Multi-Factor Authentication in Office 365 (Part 2)

wp_ss_20140521_0001Multifactor Authentication is a must-have for services based in the cloud, especially for accounts with administrative purposes. We have already covered what Office 365 Multifactor Authentication is and how to configure it in Office 365 tenants with the Office 365 admin center, and we briefly showed the end user experience. Now we will look at how we can use the Azure Active Directory Module for Windows PowerShell to configure Office 365 authentication with MFA.

Azure Active Directory Module for Windows PowerShell (AADMPS) enables organizations to not only configure MFA for existing end users who use PowerShell, but also enhance their current provisioning process with MFA options. By pre-configuring MFA, administrators can prevent end users from having to go through the initial MFA setup process and use their currently configured mobile phone or office number for verification.

Read the full article over on SearchExchange

Multi-Factor Authentication in Office 365 (Part 1)

Multi-Factor AuthenticationMulti-Factor Authentication identifies an end user with more than one factor. Authentication is based on something you know, such as your password; something you have, such as a security token or smart card; or something that’s a physical characteristic of who you are, such as biometrics. By creating an additional factor on top of the password, identity is better protected. Multi-Factor Authentication is seen as a must-have for cloud-based services, especially for administrative types of accounts.

In this first tip on SearchExchange, I explain how you can configure Multi-Factor Authentication in Office 365, discuss the so-called contact methods, explain app passwords for non-MFA applications as well as show the MFA end user experience.

Read the full article over on SearchExchange

Sent Items Management

Exchange 2010 LogoWith the release of Exchange 2010 SP3, you can now control where sent items are stored when Send-As or Send-on-Behalf permissions are configured and you’re using Outlook Web Access. In Outlook we already had the possibility to control where sent items are stored this using registry keys, but now we can do so from Outlook Web Access or using the Exchange Management Shell. Unlike Outlook, you unfortunately can’t control where deleted items are stored.

As a quick reminder, to configure permissions for user Francis to send e-mail messages as Philip or on behalf of Philip, you would use:

Add-ADPermission Philip -User Francis -Extendedrights "Send As"
Set-Mailbox Philip -GrantSendOnBehalfTo Francis

Sent Items Management from Outlook Web Access
To access the Sent Items Management option, use OWA to open the (shared) mailbox and navigate to Settings > Sent Items


You can configure the following options for Send-As or Send-on-Behalf e-mail:

  • From mailbox: The sent item will be stored in the Sent Items folder of the (shared) mailbox;
  • Sender and From mailboxes: The sent item will be stored in the Sent Items folder of the (shared) mailbox and actual sender;
  • Sender mailbox: The sent item will be stored in the Sent Items folder of the actual sender (default).

Sent Items Management using EMS
To inspect where sent items are stored, use Get-MailboxSentItemsConfiguration, e.g.

Get-MailboxSentItemsConfiguration Philip


To configure the settings, use Set-MailboxSentItemsConfiguration in conjunction with SendAsItemsCopiedTo or SendOnBehalfOfItemsCopiedTo specifying Sender, From or SenderAndFrom. For example, to configure the items sent as Philip to be stored in the mailbox of both Philip and the actual sender, use the following cmdlet:

Set-MailboxSentItemsConfiguration Philip –SenderAndFrom


It would be nice if Outlook would honor these settings, just like the signatures, so you configure this centrally and have consistent behavior regardless of the client setting. It shouldn’t be difficult, using Exchange Web Services as a vehicle to store and retrieve this information.

MsExchQueryBaseDN and Exchange 2010 SP1

Note: At TechEd NA 2011 session EXL326, announcing Exchange 2010 SP2 features (e.g. GAL segmentation), Greg Taylor stated that SP1 breaks MsExchQueryBaseDN in Exchange 2010. This might explain the behaviour as described in this article.

As you may know, the msExchQueryBaseDN attribute can be used to limit a user’s scope of the global address book and address searches (also see kb817218). This is helpful for restricting access in environments consisting of multiple organizations or organizations with a substantial  number of mail-enabled objects. The attribute is part of the user object and you configure it by pointing it to a DN of the OU or address list of choice, e.g. OU=sales,DC=company,DC=com. Note that by default msExchQueryBaseDN is empty, so that user will search the whole domain the user’s part of.

With Exchange 2010 SP1, the following unexpected behavior is encountered in Outlook when you’ve set the msExchQueryBaseDN attribute:

msExchQueryBaseDN Set
When msExchQueryBaseDN is set to a valid DN, Outlook WebApp (OWA) will show the default global address with elements from the configured msExchQueryBaseDN downwards. Outlook 2007/2010 will show an empty global address list; other global address lists are invisible. Searching the address book in OWA works, in Outlook it doesn’t because Outlook thinks the address list is empty:


Note that if the structure contains many elements, opening the global address list in OWA may result in the following exception:

Url: https://…/owa/forms/premium/SubPageContainer.aspx?ae=AddressList&t=Recipients&subpage=DirectoryView.ascx
User host address: …
User: Blake, Francis
EX Address: /o=…
SMTP Address:
OWA version:
Mailbox server: ex2010a.domain.local
Exception type: Microsoft.Exchange.Data.Directory.ADVlvSizeLimitExceededException
Exception message: Active Directory operation failed on ex2010a.domain.local. There are too many entries which exceed limit of Virtual List View. Additional information: The directory service encountered an unknown failure. Active directory response: 000020EF: SvcErr: DSID-03140350, problem 5010 (UNAVAIL_EXTENSION), data 0

The message indicates it tries to fit too many elements in the list.

MsExchQueryBaseDN cleared
When msExchQueryBaseDN is cleared, Outlook and OWA will show the default global address list as well as other address lists. Also, even though the number of elements is equal or larger than when msExchQueryBaseDN is set, the global address list will show in OWA. So, apparently the number of elements isn’t an issue, which makes the exception you get in OWA when msExchQueryBaseDN is set confusing.


After some digging, I think this behavior is related to dropping address list segregation support for on-premises Exchange 2010 and moving several functions and support for it to Exchange 2010 hosting mode. A possible clue can be found in the Exchange 2010 mailbox attribute QueryBaseDNRestrictionEnabled, which description reads:

The QueryBaseDNRestrictionEnabled parameter specifies whether to restrict a user’s ability to view or search for other mailboxes in their organization. If this parameter is set to $true, the global address list (GAL) of the specified mailbox user isn’t populated. Specifically, if the user views the GAL, it will appear empty. If this parameter is set to $false, users can use the GAL to view all mailboxes in their organization, including mailboxes for which this parameter is set to $true. The default value is $false.

This empty GAL behavior when QueryBaseDNRestrictionEnabled is set to $true matches the behavior encountered when setting the msExchQueryBaseDN attribute.

So be advised that while we wait for Service Pack 2, of which the Exchange Team said it will contain some form of (still undisclosed) address list segregation (announcement here),you will run into the issues described above when using msExchQueryBaseDN in an Exchange 2010 SP1 environment.

To bulk clear the msExchQueryBaseDN attribute for a whole domain, execute the following command from the Exchange Management Shell:

Get-Mailbox –ResultSize Unlimited | ForEach {$o=[ADSI](“LDAP://”+$_.distinguishedName);$o.PutEx(1,”msExchQueryBaseDN”,0);$o.SetInfo()}

Updated: Added SP2 announcement mentioning to broken MsExchQueryBaseDN (May 18th).

Disabling editing account information in OWA

In Exchange 2010, by default users have permission to edit their contact information from the Exchange Control Panel. In organizations where this is unwanted, like when account information is provisioned, you need to remove these permissions.


These permissions flow from the Default Role Assignment Policy.

Note: You could have changed the default role assignment. To view the default assignment policy, check the IsDefault attribute, e.g.

Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }

Now, each mailbox-enabled user is assigned the default policy when created. You can verify this by inspecting the RoleAssignmentPolicy using Get-Mailbox, e.g.


The assigned roles of this policy can be viewed using Get-ManagementRoleAssignment:


The ability to edit contact information lies in the MyContactInformation. You can view a description of this role using:

Get-ManagementRole MyContactInformation | select Description

The output reads, “This role enables individual users to modify their contact information, including address and phone numbers.”

To remove this ability you have the option of removing the assignment or you can simply disable the assignment using Set-ManagementRoleAssignment, e.g.

Set-ManagementRoleAssignment -Identity "MyContactInformation-Default Role Assignment Policy" -Enabled $false 

Now after logging into OWA the contact information is view-only (despite the Edit button) and the Save option is gone.

Note that after performing this step, if you want to enable contact information for some users, you need to create a new RoleAssignmentPolicy, similar to the default one but with the MyContactInformation and assign that policy to those users. For example:

New-RoleAssignmentPolicy "Default Role Assignment Policy with Info"
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | New-ManagementRoleAssignment -Policy "Default Role Assignment Policy with Info"

You can use the same exercise to remove other unwanted functions, like the ability to create distribution groups (MyDistributionGroups) or to manage distribution group memberships (MyDistributionGroupMembership).

Outlook Web App Web Parts in Exchange 2010 SP1

After the introduction of Exchange 2010 RTM, many developers –especially on Sharepoint – complained that Microsoft had dropped Web Parts support. Web Parts are small pieces of (Exchange) content which you can incorporate in your own (Sharepoint) application or personalized web page using customized URLs. The source of this content can the mailbox of the authenticated user or other mailboxes to which that user has sufficient permissions.

For example, in Exchange 2007 you can access a web part showing your weekly Exchange calendar using the following URL:


Now in Exchange 2010 RTM this didn’t work anymore. Luckily, with SP1 Web Parts were reinstated. Calling a Web Part through an URL always starts with https://<FQDN>/owa, followed by one or more of the following parameters:

  • SMTP address – This overrides the mailbox to open by specifying the SMTP address associated with the mailbox you want to access, e.g. fblake@lab.local. This parameter always needs to be specified first as part of the location, i.e. it’s not a parameter;
  • cmd – Must be used present when not specifying a specific mailbox and it’s assigned value should be “contents”. This parameter makes sure the Web Part is shown and not the full OWA interface;
  • id (optional) – opens a specific folder by specifying its PR_ENTRY_ID value;
  • fpath (optional) – specifies mailbox folder to display starting from the root folder, e.g. projects/2010. Note that when you specify Inbox you might encounter issues because of user’s localization settings, i.e. “Postvak IN” (Dutch) instead of Inbox;
  • module (optional) – specifies one of the standard folders to open, preventing localization issues. Possible values are Inbox, Calendar, Contacts, Tasks or Publicfolders;
  • view (optional) – Configure the view depending on the folder. For example, for calendar you can specify monthly, weekly or daily; for Inbox view you can specify a few sort options.
  • d, m, y (optional) – Allows you to specify a date for the calendar view;
  • part (optional) – When specifying part=1, the Web Part will be shown using reduced UI to make it more compact.

Note that when constructing the URL you need to comply with URL encoding rules, so replace a space with %20 and a slash with %2f for example. More information on this subject here. Also, use “?” before the first parameter and “&” between any additional parameters.

Some examples:

Open a monthly view of our calendar:


Open our Inbox:


Open our inbox with a reduced UI (to fit it in smaller spaces):


Access the Projects folder located in the root of another mailbox:


For those unfamiliar with this Web Part functionality, be sure to check it out as it allows you to easily integrate Exchange information in your application or website. More detailed information on using Outlook Web App Web Parts check here. For those running Exchange 2007, this information is located here (there are some minor differences).