Office 365 Engage 2017 Wrap-up

Last week the inaugural Office 365 Engage conference took place in the small but charming city of Haarlem, The Netherlands. With hotels for speakers and attendees close by, the event took place in the Philharmonie, a venue normally used for concerts and theater performances. This lead to some amazing shots on social media of sessions being held in “Room A” (the theater), “Room B” (with bar) and “Room E” (the concert hall).


“Room A”

With Tony Redmond being the chair for this non-Microsoft event, one of the few big Microsoft-technology related events remaining in Europe, organizer BWW Media Group managed to attract an amazing line-up of speakers. Amongst them were quite a number of Microsoft MVP’s, some like Paul Robichaux or Chris Goosen even flying in from overseas. Being sort of a home game to me, it was other speaker’s turn to having to cope with jetlag.

Sessions presented were on all things Office 365 related, such as Azure AD, Exchange Online, SharePoint Online, Groups and Teams, and also more dev-oriented sessions on things like the Graph API. Also, more generic topics were also put to the table, like the roadmap and coping with continuous development, GDPR or hybrid strategies.


“Room B”

On Monday, Jaap Wesselius and I held a full-day workshop on PowerShell for Office 365. The attendees were coming from all over Europe, which shows that there is a demand for an European event of this size on this topic. On Tuesday, I presented a session on Managing Exchange Online using PowerShell, Tips & Tricks. Pending feedback from evaluations, the workshop and session went very well. For those that attended our workshop on Monday, PowerShell for Office 365, or my session on Tuesday on Exchange Online and PowerShell Tips & Tricks, the slide decks will be made available later through the organizer. Sample code from the session is available from the TechNet Gallery here.

Image may contain: one or more people and indoor
“Room E”

Finally, a big thank you to BWW’s Megan Keller, their CEO George Coll, and all the other staff as well, who made speakers and attendees feel welcome at this event, which was small and intimate, a different experience from more massive events like Microsoft Ignite. Also a big thank you to the folks of Quadro-Tech for sponsoring the post-conference drinks.

With everything being walking distance, and with pleasant summer weather, the after-conference hours for catching up with peers and attendees were very enjoyable. BWW was also so kind to offer us speakers a boat trip, where we could experience Haarlem from the waterside, including the obligatory snapshots of windmills, fields and cows.

Note that the organizer is still looking for feedback on the event. Share with them what you like or didn’t like, so they can improve next year’s conference. I am really looking forward to next year’s event, to be held in June 2018, and would highly recommend it to anyone. Hope to see you there next year!

HCW fails on intra-organization configuration

o365logoFor my lab, I often have to recreate the Exchange Hybrid configuration for a fresh setup of Exchange On-Premises using formerly used namespaces. Normally you would just run the Exchange Hybrid Configuration Wizard (HCW) after configuring certificates and endpoint URLs. If you don’t clean up the previous configuration information from your tenant upfront, you may then run in the following error message when running the HCW:

Updating hybrid configuration failed with error ‎’Subtask Configure execution failed: Configure IntraOrganization Connector Execution of the Get-IntraOrganizationConfiguration cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Multiple OnPremises configuration objects were found. Please use the OrganizationGuid parameter to select a specific OnPremises configuration object.

Multiple OnPremises configuration objects indicates there are multiple intra-organization objects defined in your tenant. You can clean up previous intra-organization configuration objects from your tenant as follows:

  1. First, in your Exchange On-Premises environment, run the Get-OrganizationConfig cmdlet from the Exchange Management Shell:
    image
  2. Copy the Guid value, in the example 1a95d446-ff56-4399-a95e-8ab46c30912b.
  3. Connect to Exchange Online (instruction here).
  4. Check the existing On-Premises definitions in your tenant by running Get-OnPremisesOrganization. There should be more than 1 entry.
  5. To remove the orphaned objects, remove all the objects that don’t match the Organization Guid you retrieved from your On-Premises environment earlier, e.g.:Get-OnPremisesOrganization | Where { $_.OrganizationGuid –ne ‘1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-OnPremisesOrganization
    image
  6. Now you could try re-running the HCW immediately, but chances are you will run in another error caused by orphaned intra-organization connectors (IOC). In those cases, when the HCW tries to run New-IntraOrganizationConnector, it will fail as the namespace defined by TargetAddressDomains is already in use by an existing connector, and ‘The domain <domain> already exists in another intra-organization connector’ is reported. Those connectors, named ‘HybridIOC – ’, where GUID is the Guid of previously used organizations, exist in your tenant. In your Exchange Online session, run the following cmdlet to remove orphaned connector definitions:Get-IntraOrganizationConnector | Where { $_.Identity –ne ‘HybridIOC – 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-IntraOrganizationConnector
    image
  7. While you’re at it, you also might want to remove previously created connectors. Again, in your Exchange Online session, run the following cmdlets to remove orphaned inbound and outbound connectors (again, using the previously noted Organization GUID):
    Get-OutboundConnector | Where { $_.Identity –ne ‘Outbound to 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-OutboundConnector
    Get-InboundConnector | Where { $_.Identity –ne ‘Inbound from 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-InboundConnector

After removing these orphaned objects, you should be able to run the HCW succesfully.

Book: Pro Exchange 2013 SP1 PowerShell Administration

As some of you may have noticed, it has been a bit more quiet here than it used to be. Well, the reason for that, after several months of collaborative hard work, blood, sweat and tears, is finally here (and in stores just in time for the Holidays): A book titled Pro Exchange 2013 Service Pack 1 PowerShell Administration!

2013pa

Together with fellow Exchange MVP Jaap Wesselius, we will talk you through topics such as:

  • Deployment and co-existence scenarios.
  • The Client Access Server role and topics such as namespaces, certificates, load balancing, and publishing.
  • The Mailbox Server role and topics such as managing mailboxes, distribution lists and recipients, message transport
  • High availability topics like Database Availability Groups and Client Access and Transport availability.
  • Message Hygiene using the Edge Transport server role and anti-spam features.
  • Backup, Restore and Disaster Recovery, including the backup-less’ Native Data Protection scenario.
  • Unified Messaging features and integration with IP telephony solutions such as Microsoft Lync Server.
  • Compliance features like In-Place Archiving and MRM, In-Place Discovery, In-Place Hold, Data Loss Prevention including fingerprinting, and auditing.
  • Role-Based Access Control model and Split Permissions model for organizations that require this.
  • Office 365 and Exchange Online (EXO) scenarios, federating organizations, directory synchronization, ADFS and Multi-Factor Authentication, as well as basic tasks like onboarding and offboarding mailboxes.

Our 600+ page book will take a PowerShell-first approach when talking about Exchange Server 2013. You can order the book from Amazon here.

I have also added it to the book page here, which also contains other useful books when you want to learn about Exchange or related technologies like PowerShell, Active Directory or Lync Server.

HCW 2013 Subtask CheckPrereqs execution failed

Ex2013 LogoA quick heads-up on the Hybrid Configuration Wizard (HCW) in Exchange 2013, which is broken. The HCW in Exchange 2010 does not have this issue.

The HCW is needed when you want to configure or maintain your Exchange 2013 Hybrid configuration. When checking the prerequisites, the Exchange 2013 HCW may throw the following error message:

Subtask CheckPrereqs execution failed: Check Tenant Prerequisites
Deserialization fails due to one SerializationException: 
Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: 
The type to be (de)serialized is not allowed: 
Microsoft.Exchange.Data.Directory.DirectoryBackendType

The issue has been documented in KB2988229. An Interim Update is available, as reported here. The IU is available for Exhange 2013 Service Pack 1 (CU4) and Cumulative Update 5. Unfortunately, the IU is not available publicly, but must be requested through support.

The fix will be incorporated in Exchange 2013 Cumulative Update 6.

If you must, you can use Exchange fellow Steve Goodman’s instructions documented here, which describes the process to manually configure Exchange 2013 Hybrid deployments. Be advised that, as Steve also points out, the Exchange Hybrid deployment support status depends on the ability to run HCW successfully.

Multi-Factor Authentication in Office 365 (Part 2)

wp_ss_20140521_0001Multifactor Authentication is a must-have for services based in the cloud, especially for accounts with administrative purposes. We have already covered what Office 365 Multifactor Authentication is and how to configure it in Office 365 tenants with the Office 365 admin center, and we briefly showed the end user experience. Now we will look at how we can use the Azure Active Directory Module for Windows PowerShell to configure Office 365 authentication with MFA.

Azure Active Directory Module for Windows PowerShell (AADMPS) enables organizations to not only configure MFA for existing end users who use PowerShell, but also enhance their current provisioning process with MFA options. By pre-configuring MFA, administrators can prevent end users from having to go through the initial MFA setup process and use their currently configured mobile phone or office number for verification.

Read the full article over on SearchExchange

Multi-Factor Authentication in Office 365 (Part 1)

Multi-Factor AuthenticationMulti-Factor Authentication identifies an end user with more than one factor. Authentication is based on something you know, such as your password; something you have, such as a security token or smart card; or something that’s a physical characteristic of who you are, such as biometrics. By creating an additional factor on top of the password, identity is better protected. Multi-Factor Authentication is seen as a must-have for cloud-based services, especially for administrative types of accounts.

In this first tip on SearchExchange, I explain how you can configure Multi-Factor Authentication in Office 365, discuss the so-called contact methods, explain app passwords for non-MFA applications as well as show the MFA end user experience.

Read the full article over on SearchExchange

Script Updates

powershellA small heads-up for those not following me on Twitter of one of the other social media channels. Last week I made updates to the following three scripts:

Install-Exchange2013.ps1, version 1.72

  • Added CU5 support
  • Added KB2971467 (CU5 Disable Shared Cache Service Managed Availability probes)

Remove-DuplicateItems.ps1, version 1.3

  • Changed parameter Mailbox, you can now use an e-mail address as well.
  • Added parameter Credentials.
  • Added item class and size for certain duplication checks.
  • Changed item removal process
  • Remove items after, not while processing folder. Avoids asynchronous deletion issues.
  • Works against Office 365.

Remove-MessageClassItems.ps1, version 1.3

  • Changed parameter Mailbox, you can now use an e-mail address as well
  • Added parameter Credentials
  • Added parameter PartialMatching for partial class name matching.
  • Changed item removal process. Remove items after, not while processing folder. Avoids asynchronous deletion issues.
  • Works against Office 365.
  • Deleted Items folder will be processed, unless MoveToDeletedItems is used.
  • Changed EWS DLL loading, can now be in current folder as well.

Be advised I keep am overview of the scripts and their current versions with publish dates here.

 

Office 365 and “There are no items to show in this folder”

Be advised that when accessing shared mailboxes on Office 365 using Outlook in online mode, you may experience an issue with Outlook not properly updating the mailbox view.

Instead, Outlook will return a “There are no items to show in this view” message. The folder in the folder navigation pane displayed the proper number of (unread) items in the folder.

This could be the symptom of an issue which was already solved in Exchange 2010 Service Pack 1 Rollup 5. It seems the Office 365 data centers are not running a current version of Exchange, as today I received the message the Office 365 environment is currently being upgraded with Exchange 2010 Service Pack 2. The message also mentions the upgrade is to be completed at the end of the month.

More information on the issue in knowledge base articles kb2500648, announcing the fix is included in Exchange 2010 SP1 RU5.

Until then, the suggested workaround is to click one of the columns twice after which Outlook will update the view properly. Of course, you could also enable cached mode, if your setup and company policy permits (e.g. not running Outlook on terminal server).

Federation Information could not be received ..

When setting up federation between Exchange organization using the Hybrid Configuration Wizard, to connect your on-premise Exchange environment with Office 365, you may encounter an error message in the 2nd step of the Hybrid Configuration Wizard, Update-HybridConfiguration:

image

When inspecting the Update-HybridConfiguration results, it reads:

Updating hybrid configuration failed with error ‘Subtask Configure execution failed: Creating Organization Relationships.
Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.
Federation information could not be received from the external organization.
..

The problem lies in the sentence “Federation Information could not be received from external organization”. To see where it goes wrong, you could run Set-HybridConfiguration and Update-HybridConfiguration manually, using additional parameters as shown in the result screen, providing proper credentials and additionally addint the Verbose parameter to increase output logged.

Most of the time this problem comes down to one of the following issues, which can be verified by running the following cmdlet, where example.com is to be replaced by the federated domain:

Get-FederationInformation example.com –Verbose

You’ll probably see the cmdlet going trough the discovery motions using autodiscover, ending up in the same “Federation information could not be received from the external organization” message. When analyzing this output, you’ll see it contains two hints on the potential issues:

Get-FederationInformation : The discovery process returned the following results:
Type=Failure;Url=https://autodiscover.example.com/autodiscover/autodiscover.svc;Exception=Discovery for domain example.com failed.; …

1. Autodiscover
The first issue often overlooked is internal autodiscover not working via DNS or not being set up properly, i.e. split DNS configurations. Some customers don’t configure internal DNS autodiscover records or don’t allow (internal) autodiscover to go through the proxy from inside.

Normally, when using regular clients like Outlook, this isn’t an issue because domain joined clients will be using SCP records from AD. However, federation will use DNS records so you need allow it or set it up in DNS; a CNAME for autodiscover.example.com as well as autodiscover.service.example.com pointing to your hybrid server will suffice.

Also make sure you enable WSSecurity authentication for autodiscover on your hybrid server using:

Set-AutodiscoverVirtualDirectory -Identity ‘autodiscover (Default Web Site)’ –WSSecurityAuthentication $true

2. Proxy rules
In the error message you’ll notice a autodiscover-related request going to /autodiscover/autodiscover.svc. These requests are normally caught by the autodiscover rule (path /autodiscover/*) in ISA or TMG. Issue is, these service requests require unauthenticated traffic. When you turn on logging in TMG, you’ll notice the requests for /autodiscover/autodiscover.svc will be denied.

To solve this issue, and to get federation working, you need to set up an additional ISA/TMG rule pointing to the hybrid server, using the proper public names (don’t forget autodiscover), bound to the OWA listener. You need to allow All Users (as opposed to Authenticated Users), set authentication to “No Authentication, but users can authenticate directly” and configure the following paths:

  • /EWS/Exchange.asmx/wssecurity
  • /Autodiscover/Autodiscover.svc
  • /Autodiscover/Autodiscover.svc/wssecurity

After configuring the rule, you need to put it above all the other Exchange rules, making it the first matching rule when federation traffic hits ISA/TMG.

After applying the rule changes, Get-FederationInfo example.com should work and you can continue with the Hybrid Configuration.

For more information on setting up co-existence, consult the steps provided by the Exchange Deployment Assistent.

Exchange PST Capture Tool released

It took a while, but today the Exchange Team released the long awaited Microsoft Exchange PST Capture Tool (initial version 14.3.16.4). The tool can be used to discover and inject PST files in an Exchange 2010 Exchange Online mailbox or archive.

The tool was originally from Red Gate and known as PST Importer. It’s architecture consists of three components: the central service, (optional) agents for PST discovery, registration and collecting PST files and an administrative console (image by Red Gate):

The online documentation can be found here.

Note that although it’s only supported for Exchange 2010 and Exchange Online, you can use it with Exchange 2007; it’s only untested (and probably unsupported) with that product.

You can read the official announcement here; you can download the tool and the agents here.