Quickly Change Authentication models in Azure AD / Office 365

In 2017 Microsoft made some major improvements to its Managed authentication model, making it a viable competitor to the cumbersome Federated model. As a refresher, Federated identity requires Microsoft ADFS infrastructure (along with AD Connect for directory sync), and making it highly available entails multiple servers deployed across multiple datacenters or Azure, plus global load balancing of the internet-facing URL with Azure Traffic Manager: dependencies on your private cloud just to authenticate to the public cloud. Managed identity still uses AD Connect for directory sync, but its biggest drawback was that you didn’t get the “seamless” single sign-on (SSO) experience that ADFS provides, only “same sign-on” and having to re-enter your credentials.

Microsoft has recently added Seamless Single Sign-on and Pass-Through Authentication (an alternative to password-hash synchronization for high-security environments, but out of scope for this article) to AD Connect, in an effort to further eliminate the ADFS dependencies mentioned above, and with this I’ve been working on a large number of projects planning and executing a move away from ADFS.

What I’ve found is that how long this process takes has always been a grey area, given that most of the documentation calls for using the Convert-MSOLDomainToStandard cmdlet and dealing with the password conversion process. If you follow these steps, there’s an easier way to do it.

Step 1 – Check Local Active Directory

The first step is ensuring that your local AD is set up and able to support password sync. One of the Microsoft Premier Field Engineers (PFEs) wrote a great blog on this in 2016:

“First, ensure your Azure AD Connect Sync ID has “Replicate Directory Changes” and “Replicate Directory Changes All” permissions in AD (For Password Sync to function properly). If you did not set this up initially, you will have to do this prior to configuring”

This can be done through Active Directory Users & Computers.
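Checking the same thing from PowerShell, so it can be repeated after every change and audited periodically, is an added example and not part of the original post or the PFE blog it quotes. It assumes the RSAT ActiveDirectory module, a domain-joined session that can read the domain object's ACL, and that "MSOL_sync" is a placeholder for your AD Connect sync account's sAMAccountName. The well-known GUIDs are the schema's controlAccessRight identifiers for the two replication rights.

```powershell
# Added example (not from the original post): audit the two replication
# extended rights on the domain naming context. Requires the RSAT
# ActiveDirectory module; "MSOL_sync" is a placeholder account name.
Import-Module ActiveDirectory

# Extended-right GUIDs defined in the AD schema (controlAccessRight objects)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationRightHolders {
    # Lists every principal directly granted either right (or full control,
    # which implies them) on the domain NC. Only the sync account and the
    # built-in DC/administrative principals should normally appear here.
    # Rights inherited through group membership are not expanded.
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString().ToLower()
        $fullControl = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
        if ($fullControl) {
            $rights = @($ReplicationRights.Values)
        } elseif ($ReplicationRights.ContainsKey($guid)) {
            $rights = @($ReplicationRights[$guid])
        } else {
            continue
        }
        foreach ($r in $rights) {
            [pscustomobject]@{
                Principal      = $ace.IdentityReference.Value
                Right          = $r
                ViaFullControl = $fullControl
            }
        }
    }
}

function Test-SyncAccountReplicationRights {
    # One row per right, stating whether the sync account holds it directly.
    param([Parameter(Mandatory)][string]$SyncAccount)

    $ntAccount = (Get-ADUser -Identity $SyncAccount).SID.Translate([System.Security.Principal.NTAccount]).Value
    $held = Get-ReplicationRightHolders | Where-Object { $_.Principal -ieq $ntAccount }
    foreach ($name in $ReplicationRights.Values) {
        [pscustomobject]@{
            Account = $ntAccount
            Right   = $name
            Granted = [bool]($held | Where-Object Right -eq $name)
        }
    }
}

# Check the sync account, then list everyone else who holds the rights
Test-SyncAccountReplicationRights -SyncAccount 'MSOL_sync' | Format-Table -AutoSize
Get-ReplicationRightHolders | Sort-Object Principal | Format-Table -AutoSize
```

Both rows must show Granted = True before password sync will work; the second listing is the one worth keeping an eye on over time, since anything unexpected holding these rights can read every password hash in the domain.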



Office 365 Whitelist URLs for Firewalls & Trusted Sites

With the ever-growing list of Microsoft Office 365 services comes a growing number of URLs to whitelist on web application firewalls, proxies, and IE trusted sites lists. The full list, which can be found at https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2, is quite extensive, and for my own sake (and that of my clients) I’ve created the abbreviated list below to save not only the community but myself some time!


Creating an Offline install of Office 365 Pro Plus

So how do you create an offline installation of Office 365 Pro Plus for distribution to machines when you don’t want them all chewing up the internet connection at once?

First, download the Office 2016 Deployment Tool from:


(Note: you can reuse this tool to download Current Branch versions each month; however, Microsoft does update it to support new deployment features and resolve deployment bugs, so check back often for new versions!)

Run the EXE and extract it to a folder; it will only produce setup.exe.


Open a command prompt, browse to the extraction folder, and run setup.exe /download.


This will sit for a bit while it downloads the current build to a subfolder under \Office\Data named after the build number. As you can see here, the build is primarily 32-bit but provides 64-bit support as part of the installation.

In this case, this folder sits on a file share (which we’ll get to in a moment) that will serve as our “SourcePath”.




The next part of performing the deployment as an administrative install is creating the configuration XML file. You can read more about the syntax, formatting, etc. at:

In an enterprise environment, it’s typical that you will have a Deferred and a Current branch (to borrow from Microsoft terminology).

The SourcePath is our Deferred branch, which serves as the core install for all our machines, and the Updates path (towards the bottom) is another folder on which we run the download process again monthly for the Current branch. Whenever a new version of the Current branch is downloaded to the Updates folder, it will “update Office to the newest version. Only the files that have changed in the new version will be updated”.

To perform the actual install, we need a configuration XML to use in conjunction with the setup file to perform the full offline install. For this I like to use the online XML Configuration File editor, located at https://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html

<Configuration>
  <Add OfficeClientEdition="32" Channel="Current" SourcePath="\\network\path">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us"/>
    </Product>
  </Add>
  <Property Name="AUTOACTIVATE" Value="1"/>
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE"/>
  <Property Name="SharedComputerLicensing" Value="0"/>
  <Property Name="PinIconsToTaskbar" Value="TRUE"/>
  <Logging Level="Standard" Path="c:\windows\temp"/>
  <Display Level="None" AcceptEULA="TRUE"/>
  <Updates Enabled="TRUE" Channel="Current" UpdatePath="\\network\path"/>
</Configuration>

From our workstation we can run setup.exe with the /configure switch manually (or use a deployment tool like SCCM to push Office 2016 out to the enterprise).
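The whole sequence (build the XML, run /download for the share, run /configure on a workstation) scripted end to end is an added example and not code from the original post or from the Office Deployment Tool. It builds the XML with an XmlDocument so values are escaped properly, defaults the Add channel to Deferred to match the description above (the hand-written XML shows Current there), and checks setup.exe's exit code instead of assuming success. $OdtFolder and the two UNC paths are placeholders.

```powershell
# Added example, not from the original post or the Office Deployment Tool.
# Generates the ODT configuration XML (Deferred SourcePath for the base
# install, Current UpdatePath for monthly updates) and runs setup.exe
# through its /download or /configure phase. All paths are placeholders.
param(
    [string]$OdtFolder  = 'C:\ODT',                        # where setup.exe was extracted
    [string]$SourcePath = '\\fileserver\Office\Deferred',  # placeholder share
    [string]$UpdatePath = '\\fileserver\Office\Current',   # placeholder share
    [ValidateSet('Download', 'Configure')][string]$Mode = 'Configure'
)

function New-OdtConfiguration {
    param(
        [Parameter(Mandatory)][string]$SourcePath,
        [Parameter(Mandatory)][string]$UpdatePath,
        [string]$Channel = 'Deferred',
        [string]$UpdateChannel = 'Current',
        [string]$Edition = '32',
        [string[]]$Languages = @('en-us')
    )
    # Build with XmlDocument so attribute values are escaped correctly
    $xml = New-Object System.Xml.XmlDocument
    $config = $xml.AppendChild($xml.CreateElement('Configuration'))

    $add = $config.AppendChild($xml.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Channel', $Channel)
    $add.SetAttribute('SourcePath', $SourcePath)
    $product = $add.AppendChild($xml.CreateElement('Product'))
    $product.SetAttribute('ID', 'O365ProPlusRetail')
    foreach ($lang in $Languages) {
        $product.AppendChild($xml.CreateElement('Language')).SetAttribute('ID', $lang)
    }

    # Property elements are children of <Configuration>, not of <Product>
    $properties = [ordered]@{
        AUTOACTIVATE            = '1'
        FORCEAPPSHUTDOWN        = 'TRUE'
        SharedComputerLicensing = '0'
        PinIconsToTaskbar       = 'TRUE'
    }
    foreach ($name in $properties.Keys) {
        $p = $config.AppendChild($xml.CreateElement('Property'))
        $p.SetAttribute('Name', $name)
        $p.SetAttribute('Value', $properties[$name])
    }

    $log = $config.AppendChild($xml.CreateElement('Logging'))
    $log.SetAttribute('Level', 'Standard')
    $log.SetAttribute('Path', "$env:windir\temp")

    $display = $config.AppendChild($xml.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', 'TRUE')

    $updates = $config.AppendChild($xml.CreateElement('Updates'))
    $updates.SetAttribute('Enabled', 'TRUE')
    $updates.SetAttribute('Channel', $UpdateChannel)
    $updates.SetAttribute('UpdatePath', $UpdatePath)
    return $xml
}

function Invoke-OdtSetup {
    # Runs setup.exe /download or /configure against the saved XML and
    # surfaces a non-zero exit code instead of silently continuing.
    param(
        [Parameter(Mandatory)][string]$OdtFolder,
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][ValidateSet('download', 'configure')][string]$Phase
    )
    $setup = Join-Path $OdtFolder 'setup.exe'
    if (-not (Test-Path $setup)) { throw "setup.exe not found in $OdtFolder" }
    $proc = Start-Process -FilePath $setup -ArgumentList "/$Phase `"$ConfigPath`"" -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) { throw "setup.exe /$Phase failed with exit code $($proc.ExitCode)" }
}

$configPath = Join-Path $OdtFolder 'configuration.xml'
(New-OdtConfiguration -SourcePath $SourcePath -UpdatePath $UpdatePath).Save($configPath)
Invoke-OdtSetup -OdtFolder $OdtFolder -ConfigPath $configPath -Phase $Mode.ToLower()
```

Run it once with -Mode Download on the machine that populates the share (the same XML drives the download, since SourcePath is where /download writes), then with -Mode Configure on each workstation or through SCCM.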

Then before you know it, voila!





Quickly Enroll PCs with Intune

There are two easy ways to get the Intune client installed on your PCs:

Go to http://portal.manage.microsoft.com and log in with an account that has an Intune license assigned.

Click the information bar saying the device isn’t enrolled, and then click Enroll!


Then click Download software and run Microsoft_Intune_Setup.exe.


(Be sure you have local admin rights to perform the install first!)


Otherwise, if you want to provide the install more centrally, you need to log into:


From there under Admin go to Client Software Download


Click the button to download


Keep in mind this download is specific to the tenant itself, as it includes the installer EXE and a certificate specific to your tenant.


Now you’ll want to extract the EXE and cert to a folder (let’s say C:\temp\InstallIntune) and double-click on the EXE to start the install.

However, if you’re looking to deploy Intune with a new PC image (such as part of a Windows 10 rollout) in an enterprise environment, you’ll want to prepare setup and the enrollment process properly.

You’ll still want to extract the installer to the hard drive, but then create a setup_intune.cmd and place it under %windir%\setup\scripts. This is important because it finalizes portions of the install BEFORE any users sign on for the first time.

Here is the contents of the setup_intune.cmd:

REM Mark enrollment as pending so the Intune client finishes enrolling on first boot.
REM /f overwrites an existing value instead of prompting, which would hang an unattended run.
%windir%\system32\reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Onlinemanagement\Deployment /v WindowsIntuneEnrollPending /t REG_DWORD /d 1 /f
REM Stage the enrollment using the installer and certificate extracted earlier.
%systemdrive%\temp\InstallIntune\Microsoft_Intune_Setup.exe /PrepareEnroll

Now once your machines come online and users log in, their machines will enroll with Intune.

Migrating Public Folders from 2010 to 2016

A little over five years ago I wrote a blog post on how to migrate public folders from Exchange 2007 to 2010, hoping that would be the last migration path needed for the long-standing public folder system. Surprise! Exchange 2013 brought along “Public Folder Mailboxes”, which breathed new life into the age-old structure and killed off the dreaded replica process in favour of DAG replication. On top of this, the new process has brought some new headaches, as well as some old ones that have been around since Exchange 2003. We’re going to try to tackle those problems before we get down to the actual process of migration.

But let’s jump ahead before we come back and look at the age-old issue of public folder migrations: mail-enabled public folders. The issue, which dates back to the older days of Exchange, is that the Alias field allowed characters that are now considered invalid. Sure, the TechNet article on migrating public folders gives us a script for finding forward slashes, but not other invalid characters, which you may still see in environments migrated from Exchange 2003.


When you mail-enabled a public folder pre-Exchange 2010, it created these as Public Folder objects in Active Directory under Default naming context | Microsoft Exchange System Objects. As you can see on the left in the Public Folder Management Console, the mail-enabled public folders, indicated by a folder with an envelope on it, correspond to the objects on the left in AD.


If we open the Exchange Management Shell on Exchange 2010, we can find any folders with illegal characters rather quickly:

Get-MailPublicFolder -ResultSize Unlimited | Where-Object { $_.Alias -match '\s' }

Error: Property expression "RA (Malcolm) 2009-19" isn't valid. Valid values are: Strings formed with characters from A to Z (uppercase or lowercase), digits from 0 to 9, !, #, $, %, &, ', *, +, -, /, =, ?, ^, _, `, {, |, } or ~. One or more periods may be embedded in an alias, but each period should be preceded and followed by at least one of the other characters. Unicode characters from U+00A1 to U+00FF are also valid in an alias, but they will be mapped to a best-fit US-ASCII string in the e-mail address, which is generated from such an alias.

This can quickly return a LOT of errors, not all of which correspond to illegal characters. Some of these are completely normal and have to do with the original Offline Address Book and its traditional Public Folder distribution method.
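The whitespace match above only catches one class of bad alias. An added example (not from the original post) that implements the full rule quoted in the error message, so every invalid alias is flagged with the offending characters before the migration runs; the sample aliases are constructed, and the Get-MailPublicFolder pipeline at the end is the same one used above.

```powershell
# Added example, not from the original post: validates aliases against the
# rule set in the Exchange error message, over constructed sample values.
# Save as UTF-8 with BOM so the non-ASCII sample survives.
$AliasToken   = '[A-Za-z0-9!#$%&''*+\-/=?^_`{|}~\u00A1-\u00FF]'
$AliasPattern = '^' + $AliasToken + '+(\.' + $AliasToken + '+)*$'

function Test-ExchangeAlias {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Alias)
    $bad = @()
    foreach ($ch in $Alias.ToCharArray()) {
        if ($ch -ne '.' -and ([string]$ch) -notmatch $AliasToken) { $bad += $ch }
    }
    # The full pattern also rejects leading, trailing and doubled periods
    $isValid = $Alias -match $AliasPattern
    [pscustomobject]@{
        Alias    = $Alias
        IsValid  = $isValid
        BadChars = ($bad | Sort-Object -Unique) -join ''
        Reason   = if ($isValid) { '' }
                   elseif ($Alias.Length -eq 0) { 'empty' }
                   elseif ($bad) { 'illegal characters' }
                   else { 'misplaced period' }
    }
}

# Constructed samples: the alias from the error above plus edge cases.
# 'Sales/Team' passes the alias rule; the slash search in the TechNet
# migration script is a separate check.
$samples = @('RA (Malcolm) 2009-19', 'Sales.Team', '.Sales', 'Sales..Team', 'Café', 'Sales/Team', '')
$samples | ForEach-Object { Test-ExchangeAlias -Alias $_ } | Format-Table -AutoSize

# In the Exchange Management Shell, the same test over mail-enabled public folders:
# Get-MailPublicFolder -ResultSize Unlimited |
#     ForEach-Object { Test-ExchangeAlias -Alias $_.Alias } |
#     Where-Object { -not $_.IsValid }
```

Fixing the aliases it reports (Set-MailPublicFolder -Alias) before you touch the migration batches avoids the property-expression errors that otherwise appear one folder at a time.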



Enabling Access to Security Groups in MIM for All Users

I have a customer that is looking to give normal users access to view and request access to Security groups through MIM, so I whipped this up!

Under Management Policy Rules, search for “Security” to narrow your scope.


Enable the following rules by unchecking “Policy Is Disabled”:

Security group management: Users can read selected attributes of group resources
Security group management: Users can add or remove any member of groups subject to owner approval



When you’re done, these rules should show “No” in the Disabled column!

Then change the Requestors on the following rules from Security Group Users to All Users and Groups:

Security group management: Users can add or remove any member of groups subject to owner approval



Security group management: Users can read selected attributes of group resources



Next, under Administration, go to Search Scope.


Edit the following item and add the Usage keyword.


Do the same thing in Administration under Navigation Bar Resource.



Edit the following item and add the Usage keyword.


Whenever you make UI changes, you need to perform an IISRESET on the Portal server.

Now log in as your user and you should see the Security Groups section the same way an administrator sees it.


Office 365 Groups & My Apps Panel: A New Twist to an Old Problem

Recently our team at Concurrency had a meeting with one of the Program Managers at Microsoft for Office 365 Groups, and this spurred an internal conversation about how the team is helping customers use Office 365 Groups. After spending hours in my own lab developing training material around the Enterprise Mobility Suite as well as using Office 365 Groups, a new twist appeared on an age-old problem of collaboration and management that has seemingly haunted teams and departments. Using Microsoft’s approach of self-service and some new (well, not SO new, maybe 12-18 months old) technology solves this dilemma with the modern tool of Office 365 Groups.

So let’s dive in. We have a test customer that currently has Office 365 E3 CALs for its users. They just implemented Office 365, and in an effort to improve productivity, their Accounting department has its own Office 365 Group. Remember, for now Office 365 Groups are purely “in cloud”; there will eventually be a conversion process to convert distribution groups to Office 365 Groups (see the roadmap at https://fasttrack.microsoft.com/roadmap).


Office 365 Groups is a tool for addressing collaboration in our modern age: messages via Outlook and Exchange Online, real-time team chat via Skype for Business Online, and document collaboration via SharePoint Online. The best experience out there right now, in my opinion, is via OWA.



Skype For Business Online PowerShell Cheat Sheet

There are just some things you can’t do inside the Office 365 portal. Exchange Online has matured to the point where remote PowerShell works perfectly and loads all of the cmdlets over the wire. Skype for Business Online is still building to that point. You need the separate PowerShell module (https://www.microsoft.com/en-us/download/details.aspx?id=39366) to get started, and while installing it is the easy part, using it takes a little bit of work. Here is a cheat sheet I’ve put together.

How to Connect

If you install the Skype for Business Online PowerShell module and try to load it in the Skype for Business Administrative Shell, you must use the -AllowClobber switch when running Import-PSSession (https://technet.microsoft.com/en-us/library/hh849970.aspx). Otherwise the on-premises Skype for Business cmdlets leak through in place of the Online ones. Here’s the connection script that I usually save in a PowerShell file for quick launching:

Import-Module SkypeOnlineConnector
$cred = Get-Credential
$CSSession = New-CsOnlineSession -Credential $cred
Import-PSSession $CSSession -AllowClobber

Always have a cloud-only account (<tenant>.onmicrosoft.com) available for emergency situations.

In a single sign-on environment (https://support.office.com/en-us/article/Office-365-integration-with-on-premises-environments-263faf8d-aa21-428b-aed3-2021837a4b65?ui=en-US&rs=en-US&ad=US&fromAR=1) you’ll have a back door if on-premises is down. Once directory synchronization is set up, administrators grant their domain account (<user>@<yourdomain>.com) Global Administrator rights for daily tasks. Nothing wrong with this, but it can cause Problem #1.

Problem #1 – LyncDiscover

When trying to set up Skype for Business Hybrid using your domain account, Skype for Business Online PowerShell doesn’t resolve the cloud endpoint and instead resolves the on-premises lyncdiscover.<yourdomain>.com. This causes a 503 error when trying to log in.

PS C:\Users\user> $CSSession = New-CsOnlineSession -Credential $cred

Get-CsPowerShellEndpoint : The remote server returned an error: (503) Server Unavailable
At C:\Program Files\Common Files\Skype for Business
Online\Modules\skypeonlineconnector\SkypeOnlineConnectorStartup.psm1:94 char:26
+ … $targetUri = Get-CsPowerShellEndpoint -TargetDomain $adminDomain
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CsPowerShellEndpoint], WebException
+ FullyQualifiedErrorId : System.Net.WebException,Microsoft.Rtc.Management.OnlineConnector.GetPowerShellEndpointCm

This is a scenario where you will want to use that cloud-only account to sign in for administrative tasks.

Problem #2 – The New Tenant

With a new Skype for Business Online tenant, even if you have users in your Office 365 tenant and have assigned them a Skype for Business Online license, there’s still that last bit of configuration that doesn’t seem to happen behind the scenes until at least one user logs in. Until then, when you go to connect to Skype for Business Online PowerShell you’ll get a 404 error:

PS C:\Users\user> $CSSession = New-CsOnlineSession -Credential $cred

Get-CsPowerShellEndpoint : The remote server returned an error: (404) File Not Found
At C:\Program Files\Common Files\Skype for Business
Online\Modules\skypeonlineconnector\SkypeOnlineConnectorStartup.psm1:94 char:26
+ … $targetUri = Get-CsPowerShellEndpoint -TargetDomain $adminDomain
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CsPowerShellEndpoint], WebException
+ FullyQualifiedErrorId : System.Net.WebException,Microsoft.Rtc.Management.OnlineConnector.GetPowerShellEndpointCmdlet

Once everything is tied together, you’ll achieve a successful sign on to Skype for Business Online PowerShell!

PS C:\Users\user> $CSSession = New-CsOnlineSession -Credential $cred -Verbose
VERBOSE: Determining domain to admin
VERBOSE: AdminDomain = 'tenant.onmicrosoft.com'
VERBOSE: Discovering PowerShell endpoint URI
VERBOSE: TargetUri = 'https://admin2a.online.lync.com/OcsPowershellLiveId'
VERBOSE: Requesting authentication token
VERBOSE: Success
VERBOSE: Initializing remote session
VERBOSE: Success
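A connect wrapper that turns the two failures above into the fix each one needs is an added example and not code from the original post. It keeps the post's four-line script intact underneath. The -OverrideAdminDomain parameter of New-CsOnlineSession is assumed to exist in your installed version of the SkypeOnlineConnector module (later releases have it); leave it empty to get exactly the post's behaviour. Get-SfBOnlineConnectAdvice and Connect-SfBOnline are names chosen here.

```powershell
# Added example, not from the original post: wraps the connection script and
# maps the 503 / 404 endpoint-discovery errors to the remediation described.
function Get-SfBOnlineConnectAdvice {
    # Pure helper: turns the HTTP status in the Get-CsPowerShellEndpoint error
    # text into the remediation the cheat sheet gives for it.
    param([Parameter(Mandatory)][string]$ErrorMessage)
    switch -Regex ($ErrorMessage) {
        '\(503\)' { return 'Problem #1: endpoint discovery hit the on-premises lyncdiscover host. Sign in with the cloud-only <tenant>.onmicrosoft.com account (or pass -OverrideAdminDomain).' }
        '\(404\)' { return 'Problem #2: the tenant has not finished provisioning. Have at least one licensed user sign in to Skype for Business Online, then retry.' }
        default   { return 'Unrecognised failure; re-run New-CsOnlineSession -Verbose and inspect the TargetUri line.' }
    }
}

function Connect-SfBOnline {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$OverrideAdminDomain = ''   # e.g. tenant.onmicrosoft.com; assumed parameter, see lead-in
    )
    # Make the endpoint-discovery error terminating so it can be caught below
    $ErrorActionPreference = 'Stop'
    Import-Module SkypeOnlineConnector

    $sessionParams = @{ Credential = $Credential }
    if ($OverrideAdminDomain) { $sessionParams['OverrideAdminDomain'] = $OverrideAdminDomain }

    try {
        $session = New-CsOnlineSession @sessionParams
    } catch {
        $advice = Get-SfBOnlineConnectAdvice -ErrorMessage $_.Exception.Message
        throw "New-CsOnlineSession failed: $($_.Exception.Message). $advice"
    }

    # -AllowClobber: the Online cmdlets must win over any on-premises ones already loaded
    Import-PSSession -Session $session -AllowClobber | Out-Null
    return $session
}

# Usage (interactive):
# $session = Connect-SfBOnline -Credential (Get-Credential)
# Get-CsTenant | Select-Object DisplayName, CountryAbbreviation
# Remove-PSSession $session
```

The thrown message carries both the original error text and the hint, so whoever runs the saved script next does not have to remember which status code maps to which problem.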

Exchange Online 2016 Hybrid Guidance & Architecture

After doing quite a few Exchange Online hybrid deployments, I decided that it was time to do what I do best: build a design template so I don’t have to keep reinventing the wheel for each project. I’ve done this for Exchange, Active Directory and SCCM audit documentation, but those are stories for another day…

In a typical scenario we’re taking an existing, highly available Exchange 2010 environment that is protected behind its own spam-filtering devices (this could just as well be a service, no problem) and adding a secondary Exchange hybrid server dedicated to this purpose, be it Exchange 2013 or even Exchange 2016. I’ve deployed a few of these already and they work great; think Exchange 2013 SP2 but with better results. More on that in a moment.

But you ask, “why not just run Hybrid on the existing Exchange servers?” The biggest reason is that the Hybrid wizard on Exchange 2010 hasn’t gotten any better since SP3. Sure, the Cumulative Updates have fixed some bugs, but with Exchange Online running on the Exchange 2016 build, the gap is getting wider in terms of the odds of running through the Hybrid Wizard the first 5-6 times without having to go back and fix issues (or create new ones).

Or, let’s say that eventually you’ll be migrated to Exchange Online: you’ll have your MX records flipped, most likely to Exchange Online Protection (and the rest of the stack), but you may still need to run some mailboxes on-premises, or you want a nice GUI to provision your users and groups (yes, you CAN run without a Hybrid server, but we’re talking a LOT of PowerShell), or you have a LOT of SMTP endpoints and switching them all to the cloud for relay just doesn’t make sense. Having a newer version of Exchange in the environment that’s NOT on extended support makes the most sense.

There are some “gotchas”, however: as of Exchange 2013 CU8 Microsoft introduced its new hybrid wizard, and let me tell you, this thing is amazing. Of course, with Exchange 2016 it’s now built in.


One of the previous “gotchas” with Exchange 2013 hybrid was the requirement to flip all of the CAS traffic over on day one to make things work. Now, with Exchange 2016, this is no longer a requirement. More on that over at the TechNet blog. The only thing you have to remember is that if you keep your existing Exchange 2010 environment and still have Autodiscover pointed there, you’re going to run into a few issues: free/busy will be broken and migration batches will be broken; mail flow will still work, but the only way to move a mailbox is through New-MoveRequest.

This is because when you create the organization relationship, even in Exchange 2016, it does NOT use the organization FQDN you’ve specified but instead populates it with the typical Autodiscover URL.


To fix this, you need to run:

Get-OrganizationRelationship | Set-OrganizationRelationship -TargetAutodiscoverEpr "https://hybrid.domain.com/autodiscover/autodiscover.svc/WSSecurity"

There are a few documented instances where you also need to run:

Get-OrganizationRelationship | Set-OrganizationRelationship -TargetSharingEpr "https://hybrid.domain.com/ews/exchange.asmx"
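Since these two values silently revert to the Autodiscover-derived URL when the relationship is recreated, it is worth having a check you can re-run after each wizard pass. The following is an added example, not code from the original post: it reports every organization relationship's Autodiscover and EWS endpoints against the hybrid FQDN and only applies the two Set-OrganizationRelationship commands above when you pass -Repair. hybrid.domain.com is the post's placeholder; run it from the on-premises Exchange Management Shell.

```powershell
# Added example, not from the original post: verify (and optionally repair)
# TargetAutodiscoverEpr / TargetSharingEpr on every organization relationship.
function Get-ExpectedHybridEndpoints {
    param([Parameter(Mandatory)][string]$HybridFqdn)
    [ordered]@{
        TargetAutodiscoverEpr = "https://$HybridFqdn/autodiscover/autodiscover.svc/WSSecurity"
        TargetSharingEpr      = "https://$HybridFqdn/ews/exchange.asmx"
    }
}

function Test-HybridOrganizationRelationship {
    param(
        [Parameter(Mandatory)][string]$HybridFqdn,
        [switch]$Repair
    )
    $expected = Get-ExpectedHybridEndpoints -HybridFqdn $HybridFqdn
    foreach ($rel in Get-OrganizationRelationship) {
        foreach ($prop in $expected.Keys) {
            $current = [string]$rel.$prop   # Uri-typed on the object; compare as text
            $ok = $current -ieq $expected[$prop]
            [pscustomobject]@{
                Relationship = $rel.Name
                Property     = $prop
                Current      = $current
                Expected     = $expected[$prop]
                Matches      = $ok
            }
            if (-not $ok -and $Repair) {
                # Same call as the two one-liners above, scoped to the mismatched property
                $setParams = @{ Identity = $rel.Identity; $prop = $expected[$prop] }
                Set-OrganizationRelationship @setParams
            }
        }
    }
}

# Report only:
# Test-HybridOrganizationRelationship -HybridFqdn 'hybrid.domain.com' | Format-Table -AutoSize
# Apply the fix where the values differ:
# Test-HybridOrganizationRelationship -HybridFqdn 'hybrid.domain.com' -Repair
```

Run the report first; a relationship whose Current column still shows the Exchange 2010 Autodiscover host is the one that explains broken free/busy and migration batches.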

There’s also a great blog post that goes into troubleshooting authentication on the Exchange 2010 side, where Negotiate authentication (which is there by default but against best practice) can cause cloud-to-on-premises authentication issues.

So you’ve seen some pretty compelling reasons to deploy Exchange 2016 for your hybrid environment. Whether in a Federated or Synchronized identity model, and in conjunction with AD Connect for directory synchronization, you can get set up with hybrid more easily than ever.

Also, Microsoft has recently updated the Exchange Hybrid Product Key Distribution wizard so you can finally deploy Exchange 2016 in an Exchange 2010 environment as your Hybrid server and be covered under Microsoft’s proper licensing and support. You can grab your key at:


So without further ado, here is version 2 of my EO Hybrid architecture.


Deep Dive in On-Premises Public Folder Hybrid with Exchange Online

Public Folders have been on the way out ever since Exchange 2007, but there are still organizations that are slow to migrate to “better” options (i.e. Shared Mailboxes or SharePoint sites).

Previous processes required migrating public folders before moving mailboxes; however, the hybrid process allows migrating end-user mailboxes up to Exchange Online while providing additional time for moving the public folder data to other options.

The biggest “gotcha” of this scenario is that the CAS role must be added to the server hosting the public folder database.

The key comment in the TechNet blog spelling this out starts with:

The addition of the CAS role will ensure public folder replica referrals happen appropriately if a folder a user is accessing does not have a local replica in the PFDB.

Exchange Online uses RemotePublicFolderMailboxes on the on-premises server with the public folder database in conjunction with the Client Access Server role.
We also need a dedicated mailbox database and mailbox because of how RPC client traffic is relayed through this role.
In an Exchange 2010 CAS array environment, mailbox databases are stamped with the array name. This won’t route RPC client access traffic properly, hence the separate database.
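A quick prerequisite report for the three points above, as an added example that is not code from the original post or the TechNet blog: for every on-premises public folder database it checks that the hosting server has the Client Access role and that at least one mailbox database on that server is stamped with the server itself (not a CAS array) as its RPC client access endpoint. It assumes the Exchange 2010 Management Shell; the property and cmdlet names are the standard Exchange 2010 ones.

```powershell
# Added example, not from the original post: report whether each public folder
# server meets the hybrid prerequisites described above.
function Test-PublicFolderHybridPrereqs {
    foreach ($pfdb in Get-PublicFolderDatabase) {
        $server    = Get-ExchangeServer -Identity $pfdb.Server.Name
        $databases = @(Get-MailboxDatabase -Server $server.Name)

        # Databases stamped with a CAS array FQDN route RPC traffic to the array;
        # the hybrid public folder mailbox needs one stamped with this server.
        $dedicated = @($databases | Where-Object { ([string]$_.RpcClientAccessServer) -ieq $server.Fqdn })
        $hasCas    = [bool]$server.IsClientAccessServer

        [pscustomobject]@{
            PublicFolderDatabase = $pfdb.Name
            Server               = $server.Name
            HasClientAccessRole  = $hasCas
            MailboxDatabases     = $databases.Count
            DedicatedDatabase    = ($dedicated | Select-Object -First 1 -ExpandProperty Name)
            Ready                = $hasCas -and ($dedicated.Count -gt 0)
        }
    }
}

Test-PublicFolderHybridPrereqs | Format-Table -AutoSize
```

A row with Ready = False tells you which of the two pieces is missing before you create the public folder mailbox and point Exchange Online at it.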

I had the privilege of setting this up in an Exchange 2010 hybrid environment and wanted to share a few “gotchas” I encountered.
Let’s take our Mailbox server with the public folder database, OCEX04:



