Users Managing Email Groups and Exchange Online

For a very long time, users have been able to manage email group members via the Outlook client. Going into the Address Book, finding the group in the Global Address list, going into Properties and choosing ‘Modify Members’:

From there, someone can add or remove members as long as they’d been added to the “Managed By” field against the object in Active Directory, as well as ticking the box “Manager can update membership list” below it.

Easy! Except, that no longer works if the user is in Exchange Online, and the Email Group is from on-premises AD rather than Azure AD/Office 365. It’s not supported. This problem has been around for a while, back in 2015 Perficent wrote about this same topic. The options given for managing these groups are:

  • Exchange Admin Center
  • Exchange Management Console
  • Exchange Management Shell

None of those are what you want your standard users touching in my opinion – although you can give someone access to the Exchange Admin Center and only see the distribution groups they own – but for me, I’m still on Exchange 2010 so this isn’t an option.  This leaves you with a few options:

1. Change all your email groups to Cloud based groups. If this makes sense for you, doing this will let the manager of a cloud based group add/remove members via the Outlook Address Book.
You can also look at changing distribution groups over to Office 365 Groups (which are also cloud based), which give a whole bunch of different features beyond a what a distribution group can do, while giving the same standard DG experience.

2. Make all requests come through to IT so you can make the changes yourself. Not great for anyone involved, as it’s double/triple handling something where the user could quickly do it themselves.

3. Create Dynamic Distribution Groups and let automation do it’s thing – which will work for some, but exceptions to rules and the inability to see who’s in a group can make this frustrating for some.

4. Provide another way for staff to change group members themselves.

I’ve gone with option 4 – as I’m a big fan of Adaxes which I’ve written about a few times on my blog before, and they have a nice way of giving users a web interface that only lets staff manage the groups they’re the owner of.

There’s other ways to do this as well of course and other 3rd party solutions that can expose ways of adding/removing members of a on-premises distribution group – but remember there could be up to a half hour delay in syncing the change from AD to AAD via Azure AD Connect. If possible, look at adding a trigger at the end of a group change to do a delta sync:

Start-ADSyncSyncCycle -PolicyType Delta

That’ll be the quickest way to get the change up quickly, as staff may be used to the change working immediately.

There’s a lot to consider on how you’ll manage this, so make sure it’s sorted before you migrate – or expect a lot more tickets going through your helpdesk.

Migrate a Single Mailbox Out of a Exchange Online Migration Batch

A few posts on this since it’s what I’m working on :)

It is possible to sync all your mailboxes from Exchange On-Prem to Exchange Online as a single batch, and then complete individual items – but it’s not obvious that this is even possible.

Normally if you start a migration, you can choose multiple mailboxes or use a CSV file to specify which accounts to start migrating – while specifying the option to manually complete the batch, so the actual migration happens when you want it to:

The problem is, once you’ve fixed any problems that arise and mailboxes are in a ‘synced’ state, there’s no visible way to complete a single mailbox – just the whole batch. That may not be what you want to do. You could work out a way to create a separate batch for every single mailbox you’re migrating, but there’s also a way to complete one mailbox at a time.

In PowerShell, once you’ve connected to Exchange Online, you can run the a command to see all the mailboxes syncing, and their status:

Get-MoveRequest

If a mailbox is ready to be finalised, it should have the status of ‘Synced’. This is different to the status of ‘Completed’, which occurs once the mailbox has been fully migrated across.

To trigger the completion of a single mailbox in a batch, use this PowerShell command:

Set-MoveRequest -Identity “mailbox name” -CompleteAfter 1

The mailbox will then do it’s final syncing and complete, without affecting the other jobs in the same batch. The -CompleteAfter parameter is supposed to set the delay before the request is completed in date/time format, but using the value ‘1’ seems to immediately trigger this.

Now you can do a single batch job, and selectively complete mailboxes as you choose – easy! 

(Note that there was an old method of doing the above by setting the variable SuspendWhenReadytoComplete to $false which no longer works)

Exchange Online Mail Enabled Security Groups

One of the things I’ve found out while migrating to Exchange Online was around access to shared mailboxes, and having to alter my methods slightly.

For Exchange On-Prem (Exchange 2010), whenever I created a shared mailbox I would control access with a security group. If the mailbox was called “Finance”, then I’d have an Active Directory Security Group called “Finance Mailbox Full Access” and give that group full access to the mailbox. Then, I’d add the staff that needed access to that group – meaning it was easier to track and manage who had access to what, particularly with nested group support so I could add a whole department in.

The extra win on this approach was around applying logic to the groups. When someone joined or left Finance, the user management process would ensure the user was added to a group for Finance. That would then feed into all the access that Finance were granted through the groups that single group was inside – and it works great. 

The good news is that this is still possible going to Exchange Online, my nested and automated systems can continue to work. However, some changes were required to make this work.

Firstly, any security group that is going to be added to an Exchange Online mailbox for access must be mail enabled. This goes against my personal best practice as I liked complete seperation of security groups and email groups, because I didn’t want to deal with scenarios where ‘All Finance need this resource, but I don’t want them to get the emails about the same resource’. Still, having a descriptive security group name should avoid that happening. 

This leads to another catch – to mail enable a security group, it has to be ‘universal’. In turn, that means every other group that those groups are inside also need to be universal.

For me this was easy, since all my security groups were cleanly in a single OU, and there was no impact to me on changing them to universal (check this for yourself though!)

Get-ADGroup -SearchBase 
“ou=Security Groups,ou=ABC,dc=com” | Set-ADGroup -GroupScope DomainLocal

After that, ,ail enabling an existing security group is easy with the PowerShell command:

Enable-DistributionGroup

I was actually able to mail enable all my Security Groups that granted mailbox access at once, by getting all the groups and filtering them down to only ones that contained the word ‘Mailbox’

Get-Group -resultsize unlimited | where {$_.name -like “mailbox“} | Enable-DistributionGroup

You’ll also need to mail enable any groups inside the groups, and you should be able to work this out based on the above commands.

Keep in mind you’ll probably want to hide all these groups from the address book so users can’t see them – in Exchange 2010 the GUI lets you mass select and change this option, but it’s also easy to do from PowerShell (but you’d need to 


Get-Group -resultsize unlimited | where {$_.name -like “mailbox“}| Set-DistributionGroup –HiddenFromAddressListsEnabled:$true

Note that if you use PowerShell to give a non mail-enabled Security Group access to a mailbox, it will appear in the Exchange admin center, but it won’t work. As far as EAC knows, it has no members because it’s not mail enabled. I found this out the hard way!

Conditional Access Makes MFA Migration Easier

Microsoft Azure’s Conditional Access is a really great way to get a company using Multi-Factor Authentication. The old argument of not wanting MFA to get in the way of logins constantly goes away with this solution, because it lets you set the rules and scenarios where MFA will and won’t trigger.

To be more accurate, the access controls that Conditional Access can use lets you use more than just MFA to log in (username/password/token style). You can set the rules so a trusted device negates the need for MFA.

This isn’t new anymore either. Here’s a video from Microsoft back in March 2017 talking about how all this works:

What this means is that someone with a username and password on a device that is either InTune enrolled, or set up for Azure AD Hybrid is trustworthy enough. Of course this is less secure than asking for MFA every time, but do you really need to do that when someone is using their work laptop?

Another condition to choose from is ‘Locations’. You can decide that MFA won’t kick in if the login is coming from inside your corporate network. You can also target different applications with different rules that stack – so maybe the payroll system will always ask for MFA, but a less sensitive one will only ask when not on a managed device.

Security wise, there’s also a ‘Sign-in Risk‘ option where each authentication attempt is evaluated and given a risk ranking, and access can be granted or blocked based on the results. Note that this one needs Azure AD Premium P2 which isn’t part of the Microsoft 365 E3 subscription – E5 or separate licensing is required.

Because Conditional Access works like a bunch of Outlook rules, you can slowly build up and adjust what kicks in when. It’s really easy to do, and there’s really no excuse (once you have licensing!) to stop you setting it up ready to demo to staff. 

Combine Conditional Access with Azure AD App Proxy where you can externalise any internal web based app, while forcing auth on it and you’ve got an easy way of enabling workers to do their jobs remotely, while being happy about the security around it – and NOT just poking a hole in a firewall, exposing your IIS box to the world.

Lenovo 500 Multimedia Controller Review

Thanks to Lenovo, I’ve been given an interesting new gadget to review – the Lenovo 500 Multimedia Controller. It’s a compact sized wireless keyboard, designed for usage from a couch.

For a long time, I’ve used a computer plugged into the main loungeroom TV for a variety of things – watching TV shows and movies via local copies of content on Kodi, streaming services like Netflix and YouTube, as well as general web browsing.

The sticking point on doing all of this from a couch rather than a desk, is how to drive it all. I’ve tried a fairly vast array of devices:

  • A standard wireless keyboard and mouse, an ‘air mouse’ – too clunky and no nice flat surface to use the mouse on.
  • An ‘air mouse’ which is what happens when you breed a keyboard and Nintendo Wiimote together – inaccurate and slow to type on.
  • A dedicated remote control for ‘media’ content – too limiting in what you can do with it, no keyboard for typing.
  • Smartphone as keyboard/mouse – keyboard too slow to type on, mouse too tricky to use, always need smartphone around.
  • All in one keyboard and trackpad – the current winner for me (Logitech K400

The all in one keyboard and trackpad gives me what I want – a full keyboard experience so I can type fast, a multi-touch trackpad so I can move the cursor around fairly well, and use gestures like scrolling through pages. However, it’s still rather large, and doesn’t really like being dropped (the batteries generally go flying).

That’s why I was looking forward to trying Lenovo’s solution to this, and compare it to my currently winning solution.

The box turned up which looks simple enough, and shows what you’re getting :

Opening the box, all that’s inside beyond plastic and manuals are the keyboard itself, a tiny dongle, and a USB extension cable.

The keyboard itself looks and feels very well made. I was expecting something of average quality, but this feels premium. It has a reasonable amount of weight to it and the keys feel very solid – there is no cheap plastic to be found:

Getting the back cover off was a bit tricky – I needed to apply a lot more force than I was comfortable with, but that’s probably good for a device that’ll probably get thrown around and dropped. It takes two AAA batteries (included in the box in some countries) which will last up to 8 months – about normal for a wireless keyboard.

After clicking the back cover back on, I had one more look at the device. It has a decent amount of weight to it which helps with the premium feel, and a curved back sort of like an old iPhone 3GS, but a more emphasised curve – again, a really nice design that feels good to hold:

After plugging it in to my Intel NUC running Windows 10, the device was ready to use. When I first looked at the device (I decided to approach it with no research until after I’d finished playing), I assumed the bottom section was a trackpad. It turns out, the entire keyboard area is a trackpad! Everywhere from the top left Escape key, to the bottom right arrow key is one giant trackpad – despite the keys actually being individual buttons that press down. It even supports gestures, such as scrolling.

Quick demo of using the device as a trackpad

The bottom section are dedicated left and right click mouse buttons, with no touch abilities. The keyboard itself can be used to click also, just like a trackpad and using a tap motion rather than actually pressing down on it.

It’s also worth noting that the cursor sensitivity can be adjusted via the keyboard itself, with the Fn + F9 and Fn+F10 key combos – personally I upped the sensitivity a bit.

After using it for a while, here’s the pros and cons I formed about this device:

Pros:

  • High quality device – good materials, good weight, not flimsy in any way
  • Compact – it’s about the size of a large smartphone
  • Touchpad accuracy – fairly accurate with a very large surface to work with
  • Keyboard keys – they press down seperately and actually click. Typing can be done similar to the old full keyboard Nokias.
  • Battery – ~ 8 months means you won’t go flat easily, or have to remember about charging the device. It can be treated like any other standard remote control

Cons:

  • Small keys – no small device will let me type as fast as I can on a full sized keyboard, but this is probably the best to expect for a device this size
  • Touchpad sensitivity – because the keys are so close to the edge, I found my hands would accidently rest againt a key and affect my ability to move the cursor.

Overall, this is the best keyboard I’ve seen for couch usage for it’s size. The more important consideration is how you expect to use it; if you do a lot of typing and are used to typing fast, you’re going to need a full sized keyboard – no mini keyboard is going to be as good to use. However, for light typing and a trackpad experience, in a form factor that’s around smart-phone size, this ticks all the boxes.

Because the Lenovo 500 Multimedia Controller is a different style of device than what you’d be used to, there is a little adaptation required to put your hands in the right spot, get used to tapping the trackpad instead of clicking and use a small keyboard – but these to me were just minor adjustments I had to learn, rather than being too difficult to change what I do.

A note for Australians – at the time of writing, I can’t see anywhere to buy this locally, but for US residents the device costs around $40US.