When configuring an Exchange Hybrid environment, the Hybrid Configuration Wizard (HCW) handles the majority of the heavy lifting. Despite the automation of the HCW, my colleagues and I have noticed there are some settings related to “Remote Domains” that don’t always end up properly configured.

The Hybrid Configuration Wizard (HCW) has evolved since its initial release in SP2 for Exchange 2010; with each update to Exchange 2010 or Exchange 2013, it’s possible that the logic used by the HCW has been updated. So while it’s difficult to say what specific settings were configured by the HCW at the time your organization ran it, I’ve noticed that at least the current version of the Exchange 2013 HCW does not seem to properly configure “Remote Domains”.

If left misconfigured, you may find that features such as “Out of Office” and “Voting Buttons” do not function as expected in an Exchange Hybrid environment.

What is a “Remote Domain”?

Misconfigured Remote Domains in Exchange Hybrid

DomainName                  AllowedOOFType   TNEFEnabled
----------                  --------------   -----------
*                           External            
lab4.iwitl.com              External            
lab4.mail.onmicrosoft.com   External

…and here they are in Exchange Online as configured by the Exchange 2013 CU6 HCW:

DomainName                  AllowedOOFType   TNEFEnabled
----------                  --------------   -----------
*                           External

Below are the on-premises remote domains as recently configured in an environment using the Exchange 2010 SP3 HCW:

DomainName                  AllowedOOFType   TNEFEnabled
----------                  --------------   -----------
*                           External
lab1.iwitl.com              External
lab1.mail.onmicrosoft.com   InternalLegacy   True

…and here they are in Exchange Online as configured by the Exchange 2010 SP3 HCW:

DomainName                  AllowedOOFType   TNEFEnabled
----------                  --------------   -----------
*                           External
lab1.iwitl.com              InternalLegacy   True
lab1.mail.onmicrosoft.com   External

The Remote Domains configured by the Exchange 2010 HCW appear to be correct whereas the Exchange 2013 Remote Domains look to be misconfigured.

What’s The Impact?

Out of Office (AllowedOOFType)
The “Out of Office” message in Exchange allows the user to setup separate responses for senders that are “inside” or “outside” your organization. This allows you to provide a more generic message to external parties while providing more detailed message or personal contact information to your coworkers. When your Remote Domains are not configured properly, you’ll find that everyone, internal and external, receives the “outside” message.

What’s interesting about this setting is that with the above 2013 settings configured by the HCW, you’ll actually receive misleading information from the Out of Office “mail tip”. When you go to send a message cross-premises, the mail tip will show the “internal” Out of Office but Exchange will actually return the “external” message.

Voting Buttons (TNEFEnabled)
Perhaps not a frequently used feature but Outlook allows you to create a poll using “voting buttons”. The idea is you email a question with either the default or custom voting buttons enabled and you can then track the recipient’s responses from the message in your “Sent Items”. If your Remote Domains are not configured properly, you may find that the recipient does not see the actual buttons to submit their vote. The problem seems to only occur for on-premises to cloud messages when configured using the above 2013 settings.

Resolution

To correct Out of Office messages sent to cloud users and the missing voting buttons, we need to change “AllowedOOFType” to “InternalLegacy” and set “TNEFEnabled” to “$true” for our coexistence domain. We can do that by using the “Set-RemoteDomain” command below in the on-premises Exchange organization:

Set-RemoteDomain "Hybrid Domain - lab4.mail.onmicrosoft.com" -AllowedOOFType InternalLegacy -TNEFEnabled $true

To correct the cloud side, we need to first create a Remote Domain and then set the appropriate properties:

New-RemoteDomain "lab4.iwitl.com" -DomainName "lab4.iwitl.com"
Set-RemoteDomain "lab4.iwitl.com" -AllowedOOFType InternalLegacy -TNEFEnabled $true

Note: As you make these changes to Remote Domains, there can be a delay before you see the changes fully implemented. So don’t be surprised in your first couple tests if you receive both the internal and external Out of Office messages.

Summary

• Remote Domains control certain message types at an organizational level
• The Hybrid Configuration Wizard configures Remote Domains during setup
• Your Remote Domains could be misconfigured and it could easily go unnoticed by most
• Misconfiguration of Remote Domains can impact “Out of Office” and “Voting Buttons”
• Delays may occur before changes to Remote Domains actually take effect

 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

As we wrap up 2014, I took a quick look back at my articles for the year and the distribution of topics. This was my first year posting here on the Perficient blogs and while the frequency of my posts was not as consistent as I might have liked, I’m sure my posts will be evolving and constantly improving (much like Office 365).

I really try to focus on providing original content around Exchange Online, Lync Online or infrastructure components such as Directory Sync and AD FS. I’ve scrapped a number of posts that I started after finding the content sufficiently covered elsewhere, so hopefully what you read here is something new and interesting.

Below is a quick summary of my 21 posts in 2014, all in one spot. I have a number of posts already in the planning stages for 2015 and hope to keep a fairly regular schedule; fortunately there’s never a shortage of topics to discuss when it comes to Office 365.

If Exchange Online, Lync Online, Directory Sync or AD FS are of interest to you, there’s a number of ways to keep in touch:

• Subscribe via my RSS feed using your favorite RSS reader (Outlook works…)
• Leave a comment below (perhaps on a topic you’d like to see covered) which will allow you to subscribe via email.
• Follow me on Twitter (@JoePalarchio); my feed is nearly 100% Office 365 content so you don’t have to worry about seeing pictures of my latest meal or a rant about airline luggage handling.

Thanks for reading!

See you in 2015!

Exchange Online

Hybrid Wizard Fails To Update Default Address Policy
The Hybrid Configuration Wizard can have issues updating the default address policy when you have some legacy artifacts hanging around. In this article I cover the issues and provides some options for resolution.

Hybrid Wizard Fails Due To WPAD / PAC
Trying to run the Hybrid Configuration Wizard can be a headache when the Exchange server traffic is proxied. This article covers some ways to address proxies using WPAD / PAC.

Mailbox Fails to Convert During Migration
Occasionally when migrating a mailbox to Exchange Online, the on-premises object does not convert to a remote mailbox. The Microsoft instructions to resolve this situation can create a bit of a mess, this post includes a script that is a better way.

Dynamic Distribution Groups in Exchange Hybrid
Any Exchange Hybrid environment with Dynamic Distribution Groups needs the script in this post.

You’ve Migrated to Exchange Online, So Now What?
I occasionally come across Exchange admins that start questioning what their role is now that they’ve migrated to Exchange Online. There’s actually a lot to do, here are some ideas.

How to Handle “Large Messages” During Migration
Exchange Online does not allow you to migrate messages larger than 25 MB, this article provides some guidance on how to deal with this restriction.

300 Days of Mainstream Support Left for Outlook 2010
Well, 300 days at the time this post was written… Mainstream support expires for Outlook 2010 on October 13, 2015. Here I provide some options on how to stay supported with Office 365.

The Importance of Remote Domains in Exchange Hybrid
The Hybrid Configuration Wizard doesn’t always setup Remote Domains properly which can impact things like your “Out of Office” messages and “Voting Buttons”. This post helps explain that scenario and provides a resolution.

Lync Online

Understanding Archiving in Lync Online [Mac Edition]
The same as above but on the Mac platform which adds a few little wrinkles to the mix.

Directory Sync / AD FS

Assign Licensing “User Location” via Active Directory
A quick explanation of what “User Location” is in Office 365 and how you can synchronize this value from Active Directory as opposed to assigning it manually.

Script to Correct DirSync “Permission-Issue” Errors
A script to help environments where there are security restrictions in Active Directory that stop DirSync from syncing successfully.

DirSync Password Sync: Did You Know?
Five things you might not have known about Password Sync. Definitely not show stoppers but a good FYI when considering Password Sync vs AD FS.

Configuring AD FS & DirSync with an Alternate Login
A feature released in 2014 allows you to use an attribute other than UPN for your Office 365 login. This post covers how to set it up but also some of the nuances that come with implementing this feature.

Replacing the SSL Certificate in AD FS 3.0
Eventually you’ll need to replace your SSL certificate on AD FS 3.0; here’s how.

AD FS Authentication Fails Due To Time Skew
A quick troubleshooting article explaining how the time sync on your AD FS proxy can cause authentication failures.

AD FS Authentication Fails Due To Token Size
If you’ve had a number of Active Directory migrations over the years, there’s a chance you’ll run into a token size issue that can cause problems authenticating via AD FS.

Other

My Experience Taking a Microsoft Certification Exam …At Home
If you need to take Microsoft certification exams as part of your job or just your career goals, you can now take some at home or in your office. This articles covers my experience with this new online exam offering.
 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

You did it!

You migrated your organization’s mail environment to Exchange Online. The post-migration dust is starting to settle, the project plan tasks are nearly all checked off and you’re done, you’re finally done.

…or are you?

Below are a five tasks that can get overlooked when configuring your Exchange Online environment. While some may be optional for your organization, nearly all are quick and easy to implement.

1. Modify the Default Retention Policy

If you take a look at the “Default MRM Policy” retention policy in your tenant, you’ll see it’s primarily Personal tags that your users would need to use (or likely just ignore). There are, however, a couple settings to be aware of:

To address these settings, you could create a new policy but that also means setting that policy for each mailbox now and in the future. The alternative is to edit the existing “Default MRM Policy” to meet your organization’s requirements by removing or changing the tags.

Additional information: Retention Tags and Retention Policies

2. Increase the Deleted Items Retention

There are two components to address here: First the existing mailboxes need to be addressed and then we should make this the default for any new mailboxes that are created in the future.

For existing mailboxes, you can run a command similar to below:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RetainDeletedItemsFor 30

For new mailboxes, the “RetainDeletedItemsFor” value is one of the few settings you can change in your tenant’s mailbox plan. To set this value as the default going forward, use the following:

Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor 30

There you go, you just doubled your recovery window for deleted items.

Additional information: Exchange Online users can’t keep messages for longer than 14 days in Office 365

3. Enable “End-User Spam Notifications”

In Exchange Online, users can access their spam quarantine via the URL: https://admin.protection.outlook.com/quarantine. If you want your users to receive email notifications, that needs to be configured in the service and is disabled by default.

The location of this setting is a bit hidden. If you navigate to the “Content Filter” tab within “Protection”, you’ll see a “Configure end-user spam notifications…” link on the right side. Once you find it, you basically check a single box to enable it and select a date interval (1 – 15 days) of how often you want the messages sent.

Additional information: Configure End-User Spam Notifications in Exchange Online

4. Set the Migration Endpoint Credentials

When running the HCW, you were asked for on-premises credentials and may have supplied your own. The credentials provided during the HCW are stored in the “Migration Endpoint” settings and are used by Exchange Online to migrate mailboxes. You may want these credentials to be non-expiring or to be a service account if you expect an extended cycle of mailbox migrations.

You can modify the endpoint using the “Set-MigrationEndpoint” cmdlet or by navigating to it in the portal. In the portal, you’ll find the endpoint by going to Recipients | Migration and then clicking the “…” and selecting “Migration Endpoints”. The account used needs to be a member of the “Recipient Management” group in the on-premises environment.

5. Enable Mailbox Audit Logging

Enabling audit logging can be simple as running the command below:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox –AuditEnabled $true

That said, take some time with this one to discuss the appropriate auditing strategy for your organization. If your organization has auditing needs then you’ll probably need to also look at using RBAC to grant people access to that data as well.

Additional information: Mailbox Audit Logging

Summary

• All of these tasks are executed fairly easily.
• The default Retention Policy assigned to mailboxes makes some assumptions that may not be appropriate for your organizations.
• The Deleted Item Retention can be doubled with two quick PowerShell commands.
• The option to notify a user of their quarantined items is available but disabled by default.
• Credentials for mailbox migrations are stored in the Migration Endpoint; migrations will fail if these are expired.
• Take the time discuss Mailbox Audit Logging with your security teams.

 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

Trying to stay on top all the changes in Office 365 can be a daunting task. In a previous article, “How to Stay Informed of Changes“, I described some of the methods that I use to try and stay informed.

One of those methods, the “Office 365 Roadmap“, seems to have been updated recently with a handful of new features planned. Ideally there would be an RSS feed or an update log for the page, it’s a bit of a treasure hunt when reviewing the roadmap.

Below are a few exciting new features that look to have recently appeared on the Office 365 Roadmap.

These features are all in the “In Development” phase on the roadmap. I’m fairly certain these are all recent additions but since there is no change log, I’m just going from memory. My focus is on the Exchange Online, Lync Online and infrastructure side of things so there are likely some SharePoint or OneDrive additions hidden in there as well.

Removing Deleted Items Retention Period

Public Folder eDiscovery & In-Place Hold

Drive Shipping and Network Based Data Import for Office 365

Increase Message Size limit to 50 MB

Exchange Transport Rule: Recipient Notification Action

Search

So When Will We See These Features?

Many of the limits within Exchange Online are values that your users are unlikely to exceed. Despite this, we occasionally see situations where a limit is exceeded in ways you might not expect.

As perhaps best illustrated by the fabled “640K ought to be enough for anybody” quote (falsely?) attributed to Bill Gates, the requirements of users changes over time. Fortunately, Office 365 has maintained pace in most cases by raising various limits.

I recently worked with a client that exceeded the default 30 GB “RecoverableItemsQuota” value set on their mailbox. As a result, meeting invites sent to the user were being returned as undeliverable to the senders.

What is the “RecoverableItemsQuota”?

How can you tell if you’re at risk of exceeding the limit?

Is 30 GB a limit we can expect to exceed?

How can we increase the limit in Exchange Online?

First, some background on “Recoverable Items”

The folder structure we’re talking about looks like this:

For mailboxes on holds such as “In-Place Hold” or “Litigation Hold”, the purge never occurs and the messages under hold continue to accumulate in the hidden “Purges” folder. Additionally, any changes to a message are retained through “copy on write” and stored in the hidden “Versions” folder within “Recoverable Items”.

What is the “RecoverableItemsQuota”?

How can you tell if you’re at risk of exceeding the limit?

Is 30 GB a limit we can expect to exceed?

How can we increase the limit in Exchange Online?

Fortunately, per the Office 365 Roadmap, Microsoft has begun increasing this quota to 100 GB for mailboxes that are on In-Place Hold or Litigation Hold. The feature is currently listed as “Launched” and I’ve started to see it appear in some but not all tenants.

When messages go wrong…

STOREDRV.Deliver.Exception:QuotaExceededException.MapiExceptionShutoffQuotaExceeded; Failed to process message due to a permanent exception with message Move/Copy messages failed.
Delivery has failed to these recipients or groups:

User, Test (Test.User@iwitl.com)
There's a problem with the recipient's mailbox. Please try resending the message. If the problem
continues, please contact your helpdesk.

The following organization rejected your message: BY1PR0101MB1142.prod.exchangelabs.com.

Diagnostic information for administrators:
Generating server: DM2PR0101MB1151.prod.exchangelabs.com

Test.User@iwitl.com
BY1PR0101MB1142.prod.exchangelabs.com
Remote Server returned
'554 5.2.0 STOREDRV.Deliver.Exception:QuotaExceededException.MapiExceptionShutoffQuotaExceeded;
Failed to process message due to a permanent exception with message Move/Copy messages failed.
[Stage: OnCreatedEvent][Agent: Meeting Message Processing Agent]'

This recipient, who was on Litigation Hold, had in fact exceeded the 30 GB “Recoverable Items” limit. A ticket was placed into Microsoft and the quota was raised to 100 GB.

Looking further into the mailbox, I found that it was the “Versions” folder where nearly all of the 30 GB resided. A deeper look into the folder and there were hundreds of the same meeting invite (with a sizable attachment) repeated over and over. The meetings all had the text:

Exchange 2013 re-created a meeting that was missing from your calendar

If you’ve been paying attention to some the issues with the iOS ActiveSync client, you’ll recognize this is currently one of the issues that creeps up from time to time. Additional documentation can be found in KB3015401. As best that I could tell, the meeting invite had some corruption issues, possibly as a result of a mobile device, and since the mailbox is on Litigation Hold, any changes to that entry are then saved in the “Versions” folder. There are a number of reasons why the invite might have been updated, some related to the attachment but in any case, it was an interesting issue.

Summary

• There is a flow to deleted messages that progress through various folders (some hidden) in the mailbox.
• The default quota for “Recoverable Items” in Exchange Online is 30 GB.
• PowerShell scripts can be used to report on the current size of a user’s “Recoverable Items”.
• A ticket can be opened with Microsoft to increase the "Recoverable Items" quota.
• The "Recoverable Items" quota is currently being increased to 100 GB for mailboxes on holds.
• Corruption of a message can cause a user’s “Recoverable Items” to inflate if the mailbox is on hold.

 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

Azure Active Directory Sync Services (AADSync) was made “generally available” in September 2014. While the old DirSync tool is still available (and actually still linked to in the portal), AADSync should be what you’re looking to deploy at this point. As we make this transition, there is a learning curve in trying to understand how to accomplish certain tasks in AADSync that you may have previously done in DirSync.

One of the configuration settings I often implement with DirSync is the creation of a filter to only synchronize attributes with a properly formatted UPN.

Below is how this filter can be implemented using the AADSync PowerShell module.

What Are We Filtering?

Although it’s outside of the scope of what we’re doing here, I also like to use one of the Exchange custom attributes to allow for ad-hoc filtering of miscellaneous accounts. The click-by-click process for that filter is defined in the “Inbound Filtering” section of the this article: AADSync: Configuring Filtering

Why Use PowerShell?

Creating The Filter

Import-Module ADSync

Next, we’ll want to determine the “Identifier” for our Active Directory connector:

Get-ADSyncConnector | FT Name, Identifier

The above environment has two Active Directory forests (lab4.iwitl.net and lab5.iwitl.net) configured in AADSync. We’ll setup the filter on the lab4.iwitl.net (bfd53bb7-8bde-4b13-8136-decb91e29d13) connector.

Now we create the filter for the connector:

New-ADSyncRule  `
-Name 'In from AD - User Filter by UPN' `
-Description 'Only sync users with company1.com and company2.com UPN suffixes' `
-Direction 'Inbound' `
-Precedence 50 `
-SourceObjectType 'user' `
-TargetObjectType 'person' `
-Connector 'bfd53bb7-8bde-4b13-8136-decb91e29d13' `
-LinkType 'Join' `
-SoftDeleteExpiryInterval 0 `
-ImmutableTag '' `
-OutVariable syncRule

Add-ADSyncAttributeFlowMapping  `
-SynchronizationRule $syncRule[0] `
-Source @('userPrincipalName') `
-Destination 'cloudFiltered' `
-FlowType 'Expression' `
-ValueMergeType 'Update' `
-Expression 'IIF((InStr(LCase([userPrincipalName]), "@company1.com") = 0 && InStr(LCase([userPrincipalName]), "@company2.com") = 0), True, NULL)' `
-OutVariable syncRule

Add-ADSyncRule -SynchronizationRule $syncRule[0]

With the above filter you’ll want to pay attention to the “precedence” and make sure it doesn’t conflict with any other filters you’ve created. Also important to note is that the “InStr” function appears to be case-sensitive thus the use of “LCase”. Additional documentation on the functions can be found at: Azure AD Sync Functions Reference.

Summary

• DirSync is being replaced by AADSync and should be used in new deployments.
• Understand what type of filtering is supported.
• Documentation on the AADSync PowerShell module is a bit non-existent at the moment.
• Using PowerShell to create your filters is repeatable and easier to document.
• Be sure to check out the AADSync “best practices for changing the default configuration“.

 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

In my post “How to Stay Informed of Changes“, I covered some of the different information sources I use to keep track of changes in Office 365. Something I’ve since added to that list is the version release history page for the Azure Active Directory PowerShell Module. The page has an RSS feed which you can add to Outlook or your favorite RSS reader to get notified of updates.

The Azure AD PowerShell Module is something that is easy to forget about. You likely installed it when you first started working with Office 365 and may not have touched it since then.

It still connects, so why bother updating?

Why Update?

Do I Need An Update?

Aside from the above warning, you can check your version against the version release page by running the following command:

(Get-Item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion

Running The Update

After the update, you should be able to connect to Azure AD without the friendly warning message.

Summary

• Watch the RSS feed on the version release page to get notified of updates.
• New Office 365 features may require new versions of the Azure AD PowerShell module.
• Updating takes only a few minutes.

 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

You would think that after working in technology for around 20 years, the “awe factor” would start to wear down. The fact is, I’m still amazed by some of the features that companies like Microsoft develop and how they manage to continuously push out great new functionality to their clients. With Office 365, it’s a continuous stream of features that either assists IT departments or provides added functionality for users with the end result of providing a better user experience through technology.

Today was another one of those “that just makes so much sense” moments where Microsoft was able to use the supporting infrastructure behind Office 365 to improve the user experience.

I’m referring to this email below that I received:

I assume using client logging information from our users, Microsoft was able to identify that a small batch of users are connected with an out-of-date version of Outlook. In the email communication, I was provided a list of the affected users and the potential symptoms they may be seeing.

So simple yet so helpful.

Now you could likely implement something similar in an on-premises Exchange environment. I’m sure someone has done it already and you might even find a script out on the Internet or a package you can purchase. This however, just popped in my inbox with no additional effort or costs based out of Microsoft’s desire to ensure a good user experience.

Well done Microsoft!
 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

The Office 365 Roadmap can be a bit of a treasure hunt at times. It’s great that Microsoft provides transparency into what is planned or in progress but figuring out when the roadmap has changed or what has changed on it can be a bit of a challenge.

I noticed that the roadmap was updated this weekend. In the update, a number of features were changed from “Launched” to “Previously Released” and there were a few additions that were basically informative (e.g. the planned rename of “Lync Online” to “Skype for Business Online”).

There was, however, one addition to the “In Development” section that stood out:

So it looks like two features that were previously only available to Azure AD Premium subscribers will eventually be made available to all subscribers.

A little more info on these two features…

Like all items on the roadmap, there’s no specific launch date and features tend to roll out over a period of time across tenants.

Keep watching the roadmap and hopefully these will transition to the “Rolling Out” section soon!
 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

Exchange Hybrid, when configured properly, can provide almost seamless coexistence between Exchange Online and your on-premises Exchange environment. Part of this concept is that while you technically have two separate Exchange organizations, the mail flow between these organizations appears “internal” so that a message from a cloud user looks no different than a message from an on-premises user.

As a consultant nearly 100% focused on Exchange Online migrations, I’ve come across a variety of situations where hybrid mail flow is not working properly. If you spend any time browsing the Office 365 Community Forums, you’ll see a number of posts on this same issue.

Even if the Hybrid Configuration Wizard completed successfully, it does not mean that hybrid mail flow is setup properly. In some cases, mail will actually be routing between organizations and it may seem like everything is working. A deeper look into the messages and you might find that while they are routing, they are not appearing as “internal”.

Below are some of the things to look for and how to resolve these hybrid mail flow issues.

The Configuration Basics

There are some differences in how the configuration is setup in Exchange 2010 versus Exchange 2013 which is why you’ll see some issues on one platform and not the other.

If you’ve modified the connectors created by the HCW in an attempt to “make things work”, there’s a good chance you’ll want to delete them and let the HCW recreate them so you can identify the true root cause of your mail flow problem.

But My Mail Is Routing… So It Must Be Working

It basically comes down to whether the messages between environments appear as “internal” or “external”. So just like a conference room is not going to accept a booking request from a random Internet user, it won’t accept a booking from your cloud user if that message appears as external.

The quick way to check is to look at a message received in each environment and check the message headers. If the header “X-MS-Exchange-Organization-AuthAs” says “Internal”, then all is well; if the header says “Anonymous”, you may have one of the issues below.

Issue #1: Incorrectly Configured Hybrid Routing Domain (Exchange 2010)

Issue #2: Not Preserving EOP Source IP (Exchange 2010)

Issue #3: Improperly Configured “Remote Domains” (Exchange 2013)

Issue #4: SSL Certificate Mismatch (Exchange 2013)

Issue #5: Use Of A Third-Party SMTP Gateway (Exchange 2010 / 2013)

https://technet.microsoft.com/en-us/library/jj659055(v=exchg.150).aspx

While you can leave your non-hybrid traffic routing through a third-party appliance, using it in the middle of your hybrid mail flow may cause messages to appear as external and is not supported.

Issue #6: Failing To Update EOP IP Addresses (Exchange 2010 / 2013)

Issue #7: Firewall Blocking STARTTLS Command (Exchange 2010 / 2013)

Microsoft has some notes on various firewall vendors and what they each call this feature: “Cannot send or receive e-mail messages behind a Cisco PIX or Cisco ASA firewall (KB320027)“.

Issue #8: Blacklisted IP Address (Exchange 2010 / 2013)

Summary

• Just because mail routes, doesn’t mean hybrid mail flow is working properly.
• Check the message headers of cross-premises messages to verify proper configuration.
• Exchange 2010 and Exchange 2013 have different configurations for hybrid mail flow.
• Attempts to create “workarounds” to issues may succeed in routing mail but may break hybrid mail flow.

 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

Address Lists are a way to create an additional “view” within the Global Address List (GAL) based on a set of mailboxes attributes.

As an example, perhaps you want to create a view for everyone with the “Office” of “Headquarters”. This new Address List would appear as an additional dropdown in both Outlook and OWA. Address Lists are also part of Address Book Policies (ABPs) should you want to have actual segmentation of your GAL.

However, with Exchange Online, there is a small issue with Address Lists that can make them challenging to work with.

The Issue

When I first experienced this issue, I ran across a blog post by the Exchange Team with the entertaining suggestion to “tickle” the mailbox. Yes, “tickle”.

For the purposes of this article, we’ll use this completely unofficial definition that I’ve made up:

Try to stay with me through the rest of this ridiculousness, I promise not to mention a certain furry red Sesame Street character…

Time to “Tickle”

So to “tickle” a mailbox would mean doing the following:

• Finding an attribute that could be changed (e.g. an extension attribute)
• Change the attribute for all mail objects
• Initiate a directory sync
• Change the attribute back for all mail objects
• Initiate a directory sync

After all this, your Address List would now show the proper members.

Microsoft eventually released a KB article (KB2955640) that describes the above process (minus any reference of “tickling”).

A Better Way…

While most attributes are authored from your on-premises Active Directory, there are a few that can be written directly in the cloud. If we “tickled” the mailbox with one of these attributes, it would remove the directory sync requirement.

Of the list of attributes that can be written directly in the cloud, I wanted to make sure it would be relatively non-impactful if something went wrong. It’s probably not a good idea to play with any of the litigation hold attributes as it would be difficult to explain all this “tickling” as part of conversations with your corporate legal.

The value I settled on was “SimpleDisplayName”. This attribute exists on mailboxes, mail users and distribution groups; in most cases this attribute will have a null value. It also seems to have an interesting behavior in that just setting it to its original value still seems to trigger an update.

So in the interest of continuing this “tickling” silliness, I have put together a quick “Tickle-MailRecipients” script. Running this script in Exchange Online will take the existing “SimpleDisplayName” value for all mailboxes, mail users and distribution groups and write it back to the object, thus forcing an update of any Address Lists.

More Info

Script

Summary

• Address Lists can be a useful way to provide additional filtered views of the GAL.
• In Exchange Online, Address Lists have the unexpected behavior of not populating at creation.
• Lack of an “Update-AddressList” cmdlet means objects need to be “tickled”.
• The “SimpleDisplayName” attribute is not synchronized from on-premises AD and is authored in the cloud.
• A form of the word “tickle” has been used 12 times in this article. …well, now 13.

 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

Back in April of 2014, Microsoft announced a feature called “Alternate Login ID” (sometimes referred to as “Alternative Login ID”). The idea was that instead of changing the UPNs in your on-premises Active Directory, you could use a different value to authenticate to Office 365 and sync that value to the cloud as your login.

At the time of release, I wrote an article (“Office 365 – Configuring AD FS & DirSync with an Alternate Login“) that covered the necessary configuration to use Alternate Login ID. It seemed like a very viable option for organizations that had dependencies on their current UPNs and would not be able to easily change their UPNs. In the past 10 months, that article has been one of the more popular articles that I’ve written so I wanted to follow it up with an update based on information that we now know today.

The Previous 10 Months…

What We Know Today

Fast forward to February 2015 and Microsoft has now added the following text to the wiki page for Alternate Login ID:

This update was made on February 17th, the previous version of the article just gave a warning about Autodiscover in Exchange hybrid under the “may impact various other Azure AD and Office 365 scenarios” section. The same information was added at some point to the TechNet page for this feature: Configuring Alternate Login ID.

The language seems a bit stronger now saying that the feature is not compatible.

Issues We’re Aware Of

In addition to the above known issues, it would be reasonable to have concerns about future compatibility with features like the upcoming authentication change to Active Directory Authentication Library (ADAL).

Concerns with AADSync

Today, we have the new AADSync tool which is replacing DirSync. This tool provides a, perhaps too easy way, to enable Alternate Login ID during installation. It’s very likely that someone installing AADSync wouldn’t necessarily know that they were enabling this feature based on how the configuration options are presented.

During installation, you are asked what you would like the “userPrincipalName” in the cloud to be matched to in your on-premises Active Directory. Should you change this value from the default to something like “mail”, you are now using Alternate Login ID from a Directory Synchronization perspective (although you still need to configure AD FS).

The “Learn more about user matching” link in the installer doesn’t provide much additional guidance, it takes you to a page that says:

No warning, however, of any potential limitations to come…

Summary

• Alternative Login ID allows you to use a value other than the on-premises UPN to authenticate to Office 365.
• The feature should be used when you “can’t change UPNs”, not when you “don’t want to”.
• There are a list of known “limitations” with using Alternative Login ID that you should be aware of should you decide to implement it.
• AADSync provides an easy way to implement Alternate Login ID, possibly without the installer knowing they are doing so.

 
Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

It’s been about six months since “Azure AD Sync” (often called “AADSync”) was made generally available with the intended purpose to replace the previous DirSync tool. In addition to an overhaul under the hood, AADSync brought with it new features such as support for multiple Active Directory forests.

If you’re configuring Directory Synchronization for the first time, it is recommended to use AADSync instead of DirSync. If you have an existing DirSync environment, you might find that AADSync fills some requirements that DirSync does not.

Below are 10 quick little tidbits you might not have known about Azure AD Sync.

What’s in a Name?

Upgrading from DirSync / FIM

Forcing a Synchronization

To force a sync, navigate to “C:\Program Files\Microsoft Azure AD Sync\Bin” and run:

Not sure of the logic here, hopefully this is changed at some point and this is moved back into PowerShell.

Undocumented PowerShell Module

Forcing a Password Sync

You can sync password by using the PowerShell module and these instructions: How to Use PowerShell to Trigger a Full Password Sync in Azure AD Sync

Sync Rules Editor

When to Use Full SQL

Skipping the Initial Sync

Service Account Permissions

Azure Active Directory Connect

For the past year, we’ve heard Satya Nadella’s “cloud-first, mobile-first” vision from Microsoft. Some joke that they both can’t be “first” but let’s just call it priority “1A” and “1B”.

I see it every day in Office 365. Exchange Online has nearly a bi-weekly addition of features while the on-premises version lags behind. It makes sense too that at some point, Microsoft will have to decide that “feature X” will go into the next version of Exchange as there needs to be some incentive to purchase the next version. Meanwhile, the “evergreen” service of Exchange Online continues to receive updates.

In the past 24 hours, two examples popped up demonstrating this priority.

Example #1

On Monday evening, a conversation popped up in the “Office 365 Network” on Yammer with essentially some complaints about Microsoft sending communications to Exchange Online users about Clutter. Within 24 hours, a Program Manager from Microsoft was responding to the questions and dialog continued, explaining some of the rational behind the behavior. A couple hours later, a feature announcement was released describing new admin functionality for Clutter: “Making Clutter in Office 365 even better“.

Now maybe the timing was just right as Microsoft obviously had been planning the admin features and it was even a roadmap item. Regardless, the access to the Office 365 team via Yammer and their prompt response is unprecedented in my opinion, nothing I’ve seen from any on-premises products. When you watch the Yammer conversations, you really get the sense that Microsoft is listening. If your organization uses Office 365, you should definitely be hooked into the Office 365 Network on Yammer.

Example #2

The release date for this functionality in Office 365 was stated as “now” or “very soon”. For on-premises Exchange 2013, it will come as part of CU9.

Microsoft has a release cadence of approximately 3-4 cumulative updates (CUs) per year. The current release of Exchange 2013 is CU7 with CU8 probably arriving in the next month or two which puts CU9 probably 6 months or more away. Then you have the usual delays before on-premises customers test and deploy the latest cumulative update (since we’ve all been burned before by being early adopters) and realistically most organizations aren’t running CU9 for probably 7-8 months.

So that’s your delta right now, about 7-8 months and by that point, we’ll have moved on and started talking about the next version of Exchange.

Summary

Configuring Exchange hybrid prior to the Hybrid Configuration Wizard (HCW) is just a distant memory at this point. The process that was a painfully long configuration was greatly simplified with the release of the HCW with SP2 for Exchange 2010 back in May 2011.

As much as the HCW has made my job easier, I’m always a bit hesitant about black box processes. Since an early age, I’ve always been one that needed to know how things work under the hood.

So what does the wizard do?

What does it change?

What is the impact?

If you submitted a change control request stating that you’re going to “run the hybrid wizard”, you’re probably being asked these same questions.

For those that are implementing Exchange hybrid on a regular basis, what the wizard does should not be a mystery at this point. If you’re new to Exchange hybrid, I’ve outlined below the individual commands run by the wizard and areas where there might be potential risk.

My Process

This was done on an Exchange 2010 SP3 UR8 server, it’s possible that the HCW changes with updates and it has slightly changed over the years.

Six Stages

• Check Prerequisites
  
• Configure Legacy Exchange Support
  
• Configure Recipient Settings
  
• Creating Organization Relationships
  
• Configuring Organization Relationship Settings
  
• Configure Mail Flow

Stage 1: Check Prerequisites

Stage 2: Configure Legacy Exchange Support

The command below is executed in the on-premises environment to create a folder in the Public Folder hierarchy called “OU=EXTERNAL (FYDIBOHF25SPDLT)”. This folder is used for sharing of free/busy information cross-premises when you have Exchange 2003 in the environment.

Stage 3: Configure Recipient Settings

First, the “coexistence domain” (tenant.mail.onmicrosoft.com) is setup as a remote domain and an accepted domain in the on-premises environment.

The coexistence domain is then added to the email addresses policies that contain the SMTP domains selected in the wizard and those email address policies are applied.

Stage 4: Creating Organization Relationships

These are run on-premises:

These are run in the tenant:

Stage 5: Configuring Organization Relationship Settings

These are run on-premises:

These are run in the tenant:

Stage 6: Configure Mail Flow

The commands below are run on-premises. A send connector called “Outbound to Office 365″ is created it send messages with your coexistence domain (tenant.mail.onmicrosoft.com) to EOP using TLS. A receive connector is created that is restricted to the source IPs for EOP. The remote domain for your coexistence domain is then configured so that the appropriate out-of-office (OOF) is sent cross-premises.

The commands below are run in the tenant. The remote domains in the cloud configured similar to the on-premises domains and then the hybrid mail flow is set. The “-CentralizedTransportEnabled” parameter here is dependent upon the option you selected during the wizard. When this is “True”, this means that messages from cloud users to the Internet are sent back on-premises as opposed to being sent direct from EOP to the Internet recipient.

What About Exchange 2013?

On Wednesday, Microsoft announced a new Office 365 mobile app called “Send“. The idea behind the app is to be able to send quick and simple messages to other users via email.

The first question that came to mind was, “What problem is this app trying to solve?” My phone can already send emails, IMs and text messages, did we really need another option?

My thoughts then shifted to “How does this work?”, “What kind of security options are there?” and other questions that clients are bound to ask.

In the interest of peeking behind the scenes, I ran the app through Fiddler to see what the traffic looked like. Some thoughts based on the results are below…

Getting The App

At the initial release, the app is only available on iOS and in the US and Canada. This will obviously change in the future although it’s a bit interesting to see how iOS seems to receive some of the first releases from Microsoft these days. Finding the app in the Apple App Store is a bit tricky, it’s listed under “Send, a Microsoft Garage Project“.

If you look for other “Microsoft Garage” apps, you’ll notice they have another interesting app called “Tossup” which looks to be for sending surveys to friends on where to go to for lunch, etc.

Logging In (and Out?)

The process to login to the app is pretty much the same as most Office 365 applications. I was able to easily login to the application via my organization’s AD FS. When I went to look at how to logout, I found out there isn’t a way. In the FAQ you’ll find that you basically need to uninstall the application to logout.

Sending a Message

Sending messages is certainly quick and simple, it’s a very similar look and feel to sending a text. If the user has the “Send” app, the message will pop up in the app, otherwise the recipient will just receive the message in their mailbox. The messages are sent via your Office 365 mailbox and will show up in your “Sent Items”. Since these messages are going out your Exchange Online environment, they’ll flow through any DLP or other filtering you’re performing on SMTP traffic.

Receiving Messages

Even when you have the “Send” app installed, the messages arrive in your mailbox in addition to appearing in the app; the messages all have “#Send” in the subject line. The duplicate alerts quickly get annoying so I made a folder called “#Send History” and setup a rule in Outlook to move messages there based on that subject.

The “#Send” subject appears to be important to the app and what causes messages to pop up in the application. I was able to compose a new message with that subject line and it popped up in the recipient’s app.

The Network Trace

I configured my iPhone to run through Fiddler with SSL decryption and setup the app.

The authentication appears to use OAuth and then the rest of the app communication is connecting via an API as opposed to directly using Exchange Web Services (EWS) or ActiveSync. The API communication is all to the host “flow-prod-api.outlookapps.com” and does not appear to be the APIs that I’ve seen published. That said, I’m by no means a developer and will probably need to have some other eyes take a look at the requests.

The “flow” name in the above hostname seems to indicate this is “Microsoft Flow” app that had information leaked back in May.

Securing Access

While the Microsoft approach seems to be allowing users to access their email from any device and any location, I have some clients that take a significantly more restrictive stance. Certainly we will be asked by clients to block access to this application and the method in which that will be done is still TBD.

Update: Exchange Server MVP Paul Cunningham found that the host application is connecting to Exchange Online via EWS and it can be blocked by using the “MicrosoftSend/*” string. Apparently when you block the app, it makes Microsoft sad.

So Do We Need This?

In the short time the app has been out, it’s amazing that people seem to be on one extreme or another with it. Some of my clients and coworkers love it right out of the gate, others think it’s an overlap of multiple existing technologies and there is no need for it.

I can see certain situations where the app could be useful. It’s definitely a bit beta but I imagine that’s to be expected out of the “Microsoft Garage”. A logout option would be nice and it doesn’t seem like you can add additional people to a group conversation that you have going.

More Info to Come

The above is all pretty early observations, more info is surely to come. Microsoft has setup a group in Yammer for the application and there is a “YamJam” scheduled on July 28th at 9:00 AM PST.

Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

Looking to do some more reading on Office 365?

Catch up on my past articles here: Joe Palarchio.

A topic that seems to be surrounded with much confusion in Exchange Online is the concept of “Retention Policies”. While the feature itself is not new to Exchange, for many organizations it seems that establishing their first email retention strategy is coupled with their migration to the cloud.

Even for organizations that have a well established email retention strategy, the move to the cloud changes many of the factors that may have contributed to the policy and it’s worth reevaluating.

Below are some of the commonly misunderstood functions of Retention Policies and some of the pitfalls I’ve seen in unsuccessful attempts to establish an email retention strategy.

What Retention Policies Are

Perhaps a result of the name itself, there often seems to be confusion about what retention policies even are. Part of the confusion is that a legal definition of “retention policy” probably doesn’t exactly equate to the functionality of the Exchange feature. If a client previously had a third-party system in place for “email retention”, it can add to the confusion.

The most simple definition that I provide to clients is: “Retention Policies define the maximum amount of time that an email is kept but with no guarantee that it will be kept that long.” You can see how this definition might differ from other types of retention policies or strategies in an organization. If you’re developing an “employee retention strategy”, the goal of that strategy is not to create a timeline for when you’re getting rid of your employees.

A more detailed explanation of Retention Policies would include that they are comprised of “Retention Tags” and tags can have different types actions and functionality. For more information, TechNet has a pretty good article on the topic: Retention Tags and Retention Policies.

What Retention Policies Are Not

Working with the above “simple definition”, we now know there is no guarantee that an email will be kept the length of time specified in the Retention Policy. This is evident when you look at the tags in the Retention Policy, you’ll see an action like “Delete After 7 Years”. So while the email will be deleted after 7 years by the system, it could also be deleted by the user after 7 days.

So Retention Policies really don’t actually “retain” anything, instead they actually remove data. If you’re looking to keep emails for a minimum period of time, regardless of user action, the feature you want is either “Litigation Hold” or “In-Place Hold”. If your corporate policy is to keep emails for 7 years (no more, no less), then a combination of Retention Policies with Litigation Hold or In-Place Hold can help you achieve this.

So How About “Retention Hold”?

The feature “Retention Hold” has a name made of two words that might make you think you’re keeping emails. While it’s sort of true, it might not be how you expect.

Basically the Retention Hold feature is designed to put your Retention Policy on “pause” for a mailbox. So if the user is gone for an extended period of time, your Retention Policy isn’t going in and clearing out emails before they were even seen. Again, it doesn’t stop a user from deleting emails because Retention Policies don’t actually retain emails.

Key Concepts To Know About Retention Policies

• Retention Policies do not prohibit a user from removing the email message from his/her mailbox.
  
• Every mailbox in Exchange Online is assigned a Retention Policy.
  
• The Default Retention Policy in Exchange Online includes a tag that will move emails to the archive mailbox (if enabled) after two years.
  
• When a Retention Policy is applied to a mailbox, it also applies to the online archive mailbox (if it exists).
  
• Retention Policies are processed by a scheduled task that runs every 7 days. This means emails could be kept up to 7 days past the expiration period.
  
• If a mailbox is less than 10 MB, it is not processed by the scheduled task and thus the Retention Policy does not apply unless you manually run the task (KB2627729).

Common Pitfalls

Armed with the above knowledge, you’ll avoid much of the confusion around Retention Policies. That said, there are a few more areas worthy of discussion.

The Corporate Retention Policy You Can’t Implement
The most common issue I see is when a corporate retention policy is handed down by a legal department with no input on the technical capabilities of Exchange. A policy will be written and approved that says something like “emails cannot be kept in the Inbox” or “email cannot be kept on the system” for period of time. Then we dive into lengthy discussions around what exactly is the “Inbox” or “system”. Is it the folder called “Inbox” within a mailbox or are we talking about the entire mailbox itself. If it’s just the Inbox folder, what are we really accomplishing from a legal standpoint if a user can keep the email somewhere else within the same mailbox? In short, make sure your messaging administrators have some input into your corporate retention policy.

“Because We’ve Always Done It That Way…”
The next mistake is trying to carryover existing procedures to the cloud without reevaluating them. Some pretty important aspects change when you move to the cloud, top on that list is that you’re really not paying for storage anymore. Okay, you’re paying for it but your Office 365 mailbox costs are the same whether your mailbox is 50 MB or 50 GB. In the on-premises world, storage is relatively expensive so in some instances a corporate retention policy started with disk space in mind and not necessary legal. So while there is something to be said for maintaining a “tidy” mailbox, you need to be reasonable or your users will engineer their own solutions. Any time I work with a company that has an aggressive retention policy or terribly small mailbox quotas, I also find that they have GBs if not TBs of PSTs scattered across their network.

Bundled with the above, some organizations previously tried to keep the primary mailbox size small so that the OST created locally by Outlook was manageable. So they deleted emails after X number of days or moved them into the online archive mailbox which was not cached. Starting with Outlook 2013, we no longer cache the entire mailbox which should eliminate the need for this practice. While you’re at it, consider whether you even need to use the online archive anymore: “Is the Archive Mailbox Still Relevant?”

Summary

• Understand what Retention Policies are and aren’t
  
• Retention Policies on their own won’t stop a user from deleting an email
  
• Use “Litigation Hold” or “In-Place Hold” in combination with Retention Policies if necessary
  
• Develop a corporate retention policy that makes sense from a legal and technical standpoint
  
• When moving to the cloud, take the time to reevaluate the intent around your corporate retention policy

Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

Looking to do some more reading on Office 365?

Catch up on my past articles here: Joe Palarchio.

If you’re an administrator for Office 365, you’re likely very familiar with the fact that while some tasks can be performed in the portal, many need to be done via PowerShell. If you’ve managed to get this far in your IT life without using PowerShell, Office 365 is going to force you to learn it.

Even those that are savvy with PowerShell at times still do things in what I would consider a less than efficient manner. I’ve watched countless admins paste commands into the PowerShell window in order to connect to Office 365. They open up their OneNote or a Notepad file on the desktop every time they want to connect to Exchange Online and paste in the string of commands.

Below is an easier and more efficient way…

The first thing to note is that when connecting to Office 365 via PowerShell, you’re connecting to each workload individually. So Azure AD, Exchange Online, Skype for Business Online and SharePoint Online all have different commands used to connect to them. You can connect to all of them or you can connect to an individual workload.

What I like to do is add functions to my PowerShell profile for connecting to the workloads. I create a function for each workload and then one to load them all; I do, however, connect to Azure AD with each workload.

Prerequisites

First you will need to download and install each of the following and then reboot:

• PowerShell 3.0 or higher (link)
  
• Microsoft Online Services Sign-in Assistant (link)
  
• Azure Active Directory Module for Windows PowerShell (link)
  
• Skype for Business Online Windows PowerShell Module (link)
  
• SharePoint Online Management Shell (link)

Creating The Functions

Launch a PowerShell console as an admin and enter the following:

notepad $profile

Now paste the following into the Notepad window and save:

function Connect-AzureAD
{
  if(-not(Get-Module -name MSOnline)) {Import-Module MSOnline}

  Write-Host "Connecting to Azure AD..."

  $global:Cred = $host.ui.PromptForCredential("Office 365 Admin Credentials", "Please Enter Your Office 365 Admin Account & Password","","")

  Connect-MsolService -Credential $global:Cred

  $host.ui.RawUI.WindowTitle = "Connected to Office 365 as: " + $cred.username

  Write-Host ""
}

function Connect-ExchangeOnline
{
  if(-not($Cred)) {Connect-AzureAD}

  Write-Host "Connecting to Exchange Online..."

  $global:SessionEXO = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $global:Cred -Authentication Basic -AllowRedirection
   
  Import-PSSession $global:SessionEXO | Out-Null

  Write-Host ""
}

function Connect-SkypeOnline
{
  if(-not($Cred)) {Connect-AzureAD}

  Write-Host "Connecting to Skype for Business Online..."

  if(-not(Get-Module -name LyncOnlineConnector)) {Import-Module LyncOnlineConnector}

  $global:SessionSFB = New-CsOnlineSession -Credential $global:Cred

  Import-PSSession $global:SessionSFB | Out-Null

  Write-Host ""
}

function Connect-SharePointOnline
{
  if(-not($Cred)) {Connect-AzureAD}

  Write-Host "Connecting to SharePoint Online..."

  if(-not(Get-Module -name Microsoft.Online.Sharepoint.PowerShell)) {Import-Module Microsoft.Online.Sharepoint.PowerShell}

  if ($cred.username -like "*.onmicrosoft.com") {
    $Tenant = ($cred.username.Substring($cred.username.IndexOf("@") + 1)).Replace(".onmicrosoft.com","")
  }
  else {
    $Tenant = Read-Host -Prompt 'Enter the Tenant Name (i.e. Enter "contoso" for "contoso.onmicrosoft.com")'
  }

  Connect-SPOService -url https://$Tenant-admin.sharepoint.com -Credential $global:Cred

  Write-Host ""
}

function Connect-O365
{
  Connect-AzureAD
  Connect-ExchangeOnline
  Connect-SkypeOnline
  Connect-SharePointOnline
}

Using The Functions

Now when you launch PowerShell, you can run any of the following functions:

Connect-AzureAD
Connect-ExchangeOnline
Connect-SkypeOnline
Connect-SharePointOnline
Connect-O365

The “Connect-O365” function will connect to all workloads whereas the others will connect to an individual workload plus Azure AD.

So there you go, no more copy and paste. It’ll take you about 10 minutes to setup and then you’re probably saving a minute for each of the thousands of times you connect in the future.

What Else?

If you’re looking for more PowerShell tips and tricks related to Office 365, make sure you check out the site that Microsoft recently released: http://powershell.office.com/


Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

Looking to do some more reading on Office 365?

Catch up on my past articles here: Joe Palarchio.

Office ProPlus has done a great job of getting many organizations in a position where they’re running a fully patched and current version of Microsoft Office. It’s a component of Office 365 that really brings great value to organizations that previously didn’t have a solid deployment or patching process for Office.

Quick Aside: If you’re still running Office 2010, mainstream support is up in October…

While the current version of ProPlus is essentially Office 2013, there will come a time when Office ProPlus upgrades to Office 2016.

In the article below I’ll outline some of the reasons you’ll want to take some caution with this upgrade.

This week, Microsoft posted the following announcement in the Office 365 Message Center:

Included in the announcement is this article outlining some of what is to come in the pending upgrade: Prepare to update Office 365 ProPlus to the Office 2016 version

The Good: Update Branches

The Good: Familiar User Interface

Watch For: Incompatibilities with Project / Visio

In the recent Microsoft article, it contains the following note:

 
As you can imagine, losing their Project or Visio installation could create some unhappy users if you don’t prepare for this change.

Update: As pointed out in the comments below, this incompatibility between MSI and C2R installations appears to be limited to products of the same version (2013 / 2016). It appears that running the MSI installation of Visio 2013 and Project 2013 may be supported with Office 2016 C2R. The above quote about removal of Visio and Project is referencing the 2013 C2R versions of those products, not the MSI-installed versions.

Watch For: Add-In Incompatibilities

Even Microsoft is guilty of this with their “Mail Protection Reports for Office 365” spreadsheet. Trying to install the add-in on Office 2016 results in the following failure as it can’t find Excel 2013.

Watch For: Current Update Process

Summary

Just a quick FYI in this post…

Exchange Online allows for a fair amount of customization however there are still a few items here and there that can be done in on-premises Exchange but not in the cloud.

Recently, I’ve had a couple clients interested in blocking their users from using Outlook or a specific version of Outlook. In on-premises Exchange, the “Set-CASMailbox” cmdlet has a parameter called “MAPIBlockOutlookVersions” that can be used to achieve this; unfortunately, Exchange Online does not have this parameter.

The next thought was that the “MAPIEnabled” parameter could be used to block Outlook; this setting is actually what is set on users with an Office 365 “Kiosk” license which does not allow for connectivity via Outlook.

While “MAPIEnabled” does in fact block Outlook, it also causes some unexpected changes to Autodiscover…

Disabling MAPI, in both on-premises and the cloud, changes the Autodiscover response for the mailbox. While Autodiscover will still complete successfully with MAPI disabled, you’ll notice that the EWS URL for the mailbox is not returned in the XML response.

As a result, applications trying to use Autodiscover and EWS may fail on mailboxes with MAPI disabled unless the EWS URL is somehow hard-coded in the application. It would not be uncommon for an application to try and use EWS via Autodiscover, applications such as Cisco Unity Connection and BlackBerry Business Cloud Services (BBCS) both do this.

You can confirm the missing EWS URL via the Microsoft Remote Connectivity Analyzer. When running the Exchange Web Services test, you’ll receive the following response:

 
Just an FYI should you decide that disabling MAPI is a setting you choose to implement.

Did you find this article helpful?

Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

Looking to do some more reading on Office 365?

Catch up on my past articles here: Joe Palarchio.