Configuration

Apply Security & Compliance Center Retention Labels to Outlook Folders

Posted on August 27, 2019August 29, 2019
by Aaron Guilmette

I couldn’t really come up with a cool-sounding title for this post, so I just went with the basics of what it does.

Last week, I worked with a customer that wanted to deploy custom retention labels to custom folders inside a user’s mailbox–the idea being that they would create a custom folder structure such as this under a user’s Inbox:

\Inbox
\Inbox\Retention Schedule
\Inbox\Retention Schedule\2 Year (apply a 2-year retention label to everything in this folder)
\Inbox\Retention Schedule\4 Year (apply a 4-year retention label to everything in this folder)
\Inbox\Retention Schedule\7 Year (apply a 7-year retention label to everything in this folder)
\Inbox\Retention Schedule\Forever (apply a ‘Never delete’ retention label to everything in this folder)

Seems easy enough, right? … [ Continue reading ]

Configuration

Exchange Online Protection (EOP) Best Practices and Recommendations

Posted on August 13, 2019September 18, 2019
by Aaron Guilmette

Yes. I said it.

Someone needed to put a line in the sand and today, that person is me. I’m going to say these are some best practices.

But of course, your mileage may vary, depending on your type of organization (users at a local bank or city government will have different threats presented to them than an engineering firm with international customers, for example). … [ Continue reading ]

Scripting

Removing Orphaned Mailbox Searches

Posted on July 11, 2019
by Aaron Guilmette

An issue came up today for one of my customers–how to remove orphaned mailbox searches in Exchange Online. Apparently, they have about 300 mailboxes in this state. Oops.

So, in order to do this, you need to go through a handful of steps:

Identify all of the Mailbox Searches.

… [ Continue reading ]

Updates and Fixes

Update to Forwarding Address Export Import Tool

Posted on February 8, 2019
by Aaron Guilmette

Every now and then, I get a ahead of myself. I’ve updated a typo in the script on the gallery, a vestige of when I updated the script to use server-side filtering. The bug revealed itself when you did not use the -Domain parameter.… [ Continue reading ]

Scripting

Getting Around the Basics of Azure Automation for Office 365

Posted on January 31, 2019February 1, 2019
by Aaron Guilmette

One of the the things that we’ve learned about the cloud over the past few years is that you still need an environment (a utility server, an app server, a something) to run batch jobs and custom scripts against your environments. … [ Continue reading ]

Scripting

Update to the WipeExchangeOnlineMailbox tool

Posted on January 23, 2019
by Aaron Guilmette

Who knew you’d need an update to a tool meant to delete things?

After working with a partner today and an out-of-control email application spamming user mailboxes, we decided an update was necessary. Outlook became unusable with several hundred thousand messages in Deleted Items. … [ Continue reading ]

Configuration

Migrating from Exchange Online eDiscovery and In-Place Hold to the Security & Compliance Center

Posted on January 10, 2019January 14, 2019
by Aaron Guilmette

One of the issues that some of my larger customers have been dealing with is the lack of tooling and planning around moving legacy Exchange Online In-Place eDiscovery & Holds to the new(ish) Security & Compliance Center. Our direction has been to either let them age out or manually recreate them the Security & Compliance Center.… [ Continue reading ]

Configuration

Find Whitelisted Users, Domains, and IPs in Office 365

Posted on December 10, 2018December 11, 2018
by Aaron Guilmette

If you’ve ever asked anyone how to do virtually anything, the answer is usually “It depends.” Just as there is no wrong way to eat a Reese’s Peanut Butter Cup and more than one way to skin a cat, so it frequently is with technological tasks. … [ Continue reading ]

Configuration

Delegating Reporting Access for Exchange Online

Posted on December 4, 2018December 4, 2018
by Aaron Guilmette

Earlier this week, I had a request for assistance with delegating reporting features in Exchange Online to non-administrative users. This is a frequent topic of discussion when it comes to compliance and security officers validating that systems are not being misused by unauthorized persons.… [ Continue reading ]

Configuration

Migrate-EOPSettings now does ATP!

Posted on December 3, 2018December 3, 2018
by Aaron Guilmette

ATP! ATP!

At long last, I’ve made a first pass at updating the Migrate-EOPSettings script to now include settings for Advanced Threat Protection. I’ve had several customers moving their instances from commercial EOP to Office 365 GCC, and while my Migrate EOP script would capture just about everything, it came to my attention that we still had configuration to do for ATP. … [ Continue reading ]

Configuration

Update to the Export-CalendarProcessing tool

Posted on October 5, 2018October 5, 2018
by Aaron Guilmette

As luck would have it, I have one more update to deliver today.

One of my peers (shout out to Mike Manning) noticed that when using the ExportImport-CalendarProcessing tool, mailbox objects that have some special characters in them don’t get processed correctly on the import function. … [ Continue reading ]

Configuration

Fixing Office 365 Anonymous Group Write-back and External Delivery

Posted on September 14, 2018October 12, 2018
by Aaron Guilmette

Yes, Hell has frozen over. The cows have come home. The lady of size has sung.

I have come up with a “best case” solution for the Office 365 hybrid group write-back problem.

Background

For the long(er) background, you’ll probably want to go see this post.… [ Continue reading ]

Configuration

Forwarding Address Import and Export

Posted on September 13, 2018January 2, 2019
by Aaron Guilmette

Four score and many moons ago, I was working on one of my first projects in Microsoft Consulting Services. This particular customer (a university) shared their Active Directory infrastructure with a hospital. During the course of their business, employees would frequently move between organizations. … [ Continue reading ]

Configuration

Mail-enabling Guest Users or “How I made everyone show up in the Address Book”

Posted on June 15, 2018August 29, 2018
by Aaron Guilmette

So, today, I received an email from one of my esteemed colleagues asking how we could get B2B Azure AD tenant guests to show up in the Office 365 GAL. I thought, “Yeah, that should be something that’s possible. … [ Continue reading ]

Information

Using “Restore-RecoverableItems”, or “how I saved my own bacon”

Posted on April 23, 2018
by Aaron Guilmette

Since the dawn of time (or at least, since the dawn of the Epoch), people have been inadvertently deleting stuff. As is attributed to Uncle Ben, “with great power comes great responsibility,” and so it is true with the system administrator. … [ Continue reading ]

Configuration

Updated Tool Roundup!

Posted on April 5, 2018September 13, 2018
by Aaron Guilmette

Over the last couple of days, I’ve updated a few tools that I have published on the gallery. Here’s the run-down:

AAD Connect Network and Name Resolution Test

I’ve been busy with this tool a lot lately, both adding tests and tweaking the way things are done. … [ Continue reading ]

Client

Export Exchange Online Client Access Report

Posted on March 1, 2018
by Aaron Guilmette

So, imagine this:

The security team comes to you and asks you for a report on how people are accessing Exchange Online services–browser, mobile, Outlook client. In the olden days of Exchange on-premises, you could look at the IIS logs to check browser traffic. … [ Continue reading ]

Configuration

Office 365 Groups and Anonymous External Senders

Posted on November 28, 2017October 8, 2018
by Aaron Guilmette

I have created a more detailed example of how to do this here: https://www.undocumented-features.com/2018/09/14/fixing-office-365-anonymous-group-write-back-and-external-delivery/

Office 365 Groups are glorious creations. There are, however, some instances where they don’t work as you anticipate (or hope). One of those scenarios is when you are configured in hybrid coexistence with the following scenario:

Office 365 Group Writeback is enabled (for configuring permissions, see this script)
RequireSenderAuthenticationEnabled is set to False for an Office 365 group
Your organization’s MX record is configured to point on-premises

In this scenario, external emails sent to Office 365 groups (via your organization’s MX record pointing on-premises) will be returned with one of our favorite NDRs:

“You do not have permission to send to this recipient.”

This happens because the RequireSenderAuthentication attribute (which maps to msExchRequireAuthToSendTo) written to the synced group object is set to the constant True inside of AAD Connect (as shown in the rule “Out to AD – Group SOAInAAD”):

Which translates to this on written-back group objects:

In order to fix this, you need to either update the rule (Edit | Disable and Make a Copy) or update the msExchRequireAuthToSendTo attribute on the synced group objects if you are keeping your MX pointed on-premises, or update the MX to point to Office 365.… [ Continue reading ]

Configuration

Block direct delivery to @onmicrosoft.com addresses in a hybrid environment

Posted on November 21, 2017January 29, 2019
by Aaron Guilmette

UPDATE: [11/20/2018] I had an error in the transport rule configuration in the last example, as well as a note that a TR would NDR external traffic. I have this post accordingly.

We’re all familiar with how Office 365 tenants work–when you spin up a new Office 365 tenant, you get a managed domain (tenant.onmicrosoft.com). … [ Continue reading ]

Security

Detecting Outlook / Exchange data exfiltration

Posted on November 17, 2017
by Aaron Guilmette

While I was working on a script to configure Office 365 Secure Score settings, I came up with a few scripts that I thought would be helpful in monitoring your messaging environments. Many organizations have policies against data exfiltration, but detecting and enforcing are totally different animals. … [ Continue reading ]