After updating your PowerShell modules which support managing parts of the Microsoft 365, some of us are curious about what changes are introduced with the updated module. In the world of continuous change, it is hard to keep track of these changes. New cmdlets or parameters get added to support new features, and some get removed as they become obsolete. So, how to discover what those changes are after updating to the latest module?
Time to blog on a small script I created for this purpose a long time ago, Compare-Cmdlets.ps1. This script has two operating modes:
Export currently available cmdlets and parameters for supported modules.
Compare two exports of cmdlets & parameters and report the differences.
Currently, the following command sets are supported:
Command sets are exported per module, where a module is assumed to be present by a simple check for cmdlet availability (specified in column Test Cmdlet). That is, if Get-Mailbox is available, the ExchangeOnline module is assumed to be available. It does not distinguish between the Exchange PowerShell module or ‘classic’ Remote PowerShell session, nor will it take into account the repository origin of the module, nor if the Get-AzureADUser is coming from the AzureAD or AzureADPreview module.
That said, here’s how this is works. Load up PowerShell and have your modules installed and ready. Some modules like ExchangeOnlineManagement require connecting to the service first to import the cmdlet functions, so for ExchangeOnlineManagement run Connect-ExchangeOnline first. Same applies to the newer Teams modules, where the Skype Connector functions are only available after running New-CsOnlineSession.
Then run Compare-Cmdlets to export the cmdlets and parameters for those modules. The commands will by default be exported to an XML in a subfolder named ‘data’. The name of the file is mentioned in the table above. If you want to use a different folder to store the XML files, use DataFolder parameter.
Note that with Exchange, the cmdlets available to you depend on which role you have been assigned in Exchange’s Role-Based Access Control model. For example, if you haven’t explicitly assigned Mailbox-ImportRequest to your account, you will not see it in the exports. Therefor, when exporting module changes, it is required using an account with the same roles assigned to have proper exports. But when needed, you can also use it to report on command set differences between two Exchange Online accounts.
After updating some of the modules, or downloading one of the command set reference XMLs I stored with the script on GitHub, you can use Compare-Cmdlets to compare different versions of module exports. For example, to compare the cmdlets of Microsoft Teams module 1.1.4 with those after updating to 1.1.5, use
The cmdlet Get-TeamChannel has a new GroupId parameter.
The cmdlet New-CsGroupPolicyAssignment parameter PolicyType has been removed.
The cmdlet Add-TeamChannelUser is new.
Note that common parameters (e.g. Verbose and ErrorAction) and optional common parameters (e.g. WhatIf) are left out of the equation. Also, parameters are not compared in depth and only presence is checked. If for example a parameter changes type (e.g. string to multivalue), Compare-Cmdlets does not pick that up.
As-is, the script is made to run on demand from an interactive PowerShell session. Ideally, this would run scheduled and serverless from within the service, reporting changes by e-mail.
The script Compare-Cmdlets.ps1 can be downloaded from GitHub here. If you find this useful, would like to comment or have suggestions, use the comments below or leave them on GitHub.
With the emergency to facilitate working from home due to the Corona pandemic, many organizations were faced with a dilemma. When running Exchange 2013 or some even Exchange 2010 on-premises, and a desire to start using Microsoft Teams, organizations were confronted with the following requirements for integrating Microsoft Teams with Exchange on-premises (source):
Users with mailboxes hosted on-premises must be synchronized to Azure Active Directory.
Running Exchange 2016 Cumulative Update 3 or later on-premises.
OAuth needs to be configured (via Hybrid Configuration Wizard, or manual as MVP fellow Jaap blogged about here).
Recently, an additional requirement was added to explain that for delegates to schedule calendar meetings on behalf of another person, some additional steps are required (steps 2-3 mentioned here).
Now as you might know, Exchange 2010 does not support OAuth authentication. But, by putting Exchange 2016 in front of Exchange 2010, Exchange 2016 can be used for dealing with OAuth authentication, as well as dealing with client traffic as it can down-level proxy to Exchange 2010 for mailboxes hosted on those servers. Looking at these requirements, organizations might conclude that putting Exchange 2016 CU3 in front of their Exchange environment, and configuring OAuth would suffice the requirement to integrate Teams with their Exchange on-premises environment.
Alas, the additional requirement for full Teams integration is that the mailbox server hosting the mailbox should support REST API. Teams leverages Graph REST API calls to interact with mailboxes. In an Hybrid Exchange setup, on-premises mailboxes are identified, and related REST API calls will be directed at the on-premises REST endpoint, landing on your Exchange environment. The requirement for REST API support is something which is not explicitly stated in the Teams integration article, despite my earlier pull request.
It is however stated implicitly in an article on REST support in Hybrid Exchange or the original publication on REST API support in Exchange 2016 CU3 by the Exchange PG, two articles which you might easily have missed or forgotten about. Either way, it states that “All on-premises mailboxes that will use the REST APIs must be located on databases located on Exchange 2016 CU3 servers”.
Thus, with REST API support only being available per Exchange 2016 CU3, Teams will not fully integrate with mailboxes hosted on earlier versions of Exchange. Exchange 2016 can be used to offload OAuth when your mailbox is still on Exchange 2010 (which works fine for Exchange Web Services for Free/Busy, for example), but Exchange 2010 does not support REST API, and thus will never understand those ‘weird’ (proxied) requests landing on /api virtual directory, typical of REST API calls. Consequently, you will see AutodiscoverV2 and REST API calls greeted with a 404:
Typically, first thing users usually will notice missing is the Calendar integration:
Knowing this, the assumption could be that this combination doesn’t work at all, but as often the truth lies somewhere in the middle. You can use Teams when mailboxes are still hosted on pre-Exchange 2016 CU3, if you can live with the limitations. Below I have included a short overview of these, or other noteworthy items. The information is complementary to the How Exchange and Teams interact article. I hope it may help in discussions on what works and what doesn’t.
Disclaimer: Validated with mailbox hosted on Exchange 2010 with Exchange 2016 in front, OAuth and SkypeOnline AppId configured, and using Outlook 2016 C2R. Information may be subject to change. The list may not be conclusive; if you have any additional observations, please leave them in the comments.
Create & View Meetings in Teams
No Calendar integration as this requires Outlook Calendar REST API. Visual clue is absence of the Calendar button.
Modify User Photo in Teams (client)
Doesn’t work when mailbox is hosted in Exchange on-premises.
History doesn’t propagate to mailboxes hosted in Exchange on-premises in ‘Teams Calls’ folder. Does
Access Outlook Contacts
Works only with Exchange Online mailboxes.
May use & receive voice-mail, but can’t play from Teams.
Create & View/Update Teams Meetings from Outlook
Using default Teams Meeting add-in.
Create Teams Meetings from Outlook as Delegate
Teams Scheduler uses AutodiscoverV2 to discover delegate EWS endpoint, and fails. Outlook will display “Sorry, but we can’t connect to the server right now. Please try again later.”
View/Update Teams Meetings from Outlook as Delegate
EWS is used to fetch and update the calendar item.
MailTips in Teams
MailTips like Out of Office are not shown in Teams. MailTips work for Exchange 2016 CU3+.
Create & View Channel Meetings in Teams
Doesn’t work when mailbox is hosted in Exchange on-premises.
Share to Teams
Doesn’t work when mailbox is hosted in Exchange on-premises.
Of course, the better experience is to be had when your mailbox is hosted on Exchange 2016 CU3 or later (including Exchange 2019), or best when you simply host them in Exchange Online. However, given the circumstances and pressure from the organization to use Teams, that route might not be an option for everyone. Organizations may look at substantial investments in time and resources. In those cases, it might be good to know of alternative less preferable scenarios, and more important, any possible limitations you might encounter when taking a shortcut.
Note: If you are looking for the script to download Ignite contents, you can find it at the TechNet Gallery or Github.
It shouldn’t be a surprise to you, but this is the week of Ignite 2019 in Orlando, where Microsoft and other speakers will not only tell you about the latest and greatest, and how to implement recent products and use their technologies, but also draw more of the roadmap of things to come. Unfortunately, I won’t be attending Ignite (again), but similar to last year Microsoft will be live streaming keynotes, breakouts as well as theater sessions. So, you can watch stuff as it happens in the comfort of your own home or on-demand at a later time.
To access the catalog, including live streams, you can of course dive in the 1981 sessions located on the Ignite portal. Details on sessions, speakers etc. as well as filtering options are already present to help you pick what to watch, and recorded media will be added as it becomes available, including slidedecks.
For your convenience, I made a short list of sessions on Exchange Server, related technologies such as Outlook Mobile but also Teams and Groups, as well as some potentially interesting IT Pros sessions on Graph:
Note that the table above was constructed using the Get-EventSession script. I’ll be closely monitoring things this week to try to make sure it can retrieve Ignite contents as it gets published and cope with any changes in publishing as happened in recent years during the event.
Update: Added note about Intune App Protection policies.
One of the most requested features for Microsoft Teams on UserVoice is the ability to switch accounts. When you are working in consulting like me, chances are you need to switch accounts very often. This means you need to log in and out of every account to interact with their or guest access teams. Meanwhile your company might also be sending you messages, so you have to log in there as well. Now, on desktops one can leverage browsers’ private mode to accomplish simultaneous logons, but for mobile clients such alternative does not exist. All in all, this situation is far from ideal.
Now, the mobile workforce can rejoice, as iOS and Android received a client update (126.96.36.199 on iOS, don’t have Android device at hand currently). The updated client allows them to add more than one account, and quickly (and I mean quickly) switch between these accounts and guest accounts.
To add an account, open the menu (), open Settings and select Add account at the bottom to add an existing account to your configuration.
After you finish adding accounts, you can switch between accounts by opening the menu, and selecting one of the accounts or guest access which are shown at the bottom, grouped with the account they belong to. Example is shown right (yes, this is dark mode).
To remove an account, activate the account (by selecting it or one guest access), open the menu, and select Settings and Sign Out.
Another benefit is when your tenant is Azure Information Protection enabled. After logging in, you get prompted and need to restart the Teams app. That annoyance doesn’t happen when switching accounts, as the app remains logged in when switching.
Note that at the moment, badges are only updated within the same account and guest access.
Note that you cannot configure more than one account which has Intune App Protection configured. If you already have an IAP-enabled account and another gets IAP enabled, Teams requires you to pick one of the IAP accounts to be removed from the Teams app configuration.
Now, the only thing left to do is hope this functionality will arrive for Teams Desktop soon.