Send as SMTP alias is now available in Exchange Online

Wednesday, April 21, 2021

One of the longest running user requests is finally a reality. Users can finally send emails as one of their alias SMTP addresses. At least they can in Exchange Online in Microsoft 365. We'll need to wait and see if this comes to on-premises Exchange Servers. I can't imagine why it wouldn't, but it will probably only come to Exchange 2019 in a future CU or Exchange Server vNext.

UserVoice may no longer exist, but ancient stone tablets have been unearthed that show this has been requested by users for a long, long time.

Exchange Admins can assign alternate email addresses, or aliases, to user mailboxes. Users can receive emails for any of their aliases, but up till now, emails and replies can only be sent using their primary SMTP email address.

With the new behavior, emails sent using one of their aliases show the From address and the Reply-To address as the alias SMTP address that's being used. And there was much rejoicing.

You enable Send From Alias using Exchange Online PowerShell. Simply run the following cmdlet:

Set-OrganizationConfig -SendFromAliasEnabled $true

Once set, users can send emails using one of their configured alias addresses in Outlook or OWA.

To do this in Outlook, the user must first show the From field for new emails using the Options menu. Then they can pick an alias address they've previously used or click Other Email Address and type in the one they want to use.

To do this from Outlook on the web, create a new message, click the (...) ellipses, and click Show From. Then type the email alias you want to use for the new email.

Emails will be delivered to recipients showing the user's full name and the From email address:

If we examine the SMTP headers we see that the From address and the Return-Path values are using the specified alias.

It's important to have valid SPF, DKIM, and/or DMARC records set for the alternate alias' domain to ensure delivery can be made. This is an important consideration with customers in merger and acquisition scenarios.

In my testing I found that when the user receives emails or replies to the alias, Outlook always replies from the primary email address. The user will need to manually change the From address if they want to "continue the lie". Hopefully, this will be fixed in the future.

Read more ...

Install AAD Connect if you installed version

Thursday, April 1, 2021

Microsoft released AAD Connect as a download-only version. Although it includes significant changes, including updating the software to use the new AAD V2 endpoint, it was not offered as an automatic update. Turns out that was a wise decision since it breaks the Azure AD Connect Health feature.

Release status

3/31/2021: Released for download only, not available for auto upgrade

Bug fixes

  • This release fixes a bug in version where, after upgrade to that release, the Azure AD Connect Health feature was not registered correctly and did not work. Customers who have deployed build are requested to update their Azure AD Connect server with this build, which will correctly register the Health feature.

If you installed build (either first-time install or as a manual update) please update ASAP to the newest build Get it here: Download Microsoft Azure Active Directory Connect from Official Microsoft Download Center

Read more ...

You cannot migrate mailbox off of Office365 while the mailbox has a connected account enabled

Thursday, March 25, 2021

Exchange hybrid is the only Microsoft migration method that allows you to move mailboxes in both directions between Exchange and Office 365.

I'm working with a customer who is offboarding their mailboxes from Exchange Online back to Exchange Server 2016. Several mailboxes cannot be migrated back to on-premises due to the following error:

You cannot migrate mailbox '2f15ec3c-b024-4a25-2fdf-bfda9fd806ba' off of Office365 while the mailbox has a connected account enabled. To successfully remove the connected accounts, run the following command: 'Get-Subscription -Mailbox MailboxID -Aggregati

Note the truncated command, which isn't very useful. 

The Get-Subscription cmdlet let's you view the properties of an existing subscription configured in a user's cloud-based mailbox. This cmdlet is used by Outlook on the web Options to display the list of email subscriptions that the end user has, such as POP, IMAP, Facebook, and LinkedIn.

The exact issue with the mailbox can be determined by running the following in Exchange Online PowerShell:

Get-Subscription -Mailbox user -AggregationType all | select DisplayName, Name, AggregationType, UserId, LastModifiedTime, LastSuccessfulSync, CreationType, Status, StatusDescription, DetailedStatus

We can see that the user has configured a subscription to LinkedIn so that Outlook can do a PeopleConnection lookup. This service was closed down by Microsoft over 3 years ago, but the subscription on the mailbox remains.

Run the following cmdlet in EXOPS to remove the subscription from the mailbox:

Get-Subscription -Mailbox UserId -AggregationType All | Remove-Subscription

Now you can resume the mailbox migration to complete the offboard.

Read more ...

Please join me for "HAFNIUM Exchange Server Hack: Why Patching Isn't Enough & Where to Start Hunting" webinar

Thursday, March 11, 2021

Please join me, Michael Van Horenbeeck, and Paul Robichaux for a spirited discussion of the HAFNIUM Exchange Server Hack: Why Patching Isn't Enough & Where to Start Hunting. This free live webinar will held Friday, March 12, 2021 at 11:00AM EST.

We'll be discussing:

  • How and where to spot key indicators of compromise
  • Practical guidance on next steps to take if you’ve been compromised
  • Ways to proactively start protecting yourself against future attacks
I hope you can join us!

Read more ...

New Article: How to Decide Between Azure AD Connect and Azure AD Connect Cloud Sync

Thursday, March 11, 2021

I just published an article describing the differences between using Azure AD Connect and Microsoft's new Azure AD Connect Cloud Sync service. In it, I give the information you need to decide if the new Cloud Sync service is right for you. (Spoiler alert: If you run Exchange hybrid, it isn't.)

Please read How to Decide Between Azure AD Connect and Azure AD Connect Cloud Sync on the Practical 365 website.

Read more ...

URGENT: Patch your Exchange Servers NOW!

Wednesday, March 3, 2021

UPDATE: Microsoft updated it's Microsoft Safety Scanner Tool (MSERT) to scan for malicious files that may be dropped on your Exchange Servers by the latest CVE vulnerabilities. 
You can run this on any Windows server. Run a Full Scan which will scan all files and folders, even those excluded by antivirus. The tool will automatically remove malicious files and, if any were found, prompt for restart to finish up.


Yesterday Microsoft posted a blog article, Released: March 2021 Exchange Server Security Updates, for a serious zero-day vulnerability in Exchange Server.


The security update addresses a vulnerability that was released publicly on the web and every script kiddy is playing around with it.

Important Things to Know

  • The vulnerability affects ALL versions and update levels of Exchange.
  • The attack starts with an unauthenticated request to an Exchange server, so if your Exchange Server is not publicly accessible, less risk can be assumed. You're still open to internal attacks, though. PATCH YOUR SERVERS.
  • Security updates have been released for the following Exchange versions and Cumulative Update levels:
    • Exchange 2010 SP3
    • Exchange 2013 CU23
    • Exchange 2016 CU18
    • Exchange 2016 CU19
    • Exchange 2019 CU7
    • Exchange 2019 CU8
  • If your Exchange Servers are not at these CU levels, you need to get on the latest CU for your version before you can install the security update.
    • Be aware the .NET Framework and Visual Studio C++ runtime prerequisites may be required to update your server to the latest CU. The Exchange CU setup will block installation until the prerequisites are satisfied.
    • .NET Framework installations and updates can peg your CPU for a while after restarting. Plan accordingly.
  • You MUST run the security update from an ELEVATED CMD prompt. Admins who ignore this have reported that it breaks ECP.
  • Hybrid customers are affected, as well. Apply these updates to your hybrid management servers.

Best Practices

  • Apply the patches ASAP.
  • Always restart the Exchange server BEFORE you install the security updates or upgrade the CU. That way you know that the server reboots properly before you install the updates. It also releases any locked files.
  • The update normally takes 15-20 minutes to install. Always restart the Exchange Server AFTER installing the security updates or upgrading the CU (whether it prompts you to, or not). I find that it doesn't warn you to restart about 50% of the time on the dozen or so servers I've upgraded.
  • Do not "batch" updates. For example, don't upgrade Exchange 2016 CU17 to CU19 and immediately install the security patch without rebooting. Restart Exchange Server after every update.
  • Always keep your Exchange Server up to date with the latest (or second to latest) CU so you can more easily install urgent updates like these.

Helpful Tips

Run the following from an elevated PowerShell or EMS console so you can right-click an MSI or MSP file and "Run as Administrator":

New-ItemProperty registry::HKEY_CLASSES_ROOT\Msi.Patch\shell\runas\command -Name "(Default)" -Value '"%SystemRoot%\System32\msiexec.exe" /p "%1" %*' -PropertyType ExpandString -Force

New-ItemProperty registry::HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command -Name "(Default)" -Value '"%SystemRoot%\System32\msiexec.exe" /p "%1" %*' -PropertyType ExpandString -Force
Use the following PowerShell script to check for compromise. Run elevated. This script does not work on Exchange 2010.
Start-Transcript -Path "Check-Compromise-$env:COMPUTERNAME.log" -Force
Write-Host "Checking for CVE-2021-26858 exploitation..."
findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
Write-Host "Checking for CVE-2021-26857 exploitation..."
Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }
Write-Host "Checking for CVE-2021-27065 exploitation..."
Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
Write-Host "Checking CVE-2021-26855 exploitation..."
$logs = (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log' -ErrorAction SilentlyContinue).FullName | sort -Descending
$logCount = $logs.Count
foreach ($log in $logs) {
$percentage = $i / $logCount * 100
$perc = $percentage.ToString("#")
Write-Progress "Search in progress" -Status "$perc% Complete:" -PercentComplete $percentage
Import-Csv -Path $log -ErrorAction SilentlyContinue | Where-Object { $_.AuthenticatedUser -eq "" -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox
Review the Check-Compromise-<computername>.log file for results. You can ignore any errors that say something like, "The member '40' is already present." See HAFNIUM targeting Exchange Servers with 0-day exploits for more details.

If your update fails for some reason, you may find that all the Exchange services are stopped and disabled. If you try to rerun the update it will fail again for this reason. Run the following to return the Exchange service to automatic, then reboot and try again ELEVATED.
Get-Service -Name MSExchangeDelivery, MSExchangeRepl,MSExchangeRPC,MSExchangeFastSearch, MSExchangeThrottling, wsbexchange,MSExchangeSubmission, MSExchangeMailboxReplication, MSExchangeMailboxAssistants, MSExchangeIMAP4BE, MSExchangeImap4, MSExchangeIS, MSExchangeDagMgmt, MSExchangeDiagnostics, MSExchangeFrontEndTransport, MSExchangeADTopology, MSExchangeAntispamUpdate, MSExchangeUM, MSExchangeEdgeSync, MSExchangeHM, MSExchangeHMRecovery, MSExchangeServiceHost, MSExchangeTransport, MSExchangeTransportLogSearch, FMS, HostControllerService, winmgmt, remoteregistry, w3svc, iisadmin | Set-Service -StartupType automatic
Whenever a new version of .NET Framework is installed or a .NET Framework update is applied, the server CPU will peg at 90-100% utilization after reboot for up to 40 minutes while it recompiles MOFs. This process is also called NGEN. You will see mscorsvw.exe processes chewing up CPU. The same happens after you install an Exchange update, since Exchange Server is written in .NET.

Use the 7318.DrainNGenQueue.wsf script to speed up .NET Framework recompiling performance by allowing it to use multiple threads and up to 6 cores. Run it after any .NET Framework installation or update.

Read more ...

How to remove Assignments from Microsoft Teams EDU

Friday, December 18, 2020

Microsoft Teams EDU tenants include an Assignments app in Teams. The Assignments and Grades features in Teams for Education allow educators to assign tasks, work, or quizzes to their students. Educators can manage assignment timelines, instructions, add resources to turn in, grade with rubrics, and more. They can also track class and individual student progress in the Grades tab.

You can learn more about Assignments and Grades in Teams for Education here.

Higher ed customers may want to disable the Assignments app because they already use other ways of assigning and tracking assignments. For them, it can be confusing to students and faculty when the Assignments app is pinned to the left rail of Teams.

Pinned apps in Teams are normally assigned using a Setup Policy in the Teams Admin Center at (Teams apps > Setup policies). Here, you can configure which apps are pinned to the Teams app navigation bar and the order in which they are displayed.

Notice that the disappearing banner at the top of the policy says, "Because you have at least one Office 365 Education license, the Assignments app will be automatically included in each app setup policy." You will also notice that the Assignments app is not listed as a pinned app, so you cannot remove it.

In order to remove Assignments from pinned apps, configure a Permission Policy (Teams apps > Permission policies). Customers who want to remove this would normally edit the Global (Org-wide default) policy, but you can also create a new policy for this and assign it to specific users.

Edit the policy thusly:

  • Under Microsoft apps, select "Block specific apps and allow all others" in the dropdown list.
  • Click the Block apps button .
  • Search for "Assignments", then click Add, and Block.
  • Click the Save button.

It may take up to an hour before the Assignments app is removed from pinned apps for the users the permission policy applies to.

Read more ...