GRANIKOS

Problem: When you try to connect to SharePoint Online using PowerShell you receive an Access Denied error as follows: PS C:\> Connect-SPOService -Url https://tenant-admin.sharepoint.com -credential $credential Connect-SPOService : Cannot contact web site 'https://tenant-admin.sharepoint.com/' or the web site does not support SharePoint Online credentials. The response status code is 'Unauthorized'. The response headers are 'X-SharePointHealthScore=0, SPRequestGuid=310ce59d-002b-3000-ef1a-70e5fe7eaf72, request-id=310ce59d-002b-3000-ef1a-70e5fe7eaf72, X-MSDAVEXT_Error=917656; Acces s+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the +web+site+and+select+the+option+to+login+automatically., Solution Connecto to the SPO Service without the previously entered credentials ($credential) and enable the LegacyAuthProtocolsEnabled attribute. Set-SPOTenant -LegacyAuthProtocolsEnabled $True   Enjoy SharePoint Online.    

Problem After configuring Access Services you cannot deploy Access custom web apps from Access 2013 - an error with a Correlation ID occurs.   Reason As if it´s not inconvenient enough to configure the SharePoint Access Services Requirements (e.g. AppStore with DNS), the SQL Server Configuration can be the cause, too. In the SharePoint Site Content overview you can see the faulty deployed App and in it`s details the following error: The database server is temporarily unavailable. Details: The sp_configure value 'contained database authentication' must be set to 1 in order to alter a contained database. You may need to use RECONFIGURE to set the value_in_use. ALTER DATABASE statement failed.   Solution You need to enable the SQL Server 2012 Feature Contained Database Authentication if you receive this error. You can do this in the Management Studio via this T-SQL statement: SP_CONFIGURE 'contained database authentication', 1; GO RECONFIGURE; GO   Enjoy SharePoint!  

Last updated: 2017-02-08 NoSpamProxy Azure Edition is the cloud based email security gateway of the successful NoSpamProxy family of products by Net at Work. The Azure edition of NoSpamProxy can easiliy be deployed using the Microsoft Azure Marketplace. NoSpamProxy Azure easily connects an Office 365 tenant and offers an easy way to provide centralized email encryption and decryption with PGP and/or S/MIME for mailboxes hosted in Exchange Online. Additionally, NoSpamProxy Azure provides compliant anti-spam handling, an anti-malware component, and a large file portal. The edition currently available in Microsoft Azure installs a NoSpamProxy single-server deployment. A single-server deployment combines the NoSpamProxy intranet role and the gateway role on a single server. The NoSpamProxy Azure Edition is provided as BYOL (Bring Your Own License) deployment. In addition to the recurring fees for the Microsoft Azure VM you are required to buy a NoSpamProxy license. If you already own a NoSpamProxy Version 11 license, the license can be used for the NoSpamProxy Azure Edition as well. Content DeploymentOptions Notes Deployment Links   Deployment Options Due to the nature of a cloud service NoSpamProxy Azure can be operated in different scenarios in ...

This is a translated blog post of the original post in German, which can be read here. Different technologies are used to verify the validity of email senders. Each technolgy by itself represents only one component of an holistic solution. It is currently recommended to implemtent all three technologies. The technologies are: SPF - Sender Policy Framework The SPF resource record of a DNS zone defines which servers (host names or IP addresses) are allowed to send emails on behalf of the domain. Each sender domain must have it's own SPF resource record.   DKIM - Domain Keys Identified Mail DKIM pursues the same objective as SPF. With DKIM parts of an email message are enrypted using a provivate key. The public key is published as a DNS resource record. In the most cases the key pair ist generated by the mail servers, as these encrpyt the message anyway.   DMARC - Domain-based Message Authentication, Reporting & Conformance DMARC is placed on top of SPF and DKIM. DMARC executes a so called alignment for SPF and DKIM. An alignment defines a ...

The use of certificate based email encryption is still a challenging task for administrators. When you store end user certificates stored locally on computers, you accept the risk of the user certificates being deleted or overwritten unintentionally. The use of smart cards helps to mitigate the risks associated with locally stored certificates. But smart cards are too complicated for large and agile companies. The use of smart cards with mobile devices is even more complicated, if not impossible. Gateway Encryption A simple and reliable solution is to use encryption and decryption capabilities at the company email gateway(s). This approach allows for: Central management of user and domain certificates or keys S/MIME PGP Central management of digital signage and encryption parameters for email communication with partner companies Encryption of any outgoing email communication, regardless of the client used to compose the message: Outlook OWA Outlook on the web Mobile phone Tablet Application Usage of internal eDiscovery solutions as internally stored email communication is still searchable No lost user certificates anymore Besides ...

Problem Out-of-Office (OOF) messages have to follow the compliance rules as regular email communication. This is not necessarily a known fact to end users. If a company does have a strict compliance policy regarding external OOF messages you can use the following solution to establish a strict and simple to use OOF configuration.  Only specific employees are supposed to send OOF messages to external recipients. All other employees are supposed to send internal OOF messages only. Solution The solution consists of two PowerShell scripts. The first script is used to remove any exisiting OOF rules created by a user using the Outlook OOF Rule Wizard. This is required to avoid any strange behaviours in regards to OOF messages being sent even if OOF is deactivated. The most common reasons for such a behaviour are migrated OOF rules created by previous Exchange Server versions. Remove-OOFRule.ps1 This script finds and removes all OOF rules for all users using Exchange Web Services (EWS). This script is supposed to be executed in preparation for the next script.     Set-ExternalOOF.ps1 This script sets the ExternalOofOptions attribute of a user ...

Description This script searches for OOF rules created by users using the Outlook rule-tab in the OOF assistant and deletes exisiting OOF rules. In preparation to configure compliant Out-Of-Office (OFF) settings for users, any existing OOF rule needs to be deleted. The script will use either an exisiting Exchange Server EWS library or the Managed EWS library installed using the default file path. This is the first of two scripts for the complete solution. Find the second script here. The script access the mailbox rules using Exchange Web Services. Therefore the account executing the script either needs to have ApplicationImpersonation rights or full access to the user mailbox. Requirements Exchange Management Shell (EMS) 2013+ GlobalFunctions library as described here: http://scripts.granikos.eu Locally installed Exchange Web Services (EWS) Library, https://www.microsoft.com/en-us/download/details.aspx?id=42951 Examples # EXAMPLE 1 # Find any existing OOF rule and write results to log file Remove-OOFRule # EXAMPLE 2 # Find and delete any existing OOF rules in all user mailboxes and write delete actions to log file Remove-OOFRule -Delete # EXAMPLE 3 # Find and delete any existing OOF rules for user SomeUser@varunagroup.de and write delete actions to log file Remove-OOFRule -Mailbox SomeUser@varunagroup.de ...

Description This script sets the mailbox ExternalOofOptions to 'External' for members of a given security group. ExternalOofOptions for users that are NOT a member of the security group will be set to 'InternalOnly'. If required the script will set the ExternalAudience to None and will delete an existing OOF message. Controlling the ExternalOofOptions and ExternalAudience settings has been implemented to follow dedicated company compliance rules. This is the second of two scripts for the complete solution. Find the first script here. Requirements Exchange Management Shell (EMS) 2013+ GlobalFunctions library as described here: http://scripts.granikos.eu Examples # EXAMPLE # Run script with default settings .\Set-ExternalOOF.ps1 Version History 1.0, Initial community release Links Download and follow at Github: https://github.com/Apoc70/Manage-OOF-Settings Download and like at TechNet Gallery: https://gallery.technet.microsoft.com/Set-external-OOF-settings-c9bee2ad Follow Twitter @stensitzki LinkedIn Xing  

Troubleshooting Active Directory Federation Services is a tedious tasks for any administrator. Therefore, I've started this blog post to have a comprehensive overview of information sources. The following list provides links for Active Directory Federation Services troubleshooting: ADFS – How to enable Trace Debugging and advanced access logging, https://migration-blog.com/2015/11/26/adfs-how-to-enable-trace-debugging-and-advanced-access-logging/ Troubleshooting ADFS: Enabling additional logging, http://www.jaapbrasser.com/troubleshooting-adfs-enabling-additional-logging/ AD FS Diagnostics Module, https://gallery.technet.microsoft.com/scriptcenter/AD-FS-Diagnostics-Module-8269de31 Under the hood tour of Azure AD Connect Health: AD FS Diagnostics Module, https://blogs.technet.microsoft.com/aadceeteam/2015/02/13/under-the-hood-tour-of-azure-ad-connect-health-ad-fs-diagnostics-module/ AD FS for Windows Server 2016 Best Practices, https://flamingkeys.com/ad-fs-windows-server-2016-best-practices/ Backup and Recovery with the AD FS Rapid Restore Tool, https://blog.auth360.net/2016/10/02/backup-and-recovery-with-the-ad-fs-rapid-restore-tool/ Additonal information about AD FS can be found here:  If you know of other AD FS troubleshooting information, please use the comments section below to share.    

Description This script fetches emails from a given monitoring mailbox by searching email messages for a given subject string. In this case email messages sent by the ENow Management Suite (http://enowsoftware.com/). Status messages are parsed to extract Disk Performance alert data for further processing in Power BI. The mailbox is queried using Exchange Web Services (EWS). The EWS endpoint is identified by AutoDiscover. The script exports the following columns for further processing: SERVER = Name of Exchange server reporting issue DATE = Date of issue occurance (Short Date) TIME = Time of issue occurance (Long Time) IO = READ or WRITE THRESHOLD = WARNING or CRITICAL VALUE = reported value You can easily adjust the script to fit your requirements. Search for other message subjects and parse for other content in the message body. Requirements Windows Server 2012 R2+  Exchange Server 2013+ Exchange Web Services Library Examples Code Samples # Run script using default parameters .\Get-EmailContent.ps1 Example output "COMPUTER";"DATE";"TIME";"IO";"THRESHOLD";"VALUE" "EXLABP08";"19.05.2017";"11:15:38";"READ";"Critical";"109,90" "EXLABP08";"19.05.2017";"11:15:38";"WRITE";"Warning";"23,61" "EXLABP08";"19.05.2017";"11:15:38";"READ";"Critical";"80,13" "EXLABP08";"19.05.2017";"11:15:38";"WRITE";"Warning";"21,58" "EXLABP08";"19.05.2017";"11:15:38";"READ";"Warning";"33,01" "EXLABP08";"19.05.2017";"11:15:38";"READ";"Critical";"53,04" "EXLABP08";"19.05.2017";"11:15:38";"READ";"Warning";"24,24" "EXLABP08";"19.05.2017";"11:15:38";"READ";"Warning";"40,01" Power BI report examples This example shows that P04 and P08 have exceeded the critical and warning state disk performance thresholds more often than the other servers. The next example shows the same date ...

My application as Microsoft Certified Trainer for the next year has been accepted by Microsoft. My workshops and MOC courses focus on: Exchange Server 2016 / 2013 / 2010 Office 365 Microsoft Azure Active Directory Federation Services Cloud Security i am looking forward to a third successful year as MCT. If you are looking for additonal information about workshops provided by Granikos check this page: https://www.granikos.eu/en/Consulting/Workshops        

When you delete a public folder using a legacy Outlook client, you can easily restore the deleted folder and it's content using the Recover Deleted Items function.  Due to a fancy trick implemented in Outlook 2013 and Outlook 2016 the recovered folder will not be recovered using it's full name. This phenomenon has been verified with Exchange On-Premises and Exchange Online on the server side and Outlook 2013/2016 and Outlook 365 ProPlus. The following example uses public folders in Exchange Online and Outlook 365 ProPlus. Example In this example I will delete and recover a public folder named My Public Folder. After deletion of My Public Folder and it's content, I need to select the original parent folder and click the Recover Deleted Items button in the button bar. The Recover Deleted Items dialogue opens and we select the deleted item for recovery. The dialogue displays the original name of the deleted folder. After recovering the deleted folder the folder is recovered with the first character only. That's an annoying result in regards to customer self-care when users restore deleted items on their own behalf. But wait, there is a ...

The PowerShell script to Set mailbox quotas at database or mailbox level the simple way has been updated to Version 1.4. The code has been refactored to functions and has received some PowerShell hygiene patters. Please report any issues directly at Github. If you like the script, please rate the script at TechNet Gallery. Enjoy!    

  The PowerShell script to purge Exchange Server and IIS log files has been updated to version 2.0. Release 2.0 allows for copying of files that will be deleted to be copied to a central file repository. The script will create a folder per server and the full log file folder structure will be preserved. The next release will contain an option to compress the copied log files. Added code: function Copy-LogFiles { [CmdletBinding()] param( [string]$SourceServer, [string]$SourcePath, $FilesToMove ) if($SourceServer -ne '') { # path per SERVER for zipped archives $ServerRepositoryPath = Join-Path -Path $RepositoryRootPath -ChildPath $SourceServer # subfolder used as target for copying source folders and files $ServerRepositoryLogsPath = Join-Path -Path $ServerRepositoryPath -ChildPath $LogSubfolderName $ServerRepositoryPath = Join-Path -Path $RepositoryRootPath -ChildPath $SourceServer if(!(Test-Path -Path $ServerRepositoryPath)) { # Create new target directory for server, if does not exist $null = New-Item ...

Problem You can block an user from logging on to Office 365 by setting the BlockCredential attribute to $true. Set-MsolUser -UserPrincipalName myuser@mcsmemail.de -BlockCredential $true But the MSOL user attribute is reverted to $false, when ADD Connect synchonization cycle runs. This happens, because the local Active Directory attribute accountEnabled is used to controll the BlockCredential attribute in Azure AD. Solution If your IT operation requires the ability to have enabled users in your local Active Directory infrastructure and you need to prevent logon to cloud services you need to prevent the accountEnabled attribute from being synchronized to Azure AD. This might not necessarily be a general requirement during normal operations, but might be useful while doing a Proof-of-Concept. Just exclude the attribute from the Azure Active Directory connector in the Synchronization Service Manager. The following script disables all users excluding Users following a specific naming pattern Users listed in a string array # Userfilter $UserExceptions = ("Sync_SYNC01_add98768492f@mcsmemail.onmicrosoft.com","SPO-SRV-ACCOUNT@mcsmemail.de","SynchedAdmin@mcsmemail.de") # Fetch synchronized users $DomainAccounts = Get-MsolUser -EnabledFilter EnabledOnly -MaxResults 5000 | Where-Object -Property LastDirSyncTime -ne $null # Select synchronized users not following the pattern ADM*@mcsmemail.de (admin accounts in this case) $DomainAccountsWithoutAdmins = $DomainAccounts | ...