Use Powershell to remove aliases from O365 users

First blog of the new year! Let me start off by wishing everyone a great 2016!

A quick blog this time. One of my clients sold a part of their company and needed to hand over the domain they currently use in Office 365. So, for all users I needed to remove the alias ending on this domain.

Of course, PowerShell is the tool for the job.

We need to remove the alias from the EmailAddresses property of the users, using the set-mailbox cmdlet. In full:

So yet again, be it Office 365, Azure, or on-prem: PowerShell is the way to go!

Skype Meeting Broadcast is GA!

The preview period has ended, and Skype Meeting Broadcast is now general available!

I blogged about Skype Meeting Broadcast before and spoke at Experts Live 2015 about the features and functionality, and it’s nice to see that now all Office 365 costumers can start using this feature.

There are some steps you need to perform to get Skype Meeting Broadcast running for your organization. As always, Microsoft has documented this well. You can find all relevant documentation here.

Have a good meeting!

Fixing a messed up ESXi Passtrough configuration

Okay, not exactly O365-related but an issue I came across recently that needed to be fixed. You can see this post as some sort of documentation for myself ­čśë

The situation: we have some costumers running a Dell R730 with VMWare ESXi as a hypervisor running of a SD card, with several virtual machines on either local or shared storage. Recently they purchased some software that needed a dongle as a licensing devices, so this needed to be passed through to one of the VM’s. At first, we decided (because there would be several dongles needed) to passtrough the entire USB controller to the virtual. That’s not quite difficult: in the advanced settings for the hypervisor, select the devices you wish to passtrough, reboot the host and your all set. After that, you can connect a virtual USB-device to the VM so the connected devices should be exposed to the guest… Unfortunately, this didn’t work out. The connected device couldn’t be correctly addressed in the guest, so we decided to undo the passtrough of the USB-controller and connect the USB-device directly to the guest, without passing trough the controller. So, back to the advanced settings, disable the passtrough and reboot the host once again.

Once back up, we couldn’t select any USB-devices to connect to the guest. So, let’s start up Putty and SSH in to the host to check if there are any devices available:

Nothing was returned. No devices, but also no USB-controllers. Almost as if the passtrough was still active…. Back to the GUI to check the config. Passtrough still enabled on those USB-controllers, while we disabled that just a few minutes ago. After some Googling, we found an article about passing trough USB-controllers when running ESXi from an SD-card. Long story short: the SD-slot is attached to the same USB-controller. When booting, ESXi can read from this SD-card and load the configuration in memory, but as soon as the passtrough is initiated the SD-card becomes unavailable to the hypervisor and everything you change to the configuration can’t be written back to the card, and is lost at reboot.

Most solutions on userforums to this issue state that reinstalling ESXi will resolve it. Of course it does, and of course your VM’s will remain intact and you can easily restart them when the hypervisor is restored, but I wanted a real fix. I came up with booting the server, trough iDRAC, from a bootable Linux-disk. In this case I used Knoppix, but any bootable Linux distro will do.

The SD-card will be available as a device in the shell you booted to. In my case, the partition that holds the right files was /dev/sdb5, but your milage may vary. The file we need is is the state.tgz file. Just look for this file. I’ll mount the partition to a directory on the bootable Linux distro.

We’ll copy the state.tgz file from the SDCard to a temp directory on our running distro, and extract the local.tgz file from the state.tgz file. Next, we’ll unpack the local.tgz file.

No, we’ll have an etc directory in our temp directory. We’ll navigate to the esx.conf file and edit it.

In the esx.conf file, you can find the devices with their respective GUID, with ‘owner = “passtrough”‘. Remove the entire line that states the owner, and save and close the file. After that, we’ll navigate back up to the temp directory to repack the directory to local.tgz and repack local.tgz to state.tgz

Before writing back the adjusted state.tgz to the SD-card, we’ll want to backup the current file. So, navigate back to the SD-card, backup the current file and replace it with the adjusted one.

To clean everything up nicely, we’ll navigate back to the temp folder, so we can unmounts the SD-card before rebooting the host.

After this, the server will boot back to ESXi and the passtrough of the USB-controllers will be undone so we can connect the USB-dongle directly to the guest.

Keep in mind, that some of the command used in this example require you to be root, so depending on the distribution you are booting from you might need to use sudo.




Fingerprint readers and corporate email

Fingerprint readers are hot. Many phones now sport this nifty future helping you to unlock your phone even faster. Despite the fact that this Is pretty cool, it does bring some challenges to the admin. Ever since Exchange 2003, and all the way up to Office 365, Exchange has had the option to define a policy to secure the devices connecting through ActiveSync. You can disable camera’s or Bluetooth to protect data leakage from your organization, or define a policy that requires the user to set up a PIN on his device when connecting to his (or her) corporate email account.

There are a few options that can be set here. Simply requiring a PIN, defining the minimum length of the PIN, the time-out before requiring a PIN, and more. What you can’t define, is to allow or disallow certain security options, like fingerprint readers.

If your fingerprint-enabled device plays nice with these settings, varies per device. It turns out that Apple implemented the fingerprint reader on their iPhones to be a substitution for the PIN. When you use the fingerprint reader, the chipset will in the background just use the PIN to unlock the device.

Android phones, or at least the Samsung Galaxy ones, work differently. The fingerprint reader here is just that: a fingerprint reader. The system sees this as a different authentication option and doesn’t use the PIN function as underlying technology. When connecting to Exchange, a PIN will be enforced despite the fact that the fingerprint technology is used, because the Exchange server enforcing this policy isn’t aware of the fact that this reader is there.

Currently, the only way to work around this issue is to not require a password in the mobile device policy, which is a security risk, or to use 3rd party applications to sync your mail. Which is of course an even bigger security risk.

Naar Experts Live 2015?

As Experts Live is a Dutch event, this post is in Dutch. ­čÖé

Op 19 november is Experts Live weer te bezoeken in Cinemec in Ede. Het is het grootste Microsoft-gerelateerde community-event in Nederland en biedt met 49 breakout-sessies heel veel informatie over O365, Azure, OMS, EMS, Hyper-V, Azure Stack en Windows.

In de O365-track mag ik zelf ‘s ochtends mijn ervaringen delen met Skype Meeting Broadcast. Ik laat zien hoe de verschillende rollen technisch zijn ge├»mplementeerd, wat de (on)mogelijkheden zijn en laat in een aantal demo’s zien hoe een Skype Meeting Broadcast georganiseerd en geproduceerd wordt en wat de gebruikerservaring is voor de kijkers.

Wil je ook naar Experts Live maar heb je nog geen kaartjes? Ik mag een aantal kaarten weggeven! Stuur me een mailtje met je contactinformatie en wellicht kan ik je blij maken!

stopped-extension-dll-exception when running DirSync

Today I ran into a problem at a costumer. They are running an Exchange 2013 server in a hybrid configuration with O365. Part of the users are on the local Exchange server, but the main part of the users use O365 for their mailbox needs.

Some new mailboxes were needed, so I created the users in Active Directory and ran the enable-remotemailbox cmdlet to provision their mailboxes. Next step is to assign a license in O365, so I kicked of DirSync with the start-onlinecoexistencesync cmdlet and reverted to the O365 portal to license my new users…. But they didn’t show up.

I checked the MIIS client to see that the export to Azure AD failed with the ‘stopped-extension-dll-exception’ error.

After some research, I found that this can be related to the execution policy in PowerShell. For DirSync to run successfully, it turns out the PoSH execution policy should be set to ‘unrestricted’. Earlier this week, a GPO was activated at this costumer to enable PowerShell remoting, including the option to set the execution policy to ‘ remote signed’. After creating a deny for this policy for the server running DirSync and manually setting the execution policy back to ‘unrestricted’, DirSync worked again and my newly created users started showing up in the O365 portal.

Wise lesson: for DirSync to run successfully, the execution policy for PowerShell on the server running DirSync needs to be set to ‘unrestricted’. Pretty weird, as in IMHO ‘remote signed’ is the preferred and most secure setting. It is strange, at least, that Microsoft’s own products don’t work in this scenario. I haven’t tried this with the newer AADSync yet, so maybe this flaw was fixed in the newer releases.

There are a few issues on the O365 support pages regarding this issue, some of which stating that even if the execution policy is set to ‘unrestricted’ via GPO DirSync won’t work; the GPO must set the execution policy to undefined and the execution policy on the server needs to be set manually. However, only some of the people responding could confirm this, so your mileage may vary…

Managing O365 groups with PowerShell

One of the much appreciated features in Office 365 are the new Office 365 Groups.

An Office 365 group provides a way to collaborate on a project with co-workers. When created, the Office 365 system creates a shared mailbox, shared calendar, a Sharepoint teamsite and a OneNote notebook for the team to use. When allowed by their tenant administrator, users can create a new Office 365 group themselves, without the need to contact their IT department.

When looking at these functionalities for our internal network, we decided they might come in handy for certain projects. To keep things as standard as possible, we needed a way to automate the creation of these groups as much as possible. And when you talk automation, you talk Powershell.

It turns out you can manage new Office 365 groups through Powershell without hassle. In Powershell, these groups are referred to as ‘unified groups’. As you know, there are only three commands you know to learn Powershell: get-command, get-help and get-member. Let’s use these commands to check out what we can do with these groups in Powershell.

Ofcourse, we need to log on to our O365 tenant with Powershell first. After that, we’ll need to find out which commands are available.

As you can see, there are multiple cmdlets to add, remove and manage new Office 365 groups. I would like to start out with creating a new group, so I’ll need some info on that.

To get some pointers on the use of this cmdlet, we can ask for some examples.

So, let’s create a new group! Because I don’t want my colleagues to be able to see this group, I’ll set the accesstype to private.

Office 365 will no create the new group. It takes some time to complete the command, because the system will provision all parts of the group: a shared mailbox, shared calendar, OneNote notebook,

When the group is live, we can see what is stored about the group.

After creating the group, we might want to add some members to it. The new-unifiedgrouplinks is what does just that.

Ofcourse, you can use the get-unifiedgrouplinks cmdlet to retrieve the members or owners of a group. A unifiedgrouplink can be of different types: owner, member or subscriber.

By using this cmdlets, you could automate the creation, management and deletion of Office 365 groups. That way, you can set up all the groups you deploy in exactly the same way and perform these tasks automatically on certain triggers!

Message trace retention in O365

There seems to be some misunderstanding about the retention of message trace data in Office 365. To be clear: this data is stored for 90 days. You can find this info on TechNet.

I can see where the confusion comes in, tho. When you run the get-messagetrace cmdlet from Powershell, you only get the information for messages from the last 7 days. If you wish to retrieve data for older messages, you should start a new historical search.

This Powershell command starts the search job with the specified criteria. For information on the parameters you can use with the cmdlet, check the documentation. When searching for a large timeframe or in heavily used mailboxes, it can take op to a few hours to collect al the date. If you specify the NotifyAddress parameter in your cmdlet, you will be notified when the report is ready.┬áResults will be sent to the specified address. If you don’t specify an address for the notification, you can revert to the Exchange Online admin portal to retrieve the data. You can find you historical searches on the mailflow -> message trace section of the Exchange Online portal.

It can be wise to discuss the 90 days retention period of Office 365 with your customer. If the organization requires a larger retention, for example because of legal reasons, you may need to implement 3rd party products to achieve this.

365 Dude at Experts Live 2015

On November 19th I’ll be at Experts Live 2015 in Ede. This year I will not only be there listening to the cool sessions on all new Microsoft technology and absorbing all the knowledge, but I’ll also present a session myself.

Early in the morning, at 07:45, i’ll be talking about Skype Meeting Broadcast. We’ll cover the technological architecture, when to use a broadcast in stead of a regular Skype for Business meeting and of course do some live demo on setting up and producing a broadcast, as well as the view you’ll have when attending such a broadcast.

If you’re at Experts Live this year, be sure to check this out! Want more information about the event or buy tickets? Check out the Experts Live website or watch the video in which some of the speakers are presented. See you there!

New in Outlook Web App: email reminders for meetings

One of the features that was recently released in Outlook Web App is the email reminder for meetings in your calendar.

If you’re on the ‘first release’ ring in Office 365, you should have this function already. If you’re not, you will get the feature sometime soon.

Adding an email reminder is quite straightforward: simply open the meeting and click the ‘add an email reminder’ link
In the screen that opens up, you can set just a few things.

First of all, you can set when the reminder will be sent.

Next, we set the recipients for the reminder. We can send the reminder to only the organizer, or to all attendees.
And last but not least, we set the message we would like to send.As you can see, this is a very nice way of reminding attendees of a meeting, especially if you want everyone to come prepared!