
Just can't get enough of IT

This blog is about almost anything in IT, but its primary focus is on Microsoft technologies like Exchange, Office 365, Azure and cloud security.

Problem

You can block a user from logging on to Office 365 by setting the BlockCredential attribute to $true.

Set-MsolUser -UserPrincipalName myuser@mcsmemail.de -BlockCredential $true

But the MSOL user attribute is reverted to $false as soon as the next Azure AD Connect synchronization cycle runs.

This happens because the account state of the on-premises user (the ACCOUNTDISABLE flag in userAccountControl) is mapped by Azure AD Connect to the accountEnabled attribute in Azure AD, and accountEnabled controls BlockCredential. Every sync cycle re-applies the on-premises state, so an enabled on-premises account always ends up with BlockCredential set to $false.

Solution

If your IT operation requires enabled users in your local Active Directory while logon to cloud services must be prevented, you need to stop the accountEnabled attribute from being synchronized to Azure AD. This is not a general requirement during normal operations, but it can be useful while doing a Proof-of-Concept. Be aware of the consequence: once the attribute is excluded, disabling an account on-premises no longer blocks its cloud logon either, so BlockCredential has to be managed in Azure AD explicitly, and the exclusion should be reverted when the PoC ends.

Just exclude the attribute from the Azure Active Directory connector in the Synchronization Service Manager (Connectors, select the Azure AD connector, Properties, Select Attributes, clear accountEnabled).

Excluding the accountEnabled attribute from being synchronized with Azure AD

The following script blocks cloud logon for all synchronized users, excluding

  • Users following a specific naming pattern
  • Users listed in a string array
# User filter: synchronized accounts that must keep cloud logon
$UserExceptions = ("Sync_SYNC01_add98768492f@mcsmemail.onmicrosoft.com","SPO-SRV-ACCOUNT@mcsmemail.de","SynchedAdmin@mcsmemail.de")

# Fetch synchronized users that are currently allowed to log on
# (LastDirSyncTime is only set on directory-synced objects; raise -MaxResults or use -All for larger tenants)
$DomainAccounts = Get-MsolUser -EnabledFilter EnabledOnly -MaxResults 5000 | Where-Object -Property LastDirSyncTime -ne $null

# Select synchronized users not following the pattern ADM*@mcsmemail.de (admin accounts in this case)
$DomainAccountsWithoutAdmins = $DomainAccounts | Where-Object -Property UserPrincipalName -NotLike "ADM*@mcsmemail.de"

# Exclude accounts listed in $UserExceptions
$DomainAccountsWithoutAdminsFiltered = $DomainAccountsWithoutAdmins | Where-Object -Property UserPrincipalName -NotIn $UserExceptions

# Now block cloud logon for all filtered users
ForEach ($User2Block in $DomainAccountsWithoutAdminsFiltered) {
  Write-Host ('Disabling User: {0}' -f $User2Block.UserPrincipalName)
  Set-MsolUser -UserPrincipalName $User2Block.UserPrincipalName -BlockCredential $true
}
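The flip side of excluding accountEnabled is that the on-premises disable no longer reaches the cloud: a user you disable in Active Directory keeps signing in to Office 365 until somebody sets BlockCredential by hand. The following script is an added example (my code, not part of the original post) that re-creates that link explicitly, so it can run as a scheduled task for as long as the exclusion is in place. It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run in the session, and that the on-premises UserPrincipalName matches the cloud UPN (if you use a non-routable suffix on-premises, map the UPNs before comparing).

```powershell
# Added example, not from the original post.
# Finds users that are disabled on-premises but still allowed to log on to
# Azure AD, and blocks them. Run with -WhatIf to report only.
param(
    [switch]$WhatIf
)

Import-Module ActiveDirectory   # assumed: RSAT AD module available
Import-Module MSOnline          # assumed: Connect-MsolService already done

# On-premises users carrying the ACCOUNTDISABLE flag in userAccountControl
$DisabledOnPrem = Get-ADUser -Filter 'Enabled -eq $false' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName }

# Synchronized cloud users that are still allowed to log on, keyed by lower-case UPN
$CloudAllowed = @{}
Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { $_.LastDirSyncTime -ne $null } |
    ForEach-Object { $CloudAllowed[$_.UserPrincipalName.ToLower()] = $_ }

# Drift = disabled on-premises, but BlockCredential still $false in the cloud
$Drift = foreach ($AdUser in $DisabledOnPrem) {
    $Upn = $AdUser.UserPrincipalName.ToLower()
    if ($CloudAllowed.ContainsKey($Upn)) { $CloudAllowed[$Upn] }
}

if (-not $Drift) {
    Write-Host 'No drift: every on-premises disabled user is blocked in Azure AD.'
    return
}

foreach ($User in $Drift) {
    if ($WhatIf) {
        Write-Host ('Would block cloud logon: {0}' -f $User.UserPrincipalName)
    }
    else {
        Write-Host ('Blocking cloud logon: {0}' -f $User.UserPrincipalName)
        Set-MsolUser -UserPrincipalName $User.UserPrincipalName -BlockCredential $true
    }
}
```

Run it once with -WhatIf after the attribute has been excluded; if it reports drift you did not expect, the exclusion is already costing you a control you relied on. The script only ever sets BlockCredential to $true; re-enabling is left to a deliberate administrative action.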

Enjoy Office 365.

On February 17, 2017

Description

Using this script you can test the availability of a domain in Office 365 and Azure AD. Because the sovereign clouds are separate from the global cloud and from each other, a domain has to be tested per dedicated Office 365 region.

Regions currently implemented:

  • Global
    This is the default public Office 365 cloud
  • Germany
    This is the dedicated Germany Cloud offering aka Office 365 Germany
  • China
    This is the Office 365 region operated by 21Vianet

The script queries the login URI of the selected Office 365 region.

The response contains metadata about the queried domain. If the domain already exists in the specified region, the metadata states whether the domain is verified and/or federated.
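To make the lookup concrete, here is an added function of my own (not the Test-DomainAvailability.ps1 script the post links to). It performs the kind of per-region realm query the post describes: it asks the login endpoint of the chosen region for the realm information of the domain and reads the namespace type from the answer. The region-to-login-host mapping, the unauthenticated getuserrealm.srf endpoint with json=1, and the placeholder local part "probe" are my assumptions; the function name Get-O365DomainRealm is hypothetical.

```powershell
# Added example, not the original Test-DomainAvailability.ps1.
function Get-O365DomainRealm {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainName,

        [ValidateSet('Global', 'Germany', 'China')]
        [string]$LookupRegion = 'Global'
    )

    # Assumed login hosts per region
    $LoginHosts = @{
        Global  = 'login.microsoftonline.com'
        Germany = 'login.microsoftonline.de'
        China   = 'login.partner.microsoftonline.cn'
    }
    $LoginHost = $LoginHosts[$LookupRegion]

    # Assumed endpoint: the login service's realm discovery, JSON flavour
    $Uri = 'https://{0}/getuserrealm.srf?login=probe@{1}&json=1' -f $LoginHost, $DomainName

    try {
        $Realm = Invoke-RestMethod -Uri $Uri -Method Get -ErrorAction Stop
    }
    catch {
        throw ('Realm lookup against {0} failed: {1}' -f $LoginHost, $_.Exception.Message)
    }

    # NameSpaceType: Unknown   = domain not known to this region's login service
    #                Managed   = registered, cloud-authenticated
    #                Federated = registered, authentication handed to an STS (AuthURL)
    [pscustomobject]@{
        DomainName    = $DomainName
        Region        = $LookupRegion
        LoginHost     = $LoginHost
        NameSpaceType = $Realm.NameSpaceType
        Available     = ($Realm.NameSpaceType -eq 'Unknown')
        Federated     = ($Realm.NameSpaceType -eq 'Federated')
        AuthUrl       = $Realm.AuthURL
    }
}

# Usage: the same domain checked in two regions
Get-O365DomainRealm -DomainName example.com
Get-O365DomainRealm -DomainName example.com -LookupRegion China
```

Treat Unknown as "not known to the login service of that region", not as a guarantee that nobody has added the domain to a tenant pending verification. Note also that this realm endpoint answers unauthenticated requests, which is exactly why it is a standard reconnaissance step for anyone mapping which of your domains are managed and which are federated; nothing in your tenant sees these queries.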

 Load function into your current PowerShell session:

. .\Test-DomainAvailability.ps1


Examples

# EXAMPLE
# Test domain availability in the default region - Office 365 Global

Test-DomainAvailability -DomainName example.com 

# EXAMPLE
# Test domain availability in Office 365 China    

Test-DomainAvailability -DomainName example.com -LookupRegion China

Version History

  • 1.0, Initial community release

Additional Credits

Original source: https://blogs.technet.microsoft.com/tip_of_the_day/2017/02/16/cloud-tip-of-the-day-use-powershell-to-check-domain-availability-for-office-365-and-azure/


Problem

A mobile device running Android may not be redirected properly by the on-premises AutoDiscover service after its mailbox has been migrated to Office 365.

The redirect is keyed on the device prefix, the start of the User-Agent string the device sends: if Exchange Server does not recognize the prefix, the device is not redirected. The device redirect feature for Android devices was introduced in Exchange Server 2010 SP3 RU9, Exchange Server 2013 CU8, and Exchange Server 2016.

The following device prefixes are known to Exchange by default:

  • Acer, ADR9, Ally, Amazon, Android, ASUS, EasClient, FUJITSU, HTC, HUAWEI, LG, LS, Moto, Mozilla, NEC, Nokia, Palm, PANASONIC, PANTECH, Remoba, Samsung, SEMC, SHARP, SONY-, TOSHIBA, Vortex, VS, ZTE

Solution

If the device prefix of your device is not part of the default list, you can add the prefix to the AutoDiscover web.config file.

Add the device prefix to the comma-separated value of the MobileSyncRedirectBypassClientPrefixes key in the appSettings node, and make sure MobileSyncRedirectBypassEnabled is set to true:

  <appSettings>
    <add key="LiveIdBasicAuthModule.AllowLiveIDOnlyAuth" value="true" />
    <add key="LiveIdBasicAuthModule.ApplicationName" value="Microsoft.Exchange.Autodiscover" />
    <add key="LiveIdBasicAuthModule.RecoverableErrorStatus" value="456" />
    <add key="LiveIdBasicAuthModule.PasswordExpiredErrorStatus" value="457" />
    <add key="ActiveManagerCacheExpirationIntervalSecs" value="5" />
    <add key="ProxyRequestTimeOutInMilliSeconds" value="30000" />
    <add key="LiveIdNegotiateAuxiliaryModule.AllowLiveIDOnlyAuth" value="true" />
    <add key="TrustedClientsForInstanceBasedPerfCounters" value="bes" />
    <add key="InstanceBasedPerfCounterTimeWindowInterval" value="900000" />
    <add key="MobileSyncRedirectBypassEnabled" value="true" />
    <add key="MobileSyncRedirectBypassClientPrefixes" value="Acer,ADR9,Ally,Amazon,Android,ASUS,EasClient,FUJITSU,HTC,HUAWEI,LG,LS,Moto,Mozilla,NEC,Nokia,Palm,PANASONIC,PANTECH,Remoba,Samsung,SEMC,SHARP,SONY-,TOSHIBA,Vortex,VS,ZTE" />
  </appSettings>

File location

%ExchangeInstallPath%\ClientAccess\Autodiscover\web.config

Notes

  • Modify the web.config on each Exchange 2010/2013 Client Access Server and each Exchange 2016 server.
  • After installing an Exchange 2013/2016 CU, the web.config must be modified again.

As always: Be careful when modifying application settings. Test such changes in a test environment first, if possible.
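Because every CU overwrites the file, the change is best kept as a re-runnable script rather than a manual edit. The following is an added example (my code, not from the original post) that appends one or more prefixes to MobileSyncRedirectBypassClientPrefixes only if they are missing, after taking a timestamped backup of web.config. It assumes it is run in an elevated shell on the Exchange server, that $env:ExchangeInstallPath is set (Exchange setup does this), and the script file name Add-AutodiscoverDevicePrefix.ps1 is hypothetical.

```powershell
# Added example, not from the original post.
# Usage: .\Add-AutodiscoverDevicePrefix.ps1 -Prefix 'MyVendor','OtherVendor'
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Prefix,

    [string]$WebConfig = (Join-Path $env:ExchangeInstallPath 'ClientAccess\Autodiscover\web.config')
)

if (-not (Test-Path -Path $WebConfig)) {
    throw "web.config not found: $WebConfig"
}

# Backup first: a broken web.config takes Autodiscover down for every client.
$Backup = '{0}.{1}.bak' -f $WebConfig, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -Path $WebConfig -Destination $Backup

[xml]$Config = Get-Content -Path $WebConfig -Raw
$Settings   = $Config.configuration.appSettings.add

$PrefixNode = $Settings | Where-Object { $_.key -eq 'MobileSyncRedirectBypassClientPrefixes' }
if (-not $PrefixNode) {
    throw 'MobileSyncRedirectBypassClientPrefixes not found; is this the Autodiscover web.config?'
}

# The prefix list has no effect unless the bypass itself is switched on.
$EnabledNode = $Settings | Where-Object { $_.key -eq 'MobileSyncRedirectBypassEnabled' }
if (-not $EnabledNode -or $EnabledNode.value -ne 'true') {
    Write-Warning 'MobileSyncRedirectBypassEnabled is not true; added prefixes will be ignored until it is.'
}

# Idempotent: only append prefixes that are not already in the list.
$Current = $PrefixNode.value -split ','
$Missing = $Prefix | Where-Object { $Current -notcontains $_ }

if (-not $Missing) {
    Write-Host 'All requested prefixes are already present; nothing changed.'
    Remove-Item -Path $Backup
    return
}

$PrefixNode.value = ($Current + $Missing) -join ','
$Config.Save($WebConfig)

Write-Host ('Added prefix(es): {0}' -f ($Missing -join ', '))
Write-Host ('Backup written to: {0}' -f $Backup)
```

Run it on every Client Access Server (2010/2013) or Exchange 2016 server and again after each CU. Saving through the XML parser can re-serialize the file slightly differently from the original, so compare the result with the backup the first time you use it.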


Do you need assistance with your Exchange Server setup? Do you have questions about your Exchange Server infrastructure and going hybrid? Are you interested in what Exchange Server 2016 has to offer for your environment?

Contact me at thomas@mcsmemail.de
Follow at https://twitter.com/stensitzki


Troubleshooting Outlook connectivity issues with Office 365 is tricky. Administrators can use two valuable tools provided by Microsoft to identify, and in many cases fix, client-related connectivity issues.

1. Outlook Account Test Page

Start with the Outlook account problems test page in the Office 365 portal. You need to log on as the Office 365 user having issues.

SARA Server

The site tests for the following:

  • You cannot create an Outlook profile or you are asked for your password repeatedly when creating one.
  • You cannot connect to your mailbox or receive an error that a mailbox cannot be found.
  • You are getting invalid license errors or messages that Office cannot verify the license.

If no issues are identified after you've logged on to Office 365, move to the next step.

2. Support and Recovery Assistant

The Microsoft Support and Recovery Assistant (SARA) for Office 365 is a click-to-run tool that is downloaded, installed and executed locally on the affected client.

Support and Recovery Assistant (SARA)

These two tools fix most of the Outlook connectivity issues you are facing as an Office 365 administrator.


Enjoy Office 365

Book Review: Office 365 for Exchange Professionals

At DEV/IT Connection the new release of Office 365 for Exchange Professionals was published.

Personally I recommend this book to every Exchange professional who wants to implement Exchange Hybrid setups or needs to migrate to Office 365. If you want to be successful, read this book and use it as a reference.

The information provided reflects the experience of the authors, who contribute to the Exchange community regularly. It has been written without any Office 365 marketing in mind (one of the authors is Tony Redmond, after all).

The chapters provide an overview of the various technologies as well as detailed information for the day-to-day work of an Exchange administrator. Notes from the field help to understand the complex (or not so complex at all) requirements of Exchange hybrid configurations.

Due to the nature of "The Service", an Exchange administrator needs to keep up with the changes deployed constantly. This book covers the most recent changes and evolution of "The Service", like Groups or Delve.

I will keep it short:

Buy It. Read It. Enjoy It.

Not joking...

Buy the Book
