Connecting to Office 365/Exchange

powershellAlmost 3 years ago, I wrote an article on how to enhance the PowerShell Integrated Scripting Environment, or ISE. That seemed adequate for the Exchange admin back then, who mostly connected their PowerShell session to their his on-premises environment, and perhaps occasionally a bit of Exchange Online.

Fast forward to 2015, most modern Exchange administrators not only require a connection – if any – to their Exchange on-premises environment, but likely to one or more of the Office 365 services as well. This includes Exchange On-Premises, Azure Active Directory, Exchange Online Protection and perhaps even Skype for Business Online, SharePoint Online, Azure Rights Management Services or Compliance Center.

All these service use a different PowerShell session, use a different endpoint FQDN, and sometimes even require a locally installed PowerShell module. Likely common denominator is the credential used to access each of these services. So, tired of re-entering my credentials every time when switching from Exchange Online to Exchange Online Protection, I created a script with a set of functions to allow me connect to each individual Office 365 service or Exchange Online:

  • Connect-AzureAD: Connects to Azure Active Directory
  • Connect-AzureRMS: Connects to Azure Rights Management
  • Connect-ExchangeOnline: Connects to Exchange Online
  • Connect-SkypeOnline: Connects to Skype for Business Online
  • Connect-EOP: Connects to Exchange Online Protection
  • Connect-ComplianceCenter: Connects to Compliance Center
  • Connect-SharePointOnline: Connects to SharePoint Online
  • Get-Office365Credentials: Gets Office 365 credentials
  • Connect-ExchangeOnPremises: Connects to Exchange On-Premises
  • Get-OnPremisesCredentials: Gets On-Premises credentials
  • Get-ExchangeOnPremisesFQDN: Gets FQDN for Exchange On-Premises
  • Get-Office365Tenant: Gets Office 365 tenant name (SharePoint)

Note that functions and credentials used in the script are global, and in principle only need to be entered once per shell or ISE session. If you need different credentials, call Get-Office365Credentials again. User interaction is a very basic Read-Host, but it does the job.

Requirements
During initialization, the script will detect the modules which are required for certain Office 365 services. When not installed, it will notify you, and provide a link where to obtain the PowerShell module. The related Connect function will not be made available. The Azure Active Directory module also requires the Microsoft Online Sign-In Assistant to be installed. Needless to say, PowerShell is required to run this script, which is tested against version 4 (but should work with 3)

Usage
The functions are contained in a script called Connect-Office365Services.ps1. You can call this script manually from your PowerShell session to make the functions available. However, more convenient may be to have them always available in every PowerShell or ISE session. To achieve this, you need to edit your $profile, which is a script which always starts when you start a PowerShell or ISE session. By default this file does not exist and you need to create it, including the path. Also note that the files for PowerShell and ISE are different, Microsoft.PowerShell_profile.ps1
and Microsoft.PowerShellISE_profile.ps1 respectively.

Now, of course you can copy and paste the functions from the script file to your own $profile. Better is to call the script from your $profile, as this allows you to overwrite the Connect-Office365Services.ps1 with updates. To achieve this, assume you copied the Connect-Office365Services.ps1 in the same location as your $profile, for example C:\Users\Michel\Documents\WindowsPowerShell. You can then make PowerShell and ISE call this script by adding the following line to the $profile scripts:

& “$PSScriptRoot\Connect-Office365Services.ps1”

Now when you start a PowerShell session, you might see the following:

image

This shows the Microsoft Online Sign-In Assistant and Azure Active Directory PowerShell module is available, and related connect functions should be available.

When you load the script from ISE, it will show something similar. However, it will also show ISE is detected and make all functions available through the Add-On menu:

image

Notes
Customize this script to your liking. For example, if you always want to connect to Azure Active Directory when connecting to Exchange Online, add Connect-AzureAD in the Connect-ExchangeOnline function, or when you always want to connect to a fixed FQDN for Exchange On-Premises, insert it in the script or – better – configure your $profile to predefine the FQDN, e.g. $global:ExchangeOnPremisesFQDN=’mail.contoso.com’.

Windows 10
Be advised that when used with Windows 10 build 10525 or 10532, your PowerShell session might crash when connecting to certain services, e.g. Exchange Online Protection. Fellow Exchange MVP Tony Redmond wrote about this here, including a possible workaround. Windows 10 RTM does not have this issue.

Download / Revisions
You can download the script from the TechNet Gallery here. The TechNet Gallery page as well as the script contains revision information.

Feedback
Feedback is welcomed through the comments. If you got scripting suggestions or questions, do not hesitate using the contact form.

HCW fails on intra-organization configuration

o365logoFor my lab, I often have to recreate the Exchange Hybrid configuration for a fresh setup of Exchange On-Premises using formerly used namespaces. Normally you would just run the Exchange Hybrid Configuration Wizard (HCW) after configuring certificates and endpoint URLs. If you don’t clean up the previous configuration information from your tenant upfront, you may then run in the following error message when running the HCW:

Updating hybrid configuration failed with error ‎’Subtask Configure execution failed: Configure IntraOrganization Connector Execution of the Get-IntraOrganizationConfiguration cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Multiple OnPremises configuration objects were found. Please use the OrganizationGuid parameter to select a specific OnPremises configuration object.

Multiple OnPremises configuration objects indicates there are multiple intra-organization objects defined in your tenant. You can clean up previous intra-organization configuration objects from your tenant as follows:

  1. First, in your Exchange On-Premises environment, run the Get-OrganizationConfig cmdlet from the Exchange Management Shell:
    image
  2. Copy the Guid value, in the example 1a95d446-ff56-4399-a95e-8ab46c30912b.
  3. Connect to Exchange Online (instruction here).
  4. Check the existing On-Premises definitions in your tenant by running Get-OnPremisesOrganization. There should be more than 1 entry.
  5. To remove the orphaned objects, remove all the objects that don’t match the Organization Guid you retrieved from your On-Premises environment earlier, e.g.:Get-OnPremisesOrganization | Where { $_.OrganizationGuid –ne ‘1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-OnPremisesOrganization
    image
  6. Now you could try re-running the HCW immediately, but chances are you will run in another error caused by orphaned intra-organization connectors (IOC). In those cases, when the HCW tries to run New-IntraOrganizationConnector, it will fail as the namespace defined by TargetAddressDomains is already in use by an existing connector, and ‘The domain <domain> already exists in another intra-organization connector’ is reported. Those connectors, named ‘HybridIOC – ’, where GUID is the Guid of previously used organizations, exist in your tenant. In your Exchange Online session, run the following cmdlet to remove orphaned connector definitions:Get-IntraOrganizationConnector | Where { $_.Identity –ne ‘HybridIOC – 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-IntraOrganizationConnector
    image
  7. While you’re at it, you also might want to remove previously created connectors. Again, in your Exchange Online session, run the following cmdlets to remove orphaned inbound and outbound connectors (again, using the previously noted Organization GUID):
    Get-OutboundConnector | Where { $_.Identity –ne ‘Outbound to 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-OutboundConnector
    Get-InboundConnector | Where { $_.Identity –ne ‘Inbound from 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-InboundConnector

After removing these orphaned objects, you should be able to run the HCW succesfully.

The UC Architects Podcast Ep51

iTunes-Podcast-logo[1]Episode 51 of The UC Architects podcast is now available. This episode is hosted by Steve Goodman who is joined by Dave Stork and John Cook.. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

  • Exchange 2013 CU8
  • Exchange 2010 SP3 CU9
  • Exchange ActiveSync onboarding to Office 365
  • Exchange 2013 Hybrid Config Wizard
  • Office 2013 modern auth public preview
  • Staying informed of Office 365 changes
  • Office 2016 preview
  • Updates for Outlook for iOS
  • Azure AD Sync
  • Office 365 MDM
  • Questions from listeners
  • Lync Kerberos Account
  • Lync/Skype for Business Network Planning for Silk Code
  • Controlling Lync/Skype for Business with your arms
  • Get ready for Skype for Business
  • Updates and Skype for Business
  • Microsoft Ignite
  • UCBUG
  • UCDAY
  • UCExpo

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

The UC Architects Podcast Ep50

iTunes-Podcast-logo[1]Episode 50 of The UC Architects podcast is now available. This episode is hosted by Pat Richard, who is joined by John A Cook and Ståle Hansen. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

  • Network ports for clients and mail flow in Exchange 2013
  • iOS 8.2 has been released
  • Using the Hybrid Configuration Wizard in Exchange Server 2013 (Part 2)
  • How and when to decommission Exchange Hybrid
  • The Office 2016 Mac Preview is here!
  • The Exchange Server 2013 Management Pack for System Center Operations Manager has been updated
  • A Guide to PowerShell for Lync and Exchange Online
  • Be the first to learn what’s next for Exchange and Office 365 at Microsoft Ignite
  • Free Load Balancer – KEMP Virtual LoadMaster
  • Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list
  • Office 365 for Exchange Professionals
  • Office 365 Partner Admin app
  • Making Clutter in Office 365 even better
  • Azure AD Premium (and EMS) available for partner use
  • Getting rate limiting warnings for auto-discovered partners on your #Lync edge (event id 14603)
  • March 2015 update for #Lync for Mac 2011 14.0.11 (KB3037358)
  • How do I control the Lync and Skype UI with the Skype for Business client
  • Managing the Skype Client UI in Skype for Business
  • Set up Two-Armed Kemp VLM as Reverse Proxy/HLB for Lync 2013
  • Latest Visual C++ 2012 update (11.0.61030) won’t let #Lync Resource Kit or Debugging Tools install
  • March 10, 2015 update for #Lync 2013 (KB2956174)
  • Lync Monitoring Reports Decoder
  • Updates Lync Server 2013 Management Pack
  • LS Storage Service event 32054 after you enable Lync 2013 Mobility in an Exchange 2010 environment
  • Measure your conferencing adoption today with SQL
  • QoS Calculator v1.2
  • Update to Lync 2013 mobile app (v5.8, secure app settings, bug fixes)
  • Lync 2012 Database Mirror Manager update
  • Being a UC Superhero with Lync QoE Superpowers
  • LyncPro: Call Monitor Pro for Skype for Business & Lync: Enhancements and Extensibility
  • Book – Lync Server Cookbook
  • Ignite
  • EventZero/The UC Architects party at Ignite
  • LyncDay becomes SkypeDays
  • UCBUG meeting 05/13/2015
  • UCDAY UK meeting 09/28/2015

More information on the podcast including references and a link to download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

The UC Architects Podcast Ep49

iTunes-Podcast-logo[1]Episode 49 of The UC Architects podcast is now available. This episode is hosted by Steve Goodman, who is joined by Dave Stork, Pat Richard, John A Cook and myself. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

  • PIN lock and other updates to Outlook for iOS and Android
  • Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication
  • Training Course: High Availability for Exchange Server 2013
  • Broken IMAP on Exchange 2013 and how to fix it
  • Windows Mobile does not support your new SSL certificate
  • Introducing New-ExchangeWebsite for Exchange 2013
  • A quick look at the Sunrise Calendar app
  • RBAC Manager R2 for Exchange
  • BitTitan offers Nuix-as-a-service
  • PowerShell for MigrationWiz updated
  • Sign in page branding and cloud user self-service password reset for Office 365
  • A better way to recover a mailbox
  • Automated Hybrid Troubleshooting Experience
  • Shared Mailbox Sent Items Changes Coming to Office 365
  • How Groups could be so much better
  • Using the Hybrid Configuration Wizard in Exchange Server 2013
  • Office 365: Deployment Content Moving
  • Azure AD Sync Service Updated
  • Pausing Music When On A #Lync Call – Using the Client SDK
  • Lync Client 2013 – Disable Customer Experience Improvement Program
  • New update for Lync Environment Report now supports custom Word document templates
  • Lync Server 2013 Control Panel crashes when you access the Route tab under the Voice Routing tab
  • Lync client may connect to a non federated partner, even if you though it should not
  • Persistent Chat – December 2014 CU – 500 Internal Server Error
  • Lync / Skype for Business Photo Editor Version 1.0 available now!
  • Do you need a Lync Server license for every Lync Server role–or is this just a Lync licensing myth?
  • Enabling Group Paging on Polycom VVX Phones for Lync or Skype
  • Issues with Unified Contact Store in combination with Lync on-premises & Exchange Online
  • Deep Dive into Set-CsPinSendCAWelcomeMail
  • Skype for Business and Lync troubleshooting 101
  • Update to Skype for Business / Lync Validator KHI reader. Longer list of counters + graphs
  • Book – Deploying and Managing Exchange 2013 HA
  • Book – Exam Ref 70-342 Advanced Solutions of Microsoft Exchange Server 2013
  • Book – Lync Server Cookbook
  • Ignite
  • Stale Hansen – Speaking at Ignite
  • UCBUG Meeting May 13th
  • UCDAY UK – 28th Sept by by Andrew P, Steve, Jason Wynn, Iain Smith, Adam Gent and Tom A

More information on the podcast including references and a link to download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

Blocking Outlook App for iOS & Android

imageYesterday, Microsoft announced the immediate availability the Outlook for iOS and Outlook for Android preview. These apps are the former app named Acompli, which was acquired by Microsoft in December, last year. It is unlikely that Microsoft will develop and support two similar apps, so one can assume the new Outlook app will replace the current OWA for iOS and OWA for Android (or just OWA for Devices) apps.

The app isn’t without a little controversy:

  • The app stores credentials in a cloud environment from Amazon Web Services for e-mail accounts that don’t support OAuth authorization.
  • The app makes use of a service sitting between the app and your mailbox. This service acts as a sort of proxy (hence it requires those credentials), fetching, (pre)processing and sending e-mail. In some way this is smart, as it makes the app less dependent on back-end peculiarities, using a uniform protocol to communicate with the proxy service.
  • The app does not distinguish between devices (device identities are assigned to your account, which makes sense since the app uses a service to retrieve and process your e-mail).
  • The app does not honor ActiveSync policies, like PIN requirements. While true, this app is not an ordinary Exchange ActiveSync client.

You can read more about this here and here.

In all fairness, when the app was still named Accompli, nobody cried foul. But the app is now rebranded Outlook and property of Microsoft, so it seems this made the app fair game. I hope Microsoft is working behind the scenes to make the new Outlook app enterprise-ready, and I’m sure it won’t be long before we see the app’s services move from AWS to Azure. The whole outrage in the media also seems a bit misplaced, as Connected Accounts in Exchange Online, which will retrieve e-mail from a POP or IMAP mailbox, will also store credentials ‘in the cloud’.

It is recommended to treat the app as a consumer app for now, and you may want to block the app in your organization. I have written on how to accomplish blocking or quarantining faulty iOS updates before. However, in those articles I used the reported OS version to block or quarantine devices. The Outlook app proxy service reports itself as “Outlook for iOS and Android” as device model when querying your mailbox, allowing us to use the DeviceModel parameter for matching.

The cmdlet to block or quarantine the new Outlook app in Exchange 2010, Exchange 2013 or Office 365,  is:

New-ActiveSyncDeviceAccessRule –QueryString 'Outlook for iOS and Android' –Characteristic DeviceModel –AccessLevel Block

or, to quarantine:

New-ActiveSyncDeviceAccessRule –QueryString 'Outlook for iOS and Android' –Characteristic DeviceModel –AccessLevel Quarantine

For examples of alternative blocking methods using TMG or F5, check this article. If you need to specify the user agent string, use “Outlook-iOS-Android/1.0” (or partial matching on “Outlook-iOS-Android” to block future updates of the app as well).

As goes for all mobile devices in enterprise environments, as an organization it may be better to test and aprove devices and OS versions rather than to be confronted with mobile apps with possible faulty behavior after an update or which may violate corporate security policies.

Ignite 2015 Session Catalog is here!

ignite ButtonA short heads-up as the session catalog for Microsoft Ignite has been published. So, if you are still undecided or already want to pick ‘must see’ sessions for your schedule, you can check the session catalog here.

The session catalog contains 275 sessions, covering products like Exchange (49), Office 365 (85) and Skype for Business (26). It will be the first major Microsoft event where details will emerge on the next version of Exchange, Exchange v.Next.

The Exchange team published a blog on the Exchange-related Ignite sessions here. The blog contains a nice video featuring Greg Taylor and Jeff Mealiffe talking about what to expect at Ignite.

Also, on Febuary 3rd, the team behind Ignite as well as several speakers will be available on Twitter to answer any questions you may have on Ignite. Use the hashtag #IgniteJam to participate, or follow @MS_Ignite for any updates.

More information on Ignite, pre-day sessions, the session catalog and the #IgniteJam in the original post on Channel 9 here.

Multi-Factor Authentication in Office 365 (Part 2)

wp_ss_20140521_0001Multifactor Authentication is a must-have for services based in the cloud, especially for accounts with administrative purposes. We have already covered what Office 365 Multifactor Authentication is and how to configure it in Office 365 tenants with the Office 365 admin center, and we briefly showed the end user experience. Now we will look at how we can use the Azure Active Directory Module for Windows PowerShell to configure Office 365 authentication with MFA.

Azure Active Directory Module for Windows PowerShell (AADMPS) enables organizations to not only configure MFA for existing end users who use PowerShell, but also enhance their current provisioning process with MFA options. By pre-configuring MFA, administrators can prevent end users from having to go through the initial MFA setup process and use their currently configured mobile phone or office number for verification.

Read the full article over on SearchExchange

Multi-Factor Authentication in Office 365 (Part 1)

Multi-Factor AuthenticationMulti-Factor Authentication identifies an end user with more than one factor. Authentication is based on something you know, such as your password; something you have, such as a security token or smart card; or something that’s a physical characteristic of who you are, such as biometrics. By creating an additional factor on top of the password, identity is better protected. Multi-Factor Authentication is seen as a must-have for cloud-based services, especially for administrative types of accounts.

In this first tip on SearchExchange, I explain how you can configure Multi-Factor Authentication in Office 365, discuss the so-called contact methods, explain app passwords for non-MFA applications as well as show the MFA end user experience.

Read the full article over on SearchExchange

Script Updates

powershellA small heads-up for those not following me on Twitter of one of the other social media channels. Last week I made updates to the following three scripts:

Install-Exchange2013.ps1, version 1.72

  • Added CU5 support
  • Added KB2971467 (CU5 Disable Shared Cache Service Managed Availability probes)

Remove-DuplicateItems.ps1, version 1.3

  • Changed parameter Mailbox, you can now use an e-mail address as well.
  • Added parameter Credentials.
  • Added item class and size for certain duplication checks.
  • Changed item removal process
  • Remove items after, not while processing folder. Avoids asynchronous deletion issues.
  • Works against Office 365.

Remove-MessageClassItems.ps1, version 1.3

  • Changed parameter Mailbox, you can now use an e-mail address as well
  • Added parameter Credentials
  • Added parameter PartialMatching for partial class name matching.
  • Changed item removal process. Remove items after, not while processing folder. Avoids asynchronous deletion issues.
  • Works against Office 365.
  • Deleted Items folder will be processed, unless MoveToDeletedItems is used.
  • Changed EWS DLL loading, can now be in current folder as well.

Be advised I keep am overview of the scripts and their current versions with publish dates here.