About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.

Basic Authentication: End of an Era

Posted on March 31, 2022 by Michel de Rooij

1sep2022: Added announcement regarding Jan2023 extension

Back in September 2019, Microsoft announced it would start to turn off Basic Authentication for non-SMTP protocols in Exchange Online on tenants where the authentication protocol was detected as inactive. This is part of an overall movement to deprecate the less secure Basic Authentication, which is unfit to face the security challenges of the modern world, being subject to things like password spray attacks. It’s modern successor, modern authentication or OAuth2, uses a token and claim based mechanism contrary to sending accounts and passwords, and is the preferred authentication method. When combined with Azure AD for authentication, Modern Authentication also supports features such as Multi-Factor Authentication or Conditional Access.

The original date for disabling of Basic Authentication was October 13^th, 2020. Then the world had other matters to deal with, and Microsoft extended the timelines. After initially postponing turning Basic Authentication off to second half of 2021, the ‘start date’ for permanently turning the lights off for Basic Authentication was set to October 1^st, 2022, as per this article on Docs and MC286990 in the Message Center. Mind the ‘start’ in start date, as flicking the switch for millions of tenants takes time before it becomes effective on your tenant. Organizations do need to anticipate on this change for the first of October.

On September 1st, Microsoft published an update to these timelines as there were still some cases were organizations could not make the deadline of October 1st. To meet these customers “one last time”, organizations can now use the self-service diagnostics to extend disabling of Basic Authentication to January 2023. This needs to be done per protocol, also if organizations requested opt-out or re-enabled Basic Authentication earlier. Details as well as instructions and revised timelines on Basic Authentication switching off are laid out in a new article.

Until then, organizations can (re-)enable Basic Authentication for the protocols they need, using the self-help system in the Microsoft 365 admin center. After entering “Diag: Enable Basic Auth in EXO” in the problem search query, the request will be checked, and Basic Authentication will get enabled. But with the end of support for Basic Authentication, so will this temporary workaround. On a side note, per end of 2020, newly created tenants already have basic authentication disabled by means of security defaults – if those organizations require Basic Authentication for some reason, they will also need to reconfigure security defaults which by default is an all or nothing option for all protocols.

So, with the doomsday counter ticking away for Basic Authentication, what are the consequences for Exchange related workloads organizations might wonder. In this article, I will address some of these concerns.

Update: Microsoft meanwhile has disclosed much awaited details on changes in the native Mail app on iOS. This update is effective per iOS 15.6, and adds support for migrating configured accounts from using Basic Authentication to using Modern Authentication (OAuth). For this work work seamlessly and without user interruption, some configuration is needed on the back-end. Details can be found in a separate article here on this specific topic.

Click here to read the full article on ENow Solutions blog. Note that the ENow article does not include later updates, such as the latest timeline revisions and iOS account conversion, both mentioned above.

The Missing Cmdlets Mystery

Posted on March 29, 2022 by Michel de Rooij

A short blog on something which I find still surprises admins and consultants working with Exchange Online Management module for Powershell. The Exchange Online Management v2 module has been offering support for REST for a while now. One of the benefits of using these REST-based cmdlets, apart from performance and resilience, is that it uses Modern Authentication to connect to Exchange Online, which is the way forward, as Basic Authentication gets directed to the exit.

Now the initial versions of the module supported a limited set of 9 cmdlets. The REST cmdlets used the EXO prefix, such as Get-EXOMailbox as counterpart of Get-Mailbox. I wrote an earlier blog about using EXOv2, configuring the app in Azure and alternative ways to authenticate here.

Per version 2.0.6, which is still in preview, around 250 additional cmdlets got REST support as well, but using their original name and parameter set. You can check the number of cmdlets available after connecting, e.g.

Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>
((Get-Module).Where{ $_.ExportedCommands.'Get-Mailbox'} | Select-Object -ExpandProperty ExportedCommands).GetEnumerator() | Measure-Object

As you can see above, after connecting this version supports 397 cmdlets for my role in addition to the 31 available pre-connecting. Your exact number might vary, based on the roles assigned to your account.

The confusion usually starts when people enter commands or run scripts, and find cmdlets are “missing”. Often they find that the Set/New cmdlet is unavailable, while the Get is available, e.g.

Before, this could be an indication those commands were removed from the role assigned to you, such as the New-MailboxImportRequest cmdlet which only is available if you have mailbox import/export assigned. But in this situation, it could be that the cmdlet does not have a REST call (yet). In those cases, you need to connect using a regular Remote PowerShell session, by specifying -UseRPSSession:

Connect-ExchangeOnline -UserPrincipalName <UPN> -UseRPSSession

When connecting this way, I have 739 cmdlets at my disposal, including the ones which do not support REST. Note that cmdlets which support REST still will use REST; the commands that require Remote PowerShell will use the imported cmdlet. As a reminder, Remote Powershell requires Basic Authentication, and therefor must be enabled on the system you are connecting from.

Tip: Did you know you can view the release notes of the installed Exchange Online Management module by inspecting the ReleaseNotes property, e.g.

(Get-Module ExchangeOnlineManagement).ReleaseNotes

Security Updates Exchange 2013-2019 (Mar2022)

Posted on March 8, 2022 by Michel de Rooij

The Exchange PG released March updates for Exchange Server 2013, 2016 and 2019. More detailed information on patching and how to get current when running an earlier CU of Exchange, can be found at the original blog post here.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2022-23277	Remote Code Execution	Critical	CVSS:3.1 8.8 / 7.7
CVE-2022-24463	Spoofing	Important	CVSS:3.1 6.5 / 5.7

These vulnerabilities are addressed in the following security updates below. The exception is KB5010324 which does not fix CVE-2022-24463 for Exchange 2013. If this is because of the severity classification or the problem being non-existent for Exchange 2013, has not been not disclosed.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.22	KB5012698	KB5008631
Exchange 2019 CU10	Download	15.2.922.27	KB5012698	KB5008631
Exchange 2016 CU22	Download	15.1.2375.24	KB5012698	KB5008631
Exchange 2016 CU21	Download	15.1.2308.27	KB5012698	KB5008631
Exchange 2013 CU23	Download	15.0.1497.33	KB5010324	KB5008631

Finally, KB5010324 also contains the following additional fix for Exchange 2013:

5012925 RFC certificate timestamp validation in Exchange Server 2013

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU11 to Exchange 2019 CU10. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Jan2022)

Posted on January 11, 2022 by Michel de Rooij

Another year, another Patch Tuesday! A quick blog on January 2022’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2022-21969	Remote Code Execution	Important	CVSS:3.1 9.0 / 7.8
CVE-2022-21855	Remote Code Execution	Important	CVSS:3.1 9.0 / 7.8
CVE-2022-21846	Remote Code Execution	Critical	CVSS:3.0 9.0 / 7.8

Vulnerabilities mentioned in the table above are addressed in the following security updates.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.15	KB5008631	KB5007409
Exchange 2019 CU10	Download	15.2.922.20	KB5008631	KB5007409
Exchange 2016 CU22	Download	15.1.2375.18	KB5008631	KB5007409
Exchange 2016 CU21	Download	15.1.2308.21	KB5008631	KB5007409
Exchange 2013 CU23	Download	15.0.1497.28	KB5008631	KB5007409

More detailed information can be found at the original blog post here. The security update also fixes the OWA redirection problem for Exchange hybrid deployments introduced with the November security updates.

Annual Report 2021

Posted on January 9, 2022 by Michel de Rooij

Happy new year to all my dear readers and followers. While some thought after 2020 things would improve soon, 2021 proved to be another year of dealing with measures. That said, 2021 was not very different compared to 2020 from a work perspective, with many organizations now professionalizing their quickly adopted digital transformation, further normalization for work from home scenarios. The year again proved to be a challenge for those busy working on customer projects while catering to the community as well. In the end, it is all about finding a balance, especially if you are working from home and the rest of the household is as well.

Now, without further ado, here are some of this blog’s and GitHub’s top entries for 2021.

General Stats

Number of views: 271,751 (3,086,610 all-time)
Unique visitors: 168,011 (1,627,860 all-time)
Number of posts: 17 (647 total)
Followers: 508
Busiest day: March 4, 2021 (5,616)
Popular time of day: Wednesday, 3pm

Popular blogs

Not surprisingly, posts related to the Hafnium security updates lead the way in 2021:

POPULAR Blogs from 2021
Security Update Exchange 2010-2019 (Mar2021)
Security Updates Exchange 2013-2019 (Jul2021)
Security Recommendation Exchange 2016-2019
Security Updates Exchange 2013-2019 (Nov2021)
Security Updates Exchange 2013-2019 (Oct2021)

Popular scripts in 2021

While I published some additional scripts on my GitHub repository, some scripts like the script to download Ignite sessions or remove duplicate items from Exchange mailboxes remain popular. I performed a total of 144 updates on the scripts, and have 102 people following my GitHub profile.