Passwordless sign-in to Office 365

Today I was busy hardening my Office 365 security and came to the topic of passwordless sign-in. I had heard about it at recent events like Experts Live and Ignite, so it was time to configure it.

What is passwordless sign-in

Passwordless sign-in is a different way of logging in to Azure AD. Instead of typing an old-school password, you confirm the sign-in by matching a number shown on the sign-in page in the Microsoft Authenticator app. As you all know, Microsoft considers old-school passwords no longer safe, and logically that is true. A password is just a set of characters that the user knows and the server stores: it can be phished, reused from a breach, guessed, or cracked offline once a hash leaks. Complexity rules do not change that. In a password like "Welcome123!@" a capital W or a symbol like @ only enlarges the search space a little; length is the only real difficulty you can add, and even then it is just a matter of time until someone who has the hash cracks it.

How does it work

This new method lets you replace your password completely: the Microsoft Authenticator app on your phone is the first factor, and the biometric or PIN that unlocks it (for example Touch ID) is the second factor. During sign-in Azure AD shows a number on the sign-in page and you select the matching number in the app, which proves you are looking at that specific prompt and not at one an attacker triggered. Because of this two-way exchange with the identity provider (IdP), in this case Azure AD, the phone itself becomes a strong, device-bound credential and a password is no longer required.

I think this way of authentication, combined with Windows Hello for Business, is where safe authentication is heading.

Configuration

To start configuring passwordless sign-in we need PowerShell. I used Azure Cloud Shell, the browser-based PowerShell that is part of the Azure portal.


When you press the Cloud Shell button in the Azure portal a Cloud Shell session starts (you need a storage account for this).
Once the shell is up, it is time to configure passwordless sign-in.


Type or copy the following command. No worries: it only makes the option available alongside the other authentication methods, nobody is forced onto it.

New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignIn


When this is done you have configured passwordless sign-in and it is time to try it out. Test it first with a few pilot users. Users still have to set up phone sign-in in the Authenticator app themselves, so enabling the policy will not lock anyone out, but the impact on the sign-in experience can be high.
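As an added example (not from the original post), here is an idempotent version of that command: it looks for an existing AuthenticatorAppSignInPolicy, creates or updates it, and reads the definition back so you can confirm the method is really advertised. It assumes the AzureADPreview module and an active Connect-AzureAD session with Global Administrator rights; the policy type and definition are the ones from the command above.

```powershell
# Added example, not part of the original post. Requires the AzureADPreview
# module and a Connect-AzureAD session with Global Administrator rights.
$Definition = '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}'

function Get-AuthenticatorSignInPolicy {
    # Only one policy of this type should exist as the organization default
    Get-AzureADPolicy | Where-Object { $_.Type -eq 'AuthenticatorAppSignInPolicy' }
}

function Enable-AuthenticatorSignIn {
    $existing = Get-AuthenticatorSignInPolicy
    if ($existing) {
        # Running New-AzureADPolicy again could leave a duplicate behind,
        # so update the existing policy in place instead
        Set-AzureADPolicy -Id $existing.Id -Definition $Definition -IsOrganizationDefault $true
    }
    else {
        New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition $Definition `
            -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignIn | Out-Null
    }

    # Read the policy back; returns $true only when the tenant now advertises the method
    $policy = Get-AuthenticatorSignInPolicy
    $parsed = $policy.Definition | ConvertFrom-Json
    [bool]$parsed.AuthenticatorAppSignInPolicy.Enabled
}

Enable-AuthenticatorSignIn
```

The read-back at the end is the check to keep: a policy that exists but is not the organization default, or whose definition was mistyped, would otherwise look configured while users never see the new option.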

Issues

There are still some issues because this functionality is still in preview. The current issues concern:

  • ADFS integrated with Azure AD
  • Azure MFA
  • Only one device can be registered per user

For more information, see the Microsoft docs on passwordless sign-in.

Exchange build numbers and versions

I have created a list with all Exchange build numbers and version numbers. The list starts with Exchange 2010 because everything before 2010 is end of life. In the future I will mark the RUs and CUs that contain a schema change differently.

Exchange Server 2019 build numbers

Below you find a table with all the build numbers for Exchange Server 2019.

Build          | Description                                              | Release date
---------------|----------------------------------------------------------|----------------
15.02.0330.007 | Security Update for Exchange Server 2019 CU1 (KB4487563) | 2019 April 9
15.02.0330.006 | CU1 for Exchange Server 2019 (KB4471391)                 | 2019 February 12
15.02.0221.016 | Security Update for Exchange Server 2019 RTM (KB4487563) | 2019 April 9
15.02.0221.014 | Security Update for Exchange Server 2019 RTM (KB4471389) | 2019 January 9
15.02.0221.012 | Exchange Server 2019 RTM                                 | 2018 October 22
15.02.0196.000 | Exchange Server 2019 Preview                             | 2018 July 24

Exchange Server 2016 build numbers

Below you find a table with all the build numbers for Exchange Server 2016.

Build          | Description                                               | Release date
---------------|-----------------------------------------------------------|----------------
15.01.1713.006 | Security Update for Exchange Server 2016 CU12 (KB4487563) | 2019 April 9
15.01.1713.005 | CU12 for Exchange Server 2016 (KB4471392)                 | 2019 February 12
15.01.1591.016 | Security Update for Exchange Server 2016 CU11 (KB4487563) | 2019 April 9
15.01.1591.013 | Security Update for Exchange Server 2016 CU11 (KB4471389) | 2019 January 9
15.01.1591.010 | CU11 for Exchange Server 2016 (KB4134118)                 | 2018 October 16
15.01.1531.010 | Security Update for Exchange Server 2016 CU10 (KB4471389) | 2019 January 9
15.01.1531.008 | Security Update for Exchange Server 2016 CU10 (KB4459266) | 2018 October 9
15.01.1531.006 | Security Update for Exchange Server 2016 CU10 (KB4340731) | 2018 August 14
15.01.1531.003 | CU10 for Exchange Server 2016 (KB4099852)                 | 2018 June 19
15.01.1466.012 | Security Update for Exchange Server 2016 CU9 (KB4459266)  | 2018 October 9
15.01.1466.010 | Security Update for Exchange Server 2016 CU9 (KB4340731)  | 2018 August 14
15.01.1466.008 | Security Update for Exchange Server 2016 CU9 (KB4092041)  | 2018 May 8
15.01.1466.003 | CU9 for Exchange Server 2016 (KB4055222)                  | 2018 March 20
15.01.1415.007 | Security Update for Exchange Server 2016 CU8 (KB4092041)  | 2018 May 8
15.01.1415.002 | CU8 for Exchange Server 2016 (KB4035145)                  | 2017 December 19
15.01.1261.037 | Security Update for Exchange Server 2016 CU7 (KB4045655)  | 2017 December 12
15.01.1261.035 | CU7 for Exchange Server 2016 (KB4018115)                  | 2017 September 19
15.01.1034.033 | Security Update for Exchange Server 2016 CU6 (KB4045655)  | 2017 December 12
15.01.1034.032 | Security Update for Exchange Server 2016 CU6 (KB4036108)  | 2017 September 12
15.01.1034.026 | CU6 for Exchange Server 2016 (KB4012108)                  | 2017 June 27
15.01.0845.039 | Security Update for Exchange Server 2016 CU5 (KB4036108)  | 2017 September 12
15.01.0845.036 | Security Update for Exchange Server 2016 CU5 (KB4018588)  | 2017 July 11
15.01.0845.034 | CU5 for Exchange Server 2016 (KB4012106)                  | 2017 March 21
15.01.0669.032 | CU4 for Exchange Server 2016 (KB3177106)                  | 2016 December 13
15.01.0544.030 | MS17-015 Security Update for Exchange Server 2016 CU3     | 2017 March 14
15.01.0544.027 | CU3 for Exchange Server 2016 (KB3152589)                  | 2016 September 20
15.01.0466.037 | MS16-108 Security Update for Exchange Server 2016 CU2     | 2016 September 13
15.01.0466.034 | CU2 for Exchange Server 2016 (KB3135742)                  | 2016 June 21
15.01.0396.037 | MS16-108 Security Update for Exchange Server 2016 CU1     | 2016 September 13
15.01.0396.033 | MS16-079 Security Update for Exchange Server 2016 CU1     | 2016 June 14
15.01.0396.030 | CU1 for Exchange Server 2016 (KB3134844)                  | 2016 March 15
15.01.0225.049 | MS16-079 Security Update for Exchange Server 2016 RTM     | 2016 June 14
15.01.0225.042 | Exchange Server 2016 RTM                                  | 2015 September 28
15.01.0225.016 | Exchange Server 2016 Preview                              | 2015 July 15

Exchange Server 2013 build numbers

Below you find a table with all the build numbers for Exchange Server 2013.

Build          | Description                                               | Release date
---------------|-----------------------------------------------------------|----------------
15.00.1473.004 | Security Update for Exchange Server 2013 CU22 (KB4487563) | 2019 April 9
15.00.1473.003 | CU22 for Exchange Server 2013 (KB4345836)                 | 2019 February 12
15.00.1395.010 | Security Update for Exchange Server 2013 CU21 (KB4471389) | 2019 January 9
15.00.1395.008 | Security Update for Exchange Server 2013 CU21 (KB4459266) | 2018 October 9
15.00.1395.007 | Security Update for Exchange Server 2013 CU21 (KB4340731) | 2018 August 14
15.00.1395.004 | CU21 for Exchange Server 2013 (KB4099855)                 | 2018 June 19
15.00.1367.009 | Security Update for Exchange Server 2013 CU20 (KB4340731) | 2018 August 14
15.00.1367.006 | Security Update for Exchange Server 2013 CU20 (KB4092041) | 2018 May 8
15.00.1367.003 | CU20 for Exchange Server 2013 (KB4055221)                 | 2018 March 20
15.00.1365.007 | Security Update for Exchange Server 2013 CU19 (KB4092041) | 2018 May 8
15.00.1365.001 | CU19 for Exchange Server 2013 (KB4037224)                 | 2017 December 19
15.00.1347.003 | Security Update for Exchange Server 2013 CU18 (KB4045655) | 2017 December 12
15.00.1347.002 | CU18 for Exchange Server 2013 (KB4022631)                 | 2017 September 19
15.00.1320.007 | Security Update for Exchange Server 2013 CU17 (KB4045655) | 2017 December 12
15.00.1320.006 | Security Update for Exchange Server 2013 CU17 (KB4036108) | 2017 September 12
15.00.1320.004 | CU17 for Exchange Server 2013 (KB4012114)                 | 2017 June 27
15.00.1293.006 | Security Update for Exchange Server 2013 CU16 (KB4036108) | 2017 September 12
15.00.1293.004 | Security Update for Exchange Server 2013 CU16 (KB4018588) | 2017 July 11
15.00.1293.002 | CU16 for Exchange Server 2013 (KB4012112)                 | 2017 March 21
15.00.1263.005 | CU15 for Exchange Server 2013 (KB3197044)                 | 2016 December 13
15.00.1236.006 | MS17-015 Security Update for Exchange Server 2013 CU14    | 2017 March 14
15.00.1236.003 | CU14 for Exchange Server 2013 (KB3177670)                 | 2016 September 20
15.00.1210.006 | MS16-108 Security Update for Exchange Server 2013 CU13    | 2016 September 13
15.00.1210.003 | CU13 for Exchange Server 2013 (KB3135743)                 | 2016 June 21
15.00.1178.009 | MS16-108 Security Update for Exchange Server 2013 CU12    | 2016 September 13
15.00.1178.006 | MS16-079 Security Update for Exchange Server 2013 CU12    | 2016 June 14
15.00.1178.004 | CU12 for Exchange Server 2013 (KB3108023)                 | 2016 March 15
15.00.1156.010 | MS16-079 Security Update for Exchange Server 2013 CU11    | 2016 June 14
15.00.1156.006 | CU11 for Exchange Server 2013 (KB3099522)                 | 2015 December 10
15.00.1130.007 | CU10 for Exchange Server 2013 (KB3078678)                 | 2015 September 15
15.00.1104.005 | CU9 for Exchange Server 2013 (KB3049849)                  | 2015 June 16
15.00.1076.009 | CU8 for Exchange Server 2013 (KB3030080)                  | 2015 March 17
15.00.1044.025 | CU7 for Exchange Server 2013 (KB2986485)                  | 2014 December 9
15.00.0995.029 | CU6 for Exchange Server 2013 (KB2961810)                  | 2014 August 26
15.00.0913.022 | CU5 for Exchange Server 2013 (KB2936880)                  | 2014 May 27
15.00.0847.062 | Security Update for Exchange Server 2013 SP1 (KB4092041)  | 2018 May 8
15.00.0847.057 | Security Update for Exchange Server 2013 SP1 (KB4036108)  | 2017 September 12
15.00.0847.055 | Security Update for Exchange Server 2013 SP1 (KB4018588)  | 2017 July 11
15.00.0847.053 | MS17-015 Security Update for Exchange Server 2013 SP1     | 2017 March 14
15.00.0847.050 | MS16-108 Security Update for Exchange Server 2013 SP1     | 2016 September 13
15.00.0847.047 | MS16-079 Security Update for Exchange Server 2013 SP1     | 2016 June 14
15.00.0847.032 | Service Pack 1 / CU4 for Exchange Server 2013 (KB2926248) | 2014 February 25
15.00.0775.041 | CU3 for Exchange Server 2013 (KB2892464)                  | 2013 December 5
15.00.0712.024 | CU2 Version 2 for Exchange Server 2013 (KB2859928)        | 2013 July 29
15.00.0712.022 | CU2 for Exchange Server 2013 (KB2859928)                  | 2013 July 29
15.00.0620.029 | CU1 for Exchange Server 2013 (KB2816900)                  | 2013 April 2
15.00.0516.032 | Exchange Server 2013 RTM                                  | 2012 December 3

Exchange Server 2010 build numbers

Below you find a table with all the build numbers for Exchange Server 2010.

Build          | Description                                                          | Release date
---------------|----------------------------------------------------------------------|----------------
14.03.0442.000 | Update Rollup 26 for Exchange Server 2010 SP3 (KB4487052)            | 2019 February 12
14.03.0435.000 | Update Rollup 25 for Exchange Server 2010 SP3 (KB4468742)            | 2019 January 8
14.03.0419.000 | Update Rollup 24 for Exchange Server 2010 SP3 (KB4458321)            | 2018 September 11
14.03.0417.001 | Update Rollup 23 for Exchange Server 2010 SP3 (KB4340733)            | 2018 August 14
14.03.0411.000 | Update Rollup 22 for Exchange Server 2010 SP3 (KB4295699)            | 2018 June 19
14.03.0399.002 | Update Rollup 21 for Exchange Server 2010 SP3 (KB4091243)            | 2018 May 8
14.03.0389.001 | Update Rollup 20 for Exchange Server 2010 SP3 (KB4073537)            | 2018 March 5
14.03.0382.000 | Update Rollup 19 for Exchange Server 2010 SP3 (KB4035162)            | 2017 December 19
14.03.0361.001 | Update Rollup 18 for Exchange Server 2010 SP3 (KB4018588)            | 2017 July 11
14.03.0352.000 | Update Rollup 17 for Exchange Server 2010 SP3 (KB4011326)            | 2017 March 21
14.03.0339.000 | Update Rollup 16 for Exchange Server 2010 SP3 (KB3184730)            | 2016 December 13
14.03.0319.002 | Update Rollup 15 (MS16-108) for Exchange Server 2010 SP3 (KB3184728) | 2016 September 13
14.03.0301.000 | Update Rollup 14 (MS16-079) for Exchange Server 2010 SP3 (KB3151097) | 2016 June 14
14.03.0294.000 | Update Rollup 13 for Exchange Server 2010 SP3 (KB3141339)            | 2016 March 15
14.03.0279.002 | Update Rollup 12 for Exchange Server 2010 SP3 (KB3096066)            | 2015 December 10
14.03.0266.001 | Update Rollup 11 for Exchange Server 2010 SP3 (KB3078674)            | 2015 September 15
14.03.0248.002 | Update Rollup 10 for Exchange Server 2010 SP3 (KB3049853)            | 2015 June 16
14.03.0235.001 | Update Rollup 9 for Exchange Server 2010 SP3 (KB3030085)             | 2015 March 17
14.03.0224.002 | Update Rollup 8 v2 for Exchange Server 2010 SP3 (KB2986475)          | 2014 December 12
14.03.0224.001 | Update Rollup 8 v1 for Exchange Server 2010 SP3 (recalled)           | 2014 December 9
14.03.0210.002 | Update Rollup 7 for Exchange Server 2010 SP3 (KB2961522)             | 2014 August 26
14.03.0195.001 | Update Rollup 6 for Exchange Server 2010 SP3 (KB2936871)             | 2014 May 27
14.03.0181.006 | Update Rollup 5 for Exchange Server 2010 SP3 (KB2917508)             | 2014 February 24
14.03.0174.001 | Update Rollup 4 for Exchange Server 2010 SP3 (KB2905616)             | 2013 December 9
14.03.0169.001 | Update Rollup 3 for Exchange Server 2010 SP3 (KB2891587)             | 2013 November 25
14.03.0158.001 | Update Rollup 2 for Exchange Server 2010 SP3 (KB2866475)             | 2013 August 8
14.03.0146.000 | Update Rollup 1 for Exchange Server 2010 SP3 (KB2803727)             | 2013 May 29
14.03.0123.004 | Service Pack 3 for Exchange Server 2010 (KB2808208)                  | 2013 February 12
14.02.0247.005 | Service Pack 2 for Exchange Server 2010                              | 2011 December 4
14.01.0218.015 | Service Pack 1 for Exchange Server 2010                              | 2010 August 23
14.00.0639.021 | Exchange Server 2010 RTM                                             | 2009 November 9
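As an added example, not part of the original post: a check that compares the build each server actually runs with the latest build from the tables above. Get-ExchangeServer's AdminDisplayVersion only shows the CU level; security updates only bump the file version of ExSetup.exe, so the script reads that file through the C$ admin share (an assumption about your environment and install path). The hashtable of latest builds is filled from the April 2019 rows above and has to be maintained as new updates ship.

```powershell
# Added example, not part of the original post. Run from the Exchange Management
# Shell on a machine that can reach the servers' C$ admin share.

# Latest build per CU line, taken from the tables above (April 2019 security updates).
# Key = major.minor.build of the CU, value = build including the latest security update.
$LatestBuilds = @{
    '15.2.330'  = [version]'15.2.330.7'    # Exchange 2019 CU1
    '15.2.221'  = [version]'15.2.221.16'   # Exchange 2019 RTM
    '15.1.1713' = [version]'15.1.1713.6'   # Exchange 2016 CU12
    '15.1.1591' = [version]'15.1.1591.16'  # Exchange 2016 CU11
    '15.0.1473' = [version]'15.0.1473.4'   # Exchange 2013 CU22
    '15.0.1395' = [version]'15.0.1395.10'  # Exchange 2013 CU21
}

function Get-ExchangeFileBuild {
    param([Parameter(Mandatory)][string]$ServerName)
    # Assumption: default install path, reachable over the admin share.
    # ExSetup.exe is re-versioned by every security update; AdminDisplayVersion is not.
    $exSetup = "\\$ServerName\C$\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup.exe"
    [version](Get-Item -LiteralPath $exSetup).VersionInfo.ProductVersion
}

function Test-ExchangeBuild {
    param([Parameter(Mandatory)][version]$Build)
    $cuLine = '{0}.{1}.{2}' -f $Build.Major, $Build.Minor, $Build.Build
    if (-not $LatestBuilds.ContainsKey($cuLine)) {
        $status   = 'CU not in the latest-build table: upgrade to a supported CU'
        $expected = $null
    }
    elseif ($Build -ge $LatestBuilds[$cuLine]) {
        $status   = 'Current'
        $expected = $LatestBuilds[$cuLine]
    }
    else {
        $status   = 'Missing security update'
        $expected = $LatestBuilds[$cuLine]
    }
    [pscustomobject]@{ Build = $Build; Expected = $expected; Status = $status }
}

# Live run against the whole organization:
# Get-ExchangeServer | ForEach-Object { Test-ExchangeBuild (Get-ExchangeFileBuild $_.Name) }

# Constructed sample builds so the check can be read without a lab:
# CU12 without the April SU, CU12 with it, and an out-of-support CU10 server
[version]'15.1.1713.5', [version]'15.1.1713.6', [version]'15.1.1531.10' |
    ForEach-Object { Test-ExchangeBuild $_ }
```

The [version] cast normalises the zero-padded form used in the tables (15.01.1713.006 becomes 15.1.1713.6), so both notations compare correctly.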

Single Label Domain (SLD) and Azure AD Connect

The SLD Azure AD case

Some time ago I was at a customer where I needed to set up Azure AD Connect for 2 forests and 7 domains. Essentially this customer wanted to move to Office 365 Exchange Online. When I was making an inventory of these domains I came across a Single Label Domain (SLD), and I, at the age of 30, had never heard of one.

Single label Domain (SLD)

So what is a single label domain? SLD is the name used for an Active Directory domain whose DNS name consists of only a single label, with no suffix. For example, your Active Directory domain might have a name like company.local, but if it were single label it would just be company.

Either way, single label domains are a grey area when it comes to Microsoft support, and Azure AD Connect does not support them at all. So the advice is to avoid them whenever you can.

Ok, let's get back on topic. We have 2 Active Directory forests, one of which is single label, and 7 domains, one of which is a single label domain. All the rest are normal FQDNs like company.local.

Now we get to the part where Microsoft does not support this.

Setting up Azure AD

When you configure Azure AD Connect you reach the point where it asks you to enter your forest(s) so it can discover the domains underneath. Both forests are discovered, yes, even the single label one, and all FQDN domain names underneath them are discovered too. Except the single label domain: that one is not discovered.

I understand that this is a little confusing, so see the table below :).

Forest       | Domain        | Discovered
-------------|---------------|-----------
Forest.local | Domain.local1 | Yes
Forest.local | Domain.local2 | Yes
Forest.local | Domain.local3 | Yes
Forest.local | Domain.local4 | Yes
Forest.      | Domain.local5 | Yes
Forest.      | Domain.local6 | Yes
Forest.      | Domain.       | No

I tried several things to get Domain. discovered by Azure AD Connect. In the end I found that adding an entry to the hosts file gets the domain discovered. So we moved on to the next setup screen in Azure AD Connect, where it enumerates what is inside the domain, meaning the objects themselves.

This never works, not even with the hosts file in place. So this quest came to an end and we needed to figure out something else.
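As an added example, not part of the original post: a pre-flight check that enumerates every domain in a forest and flags the single-label ones before you even install Azure AD Connect, so the problem above shows up in the inventory instead of halfway through the wizard. It uses System.DirectoryServices directly, so it works without the RSAT AD module; the forest names in the commented live run are placeholders.

```powershell
# Added example, not part of the original post. Enumerates every domain in a
# forest and flags single-label ones before you run Azure AD Connect.
# Uses System.DirectoryServices, so it works without the RSAT AD module.

function Test-SingleLabelDomain {
    param([Parameter(Mandatory)][string]$DnsName)
    # A DNS name without any dot (ignoring a trailing root dot) has a single label
    return ($DnsName.TrimEnd('.') -notmatch '\.')
}

function Get-ForestDomainReport {
    param([string]$ForestName)   # omit to use the forest of the current computer
    $forest = if ($ForestName) {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $ForestName)
        [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    }
    else {
        [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    }
    foreach ($domain in $forest.Domains) {
        [pscustomobject]@{
            Forest      = $forest.Name
            Domain      = $domain.Name
            SingleLabel = Test-SingleLabelDomain $domain.Name
        }
    }
}

# Live run, one call per forest you plan to connect (placeholder names):
# 'forest.local', 'forest' | ForEach-Object { Get-ForestDomainReport $_ } | Format-Table -AutoSize

# Constructed sample names that mirror the table above
'Domain.local1', 'Domain.local5', 'Domain', 'Domain.' |
    ForEach-Object { [pscustomobject]@{ Domain = $_; SingleLabel = Test-SingleLabelDomain $_ } }
```

Any row with SingleLabel set to True needs a plan (such as the ADMT migration described next) before the Azure AD Connect project starts.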

What we did was decide to create a new forest with a new domain and move all the users to that domain. For this task we used ADMT. ADMT is a tool from Microsoft that "copies" Active Directory objects from one domain to another, including between different forests.

Active Directory Migration Tool (ADMT)

Microsoft developed ADMT to speed up the migration process and reduce the chance of errors. ADMT performs object migrations and security translations (SID history, re-ACLing of resources) in a way that limits disruption, so users keep access to network resources while the migration is underway.

Check this URL if you want to start with ADMT:

https://www.microsoft.com/en-us/download/details.aspx?id=19188

An easy way to manage your organization with Intune

Next up: Intune

For some time Microsoft has been pushing lots of companies to go with Intune. Most of these companies want a solution like Intune but sometimes already have a system in place that takes care of their mobile devices, think AirWatch or MobileIron. Intune is usually compared with MobileIron or AirWatch, but what most companies do not know is that Intune is not just about mobile devices. It can do lots more than that.

Where to start with Intune

As mentioned before, lots of companies do not know where to start with Intune. One of the questions I get asked most at customers is: do I start with MDM for mobile devices or do I start with MAM, and what is the difference? And how do I make sure I enroll the devices without big impact on my users?

First of all, the best thing you can do is start with a simple pilot for Mobile Application Management (MAM), scoped to an Azure AD group. MAM manages the applications you make available within Intune for your mobile devices. If you start with this I recommend simply selecting all the applications from the Microsoft Office 365 subscription.

You can do this within App protection policies.


In my setup the selected apps are only assigned to Android devices, because I created two policies: one for Android and one for iOS. The reason is that I can manage both device types separately. For instance, if I want to add apps like Google Maps (Android) or Safari (Apple), I can manage those just for that device type.

* Make sure you assign your policies to just a few of you, not to the entire company, when testing.

Mobile application management (MAM)

As written above, you can implement Mobile Application Management pretty easily. Just make sure you have the right licenses (EMS E3, EMS E5 or a standalone Intune license) and you are good to go. But what does Mobile Application Management actually do?

Basically MAM manages the applications you offer your users as a service. This means that a user with, for example, a private device can use Outlook for iOS/Android with corporate email in a safe way. The user just needs to install the application from the Google Play Store or the App Store. Users are guided through the process and end up with a protected copy of Outlook holding their corporate email, while the personal data on the device stays untouched.

With the policies you created you set properties that prevent things like copying from email to phone storage, opening URLs from email in an unmanaged browser, or saving attachments to unmanaged storage.
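As an added example, not part of the original post: the same App Protection policy for Outlook on Android built through the Microsoft Graph beta API, enforcing exactly the three restrictions just described and assigned to a pilot group only. Assumptions: $Token holds a bearer token with the DeviceManagementApps.ReadWrite.All permission, $PilotGroupId is the object id of your pilot Azure AD group, and the property names follow the Graph beta androidManagedAppProtection schema, so check them against the current docs before using this in production.

```powershell
# Added example, not part of the original post. Creates an Android App
# Protection policy that enforces the three restrictions named above and
# assigns it to a pilot group only. Assumptions: $Token is a bearer token with
# DeviceManagementApps.ReadWrite.All and $PilotGroupId is the object id of the
# pilot Azure AD group. Property names follow the Graph beta
# androidManagedAppProtection schema; verify them against the current docs.
$Headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
$Base    = 'https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections'

function New-MamPilotPolicy {
    param([Parameter(Mandatory)][string]$PilotGroupId)

    $policy = @{
        displayName = 'MAM pilot - Outlook for Android'
        # 1. no copy/paste or data transfer from the managed app to unmanaged apps or storage
        allowedOutboundDataTransferDestinations = 'managedApps'
        allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
        # 2. links in mail open in a managed browser, not in any browser on the device
        managedBrowserToOpenLinksRequired       = $true
        managedBrowser                          = 'microsoftEdge'
        # 3. attachments cannot be saved to unmanaged storage
        saveAsBlocked                           = $true
        # an app PIN keeps the corporate data locked on a private device
        pinRequired                             = $true
    }
    $created = Invoke-RestMethod -Method Post -Uri $Base -Headers $Headers -Body ($policy | ConvertTo-Json)

    # Target only Outlook for Android by its package id
    $apps = @{ apps = @(@{
        '@odata.type'       = '#microsoft.graph.managedMobileApp'
        mobileAppIdentifier = @{
            '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'
            packageId     = 'com.microsoft.office.outlook'
        }
    }) }
    Invoke-RestMethod -Method Post -Uri "$Base/$($created.id)/targetApps" -Headers $Headers `
        -Body ($apps | ConvertTo-Json -Depth 5) | Out-Null

    # Assign to the pilot group, never to all users while testing
    $assign = @{ assignments = @(@{
        '@odata.type' = '#microsoft.graph.targetedManagedAppPolicyAssignment'
        target        = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId }
    }) }
    Invoke-RestMethod -Method Post -Uri "$Base/$($created.id)/assign" -Headers $Headers `
        -Body ($assign | ConvertTo-Json -Depth 5) | Out-Null

    return $created.id
}

New-MamPilotPolicy -PilotGroupId $PilotGroupId
```

Keeping the policy in code rather than in portal clicks makes the iOS counterpart a near-copy (the iosManagedAppProtections endpoint and a bundleId instead of a packageId) and leaves a reviewable record of which data paths you closed.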

Mobile Device Management (MDM)

What is Mobile Device Management (MDM)? MDM is a way of securing the device a user gets from the company. Most of the time I advise this option when a company hands out company-owned phones to its employees. In that case the device is owned by the company, so you may want to do more with the device than just manage the applications as in MAM. Things you can do with MDM that you cannot do with MAM are:

  • Device encryption
  • Push company owned apps
  • Install applications from the App Store or Google Play
  • Wipe the entire device instead of just the managed applications
  • Push certificates and Wi-Fi profiles
  • And lots more

I hope this gives you some insight into MAM and MDM. In my opinion these are the best options to start with when beginning with Intune. But as you can imagine there are lots more features in Intune. Think about enrolling Windows 10 devices with Autopilot, so you can really give your users a seamless out-of-the-box experience (OOBE). Even co-management is possible these days. In the following blogs I will guide you through the implementation of some of these features and possibilities.

If you have ideas for a blog post about Intune that needs to be worked out, please let me know and I will see if I can create a tutorial for it.

Also do not forget to check my other blogs at j3rmeyer.nl.

 

Running the Hybrid Configuration Wizard (HCW) for the first time

Hybrid Configuration Wizard (HCW)

Every time I have to implement a hybrid scenario or run the HCW at a customer, I catch myself using someone else's blog as a safety net. I do this so I do not make a mistake or forget something during the configuration of the Hybrid Configuration Wizard. Here are some things you should consider before moving forward and configuring this piece of software.

There are two useful blogs I have found so far that cover the whole process. Both cover the same solution:

Code Two and Practical 365

But before running the Hybrid Configuration Wizard you should think about what kind of hybrid scenario you would like to have and maintain. Do you go for a short-term or a long-term hybrid?


Short- or long-term hybrid

At the last TechSummit conference in Amsterdam Michael von Hybrid had a great session about this. You can find his TechSummit slides here. Since I saw that session I always discuss these topics with the customer, so they know what to expect from their Exchange hybrid scenario and how to manage their environment in a hybrid situation.


Mailbox migration hangs on TotalStalledDueToWriteThrottle

TotalStalledDueToWriteThrottle

Mailbox migration can take a long time to finish. Most of the time this is a pain when there is a lot of pressure on the migration project.

To get more insight into these issues you can run the commands below to get an overview of what is going on with your mailbox moves.

Get-MoveRequest | Get-MoveRequestStatistics

or

(Get-MoveRequestStatistics <id> -IncludeReport).Report.TargetThrottles

In the output you will see a lot of TotalStalledDueTo... counters. These stalls are caused by resource throttling on the back-end of the Microsoft services, not by anything in your source environment.
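As an added example, not part of the original post: a small function that turns the TotalStalledDueTo* counters of a move request into a share of its overall duration, so you can see at a glance whether write throttling really is the dominant stall before you open the ticket. It assumes the property names that Get-MoveRequestStatistics returns (OverallDuration and the TotalStalledDueTo* durations) and ends with a constructed sample object so the logic can be read without a tenant.

```powershell
# Added example, not part of the original post. Summarises the
# TotalStalledDueTo* counters of a move request as a share of its overall
# duration, so you can see at a glance which throttle dominates.
function Get-MoveStallBreakdown {
    param([Parameter(Mandatory, ValueFromPipeline)] $Stats)   # a Get-MoveRequestStatistics result
    process {
        $overall = [timespan]$Stats.OverallDuration
        $Stats.PSObject.Properties |
            Where-Object { $_.Name -like 'TotalStalledDueTo*' -and $_.Value } |
            ForEach-Object {
                # Values arrive as EnhancedTimeSpan locally or as strings over remote PowerShell;
                # both cast cleanly to [timespan]
                $span = [timespan]$_.Value
                if ($span.Ticks -gt 0) {
                    [pscustomobject]@{
                        Mailbox  = $Stats.DisplayName
                        Stall    = $_.Name -replace '^TotalStalledDueTo', ''
                        Duration = $span
                        Percent  = if ($overall.Ticks) { [math]::Round(100 * $span.Ticks / $overall.Ticks, 1) } else { 0 }
                    }
                }
            } | Sort-Object Duration -Descending
    }
}

# Live run against every move in the tenant (Exchange Online PowerShell):
# Get-MoveRequest | Get-MoveRequestStatistics | Get-MoveStallBreakdown | Format-Table -AutoSize

# Constructed sample object with the shape of a Get-MoveRequestStatistics result
$sample = [pscustomobject]@{
    DisplayName                    = 'Jane Doe'
    OverallDuration                = [timespan]'1.02:00:00'   # 26 hours
    TotalStalledDueToWriteThrottle = [timespan]'18:30:00'
    TotalStalledDueToReadThrottle  = [timespan]'00:45:00'
    TotalStalledDueToHA            = [timespan]'00:00:00'
}
$sample | Get-MoveStallBreakdown
```

For the sample the write throttle accounts for roughly 71% of the move's lifetime, which is the kind of number that makes a support ticket concrete instead of "the migration is slow".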


Common mailbox migration issues

Some of you may know this, but Microsoft maintains a queue for moving and migrating company mailboxes and the user placeholders that want to onboard. This touches most of the Office 365 services, like Exchange Online and Azure AD.

Microsoft does this so everybody gets the same performance and expectations when migrating, and so their services are not overloaded with move requests.

There is no real solution for these messages; the only thing you can do is open a ticket with Microsoft. We have seen that most of the time the Microsoft FastTrack team does not use migration batches or MRS replication but individual move requests, because those are easier to manage.

Note: just keep raising tickets, if only to send a signal to Microsoft.

Source: thanks to Michel de Rooij and Thomas Verwer for bringing this to our attention.

 

How to disable Office 365 Groups and Teams creation the right way

Why disable group/team creation?

Some companies want to restrict who can create Office 365 Groups and Teams. There can be many reasons for this; for instance, you want to disable free creation of groups and teams to stay in control of these features.

The right way to do this is to allow only certain users to create groups and teams. For that it is recommended to create a universal security group (mail-enabled) that is used only to grant group and team creation.

First steps

As mentioned before, it is recommended to create a universal security group (mail-enabled). When you have Azure AD Connect in place you should create this group on-premises and sync it to Azure AD. That means its management stays on-premises.

You can also create this group in Azure AD itself. If that is your way to go, just create a security group in Azure AD, and understand that its management will then be in Azure AD / Office 365.

The Script

To disable group/team creation you can run the script below from the Azure AD PowerShell module (the Get-/New-/Set-AzureADDirectorySetting cmdlets require the AzureADPreview module).

$Settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
If (-not $Settings) {
    # No Group.Unified object found: create a new settings object from the template
    $Template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $Template | Select-Object -ExpandProperty Values   # shows the available settings and their defaults
    $Settings = $Template.CreateDirectorySetting()
}
$Settings['EnableGroupCreation'] = 'false'
$Settings['AllowToAddGuests'] = 'false'
# Exact-match filter instead of -SearchString, which does a prefix match and may return more than one group
$Settings['GroupCreationAllowedGroupId'] = (Get-AzureADGroup -Filter "DisplayName eq 'Office365GroupTeamsAdmins'").ObjectId
If ($Settings.Id) {
    # The setting already existed: update it in place
    Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings
}
Else {
    New-AzureADDirectorySetting -DirectorySetting $Settings
}

And make sure there is a synced, universal, mail-enabled security group named Office365GroupTeamsAdmins. Only members of that group can create groups and teams; all other users are blocked (Global Administrators and a few other admin roles keep the ability regardless). Note that the script also sets AllowToAddGuests to false, which disables adding guests to Office 365 Groups tenant-wide; leave that line out if you only want to restrict creation.
Thanks to Michel de Rooij for this script.
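As an added example, not part of the original post or the script above: a read-back check that proves the restriction is really in place. It fetches the Group.Unified setting, resolves GroupCreationAllowedGroupId to an actual group and counts its members, because a typo in the group name leaves the id empty and then nobody but admins can create anything. It assumes the same AzureADPreview session as the script and the group name used above.

```powershell
# Added example, not part of the original post. Reads the Group.Unified
# setting back and checks that the allowed group resolves, so you can prove the
# restriction is in place before telling the business. Requires the same
# AzureADPreview session as the script above.
function Test-GroupCreationRestriction {
    param([Parameter(Mandatory)][string]$AllowedGroupName)

    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        throw 'No Group.Unified setting exists: group and team creation is still open to everyone.'
    }

    $allowedId = $setting['GroupCreationAllowedGroupId']
    $group     = if ($allowedId) { Get-AzureADGroup -ObjectId $allowedId } else { $null }
    $members   = if ($group) { Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true } else { @() }

    [pscustomobject]@{
        EnableGroupCreation = $setting['EnableGroupCreation']
        AllowToAddGuests    = $setting['AllowToAddGuests']
        AllowedGroup        = $group.DisplayName
        # The id must point at a security group with the expected name
        AllowedGroupOk      = [bool]($group -and $group.DisplayName -eq $AllowedGroupName -and $group.SecurityEnabled)
        MemberCount         = @($members).Count
        # Restricted only when creation is off AND a real group is allowed;
        # creation off with an empty id means nobody outside admin roles can create
        Restricted          = ($setting['EnableGroupCreation'] -eq 'false' -and $null -ne $group)
    }
}

Test-GroupCreationRestriction -AllowedGroupName 'Office365GroupTeamsAdmins'
```

A MemberCount of 0 with Restricted set to True is the other failure mode worth catching: the policy is correct, but the synced group has no members yet, so the people who are supposed to create teams cannot.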

What to do with public folders when moving to Exchange Online

Moving to Exchange Online

Sometimes a migration to Office 365 gets difficult when it comes to public folders. When the plan is to migrate from, for instance, Exchange 2010 to Office 365 Exchange Online, a decision must be made: what to do with the public folders? In my opinion there are 3 scenarios worth discussing, and in this blog post I will write them down.

A little bit of history

For youngsters in IT like myself it is pretty hard to understand what public folders are and what they do, because we never worked with them. Luckily there are lots of experienced Microsoft professionals, like my colleague Michel de Rooij, who can explain this perfectly.

So what is a public folder? According to TechTarget: in Microsoft Outlook, a public folder is a folder created to share information with others. The owner of a public folder can set privileges so that only a select group of users has access to the folder, or the folder can be made available to everyone on the network who uses the same mail client. Public folders in Outlook can contain contacts, calendar items, messages, journal entries, or Outlook forms.

Public folder scenarios

Below I describe 3 scenarios for what to do with public folders. In these options I also keep in mind that most companies want to get rid of their public folders.

Scenario 1: Migrate public folders to modern public folders

Microsoft has published an article on TechNet on how to migrate legacy public folders to modern public folders in Office 365. In this case Microsoft simply continues supporting public folders once they are migrated to Office 365.

The migration itself has some limitations, which I summarize below:

  • Exchange 2010 SP3 or higher is needed
  • A legacy public folder cannot be larger than 2 GB
  • Public folder names cannot contain a backslash (\) or other special characters
  • Modern public folders are not accessible to legacy (on-premises) users
  • All users need to be migrated first
  • Max 1000 public folders allowed
  • Big-bang migration with downtime

As you can see there are some limitations and difficulties, most of them in managing expectations on the business side, because public folders need to be cleaned up or renamed.
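As an added example, not part of the original post: an inventory check for the legacy public folders that flags the ones breaking the limits listed above (size over 2 GB, a backslash or forward slash in the name, stray whitespace), so the cleanup and rename discussion with the business starts from a list instead of a surprise during the migration. The live command assumes the Exchange 2010 Management Shell and a placeholder server name; the sample folders at the end are constructed.

```powershell
# Added example, not part of the original post. Inventories legacy public
# folders on the Exchange 2010 side and flags the ones that break the modern
# public folder migration limits listed above (size and illegal characters in
# the name). Run from the Exchange 2010 Management Shell; the server name is a
# placeholder.
function Test-PublicFolderMigrationReadiness {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Folder,   # needs Name, FolderPath, TotalItemSizeBytes
        [long]$MaxBytes = 2GB
    )
    process {
        $issues = @()
        if ($Folder.Name -match '[\\/]')                         { $issues += 'name contains \ or /' }
        if ($Folder.Name -ne $Folder.Name.Trim())                { $issues += 'leading/trailing whitespace in name' }
        if ([long]$Folder.TotalItemSizeBytes -gt $MaxBytes)      { $issues += ('larger than {0} GB' -f ($MaxBytes / 1GB)) }
        [pscustomobject]@{
            FolderPath = $Folder.FolderPath
            SizeGB     = [math]::Round($Folder.TotalItemSizeBytes / 1GB, 2)
            Ready      = ($issues.Count -eq 0)
            Issues     = ($issues -join '; ')
        }
    }
}

# Live run: pull the statistics and normalise the size to bytes first
# Get-PublicFolderStatistics -Server 'PFSERVER' -ResultSize Unlimited |
#     Select-Object Name, FolderPath, @{n='TotalItemSizeBytes'; e={ $_.TotalItemSize.Value.ToBytes() }} |
#     Test-PublicFolderMigrationReadiness | Where-Object { -not $_.Ready } | Format-Table -AutoSize

# Constructed sample folders
@(
    [pscustomobject]@{ Name = 'Sales';      FolderPath = '\Sales';      TotalItemSizeBytes = 1.5GB }
    [pscustomobject]@{ Name = 'HR/Payroll'; FolderPath = '\HR/Payroll'; TotalItemSizeBytes = 200MB }
    [pscustomobject]@{ Name = 'Archive';    FolderPath = '\Archive';    TotalItemSizeBytes = 3GB   }
) | Test-PublicFolderMigrationReadiness
```

Of the three sample folders only Sales comes out Ready; HR/Payroll needs a rename and Archive needs to be split or cleaned up before the migration can start.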

Scenario 2: Migrate public folders to Office 365 Groups

The second scenario is to migrate the legacy public folders to Office 365 Groups. Microsoft has described this in a TechNet article. When moving public folders to Office 365 Groups there are some difficulties that need to be managed before you can start the migration.
One of them is that only the email and calendar items can be migrated to an Office 365 Group.

Below you find the summary of limitations:

  • All users must be migrated to Office 365 before you begin
  • The work process for end users changes (they use an Office 365 Group instead of a public folder)
  • Office 365 Groups are not accessible to legacy users
  • Only mail and calendar items are supported
  • A public folder can be at most 25 GB to be migrated
  • A phased migration is possible when the source is Exchange 2013 or later
  • Downtime

Scenario 3: Do not migrate public folders to Office 365

When you have Exchange 2010 in a hybrid setup it is possible to configure public folder coexistence. This means the public folders stay where they are but are accessible both on-premises and from Exchange Online. There are some limitations; one is that these public folders cannot be opened from Outlook on the web (outlook.office365.com/owa).

Remember I told you at the beginning that there is probably a scenario for getting rid of the public folders? Well, in my opinion this is the best and most business-friendly way to do it.

So make sure coexistence is in place. Next, set the public folders to read-only and give the users a shared mailbox, an Office 365 Group or even a Team as their new place to collaborate.

One last thing: keep in mind that with this option you have to keep your on-premises environment a little longer before you decommission it.

Export all mailboxes with their sizes to TXT or CSV with PowerShell

Export mailboxes

Most of the time when you are in a mailbox migration project there is a phase where you need to inventory the user mailboxes and their sizes. To do that you need Exchange PowerShell to get this kind of data out of Exchange.

Powershell

To export mailbox data out of Exchange you can use the command Get-MailboxStatistics -Identity "sAMAccountName" | fl. This gives you the complete output for the account/mailbox you specified (j3rmeyer in my case).

If you look further you notice that there is actually only one useful unique attribute (so you can match this later on with Active Directory): MailboxGuid.

To get this data out of Exchange in a useful way, the best thing to do is combine it with the DisplayName.

The script

In this script I combine the display name with the MailboxGuid and the total size of the mailbox. That is not all: I want to export all the mailboxes on a specified Exchange server. To do that you give the server name instead of the identity of a user.

Below you will find the script i use to export such data:

Get-MailboxStatistics -Server "DATABASESERVERNAME" | Sort-Object TotalItemSize -Descending | ft DisplayName, MailboxGuid, @{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}}, ItemCount > C:\temp\mailbox_sizes_emailboxserver.txt

If you want the output as a CSV file that Excel can open instead of TXT, do not combine ft (Format-Table) with Out-File: that writes the on-screen table, not CSV, whatever the file extension says. Use Select-Object and Export-Csv instead:

Get-MailboxStatistics -Server "DATABASESERVERNAME" | Sort-Object TotalItemSize -Descending | Select-Object DisplayName, MailboxGuid, @{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}}, ItemCount | Export-Csv -Path C:\temp\mailbox_sizes_emailserver.csv -NoTypeInformation
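As an added example, not part of the original post: the same inventory with the Active Directory match already done. Get-Mailbox exposes the mailbox GUID as ExchangeGuid together with the sAMAccountName and primary SMTP address, so joining it with Get-MailboxStatistics on that GUID gives an export you do not have to reconcile against AD afterwards. Server name and output path are placeholders; it assumes the Exchange Management Shell.

```powershell
# Added example, not part of the original post. Joins Get-MailboxStatistics
# with Get-Mailbox on the mailbox GUID, so the export already carries the
# sAMAccountName and primary SMTP address you would otherwise have to match
# against Active Directory afterwards. Server name and output path are placeholders.
function Get-MailboxInventory {
    param([Parameter(Mandatory)][string]$Server)

    # Index the statistics by MailboxGuid for a direct lookup per mailbox
    $stats = @{}
    Get-MailboxStatistics -Server $Server | ForEach-Object { $stats[$_.MailboxGuid] = $_ }

    Get-Mailbox -Server $Server -ResultSize Unlimited | ForEach-Object {
        $s = $stats[$_.ExchangeGuid]   # ExchangeGuid on the mailbox equals MailboxGuid in the statistics
        [pscustomobject]@{
            DisplayName        = $_.DisplayName
            SamAccountName     = $_.SamAccountName
            PrimarySmtpAddress = $_.PrimarySmtpAddress.ToString()
            MailboxGuid        = $_.ExchangeGuid
            Database           = $_.Database.ToString()
            RecipientType      = $_.RecipientTypeDetails
            TotalItemSizeMB    = if ($s) { [math]::Round($s.TotalItemSize.Value.ToMB(), 0) } else { $null }
            ItemCount          = if ($s) { $s.ItemCount } else { $null }
            # A mailbox without statistics has never been logged on to or is disconnected
            HasStatistics      = [bool]$s
        }
    } | Sort-Object TotalItemSizeMB -Descending
}

Get-MailboxInventory -Server 'DATABASESERVERNAME' |
    Export-Csv -Path 'C:\temp\mailbox_inventory.csv' -NoTypeInformation -Encoding UTF8
```

Filtering on HasStatistics equal to False before the migration is worth doing: those are the mailboxes that exist in AD but have never been used, which usually means they can be skipped or cleaned up rather than moved.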

 

Cheat sheet with all ports and rules needed for a Skype for Business 2015 on-premises environment

Skype for Business ports

As in my previous post I will share a cheat sheet with you. This time the cheat sheet covers a Skype for Business on-premises implementation. To make things easier for myself, I created an overview of all ports and IP addresses that hit the customer's firewalls and network.

The document is meant as a cheat sheet, which means you can adjust it and present it to the customer's network team.

Overview

There are always some requirements:

  • External IP addresses for the remote subdomains
  • Access to external DNS
  • The drawing does not include the Office Web Apps server


Please let me know if you are missing some things.