Connecting to Office 365/Exchange



Last update: Version 3.17, September 8, 2023

Almost 3 years ago, I wrote an article on how to enhance the PowerShell Integrated Scripting Environment, or ISE. That seemed adequate for the Exchange admin back then, who would mostly connect PowerShell sessions to their on-premises environment, and occasionally a bit of Exchange Online.

Fast forward to 2015, most modern Exchange administrators not only require a connection – if any – to their Exchange on-premises environment, but likely to one or more of the Office 365 services as well, including Exchange On-Premises, Azure Active Directory, Exchange Online Protection, Microsoft Teams, Skype for Business Online, SharePoint Online, Azure Information Protection or Compliance Center.

All these services use a different PowerShell session, use a different endpoint FQDN, and in some cases require a locally installed PowerShell module. The likely common denominator is the credential used to access each of these services. So, tired of re-entering my credentials every time when switching from Exchange Online to Exchange Online Protection, I created a script with a set of functions to allow me to connect to each individual Office 365 service or Exchange Online:

  • Connect-AzureActiveDirectory: Connects to Azure Active Directory
  • Connect-AIP: Connects to Azure Information Protection
  • Connect-ExchangeOnline: Connects to Exchange Online
  • Connect-SkypeOnline: Connects to Skype for Business Online
  • Connect-EOP: Connects to Exchange Online Protection
  • Connect-ComplianceCenter: Connects to Compliance Center
  • Connect-SharePointOnline: Connects to SharePoint Online
  • Connect-MSTeams: Connects to Microsoft Teams
  • Get-Office365Credentials: Gets Office 365 credentials
  • Connect-ExchangeOnPremises: Connects to Exchange On-Premises
  • Get-OnPremisesCredentials: Gets On-Premises credentials
  • Get-ExchangeOnPremisesFQDN: Gets FQDN for Exchange On-Premises
  • Get-Office365Tenant: Gets Office 365 tenant name (SharePoint)
  • Set-Office365Environment: Configures URIs and region to use
  • Get-TenantID: Returns TenantID using previously used credentials
  • Update-Office365Modules: Updates supported Office 365 modules
  • Report-Office365Modules: Report on known vs online module versions

Note that functions and credentials used in the script are global, and in principle only need to be entered once per shell or ISE session. If you need different credentials, call Get-Office365Credentials again. User interaction is very basic (Read-Host), but it does the job. The script will also detect if any PowerShell module supporting Multi-Factor Authentication is installed. If so, you will be asked whether to use MFA when authenticating to workloads such as Exchange Online, Azure Active Directory, Microsoft Teams, Skype for Business Online or SharePoint Online.

Requirements
During initialization, the script will detect the modules which are required for certain Office 365 services. When not installed, it will notify you, and provide a link where to obtain the PowerShell module. The related Connect function will not be made available. PowerShell is required to run this script, which is tested against version 5.1 (but should work with lower versions down to version 3).

Usage
The functions are contained in a script called Connect-Office365Services.ps1. You can call this script manually from your PowerShell session to make the functions available. However, it may be more convenient to have them always available in every PowerShell or ISE session. To achieve this, you need to edit your $profile, which is a script which always starts when you start a PowerShell or ISE session. By default this file does not exist and you need to create it, including the path. Also note that the files for PowerShell and ISE are different, Microsoft.PowerShell_profile.ps1 and Microsoft.PowerShellISE_profile.ps1 respectively.

Now, of course you can copy and paste the functions from the script file to your own $profile. Better is to call the script from your $profile, as this allows you to overwrite the Connect-Office365Services.ps1 with updates. To achieve this, assume you copied the Connect-Office365Services.ps1 in the same location as your $profile, for example C:\Users\Michel\Documents\WindowsPowerShell. You can then make PowerShell and ISE call this script by adding the following line to the $profile scripts:

& "$PSScriptRoot\Connect-Office365Services.ps1"
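
The profile setup described above, as an added example that is not part of the original script: it creates the missing profile folder and both profile files, registers the loader line once, and prints the script's SHA256 hash so a later update can be compared against a copy you trust. It assumes Connect-Office365Services.ps1 sits in the profile folder and that Get-FileHash is available (PowerShell 4 or later).

```powershell
# Added example (not from the original script). Assumes Connect-Office365Services.ps1
# has been copied into the folder that holds your profile scripts.
$scriptName = 'Connect-Office365Services.ps1'
$profileDir = Split-Path -Path $PROFILE -Parent
# Single quotes keep $PSScriptRoot literal, so it is resolved when the profile runs.
$loaderLine = '& "$PSScriptRoot\' + $scriptName + '"'

# The profile folder does not exist by default, so create it first.
if (-not (Test-Path -LiteralPath $profileDir)) {
    New-Item -ItemType Directory -Path $profileDir -Force | Out-Null
}

# Console and ISE read different profile files; register the loader in both.
foreach ($name in 'Microsoft.PowerShell_profile.ps1', 'Microsoft.PowerShellISE_profile.ps1') {
    $profilePath = Join-Path -Path $profileDir -ChildPath $name
    if (-not (Test-Path -LiteralPath $profilePath)) {
        New-Item -ItemType File -Path $profilePath | Out-Null
    }
    # Append only once, so re-running this does not load the script twice per session.
    if (-not (Select-String -LiteralPath $profilePath -SimpleMatch -Pattern $scriptName -Quiet)) {
        Add-Content -LiteralPath $profilePath -Value $loaderLine
    }
}

# The profile executes this file in every session and the script handles credentials,
# so show its hash for comparison whenever the file is overwritten with an update.
$scriptPath = Join-Path -Path $profileDir -ChildPath $scriptName
if (Test-Path -LiteralPath $scriptPath) {
    Get-FileHash -LiteralPath $scriptPath -Algorithm SHA256 | Format-List Path, Hash
} else {
    Write-Warning "$scriptName not found in $profileDir; the profile line will fail until it is copied there."
}
```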

Now when you start a PowerShell session, you might see the following:

[Screenshot]

This shows the default environment is targeted (AzureCloud), and that the Exchange Modern Authentication PowerShell module as well as the other modules mentioned in the example are installed. When online version checking is enabled (OnlineModuleVersionChecks variable), a check will be performed against the online repository, e.g. PSGallery, and outdated modules will be reported, like the Skype for Business Online module in the example. It’s also possible to automatically update modules by setting the variable OnlineModuleAutoUpdate.

When you load the script from ISE, it will show something similar. However, it will also detect ISE and make connect functions available through the Add-On menu:

[Screenshot]

Notes
Customize this script to your liking. Note that for updating modules, you need to have administrator permissions on the local system.

Download
You can download the script from GitHub.

Revision History
Revision information is embedded in the source.

Feedback
Feedback is welcomed through the comments. If you have scripting suggestions, questions or want to report bugs, you can do this through GitHub or by using the contact form.

IT/Dev Connections 2015 App


A quick note that if you are attending IT/Dev Connections this year, you can now build your schedule using a mobile app. The app allows you to browse and pick from 190 sessions, view speaker bios, etc.

The app is available for:

For other devices, you can use the generic mobile website here.

Note: You can still register for the event. New registrations can use SPKRSOC15 when registering for $400 off!

The UC Architects Podcast Ep54


Episode 54 of The UC Architects podcast is now available. This episode is hosted by Steve Goodman, who is joined by Michael van Horenbeeck and Michel de Rooij. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Skype for Business or related subjects.

KEMP LoadMaster & HA Virtual ID


A small heads-up on something which you need to configure when deploying a Highly Available setup of physical or virtual KEMP LoadMaster devices in environments with redundant network routing components, but this may apply to other components with similar functionality as well. While in typical environments the LoadMaster’s default setting will never be an issue, it can easily be overlooked or not immediately considered suspect when you do have issues, for example in hosted environments.

Note: If you are looking for more information on load balancing Exchange 2013 using KEMP LoadMaster devices, Exchange-fellow Jeff Guillet did an excellent multi-part write-up on this topic here.

When configuring multiple LoadMasters in a High Availability setup, one of the settings is the HA Virtual ID parameter, which is located under System Configuration > Miscellaneous Options > HA Parameters. This setting configures the routing identifier used by the LoadMaster as part of the VRRP or Virtual Router Redundancy Protocol (see RFC5798).

The HA Virtual ID is used to construct a unique MAC address, so that all devices in the same VRRP group can communicate. The MAC address uses a format as defined by VRRP, and is 00:00:5E:00:01:<ID> for IPv4 and 00:00:5E:00:02:<ID> for IPv6. One device, the Master being the Active LoadMaster, owns the VRRP group and manages its MAC address and shared IP address.

As you can imagine, using the same identifier for multiple non-related devices on the same segment may cause unexpected behavior, like LoadMasters being unable to communicate with each other, both HA LoadMasters thinking they are the Active HA node, or other disruptive behavior. This is likely caused by a device other than LoadMasters managing the VRRP group.

Therefore, it is recommended to always change the default value of ‘1’, but always consult with the network or hosting people which value to use, as different vendors use their own default ID. For example, Cisco may use a different default value than Fortinet or Check Point for their redundant networking components. Of course, you also need to use different values when using multiple HA LoadMaster deployments on the same segment.
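
To see which VRRP IDs are already taken before picking an HA Virtual ID, the MAC format above can be decoded from addresses observed on the segment (for example from a neighbour table or a packet capture). This is an added example, not KEMP tooling; the function name Get-VrrpIdFromMac and the sample addresses are constructed for illustration.

```powershell
# Added example: decode VRRP virtual MACs of the form
# 00:00:5E:00:01:<ID> (IPv4) and 00:00:5E:00:02:<ID> (IPv6).
function Get-VrrpIdFromMac {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$MacAddress)
    process {
        # Strip separators so 00-00-5E-..., 00:00:5e:... and 0000.5e00.0101 all parse.
        $hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($hex -match '^00005E00(01|02)([0-9A-F]{2})$') {
            [pscustomobject]@{
                MacAddress = $MacAddress
                Family     = if ($Matches[1] -eq '01') { 'IPv4' } else { 'IPv6' }
                VirtualId  = [Convert]::ToInt32($Matches[2], 16)   # last octet is the ID
            }
        }
        # Anything else is an ordinary (non-VRRP) MAC and produces no output.
    }
}

# Constructed sample of MAC addresses seen on the segment.
$observed = @(
    '00-00-5E-00-01-01'   # IPv4 group, ID 1
    '00:00:5e:00:01:0a'   # IPv4 group, ID 10
    '0000.5e00.0233'      # IPv6 group, ID 51
    '00-15-5D-01-02-03'   # ordinary NIC, ignored
)
$inUse = $observed | Get-VrrpIdFromMac
$inUse | Sort-Object Family, VirtualId | Format-Table -AutoSize

# Check the ID you intend to configure; 1 is the default mentioned above.
$candidate = 1
if ($inUse | Where-Object { $_.Family -eq 'IPv4' -and $_.VirtualId -eq $candidate }) {
    Write-Warning "HA Virtual ID $candidate is already in use on this segment (IPv4 VRRP MAC observed)."
}
```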

Exchange Server 2016 Preview is here!


And so it begins. A few moments ago, the Exchange team published the public preview of Exchange 2016. The build number of the preview version is 15.1.225.17 (yes, 15.1.*, not 16.*). Exchange 2016 Preview raises schema to version 15317.

The team’s post contains information on the changes and features introduced in Exchange 2016. Many of these were already announced at Ignite earlier this year. An earlier blog post on these announcements can be found here.

With this Exchange 2016 Preview, there are important deviations from announcements made at Ignite 2015:

  • Minimum required Forest Functional Level (FFL) and Domain Functional Level (DFL) is Windows Server 2008. At Ignite it was announced Windows Server 2008 R2 FFL/DFL would be required.
  • Supported Operating Systems will be Windows Server 2012 and Windows Server 2012 R2. At Ignite, it was announced Windows Server 2012 was not going to be supported. Note that Windows Server 10 (Windows Server 2016) is currently in preview, is not (yet) supported, but likely will be at or shortly after both reach RTM status.
  • Coexistence requires Exchange Server 2013 Cumulative Update 8 or Exchange Server 2010 Service Pack 3 Rollup 9. This is lower than Exchange 2013 CU10+ or Exchange 2010 SP3 RU11+ as was mentioned at Ignite.
  • Exchange 2016 Preview works with Outlook 2013, Outlook 2010 with KB2965295, or Outlook 2016 (currently in Preview). This is a lower requirement than Outlook 2010 SP2 with KB2956191 and KB2965295 or Outlook 2013 SP1 with KB3020812 as announced at Ignite. Note that Mac users can utilize Outlook for Mac for Office 365 or Outlook for Mac 2011.
  • Not mentioned at Ignite, but something which recently was introduced in Exchange Online, is the introduction of auto-expanding In-Place Archives in Exchange 2016 Preview. After filling up the initial archive with 100 GB (default quota), Exchange will create auxiliary archives in chunks of 50 GB. To the end user using Outlook 2016 or Outlook for the web (the new Outlook WebApp branding), these archives will appear as a single archive. Downlevel Outlook clients will only display the initial 100 GB archive.

Meanwhile, the TechNet technical library has been updated with information on Exchange 2016. Be advised that this documentation may be incomplete and subject to change, and in fact may even be not on par with the preview product. However, as the product reaches RTM, the documentation should become more complete and final.

Some links to get you started:

  • The official announcement from the Exchange Team can be found here
  • Preliminary documentation for Exchange 2016 can be found on TechNet here
  • Documentation on Active Directory schema changes for Exchange 2016 can be found here

Needless to say, this is a preview. It’s great to play with in a lab, but don’t install it in your production environment unless you are part of the TAP program.

You can download the Exchange 2016 Preview here