Yes! it is finally possible to connect to Exchange Online from PowerShell installed on MacOS. I noticed some tweets about this being possible on Linux earlier in the week so I thought I’d re-visit testing it on MacOS. PowerShell remoting has been available in the MacOs version since powershell-6.0.0-alpha.15, but it didn’t include the ability to specify a “ConnectionUri’ as the endpoint – it only worked with server names and IP addresses. powershell-6.0.0-alpha.17 which was recently released now includes this functionality.
Since starting this blog in 2008, I have been using Google Feedburner to publish my RSS feeds and enable 'subscribe by email' functionality. At the time it was a great platform and it provided many benefits, but after nearly 9 years that is no longer the case.
Feedburner has been pretty stagnant since 2012 and I have recently started to notice RSS validation errors in my feed which in-turn cause issues with some of the current and planned integrations I have running on the blog. Over the next month, I will be making some changes to the way RSS feeds work on the blog. I will not remove RSS feeds entirely but will be transitioning them from Feedburner.
My analytics data shows that I do have a bunch of subscribers using RSS and email and I do expect the transition to be fairly smooth. Unfortunately, those subscribing via email will need to resubscribe once the transition is done - I figure that an 'opt-in' strategy would be best in this instance. All in all, I'm hoping for minimal disruption.
TLDR; I will continue to offer RSS feeds, but some upcoming changes may mean that you need to resubscribe.
Ever since the launch of Office 365 (and BPOS before that) there has been a desire to make accessing these services as seamless as possible. Single Sign On (SSO) has long been high on the requirements list for many organizations and while it has been possible for some time now to provide a near seamless login experience, it has historically come at a cost in the form of additional infrastructure - usually deployed on-premises and at the very least carrying some sort of administrative burden. I’m not against identity federation, I think it definitely has it’s place and most of the customers I work with already have some federation solution deployed so it makes a lot of sense leveraging it for Office 365 as well, but there are always those organizations who don’t already have a solution in place or those smaller environments where it doesn’t make a whole lot of sense to implement a highly-available AD FS deployment.
Password Sync has long been the best compromise, offering a “Same Sign On” experience where users are able to use their existing AD credentials to access Office 365 services. The recent announcement of Pass-Through Authentication and Single Sign-on means that things are about to get a whole lot better!
I wanted to put together a quick post and run through how easy it is to setup Single Sign On and review the user experience when it is used with Password Sync. Single Sign On can also be enabled with the new Pass-through authentication option, but that’s a story for another post!
Before getting started, it is important to understand the client requirements. The client should:
be using a domain-joined machine
be using Windows and a supported browser (Edge is not supported)
have direct access to a domain controller
have the Kerberos end-points defined in the browser’s Intranet zone (AD Group Policy is the easiest way to do this)
https://autologon.microsoftazuread-sso.com
https://aadg.windows.net.nsatc.net
Once the client requirements have been taken care of, we need to update AAD Connect. At the time of writing, version 1.1.380.0 is the latest version. It looks like these new features were introduced in version 1.1.370.0. If we compare the the “User sign-in” page to that of an older build you’ll notice the addition of a few more features:
To upgrade AAD Connect, follow your regular upgrade procedure. If you don’t have any customizations or special considerations, you can just let the wizard perform the upgrade for you:
Once upgraded, you’ll want to run the configuration wizard again and tick the “Enable single sign on” checkbox on the “User sign-in” page (shown above) and that is all there is to it!
Let’s compare the user experience before and after enabling Single Sign On. Here is the user experience before:
and here is the user experience after implementing Single Sign On with AAD Connect (you’ll notice that I do not have to re-enter my password this time):
Note: In the demo videos, I have my home page set in a way that forces my custom branding before any user credentials are entered. You can do this by either creating a web redirect or setting your home page to: https://login.microsoftonline.com/login.srf?whr=your_domain.com (replace your_domain.com with your actual domain name!)
There is a lot of great documentation available about Single Sign On on the Microsoft website, I highly recommend that you check it out as well:
In today’s browser first, cloud first world, many organizations look at reducing risk by imposing strict session timeout settings on their productivity tools and applications. The idea generally is that if a user is not actively using and application for 10 –15 mins, they have completed the task they were working on and have forgotten to logoff correctly. This can be especially dangerous when these applications are accessed on shared terminals or public computers. Given that email remains a vitally important business tool for many organizations, reducing the session timeout on Exchange Online (and Exchange 2016) is a fairly common request and it is really simple to do.
By default, session timeout is enabled for OWA (let’s just call it that, shall we?) and it set to 6 hours. You can confirm this configuration via PowerShell using the Get-OrganizationConfig cmdlet:
There are two parameters in particular worth paying attention to:
ActivityBasedAuthenticationTimeoutEnabled
ActivityBasedAuthenticationTimeoutInterval
ActivityBasedAuthenticationTimeoutEnabled is pretty self-explanatory, you will want to keep it enabled if you intended to set the timeout interval. The ActivityBasedAuthenticationTimeoutInterval parameter controls the actual timeout interval in hh:mm:ss format where hh = hours, mm = minutes and ss = seconds. Note that this parameter has a range of 5 min - 8 hrs. Changes can be made using the Set-OrganizationConfig cmdlet, for example to set the timeout interval to 15 mins we'd issue the following cmd:
Azure Active Directory (AAD) conditional access is something I’ve been wanting to post about for a while now. A scenario I come across fairly often is the desire to prevent access or add an additional layer of security to certain Office 365 workloads when the user is connecting from a remote, non-corporate location. In the past, this could be achieved by making use of claims rules and Active Directory Federation Services (AD FS) which meant that it wasn’t possible for those organizations not making use of federated identities with Office 365.
AAD conditional access solves this problem and makes it really simple to apply access policies to AAD connected applications. Conditional access does require an AAD premium license (P1). In this post we’ll cover a simple location based scenario where we prevent users from accessing Outlook on the web (OWA) from outside of the organization’s network. In order to configure conditional access you will require:
Azure Active Directory premium licensing
Access to the Azure management portal (classic portal)
Conditional access policies are configured via the classic Azure management portal (http://manage.windowsazure.com). Locate “Active Directory” on the left-hand side, select your Office 365 directory and click the “Applications” option.
Next, select the “Office 365 Exchange Online” application and turn access rules “On” under the “Multi-factor authentication and location based access rules” section. You have the option of applying your rules to all users or select groups. You then select the “Block access when not at work” option. You also have to option to enforce MFA for an application which is useful if you would like to enable MFA only for specific applications or you could require MFA only when users are accessing the application from outside the corporate network.
It is important to ensure that you define your corporate network ranges by clicking link. All connections from locations outside the definted network ranges will be treated as remote.
Once configured, you will notice that users are still able to access the Office 365 portal however, once they click the mail option in the app launcher they will no longer be able to access Outlook on the web unless they are connecting from a approved location.
This is a very simple example of how to use location based access rules. It is also possible to configure device based access policies which provide an incredible amount of control over which devices can access your applications. I’ll cover device based access policies in a future post.
It’s here! We’ve all had to wait a little longer than usual for our yearly conference fix since Ignite in May last year, but the wait is finally over and here I am on the eve of Ignite 2016 in my hotel room in Atlanta. There are so many great speakers this year so I wanted to put together a short post listing some of them and highlighting some of the great Office 365 and Exchange sessions that I am personally looking forward to attending.
Monday:
Take control of your security and compliance with Office 365 (THR1003) - Caroline Shin: 12:30pm - 12:50pm, Microsoft Theater 4
Design global voice deployments with Skype for Business (THR3057) - Ståle Hansen: 1:30pm - 1:50pm, MVP Hub Talk 1
Learn how Microsoft IT governs SharePoint Online and Office 365 Groups (THR2031) - David Johnson: 5:40pm - 6:00pm, Microsoft Theater 4
Tuesday:
Debate the top 10 reasons not to move your Exchange on-premises mailboxes to Exchange Online (BRK2215) - Greg Taylor, Tony Redmond, Steve Conn: 9:00am - 10:15am, B401 – B402
Experience Scott Schnoll's Exchange tips and tricks (BRK3253) - Scott Schnoll: 10:45am - 12:00pm, B401 – B402
Meet twin sons of different mothers - Exchange Engineers and Exchange MVPs (BRK2219) - Tony Redmond, Jeff Mealiffe, Andrew Higginbotham, Jeff Guillet, Karim Batthish :12:30pm - 1:45pm, C112
Unplug with the experts on Exchange Server and Exchange Online (BRK2216) - Wendy Wilkes, Greg Taylor, Ross Smith IV, Jeff Mealiffe, Timothy Heeney: 2:15pm - 3:30pm, B401 – B402
Access intelligence in the Microsoft Graph and API (BRK3199) - Jon Meling, Andreas Eide: 4:00pm - 5:15pm, A311 – A312
Wednesday:
Run Microsoft Exchange Hybrid for the long haul (BRK3217) - Timothy Heeney, Nicolas Blank: 9:00am - 10:15am, Georgia Ballroom
Prepare for the future with Windows 10 & Office 365 - better together (THR3061) - Raphael Köllner: 10:20am - 10:40am, Expo Theater 2
Explore the ultimate field guide to Microsoft Office 365 Groups (BRK3001) - Tony Redmond, Benjamin Niaulin, Amit Gupta: 10:45am - 12:00pm, Georgia Ballroom
Understand the Microsoft Exchange Server 2016 Architecture (BRK3221) - Ross Smith IV, Mike Cooper: 12:30pm - 1:45pm, Georgia Ballroom
Migrate to Exchange Online via Exchange Hybrid (BRK3219) - Michael Van Horenbeeck, Timothy Heeney - 2:15pm - 3:30pm, Thomas Murphy Ballroom 2&3
Design your Exchange infrastructure right (or consider moving to Office 365) (BRK2093) - Adrian Moore, Boris Lokhvitsky, Robert Gillies: 4:00pm - 5:15pm, B312 – B314
Thursday:
Deploy Microsoft Exchange Server 2016 (BRK3220) - Jeff Guillet: 9:00am - 10:15am, Sidney Marcus Auditorium
Unplug with the experts on Microsoft Exchange Top Issues (BRK3000) - Nino Bilic, Nasir Ali, Amir Haque, Shawn McGrath, Timothy Heeney, Scott Landry, Gabe Bratton, Angela Taylor: 10:45am - 12:00pm, B401 – B402
Investigate tools and techniques for Exchange Performance Troubleshooting (BRK3007) - Jeff Mealiffe, Nasir Ali: 12:30pm - 1:45pm, Georgia Ballroom
Automate Exchange deployment with Powershell Desired State Configuration (THR3040) - Ingo Gegenwarth: 2:10pm - 2:30pm, Expo Theater 2
Deploy Microsoft Office 365 Client using Configuration Manager (BRK3002) - Amesh Mansukhani, Doug Davis: 4:30pm - 5:15pm, B211 – B212
There is so much great content this year that conflicts are inevitable. Many sessions are repeated throughout the conference, especially on Friday so be sure to look at the alternate times if you are torn between two sessions that are scheduled at the same time.
Outside of the content, there are a bunch of activities taking place this year. ENow Software will once again host one of their legendary “Scheduled Maintenance” parties, these are usually one of the must-attend events of any conference but are for registered guests only so hopefully you have already registered. QUADROtech has put an interesting spin on the Pokemon Go craze with their “QTmon” competition where contestants have the chance to win $2,220 in cash. Tony Redmond has a great post about this on his blog here, you can also visit this QUADROtech page for more info.
The modern attachments (aka cloudy attachments) feature in Outlook 2016 makes it simple for users to share documents stored in OneDrive for Business or SharePoint with each other as links instead of actually attaching the file and emailing it around. This is a great way to reduce the number of different document versions floating around the organization and helps promote collaboration and co-authoring. Once a cloudy attachment is attached to an email, the user can grant view only or edit permissions to the recipient and Exchange will automatically take care of applying the appropriate permission to the document.
This feature is available out of the box for Exchange Online users using Outlook 2016 and can be enabled for on-premises users with mailboxes on Exchange 2016 provided OAuth between Exchange 2016 and Office 365 has been configured properly and the appropriate prerequisites are in place, but what happens to on-premises customers who do not have Exchange 2016 deployed? The scenario is really interesting in that Outlook will still allow users to send cloudy attachments, but because the backend Exchange environment isn’t able to apply the appropriate permission to the document the recipient will be unable to view the attachment:
This behavior may confuse users and may not be desirable in some environments and while there is no way to specifically disable modern attachments, there is a workaround that may help achieve similar results. There are two options in Outlook that enable modern attachments:
The “Browse Web Locations” option allows users to select files from OneDrive for Business, SharePoint sites or Groups.
The “Recent items” list provides a list of recently saved documents and when these documents are saved to OneDrive for Business or SharePoint it will automatically provide the option to attach a cloudy attachment version of the document.
Disabling these two options in Outlook will effectively prevent users from being able to send cloudy attachments and change the user experience from this:
To this:
In order to do this, the following registry keys need to be added to the client machine for each user:
If you are using Outlook 2016 on Windows or Mac you will have noticed the recent addition of a one-click ‘Archive’ button to the ribbon. The addition of the archive button was announced at the end of February, but seems to have caught a bunch of customers by surprise and there appears to be some confusion about it’s intended purpose. If you are unfamiliar with the one-click ‘Archive’ button, here’s what it looks like:
The archive button is intended to make archiving email a one-click operation, but this does not archive email to an Online Archive and does not require users to have an Online Archive enabled. Instead, the button will file email to an ‘Archive’ folder in your existing mailbox. The intention here is that this button provides a single-click way to clean or declutter your inbox of messages that you have already read. It is important to understand the following about the archive button:
The archive button cannot be used to send email messages to the Online Archive.
Since the archive folder is a folder in the root of the mailbox, moving email to it will not reduce the overall size of the mailbox.
If a folder called ‘Archive’ does not already exist in the root of the mailbox, the user will be prompted to create one:
Certain organizations may feel like this creates confusion amongst their user community and would therefore like to automate the create of the ‘Archive’ folder in their user mailboxes. Fortunately, MVP (and fellow Aussie!) Glen Scales has a great solution for creating mailbox folders using PowerShell the EWS managed API. In order to use his module, you will need to download and install the EWS managed API from here. Once installed, you will need to connect to Exchange Online via remote PowerShell and import the module. It them becomes a matter of using the Create-Folder cmdlet included in the module. The module has few parameters and a lot of other functionality but we only need the following:
functionLoad-EWSManagedAPI{param()Begin{## Load Managed API dll###CHECK FOR EWS MANAGED API, IF PRESENT IMPORT THE HIGHEST VERSION EWS DLL, ELSE EXIT$EWSDLL=(($(Get-ItemProperty-ErrorActionSilentlyContinue-PathRegistry::$(Get-ChildItem-ErrorActionSilentlyContinue-Path'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Web Services'|Sort-ObjectName-Descending|Select-Object-First1-ExpandPropertyName)).'Install Directory')+"Microsoft.Exchange.WebServices.dll")if(Test-Path$EWSDLL){Import-Module$EWSDLL}else{"$(get-date -format yyyyMMddHHmmss):""This script requires the EWS Managed API 1.2 or later.""Please download and install the current version of the EWS Managed API from""http://go.microsoft.com/fwlink/?LinkId=255472""""Exiting Script."exit}}}functionConnect-Exchange{param([Parameter(Position=0,Mandatory=$true)][string]$MailboxName,[Parameter(Position=1,Mandatory=$true)][System.Management.Automation.PSCredential]$Credentials)Begin{Load-EWSManagedAPI## Set Exchange Version$ExchangeVersion=[Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1## Create Exchange Service Object$service=New-ObjectMicrosoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)#Credentials$creds=New-ObjectSystem.Net.NetworkCredential($Credentials.UserName.ToString(),$Credentials.GetNetworkCredential().password.ToString())$service.Credentials=$creds#CAS URL hardcoded for Exchange Online$uri=[system.URI]"https://outlook.office365.com/EWS/Exchange.asmx"$service.Url=$uriif(!$service.URL){throw"Error connecting to EWS"}else{return$service}}}functionCreate-Folder{param([Parameter(Position=0,Mandatory=$true)][string]$MailboxName,[Parameter(Position=1,Mandatory=$true)][System.Management.Automation.PSCredential]$Credentials,[Parameter(Position=2,Mandatory=$true)][String]$NewFolderName)Begin{$service=Connect-Exchange-MailboxName$MailboxName-Credentials$Credentials$NewFolder=new-objectMicrosoft.Exchange.WebServices.Data.Folder($service)$NewFolder.DisplayName=$NewFolderName$NewFolder.FolderClass="IPF.Note"#Bind to the MsgFolderRoot folder$folderid=new-objectMicrosoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot,$MailboxName)$EWSParentFolder=[Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,$folderid)#Define Folder Veiw Really only want to return one object$fvFolderView=new-objectMicrosoft.Exchange.WebServices.Data.FolderView(1)#Define a Search folder that is going to do a search based on the DisplayName of the folder$SfSearchFilter=new-objectMicrosoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.FolderSchema]::DisplayName,$NewFolderName)#Do the Search$findFolderResults=$service.FindFolders($EWSParentFolder.Id,$SfSearchFilter,$fvFolderView)if($findFolderResults.TotalCount-eq0){Write-host("Folder Doesn't Exist")-ForegroundColorYellow$NewFolder.Save($EWSParentFolder.Id)Write-host("Folder Created")-ForegroundColorGreen}else{Write-error("Folder already Exist with that Name")}}}#Define tenant credentials$Credentials=Get-Credential#Define mailboxes that need the archive folder created# Get all mailboxes$Mailboxes=Get-Mailbox-ResultSizeUnlimited|Where-Object{$_.Name-notlike"DiscoverySearchMailbox*"}#Or import a list of mailboxes from .txt# $Mailboxes = Get-Content C:\Temp\Mailboxes.txt#Create the folderForEach($MailboxNamein$Mailboxes){Write-host"Processing $MailboxName"-ForegroundColorYellowCreate-Folder-MailboxName$MailboxName.PrimarySmtpAddress-NewFolderNameArchive-Credentials$Credentials}
Once the ‘Archive’ folder has been created, it will become the destination for all messages that are selected when the ‘Archive’ button is clicked.
A word of caution: If you have a large number of mailboxes, you may run into throttling issues if you attempt to do this on all mailboxes at the same time so it is definitely worth considering a phased rollout in larger environments.
I've been traveling this week and spent a couple of days in Washington D.C were I presented two sessions at a small technology conference for overseas schools (K-12). I had a great time presenting and interacting with attendees from all over the world - my Microsoft focussed sessions definitely stood out at a conference heavily dominated by Google.
The highlight of my week was the email I received this morning from the Microsoft MVP program presenting me with a 2016 MVP award. This is my third MVP award and as always I'm honored to part of the MVP community. I'm very fortunate to have the opportunity to interact with so many folks who I admire and respect as often as I do.
I've just published an updated version of my Connect-EXO.ps1 script. This version, (version 3.2) includes a very minor fix for those using German language keyboards. This update is the result of testing and feedback from the TechNet community and I wanted to thank all those involved.
I have been planning some big updates to this script and work on version 4.0 will begin soon - watch this space!
