Category Archives: Office365

ADFS and wAP trust breaks with 500 Internal Server error

Error code

Yesterday my colleague sent me a message informing me that ADFS is not working. When I tried to login to Office 365 Portal page with a federated domain’s user I got a 500 Internal Server Error.

When it occurs:

If you are using Office 365 with ADFS Integration in place, You might get this error when trying to authenticate your users to login to Office 365 or any of its services.

image

WAP Server

In this environment I am using WAP Proxy server behind ADFS and when installing this I configured a trust using a Public Certificate but for some reason this trust was broken.

image

Investigation and Solution:

After investigating the WAP proxy it seems it had couple of problems:

1- Could not resolve ADFS server name on WAP Server.

  • In my environment where we are using Sentinel, We have isolated the primary DC in the environment and due to this the WAP server could not reach to the DNS Server. I solved this by pointing the machine to the secondary DC and add the ADFS hostname to the host file.

2- The Web Application Proxy Service would not start.

  • The errors related to the service not starting in the event viewer were all pointing to a certificate thumbprint which didn’t even exist in the WAP’s personal store.

Event Viewer Errors

There were couple of errors related to the certificate and Service issue, Event ID 224, Event ID 12025, Event ID 7023 and Event ID 224.

The one which mostly got my attention was the 224:

The federation server proxy configuration could not be updated with the latest configuration on the federation service.

Retrieval of proxy config data from federation server using trust certificate with thumbprint failed with status code unauthorized. The remote server returned an error code 401.

clip_image001

Resolution:

From WAP server’s fire up PowerShell as an admin and list the certificate you have got on your Personal store and match the ThumbPrints of the certificate in the error to make sure it exists or not.

Even if the certificate exists you will still need to re-establish trust with ADFS to make sure WAP can connect to ADFS without an issue.

Dir Cert:\localmachine\my

This should show the certificates you have got on your store.

image

Now pick up the valid Public certificate which you want to use for the trust and use the below command to establish the trust

Install-WebApplicationProxy –CertificateThumbprint “Enter Certificate ThumbPrint here” –FederationServiceName “ADFS Public FQDN Here”

image

After few moments you should see that WAP services went back to normal and you can now login your users to Office 365 portal through ADFS.

image

clip_image001[6]

Upgrading Exchange Online PowerShell to V2 Module

Managing Exchange Online

If you have Exchange Online and your users are MFA enabled then you most likely will be using Exchange Online’ s ECP (Exchange Control Panel or Admin Center) to connect to Exchange Online PowerShell through the Hybrid Windows since this is the only supported way with MFA.

image

Clicking on Configure would install the PowerShell Module of Exchange Online which looks like the below screenshot.

image

New PowerShell with MFA support

If you have launched Exchange Online PowerShell today then you most likely have noticed there’s a red line stating the possibility to try the new (Preview Version) of Exchange PowerShell V2 .

Microsoft has recently released a new version of Exchange Online PowerShell Module which supports MFA and can be run directly from your computer without the need to login to Exchange Online Admin Center and download any files from there.  Check details in this link

As stated in the article, the Module is just in preview so it has some known and maybe unknown bugs as well.

How to Install it?

The installation process is pretty straightforward, Launch Windows PowerShel as an Administrator (It’s required for the installation).

Run these 4 cmdlets

Set-ExecutionPolicy RemoteSigned

Install-Module PowershellGet –Force

Update-Module PowershellGet

Install-Module -Name ExchangeOnlineManagement

image

You might get a warning that the Module you’re about to install is from an Untrusted Repository, Accept it by typing Y and hit enter

Type the following cmdlet to ensure that Exchange Online Management module is installed

Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

image

Connecting to Exchange Online

To connect to Exchange Online, Run the following cmdlet along with the new parameter –EnableErrorReporting which gives the ability to record all the cmdlets that you have run along with errors generated as well.

Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath e:\ExchOnlineLogs.txt -LogLevel All

image

image

After connecting, I am going to try and run two commands the Old Cmdlets and New Cmdlet and see the difference between them:

  1. Get-CASMailbox -ResultSize 10
  2. Get-EXOCasMailbox -ResultSize 10

image

The new Cmdlet has much more details, although it says that it runs faster but it took few seconds more than the old one to run (Probably first time).

image

After you run those two Cmdlets, There will be two files generated in the log directory which we have pointed the parameter to save files to.

The CSV files have details about the two cmdlets and the HTTP Method they are utilizing in order to connect along the Request and response latency.

imageimage

This new version seems to be extremely useful esp in environments where such deep details are needed for troubleshooting issues.

Stay tuned for more

Reference:

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/exchange-online-powershell-v2?view=exchange-ps

Error After Migrating ADFS from 2012R2 to 2016

The Story:

You might have got a request to upgrade from ADFS 2012 R2 to Windows ADFS 2016.

This process can be complicated especially if you’ll have to migrate the Database as well and it would be more of an issue when the Database is WID (Windows Internal Database) since there’s no much documentation about troubleshooting issues involving WID on ADFS.

I have got a request from a client whom have done a migration with another consultant and obviously it was not done right.

Symptoms

On Windows 2016 ADFS when trying to update the ADFS SSL certificate I get the following error:

Set-AdfsSslCertificate -ThumbPrint A7etc : PS0159 : The Operation is not supported at the current Farm Behavior Level ‘1’. Raise the farm to at least version ‘2’ before retrying.

At line:1 char:1

clip_image001

Trying to update the database from 1 to 2,3 will also fail with the following error:

Invoke-AdfsFarmBehaviorLevelRaise

image

Error:

Database upgrade cannot be performed on AdfsServer.domain.com. Error: A database for the target behavior level already exists.

Troubleshooting:

If you’re installing ADFS on WID (Windows Internal Database) you should run the following to get the database name/Connect String

On ADFS Server

Open Windows PowerShell

  1. Enter the following:
    $adfs = gwmi -Namespace root/ADFS -Class SecurityTokenService

    and hit Enter

  2. Enter the following:
    $adfs.ConfigurationDatabaseConnectionString

    and hit enter.

  3. You should see the connect string information.

image

Go to Service Console and stop ADFS Service or from Powershell type Net stop adfssrv

Run SQL Server 2017 Database Engine Tuning Advisor as an administrator

clip_image001[4]

Use the Server name as this

\\.\pipe\MICROSOFT##WID\tsql\query

As for Authentication, Use the Windows Authentication with the user you’re logged into if you know that’s a privileged user and can authenticate, If not try with a user which you’ve done the upgrade of ADFS with.

image

After authenticating, You will be able to see AdfsConfiguration , AdfsConfigurationV3 and AdfsArtifactStore. What we need to see is that AdfsConfigurationV3 has data in it and is not totally empty.

clip_image001[6]

After checking and comparing the size between V1 and V3, It appeared that V3 database is empty. So what next?

Solution

Deleting the AdfsConfigurationV3 was the first thought that hit my mind however, before deleting anything I always take a snapshot of the VM since backing up the WID is more painful and takes more time than simply backing up the VM (Checkpoint, Snapshot).

So the steps to fix this issue is

  • Taking a VM Snapshot/Checkpoint/Backup.
  • Download Microsoft SQL Server Management Studio from this link https://go.microsoft.com/fwlink/?linkid=864329
  • Install Microsoft SQL Server Management Studio on ADFS Server
  • Run MS SQL Server Management Studio as Administrator
  • In the Server Name type :

\\.\pipe\MICROSOFT##WID\tsql\query

Leave the Authentication as it is and logon.

image

  • From the SQL Object Explorer right click and Delete the AdfsConfigurationV3 and leave AdfsConfiguration Database only.

image

  • After deleting the Database, Start ADFS Service to make sure that it can load the old database without an issue.
  • Then run the cmdlet Invoke-AdfsFarmBehaviorLevelRaise and Accept by typing Y and Enter.

image

This might take about 5 minutes to finish.

image

When this process is done, You should see the following message indicating the success of the Database Upgrade.

image

To double check, We will run the cmdlet Get-AdfsFarmInformation

image

Updating Certificate

After this success, I am going to run the cmdlet below to replace the current certificate with the new one

Set-AdfsSslCertificate -Thumbprint 9b19426e17180c0b9c5d4atye53dda3bce9dbff

And here we go. It works perfectly fine

image

References:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-sql

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server

Search and Delete certain Items/Folders from a Mailbox

The Story

During a project of Hybrid migration from Exchange on-premises to Exchange online, I was almost about to finalize the project by moving the last remaining users mailboxes however had an interesting issue to deal with where a user was failing with the following error:

Error:

Error: MigrationPermanentException: Mailbox dumpster size 50.87 GB (54,620,074,576 bytes) exceeds target quota 30 GB –> Mailbox dumpster size 50.87 GB exceeds target quota.

image

After some research it turned out that you can clean the dumpster using search-mailbox PowerShell cmdlet, Sync the user’s object with ADConnect and then continue the migration from the last failure.

To solve the issue, Go on your Exchange on-premises and launch Exchange Management shell

Solution:

First, Let’s see the user’s dumpster and recoverable items

Get-MailboxFolderStatistics -Identity “User” -FolderScope RecoverableItems | Format-Table Name,FolderPath,ItemsInFolder,FolderAndSubfolderSize

image

To Delete the dumpster only use this

Delete dumpster only

Search-mailbox -identity User -SearchDumpsterOnly –DeleteContent

To delete a certain email with certain subject in the dumpster use the following:

Get-mailbox “user”| search-mailbox –searchquery “Subject:’*'” –DeleteContent –SearchDumpsterOnly

image

The cmdlet will search and delete

clip_image001

image

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messagesadmin-help

How to Bulk Delete Exchange Online Distribution and Office 365 groups


Part of Office 365 security auditing is to ensure that all users and groups in your organization are created for a purpose of which you’re aware of and can control these users, groups.

After auditing groups on Office 365 Exchange CP, I noticed that it’s not possible to bulk or multi delete groups from CP and it has to be done one by one or go through the better and more professional way of using PowerShell.


Create CSV for groups to be deleted:

In order for you to delete multiple groups at once you’ll need to first create file with the groups that needs to be deleted. Download the CSV from Groups tab in Exchange Admin Center as in the below screenshot.


image

Once you download the file you can create a new column where you’ll highlight the once to be deleted and export the csv after filtering the once to be deleted.


image


Connect to Office 365:

Once you’ve got the file ready, You only need to connect to Office 365, You might want to make sure you have an App Password created with the privileged account if your MFA is enabled to delete/create groups or users.

To create an app password you must login to your account and follow these steps

https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183

After logging in to Exchange Online ( Office 365 ) you will be able to bulk delete groups using the following script

# This script deletes selected groups imported from csv file “Groups-to-delete.csv”
# CSV file contains the following
# DISPLAYNAME,GROUPTYPE,STATUS,EMAIL,Delete
# Group1(ADEO),Distribution list,Group1@Moh10ly.com,yes
# Make sure you use an APP Password to authenticate Exchange Online
$cres = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cres -Authentication Basic -AllowRedirection
Import-PSSession $Session
$groups = Import-Csv “C:\Users\groups-to-delete.csv”
foreach ($group in $groups)
{
$GroupID = $Group.Email
$DN = $group.DISPLAYNAME
$State = $group.STATUS
If (Get-DistributionGroup -Identity $GroupID){
Write-Host $DN exists and will be deleted -ForegroundColor Green
Remove-DistributionGroup -Identity $GroupID -Confirm } else
{
Write-Host $DN “Group doesn’t exist”
}
}

image


Delete Office 365 Type Groups:

In the case you have Office 365 type groups, Those groups are not considered Exchange groups and they don’t reside in Exchange server but Azure AD and they must be deleted from there. Assuming I want to delete some Office 365 groups that has name (Kaizala) in their display name.

First let’s connect to Azure AD, which will allow you to see the Office 365 groups and be able to delete them.


Connecting to Azure AD

image

Let’s get the Kaizala groups and see if the powershell command will show us the result positively.

Get-AzureADMSGroup | Where-Object {$_.displayname -like “*kaiza*”}

image

Let’s delete these groups using this cmdlet

Get-AzureADMSGroup | Where-Object {$_.displayname -like “*kaiza*”} | Remove-AzureADMSGroup

image

image

After deleting, now we can see that Kaizala groups are all deleted.

NOTE: Microsoft will keep those groups for a day if you mistakenly have deleted them you’ll be able to recover them from ECP.

If not, They will remain in the Recycle bin for 30 days before permanently getting deleted.


Hope this article helped you.

Installing and configuring IIS SMTP for Office 365 with User License

Prerequisites:

1- Office 365 Licensed User.

2- Windows Server 2016 OS.

3- Public Static IP (To add to the SPF policy to avoid getting emails flagged as spam)

4- Allow outbound port 587 on your Firewall.



Regardless of Windows Operating system you’re going to install the SMTP Role the steps are the same. You’re going to install the SMTP Server feature from the Server Manager as following:


First Launch Server Manager (Windows 2016) and click on Manage\Add Roles and Features


image

Next

image

Click next to choose the installation type, Make sure you choose the Role-based or Feature type of installation

image

Next select the server where you want to install the SMTP Feature

image

Click next to head to the next step, The SMTP feature is normally located in the Features page not the role so proceed further by clicking Next

image

Scroll down in the Feature page until you get to SMTP Server

image

Click on the checkbox next to SMTP Server and add the features which will automatically pop up

image

Click Next

image

Click Next again, Leave unchanged here

image

Click Install and you will get your SMTP Server ready


image

Open IIS 6.0 Manager to Manage your Relay

image

To setup SMTP server for relay through Office 365 follow those steps:


Set up SMTP

Open Server Manager, select Tools, and then select Internet Information Services (IIS) 6.0.

  1. – Expand the current server, right-click the SMTP Virtual Server, and then select Properties.
  2. – On the General tab, select Advanced > Add.
  3. – In the IP Address box, specify the address of the server that’s hosting the SMTP server.
  4. – In the Port box, enter 587 and select OK.
  5. – On the Access tab, do the following:


clip_image001

On the Access tab, do the following:

  1. Select Authentication and make sure that Anonymous Access is selected.

clip_image001[4]

Select Connection > Only the List Below, and then specify the IP addresses of the devices that will be connecting to the SMTP server, such as printers.

clip_image002

clip_image003

clip_image004

Select Relay > Only the List Below, and then specify the IP address of the devices relaying through this SMTP server

clip_image005

  1. On the Delivery tab, select Outbound Security, and then do the following:
    1. Select Basic Authentication.
    2. Enter the credentials of the Office 365 user who you want to use to relay SMTP mail.
    3. Select TLS Encryption.
    4. Select Outbound Connections, and in the TCP Port box, enter 587 and select OK.
    5. Select Advanced and specify SMTP.office365.com as the Smart Host.

image

clip_image007

clip_image008

  1. Restart the IIS service and the SMTP service.

clip_image009

https://technet.microsoft.com/en-us/library/dn592151v=exchg.150).aspx>


clip_image010

Let’s make a test by creating a notepad file with the following Test

image

image

Ref:

https://technet.microsoft.com/en-us/library/dn592151(v=exchg.150).aspx

Connect-MsolService fails with Exception of type was thrown


If you are working on Windows 10 and try to connect to Microsoft Online PowerShell you might get exposed to couple of failures and errors.

The first error that would appear is the following:


image


Connect-msolservice : Exception of type ‘Microsoft.Online.Administration.Automation.MicrosoftOnlineException’ was
thrown PS C:\WINDOWS\system32> $msolcred = get-credential



Cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\WINDOWS\system32> connect-msolservice -credential $msolcred
connect-msolservice : Exception of type ‘Microsoft.Online.Administration.Automation.MicrosoftOnlineException’ was
thrown.
At line:1 char:1
+ connect-msolservice -credential $msolcred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
     + FullyQualifiedErrorId : 0x800434D4,Microsoft.Online.Administration.Automation.ConnectMsolService


The first thing that came to mind was the MFA that Microsoft has forced during this month. So I created an app password and tried it but that didn’t work neither and I got the following error


image

PS C:\WINDOWS\system32> $msolcred = get-credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\WINDOWS\system32> connect-msolservice -credential $msolcred
connect-msolservice : The user name or password is incorrect. Verify your user name, and then type your password again.
At line:1 char:1
+ connect-msolservice -credential $msolcred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
     + FullyQualifiedErrorId : 0x80048821,Microsoft.Online.Administration.Automation.ConnectMsolService

I checked the following links on google to see if I am up to date

https://support.microsoft.com/en-us/help/2887306

https://support.microsoft.com/en-us/help/2887306/connect-msolservice-exception-of-type-was-thrown-error-when-you-use-th

Apparently the only thing not mentioned is how to update the MSOnline module on your computer, Microsoft requires Latest module of MSOnline 1.1 in order for you to connect.

Get-Module MSOnline

image

Solution 1:

In order for you to get this to work, You need to update the module manually using Powershell with Administrative Privileges.

First Find the module and make sure it reads the latest version which is supposed to be different than the one installed on your PC.

Find-Module -name MSOnline

image

Trying to Install MSOnline using the following CMDLet resulted in a warning that I am using version 1.0 and need to use –force parameter.

Install-Module -Name MSOnline

image

Solution 2:

Instead, I used the following cmdlet to force installation of version 1.1.183.17 but also ended up with an error stating the following:

Find-Module -name msonline |Install-Module –Force

image

PackageManagement\Install-Package : The following commands are already available on this system:’Add-MsolAdministrative
UnitMember,Add-MsolForeignGroupToRole,Add-MsolGroupMember,Add-MsolRoleMember,Add-MsolScopedRoleMember,Confirm-MsolDomai
n,Confirm-MsolEmailVerifiedDomain,Connect-MsolService,Convert-MsolFederatedUser,Get-MsolAccountSku,Get-MsolAdministrati


Solution 3:

The parameter which resolves the issue is the –AllowClobber, AllowClobber Overrides warning messages about conflicts with existing commands. Overwrites existing commands that have the same name as commands being installed according to MS’s article.

Find-Module -name msonline |Install-Module -Force –AllowClobber


You should now close Powershell and relaunch it as administrator and the moment you type Connect-MsolService you should get a window asking for your credentials.


image


image

Microsoft Office 365 is available in Mac App Store now

Last year Microsoft has promised that it’ll bring Microsoft office 365 on the Mac App Store and today is the day.

The statement by MS reads:

“We are excited to welcome Microsoft Office 365 to the all new Mac App Store in macOS Mojave. Apple and Microsoft have worked together to bring great Office productivity to Mac users from the very beginning. Now, with Office 365 on the Mac App Store, it’s easier than ever to get the latest and best version of Office 365 for Mac, iPad, and iPhone.”
—Phil Schiller, Apple’s senior vice president of Worldwide Marketing

  • Image result for office 365 apps mac

Office 365 apps are already available for Mac however, placing these app in Mac App Store gives the Mac users the capability to manage apps updates, control their installation and much more.

The Office 365 apps were supposed to be released last year but due to delay for unknown reasons they have postponed it to 2019.

Image of a MacBook open displaying Dark Mode in PowerPoint.

Download Office 365 from the Mac App Store.*

Configure Proxy addresses (SMTP) to all the users in OU using SAM Account and a Public Domain on Active Directory

 

This PowerShell will look up at your active directory user’s Proxy Addresses attribute and see if it’s empty, it’ll change it to include a Primary SMTP Address using user’s SamAccount + domain you configure in the PowerShell.

 

image

## READY

 

Import-Module ActiveDirectory

 

Write-host “If the user’s proxy attribute is empty the powershell will add user proxy address..” -ForegroundColor yellow

 

$proxydomain = “@PublicDomain.com” #Specify the domain you’d like to add as user’s primary SMTP Address.

$userou = “OU=Test,DC=moh10ly,DC=com” #Specify the OU where you want the PowerShell to work in your AD

$users = Get-ADUser -Filter { ProxyAddresses -notlike “*” } -SearchBase $userou -Properties SamAccountName, ProxyAddresses, givenName, Surname

 

Foreach ($user in $users) {

write-host $user.DistinguishedName

Set-ADUser -Identity $user.SamAccountName -Add @{Proxyaddresses=“SMTP:”+$($user.samaccountname)$($proxydomain)}

#

write-host “ProxyAddress is Set” -ForegroundColor Green -BackgroundColor Black

}

 

 

 

### for Mail Attribute ###

 

## READY

Import-Module ActiveDirectory

$proxydomain = “@Publicdomain.com”

$userou = “OU=Test,DC=moh10ly,DC=com”

Write-host “Set user’s mail attribute to $proxydomain -ForegroundColor White

$users = Get-ADUser -Filter * -SearchBase $userou -Properties SamAccountName, ProxyAddresses, givenName, Surname, mail

Foreach ($user in $users) {

 

    write-host $user.mail

 

    Set-ADUser -Identity $user.SamAccountName -Replace @{mail=$($user.samaccountname)$($proxydomain)}

 

    #

 

    write-host “ProxyAddress is Set” -ForegroundColor Green -BackgroundColor Black

 

    }

 

 

Office 365 Mail flow in Hybrid doesn’t work after you white list office365 IPs on your SMTP gateway

I have deployed Hybrid environment for a customer who have Exchange 2010 SP3 with over 11K users. the customer was using SMTP gateway for spam protection and didn’t want to disable or close the gateway through the hybrid environment deployment or after and wanted to have their gateway constantly.

While Microsoft doesn’t support any SMTP gateways in Hybrid environment I had to find away to configure this gateway to allow any incoming or outgoing emails from Office365 tenant to Exchange on-premises using the whitelist feature in all its services e.g. (Anti-Spam, Virus, spoof…etc

After configuring the hybrid deployment I had a problem with mail flow from/to Exchange Online.

I have checked all Microsoft’s Office 365/Exchange Online/ Exchange Online protection IPs/CIDs in order to white list them or add them to the ignore list on the SMTP gateway in order for mail flow to not be checked from and to Exchange online if the source is Exchange on-premises but that didn’t work until I find a Microsoft article that which was modified very recently by Microsoft 31-05-2016.

image

Click here for the link

The article mentioned that the IP list have been updated, including the removed IPs list as well.

image

While tracing the logs on Office 365 Message tracer tool I noticed that the connection to the SMTP gateway has been refused due to an IP which the MS article described as “Removed” but it was still used to send emails from Exchange online.

The IP was 213.199.154.78 was greylisted on the SMTP gateway due to it not being added to the white list.

image

If you read the article you’ll notice that the subnet 213.199.154.0 has been mentioned as removed. so adding the IP to the white list has solved the problem for me

image

REF:

https://technet.microsoft.com/en-us/library/dn163581(v=exchg.150).aspx

https://technet.microsoft.com/library/dn163583(v=exchg.150).aspx

Hope this helps