Webcast: Office 365 Tenant Hacks; The Ultimate Guide to Post Migration Setup

If you’re an IT Pro, just wrapping up a migration or otherwise settling into an Office 365 Tenant, check out my recent webcast with Redmond Magazine and Backupify. The offline recording is available now.

Recording:

     Office 365 Tenant Hacks: The Ultimate Guide to Post Migration Setup

Slides:

     Office 365_Tenant_Hacks_The_Ultimate_Guide_to_Post_Migration_Setup.pptx

17Sep2019

Start Outlook in Offline Mode (without opening it first)

I can’t believe how hard this was to find! There are numerous articles, including official ones that claim to answer this question, but all pretty much say the same thing:

“Click this button”


But that of course means Outlook is already running. Maybe you don’t want that. For example, earlier today I needed to open a profile that was connected to a “corrupt” mailbox, but I didn’t want to risk the offline version of the data, in case it turned out being the only copy I had left. I won’t bother listing a bunch of other reasons we might want to launch Outlook with the connection to the server disabled. I’m sure you’ve got your own anyway, otherwise you wouldn’t be here.

For years I’ve just found other ways to solve whatever my problem was, but not today; today I was finally fed up with all the bad advice on how to go about this (e.g. outlook.exe /safe – does NOT start offline)!

It’s pretty much a sure thing that this button toggled a registry value somewhere. It is Microsoft Office after all, and just about every configuration is in the registry. The trick is knowing what key. Outlook 2013 and later seem to love their unreadable hex/binary reg values, so looking at this with regedit’s FIND feature isn’t going to help. I decided to turn to one of my favorite tools: ProcMon

If you haven’t heard about ProcMon, you should do yourself a favor and check it out. It lets you see what reg/file/network/process profiling & thread activity a given executable is responsible for. Actually, you should save a copy of all the SysInternal utilities in case they find themselves in the cross-hairs of Microsoft’s “cloud-first” software ray gun.

After opening ProcMon and filtering out a lot of noise, I found myself looking at every RegSetValue event Outlook.Exe was doing. I then toggled the “Work Offline” button a few times and saw this entry being flipped back and forth:

00030398

Therefore, it would prove that the values are as follows:

Work Online

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046]
"00030398"=hex:02,00,00,00

 

Work Offline

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046]
"00030398"=hex:01,00,00,00

 


The registry editor is a little odd for this type of value. It’s called a binary value, but actually stored in hex, so set it just like the picture above, with only four sets of numbers on the right. If you do, Outlook will open with the “Work Offline” mode enabled.

For what it’s worth, I’ve tested this with Outlook 2016 on multiple computers and also found a mention on the TechNet forums (only able to find this after learning about “00030398”) suggesting it works all the way back to Outlook 2007, so it’s probably reliable, even though it looks like a pretty obscure string of numbers.
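The registry change above can be scripted so that Outlook starts with the flag already set. This is an added example, not code from the original post; the function name, its `-ProfileName` and `-OfficeVersion` parameters, and launching with Outlook's `/profile` switch are assumptions built around the key and the two values the post shows.

```powershell
# Added example (not from the original post): set the 00030398 value before Outlook starts.
function Set-OutlookOfflineState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Offline', 'Online')]
        [string]$State = 'Offline',
        [string]$ProfileName = 'Outlook',   # assumption: profile name, as in the post's key path
        [string]$OfficeVersion = '16.0'     # 16.0 is the version in the post's key path
    )

    $key  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Profiles\$ProfileName\0a0d020000000000c000000000000046"
    $name = '00030398'

    # The point is to change the value while Outlook is closed.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        throw 'Outlook is running; close it before changing the profile value.'
    }
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Profile key not found: $key"
    }

    # Values from the post: 01,00,00,00 = Work Offline, 02,00,00,00 = Work Online.
    $bytes = if ($State -eq 'Offline') { [byte[]](1, 0, 0, 0) } else { [byte[]](2, 0, 0, 0) }

    # Render a byte array the way a .reg export shows it (for the before/after report).
    $toHex = { param($b) if ($null -ne $b) { ($b | ForEach-Object { '{0:x2}' -f $_ }) -join ',' } }

    $previous = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($PSCmdlet.ShouldProcess($key, "Set $name to $State")) {
        Set-ItemProperty -LiteralPath $key -Name $name -Value $bytes -Type Binary
    }

    # Re-read so the report reflects what is actually stored (unchanged under -WhatIf).
    $current = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        Profile  = $ProfileName
        Previous = & $toHex $previous
        Current  = & $toHex $current
    }
}

# Set the flag, then start Outlook against the same profile.
Set-OutlookOfflineState -State Offline -ProfileName 'Outlook'
Start-Process -FilePath 'outlook.exe' -ArgumentList '/profile', 'Outlook'
```

Run it with `-WhatIf` first to confirm the key path resolves for your profile without writing anything.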

 

 

Webcast: Don’t Just Survive Your Office 365 Tenant Migration – Master It!

Yesterday I had the opportunity to lead another webcast for Redmond Magazine, this time on the topic of Office 365 Tenant to Tenant migrations. If you have a Tenant to Tenant migration looming on your horizon, or if you’re interested in this topic, you can check out the on-demand recording with the link below.

https://redmondmag.com/webcasts/2018/05/quest-jun13.aspx?tc=page0


 

Querying msExchDelegateListLink in Exchange Online with PowerShell

There are a number of articles that describe the relationship between the FullAccess permission of an Exchange mailbox and the msExchDelegateListLink attribute. Here are two good ones:

In short, this attribute lists all the other mailboxes your mailbox has FullAccess to, unless AutoMapping was set to $false when assigning the permission. It can be a handy attribute to query when trying to learn what mailboxes might appear in an end-user’s Outlook profile.

This attribute is synced to Office 365 via Azure AD Connect, however, for whatever reason, it is not synced back on-premises for new or migrated mailboxes. It is also not exposed in Get-User, Get-Mailbox, Get-MailboxStatistics, Microsoft Graph or Azure AD Graph.

The information is however included in the user’s AutoDiscover XML response. This is how Outlook knows what mailboxes to mount. If you want to look at this data manually, use the ctrl+right-click tool from the Outlook icon on the system tray. This article describes how to do that, if somehow you’re reading this but don’t already know about this tool:

You can also look at the AutoDiscover XML file via the venerable TestConnectivity.Microsoft.com web site. Look at the bottom of the file, and you’ll see “AlternativeMailbox” entries.

<AlternativeMailbox>
  <Type>Delegate</Type>
  <DisplayName>crowley test 1</DisplayName>
  <SmtpAddress>crowleytest1@mikecrowley.us</SmtpAddress>
  <OwnerSmtpAddress>crowleytest1@mikecrowley.us</OwnerSmtpAddress>
</AlternativeMailbox>
<AlternativeMailbox>
  <Type>Delegate</Type>
  <DisplayName>crowley test 2</DisplayName>
  <SmtpAddress>crowleytest2@mikecrowley.us</SmtpAddress>
  <OwnerSmtpAddress>crowleytest2@mikecrowley.us</OwnerSmtpAddress>
</AlternativeMailbox>

While not exactly the msExchDelegateListLink attribute, it’s the same difference.
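For auditing which mailboxes auto-map into a user's profile, the AlternativeMailbox entries can be pulled out of a saved AutoDiscover XML response. This is an added example, not the author's script; the function name, the `-CapturedFor` label and the `<Response>` wrapper around the constructed sample are assumptions.

```powershell
# Added example (not from the original post): extract AlternativeMailbox entries
# from AutoDiscover XML saved from Outlook's test tool or TestConnectivity.
function Get-AlternativeMailboxFromXml {
    param(
        [Parameter(Mandatory)]
        [string]$Xml,
        [string]$CapturedFor      # hypothetical label: the user whose response this is
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null      # never resolve external entities or DTDs from saved XML
    $doc.LoadXml($Xml)

    # local-name() keeps the query independent of whatever namespace the response declares.
    foreach ($node in $doc.SelectNodes("//*[local-name()='AlternativeMailbox']")) {
        $field = @{}
        foreach ($child in $node.ChildNodes) {
            if ($child.NodeType -eq [System.Xml.XmlNodeType]::Element) {
                $field[$child.LocalName] = $child.InnerText.Trim()
            }
        }
        [pscustomobject]@{
            CapturedFor      = $CapturedFor
            Type             = $field['Type']
            DisplayName      = $field['DisplayName']
            SmtpAddress      = $field['SmtpAddress']
            OwnerSmtpAddress = $field['OwnerSmtpAddress']
        }
    }
}

# Constructed sample: the two entries shown above, wrapped in a placeholder root element.
$sample = @'
<Response>
  <AlternativeMailbox>
    <Type>Delegate</Type>
    <DisplayName>crowley test 1</DisplayName>
    <SmtpAddress>crowleytest1@mikecrowley.us</SmtpAddress>
    <OwnerSmtpAddress>crowleytest1@mikecrowley.us</OwnerSmtpAddress>
  </AlternativeMailbox>
  <AlternativeMailbox>
    <Type>Delegate</Type>
    <DisplayName>crowley test 2</DisplayName>
    <SmtpAddress>crowleytest2@mikecrowley.us</SmtpAddress>
    <OwnerSmtpAddress>crowleytest2@mikecrowley.us</OwnerSmtpAddress>
  </AlternativeMailbox>
</Response>
'@

# List the delegate mailboxes this response would auto-map.
Get-AlternativeMailboxFromXml -Xml $sample -CapturedFor 'bob@contoso.com' |
    Where-Object Type -eq 'Delegate' |
    Sort-Object SmtpAddress |
    Format-Table CapturedFor, DisplayName, SmtpAddress, OwnerSmtpAddress
```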

This is neat, but to be useful at scale, we need to query this in PowerShell. Fortunately, there are two methods to fetch the AutoDiscover XML.

You can query these endpoints directly or through the Exchange Web Services (EWS) API. If you don’t have a preference, Microsoft’s documentation recommends SOAP, which is the approach I’ll discuss here.

Using Invoke-WebRequest and SOAP, we can request specific attributes, such as AlternateMailboxes. Other useful attributes are listed in this article:

While I’m not a developer (developers, please keep your laughter to yourself!), I did manage to cobble together the following SOAP request, which will be the string we “post” to the AutoDiscover service. You’ll notice I’ve marked the user we’re querying and any attributes I might want in bold (modify this list to suit your needs):

<soap:Envelope xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover"
               xmlns:wsa="http://www.w3.org/2005/08/addressing"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <a:RequestedServerVersion>Exchange2013</a:RequestedServerVersion>
    <wsa:Action>http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetUserSettings</wsa:Action>
    <wsa:To>https://autodiscover.exchange.microsoft.com/autodiscover/autodiscover.svc</wsa:To>
  </soap:Header>
  <soap:Body>
    <a:GetUserSettingsRequestMessage xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover">
      <a:Request>
        <a:Users>
          <a:User>
            <a:Mailbox>bob@contoso.com</a:Mailbox>
          </a:User>
        </a:Users>
        <a:RequestedSettings>
          <a:Setting>UserDisplayName</a:Setting>
          <a:Setting>UserDN</a:Setting>
          <a:Setting>UserDeploymentId</a:Setting>
          <a:Setting>MailboxDN</a:Setting>
          <a:Setting>AlternateMailboxes</a:Setting>
        </a:RequestedSettings>
      </a:Request>
    </a:GetUserSettingsRequestMessage>
  </soap:Body>
</soap:Envelope>

(For this post, I only care about AlternateMailboxes.)

AutoDiscover requires authentication, so we’ll also need to use the Get-Credential cmdlet. Interestingly, any mailbox can query the AutoDiscover response for any other user in the Office 365 tenant. This means, through PowerShell, I can look up the msExchDelegateListLink / AlternativeMailbox values for other users (even without administrative privileges).

I’ve written a function to return the results in a PowerShell array like this:


 

I should also point out:

  • It has the Exchange Online URL hard-coded within, though you could adapt this for other URLs if you’d like.
  • Both SMTPAddress and Credential parameters require valid Exchange Online mailboxes (though, as previously mentioned they do not need to be the same mailbox).

Usage Example:

Get-AlternateMailboxes -SMTPAddress bob@contoso.com -Credential (Get-Credential)

Finally, here is the script itself:

 

The Cost of Doing Nothing: A Ransomware Backup Story

Once again, I had the chance to present on the topic of ransomware with Redmond Magazine, as this continues to be a hot topic! Quest software’s John O’Boyle and I did what we could to summarize the current state of ransomware in a Microsoft-based environment and provide real-life experiences and advice for dealing with this type of malware. While we had a great turnout, I’m sure some of you missed it, so I invite you to view the offline recording below:


The Cost of Doing Nothing: A Ransomware Backup Story

Do You Need Built-in or Bolt-on Security for Office 365?

This week I had a chance to meet with Mimecast’s Strategic Technical Consultant and fellow Microsoft MVP J. Peter Bruzzese to discuss the need, or possible lack thereof, for 3rd party add-on solutions to Office 365 in a webcast. This is familiar territory to both J. Peter and me, so we had no trouble jumping right into a lively discussion!

If you missed it, please see the offline recording here:


Preventing and Mitigating Ransomware Infections

Today I had a chance to interview the accomplished author and founder of KnowBe4, Stu Sjouwerman on the subject of Ransomware. Stu shared some great insight and real world experiences in dealing with ransomware outbreaks and the realities we’re faced with (e.g. actually paying the ransom).

If you missed it, you can view the recording for free, here:


https://redmondmag.com/webcasts/2016/11/knowbe4121-preventing-and-mitigating-account-compromises.aspx

Discussing Mobile Application Management On RunAsRadio

Microsoft has made Windows Intune a big focus area this year, and at Baseline Technologies, we’re seeing an uptick in customer interest as well. Microsoft’s MDM tool can now truly protect your organization’s data without the old “all or nothing” approach from years past.

A few weeks back I was invited to discuss this with Richard Campbell at RunAsRadio. If you’re interested in this hot area of technology, why not check out the free show!


Awarded the Microsoft MVP for the 7th year!

I am thrilled to report that Microsoft has awarded me with the Most Valuable Professional award for the 7th consecutive year!

By far, the best benefit of this program is the great relationships I’ve been able to build both with the Microsoft product groups as well as other MVPs. MVPs are a fantastic community of experts who generously share their knowledge and their time. I’m honored to once again be included among their ranks.

Recent Webcasts

Hiya folks, for those that don’t follow me on Twitter, I wanted to point out a few webcasts I’ve been involved with. Check ’em out!

 

Best Practices for Migrating PSTs and Email Archives to Office 365

https://redmondmag.com/webcasts/2016/06/delljuly19.aspx

Office 365 Migrations and Beyond – Planning for Potential Risks

https://redmondmag.com/webcasts/2016/08/mimecast-sept8.aspx

Skype for Business Online Cloud PBX: Picking Good Numbers

Not your granddaddy’s SfBO

Late last year, Microsoft released a dial-in conferencing and PSTN add-on to the popular Office 365 suite. With these new features, I expect Skype for Business Online to attract serious interest. As a technical implementer, if your Office 365 focus has been limited to Exchange and SharePoint Online, you’ll want to be sure you’re positioned to support these new features before your competition beats you to it!

For an excellent, no-fluff introduction to the topic, I recommend you read fellow MVP Paul Robichaux’s article over on WindowsITPro: “Skype for Business: PSTN Calling”

Selecting Pleasant Telephone Numbers

One of the first things you’ll want to do after you’ve got the necessary licensing situated is to assign phone numbers to your users. If you’re using the Admin Center, you’ll find this approach is documented here.

When using this screen to assign numbers to my business, I found that the numbers that were being presented weren’t very palatable.

Obviously this is a subjective assessment, though as an example, you’ll likely agree that numbers that end in ‘0000’ are generally more desirable and memorable than those that involve digits from all over your dial pad. Maybe there is some secret TelCo handshake which allows you to pick from great phone numbers, but alas, I don’t know it. 😦

Perhaps more frustrating is the fact that the portal limits you by showing only a few numbers at a time (per 10 minutes). Based on my business’ location in Maryland, I wanted a 301 number, but am I supposed to look at 10 numbers every 10 minutes? I’ve not done this with a large tenant yet, so it is possible this UI scales with more licenses/users, but in my testing I couldn’t find a way around this issue.

The good news however, is that PowerShell once again comes to the rescue! Using the Skype for Business Online cmdlets, we are able to bypass the selection limits of the Admin Center and view up to 200 numbers, in a given city, at a time.

The approach is as follows:

  1. Download and install the SfBO PowerShell module.
  2. Establish a PowerShell remoting session.
  3. Figure out what region you want numbers for, and take note of the geocodes.
  4. Search the inventory, reserving 200 numbers for 10 minutes.
  5. If necessary, manually release the numbers and look at another region.
  6. If all else fails, wait 10+ minutes and re-try the above.

Search and Filter with PowerShell

Connect to SfBO

$credential = Get-Credential mike@contoso.com
$lyncSession = New-CsOnlineSession -Credential $credential
Import-PSSession $lyncSession

Search the inventory

$x = Search-CsOnlineTelephoneNumberInventory -InventoryType Subscriber -Region NOAM -Country US -Area MD -City SS -Quantity 200
Get-CsOnlineTelephoneNumberReservationsInformation

$x.Reservations.numbers.DisplayNumber

Use PowerShell filtering to find desirable number patterns

#Numbers with 00
$x.Reservations.numbers.DisplayNumber | ? {$_ -like '*00*'}

#Numbers ending in 0
$x.Reservations.numbers.DisplayNumber | ? {$_ -like '*0'}

#Numbers not containing 304
$x.Reservations.numbers.DisplayNumber | ? {$_ -notlike '*304*'}

#Numbers with 0 in the last group
$x.Reservations.numbers.DisplayNumber | ? {(($_ -split ' ' )[-1]) -like '*0*'}

Release the numbers and look at a different region (avoiding the 10 minute wait)

Clear-CsOnlineTelephoneNumberReservation -ReservationId $x.ReservationId -InventoryType subscriber
$x = Search-CsOnlineTelephoneNumberInventory -InventoryType Subscriber -Region NOAM -Country US -Area MD -City BE -Quantity 200

$x.Reservations.numbers.DisplayNumber

Select the numbers you like (Don’t forget to include the country code)

Select-CsOnlineTelephoneNumberInventory -ReservationId $x.ReservationId -TelephoneNumbers 13010000000, 13010000003, 13010000002 -Region NOAM -Country US -Area MD -City SS

NOTE: I haven’t worked out the code myself, but you may want to find phone numbers in consecutive blocks, so here is a topic that discusses how to do that.
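One way to find consecutive blocks in a reservation, as an added example that is not from the original post or the topic it links to. The function name, the `-MinimumLength` parameter and the sample display-number format are assumptions; the sample numbers are constructed.

```powershell
# Added example (not from the original post): report runs of consecutive numbers.
function Find-ConsecutiveNumberBlock {
    param(
        [Parameter(Mandatory)]
        [string[]]$DisplayNumber,
        [int]$MinimumLength = 3            # hypothetical parameter: shortest run worth reporting
    )

    # Strip formatting so only digits remain, drop empties, then sort numerically.
    $numbers = $DisplayNumber |
        ForEach-Object { $_ -replace '\D', '' } |
        Where-Object { $_ } |
        ForEach-Object { [long]$_ } |
        Sort-Object -Unique

    $run = New-Object 'System.Collections.Generic.List[long]'

    # Emits the current run if it is long enough; its output becomes function output.
    $emit = {
        if ($run.Count -ge $MinimumLength) {
            [pscustomobject]@{
                First = $run[0]
                Last  = $run[$run.Count - 1]
                Count = $run.Count
            }
        }
    }

    foreach ($n in $numbers) {
        # A gap ends the current run.
        if ($run.Count -gt 0 -and $n -ne ($run[$run.Count - 1] + 1)) {
            & $emit
            $run.Clear()
        }
        $run.Add($n)
    }
    & $emit
}

# Constructed sample; the space-separated format is an assumption based on the
# ($_ -split ' ')[-1] filter used earlier in the post.
$sample = '+1 301 555 0100', '+1 301 555 0147', '+1 301 555 0102',
          '+1 301 555 0101', '+1 301 555 0199'

Find-ConsecutiveNumberBlock -DisplayNumber $sample
# Against a live reservation:
# Find-ConsecutiveNumberBlock -DisplayNumber $x.Reservations.numbers.DisplayNumber
```

The `First` and `Last` values are digits only with the country code, which is the form `Select-CsOnlineTelephoneNumberInventory -TelephoneNumbers` takes in the step above.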

Once you’ve got the numbers reserved, you can continue to use PowerShell to assign them to your licensed users, or you can go back to the Admin Center and assign them there.

——————– EDIT: December 2016 ——————–

The GeoCode documentation is being deprecated. To determine your GeoCode, utilize these cmdlets:

e.g.

Get-CsOnlineTelephoneNumberInventoryRegions -InventoryType Subscriber
Get-CsOnlineTelephoneNumberInventoryCountries -InventoryType Subscriber -RegionalGroup NOAM
Get-CsOnlineTelephoneNumberInventoryAreas -InventoryType Subscriber -RegionalGroup NOAM -CountryOrRegion US
Get-CsOnlineTelephoneNumberInventoryCities -InventoryType Subscriber -RegionalGroup NOAM -CountryOrRegion US -Area MD

Enabling/Disabling AAD Connect’s Automatic Upgrade Feature

Last week, Microsoft announced this quarter’s Azure Active Directory Connect (AADConnect) update. Version 1.1 (download) includes some big changes, including one that made me worry. AAD Connect now has an Automatic Upgrade feature! Given that this is the first version to include this concept, we won’t see how it works until next quarter, but I sure do hope they are careful.

Cautiously Optimistic

Over the past few years we’ve seen several DirSync/AADSync/AADConnect versions be revoked due to bugs, which means you could wake up one morning to some terrible sync catastrophe resulting from bad sync rules or who knows what. Case in point: THIS VERSION!!! You’ll see in the comments of the announcement I linked above, several people had problems with the upgrade to the 1.1 build and Microsoft quickly released a new version 4 days ago (1.1.110.0). Nevertheless, I believe such a sync-related catastrophe is unlikely. The greater risk is letting your sync software get too out of date, which is something I see more often than I don’t. In fact, Microsoft’s sync tools have been so reliable that many organizations are probably still running the same version deployed when they first migrated to Office 365 (Though they are possibly in an unsupported scenario).

New installations of AAD Connect which use the default “Express” option will enable Automatic Upgrade for you.

I did an in-place upgrade from a prior version to 1.1.110.0 and it left Auto Upgrade in a “Suspended” state, which is not to be confused with “Disabled”. I’m not sure why we need two “not-enabled” states, but it is described in the documentation as a system-only value. It will be easier to test this when there is actually a version beyond 1.1.110.0 to upgrade to.

I think it is interesting that this product doesn’t hook into the operating system’s Automatic Update feature, as most Microsoft products do. My theory is that the Azure AD team is currently moving faster than the requisite internal coordination allows.

Disabling Automatic Upgrade

I would discourage anyone from turning off Automatic Upgrade without good cause (FUD does not count), though there may be some good causes.

For example, while Microsoft discourages us from modifying the default synchronization rules (The product has pop-ups warning you about this too), it is supported. The caveat is that upgrades sometimes redefine the default rules, overwriting your changes. In this case, the guidance states:

If you need to change the scope or the join setting in an “out-of-box” synchronization rule, document this and reapply the change after upgrading to a newer version of Azure AD Connect

As you have probably guessed, this scenario presents a problem with the idea of an automatic upgrade. Luckily for this, and perhaps other reasons, you can disable Automatic Upgrade. There are two new cmdlets for controlling the behavior:

  • Get-ADSyncAutoUpgrade
  • Set-ADSyncAutoUpgrade

Get-ADSyncAutoUpgrade will show you the current state, which will be Enabled, Disabled or Suspended. You can also see this by looking at the AAD Connect summary page (second image above).

To disable AAD Connect’s Automatic Upgrade feature, type:

Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled

Enabling Automatic Upgrade

If you need to enable the feature, type:

Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled

Discussing the “Preferred Architecture” on the Exchange Server Pro Podcast

Last month, I was invited back to the Exchange Server Pro Podcast to discuss the Exchange Server Preferred Architecture with Paul Cunningham, a fellow Microsoft MVP.  During the discussion, we covered the definition of the term as well as how to balance it against the realities of your Exchange Environment.

If you’ve got 30 minutes, check it out!

Podcast Episode 8: The Preferred Architecture with Mike Crowley

Presenting at the Rockville, MD Office 365 User Group

If you’ve been here once or twice, you’ll know I like talking about Office 365 and Azure AD Directory Synchronization! If you like this topic too, or are preparing for an upcoming migration, and are in the Washington DC Metro Area next Thursday (Nov. 12), please come to the Rockville-based Office 365 user group meeting.

Rockville Office 365 User Group

During this event, I’ll be covering sync across the following agenda:

  1. Introduction to concepts
  2. Environment Readiness
  3. Tools
  4. Operations and Troubleshooting
  5. Q&A

Attendance is free but please RSVP here:

Guest Appearance on the Exchange Server Pro Podcast

A few days back, I had an opportunity to chat with Paul Cunningham on his Exchange Server Pro Podcast. Paul is a world-renowned Exchange Server expert and Microsoft MVP, based out of Australia. We discussed ways to protect Exchange from attack, along with other security concepts while responding to the recent news around “OWA Vulnerabilities”.

If you’ve got 30 minutes, check it out!

Podcast Episode 4: Securing Outlook Web App (OWA) and Exchange Server with Mike Crowley