Tuesday, November 11, 2014

Updating Azure Active Directory Powershell

If you have been using Office 365 for any period of time, you may be familiar with seeing this error:

WARNING:  There is a newer version of the Microsoft Online Services Module.  Your current version will still work as expected, however the latest version can be downloaded at: https://portal.microsoftonline.com.

Thankfully, Microsoft updated their page to help show you what version you have and how to update this.

Here's the URL:  http://technet.microsoft.com/en-us/library/jj151815.aspx#bkmk_installmodule

If you run the following command you can see the currently installed version:
(get-item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion

In order to update this, you need to uninstall the existing version.  If you have had this installed for a long time, you may also need to uninstall and reinstall the latest versions of these:
Hope this helps!  As of this posting, the current version is reporting 1.0.8073.4

Thursday, November 06, 2014

Using Regular Expressions in Exchange Transport rules

I was recently tasked with creating a Transport Rule that fired if an email's subject line "started with" a string.   Unfortunately, this is not an option in the GUI or powershell with Exchange 2013 or Exchange Online, but you can use regular expressions.

First, here's the link of the different Transport Rule Conditions:

If you scan the Description column for "that match the specified regular expression" you will see that many different Transport conditions can use these.

I did some searching, and found this older Exchange 2010 document that details the RegEx support here:

(And just in case, I will copy paste it at the bottom of this post as well)

So my customer's rule was very simple:
Choosing a subject matching ^## would select any subject that begun with ##

If you are interested in configuring Message Encryption, it requires Azure RMS licensing, and then following these two articles:

Another really good example of a usage for regex is to match on something like a SS# pattern and block transmitting external to the organization using something like:
If subject or body matches \d\d\d-\d\d-\d\d\d\d

Pattern matching in Exchange Transport Rules

Pattern string Description
\S The \S pattern string matches any single character that's not a space.
\s The \s pattern string matches any single white-space character.
\D The \D pattern string matches any non-numeric digit.
\d The \d pattern string matches any single numeric digit.
\w The \w pattern string matches any single Unicode character categorized as a letter or decimal digit.
\W The \W pattern string matches any single Unicode character not categorized as a letter or a decimal digit.
| The pipe ( | ) character performs an OR function.
* The asterisk ( * ) character matches zero or more instances of the previous character. For example, ab*c matches the following strings: ac, abc, abbbbc.
( ) Parentheses act as grouping delimiters. For example, a(bc)* matches the following strings: a, abc, abcbc, abcbcbc, and so on.
\ A backslash is used as an escaping character before a special character. Special characters are characters used in pattern strings:
  • Backslash ( \ )
  • Pipe ( | )
  • Asterisk ( * )
  • Opening parenthesis ( ( )
  • Closing parenthesis ( ) )
  • Caret ( ^ )
  • Dollar sign ( $ )
For example, if you want to match a string that contains (525), you would type \(525\).
^ The caret ( ^ ) character indicates that the pattern string that follows the caret must exist at the start of the text string being matched.
For example, ^fred@contoso matches fred@contoso.com and fred@contoso.co.uk but not alfred@contoso.com.
$ The dollar sign ( $ ) character indicates that the preceding pattern string must exist at the end of the text string being matched.
For example, contoso.com$ matches adam@contoso.com and kim@research.contoso.com, but doesn't match kim@contoso.com.au

Wednesday, November 05, 2014

Managing Office 365 Cloud changes

With some of the recent releases of new functionality in the cloud, many customers are finding themselves scrambling to document the new functionality for their end users, or find ways of disabling it until they can communicate, train, and document the new features.

In the past few months, Office 365 Groups was deployed for all Office 365 tenants, and the new Delve feature is available in preview as well.

First, I want to cover the Service Settings -> Updates section.  This allows you to enable or disable previewing new features.  This impacts all users in your tenant!  This allows you to control if your users will see new features first, or when they come out of preview mode.

One nice thing about First Release is that you do get to see and work with the newest features, but it also means your users will see new features "light up" immediately, meaning you won't have much time to document and instruct them on using it.

Of course, with First Release off, you won't prevent the new features from coming, but you will have more opportunity to read up on the feature and gain some intelligence on how other organizations are using them effectively.  The BEST place to read for this is the Office team blog at http://blogs.office.com

Another question I am constantly helping customers with is "what kind of data goes in an Office 365 group versus a distribution group versus a Lync persistent chat versus an Exchange Public Folder" - the answers here depend greatly on what licensing and resources you have and what kind of business process you already have developed, but I have found this link on Office 365 Collaboration to be very helpful for customers trying to find the right place for their data.

Recently released features and how to control them:


Microsoft Delve has a TechNet article on administering it - Delve is based on Office Graph, a new SharePoint function that collects data from Exchange, SharePoint and OneDrive to display data that is most relevant to your users in one place.  It uses machine learning to build and learn what content your users share and who they share it with to display documents, files, posts and content relevant to your users' workflows.

Instantly turn off Delve and the Office graph
You can instantly turn off access to the Office graph and remove Delve from the Office 365 global navigation.
  1. Sign in to Office 365 with a global admin account.
  2. Choose Admin > SharePoint. You’re now in the SharePoint admin center.
  3. Choose Settings.
  4. Under Office graph, select Don’t allow access to the Office graph.

Office 365 Groups 

Currently there is not a way to completely remove Office 365 Groups, but you can prevent usage and creation of them until a time arrives that your organization is ready to deploy them and have had time to communicate and train business units on what content belongs in a group.

Tony Redmond has a great article covering Office 365 groups here, and so far it has the most detail of any article I have read.  Blocking Office 365 groups is done using OWA policy and the –GroupCreationEnabled attribute set to $false.   I would recommend setting your default OWA policy to $false, and then testing and training with groups with a pilot group of users with a separate OWA policy with this setting set to $true.   However, keep in mind, we are only blocking group CREATION.  So once a pilot user creates a group, all users with permissions in that group could participate in using the group.

Exchange Online Inbox Clutter  (updated 11/19/2014)

Microsoft unvailed Clutter this week to first release customers as an additional way for Outlook Web Access (OWA) users to help control their inboxes better.   There is not currently any way to control this administratively, it is a per user mailbox view setting.   Microsoft is also in the process of updating the "options" dialogs, but the below screenshot shows how a user may enable or disable this feature today.  By default, Clutter is disabled.

Office 365 Video (Added on 11/20/2014)

Office 365 Video was introduced on 11/20/2014 on the Office Blog.  They had this administrative guide published on day one, and from it, we learn how to disable this feature as well.  For now, Office 365 video is only available if you have First Release enabled in your tenant.

To disable Office 365 Video
  1. Sign in to Office 365 with your SharePoint Online admin account.
  2. Go to the SharePoint admin center.
  3. In the left navigation pane, select settings.
  4. In the Streaming Video Service section, select Disable streaming video through Azure Media Services and disable the Video Portal.
    Disable Office 365 Video setting in SharePoint Online admin center Note   While this change is propagated through the system, the Video link on the Office 365 top navigation bar or the Video icon in the Office 365app launcher might still be visible. Even while the link or icon is still visible, no one in your organization will be able to use Office 365 Video.

Friday, October 10, 2014

Multi Organization O365 migrations - SMTP routing and Criteria Based Routing

When migrating three disparate email organizations into a single Office 365 tenant, one of the major hurdles in this was ensuring that once we have the first organization (CompanyA.com) migrated, the tenant is essentially in production, and while we are planning on turning up and licensing users for the next organization (CompanyB.com), we realized the problems this would cause.

The second organization is large.  Very large.  So we need to pre-stage data into mailboxes that could take days or even weeks.

The SMTP routing issue presented
If users from CompanyA.com were to attempt to email CompanyB.com, the messages would deliver to their mailbox in the tenant.   The same will be true when CompanyA.com and CompanyB.com are in production and CompanyC.com is pre-staging

We considered blanking out the mail attribute in AD to avoid this and just pre-stage to their tenant email address (companyABC.onmicrosoft.com) but too many other AD integrated applications relied on that field so that was not an option.

We began looking around in DirSync filtering for ways to blank the mail attribute by pairing it to an unused AD attribute in Active Directory.  This is NOT AT ALL recommended.

Microsoft does not support modification or operation of the Directory Sync tool outside of those actions formally documented.  The actions documented below in this article are supported. 
Unsupported actions include:
    • Opening the underlying FIM Sync Engine to modify Connector configuration  
    • Manually controlling the frequency and/or ordering of Synchronization Run Profiles or changing the attributes that are synchronized to the cloud. 
Any of these actions may result in an inconsistent or unsupported state of the Directory Sync tool and as a result, Microsoft cannot provide technical support for such deployments / usage of the tool.
Filtering configurations applied to your directory synchronization instance aren’t saved when you install or upgrade to a newer version. If you are upgrading to a newer version of directory synchronization, you must re-apply filtering configurations after you upgrade, but before you run the first synchronization cycle.

That seems like very clear and strong language.  It's not supported, and if you change anything it might also break if and when you patch DirSync.

So without putting the customer in an unsupported space, how can we address the presenting mail routing issue? 

Enter Criteria Based Routing!

Two basic steps here:

  1. Create an Outbound Connector for the CompanyB.com domain
    1. On the Delivery section, specify "Route mail through smart hosts" and manually enter the existing MX records for the CompanyB.com domain
    2. On the "Scope" section, select "Use for Criteria Based Routing (CBR)"
  2. Create a Transport Rule
    1. Apply this rule if: The recipient is.. located inside the organization
    2. And: A recipient's domain is.. companyb.com
    3. Use the following outbound connector.. Select the connector created in Step 1

That's it.  Now you can license mailboxes with their correct SMTP addresses, pre-stage data, and they will NOT receive any SMTP traffic until you disable or remove the connector and the rule.  Which in addition is a much easier cutover day task than to be changing users or DirSync configurations en masse.

Hope this helps you, please post if it does!

Tuesday, September 30, 2014

Exchange Online Shared Mailboxes - Licensing, quota and compliance

Like all things cloud, things change.  This was based on September 2014 data and findings.

Writing today about shared mailboxes as a customer recently had several requirements and in reviewing the service description, I have found some inconsistent information.

And here's the current text of the footnote:
A user must have an Exchange Online license in order to access a shared mailbox. Shared mailboxes don’t require a separate license. However, if you want to enable In-Place Archive for a shared mailbox, you must assign an Exchange Online Plan 1 or Exchange Online Plan 2 license to the mailbox. If you want to enable In-Place Hold for a shared mailbox, you must assign an Exchange Online Plan 2 license to the mailbox. After a license is assigned to a shared mailbox, the mailbox size will increase to that of the licensed plan.

So for the purpose of this blog, I am going to focus on three issues:
  1. How large can a shared mailbox (no license) be?
  2. Can you put shared mailboxes into litigation hold or in-place hold?
  3. If you needed >10GB mailboxes or in place hold, how would you assign a license? 
How large can a shared mailbox (no license) be?
I created a shared mailbox and did a get-mailbox and see the prohibit send and receive is at 50GB

So, either the service description is incorrect, or PowerShell's quota reporting of space is incorrect.

So, I started stuffing the shared mailbox.  I have a pretty nice home PC.  SSD, 32GB RAM, etc.  I'd say around 5GB, using Outlook 2013 with all current patches, a shared mailbox became pretty slow and difficult to work with, even in OWA and Outlook 2013.
Can you put shared mailboxes into litigation hold or in-place hold? 
Based on the service description, you need a license for both litigation hold or in-place hold.  
Here's the GUI versus powershell of my in place hold.  You can see that in shell it shows there are no sourcemailboxes but the GUI shows I have an in place hold.  Confusing and very misleading.
According to the shared mailbox screen, it is under in-place hold

And my test eDiscovery with in place hold seems to be capturing data:

 And the preview shows my data!

What about litigation hold?   Well, that allows me to set it:

But can we trust it?  Is it really holding data?  The answer is yes.  Here's a trimmed screenshot of a prior test (not the same as the in-place hold) that captured data.  Even better, this mailbox was deleted, so this also proves that it is in litigation hold since the mailbox is no longer enabled, we know we are not searching an active mailbox.

If you needed >10GB mailboxes or in place hold, how would you assign a license? 

According to the Service Description, if you need in place hold or larger than 10GB shared mailboxes, you need to assign an Exchange Online Plan 1 or Plan 2 license to the mailbox.

However, since the mailbox is shared, you cannot assign a license to it.

So I opened a quick case asking "how do I apply a license to a shared mailbox?"

Their answer was simple - you need to convert the mailbox to a user mailbox.

Once converted, you can assign a license.   However, one may argue or be concerned on the points this brings up:
  • This is no longer a shared mailbox, but is a user mailbox that is shared, it now has a username and password (and the password assigned is not very complex if a cloud only account (@tenant.onmicrosoft.com) 
  • This is now a cloud only account, if you run DirSync or had a security requirement that all accounts be sourced in AD, this would not be within that policy, or subject to any policies your authentication solution might enforce.  If you had a Hybrid environment, you could convert and move the shared user mailbox to on premise, or just create your shared mailboxes on premise
  • Licensing does not appear to be required to have in-place or litigation hold enabled 
UPDATE 10/1/2014: Thanks to Nino Bilic for pointing out, you ABSOLUTELY can license a shared mailbox.  In O365 Users, search for it, and add a country and license.  He also advises that while quota and hold status may be working without a license, you should license them, in case Microsoft decides to enforce licensing, it could put you in a state of non compliance or over the size limit shared mailboxes!

UPDATE 10/8/2014: Another nod to Nino - In this article, Microsoft addresses Exchange Online licensing required and explicitly mentions Litigation Hold as WELL as in place hold require an Exchange plan 2 license!
Manage inactive mailboxes in Exchange Online

In closing..
  1. Quota, litigation and in-place hold all function as expected on shared mailboxes without a license, however this could change and be enforced at any given time, so obviously recommend using licensing if the functionality is needed.
  2. Litigation and in-place hold are completely enabled for shared mailboxes, regardless of the licensing section of the Service Description
  3. Licensing a shared mailbox can be performed by converting them to a user mailbox or by assigning a license to the shared mailbox MSOLUser as documented above

Automation of Azure Active Directory Federation settings using PingFederate for SSO

OK, I am guessing this will not be a very popular article, but if it helps even one person...  PLEASE COMMENT and tell me!  I am sure this could also be used with other Single Sign On 3rd party vendors with some modifications.

I had a customer using PingFederate for Authentication in Office 365, and they have a test bed environment and a production environment, and during our planning and testing phase we had to switch back and forth a few times, and there was an expectation that they might need to repeat this process later when they patch the PingFederate, or if they are testing new/extended functionality.

So I wrote this script to help you swap out the setting in Azure Active Directory PowerShell (aka MSOLshell)

You will need to edit:
  1. The $cert value
  2. The array of domains
  3. The array of PingFederate strings
  4. The $ssoURLroot
  5. Anything else specific to your environment
  6. Edit the actual set cmdlet to execute instead of write-host once you are comfortable with the script building the commands needed
 Hope this helps someone!

$cert = "reallylongstringofcharactershere"
$domain = @("companyABC.com", "companyDEF.com", "companyGHI.com", "companyJKL.com")
$string = @("randomcharactersfromping1", "randomcharactersfromping2", "randomcharactersfromping3","randomcharactersfromping4")
$ssoURLroot = "https://sso.companyABC.com/"

$ssomid1 = "idp/"
$ssomid2 = "pf/"

$logonURIend = "/sts.wst"
$logoffURIend = "/prp.wsf"
$metadataend = "/sts_mex.ping?PartnerSpId=urn:federation:MicrosoftOnline"

for ($i=0; $i -lt $domain.length; $i++)
    $logonURI = $ssoURLroot + $ssomid1 + $string[$i] + $logonURIend
    $LogOffUri = $ssoURLroot + $ssomid1 + $string[$i] + $logoffURIend
    $MexchUri = $ssoURLroot + $ssomid2 + $string[$i] + $metadataend
    $PassLogOnUri = $ssoURLroot + $ssomid1 + $string[$i] + $logoffURIend
    write-host set-msoldomainfederationsettings -signingcertificate $cert -activelogonuri $logonURI -logoffuri $logoffuri -metadataExchangeUri $mexchuri -passivelogonUri $passlogonUri -domainname $domain[$i]
    sleep 2
Get-MsolDomainFederationSettings -domainname $domain[$i]
    # Change above line from write-host to execute!