Configuration

Migrating from Exchange Online eDiscovery and In-Place Hold to the Security & Compliance Center

One of the issues that some of my larger customers have been dealing with is the lack of tooling and planning around moving legacy Exchange Online In-Place eDiscovery & Holds to the new(ish) Security & Compliance Center.  Our direction has been to either let them age out or manually recreate them the Security & Compliance Center.… [ Continue reading ]

Configuration

Migrate-EOPSettings now does ATP!

ATP! ATP!

At long last, I’ve made a first pass at updating the Migrate-EOPSettings script to now include settings for Advanced Threat Protection.  I’ve had several customers moving their instances from commercial EOP to Office 365 GCC, and while my Migrate EOP script would capture just about everything, it came to my attention that we still had configuration to do for ATP. … [ Continue reading ]

Configuration

Updated Tool Roundup!

Over the last couple of days, I’ve updated a few tools that I have published on the gallery.  Here’s the run-down:

AAD Connect Network and Name Resolution Test

I’ve been busy with this tool a lot lately, both adding tests and tweaking the way things are done. … [ Continue reading ]

Configuration

Office 365 Groups and Anonymous External Senders

I have created a more detailed example of how to do this here: https://www.undocumented-features.com/2018/09/14/fixing-office-365-anonymous-group-write-back-and-external-delivery/

Office 365 Groups are glorious creations.  There are, however, some instances where they don’t work as you anticipate (or hope). One of those scenarios is when you are configured in hybrid coexistence with the following scenario:

  • Office 365 Group Writeback is enabled (for configuring permissions, see this script)
  • RequireSenderAuthenticationEnabled is set to False for an Office 365 group
  • Your organization’s MX record is configured to point on-premises

In this scenario, external emails sent to Office 365 groups (via your organization’s MX record pointing on-premises) will be returned with one of our favorite NDRs:

“You do not have permission to send to this recipient.”

This happens because the RequireSenderAuthentication attribute (which maps to msExchRequireAuthToSendTo) written to the synced group object is set to the constant True inside of AAD Connect (as shown in the rule “Out to AD – Group SOAInAAD”):

Which translates to this on written-back group objects:

In order to fix this, you need to either update the rule (Edit | Disable and Make a Copy) or update the msExchRequireAuthToSendTo attribute on the synced group objects if you are keeping your MX pointed on-premises, or update the MX to point to Office 365.… [ Continue reading ]

Scripting

Update to Wipe Exchange Online Mailbox script

Earlier today, I was asked to make an update to my script to wipe Exchange Online mailboxes to include Archive Mailboxes.  Fortunately, it ended up being much easier than I anticipated:

When I enumerated the mailbox originally, I used:

$Root = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Root)

In order to access the Archive folder, I just had to change the WellKnownFolderName from Root to ArchiveRoot, after examining the list available at https://msdn.microsoft.com/en-us/library/microsoft.exchange.webservices.data.wellknownfoldername(v=exchg.80).aspx.… [ Continue reading ]

Configuration

Manage Office 365 Distribution Groups via Excel spreadsheet or CSV

A consultant friend of mine posed an interesting question to me this week–one of his customers wanted to be able to let his users administer a cloud-managed Office 365 distribution group by uploading a CSV or Excel spreadsheet.  From an administration perspective, I have done an incredible amount of directory management tasks using CSVs, so this didn’t seem like that difficult of a task.… [ Continue reading ]