Category Archives: Office 365

Microsoft Office 365 Federation Metadata Update Automation Installation Tool

What is the Microsoft Office 365 Federation Metadata Update Automation Installation Tool?

This tool automates an otherwise manual process which, if not performed, would prevent all users from signing into Office 365 when the token signing certificate expires (once per year). The tool is a PowerShell script that creates a scheduled task to tell Office 365 to trust the new self-signed certificate.
Get the tool:
http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc 

[Update 2/15/2013]
It turns out that it is still necessary to restart the internal ADFS service after the token signing certificate has been issued.

Who needs the tool?

All Office 365 customers that have implemented Single Sign-On with ADFS 2.0 must update their token signing certificate every year; otherwise users will be unable to sign in. They would all benefit from this tool; without it they have to predict when the cert expires and then follow a manual process to trust the new cert.

What if the tool is not installed? What is the manual process?

I welcome this tool. Last year, I blogged about the manual steps to predict when the token signing certificate must be installed.
http://blogs.catapultsystems.com/IT/archive/2012/03/07/cannot-sign-on-to-office-365.aspx
Fixing the problem is not too difficult; however, preventing the problem from occurring is actually somewhat confusing. So I highly recommend that all customers use this tool!
If you do not want to run the tool, here is what you must do:

1. Find out when your existing token signing cert will expire.

2. Subtract 20 days from the expiration date.

3. From that date, ADFS will automatically issue a new certificate that will co-exist with the primary certificate for 5 days (this is the default period, but it can be configured to be a longer period). At the end of that 5 day period, the new token signing certificate is made primary, and this actually disrupts service until someone takes manual action to run a PowerShell command to force Office 365 to trust the new cert. This is necessary because it is a self-signed certificate and therefore, o365 needs to be informed by someone (or an automated task) that the cert has changed. This is exactly what the tool above helps automate, so that if someone does not predict the date correctly, it will avoid an outage.

For example, this is what you will see during the 5 day period when the new cert has been automatically issued but has not yet been made the primary cert. The old cert shows IsPrimary = True, and the new one is listed but is not yet primary.
Launch PowerShell.
Type the following:
Add-PSSnapin Microsoft.Adfs.PowerShell
Get-ADFSCertificate -CertificateType token-signing
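The three manual steps above (read the expiry, subtract the generation threshold, add the promotion window) can be computed from the farm's own settings rather than guessed. This is an added example, not part of the original post or the tool; it assumes the ADFS 2.0 snap-in on a federation server, and the domain name in the trailing comment is a placeholder.

```powershell
# Added example (not from the original post): predict the ADFS 2.0 token-signing
# rollover dates from the thresholds the farm is actually configured with.
# Assumes the ADFS 2.0 snap-in is available and this runs on a federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props   = Get-ADFSProperties
$primary = Get-ADFSCertificate -CertificateType token-signing | Where-Object { $_.IsPrimary }

if (-not $props.AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is disabled; no new certificate will be issued automatically."
}

# Step 1: expiry of the current primary cert
$expires   = $primary.Certificate.NotAfter
# Step 2: the farm generates the new cert this many days before expiry (default 20)
$generated = $expires.AddDays(-$props.CertificateGenerationThreshold)
# Step 3: it is promoted to primary this many days later (default 5); O365 must trust it by then
$promoted  = $generated.AddDays($props.CertificatePromotionThreshold)

"Primary token-signing thumbprint    : $($primary.Thumbprint)"
"Expires                             : $expires"
"New cert generated on/after         : $generated"
"New cert becomes primary on/after   : $promoted  <-- tell Office 365 before this date"

$daysLeft = ($promoted - (Get-Date)).Days
if ($daysLeft -le 7) {
    Write-Warning ("Promotion is $daysLeft day(s) away. After it happens, restart the adfssrv " +
                   "service and run Update-MSOLFederatedDomain for each federated domain.")
}

# The Office 365 step the scheduled task performs, shown for a manual run from the
# Microsoft Online Services Module (placeholder domain name):
# Connect-MsolService
# Update-MSOLFederatedDomain -DomainName contoso.com
```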

What happens if I ignore the expiration date of the token signing cert?

You’ll find out – your users will call you when they are unable to sign into Outlook, or Outlook Web Access. They will get an error “There was a problem accessing the site. Try to browse the site again.”

What does the tool require?

  • You must make sure that you have installed the latest version of the Microsoft Online Services Module for Windows PowerShell
  • You need to have a functioning AD FS 2.0 Federation Service
  • You need to have access to Global Administrator credentials for your Office 365 tenant
  • At least one verified domain in the Office 365 tenant must be of type ‘Federated’
  • This tool must be executed on a writable Federation Server
  • The currently logged on user must be a member of the local Administrators group
  • The Microsoft Online Services Module for Windows PowerShell must be installed. You can download the module from http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx

Running the tool

After you download the tool (aka powershell script) onto your internal ADFS server, you need to right-click on it and unblock it. Otherwise you will get errors like “the script is not digitally signed. The script will not execute on the system.”

Also, if you get the error “Failed MSOL credential validation.” it is because you are running the script in the regular Windows PowerShell or ADFS PowerShell window. You need to make sure you run it in the “Microsoft Online Services Module for Windows PowerShell” window, which looks like this on the desktop:

Then just change directory to the location of where you saved the script and run the script.

Verifying it worked

Launch Task Scheduler. You will see the new task has been scheduled to run at midnight every day.

Recommendation: Because the scheduled task will run under the account that you were logged in with, you will need to remember to update this scheduled task whenever you change your password, or run the tool with a service account with a non-expiring password (recommended). It would totally defeat the purpose of going to all this effort only to have the script not run when you are counting on it because the password was changed and the scheduled task failed.

How to recover missing emails in Office 365

When an email is deleted, where does it go? It goes to the Deleted Items folder.
When the Deleted Items folder is emptied, where does it go? It goes to a hidden folder called Deletions (under Recoverable Items). The duration that deleted items remain in this folder is based on the deleted item retention settings configured for the mailbox database or the mailbox. By default, an Exchange 2010 mailbox database is configured to retain deleted items for 14 days, and the recoverable items warning quota and recoverable items quota are set to 20 gigabytes (GB) and 30 GB respectively. These are configurable settings with Exchange on-premise:
http://technet.microsoft.com/en-us/library/ee364752.aspx
With Exchange Online, Plan 2, you can increase this from 14 to 30 days. The Recoverable Items folder does not count against the user’s primary mailbox.
http://jorgerdiaz.wordpress.com/2012/07/19/office-365-changes-legal-hold-and-single-item-recovery/
Note: These items can still be recovered by the end-user by highlighting the folder and clicking ‘Recover Deleted Items.’

When this recoverable items folder is purged, where do those emails go?
It depends on whether single-item recovery has been enabled on the mailbox. When Single-item recovery is enabled on a mailbox and the recoverable items folder is emptied, these items remain in a hidden folder that the user cannot alter in any way: Recoverable Items\Purges.
Two mechanisms can be used to configure Single Item Recovery in Exchange 2010:

  • rolling legal hold = Time-limited safeguarding of data, where items are stored in the Recoverable Items folder for a predefined retention period. The retention period is set per mailbox (or the mailbox database defaults apply if no value is set for the mailbox).
  • litigation hold = Unlimited safeguarding of data, where items in the recovery folder are never purged. Retention period and quota limits set on a “litigation hold” mailbox are ignored. This ensures that deleted mailbox items and record changes won’t be purged.

The following example assigns a 7-year rolling legal hold on a mailbox. It is important to note that the mailbox won’t be on Legal Hold for 7 years; this is actually a tag stating that any new message will be retained for 7 years once created or received by the mailbox. So a message that arrives on 2.6.2013 will be kept until 2.6.2020.

Set-Mailbox -Identity [email protected] -LitigationHoldEnabled $True -LitigationHoldDuration 2555

With Single Item Recovery enabled, items will remain in the Recoverable Items\Purges folder even if the mailbox owner deletes items from their inbox, empties the Deleted Items folder and then purges the contents of the dumpster. These items can then be searched for by a compliance officer if required, as the items are both indexed and discoverable. Additionally, these items will move with the mailbox if the mailbox is moved to a different mailbox database.
Why not always enable single item recovery?
1. You need to make sure you plan for the additional disk space required. See this article for more information on planning for single item recovery.
http://www.msexchange.org/articles-tutorials/exchange-server-2010/high-availability-recovery/single-item-recovery-part2.html

2. You have to enable it on each individual mailbox; you can’t set a policy that says “all mailboxes will always have it enabled.” It would be awesome if newly created mailboxes could automatically be enabled for single item recovery, but that is not how Exchange currently works.
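Since there is no org-wide switch, the practical substitute for a policy is a scheduled loop that enables Single Item Recovery on any mailbox that lacks it, plus a report of what the Recoverable Items folders already hold so the disk-space planning in point 1 is based on real numbers. This is an added example, not from the original post; it assumes an Exchange 2010 Management Shell (or a remote session to Exchange Online) and the retention value is a choice, not a requirement.

```powershell
# Added example (not from the original post): enable Single Item Recovery on every
# mailbox that lacks it, and report Recoverable Items usage to plan disk growth.
# Assumes an Exchange 2010 Management Shell or a remote PowerShell session to Exchange Online.
$retentionDays = 30   # 14 is the database default; Exchange Online Plan 2 allows up to 30

# 1. Enable it wherever it is off. There is no org-wide policy, so this loop is the
#    "policy"; run it on a schedule to catch mailboxes created since the last run.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.SingleItemRecoveryEnabled } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity `
                    -SingleItemRecoveryEnabled $true `
                    -RetainDeletedItemsFor $retentionDays
        "Enabled Single Item Recovery on $($_.PrimarySmtpAddress)"
    }

# 2. Show what each mailbox already holds in Deletions / Purges / Versions so it can
#    be compared against the 20 GB warning and 30 GB hard quota mentioned above.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx   = $_.PrimarySmtpAddress
    $stats = Get-MailboxFolderStatistics -Identity $_.Identity -FolderScope RecoverableItems
    foreach ($f in $stats) {
        New-Object PSObject -Property @{
            Mailbox = $mbx
            Folder  = $f.Name
            Items   = $f.ItemsInFolder
            Size    = $f.FolderSize
        }
    }
} | Sort-Object Mailbox, Folder | Format-Table Mailbox, Folder, Items, Size -AutoSize
```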

But what if you want to move those items out of the Recoverable Items\Purges and back into the user’s mailbox?

Recovering items from this hidden Purges folder can only be performed by an Exchange or Office 365 Administrator.
There are three options for restoring items from the Purges folder. My favorite is Option 3 (MFCMAPI) because it can restore the items back to the user’s deleted items folder.

Option 1: You can use PowerShell
http://technet.microsoft.com/en-us/library/ff660637.aspx

Option 2: You can use the Exchange Control Panel’s eDiscovery search
Create an In-Place eDiscovery Search

or

Option 3: Use MFCMAPI

Instructions for using MFCMAPI to restore items from the Purges folder.
1. Download MFCMAPI (use this tool at your own risk!)

http://mfcmapi.codeplex.com/releases/view/97321

2. Follow the screenshots in my older post (I have not yet migrated the pictures to this blog):

http://blogs.catapultsystems.com/IT/archive/2013/02/06/how-to-recover-missing-emails-in-office-365.aspx

Summary

While this tool is very powerful, it can also be very destructive (just like Regedit) so this author is not responsible for any damages caused by misuse of this tool. This post is for educational purposes only, use at your own risk!


20 ways to send large files over the Internet

When you need to send large files, email is often the most restrictive transport. By default, on-premise Exchange 2010 limits emails to just 10 megabytes, and Office 365 offers 25 megabytes per email message. While you can increase your on-premise email server size limit, you cannot increase the size limit in Office 365 beyond 25 megabytes. Even if you could increase it beyond 25 megabytes, if your recipients are outside your organization, their email server may limit the size of email to 10 megabytes. For end-users, this is a frustrating experience, and it results in helpdesk requests like “why am I getting this bounce-back message when I email so and so.”
Many IT departments provide users with either FTP sites or SharePoint extranet sites to share large files with external users. However, those solutions require IT overhead to maintain.

There are now many free or low cost solutions for sharing files including:
1. Adobe SendNow – at $20/year this seems to be very reasonable. The Outlook plug-in does not yet work with Office 2013.
2. Box.com – offers a free account. The business account ($15/month) includes a pretty amazing outlook plug-in.
3. YouSendit – Free accounts can send up to 100MB. Paid plans start at $10/month or $100/year and the size per email increases to 2GB. The biggest plus is the Outlook plug-in because it will automatically detect when attachments exceed a pre-determined size, e.g. 10MB or 35MB. I verified that the Outlook plug-in works with Office 2013.

Once I signed up for a free account with YouSendIT, I downloaded the free Outlook Plug-In.

YouSendit’s Outlook plug-in offers a single-sign in option to integrate with Active Directory.

While there are other cloud storage providers, most are consumer oriented and do not natively integrate with Microsoft Outlook.

Xobni is a 3rd party tool that allows Outlook to send files from DropBox or SkyDrive.
Likewise, Harmon.ie has an Outlook 2007/2010 plug-in that converts large attachments to links on Google Drive. The plug-in does not support Office 2013.

For quick ad hoc file transfers, check out 7. DropSend and 8. WeTransfer.com. Within seconds of visiting their websites you can transfer large files (up to 2 gigabytes, for free!).

Here are the other 12 sites that offer file sharing services: Egnyte, SendThisFile (offers Outlook plug-in), Send6, MediaMax, MailBigFile, SendSpace, MegaUpload, zUpload, MyOtherDrive, DivShare, TransferBigFiles and MediaFire

How to share your Outlook calendar free/busy with your friends and family

Both Microsoft Exchange on-premise and the hosted version of Office 365 provide a calendar publishing feature that makes it easy to share your calendar free/busy information with your friends and family.

For end-users, it takes less than 5 minutes to have this working and only takes a few mouse clicks.

1. Logon to Outlook Web Access and click on the Calendar.

2. Click on the Share menu, and then click on “Publish this Calendar to Internet”

3. Select the publishing detail (how much do you want to share: the full details of your calendar, or just when you are free or busy?). Also, select the access level: should anyone be able to view your calendar, or only those who receive a link to your calendar?

4. That’s it! Now, to share your calendar, just click on the Share menu again, and select “Send Links to This Calendar”.

5. Enter the email address of your friends or family

After you click Send, the recipient(s) will get an email with an invite. When they click on the hyperlink containing the .ics file, they will see a pop-up message like the one below: ‘subscribe to the calendar?’

After they click Subscribe, they will then be able to View your calendar.

The previous steps just work out of box with Office 365. However, if you do not have Office 365, your email administrator can still setup Internet Calendar Publishing if they are running Exchange 2010 SP1 or later. For more information, see:
http://technet.microsoft.com/en-us/library/ff607475(v=exchg.141).aspx
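For administrators, the same publishing choices the user makes in step 3 (detail level and whether the URL is discoverable) can be set and audited from the shell. This is an added example, not from the original post or Microsoft's documentation; it assumes an Exchange 2010 SP1 or later (or Exchange Online) management shell, and the mailbox address is a placeholder.

```powershell
# Added example (not from the original post): shell equivalent of the OWA publishing
# steps, using the conservative options (free/busy only, link-only URL, one month each way),
# then an audit of who has published full details to a searchable URL.
# Assumes Exchange 2010 SP1+ or Exchange Online; the mailbox below is a placeholder.
$mailbox = "alice@contoso.example"   # placeholder

# Publishing is only accepted if the mailbox's sharing policy allows anonymous calendar
# sharing; show what that policy permits before changing anything.
$policyName = (Get-Mailbox $mailbox).SharingPolicy
Get-SharingPolicy $policyName | Select-Object Name, Enabled, Domains

# Steps 2 and 3 from the post, done for the user.
Set-MailboxCalendarFolder -Identity "${mailbox}:\Calendar" `
    -PublishEnabled $true `
    -DetailLevel AvailabilityOnly `
    -SearchableUrlEnabled $false `
    -PublishDateRangeFrom OneMonth `
    -PublishDateRangeTo OneMonth

# The links the user would otherwise find under "Send Links to This Calendar".
Get-MailboxCalendarFolder -Identity "${mailbox}:\Calendar" |
    Select-Object PublishEnabled, DetailLevel, SearchableUrlEnabled,
                  PublishedCalendarUrl, PublishedICalUrl

# Audit: mailboxes that publish full details, or whose calendar URL is searchable.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-MailboxCalendarFolder -Identity "$($_.Alias):\Calendar"
} | Where-Object {
    $_.PublishEnabled -and ($_.DetailLevel -eq 'FullDetails' -or $_.SearchableUrlEnabled)
} | Select-Object Identity, DetailLevel, SearchableUrlEnabled
```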

How to Quarantine unauthorized smartphones with Exchange or Office 365

Some organizations have a mobile device policy where they only permit company-owned phones to connect to their email server. They want to prevent employee-owned or rogue devices from establishing an ActiveSync connection.

Exchange 2010 and Office 365 provide the ability to quarantine phones that attempt to enroll in an ActiveSync relationship. This permits an administrator to review the device before approving it.

The process works very well because the user receives an email letting them know that their device is pending administrator approval. The administrator receives an email letting them know a new device requires approval.

Configuring it is also very simple. Just sign into the Exchange Control Panel (ECP) and click a few boxes.

Note: this setting will apply to all existing phones, so you will need to be prepared to perform a one-time mass approval for existing phones that are already connected. An email will be generated to users that their phone is in quarantine, which might be unsettling to some users, so I recommend sending an email in advance to inform them they can ignore the email. Perhaps there is a way to prevent this behavior from occurring for existing devices and only allow it to occur for new devices, but I have not found that option yet.

After this has been configured, you may want to delegate fine-grained RBAC rights to your mobile phone administrators so that they can approve these devices without having too many additional privileges within Exchange.

New-ManagementRole "ActiveSync User Options" -Parent "User Options"

New-ManagementRole "ActiveSync Client Access" -Parent "Organization Client Access"

Get-ManagementRoleEntry -Identity "ActiveSync User Options\*" | Where {$_.Name -notlike "*activesync*"} | Remove-ManagementRoleEntry -Confirm:$False

Get-ManagementRoleEntry -Identity "ActiveSync Client Access\*" | Where {$_.Name -notlike "*activesync*"} | Remove-ManagementRoleEntry -Confirm:$False

Remove-ManagementRoleEntry "ActiveSync Client Access\Set-ActiveSyncOrganizationSettings"
Remove-ManagementRoleEntry "ActiveSync Client Access\Set-ActiveSyncDeviceAccessRule"
Remove-ManagementRoleEntry "ActiveSync Client Access\Remove-ActiveSyncDeviceAccessRule"
Remove-ManagementRoleEntry "ActiveSync Client Access\New-ActiveSyncDeviceAccessRule"

New-RoleGroup "ActiveSync Access Admins" -Roles "ActiveSync User Options", "ActiveSync Client Access"

Add-RoleGroupMember "ActiveSync Access Admins" -Member [email protected]

The delegated administrator should then see quarantined devices in the Exchange Control Panel.
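The ECP "click a few boxes" step, the one-time review of already-connected phones, and a check that the delegated roles really are limited to ActiveSync cmdlets, as an added example that is not from the original post. It assumes an Exchange 2010 or Exchange Online management shell; the mail addresses and insert text are placeholders.

```powershell
# Added example (not from the original post): shell equivalent of the ECP quarantine
# setting, a view of what is sitting in quarantine, and a least-privilege check on the
# delegated role group. Assumes Exchange 2010 / Exchange Online shell; addresses are placeholders.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mdm-admins@contoso.example" `
    -UserMailInsert "Your phone is waiting for IT approval. No action is needed from you."

# Before the one-time mass approval of the existing fleet, list what is quarantined.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime

# Least-privilege check: every remaining role entry must be an ActiveSync cmdlet, and
# the four org-wide entries removed above must not have crept back in.
$blocked = 'Set-ActiveSyncOrganizationSettings', 'Set-ActiveSyncDeviceAccessRule',
           'Remove-ActiveSyncDeviceAccessRule', 'New-ActiveSyncDeviceAccessRule'
foreach ($role in 'ActiveSync User Options', 'ActiveSync Client Access') {
    $entries = @(Get-ManagementRoleEntry -Identity "$role\*")
    $stray   = @($entries | Where-Object {
                   $_.Name -notlike '*ActiveSync*' -or $blocked -contains $_.Name })
    if ($stray.Count -gt 0) {
        Write-Warning "$role still contains: $(($stray | ForEach-Object { $_.Name }) -join ', ')"
    } else {
        "$role OK: $($entries.Count) ActiveSync-only entries"
    }
}
Get-RoleGroupMember 'ActiveSync Access Admins' | Select-Object Name, RecipientType
```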

The link to my original blog post with pictures is available here:

http://blogs.catapultsystems.com/IT/archive/2012/11/30/how-to-quarantine-unauthorized-smartphones-with-exchange-2010-or-office-365.aspx

Office 365 free busy not working with Exchange 2003

In an Exchange 2003 and Office 365 Hybrid Deployment environment, the Office 365 users are able to view the Free/Busy information of Exchange 2003 users or resources. However, an Exchange 2003 user may unexpectedly be unable to view the Free/Busy information of the Office 365 users or resources.

Many configuration issues may cause this to occur. In the case of my customer, the cause was to change the permission for the free/busy folder from the Default Permission: Author to Editor as described here:

http://blogs.technet.com/b/hot/archive/2012/03/30/an-exchange-server-2003-user-cannot-view-the-free-busy-information-of-office-365-resources-or-users-within-a-hybrid-deployment.aspx

This can be accomplished in the Exchange 2003 System Manager. Right-click on the folder with the EXTERNAL name and select Properties.

Click Client Permissions

Change the Default Permission from Author to Editor

If you are lucky, this will solve the problem for you. If not, there are a few other things to try.

The first issue that you should be aware of is that Outlook Web Access (OWA) cannot view free/busy for a mailbox that resides in Exchange Online.

http://community.office365.com/en-us/wikis/officeapps/558.aspx 

There are some articles that recommend setting the LegacyExchangeDN parameter in mailboxes but I did not have to do that. http://technet.microsoft.com/en-us/library/hh310374.aspx
http://community.office365.com/en-us/wikis/officeapps/558.aspx
http://community.office365.com/en-us/forums/162/t/55245.aspx

There are also articles that recommend hardcoding the targetsharingepr record but I think that was only necessary when Exchange Online was in Beta. For example, they said to run this command
Set-OrganizationRelationship "CompanyABC" -TargetSharingEpr https://mail.companyabc.com/EWS/Exchange.asmx/WSSecurity
http://blogs.technet.com/b/neiljohn/archive/2011/08/15/office-365-hybrid-deployment-exchange-rich-coexistence-sharing-availability-free-busy.aspx
Again, I don’t think that is necessary with the current builds because it is not mentioned in the Exchange Deployment Assistant documentation.

There are also issues with routing group configuration that could cause problems with free/busy. One of our other customers ran into this so you should see whether this impacts you: http://blogs.technet.com/b/messaging_with_communications/archive/2011/09/09/office365-exchange-2003-free-busy-coexistence.aspx

One helpful technique to isolate the issue is to create a user on the Exchange 2010 Hybrid server. If that user can view free/busy for Exchange Online mailboxes, then the issue is isolated to public folder configuration, since Exchange 2010 users do not rely on public folders for free/busy. However, if an Exchange 2010 mailbox cannot view Exchange Online free/busy, then the problem could be with the organization relationship and autodiscover DNS records.

http://support.microsoft.com/kb/2555008

http://blogs.technet.com/b/hot/archive/2012/03/30/free-busy-information-is-not-being-shared-between-cloud-and-on-premise-accounts-error-code-5037.aspx

Another article I found helpful was to validate that the free/busy folders exist to begin with.

http://support.microsoft.com/kb/2555008
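The isolation technique above separates two failure domains: the organization relationship and autodiscover (used by Exchange 2010 mailboxes) versus the SCHEDULE+ FREE BUSY public folders (used by Exchange 2003 clients). The following gathers both sides from the hybrid server in one pass; it is an added example, not from the original post, and assumes the Exchange 2010 hybrid server's management shell with placeholder user and domain names.

```powershell
# Added example (not from the original post): collect the on-premises evidence for a
# hybrid free/busy problem so the two failure domains can be told apart.
# Assumes the Exchange 2010 hybrid server's management shell; names are placeholders.
$onPremUser  = "hybrid.test@contoso.example"   # placeholder: mailbox on the Exchange 2010 hybrid server
$cloudDomain = "contoso.mail.onmicrosoft.com"  # placeholder: the Exchange Online domain

# 1. Organization relationship: the path Exchange 2010 mailboxes use (no public folders).
Get-OrganizationRelationship | Select-Object Name, DomainNames, Enabled, FreeBusyAccessEnabled,
    FreeBusyAccessLevel, TargetAutodiscoverEpr, TargetSharingEpr

# Exercise the relationship on behalf of the on-premises test user; failures here point at
# the relationship, federation trust or autodiscover DNS rather than at public folders.
Get-OrganizationRelationship | ForEach-Object {
    Test-OrganizationRelationship -Identity $_.Identity -UserIdentity $onPremUser -Verbose
}

# 2. Autodiscover for the cloud domain: this is how TargetSharingEpr is discovered when it
#    is not hard-coded, so compare these values with what the relationship holds.
Get-FederationInformation -DomainName $cloudDomain |
    Select-Object DomainNames, TargetApplicationUri, TargetAutodiscoverEpr

# 3. Public folder side: Exchange 2003 clients read free/busy from SCHEDULE+ FREE BUSY, so
#    a folder for each administrative group must exist and have replicas.
Get-PublicFolder "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY" -Recurse |
    Select-Object Name, Replicas
```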

Original blog post with images is available here:

Office 365 free busy not working with Exchange 2003