Category Archives: Exchange Online

Mimecast trust cert hacked in Microsoft supply chain

image

Threatpost and other security news sites reported that a Mimecast-issued certificate, used to authenticate some of the company's products to Microsoft 365 Exchange Web Services, had been "compromised by a sophisticated threat actor," as the company announced.

Office 365 Products and Services Explained

Mimecast provides email security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast’s servers. The certificate in question is used to verify and authenticate those connections made to Mimecast’s Sync and Recover (backups for mailbox folder structure, calendar content and contacts from Exchange On-Premises or Microsoft 365 mailboxes), Continuity Monitor (looks for disruptions in email traffic) and Internal Email Protect (IEP) (inspects internally generated emails for malicious links, attachments or for sensitive content).

A compromise means that attackers could take over the connection through which inbound and outbound mail flows, researchers said. It would be possible to intercept that traffic, or possibly to reach into customers' Microsoft 365 Exchange Web Services and steal information. Mimecast asked the affected customers to delete the existing connection in their Microsoft 365 tenant and re-establish it with the newly issued certificate, which is the practical takeaway for anyone running such integrations: treat the old certificate as untrusted and rotate it.

Reference:

https://threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/

https://www.crn.com/news/security/hackers-compromise-mimecast-certificate-for-microsoft-authentication

Upgrading Exchange Online PowerShell to V2 Module

Managing Exchange Online

If you have Exchange Online and your users are MFA-enabled, you have most likely been connecting to Exchange Online PowerShell through the click-to-run module launched from the Hybrid page of the Exchange admin center (ECP), since that was the only supported way to connect with MFA.

image

Clicking on Configure installs the click-to-run Exchange Online PowerShell module, which looks like the screenshot below.

image

New PowerShell with MFA support

If you have launched Exchange Online PowerShell recently, you have most likely noticed a red banner inviting you to try the new (preview) Exchange Online PowerShell V2 module.

Microsoft has released a new version of the Exchange Online PowerShell module that supports MFA and can be run directly from your computer, without logging in to the Exchange Online admin center and downloading anything from there. Details are in the Microsoft documentation linked under Reference at the end of this post.

As stated in that article, the module is still in preview, so it has known and probably unknown bugs as well.

How to Install it?

The installation is straightforward. Launch Windows PowerShell as an Administrator (required for the installation) and run these four commands:

Set-ExecutionPolicy RemoteSigned

Install-Module PowerShellGet -Force

Update-Module PowerShellGet

Install-Module -Name ExchangeOnlineManagement

image

You might get a warning that the module you're about to install comes from an untrusted repository (the PowerShell Gallery is not trusted by default); accept it by typing Y and pressing Enter.

Run the following to confirm that the Exchange Online Management module is installed and loaded:

Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

image

Connecting to Exchange Online

To connect to Exchange Online, run the following, adding the new -EnableErrorReporting parameter, which records every cmdlet you run together with any errors it generated. -LogDirectoryPath expects a folder, not a file name; the module creates its own log files inside it.

Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath E:\ExchOnlineLogs -LogLevel All

image

image

After connecting, I am going to try and run two commands the Old Cmdlets and New Cmdlet and see the difference between them:

  1. Get-CASMailbox -ResultSize 10
  2. Get-EXOCasMailbox -ResultSize 10

image

The new cmdlet returns more details. Although it is advertised as faster, it took a few seconds longer than the old one on this run (probably a first-call cost).

image

After you run those two cmdlets there will be two files in the log directory that the -LogDirectoryPath parameter points to.

The CSV files record, for each cmdlet, the HTTP method used for the call along with the request and response latency, which is exactly what you want when troubleshooting a slow or failing connection.

image

This new version looks extremely useful, especially in environments where such detailed telemetry is needed for troubleshooting.
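As an added example (not code from the original post), the script below puts the whole procedure together: it connects with the V2 module and session logging enabled, times the old remote-PowerShell cmdlet against its REST-based EXO twin twice each so the first-call cost is visible, shows how to ask the EXO cmdlet for its full property set, and reads back the log the module wrote. The admin UPN, the log folder and the use of -PropertySets All (a parameter of the released module) are assumptions for this example.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed; the UPN and log folder below are placeholders.
$LogDir = 'E:\ExchOnlineLogs'
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com' `
    -EnableErrorReporting -LogDirectoryPath $LogDir -LogLevel All -ShowBanner:$false

# Run each cmdlet twice: the first EXO* call pays a one-off setup cost,
# the second run shows the steady-state latency.
$results = foreach ($Cmd in 'Get-CASMailbox', 'Get-EXOCasMailbox') {
    foreach ($Run in 1, 2) {
        $t = Measure-Command { & $Cmd -ResultSize 10 | Out-Null }
        [pscustomobject]@{ Cmdlet = $Cmd; Run = $Run; Milliseconds = [int]$t.TotalMilliseconds }
    }
}
$results | Format-Table -AutoSize

# The EXO* cmdlets return a reduced default property set; -PropertySets All
# (or -Properties <list>) asks for everything the RPS cmdlet would have returned.
$OldProps = (Get-CASMailbox -ResultSize 1 | Get-Member -MemberType Property).Count
$NewProps = (Get-EXOCasMailbox -ResultSize 1 -PropertySets All | Get-Member -MemberType Property).Count
"Get-CASMailbox: $OldProps properties, Get-EXOCasMailbox (All): $NewProps properties"

# Inspect what the module logged for this session (method, latency, errors)
Get-ChildItem $LogDir -Filter '*.csv' | Sort-Object LastWriteTime -Descending | Select-Object -First 2 |
    ForEach-Object { Import-Csv $_.FullName | Select-Object -First 5 | Format-List }

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a normal (non-elevated) PowerShell window; only the module installation needs administrator rights. Keep the log folder on a volume with restricted ACLs, since the logs contain every cmdlet and parameter you ran.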

Stay tuned for more

Reference:

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/exchange-online-powershell-v2?view=exchange-ps

Use Group Based Licensing to Activate Office 365 Users

The Story

I got a request to place users into security groups for management purposes. The client already had active users, but many of them had left the company and still held E1 or E3 licenses, which they should not have since these are pricey licenses; moving license assignment to groups and keeping a record of the users' details is the easiest and most cost-effective way to handle this.

So, To start (Prerequisites):

Group-based licensing is a fairly recent feature that not many people know about. It does not come for free, as you would expect from Microsoft: the tenant must hold Azure AD Premium P1 or higher, or Office 365 E3 or higher (an EMS E3/E5 subscription includes Azure AD Premium P1). So the requirements are one of:

  • Azure AD Premium P1 or higher
  • Office 365 E3 or higher
  • EMS E3 or higher (includes Azure AD Premium P1)

How does it work?

Before you start, plan where you want to manage those groups and their membership: online (Azure AD) or on-premises (Active Directory)?

If Online

If you’re going to do this online, then you need to create a group for each Licensing Model which represents the intended License and its users e.g. Office365-E1 is going to be created as a security group and dedicated to E1 License users.

Office365-E3 will also be created the same way and users of License type E3 will be added to it.

If On-Premises

If you are going to manage those groups on-premises, you must have Azure AD Connect (formerly AAD Sync) to synchronise them to Azure AD after creating them.

In my case I have created those groups in the following manner:

image

After creating those groups, sync them to Office 365 with Azure AD Connect. To force an immediate sync, open PowerShell on the Azure AD Connect server and run:

Start-ADSyncSyncCycle -PolicyType delta

image

image

What If I have users already assigned with License?

If you already have users with licenses assigned and want to manage them with group-based licensing, you need to export all your users with their license information to a CSV file, then add each user to the group that matches the license they hold.

I wrote a PowerShell script that matches users by UPN and, based on the license in the CSV file, adds them to the relevant group. First, export the users from Office 365.

Export users and their licenses from Office 365

First, connect to the Office 365 MSOnline service (Connect-MsolService) from PowerShell.

image

Get-MsolUser -All | Where-Object { $_.IsLicensed -eq $true } | Select-Object DisplayName,UsageLocation,@{n="LicenseType";e={$_.Licenses.AccountSkuId -join ";"}},SignInName,UserPrincipalName,@{n="ProxyAddresses";e={$_.ProxyAddresses -join ";"}} | Export-Csv -Path C:\ExportlicenseUsage.csv -NoTypeInformation

image

This is how my CSV looked right after the export. The file needs a little cleanup before it is ready for the script.

image

There are six columns in this file. If for whatever reason you want to use ProxyAddresses to distinguish users, keep the column; in my case I didn't need it, so I deleted the entire column.

So I keep the following (the script reads the license column as LicenseType, so make sure the header has no space in it):

  • DisplayName
  • UsageLocation
  • LicenseType
  • SignInName
  • UserPrincipalName

Each AccountSkuId value is formatted as "TenantName:License" (for example contoso:ENTERPRISEPACK), and a user holding several licenses has them joined with semicolons. To make the column useful I remove the tenant name from all the cells so that only the SKU names remain.

Find and Replace in Excel does this in one go (search for "TenantName:" and replace it with nothing).

image

After cleaning the column, this is how it looks

image

This should be useful for us now along with the PowerShell to add the users to their relevant groups.

On Active Directory, from an elevated PowerShell

Run PowerShell ISE from a privileged account on a domain-joined machine that has the ActiveDirectory module, and paste this script into ISE:

$ImportedUsers = Import-Csv "C:\Users\AD\Desktop\ExportlicenseUsage.csv"

# On-premises group names (synced to Azure AD by Azure AD Connect)
$E3  = "E3-Office365"
$E1  = "E1-Office365"
$EMS = "EMS-Office365"

Foreach ($ImportedUser in $ImportedUsers) {
    $License     = $ImportedUser.LicenseType        # e.g. "ENTERPRISEPACK;EMS" after cleaning
    $ImportedUPN = $ImportedUser.UserPrincipalName

    # Look the AD user up by UPN instead of scanning every AD object for every CSV row;
    # the CSV has no SamAccountName column, so take it from the AD object
    $User = Get-ADUser -Filter "UserPrincipalName -eq '$ImportedUPN'" -ErrorAction SilentlyContinue
    if (-not $User) {
        Write-Host "$ImportedUPN not found in AD, skipping" -ForegroundColor Yellow
        continue
    }
    $Sam = $User.SamAccountName

    # A user can hold more than one SKU, so test each one independently (no ElseIf);
    # -match does a substring match, -contains would only match a whole value
    if ($License -match "EMS") {
        Add-ADGroupMember -Identity $EMS -Members $Sam
        Write-Host "$ImportedUPN has an EMS license and has been added to the group $EMS" -ForegroundColor DarkGreen -BackgroundColor White
    }
    if ($License -match "STANDARDPACK") {
        Add-ADGroupMember -Identity $E1 -Members $Sam
        Write-Host "$ImportedUPN has an E1 license and has been added to the group $E1" -ForegroundColor Black -BackgroundColor Green
    }
    if ($License -match "ENTERPRISEPACK") {
        Add-ADGroupMember -Identity $E3 -Members $Sam
        Write-Host "$ImportedUPN has an E3 license and has been added to the group $E3" -ForegroundColor Blue -BackgroundColor White
    }
}

image

Enabling Group Based License from Azure Portal

After this script finishes, I can open Azure Portal

From Azure Active Directory > Licenses > All Products

image

I choose the license that I want to assign to one of the groups I created in my on-premises AD.

image

Click on the license (Office 365 E1) and choose Assign from the top menu.

image

Under Assignment options, customise the license so that only the service plans you want the group members to use are enabled, then click Users and groups and select the group you created (in my case E1-Office365).

image

Here, The group has been assigned

image

Click assign and you should be done

image

We will do the same for E3 Users

image

image

NOTE

From now on, removing a user from this group revokes the license and every service attached to it (mailbox access included), unless the user also holds a direct assignment of the same license. Be very careful when removing users from these groups, and check the group for licensing errors after each change.

Microsoft has documented this thoroughly, including scripts for tasks such as finding users whose license is inherited from a group versus assigned directly. The references below are worth reading if you want to go further.
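As an added example (not from the original post or Microsoft's documentation), the script below does the check you want once the groups are in place: for each licensed user it reads GroupsAssigningLicense on every license object to tell direct assignments from group-inherited ones, reports the users who have both for the same SKU, optionally removes the redundant direct assignment so the group becomes the single source of truth, and finally lists groups with licensing errors. It assumes the MSOnline module and an open Connect-MsolService session; the SKU list and the $WhatIf switch are placeholders.

```powershell
# Added example, not from the original post. Assumes an existing Connect-MsolService session.
$Skus   = @('ENTERPRISEPACK', 'STANDARDPACK', 'EMS')   # E3, E1, EMS (placeholders)
$WhatIf = $true                                         # set to $false to actually remove

# Tenant prefix of AccountSkuId, e.g. "contoso" in "contoso:ENTERPRISEPACK"
$TenantPrefix = (Get-MsolAccountSku | Select-Object -First 1).AccountSkuId.Split(':')[0]

$Report = foreach ($User in (Get-MsolUser -All | Where-Object { $_.IsLicensed })) {
    foreach ($Lic in $User.Licenses) {
        $Sku = $Lic.AccountSkuId.Split(':')[1]
        if ($Sku -notin $Skus) { continue }
        # GroupsAssigningLicense holds the ObjectIds of the groups granting this SKU.
        # A direct assignment shows up as the user's own ObjectId, or as an empty list.
        $Groups    = @($Lic.GroupsAssigningLicense)
        $Direct    = ($Groups.Count -eq 0) -or ($Groups -contains $User.ObjectId)
        $Inherited = @($Groups | Where-Object { $_ -ne $User.ObjectId }).Count -gt 0
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            Sku               = $Sku
            Direct            = $Direct
            Inherited         = $Inherited
        }
    }
}

$Report | Sort-Object UserPrincipalName, Sku | Format-Table -AutoSize

# Users who hold the same SKU both directly and via a group: drop the direct one,
# the group assignment keeps the license (and the mailbox) in place.
foreach ($Row in ($Report | Where-Object { $_.Direct -and $_.Inherited })) {
    $SkuId = '{0}:{1}' -f $TenantPrefix, $Row.Sku
    if ($WhatIf) {
        Write-Host "Would remove direct $SkuId from $($Row.UserPrincipalName)"
    } else {
        Set-MsolUserLicense -UserPrincipalName $Row.UserPrincipalName -RemoveLicenses $SkuId
        Write-Host "Removed direct $SkuId from $($Row.UserPrincipalName)"
    }
}

# Groups whose members could not be licensed (no seats left, conflicting service plans, ...)
Get-MsolGroup -HasLicenseErrorsOnly $true | Select-Object DisplayName, ObjectId | Format-Table -AutoSize
```

Run it with $WhatIf left at $true first and review the report; users flagged Direct but not Inherited are the ones who are not yet in any licensing group and would lose their license if you removed the direct assignment.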

References:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-assign

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-ps-examples

How to Sync Cloud User to On-premises AD ?

The Story:

I have a client who keeps making the same mistake: creating users in the cloud and assigning them a license in an Exchange Hybrid environment.

This is not difficult to fix, but it is not the recommended way to create a new user in a hybrid environment: Exchange on-premises has no mail-enabled object for such a user, so cross-premises mail routing breaks and mail from the user may be treated as spoofed or as spam.

How to Create a Cloud user from Exchange On-premises?

From Exchange on-premises ECP Admin panel you have the option to directly create user on-cloud which will also create a user object on on-premises AD.

image

Second option – Using Powershell

This is no different from the web UI option, it's just for people who prefer PowerShell. Enable-RemoteMailbox mail-enables an existing AD user and creates the mailbox in Exchange Online; for a brand new user, New-RemoteMailbox creates the AD account and the remote mailbox in one step.

Enable-RemoteMailbox -Identity User -RemoteRoutingAddress user@yourTenant.mail.onmicrosoft.com

The reason to follow one of these two methods is that Exchange on-premises must be aware of each user, so that mail flow between Exchange on-premises and Exchange Online is not affected, i.e. the user's mail is not routed to the wrong place or flagged as spam or spoofed.

The Real Question now is: How to Sync Cloud User to On-premises AD ?

If by mistake we created a user in the cloud (Office 365) and forgot to create an AD user for it, that user might already have started using the account in Office 365 (SharePoint, Exchange, Teams and so on).

There may also be a plan to move users from the cloud back to Exchange on-premises, for instance to reduce spending on cloud licenses. In that case, migrating a cloud-only user to on-premises fails with the following error:

image

test3@domain.com

Status: Failed

test3@domain.com Skipped item details

User status

Data migrated:

Migration rate:

Last successful sync date:

Error: MigrationPermanentException: Cannot find a recipient that has mailbox GUID '03c9764e-8b8e-4f33-94d1-ef098c4de656'. --> Cannot find a recipient that has mailbox GUID '03c9764e-8b8e-4f33-94d1-ef098c4de656'.

So how do we get out of this situation, given that syncing a user would otherwise require deleting the cloud user and recreating it in AD?

Solution:

To sync the user from the Cloud to on-premises you will need to follow these steps :

1- Create an on-premises user object whose following attributes match the cloud user:

  • UserPrincipalName
  • ProxyAddresses (all SMTP addresses, including the tenant.mail.onmicrosoft.com one)
  • SamAccountName
  • Alias (mailNickname)

2- The OU in which the on-premises user is created must be within the scope synchronised by Azure AD Connect.

You can see which OUs are in scope from the Synchronization Service Manager (Connectors, select the on-premises AD connector, Properties, Configure Directory Partitions, Containers).

image

After verifying that the user you created is in the right OU, start a delta sync from PowerShell on the Azure AD Connect server (Start-ADSyncSyncCycle -PolicyType Delta) to speed up the process.

image

Below, You can see the user has been successfully synchronized to the cloud without any issue.

image

Now we’ll see it from the portal to confirm the user is synced with AD

image

Depending on the source anchor used by Azure AD Connect there may or may not be a GUID conflict. If there is, you get an error similar to the migration error at the beginning; you can solve it by setting the cloud user's ImmutableId to the value derived from the on-premises user's objectGUID, which forces the cloud object to soft-match and merge with the on-premises one.

Let's confirm in our case whether the cloud user's ImmutableId matches the on-premises user.

From CMD or PowerShell you can use ldifde to export the user, including its objectGUID; with the default source anchor, the base64 form of that GUID is exactly the ImmutableId.

ldifde -f c:\Test.txt -d "cn=Test3,DC=Domain,DC=com"

image

Checking the notepad we just exported you can see the Immutable ID on AD for the User test3 is IkTni9mw7Ee4YefeGpz7IA==

image

To see the user in Office 365 we need to connect to the MSOnline service; the Exchange Online PowerShell module gives us an MFA-capable PowerShell window to do that from.

Connect to Exchange Online PowerShell using your online ECP.

image

Once you click Configure, an executable is downloaded that launches Exchange Online PowerShell with modern authentication (MFA), so you can use PowerShell safely.

image

Connect-MsolService connects you to Office 365, after which you can read the user's properties and check whether the ImmutableId matches the on-premises objectGUID.

Once connected, use the following cmdlet to get the user's properties:

Get-MsolUser -UserPrincipalName test3@domain.com | fl DisplayName,ImmutableID

image

You can see they match. If there is a conflict, set the cloud user's ImmutableId to the on-premises value (Set-MsolUser -UserPrincipalName test3@domain.com -ImmutableId <base64 objectGUID>) and run a delta sync; that should solve the problem. This only works while the cloud user is not yet linked to a different on-premises object.
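The comparison above done in one script, as an added example that is not part of the original post: it computes the ImmutableId that Azure AD Connect derives from the on-premises objectGUID (the default source anchor), decodes the cloud user's ImmutableId back into a GUID so the two can be compared by eye, and, only when the cloud user is still cloud-only and $Apply is set, stamps the on-premises value on the cloud user so the next delta sync soft-matches the two objects. It assumes the ActiveDirectory and MSOnline modules and an open Connect-MsolService session; test3@domain.com is the user from the post and $Apply is a placeholder switch.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService has been run.
$Upn   = 'test3@domain.com'
$Apply = $false      # set to $true to write the ImmutableId to the cloud user

Import-Module ActiveDirectory

$AdUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
if (-not $AdUser) { throw "No on-premises user with UPN $Upn" }

# ImmutableId = base64 of the 16 raw GUID bytes; this is the same string ldifde
# shows for objectGUID (IkTni9mw7Ee4YefeGpz7IA== in the post)
$OnPremImmutableId = [Convert]::ToBase64String($AdUser.ObjectGUID.ToByteArray())

$CloudUser        = Get-MsolUser -UserPrincipalName $Upn
$CloudImmutableId = $CloudUser.ImmutableId

# Decode the cloud value back to a GUID (only possible if it is a base64 objectGUID)
$CloudGuid = $null
if ($CloudImmutableId) {
    try { $CloudGuid = [Guid]::new([Convert]::FromBase64String($CloudImmutableId)) } catch { }
}

[pscustomobject]@{
    UPN               = $Upn
    OnPremObjectGuid  = $AdUser.ObjectGUID
    OnPremImmutableId = $OnPremImmutableId
    CloudImmutableId  = $CloudImmutableId
    CloudGuid         = $CloudGuid
    AlreadySynced     = [bool]$CloudUser.LastDirSyncTime
    Match             = ($OnPremImmutableId -eq $CloudImmutableId)
} | Format-List

if ($OnPremImmutableId -ne $CloudImmutableId) {
    if ($CloudImmutableId -and $CloudUser.LastDirSyncTime) {
        # Overwriting the anchor of an object that is already synced to another AD
        # object would orphan that object; fix the on-premises side instead.
        Write-Warning 'Cloud user is already synced with a different anchor; do not overwrite ImmutableId.'
    } elseif ($Apply) {
        Set-MsolUser -UserPrincipalName $Upn -ImmutableId $OnPremImmutableId
        Write-Host "ImmutableId set. Now run Start-ADSyncSyncCycle -PolicyType Delta on the AD Connect server."
    } else {
        Write-Host "Would set ImmutableId to $OnPremImmutableId (set `$Apply = `$true to apply)"
    }
}
```

If your Azure AD Connect deployment uses ms-DS-ConsistencyGuid as the source anchor, compare against that attribute instead of objectGUID; the base64 encoding step is the same.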

Ref:

https://support.microsoft.com/en-us/help/2956029/migrationpermanentexception-cannot-find-a-recipient-that-has-mailbox-g

https://docs.microsoft.com/en-us/exchange/hybrid-deployment/create-cloud-based-archive

How to Bulk Delete Exchange Online Distribution and Office 365 groups


Part of an Office 365 security audit is to make sure that every user and group in your organisation exists for a purpose you know about, and that you control these users and groups.

While auditing groups in the Office 365 Exchange admin center I noticed that it is not possible to bulk-delete groups from the admin center; it has to be done one by one, or the better and more professional way, with PowerShell.


Create CSV for groups to be deleted:

To delete multiple groups at once you first need a file listing the groups to delete. Download the CSV from the Groups tab in the Exchange admin center, as in the screenshot below.

image

Once you have the file, add a column in which you mark the groups to be deleted, then filter on that column and export the rows to be deleted as a new CSV.


image


Connect to Office 365:

Once the file is ready you only need to connect to Office 365. At the time of writing this meant creating an app password for the privileged account if MFA was enabled, because the remote PowerShell session used below authenticates with basic authentication. Microsoft has since retired basic authentication and app passwords for Exchange Online PowerShell; today, use Connect-ExchangeOnline from the ExchangeOnlineManagement module instead, which supports MFA directly and needs no app password.

To create an app password (where your tenant still allows them), log in to your account and follow these steps:

https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183

After logging in to Exchange Online (Office 365) you can bulk-delete groups with the following script:

# This script deletes selected groups imported from the CSV file "Groups-to-delete.csv"
# CSV columns (exported from the Exchange admin center, with a Delete column added):
# DISPLAYNAME,GROUPTYPE,STATUS,EMAIL,Delete
# Group1(ADEO),Distribution list,,Group1@Moh10ly.com,yes
# Only rows whose Delete column is "yes" are processed.
# Basic authentication with an app password, as used here, has since been retired for
# Exchange Online PowerShell; with the ExchangeOnlineManagement module replace the three
# session lines below with: Connect-ExchangeOnline
$cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
$groups = Import-Csv "C:\Users\groups-to-delete.csv" | Where-Object { $_.Delete -eq "yes" }
foreach ($group in $groups)
{
    $GroupID = $group.EMAIL
    $DN = $group.DISPLAYNAME
    # -ErrorAction SilentlyContinue: a missing group yields $null instead of a red error
    if (Get-DistributionGroup -Identity $GroupID -ErrorAction SilentlyContinue) {
        Write-Host "$DN exists and will be deleted" -ForegroundColor Green
        Remove-DistributionGroup -Identity $GroupID -Confirm   # prompts per group; use -Confirm:$false to skip the prompt
    } else {
        Write-Host "$DN group doesn't exist"
    }
}
Remove-PSSession $Session

image


Delete Office 365 Type Groups:

If you have Office 365 groups, those are not Exchange distribution groups: they live in Azure AD, not on the Exchange side, and must be deleted from there. Assume I want to delete the Office 365 groups that have "Kaizala" in their display name.

First, connect to Azure AD (Connect-AzureAD from the AzureAD module), which lets you see the Office 365 groups and delete them.


Connecting to Azure AD

image

Let's look up the Kaizala groups and confirm the filter returns exactly what we expect before deleting anything:

Get-AzureADMSGroup | Where-Object {$_.DisplayName -like "*kaiza*"}

image

Now delete them by piping the same filter into Remove-AzureADMSGroup:

Get-AzureADMSGroup | Where-Object {$_.DisplayName -like "*kaiza*"} | Remove-AzureADMSGroup

image

image

After deleting, we can see that the Kaizala groups are all gone.

NOTE: Deleted Office 365 groups are soft-deleted and kept for 30 days; if you deleted one by mistake you can restore it from the admin center or with PowerShell (Get-AzureADMSDeletedGroup / Restore-AzureADMSDeletedDirectoryObject) within that window, after which they are permanently removed. Distribution groups removed with Remove-DistributionGroup have no recycle bin, so double-check the CSV before running the script above.
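As an added example (not code from the original post), the script below wraps the Kaizala deletion in a dry run: it shows the groups the pattern matches, deletes them only when -Apply is given, and then lists the soft-deleted groups together with the restore command for the 30-day window. It assumes the AzureAD module with an open Connect-AzureAD session; the pattern and the -Apply switch are placeholders, and Get-AzureADMSDeletedGroup requires a recent version of the module.

```powershell
# Added example, not from the original post. Assumes Connect-AzureAD has been run.
param(
    [string]$Pattern = '*kaiza*',   # display-name pattern of the groups to remove (placeholder)
    [switch]$Apply                  # without it nothing is deleted
)

$Targets = @(Get-AzureADMSGroup -All $true | Where-Object { $_.DisplayName -like $Pattern })
if ($Targets.Count -eq 0) { Write-Host "No groups match $Pattern"; return }

# Show exactly what the pattern matched; GroupTypes "Unified" marks an Office 365 group
$Targets | Select-Object DisplayName, Id, MailEnabled, SecurityEnabled,
    @{n = 'GroupTypes'; e = { $_.GroupTypes -join ',' }} | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host "$($Targets.Count) group(s) would be deleted. Re-run with -Apply to delete."
    return
}

foreach ($G in $Targets) {
    Remove-AzureADMSGroup -Id $G.Id
    Write-Host "Deleted $($G.DisplayName) ($($G.Id))"
}

# Unified groups land in the recycle bin and can be restored for 30 days
Get-AzureADMSDeletedGroup | Select-Object DisplayName, Id, DeletedDateTime | Format-Table -AutoSize

# To undo a mistaken deletion within that window:
# Restore-AzureADMSDeletedDirectoryObject -Id <Id from the list above>
```

Save it as a .ps1 and run it first without -Apply; a display-name pattern like "*kaiza*" can easily match more than you intended.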


Hope this article helped you.

Remove old Exchange 2010-2013 migration with hybrid office 365

 

You might want to reset your Hybrid configuration or start it from scratch because you are having issues with it or it is not functioning properly. In Exchange 2010, removing the hybrid integration from PowerShell almost always ends in errors or simply does not work.

To get around this and get on with the removal of the hybrid configuration, follow this guide.

Open your Exchange Console and start by removing the Organization Relationships.

clip_image002

clip_image003

clip_image004

clip_image005

Once that’s complete go to Hub transport and remove all the remote domains that have been added from the Hybrid Setup.

clip_image006

 

clip_image007

Remove the Microsoft 365 tenant accepted domain, the one ending with mail.onmicrosoft.com.

clip_image008

clip_image009

Make sure that you delete the Connectors that have been created by the Hybrid Wizard e.g. Outbound to Office 365.

clip_image010

clip_image011

Removing Receive connectors (Inbound from Office 365)

clip_image012

Since there is no supported cmdlet to remove the hybrid configuration object from AD, we have no choice but to delete it with ADSI Edit.

Navigate to Configuration > Services > Microsoft Exchange > <your Exchange organization name, "First Organization" by default> and delete "CN=Hybrid Configuration".

clip_image013

clip_image014

clip_image015

Restart the Microsoft Exchange Service Host service (MSExchangeServiceHost) after deleting the hybrid object so Exchange drops the cached configuration.

clip_image016
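As an added example (not from the original post), the script below gives the manual removal above a checklist: run from the Exchange Management Shell on the on-premises server, it lists every object the Hybrid Configuration Wizard created (organization relationship, remote and accepted domains for the tenant, send and receive connectors, the hybrid configuration object), saves a copy of each to disk, and removes them only when $Apply is $true. The connector and remote-domain names follow the wizard's defaults ("Outbound to Office 365", "Inbound from Office 365", "Hybrid Domain - ..."); adjust the filters if your deployment renamed them.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$Apply  = $false
$Backup = "C:\HybridBackup-$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $Backup | Out-Null

# Everything the wizard creates, keyed by type; filters use the wizard's default names
$Items = @{
    OrganizationRelationship = Get-OrganizationRelationship
    RemoteDomain             = Get-RemoteDomain   | Where-Object { $_.DomainName -like '*.mail.onmicrosoft.com' -or $_.Name -like 'Hybrid Domain*' }
    AcceptedDomain           = Get-AcceptedDomain | Where-Object { $_.DomainName -like '*.mail.onmicrosoft.com' }
    SendConnector            = Get-SendConnector  | Where-Object { $_.Name -like '*Office 365*' }
    ReceiveConnector         = Get-ReceiveConnector | Where-Object { $_.Name -like '*Office 365*' }
    HybridConfiguration      = Get-HybridConfiguration
}

# Inventory first, and keep an XML copy of each object in case you need the old settings back
foreach ($Kind in $Items.Keys) {
    $Objs = @($Items[$Kind])
    Write-Host "$Kind : $($Objs.Count) object(s)" -ForegroundColor Cyan
    $Objs | Format-List Name, Identity, DomainName, DistinguishedName
    $Objs | Export-Clixml -Path (Join-Path $Backup "$Kind.xml")
}

if ($Apply) {
    $Items.OrganizationRelationship | Remove-OrganizationRelationship -Confirm:$false
    $Items.SendConnector            | Remove-SendConnector -Confirm:$false
    $Items.ReceiveConnector         | Remove-ReceiveConnector -Confirm:$false
    $Items.RemoteDomain             | Remove-RemoteDomain -Confirm:$false
    $Items.AcceptedDomain           | Remove-AcceptedDomain -Confirm:$false
    # The hybrid configuration object has no Remove-* cmdlet: delete CN=Hybrid Configuration
    # with ADSI Edit as shown above, then restart the service host:
    # Restart-Service MSExchangeServiceHost
}
```

Keep $Apply at $false until the inventory shows only wizard-created objects; the accepted-domain filter in particular must not catch your primary SMTP domains.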

Now you can restart the Hybrid setup again from scratch

clip_image017

Office 365 Mail flow in Hybrid doesn’t work after you white list office365 IPs on your SMTP gateway

I deployed a hybrid environment for a customer running Exchange 2010 SP3 with over 11K users. The customer used an SMTP gateway for spam protection and did not want to disable or bypass the gateway during or after the hybrid deployment; they wanted it in the path permanently.

Microsoft does not support third-party SMTP gateways in the mail flow path between Exchange Online and Exchange on-premises, so I had to find a way to configure the gateway to pass any mail between the Office 365 tenant and Exchange on-premises untouched, using the allow-list feature in all of its services (anti-spam, anti-virus, anti-spoof and so on).

After configuring the hybrid deployment I had a problem with mail flow from/to Exchange Online.

I checked all of Microsoft's Office 365 / Exchange Online / Exchange Online Protection IP ranges (CIDRs) in order to allow-list them, or add them to the ignore list on the SMTP gateway, so that mail between Exchange Online and Exchange on-premises would not be scanned. That did not work until I found a Microsoft article that had been modified very recently (31-05-2016).

image

The article is linked under REF below.

The article states that the IP list has been updated, and it also lists the removed IPs.

image

While tracing with the Office 365 message trace tool I noticed that the connection to the SMTP gateway was refused because of an IP that the Microsoft article described as "removed", but which was still being used to send mail from Exchange Online.

The IP was 213.199.154.78, and it was greylisted on the SMTP gateway because it was not on the allow-list.

image

If you read the article you will notice that the subnet 213.199.154.0 is listed as removed; adding the IP to the allow-list solved the problem for me. The lesson: do not trust the "removed" list blindly, allow-list what the message trace actually shows, and keep the gateway's list in step with Microsoft's published ranges.
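As an added example (not from the original post), the script below does the check that would have found the problem in minutes: it takes the sending IPs seen in a message trace and tests each one against the CIDR ranges that are allow-listed on the gateway. Test-IpInCidr is a helper written here, not a built-in cmdlet; the allow-list and the trace IPs are constructed for the example (the 213.199.154.0/24 block is the one the post discusses) and should be replaced with the gateway's real list and a real trace export. The commented Invoke-RestMethod line shows how to pull the current Exchange Online ranges from Microsoft's endpoints web service, which has replaced the TechNet list.

```powershell
# Added example, not from the original post. Pure PowerShell, no modules required.
function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $Net, $Bits = $Cidr.Split('/')
    $ToInt = {
        param($Address)
        $B = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
        [Array]::Reverse($B)               # network byte order -> little-endian for BitConverter
        [BitConverter]::ToUInt32($B, 0)
    }
    # /24 -> 0xFFFFFF00; 0xFFFFFFFF is an Int64 literal, so mask it back to 32 bits
    $Mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$Bits)) -band 0xFFFFFFFF)
    return (((& $ToInt $Ip) -band $Mask) -eq ((& $ToInt $Net) -band $Mask))
}

# Constructed allow-list for the example; replace with the gateway's real entries or with
# the current Microsoft ranges, e.g.:
# $AllowList = (Invoke-RestMethod "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())" |
#     Where-Object { $_.serviceArea -eq 'Exchange' -and $_.ips }).ips | Where-Object { $_ -notmatch ':' }
$AllowList = @(
    '213.199.154.0/24',   # the block the post found listed as "removed" yet still in use
    '207.46.163.0/24',
    '40.92.0.0/15'
)

# Constructed sample: sending IPs copied from a message trace export
$TraceIps = @('213.199.154.78', '40.92.12.34', '198.51.100.7')

$Result = foreach ($Ip in $TraceIps) {
    $Match = $AllowList | Where-Object { Test-IpInCidr -Ip $Ip -Cidr $_ } | Select-Object -First 1
    [pscustomobject]@{ Ip = $Ip; AllowListed = [bool]$Match; Range = $Match }
}
$Result | Format-Table -AutoSize

# Anything not covered is what the gateway will greylist or reject
$Result | Where-Object { -not $_.AllowListed } |
    ForEach-Object { Write-Warning "$($_.Ip) is not in the allow-list; add it or its range to the gateway" }
```

With the constructed data, 213.199.154.78 and 40.92.12.34 come back as allow-listed and 198.51.100.7 is flagged. Run the same loop over a full message-trace export (the sender IP column) after every change to Microsoft's ranges.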

image

REF:

https://technet.microsoft.com/en-us/library/dn163581(v=exchg.150).aspx

https://technet.microsoft.com/library/dn163583(v=exchg.150).aspx

Hope this helps

Export and import PST to Office 365 Exchange online mailboxes

Microsoft has launched a feature that allows administrators to import PST files into Exchange Online directly through the portal.

In this article I'll guide you through uploading one PST file and importing it into a user's mailbox. The steps are the same as in Microsoft's TechNet article, but with more detail and screenshots. When I followed the article myself I got confused at some point about which shared folder it was talking about, and about small details that are not spelled out, because Microsoft combines two methods on the same page ("Ship data on physical drives" and "Upload files over the network").

 

So to achieve this, you’ll have to first sign in to your Office 365 portal. Open Exchange admin center and follow the below steps:

 

  1. Granting Permission

 

Grant yourself permission to import PST files into mailboxes: in the Exchange admin center go to Permissions and double-click Compliance Management.

Under Roles, click + and add the Mailbox Import Export role.

Under Members, click + and add your user account.

clip_image001[5]

 

2. Copy the secure URL and secure storage account key

 

To get the Azure secure storage account key and URL you will have to go back to the Office 365 portal and then click on Import tab on the left pane

Then click on the Key sign below

 

clip_image002[4]

 

When you click on it, you will be able to retrieve the key and the URL by clicking on Copy Key and URL .

 

clip_image003[4]

 

The key is long, and it is easy to copy only the visible part of the field; if you paste a truncated key into the AzCopy command or Azure Storage Explorer you will get an authentication error.

Here is the secure storage account key I am using on a trial version of Office 365. Treat this key like a password: it grants write access to the ingestion storage, so do not share it, paste it into tickets, or leave it behind in scripts and shell history.

KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g==

The URL has an important part which you will use in the Azure Storage Explorer tool to log in and browse the storage your tenant uses for PST uploads.

The URL looks like the following; the storage account name is the first label of the host name, before .blob.core.windows.net:

https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/

Copy this part into the storage account name field:

d49d7ae0e38a4d8e9c93565

 

3. Copying PST files to the Azure folder using the AzCopy command or Azure Storage Explorer

To upload PST files to Azure you have two methods: the AzCopy command, which is easy and straightforward (but command-line based), or the GUI application Azure Storage Explorer.

To download AzCopy (the 3.x version used here), use the following link:

http://az635501.vo.msecnd.net/azcopy-3-2-0/MicrosoftAzureStorageTools.msi

Or download it from the Import page under Resources:

clip_image004[4]

Once the tool is installed, right-click it and run it as administrator.

The following command takes all the files inside my local folder C:\Users\Mohammed\Desktop\upload.

It creates a folder called "SERVER01/PSTshareR1/" inside Azure's default ingestiondata container.

It uses the destination key retrieved from the Office 365 Import window and writes its log to C:\PSTupload\Uploadlog.log on the local drive (/S recurses into subfolders, /V:<path> sets the verbose log file).

AzCopy /Source:C:\Users\Mohammed\Desktop\upload /Dest:https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/SERVER01/PSTshareR1/ /Destkey:KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g== /S /V:C:\PSTupload\Uploadlog.log

Note that the current AzCopy (v10) uses a different syntax (azcopy copy <source> <destination URL with SAS token> --recursive) and a SAS URL instead of the /Destkey switch; the command above is for the 3.x release linked here.

 

clip_image005[4]

 

To make sure that files are uploaded. I will open Azure Storage Explorer 6 (Preview) and click Add Account on top

On add storage account window I will use the blob name that I have got from the URL earlier and storage secure key in the storage account key below and click on save.

 

clip_image006[4]

 

Once I click that I will get a list of directories .. The default directory which is used by Office 365 is the “Ingestiondata” folder .. There our files will be uploaded.

 

clip_image007[4]

 

https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/

 

4. Create CSV File to import PST

 

Assume you have 150 PST files that you want to upload and import into users who already have mailboxes in Exchange Online. To do so you must prepare a CSV mapping file that looks like the sample below.

Microsoft has written a table explaining what each column stands for, which clears things up, but some parts were still not clear to me, for example FilePath: the TechNet article mixes it up with the "Ship data on physical hard drives" method, which uses your own drive to get the data into Azure through the Import tool in the Office 365 portal.

 

image

 

Source: https://technet.microsoft.com/library/ms.o365.cc.IngestionHelp.aspx?v=15.1.166.0&l=1&f=255&MSPPError=-2147217396

Note:

The FilePath value here is the folder you created in Azure with the AzCopy command above, i.e. SERVER01/PSTshareR1 (the part of the destination URL after ingestiondata/), and Name is the PST file name exactly as uploaded, case included.

 

clip_image008[4]

 

So the CSV File is ready.
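As an added example (not from the original post), the script below builds the mapping CSV instead of typing 150 rows by hand. It assumes the convention that each PST in the upload folder is named <UserPrincipalName>.pst, verifies that every target mailbox exists in Exchange Online before the row is written (a typo in a mailbox column otherwise surfaces only when the import job fails), and emits the column set the import tool expects. The local folder, the Azure folder name, the output path and the admin UPN are placeholders, and Connect-ExchangeOnline is assumed (the older remote PowerShell session works the same way).

```powershell
# Added example, not from the original post. Assumes an Exchange Online PowerShell session.
# Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$LocalFolder = 'C:\Users\Mohammed\Desktop\upload'   # the folder uploaded with AzCopy
$AzureFolder = 'SERVER01/PSTshareR1'                # the folder created under ingestiondata
$MappingCsv  = 'C:\PSTupload\PstImportMapping.csv'
$TargetRoot  = '/'                                  # '/' merges into the mailbox root; e.g. '/Imported' keeps it separate

$Rows = foreach ($Pst in Get-ChildItem -Path $LocalFolder -Filter *.pst) {
    $Upn = $Pst.BaseName                            # convention: <UPN>.pst
    $Mbx = Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue
    if (-not $Mbx) {
        Write-Warning "No mailbox found for $Upn ($($Pst.Name)); skipping"
        continue
    }
    # Column set of the PST import mapping file; the SharePoint columns stay empty for Exchange
    [pscustomobject]@{
        Workload            = 'Exchange'
        FilePath            = $AzureFolder
        Name                = $Pst.Name              # must match the uploaded file name exactly (case-sensitive)
        Mailbox             = $Mbx.PrimarySmtpAddress.ToString()
        IsArchive           = 'FALSE'                # 'TRUE' to import into the online archive instead
        TargetRootFolder    = $TargetRoot
        ContentCodePage     = ''
        SPFileContainer     = ''
        SPManifestContainer = ''
        SPSiteUrl           = ''
    }
}

$Rows | Export-Csv -Path $MappingCsv -NoTypeInformation
Write-Host "$(@($Rows).Count) mapping row(s) written to $MappingCsv"
```

Open the resulting file once before uploading it in step 5; the skipped files listed by the warnings are the ones whose names do not match a mailbox and need renaming or a manual row.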

 

 

In Azure Storage Explorer I double-checked that the PST files had finished uploading and were there.

clip_image009[4]

 

5. Using the Upload Files over the network

 

Back to Office 365 portal, go to Import and click on the + Sign and select Upload files over the network

 

clip_image010[4]

 

Select I have access to the mapping file as well

 

clip_image011[4]

 

Click on + and upload the CSV file that you have prepared for the mapping

Once the file is uploaded, tick "By checking this box, you agree to the terms and conditions of this service" and click Next.

 

clip_image012[4]

 

As soon as you accept and click next the Import is going to check path, email, folder and will start the import process.

 

clip_image013[4]

clip_image014[4]

 

Email before importing

 

clip_image015[4]

 

Import started, folder has been created

 

clip_image016[4]

 

Importing is done

 

clip_image017[4]

clip_image018[4]

 


Reference

 

https://technet.microsoft.com/library/ms.o365.cc.IngestionHelp.aspx?v=15.1.166.0&l=1&f=255&MSPPError=-2147217396#BKMK_CreateAnewMappingtoupload

https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/

Free Multi SAN Certificate for your Exchange for two years

 

I am sure many people have been looking for a free certificate, but a Google search always gives you the same list of commercial CA providers, and the only free SSL certificate provider was StartCom, which issues a single-name certificate for one year.

WoSign (which also uses the StartCom CA) provides a two-year multi-SAN certificate for free. I tried 2 SANs and 6 SANs and it worked perfectly in both cases. I don't use these certificates for production, but they are very handy for lab and test environments, e.g. Exchange hybrid integration or migration, and Lync integration with Lync Online for Enterprise Voice.

A caveat: since this was written, WoSign and StartCom certificates have been distrusted by the major browsers and operating systems (Mozilla, Google, Apple and Microsoft all removed trust during 2016-2017), so new certificates from them are no longer usable even in a lab if clients must trust them; Let's Encrypt now fills the free multi-SAN niche. The request and installation steps below apply to any CA.

Link to the free certificate: click Here

The steps to get the certificate are below. The longest I waited for a certificate was 12 hours, but I eventually got it.

The multi-SAN cert is limited to two years maximum, but it serves the purpose.

Step 1 :

Fill in the subdomains you want the SSL certificate for, one per line, then select 2 years and the algorithm (SHA-2, as it is more secure; browsers no longer accept SHA-1 certificates).

Step 2: Verify your domain ownership.

Click Validate Now and select the email address listed in your domain's WHOIS record, or one of the default admin/administrator@domain.com accounts.

I usually create an admin user, or have access to the administrator user's mailbox on Exchange or Google Apps.

Note: the validation must be completed within 60 seconds, and the validation email takes around 35 seconds to arrive, so you have about 25 seconds to copy the validation code.

 

Step 3:

Generate a CSR, paste it into the CSR box, then click anywhere outside the box so that the SANs appear in the small box on the right.

 

clip_image001

 

Once the SANs appear then click on Generate certificate and you should see the below screen

I am already using Hybrid integration between Exchange 2013 and Exchange Online and the certificate works very well for me.

Hope you find this useful.

Installing and configuring Azure Active Directory Sync and using IDFix

To install Azure Active Directory Sync, we will have to prepare the prerequisites:

https://technet.microsoft.com/library/jj151815.aspx?f=255&MSPPError=-2147217396#bkmk_installmodule

To prepare the Azure Active Directory Sync server, you will need to download the following tools to check the user attributes in your local AD:

  1. Microsoft Windows Server 2008 R2/2012 R2
  2. .NET Framework 4 (for the IDFix tool to work)
  3. IDFix (to check whether there is any issue in AD that would affect DirSync)

Note:

One of the new features that came with AADSync is that it can be installed on the DC itself, but some may choose to have it on a separate server to avoid any risk.

Software Prerequisites

Install the required tools for the Azure Active Directory connector (DirSync):

  1. AADSync latest version (download here) (version review link)
  2. Microsoft Online Services Sign-In Assistant for IT Professionals RTW (here)
  3. Azure Active Directory Module for Windows PowerShell (64-bit version) (here)

Additionally, to connect and synchronize to Office 365, the following prerequisites need to be installed before installing AADSync:

Install “Windows Azure Active Directory Module for Windows PowerShell (64-bit version)”. It is highly recommended that this machine be restarted before installing DirSync.

NOTE: Effective October 20, 2014, the 32-bit version of Azure Active Directory Module for Windows PowerShell is discontinued. Support for the 32-bit version will no longer occur, and future updates to the Azure Active Directory Module will be released only for the 64-bit version. We strongly recommend you install the 64-bit version to ensure future support and compatibility. Refer to “Install the Azure AD Module” in Manage Azure AD using Windows PowerShell.

If DirSync is to be installed on a server with Windows 2008 R2, beginning with version 1.0.6765.0006, PowerShell 3.0 is required and can be installed from Windows Management Framework 3.0; AND beginning with version 1.0.6985.000, .NET Framework 4.5.1 is a prerequisite.

From <https://oddytee.wordpress.com/2014/03/11/requirements-for-dirsync/>

Installing .NET Framework 4.5

Once you have downloaded IDFix, unzip it and run the exe tool.

Right-click on IdFix and run it as administrator to give it the privileges required to read AD users and groups.

After you run it, it should look like the following:

After running the tool, click on Query to get the problematic users/groups, and fix the ones that you want to be synced to Office 365 Azure AD.

Top Level Domain:

The most common issue that occurs when preparing for AADSync is the top-level-domain error on user objects (if a .local suffix is used).

To fix this issue for all the users/groups that will be synced to O365, open Active Directory Domains and Trusts:

Right-click on Active Directory Domains and Trusts, click Properties, then add your public domain to the Alternative UPN Suffixes:

Next, open Active Directory Users and Computers to change the UPN suffix to the correct one that matches your public domain.

Note:

Changing the UPN suffix of your users won’t affect their login to their machines or any other application server.

Select the users in the OU that you want to be synced, right-click and choose Properties.

Proxy Address:

You may also face another issue with the users you intend to sync to Office 365: the SMTP proxy address. In some Exchange organizations the e-mail address policy may be set incorrectly, so a user ends up with an invalid domain in the proxyAddresses attribute, e.g. user@domain.local.

There are three ways to solve this. The first is to use the Exchange on-premises e-mail address policy to delete the .local SMTP proxy address and set the public-domain one.

The other two ways are to delete the proxy address manually or with a PowerShell script. I personally prefer to do this manually to avoid any risk it may pose to the user objects.

Another method would be IDFix itself or ADModify.

In the snapshot below I used IDFix to fix the proxyAddresses of the problematic users.
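The two attribute problems described above (a .local UPN suffix and a .local SMTP proxy address) can be found, and optionally fixed, with one script. The block below is an added example; it is neither IDFix nor code from the original post. It needs the ActiveDirectory RSAT module, and the OU path, the domain suffixes and the default values are constructed placeholders.

```powershell
# Added example, not from the original post and not IDFix itself. Requires the
# ActiveDirectory module (RSAT). OU path and domain suffixes are constructed placeholders.
Import-Module ActiveDirectory

function Find-NonRoutableSyncIssues {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,     # OU that will be synced, e.g. 'OU=Cloud Users,DC=domain,DC=local'
        [Parameter(Mandatory)] [string] $PublicSuffix,   # domain verified in Office 365, e.g. 'domain.com'
        [string] $BadSuffix = 'domain.local',            # non-routable suffix that Azure AD rejects
        [switch] $Fix                                    # without -Fix the function only reports
    )
    $badRx = "@$([regex]::Escape($BadSuffix))$"

    foreach ($u in Get-ADUser -SearchBase $SearchBase -Filter * -Properties proxyAddresses) {
        # local part for the new UPN / primary address; fall back to sAMAccountName if the UPN is empty
        $prefix  = if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[0] } else { $u.SamAccountName }
        $upnBad  = $u.UserPrincipalName -match $badRx
        # any smtp:/SMTP: entry on the non-routable suffix (-match is case-insensitive)
        $proxBad = @($u.proxyAddresses | Where-Object { $_ -match "^smtp:.*$badRx" })

        if (-not $upnBad -and $proxBad.Count -eq 0) { continue }

        if ($Fix) {
            if ($upnBad) {
                # The public suffix must already be listed under Domains and Trusts, as shown above.
                Set-ADUser -Identity $u -UserPrincipalName "$prefix@$PublicSuffix"
            }
            if ($proxBad.Count -gt 0) {
                # Remove only the offending values so every other alias is left untouched.
                Set-ADUser -Identity $u -Remove @{ proxyAddresses = $proxBad }
                # If the removed value was the primary (upper-case SMTP:), the user needs a new primary
                # on the public domain: promote an existing lower-case alias or add one.
                if ($proxBad -cmatch '^SMTP:') {
                    $primary = "SMTP:$prefix@$PublicSuffix"
                    $lower   = @($u.proxyAddresses | Where-Object { $_ -ieq $primary -and $_ -cne $primary })
                    if ($lower.Count -gt 0) { Set-ADUser -Identity $u -Remove @{ proxyAddresses = $lower } }
                    Set-ADUser -Identity $u -Add @{ proxyAddresses = $primary }
                }
            }
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UpnIssue       = $upnBad
            BadProxies     = ($proxBad -join ';')
            Fixed          = [bool]$Fix
        }
    }
}

# Report only; add -Fix after reviewing the output (and after a System State backup of a DC).
Find-NonRoutableSyncIssues -SearchBase 'OU=Cloud Users,DC=domain,DC=local' -PublicSuffix 'domain.com' |
    Format-Table -AutoSize
```

Run it without -Fix first and compare the list with what IDFix reports. If the .local address came from the Exchange e-mail address policy, fix the policy first (the first method above), otherwise the policy will simply re-add the address at the next policy update.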

Installation of AADSync

First we’ll install Microsoft Online Services Sign-In Assistant for IT Professionals RTW.

Next, the Windows Azure AD PowerShell module.

Installing AADSync

In the next step you will have to enter an Office 365 global administrator user (preferably not an onmicrosoft.com user); I would recommend that you create a cloud user on Office 365 with global admin privileges to use with AADSync.

Next, before you continue, open your O365 portal and enable AD Sync there.

When you click on Set up, the following page should appear; click on Activate AD Sync.

Now you may continue to configure AADSync. Below I am going to use a different user that is dedicated only to the AADSync tool; I will call it Dirsynccloud@domain.com.

Next, on the on-premises Active Directory I will configure a new user called Dirsync that is a member of Enterprise Admins. This user will have access to all the OUs that will be synced, in order to sync their attributes, passwords, etc.

Once you enter your enterprise domain account below and click Add Forest, it will be listed below, and you can add more forests if you have them.

Next you may choose Exchange hybrid deployment if you have Exchange on-premises (at least Exchange 2010 SP3); if not, there is no need to tick the box. Password write-back is a feature that requires an Azure AD Premium subscription, so if you don’t have this subscription you don’t really need to tick this box.

Azure AD app and attribute filtering is a feature that allows you to pick the application attributes you want to sync back and forth with Azure AD, e.g. Exchange, SharePoint, etc. If you don’t tick this box, the standard attribute set will be synced, which includes Exchange and the users’ basic info; you can see it as soon as setup finishes and you open the AADSync UI.

Password writeback overview

Password writeback is an Azure Active Directory Sync component that can be enabled and used by the current subscribers of Azure Active Directory Premium. For more information, see Azure Active Directory Editions. It allows you to configure your cloud tenant to write passwords back to your on-premises Active Directory. It obviates the need to set up and manage a complicated on-premises self-service password reset solution, and it provides a convenient cloud-based way for your users to reset their on-premises passwords wherever they are. Read on for some of the key features of password writeback:

From <https://msdn.microsoft.com/en-us/library/azure/dn903642.aspx>

You can enable filtering in AADSync at any time. If you have already run the default configurations of directory synchronization and then configured the filtering, the objects that are filtered out are no longer synchronized to Azure AD. As a result, any objects in Azure AD that were previously synchronized but were then filtered are deleted in Azure AD. If objects were inadvertently deleted because of a filtering error, you can re-create the objects in Azure AD by removing your filtering configurations, and then synchronize your directories again.

From <https://msdn.microsoft.com/en-us/library/azure/dn801051.aspx>

Next, I will not tick Synchronize now, because this would sync all local AD objects and OUs to the cloud; in my case I just want to choose particular OUs to sync to the cloud.

In order to configure which on-premises Active Directory organizational units AADSync should sync, navigate to the following path on the server on which you installed AADSync.

PATH:

C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe

Right-click on domain.local and click Properties.

Next, click on “Configure Directory Partitions”, and under “Credentials” click on Containers and enter your new on-premises enterprise admin account.

Next, select the OU you want to sync to the cloud and click OK.

Next, open “Task Scheduler” on the server and enable the task created by the AADSync installation so that a sync runs every 3 hours.

In order to force a sync, run the separate command that Microsoft ships with AADSync, “DirectorySyncClientCmd”. The command can be run from PowerShell, or you can make a desktop shortcut and run it directly.

Path:

C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd
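As an added example (not from the original post), the two actions described above, enabling the scheduled task and forcing a sync, as a small PowerShell script. The task name and the initial/delta mode names are what I recall from the AADSync documentation, so treat them as assumptions and confirm them in Task Scheduler and in the tool's own usage output on your server.

```powershell
# Added example, not from the original post: turn on the scheduled sync and run one on demand.
# Task name and mode names are assumptions; confirm them on your AADSync server.
$AadSyncCmd  = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'
$AadSyncTask = 'Azure AD Sync Scheduler'   # assumed name of the 3-hourly task created by setup

function Enable-AadSyncSchedule {
    # schtasks works on 2008 R2 as well as 2012 R2 (Get-ScheduledTask needs 2012+)
    schtasks.exe /Change /TN $AadSyncTask /ENABLE | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not enable task '$AadSyncTask' (exit code $LASTEXITCODE)" }
    schtasks.exe /Query /TN $AadSyncTask /FO LIST
}

function Invoke-AadSyncNow {
    param(
        # 'delta' pushes only the changes since the last run; 'initial' is a full import/sync,
        # which is what you want the first time after narrowing the OU list as described above.
        [ValidateSet('delta', 'initial')] [string] $Mode = 'delta'
    )
    if (-not (Test-Path $AadSyncCmd)) { throw "AADSync client not found at $AadSyncCmd" }
    & $AadSyncCmd $Mode
    if ($LASTEXITCODE -ne 0) { throw "DirectorySyncClientCmd $Mode failed with exit code $LASTEXITCODE" }
    "Sync ($Mode) requested at $(Get-Date -Format s); check Synchronization Service Manager (miisclient.exe) for the run result"
}

Enable-AadSyncSchedule
Invoke-AadSyncNow -Mode initial
```

Run this in an elevated PowerShell on the AADSync server; the exit-code checks make a failed run visible instead of silently leaving the cloud out of date, and miisclient.exe shows the import/export counters for the run.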

 

Hope you find this useful.