Exchange Online and Remote Domains

 

Info

This article talks about the importance to configure Remote Domain both on Exchange on premise and Exchange Online to control the format and type of email messages exchange between hosted mailbox users and on premise mailbox users.

This post is available on my new blog:

https://blog.ahasayen.com/exchange-online-and-remote-domain/

Hybrid Email Moderation Part 1

Info

This article talks about the importance to configure Remote Domain both on Exchange on premise and Exchange Online to control the format and type of email messages exchange between hosted mailbox users and on premise mailbox users.

This post is available on my new blog:

https://blog.ahasayen.com/exchange-online-and-remote-domain/

Modern Authentication Part 2

We will go through how modern authentication works when a user is trying to use Outlook client with modern authentication to connect to his mailbox in Exchange Online.

  • Outlook user is trying to connect to a service which is Exchange Online [EXO].
  • EXO will tell me go and get credentials [401 redirect] to Azure AD
  • I put my UPN, and Azure AD says “Hey you are federated, go to Aramex STS [302: go to on premise STS]
  • Now, I go my ADFS server, authentication, and then I will get SAML token, then I will send that SAML token to Azure AD.
  • Azure AD then will give me:
    • Refresh Token [I will cache this token in credential manager]
    • Access Token (Bearer) [ will use this access token to send it to Exchange Online]
  • Exchange Online will take my access token and let me in.

 

User gets Access Token and Refresh Token from Azure AD

Full connectivity in modern authentication

If we use Fiddler to see what is happening, we can see that the Authorization is Bearer, and of course if you open Outlook Connection you will see that the Authn is now Bearer* instead of Clear*.

When I need to re-authenticate?

Since EXO is authenticating me using my access token (not refresh token) and that access token is short lived (an hour), then I may need to re-authenticate as soon as my access token is expired.

Now instead of doing all the previous authentication workflow, and since I already have a valid refresh token that is not expired yet, I will use that refresh token to authenticate to Azure AD and get a new access token without the need to get back to my ADFS [STS] and authenticate there.

  • Outlook will contact EXO and present the expired access token.
  • EXO will do 401 access token invalid and ask for new access token.
  • Outlook will check if the machine has valid refresh token.
  • If found, it will pick up that refresh token, talk to Azure AD, authenticate using that refresh token, and then get a new valid access token that can be sent to EXO.

Troubleshoot Modern Authentication

  • First of all make sure you are using Office 2016.
  • Make sure you have the latest patches.
  • Use fiddler to inspect traffic [advance troubleshooting]
  • Use Office Configuration Analyzer Tool http://aka.ms/offcat.

Bonus Tool:

Modern Authentication Part 1

It is simply OAuth Based Authentication for Office clients against Office 365. It enables:

  • Multi-Factor authentication
  • Support for third party STSes
  • Conditional Access

Supported across platform:

  • iOS, OS X
  • Android
  • Windows

Modern Authentication Client Support

Office Client Updates

Modern Authentication rely heavily on how much Office clients applications are patched. The first thing to troubleshoot is to make sure that the client is fully patched with the latest Public Updates [PU].

Nowadays, Public Updates [PU] are released every month and they include all previous updates. So If we are in October, if you installed October PU it will include all previous updates

PUs include two types of updates:

  • Security updates: Patch Tuesday
  • Non-security updates: 1st Tuesday of the month.

You can go here to see information about PU for each month. Normally you care about PU of the current month as it includes everything before.

https://blogs.technet.microsoft.com/office_sustained_engineering/

Now, we are moving from MSI version of Office clients apps to Click-to-Run (C2R) which includes not only updates every month, but also new features every month to catch on Office 365 new monthly features.

Also Click-to-Run comes with new Change Release Management approach by introducing different channels [Branches] to release those updates.

Why Modern Authentication NOW?

We have now Outlook and one way to authentication, and we have other apps like Excel, word, and others, which are using different way to authenticate.

We need a common platform for authentication, so that when you log to PowerPoint, you need also to be able to access OneDrive for example. So Single Sign On is something we want to ensure.

So now we are moving from application authentication to common authentication which is [MSO.dll] and the new one which is ADAL.dll which is used by modern authentication.

 

By ammar hasayen Posted in Azure

Exchange Email Moderation Script

Hi everyone,

Email Moderation is one of my best features in mail flow restrictions in Exchange. You can assign one or more moderators to groups, so that if any one of them approves the email being sent, then this will release the email to that moderated group.

You can view email moderation information from Exchange GUI admin tools, but for dynamic moderated groups, you shall use PowerShell to view and configure email moderation. Usually, dynamic groups that has country or office filter criteria will contain lots of people and you want them to be moderated.

No Dashboard for moderation info

The first issue people have with email moderation is how to get a report with all email moderated groups and their moderators, and bypass moderation recipients. There is no dashboard that shows all this information in one place.

Disabled or Orphan Moderators

The second issue that Email Administrators will face is moderation list maintenance. Suppose that GroupA has one moderator called John. John decided to leave the company, and his account is now disabled. Now GroupA has no moderators. It has Moderation status set to true, but no moderators. Some cleanup job need to be performed frequently to check for the health and existence of the moderators.

Single Moderator Issue

Moreover, the best recommendation is to have at least two moderators for each moderated group, so that if one of them is not available or on a leave, the other one can moderate that group. You may want to have a regular checks to detect moderated groups with one moderators only.

Solution

I have created a PowerShell Script that you can run, and it will do the following:

  1. Generate CSV file that lists all moderated groups in your environment with the following Info:
    1. Group Name
    2. Dynamic mailing group or not
    3. Moderators list
    4. Bypass moderation list
    5. Managed By list.
    6. Email Address
    7. Alert column if a single moderator is detected.
    8. Health Field to indicate if one of the moderators is disabled or does not have mailbox anymore.
    9. Empty Moderator List warning
  2. Three Log Files will be generated. One for information, one for empty moderator groups, and one listing groups with disabled mailbox moderators.

EmailModerationScript

Download the Script here

You can download the script from here Get-CorpModerationInfo

Azure AD Sync Monitor Script

If you are synchronizing your on premise Active Directory with Azure Active Directory, then you know for sure that maintaining a healthy synchronization is not an easy thing to do.

I want to give you my experience in synchronizing a single domain AD to Azure AD, using ObjectGuid as anchor attribute.

The Challenge

I am using Azure AD Connect to synchronize AD objects to Azure AD. The Azure AD Connect tool is nice, and it gives you the health of the synchronization process and a nice error messages if there is a problem synchronizing one of your on premise AD objects. I used the AD connect tool for a month, and everything was fine. No errors and everything looks clean.

I then noticed that couple of users are having problem with Office 365 and i discovered that they have never synched to Azure AD in the first place. I did Get-MSOLUser on them and no results are returned. I had to go to Azure AD Connect and force Full AD Import to sort out this issue.

I become so worried about this, and I started to compare the number of AD users and Azure AD users to at least ensure matching numbers. Count AD users and Azure AD users and compare them is not enough, as there is no guarantee that the same objects represent these numbers.

I then came with an idea. I wanted to take each AD user, collect his ObjectGuid, and then compute his ImmutableID, go to Azure AD, and search for that ImmutableID, and finally linked the AD user with his Azure AD copy. We will do that for all AD users. Finally, we can identify AD users that does not have Azure copies, and Azure AD users that are not mapped to AD users.

This will guarantee that each one of your AD users are mapped to Azure AD users. Along this journey, the script will generate couple of information:

  • AD users not in Azure
  • Azure users not in AD
  • Azure users with Synch Errors
  • Filtered AD users from Synchronization
  • Total number of AD users
  • Total number of Azure users
  • Last AD Sync time

Compare you on Premise AD users and Azure users 11

Conditions to use the script

  1. This script assumes you are using ObjectGuid as anchor attribute
  2. If you have multiple domains, forests or you are doing filters to scope AD users by OU or attribute, then you must write your script block to populate the $ADusers_Raw variable, by searching inside the script for (Raw data collection from AD) region. You can find examples there to do that. By default the script will do Get-ADuser to retrieve all users.

Compare you on Premise AD users and Azure users 2

Script Visuals

The script provides many visuals to help you see what is going on:

  • The script code is divided into regions that you can expand separately for better script browsing.
  • Progress bars will appear during running the script to give you a feel and sense of what is going on during the run time of the script.
  • Summary information is displayed on the PowerShell console window with summary statistics.
  • Results are written at the end of the script in two locations:
    • The PowerShell console window.
    • Couple of files that are generated on the script running directory.

Notes

The script connects to Active Directory and gets a list of users (Get-ADUser) , and then connects to Azure Active Directory AAD and gets all azure users (Get-MSOLUser). A comparison then is performed by mapping each AD user with his Azure user, and identify un-synchronized AD users that do not have a mapped/synched Azure copy.

This script assumes that ObjectGUID is used as the anchor attribute to link/map AD user and Azure AAD user. If you are using any other attribute, then this script is not for your case.

The script needs to get the list of AD users that you are synchronizing to Azure AD. Microsoft Sync tool gives you the ability to filter by OU or by attribute. Another tricky part of the script is when you are synchronizing multiple domains or perhaps multiple forests. For all those different cases, it is your job to populate the variable called ($ADusers_Raw) located under (Raw data collection from AD) region in this script.
By default, the script will do Get-ADUser to populate this variable. In your case, you may need to write your own script block to collect all AD user objects that you are synching to azure.

Script Parameters

.PARAMETER ScriptFilesPath
Path to store the script output files. For example C:\ , or ‘.\’ to represent the current directory.

.PARAMETER Proxy
As the script needs to connect to Azure, an internet connectivity is required. Use this option if you have an internet proxy that prompts for credentials.

.PARAMETER CreateGlobalObject
The switch when used, the script will generate an extra csv file that contains a unified view of each user with properties from the on premise AD and Azure AD.

Examples

.EXAMPLE
.\Compare-CorpAzureIDs.ps1 -ScriptFilesPath .\

.EXAMPLE
.\Compare-CorpAzureIDs.ps1 -ScriptFilesPath .\ -Proxy:$true

.EXAMPLE
.\Compare-CorpAzureIDs.ps1 -ScriptFilesPath .\ -CreateGlobalObject

Download the script

You can download the script from here.

Azure Sync Case

I was working heavily on AD Sync Tool with all its versions including the AAD Connect tool. And I came across an issue that will cause you trouble soon. So in this blog post I will share my experience with you.

Case:

My environment was consisting of one AD domain with Exchange 2010 on premise and a single sign on experience. The AD domain and SMTP domain is the same (contoso.com)

I have a manager called John Smith:

  • UPN : JohnS@contoso.com
  • SMTP address : John.Smith@contoso.com

This manager came to me asking me to add a secondary SMTP address for him John@contoso.com. Since that SMTP address is available, I agreed.

Azure AAD Sync UPN vs SMTP 12121

Life goes on. John is a big manager and he used his nice clean new SMTP John@contoso.com in all his communications. He printed the new email address to his business cards.

So far, we have all our mailboxes are on premise and we do not have any Office 365 implementation.

The Problem

After 10 years, the corporate decided to start using Azure services and they decided to start with AD Sync next month.

Meanwhile, a new employee is hired with name John William. The IT department assigned him the following:

  • UPN : John@Contoso.com
  • SamAccountName : Contoso\John
  • SMTP Address : John.William@Contoso.com

Everything is fine so far and there is no single conflict.

Azure AAD Sync UPN vs SMTP 1212122

Now when we started to Sync users to Azure AAD, John Smith user is no longer synchronizing to Azure AD and the AD sync tool is giving an error for that user.

“Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services:[ProxyAddresses smtp: JohnS@contoso.com].Correct or remove the duplicate values in your local directory.”

After opening a case with Microsoft, we reviewed our AD Sync configuration and after opening the AAD Connect sync tool, we confirmed that we are using ObjectGUID as the anchor attribute and not email address.

Microsoft confirms that when an on premise mail enabled user is synched to Azure AD, he is assigned a secondary SMTP in the form of his UPN. So in this case, when John William is being synched to Azure AD, Azure will try to stamp him with a secondary SMTP in the form of John@Contoso.com which causes a conflict with John Smith user.

So although there is no conflict on premise, Azure introduces this type of conflict and throwing sync error.  Microsoft answered us : “THIS IS BY DESIGN DEAL WITH IT”

How big this problem is

Now, we contacted John Smith and asked him to give away his lovely John@Contoso.com SMTP address. What do you think his reaction is ? He is using that email address since years and he cannot give it away. Further more, if he agreed to give it away, and if Azure assigned it to John William user, then people sending emails to John@contoso.com will be sending to John William and this is by itself a security and privacy issue.

So we went to John William and ask him to change his UPN and SamAccountName. This solves the problem for a while, until a new employee come again with the name John Robert, and the IT found that Contoso\John is not used in the enterprise and so they assigned it to John Robert.

Now suddenly the Sync Tool will throw a sync error and the same loop happens over and over.

Imagine you have many users who used to have clean SMTP addresses and you have to go through them one by one and do this 🙂

Config Manager SCCM 2012/R2 SUP Fix

Hi everyone,

I want to share with you a strange behavior that happened that day when you uninstall WSUS and SUP from a server and then you try to install them again.

Say for example that you have a dedicated server running WSUS and SUP on it, and you got to a problem that you could not solve, and you decided to remove WSUS and SUP and then install them again to solve the problem. It can happen.

The moment you remove WSUS and SUP, at the Config Manager console, all updates will appear as expired. The strange thing is that when you install WSUS and SUP again, the synchrronization between your SCCM server and WSUS/SUP will work without errors but nothing get synched. No single error.

Resolution:

  • Uninstall SUP and confirmed from the supsetup.log to that it’s been uninstalled.
  • Run “select * from WSUSserverlocations” and confirm that it has removed entry for SCA.
  • Backup/Export HKLM\SOFTWARE\Microsoft\SMS\Components\SMS_WSUS_SYNC_MANAGER and renamed it.
  • Install SUP and again get the SUPSetup.log to verify.
  • New HKLM\SOFTWARE\Microsoft\SMS\Components\SMS_WSUS_SYNC_MANAGER registry key created automatically.
  • Restart SMS_EXECUTIVE.
  • Synchronization started.

[Resolution provided by Microsoft Support]

Azure AD and AADConnect bulk delete

Hi everyone,

So you are using Azure AAD Connect to sync your directory to Azure Active Directory (a.k.a AAD), and everything works just fine.

Now a security audit is happening in your corporation, and they identified many inactive or disabled users in your on premise AD that are no longer in use.

Then you went to your on premise AD and deleted all those users. If you delete more than 500 users at once from your on premise AD, then your Azure AAD Connect will refuse to sync those deletion to Azure AAD.

You may receive an email that looks like this:


Hello admin@contoso.com,

At Sunday, 18 October 2015 12:11:40 GMT the Identity synchronization service detected that the number of deletions exceeded the configured deletion threshold for Contoso Corporation [Contoso.onmicrosoft.com]. A total of 800 objects were sent for deletion in this Identity synchronization run. This met or exceeded the configured deletion threshold value of 500 objects.
We need you to provide confirmation that these deletions should be processed before we will proceed.

Please see Preventing Accidental Deletions for more information about the error listed in this email message.
Thank you,

The Azure Active Directory Team

Why ?

When you install the Azure AD Connect, by default a feature called accidental deletes is enabled with a threshold of 500 objects. This simply means that the sync tool will not export from metaverse to azure AAD more than 500 deletes at once.

This objective of such feature is to protect you from accidental configuration changes and changes to your on-premise directory which may affect large number of users.

The default value of 500 objects is configurable by running Enable-ADSyncExportDeletionThreshold with a value that fits your organization size and requirements.

What to do?

If all the deletes are legitimate deletions, then do the following:

  1. To temporarily disable this feature and authorize those deletions, run the PowerShell cmdlet: Disable-ADSyncExportDeletionThreshold
  2. With the Azure Active Directory Connector still selected in AAD Connect tool, select the action Run and select Export.
  3. To re-enable the protection run the PowerShell cmdlet: Enable-ADSyncExportDeletionThreshold