Category: Office 365

Enable Modern Authentication for Office 2013
article #1446, updated 30 days ago

It’s by registry entry:

https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/enable-modern-authentication?view=o365-worldwide


==============

When AD -> Azure Sync Fails or Needs Set Up for a User
article #1417, updated 35 days ago

There are many ways of doing this. Here is one way to bring everything into a single consistent behavior, a landing place from which you can vary slightly at need.

This presumes that you have Azure/AD sync installed and working in general, and that it is yielding errors in the Synchronization Service window for one or more users. Make sure that you don’t have duplicate email addresses in AD; that could be bad.

The first steps are in Active Directory Users and Computers.

  1. Set the user’s email correctly in his/her AD object, in “E-mail” under General.
  2. Set proxyAddresses in the Attribute Editor. The primary email address has to be the same, and in proxyAddresses has to be of the format “SMTP:email@domain.com”. There can be other addresses in proxyAddresses, but for those “smtp” must be lowercase. Also in proxyAddresses, set mailNickname blank.
  3. Under Account, either the user login name plus the dropdown domain is to be the same as the above, or it is to be a valid login according to the O365 console. If the dropdown domain list is local only, you can add the Internet domain list in Active Directory Domains and Trusts, with a right-click on the root level in the left pane of that window, and then an add of one or more alternative UPN suffixes. Then restart ADUC and the domain(s) you just added will be available in the dropdown.
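
The three steps above can be checked in one pass before a sync is attempted. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is available, only reads from AD, and the function name Test-SyncReadiness is hypothetical.

```powershell
# Added example: read-only pre-flight check for one AD user (ActiveDirectory module).
Import-Module ActiveDirectory

function Test-SyncReadiness {
    param( [Parameter(Mandatory)][string]$UserPrincipalName )

    $user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
        -Properties mail, proxyAddresses, mailNickname
    if (-not $user) { throw "No AD user with UPN $UserPrincipalName" }
    $problems = @()
    $notes = @()

    # Steps 1 and 2: exactly one uppercase "SMTP:" entry, equal to the E-mail field.
    # -clike is case-sensitive, so lowercase smtp: aliases are not counted.
    $primary = @($user.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems += "Expected 1 uppercase SMTP: entry, found $($primary.Count)"
    }
    elseif ($primary[0].Substring(5) -ne $user.mail) {
        $problems += "Primary '$($primary[0])' differs from E-mail '$($user.mail)'"
    }

    # Step 2: mailNickname is expected to be blank.
    if ($user.mailNickname) { $problems += "mailNickname is set: $($user.mailNickname)" }

    # Step 3: a UPN that differs from the address is allowed if O365 accepts it.
    if ($user.UserPrincipalName -ne $user.mail) {
        $notes += "UPN differs from E-mail; confirm it is a valid O365 login"
    }

    # Duplicates: no address on this user may sit on any other AD object.
    # LDAP comparison of proxyAddresses ignores case (SMTP: and smtp: both match).
    foreach ($entry in @($user.proxyAddresses | Where-Object { $_ -like 'smtp:*' })) {
        $others = Get-ADObject -LDAPFilter "(proxyAddresses=$entry)" |
            Where-Object { $_.ObjectGUID -ne $user.ObjectGUID }
        foreach ($o in $others) { $problems += "$entry is also on $($o.DistinguishedName)" }
    }

    [pscustomobject]@{
        User     = $user.UserPrincipalName
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
        Notes    = $notes
    }
}

# Placeholder UPN, as in the article's script.
Test-SyncReadiness -UserPrincipalName 'active_directory_user@companynetwork.com' |
    Format-List
```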

Now we do some other things.

  1. Run Azure/AD sync. This is CMD; do it as administrator:
repadmin /syncall /AdeP
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command ^
"Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta"
  2. If you see errors in the Synchronization Service window, you’ll need something called a “hard match”, which changes enough to connect the AD user with the Azure user. Here’s a script for it, in Powershell. You’ll need to run it as administrator on a domain controller, and it will ask you to log into the O365 tenant. Items of note:
  • This uses something called UPN, UserPrincipalName. While Azure’s UPN is the O365 “primary email address”, Active Directory’s UPN is the double item under Profile in AD, the username plus the domain dropdown.
  • If you use this approach, the Office 365 login is changed to be the same as the AD login — which is a good thing in the net result, it keeps things very consistent and predictable.
  • Once the hard match is complete, you can change anything on the AD side and it will mirror up to Azure.
############################################
# Active Directory / Office 365 Hard Match #
############################################

$ADUPN = 'active_directory_user@companynetwork.com'
$AzureUPN = 'azure_user@companynetwork.com'

'############################################'
'# Active Directory / Office 365 Hard Match #'
'############################################'
''

'Initiating prep for hard match.'
"Active Directory : $ADUPN"
"Azure AD :         $AzureUPN"
''

# Sets TLS version.  Necessary for some platforms.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$reportStatus = ''
$currentOp = ''
function ShowProgress {
	param( [string]$reportStatus, [string]$currentOp )

	Write-Progress -Activity "Hard Match" -Status $reportStatus -PercentComplete -1 -CurrentOperation $currentOp
	# Write-Progress is not compatible with some remote shell methods.

}

Function PrepareModule {
	param( [string]$ModuleName )

	If (Get-Module -ListAvailable -Name $ModuleName)
		{ Update-Module $ModuleName }
	Else
		{ Install-Module $ModuleName }
	}

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force > $null

'Preparing Powershell environment...'

# PowerShell functions take space-separated arguments. Calling ShowProgress("a","b")
# would pass a single two-element array as the first parameter.
ShowProgress "Preparing Powershell environment..." "Setting up to use Powershell Gallery..."

ShowProgress "Preparing Powershell environment:" "Setting up to use package provider NuGet..."
Install-PackageProvider -Name NuGet -Force | Out-Null

# This appears to set PSGallery nicely when need be
Register-PSRepository -Default -InstallationPolicy Trusted 2> $null
Set-PSRepository -InstallationPolicy Trusted -Name PSGallery

ShowProgress "Preparing Powershell environment..." "Checking/preparing module NuGet..."
PrepareModule "NuGet"
ShowProgress "Preparing Powershell environment..." "Checking/preparing module AzureAD..."
PrepareModule "AzureAD"

''
'Setting up hard match...'
''

'Connect to AzureAD:'
Connect-AzureAD

''
'Turn off AZ/AD Sync...'
''

Set-ADSyncScheduler -SyncCycleEnabled $false

"Now get original Azure ImmutableID for $AzureUPN ..."
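# -ObjectId accepts a UPN and returns exactly that user; -SearchString is a
# prefix search and can return more than one account.
$AzureUser = Get-AzureADUser -ObjectId $AzureUPN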
$OriginalAzureImmutableID = $AzureUser.ImmutableID
"Extracted Azure ImmutableID: $OriginalAzureImmutableID"
""
""
"And now extract AD GUID for $ADUPN ..."
ldifde -f export.txt -r "(Userprincipalname=$ADUPN)" -l *
$ADGUID = (-split (type export.txt | select-string "ObjectGUID"))[1]

''
"Extracted AD GUID: $ADGUID"
""
""
'Set AD GUID as Azure ImmutableID...'
Set-AzureADuser -ObjectID $AzureUser.ObjectID -ImmutableID $ADGUID

''
'New Azure ImmutableID retrieved as confirmation:'
# Look the user up by exact UPN so only this one account is returned.
$AzureUser = Get-AzureADUser -ObjectId $AzureUPN
$AzureUser.ImmutableID

''
'Finally, turn on AZ/AD Sync again...'

Set-ADSyncScheduler -SyncCycleEnabled $true

'Done!'
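
The script above copies the Base64 objectGUID from the ldifde export into Azure's ImmutableID. The following added example, which is not part of the original script, shows that relationship and a way to confirm the match afterwards. It assumes objectGUID is the sync source anchor, as the script does; the function names and the sample GUID are constructed for illustration.

```powershell
# Added example: confirm that a hard match took, by comparing identifiers.
# The ImmutableID is the Base64 encoding of the 16 raw bytes of the AD objectGUID.

function ConvertTo-ImmutableId {
    param( [Parameter(Mandatory)][guid]$ObjectGuid )
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param( [Parameter(Mandatory)][string]$ImmutableId )
    $bytes = [Convert]::FromBase64String($ImmutableId)
    # Anything other than 16 bytes was not derived from a GUID.
    if ($bytes.Length -ne 16) { throw "Not a GUID-derived ImmutableID: $ImmutableId" }
    [guid]::new([byte[]]$bytes)
}

function Test-HardMatch {
    param(
        [Parameter(Mandatory)][guid]$ADObjectGuid,
        [string]$AzureImmutableId
    )
    # An empty ImmutableID means the Azure user is still cloud-only.
    if ([string]::IsNullOrWhiteSpace($AzureImmutableId)) { return $false }
    # Compare as GUIDs, so stray whitespace in the Base64 text cannot mislead.
    (ConvertFrom-ImmutableId $AzureImmutableId.Trim()) -eq $ADObjectGuid
}

# Offline round trip with a constructed GUID (not a real account).
$sample = [guid]'11111111-2222-3333-4444-555555555555'
$id = ConvertTo-ImmutableId $sample
"Sample ImmutableID : $id"
"Round trip matches : $(Test-HardMatch -ADObjectGuid $sample -AzureImmutableId $id)"

# Live check, reusing the script's $ADUPN and $AzureUPN and its Azure AD session:
# $ad = Get-ADUser -Filter "UserPrincipalName -eq '$ADUPN'"
# $az = Get-AzureADUser -ObjectId $AzureUPN
# Test-HardMatch -ADObjectGuid $ad.ObjectGUID -AzureImmutableId $az.ImmutableId
```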


==============

The Office 365 console...
article #1424, updated 162 days ago

…is often like a flying carpet in a hurricane.


==============

Connect PowerShell to Exchange Online / Office 365 / Azure
article #804, updated 384 days ago

The following method is the Microsoft-recommended current one. You may need to use Install-Module instead of Update-Module depending on pre-existing installations et cetera:

Set-ExecutionPolicy RemoteSigned -Force -Scope Process
Update-Module -Name ExchangeOnlineManagement
Update-Module -Name AzureAD
Update-Module -Name MSOnline
Import-Module -Name ExchangeOnlineManagement
Import-Module -Name MSOnline
Import-Module -Name AzureAD
Connect-ExchangeOnline -UserPrincipalName login@domain.com -ShowProgress $true

The following method is the previous one, and is the one which works on pre-Windows-10 systems and/or Powershell before 5.1:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

When you’re done, be sure to do the following afterwards, or you may have to wait for automatic session expiration.

Remove-PSSession $Session


==============

Convert Exchange Online / Office 365 Mailbox from AD Sync to Cloud Only
article #1368, updated 465 days ago

In administrative Powershell:

  1. Install-Module AzureAD
  2. Install-Module MSOnline
  3. Connect-AzureAD
  4. Connect-MsolService

In Active Directory Users and Computers, remove the user object from the OU being AD-synced. Then complete an Azure/AD sync cycle. Then:

  1. Restore-MsolUser -UserPrincipalName users_login_probably_email
  2. Set-MsolUser -UserPrincipalName users_login_probably_email -ImmutableId "$null"

Do the last step before the next automatic AD sync!


==============

Filter On-Prem Exchange Attributes for Azure AD Sync and Office 365 Migration
article #1379, updated 498 days ago

A couple of links:

https://itpro-tips.com/2019/this-users-on-premises-mailbox-hasnt-been-migrated-to-exchange-online/

https://answers.microsoft.com/en-us/msoffice/forum/all/this-users-on-premise-mailbox-hasnt-been-migrated/5735f499-7079-42a4-a5e9-8da275404d09


==============

Upload Huge PSTs to Exchange Online / Office 365 Using AzCopy
article #1373, updated 499 days ago

One can use this to import really big ones, dozens of gigabytes in size, imports which will crash, hang, and otherwise cough on Outlook very easily. Runs directly to folders inside of mailboxes. The amazing Yvonne Wynkoop found the first really good set of instructions we have seen:

blog.natfan.io/importing-psts

Mysteries do abound about the Microsoft-provided command line tool AzCopy, not the least being the fact that there is a version 10 and a version 8.1. Items as of this writing:

  • Version 8.1 is downloadable from Office 365, and works. Have no clue what 10 is for.
  • Usage and download of it is now through Office 365 Security & Compliance, Information Governance, Import.
  • When you run it for an upload, add “/NC:2” to the end of the command line. This increases its speed and stability quite a lot, and prevents timeouts. Default is reportedly 24. Perhaps the developers are sitting on Google Fiber?
  • If it times out, just restart it carefully; it will usually continue where it left off.

If the above works for you, use the same number when downloading PSTs from eDiscovery, via registry edit:

https://docs.microsoft.com/en-us/microsoft-365/compliance/increase-download-speeds-when-exporting-ediscovery-results?view=o365-worldwide

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\eDiscovery\ExportTool]
"DownloadConcurrency"="2"


==============

Improve speed and prevent timeouts downloading PSTs from Office 365
article #1311, updated 503 days ago

If you let the eDiscovery Export Tool time out, it will eventually give you a link:

https://docs.microsoft.com/en-us/office365/securitycompliance/increase-download-speeds-when-exporting-ediscovery-results

which has the registry edit below. No explanation is given, but it does say that adjustment of the number (in some direction?) can help.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\eDiscovery\ExportTool]
"DownloadConcurrency"="2"


==============

New Exchange Online connectivity for Powershell
article #1357, updated 596 days ago

New methods, reportedly considerably better, have not tested yet myself:

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/exchange-online-powershell-v2?view=exchange-ps


==============

Turn Off Azure AD Sync via Powershell
article #1334, updated 737 days ago

  1. Install the Azure Active Directory Module for Powershell.
  2. Connect to Azure AD, and disable sync:
Set-MsolDirSyncEnabled -EnableDirSync $false
  3. Check status, repeatedly, until it returns False. It can take 72 hours for sync to be fully deactivated.
(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
