today before this conference sells out!

AAD Connect 1.3.90.0 is about to be released

Wednesday, March 27, 2019
Microsoft is about to release Azure AD Connect version 1.3.90.0 to all AAD Connect customers. Typically, they pre-release it to select customers through a limited release program using AAD Connect's auto-upgrade feature. When the telemetry comes back that the upgrade is successful they perform a general availability release to all customers a few days later.

To check which build you're running, run the following cmdlet:
(Get-Item 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe').VersionInfo
The output will look like this:



There are some significant improvements in this version. The ones I find particularly interesting are highlighted below.

New features and improvements

  • Add support for Domain Refresh
  • Exchange Mail Public Folders feature goes GA
  • Improve wizard error handling for service failures
  • Added warning link for old UI on connector properties page.
  • The Unified Groups Writeback feature is now GA
  • Improved SSPR error message when the DC is missing an LDAP control
  • Added diagnostics for DCOM registry errors during install
  • Improved tracing of PHS RPC errors
  • Allow EA creds from a child domain
  • Allow database name to be entered during install (default name ADSync)
  • Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances
  • Modify Group Sync Rules to flow samAccountName, DomainNetbios and DomainFQDN to cloud - needed for claims
  • Modified Default Sync Rule Handling – read more here.
  • Added a new agent running as a windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. Read more about the Admin Agent here.
  • Updated the End User License Agreement (EULA)
  • Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
  • Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
  • Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
  • Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate.
  • Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation.


Fixed issues

  • Fix the SQL reconnect logic for ADSync service
  • Fix to allow clean Install using an empty SQL AOA DB
  • Fix PS Permissions script to refine GWB permissions
  • Fix VSS Errors with LocalDB
  • Fix misleading error message when object type is not in scope
  • Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect.
  • Fixed PHS bug on Staging Server when Connector Credentials are updated in the old UI.
  • Fixed some memory leaks
  • Miscellaneous Autoupgrade fixes
  • Miscellaneous fixes to Export and Unconfirmed Import Processing
  • Fixed a bug with handling a backslash in Domain and OU filtering
  • Fixed an issue where ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.

Read more ...

Clearing up confusion about Office 365 Equivalency Use Rights

Friday, February 22, 2019
You may have heard about "Office 365 equivalency rights" or "dual use rights". These rights allow users to access on premises servers, such as Windows Server, Exchange Server, SharePoint Server, and Skype for Business Server using their Office 365 E3 or E5 licenses.

Office 365 equivalency licenses only provide user use rights, not server rights. In other words, O365 licenses are equivalent to Exchange Server Client Access Licenses (both Standard and Enterprise) and Windows Server CALs, but you still need server licenses to run Exchange Server on Windows Server on premises.

One exception to this rule is that your Office 365 subscription lets you use the free hybrid key to run an Exchange hybrid management server. An important caveat here is that the hybrid server cannot be used to host user mailboxes or Public Folders, and you may still need a server license for Windows Server. The free hybrid key is available to all Enterprise Office 365 customers, even if they get their license from the CSP channel, which says it's "Not On Premises Capable -- Cloud only rights".


Microsoft used to have an authoritative website called, "Licensing How To: Using Office 365 user licenses to meet CAL requirements" that described how these equivalency rights work, but it became a casualty when Microsoft moved most documentation to docs.microsoft.com. Fortunately, you can still read a cached copy of that website from the web archive (for now, at least -- who knows how long that will last).

A suitable replacement for the now-gone licensing website is the Licensing Office 365 document. I include a copy of that PDF document here on my blog, just in case it falls to the same fate. ;)

Notable extracts from this document include the following about equivalent use rights:
  • “Office 365 E3 provides your users with the latest full Office across most devices, plus a wide range of integrated collaboration services coupled with advanced compliance features and full IT power. Office 365 Enterprise includes Office 365 ProPlus for up to five PCs or Macs, five tablets, and five smartphones. It also includes Exchange Online, SharePoint Online, Lync Online, and Yammer Enterprise—along with access rights to equivalent on-premises server workloads.” (Page 3)
  • “Note that all Microsoft 365 E3 and E5 USL license a user for access to Windows Server, but does not include a license for the Windows Server product itself.” (Page 2)

Note that the title of the section is "On-premises server rights", but it should really be "On-premises user rights" since it only applies to the User Subscription License (USL).

Hopefully, this will help you answer some of your user CAL questions when you have an Office 365 subscription. I've seen some licensing providers say that you still need to buy user CALs, even when you have an Office 365 subscription that includes these equivalency rights.

Read more ...

Join me at COUCUG for a talk about the new Exchange patches

Wednesday, February 20, 2019

Join me Thursday, February 21st, as I present a session on Exchange Server patching, specifically around the new security patches just released. I'll be presenting to a live audience via Skype for Business at the Colorado Unified Communications User Group (COUCUG).

Where: 7595 Technology Way, Suite 400 Denver, CO 80237
When: February 21st, 4:00-6:00 pm
Who: Anyone interested in Microsoft Unified (Intelligent) Communications

Agenda (all times in Mountain Standard Time):

4:00-4:10 pm - Arrival and introductions
4:10-5:00 pm - Jeff Guillet and Exchange patching
5:00-5:20 pm - Dinner
5:20-6:00 pm - Jonathan and Exchange Online UM (the death of)


Thanks to our friends at Jabra for hosting dinner!
Read more ...

The Microsoft Hybrid Agent: What you need to know

Thursday, February 7, 2019
Microsoft just announced the new Hybrid Agent Public Preview. This represents an important step toward making it easier for on-prem organizations to implement a hybrid configuration with Exchange Online. Work on the new hybrid agent was announced at Microsoft Ignite 2018 in Orlando, FL to great fanfare.

I wrote an article for the ENow ESE blog where I discuss what it all means and caveats for this implementation. Read it here.

Read more ...

How to work with Inactive Mailboxes in a Hybrid Environment

Tuesday, January 29, 2019
Earlier today the Exchange team posted an article on the EHLO Blog explaining how to manage inactive mailboxes in Exchange Online. That blog post is geared mainly toward cloud-only tenants. This article gives information about the differences between inactive users and shared mailboxes and how to configure them both in a hybrid environment.

Inactive vs Shared Mailboxes

Most customers are interested in a way to remove the Office 365 license from terminated users to reduce costs, while maintaining access to their email. There are two ways to do this.

Inactive mailboxes are mailboxes that have been put on litigation hold and the Office 365 licenses have been removed from the user account in Azure AD. Normally when you remove an Exchange Online license from a user account, the mailbox becomes disconnected and will eventually be purged from EXO (30 days by default). However, if the mailbox is placed on litigation hold before the user account is deleted or unlicensed, EXO is unable to delete the mailbox until the lit hold is removed.

Shared mailboxes are mailboxes that multiple users can access to read and send e-mail messages. Shared mailboxes allow a group of users to view and send e-mail from a common mailbox. This type of mailbox also does not require an EXO license, but has some limits placed on it to prevent abuse.

I put together a table that lists some of the important differences between Inactive and Shared mailboxes that may help you choose which one to use. Neither requires an EXO license.

Characteristic                        Inactive Mailbox                               Shared Mailbox
Requires an EXO license               No                                             No
Accessed by                           Only by users with Discovery Management role   Any user with Full Access rights or with Discovery Management role
Can receive new emails                No                                             Yes
Can send new emails                   No                                             Yes
Mailbox size limit                    100 GB                                         50 GB
Supports online archive mailboxes     Yes                                            Yes, but requires a license
Messages can be changed or deleted    No                                             Yes

Note: There are other limits and requirements, as well. See Exchange Online Limits for the complete list.

Inactive mailboxes are just that -- inactive. The mailbox contents are in stasis and cannot be changed. No new emails can be sent or received by an inactive mailbox. The original user cannot access the mailbox because the account has been deleted or the Office 365 license(s) have been removed. Only users with the Discovery Management role can access the historical mailbox contents. If a user was granted full access to that mailbox prior to removing the license(s), the mailbox may still show in Outlook, but the contents will be inaccessible.

Some organizations choose to convert mailboxes for terminated users into shared mailboxes instead and assign full access to the user's manager or another team member or group. That way, emails sent to the shared mailbox don't bounce with an NDR, and the user with full access can respond on behalf of the terminated employee. Just keep in mind the size and archive limits listed above. See Correcting Shared Mailbox provisioning and sizing for more details.

How to Configure an Inactive Mailbox in a Hybrid Environment

Normally in a hybrid environment all user and mailbox management is done on-premises and the configuration changes sync to the cloud. However, configuring litigation hold for an inactive mailbox is performed directly in Exchange Online.

Follow the first two steps listed in the EHLO Blog article. These are performed in the Microsoft Exchange Online PowerShell Module.

1. Put the mailbox on a hold (which will also place the Archive on the hold, if it is present). For this scenario I’ve used LitigationHold, but any hold from Exchange Online or Security and Compliance can be used:
Set-Mailbox David -LitigationHoldEnabled $True -LitigationHoldDuration Unlimited
Note: The hold setting may take up to 60 minutes to take effect.

2. Ensure the mailbox has Litigation Hold enabled:
Get-Mailbox David | fl PrimarySMTPAddress, Identity, LitigationHoldEnabled, LitigationHoldDuration, MailboxPlan, PersistedCapabilities, SKUAssigned
User properties should now show:

PrimarySmtpAddress : David@contoso.com
Identity : David
LitigationHoldEnabled : True
LitigationHoldDuration : Unlimited
MailboxPlan : ExchangeOnlineEnterprise-0527a260-bea3-46a3-9f4f-215fdd24f4d9
PersistedCapabilities : {BPOS_S_O365PAM, BPOS_S_ThreatIntelligenceAddOn, BPOS_S_EquivioAnalytics, BPOS_S_CustomerLockbox, BPOS_S_Analytics, BPOS_S_Enterprise}
SKUAssigned : True

3. Wait for Azure AD Connect to replicate the change back to on-premises, or force a delta sync using the following command on your AAD Connect server:
Start-ADSyncSyncCycle -PolicyType delta
4. Now you can either delete the user's AD account on-premises, which will sync to AAD and remove the user account there, or remove the user's Office 365 license(s). The inactive mailbox will not be deleted because it's on indefinite litigation hold. Use the procedures here to access the inactive mailbox.
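The ordering of steps 1 through 4 is the whole point: if the account is unlicensed or deleted before Exchange Online has actually applied the hold, the mailbox goes down the normal soft-delete path instead of becoming inactive. The script below is an added example, not code from the original post or from the EHLO article. It wraps the same Set-Mailbox, Get-Mailbox and Start-ADSyncSyncCycle commands and refuses to finish until the hold is reported as enabled. It assumes an existing Exchange Online PowerShell session, and that the AAD Connect server name (AADCONNECT01 is a placeholder) is reachable over PowerShell remoting; the function name is my own.

```powershell
# Added example (not from the original post or the EHLO article): steps 1-3 above as one
# script that verifies the hold is in effect before anyone removes the license or account.
# Assumes an Exchange Online PowerShell session is already open, and that
# $AadConnectServer (placeholder name) accepts PowerShell remoting for the delta sync.
function Enable-InactiveMailboxHold {
    param(
        [Parameter(Mandatory)][string]$Identity,     # e.g. 'David' or an SMTP address
        [string]$AadConnectServer = 'AADCONNECT01',  # placeholder: your AAD Connect server
        [int]$MaxWaitMinutes = 60                    # the post says the hold can take up to 60 minutes
    )

    # Step 1: place the mailbox (and its archive, if present) on unlimited litigation hold.
    Set-Mailbox -Identity $Identity -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited

    # Step 2: poll until EXO reports the hold. Removing the license before this is true
    # leaves the mailbox on the normal 30-day soft-delete path instead of making it inactive.
    $deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
    do {
        $mbx = Get-Mailbox -Identity $Identity |
            Select-Object PrimarySmtpAddress, Identity, LitigationHoldEnabled,
                          LitigationHoldDuration, MailboxPlan, SKUAssigned
        if ($mbx.LitigationHoldEnabled -and "$($mbx.LitigationHoldDuration)" -eq 'Unlimited') { break }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)

    if (-not $mbx.LitigationHoldEnabled) {
        throw "Litigation hold not reported as enabled on '$Identity' after $MaxWaitMinutes minutes; do not unlicense or delete the account yet."
    }

    # Step 3: force a delta sync so the hold state flows back to on-premises AD.
    Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Delta
    }

    # Return the verified state. Step 4 (delete the AD account or remove the license) is
    # deliberately left to the operator, because either path is a point of no return.
    $mbx
}

Enable-InactiveMailboxHold -Identity 'David'
```

The returned object is the same set of properties the post lists under "User properties should now show", so it can be pasted into the ticket as evidence that the hold was in place before the account was touched.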

How to Configure a Shared Mailbox in a Hybrid Environment

First, it's important to know that it's recommended that you do not convert a mailbox that was migrated to Exchange Online to a shared mailbox. The mailbox should be moved back to on-prem, converted to a shared mailbox, and remigrated to Office 365 again. The reason is that AAD Connect doesn't sync the correct attributes back to on-premises. See Convert a user's mailbox in a hybrid environment for more details.

That said, it is possible to convert a migrated user mailbox to a shared mailbox by updating AD on-premises manually. Jetze Mellema blogged about it here. Just follow these steps:

1. Sign in to the Exchange Online Admin Center and navigate to Recipients > Mailboxes.

2. Select the user account you wish to convert and select Convert to Shared Mailbox on the right-side pane. The mailbox will now show under Shared mailboxes in the Exchange Admin Center in Exchange Online.

3. In AD on premises, change the following two attributes for the user account. This can be done using ADSIEdit or the Advanced view of AD Users and Computers on the Attributes tab.
msExchRemoteRecipientType: 100
msExchRecipientTypeDetails: 34359738368
4. Remove the Office 365 licenses from the Shared mailbox.

5. Disable the user account in AD on-prem and Windows will manage its password. The mailbox will now show under Shared mailboxes in the Exchange Admin Center on premises.
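Steps 3 and 5 above are the on-premises half of the conversion, and the two attribute values are easy to mistype in ADSIEdit (msExchRecipientTypeDetails does not even fit in a 32-bit integer). The following is an added example, not code from the original post or from Jetze Mellema's article: it performs those two steps with the ActiveDirectory module, but only after confirming that step 2 (the cloud-side conversion) has already happened. It assumes an Exchange Online PowerShell session for Get-Mailbox and the RSAT ActiveDirectory module on the workstation; the function name and the account name jdoe are placeholders.

```powershell
# Added example (not from the original post or Jetze Mellema's article): the on-premises
# attribute change (step 3) and account disable (step 5) done with the ActiveDirectory
# module, guarded by a check that the Exchange Online side was converted first (step 2).
# Assumes an Exchange Online PowerShell session and the RSAT ActiveDirectory module.
function Complete-SharedMailboxConversion {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,      # placeholder: on-prem account of the converted mailbox
        [string]$MailboxIdentity = $SamAccountName,         # EXO identity, if it differs from the sAMAccountName
        [switch]$WhatIf
    )

    # Guard: the EAC conversion must already be done, otherwise the on-prem attributes
    # would describe a remote shared mailbox that Exchange Online does not have yet.
    $cloud = Get-Mailbox -Identity $MailboxIdentity -ErrorAction Stop
    if ($cloud.RecipientTypeDetails -ne 'SharedMailbox') {
        throw "'$MailboxIdentity' is still '$($cloud.RecipientTypeDetails)' in Exchange Online; convert it in the EAC first."
    }

    # Values from the post. msExchRecipientTypeDetails exceeds Int32, so pass it as [long].
    $attributes = @{
        msExchRemoteRecipientType  = 100
        msExchRecipientTypeDetails = [long]34359738368
    }

    $props = 'msExchRemoteRecipientType', 'msExchRecipientTypeDetails', 'Enabled'
    $user = Get-ADUser -Identity $SamAccountName -Properties $props
    Write-Verbose ("Before: RemoteRecipientType={0} RecipientTypeDetails={1} Enabled={2}" -f `
        $user.msExchRemoteRecipientType, $user.msExchRecipientTypeDetails, $user.Enabled)

    # Step 3: write both attributes in one operation (equivalent to editing them in ADSIEdit).
    Set-ADUser -Identity $user -Replace $attributes -WhatIf:$WhatIf

    # Step 5: disable the account so the former user can no longer sign in.
    # Step 4 (removing the Office 365 license) is a tenant-side action and is not done here.
    Disable-ADAccount -Identity $user -WhatIf:$WhatIf

    # Re-read so the caller can confirm the values AAD Connect will sync on the next cycle.
    Get-ADUser -Identity $SamAccountName -Properties $props |
        Select-Object SamAccountName, Enabled, msExchRemoteRecipientType, msExchRecipientTypeDetails
}

Complete-SharedMailboxConversion -SamAccountName 'jdoe' -Verbose
```

Run it once with -WhatIf to see the two AD writes it would make; after the next delta sync the mailbox should appear under Shared mailboxes in the on-premises Exchange Admin Center, as the post describes.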
Read more ...