Category Archives: Exchange Online

Checking and Providing Full and SendAs delegate access on O365 Exchange Online

Delegate Permissions

This is a code that I have wrote recently to check if an account have Full and SendAs access on target mailboxes in CSV and give the option to choose whether to provide this access or not.

Checking First:

You’ll need to provide two things to get this code working, First the Source account that will need access to the mailboxes. in this case referred to as “ServiceAccount”.

CSV List of Mailbxoes:

You’ll need to provide list of Mailboxes of the users you’d like to provide access to, the List must be user’s Identity either UPN or SMTP would be fine.

The Service account’s Identity must be the UPN attribute.

If you would like to improve this code please do comment or get in touch directly

Thanks

#Connect to Exchange
#Connect & Login to ExchangeOnline (MFA)

try
{
    Get-Clutter -Identity user@domain.com -ErrorAction Stop > $null
}
catch 
{
Connect-ExchangeOnline
}

    $Users = import-csv 'C:\CSV\MailboxListIsHere.csv'
    $ServiceAccount = 'Your Account that will access other Mailboxes' #// Please change the SVC account before running the code
    

        foreach ($User in $users)
        {
            $Mailbox = $User.Identity
            
            #Checking Full Access
            $Full = Get-MailboxPermission -Identity $Mailbox -User $ServiceAccount
            If ($Full.AccessRights -eq "FullAccess")
            {
                Write-Host -f Green $($ServiceAccount) "Already has Full access to $Mailbox."}
            
                    Else
                    {
                        $Answer1 = Read-Host "Do you want to assign $($ServiceAccount) Full access to $Mailbox (Yes or No)"
                        If ($Answer1 -eq "Yes")
                            {
                                Try{
                                    Add-MailboxPermission -Identity $Mailbox -User $ServiceAccount -AccessRights FullAccess
                                    Write-Host -f DarkGreen $($ServiceAccount) "Send-as access has been added to $Mailbox"
                                    }
                           
                            Catch{ ($Full.AccessRights -eq "FullAccess")}
                            
                        }
                        
                    }
                
                $SendAs = Get-RecipientPermission -Identity $Mailbox -Trustee $ServiceAccount -AccessRights SendAs
                if($SendAs.AccessRights -eq "SendAs") {
                    Write-Host -f Green $($ServiceAccount) "Already has SendAs access to $Mailbox."
                    }
                    Else
                    {
                        $Answer2 = Read-Host "Do you want to assign $($ServiceAccount) Send-as access to $Mailbox (Yes or No)"
                        If ($Answer2 -eq "Yes")
                            {
                                Try{
                                    Add-RecipientPermission -Identity $Mailbox -AccessRights SendAs -Trustee $ServiceAccount
                                    Write-Host -f Green $($ServiceAccount) "has Send-as access on $Mailbox"
                                }
                            Catch{($SendAs.AccessRights -eq "Sendas")}}
                            else{Exit}
                        }
                    }
        }
            
        

550 relay not permitted distribution group contact

550 relay not permitted distribution group contact

Symptoms

When trying to add an external contact inside a Distribution group. A failure delivery mail with the following NDR is returned.

Delivery has failed to these recipients or groups:

Externalcontact@domain.com

Your message couldn’t be delivered and there was no valid enhanced status code being issued by the remote mail system to determine the exact cause, status: ‘550 relay not permitted’.

The following organization rejected your message: mxserver

Header

Diagnostic information for administrators:

Generating server: server
Externalcontact@domain.com

Remote Server returned '550 relay not permitted'

Original message headers:

Resent-From: <inboundemail@Exchangedomain.com>
Received: from 
with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521) id 15.1.2375.17; Wed, 15
 Dec 2021 11:53:30 -0500
Received: from mail-ot1-f41.google.com (209.85.210.41) by
 with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.2375.17 via Frontend
 Transport; Wed, 15 Dec 2021 11:53:30 -0500
Received: by mail-ot1-f41.google.com with SMTP id a23-20020a9d4717000000b0056c15d6d0caso25610296otf.12
        for <inboundemail@Exchangedomain.com>; Wed, 15 Dec 2021 08:53:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
        bh=rR2IMeF7H4JDA9rxaP9qe9SS4+k1fEFk6/Y7HUCR5us=;
        b=NV4VaI1l4JibchEYURu8Z0pAkxU2Km1s5xNxC3pE+vHL/7vd77ut2ri0zUvBqMRcLr
         kOSnRYnDeMnc7EAbsOJRP2oSx6afnHB1yN8WjMijDE/Va/0jOp7Ni4K0PTXIyz2X0W5i
         VPQuoTgOsyKkjN+HZqVpXgxHy8RyRNkiTnUsutwRIZZWevIoHC/p0cwad8yN6tIdCVif
         IMkACRMkA0HeAzBR/v0ctAChdUpkbcBXA+85hbuO2O8CQdXBCBCf4EzpjqiI97QK24yf
         oedS61hmS2qb2zFQ6f8qxmYBgxdK4lQWdI9TdurXmpnQHBKZFIqW56US0cMQ3jCpSF9q
         Se2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to;
        bh=rR2IMeF7H4JDA9rxaP9qe9SS4+k1fEFk6/Y7HUCR5us=;
        b=qVj/PXzNyVqwff+McPc2WmcrhKnU1KzHFugZOqxTRB+v+IKASjxOXzq4oernUflv1P
         ApDShejS2jAO6czxgamOrV4i4E7MUlqM1ZOAORM1+ZZiicTPhLk4ybx88t6Ex6xWG8x1
         CayHD9LjorI/UGhs60fFXpfxREnRvz1mMXk4RQlUVGn7oQvlJZaApknskvs/KDaxB3K4
         l1HvunANu25x9/zmf6OuJEkNuhUQWPnh5TESf52pLknaUmeHBA9Ff4LhEFLoyuj2KwxX
         jDfyvQ3RRs8kN3S+IQntHrukyU6cIy4xskUiSzOUa4wb/b6SfSu7sVb5wy/3MzUcPfwQ
         NJuA==
X-Gm-Message-State: AOAM532yV7/oLUbulh/fnSKX/dvcwEJRrBUakKGRB2AAjJBFmHgQ1juk
	htSdNKTpkhrpu4K0SDKv8LbcseSolYSLvjbVKAFNgKmI1m/3Fg==
X-Google-Smtp-Source: ABdhPJyCyLPmOHEOsFfrUD36h6e5hI9mquwq0Sr3Q+d/MecZbT33ghjh5xXztarpHRBZm944nU8Zrrg/gk50FxN5cxk=
X-Received: by 2002:a9d:7b51:: with SMTP id f17mr9431931oto.88.1639587180247;
 Wed, 15 Dec 2021 08:53:00 -0800 (PST)
MIME-Version: 1.0
References: <cad49hozzrxa94krz4t+3pdqre=npiq+vv8svw3hbcnyzbca_dg@mail.gmail.com>
In-Reply-To: <cad49hozzrxa94krz4t+3pdqre=npiq+vv8svw3hbcnyzbca_dg@mail.gmail.com>
From: External Sender <Sender@gmail.com>
Date: Wed, 15 Dec 2021 22:22:47 +0530
Message-ID: <cad49hoym7ryqqfrzm++=xse4yh-g6pzy10xfo_bqnpyffhc=9g@mail.gmail.com>
Subject: Fwd: test email to Exchange DG
To: <inboundemail@Exchangedomain.com>
Content-Type: multipart/alternative; boundary="00000000000074fd9b05d33223fa"
Return-Path: Sender@gmail.com
X-Auto-Response-Suppress: DR, OOF, AutoReply

Cause:

By default, the ReportToManagerEnabled parameter is set to False and the ReportToOriginatorEnabled parameter is set to True when a distribution group is created in Exchange Online. When the parameters are both set to False, the Return-Path field in the header of the message is <> (blank). This means that the remote messaging system will not send delivery reports to the user who sent the message to the distribution group.

Additionally, if spam filtering is enabled on the remote messaging system, the message is dropped, and delivery reports are suppressed. This occurs because some anti-spam devices might flag messages whose Return-Path field is blank and not let the messages be delivered.

Resolution:

Set-DistributionGroup -ReportToManagerEnabled $true -ReportToOriginatorEnabled $false -Identity distributiongroup@domain.com

REF:

https://docs.microsoft.com/en-US/exchange/troubleshoot/email-delivery/external-recipients-not-receiving-distribution-group-emails

Testing Office 365 SMTP relay

In order to test Office 365 SMTP relay you will have to create a user with an Exchange online license. After the email is activated for this user you can test this user for relay with the following powershell.

First connect to Microsoft Online service with this user that you’ll be using for relaying.

$msolcred = Get-Credential

Next edit the following powershell with the user’s e-mail and the recipient’s too

Send-MailMessage -From Office365User@Domain.com -To info@moh10ly.com -Subject “Test Email” -Body “Test SMTP Relay Service” -SmtpServer smtp.office365.com -Credential $msolcred -UseSsl -Port 587

clip_image001
clip_image002

https://technet.microsoft.com/en-us/library/dn554323(v=exchg.150).aspx

This test is known as Client SMTP submission you can also use a different method for multiple devices where you can configure them all to point to a single server (IIS) in a method known as IIS for relay with Office 365 however, all the methods what involve office 365 (Only) for relay will require a user with Exchange online license assigned to it.

https://technet.microsoft.com/en-us/library/dn592151%28v=exchg.150%29.aspx

Note:

The use of this command is not recommended for security reasons in particular for not supporting the modern protocols. use it on your own risk and make sure the user assigned to this service has no privilege’s or not any Office 365 feature admin or power user.

Mimecast trust cert hacked in Microsoft supply chain

image

The Threatpost.com and other cyber security news published articles claiming that A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services has been “compromised by a sophisticated threat actor,” the company has announced.

Office 365 Products and Services Explained

Mimecast provides email security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast’s servers. The certificate in question is used to verify and authenticate those connections made to Mimecast’s Sync and Recover (backups for mailbox folder structure, calendar content and contacts from Exchange On-Premises or Microsoft 365 mailboxes), Continuity Monitor (looks for disruptions in email traffic) and Internal Email Protect (IEP) (inspects internally generated emails for malicious links, attachments or for sensitive content).

A compromise means that cyberattackers could take over the connection, though which inbound and outbound mail flows, researchers said. It would be possible to intercept that traffic, or possibly to infiltrate customers’ Microsoft 365 Exchange Web Services and steal information.

Reference:

https://threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/

https://www.crn.com/news/security/hackers-compromise-mimecast-certificate-for-microsoft-authentication

Upgrading Exchange Online PowerShell to V2 Module

Managing Exchange Online

If you have Exchange Online and your users are MFA enabled then you most likely will be using Exchange Online’ s ECP (Exchange Control Panel or Admin Center) to connect to Exchange Online PowerShell through the Hybrid Windows since this is the only supported way with MFA.

image

Clicking on Configure would install the PowerShell Module of Exchange Online which looks like the below screenshot.

image

New PowerShell with MFA support

If you have launched Exchange Online PowerShell today then you most likely have noticed there’s a red line stating the possibility to try the new (Preview Version) of Exchange PowerShell V2 .

Microsoft has recently released a new version of Exchange Online PowerShell Module which supports MFA and can be run directly from your computer without the need to login to Exchange Online Admin Center and download any files from there.  Check details in this link

As stated in the article, the Module is just in preview so it has some known and maybe unknown bugs as well.

How to Install it?

The installation process is pretty straightforward, Launch Windows PowerShel as an Administrator (It’s required for the installation).

Run these 4 cmdlets

Set-ExecutionPolicy RemoteSigned
Install-Module PowershellGet –Force
Update-Module PowershellGet
Install-Module -Name ExchangeOnlineManagement

image

You might get a warning that the Module you’re about to install is from an Untrusted Repository, Accept it by typing Y and hit enter

Type the following cmdlet to ensure that Exchange Online Management module is installed

Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

image

Connecting to Exchange Online

To connect to Exchange Online, Run the following cmdlet along with the new parameter –EnableErrorReporting which gives the ability to record all the cmdlets that you have run along with errors generated as well.

Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath e:\ExchOnlineLogs.txt -LogLevel All

image

image

After connecting, I am going to try and run two commands the Old Cmdlets and New Cmdlet and see the difference between them:

Get-CASMailbox -ResultSize 10
Get-EXOCasMailbox -ResultSize 10

image

The new Cmdlet has much more details, although it says that it runs faster but it took few seconds more than the old one to run (Probably first time).

image

After you run those two Cmdlets, There will be two files generated in the log directory which we have pointed the parameter to save files to.

The CSV files have details about the two cmdlets and the HTTP Method they are utilizing in order to connect along the Request and response latency.

imageimage

This new version seems to be extremely useful esp in environments where such deep details are needed for troubleshooting issues.

Stay tuned for more

Reference:

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/exchange-online-powershell-v2?view=exchange-ps

Use Group Based Licensing to Activate Office 365 Users

The Story

I got a request to place users into Security Groups for management purposes, The client have already users active but many of those users have left the work place and still have E3 or E1 Licenses which they should not have since this is pricey licenses and backing up users details is the easiest and most cost effective way of handling this.

So, To start (Prerequisites):

The Group based licensing management is a new feature, Was introduced in 2019 and not many people know that it is there however, This feature doesn’t come for free as you know (Since it’s Microsoft) and you must have a license for it or at least have users with E3 licensing model. So the requirements are:

  • – Azure AD Premium P1 or Higher
  • – Office 365 E3 or Higher.
  • – EMS or Higher.

How does it work?

In order for you to get this to work  you need to make sure you have planned from where you want to manage those groups and their licenses, Online? Or On-Premises?

IF Online

If you’re going to do this online, then you need to create a group for each Licensing Model which represents the intended License and its users e.g. Office365-E1 is going to be created as a security group and dedicated to E1 License users.

Office365-E3 will also be created the same way and users of License type E3 will be added to it.

If On-Premises

If you’re going to manage those groups on-premises, Then you must have ADConnect (Azure AD Sync) tool to sync those groups after creating them.

In my case I have created those groups in the following manner:

image

After creating those groups, You will need to sync them to Office 365 using ADConnect. To force this to sync immediately fire up Powershell on Azure Connect Server and type

Start-ADSyncSyncCycle -PolicyType delta

image

image

What If I have users already assigned with License?

If you have users already assigned licenses and want to manage them using Group Based licensing then you’re going to have to get a list of all your users with their Licenses information into a CSV file and Import those users to the groups you created base on the license they have.

I created a PowerShell that would match user’s names and based on the license mentioned in the CSV file would add them to the relevant group but first you need to export Users from Office 365.

Export Users and their license from Office 365

First of all we’ll connect to Office 365 MSOL Service using Online Powershell

image

Get-MsolUser -All |Where {$_.IsLicensed -eq $true } |Select DisplayName,UsageLocation,@{n="Licenses Type";e={$_.Licenses.AccountSKUid}},SignInName,UserPrincipalName,@{n="ProxyAddresses";e={$_.ProxyAddresses}}| Export-csv -Path C:ExportlicenseUsage.csv -notype

image

So this is how my CSV look right after I exported the users, We need to do some tuning on this CSV file to clean it and get it ready for our PowerShell.

image

There are total of 6 columns in this folder, If for whatever reason you wanted to use the ProxyAddress to distinguish users feel free to keep them in the script but in my case I didn’t need them so I deleted the entire column.

So I will keep the following (Remove Spacing between License Type)

  • DisplayName
  • UsageLocation
  • LicenseType
  • SignInName
  • UserPrincipalName

The Value of the License Type is usually formatted like this “TenantName: License” and in order to make this column useful I am going to remove the Tenant name from all the cells.

Find and Replace can easily remove and clean these values for you.

image

After cleaning the column, this is how it looks

image

This should be useful for us now along with the PowerShell to add the users to their relevant groups.

On Active Directory from an elevated PowerShell

Run PowerShell ISE  from a privileged account and copy + paste this script in ISE,

$ImportedUsers = Import-csv "C:\Users\AD\Desktop\ExportlicenseUsage.csv"

Foreach ($ImportedUser in $ImportedUsers){
$License = $ImportedUser.LicensesType
$E3 = "E3-Office365"
$E1 = "E1-Office365"
$EMS = "EMS-Office365"
$Sam = $ImportedUser.SamAccountName
$ImportedUPN = $ImportedUser.UserPrincipalName

$AllUsers = Get-ADUser -Filter * -Properties *
Foreach ($User in $AllUsers)
{
$UPN = $User.UserPrincipalName

if($user.UserPrincipalName -eq $ImportedUPN -and $License -match "EMS")
{
Add-ADGroupMember -Identity $EMS -Members $Sam
Write-Host $($UPN) "User has EMS License and has been added to the Group EMS" -ForegroundColor DarkGreen -BackgroundColor White
}
ElseIf ($user.UserPrincipalName -eq $ImportedUPN -and $License -Contains "STANDARDPACK")
{
Add-ADGroupMember -Identity $E1 -Members $Sam
Write-Host $($UPN) "User has E1 License and has been added to the Group E1" -ForegroundColor black -BackgroundColor green
}
ElseIf ($user.UserPrincipalName -eq $ImportedUPN -and $License -Contains "ENTERPRISEPACK")
{
Add-ADGroupMember -Identity $E3 -Members $Sam
Write-Host $($UPN) "User has E3 License and has been added to the Group E3" -ForegroundColor Blue -BackgroundColor White
}
}
}

image

Enabling Group Based License from Azure Portal

After this script finishes, I can open Azure Portal

From Azure Active Directory > Licenses > All Products

image   image    image

I will choose the license which I want to assign to a group of which I have created on my on-premises AD

image

Click on the License (Office 365 E1)  and choose Assign from top menu

image

Make sure you select assignment options and customize the license according to the products you want your group members to use then click on Users and Groups and select the relevant Group which you’ve created (In my case it’s E1-Office365)

image

Here, The group has been assigned

image

Click assign and you should be done

image

We will do the same for E3 Users

image

image

NOTE

From now on, Removing any user from this group will revoke their license and any service connected to it, You must be very careful when removing users from this group.

Microsoft has done great job covering this thoroughly and in a great detail including Scripts to be able to do many things like grabbing users who have an inherited license from a group or manually assigned. I am writing down the references if you’re more curious into these.

References:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-assign

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-ps-examples

How to Sync Cloud User to On-premises AD ?

The Story:

I have got this client who constantly keeps on making the mistake of create user from Cloud and provision them with a license in an Exchange Hybrid environment.

Although this is not difficult to fix but it’s not the recommended approach when creating a new user especially in a Hybrid environment since Exchange on-premises won’t recognize this user and most likely will consider any incoming emails from it as spoof or spam.

How to Create a Cloud user from Exchange On-premises?

From Exchange on-premises ECP Admin panel you have the option to directly create user on-cloud which will also create a user object on on-premises AD.

image

Second option – Using Powershell

It’s not that much different than the Web UI option but it’s just for people who prefer using PowerShell than GUI

Enable-RemoteMailbox –Identity User –RemoteRoutingAddress user@yourTenant.mail.onmicrosoft.com

The reason to follow those two methods is due to the need of Exchange on-premises being aware of each of those users so mail flow between Exchange on-premises and Online would not get affected and route this users mail to the wrong place or flag it as spammed or spoof …etc.

The Real Question now is: How to Sync Cloud User to On-premises AD ?

If by mistake we created a user on Cloud (Office 365) and we forgot to create an AD User for this account, that user might already have started using his account on Office 365 (Sharepoint, Exchange, Teams) etc.

There also might be the intention of moving users from Cloud to On-premises Exchange in case the company wanted to decrease their spending on cloud users and in this case when Migrating a cloud user to on-premises you will get the following errors:

image

test3@domain.com

Status: Failed

test3@domain.com Skipped item details

User status

Data migrated:

Migration rate:

Last successful sync date:

Error: MigrationPermanentException: Cannot find a recipient that has mailbox GUID ‎’03c9764e-8b8e-4f33-94d1-ef098c4de656‎’. –> Cannot find a recipient that has mailbox GUID ‎’03c9764e-8b8e-4f33-94d1-ef098c4de656‎’.

So how do we overcome this situation since syncing a user might require you to delete the cloud user and recreate it on AD?

Solution:

To sync the user from the Cloud to on-premises you will need to follow these steps :

1- Create an on-premises Mailbox where the following attributes would be matching the cloud user

  • UserPrincipalname
  • ProxyAddresses
  • SamAccountName
  • Alias

2- The Location of the OU where the On-premises user is going to be created must be provisioned by ADConnect (Azure AD Connect)

You can look which of these OU are provisioned by Starting AD Connect Sync Manager

image

By verifying the user you created in the AD is in the right OU, You can now start AD Sync from PowerShell to speed up the process.

image

Below, You can see the user has been successfully synchronized to the cloud without any issue.

image

Now we’ll see it from the portal to confirm the user is synced with AD

image

Depending on the Source anchor being used in ADConnect there might be a GUID conflict or not, You will get an error similar to when trying to migrate the user in the beginning however you can solve this by replacing the cloud user’s GUID (ImmutableID) with the on-premises user which will force the user to merge with the On-prem user.

Let’s confirm in our case if the user on-cloud has a matching GUID with the one on-premises.

From AD run CMD or Powershell you can use the following command to get the user’s ImmutableID (ObjectGUID) .

ldifde -f c:\Test.txt -d “cn=Test3,DC=Domain,DC=com”

image

From Notepad checking the user we just exported you can see the Immutable ID on AD for the User test3 is IkTni9mw7Ee4YefeGpz7IA==

image

To be able to see the user on Office 365, We need to logon to MSOL through Exchange Online PowerShell

Connect to Exchange Online’s powershell using your Online ECP.

image

Once you click on Configure this should download an executable file that will launch PowerShell Online which allows you to use the Modern Authentication (MFA) to use PowerShell safely.

image

Connect-Msoluser will connect you to Office 365 and you’ll be able to get the user’s properties and see if the Immutable ID is matching to the user’s GUID.

Once you’re connect you can use the following cmdlet to get the user’s properties.

Get-MsolUser -UserPrincipalName test3@domain.com |fl DisplayName,ImmutableID

image

You can see they are matching each other, In case there’s a conflict then you can simply set the online user’s Immutable ID to match the on-premises user’s ImmutableID.

Once done, Go and force ADConnect to sync the user and you’ll see if the problem has been resolved. The command for changing the Immutableid is as follows:

Set-MsolUser -UserPrincipleName test3@domain.com -ImmutableID IkTni9mw7Ee4YefeGpz7IA==

Ref:

https://support.microsoft.com/en-us/help/2956029/migrationpermanentexception-cannot-find-a-recipient-that-has-mailbox-g

https://docs.microsoft.com/en-us/exchange/hybrid-deployment/create-cloud-based-archive

Search and Delete certain Items/Folders from a Mailbox

The Story

During a project of Hybrid migration from Exchange on-premises to Exchange online, I was almost about to finalize the project by moving the last remaining users mailboxes however had an interesting issue to deal with where a user was failing with the following error:

The Error after migration:

Error: MigrationPermanentException: Mailbox dumpster size 50.87 GB (54,620,074,576 bytes) exceeds target quota 30 GB –> Mailbox dumpster size 50.87 GB exceeds target quota.

image

After some research it turned out that you can clean the dumpster using search-mailbox PowerShell cmdlet, Sync the user’s object with ADConnect and then continue the migration from the last failure.

To solve the issue, Go on your Exchange on-premises and launch Exchange Management shell

Solution applied:

First, Let’s see the user’s dumpster and recoverable items

Get-MailboxFolderStatistics -Identity “User” -FolderScope RecoverableItems | Format-Table Name,FolderPath,ItemsInFolder,FolderAndSubfolderSize

image

To Delete the dumpster only use this

Delete dumpster only

Search-mailbox -identity User -SearchDumpsterOnly –DeleteContent

To delete a certain email with certain subject in the dumpster use the following:

Get-mailbox “user”| search-mailbox –searchquery “Subject:’*'” –DeleteContent –SearchDumpsterOnly

image

The cmdlet will search and delete

clip_image001

image

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messagesadmin-help

In Exchange MRSPROXY.SVC FAILED BECAUSE NO SERVICE WAS LISTENING ON THE SPECIFIED ENDPOINT.

Symptoms

In Exchange MRSPROXY.SVC FAILED BECAUSE NO SERVICE WAS LISTENING ON THE SPECIFIED ENDPOINT. THE REMOTE SERVER RETURNED AN ERROR: (404) NOT FOUND

Exchange 2010 / 2013

You get an error when you’re trying to setup Hybrid configuration between your Exchange On-premises or Online.

After I had one issue like this I did some research and used Fiddler / Wireshark to check for traffic I noticed that the traffic on the server is not encrypted and testing the Migration Server Availability was reporting that the MRS service was not listening on the supposed port which is 443.

CAUSE


This problem may occur if the ExchangeGUID property of the Exchange Online MailUser object does not match the ExchangeGUID property of the on-premises mailbox. To successfully move a mailbox, the value of the ExchangeGUID property in the Exchange Online mailbox and in the associated on-premises remote mailbox must match.

image

In this case the solution was pretty easy, but still you’ll have to make a hard choice of choosing to place Exchange behind a load balancing with SSL Offloading on or not.

In my case I had to turn off the SSL Offloading on the Load balancer and that alone was enough to get this working.

Resolution:

Make sure that SSL Offloading is disabled on OWA/OA and Load balancer if there’s one.

Other resolutions:

https://support.microsoft.com/en-us/kb/3065754

Slow Migration – Office 365

The story:

In office 365 when you’re working on Exchange 2010,2013, 2016 or 2019 in a hybrid environment things might look easy but in a big enterprises where Internet security is something being taken into account very seriously. It might cause many issues that you don’t expect at all.

One of my clients whom I was doing Exchange Migration for had an issue with the Migration. The error was as follows:

Error occurs after Office 365 Exchange online connects to Exchange on-premises 2010 mailbox server

Error in Office 365

         : 20.

                                           27.04.2016 08:03:17 [DB3PR05MB0778] Transient error DataExportTransientExcep

                                           tion has occurred. The system will retry (2/1280).

                                           27.04.2016 08:04:53 [DB3PR05MB0778] The Microsoft Exchange Mailbox Replicati

                                           on service ‘DB3PR05MB0778.eurprd05.prod.outlook.com’ (15.1.466.25 caps:03FFF

                                           F) is examining the request.

                                           27.04.2016 08:04:55 [DB3PR05MB0778] Connected to target mailbox ‘lcwonline.o

                                           nmicrosoft.com\ec96e315-1059-4710-b358-1c4b42f3edeb (Primary)’, database ‘EU

                                           RPR05DG049-db131′, Mailbox server ‘DB3PR05MB0778.eurprd05.prod.outlook.com’

                                           Version 15.1 (Build 466.0).RequestExpiryTimestamp                   : 03.04.2116 07:42:38

ObjectState                              : New

Troubleshooting:

To troubleshoot issues, You need to put so many things into account! The architecture of the infrastructure of where you are doing the project is very important and the need of knowing how things are working matters.

Things that could always come in mind and handy are what you will need to start your troubleshooting:

– Bandwidth Limitations or Performance:

https://technet.microsoft.com/en-us/library/dn592150(v=exchg.150).aspx

https://technet.microsoft.com/en-us/library/jj200581(v=exchg.150).aspx

– Exchange Configuration (MRS)

To troubleshoot the MRs, You need to know what kind of error you’re getting and to see this you can use the following powershell after you connect to Office 365 powershell.

Get-MoveRequest {email} | Get-MoveRequestStatistics -Diagnostic -IncludeReport | Export-Clixml c:\logfile.xml

The resultant report will reveal the error and shows you where is the exact culprit.

– Disk Latency
– Firewall Configuration (IPS/IDS)

From Exchange 2016 to 2019 or 2013 to 2016 The transient error might be related to MRSProxy or at least this is the case with me 90% of the time. To resolve this issue you will need to change the MRSProxy values on the target server and depending on the error might also be the Source server too.

SOLUTION:

===========

1. Some instability was detected in communications as well as saturation by the size of the link.
2. The procedure to increase the timeout for the service through the file MRSProxy

File: MsExchangeMailboxReplication.exe.config

Object / line: DataImportTimeout.

New Value: 00:10:00

clip_image001[4]

New Configuration

clip_image001[6]