Exchange Online Service Account Options

Going from Exchange On-Premises to Exchange Online can be a bit of a learning curve. One of the changes is having to worry about licensing a lot more; on-prem you can have as many service accounts as you need (e.g. a ticketing application may need access to a mailbox to send and receive emails, or to create IT Helpdesk jobs from emails) and you’re good to go.

With Exchange Online however, every single account needs to be licensed. As per Microsoft’s FAQ on the topic:


Exchange Online is licensed via a subscription model in which each user needs a User Subscription License (USL). Three types of subscriptions are available: Exchange Online Kiosk, Exchange Online Plan 1, and Exchange Online Plan 2. These subscriptions can be purchased on their own or as part of an Office 365 plan that includes SharePoint Online, Skype for Business Online, and Office ProPlus.


Here’s a breakdown of all the license options for Exchange Online, and what features each license has.

Your normal users are probably going to have some sort of business package applied to each user – one of the most common is Office 365 Enterprise E3, but generally not value for money for a single purpose service account.

The Exchange Online Kiosk plan is the cheapest, but limited.  Also note that there’s the Office 365 F1 plan which includes Exchange Online Kiosk, but again is a more expensive package with features you probably don’t need. Although this license can also be used to access another mailbox, there are many limitations such as “Exchange Online Kiosk does not provide access rights for utilization with on-premises servers.” and the ability to access the mailbox using Microsoft Outlook. It also can’t use Exchange Web Services (EWS) which is one of the more modern ways that a developer will read or manipulate emails.

Exchange Online Kiosk has the brief description of “Basic messaging and calendaring plan with Web email and POP access.” If you purely want to send emails via SMTP using Office 365’s SMTP connector, then this is what you need.

For most other functions, you’ll need at least Exchange Online Plan 1. This is the next cheapest option, and gives you a standard fully working Exchange Online account with a fully functional mailbox.

There is another option around all this; if you’re happy to run Exchange Hybrid but have all your mailboxes in Exchange Online, you’re entitled to a free Exchange Server license. With that in place, you can use SMTP relays to allow your on-premises accounts to use that connecter without a license, and have that relay back to Office 365. It’s also possible to do ignoring  Exchange Hybrid if you build your own IIS server and SMTP Relay. Both of these options are great for devices like printers that may be sending emails anonymously, or to avoid changing configuration of all your devices with the new Office 365 SMTP server smtp.office365.com .

As you’ll need to do license management and probably be looking at month to month charges, it’s important to understand licensing and allocate in the most cost effective way. Of course, all this may change so please check official Microsoft documentation to ensure you’re getting what you need.

Null Dynamic Membership Rules in Azure Active Directory

Azure Active Directory has the ability to create Security Groups with Dynamic membership. This is great if you can apply logic to a group, as members will fall in and out of scope without any work required.

Microsoft have a great writeup on how it all works and how to create rules, however I’ve run into a scenario not covered in the documentation.

If you create a Dynamic membership rule and want to include only attributes that have no value, the term ‘null’ works fine. You can create your group or modify the rule without issue.
However, if your binary operator (the equals part in the example above) is set to ‘not’, it won’t work.
The use case I had for ‘not null’ was to have a group of users which only had employee numbers, which was an easy way of filtering out test accounts, service accounts and so on.

You’ll get this error:

Failed to create group

Failed to create group ‘groupname’. Dynamic membership rule validation error: Invalid operands found for operator.Invalid operands found for operator -not

The way to fix this is to go into the ‘Advanced Rule’ option and change the term ‘null’ to ‘$null’

Note that you can’t do this from the simple rule view, changing ‘null’ to ‘$null’ there results in the code looking like this:

(user.extensionAttribute1 -eq “$null”)

 

Where it should look like this, without the quotes:

(user.extensionAttribute1 -eq $null)

A simple fix, but something that’s not documented on the support page. Hope this helps anyone who runs into the same problem.

Update Microsoft’s Documentation Yourself

This might be a strange concept to many people out there. Microsoft is letting you help correct/update/add to their online documentation at https://docs.microsoft.com

I’m typing this from Microsoft’s Headquarters as part of the MVP Summit, and the session is one of the few not under NDA which is a good reason to blog it :) Here’s my summary of the presentation:

Docs.Microsoft.Com is the new platform for Microsoft’s technical documentation across their entire product line for IT Professionals and Developers.

Why contribute?

To share your knowledge, help others and for Microsoft MVPs it adds to your contributions to keep the badge next year. This isn’t to do Microsoft’s documentation for them.

Where to start?

Start small – clarifications, examples (e.g. SDK/PowerShell), guidance tips and translations. If you see something wrong, fix it.

How to do it

You’ll need a GitHub account – https://github.com/join (don’t worry, you won’t need a client – this is all browser based).

Once you’re signed up, you find the article you want to change and choose the ‘Edit’ link on the top right below ‘Feedback’:

Then, you’ll need to click the pen icon (highlighted in yellow) to edit the actual text:

Now you’re able to change the raw text. The documents themselves are in Markdown. This means you’ll need to use characters to modify your text. For example **test** will come out as test. There’s a great cheatsheet here on lots of examples, but for starters follow what you can already see in the documentation rather than trying to create new styles.

You can use the ‘Preview’ tab to see the document with your new changes too. Once you’re happy, at the bottom of the page give a brief description of the change, and click ‘Propose File Change’

After that, you’ll see the final page which shows your change, and the button to ‘Create Pull Request’

You’re done! (For the most part). Your change gets sent off to the document owner for review. You’ll get some emails back advising of the progress, any questions/clarification and in the end, the change approved and your request closed.

It’s a very simple process while making sure the documentation is still Microsoft controlled. Get updating today!

Become an Office Insider

Similar to the Windows Insiders program, you can also be an Office Insider.

The programs have the same ideas – give users access to new features before everyone else, and let those users provide feedback to help report issues or shape decisions that will go out to the rest of the world.

This program is for the Click To Run version of Office, not MSI.

If you’re not already a Windows Insider, Microsoft has easy to follow instructions. It’s also not a requirement to be a Windows Insider to be an Office Insider.

For Office Insiders, it depends what version of Office you’re licensed to. Home, Personal and University licenses can just go to File > Account > Office Insider from any Office app, and follow the prompts.

However if you’re using a School or Work account, you won’t see this option. The full instructions are available from Microsoft but here’s the condensed version:

Download Office 2016 Deployment Tool and run it. It will extract a setup.exe and configuration.xml file.

Edit the configuration.xml file: The line -<Add Channel=”Monthly” OfficeClientEdition=”32″> needs the word ‘Monthly‘ changed to either ‘InsiderFast’ to get updates as early in the process as possible.

Open an admin commant prompt, navigate to the folder that contains the two above files and run:

Setup.exe /configure configuration.xml

(If you have any issues, try uninstalling your existing version of Office).

Once that’s done, you should be good to go. Launch an Office app such as Word, log in with your Work/School account, and go to File > Account. Under the About Word section, you should see a mention of Office Insider:

If you want to be an Office Insider for apps on iOS or Android, then follow the instructions here on how to register and obtain updates (it’s very easy!).

OneDrive for Business Auto Sign In – Windows 10

If you’re looking at starting to use OneDrive for Business and you’re working with a PCs joined to a local domain, you can now have a seamless sign in experience for end users (Note that the Group Policy setting for this is in preview according to the documentation).

OneDrive for Business from the client’s perspective has been dropped. It’s just OneDrive now, even though the backend is OneDrive for Business as part of an Office 365 subscription.

You’ll need Windows 10 1709+ for this, as that’s the first version of Windows 10 that has OneDrive baked in. There’s no deployment of the app required then, so you won’t need to use or modify OneDrive for Business. The newer client has much less syncing issues too – if you’re not sure what one you’re using, check what executable is running. OneDrive.exe is the new client, where Groove.exe is the older.

Since OneDrive is part of Windows 10 now, if you aren’t ready for this or don’t want it yet, you’ll need to use the Group Policy setting ‘Prevent the usage of OneDrive for file storage’ which is found in Computer Settings > Policies > Administrative Tempates > Windows Components > OneDrive (note that this is different to the location of where the above new policies sit for OneDrive, which is one level down straight under Administrative Templates).

If you’re migrating from an existing install, then you’ll need to follow this process. Otherwise if you’re starting fresh, there’s a great guide here to go through.

 

The short version of these steps is:

  1. Windows 10 1709 already has OneDrive, so no deployment required.
  2. Get the ADML and ADMX Group Policy files and deploy them in your environment. Make sure they’re the latest ones too, which you should be able to get from any Windows 10 1709 PC in the path %localappdata%\Microsoft\OneDrive\BuildNumber\adm\
  3. Configure your Group Policies to the settings you want, but the one you’ll need for auto sign in is “Silently configure OneDrive using Windows 10 or domain credentials“. This setting should set the regsitry key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive] “SilentAccountConfig”=dword:00000001. With this setting, there’s an extra registry settings to configure:[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive] “EnableADAL”=dword:00000001 – This setting enables Modern Authentication for OneDrive.

That’s it!

After this is configured and you log on, the OneDrive client will automatically sign in as the logged on user – assuming you’re properly set up on the Azure AD and Office 365 side of things. There’s no prompt, no notification and users can start using it straight away at their convenience.

Note that if you disabled OneDrive from running at first user login (usually via the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with something like “C:\Windows\SysWOW64\OneDriveSetup.exe /silent”, you’ll need to retrigger the install. That /silent switch will make OneDrive install and sign in automatically with the above settings.

If you’re planning on moving user’s home drives to OneDrive, you’ll need to manually move the files or run a script like this to migrate the data – or find a paid solution.