Picking up where I left off on part 1 of this post, I wanted to go into what it would take to refine some roles for managing eDiscovery for larger organizations.
In this scenario, we’re going to:
- Remove users from any existing eDiscovery roles or groups
- Create a security group to hold users that will perform eDiscovery searches
- Create a custom role group that has the appropriate eDiscovery roles and add the security group as a member
If you didn’t read the previous blog post on this topic, I’d encourage you to go back and do so, since I’m going to continue using the same users and compliance filters.…
Diving deeper into the Security & Compliance Center, I decided to embark on trying to scope eDiscovery permissions to meet a certain set of requirements that we see when multiple business units want or need to maintain independence from a content search and discovery perspective.…
I have created a more detailed example of how to do this here: https://www.undocumented-features.com/2018/09/14/fixing-office-365-anonymous-group-write-back-and-external-delivery/
Office 365 Groups are glorious creations. There are, however, some instances where they don’t work as you anticipate (or hope). One of those scenarios is when you are configured in hybrid coexistence with the following scenario:
- Office 365 Group Writeback is enabled (for configuring permissions, see this script)
- RequireSenderAuthenticationEnabled is set to False for an Office 365 group
- Your organization’s MX record is configured to point on-premises
In this scenario, external emails sent to Office 365 groups (via your organization’s MX record pointing on-premises) will be returned with one of our favorite NDRs:
“You do not have permission to send to this recipient.”
This happens because the RequireSenderAuthentication attribute (which maps to msExchRequireAuthToSendTo) written to the synced group object is set to the constant True inside of AAD Connect (as shown in the rule “Out to AD – Group SOAInAAD”):
Which translates to this on written-back group objects:
In order to fix this, you need to either update the rule (Edit | Disable and Make a Copy) or update the msExchRequireAuthToSendTo attribute on the synced group objects if you are keeping your MX pointed on-premises, or update the MX to point to Office 365.…
Hey! It’s finally here! After months of hard work (almost a year from when we started until a copy at my doorstep), we’ve finally made it to the finish line! Also, pay no mind to my poor cuticles!
You can read the press release here: https://blogs.msdn.microsoft.com/microsoft_press/2017/11/27/new-book-microsoft-office-365-administration-inside-out-includes-current-book-service-2nd-edition
Or jump straight to Amazon and order it: http://aka.ms/o365adminio
While you’re at it, be sure to check out the blogs of the other authors, filled with all sorts of goodies:
Darryl Kegg, https://aka.ms/dkeggblog
Lou Mandich, http://blogs.technet.com/b/loum/
Ed Fisher, https://blogs.technet.microsoft.com/edfisher/…
UPDATE: [11/20/2018] I had an error in the transport rule configuration in the last example, as well as a note that a TR would NDR external traffic. I have updated this post accordingly.
We’re all familiar with how Office 365 tenants work–when you spin up a new Office 365 tenant, you get a managed domain (tenant.onmicrosoft.com). …
This week, I was presented with a question from a partner who was in the middle of the Skype for Business portion of a larger merger and acquisition migration project. The customer had enabled the Skype for Business license for all users in the tenant (including users who hadn’t yet migrated from other domains and forests), and since neither the hybrid configuration nor DNS were complete, messages and calls were undeliverable. …
While I was working on a script to configure Office 365 Secure Score settings, I came up with a few scripts that I thought would be helpful in monitoring your messaging environments. Many organizations have policies against data exfiltration, but detecting and enforcing are totally different animals. …
UPDATE: This tool has been updated to include implicit policies created in the Security and Compliance Center.
Last week, I was asked by a few people for information on displaying holds applied to mailboxes.
Holds come in several varieties:
- In-Place Holds created via the Exchange Admin Center or eDiscovery case
- Retention Policies (either as Retention or Label policies)
- Litigation Hold set as a mailbox property
- Legacy Exchange MRM policies
When viewed programmatically from PowerShell, you’ll notice that In-Place Holds and Retention Policies are somewhat inverse relationships like the legacy MRM policies–that is, the various policies in the Security & Compliance Center don’t have lists of objects applied to them. …
While working with a partner this weekend on a tenant to tenant migration, we had the need to migrate Office 365 groups. There’s not really a lot of information around on recreating groups and memberships, so I decided to put together a tool to help the effort.…
Earlier today, I was asked to make an update to my script to wipe Exchange Online mailboxes to include Archive Mailboxes. Fortunately, it ended up being much easier than I anticipated:
When I enumerated the mailbox originally, I used:
$Root = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Root)
In order to access the Archive folder, I just had to change the WellKnownFolderName from Root to ArchiveRoot, after examining the list available at https://msdn.microsoft.com/en-us/library/microsoft.exchange.webservices.data.wellknownfoldername(v=exchg.80).aspx.…
Recently, I had a requirement come up to enable the bulk restore of content from a OneDrive for Business site in the event of a cryptoware or ransomware attack. OneDrive has versioning turned on, so I figured this would be an “easy” add. …
Since its initial creation, I’ve made a few updates to the Advanced AAD Connect permissions tool. The most recent updates:
- 2017-10-11 – delegating write permissions to the CN=adminSDHolder,CN=System container
- 2017-10-05 – delegating write permissions to the ms-DS-ConsistencyGuid property
These two updates should allow for a more complete AAD Connect permissions delegation experience. …
In light of the discovery that a recent compromise involved administrator credentials that were not protected with multi-factor authentication, I thought revisiting http://securescore.office.com might be a good idea.
For the uninitiated, Secure Score is a tool that we provide to examine some configuration items and give guidance on others in respect to creating a more secure operating environment for your Office 365 tenant. …
This week, I received an email from a colleague asking if there was a way to work around the default behavior described in https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization:
Password expiration policy
If a user is in the scope of password synchronization, the cloud account password is set to Never Expire.…
Update: I’ve also added some new features, detailed in https://www.undocumented-features.com/2017/10/16/recovering-from-crypto-or-ransomware-attacks-with-the-onedrive-for-business-admin-tool/.
While updating a script I wrote to remove the “Shared with Everyone” folder in OneDrive for Business, it dawned on me that there are a number of bulk management tasks for OneDrive that are not easy to do, that we don’t have specific guidance on, or that only have little bits of information scattered around the interwebs.…
Updated with additional requirements and scenarios, 2017-10-26.
I recently worked with a customer that needed assistance in configuring the additional permissions required for AAD Connect delegation. After chasing down an incredible amount of prerequisite information, I decided it would be more helpful to my customer to put together a tool that would help them configure the various permissions delegations.…
A consultant friend of mine posed an interesting question to me this week–one of his customers wanted to be able to let his users administer a cloud-managed Office 365 distribution group by uploading a CSV or Excel spreadsheet. From an administration perspective, I have done an incredible amount of directory management tasks using CSVs, so this didn’t seem like that difficult of a task.…
I meant to post this earlier, but I wanted to let everyone know that I’ve had the great honor of being able to write a book with some of the titans of Microsoft Consulting Services. The book has all new content for Office 365 based on our experience in the field, and even features current service release updates. …
The people have spoken.
I’ve updated the tool with a couple of features:
- Include the Skype for Business IP ranges in the proxy bypass list, since there are occasions when it is necessary.
- Added an option for *all* IP ranges in the XML feed for selected products to be added to the proxy bypass list
- Added an option for *only* IP ranges in the XML feed for selected products to be added to the proxy bypass list
- Added an option to export the IP ranges for selected products to a separate text file.
A while ago, I wrote about a script that I had built for creating BitTitan MigrationWiz connectors with the parameters necessary to do bulk resource mapping. This worked pretty well, until I downloaded the newest version of the PowerShell module when I had to do it for a customer that was already partway through their migration.…