SuperTekBoy

Practical Help for Exchange & Office 365

Office 365 Solutions

Blocking OneDrive may save attachments to the default SharePoint document library

By Leave a Comment

32 Shares
Share
Tweet
Share
Reddit
Print

I have had a few instances where customers have blocked OneDrive in their Office 365 tenant. This is often the result of a looming Exchange 2010 support deadline and a lack of time to establish governance, security, compliance, and training around both Exchange and every other service in Office 365. Unfortunately, the methods used to block some of these services may have unexpected consequences.

In each of these instances, OneDrive was blocked by removing the user’s ability to create OneDrive storage in the tenant. SharePoint Online was also in its default out-of-the-box state with default permissions. In each case we ran into the following symptoms:

  • Despite the OneDrive block, an Outlook Web App user could successfully select the option Save to OneDrive for their attachments
  • The attachment would not save to OneDrive, but instead, the default SharePoint document library inside a folder named Attachments

In the next sections, we show how the OneDrive block was put in place and how SharePoint was configured to cause this perfect storm of incorrect attachment saving. We will then identify a workaround for the issue.

How OneDrive was blocked

The method described in this section is commonly found on the internet to block OneDrive access for users. In all cases, OneDrive was configured using this method.

The block is configured by navigating to the SharePoint Admin Center and selecting More Features. From the More Features window, click the Open button under the User Profiles section.

Blocking users from accessing OneDrive

From the User Profiles screen, select Manage User Permissions. On the Permissions for User Profile dialog, select Everyone except external users. In the Permissions box, Create Personal Site was unchecked. When unchecked this removes the user’s ability to create a personal OneDrive site.

Blocking users from accessing OneDrive B

Note: This method does not affect users with existing OneDrive storage. To revoke access to existing storage, the site collection admin for each OneDrive personal store would need to be replaced.

[Read more…] about Blocking OneDrive may save attachments to the default SharePoint document library

RPC/HTTP & Block Legacy Auth may prevent Outlook reconfiguration after migrating to Exchange Online

By Leave a Comment

48 Shares
Share
Tweet
Share
Reddit
Print

I have had a few projects now where one of the security requirements for Office 365 was to implement a conditional access policy that blocked legacy authentication (also known as basic auth). What this block does is enforce modern authentication for all clients. Any clients not using modern authentication will be denied access to all Office 365 resources.

In each of these projects, these security policies were enforced prior to moving any mailboxes to Exchange Online. In each case we ran into the same two symptoms:

  • The Outlook client (which supported modern authentication) failed to reconfigure after a mailbox migration to Exchange Online
  • Any on-premises users with permissions to a migrated mailbox were now getting a continuous basic authentication prompt

How the conditional access policy was configured

In all cases, the conditional access policy was scoped to all users and all cloud apps.

Conditional Access Policy - Block Legacy Authentication (Basic)

Conditions scoped under Client Apps were set to include Mobile apps and desktop clients with a subitem of Other clients. No other conditions were set. The access control was to Block access.

Conditional Access Policy - Block Legacy Authentication (Basic) 2

Note: “Other clients” includes clients that use basic/legacy authentication, and do not support modern authentication. Reference: Conditional Access: Conditions

After we migrated a mailbox and Outlook failed to reconfigure (continuous legacy auth prompts) we could see the failure under Azure AD Sign-Ins. Oddly our Outlook client (Office ProPlus) which supported modern authentication was being blocked due to legacy authentication.

Azure AD Sign-Ins Conditional Access Failure RPC over HTTP
[Read more…] about RPC/HTTP & Block Legacy Auth may prevent Outlook reconfiguration after migrating to Exchange Online

Revoke your guest access to an Office 365 tenant (and Teams)

By 2 Comments

46 Shares
Share
Tweet
Share
Reddit
Print

As a consultant, I am often invited to collaborate in other Office 365 tenants. This is often presented in the form of guest access into that tenant, which allows me to access applications such as Microsoft Teams or share files with SharePoint Online.

The benefit of guest access is that I can collaborate as if I were a member of that organization without consuming a license, or, requiring an identity in that tenant. For example, my guest access into that tenant could easily be attached to a personal email account hosted at outlook.com.

I often see guest access granted in mergers and acquisitions where the two companies need to collaborate at a business level well before any technology to integrate the two companies has been implemented.

But other scenarios that drive guest access include a company needing to collaborate with its vendors or partners, or, a consultant working with a customer on a project.

But what happens when that guest access is no longer needed?

For our example, Amy Pond successfully completed a project at Super Awesome LLC. Amy collaborated with Super Awesome employees using Microsoft Teams and would like to remove Super Awesome from her Microsoft Teams client. Amy needs to maintain access to Totally Brilliant LLC, which is her new project, and SuperTekBoy LLC, which is her employer. The screenshot below is how Amy’s Microsoft Teams client looks today.

Guest Access to other Microsoft Teams

In this article, Amy will leave Super Awesome’s Office 365 tenant by revoking her own guest access. After she revokes her access she will no longer have any access to any Super Awesome apps or data.

Let’s get started!

[Read more…] about Revoke your guest access to an Office 365 tenant (and Teams)

Presence missing in Outlook after Teams Only switch

By 28 Comments

49 Shares
Share
Tweet
Share
Reddit
Print

If you have recently made the switch from Skype to Teams Only mode in Office 365, you may have lost your presence data in Outlook.

Skype and Teams share their presence data with Outlook. When viewing or composing an email in Outlook you can also see the presence of anyone internal in your organization and any external users you have federated presence data with. That presence date will look like the screenshot below.

Presence data from Teams and Skype in Microsoft Outlook

In the example above, I have a green checkmark which identifies my presence as available. This could also be yellow to show away, red to show busy and, other presences such as do-not-disturb, out of office, or, unknown. This presence data can show up in other Office applications as well, such as Microsoft Word when co-authoring a document in real-time.

If you have recently switched to Teams-Only mode and there is no presence circle at all, then you may need to reconfigure your Teams client to share presence data. Below is an example of what that will look like.

Note: Presence data will also be missing if your Microsoft Teams client is not running.

Missing Presence Data in Microsoft Outlook
[Read more…] about Presence missing in Outlook after Teams Only switch

Connect-MsolService may fail when MFA is enabled

By 8 Comments

23 Shares
Share
Tweet
Share
Reddit
Print

When attempting to use Connect-MsolService with an MFA-enabled admin account you may receive a legacy auth prompt as opposed to a modern auth prompt. This incorrect prompt is due to the MSOnline PowerShell module being out of date. 

Unable to use Connect-MsolOnline with MFA - Exception of type Microsoft.Online.Administration.Automation.MicrosoftOnlineException

If you were to enter credentials in the legacy prompt you would be unable to connect and would receive the following cryptic error.

 C:\> Connect-MsolService

Connect-MsolService : Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown. 
At line:1 char:1

Connect-MsolService
~~~~~~~~~~~~~~~~~~~
CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
FullyQualifiedErrorId : 0x800434D4,Microsoft.Online.Administration.Automation.ConnectMsolService

So, all we need to do is update, right?

Well, depending on how you originally installed the MSOnline module the update process may not be intuitive as you might think.

[Read more…] about Connect-MsolService may fail when MFA is enabled

Fixing frequent blank screens in Outlook for iOS & Android

By 9 Comments

26 Shares
Share
Tweet
Share
Reddit
Print

When I first started using Outlook for Android it was running great. I use it to check three different email accounts–two accounts in Office 365 and one Outlook.com.

However, as the months went by the app seemed to get slower and slower, with more frequent blank screens. These blank screens would appear most often when I would try to pull up my folder list (pictured below)

Outlook for Android & iOS Slow Folder Opening

Although it would happen at other times as well. Such as trying to open an email (pictured below).

Outlook for Android & iOS Slow Email Opening

This delay would generally last a few seconds. But sometimes it could take as long as 10 seconds for the folder list or email to appear. Certainly enough to hinder productivity in the app.

[Read more…] about Fixing frequent blank screens in Outlook for iOS & Android

No account settings were returned from the Autodiscover response

By 13 Comments

97 Shares
Share
Tweet
Share
Reddit
Print

While attempting to configure an Outlook client with an Exchange mailbox I ran into an issue where the account creation would not complete. Instead, Outlook would stop on “Search for server settings” and prompt me for a username and password. The credentials of my Exchange account did not work and kicked back the login prompt.

When I attempted to test Autodiscover using testconnectivity.microsoft.com I ran into an even stranger error. Autodiscover appeared to work. But I received the error “No account settings were returned from the Autodiscover response”.

No account settings were returned from the Autodiscover response

Examining the Autodiscover response I noticed that the test successfully completed against the root of supertekboy.com. This was odd as supertekboy.com is redirected to the website www.supertekboy.com where no Autodiscover responses should be happening.

No account settings were returned from the Autodiscover response using root domain record

However, when attempting to plug the Autodiscover URL into a web browser I found that something was responding to Autodiscover requests. It was responding with an error of “Autodiscovery must be provided a valid email address”.

Autodiscovery must be provided a valid email address b

This isn’t an Exchange or Office 365 autodiscover response. Instead, this was my web hosting provider responding to my Autodiscover request. Specifically, cPanel. cPanel has its own implementation of autodiscover, which allows Outlook and other email clients to automatically configure themselves for a cPanel mailbox. Unfortunately, this conflicts with autodiscover locating an Exchange or Office 365 mailbox.

[Read more…] about No account settings were returned from the Autodiscover response

Access is Denied when enabling Group Writeback

By 4 Comments

36 Shares
Share
Tweet
Share
Reddit
Print

Group Writeback is a feature in Azure AD Connect that allows for Office 365 Groups to be written back to your on-premises Active Directory as a universal distribution group. This allows your on-premises users in a hybrid environment to send email to the Office 365 Group.

When configuring group writeback you specify which organizational unit (OU) you want these objects to be written. Each of these Office 365 groups is then represented by a separate universal distribution group that starts with the name of “Group_” followed by a unique identifier.

In the screenshot below I have two Office 365 groups that are being written back to my local AD.

Group Writeback Azure AD Connect

The problem – Access is Denied

When I first tried to get these groups written back to this organizational unit was where I ran into problems. I was following this Microsoft document verbatim. The document specifies to open Active Directory Users and Computers and locate the account that started with “AAD_”. Which I found.

The document later uses this account to run a script. When running the script everything completed as expected. No errors.

Group Writeback Script Azure AD Connect

When I checked the permissions on the organizational unit I could see that the script had added the AAD_ account with a bunch of permissions. Everything looked good.

However, I quickly started generating errors in Azure AD Connect. When I opened the Synchronization Manager I received the following error on the export of my Office 365 group. “Permission Issue – Access is denied”

Group Writeback Access is Denied Synchronization Manager
[Read more…] about Access is Denied when enabling Group Writeback