- Overview of Microsoft MVP Program
- Getting out of the patching and server management business
- Updated Hybrid Configuration Wizard (v17)
- Keeping an Exchange server on-prem for secure mail relay
- GUI for restoring deleted mail for users
- Reply-all storm protection
- Support for DANE / DNSSEC
- New defaults for SMTP Auth
- Deprecation and deadline extension for basic auth
- Getting all users to multi-factor authentication
When running the Hybrid Configuration Wizard, you may receive the following error on the credential page.
Hybrid Configuration Service may be limited
This error is the result of an out-of-date Hybrid Configuration Wizard. In the screenshot above, we are using version 16.0.3149.4. At the time of writing, the current version is 17.0.4554.0.
Despite the historically self-updating nature of the hybrid configuration wizard, users on older versions will need to uninstall and then reinstall version 17 from the portal. However, once installed, version 17 will check for updates on launch.
The new wizard contains several significant changes, along with smaller bug fixes and enhancements.
The first is that the wizard will no longer create or require a federation trust in some Exchange environments. If the wizard detects the presence of Exchange 2010, the federation trust will be created. However, if the on-premises environment only includes Exchange 2013 or newer, the federation trust is skipped. This means that domain proof is not required, which skips the need to create DNS TXT records as part of the wizard.
Second, the wizard also vastly improves how it reports OAuth errors if enablement fails during the execution of the wizard. Detailed OAuth failure messages are now reported in the HCW logs, which will help significantly with troubleshooting.
[Read more…] about Hybrid Configuration Service may be limited
As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.
The updates are as follows:
So, what’s new in these Cumulative Updates?
In this series of cumulative updates, Microsoft added thirteen new blocked file types for use with the OWA Mailbox Policy. The additions include several scripting extensions, among them the Python file types .py, .pyc, and .pyo. For a full list of the new extensions, check the following article.
These cumulative updates also correct an issue when using the Restore-RecoverableItems command in a pipe. We covered the cloud-exclusive GUI version of this command in an article earlier this week. Be sure to check it out.
Companies leveraging Hybrid Modern Authentication will also want to take note of these updates as they fix unexpected authentication prompts during certificate rollovers.
Customers leveraging Edge Transport will also want to take note as these updates resolve a situation where Edge Transport servers may become unresponsive due to a deadlock in the shadow redundancy manager.
[Read more…] about Exchange Cumulative Updates (June 2020)
Recover deleted mail using the new Exchange Admin Center in Office 365
In the last quarterly update, we covered the new Exchange Admin Center in Office 365. Exclusive to the new admin center is the ability to recover deleted items back into a user’s mailbox. This process has been available using PowerShell for some time.
Keep in mind you can only recover up to the limit of your single item recovery policy. By default, this is 14 days in Office 365, but can be increased to 30 days (although you will need to set this ahead of time).
You can read more about how to recover deleted items in the following article.
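The same recovery can be driven from Exchange Online PowerShell, which is also what the new admin center wraps. The block below is an added example, not code from the original post: it checks the mailbox's single item recovery window (14 days by default, 30 days maximum), optionally raises it, lists what is still recoverable, and restores matching messages. It assumes an existing Connect-ExchangeOnline session and an account holding the Mailbox Import Export role; the mailbox address, subject filter and date range are constructed placeholders.

```powershell
# Added example (not from the original post): inspect the recovery window for a mailbox
# and restore recently deleted messages with the Exchange Online cmdlets.
# Assumes an Exchange Online PowerShell session and the Mailbox Import Export role.
$Mailbox  = 'jane.doe@contoso.example'   # placeholder mailbox
$DaysBack = 7                             # how far back to search (placeholder)

# 1. Confirm the recovery window. RetainDeletedItemsFor is 14 days by default and can be
#    raised to a maximum of 30 days; anything older than the window is gone for good.
$mbx = Get-Mailbox -Identity $Mailbox
$mbx | Format-List DisplayName, RetainDeletedItemsFor, SingleItemRecoveryEnabled

# Optionally raise the window to the 30-day maximum. This only protects items deleted
# from now on, so it has to be set ahead of time, not after the loss.
if ($mbx.RetainDeletedItemsFor.Days -lt 30) {
    Set-Mailbox -Identity $Mailbox -RetainDeletedItemsFor 30 -SingleItemRecoveryEnabled $true
}

# 2. List recoverable mail from the last $DaysBack days. -SourceFolder RecoverableItems
#    searches items the user already removed from Deleted Items; -FilterItemType IPM.Note
#    limits the result to e-mail messages (not calendar items or contacts).
$start = (Get-Date).AddDays(-$DaysBack)
$end   = Get-Date
$items = Get-RecoverableItems -Identity $Mailbox -SourceFolder RecoverableItems `
            -FilterItemType IPM.Note -FilterStartTime $start -FilterEndTime $end `
            -ResultSize Unlimited
$items | Select-Object Subject, LastModifiedTime, LastParentPath | Format-Table -AutoSize

# 3. Restore only the messages whose subject matches. Each item goes back into the folder
#    it was deleted from where that folder still exists.
Restore-RecoverableItems -Identity $Mailbox -SourceFolder RecoverableItems `
    -FilterItemType IPM.Note -FilterStartTime $start -FilterEndTime $end `
    -SubjectContains 'Quarterly report'
```

Run the listing step first and review the output before restoring; restoring everything in a window with no subject or date filter is rarely what the user asked for.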
Preventing Reply-All Storms in Exchange Online
Microsoft has added a new feature to combat reply-all storms. These storms are particularly prevalent when numerous people execute a reply-all to a massive distribution list.
Microsoft’s initial reply-all protection will block replies to an email thread for 4 hours if it detects more than ten reply-all messages within 60 minutes to a thread with over 5,000 recipients.
The eleventh sender will receive a non-delivery report titled Reply-All Storm Protection with the reason the message was blocked.
[Read more…] about Exchange Online Updates (June 2020)
The PowerShell command to recover deleted email for a user has been around for some time. However, these PowerShell commands now have a graphical interface in the new Exchange Admin Center.
In this article, we explore how to recover deleted email for a user. But first, there are some permission prerequisites.
Assigning your admin account recovery permissions
Before we can restore mail for a user, we need permission to do so. The permission in question is the Mailbox Import / Export permission. By default, no one is assigned this permission in Exchange.
Log onto the Exchange Admin Center and navigate to Permissions > Admin Roles.
At this point, we have two options. We can either assign the Mailbox Import / Export role to an existing role group (such as Organization Management), or we can create a new role group. Let's do the latter.
Click the New button. This launches the new role group dialog.
Type a Name and Description for your role. In our example, we went with Email Recovery Role.
If needed, select a custom write scope, or leave it at the default. The default scope allows the role holder to apply these permissions to the entire organization. You can define a custom write scope to limit the scope of this permission. For example, the scope could be limited to a specific business unit or group of users. This is particularly useful if you need to delegate this role.
Under Roles, click the Add button.
Double-click Mailbox Import Export and click Ok.
Under Members, click the Add button.
Double-click each administrator you want to assign this role and click Ok.
Note: Once the role group is created it can take up to one hour for the permissions to take effect.
[Read more…] about Recover deleted email using the new Exchange Admin Center
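The role group steps above have a direct PowerShell equivalent, shown here as an added example that is not part of the original post. It creates the Email Recovery Role group with only the Mailbox Import Export role, optionally narrows the write scope to a subset of mailboxes (the least-privilege option the article recommends for delegation), and then verifies exactly what the group can do. It assumes an Exchange Online PowerShell session and an account in Organization Management; the member address, scope name and department filter are constructed placeholders.

```powershell
# Added example (not from the original post): create the "Email Recovery Role" group from
# PowerShell instead of the Exchange Admin Center, then verify its assignments.
# Assumes an Exchange Online PowerShell session run by an Organization Management member.
$GroupName   = 'Email Recovery Role'
$Description = 'Delegated recovery of deleted mail (Mailbox Import Export only)'
$Members     = @('helpdesk.lead@contoso.example')   # placeholder administrator(s)

# Optional: a custom recipient write scope so the delegates can only act on a subset of
# mailboxes. The filter below is a constructed example; omit the scope to keep the
# default, which covers the whole organization.
$ScopeName = 'Finance Mailboxes Only'
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "Department -eq 'Finance'"
}

# Create the group only if it does not already exist, so the script is safe to re-run.
# -Roles holds just the one role the task needs; nothing else is granted.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Description $Description `
        -Roles 'Mailbox Import Export' -Members $Members `
        -CustomRecipientWriteScope $ScopeName
}

# Verify: who is in the group, and which roles and write scopes they actually hold.
# As the note above says, allow up to an hour before the permissions are effective.
Get-RoleGroupMember -Identity $GroupName | Select-Object Name, RecipientType
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Select-Object Role, RoleAssigneeName, CustomRecipientWriteScope, RecipientWriteScope
```

Auditing Get-ManagementRoleAssignment output periodically is a cheap way to catch recovery groups that quietly accumulate extra roles or lose their custom scope over time.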
Ran into the following error when running the Hybrid Configuration Wizard. The error occurred during the gathering configuration information screen, immediately after authenticating to Office 365.
Connecting to remote server failed with the following error message: Connecting to remote server outlook.office365.com failed with the following error message: The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.
From the error message we can see the issue lies with basic authentication being disabled in the WinRM client. Basic authentication is enabled by default, so the fact it is disabled is likely due to security being hardened in the operating system.
[Read more…] about Hybrid Configuration Wizard fails: WinRM client cannot process the request
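To confirm that diagnosis on the server where the wizard runs, the following added example (not code from the original post) reads the live WinRM client setting and the Group Policy value that commonly overrides it on hardened hosts. It changes nothing unless you pass -Enable, and it refuses to do so when policy is the cause, since a local Set-Item cannot override a policy-set value. Run it in an elevated session; the function name is an assumption of this example.

```powershell
# Added example (not from the original post): show why the WinRM client rejects Basic
# authentication, and re-enable it only on request for the duration of the wizard run.
# Run elevated on the server where the Hybrid Configuration Wizard is launched.
function Test-WinRmClientBasicAuth {
    [CmdletBinding()]
    param([switch]$Enable)

    $wsmanPath = 'WSMan:\localhost\Client\Auth\Basic'

    # 1. The live WinRM client setting used by the wizard's remote PowerShell session.
    $basic = (Get-Item -Path $wsmanPath).Value
    Write-Host "WSMan client Auth\Basic = $basic"

    # 2. The Group Policy that overrides it: "Allow Basic authentication" under
    #    Computer Configuration > Administrative Templates > Windows Components >
    #    Windows Remote Management (WinRM) > WinRM Client. A value of 0 here is the usual
    #    cause on hardened servers (security baselines disable it).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
    $allowBasic = (Get-ItemProperty -Path $policyPath -Name AllowBasic `
                    -ErrorAction SilentlyContinue).AllowBasic
    if ($null -eq $allowBasic) {
        Write-Host 'No Group Policy value for AllowBasic; the local WSMan setting applies.'
    } else {
        Write-Host "Group Policy AllowBasic = $allowBasic (policy wins over the local setting)"
    }

    if ($basic -eq 'true') { return $true }

    if ($Enable) {
        if ($allowBasic -eq 0) {
            Write-Warning 'Basic auth is disabled by Group Policy. Adjust the GPO (or exempt this server) and run gpupdate, then retry.'
            return $false
        }
        # Re-enable locally. The wizard talks to outlook.office365.com over HTTPS, so the
        # credential is inside TLS, but set this back to false once the wizard completes.
        Set-Item -Path $wsmanPath -Value $true
        return ((Get-Item -Path $wsmanPath).Value -eq 'true')
    }
    return $false
}

Test-WinRmClientBasicAuth             # report only
# Test-WinRmClientBasicAuth -Enable   # re-enable for the wizard run
# Set-Item WSMan:\localhost\Client\Auth\Basic -Value $false   # revert afterwards
```

Keeping the change scoped to the wizard run, and reverting it, keeps the server aligned with whatever baseline disabled the setting in the first place.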
On February 29th I had the great pleasure of being a guest on the RunAs Radio podcast. I joined host Richard Campbell to discuss all the new security requirements coming to Exchange Online, specifically around the new modern authentication requirement and the deprecation of TLS 1.0 and 1.1.
[Read more…] about RunAs Radio #684 – Exchange in 2020 with Gareth Gudger
I have had a few instances where customers have blocked OneDrive in their Office 365 tenant. This is often the result of a looming Exchange 2010 support deadline and a lack of time to establish governance, security, compliance, and training around both Exchange and every other service in Office 365. Unfortunately, the methods used to block some of these services may have unexpected consequences.
In each of these instances, OneDrive was blocked by removing the user's ability to create OneDrive storage in the tenant. SharePoint Online was also in its default out-of-the-box state with default permissions. In each case, we ran into the following symptoms:
- Despite the OneDrive block, an Outlook Web App user could successfully select the option Save to OneDrive for their attachments
- The attachment would not save to OneDrive, but instead to the default SharePoint document library, inside a folder named Attachments
In the next sections, we show how the OneDrive block was put in place and how SharePoint was configured to cause this perfect storm of incorrect attachment saving. We will then identify a workaround for the issue.
How OneDrive was blocked
The method described in this section is commonly found on the internet to block OneDrive access for users. In all cases, OneDrive was configured using this method.
The block is configured by navigating to the SharePoint Admin Center and selecting More Features. From the More Features window, click the Open button under the User Profiles section.
From the User Profiles screen, select Manage User Permissions. On the Permissions for User Profile dialog, select Everyone except external users. In the Permissions box, Create Personal Site was unchecked. When unchecked, this removes the user's ability to create a personal OneDrive site.
Note: This method does not affect users with existing OneDrive storage. To revoke access to existing storage, the site collection admin for each OneDrive personal store would need to be replaced.
[Read more…] about Blocking OneDrive may save attachments to the default SharePoint document library