Microsoft – Exchange KB

Microsoft Admin Portals

November 9, 2020January 8, 2021Godwin DanielLeave a comment

Microsoft 365 Admin Portals

Portal Name	URL
Microsoft 365 Admin Portal	https://admin.microsoft.com/
Microsoft 365 Compliance	https://compliance.microsoft.com/
Microsoft Endpoint Manager Admin Console	https://endpoint.microsoft.com/
Microsoft Endpoint Manager Admin Console (old)	https://devicemanagement.portal.azure.com/
Exchange Admin Center (new)	https://admin.exchange.microsoft.com/
Exchange Admin Center (old)	https://outlook.office365.com/ecp/
Microsoft Teams Admin Center	https://admin.teams.microsoft.com/
SharePoint Admin Center	https://admin.microsoft.com/sharepoint
OneDrive Admin Center	https://admin.onedrive.com/
Apps Admin Center	https://config.office.com/officeSettings#
Power BI Admin Portal	https://app.powerbi.com/admin-portal/usageMetrics?noSignUpCheck=1
Power Platform admin center	https://admin.powerplatform.microsoft.com/
Microsoft Stream Admin Center	https://web.microsoftstream.com/admin
Skype for Business admin center (deprecated)	https://webdir2a.online.lync.com/LSCP
Kaizala Management Portal	https://manage.kaiza.la/
Yammer Admin	https://www.yammer.com/office365/admin
Microsoft Store for Business	https://businessstore.microsoft.com/
Microsoft Store for Education	https://educationstore.microsoft.com/
Microsoft Partner Center	https://partner.microsoft.com/dashboard
Microsoft Remote Connectivity Analyzer	https://testconnectivity.microsoft.com
Microsoft 365 network connectivity test	https://connectivity.office.com/
Microsoft Call Quality Dashboard	https://cqd.teams.microsoft.com/

Azure IT Admin Portals

Portal Name	URL
Microsoft Azure Portal	https://portal.azure.com/
Microsoft Azure (Release Candidate)	https://rc.portal.azure.com/
Microsoft Azure (Preview)	https://preview.portal.azure.com/
Azure Resource Explorer	https://resources.azure.com/
Azure Cloud Shell	https://shell.azure.com/
Azure Active Directory admin center	https://aad.portal.azure.com/
Azure Cosmos DB	https://cosmos.azure.com/
Azure Data Factory	https://adf.azure.com/
Azure Cognitive Services Custom Translator	https://portal.customtranslator.azure.ai/
Azure Non-profit Portal	https://nonprofit.microsoft.com/#/ngoportal

Azure IT Admin Portals – Sub Portal Links

Portal Name	URL
Azure Security Center	https://portal.azure.com…

Microsoft Licensing/Support Portals

Portal Name	URL
Volume Licensing Service Center	https://www.microsoft.com/Licensing/servicecenter/
Next Generation Volume Licensing	https://businessaccount.microsoft.com/
Microsoft Azure Enterprise Portal	https://ea.azure.com/
Microsoft Services Hub	https://serviceshub.microsoft.com/
Microsoft License Advisor	https://mla.microsoft.com/
Microsoft Partner Center	https://partner.microsoft.com/
Azure Subscriptions	https://account.azure.com/Subscriptions

Security / Defender IT Admin Portals

Portal Name	URL
Microsoft Cloud App Security	https://portal.cloudappsecurity.com/
Microsoft Defender for Endpoints (Previously Defender ATP)	https://securitycenter.windows.com/
Microsoft 365 Defender	https://security.microsoft.com/
Office 365 Security & Compliance	https://protection.office.com/
Microsoft Defender for Identity (Previously Azure ATP)	https://portal.atp.azure.com/
Multi-factor authentication	https://account.activedirectory.windowsazure.com…

Developer Portals

Portal Name	URL
Graph Explorer	https://developer.microsoft.com/en-us/graph/graph-explorer
Azure DevOps	https://dev.azure.com/
Visual Studio Subscriptions	https://my.visualstudio.com/
Visual Studio Subscriptions Management	https://manage.visualstudio.com/
Adaptive Cards	https://adaptivecards.io/

Other Useful Microsoft Portals

Portal Name	URL
Office 365 Anti-Spam IP Delist Portal	https://sender.office.com/
Azure Status	https://status.azure.com/
Azure DevOps Status	https://status.dev.azure.com/
Windows Virtual Desktop Consent Page	https://rdweb.wvd.microsoft.com/
Customer Digital Experiences	http://demos.microsoft.com/
Group Policy Search	https://gpsearch.azurewebsites.net/
Microsoft Startups	https://portal.startups.microsoft.com/
Office UI Fabric Icons	https://uifabricicons.azurewebsites.net/
Become Microsoft Certified	https://query.prod.cms.rt.microsoft.com…
Tech Community Video Hub	https://techcommunity.microsoft.com/t5/video-hub/ct-p/VideoHub
Microsoft Azure Sponsorships	https://www.microsoftazuresponsorships.com/
Microsoft Dynamics Lifecycle Services	https://lcs.dynamics.com/
Microsoft MVP	https://mvp.microsoft.com/

Portal Name	URL
What is my Microsoft Azure and Office 365 tenant ID?	https://www.whatismytenantid.com/
Office 365 ATP Safe Links Decoder	https://o365atp.com/
Message Header Analyzer	https://mha.azurewebsites.net/
Tenant Availability Check	https://o365.rocks/

Reference: https://msportals.xyz/

Block File Sharing in Teams

June 26, 2020June 27, 2020Godwin Daniel9 Comments

COVID-19 has led many IT Departments scrambling to roll out some form of conference/ collaboration tool as many had to work remotely. This has affected organizations that where were not agile or cloud agnostic by not adopting to modern workplace earlier on.

Microsoft Teams runs on SharePoint Online, OneDrive in its core, organizations running on-premises compliance/DLP solutions will find it hard to put in controls for data in the cloud, not being an early adopter, and having to enable collaboration tools such as Microsoft Teams is a daunting task when you want to protect the organizational data from going walkabouts. If your organization is one of those, which is like a cat on the wall – how do we do it?

Block File sharing in Teams by:

1. Not assigning a SharePoint Online license for End-users
2. Not creating a Teams or Channels, if you do….
3. Create Teams for your organization but remove the Teams members from having EDIT permission on the Teams SharePoint Site.
4. Additionally if the tenant has Microsoft Cloud App Security enabled – create a session based conditional policy, which blocks upload and download of files in Teams and SharePoint Online.

SharePoint Online License – by not assigning this you deprive the end users from accessing OneDrive for business, which is primary storage for file sharing when it comes to 1-1 and group chats.

Creating a Team – when a team is created with members, this creates a SharePoint online site, which by default allows members to have edit permission on the site. By removing the EDIT permission from the Team site leaves members with only read permission leaving only the owner of the Team/SharePoint site full permission, no just do not assign or delegate the owner permission to a regular user.

Microsoft Cloud App Security – is a Microsoft CASB solution (Cloud Access Security Broker) acts as a reverse proxy. A session based conditional policy can be configured to prevent file uploads/downloads in Teams/Sharepoint site, caveat this only works when accessing them via Web but not through desktop client, hence the above point – remove EDIT permission for Team members. MCAS gives you an insight and alert when someone does indeed try to upload a file as it will block and alert the admin.

Now that you have control of filesharing and enabled Microsoft Teams, start strategic roll out of cloud solutions for DLP, Information protection and governance, classification – all of this is available via Microsoft 365 through Azure Information Protection, DLP, Azure and Defender ATP which can scan and classify your organization data automatically based on data sensitivity you can control.

Licenses could not be assigned or removed due to an error -Azure AD group based licenses

June 5, 2020June 5, 2020Godwin DanielLeave a comment

Scenario: Group based licensing is enabled in Azure AD. Exchange online is not assigned through the group based licensed. Newly added users to the group fail to get licenses assigned via the group. Reprocessing the group based license throws error:

Licenses could not be assigned or removed due to an error

Solution: A recent service plan backfilled by the O365 Commerce Team into the Office and Microsoft SKUs Microsoft Bookings a has been added as Enabled on all the licenses. This service plan has a dependency on Exchange Online (Plan 1) or Exchange Online (Plan2).

Disabling the Microsoft Bookings service plan in the affected groups should resolve the licensing error.

Kill all active user sessions in any Azure AD/ Office 365 application

March 28, 2020March 28, 2020Godwin Daniel4 Comments

If you are are ever in a situation where you have to deal with a compromised O365 account or situation similar to mine where users were assigned Onedrive/SPO license and you want to revoke them and stop users from using them immediately, the below cmdlet is much helpful.

If you are dealing with a large group of users, you may tire your fingers clicking on “initiate sign-out” or better get all members of the group and use cmdlet Revoke-AzureADUserAllRefreshToken which invalidates the refresh tokens issued to applications for a user. The cmdlet also invalidates tokens issued to session cookies in a browser for the user. The cmdlet operates by resetting the refreshTokensValidFromDateTime user property to the current date and time.

Get the group objectid

Get-MsolGroup [groupname] | fl ObjectId

Next, export the users of the group to a csv

Get-MsolGroupMember -GroupObjectId xxxxx-xxxxx-xxxxx-xxxxx | Select-Object EmailAddress | Export-Csv -Path c:\temp\users.csv

Import the csv and revoke th refresh token for these users.

Import-CSV “c:\temp\users.csv” | % {Get-AzureADUser -SearchString $_.emailaddress | Revoke-AzureADUserAllRefreshToken}

Add Fullmailbox Permission in PowerShell using a CSV file

September 24, 2018Godwin DanielLeave a comment

Create a CSV with following fields and save it in a temp folder

UserMailbox and User

copy the below and save as .ps1 file in the same temp folder e.g C:\temp

$csv = Import-csv -path “C:\temp\fullaccess.csv”
foreach($User in $csv)
{
Add-MailboxPermission -Identity $user.UserMailbox -User $user.User -AccessRights FullAccess -InheritanceType All
}

Run the script to apply permissions

Force a sync from Azure AD Connect to Office 365

June 29, 2018March 28, 2020Godwin DanielLeave a comment

AAD sync runs every 30 minutes, we are several situations where you cant wait 30 minutes for a change to sync across, you still want to force a sync. To do so, on the server which has AAD Connect installed and type the following to import the AAD Connect PowerShell module:

Import-Module ADSync

You check the current settings of the sync scheduler

Get-ADSyncScheduler

adsync01

To force a delta sync, you the following PowerShell command:

Start-ADSyncSyncCycle -PolicyType Delta

adsync02

If you want to force an initial (full) sync, use this command:

Start-ADSyncSyncCycle -PolicyType Initial

Export Calendar permissions for specific OU

June 11, 2018Godwin DanielLeave a comment

The below has been tested on exchange 2010 to export calendar permissions for mailboxes in a specific OU.

# Get the mailboxes
$Mailboxes = get-mailbox -OrganizationalUnit “OU=Users,DC=Contoso,DC=local” -Filter {RecipientTypeDetails -eq “usermailbox”} -ResultSize Unlimited

# An array for the output
$Output = @()

# Loop through the mailboxes
ForEach ($Mailbox in $Mailboxes) {
# Get the name of the calendar folder
$Calendar = (($Mailbox.PrimarySmtpAddress.ToString())+ “:\” + (Get-MailboxFolderStatistics -Identity $Mailbox.DistinguishedName -FolderScope Calendar | Select-Object -First 1).Name)

# Get the permissions on the folder
$Permissions = Get-MailboxFolderPermission -Identity $Calendar

# Loop through the permissions, populating the output array
ForEach ($Permission in $Permissions) {
$Permission | Add-Member -MemberType NoteProperty -Name “Mailbox” -value $Mailbox.DisplayName
$Output = $Output + $Permission
}
}

# Write the output to a CSV file
$Output | Select-Object Mailbox, User, {$_.AccessRights}, IsValid | Export-Csv -Path C:\temp\Calendarpermissions.csv -NoTypeInformation

Filtering to the specific OU is very useful if you are managing multi-tenant exchange environment. Modify the above script as per your needs and save as .ps1 to run on powershell.

Get-MailboxStatistics to export Mailbox size in Exchange Powershell

June 5, 2018June 6, 2018Godwin DanielLeave a comment

Use the below to export mailbox statistics from exchange PowerShell. There are different commands which help you filter and manipulate the exported data.

The exported information is always useful during Office 365 migration to assess mailbox sizes and item counts, last login time and required bandwidth.

Export Mailbox size and statistics of all users
get-mailbox -resultsize unlimited | get-mailboxstatistics | ft DisplayName,TotalItemSize,Itemcount | export-csv C:\temp\mailboxstatistics.csv
Export Mailbox statistics for a specific OU (organizational unit)

get-mailbox -OrganizationalUnit “OU=Sales,OU=London Staff,DC=contoso,DC=local” -resultsize unlimited | get-mailboxstatistics | ft DisplayName,TotalItemSize,Itemcount | export-csv C:\temp\salesstaffmbstats.csv

Export Mailbox statistics based on domain address

In this example we use the where cmdlet to specify the search filter base. In the below example I am searching for users with specific email address, useful in a multi tenant environment.

Here I am trying to export mailbox statistics for specific set of users who have exchangekb as their email address suffix.

get-mailbox | where {$_.EmailAddresses -like “*exchangekb*”} | get-mailboxstatistics | select-object displayname, totalitemsize, itemcount, lastlogontime, exchangeguid | export-csv C:\temp\exchangekbstats.csv

How to Adjust the link expiration time in Office 365 Message Encryption for encypted emails

June 1, 2018June 1, 2018Godwin DanielLeave a comment

With the new Office 365 Message Encryption feature helps enable non-Office 365 recipients of protected emails to read and respond with ease, regardless of the device, app, service, or identity they use to receive their email. Yayy!! that is great no longer need to download software etc but now another challenge, when recipient see this message that the link will expire after 2 months –

Joe.bloggs@contoso.com has sent you a protected message.
Read the message

This link will expire on August 01, 2018
Learn about messages protected by Office 365

Any way or form to change the expiry of link is not available yet and perhaps by voting on Office365 Uservoice using the below link will get Microsoft to address this soon.

Allow for adjusting the link expiration time for an OME v2 encrypted message. – Customer Feedback for Microsoft Office 365

Exchange 2013 Emails stuck in Drafts

March 19, 2014March 31, 2014Godwin Daniel8 Comments

No outgoing Emails in Exchange 2013 fresh install , sent emails get stuck in Drafts folder in OWA,

Scenario: The problematic environment was a fresh install of exchange 2013, no migration and new mailboxes were created, but when emails were sent they got stuck in the drafts folder, OWA or outlook both failed sending emails. This is a 2012 environment, main DC and a member 2012 server, both being virtual and the server hosting exchange was a clone server.

Diagnosis: After enabling verbose logging on the default receive connector, the following error messages were seen in the SMTP recieve located here: C:\Program Files\MicrosoftExchange Server\V15\TransportRoles\Logs\Hub\ProtocolLogSmtpReceive\

X.X.X.X:2525,X.X.X.X:53103,>,421 4.3.2 Service not available,

Enabled kerberos logging using :http://support.microsoft.com/default.aspx?scid=kb;EN-US;262177

after this checked the eventlogs showed a huge number of Kerberos related errors under System:

A Kerberos error message was received:
on logon session DOMAIN.LOCALExchangeservername$
Client Time:
Server Time: 0:35:49.0000 3/19/2014 Z
Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN

Checked to make sure all services are running and checking SPN are set correctly using the setspn commands:

setspn -L hostname
setspn -r AccountName

more details here: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

Also checked to make sure correct DNS settings were used in the Exchange server under EAC=>Servers=>edit=>DNS lookups.

In my case both internal and external lookups were set to ” all network adapters ipv4″

Solution: Eventually it turned out to be the Security Policy setting wasnt enabled for Access this computer from the network Policy in Group Policy

The default domain policy was applied to the OU where the Exchange 2013 server was, hence updated default domain policy: so open Group Policy Editor and go to

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Put a tick on Define these policy settings and add the default groups as per : http://technet.microsoft.com/en-us/library/cc740196(v=ws.10).aspx

Administrators
Backup Operators
Users
Everyone

Please note this is a 2012 server and for some reason there are no power users as per the article.

Did a gpupdate /force on DC and exchange and reboot exchange services and voila all stuck emails were going out one at a time.

At this point in time the kerberos errors are still being generated, I still need to fix this…more soon.

	SBX on Manage Exchange 2010 Calendar…
	Abdulrehman Altaf (@… on Block File Sharing in Tea…
	Shakthi on Kill all active user sessions…
	Godwin Daniel on Recover deleted Active directo…
	ANTONIO on Recover deleted Active directo…