If you have Exchange Online and your users are MFA-enabled, then you are most likely using the Exchange Online ECP (Exchange Control Panel, or Admin Center) to connect to Exchange Online PowerShell through the Hybrid window, since this is the only supported way with MFA.
Clicking on Configure installs the Exchange Online PowerShell module, which looks like the screenshot below.
New PowerShell with MFA support
If you have launched Exchange Online PowerShell lately, you have most likely noticed a red line inviting you to try the new Exchange PowerShell V2 module (preview version).
Microsoft has recently released a new version of the Exchange Online PowerShell module which supports MFA and can be run directly from your computer, without the need to log in to the Exchange Online Admin Center and download any files from there. Check the details in this link.
As stated in the article, the module is still in preview, so it has some known, and possibly unknown, bugs as well.
How to Install it?
The installation process is pretty straightforward. Launch Windows PowerShell as an Administrator (this is required for the installation).
Run these 4 cmdlets
Install-Module PowerShellGet -Force
Install-Module -Name ExchangeOnlineManagement
You might get a warning that the module you’re about to install comes from an untrusted repository. Accept it by typing Y and pressing Enter.
Type the following cmdlet to ensure that the Exchange Online Management module is installed:
To connect to Exchange Online, run the following cmdlet along with the new parameter -EnableErrorReporting, which records all the cmdlets you have run along with any errors generated:
Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath e:\ExchOnlineLogs.txt -LogLevel All
After connecting, I am going to run two commands, the old cmdlet and the new cmdlet, and see the difference between them:
Get-CASMailbox -ResultSize 10
Get-EXOCasMailbox -ResultSize 10
The new cmdlet returns much more detail. Although it is said to run faster, it took a few seconds longer than the old one (probably because it was the first run).
After you run those two cmdlets, two files are generated in the log directory that we pointed the -LogDirectoryPath parameter to.
The CSV files contain details about the two cmdlets and the HTTP method they use to connect, along with the request and response latency.
This new version seems extremely useful, especially in environments where such deep details are needed for troubleshooting issues.
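As an added example (not the post's own commands), the whole sequence in one script: verify the module is installed, connect with error reporting, time the old and new cmdlets the post compares, and list the CSV logs that -LogDirectoryPath produces. The log folder C:\ExchOnlineLogs is an assumption.

```powershell
# Added example: install check, MFA-capable connection with error reporting, timing comparison,
# and a look at the generated CSV logs. Log folder is a placeholder; change it to suit.
$LogDir = "C:\ExchOnlineLogs"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Verify the module is present before connecting
$mod = Get-Module -ListAvailable -Name ExchangeOnlineManagement
if (-not $mod) { throw "ExchangeOnlineManagement not installed; run Install-Module -Name ExchangeOnlineManagement" }
"Module version: $($mod.Version | Sort-Object -Descending | Select-Object -First 1)"

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath $LogDir -LogLevel All

# Time both calls; the first EXO V2 call pays a one-off setup cost, so call it twice
$oldTime  = Measure-Command { Get-CASMailbox    -ResultSize 10 | Out-Null }
$newTime  = Measure-Command { Get-EXOCasMailbox -ResultSize 10 | Out-Null }
$newTime2 = Measure-Command { Get-EXOCasMailbox -ResultSize 10 | Out-Null }
"Get-CASMailbox   : {0:N2}s" -f $oldTime.TotalSeconds
"Get-EXOCasMailbox: {0:N2}s (first) / {1:N2}s (second)" -f $newTime.TotalSeconds, $newTime2.TotalSeconds

# The error-reporting CSVs land in $LogDir: show the two newest and the first rows of each
Get-ChildItem -Path $LogDir -Filter *.csv | Sort-Object LastWriteTime -Descending |
    Select-Object -First 2 | ForEach-Object {
        "--- $($_.Name)"
        Import-Csv $_.FullName | Select-Object -First 3 | Format-List
    }

Disconnect-ExchangeOnline -Confirm:$false
```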
I got a request to place users into security groups for license management purposes. The client already has active users, but many of those users have left the workplace and still hold E3 or E1 licenses, which they should not, since these are pricey licenses; backing up the users’ details is the easiest and most cost-effective way of handling this.
So, to start (prerequisites):
Group-based licensing is a new feature, introduced in 2019, and not many people know it is there. However, this feature doesn’t come for free (since it’s Microsoft): you must have a license for it, or at least have users on the E3 licensing model. So the requirements are:
– Azure AD Premium P1 or Higher
– Office 365 E3 or Higher.
– EMS or Higher.
How does it work?
In order to get this to work, you need to plan where you want to manage those groups and their licenses: online or on-premises?
If you’re going to do this online, you need to create a group for each licensing model, representing the intended license and its users, e.g. Office365-E1 is created as a security group dedicated to E1 license users.
Office365-E3 will be created the same way, and users with license type E3 will be added to it.
If you’re going to manage those groups on-premises, then you must have the ADConnect (Azure AD Sync) tool to sync those groups after creating them.
In my case I have created those groups in the following manner:
After creating those groups, you will need to sync them to Office 365 using ADConnect. To force an immediate sync, fire up PowerShell on the Azure AD Connect server and type:
Start-ADSyncSyncCycle -PolicyType delta
What If I have users already assigned with License?
If you have users already assigned licenses and want to manage them using group-based licensing, then you’re going to have to export a list of all your users with their license information into a CSV file and import those users into the groups you created, based on the license they have.
I created a PowerShell script that matches users’ names and, based on the license mentioned in the CSV file, adds them to the relevant group. But first you need to export the users from Office 365.
Export Users and their license from Office 365
First of all we’ll connect to the Office 365 MSOL service using online PowerShell.
This is how my CSV looked right after I exported the users. We need to do some tuning on this CSV file to clean it up and get it ready for our PowerShell script.
There are a total of 6 columns in this file. If for whatever reason you want to use the ProxyAddress to distinguish users, feel free to keep it in the script, but in my case I didn’t need it, so I deleted the entire column.
So I will keep the following (removing the space in the License Type header):
The value of the License Type is usually formatted as “TenantName:License”, and in order to make this column useful I am going to remove the tenant name from all the cells.
Find and Replace can easily remove and clean these values for you.
After cleaning the column, this is how it looks:
This should be useful for us now, along with the PowerShell script to add the users to their relevant groups.
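As an added example (not the author's script), the export and the clean-up done in one step with the MSOnline module: each licensed user is written out with a LicenseType column that already has the "TenantName:" prefix stripped, so no Find and Replace is needed. The output path C:\Temp\O365Users.csv is an assumption.

```powershell
# Added example: export Office 365 users and their license SKUs to CSV, stripping the
# "tenant:" prefix that Get-MsolUser returns in AccountSkuId (e.g. "contoso:ENTERPRISEPACK").
# Assumptions: MSOnline module installed; output path is a placeholder.
Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 admin credentials (MFA supported)

$Export = "C:\Temp\O365Users.csv"

Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
    $skus = $_.Licenses | ForEach-Object {
        # keep only the part after the colon: "contoso:ENTERPRISEPACK" -> "ENTERPRISEPACK"
        ($_.AccountSkuId -split ':', 2)[-1]
    }
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        DisplayName       = $_.DisplayName
        # one row per user; users holding several SKUs get them ';'-separated, e.g. "ENTERPRISEPACK;EMS"
        LicenseType       = ($skus -join ';')
    }
} | Export-Csv -Path $Export -NoTypeInformation -Encoding UTF8

# Quick look at the cleaned result
Import-Csv $Export | Select-Object -First 5 | Format-Table -AutoSize
```

Because a user can hold more than one SKU, the group-assignment script should test the LicenseType column with -match rather than an exact comparison.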
On Active Directory from an elevated PowerShell
Run PowerShell ISE from a privileged account and copy and paste this script into ISE:
$EMS = "EMS-Office365"; $E1 = "E1-Office365"; $E3 = "E3-Office365"   # group names: E1-Office365 is the author's, the others are placeholders
$ADUsers = Get-ADUser -Filter * -Properties UserPrincipalName        # all on-premises users, matched by UPN
foreach ($row in Import-Csv "C:\Temp\O365Users.csv") {               # the cleaned export; path and column names (UserPrincipalName, LicenseType) are assumptions
    $ImportedUPN = $row.UserPrincipalName; $License = $row.LicenseType
    foreach ($user in $ADUsers) {
        $UPN = $user.UserPrincipalName; $Sam = $user.SamAccountName
        if ($user.UserPrincipalName -eq $ImportedUPN -and $License -match "EMS") {
            Add-ADGroupMember -Identity $EMS -Members $Sam
            Write-Host $($UPN) "User has EMS License and has been added to the Group EMS" -ForegroundColor DarkGreen -BackgroundColor White
        } ElseIf ($user.UserPrincipalName -eq $ImportedUPN -and $License -match "STANDARDPACK") {   # -match also works when several SKUs share the cell
            Add-ADGroupMember -Identity $E1 -Members $Sam
            Write-Host $($UPN) "User has E1 License and has been added to the Group E1" -ForegroundColor black -BackgroundColor green
        } ElseIf ($user.UserPrincipalName -eq $ImportedUPN -and $License -match "ENTERPRISEPACK") {
            Add-ADGroupMember -Identity $E3 -Members $Sam
            Write-Host $($UPN) "User has E3 License and has been added to the Group E3" -ForegroundColor Blue -BackgroundColor White
        }
    }
}
Enabling Group Based License from Azure Portal
After this script finishes, I can open the Azure Portal.
From Azure Active Directory > Licenses > All Products
I will choose the license which I want to assign to one of the groups I created in my on-premises AD.
Click on the license (Office 365 E1) and choose Assign from the top menu.
Make sure you select assignment options and customize the license according to the products you want your group members to use, then click on Users and groups and select the relevant group you’ve created (in my case it’s E1-Office365).
Here, the group has been assigned.
Click Assign and you should be done.
We will do the same for the E3 users.
From now on, removing any user from this group will revoke their license and any service connected to it, so you must be very careful when removing users from this group.
Microsoft has done a great job covering this thoroughly and in great detail, including scripts for many things like finding users whose license is inherited from a group or assigned manually. I am writing down the references in case you’re curious about these.
I have a client who constantly makes the mistake of creating users in the cloud and provisioning them with a license in an Exchange Hybrid environment.
Although this is not difficult to fix, it’s not the recommended approach when creating a new user, especially in a Hybrid environment, since Exchange on-premises won’t recognize this user and will most likely consider any incoming emails from it as spoofed or spam.
How to create a cloud user from Exchange on-premises?
From the Exchange on-premises ECP admin panel you have the option to directly create a user in the cloud, which will also create a user object in the on-premises AD.
Second option – Using Powershell
It’s not that much different from the Web UI option; it’s just for people who prefer PowerShell to the GUI.
The reason to follow one of those two methods is that Exchange on-premises needs to be aware of each of those users, so that mail flow between Exchange on-premises and Online is not affected by routing this user’s mail to the wrong place or flagging it as spam or spoofed, etc.
The real question now is: how to sync a cloud user to on-premises AD?
If by mistake we created a user in the cloud (Office 365) and forgot to create an AD user for this account, that user might already have started using the account on Office 365 (SharePoint, Exchange, Teams, etc.).
There also might be the intention of moving users from the cloud to on-premises Exchange in case the company wants to decrease its spending on cloud users; in this case, when migrating a cloud user to on-premises, you will get the following error:
Error: MigrationPermanentException: Cannot find a recipient that has mailbox GUID '03c9764e-8b8e-4f33-94d1-ef098c4de656'. --> Cannot find a recipient that has mailbox GUID '03c9764e-8b8e-4f33-94d1-ef098c4de656'.
So how do we overcome this situation, since syncing a user might otherwise require you to delete the cloud user and recreate it in AD?
To sync the user from the cloud to on-premises you will need to follow these steps:
1- Create an on-premises mailbox where the following attributes match the cloud user:
2- The OU where the on-premises user is going to be created must be provisioned by ADConnect (Azure AD Connect).
You can check which OUs are provisioned by starting the AD Connect Sync Manager.
After verifying that the user you created in AD is in the right OU, you can start the AD sync from PowerShell to speed up the process.
Below, you can see the user has been successfully synchronized to the cloud without any issue.
Now we’ll check from the portal to confirm the user is synced with AD.
Depending on the source anchor being used in ADConnect, there might be a GUID conflict, in which case you will get an error similar to the one we saw when trying to migrate the user at the beginning. You can solve this by replacing the cloud user’s GUID (ImmutableID) with the on-premises user’s, which forces the cloud user to merge with the on-premises user.
Let’s confirm, in our case, whether the cloud user has a GUID matching the on-premises one.
From CMD or PowerShell you can use the following command to get the user’s ImmutableID (ObjectGUID).
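As an added example (not the author's command), a script that derives the ImmutableID from the on-premises ObjectGUID, compares it with the cloud user's ImmutableID, and, with -Fix, writes the on-premises value to a not-yet-synced cloud user so ADConnect merges the two. It assumes the source anchor is objectGUID, the ActiveDirectory and MSOnline modules, and a placeholder UPN.

```powershell
# Added example: compare on-premises ObjectGUID (as Base64 ImmutableID) with the cloud
# ImmutableID and optionally stamp the on-premises value onto the cloud-only user.
# Assumes sourceAnchor = objectGUID; if ADConnect uses ms-DS-ConsistencyGuid, read that attribute instead.
param([string]$UPN = "user@contoso.com", [switch]$Fix)   # UPN is a placeholder

Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UPN'" -Properties ObjectGUID
if (-not $adUser) { throw "No on-premises user with UPN $UPN" }

# ImmutableID is simply the 16 bytes of the GUID encoded as Base64
$onPremId  = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
$cloudUser = Get-MsolUser -UserPrincipalName $UPN
$cloudId   = $cloudUser.ImmutableId

"On-prem ObjectGUID  : $($adUser.ObjectGUID)"
"On-prem ImmutableID : $onPremId"
"Cloud ImmutableID   : $(if ($cloudId) { $cloudId } else { '<empty: cloud-only user>' })"

if ($cloudId -eq $onPremId) {
    "Match: ADConnect will merge the cloud object with this on-premises user."
} elseif ($Fix) {
    # Only objects that have never been synced accept a new ImmutableID; synced objects must be fixed in AD
    Set-MsolUser -UserPrincipalName $UPN -ImmutableId $onPremId
    "ImmutableID set to $onPremId; now run Start-ADSyncSyncCycle -PolicyType Delta on the ADConnect server."
} else {
    "Mismatch: rerun with -Fix to write the on-premises value to the cloud user."
}
```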
During a Hybrid migration project from Exchange on-premises to Exchange Online, I was about to finalize the project by moving the last remaining user mailboxes, but I had an interesting issue to deal with: one user was failing with the following error:
In Exchange MRSPROXY.SVC FAILED BECAUSE NO SERVICE WAS LISTENING ON THE SPECIFIED ENDPOINT. THE REMOTE SERVER RETURNED AN ERROR: (404) NOT FOUND
Exchange 2010 / 2013
You get this error when you’re trying to set up the Hybrid configuration between your Exchange on-premises and Online.
After I had an issue like this, I did some research and used Fiddler / Wireshark to check the traffic. I noticed that the traffic on the server was not encrypted, and testing the migration server availability reported that the MRS service was not listening on the expected port, which is 443.
This problem may occur if the ExchangeGUID property of the Exchange Online MailUser object does not match the ExchangeGUID property of the on-premises mailbox. To successfully move a mailbox, the value of the ExchangeGUID property in the Exchange Online mailbox and in the associated on-premises remote mailbox must match.
In this case the solution was pretty easy, but you still have to make a hard choice: whether to place Exchange behind a load balancer with SSL offloading on or not.
In my case I had to turn off SSL offloading on the load balancer, and that alone was enough to get this working.
Make sure that SSL offloading is disabled on OWA/OA and on the load balancer, if there is one.
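As an added example (not the author's commands), the checks I would run from the on-premises Exchange Management Shell before touching the load balancer: confirm MRSProxy is enabled, confirm Outlook Anywhere is not configured for SSL offloading, and probe the mrsproxy.svc endpoint over HTTPS to distinguish a healthy 401 from the 404 in this post. mail.contoso.com is a placeholder.

```powershell
# Added example: MRSProxy / SSL-offloading health checks. External hostname is a placeholder.
$ExternalHost = "mail.contoso.com"

# MRSProxy must be enabled on the EWS virtual directory of every Client Access server
Get-WebServicesVirtualDirectory | Format-Table Server, MRSProxyEnabled, ExternalUrl -AutoSize

# SSLOffloading should be False when the load balancer passes TLS through to Exchange
Get-OutlookAnywhere | Format-Table Server, SSLOffloading, ExternalHostname -AutoSize

# Probe the endpoint the remote move uses. 401 = listening and asking for credentials (healthy);
# 404 = nothing answers on that path over TLS, which is the symptom described in this post.
try {
    $r = Invoke-WebRequest -Uri "https://$ExternalHost/EWS/mrsproxy.svc" -UseBasicParsing -ErrorAction Stop
    "mrsproxy.svc answered HTTP $($r.StatusCode)"
} catch {
    if ($_.Exception.Response) {
        $code = [int]$_.Exception.Response.StatusCode
        switch ($code) {
            401     { "HTTP 401: MRSProxy is listening and wants authentication (healthy)" }
            404     { "HTTP 404: no service on /EWS/mrsproxy.svc over TLS (check SSL offloading / MRSProxyEnabled)" }
            default { "HTTP $code from mrsproxy.svc" }
        }
    } else {
        "No HTTP response: $($_.Exception.Message) (TLS handshake or connectivity problem)"
    }
}

# From Exchange Online PowerShell, the same check the post refers to as testing migration server availability:
# Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $ExternalHost -Credentials (Get-Credential)
```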
In Office 365, when you’re working with Exchange 2010, 2013, 2016 or 2019 in a hybrid environment, things might look easy, but in big enterprises where Internet security is taken very seriously, it might cause many issues that you don’t expect at all.
One of my clients, for whom I was doing an Exchange migration, had an issue with the migration. The error was as follows:
The error occurs after Office 365 Exchange Online connects to the Exchange on-premises 2010 mailbox server:
RPR05DG049-db131', Mailbox server 'DB3PR05MB0778.eurprd05.prod.outlook.com'
Version 15.1 (Build 466.0).RequestExpiryTimestamp : 03.04.2116 07:42:38
ObjectState : New
To troubleshoot such issues, you need to take many things into account. The architecture of the infrastructure where you are doing the project is very important, and knowing how things work matters.
Things that always come to mind, and that you will need to start your troubleshooting:
The resulting report will reveal the error and show you exactly where the culprit is.
– Disk Latency
– Firewall Configuration (IPS/IDS)
From Exchange 2016 to 2019, or 2013 to 2016, the transient error might be related to MRSProxy, or at least this is the case for me 90% of the time. To resolve this issue you will need to change the MRSProxy values on the target server and, depending on the error, possibly on the source server too.
1. Some instability was detected in communications, as well as saturation due to the size of the link.
2. The procedure to increase the timeout for the service through the MRSProxy configuration file.
In order to set up a signature for all Office 365 Exchange Online users without manually going to each client and setting it up, you can use mail flow rules to append the signature to each and every outgoing email. To do so, go to the Office 365 Exchange admin portal, then navigate to Mail flow, choose Rules and click on the + sign.
Click on “Apply disclaimers…”
When the new rule opens up, you have to give it a name and apply a condition for the rule. An empty form looks like this one:
But here’s what mine looks like: I chose the condition “the sender address includes Specific domain”, then in the “append the disclaimer” part I entered HTML code which includes all the user details.
After applying the disclaimer, I chose Wrap as the fallback action. Then, in the exception part, I added a rule that excludes the disclaimer and signature from any reply message by looking for the word “RE” in the subject field.
The disclaimer code is as follows, and you may want to configure or customize it according to your needs.
HTML CODE:
<br><br>
<div style="font-size:9pt; font-family:'Calibri',sans-serif;">
  %%DisplayName%%<br>
  %%Department%%<br>
  %%Email%%<br><br>
  <div>
    <img alt="Logo" src="http://www.companywebsite.com/logo.jpg"> <!-- placeholder: an HTTP link to your company logo -->
    <p>Tel: %%PhoneNumber%%<br>
       Gsm: %%MobileNumber%%<br>
       Fax: %%FaxNumber%%<br>
       Address: %%Street%%</p>
  </div>
  <span style="font-size:12pt; font-family:'Cambria','times new roman','garamond',serif; color:#100101;">Disclaimer</span><br>
  <p style="font-size:8pt; line-height:10pt; font-family:'Cambria','times roman',serif;">
    ________________________________________<br>
    <span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family:'Calibri',Arial,sans-serif;"><a href="http://www.companywebsite.com">http://www.companywebsite.com</a></span><br>
    ________________________________________<br>
    <span style="font-size:10pt; font-family:'Cambria','times new roman','garamond',serif; color:#928E8E;">This e-mail and any information included within any attached document are private and confidential and intended solely for the addressee. Company name does not accept any legal responsibility for the contents of this message and any attached documents. If you are not the intended addressee, it is forbidden to disclose, use, copy, or forward any information within the message or engage in any activity regarding the contents of this message. In such case please notify the sender and delete the message from your system immediately. Company name also denounces any legal responsibility for any amendments made on the electronic message and the outcome of these amendments, as well as any error and/or defect, virus content and any damage that may be given to your system.</span>
  </p>
  <span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family:'Calibri',Arial,sans-serif;"><a href="http://www.companywebsite.com">Company Name</a></span><br><br>
</div>
I have highlighted the customizable parts of the code in yellow and red so you can change or configure them to fit your needs. The display name, department, email, etc. are all variables for user attributes that are pulled from Microsoft Azure AD, so if your users don’t have that information filled in, those fields will likely show nothing.
Note: for the red-highlighted link, you have to use an “HTTP” link only for your company’s uploaded logo. HTTPS won’t be accepted or read.
If you’re an HTML noob, you can use the following links for testing and changing colors, etc.
Using the w3schools.com website, you can paste the code in the left pane and click “See Result”; it will show the result in the right pane.
See how it looks:
Once you’re done with the code, copy and paste it into the disclaimer part in the right pane. Next, click Save; this will probably take about 10 minutes or less to be applied.
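As an added example (not from the original post), the same rule created with Exchange Online PowerShell instead of the GUI: sender-domain condition, the HTML disclaimer appended with Wrap as the fallback, and an exception for replies containing “RE” in the subject. contoso.com and the file C:\Temp\signature.html (holding the HTML above) are assumptions.

```powershell
# Added example: build the signature mail flow rule from PowerShell. Domain and file path are placeholders.
Connect-ExchangeOnline

$Domain   = "contoso.com"
$Html     = Get-Content -Path "C:\Temp\signature.html" -Raw   # the disclaimer HTML with %%DisplayName%% etc.
$RuleName = "Append company signature"

New-TransportRule -Name $RuleName `
    -SenderDomainIs $Domain `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $Html `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ExceptIfSubjectContainsWords "RE" `
    -Comments "Signature and disclaimer appended to outgoing mail; replies excluded"

# Confirm what was created; a new rule can take some minutes before it applies to mail flow
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Priority, SenderDomainIs, ApplyHtmlDisclaimerLocation, ApplyHtmlDisclaimerFallbackAction, ExceptIfSubjectContainsWords

Disconnect-ExchangeOnline -Confirm:$false
```

Keeping the rule under version control as a script like this also gives you a record of exactly which disclaimer text was live at any time.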
To test whether this is going to work, I will go to one of the users that I applied the rule to, fill out their details like display name, e-mail, street, etc., and try to send out an email as this user.
Microsoft has decided to charge for this service ($8 for each GB) …
Microsoft has launched a new feature that allows administrators to import PST files into Exchange Online directly through the portal.
In this article I’ll guide you through the steps of uploading one PST file and importing it into a user’s mailbox. Although the steps are identical to Microsoft’s TechNet article, this one is more detailed and has screenshots.
To achieve this, you’ll first have to sign in to your Office 365 portal. Open the Exchange admin center and follow the steps below:
1. Grant yourself the permission to import PSTs into users’ mailboxes by navigating to Exchange admin center -> Permissions, then double-click Compliance Management.
Under Roles, click on + and add the Mailbox Import Export role.
Under Members, click on + and add your user account.
2. Copy the secure URL and secure storage account key
To get the Azure secure storage account key and URL, go back to the Office 365 portal and click on the Import tab in the left pane.
Then click on the key sign below.
When you click on it, you will be able to retrieve the key and the URL by clicking on Copy key and Copy URL.
The secure storage account key is pretty long, and be aware that it is easy to get confused and copy only the visible portion of it from the field. If you do so and paste that into the AzCopy command or Azure Storage Explorer, you will get an error.
Here’s the secure storage account key that I am using on a trial version of Office 365.
You have to copy this into the storage account name field.
3. Copy the PST files to the Azure folder using the AzCopy command or Azure Storage Explorer
In order to upload PST files to Azure, you have two methods. The first is the AzCopy command, which is pretty easy and straightforward (but still CMD-dependent); alternatively, you can use the GUI application, Azure Storage Explorer.
To download AzCopy, you can use the following link.
Assuming you have 150 PST files that you want to upload and import into users who have already been enabled on Exchange Online, you will have to prepare a CSV file that looks like the sample below.
To explain what each column stands for, Microsoft has written a table that clears the dust, but some parts were not even clear to me, like FilePath, since the TechNet article confuses it with the “Ship data on physical hard drives” option, even though the Import tool in the Office 365 portal uses your drive to upload data directly to Azure.
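As an added example (not from the original post), a script for the 150-PST scenario: it generates the mapping CSV in the column layout of Microsoft's PstImportMappingFile template from a folder where each file is named <UPN>.pst, then uploads the folder with AzCopy (the v5 /Source /Dest syntax used in the portal's instructions). The folder D:\PSTs, the SAS URL placeholder and the AzCopy install path are assumptions.

```powershell
# Added example: build the PST import mapping file and upload the PSTs with AzCopy.
# Placeholders: PST folder, SAS URL copied from the Import page, AzCopy path.
$PstFolder = "D:\PSTs"
$SasUrl    = "https://<storage>.blob.core.windows.net/ingestiondata?sv=<paste the copied SAS URL here>"
$AzCopy    = "C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy\AzCopy.exe"
$Mapping   = Join-Path (Split-Path $PstFolder) "PstImportMappingFile.csv"   # kept outside the upload folder
$Log       = Join-Path (Split-Path $PstFolder) "AzCopyUpload.log"

# FilePath = folder inside the ingestiondata container (empty here because /Dest is the container root).
# Mailbox  = target user's email address/UPN, taken from the file name (jdoe@contoso.com.pst -> jdoe@contoso.com).
# TargetRootFolder "/" merges into the mailbox root; leaving it empty would create an "Imported" folder.
$rows = Get-ChildItem -Path $PstFolder -Filter *.pst | ForEach-Object {
    [pscustomobject]@{
        Workload            = "Exchange"
        FilePath            = ""
        Name                = $_.Name
        Mailbox             = $_.BaseName
        IsArchive           = "FALSE"      # TRUE would import into the user's online archive instead
        TargetRootFolder    = "/"
        ContentCodePage     = ""
        SPFileContainer     = ""
        SPManifestContainer = ""
        SPSiteUrl           = ""
    }
}
if (-not $rows) { throw "No .pst files found in $PstFolder" }
$rows | Export-Csv -Path $Mapping -NoTypeInformation
"Mapping rows written to ${Mapping}: $(@($rows).Count)"

# Upload every file in the folder; /V writes a verbose log, /Y suppresses prompts.
# Review the log for failures before creating the import job in the portal with $Mapping.
& $AzCopy /Source:$PstFolder /Dest:$SasUrl /V:$Log /Y
```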
Apparently the commands above didn’t work, and so I had to check something else.
In order to solve the problem:
1. First I had to assign a license to the user synced to O365.
2. Check the user’s proxy target attribute using ADSI (which was correct).
3. Check the archiving attributes, since the error mentions the archiving option.
4. After checking the archiving attributes, it turned out that the Exchange admin had changed the attributes below before assigning the user a license in O365 and migrating the user.
5. So deleting the value of msExchArchiveName and setting msExchRemoteRecipientType back to 4 solved the problem.
6. Of course DirSync needs to run in order to sync the changes from AD to O365.
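As an added example (not the author's commands), a script for steps 3 to 6: it shows the archive and remote-mailbox attributes of the on-premises user, and with -Fix clears msExchArchiveName, sets msExchRemoteRecipientType back to 4 and triggers a delta sync. The UPN, the ADConnect server name and the extra attributes listed for context are assumptions.

```powershell
# Added example: inspect and repair the on-premises attributes named in this post.
# Placeholders: UPN and the Azure AD Connect (DirSync) server name.
param([string]$UPN = "user@contoso.com", [switch]$Fix, [string]$SyncServer = "AADCONNECT01")

Import-Module ActiveDirectory
# The two attributes from the post, plus neighbours that help explain a failed move
$props = "msExchArchiveName", "msExchArchiveGUID", "msExchRemoteRecipientType", "msExchMailboxGuid", "targetAddress"

$u = Get-ADUser -Filter "UserPrincipalName -eq '$UPN'" -Properties $props
if (-not $u) { throw "No AD user with UPN $UPN" }

"Before:"
$u | Format-List $props

if ($Fix) {
    # -Clear removes msExchArchiveName; -Replace writes msExchRemoteRecipientType = 4 in the same call
    Set-ADUser -Identity $u -Clear msExchArchiveName -Replace @{ msExchRemoteRecipientType = 4 }
    "After:"
    Get-ADUser -Identity $u -Properties $props | Format-List $props

    # Step 6 of the post: the change must reach Azure AD before the migration is retried
    Invoke-Command -ComputerName $SyncServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
}
```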
The migration for the user should be “continued” from the previous migration batch in the portal; otherwise, if you start a new batch for the same user, the result will show as completed but the migration won’t take place.
If you used DirSync to sync users from local to online, please try restarting DirSync to check whether this issue persists.