SuperTekBoy

Practical Help for Exchange & Office 365

Office 365 Solutions

Connect-MsolService may fail when MFA is enabled

By Leave a Comment

3 Shares
Share
Tweet
+1
Share
Reddit

When attempting to use Connect-MsolService with an MFA-enabled admin account you may receive a legacy auth prompt as opposed to a modern auth prompt. This incorrect prompt is due to the MSOnline PowerShell module being out of date. 

Unable to use Connect-MsolOnline with MFA - Exception of type Microsoft.Online.Administration.Automation.MicrosoftOnlineException

If you were to enter credentials in the legacy prompt you would be unable to connect and would receive the following cryptic error.

 C:\> Connect-MsolService

Connect-MsolService : Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown. 
At line:1 char:1

Connect-MsolService
~~~~~~~~~~~~~~~~~~~
CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
FullyQualifiedErrorId : 0x800434D4,Microsoft.Online.Administration.Automation.ConnectMsolService

So, all we need to do is update, right?

Well, depending on how you originally installed the MSOnline module the update process may not be intuitive as you might think.

[Read more…] about Connect-MsolService may fail when MFA is enabled

Fixing frequent blank screens in Outlook for iOS & Android

By 6 Comments

26 Shares
Share
Tweet
+1
Share
Reddit
When I first started using Outlook for Android it was running great. I use it to check three different email accounts–two accounts in Office 365 and one Outlook.com.

However, as the months went by the app seemed to get slower and slower, with more frequent blank screens. These blank screens would appear most often when I would try to pull up my folder list (pictured below)

Outlook for Android & iOS Slow Folder Opening

Although it would happen at other times as well. Such as trying to open an email (pictured below).

Outlook for Android & iOS Slow Email Opening

This delay would generally last a few seconds. But sometimes it could take as long as 10 seconds for the folder list or email to appear. Certainly enough to hinder productivity in the app. [Read more…] about Fixing frequent blank screens in Outlook for iOS & Android

No account settings were returned from the Autodiscover response

By 10 Comments

97 Shares
Share
Tweet
+1
Share
Reddit
While attempting to configure an Outlook client with an Exchange mailbox I ran into an issue where the account creation would not complete. Instead, Outlook would stop on “Search for server settings” and prompt me for a username and password. The credentials of my Exchange account did not work and kicked back the login prompt.

When I attempted to test Autodiscover using testconnectivity.microsoft.com I ran into an even stranger error. Autodiscover appeared to work. But I received the error “No account settings were returned from the Autodiscover response”.

No account settings were returned from the Autodiscover response

Examining the Autodiscover response I noticed that the test successfully completed against the root of supertekboy.com. This was odd as supertekboy.com is redirected to the website www.supertekboy.com where no Autodiscover responses should be happening.

No account settings were returned from the Autodiscover response using root domain record

However, when attempting to plug the Autodiscover URL into a web browser I found that something was responding to Autodiscover requests. It was responding with an error of “Autodiscovery must be provided a valid email address”.

Autodiscovery must be provided a valid email address b

This isn’t an Exchange or Office 365 autodiscover response. Instead, this was my web hosting provider responding to my Autodiscover request. Specifically, cPanel. cPanel has its own implementation of autodiscover, which allows Outlook and other email clients to automatically configure themselves for a cPanel mailbox. Unfortunately, this conflicts with autodiscover locating an Exchange or Office 365 mailbox. [Read more…] about No account settings were returned from the Autodiscover response

Access is Denied when enabling Group Writeback

By 3 Comments

37 Shares
Share
Tweet
+1
Share
Reddit
Group Writeback is a feature in Azure AD Connect that allows for Office 365 Groups to be written back to your on-premises Active Directory as a universal distribution group. This allows your on-premises users in a hybrid environment to send email to the Office 365 Group.

When configuring group writeback you specify which organizational unit (OU) you want these objects to be written. Each of these Office 365 groups is then represented by a separate universal distribution group that starts with a name of “Group_” followed by a unique identifier.

In the screenshot below I have two Office 365 groups that are being written back to my local AD.

Group Writeback Azure AD Connect

The problem – Access is Denied

When I first tried to get these groups written back to this organizational unit was where I ran into problems. I was following this Microsoft document verbatim. The document specifies to open Active Directory Users and Computers and locate the account that started with “AAD_”. Which I found.

The document later uses this account to run a script. When running the script everything completed as expected. No errors.

Group Writeback Script Azure AD Connect

When I checked the permissions on the organizational unit I could see that the script had added the AAD_ account with a bunch of permissions. Everything looked good.

However, I quickly started generating errors in Azure AD Connect. When I opened Synchronization Manager I received the following error on the export of my Office 365 group. “Permission Issue – Access is denied”

Group Writeback Access is Denied Synchronization Manager

[Read more…] about Access is Denied when enabling Group Writeback

Unable to delete newly created calendar in Outlook on the Web (OWA)

By 2 Comments

34 Shares
Share
Tweet
+1
Share
Reddit
If you created a new calendar in Outlook on the Web you may notice the option to delete it might be missing. I see this question come up quite a lot so figured it was time to address it with a blog post.

The issue occurs when a user creates a calendar in Outlook on the Web. Often the calendar is created in error because the user was trying to add a shared calendar instead. When the user right-clicks the calendar they will see no option to delete.

We have an example of this in the screenshot below. The user has created a calendar titled, “My New Calendar”. However, when they right-click there is no option to delete.

Outlook on the web OWA can not delete calendar

[Read more…] about Unable to delete newly created calendar in Outlook on the Web (OWA)

Hybrid mail flow: TLS negotiation failed with error NoCredentials

By 14 Comments

60 Shares
Share
Tweet
+1
Share
Reddit
Ran into a strange problem recently where an Exchange 2016 server could not send mail to Office 365 via hybrid mail flow. What made this situation particularly strange is that other Exchange servers in the environment had no problem sending messages over the hybrid connection. On the problem server, messages would get stuck in the queue and eventually time out.

The queues were filled with retries such as these.

451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or deliver failed to all alternate hosts.

This message tells us that the server was unable to connect to Office 365. Unfortunately, it does not give us much detail beyond that. For that level of detail, we need to enable logging on the SMTP send connector used to send mail to Office 365.

Turn up logging on the SMTP Send Connector

To enable logging on an send connector log into the Exchange Admin Center (EAC) and select the Mail Flow tab and Send Connectors sub tab. Double click the send connector named Outbound to Office 365 and select Verbose under the General tab. Click Save.

Configure verbose logging on Exchange 2016 send connector

To perform this same action through the Exchange Management Shell (EMS) type the following command.

 C:\> Set-SendConnector -Identity "Outbound to Office 365" -ProtocolLoggingLevel Verbose

Note: Protocol logging can take some time before it starts creating log files. You can jump-start this process by restarting the Microsoft Exchange Transport service. Keep in mind this will disrupt mail flow on that server while the service restarts. The default location for SMTP send logs in Exchange 2016 is  %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpSend.

While we waited for logging to generate some entries we also confirmed that we could successfully make a connection from the problem server to Office 365. For this task, we confirmed that we could telnet over port 25 to Office 365 and send an email message. This confirmed two things. First that this server was not being blocked on outbound port 25. Second that this server could resolve and reach Office 365 servers. [Read more…] about Hybrid mail flow: TLS negotiation failed with error NoCredentials

Unexpected result from Windows Live. 1007 Access Denied – Federation Trust

By Leave a Comment

34 Shares
Share
Tweet
+1
Share
Reddit
Recently while trying to remove a domain from the federation trust I received the following error.

The URI couldn't be released. An unexpected results was received from Windows Live 1007 Access Denied

The URI "supertekboy.com" for domain "supertekboy.com" on application identifier "000000004804735E" couldn't be released. Detailed information: "An unexpected result was received from Windows Live. Detailed information: "1007 AccessDenied: Access Denied.".".

Despite the almost cryptic error, this one is actually quite simple to fix. In this particular case, the time in my domain was 5 minutes behind the rest of the world. Or more importantly, 5 minutes offset from the Microsoft Federation Gateway. As soon as I brought my time forward I was able to immediately release the shared domain from the federation trust.

Error 1007 can occur while making other configuration changes to the federation trust. It is not just linked to releasing a domain. So if you see this error while performing any task with the federation trust, check the time on your Exchange boxes.

TwitterHave you run into this error? What was your solution? Drop a comment below or join the conversation on Twitter @SuperTekBoy.

The delegation token is NULL – Hybrid Free/Busy

By 1 Comment

77 Shares
Share
Tweet
+1
Share
Reddit
Ran into a strange issue recently where on-premises users could not see the free/busy information for test users I had migrated to Exchange Online. Exchange Online, on the other hand, had no problem seeing the free/busy of the on-premises users. I had just run the hybrid configuration wizard and it completed without incident. The environment had not been previously enabled for the Microsoft Federation Gateway so I let the wizard take care of that step as well.

When we tested the trust with the federation gateway we received the following error on Step 5 of 6: Requesting delegation token.

 C:\> Test-FederationTrust -UserIdentity rsong@exchangeservergeek.com

<...edited...>

RunspaceId : e4e42cab-62f4-4d70-be15-69143b273823
Id : TokenRequest
Type : Error
Message : Failed to request delegation token.

Error. Attempted to get delegation token, but token came back as null.

The token coming back as null seemed to be the key here. Unfortunately, the web seemed to lack any real way to fix the existing trust. We resolved to delete and recreate the trust with the federation gateway.

Recreating the Federation Trust

Warning: Before we get started with the process you will need access to external DNS zone. Recreating the trust voids the current TXT record that was used for domain validation.

To delete the federation trust navigate to the Organization > Sharing tabs in the Exchange Admin Center. Under the section titled Federation Trust click the Remove button. Click Yes to confirm.

Removing the trust with the Microsoft Federation Gateway

[Read more…] about The delegation token is NULL – Hybrid Free/Busy