SuperTekBoy

Practical Help for Exchange & Office 365

Office 365 Tutorials

Change which organizational units (OUs) are synced to Office 365

By 8 Comments

71 Shares
Share
Tweet
Share
Reddit
Print

In this article, we are going to take a look at changing which objects get synced to Office 365 through organizational unit (OU) filtering. By default, Azure AD Connect is configured to sync all objects in all OUs. Filtering allows us to exclude OUs, and the objects they contain, so they are not synchronized to Office 365. An example of this may be to exclude an OU that contains service accounts for on-premises applications.

In our example, we are going to narrow our sync scope to just a few select organizational units in the domain skaro.local. We will be working with the latest version of Azure AD Connect and a single forest environment.

Let’s get started!

UPDATE 08/04/18: While these steps do still work, Microsoft recommends changing your OUs by rerunning the Azure AD Connect wizard. This can be done by double-clicking the Azure AD Connect icon. If the wizard does not work, you can use these steps as a fallback method.

Selecting which OUs to synchronize

First, log onto the server where you have Azure AD Connect installed and open the Synchronization Service program.

Synchronization Service Azure AD Connect

This opens the Synchronization Service Manager. From here select the Connectors tab. Under the Connectors section double-click the name of your local Active Directory. In my example, this is SKARO.LOCAL. This will bring up the Properties screen for that connector.

Azure AD Connect - Connectors tab - Local AD Properties
[Read more…] about Change which organizational units (OUs) are synced to Office 365

How to create an Office 365 mailbox (in hybrid)

By 23 Comments

111 Shares
Share
Tweet
Share
Reddit
Print

When a company has implemented Exchange hybrid and has moved some or all their users to Office 365, the question “How do I create a mailbox in Office 365?” frequently comes up.

In this article, we explore how to create a mailbox in Exchange Online when directory synchronization is in place. For this article, we will explore this process using Exchange 2016. We will look at how to complete this task with the GUI and PowerShell. Note that these steps are identical for Exchange 2013.

Using the Exchange Admin Center

This is the simplest and quickest way to create a mailbox in Office 365. The drawback of this solution is that it only allows you to create an entirely new Active Directory user. A preexisting user without a mailbox cannot be enabled for an Office 365 mailbox using the GUI. To grant an existing user an Office 365 mailbox you will need to use PowerShell. Alternatively, that user could be given an on-prem mailbox and then move that mailbox to Office 365.

If your current process is to create a new account in Active Directory first and then enable the mailbox in Exchange second, I would recommend reversing these steps. Using the method below allows you to create a basic user in Active Directory with a mailbox in Office 365. Then you can go back into Active Directory to make any additional changes to the new account, such as group memberships.

For our example, we are going to create a new user called Wilfred Mott who will have a mailbox in Office 365. Wilfred does not currently have a user account in Active Directory so we can use this method. Wilfred’s email will be wilfred.mott@exchangeservergeek.com.

From your on-premises Exchange 2016 server, log into the Exchange Admin Center. Select the Recipients tab and Mailboxes sub-tab. Click the New (plus sign) and select Office 365 mailbox.

Note: If you do not see this option you may be missing the required RBAC permissions, or, there is an issue with your hybrid configuration.

Create a new Office 365 mailbox

Selecting this option walks you through the process of creating a remote mailbox in Office 365. The benefit here is that you do not need to migrate the mailbox after it is created as it already exists as an object in the cloud. Keep in mind that you will not see this mailbox in the Office 365 tenant until directory synchronization has run.

[Read more…] about How to create an Office 365 mailbox (in hybrid)

Changing the meeting layout in Skype for Business

By 7 Comments

65 Shares
Share
Tweet
Share
Reddit
Print

When you enter a Skype for Business meeting it is launched in speaker view. The Speaker view adds the portrait of the presenter to the lower right of the screen. The portrait will change to whoever is currently speaking. This view is especially useful when the presenter is using a webcam as the picture is replaced with their video stream. Unfortunately, this can cover part of the presentation as shown below. This view can be changed but the option to do so is not in an intuitive location. In total there are three views for a Skype meeting. In this article, we will look at all three and how to switch between them.

Skype for Business Speaker View

To change from speaker view we use the Pick a Layout button (). This button is located at the top right of the screen in the title bar. If you select this button a checkmark will indicate what view you are currently in. In our case, we are in Speaker View. To pick another view select it from the list.

[Read more…] about Changing the meeting layout in Skype for Business

Change the notification email for directory synchronization failures

By 3 Comments

153 Shares
Share
Tweet
Share
Reddit
Print

In this article, we explore how to change the email address that receives the Office 365 directory synchronization failure notifications. We will explore how to do this with PowerShell.

Let’s get started!

Getting connected

First, you will need to have access to the Windows Azure Active Directory Module for Windows PowerShell. An article detailing how to install this module and all prerequisites can be found here.

You should have an icon on your desktop named Windows Azure Active Directory Module for Windows PowerShell. Right-click on this icon and select Run As Administrator from the context menu.

Windows Azure Active Directory Module for Windows PowerShell Icon

At the PowerShell prompt enter the following command and hit enter.

 C:\> Set-ExecutionPolicy –ExecutionPolicy RemoteSigned

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the
about_Execution_Policies help topic at http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"):

Press Y for yes and hit Enter.

[Read more…] about Change the notification email for directory synchronization failures

Enable explicit DKIM signing in Office 365

By 19 Comments

178 Shares
Share
Tweet
Share
Reddit
Print

In this article, we will take a look at how to enable explicit DKIM signing in Office 365.

What exactly is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication mechanism designed to prevent email spoofing. DKIM utilizes a cryptographic key pair and DNS records to provide sender validation and message integrity. It does this in the following way.

DKIM

The sender encrypts selected parts of the message header with its private key. This is defined by the “h” field in the diagram above. In our example, we are encrypting the From, To, and Subject fields to name a few. Portions or all of the message body may also be hashed. The DKIM header itself is not encrypted. In the DKIM header, the “d” value identifies the sender domain. The “s” value identifies a unique selector defined by the sender.

The recipient combines the selector and domain values to form a DNS query. Using our diagram above the domain field is marked as supertekboy.com and the selector field is marked as selector1. Using these values the recipient forms the following DNS query.

selector1._domainkey.supertekboy.com

The _domainkey portion of the query is a fixed part of the protocol.

The name servers for the sender respond with a TXT record containing the public key. The recipient can then use this public key to decrypt the header (and any parts of the body).

Successful decryption validates the sender. A DKIM=Pass is attached to the message header which increases the confidence level of the message.

One of the drawbacks of DKIM is that it doesn’t prevent close misspellings of a domain. For example, I could register supertecboy.com and configure DKIM signing. DKIM will pass because the messages are coming from supertecboy.com. But to an untrained eye, supertekboy.com and supertecboy.com might be considered the same entity. When in fact the latter is a spoofer.

[Read more…] about Enable explicit DKIM signing in Office 365

Add a legal disclaimer to all outbound email (Exchange/O365)

By 7 Comments

86 Shares
Share
Tweet
Share
Reddit
Print

Adding a legal disclaimer to all outbound email is an important task. Thankfully, this is a simple process in Exchange on-premises and Office 365. In fact, the instructions are identical for Exchange 2013, Exchange 2016 and Office 365.

For this article, our example company, Time Travel Research, wishes that all email leaving the organization have a legal disclaimer. Time Travel Research is not concerned about applying a disclaimer if the message remains inside the organization. For example, a disclaimer between two employees is not necessary. However, they would like all external messages, whether it be to a customer or a vendor, to have this disclaimer.

Let’s get started!

Add a legal disclaimer to all outbound email

Log in to the Exchange Admin Center. Once logged in, navigate to Mail Flow >> Rules. Click the New (Excchange 2016 New) button.

From the drop-down menu, you will notice several choices. These choices are rule templates. We could just select Create a new rule. That would start us with a blank rule with no conditions. However, to give us a head start lets pick the Apply disclaimers template. This will configure a couple of items for us.

Add a legal disclaimer to all outbound email Exchange Office 365
[Read more…] about Add a legal disclaimer to all outbound email (Exchange/O365)

Don’t feed the Phish

By Leave a Comment

36 Shares
Share
Tweet
Share
Reddit
Print

This morning I woke up to a very interesting phishing email. I never blog about phishing attacks but I found this one particularly interesting as it was spoofing Microsoft account services.

Identify the Phish

Phishing emails are always getting more creative. Sometimes it is hard to spot a fake from a legitimate email. But there are always a couple of tells on a fake email. The one I received this morning had a few.

Outlook.com Microsoft Team Phishing Attack

The first was the email address. Despite it displaying outlook.com the part to the left of the at symbol read “outlooo.teeam”. This was the first red flag.

The second red flag is the sketchy use of the English language throughout the body of the message itself. It just doesn’t read well.

Then comes the Verify Your Account button. This was the ultimate red flag. Without clicking I hovered my mouse pointer over the button. It revealed where it was going to take me. Even if the email address had been formatted better and the body of the message was grammatically correct the link was the surefire tell. In the screenshot above I superimposed the link so you can see where it was taking me. Clearly not a Microsoft site. But some site in India.

The final red flag was the trademark symbol at the end of the message. I have no idea why the word “team” (or perhaps the entire phrase) is a trademark.

Now that we have identified a phishing email what’s next? I recommend reporting it to your anti-spam provider. Below are the steps for reporting it to Microsoft. If you have a 3rd party vendor for spam, check with your system admin on how to submit messages to them for analysis.

[Read more…] about Don’t feed the Phish

Easily Connect to Exchange Online with PowerShell

By 8 Comments

62 Shares
Share
Tweet
Share
Reddit
Print

In a previous article, I explained how to connect to Office 365 with PowerShell. In this article, we explore how to use PowerShell to connect to Exchange Online. We will cover both the Exchange Online PowerShell Module version 1 and version 2.

Let’s get started!

Exchange Online PowerShell Module v2

One of the challenges of a large Exchange Online organization is that PowerShell commands can take a very long time to run. The Exchange Team released the Exchange Online PowerShell V2 module to combat this problem, which ships with all new Exchange cmdlets while still supporting the old cmdlets. Microsoft has determined that these new cmdlets are up to eight times faster in certain instances. I highly recommend using this module over the V1 module. The V2 module has been generally available since June 2020.

To use the new Exchange Online module, launch PowerShell as an administrator and run the following command.

 C:\> Install-Module ExchangeOnlineManagement

If you did not have NuGet previously installed from another PowerShell library you will be prompted to install it. Press Y and hit Enter.

 NuGet provider is required to continue.
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to 
interact with NuGet-based repositories. The NuGet provider must be 
available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
'C:\Users\<user>\AppData\Local\PackageManagement\ProviderAssemblies'. 

You can also install the NuGet provider by running 'Install-PackageProvider 
-Name NuGet -MinimumVersion 2.8.5.201 -Force'. 

Do you want PowerShellGet to install and import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

Once NuGet has installed you will then be prompted to install the Exchange Online Management module. Press Y and hit Enter.

 Untrusted repository.
You are installing the modules from an untrusted repository. If you trust 
this repository, change its InstallationPolicy value by running the 
Set-PSRepository cmdlet. 

Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y

If you have never changed your remote execution policy, I recommend changing it here. This will allow the Exchange Online PowerShell V2 module to run. To do this, type the following and press Y, and hit Enter when prompted.

 C:\> Set-ExecutionPolicy RemoteSigned

Execution Policy Change.
The execution policy helps protect you from scripts that you do not trust. 
Changing the execution policy might expose you to the security risks 
described in the about_Execution_Policies help topic at 
https:/go.microsoft.com/fwlink/?LinkID=135170. 

Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y

With all the prerequisites met you can now make a connection to Exchange Online. To do this use the Connect-ExchangeOnline command. You can also pass the -UserPrincipalName parameter to make it easier to reconnect when using the command from the PowerShell buffer.

 C:\> Connect-ExchangeOnline -UserPrincipalName <admin account>

Once you have provided your password (and satisfied any MFA challenges) you will be connected to Exchange Online. The initial connection screen gives you example of the new commands and their older counterparts.

-------------------------------------------------------------------
The module allows access to all existing remote PowerShell (V1) cmdlets 
in addition to the 9 new, faster, and more reliable cmdlets.
|----------------------------------------------------------------------|
|    Old Cmdlets                  |    New/Reliable/Faster Cmdlets     | 
|----------------------------------------------------------------------|
|    Get-CASMailbox               |    Get-EXOCASMailbox               |
|    Get-Mailbox                  |    Get-EXOMailbox                  |
|    Get-MailboxFolderPermission  |    Get-EXOMailboxFolderPermission  |
|    Get-MailboxFolderStatistics  |    Get-EXOMailboxFolderStatistics  |
|    Get-MailboxPermission        |    Get-EXOMailboxPermission        |
|    Get-MailboxStatistics        |    Get-EXOMailboxStatistics        |
|    Get-MobileDeviceStatistics   |    Get-EXOMobileDeviceStatistics   |
|    Get-Recipient                |    Get-EXORecipient                |
|    Get-RecipientPermission      |    Get-EXORecipientPermission      |
|----------------------------------------------------------------------|

You can now issue commands.

[Read more…] about Easily Connect to Exchange Online with PowerShell