Office 365

Exchange Online and Exchange On-Premises Security Groups

I had a requirement come up where I needed a list of Exchange Online users as well as Exchange On-Premises users. If you’re hybrid or going through a long migration, there are many scenarios where you want certain products or settings applied against the users and accounts based on where their mailbox is.

You could maintain that manually, but why do that when you can automate it!

Thankfully there are two easy commands that will return accounts based on where they are – Get-Mailbox and Get-RemoteMailbox. As long as you’re in Exchange Hybrid mode, you can run both of these commands against your local Exchange server.

Here’s the quick script I wrote up:

# The AD cmdlets below need the ActiveDirectory module
Import-Module ActiveDirectory

# Connect to the on-premises Exchange server (replace the placeholder with your server name)
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://<exchange server name>/PowerShell" -Authentication Kerberos
Import-PSSession $session

# Migrated (Exchange Online) mailboxes and on-premises mailboxes
$remoteusers = Get-RemoteMailbox -ResultSize Unlimited
$onpremusers = Get-Mailbox -ResultSize Unlimited
$remotegroup = "Exchange Online Users"
$onpremgroup = "Exchange OnPrem Users"

# Empty both groups so migrated or departed users don't linger in the old group
Get-ADGroup $remotegroup | Set-ADObject -Clear member
Get-ADGroup $onpremgroup | Set-ADObject -Clear member

foreach ($user in $remoteusers) {
    Add-ADGroupMember -Identity $remotegroup -Members $user.SamAccountName
}

foreach ($user in $onpremusers) {
    Add-ADGroupMember -Identity $onpremgroup -Members $user.SamAccountName
}

Remove-PSSession $session

All I’m doing here is getting the two user types and putting them into variables – $remoteusers and $onpremusers. I’ve also used the group names as variables, so you can create whatever AD groups you like and put them into the $remotegroup and $onpremgroup variables.

Also I’m clearing out all members of the group before adding users, which means if someone gets migrated or leaves, they’ll be cleaned up from the old group properly.

Finally I’m going through the two user lists and using ‘foreach’ to add each user to the relevant group, using the SamAccountName value of each result to identify them.

It’s only a basic script, but you can easily add extra filters to the Get-Mailbox and Get-RemoteMailbox commands to do things such as only getting users from certain OUs.

This was tested on Exchange 2010, so if you get different results on Exchange 2013 or 2016 please let me know.
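When these groups drive policy (licensing, mail filtering, conditional access), clearing them first leaves a window where every user is out of the group, and a failed Exchange query leaves them empty until the next run. The following is an added example, not part of the original script, that only applies the difference between the current and desired membership. It assumes the Exchange session from the script above is already imported; Sync-MailboxGroup and its -MaxRemovals parameter are hypothetical names.

```powershell
# Added example: delta-based group sync instead of clear-and-refill.
# Sync-MailboxGroup and -MaxRemovals are hypothetical names, not Exchange or AD cmdlets.
Import-Module ActiveDirectory

function Sync-MailboxGroup {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)] [string] $GroupName,
        [Parameter(Mandatory=$true)] [AllowEmptyCollection()] [string[]] $DesiredDN,
        [int] $MaxRemovals = 50
    )
    # An empty result usually means the Exchange query failed, not that nobody has a mailbox.
    if ($DesiredDN.Count -eq 0) {
        throw "No mailboxes returned for '$GroupName'; leaving the group unchanged."
    }
    $current = @((Get-ADGroup -Identity $GroupName -Properties Member).Member)

    # Hashtable literals compare keys case-insensitively, which suits distinguished names.
    $want = @{}; foreach ($dn in $DesiredDN) { $want[$dn] = $true }
    $have = @{}; foreach ($dn in $current)   { $have[$dn] = $true }

    $toAdd    = @($DesiredDN | Where-Object { -not $have.ContainsKey($_) })
    $toRemove = @($current   | Where-Object { -not $want.ContainsKey($_) })

    # A large removal count suggests a partial query result; stop rather than strip membership.
    if ($toRemove.Count -gt $MaxRemovals) {
        throw "$($toRemove.Count) removals from '$GroupName' exceeds the limit of $MaxRemovals."
    }
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }
    New-Object PSObject -Property @{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Build the desired membership from the same two Exchange queries the script uses.
$remoteDN = @(Get-RemoteMailbox -ResultSize Unlimited | ForEach-Object { $_.DistinguishedName })
$onpremDN = @(Get-Mailbox -ResultSize Unlimited | ForEach-Object { $_.DistinguishedName })

# -WhatIf reports the planned changes without applying them; drop it once the output looks right.
Sync-MailboxGroup -GroupName "Exchange Online Users" -DesiredDN $remoteDN -WhatIf
Sync-MailboxGroup -GroupName "Exchange OnPrem Users" -DesiredDN $onpremDN -WhatIf
```

The first run after a large migration batch may legitimately exceed the removal limit; raise -MaxRemovals for that run rather than removing the check.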

Microsoft Bookings for E3 and E5 Customers

There are a few Office 365 features that were released only for Business customers; there’s a nice list of all the Office 365 Features and what subscription they sit under on TechNet. The good news is that they’re coming to Enterprise customers too!

The first service to be available is called Bookings, which lets you build a booking system for your customers to use. There’s actually a lot to it – you can set rates, who’s available, what times to book, and what sort of appointments customers can choose. I can see it being a big benefit to a small business to have a very easy to configure and professional booking system.

I can see why Microsoft originally didn’t let Enterprise customers have this product – it’s not going to work well if you have 1000 staff that can be booked using it, and have more complex requirements.

Regardless, I’m sure many Enterprise customers want to at least have a look at a new free addon that’s part of their subscription.

There are a few steps to getting access to Bookings, and it’s different to other products such as Teams. Again, Microsoft have a TechNet Guide on getting Bookings, but here’s the abbreviated version:

In Office 365 Admin, go to Billing > Purchase Services. Find Business Apps (it’s near the bottom), and follow the bouncing ball from the ‘Buy Now’ button which shows up when you hover over or click the Business Apps tile. It’s a bit strange to go through a purchase process for an E3/E5 subscription.

Although there’s an option to “Automatically assign to all of your users with no licenses” I found that at the end of the process, nobody actually had the license applied. You’ll need to follow your normal license allocation procedure (which at the basic level, can be choosing a user from the admin console, going to Product Licenses, finding ‘Business Apps’ and changing the switch to ‘on’).

I also hit an issue when going through the purchase process when choosing to pay. I had the message ‘Sign-in required For security reasons, please try signing in again. If you receive this notification again, a specific browser setting is preventing you from utilizing this page. Please follow this support article to fix the issue.’ Trying again ended up going in a loop to see that message. In Google Chrome I couldn’t resolve this; in Internet Explorer, however, set your browser settings as per the support article but then completely close all IE windows, or it doesn’t seem to work.

Once you’ve purchased, it only takes a minute or less for the licenses to appear. As above, make sure you’ve then checked and applied the license to an account you plan to test on. The app itself may take longer to show up in the dots menu, but you can go direct to bookings.office.com and you will hopefully see a page like this:

From there, you can start to check out settings and configure it up!

Removing Unwanted SMTP Records From Exchange Hybrid

I’m still new to Exchange Online and Office 365 mailbox management, but got stuck on this scenario for a bit.

After testing an E-mail Address Policy, I wanted to remove what the policy had done. I’d already discovered that taking an address off a policy itself doesn’t remove it from the accounts, and ran this simple script to remove the unwanted SMTP record off each account. However, accounts that had been migrated to Office 365 didn’t change and still had the unwanted SMTP record.

I checked on Exchange Online itself, and the address I’d added hadn’t flowed through. I believe this was because it was using a domain that Office 365 didn’t know about – but that also meant that I had no records to change at that end. I could however go into the mailbox itself via the Exchange console and remove the unwanted record.

It turns out that I had to use the ‘Get-RemoteMailbox’ and ‘Set-RemoteMailbox’ commands in place of the ‘Get-Mailbox’ command. Although I was working with Exchange PowerShell on-premises, the mailbox type is ‘RemoteUserMailbox’. ‘Get-Mailbox’ against any migrated item will not find those objects that live in the cloud.

If you want to see which Exchange objects have a particular SMTP record in Exchange 2010, regardless of what mailbox type they are or where it lives, there’s an easy way.

Make sure the ‘Recipient Configuration’ tree option in the Exchange Console is selected, and filter with E-Mail Addresses > Contains > your unwanted SMTP record:

This lets you confirm that no object type (including groups, contacts etc.) still has the unwanted SMTP record.
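The Get-RemoteMailbox / Set-RemoteMailbox approach described above, as an added example that is not the script the post refers to. It assumes an on-premises Exchange PowerShell session in a hybrid organisation; the domain 'unwanted.example' is a constructed placeholder and Get-UnwantedProxyAddress is a hypothetical helper name.

```powershell
# Added example: remove secondary SMTP addresses in an unwanted domain from migrated mailboxes.
# 'unwanted.example' is a constructed placeholder; replace it with the domain of the unwanted record.
$unwantedDomain = 'unwanted.example'

function Get-UnwantedProxyAddress {
    param(
        [Parameter(Mandatory=$true)] $Recipient,
        [Parameter(Mandatory=$true)] [string] $Domain
    )
    # -clike is case-sensitive: 'smtp:' matches secondary addresses only,
    # so the primary address (prefixed 'SMTP:') is never selected for removal.
    @($Recipient.EmailAddresses |
        ForEach-Object { "$_" } |
        Where-Object { $_ -clike 'smtp:*' -and $_ -like "*@$Domain" })
}

# Migrated mailboxes are RemoteUserMailbox objects, so Get-Mailbox will not return them.
foreach ($mbx in (Get-RemoteMailbox -ResultSize Unlimited)) {
    $bad = Get-UnwantedProxyAddress -Recipient $mbx -Domain $unwantedDomain
    if ($bad.Count -gt 0) {
        Write-Output "$($mbx.DistinguishedName): $($bad -join ', ')"
        # -WhatIf shows what would be removed without changing anything;
        # drop it once the listed addresses are the ones you expect.
        Set-RemoteMailbox -Identity $mbx.DistinguishedName -EmailAddresses @{Remove = $bad} -WhatIf
    }
}
```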

Office 365 Extra Features Overview

In September 2017, I presented at the user group I co-own with Brett Moffett on the topic of Office 365 Extra Feature Overview. I wanted to show some of the key parts of Office 365 beyond Exchange, SharePoint and Skype for Business. Here’s a recording of that presentation:

Forms is still my favorite ‘quick win’ feature, which I previously covered along with a sample form and results.

If you’re ever in Adelaide and want to come along to our monthly catchups, here’s our Meetup page: https://www.meetup.com/preview/Adelaide-Microsoft-ITPro-Community

CIAOPS Academy

Today I’m sharing Robert Crane’s CIAOPS Academy service. He’s an Australian-based Microsoft Office Servers and Services MVP, and seems to be rather busy with all his different projects, including the CIAOPS Need To Know podcast.

That podcast I highly recommend as an easy way to keep up on the latest Office 365 and Azure news. Even though I try to keep on top of it myself, they often raise other new features or changes that I hadn’t come across yet.

Beyond that though, the CIAOPS Academy is a service I personally pay for that Robert provides. I am on the lowest tier, but the private Facebook group that Robert runs is an invaluable source of fellow professionals who ask and help with all things in the Microsoft tech space.

It’s different to other communities with its paywall, as everyone is invested and cares about the topics raised.

There’s also a referral program for signups – sure, you can use my affiliate link to CIAOPS Academy or use one that doesn’t help me pay for my own access here. I’m not one to suggest services or products I don’t believe in myself, but I’ve had several questions raised already which have more than paid for the service in my mind.

The bronze level (which is what I use) is enough for me right now, but higher levels give you access to videos and other training materials.

The bonus news I can share here is that there is now a 7 day trial available, which is mentioned at the bottom of the patron page above. If you want to see what it’s about and check it’s worthwhile, you can now do it for free!

In summary, if you’re someone who is either new to, or currently managing Office 365 and Azure, this is a great group of people to be a part of. I’m not the only other Microsoft MVP there, which I think shows the value of this service.

Microsoft Forms Preview

Microsoft Forms has been around for a while. A year ago, it was released only to Office 365 Education customers as a nice, simple way to make surveys and quizzes. There’s a bunch of content out there about it already, for those who want to learn more.

More recently, it’s been released to the wider population with a bunch of improvements, albeit still in ‘Preview’. As I can now access it from one of my Office 365 tenants, I thought it was worth having a play with.

Forms is a lightweight, easy way of creating questionnaires and gathering the responses. Having no experience with it previously, I made up this survey within a minute (half the time was picking a theme!).

Have a look and feel free to enter data, and try to break it:

Test Quiz

Right now, there are two options on the main Forms page: Create a form, or create a quiz. Creating a quiz looks pretty blank from the beginning, with a title and the option to add a question. It’s worth mentioning that I couldn’t tell what the difference between the form or quiz option was!

Using the ‘Add question’ button gives you the options on what sort of question it is; Choice, Text, Rating or Date. From that, you’ll see a very easy to configure form, where you can configure the question to your liking. Points are possible if it’s checking someone’s knowledge and you want an end score. You can choose if a question is mandatory with the ‘Required’ toggle, or if multiple answers are allowed.

The ellipsis hides a few more options depending on the question type – maths, if you need to use an equation (you can see the education influence here), but also if your question needs a subtitle, or if you want the answers shuffled to reduce bias (there’s that type of person that always picks ‘C’ when they don’t know).

There’s also a ‘Branching’ option which lets you configure what path the quiz will take, depending on which answer is given. How long until someone creates a ‘Choose your own adventure’ with this :) ?

I posted this on Twitter not too long ago, and at the time of writing this, there were 26 responses. I haven’t done anything beyond clicking the ‘Responses’ tab to see this data:

To me, this looks incredibly useful. So little effort required to start getting feedback, and the data displayed easily. There’s also the option to open the data in Excel, which shows the raw data and lets you manipulate the views.

The survey by default requires access in your organisation to respond. With that, you can choose if names are recorded, and if only one response is allowed per person.

It’s possible and easy to change this restriction to ‘Anyone with the link can respond’, but it does mean all entries will be marked as ‘anonymous’ and you’ll have no guaranteed tracking of who entered the data.

Another note is that forms is fully supported on mobile browsers. A few people tried this quiz and reported a great experience.

As pointed out on Practical 365, Microsoft Forms is turning up and on by default on Office 365 tenants. If you don’t want this on, please read that post.

This is a free component of Office 365, and worth investigating even in its preview state for internal surveys – maybe it will replace Survey Monkey (which I’m a fan of)?

Zero-click Single Sign-On Without ADFS

Login prompts to websites are a pain. Enterprise employees these days expect to have a single sign-on experience (meaning the same username/password everywhere) and a minimal amount of logging in to systems each day.

It’s very different from years ago, when every system had its own unique login and users got into the habit of synchronizing password changes when the regular password expiries hit (and I’m sure some companies still run this way), but it’s a problem IT as a whole has worked on for many years.

Microsoft has had a big focus on identity management for many years, with products such as FIM/MIM and ADFS, along with the old faithful Active Directory, controlling and providing a framework for authentication. The on-premises approach didn’t work for cloud-based technologies though. Going to a site such as Office365.com will show an area to sign in:

Getting logged out of sites, or needing to log into each different Microsoft service separately, is a pain and a time sink for users. The original answer to this problem was ADFS. This works well, but requires the ADFS infrastructure to be set up, and needs to be highly available. If ADFS goes down, your users can no longer authenticate to Azure AD, which is what powers the identity management and authentication orchestration for Microsoft enterprise users (this includes Office 365).

More recently, another native solution was released – Pass Through Authentication for Azure AD Connect (Azure AD Connect being the service that syncs your on premises AD to Azure AD). This removes the requirement for entering a password to these Microsoft services which is great for users, but still requires the entry of the username (which in Azure AD, is the User Principal Name, and looks the same as an email address to confuse things more for users). It’s a good start, but still not the seamless authentication many users expect.

There is another way of providing zero-touch logins to Microsoft services without ADFS, which is Azure AD Domain Join. Windows 10 is a requirement here, but beyond that, the setup is quite easy if you’re already configured for Azure AD. Maurice Daly has written a great guide on this, which outlines all the requirements and steps to follow to be up and running. (Thanks Maurice for your help on this!)

Gotcha for myself: I found that I had an old version of the Microsoft Azure Active Directory Module for Windows PowerShell which didn’t have the Get-MsolDevice cmdlet at all, and had to download an updated version. I also updated the AzureRM module for good measure since it was also out of date, but it shouldn’t have been a requirement.

This is a rather complex topic, so I’ve tried to give a fly-over view of the native options available. There’s also Smart Links which can speed up and improve the user experience.

If you’re on Azure AD and Windows 10, give Azure AD Domain Join a try. It may save you the hassle of building and maintaining an ADFS server, and give your users a better experience overall.