Multi-Factor Authentication in Office 365 (Part 2)

Multifactor Authentication is a must-have for services based in the cloud, especially for accounts with administrative purposes. We have already covered what Office 365 Multifactor Authentication is and how to configure it in Office 365 tenants with the Office 365 admin center, and we briefly showed the end user experience. Now we will look at how we can use the Azure Active Directory Module for Windows PowerShell to configure Office 365 authentication with MFA.

The Azure Active Directory Module for Windows PowerShell (AADMPS) enables organizations not only to configure MFA for existing end users through PowerShell, but also to enhance their current provisioning process with MFA options. By pre-configuring MFA, administrators can spare end users the initial MFA setup process and let them use their currently configured mobile phone or office number for verification.
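To make the PowerShell side concrete, here is an added example (mine, not code from the SearchExchange article) that uses the MSOnline cmdlets of the Azure Active Directory Module to enforce an MFA requirement on every member of the tenant's Company Administrator role and then reports licensed users that still have no MFA state. The helper functions Get-MfaState and Enable-MfaForUser are my own names; it assumes Connect-MsolService succeeds with an account allowed to manage users.

```powershell
# Added example, not code from the SearchExchange article: enforce MFA on every member
# of the Company Administrator (Global Administrator) role with the Azure Active Directory
# Module for Windows PowerShell (MSOnline cmdlets), then report licensed users still
# without MFA. Assumes Connect-MsolService succeeds with an account allowed to manage users.
Connect-MsolService

function Get-MfaState {
    param([Parameter(Mandatory = $true)] $User)
    # StrongAuthenticationRequirements is empty when MFA was never enabled for the user
    $req = @($User.StrongAuthenticationRequirements) | Select-Object -First 1
    if ($null -eq $req) { return 'Disabled' }
    return $req.State   # 'Enabled' (registration pending) or 'Enforced'
}

function Enable-MfaForUser {
    param([Parameter(Mandatory = $true)] [string] $UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'      # apply to all relying parties (services)
    $req.State = 'Enabled'       # user is prompted to register MFA at next sign-in
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Start with the accounts that matter most: members of the tenant admin role
$role = Get-MsolRole -RoleName 'Company Administrator'
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' }

foreach ($admin in $admins) {
    $user = Get-MsolUser -ObjectId $admin.ObjectId
    $state = Get-MfaState -User $user
    if ($state -eq 'Disabled') {
        Write-Host "Enabling MFA for admin $($user.UserPrincipalName)"
        Enable-MfaForUser -UserPrincipalName $user.UserPrincipalName
    } else {
        Write-Host "$($user.UserPrincipalName) already has MFA state $state"
    }
}

# Follow-up report: licensed users who still have no MFA requirement at all
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and (Get-MfaState -User $_) -eq 'Disabled' } |
    Select-Object UserPrincipalName, DisplayName
```

Passing an empty array to -StrongAuthenticationRequirements removes the requirement again, which is useful for a controlled rollback of a test account.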

Read the full article over on SearchExchange

Multi-Factor Authentication in Office 365 (Part 1)

Multi-Factor Authentication identifies an end user with more than one factor. Authentication is based on something you know, such as your password; something you have, such as a security token or smart card; or something that is a physical characteristic of who you are, such as biometrics. By adding a factor on top of the password, identity is better protected. Multi-Factor Authentication is seen as a must-have for cloud-based services, especially for administrative types of accounts.

In this first tip on SearchExchange, I explain how you can configure Multi-Factor Authentication in Office 365, discuss the so-called contact methods, explain app passwords for non-MFA applications and show the MFA end user experience.

Read the full article over on SearchExchange

Script Updates

A small heads-up for those not following me on Twitter or one of the other social media channels. Last week I made updates to the following three scripts:

Install-Exchange2013.ps1, version 1.72

  • Added CU5 support
  • Added KB2971467 (CU5 Disable Shared Cache Service Managed Availability probes)

Remove-DuplicateItems.ps1, version 1.3

  • Changed parameter Mailbox, you can now use an e-mail address as well.
  • Added parameter Credentials.
  • Added item class and size for certain duplication checks.
  • Changed item removal process. Remove items after, not while processing folder. Avoids asynchronous deletion issues.
  • Works against Office 365.

Remove-MessageClassItems.ps1, version 1.3

  • Changed parameter Mailbox, you can now use an e-mail address as well
  • Added parameter Credentials
  • Added parameter PartialMatching for partial class name matching.
  • Changed item removal process. Remove items after, not while processing folder. Avoids asynchronous deletion issues.
  • Works against Office 365.
  • Deleted Items folder will be processed, unless MoveToDeletedItems is used.
  • Changed EWS DLL loading, can now be in current folder as well.

Be advised I keep an overview of the scripts and their current versions with publish dates here.

 

Clutter in the Gutter?

At the Microsoft Exchange Conference earlier this year, the Office team introduced us to some nice features which were under development at that time. These features are part of Office Graph, a machine learning feature set meant to make the end user experience more personal and contextual as part of the Enterprise Social initiative.

In the keynote, during a “Geek out with Perry”, Perry (Corporate VP for Microsoft Exchange) mentioned that the “Cloud First” approach allowed Microsoft to implement features step by step, with the option of reverting not-so-good changes. In the end, this should also result in a better product for the on-premises customer when releasing new Exchange builds, and ultimately Exchange v.Next (the next version), as they would not receive the not-so-good changes. It was mentioned several times, also in individual sessions on Office Graph features like Clutter and Groups, that these features would be “cloud-first” but there was “no ETA yet” for Exchange on-premises. At that time, most of us left MEC with the impression that all these features, at some point, would make it to Exchange or Exchange v.Next.

Apparently we got hold of the wrong end of the stick. Last week this article appeared on Network World, where in an interview with Julia White (GM Office Marketing) she mentioned that Clutter would not make it to “Office Server”, which seems to be the term for the on-premises deployments of the Exchange, SharePoint and Lync Server triplet. This was a bit surprising, given the information received at MEC. The reason given in the article for this deviation was that Office Graph is too “compute intensive” to include in an Office Server. I assume to pre-empt any complaints about being forced into the service, Julia states that, “It’s not capricious favoritism toward Office 365 customers.” This is more or less in line with Microsoft’s earlier statements on not having plans to stop delivering on-premises releases of Exchange (v.Next). In the discussion that followed on Twitter, Julia confirmed that “Clutter won’t make ExServer v.Next unfortunately.”

The scale of Office 365 is incomparable to the average business running Exchange, SharePoint and Lync on-premises, as is the amount of information that needs to be processed for Office Graph. Still, I can’t help it, but looking at the ‘compute intensive’ argument brings back memories of computer rooms where big monolithic systems offered computing power easily surpassed by today’s tablet. With Clutter being expected later this year and v.Next next year, that is a considerable window. Some claim that Moore’s Law is obsolete, and we also can’t expect to be running Skynet from home next year, but still, computing power increases and I know of some customers who would just get the additional hardware on board to facilitate those extra features. In addition, Clutter can be enabled on a per-user basis anyway.

In a more or less opposite statement, Julia is quoted saying, “Our philosophy is anything we technically can ship in servers, we will. We want our server customers and our cloud customers to have as much as we can ship to them. If it’s possible technically and it’s feasible then we’ll put it in the servers.” I think the reason for not adding Clutter should be sought in the hints Julia provided in the 2nd part of the article. With on-premises customers not following, or even delaying, upgrades to current versions of Microsoft’s products (Exchange, SharePoint, Lync and clients), it becomes hard to ship and support product-transcending features, especially when these require the latest (and greatest) versions.

Think Site Mailboxes, more or less the predecessor of the announced Groups feature of Office Graph. Implementing Site Mailboxes requires Exchange 2013, SharePoint 2013 and Outlook 2013, plus additional configuration to integrate the Exchange and SharePoint products. In the field, I see very low adoption of Site Mailboxes. Many customers are running older product levels (blocking implementation) or there is a more elementary reason, like not having deployed SharePoint at all. But then, for those that are running Site Mailboxes, it adds value. Isn’t that what this is all about? Note that for the compliance discovery feature to work, proper configuration of Exchange, SharePoint and Lync is required as well, but compliance is perhaps a better selling point than Clutter or one of the other Office Graph features could ever be.

“Assumption is ..” are the first words of a well-known saying. For the future, don’t expect anything you see announced for Office 365 to be ported to the on-premises Exchange releases, even though that product stems from the same code. Then again, features might get dropped, for the reasons provided above or just because they were not ready. That’s nothing new and we have become accustomed to a little disappointment now and then. In the case of Clutter, it’s a shame because it looked like a neat feature to work more efficiently through e-mail without configuring tons of rules. In the case of Groups, it is confirmed for v.Next, but you never know for sure until it is released. Meanwhile, Microsoft should maybe try to prevent confusion by not demonstrating Clutter, among others, in sessions called “What’s new in Exchange“.

If you have an opinion on these changes of course or feature drops, please share it in the comments.

MEC 2014 Update: Sessions & Speakers

A quick heads-up for those still in doubt whether to visit MEC, or waiting for session information before deciding on attending or not. MEC is the premier global event for Microsoft Exchange and Office 365 professionals and the 2014 edition will be held in Austin, Texas (USA) from March 31st to April 2nd, 2014.

The first sessions and speakers of the Microsoft Exchange Conference 2014 – or MEC for short – have been announced. According to the announcement, there is more to come so make sure you follow MEC’s official Twitter account at @mecconf.

MEC is a chance to get in-depth information and learn from real-life experiences on Exchange and anything related. It’s also a chance to meet people from the Exchange product group and the majority of your Exchange rock stars, presenting or attending (like me).

There are still tickets available. When you want to attend, you can register here.

The UC Architects Podcast Ep28

We’re glad to announce the availability of episode 28 of The UC Architects podcast. This is a special episode recorded with a live audience during DevConnections 2013 in Las Vegas.

This episode is hosted by Steve Goodman, Johan Veldhuis, and Michael van Horenbeeck. Special guests are Tony Redmond, Greg Taylor (Microsoft), Jeff Mealiffe (Microsoft) and John Rodriguez (Microsoft).

Topics discussed in this special episode are:

  • MEC is back: registration is now open, so get signing up! What might await those thinking of going? And with MEC, is there still a gap in the market for conferences like Exchange Connections?
  • Where is the place for on-premises Exchange long-term and how does this affect the Exchange-centric IT pro? What kind of skills will they need in 2-5 years time?
  • Is there a need for top level training and certification for Exchange?
  • Product quality: is Exchange a victim of its own success?
  • Exchange in the public cloud. Amazon Web Services have released a guide on deploying Exchange on AWS. Does this give more choice to organizations?
  • Questions from the audience

More information on the podcast, including references and the option to play or download the podcast directly, can be found here, or you can subscribe to the podcasts using iTunes, Zune or the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

The UC Architects Podcast Ep27

We’re glad to announce the availability of episode 27 of The UC Architects podcast.

This episode is hosted by Steve Goodman, Pat Richard, Michael van Horenbeeck, John Cook, Serkan Varoglu, Tim Harrington, Johan Veldhuis and yours truly. Special guests are Andrew Higginbotham (Exchange MCM), Brian Reid (Exchange MCM, Instructor), and Jeff Guillet (Exchange MCM, MVP).

This is a special episode on the cancellation of the MCM/MCSM and MCA certifications by Microsoft, the impact on the certification market, on MCM/MCSMs and those aspiring to the certification, and on the IT professional community in general.

Special thanks to Andrew J. Price for some blitz editing.

More information on the podcast, including references and a link to download the podcast directly, can be found here, or you can subscribe to the podcasts using iTunes, Zune or the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

OWA for iPhone and OWA for iPad are here!

Today, the Exchange team announced the immediate availability of the (free) OWA for iPhone and OWA for iPad apps. Exchange fellows Tony Redmond and Dave Stork already hinted earlier this month that something was about to happen in this area.

Users of the Windows 8 Mail app may find the look of the OWA apps very familiar.

A quick summary on the app features:

  • Stored credentials for automatic logins;
  • Push notifications;
  • Meeting reminders (even with app closed);
  • Voice activated actions (English only);
  • Contact sync for caller ID function;
  • Remote wipe capability (user data, when the app runs).

That last one is a great, much requested feature when Bring Your Own Device is practiced (apart from that, it makes sense because of the sandboxing principle). When required, the business can selectively wipe business data without touching your personal information, similar to a feature to be introduced with Windows 8.1 called Remote Business Data Removal.

Besides requiring an iPhone 4S or iPad 2 or later running iOS 6 or later, the apps are currently only supported for Office 365 subscribers whose tenant is running on Wave 15 (or later). There are reports of the apps working with on-premises Exchange 2013, but that’s unofficial. To find out which version your tenant is running, use Get-OrganizationConfig in a remote PowerShell session, e.g.

# Open a remote PowerShell session to Exchange Online (Basic authentication over HTTPS, as used at the time)
$session = New-PSSession -ConnectionUri https://ps.outlook.com/powershell -AllowRedirection -Authentication Basic -Credential (Get-Credential) -ConfigurationName Microsoft.Exchange
Import-PSSession $session
# The major version number of AdminDisplayVersion is the wave (15 = Wave 15)
Get-OrganizationConfig | ft AdminDisplayVersion


My tenant is running on 15.0.698.10 (15 = Wave 15), so theoretically I’m good to be running OWA for iPhone or OWA for iPad. I say theoretically, as I don’t have any iPhone or iPad available for testing.

An app version for on-premises Exchange 2013 is expected to be released at a later date. More information on configuration and usage of the OWA apps on the Office 365 blog here.

Removing Duplicate Items from a Mailbox

Last version: 1.41, November 26th, 2014.

For those involved with Exchange migration projects or managing Exchange environments, at some point you probably have experienced the situation where people ended up with duplicate items in their mailbox. Duplicate items can be caused by many things, but most common are:

  • Synchronization tools or plug-ins. Entries from the mailbox are treated as new entries and, as a consequence, are added to the mailbox again when synchronizing information back to the mailbox, creating duplicates. In the past, I’ve seen this happening with Nokia PC Suite and Google Apps Sync, for example;
  • Importing existing data. Accidental import from, for example, a PST file to a mailbox can lead to duplicate entries.


When looking for a solution, you’ll probably encounter MSKB299349, “How to remove duplicate imported items in Outlook”. This article describes a manual procedure to remove duplicate entries from your calendar, contacts, inbox or other folders. Not very helpful, and labor intensive.

When continuing your search, you’ll find lots (I mean lots!) of tools and Outlook add-ins, like Vaita’s DIR or MAPILab’s Duplicate Remover. Not all this software is free (some even require payment per duplicate removal of appointments, contacts or e-mail) and some might not even work (MAPI-based tools may not work against Exchange 2013).

When you finally have selected a tool, in most cases they require installation of a piece of software and someone to perform the removal process using the tool or Outlook with add-in. When you’re an Apple shop you’ll require different tools, unless you’re running a Windows desktop somewhere (I’ll just pretend I didn’t hear you saying ‘Why don’t you install the tool on the Exchange server’).

Wouldn’t it be nice if you’d have a PowerShell script you can conveniently run from any workstation (or server) with PowerShell installed, removing those duplicate items from a user’s mailbox remotely? If the answer is yes, the Remove-DuplicateItems.ps1 script may be something for you.

Requirements
Using the Remove-DuplicateItems.ps1 script requires Exchange 2007 or later and Exchange Web Services (EWS) Managed API 1.2 (or later), which you can download here. Alternatively, when you already have the EWS Managed API Microsoft.Exchange.WebServices.DLL somewhere, you can copy it to the same folder where the script is located and it will be picked up. The script has been developed and tested against Exchange 2007, meaning it’s a PowerShell 1.0 script which should be compatible with later versions of PowerShell or Exchange.

Also take notice that since you’ll be processing user mailboxes, you’ll need to have full mailbox access or impersonation permissions; the latter is preferred. For details on how to configure impersonation for Exchange 2010 using RBAC, see this article or check here for details on how to configure impersonation for Exchange 2007.

Usage
The script Remove-DuplicateItems.ps1 uses the following syntax:

Remove-DuplicateItems.ps1 [-Mailbox] <String> [[-Type] <String>] [-Retain <String>] [-Server <String>] [-Impersonation] [-DeleteMode <String>] [-Credentials <PSCredential>] [-Mode <String>] [-MailboxOnly] [-ArchiveOnly] [-WhatIf] [-Confirm] [<CommonParameters>]

A quick walk-through on the parameters and switches:

  • Mailbox is the e-mail address or name of the mailbox to process. If name is used, it is matched against cn/SAMAccountname/email address of local AD.
  • Type determines what folders are checked for duplicates. Valid options are Mail, Calendar, Contacts, Tasks, Notes or All (Default).
  • Retain determines which item to retain by comparing last modification times. Valid options are Newest (default) or Oldest.
  • Server is the name of the Client Access Server to access for Exchange Web Services. When omitted, the script will attempt to use Autodiscover.
  • When the Impersonation switch is specified, impersonation will be used for mailbox access, otherwise the current user context will be used.
  • DeleteMode specifies how to remove messages. Possible values are HardDelete (permanently deleted), SoftDelete (use dumpster, default) or MoveToDeletedItems (move to Deleted Items folder).
  • Credentials specifies credentials to use (provide credentials using Get-Credential).
  • Mode determines how items are matched. Options are Quick, which uses PidTagSearchKey and is the default mode, or Full, which uses a predefined set of attributes to match items, depending on the item class:

    Item class         Criteria
    Contacts           File As, First Name, Last Name, Company Name, Business Phone, Mobile Phone, Home Phone, Size
    Distribution List  File As, Number of Members, Size
    Calendar           Subject, Location, Start & End Date, Size
    Task               Subject, Start Date, Due Date, Status, Size
    Note               Contents, Color, Size
    Mail               Subject, Internet Message ID, DateTimeSent, DateTimeReceived, Sender, Size
    Other              Subject, DateTimeReceived

  • MailboxOnly specifies you only want to process the primary mailbox of the specified users. You also need to use this parameter when running against mailboxes on Exchange Server 2007.
  • ArchiveOnly specifies you only want to process personal archives of specified users.

Few notes:

  • When MoveToDeletedItems is specified, the Deleted Items folder will be skipped;
  • When Type is omitted or set to All, all folders are scanned, including folders like Conversation History, RSS Feeds, etc.;
  • When Quick mode is used and PidTagSearchKey is missing or inaccessible, search will fall back to Full mode;
  • For more info on PidTagSearchKey, see http://msdn.microsoft.com/en-us/library/cc815908.aspx. Note that PidTagSearchKey will have duplicate values for copied objects.
  • You need to specify MailboxOnly when running against mailboxes on Exchange Server 2007, as the Exchange 2010 personal archive options in EWS are not supported in Exchange 2007 mode.
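To show what Full-mode matching and the Retain option amount to, here is an added PowerShell example (my own code, not taken from Remove-DuplicateItems.ps1) that builds a match key per item class from the attributes in the table above, groups constructed in-memory items on that key, and only collects the duplicates to remove, retaining the newest or oldest item by last modification time, as the notes above describe. The helper names (Get-DuplicateKey, Find-DuplicateItems, New-TestMail), the MAPI-style ItemClass values and all sample values are constructed for the example; no EWS connection is made.

```powershell
# Added example, not the script's own code: shows how Full-mode matching and the Retain
# option can work, using constructed in-memory items instead of EWS objects. Items are
# grouped on a key built from the per-class criteria and the removals are only collected,
# never performed while the folder is being walked.

function Get-DuplicateKey {
    param([Parameter(Mandatory = $true)] $Item)
    # Attribute set per item class, following the Full mode table; 'Other' is the fallback
    $fields = switch ($Item.ItemClass) {
        'IPM.Contact'     { 'FileAs', 'GivenName', 'Surname', 'CompanyName', 'BusinessPhone', 'MobilePhone', 'HomePhone', 'Size' }
        'IPM.DistList'    { 'FileAs', 'MemberCount', 'Size' }
        'IPM.Appointment' { 'Subject', 'Location', 'Start', 'End', 'Size' }
        'IPM.Task'        { 'Subject', 'StartDate', 'DueDate', 'Status', 'Size' }
        'IPM.StickyNote'  { 'Body', 'Color', 'Size' }
        'IPM.Note'        { 'Subject', 'InternetMessageId', 'DateTimeSent', 'DateTimeReceived', 'Sender', 'Size' }
        default           { 'Subject', 'DateTimeReceived' }
    }
    # Prefix with the class so a mail and a contact with equal values never collide
    $values = foreach ($f in $fields) { [string]$Item.$f }
    return $Item.ItemClass + '|' + ($values -join '|')
}

function Find-DuplicateItems {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Items,
        [ValidateSet('Newest', 'Oldest')] [string] $Retain = 'Newest'
    )
    $toRemove = @()
    $groups = $Items | Group-Object { Get-DuplicateKey $_ } | Where-Object { $_.Count -gt 1 }
    foreach ($group in $groups) {
        # Order by last modification time; keep one end of the list depending on Retain
        $sorted = @($group.Group | Sort-Object LastModifiedTime)
        $keep = if ($Retain -eq 'Newest') { $sorted[-1] } else { $sorted[0] }
        $toRemove += $sorted | Where-Object { $_.Id -ne $keep.Id }
    }
    return $toRemove
}

# Constructed sample folder: a message, its later PST re-import (same Internet Message ID,
# size and timestamps), a different message with the same subject, and an appointment
function New-TestMail([string] $Id, [string] $MsgId, [string] $Sender, [int] $Size, [datetime] $Sent, [datetime] $Modified) {
    [pscustomobject]@{ Id = $Id; ItemClass = 'IPM.Note'; Subject = 'Q3 report'; InternetMessageId = $MsgId
                       DateTimeSent = $Sent; DateTimeReceived = $Sent.AddMinutes(1); Sender = $Sender
                       Size = $Size; LastModifiedTime = $Modified }
}
$folder = @(
    (New-TestMail 'm1' '<a1@contoso.com>' 'alice@contoso.com' 2048 '2014-09-01 09:00' '2014-09-01 09:01')
    (New-TestMail 'm2' '<a1@contoso.com>' 'alice@contoso.com' 2048 '2014-09-01 09:00' '2014-10-15 12:00')
    (New-TestMail 'm3' '<b7@contoso.com>' 'bob@contoso.com'   3100 '2014-09-02 10:00' '2014-09-02 10:02')
    [pscustomobject]@{ Id = 'a1'; ItemClass = 'IPM.Appointment'; Subject = 'Standup'; Location = 'Room 1'
                       Start = [datetime]'2014-09-03 09:00'; End = [datetime]'2014-09-03 09:15'; Size = 900
                       LastModifiedTime = [datetime]'2014-09-03 08:00' }
)

# Retain Newest (the default) flags the original m1 and keeps the later-modified copy m2;
# Retain Oldest does the opposite. m3 (different message ID) and a1 are never touched.
$newest = @(Find-DuplicateItems -Items $folder -Retain Newest)
$oldest = @(Find-DuplicateItems -Items $folder -Retain Oldest)
"Retain Newest removes: {0}" -f ($newest.Id -join ', ')
"Retain Oldest removes: {0}" -f ($oldest.Id -join ', ')
```

Collecting the removals first and deleting afterwards is what avoids the asynchronous deletion issues mentioned in the script's change log; a real run would pass the collected items to the chosen DeleteMode only after the folder walk is complete.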

So, suppose you want to remove duplicate appointments from the calendar of mailbox migtester1 using attribute matching, moving duplicate items to Deleted Items, using impersonation, and you want to generate extra output using Verbose. In that case, you could use the following command:

Remove-DuplicateItems.ps1 -Mailbox migtester1 -Type Calendar -Impersonation -DeleteMode MoveToDeletedItems -Mode Full -Verbose


Alternatively, you can use an e-mail address and specify credentials. This allows the script to run against mailboxes in Office 365, for example:

Remove-DuplicateItems.ps1 -Mailbox olrik@office365tenant.onmicrosoft.com -Type Mail -DeleteMode MoveToDeletedItems -Mode Full -Credentials (Get-Credential) -Retain Oldest

In case you want to process multiple mailboxes, you can use a CSV file which needs to contain the Mailbox field. An example of how the CSV could look:

Mailbox
francis
philip

The command could then be something like:

Import-CSV users.csv | Remove-DuplicateItems.ps1 -DeleteMode HardDelete -Impersonation

Download
You can download the script from the TechNet Gallery here.

Feedback
Feedback is welcomed through the comments. If you have scripting suggestions or questions, do not hesitate to use the contact form.

Revision History
See TechNet Gallery page.

TechEd NA 2013 UC Sessions

Yesterday was the last day of TechEd North America 2013. It was my first visit to TechEd North America and it was great; I not only got to meet lots of interesting people in real life, the sessions were also excellent. The hosting city of New Orleans contributed a lot to the total experience with friendly people, nice music and the Cajun kitchen.

Now, for your convenience, I put together a list of all UC-related sessions; note that you can find an overview of all TechEd NA 2013 sessions here.

Exchange

Lync

Office 365