SuperTekBoy

Practical Help for Exchange & Office 365

Office 365 Solutions

Hybrid Configuration Service may be limited

By 2 Comments

23 Shares
Share
Tweet
Share
Reddit
Print

When running the Hybrid Configuration Wizard, you may receive the following error on the credential page.

Hybrid Configuration Service may be limited - Exchange Online
Hybrid Configuration Service may be limited

This error is the result of an out of date hybrid configuration wizard. In the screenshot above, we are using version 16.0.3149.4. At the time of writing, the current version is 17.0.4554.0.

Despite the historically self-updating nature of the hybrid configuration wizard, users on older versions will need to uninstall and then reinstall version 17 from the portal. However, once installed, version 17 will check for updates on launch.

The new wizard contains several significant changes, including smaller bug fixes and enhancements.

The first is that the wizard will no longer create or require a federation trust in some Exchange environments. If the wizard detects the presence of Exchange 2010, the federation trust will be created. However, if the on-premises environment only includes Exchange 2013 or newer, the federation trust is skipped. This means that domain proof is not required, which skips the need to create DNS TXT records as part of the wizard.

Second, the wizard also vastly improves how it reports OAuth errors if enablement fails during the execution of the wizard. Detailed OAuth failure messages are now reported in the HCW logs, which will help significantly with troubleshooting.

[Read more…] about Hybrid Configuration Service may be limited

Hybrid Configuration Wizard fails: WinRM client cannot process the request

By 1 Comment

19 Shares
Share
Tweet
Share
Reddit
Print

Ran into the following error when running the Hybrid Configuration Wizard. The error occurred during the gathering configuration information screen, immediately after authenticating to Office 365.

The WinRM client cannot process the request - Basic Authentication is currently disabled
Connecting to remote server failed with the following error message: Connecting to remote server outlook.office365.com failed with the following error message:  The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration . Change the client configuration and try the request again.

From the error message we can see the issue lies with basic authentication being disabled in the WinRM client. Basic authentication is enabled by default, so the fact it is disabled is likely due to security being hardened in the operating system.

[Read more…] about Hybrid Configuration Wizard fails: WinRM client cannot process the request

Blocking OneDrive may save attachments to the default SharePoint document library

By Leave a Comment

33 Shares
Share
Tweet
Share
Reddit
Print

I have had a few instances where customers have blocked OneDrive in their Office 365 tenant. This is often the result of a looming Exchange 2010 support deadline and a lack of time to establish governance, security, compliance, and training around both Exchange and every other service in Office 365. Unfortunately, the methods used to block some of these services may have unexpected consequences.

In each of these instances, OneDrive was blocked by removing the user’s ability to create OneDrive storage in the tenant. SharePoint Online was also in its default out-of-the-box state with default permissions. In each case we ran into the following symptoms:

  • Despite the OneDrive block, an Outlook Web App user could successfully select the option Save to OneDrive for their attachments
  • The attachment would not save to OneDrive, but instead, the default SharePoint document library inside a folder named Attachments

In the next sections, we show how the OneDrive block was put in place and how SharePoint was configured to cause this perfect storm of incorrect attachment saving. We will then identify a workaround for the issue.

How OneDrive was blocked

The method described in this section is commonly found on the internet to block OneDrive access for users. In all cases, OneDrive was configured using this method.

The block is configured by navigating to the SharePoint Admin Center and selecting More Features. From the More Features window, click the Open button under the User Profiles section.

Blocking users from accessing OneDrive

From the User Profiles screen, select Manage User Permissions. On the Permissions for User Profile dialog, select Everyone except external users. In the Permissions box, Create Personal Site was unchecked. When unchecked this removes the user’s ability to create a personal OneDrive site.

Blocking users from accessing OneDrive B

Note: This method does not affect users with existing OneDrive storage. To revoke access to existing storage, the site collection admin for each OneDrive personal store would need to be replaced.

[Read more…] about Blocking OneDrive may save attachments to the default SharePoint document library

RPC/HTTP & Block Legacy Auth may prevent Outlook reconfiguration after migrating to Exchange Online

By Leave a Comment

48 Shares
Share
Tweet
Share
Reddit
Print

I have had a few projects now where one of the security requirements for Office 365 was to implement a conditional access policy that blocked legacy authentication (also known as basic auth). What this block does is enforce modern authentication for all clients. Any clients not using modern authentication will be denied access to all Office 365 resources.

In each of these projects, these security policies were enforced prior to moving any mailboxes to Exchange Online. In each case we ran into the same two symptoms:

  • The Outlook client (which supported modern authentication) failed to reconfigure after a mailbox migration to Exchange Online
  • Any on-premises users with permissions to a migrated mailbox were now getting a continuous basic authentication prompt

How the conditional access policy was configured

In all cases, the conditional access policy was scoped to all users and all cloud apps.

Conditional Access Policy - Block Legacy Authentication (Basic)

Conditions scoped under Client Apps were set to include Mobile apps and desktop clients with a subitem of Other clients. No other conditions were set. The access control was to Block access.

Conditional Access Policy - Block Legacy Authentication (Basic) 2

Note: “Other clients” includes clients that use basic/legacy authentication, and do not support modern authentication. Reference: Conditional Access: Conditions

After we migrated a mailbox and Outlook failed to reconfigure (continuous legacy auth prompts) we could see the failure under Azure AD Sign-Ins. Oddly our Outlook client (Office ProPlus) which supported modern authentication was being blocked due to legacy authentication.

Azure AD Sign-Ins Conditional Access Failure RPC over HTTP
[Read more…] about RPC/HTTP & Block Legacy Auth may prevent Outlook reconfiguration after migrating to Exchange Online

Revoke your guest access to an Office 365 tenant (and Teams)

By 2 Comments

46 Shares
Share
Tweet
Share
Reddit
Print

As a consultant, I am often invited to collaborate in other Office 365 tenants. This is often presented in the form of guest access into that tenant, which allows me to access applications such as Microsoft Teams or share files with SharePoint Online.

The benefit of guest access is that I can collaborate as if I were a member of that organization without consuming a license, or, requiring an identity in that tenant. For example, my guest access into that tenant could easily be attached to a personal email account hosted at outlook.com.

I often see guest access granted in mergers and acquisitions where the two companies need to collaborate at a business level well before any technology to integrate the two companies has been implemented.

But other scenarios that drive guest access include a company needing to collaborate with its vendors or partners, or, a consultant working with a customer on a project.

But what happens when that guest access is no longer needed?

For our example, Amy Pond successfully completed a project at Super Awesome LLC. Amy collaborated with Super Awesome employees using Microsoft Teams and would like to remove Super Awesome from her Microsoft Teams client. Amy needs to maintain access to Totally Brilliant LLC, which is her new project, and SuperTekBoy LLC, which is her employer. The screenshot below is how Amy’s Microsoft Teams client looks today.

Guest Access to other Microsoft Teams

In this article, Amy will leave Super Awesome’s Office 365 tenant by revoking her own guest access. After she revokes her access she will no longer have any access to any Super Awesome apps or data.

Let’s get started!

[Read more…] about Revoke your guest access to an Office 365 tenant (and Teams)

Presence missing in Outlook after Teams Only switch

By 38 Comments

59 Shares
Share
Tweet
Share
Reddit
Print

If you have recently made the switch from Skype to Teams Only mode in Office 365, you may have lost your presence data in Outlook.

Skype and Teams share their presence data with Outlook. When viewing or composing an email in Outlook you can also see the presence of anyone internal in your organization and any external users you have federated presence data with. That presence date will look like the screenshot below.

Presence data from Teams and Skype in Microsoft Outlook

In the example above, I have a green checkmark which identifies my presence as available. This could also be yellow to show away, red to show busy and, other presences such as do-not-disturb, out of office, or, unknown. This presence data can show up in other Office applications as well, such as Microsoft Word when co-authoring a document in real-time.

If you have recently switched to Teams-Only mode and there is no presence circle at all, then you may need to reconfigure your Teams client to share presence data. Below is an example of what that will look like.

Note: Presence data will also be missing if your Microsoft Teams client is not running.

Missing Presence Data in Microsoft Outlook
[Read more…] about Presence missing in Outlook after Teams Only switch

Connect-MsolService may fail when MFA is enabled

By 10 Comments

28 Shares
Share
Tweet
Share
Reddit
Print

When attempting to use Connect-MsolService with an MFA-enabled admin account you may receive a legacy auth prompt as opposed to a modern auth prompt. This incorrect prompt is due to the MSOnline PowerShell module being out of date. 

Unable to use Connect-MsolOnline with MFA - Exception of type Microsoft.Online.Administration.Automation.MicrosoftOnlineException

If you were to enter credentials in the legacy prompt you would be unable to connect and would receive the following cryptic error.

 C:\> Connect-MsolService

Connect-MsolService : Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown. 
At line:1 char:1

Connect-MsolService
~~~~~~~~~~~~~~~~~~~
CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
FullyQualifiedErrorId : 0x800434D4,Microsoft.Online.Administration.Automation.ConnectMsolService

So, all we need to do is update, right?

Well, depending on how you originally installed the MSOnline module the update process may not be intuitive as you might think.

[Read more…] about Connect-MsolService may fail when MFA is enabled

Fixing frequent blank screens in Outlook for iOS & Android

By 9 Comments

26 Shares
Share
Tweet
Share
Reddit
Print

When I first started using Outlook for Android it was running great. I use it to check three different email accounts–two accounts in Office 365 and one Outlook.com.

However, as the months went by the app seemed to get slower and slower, with more frequent blank screens. These blank screens would appear most often when I would try to pull up my folder list (pictured below)

Outlook for Android & iOS Slow Folder Opening

Although it would happen at other times as well. Such as trying to open an email (pictured below).

Outlook for Android & iOS Slow Email Opening

This delay would generally last a few seconds. But sometimes it could take as long as 10 seconds for the folder list or email to appear. Certainly enough to hinder productivity in the app.

[Read more…] about Fixing frequent blank screens in Outlook for iOS & Android