Exchange Online Delegation Rights

exchange-online

Managing Exchange Calendars with PowerShell.

Some companies I deployed Exchange or Office 365 would like to be able to view readable information in everyone’s calendar by default you only get Free or Busy information. The following script changes the default calendar permissions for ALL Users folders to Reviewer – This gives you readable / not editable information.

foreach($user in Get-Mailbox  -RecipientTypeDetails UserMailbox) {
$cal = $user.alias+":\Calendar"
Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer
}

Senior management sometimes have PA’s that will need delegate access to their calendar, this this will include view calendar items that are marked as private.

To Set the delegate to view private items in the calendar

Add-MailboxFolderPermission –Identity <delegates mailbox>:\Calendar 
–User <delegated mailbox> -AccessRights Editor -SharingPermissionFlags 
Delegate,CanViewPrivateItems

To Set the delegate to not view private items in the calendar

Add-MailboxFolderPermission -Identity <delegates mailbox>:\Calendar 
-User <delegated mailbox> -AccessRights Editor -SharingPermissionFlags 
Delegate

To remove any individual calendar permission

Remove-MailboxFolderPermission -Identity "delegates mailbox:\Calendar" 
-user "delegated mailbox"
Advertisements

How to migrate G-Suite to Office 365

Wow, time flies when you are having fun….I can’t believe it has been 7 months since my last post.

So since January I have been really busy with numerous projects revolving largely around Office 365 and Exchange. I have picked up some useful knowledge which I will write about here in the coming weeks.

This post is dedicated to something new to me – G-Suite to Office 365 – What a ride this has been! Let me explain how I managed to get it all to hang together and get the two services to exist together during the migration and testing phases.

EMAIL Co Existence / Routing between O365 and G-Suite

This was the tricky bit, how could we get users to co-exist in different services whilst we undertake testing and migrations? There is no connector or hybrid solution like there is with Exchange. We did not want to cut over all the users at the same time – this had to be a phased migration over to Office 365. We are also using MimeCast for SPAM and Relay protection so we need Google & Office 365 to send outbound via Mimecast without any mails getting blocked. Here is how we did it:

Office 365

Office 365 needs to be forwarding mail onto a domain that G-Suite knows about and the users mailboxes need to have an alias address for office 365 to forward onto.

The steps are as follows:

  • Add Domain Domain A with MX Record
  • Add secondary email address for each user. This needs to be set to: user@domainA.com

For users that are not yet in Office 365 we need to configure the Accepted Domain as an Internal Relay in Mail Flow in Exchange Online Admin Centre

internalrelay

Then we create a connector back to G-Suite for any address that does not live in O365 yet. Doing this tells Exchange Online to send the email to the recipient over in G-Suite.

We then stumbled across another minor problem. In order for the Email Data to be migrated into the new Office 365 users mailbox, we need to activate the license. In doing this creates a Office 365 mailbox so then Office 365 thinks the user is now happily working from Office 365. “WRONG”!!! The user still lives in G-Suite until the migration is completed. So in order for the users in Office 365 to send to a user in G-Suite who’s mailbox is provisioned in O365 we have need to create another forwarder back to G-Suite until the migration is completed. How to do this in bulk is in a following section in the blog post. – Adding Contacts to Office 365.

G-Suite

G-Suite needs to have a forwarder configured that the Tenant does not have the domain registered to. If you register a domain with Google it treats all SUB domains as internal as well, so a completely new unregistered domain is required to forward any Office 365 bound mail to.

In order for Gmail to send a message to a forwarding address, the address needs to be verified. So here is a way to forward to an address that is not verified (added to the G-Suite Tenant):

You will need to apply mappings (aliases) to recipient addresses on messages received by your domain. You can map multiple individual recipient addresses (a maximum of 2,000 entries) to other addresses. An individual address can map to a maximum of twelve addresses.

This is a basic routing concept, sometimes called a virtual user table, that’s frequently used in mail routing situations to redirect mail from one address to another. By using this setting you don’t need to create individual routing settings for each address mapping.

Configure the Recipient address map setting for your domain:

  1. From the Admin console Home page, go to Appsand thenG Suiteand thenGmailand thenAdvanced settings.Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  2. At the top of the page, ensure that the top-level org is highlighted.
  3. Scroll down to the Recipient address map section, or type Recipient address map in the search box:

    If the setting’s status is Not configured yet, click Configure (the “Add setting” dialog box displays).

    ​If the setting’s status is Locally applied or Inherited, click Edit to edit an existing setting (the “Edit setting” dialog box displays).

  4. Enter a short description that will appear within the setting’s summary.
  5. Under Messages to affect, select All incoming messages or Only external incoming messages.
  6. Scroll down to Routing options, and select Also route to original destination to send a copy of the message to the new address and also deliver it to the original recipient.

    Note: If you don’t select this option, the message is only sent to the new address.

    For example, jensmith@solarmora.com is in the address map and the new address is jensmith@gmail.com. If the checkbox is checked, both jensmith@solarmora.com and jensmith@gmail.com will receive a copy of the message. If the checkbox is unchecked, then only jensmith@gmail.com will receive the message.

  7. Enter address mappings in the box.

    Each mapping must include two addresses on a single line, separated by a comma. Place the map-to address after the comma. In the following example, davidb@solarmora.com is the map-to address:

    jensmith@solarmora.com, davidb@solarmora.com
    Each address must be a complete, specific address, and is case-insensitive. An address can be mapped to multiple map-to addresses. In the following example, jensmith@solarmora.com is mapped to both michellec@solarmora.com and johnd@solarmora.com:

    jensmith@solarmora.commichellec@solarmora.com
    jensmith@solarmora.comjohnd@solarmora.com

  8. Click Add to add the mappings.
  9. When you’re finished making changes, click Add setting or Save to close the dialog box.
    Note: Any settings you add are highlighted on the “Email settings” page.
  10. Click Save changes at the bottom of the “Email settings” page.
  11. When you’re finished, click Add Setting (at the bottom of the dialog box).
  12. Click Save changes (at the bottom of the “Email settings” page) to confirm your changes.

It can take up to an hour for changes to propagate to user accounts. You can track changes in the Admin audit log.

Adding Contacts to Office 365

First of all you will need a CSV file like the one in the image below ensuring the column headers match:

externalcontacts

When you have created your list of new Contacts that you need to create you can then import these into Office 365 using the following Powershell Commands:

To Connect to Office 365 Powershell:

Import-Module MSOnline
$O365Cred = Get-Credential
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri 
https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic 
-AllowRedirection
Import-PSSession $O365Session

To import the contacts in your CSV file:

Import-Csv c:\externalcontacts.csv|%
{New-MailContact -Name $_.Name -DisplayName $_.Name -ExternalEmailAddress 
$_.ExternalEmailAddress -FirstName $_.FirstName -LastName $_.LastName}

We then had to update all the Office 365 mailboxes to use the forwarding address to send mail back to G-Suite using the following PowerShell and CSV file:

o365forwarding

Import-CSV "C:\Temp\Users.csv" | % 
{ $_.Condition = [bool]($_.Condition -as [int]); $_  } |
 ForEach {Set-Mailbox -Identity $_.mailbox
 -ForwardingAddress $_.forwardto -Delivertomailboxandforward
 $_.Condition}

On Prem AD with NO Exchange Attributes

So when adding the mailboxes in Office 365 be default the users email addresses were the onmicrosoft.com domain. This was happening because there were no On Premise Exchange Server therefore no Proxy addresses recorded in Active Directory. We then had to add all of the email address alias’s to the proxy addresses using PowerShell. The next few commands are how we did this.

Export the SamAccount and Existing Email details

Import-Module ActiveDirectory
# Delete file if it exists
$FileName = "C:\temp\user.csv"
if (Test-Path $FileName) 
{
  Remove-Item $FileName
}
Get-Aduser -filter * -Properties * | 
Select SamAccountName,mail | export-csv $FileName

Once you have a list of users with the correct list of Alias addresses I then ran the following PoweShell to update all of the proxy addresses

GC C:\temp\user.csv | % {
Set-ADUser $_ -Add @{ProxyAddresses="smtp:$_@aliasdomain.org.uk"}
}

Implementation of Mimecast – Outbound

G-Suite

To prepare your outbound G Suite hostname:

  1. Log on to the Google Admin Console.
  2. Navigate to Apps | G Suite | Gmail | Advanced Settings.
  3. Click on the Hosts button.
  4. Click on the Add Route button.
  5. Enter a Route Name (e.g. Mimecast Outbound Host).
  6. Select Multiple Host and enter the Mimecast Outbound Hostnames for your Mimecast region. Both must be marked as primary. See the “Outbound Send Connectors section of the Mimecast Gateway page for full details.
  7. Click on the Save button.
  8. Click on the Add Route button.
  9. Enter a Route Name (e.g. Internal Sending Host).
  10. Select Multiple Host and enter the Google Apps MX Records (ASPMX.L.GOOGLE.COM. and ALT1.ASPMX.L.GOOGLE.COM).
  11. Click on the Save button.

To configure routing rules:

  1. Click on the General Settings tab.
  2. Navigate to the Routing section.
  3. Click on the Configure button.
  4. Select the Outbound option in the “Messages to Affect” section.
  5. Select the Change Route option in the Route section.
  6. Select the Route Name created in step 5 of the “Preparing Your Outbound Hostname” section.
  7. Click on the Add Setting button.
  8. Click on the Add Another button.
  9. Select the Internal | Sending option in the “Messages to Affect” section.
  10. Select the Change Route option in the Route section.
  11. Select the Route Name created in step 9 of the “Preparing Your Outbound Hostname” section.
  12. Click on the Add Setting button.

 

Office 365

  1. Log in to the Office 365 Administration Console.
  2. Select the Admin | Exchange menu item.
  3. Select the Mail Flow | Connectors menu item.
  4. Create a Connector.
  5. Complete the New Connector – Select Your Mail Flow Scenario dialog as follows:
    Field Description
    From Select “Office 365” from the drop down list.
    To Select “Partner Organization” from the drop down list.
  6. Select the Next button.
  7. Complete the New Connector – New Connector dialog as follows:
    Field Description
    Name Enter a name for the connector.
    Description Enter a description for the connector.
    Turn It On Select this option to enable the connector.
  8. Select the Next button.
  9. Select the Only When Email Messages are Sent to These Domains option.
  10. Select the ico_plus.png icon to add the recipient domains that should use this connector.
  11. Enter a value of * to route all outbound emails through us.
  12. Select the OK button.
    Connector
  13. Select the Next button.
  14. Select the Route Email Through These Smart Hosts option.
  15. Select the ico_plus.png icon to add your region’s smart hosts.
    add_smart_host.png

    Region Office 365 Account Hostnames
    Europe (Excluding Germany) eu-smtp-o365-outbound-1.mimecast.com

    eu-smtp-o365-outbound-2.mimecast.com

    Germany de-smtp-o365-outbound-1.mimecast.com

    de-smtp-o365-outbound-2.mimecast.com

    America us-smtp-o365-outbound-1.mimecast.com

    us-smtp-o365-outbound-2.mimecast.com

    South Africa za-smtp-o365-outbound-1.mimecast.co.za

    za-smtp-o365-outbound-2.mimecast.co.za

    Australia au-smtp-o365-outbound-1.mimecast.com

    au-smtp-o365-outbound-2.mimecast.com

    Offshore je-smtp-o365-outbound-1.mimecast-offshore.com

    je-smtp-o365-outbound-2.mimecast-offshore.com

  16. Select the Save button.
  17. Select the Next button.
  18. Select the following options:
    • Always use Transport Layer Security (TLS) to Secure the Connection (recommended)
    • Issued by a trusted certificate authority (CA)
  19. Select the Next button.
  20. Select the Next button.
  21. Add an Email Address of a recipient from a domain external to your organization.
  22. Select the Validate button.
  23. Select the Save button once Office 365 has successfully validated your settings.

Cloud Migrator Used for Data Migrations

Link to the 3rd Party Migration Tool:

https://cloudm.co/cloudmigrator?gclid=CjwKCAjwns_bBRBCEiwA7AVGHlIcjIAmgfI64swjBotgV_WwduBCpMhEaBjYrcruD30K1wuJPuIkERoC–wQAvD_BwE

So our experience with the Cloud Migrator APP has been interesting. Initially we started to use the Cloud Migrator Go SaaS application which was reasonably simple to configure following the guides provided by Cloud M. However we soon realised there were speed issues when moving data between G-Suite & O365.  The issues are caused by the API’s between GSuite and O365 being limited. There is nothing we or Cloud M could do to improve the migration speed between the two services.

We then switched to the Cloud Migrator App which you install on your own dedicated server On Premise – in our case we used a Virtual machine in VMWare. Once configured we were able to fire up numerous Servers to run Cloud Migrator having a number of migration batches running at the same time and our Data throughput seemed to be 4x that of the cloud Migrator Go SaaS option.

All in all the customer is now running Co Existence of Office 365 and G-Suite. Mail is flowing and users are happy. We intend to complete the migration to Office 365 in the coming weeks. I decided to write this post as there does not seem to be many guides out there to help you migrate from G-Suite to Office 365. Hopefully if you read this it will help you on your projects.

 

 

Useful Powershell Commands for Exchange

One of my recent projects was to implement a new Highly Available Exchange 2016 environment for a customer who was upgrading from Exchange 2010. When Exchange 2016 was in place, we then had to create  hybrid to Office 365. Below are some really useful PowerShell Commands I used during the implementation.

Installing Exchange 2016 Pre Requisites 

Install-WindowsFeature AS-HTTP-Activation, Server-Media-Foundation, 
NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, 
RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, 
RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, 
Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, 
Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, 
Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, 
Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, 
Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, 
Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, 
RSAT-ADDS

Collecting Virtual Directory Details 

Outlook Anywhere

Get-OutlookAnywhere -AdPropertiesonly | Select server,Internalhostname,
Externalhostname

Outlook Web Access

Get-OWAVirtualDirectory -AdPropertiesOnly | Select Server,InternalURL,
ExternalURL

Exchange Control Panel

Get-ECPVirtualDirectory -AdPropertiesOnly | Select Server,InternalURL,
ExternalURL

Outlook Address Book

Get-OABVirtualDirectory -AdPropertiesOnly | Select Server,InternalURL,
ExternalURL

Web Services

Get-WebServicesVirtualDirectory -AdPropertiesOnly | Select Server,
InternalURL,ExternalURL

MAPI

Get-MAPIVirtualDirectory -AdPropertiesOnly | Select Server,InternalURL,
ExternalURL

Active Sync

Get-ActiveSyncVirtualDirectory -AdPropertiesOnly | Select Server,
InternalURL,ExternalURL

 

AutoDiscover

Collecting the AutoDiscover URI for Exchange 2010 Servers in the environment

Get-ClientAccessServer -identity SERVERNAME|select Name,
AutodiscoverServiceInternalURI |FL

Setting the AutoDiscover URI on the newly installed Exchange 2016 Server

Set-ClientAccessService -identity SERVERNAME -AutodiscoverServiceInternalURI 
https://mail.domainname.com/autodiscover/autodiscover.xml

 

Exchange 2016 CU7 Hybrid Gotcha!!!

So after a successful deployment of Exchange 2016 the next step was to create a hybrid to Office 365 Exchange Online, Simple as Exchange 2016 was “Born in the cloud” according to Microsoft. NOT SO!!! – I downloaded the latest version of Exchange 2016 which at the time was CU7, but when configuring the hybrid it would just sit at adding Federated Domain.

A bug slipped into Exchange 2016 CU7 which prevents the HCW from completing. The HCW fails to get past the domain ownership validation:


No matter how hard you try, you can’t get past this screen.

Fortunately CU8 was release 19th December 2017 – So I spent the next day patching my newly installed Exchange environment. – then completing the Hybrid configuration.

Exchange 2010–Office 365 Hybrid Setup – Remote Powershell

Recently I have been getting issues with performing a hybrid configuration from an on premise Exchange 2010 Server running the latest services packs and meeting all the required pre requisites to perform a Hybrid configuration to Office 365.

One of the first steps is to connect your on Premise exchange server to Office 365 using remote PowerShell, following the how to guide it tells you to connect to the following URI in the command below:

$session = new-pssession -configurationname microsoft.exchange -connectionuri https//ps.outlook.com/powershell/ -credential $o365cred -authentication basic

When you run this command you will get the following error:

ps.outlook.com] The WinRM service cannot process the request because the request needs to be sent to a different machine. Use the redirect information to send the request to a new machine. Redirect location reported: https://ps.outlook.com/PowerShell-LiveID?PSVersion=2.0 . To automatically connect to the redirected URI, verify “MaximumConnectionRedirectionCount” property of session preference variable “PSSessionOption” and use “AllowRedirection” parameter on the cmdlet.+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [], PSRemotingTransportRed
irectException + FullyQualifiedErrorId : PSSessionOpenFailed

After speaking with Microsoft I have identified the URI has changed to https://outlook.office365.com/powershell-liveid/

and the Powershell command is slightly different to include the –AllowRedirection as there are multiple servers to connect to.

The command that worked for me was the following:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Connect to Exchange Online using remote PowerShell

What do you need to know before you begin?

  • You can use the following versions of Windows:
    • Windows 8 or Windows 8.1
    • Windows Server 2012 or Windows Server 2012 R2
    • Windows 7 Service Pack 1 (SP1)*
    • Windows Server 2008 R2 SP1*

* You need to install the Microsoft .NET Framework 4.5 or 4.5.1 and then either the Windows Management Framework 3.0 or the Windows Management Framework 4.0. For more information, see Installing the .NET Framework 4.5, 4.5.1 and Windows Management Framework 3.0 or Windows Management Framework 4.0.

Connect to Exchange Online

  1. On your local computer, open Windows PowerShell and run the following command.
    $UserCredential = Get-Credential

    In the Windows PowerShell Credential Request dialog box, type your Exchange Online user name and password, and then click OK.

  2. Run the following command.

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

    Note   If you are an Office 365 operated by 21Vianet customer in China, use the following value for the ConnectionUri parameter: https://partner.outlook.cn/PowerShell.

  3. Run the following command.

    Import-PSSession $Session

NoteNote:

Be sure to disconnect the remote PowerShell session when you’re finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you’ll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.

Remove-PSSession $Session

How do you know this worked?

After Step 3, the Exchange Online cmdlets are imported into your local Windows PowerShell session as tracked by a progress bar. If you don’t receive any errors, you connected successfully. A quick test is to run an Exchange Online cmdlet—for example, Get-Mailbox—and see the results.

If you receive errors, check the following requirements:

  • A common problem is an incorrect password. Run the three steps again and pay close attention to the user name and password you enter in Step 1.
  • To help prevent denial-of-service (DoS) attacks, you’re limited to three open remote PowerShell connections to your Exchange Online organization.
  • Windows PowerShell needs to be configured to run scripts. You only need to configure this setting once on your computer, not every time you connect. To enable Windows PowerShell to run signed scripts, run the following command in an elevated Windows PowerShell window (a Windows PowerShell window you opened by selecting Run as administrator).

    Set-ExecutionPolicy RemoteSigned
  • The account you use to connect to Exchange Online must be enabled for remote Shell. For more information, see Manage remote PowerShell access in Exchange Online.
  • TCP port 80 traffic needs to be open between your local computer and Exchange Online. It’s probably open, but it’s something to consider if your organization has a restrictive Internet access policy.