SuperTekBoy

Practical Help for Exchange & Office 365

Office 365 Solutions

Revoke your guest access to an Office 365 tenant (and Teams)

By 2 Comments

46 Shares
Share
Tweet
Share
Reddit
Email

As a consultant, I am often invited to collaborate in other Office 365 tenants. This is often presented in the form of guest access into that tenant, which allows me to access applications such as Microsoft Teams or share files with SharePoint Online.

The benefit of guest access is that I can collaborate as if I were a member of that organization without consuming a license, or, requiring an identity in that tenant. For example, my guest access into that tenant could easily be attached to a personal email account hosted at outlook.com.

I often see guest access granted in mergers and acquisitions where the two companies need to collaborate at a business level well before any technology to integrate the two companies has been implemented.

But other scenarios that drive guest access include a company needing to collaborate with its vendors or partners, or, a consultant working with a customer on a project.

But what happens when that guest access is no longer needed?

For our example, Amy Pond successfully completed a project at Super Awesome LLC. Amy collaborated with Super Awesome employees using Microsoft Teams and would like to remove Super Awesome from her Microsoft Teams client. Amy needs to maintain access to Totally Brilliant LLC, which is her new project, and SuperTekBoy LLC, which is her employer. The screenshot below is how Amy’s Microsoft Teams client looks today.

Guest Access to other Microsoft Teams

In this article, Amy will leave Super Awesome’s Office 365 tenant by revoking her own guest access. After she revokes her access she will no longer have any access to any Super Awesome apps or data.

Let’s get started!

[Read more…] about Revoke your guest access to an Office 365 tenant (and Teams)

Presence missing in Outlook after Teams Only switch

By 15 Comments

42 Shares
Share
Tweet
Share
Reddit
Email

If you have recently made the switch from Skype to Teams Only mode in Office 365, you may have lost your presence data in Outlook.

Skype and Teams share their presence data with Outlook. When viewing or composing an email in Outlook you can also see the presence of anyone internal in your organization and any external users you have federated presence data with. That presence date will look like the screenshot below.

Presence data from Teams and Skype in Microsoft Outlook

In the example above, I have a green checkmark which identifies my presence as available. This could also be yellow to show away, red to show busy and, other presences such as do-not-disturb, out of office, or, unknown. This presence data can show up in other Office applications as well, such as Microsoft Word when co-authoring a document in real-time.

If you have recently switched to Teams-Only mode and there is no presence circle at all, then you may need to reconfigure your Teams client to share presence data. Below is an example of what that will look like.

Note: Presence data will also be missing if your Microsoft Teams client is not running.

Missing Presence Data in Microsoft Outlook
[Read more…] about Presence missing in Outlook after Teams Only switch

Connect-MsolService may fail when MFA is enabled

By 7 Comments

22 Shares
Share
Tweet
Share
Reddit
Email

When attempting to use Connect-MsolService with an MFA-enabled admin account you may receive a legacy auth prompt as opposed to a modern auth prompt. This incorrect prompt is due to the MSOnline PowerShell module being out of date. 

Unable to use Connect-MsolOnline with MFA - Exception of type Microsoft.Online.Administration.Automation.MicrosoftOnlineException

If you were to enter credentials in the legacy prompt you would be unable to connect and would receive the following cryptic error.

 C:\> Connect-MsolService

Connect-MsolService : Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown. 
At line:1 char:1

Connect-MsolService
~~~~~~~~~~~~~~~~~~~
CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
FullyQualifiedErrorId : 0x800434D4,Microsoft.Online.Administration.Automation.ConnectMsolService

So, all we need to do is update, right?

Well, depending on how you originally installed the MSOnline module the update process may not be intuitive as you might think.

[Read more…] about Connect-MsolService may fail when MFA is enabled

Fixing frequent blank screens in Outlook for iOS & Android

By 9 Comments

26 Shares
Share
Tweet
Share
Reddit
Email

When I first started using Outlook for Android it was running great. I use it to check three different email accounts–two accounts in Office 365 and one Outlook.com.

However, as the months went by the app seemed to get slower and slower, with more frequent blank screens. These blank screens would appear most often when I would try to pull up my folder list (pictured below)

Outlook for Android & iOS Slow Folder Opening

Although it would happen at other times as well. Such as trying to open an email (pictured below).

Outlook for Android & iOS Slow Email Opening

This delay would generally last a few seconds. But sometimes it could take as long as 10 seconds for the folder list or email to appear. Certainly enough to hinder productivity in the app.

[Read more…] about Fixing frequent blank screens in Outlook for iOS & Android

No account settings were returned from the Autodiscover response

By 12 Comments

97 Shares
Share
Tweet
Share
Reddit
Email

While attempting to configure an Outlook client with an Exchange mailbox I ran into an issue where the account creation would not complete. Instead, Outlook would stop on “Search for server settings” and prompt me for a username and password. The credentials of my Exchange account did not work and kicked back the login prompt.

When I attempted to test Autodiscover using testconnectivity.microsoft.com I ran into an even stranger error. Autodiscover appeared to work. But I received the error “No account settings were returned from the Autodiscover response”.

No account settings were returned from the Autodiscover response

Examining the Autodiscover response I noticed that the test successfully completed against the root of supertekboy.com. This was odd as supertekboy.com is redirected to the website www.supertekboy.com where no Autodiscover responses should be happening.

No account settings were returned from the Autodiscover response using root domain record

However, when attempting to plug the Autodiscover URL into a web browser I found that something was responding to Autodiscover requests. It was responding with an error of “Autodiscovery must be provided a valid email address”.

Autodiscovery must be provided a valid email address b

This isn’t an Exchange or Office 365 autodiscover response. Instead, this was my web hosting provider responding to my Autodiscover request. Specifically, cPanel. cPanel has its own implementation of autodiscover, which allows Outlook and other email clients to automatically configure themselves for a cPanel mailbox. Unfortunately, this conflicts with autodiscover locating an Exchange or Office 365 mailbox.

[Read more…] about No account settings were returned from the Autodiscover response

Access is Denied when enabling Group Writeback

By 3 Comments

36 Shares
Share
Tweet
Share
Reddit
Email

Group Writeback is a feature in Azure AD Connect that allows for Office 365 Groups to be written back to your on-premises Active Directory as a universal distribution group. This allows your on-premises users in a hybrid environment to send email to the Office 365 Group.

When configuring group writeback you specify which organizational unit (OU) you want these objects to be written. Each of these Office 365 groups is then represented by a separate universal distribution group that starts with the name of “Group_” followed by a unique identifier.

In the screenshot below I have two Office 365 groups that are being written back to my local AD.

Group Writeback Azure AD Connect

The problem – Access is Denied

When I first tried to get these groups written back to this organizational unit was where I ran into problems. I was following this Microsoft document verbatim. The document specifies to open Active Directory Users and Computers and locate the account that started with “AAD_”. Which I found.

The document later uses this account to run a script. When running the script everything completed as expected. No errors.

Group Writeback Script Azure AD Connect

When I checked the permissions on the organizational unit I could see that the script had added the AAD_ account with a bunch of permissions. Everything looked good.

However, I quickly started generating errors in Azure AD Connect. When I opened the Synchronization Manager I received the following error on the export of my Office 365 group. “Permission Issue – Access is denied”

Group Writeback Access is Denied Synchronization Manager
[Read more…] about Access is Denied when enabling Group Writeback

Unable to delete newly created calendar in Outlook on the Web (OWA)

By 2 Comments

33 Shares
Share
Tweet
Share
Reddit
Email

If you created a new calendar in Outlook on the Web you may notice the option to delete it might be missing. I see this question come up quite a lot so I figured it was time to address it with a blog post.

The issue occurs when a user creates a calendar in Outlook on the Web. Often the calendar is created in error because the user was trying to add a shared calendar instead. When the user right-clicks the calendar they will see no option to delete.

We have an example of this in the screenshot below. The user has created a calendar titled, “My New Calendar”. However, when they right-click there is no option to delete.

Outlook on the web OWA can not delete calendar
[Read more…] about Unable to delete newly created calendar in Outlook on the Web (OWA)

Hybrid mail flow: TLS negotiation failed with error NoCredentials

By 21 Comments

58 Shares
Share
Tweet
Share
Reddit
Email

Ran into a strange problem recently where an Exchange 2016 server could not send mail to Office 365 via hybrid mail flow. What made this situation particularly strange is that other Exchange servers in the environment had no problem sending messages over the hybrid connection. On the problem server, messages would get stuck in the queue and eventually time out.

The queues were filled with retries such as these.

451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or deliver failed to all alternate hosts.

This message tells us that the server was unable to connect to Office 365. Unfortunately, it does not give us much detail beyond that. For that level of detail, we need to enable logging on the SMTP send connector used to send mail to Office 365.

Turn up logging on the SMTP Send Connector

To enable logging on a send connector, log into the Exchange Admin Center (EAC) and select the Mail Flow tab and Send Connectors sub-tab. Double click the send connector named Outbound to Office 365 and select Verbose under the General tab. Click Save.

Configure verbose logging on Exchange 2016 send connector

To perform this same action through the Exchange Management Shell (EMS) type the following command.

 C:\> Set-SendConnector -Identity "Outbound to Office 365" -ProtocolLoggingLevel Verbose

Note: Protocol logging can take some time before it starts creating log files. You can jump-start this process by restarting the Microsoft Exchange Transport service. Keep in mind this will disrupt mail flow on that server while the service restarts. The default location for SMTP send logs in Exchange 2016 is  %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpSend.

While we waited for logging to generate some entries we also confirmed that we could successfully make a connection from the problem server to Office 365. For this task, we confirmed that we could telnet over port 25 to Office 365 and send an email message. This confirmed two things. First that this server was not being blocked on outbound port 25. Second that this server could resolve and reach Office 365 servers.

[Read more…] about Hybrid mail flow: TLS negotiation failed with error NoCredentials