Category Archives: Microsoft Azure

Everything about Azure and Cloud technology

Active Directory, Exchange 2016, Exchange 2019, Exchange Online, Microsoft Azure, Microsoft Azure Active Directory Sync, Microsoft Exchange, Office 365

How to Sync Cloud User to On-premises AD ?

4 Comments

The Story:

I have got this client who constantly keeps on making the mistake of create user from Cloud and provision them with a license in an Exchange Hybrid environment.

Although this is not difficult to fix but it’s not the recommended approach when creating a new user especially in a Hybrid environment since Exchange on-premises won’t recognize this user and most likely will consider any incoming emails from it as spoof or spam.

How to Create a Cloud user from Exchange On-premises?

From Exchange on-premises ECP Admin panel you have the option to directly create user on-cloud which will also create a user object on on-premises AD.

image

Second option – Using Powershell

It’s not that much different than the Web UI option but it’s just for people who prefer using PowerShell than GUI

Enable-RemoteMailbox –Identity User –RemoteRoutingAddress user@yourTenant.mail.onmicrosoft.com

The reason to follow those two methods is due to the need of Exchange on-premises being aware of each of those users so mail flow between Exchange on-premises and Online would not get affected and route this users mail to the wrong place or flag it as spammed or spoof …etc.

The Real Question now is: How to Sync Cloud User to On-premises AD ?

If by mistake we created a user on Cloud (Office 365) and we forgot to create an AD User for this account, that user might already have started using his account on Office 365 (Sharepoint, Exchange, Teams) etc.

There also might be the intention of moving users from Cloud to On-premises Exchange in case the company wanted to decrease their spending on cloud users and in this case when Migrating a cloud user to on-premises you will get the following errors:

image

test3@domain.com

Status: Failed

test3@domain.com Skipped item details

User status

Data migrated:

Migration rate:

Last successful sync date:

Error: MigrationPermanentException: Cannot find a recipient that has mailbox GUID ‎’03c9764e-8b8e-4f33-94d1-ef098c4de656‎’. –> Cannot find a recipient that has mailbox GUID ‎’03c9764e-8b8e-4f33-94d1-ef098c4de656‎’.

So how do we overcome this situation since syncing a user might require you to delete the cloud user and recreate it on AD?

Solution:

To sync the user from the Cloud to on-premises you will need to follow these steps :

1- Create an on-premises Mailbox where the following attributes would be matching the cloud user

  • UserPrincipalname
  • ProxyAddresses
  • SamAccountName
  • Alias

2- The Location of the OU where the On-premises user is going to be created must be provisioned by ADConnect (Azure AD Connect)

You can look which of these OU are provisioned by Starting AD Connect Sync Manager

image

By verifying the user you created in the AD is in the right OU, You can now start AD Sync from PowerShell to speed up the process.

image

Below, You can see the user has been successfully synchronized to the cloud without any issue.

image

Now we’ll see it from the portal to confirm the user is synced with AD

image

Depending on the Source anchor being used in ADConnect there might be a GUID conflict or not, You will get an error similar to when trying to migrate the user in the beginning however you can solve this by replacing the cloud user’s GUID (ImmutableID) with the on-premises user which will force the user to merge with the On-prem user.

Let’s confirm in our case if the user on-cloud has a matching GUID with the one on-premises.

From AD run CMD or Powershell you can use the following command to get the user’s ImmutableID (ObjectGUID) .

ldifde -f c:\Test.txt -d “cn=Test3,DC=Domain,DC=com”

image

From Notepad checking the user we just exported you can see the Immutable ID on AD for the User test3 is IkTni9mw7Ee4YefeGpz7IA==

image

To be able to see the user on Office 365, We need to logon to MSOL through Exchange Online PowerShell

Connect to Exchange Online’s powershell using your Online ECP.

image

Once you click on Configure this should download an executable file that will launch PowerShell Online which allows you to use the Modern Authentication (MFA) to use PowerShell safely.

image

Connect-Msoluser will connect you to Office 365 and you’ll be able to get the user’s properties and see if the Immutable ID is matching to the user’s GUID.

Once you’re connect you can use the following cmdlet to get the user’s properties.

Get-MsolUser -UserPrincipalName test3@domain.com |fl DisplayName,ImmutableID

image

You can see they are matching each other, In case there’s a conflict then you can simply set the online user’s Immutable ID to match the on-premises user’s ImmutableID.

Once done, Go and force ADConnect to sync the user and you’ll see if the problem has been resolved. The command for changing the Immutableid is as follows:

Set-MsolUser -UserPrincipleName test3@domain.com -ImmutableID IkTni9mw7Ee4YefeGpz7IA==

Ref:

https://support.microsoft.com/en-us/help/2956029/migrationpermanentexception-cannot-find-a-recipient-that-has-mailbox-g

https://docs.microsoft.com/en-us/exchange/hybrid-deployment/create-cloud-based-archive

Exchange Online, Microsoft Azure, Office 365

Export Office 365 users from specific domain and change their passwords

Leave a comment

First of all you will need to connect to your tenant with your global admin account using the following script

Import-Module MSOnline

$O365Cred = Get-Credential

$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUrihttps://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

Connect-MsolService –Credential $O365Cred

After connecting you will need to type the following command line which will export all users in a specific domain that’s added to your portal if you have more than one domain added there.

Get-MsolUser -DomainName Domain.com | Select UserPrincipalName | Export-Csv C:\users.csv –NoTypeInformation

clip_image001

Change passwords for those users by using the following command and pressing enter you’ll be giving a line to enter your new password that you wanna set for all users in the exported file.

$PASS = Read-Host

clip_image002

Run this command to change the passwords

Import-Csv C:\Users.csv | % {Set-MsolUserPassword -userPrincipalName $_.UserPrincipalName -NewPassword $PASS -ForceChangePassword $True}

clip_image003

That’s it. Now users inside the exported csv file have the new password which you have just set.

Note that users will be prompted to reset their passwords upon login, if you don’t want this to happen you can remove the -ForceChangePassword $True parameter.

del.icio.us Tags: Office365,Office 365,Exchange Online,Azure

Microsoft Azure, Office 365

Copy Immutable ID and Proxy Addresses from Azure to Active Directory

Leave a comment

Matching Users after migrating to new Active Directory Forest

Installing ADConnect in a new forest for the same users which have been migrated to a new Active Directory forest

In order to do so you will have to launch Azure powershell in admin mode and connect to MSOL service as in the following snapshot

$cred = get-credential
After connecting then type/copy the following 
Get-MsolUser -ReturnDeletedUsers -All | Out-GridView

clip_image001[5]

Once you type enter a GUI will come up showing you all the deleted users list, you should delete any old non-usable account that has similar attributes to the ones that you’re about to Sync from the AD to O365. 

clip_image002[4]

Once you’re sure about what do you want to delete you can go ahead with the following Command to delete the users

Note:
You must be sure that when you run this command, you will no longer be able to restore any deleted item or object later on.

Get-MsolUser -ReturnDeletedUsers -All | Remove-MsolUser -RemoveFromRecycleBin -Force –Verbose

clip_image003[4]

Now you should run the following Script on the same open power shell in order to start the copying process. 

Import-Module Msonline
Import-Module ActiveDirectory
$cred = Get-Credential
Connect-MsolService -Credential $cred
$onlineusers = Get-MsolUser -All
$adusers = Get-ADUser -Filter *

Press enter and when you want you get prompted to select an option choose 1 and enter

clip_image004[4]

Note:If you would like to receive the powershell script please don’t hesitate to contact me. 

After the copy is finished you can match for yourself the list of ImmutableID along with the GUID 
Ldifde -f dump.txt

Dump.txt

clip_image005[4]
clip_image006[4]

Microsoft Azure, Microsoft Azure Active Directory Sync

AZURE ACTIVE DIRECTORY SYNC EVENT ID 906 FAILED WHILE PURGING RUN HISTORY INVALID NAMESPACE

Leave a comment

Symptoms: 

You may notice that when you try to run the Sync command DirectorySyncClientCmd it doesn’t do anything and just closes right away.

If you open your Event viewer you may notice that you are getting the following event

image

Failed while Purging Run History

Invalid namespace
at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode) at System.Management.ManagementScope.InitializeGuts(Object o) at System.Management.ManagementScope.Initialize() at System.Management.ManagementObjectSearcher.Initialize() at System.Management.ManagementObjectSearcher.Get() at Microsoft.Azure.ActiveDirectory.Synchronization.DirectorySyncClientCmd.Program.PurgeRunHistory(TimeSpan purgeInterval) at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description) at Microsoft.Azure.ActiveDirectory.Synchronization.DirectorySyncClientCmd.Program.Main(String[] args)

Cause:

This happens when the WMI object had unregistered itself which might be caused by another tool installed or uninstalled at the time when the problem started to occur.

Resolution:

To resolve the issue, you ‘ll have to run few command lines… each are explained below

mofcomp “D:\Program Files\Microsoft Azure AD Sync\Bin\mmswmi.mof”

As it shows in the command screenshot below the ‘mofcomp’ parses the MMS (FIM) wmi file and goes through the process of adding the classes  to the WMI repository.

image

regsvr32 /s “D:\Program Files\Microsoft Azure AD Sync\Bin\mmswmi.dll”

Registers the WMI mmswmi.dll file to the server.

image

net stop winmgmt /y

image

net start winmgmt
net start “IP Helper”
net start “User Access Logging Service”
net start “Microsoft Azure AD Sync”

image

D:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe”

clip_image001
clip_image002
clip_image003
clip_image004
image

References:

– https://social.technet.microsoft.com/Forums/en-US/cafd290d-d1a8-4d15-b4db-d79460216438/azure-ad-sync-error?forum=WindowsAzureAD

– http://blogs.technet.com/b/latam/archive/2015/06/01/erros-1603-ao-instalar-o-aadsync-microsoft-azure-active-directory-sync-services.aspx

Microsoft Azure

Add multiple endpoints or port range to an Azure Virtual Machine

Leave a comment

If you ever needed to add multiple ports or range of ports endpoints to a particular Virtual machine on Azure. you might have a difficulty doing this since it’s not allowed by design and that will require time to do this manually for range of ports. that’s where this article comes handy.

To achieve this first you will need to connect to your Azure subscription on Azure powershell. Azure PowerShell.

Run Azure powershell as an administrator and type the following cmdlet to get your subscription info

Get-AzurePublishSettingsFile

clip_image001

This will open a page and ask you to sign in to your Azure user account and download a file called Visual Studio Premium with MSDN-DATE-credentials.publishsettings

clip_image002

In the powershell you will have to navigate to where the file is located. And import the settings that have just been downloaded in that file

Import-azurepublishSettingsFile `.\Visual Studio FileLocation`

clip_image003

You can check for your account and Subscription, using Get-azureaccount script

clip_image004

Now I have setup a ubuntu Machine on Azure that hosts Openfire Chat server which requires 10000-10005 port range for the media service. On Azure Web interface the port range option is not yet supported. The only available option is through powershell which will open the required port range for us.

To do so I’ll use the following cmdlet highlighting the required information to enter

To create endpoints for ports 10000-10005:

$vm = Get-AzureVM -ServiceName moh10ly -Name ubunut-mohammed ; 10000..10005 | ForEach { $VM | Add-AzureEndpoint -Name TestEndpoint$_ -Protocol TCP -LocalPort $_ -PublicPort $_} ; $vm | Update-AzureVM

To Acquire your service name, you can simply login to Azure portal and check out All Items and see the cloud service name .. Just like the below screenshot

clip_image005

To Check your VMname simply navigate to Virtual machines tab and on the right side you can see the name.. I have copied it as well in the command.

clip_image006

Once you edited the cmdlet with your information you can enter it in the Powershell and enter

It should return something like this.

clip_image007

Once finished you can check Azure end point portal for the new ports configuration

clip_image008

Here we go .. Ports are created in Azure

clip_image009

To remove the endpoints for ports 10000-10005:

$vm = Get-AzureVM -ServiceName moh10ly -Name ubunut-mohammed ; 10000..10005 | ForEach { $VM | Remove-AzureEndpoint -Name TestEndpoint$_} ; $vm | Update-AzureVM