November 2017 - Undocumented Features

Configuration

Office 365 Groups and Anonymous External Senders

Posted on November 28, 2017October 8, 2018

I have created a more detailed example of how to do this here: https://www.undocumented-features.com/2018/09/14/fixing-office-365-anonymous-group-write-back-and-external-delivery/

Office 365 Groups are glorious creations. There are, however, some instances where they don’t work as you anticipate (or hope). One of those scenarios is when you are configured in hybrid coexistence with the following scenario:

Office 365 Group Writeback is enabled (for configuring permissions, see this script)
RequireSenderAuthenticationEnabled is set to False for an Office 365 group
Your organization’s MX record is configured to point on-premises

In this scenario, external emails sent to Office 365 groups (via your organization’s MX record pointing on-premises) will be returned with one of our favorite NDRs:

“You do not have permission to send to this recipient.”

This happens because the RequireSenderAuthentication attribute (which maps to msExchRequireAuthToSendTo) written to the synced group object is set to the constant True inside of AAD Connect (as shown in the rule “Out to AD – Group SOAInAAD”):

Which translates to this on written-back group objects:

In order to fix this, you need to either update the rule (Edit | Disable and Make a Copy) or update the msExchRequireAuthToSendTo attribute on the synced group objects if you are keeping your MX pointed on-premises, or update the MX to point to Office 365.… [ Continue reading ]

Information

Office 365 Administration Inside Out

Posted on November 27, 2017August 29, 2018

Hey! It’s finally here! After months of hard work (almost a year from when we started until a copy at my doorstep), we’ve finally made it to the finish line! Also, pay no mind to my poor cuticles!

You can read the press release here: https://blogs.msdn.microsoft.com/microsoft_press/2017/11/27/new-book-microsoft-office-365-administration-inside-out-includes-current-book-service-2nd-edition

Or jump straight to Amazon and order it: http://aka.ms/o365adminio

While you’re at it, be sure to check out the blogs of the other authors, filled with all sorts of goodies:

Darryl Kegg, https://aka.ms/dkeggblog

Lou Mandich, http://blogs.technet.com/b/loum/

Ed Fisher, https://blogs.technet.microsoft.com/edfisher/… [ Continue reading ]

Configuration

Block direct delivery to @onmicrosoft.com addresses in a hybrid environment

Posted on November 21, 2017November 20, 2018

UPDATE: [11/20/2018] I had an error in the transport rule configuration in the last example, as well as a note that a TR would NDR external traffic. I have this post accordingly.

We’re all familiar with how Office 365 tenants work–when you spin up a new Office 365 tenant, you get a managed domain (tenant.onmicrosoft.com). … [ Continue reading ]

Configuration

Disable Skype SKUs across all users

Posted on November 21, 2017

This week, I was presented with a question from a partner who was in the middle of the Skype for Business portion of a larger merger and acquisition migration project. The customer had enabled the Skype for Business license for all users in the tenant (including users who hadn’t migrated for other domains and forests), and since neither the hybrid configuration nor DNS were complete, messages and calls were undeliverable. … [ Continue reading ]

Security

Detecting Outlook / Exchange data exfiltration

Posted on November 17, 2017

While I was working on a script to configure Office 365 Secure Score settings, I came up with a few scripts that I thought would be helpful in monitoring your messaging environments. Many organizations have policies against data exfiltration, but detecting and enforcing are totally different animals. … [ Continue reading ]